Brand : HUAWEI
This section describes how the USG6000 deals with new network threats.
The HUAWEI USG6000 series uses next-generation firewall features to address the new threats posed by new networks as follows:
The USG6000 inherits and improves traditional security functions to effectively identify applications and defend against application-layer threats and attacks.
The Intelligent Awareness Engine (IAE) inspects each packet once and extracts all the information needed for subsequent data security policy matching, which increases processing efficiency.
The USG6000 controls services by user, application, content, and quintuple (source/destination IP address, source/destination port, and service).
The USG6000 provides flow-based detection and real-time monitoring. It also supports cache-free technologies to detect applications, intrusion behaviors, and virus-infected fragments and packets. This improves the security of network access.
Cloud computing and data center
The USG6000 virtualizes route forwarding, configuration management, and security services to provide comprehensive defense capabilities for cloud computing and data centers.
The USG6000 can be deployed to bring about significant benefits.
This section describes the functions and designs of the USG6000.
The USG6000 provides the following features:
High performance on a new 10-Gigabit, multi-core hardware platform
High slot density and diversified interface cards to process massive services
Key component redundancy, mature link switchover, and electrical built-in bypass cards to deliver long Mean Time Between Failures (MTBF) and build a sustainable working environment for users
The USG6000 provides the following to maintain professional content security defense:
Unified detection mechanism to ensure highly efficient Service Awareness (SA). Based on the predefined signature database and IAE, the USG6000 identifies the common applications and the multi-channel applications.
Antivirus (AV). The USG6000 employs the advanced Intelligent Awareness Engine (IAE) and constantly updated virus signature database to detect and remove viruses.
Intrusion Prevention System (IPS). The USG6000 detects and defends against thousands of intrusion behaviors, worms, Trojan horses, and botnets.
URL filtering. The USG6000 blocks connections to HTTP and HTTPS URLs as configured. URLs and URL categories can be deployed locally or on a remote real-time query server.
Content filtering. The USG6000 filters the packets of common file transfer protocols and mail protocols based on keywords in files and mails.
File blocking. The USG6000 filters the packets of common file transfer protocols and mail protocols based on file types.
Application behavior control. The USG6000 supports connection control by application to disable unwanted applications. It controls common HTTP and FTP application behaviors, such as the file upload and download through HTTP/FTP, HTTP POST, web page browsing, and HTTP proxy.
Mail filtering. The USG6000 interworks with the Real-time Blacklist (RBL) server to block spam. It filters mails by receiver address, sender address, subject, body, attachment name, attachment content, or attachment size.
The USG6000 provides the following to integrate security, routing, and VPN services:
Powerful content security capabilities. The USG6000 analyzes the contents transmitted by applications and detects intrusion behaviors, viruses, files, URLs, and confidential information. The administrator can formulate security policies for various services and perform global configurations based on flows, which greatly improves management efficiency.
All-round traditional firewall security functions. The USG6000 inherits all network-layer security functions of traditional firewalls to easily cope with network-layer attacks or threats.
Support for various routing and switching protocols. The USG6000 applies to various network environments, and can replace existing routers or firewalls or be transparently connected to the existing network.
Diversified VPN access modes. The USG6000 supports multiple VPN access modes such as IPSec, L2TP, GRE, SSL VPN, and DSVPN for secure connections between the headquarters, branches, partners, and mobile workers on the Internet to provide low-cost VLAN solutions.
Highly integrated services that construct an E2E secure network environment for the enterprise
The USG6000 provides the following to refine management by application and user:
Managing users locally, maintaining the organizational structure, and implementing centralized management over VPN or PPPoE users
Interworking with common user servers such as the Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), Lightweight Directory Access Protocol (LDAP), and TSM servers to import user information and implement proxy authentication
Pushing web pages for user authentication or collaborating with the AD server to synchronize information about online users promptly
Single Sign-on (SSO) that simplifies configurations and user logins without increasing security risks
Applying security policies to the authenticated users for managing traffic by user and application
The USG6000 provides the following to implement visualized management:
New web UI for the administrator to rapidly configure, manage, maintain, commission, and troubleshoot the device.
Multiple management modes such as Web UI, CLI (Console, Telnet, or SSH), and NMS (SNMP)
Multiple log types such as the traffic log, threat log, URL log, content log, mail filtering log, operation log, system log, user activity log, and policy matching log for the administrator to learn about network events
Multiple report formats such as the traffic report, threat report, application report, URL report, and user report for the administrator to gain visibility into the network traffic status and security defense effect
The USG6000 provides carrier-class reliability as follows:
Huawei has used its considerable telecommunications experience to develop the USG6000. The USG6000 provides various carrier-class reliability technologies at the hardware, software, and link layers to ensure high availability. The USG6000 supports technologies such as dual-system hot backup, fault detection, power supply redundancy, and hardware bypass.
Based on multiple reliability technologies, traffic is redirected promptly upon a device fault to ensure normal transmission.
The USG6000 provides flexible scalability with the following features:
Multiple expansion interface card slots for enhancing hardware forwarding capabilities and device performance
Key content security components such as the IAE, application signature database, antivirus signature database, threat signature database, RBL query server, and URL category database. These components can be updated or queried online to ensure that the USG6000 can cope with the latest security risks.
Virtual system. A physical device is divided into multiple virtual devices. Each is independent and locally isolated to implement system-level expansion, and each meets the requirements of device leasing and cloud computing.