SECURITY
Overview
Organizations of all sizes are having their networks attacked at an unprecedented rate. Attacks can result in network outages; they can claim valuable bandwidth from productivity applications like Voice over IP (VoIP); they may even lead to the theft of company data and the personal and financial information of employees and customers. To defend against such attacks, businesses need a comprehensive security solution, including the advanced threat protection offered by H3C SecPath F-Series Advanced VPN Firewalls.
The F-Series family delivers advanced scalable threat protection for organizations of all sizes with single sites, multiple branch offices, remote workers or headquarter data centers, helping prevent business disruptions, revenue loss and damage to an organization's reputation caused by security breaches. Built on the latest state-of-the-art multi-core CPU platforms, with advanced hardware acceleration, the SecPath F-Series enables advanced scalable network protection from the core to the edge, at up to multi-10-Gigabit speeds.
The F-Series combines built-in protection against denial of service and hacking attacks with virtual private network (VPN) support, zonal and virtual stateful packet inspection firewall, application bandwidth management, audio/video IP multicast routing, application traffic control and email attachment filtering. With these advanced security capabilities built on top of the same operating system that powers all H3C enterprise switching and routing platforms, a rich networking feature set with ease of integration and lowest total cost of ownership is assured.
These advanced high-performance security platforms help safeguard the network and data center from attacks and misuse, while delivering policy-based multisite connectivity for real-time business-critical applications such as VoIP, video and collaboration tools. High-availability features help ensure wire-speed traffic flow even in the event of network or internal device error or loss of power to a primary device.
Key Benefits
Enhanced Firewall Security
SecPath F-Series VPN Firewalls provide enhanced stateful packet inspection firewall filtering, which is currently undergoing ICSA certification, to ensure comprehensive protection. Granular firewall rules allow network and security administrators to control traffic down to individual IP addresses, with fine-grained control of all security services. This advanced firewall capability significantly enhances security compared to more static router- or switch-based access control lists. Security is maximized with built-in protection against key denial of service and hacking attacks, while business continuity is assured with enhanced support for dynamic application-specific filtering of key network protocols, including FTP, HTTP, SMTP, RTSP, SIP and H.323 (including Q.931, H.245 and RTP/RTCP).
Attack Protection
Standard firewalls can be vulnerable to today's sophisticated internet attacks. The SecPath F-Series includes advanced protection technology to stop well-known hacking and denial of service attacks from breaking through perimeter defenses. To further mitigate the chance of security breaches, SecPath platforms include built-in filters to control or block the use of potentially high-risk traffic including peer-to-peer, ActiveX and email attachments.
Advanced VPN
High performance and low latency allow the Internet to be used as a secure connectivity mechanism for IPSec VPN site-to-site connections and remote user connectivity. The ability to inspect VPN tunnels offers complete security protection, ensuring that remote VPN clients or branch offices cannot be used to propagate attacks into the LAN.
Network Transparency
No IP or MAC address, and no changes needed to network configuration, simplifies installation, saves time and helps eliminate the risk of hackers discovering devices on the network.
Flexible Security Control
The SecPath F-Series enables flexible line-rate segmentation of the network from the core to the edge, and into the data center. Zonal and virtual firewall capabilities ensure maximum control of information exchanged between the data center and the different resources on the network.
