
Quidway Eudemon 1000E Unified Security Gateway

V100R002

Product Description

Issue 01

Date 2009-01-20

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address:

Huawei Industrial Base


Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website:

http://www.huawei.com

Email:

support@huawei.com

Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Contents

About This Document
1 Product Overview
2 Product Features
2.1 Multiple Security Zones
2.2 Powerful GTP Protection
2.3 Virtual Firewall
2.4 Multiple Work Modes
2.5 Enhanced Packet Filtering
2.5.1 High-speed ACL Searching
2.5.2 Malicious Host Filtering Based on the Blacklist
2.5.3 MAC Address and IP Address Binding
2.5.4 Packet Filtering Based on the Application Layer
2.6 Multiple NAT Applications
2.6.1 Address Translation
2.6.2 Multiple NAT ALGs
2.7 Powerful Attack-Defending Capability
2.7.1 Defending Worm Virus
2.7.2 Defending Multiple DoS And DDoS Attacks
2.7.3 Defending Scanning and Snooping Attacks
2.7.4 Defending Other Attacks
2.8 IDS Cooperation
2.9 Cost-Effective Reliability
2.9.1 Cost-Effective Product Design
2.9.2 1+1 Backup of Routing Information
2.9.3 Dual-System Hot Backup
2.10 Perfect Traffic Monitoring
2.11 Multiple Authentication Modes
2.12 QoS Guarantee
2.13 Security-Guaranteed VPN Applications
2.14 Flexible P2P Flow Limiting
2.15 Enhanced Log Management
2.15.1 Two Log Output Formats
2.15.2 Varied Types of Logs
2.16 Rich and Flexible Maintenance and Management
2.16.1 Rich Maintenance and Management
2.16.2 SNMP Based Terminal System Management
2.16.3 GUI Management
2.17 Compliant Tests and Standards
3 System Structure
3.1 Appearance
3.1.1 Front Panel of the Eudemon 1000E
3.1.2 Rear Panel of the Eudemon 1000E Powered by AC Input
3.1.3 Rear Panel of the Eudemon 1000E Powered by DC Input
3.2 System Configuration
3.3 External Interfaces
3.3.1 Fixed Interfaces
3.3.2 Extended Interfaces
3.4 Supported Interface Modules
4 Networking Applications
4.1 Attack-Defending Function
4.2 Application of Dual-System Hot Backup
4.3 IPSec VPNs
5 Purchase Guide
5.1 Host Purchase
5.1.1 Factors for Your Purchase
5.1.2 Optional List for Host Purchase
5.2 Interface Module Purchase
6 Compliant Standards and Feature List
6.1 Compliant Standards
6.2 Feature List of the Eudemon 1000E
A Appendix

Figures

Figure 3-1 Front panel of the Eudemon 1000E
Figure 3-2 Rear panel of the Eudemon 1000E powered by AC input
Figure 3-3 Rear panel of the Eudemon 1000E powered by DC input
Figure 4-1 Hybrid networking of the Eudemon 1000E and the IDS
Figure 4-2 Dual-system hot backup of the Eudemon 1000E
Figure 4-3 IPSec VPN implemented by the Eudemon 1000E

Tables

Table 3-1 System configuration of the Eudemon 1000E
Table 3-2 Console port
Table 3-3 GE optical/electrical interface
Table 3-4 FE electrical interface
Table 3-5 GE optical/electrical interface
Table 5-1 Eudemon 1000E host accessories
Table 5-2 Interface module purchase of the Eudemon 1000E
Table 6-1 Compliant standards
Table 6-2 Feature list of the Eudemon 1000E


About This Document


Purpose
This document describes the following contents of the Eudemon 1000E series:
• Product overview
• Product features
• System structure
• Networking applications
• Purchase guide
• Standard and feature list

This document provides the service functions of the Eudemon 1000E.

Related Versions
The following table lists the product versions related to this document.

Product Name             Version
Quidway Eudemon 1000E    V100R002

Intended Audience
This document is intended for:
• Network engineers
• Network management personnel
• Users with network basics

Organization
This document is organized as follows.

Chapter                                   Description
1 Product Overview                        The main performance and features of the Eudemon 1000E.
2 Product Features                        The powerful attack-defending capability and various security features of the Eudemon 1000E.
3 System Structure                        The appearance and interface information of the Eudemon 1000E.
4 Networking Applications                 Some typical networking modes of the Eudemon 1000E.
5 Purchase Guide                          The factors that must be considered when purchasing the Eudemon 1000E.
6 Compliant Standards and Feature List    The compliant standards and feature list of the Eudemon 1000E.
A Appendix                                The acronyms and abbreviations used in this document.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description
DANGER     Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP        Indicates a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Convention         Description
Times New Roman    Normal paragraphs are in Times New Roman.
Boldface           Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic             Book titles are in italics.
Courier New        Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[]                  Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention    Description
Boldface      Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>             Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format          Description
Key             Press the key. For example, press Enter and press Tab.
Key 1+Key 2     Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action          Description
Click           Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag            Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 01 (2009-01-20)


Initial field trial release.

1 Product Overview

This topic describes the main performance characteristics and features of the Eudemon 1000E.

With the rapid development of the Internet, more and more enterprises are building their business on network services. In an open network, protecting the Intranet has become a pressing practical concern. Huawei developed the Quidway Eudemon series as a cost-effective security solution for large and medium-sized enterprises and telecommunication networks. The Eudemon 1000E provides both a command-line view and a graphical user interface (GUI), which simplifies device management and configuration.

