Doc. code HUAWEI USG5500 series Unified Security Gateway Sales Guide Issue 1.0 Date 2012-10-20 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the commercial contract made between Huawei and the customer. All or partial products, services and features described in this document may not be within the purchased scope or the usage scope. Unless otherwise agreed by the contract, all statements, information, and recommendations in this document are provided “AS IS” without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com


Contents

1 General Marketing Strategy
1.1 Product Positioning
1.2 Product Series
1.3 License Policy

2 Major Selling Points
2.1 Powerful and Reliable UTM – Effectively Protecting Key Services
2.2 Identifying 1000+ Application Protocols
2.3 Full Service Integration – Configuring Software and Hardware Based on Demands and Supporting Enhanced Extension
2.4 Simple and Easy-to-Use UTM – Instant Use Upon Enabling, Dynamic Update, and Real-Time Assurance

3 Version Description
3.1 V300R001 Version Description
3.2 Hardware Platform and Version Support

4 Competitive Strategy
4.1 Guided Selling Points

5 Marketing Opportunities and Typical Application Scenarios
5.1 Network Border Protection
5.2 Security Interconnection Solutions for Enterprise and Organization Networks
5.3 SSL VPN Solutions for Enterprise Networks
5.4 IDC Protection Solution
5.5 Integrated Security Solution for Enterprise Networks

1 General Marketing Strategy

1.1 Product Positioning

The USG5500 series unified security gateways are developed in-house by Huawei for the mid-range security market. The USG5500 series use industry-leading software and hardware architectures and integrate various security functions such as firewall, network address translation (NAT), routing, switching, virtual private network (VPN), anti-virus (AV), intrusion protection system (IPS), anti-spam (AS), uniform resource locator (URL) filtering, and application control. The USG5500 series are widely applied in the government, finance, electricity, telecommunications, petroleum, education, and industrial manufacturing industries.

The USG5500 series provide 6 Gbit/s to 32 Gbit/s processing capacity and support 10GE, GE, USB-3G, and Bypass extension plug-in cards. The USG5500 series provide a maximum of 14 x 10GE interfaces and 64 x GE interfaces.

1.2 Product Series

The USG5520S is a 1 U device and provides 4 x GE electrical interfaces and 4 x GE Combo interfaces. The USG5520S supports 2 x FIC extension slots. The USG5520S provides two USB interfaces. The power supply of the USG5520S is AC and can work in AC 1+1 redundancy mode.

The USG5530S is a 1 U device and provides 4 x GE electrical interfaces and 4 x GE Combo interfaces. The USG5530S supports 2 x FIC extension slots. The USG5530S provides two USB interfaces. The power supply of the USG5530S is AC and can work in AC 1+1 redundancy mode.

The USG5530 is a 3 U device and provides 4 x GE electrical interfaces and 4 x GE Combo interfaces. The USG5530 supports 1 x DMIC and 6 x FIC extension slots. The USG5530 provides two USB interfaces. The power supply of the USG5530 is AC and can work in AC 1+1 redundancy mode.

The USG5550 is a 3 U device and provides 4 x GE electrical interfaces and 4 x GE Combo interfaces. The USG5550 supports 1 x DMIC and 5 x FIC extension slots. The USG5550 provides two USB interfaces. Two USG5550 types, that is, AC and DC, are available. The power supply of the USG5550 works in 1+1 redundancy mode.

The USG5560 is a 3 U device and provides 4 x GE electrical interfaces, 4 x GE Combo interfaces and 8 x GE optical interfaces. The USG5560 supports 5 x FIC extension slots. The USG5560 provides two USB interfaces. Two USG5560 types, that is, AC and DC, are available. The power supply of the USG5560 works in 1+1 redundancy mode.

