Huawei Cloud Fabric Data Center Security and Application Optimization Solution

Transcription

1 Huawei Cloud Fabric Data Center and Application Highly Secure s and High-Performance, High-Efficiency Networks Emerging new technologies such as cloud computing, Big Data, and virtualization drive data centers to transform from data-oriented integration to application-oriented integration. To adapt to this transformation, enterprise users have to improve service evolution efficiency and capability of coping with complex environments. In addition, data center management and resources must be significantly optimized. What's more, traditional data center security solutions are almost useless against the spread of malicious internal and external threats to their new resources and services. Huawei, a leading global network solutions provider, has been dedicated to developing industry-leading data center network security and optimization solutions. Huawei offers users an end-to-end network security and application optimization solution, helping enterprises build modern data centers with highly secure services and high-performance, high-efficiency networks. Comprehensive To help industry users adapt to traffic bursts, virtualization technology, and complex, fast-changing applications in data centers, Huawei Cloud Fabric Data Center Network Solution provides comprehensive security protection that features high performance, virtualization, and rugged defense for network, application, and management security. Intranet Leased Line/ Backbone Network Extranet Internet AntiDDoS Detects DDoS attacks on the DCN and cleans attack traffic. Firewall Provides security isolation, defense against unauthorized access, and access rights management. IPS/IDS Provides detection of and defense against intrusions and malicious threats. UMA/eSight Provides unified network O&M, management, and audit capabilities. UMA AntiDDoS FW esight Management O&M Zone Network TRILL SVN Network Mobile Office Application Server Zone WAF AVE SVN Provides a security solution for access from an insecure zone to the DCN. WAF Provides a security mechanism for websites and prevents information leakage and content tampering. AVE Provides virus cleaning and filtering for online applications or services. Storage Zone Page1, Total8

2 Deployment Proposals Requirement Location Risk Deployment Proposal Solution Product Model Network security Data center High Firewall, Unauthorized access solved USG9500 security Intrusion by network security zone zone edge Prevention division, isolation, and (access System (IPS), access control edge, and Intrusion Detection and intrusion extranet Detection defense capabilities prevent zone, and System (IDS) intrusion behaviors and service malicious behaviors zone) Data center High Employees/partners gain SVN5000 access edge SSL VPN secure access through (SVN) gateway Virtual Private Network (VPN) Internet High Distributed Flood and application-layer AntiDDoS8000 egress Denial of DDoS attack defense (DDoS) traffic cleaning gateway Medium Applied security Application security USG6000 server zone gateway protection Medium Antivirus Real-time, online virus AVE2000 server zone Gateway (AVG) cleaning and filtering of Application security Medium Web online applications or services defense WAF5000 server zone Application mechanisms for websites; Firewall (WAF) prevents information leakage and content tampering Data center Medium Unified Solves problems of UMA manageme Maintenance unauthorized access, Management nt zone Audit (UMA) security event correlation, security security device management, and O&M audits Page2, Total8

3 Network Industry's Highest-Performing Gateway processing performance: Huawei USG9500 series data center firewalls use the company's proprietary traffic splitting technology. The entire device's performance multiplies in a linear manner based on the number of configured s Processing Units (SPUs). The maximum throughput of mixed packets 960 Gbit/s leads the industry. The maximum number of concurrent connections is 960 million, and the maximum number of virtual firewalls is 4,096, satisfying the performance requirements of high-end users in broadcast & TV, government, energy, and education industries. VPN gateway performance: Huawei USG9500 supports VPN gateway redundancy, which enables up to 500 Gbit/s encryption and decryption and 960,000 concurrent VPN tunnels. Next-Generation Anti-DDoS Solution Large-volume DDoS attack defense: The multi-core distributed hardware architecture provides Terabit-class defense performance and responds to attacks within several seconds, ensuring link availability. Application-layer DDoS attack defense: Accurate, comprehensive attack detection and full-scale defense against over 100 types of attacks ensure continued operation of key enterprise service systems such as web applications, Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP), and Voice over IP (VoIP). Anti-DDoS operations: Tenant/service-based automatic and manual policies support large-scale operations and simultaneous protection of 10,000 tenants/services. Powerful VPN Access Gateway Mobile access: Supports mobile terminals that can run seven types of Operating Systems (OSs), five access methods, and access to data center services anywhere, anytime. Overall security protection: 10 types of authentication methods ensure complete security defense. Leading virtualization technology: 256 virtual SVN gateways reduce Capital Expenditure (CAPEX) and Operating Expense (OPEX). Page3, Total8

