
USG5300 Unified Security Gateway Function and Application Scenario Introduction

Huawei Symantec Technologies Co., Ltd.

USG 5300 Introduction

Contents

Product Description

USG 5300 Features

USG 5300 Scenarios


Objective
Understand the network deployment position of the USG 5300
Master the major functions and features of the USG 5300
Master the hardware parameters of the USG 5300
Understand the typical networking of the USG 5300


USG5300 Product Description


Orientation in the Product Family

[Figure: product family positioning chart. Products shown: USG 9320, USG 9310, Eudemon 8080, Eudemon 8040, Eudemon 1000, Eudemon 500, Eudemon 300, Eudemon 200S, Eudemon 200, Eudemon 100E, USG 5360, USG 5350, USG 5330, USG 5320, USG 3000, USG 2110, USG 2120/2130/2200. Segments labelled: MAN 10 Gigabit egresses; MAN traffic cleaning; large enterprises and data centers; large and medium-sized enterprises; medium-sized enterprises; small and medium-sized enterprises; small enterprises and remote offices. Several product tiers carry the label "Multi-core architecture". Badge caption: "An authoritative security product testing organization in the world".]

Ranging from desktop devices to high-end Gigabit devices, Huawei carrier-class hardware firewalls deliver excellent performance and advanced security system architecture to fully protect your networks.

Advanced Multi-Core Architecture

[Figure: multi-core processor.]

Multi-core cooperation; strong performance

The built-in cores can process up to 30 concurrent threads, and thus the forwarding performance is improved exponentially.

Sound concurrent-task processing capability

Tasks are shared among multiple modules so that resources can be flexibly allocated. The application layer computation performance is very strong.

Open architecture; excellent expandability

The system delivers strong technology compatibility. It can be easily upgraded and expanded, and can interconnect with various extended buses.


A New Generation Unified Security Gateway for Large and Medium-sized Enterprises and Operators' Networks

• 32 concurrent threads, delivering excellent performance and up to 8 Gbps throughput
• Great number of new connections per second, defending against DDoS attacks with millions of packets
• Huge number of VPN tunnels, supporting 20000 concurrent tunnels
• Most extensive range of P2P protocols identified in the industry, implementing accurate filtering and traffic control
• Full redundancy design, ports supporting bundling, and link type redundancy
• Very low power consumption, of the average in the industry
• Supporting defense against GTP attacks


| Parameter | U5320 | U5330 | U5350 | U5360 |
|---|---|---|---|---|
| Applicable scenarios | Large and medium-sized enterprises, campuses, DCNs, and data centers | Large and medium-sized enterprises, campuses, DCNs, and data centers | Large and medium-sized enterprises, campuses, DCNs, and data centers | Large and medium-sized enterprises, campuses, DCNs, and data centers |
| Throughput (bps), large packets | 2 G | 4 G | 6 G | 8 G |
| Throughput (bps), mixed packets | 1.6 G | 2.2 G | 3 G | 4 G |
| Throughput (bps), small packets | 1.2 G | 1.6 G | 2 G | 2 G |
| New connections per second | 60000 | 80000 | 100000 | 150000 |
| Number of concurrent connections (standard/maximum) | 1600000/3000000 | 1600000/3000000 | 2000000/4000000 | 2000000/4000000 |
| Number of ACLs | 30000 | 30000 | 30000 | 30000 |
| Number of IPSec VPN connections | 20000 | 20000 | 20000 | 20000 |
| Number of L2TP VPN connections | 20000 | 20000 | 20000 | 20000 |
| VPN performance (bps) | 2 G | 2 G | 2 G | 2 G |
| Reliability | Double power; dual-system hot backup | Double power; dual-system hot backup | Double power; dual-system hot backup | Double power; dual-system hot backup |
| Virtual firewall | 100 | 100 | 100 | 100 |
| GTP filtering | Supported | Supported | Supported | Supported |
| P2P monitoring | Supported | Supported | Supported | Supported |
| WebUI | Supported | Supported | Supported | Supported |
| Terminal secure access control | Supported | Supported | Supported | Supported |

Comparison of New Connections per Second

[Figure: bar chart of the number of new connections per second, comparing Cisco (ASA5550, ASA5580-20), Juniper (ISG1000, ISG2000), H3C (F1000-A, F1000-E), TOPSEC (TG5664, TG5564, TG5464, TG5366, TG5266, TG5166, TG5328) and HS (USG5320, USG5330, USG5350, USG5360).]

