
Eudemon8000E Series 10-Gigabits IPS security gateway


Academic year: 2021


HUAWEI TECHNOLOGIES CO., LTD.

Product Overview

Nowadays, network bandwidths increase rapidly, and security threats and attacks also flood networks. Therefore, enterprises and carriers must ensure service security and continuity while extending their network structure. The E8000E adopts a distributed hardware and software design. Its LPUs and SPUs are mutually independent and support on-demand configuration. Therefore, the E8000E provides flexible processing capability, diversified I/O interfaces, and abundant security services. This perfectly satisfies the requirements of users (including data centers, carriers, ISPs, and governments) for high integrity, quick response, high-speed processing, and long-term guarantee.

Product Description

Combining the dedicated multi-core processor and distributed hardware platform and adopting an innovative NP+multi-core+distributed architecture, the E8000E breaks through the performance bottleneck of the CPU. It delivers industry-leading service processing capability and service expansion capability. In addition, full-redundancy technology is applied to all components. The E8000E provides diversified technical guarantees, including dual-NP interface module, dual-CPU service processing module, dual-MPU control module, dual power supplies, and load balancing. All these ensure core router-level reliability, which further guarantees service continuity in high-speed networking.

The E8000E utilizes dynamic distributed concurrent processing technology. Service traffic is forwarded to multiple dedicated SPUs at the line rate in a distributed manner. Additionally, the SPUs support on-demand configuration, which thoroughly solves the conflict between service processing performance and data forwarding capability in ever-increasing high-speed networking.

This distributed technology uses line-rate intelligent traffic splitting for data forwarding. All data flows are equally distributed to service processing modules to prevent performance bottlenecks. In so doing, the service processing performance increases at the line rate in accordance with service modules, fundamentally supporting the long-term development of networks.

The E8000E supports multiple LPUs, and users can realize flexible LPU configuration as required. Furthermore, LPUs and SPUs adopt the same slot type. Thus, different combinations of LPUs and SPUs can be implemented for various interface and performance requirements, providing users with customized security protection solutions. The E8000E has a maximum interface capacity of 320 Gbps and provides 30 10GE interfaces and 360 GE interfaces. The E8000E also supports various POS interfaces and cross-board interface binding, which meets the requirements for large interface capacity and high interface intensity. Moreover, this also meets the networking requirements in complicated situations, such as the Metropolitan Area Networks (MANs) of carriers, large enterprises, and data centers.

Product Portfolio

The E8000E series includes two models, namely, the E8080E and E8160E. The E8160E provides industry-leading security protection capability and scalability. It supports 16 extension slots. The maximum firewall throughput reaches 160 Gbps; the IPS performance is 64 Gbps; the number of new connections per second is 4M, and 64M concurrent connections are supported; the VPN performance is 96 Gbps. The E8080E adopts the same software and hardware architecture as the E8160E. The E8080E, however, supports only 8 extension slots, and its integrated performance is just half that of the E8160E.

The SPU, heart of the E8000E, processes all services. To realize flexible configuration, the board combination design is adopted. Each SPU contains two parts, that is, the mother board and extension board, which can be deployed either independently or separately. The mother board provides 10G firewall performance and the mother board+extension board provides 20G firewall performance. The SPU adopts the multi-core+multi-processor hardware and implements service features through software modules. The heartbeat detection mechanism is realized between the SPU and LPU. Moreover, the SPU supports mutual backup. When an SPU is faulty, all its traffic is immediately distributed to other SPUs, preventing service interruption.

The LPU, limb of the E8000E, is responsible for external connection and data transmission. The LPU integrates the high-speed network processor to ensure flexibility. Certain firewall functions can be implemented on the LPU, which significantly reduces the pressure of the SPU. The network processor provides special processing design for each type of packets, for example, dedicated co-processor for hardware-based table searching and professional bit operation design, enabling unique advantage for small packet processing. Thus, the E8000E can realize almost-line-rate performance when processing mixed traffic on the network. Through the interworking between the LPU and SPU, the E8000E delivers high performance for services processing, as well as sound scalability.

Product Feature

Advanced NP + multi-system + distributed architecture — breaking traditional performance bottlenecks

E8000E adopts the architecture of independent control modules, interface modules, and service processing modules. Based on the dual NP, the interface module ensures the line-speed forwarding of interface traffic. Based on the multi-core and multi-thread architecture, the service processing module ensures the high-speed concurrent processing of multiple services, such as the Network Address Translation (NAT), Application Specific Packet Filter (ASPF), Anti-DDoS, and VPN. E8000E adopts the distributed concurrent processing mechanism, which greatly enhances the product performance. Thus, users can expand capacities with low pre-phase investment.

High firewall performance — guaranteeing users’ key services

The E8000E leads on the three main indexes: throughput, number of connections established per second, and maximum number of concurrent connections. The throughput of one service processing module of E8000E is 20 G; the number of connections established per second is 500,000; and the maximum number of concurrent connections is 8,000,000. Furthermore, E8000E has a maximum of eight service processing modules and its entire throughput reaches 160 G; the number of connections established per second is 4,000,000; the maximum number of concurrent connections is 64,000,000; and the number of virtual firewalls is 1024. The high performance and expandability of E8000E can meet high-end users’ requirements for high performance.