4 IPv4/IPv6 dual-stack defense Branch protects against 100+ types of attacks 7-layer defense and 2-second attack response 7 mainstream OSs 10 authentication methods 256 virtual SVN gateways Headquarters Partner Internet/Intranet Data Center Multiple security operation methods AntiDDoS FW SVN Gateway Terabit-class defense performance and IPv4/IPv6 dual-stack defense Over 900 million concurrent NAT sessions and multiple IPv6 transition technologies Mobile user 4,000+ virtual firewalls Multi-Tenancy Although cloud computing is based on advanced virtualization technology and high-speed networks, it also requires the high throughput and large numbers of Virtual System (VS) and multi-dimensional virtualization functions available with Huawei USG9500: Resource virtualization enables customized, virtual resources. Different resources can be assigned to different VSs. Management virtualization provides personalized policies for independent configuration of each virtual firewall, log management and audit management function, and management policies based on tenant requirements. Forwarding virtualization provides customized service processing processes. The forwarding plane logically isolates VSs from one another. If the resource of a single VS is exhausted, other VSs can still work properly. In this way, data of internal tenants of each VS is secured. Intrusion Detection and Prevention Huawei USG9500 contains the core technology of intrusion prevention search engines, signature database identification, and processing performance. This technology defends against system vulnerabilities, unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies. Each of the USG9500's "vulnerability-based" signature rules can cover thousands of attacks. What's more, worldwide honeynet systems can capture the latest attacks, worms, and Trojan horses in real time and provide zero-day attack defense. The USG9500 also uses other intrusion prevention methods, including internal bypass and "one board, one feature" technologies. Certain necessary service traffic is split to the dedicated SPU. In this way, service processing is improved, and the data traffic does not affect the firewall's basic operations, thereby ensuring service continuity. Page4, Total8

5 VAS Zone USG9500 Zone 1 Zone 2 Tenant Isolation Logical isolation Isolated Target Computing, storage, and network Isolation Method Virtualization technologies provide exclusive use of hardware resources VLAN isolation Virtual firewalls isolate security policies Zone N Physical isolation Region and equipment room Mapping a virtual firewall/tenant and the physical location provides physical binding service for tenants Zone 1 Zone 2 On- Demand Resource Allocation Virtual defense Comprehensive reports Cloud data center and 960 Gbit/s high-performance security protection Access of massive numbers of terminals/isolated tenants and 4K virtual firewalls that support operations Customized virtual firewall policies and resources implement elastic resource allocation -based IPS virtualization, IPSec virtualization, and secure access Application Professional Web Application User behavior detection: A detection engine quickly identifies abnormal user behaviors and provides optimal access experience. A transparent proxy engine restores the Hypertext Transfer Protocol (HTTP), which prevents bypass and penetration attacks. Fine-grained control policies: Dynamic blocking policies based on IP reputation level only block attacking request packets if the originating IP address has a high reputation level. If the IP address has a low reputation level, the policies blockade the network. Various complex web application protection policies based on HTTP can be customized. rules implement differentiated protection of web resources. In-depth service security protection: This mechanism prevents application-layer CC attacks from affecting services, business crawlers from capturing business data, and competitors in the same industry from conducting malicious reservation and panic purchasing behaviors. Industry's Best Virus Detection Professional file-level Antivirus Engine (AVE): Thoroughly cleans compressed, packed, and encrypted binary viruses, PDF viruses, Microsoft Office macro viruses and Adobe Flash viruses. Detecting massive numbers of viruses: A worldwide virus sample collection system can detect over seven million types of viruses. Powerful threat defense: A built-in network threat feature library and a hotspot and malicious site library can detect and block download of browser controls and plug-ins such as ActiveX and Java Applet, which may have viruses or malicious codes, and defend against Trojan horses, worms, and other malicious codes. USG6000 for Mail and Data Page5, Total8

