HP 10500, 11900, 7500 Datasheet

Data sheet
HP 10500/11900/7500 20Gbps VPN Firewall Module
Key features
• High-performance, 20Gbps firewall throughput
• Comprehensive security protection
• Rich VPN functions; IPSec/GRE/L2TP
• Advanced virtual firewall
• Low operating cost
Product overview
The HP 10500/11900/7500 20Gbps VPN Firewall Module is a high-performance, integrated network security module that can deliver more than 20Gbps of throughput. The scalable stateful firewalls can be aggregated in a single switch chassis (up to 16 modules), delivering up to 400Gbps of firewall throughput. The firewalls unify the administration of the network and the firewall, giving customers simplified management: administrators learn one system for both network and firewall security administration. These advanced features provide a high return on investment, since the blades take advantage of the existing switches. The firewall modules have the following features:
• Integrated security functions, including firewall, VPN, NAT, URL filtering, and application layer filtering
• Application Specific Packet Filter (ASPF), used to detect application layer connection state in real time, implementing security protection from Layer 3 through Layer 7
• Operation logs, attack logs, stream logs, and network management and monitoring functions
• Plug-and-play with great scalability, allowing for insertion of one or more firewall modules into the network device
Features and benefits
Firewall
• High Performance
20 Gbps throughput secures traffic without compromising network performance. Support for 2 million concurrent connections and 60,000 new connections per second enables high-volume networks to remain secure under peak traffic.
• Application Specific Packet Filter (ASPF)
Dynamically determines whether to forward or drop a packet by checking its application layer protocol information (such as FTP, HTTP, SMTP, RTSP and other application layer protocols based on TCP/UDP) and monitoring the connection-based application layer protocol status.
• Virtualization
Multi-core architecture enables both multiple zones and multiple separate firewall instances to be created on the same device. Support for 256 security zones, 256 virtual firewalls and 4,094 virtual LANs (VLANs) offers robust protection to all corners of your network. Centralized deployment of a single device offering multiple virtual firewalls lowers total cost of ownership through streamlined training, simplified deployment and management, and reduced power consumption.
• Zone-based access policies
groups virtual LANs (VLANs) logically into zones that share common security policies; allows both unicast and multicast policy settings by zones instead of by individual VLANs
• Application-level gateway (ALG)
discovers the IP address and service port information embedded in the application data using deep packet inspection in the firewall; firewall then dynamically opens appropriate connections for specific applications
• NAT
Full support for NAT applications, including many-to-one, many-to-many, static NAT, dual translation, easy IP and DNS mapping. It supports NAT traversal with multiple protocols, and delivers NAT ALG functions such as DNS, FTP, H.323, and NBT.
Virtual private network (VPN)
• IPSec
provides secure tunneling over an untrusted network such as the Internet or a wireless network; offers data confidentiality, authenticity, and integrity between two network endpoints
• Manual or automatic Internet Key Exchange (IKE)
provides both manual and automatic key exchange for the algorithms used in encryption or authentication; auto-IKE allows automated management of the public key exchange, providing the highest levels of encryption
• Layer 2 Tunneling Protocol (L2TP)
an industry standard-based traffic encapsulation mechanism supported by many common operating systems such as Windows® XP and Windows Vista®; tunnels Point-to-Point Protocol (PPP) traffic over IP and non-IP networks; may use the IP/UDP transport mechanism in IP networks
• Generic Routing Encapsulation (GRE)
transports Layer 2 connectivity over a Layer 3 path in a secured way; enables the segregation of traffic from site to site
Management
• Secure Web GUI
provides a secure, easy-to-use graphical interface for configuring the module via HTTPS
• Command-line interface (CLI)
provides secure, easy-to-use access over SSH or the switch console; provides direct real-time session visibility
• SNMPv1, v2c, and v3
facilitate centralized discovery, monitoring, and secure management of networking devices
• Complete session logging
provides detailed information for problem identification and resolution
• Manager and operator privilege levels
provides read-only (operator) and read/write (manager) access on the CLI
• Remote monitoring (RMON)
uses standard SNMP to monitor essential network functions; supports events, alarm, history, and statistics group plus a private alarm extension group
• FTP, TFTP, and SFTP support
offers different mechanisms for configuration updates; FTP allows bidirectional transfers over a TCP/IP network; trivial FTP (TFTP) is a simpler method using User Datagram Protocol (UDP); Secure File Transfer Protocol (SFTP) runs over an SSH tunnel to provide additional security
Layer 3 routing
• Static IP routing
provides manually configured routing; includes ECMP capability
• Routing Information Protocol (RIP)
provides RIPv1 and RIPv2 routing
• OSPF
includes host-based ECMP to provide link redundancy/scalable bandwidth and NSSA
• Border Gateway Protocol 4 (BGP-4)
delivers an implementation of the Exterior Gateway Protocol (EGP) utilizing path vectors; uses TCP for enhanced reliability for the route discovery process; reduces bandwidth consumption by advertising only incremental updates; supports extensive policies for increased flexibility; scales to very large networks
• Dual IP stack
maintains separate stacks for IPv4 and IPv6 to ease the transition from an IPv4-only network to an IPv6-only network design
• Policy routing
allows custom filters for increased performance and security; supports ACLs, IP prefix, AS paths, community lists, and aggregate policies
• Layer 3 IPv6 routing
provides routing of IPv6 at media speed; supports static routes, RIPng, OSPFv3, BGP4+, policy route and PIM-SM/DM
Security
• Defense against attacks
Firewall provides defense against various attacks, such as DoS/DDoS, ARP spoofing, large ICMP packets, address/port scanning, Tracert, and IP packets with the Record Route option, and supports static and dynamic blacklists. It also supports binding of MAC address to IP address, and intelligent defense against worms.