The Eudemon 1000E uses a 1U standard chassis equipped with a Console port. It has four pairs of fixed 10/100/1000M Ethernet interfaces (mutually exclusive optical/electrical pairs) and two universal serial bus (USB 2.0) interfaces. The chassis provides two extended slots, in which users can install four Fast Ethernet (FE) interfaces and two pairs of Gigabit Ethernet (GE) interfaces. The Eudemon 1000E can be fitted with two AC or DC power modules to provide a dual, redundant power supply.

The Eudemon 1000E delivers high performance. Its number of new connections per second leads the field.

The Eudemon 1000E supports 30,000 access control list (ACL) rules. The mean time between failures (MTBF) is 37.54 years.

The Eudemon 1000E is based on an integrated software and hardware platform and runs a dedicated real-time operating system (OS). In this system, you can flexibly define security zones, such as the pre-defined Local zone, Trust zone, Untrust zone, and Demilitarized zone (DMZ). You can also customize other security zones as required. When data is transmitted between two interfaces with different security levels, the Eudemon 1000E checks it against the security rules.

The Eudemon 1000E not only supports multiple protocols such as File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP), but also provides multiple features such as algorithm-based fast ACL searching, static and dynamic blacklist filtering, VPN service, and P2P flow limiting.

2 Product Features

About This Chapter


This topic describes the powerful attack-defending capabilities and security features of the
Eudemon 1000E.
2.1 Multiple Security Zones
This topic describes the security zone division of the Eudemon 1000E.
2.2 Powerful GTP Protection
This topic describes the GPRS Tunneling Protocol (GTP) data protection function of the
Eudemon 1000E.
2.3 Virtual Firewall
This topic describes the virtual firewall function provided by the Eudemon 1000E.
2.4 Multiple Work Modes
This topic describes the multiple work modes supported by the Eudemon 1000E.
2.5 Enhanced Packet Filtering
This topic describes the enhanced packet filtering capabilities of the Eudemon 1000E.
2.6 Multiple NAT Applications
This topic describes the multiple types of NAT functions provided by the Eudemon 1000E.
2.7 Powerful Attack-Defending Capability
This topic describes the powerful attack-defending capabilities of the Eudemon 1000E.
2.8 IDS Cooperation
This topic describes the powerful capabilities provided when the Eudemon 1000E networks with
the IDS.
2.9 Cost-Effective Reliability
This topic describes the high stability and availability of the Eudemon 1000E.
2.10 Perfect Traffic Monitoring
This topic describes the flow monitoring functions provided by the Eudemon 1000E.
2.11 Multiple Authentication Modes
This topic describes the multiple types of user authentication modes and charging modes
provided by the Eudemon 1000E.
2.12 QoS Guarantee


This topic describes the QoS of the Eudemon 1000E.
2.13 Security-Guaranteed VPN Applications
This topic describes the application of the Eudemon 1000E in VPNs.
2.14 Flexible P2P Flow Limiting
This topic describes the P2P flow limiting function provided by the Eudemon 1000E.
2.15 Enhanced Log Management
This topic describes the perfect log management function of the Eudemon 1000E.
2.16 Rich and Flexible Maintenance and Management
This topic describes the flexible maintenance and management methods supported by the
Eudemon 1000E.
2.17 Compliant Tests and Standards
This topic describes the security certifications that the Eudemon 1000E passes.

2.1 Multiple Security Zones


This topic describes the security zone division of the Eudemon 1000E.

A security zone includes one or more interfaces. Different security zones have different security levels. The Eudemon 1000E supports the following pre-defined security zones:
• Local zone
• Trust zone
• Untrust zone
• DMZ zone
• Vzone zone

It also supports customized security zones. The root firewall supports 11 customized zones. The virtual firewall supports 3 customized zones.

In addition, in transparent mode and mixed mode, the Eudemon 1000E can classify security zones based on virtual local area networks (VLANs).

2.2 Powerful GTP Protection


This topic describes the GPRS Tunneling Protocol (GTP) data protection function of the Eudemon 1000E.

The Eudemon 1000E provides a general packet radio service (GPRS) tunneling protocol (GTP) solution that interworks with the GPRS support node (GSN) of Huawei. This secures data transmission in GPRS. Like serving GPRS support node (SGSN) and gateway GPRS support node (GGSN) products, the Eudemon 1000E implements the GTP function over the User Datagram Protocol (UDP). In a GPRS network, the Eudemon 1000E can be deployed on the Gn, Gp, or Gi interface.

The Eudemon 1000E can protect a system against GTP charging overflow attacks.

2.3 Virtual Firewall


This topic describes the virtual firewall function provided by the Eudemon 1000E.

To suit small-sized private networks, Huawei provides a multi-instance solution: users can logically divide a Eudemon 1000E into multiple virtual firewalls, so that the security of each small-sized private network is guaranteed independently. Network carriers can use the Eudemon 1000E to lease out network security as a service.

The VPN instances provide separate VPN routes for the virtual firewalls. The VPN instances map one-to-one to the virtual firewalls. At present, the Eudemon 1000E supports IPSec, L2TP, NAT, security zone, ACL, session, blacklist, and routing for the virtual firewalls.

2.4 Multiple Work Modes


This topic describes the multiple work modes supported by the Eudemon 1000E.

The Eudemon 1000E supports routing mode, transparent mode, and mixed mode. This enhances the flexibility and adaptability of networking applications. The Eudemon 1000E also integrates part of the routing function.

2.5 Enhanced Packet Filtering


This topic describes the enhanced packet filtering capabilities of the Eudemon 1000E.
2.5.1 High-speed ACL Searching
2.5.2 Malicious Host Filtering Based on the Blacklist
2.5.3 MAC Address and IP Address Binding
2.5.4 Packet Filtering Based on the Application Layer

2.5.1 High-speed ACL Searching


The Eudemon 1000E implements a fast traffic classification algorithm. Even when the system
searches more than ten thousand ACL rules, performance and processing speed are
not affected.

