
DATA SHEET

SECURITY

H3C SecPath F-Series Advanced VPN Firewalls

H3C SecPath F100-A

H3C SecPath F1000-A

H3C SecPath F1000-S

H3C SecPath F1000-E

H3C SecPath F5000-A5

Overview
Organizations of all sizes are having their networks attacked at an unprecedented rate. Attacks can result in network outages; they can claim valuable bandwidth from productivity applications like Voice over IP (VoIP); they may even perpetrate the theft of company data and the personal and financial information of employees and customers. To defend against such attacks, businesses need a comprehensive security solution, including the advanced threat protection offered by H3C SecPath F-Series Advanced VPN Firewalls.

The F-Series family delivers advanced scalable threat protection for organizations of all sizes with single sites, multiple branch offices, remote workers or headquarter data centers, helping prevent business disruptions, revenue loss and damage to an organization's reputation caused by security breaches. Built on the latest state-of-the-art multi-core CPU platforms, with advanced hardware acceleration, the SecPath F-Series enables advanced scalable network protection from the core to the edge, at up to multi-10-Gigabit speeds. The F-Series combines built-in protection against denial of service and hacking attacks with virtual private network (VPN) support, zonal and virtual stateful packet inspection firewall, application bandwidth management, audio/video IP multicast routing, application traffic control and email attachment filtering.

With these advanced security capabilities built on top of the same operating system that powers all H3C enterprise switching and routing platforms, a rich networking feature set with ease of integration and lowest total cost of ownership is assured. These advanced high-performance security platforms help safeguard the network and data center from attacks and misuse, while delivering policy-based multisite connectivity for real-time business-critical applications such as VoIP, video and collaboration tools.
High-availability features help ensure wire-speed traffic flow even in the event of network or internal device error or loss of power to a primary device.

Key Benefits
Enhanced Firewall Security
SecPath F-Series VPN Firewalls provide enhanced stateful packet inspection firewall filtering, which is currently undergoing ICSA certification, to ensure comprehensive protection. Granular firewall rules allow network and security administrators to control traffic down to individual IP addresses, with fine-grain control of all security services. This advanced firewall capability significantly enhances security compared to more static router- or switch-based access control lists. Security is maximized with built-in protection against key denial of service and hacking attacks, while business continuity is assured with enhanced support for dynamic application-specific filtering of key network protocols, including FTP, HTTP, SMTP, RTSP, SIP and H.323 (including Q.931, H.245 and RTP/RTCP).

Flexible Security Zone and Virtual Firewall Containment


The flexible high-performance, hardware-accelerated, multicore architecture of the SecPath F-Series platforms enables multiple zones and separate firewall instances to be created on the same SecPath device. With multiple security zones created for wired/wireless, employee/guest LANs and DMZs, for example, more granular security policies are possible than with traditional firewall devices. Traffic between these security zones can be fully inspected and prioritized using stateful packet and application inspection for maximum security and control. Centralized deployment of a single device offering multiple virtual firewalls in the same form-factor can greatly simplify security deployment within an organization and significantly lower total cost of ownership (through streamlined training, simplified deployment and management, as well as reduced power consumption) compared to multiple discrete devices.

H3C SECPATH F SERIES ADVANCED VPN FIREWALLS

Key Benefits (continued)


Comprehensive Site-to-Site and Remote Access Security
While most security implementations do not address security within a VPN connection, SecPath F-Series platforms take a comprehensive approach to VPN-based security by providing the ability to look inside VPN IPSec tunnels for attacks. This thorough inspection prevents propagation of exploits between sites and can also be used to provide protection from security risks that occur when laptop users terminate VPN connections while traveling. Attacks that once gained access via a VPN tunnel are now eliminated by this approach, offering complete security protection, ensuring that remote VPN clients or branch offices cannot be used to propagate threats into the LAN. Another unique feature is prioritization of bi-directional traffic inside the VPN tunnel, enabling high-quality secure VoIP services and optimizing other site-to-site applications.

Application Blocking and Web Filtering


The F-Series platforms enforce usage policies by blocking or rate limiting applications such as instant messaging (IM) and peer-to-peer (P2P) file sharing that are not essential to business, which can waste bandwidth and reduce productivity. Web content keyword filtering can help restrict access to nonbusiness content, boosting employee productivity and helping reduce legal liability and security threats related to offensive or harmful web content.

Attack Protection
Standard firewalls can be vulnerable to today's sophisticated internet attacks. The SecPath F-Series includes advanced protection technology to stop well-known hacking and denial of service attacks from breaking through perimeter defenses. To further mitigate the chance of security breaches, SecPath platforms include built-in filters to control or block the use of potentially high-risk traffic including peer-to-peer, Active-X and email attachments.

