Eudemon8000E-X Series - Huawei Series 6-1 ... firewall throughput and maximum number of concurrent...


Upload: ledieu

Post on 23-Mar-2018


Eudemon8000E-X Series
Comprehensive High-End Security Gateway

Overview

As networks enter the IP era, more applications are integrated into the traditional broadband network. Network bandwidth, threats, and attack intensity have multiplied exponentially, forcing companies and carriers to constantly evolve their network architectures. With data communication entering the terabit era, the Eudemon8000E-X meets this demand by providing a scalable and highly reliable security service platform with terabit capacity. It offers a range of security services, such as IPv6 security, virtual security systems, VPN, and intrusion prevention, to satisfy the demands of data centers, carriers, ISPs, and governments for highly integrated, rapidly responsive, high-speed, and continuously evolving networks.

Models: Eudemon8000E-X3, Eudemon8000E-X8, Eudemon8000E-X16


Description

The Eudemon8000E-X series comprises three models: Eudemon8000E-X3, Eudemon8000E-X8, and Eudemon8000E-X16, providing industry-leading security protection and scalability with up to 1.44 Tbit/s firewall throughput, over 1.44 billion concurrent connections, and up to 720 Gbit/s VPN performance.

Integrating a dedicated multi-core processing chip and a distributed hardware platform, the Eudemon8000E-X breaks the limits that CPU capability places on security devices, providing leading service processing capability and scalability. All components are redundant, giving the platform reliability equivalent to that of core routers and ensuring service continuity in high-speed network environments. The distributed technology uses line-rate intelligent traffic splitting for data forwarding. Starting with the first packet, all data flows are evenly distributed to service modules to avoid bottlenecks, so that service processing capability grows linearly as service modules are added, sustainably supporting long-term growth of the user's network.

The Eudemon8000E-X provides various I/O interface modules (LPUs) for external connections and data transmission. The I/O interface modules and service processing modules use similar interface slots, so a security solution can be customized by matching the user's network interface and capacity demands with I/O interface and service processing modules. The Eudemon8000E-X provides 10G POS, 10GE, 40GE, and 100GE interfaces and cross-board port bundling, flexibly adapting to various conditions, such as high interface capacity and density.

The Eudemon8000E-X Service Processing Unit (SPU) processes all services. Each SPU has a subslot, which can house an expansion subcard, enabling flexible service combinations. The Eudemon8000E-X also provides 40 Gbit/s to 160 Gbit/s throughput. The SPU uses multi-core, multi-processor hardware to implement service features, and software to implement the heartbeat detection mechanism between an SPU and an LPU as well as the backup mechanism between SPUs. If a security service module fails, its services are immediately redistributed to other service units without interruption.

Highlights

Most Advanced "NP + Multi-Core + Distributed" Architecture – Linear Multiple Capability Breaks Traditional Bottleneck

The Eudemon8000E-X employs the core router hardware platform to provide modularized components. The interface module, based on dual NPs, ensures line-rate forwarding of interface traffic. The SPU, based on a multi-core, multi-thread architecture, ensures high-speed concurrent processing of various services, such as NAT and VPN services. The processing capability is not constrained by the limits of a CPU's processing capability. The LPU and SPU function separately. Multiple SPUs can be deployed to increase overall performance linearly, which provides unparalleled expandability and flexibility in protecting network security and keeps upfront investment low while allowing capacity expansion later.

High Service Processing Capability – Effectively Protecting Key Services

Because of its evolutionary architecture, the Eudemon8000E-X takes the leading role in many areas, including firewall throughput and maximum number of concurrent connections. Because the Eudemon8000E-X employs dedicated traffic splitting technology, overall performance multiplies linearly as the number of SPUs increases. The maximum firewall throughput has reached a world-leading 1.44 Tbit/s; the maximum number of concurrent connections is 1.44 billion; the maximum number of virtual firewalls is 4,096. These features satisfy the strong demands from carriers, financial service providers, government sectors, and energy providers.


Most Stable and Reliable Security Gateway Product - Full Redundancy Ensuring Security Service Continuity

Network security has always been a key element of enterprise operation. To ensure service continuity in high-speed network environments, the Eudemon8000E-X supports key technologies such as active/standby networking, active/active networking, interface aggregation, VPN redundancy, and SPU load balancing, and also supports unique dual-MPU active/standby switchover, providing a firewall with high-end router reliability and ensuring service continuity at key nodes. The mean time between failures (MTBF) of the Eudemon8000E-X reaches up to 200,000 hours, and the failover time is less than 1 second, which ensures consistent and stable service operation.