1.3 License Policy

The licenses for the V300R001 version are as follows:

License for controlling the number of SSL VPN concurrent users
License for controlling the number of virtual firewalls

The preceding licenses are resource licenses. After a customer purchases a certain number of resources for corresponding functions, the licenses can be accumulated for life-long use. The following table lists the upper limits of authorized resources.

| Product | Upper Limit of SSL VPN Concurrent Users | Upper Limit of Virtual Firewalls |
|---|---|---|
| USG5500 series | 500 | 100 |

License for the AV upgrade service
License for the IPS upgrade service
License for the AS upgrade service
License for the URL filtering upgrade service
License for the 4-in-1 service (AV, IPS, AS, and URL)

The preceding unified threat management (UTM) licenses are service duration licenses. A customer can purchase the upgrade service duration for the corresponding service. The upgrade service is provided for free for the initial service purchase.

Licenses are bound to devices. A license file can be activated on only one device. Multiple devices cannot share a license.

2 Major Selling Points

2.1 Powerful and Reliable UTM – Effectively Protecting Key Services

The UTM integrates the advanced IPS and AV technologies developed by Symantec. The UTM uses various decompression algorithms and integrates exclusive engine technologies such as virtual engine, script resolution engine, and PDF engine. The UTM merges various anti-detection technologies and uses Huawei's dedicated integrated detection engine. By continuously upgrading the feature library, the UTM supports a detection ratio higher than 99% and achieves real security protection. With the user-centered policy configurations, the UTM supports policy configuration for specific users. In this manner, policy matching and locating become accurate and anti-detection becomes difficult.

The IPS uses the advanced IPS detection engine developed by Symantec and can effectively and accurately scan network packets. The IPS can accurately identify anti-IPS detection and spoofing activities.

The AV module uses the advanced virus detection engine developed by Symantec and can detect viruses hidden in network traffic. The AV module supports effective and accurate virus scanning capability.

The AS module can effectively intercept spam and clean enterprises' mail systems. By blocking spam, the AS module helps enterprises improve work efficiency. The AS module can control the sending and receiving of anonymous mails, control mail senders and receivers, filter mail titles or key words in texts, and control internal employees' mail behaviors such as attachment names, types, size, and quantity.

The web filtering module supports URL-based filtering and Web key word-based filtering. The URL filtering function uses the advanced matching engine, which greatly shortens the URL matching duration and improves the URL filtering efficiency. The Web key word function can filter key words of search engines, Web pages, and POST packets, control the names, types, and size of uploaded and downloaded files, and control the HTTP POST packets.

The UTM virtualization function integrates the UTM functions and the virtual firewalls. The UTM virtualization function provides independent policy configurations and advanced security protection for each virtual firewall.

2.2 Identifying 1000+ Application Protocols

Huawei deploys multiple attack defense labs, Honeynet, and Honeypot systems. Service awareness helps you learn the latest security threat and attack information and extract threat and attack features for upgrading products, maintaining high product security, and ensuring continuous increase of investments.

Huawei has built industry-leading security analysis and research teams. After many years of accumulated experience, Huawei leads the industry in the application protocol identification field. Service awareness can accurately identify 1000+ mainstream application protocols. You can control network traffic based on actual network and service status. In this manner, network bandwidth is saved and reliability of major services is ensured.

2.3 Full Service Integration – Configuring Software and Hardware Based on Demands and Supporting Enhanced Extension

The USG5500 series integrate the traditional firewall, UTM, routing, and switching functions and support extension of 10GE interfaces. The USG5500 series support the most VPN access functions in the industry, including the Layer 2 Tunneling Protocol (L2TP), IP Security (IPsec), Secure Sockets Layer (SSL), Generic Routing Encapsulation (GRE), and Multiprotocol Label Switching (MPLS) L3 VPNs. In actual applications, you can select appropriate software and hardware based on network and service requirements. Flexible and rich extension capability can fulfill continuously changing software and hardware requirements, protect customers' investments, and help enterprises in development.

