
E8000E Series Firewall Products

Introduction

Huawei Symantec Technologies Co., Ltd.

Foreword


The Eudemon 8080E/8160E is a new-generation, high-end Gigabit firewall developed by Huawei for the core network and backbone network. It offers large capacity, high performance, and high reliability. As a high-performance security device, the Eudemon 8080E/8160E provides an all-round and flexible network solution for network applications.


Objectives
Master the hardware structure of E8000E
Know about the Characteristics of E8000E
Know about the typical application of E8000E


E8000E Series Firewall Introduction

Contents

Network orientation of E8000E

Hardware structure of E8000E

Characteristics of E8000E

Typical application of E8000E


Requirements for the New Generation Firewall


Higher performance
Indexes such as the throughput, new connections established per second, and maximum concurrent services must adapt to network development to avoid the firewall being the bottleneck.

Better flexibility
Quick response to new threats and customer requirements (new requirements, new devices)

Larger interface capacities
Richer interface types, more interfaces, larger interface capacities

Lower deployment costs
True extensible architecture supporting virtual technologies

Network Orientation of E8000E


100M security gateways
Models: E100E/200/200S
100-500M performance
P2P traffic control
Support for E1 and T1 interfaces
Rich routing features

Gigabit security gateways
Models: E300/500/1000 (2 G-4 G performance), E1000E-U2/3/5/6 (2 G-8 G performance)
NP architecture
High-density interfaces
High VPN performance
Multi-core processor
Best DDoS protection

High-end 10 Gigabit security gateways
Models: E8040/8080 (10 G-20 G performance), E8080E/8160E (10 G-80 G performance)
Distributed architecture
NP and distributed architectures
NP and multi-core processor
Mass VPN access
Best DDoS protection

Advanced Architecture
NP high performance interface boards:
- Forwarding at consistent and stable line speed

Multi-core and multi-thread service processing cards:
- Process services such as NAT, ASPF, Anti-DDoS, and VPN at high speed with flexible extensions

Distributed hardware architecture:
- Solves the performance bottleneck
- Greatly enhances overall performance

Various Interfaces of Capacity


Dual NP high speed hardware forwarding engines for implementing line speed forwarding
Unique 155 M, 622 M, 2.5 G, and 10 G POS interfaces for accessing backbone networks and improving transmission efficiency
Maximum interface capacities for supporting 192 x GE or 8 x 10GE and facilitating user networking and capacity expansion

Type

POS

Ethernet

155 M

622 M

2.5 G

10 G

10 G

GE

24

E8080E

32

16

16

96

E8160E

64

32

32

192

Board
density


E8000E Product Specifications


Product model: Eudemon8080E, Eudemon8160E
Throughput: 10Gbps*4 (Eudemon8080E), 10Gbps*8 (Eudemon8160E)
Concurrent connection: 4 million*4 (Eudemon8080E), 4 million*8 (Eudemon8160E)
New connections established per second: 250,000*4 (Eudemon8080E), 250,000*8 (Eudemon8160E)
VPN performance/number of tunnels: 8 Gbps*4/40,000*4 (Eudemon8080E), 8 Gbps*8/40,000*8 (Eudemon8160E)
Virtual firewall: 1024 (Eudemon8080E), 1024 (Eudemon8160E)
Reliability: Component redundancy and hot swap/dual-system hot backup/link aggregation/dual main control boards/service load balancing and mutual backup/support for BYPASS device
Extended slot: 8 extended slots (Eudemon8080E), 16 extended slots (Eudemon8160E)

Software feature
Working mode: transparent/routing/mixed
FW: ASPF/DDOS defense/NAT/PAT/virtual FW
VPN: MPLS/IPSEC/GRE/L2TP/IKEv2
Routing feature: RIP/OSPF/BGP/static routes/IGMP/source address routing

Interface type
Ethernet interface: 5 GE, 10 GE, 24 GE, 1 10 G (optical or electrical interfaces)
POS interface: 8 155 M, 4 622 M, 4 2.5 G, 1 10 G


E8000E Appearance
[Figure: E8160E and E8080E chassis, with board labels MPU/SRU, SFU, LPU and ESPU]

E8160E: MPU 1+1 backup, SFU 3+1 backup, LPU*8, ESPU*8
E8080E: SRU 1+1 backup, SFU 3+1 backup, LPU*4, ESPU*4

Equipment Structure of E8160E


1. LCD
2. Fan module
3. Cable management bracket
4. Board frame
5. Cable management bracket
6. Air intake frame
7. Plastic panel of the power supply module
8. Power supply module
9. Rack-mounting ear
10. Handle