• Application layer content filtering
Firewall supports mail filtering, based on SMTP mail address, titles, attachments, and contents; supports Web page filtering including HTTP URL and content filtering.
• Multiple security authentication services
Firewall supports RADIUS and HWTACACS authentication and certificate-based (X.509) PKI/CA authentication; supports user identity management (different users have different rights to execute commands); supports user view levels (users of different levels have different management rights).
• Centralized management and auditing
Firewall provides logging, traffic statistics and analysis, events monitoring and statistics, and mail notification of alarms.
Warranty and support
• Electronic and telephone support
limited electronic and business-hours telephone support is available from HP for the entire warranty period; to reach our support centers, refer to www.hp.com/networking/contact-support; for details on the duration of support provided with your product purchase, refer to www.hp.com/networking/warrantysummary
• Software releases
to find software for your product, refer to www.hp.com/networking/support; for details on the software releases available with your product purchase, refer to www.hp.com/networking/warrantysummary
• 1-year warranty
advance hardware replacement with 10-calendar-day delivery (available in most countries)
HP 10500/11900/7500 20Gbps VPN Firewall Module
Specifications
HP 10500/11900/7500 20Gbps VPN Firewall Module (JG372A)
Ports
2 RJ-45 auto-negotiating 10/100/1000 ports (IEEE 802.3 Type 10BASE-T, IEEE 802.3u Type 100BASE-TX, IEEE 802.3ab Type 1000BASE-T)
2 dual-personality ports; auto-sensing 10/100/1000BASE-T or SFP
1 RJ-45 serial console port
1 Compact Flash port
Physical characteristics
Dimensions: 15.71(w) x 14.84(d) x 1.57(h) in (39.9 x 37.7 x 4 cm)
Weight: 7.72 lb (3.5 kg)
Environment
Operating temperature: 32°F to 113°F (0°C to 45°C)
Operating relative humidity: 10% to 95%, noncondensing
Management
IMC - Intelligent Management Center; command-line interface; Web browser; SNMP Manager; Telnet; HTTPS; RMON1; FTP
Features
Performance
- 6.5 Gbps firewall throughput
- 2 million concurrent connections
- 60,000 new connections per second
- Maximum 20,480 security policies
- 2 Gbps 3DES/AES VPN throughput
- 5,000 IPSec tunnels
- 4,000 VLANs
Firewall operation mode
- Routing mode
- Transparent mode
- Hybrid mode
AAA service
- Local authentication
- Standard RADIUS
- HWTACACS+
- RADIUS domain authentication
ASPF
- General TCP/UDP application
- FTP/SMTP/HTTP/RTSP/H323 protocol state detection
- SIP/MGCP/QQ/MSN protocol state detection
- Java/ActiveX blocking and detection
- Port mapping
- Support for fragmented packets
Virtualization
- 256 virtual firewalls
- 4 default security zones
- Maximum 256 security zones
NAT
- NAPT
- PAT
- NAT server
- Port mapping
- Bidirectional NAT
- Static NAT
Network security
- Add blacklist entries manually or automatically
- IP+MAC binding
- ARP reverse query
- ARP cheat check
- Management ports closed by default
DDoS
- DNS query flood
- SYN flood
- Autostarts TCP proxy when a SYN flood is detected
- ICMP flood
- UDP flood
- IP spoofing
- SQL injection filter
L2TP VPN
- LNS, LAC
- L2TP multi-instance
GRE
- GRE tunneling protocol
IPSec
- AH/ESP
- ESP
- Transport/tunnel mode
- NAT traversal
- Strategy template
IKE
- DH
- Preshared key authentication method
- Support for aggressive mode and main exchange mode
- IKE DPD, PKI/CA
Network feature
- IEEE 802.1q VLAN
- 4,000 subinterfaces
- Static and dynamic ARP
- Multicast, PIM
- IGMPv1/v2/v3
Routing
- RIP
- OSPF
- BGP
- Static route
- Policy route
High availability
- Active-active mode
- Active-passive mode
- Session synchronization for firewall
System management
- Web management support for Internet Explorer/Firefox
- Command-line interface (Console/Telnet/SSH)
- Classification Manager
- Unified management through iMC
- SNMPv1/v2c/v3
Administration
- Software upgrades
- Configuration backup and restore
Logging/Monitoring
- Syslog
- Mini RMON
- NTP
- NAT/ASPF/firewall log stream (binary log)
IPv6 routing and multicast
- RIPng
- OSPFv3
- BGP4+
- Static route
- Policy route
- PIM-SM/DM
