HUAWEI NGFW USG6000 Series
Products Pre-sales Specialist
Training
Version: V1.1(20130801)
Contents
1 Market Summary and Positioning
2 Product Highlights
3 Product Comparisons
4 Success Stories
5 Quotations & Configurations
Global Security Products Market
Annual Revenue Statistics of Global Security Products - Infonetics: 5.8 billion
Market Shares of Security Vendors - Infonetics (unit: million dollars)
Cisco: 1824.2
McAfee: 460.4
Checkpoint: 786.8
Fortinet: 262.3
Juniper: 705.2
Huawei: 229.0
In 2011, global security products revenue reached $5.8 billion, an increase of 3.3% over 2010 revenue. Huawei accounts for 3.9% of the global market and ranks No. 6.
Middle and Low-End Security Gateway Market Analysis
Infonetics Forecast of the Global Security Device Market
1. In 2014, the global firewall, VPN, and UTM markets are expected to reach $3.1 billion.
2. Middle-range and low-end security gateways will account for 71% of the global security gateway market with $2.2
billion.
Note: $0 to $5000 security gateways are low-end. $5000 to $30,000 security gateways are middle-range.
[Figure: Security Device Market Forecast — Infonetics (million dollars); low-end and middle-range firewalls by price band: $500, $1500, $5,000, $10,000, $30,000]
Network Security and Firewall
[Diagram labels: Enterprise Network, Remote/Branch Office, Office, Data Center, DMZ, Internet, Cloud DC; components: Endpoint Security, FW, IPS, WAF, SSL VPN, SOC, Anti-DDoS, VFW]
Typical Application — Security Protection of Private Government Network
Existing Issues
• Private government networks are not isolated.
• Governmental intranet and Internet communication is not protected.
• Multiple internal service systems have vulnerabilities.
Solution
• Add antivirus (AV) isolation at borders for security.
• Manage unified network security.
Solution Values
• Private government networks are isolated securely.
• The solution prevents viruses professionally and effectively.
• The solution controls the range of security events effectively.
• The solution upgrades vulnerabilities and patches with unified management.
[Diagram labels: Private province government network; Municipal governments (City 1 … City N); District/County governments (District/County 1 … District/County N); USG6000 at each level]
Typical Application — Security Isolation of the Data Center
Existing Issues
• Unsecure heavy traffic isolation
• Not guaranteed service continuity
• No anti-DDoS defense
• No visualized application management
Solution
• 10-GB device for security isolation of the data center
• Hot standby deployment
Solution Values
• Security isolation of 32 Gbit/s traffic on one host
• Professional 10 Gbit/s anti-DDoS capability
• Microsecond-level delay and hot standby
• Zero packet loss ratio to ensure service continuity
• Visualized service management
[Diagram labels: WAN; Core switch; USG6000; Data center switch; Application server; Database server; IP SAN; FC SAN; NAS; NAS node; IP switching plane; FC switching plane; Network redundancy and virtualized device: VIS6000; Backup device: S2600T/S5500T/VIS6600T; Redundancy array: S5500; Unified storage device: N8500; Main data center; Geographic redundancy center]
Typical Application — Network Admission Protection
Existing Issues
• Terminals have vulnerabilities.
• Authorized users access unauthorized resources.
• Unauthorized access is not controlled.
• Numerous terminals are hard to manage.
Solution
• Provide a professional gateway solution with excellent adaptability.
• Manage devices centrally with quick deployment.
• Support comprehensive terminals.
• Provide HA and flexible control.
Solution Values
• Forces terminals to protect service systems.
• Improves network security and usability.
• Improves efficiency and saves costs.
