HUAWEI Secospace USG6600 Next-Generation Firewall Datasheet Huawei Technologies Co., Ltd.

Upload: phamhanh

Post on 23-Mar-2018


HUAWEI Secospace USG6600

Next-Generation Firewall Datasheet

Huawei Technologies Co., Ltd.


2013-8-26 Huawei Confidential Page 2 of 19

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notes:

The purchased products, services, and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services, and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change due to version upgrade or other reasons. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Tel: 4008302118


With the popularity of mobile working using smartphones and tablets, mobile apps, Web2.0, and social networking have become integral parts of enterprise operation. These changes in IT environments greatly improve communication efficiency for enterprises, but they blur network borders and make information security more challenging. Traditional security gateways implement security control based only on IP addresses and ports, and cannot cope with the ever-increasing application-layer and web threats.

Against this background, Huawei launches the Secospace USG6000 series next-generation firewall to address these challenges. With the awareness of applications, content, time, users, attacks, and locations, the USG6000 series clearly maps the network environment to the service environment and provides application- and user-based security management and QoS management functions. Based on application identification, the USG6000 series provides powerful IPS, AV, and data leak prevention capabilities to efficiently and comprehensively secure enterprise information.

Application protection is the core of next-generation security. Configuring and managing application protection require more administrators with higher skills, increasing maintenance costs. However, the USG6000 series eliminates such concerns by using the industry-leading SmartPolicy technology to automatically generate security policies based on the service awareness result, making next-generation security simple, consistent, and cost-effective.

Product Appearance

Features and Highlights

Granular Application Access Control

In the Web2.0 era, social networking and IM applications are widely used for communication and information sharing on enterprise networks. A massive number of applications are in use, and most of them use the same protocol (HTTP) and the same port. Traditional firewalls are aware of IP addresses and ports, but not of user information, service environment, and application-layer information. However, awareness is the basis of access control and security protection. Firewalls require comprehensive context awareness to effectively take actions and protect information security.

The Huawei USG6000 series next-generation firewall analyzes intranet service traffic from six dimensions (application, content, time, user, attack, and location) and implements comprehensive network protection.

Application: Identifies 6000+ mobile and web applications using technologies such as feature identification, port identification, correlation identification, and behavior identification. Application awareness, coupled with antivirus scanning, can recognize traffic of different applications and detect the viruses, Trojan horses, and malware hidden in applications.

User: Supports eight user authentication methods, including RADIUS, LDAP, and AD authentication, to associate traffic IP addresses and ports with users for per-user traffic control.

Threat: Provides over 3000 signatures for attack identification. The USG6000 series defends against web application attacks, such as cross-site scripting and SQL injection attacks, identifies and defends against more than 10 types of DDoS attacks, including SYN flood and UDP flood attacks, and identifies more than 5,000,000 viruses. With cloud-based URL filtering enabled, the USG6000 series provides over 85,000,000 predefined URLs to block malicious websites.

Content: Identifies and filters the files and content to be transferred. The USG6000 series reassembles and filters over 20 types of files, including Word, Excel, PPT, PDF, and RAR, and identifies more than 60 types of file name extensions to prevent data leaks and virus attacks even when the file name extensions are intentionally modified.

Time: Records the time when traffic anomalies or security events occur to provide evidence for audit.

Location: Identifies the location where the traffic is initiated to implement differentiated traffic control in different regions. The USG6000 series supports location customization based on IP addresses.

Based on the ACTUAL-awareness system, the USG6000 series next-generation firewall accurately identifies threats hidden in applications and implements granular access control and network protection.

Easy Security Management

Traditional security gateways and most next-generation firewalls can only passively execute policies configured by administrators. However, in the real world, attacks are usually a step ahead of network administrators. Therefore, relying completely on administrators cannot protect network security in the long run. In contrast, the Huawei USG6000 series next-generation firewall can proactively discover network risks and dynamically generate protection and optimization advice, like a security consultant. In the long run, proactive functions of security appliances are better than relying completely on administrators.


Compared with traditional security gateways, the next-generation firewall features granular application control and in-depth application protection. Compared with traditional firewalls, using 5-tuple-based policies on the next-generation firewall does not improve network security. Next-generation firewalls have more powerful functions. However, configuring and managing these functions require more administrators with higher skills, which means a higher operation cost.

