Introduction to Huawei security devices

Ⅰ. Common network security devices

eSight Unified Network Management

eSight is an integrated operations and maintenance (O&M) management solution for enterprise data centers, campus/branch networks, unified communications, video conferencing and video surveillance. It provides automated configuration of enterprise ICT equipment, visual fault diagnosis and intelligent capacity analysis. Huawei eSight is mainly used in data center integrated O&M, safe-city O&M and WLAN lifecycle management scenarios; it helps enterprises improve O&M efficiency, reduce operating costs, improve resource utilization and keep enterprise ICT systems running stably.

LogCenter Security Event Management Center

LogCenter is a unified security management platform aimed at industry users. It integrates report management, log auditing, centralized alarm management and other functions for the full range of Huawei security products, and is characterized by high integration and high reliability.

CIS network security intelligence system

CIS (Cybersecurity Intelligence System) uses big data analysis and machine learning techniques to defend against APT attacks. It extracts critical information from massive volumes of data and performs multi-dimensional risk assessment by correlating single-point anomalous behaviour through big data analysis, thereby reconstructing the APT attack chain, accurately identifying and defending against APT attacks, and avoiding the loss of core information assets.

FireHunter6000 sandbox

The Huawei FireHunter6000 series sandbox is a new generation of high-performance APT threat detection system that can accurately identify the infiltration of unknown malicious files and malicious outbound C&C (Command and Control) connections. It detects unknown malicious files by reconstructing network traffic directly and extracting files for analysis in a virtual environment, or by relying on a next-generation firewall to extract the files.
The FireHunter6000 series has a unique ADE advanced threat detection engine and works in linkage with next-generation firewalls. Against advanced malware it combines reputation scanning, static analysis, real-time dynamic behaviour analysis and local and cloud technology, detecting "gray" traffic in real time, blocking it and presenting reports, so as to effectively prevent the rapid spread of unknown threats and the loss of enterprise information and core assets. It is aimed especially at key users such as finance, confidential government departments, energy and high technology.

WAF Web Application Firewall

The WAF5000 Web Application Firewall uses original state-chain behaviour detection technology to effectively handle hotlinking, cross-site request forgery and other Web-specific attacks. Its intelligent-interaction, millisecond-level locking feature effectively reduces the risk of compromise, helps customers meet the requirements of laws and regulations such as PCI, classified protection and internal control practices, and protects the secure operation of customer Web applications across the board.
Huawei WAF5000 is a professional-grade Web application firewall launched for government, enterprise and ISP customers.

UMA unified operation and maintenance management

UMA (Unified Maintenance and Audit) is a unified IT resource O&M management and security auditing platform designed for operators, government, finance, electric power and other large enterprises. By centrally managing and controlling the accounts, authentication, authorization and auditing of all kinds of IT resources, it provides centralized O&M access, centralized authentication, centralized authorization and centralized auditing, meeting users' O&M management, internal control and external audit requirements.

AntiDDoS8000 series of DDoS Defense System

The Huawei AntiDDoS8000 series DDoS defense system uses big data analysis techniques and builds abstract models of 60 kinds of network traffic; it delivers T-level (terabit) protection performance, second-level response to attacks and comprehensive protection against more than one hundred kinds of attacks. Through linkage with the Huawei cloud cleaning center, layered cleaning can be achieved, providing users with comprehensive protection from the network link bandwidth up to the online business.

