Eudemon8000E-X
En la actualidad, el ancho de banda de las redes está en constante crecimiento, por lo que las amenazas y ataques a las redes también se incrementan. Por lo tanto, las empresas y operadoras se deben asegurar la seguridad del servicio y la continuidad, además de expandir la estructura de la red. La serie E8000E adopta un diseño de hardware y software distribuido. Sus LPU y SPU son independientes y soportan la configuración bajo demanda. Por lo tanto, la serie E8000E proporciona una capacidad de procesamiento flexible, interfaces diversificadas de entrada/salida y gran cantidad de servicios de seguridad. De esta manera satisface perfectamente los requerimientos de los usuarios (incluidos los centros de datos, operadoras, proveedores de servicios de Internet y gobiernos) en cuanto a la alta integridad, rápida respuesta, procesamiento de alta velocidad y garantía a largo plazo.
The Power to Harness the Big Cloud: impressive performance
Leading Product Architecture in the Industry — delivering Terabit capacity, flexible resource allocation, and linear increase of performance
The Eudemon8000E-X uses the core router-level hardware platform and Crossbar routing and switching technology with Terabit expansion. Therefore, the service processing performance can be smoothly upgrade to Terabit level without chassis replacement.
The Eudemon8000E-X provides modularized components. Based on the dual NPs, the interface module ensures the line rate forwarding of interface traffic. Based on the multi-thread architecture, the SPU ensures the high-speed concurrent processing of multiple services, such as NAT, ASPF, Anti-DoS, and VPN to break through the performance bottlenecks of the CPU. LPUs and SPUs function separately. The overall performance increases linearly with the addition of SPUs, which provides flexible service processing capability.
Leading Performance — protecting key services of customers effectively
With the revolutionized system architecture, the Eudemon8000E-X is takes the leading role in the indexes of throughput, number of connections per second, and maximum number of concurrent connections. The single-slot firewall performance of the Eudemon8000E-X reaches 20 Gbit/s for IMIX traffic and 5 Gbit/s for small packets (64 bytes). The single-slot DDoS protection capability and VPN throughput is 20 Gbit/s and 12 Gbit/s respectively. The maximum number of connections per second is 500,000, and the maximum number of concurrent connections is 8,000,000. Because the Eudemon8000E-X uses the dedicated traffic splitting technology, the overall performance increases linearly with the addition of SPUs. When the Eudemon8000E-X is configured with 10 SPUS, the firewall throughput is 10 times of a single SPU. The throughput reaches 200 Gbit/s for IMIX traffic and 50 Gbit/s for small packets (64 bytes). The DDoS protection capability and VPN throughput reaches 200 Gbit/s and 120 Gbit/s respectively. The maximum number of connections established per second is 5,000,000, and the maximum number of concurrent connections is 80,000,000.
Perfect Reliability — hierarchal management and full redundancy ensuring service continuity
Network security is a key point in enterprise operating. To ensure the service continuity on the high-speed network, the Eudemon8000E-X uses unique hierarchal management technology separating management, monitoring, and data providing high hardware reliability. The Eudemon8000E-X also supports active/standby networking, active/active networking, interface aggregation, VPN redundancy, and SPU load balancing. Meanwhile, the Eudemon8000E-X also provides unique dual-MPU active/standby switchover providing the firewall with high-end router reliability to ensure the service continuity at key nodes. The mean time between failures (MTBF) of the Eudemon8000E-X is as long as 500,000 hours, and the failover time is less than 0.1 second. These ensure the consistent and stable operating of services.
The Intelligence to Protect the Cloud: dedicated security
Professional Anti-DDoS — ensuring network and service security
In 2010, the DDoS attack bandwidth exceeds 100 Gbit/s, which witnessed a 100% increase comparing with that in 2005. Since new attacks targeting the HTTP, HTTPS, SIP, and DNS attacks evolves rapidly, the traditional Flow-based attack detection is on the brink of invalidity. The DPI-based detection mechanism of the Eudemon8000E-X analyzes the packets by bytes, building a seven-layer filtering structure. The seven-layer filtering structure can accurately detect attacks including flood attacks, application-layer attacks, scanning attacks and sniffing attacks, and malformed packet attacks. Meanwhile, the Eudemon8000E-X responds to attacks within seconds, and provides a defense capacity of up to 200 Gbit/s. Therefore, the Eudemon8000E-X can defend against various DDoS attacks.
