Huawei USG9500 Cloud Data Center Gateway Datasheet

HUAWEI TECHNOLOGIES CO., LTD. USG9500 Series Cloud Data Center Security Gateway

Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

Trademark Notice

, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co.,

Other trademarks, product, service and company names mentioned are the property of their respective owners.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Industrial Base

Bantian Longgang

Shenzhen 518129, P.R. China

Tel: +86-755-28780808

Version No.: M3-008360399-20110510-C-1.0

www.huawei.com HUAWEI TECHNOLOGIES CO., LTD.

USG9500 Series Cloud Data Center Security Gateway

USG9520 USG9560 USG9580

Product Overview

The full-IP network is expanding rapidly and is integrating more and more applications into the traditional broadband network. Network bandwidth is increasing exponentially, but so are the types of network threats and the intensity of attacks. As a result, enterprises and carriers must constantly adapt their network structures to changing network environments. Data communication devices have entered the Terabit era. The USG9500, a highly scalable, reliable, and comprehensive security service platform, is such a Terabit device. It supports a wide range of security services, such as IPv6 security, virtual security systems, VPN, and IPS. It addresses the requirements of customers (including data centers, carriers, ISPs, and government agencies) for integrated security, rapid response, fast processing, and continuous evolution.


Product Description

The USG9500 series comprises the USG9520, USG9560, and USG9580, and provides industry-leading security capabilities and scalability. The firewall throughput of the series reaches 0.96 Tbps, the maximum number of concurrent connections exceeds 960 million, and the VPN performance is up to 500 Gbps.

By using dedicated multi-core chips and a distributed hardware platform, the USG9500 provides industry-leading service processing and expansion capabilities. Moreover, all components are redundant, providing the high reliability normally found in a core router to ensure continuous service on high-speed networks. The distributed architecture uses line-rate intelligent traffic splitting for data forwarding: all data flows are distributed equally across the service processing modules, so service processing performance increases linearly with the number of service modules.

The USG9500 provides multiple types of I/O interface modules (Line Processing Units, LPUs) for external connection and data transmission. I/O interface modules and service processing modules use the same interface slots, so you can mix and match them as needed. The USG9500 provides GE and 10GE interfaces and supports cross-board port bundling to improve throughput and port density.

The Service Processing Unit (SPU) of the USG9500 processes all services. The SPU has a motherboard that can hold two expansion cards; the SPU uses the multi-core CPUs on the expansion cards together with the software modules to process services. The heartbeat detection mechanism between SPU and LPU, together with SPU redundancy, ensures in-service switchover: if one SPU fails, all functions are quickly switched to the other SPUs without service interruption.


Highlights

Advanced network processor + multi-core CPU + distributed architecture — allowing linear increase of performance

The USG9500 uses a hardware platform of the kind found in a core router to provide modularized components. Each interface module has two network processors (NPs) to provide line-rate forwarding. The SPU uses multi-core CPUs and a multi-thread architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei's optimized concurrent processing technology, increase CPU capacity to ensure high-speed parallel processing of multiple services, such as NAT and VPN. LPUs and SPUs function separately. The overall performance increases linearly with the addition of SPUs, so customers can easily scale up performance at low cost.

High firewall performance — ensuring mission-critical services

With its revolutionary system architecture, the USG9500 security gateway series has the industry's highest firewall throughput and the most concurrent connections. With dedicated traffic splitting technology, the overall performance of the USG9500 increases linearly with the addition of SPUs. The USG9500 delivers a maximum of 960 Gbps large-packet throughput, 960 million concurrent connections, and 4096 virtual firewalls. This industry-leading performance meets the demands of high-end customers, such as television and broadcast systems, government agencies, energy companies, and education organizations.

Stable and reliable security gateway — full redundancy ensuring service continuity

Network security is a key concern in enterprise operations. To ensure service continuity on a high-speed network, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. The USG9500 also supports dual-MPU active/standby switchover to provide high availability. The mean time between failures (MTBF) of the USG9500 is up to 200,000 hours, and the failover time is less than one second. These features ensure service continuity.