NGFW next-generation firewall

The NGFW Module is a next-generation firewall product in single-board form launched by Huawei. With the NGFW Module, users can flexibly and quickly integrate firewall, NAT, VPN, content security and other security functions into the host network device (such as Huawei S9300 and S9300E series switches), achieving highly integrated network security protection.
The host network device and the service processing are organically combined: the host network device performs high-performance data forwarding, while security services are processed according to the characteristics of the network, achieving both security and monitoring.
• Provides four external GE interfaces for management, maintenance and hot standby of the device; connects to the host device through two internal 20G high-speed Ethernet interfaces, ensuring smooth data forwarding between the module and the host network device.
• Uses dedicated high-performance multi-core processors and high-speed memory, so that security services are processed at high speed without affecting the existing service processing of the host network device.
• Can be inserted into multiple slots of the host network device; multiple NGFW Modules spread the performance load across one host network device, easily adapting to network upgrades without taking up more space or re-wiring, which reduces investment in equipment room space, cooling, accessories and the like.
USG6000 products
USG6000 uses a newly designed 10G multi-core hardware platform with excellent performance.
• Provides multiple high-density expansion interface card slots and supports a rich set of interface card types, enabling large-scale service processing.
• Key component redundancy and a mature link switchover mechanism, with support for built-in power-fail bypass cards, provide users with ultra-long trouble-free hardware protection for a continuously available office environment.
USG6000 product features: a stable and efficient new 10G multi-core hardware platform; professional content security and defense technology; integration of security, routing and VPN services; fine-grained management based on applications and users; visual management and rich carrier-grade log reports; a reliability assurance program; flexible expansion capabilities.

USG6000 product scenarios: medium-sized enterprise border protection; intranet control and security isolation; data center border protection; VPN remote access and mobile office; cloud computing gateway; agile network.
USG9000 series (USG9520; USG9560; USG9580)
Huawei USG9500 is a next-generation firewall targeted at the security protection of cloud service providers, large data centers, campus networks and large enterprises. It provides T-level (terabit) processing performance, integrates NAT, VPN, virtualization and multiple other security features, and offers up to 99.999% reliability, helping enterprises meet the growing demand for high-performance processing in network and data center environments while reducing floor space and the per-Mbps total cost of ownership.
USG9000 product features: multi-core distributed architecture to improve return on investment; T-level processing performance to handle traffic surges; end-to-end reliability solutions to ensure business continuity.
USG9000 product scenarios: data center perimeter protection; radio and television and second-tier carrier networks; medium-sized enterprise border protection; enterprise branch Internet access; cloud computing gateway.

vNGFW Virtualization Security

With the development and application of cloud computing technology, traditional data centers are turning into cloud data centers. Rapid service roll-out, on-demand service migration and a surge in customer demand for customized protection, together with new virtual-network security issues such as attacks on the virtual machine Hypervisor and sniffing attacks between virtual machines, cause losses of virtualized network availability; traditional service gateways cannot adapt to cloud network deployment, and SDN and NFV network equipment and technology came into being to meet this demand. SDN and NFV separate the control plane from the data plane, distribute data management, virtualize network functions, and offer many possibilities for flexibly deploying new and dynamic combinations of services; at the same time, open service and network platform interfaces can provide customers with better ecosystem integration.
Huawei USG6000V is a software-only product that runs as a virtual machine on standard servers, oriented to cloud data center and NFV scenarios, providing comprehensive virtual network security software deployment. It achieves fast deployment of security capabilities through software-defined security. USG6000V can form an open data center solution together with Huawei FusionSphere, the Agile Controller, EMS/NMS and the open-source OpenStack platform. Its rich next-generation firewall features provide customers with a rich set of security protection capabilities for virtual networks.
USG6000V products include: USG6000V1; USG6000V2; USG6000V4; USG6000V8
USG6000V series features: high performance; elastic deployment; various service features; openness to a variety of platforms
USG6000V product scenario: cloud data center (VXLAN)
USG9000V product positioning
USG9000V is a distributed, high-capacity NFV (Network Function Virtualization) firewall oriented to cloud data center security.
With the development of cloud computing, data center and network infrastructure operators are moving toward cloud-based, virtualized and automated network architectures. New opportunities also bring new challenges: cloud network deployment automation, O&M automation and high resource utilization impose higher requirements. Huawei launched USG9000V, which achieves elastic scalability and optimal resource utilization through centralized resource scheduling; its automated O&M, with fault self-test and self-healing, helps enterprises and cloud operators enhance their security capabilities.
USG9000V follows the standard ETSI NFV architecture, as shown in the original figure. As a VNF (Virtualized Network Function), USG9000V implements security network-element functions deployed on a common hardware platform and provides standardized interfaces for collaborative deployment with other VNFs.
USG9000V features: cloud architecture with scalable on-demand elasticity; high performance; multi-level reliability guarantee mechanisms and automated O&M; rich service features
USG9000V product scenario: cloud data center