[Diagram labels: WAN; Router; Server area; Switch; Core switch; Access switch; USG6000; USG6000 terminal access control gateway; Terminal security management system; IDS NIP1000]
Typical Application — Secure VPN Access to Branches
Existing Issues
• Unsecure access for branches and mobile working
• Unsecure data transmission on the Internet
VPN Solution
• Multiple VPN technologies, such as IPSec, L2TP, GRE, SSL, and MPLS
• Online expansion of the number of tunnels
• Carrier-class reliability
Solution Values
• Secure, flexible, and reliable VPN access
• Centralized service management
[Diagram labels: Headquarters; Intranet; RADIUS & CA; VSM management system; Internet; Branch; Remote site; USG6000 at headquarters and at each branch]
NGFW Needs Optimization…
[Diagram labels: Upgrade; Management Optimization; Traffic Control; Security Scope; Performance; APP Definition; Basic FW/VPN; Application-aware; Integrated IPS; For Large Enterprise]
1 Fine-granular Access Control
Applications Identification: No.1 in Industry
Comprehensive Coverage, Fine-grained Control
Number of identified applications (ALL / P2P / GAME):
Huawei: 6000 / 450 / 422
CheckPoint: 5000 / 321 / 183
Cisco: 1181 / 75 / 62
PAN: 1600 / 120 / 56
Fortinet: 3133 / 214 / 148
[Chart: per-vendor control granularity (✔/✘; fine-grained actions such as Voice/Text, Upload/Download and Browsing/Exchange versus "App Only") for sample applications: Games (Half-life), Freenet, WeChat, LINE, RapidShare, Great Wisdom]
Application Awareness: Better Service Visibility & More Refined Control
• Identify 6000+ network applications.
• Cover main application protocols.
• Support popular encrypted P2P protocols, Web2.0 applications, mobile apps, and micro-apps.
• Customize to meet individual needs.
Applications are described in three dimensions:
Data Transmission Mode
• client-server: applications, such as client-side games
• browser-based: applications, such as browser games
• Networking: network applications, such as HTTP
• peer-to-peer: P2P applications, such as Thunder and BT
• …
5 Categories and 33 Sub-categories
Business Systems:
• Finance: E-bank and stock software
• Database: database, such as Mysql
• …
Entertainment:
• Game: Game software, such as Warcraft
• Social Networking: social software, such as Facebook
• …
General Internet:
• Web Browsing: web browsing
• Search Engines: Search engine, such as Google
• File Sharing: file sharing software
• …
…
Risk Types and Levels
• Exploitable: applications that have known vulnerabilities
• Evasive: applications, such as proxy applications, that attempt to evade firewall inspections
• Data leak: applications that can transmit files or upload text
• Infected by malicious software: applications infected by malicious software
• Tunneling protocol: Applications that can use a tunneling protocol to transmit other applications
• …
Risk types → risk levels
Value of Application awareness?
• Access Control
• Service Acceleration
• Working in conjunction with other defence
User Awareness: I Know Who You Are
Facing Changing User IP Addresses
8 authentication modes:
• Local, RADIUS, LDAP, AD domain, SecureID, TSM, and HWTACACS authentication
Values:
• Following the mobile working trend
• User-based security policies
• User-based bandwidth management policies
• User-based online behavior management
Location Awareness: Where Attacks Are
IP → Location
Identification granularity:
• China: city
• U.S.: state
• Others: country
• Support for IP segment-based location definition
Application scenarios:
• Traffic map: location-based application statistical analysis report
• Attack map: location-based attack statistical analysis report
• Location policy: access permissions varying according to locations
For example:
• Some data can be accessed at headquarters, not at branches.
Policy Integration: simplify management and improve efficiency
Access control policy and content security policies, such as IPS and AV, are configured in a single interface.
[Screenshot labels: Access Control Area, Content Security Area]
2 Easy Security Management
Traditional Security Management
• New deployment is difficult.
• Applied policies never change regardless of traffic changes.
• Policies become more redundant and difficult to streamline.
[Diagram labels: IT Administrator; NMS; CLI; Web UI; Policy; Security Features]
Smart Policy Management Optimization
Quick Deployment
• Built-in Policy Templates
• Built-in Application Categories
Policy tuning
[Diagram: Original Policies → New Policies; labels: Optimization Based On Applications, Optimization Based On Security, Optimization Based On Bandwidth, Automatic, Traffic Analysis and Security Evaluation, Validation Check, Manual]
Policy Simplification
Finding long-term unused policies:
Finding redundant policies:
3 Comprehensive Prevention of Threats
Comprehensive Security
Comprehensive context awareness
• Awareness of applications, content, time, users, attacks, and locations
• 8 user authentication modes
Application security
• 6000+ application protocol identification
• 5,000,000+ virus detection
Email security
• Real-time anti-spam
• Content and keyword filtering
• Attachment virus detection and notification
Data security
• 30+ file reassembly and content filtering
• 120+ file type filtering
Intrusion prevention
• 3500+ attack detection
• 90+% false alarm detection rate
Web security
• 85,000,000+ URLs in the database
• 80+ categories
Network security
• Anti-DDoS
• VPN (IPSec/SSL/L2TP/MPLS/GRE…)
Routing
• IPv4: static routing, RIP, OSPF, BGP, and IS-IS
• IPv6: RIPng, OSPFv3, BGP4+, IPv6 IS-IS, IPv6 RD, and ACL6
Intrusion Prevention: 5500+ signatures
Detect and defend against over 5500 vulnerabilities
Anti-Virus: faster scanning and fresher signatures
• Rich protocols of flow-based antivirus scanning.