The USG5000 enjoys a noticeable advantage in this index. Products at each level of the USG5000 keep ahead of those from other companies. The performance data of TOPSEC is unavailable, but according to the hardware structures, the number of new connections per second of TOPSEC is no more than 20000.

Comparison of Maximum Throughput Rate (Large Packets)

[Figure: chart of forwarding performance with large packets, comparing Cisco (ASA5550, ASA5580-20), Juniper (ISG1000, ISG2000), H3C (F1000-A, F1000-E), TOPSEC (TG5664, TG5564, TG5464, TG5366, TG5266, TG5166, TG5328) and HS (USG5320, USG5330, USG5350, USG5360). Legend: "Estimated value"; "Declared value (Generally, the actual value is no more than 1/3 of the declared one.)".]

Note on the ASA5580-20: The official data is 10 G (huge packets). In actual networks, the data is 5 G. The product orientation of ASA5580-20 is different from that of the USG5000. There is no counterpart product from Cisco.

Comparison of Maximum Throughput Rate (Small Packets)

[Figure: chart of forwarding performance with small packets, comparing Cisco (ASA5550, ASA5580-20), Juniper (ISG1000, ISG2000), H3C (F1000-A, F1000-E), TOPSEC (TG5664, TG5564, TG5464, TG5366, TG5266, TG5166, TG5328) and HS (USG5320, USG5330, USG5350, USG5360). Legend: "Estimated value"; "Data unavailable".]

Comparison of Maximum Concurrent Connections

[Figure: bar chart with two series, "Standard concurrent connections (10000)" and "Maximum concurrent connections (10000)", for ASA5550, ASA5580, ISG2000, F1000, TG5x66, TG5x64 and USG5000.]

The USG5000 supports memory expansion. The maximum number of concurrent connections of the USG5000 is 4000000, which is greater than the maximum concurrent connections declared by other companies.

Comparison of Power Consumption

*The lower the consumption is, the more competitive the product is.*

[Figure: bar chart with three series, "Maximum consumption (W)", "Average consumption (W)" and "consumption of 1 G performance (W)", for ASA5550, ASA5580, ISG2000, F1000, TG5x66, TG5x64 and USG5000.]

The power consumption of the USG5000 is the lowest in the industry, which gives the USG5000 a noticeable advantage. In particular, its power consumption per 1 G of performance is the lowest among all products. Energy saving, low consumption and environmental friendliness are main trends of social development and attract the attention of society and governments. Maintenance costs can be greatly reduced if customers adopt an energy-saving product.

Summary of Performance Comparison




The USG5000 is advanced in the following indices

New connections per second

Maximum forwarding capability

Maximum concurrent connections

Power consumption


1U box design; dimensions: 436 × 44.4 × 560 mm; weight: 10 kg

[Figure: chassis components: dual-power supply system, fan, cabinet, mainboard, slot.]

Leading Hardware Design


[Figure: Front panel and rear panel of the USG5300. Visible labels: E2GE, SLOT1, SLOT2, RUN, "Class 1 laser product", "HUAWEI USG5300 Series".]


Main features:
Electrical or optical GE interfaces (mutually exclusive), implementing dual physical link backup
Two extension slots, supporting 2GE and 4FE interface boards
Automatic temperature control fans, automatically adjusting speed and power consumption
Supporting AC and DC power supplies
Supporting alarms upon faults of key components
Supporting dual power backup


USG5300 Feature
Strong NAT Technology

Supporting extended NAT and implementing sharing of one public IP address among an infinite number of internal hosts

Supporting NAT ALG and implementing NAT traversal of multiple types of application protocols:
H.323 (including RAS and T.120)
SIP
MGCP
H.248
RTSP
...

