Terabity w Security. Paweł Wachelka IP Product Manager, Huawei Polska Sp. z o.o.

Transcription

1 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Terabity w Security Paweł Wachelka IP Product Manager, Huawei Polska Sp. z o.o. Pawel.Wachelka@huawei.com

2 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Terabity w Security Introduction USG9500 Hardware Overview Transition technologies Translation between IPv4 and IPv6 packet headers Virtual System Security product portfolio

3 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Reading Between Datasheet Lines Metric Firewall A Firewall B Max. Throughput 120Gbps 560Gbps IMIX Throughput 45Gbps 560Gbps 64B Throughput 10.13Gbps 560Gbps Concurrent sessions 10 M 280 M Connections per second 350, M Will the datasheet stated performance characteristics meet needs? Are the numbers representative of and validated under real-world scenarios?

4 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Looking a Little Deeper Testing under optimal conditions UDP Throughput 120Gbps HTTP Goodput 30Gbps HTTP Goodput with IPS 78Gbps 0 CPU Usage Making choices based on best case, unrealistic usage scenarios, can lead to challenges in real world deployment.

5 IMIX is No Longer Today s Internet Mix HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Packet size (incl. IP header) # Packets Distribution (in packets) Bytes % 280 7% % % % % Distribution (in bytes) Source: Internet Mix was defined using sample data from over a decade ago. It no longer accurately reflects current conditions, and can be inaccurate in validating the performance of an internet environment.

6 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Differences Between IMIX and Data Center Traffic 7% UDP 40byte 16.5% HTTPS 16.5% Oracle Database 56% UDP 576byte 37% UDP 1500byte IMIX traffic model distribution in bytes 2.7% DCE/RPC MAPI Session 11% Citrix 2.7% DCE/RPC 11% HTTP 5.5% FTP 2.7% SMTP 2.7% H % NFS 1.1% SSH 22% SMB Client File Download IXIA Breaking Point Pre-defined Data Center Traffic Model The breakdown of modern data center traffic includes many kinds of applications, not just a simple mix of different length UDP packets. Firewalls need to perform complex actions like handshakes, session state tracking & awareness, etc. This is dramatically more resource intensive.

7 Handling of Modern Traffic Mixes HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY FTP Flash video P2P HTTP HTTPS Permit traffic flow Inspect/Anti-DDoS/IPS traffic flow Deny traffic flow A security gateway should process not only simple stateful/non-stateful permit/deny traffic, but also including traffic with complex actions ( eg. Inspect etc.)

8 Redefining Real World Performance HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Real Performance = Permit Control + + Traffic Traffic Typical traffic model Deny Traffic The total of permit, control and deny traffic is the real performance of one security gateway. Different scenario(eg. Data Center) has different percentage of typical traffic model. It is layer 7 traffic and mixed with different percentage of traffic of various protocols.

9 The Significance of Real Performance HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Metric Firewall A Firewall B Throughput(64B) 7.7 Gbps Connections per Second Worst-case Throughput Worst-case Goodput 560 Gbps 380, M 1.8 Gbps 15.8 Gbps 6 Mbps 52 Mbps Delta between Best & Worst Case 76.6% 97.2% Worst-case performance is significantly different from best case maximum performance. Effective firewalling must now typically include deeper packet and application level inspection. RFC2544 and RFC3511 can not validate the accurate real performance under certain scenario.

10 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Huawei s Real Traffic Performance Methodology DCE/RPC MAPI Session DCE/RPC HTTPS FTP SMTP H323 SSH Oracle Database illegal flow Citrix HTTP NFS SMB Client File Download Permit traffic ACL/Inspect/CAR/Anti-DDoS/IPS traffic Anti-DDoS/IPS/ACL Deny traffic Validation of firewall performance should simulate typical application traffic model found in real Data Centers. Traffic a firewall processes should also include traffic handling with complex actions ( eg. Inspect, Rate limit, Redirect, Analyze, etc.)

11 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Huawei USG9500 & The World s Fastest Security Blade Up to 160 (80)Gbps throughput for one blade, 960 (480)Gbps in a single chassis New Quad 32-core MIPS64 CPU high density design, saving up to 75% in slots & space compared to competitors Flexible expansion from Gbps Sophisticated Anti-DDoS/IPS/VPN/NAT capabilities All features & performance validated under real data center conditions Virtualization features designed for DC environments USG9500 Series 160G Security Blade Max. throughput Max. Concurrent connections Max. CPS Introducing the World s Fastest Firewall Blade USG Gbps 960 M 12 M/s 6X 9X 12X Industry Average 150 Gbps 100 M 1 M/s