Excellent VPN performance — meeting the needs for massive encryption

More and more services, such as mobile access, short message notification, and push mail, require secure data transmission over the Internet. To meet these needs, a VPN gateway that supports hundreds of thousands of connections is required. The USG9500 supports VPN gateway redundancy, up to 500 Gbps encryption performance, and 960,000 concurrent VPN tunnels, which are the industry's highest figures. The USG9500 supports 4over6 and 6over4 VPN technologies to deal with the evolution from IPv4 to IPv6. The USG9500 also supports IKEv2, provides improved user authentication, packet authentication, and NAT traversal functions, and prevents attacks such as man-in-the-middle attacks and denial of service (DoS) attacks. The USG9500 also supports Extensible Authentication Protocol for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol – Authentication and Key Agreement (EAP-AKA) authentication to protect wireless networks.

Practical IPS feature — defending against external threats and promoting network security

The performance of an Intrusion Prevention System (IPS) relies on detection engine performance, signature identification ratio, and processing capacity. With its advanced IPS detection engine and mature signature database, the USG9500 defends against various threats, including unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, P2P anomalies, and exploits that target system vulnerabilities. A single vulnerability-based signature covers the thousands of attacks that target that vulnerability. Supplemented by the globally deployed honeypot system, the USG9500 can capture the latest attacks, worms, and Trojan horses, thereby providing zero-day attack defense capability. Moreover, to improve real-world IPS performance, the USG9500 uses an internal off-line design and "one board, one feature" technology to direct the traffic to be inspected by the IPS to a dedicated module. This method improves IPS performance without compromising basic firewall performance.

Comprehensive CGN Features — addressing the transition from IPv4 to IPv6

IPv4 addresses are already exhausted and the Internet is evolving smoothly from IPv4 to IPv6. To meet the needs of the transition from IPv4 to IPv6, the USG9500 supports NAT44 (4), DS-Lite, 6RD, and NAT64, thereby providing an effective, flexible, reliable, and cost-effective transition solution for carriers. NAT44 (4) enables high utilization of IPv4 addresses to counter IPv4 address exhaustion; DS-Lite allows IPv4 applications to be used on newly established IPv6 networks; 6RD provides efficient IPv6 access; and NAT64 enables an IPv6 network to communicate with an IPv4 network. The NAT44 and DS-Lite functions support NAT tracing.

Enriched virtualization — adapting to cloud networks

Cloud computing, which relies on virtualization and high-speed network connection, faces security challenges. The USG9500 delivers high throughput and enriched virtual system functions, including resource, configuration, and management virtualization, to meet the requirements of different customers. Resource virtualization manages virtual host resources based on quota; management virtualization supports user-defined policies, log management, and auditing for each virtual firewall; and forwarding virtualization enables customized service processing.


Specifications

Model                                            USG9520               USG9560               USG9580

Performance and Capacity
Firewall throughput (maximum)                    80 Gbps               480 Gbps              960 Gbps
Firewall throughput (composite traffic)          80 Gbps               480 Gbps              960 Gbps
Maximum number of concurrent sessions            80 million            480 million           960 million
IPSec VPN performance (3DES)                     48 Gbps               240 Gbps              500 Gbps
IPSec VPN performance (AES)                      48 Gbps               240 Gbps              500 Gbps
Maximum number of concurrent IPSec VPN tunnels   128,000               640,000               1,000,000

Expansion and I/O
Expansion slots                                  3 SPU and LPU slots   8 SPU and LPU slots   16 SPU and LPU slots


Dimensions, Power Supply, and Operating Environment

Model                        USG9520                           USG9560                       USG9580
Dimensions (H x W x D, mm)   175 x 442 x 650 (4U DC model)     620 x 442 x 650               1420 x 442 x 650
                             220 x 442 x 650 (5U DC model)
Weight                       Empty chassis: 15 kg (DC)         Empty chassis: 43.2 kg        Empty chassis: 94.4 kg
                             Full configuration: 32 kg (DC)    Full configuration: 113 kg    Full configuration: 229 kg
                             Empty chassis: 25 kg (AC)
                             Full configuration: 42 kg (AC)
Power consumption            1270 W                            3960 W                        7540 W