Sample Deployment
[Figure: sample deployment diagram; legible labels: H3C SecPath F1000-S, H3C SecPath F1000-A, Internet]
Specifications (continued)
Features F100-A F1000-S F1000-A F1000-E F5000-A5
Networking
IP router interfaces, RIP/OSPF routes: 7,000 10,000 4,000 10,000 2,000 10,000 10,000 10,000 10,000 10,000
Other
Deployment modes: IP transparent, routed, NAT, PAT
Dynamic routing RIP v1 and 2, OSPF v2 including NSSA, BGP, policy
PPPoE, L2TP, IP assignment
IEEE 802.1Q VLAN support
Internal multi-scope DHCP server
DHCP relay over VPN
GRE tunneling
IP multicast routing PIM-DM/SM (F1000-E and F5000-A5 only)
IGMP v1, 2 and 3 (F1000-E and F5000-A5 only)
IPv6 support: IPv6, TCPv6, UDPv6, ICMPv6, Ping, Telnet6, NAT-PT, IPv6 tunnel (F1000-E and F5000-A5 only)
High availability
VRRP
Dual-box active-active/active-standby pair
Dual-box automatic configuration synchronization
Dual WAN links in active-standby fail-over pair
Dual WAN links in active-active load-balancing pair
Primary and secondary VPN peers
Configurable load-balancing
System and administration
Web interface via HTTP/HTTPS
Command line interface via console, Telnet, SSH
RADIUS/TACACS+ server and local database authentication
DNS support for dynamic IP allocation
SNMP v1, 2c and 3
Dimensions (height, width, depth, weight)
F100-A: 4.4 cm (1.7 in), 43.6 cm (17.2 in), 33.0 cm (13.0 in), 4.5 kg (2.5 lb)
F1000-S: 4.4 cm (1.8 in), 43.6 cm (17.2 in), 43.0 cm (17.0 in), 6.0 kg (13.2 lb)
F1000-A: 4.4 cm (1.8 in), 43.6 cm (17.2 in), 43.0 cm (17.0 in), 5.5 kg (12.1 lb)
F1000-E: 4.4 cm (1.8 in), 44.2 cm (17.4 in), 47.6 cm (18.8 in), 7.5 kg (16.5 lb)
F5000-A5: 46.8 cm (18.4), 43.6 cm (17.2 in), 30.8 cm (12.1 in), 44.0 kg (97.0 lb), max.
Power supply
100 to 240 VAC, 50/60 Hz
Power consumption
54W, max.; 100W, max.; 100W, max.; 150W, max; 650W, max
Environmental requirements
Operating temperature: 0 to 45°C (32 to 113°F)
Storage temperature: -20 to 80°C (-4 to 176°F)
Humidity: 10% to 95% non-condensing
Reliability
MTBF (@25°C): 36 yrs (315,000 hrs); 58 yrs (508,000 hrs); 56 yrs (490,000 hrs); 56 yrs (490,000 hrs); 36 yrs (315,000 hrs)
Emissions/agency approvals
FCC Part 15 Class B
EN 55022 Class B
ICES-003 Class B
VCCI Class B
EN 61000-3-2
EN 61000-3-3
Immunity
Product conforms to EN 550244
Features F100-A F1000-S F1000-A F1000-E F5000-A5
Safety agency certifications
UL 60950-1
IEC 60950-1
EN 60950-1
CAN/CSA-C22.2 No. 60950-1-03
Standards and protocols
IEEE standards
IEEE 802.1Q (VLANs)
IEEE 802.1s (MSTP)
IEEE 802.3 Ethernet
IEEE 802.1w (RSTP)
IEEE 802.3i (10BASE-T)
IEEE 802.3u (Fast Ethernet)
IEEE 802.1D (STP)
IEEE 802.1X (Security)
IEEE 802.1p (CoS)
IEEE 802.3x (Flow Control)
IEEE 802.3ab (1000BASE-T)
IEEE 802.3z (1000BASE-X)
RFC standards
RFC 0768 (User Datagram Protocol)
RFC 0791 (Internet Protocol)
RFC 792, 950, 1256 (Internet Control Message Protocol)
RFC 0793 (Transmission Control Protocol)
RFC 0854 (Telnet Protocol Specification)
RFC 0856 (Telnet Binary Transmission)
RFC 1157 (Simple Network Management Protocol)
RFC 1213 (Management Information Base for Network Management of TCP/IP-based internets: MIB-II)
RFC 2082 (RIP-2 MD5 Authentication)
RFC 2453 (RIP Version 2)
RFC 1058 (Routing Information Protocol)
RFC 2328 (OSPF Version 2)
RFC 1771 (Border Gateway Protocol 4)
RFC 2236 (Internet Group Management Protocol, Version 2)
RFC 3376 (Internet Group Management Protocol, Version 3)
