DATA SHEET
FIREWALL
H3C SecPath Next Generation Firewall (NGFW) Series
F1020/F1050
F1080
F5020
Overview
H3C SecPath NGFW series firewall is the latest incarnation of H3C's high performance security gateway. The series was developed with the advent of the Web 2.0 era, integrates the latest security trends and network deep inspection technologies, and is designed for SMEs, campus network egress and WAN branches.

H3C SecPath NGFW series provides multi-dimension security protection in a box: it protects multiple vectors including user, application, time and the network quintuple (5-tuple) to implement secure access control, with IPS, AV and DLP scans that lead to guaranteed network security. NGFW also supports multiple VPN solutions, such as L2TP VPN, GRE VPN, IPsec VPN and SSL VPN, to implement mobile office with smart devices. It is also built with rich routing capabilities, with RIP/OSPF/BGP routing strategies and routing policies based on applications and URLs, supports IPv4/IPv6, and protects users from attacks crafted for IPv6.

H3C SecPath NGFW series consists of the F10X0 (F1020/F1050/F1080) and the F5020. The F10X0 series firewall employs a redundant 1+1 power supply and supports dual-device SCF (Security Cluster Framework) virtualization technology to satisfy the reliability requirements of high performance networks. The F10X0 comes in a 1U form factor with at least 24 GE ports and 2 fixed 10GE ports. The F5020 firewall is equipped with 1+1 redundant power supply modules, hot-swappable AC or DC power modules, as well as a session-based active/active and active/standby mode, which is most suitable when reliability is concerned. The F5020 comes in a 2U form factor with a maximum of 48 GE ports and 10 10GE ports.
Features

Cutting edge hardware and software specifications
• H3C SecPath NGFW series is equipped with the latest 64-bit multi-core processor and high speed storage.

Telecommunication carrier grade reliability
• H3C's patented and self-developed software and hardware platform has been adopted and trusted by customers ranging from SMEs to telecommunication carriers.
• H3C SCF virtualization combines multiple physical devices into a single logical device, which can be managed as a single network node. Resources can be managed as a whole, application backup can be completed in batch, and overall system performance is doubled.

Bulletproof security
• Protection from a wide range of attacks including but not limited to: Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP spoofing, IP fragment packets, ARP spoofing, reverse ARP lookup, TCP packet illegal flag bit attacks, oversized ICMP packets and address/port scanning, plus detection and protection against common DDoS attacks such as SYN Flood, UDP Flood, ICMP Flood, and DNS Flood.
• SOP (Security One Platform) 1:N complete virtualization. Container based virtualization makes logical device configuration consistent with its physical counterpart. One may create multiple virtual firewalls in an H3C SecPath F10X0 device and configure throughput, concurrent sessions, policies and more per virtual system.
• Security zones let you configure security zones based on interfaces and VLANs.
• Packet filtering allows you to apply standard or advanced ACLs between security zones to filter packets based on information contained in the packets, such as UDP and TCP port numbers. Time range based ACLs are also supported.
• Application and user based ACLs combined with in-depth protection implement next generation access control functions.
• ASPF (Application Specific Packet Filter) dynamically determines whether to forward or drop a packet by checking its application layer protocol information and state (for FTP, HTTP, SMTP, RTSP and other application layer protocols based on TCP/UDP).
• Supports AAA, including authentication based on RADIUS/HWTACACS+, CHAP, PAP and more.
• Supports static and dynamic blacklists.
• Supports rich routing protocols, including static routing, policy based routing, and dynamic routing protocols such as RIP and OSPF.
• Security logs.
• Traffic monitoring, statistics, and management.
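Added illustration, not H3C code: the ASPF behaviour described above (a session table that admits return traffic only for sessions the trust zone opened, plus an application-layer FTP ALG that reads the PORT command and opens a one-shot pinhole for the server's data connection) modelled in Python. The zone names, the packet dict format, the address values and the allowed-port policy are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p_hi,p_lo"
FTP_PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class Aspf:
    """ASPF-style stateful filter between a 'trust' and an 'untrust' zone (example model)."""
    # Static policy (assumed): destination ports the trust zone may open sessions to.
    outbound_ports: set = field(default_factory=lambda: {21, 80, 443})
    # Session table: 4-tuples (src, sport, dst, dport) as seen from the initiator.
    sessions: set = field(default_factory=set)
    # FTP ALG pinholes: (client_ip, client_port) a server may connect to, once.
    pinholes: set = field(default_factory=set)

    def filter(self, pkt):
        """Return 'forward' or 'drop' for one packet dict:
        zone, src, sport, dst, dport, syn (bool), payload (bytes)."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Packets of an existing session pass in both directions.
        if key in self.sessions or reverse in self.sessions:
            if pkt["zone"] == "trust":
                self._ftp_alg(pkt)      # inspect control-channel commands
            return "forward"
        if not pkt["syn"]:
            return "drop"               # no session and not a connection attempt
        if pkt["zone"] == "trust" and pkt["dport"] in self.outbound_ports:
            self.sessions.add(key)      # new outbound session permitted by policy
            return "forward"
        if pkt["zone"] == "untrust" and (pkt["dst"], pkt["dport"]) in self.pinholes:
            self.pinholes.discard((pkt["dst"], pkt["dport"]))  # pinhole is one-shot
            self.sessions.add(key)      # the data connection becomes a tracked session
            return "forward"
        return "drop"                   # unsolicited inbound traffic

    def _ftp_alg(self, pkt):
        """Open a pinhole for the server's data connection announced by a PORT
        command, but only for the address of the client that sent the command."""
        if pkt["dport"] != 21:
            return
        m = FTP_PORT_RE.search(pkt["payload"])
        if not m:
            return
        a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
        if f"{a}.{b}.{c}.{d}" == pkt["src"]:
            self.pinholes.add((pkt["src"], p_hi * 256 + p_lo))


def demo():
    """Constructed traffic: HTTP from inside with its reply, an inbound probe,
    and an active-mode FTP session whose data connection the ALG admits."""
    fw = Aspf()

    def pkt(zone, src, sport, dst, dport, syn=False, payload=b""):
        return dict(zone=zone, src=src, sport=sport, dst=dst, dport=dport,
                    syn=syn, payload=payload)

    return [
        fw.filter(pkt("trust", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True)),
        fw.filter(pkt("untrust", "203.0.113.10", 80, "10.0.0.5", 40000)),
        fw.filter(pkt("untrust", "198.51.100.7", 5555, "10.0.0.5", 3389, syn=True)),
        fw.filter(pkt("trust", "10.0.0.5", 40001, "203.0.113.20", 21, syn=True)),
        fw.filter(pkt("trust", "10.0.0.5", 40001, "203.0.113.20", 21,
                      payload=b"PORT 10,0,0,5,156,66\r\n")),   # announces 10.0.0.5:40002
        fw.filter(pkt("untrust", "203.0.113.20", 20, "10.0.0.5", 40002, syn=True)),
        fw.filter(pkt("untrust", "203.0.113.20", 20, "10.0.0.5", 40003, syn=True)),
    ]


if __name__ == "__main__":
    print(demo())
```

The pinhole is tied to the client address that issued the PORT command and is consumed by the first matching SYN, which is what keeps the application-layer exception narrower than a static ACL permitting all inbound connections to high ports would be.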
Flexible, expandable built-in DPI
• Integrated security application processing platform, fully coupled with essential security protection.
• Comprehensive application layer traffic identification and management: with H3C's longtime expertise in stateful inspection and traffic cross-checking technology, NGFW can accurately detect P2P/IM/online game/equity trading/video stream/multimedia applications such as Thunder/Web Thunder, BitTorrent, eMule, eDonkey, QQ, MSN and PPLive. It supports P2P throttling through deep packet inspection, which matches network packets against P2P packet characteristics. This effectively detects P2P traffic, achieves the necessary P2P traffic management and provides different control strategies to flexibly limit P2P traffic.
• Highly precise and efficient intrusion detection engine using H3C's patented and self-developed FIRST (Full Inspection with Rigorous State Test). The FIRST engine consolidates multiple detection technologies to realize comprehensive state-based inspection with highly accurate intrusion detection. FIRST also uses parallel inspection technology that can be flexibly deployed in software and hardware to increase detection efficiency.
• Fast URL filtering: apart from basic URL blacklist and whitelist filtering, a URL lookup server can be set for online query.
• Realtime anti-virus protection: the Kaspersky stream-based virus scanning engine results in quick, accurate scanning and removal of viral code in the network stream.
• Comprehensive and up-to-date security signature database. With years of operation and experience, H3C hires the best team for identifying attack signatures, has set up a professional defense lab that keeps the team at the forefront of network security, and ensures timely updates of the signature database.

Industry-leading IPv6 features
• IPv6 stateful inspection truly implements an IPv6 firewall and completes IPv6 protection against attacks.
• Supports IPv4/IPv6 dual protocol stacks and supports IPv6 packet forwarding, static routing, dynamic routing and multicast routing.
• Supports IPv6 ACL and RADIUS.
• IPv6 transition technologies consist of NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.

Next generation applications
• Load balancing: implements auto switchover and auto load-balancing of enterprise Internet egress through link status checks and link busy status protection.
• SSL VPN: integrated SSL VPN fulfils the secure remote access needs of mobile office and roaming employees. An additional authentication factor can be implemented with a USB key or mobile SMS, and it integrates with the existing enterprise authentication system to create a fully integrated access authentication system.
• Basic support for DLP (Data Leak Prevention) includes e-mail filtering (SMTP e-mail address, subject and attachment filtering), Web page filtering (HTTP URL and content filtering), file filtering based on the network transport protocol, and application layer filtering such as Java/ActiveX blocking and SQL injection attack blocking.
• NAT and multiple NAT instances.
• VPN: supports L2TP, IPsec/IKE, GRE, and SSL VPNs, and implements smart terminal connection.

Intelligent management
• Intelligent security policy: policy redundancy check, policy mapping optimization advice, dynamic internal network application check, and appropriate policy creation and recommendations.
• Supports SNMPv3 and is compatible with SNMPv1 and SNMPv2.
• Graphical interface with simple and easy to use Web based management.
• CLI-based device management and firewall configuration that fulfils professional management and batch deployment requirements.
• Security Service Manager (SSM) is an iMC component for centralized network security management. SSM monitors firewall devices on the network in real time, and collects, analyzes and reports security events and logs in a single console. It breaks the silos between network security devices, provides an intuitive interface for network security, gives real time feedback on security events and pinpoints the exact location of a network outage. It frees IT and security administrators from the chore of management, significantly improves their productivity and lets them focus on core business instead.
• Centralized log management functions based on advanced data drill-down and analysis technology. It can request and receive information to generate logs, compile different types of logs (such as syslogs and binary stream logs) in the same format, and compress and store large amounts of logs. You can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.
• Choice of reports: application-based reports and stream-based analysis reports.
• Export of reports in different formats, such as PDF, HTML, Microsoft Word, and txt.
• Report customization through the Web interface. Customizable contents include time range, data source device, generation period, and export format.
NGFW
2
DATA SHEET
FIREWALL
Specifications

Features: F1020/F1050, F1080, F5020

Interface
• F1020: 1 console port; 8 optical GE ports + 16 electrical GE ports
• F1050: 1 console port; 8 optical GE ports + 16 electrical GE ports + 2 optical 10GE ports
• F1080: 1 console port; 12 optical GE ports + 12 electrical GE ports + 4 optical 10GE ports

Expansion slots
• F1020/F1050: 2 (F1020 comes with one expansion slot)
• F1080: 1
• F5020: N/A

Expansion types
• 4 GE PFC interface module
• 12 optical GE ports + 12 electrical GE ports + 6 10GE ports

Storage
• 1*500G HDD
• 2*500G HDD

Ambient temperature
• Operating: 0°C to 45°C (32°F to 113°F)
• Non-operating: –40°C to +70°C (–40°F to +158°F)
Operation modes
• Router, transparent and hybrid

AAA services
• Authentication: Portal, RADIUS, HWTACACS, PKI/CA (X.509), domain, CHAP, PAP

Firewall
• SOP virtualized firewall platform supports complete virtualization and hardware resource allocation of CPU, RAM and storage
• Security zone allocation
• Protection against malicious attacks, such as Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP spoofing, IP fragmentation, ARP spoofing, reverse ARP lookup, invalid TCP flag, oversized ICMP packet, address/port scanning, SYN flood, ICMP flood, UDP flood, and DNS query flood
• Basic and extended ACL
• Time range-based ACL
• User/application based ACL
• MAC based ACL
• ASPF application layer packet filtering
• Static and dynamic blacklist
• MAC-IP binding
• 802.1Q VLAN transparent transmission

Malware protection
• Malware signature based inspection
• Automatic and manual update of virus database
• Packet stream processing mode
• HTTP, FTP, SMTP and POP3 protocols
• Malware detection: Backdoor, Email-Worm, IM-Worm, P2P-Worm, Trojan, AdWare and virus
• Virus log and report

IPS
• Protection against hackers' common attacks such as worm/virus, Trojan, malicious code, spyware/adware and DoS/DDoS
• Protection against buffer overflow, SQL injection and IDS/IPS evasion
• Attack classification based on signature (attack type, target system) and grading of severity (high, middle, low and alert)
• Automatic and manual upgrade of attack signatures through TFTP and HTTP
• Identification and control of P2P/IM protocols such as BT
E-mail/Web page/application layer
• E-mail filtering
• SMTP e-mail address filtering
• E-mail header filtering
• E-mail content filtering
• E-mail attachment filtering
• Web page filtering
• HTTP URL filtering
• HTTP content filtering
• Application layer filtering
• Java blocking
• ActiveX blocking
• SQL injection attack prevention

NAT
• Many-to-one NAT: maps multiple internal addresses to one public address
• Many-to-many NAT: maps multiple internal addresses to multiple public addresses
• One-to-one NAT: maps one internal address to one public address
• NAT of both source address and destination address
• External host access to internal servers
• Internal address to public interface address mapping
• NAT support for DNS
• Setting an effective period for NAT
• NAT ALG support for DNS, FTP, H.323, ILS, MSN, NBT, PPTP, and SIP
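Added illustration, not H3C code: a small Python model of three of the NAT entries above, many-to-one NAT (several inside hosts share one public address and are told apart by the public source port), an effective period after which an idle mapping is removed, and a static entry that publishes an internal server to external hosts. The public address, inside addresses, port pool start and timeout are constructed values, not figures from the data sheet.

```python
from dataclasses import dataclass, field


@dataclass
class Napt:
    """Many-to-one NAT (NAPT) with an idle timeout and static server mappings (example model)."""
    public_ip: str
    first_port: int = 1024       # first public source port handed out (assumed pool start)
    timeout: int = 300           # seconds a dynamic mapping may stay idle (assumed)
    # Dynamic table: (inside_ip, inside_port) -> (public_port, last_seen)
    out_map: dict = field(default_factory=dict)
    # Reverse index for replies: public_port -> (inside_ip, inside_port)
    in_map: dict = field(default_factory=dict)
    # Static "external hosts access internal servers" entries; these never expire
    servers: dict = field(default_factory=dict)
    _next_port: int = field(init=False, repr=False)

    def __post_init__(self):
        self._next_port = self.first_port

    def add_server(self, public_port, inside_ip, inside_port):
        """Publish an internal server on one public port."""
        self.servers[public_port] = (inside_ip, inside_port)

    def translate_out(self, inside_ip, inside_port, now):
        """Rewrite an outbound flow's source to (public_ip, public_port)."""
        self._expire(now)
        key = (inside_ip, inside_port)
        if key in self.out_map:
            public_port = self.out_map[key][0]      # an existing flow keeps its port
        else:
            public_port = self._alloc()
            self.in_map[public_port] = key
        self.out_map[key] = (public_port, now)      # refresh the idle timer
        return self.public_ip, public_port

    def translate_in(self, public_port, now):
        """Find the inside host for an inbound packet; None means no mapping, so drop."""
        if public_port in self.servers:
            return self.servers[public_port]
        self._expire(now)
        key = self.in_map.get(public_port)
        if key is not None:
            self.out_map[key] = (public_port, now)  # replies also refresh the timer
        return key

    def _alloc(self):
        """Hand out the next free public port, skipping published server ports."""
        port = self._next_port
        while port in self.in_map or port in self.servers:
            port += 1
        if port > 65535:
            raise RuntimeError("public port pool exhausted")
        self._next_port = port + 1
        return port

    def _expire(self, now):
        """Drop dynamic mappings idle for longer than the effective period."""
        for key, (public_port, last_seen) in list(self.out_map.items()):
            if now - last_seen > self.timeout:
                del self.out_map[key]
                del self.in_map[public_port]


def demo():
    """Constructed traffic: allocation, reply demultiplexing, an unsolicited
    inbound packet, a published server and idle expiry (times in seconds)."""
    nat = Napt("203.0.113.1", timeout=60)
    nat.add_server(8080, "10.0.0.80", 80)
    a = nat.translate_out("10.0.0.5", 40000, now=0)      # first mapping, port 1024
    b = nat.translate_out("10.0.0.6", 40000, now=1)      # same inside port, distinct public port
    again = nat.translate_out("10.0.0.5", 40000, now=2)  # existing flow keeps 1024
    reply = nat.translate_in(1025, now=3)                # reply reaches 10.0.0.6:40000
    stray = nat.translate_in(1026, now=4)                # no mapping: drop
    server = nat.translate_in(8080, now=5)               # static server entry
    expired = nat.translate_in(1024, now=100)            # idle longer than 60 s: expired
    return a, b, again, reply, stray, server, expired


if __name__ == "__main__":
    print(demo())
```

Two inside hosts using the same source port get different public ports, which is what makes the reverse lookup unambiguous; an inbound packet for a port with no mapping is dropped, so the translation table doubles as a basic inbound filter until a mapping has been created from the inside.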
VPN
• L2TP VPN, IPsec VPN, GRE VPN, SSL VPN

IPv6
• IPv6 based stateful protocol inspection firewall and intrusion prevention
• IPv6 protocols: IPv6 forwarding, ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 client, DHCPv6 relay, etc.
• IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy-based routing, PIM-SM, PIM-DM, etc.
• IPv6 security: NAT-PT, IPv6 tunnel, IPv6 packet filter, RADIUS, IPv6 inter-domain security, IPv6 session number limit

High reliability
• SCF 2:1 virtualization support
• Dual-device stateful failover (active/active and active/standby configurations)
• Configuration synchronization across dual-device setup
• IPsec VPN IKE status synchronization
• VRRP

Ease of maintenance
• CLI based configuration management
• Web based remote management
• Device management through H3C Security Service Manager (SSM)
• SNMPv3, compatible with SNMPv2c and SNMPv1
• Intelligent security policy

Green certification
• Compliant with Restriction of Hazardous Substances (RoHS) Directive
Application Scenarios

Campus network security solution
• Full virtualization security solution with SCF 2:1 for highly reliable network design and SOP 1:N to separate different application zones.
• Rich routing protocol support.
• Strong VPN encryption power.
• Comprehensive security functions that fend off malware attacks and scan and filter e-mails, Web pages and attachments.
[Figure: campus network topology showing the Internet and Internet VPN, an F5020 cluster at the egress, the WAN, F10X0 devices and an F10X0 cluster, the internal network, NMS, SSL VPN and IPsec VPN]
Cloud based comprehensive security solution
[Figure: cloud based security architecture. H3C CSM cloud orchestration drives OpenStack (IceHouse) through the Cinder storage API, Nova compute API and Neutron network API via storage, compute and VCF controller plug-ins; the VCF controller cluster manages the VXLAN network (core switch and leaf switches) over OpenFlow and NETCONF together with an NFV manager and H3C CAS. An F5020 hardware firewall at the WAN edge handles south-to-north traffic; H3C CVK hosts with VMs, vSwitches, SR-IOV adapters and vFW/vLB virtual security resources handle east-to-west traffic.]
In the latest cloud solutions, such as Virtual Private Cloud (VPC), security control and tenant separation are crucial for network design. The F5020 works together with H3C's comprehensive cloud and virtualization components, including the VXLAN hardware infrastructure, H3C CAS (Cloud Automation System), the VCF (Virtual Converged Framework) controller and CSM (Cloud Service Manager). The F5020 hardware based firewall provides strong security control for all south-to-north traffic; it can support up to 128 virtual firewalls, which is well suited to large cloud solutions with many tenants. With the help of SOP, the F5020 realizes process based separation, high performance virtual firewalls and virtual firewall fault isolation.
H3C Technologies Co. Limited
Add: Room 2301, 23/F, Lee Garden Two, 28 Yun Ping Rd, Causeway Bay, Hong Kong
Tel: 2501 1111 Fax: 2537 1149 Service Hotline: 2907 0456 Email: [email protected]
Copyright © 2015 by H3C Technologies Co., Limited. All product photography in this literature is intended for reference only. All rights reserved. No part of this document may be reproduced or transmitted in any form by any company or person. Product names may be trademarks of their respective companies. While every effort is made to ensure the information given is accurate, H3C Technologies Co., Limited does not hold liability for any errors or mistakes which may arise. Specifications and other information in this document are subject to change without notice.
www.h3c.com