The USG6000 series resolves this issue using the SmartPolicy technology. After automatic traffic pattern learning, the USG6000 automatically generates security policies using the predefined knowledge base. Enterprise administrators need only confirm the policies before the firewall applies them to the network. The SmartPolicy function decreases the TCO by 30% using the following functions:

Dynamically discover security risks and automatically generate defense policies.

Discover invalid and redundant policies to remove them.

Discover incorrect policies, such as the policy in which the source and destination zones are any, but the action is permit.

Excellent Performance

Nowadays, hackers are launching organized attacks for illegal gains. Therefore, in-depth application protection, such as application-layer access control and intrusion prevention, becomes a must for network protection. However, the throughput of UTM devices is poor when application-layer protection is enabled.


In contrast, the USG6000 series uses the Intelligent Awareness Engine (IAE) to implement Layer-7 protection and still deliver the throughput of a Layer-4 gateway. The traditional threat detection engine implements per-packet inspection and is easy to evade. The IAE analyzes and processes multiple services concurrently. The hardware acceleration module conducts core application analysis and signature matching, concurrently processing each security service, and updates the security status. This structure ensures the minimum compromise of the overall performance with multiple security services enabled. In terms of hardware, the USG6000 series uses the dedicated multi-core platform for parallel processing. In addition, it uses the hardware acceleration technology and the content security acceleration chip on the CPU to function with the IAE for a higher detection efficiency. The combination of the intelligent awareness engine and the elastic hardware structure enables the USG6000 series to deliver 10-Gigabit level threat prevention performance, meeting the security protection requirements of large enterprise data centers.

Prevention of Unknown Threats

Unknown threats refer to the threats whose signatures are not yet extracted. These threats attack networks mainly through email and web access. Unknown attacks may occur when a user downloads a malicious email attachment, clicks a malicious URL link in an email message, executes a malicious script, or downloads a malicious file. However, the security devices cannot detect such attacks because they have no signatures to match them.

To address this issue, the Huawei USG6000 series next-generation firewall uses the Power Fortress Cloud detection system to detect unknown threats. This system simulates suspicious samples collected around the world in the cloud sandbox and virtualization system to analyze these samples, including behavior analysis and service awareness, to detect viruses, 0-day attacks, phishing websites, botnets, and malicious websites. If any threat is found in a sample, the system further identifies the threat by IP address, domain name, file, URL, location, spam, user IP, and history. Then the system updates the global reputation detection and query system in the cloud. With the 7 x 24 push service of the Power Fortress Cloud-U cloud center for security knowledge base updates, the USG6000 series can obtain the latest threat detection and prevention capability to effectively defend against unknown threats.

Typical Application Scenarios

Enterprise Intranet Management and Isolation

Security challenges:

1. Isolation of service departments or areas and mutual access management

2. Accurate user identification and access permission control

3. Identification of PCs, tablets, and mobile applications and unified network behavior management

4. Prevention of confidential data leaks through social networking websites, instant messaging, and Internet storage applications

Solution:

1. Deploy next-generation firewalls at internal network borders.

2. Configure firewall policies to implement user-based access control on PC users.

3. Implement user- and application-based policy control on mobile users for refined permission management and logging.

4. Implement content filtering and auditing on email transfer, IM, and file transfer to monitor social networking applications and prevent data leaks.

Internet Border Protection

Security challenges:

1. Anonymous access or access with forged identities from the Internet

2. Large-scale and organized DDoS attacks, paralyzing the service platform

3. Confidential data leaks through social networking websites, instant messaging, and Internet storage applications


4. Employees' access to malicious websites, bringing threats to the intranet

5. Employees' access to non-work-related websites, affecting productivity

Solution:

1. Deploy a next-generation firewall at the Internet egress to implement access control and prevent unauthorized access.

2. Enable intrusion prevention and provide 10-Gigabit level application-layer protection.

3. Enable anti-DDoS to clean massive traffic and ensure service qualities.

4. Implement content filtering and auditing on email transfer, IM, and file transfer to monitor social networking applications and prevent data leaks.

5. Implement user-, application-, and time-based QoS management to preferentially guarantee the service qualities for mission-critical personnel and services.

6. Use URL categories and application blocking to prevent Trojan horse websites and non-work-related websites and monitor the accessible websites and available network applications.

