- Number of slides: 80
Security Level
Secospace USG 9100 Competition Analysis
Huawei Symantec Technologies Co., Ltd.
Huawei Symantec Confidential
2018/3/18
Overview
Objective
- Know about the products of both HS and peer vendors; defeat rival products with our invincible features.
- For any question or query, you may contact Song Xuzhao, the marketing representative of the USG 9100. Any idea to better the slide is appreciated, especially suggestions from the front-line colleagues, who are acquainted with the products of peer vendors.
HS 10-Gigabit Security Gateway Product Family
USG 9110, USG 9120
- 10 G to 120 G performance
- ATCA
- Distributed architecture
- High performance & low power consumption
USG 9310, USG 9320
- 10 G to 80 G performance
- Mass VPN access
- Distributed architecture
- NP+multi-core processor
Product Overview — Brand Names
- The USG 9100 series includes the USG 9110 (5 U) and the USG 9120 (14 U). This series mainly targets non-operator markets. So far, HS has not OEMed the USG 9100 series.
[Table: brand name and logo by market. Markets: Chinese Non-operator, Overseas Non-operator, Chinese Operator, Overseas Operator. Brand names as listed on the slide: Secoway, Secospace, USG 9100, Secospace, Quidway, USG 9100, Eudemon]
Product Overview
- Orientation
  - High-end 10-Gigabit security gateway with multiple functions
  - Sorting out inferior 10-Gigabit FWs in non-operator markets
- Target market
  - Non-operator 10-Gigabit FW market
- Highlights
  - High performance & low power consumption
  - Excellent performance
  - ATCA distributed scalable architecture
Super 100-Gigabit FW — the USG 9100
- Advanced ATCA+multi-core+distributed architecture: Providing high scalability and reducing the TCO
- Brilliant FW performance: Safeguarding key services
- Excellent VPN performance: Adapting to the encrypted transmission of mass services
- Extensive interfaces: Facilitating flexible networking
- Sound reliability: Ensuring service consistency and stability with 330000-hour MTBF
- Low power consumption & easy deployment: Consuming lowest power of less than 20 W/G in the industry, applicable to standard cabinets
The super 100-Gigabit high-end FW delivers industry-leading performance and reliability, which effectively guarantees the security of large IDCs, big Web sites, and high-end applications on vertical industry networks.
Competition Analysis
10-Gigabit FWs in the Industry
[Chart: vendors positioned by market share and technology leadership. Vendors: Cisco, Juniper, Fortinet, HS, H3C, TOPSEC, Lenovo. Products shown: ASA 5580-40, 6500 switch+FW board, SRX 3000, SRX 5000, FortiGate 5000, F 5000-A5, KingGuard 9000, NGFW]
- Cisco mainly adopts security boards. Its security products gain the first market share relying on the leading role in routing and switching technologies.
- Juniper has advanced security technologies. The SRX series is launched in 08/09. Its performance and functions are in leading roles.
- Fortinet is the founder of UTM. Its products are outstanding in UTM features and management, but the performance and FW functions are poor.
- Supporting 10 GE interfaces; FW throughput > 10 Gbps; transaction price > $30000
Integrated Architecture Analysis of 10-Gigabit FWs
[Diagram: classification of 10-Gigabit FWs. Labels: Security board; Independent device; CEO; Centralized; Distributed; Integrating interface cards and service boards; Separating interface cards from service boards. Products shown: ASA 5580-40, FortiGate 5000, F 5000-A5, SRX series, USG 9100, MS-DPC, SecBlade, FWSM]
Juniper, Cisco, and H3C, dedicated in routing and switching devices, provide both independent devices and security boards. Other professional security product vendors provide independent devices only. Most new products in the market adopt distributed architecture to promote integrated performance. Moreover, interface cards and service boards are separated to enhance reliability and networking flexibility.
Strength Emphasis
- Advanced performance: The USG 9100 provides up to 120 G throughput, 48000000 concurrent connections, 3000000 new connections per second, 96 G VPN performance, and 480000 IPSec concurrent tunnels. All these ensure the best performance of the USG 9100 in the industry.
- Distributed architecture: The USG 9100 adopts the standard ATCA architecture, which provides excellent scalability (both the performance and interfaces can be expanded smoothly). The USG 9100 also adopts distributed SPUs to implement load balancing and hot backup among SPUs.
- Interface density: The USG 9100 provides a maximum of 96 x GE interfaces or 12 x 10 GE interfaces. In Q1, 2010, we will provide the high-density LPU, which provides 2 x 10 GE+16 x GE interfaces.