Professional IPS — preventing external intrusion
The core technologies of the IPS are embodied in the detection engine performance, signature identification efficiency, and integrated processing performance. With the advanced IPS detection engine and mature signature database, Huawei Eudemon8000E-X defends against various threats, including system vulnerabilities, unauthorized automatic download, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies. A single vulnerability-based signature covers thousands of attacks. Supplemented with the globally deployed honeypot system, the Eudemon8000E-X can capture the latest attacks, worms, and Trojan horses features, providing zero-day attack defense capability. Moreover, the practicability of the IPS is significantly promoted. The Eudemon8000E-X uses internal off-line and "one board one feature" technologies; certain necessary service traffic is split to the dedicated SPU. In so doing, the service processing capability is improved; furthermore, the traffic processing does not affect the basic services of the firewall, ensuring in-service continuity.
Professional DPI — Application Management and Control
Because of the massive applications at cloud data centers, how to implement network data transparency and visualization for pre-event risk control becomes significantly vital. DPI of the Eudemon8000E-X uses packet feature inspecting technology and protocol analyzing technology to analyze the data in the application layer thoroughly. This technology is high effective against more than 500 kinds of worms and 350 zombie tools, and can accurately identify up to 850 application protocols of over 20 categories, such as P2P, VoIP, chatting, video, game, and stock. The DPI technology offers multi-dimensional control measures specific to time, application, user, bandwidth, and connection number, effectively providing bandwidths for mission-critical applications, improving bandwidth usage and working efficiency, blocking zombie traffic, preventing against worm infection to make application visible and controllable.
The DPI technology provides periodically database update from a professional maintenance team.
Comprehensive IPv6 Security — providing a secure IPv6 network deployment
The IPv4 addresses are already exhausted, and the smooth transition to IPv6 while ensuring the service experience is necessary. The Eudemon8000E-X supports IPv6 routes, IPv6 ACL, IPv6 anti-DDoS features, and IPv6 IPSec accesses providing a secure solution for users to implement the IPv4-to-IPv6 evolution. Meanwhile, the Eudemon8000E-X also supports the IPv4-to-IPv6 transition technologies, such as NAT44 (4), DS-Lite, 6RD, and NAT64 providing an effective, flexible, reliable, and economic network transition and service evolution solution.
Comprehensive security — providing comprehensive security features with a single Eudemon8000E-X
The Eudemon8000E-X integrates professional anti-DDoS, IPS, and IPv6 security defense on a single device addressing the problems caused by external attacks and providing perfect network transition solution. The integration maximizes the ROI, and reduces the deployment, management, and maintenance cost.
The Agility to Adapt to the Cloud: dynamic policies
Virtualization is the path for the cloud computing to be deployed at IDCs. Virtualization maximizes resource usage to achieve maximal profits. Meanwhile, dedicated devices are required to ensure the virtualization security. The Eudemon8000E-X provides professional and comprehensive security functions and maximum resource virtualization. The Eudemon8000E-X supports a maximum of 4094 virtual firewalls and virtualized IPS functions ensuring the security of the virtualized data and services. The virtualized VPN technology supports massive secure accesses for enterprises and terminal users ensuring the cloud channel security.
The flexible resource allocation and address flapping technologies can easily adapt to the situations of dynamic resource change and address flapping of enterprises and terminal users in the cloud by implementing corresponding security policy flapping. These technologies enable dynamic security defense meeting the requirements of flexibility and dynamic security of cloud data centers.