6 Real-time spam prevention detects and defends against online phishing attacks Local blacklist and whitelist: remote and real-time blacklist, content filtering, keyword filtering, and attachment type, size, and quantity POP3/SMTP/IMAP antivirus (AV) scanning, attachment scanning, and security risk alerts In-depth file content identification and filtering prevents sensitive information leaks Restores and filters content of 30+ files in multiple formats, including Word, Excel, PPT, and PDF, and filters 120+ file types Internet Web tampering SQL injection WAN Web Application Defense Web page defense: WAF2000/5000 gateway prevents tampering of static web pages and blocks Structured Query Language (SQL) injections and Cross-Site Scripting (XSS) attacks. USG6000 detects and removes viruses in uploaded files or dynamic web pages. CE12800 USG6000 AVE2200 WAF5520 Aggregation & Access Layers Web Application Zone Mail System AV Professional file-level Antivirus Engine (AVE): Thoroughly cleans compressed, packed, and encrypted binary viruses, PDF viruses, Microsoft Office's macro viruses, or Adobe Flash viruses by using Symantec's mature, reliable antivirus (AV) technologies. Detecting massive numbers of viruses: A worldwide virus sample collection system can detect over seven million types of viruses. Mail Defense USG6000 series NGFW blocks spam and phishing attacks. Reputation technology: IP, domain, and URL reputation Blacklist and whitelist: IP address, ID, and domain ID Signature filtering: phishing mail signature, spam signature, and attachment signature Management Huawei's UMA system lowers internal O&M risks to resources such as network devices, servers, databases, and service systems by managing, monitoring, and auditing operation behaviors of all O&M personnel in a data center. This system makes the IT management system complete and complies with related rules and regulations as well as standards. Regularizes O&M management The UMA system establishes a unified O&M access management and resource control platform, unifies access portals, and centralizes rights control to implement centralized, regular O&M management. Reduces resource risks The UMA system uses a bastion host to reject access attempts by unauthorized and insecure terminals, and reduce the impacts of Trojan, spyware, and internal security risks. This system also prevents external risks by standardizing third-party maintenance and system integrators' onsite operations. Operation records help to trace events and assess liabilities. Abides by compliance requirements The UMA system complies with laws and regulations such as IT internal control guidelines, the Sarbanes-Oxley (SOX) Act, and the Control Objectives for Information and Related Page6, Total8

7 Technology (COBIT) framework. Audit reports and O&M logs are available for regulatory authorities. These comprehensive IT internal control and audit systems help organizations administer IT audits. Remote Access Unified Management UMA Operations Recording DC Resource Zone System Illegal data interception Data tampering OA violation operation ERP violation operation Illegitimate deletion Illegitimate access Unified Management Unified management portal and authorization implement enterprises' device maintenance compliance and security; manages administrator accounts in a centralized manner to facilitate rights setting and periodic adjustment. Behavior Audit Displays behavior relationships Locates and blocks high-risk operations Block high-risk operations Event Reporting Reports operation instructions to thirdparty monitoring devices to implement non-repudiation Associates operations with security events Who are you? Audit What have you done? UMA Syslog Where are you from? Where have you been? Application s Huawei partners closely with the industry's top vendors to provide users with end-to-end application optimization solutions. Link and server load balancing devices intelligently judge link congestion or service loads and select appropriate load balancing scheduling algorithms that improve the speed of data centers' service response and processing capability. Wide Area Network (WAN) acceleration devices increase the transmission rate of key applications and data and fully exploit bandwidth potential, lowering network latency and enhancing user experience. Load Balancing Multiple data center egresses use link load balancing technology to connect to different carriers, implementing intelligent traffic analysis and access. As a result, corresponding carrier egresses are intelligently selected for load balancing. Server load balancing technology significantly reduces the performance pressure on a single server, lowers server hardware upgrade costs, and improves service reliability. Failure of a single server will not interrupt services. In a multi-data center network, services are provisioned by following the principle of proximity, which greatly improves the quality of service access. Global load-balancing technology enables users to quickly access services of the "closest" data center, effectively solving the problem of network congestion and increasing the server's response speed. Page7, Total8

8 WAN Optimization WAN bandwidth is less than Local Area Network (LAN) bandwidth. In addition, WAN latency is higher, packet loss ratio is greater, and application system access speed is lower. As a result, enterprise branches have to increase the number of locally deployed servers. Active and standby data centers that are deployed in two places also have problems of low bandwidth and high O&M costs and latency. To solve these problems, many mature technologies are available to optimize the WAN and improve the experience of WAN applications. Problems and solutions include: Insufficient bandwidth: Reduce the volume of data transmitted on the WAN through data compression and buffering and eliminate repeated data. High latency: Lower latency through technologies such as protocol optimization (for example, TCP, HTTP, CIFS, and NFS), prior request, and proxy response. High packet loss ratio: Lower the packet loss ratio through congestion control, Forward Error Correction (FEC), and packet re-sequencing. Page8, Total8