- High reliability: Dual MPUs, dual-system hot backup, key component redundancy, 99.999% reliability, and 38-year MTBF. Recommend users to adopt dual-system hot backup networking to ensure high reliability.
- Selling price: The selling price of the USG 9100 is much lower than that of products from overseas vendors.
- High performance and low power consumption: The power consumption of the USG 9100 is lower than 20 W/G. The total power consumption of the USG 9110 is 800 W and that of the USG 9120 is 2000 W.
Weakness Avoidance
- Interface density: Currently, the interface density of our board is relatively poor, but the maximum number of interfaces is large. In Q1, 2010, we will launch the high-density LPU, which provides 2 x 10 GE+16 x GE interfaces.
- LPU: The number of LPUs corresponds to that of SPUs. If high-density interfaces are required, great pressure is imposed on the selling price of the USG 9100.
- Power supply: External power supply.
- UTM feature: The USG 9100 currently lacks the UTM feature, which should be avoided. In high-end application scenarios, the enabling of the UTM feature leads to performance decrease and results in the network bottleneck. Therefore, the UTM feature is not practical in high-end application scenarios.
Catalog
Juniper SRX 5000, Juniper SRX 3000, NS-5200/5400
- Juniper launched the SRX 5600/5800 high-end FWs in September 2008. The SRX 5600/5800 are based on the MX 480/960 router platforms. A single slot provides 40 G switching capability. The advertised integrated throughput of the SRX 5600/5800 is 60 Gbps/120 Gbps.
- Juniper SRX 3400/3600 (20 Gbps/30 Gbps throughput) are entry-level 10-Gigabit FWs.
- Juniper NS 10-Gigabit FW series includes the NS-5200 and NS-5400, which provide 10 G and 34 G throughput respectively. The NS series supports multiple 10 GE interfaces, and is the earliest independent 10-Gigabit FW in the industry. The NS series adopts the traditional ASIC+CPU architecture and the number of new connections per second is small. Therefore, the NS series cannot apply to current networks where DDoS attacks and burst traffic frequently occur.
Juniper SRX 5000
[Images: SRX 5800, SRX 5600]
- Juniper launched the SRX 5600/5800 high-end FWs in September 2008. The SRX 5600/5800 are based on the MX 480/960 router platforms. A single slot provides 40 G switching capability. The advertised integrated throughput of the SRX 5600/5800 is 60 Gbps/120 Gbps.
- Key message: Speed Ahead
- Advertised features:
  - Scalable performance
  - System and network resiliency
  - Interface flexibility
  - Network segmentation
  - Robust routing engine
  - Comprehensive threat protection
- Main functions: FW, QoS, routing, and IPS
Components of Juniper SRX 5000
[Figure: SRX 5000 chassis. Labels: Control panel, Upper fantray, IOC, SCB (Switch Control Board), SPC, RE (Routing Engine), Lower fantray, Air intake]
- IOC: Input Output Card, supporting 4 x 10 GE and 40 x GE
- SPC: Service Processing Card, supporting 10 G large-packet throughput and lower than 1 G small-packet throughput
- RE: Routing Engine, supporting 1.3 GHz and 2 GB DRAM
- SCB: Switch Control Board, supporting backup
Components Analysis of Juniper SRX 5000
- Chassis: The SRX 5600 adopts the 8-U chassis and the SRX 5800 adopts the 16-U chassis.
- SCB: The SRX 5600 can be configured with two SCBs (1+1) and the SRX 5800 can be configured with three (2+1).
- RE: The RE is installed on the SCB. The switch platform supports dual routes, but the RE supports only one. The 1.3 GHz Celeron-M chip is adopted and the 2 GB memory is configured. Complete separation of control and data planes.
- SPC: The SPC provides 15 G large-packet throughput, smaller than 1 G small-packet throughput, and 5 G mixed-packet throughput. The advertised throughput is 20 Gbps.
- IOC: The IOC supports 40 x GE and 4 x 10 GE interfaces, but not POS interfaces. The IOC adopts the switch fabric architecture; the integrated processing capability is ordinary. (The USG 9100 supports POS interfaces, but the interface density and LPU capacity are not as good as Juniper SRX 5000 series.)
According to the specifications, the indexes (such as the number of new connections per second, number of concurrent connections, and number of policies) of the SRX 5600 and those of the SRX 5800 are the same. That is, these specifications do not increase linearly in accordance with the number of SPCs. Therefore, we can conclude that all services are forwarded by the RE, and the integrated throughput and reliability of Juniper SRX 5000 series rely on the RE. As a result, its reliability and scalability are much poorer than those of the USG 9100.