| Model | Eudemon8000E-X3 | Eudemon8000E-X8 | Eudemon8000E-X16 | |
|---|---|---|---|---|
| Performance and Capacity | ||||
| Firewall throughput (maximum) | 20 Gbit/s/SPU | 20 Gbit/s/SPU | 20 Gbit/s/SPU | |
| Firewall throughput (composite traffic) | 20 Gbit/s/SPU | 20 Gbit/s/SPU | 20 Gbit/s/SPU | |
| Firewall throughput (HTTP) | 19 Gbit/s/SPU | 19 Gbit/s/SPU | 19 Gbit/s/SPU | |
| Firewall packets per second (64 bytes) | 7.5 Mbits/SPU | 7.5 Mbits/SPU | 7.5 Mbits/SPU | |
| IPSec VPN performance (3DES) | 12 Gbit/s/SPU | 12 Gbit/s/SPU | 12 Gbit/s/SPU | |
| IPSec VPN performance (AES) | 12 Gbit/s/SPU | 12 Gbit/s/SPU | 12 Gbit/s/SPU | |
| IPS performance (maximum) | 8 Gbit/s/SPU | 8 Gbit/s/SPU | 8 Gbit/s/SPU | |
| Number of new connections per second | 500,000/SPU | 500,000/SPU | 500,000/SPU | |
| Maximum number of concurrent sessions | 8,000,000/SPU | 8,000,000/SPU | 8,000,000/SPU | |
| Maximum number of security policies | 128,000 | |||
| Maximum number of users supported | Unlimited | |||
| Expansion and I/O | ||||
| Expansion slots | 3 SPU and LPU slots | 8 SPU and LPU slots | 16 SPU and LPU slots | |
| Number of MPU slots | 2 | |||
| SPU option | Mother boards with 2 CPUs and 8 G memory; expansion cards with 2 CPUs and 8 G memory | |||
| Interface module type | Ethernet interface:24 x GE/2 x 10GE/12 x GE+1 x 10GE POS: OC192 | |||
| Basic Firewall Features | ||||
| Operating Mode | Transparent mode, routing mode, and composite mode | |||
| ASPF | Y | |||
| Accesses control | Y | |||
| State validation detection | Y | |||
| Blacklist and whitelist | Y | |||
| Virtual firewall | Y | |||
| Security zone division | Y | |||
| Application protocol identification | Y | |||
| Anti-DDoS | ||||
| Bidirectional defense | Y | |||
| SYN flood | Y | |||
| SYN-ACK flood | Y | |||
| FIN/RST flood | Y | |||
| UDP flood | Y | |||
| DNS flood | Y | |||
| DNS cache poisoning | Y | |||
| HTTP flood | Y | |||
| HTTPS flood | Y | |||
| ICMP flood | Y | |||
| Intrusion Prevention | ||||
| Protocol state detection | Y | |||
| Simple configuration IPS | Y | |||
| Attack detection mechanism | Protocol anomaly, traffic anomaly, and mode matching | |||
| Attack response mechanism | Link discarding, connection termination, logs, and mails | |||
| Anti-worm | Y | |||
| Zero-day attack protection | Y | |||
| Trojan horse protection | Y | |||
| Adware/Keylogger protection | Y | |||
| Web attack toolkit attack detection | Y | |||
| Web 2.0 attack defense | Y | |||
| Drive-by download attack prevention | Y | |||
| Botnet defense | Y | |||
| Protection against attack proliferation from infected systems | Y | |||
| Interception protection | Y | |||
| Composite attack defense | Y | |||
| Vulnerability-based signature database | Y | |||
| Multi-level compression file | Y | |||
| Independent PDF detection engine | Y | |||
| Custom attack signatures | Y | |||
| Attack editing (port range) | Y | |||
| Stream signatures | Y | |||
| Protocol state detection | Y | |||
| Overload protection | Y | |||
| Number of defendable attacks | More than 8000 | |||
| NAT | ||||
| Destination NAT/PAT | Y | |||
| Destination NAT on the same subnet with the IP address of the interface serving as the network ingress | Y | |||
| Destination IP addresses corresponding to one IP address (M:1) | Y | |||
| Destination IP addresses corresponding to multiple IP addresses (M:M) | Y | |||
| NAT NO-PAT | Y | |||
| NAT PAT | Y | |||
| Source NAT-IP address persistency | Y | |||
| Source IP address pool grouping | Y | |||
| Source IP addresses outside of the interface subnet range | Y | |||
| NAT Server | Y | |||
| Bidirectional NAT | Y | |||
| NAT ALG | Y | |||
| Unlimited IP address expansion | Y | |||
| Policy-based destination NAT | Y | |||
| Triplet NAT | Y | |||
| IPSec VPN | ||||
| Maximum number of concurrent IPSec VPN tunnels | 320,000 | |||
| DES, 3DES, and AES encryption | Y | |||
| MD-5 and SHA-1 authentication | Y | |||
