USG6600 the next generation firewall

The USG6000 inherits the original employee management system of an enterprise to implement user-based traffic detection and control.

Number : G583D178E7F390

Brand : HUAWEI



USG6000 Highlights
This section describes how the USG6000 deals with new network threats.
The next-generation firewall addresses the new threats posed by new networks as follows:

  • Uses signatures and features instead of ports and protocols to define applications and identify the actual attributes of packets and security risks.
  • Integrates the Service Awareness (SA) function and employs dedicated hardware to inspect the actual applications and contents of packets.
  • Integrates the Intrusion Prevention System (IPS) function to ensure high performance in threat identification and blocking.
  • Provides comprehensive visualized management, audit, and reporting functions so that a network administrator can see the actual network status.

The HUAWEI USG6000 series uses next-generation firewall features to address new threats as follows:

  • Security feature

    The USG6000 inherits and improves traditional security functions to effectively identify applications and defend against application-layer threats and attacks.

  • Performance

    The Intelligent Awareness Engine (IAE) inspects packets once and extracts all the information needed for subsequent security policy matching, increasing processing efficiency.

  • Control dimension

    The USG6000 controls services by user, application, content, and quintuple (source/destination IP address, source/destination port, and service).

  • Detection granularity

    The USG6000 provides flow-based detection and real-time monitoring. It also supports cache-free technologies to detect applications, intrusion behaviors, and virus-infected fragments and packets. This improves the security of network access.

  • Cloud computing and data center

    The USG6000 virtualizes route forwarding, configuration management, and security services to provide comprehensive defense capabilities for cloud computing and data centers.

The USG6000 can be deployed to bring about significant benefits.

  • The USG6000 inherits the original employee management system of an enterprise to implement user-based traffic detection and control.
  • An individual USG6000 is highly integrated and offers high performance to defend against network threats, which greatly reduces Total Cost of Ownership (TCO).
  • The unified detection mechanism improves network security without significantly delaying or otherwise affecting the transmission of network traffic, ensuring a good user experience.
  • The USG6000 enables visualized management of applications and contents to improve management efficiency, help enterprises carry out services securely, and obtain more benefits.

USG6000 Features

This section describes the functions and designs of the USG6000.

New 10-Gigabit Multi-Core Hardware Platform

The USG6000 provides the following features:

  • High performance using a new 10-Gigabit multi-core hardware platform

  • High slot density and diversified interface cards to process massive services

  • Key component redundancy, mature link switchover, and electrical built-in bypass cards to deliver long Mean Time Between Failures (MTBF) and build a sustainable working environment for users

Professional Content Security Defense

The USG6000 provides the following to maintain professional content security defense:

  • Unified detection mechanism to ensure highly efficient Service Awareness (SA). Based on the predefined signature database and IAE, the USG6000 identifies common applications and multi-channel applications.

  • SSL decryption. The USG6000 can decrypt SSL traffic and perform content security checks on the decrypted traffic.

  • Antivirus (AV). The USG6000 employs the advanced Intelligent Awareness Engine (IAE) and a constantly updated virus signature database to detect and remove viruses.

  • Intrusion Prevention System (IPS). The USG6000 detects and defends against thousands of intrusion behaviors, worms, Trojan horses, and botnets.

  • URL filtering. The USG6000 blocks connections to HTTP and HTTPS URLs as configured. URLs and URL categories can be deployed locally or on a remote real-time query server.

  • Content filtering. The USG6000 filters the packets of common file transfer protocols and mail protocols based on keywords in files and mails.

  • File blocking. The USG6000 filters the packets of common file transfer protocols and mail protocols based on file types.

  • Application behavior control. The USG6000 supports connection control by application to disable unwanted applications. It controls common HTTP and FTP application behaviors, such as file upload and download through HTTP/FTP, HTTP POST, web page browsing, and HTTP proxy.

  • Mail filtering. The USG6000 interworks with the Real-time Blacklist (RBL) server to block spam. It filters mails by receiver address, sender address, subject, body, attachment name, attachment content, or attachment size.

Integration of Security, Routing, and VPN Services

The USG6000 provides the following to integrate security, routing, and VPN services:

  • Powerful content security capabilities. The USG6000 analyzes the contents transmitted by applications and detects intrusion behaviors, viruses, files, URLs, and confidential information. The administrator can formulate security policies for various services and perform global configurations based on flows, which greatly improves management efficiency.

  • All-round traditional firewall security functions. The USG6000 inherits all network-layer security functions of traditional firewalls to easily cope with network-layer attacks or threats.

  • Support for various routing and switching protocols. The USG6000 applies to various network environments, and can replace existing routers or firewalls or be transparently connected to the existing network.

  • Diversified VPN access modes. The USG6000 supports multiple VPN access modes such as IPSec, L2TP, GRE, SSL VPN, and DSVPN for secure connections between the headquarters, branches, partners, and mobile workers on the Internet to provide low-cost VLAN solutions.

  • Highly integrated services that construct an E2E secure network environment for the enterprise

Refined Management by Application and User

The USG6000 provides the following to refine management by application and user:

  • Managing users locally, maintaining the organizational structure, and implementing centralized management over VPN or PPPoE users

  • Interworking with common user servers such as the Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), Lightweight Directory Access Protocol (LDAP), and TSM servers to import user information and implement proxy authentication

  • Pushing web pages for user authentication or collaborating with the AD server to synchronize information about online users promptly

  • Single Sign-on (SSO) that simplifies configurations and user logins without increasing security risks

  • Applying security policies to the authenticated users for managing traffic by user and application

Visualized Management and Diversified Logs and Reports

The USG6000 provides the following to implement visualized management:

  • New web UI for the administrator to rapidly configure, manage, maintain, commission, and troubleshoot the device

  • Multiple management modes such as Web UI, CLI (Console, Telnet, or SSH), and NMS (SNMP)

  • Multiple log types such as the traffic log, threat log, URL log, content log, mail filtering log, operation log, system log, user activity log, and policy matching log for the administrator to learn about network events

  • Multiple report formats such as the traffic report, threat report, application report, URL report, and user report for the administrator to gain visibility into the network traffic status and security defense effect

Carrier-Class Reliability

The USG6000 provides carrier-class reliability as follows:

  • Huawei has used its considerable telecommunications experience to develop the USG6000. The USG6000 provides various carrier-class reliability technologies at the hardware, software, and link layers to ensure high availability. The USG6000 supports technologies such as dual-system hot backup, fault detection, power supply redundancy, and hardware bypass.

  • Based on multiple reliability technologies, traffic is redirected promptly when a device fails to ensure normal transmission.

Flexible Scalability

The USG6000 provides flexible scalability with the following features:

  • Multiple expansion interface card slots for enhancing hardware forwarding capabilities and device performance

  • Key content security components such as the IAE, application signature database, antivirus signature database, threat signature database, RBL query server, and URL category database. These components can be updated or queried online to ensure that the USG6000 can cope with the latest security risks.

  • Virtual system. A physical device is divided into multiple virtual devices. Each is independent and locally isolated to implement system-level expansion, and each meets the requirements of device leasing and cloud computing.