RFC 1531 (Dynamic Host Configuration Protocol)
RFC 1533 (DHCP Options and BOOTP Vendor Extensions)
RFC 1534 (Interoperation Between DHCP and BOOTP)
RFC 2131 (Dynamic Host Configuration Protocol)
RFC 2132 (DHCP Options and BOOTP Vendor Extensions)
RFC 2403 (Use of HMAC-MD5-96 within ESP and AH)
RFC 2404 (Use of HMAC-SHA-1-96 within ESP and AH)
RFC 2405 (ESP DES-CBC Cipher Algorithm with Explicit IV)
RFC 2409 (The Internet Key Exchange)
RFC 2410 (NULL Encryption Algorithm and Its Use with IPsec)
RFC 3526 (More Modular Exponential (MODP) Diffie-Hellman Groups for Internet Key Exchange (IKE))
RFC 2516 (Method for Transmitting PPP Over Ethernet (PPPoE))
RFC 2661 (Layer Two Tunneling Protocol "L2TP")
RFC 2784 (Generic Routing Encapsulation)
RFC 3022 (Network Address Translation)
RFC 3164 (Syslog)
RFC 3193 (Securing L2TP using IPsec)
RFC 2933 (Internet Group Management Protocol MIB)
RFC 4109 (Algorithms for Internet Key Exchange version 1)
RFC 4301 (Security Architecture for the Internet Protocol)
RFC 4302 (IP Authentication Header)
RFC 4303 (IP Encapsulating Security Payload)
RFC 3768 (Virtual Router Redundancy Protocol (VRRP))
Product Warranty
The H3C SecPath F-Series Firewall has a 1-year hardware warranty that includes the power supply and fan assembly.
Ordering Information
H3C SecPath F-Series Advanced VPN Firewalls
SKU No. | Product Name | Description
0235a11l | H3C SecPath F100-A VPN Firewall Security Platform | Fast Ethernet Advanced VPN Firewall
0235a11Q | H3C SecPath F1000-S VPN Firewall Security Platform | Gigabit Ethernet Advanced VPN Firewall
0235a12v | H3C SecPath F1000-A VPN Firewall Security Platform | Gigabit Ethernet Advanced VPN Firewall
0235a26G | H3C SecPath F1000-E VPN Firewall Security Platform | Multi-Gigabit Ethernet Advanced VPN Firewall
0150a0aG | H3C SecPath F5000-A5 VPN Firewall Host System | Host Chassis Plus Firewall Processor Module*
* Power supplies ordered separately
Description
IPSec Encryption Acceleration Module
Fast Ethernet Interface Module
Fast Ethernet Interface Module
Gigabit Ethernet Interface Module
Gigabit Ethernet Fiber Interface Module
F1000-S and F1000-A only
Description
Gigabit Ethernet Interface Module
Gigabit Ethernet Interface Module
Gigabit Ethernet Fiber Interface Module
Transceivers
SKU No. | Product Name | Description
0231a562 | H3C 1000BASE-SX SFP, Multi-Mode | 850nm, 550m, LC
0231a563 | H3C 1000BASE-LX SFP, Single Mode | 1310nm, 10km, LC
02312170 | H3C 1000BASE-LH40 SFP, Single Mode | 1310nm, 40km, LC
02312172 | H3C 1000BASE-LH40 SFP, Single Mode | 1550nm, 40km, LC
02312173 | H3C 1000BASE-LH70 SFP, Single Mode | 1550nm, 70km, LC
0231a494 | H3C 10GBASE-SR XFP, Multi-Mode | 850nm, 300m, LC
0231a438 | H3C 10GBASE-LR/LW XFP, Single Mode | 1310nm, 10km, LC
0231a72X | H3C 10GBASE-ER/EW XFP, Single Mode | 1550nm, 40km, LC
Copyright 2009 H3C Technologies, Co., Ltd. All rights reserved. H3C and the H3C logo are in various countries worldwide registered trademarks of H3C Technologies Co., Ltd., a subsidiary of 3Com Corporation. All other company and product names may be trademarks of their respective companies. While every effort is made to ensure the information given is accurate, neither H3C nor 3Com accepts liability for any errors or mistakes which may arise. All specifications are subject to change without notice. 401173-001 04/09