Stable and reliable security gateway — ensuring consistency of users’ services

Network security is a key point for enterprise operations. E8000E supports redundant components (such as interfaces, fans, and power supplies), hot swap, dual processing engines, master/backup and master/master networking, and high reliability. Different service boards of E8000E support load balancing and mutual hot backup, so a fault on a single board does not affect the entire system. Meanwhile, together with BYPASS devices, services will not be interrupted even if faults or power failures occur on devices. The mean time between failures of E8000E is as long as 500,000 hours, and the failover time is less than 0.1 second. These ensure consistent and stable service operations.

Optimal VPN performance — adapting to requirements for encrypted transmission of mass services

With the increase of network applications, more and more services need to be transmitted on the public network safely. Subsequently, services that require mass VPN access gateway of 100-Gigabit emerge, such as mobile security access, Short Message Service (SMS) push, and email push. E8000E provides a maximum of 96 Gbps encryption and decryption performance and supports 320,000 concurrent VPN tunnels, which is the VPN access gateway of the highest performance for the moment. E8000E also supports the IKEv2 protocol and enhances the functions of user authentication, packet authentication, and NAT traversal. Thus, E8000E eliminates the hidden hazards of the man-in-the-middle attack and the DDoS attack, and supports wireless authentication protocols, such as EAP-SIM and EAP-AKA, which effectively ensures the wireless network security.

Practical IPS feature — defending against external threats and promoting network security

The core technologies of the IPS are embodied in the detection engine performance, signature identification efficiency, and integrated processing performance. Adopting the advanced IPS detection engine and mature signature database, Huawei E8000E defends against various threats, including system vulnerabilities, unauthorized automatic downloading, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies. A single vulnerability-based signature covers thousands of attacks. Supplemented with a globally deployed honeypot system, the E8000E can capture the latest attack, worm, and Trojan horse features, thus providing zero-day attack defense capability. Moreover, the practicability of the IPS is significantly promoted.

The E8000E adopts internal off-line and "one board one feature" technologies; certain necessary service traffic is split to the dedicated SPU. In so doing, the service processing capability is improved; furthermore, the traffic processing does not affect the basic services of the firewall, ensuring service continuity.

Product Specification

Performance

| Item | E8080E | E8160E |
| --- | --- | --- |
| Firewall throughput (Max) | 80Gbps | 160Gbps |
| Firewall throughput (IMIX) | 80Gbps | 160Gbps |
| Firewall throughput (HTTP) | 78Gbps | 156Gbps |
| Firewall packets per second (64bytes) | 30Mpps | 60Mpps |
| IPSec VPN performance (3DES) | 48Gbps | 96Gbps |
| IPSec VPN performance (AES) | 48Gbps | 96Gbps |
| Maximum IPS performance | 32Gbps | 64Gbps |
| New sessions per second | 2M | 4M |
| Maximum concurrent sessions | 32M | 64M |
| Maximum security policies | 128K | 128K |
| Maximum users supported | unrestricted | unrestricted |
| MAC table size | 128K/LPU | 128K/LPU |

Connectivity

| Item | E8080E | E8160E |
| --- | --- | --- |
| Available slots | 8 (SPU+LPU) | 16 (SPU+LPU) |
| Main control slots | 2 | 2 |

| Item | Value |
| --- | --- |
| SPU options | Mother board: 2CPU + 8G memory; Daughter board: 2CPU + 8G memory |
| Interfaces | ETH: 24×GE / 2×10GE / 1×10G+12×GE; POS: OC192 |

Firewall basic feature

| Item | Value |
| --- | --- |
| Working mode | Transparent / Routing / Hybrid |
| ASPF | Yes |
| Access control | Yes |
| State validation detection | Yes |
| Black/White list | Yes |
| Virtual Firewall | Yes |
| Application level recognition | Yes |

Defense of DDoS attack

| Item | Value |
| --- | --- |
| Bi-directional protection | Yes |
| SYN Flood | Yes |
| SYN-ACK Flood | Yes |
| FIN/RST Flood | Yes |
| UDP Flood | Yes |
| DNS Query Flood | Yes |
| HTTP Flood | Yes |
| ICMP flood | Yes |

