Huawei 2000/5000 Intrusion Prevention System

The Huawei 2000/5000 series is designed for large- and medium-sized enterprises, industries, and carriers to defend against network threats and keep services running properly. With its carrier-class design, the system supports special protocols such as Multiprotocol Label Switching (MPLS) and Virtual Local Area Network (VLAN) and can be deployed in a wide range of environments. With its default configuration, the IPS automatically blocks many types of service threats, which greatly simplifies deployment and lowers the total cost of ownership (TCO).

Product Overview

Farsighted Overall Prevention

The IPS uses several advanced detection technologies to defend against known and hidden threats:
- Intelligent protocol identification, which recognizes applications and protocols without requiring you to configure protocol ports manually.
- Vulnerability-based and attack-signature-based detection, which detects and blocks known attacks such as vulnerability exploitation, worms, and Trojan horses.
- Protocol anomaly detection, traffic anomaly detection, and heuristic detection, which uncover hidden vulnerability and malware attacks.
- Virtual patches: the IPS combines multiple intrusion detection technologies, the most important being vulnerability-based detection, which blocks vulnerability-based threats such as overflow attacks and worm infections. Compared with traditional attack-signature-based detection, this technology does not generate false positive reports and can stop attacks that use evasion techniques.
Appearance

(Product photograph in the original.)

Advantages

Overall defense against new threats
- Defends against new malware, zero-day attacks, and botnets.
- Defends against application-layer DDoS attacks, such as DNS, HTTP, and SIP attacks.
- More than 300 security researchers worldwide collect threats and update signatures in real time.

Accurate detection and automatic prevention of service threats
- Uses vulnerability-based detection technology to provide accurate detection.
- Avoids threshold configuration mistakes through automatic baseline learning.
- Automatically blocks key service threats with no manual intervention.

Easy to use and low TCO
- Can be deployed online with the default configuration.
- Provides centralized security management and real-time security monitoring.
- Provides visualized application traffic.

High availability
- Carrier-class hardware design with temperature monitoring and hot swap of components such as the fan and power supply.
- Supports active-active and active-standby HA deployments.
- Supports hardware bypass.

Function Overview

With more than 300 advanced researchers and global data and attack collection capabilities, the Huawei security research team provides the latest security reports and releases new vulnerability signatures periodically (every week) or in emergency mode (when a key security vulnerability is detected). These signatures are delivered to the IPS devices through the cloud security center, so the devices can defend against attacks with zero time difference, as soon as the vulnerabilities are released.

Client protection: In the Web 2.0 era, more attacks target browsers and widely used PDF, SWF, JPEG, and Office documents. Large numbers of PCs with weak client protection are taken over by hackers as zombies, and key information on these PCs (such as bank accounts and network passwords) is stolen.
The IPS performs in-depth parsing based on protocols and file formats and can inspect encoded or compressed content such as GZIP and UTF-encoded files. During parsing, it automatically skips content that is irrelevant to threats. In this way the IPS provides comprehensive browser and file vulnerability defense together with high online detection performance.

Malware control: The IPS defends against malware such as Trojan horse backdoors, adware, and other malicious programs. It blocks the communication and transmission traffic of malware based on the signatures of that traffic and so prevents the malware from spreading. This reduces IT cost and prevents personal data intrusion and confidential data leaks.

Web application protection: Enterprises and organizations are migrating applications to web service platforms, where they are heavily exposed to intrusions and malicious behavior targeting web servers, such as web page tampering through SQL injection, theft of administrator passwords, and destruction of website data.

Application sensing and control: The IPS can identify more than 1200 network applications; monitor and manage online behavior such as Instant Messaging (IM), gaming, video, and stock trading; help enterprises identify and limit unauthorized online behavior; and enforce security policies to keep employees working efficiently. The IPS applies a refined bandwidth allocation policy to limit the bandwidth used by malicious applications such as P2P, online video, and large file downloads, and reserves enough bandwidth for office applications such as Office Automation (OA) and Enterprise Resource Planning (ERP).

Infrastructure protection: The IPS has powerful anti-DDoS and traffic model self-learning capabilities.
When DoS attacks are detected or network traffic surges because of a large-scale virus outbreak in a short time, the IPS automatically detects and blocks the attacks and abnormal traffic, protecting infrastructure such as routers, switches, VoIP systems, DNS, and web servers against various DoS attacks and keeping key services running.

Easy to Deploy

The IPS is delivered with a mature security policy and can provide protection with no configuration. This default security policy uses an advanced engine and high-quality vulnerability-based signatures for accurate threat detection; with it, the IPS automatically blocks the medium and advanced threats that may compromise services.