Data Center Isolation

Security challenges:

1. In the virtualization-based cloud computing environment, each virtual system must be independently protected to provide services for multiple tenants or provide different services for one tenant.

2. The big and centralized data faces unprecedented privacy challenges from hackers.

3. Data centers must provide reliable services in real time. However, DoS attacks occur frequently.

Solution:

1. Deploy a USG series next-generation firewall which virtualizes all security services and system resources to provide exceptional experiences for each virtual system.

2. Enable the 10-Gigabit level intrusion prevention function to effectively block attacks and provide differentiated defense functions in different virtual systems.

3. Enable anti-DDoS to remove DDoS traffic and protect data centers.

Enterprise Branch Interconnection (VPN Remote Interconnection)

Security challenges:

1. The sensitive data exchanged between headquarters and branch offices faces the risk of in-transit interception and tampering.

2. Intranet access from mobile devices is insecure.

Solution:

1. Deploy a USG series next-generation firewall which provides five VPN access methods and over 10 encryption algorithms to establish a reliable, controllable, and manageable tunnel for secure data transfer on the Internet.

2. Provide SSL VPN across multiple platforms (including Windows, iOS, Android, BlackBerry, and Symbian).


Specifications

Model                         USG6650      USG6660      USG6680
Firewall throughput           20 Gbit/s    25 Gbit/s    40 Gbit/s
IPS throughput                10 Gbit/s    13 Gbit/s    20 Gbit/s
Threat prevention throughput  10 Gbit/s    13 Gbit/s    20 Gbit/s
Concurrent sessions           8,000,000    10,000,000   12,000,000
New sessions per second       300,000      350,000      400,000
IPSec VPN throughput          12 Gbit/s    16 Gbit/s    20 Gbit/s
Virtual firewalls             500          500          1000

Expansion and I/O

Fixed port                    2 x 10GE+8GE+8SFP    4 x 10GE+16GE+8SFP
Expansion Slots               6 x WSIC             2 x WSIC
Interface module              WSIC: 2 x 10GE (SFP+)+8 x GE (RJ45), 8 x GE (RJ45), 8 x GE (SFP), 4 x GE (RJ45) BYPASS

Functions

Context awareness

ACTUAL (Application, Content, Time, User, Attack, Location)–based awareness capabilities

Eight authentication methods (local, RADIUS, HWTACACS, SecureID, AD, CA, LDAP, and Endpoint Security)

Application security

Fine-grained identification of over 6000 application protocols, application-specific action, and online update of protocol databases

Combination of application identification and virus scanning to recognize the viruses (more than 5 million), Trojan horses, and malware hidden in applications

Combination of application identification and content detection to identify file types and sensitive information to prevent information leaks

Intrusion prevention

Provides over 3000 signatures for attack identification.

Provides protocol identification to defend against abnormal protocol behaviors.

Supports user-defined IPS signatures.

Web security

Cloud-based URL filtering with a URL category database that contains over 85 million URLs in over 130 categories

Defense against web application attacks, such as cross-site scripting and SQL injection attacks

HTTP/HTTPS/FTP-based content awareness to defend against web viruses

URL blacklist and whitelist and keyword filtering

Email security

Real-time anti-spam to detect and filter out phishing emails

Local whitelist and blacklist, remote real-time blacklist, content filtering, keyword filtering, and mail filtering by attachment type, size, and quantity

Virus scanning and notification for POP3/SMTP/IMAP email attachments

Data security

Data leak prevention based on content awareness

File reassembly and data filtering for more than 20 file types (including Word, Excel, PPT, and PDF), and file blocking for more than 60 file types

Security virtualization*

Virtualization of security features, forwarding statistics, users, management operations, views, and resources (such as bandwidths and sessions)

Network security

Defense against more than 10 types of DDoS attacks, such as the SYN flood and UDP flood attacks

VPN technologies: IPSec VPN, SSL VPN, L2TP VPN, MPLS VPN, and GRE

Routing

IPv4: static routing, RIP, OSPF, BGP, and IS-IS

IPv6: RIPng, OSPFv3, BGP4+, IPv6 IS-IS, IPv6 RD, and ACL6

Working mode and availability

Transparent, routing, or hybrid working mode and high availability (HA), including the Active/Active and Active/Standby mode

Intelligent management*

SmartPolicy: evaluates the network risks based on the passed traffic and intelligently generates policies based on the evaluation to automatically optimize security policies. Supports policy matching ratio analysis and the detection of conflicting and redundant policies to remove them, simplifying policy management.

