
e-Government Internet Egress Security Solution

The twelfth five-year e-Government plan highlights the application and roles of e-Government information management systems in helping to resolve social issues. These systems must become more comprehensive and diversified as the e-Government extranet carries a growing number of businesses and business services, and as the public relies more heavily on the websites that deliver them. This growth in services, and the resulting increase in traffic, places higher demands on bandwidth and on the secure protection of e-Government Internet egresses and data.
To meet these challenges, Huawei offers the e-Government Internet Egress Solution, which provides public access to government agency websites and enables authorized users to access government extranets to communicate with office networks and data centers, while ensuring that all data, applications, and transmissions are secured at every stage.

Requirements and Challenges

Huawei's e-Government Internet Egress Security Solution has two major functions. The first is to enable the public to access government agency websites while protecting sensitive information inside the government network. The second is to enable authorized users to access government agency extranets and communicate with designated office networks and data centers.

An Internet egress is the main channel for exchanging information between the government and the outside world, which sets high requirements for data and application security. It also requires network bandwidth optimization and network security protection.



Network Bandwidth Optimization

  • Multi-level NAT: The layers of an e-Government extranet map to government administrative levels. Some regional IP address segments conflict with vertical Virtual Private Network (VPN) addresses, leading to the multi-level Network Address Translation (NAT) issue. e-Government campuses using either private IP addresses or carriers' networks require at least one NAT before accessing the Internet or external resources. Multi-level NAT slows Internet access. At present, one efficient way to address this issue is to improve device NAT forwarding performance.
  • Multi-link load balancing: Architecture and device redundancy are also important for meeting Internet egress security requirements. Links that connect an e-Government extranet and the Internet transmit diverse, large-volume data. Therefore, to optimize network performance, a single device must support multi-link load balancing and dynamically adjust the bandwidth occupation ratio of each link.
  • Internet cache: Any weakness in network applications may reduce user satisfaction. In addition to high bandwidth and low end-to-end delay, governments want to shift the traffic cache from the Internet egress to the intranet. This sharply eases bandwidth expansion pressure and saves bandwidth lease costs on Internet egresses, further improving users' experience with government extranets.


Network Security Protection

  • In some cases, data center networks, office networks, and the Internet communicate with each other without any dedicated isolation or prevention measures. Any security hazard introduced by Internet users may then affect the security of data center networks.
  • Access by visitors to e-Government extranets may introduce security risks.
  • If there are no authentication or control measures limiting the access of internal e-Government users, any internal employee can reach e-Government extranets from a PC.
  • Traffic cleaning and security monitoring must be provided to prevent attacks originating from the Internet.
  • Government agencies deliver many services to the public through their official websites, so protecting those service systems is very important.
  • If real-time event analysis is unavailable, security events cannot be monitored across the entire network and logs cannot be analyzed in a unified way.

Huawei Solution

Huawei offers powerful ICT support for an e-Government Internet Egress Security Solution that helps government agencies optimize network performance and implement comprehensive security protection.


Solution Overview

Figure 2-1 Internet egress security solution architecture


Anti-DDoS Solution

Huawei's solution is highly flexible. It provides a rich set of functions, including anti-Distributed Denial of Service (DDoS), intuitive Service Inspection Gateway (SIG) traffic analysis, cache acceleration, intrusion detection/prevention, Web application protection, unified security monitoring, Internet use management, and unified security auditing. These functions can be combined according to specific Internet security requirements.


Figure 2-2 Anti-DDoS solution


Huawei's anti-DDoS solution has the following key features:

  • High-performance hardware platform
  • Bypass detection
  • Self-healing network
  • Automatic response
  • Deep Packet Inspection (DPI) of all traffic on the network
  • Flexible deployment

Intuitive SIG Traffic Analysis Solution

Huawei's SIG intuitive traffic analysis solution identifies network applications, displays the bandwidth occupied by each application, and supports per-service configuration of priority and occupied bandwidth ratio. These functions implement intelligent network traffic management so that traffic from an e-Government extranet is transmitted according to priority.


Figure 2-3 Intuitive SIG traffic analysis solution architecture


Huawei's SIG traffic analysis solution includes the following features:


  • Multi-dimensional traffic and flow direction analysis helps governments understand the composition of users, traffic, flow directions, and services, and provides statistics for network optimization.
  • Multi-dimensional traffic optimization and bandwidth management make full use of government bandwidth resources, avoid network congestion, ensure the quality of operation-critical services, ease network expansion pressure, and improve user experience.
  • Uniform Resource Locator (URL) filtering, network control by time segment, network control by application, and user access control efficiently manage Internet use by government agencies' employees.
  • Dynamic filtering of malicious IP addresses adds security to employee Internet use.
  • Information push provides a convenient means of routine information release.

iCache Solution

Huawei's iCache solution has the following features:


  • The iCache platform enables filtering on links and uses bypass deployment with traffic mirroring, minimizing the impact on live network services.
  • In bypass deployment, the system sends copies of upstream packets to the iCache Redirection Subsystem (RSS). The RSS redirects user requests to the iCache platform, from which users obtain the cached resources.
  • The iCache platform uses a dedicated system to manage all local cache subsystems.
  • The iCache system remains fully functional within one network when the service and management networks are isolated from each other.