12 High Stability % Reliability HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY HA Mode Smart Traffic Part Redundancy Card hot plug-in/out Software Reliability Hardware Reliability A-A, A-S mode Session backup Config backup VPN tunnel backup Link-state detect Load based route Weight based route App based route Multi-core distribute platform HA mode Port trunk/lacp Power, fan redundancy LPU plug-in/out SPU plug-in/out MPU plug-in/out Power, Fan plug-in/out

13 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY USG9500 V3R1C00 Hardware Overview Host Overview Expansion Card Overview Hardware architecture

14 Huawei High-end Firewall Series Products HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Specification USG9520 USG9560 USG9580 Appearance Slot FW Throughput 80G 480G 960G New Sessions per second 1M 6M 12M Max. Concurrent Sessions 160M 480M 960M IPSec Throughput 96G 384G 576G IPSEC Tunnels 256, ,000 1,000,000 Height 4U/5U 14U 32U Features Interfaces FW: ASPF/anti-DDoS/NAT/PAT/virtual FW/GTP VPN: IPSec/GRE/L2TP/IKEv2/PKI Routing: RIP/OSPF/BGP/static routing/i GMP/source address routing IPS: traffic reassembly/signature-based IPS/protocol anomaly detection/automatic upgrade 12 x GE (RJ45/SFP), 20 x GE SFP, 1 x 10G XFP, 2 x 10G XFP, 4 x 10G XFP, 5 x 10G XFP, 1 x 40G CFP, 1 x 100G etc.

15 USG9520 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY The USG9520 AC module is 5 U in height. The MPU, LPU, and power module are front-accessed, and the fan module is rear-accessed. No. Module Quantity 1 Air inlet MPU 2 3 LPU+SPU Power module 2 5 Fan enclosure 2 4

16 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY USG9560 Height: 14 U Backplane capacity: 15 Tbit/s, Switching capacity: 7.08 Tbit/s SRU: 1:1 backup SFU: 2+1 loadbalancing Fan module: 1+1 backup Power module: Switched-mode power supply, 2+2 backup 1 No. Module Quantity 1 Air inlet 1 2 SRU SFU 1 (Three SFUs are provided, and two of them are integrated on the two SRUs separately.) 4 LPU+SPU 8 5 Cable trough 1 6 Fan enclosure 2 7 Filtering unit 2 8 Power module 4 9 Monitoring unit 1

17 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY USG Height: 32 U Backplane capacity: 30 Tbit/s, Switching capacity: Tbit/s MPU: 1:1 backup SFU: 3+1 loadbalancing Fan module: 2+2 backup Power module: Switched-mode power supply, 4+4 backup No. Module Quantity 1 Air inlet MPU 2 3 SFU 4 4 LPU+SPU 16 5 Cable trough 2 6 Fan enclosure 4 7 Filtering unit 4 8 Power module 8 9 Monitoring unit 1

18 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY USG9500 V3R1C00 Hardware Overview Host Overview Expansion Card Overview Hardware architecture

19 Boards - SPU 20G Firewall Service Processing Unit HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY 20G Firewall Performance Expansion Card IPS Service Processing Card

20 Boards - LPU HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY -LPUF-101 and FPIC 4 subslots 5-Port 10GBase LAN/WAN-SFP+ FPIC A 2/4 24-Port 100/1000 Base-X-SFP FPIC 2/4 4-Port 10G Base LAN -SFP+ FPIC 1/4 1-Port 40GBase LAN-CFP FPIC 2/4-1-Port 100GBase-CFP Integrated Line Processing Unit (LPUI-101) -LPUF-40-A and FPIC 2 subslots 20-Port 100/1000Base-X-SFP Flexible Card 2-Port 10GBase LAN/WAN-XFP Flexible Card 4-port 10GBase LAN/WAN-XFP FPIC -LPUF-21 and FPIC 2 subslots 1-port 10GBase LAN/WAN-XFP FPIC 12-port 100Base-FX/1000Base-X-SFP FPIC 12-port 10Base-T/100Base-TX/1000Base-T-RJ45 FPIC 1-port OC-192c/STM-64c POS-XFP FPIC 4-Port 10GBase WAN/LAN-XFP FPIC

21 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY USG9500 V3R1C00 Hardware Overview Host Overview Expansion Card Overview Hardware architecture

22 Logical Hardware Architecture HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Monitoring plane LPU MPU LPU Line card monitoring unit Line card monitoring unit System monitoring unit Line card monitoring unit Line card monitoring unit Line card management unit Line card management unit Control and management plane Line card management unit MPU SFU... Line card management unit Line card forwarding unit Line card forwarding unit Data plane Line card forwarding unit LPU Switch fabric Switch fabric board Line card forwarding unit LPU