Provides a global configuration view and integrated policy management. The configurations can be completed in one page.

Provides visualized and multi-dimensional report display by user, application, content, time, traffic, threat, and URL.

Specifications

Height                        3 U
Dimensions (H x W x D)        130.5 mm x 442 mm x 415 mm
Weight (full configuration)   24 kg
HDD                           Optional. Supports 300 GB hard disks (RAID1 and hot swappable).
Redundant power supply        Standard configuration
AC power supply               100 V to 240 V
DC power supply               –48 V to –60 V
Maximum power                 350 W
Operating environment         Temperature: 5℃ to 40℃/Humidity: 10% to 90%
Non-operating environment     Temperature: -40℃ to 70℃/Humidity: 5% to 95%

Note: The features marked with an asterisk (*) will be available soon.


Ordering Guide

USG6650 Quotation Items

Model Description

Main device

USG6650-AC USG6650 AC Host(8GE(RJ45)+8GE(SFP)+2*10GE(SFP+),16G Memory,2 AC Power),with HW General Security Platform Software

USG6650-BDL-AC USG6650 AC Host(8GE(RJ45)+8GE(SFP)+2*10GE(SFP+),16G Memory,2 AC Power,IPS/AV/URL/AS Function Group Update Service Renewal Subscribe 12 Months per Set),with HW General Security Platform Software

Interface card

WSIC-8GE 8GE Optical Ports WSIC Card,with HW General Security Platform Software

WSIC-4GEBYPASS 4GE Electric Ports Bypass Card,with HW General Security Platform Software

WSIC-8GEF 8GE Electric Ports Interface Card,with HW General Security Platform Software

WSIC-2XG8GE 2*10GE Optical+8GE Electric Ports Interface Card,with HW General Security Platform Software

Disk

SM-HDD-SAS300G-A 300GB 10K RPM SAS Hard Disk Unit

Optical transceiver

OSX040N01 Optical Transceiver,SFP+,10G,Single-mode Module(1550nm,40km,LC)

OSU015N00 Optical Transceiver,eSFP,2.5G,Single-mode Module(1310nm,15km,LC)

SFP-GE-LX-SM1310 Optical Transceiver,eSFP,GE,Single-mode Module(1310nm,10km,LC)

eSFP-GE-SX-MM850 Optical Transceiver,eSFP,GE,Multi-mode Module(850nm,0.5km,LC)

eSFP-FE-LX-SM1310 Optical Transceiver,eSFP,100M/155M,Single-mode Module(1310nm,15km,LC)

S-SFP-FE-LH40-SM1310 Optical Transceiver,eSFP,FE,Single-mode Module(1310nm,40km,LC)


S-SFP-FE-LH80-SM1550 Optical Transceiver,eSFP,FE,Single-mode Module(1550nm,80km,LC)

S-SFP-GE-LH40-SM1310 Optical Transceiver,eSFP,GE,Single-mode Module(1310nm,40km,LC)

OMXD30000 Optical Transceiver,SFP+,10G,Multi-mode Module(850nm,0.3km,LC)

OSX010000 Optical Transceiver,SFP+,10G,Single-mode Module(1310nm,10km,LC)

Outsourced components

SU5M1RAIL01 Cabinet Guide Rail

QW1P0FIBER06 Optical adapter-LC/PC-LC/PC-Blue-Shell:Plastic-Sleeve:Zirconia-Square

SS-OP-D-LC-M-5 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-5m-PVC-Orange

SS-OP-D-LC-M-10 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-10m-PVC-Orange

SS-OP-D-LC-M-20 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-20m-PVC-Orange

