Huawei Eudemon1000E-N Next-Generation Firewall - Huawei - Building A ...
Huawei Eudemon Firewall: Basic Concepts, Technologies and Working Modes

Compiled from slides
Basic firewall concept: the session (Session)
• Session
A session is the foundation of a stateful firewall. Every session that passes through the firewall creates a session table entry, keyed by the 5-tuple (source and destination IP addresses, source and destination ports, protocol number). Maintaining a dynamic session table gives the higher-priority zone stronger protection: as the figure below shows, a high-priority zone can initiate access to a low-priority zone, but not the reverse. The session table also enables many further features, such as fast forwarding, flow-based equal-cost routing and application-layer flow control.
• What a ServerMap really is
A ServerMap entry is essentially a 3-tuple entry. A 5-tuple entry is too strict and would stop multichannel protocols from passing through the firewall, because before any sub-channel packet has appeared, the multichannel protocol does not yet know the full 5-tuple; only the 3-tuple can be predicted.
ServerMap entries are the data structure used in NAT ALG and ASPF so that multichannel protocols can pass through the firewall.
[Figure residue: TCP session tracking. Update Session / match TACL; detect application-layer state transitions; C <-> FIN <-> S; C <-> FIN/ACK <-> S: delete Session/TACL.]
– For UDP applications: the first packet seen is treated as initiating the connection, and the first return packet seen as establishing it; deletion of the Session/TACL depends on the idle timeout.
ASPF basic working principle: multichannel protocols
[Figure residue: example of FTP packet processing. Outbound IP packets on the interface are checked and confirmed to be TCP-based FTP packets; FTP commands and replies travel over the FTP control-channel connection between the FTP client and the server; the PORT command announces the data-channel connection.]
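The following Python model, added here as an illustration and not code from Huawei or from the slides, ties together the points above: a session table keyed by the 5-tuple, the rule that only a higher-priority zone may initiate a new session, idle-timeout expiry of sessions, and the 3-tuple ServerMap entries that ASPF predicts from an FTP PORT command so that the server-initiated data channel (Untrust to Trust) can pass. Zone priorities, addresses and packets are constructed.

```python
"""Toy model of stateful firewall session tracking, interzone priority,
idle-timeout expiry and ASPF ServerMap entries for active-mode FTP.
Added illustration only; not Huawei's implementation."""
from dataclasses import dataclass
import re

# Constructed zone priorities in the usual Trust > DMZ > Untrust order.
ZONE_PRIORITY = {"trust": 85, "dmz": 50, "untrust": 5}
FTP_PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    src_zone: str
    dst_zone: str
    payload: bytes = b""

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_tuple(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class Firewall:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        self.sessions = {}      # 5-tuple (initiator direction) -> last-seen time
        self.servermap = set()  # 3-tuples (dst_ip, dst_port, proto) predicted by ASPF

    def handle(self, pkt, now=0):
        # 1. Existing session, either direction: fast path, refresh the timer.
        for key in (pkt.five_tuple(), pkt.reverse_tuple()):
            if key in self.sessions:
                self.sessions[key] = now
                self._aspf(pkt)
                return "session"
        # 2. ServerMap hit: the sub-channel of a multichannel protocol. Only
        #    (dst_ip, dst_port, proto) is known in advance, so only that is
        #    matched; the hit is promoted to a full 5-tuple session.
        three = (pkt.dst_ip, pkt.dst_port, pkt.proto)
        if three in self.servermap:
            self.servermap.discard(three)
            self.sessions[pkt.five_tuple()] = now
            return "servermap"
        # 3. Brand-new flow: only a higher-priority zone may initiate.
        if ZONE_PRIORITY[pkt.src_zone] > ZONE_PRIORITY[pkt.dst_zone]:
            self.sessions[pkt.five_tuple()] = now
            self._aspf(pkt)
            return "new"
        return "drop"

    def _aspf(self, pkt):
        # Application-layer inspection of the FTP control channel: a PORT
        # command names the client address/port the server will connect to.
        m = FTP_PORT_RE.match(pkt.payload) if pkt.proto == "tcp" else None
        if m:
            h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in m.groups())
            self.servermap.add((f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo, "tcp"))

    def expire(self, now):
        """Delete sessions idle longer than the timeout; returns how many."""
        dead = [k for k, t in self.sessions.items() if now - t > self.idle_timeout]
        for k in dead:
            del self.sessions[k]
        return len(dead)


def active_ftp_demo():
    """Constructed active-mode FTP exchange; returns the verdict per packet
    and the number of sessions removed by a later idle-timeout sweep."""
    fw = Firewall(idle_timeout=60)
    client, server = "10.1.1.10", "203.0.113.5"
    pkts = [
        # control channel opened from Trust to Untrust: allowed as a new session
        Packet(client, 40000, server, 21, "tcp", "trust", "untrust"),
        # server reply on the same flow matches the session in reverse
        Packet(server, 21, client, 40000, "tcp", "untrust", "trust", b"220 ready"),
        # client announces data port 156*256+65 = 40001; ASPF records a ServerMap entry
        Packet(client, 40000, server, 21, "tcp", "trust", "untrust", b"PORT 10,1,1,10,156,65"),
        # server opens the data channel Untrust -> Trust: allowed only via ServerMap
        Packet(server, 20, client, 40001, "tcp", "untrust", "trust"),
        # unrelated Untrust -> Trust probe with no session and no ServerMap entry
        Packet("198.51.100.7", 5555, client, 445, "tcp", "untrust", "trust"),
    ]
    verdicts = [fw.handle(p, now=i) for i, p in enumerate(pkts)]
    expired = fw.expire(now=500)  # both sessions have been idle longer than 60
    return verdicts, expired


if __name__ == "__main__":
    print(active_ftp_demo())
```

The fifth packet is dropped for the same reason the fourth would be without ASPF: nothing in the session table and no predicted 3-tuple. In a real deployment the ServerMap entry is what lets the data channel in, which is also why ASPF should be enabled only for the protocols actually in use.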
Eudemon series firewalls

[Figure residue: Eudemon firewall feature overview. Strong anti-attack capability; diverse configuration and authentication methods; carrier-class reliability; rich service features and good extensibility; multiple VPN and encryption algorithms; high-speed NAT; multiple interface types and working modes; rich ALG support.]
Based on improved stateful inspection security technology
Packet-filtering firewall:
Early firewalls were simple packet-filtering firewalls that supported only static
Strong authentication system, supporting both local authentication and RADIUS server authentication.
The log management system that accompanies the firewall also enforces strict user authentication, and the log database is stored encrypted.
Eudemon firewall basic specifications
E100: interfaces: 2 built-in 10/100M Ethernet ports plus 2 expansion interface slots; interface types: 10/100M Ethernet
E200: interfaces: 2 built-in 10/100M Ethernet ports plus 2 expansion interface slots; interface types: 10/100M Ethernet, E1 and ATM interfaces
Stateful inspection of applications such as RTSP, H.323, SIP and HTTP.
Supports port-to-application mapping to hide well-known internal ports. Supports rich NAT applications; NAT-based networking further improves security.
Main features of Eudemon firewalls
High performance:
Uses Huawei-3Com patented technology with an industry-leading high-speed ACL algorithm whose performance is independent of the number of ACL entries. High-end firewalls use network processors to reach 3G line rate.
Product development follows the IPD and CMM processes to ensure product quality and reliability as far as possible.
Route backup. Supports dual-system stateful hot standby.
High security:
Hardware architecture designed specifically for firewalls.
A secure operating system with independent intellectual property rights. Built-in IDS that detects and defends against dozens of attack types seen on the network, plus IDS linkage: cooperating with an IDS to defend against newly emerging attack methods.
Datacom Product Engineer Certification Exam Questions

2012 Datacom Product Engineer Certification Exam. Total score: ____. Notes: 1. This is the datacom product exam; full score 200 points, exam time 90 minutes, closed-book. 2. Candidates must strictly observe exam-room discipline and follow the supervision and management of the invigilators. Anyone who cheats and ignores dissuasion or warnings may have their exam terminated by the invigilator, their paper confiscated and scored 0, and be reported to the relevant department for disciplinary action.
I. Fill in the blanks (0.5 points per blank, 25 points total)
1. A routing table contains the following items: destination address, ________, protocol, ________.
2. Write the preferences of DIRECT, OSPF and STATIC respectively: ________, 10, ________.
3. The two most widely used IGP routing protocols today are ________ and IS-IS; both are link-state routing protocols.
4. Which protocol is used to discover a device's hardware address: ________.
5. The RIP routing protocol computes the metric based on ________.
6. Establishing a TCP connection takes a ____-way handshake; tearing down a TCP connection takes a ____-way handshake.
7. The five OSPF packet types: ________, ________, LSR, ________, ________.
8. OSPF abstracts different network topologies into the following four types: ________, ________, point-to-multipoint, ________.
9. NE40/NE80 devices use a distributed forwarding architecture; link-layer protocol processing is done on the ______, and dynamic routing protocol processing is done on the ______.
10. On NE40E, NE80E and NE5000E devices, the command to view device alarm logs is ________; the command to view the alarm log information reported to the NMS is ________; the command to view system CPU usage is ________; the command to view system memory usage is ________.
11. On the NE80E, the number range of interface-based ACLs is ________; on the NE80E, the ________ command shows which rule takes effect first.
12. Data flows between security zones are directional, namely ________ and ________.
13. On the NE80E, BGP uses protocol type ______ and port number ______; NTP uses protocol type ______ and port number ______.
14. After the loopback-detection control command is executed on a port of an S9300 series switch, when the system detects a loop on that port, besides sending a Trap it also ______ the port.
Huawei Firewall Eudemon1000E-X Hardware Description

Hardware Description
Document version 01, release date 2012-11-06
Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved. No part of this document may be excerpted, reproduced or distributed in any form by any organisation or individual without the written permission of the company.
Trademark notice
3 DMIC interface cards
3.1 2×10GE optical interface card
3.1.1 Functions and features
3.1.2 Panel
3.1.3 Technical specifications
Huawei Eudemon1000 Dual-System Configuration

Dual-system hot standby configuration examples. Contents:
1 Dual-system hot standby configuration examples
1.1 Configuring hot standby in active/standby backup mode
1.2 Configuring hot standby in load-balancing mode with routers as the upstream and downstream devices
1.3 Configuring hot standby in load-balancing mode with the service interfaces working in switching mode
1.4 Configuring hot standby in active/standby backup mode combining VRRP and OSPF
1.5 Configuring hot standby in active/standby backup mode combining OSPF and NAT
1 Dual-system hot standby configuration examples
Configuring dual-system hot standby ensures that when the active device fails, the standby device takes over its work smoothly.
Configuring hot standby in active/standby backup mode: the Eudemons are deployed as security devices at a service node, the upstream and downstream devices are switches, and active/standby hot-standby networking is implemented.
Configuring hot standby in load-balancing mode with routers as the upstream and downstream devices: the Eudemons are deployed as security devices at a service node, the upstream and downstream devices are routers, and load-balancing hot-standby networking is implemented.
Configuring hot standby in load-balancing mode with the service interfaces working in switching mode: the upstream and downstream devices of the Eudemons are routers, the service interfaces of the active and standby devices work in switching mode, OSPF is passed transparently between the upstream and downstream routers, and security filtering is applied to the service traffic.
Configuring hot standby in active/standby backup mode combining VRRP and OSPF: the active and standby devices run OSPF with the routers and VRRP with the switches, implementing active/standby hot-standby networking.
Configuring hot standby in active/standby backup mode combining OSPF and NAT: the active and standby devices run OSPF with the routers and with the downstream GGSN, NAT is configured on the devices, and active/standby hot-standby networking is implemented.
Parent topic: Typical configuration cases
1.1 Configuring hot standby in active/standby backup mode
The Eudemons are deployed as security devices at a service node; the upstream and downstream devices are switches; active/standby hot-standby networking is implemented.
Networking requirements
The Eudemons are deployed as security devices at the service node.
The upstream and downstream devices are switches; Eudemon_A and Eudemon_B act as the active and the standby device respectively.
The network plan is as follows:
• The internal network connects through a router to the GigabitEthernet 0/0/2 interfaces of Eudemon_A and Eudemon_B and is placed in the Trust zone.
• The external network connects through a router to the GigabitEthernet 0/0/1 interfaces of Eudemon_A and Eudemon_B and is placed in the Untrust zone.
Huawei Eudemon1000E-G Series AI Firewall (Box Type) Product Datasheet

Huawei Eudemon1000E-G series AI firewall (box type). As carrier services become ever more digital and cloud-based, the network occupies an important position in carrier operations. For various purposes, attackers penetrate and attack networks through identity spoofing, website trojan injection, malware and other means, affecting the normal use of carrier networks.
Deploying firewalls at the network border is currently the main way to protect carrier networks, but a firewall usually analyses and blocks threats only on the basis of signatures; this method has no effective response to unknown threats and also reduces device performance.
This single-point, passive, in-event defence can no longer handle unknown threats effectively, and threats hidden in encrypted traffic cannot be identified effectively without compromising user privacy.
On top of its NGFW capabilities, the Huawei Eudemon1000E-G series AI firewall works together with other security devices to defend proactively against network threats, strengthens border detection, defends effectively against advanced threats, and at the same time solves the performance degradation problem.
The NP provides fast forwarding, significantly improving firewall performance.
[Product pictures: Huawei Eudemon1000E-G15/Eudemon1000E-G25 AI firewall; Huawei Eudemon1000E-G35/Eudemon1000E-G55 AI firewall]
Outstanding performance: the Eudemon1000E-G series AI firewall has three built-in co-processing engines for forwarding, encryption and pattern matching, which double small-packet forwarding performance, IPS and AV service performance, and IPSec service performance.
A built-in AI chip provides 8 TOPS of 16-bit floating-point compute, accelerating advanced-threat-defence models.
Intelligent defence: the Eudemon1000E-G series AI firewall has three built-in threat-defence engines: NGE, CDE and AIE.
The NGE is the NGFW detection engine, providing content-security functions such as IPS, antivirus and URL filtering, and protecting intranet servers and users from threats.
The CDE (Content-based Detection Engine) provides deep data analysis, exposes the details of threats, quickly detects malicious files and improves the threat detection rate.
Product highlights: encrypted C&C detection… [figure residue]
The AIE is the APT threat-detection engine; it detects brute-force attacks, abnormal C&C traffic, DGA malicious domains and encrypted threat traffic, addressing rapidly changing and frequently mutating threats, the slow response of traditional signature-database updates, and the difficulty of detecting encrypted attacks. It builds "inclusive" AI, helps customers perform more comprehensive network risk assessment, responds effectively to threats along the kill chain, and makes attack defence truly intelligent.
Huawei Eudemon "One Door" Firewall
Configuring load-balancing dual-system hot standby in routing mode. The two Eudemons and four routers run OSPF. The upstream and downstream service ports of each Eudemon join the same link-group management group so that routes converge faster when a link fails.
The Eudemon's hot-standby function is based on VRRP: two VRRP groups are configured on the Eudemon's HRP backup link and joined to the Master and Slave management groups of VGMP respectively, forming a load-balancing network.
The LAN containing PC0 is the protected area; it connects to GE0/0/1 of the Eudemon and is placed in the Trust zone.
The external network connects to GE0/0/3 of the Eudemon and is placed in the Untrust zone.
The HRP backup-channel interface GE0/0/2 interconnecting the two Eudemons is placed in the DMZ zone.
The virtual addresses of the VRRP groups for the DMZ zone are 10.100.50.5 and 10.100.50.6 respectively.
Step 1: Configure Eudemon A.
<Eudemon> system-view
[Eudemon] interface gigabitethernet 0/0/1
[Eudemon-GigabitEthernet 0/0/1] ip address 10.100.10.2 24
[Eudemon-GigabitEthernet 0/0/1] quit
[Eudemon] interface gigabitethernet 0/0/2
[Eudemon-GigabitEthernet 0/0/2] ip address 10.100.50.2 24
[Eudemon-GigabitEthernet 0/0/2] quit
[Eudemon] interface gigabitethernet 0/0/3
[Eudemon-GigabitEthernet 0/0/3] ip address 10.100.30.2 24
[Eudemon-GigabitEthernet 0/0/3] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface gigabitethernet 0/0/1
[Eudemon-zone-trust] quit
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] add interface gigabitethernet 0/0/2
[Eudemon-zone-dmz] quit
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] add interface gigabitethernet 0/0/3
[Eudemon-zone-untrust] quit
[Eudemon] interface gigabitethernet 0/0/1
[Eudemon-GigabitEthernet 0/0/1] link-group 1
[Eudemon-GigabitEthernet 0/0/1] quit
[Eudemon] interface gigabitethernet 0/0/3
[Eudemon-GigabitEthernet 0/0/3] link-group 1
[Eudemon-GigabitEthernet 0/0/3] quit
# Configure the default packet-filtering rule of the unified security gateway.
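As an added check, not part of the original configuration case or of Huawei software, the Python below parses a text copy of the Eudemon A commands above (prompts removed) and verifies the plan the case describes: every interface has an address and a zone, the two business interfaces (Trust and Untrust) share one link-group, the HRP interface in the DMZ is not in a link-group, and no two interfaces share a subnet. The hrp_zone parameter and the finding messages are this example's own; the same checker can be run on the peer's configuration to confirm the two devices are mirrored.

```python
"""Plan checker for Eudemon interface/zone/link-group configuration text.
Added example; not Huawei software.  Parses the VRP-style commands and
verifies the HA plan described in the case above."""
import ipaddress
import re

# Constructed copy of the Eudemon A commands shown above, prompts stripped.
EUDEMON_A = """
system-view
interface gigabitethernet 0/0/1
 ip address 10.100.10.2 24
 quit
interface gigabitethernet 0/0/2
 ip address 10.100.50.2 24
 quit
interface gigabitethernet 0/0/3
 ip address 10.100.30.2 24
 quit
firewall zone trust
 add interface gigabitethernet 0/0/1
 quit
firewall zone dmz
 add interface gigabitethernet 0/0/2
 quit
firewall zone untrust
 add interface gigabitethernet 0/0/3
 quit
interface gigabitethernet 0/0/1
 link-group 1
 quit
interface gigabitethernet 0/0/3
 link-group 1
 quit
"""

IFACE_RE = re.compile(r"^interface\s+(\S+\s+\S+)$")
ZONE_RE = re.compile(r"^firewall zone\s+(\S+)$")


def parse_config(text):
    """Return {interface: {"ip": "a.b.c.d/len", "zone": name, "link_group": n}}."""
    ifaces = {}
    ctx_iface = ctx_zone = None      # which view the following lines belong to
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line == "system-view":
            continue
        if line == "quit":
            ctx_iface = ctx_zone = None
        elif m := IFACE_RE.match(line):
            ctx_iface, ctx_zone = m.group(1), None
            ifaces.setdefault(ctx_iface, {})
        elif m := ZONE_RE.match(line):
            ctx_zone, ctx_iface = m.group(1), None
        elif ctx_iface and line.startswith("ip address "):
            ip, plen = line.split()[2:4]
            ifaces[ctx_iface]["ip"] = f"{ip}/{plen}"
        elif ctx_iface and line.startswith("link-group "):
            ifaces[ctx_iface]["link_group"] = int(line.split()[1])
        elif ctx_zone and line.startswith("add interface "):
            name = " ".join(line.split()[2:4])
            ifaces.setdefault(name, {})["zone"] = ctx_zone
    return ifaces


def check_plan(ifaces, hrp_zone="dmz"):
    """Return a list of findings; an empty list means the plan is satisfied."""
    findings, groups, nets = [], {}, {}
    for name, cfg in ifaces.items():
        zone = cfg.get("zone")
        if zone is None:
            findings.append(f"{name}: not added to any security zone")
        if "ip" not in cfg:
            findings.append(f"{name}: no IP address")
        else:
            net = ipaddress.ip_interface(cfg["ip"]).network
            if net in nets:
                findings.append(f"{name}: subnet {net} overlaps {nets[net]}")
            nets[net] = name
        lg = cfg.get("link_group")
        if zone == hrp_zone and lg is not None:
            findings.append(f"{name}: HRP interface must not join a link-group")
        if zone not in (None, hrp_zone):
            groups.setdefault(lg, []).append(name)
    # All business interfaces must sit in exactly one shared link-group.
    if len(groups) != 1 or None in groups:
        findings.append(f"business interfaces not in one link-group: {groups}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(parse_config(EUDEMON_A)) or ["plan OK"]:
        print(finding)
```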
Quidway Firewall Eudemon1000E Deployment Guide V1.0-20091025-B1
Document code: ; Product name: Quidway self-developed Ethernet switch; Intended audience: Huawei engineers, partner engineers; Product version: ; Authoring department: Software Service Dept - Solutions Dept; Document version: V100R002
Quidway Firewall Eudemon1000E Deployment Guide
Prepared by: Sun Songming, date: 2009-09-20. Reviewed by: , date: . Reviewed by: , date: . Approved by: , date: .
Huawei Technologies Co., Ltd. All rights reserved; infringement will be prosecuted.
Revision record: 2009-10-25, V1.0, completed, Sun Songming
Contents
Chapter 1 Quidway Eudemon 1000E product overview
1.1 System introduction
1.2 Networking introduction
1.3 System architecture introduction
Chapter 2 Features of the Quidway Eudemon 1000E
2.1 Product series
2.2 Product advantages
2.3 Security zone concepts
2.3.1 Firewall zones
2.3.2 The interzone concept
2.3.3 The Local zone
2.4 Firewall working modes
2.4.1 Overview of firewall working modes
2.4.2 Routing mode
2.4.3 Transparent mode
2.4.4 Hybrid mode
2.5 Access control policies and packet filtering
2.5.1 Similarities and differences of access control policies
2.5.2 ACL accelerated lookup
2.5.3 Applying packet-filtering rules
2.5.4 Firewall default action
2.6 Dual-system hot standby
2.6.1 Application of VRRP
2.6.2 Shortcomings of traditional VRRP for backup on the E1000E
2.6.3 VGMP backup groups
2.6.4 HRP backup
2.6.5 Protocol layering of VRRP, VGMP and HRP
2.7 Introduction to NAT
2.7.1 NAT applications
2.7.2 Binding NAT to VRRP
Chapter 3 Quidway Eudemon 1000E data preparation
3.1 Initial connection setup
3.1.1 Setup through the Console port
3.1.2 Setup through Telnet
3.1.3 Accessing the device through the Web
3.2 Device startup
3.2.1 Powering on the device
3.2.2 Device startup process
3.3 Version matching
3.3.1 Viewing the current software version
3.4 Software version upgrade
3.5 Configuration planning
3.5.1 Network topology
3.5.2 System name
3.5.3 Local time zone
3.5.4 Remote maintenance login account/password and Super password
3.5.5 Zone, interface and IP address planning
3.5.6 Route planning
3.5.7 Access policy planning
3.5.8 Dual-system hot standby planning
3.5.9 Link reachability planning
3.5.10 Session fast backup planning
3.5.11 NAT planning
3.5.12 Binding NAT to VRRP
Chapter 4 Quidway Eudemon 1000E configuration
4.1 Time, date and time zone configuration
4.2 System name configuration
4.3 Remote maintenance login account/password and Super password configuration
4.3.1 Remote maintenance login account/password configuration
4.3.2 Super password configuration
4.4 Zone, interface and IP address configuration
4.4.1 Data configuration steps
4.4.2 Test and verification
4.5 Route configuration
4.5.1 Default route configuration
4.5.2 Static route configuration
4.5.3 Dynamic routing (OSPF) configuration
4.5.4 Test and verification
4.6 Access control policy configuration
4.6.1 Requirements
4.6.2 Data configuration
4.6.3 Test and verification
4.7 Dual-system hot standby configuration
4.7.1 VRRP/VGMP configuration
4.7.2 HRP configuration
4.7.3 Test and verification
4.8 Link reachability configuration
4.8.1 Configuration method
4.8.2 Test and verification
4.9 Session fast backup configuration
4.10 NAT configuration
4.10.1 Configuring an address pool bound to VRRP
4.10.2 Configuring an internal server bound to VRRP
4.10.3 Verification and testing
Chapter 5 Quidway Eudemon 1000E basic maintenance
5.1 Viewing software version information
5.2 Maintaining system configuration files
5.3 Viewing board, power supply and fan status
5.4 Viewing CPU usage
5.5 Viewing memory usage
5.6 Viewing interface traffic
5.7 Viewing interface and link status
5.8 Viewing log buffer information
5.9 Viewing routing table information
5.10 Viewing the ARP mapping table
5.11 Viewing session table information
5.12 Collecting system diagnostic information
Keywords: Quidway, firewall, Eudemon1000E, deployment guide
Abstract: This document gives guidance on data preparation for Huawei Quidway LAN switches to meet the deployment needs of Business and Software Product Line engineers, and describes their common configurations.
Huawei Eudemon1000E-X Series Firewall Product Datasheet
HUAWEI TECHNOLOGIES CO., LTD.
Burgeoning services such as high-speed Internet access, video, and media streaming lead to rocketing network traffic and ever-increasing service requirements of large organizations, intranets, and data centers in the 10-Gigabit epoch. New applications emerge and occupy the fixed ports of traditional services, making traditional port-dependent firewalls inadequate to cope with such applications. For the sake of illegal profits, hacker attacks and malware are spreading at will. Against this background, false positives and false negatives are frequently seen in traditional traffic-based attack detection. IT administrators find it difficult to deal with so many problems; therefore, large organizations, intranets, and data centers are confronted with these predicaments:
• How to select a cost-effective product to deal with ever-increasing service requirements at present and in the future?
• How to block abuse and provide sufficient bandwidth for mission-critical applications when so many new applications exist?
• How to deal with flooding worms, effectively protecting intranets and securing office environments?
With in-depth understanding of service and customer requirements, Huawei launches its Eudemon1000E-X series. This series employs the new 10-Gigabit multi-core hardware platform and constructs a higher-speed network with no delay for processing mass services. By integrating advanced Symantec intrusion prevention and anti-virus technologies, it delivers content security protection and builds a secure network; with Huawei's industry-leading deep packet inspection (DPI) technology, it manages thousands of application programs in fine detail and provides an effective network.
All in all, the Eudemon1000E-X series brings a "continuous, cost-effective, and secure" network experience to large organizations, intranets, and data centers.
Models: Eudemon1000E-X3, Eudemon1000E-X5, Eudemon1000E-X6
Highlights
10-Gigabit Multi-Core Hardware Platform
■ Prominent performance, realizing mass service processing
• Provides 15G firewall throughput, 200,000 new connections per second, 4,000,000 concurrent connections, and 15,000 concurrent VPN tunnels.
• Supports high-capacity NAT.
■ High-density 10G interfaces, suiting different application scenarios
• Delivers 64 Gigabit + 14 x 10-Gigabit high-density interfaces.
■ Super-long mean time between failures (MTBF), safeguarding service continuity
• Supplies redundant key components and mature link conversion.
• Provides built-in bypass cards for both optical and electrical links.
• Relies on a stable software platform with over 10 years' commercial use and more than 100,000 devices concurrently online in the world.
Refined Management over Thousands of Application Programs, Building an Efficient Network
■ Wide application identification, providing visibility into the applications running on your network
• Possesses 150 application identification experts, and over 850 identifiable categories.
■ Massive Web site categories, constructing a green Internet access environment
• Equips with 65 million Web sites and over 130 content categories, blocking Trojan horse-embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employee maloperations.
■ Refined application management, creating an efficient working network
• Offers multi-dimensional control measures specific to time, application, user, bandwidth, and connection number, effectively providing bandwidth for mission-critical applications, improving bandwidth usage and working efficiency, and keeping P2P/IM/Web sites under control.
Professional Content Security Defense, Providing a Secure Network
■ Industry-leading anti-virus engine with 99% identification accuracy
• Based on Symantec's accumulated anti-virus technologies, adopts an anti-virus engine with file-level content scanning, combines the globally leading emulation environment and virtual execution technology, provides a 99% identification ratio, and has a good reputation with international assessment organizations.
■ Dedicated vulnerability patching, making transformation illuminated
• Maintaining and updating a huge signature database in the traditional attack-code-based defense mode, as attack types keep transforming, overloads the IPS engine and leads to low detection performance and high false negative and false positive ratios. The Eudemon1000E-X is backed by advanced Symantec vulnerability defense technology and delivers virtual patches for vulnerabilities (not attack code), so transformed variants of an attack are still blocked.
■ Real-time update by a professional team, realizing zero-day attack defense
• Supplies the honeynet system deployed globally together with a professional team of over 300 experts to keep tracking the latest, hottest, and most dangerous system and software vulnerabilities, and to defend against zero-day attacks quickly.
One-Key Configuration, Freeing You from Complicated Policy Optimization
■ GUI, a farewell to CLI
• Delivers Web page-based configuration and management, visualized and simple.
■ Professional configuration wizard, simplifying policy configuration
• Provides a professional configuration wizard for each independent service.
■ One-key enabling of IPS and anti-virus, reducing maintenance workload
• Builds the IPS/anti-virus rule base, with a 99% detection ratio, which can be directly enabled without commissioning. Therefore, administrators are freed from time-consuming, strenuous, and complicated policy optimization, and quick deployment comes true, that is, plug and play.
Application Scenarios
Network Isolation and VPN Interconnection
■ Customer challenges
• Because user networks reside in different network areas, problems such as unclear borders, improper access control management, and disordered mutual access may occur. When branches and mobile employees communicate with the headquarters, data may be intercepted or tampered with.
■ Solution strengths
• Delivers 15G processing performance, avoiding the bottleneck of border deployment.
• Divides security zones on demand, clearly planning network borders.
• Provides flexible packet filtering policies, accurately controlling mutual access.
• Comes with 15,000 concurrent VPN tunnels and 7G VPN encryption and decryption capability, ensuring mass secure interconnection and securing data communication.
External Threat Prevention
■ Customer challenges
• Coming along with abundant Internet resources are threats such as DDoS attacks, malicious intrusions, and viruses.
■ Solution strengths
• Supplies 200,000 new connections per second and 4,000,000 concurrent connections, easily coping with millions of DDoS attack packets per second.
• Empowered by advanced Symantec IPS and anti-virus technologies as well as a vulnerability-based and abundant signature database, ensures near-zero false positives and negatives and a detection ratio higher than 99%; provides powerful security defense against diversified security threats.
Online Behavior Management
■ Customer challenges
• Non-work-related Internet surfing, P2P download, online games, and stock transactions waste business bandwidth, reduce productivity, and increase the risks of potential malicious code and hacker attacks.
■ Solution strengths
• Provides over 850 identifiable application categories, providing visibility into the applications running on your network.
• Equips with 65 million Web sites, blocking Trojan horse-embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employee maloperations.
• Offers multi-dimensional control measures specific to time, application, user, and bandwidth, effectively providing bandwidth for mission-critical applications, improving working efficiency, and keeping P2P/IM/Web sites under control.
Product Specifications
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD., Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China. Tel: +86-755-28780808. Version No.: M3-110019999-20110805-C-1.0
Huawei HiSecEngine Eudemon1000E-F Series AI Firewall Product Brief
HiSecEngine Eudemon1000E-F Series AI Firewalls
Overview
The Eudemon1000E-F is a new series of firewalls developed by Huawei to meet the needs of carriers, enterprises, and next-generation data centers. It combines industry-leading security technologies such as access control, intrusion prevention (IPS), antivirus (AV), URL filtering, anti-spam, and data loss prevention with rich security, robust processing and carrier-class reliability. Inheriting the Eudemon series' outstanding firewall, VPN, and routing features, it helps you build a fast, efficient, and secure network.
Product Highlights
Comprehensive and Integrated Protection
⚫ Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.
⚫ Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.
⚫ Comes with an antivirus content-based detection engine (CDE) powered by intelligence technologies that helps detect unknown threats, and provides in-depth data analysis to gain insight into threat activities and quickly detect malicious files, effectively improving the threat detection rate.
Easy Security Management
⚫ Rapidly deploys security policies using scenario-specific templates.
⚫ Complies with the minimum permission control principle and automatically generates policy tuning suggestions based on network traffic and application risks.
⚫ Analyzes the policy matching ratio and discovers redundant and invalid policies so they can be removed, simplifying policy management.
⚫ Supports Huawei SecoManager to achieve unified configuration, management and maintenance of all devices.
High Performance
⚫ Uses the network processing platform, improving forwarding performance significantly.
⚫ Enables pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services.
High Port Density
⚫ The device has multiple types of interfaces, such as 100G, 40G, 10G, and 1G interfaces. Services can be flexibly expanded without extra interface cards.
Note: The interface types supported by different models vary. For details, see the specification table.
Deployment
External Threat Prevention
⚫ Coming along with abundant Internet resources are threats such as DDoS attacks, malicious intrusions, and viruses.
⚫ The capabilities of supporting large numbers of concurrent connections and new connections per second help to combat the numerous DDoS attacks. Empowered by advanced IPS and antivirus technologies as well as a vulnerability-based and real-time updated signature database, the Eudemon1000E-F series implements near-zero false positives and negatives and a detection ratio higher than 99%; it defends against diversified threats from the Internet and ensures the security of the intranet.
Network Isolation and VPN Interconnection
⚫ Network areas are not clearly divided, access control is insufficient, and the data transmitted between mobile employees or branches and the headquarters is likely to be intercepted or tampered with.
⚫ Delivers high throughput to avoid bottlenecks at network borders, supports security zones to clearly divide networks, offers flexible packet filtering policies to accurately control communication, and encapsulates and checks packets of VPN users to ensure the security of data communication.
[Deployment figures: Hacker / Malware / Internet / Eudemon / Data center; Branch / Internet / Headquarters / User / IPSec VPN / SSL VPN / Eudemon]
Hardware
[Product pictures: Eudemon1000E-F15/F25; Eudemon1000E-F35/F55/F85; Eudemon1000E-F125; Eudemon1000E-F205]
Software Features
| Feature | Description |
| Integrated protection | Integrates firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, anti-DDoS, URL filtering, and anti-spam functions. Provides a global configuration view, and manages policies in a unified manner. |
| Application identification and control | Identifies over 6000 applications and supports access control granularity down to application functions. The firewall combines application identification with intrusion detection, antivirus, and data filtering, improving detection performance and accuracy. |
| Intrusion prevention and web protection | Accurately detects and defends against vulnerability-specific attacks based on up-to-date threat information. The firewall can defend against web-specific attacks, including SQL injection and XSS attacks. |
| Antivirus | Supports an intelligent antivirus engine that helps detect hundreds of millions of virus variants. |
| Bandwidth management | Manages per-user and per-IP bandwidth in addition to identifying service applications, to ensure the network access experience of key services and users. Control methods include limiting the maximum bandwidth, ensuring the minimum bandwidth, and changing application forwarding priorities. |
| URL filtering | Supports remote query for URL categories. The URL category database contains over 140 million URL categories. URL category query servers are deployed globally to offer high-speed, low-latency category query services and meet the regulatory requirements of different countries and regions. URL category filtering can implement URL access control for users or groups based on information such as users or groups, time ranges, and security zones, accurately managing users' online behaviors. |
| Intelligent uplink selection | Supports service-specific PBR and intelligent uplink selection based on multiple load balancing algorithms (for example, based on bandwidth ratio and link health status) in multi-egress scenarios. |
| VPN encryption | Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, and GRE, as well as multiple encryption algorithms, such as DES, 3DES, AES, and SHA. |
| Anti-DDoS | Defends against more than 10 types of common DDoS attacks, including SYN flood and UDP flood attacks. |
| Security virtualization | Supports virtualization of multiple types of security services, including firewall, intrusion prevention, antivirus, and VPN. Users can separately conduct personal management on the same physical device. |
| Security policy management | Controls traffic based on the 5-tuple, security zone, application, and time range, and implements integrated content security detection. Uses predefined templates for common attack defense scenarios to rapidly deploy security policies, reducing learning costs. |
| Diversified reports | Provides visualized and multi-dimensional report display by user, application, content, time, traffic, threat, and URL. |
| Routing | Supports multiple types of routing protocols and features, such as RIP, OSPF, BGP, IS-IS, RIPng, OSPFv3, BGP4+, and IPv6 IS-IS. |
| Deployment and reliability | Supports transparent, routing, and hybrid working modes and high availability (HA), including the Active/Active and Active/Standby modes. |
Specification
| Performance and Capability | Eudemon1000E-F15 | Eudemon1000E-F25 |
| IPv4 Firewall Throughput¹ (1518/512/64-byte, UDP) | 15/15/15 Gbit/s | 25/25/25 Gbit/s |
| IPv6 Firewall Throughput¹ (1518/512/84-byte, UDP) | 15/15/15 Gbit/s | 25/25/25 Gbit/s |
| Firewall Throughput (packets per second) | 22.5 Mpps | 37.5 Mpps |
| Firewall Latency (64-byte, UDP) | 18 µs | 18 µs |
| FW + SA* Throughput² | 8 Gbps | 12 Gbps |
| NGFW Throughput³ | 6 Gbps | 10 Gbps |
| NGFW Throughput (Enterprise Mix)⁴ | 4.6 Gbps | 4.6 Gbps |
| Threat Protection Throughput (Enterprise Mix)⁵ | 4 Gbps | 4 Gbps |
| Concurrent Sessions (HTTP 1.1)¹ | 10,000,000 | 10,000,000 |
| New Sessions/Second (HTTP 1.1)¹ | 250,000 | 250,000 |
| IPSec VPN Throughput¹ (AES-256 + SHA256, 1420-byte) | 10 Gbit/s | 15 Gbit/s |
| Maximum IPSec VPN Tunnels (GW to GW) | 15,000 | 15,000 |
| Maximum IPSec VPN Tunnels (Client to GW) | 15,000 | 15,000 |
| SSL VPN Throughput⁶ | 1 Gbit/s | 1.5 Gbit/s |
| Concurrent SSL VPN Users (Default/Maximum) | 100/2000 | 100/2000 |
| Security Policies (Maximum) | 40,000 | 40,000 |
| Virtual Firewalls | 1000 | 1000 |
| URL Filtering: Categories | More than 130 | More than 130 |
| URL Filtering: URLs | Can access a database of over 120 million URLs in the cloud | same |
| Automated Threat Feed and IPS Signature Updates | Yes, an industry-leading security center from Huawei (/sec/web/index.do) | same |
| Centralized Management | Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManager | same |
| VLANs (Max) | 4094 | 4094 |
| VLANIF Interfaces (Max) | 1000 | 1000 |
| High Availability Configurations | Active/Active, Active/Standby | Active/Active, Active/Standby |
Notes:
1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments.
2. SA performance is measured using 100 KB HTTP files.
3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.
4. NGFW throughput (Enterprise Mix) is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.
5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.
6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
*SA: Service Awareness.
| Hardware Specification | Eudemon1000E-F15 | Eudemon1000E-F25 |
| Dimensions (H x W x D) mm | 43.6 x 442 x 420 | 43.6 x 442 x 420 |
| Form Factor/Height | 1U | 1U |
| Fixed Interfaces | 8*GE COMBO + 4*GE(RJ45) + 4*GE(SFP) + 6*10GE(SFP+) | same |
| USB Port | 1 x USB 3.0 port | 1 x USB 3.0 port |
| Weight (Empty Configuration) | 6.3 kg | 6.3 kg |
| Local Storage | Optional, 1 x 2.5 inch 240G SSD, or 1 x 2.5 inch 1TB HDD | same |
| Maximum Power Consumption | 222 W | 222 W |
| Power Supply | AC: 100 V to 240 V, 50/60 Hz; DC: -48 V to 60 V | same |
| Power Supplies | Dual AC or dual DC power supplies | same |
| Operating Environment (Temperature/Humidity) | Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD). Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing | same |
| Non-operating Environment | Temperature: –40°C to +70°C. Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing | same |
| Operating Altitude (Maximum) | 5,000 meters (without optional HDD); 3,000 meters (with optional HDD) | same |
| Non-operating Altitude (Maximum) | 5,000 meters (without optional HDD); 3,000 meters (with optional HDD) | same |
| Noise | Maximum value < 72 dBA | same |
Specification
| Performance and Capability | Eudemon1000E-F35 | Eudemon1000E-F55 | Eudemon1000E-F85 |
| IPv4 Firewall Throughput¹ (1518/512/64-byte, UDP) | 35/35/35 Gbit/s | 50/50/40 Gbit/s | 80/80/40 Gbit/s |
| IPv6 Firewall Throughput¹ (1518/512/84-byte, UDP) | 35/35/25 Gbit/s | 50/50/25 Gbit/s | 80/80/25 Gbit/s |
| Firewall Throughput (packets per second) | 52.5 Mpps | 60 Mpps | 60 Mpps |
| Firewall Latency (64-byte, UDP) | 18 µs | 18 µs | 18 µs |
| FW + SA* Throughput² | 18 Gbps | 25 Gbps | 25 Gbps |
| NGFW Throughput³ | 12 Gbps | 18 Gbps | 18 Gbps |
| NGFW Throughput (Enterprise Mix)⁴ | 8 Gbps | 8 Gbps | 8 Gbps |
| Threat Protection Throughput (Enterprise Mix)⁵ | 7 Gbps | 7 Gbps | 7 Gbps |
| Concurrent Sessions (HTTP 1.1)¹ | 20,000,000 | 20,000,000 | 25,000,000 |
| New Sessions/Second (HTTP 1.1)¹ | 500,000 | 500,000 | 750,000 |
| IPSec VPN Throughput¹ (AES-256 + SHA256, 1420-byte) | 20 Gbit/s | 30 Gbit/s | 30 Gbit/s |
| Maximum IPSec VPN Tunnels (GW to GW) | 20000 | 20000 | 20000 |
| Maximum IPSec VPN Tunnels (Client to GW) | 20000 | 20000 | 20000 |
| SSL VPN Throughput⁶ | 3 Gbit/s | 3 Gbit/s | 5 Gbit/s |
| Concurrent SSL VPN Users (Default/Maximum) | 5000 | 5000 | 100/5000 |
| Security Policies (Maximum) | 60,000 | 60,000 | 60000 |
| Virtual Firewalls | 1000 | 1000 | 1000 |
| URL Filtering: Categories | More than 130 | same | same |
| URL Filtering: URLs | Can access a database of over 120 million URLs in the cloud | same | same |
| Automated Threat Feed and IPS Signature Updates | Yes, an industry-leading security center from Huawei (/sec/web/index.do) | same | same |
| Centralized Management | Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManager | same | same |
| VLANs (Max) | 4094 | 4094 | 4094 |
| VLANIF Interfaces (Max) | 1000 | 1000 | 1000 |
| High Availability Configurations | Active/Active, Active/Standby | same | same |
| Hardware Specification | Eudemon1000E-F35 | Eudemon1000E-F55 | Eudemon1000E-F85 |
| Dimensions (H x W x D) mm | 43.6 x 442 x 420 | same | same |
| Form Factor/Height | 1U | 1U | 1U |
| Fixed Interfaces | 8*GE COMBO + 4*GE(RJ45) + 10*10GE(SFP+) | same | same |
| USB Port | 1 x USB 3.0 port | same | same |
| Weight (Empty Configuration) | 7.3 kg | 7.3 kg | 7.3 kg |
| Local Storage | Optional, 1 x 2.5 inch 240G SSD, or 1 x 2.5 inch 1TB HDD | same | same |
| Maximum Power Consumption | 242 W | 242 W | 242 W |
| Power Supply | AC: 100 V to 240 V, 50/60 Hz; DC: -48 V to 60 V | same | same |
| Power Supplies | Dual AC or dual DC power supplies | same | same |
| Operating Environment (Temperature/Humidity) | Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD). Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing | same | same |
| Non-operating Environment | Temperature: –40°C to +70°C. Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing | same | same |
| Operating Altitude (Maximum) | 5,000 meters (without optional HDD); 3,000 meters (with optional HDD) | same | same |
| Non-operating Altitude (Maximum) | 5,000 meters (without optional HDD); 3,000 meters (with optional HDD) | same | same |
| Noise | Maximum value < 72 dBA | same | same |
Notes:
1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments.
2. SA performance is measured using 100 KB HTTP files.
3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.
4. NGFW throughput (Enterprise Mix) is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.
5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.
6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
*SA: Service Awareness.
Specification
| Performance and Capability | Eudemon1000E-F125 | Eudemon1000E-F205 |
| IPv4 Firewall Throughput¹ (1518/512/64-byte, UDP) | 160/160/80 Gbit/s | 240/240/120 Gbit/s |
| IPv6 Firewall Throughput¹ (1518/512/84-byte, UDP) | 160/120/50 Gbit/s | 240/200/75 Gbit/s |
| Firewall Throughput (packets per second) | 120 Mpps | 180 Mpps |
| Firewall Latency (64-byte, UDP) | 35 µs | 35 µs |
| FW + SA* Throughput² | 50 Gbps | 75 Gbps |
| NGFW Throughput³ | 36 Gbps | 54 Gbps |
| NGFW Throughput (Enterprise Mix)⁴ | 16 Gbps | 24 Gbps |
| Threat Protection Throughput (Enterprise Mix)⁵ | 14 Gbps | 21 Gbps |
| Concurrent Sessions (HTTP 1.1)¹ | 50,000,000 | 75,000,000 |
| New Sessions/Second (HTTP 1.1)¹ | 1,500,000 | 2,250,000 |
| IPSec VPN Throughput¹ (AES-256 + SHA256, 1420-byte) | 45 Gbit/s | 65 Gbit/s |
| Maximum IPSec VPN Tunnels (GW to GW) | 40000 | 60000 |
| Maximum IPSec VPN Tunnels (Client to GW) | 40000 | 60000 |
| SSL VPN Throughput⁶ | 10 Gbit/s | 12 Gbit/s |
| Concurrent SSL VPN Users (Default/Maximum) | 100/10000 | 100/15000 |
| Security Policies (Maximum) | 60000 | 60000 |
| Virtual Firewalls | 1000 | 1000 |
| URL Filtering: Categories | More than 130 | More than 130 |
| URL Filtering: URLs | Can access a database of over 120 million URLs in the cloud | same |
| Automated Threat Feed and IPS Signature Updates | Yes, an industry-leading security center from Huawei (/sec/web/index.do) | same |
| Centralized Management | Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManager | same |
| VLANs (Max) | 4094 | 4094 |
| VLANIF Interfaces (Max) | 1000 | 1000 |
| High Availability Configurations | Active/Active, Active/Standby | Active/Active, Active/Standby |
Notes:
1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments.
2. SA performance is measured using 100 KB HTTP files.
3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.
4. NGFW throughput (Enterprise Mix) is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.
5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.
6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
*SA: Service Awareness.
| Hardware Specification | Eudemon1000E-F125 | Eudemon1000E-F205 |
| Dimensions (H x W x D) mm | 43.6 x 442 x 600 | 43.6 x 442 x 600 |
| Form Factor/Height | 1U | 1U |
| Fixed Interfaces | 2*100GE(QSFP28) + 2*40G(QSFP+) + 8*25GE(ZSFP+) + 20*GE(SFP+)¹ | 4*100GE(QSFP28) + 16*25GE(ZSFP+) + 8*GE(SFP+)² |
| USB Port | 1 x USB 3.0 port | 1 x USB 3.0 port |
| Weight (Empty Configuration) | 6.3 kg | 6.3 kg |
| Local Storage | Optional, 1 x 2.5 inch 240G SSD, or 1 x 2.5 inch 1TB HDD | same |
| Maximum Power Consumption | 222 W | 222 W |
| Power Supply | AC: 100 V to 240 V, 50/60 Hz; DC: -48 V to 60 V | same |
| Power Supplies | Dual AC or dual DC power supplies | same |
| Operating Environment (Temperature/Humidity) | Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD). Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing | same |
| Non-operating Environment | Temperature: –40°C to +70°C. Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing | same |
| Operating Altitude (Maximum) | 5,000 meters (without optional HDD); 3,000 meters (with optional HDD) | same |
| Non-operating Altitude (Maximum) | 5,000 meters (without optional HDD); 3,000 meters (with optional HDD) | same |
| Noise | Maximum value < 72 dBA | same |
Notes:
1. Some 100GE interfaces and 25GE interfaces of the Eudemon1000E-F125 are mutually exclusive.
2. Some 100GE interfaces and 25GE interfaces of the Eudemon1000E-F205 are mutually exclusive.
Order Information
| Product | Description |
| Eudemon1000E-F15-AC | Eudemon1000E-F15 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) |
| Eudemon1000E-F15-DC | Eudemon1000E-F15 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) |
| Eudemon1000E-F25-AC | Eudemon1000E-F25 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) |
| Eudemon1000E-F25-DC | Eudemon1000E-F25 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) |
| Eudemon1000E-F35-AC | Eudemon1000E-F35 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supplies) |
| Eudemon1000E-F35-DC | Eudemon1000E-F35 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supplies) |
| Eudemon1000E-F55-AC | Eudemon1000E-F55 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supplies) |
| Eudemon1000E-F55-DC | Eudemon1000E-F55 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supplies) |
| Eudemon1000E-F85-AC | Eudemon1000E-F85 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supplies) |
| Eudemon1000E-F85-DC | Eudemon1000E-F85 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supplies) |
| Eudemon1000E-F125-AC | Eudemon1000E-F125 AC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 AC power supplies) |
| Eudemon1000E-F125-DC | Eudemon1000E-F125 DC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 DC power supplies) |
| Eudemon1000E-F205-AC | Eudemon1000E-F205 AC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 AC power supplies) |
| Eudemon1000E-F205-DC | Eudemon1000E-F205 DC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 DC power supplies) |
SSL VPN License
| LIC-E1KF-SSLVPN-100 | Quantity of SSL VPN Concurrent Users (100 Users) |
| LIC-E1KF-SSLVPN-200 | Quantity of SSL VPN Concurrent Users (200 Users) |
| LIC-E1KF-SSLVPN-500 | Quantity of SSL VPN Concurrent Users (500 Users) |
| LIC-E1KF-SSLVPN-1000 | Quantity of SSL VPN Concurrent Users (1000 Users) |
| LIC-E1KF-SSLVPN-2000 | Quantity of SSL VPN 
Concurrent Users(2000 Users)LIC-E1KF-SSLVPN-5000Quantity of SSL VPN Concurrent Users(5000 Users)VSYS LicenseLIC-E1KF--VSYS-10Quantity of Virtual Firewall (10 Vsys)LIC-E1KF--VSYS-20Quantity of Virtual Firewall (20 Vsys)LIC-E1KF--VSYS-50Quantity of Virtual Firewall (50 Vsys)LIC-E1KF--VSYS-100Quantity of Virtual Firewall (100 Vsys)LIC-E1KF--VSYS-200Quantity of Virtual Firewall (200 Vsys)LIC-E1KF--VSYS-500Quantity of Virtual Firewall (500 Vsys)LIC-E1KF--VSYS-1000Quantity of Virtual Firewall (1000 Vsys)Threat Protection LicenseLIC-E1KE-Fxx-IPS-1YIPS Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-IPS-3YIPS Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-AV-1YAV Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-AV-3YAV Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-URL-1YURL Remote Query Service Subscribe 12MonthsLIC-E1KE-Fxx-URL-3YURL Remote Query Service Subscribe 36MonthsLIC-E1KE-Fxx-TP-1Y-OVSThreat Protection Subscription 12 MonthsLIC-E1KE-Fxx-TP-3Y-OVSThreat Protection Subscription 36 MonthsLIC-E1KE-F-CONTENTContent Security Group FunctionAbout This PublicationThis publication is for reference only and shall not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.For more information, visit /en/products/enterprise-networking/security. Copyright©2021 Huawei Technologies Co., Ltd. All rights reserved.Huawei Technologies Co., Ltd.Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129, People's Republic of ChinaWebsite: Tel: 4008302118Page 7。
Huawei Eudemon1000E-N Next-Generation Firewall

With the continuous development of Internet technology, smartphones, iPads and other terminals are increasingly used for office work, and mobile applications, Web 2.0 and social networking have entered every aspect of production and daily life.
Network boundaries have become blurred and information security problems increasingly complex.
Traditional security gateways can usually protect only by IP address and port, and struggle to cope fully with the endless stream of application and Web threats.
The Eudemon1000E-N series is a next-generation firewall product developed in-house by Huawei to address the network security problems of carriers, enterprises, governments, data centers and other organizations.
Built on an industry-leading software and hardware architecture, it comprehensively senses applications, users, threats, time and location, mapping the network environment clearly onto the business environment.
On the basis of application identification it provides precise control, integrating industry-leading professional security technologies such as IPS attack protection, AV antivirus, URL filtering, Web content filtering, anti-spam and mail filtering, and it supports IPv6 protection and transition technologies, giving users powerful, scalable and sustained security capabilities.
It is widely used in carriers, government, finance, electric power, petroleum, education, industrial manufacturing and other industries.
The next-generation firewall parses enterprise business traffic across multiple dimensions, such as application (Application), time (Time) and user, and combines these dimensions with behaviour identification and other techniques to accurately identify more than 6000 network applications.
• User: through 8 user identification methods, including RADIUS, LDAP and AD, the IP addresses seen in traffic are linked to real-world user identities.
Network traffic is then controlled on a per-user basis.
• Threat: supports attack detection and prevention with more than 5000 signatures.
Supports identification of and protection against Web attacks such as cross-site scripting and SQL injection.
Can identify and defend against more than 10 kinds of DDoS attacks, such as SYN flood and UDP flood, and identifies more than 5 million viruses.
Uses cloud-based URL category filtering; the predefined URL category database already exceeds 85 million entries, blocking the threats that come with access to malicious websites.
• Location: combined with global location information, identifies where traffic and threats originate; traffic maps and threat maps quickly reveal anomalies so that corresponding protection policies can be formulated.
Supports user-defined locations by IP address.
It is precisely because of the ACTUAL comprehensive awareness system that the Eudemon1000E-N series next-generation firewall can accurately identify what is hidden within applications.
[Figure: main next-generation firewall management concerns reported by enterprises: verifying that application-based policies are enforced correctly, how to maintain threat prevention policies, how to optimize firewall policies (39%, 37%, 36%). Source: Osterman Research survey of 209 enterprises on next-generation firewall management]
Management of a traditional security gateway relies entirely on the operator's experience and effort.
Compared with a traditional security gateway, the biggest advantage of a next-generation firewall is fine-grained control of applications and further in-depth protection of those applications.
On a next-generation firewall, using five-tuple policies alone brings no additional security.
Therefore, to make full use of a next-generation firewall, better security management than for a traditional security gateway is required.
However, managing a next-generation firewall well is not easy.
Whichever vendor's next-generation firewall product is used, the number of network applications it recognizes runs into the thousands.
Making full use of an NGFW demands more skills and more work from security administrators, which means a higher total cost.
The Eudemon1000E-N series next-generation firewall solves the NGFW management problem with its Smart Policy technology.
First, the Eudemon1000E-N provides a set of policy templates for typical usage scenarios so that application protection policies can be deployed quickly.
For example, if a network storage service is to be used, the administrator only needs to start from the "use cloud drive" policy template to create the whole set of policies.
In these policies, downloads from cloud-drive applications are permitted and scanned for viruses, while file uploads are forbidden.
Second, the Eudemon1000E-N optimizes existing security policies according to observed network traffic, making them more accurate and more effective.
This is particularly useful when a large number of legacy port-based protection policies must be converted into the application-based protection policies an NGFW uses.
Third, the Eudemon1000E-N quickly detects duplicate policies and policies that have not been used for a long time, shrinking the policy set and simplifying management. Through these three kinds of optimization, the Eudemon1000E-N greatly increases the degree of automation in policy management and lowers NGFW maintenance costs.
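The three policy-hygiene problems named above (duplicate rules, rules that can never match because an earlier rule already covers them, and rules that have gone unused) can be checked offline against an exported rule set. The following is an added example written for this page, not Huawei code and not how Smart Policy is implemented; it assumes a simplified rule model (zone pair, CIDR, protocol, port range, optional identified application, exported hit counter and last-hit time) and a constructed sample rule set. The application-based "block-p2p" rule illustrates the earlier point that a five-tuple alone cannot express NGFW intent.

```python
"""Static checks on a firewall policy set: duplicate, shadowed and unused rules.

Added example, not Huawei code. A rule is a zone pair plus address/protocol/port
match fields and an optional identified application, with the hit counter and
last-hit time a firewall typically exports. The rule set below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: Optional[str] = None                 # CIDR; None = any
    dst: Optional[str] = None
    proto: Optional[str] = None               # "tcp" / "udp"; None = any
    dport: Optional[Tuple[int, int]] = None   # inclusive port range; None = any
    app: Optional[str] = None                 # identified application; None = any
    action: str = "permit"
    hits: int = 0                             # hit counter exported by the firewall
    last_hit: Optional[datetime] = None


def _net_covers(a: Optional[str], b: Optional[str]) -> bool:
    if a is None:
        return True
    if b is None:
        return False
    na, nb = ip_network(a), ip_network(b)
    return na.version == nb.version and nb.subnet_of(na)


def _range_covers(a: Optional[Tuple[int, int]], b: Optional[Tuple[int, int]]) -> bool:
    if a is None:
        return True
    if b is None:
        return False
    return a[0] <= b[0] and b[1] <= a[1]


def _field_covers(a, b) -> bool:
    return a is None or a == b


def covers(a: Rule, b: Rule) -> bool:
    """True when every flow matched by b is also matched by a."""
    return (a.src_zone == b.src_zone and a.dst_zone == b.dst_zone
            and _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and _field_covers(a.proto, b.proto)
            and _range_covers(a.dport, b.dport)
            and _field_covers(a.app, b.app))


def find_duplicates(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs of rules with identical match fields and identical action."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action and covers(a, b) and covers(b, a):
                out.append((a.name, b.name))
    return out


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Later rules no flow can reach because an earlier rule covers them
    (same action: redundant; different action: the later intent is silently lost)."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                out.append((later.name, earlier.name))
                break
    return out


def find_unused(rules: List[Rule], now: datetime, idle_days: int = 90) -> List[str]:
    """Rules that never matched or have not matched within idle_days."""
    cutoff = now - timedelta(days=idle_days)
    return [r.name for r in rules
            if r.hits == 0 or r.last_hit is None or r.last_hit < cutoff]


def analyze(rules: List[Rule], now: datetime, idle_days: int = 90) -> Dict[str, list]:
    return {"duplicates": find_duplicates(rules),
            "shadowed": find_shadowed(rules),
            "unused": find_unused(rules, now, idle_days)}


NOW = datetime(2021, 6, 1, 12, 0)   # constructed "current time" for the sample
SAMPLE_RULES = [                    # constructed rule set, first match wins
    Rule("web-out", "trust", "untrust", "10.0.0.0/8", None, "tcp", (443, 443),
         hits=120000, last_hit=NOW - timedelta(hours=1)),
    Rule("web-out-marketing", "trust", "untrust", "10.20.0.0/16", None, "tcp", (443, 443)),
    Rule("dns-out", "trust", "untrust", "10.0.0.0/8", None, "udp", (53, 53),
         hits=5000, last_hit=NOW - timedelta(minutes=5)),
    Rule("dns-out-dup", "trust", "untrust", "10.0.0.0/8", None, "udp", (53, 53)),
    Rule("legacy-ftp", "trust", "dmz", "10.0.0.0/8", "172.16.5.0/24", "tcp", (21, 21),
         hits=12, last_hit=NOW - timedelta(days=200)),
    Rule("block-p2p", "trust", "untrust", app="BitTorrent", action="deny",
         hits=300, last_hit=NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_RULES, NOW).items():
        print(f"{kind}: {found}")
```

Each finding is input for a human review rather than an automatic deletion: a rule that has gone 90 days without a hit may protect a quarterly process, and a shadowed rule with a different action from the one covering it usually means the earlier, broader rule is the one that needs tightening.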
Top Performance

Today network attacks have become an industry: attackers mount organized, premeditated campaigns for financial gain, and in-depth application protection such as application-layer access control and intrusion prevention is no longer optional.
UTM products suffer a marked performance drop once application-layer protection is enabled and cannot meet today's performance requirements for application-layer protection.
The Eudemon1000E-N series next-generation firewall uses a newly architected Intelligence Awareness Engine (IAE), built around a parse-once, multi-service parallel-processing design.
IAE is built on three core technologies: UNIFIED DL, UNIFIED Scan and UNIFIED PM.

Typical Application Scenarios

Border Protection for Large and Medium-Sized Enterprises
As the egress gateway of a large or medium-sized enterprise, the Eudemon1000E-N is typically deployed as shown in the figure:
• Divide the employee network, the company server network and the external network into different security zones, and inspect and protect the traffic between those zones.
• Enable the content security functions appropriate to the types of network service the company provides externally.
For example, enable antivirus and intrusion prevention for all servers.
• For internal employees accessing external networks, enable URL filtering, antivirus and similar functions, which both protect internal hosts from external threats and prevent leakage of confidential company information, improving the security of the enterprise network.
• Establish VPN tunnels between the Eudemon1000E-N and travelling employees and branch offices, so that company business data is protected by the VPN as it crosses the Internet.
• Enable DDoS defense to withstand high-volume attacks from external hosts against internal servers, keeping the business running normally.
• Deploy bandwidth policies on traffic between the internal and external networks to control bandwidth and connection counts, avoiding network congestion and also assisting DDoS defense.
• Deploy the eSight network management system (purchased separately) to record logs of network operation.
Log information helps administrators adjust configuration and identify risks.
• Deploy in hot-standby (active/standby) pairs to improve system reliability.
When one unit fails, business traffic is switched smoothly from the active unit to the standby unit so that the enterprise business runs without interruption.
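The bandwidth-policy bullet above mentions limiting connection counts as a congestion control that also helps against DDoS. The following is an added example, not Huawei code and not the Eudemon1000E-N's own algorithm: a per-source limiter that caps new sessions per second (a sliding 1-second window) and concurrent open sessions, replayed over a constructed session-event trace. The limit values in SAMPLE_LIMITS and the three source addresses are illustrative placeholders, not vendor defaults.

```python
"""Per-source session limiting as used in a bandwidth/connection policy.

Added example, not Huawei code: a sliding-window limiter that caps new sessions
per second and concurrent sessions for each source address, replayed over a
constructed session-event trace. Limit values are illustrative placeholders.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Limits:
    max_new_per_sec: int   # new sessions one source may open per second
    max_concurrent: int    # sessions one source may hold open at once


class ConnLimiter:
    """Per-source 1-second window of accepted opens plus a live open-session count."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.active: Dict[str, int] = defaultdict(int)

    def open(self, ts: float, src: str) -> str:
        window = self.recent[src]
        while window and ts - window[0] >= 1.0:        # expire opens older than 1 s
            window.popleft()
        if len(window) >= self.limits.max_new_per_sec:
            return "drop:rate"                          # burst of new sessions
        if self.active[src] >= self.limits.max_concurrent:
            return "drop:concurrent"                    # slow session exhaustion
        window.append(ts)
        self.active[src] += 1
        return "accept"

    def close(self, src: str) -> None:
        if self.active[src] > 0:
            self.active[src] -= 1


Event = Tuple[float, str, str]   # (timestamp in seconds, "open" or "close", source IP)


def replay(events: List[Event], limits: Limits) -> Dict[str, Dict[str, int]]:
    """Replay a trace in time order and return per-source verdict counts."""
    limiter = ConnLimiter(limits)
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, kind, src in sorted(events, key=lambda e: e[0]):
        if kind == "open":
            summary[src][limiter.open(ts, src)] += 1
        else:
            limiter.close(src)
    return {src: dict(counts) for src, counts in summary.items()}


def sample_events() -> List[Event]:
    """Constructed trace: a normal client, a burst source and a slow exhauster."""
    ev: List[Event] = []
    # 10.1.1.5: three sessions over three seconds, one closed in between
    ev += [(0.0, "open", "10.1.1.5"), (1.0, "open", "10.1.1.5"),
           (1.5, "close", "10.1.1.5"), (2.0, "open", "10.1.1.5")]
    # 203.0.113.9: 50 opens inside half a second
    ev += [(100.0 + i * 0.01, "open", "203.0.113.9") for i in range(50)]
    # 198.51.100.7: 150 opens at 10 per second, never closed
    ev += [(200.0 + i * 0.1, "open", "198.51.100.7") for i in range(150)]
    return ev


SAMPLE_LIMITS = Limits(max_new_per_sec=20, max_concurrent=100)   # placeholder values

if __name__ == "__main__":
    for src, verdicts in replay(sample_events(), SAMPLE_LIMITS).items():
        print(src, verdicts)
```

The two limits catch different behaviours: the rate cap stops a burst source after its twentieth open in a second, while the concurrency cap stops a source that stays under the rate limit but never closes anything. Per-source limits protect the server pool behind the gateway, not the gateway's own session table, so they complement rather than replace the DDoS defense bullet above.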
[Figure: typical deployment for border protection of large and medium-sized enterprises]

Intranet Control and Security Isolation
As the internal network boundary of a large or medium-sized enterprise, the Eudemon1000E-N is typically deployed as shown in the figure:
• Deploy one or more Eudemon1000E-N units inside the intranet as border gateways between the different internal networks, isolating them from one another.
• Build a user management system and apply user-based access control to intranet hosts.
• Networks with the same security level are placed in the same security zone and only a few security functions are deployed; for example, "R&D Department 1" and "R&D Department 2" both belong to the Research security zone, yet traffic between them can still be subjected to simple packet filtering, blacklists and whitelists, antivirus and the like.
• Networks with different security levels are placed in different security zones and different security functions are deployed according to business needs; for example, only some R&D hosts are allowed to access specified Marketing hosts, and antivirus and other functions are applied between Research and Marketing, Production and Server.
Data Center Border Protection
A data center (Internet Data Center, IDC) is a complete set of facilities and related maintenance services provided over the Internet.
As the border gateway of a data center, the Eudemon1000E-N is typically deployed as shown in Figure 2-3:
• Enable traffic statistics to collect long-term statistics by IP address, user and application, helping to formulate security policies.
• Rate-limit by IP address and application so that servers run stably and the network egress does not become congested and degrade network services.
• Enable intrusion prevention and antivirus to protect servers from intrusion and from worms, Trojans and other malware.
• Enable DDoS and other attack defense functions so that servers are not paralysed by attacks from external networks.
• Deploy the eSight network management system (purchased separately) to record logs of network operation.
Log information helps administrators adjust configuration, identify risks and inspect traffic.
• Deploy in hot-standby pairs to improve system reliability.
When one unit fails, business traffic is switched smoothly to the standby unit so that server business runs without interruption.
[Figure: typical deployment for intranet control and security isolation (legend: inter-zone traffic, intra-zone traffic)]
[Figure: typical deployment for data center border protection]
Further measures for the intranet control scenario:
• Apply bandwidth policies between the zones to control bandwidth and connection counts and avoid congestion inside the intranet.
• Apply intrusion prevention, antivirus, URL filtering and similar functions between each internal zone and the external network.
VPN Remote Access and Mobile Office
As the enterprise VPN access gateway, the Eudemon1000E-N is typically deployed as shown in Figure 2-4:
• For branch offices and partners with fixed VPN gateways, use IPSec or L2TP over IPSec to establish static, permanent tunnels.
When access-account authentication is required, L2TP over IPSec is recommended.
• For travelling employees without fixed addresses, use SSL VPN: no VPN client needs to be installed, and a tunnel to headquarters can be established with nothing more than a web browser, which is convenient and fast.
The resources that travelling employees may access can also be controlled at fine granularity.
• Within these tunnels, network data is protected by IPSec or SSL encryption.
• Users who connect through VPN tunnels are authenticated on access to ensure that they are legitimate.
Access is then authorized according to the user's permissions.
• Deploy intrusion prevention, antivirus and DDoS attack defense to keep network threats from entering company headquarters through the tunnels of remote-access users, and to prevent leakage of confidential information.
Cloud Computing Gateway
Cloud computing is an emerging model of network service delivery that depends on a series of supporting technologies.
The Eudemon1000E-N can act as the cloud computing gateway in a cloud deployment.
Cloud computing is applied in many ways; in the most typical, a network service provider supplies hardware resources and computing power, and users need only a terminal connected to the cloud over the network to operate the resources they keep in the cloud as if on a home computer.
The core of cloud computing is using server clusters to provide large numbers of users with mutually independent yet complete network services, which involves a range of virtualization technologies.
As a cloud computing gateway, the Eudemon1000E-N is typically deployed as shown in Figure 2-5. In this scenario the Eudemon1000E-N plays the role of the cloud computing gateway.
Using the virtual system function, one physical device can be divided into multiple mutually independent logical devices.
Each logical device has its own interfaces, system resources and configuration file and forwards traffic and enforces security on its own, which is why it is called a virtual system.
Virtual systems are logically isolated from one another, so from the point of view of each cloud terminal it has a dedicated firewall of its own.
At the same time, because these virtual systems share one physical device, forwarding between virtual systems is very efficient.
So in this scenario the Eudemon1000E-N is mainly responsible for fast data exchange between virtual servers and for network security protection as cloud terminals communicate with cloud servers, providing a value-added security service for the cloud computing solution.