Huawei Cloud Fabric Data Center Security and Application Optimization Solution


Highly Secure Services and High-Performance, High-Efficiency Networks

Emerging technologies such as cloud computing, Big Data, and virtualization are driving data centers to transform from data-oriented integration to application-oriented integration. To adapt to this transformation, enterprise users have to improve service evolution efficiency and their ability to cope with complex environments, and data center management and resources must be significantly optimized. At the same time, traditional data center security solutions are almost useless against the spread of malicious internal and external threats to these new resources and services.

Huawei, a leading global network solutions provider, has been dedicated to developing industry-leading data center network security and optimization solutions. Huawei offers users an end-to-end network security and application optimization solution, helping enterprises build modern data centers with highly secure services and high-performance, high-efficiency networks.

Comprehensive Security

To help industry users adapt to traffic bursts, virtualization technology, and complex, fast-changing applications in data centers, the Huawei Cloud Fabric Data Center Network Solution provides comprehensive security protection that features high performance, virtualization, and rugged defense for network, application, and management security.

[Figure: solution overview. Zones: Intranet, Leased Line/Backbone Network, Extranet, Internet, Management O&M Zone, Network (TRILL), Mobile Office, Application Server Zone, Storage Zone. Components: AntiDDoS, Firewall (FW), IPS/IDS, UMA/eSight, SVN, WAF, AVE.]

AntiDDoS: Detects DDoS attacks on the DCN and cleans attack traffic.
Firewall: Provides security isolation, defense against unauthorized access, and access rights management.
IPS/IDS: Provides detection of and defense against intrusions and malicious threats.
UMA/eSight: Provides unified network O&M, management, and audit capabilities.
SVN: Provides a security solution for access from an insecure zone to the DCN.
WAF: Provides a security mechanism for websites and prevents information leakage and content tampering.
AVE: Provides virus cleaning and filtering for online applications or services.

Page1, Total8

Deployment Proposals

Requirement | Location | Risk | Deployment Proposal | Solution | Product Model
Network security | Data center security zone edge (access edge, extranet zone, and service zone) | High | Firewall, Intrusion Prevention System (IPS), and Intrusion Detection System (IDS) | Unauthorized access is solved by network security zone division, isolation, and access control; intrusion detection and defense capabilities prevent intrusion behaviors and malicious behaviors | USG9500
Network security | Data center access edge | High | SSL VPN (SVN) gateway | Employees and partners gain secure access through a Virtual Private Network (VPN) | SVN5000
Network security | Internet egress | High | Distributed Denial of Service (DDoS) traffic cleaning gateway | Flood and application-layer DDoS attack defense | AntiDDoS8000
Application security | Application server zone | Medium | Applied security gateway | Application security protection | USG6000
Application security | Application server zone | Medium | Antivirus Gateway (AVG) | Real-time, online virus cleaning and filtering of online applications or services | AVE2000
Application security | Application server zone | Medium | Web Application Firewall (WAF) | Web defense mechanisms for websites; prevents information leakage and content tampering | WAF5000
Management security | Data center management zone | Medium | Unified Maintenance Audit (UMA) | Solves problems of unauthorized access, security event correlation, security device management, and O&M audits | UMA

Network Security

Industry's Highest-Performing Gateway

Processing performance: Huawei USG9500 series data center firewalls use the company's proprietary traffic splitting technology. The performance of the entire device scales linearly with the number of configured Service Processing Units (SPUs). The maximum mixed-packet throughput of 960 Gbit/s leads the industry. The maximum number of concurrent connections is 960 million, and the maximum number of virtual firewalls is 4,096, satisfying the performance requirements of high-end users in the broadcast and TV, government, energy, and education industries.

VPN gateway performance: The Huawei USG9500 supports VPN gateway redundancy, which enables up to 500 Gbit/s of encryption and decryption and 960,000 concurrent VPN tunnels.

Next-Generation Anti-DDoS Solution

Large-volume DDoS attack defense: The multi-core distributed hardware architecture provides Terabit-class defense performance and responds to attacks within several seconds, ensuring link availability.

Application-layer DDoS attack defense: Accurate, comprehensive attack detection and full-scale defense against over 100 types of attacks ensure the continued operation of key enterprise service systems such as web applications, Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP), and Voice over IP (VoIP).

Anti-DDoS operations: Tenant/service-based automatic and manual policies support large-scale operations and simultaneous protection of 10,000 tenants/services.

Powerful VPN Access Gateway

Mobile access: Supports mobile terminals running seven types of operating systems (OSs), five access methods, and access to data center services anywhere, anytime.

Overall security protection: 10 types of authentication methods ensure complete security defense.

Leading virtualization technology: 256 virtual SVN gateways reduce Capital Expenditure (CAPEX) and Operating Expense (OPEX).

[Figure: network security deployment across Headquarters, Branch, Partner, Mobile user, Internet/Intranet, and Data Center. Callouts: AntiDDoS with Terabit-class defense performance, IPv4/IPv6 dual-stack defense, protection against 100+ types of attacks, 7-layer defense and 2-second attack response, and multiple security operation methods; FW with over 900 million concurrent NAT sessions, multiple IPv6 transition technologies, and 4,000+ virtual firewalls; SVN Gateway supporting 7 mainstream OSs, 10 authentication methods, and 256 virtual SVN gateways.]

Multi-Tenancy

Although cloud computing is based on advanced virtualization technology and high-speed networks, it also requires the high throughput, large numbers of Virtual Systems (VSs), and multi-dimensional virtualization functions available with the Huawei USG9500:

Resource virtualization enables customized virtual resources. Different resources can be assigned to different VSs.

Management virtualization provides personalized policies for independent configuration of each virtual firewall, log management and audit management functions, and management policies based on tenant requirements.

Forwarding virtualization provides customized service processing flows. The forwarding plane logically isolates VSs from one another: if the resources of a single VS are exhausted, the other VSs continue to work properly. In this way, the data of the internal tenants of each VS is secured.

Intrusion Detection and Prevention

The Huawei USG9500 contains the core technology of intrusion prevention: search engines, signature database identification, and processing performance. This technology defends against exploitation of system vulnerabilities, unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies. Each of the USG9500's "vulnerability-based" signature rules can cover thousands of attacks. What's more, worldwide honeynet systems capture the latest attacks, worms, and Trojan horses in real time and provide zero-day attack defense.

The USG9500 also uses other intrusion prevention methods, including internal bypass and "one board, one feature" technologies. Certain necessary service traffic is split off to a dedicated SPU. In this way, service processing is improved and the data traffic does not affect the firewall's basic operations, ensuring service continuity.

[Figure: multi-tenant security with the USG9500 in the VAS Zone serving Zone 1, Zone 2, ... Zone N. Callouts: On-Demand Resource Allocation; Virtual defense; Comprehensive reports; cloud data center and 960 Gbit/s high-performance security protection; access of massive numbers of terminals/isolated tenants and 4K virtual firewalls that support operations; customized virtual firewall policies and resources implement elastic resource allocation; IPS virtualization, IPSec virtualization, and secure access.]

Tenant Isolation | Isolated Target | Isolation Method
Logical isolation | Computing, storage, and network | Virtualization technologies provide exclusive use of hardware resources; VLAN isolation; virtual firewalls isolate security policies
Physical isolation | Region and equipment room | Mapping a virtual firewall/tenant to a physical location provides a physical binding service for tenants

Application Security

Professional Web Application Firewall

User behavior detection: A detection engine quickly identifies abnormal user behaviors and provides an optimal access experience. A transparent proxy engine restores the Hypertext Transfer Protocol (HTTP) stream, which prevents bypass and penetration attacks.

Fine-grained control policies: Dynamic blocking policies based on IP reputation level block only the attacking request packets if the originating IP address has a high reputation level; if the IP address has a low reputation level, the policies blockade that source's network access. Various complex web application protection policies based on HTTP can be customized, and these rules implement differentiated protection of web resources.

In-depth service security protection: This mechanism prevents application-layer CC attacks from affecting services, business crawlers from capturing business data, and competitors in the same industry from conducting malicious reservation and panic-purchasing behaviors.
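The reputation-tiered blocking described above, as an added example that is not Huawei's code: a small WAF decision routine that drops only the offending request from a high-reputation source but blocks a low-reputation source outright, and counts per-URL request rates to flag the application-layer CC (HTTP flood) behaviour the text mentions. The thresholds, the `is_attack` verdict and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed thresholds for this example; the vendor's actual values are not on the page.
HIGH_REPUTATION = 70       # score >= 70: trusted source, drop only the offending request
CC_WINDOW_SECONDS = 10.0   # sliding window for application-layer CC (HTTP flood) detection
CC_MAX_REQUESTS = 20       # more requests than this to one URL per window is a CC flood


@dataclass
class Request:
    ts: float            # arrival time in seconds
    src_ip: str
    path: str
    is_attack: bool      # verdict of an upstream signature/anomaly engine (assumed input)


class ReputationWaf:
    """Tiered blocking: drop only the bad request from high-reputation sources,
    block the whole source when its reputation is low."""

    def __init__(self, reputation):
        self.reputation = reputation          # ip -> score 0..100; unknown IPs score 0
        self.blocked = set()                  # sources currently blocked outright
        self.history = defaultdict(deque)     # (ip, path) -> recent request timestamps

    def _cc_flood(self, req):
        # Sliding window per (source, URL): count requests in the last CC_WINDOW_SECONDS.
        window = self.history[(req.src_ip, req.path)]
        window.append(req.ts)
        while window and req.ts - window[0] > CC_WINDOW_SECONDS:
            window.popleft()
        return len(window) > CC_MAX_REQUESTS

    def handle(self, req):
        """Return 'allow', 'drop_request' or 'block_source' for one request."""
        if req.src_ip in self.blocked:
            return "block_source"
        flood = self._cc_flood(req)
        if not (req.is_attack or flood):
            return "allow"
        if self.reputation.get(req.src_ip, 0) >= HIGH_REPUTATION:
            return "drop_request"             # trusted source: per-request blocking only
        self.blocked.add(req.src_ip)          # low reputation: block the source entirely
        return "block_source"


def run_demo():
    """Constructed traffic (RFC 5737 documentation addresses); returns the decisions."""
    waf = ReputationWaf({"203.0.113.10": 90, "198.51.100.7": 20})
    traffic = [
        Request(1.0, "203.0.113.10", "/login", False),
        Request(2.0, "203.0.113.10", "/login", True),    # attack from trusted source
        Request(3.0, "203.0.113.10", "/login", False),   # trusted source stays reachable
        Request(4.0, "198.51.100.7", "/search", True),   # attack from low-reputation source
        Request(5.0, "198.51.100.7", "/search", False),  # source is already blocked
    ]
    # Unknown source hammering one booking URL: 21 clean-looking requests within 5 seconds.
    traffic += [Request(10.0 + i * 0.25, "192.0.2.5", "/api/book", False)
                for i in range(CC_MAX_REQUESTS + 1)]
    return [waf.handle(r) for r in traffic]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```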
Industry's Best Virus Detection

Professional file-level Antivirus Engine (AVE): Thoroughly cleans compressed, packed, and encrypted binary viruses, PDF viruses, Microsoft Office macro viruses, and Adobe Flash viruses.

Detecting massive numbers of viruses: A worldwide virus sample collection system can detect over seven million types of viruses.

Powerful threat defense: A built-in network threat feature library and a hotspot and malicious site library detect and block the download of browser controls and plug-ins such as ActiveX and Java Applet that may carry viruses or malicious code, and defend against Trojan horses, worms, and other malicious code.

USG6000 for Mail and Data Security

[Figure: mail and web application defense deployment. Devices: CE12800, USG6000, AVE2200, and WAF5520 at the aggregation and access layers, in front of the Web Application Zone and the Mail System; threats shown arriving from the Internet/WAN: web tampering and SQL injection.]

Mail and data security callouts:

Real-time spam prevention detects and defends against online phishing attacks.
Local blacklist and whitelist; remote and real-time blacklist; content filtering; keyword filtering; and filtering by attachment type, size, and quantity.
POP3/SMTP/IMAP antivirus (AV) scanning, attachment scanning, and security risk alerts.
In-depth file content identification and filtering prevents sensitive information leaks.
Restores and filters the content of 30+ file formats, including Word, Excel, PPT, and PDF, and filters 120+ file types.

Web Application Defense

Web page defense: The WAF2000/5000 gateway prevents tampering of static web pages and blocks Structured Query Language (SQL) injection and Cross-Site Scripting (XSS) attacks. The USG6000 detects and removes viruses in uploaded files or dynamic web pages.

AV

Professional file-level Antivirus Engine (AVE): Thoroughly cleans compressed, packed, and encrypted binary viruses, PDF viruses, Microsoft Office macro viruses, and Adobe Flash viruses by using Symantec's mature, reliable antivirus (AV) technologies. A worldwide virus sample collection system can detect over seven million types of viruses.

Mail Defense

The USG6000 series NGFW blocks spam and phishing attacks.
Reputation technology: IP, domain, and URL reputation.
Blacklist and whitelist: IP address, email ID, and domain ID.
Signature filtering: phishing mail signature, spam signature, and attachment signature.

Management Security

Huawei's UMA system lowers the internal O&M risks to resources such as network devices, servers, databases, and service systems by managing, monitoring, and auditing the operation behaviors of all O&M personnel in a data center. This system completes the IT management system and complies with related rules, regulations, and standards.

Regularizes O&M management: The UMA system establishes a unified O&M access management and resource control platform, unifies access portals, and centralizes rights control to implement centralized, regular O&M management.

Reduces resource risks: The UMA system uses a bastion host to reject access attempts by unauthorized and insecure terminals and to reduce the impact of Trojans, spyware, and internal security risks. The system also prevents external risks by standardizing the onsite operations of third-party maintenance staff and system integrators. Operation records help to trace events and assess liabilities.

Abides by compliance requirements: The UMA system complies with laws and regulations such as IT internal control guidelines, the Sarbanes-Oxley (SOX) Act, and the Control Objectives for Information and Related Technology (COBIT) framework. Audit reports and O&M logs are available for regulatory authorities. These comprehensive IT internal control and audit systems help organizations administer IT audits.

[Figure: UMA deployment. Remote Access passes through UMA (Unified Management, Operations Recording) into the DC Resource Zone. Risks addressed: illegal data interception, data tampering, OA violation operations, ERP violation operations, illegitimate deletion, and illegitimate access. Audit questions answered by UMA via Syslog: Who are you? Where are you from? Where have you been? What have you done?]

Unified Management: A unified management portal and authorization implement enterprises' device maintenance compliance and security, and manage administrator accounts centrally to facilitate rights setting and periodic adjustment.

Behavior Audit: Displays behavior relationships, and locates and blocks high-risk operations.

Event Reporting: Reports operation instructions to third-party monitoring devices to implement non-repudiation, and associates operations with security events.

Application Optimization

Huawei partners closely with the industry's top vendors to provide users with end-to-end application optimization solutions. Link and server load balancing devices intelligently judge link congestion or service loads and select appropriate load balancing scheduling algorithms that improve the response speed and processing capability of data center services. Wide Area Network (WAN) acceleration devices increase the transmission rate of key applications and data and fully exploit bandwidth potential, lowering network latency and enhancing the user experience.

Load Balancing

Multiple data center egresses use link load balancing technology to connect to different carriers, implementing intelligent traffic analysis and access. As a result, the corresponding carrier egress is intelligently selected for load balancing.

Server load balancing technology significantly reduces the performance pressure on a single server, lowers server hardware upgrade costs, and improves service reliability: the failure of a single server does not interrupt services. In a multi-data center network, services are provisioned by the principle of proximity, which greatly improves the quality of service access. Global load balancing technology enables users to quickly access the services of the "closest" data center, effectively solving the problem of network congestion and increasing the server's response speed.

WAN Optimization

WAN bandwidth is lower than Local Area Network (LAN) bandwidth; in addition, WAN latency is higher, the packet loss ratio is greater, and application access is slower. As a result, enterprise branches have to increase the number of locally deployed servers. Active and standby data centers deployed in two locations also suffer from low bandwidth, high latency, and high O&M costs. To solve these problems, many mature technologies are available to optimize the WAN and improve the experience of WAN applications. Problems and solutions include:

Insufficient bandwidth: Reduce the volume of data transmitted on the WAN through data compression and buffering, and eliminate repeated data.

High latency: Lower latency through technologies such as protocol optimization (for example, TCP, HTTP, CIFS, and NFS), prefetching (prior requests), and proxy responses.

High packet loss ratio: Lower the packet loss ratio through congestion control, Forward Error Correction (FEC), and packet re-sequencing.