Specifications Comparison SRX 5600 SRX 5800 USG 9110 USG 9120 Integrated throughput 60 Gbps 120 Gbps 40 Gbps 120 Gbps Throughput (mixed packet) 20 Gbps 45 Gbps 32 Gbps 64 Gbps Throughput per board (large packet/mixed packet/small packet) 20 Gbps/5 Gbps/1 Gbps 10 Gbps/8 Gbps/5 Gbps Number of concurrent 4000000 x 4 4000000 x 12 Single board: 100000/integrated device: 350000 250000 x 4 250000 x 12 connections Number of new connections per second Anti-DDoS performance 7 Mpps 15 Mpps 7.5 Mpps x 4 7.5 Mpps x 12 Number of VPN tunnels 45000 85000 40000 x 4 40000 x 12 Type of interface modules 40 x GE/4 x 10 GE 8 x GE/4 x 2.5 GE/1 x 10 GE/POS Based on the switching platform Based on the routing platform Number of slots 6 12 4 12 IPS performance 15 Gbps 30 Gbps / / Reliability VPN performance Active/standby, RE promoting reliability Dual-system hot backup, SPU backup Switching platform Core routing platform 15 G 3DES+SHA1 30 G 3DES+SHA1 4 x 8 Gbps 12 x 8 Gbps Number of security policies 80000 50000 Number of virtual FWs H 209 1024
Quotation Mode of the SRX 5800 Series
- Quotation mode:
  - Frame (including the RE and SCB)+IOC+SPC
- Quotation example:
  - SRX 5800 40 G throughput+2 REs+2 SCBs+4 x 10 GE+24 x GE+dual power supplies: catalog price: ¥ 15680000
  - SRX 5800 80 G throughput+2 REs+2 SCBs+4 x 10 GE+24 x GE+dual power supplies: catalog price ¥ 22080000
- Juniper's maximum discount: 89%
USG 9100 vs. SRX 5000
- Comprehensive linear scalable architecture: The USG 9100 adopts the real distributed architecture. Its throughput, number of new connections per second, and number of concurrent connections can be expanded linearly. But for Juniper SRX 5000, only the throughput can be expanded linearly, but not the other specifications, which proves that Juniper SRX 5000 does not adopt the real scalable architecture.
- Advantageous integrated performance: Except the integrated throughput and large-packet throughput, the small-packet throughput, mixed-packet throughput, number of new connections per second, number of concurrent connections, and VPN performance of the USG 9100 stand out. The SRX 5000 cannot be mentioned in the same breath with the USG 9100, especially the small-packet throughput. The SRX 5000 cannot defend against large-scale DDoS attacks.
- High reliability: Dual main processing units: According to the purchase list, Juniper SRX 5000 does not support dual main processing units. Mutual backup among SPCs: This feature is not mentioned in the promotion of Juniper SRX 5000. MTBF: This data is not mentioned in the promotion of Juniper SRX 5000. The USG 9100 supports dual-system hot backup. The SRX 5000 supports the active/standby mode only and is of poor reliability. The boards of the SRX 5000 do not support hot swapping. Juniper solves the problem on continuous transmission through the chassis cluster.
- Virtual FW: The USG 9100 supports 1024 virtual FWs, but the SRX 5000 does not. The new software platform of the SRX 5000 has not comprehensively integrated the original functions.
- Interface: The USG 9100 supports POS interfaces, but the SRX 5000 does not. The interface density of the USG 9100 is high. A single LPU of the USG 9100 supports 4 x 10 GE or 40 x GE interfaces.
- Anti-DDoS: The number of new connections per second of the SRX 3000 is small and the anti-DDoS capability is poor.
- Slot: The IOC and SPC of the SRX 5000 share the same slot. The SPU of the USG 9100 corresponds to the LPU (one-to-one), and the USG 9100 supports 4/12 pairs of SPUs and LPUs. The SPC and IOC of the SRX 5600 are the same as those of the SRX 5800.
- Selling price: The selling price of the SRX 5000 is much higher than that of the USG 9100. Therefore, they seldom compete with each other through selling prices.