The IPS can be deployed off-line or online in transparent mode, and interfaces on a single device can work online or off-line, so network and security administrators can choose the working mode as required without changing the network. The IPS also inspects traffic encapsulated on special networks, such as networks using MPLS, VLAN trunk, or Generic Routing Encapsulation (GRE), and can be deployed flexibly in various places.

High Availability

Deploying an IPS online requires high availability, and Huawei provides the highest level of availability. The IPS supports high availability configurations (active-standby and active-active modes), hot swap of the redundant power supply and fan, and e-disk solutions. It also provides software and hardware bypass functions (triggered when the software or hardware is faulty): a functional module is bypassed when anomalies occur in that module, and the whole IPS device is bypassed when the device itself is faulty.
Centralized Management and Report

The IPS provides web management of a single device as well as centralized management through the Manager, from which configuration operations such as monitoring, upgrade, and policy delivery can be performed on multiple devices. Multiple predefined policies are supplied to meet policy customization requirements. The Manager has rich log statistics and reporting functions and displays real-time network status, historical information, the Top N detected attacks, and traffic trends at multiple granularities and dimensions. With these statistics, users know the health status of the network at any time and can secure the network and guide IT behavior accordingly.

Application Scenarios

(Deployment diagram in the original: WAN border, Internet access point, and in front of servers.)

Internet Access Point
- Limits undesired P2P and video traffic and ensures bandwidth for proper services.
- Blocks IM, online gaming, and stock exchange applications to avoid network abuse.
- Blocks online storage, web mail, and IM applications to avoid disclosure of internal documents or confidential information.
- Protects internal hosts and browsers against threats to avoid data loss, data damage, or the hosts being turned into zombies.

Off-line Monitor (IDS Mode)
- Meets policy compliance requirements.
- Meets the governmental mandatory standards for classified protection of information systems and secret-involved networks.
- Helps maintain the network by providing key information on intrusions or on faults caused by other anomalies.
- Helps enterprises pass the standard certifications required for company listing or investment promotion.
In Front of a Server
- Prevents worms and exploits targeting service and platform vulnerabilities to avoid damage, tampering, data loss, or the servers being turned into zombies.
- Prevents server faults caused by DoS or DDoS attacks.
- Prevents emerging attacks on web applications, such as SQL injection, cross-site scripting, scanning, password guessing, and sniffing.
- Provides IDC value-added services.

WAN Border
- Implements logical network isolation.
- Prevents worms and Trojan horses from spreading in from external networks.
- Monitors violations on internal networks.
- Detects and prevents malicious behavior from external networks, such as sniffing and reconnaissance.

Technical Requirements

Models: 2050, 2100, 2130, 2150, 2200, 5100, 5200, 5500

Product performance classes (as listed, from low end to high end): Basic Megabit, Mid-range Megabit, Basic Gigabit, Mid-range Gigabit, High-end Gigabit, 10-Gigabit

Extension and I/O
- Dedicated management interface: 1 x GE on every model.
- Fixed interface: 2 x 10 GE (SFP).
- Expansion slots: 2050, 2100, 2130: 2 x FIC; 2150, 2200, 5100, 5200: 3 x FIC; 5500: 2 x FIC.
- Expansion network interfaces (as listed): 8 x; 8 x; 8 x; 8 x; 8 x; 8 x; 2 x XE, 2 x XE + 8 GE, 8 x; 2 x XE, 2 x XE + 8 GE, 8 x; 2 x 10 GE.
Features (all models: 2050, 2100, 2130, 2150, 2200, 5100, 5200, 5500)

Server protection: Provides all-round protection for application servers and defends against system vulnerability attacks, service vulnerability attacks, brute force, SQL injection, cross-site scripting, and viruses.

Client protection: Protects browsers and plug-ins, such as Java and ActiveX. Protects files such as Word, PDF, Flash, and AVI. Detects and defends against system vulnerabilities, spyware, adware, and viruses.

Infrastructure protection: Defends against malformed packet attacks, special packet control attacks, scanning attacks, and TCP/UDP flood attacks. Defends against application-layer DDoS attacks, such as HTTP, HTTPS, DNS, and SIP flood attacks. Traffic self-learning: sets the threshold for traffic-type attacks based on statistics of normal traffic.

Network application control: Identifies and controls more than 1200 application protocols, including P2P, IM, online game, stock, voice, online video, streaming media, web mail, mobile terminal, and remote login applications.