IPv6 security
- NAT-PT
- Manual tunnel
- IPv6 over IPv4 GRE tunnel
- 6to4 tunnel (RFC 3056)
- ISATAP tunnel
- IPv6 packet filter
- RADIUS
- NAT64
Services
3-year, parts only, global next-day advance exchange (UZ896E)
3-year, 4-hour onsite, 13x5 coverage for hardware (UZ897E)
3-year, 4-hour onsite, 24x7 coverage for hardware (UZ900E)
3-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 SW phone support and SW updates (UZ904E)
3-year, 24x7 SW phone support, software updates (UZ907E)
1-year, post-warranty, 4-hour onsite, 13x5 coverage for hardware (HR735E)
1-year, post-warranty, 4-hour onsite, 24x7 coverage for hardware (HR736E)
1-year, post-warranty, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone support (HR737E)
4-year, 4-hour onsite, 13x5 coverage for hardware (UZ898E)
4-year, 4-hour onsite, 24x7 coverage for hardware (UZ901E)
4-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone (UZ905E)
4-year, 24x7 SW phone support, software updates (UZ908E)
5-year, 4-hour onsite, 13x5 coverage for hardware (UZ899E)
5-year, 4-hour onsite, 24x7 coverage for hardware (UZ902E)
5-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone (UZ906E)
5-year, 24x7 SW phone support, software updates (UZ909E)
3-year, 6-hour Call-to-Repair Onsite (UZ910E)
4-year, 6-hour Call-to-Repair Onsite (UZ911E)
5-year, 6-hour Call-to-Repair Onsite (UZ912E)
1-year, 6-hour Call-to-Repair Onsite for hardware (HR739E)
1-year, 24x7 software phone support, software updates (HR738E)
Refer to the HP website at www.hp.com/networking/services for details on the service-level descriptions and product numbers. For details about services and response times in your area, please contact your local HP sales office.
Standards and Protocols
(applies to all products in series)
IPv6
RFC 1981 IPv6 Path MTU Discovery
RFC 2460 IPv6 Specification
RFC 2465 Management Information Base for IP Version 6: Textual Conventions and General Group (partially supported, only "IPv6 Interface Statistics table")
RFC 2473 Generic Packet Tunneling in IPv6 Specification
RFC 2529 Transmission of IPv6 over IPv4 Domains without Explicit Tunnels
RFC 2893 Transition Mechanisms for IPv6 Hosts and Routers
RFC 3484 Default Address Selection for IPv6
RFC 3513 IPv6 Addressing Architecture
RFC 3587 IPv6 Global Unicast Address Format
RFC 4007 IPv6 Scoped Address Architecture
RFC 4862 IPv6 Stateless Address Auto-configuration
Security
IEEE 802.1X: Port-Based Network Access Control (2001)
RFC 1321 The MD5 Message-Digest Algorithm
RFC 1334 PPP Authentication Protocols (PAP)
RFC 1994 PPP Challenge Handshake Authentication Protocol (CHAP)
RFC 2104 Keyed-Hashing for Message Authentication
RFC 2138 RADIUS Authentication
RFC 2618 RADIUS Authentication Client MIB
RFC 2620 RADIUS Accounting Client MIB
RFC 2716 PPP EAP TLS Authentication Protocol
RFC 2865 RADIUS Authentication
RFC 2866 RADIUS Accounting
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868 RADIUS Attributes for Tunnel Protocol Support
RFC 2869 RADIUS Extensions
draft-grant-tacacs-02 (TACACS)
VPN
RFC 1701 Generic Routing Encapsulation (GRE)
RFC 1702 Generic Routing Encapsulation over IPv4 networks
RFC 1828 IP Authentication using Keyed MD5
RFC 1829 The ESP DES-CBC Transform
RFC 1853 IP in IP Tunneling
RFC 2085 HMAC-MD5 IP Authentication with Replay Prevention
RFC 2401 Security Architecture for the Internet Protocol
RFC 2402 IP Authentication Header
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec
RFC 2411 IP Security Document Roadmap
RFC 2451 The ESP CBC-Mode Cipher Algorithms
RFC 2661 Layer Two Tunneling Protocol "L2TP"
RFC 2784 Generic Routing Encapsulation (GRE)
RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPSec
IKEv1
RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
RFC 2412 The OAKLEY Key Determination Protocol
RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
PKI
RFC 2510 Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC 2511 Internet X.509 Certificate Request Message Format
RFC 3279 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
draft-nourse-scep-06
PKCS#1
PKCS#7
PKCS#10
PKCS#12
To learn more, visit hp.com/networking
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
September 2013