2.4 Simple and Easy-to-Use UTM – Instant Use Upon Enabling, Dynamic Update, and Real-Time Assurance

Huawei collects and summarizes practical experience of USG series globally and stipulates the optimal pre-defined detection policies. If you do not have customized requirements, you can enable the related functions on the user-friendly graphical user interface (GUI) rather than configuring a large amount of data. The USG series are easy to use. The USG series also support customized policy configurations. You can use the integrated policy configuration method to customize policy configurations. The integrated policy configuration method decreases the number of policy configurations and provides a unified policy configuration entrance that avoids missing policies. The integrated policy configuration method simplifies configurations and maintenance.

The global upgrade center focuses on network security events in real time, dynamically updates various detection libraries and feature libraries, and provides various attack defense methods in real time. The global upgrade center provides available and easy-to-use attack defense devices.

3 Version Description

3.1 V300R001 Version Description

The V300R001 version integrates the medium and low-end products, including the USG2000/5100 and USG5500 series. The V300R001 version provides the following functions:

User management

Integrated policies and traffic control policies

Enhanced QoS (HQoS and Tunnel QoS)

Enhanced IPsec VPN (IPsec VPN two-node cluster hot backup, IPsec VPN tunnelization, and CA)

UTM virtualization

Web content filtering (filtering by key words of Web pages, search engines, and POST packets, controlling the file names, types, and size of uploaded or downloaded files, and controlling HTTP POST packets) (This function does not require a license.)

Mail filtering (controlling the sending and receiving of anonymous mails, controlling mail senders and receivers, filtering mail titles or key words in texts, and controlling internal attachment names, types, size, and quantity) (This function does not require a license.)

FTP filtering (upload or download control)

Enhanced IPv6 (enhanced NAT64, 6RD, DNS6, ND-RA, IPv6 DHCP (server, relay, and client), IPv6 PPPoE (client), and IPv6 QoS)

Static LACP

BFD

Routing enhancement (user-based policy routing, application-based policy routing, WCMP weighted equivalent routing, manually triggering re-calculation of dynamic routing protocols, and manually refreshing routes)

Alarm synchronization

Multi-dimensional reports based on users, applications, traffic, and network behaviors (This function requires the VSM.)

3.2 Hardware Platform and Version Support

The following table lists the mapping between hardware platforms and software versions.

| Hardware Platform | Software Version |
|---|---|
| USG5500 series 1 U platform | V3R1 |
| USG5500 series 3 U platform | V3R1 |

1. All models of the USG5500 series use dual power supplies (optional AC and DC power supplies) according to the standard configuration.

2. The USB 3G data cards support USB 3G extension. Huawei does not sell USB 3G data cards. You can purchase USB 3G data cards based on the models specified in the quoter.

3. Extension interface cards

| Plug-in Card/Product | USG5520S | USG5530S | USG5530 | USG5550 | USG5560 |
|---|---|---|---|---|---|
| USB 3G | Supported | Supported | Supported | Supported | Supported |
| DMIC 2x10GE (SFP+) | Not supported | Not supported | Supported | Supported | Not supported |
| FIC 2x10GE (SFP+) | Supported | Supported | Supported | Supported | Supported |
| FIC 8xGE (SFP) | Supported | Supported | Supported | Supported | Supported |
| FIC 8xGE (RJ45) | Supported | Supported | Supported | Supported | Supported |
| FIC 2x10GE (SFP+) + 8xGE (RJ45) | Supported | Supported | Supported | Supported | Supported |
| FIC 4xGEx (RJ45) Bypass | Supported | Supported | Supported | Supported | Supported |
| FIC 2 Line (LC/UPC) BYPASS | Supported | Supported | Supported | Supported | Supported |
| DFIC 16GE4S | Supported | Supported | Supported | Supported | Supported |
| DFIC 18FE2S | Supported | Supported | Supported | Supported | Supported |

