Post on 23-Mar-2018
Eudemon8000E-X Series
As networks enter the IP era, more applications are integrated into the traditional broadband network.
The network bandwidth, threats, and network attack intensity have multiplied exponentially, forcing
companies and carriers to constantly evolve their network architectures. With data communication
entering the era of terabit, the Eudemon8000E-X steps up the demand by providing a scalable and
highly reliable security service platform with terabit capacity. It offers a range of security services, such
as IPv6 security, virtual security systems, VPN, and intrusion prevention, to satisfy the highly integrated,
rapidly responsive, high-speed processing, and continuously evolving network demands from data
centers, carriers, ISPs, and governments.
Overview
Eudemon8000E-X3 Eudemon8000E-X8 Eudemon8000E-X16
Eudemon8000E-X Series Comprehensive High-End Security Gateway
Description
The Eudemon8000E-X series includes three models: Eudemon8000E-X3, Eudemon8000E-X8, and Eudemon8000E-X16. The series provides industry-leading security protection and scalability, with up to 1.44 Tbit/s firewall throughput, over 1.44 billion concurrent connections, and up to 720 Gbit/s VPN performance.
Integrating a dedicated multi-core processing chip and a distributed hardware platform, the Eudemon8000E-X breaks the security limitations imposed by CPU capability, providing leading service processing capability and scalability. All components are redundant, giving the platform reliability equivalent to that of core routers and ensuring service continuity in high-speed network environments. The distributed technology uses line-rate intelligent traffic splitting for data forwarding. Starting with the first packet, all data flows are evenly distributed to service modules to avoid bottlenecks, so that service processing capability grows linearly as service modules are added, sustainably supporting long-term development of the user network.
The Eudemon8000E-X provides various I/O interface modules (LPUs) for external connections and data transmission. The I/O interface modules and service processing modules use similar interface slots, so users can customize security solutions by combining I/O interface modules and service processing modules to match their network interface and capability demands. The Eudemon8000E-X provides 10G POS, 10GE, 40GE, and 100GE interfaces and cross-board port bundling, flexibly adapting to various conditions, such as high interface capacity and density.
The Eudemon8000E-X Service Processing Unit (SPU) processes all services. Each SPU has a subslot, which can house an expansion subcard, allowing flexible service combinations. The Eudemon8000E-X also provides 40 Gbit/s to 160 Gbit/s throughput. The SPU uses multi-core, multi-processor hardware to implement the various service features, and software to implement the heartbeat detection mechanism between an SPU and an LPU as well as the backup mechanism between SPUs. If a security service module fails, its services are immediately redistributed to other service units without service interruption.
Highlights
Most Advanced "NP + Multi-Core + Distributed" Architecture – Linear Multiple Capability Breaks Traditional Bottleneck
The Eudemon8000E-X employs the core router hardware platform to provide modularized components. The
interface module, based on dual NPs, ensures the line rate forwarding of interface traffic. The SPU, based on
the multi-core and multi-thread architecture, ensures high-speed concurrent processing of various services,
such as NAT and VPN services. The processing capability is not affected by CPU's processing capability
limits. The LPU and SPU function separately. Multiple SPUs are deployed to linearly increase the overall
performance, which provides unparalleled expandability and flexibility in protecting the network security, and
ensures low investments up front with capability expansion later.
High Service Processing Capability – Effectively Protecting Key Services
Because of its evolutionary architecture, the Eudemon8000E-X takes the leading role in many areas, including
firewall throughput and maximum number of concurrent connections. Because the Eudemon8000E-X
employs the dedicated traffic splitting technology, the overall performance multiplies linearly as the number
of SPUs increases. The maximum firewall throughput has reached a world-leading 1.44 Tbit/s; the
maximum number of concurrent connections is 1.44 billion; the maximum number of virtual firewalls is 4,096.
These features satisfy the strong demands from carriers, financial service providers, government sectors, and
energy providers.
Most Stable and Reliable Security Gateway Product - Full Redundancy Ensuring Security Service Continuity
Network security has always been a key element of enterprise operation. To ensure service continuity in high-speed network environments, the Eudemon8000E-X supports key technologies such as active/standby networking, active/active networking, interface aggregation, VPN redundancy, and SPU load balancing, as well as unique dual-MPU active/standby switchover, providing a firewall with high-end router reliability and ensuring service continuity at key nodes. The mean time between failures (MTBF) of the Eudemon8000E-X reaches up to 200,000 hours, and the failover time is less than 1 second, which ensures consistent and stable service operation.