• Signature database is updated daily.
• Faster scanning than competitors' appliances.
File filtering & Content filtering: Data Loss Prevention
[Illustration: sample documents containing sensitive content such as a price, a credit card number and bidding material]
Able to identify actual file types and filter sensitive content, even when it is hidden in compressed files or the file extension has been modified.
URL filtering: Control web browsing activity
• 80+ URL categories
• 85,000,000 URLs in database
• 20 languages
• 500,000 malicious URLs
Legitimate websites: URL whitelist
Illegal/Malicious websites: URL blacklist
SSL encryption traffic security
More and more websites use HTTPS
SSL traffic: blind spot of security
Content security over SSL decryption:
• URL filtering
• Anti-virus
• Intrusion prevention
• Content filtering
• File filtering
• Activity control
Bandwidth Management
• Bandwidth guarantee for key services
• Connection limit
• Bandwidth limit
• QoS tag remark
Anti-DDOS
• Defend against over 10 types of DDoS
• Automatically set threshold by learning traffic.
Dynamic Smart Virtual Private Network (DSVPN)
Advantage of DSVPN:
• Effective IPSec communication between spokes.
• Simplifies configuration maintenance.
Virtualized Security Protection
Border Security of Cloud Data Centers
Virtual system border defense:
• Border protection for up to 1000 virtual systems
• Application identification, IPS, antivirus, and URL filtering
• Virtualized security protection
• Resource virtualization
• Virtualized floating for security policies
Tenant-specific management:
• Customized security management for tenants
• Customized QoS management for tenants
[Diagram: virtual systems A, B and C, each labelled with Session: XX, Bandwidth: XX, Security: A/B/C, Policy Num: X]
4 Excellent Performance
Unified Performance Experience for NGFW
Everything UNIFIED For High Performance
[Diagram: Huawei (UNIFIED App/Threat Description Language, UNIFIED Security Scan, UNIFIED Pattern Match, hardware and software processing) versus the industry's software-only approach (separate definitions for IPS, AV and URL, one-by-one detection); a chart compares throughput for FW, App, IPS, AV, URL, VPN and Full Protection]
What is IAE?
Intelligent Awareness Engine
[Diagram labels: Web Security; URL Categorization; Intrusion Prevention; File Security; Application Classification; Anti-virus; DLP Scan; signature sources: Application Signatures, Virus Definitions, Intrusion Signatures, Web Attack Signatures, DLP Signatures, URL Database]
Everything UNIFIED
[Diagram labels: NIC; Routing & Switching; Basic Firewall Features; IAE; UNIFIED Protocol Dissector; Application Identification; UNIFIED Decomposition (General Contents, URL, File Stream, File Typer); UNIFIED Security Scan (DLP Scan, URL Scan, Intrusion Detection, Web Security Scan, Virus Scan); UNIFIED Response; UNIFIED Threat/Application Description Language; UNIFIED Pattern Match and Hash Algorithm]
Hardware Acceleration
[Diagram: UNIFIED Pattern Match; Protocol Dissector, Application Identification, Security Scan (DLP Scan, Intrusion Detection) and Response utilize Software Based Pattern Match for Small/Singleton Requests (Synchronous Result) and Hardware Based Pattern Match for Bulk/Stream Requests (Asynchronous Result)]
Stream-based File Processing
[Diagram: elapsed time (t1, t2) of Traditional File Processing versus Huawei NGFW's Stream-based New Approach, each with the stages Receiving, Virus Scan, DLP Scan, Transmitting; pipeline labels: Protocol Dissector, Application Identification, File Typer, File Dissector, Decomposition, Segments, UNIFIED Security Scan, Response]
NGFW Appliance
• USG6300/USG6600 series has 14 models
• Provides 1G to 40G performance when application identification is enabled.