| Manually configured key, PKI (X 509), and IKEv2 | Y | |||
| Perfect forward secrecy (DH group) | 1, 2, and 5 | |||
| Anti-replay attack | Y | |||
| Remote VPN access | Y | |||
| EAP authentication | Y | |||
| VPN gateway redundancy | Y | |||
| High Availability | ||||
| Active/standby and active/active | Y | |||
| Configuration synchronization | Y | |||
| Firewall and IPSec VPN session synchronization | Y | |||
| Device fault detection | Y | |||
| Link fault detection | Y | |||
| Dual-MPU switchover | Y | |||
| User Identity Authentication and Accesses Control | ||||
| Built-in (internal) database | Y | |||
| RADIUS accounting | Y | |||
| Web-based authentication | Y | |||
| Public Key Infrastructure (PKI) | ||||
| PKI certificate requests (PKCS 10) | Y | |||
| Certificate authority (CA) | Y | |||
| Self-signed certificate | Y | |||
| Routing | ||||
| BGP route | 200,000 | |||
| BGP peer | 1000 | |||
| BGP instance | 1000 | |||
| OSPF route | 200,000 | |||
| OSPF instance | 1000 | |||
| RIPv2 routing table capacity | 200,000 | |||
| RIPv1/v2 instance | 1000 | |||
| Dynamic routing | Y | |||
| Static route | Y | |||
| Source-based routing | Y | |||
| Policy-based routing | Y | |||
| Policy-based route | 1024 | |||
| FIB | Y | |||
| Route iteration | Y | |||
| IPv6 | ||||
| Status filtering | Y | |||
| OSPFv3 | Y | |||
| BGP4+ | Y | |||
| ISIS6 | Y | |||
| IPv6 ACL standard | Y | |||
| IPv6 ACL extended | Y | |||
| IPv6 interface statistics | Y | |||
| NAT-PT (4to6 and 6to4) | Y | |||
| IPv6 Neighbor Discovery (ND) Security (SEND) | Y | |||
| DS-Lite | Y | |||
| NAT64 | Y | |||
| 6RD | Y | |||
| Virtualization | ||||
| Maximum number of security zones | Root firewall: 32, virtual firewall: 8 | |||
| Maximum number of virtual firewall | 4094 | |||
| Maximum number of VLAN supported per interface | 4094 | |||
| Management | ||||
| GUI (HTTP/HTTPS) | Y | |||
| CLI (console) | Y | |||
| CLI (Telnet) | Y | |||
| CLI (SSH) | Y | |||
| U2000/VSM network management | Y | |||
| Hierarchical administrators | Y | |||
| Software upgrade | Y | |||
| Configuration rollback | Y | |||
| Logging/Monitoring | ||||
| Structured syslog | Y | |||
| SNMP (v2) | Y | |||
| Binary log | Y | |||
| Traceroute | Y | |||
| Log server (eLog) | Y | |||
| Dimensions, Power Supply, and Operating Environment | ||||
| Dimensions (H x W x D) | DC: 6.9 x 17.4 x 25.6 in. (175 x 442 x 650 mm ) AC: 8.7 x 17.4 x 25.6 in. (220 x 442 x 650 mm ) |
DC: 24.4 x 17.4 x 25.6 in.(620 x 442 x 650 mm ) AC: 27.9 x 17.4 x 25.6 in. (709 x 442 x 650 mm ) |
DC: 55.9 x 17.4 x 25.6 in.(1420 x 442 x 650 mm ) AC: 62.9 x 17.4 x 25.6 in. (1598 x 442 x 650 mm) | |
| Weight | DC: Base chassis: 33 lbs (15 kg) DC: Fully configured chassis: 70.5 lbs (32 kg) AC: Base chassis: 55.1 lbs (25 kg) AC: Fully configured chassis: 92.5 lbs (42 kg) |
DC: Base chassis: 95.1 lbs (43.2 kg) DC: Fully configured chassis:248.9 lbs (113 kg) AC: Base chassis: 141.8 lbs (64.4 kg) AC: Fully configured chassis: 295.5 lbs (134.2 kg) |
DC: Base chassis: 207.9 lbs (94.4 kg) DC: Fully configured chassis: 504.3 lbs (229 kg) AC: Base chassis: 301.3 lbs (136.8 kg AC: Fully configured chassis: 597.7 lbs (271.4 kg) | |
| AC power supply | 90 V AC to 275 V AC;175 V AC to 275 V AC (recommended) | |||
| DC power supply | -38 V to -72 V; Rated -48 V | |||
| Maximum power consumption | 725 W DC, 880 W AC | 2560 W | 4860 W | |
| Operating temperature | Long term: 0 °C to 45 °C Short term: -5°C to +55 °C Storage: -40°C to +70 °C | |||
| Ambient humidity | Long term: 5% RH to 85% RH, non-condensing Short term: 5% RH to 95% RH, non-condensing Storage: 0% RH to 95% RH, non-condensing | |||
| Certification | ||||
| Safety certification | Y | |||
| EMC | Y | |||
| CB | Y | |||
| Rohs | Y | |||
| FCC | Y | |||
| MET | Y | |||
| C-tick | Y | |||
| VCCI | Y | |||
IDC
Egress of the Campus Network
Broadcasting & Television (at the Carrier Network Border)