- Management: The SRX 5000 is managed through the NSM, but the NSM cannot receive security alarms from the SRX 3000. That is, this security management platform does not notify what kind of attacks occur on the network, nor whether the network is under attack. After the IPS function of the SRX 5000 is enabled, the configuration interface becomes unstable and the attack database is incoherent. The management of the IPS function can hardly be implemented. The IPS performance is poor, the configuration is difficult to implement, and the management is hard to realize. All these indicate that the SRX 5800 may be a high-speed FW; however, before Juniper solves the manageability problem, the IPS function of the SRX 5000 is not applicable. For details, go to:
  http://www.networkworld.com/reviews/2009/022309-juniper-firewall-test.html
  http://www.cww.net.cn/tech/html/2009/3/16/2009316162046380.htm
  http://cisco.chinaitlab.com/firewall/779297.html
Weakness Avoidance of the USG 9100
- Integrated performance: The throughput (large packet/mixed packet/small packet), number of concurrent connections, and number of new connections per second should be emphasized. Guide customers to know that the capability of processing large packets cannot present the actual performance of a FW and only the integrated performance makes sense.
- Interface density: We are not good in interface density. 2 x 10 GE+16 x GE high-density LPUs will be provided in the coming year.
- Selling price: The selling price of the USG 9100 is much lower than that of the SRX 5000.
Juniper SRX 5000, Juniper SRX 3000, NS 5200/5400
Juniper SRX 3000
[Images: SRX 3400, SRX 3600]
- Juniper SRX 3400/3600 are entry-level 10-Gigabit FWs launched in March, 2009. The throughput ranges from 10 Gbps to 30 Gbps. The advertised integrated throughput of Juniper SRX 3400/3600 is 20 Gbps/30 Gbps.
- Key message: advanced scalability and service integration
- Advertised features:
  - Flexible performance expansion and I/O expansion
  - Powerful network and security services
  - Various detection methods
  - IPS function
  - Network and Security Manager for centralized management
  - Simple and flexible deployment
- Main functions: FW, NAT, DDoS defense, QoS, ALG, IPSec/SSL VPN, and IPS
Components of Juniper SRX 3400
[Figures: Front panel of the SRX 3400; Rear panel of the SRX 3400]
- IOC: Input Output Card, supporting 2 x 10 GE or 16 x GE interfaces (optical/electrical)
- SPC: Service Processing Card, supporting 5 G throughput (large packet) and 1 G throughput (small packet) respectively
- RE: Routing Engine, PowerPC platform
- NPC: Network Processing Card, forwarding traffic between IOCs and SPCs
- SFB: Switch Fabric Board, supporting 8 x GE (electrical)+4 x GE (optical) interfaces
Components of Juniper SRX 3600
[Figures: Front panel of the SRX 3600; Rear panel of the SRX 3600]
- IOC/SPC/RE/NPC/SFB: the same as those of the SRX 3400
Components Analysis of Juniper SRX 3000
- Chassis: The SRX 3400 adopts the 3-U chassis and the SRX 3600 adopts the 5-U chassis. Juniper SRX 3000 series adopts the central backplane.
- SCB: One SCB is integrated in the chassis of the SRX 3400/3600.
- NPC: The SRX 3400 can be configured with one or two NPCs and the SRX 3600 can be configured with one to three NPCs.
- RE: The RE is installed on the SCB (or Ethernet IOC). The switch platform supports dual routes, but the RE supports only one, and single main processing unit is adopted.
- SPC: The SPC provides 5 G large-packet throughput and 1 G small-packet throughput. The USG 9100 provides 5 G small-packet throughput, 8 G mixed-packet throughput, and 10 G large-packet throughput.
- IOC: The IOC supports 16 x GE or 2 x 10 GE interfaces, but not POS interfaces. The IOC adopts the switch fabric architecture; the integrated processing capability is ordinary. (The USG 9100 supports POS interfaces, but the interface density and LPU capacity are not as good as Juniper SRX 5000 series.)
- Maximum number of boards (SRX 3400): Seven slots in total (four in the front panel and three in rear panel). The IOC should be installed in the front panel and the NPC in the rear panel. The SPC can be installed either in the front or rear panel. The maximum number of SPCs is four, IOCs four, and NPCs two.
- Maximum number of boards (SRX 3600): 12 slots in total (six in the front panel and six in rear panel). The IOC should be installed in the front panel and the NPC in the rear panel. The SPCs can be installed either in the front or rear panel. The maximum number of SPCs is seven, IOCs six, and NPCs three.
According to the specifications, the indexes (such as the number of new connections per second and number of policies) of the SRX 3400 and those of the SRX 3600 are the same. That is, these specifications do not increase linearly in accordance with the number of SPCs. Therefore, we can conclude that all services are forwarded by the NPC, and the integrated throughput and reliability of Juniper SRX 3000 series rely on the NPC. As a result, its reliability and scalability are much poorer than those of the USG 9100.