Application Prioritization and Optimization


Policy-based prioritization ensures QoS for business-critical applications and latency-sensitive services such as VoIP, video or collaboration tools, helps ensure network traffic adheres to policies set by management, and can improve user productivity. SIP/H323 application layer gateway provides the ability to identify, prioritize and protect mission-critical and stateful traffic shaping applications, such as VoIP. Traffic shaping inside VPN tunnels prioritizes site-to-site voice traffic across VPN tunnels, saving costs on long-distance phone calls and leveraging centralized business applications. Support for PIM-DM multicast routing enables next-generation applications such as distance-based learning, real-time training and conferencing between sites over IPSec VPN and, at the same time, helps to preserve precious WAN bandwidth.

Advanced VPN
High performance and low latency allow the Internet to be used as a secure connectivity mechanism for IPSec VPN site-to-site connections and remote user connectivity. The ability to inspect VPN tunnels offers complete security protection, ensuring that remote VPN clients or branch offices cannot be used to propagate attacks into the LAN.

Network Transparency
No IP or MAC address, and no changes needed to network configuration, simplifies installation, saves time and helps eliminate the risk of hackers discovering devices on the network.

Enterprise-Class High Availability


Dual-box failover protects against loss of connectivity due to hardware failure, with automatic configuration and state table synchronization to simplify administration and remove scope for security policy inconsistencies. Dual-WAN failover helps prevent loss of connectivity due to ISP WAN link failure and, with the inclusion of load-balancing, enables increased WAN bandwidth for remote sites while both links are active.


Sample Deployment
Flexible Security Control
The SecPath F-Series enables flexible line-rate segmentation of the network from the core to the edge, and into the data center. Zonal and virtual firewall capabilities ensure maximum control of information exchanged between the data center and the different resources on the network.

[Figure: sample deployment diagram. H3C SecPath F100-A, F1000-S, F1000-A, F1000-E and F5000-A5 VPN Firewall Security Platforms connect, across the Internet, the Data Center, Enterprise Headquarters (Wireless PC, VoWiFi Phone / PDA), Business Partner, Medium Branch, and Small and Medium Branches.]

Secure Information Access and Sharing


The SecPath VPN Firewall family ensures organizations can reliably and securely share information across public networks with remote locations, mobile workers and business partners.

[Figure legend: Static VPN tunnel; Dynamic VPN tunnel]


Specifications (Specifications apply to all models, unless otherwise noted)


Features

Fixed ports
  F100-A: 7 10/100BASE-TX
  F1000-S: 2 10/100/1000BASE-T; 2 10/100/1000BASE-T/1000BASE-X combo; 2 serial (RJ-45)
  F1000-A: 2 10/100/1000BASE-T/1000BASE-X combo
  F1000-E: 4 10/100/1000BASE-T/1000BASE-X combo; 1 CompactFlash; 2 serial (RJ-45)
  F5000-A5: 1 10/100/1000BASE-T (management); 1 10/100/1000BASE-T (high-availability link)

Expansion slots and expansion modules
  1 MIM: 2-port 10/100, 4-port 10/100, High-performance NDEC
  2 serial (RJ-45); 2 MIM: 2-port 10/100, 4-port 10/100, 2-port 10/100/1000, 2-port 1000BASE-X
  2 serial (RJ-45); 1 MIM: 2-port 10/100, 4-port 10/100, 2-port 10/100/1000, 2-port 1000BASE-X
  F1000-E: 2 HIM: 4-port 10/100/1000, 8-port 10/100/1000, 4-port 1000BASE-X
  F5000-A5: 1 processor module, 4 interface: 12-port 10/100/1000 w/ 4 combo, 2-port 10GBASE-X

Firewall
  Model | Performance | Security zones | Virtual firewalls
  F100-A | 200 Mbps | 4 | 16
  F1000-S | 1 Gbps | 4 | 16
  F1000-A | 1.5 Gbps | 4 | 16
  F1000-E | 8 Gbps | 256 | 256
  F5000-A5 | 40 Gbps | 256 | 256
  Other: Time-based schedules; User authentication

Attack prevention
  DDoS DNS query/SYN/ICMP/UDP/ARP flood
  SYN cookie proxy
  SQL injection filtering
  IP/MAC binding
  IP spoofing detection
  ARP reverse query checking
  Management interfaces disabled by default