SVN Secure Access Gateway

The SVN5600/5800 series secure access gateway supports up to 50,000 concurrent online users, with complete security protection capabilities, rich terminal support, a fast access experience, adaptable and flexible networking and carrier-class reliability design. It meets the needs of enterprises of different scales for remote access, mobile office and branch Internet access, ensures a consistent user access experience and improves business efficiency. It is a new generation of secure access gateway launched by Huawei for medium-sized enterprises, government and carriers.
SVN product positioning
SVN integrates rich features including SSL VPN, IPSec VPN, GRE VPN, MPLS VPN, firewall, attack defense and leading Layer 3 features such as IPv6, MPLS, dynamic routing and policy routing, so that enterprise, government and carrier users can deploy the required security services on a single device, effectively reducing the cost of deploying security solutions.
SVN features: integrated VPN remote access; rich rights management tools; flexible user authorization; high reliability
SVN product scenarios
Remote access through a secure SSL tunnel:
SSL provides secure connections for TCP-based application-layer protocols; for example, SSL can provide a secure connection for HTTP. SSL is widely used in e-commerce, online banking and other fields, providing security guarantees for data transmitted over the network.
Web proxy: The Web proxy is a relay function provided by the SVN for end users communicating with Web servers on the network. After end users log in to the SVN, they can access internal network resources through the resource list issued by the SVN virtual gateway.
File sharing: File sharing converts file sharing protocols (SMB, NFS) into the SSL-based hypertext transfer protocol (HTTPS) and presents them to end users in Web form, implementing Web-based access to the file system.
Port forwarding: A port-based network access control mode for all TCP applications. Data is forwarded through SSL encryption to ensure the integrity and correctness of TCP application data.
Network extension: End users can establish an SSL tunnel to the SVN gateway through a locally installed virtual network adapter, achieving comprehensive secure access to all IP-based network services. Remote users access internal network resources as easily as a local area network, supporting a variety of complex business functions.

Establishing a secure IPSec channel between headquarters and branch offices:
An IPSec tunnel is established between SVN1 and SVN2, and the corporate headquarters and branch offices access each other's resources through the IPSec VPN.
IPSec provides a way to build and manage secure tunnels by providing authentication and encryption services for the data packets to be transmitted, so that data transmitted within the network or across a public network cannot be illegally viewed or tampered with; in effect, it creates a secure communication tunnel for users located in different geographical locations. Site-to-Site is the most common IPSec networking mode.
(PS: in this mode the connection between the two gateways is encrypted, but the connection between the client and the gateway, and between the gateway and the server, is unencrypted; the gateways on both sides must support IPSec.)

Cloud Desktop Agent

The ICA (Independent Computing Architecture) protocol is currently the mainstream virtual desktop display protocol, commonly used in enterprise virtual desktop solutions.
The typical networking of a virtual desktop solution is shown in the original figure: the client establishes a TCP connection and accesses the VM virtual desktop on the remote server through the virtual desktop protocol. As a desktop cloud proxy device, the SVN mainly provides the Load Balance Gateway and the secure Cloud Gateway functions.
• Load balancing gateway: The load balancing gateway can balance load across multiple Web services so that traffic from multiple clients is distributed to the appropriate real servers. Real servers provide Web (HTTP/HTTPS) services to clients.
• Secure cloud gateway: Proxies the connections between VM clients and servers, improving connection security while hiding the internal structure from the outside.
(PS: the load balancing gateway and secure gateway functions can be deployed on different SVNs or on the same SVN.)