AC power supply: 90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended)
DC power supply: -38 V to -72 V; rated -48 V
Operating temperature: long term 0°C to 45°C; storage -40°C to +70°C
Ambient humidity: long term 5% RH to 85% RH, non-condensing; short term 5% RH to 95% RH, non-condensing; storage 0% RH to 95% RH, non-condensing
Number of MPU slots: 2

Interface

Interface boards: LPUF-21, LPU-40, LPUF-101

Ethernet interfaces:
• 12 x GE SFP
• 12 x GE RJ45
• 1 x 10GE XFP
• 4 x 10GE XFP
• 20 x GE SFP
• 2 x 10GE XFP
• 4 x 10GE XFP
• 1 x 40GE CSFP
• 5 x 10GE XFP
• 4 x 10GE SFP+
• 24 x 1GE SFP

POS                          12 x GE RJ45                      Not supported                 Not supported

SPU: SPUC, SPUD


Security Functions

BASIC FIREWALL
• Routing/Transparent/Composite mode
• State validation detection
• Blacklist and whitelist
• Access control
• ASPF (Application Specific Packet Filter)
• Security zone division

SERVICE AWARENESS
• Identify and control over 1,200 applications: P2P, IM, game, stock, VoIP, video, media stream, mail, mobile, Web browsing, remote access, network management, news, etc.

VIRTUAL PRIVATE NETWORK (VPN)
• DES, 3DES, and AES encryption
• MD5 and SHA-1 authentication
• Manually configured key, PKI (X.509), and IKEv2
• Perfect forward secrecy (DH group)
• Anti-replay attack
• Remote VPN access
• IPSec NAT Traversal
• Dead Peer Detection
• EAP authentication
• VPN gateway redundancy
• IPSec v6, IPSec 4 over 6, IPSec 6 over 4
• L2TP tunnel
• GRE tunnel

NAT/CGN
• Destination NAT/PAT
• NAT No-PAT
• Source NAT IP address persistency
• Source IP address pool grouping
• NAT Server
• Bidirectional NAT
• NAT-ALG (Application Layer Gateway)
• Unlimited IP address expansion
• Policy-based destination NAT
• Port range pre-allocation
• Hairpinning mode
• SMART NAT
• NAT64
• DS-Lite
• 6RD (IPv6 Rapid Deployment)

PKI
• PKI certificate requests (PKCS 10)
• Certificate authority (CA)
• PKI authentication: EAP-SIM, EAP-AKA
• PKI protocols: SCEP, OCSP, CMPv2
• Self-signed certificate

INTRUSION PREVENTION SYSTEM
• Protocol anomaly support
• Custom signature support
• Automatic attack database update
• Defends against worms, zero-day attacks, Trojan horses, and malware


ANTI-DDOS
• SYN-flood, ICMP-flood, TCP-flood, UDP-flood, DNS-flood, etc.
• Port-scan, Smurf, Tear-drop, IP-Sweep, etc.
• IPv6 extension header defense
• TTL detection
• TCP MSS detection
• Attack log output

HIGH AVAILABILITY
• Active-Active, Active-Standby
• Stateful failover (Huawei Redundancy Protocol)
• Configuration synchronization
• Firewall and IPSec VPN session synchronization
• Device fault detection
• Link fault detection
• Dual main board switchover

MANAGEMENT
• Web UI (HTTP and HTTPS)
• CLI (console/Telnet/SSH)
• U2000/VSM network management
• Hierarchical administrators
• Software upgrade
• Configuration rollback

CERTIFICATION
• Safety certification, EMC, CB, RoHS, FCC, MET, C-tick, VCCI

NETWORKING/ROUTING
• POS/GE/10GE link support
• DHCP relay/server
• Policy-based routing
• Dynamic routing for IPv4/IPv6 (RIP/OSPF/IS-IS/BGP)
• Multi-zone support
• Routing between zones/VLANs
• Multi-link aggregation (Eth-Trunk, LACP)

VIRTUAL FIREWALLS
• 4096 virtual firewall (VFW) definitions
• VLAN virtualization
• Security zone virtualization
• User-defined virtual resources
• Routing between VFWs
• VFW-based traffic CAR

LOGGING/MONITORING
• Structured syslog
• SNMP (v2)
• Binary log
• Traceroute
• Log server (eLog)

Note: The list above is comprehensive and may contain features which are not available on all USG9500 appliances. Consult USG9500 system documentation to determine feature availability.