• Provides a minimum of 8 GE ports and scalable to a maximum of 64*GE+14*10GE ports
Models:
USG6680, 40Gbps, 3U, 4*10GE+16GE+8SFP
USG6670, 35Gbps, 3U, 4*10GE+16GE+8SFP
USG6660, 25Gbps, 3U, 2*10GE+8GE+8SFP
USG6650, 20Gbps, 3U, 2*10GE+8GE+8SFP
USG6630, 16Gbps, 1U, 8GE+4SFP
USG6620, 12Gbps, 1U, 8GE+4SFP
USG6390, 8Gbps, 1U, 8GE+4SFP
USG6380, 6Gbps, 1U, 8GE+4SFP
USG6370, 4Gbps, 1U, 8GE+4SFP
USG6360, 3Gbps, 1U, 4GE+2Combo
USG6350, 2Gbps, 1U, 4GE+4Combo
USG6330, 1Gbps, 1U, 4GE+4Combo
USG6320, 2Gbps, Desktop, 8GE
USG6310, 1Gbps, Desktop, 8GE
Expansion modules: WSIC-2SFP+&8GE, WSIC-8GE, WSIC-8SFP, WSIC-4GE-BYPASS, SAS-300GB
How to Beat Overview (Huawei vs. vendor)
Palo Alto
  Hardware: Huawei is stronger than Palo Alto in interface quantity and reliability.
  Software Feature: Palo Alto NGFWs have comprehensive functions and advanced technologies, but Huawei NGFWs deliver more comprehensive performance than their counterparts.
  Price: The host price is low, and the price is more competitive than the vendor if a license is sold together.
CheckPoint
  Hardware: Huawei is stronger than CheckPoint in interface quantity and availability.
  Software Feature: Check Point NGFWs have comprehensive functions and advanced technologies, but Huawei NGFWs deliver more comprehensive performance than their counterparts.
  Price: The host price is low, and the price is more competitive than the vendor if a license is sold together.
Cisco
  Hardware: Huawei is stronger than Cisco in interface quantity and availability.
  Software Feature: Cisco NGFWs are incompetent in technologies. Huawei has more comprehensive software features than Cisco. Therefore, Huawei NGFWs are stronger than Cisco's in both performance and functions.
  Price: The host price is low, and the price is more competitive than the vendor if a license is sold together.
Fortinet
  Hardware: Huawei is stronger than Fortinet in interface quantity and availability.
  Software Feature: Fortinet NGFWs have comprehensive functions. Therefore, the firewall throughput is relatively weaker but other performance indicators, such as new connections per second and concurrent connections, are stronger than Fortinet NGFWs.
  Price: The host price is nearly the same, but Huawei NGFWs can be more competitive if a license is sold together.
Notes:
1. To beat all vendors, emphasize the number of interfaces and the price advantage with license sold together.
2. Emphasize the high availability and 10G interfaces to increase the price of vendors' devices.
Competitiveness Map of USG6000 NGFW
Huawei models by firewall throughput:
1G (desk)*: USG6310
2G (desk): USG6320
1G*: USG6330
2G*: USG6350
3G*: USG6360
4G: USG6370
6G: USG6380
8G: USG6390
12G*: USG6620
16G*: USG6630
20G: USG6650
25G: USG6660
35G: USG6670
40G: USG6680
[Chart: competitor models positioned against the same throughput scale. Cisco: ASA 5512-X, ASA 5515-X, ASA 5525X, ASA 5545-X, ASA 5555-X, ASA 5585X(SSP10), ASA 5585-X(SSP20), ASA 5585-X(SSP40), ASA 5585-X(SSP60). Check Point: 1140, 1180, 2200, 4200, 4400, 4600, 4800, 12200, 12400, 12600. Fortinet: 30D, 60C, 60D, 90D, 100D, 200D, 240D, 280D, 300C, 600C, 800C, 1000C, 1240B, 3240C. Palo Alto: PA-200, PA-500, PA-2020, PA-2050, PA-3020, PA-3050, PA-4020, PA-4050, PA-4060, PA-5020, PA5050, PA-5060]
Fortinet: FW&UTM Market Leader
• Fortinet is the first vendor that launches a UTM device. The annual compound growth rate is greater than 48%.