SS-OP-D-LC-S-6 Patch cord-LC/PC-LC/PC-Single mode-G.652D-2mm-6m-PVC-Yellow

SS-OP-D-LC-S-10 Patch cord-LC/PC-LC/PC-Single mode-G.652D-2mm-10m-PVC-Yellow

SS-OP-D-LC-S-20 Patch cord-LC/PC-LC/PC-Single mode-G.652-2mm-20m-PVC-Yellow

SS-OP-LC-SC-M-20 Patch cord-LC/PC-SC/PC-Multimode-A1b-2mm-20m-PVC-Orange

SS-OP-LC-SC-S-20 Patch cord-LC/PC-SC/PC-Single mode-G.652-2mm-20m-PVC-Yellow

SS-OP-LC-FC-M-10 Patch cord-FC/PC-LC/PC-Multimode-A1b-2mm-10m-PVC-Orange

SS-OP-LC-FC-S-10 Patch cord-FC/PC-LC/PC-Single mode-G.652D-2mm-10m-PVC-Yellow

Basic license

USG6000-LFWSSL01 Quantity of SSL VPN Concurrent Users(100 Users),with HW General Security Platform Software

USG6000-LFWSSL02 Quantity of SSL VPN Concurrent Users(200 Users),with HW General Security Platform Software

USG6000-LFWSSL03 Quantity of SSL VPN Concurrent Users(500 Users),with HW General Security Platform Software

USG6000-LFWSSL04 Quantity of SSL VPN Concurrent Users(1000 Users),with HW General Security Platform Software

USG6000-LFWSSL05 Quantity of SSL VPN Concurrent Users(2000 Users),with HW General Security Platform Software

USG6000-LFWSSL06 Quantity of SSL VPN Concurrent Users(5000 Users),with HW General Security Platform Software

USG6000-LFWSEC0 Encryption Function License,with HW General Security Platform Software

NGFW license

USG6600-LFWIPS05 IPS Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWIPS06 IPS Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWURL05 URL Filtering Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWURL06 URL Filtering Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWAV05 Anti-Virus Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWAV06 Anti-Virus Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWIPSAVURL05 IPS-AV-URL-AS Function Group Subscribe 12 Months,with HW General Security Platform Software

USG6600-LFWIPSAVURL06 IPS-AV-URL-AS Function Group Subscribe 36 Months,with HW General Security Platform Software

USG6000-LFWVSYS Virtual System

LIC-CONTENT Content Filter

USG6660 Quotation Items

Model Description

Main device

USG6660-AC USG6660 AC Host(8GE(RJ45)+8GE(SFP)+2*10GE(SFP+),16G Memory,2 AC Power),with HW General Security Platform Software

USG6660-BDL-AC USG6660 AC Host(8GE(RJ45)+8GE(SFP)+2*10GE(SFP+),16G Memory,2 AC Power,IPS/AV/URL/AS Function Group Update Service Renewal Subscribe 12 Months per Set),with HW General Security Platform Software


USG6660-DC USG6660 AC Host(8GE(RJ45)+8GE(SFP)+2*10GE(SFP+),16G Memory,2 AC Power),with HW General Security Platform Software

Interface card

WSIC-8GE 8GE Optical Ports WSIC Card,with HW General Security Platform Software

WSIC-4GEBYPASS 4GE Electric Ports Bypass Card,with HW General Security Platform Software

WSIC-8GEF 8GE Electric Ports Interface Card,with HW General Security Platform Software

WSIC-2XG8GE 2*10GE Optical+8GE Electric Ports Interface Card,with HW General Security Platform Software

Disk

SM-HDD-SAS300G-A 300GB 10K RPM SAS Hard Disk Unit

Optical transceiver

OSX040N01 Optical Transceiver,SFP+,10G,Single-mode Module(1550nm,40km,LC)

OSU015N00 Optical Transceiver,eSFP,2.5G,Single-mode Module(1310nm,15km,LC)

SFP-GE-LX-SM1310 Optical Transceiver,eSFP,GE,Single-mode Module(1310nm,10km,LC)

eSFP-GE-SX-MM850 Optical Transceiver,eSFP,GE,Multi-mode Module(850nm,0.5km,LC)

eSFP-FE-LX-SM1310 Optical Transceiver,eSFP,100M/155M,Single-mode Module(1310nm,15km,LC)

S-SFP-FE-LH40-SM1310 Optical Transceiver,eSFP,FE,Single-mode Module(1310nm,40km,LC)

S-SFP-FE-LH80-SM1550 Optical Transceiver,eSFP,FE,Single-mode Module(1550nm,80km,LC)

S-SFP-GE-LH40-SM1310 Optical Transceiver,eSFP,GE,Single-mode Module(1310nm,40km,LC)

OMXD30000 Optical Transceiver,SFP+,10G,Multi-mode Module(850nm,0.3km,LC)