Superb VPN Performance – Adapting to the Demand for Encrypted Transfer of Massive Services

With a rising number of network applications, more services require secure transmission over the public network. As a result, services that need a 100-Gigabit VPN access gateway are emerging, such as mobile security access, short message service (SMS) push, and email push services. The Eudemon8000E-X supports VPN gateway redundancy. It provides a maximum of 720 Gbit/s encryption performance and supports one million concurrent VPN tunnels, making it the highest-performance VPN access gateway at present. It also supports 4over6 and 6over4 VPN technologies to meet VPN traffic needs during network evolution. In addition, the Eudemon8000E-X supports the IKEv2 protocol, enhancing functions such as user authentication, packet authentication, and NAT traversal, thereby eliminating the risks of man-in-the-middle attacks and denial of service. It also supports the EAP-SIM and EAP-AKA wireless authentication protocols to ensure security during access to wireless networks.

Most Practical Application Security Features – Preventing External Threats & Improving Network Security

Besides supporting basic firewall functions, the Eudemon8000E-X also provides next-generation firewall features, such as intrusion prevention, antivirus, and URL filtering. With its advanced intrusion prevention engine and signature database, the Eudemon8000E-X is capable of defending against threats such as system vulnerabilities, unauthorized automatic downloads, and abnormal protocols. A single vulnerability signature covers thousands of attacks. Supplemented by a globally deployed honeypot system, the Eudemon8000E-X captures the latest attacks, worms, and Trojan horses, providing the capability to defend against zero-day attacks. In antivirus processing, the Eudemon8000E-X employs an intelligent awareness engine (IAE) for in-depth traffic analysis, identifies the protocol type, and then matches the traffic against the antivirus signature database, effectively improving virus detection accuracy and efficiency. Based on more than 85 million URL categories, the Eudemon8000E-X is capable of managing and controlling users' Internet access to comply with national laws and regulations as well as company requirements on Internet access.

To further enhance the practicality of application security, the Eudemon8000E-X uses internal bypass and dedicated module technology, diverting traffic that requires intrusion prevention to dedicated service modules for processing. This not only improves service processing capability but also leaves the firewall's basic services unaffected, ensuring overall service stability.


Specifications

| Model | Eudemon8000E-X3 | Eudemon8000E-X8 | Eudemon8000E-X16 |
|---|---|---|---|
| Performance and Capacity | | | |
| Firewall throughput (maximum) | 120 Gbit/s | 0.72 Tbit/s | 1.44 Tbit/s |
| Firewall throughput (composite traffic) | 120 Gbit/s | 0.72 Tbit/s | 1.44 Tbit/s |
| Maximum number of concurrent sessions | 160,000,000 | 720,000,000 | 1,440,000,000 |
| IPSec VPN performance (AES) | 56 Gbit/s | 336 Gbit/s | 720 Gbit/s |
| Maximum number of concurrent IPSec VPN tunnels | 128,000 | 768,000 | 1,000,000 |
| Expansion and I/O | | | |
| Expansion slots | 3 | 8 | 16 |

MPU slots: 2
SPU: Firewall and application security SPUs
LPU: Supports GE, 10GE, 40GE, and 100GE interfaces.

Most Comprehensive CGN Features – For Flexible IPv6 Transition

With the exhaustion of IPv4 addresses, networks need to transition smoothly to IPv6 while preserving a sound service experience. The Eudemon8000E-X supports various transition technologies, including NAT44(4), DS-Lite, 6RD, and NAT64, providing a highly efficient, flexible, reliable, and economical solution for carrier network evolution and service transition. NAT44(4) greatly increases the utilization of IPv4 addresses, easing the IPv4 address exhaustion problem. DS-Lite not only allows a new network to move directly to IPv6, but is also compatible with the many IPv4 applications on live networks. Based on the existing IPv4 infrastructure, 6RD rapidly provides users with IPv6 access capability. NAT64 enables IPv6 networks to access IPv4 networks. The Eudemon8000E-X also provides the NAT tracing function for NAT44 and DS-Lite.

Most Abundant Virtualization – For Cloud Network Deployment

With the advent of the cloud computing era, cloud computing, a technology founded on virtualization and high-speed Internet, faces security challenges. The Eudemon8000E-X provides high throughput and abundant virtual system functions. It supports multi-faceted virtualization, including resource virtualization, configuration virtualization, and forwarding virtualization, responding to each user's network security needs. Resource virtualization provides customized virtual resources by allocating different resources to different virtual systems. Based on the tenant's management strategy, management virtualization supports personalized policies, log management, and auditing for each standalone virtual firewall. Forwarding virtualization provides customized service processing. The forwarding planes of the virtual systems are isolated from one another. When the resources of one virtual system are depleted, the operation of other virtual systems is not affected. The virtual systems are logically isolated, thereby securing the tenants' data in each virtual system.


| Model | Eudemon8000E-X3 | Eudemon8000E-X8 | Eudemon8000E-X16 |
|---|---|---|---|
| Dimensions, Power Supply, and Operating Environment | | | |
| Dimensions (H x W x D) | 175 mm x 442 mm x 650 mm (4 U, DC); 220 mm x 442 mm x 650 mm (5 U, AC) | 620 mm x 442 mm x 650 mm (14 U) | 1420 mm x 442 mm x 650 mm (32 U) |
| Weight | Empty: 15 kg (DC); Full configuration: 32 kg (DC); Empty: 25 kg (AC); Full configuration: 42 kg (AC) | Empty: 43.2 kg; Full configuration: 113 kg | Empty: 94.4 kg; Full configuration: 229 kg |
| Power consumption | 1270 W | 3960 W | 7540 W |

