H3C SecPath UTM series Overview
Date: Nov. 2008
sunsonger@h3c.com
Hangzhou H3C Technologies Co., Ltd.
UTM Series Overview
Multiple Features
Competitor analysis
Success Stories
www.h3c.com
H3C Oversea Security Product Portfolio

SecPath IPS series (vs. Cisco IPS4215, IPS4240/4255, IPS4260/4270):
  T200-M: up to 200Mbps
  T200-A: up to 400Mbps
  T1000-S: up to 600Mbps
  T1000-M: up to 800Mbps
  T1000-A: up to 1200Mbps
  T5000-S3: 3Gbps (developing)

SecPath UTM series (vs. Cisco ASA5510, ASA5520, ASA5540; vs. Juniper SSG5/20/140, SSG320/350, SSG520/550):
  U200-S: FW up to 200Mbps, AV/IPS: 30Mbps
  U200-M: FW up to 400Mbps, AV/IPS: 60Mbps
  U200-A: FW up to 600Mbps, AV/IPS: 100Mbps
  U2000-S: FW up to 2Gbps
  U2000-A: FW up to 4Gbps

SecPath Firewall series (vs. Cisco ASA5505, ASA5550, ASA5580-20/40; vs. Juniper NS5/20/50, NS204/208/500, NS5200/NS5400):
  F100-C: up to 60Mbps
  F100-A: up to 200Mbps
  F1000-S: up to 1Gbps
  F1000-A: up to 1.5Gbps
  F1000-E: up to 6Gbps
  F5000-A5: 40Gbps

SecBlade series (vs. Cisco FWSM, WEB VPN module, CSM):
  SecBlade FW on 3Com 7900E/8800
  SecBlade Netstream only on 3Com 7900E
  SecBlade Load Balance and SecBlade SSL VPN, all based on 3Com 7900E/8800
H3C SecPath UTM Series overview

Product Name            Description
H3C Secpath UTM 200-A   Interfaces: fixed 6GE WAN ports; supports 2 expansion slots: 4GE SFP LAN switch card
                        FW Throughput: 600Mbps, 3DES VPN: 400Mbps
H3C Secpath UTM 200-M   Interfaces: fixed 6GE WAN ports; supports 1 expansion slot: 4GE SFP LAN switch card
                        FW Throughput: 400Mbps, 3DES VPN: 200Mbps
H3C Secpath UTM 200-S   Interfaces: fixed 5GE WAN ports; supports 1 expansion slot: 4GE SFP LAN switch card
                        FW Throughput: 200Mbps, 3DES VPN: 100Mbps
Key Features—Secpath UTM Overview
FIREWALL: Traditional firewall security zones protect technology to provide access control and policy enforcement, support NAT
BANDWIDTH MANAGEMENT: QoS and bandwidth management to improve network performance and provide policy-based traffic shaping
NETWORK FEATURE: Provide support for next generation IP networks, support the OSPF/RIP route, AAA etc
VPN: IPSec VPN to transform the Internet into a secure converged network for multi-site connectivity, support IPSEC/L2TP/GRE
WEB FILTERING: To protect against offensive Web content and enforce acceptable usage policies
ANTI-VIRUS: Real-time network protection against widespread & harmful in-the-wild viruses and malware
ANTI-SPAM: Increase employee productivity whilst reducing exposure to email borne threats
OTHER: SSL VPN, Wireless, Centralized Management
Key Features—Firewall technology ASPF
• ASPF (Application Specific Packet Filter)
• How it works
  – Monitors the packets in a communication
  – Maintains the status of each connection
  – Dynamically creates and deletes filter ACLs
• Benefits
  – Truly protect your network's security with layer 4-7 filtering technology
Diagram: a client in the intranet sends a session request to a server on the Internet through the SecPath firewall; the firewall monitors the packets in the session and dynamically creates and deletes filter ACLs, so the data of the client's session is transferred while a non-client's session request is refused.
Key Features—Division of Security Domain
Division of Security Domain:
• Implementing network security policies in zones with different security levels, and controlling accesses
Zone policy shown in the diagram (a firewall with Trust, Untrust and DMZ zones; the application server sits in the DMZ zone behind a switch):
  – Communications between Trust zone and Untrust zone are prohibited.
  – Trust zone -> DMZ zone: accessible to POP3 and SMTP services
  – DMZ zone -> Trust zone: inaccessible to all services
  – Untrust zone -> DMZ zone: accessible to POP3 and SMTP services
  – DMZ zone -> Untrust zone: accessible to all services
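The zone policy on this slide and the ASPF session tracking on the previous slide, combined in one toy filter. This is an added example and not H3C code: the address-to-zone binding, the port numbers, the idle timeout and the sample packets are constructed assumptions. The zone-pair table is consulted only for the first packet of a flow; the session table then plays the role of the dynamically created and deleted filter ACL, admitting the replies of a permitted session (even DMZ -> Trust, which the static policy forbids) and refusing unsolicited packets.

```python
# Added illustration (not H3C code): a toy stateful, zone-based packet filter.
# Zone pairs carry the service policy from the slide; an ASPF-style session
# table acts as the "dynamic ACL" that opens the return path of a permitted
# session and refuses unsolicited packets. Addresses and timeouts are constructed.
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union

ANY = "any"
POP3, SMTP = 110, 25

# Zone-pair policy as stated on the slide. A pair that is absent is prohibited,
# which covers Trust<->Untrust and DMZ->Trust.
ZONE_POLICY: Dict[Tuple[str, str], Union[Set[int], str]] = {
    ("Trust", "DMZ"): {POP3, SMTP},
    ("Untrust", "DMZ"): {POP3, SMTP},
    ("DMZ", "Untrust"): ANY,
}


def zone_of(ip: str) -> str:
    """Constructed address-to-zone binding (a real box binds interfaces to zones)."""
    if ip.startswith("10.1."):
        return "Trust"
    if ip.startswith("10.2."):
        return "DMZ"
    return "Untrust"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    fin: bool = False  # True on the packet that closes the session


SessionKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


class StatefulZoneFirewall:
    def __init__(self, idle_timeout: float = 300.0) -> None:
        # Dynamic filter entries: session key -> time the session was last seen.
        self.sessions: Dict[SessionKey, float] = {}
        self.idle_timeout = idle_timeout

    @staticmethod
    def key(p: Packet) -> SessionKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(k: SessionKey) -> SessionKey:
        proto, src, sport, dst, dport = k
        return (proto, dst, dport, src, sport)

    def policy_permits(self, p: Packet) -> bool:
        """Static zone-pair check, applied only to the first packet of a flow."""
        allowed = ZONE_POLICY.get((zone_of(p.src), zone_of(p.dst)))
        if allowed is None:
            return False
        return allowed == ANY or p.dport in allowed

    def expire(self, now: float) -> None:
        """Delete filter entries whose session has gone idle."""
        stale = [k for k, seen in self.sessions.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def handle(self, p: Packet, now: float) -> str:
        """Return the decision for one packet and update the session table."""
        self.expire(now)
        k = self.key(p)
        # Packets of an existing session pass in both directions, regardless
        # of the zone policy for the reply direction (e.g. DMZ -> Trust).
        for sk in (k, self.reverse(k)):
            if sk in self.sessions:
                if p.fin:
                    del self.sessions[sk]
                    return "permit (session closed)"
                self.sessions[sk] = now
                return "permit (session)"
        # First packet of a new flow: consult the zone-pair policy and, if
        # permitted, create the dynamic entry that will admit the replies.
        if self.policy_permits(p):
            self.sessions[k] = now
            return "permit (new session)"
        return "deny"


if __name__ == "__main__":
    fw = StatefulZoneFirewall()
    client, mail = "10.1.0.5", "10.2.0.10"   # Trust client, DMZ mail server
    print(fw.handle(Packet(client, 40000, mail, SMTP), now=0))        # permit (new session)
    print(fw.handle(Packet(mail, SMTP, client, 40000), now=1))        # permit (session)
    print(fw.handle(Packet(mail, SMTP, client, 40001), now=1))        # deny: unsolicited
    print(fw.handle(Packet(client, 40002, "198.51.100.7", 80), now=2))  # deny: Trust->Untrust
```

The idle timeout is what makes the "delete" half of the dynamic ACL visible: once a session has been silent longer than the timeout, a late reply from the DMZ is judged by the static policy again and refused.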
Key Features—IPSec NAT Traversal
• Problem
  – A traditional GRE VPN tunnel cannot traverse an IP network after NAT.
  – The user must use NAT with only one legal IP address.
• How to solve?
  – SecPath supports the UDP VPN tunnel technique.
  – It can effectively traverse an IP network after NAT.
Diagram: headquarters (SecPath F1000-A) holds a legal IP address; the branch (SecPath U200-S) and a collaborator (SecPath F100-A) each sit behind NAT with one legal IP address. The traditional GRE VPN tunnel fails across the NAT, while the UDP VPN tunnel realizes NAT traversal.
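A small simulation of the problem and the fix on this slide, added here and not H3C code. It models a NAT that rewrites only the outer source address and, for UDP, allocates a public port per inner host; GRE carries no port field, so the model gives the NAT a single outer mapping and nothing to demultiplex a second inner host on. The tunnel payload stands in for an ESP packet with an integrity tag over the inner addresses, so the example also shows that the NAT leaves the inner packet untouched. All addresses, ports and payloads are constructed.

```python
# Added illustration (not H3C code): why a plain GRE tunnel breaks behind NAT
# and how UDP encapsulation fixes it. The NAT model is deliberately simple: it
# rewrites the outer source address and, for UDP, allocates a per-host port.
# GRE carries no port field, so this NAT keeps a single outer mapping for it.
# All addresses and payloads are constructed.
import hashlib
from typing import Dict, List, Optional, Tuple

Pkt = Dict[str, object]


def tunnel_payload(inner_src: str, inner_dst: str, data: bytes) -> bytes:
    """Opaque tunnel payload (stands in for an ESP packet) with an integrity
    tag over the inner addresses, as the VPN peer would verify."""
    body = f"{inner_src}>{inner_dst}|".encode() + data
    return hashlib.sha256(body).digest()[:8] + body


def verify_payload(blob: bytes) -> Optional[Tuple[str, str, bytes]]:
    tag, body = blob[:8], blob[8:]
    if hashlib.sha256(body).digest()[:8] != tag:
        return None
    hdr, data = body.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return src, dst, data


class SimpleNat:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.udp_out: Dict[Tuple[str, int], int] = {}  # (inner ip, port) -> public port
        self.udp_in: Dict[int, Tuple[str, int]] = {}
        self.next_port = 40000
        self.gre_inner: Optional[str] = None            # the one host GRE can map

    def outbound(self, pkt: Pkt) -> Optional[Pkt]:
        if pkt["proto"] == "gre":
            if self.gre_inner not in (None, pkt["src"]):
                return None  # second GRE host: no field to tell the peers apart
            self.gre_inner = pkt["src"]
            return {**pkt, "src": self.public_ip}
        key = (pkt["src"], pkt["sport"])
        if key not in self.udp_out:
            self.udp_out[key] = self.next_port
            self.udp_in[self.next_port] = key
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.udp_out[key]}

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        if pkt["proto"] == "gre":
            return None if self.gre_inner is None else {**pkt, "dst": self.gre_inner}
        key = self.udp_in.get(pkt["dport"])
        if key is None:
            return None
        return {**pkt, "dst": key[0], "dport": key[1]}


def exchange(proto: str, hosts: List[str], hq: str = "203.0.113.1", hq_port: int = 4500) -> int:
    """Send one tunnel packet from each branch host through the NAT to HQ and
    return how many HQ replies reach the right host with a valid payload."""
    nat = SimpleNat("198.51.100.9")
    delivered = 0
    for host in hosts:
        out: Pkt = {"proto": proto, "src": host, "dst": hq,
                    "payload": tunnel_payload(host, hq, b"hello")}
        if proto == "udp":
            out.update(sport=4500, dport=hq_port)
        fwd = nat.outbound(out)
        if fwd is None:
            continue
        # HQ verifies the inner payload (the NAT did not touch it) and replies
        # to whatever outer address/port it saw.
        inner = verify_payload(fwd["payload"])
        assert inner is not None and inner[0] == host
        reply: Pkt = {"proto": proto, "src": hq, "dst": fwd["src"],
                      "payload": tunnel_payload(hq, host, b"hi")}
        if proto == "udp":
            reply.update(sport=hq_port, dport=fwd["sport"])
        back = nat.inbound(reply)
        if back is not None and back["dst"] == host:
            delivered += 1
    return delivered


if __name__ == "__main__":
    branch_hosts = ["192.168.1.10", "192.168.1.11"]
    print("GRE through NAT:", exchange("gre", branch_hosts))  # only the first host
    print("UDP through NAT:", exchange("udp", branch_hosts))  # both hosts
```

With two hosts behind one legal address, the GRE run delivers replies to one of them and the UDP run to both, which is the whole point of the UDP VPN tunnel on the slide.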
Key Features— Attacks prevention
Providing multiple built-in attack prevention functions, removing most threats to network security. Outstanding DoS-prevention function!
  – Land Prevention
  – ICMP Flood Prevention
  – Smurf Prevention
  – UDP Flood Prevention
  – Fraggle Prevention
  – ARP Spoofing Prevention
  – WinNuke Prevention
  – ARP Automatic Reverse Lookup
  – Ping of Death Prevention
  – TCP Message Bit Exception Attack Prevention
  – Tear Drop Prevention
  – Super-large ICMP Message Attack Prevention
  – IP Spoofing Prevention
  – IP Address Scan Prevention
  – SYN Flood Prevention
  – Port Scan Prevention
Diagram: a hacker in the Untrust zone launches a DoS attack and unauthorized access, both blocked by the security policy at the firewall; authorized users' access to the Trust zone is accepted by the security policy.
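Detection logic for five of the attack classes in the list above (Land, Ping of Death, Smurf, SYN flood and port scan), run over a constructed batch of packet records. This is an added example, not H3C code; the record format, thresholds, window and addresses are assumptions chosen for the demonstration.

```python
# Added illustration (not H3C code): detection logic for a few of the attack
# classes listed above (Land, Ping of Death, Smurf, SYN flood, port scan),
# run over constructed packet records. Thresholds and addresses are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SYN_FLOOD_THRESHOLD = 100     # bare SYNs to one destination within the window
SCAN_PORT_THRESHOLD = 20      # distinct ports one source touches on one host
WINDOW = 1.0                  # seconds
MAX_IP_DATAGRAM = 65535


@dataclass(frozen=True)
class PacketRecord:
    ts: float
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # "S" for a bare SYN
    icmp_type: int = -1   # 8 = echo request
    frag_offset: int = 0  # in bytes
    length: int = 64      # bytes of IP payload in this packet/fragment


def is_broadcast(ip: str) -> bool:
    """Constructed notion of a directed broadcast address: last octet 255."""
    return ip.endswith(".255")


def detect(records: List[PacketRecord]) -> List[Tuple[str, str]]:
    """Return (attack name, detail) findings for one batch of packets."""
    findings: List[Tuple[str, str]] = []
    syn_times: Dict[str, List[float]] = defaultdict(list)
    scan_ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    flagged: Set[Tuple[str, str]] = set()

    def once(name: str, detail: str) -> None:
        if (name, detail) not in flagged:
            flagged.add((name, detail))
            findings.append((name, detail))

    for r in records:
        # Land: forged packet whose source equals its destination (address and port).
        if r.src == r.dst and r.sport == r.dport:
            once("Land", f"{r.src}:{r.sport}")
        # Ping of Death: a fragment that would reassemble beyond the IP maximum.
        if r.proto == "icmp" and r.frag_offset + r.length > MAX_IP_DATAGRAM:
            once("Ping of Death", f"{r.src} -> {r.dst}")
        # Smurf: echo request aimed at a broadcast address (amplifier abuse).
        if r.proto == "icmp" and r.icmp_type == 8 and is_broadcast(r.dst):
            once("Smurf", f"{r.src} -> {r.dst}")
        if r.proto == "tcp" and r.flags == "S":
            # SYN flood: count bare SYNs per destination in a sliding window.
            times = syn_times[r.dst]
            times.append(r.ts)
            while times and r.ts - times[0] > WINDOW:
                times.pop(0)
            if len(times) >= SYN_FLOOD_THRESHOLD:
                once("SYN Flood", r.dst)
            # Port scan: one source probing many ports on one host.
            ports = scan_ports[(r.src, r.dst)]
            ports.add(r.dport)
            if len(ports) >= SCAN_PORT_THRESHOLD:
                once("Port Scan", f"{r.src} -> {r.dst}")
    return findings


def sample_traffic() -> List[PacketRecord]:
    """Constructed batch mixing benign traffic with one instance of each attack."""
    recs = [PacketRecord(0.0, "10.0.0.5", "10.0.0.80", "tcp", 40000, 80, "S"),       # benign
            PacketRecord(0.1, "10.0.0.80", "10.0.0.80", "tcp", 139, 139, "S"),        # Land
            PacketRecord(0.2, "198.51.100.7", "10.0.0.80", "icmp", icmp_type=8,
                         frag_offset=65528, length=100),                              # Ping of Death
            PacketRecord(0.3, "10.0.0.80", "10.0.0.255", "icmp", icmp_type=8)]        # Smurf
    recs += [PacketRecord(1.0 + i * 0.005, f"203.0.113.{i % 200 + 1}", "10.0.0.80",
                          "tcp", 1024 + i, 443, "S") for i in range(120)]             # SYN flood
    recs += [PacketRecord(3.0 + i * 0.01, "198.51.100.9", "10.0.0.81", "tcp",
                          50000, p, "S") for i, p in enumerate(range(1, 31))]         # Port scan
    return recs


if __name__ == "__main__":
    for name, detail in detect(sample_traffic()):
        print(f"{name:14s} {detail}")
```

Each finding is reported once per (attack, detail) pair so that a flood of 120 SYNs produces one alert rather than twenty; a production detector would also age the scan table and rate-limit alerts.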
Key Features— Diverse VPN features
• Protocols Supported
  – L2TP VPN
  – GRE VPN
  – IPSec VPN
  – SSL VPN (optional, released 2009.Q2 in UTM)
• Encryption/Authentication Algorithms
  – DES/3DES
  – AES
  – MD5
  – SHA-1
• Identity Authentication Modes
  – Local authentication
  – RADIUS/TACACS authentication
  – PKI/CA authentication
Diagram: a Secpath F1000-S at headquarters and a Secpath U200-S at a branch office, connected by L2TP VPN, IPSec/GRE VPN and SSL VPN (HTTPS browse) tunnels.
Key Features— Content depth identification
Chart: traffic share by application (eDonkey, BT, HTTP); traffic from P2P file sharing is now the largest single traffic type over the Internet. Source: European Tier I ISP, Feb '04.
• Disabling P2P applications completely
• Enabling P2P bandwidth limit
• Enabling P2P bandwidth limit by time
• Enabling P2P bandwidth limit by user
Key Features—Traffic QoS assurance
• SecPath series firewalls can restrict the number of connections and monitor the traffic flow for each session. They also support complete QoS features: PQ/CQ/WFQ/CBQ, GTS, FIFO, RED/WRED, CAR/LR.
Diagram, QoS processing pipeline from ingress to egress:
  1. Receiving packets
  2. Packet sorting/labeling (ingress): ACL match on source address, destination address, source port, destination port, protocol type and TOS; CAR with a token bucket, non-conforming packets discarded
  3. Congestion inspection/avoidance: RED, WRED, SARED, with discards
  4. Enter the queue: Queue0, Queue1, Queue2 ... QueueN
  5. Queue scheduling (congestion management): FIFO, PQ, CQ, WFQ, CBWFQ
  6. Traffic shaping: GTS with a token bucket
  7. Egress
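The token bucket behind the CAR and GTS stages of this pipeline, applied per traffic class so that it also covers the P2P bandwidth limit by time on the previous slide. This is an added example and not H3C code: the rates, burst sizes, the port-based classifier, the office-hours rule and the packet trace are constructed assumptions. The policer drops what exceeds the bucket; the shaper instead computes when the packet may leave.

```python
# Added illustration (not H3C code): a token-bucket policer (CAR) and shaper
# (GTS) of the kind the QoS pipeline above names, plus a per-class rate table
# that gives P2P a smaller, time-dependent limit as the previous slide lists.
# Rates, burst sizes and the packet trace are constructed assumptions.
from typing import Dict, List, Tuple


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int) -> None:
        self.rate_bps = rate_bps          # committed information rate, bytes/s
        self.burst_bytes = burst_bytes    # committed burst size (bucket depth)
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst_bytes, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now

    def police(self, now: float, size: int) -> str:
        """CAR: pass the packet if tokens cover it, else mark it 'exceed' (drop)."""
        self.refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"

    def shape(self, now: float, size: int) -> float:
        """GTS: instead of dropping, return the time the packet may leave."""
        self.refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return now
        wait = (size - self.tokens) / self.rate_bps
        self.tokens = 0.0
        self.last = now + wait            # bucket is drained at departure time
        return now + wait


def p2p_rate(hour: int) -> float:
    """Per-time-of-day P2P limit in bytes/s: tight in office hours, relaxed at night
    (100 kbit/s vs 800 kbit/s; constructed values)."""
    return 12_500.0 if 9 <= hour < 18 else 100_000.0


def classify(dport: int) -> str:
    """Constructed classifier: well-known eDonkey/BT ports -> 'p2p', the rest 'default'."""
    return "p2p" if dport in (4662, 6881) else "default"


def police_trace(trace: List[Tuple[float, int, int]], hour: int) -> Dict[str, int]:
    """Run (timestamp, dport, size) packets through per-class CAR buckets and
    count the conforming packets of each class."""
    buckets = {"p2p": TokenBucket(p2p_rate(hour), 3200),
               "default": TokenBucket(1_250_000.0, 100_000)}
    passed: Dict[str, int] = {"p2p": 0, "default": 0}
    for ts, dport, size in trace:
        cls = classify(dport)
        if buckets[cls].police(ts, size) == "conform":
            passed[cls] += 1
    return passed


def sample_trace() -> List[Tuple[float, int, int]]:
    """Constructed trace: 20 BT packets and 20 web packets of 1500 B within 0.1 s."""
    return [(i * 0.005, 6881, 1500) for i in range(20)] + \
           [(i * 0.005, 80, 1500) for i in range(20)]


if __name__ == "__main__":
    print("office hours:", police_trace(sample_trace(), hour=11))
    print("night:       ", police_trace(sample_trace(), hour=23))
```

In office hours the P2P bucket admits only its initial burst (two packets) and then drops, while at night the higher rate lets roughly every other packet through; the web class stays within its larger bucket and is untouched.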
Key Features— High Flexibility & Availability
High Flexibility
• Route/Transparent Mode
• Policy routing and routing policy
• Multicast/Virtual firewall
• Supporting 802.1q, VLAN trunk
• Powerful routing capability: Static/RIPv1/2/OSPF/BGP
• Expand Module: 4 GE SFP module firstly released; support OSN module (developing)
High Availability
• Active/Standby; Active/Active backup
• Stateful backup: all the session table, forwarding table and configuration will not be lost during switchover
• Support VRRP feature
• Temperature-sensored fans to auto adjust the fan speed
Diagram: a Master/Slave pair of firewalls with a physical connection such as GE for stateful backup, in front of the LAN.
Key Features- Content Filter deployment
• Cooperating with Secure Computing to provide the top level URL filter solution
• Two query modes: URL database located in the enterprise network, or the H3C DC ghost site
Mode 1: the enterprise deploys the URL database to implement the local query
  1、PC sends the HTTP request
  2、UTM captures the URL information and matches it against the URL database
  3、The database replies with the URL match result
  4、UTM permits or drops the URL access and sends the log
Mode 2: the URL database is in the H3C Data Center ghost site
  1、PC sends the HTTP request
  2、UTM captures the URL information and sends it to the H3C DC to match the database and reply with the result
  4、UTM permits or drops the URL access and sends the log
Diagram for both modes: users (user zone) -> H3C UTM -> Internet.
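The two query modes above as one pluggable lookup: a local category database (mode 1) or a remote query function with a cache (mode 2), both feeding the same permit/drop decision and log line. This is an added example and not H3C or Secure Computing code; the category database, the blocked categories, the URLs and the fake remote query are constructed assumptions. The part worth noting is the host normalisation and the parent-domain walk, which is what turns "a URL database" into a decision for a host the database has never seen verbatim.

```python
# Added illustration (not H3C code): the two URL-filter query modes above as a
# pluggable lookup: a local category database (mode 1) or a remote query
# function with a cache (mode 2), both feeding the same permit/drop decision
# and log line. Categories, URLs and the policy are constructed assumptions.
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed category database keyed by domain; matching walks up the
# parent-domain chain so "video.example.test" hits "example.test".
LOCAL_DB: Dict[str, str] = {
    "example.test": "news",
    "gamble.example": "gambling",
    "cdn.gamble.example": "content-delivery",
}
BLOCKED_CATEGORIES = {"gambling", "malware"}


def host_of(url: str) -> str:
    """Normalise the URL host: lowercase, strip port and trailing dot."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host.rstrip(".")


def lookup_local(host: str, db: Dict[str, str] = LOCAL_DB) -> Optional[str]:
    """Mode 1: longest-suffix match against the enterprise-hosted database."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        cat = db.get(".".join(labels[i:]))
        if cat is not None:
            return cat
    return None


def make_remote_lookup(query: Callable[[str], Optional[str]]) -> Callable[[str], Optional[str]]:
    """Mode 2: wrap a remote query (the data-centre site) with a result cache so
    repeated hosts do not cross the Internet again."""
    cache: Dict[str, Optional[str]] = {}

    def lookup(host: str) -> Optional[str]:
        if host not in cache:
            cache[host] = query(host)
        return cache[host]
    return lookup


class UrlFilter:
    def __init__(self, lookup: Callable[[str], Optional[str]]) -> None:
        self.lookup = lookup
        self.log: List[str] = []

    def check(self, client: str, url: str) -> Tuple[str, str]:
        """Steps 2-4 of the slide: capture the URL, match, permit or drop, log."""
        host = host_of(url)
        category = self.lookup(host) or "uncategorised"
        action = "drop" if category in BLOCKED_CATEGORIES else "permit"
        self.log.append(f"client={client} host={host} category={category} action={action}")
        return action, category


def demo() -> List[Tuple[str, str]]:
    calls: List[str] = []

    def fake_remote(host: str) -> Optional[str]:   # stands in for the H3C DC query
        calls.append(host)
        return lookup_local(host)

    local = UrlFilter(lookup_local)
    remote = UrlFilter(make_remote_lookup(fake_remote))
    results = [
        local.check("10.1.0.5", "http://video.example.test/clip"),
        local.check("10.1.0.5", "https://GAMBLE.example:8443/bet"),
        local.check("10.1.0.5", "http://cdn.gamble.example/asset.js"),
        remote.check("10.1.0.6", "http://gamble.example/"),
        remote.check("10.1.0.6", "http://gamble.example/again"),
    ]
    assert calls == ["gamble.example"]   # second remote check answered from cache
    return results


if __name__ == "__main__":
    for action, category in demo():
        print(action, category)
```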
Key Features- Anti-Virus deployment
• Cooperating with Kaspersky SafeStream to provide the anti-virus solution
• Detection of the most dangerous and wide-spread malware: worms, Trojans, viruses and other malware
• Fastest response to the most dangerous viruses, Trojans, worms as well as spyware programs
• Based on real-time virus spreading statistics gathered by Kaspersky Lab
• Regular daily updates and urgent updates in case of malware outbreaks
• H3C virus scan engine based on flow mode
Table1: The schematic process (diagram: the Kaspersky SafeStream Lab on the Internet supplies signatures to the H3C UTM)
Table2: Signatures update releasing scheme
Key Features- Anti-Spam deployment
• Cooperating with Commtouch to provide the top level anti-spam solution
• Secpath UTM captures the mail info and queries the mail classification from the Commtouch database
• Based on Commtouch RPD technology, Secpath UTM also supports:
  – Content filter based on email title and content keywords; email permit or deny based on white & black lists
  – Protocol check and filter; support for RBLs, RFC 822 check and reverse DNS analysis algorithm
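The local checks this slide lists beside the Commtouch query, scored over one constructed message: white/black lists that decide outright, an RBL lookup, subject/body keyword filtering, RFC 822 header sanity and a HELO-versus-reverse-DNS comparison. This is an added example and not H3C or Commtouch code; the cloud classification is passed in as a parameter rather than queried, and the RBL table, PTR table, keyword list, weights and threshold are constructed assumptions.

```python
# Added illustration (not H3C code): the local anti-spam checks the slide lists
# beside the Commtouch query, scored over constructed messages. The RBL and
# reverse-DNS tables, keyword list, weights and threshold are assumptions; the
# cloud verdict is a parameter standing in for the Commtouch database reply.
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional, Tuple

WHITELIST = {"partner.example"}
BLACKLIST = {"spammer.example"}
KEYWORDS = ("free money", "act now", "lottery")
RBL: Dict[str, str] = {"198.51.100.66": "listed-by-constructed-rbl"}   # IP -> reason
PTR: Dict[str, str] = {"198.51.100.66": "dynamic-66.isp.example",
                       "203.0.113.25": "mail.partner.example"}
SPAM_THRESHOLD = 5


def sender_domain(msg: Message) -> str:
    addr = msg.get("From", "")
    return addr[addr.rfind("@") + 1:].strip("> ").lower()


def rfc822_problems(msg: Message) -> List[str]:
    """Minimal header sanity: expected headers present and From carries an address."""
    problems = [h for h in ("From", "Date", "Message-ID") if not msg.get(h)]
    if msg.get("From") and "@" not in msg.get("From"):
        problems.append("From-no-address")
    return problems


def reverse_dns_mismatch(peer_ip: str, helo: str) -> bool:
    """True when the PTR of the connecting IP does not back the HELO name."""
    ptr = PTR.get(peer_ip)
    return ptr is None or ptr.lower() != helo.lower()


def classify(raw: str, peer_ip: str, helo: str,
             cloud_verdict: Optional[str] = None) -> Tuple[str, int, List[str]]:
    """Return (verdict, score, reasons). Lists decide outright; otherwise the
    cloud verdict (if any) and the local checks add up a score."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    if domain in WHITELIST:
        return "permit", 0, ["whitelisted sender"]
    if domain in BLACKLIST:
        return "deny", 99, ["blacklisted sender"]
    score, reasons = 0, []
    if cloud_verdict == "spam":
        score += 5; reasons.append("cloud classification: spam")
    if peer_ip in RBL:
        score += 3; reasons.append(f"RBL: {RBL[peer_ip]}")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [k for k in KEYWORDS if k in text]
    if hits:
        score += 2 * len(hits); reasons.append("keywords: " + ", ".join(hits))
    for p in rfc822_problems(msg):
        score += 1; reasons.append(f"RFC 822: {p}")
    if reverse_dns_mismatch(peer_ip, helo):
        score += 2; reasons.append("reverse DNS does not match HELO")
    verdict = "deny" if score >= SPAM_THRESHOLD else "permit"
    return verdict, score, reasons


# Constructed sample messages.
SAMPLE_SPAM = """From: promo@bulk.example
Subject: FREE MONEY - act now
To: user@corp.example

Claim your lottery prize today.
"""

SAMPLE_HAM = """From: Alice <alice@partner.example>
Date: Mon, 17 Nov 2008 10:00:00 +0800
Message-ID: <1@partner.example>
Subject: agenda for Tuesday
To: user@corp.example

See attached.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_SPAM, "198.51.100.66", "mail.bulk.example"))
    print(classify(SAMPLE_HAM, "203.0.113.25", "mail.partner.example"))
```

The spam sample scores on four independent signals (RBL, keywords, missing Date and Message-ID, PTR not matching HELO), which is the point of combining checks: any single one is easy to evade or to get wrong, and a threshold over several is harder to game and less likely to block legitimate mail.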
Key Features—Advanced Hardware Platform
• Multi-core CPU platform, every CPU has an independent cache inside
• Flexible expansion of multi-core CPUs to meet increasingly changing security requirements
• Multiple CPUs working together, reducing the risk of future cost growth due to increase of network pressure
• Service-depth security protection mechanism to exhibit performance advantages
Diagram: Secpath UTM high performance benefits from the multi-core platform, compared against NP architecture, ASIC and X86 system platforms.
Key Features-Centralized Management
• All H3C firewall or UTM products can be managed by SecCenter, a management software platform that includes many components sold by software license. It can implement:
  – Global network topology collection and display; click a unit to configure it through the web GUI
  – Centralized distribution of product config files or system application processes, remote upgrading, backup of the configuration file
  – Global license file management: centralized distribution of license files to remote units, display of license information
  – AV/URL Filter/IPS signature upgrading weekly
  – Statistics and analysis of all security events, output of all kinds of security reports such as TOP N attack rank based on source IP or destination IP address
Success Stories
—Application in Government Network
Hangzhou, China Government Network
Diagram: branches connect over the Internet (ISP NGO) through a SecPath F1000-E to an S5600 core switch; behind it sit UDM, a CA authentication center, IX1000/IX3000 and IV5000 storage with DiskSafe backup software.
Success Stories
—Application in Government Network
VPN Backup of Negotiable Securities in Shandong Province
Diagram: the office (SecPath U200-A, 100M, router) connects to the bargain department and further sites (SecPath U200-S, routers) over 2M links and 155M SDH, with ADSL as the VPN backup path.
Success Stories
—Application in Government Network
Application in Sichuan Banking Regulatory Commission
Diagram: the Banking Regulatory Commission center (internal network, application server, core switch, IPS SecPath T1000, SecCenter A1000, SecPath U200-A, core routers 1 and 2) connects over 155M CPOS to ISP A and ISP B; access sites reach it over E1 links through access routers and security appliances.
Success Stories
—Application in Electrical Industries
Application in MENGXI plant of North United Power Corporation
Diagram: two U200-A units at the Internet edge in front of S9512 and S7506 core switches with S3600 access switches.
Success Stories
—Application in Financial Network
Xinhua Publish Corporation
Diagram: core layer with servers, S5516 switches, SecPath F1000-A and S7506R; convergence layer with AR4640 routers and SecPath U200-M over local 10M broadband and ADSL/DVPN; access layer with Branch1 and Branch2 (AR2809 and AR18 routers, SecPath F1000-A).
Success Stories
—Application in Enterprise
Application in Ufida Software
Diagram: connected to China Netcom at 100M.
Success Stories
—Application in Enterprise
Application in CCTV International
Diagram: China Netcom 100M link into the internal network through two U200-A units and routers at the YANJING Building, with SecCenter, servers and EAD.
Thank You
IToIP Solutions Expert
Hangzhou H3C Technologies Co., Ltd.