Sessions
  Model | Concurrent connections | Connections/second
  F100-A | 500,000 | 3,000
  F1000-S | 1,000,000 | 10,000
  F1000-A | 1,000,000 | 20,000
  F1000-E | 2,000,000 | 60,000
  F5000-A5 | 4,000,000 | 100,000

Virtual private network (VPN)
  IPSec VPN performance: 60 Mbps (168-bit DES) | 600 Mbps | 600 Mbps | 2 Gbps | 6 Gbps
  Concurrent IPSec VPN tunnels, Concurrent L2TP VPN tunnels, Security associations:
    500 | 5,000 | 5,000 | 24,000 | 24,000
    500 | 1,000 | 1,000 | 8,000 | 8,000
    (via NDEC module)
    500 | 3,500 | 5,000 | 5,000 | 6,000
  Keying modes: manual key, IKE-PSK, IKE-X509
  Encryption: DES, 3DES, AES-128, AES-192, AES-256
  VPN client support: native IPSec, L2TP/IPSec, GRE, RSA SecurID two-factor authentication

Application layer filtering
  Application layer gateway support for FTP, SMTP, HTTP, RTSP, H323 and SIP* (*F1000-E and F5000-A5 only)
  User-based web HTTP URL content filtering via keyword, wildcard and regular URL matching
  Custom SMTP mail subject/content/attachment filtering via keyword and wildcard matching
  Java/Active-X detection and blocking
  P2P detection, blocking and throttling; by user and time

Traffic shaping
  Inbound and outbound rate limiting
  Policy-based shaping
  Committed access rates
  Traffic shaping inside VPN tunnels
  User-group based shaping
  Traffic prioritization via FIFO/PQ/CQ/WFQ/RTPQ/CBWFQ
  Congestion avoidance with WRED


Specifications (continued)
Features: F100-A, F1000-S, F1000-A, F1000-E, F5000-A5

Networking
  IP router interfaces, RIP/OSPF routes: 7,000 10,000 4,000 10,000 2,000 10,000 10,000 10,000 10,000 10,000
  Other:
    Deployment modes: IP transparent, routed, NAT, PAT
    Dynamic routing RIP v1 and 2, OSPF v2 including NSSA, BGP, policy
    PPPoE, L2TP, IP assignment
    IEEE 802.1Q VLAN support
    Internal multi-scope DHCP server
    DHCP relay over VPN
    GRE tunneling
    IP multicast routing PIM-DM/SM (F1000-E and F5000-A5 only)
    IGMP v1, 2 and 3 (F1000-E and F5000-A5 only)
    IPv6 support: IPv6, TCPv6, UDPv6, ICMPv6, Ping, Telnet6, NAT-PT, IPv6 tunnel (F1000-E and F5000-A5 only)

High availability
  VRRP
  Dual-box active-active/active-standby pair
  Dual-box automatic configuration synchronization
  Dual WAN links in active-standby fail-over pair
  Dual WAN links in active-active load-balancing pair
  Primary and secondary VPN peers
  Configurable load-balancing

System and administration
  Web interface via HTTP/HTTPS
  Command line interface via console, Telnet, SSH
  RADIUS/TACACS+ server and local database authentication
  DNS support for dynamic IP allocation
  SNMP v1, 2c and 3

Dimensions
  Model | Height | Width | Depth | Weight
  F100-A | 4.4 cm (1.7 in) | 43.6 cm (17.2 in) | 33.0 cm (13.0 in) | 4.5 kg (2.5 lb)
  F1000-S | 4.4 cm (1.8 in) | 43.6 cm (17.2 in) | 43.0 cm (17.0 in) | 6.0 kg (13.2 lb)
  F1000-A | 4.4 cm (1.8 in) | 43.6 cm (17.2 in) | 43.0 cm (17.0 in) | 5.5 kg (12.1 lb)
  F1000-E | 4.4 cm (1.8 in) | 44.2 cm (17.4 in) | 47.6 cm (18.8 in) | 7.5 kg (16.5 lb)
  F5000-A5 | 46.8 cm (18.4) | 43.6 cm (17.2 in) | 30.8 cm (12.1 in) | 44.0 kg (97.0 lb), max.