2.5.2 Malicious Host Filtering Based on the Blacklist


The Eudemon 1000E discards the packets originated from the users in the blacklist. In this way,
the security of the Internet Service Providers (ISP) and enterprises is ensured.

2.5.3 MAC Address and IP Address Binding


If the MAC address of a packet does not match the source IP address, the packet is discarded.
This prevents IP spoofing attacks.

2.5.4 Packet Filtering Based on the Application Layer


The Eudemon 1000E provides the following Application Specific Packet Filter (ASPF) security filtering:
• Channel and state inspection based on TCP (Transmission Control Protocol)/UDP (User Datagram Protocol)
• Java Blocking protection and ActiveX Blocking protection
• Port-to-application mapping
• Filtering based on contents

2.6 Multiple NAT Applications


This topic describes the multiple types of NAT functions provided by the Eudemon 1000E.
Network address translation (NAT) translates addresses of the private network into
addresses of the public network (Internet).
2.6.1 Address Translation
2.6.2 Multiple NAT ALGs

2.6.1 Address Translation


The Eudemon 1000E supports the following address translations:
• NAT based on IP address pool
• NAT implementing different policies based on different addresses
• PAT based on IP address and port (TCP or UDP port)
• NAT based on ACL rules
• Port-level NAT

2.6.2 Multiple NAT ALGs


NAT supports multiple Application Level Gateways (ALGs) in the registration mode, including:
• NAT ALG of the FTP protocol
• NAT ALG of the NBT protocol
• NAT ALG of the ICMP protocol
• NAT ALG of the H.323 protocol (including T.120, RAS, Q.931 and H.245)
• NAT ALG of the SIP protocol
• NAT ALG of the RTSP protocol
• NAT ALG of the HWCC protocol
• NAT ALG of the ILS protocol
• NAT ALG of the PPTP protocol
• NAT ALG of Tencent QQ chatting
• NAT ALG of MSN Messenger provided by Microsoft

NBT is short for NetBIOS over TCP.
ICMP is short for Internet Control Message Protocol.
SIP is short for Session Initiation Protocol.
RTSP is short for Real-Time Streaming Protocol.
HWCC is short for Huawei Conference Control Protocol.
DNS is short for domain name system.
ILS is short for Internet locator service.
PPTP is short for Point to Point Tunneling Protocol.

Because special protocols are supported in the registration mode, NAT can be expanded flexibly to support new protocols easily without changing the software architecture.
2.7 Powerful Attack-Defending Capability


This topic describes the powerful attack-defending capabilities of the Eudemon 1000E.
2.7.1 Defending Worm Virus
2.7.2 Defending Multiple DoS And DDoS Attacks
2.7.3 Defending Scanning and Snooping Attacks
2.7.4 Defending Other Attacks

2.7.1 Defending Worm Virus


According to the features of worms, the Eudemon 1000E is designed with the following enhanced defense functions:
• Traffic monitoring and inspection
• Connection number inspection
• Defense of IP address scanning
• Defense of port scanning
• Blacklist filtering

2.7.2 Defending Multiple DoS And DDoS Attacks


The Eudemon 1000E can effectively detect DoS and DDoS attack packets, and then forward or
discard them to avoid the attacks. Meanwhile, it records the attack behavior in the logs.

2.7.3 Defending Scanning and Snooping Attacks


The Eudemon 1000E detects the scanning and snooping packets flexibly through comparison and analysis, so as to avoid the subsequent attacks.
• Address scanning
• Port scanning
• IP source routing options
• IP routing record options
• Network architecture snooping through the tracer tool

2.7.4 Defending Other Attacks


The Eudemon 1000E can protect a system against multiple types of DoS attacks and scanning
and snooping. It can also guard against IP spoofing attacks to prevent intrusion into the system.

2.8 IDS Cooperation


This topic describes the powerful capabilities provided when the Eudemon 1000E networks with
the IDS.
With a powerful attack-defending capability, the Eudemon 1000E can work with a professional Intrusion Detection System (IDS) that is deployed externally. Since the IDS device contains the complete information about the behavior model of attacks, the cooperative networking provides a more reliable and comprehensive safeguard for the network.

2.9 Cost-Effective Reliability


This topic describes the high stability and availability of the Eudemon 1000E.
2.9.1 Cost-Effective Product Design
2.9.2 1+1 Backup of Routing Information
2.9.3 Dual-System Hot Backup

2.9.1 Cost-Effective Product Design


With a dedicated hardware system, the Eudemon 1000E supports temperature monitoring and
hot swapping of fans. It is applicable to harsh environments. It adopts dual power supply modules
that support 1+1 backup. The two power supply modules can work in mutual hot backup mode
and support hot swapping. A power supply switchover does not affect system operation.
According to the design requirements for carrier-class products, the Eudemon 1000E meets the
requirements of high reliability for network devices.

2.9.2 1+1 Backup of Routing Information


The Eudemon 1000E supports Virtual Router Redundancy Protocol (VRRP). A backup group
in a network can be set based on a virtual IP address. The hosts in the network can communicate
with other networks through the virtual router.

2.9.3 Dual-System Hot Backup


The Eudemon 1000E supports Huawei Redundancy Protocol (HRP). In this case, a backup group
includes an active device and a standby device. The HRP backs up key configuration commands
and state information of the session table. In this way, the HRP ensures that the standby Eudemon
1000E can smoothly take over the work when the active Eudemon 1000E is faulty.

