USG6000V Series Virtual Integrated Service Gateway
Technical White Paper
Issue 1.0
Date 2016-10-10
Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://e.huawei.com
Email:
[email protected]
Issue 1.0 (2016-10-10)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i
USG6000V Series Virtual Integrated Service Gateway
Technical White Paper
Contents
1 Overview
1.1 Changes in Network Virtualization and Emergence of NFV Virtual Firewalls
1.2 vNGFW Definition
2 USG6000V Series Architecture Panorama
3 Technical Features of NFV Firewalls
3.1 Reliability Design
3.2 Performance Model
3.3 Network Isolation
3.4 Access Control
3.5 Flow-based Stateful Inspection
3.6 User-Specific Management and Control
3.7 Application-Specific Management and Control
3.8 Application-Layer Intrusion Prevention
3.9 Service Support
3.10 NAT
3.11 Attack Defense
3.12 Networking Adaptability
3.13 VPN Service
3.14 Management System
3.15 Log System
4 Technical Features of HUAWEI USG6000V Series
4.1 High Reliability Design
4.2 Flexible Security Zone Management
4.3 Security Policy Control
4.4 Stateful Inspection Based on Flow Sessions
4.5 ACTUAL Awareness
4.6 SmartPolicy
4.7 Advanced Virtual Firewall Technology
4.8 Service Support
4.9 NAT
4.10 LSLB
4.11 Diversified Attack Defense Methods
4.12 High Networking Adaptability
4.13 Excellent VPN Functions
4.14 Application-Layer Security
4.15 Diversified Northbound Integration Capabilities
4.16 Sound Maintenance and Management System
4.17 Comprehensive Log Report System
HUAWEI USG6000V Series NFV Firewall
Technical White Paper
Keywords:
NFV, SDN, NGFW, Huawei USG6000V series, network security
Abstract:
This document describes the technical features and working mechanisms of Huawei
USG6000V series NFV firewall and analyzes technical issues that you should pay attention to
during firewall selection.
Acronym  Full Spelling
AAA      Authentication, Authorization and Accounting
ACL      access control list
AD       Active Directory
AH       Authentication Header
API      application programming interface
ASPF     Application Specific Packet Filter
BFD      Bidirectional Forwarding Detection
DCN      data center network
DDoS     distributed denial of service
DES      Data Encryption Standard
3DES     Triple Data Encryption Standard
DHCP     Dynamic Host Configuration Protocol
DLP      data loss prevention
DMZ      demilitarized zone
DoS      denial of service
DST      daylight saving time
ESP      Encapsulating Security Payload
FRR      Fast ReRoute
GRE      Generic Routing Encapsulation
ICMP     Internet Control Message Protocol
IPS      intrusion prevention system
IPSec    IP Security
IKE      Internet Key Exchange
LAC      L2TP access concentrator
LAN      local area network
LDAP     Lightweight Directory Access Protocol
LNS      L2TP network server
L2TP     Layer 2 Tunneling Protocol
MGCP     Media Gateway Control Protocol
MMS      multimedia messaging service
MPLS     Multiprotocol Label Switching
MIPS     microprocessor without interlocked pipeline stages
NAT      Network Address Translation
NFV      Network Functions Virtualization
NFVO     Network Functions Virtualization Orchestration
NFVI     Network Functions Virtualization Infrastructure
NFVM     Network Functions Virtualization Management
NGFW     Next Generation Firewall
NMS      network management system
OA       office automation
PE       provider edge
PKI      public key infrastructure
POP3     Post Office Protocol 3
PPPoE    Point-to-Point Protocol over Ethernet
QoS      quality of service
RADIUS   Remote Authentication Dial In User Service
RAS      Registration, Admission and Status
RTCP     Real-Time Transport Control Protocol
RTP      Real-Time Transport Protocol
SA       service awareness
SIP      Session Initiation Protocol
SDN      Software-Defined Networking
SNMP     Simple Network Management Protocol
SSH      Secure Shell
SSL      Secure Sockets Layer
TCO      total cost of operation
ToS      type of service
TTL      time to live
UDP      User Datagram Protocol
vESA     Virtual Elastic Security Architecture
VPN      virtual private network
VM       virtual machine
vNGFW    Virtual Next Generation Firewall
1 Overview
1.1 Changes in Network Virtualization and Emergence of NFV Virtual Firewalls
The explosive growth of Internet services, information volume, and network traffic has driven the development of cloud computing, which brings diversified, convenient, and low-cost services but also places high demands on IT computing, storage, and network infrastructure. In response to these demands, the Software-Defined Networking (SDN) and Network Functions Virtualization (NFV) technologies have emerged.
SDN decouples the control and forwarding planes. On traditional networks, forwarding decisions are made locally by such means as address learning and are not centrally managed. SDN uses a controller to centrally deliver flow tables to network devices, which then forward traffic according to the SDN rules. In this way, SDN offers flexible centralized configuration, programmable open interfaces, and easy adaptation to service migration.
NFV is a new network architectural approach proposed by carriers to meet their own requirements. It sets up an open network platform that centrally carries the network functions previously provided by dedicated appliances.
Based on the separation and distribution of the management and control planes, as well as software-based and virtualized network functions, SDN and NFV offer many possibilities for combining functions flexibly and deploying new services dynamically. In addition, they provide customers with better ecosystem integration through open and interconnected service and platform interfaces.
The USG6000V series is a new NFV virtual firewall that can work with the Huawei FusionSphere cloud platform, Agile Controller, and EMS/NMS, as well as the open-source OpenStack platform, to constitute an open SDN data center solution. In this solution, it provides public cloud or enterprise data centers with basic network functions, such as routing and forwarding, NAT, IPSec/GRE VPN, security policy, user access, and bandwidth management, as well as security and value-added services, such as attack defense, stateful firewall, application identification and control, IPS, antivirus, and server load balancing. It delivers everything you expect from a next-generation firewall (NGFW). Therefore, the USG6000V series virtual firewall is called a vNGFW.
1.2 vNGFW Definition
Based on Gartner's NGFW definition, an NGFW has at least the following attributes:
- Supports in-line bump-in-the-wire (BITW) deployment without disturbing network operation.
- Serves as a platform that inspects network traffic and enforces network security policies, with at least the following features:
  - Standard first-generation firewall capabilities: packet filtering, NAT, stateful protocol inspection, and VPN.
  - Integrated network intrusion detection: The NGFW supports vulnerability-specific and threat-specific signatures. The combined effect of the IPS and the firewall is greater than the sum of the two separate parts. For example, an NGFW automatically applies a firewall rule that blocks an address found to be sending malicious traffic to the IPS, without requiring administrators to coordinate the two functions across separate consoles. The NGFW has integrated powerful IPS engines and signatures.
  - Application awareness and full-stack visibility: The NGFW identifies applications and implements network security policies that are independent of ports, protocols, and services. For example, the NGFW allows the use of Skype but disables file sharing in Skype, or always blocks the GoToMyPC function.
  - Excellent firewall intelligence: The NGFW collects incoming information, helps administrators make informed decisions, and optimizes the deny rule database. For example, the NGFW binds the deny action to user identities or sets up address blacklists and whitelists.
Based on the preceding definition, Huawei adds the following key features of the vNGFW in SDN/NFV scenarios:
- Decoupling firewall functions from dedicated hardware platforms: Firewall functions no longer depend on dedicated hardware platforms, such as NP and MIPS network processing platforms, but are virtualized and adapt flexibly to common server platforms or virtual machines (VMs), such as the hypervisor VM environment provided by VMware.
- Automatic lifecycle management: After firewall functions are virtualized, and especially when firewalls can run on separate VMs, these functions are no longer tied to dedicated hardware platforms. The loading, removal, capacity expansion, upgrade, and troubleshooting of firewall functions can be managed automatically once common servers are networked.
- Northbound APIs for integration: Following the SDN approach, firewall service functions need to be centrally controlled by the SDN controller. Therefore, firewalls need to provide rich northbound integration capabilities so that the SDN controller can implement service orchestration and dynamic on-demand deployment on the firewalls.
2 USG6000V Series Architecture Panorama
Using the Huawei vESA, the USG6000V series can adapt flexibly to various VM environments, deliver rich northbound APIs for integration by various controllers, and support hybrid networking with traditional hardware switches, so that customer requirements are met to the greatest extent.
[Figure: vESA architecture panorama. From top to bottom: SDN Controller; vNGFW (Northbound API; Service layer with Security Policy, Conf, and Routing; Virtual Resource Management; GuestOS; Data Path Plane; Cloud Aware Middleware); Support Layer (Fabric OS Switch; vSwitch; HostOS on Linux/KVM, Xen, VMware, or FusionSphere); x86 hardware.]
As shown in the preceding figure, the vESA has the following features:
- Support for multiple VM platforms: The vESA is compatible with mainstream VM platforms, including Linux KVM, Xen, VMware, and the Huawei FusionSphere cloud computing platform.
- Compatibility with the layer-2 processing of hardware switches: The vESA can be deployed on a single VM, on multiple VMs, or on hybrid networks with non-NFV-based dedicated hardware switches.
- High-performance data processing engine: The vESA implements data acceleration for various VM platforms and employs SR-IOV and DPDK to provide high-performance data processing capabilities.
- Rich northbound APIs: The northbound API for integration is one of the vESA's key capabilities. The vESA provides two suites of APIs, NETCONF and RESTful, which can be integrated by the Huawei Agile Controller (used in the DCN solution) and by third-party controllers, such as OpenStack.
- Flexible lifecycle management: The USG6000V series using the vESA architecture supports multiple software release formats, including VMDK, ISO, QCOW2, OVF, and BIN. VM management software such as a VNFM can be used to manage the entire lifecycle of NFV devices.
- Flexible license authorization: The vESA architecture provides not only license authorization for standalone devices, but also centralized authorization by a license server in a data center to meet multi-tenant requirements. In centralized authorization scenarios, management software such as a VNFM can load licenses flexibly.
3 Technical Features of NFV Firewalls
3.1 Reliability Design
An NFV firewall is a key network device deployed at the network egress. Because of its location and functions, the firewall requires high reliability.
High reliability is built on the following technologies:
- Hot standby
  To ensure reliable operation at a key location, the firewall must support hot standby. Hot standby requires two independent devices of the same model to work together to provide a more reliable working environment. Two devices deployed in hot standby mode can work in either of the following ways: only one of the two devices is active, and if it fails, the other device takes over its services (active/standby); or both devices are active, and if one device fails, the other takes over all services (active/active).
- Link backup
  Link backup prevents physical link faults from interrupting services. It is implemented as follows: two links are used to carry services. When both links are normal, service traffic may be distributed over the links in load balancing mode. If one link fails, the service traffic of that link is automatically switched to the other link. To implement link backup, the firewall must support various routing protocols and provide route management functions. Route-based link backup suits different scenarios well and provides more reliable services through the mutual backup of links.
- Hot backup
  Hot backup means that services are not affected during a device or link switchover when a fault occurs. If services are interrupted by the fault before the backup takes effect, the mechanism is called cold or warm backup instead. In most documents, hot backup, warm backup, and cold backup are not strictly distinguished. Many vendors advertise hot backup, but most of their backup mechanisms are in fact cold or warm backup. The more dynamic state there is to protect, the more complex the hot backup mechanism must be. Each firewall maintains large amounts of rule and connection data, so the hot backup mechanism of a firewall is complex. Therefore, you must distinguish hot backup from cold backup when choosing firewall backup technologies.
- NFV live migration
  In scenarios such as the elastic capacity expansion of a cloud computing data center and geographic disaster recovery, the NFV firewall needs to implement live migration without disconnecting clients or services. To implement live migration, the NFV firewall needs to interwork with the SDN controller, which instructs the NFV firewall to perform hot backup of its state data during the migration.
The reliability design of firewalls reflects comprehensive considerations. Firewalls are
important network devices that have demanding requirements on reliability. Therefore, you
must consider the reliability design during firewall selection.
3.2 Performance Model
This section describes the metrics that you must pay attention to when measuring firewall performance.
Throughput is the key metric used in the industry to evaluate firewall performance. Throughput is the total traffic, in bits per second (bit/s), that a firewall can forward on a best-effort basis with large packets. However, throughput alone does not reflect the actual working capability of the firewall, and using it as the only performance metric gives a one-sided picture.
In addition to throughput, you must consider the following metrics:
- Small-packet forwarding capability
  In the industry, large packets of 1 KB to 1.5 KB are used to measure the processing capability of a firewall. Because live network traffic mainly consists of 200-byte packets, the capability of forwarding small packets must also be assessed. This metric reflects the actual forwarding capacity of the firewall on the live network.
- Impact of rule quantity on forwarding efficiency
  A firewall generally runs with a large number of rules. The evaluation of rules and services may affect forwarding performance. Therefore, you must pay attention to the forwarding efficiency of a firewall in scenarios where massive numbers of rules and services exist, to avoid performance deterioration.
- Number of new connections per second
  This metric is the number of TCP connections that can be established on a firewall per second. Connections are established dynamically based on the communication state. A connection must be set up on the firewall for each session before data is exchanged. If the firewall has a low connection setup rate, clients experience long communication delays. The larger this value, the higher the forwarding rate, the stronger the state backup capability, and the more powerful the attack defense capability. The number of new connections per second is an important metric of firewall capability. If it is low, the firewall cannot perform well in real network environments and may fail entirely under DoS attacks.
- Number of concurrent connections
  A firewall processes packets based on connections. This metric is the maximum number of connections supported by the firewall. Each connection is one TCP or UDP session.
- Delay
  Delay is the time taken to transmit data through the firewall with no packet loss. The delay must be as short as possible. Delay is a critical metric for time-sensitive services, such as voice and video. A long delay on a firewall results in harmonic distortion and service interruption. Therefore, delay is a key metric of firewall performance.
During firewall selection, you may consider other metrics based on actual requirements. Note that a firewall is a data communication device that processes complex services and therefore has more performance metrics than a traditional data communication device. The performance metrics of a firewall also reflect its overall capability. Therefore, the performance metrics are an important reference for firewall selection.
3.3 Network Isolation
The essential function of a firewall is to isolate network areas. The firewall isolates the logical networks of common areas from those of key areas to prevent insecure factors from spreading. Network isolation is an important feature of the firewall technology system. Security policies can be implemented effectively only after network areas have been divided properly. To check whether network isolation is implemented correctly, examine the following aspects:
- The network isolation system of a firewall must have a clear logical structure that meets the requirements of different scenarios. For example, a firewall must have a DMZ.
- Network areas must be associated with physical interfaces, but the division of network areas cannot rely on physical interfaces alone. If only physical interfaces are used for network isolation, requirements for flexible implementation cannot be met. Network isolation is a logical concept and must be implemented flexibly to meet service requirements.
- When you isolate networks, you must consider the implementation of virtual interfaces, such as tunnel, VPN, and VLAN interfaces. Network services are ever-changing, and VPN isolation and VLAN isolation are widely applied on networks. Area isolation must therefore take virtual interfaces and services, such as VPNs and VLANs, into consideration.
- You must consider the security of the firewall itself. The firewall is the control point of network isolation and must itself be secure; firewall security is the basis of network security. You must also consider access to the firewall from the network areas that it isolates.
3.4 Access Control
The access control function of a firewall is important and applies Access Control Lists
(ACLs). Each ACL defines a series of rules based on packet characteristics to control the
packets that pass through the firewall. In some scenarios, a large number of rules are specified
on the firewall. Therefore, the rule capacity is a key index of evaluating firewall performance
and functionality.
3.5 Flow-based Stateful Inspection
The ACL-based IP packet filtering technology is widely used in access control. It is simple and reliable, but lacks flexibility. Communication that uses multi-channel protocols such as FTP is difficult to configure on a packet-filtering firewall. FTP consists of a TCP control channel on a predefined port and a TCP data channel whose port is negotiated dynamically. When you configure security policies on a common firewall, the port number of the data channel cannot be known in advance, so the ingress of the data channel cannot be determined. The stateful inspection technology resolves this problem: by inspecting the state of the control-channel exchange, the firewall dynamically discovers the ports to be opened and determines which packets are allowed to pass during the communication process.
The flow-based stateful inspection technology also provides high forwarding performance. ACL-based packet filtering evaluates every packet against the rule set, so firewall performance degrades when massive numbers of filtering rules exist. Flow-based stateful inspection, however, decides whether a packet is allowed to pass based on the flow information recorded when the flow was set up, rather than re-evaluating the rule set for each packet. Such processing improves forwarding performance.
Mainstream firewalls mainly use the stateful inspection technology. Stateful firewalls are therefore the preferred choice.
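The following added example (not code from the white paper or from the USG6000V) models the FTP case described above: only the control channel is statically permitted, and data-channel pinholes are opened by parsing PORT and PASV on an established control session. The addresses, the Packet class and the ALLOW/DROP decision strings are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample policy: only the FTP control channel (client -> server:21)
# is statically permitted; data channels must be discovered dynamically.
CLIENT, SERVER = "10.1.1.10", "203.0.113.5"
STATIC_ALLOW = {("tcp", CLIENT, SERVER, 21)}  # (proto, src, dst, dport)

# Active mode: the client tells the server where to connect for the data channel.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# Passive mode: the server tells the client where to connect.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(match):
    """Turn the h1,h2,h3,h4,p1,p2 form into (ip, port); reject impossible values."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is invalid")
    return f"{h1}.{h2}.{h3}.{h4}", port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class StatefulFirewall:
    def __init__(self, static_allow):
        self.static_allow = set(static_allow)
        self.sessions = set()   # established flows, keyed initiator -> responder
        self.pinholes = {}      # expected data channels: (proto, src, dst, dport) -> control flow

    def inspect(self, p):
        """Return 'ALLOW' or 'DROP' for one packet and update the flow state."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            flow = fwd if fwd in self.sessions else rev
            self._track_ftp(p, flow)        # control-channel packets may open pinholes
            return "ALLOW"
        # New flow: a pinhole negotiated on the control channel is consumed exactly once.
        hole = (p.proto, p.src, p.dst, p.dport)
        if self.pinholes.pop(hole, None) is not None:
            self.sessions.add(fwd)
            return "ALLOW"
        if hole in self.static_allow:
            self.sessions.add(fwd)
            return "ALLOW"
        return "DROP"

    def _track_ftp(self, p, flow):
        proto, client, _, server, dport = flow
        if proto != "tcp" or dport != 21 or not p.payload:
            return
        try:
            if p.src == client and (m := PORT_RE.match(p.payload)):
                ip, port = decode_hostport(m)
                # Only open a hole back to the client itself: a PORT that points
                # at a third party is an FTP bounce attempt and gets no pinhole.
                if ip == client:
                    self.pinholes[("tcp", server, ip, port)] = flow
            elif p.src == server and (m := PASV_RE.match(p.payload)):
                ip, port = decode_hostport(m)
                # Likewise, the passive endpoint must be the server we are talking to.
                if ip == server:
                    self.pinholes[("tcp", client, ip, port)] = flow
        except ValueError:
            pass  # malformed address: ignore rather than open anything
```

A production implementation would also age out unused pinholes and close sessions on FIN/RST; both are omitted here to keep the flow logic visible.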
3.6 User-Specific Management and Control
An NGFW performs security policy control by IP address and user identity.
The NGFW must monitor user logins and logouts, control user permissions, and assign bandwidth by user or user group.
3.7 Application-Specific Management and Control
An NGFW performs security policy control by port, carries out in-depth identification of application protocols, and manages and controls applications based on the identification results.
The NGFW must support continuous updates of pattern files (used for identifying applications)
to prevent employees from evading firewall monitoring by updating applications or using new
applications.
3.8 Application-Layer Intrusion Prevention
An NGFW defends against application-layer threats in addition to traditional network-layer attacks. The NGFW integrates application identification and decoding capabilities, identifies worms, botnets, and other application-based attacks, inspects content transmitted by applications, and performs application-layer content filtering to prevent information leaks and illegitimate transmission.
3.9 Service Support
A firewall is deployed at the control point of network services. An important measure of a network security solution is whether it strikes a balance between openness and security. Because of its technical features, a firewall may affect some services when deployed on a network. To meet the requirements of service expansion, you must consider the following service support capabilities of a firewall:
- Support for diversified services using flow-based stateful inspection. With the growth of network resources and bandwidth, more and more services based on broadband applications are emerging. You must ensure that the flow-based stateful inspection technology supports these various services.
- Support for all multimedia services, such as voice and video services based on H.323, SIP, and RTSP, which account for a large proportion of broadband services.
- Support for powerful NAT functions. Public IPv4 addresses are in short supply, so NAT is required to provide services. Because a firewall is deployed at a key position, configuring NAT on the firewall is one of the most common services. In addition, NAT hides the intranet structure, which effectively protects intranet security.
3.10 NAT
With the rapid development of the Internet, public IPv4 addresses are being exhausted. Until IPv6 is widely deployed, NAT is the major technology for resolving this problem.
NAT was proposed to resolve the shortage of public IP addresses and enable intranet users to access the Internet. NAT also protects the privacy of the intranet while allowing it to provide Internet users with such services as WWW, FTP, Telnet, SMTP, and POP3. NAT functions include forward NAT (translation of the source addresses of outbound traffic) and reverse NAT (translation of the destination addresses of inbound traffic to internal servers). Forward NAT has two forms: NAT and Port Address Translation (PAT).
Because of its deployment position and technical features, a firewall is a suitable place to provide NAT services. Therefore, providing comprehensive NAT services is a necessary feature of the firewall.
3.11 Attack Defense
Attack defense is a key firewall function. The firewall must have the following attack defense capabilities:
• Defends against DoS attacks.
• Defends against malformed packet attacks and intelligently identifies attack packets.
• Defends against scanning and sniffing attacks.
• Provides comprehensive and diversified attack defense methods. DoS attacks can be launched by various means, so the firewall must provide diversified methods to defend against them.
• Has excellent processing capabilities. An important feature of DoS attacks is a sudden burst of network traffic. If a firewall lacks sufficient processing capability, the firewall itself becomes the bottleneck when handling DoS traffic, and defending against the attack becomes impossible: the aim of a DoS attack is to paralyze the target network, and if congestion occurs on a key device, that aim is achieved.
• Has accurate attack identification capabilities. When processing DoS traffic, many firewalls only ensure that the passing traffic stays within an acceptable range but cannot accurately identify the attack packets. Such processing keeps the network and servers running, but it also blocks legitimate users from accessing the Internet. In this sense, such firewalls still fail to defend against DoS attacks.
3.12 Networking Adaptability
Because network deployments are complex, the firewall must provide excellent networking adaptability so that service networks can be constructed flexibly. Excellent networking adaptability includes the following aspects:
• Support for routing protocols. Most firewalls support static routing but not dynamic routing protocols, although dynamic routing protocols can effectively improve the networking adaptability of a firewall.
• Support for the transparent mode. The transparent mode allows a firewall to work at Layer 2, so adding the firewall to a network does not affect the existing network topology.
• Various virtual interfaces, such as VLAN sub-interfaces and tunnel interfaces. A firewall provides a limited number of physical interfaces. To adapt to more complex networking schemes, the firewall must support various virtual interfaces.
3.13 VPN Service
Firewalls are usually deployed at enterprise network borders. The firewalls, with powerful
control capabilities, can provide VPN services to ensure the communication between the
headquarters and branch offices.
IP VPN is a common VPN technology that includes IPSec VPN, L2TP VPN, and GRE VPN. Applied at network borders, IP VPN technology enables remote and mobile users to access the intranet securely and efficiently.
The firewall provides the following VPN services:
• Provides VPN services for communication among branch offices. IPSec tunnels are used to provide secure and reliable VPN services.
• Provides VPN access services for mobile employees. The firewall must support Layer 2 VPN protocols. The widely applied Layer 2 VPN protocol is L2TP, which provides VPN services and enables employees on the move to access the intranet securely using accounts and passwords.
• Provides efficient encryption services.
• Supports comprehensive VPN protocols, including GRE, IPSec, and L2TP.
• Strictly complies with RFCs and protocol standards to interwork with the VPN devices of other vendors.
3.14 Management System
The firewall management system must have the following features:
• User-friendly man-machine interface. Users can manage a firewall through diversified methods.
• Easy upgrade methods, such as online upgrade using hot patches.
• Graphical management that allows convenient configuration and policy management.
• Remote maintenance and monitoring.
• Secure and reliable remote logins, such as remote login using SSH.
3.15 Log System
System logs enable after-the-event audit. A firewall logs various operations and attacks and
provides the log query and filtering means to facilitate search and analysis.
4 Technical Features of HUAWEI USG6000V series
4.1 High Reliability Design
HUAWEI USG6000V series uses the carrier-class hardware system and dedicated software
system (Huawei-proprietary VRP) to provide high security and reliability and effectively
resolve the conflicts between high performance and complex service processing. With the
highly reliable hardware design, robust software system, hot standby, hot backup, and link
backup, the USG6000V series ensures high network reliability.
Robust Software System
The USG6000V series uses the Huawei-proprietary VRP operating system as its core component. Therefore, the USG6000V series itself avoids unreliable elements such as the security vulnerabilities, viruses, and attacks that affect general-purpose operating systems.
The VRP operating system is a dedicated platform for data communications. Its software architecture is customized for data communications devices and takes the development of communications technologies into consideration. The USG6000V series not only ensures reliable and secure operation, but can also be expanded as security technologies develop further. All these factors give the USG6000V series its technological lead.
Hot Standby
Hot standby of the USG6000V series means that two independent devices of the same model work simultaneously to provide a more reliable operating environment. The USG6000V series can work in either of the following modes:
• Only one of the two devices is working. If one device fails, the other device takes over its services.
• Both devices are working to implement load balancing. If one device fails, the other device automatically takes over all tasks.
Hot Backup
Hot backup means that services are not affected during the device or link switchover when a fault occurs. If services are interrupted while the backup takes over after a fault, the mechanism is called cold backup. The USG6000V series implements hot backup of the firewall configuration and dynamic traffic state, including filtering rules, connections, dynamic routing information, and the state machines of application-layer protocols used in stateful inspection. The complexity of the hot backup mechanism increases with the amount of dynamic information.
Link Backup
Link backup prevents physical link faults from interrupting services. The USG6000V series
provides two links to carry services. When the two links are normal, traffic may select both
links in load balancing. When one link fails, traffic of that link automatically fails over to the
other link. The USG6000V series dynamically adjusts routing protocols during the switchover.
Therefore, the route-based link backup technology of the USG6000V series can well suit
different scenarios and provide more reliable services based on the mutual backup of links.
NFV Live Migration
In such scenarios as the elastic capacity expansion of a cloud computing data center and
remote disaster recovery, the NFV firewall needs to implement live migration, without
interrupting user traffic and service traffic. To implement live migration, the NFV firewall
needs to interwork with the SDN controller that notifies the NFV firewall to back up policies
during migration.
BFD
Bidirectional Forwarding Detection (BFD) quickly identifies communications faults between
systems and reports the faults to upper-level applications.
As an independent hello protocol, BFD implements low-overhead and rapid fault detection.
By interworking with upper-layer protocols, BFD enables them to rapidly identify and recover
from faults. BFD can interwork with OSPF, static routing, FRR, policy-based routing (PBR),
and DHCP to rapidly identify link faults.
Advantages of Huawei Firewalls in Reliability
The hot standby mechanism of HUAWEI USG6000V series has the following advantages:
• Because the USG6000V series has extended the Virtual Router Redundancy Protocol (VRRP) to the VRRP Group Management Protocol (VGMP) to control and guarantee VRRP consistency, it has clear advantages in LAN applications. VRRP reliability technology has proved stable and reliable in LANs and is transparent to LAN users. For this reason, the hot standby solution of the USG6000V series has distinct advantages in LANs and at intranet access points.
• The USG6000V series uses the Huawei Redundancy Protocol (HRP) to implement a quick and efficient hot standby mechanism. Multiple HRP backup channels with different priorities can be configured according to live-network traffic. Because the session table is backed up quickly, users' applications are not interrupted during an active/standby switchover caused by a firewall fault.
• The hot standby technology of the USG6000V series supports preemption, which is important in networking where devices back up each other and share traffic. Because all traffic is switched to one firewall once the other fails, a practical mechanism is needed so that traffic switches back smoothly to the original firewall when it recovers. Hot standby with preemption guarantees this smooth switchback and therefore ensures reliable operation of the devices in mutual backup networking.
• The USG6000V series supports OSPF + VRRP hybrid networking. If a fault occurs, the firewalls dynamically adjust OSPF parameters so that traffic is quickly switched to the other device. Traffic can be switched back smoothly after the fault is recovered, and reliable operation of the backup networking is guaranteed.
• The USG6000V series supports the hot standby solution in hybrid mode, so that the service interfaces of the firewalls back up traffic while working in transparent mode without affecting the existing network topology, and users' services are not interrupted during a switchover caused by a firewall fault.
• The USG6000V series supports diversified networking modes, and each mode provides full redundancy of devices and links, which ensures stable operation of a highly reliable network.
4.2 Flexible Security Zone Management
Isolation by Security Zone
The security isolation design of the USG6000V series is based on security zones and provides an excellent management model for the actual application of firewalls.
The core function of a firewall is network isolation, and network isolation should not rely only on interfaces to divide the network. Network topologies vary with actual conditions, so isolation based on fixed interfaces cannot meet live-network requirements.
The USG6000V series provides an isolation model based on security zones. Interfaces can be added to any security zone according to actual conditions, independent of the network topology.
Manageable Security Zones
Many firewalls in the industry provide independent Trust zones, Untrust zones, and DMZs.
Such a protection model meets networking requirements in most cases, but not scenarios that
have demanding requirements on security policies.
The USG6000V series provides four default security zones: Trust, Untrust, DMZ, and Local.
It has added the Local zone that defines packets destined for the firewall itself, which
enhances security protection for the firewall itself. For example, by controlling the packets in
the Local zone, the USG6000V series easily prevents the access initiated from insecure zones
using Telnet or FTP.
The USG6000V series also supports user-defined security zones. Independent interfaces can
be added to each security zone.
Policy Control by Security Zone
The USG6000V series supports the design of security policy groups for the access between
security zones. Each security policy group supports several independent rules. Such a rule
system enables easy management of firewall policies and facilitates independent management
over logical security zones.
The policy control model based on security zones can clearly define the access from the Trust
zone to the Untrust zone and from the DMZ to the Untrust zone. The model enables the
network isolation function of the USG6000V series to provide excellent management
capabilities.
Comprehensive Service Capability
Security zone management of a firewall covers all physical interfaces, subinterfaces, loopback
interfaces, tunnel interfaces, dial-up logic interfaces, and virtual-template interfaces. The
policies of security zone management support all types of services on the firewall.
Independent security zone management of the USG6000V series isolates network areas that are accessed through VLANs.
The USG6000V series supports management of the Local zone. You can easily define policies that allow external users to access the USG6000V series itself and, by defining these policies, flexibly set the management rules of the USG6000V series. For example, you can permit users in a security zone to log in to the firewall, or permit interfaces in a security zone to communicate with the firewall. Such policies manage the firewall itself and separate firewall management policies from service flow management policies, helping you define clear security policies.
The security policies of the USG6000V series can be defined per security zone in a centralized manner. For example, the level of defense against DoS attacks may vary by security zone. Because services are zone-aware, the policies and control modes of the USG6000V series cooperate well with the security zones. In this way, the USG6000V series provides security defense and policy management at the system level, which simplifies the management and implementation of services and policies and makes the security defense system clearer.
4.3 Security Policy Control
Flexible Rule Setting
The USG6000V series supports flexible rule settings based on packet characteristics. It provides the following functions:
• Sets rules based on the protocol number of packets.
• Sets rules based on the source and destination addresses of packets.
• Uses a wildcard to define an address range that specifies the hosts in the range.
• Sets a source or destination port for UDP or TCP.
• Sets a port range for the source and destination ports using operators such as greater than, equal to, between, or not equal to.
• Defines the type and code of ICMP packets and configures a rule for each type of ICMP packet.
• Sets flexible rules based on the ToS field of IP packets.
• Sets filtering rules based on the user groups and names of Internet access users.
• Sets filtering rules based on application categories and protocols.
• Sets filtering rules based on locations.
Rule Management by Time Segment
ACL policies of the USG6000V series can be managed by time segment. You can configure absolute time segments or periodic time segments, which makes time-specific policies easy to configure. For example, you can forbid Skype during working hours and allow it outside working hours.
Any ACL-based policy can be configured on the basis of time segments. For example, NAT services define policies based on ACLs, so time segments can be used to provide more flexible NAT services.
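The rule conditions listed above (security zones including the Local zone, wildcard address ranges, port operators, ICMP type and code) together with absolute and periodic time segments, as an added Python example. This is not Huawei code and does not model the USG6000V's real ACL syntax or matching algorithm; the zone names, addresses and rules are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def port_match(port: int, cond: Tuple) -> bool:
    """Port operators named in the text: greater than, equal to, between, not equal to."""
    op, lo = cond[0], cond[1]
    return {"gt": port > lo, "eq": port == lo, "neq": port != lo,
            "range": lo <= port <= cond[-1]}[op]

@dataclass
class TimeSegment:
    """Absolute segment (start..end) or periodic segment (weekdays plus a daily window)."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    weekdays: Tuple[int, ...] = ()          # 0 = Monday ... 6 = Sunday
    daily_from: time = time(0, 0)
    daily_to: time = time(23, 59, 59)

    def active(self, now: datetime) -> bool:
        if self.start is not None and self.end is not None:
            return self.start <= now <= self.end
        return now.weekday() in self.weekdays and self.daily_from <= now.time() <= self.daily_to

ANY = ("0.0.0.0", "255.255.255.255")        # all-ones wildcard: matches every address

@dataclass
class Rule:
    name: str
    action: str                             # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: Optional[int] = None             # IP protocol number; None = any
    src: Tuple[str, str] = ANY              # (base address, wildcard mask)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[Tuple] = None        # ("eq", 80), ("range", 1024, 65535), ...
    icmp: Optional[Tuple[int, int]] = None  # (type, code)
    time_segment: Optional[TimeSegment] = None

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: int
    src_ip: str
    dst_ip: str
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1

def rule_matches(rule: Rule, pkt: Packet, now: datetime) -> bool:
    """Every configured condition must hold; unconfigured conditions match anything."""
    if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src_ip, *rule.src) and wildcard_match(pkt.dst_ip, *rule.dst)):
        return False
    if rule.dst_port is not None and not port_match(pkt.dst_port, rule.dst_port):
        return False
    if rule.icmp is not None and rule.icmp != (pkt.icmp_type, pkt.icmp_code):
        return False
    if rule.time_segment is not None and not rule.time_segment.active(now):
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, now) -> str:
    """First matching rule decides; inter-zone traffic that matches no rule is denied.
    `now` is a datetime or an ISO 8601 string such as "2016-10-10T10:00"."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    for rule in rules:
        if rule_matches(rule, pkt, now):
            return f"{rule.action}:{rule.name}"
    return "deny:default"

# Constructed sample policy with hypothetical zone names and addresses.
WORKING_HOURS = TimeSegment(weekdays=(0, 1, 2, 3, 4), daily_from=time(9, 0), daily_to=time(18, 0))
POLICY = [
    # Protect the firewall itself (Local zone): no Telnet from the Untrust zone.
    Rule("no-telnet-to-fw", "deny", "untrust", "local", proto=6, dst_port=("eq", 23)),
    # Office subnet 10.1.0.0/16 (wildcard 0.0.255.255) may browse only during working hours.
    Rule("office-web", "permit", "trust", "untrust", proto=6, src=("10.1.0.0", "0.0.255.255"),
         dst_port=("range", 80, 443), time_segment=WORKING_HOURS),
    # ICMP echo request (type 8, code 0) from Trust to DMZ is allowed at any time.
    Rule("ping-dmz", "permit", "trust", "dmz", proto=1, icmp=(8, 0)),
]

if __name__ == "__main__":
    web = Packet("trust", "untrust", 6, "10.1.5.7", "203.0.113.10", dst_port=443)
    print(evaluate(POLICY, web, "2016-10-10T10:00"))   # Monday 10:00 -> permit:office-web
    print(evaluate(POLICY, web, "2016-10-09T10:00"))   # Sunday -> deny:default
```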
High-Speed Policy Matching
Policy matching may affect firewall efficiency because each policy consists of many rules.
The USG6000V series uses Huawei-proprietary ACL acceleration and matching algorithm
that enables the USG6000V series to maintain highly efficient forwarding when a large
number of rules exist. When searching thousands of ACL rules, the system performance is
almost not affected and the processing speed remains unchanged. Therefore, high-speed
policy matching of the USG6000V series improves the overall system performance.
IP-MAC Binding
You can bind MAC addresses to IP addresses on the USG6000V series. If packets from an IP address do not carry the bound MAC address, the USG6000V series discards them. The USG6000V series also sends packets destined for a bound IP address to the bound MAC address, which prevents IP spoofing attacks.
Dynamic Policy Management — Blacklist
The USG6000V series blacklists the source IP addresses of untrusted packets and discards all
packets of the blacklisted users, therefore effectively preventing the attacks from malicious
hosts.
The USG6000V series provides the following blacklist maintenance methods:
• Manually adding entries to the blacklist to implement proactive defense.
• Automatically adding blacklist entries through attack defense to implement intelligent protection.
• Interworking with the whitelist to allow a blacklisted host to access some network resources. For example, users are still allowed to access the Internet from a host even though the host is blacklisted.
The blacklist is a dynamic policy technology that belongs to the response system. The USG6000V series can identify some attack behavior during dynamic operation and controls the traffic of these illegitimate users through the blacklist dynamic response system to protect the whole system.
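The IP-MAC binding check and the blacklist response system described above, as an added Python example that is not the USG6000V implementation. The bindings, addresses and attack threshold are constructed, and the attack defense module that detects attacks is assumed to call `report_attack`.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int

class ResponseSystem:
    """IP-MAC binding check followed by blacklist/whitelist lookup, applied before policy matching."""

    def __init__(self, bindings: Dict[str, str], attack_threshold: int = 3) -> None:
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}   # configured IP -> MAC
        self.blacklist: Dict[str, str] = {}            # IP -> "manual" or "auto"
        self.whitelist: Set[Tuple[str, int]] = set()   # (dst_ip, dst_port) reachable even when blacklisted
        self.hits: Dict[str, int] = defaultdict(int)   # attack-defense reports per source IP
        self.threshold = attack_threshold

    def add_blacklist(self, ip: str) -> None:
        """Manual entry: proactive defense configured by the administrator."""
        self.blacklist[ip] = "manual"

    def remove_blacklist(self, ip: str) -> None:
        self.blacklist.pop(ip, None)
        self.hits.pop(ip, None)

    def report_attack(self, ip: str) -> bool:
        """Called by the attack-defense module (assumed); blacklists the source after repeated attacks."""
        self.hits[ip] += 1
        if self.hits[ip] >= self.threshold and ip not in self.blacklist:
            self.blacklist[ip] = "auto"
        return ip in self.blacklist

    def next_hop_mac(self, dst_ip: str) -> Optional[str]:
        """Traffic to a bound IP is delivered only to the bound MAC, never to a learned one."""
        return self.bindings.get(dst_ip)

    def check(self, f: Frame) -> str:
        bound = self.bindings.get(f.src_ip)
        if bound is not None and bound != f.src_mac.lower():
            # Spoofed source: the frame is dropped, but the IP is deliberately NOT blacklisted,
            # because that would let a spoofer cut off the legitimate owner of the address.
            return "drop:ip-mac-mismatch"
        reason = self.blacklist.get(f.src_ip)
        if reason is not None:
            if (f.dst_ip, f.dst_port) in self.whitelist:
                return "permit:whitelist"
            return f"drop:blacklist-{reason}"
        return "permit"
```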
4.4 Stateful Inspection Based on Flow Sessions
Kernel Technology Based on Session Management
The USG6000V series is an advanced stateful firewall based on flow sessions and integrates powerful kernel technology based on session management. It provides two core processing units, a first-packet processing unit and a session management unit, which rely on independent acceleration systems. Such processing has the following advantages:
• The first-packet processing unit avoids a bottleneck in the processing of the first packet of each flow. It gives the USG6000V series outstanding new-connections-per-second performance and maintains excellent processing performance on the live network.
• The session management unit equips the USG6000V series with an independent forwarding acceleration system that delivers high forwarding performance. Subsequent packets of a flow are forwarded through this independent acceleration system, so the USG6000V series delivers high forwarding performance in addition to its processing rate for new connections per second.
• The USG6000V series can implement fine-grained connection management. On most firewalls, connection management policies can be configured only for TCP or UDP. On the USG6000V series, you can configure management policies by service type, for example, separate policies for Telnet and HTTP.
• Service processing of the firewall is based on session management, so the firewall can support abundant services. For example, the USG6000V series supports service features such as PBR and QoS, which can be managed on a per-flow basis. With flow-based forwarding and stateful inspection, the USG6000V series provides diversified flow-based services to meet the requirements of various operating environments.
In-Depth Inspection
The USG6000V series provides ASPF, an advanced communication filtering technology that checks application-layer protocol information and monitors the status of connection-based application-layer protocols. Relying on access control based on packet content, the USG6000V series detects and defends against some application-layer attacks. It also inspects FTP commands, SMTP commands, and Java applets and ActiveX controls carried in HTTP.
ASPF provides in-depth inspection based on session management. The ASPF technology uses
information in the session management module to maintain session access rules. It saves
session status information that cannot be saved by static ACLs in the session management
module. The session status information can be used to intelligently permit or deny packets.
When a session terminates, the ASPF session management module removes the session
information from the session table and closes the session on the firewall.
ASPF intelligently detects the TCP three-way handshake and the connection removal
handshake. Stateful inspection on the handshake and connection removal ensures that a TCP
access can normally proceed and the packets of incomplete TCP handshake connections are
denied directly.
Advantages of Stateful Inspection
ACL-based IP packet filtering is applied in common scenarios. This technology is simple but inflexible, and in many complex scenarios common packet filtering is unable to protect networks. For example, configuring packet filtering rules is difficult for multi-channel protocols such as FTP. FTP consists of a TCP control channel on a predefined port and a TCP data channel whose port is dynamically negotiated. When configuring security policies on a packet filtering firewall, you cannot know the port number of the data channel in advance. Therefore, the ingress of the data channel cannot be determined and security policies cannot be configured accurately. The ASPF technology resolves this problem: it inspects application-layer packet information and dynamically creates and deletes temporary rules based on packet content to permit the required packets.
ASPF enables the USG6000V series to support multiple data connections over one control channel, which simplifies security policy configuration in complex application scenarios. Many application protocols, such as Telnet and SMTP, use standard or well-known ports for communication. However, most multimedia application protocols, such as H.323 and SIP, and other protocols, such as FTP and NetMeeting, use designated ports to set up a control connection and then dynamically select ports to transmit data. The port selection is unpredictable, and an application may use more than one port at a time. Therefore, packet filtering can control only single-channel applications on fixed ports and cannot properly handle applications that use dynamic ports, which brings many security risks. ASPF listens for the port used by each connection of an application, opens an appropriate path to permit the data of the session, and closes the path at the end of the session. In this way, the USG6000V series effectively implements access control over applications that use dynamic ports.
When a packet reaches the USG6000V series, ASPF matches the packet with access rules. If a
match is found, the packet can pass through the USG6000V series. Otherwise, the packet is
discarded. If a packet is used to open a control or data connection, ASPF dynamically
modifies access rules. The returned packets can pass through the USG6000V series only after
matching an access rule. When processing the returned packets, ASPF also updates the status
information table. After a connection is closed or timed out, ASPF deletes the status
information table of the connection, preventing unauthorized packets from passing through
the USG6000V series.
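The ASPF behaviour described in this section (the FTP control channel permitted by a static rule, the data channel admitted through a temporary rule created from the PORT/PASV exchange and removed with the control session, and packets of incomplete TCP handshakes dropped) as an added Python example. It is not Huawei's ASPF implementation; the addresses, the intranet prefix rule, the letter encoding of TCP flags and the single-FIN teardown are simplifications constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Server reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and client command "PORT h1,h2,h3,h4,p1,p2"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"        # TCP flags as letters: "S", "SA", "A", "FA", "R"
    payload: str = ""       # application data: at most one FTP line in this demo

@dataclass
class Session:
    client: str
    cport: int
    server: str
    sport: int
    state: str = "SYN_SENT"
    pinholes: List[Tuple[str, str, int]] = field(default_factory=list)

class Aspf:
    """Session table plus temporary data-channel rules derived from the control channel."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple, Session] = {}
        self.pinholes: Dict[Tuple[str, str, int], Tuple] = {}   # (src, dst, dport) -> control key

    @staticmethod
    def static_permit(p: Packet) -> bool:
        """The only static rule: the constructed intranet 10.0.0.0/8 may open FTP control channels."""
        return p.src.startswith("10.") and p.dport == 21

    def process(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:
            return self._track(self.sessions[key], key, p, from_client=True)
        if rev in self.sessions:
            return self._track(self.sessions[rev], rev, p, from_client=False)
        if p.flags != "S":                   # unknown flow: only a bare SYN may open a session
            return "deny"
        hole = (p.src, p.dst, p.dport)
        if hole in self.pinholes:            # data channel negotiated on a control channel
            ctrl = self.pinholes.pop(hole)   # each negotiated port admits exactly one connection
            self.sessions[ctrl].pinholes.remove(hole)
        elif not self.static_permit(p):
            return "deny"
        self.sessions[key] = Session(p.src, p.sport, p.dst, p.dport)
        return "permit"

    def _track(self, s: Session, key: Tuple, p: Packet, from_client: bool) -> str:
        if "R" in p.flags or "F" in p.flags:   # teardown (simplified: the first FIN closes)
            self._close(s, key)
            return "permit"
        if s.state == "SYN_SENT" and not from_client and p.flags == "SA":
            s.state = "SYN_RECV"
        elif s.state == "SYN_RECV" and from_client and "A" in p.flags:
            s.state = "ESTABLISHED"
        elif s.state != "ESTABLISHED":
            return "deny"                       # packet does not fit the handshake state
        if s.sport == 21 and p.payload:
            self._inspect_ftp(s, key, p, from_client)
        return "permit"

    def _inspect_ftp(self, s: Session, key: Tuple, p: Packet, from_client: bool) -> None:
        """Application-layer inspection of the control channel creates temporary rules."""
        m = PORT_RE.match(p.payload) if from_client else PASV_RE.match(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Refuse pinholes to third parties: PORT must name the client and PASV the server.
        if ip != (s.client if from_client else s.server):
            return
        # Active mode: the server connects back to the client; passive mode: the client connects.
        hole = (s.server, ip, port) if from_client else (s.client, ip, port)
        self.pinholes[hole] = key
        s.pinholes.append(hole)

    def _close(self, s: Session, key: Tuple) -> None:
        for hole in s.pinholes:               # temporary rules die with the control session
            self.pinholes.pop(hole, None)
        del self.sessions[key]
```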
4.5 ACTUAL Awareness
Networks are evolving into next-generation networks that feature explosive information growth, borderless networks, the mobile Internet, and Web 2.0. Cybercriminals can easily penetrate a traditional firewall that relies on 5-tuple ACLs. Against this background, Huawei's USG6000V series provides "ACTUAL" (Application, Content, Time, User, Attack, and Location) awareness technology to control network traffic accurately and in a refined manner, defend against security threats, and ensure intranet security.
Definition
ACTUAL awareness is the capability of identifying network traffic by application, content,
time, user, attack, and location. Based on the ACTUAL awareness results, you can configure
security policies such as the filtering, route selection, traffic control, and NAT policies.
Figure 4-1 ACTUAL Awareness (figure not reproduced: the ACTUAL awareness system sits between the network environment and the service environment and classifies traffic by Application, Content, Time, User, Attack, and Location; cloud services, OA services, apps, office users, and mobile users are shown as examples)
As shown in the previous figure, network traffic is complex. The administrator of a traditional
firewall cannot accurately analyze or obtain real service traffic types, and cannot apply
security policies to control network traffic. ACTUAL awareness of the USG6000V series
analyzes the traffic of complex network environments, provides visibility into traffic statistics
by application, content, time, user, attack, and location, and helps the administrator configure
security policies in a refined manner.
Application Awareness
The application awareness module identifies unknown traffic and packet formats, extracts the
signature, payload length, content or length change rule, IP address, and port of a packet, and
incorporates packet statistics and relationship to accurately categorize applications of the
traffic.
Huawei cloud security competence center, by virtue of its experience and expertise, provides an application signature database that covers more than 6000 applications. The USG6000V series uses the application identification engine and online updates of the signature database to identify and track the latest applications.
• Application-specific security control
The USG6000V series implements application-specific security control to categorize traffic in a fine-grained manner and control it accurately. For example, the USG6000V series can permit HTTP traffic while denying WebThunder traffic.
Application-specific security policies are based on unified policies and add the application dimension; the policy meaning and configuration mode remain unchanged.
• Application-specific traffic management and control
The USG6000V series implements application-specific traffic management and control to categorize traffic in a fine-grained manner and control it accurately. For example, the USG6000V series can limit P2P traffic bandwidth to guarantee bandwidth for internal applications.
Application-specific traffic policies are based on bandwidth policies and add the application dimension; the policy meaning and configuration mode remain unchanged.
Traffic management and control of the USG6000V series support guaranteed bandwidth and maximum bandwidth. The guaranteed bandwidth specifies the minimum bandwidth reserved for key services so that other services cannot occupy too much bandwidth. The maximum bandwidth caps the bandwidth of some services to prevent them from affecting other services.
• Application-specific PBR
The USG6000V series implements application-specific PBR to apply different route selection policies by application. For example, the USG6000V series can select a reliable, low-delay link for key enterprise information system applications and other links for P2P applications.
Application-specific PBR policies are based on PBR policies and add the application dimension; the policy meaning and configuration mode remain unchanged.
Content Awareness
The USG6000V series analyzes application protocols to obtain the content they transmit and applies security policies by content.
The content awareness module consists of a protocol decoding module and a content matching module. The protocol decoding module categorizes incoming packets by protocol, extracts information according to the category, decompresses and unpacks the extracted files, identifies the real file types, sorts the extracted URLs, and sends the results to the content matching module. The content matching module matches the traffic information against virus signatures, intrusion rule signatures, sensitive information, and email content, and determines from the results whether the traffic triggers a security policy. Signatures can be updated from the cloud, or traffic information can be sent to the cloud for detection, which keeps the signatures up to date and effective.
Time Awareness
The USG6000V series implements time awareness based on the following technologies:
• Automatic clock synchronization
The USG6000V series uses the Network Time Protocol (NTP) to obtain standard network time and adjust the local clock.
• Automatic conversion of DST
Some countries and regions use daylight saving time (DST). The USG6000V series sets the DST clock based on the VRP, and the device clock is switched automatically with the DST clock.
• Time-specific security policy
The USG6000V series has integrated the time or time segment into security, traffic control, and authentication policies as a matching condition and updates the policies by time or time segment to implement time-specific control. You can configure the USG6000V series to apply traffic control policies to network traffic by time segment.
User Awareness
Enterprise networks become borderless with increasing mobile office employees whose IP
addresses are dynamically changed. The security policies of traditional firewalls are based on
IP configurations, which cannot meet requirements on security management and control. How
to accurately identify users and effectively manage and control user behavior has become a
top issue of network security.
User awareness of the USG6000V series identifies the users behind network traffic and implements security management and control by user.
• User authentication and identification
User identification is the prerequisite for applying differentiated policies to users. The user management and control module provides multiple authentication modes to meet the requirements of different user types and scenarios.
− Authentication exemption
Upper executives require high efficiency and exemption from authentication, but their activities must remain highly secure. You can bind their accounts to IP or MAC addresses and configure authentication exemption for them. The USG6000V series then exempts upper executives from authentication and allows login only from the bound IP or MAC address.
Some enterprises have guests who need to access the enterprise network. The guests have no dedicated accounts and cannot be authenticated, so their network access permissions must be controlled. To accommodate this situation, the user management and control module automatically creates temporary accounts for the guests, with their IP addresses as user names.
− Password authentication
For common employees, convenient password authentication is applied.
Users access the URL of an authentication page before starting service access. The USG6000V series supports HTTP and HTTPS authentication. You are advised to choose HTTPS authentication to meet high security requirements.
The USG6000V series supports authentication based on user names and passwords. It can also interwork with LDAP, RADIUS, and AD authentication servers and send user information to those servers.
In addition, the USG6000V series supports redirected web authentication. When an unauthenticated employee accesses HTTP services, the USG6000V series redirects the user to an authentication page and prompts the user to get authenticated.
− Single Sign-On (SSO)
If an AD server authentication system has been deployed on the network, the USG6000V series can interwork with the AD server to implement SSO. After identifying that a user has been authenticated by the AD server, the USG6000V series permits the user without requesting the user name and password.
If a user has used a VPN (such as an L2TP or SSL VPN) for access and the
USG6000V series has authenticated the user, the USG6000V series normalizes the
access user and the user whose online behavior is managed to implement SSO and
avoid re-authentication.
−
User-initiated authentication and redirected authentication
User-initiated authentication is an authentication mode where a user logs in to the
authentication portal page of the USG6000V series for authentication before
accessing network resources. User-initiated authentication supports all access
methods.
Redirected authentication is an authentication mode where an unauthenticated user
accesses network resources and the USG6000V series identifies that the user is not
authenticated and pushes an authentication page to the user. Redirected authentication
supports only HTTP access.
- User-specific management and control policy
  - Online user management and control
    To restrict all online behavior of certain users within a time segment, you can lock
    out those online users.
    You can also force untrustworthy online users to log out.
  - Policy management and control
    The USG6000V series supports user-specific online behavior management, including
    application-layer management and control functions such as user-specific
    quintuple-based behavior control, user-specific application-layer protocol control,
    user-specific URL access control, mail filtering, and file filtering by keyword or
    type. For example, you can forbid instant messaging tools such as Skype during
    working hours and forbid access to certain game or forum URLs.
    The USG6000V series provides user-specific traffic management and control and
    limits the number of concurrent connections per user to allocate and manage
    bandwidth resources effectively. It can audit and analyze the traffic statistics of users
    and user groups for follow-up optimization.
    The USG6000V series provides reports such as user-specific traffic rankings by
    category and time.
  Users inherit management and control policies from their user groups, and user groups
  inherit policies from their parent user groups.
Attack Awareness
Attack awareness of the USG6000V series identifies network security events and content
security events and feeds the awareness results for attack events, attack behavior, and
abnormal traffic into unified security policies and security posture reports. Attack
awareness enables the USG6000V series to defend against attack behavior and gives
administrators and CIOs an accurate view of the security posture.
The Huawei security R&D team has accumulated the following attack awareness
technologies:
- DoS/DDoS detection and defense
  The USG6000V series provides DDoS detection based on behavior analysis, legitimate
  traffic identification, feature identification and filtering, abnormal traffic baseline
  learning, dynamic fingerprint identification, and reverse source detection. These
  techniques detect malformed packet attacks (such as WinNuke and Teardrop), scanning
  and sniffing attacks (such as IP sweeps, port scans, and IP source routing option
  attacks), and flood or traffic attacks (such as CC attacks, that is, HTTP request floods).
  The USG6000V series also incorporates NetStream and route-based traffic injection and
  diversion and interworks with upstream and downstream devices to implement DDoS
  detection, layer-specific attack traffic cleaning, and attack defense across the entire
  network.
- IPS
  Botnets, Trojan horses, worms, SQL injection attacks, and XSS attacks are prevalent on
  the Internet. The USG6000V series integrates an IPS that is deployed in-line to detect
  and block intrusion behavior in real time.
  The IPS of the USG6000V series uses a Huawei-proprietary integrated detection engine
  and the Intel Hyperscan pattern-matching engine to obtain high-performance detection.
  Predefined and user-defined detection rules, online updates of the engine and
  signature database, and intrusion tracking results from the Huawei security
  attack-defense lab enable the USG6000V series to accurately detect intrusions and
  zero-day attacks.
- Antivirus
  Antivirus of the USG6000V series detects and blocks virus-infected files using flow
  reassembly, file reassembly, unpacking, decompression, PE virus detection, and
  flow-based heuristic detection. The antivirus engine and virus database also support
  real-time online updates.
- Anti-spam
  Anti-spam of the USG6000V series detects spam and enables filtering, management, and
  control of incoming and outgoing email based on Real-time Blackhole List (RBL)
  technology with dynamic blacklists, and on real-time filtering of email over SMTP,
  POP3, and webmail.
- Malicious URL detection
  Malicious URL detection of the USG6000V series blocks access to malicious websites,
  such as Trojan horse and phishing websites. The Huawei security team keeps the
  malicious URL categories up to date, and the categories on the USG6000V series
  support real-time online query and update.
In addition, attack awareness of the USG6000V series has cloud security capabilities. The
USG6000V series collects and sends attack awareness results to cloud servers for analysis
and processing, obtains Internet security postures, and synchronizes real-time detection
capabilities learned from other devices.
Location Awareness
Location awareness of the USG6000V series determines the location (such as the city, region,
or country) where traffic originates or is destined, based on the source and destination IP
addresses. The USG6000V series combines network addresses with geographical location
information, integrates user-defined locations and location sets into unified policies, and
provides location-specific security policies, traffic limiting policies, routing policies, audit
policies, and statistics and reports of traffic and threats. Because the location is inferred
from an IP-to-location database, it is approximate: VPN exits, proxies, and carrier NAT can
place a user far from the real origin, so a location condition should complement, not
replace, user authentication for access to sensitive resources.
The USG6000V series implements location awareness as follows:
- Location-specific policy configuration
  Location-specific policy configuration helps you manage users and traffic by location.
  The USG6000V series can apply security filtering, bandwidth control, authentication,
  and audit policies based on location awareness. For example, you can configure
  location-specific security policies that allow Internet users in Hong Kong and London
  to access intranet resources and prevent Internet users in the USA from accessing
  those resources.
- Location-specific traffic statistics collection, threat statistics collection, and analysis
  The USG6000V series automatically collects the location information of the local
  device and of packets, analyzes traffic and threats by location, and provides
  location-specific traffic and threat trend reports. The reports give you visibility into
  traffic rankings by source location and destination location, and you can click a
  location to view all statistics and trends for that location.
Unified Policy
The USG6000V series supports security policies based on the quintuple as well as on
application, user, time, and location. It provides unified policies that integrate all policy
conditions, and a unified configuration page. Policy unification is implemented from two
aspects:
- Unified configuration page
  You can configure all conditions, such as the quintuple, application, user, time, and
  location, in one policy rule. The USG6000V series provides a single page for policy
  configuration and maintenance.
  Each policy rule can be bound to application-layer profiles such as IPS, antivirus, and
  Data Loss Prevention profiles.
- Unified processing flow
  The USG6000V series provides a unified processing flow for policies. Different features
  at the same layer require only one parsing and policy matching pass, which avoids
  wasting system resources.
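The following is an added example, not code from the white paper or from the USG6000V, of what a unified policy rule looks like when every condition described above (quintuple, application, user with group inheritance, time segment, and source location) is evaluated in a single matching pass. The user directory, the IP-to-location prefixes, the application names and the rules are constructed for illustration; a real device takes them from its user database, location database and configured policy.

```python
"""Unified policy matcher combining 5-tuple, application, user, time and
location conditions in one rule (added example; not Huawei code).

The user directory, geolocation prefixes and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed user directory: user -> group, and group -> parent group.
USER_GROUP = {"alice": "sales", "bob": "engineering", "carol": "executives"}
GROUP_PARENT = {"sales": "staff", "engineering": "staff",
                "staff": "all", "executives": "all", "all": None}

# Constructed IP-to-location table (documentation prefixes from RFC 5737).
GEO = [(ipaddress.ip_network("203.0.113.0/24"), "Hong Kong"),
       (ipaddress.ip_network("198.51.100.0/24"), "London"),
       (ipaddress.ip_network("192.0.2.0/24"), "USA")]


def user_groups(user: str) -> set:
    """The user plus every group it belongs to, following parent links."""
    groups = {user}
    g = USER_GROUP.get(user)
    while g is not None:
        groups.add(g)
        g = GROUP_PARENT.get(g)
    return groups


def location_of(ip: str) -> Optional[str]:
    """First matching prefix; the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, name in GEO:
        if addr in net:
            return name
    return None


def clock(hour: int, minute: int = 0) -> datetime:
    """Fixed date so the examples are reproducible."""
    return datetime(2016, 10, 10, hour, minute)


@dataclass
class Rule:
    name: str
    action: str                           # "permit" or "deny"
    src: Optional[str] = None             # CIDR; None means any
    dst: Optional[str] = None
    dport: Optional[int] = None
    app: Optional[str] = None             # identified application name
    user: Optional[str] = None            # user or group; groups are inherited
    src_location: Optional[frozenset] = None
    start: Optional[time] = None          # time segment [start, end)
    end: Optional[time] = None

    def matches(self, pkt: dict, now: datetime) -> bool:
        """Every configured condition must hold; unset conditions match anything."""
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.app and pkt.get("app") != self.app:
            return False
        if self.user and self.user not in user_groups(pkt.get("user", "")):
            return False
        if self.src_location and location_of(pkt["src"]) not in self.src_location:
            return False
        if self.start is not None and not (self.start <= now.time() < self.end):
            return False
        return True


def evaluate(rules, pkt, now, default="deny"):
    """One pass over the ordered rule list; the first full match decides."""
    for r in rules:
        if r.matches(pkt, now):
            return r.name, r.action
    return "default", default


# Constructed policy: executives are exempt, staff may not use Skype during
# working hours, Hong Kong and London may reach the intranet over HTTPS, the
# USA may not, and staff get HTTPS in general.
RULES = [
    Rule("exec-any", "permit", user="executives"),
    Rule("no-im-working-hours", "deny", user="staff", app="skype",
         start=time(9, 0), end=time(18, 0)),
    Rule("hk-london-intranet", "permit", dst="10.0.0.0/8", dport=443,
         src_location=frozenset({"Hong Kong", "London"})),
    Rule("usa-intranet", "deny", dst="10.0.0.0/8",
         src_location=frozenset({"USA"})),
    Rule("staff-web", "permit", user="staff", dport=443),
]

if __name__ == "__main__":
    pkt = {"src": "10.1.2.3", "dst": "52.0.0.1", "dport": 443, "app": "skype", "user": "bob"}
    print(evaluate(RULES, pkt, clock(10)))   # bob (engineering -> staff) at 10:00
    print(evaluate(RULES, pkt, clock(20)))   # same flow outside working hours
```

Note that rule order is part of the policy: the executive exemption sits first, so it wins over the working-hours rule for any user who inherits from the executives group, and the location rules are evaluated before the general staff rule.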
4.6 SmartPolicy
The NGFW has replaced the quintuple-based policy configuration of traditional firewalls
with fine-grained policy configuration by user and application. The system administrator
therefore faces a large number of applications, categories, and protocols during policy
management.
In addition, the NGFW provides threat detection functions such as IPS and antivirus, which
cover a wide range of threats and viruses. As the number of security policies grows, so does
the number of ineffective, conflicting, and redundant policies, which adds to the
administrative workload and difficulty.
Moreover, because application-layer security defense is complex, the system administrator
must understand application characteristics to use the defense and protection technologies
correctly. Firewall policy management therefore poses significant challenges.
SmartPolicy analyzes network traffic, identifies common applications, and obtains the
share of traffic generated by each application. It then generates a set of security defense
policies based on the possible threats of each application, which simplifies the
configuration process.
SmartPolicy consists of the following actions:
- Traffic learning and analysis
  The USG6000V series analyzes traffic with the application awareness technology and
  provides the proportion of traffic generated by each application together with behavior
  models of application traffic. Based on the analysis result, the USG6000V series
  identifies possible threats and provides a reference for follow-up policy
  recommendation and tuning.
- Policy recommendation
  Based on the traffic learning and analysis results, the USG6000V series identifies the
  proportions of application-specific traffic and behavior models, analyzes threats and
  risks, and generates recommended policies based on the traffic and risk status. These
  policies include integrated policies and application-layer security profiles, which help
  administrators configure policies.
- Policy tuning
  The USG6000V series analyzes existing integrated policies and generates optimized
  policies. Static analysis and dynamic analysis are implemented as follows:
  Static analysis: The USG6000V series analyzes the configurations of existing integrated
  policies for conflicts and redundancy (for example, a rule that can never match because
  an earlier rule already covers all of its traffic) and provides optimization references. It
  also analyzes policy validity based on the traffic learning and risk identification results
  and provides optimization references.
  Dynamic analysis: The USG6000V series collects statistics on the match counts of all
  integrated security policies and displays the trend and distribution of policies that are
  seldom matched, for administrators to reference.
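As an added illustration of the static and dynamic analysis just described (example code, not Huawei's SmartPolicy implementation), the block below walks an ordered rule list and reports rules that are fully covered by an earlier rule (redundant when the actions agree, shadowed when they differ), rules that partially overlap an earlier rule with a different action (a conflict whose outcome depends on rule order), and rules that never matched during an observation window. The rules, prefixes and hit counters are constructed.

```python
"""Static and dynamic policy analysis of an ordered rule list (added
example; not Huawei's SmartPolicy implementation). Rules, prefixes and hit
counts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "permit" or "deny"


def _net(cidr):
    return ipaddress.ip_network(cidr)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet b can match is also matched by a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet can match both a and b."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def static_analysis(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Walk the list in match order. A rule fully covered by an earlier rule
    never matches: 'redundant' if the actions agree, 'shadowed' if they
    differ. A partial overlap with a different action is a 'conflict'."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break            # the first covering rule already decides
            if earlier.action != rule.action and overlaps(earlier, rule):
                findings.append((rule.name, "conflict", earlier.name))
    return findings


def dynamic_analysis(rules: List[Rule], hits: Dict[str, int]) -> List[str]:
    """Rules that matched nothing during the observation window."""
    return [r.name for r in rules if hits.get(r.name, 0) == 0]


ANY = (0, 65535)
RULES = [
    Rule("r1", "10.0.0.0/8", "0.0.0.0/0", (80, 80), "permit"),
    Rule("r2", "10.1.0.0/16", "0.0.0.0/0", (80, 80), "deny"),     # shadowed by r1
    Rule("r3", "10.2.0.0/16", "0.0.0.0/0", (80, 80), "permit"),   # redundant with r1
    Rule("r4", "10.0.0.0/8", "192.0.2.0/24", ANY, "deny"),        # overlaps r1 and r3
    Rule("r5", "172.16.0.0/12", "0.0.0.0/0", (22, 22), "permit"),
]
HITS = {"r1": 5120, "r4": 12}  # constructed match counters; the rest never matched

if __name__ == "__main__":
    for finding in static_analysis(RULES):
        print("static:", *finding)
    print("never matched:", dynamic_analysis(RULES, HITS))
```

A rule that is shadowed (r2 here) is the dangerous case: the administrator believes a deny exists, but it can never fire. A zero hit count alone (r5) does not prove a rule is dead, so the two analyses are best read together.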
4.7 Advanced Virtual Firewall Technology
Large cross-region enterprises and organizations keep growing in business scale and
management complexity, and traditional management modes can no longer keep pace with
business development. Informatization (IT-enabled operation) breaks through this bottleneck
and has become a central concern. As business scale increases, the functions and
responsibilities of each division become clearer, and security zones with different priorities
form within each division, for example, the office automation (OA) network and the data
center. All these factors impose high security requirements on certain important security
zones in an enterprise.
Implementing flexible and convenient security zone division, with controllable
communication among security zones, has become an urgent challenge for enterprise
information administrators.
To meet these requirements, a firewall is deployed at the egress of each service VPN to
implement access control over department networks.
The number of service VPNs in an enterprise, however, increases sharply with rapid business
development, and the traditional deployment cannot adapt to the new application
environment:
- Many independent firewalls must be deployed and managed because of the large number
  of divisions, resulting in high TCO.
- Centralized deployment of independent firewalls occupies a large amount of subrack space
  and complicates cabling.
- The VPN division changes with business development. Traditional firewalls then require
  physical changes, which complicates future component preparation and management.
- Deploying additional physical firewalls increases network management complexity.
The virtual firewall technology was developed for this service mode. With it, a physical
firewall is divided into multiple logical firewall instances, each applying independent
security policies to its service VPN. Intranets can adapt to new services through flexibly
deployed logical firewalls: when the business division changes or a new service department
appears, the customer expands the network accordingly by adding or deleting firewall
instances. In this manner, the deployment of network security devices is greatly
simplified.
In addition, physical firewalls are replaced by virtual firewalls. This greatly reduces the
number of devices to be managed and the complexity of network management, and reduces
the chance of misoperation.
Each virtual firewall can be independently configured with resources so that it is not affected
by other virtual firewalls during operation. Resources available to virtual firewalls fall into
two categories: configuration resources and operating resources. Configuration resources
are those that virtual firewall administrators can configure, including the number of user
groups, users, and policies. Operating resources are the service specifications available to a
virtual firewall while it runs, including session capacity, the number of online users, and
bandwidth. Because all instances share the same underlying device, these per-instance limits
are what prevent a busy or attacked instance from starving the others.
4.8 Service Support
Flawless Protection for Multi-Channel Protocols
The USG6000V series provides strong service support capabilities. Its major advantage is an
implementation that combines connection state tracking as the core technology with
dynamic, real-time policy modification. The USG6000V series accurately identifies the
dynamic ports negotiated by services and adjusts policies on the fly, guaranteeing security
while keeping services running normally.
Dynamic, real-time policy modification lets the USG6000V series adjust policies for
multi-channel protocols. A dynamic policy works as a temporary entry (often called a
pinhole) that describes the data channel announced on the control channel. When the first
packets of the data channel arrive, the USG6000V series matches them against the dynamic
policies to decide whether the channel may pass, sets up a complete flow-based session for
the data channel, and then deletes the dynamic policy so that the temporary opening does not
outlive the connection it was created for.
Data Flow Management for All Services
During data flow management, the USG6000V series dynamically identifies diverse
services. For example, it can accurately identify FTP control flows, FTP data flows, Telnet
data flows, and dynamically negotiated RTP and RTCP data flows. Because the ports of
negotiated data channels, such as RTP, RTCP, and FTP data flows, are chosen at run time,
they cannot be expressed in static ACLs, and ordinary routers and firewalls cannot control
these data flows.
Based on accurate identification of data flows, the USG6000V series implements
differentiated control policies over them. For example, it allows a longer idle timeout for
Telnet data flows but a shorter one for FTP data flows, and collects accurate statistics on the
data flows of each service, such as the proportion of passing data flows. With accurate data
flow identification, the USG6000V series offers great strengths in optimizing network
resource allocation.
Comprehensive Service Capacity
The USG6000V series supports various complex services and is well suited to networking
environments with complex services.
It provides comprehensive support for each protocol used by network services. For example,
H.323 is a complex protocol, and many firewalls cannot fully support H.323 applications. The
USG6000V series, however, supports all networking models of H.323, including the MCU,
gatekeeper (GK), video terminal, and voice terminal.
Huawei has been engaged in data communications for many years and has accumulated
extensive technology and experience, which is why the USG6000V series can provide such
service capabilities for diverse services.
Perfect Multi-Media Services
The USG6000V series supports various multimedia protocols, including H.323, RAS, MGCP,
SIP, and MMS. With these protocols, the USG6000V series not only secures multimedia
service networks but also isolates data services from voice services.
All service features of the USG6000V series work with NAT, which improves serviceability on
intranets. Moreover, the USG6000V series provides comprehensive support for voice
services, whereas many firewalls in the industry do not fully support multimedia services
and therefore cannot perform well on VoIP networks.
4.9 NAT
Excellent Performance
The USG6000V series uses connection-based address translation. It maintains a session entry
for each connection and uses optimized algorithms during processing to ensure high address
translation performance. Enabling NAT degrades performance only slightly, so the NAT
service provided by the USG6000V series does not become a network bottleneck.
Flexible Management
The USG6000V series provides management based on security zones. It logically divides the
managed network into multiple logical subnets by factors such as functional area and security
requirement; each logical subnet is called a security zone. By default, the USG6000V series
provides four security zones: Trust, Untrust, DMZ, and Local. The Trust zone connects to the
intranet, the Untrust zone connects to the Internet, the DMZ connects to internal servers such
as the mail server and FTP server, and Local represents the device itself.
The NAT function of the USG6000V series is configured for access between different security
zones, so network management is straightforward. For example, if the internal servers have
enough public IP addresses, those public addresses can be used directly in the DMZ-Untrust
interzone without any translation, while NAT is applied in the Trust-Untrust interzone because
the intranet uses private IP addresses.
The NAT function can interwork with ACLs that control the range of addresses to be
translated. Therefore, you can easily set address translation rules on the USG6000V series
even when public and private networks are mixed in the same zone.
Powerful Internal Servers
Internal servers enable Internet users to access resources on the intranet, such as web services.
Many firewalls provide static mapping to enable such access: a private address is bound
one-to-one to a public address. The biggest disadvantage of static mapping is that it consumes
many public IP addresses.
For example, the internal LAN uses 10.110.0.0/24 and is connected to the Internet over a
private line with a single public IP address, 202.38.160.1, obtained from an ISP. If a web
server at 10.110.0.1 is deployed on the LAN, you can configure static mapping to bind
10.110.0.1 to 202.38.160.1, so that Internet users reach the web server at 10.110.0.1 through
202.38.160.1. In this case, an internal server is deployed. Because the LAN's only public IP
address is consumed by this binding, no public address is left for outbound translation or for
a DNS or FTP server: hosts on the intranet cannot access the Internet, and the LAN cannot
offer any other service to Internet users.
Static mapping has the following shortcomings:
- Static mapping severely wastes public IP addresses, even though it solves the reverse
  access problem. NAT is meant to conserve public IP addresses, but public IP addresses
  cannot be fully used in static mapping mode.
- Serious security problems may arise. An internal server serves a single purpose; for
  example, a web server provides only HTTP and needs to expose only port 80. A web server
  deployed in static mapping mode, however, is reachable from the Internet on port 80 and
  every other port, which creates security risks. If the server is meant to be maintained only
  from an intranet host over Telnet, static mapping may let Internet hosts telnet to it as well.
- Servers on non-standard ports are difficult to deploy. For example, static mapping cannot
  be used to deploy two web servers behind one public address, one on port 80 and the other
  on port 8080.
The NAT function of the USG6000V series supports port-level internal servers. You can
configure internal servers by port and protocol, separately for internal and external use. In
the previous example, with the NAT function of the USG6000V series, 202.38.160.1 can front
both the web server and the FTP server, the URL http://202.38.160.1:8080 can be used to
publish a second web server, and internal users can still use 202.38.160.1 to access the
Internet. Only the configured ports are reachable from the Internet; all other ports on the
servers stay closed to it.
The USG6000V series provides port-based mapping of internal servers. It can publish
port-specific services and also implement one-to-one mapping of addresses.
Perfect Service Support
NAT has difficulty with packets whose payload carries address information; FTP packets are a
typical example, because the PORT command and the PASV reply embed an IP address and
port that the firewall must rewrite and open a data channel for. The NAT function of the
USG6000V series supports ICMP redirect, ICMP unreachable, FTP (in passive and active
modes), H.323, NetMeeting, PPTP, L2TP, DNS, NetBIOS, SIP, MGCP, and Skype. With these
application-level gateways (ALGs), the USG6000V series meets the requirements of most
Internet services and prevents NAT from becoming a bottleneck for network services.
To keep up with the development of network services, the USG6000V series provides a
customizable ALG function: the ALG for some service applications can be configured from
the command line. This strengthens the service support and responsiveness of the
USG6000V series.
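The following added example (not Huawei code) ties together the two FTP-related mechanisms described on this page: the temporary dynamic policy that the multi-channel protocol section calls a temporary entry, and the payload rewriting that the ALG section needs because FTP carries addresses in its payload. It parses a PORT command and a 227 PASV reply, opens a pinhole that only the expected peer may use, rewrites the inside address in an outbound PORT command to the public address 202.38.160.1 from the white paper's example, and promotes the pinhole to a full session on the first data-channel packet. The outside server address 198.51.100.7 and the port numbers are constructed.

```python
"""FTP application-level gateway: dynamic pinholes for the negotiated data
channel, plus payload rewriting under NAT (added example; not Huawei code).
Addresses: the white paper's public address 202.38.160.1 and constructed
RFC 5737 documentation addresses for outside hosts.
"""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """FTP encodes h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    a, b, c, d, p1, p2 = map(int, groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.pinholes = {}     # (proto, dst_ip, dst_port) -> expected peer ip
        self.sessions = set()  # established data-channel 5-tuples
        self.dnat = {}         # (public_ip, port) -> (private_ip, port)

    def inspect_control(self, direction, src_ip, dst_ip, payload):
        """Inspect one control-channel message. 'out' is inside client to
        outside server, 'in' is the reverse. Returns the payload to forward,
        rewritten when it carried an inside address."""
        m = PORT_RE.match(payload)
        if m and direction == "out":
            # Active mode: the client announces where the server must connect.
            priv_ip, priv_port = decode_hostport(m.groups())
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.dnat[(self.public_ip, pub_port)] = (priv_ip, priv_port)
            # Temporary entry: only this server may open the announced channel.
            self.pinholes[("tcp", self.public_ip, pub_port)] = dst_ip
            return f"PORT {encode_hostport(self.public_ip, pub_port)}\r\n"
        m = PASV_RE.match(payload)
        if m and direction == "in":
            # Passive mode: the server announces where the client will connect.
            srv_ip, srv_port = decode_hostport(m.groups())
            self.pinholes[("tcp", srv_ip, srv_port)] = dst_ip
        return payload

    def forward_data(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Decide on a data-channel packet; returns (verdict, translated dst)."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        target = self.dnat.get((dst_ip, dst_port), (dst_ip, dst_port))
        if key in self.sessions:
            return "session", target
        hole = (proto, dst_ip, dst_port)
        if self.pinholes.get(hole) == src_ip:
            # First packet of the negotiated channel: promote the temporary
            # entry to a full session and delete the pinhole.
            self.sessions.add(key)
            del self.pinholes[hole]
            return "pinhole->session", target
        return "drop", target


if __name__ == "__main__":
    alg = FtpAlg("202.38.160.1")
    print(alg.inspect_control("out", "10.110.0.5", "198.51.100.7",
                              "PORT 10,110,0,5,195,80\r\n"))
    print(alg.forward_data("tcp", "198.51.100.7", 20, "202.38.160.1", 40000))
```

The pinhole is keyed on the announced destination and checked against the expected peer, so a third party that learns the port number cannot use the opening, and it is removed as soon as the real data connection is established.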
Limitless PAT
The USG6000V series provides powerful PAT. PAT uses the TCP or UDP port information and
applies the "address + port" mode to identify connections initiated by intranet hosts to the
Internet during NAT. In this manner, PAT enables intranet users to share one IP address to
access the Internet.
TCP and UDP port numbers range from 0 to 65535; ports 0 to 1023 are the well-known ports
and are normally not handed out for translation. Theoretically, therefore, a public IP address
in PAT mode can support about 60,000 concurrent connections when every connection must
receive a distinct public port. The USG6000V series provides a Huawei-proprietary
"unrestricted port" connection algorithm under which one public IP address is not limited to
this number of concurrent connections. Exceeding the limit is possible because a TCP or UDP
connection is identified by the address and port at both ends, so the same public port can be
reused for connections to different destination addresses or ports; the details of Huawei's
algorithm are not described here. This technology breaks through the upper limit of 65535
ports for Internet access in PAT mode, better meets requirements on address translation, and
makes better use of public IP addresses.
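To make the two NAT points above concrete, here is an added example (not Huawei code) that models, first, the difference between a static 1:1 mapping and port-level internal servers on the white paper's addresses (public 202.38.160.1, inside 10.110.0.0/24), and second, outbound PAT with and without per-destination port reuse, which is the general mechanism by which a single public address can carry more than 65535 concurrent connections. The second web server at 10.110.0.2, the FTP server at 10.110.0.3, the outside destinations and the port allocation strategy are assumptions for illustration.

```python
"""Port-level internal servers versus static mapping, and PAT port reuse
(added example; not Huawei code). Addresses follow the white paper's example
(public 202.38.160.1, inside 10.110.0.0/24); the second web server, the FTP
server and the port-reuse mechanism are assumptions for illustration.
"""
from collections import defaultdict

PUBLIC_IP = "202.38.160.1"
PORT_POOL = range(1024, 65536)  # ports handed out to translated connections

# Static 1:1 mapping: every port of the public address reaches the web host,
# including Telnet and anything else it happens to listen on.
STATIC_MAP = {PUBLIC_IP: "10.110.0.1"}

# Port-level internal servers: only the listed (proto, port) pairs are
# reachable, and one public address fronts several inside hosts.
PORT_MAP = {
    ("tcp", PUBLIC_IP, 80): ("10.110.0.1", 80),
    ("tcp", PUBLIC_IP, 8080): ("10.110.0.2", 80),  # assumed second web server
    ("tcp", PUBLIC_IP, 21): ("10.110.0.3", 21),    # assumed FTP server
}


def static_inbound(proto, dst_ip, dst_port):
    """Static mapping: forward any port, or None if the address is unknown."""
    private = STATIC_MAP.get(dst_ip)
    return (private, dst_port) if private else None


def portlevel_inbound(proto, dst_ip, dst_port):
    """Port-level internal server: forward only configured ports."""
    return PORT_MAP.get((proto, dst_ip, dst_port))


class Pat:
    """Source translation for outbound connections. With endpoint-dependent
    port reuse a public port is unique only per destination (ip, port), so
    the 64512 usable ports are a per-destination limit rather than a global
    one; without it every connection needs a distinct public port."""

    def __init__(self, public_ip, endpoint_dependent=True):
        self.public_ip = public_ip
        self.edm = endpoint_dependent
        self.forward = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> pub_port
        self.reverse = {}   # (pub_port, dst_ip, dst_port) -> (priv_ip, priv_port)
        self.next_port = defaultdict(lambda: PORT_POOL.start)

    def _scope(self, dst_ip, dst_port):
        return (dst_ip, dst_port) if self.edm else "global"

    def translate_out(self, priv_ip, priv_port, dst_ip, dst_port):
        key = (priv_ip, priv_port, dst_ip, dst_port)
        if key in self.forward:
            return self.public_ip, self.forward[key]
        scope = self._scope(dst_ip, dst_port)
        port = self.next_port[scope]
        if port >= PORT_POOL.stop:
            return None     # port space for this scope is exhausted
        self.next_port[scope] = port + 1
        self.forward[key] = port
        self.reverse[(port, dst_ip, dst_port)] = (priv_ip, priv_port)
        return self.public_ip, port

    def translate_in(self, pub_port, src_ip, src_port):
        """Reply from (src_ip, src_port) to public_ip:pub_port -> inside host."""
        return self.reverse.get((pub_port, src_ip, src_port))


def pat_capacity(endpoint_dependent, connections=70000):
    """How many of `connections` outbound flows, split across two
    destinations, can be translated through a single public address."""
    pat = Pat(PUBLIC_IP, endpoint_dependent)
    ok = 0
    for i in range(connections):
        dst = ("198.51.100.7", 443) if i % 2 else ("198.51.100.8", 443)
        priv_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        if pat.translate_out(priv_ip, 50000, *dst) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    print("static  :23 ->", static_inbound("tcp", PUBLIC_IP, 23))
    print("port-lvl:23 ->", portlevel_inbound("tcp", PUBLIC_IP, 23))
    print("with reuse   :", pat_capacity(True))
    print("without reuse:", pat_capacity(False))
```

The reverse table is keyed on the remote endpoint as well as the public port, which is what makes the reuse safe: two inside hosts sharing public port 1024 toward different servers are still distinguished by the server that replies.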
Multi-Interface Load Balancing
The NAT function of the USG6000V series supports Internet access through multiple
interfaces in load balancing mode. In practice, intranet users may reach the Internet through
different interfaces or ISP networks. If address translation is not needed, you can configure
two default routes on the USG6000V series to implement load balancing.
The address translation function of the USG6000V series also supports this load-balanced,
multi-interface Internet access, which works well in the Internet access scenario of a large
intranet.
4.10 LSLB
As the Internet develops rapidly, user access traffic grows accordingly, and a single server
can no longer handle the ever-increasing traffic. Enterprises deploy more servers to address
this, and local server load balancing (LSLB) was developed to distribute traffic among them.
When a server cluster provides a service, the most critical nodes are the service distribution
nodes. The major advantages of LSLB are high concurrent performance, fault detection and
recovery, dynamic capacity expansion, and value-added features such as local cache
acceleration and SSL offloading. LSLB uses load balancing algorithms, sticky session
(session persistence) algorithms, service availability probing, service traffic load balancing,
caching, and SSL encryption offloading.
Network Address Translation-based SLB (L4 SLB)
Network address translation-based SLB works at Layer 4. A virtual IP address is mapped to
the IP addresses of multiple internal servers. User access traffic arrives at the virtual IP
address first; the SLB device then replaces the destination IP address of the traffic with the
real IP address of a specific internal server. In this way, multiple client sessions are
distributed to different internal servers according to the load balancing algorithm.
[Figure: L4 SLB. The virtual server 218.200.243.150:80 on the LSLB is distributed to a
real server group of real server 1 (192.168.100.101:80), real server 2
(192.168.100.102:80), and real server 3 (192.168.100.103:80).]
As shown in the figure, the server cluster exposes a virtual IP address for service access, and
the USG6000V series distributes traffic destined for the virtual IP address to multiple internal
real servers according to the load balancing algorithm.
In this mode, the quality and simplicity of a load balancing policy depend on two key
factors: the load balancing algorithm and the server's service availability detection
technology.
Given different types of service requests, different processing capabilities of servers, and the
uneven load that random selection produces, a load balancing algorithm that correctly
reflects server processing capability and network status is required to distribute traffic among
internal servers sensibly. Commonly used load balancing algorithms are as follows:
- Round robin: Requests from the network are distributed to internal servers in turn, from 1
  to N and then from the beginning again. This algorithm suits a server group in which all
  servers have the same hardware and software configuration and service requests are
  relatively uniform.
- Weighted round robin: Servers are assigned different weights according to their processing
  capabilities, and requests are distributed to each server in proportion to its weight. For
  example, if servers A, B, and C have weights 1, 3, and 6, they receive 10%, 30%, and 60%
  of the requests, respectively. This algorithm ensures that a high-performance server is used
  more and that low-performance servers are not overloaded.
- Random: Requests are allocated to servers at random.
- Weighted random: Similar to weighted round robin, but requests are allocated at random
  with probabilities proportional to the weights.
- Least response time: The SLB device sends a probe (such as a ping) to all servers, and the
  server that answers the probe first receives the client's request. This algorithm reflects the
  current state of the servers well, but the response time measured is that between the SLB
  device and the server, not between the client and the server.
- Least connections: The time each client request stays on a server varies. Over time, plain
  round robin or random selection can leave servers with very different numbers of
  connections, defeating the balancing. The least connections algorithm records the current
  number of connections on each load balancing member and sends each new connection
  request to the member with the fewest connections, which spreads load evenly. It suits
  long-lived services such as FTP.
To avoid access failures caused by a faulty server, the SLB device must check whether each
server is healthy so that no traffic is distributed to a faulty server. This is server health
detection (service availability detection). Commonly used detection methods include:

ICMP detection: Also known as ping detection, the SLB device pings the server to check that
the network path and the server's IP stack are up. This is simple and fast, but it only
confirms that the host is reachable; it cannot tell whether the application services on the
server are actually working.

TCP detection: checks whether a service is up by attempting a TCP connection to a specific
port on the server (such as port 23 on a Telnet server or port 80 on an HTTP server). A
completed handshake shows that something is listening, not that the application answers
correctly.

HTTP detection: checks whether the server is healthy by sending an HTTP request for a
specific page and verifying that the file is returned (for example, with the expected status
code and content).
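The following Python example, added here and not part of the original white paper, implements TCP and HTTP detection against a constructed stand-in server on the loopback interface, so it runs offline. ICMP detection is omitted because sending ICMP echo requests needs raw sockets and privileges. The stub server, its /health path and the expected status and body are assumptions for the demonstration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _StubAppHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a real server: only /health answers 200 OK.
    Every other path returns 503, so a TCP probe passes while an HTTP probe
    for the wrong page fails, which is exactly the gap the text describes."""

    def do_GET(self):
        if self.path == "/health":
            status, body = 200, b"OK"
        else:
            status, body = 503, b"service unavailable"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_stub_server():
    """Start the stub on 127.0.0.1 on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StubAppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP detection: the member is 'up' if the port completes a handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(host: str, port: int, path: str = "/health", expect_status: int = 200,
               expect_body: bytes = b"OK", timeout: float = 1.0) -> bool:
    """HTTP detection: the service is 'up' only if the requested page comes back
    with the expected status code and the expected content."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        return resp.status == expect_status and expect_body in body
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def closed_port() -> int:
    """Find a loopback port that nothing is listening on (for the demo only)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_stub_server()
    print("tcp:", tcp_probe("127.0.0.1", port))
    print("http /health:", http_probe("127.0.0.1", port, "/health"))
    print("http /:", http_probe("127.0.0.1", port, "/"))
    server.shutdown()
```

The HTTP probe asserts on both the status and the body: a server that is listening but returning an error page fails the check, whereas the TCP probe alone would report it healthy.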
Full Socket Proxy-based SLB (L7 Socket Proxy SLB)
To resolve sticky-session failures that some applications suffer in L4 network address
translation or lightweight proxy mode, the USG6000V series introduces full socket proxy-based
SLB. The full socket proxy mode also provides the foundation for more refined services, such
as access path optimization by URL type, SSL proxy acceleration, packet compression, protocol
optimization, caching, and connection multiplexing. The following sections explain these in
turn.

Socket proxy and sticky session
[Figure: L7 socket proxy and sticky session. The client completes a TCP handshake (SYN, SYN+ACK, ACK) with the virtual server 218.200.243.150:80 on the LSLB and sends Payload 1 over Socket 1. The LSLB parses the application information, implements the sticky session, selects a destination server from the real server group (192.168.100.101:80, 192.168.100.102:80, 192.168.100.103:80), completes a second handshake with it, and forwards Payload 2 over Socket 2.]
As shown in the preceding figure, the client first completes a TCP session with the SLB
device and then sends all payload to it. The SLB device selects the destination server by
applying the sticky-session algorithm at the application layer, initiates its own TCP session
to the real server, and forwards the client's payload to it (as is, or after modifications
based on the payload content) to complete the service access.
In this mode the client-to-SLB and SLB-to-server connections are independent sockets, and the
payload on each side is handled independently. The advantage is flexibility: application-layer
sticky-session algorithms can be developed per application protocol, and application
optimization and acceleration features can be built on the same foundation. The cost is lower
performance than the direct network address translation solution, because every byte is
terminated and re-sent by the proxy.

Load balancing of static and dynamic resources across servers by URL type
A large website serves both static content (such as HTML pages and images) and dynamic
content (such as ASP pages and CGI scripts). The two differ greatly in processing cost:
dynamic resources take far longer to generate than static resources take to serve. Based on
the URL type, the full socket proxy directs requests for different resource types to different
servers, so that more servers are dedicated to the expensive dynamic requests, greatly
improving the user experience.
[Figure: URL-based distribution. Requests to the virtual server 218.200.243.150:80 arrive over Socket 1 (Payloads 1 to 3, for example GET http://x.x.x.x/*.html and GET http://x.x.x.x/*.cgi?...). The LSLB parses the application-layer information and sends *.html requests to real server 1 (192.168.100.101:80) and *.cgi requests to real server 2 (192.168.100.102:80).]

SSL offloading
For transmission security, more and more websites are replacing HTTP with HTTPS, but the
SSL/TLS handshake and bulk encryption consume considerable processing capacity on the server.
Gateways, by contrast, are designed with encryption/decryption performance in mind, and
hardware co-processing can accelerate it further. Offloading HTTPS encryption and decryption
from the servers to the SLB device is therefore a practical way to keep HTTPS service access
fast.
The following figure shows the basic process of SSL proxy (also known as SSL reverse
proxy).
[Figure: SSL offload. The client speaks HTTPS to the virtual server 218.200.243.150:80 on the LSLB (Socket 1, Payload 1); the server certificate has been imported in advance. The LSLB parses the application information, implements the sticky session, selects a destination server, and forwards the request over plain HTTP (Socket 2, Payload 2) to the real server group (192.168.100.101:80, 192.168.100.102:80, 192.168.100.103:80).]
During server deployment, the server certificate (and its private key) must be imported to
the USG6000V series in advance. The client performs the SSL negotiation with the USG6000V
series and establishes an SSL socket to it; the USG6000V series then opens an unencrypted
socket to the real server. Payload sent by the client is decrypted on the USG6000V series and
forwarded in plain text to the back-end real server. The real server is thus relieved of the
SSL negotiation and encryption/decryption work, which is what delivers the high performance.
Because the SLB-to-server leg is unencrypted, it should run over a trusted internal network
segment, and the imported private key must be protected on the SLB device as carefully as it
would be on the server itself.
4.11 Diversified Attack Defense Methods
Essential Capabilities for Defending Against DoS Attacks
DoS attacks are prevalent on the Internet. A DoS attack congests networks and interrupts
services by flooding the target with junk packets. IP is connectionless, and attackers exploit
this (for example, by spoofing source addresses) to devise many attack variants. Launching a
DoS attack is simple: a single PC and a packet-generation tool suffice. As a result, DoS
attacks are widespread and severely affect intranets and even backbone networks, causing
serious outages. An effective anti-DoS capability is therefore indispensable in a firewall.
Almost every firewall advertises anti-DoS functions, so why do DoS attacks still bring
networks down? An effective anti-DoS system needs the following features:

Provides comprehensive and diversified defense methods. Because DoS attacks are launched
by many different means, the firewall must provide a correspondingly diverse set of
defenses.

Has excellent processing capabilities. A defining feature of a DoS attack is a sudden surge
in traffic. A firewall without sufficient processing capacity becomes the bottleneck itself
while handling the attack traffic, and the defense fails: the aim of a DoS attack is to
paralyze the target network, and congestion at a key device achieves exactly that. Both the
forwarding performance and the service-processing capacity of the firewall therefore matter.
During anti-DoS processing, the number of new connections per second is the key metric for
keeping the network reachable, because attackers randomize source addresses and so every
attack packet looks like a new connection.

Has accurate attack identification capabilities. Under DoS attack, many firewalls simply
rate-limit so that the traffic they pass stays within an acceptable range, without telling
attack packets from legitimate ones. The network and the servers stay up, but legitimate
users are dropped along with the attacker: the network plane looks normal while the service
is still denied, so the firewall has not actually defended against the DoS attack.
The USG6000V series has thoroughly considered all the previous aspects, so it has big
advantages over other firewalls in anti-DoS performance and functionality.
Abundant Anti-DoS Measures
The USG6000V series defends against DoS attacks such as ICMP flood, SYN flood, UDP flood,
CC (Challenge Collapsar, an HTTP request flood), and DNS attacks, based on the characteristics
of the packets and of the attack method. It proactively identifies dozens of common attack
types, many of which can cause denial of service, and detects and blocks them to protect the
intranet. Together these methods form a layered defense system against DoS attacks.
For specific attack types the USG6000V series uses dedicated defense techniques matched to the
attack's features, so that each class of DoS attack is handled in the most targeted way and
the attack defense feature is complete.
Beyond the attack methods themselves, the USG6000V series has been designed for usability and
network adaptability: attack defense can protect a single host or all hosts in a security
zone.
Advanced TCP Proxy
The USG6000V series uses a TCP proxy to defend against DoS attacks such as SYN flood, which
can quickly exhaust a server's connection resources and crash it. Conventional anti-DoS
techniques cannot reliably separate legitimate user traffic from attack packets while an
attack is under way. The USG6000V series instead acts as a transparent TCP proxy: it completes
the three-way handshake on the server's behalf, so a spoofed SYN that never finishes the
handshake is discarded without the server ever seeing it, while clients that complete the
handshake are passed through to the protected server.
Some attacks complete the full TCP handshake and then hold connections open to exhaust server
resources. The USG6000V series therefore implements an enhanced proxy: after the connection
with the client is established, it waits to see whether the client actually sends data. Only
if data arrives does it open the connection to the server; otherwise it drops the client
connection. This lets the USG6000V series stop resource-exhaustion attacks even when the
attacker completes the three-way handshake.
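The following Python example, added here and not part of the original white paper or of the USG6000V implementation, shows the enhanced proxy behaviour described above with asyncio: the proxy accepts the client on its own TCP stack (so only completed handshakes reach it) and opens a connection to the back-end only once the client has sent data; a client that completes the handshake but stays silent is dropped after a timeout and the back-end never sees it. The 0.5-second first-data timeout, the echo back-end and the two clients are constructed for the demonstration.

```python
import asyncio

# Assumed value: how long the proxy waits for the client's first payload after
# the three-way handshake before giving up on the connection.
FIRST_DATA_TIMEOUT = 0.5


async def _pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes from src to dst until EOF, then close dst."""
    try:
        while True:
            data = await src.read(4096)
            if not data:
                break
            dst.write(data)
            await dst.drain()
    except ConnectionError:
        pass
    finally:
        dst.close()


async def handle_client(client_reader, client_writer, backend_host, backend_port, stats):
    """The handshake with the client already completed on the proxy's stack; the
    real server has not been touched. Only a client that sends data earns a
    back-end connection."""
    try:
        first = await asyncio.wait_for(client_reader.read(4096), FIRST_DATA_TIMEOUT)
    except asyncio.TimeoutError:
        first = b""
    if not first:
        stats["dropped_idle"] += 1        # handshake-only connection: discard it
        client_writer.close()
        return
    stats["forwarded"] += 1
    backend_reader, backend_writer = await asyncio.open_connection(backend_host, backend_port)
    backend_writer.write(first)           # replay the data that proved the client is real
    await backend_writer.drain()
    await asyncio.gather(_pipe(client_reader, backend_writer),
                         _pipe(backend_reader, client_writer))


async def run_demo():
    """Constructed scenario: an echo 'server', the proxy in front of it, one
    legitimate client and one handshake-only client."""
    stats = {"forwarded": 0, "dropped_idle": 0, "backend_connections": 0}

    async def echo(reader, writer):
        stats["backend_connections"] += 1
        data = await reader.read(4096)
        writer.write(data)
        await writer.drain()
        writer.close()

    backend = await asyncio.start_server(echo, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    proxy = await asyncio.start_server(
        lambda r, w: handle_client(r, w, "127.0.0.1", backend_port, stats), "127.0.0.1", 0)
    proxy_port = proxy.sockets[0].getsockname()[1]

    # Legitimate client: completes the handshake and sends a request.
    r, w = await asyncio.open_connection("127.0.0.1", proxy_port)
    w.write(b"GET / HTTP/1.0\r\n\r\n")
    await w.drain()
    reply = await r.read(4096)
    w.close()

    # Handshake-only client (a connection-exhaustion attacker): never sends
    # data, so the proxy hangs up and the back-end never sees a connection.
    r2, w2 = await asyncio.open_connection("127.0.0.1", proxy_port)
    leftover = await r2.read(4096)        # b"" once the proxy closes it
    w2.close()

    await asyncio.sleep(0.1)
    backend.close()
    proxy.close()
    return reply, leftover, stats


def demo():
    return asyncio.run(run_demo())


if __name__ == "__main__":
    print(demo())
```

The back-end counter ends at one: the silent client consumed a socket on the proxy for half a second and nothing else, which is the resource trade the text describes (the proxy absorbs the handshake load so the server does not).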
Defense Against Scanning and Sniffing Attacks
Scanning and sniffing attacks use ping sweeps (ICMP and TCP) to enumerate live systems on a
network and pinpoint potential targets, or use TCP and UDP port scans to discover the
services the operating system is listening on. From the results an attacker learns the
service types and likely vulnerabilities of the target system and prepares further attacks.
The USG6000V series detects such scanning and sniffing traffic by analyzing patterns across
packets (for example, one source touching many ports or many addresses) and blocks the
follow-on attacks. The scanning and sniffing attacks covered include address scanning, port
scanning, IP source route attacks, IP record route attacks, and topology discovery through
Tracert.
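The following Python example, added here and not part of the original white paper, runs a simple address-sweep and port-scan detector over constructed flow records (timestamp, source, destination, protocol, destination port): a source that touches many distinct ports on one host, or many distinct hosts, within a sliding window is flagged. The thresholds and window are assumptions; the USG6000V's own defaults are not given in the text.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: (timestamp_s, src_ip, dst_ip, proto, dst_port)
FLOWS: List[Tuple[float, str, str, str, int]] = [
    # a normal client talking to two servers
    (0.0, "10.1.1.20", "10.2.2.10", "tcp", 443),
    (0.5, "10.1.1.20", "10.2.2.11", "tcp", 80),
    # a port scan: one source, one target, 60 ports in under a second
    *[(1.0 + i * 0.01, "203.0.113.7", "10.2.2.10", "tcp", 1 + i) for i in range(60)],
    # an address (ping) sweep: one source probing 39 hosts of a /24 with ICMP
    *[(3.0 + i * 0.02, "198.51.100.9", f"10.2.2.{i}", "icmp", 0) for i in range(1, 40)],
]

# Assumed detection parameters (not the product's documented defaults).
PORT_SCAN_THRESHOLD = 30    # distinct ports on one destination from one source
SWEEP_THRESHOLD = 20        # distinct destinations touched by one source
WINDOW_S = 5.0              # sliding window length in seconds


def detect_scans(flows, window=WINDOW_S, port_thr=PORT_SCAN_THRESHOLD,
                 sweep_thr=SWEEP_THRESHOLD) -> Dict[str, Set[str]]:
    """Per source, slide a time window over its flows and count distinct
    destination ports per host (port scan) and distinct hosts (address sweep).
    Returns {src_ip: {"port-scan", "address-sweep"}} for offending sources only."""
    alerts: Dict[str, Set[str]] = defaultdict(set)
    by_src: Dict[str, list] = defaultdict(list)
    for ts, src, dst, proto, dport in sorted(flows):
        by_src[src].append((ts, dst, proto, dport))
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1                      # drop records that fell out of the window
            win = recs[start:end + 1]
            ports_per_dst: Dict[str, Set[int]] = defaultdict(set)
            for _, dst, proto, dport in win:
                if proto in ("tcp", "udp"):     # ICMP has no port to count
                    ports_per_dst[dst].add(dport)
            if any(len(p) >= port_thr for p in ports_per_dst.values()):
                alerts[src].add("port-scan")
            if len({dst for _, dst, _, _ in win}) >= sweep_thr:
                alerts[src].add("address-sweep")
    return dict(alerts)


if __name__ == "__main__":
    print(detect_scans(FLOWS))
```

Counting distinct ports and hosts rather than raw packets is what separates a scanner from a busy legitimate client: the ordinary client above opens two connections and never trips either threshold.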
Malformed Packet Attack Prevention
The USG6000V series automatically detects and drops the packets used in malformed-packet
attacks, including Land, Smurf, Fraggle, WinNuke, ICMP redirect and ICMP unreachable packets,
invalid TCP flag combinations (such as SYN and FIN set together, or no flags at all), Ping of
Death, and Teardrop.
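The following Python example, added here and not part of the original white paper, builds constructed IPv4/TCP/ICMP packets with struct and checks them for several of the malformed-packet signatures listed above: Land (a SYN whose source address and port equal its destination), invalid TCP flag combinations, Ping of Death (a fragment whose offset plus length would exceed the 65535-byte IPv4 maximum on reassembly), and Teardrop (overlapping fragments of one datagram). Smurf, Fraggle and WinNuke depend on deployment context (broadcast addresses, NetBIOS sessions) and are not modelled; checksums are left zero because they are irrelevant to these checks.

```python
import socket
import struct
from typing import List, Tuple

TCP, ICMP = 6, 1
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MAX_IP_LEN = 65535          # largest datagram an IPv4 total-length field can describe
IP_FMT = "!BBHHHBBH4s4s"    # IPv4 header without options


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1,
               frag_offset: int = 0, more_frags: bool = False) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum zero) + payload.
    frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(packet: bytes) -> Tuple[int, int, bool, int, str, str, bytes]:
    """Return (ident, frag_offset_bytes, more_frags, proto, src, dst, payload)."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return (ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), proto,
            socket.inet_ntoa(src), socket.inet_ntoa(dst), packet[ihl:total_len])


def inspect(packet: bytes) -> List[str]:
    """Names of the single-packet malformed signatures this packet matches."""
    hits: List[str] = []
    if len(packet) < 20:
        return ["truncated-ip"]
    _, frag_offset, _, proto, src, dst, payload = parse_ipv4(packet)
    # Ping of Death: header + offset + this fragment's data would exceed 65535 bytes.
    if 20 + frag_offset + len(payload) > MAX_IP_LEN:
        hits.append("ping-of-death" if proto == ICMP else "oversize-fragment")
    if proto == TCP and frag_offset == 0 and len(payload) >= 20:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", payload[:14])
        if flags & SYN and src == dst and sport == dport:
            hits.append("land")          # Land: the victim is told to talk to itself
        if flags & (SYN | FIN) == SYN | FIN:
            hits.append("tcp-syn-fin")   # cannot be opening and closing at once
        if flags & 0x3F == 0:
            hits.append("tcp-null")      # no flags at all: a probe, never valid traffic
        if flags & 0x3F == 0x3F:
            hits.append("tcp-xmas")      # every flag lit
    return hits


def fragments_overlap(packets: List[bytes]) -> bool:
    """Teardrop check: do the fragments of one datagram overlap each other?"""
    groups = {}
    for p in packets:
        ident, off, more, proto, src, dst, payload = parse_ipv4(p)
        if off or more:                  # only fragments take part in reassembly
            groups.setdefault((src, dst, ident, proto), []).append((off, off + len(payload)))
    for spans in groups.values():
        spans.sort()
        for (_, prev_end), (start, _) in zip(spans, spans[1:]):
            if start < prev_end:
                return True
    return False


if __name__ == "__main__":
    print(inspect(build_ipv4("10.0.0.5", "10.0.0.5", TCP, build_tcp(139, 139, SYN))))
```

A real deployment runs these checks before the stateful engine ever sees the packet, since each signature is decidable from the headers alone; the fragment check is the one case that needs state across packets.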
Application-Layer Anti-DDoS
The anti-DDoS function of the USG6000V series defends against network-, transport-, and
application-layer DDoS attacks, such as SIP flood, HTTP flood, HTTPS flood, DNS request
flood, and DNS reply flood. The USG6000V series detects DDoS attacks automatically; when one
is spotted, it activates the anti-DDoS function to block the attack traffic while permitting
normal traffic.
The anti-DDoS function supports threshold self-learning, which provides a reference for
setting defense thresholds and makes policies more effective. During normal operation the
system collects statistics on each traffic type per destination IP address over time,
computes the peak rate of each type, and sets the defense thresholds from those peaks.
Because the learned baseline becomes the definition of "normal", learning must be done
during a clean period: a baseline learned while an attack is in progress would treat the
attack rate as acceptable.
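The following Python example, added here and not part of the original white paper, shows threshold self-learning in miniature: per-second counters keyed by destination IP address and traffic type are collected over a clean learning period, the peak of each is recorded, a threshold is derived from that peak, and a later window is evaluated against the learned thresholds. The counters, the 1.5x tolerance factor and the traffic types are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed per-second counters from a clean learning period:
# (second, dst_ip, traffic_type, packets_in_that_second)
BASELINE: List[Tuple[int, str, str, int]] = []
BASELINE += [(t, "10.2.2.10", "syn", 40 + (t % 7) * 5) for t in range(600)]           # 40..70 SYN/s
BASELINE += [(t, "10.2.2.10", "dns_request", 120 + (t % 5) * 10) for t in range(600)]  # 120..160/s
BASELINE += [(t, "10.2.2.11", "syn", 5 + (t % 3)) for t in range(600)]                 # 5..7 SYN/s

TOLERANCE = 1.5   # assumed headroom above the learned peak

# Constructed live window evaluated against the learned thresholds.
LIVE = [
    (1000, "10.2.2.10", "syn", 65),          # inside the learned range for .10
    (1001, "10.2.2.10", "syn", 9000),        # SYN flood against .10
    (1001, "10.2.2.11", "syn", 12),          # trivial for .10, abnormal for the quiet .11
    (1002, "10.2.2.10", "dns_request", 150),
    (1002, "10.2.2.12", "syn", 500),         # never seen in learning: no threshold exists
]

Key = Tuple[str, str]


def learn_thresholds(samples, tolerance: float = TOLERANCE) -> Dict[Key, int]:
    """Per (destination, traffic type): the peak rate seen during learning
    times a tolerance factor. Must be run on traffic known to be clean."""
    peaks: Dict[Key, int] = defaultdict(int)
    for _, dst, kind, count in samples:
        peaks[(dst, kind)] = max(peaks[(dst, kind)], count)
    return {key: int(peak * tolerance) for key, peak in peaks.items()}


def evaluate(samples, thresholds: Dict[Key, int], default: Optional[int] = None):
    """Flag every (second, dst, type) whose rate exceeds its learned threshold.
    Destinations or types never seen in learning use `default`, or are skipped
    when default is None, so an unlearned host is a visible gap, not a silent pass."""
    alerts = []
    for t, dst, kind, count in samples:
        limit = thresholds.get((dst, kind), default)
        if limit is not None and count > limit:
            alerts.append((t, dst, kind, count, limit))
    return alerts


if __name__ == "__main__":
    thresholds = learn_thresholds(BASELINE)
    for alert in evaluate(LIVE, thresholds):
        print("exceeds threshold:", alert)
```

The per-destination keying is the point: 12 SYN/s is noise for 10.2.2.10 but well above anything 10.2.2.11 saw during learning, and a single global threshold would miss it. The unlearned destination 10.2.2.12 produces no alert here; in practice it should get a default threshold or a fresh learning cycle rather than being left unprotected.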
4.12 High Networking Adaptability
Enriched Routing Protocols and Routing Management
In addition to its security features, the USG6000V series integrates routing capabilities:
static routing, Routing Information Protocol (RIP), Open Shortest Path First (OSPF), routing
policies, and route iteration, which make its networking more flexible. It also supports
Border Gateway Protocol (BGP) dynamic routing, further improving networking flexibility.
Using session-based policy-based routing (PBR), the USG6000V series makes PBR work together
with security features such as NAT and ASPF to load-balance traffic across multiple egress
links to ISP networks. When one link fails, traffic fails over to the remaining healthy
links.
Multiple Working Modes
The USG6000V series supports multiple working modes to suit different networking
applications:
Routing mode: Interfaces on the USG6000V series have IP addresses, and devices on the intranet
and Internet have routes to the USG6000V series. This mode suits networks whose IP addressing
is planned from the initial construction phase and simplifies global network management.
Transparent mode: The USG6000V series sits between the intranet and the Internet with no IP
addresses on its interfaces. Devices on the intranet and Internet are unaware of its
existence. This mode needs no IP address or route planning, and because the device is not
addressable on those interfaces it is not directly exposed as a target itself.
Composite mode: The USG6000V series has some interfaces (with IP addresses) working in
routing mode and others (without IP addresses) working in transparent mode.
Diversified Authentication Methods
The USG6000V series provides a unified framework for authentication, authorization, and
accounting (AAA) and centralizes the security management of network access.
It supports local authentication and Remote Authentication Dial-In User Service (RADIUS)
authentication. For local user management it supports both plain-text and Message-Digest
Algorithm 5 (MD5) based authentication; plain-text authentication should only be used where
the transport itself is protected. The USG6000V series verifies user identities, authorizes
legitimate users, and blocks illegitimate ones.
Multi-ISP Networking Adaptability
The USG6000V series delivers PBR and multi-interface NAT to improve multi-ISP networking.
Users can configure PBR so that two egress interfaces share the traffic; if one interface
fails, the USG6000V series fails all traffic over to the other.
VXLAN
As data center networks evolve, Virtual Extensible LAN (VXLAN) has become the most widely used
IP overlay technology in next-generation cloud data centers. The Huawei USG6000V series
provides the Layer 3 VXLAN gateway function to deliver north-south border protection for data
centers.
4.13 Excellent VPN Functions
The USG6000V series provides IPSec with software- or hardware-accelerated cryptography (the
DES and 3DES ciphers, and the AH and ESP protocols) to offer access control, connectionless
integrity, data origin authentication, anti-replay, encryption, and per-flow classification
and protection to both parties of a communication. Through Authentication Header (AH) and
Encapsulating Security Payload (ESP), data at the IP layer and above is protected, and tunnel
mode encapsulation is supported. Note that DES is obsolete and 3DES is weak by current
standards; choose the strongest cipher that both peers support.
In addition to supporting IPSec VPN application and providing highly reliable security
transport channels, the USG6000V series can incorporate Layer 2 Tunneling Protocol (L2TP)
and Generic Routing Encapsulation (GRE) to provide diversified VPN applications:

L2TP VPN

IPSec VPN

GRE VPN

SSL VPN

L2TP over IPSec VPN

GRE over IPSec VPN
GRE VPN
GRE, a Layer 3 tunneling protocol, encapsulates an IP packet inside a new IP header; in other
words, it wraps private traffic in an outer "coat" so that it can be carried across a public
network. GRE itself provides no encryption or authentication, so on its own it is a transport
mechanism, not a security one.
The USG6000V series supports plain GRE VPN, which sets up a GRE tunnel between two gateways to
carry private traffic, and also combines GRE with IPSec (GRE over IPSec) so that the tunneled
traffic is encrypted and authenticated.
L2TP VPN
The USG6000V series supports L2TP, which transparently carries PPP frames between remote
users and enterprise servers and is widely used for VPN access. Layer 2 frames are
encapsulated in a tunnel: for example, PPP frames are encapsulated in the L2TP tunnel. L2TP
itself does not encrypt; where confidentiality is needed it is combined with IPSec (L2TP over
IPSec, listed above).
Acting as an L2TP network server (LNS), the USG6000V series lets mobile users initiate L2TP
tunnels; the users must run a VPN client and know the IP address of the LNS. On receiving a
request, the USG6000V series authenticates the user by user name and password, allocates a
private address, and establishes the tunnel.
Acting as an L2TP access concentrator (LAC), the USG6000V series initiates L2TP tunnels on
behalf of users as they access the Internet over PPP or PPPoE. During user name and password
authentication the LAC identifies L2TP tunnel users by user name and automatically connects
to the LNS, after which the user can reach the enterprise VPN.
Mobile users can use L2TP client software to connect to the LNS and reach the headquarters
intranet; if the LNS has a private IP address, a NAT server mapping must make it reachable.
IPSec VPN
Using IPSec, the USG6000V series provides access control, connectionless integrity, data
origin authentication, anti-replay, encryption, and per-flow classification and protection.
Data at the IP layer and above is protected with AH and ESP and can be encapsulated in
tunnels.
IPSec provides the following network security services:

Confidentiality: IPSec encrypts packets before transmission.

Integrity: IPSec verifies at the destination that packets were not tampered with in transit.

Authenticity: IPSec authenticates the origin of every protected packet.

Anti-replay: IPSec prevents captured packets from being replayed; the destination rejects
duplicates, using sequence numbers to detect them.
The USG6000V series uses IPSec VPN to establish tunnels between the headquarters VPN gateway
and branch VPN gateways so that private addresses are reachable across the tunnel and the
traffic is protected. IPSec protects traffic between two hosts, two security gateways, or a
host and a security gateway. Multiple security associations (SAs) can exist between two ends,
and by combining ACLs with SAs IPSec applies different protection policies to different data
flows. SAs can be configured manually, but as the number of nodes grows manual configuration
becomes hard to maintain and keys hard to rotate securely, so IKE is used to negotiate SAs
and exchange keys automatically.
The IPSec VPN function of the USG6000V series also supports certificate authentication based
on a PKI framework: certificates can be requested, stored, and used for authentication,
though not generated on the device. Digital-envelope-based IKE negotiation is supported, that
is, certificate authentication is used during IKE negotiation.
BGP/MPLS VPN
BGP/MPLS IP VPN is a Layer 3 VPN (L3VPN) that uses BGP to advertise VPN routes and MPLS to
forward VPN packets across ISP backbone networks; "IP" indicates that the VPN carries IP
packets.
Multiprotocol Label Switching (MPLS) combines flexible IP routing with ATM-style label
switching, adding a connection-oriented control plane to the connectionless IP network to
simplify network management and operation.
An MPLS VPN built on an MPLS-based IP backbone has therefore become an important way for IP
carriers to offer value-added services, and more carriers are adopting it.
Unlike an Interior Gateway Protocol (IGP), BGP focuses on controlling route advertisement and
selecting the best route rather than on discovering and computing routes. A VPN runs over a
public network on which IGP route discovery and computation are already in place; the primary
concerns in building the VPN are controlling the spread of VPN routes and choosing the best
route between two PEs.
BGP uses TCP (port 179) as its transport for reliability. Two PE devices connected through the
USG6000V series can run BGP to exchange VPN routes.
BGP carries information attached to routes as optional BGP attributes, and the USG6000V series
forwards routes carrying attributes it does not recognize rather than dropping them, which
helps VPN routes propagate between PEs.
BGP sends only incremental updates rather than the full routing table, which reduces the
bandwidth needed and makes it feasible to carry a large number of VPN routes over the public
network.
As an Exterior Gateway Protocol (EGP), BGP is well suited to VPNs that span multiple carriers'
networks.
4.14 Application-Layer Security
SA
Traditional firewalls identify applications and apply policies by port, so an application
that uses a non-standard or ephemeral port can evade them.
Service awareness (SA) on the USG6000V series analyzes packet payloads in depth to identify
the real application carried by the traffic. It has the following features:

Multiple identification methods
The USG6000V series combines several methods to accurately identify common protocols such as
HTTP and applications such as Facebook and WebMail.

Predefined identification rule database
The USG6000V series ships with a predefined rule database for application identification. The
database can be updated online to keep up with new applications; Huawei's predefined rule
database covers over 6000 protocols and applications.

User-defined identification rules
The USG6000V series also supports user-defined application identification rules for
differentiated requirements. You can specify conditions such as IP address, port, and
content matches to identify protocols or applications not covered by the predefined rules.
IPS
The IPS of the USG6000V series builds on in-depth application identification to analyze and
inspect traffic at the application layer, accurately identifying network attacks and
defending against them. It detects threats such as botnets, Trojan horses, and worms, and
attacks such as SQL injection and XSS.

Deployment mode
Off-line deployment: The USG6000V series performs security detection only, with no defense
action or traffic cleaning, so traffic is unaffected.
In-line detection deployment: The USG6000V series performs security detection but takes no
defense action; it modifies only some QoS and TTL information and does not discard packets.
In-line defense deployment: The USG6000V series performs security detection and traffic
cleaning. When a threat is detected it applies defense actions such as discarding packets,
modifying packets, and rate-limiting traffic.

Major features
Detection based on predefined rules: Predefined rules cover vulnerability-based attacks,
botnets, Trojan horses, worms, SQL injection, and XSS. You can select signatures by target
object, severity, operating system, protocol type, and threat type to build the rule set, and
define exception signatures to exempt specific objects.
Detection based on user-defined rules: Where needed, you can write your own rules. A
user-defined rule consists of a user-defined object and a rule body; the body holds match
conditions on the decoded protocol fields, so detection can be tailored to local requirements.
Correlation detection: The USG6000V series provides predefined correlation detection for some
threats to link related security events, helping uncover multi-stage threats.
Anti-evasion: Attackers may obfuscate traffic to slip past the IPS; anti-evasion mechanisms
normalize the traffic before inspection so that such attacks are still detected.
Updates of the engine and signature database: The engine and signature database can be
updated online or offline to keep pace with new threats on the live network.
Antivirus
The antivirus feature of the USG6000V series inspects traffic at the application layer,
analyzes the files being transferred, detects viruses, and blocks the transfer of infected
files, protecting the customer's servers and PCs.
The USG6000V series provides the following antivirus functions:

Powerful application-layer protocol parsing
The USG6000V series parses application-layer protocols to recognize file transfers and scan
the transferred files for viruses.

Diversified file types
The USG6000V series supports many file types, decompresses archives for scanning, and
identifies the real file type from content, so that renaming a file's extension does not
evade detection.

Flow-based antivirus detection
The USG6000V series scans in flow mode for high detection performance.

Update of the virus signature database
The virus signature database can be updated so the device detects new viruses on the live
network; antivirus detection continues uninterrupted while the database is updated.
Data Filtering
Data filtering on the USG6000V series analyzes transmitted data at the application layer,
detects and blocks content according to predefined filtering policies, and reduces the risk
of unauthorized file transfers and leakage of sensitive information.
Data filtering consists of protocol data filtering (application behavior control), file
blocking by type, and file blocking by data, each with its own scanning and filtering
objective:

Application behavior control
Some application-layer protocols carry user content in the protocol itself, such as web page,
forum, micro-blog, and email contents. You can configure policies to filter such protocol
contents.
Based on in-depth protocol identification, the USG6000V series recognizes traffic on
ephemeral ports to prevent evasion and misclassification, and supports in-depth protocol
decoding, multi-layer carrier protocol decoding, compression and decompression, and
normalization to prevent application-layer evasion.

File blocking by type
The USG6000V series filters transferred files by type to block high-risk and confidential
files, matching on both the file name extension and the real file type. The real type is
identified from the file's content to prevent evasion, and compressed files are decompressed
and filtered by the real types of their contents.

File blocking by data
The USG6000V series analyzes file content in depth and filters files by their data to prevent
information leaks and unauthorized information input.
The USG6000V series also supports data normalization to prevent evasion through encoding
techniques.
4.15 Diversified Northbound Integration Capabilities
As an NFV firewall, the Huawei USG6000V series provides rich northbound APIs through which
controllers and orchestrators build a variety of solutions.
NETCONF and RESTCONF APIs
The Huawei USG6000V series uses unified YANG modeling and exposes both NETCONF and RESTCONF
APIs.
Huawei Agile Controller integrates the USG6000V into the Huawei agile cloud data center
solution by driving the NETCONF APIs.
RESTCONF maps Create/Read/Update/Delete (CRUD) operations onto HTTP methods (POST, GET,
PUT/PATCH, DELETE), which makes it easy to integrate in complex network environments and to
interconnect APIs. The OpenStack-based USG6000V plug-in drives the RESTCONF APIs to integrate
the USG6000V into the OpenStack solution.
Both NETCONF and RESTCONF APIs are available to customers, who can use them to integrate the
USG6000V into any third-party cloud computing solution.
OpenStack Neutron Plug-in
OpenStack is the most widely used open-source cloud computing platform, and Neutron is its
networking component. Users can build their own SDN solutions on OpenStack. The Huawei
USG6000V series provides a Neutron plug-in through which users can drive the USG6000V via
APIs such as OpenStack FWaaS to provision services automatically.
4.16 Sound Maintenance and Management System
Diversified Management Methods
The USG6000V series can be maintained locally or remotely through the following methods:

Local configuration and maintenance through the console port.

Local or remote operation and maintenance through Telnet. Telnet carries credentials and
sessions in plain text, so it should be restricted to trusted management networks or replaced
by SSH.

Secure Shell (SSH) maintenance and management, which provides encrypted transport and strong
authentication over an untrusted network and defends against attacks such as IP spoofing and
plain-text password interception.

Web-based GUI configuration and maintenance over HTTP or HTTPS (sWeb).

Unified management by Huawei NMS.
SNMP-based Terminal System Management
The USG6000V series supports SNMP (v1/v2c/v3) in the client/server model and can be
managed from an NMS workstation such as Huawei eSight. Because SNMPv1 and v2c authenticate
only by a plaintext community string, SNMPv3 with authentication and privacy (authPriv)
should be used for managing the firewall.
4.17 Comprehensive Log Report System
The USG6000V series collects statistics on interface traffic and sessions during operation,
providing reference data for the NMS, generating log information on which other modules
base decisions, and delivering the information to users for debugging. Users can customize
logging by configuring the USG6000V series to collect statistics only on the information of
interest.
Logs are used to check the operating status of the device, analyze the network status, and
locate problems, providing references for system diagnosis and maintenance.
The system log of the USG6000V series supports after-the-event auditing. The device keeps
detailed logs of all operations and attacks and provides log query and filtering methods
to facilitate log analysis.
The generated log information can be displayed on the console port or in a Telnet or SSH
session. It can be saved on the device or exported through the syslog protocol to a log
server.
Local Log Storage
The USG6000V series supports hard disk cards for storing generated logs. When no log server
is configured, you can store logs on the local hard disk. When the local hard disk is full,
you can configure the USG6000V series either to discard new logs or to overwrite the oldest
logs with the newest ones. Either policy loses records once the disk fills: discarding new
logs loses the most recent activity, and overwriting loses the earliest records, which may
include the first stage of an intrusion.
Export log files from the hard disk regularly, or forward logs to a log server, to prevent
log loss.
Log Server
To receive and store device logs, Huawei provides dedicated log server software with which
you can conveniently browse, query, and analyze logs. The log server software consists of a
front-end management part and back-end processes. Front-end management provides
operations such as database configuration, log configuration, and log category query.
Back-end processes include the log collection and monitoring processes. The log server
software lets you customize the log types it receives and provides log storage, query,
export, and backup functions.
Log Export Modes
The USG6000V series outputs syslog in text form. In addition, it can build information
tables keyed by flow state and generate fast binary logs for the heavy traffic passing
through it. Compared with text syslog, binary logs are more compact and better suit
scenarios in which the log volume is massive and text syslog would otherwise demand more
network bandwidth. Binary logs require a receiver that understands the binary format,
whereas text syslog can be consumed by any standard syslog collector.
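An added example, not Huawei code, that illustrates both export modes above and the traffic-log fields described later in this section (source and destination address and port, user, application, post-NAT address and port, flow start and end time, flow status): it parses constructed text syslog flow records, packs each one into a fixed binary record backed by user and application ID tables, checks that the encoding is lossless, compares the two sizes, and aggregates bytes per user and per application as a traffic report would. The log lines and the 38-byte record layout are constructed for the example and are not the USG6000V's actual text or binary log formats.

```python
"""Flow-log parsing, compact binary export, and traffic-report aggregation.

Added example, not Huawei code.  SAMPLE_LOGS is a constructed key=value syslog
format, and FLOW_FMT is an illustrative IPFIX-style fixed record; neither is
the USG6000V's real text or binary log syntax.
"""
import ipaddress
import re
import struct

SAMPLE_LOGS = """\
<190>Oct 10 10:00:01 usg6000v SESSION: src=10.1.1.5 sport=51514 dst=203.0.113.10 dport=443 proto=tcp user=alice app=HTTPS natsrc=198.51.100.2 natsport=20001 start=1476093601 end=1476093655 bytes=20480 status=closed
<190>Oct 10 10:00:03 usg6000v SESSION: src=10.1.1.5 sport=51515 dst=203.0.113.22 dport=80 proto=tcp user=alice app=HTTP natsrc=198.51.100.2 natsport=20002 start=1476093603 end=1476093610 bytes=4096 status=closed
<190>Oct 10 10:00:04 usg6000v SESSION: src=10.1.1.9 sport=40001 dst=203.0.113.10 dport=443 proto=tcp user=bob app=HTTPS natsrc=198.51.100.2 natsport=20003 start=1476093604 end=1476093700 bytes=1048576 status=closed
<190>Oct 10 10:00:05 usg6000v SESSION: src=10.1.1.9 sport=40002 dst=192.0.2.53 dport=53 proto=udp user=bob app=DNS start=1476093605 end=1476093605 bytes=120 status=closed
<190>Oct 10 10:00:06 usg6000v ATTACK: type=syn-flood src=198.51.100.77 zone=untrust
<190>Oct 10 10:00:07 usg6000v SESSION: src=10.1.1.7 sport=33000 dst=203.0.113.10 dport=443 proto=tcp user=carol app=HTTPS natsrc=198.51.100.2 natsport=20004 start=1476093607 end=1476093608 bytes=0 status=open
"""

PROTO = {"tcp": 6, "udp": 17, "icmp": 1}
STATUS = {"open": 1, "closed": 2}
INT_FIELDS = ("sport", "dport", "natsport", "start", "end", "bytes")

# src, sport, dst, dport, natsrc, natsport, proto, start, end, bytes, status, user id, app id
FLOW_FMT = "!4sH4sH4sHBIIQBBB"
FLOW_SIZE = struct.calcsize(FLOW_FMT)  # 38 bytes per flow


def parse_flow(line):
    """Parse one SESSION line into a dict; return None for other log types."""
    m = re.search(r" SESSION: (.*)$", line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(1).split())
    for f in INT_FIELDS:
        rec[f] = int(rec.get(f, 0))
    rec.setdefault("natsrc", None)  # flows that bypass NAT carry no post-NAT fields
    return rec


class IdTable:
    """Information table mapping names (users, applications) to one-byte IDs."""

    def __init__(self):
        self._ids, self._names = {}, {}

    def id_for(self, name):
        if name not in self._ids:
            if len(self._ids) >= 255:
                raise OverflowError("ID table full")
            self._ids[name] = len(self._ids) + 1  # 0 is reserved for "unknown"
            self._names[self._ids[name]] = name
        return self._ids[name]

    def name_for(self, ident):
        return self._names.get(ident)


def _v4(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:  # '4s' would silently truncate a 16-byte IPv6 address
        raise ValueError("this record layout is IPv4-only")
    return addr.packed


def encode_flow(rec, users, apps):
    return struct.pack(
        FLOW_FMT,
        _v4(rec["src"]), rec["sport"], _v4(rec["dst"]), rec["dport"],
        _v4(rec["natsrc"] or "0.0.0.0"), rec["natsport"],
        PROTO[rec["proto"]], rec["start"], rec["end"], rec["bytes"],
        STATUS[rec["status"]], users.id_for(rec["user"]), apps.id_for(rec["app"]))


def decode_flow(blob, users, apps):
    (src, sport, dst, dport, nat, natsport, proto, start, end, nbytes,
     status, uid, aid) = struct.unpack(FLOW_FMT, blob)
    nat_ip = str(ipaddress.ip_address(nat))
    return {
        "src": str(ipaddress.ip_address(src)), "sport": sport,
        "dst": str(ipaddress.ip_address(dst)), "dport": dport,
        "natsrc": None if nat_ip == "0.0.0.0" else nat_ip, "natsport": natsport,
        "proto": {v: k for k, v in PROTO.items()}[proto],
        "start": start, "end": end, "bytes": nbytes,
        "status": {v: k for k, v in STATUS.items()}[status],
        "user": users.name_for(uid), "app": apps.name_for(aid),
    }


def load_flows(text):
    return [r for r in (parse_flow(l) for l in text.splitlines()) if r]


def export_sizes(text):
    """Bytes needed for the SESSION lines as text syslog versus binary records."""
    users, apps = IdTable(), IdTable()
    lines = [l for l in text.splitlines() if parse_flow(l)]
    text_size = sum(len(l.encode()) for l in lines)
    bin_size = sum(len(encode_flow(parse_flow(l), users, apps)) for l in lines)
    return text_size, bin_size


def bytes_by(flows, field):
    """Traffic-report style aggregation: bytes per user or per application."""
    totals = {}
    for r in flows:
        totals[r[field]] = totals.get(r[field], 0) + r["bytes"]
    return totals


if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOGS)
    print("text vs binary bytes:", export_sizes(SAMPLE_LOGS))
    print("bytes by user:", bytes_by(flows, "user"))
    print("bytes by app:", bytes_by(flows, "app"))
```

The ID tables are what makes the binary record small: user and application names travel once, in the table, rather than in every record. The same tables must be shipped to (or rebuilt by) the receiver, which is the practical cost of the binary mode mentioned above.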
Abundant Logs
The USG6000V series provides complete and unified log information. The types of logs
include:

Traffic log
The USG6000V series generates traffic logs per flow for the passing traffic. A log of this
type contains the source address, source port, destination address, destination port,
Internet access user, application, flow start time, flow end time, and flow status. For a
flow that undergoes NAT, the log also contains the post-NAT address and port, which is
what makes the flow attributable when an external party reports only the translated
address.
You can view global traffic conditions by user and application to better understand
bandwidth usage and the effect of security policies.

Attack defense log
When large-scale attacks occur, the USG6000V series queues the alarm information for
the attack defense features it supports and generates alarms in syslog format. Alarm
information includes the attack source (source address) and attack type.

Threat log
When detecting threats, the USG6000V series generates threat logs. The threat logs
record the detected network threats, such as viruses, intrusions, DDoS attacks, botnets,
and worms and the defense against them. They help you better understand the current
and historical threat events, modify policies, and take defense measures.

URL filtering log
The USG6000V series applies the configured URL filtering policy to web access initiated
by intranet users and records URL logs for those users. URL filtering logs help you
better understand URL access behavior, the alarms and blocking events generated when
intranet users access URLs, and the causes of those alarms and blocking events.

Data filtering log
The USG6000V series implements data filtering and generates logs for the traffic that
matches data filtering conditions. Data filtering logs help you better understand the risky
user behavior, alarms and blocking events generated when intranet users transfer files,
send and receive emails, and access websites, and causes of the alarms and blocking
events.

Mail filtering log
The USG6000V series implements mail filtering and generates logs for the traffic that
matches mail filtering conditions. Mail filtering logs help you better understand the
protocol types, attachment counts, and attachment sizes of user emails and the reasons
why emails are blocked, so that you can take appropriate measures when legitimate
emails are blocked.

Operation log
Operation logs record all operations performed by administrators on the USG6000V
series. They help you better understand the logins, logouts, and configuration
operations of all administrators and the device management history, and so enhance
device security. Because an attacker who gains administrative access could clear the
local copy, operation logs should be forwarded to a log server as they are generated.

System log
System logs record all key events during the system operating. Based on the logs, you
can better understand the operating status of the device and locate the fault.

User activity log
The USG6000V series logs user activities when the users access the Internet. User
activity logs help you better understand user behavior and user online records, such as
the login time, Internet-access duration, and IP and MAC addresses used for login,
discover abnormal user login and access behavior, and take immediate measures.

Policy matching log
The USG6000V series logs policy matching events. Policy matching logs help you better
understand the events that policies are matched, determine whether policies are correctly
configured and effective, and locate faults.

Audit log
The USG6000V series supports the behavior audit and content audit functions and
generates audit logs on user Internet-access behavior and key contents. Based on audit
logs, you can view the network behavior of users.

Traffic monitoring log
The USG6000V series monitors traffic by security zone and IP address and checks whether
the rate or connection count reaches the configured upper or lower limit. It generates an
alarm and records a log when the upper limit is reached, and generates a recovery alarm
when the value falls back to the lower limit. The gap between the two limits keeps a value
hovering around a single threshold from raising an alarm on every sample.

Blacklist log
The USG6000V series automatically adds the source IP address of any illegitimate user
that it has detected to the blacklist and generates a blacklist log that records the host IP
address and blacklisting reason.

Statistics information
Flow statistics are recorded to help you better understand the operating status of the
device. The flow statistics include the total connection count, the current connection
count and half-open connection count, the peak connection count, and the discarded
packet count. Statistics on attack packet counts help you better understand the status of
attack events.
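An added example, not Huawei code, that models the statistics listed above (total, current, half-open and peak sessions, dropped packets) together with the traffic monitoring log's upper-limit alarm and lower-limit recovery, as a small session tracker with a hysteresis monitor per security zone. Zone names, limits and the event trace (a SYN flood against the untrust zone followed by ordinary trust-zone traffic) are constructed.

```python
"""Session statistics with upper/lower-limit alarms per security zone.

Added example, not Huawei code.  Zone names, limits and SAMPLE_EVENTS are
constructed; the event kinds (syn/est/close/drop) are a simplified model of
a firewall's session table, not the USG6000V's internal states.
"""


class ZoneStats:
    """Per-zone flow statistics."""

    def __init__(self):
        self.total = 0      # sessions ever created
        self.current = 0    # sessions now in the session table
        self.half_open = 0  # sessions whose handshake never completed
        self.peak = 0       # highest concurrent session count seen
        self.dropped = 0    # packets discarded by attack defense or policy


class Hysteresis:
    """Return 'alarm' when the value reaches the upper limit and 'recover' only
    once it falls to the lower limit, so a value oscillating around a single
    threshold cannot raise an alarm on every sample."""

    def __init__(self, upper, lower):
        if not 0 <= lower < upper:
            raise ValueError("need 0 <= lower < upper")
        self.upper, self.lower, self.active = upper, lower, False

    def update(self, value):
        if not self.active and value >= self.upper:
            self.active = True
            return "alarm"
        if self.active and value <= self.lower:
            self.active = False
            return "recover"
        return None


class SessionTracker:
    def __init__(self, upper, lower):
        self.limits = (upper, lower)
        self.stats, self.monitors = {}, {}
        self.sessions = {}  # (zone, session id) -> "half-open" | "established"
        self.log = []       # traffic monitoring log: (zone, event, current)

    def _zone(self, zone):
        if zone not in self.stats:
            self.stats[zone] = ZoneStats()
            self.monitors[zone] = Hysteresis(*self.limits)
        return self.stats[zone]

    def event(self, zone, sid, kind):
        st, key = self._zone(zone), (zone, sid)
        if kind == "syn":
            if key in self.sessions:  # retransmitted SYN, not a new session
                return
            self.sessions[key] = "half-open"
            st.total += 1
            st.current += 1
            st.half_open += 1
            st.peak = max(st.peak, st.current)
        elif kind == "est":
            if self.sessions.get(key) == "half-open":
                self.sessions[key] = "established"
                st.half_open -= 1
        elif kind == "close":  # FIN/RST or aging timeout
            state = self.sessions.pop(key, None)
            if state is None:
                return
            st.current -= 1
            if state == "half-open":
                st.half_open -= 1
        elif kind == "drop":
            st.dropped += 1
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        result = self.monitors[zone].update(st.current)
        if result:
            self.log.append((zone, result, st.current))


def replay(events, upper, lower):
    tracker = SessionTracker(upper, lower)
    for zone, sid, kind in events:
        tracker.event(zone, sid, kind)
    return tracker


SAMPLE_EVENTS = (
    # SYN flood on the untrust zone: 12 half-open sessions, no handshake completes
    [("untrust", f"198.51.100.77:{40000 + i}>203.0.113.10:443", "syn") for i in range(12)]
    # the firewall ages 8 of them out
    + [("untrust", f"198.51.100.77:{40000 + i}>203.0.113.10:443", "close") for i in range(8)]
    # two packets discarded by attack defense
    + [("untrust", "-", "drop")] * 2
    # ordinary trust-zone traffic, including one retransmitted SYN
    + [("trust", "10.1.1.5:51514>203.0.113.10:443", "syn"),
       ("trust", "10.1.1.5:51514>203.0.113.10:443", "est"),
       ("trust", "10.1.1.9:40001>203.0.113.10:443", "syn"),
       ("trust", "10.1.1.9:40001>203.0.113.10:443", "syn"),
       ("trust", "10.1.1.9:40001>203.0.113.10:443", "est"),
       ("trust", "10.1.1.5:51514>203.0.113.10:443", "close")]
)

if __name__ == "__main__":
    t = replay(SAMPLE_EVENTS, upper=10, lower=5)
    for zone, s in t.stats.items():
        print(zone, vars(s))
    print(t.log)
```

With an upper limit of 10 and a lower limit of 5, the flood raises exactly one alarm (at the tenth half-open session) and one recovery (when aging brings the count down to five), even though the count stays above the lower limit for several samples in between; the half-open count staying high while the established count is zero is the signature the attack defense log would carry for a SYN flood.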
Diversified Reports
The USG6000V series provides diversified reports that combine log information and
intuitively display the information. You can customize reports to obtain only the data of your
concern.
Reports can be sent in an email to the administrator at the scheduled time.

Traffic report
Traffic reports of the USG6000V series analyze traffic statistics, rankings, and trends by
source address, destination address, user, application, application category, and
application subcategory.
The USG6000V series summarizes data of traffic logs and generates intuitive reports in
different dimensions, which provide visibility into network traffic status and help
determine traffic management methods.

Threat report
Threat reports of the USG6000V series analyze threat counts, trends, and rankings by
threat type, application, user, attacker, target, threat name, virus, and attack defense.
The USG6000V series summarizes data of threat logs and generates intuitive reports in
different dimensions, which provide visibility into latest threat behavior, attackers, and
victims and help determine security defense methods.

URL report
URL reports of the USG6000V series analyze URL access statistics, rankings, and trends
by URL category and website.
The USG6000V series summarizes data of URL logs and generates intuitive reports in
different dimensions, which provide visibility into the URLs or websites that are accessed
most often and the users who frequently access illegitimate URLs, and help determine
URL filtering policies.

Policy matching report
Policy matching reports of the USG6000V series analyze statistics on matching times
and rankings by policy.
The USG6000V series summarizes data of policy matching logs and generates intuitive
reports in different dimensions, which provide visibility into policy configuration and
effectiveness and help optimize policies.