Supporting bi-directional NAT and implementing simultaneous NAT on the two networks

Load balancing among multiple servers, guaranteeing proportional distribution of traffic among devices by using an efficient distribution algorithm

[Figure: USG5300 performing NAT. Labels: NET 1, NET 3, public IP address, "Translated into addresses in NET 4", "Translated into addresses in NET 2", Group 1 with Intranet IP 1, Intranet IP 2 and Intranet IP 3.]

The USG5300 provides customers with more flexible networking modes through
multiple NAT technologies and realizes better network planning.


All-round DDoS Attack Defense

1 SYN Flood
2 UDP Flood
3 ICMP Flood
4 DNS Flood
5 SMURF
6 CC
7 Land
8 Fraggle
9 WinNuke
10 ICMP redirection attack
11

[Figure: botnets send attack traffic (SYN Flood, UDP Flood, ICMP Flood, CC, SMURF) through Network A and Network B, while normal network users arrive through Network C; the USG5300 sits in front of the organization network and its service system. Legend: attack traffic; normal access traffic.]

Network A: Traffic is abnormal and fingerprints are recorded.
Network B: Traffic is abnormal and fingerprints are recorded.
Network C: Traffic is normal.

The USG5300 can effectively protect customers' key service systems and improve the sustainability of customers' services.


Link Bundling
[Figure: link bundling between two USG5300 devices connecting Network A and Network B.]

Link bundling is enabled between devices to bundle multiple physical links into
one logical link.
Supporting standard 802.3ad, connectible with other network devices
Supporting bundling of up to 4 x 4 links
Load balancing and redundancy among links


Control of Multiple Types of Network Traffic


Controlling external traffic that accesses the service system
Controlling network application traffic of terminal users
Controlling multiple protocols such as P2P, HTTP, and FTP

[Figure: USG5300 between the service system, remote users and the intranet.]

• Most comprehensive P2P feature base in the industry, effective control of more than 20 types of P2P protocols
• Supporting multiple modes of traffic control and combination of traffic control modes
• Implementing reasonable network traffic planning and effectively controlling bandwidth exhaustion by abnormal traffic, and thus protecting bandwidth resources

Diversified VPN Functions


[Figure: USG5300 terminating an L2TP tunnel from a remote user and an IPSec tunnel from a branch, with a RADIUS server and an internal server behind it.]

6 Gbps IPSec encryption
20000 VPN tunnels
NAT traversal of IPSec
L2TP, LAC, and LNS
GRE tunnel transmission

The USG5300 delivers a very large VPN capacity. It supports 20000 concurrent tunnels, and provides G level VPN transmission experience and high-speed encryption of services with heavy traffic across customers' networks.

Two-Node Cluster Hot Backup and Load Balancing

Effectively guaranteeing network reliability and preventing single-point failures

Based on standard VRRP, this feature can be easily generalized and flexibly configured. It can be applied to multiple networking environments and can effectively improve the reliability of customers' networks.

Dynamic Routing Protocols

Routing protocol computation
Load balancing among multiple links
Seamless interoperation with routing devices

Types of routes supported:
RIP v1
RIP v2
OSPF
BGP

[Figure: routed topology of Network A to Network G. Callouts: "The best route to Network E can be automatically selected."; "Multiple links automatically balance loads and implement backup."]

The Eudemon provides customers with both security and routing functions to reduce customers' investments and networking costs.

Virtual Firewall

Supporting up to 100 virtual firewalls

Each virtual firewall can support the Trust zone, the Untrust zone, the DMZ, and five user-defined security zones. The interfaces (physical interface VLANs and VPN channel interfaces) can be flexibly classified and allocated.

The system resources can be independently allocated to provide independent security services, NAT multiple instances, and VPN multiple instances.

Each virtual firewall is independently managed.

[Figure: multiple virtual firewalls (VZONE), each with its own Trust zone, DMZ and user-defined zone.]

The virtualized platform can isolate multiple service systems and reduce security risks. Multiple virtual systems can better use the device and greatly improve customers' product values.