Superb VPN Performance – Adapting to the Demands for Encrypted Transfer of Massive Services
With a rising number of network applications, more services require secure transmission over the public network. As a result, services that need 100-Gigabit VPN access gateways are emerging, such as mobile security access, short message service (SMS) push, and email push services. The Eudemon8000E-X supports VPN gateway redundancy. It provides a maximum of 720 Gbit/s encryption performance, supports one million concurrent VPN tunnels, and is currently the highest-performance VPN access gateway. It also supports 4over6 and 6over4 VPN technologies to meet VPN traffic needs during network evolution. In addition, the Eudemon8000E-X supports the IKEv2 protocol, which enhances functions such as user authentication, packet authentication, and NAT traversal, thereby eliminating the risks of man-in-the-middle attacks and denial of service. It also supports the EAP-SIM and EAP-AKA wireless authentication protocols to ensure security during access to wireless networks.
Most Practical Application Security Features – Preventing External Threats & Improving Network Security
Besides supporting basic firewall functions, the Eudemon8000E-X also provides next-generation firewall features, such as intrusion prevention, antivirus, and URL filtering. With its advanced intrusion prevention engine and signature database, the Eudemon8000E-X is capable of defending against threats such as system vulnerabilities, unauthorized automatic downloads, and abnormal protocols. A single vulnerability signature covers thousands of attacks. Supplemented by a globally deployed honeypot system, the Eudemon8000E-X captures the latest attacks, worms, and Trojan horses, providing the capability to defend against zero-day attacks. In antivirus processing, the Eudemon8000E-X employs an intelligent awareness engine (IAE) for in-depth traffic analysis, identifies the protocol type, and then matches the traffic against the antivirus signature database, effectively improving virus detection accuracy and efficiency. Based on more than 85 million URL categories, the Eudemon8000E-X is capable of managing and controlling users' Internet access to comply with national laws and regulations as well as company requirements on Internet access.
To further enhance the practicality of application security, the Eudemon8000E-X uses internal bypass and dedicated module technology, bypassing services in need of intrusion prevention into dedicated service modules for processing. This not only improves the service processing capability but also leaves the firewall's basic services unaffected, ensuring overall service stability.
Specifications
Model | Eudemon8000E-X3 | Eudemon8000E-X8 | Eudemon8000E-X16
Performance and Capacity
Firewall throughput (maximum) | 120 Gbit/s | 0.72 Tbit/s | 1.44 Tbit/s
Firewall throughput (composite traffic) | 120 Gbit/s | 0.72 Tbit/s | 1.44 Tbit/s
Maximum number of concurrent sessions | 160,000,000 | 720,000,000 | 1,440,000,000
IPSec VPN performance (AES) | 56 Gbit/s | 336 Gbit/s | 720 Gbit/s
Maximum number of concurrent IPSec VPN tunnels | 128,000 | 768,000 | 1,000,000
Expansion and I/O
Expansion slots | 3 | 8 | 16
MPU slots | 2
SPU | Firewall and application security SPUs
LPU | Supports GE, 10GE, 40GE, and 100GE interfaces.
Most Comprehensive CGN Features – For Flexible IPv6 Transition
With the exhaustion of IPv4 addresses, networks need to transition smoothly to IPv6 while ensuring a sound service experience. The Eudemon8000E-X supports various transition technologies, including NAT44(4), DS-Lite, 6RD, and NAT64, providing a highly efficient, flexible, reliable, and economical solution for carrier network evolution and service transition. NAT44(4) greatly increases the utilization of IPv4 addresses, easing the IPv4 address exhaustion problem. DS-Lite not only allows a new network to move directly to IPv6, but is also compatible with many IPv4 applications on live networks. Based on the existing IPv4 infrastructure, 6RD rapidly provides users with IPv6 access capability. NAT64 enables IPv6 networks to access IPv4 networks. The Eudemon8000E-X also provides the NAT tracing function for NAT44 and DS-Lite.
Most Abundant Virtualization – For Cloud Network Deployment
With the advent of the cloud computing era, cloud computing, a technology founded on virtualization and high-speed Internet, faces security challenges. The Eudemon8000E-X provides high throughput capability and abundant virtual system functions. It supports multi-faceted virtualization, including resource virtualization, configuration virtualization, and forwarding virtualization, responding to each user's network security needs. Resource virtualization provides customized virtual resources by allocating different resources to different virtual systems. Based on the tenant's management strategy, management virtualization supports personalized policies, log management, and auditing for each standalone virtual firewall. Forwarding virtualization provides customized service processing. The forwarding planes of the virtual systems are isolated from one another. When the resources of one virtual system are depleted, the operation of other virtual systems is not affected. The virtual systems are logically isolated, thereby securing tenants' data in each virtual system.
