Monday, March 31, 2014

Application of the Huawei Firewall USG5300

The USG5300 series is a new-generation multi-function firewall launched by Huawei Symantec. The USG5300 series delivers extensive advanced security functions such as the firewall, VPN, IPS, anti-virus, and URL filtering, and provides all-around security protection to safeguard the efficient running of the network system.
The USG5300 supports Virtual Private Networks (VPNs) to ensure secure access between the enterprise and its remote branches, personnel on business trips, or service partners. The IPS function deeply inspects the data flows passing through the USG5300; once an attack is detected, the USG5300 blocks it in time, effectively defending against application-layer attacks. The AV function scans files transmitted over HTTP, SMTP, and POP3 and handles files found to be infected according to the AV policy. The URL filtering function manages online behavior, audits and monitors terminal applications, and limits applications that may increase internal security risks or affect normal services. The update function supports updating the IPS signature database and the virus database both online and manually, which ensures that the USG5300 always has the latest IPS signature database and virus database and makes the intrusion prevention and AV functions more effective.

Applications of the Huawei Firewall USG5300

1 Application of Dual-System Hot Backup
The USG5300 provides dual-system hot backup, so that user data flows are not disrupted by a switchover between the active and standby Unified Security Gateways.
Figure 1 Dual-system hot backup of the USG5300

Two USG5300 devices in the headquarters (HQ) form a hot backup group. One of the USG5300s serves as the active device for security protection; the other serves as the standby device. The backup group provides security functions such as ACL, ASPF, traffic monitoring, and NAT.
The two USG5300 devices are interconnected with each other.
The LAN switches on the intranet and the routers on the extranet are connected to each USG5300 device, forming a mesh connection.
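The reason hot backup keeps user flows alive across a switchover is that the standby device must already hold the session table of the active one: a stateful firewall drops a mid-stream TCP packet for which it has no session entry. The simulation below is an added example, not Huawei code or a model of its HRP protocol; the `StatefulFirewall` class, the `replicate` hook and the constructed flows are assumptions made to show the difference between a synchronised and an unsynchronised standby.

```python
"""Stateful failover demo: a standby firewall only preserves established
flows if the active unit replicated its session table beforehand.
Added example; names and the replication scheme are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Session key: (src_ip, src_port, dst_ip, dst_port, protocol)
FlowKey = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP connection

    @property
    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


@dataclass
class StatefulFirewall:
    name: str
    active: bool
    allow_rules: Set[Tuple[str, int]]           # (dst_ip, dst_port) allowed for new sessions
    sessions: Dict[FlowKey, str] = field(default_factory=dict)
    peer: Optional["StatefulFirewall"] = None   # standby that receives session updates

    def process(self, pkt: Packet) -> str:
        """Return a verdict string for one packet."""
        if not self.active:
            return "drop:standby"            # standby does not forward traffic
        if pkt.key in self.sessions:
            return "forward:established"     # known flow, no policy lookup needed
        if pkt.proto == "tcp" and not pkt.syn:
            # Mid-stream packet with no session entry: stateful inspection rejects it.
            return "drop:no-session"
        if (pkt.dst, pkt.dport) not in self.allow_rules:
            return "drop:policy"
        self.sessions[pkt.key] = "established"
        if self.peer is not None:
            self.peer.sessions[pkt.key] = "established"  # replicate new session to standby
        return "forward:new"


def failover(old_active: StatefulFirewall, new_active: StatefulFirewall) -> None:
    """Swap roles, as a heartbeat loss on the backup link would trigger."""
    old_active.active = False
    new_active.active = True


def run_scenario(sync_sessions: bool) -> List[str]:
    """Open a flow on the active unit, fail over, then send more traffic."""
    rules = {("10.0.0.10", 443)}               # constructed: allow HTTPS to one server
    fw_a = StatefulFirewall("USG-A", active=True, allow_rules=rules)
    fw_b = StatefulFirewall("USG-B", active=False, allow_rules=rules)
    if sync_sessions:
        fw_a.peer = fw_b
    first = Packet("192.0.2.5", 51000, "10.0.0.10", 443, syn=True)
    data = Packet("192.0.2.5", 51000, "10.0.0.10", 443)
    verdicts = [fw_a.process(first), fw_a.process(data)]
    failover(fw_a, fw_b)
    verdicts.append(fw_b.process(data))       # same flow now hits the new active unit
    return verdicts


if __name__ == "__main__":
    print("with session sync:   ", run_scenario(True))
    print("without session sync:", run_scenario(False))
```

The last verdict is the one that matters: with replication the flow continues after the switchover, without it the new active device sees a non-SYN packet it has no state for and drops it, which is exactly the disruption the hot backup design is meant to avoid.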

2 IPSec VPNs
As a VPN gateway, the USG5300 supports tunneling technologies such as L2TP and GRE, and combines them with IPSec and firewall technologies to guarantee the QoS and security of network transmission. Figure 2 shows the details.

The access VPN provides SOHO and mobile office users with security channels to access the resources of the headquarters through public switched telephone network (PSTN)/integrated services digital network (ISDN).
The intranet VPN provides channels to access the headquarters for the regional offices and branch offices. The IPSec/IKE technology is used to ensure that data is securely transmitted over the Internet. This protects the data on the Internet from eavesdropping and tampering.
The extranet VPN provides partners and customers with channels to access the internal network of an enterprise while still protecting the security of that internal network.
Figure 2 IPSec VPN implemented by the USG5300


3 IDC Security Protection


Two USG5300 devices are deployed at the egress of the IDC, with basic routing, firewall, IPS, AV, and URL filtering functions enabled.

The IPS function deeply inspects the data flows passing through the USG5300; once an attack is detected, the USG5300 blocks it in time, effectively defending against application-layer attacks.

The AV function scans files transmitted over HTTP, SMTP, and POP3 and handles files found to be infected according to the AV policy.

The URL filtering function manages online behaviors, audits and monitors terminal applications, and limits the applications that may increase internal security risks or affect normal services.
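URL filtering is only as good as the hostname normalisation in front of the category lookup: mixed case, a trailing dot, an explicit port, or a user-info prefix (`http://trusted@blocked/`) all name the same host and must reach the same category. The code below is an added example, not Huawei's implementation; the category table, the blocked categories and the sample URLs are constructed, and the lookup walks parent domains so that a subdomain inherits its parent's category.

```python
"""Category-based URL filter with hostname normalisation.
Added example; CATEGORIES and BLOCKED_CATEGORIES are constructed stand-ins
for a vendor signature database."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed category database: category -> set of domains.
CATEGORIES = {
    "malware": {"bad.example", "payload.example"},
    "p2p": {"tracker.example"},
}
# Constructed policy: categories an administrator chose to block.
BLOCKED_CATEGORIES = {"malware", "p2p"}


def normalise_host(url: str) -> Optional[str]:
    """Extract the effective hostname, or None if the URL has none."""
    host = urlsplit(url).hostname   # lowercases, drops userinfo and port
    if not host:
        return None
    return host.rstrip(".")         # "bad.example." is the same host as "bad.example"


def categorise(host: str) -> str:
    """Match the host and each parent domain against the category lists."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in CATEGORIES.items():
            if candidate in domains:
                return category
    return "uncategorised"


def filter_url(url: str) -> Tuple[str, str]:
    """Return (verdict, category); unparseable URLs fail closed."""
    host = normalise_host(url)
    if host is None:
        return ("block", "unparseable")
    category = categorise(host)
    verdict = "block" if category in BLOCKED_CATEGORIES else "allow"
    return (verdict, category)


if __name__ == "__main__":
    # Constructed sample URLs exercising the normalisation edge cases.
    for sample in [
        "http://www.good.example/",
        "http://good.example@bad.example/",   # userinfo does not change the host
        "HTTP://BAD.EXAMPLE.:8080/x",         # case, trailing dot, port
        "http://cdn.tracker.example/",        # subdomain inherits parent category
        "not a url",
    ]:
        print(sample, "->", filter_url(sample))
```

Failing closed on an unparseable URL is a deliberate choice here; a production filter would usually log such requests so that an operator can tell policy blocks from parser gaps.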

The security service center on the Internet provides the USG5300 with online updates of the IPS signature database and virus database, which ensures that the USG5300 always has the latest IPS signature database and virus database and makes the intrusion prevention and AV functions more effective.

