H3C SecPath UTM series Overview
Date: Nov. 2008
sunsonger@h3c.com
Hangzhou H3C Technologies Co., Ltd.
www.h3c.com

Agenda
- UTM Series Overview
- Multiple Features
- Competitor analysis
- Success Stories

Slide 2: H3C Oversea Security Product Portfolio

SecPath IPS series: T200-M (up to 200Mbps), T200-A (up to 400Mbps), T1000-S (up to 600Mbps), T1000-M (up to 800Mbps), T1000-A (up to 1200Mbps), T5000-S3 (3Gbps, developing).
  Vs. Cisco: IPS4215, IPS4240/4255, IPS4260/4270.

SecPath UTM series: U200-S (FW up to 200Mbps, AV/IPS 30Mbps), U200-M (FW up to 400Mbps, AV/IPS 60Mbps), U200-A (FW up to 600Mbps, AV/IPS 100Mbps), U2000-S (FW up to 2Gbps), U2000-A (FW up to 4Gbps).
  Vs. Cisco: ASA5510, ASA5520, ASA5540.
  Vs. Juniper: SSG5/20/140, SSG320/350, SSG520/550.

SecPath Firewall series: F100-C (up to 60Mbps), F100-A (up to 200Mbps), F1000-S (up to 1Gbps), F1000-A (up to 1.5Gbps), F1000-E (up to 6Gbps), F5000-A5 (40Gbps).
  Vs. Cisco: ASA5505, ASA5550, ASA5580-20/40.
  Vs. Juniper: NS5/20/50, NS204/208/500, NS5200/NS5400.

SecBlade series: SecBlade FW (on 3Com 7900E/8800), SecBlade Netstream (3Com 7900E only), SecBlade Load Balance, SecBlade SSL VPN; all based on the 3Com 7900E/8800.
  Vs. Cisco: FWSM, WEB VPN module, CSM.

Slide 3: H3C SecPath UTM Series overview

Product Name             Description
H3C SecPath UTM 200-A    Interfaces: fixed 6GE WAN ports; 2 expansion slots for the 4GE SFP LAN switch card. FW throughput: 600Mbps; 3DES VPN: 400Mbps.
H3C SecPath UTM 200-M    Interfaces: fixed 6GE WAN ports; 1 expansion slot for the 4GE SFP LAN switch card. FW throughput: 400Mbps; 3DES VPN: 200Mbps.
H3C SecPath UTM 200-S    Interfaces: fixed 5GE WAN ports; 1 expansion slot for the 4GE SFP LAN switch card. FW throughput: 200Mbps; 3DES VPN: 100Mbps.

Slide 4: Agenda (section divider: Multiple Features)

Slide 5: Key Features: SecPath UTM Overview

- FIREWALL: Traditional firewall security zone technology to provide access control and policy enforcement; supports NAT.
- BANDWIDTH MANAGEMENT: QoS and bandwidth management to improve network performance and provide policy-based traffic shaping.
- Network Feature: Support for next-generation IP networks; supports OSPF/RIP routing, AAA, etc.
- VPN: IPSec VPN to transform the Internet into a secure converged network for multi-site connectivity; supports IPSEC/L2TP/GRE.
- WEB FILTERING: To protect against offensive Web content and enforce acceptable usage policies.
- ANTI-VIRUS: Real-time network protection against widespread and harmful in-the-wild viruses and malware.
- ANTI-SPAM: Increase employee productivity whilst reducing exposure to email-borne threats.
- OTHER: SSL VPN, Wireless, Centralized Management.

Slide 6: Key Features: Firewall technology, ASPF

ASPF (Application Specific Packet Filter)
How it works:
- Monitors the packets of a communication
- Maintains the status of each connection
- Dynamically creates and deletes filter ACLs
Benefits:
- Truly protects your network's security with layer 4-7 filtering technology
Diagram: an Intranet client sends a session request to a server on the Internet through the SecPath Firewall; the firewall monitors the packets of the session and dynamically creates and deletes filter ACLs; the data of the client's session is transferred, while a session request that does not belong to the client is refused.

Slide 7: Key Features: Division of Security Domain

Division of Security Domain: implementing network security policies in zones with different security levels, and controlling accesses.
Diagram: a Firewall with a Trust zone, an Untrust zone and a DMZ zone; an application server sits in the DMZ behind a switch. Interzone rules:
- Communications between the Trust zone and the Untrust zone are prohibited.
- Trust zone -> DMZ zone: accessible to POP3 and SMTP services.
- DMZ zone -> Trust zone: inaccessible to all services.
- Untrust zone -> DMZ zone: accessible to POP3 and SMTP services.
- DMZ zone -> Untrust zone: accessible to all services.

Slide 8: Key Features: IPSec NAT Traversal

Problem:
- A traditional GRE VPN tunnel cannot traverse an IP network after NAT.
- The user must use NAT with only one legal IP address.
How to solve?
- SecPath supports the UDP VPN tunnel technique.
- It can effectively traverse an IP network after NAT.
Diagram: Headquarters SecPath F1000-A (legal IP address) reached over the IP network by a Branch (SecPath U200-S behind NAT) and a Collaborator (SecPath F100-A behind NAT); the traditional GRE VPN tunnel does not pass the NAT, while the UDP VPN tunnel realizes NAT traversal.

Slide 9: Key Features: Attack prevention

Providing multiple built-in attack prevention functions, removing most threats to network security. Outstanding DoS-prevention function!
- Land Prevention
- Smurf Prevention
- Fraggle Prevention
- WinNuke Prevention
- Ping of Death Prevention
- Tear Drop Prevention
- IP Spoofing Prevention
- SYN Flood Prevention
- ICMP Flood Prevention
- UDP Flood Prevention
- ARP Spoofing Prevention
- ARP Automatic Reverse Lookup
- TCP Message Bit Exception Attack Prevention
- Super-large ICMP Message Attack Prevention
- IP Address Scan Prevention
- Port Scan Prevention
Diagram: a hacker in the Untrust zone launches a DoS attack and unauthorized access, both blocked by the security policy; authorized users' access to the Trust zone is accepted by the security policy.

Slide 10: Key Features: Diverse VPN features

Protocols supported: L2TP VPN, GRE VPN, IPSec VPN, SSL VPN (optional, released 2009 Q2 in UTM).
Encryption/authentication algorithms: DES/3DES, AES, MD5, SHA-1.
Identity authentication modes: local authentication; RADIUS/TACACS authentication; PKI/CA authentication.
Diagram: a SecPath F1000-S terminates L2TP VPN, SSL VPN (HTTPS browsing) and IPSec/GRE VPN; a branch office connects with a SecPath U200-S.

Slide 11: Key Features: Content depth identification

Traffic from P2P file sharing is now the largest single traffic over the Internet! (Chart: eDonkey, BT, HTTP. Source: European Tier I ISP, Feb '04.)
- Disabling P2P applications completely
- Enabling P2P bandwidth limit
- Enabling P2P bandwidth limit by time
- Enabling P2P bandwidth limit by user

Slide 12: Key Features: Traffic QoS assurance

SecPath series firewalls can restrict the number of connections and monitor the traffic flow for each session. They also support complete QoS features.
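The ASPF slide (dynamic filter ACLs driven by session state) and the Division of Security Domain slide (interzone rules) describe the two halves of one mechanism: the interzone policy decides whether a new session may be opened, and the session table then admits the reply traffic without a matching policy entry. The following Python model, added here as an illustration and not H3C code or a description of how SecPath implements ASPF internally, puts the five rules from slide 7 into a policy table and lets a session table stand in for the dynamically created and deleted ACLs. The zone subnets, host addresses and port numbers are constructed for the example; the slide names the zones and services but no addresses.

```python
import ipaddress
from dataclasses import dataclass

# Zone addressing constructed for this example (the slide names the zones,
# not their subnets). Longest prefix wins, so 0.0.0.0/0 is the Untrust default.
ZONE_PREFIXES = {
    "trust":   ipaddress.ip_network("10.1.0.0/24"),
    "dmz":     ipaddress.ip_network("10.2.0.0/24"),
    "untrust": ipaddress.ip_network("0.0.0.0/0"),
}

POP3, SMTP = 110, 25
ANY = "any"

# Interzone policy as stated on the "Division of Security Domain" slide.
# A missing (src, dst) pair means the direction is prohibited
# (Trust <-> Untrust, DMZ -> Trust).
INTERZONE_POLICY = {
    ("trust", "dmz"):   {POP3, SMTP},
    ("untrust", "dmz"): {POP3, SMTP},
    ("dmz", "untrust"): ANY,
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN: the segment that opens a session
    fin: bool = False   # TCP FIN: the segment that tears the session down


def zone_of(ip: str) -> str:
    """Map an address to its security zone by longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONE_PREFIXES.items() if addr in net]
    return max(matches)[1]


class ZoneFirewall:
    """ASPF-style filter: the policy judges new sessions, the session table admits replies."""

    def __init__(self):
        self.sessions = set()   # forward 5-tuples of permitted sessions

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def filter(self, p: Packet) -> str:
        fwd = self._key(p)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # 1. Packets of a known session pass in either direction; this is the
        #    "dynamically created filter ACL" of the ASPF slide. A FIN removes
        #    the entry again (the "dynamically deleted" half).
        if fwd in self.sessions or rev in self.sessions:
            if p.fin:
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "permit"
        # 2. Anything else is a new session request and must pass the interzone policy.
        src_zone, dst_zone = zone_of(p.src_ip), zone_of(p.dst_ip)
        if src_zone == dst_zone:
            return "permit"    # intrazone traffic is not mediated by this policy
        allowed = INTERZONE_POLICY.get((src_zone, dst_zone))
        if allowed is None or (allowed != ANY and p.dst_port not in allowed):
            return "deny"
        # 3. Only a genuine session opener (UDP datagram or TCP SYN) creates state;
        #    a stray mid-stream TCP segment with no session behind it is refused.
        if p.proto == "udp" or p.syn:
            self.sessions.add(fwd)
            return "permit"
        return "deny"


def run_demo() -> dict:
    """Walk the slide-7 rules with constructed hosts; returns decision per case."""
    fw = ZoneFirewall()
    client, mailsrv, outside = "10.1.0.20", "10.2.0.5", "203.0.113.9"   # constructed
    r = {}
    r["trust_pop3"] = fw.filter(Packet(client, mailsrv, "tcp", 40000, POP3, syn=True))
    r["pop3_reply"] = fw.filter(Packet(mailsrv, client, "tcp", POP3, 40000))   # session table, not policy
    r["dmz_to_trust"] = fw.filter(Packet(mailsrv, client, "tcp", 4444, 22, syn=True))
    r["trust_to_untrust"] = fw.filter(Packet(client, outside, "tcp", 40001, 80, syn=True))
    r["untrust_smtp"] = fw.filter(Packet(outside, mailsrv, "tcp", 5555, SMTP, syn=True))
    r["untrust_ssh"] = fw.filter(Packet(outside, mailsrv, "tcp", 5556, 22, syn=True))
    r["dmz_out"] = fw.filter(Packet(mailsrv, outside, "tcp", 6000, 443, syn=True))
    # After the POP3 session is torn down, the same server->client tuple is
    # once more an unsolicited DMZ -> Trust request and is refused.
    fw.filter(Packet(client, mailsrv, "tcp", 40000, POP3, fin=True))
    r["after_fin"] = fw.filter(Packet(mailsrv, client, "tcp", POP3, 40000))
    return r


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:18s} {decision}")
```

The point worth noticing is the ordering: the session table is consulted before the policy, which is why the mail server's reply to the Trust client passes even though DMZ -> Trust is prohibited for new sessions, and why that same packet is refused once the session entry has been deleted.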
QoS features: PQ/CQ/WFQ/CBQ, GTS, FIFO, RED/WRED, CAR/LR.
Diagram (QoS processing pipeline): receiving packets -> packet sorting/labeling (ingress ACL on source address, destination address, source port, destination port, protocol type and TOS; CAR with token bucket, discard) -> congestion inspection/avoidance (RED, WRED, SARED; discard) -> enter the queue (Queue0 ... QueueN) -> queue scheduling (FIFO, PQ, CQ, WFQ, CBWFQ) -> traffic shaping (GTS, token bucket) -> egress.

Slide 13: Key Features: High Flexibility & Availability

High Flexibility:
- Route/Transparent mode
- Policy routing and routing policy
- Multicast/Virtual firewall
- Supporting 802.1q, VLAN trunk
- Physical connection such as GE
- Powerful routing capability: Static/RIPv1/2/OSPF/BGP
- Expansion module: 4GE SFP module (first release); OSN module support (developing)

High Availability:
- Active/Standby and Active/Active backup (diagram: Master/Slave pair on the LAN)
- Stateful backup: the session table, forwarding table and configuration are not lost during switchover
- Support for the VRRP feature
- Temperature-sensored fans to auto-adjust the fan speed

Slide 14: Key Features: Content Filter deployment

Cooperating with Secure Computing to provide the top-level URL filter solution. Two query modes: the URL database is located in the enterprise network, or at the H3C DC ghost site.

Mode 1 (the enterprise deploys the URL database to implement the local query):
1. The PC sends the HTTP request.
2. The UTM captures the URL information and matches it against the URL database.
3. The database replies with the URL match result.
4. The UTM permits or drops the URL access and sends the log.

Mode 2 (URL database in the H3C Data Center ghost site):
1. The PC (user area) sends the HTTP request.
2. The UTM captures the URL information and sends it to the H3C DC to match against the database and reply with the result.
3. The UTM permits or drops the URL access and sends the log.

Slide 15: Key Features: Anti-Virus deployment

- Cooperating with Kaspersky SafeStream to provide the anti-virus solution
- Detection of the most dangerous and widespread malware: worms, Trojans, viruses, malware
- Fastest response to the most dangerous viruses, Trojans, worms as well as spyware programs
- Based on real-time virus spreading statistics gathered by Kaspersky Lab
- Regular daily updates and urgent updates in case of malware outbreaks
- H3C virus scan engine based on flow mode
Diagram: Internet -> Kaspersky SafeStream Lab -> H3C UTM. Table 1: the schematic process. Table 2: signature update releasing scheme.

Slide 16: Key Features: Anti-Spam deployment

- Cooperating with Commtouch to provide the top-level anti-spam solution
- SecPath UTM captures the mail information and queries the mail classification from the Commtouch database
- Based on Commtouch RPD technology, SecPath UTM also supports: content filtering based on email title and content keywords; email permit or deny based on white and black lists
- Supports protocol check and filter, RBLs, RFC 822 check and the reverse DNS analysis algorithm

Slide 17: Key Features: Advanced Hardware Platform

- Multi-core CPU platform; every CPU has an independent cache inside
- Flexible expansion of multi-core CPUs to meet increasingly changing security requirements
- Multiple CPUs working together, reducing the risk of future cost growth due to increased network pressure
- Service-depth security protection mechanism to exhibit performance advantages
Chart: SecPath UTM high performance benefits from the multi-core platform (compared with NP architecture, ASIC and X86 system).

Slide 18: Key Features: Centralized Management

All H3C firewall and UTM products can be managed by SecCenter, a management software platform that includes many components sold by software license. It can implement:
- Global network topology collection and display; click a unit to configure it through the web GUI
- Centralized distribution of product configuration files or system application images, remote upgrading, and backup of the configuration file
- Global license file management: centralized distribution of license files to remote units, display of license information
- Weekly AV/URL filter/IPS signature upgrading
- Statistics and analysis of all security events, and output of all kinds of security reports such as the top N attack rank based on source IP or destination IP address

Slide 19: Agenda (section divider: Success Stories)

Slide 20: Success Stories: Application in Government Network
Hangzhou, China Government Network. Topology labels: branches; Internet; SecPath F1000-E; S5600 core switch; IX1000, IX3000 and IV5000 storage with DiskSafe backup software; UDM; CA authentication center; ISP; NGO.

Slide 21: Success Stories: Application in Government Network
VPN backup of Negotiable Securities in Shandong Province. Topology labels: SecPath U200-A at the center; office routers on 2M links and a 155M SDH link; Bargain Department and branches with SecPath U200-S behind ADSL routers; 100M office LAN.

Slide 22: Success Stories: Application in Government Network
Application in Sichuan Banking Regulatory Commission. Topology labels: Banking Regulatory Commission center with application servers, internal network core switch, SecPath T1000 IPS, SecCenter A1000 and SecPath U200-A; core routers 1 and 2 with 155M CPOS links to ISP A and ISP B; E1 access routers with security appliances at the access sites.

Slide 23: Success Stories: Application in Electrical Industries
Application in MENGXI plant of North United Power Corporation. Topology labels: Internet; two U200-A; S9512 and S7506 switches; S3600 access switches.

Slide 24: Success Stories: Application in Financial Network
Xinhua Publish Corporation. Topology labels: core layer with servers, S5516 switches, SecPath F1000-A and S7506R switches; convergence layer with AR4640 routers and SecPath U200-M; intra-city 10M broadband and ADSL/DVPN links; access layer with Branch1 (AR2809 routers, SecPath F1000-A) and Branch2 (AR18 routers).

Slide 25: Success Stories: Application in Enterprise
Application in Ufida Software. Topology labels: China Netcom 100M access.

Slide 26: Success Stories: Application in Enterprise
Application in CCTV International. Topology labels: China Netcom 100M access; internal network; U200-A at the center and at the YANJING Building; routers; SecCenter; servers; EAD.

Slide 27: Thank You
IToIP Solutions Expert
Hangzhou H3C Technologies Co., Ltd.