23 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Hardware architecture of the USG9500 Monitoring bus MPU (Active/standby backup) Management bus Power supply redundancy Fan redundancy LPU (with built-in NPs) Switching matrix SFU SPU (with built-in multi-core CPU) LPU (with built-in NPs) 3+1 redundancy backup SPU (with built-in multi-core CPU)

24 Data Forwarding Process HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY

25 Switching Network System HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY

26 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Terabity w Security Introduction USG9500 Hardware Overview Transition technologies Translation between IPv4 and IPv6 packet headers Virtual System Security product portfolio

27 Transition technologies HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY IPv6 tunnel IPv6 over IPv4 manual tunnel IPv6 over IPv4 GRE tunnel IPv6 over IPv4 automatic tunnel 6to4 tunnel 6RD tunnel ISATAP tunnel IPv4 over IPv6 tunnel Endpoint Independent Mapping (EIM or 3-tupel) NAT NAT ALG NAT444 NAT64 DS-Lite NAT with port pre-allocation and incremental allocation DS-Lite with port pre-allocation and incremental allocation Static mapping

28 IPv6 over IPv4 Tunnel Manual Tunnel protocol 41 IPv4 Header IPv6 Header IPv6 Data HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY IPv /24 G1/0/0 IPv /24 G1/0/0 IPv6 4000::2/ ::1/64 G1/0/1 3000::1/64 G1/0/1 3000::2/64 Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 4000::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2000::1/64 tunnel-protocol ipv6-ipv4 source g1/0/0 dest ipv6 route-static 3000:: 64 Tunnel 1 Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 3000::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2000::2/64 tunnel-protocol ipv6-ipv4 source g1/0/0 dest ipv6 route-static 4000:: 64 Tunnel 1

29 IPv6 over IPv4 Tunnel GRE Tunnel HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY IPv4 Header GRE Header IPv6 Header IPv6 Data IPv /24 G1/0/0 IPv /24 G1/0/0 IPv6 4000::2/ ::1/64 G1/0/1 3000::1/64 G1/0/1 3000::2/64 Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 4000::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2000::1/64 tunnel-protocol gre source g1/0/0 dest ipv6 route-static 3000:: 64 Tunnel 1 Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 3000::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2000::2/64 tunnel-protocol gre source g1/0/0 dest ipv6 route-static 4000:: 64 Tunnel 1

30 IPv6 over IPv4 Tunnel Automatic Tunnel HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY /24 G1/0/0 IPv /24 G1/0/0 Interface G1/0/0 ip addr Interface Tunnel 1 ipv6 enable ipv6 addr :: /96 tunnel-protocol ipv6-ipv4 auto-tunnel source g1/0/0 Interface G1/0/0 ip addr Interface Tunnel 1 ipv6 enable ipv6 addr :: /96 tunnel-protocol ipv6-ipv4 auto-tunnel source g1/0/0

31 IPv6 over IPv4 Tunnel 6to4 Tunnel HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 2002:101:101:33::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2002:101:101::1/64 tunnel-protocol ipv6-ipv4 6to4 source g1/0/0 ipv6 route-static 2002:: 16 Tunnel 1 ipv6 route-static :: :101:103::1 2002:101:101:33::2/64 6to4 Site :101:101: 33::1/64 G1/0/ /24 G1/0/ /24 G1/0/0 6to4 IPv4 6to4 6to4 Relay /24 G1/0/0 2002:101:10 2:33::1/64 G1/0/1 3000::1/64 G1/0/1 6to4 IPv6 Site :101:102:33::2/64 Site ::2/64 The 6to4 tunnel requires that both ends use 6to4 addresses. Address format: 2002:IPv4 address:subnet ID:interface ID Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 2002:101:102:33::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2002:101:102::1/64 tunnel-protocol ipv6-ipv4 6to4 source g1/0/0 ipv6 route-static 2002:: 16 Tunnel 1 Interface G1/0/0 ip addr Interface G1/0/1 ipv6 enable ipv6 addr 3000::1/64 Interface Tunnel 1 ipv6 enable ipv6 addr 2002:101:103::1/64 tunnel-protocol ipv6-ipv4 6to4 source g1/0/0 ipv6 route-static 2002:: 16 Tunnel 1

32 IPv4 over IPv6 Tunnel Manual Tunnel HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY IPv6 Header IPv4 Header IPv4 Data IPv4 3000::2/64 G1/0/0 IPv6 3000::1/64 G1/0/0 IPv / /24 G1/0/ /24 G1/0/ /24 Interface G1/0/0 ipv6 enable ipv6 addr 3000::2/64 Interface G1/0/1 ip addr Interface Tunnel 1 ip addr tunnel-protocol ipv4-ipv6 source g1/0/0 dest 3000::1 ip route-static Tunnel 1 Interface G1/0/0 ipv6 enable ipv6 addr 3000::1/64 Interface G1/0/1 ip addr Interface Tunnel 1 ip addr tunnel-protocol ipv4-ipv6 source g1/0/0 dest 3000::2 ip route-static Tunnel 1