Power supply
  100 to 240 VAC, 50/60 Hz

Power consumption
  54W, max. | 100W, max. | 100W, max. | 150W, max | 650W, max

Environmental requirements
  Operating temperature: 0 to 45°C (32 to 113°F)
  Storage temperature: -20 to 80°C (-4 to 176°F)
  Humidity: 10% to 95% non-condensing

Reliability
  MTBF (@25°C): 36 yrs (315,000 hrs) | 58 yrs (508,000 hrs) | 56 yrs (490,000 hrs) | 56 yrs (490,000 hrs) | 36 yrs (315,000 hrs)

Emissions/agency approvals
  FCC Part 15 Class B
  EN 55022 Class B
  ICES-003 Class B
  VCCI Class B
  EN 61000-3-2
  EN 61000-3-3

Immunity
  Product conforms to EN 550244


Specifications (continued)
Features: F100-A, F1000-S, F1000-A, F1000-E, F5000-A5

Safety agency certifications
  UL 60950-1
  IEC 60950-1
  EN 60950-1
  CAN/CSA-C22.2 No. 60950-1-03

Standards and protocols

IEEE standards
  IEEE 802.1Q (VLANs)
  IEEE 802.1s (MSTP)
  IEEE 802.3 Ethernet
  IEEE 802.1w (RSTP)
  IEEE 802.3i (10BASE-T)
  IEEE 802.3u (Fast Ethernet)
  IEEE 802.1D (STP)
  IEEE 802.1X (Security)
  IEEE 802.1p (CoS)
  IEEE 802.3x (Flow Control)
  IEEE 802.3ab (1000BASE-T)
  IEEE 802.3z (1000BASE-X)

RFC standards
  RFC 0768 (User Datagram Protocol)
  RFC 0791 (Internet Protocol)
  RFC 792, 950, 1256 (Internet Control Message Protocol)
  RFC 0793 (Transmission Control Protocol)
  RFC 0854 (Telnet Protocol Specification)
  RFC 0856 (Telnet Binary Transmission)
  RFC 1157 (Simple Network Management Protocol)
  RFC 1213 (Management Information Base for Network Management of TCP/IP-based internets: MIB-II)
  RFC 2082 (RIP-2 MD5 Authentication)
  RFC 2453 (RIP Version 2)
  RFC 1058 (Routing Information Protocol)
  RFC 2328 (OSPF Version 2)
  RFC 1771 (Border Gateway Protocol 4)
  RFC 2236 (Internet Group Management Protocol, Version 2)
  RFC 3376 (Internet Group Management Protocol, Version 3)
  RFC 1531 (Dynamic Host Configuration Protocol)
  RFC 1533 (DHCP Options and BOOTP Vendor Extensions)
  RFC 1534 (Interoperation Between DHCP and BOOTP)
  RFC 2131 (Dynamic Host Configuration Protocol)
  RFC 2132 (DHCP Options and BOOTP Vendor Extensions)
  RFC 2403 (Use of HMAC-MD5-96 within ESP and AH)
  RFC 2404 (Use of HMAC-SHA-1-96 within ESP and AH)
  RFC 2405 (ESP DES-CBC Cipher Algorithm with Explicit IV)
  RFC 2409 (The Internet Key Exchange)
  RFC 2410 (NULL Encryption Algorithm and Its Use with IPsec)
  RFC 3526 (More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE))
  RFC 2516 (Method for Transmitting PPP Over Ethernet (PPPoE))
  RFC 2661 (Layer Two Tunneling Protocol "L2TP")
  RFC 2784 (Generic Routing Encapsulation)
  RFC 3022 (Network Address Translation)
  RFC 3164 (Syslog)
  RFC 3193 (Securing L2TP using IPsec)
  RFC 2933 (Internet Group Management Protocol MIB)
  RFC 4109 (Algorithms for Internet Key Exchange version 1)
  RFC 4301 (Security Architecture for the Internet Protocol)
  RFC 4302 (IP Authentication Header)
  RFC 4303 (IP Encapsulating Security Payload)
  RFC 3768 (Virtual Router Redundancy Protocol (VRRP))


Service and Support


H3C Global Services offers the resources and talents of a major corporation plus more than two decades of experience in resolving network challenges and delivering business benefits to enterprises around the world. Global support with a personalized, local focus in the local language helps drive productivity and minimize expenses. Because H3C understands both the technology and the business, we're the partner you need to remain strong and competitive.

Suggested Service, Support and Training Offerings


H3C Guardian℠ Maintenance Service
  This service provides comprehensive on-site support and includes advance hardware replacement, expedited telephone technical support and software upgrades.

H3C Express℠ Maintenance Service
  This service provides speedy access to H3C shipment of advance hardware replacements (including a four-hour option), expedited telephone technical support and software upgrades.

Network Health Check
  An activity-auditing service focused on improving network performance and productivity.
  Includes traffic monitoring, utilization analysis, problem identification, and asset deployment recommendations.
  Extensive report provides blueprint for action.

Network Installation and Implementation Services
  Experts set up and configure equipment and integrate technologies to maximize functionality and minimize business disruption.
  For large and complex sites, implementation services include personalized configuration, project management, extended testing and coaching on network administration.