2.10 Perfect Traffic Monitoring


This topic describes the flow monitoring functions provided by the Eudemon 1000E.
The Eudemon 1000E supports multiple traffic monitoring functions, including the following:
- Basic session monitoring
- Promised access rate
- ISPKeeper function
- Real-time traffic measurement
- P2P flow limiting

2.11 Multiple Authentication Modes


This topic describes the multiple types of user authentication modes and charging modes
provided by the Eudemon 1000E.
The Eudemon 1000E provides a uniform framework for authentication, authorization and
accounting. It manages the security of network access in a centralized manner.
The Eudemon 1000E provides the following authentication modes:
- Local authentication
- Standard RADIUS authentication
- Huawei RADIUS+ authentication
- HWTACACS authentication
- Plain text authentication
- MD5 authentication

RADIUS is short for Remote Authentication Dial-in User Service.
HWTACACS is short for Terminal Access Controller Access Control System.
The Eudemon 1000E supports local management to verify and authorize legal users and deny
illegal users.
Cooperating with Huawei Portal Server, the Eudemon 1000E can provide secure on-line IP
detection to prevent IP spoofing attacks.

2.12 QoS Guarantee


This topic describes the QoS of the Eudemon 1000E.
Quality of Service (QoS) is used to manage the traffic over the Wide Area Network (WAN),
which is encapsulated with Point to Point Protocol (PPP), frame relay (FR) and high level data
link control (HDLC), or over the LAN through the following measures:
- CAR
  The Eudemon 1000E supports the use of CAR in security zones and supports speed limiting
  based on the ACL. In speed limiting, the priority is determined by the time of configuration.
  The later the time is, the higher the priority is.
- Sequence guarantee
  In data communications, many services such as real-time services require the devices to
  guarantee the sequence, for example, the VoIP service. Thus, for both the router and the
  firewall, it is an important feature to guarantee the sequence of forwarding flows. Based
  on the sequence of the packets received by the interface and congestion management, the
  Eudemon 1000E can guarantee the correct sequence when forwarding the packets.

2.13 Security-Guaranteed VPN Applications


This topic describes the application of the Eudemon 1000E in VPNs.
The Eudemon 1000E can provide the IPSec mechanism through software or hardware encryption
cards to provide services such as access control, wireless connection integrity, data source
authentication, anti-replay, encryption, and type-based data flow encryption for the two parties
involved in communication. Through AH and ESP, the Eudemon 1000E protects IP datagrams
and upper-level protocols. The Eudemon 1000E supports two encapsulation modes, transmission
and tunnel. The security association (SA) of IPSec can be established through manual
configuration or IKE auto-negotiation and supports NAT traversal. Both IKE V1 and IKE V2
are supported. IKE V2 supports EAP authentication.
The Eudemon 1000E can be applied in IPSec VPNs to provide highly reliable security
transmission channels for users. Also, it can work with L2TP and GRE to implement varied
types of VPN applications.
- L2TP VPN
- GRE VPN
- IPSec VPN
- L2TP over IPSec VPN
- GRE over IPSec VPN

2.14 Flexible P2P Flow Limiting


This topic describes the P2P flow limiting function provided by the Eudemon 1000E.
This function can be widely applied to access networks with a large volume of P2P flows, such
as communities, campuses, and enterprises.
The Eudemon 1000E adopts multiple methods to limit P2P flows:
- Limiting multiple protocols, such as Xunlei, BT, PPLive, and QQLive
- Limiting upstream and downstream flows separately
- Limiting P2P flows based on periods

2.15 Enhanced Log Management


This topic describes the perfect log management function of the Eudemon 1000E.
2.15.1 Two Log Output Formats
2.15.2 Varied Types of Logs

2.15.1 Two Log Output Formats


The Eudemon 1000E can output SYSLOG in text. It can create the information table based on
traffic state for all data traffic passing through the Eudemon 1000E. Besides, it can output high
speed binary flow logs.

2.15.2 Varied Types of Logs


The Eudemon 1000E provides complete and unified logs. The log types are listed as follows:
- NAT logs and ASPF traffic logs
- Attack-defending logs
- Traffic monitoring logs
- P2P flow detection logs
- Blacklist logs
- Multiple kinds of statistics

2.16 Rich and Flexible Maintenance and Management


This topic describes the flexible maintenance and management methods supported by the
Eudemon 1000E.
2.16.1 Rich Maintenance and Management
2.16.2 SNMP Based Terminal System Management
2.16.3 GUI Management

2.16.1 Rich Maintenance and Management


The Eudemon 1000E supports the following local and remote maintenance modes:
- Local configuration and maintenance through the Console port
- Local and remote maintenance based on Telnet
- Maintenance and management based on Secure Shell (SSH)

The SSH maintenance and management mode ensures information security and powerful
authentication functions over an insecure network, thus avoiding such attacks as IP spoofing
and plain text password interception.

2.16.2 SNMP Based Terminal System Management


The Eudemon 1000E supports the Simple Network Management Protocol (SNMP) V1/V2c/V3
and the Client/Server structure. It can be managed by a Network Management Station
(NMS). For example, it can be managed by Huawei network management platforms such as
iManager N2000 and Quidway.

2.16.3 GUI Management


The Eudemon 1000E provides a friendly GUI for configuration and management. You can
configure security zones, ACL, NAT, ASPF, attack defending, blacklist and statistics parameters
through the GUI.

2.17 Compliant Tests and Standards


This topic describes the security certifications that the Eudemon 1000E passes.
The Eudemon 1000E not only has obtained the sales license issued by the Ministry of Public
Security and the Security Product Certificate of military information, but also has passed the
test of the National Information Security Inspection Center. Besides, the Eudemon 1000E is one
of the products recommended by National Confidentiality Bureau. The Eudemon 1000E is
designed in compliance with the national standards of China, Asia-Pacific and Europe. It meets
the requirements of Underwriter Laboratories Inc. (UL), CE, electromagnetic compatibility
(EMC), FCC-part15, and safety certification and network access.