Application Scenarios

Security Defense in Large IDCs

The USG9500 ensures the security and stability of IDC services when the following services are configured:

• Security policies, such as a blacklist to filter suspicious IP addresses.
• The intrusion prevention function, to perform in-depth traffic detection and block attack traffic once an attack is detected. This function effectively defends against application-layer attacks.
• Virtual firewalls, to separate virtual systems from Layer 2 to Layer 7 as needed.
• Resource pre-allocation, to control inbound and outbound virtual firewall traffic and the number of session connections; public IP address-based traffic restriction, to prevent one IP address from occupying too much bandwidth.

[Figure: large-scale IDC with a USG9500 at the egress over a 10-Gigabit link, separating the basic services area, value-added services area, management and maintenance area, and other area.]

Communication through VPN

The enterprise headquarters communicates with branches of the enterprise through the Internet. VPN tunnels (such as IPSec VPN, L2TP over IPSec VPN, and GRE over IPSec VPN) can be established between the egress gateway of the headquarters and the egress gateways of the branches, and between the egress gateway of the headquarters and the egress gateways of the regional offices. Employees on business trips can also access the headquarters egress gateway from a PC. The data flows produced when users of the enterprise remotely access each other are carried by the secure VPN tunnels. Although the data is transmitted over the public network, it is protected by encryption and authentication, which ensures the security of the data transmission.

In this networking, the IP addresses of branches can be fixed public IP addresses, or dynamically obtained through 3G, ADSL, PPPoE dial-up, or DHCP. Configure IPSec, L2TP over IPSec, or GRE over IPSec based on actual requirements.

[Figure: headquarters gateway USG9000_A connected by IPSec tunnels to branch gateways USG9000_B and USG9000_C (Branch1 and Branch2), with a remote PC also connecting to the headquarters gateway.]


Order Information

E8KE-X3-BASE-DC: E8000E X3 DC Standard Configuration (includes X3 DC Chassis, 2*MPU), with HS General Security Platform Software
E8KE-X3-BASE-AC: E8000E X3 AC Standard Configuration (includes X3 AC Chassis, 2*MPU), with HS General Security Platform Software
E8KE-X8-BASE-DC-200: E8000E X8 DC Standard Configuration (includes X8 DC Chassis, 2*SRU, 1*200G SFU), with HS General Security Platform Software
E8KE-X8-BASE-AC-200: E8000E X8 AC Standard Configuration (includes X8 DC Chassis, 2*SRU, 1*200G SFU, 4*AC Power Module), with HS General Security Platform Software
E8KE-X16-BASE-DC-200: E8000E X16 DC Standard Configuration (includes X16 DC Chassis, 2*MPU, 4*200G SFU), with HS General Security Platform Software
E8KE-X16-BASE-AC-200: E8000E X16 AC Standard Configuration (includes X16 DC Chassis, 2*MPU, 4*200G SFU, 8*AC Power Module), with HS General Security Platform Software
SPU-X3-20-O-E8KE: 20G X3 Firewall Processing Card (overseas), with HS General Security Platform Software
SPU-X8X16-20-O-E8KE: 20G X8&X16 Firewall Processing Card (overseas), with HS General Security Platform Software
FWCD0LPUKD01: Flexible Card Line Processing Unit (LPUF-21, 2 sub-slots) B, with HS General Security Platform Software
FWCD00L1XX01: 1-Port 10GBase WAN/LAN XFP Flexible Interface Daughter Card
FWCD00EBGF01: 12-Port 100/1000Base-X SFP Flexible Interface Daughter Card
FWCD00EBGE01: 12-Port 10/100/1000Base-TX RJ45 Flexible Interface Daughter Card
FWCD0LPUND01: Flexible Card Line Processing Unit (LPUF-40, 2 sub-slots) A, with HS General Security Platform Software
FWCD00L2XX01: 2-Port 10GBase LAN/WAN XFP Flexible Card (P40)
FWCD00EFGF01: 20-Port 100/1000Base-X SFP Flexible Card (P40)

Note: The order information lists only the main components of the USG9500 series; please contact a Huawei engineer for detailed information.
