USG9500 Terabit Level Next-Generation Firewall

Product Overview
A fully connected world is becoming a reality. Glasses, watches, and even home appliances and health
check products are going smart and digitally connected. In this big data era, network traffic grows
exponentially, network access methods are diverse, and services scale on demand. Mobile working offers
convenience, allowing people to be productive at home or anywhere. However, traditional security
architectures cannot effectively protect these agile and ubiquitous connections from equally ubiquitous
vulnerabilities, risks, and intrusions that may compromise data security and privacy. Security has become
the top priority in the ICT world.
Therefore, cloud service providers, large data centers, and enterprises are upgrading the firewalls at their
network borders to high-performance, full-featured next-generation firewalls (NGFWs). Enterprises
exploring the viability of mobile working are advised to evaluate the functionality and performance of
their firewalls for bottlenecks, and to upgrade their devices before becoming a target of emerging threats.
Models: USG9520, USG9560, USG9580
Huawei enterprise security products
6-01
Product Description
The USG9500 series comprises the USG9520, USG9560, and USG9580, and provides industry-leading
security capabilities and scalability. The firewall throughput of the series is up to 1.44 Tbps.
By using dedicated multi-core chips and a distributed hardware platform, the USG9500 provides
industry-leading service processing and expansion capabilities. All key components are redundant to
ensure service continuity on high-speed networks, providing a level of availability normally seen only in
core routers. The distributed architecture uses line-rate intelligent traffic distribution for data forwarding:
all data flows are distributed evenly across service processing units (SPUs) so that no single unit becomes
a bottleneck. The service processing capability therefore increases linearly with the number of service
modules, supporting the long-term growth of customer networks.
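The distribution described above only works for a stateful firewall if both directions of a connection reach the same SPU; otherwise reply packets arrive at a unit that holds no session entry for them. The following is an added illustration of that property, not Huawei's actual distribution algorithm: it hashes a canonicalized 5-tuple so that A-to-B and B-to-A select the same SPU, contrasts it with a naive direction-dependent hash, and checks that flows still spread evenly. The SPU count, the BLAKE2b hash and the sample flows are assumptions of the example.

```python
"""Symmetric flow hashing for distributing traffic across SPUs.

Added illustration, not Huawei's distribution algorithm. It demonstrates the
property a stateful firewall needs from flow-based load distribution: both
directions of a connection must land on the same service unit.
"""
import hashlib
import random
from collections import Counter

SPU_COUNT = 8  # hypothetical number of SPUs in the chassis


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Canonical 5-tuple: order the two endpoints so A->B and B->A agree."""
    a = (src_ip, src_port)
    b = (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def select_spu(src_ip, src_port, dst_ip, dst_port, proto, spu_count=SPU_COUNT):
    """Symmetric selection: hash the canonical key, then reduce modulo SPU count."""
    key = flow_key(src_ip, src_port, dst_ip, dst_port, proto).encode()
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % spu_count


def naive_select_spu(src_ip, src_port, dst_ip, dst_port, proto, spu_count=SPU_COUNT):
    """Direction-dependent selection (the bug): hashes the tuple as received."""
    key = f"{proto}|{src_ip}:{src_port}|{dst_ip}:{dst_port}".encode()
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % spu_count


def make_flows(n, seed=7):
    """Constructed sample flows: random clients in 10.0.0.0/16 to a few servers."""
    rng = random.Random(seed)
    servers = ["203.0.113.10", "203.0.113.20", "198.51.100.5"]
    flows = []
    for _ in range(n):
        src = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        flows.append((src, rng.randrange(1024, 65536), rng.choice(servers),
                      rng.choice([80, 443, 53]), rng.choice([6, 17])))
    return flows


def reverse(flow):
    """The reply direction of a flow (server back to client)."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    return (dst_ip, dst_port, src_ip, src_port, proto)


def symmetric_fraction(flows, selector, spu_count=SPU_COUNT):
    """Share of flows whose forward and reverse packets land on the same SPU."""
    same = sum(1 for f in flows
               if selector(*f, spu_count) == selector(*reverse(f), spu_count))
    return same / len(flows)


def spu_load(flows, spu_count=SPU_COUNT):
    """Flows per SPU under the symmetric hash, to check the balance."""
    counts = Counter(select_spu(*f, spu_count) for f in flows)
    return [counts[i] for i in range(spu_count)]


if __name__ == "__main__":
    flows = make_flows(8000)
    print("symmetric hash, same SPU both ways:", symmetric_fraction(flows, select_spu))
    print("naive hash, same SPU both ways:   ", symmetric_fraction(flows, naive_select_spu))
    print("flows per SPU:", spu_load(flows))
```

With eight SPUs the naive hash keeps only about one flow in eight on a single unit in both directions; the canonicalized key keeps all of them, and because the hash output is uniform the per-SPU load stays close to n/8.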
The USG9500 provides multiple types of I/O interface modules, called line processing units (LPUs), for
external connections and data transmission. LPUs and SPUs use the same interface slots and can be mixed
and matched as needed. The SPUs process all services: the motherboard of each SPU holds expansion cards
that house multi-core CPUs, which together with the software modules allow the SPUs to process every
service on the USG9500. To ensure service continuity, the USG9500 provides SPU redundancy and a
heartbeat detection mechanism between the SPUs and LPUs. If one SPU fails, all of its functions are switched
to the other SPUs without interrupting traffic. In addition, the USG9500 provides GE and 10GE interfaces
and supports cross-board port bundling to improve throughput and port density.
Highlights
Most accurate access control: ACTUAL-based comprehensive protection
The core function of both traditional firewalls and NGFWs is access control. On traditional firewalls,
however, access control is based only on port and IP address. The USG9500 provides finer-grained access
control:
• Comprehensive protection: Provides integrated control and protection based on application, content,
time, user, attack, and location (ACTUAL). Application identification is combined with application-layer
protection. For example, the USG9500 can identify Oracle-specific traffic and apply the intrusion
prevention signatures relevant to it, which increases efficiency and reduces false positives.
• Based on application: Accurately identifies over 6000 applications (including mobile and web
applications) and their sub-services, and then implements access control and service acceleration
accordingly. For example, the USG9500 can distinguish the voice and data services of an instant
messaging application and apply different control policies to each.
• Based on user: Supports eight user authentication methods, including RADIUS, LDAP, and AD
authentication; synchronization of user information from an existing authentication system; user-based
access control; and user-based QoS management.
• Based on location: Uses IP address geolocation to identify where application and attack traffic
originates, promptly detects network anomalies, and implements differentiated, user-defined access
control for traffic from different locations.
Most pragmatic NGFW features: one device replaces several to reduce TCO
As more information assets become reachable from the Internet, cyber attacks and information theft are
rampant, and next-generation firewalls must cover a wider range of protection. The USG9500 provides
comprehensive protection:
• Versatility: Integrates traditional firewall functions, VPN, intrusion prevention, antivirus, data leak
prevention (DLP), bandwidth management, and online behavior management into one device to simplify
deployment and improve efficiency.
• Intrusion prevention system (IPS): Detects and prevents exploits of over 5000 vulnerabilities and web
application attacks, such as cross-site scripting and SQL injection.
• Antivirus (AV): Blocks over 5 million viruses and Trojan horses using a high-performance antivirus
engine and a daily-updated virus signature database.
• Data leak prevention: Identifies and filters file and content transfers. The USG9500 identifies more
than 120 file types by content, so a file is still recognized when its name extension has been changed to
disguise it. In addition, the USG9500 can reassemble and apply content filtering to over 30 file types, such
as Word, Excel, PPT, PDF, and RAR files, to prevent leaks of critical enterprise information.
• Anti-DDoS: Identifies and prevents 10 types of DDoS attacks, such as SYN and UDP floods.
• Online behavior management: Implements cloud-based URL filtering to block malicious websites
using a URL category database of 85 million URLs, controls online behaviors such as posting to social
media and FTP upload and download, and audits Internet access records.
• Secure interconnection: Supports VPN technologies including IPSec, SSL, L2TP, MPLS, and GRE VPN to
ensure secure and reliable connections between enterprise headquarters and branch offices.
• QoS management: Flexibly manages upper and lower traffic thresholds and supports application-specific
policy-based routing and QoS marking to preferentially forward traffic of specified URL categories, such
as financial websites.
• Load balancing: Supports server load balancing and, where multiple egress links are available, link load
balancing based on link quality, bandwidth, and weight.
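The data leak prevention bullet above relies on recognizing a file by its content rather than its name. The following is an added example of that technique, written for this page and not Huawei's detection engine: it classifies a transfer by magic bytes, looks inside ZIP containers to tell Office Open XML documents from plain archives, and blocks a spreadsheet that has been renamed to look like a photo. The signature table, the policy, and all sample files are constructed for the example.

```python
"""File-type identification by content, not extension.

Added illustration of content-based file typing for DLP; not Huawei's engine.
A small magic-byte table is used, OOXML documents (docx/xlsx/pptx) are told
apart from ordinary ZIP archives by inspecting the container, and the block
decision is taken on the sniffed type, so renaming a file does not help.
"""
import io
import os
import zipfile

# Signature table: (magic prefix, type label). RAR4 and RAR5 differ in byte 7.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07\x00", "rar"),                   # RAR 4.x archive
    (b"Rar!\x1a\x07\x01\x00", "rar"),               # RAR 5.x archive
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt container
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "pe"),                                  # Windows executable or DLL
    (b"PK\x03\x04", "zip"),                         # ZIP container, refined below
]

# What each declared extension is expected to contain (used only to flag renames).
EXTENSION_TYPES = {
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".rar": "rar", ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "docx", ".xlsx": "xlsx", ".pptx": "pptx", ".zip": "zip",
    ".gz": "gzip", ".exe": "pe", ".dll": "pe", ".txt": "text",
}


def classify_zip(data):
    """Distinguish Office Open XML documents from an ordinary ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"  # ZIP local-header magic present but the directory is damaged
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, label in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return label
    return "ooxml"


def sniff_type(data):
    """Return the content type inferred from the bytes, or 'unknown'."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return classify_zip(data) if label == "zip" else label
    return "unknown"


def inspect_transfer(filename, data, blocked_types):
    """Policy decision for one transfer, taken on the sniffed type."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    renamed = declared != "unknown" and actual != "unknown" and declared != actual
    action = "block" if actual in blocked_types else "allow"
    return {"file": filename, "declared": declared, "actual": actual,
            "renamed": renamed, "action": action}


def make_xlsx_bytes():
    """Constructed minimal OOXML workbook: enough structure for classification."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


# Constructed samples: the workbook renamed to look like a photo, a PDF,
# a RAR5 header with filler bytes disguised as text, and real plain text.
SAMPLES = [
    ("holiday.jpg", make_xlsx_bytes()),
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"),
    ("notes.txt", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24),
    ("readme.txt", b"plain text, nothing to see\n"),
]

BLOCKED = {"docx", "xlsx", "pptx", "ole2", "pdf", "rar"}

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(inspect_transfer(name, blob, BLOCKED))
```

The decision never consults the extension; it is recorded only so the log shows that the sender tried to disguise the file. Inspecting the ZIP directory is what separates a harmless archive from an Office document, since both start with the same four bytes.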
Most advanced network processor + multi-core CPU + distributed architecture: linear performance scaling that breaks the performance bottleneck
The USG9500 uses a modular hardware platform of the kind found in core routers. Each LPU has two
network processors (NPs) to provide line-rate forwarding. Each SPU uses multi-core CPUs with a
multi-threaded architecture, and each CPU has an application acceleration engine. These hardware
advantages, combined with Huawei's optimized concurrent processing technology, increase usable CPU
capacity and allow high-speed parallel processing of multiple services, such as NAT and VPN. LPUs and
SPUs operate independently, so overall performance increases linearly with the number of SPUs and
customers can scale performance at low cost.
With this system architecture, the USG9500 is the industry's highest-performance security gateway in
terms of throughput and concurrent connections. The dedicated traffic distribution technology allows
performance to grow linearly with the number of SPUs. The USG9500 delivers a maximum of 1.44 Tbps
large-packet throughput, 1.44 billion concurrent connections, and 4096 virtual firewalls to meet the
performance demands of high-end customers, such as television and broadcast companies, government
agencies, energy companies, and education organizations.
Most stable and reliable security gateway: full redundancy to ensure service continuity
Network security is essential to the normal operation of enterprises. To ensure service continuity on
high-speed networks, the USG9500 supports active/standby and active/active redundancy, port aggregation,
VPN redundancy, and SPU load balancing. It also supports dual-MPU active/standby switchover, a feature
normally seen in high-end routers, to provide high availability. The mean time between failures (MTBF)
of the USG9500 is up to 200,000 hours, and the failover time is less than one second.
Most diverse virtualization functions: built for cloud networks
Cloud computing relies on virtualization and secure high-speed network connections. To support cloud
deployments, the USG9500 delivers high throughput and supports virtual systems that have dedicated
resources, forward traffic independently, and are configured and managed separately to meet the
requirements of different customers. You can assign resources to each virtual system as needed, configure
policies, log management, and audit functions per virtual system according to each tenant's requirements,
and customize the traffic forwarding process of each virtual system. The forwarding planes of virtual
systems are separated, which protects the data of each tenant and ensures that resource exhaustion in one
virtual system does not affect the others.
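The isolation guarantee in the paragraph above is usually implemented by giving each virtual system a guaranteed share of a resource plus a hard maximum, with the unreserved remainder borrowed on demand. The following added example models that for the session table; it is an illustration written for this page, not the USG9500's implementation, and the tenant names, capacity and quotas are hypothetical. It shows one tenant exhausting everything it is allowed to take while the other tenants still get their guaranteed sessions.

```python
"""Per-virtual-system session quotas with guaranteed and maximum values.

Added illustration of resource isolation between virtual systems; the class
and the numbers are hypothetical, not the USG9500's implementation. Each
virtual system owns a guaranteed share of the session table that no other
tenant can consume, and may grow to its maximum by borrowing from the
unreserved remainder. A tenant that has used its allowance is refused further
sessions while the others keep their guaranteed capacity.
"""


class VsysSessionBroker:
    def __init__(self, capacity):
        self.capacity = capacity  # total session-table capacity of the chassis
        self.guaranteed = {}      # vsys -> sessions reserved for it alone
        self.maximum = {}         # vsys -> hard cap including borrowed sessions
        self.used = {}            # vsys -> sessions currently open

    def add_vsys(self, name, guaranteed, maximum):
        if maximum < guaranteed:
            raise ValueError("maximum must be at least the guaranteed value")
        if sum(self.guaranteed.values()) + guaranteed > self.capacity:
            raise ValueError("guaranteed allocations exceed chassis capacity")
        self.guaranteed[name] = guaranteed
        self.maximum[name] = maximum
        self.used[name] = 0

    def shared_free(self):
        """Sessions left in the pool that is not reserved for any tenant."""
        pool = self.capacity - sum(self.guaranteed.values())
        borrowed = sum(max(0, self.used[v] - self.guaranteed[v]) for v in self.used)
        return pool - borrowed

    def open_session(self, vsys):
        """True if the session is admitted, False if the tenant is out of quota."""
        if self.used[vsys] >= self.maximum[vsys]:
            return False
        if self.used[vsys] < self.guaranteed[vsys] or self.shared_free() > 0:
            self.used[vsys] += 1
            return True
        return False

    def close_session(self, vsys):
        if self.used[vsys] == 0:
            raise ValueError("no open session to close")
        self.used[vsys] -= 1


def open_many(broker, vsys, n):
    """Try to open n sessions; return how many were admitted."""
    return sum(1 for _ in range(n) if broker.open_session(vsys))


def demo():
    """Constructed scenario: a 1000-session chassis shared by three tenants."""
    b = VsysSessionBroker(capacity=1000)
    b.add_vsys("tenant-a", guaranteed=200, maximum=800)
    b.add_vsys("tenant-b", guaranteed=200, maximum=400)
    b.add_vsys("tenant-c", guaranteed=100, maximum=100)
    a = open_many(b, "tenant-a", 800)         # reservation + whole shared pool: 700
    c = open_many(b, "tenant-c", 150)         # capped by its own maximum: 100
    b_first = open_many(b, "tenant-b", 300)   # shared pool is gone, reservation only: 200
    for _ in range(100):
        b.close_session("tenant-a")           # A releases 100 borrowed sessions
    b_second = open_many(b, "tenant-b", 300)  # B can now borrow those 100
    return {"a": a, "c": c, "b": b_first + b_second, "total": sum(b.used.values())}


if __name__ == "__main__":
    print(demo())
```

The point of the two numbers is that a noisy tenant can only starve the shared remainder, never another tenant's guaranteed share, and the sum of guarantees is checked against chassis capacity at configuration time so the promise can always be kept.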
Specifications

Performance and Capacity
                                      USG9520         USG9560         USG9580
Maximum firewall throughput           120 Gbps        720 Gbps        1.44 Tbps
Maximum number of concurrent          120 million     720 million     1.44 billion
sessions

Expansion and I/O
Number of expansion slots             3               8               16
Number of MPU slots                   2               2               2
Interface types                       GE, 10GE, 40GE, and 100GE interfaces
SPU                                   Firewall and application security SPUs
Dimensions, Power Supply, and Operating Environment
                                      USG9520                   USG9560                   USG9580
Dimensions (H x W x D)                175 mm x 442 mm x         620 mm x 442 mm x         1420 mm x 442 mm x
                                      650 mm (4U, DC)           650 mm (14U)              650 mm (32U)
                                      220 mm x 442 mm x
                                      650 mm (5U, AC)
Weight                                Empty: 15 kg (DC)         Empty: 43.2 kg            Empty: 94.4 kg
                                      Full configuration:       Full configuration:       Full configuration:
                                      32 kg (DC)                113 kg                    229 kg
                                      Empty: 25 kg (AC)
                                      Full configuration:
                                      42 kg (AC)
AC power supply                       90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended)
DC power supply                       –72 V to –38 V; –48 V (rated)
Power                                 1270 W                    3960 W                    7540 W
Working temperature                   Extended operation: 0°C to 45°C; storage: –40°C to +70°C
Ambient humidity                      Long term: 5% RH to 85% RH, non-condensing; storage: 0% RH to 95% RH, non-condensing
Security Functions

Basic Firewall Functions
• Transparent, routing, and hybrid modes
• Stateful inspection
• Access control
• Blacklist and whitelist
• Application specific packet filter (ASPF)
• Security zones

NAT/CGN
• Destination NAT/PAT
• NAT NO-PAT
• Source NAT with IP address persistency
• Source IP address pool groups
• NAT server
• Bidirectional NAT
• NAT-ALG
• Unlimited IP address expansion
• Policy-based destination NAT
• Port range allocation
• Hairpin connections
• SMART NAT
• NAT64
• DS-Lite
• IPv6 rapid deployment (6RD)

Egress Load Balancing
• ISP-based routing
• Intelligent uplink selection
• Transparent DNS proxy at egress
• User-based traffic control
• Application-based traffic control
• Link-based traffic control
• Time-based traffic control

Ingress Load Balancing
• Intelligent DNS at ingress
• Server load balancing
• Application-based QoS

Service Awareness
• Identification and prevention of over 6000 protocols: P2P, IM, game, stock charting/trading, VoIP,
video, streaming media, email, mobile phone services, web browsing, remote access, network
management, and news applications
URL Filtering
• URL database of 85 million URLs
• 130+ URL categories
• Trend and top N statistics based on users, IP addresses, categories, and counts
• Query of URL filtering logs

Antivirus
• Detection of 5 million viruses
• Flow-based inspection for higher performance
• Inspection of encrypted traffic
• Trend and top N statistics by virus family

PKI
• Online CRL check
• Hierarchical CA certificates
• Support for public-key cryptography standards (PKCS#10)
• CA certificate
• Support for SCEP, OCSP, and CMPv2 protocols
• Self-signed certificates
• Online CA certificate enrollment

VPN
• MD5 and SHA-1 authentication
• DES, 3DES, and AES encryption
• Manual key, PKI (X.509), and IKEv2
• Perfect forward secrecy (DH group)
• Anti-replay
• Transport and tunnel modes
• IPSec NAT traversal
• Dead peer detection (DPD)
• EAP authentication
• EAP-SIM, EAP-AKA
• VPN gateway redundancy
• IPSec v6, IPSec 4 over 6, and IPSec 6 over 4
• L2TP tunnel
• GRE tunnel

Intrusion Prevention System
• Protocol anomaly detection
• User-defined signatures
• Automatic update of the knowledge bases
• Zero-day attack defense
• Prevention of worms, Trojan horses, and malware attacks

Anti-DDoS
• Prevention of SYN, ICMP, TCP, UDP, and DNS floods
• Prevention of port scan, Smurf, teardrop, and IP sweep attacks
• Prevention of attacks exploiting IPv6 extension headers
• TTL detection
• TCP-MSS detection
• Attack logs

Networking/Routing
• Support for POS, GE, and 10GE interfaces
• DHCP relay/server
• Policy-based routing
• IPv4/IPv6 dynamic routing protocols, such as RIP, OSPF, BGP, and IS-IS
• Interzone/inter-VLAN routing
• Link aggregation, such as Eth-Trunk and LACP
High Availability
• Active/active and active/standby modes
• Hot standby (Huawei redundancy protocol)
• Configuration synchronization
• Firewall and IPSec VPN session synchronization
• Device fault detection
• Link fault detection
• Dual-MPU switchover

Virtual System
• Up to 4096 virtual systems (VSYS)
• VLAN on virtual systems
• Security zones on virtual systems
• User-configurable resources on virtual systems
• Inter-virtual system routing
• Virtual system-specific Committed Access Rate (CAR)
• Separate management of virtual systems
• Resource isolation for different tenants

Management
• Web UI (HTTP/HTTPS)
• CLI (console)
• CLI (remote login)
• CLI (SSH)
• U2000/VSM network management system
• Hierarchical administrators
• Software upgrade
• Configuration rollback
• STelnet and SFTP

Logging/Monitoring
• Structured system logs
• SNMPv2
• Binary logs
• Traceroute
• Log server (eLog)

User Authentication and Access Control
• Built-in (internal) database
• RADIUS accounting
• Web-based authentication

Certification
• Safety certification
• Electromagnetic compatibility (EMC) certification
• CB, RoHS, FCC, MET, C-tick, and VCCI certification
Note: Not all versions support all listed features. Contact your Huawei representative for details.