Alarm and response: Provides real-time alarming, audible alarms, syslogs, SNMP traps, emails, SMS messages, interworking with third-party devices, IP address isolation, attack packet capture, and real-time session blocking.

Device management: Provides a GUI, hierarchical management of administrators, access control permission settings, and centralized management of devices. Supports rollback and periodic update of the engine knowledge database, and centralized update on the intranet.

Log report monitor: Provides device status monitoring, event information backup, log query and filtering, real-time network status monitoring, and report customization.

Deployment and availability: The IPS device is deployed in in-line mode and the IDS device in off-line mode. Interfaces can be deployed in online and off-line modes. Supports hardware bypass cards and hot standby deployment.
Specifications of Integrated Devices

Dimensions (H x W x D) (mm), as listed: 43.6 x 442 x 560; 43.6 x 442 x 560; 43.6 x 442 x 560; 130.5 x 442 x 415

Power supply: AC: 100 V to 240 V, 50/60 Hz; or AC: 100 V to 240 V, 50/60 Hz and DC: 48 V to 60 V. Power supply redundancy is supported.

Maximum power, as listed: 150 W; 150 W; 150 W; 300 W

Operating environment: Temperature: 0°C to 40°C. Relative humidity: 5% to 95%, non-condensing.

MTBF: 12.67 years
Subscription Information

Host Quoted Items (Model (External): Description)

2050-AC-01: 2050 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
2100-AC-01: 2100 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
2130-AC-01: 2130 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
2150-AC-01: 2150 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
2200-AC-01: 2200 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
5100-AC-01: 5100 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
5200-AC-01: 5200 Standard AC Host (4GE+4GE Combo, 4G Memory, 2 AC Power), with HW Network, with 12 Months
5200-DC-01: 5200 Standard DC Host (4GE+4GE Combo, 4G Memory, 2 DC Power), with HW Network, with 12 Months
5500-AC-01: 5500 Standard AC Host (4GE+4GE Combo+2*10GE Optical Ports, 4G Memory, 2 AC Power), with HW Network Intelligent Protection System Software, with 12 Months
5500-DC-01: 5500 Standard DC Host (4GE+4GE Combo+2*10GE Optical Ports, 4G Memory, 2 AC Power), with HW Network Intelligent Protection System Software, with 12 Months

Host Auxiliary Software (Model (External): Description)

2050 Knowledge Base Update Feature
LIC-IPS-12-2050, LIC-IPS-36-2050, LIC-AV-12-2050, LIC-AV-36-2050: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

2100 Knowledge Base Update Feature
LIC-IPS-12-2100, LIC-IPS-36-2100, LIC-AV-12-2100, LIC-AV-36-2100: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

2130 Knowledge Base Update Feature
LIC-IPS-12-2130, LIC-IPS-36-2130, LIC-AV-12-2130, LIC-AV-36-2130: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

2150 Knowledge Base Update Feature
LIC-IPS-12-2150, LIC-IPS-36-2150, LIC-AV-12-2150, LIC-AV-36-2150: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

2200 Knowledge Base Update Feature
LIC-IPS-12-2200, LIC-IPS-36-2200, LIC-AV-12-2200, LIC-AV-36-2200: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

5100 Knowledge Base Update Feature
LIC-IPS-12-5100, LIC-IPS-36-5100, LIC-AV-12-5100, LIC-AV-36-5100: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

5200 Knowledge Base Update Feature
LIC-IPS-12-5200, LIC-IPS-36-5200, LIC-AV-12-5200, LIC-AV-36-5200: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

5500 Knowledge Base Update Feature
LIC-IPS-12-5500, LIC-IPS-36-5500, LIC-AV-12-5500, LIC-AV-36-5500: Subscribe 12 Months, with HW Network; Subscribe 36 Months, with HW Network

Service Board/Bypass Card (Model (External): Description)

FIC-4GE-: 4GE Electric Ports Bypass Card, with HW General Security Platform Software
FIC-8GE: 8GE Electric Ports Interface Card, with HW General Security Platform Software
FIC-8SFP: 8GE Optical Ports FIC Interface Card, with HW General Security Platform Software
FIC-2LINE-M-: 2 Link LC/UPC Multimode Optical Interface Bypass Protect Card, with HW General Security Platform Software
FIC-2LINE-S-: 2 Link LC/UPC Singlemode Optical Interface Bypass Protect Card, with HW General Security Platform Software
FIC-2SFP+: 2*10GE Optical Ports FIC Interface Card, with HW General Security Platform Software
FIC-2SFP+&8GE: 2*10GE Optical Ports+8GE Electric Ports Interface Card, with HW General Security Platform Software