Project Management
  Provides extra focus and resources that special projects demand.
  H3C engineers manage entire process from initial specifications to post-project review.
  Using structured methodology, requirements are identified, projects planned and progress of implementation activities tracked.

Global Education and Training
  Self-paced and instructor-led technology and product courses, plus certification programs.

For additional information, please visit www.h3cnetworks.com/services

Product Warranty
The H3C SecPath F-Series Firewall has a 1-year hardware warranty that includes the power supply and fan assembly.


Ordering Information
H3C SecPath F-Series Advanced VPN Firewalls
SKU No. | Product Name | Description
0235A11L | H3C SecPath F100-A VPN Firewall Security Platform | Fast Ethernet Advanced VPN Firewall
0235A11Q | H3C SecPath F1000-S VPN Firewall Security Platform | Gigabit Ethernet Advanced VPN Firewall
0235A12V | H3C SecPath F1000-A VPN Firewall Security Platform | Gigabit Ethernet Advanced VPN Firewall
0235A26G | H3C SecPath F1000-E VPN Firewall Security Platform | Multi-Gigabit Ethernet Advanced VPN Firewall
0150A0AG | H3C SecPath F5000-A5 VPN Firewall Host System | Host Chassis Plus Firewall Processor Module*

* Power supplies ordered separately

Modules and Power Supplies (for SecPath F5000-A5)


SKU No. | Product Name | Description
0231A84X | H3C SecPath F5000-A5 12-Port Gigabit Module | 8 10/100/1000 plus 4 Combo ports
0231A84Y | H3C SecPath F5000-A5 2-Port 10-Gigabit Module | 2 10GBase-X XFP ports
0231A81J | H3C SecPath 650W AC Power Supply Module | Required, as F5000-A5 Host ships with none
0231A79S | H3C SecPath 650W DC Power Supply Module | Required, as F5000-A5 Host ships with none

Multi-function Interface Modules (MIM)


SKU No. | Product Name | Description
0231A55Y | H3C SecPath High-Performance Network Data Encryption MIM | IPSec Encryption Acceleration Module
0231A52U | H3C SecPath 2-Port 10/100BASE-TX MIM | Fast Ethernet Interface Module
0231A54X | H3C SecPath 4-Port 10/100BASE-TX MIM | Fast Ethernet Interface Module
0231A54M | H3C SecPath 2-Port 10/100/1000BASE-T MIM | Gigabit Ethernet Interface Module
0231A54C | H3C SecPath 2-Port 1000BASE-X MIM | Gigabit Ethernet Fiber Interface Module

Not for use in F1000-E
F100-A only
F1000-S and F1000-A only

High-speed Interface Modules (HIM)


SKU No. | Product Name | Description
0231A753 | H3C SecPath 4-Port 10/100/1000BASE-T HIM | Gigabit Ethernet Interface Module
0231A754 | H3C SecPath 8-Port 10/100/1000BASE-T HIM | Gigabit Ethernet Interface Module
0231A87R | H3C SecPath 4-Port 1000BASE-X HIM | Gigabit Ethernet Fiber Interface Module

F1000-E only

Transceivers
SKU No. | Product Name | Description
0231A562 | H3C 1000BASE-SX SFP, Multi-Mode | 850nm, 550m, LC
0231A563 | H3C 1000BASE-LX SFP, Single Mode | 1310nm, 10km, LC
02312170 | H3C 1000BASE-LH40 SFP, Single Mode | 1310nm, 40km, LC
02312172 | H3C 1000BASE-LH40 SFP, Single Mode | 1550nm, 40km, LC
02312173 | H3C 1000BASE-LH70 SFP, Single Mode | 1550nm, 70km, LC
0231A494 | H3C 10GBASE-SR XFP, Multi-Mode | 850nm, 300m, LC
0231A438 | H3C 10GBASE-LR/LW XFP, Single Mode | 1310nm, 10km, LC
0231A72X | H3C 10GBASE-ER/EW XFP, Single Mode | 1550nm, 40km, LC

Visit www.H3Cnetworks.com for more information about H3C enterprise solutions.

Copyright 2009 H3C Technologies, Co., Ltd. All rights reserved. H3C and the H3C logo are in various countries worldwide registered trademarks of H3C Technologies Co., Ltd., a subsidiary of 3Com Corporation. All other company and product names may be trademarks of their respective companies. While every effort is made to ensure the information given is accurate, neither H3C nor 3Com accepts liability for any errors or mistakes which may arise. All specifications are subject to change without notice. 401173-001 04/09