Board Cage Distribution of E8160E


[Figure: slot numbering of the E8160E board cage]

Equipment Structure of E8080E


1. Plastic panel of the FAN module
2. Fan module
3. Board cage
4. Air intake frame
5. Plastic panel of the power supply module
6. Power supply module
7. Handle
8. Rack-mounting ear
9. Cable management bracket

Board Cage Distribution of E8080E


[Figure: slot numbering of the E8080E board cage, including the SFU slots]

E8000E Hardware Structure


[Figure: E8000E hardware structure]

MPU (1+1 backup)
SFU (3+1 backup)
LPU (NP inside)
ESPU (multi-core CPU inside)
Monitoring bus
Management bus
Power supply: redundancy backup
Heat dissipation system: redundancy backup
E8000E Hardware Structure MPU/SRU


Function
Routing calculation
Provide clock unit
Monitoring and management

Figure labels: offline button, NM, clock

Processor and Storage of MPU Board


Parameters: Description (Remark)
CPU: 1GHz
Boot ROM: 1MB
SDRAM: 2GB
NVRAM: 512KB
Flash Memory: 32MB
CF Card: 512MB (CF cards of different capacities can be configured.)

E8000E Hardware Structure - SFU


Function
Line-rate switching
3+1 redundant backup; working in the load balancing mode

[Figure: 8080E SFU board and 8160E SFU board]

E8000E Hardware Structure - LPU

Function
Physical-layer adapter
Link-layer protocol disposal
Traffic management
Forwarding according to FIB

[Figure: LPU structure, with labels PIC, PIC Card, NP, Connector, LPU Module and FAD Module]

LPU Types
The types of LPUs supported by the Eudemon 8080E/8160E are as follows:
24-port 10Base-T/100Base-TX/1000Base-T-RJ45 electrical interface LPU
5-port or 10-port 1000Base-X-SFP optical interface LPU
24-port 100Base-FX/1000Base-X-SFP optical interface LPU
1-port 10 GBase LAN-XFP optical interface LPU
1-port 10 GBase WAN-XFP optical interface LPU
4-port or 8-port OC-3c/STM-1 POS-SFP optical interface LPU
4-port OC-12c/STM-4c POS-SFP optical interface LPU
1-port or 2-port or 4-port OC-48c/STM-16c POS-SFP optical interface LPU
1-port OC-192c/STM-64c POS-XFP optical interface LPU

E8000E Hardware Structure - ESPU


Function
Filtering application layer packets
Defending attacks
Blacklist function
NAT
Multiple Virtual Private Network (VPN) instances


Security defense-Packet filtering


Attribute: Packet filtering

Description:
Supporting basic ACL and advanced ACL.
Supporting time range ACL.
Supporting preference of configuration time for sequencing ACL rules.
Supporting dynamic addition of ACL rules.
Supporting blacklist.
Supporting the ASPF and the state inspection.
Providing the port mapping mechanism.

Security defense-NAT
[Figure: NAT example]

Trust zone: PC 192.168.1.3, Server 192.168.1.2
Eudemon: Trust interface Eth0/0/0 192.168.1.1, Untrust interface Eth0/0/0 202.169.10.1
Internet: Server 202.120.10.2, PC 202.130.10.3

Packet 1 in the Trust zone: source 192.168.1.3, destination 202.120.10.2
Packet 1 on the Internet: source 202.169.10.1, destination 202.120.10.2
Packet 2 on the Internet: source 202.120.10.2, destination 202.169.10.1
Packet 2 in the Trust zone: source 202.120.10.2, destination 192.168.1.3

Attribute: NAT

Description:
Supporting address translation (NAT and NAPT).
Providing static address mapping of internal server addresses.
Supporting security zone-based static address mapping of internal server addresses.
Supporting multiple NAT ALGs, including FTP, HTTP, SMTP, RTSP, MSN, QQ.