GTP Security Defense

Supporting filtering of GTP
Applicable to Gn, Gp, and Gi interfaces in the PS domain

[Figure: USG5300 between the SGSN and the GGSN, serving cell phone or wireless terminal users.]

The USG5300 provides all-round defense for operators' PS domains. It can defend against GTP-based attacks such as protocol abnormalities, spoofing, resource exhaustion, and overbilling.

High-speed Log Traffic Audit

Collecting all logs passing through this device
High-speed transmission of log traffic in binary format

[Figure: USG5300 between the external network and the intranet, sending logs to a log server; intranet users sit behind it.]

The USG5300 can work with log software to provide customers with clear
network access records for future analysis or searches.

Cooperate with Secospace

Risks addressed:
Information theft through USB storage devices
Internet IM chatting
Invalid external connection and games

Controls:
Blocking invalid connections in time
Terminating invalid network programs
Prohibiting USB storage devices

[Figure: USG5300 deployed with Secospace. Labels: SA, SRS, SC, SM, PROXY server, VPN gateway, domain management server, anti-virus server, patch server, service system, intranet.]

Manage and audit all behaviors of the terminal for monitoring the security status and providing
continuous defense.
Audit employee behaviors and enhance the security awareness among employees to facilitate
employees in focusing on their work and improving their efficiency.


Cooperate with eLog

NAT log query: time segment based, destination IP based, destination port based, source IP based, source port based
Save query template
Rank alarms in real time to locate faulty equipment timely
Defensiveness analysis: get to know the firewall defensiveness situation with ease and produce proposals on countermeasures

[Figure labels: Network Management System, eLog, log, Intranet, Switch, Firewall, Router, Internet, Company.]

Product Version Development Planning


2007/01-2008/05: USG5000 V1R1 (version for sale)

Hardware and interfaces:
4 GE-Comb fixed interfaces
2 slots
2-6 Gbps throughput
6000-15000 new connections per second
Interface module, 2/4 FE, 1/2 GE-SFP
Reliability:
VRRP/VGMP/HRP
Firewall features:
NAT and ASPF
Anti-attack
Virtual Systems
Security protection over GTP:
GTP

2008/06-2008/12: USG5000 V1R2 (version for sale)

Added features:
IPSec VPN
P2P protocol control
Overflow attack defense and GTP accounting

2008/11-2009/10: USG5000 V1R3

Added features:
UTM
Functions based on IPv6
SSL VPN
Payload balancing among multiple devices
MPLS VPN
Bandwidth control


Application Scenarios of the USG5300

USG5300 Route mode

Block the attack, no impact to normal traffic.

[Figure: HQ network with the USG5300 in route mode. Labels: Internet, Cisco, Juniper, FE, E1, ADSL.]

USG5300 Transparency mode

Block the attack, no impact to normal traffic.

[Figure: HQ network with the USG5300 in transparency mode. Labels: Internet, Cisco, Juniper, FE, E1, ADSL.]

USG5300 Scenarios
Typical Application

[Figure: typical deployment. Labels: remote user, branch and SOHO office with Eudemon 200E devices, VPN tunnel, link aggregation, USG5300, key service system, data center, intranet.]

The USG5300 provides customers with a highly reliable network security platform featuring full redundancy and double links to guarantee network operation and avoid single-point failures.

Multiple Security Zones

[Figure: USG5300 connected to ISP A and ISP B and separating the management area, partner area, financial department area, personnel department area, external service system, internal service system and the intranet security zone.]

The USG5300 provides customers with high-density network interfaces to further divide customers' networks and reduce risks across the networks.

Link Bundling

Links of key services to the DMZ are aggregated.
Links are aggregated at the egress to external networks to handle heavy traffic.
Links to the core switch in the intranet are aggregated.

[Figure: USG5300 with link aggregation toward the key service system, the external networks and the intranet.]

• Meeting the bandwidth requirements of 1 Gbps traffic links
• Simultaneous working of multiple links, improving link reliability
• Leaving out expensive 10 devices