3 System Structure


About This Chapter


This topic describes the appearance and interfaces of the Eudemon 1000E.
3.1 Appearance
This topic describes the appearance of the front panel and back panel of the Eudemon 1000E.
3.2 System Configuration
This topic describes the hardware configuration requirements and environment requirements of
the Eudemon 1000E.
3.3 External Interfaces
This topic describes the external fixed interfaces and expansion slots of the Eudemon 1000E.
3.4 Supported Interface Modules
This topic describes the interface modules supported by the Eudemon 1000E.

3.1 Appearance
This topic describes the appearance of the front panel and back panel of the Eudemon 1000E.
3.1.1 Front Panel of the Eudemon 1000E
3.1.2 Rear Panel of the Eudemon 1000E Powered by AC Input
3.1.3 Rear Panel of the Eudemon 1000E Powered by DC Input

3.1.1 Front Panel of the Eudemon 1000E


The Eudemon 1000E uses embedded power modules and fans. Thus, the power modules and
fans are not shown on the front panel of the Eudemon 1000E.
Figure 3-1 Front panel of the Eudemon 1000E
[Figure: front panel, callouts 1 to 9]
1. Extended interface module-slot 2
2. Extended interface module-slot 1
3. 10/100/1000 M GE electrical interface
4. 1000M GE optical interface
5. Console serial port
6. USB2.0 interface
7. Indicator
8. ESD
9. preventive wrist strap jack

3.1.2 Rear Panel of the Eudemon 1000E Powered by AC Input


Figure 3-2 Rear panel of the Eudemon 1000E powered by AC input
[Figure: rear panel, callouts 1 to 6]
1. Fan module slot
2. AC power interface
3. AC power switch
4. AC power interface
5. AC power switch
6. Grounding terminal

3.1.3 Rear Panel of the Eudemon 1000E Powered by DC Input


Figure 3-3 Rear panel of the Eudemon 1000E powered by DC input
[Figure: rear panel, callouts 1 to 6]
1. Fan module slot
2. DC power interface
3. DC power switch
4. DC power interface
5. DC power switch
6. Grounding terminal

3.2 System Configuration


This topic describes the hardware configuration requirements and environment requirements of
the Eudemon 1000E.
Table 3-1 System configuration of the Eudemon 1000E

| Item | Description |
|---|---|
| Extended interface | Two 4-FE-port card/2-GE-port card interfaces |
| Fixed interface | One Console port; Four 10/100/1000 M opto-electronic mutually exclusive interfaces; Two USB2.0 interfaces |
| CPU | 1000MHz |
| Memory | 1GB × 2, supports ECC |
| NVRAM | 128KB |
| Flash Memory | 64MB |
| Dimensions | 436 mm × 560 mm × 44.2 mm (W × D × H) |
| Weight | 10kg |
| Input voltage | AC: 100V to 240V (50/60Hz); DC: -48V to -60V |
| Total consumption | 100W |
| Operation temperature | 0°C to 40°C |
| Relative humidity | 5%RH to 90%RH |
| Storage temperature | -25°C to +70°C |

3.3 External Interfaces


This topic describes the external fixed interfaces and expansion slots of the Eudemon 1000E.
3.3.1 Fixed Interfaces
3.3.2 Extended Interfaces

3.3.1 Fixed Interfaces


Table 3-2 Console port

| Index | Parameter |
|---|---|
| Port standard | RS232 |
| Connector | RJ45 |
| Transfer rate | 9600 bit/s to 115200 bit/s |

Table 3-3 GE optical/electrical interface

| Index | Parameter |
|---|---|
| Interface standard | 1000Base-LX/1000Base-SX/1000Base-T, 802.3z |
| Connector | Optical interface: SFP optical module (supports single-mode and multimode optical modules); Electrical interface: RJ45 |
| Transfer rate | 10/100/1000 Mbit/s, supports full-duplex and half-duplex modes. |

3.3.2 Extended Interfaces


Table 3-4 FE electrical interface

| Index | Parameter |
|---|---|
| Port standard | 10/100Base-TX |
| Connector | RJ45 |
| Transfer rate | 10/100Mbit/s |

Table 3-5 GE optical/electrical interface

| Index | Parameter |
|---|---|
| Port standard | 1000Base-LX/1000Base-SX/1000Base-T, 802.3z |
| Connector | Optical interface: SFP optical module (supports single-mode and multimode optical modules); Electrical interface: RJ45 |
| Transfer rate | 10/100/1000 Mbit/s, supports full-duplex and half-duplex modes. |

3.4 Supported Interface Modules


This topic describes the interface modules supported by the Eudemon 1000E.
The Eudemon 1000E supports the following interface modules:
- Four-port 10/100 M Ethernet electrical interface module.
- Two-port gigabit Ethernet optical/electrical interface module.

4 Networking Applications


About This Chapter


This topic describes several typical networking modes of the Eudemon 1000E.
4.1 Attack-Defending Function
This topic describes the attack-defending function provided by the Eudemon 1000E when it
networks with the IDS.
4.2 Application of Dual-System Hot Backup
This topic describes how the Eudemon 1000E protects the security of user data by means of dual-system hot backup.
4.3 IPSec VPNs
This topic describes how the Eudemon 1000E uses the VPN technology to guarantee the security
of network transmission.

4.1 Attack-Defending Function


This topic describes the attack-defending function provided by the Eudemon 1000E when it
networks with the IDS.
The Eudemon 1000E can work with the IDS to detect the potential attacks.
Figure 4-1 Hybrid networking of the Eudemon 1000E and the IDS
[Figure labels: Syslog, IDS, WWW, DNS, Mail, LAN Switch, Router, Firewall, Hacker, PC, Internal Office Area, Government, Enterprise]

The Eudemon 1000E is deployed at the network ingress to prevent attacks from internal or
external networks.