OSX010000 Optical Transceiver,SFP+,10G,Single-mode Module(1310nm,10km,LC)

Outsourced components

SU5M1RAIL01 Cabinet Guide Rail

QW1P0FIBER06 Optical adapter-LC/PC-LC/PC-Blue-Shell:Plastic-Sleeve:Zirconia-Square


SS-OP-D-LC-M-5 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-5m-PVC-Orange

SS-OP-D-LC-M-10 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-10m-PVC-Orange

SS-OP-D-LC-M-20 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-20m-PVC-Orange

SS-OP-D-LC-S-6 Patch cord-LC/PC-LC/PC-Single mode-G.652D-2mm-6m-PVC-Yellow

SS-OP-D-LC-S-10 Patch cord-LC/PC-LC/PC-Single mode-G.652D-2mm-10m-PVC-Yellow

SS-OP-D-LC-S-20 Patch cord-LC/PC-LC/PC-Single mode-G.652-2mm-20m-PVC-Yellow

SS-OP-LC-SC-M-20 Patch cord-LC/PC-SC/PC-Multimode-A1b-2mm-20m-PVC-Orange

SS-OP-LC-SC-S-20 Patch cord-LC/PC-SC/PC-Single mode-G.652-2mm-20m-PVC-Yellow

SS-OP-LC-FC-M-10 Patch cord-FC/PC-LC/PC-Multimode-A1b-2mm-10m-PVC-Orange

SS-OP-LC-FC-S-10 Patch cord-FC/PC-LC/PC-Single mode-G.652D-2mm-10m-PVC-Yellow

Basic license

USG6000-LFWSSL01 Quantity of SSL VPN Concurrent Users(100 Users),with HW General Security Platform Software

USG6000-LFWSSL02 Quantity of SSL VPN Concurrent Users(200 Users),with HW General Security Platform Software

USG6000-LFWSSL03 Quantity of SSL VPN Concurrent Users(500 Users),with HW General Security Platform Software

USG6000-LFWSSL04 Quantity of SSL VPN Concurrent Users(1000 Users),with HW General Security Platform Software

USG6000-LFWSSL05 Quantity of SSL VPN Concurrent Users(2000 Users),with HW General Security Platform Software

USG6000-LFWSSL06 Quantity of SSL VPN Concurrent Users(5000 Users),with HW General Security Platform Software

USG6000-LFWSEC0 Encryption Function License,with HW General Security Platform Software

NGFW license

USG6600-LFWIPS05 IPS Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWIPS06 IPS Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWURL05 URL Filtering Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWURL06 URL Filtering Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWAV05 Anti-Virus Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWAV06 Anti-Virus Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWIPSAVURL05 IPS-AV-URL-AS Function Group Subscribe 12 Months,with HW General Security Platform Software

USG6600-LFWIPSAVURL06 IPS-AV-URL-AS Function Group Subscribe 36 Months,with HW General Security Platform Software

USG6000-LFWVSYS Virtual System

LIC-CONTENT Content Filter

USG6680 Quotation Items

Model Description

Main device

USG6680-AC USG6680 AC Host(16GE(RJ45)+8GE(SFP)+4*10GE(SFP+),16G Memory,2 AC Power),with HW General Security Platform Software

USG6680-BDL-AC USG6680 AC Host(16GE(RJ45)+8GE(SFP)+4*10GE(SFP+),16G Memory,2 AC Power,IPS/AV/URL/AS Function Group Update Service Renewal Subscribe 12 Months per Set),with HW General Security Platform Software

USG6680-DC USG6680 AC Host(16GE(RJ45)+8GE(SFP)+4*10GE(SFP+),16G Memory,2 AC Power),with HW General Security Platform Software

Interface card

WSIC-8GE 8GE Optical Ports WSIC Card,with HW General Security Platform Software

WSIC-4GEBYPASS 4GE Electric Ports Bypass Card,with HW General Security Platform Software

WSIC-8GEF 8GE Electric Ports Interface Card,with HW General Security Platform Software

WSIC-2XG8GE 2*10GE Optical+8GE Electric Ports Interface Card,with HW General Security Platform Software

Disk


SM-HDD-SAS300G-A 300GB 10K RPM SAS Hard Disk Unit

Optical transceiver

OSX040N01 Optical Transceiver,SFP+,10G,Single-mode Module(1550nm,40km,LC)