Security defense-Attack defense


[Figure: the Eudemon 8000E between Network A, Network B and Network C]

Attack types shown: defective packet attack, scanning and snooping attack, denial of service attack
Network A: abnormal traffic
Network B: abnormal traffic
Network C: normal traffic
Legend: attacking traffic, ordinary traffic

Network interconnection
Attribute: Network interconnection

Link layer protocol:
Supporting Ethernet
Supporting VLAN
Supporting PPP
Supporting HDLC
Supporting Trunk
Supporting IP-link

IP Service:
Supporting ARP address resolution

Routing Protocol:
Supporting static routing
Supporting dynamic routing through RIP, OSPF and BGP
Supporting policy-based routing
Supporting routing policy, routing iteration and routing management

Virtual Firewall
[Figure: one Eudemon divided into two virtual firewalls, vfw1 and vfw2, each with its own Trust, Untrust and DMZ zones]

Interfaces shown:
Eth4/0/1 10.1.1.1/24
Eth4/0/2 10.1.1.1/24
Eth4/0/3 192.168.1.1/24
Eth4/0/4 192.168.2.1/24
Eth4/0/5 2.1.1.1/24
Eth4/0/6 2.1.2.1/24

With Huawei's firewall multi-instance solution, the network operator can divide one Eudemon firewall into multiple VPN instances, so as to provide independent security services for multiple small private networks.

VPN Features
[Figure: HOME/OFFICE users reach the Eudemon 8000E at HQ over L2TP tunnels (hundreds of thousands of concurrent accesses); a branch connects over an IPSEC tunnel; a Radius Server and an Internal Server sit at HQ]

32 Gbps encryption and decryption performance; 320,000 concurrent IPSec tunnels.
Supports the IKEv2 protocol, enhances the authentication mechanism, and eliminates attack threats. It also supports wireless authentication protocols such as EAP-SIM and EAP-AKA.
Supports the L2TP protocol.
Supports the GRE protocol.

High Reliability
[Figure: EudemonA (Master) and EudemonB (Backup) connecting the Trust, Untrust and DMZ zones through Backup group 1, Backup group 2 and Backup group 3]

N+1 Backup
VRRP+VGMP+HRP


Security Protection of Large IDCs


Provide the best firewall performance in the industry
Provide high density 10 Gigabit Ethernet and POS interfaces.
Support dual-system hot backup/dual main control boards/card backup/link aggregation
Anti-attack capabilities of ten million packets per second
Adopt the distributed and scalable architecture
Traffic cleaning/VPN/NAT/virtual FW

[Figure: large IDCs connected over 10 G links to the CHINANET and CNC backbone networks; inside the IDC are the data storage area, service area, management and maintenance area, and other areas]

Security Protection of Government and Large Enterprise Vertical Networks

[Figure: Eudemon8000E at the HQ, Eudemon1000 at provincial institutes and Eudemon200 at municipal institutes, connected over dedicated networks by 10 Gigabit, Gigabit and 100 M links]

Security association of multiple 10 Gigabit links
DDoS protection of HQ services
Security separation of internal and external networks
VPN access of a large number of on-trip employees
Access control of HQ internal network resources

Security of High-speed Campus Network


[Figure: Eudemon8000E at the campus egress, connected over 10 G links to the INTERNET and CERNET; behind it are the NMS center, data center, administrative area, teaching buildings and sub campus]

High density Gigabit and 10 Gigabit interfaces for ensuring interworking
Rich routing features for ensuring intercommunications
Powerful DDoS protection capabilities for ensuring service continuity
High scalability for following updates and capacity expansion
Mass concurrent connections for ensuring user access to external network resources

Security Protection of Large-capacity WAP Gateways

[Figure: Eudemon8000E protecting the WAP gateways; labels: terminals with worms, attackers, mobile access, GGSN, CMNET, INTERNET]

With the rapid increase of mobile users, traffic of WAP services is also increasing dramatically. The WAP gateway urgently requires security gateways of large capacities and high performance for security separation and attack defense. The Eudemon8000E provides:
10 G-80 G scalability to meet users' growing performance requirements.
Tens of millions of concurrent connections to ensure concurrent access of a large number of mobile users.
Powerful DDoS defense capabilities to ensure stability of WAP gateway services.

Security Separation of Carrier Network Planes


[Figure: ChinaNET public network and CN2 dedicated network, spanning capital cities and small cities]

With the reorganization of services, large carriers are facing service integration and network capacity expansion, which requires security gateway products of higher performance stability. The Eudemon8000E provides:
A maximum of 80 G scalability and the best DDoS defense function to fully meet carriers' requirements on high performance.
Multiple 10 Gigabit interfaces and unique POS interfaces to facilitate access of high-speed networks, including SDH.
A virtual system to effectively ensure security separation of different services in each network.

Typical Application of uBroUTMS Broadband


[Figure: network diagram with labels SIM Card, wireless terminal, AP, base station, ADSL Dialing+NAT, BRAS, IPSec Tunnel, AG, AHR, AAA, HLR, NM Platform, IPClock, Internet, Intranet, private network and public network]

Summary


How many kinds of boards does E8000E have?

What are the differences of hardware structure between E8080E and E8160E?