Intrusion Prevention System

| Item | Value |
| --- | --- |
| Stateful protocol signatures | Yes |
| Simple Configuration IPS | Yes |
| Attack detection mechanisms | Abnormal protocol / Abnormal traffic / Pattern matching |
| Attack response mechanisms | Drop connection / Close connection / log / email |
| Worm protection | Yes |
| Zero-day attack protection | Yes |
| Trojan protection | Yes |
| Adware/key logger protection | Yes |
| Web Attack Toolkit Attack detection | Yes |
| Web 2.0 Attack protection | Yes |
| Drive by download attack prevention | Yes |
| Botnet Protection | Yes |
| Protection against attack proliferation from infected systems | Yes |
| Interception protection | Yes |
| Application level DDoS attacks protection | Yes |
| Compound attacks protection | Yes |
| Vulnerability-based signature database | Yes |
| Multi-levels compressed file | Yes |
| Independent PDF detection | Yes |
| Custom attack signatures | Yes |
| Attack editing (port range) | Yes |
| Stream signatures | Yes |
| Overload protection | Yes |
| Approximate number of attacks covered | 8000+ |

NAT

| Item | Value |
| --- | --- |
| Destination NAT/PAT | Yes |
| Destination NAT within same subnet as ingress interface IP | Yes |
| Destination addresses to one single address (M:1) | Yes |
| Destination addresses to another range of addresses (M:M) | Yes |
| NO-PAT | Yes |
| PAT | Yes |
| Source NAT - IP address persistency | Yes |
| Source pool grouping | Yes |
| Source IP outside of the interface subnet | Yes |
| NAT Server | Yes |
| NAT-ALG | Yes |
| Unlimited address expansion | Yes |
| Policy-based destination NAT | Yes |

VPN

| Item | Value |
| --- | --- |
| IPSec VPN tunnels | 320K |
| DES/3DES/AES encryption | Yes |
| MD-5 and SHA-1 authentication | Yes |
| Manual key, PKI (X.509), IKEv2 | Yes |
| Perfect forward secrecy (DH groups) | 1, 2, 5 |
| Prevent replay attack | Yes |
| Remote access VPN | Yes |
| EAP certification | Yes |
| Redundant VPN gateways | Yes |
| GRE Tunnel | 8192 |

High Availability

| Item | Value |
| --- | --- |
| Active/passive, active/active | Yes |
| Configuration synchronization | Yes |
| Session synchronization for firewall and IPSec VPN | Yes |
| Device failure detection | Yes |
| Link failure detection | Yes |
| Dual control | Yes |

User Authentication and Access Control

| Item | Value |
| --- | --- |
| Built-in (internal) database | Yes |
| RADIUS accounting | Yes |
| Web-based authentication | Yes |

Public Key Infrastructure (PKI)

| Item | Value |
| --- | --- |
| PKI certificate requests (PKCS 10) | Yes |
| Certificate authorities | Yes |
| Self-signed certificates | Yes |

Routing

| Item | Value |
| --- | --- |
| BGP routes | 200K |
| BGP peers | 1000 |
| BGP instances | 1000 |
| OSPF routes | 200K |
| OSPF instances | 2000 |
| RIP v2 table size | 200K |
| RIP v1/v2 instances | 2000 |
| Dynamic routing | Yes |
| Static routing | Yes |
| Source-based routing | Yes |
| Policy-based routing | Yes |
| PBR instances | 1024 |
| FIB | Yes |
| Routing iteration | Yes |

IPv6

| Item | Value |
| --- | --- |
| State filtering | Yes |
| OSPFv3 | Yes |
| BGP4+ | Yes |
| ISIS6 | Yes |
| IPv6 ACL Extended | Yes |
| IPv6 interface statistic | Yes |
| NATPT (4 to 6, 6 to 4) | Yes |
| IPv6 ND | Yes |

Virtualization

| Item | Value |
| --- | --- |
| Maximum security zones | Root firewall: 32; Virtual firewall: 8 |
| Maximum virtual firewall | 1024 |
| Maximum VLAN supported per interface | 4094 |

Management

| Item | Value |
| --- | --- |
| WebUI (HTTP and HTTPS) | Yes |
| CLI (console) | Yes |
| CLI (telnet) | Yes |
| CLI (SSH) | Yes |
| U2000/VSM network management | Yes |
| Level-based administrator | Yes |
| Software upgrade | Yes |
| Configuration rollback | Yes |

Logging/Monitoring

| Item | Value |
| --- | --- |
| Structured syslog | Yes |
| SNMP (v2) | Yes |
| Binary log | Yes |
| Traceroute | Yes |
| Logging server (eLog) | Yes |

Dimensions and Power

| Item | E8080E | E8160E |
| --- | --- | --- |
| Dimensions (W×H×D) | 442×669×886 | 442×669×1600 |
| Weight | 100Kg | 150Kg |
| AC Power supply | AC: 180~275V; 50/60Hz | AC: 180V~264V; 50/60Hz |
| DC Power supply | DC: -75~-38V | DC: -75~-38V |
| Maximum Power draw | 3000W | 5000W |
| Operating temperature | 0~45°C | 0~45°C |
| Humidity | 0~95% | 0~95% |

Certification

| Item | Value |
| --- | --- |
| Safety certification | Yes |
| EMC | Yes |
| CB | Yes |
| RoHS | Yes |
| FCC | Yes |
| MET | Yes |
| C-tick | Yes |

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110629-C-1.0

www.huawei.com