The IDS device is deployed on the key location in the Intranet to identify attacks from
hackers, and the log host records the detailed attack logs.

At present, there are two deployment modes:

Based on the mirroring port of the device.

LAN Switch and the Eudemon 1000E cooperate with each other so as to guard against
various attacks.

4.2 Application of Dual-System Hot Backup


This topic describes how the Eudemon 1000E protects the security of user data by means of dual-system hot backup.
The Eudemon 1000E provides the dual-system hot backup, so that the user data will not be
disrupted due to the switchover between the active and standby Eudemons.
Figure 4-2 Dual-system hot backup of the Eudemon 1000E
[Figure labels: PC, LAN Switch, Firewall (Master), Firewall (Backup), Router, Company headquarter]

Two Eudemon 1000E devices in the headquarters (HQ) form a hot backup group. One of
the Eudemon 1000E devices is used as the master device for security protection. The other is
used as the slave device. The backup group provides security functions such as ACL, ASPF,
traffic monitoring and NAT.

Two Eudemon 1000E devices are interconnected with each other.

The LAN switch devices in the Intranet and the routers in the Extranet are connected with
each Eudemon 1000E device to form the mesh connection.

4.3 IPSec VPNs


This topic describes how the Eudemon 1000E uses the VPN technology to guarantee the security
of network transmission.
As the VPN gateway, the Eudemon 1000E supports tunneling technologies such as L2TP and
GRE. It uses the tunneling technologies with the IPSec and firewall technologies to guarantee
the QoS and security of network transmission. Figure 4-3 shows the details.
- The access VPN provides SOHO and mobile office users with security channels to access
  the resources of the headquarters through public switched telephone network (PSTN)/
  integrated services digital network (ISDN).
- The intranet VPN provides channels to access the headquarters for the regional offices and
  branch offices. The IPSec/IKE technology is used to ensure that data is securely transmitted
  over the Internet. This protects the data on the Internet from eavesdropping and tampering.
- The extranet VPN provides channels to access the internal network of an enterprise for the
  partners and customers. Also, it protects the security of the internal network.

Figure 4-3 IPSec VPN implemented by the Eudemon 1000E
[Figure labels: PC, File Server, Extranet VPN, Intranet VPN, Branch/Partner, Company Headquarter, Firewall, Carriers network, NAS, Access VPN, PSTN/ISDN, Personal mobile office, Home office, VPN tunnel]

5 Purchase Guide


About This Chapter


This topic describes the factors to be considered when you purchase the product.
5.1 Host Purchase
This topic describes the factors to be considered when you purchase hosts.
5.2 Interface Module Purchase
This topic describes the factors to be considered when you purchase interface modules.

5.1 Host Purchase


This topic describes the factors to be considered when you purchase hosts.
5.1.1 Factors for Your Purchase
5.1.2 Optional List for Host Purchase

5.1.1 Factors for Your Purchase


You can take the following factors into consideration when you buy Eudemon 1000E hosts:
- Networking requirement: Choose the types and number of interfaces according to the scale
  and performance of your network. Then choose the product model according to the
  interfaces.
- Reliability: The Eudemon 1000E hosts adopt a double power supply module that works in
  1+1 redundancy backup mode.
- Power supply: Choose the AC or DC power supply module according to the type of power
  supply.

5.1.2 Optional List for Host Purchase


The Eudemon 1000E provides AC and DC power supply. You can select either of them as
required. Table 5-1 lists the host and related accessories.
Table 5-1 Eudemon 1000E host accessories

| Item | Quantity | Remarks |
|---|---|---|
| Host | | Mandatory, provides hosts powered by AC/DC input |
| Accessories | | Mandatory |

5.2 Interface Module Purchase


This topic describes the factors to be considered when you purchase interface modules.
The Eudemon 1000E provides multiple interface modules and the relevant cables that may be
delivered separately from the host. You can purchase the modules and host as needed.
The purchase for the interface modules involves two selections: interface module selection and
its relevant cable or optical cable selection. Generally, if the interface module matches only a
certain type of cable, you do not need to choose cable. Otherwise, you should choose and buy
cables in the cable suite based on the line features and the number of interfaces. For more
information, see Table 5-2.

Table 5-2 Interface module purchase of the Eudemon 1000E

| Interface Module | Cable | Remarks |
|---|---|---|
| Four-port 10/100 M Ethernet electrical interface module | Ethernet cable | The cables are optional. |
| Two-port 10/100/1000 M optoelectronic mutually exclusive interface module | Ethernet cable | The cables are optional. |
| Multi-mode optical transceiver | Multi-mode optical cable | The optical cables are optional. Choose the optical cables from the external optical cable set. |
| Single-mode optical transceiver | Single-mode optical cable | The optical cables are optional. Choose the optical cables from the external optical cable set. |

6 Compliant Standards and Feature List


About This Chapter


This topic describes the compliant standards and features of the Eudemon 1000E.
6.1 Compliant Standards
This topic describes the compliant standards of the Eudemon 1000E.
6.2 Feature List of the Eudemon 1000E
This topic describes the features of the Eudemon 1000E.