33 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Terabity w Security Introduction USG9500 Hardware Overview Transition technologies Translation between IPv4 and IPv6 packet headers Virtual System Security product portfolio

34 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Static Configuration for Translation Between IPv6 and IPv4 Addresses IPv4 network NAT64 server IPv6 network 2001::1 IPv4 host IPv6 server (D) IPv4 host: (D) IPv4 host: 2001::1 Basic configurations: ipv6 (Enables the NAT64 on interfaces in interface mode.) nat64 prefix 3001:: 96 (Configures the global interface NAT64 prefix) nat64 static 2001:: (Sets the IPv6 host address mapping.) Static routes are configured on IPv6 and IPv4 hosts to ensure correct packet transmission. C:\> ping Pinging with 32 bytes of data: Reply from : time=1ms Reply from : time=2ms Reply from : time=1ms Reply from : time=1ms

35 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Configuration for Translation Between IPv6 and IPv4 Addresses (in Address Pool Mode) # Set the IPv6 prefix to 3001::/96. [USG9500] nat64 prefix 3001:: 96 [USG9500] nat64 address-group [USG9500] nat64-policy interzone trust untrust outbound [USG9500 -outbound] policy 1 [USG9500 -outbound-1] action nat64 [USG9500 -outbound-1] address-group 1 c:\ ping Pinging 3001::ca01:102 with 32 bytes of data: Reply from 3001::ca01:102: time=23ms Reply from 3001::ca01:102: time=6ms..

36 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Configuration for Translation Between IPv6 and IPv4 Addresses (in Easy IP Mode) # Set the IPv6 prefix to 64:FF9B::/96. [USG9500] nat64 prefix 64:FF9B:: 96 [USG9500] nat64-policy interzone trust untrust outbound [USG9500 -outbound] policy 1 [USG9500 -outbound-1] action nat64 [USG9500 -outbound-1] easy-ip GigabitEthernet0/0/2 c:\ ping Pinging 64:ff9b::ca01:102 with 32 bytes of data: Reply from 64:ff9b::ca01:102: time=29ms

37 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Terabity w Security Introduction USG9500 Hardware Overview Transition technologies Translation between IPv4 and IPv6 packet headers Virtual System Security product portfolio

38 Virtual System - Application Scenarios 1. Network isolation for large and medium-sized enterprises HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY 2. Device leasing 3. Security gateway for the cloud computing

39 Virtual System HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Logical architecture of dividing virtual systems Logical diagram of administrator functions

40 Allocating Virtual System Resources HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Resource Preemption Sessions are dynamic resources. Besides allocated resources, virtual systems can preempt other resources. Sessions are assigned based on the binding between the resource class and the virtual system. If the virtual system is not bound to a resource class, or the resource class is empty, the virtual system preempts the resources of the public system. The resources exceeding the guaranteed number are preempted from the resource pool of the public system. Guaranteed resources take effect only after the system works stably. For example, if the resources to be allocated to virtual system A have been preempted by virtual system B, virtual system A can obtain the resources only after virtual system B releases them. Allocated resources are guaranteed. Virtual systems can preempt only unallocated resources.

41 Communication Between Virtual Systems HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY

42 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Terabity w Security Introduction USG9500 Hardware Overview Transition technologies Translation between IPv4 and IPv6 packet headers Virtual System Security product portfolio

43 Security Service Security Capability Botnet Signature Library Protocol/Application Library Virus Library Spam Library URL Classification Library Vulnerability Library Security Service Emergency HUAWEI Response ENTERPRISE Security ICT SOLUTIONS Management A BETTER WAY On-line Upgrade Security Management Service Credibility Assessment Security Consulting Application Security Secure Web Gateway ASG2100/2200 ASG2600/2800 Web Application Gateway WAF2000/5000 AVE2200 Anti-Virus Gateway AVE2600/2800 Secure Access Gateway Intrusion Prevention System Anti-DDoS Network Security SVN2000 SVN5000 Unified Threat Management NIP2000 NIP5000 Next-Generation Firewall AntiDDoS1000/8000 Data Centers Security Gateway USG2110/2100/2200 USG5100/5500 USG3000/6000 USG9500 Endpoint Security TSM Terminal Security AnyOffice Mobile Security Security Management esight Unified Management isoc UMA/UMA-DB Security Operation Center Unified Maintenance Audit DSM Document Security Management OMM Online Multimedia Management

44 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Copyright 2012 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.