OSU015N00 Optical Transceiver,eSFP,2.5G,Single-mode Module(1310nm,15km,LC)

SFP-GE-LX-SM1310 Optical Transceiver,eSFP,GE,Single-mode Module(1310nm,10km,LC)

eSFP-GE-SX-MM850 Optical Transceiver,eSFP,GE,Multi-mode Module(850nm,0.5km,LC)

eSFP-FE-LX-SM1310 Optical Transceiver,eSFP,100M/155M,Single-mode Module(1310nm,15km,LC)

S-SFP-FE-LH40-SM1310 Optical Transceiver,eSFP,FE,Single-mode Module(1310nm,40km,LC)

S-SFP-FE-LH80-SM1550 Optical Transceiver,eSFP,FE,Single-mode Module(1550nm,80km,LC)

S-SFP-GE-LH40-SM1310 Optical Transceiver,eSFP,GE,Single-mode Module(1310nm,40km,LC)

OMXD30000 Optical Transceiver,SFP+,10G,Multi-mode Module(850nm,0.3km,LC)

OSX010000 Optical Transceiver,SFP+,10G,Single-mode Module(1310nm,10km,LC)

Outsourced components

SU5M1RAIL01 Cabinet Guide Rail

QW1P0FIBER06 Optical adapter-LC/PC-LC/PC-Blue-Shell:Plastic-Sleeve:Zirconia-Square

SS-OP-D-LC-M-5 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-5m-PVC-Orange

SS-OP-D-LC-M-10 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-10m-PVC-Orange

SS-OP-D-LC-M-20 Patch cord-LC/PC-LC/PC-Multimode-A1b-2mm-20m-PVC-Orange

SS-OP-D-LC-S-6 Patch cord-LC/PC-LC/PC-Single mode-G.652D-2mm-6m-PVC-Yellow

SS-OP-D-LC-S-10 Patch cord-LC/PC-LC/PC-Single mode-G.652D-2mm-10m-PVC-Yellow

SS-OP-D-LC-S-20 Patch cord-LC/PC-LC/PC-Single mode-G.652-2mm-20m-PVC-Yellow

SS-OP-LC-SC-M-20 Patch cord-LC/PC-SC/PC-Multimode-A1b-2mm-20m-PVC-Orange

SS-OP-LC-SC-S-20 Patch cord-LC/PC-SC/PC-Single mode-G.652-2mm-20m-PVC-Yellow

SS-OP-LC-FC-M-10 Patch cord-FC/PC-LC/PC-Multimode-A1b-2mm-10m-PVC-Orange

SS-OP-LC-FC-S-10 Patch cord-FC/PC-LC/PC-Single mode-G.652D-2mm-10m-PVC-Yellow

Basic license

USG6000-LFWSSL01 Quantity of SSL VPN Concurrent Users(100 Users),with HW General Security Platform Software

USG6000-LFWSSL02 Quantity of SSL VPN Concurrent Users(200 Users),with HW General Security Platform Software

USG6000-LFWSSL03 Quantity of SSL VPN Concurrent Users(500 Users),with HW General Security Platform Software

USG6000-LFWSSL04 Quantity of SSL VPN Concurrent Users(1000 Users),with HW General Security Platform Software

USG6000-LFWSSL05 Quantity of SSL VPN Concurrent Users(2000 Users),with HW General Security Platform Software

USG6000-LFWSSL06 Quantity of SSL VPN Concurrent Users(5000 Users),with HW General Security Platform Software

USG6000-LFWSEC0 Encryption Function License,with HW General Security Platform Software

NGFW license

USG6600-LFWIPS05 IPS Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWIPS06 IPS Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWURL05 URL Filtering Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWURL06 URL Filtering Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWAV05 Anti-Virus Update Service Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWAV06 Anti-Virus Update Service Subscribe 36 Months,With HW General Security Platform Software

USG6600-LFWIPSAVURL05 IPS-AV-URL Function Group Subscribe 12 Months,With HW General Security Platform Software

USG6600-LFWIPSAVURL06 IPS-AV-URL Function Group Subscribe 36 Months,With HW General Security Platform Software

USG6000-LFWVSYS Virtual System

LIC-CONTENT Content Filter

About This Publication

This publication is for reference only and shall not constitute any commitments or guarantees.

All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.

Copyright © Huawei Technologies Co., Ltd. All rights reserved.