Figure 2-4 iCache solution architecture


Intrusion Detection/Prevention Solution

Huawei's intrusion detection/prevention solution has been selected by customers throughout the world because of the following characteristics:


  • Integration of multiple services, including firewall, content filtering, traffic control, and Internet use management
  • Simplified and efficient management of network devices
  • Reduced Total Cost of Ownership (TCO)
  • Dedicated, professional service teams that ensure quick response to customer requests

Figure 2-5 Intrusion detection/prevention solution architecture


Web Application Security Solution

Huawei's Web application security solution has helped many customers enhance security, for the following main reasons:


  • Industry-leading injection attack detection rate of more than 99 percent
  • Zero application interruption from tamper restoration and detection of unknown attacks, providing comprehensive attack defense
  • Cache acceleration, policy self-learning, and fully transparent deployment for a superb user experience
  • Accurate Structured Query Language (SQL) injection detection, website anti-tamper system, application-layer anti-DDoS protection, blacklists and whitelists, and automatic locking against attackers
  • A variety of application-layer protection measures: real-time Hypertext Transfer Protocol Secure (HTTPS) and Web application defense, application acceleration, and sensitive data loss prevention, to secure websites, accelerate access, and ease operation and maintenance (O&M)
  • Huawei's vulnerability research and prevention efforts support mainstream security vulnerability libraries, mainstream Content Management System (CMS) vulnerability libraries, and mainstream scanner libraries
  • Zero percent detection loss rate for Web application vulnerabilities and less than 3 percent detection loss rate for CMS vulnerabilities, as tested by authoritative organizations

Figure 2-6 Web application security solution


Unified Security Management Solution

Huawei's unified security management solution includes service management, report management, network element management, and operation management.


Figure 2-7 Unified security management solution


Details of this function-rich solution include:


  • Service management
    ◦ Analysis of protocol traffic logs
    ◦ Internet use tracking and playback
    ◦ Massive log storage and management
    ◦ Threat protection and application control management
  • Report management
    ◦ Report task management
    ◦ Periodic reports at different measurement periods
    ◦ Report customization
    ◦ Comprehensive reports
  • Network element management
    ◦ Automatic discovery of devices
    ◦ Automatic discovery of topologies
    ◦ Performance indicator collection
  • Operation management
    ◦ Defense policy management
    ◦ Unified configuration management
    ◦ Report display


Internet Use Management Solution

Huawei's Internet use management solution contains the following key features:


  • Dedicated identification libraries for stock-trading and gaming applications and for websites classified as indecent
  • Auditing of Internet access behaviors and content minimizes Internet security risks and supports compliance with laws and regulations

Figure 2-8 Internet use management solution


Unified Security Auditing Solution

Huawei's unified security auditing architecture consists of five important parts:


  • Terminal auditing
    ◦ Audits an array of operations, including operations on office terminals, service terminals, peripherals (such as printers), documents, and network access
    ◦ Records behaviors and operations that violate regulations
    ◦ Generates related alarms
  • Network auditing
    ◦ Audits Internet access behaviors regarding access operations, content, and protocol
  • Content and application auditing
    ◦ Audits operations on core service systems, servers, office systems, and database systems
    ◦ Audits application protocols based on specified key information
  • O&M auditing
    ◦ Audits O&M operations on network devices, security devices, hosts, and application systems
  • Monitoring platform auditing
    ◦ Collects, manages, and queries logs
    ◦ Analyzes events, generates alarms, traces faults, and audits reports
    ◦ Monitors and manages holistic security policies


Figure 2-9 Unified security auditing solution architecture


Solution Highlights

Here are highlights of Huawei's e-Government Internet Egress Security Solution:


  • Security protection for the Internet access zone
  • Intuitive, panoramic monitoring view and network-wide security event collection for unified security protection and zero-hour threat elimination
  • Linked prevention, ensuring that a fault detected on one node is shared across the entire network
  • End-to-end event analysis and handling capabilities, with an Events Per Second (EPS) rate exceeding 5000
  • More than 130 predefined monitoring scenarios, plus dynamic expansion of scenarios, for accurate detection of unknown security threats
  • Industry-first dual Main Processing Units (MPUs), active/standby switchover in milliseconds, "Five Nines" reliability, anti-DDoS protection against more than 100 attack types, and response within seconds
  • Seven-layer DDoS traffic learning, combined in-line defense and bypass detection, and the ability to identify more than 1,200 applications

Customer Benefits

Huawei's solution provides the following benefits:


  • Intuitive traffic analysis and monitoring enable O&M personnel to easily control and optimize bandwidth utilization and to ensure that higher-priority government transactions are transmitted first
  • Comprehensive security protection measures defend the Internet egress against diverse attacks
  • Unified auditing of network behaviors and recording of O&M operations ensure that security threats are traceable
  • Web application security guarantees the secure operation of government portal websites and service systems
  • Refined security monitoring helps identify threats in a timely manner