Security Features
Model | Eudemon8000E-X3 | Eudemon8000E-X8 | Eudemon8000E-X16
Dimensions, Power Supply, and Operating Environment
Dimensions (H x W x D) | 175 mm x 442 mm x 650 mm (4 U, DC); 220 mm x 442 mm x 650 mm (5 U, AC) | 620 mm x 442 mm x 650 mm (14 U) | 1420 mm x 442 mm x 650 mm (32 U)
Weight | Empty: 15 kg (DC); Full configuration: 32 kg (DC); Empty: 25 kg (AC); Full configuration: 42 kg (AC) | Empty: 43.2 kg; Full configuration: 113 kg | Empty: 94.4 kg; Full configuration: 229 kg
AC power supply | 90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended)
DC power supply | –72 V to –38 V; –48 V (rated)
Power consumption | 1270 W | 3960 W | 7540 W
Operating temperature | Operating: 0 °C to 45 °C; Storage: –40 °C to +70 °C
Ambient humidity | Long term: 5% RH to 85% RH, non-condensing; Storage: 0% RH to 95% RH, non-condensing
Basic Firewall Features
Transparent, routing, and hybrid modes
Stateful inspection
Blacklist and whitelist
Access control
Application specific packet filter (ASPF)
Security zone division
Outbound load balancing
ISP-based route
Intelligent uplink selection
Transparent DNS proxy at egress
User-specific traffic control
Application-specific traffic control
Link-specific traffic control
Time-specific traffic control
Inbound load balancing
Smart DNS at ingress
Server load balancing
Application-specific QoS
NAT/CGN
Destination NAT/PAT
NAT No-PAT
Source NAT-IP address persistency
Source IP address pool grouping
NAT Server
Bidirectional NAT
NAT-ALG
Unlimited IP address expansion
Policy-based destination NAT
Port range pre-allocation
Pin access mode
SMART NAT
NAT64
DS-Lite
IPv6 rapid deployment (6RD)
Service awareness
Identification and prevention of over 6000 protocols: P2P, IM, game, stock charting/trading, VoIP, video, stream media, email, mobile phone services, Web browsing, remote access, network management, and news applications
URL filtering
85 million URLs
130+ categories
Trend and top N statistics based on users, IP addresses, categories, and counts
URL filtering log query
Virtual private network (VPN)
DES, 3DES, and AES encryption
MD5 and SHA-1 authentication
Manual key, PKI (X509), and IKEv2
Perfect forward secrecy (DH group)
Anti-replay attack
Transport and tunnel modes
IPSec NAT traversal
Dead peer detection (DPD)
EAP authentication
EAP-SIM and EAP-AKA
VPN gateway redundancy
IPSec v6, IPSec 4 over 6, IPSec 6 over 4
L2TP tunnel
GRE tunnel
Anti-DDoS
SYN-flood, ICMP-flood, TCP-flood, UDP-flood, DNS-flood attack defense
Port-scan, Smurf, Tear-drop, IP-Sweep attack defense
Defense against attacks exploiting IPv6 extension headers
Examining TTL
TCP-mss detection
Attack logs
High availability
Active/standby and active/active modes
Hot standby (Huawei redundancy protocol)
Configuration synchronization
Firewall and IPSec VPN session synchronization
Device fault detection
Link fault detection
Dual-MPU switchover
Antivirus
Detection of 5 million viruses
Flow-based inspection for higher performance
Inspection of encrypted traffic
Trend and top N statistics by virus family
PKI
Online CA certificate enrollment
Online CRL checks
Hierarchical CA certificates
Support for public-key cryptography standards (PKCS#10 protocol)
CA authentication
Support for SCEP, OCSP, and CMPv2 protocols
Self-signed certificate
Intrusion Prevention System
Protocol anomaly detection
User-defined signature
Automatic update of the knowledge bases
Zero-day attack defense
Prevention of worms, Trojan horses, and malware attacks
Network and route
Support for POS, GE, and 10GE interfaces
DHCP relay/server
Policy-based routing (PBR)
IPv4/IPv6 dynamic routing (RIP/OSPF/ISIS/BGP)
Interzone/inter-VLAN routing
Link aggregation, such as Eth-trunk and LACP
Virtual system
Up to 4096 virtual systems (VSYS)
VLAN on virtual systems
Security zones on virtual systems
User-configurable resources on virtual systems
Inter-virtual system routing
Virtual system-specific Committed Access Rate (CAR)
Management virtualization
Resource isolation for different tenants
Management
Web UI (HTTP and HTTPS)
CLI (console)
CLI (Telnet)
CLI (SSH)
U2000/VSM network management
Hierarchical administrators
Software upgrade
Configuration rollback
STelnet and SFTP
Authentication
Security authentication
Electromagnetic Compatibility (EMC) certification
CB, RoHS, FCC, MET, C-tick, and VCCI authentication
Logging/Monitoring
Structured syslog
SNMP (v2)
Binary log
Traceroute
Log server (eLog)
User authentication and access control
Built-in (internal) database
RADIUS accounting
Web-based authentication