AC power supply: 90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended)
DC power supply: –72 V to –38 V; –48 V (rated)
Operating temperature: Operating: 0 °C to 45 °C; Storage: –40 °C to +70 °C
Ambient humidity: Long term: 5% RH to 85% RH, non-condensing; Storage: 0% RH to 95% RH, non-condensing

Security Features

Basic Firewall Features
- Transparent, routing, and hybrid modes
- Stateful inspection
- Blacklist and whitelist
- Access control
- Application specific packet filter (ASPF)
- Security zone division

Outbound load balancing
- ISP-based route
- Intelligent uplink selection
- Transparent DNS proxy at egress
- User-specific traffic control
- Application-specific traffic control
- Link-specific traffic control
- Time-specific traffic control

Inbound load balancing
- Smart DNS at ingress
- Server load balancing
- Application-specific QoS

NAT/CGN
- Destination NAT/PAT
- NAT No-PAT
- Source NAT-IP address persistency
- Source IP address pool grouping
- NAT Server
- Bidirectional NAT
- NAT-ALG
- Unlimited IP address expansion
- Policy-based destination NAT
- Port range pre-allocation
- Pin access mode
- SMART NAT
- NAT64
- DS-Lite
- IPv6 rapid deployment (6RD)

Service awareness
- Identification and prevention of over 6000 protocols: P2P, IM, game, stock charting/trading, VoIP, video, stream media, email, mobile phone services, Web browsing, remote access, network management, and news applications

URL filtering
- 85 million URLs
- 130+ categories
- Trend and top N statistics based on users, IP addresses, categories, and counts
- URL filtering log query

Virtual private network (VPN)
- DES, 3DES, and AES encryption
- MD5 and SHA-1 authentication
- Manual key, PKI (X509), and IKEv2
- Perfect forward secrecy (DH group)
- Anti-replay attack
- Transport and tunnel modes
- IPSec NAT traversal
- Dead peer detection (DPD)
- EAP authentication
- EAP-SIM and EAP-AKA
- VPN gateway redundancy
- IPSec v6, IPSec 4 over 6, IPSec 6 over 4
- L2TP tunnel
- GRE tunnel

Anti-DDoS
- SYN-flood, ICMP-flood, TCP-flood, UDP-flood, DNS-flood attack defense
- Port-scan, Smurf, Tear-drop, IP-Sweep attack defense
- Defense against attacks exploiting IPv6 extension headers
- Examining TTL
- TCP-mss detection
- Attack logs

High availability
- Active/standby and active/active modes
- Hot standby (Huawei redundancy protocol)
- Configuration synchronization
- Firewall and IPSec VPN session synchronization
- Device fault detection
- Link fault detection
- Dual-MPU switchover

Antivirus
- Detection of 5 million viruses
- Flow-based inspection for higher performance
- Inspection of encrypted traffic
- Trend and top N statistics by virus family

PKI
- Online CA certificate enrollment
- Online CRL checks
- Hierarchical CA certificates
- Support for public-key cryptography standards (PKCS#10 protocol)
- CA authentication
- Support for SCEP, OCSP, and CMPv2 protocols
- Self-signed certificate

Intrusion Prevention System
- Protocol anomaly detection
- User-defined signature
- Automatic update of the knowledge bases
- Zero-day attack defense
- Prevention of worms, Trojan horses, and malware attacks

Network and route
- Support for POS, GE, and 10GE interfaces
- DHCP relay/server
- Policy-based routing (PBR)
- IPv4/IPv6 dynamic routing (RIP/OSPF/ISIS/BGP)
- Interzone/inter-VLAN routing
- Link aggregation, such as Eth-trunk and LACP

Virtual system
- Up to 4096 virtual systems (VSYS)
- VLAN on virtual systems
- Security zones on virtual systems
- User-configurable resources on virtual systems
- Inter-virtual system routing
- Virtual system-specific Committed Access Rate (CAR)
- Management virtualization
- Resource isolation for different tenants

Management
- Web UI (HTTP and HTTPS)
- CLI (console)
- CLI (Telnet)
- CLI (SSH)
- U2000/VSM network management
- Hierarchical administrators
- Software upgrade
- Configuration rollback
- STelnet and SFTP

Authentication
- Security authentication
- Electro Magnetic Compatibility (EMC) certification
- CB, RoHS, FCC, MET, C-tick, and VCCI authentication

Logging/Monitoring
- Structured syslog
- SNMP (v2)
- Binary log
- Traceroute
- Log server (eLog)

User authentication and access control
- Built-in (internal) database
- RADIUS accounting
- Web-based authentication