• Ranks No. 1 in the UTM sales market and No. 3 in the global security hardware market.
• Provides comprehensive product functions and third-party authentication. With low prices, the cost-effectiveness of Fortinet devices is the major promotion point.
• Fortinet claims to help customers invest less (cheap) and protect more (comprehensive functions).
How To Beat Fortinet (FortiGate Series)
Three methods for winning
1. Hardware: Emphasize the use of non-X86 multi-core architecture, use hardware bypass and redundant power supplies, and try your best to configure 10G interfaces.
2. Price: Guide the bidding based on the number of fixed ports on Huawei NGFWs and try your best to configure security function licenses to relatively increase the price of Fortinet NGFWs.
3. Function: Guide the use of application-layer defense functions (the FortiGate series delivers poor performance in this aspect), such as IPS, AV, and DLP, and emphasize the Smart Policy feature, which features scenario template-based policy making, intelligent tuning, and policy simplification.
Key beating points
1. The FortiGate series does not support hardware bypass or dual-power redundancy.
2. Only the 20G or higher products support 10G interfaces, and the maximum number of interfaces is small.
3. Compared with counterparts, the FortiGate series lags behind in new connections per second, concurrent connections, and VPN throughput.

1. The FortiGate series identifies only over 3100 applications, which is far less than that of Huawei (identifies over 6000 applications).
2. The FortiGate series does not support MPLS or application-layer attack defense, such as HTTP, DNS, or SIP attack defense.
3. The FortiGate series supports neither security policy intelligent tuning nor redundancy analysis.
Palo Alto: Leading the NGFW Industry in Technologies
• The first NGFW vendor and long-term leader in the Gartner FW quadrant
• The annual income reaches $400 million in 2013 and increases 30 times in the last five years. Palo Alto ranks No. 5 in the global security hardware market and increases the fastest.
• Palo Alto developed more than 4800 customers in 2013 and has over 13500 customers in over 120 countries and regions, with 1250 channel partners.
• Palo Alto NGFWs have comprehensive functions and lead the industry in technologies. It has a good brand in the NGFW market, but the firewall price is high.
How To Beat Palo Alto (PA-XXXX Series)
Three methods for winning
1. Hardware: Emphasize power redundancy and hardware bypass.
2. Price: Guide the bidding based on the number of fixed ports on Huawei NGFWs and try your best to configure security function licenses to relatively increase the price of Palo Alto NGFWs.
3. Function: Emphasize the Smart Policy feature that features scenario template-based policy making, intelligent tuning, and policy cleanup.
Key beating points
1. Palo Alto NGFWs do not support interface expansion, and only the PA-5060, 5050, and 4060 support 10G interfaces.
2. The PA3000 series and lower support neither power redundancy nor hardware bypass, delivering poor availability.
3. Compared with counterparts, Palo Alto NGFWs lag behind in all key indicators, such as new connections per second, concurrent connections, VPN throughput, IPS throughput, and AV throughput.

1. Palo Alto NGFWs identify only 1600+ applications (Huawei 6000+), support 47 million URLs (Huawei 85 million), and identify 60+ file types in DLP (Huawei 120+), but do not support application-layer anti-DDoS, such as HTTP, DNS, or SIP attack defense.
2. Palo Alto NGFWs do not support mail filtering, CA or SecurID authentication mode, or AV email declaration.
3. Palo Alto NGFWs support neither security policy intelligent tuning nor redundancy analysis.
4. Palo Alto NGFWs do not support logging or auditing on Internet access behaviors or email sending and receiving.
CheckPoint: A Leader in Technology and Market
• CheckPoint is a long-term leader in the FW quadrant of Gartner, and its security hardware market share ranks No. 2 on the globe.
• Quote software blades in over ten groups to meet the requirements of different procurement scenarios, in which way CheckPoint delivers a great sum of products.