4 Competitive Strategy

4.1 Guided Selling Points

1. The hardware platform uses an advanced multi-core architecture.

2. The USG5500 series support complete UTM function modules.

3. The USG5500 series support various VPN functions such as the L2TP, IPsec, SSL, GRE, and MPLS L3 VPNs.

4. The USG5500 series support the IPsec VPNs in two-node cluster hot backup mode.

5. The USG5500 series provide various types of interfaces and interface densities.

6. The USG5500 series support the BFD function.

7. The USG5500 series support the IPv6 function.

5 Marketing Opportunities and Typical Application Scenarios

5.1 Network Border Protection

The major functions are as follows:

Network border protection

Security zone division

Intrusion protection

AV on the networks

Online behavior management

VPN access

Application industries:

Egress of government, finance, education, electricity, railway, energy, and enterprise networks and interconnection of industry networks

5.2 Security Interconnection Solutions for Enterprise and Organization Networks

The USG5500 series support various VPN functions such as the L2TP, IPsec, SSL, GRE, and MPLS L3 VPNs. The USG5500 series completely support the Access VPN, Intranet VPN, and Extranet VPN solutions. The USG5500 series use professional encryption and decryption chips to improve the encryption and decryption performance. With the advanced IPsec mechanism, the USG5500 series provide various services for communication parties such as access control, connectionless integrity, data source authentication, anti-replay, encryption, and classification-based data stream encryption.

Mobile office: The USG5500 series support Access VPN functions such as the L2TP, IPsec, and SSL VPNs. Employees on a business trip can securely access VPNs anytime and anywhere.

VPN interconnection between branch networks and headquarters networks: The USG5500 series use professional built-in encryption and decryption chips and provide high-performance VPN hardware acceleration capability. The USG5500 series meet the site-to-site VPN requirements, ensure data transmission security, and facilitate internal resource sharing.

5.3 SSL VPN Solutions for Enterprise Networks

The major functions are as follows:

The SSL VPN supports complete identity authentication, access authorization, and behavior audit to ensure the user validity and achieve flexible access control policies.

Data transmitted between remote users and enterprise internal networks is encrypted to protect sensitive information and avoid information leakage.

The SSL VPN supports various remote access services, for example, Web resource access, file system access, C/S application access, and all IP-layer service access that is irrelevant to applications.

Administrators do not need to install, configure, and maintain software on clients. You can access the VPN over standard browsers. This feature greatly improves the work efficiency of remote employees (for example, employees on a business trip).

The virtual gateway function ensures that different departments or user groups can independently access each other.

Detailed logs facilitate real-time audit and management on user or administrator operations.

5.4 IDC Protection Solution

The Internet data center (IDC) uses more than one GE link or 10GE link as the network egress, which requires that the security gateway at the IDC egress provide high-density GE and 10GE interfaces. To ensure smooth, continuous, and stable IDC services, the egress security gateway must support large-capacity NAT and high-density attack defense capabilities. The egress security gateway must also ensure the security protection and stability of key service servers.

The USG5500 series provide a maximum of 14x10GE interfaces and 64xGE interfaces and support infinite NAT addresses (depending on the upper limit of session quantity). The DDoS function can defend against millions of attack packets per second and the carrier-level stability fully meets the security protection requirements.

5.5 Integrated Security Solution for Enterprise Networks

At present, enterprise networks face severe potential security risks and threats from various sources. External security threats such as DDoS attacks, hacker intrusion, Trojan horse viruses, spam, and information leakage greatly threaten network security. In addition, internal network abuse also causes a series of problems, for example, non-service-related access, point-to-point (P2P) download, and viruses brought by instant messaging programs. These problems introduce a large number of viruses, decrease the bandwidth utilization, and decrease the work efficiency. Common firewalls cannot handle these complex security problems. As new generation security gateways, the USG5500 series integrate various functions based on the high performance and reliability, for example, firewall, DDoS attack defense, NAT, VPN, P2P, IPS, AV, URL filtering, and AS. The USG5500 series can effectively address existing issues on enterprise networks.