NIP6000 series of next-generation intrusion prevention system

The NIP6000 series next-generation network intrusion prevention system adds environment awareness to traditional IPS (Intrusion Prevention System) products, on the basis of deep application awareness, content awareness and unknown threat defense capabilities, achieving more precise detection and an optimized management experience. It better protects customer applications and business security, and comprehensively protects network infrastructure, servers, clients and network bandwidth performance.
The NIP6000 series is Huawei's next-generation intrusion prevention system, mainly used in enterprise, IDC, campus and carrier networks to provide customers with application and traffic security.
NIP6000 products not only have the functions of traditional IPS products but extend them on that basis to better protect customer applications and business security:
• Standard IPS capabilities: provides a rich signature library for vulnerabilities and threats, detecting and blocking attacks in a timely manner.
• Application awareness and application-layer threat protection: with powerful Web application identification and control capabilities, administrators can configure security policies and bandwidth control policies based on applications, rather than only service policies based on port and protocol. At the same time, NIP6000 protects against attacks on a variety of applications, guaranteeing application security.
• Context awareness: by entering asset information (operating system, asset type, asset value, etc.), NIP6000 assesses the risk of attacks in combination with the assets, identifies the risk level of attacks and provides reliable event results to the administrator. Based on the asset information, administrators can also select the appropriate operating systems and applications to generate intrusion prevention policies for targeted protection.
• Unknown threat detection: detects APT attacks, zero-day attacks and other new network attacks through linkage with the sandbox.
NIP6000 series features: fast signature updates with timely vulnerability detection; plug and play with flexible deployment; a new software architecture with industry-leading product performance; sandbox-linked APT detection with clear evidence of potential threats; dynamic network environment awareness with intelligent policy configuration and risk assessment; professional virus removal, protecting the network from viruses
NIP6000 product scenarios: Internet border; IDC/server front end; network borders; bypass (out-of-path) detection

AgileController

Agile Controller-Campus is Huawei's new generation campus and branch network controller. It supports network deployment automation, policy automation, SD-WAN and other innovative solutions to help enterprises reduce OPEX, accelerate the digital transformation of cloud services, make network management more convenient and network O&M more intelligent; it supports campus network, SD-WAN, user access management and other scenarios.
Agile Controller features: user-centric services that redefine the network; centralized network-wide resource control with flexible adjustment; open collaboration
The AC-Campus system includes four parts: the Management Center (MC), the Service Manager (SM), the Service Controller (SC) and the client; together with the network access devices (NAD), the service controller implements user-based access control in linkage with the NAD, with services that follow the user.

Anyoffice

AnyOffice is a unified secure mobile office platform, providing a unified mobile office entrance and a flexible application publishing platform. It builds core capabilities at the three points of "terminal, pipe, cloud" and, through unified management and control of networks, devices, applications and data, provides strong support and solid protection for enterprise mobile business innovation. AnyOffice integrates a security sandbox, secure email, a secure browser, enterprise mobility management (EMM), an enterprise application store and other features and components; through a single sign-on framework it achieves an SSO experience for all applications, and helps users achieve 5W1H (Who, Whose Device, What Device, Where, When, How) context awareness and policy linkage, so that they enjoy both mobile freedom and information security in the office.

Main firewall applications in the network

Intranet control and isolation within the enterprise: fine-grained access control; IPS/AV/DLP/URL filtering/QoS management
Internet perimeter protection: fine-grained access control; IPS/AV/DLP/URL/DDoS/Spam; QoS management
Data center isolation: high-performance security; IPS/AV/DLP/DDoS; virtualization security services
Enterprise branch Internet access: VPN transport security; Wi-Fi Internet access identity authentication; IPS/AV/DLP/URL/Spam

Network security device management

Device login: console login / Web interface login / SSH / Telnet login

Console: a PC terminal connected to the device's Console port is used to log in to the device, for the first configuration after power-on. When users cannot access the device remotely, they can log in through the Console; when the device's system cannot start, the Console port can be used for diagnosis or to enter BootRom to upgrade the system.

Web: clients access, control and manage the device through a Web browser. Suitable for logging in from a PC terminal through the Web for configuration.

SSH: provides secure information assurance and strong authentication, protecting the device from IP spoofing and plaintext password interception attacks. SSH login ensures the security of exchanged data to a greater extent.

Telnet: a PC terminal connected to the network logs in to the device through Telnet for local or remote configuration, and the target device authenticates the user according to the configured parameters. Telnet login makes remote management and maintenance of the device convenient.

Device management: by default, USG6000 products have a fixed management interface G0/0/0 on the main panel for managing the device.

Origin blog.csdn.net/TKE_yinian/article/details/104826044