6.1 Compliant Standards


This topic describes the compliant standards of the Eudemon 1000E.
Table 6-1 Compliant standards

| Standard | Content |
|---|---|
| ETS 300 386 | Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; ElectroMagnetic Compatibility (EMC) requirements |
| IEC 62151 | Safety of equipment electrically connected to a telecommunication network |
| IEEE 802.1d | MAC bridges |
| IEEE 802.1p | Traffic Class Expediting and Dynamic Multicast Filtering |
| IEEE 802.1q | Virtual Bridged Local Area Networks |
| IEEE 802.3u | Definition of Fast Ethernet (100BTX, 100BT4, 100BFX) |
| IEEE 802.3z | Definition of Gigabit Ethernet (over Fibre) |
| ITU-T G.652 | Characteristics of a single-mode optical fibre and cable |
| RFC0768 | User datagram protocol (UDP) |
| RFC0791 | Internet protocol (IP) |
| RFC0792 | Internet Control Message Protocol (ICMP) |
| RFC0793 | Transport Control Protocol (TCP) |
| RFC0854 | Telnet |
| RFC0894 | Technical specification For network access server |
| RFC1157 | Simple Network Management Protocol (SNMP) |
| RFC1213 | Management information base for network management of TCP/IP-based Internets: MIB-II |
| RFC1229 | Extensions to the generic-interface MIB |
| RFC1661 | Point-to-point links (PPP) |
| RFC1757 | Remote network monitoring management information base |
| RFC2865 | Remote authentication dial in user service (RADIUS) |
| RFC2869 | RADIUS extensions |
| RFC2903 | Generic AAA architecture |
| RFC2904 | AAA authorization framework |
| RFC2906 | AAA authorization requirements |
| RFC2809 | Implementation of L2TP compulsory tunneling via RADIUS |
| RFC1492 | An access control protocol, sometimes called TACACS |
| RFC2401 | Security architecture for the Internet protocol |
| RFC2402 | Authentication header (AH) |
| RFC2403 | The Use of HMAC-MD5-96 within ESP and AH |
| RFC2404 | The Use of HMAC-SHA-1-96 within ESP and AH |
| RFC2405 | The ESP DES-CBC cipher algorithm with explicit IV |
| RFC2406 | IP encapsulating security payload (ESP) |
| RFC2407 | The Internet IP security domain of interpretation for ISAKMP |
| RFC2408 | Internet security association and key management protocol (ISAKMP) |
| RFC2409 | Internet key exchange (IKE) |
| RFC2410 | The NULL encryption algorithm and its use with IPsec |
| RFC3715 | IPSec-Network Address Translation (NAT) Compatibility Requirements |
| RFC3947 | Negotiation of NAT-Traversal in the IKE |
| RFC3948 | UDP Encapsulation of IPsec ESP Packets |
| RFC2663 | IP Network Address Translator (NAT) Terminology and Considerations |
| RFC 2712 | Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) |
| RFC 3268 | Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS) |
| RFC 3943 | Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS) |
| RFC 4132 | Addition of Camellia Cipher Suites to Transport Layer Security (TLS) |
| RFC 4162 | Addition of SEED Cipher Suites to Transport Layer Security (TLS). |
| RFC 4279 | Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) |
| RFC 4346 | The Transport Layer Security (TLS) Protocol Version 1.1 |
| RFC 4366 | Transport Layer Security (TLS) Extensions |
| RFC 4492 | Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) |
| RFC 4507 | Transport Layer Security (TLS) Session Resumption without Server-Side State |
| RFC 2578 | Structure of management information version 2 (SMIv2) |
| RFC 2579 | Textual conventions for SMIv2 |
| RFC2580 | Conformance statements for SMIv2 |
| RFC1157 | SNMP |
| RFC1155 | Structure and identification of management information for TCP/IP-based Internets |
| RFC1213 | Management information base for network management of TCP/IP-based Internets: MIB-II |
| RFC1212 | Concise MIB definitions |
| RFC1901 | Introduction to community-based SNMPv2 |
| RFC1035 | NTPv3 specification |
| RFC854 | Telnet protocol specification |
| RFC857 | Telnet echo option |
| RFC858 | Telnet "Suppress Go Ahead" option |
| RFC1091 | Telnet terminal type option |
| RFC4250 | The Secure Shell (SSH) Protocol Assigned Numbers |
| RFC4251 | The Secure Shell (SSH) Protocol Architecture |
| RFC4252 | The Secure Shell (SSH) Authentication Protocol |
| RFC4253 | The Secure Shell (SSH) Transport Layer Protocol |
| RFC4254 | The Secure Shell (SSH) Connection Protocol |
| RFC4255 | Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints |
| RFC4256 | Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) |
| RFC4335 | The Secure Shell (SSH) Session Channel Break Extension |
| RFC4344 | The Secure Shell (SSH) Transport Layer Encryption Modes |
| RFC4419 | Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol |
| RFC4462 | Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol |
| RFC1350 | TFTPv2 |
| RFC959 | FTP |
| RFC1945 | Hypertext Transfer Protocol -- HTTP/1.0 |
| RFC2145 | Use and Interpretation of HTTP Version Numbers |
| RFC2616 | Hypertext Transfer Protocol -- HTTP/1.1 |
| RFC2617 | HTTP Authentication: Basic and Digest Access Authentication |
| RFC2774 | An HTTP Extension Framework |
| RFC2817 | Upgrading to TLS Within HTTP/1.1 |
| RFC2818 | HTTP Over TLS |
| RFC2965 | HTTP State Management Mechanism |
| RFC2787 | Definitions of managed objects for the virtual router redundancy protocol |
| VGMP | VRRP |
| HRP | Huawei redundancy protocol |

6.2 Feature List of the Eudemon 1000E


This topic describes the features of the Eudemon 1000E.
Table 6-2 Feature list of theEudemon 1000E

Issue 01 (2009-01-20)

Attribute

Description

Security
defending

Packet filtering

Supports basic ACL and advanced ACL

Supports ACL based on time period

Supports ACL between zones

Supports dynamic maintenance ACL rules

Supports blacklist, MAC address and IP address


binding

Supports ASPF and state inspection

Provides port mapping mechanism

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

6-5

Quidway Eudemon 1000E Unified Security Gateway


Product Description

6 Compliant Standards and Feature List

Attribute

Description
NAT

Attack
defending

traffic
monitoring

Supports address conversion (NAT and PAT)

Provides the internal server

Port-level NAT server

Supports multiple NAT ALGs, including FTP,


PPTP, DNS, NBT, ICMP, H.323, QQ, MSN, RTSP,
SIP and conference control protocol.