• CheckPoint NGFWs provide comprehensive functions, lead in technology, and are good brands in the NGFW market. However, the software blade combinations have high prices.
How To Beat CheckPoint (NGFW Series)
Three methods for winning
1. Hardware: Emphasize power redundancy. For Gigabit high-end models, emphasize the 10G interfaces.
2. Price: Guide the bidding based on the number of fixed ports on Huawei NGFWs and try your best to configure security function licenses to relatively increase the price of CheckPoint NGFWs.
3. Function: Emphasize the Smart Policy feature, which features scenario template-based policy making, intelligent tuning, and policy simplification.
Key beating points
1. Only the 4800 and higher support 10G interfaces, whereas all Huawei NGFWs support 10G interfaces except the desktop devices.
2. The 4200/4400/4600 series supports neither power redundancy nor hardware bypass, delivering poor availability.
3. Compared with counterparts, CheckPoint NGFWs lag behind in all key indicators, such as new connections per second, concurrent connections, VPN throughput, IPS throughput, and AV throughput.

1. CheckPoint NGFWs support neither security policy intelligent tuning nor redundancy analysis.
2. CheckPoint NGFWs support neither MPLS/NAT64 nor DSVPN.
3. CheckPoint NGFWs do not provide open XML interfaces, manage only some policies, (Huawei provide at 2014.11)
Cisco: A Traditional Tycoon Lacking Visions
• Ranks No. 1 in the network security hardware market.
• Mainly sells the ASA-X series firewall and lacks features and visions in the NGFW field. The sales relies on network supporting projects that focus less on security.
• Acquired Sourcefire in October 2013, but the integration of products takes time.
• The ASA-X series lag behind in technology, deliver poor competitiveness, and have high prices.
How To Beat Cisco (ASA5500-X Series)
Three methods for winning
1. Hardware: Emphasize the non-X86 multi-core architecture and configure redundant power supplies and fan modules.
2. Price: Guide the bidding based on the number of fixed ports on Huawei NGFWs and try your best to configure security function licenses to relatively increase the price of Cisco NGFWs.
3. Function: Guide the use of IPS, AV, and DLP together and emphasize the Smart Policy feature, which features scenario template-based policy making, intelligent tuning, and policy simplification.
Key beating points
1. Only the ASA5585-X series support 10G interfaces. All NGFWs do not support hardware bypass, and the ASA5512/15/25-X do not support dual-power redundancy.
2. The ASA5585-X has only two expansion slots, and the IPS and CX functions require separate hardware support and fail to implement full service processing (FW+IPS+CX).
3. Compared with counterparts, Cisco NGFWs lag behind in all key indicators, such as new connections per second, concurrent connections, VPN throughput, and IPS throughput.
4. ASA5585-X DC power modules are not redundant, and the redundant AC power modules cannot coexist with the independent fan module, which easily causes heat dissipation problems, delivering bad reliability.

1. Cisco firewalls identify only over 1000 applications, which is far behind that of Huawei (identifies over 6000 applications). Besides, Cisco firewalls do not support user-defined applications.
2. Bad security capability: All series do not support file blocking or data filtering. The ASA5500-X series does not have any AV engine and does not support Chinese encryption algorithms.
3. Cisco firewalls do not support GRE, GRE over IPSec, IPSec over GRE, IPSec IPv6, 6RD, or DS-Lite, and fail to implement smooth IPv4-IPv6 transition.
4. Cisco firewalls support neither security policy intelligent tuning nor redundancy analysis. The FW and CX modules are independent NEs, and FW/VPN functions cannot be managed using the same management software that is used to manage CX functions. The management is complicated.
5. The CX module provides only simple rate limiting and does not support application-specific policy routing.
Lots of Commercial Use
6052 pieces
Alibaba Cloud Computing
National Supercomputing Center
112858 pieces
Note: shipment figures were collected up to December 2013.
Dortmund Signal Iduna Park stadium
Huawei end-to-end stadium solutions
Security Solution
• Dortmund's Signal Iduna Park is Germany's largest football stadium and the world's ninth-largest, accommodating more than 80000 spectators.
• As the security solution for the Wi-Fi system, Huawei NGFW developed intelligent identification management based on URL.
