Eudemon 1000E
V100R002
Product Description
Issue 01 (2009-01-20)
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.
Website: http://www.huawei.com
Email: support@huawei.com

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents

About This Document
1 Product Overview
2 Product Features
  2.1 Multiple Security Zones
  2.2 Powerful GTP Protection
  2.3 Virtual Firewall
  2.4 Multiple Work Modes
  2.5 Enhanced Packet Filtering
    2.5.1 High-speed ACL Searching
    2.5.2 Malicious Host Filtering Based on the Blacklist
    2.5.3 MAC Address and IP Address Binding
    2.5.4 Packet Filtering Based on the Application Layer
  2.6 Multiple NAT Applications
    2.6.1 Address Translation
    2.6.2 Multiple NAT ALGs
  2.7 Powerful Attack-Defending Capability
    2.7.1 Defending Against Worm Viruses
    2.7.2 Defending Against DoS and DDoS Attacks
    2.7.3 Defending Against Scanning and Snooping Attacks
    2.7.4 Defending Against Other Attacks
  2.8 IDS Cooperation
  2.9 Cost-Effective Reliability
    2.9.1 Cost-Effective Product Design
    2.9.2 1+1 Backup of Routing Information
    2.9.3 Dual-System Hot Backup
  2.10 Comprehensive Traffic Monitoring
  2.11 Multiple Authentication Modes
  2.12 QoS Guarantee
  2.13 Secure VPN Applications
  2.14 Flexible P2P Flow Limiting
  2.15 Enhanced Log Management
    2.15.1 Two Log Output Formats
3 System Structure
  3.1 Appearance
    3.1.1 Front Panel of the Eudemon 1000E
    3.1.2 Rear Panel of the Eudemon 1000E Powered by AC Input
    3.1.3 Rear Panel of the Eudemon 1000E Powered by DC Input
  3.2 System Configuration
  3.3 External Interfaces
    3.3.1 Fixed Interfaces
    3.3.2 Extended Interfaces
  3.4 Supported Interface Modules
4 Networking Applications
  4.1 Attack-Defending Function
  4.2 Application of Dual-System Hot Backup
  4.3 IPSec VPNs
5 Purchase Guide
  5.1 Host Purchase
    5.1.1 Factors for Your Purchase
    5.1.2 Optional List for Host Purchase
  5.2 Interface Module Purchase
A Appendix
Figures

Figure 3-1 Front panel of the Eudemon 1000E
Figure 3-2 Rear panel of the Eudemon 1000E powered by AC input
Figure 3-3 Rear panel of the Eudemon 1000E powered by DC input
Figure 4-1 Hybrid networking of the Eudemon 1000E and the IDS
Figure 4-2 Dual-system hot backup of the Eudemon 1000E
Figure 4-3 IPSec VPN implemented by the Eudemon 1000E
Tables

Table 3-1 System configuration of the Eudemon 1000E
Table 3-2 Console port
Table 3-3 GE optical/electrical interface
Table 3-4 FE electrical interface
Table 3-5 GE optical/electrical interface
Table 5-1 Eudemon 1000E host accessories
Table 5-2 Interface module purchase of the Eudemon 1000E
Table 6-1 Compliant standards
Table 6-2 Feature list of the Eudemon 1000E
About This Document

This document describes the Eudemon 1000E in the following aspects:
- Product overview
- Product features
- System structure
- Networking applications
- Purchase guide

Related Versions

The following table lists the product versions related to this document.

Product Name      Version
Eudemon 1000E     V100R002

Intended Audience

This document is intended for:
- Network engineers

Organization

This document is organized as follows.

Chapter
1 Product Overview
2 Product Features
3 System Structure
4 Networking Applications
5 Purchase Guide
A Appendix
Conventions

Symbol Conventions

The symbols that may be found in this document are: DANGER, WARNING, CAUTION, TIP, NOTE.

General Conventions

The general conventions that may be found in this document are: Boldface, Italic, Courier New.

Command Conventions

The command conventions that may be found in this document are: Boldface, Italic, [ ], { x | y | ... }, [ x | y | ... ], { x | y | ... }*, [ x | y | ... ]*.

GUI Conventions

The GUI conventions that may be found in this document are: Boldface, >.

Keyboard Operations

Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2
Key 1, Key 2

Mouse Operations

Action          Description
Click
Double-click
Drag            Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
1 Product Overview

This chapter describes the main features and performance of the Eudemon 1000E.

With the rapid development of the Internet, more and more enterprises build their business on network services, and protecting the intranet from an open network has become a practical problem. Huawei developed the Quidway Eudemon series to provide a cost-effective security solution for large and medium-sized enterprises and for telecommunication networks. The Eudemon 1000E can be managed both from the command line and through a graphical user interface (GUI), which simplifies device management and configuration.

The Eudemon 1000E uses a standard 1U chassis with a console port, four fixed 10/100/1000M Ethernet combo interfaces (each is an optical/electrical pair of which only one port can be active at a time) and two USB 2.0 interfaces. The chassis provides two extension slots, which can hold four Fast Ethernet (FE) interfaces and two pairs of Gigabit Ethernet (GE) interfaces. Two AC or two DC power modules can be installed for dual-feed, redundant power.

Huawei rates the new-connections-per-second figure of the Eudemon 1000E as leading in its class. The device supports 30,000 access control list (ACL) rules, and its mean time between failures (MTBF) is 37.54 years.

The Eudemon 1000E is built on an integrated hardware and software platform running a dedicated real-time operating system (OS). Security zones can be defined flexibly: the Local, Trust, Untrust and demilitarized (DMZ) zones are predefined, and further zones can be created as required. When traffic passes between two interfaces whose zones have different security levels, it is checked against the configured security rules. Because the check is tied to that boundary, the assignment of interfaces to zones decides which traffic is inspected at all.

Besides supporting application protocols such as the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP), the Eudemon 1000E provides features such as algorithm-based fast ACL lookup, static and dynamic blacklist filtering, VPN services, and P2P traffic limiting.
2 Product Features

2.1 Multiple Security Zones

The Eudemon 1000E predefines the following security zones:
- Local zone
- Trust zone
- Untrust zone
- DMZ zone
- Vzone

In addition, user-defined security zones are supported: the root firewall supports 11 user-defined zones and each virtual firewall supports 3. In transparent mode and mixed mode, the Eudemon 1000E can also assign traffic to security zones based on virtual local area networks (VLANs).
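The behaviour stated in the overview and in 2.1, namely that traffic is checked against security rules only when it crosses interfaces in zones of different security levels, can be made concrete with a small model. The following Python is an added example written for this page; it is not Huawei code and not the device's implementation. The numeric zone levels, the interface names, the addresses and the rules are assumptions. It shows how the zone pair and the direction (higher level to lower level is outbound, the reverse is inbound) select the rule set, that unmatched inter-zone traffic is denied, and that traffic between two interfaces in the same zone is forwarded without any policy check. It evaluates first packets only; a stateful firewall also admits the return traffic of established sessions from its session table.

```python
"""Added example for this page (not Huawei code): a model of zone-based policy checking.

Assumptions: the security levels below, the interface names and the sample rules
and addresses. Only the behaviour the page states is modelled: the inter-zone
check happens when traffic crosses interfaces in zones of different levels.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed levels: the page names the zones and says they differ in level, nothing more.
ZONE_LEVEL = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class ZoneFirewall:
    def __init__(self):
        self.iface_zone = {}   # interface name -> zone name
        self.policies = {}     # (frozenset{zone a, zone b}, direction) -> [Rule], in order

    def add_interface(self, iface: str, zone: str) -> None:
        if zone not in ZONE_LEVEL:
            raise ValueError(f"unknown zone {zone}")
        self.iface_zone[iface] = zone

    @staticmethod
    def direction(src_zone: str, dst_zone: str) -> str:
        # Outbound: from the higher (more trusted) level to the lower one; inbound otherwise.
        return "outbound" if ZONE_LEVEL[src_zone] > ZONE_LEVEL[dst_zone] else "inbound"

    def add_rule(self, zone_a: str, zone_b: str, direction: str, rule: Rule) -> None:
        self.policies.setdefault((frozenset((zone_a, zone_b)), direction), []).append(rule)

    def forward(self, in_iface: str, out_iface: str, pkt: Packet) -> str:
        """Decide what happens to the first packet of a flow between two interfaces."""
        src_zone, dst_zone = self.iface_zone[in_iface], self.iface_zone[out_iface]
        if src_zone == dst_zone:
            # Same zone, same level: the inter-zone check never runs. This is why zone
            # assignment, not just the rule set, decides what gets inspected.
            return "forwarded-unchecked"
        key = (frozenset((src_zone, dst_zone)), self.direction(src_zone, dst_zone))
        for rule in self.policies.get(key, []):      # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return "deny"                                # implicit deny for unmatched inter-zone traffic


def build_example() -> ZoneFirewall:
    """Constructed sample configuration (interface names and networks are assumptions)."""
    fw = ZoneFirewall()
    fw.add_interface("GE0/0/0", "trust")
    fw.add_interface("GE0/0/1", "untrust")
    fw.add_interface("GE0/0/2", "dmz")
    fw.add_interface("GE0/0/3", "trust")
    # Intranet users may reach the Internet; the Internet may reach the DMZ web server on 443 only.
    fw.add_rule("trust", "untrust", "outbound", Rule("permit", src_net="10.0.0.0/8"))
    fw.add_rule("untrust", "dmz", "inbound",
                Rule("permit", dst_net="172.16.1.0/24", proto="tcp", dport=443))
    return fw
```

Run `build_example().forward("GE0/0/1", "GE0/0/2", Packet("192.0.2.7", "172.16.1.10", "tcp", 443))` to see the DMZ rule permit a web request, and change the port to 22 to see the implicit deny. Note that no rule exists for the untrust-to-trust (inbound) direction, so a first packet from the Internet towards the intranet is denied even though the outbound direction of the same zone pair is open.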
2.5.4 Packet Filtering Based on the Application Layer

- Channel and state inspection based on TCP (Transmission Control Protocol)/UDP (User Datagram Protocol)
- Port-to-application mapping
2.6 Multiple NAT Applications

Network address translation (NAT) translates private-network addresses into public-network (Internet) addresses on the way out, and maps the replies back to the private addresses on the way in.

2.6.1 Address Translation
- Port-level NAT (many private addresses share one public address and are told apart by the translated port numbers)

2.6.2 Multiple NAT ALGs
- NAT ALG for the H.323 protocol (including T.120, RAS, Q.931 and H.245)
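Port-level NAT and NAT ALGs are listed above as separate features, and the following added example shows why both are needed. It is Python written for this page, not Huawei code, and the addresses and ports in it are constructed sample values. Port-level NAT (NAPT) rewrites only IP headers and TCP/UDP ports. A protocol that carries an address inside its payload, such as active-mode FTP's PORT command or the H.323 signalling named above, would otherwise hand the server an unroutable private address. The ALG inspects the control channel, rewrites the embedded address and port, and pre-creates the mapping that the server's data connection will hit. The FTP ALG is used here because its PORT syntax is simple; the H.323 ALG does the same job for the addresses carried in RAS, Q.931 and H.245 messages.

```python
"""Added example (not Huawei code): port-level NAT (NAPT) with an FTP ALG.

Addresses and ports are constructed sample values (RFC 5737 documentation ranges).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Many private hosts share one public address; the public port tells them apart."""

    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound_map = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound_map = {}

    def open_session(self, priv_ip: str, priv_port: int, remote_ip: str, remote_port: int) -> int:
        """Allocate (or reuse) a public port for one private socket talking to one remote socket."""
        key = (priv_ip, priv_port, remote_ip, remote_port)
        if key not in self.outbound_map:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = pub_port
            self.inbound_map[(pub_port, remote_ip, remote_port)] = (priv_ip, priv_port)
        return self.outbound_map[key]

    def outbound(self, f: Flow) -> Flow:
        """Translate a private->public header; the session is created on first use."""
        pub_port = self.open_session(f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        return Flow(self.public_ip, pub_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow):
        """Translate a public->private header; None means no session exists, so the packet is dropped."""
        entry = self.inbound_map.get((f.dst_port, f.src_ip, f.src_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Flow(f.src_ip, f.src_port, priv_ip, priv_port)


# Active-mode FTP: the client tells the server which address/port to connect to for data.
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def ftp_alg(nat: Napt, ctrl: Flow, payload: bytes) -> bytes:
    """Rewrite a client PORT command seen on the control channel.

    ctrl is the untranslated client->server control flow. Payloads that are not a
    PORT command, or that advertise an address other than the session owner's, pass
    unchanged so the ALG never opens a pinhole on behalf of a third party.
    """
    m = PORT_CMD.fullmatch(payload)
    if not m:
        return payload
    a, b, c, d, p_hi, p_lo = (int(g) for g in m.groups())
    priv_ip, priv_port = f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo
    if priv_ip != ctrl.src_ip:
        return payload
    # The server will connect from port 20 to the advertised socket, so install
    # (public port, server ip, 20) -> (client ip, client port) before it does.
    pub_port = nat.open_session(priv_ip, priv_port, ctrl.dst_ip, 20)
    fields = nat.public_ip.split(".") + [str(pub_port // 256), str(pub_port % 256)]
    # A real ALG must also adjust TCP sequence/ack numbers when the payload length changes.
    return ("PORT " + ",".join(fields) + "\r\n").encode()
```

Without the ALG the server would try to connect to 10.0.0.5:40001, which is unroutable from the Internet; with it, the server connects to the public address and the pre-installed mapping delivers the data connection to the client. An unsolicited inbound packet to a public port with no session still returns None and is dropped.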
2.7 Powerful Attack-Defending Capability

Attack-defending measures listed in this section include:
- Blacklist filtering
- Address scanning (defence)
- Port scanning (defence)
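Blacklist filtering (2.5.2) and the defence against address and port scanning (2.7.3) are listed as separate features; the following added example shows how they connect. It is Python written for this page, not Huawei code, and the thresholds, window, timeout and sample traffic are constructed assumptions. Each packet's source is first checked against the blacklist (static entries never expire, dynamic ones carry a timeout). A source that is not blacklisted is tracked: one that probes many distinct ports on one host (port scan) or many distinct hosts (address scan) within a sliding window is added to the dynamic blacklist, and everything it sends afterwards is dropped before any other inspection until the entry ages out.

```python
"""Added example (not Huawei code): scan detection feeding a dynamic blacklist.

Thresholds, window and TTL are assumed values; the sample traffic is constructed.
"""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 10     # distinct destination ports on one host, per source
ADDR_SCAN_THRESHOLD = 10     # distinct destination hosts, per source
WINDOW_SECONDS = 5.0         # sliding window for counting probes
DYNAMIC_TTL_SECONDS = 60.0   # lifetime of an automatically added blacklist entry


class ScanGuard:
    def __init__(self, static_blacklist=()):
        self.static = set(static_blacklist)   # operator-configured, never expires
        self.dynamic = {}                     # src ip -> expiry timestamp
        self.probes = defaultdict(list)       # src ip -> [(t, dst ip, dst port)]
        self.alerts = []                      # (t, src ip, reason)

    def is_blacklisted(self, src: str, now: float) -> bool:
        if src in self.static:
            return True
        expiry = self.dynamic.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.dynamic[src]             # entry aged out: the source may talk again
            return False
        return True

    def _detect(self, src: str, now: float):
        recent = [p for p in self.probes[src] if now - p[0] <= WINDOW_SECONDS]
        self.probes[src] = recent
        hosts = {dst for _, dst, _ in recent}
        if len(hosts) >= ADDR_SCAN_THRESHOLD:
            return "address-scan"
        for host in hosts:
            ports = {port for _, dst, port in recent if dst == host}
            if len(ports) >= PORT_SCAN_THRESHOLD:
                return "port-scan"
        return None

    def handle(self, now: float, src: str, dst: str, dport: int) -> str:
        """Return 'drop' or 'pass' for one packet (time in seconds, addresses as strings)."""
        if self.is_blacklisted(src, now):
            return "drop"                     # blacklist check comes before any other inspection
        self.probes[src].append((now, dst, dport))
        reason = self._detect(src, now)
        if reason:
            self.dynamic[src] = now + DYNAMIC_TTL_SECONDS
            self.alerts.append((now, src, reason))
            self.probes.pop(src, None)        # counters are no longer needed while blacklisted
            return "drop"
        return "pass"


def run(guard: ScanGuard, packets):
    """Feed (t, src, dst, dport) records in time order; return the verdict for each."""
    return [guard.handle(*pkt) for pkt in packets]


# Constructed sample traffic: 192.0.2.9 walks ports 1..12 on 10.1.1.5, 10.0.0.20 browses
# normally, and 192.0.2.9 returns after the dynamic entry has expired.
SAMPLE = ([(i / 10, "192.0.2.9", "10.1.1.5", 1 + i) for i in range(12)]
          + [(1.5, "10.0.0.20", "10.1.1.5", 80), (1.6, "10.0.0.20", "10.1.1.5", 443)]
          + [(70.0, "192.0.2.9", "10.1.1.5", 80)])
```

Running `run(ScanGuard(), SAMPLE)` passes the first nine probes, drops the tenth (the packet that reaches the threshold) and blacklists the source, drops the two probes that follow, passes the normal client, and passes the scanner's packet at t=70 because the 60-second entry has expired by then. The window and TTL are the knobs a practitioner would tune: a short window misses slow scans, a long TTL turns a spoofed-source scan into a denial of service against the spoofed address.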
2.8 IDS Cooperation

... complete information about the behaviour model of attacks, so that the cooperative networking provides a more reliable and comprehensive safeguard for the network.

- ISPKeeper function
2.11 Multiple Authentication Modes

The Eudemon 1000E provides a uniform framework for authentication, authorization and accounting (AAA) and manages network access security centrally.

The Eudemon 1000E provides the following authentication modes:
- Local authentication
- HWTACACS authentication
- MD5 authentication
2.12 QoS Guarantee

- Committed access rate (CAR): The Eudemon 1000E supports CAR in security zones and supports rate limiting based on ACLs. When several rate-limiting rules apply, precedence is decided by configuration time: the most recently configured rule has the highest priority. Note that this is the opposite of first-configured-wins ordering, so check the effective rule after adding a new one.
- Sequence guarantee: Many services, for example real-time services such as VoIP, require the device to preserve packet order, so preserving the order of forwarded flows is an important property of both routers and firewalls. Based on the order in which packets arrive at an interface and on its congestion management, the Eudemon 1000E preserves the correct packet order when forwarding.
2.13 Secure VPN Applications

... and tunnel. IPSec security associations (SAs) can be established by manual configuration or negotiated automatically with IKE, and NAT traversal is supported. Both IKEv1 and IKEv2 are supported; IKEv2 supports EAP authentication.

The Eudemon 1000E can be deployed in IPSec VPNs to provide highly reliable, secure transmission channels for users. It can also work with L2TP and GRE to implement various types of VPN. L2TP and GRE tunnels by themselves carry traffic without encryption; confidentiality and integrity over the Internet come from combining them with IPSec.
- L2TP VPN
- GRE VPN
- IPSec VPN

2.15 Enhanced Log Management

Log types include:
- Attack-defending logs
- Blacklist logs
- Maintenance and management over SSH provides an encrypted session and strong authentication across an insecure network, protecting against attacks such as IP spoofing and plaintext password interception.
3 System Structure

3.1 Appearance

This topic describes the front panel and rear panel of the Eudemon 1000E.

3.1.1 Front Panel of the Eudemon 1000E

[Figure 3-1 Front panel of the Eudemon 1000E. Surviving callouts: E2GE, SLOT2, RUN indicator, HUAWEI logo; 6. USB2.0 interface; 7. Indicator; 8. ESD jack]

3.1.2 Rear Panel of the Eudemon 1000E Powered by AC Input

[Figure 3-2 Rear panel of the Eudemon 1000E powered by AC input. Surviving callouts: POW0 and POW1 power modules, each with a RUN/ON indicator, an OFF position and the label "Powered Off Before Pulled"; 2. AC power interface; 3. AC power switch; 4. AC power interface; 5. AC power switch; 6. Grounding terminal]
3.1.3 Rear Panel of the Eudemon 1000E Powered by DC Input

[Figure 3-3 Rear panel of the Eudemon 1000E powered by DC input. Surviving callouts: POW0 and POW1 power modules, each with a RUN/ON indicator, an OFF position and the label "Powered Off Before Pulled"; 2. DC power interface; 3. DC power switch; 4. DC power interface; 5. DC power switch; 6. Grounding terminal]
3.2 System Configuration

Table 3-1 System configuration of the Eudemon 1000E

Item                     Description
Extended interface       2 extension slots
Fixed interface          4 x 10/100/1000M combo (optical/electrical) GE interfaces, 1 console port, 2 USB 2.0 interfaces
CPU                      1000 MHz
Memory
NVRAM                    128 KB
Flash memory             64 MB
Dimensions
Weight                   10 kg
Input voltage
Total consumption        100 W
Operating temperature    0 to 40 °C
Relative humidity        5% RH to 90% RH
Storage temperature      -25 to +70 °C
3.3 External Interfaces

3.3.1 Fixed Interfaces

Table 3-2 Console port
Parameter            Value
Port standard        RS232
Connector            RJ45
Transfer rate

Table 3-3 GE optical/electrical interface
Parameter            Value
Interface standard   1000Base-LX/1000Base-SX/1000Base-T, 802.3z
Connector            Optical interface: SFP optical module (supports single-mode and multi-mode optical modules)
Transfer rate

3.3.2 Extended Interfaces

Table 3-4 FE electrical interface
Parameter            Value
Port standard        10/100Base-TX
Connector            RJ45
Transfer rate        10/100 Mbit/s

3.4 Supported Interface Modules

Table 3-5 GE optical/electrical interface
Parameter            Value
Port standard        1000Base-LX/1000Base-SX/1000Base-T, 802.3z
Connector
Transfer rate
4 Networking Applications

4.1 Attack-Defending Function

[Figure 4-1 Hybrid networking of the Eudemon 1000E and the IDS. Surviving labels: hackers on the Internet side and a router connect to the firewall; behind it a LAN switch serves the internal office area (PCs) and the WWW, DNS and Mail servers; an IDS monitors the intranet; another hacker is shown inside the network; government/enterprise deployment]

- The Eudemon 1000E is deployed at the network ingress to block attacks from the internal or external network.
- The IDS is deployed at a key location in the intranet to identify attacks by hackers, and the log host records the detailed attack logs.
- The LAN switch and the Eudemon 1000E cooperate to guard against various attacks.
4.2 Application of Dual-System Hot Backup

[Figure 4-2 Dual-system hot backup of the Eudemon 1000E. Surviving labels: at the company headquarters, PCs on two LAN switches connect to Firewall (Master) and Firewall (Backup), which in turn connect to two routers]

- Two Eudemon 1000E devices at the headquarters (HQ) form a hot backup group. One acts as the master device and performs the security protection; the other acts as the backup device. The backup group provides security functions such as ACL, ASPF, traffic monitoring and NAT.
- The LAN switches on the intranet side and the routers on the extranet side are each connected to both Eudemon 1000E devices, forming a mesh so that no single firewall or link is a single point of failure.

4.3 IPSec VPNs

- The access VPN provides SOHO and mobile office users with secure channels to the resources of the headquarters over the public switched telephone network (PSTN)/integrated services digital network (ISDN).
- The intranet VPN provides regional offices and branch offices with channels to the headquarters. IPSec/IKE is used so that data is transmitted securely over the Internet, protecting it from eavesdropping and tampering.
- The extranet VPN provides partners and customers with channels to the internal network of the enterprise while protecting the security of that internal network.

[Figure 4-3 IPSec VPN implemented by the Eudemon 1000E. Surviving labels: company headquarters with a file server behind a firewall; a branch/partner site with PCs behind a second firewall, reached over the carrier's network by an intranet VPN and an extranet VPN; a NAS providing the access VPN over PSTN/ISDN for personal mobile office and home office users; VPN tunnels between the sites]
5 Purchase Guide

5.1 Host Purchase

5.1.1 Factors for Your Purchase

- Networking requirement: Choose the types and number of interfaces according to the scale and performance of your network, then choose the product model according to the interfaces.
- Reliability: Eudemon 1000E hosts use two power supply modules working in 1+1 redundancy backup mode.
- Power supply: Choose the AC or DC power supply module according to the type of power supply available.

5.1.2 Optional List for Host Purchase

Table 5-1 Eudemon 1000E host accessories
Item            Quantity      Remarks
Host                          Mandatory
Accessories

5.2 Interface Module Purchase

Table 5-2 Interface module purchase of the Eudemon 1000E
Interface Module       Cable                        Remarks
                       Ethernet cable
                       Ethernet cable
                       Multi-mode optical cable
                       Single-mode optical cable
Table 6-1 Compliant standards

Standard          Content
IEC 62151         Safety of equipment electrically connected to a telecommunication network
IEEE 802.1d       MAC bridges
IEEE 802.1p       Traffic class expediting and dynamic multicast filtering (frame priority)
IEEE 802.1q       Virtual bridged LANs (VLAN tagging)
IEEE 802.3u       Fast Ethernet (100BASE-T)
IEEE 802.3z       Gigabit Ethernet (1000BASE-X)
ITU-T G.652       Characteristics of a single-mode optical fibre and cable
RFC 768           User Datagram Protocol
RFC 791           Internet Protocol
RFC 792           Internet Control Message Protocol
RFC 793           Transmission Control Protocol
RFC 854           Telnet
RFC 894           Transmission of IP datagrams over Ethernet networks
RFC 1157          Simple Network Management Protocol (SNMP)
RFC 1213          Management Information Base for network management of TCP/IP-based internets: MIB-II
RFC 1229          Extensions to the generic-interface MIB
RFC 1661          The Point-to-Point Protocol (PPP)
RFC 1757          Remote Network Monitoring MIB (RMON)
RFC 2865          Remote Authentication Dial In User Service (RADIUS)
RFC 2869          RADIUS extensions
RFC 2903          Generic AAA architecture
RFC 2904          AAA authorization framework
RFC 2906          AAA authorization requirements
RFC 2809          Implementation of L2TP compulsory tunneling via RADIUS
RFC 1492          An access control protocol, sometimes called TACACS
RFC 2401          Security architecture for the Internet Protocol (IPsec)
RFC 2402          IP Authentication Header (AH)
RFC 2403          Use of HMAC-MD5-96 within ESP and AH
RFC 2404          Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405          ESP DES-CBC cipher algorithm with explicit IV
RFC 2406          IP Encapsulating Security Payload (ESP)
RFC 2407          Internet IP security domain of interpretation for ISAKMP
RFC 2408          Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409          Internet Key Exchange (IKE)
RFC 2410          NULL encryption algorithm and its use with IPsec
RFC 3715          IPsec-NAT compatibility requirements
RFC 3947          Negotiation of NAT-traversal in the IKE
RFC 3948          UDP encapsulation of IPsec ESP packets
RFC 2663          IP Network Address Translator (NAT) terminology and considerations
RFC 2712          Addition of Kerberos cipher suites to TLS
RFC 3268          AES ciphersuites for TLS
RFC 3943          TLS protocol compression using Lempel-Ziv-Stac (LZS)
RFC 4132          Addition of Camellia cipher suites to TLS
RFC 4162          Addition of SEED cipher suites to TLS
RFC 4279          Pre-shared key ciphersuites for TLS
RFC 4346          The TLS protocol version 1.1
RFC 4366          TLS extensions
RFC 4492          Elliptic curve cryptography (ECC) cipher suites for TLS
RFC 4507          TLS session resumption without server-side state
RFC 2578          Structure of Management Information version 2 (SMIv2)
RFC 2579          Textual conventions for SMIv2
RFC 2580          Conformance statements for SMIv2
RFC 1157          SNMP
RFC 1155          Structure and identification of management information for TCP/IP-based internets
RFC 1213          MIB-II
RFC 1212          Concise MIB definitions
RFC 1901          Introduction to community-based SNMPv2
RFC 1035          Domain names: implementation and specification
NTPv3             Network Time Protocol version 3 specification
RFC 854           Telnet protocol specification
RFC 857           Telnet echo option
RFC 858           Telnet suppress go ahead option
RFC 1091          Telnet terminal-type option
RFC 4250          SSH protocol assigned numbers
RFC 4251          SSH protocol architecture
RFC 4252          SSH authentication protocol
RFC 4253          SSH transport layer protocol
RFC 4254          SSH connection protocol
RFC 4255          Using DNS to securely publish SSH key fingerprints
RFC 4256          Generic message exchange authentication for SSH (keyboard-interactive)
RFC 4335          SSH session channel break extension
RFC 4344          SSH transport layer encryption modes
RFC 4419          Diffie-Hellman group exchange for the SSH transport layer protocol
RFC 4462          GSS-API authentication and key exchange for SSH
RFC 1350          TFTP protocol (revision 2)
RFC 959           File Transfer Protocol (FTP)
RFC 1945          HTTP/1.0
RFC 2145          Use and interpretation of HTTP version numbers
RFC 2616          HTTP/1.1
RFC 2617          HTTP authentication: basic and digest access authentication
RFC 2774          An HTTP extension framework
RFC 2817          Upgrading to TLS within HTTP/1.1
RFC 2818          HTTP over TLS
RFC 2965          HTTP state management mechanism
RFC 2787          Definitions of managed objects for the Virtual Router Redundancy Protocol
VGMP              VRRP Group Management Protocol (Huawei)
VRRP              Virtual Router Redundancy Protocol
HRP               Huawei Redundancy Protocol

Two points for anyone reading this list against the feature claims: the IPsec entries are the RFC 2401 to RFC 2410 series (ISAKMP/IKEv1), while the IKEv2 support stated in 2.13 is specified in RFC 4306, which is not listed; and the highest TLS version listed is TLS 1.1 (RFC 4346).
Table 6-2 Feature list of the Eudemon 1000E

Attribute                        Description
Security defending               Packet filtering; NAT; attack defending; traffic monitoring
Link layer protocol
VLAN                             Supports VLAN
IP service
Routing protocol
VPN
CAR
Sequence guarantee
File system                      Supports a file system and provides multiple configuration files and multiple program files
GUI management
Dual-system hot backup
System management
AAA
Service application
QoS
Configuration and management
Working mode
Configuration method
Maintenance and reliability
Product design
System logs
A Appendix

A
AC          Alternating Current
ACL         Access Control List
AH          Authentication Header
ALG         Application Level Gateway
ASPF        Application Specific Packet Filter

C
CE          Conformité Européenne (CE marking)
CPU         Central Processing Unit

D
DC          Direct Current
DDoS        Distributed Denial of Service
DoS         Denial of Service
DMZ         Demilitarized Zone
DNS         Domain Name System

E
ECC
EMC         Electromagnetic Compatibility
ESP         Encapsulating Security Payload

F
FE          Fast Ethernet
FR          Frame Relay
FTP         File Transfer Protocol

G
GE          Gigabit Ethernet
GGSN        Gateway GPRS Support Node
GPRS        General Packet Radio Service
GRE         Generic Routing Encapsulation
GSN         GPRS Support Node
GUI         Graphical User Interface

H
HDLC        High-level Data Link Control
HRP         Huawei Redundancy Protocol
HWCC
HWTACACS    Huawei Terminal Access Controller Access Control System

I
ICMP        Internet Control Message Protocol
IDS         Intrusion Detection System
IKE         Internet Key Exchange
ILS         Internet Locator Service
IP          Internet Protocol
IPSec       IP Security
ISDN        Integrated Services Digital Network

L
L2TP        Layer 2 Tunneling Protocol

M
MAC         Media Access Control
MD5         Message-Digest Algorithm 5

N
NAT         Network Address Translation
NBT         NetBIOS over TCP/IP
NGN         Next Generation Network
NMS         Network Management System
NTP         Network Time Protocol
NVRAM       Non-Volatile Random Access Memory

P
P2P         Peer to Peer
PAT         Port Address Translation
PPP         Point-to-Point Protocol
PPTP        Point-to-Point Tunneling Protocol
PSTN        Public Switched Telephone Network

Q
QoS         Quality of Service

R
RADIUS      Remote Authentication Dial-In User Service
RTSP        Real Time Streaming Protocol

S
SFP         Small Form-factor Pluggable
SGSN        Serving GPRS Support Node
SIP         Session Initiation Protocol
SMTP        Simple Mail Transfer Protocol
SNMP        Simple Network Management Protocol
SSH         Secure Shell

T
TCP         Transmission Control Protocol
TFTP        Trivial File Transfer Protocol

U
UDP         User Datagram Protocol
UL          Underwriters Laboratories
USB         Universal Serial Bus

V
VLAN        Virtual Local Area Network
VPN         Virtual Private Network
VRRP        Virtual Router Redundancy Protocol