Defends multiple DoS attacks such as SYN Flood,


ICMP Flood, UDP Flood, WinNuke, ICMP
redirection and unreachable packets, Land, Smurf,
Fraggle and IP Spoofing.

Defends scanning and snooping such as address


scanning, port scanning, IP source routing option,
IP routing record option, timestamp and snooping
routing.

Macrocephalic packet attacks: macrocephalic IP


multipartite packets, macrocephalic TCP packets,
extra-large ICMP packets, Tear Drop and Ping Of
Death.

Supports limit to link amount

Supports access rate promise

Supports real-time traffic measurement and


analysis

Supports the monitoring and limitation of P2P flows

Supports the networking with IDS devices


Network
interconnecting

Link layer
protocol

Supports Ethernet_II and Ethernet_SNAP

Supports VLAN

IP service

Supports address resolution

Supports static domain name resolution

Supports DHCP trunk and DHCP server

Supports static routing

Supports RIP, OSPF and BGP dynamic routing

Supports policy routing

Supports routing policy and routing iteration

Routing
protocol

6-6

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Issue 01 (2009-01-20)

Quidway Eudemon 1000E Unified Security Gateway


Product Description

Attribute

Description
VPN

Supports the authentication protocols AH and ESP,


and encapsulation in transmission or tunnel mode

Supports the key exchange protocol, IKE V1/V2

Supports L2TP VPN

Supports GRE VPN

Supports IPSec VPN

Supports RADIUS protocols and provides


verification modes of PAP and CHAP

Supports user authentication of PPP and Login

Supports local authentication

Supports multiple ISP

CAR

Sequence guarantee

Supports routing mode

Supports transparent mode

Supports composite mode

Hierarchical protection of command line against the


intrusion from unauthorized users

Supports file system and provides multiconfiguration files and multiple program files

GUI management

Telnet configuration management, which supports


Telnet Client.

Maintenance management through the SSH

Complies with multiple national and international


certification and design standards

1+1 hot backup of power

Dual-system
hot backup

Supports hot backup of part of the commands

Supports hot backup of state: firewall ACL, ASPF,


traffic monitoring and NAT.

System
management

Supports standard network management protocol


SNMPv1/v2c/v3

AAA

Service
application

QoS

Configuration
and management

Working mode

Configuration
method

Maintenance and
reliability

Issue 01 (2009-01-20)

6 Compliant Standards and Feature List

Product design


System logs

Measures input and output of IP packets

Provides NAT logs

Provides ASPF logs

Provides attack defending logs

Provides P2P flow detection logs

Provides traffic monitoring logs

Provides blacklist logs

Provides multiple measurement information (traffic measurement, attack packet amount)


A Appendix

Appendix

A
AC

Alternating Current

ACL

Access Control List

AH

Authentication Header

ALG

Application Level Gateway

ASPF

Application Specific Packet Filter

C
CE

Community European

CPU

Central Processing Unit

D
DC

Direct Current

DDoS

Distributed Denial of Service

DoS

Denial of Service

DMZ

Demilitarized Zone

DNS

Domain Name Server

E
ECC

Embedded Control Channel

EMC

Electromagnetic Compatibility

ESP

Encapsulating Security Payload


F
FE

FastEthernet

FR

Frame Relay

FTP

File Transfer Protocol

G
GE

GigabitEthernet

GGSN

Gateway GPRS Support Node

GPRS

General Packet Radio Service

GRE

Generic Routing Encapsulation

GSN

Gateway Serving Node

GUI

Graphic User Interface

H
HDLC

High Data Link Control

HRP

Huawei Redundancy Protocol

HWCC

Huawei Conference Control Protocol

HWTACACS

Huawei Terminal Access Controller Access Control System

I
ICMP

Internet Control Message Protocol

IDS

Intrusion Detective System

IKE

Internet Key Exchange

ILS

Internet Locator Service

IP

Internet Protocol

IPSec

IP Security

ISDN

Integrated Services Digital Network

L
L2TP

Layer 2 Tunneling Protocol

M

MAC

Medium Access Control

MD5

Message-Digest Algorithm 5

N
NAT

Network Address Translation

NBT

NetBIOS over TCP

NGN

Next Generation Network

NMS

Network Management System

NTP

Network Time Protocol

NVRAM

Non-Volatile Random Access Memory

P
P2P

Peer to Peer

PAT

Port Address Translation

PPP

Point to Point Protocol

PPTP

Point to Point Tunneling Protocol

PSTN

Public Switched Telephone Network

Q
QoS

Quality of Service

R
RADIUS

Remote Authentication Dial-In User Service

RTSP

Real-Time Streaming Protocol

S
SFP

Small Form-Factor Pluggable

SGSN

Serving GPRS Support Node

SIP

Session Initiation Protocol

SMTP

Simple Mail Transfer Protocol

SNMP

Simple Network Management Protocol

SSH

Secure Shell


T
TCP

Transport Control Protocol

TFTP

Trivial File Transfer Protocol

U
UDP

User Datagram Protocol

UL

Underwriter Laboratories Inc.

USB

Universal Serial Bus

V
VLAN

Virtual Local Area Network

VPN

Virtual Private Network

VRRP

Virtual Router Redundancy Protocol