• Within the overall ICT solution, Huawei NGFW provided fine-grained control, high-performance prevention of all threats, and integrated IPS and URL filtering features, ensuring the best network experience for the customer.
ICITA public cloud network in Australia
Sydney · Australia
• Serving more than 100 large enterprises
• 6 dimensional fine-grained control
• Full Threat Protection 10+ Gbps
“USG6000 takes all the box to get ability to build on infrastructure network to provide multi-tenancy for our partners. It could complete separation, so each partner can build their own virtual data center. In fact it has module, so we can expand as our requirements. The cost is also very effective. We don't have specific security engineer in the infrastructure, but we can provide security support as a service for our customers.”
Damien Stephens, CEO of ICITA
Public cloud service provider in Australia
Opole OSTO, Poland
The City of Opole · Poland
Security Solution
• The project includes delivery of 3 core routers, 3 edge routers, 5 firewalls, 69 access switches.
• HUAWEI USG6000s are deployed at the edge of the optical telecommunication network after HUAWEI NE40E routers to secure the internal network and enhance data transmission security.
• HUAWEI USG6000s cooperate with Policy Center to perform secure access.
Customer Values
• Huawei USG6600 series demonstrated its good firewall performance at layer 7. The success is a good reference for the Government network security expansion.
Guangdong Smart Grid Network
Huawei's Security Solution
• Huawei deploys its USG6650 products at the Internet egress and comprehensive information network border. The USG6650 provides 10 Gbps all threat defense performance and a powerful NAT function for the Internet egress. In addition, Huawei's solution manages devices on the entire network through a unified management center to implement power dispatching management and report display, helping China Southern Power Grid build a simplified, highly efficient security protection system.
Customer Benefits
• Feature- and sandbox-based all threat defense methods, guaranteeing smooth office services for China Southern Power Grid
• When the all threat defense feature is enabled, the performance decrease is less than 50%. High-performance security protection and high-quality user experience support large volumes of service traffic.
• Automatic policy management based on traffic learning reduces the Total Cost of Ownership (TCO) by over 30%.
Beijing University of Posts and Telecommunications
Security Solution
• Deploy a USG6600 at the network egress and access the WAN via multiple ISP links.
• Implement application identification, traffic management, and comprehensive inspection
Customer feedback
• “Huawei NGFW can automatically learn the traffic patterns and provide detailed suggestions for policy fine tuning. These functions provide good visibility into applications on our network so that we can determine which applications need to be protected and which need to be controlled. We can easily fine tune the policies based on the suggestions.”
Jie An
Deputy director of the information network center
Ministry of education in Portugal
Construct a public government affairs platform for the ministry of education in Portugal, meeting the requirements on high-performance, high availability, and comprehensive security. This platform supports real-time online visits and public affairs query from users in the entire country.
Customer challenges
• 20G performance to carry real-time services and ensure service continuity and availability
• No effective defense against frequent attacks in various forms
Solution
• Deploy a USG6680 at the service border to provide 20G bidirectional service protection, ensuring service continuity.
• Enable service protection against DDoS and application-layer attacks and deploy Huawei cloud sandbox to defend against unknown threats.
USG6000 Marketing Patterns
[Diagram labels: Device; Device + License Bundle (1 Year); License Bundle; Update License; Function License; 1 year or 3 years. Licensed functions in each bundle: FW (include App, Anti-spam), IPS, AV, URL]
VSYS (10 default): x 10, x 20, x 50, x 100, x 200, x 500, x 1000
SSL (100 default): x 100, x 200, x 500, x 1000, x 2000, x 5000
USG Configuration Guide
1. Select an appliance
• Device
• Bundles device
2. Select expansion interfaces (optional)
• Layer-3 Ethernet interfaces: WSIC/1FE/1GE/4FE/2FE2FEC.
• HDD: Used for report and Smart Policy feature.
3. Value-added functions (optional)
• SSL VPN license (100/200/500/1000/2000/5000)
• VFW license (10/20/50/100/200/500/1000)
4. Materials
• Optical module
• Optical fiber connector
• Cable
Security license (1/3/YS)
• IPS license
• AV license
• URL Filtering license
• Three-in-one bundle license
References:
1. Network throughput
2. Number of users
3. Interfaces
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY
Copyright©2012 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time
without notice.