Specifications Comparison SRX 3400 Integrated throughput Throughput (mixed packet) SRX 3600 USG 9110 USG 9120 10 Gbps/20 Gbps/30 Gbps 10 Gbps to 40 Gbps 10 Gbps to 120 Gbps 8 Gbps 18 Gbps 32 Gbps 64 Gbps Throughput per board (large packet/mixed packet/small packet) 5 Gbps/4 Gbps/1 Gbps 10 Gbps/8 Gbps/5 Gbps Number of concurrent connections Single board: 1000000/Integrated device: 2000000 4000000 x 4 4000000 x 12 Integrated device: 175000 250000 x 4 250000 x 12 Single board: 3 Mpps/integrated device: 6 Mpps 7.5 Mpps x 4 7.5 Mpps x 12 40000 x 4 40000 x 12 Number of new connections per second Anti-DDoS performance Number of VPN tunnels Type of interface modules 10000 20000 16 x GE (optical/electrical)/2 x 10 GE 8 x GE/4 x 2.5 GE/1 x 10 GE/POS Based on the switching platform Based on the routing platform Number of slots 4 SPC, 1 IOC, 2 NPC 7 SPC, 2 IOC, 3 NPC 4 12 IPS performance 6 Gbps 10 Gbps / / Reliability Active/standby, RE promoting reliability Dual-system hot backup, SPU backup Switching platform Core routing platform 40000 50000 Number of security policies IPSec VPN performance Number of virtual FWs 6 Gbps 10 Gbps 4 x 8 Gbps 256 12 x 8 Gbps 1024
Quotation Mode of the SRX 3000 Series
- Quotation mode:
  - Frame (including the RE and SCB)+interface board+SPC, 89% discount
- Quotation example:
  - SRX 3400: 30 G throughput+1 x NPC+2 x 10 GE+4 x SPC+12 x GE (delivered)+DC, discounted price: ¥ 470000
  - SRX 3600: 30 G throughput+1 x NPC+2 x 10 GE+4 x SPC+12 x GE (delivered)+DC, discounted price: ¥ 510000
Strength Emphasis of the USG 9100
- Comprehensive linear scalable architecture: The USG 9100 adopts the real distributed architecture. Its throughput, number of new connections per second, and number of concurrent connections can be expanded linearly. But for Juniper SRX 3000, only the throughput and number of concurrent connections can be expanded linearly, but not the other specifications, which proves that Juniper SRX 3000 does not adopt the real scalable architecture.
- Advantageous integrated performance: The large-packet throughput, small-packet throughput, mixed-packet throughput, number of new connections per second, number of concurrent connections, and VPN performance of the USG 9100 stand out. The SRX 3000 is just an entry-level 10-Gigabit product; its performance cannot be mentioned in the same breath with that of the USG 9100, especially the small-packet throughput. The SRX 3000 cannot defend against large-scale DDoS attacks. The processing capability of a single board of the SRX 3000 is just half that of the USG 9100.
- High reliability: Juniper SRX 3000 does not support dual main processing units. Mutual backup: The USG 9100 supports load balancing and mutual backup among SPUs. Anomalies on a single board do not affect the system running. This feature is not mentioned in the promotion of Juniper SRX 3000. MTBF: 99.9999% reliability, 500000 hours/57 years MTBF. This data is not mentioned in the promotion of Juniper SRX 3000. The SRX 3000 supports the active/standby mode only. The boards of the SRX 3000 do not support hot swapping. Juniper solves the problem on continuous transmission through the chassis cluster.
- Virtual FW: The USG 9100 supports 1024 virtual FWs, but the SRX 3000 does not.
- POS interface: The USG 9100 supports the interfaces of extensive specifications, including 10 GE interfaces, to facilitate networking. The SRX 3000 does not support such interfaces.
- Anti-DDoS: The number of new connections per second of the SRX 3000 is small and the anti-DDoS capability is poor.
- Selling price: The selling price of the USG 9100 is low.
- IPS: The SRX 3000 supports the IPS function. Once the IPS function is enabled on the SRX 3000, the performance decreases sharply. Therefore, the SRX 3000 is not applicable to high-end applications. The SRX 3000 is managed through the NSM. According to the test result of Spirent, after the IPS function is enabled, the NSM can hardly manage the SRX 3000. Therefore, the IPS function of the SRX 3000 exists in name only.
- Management: The SRX 3000 is managed through the NSM, but the NSM cannot receive security alarms from the SRX 3000. That is, this security management platform does not notify what kind of attacks occur on the network, nor whether the network is under attack.
Juniper SRX 5000, Juniper SRX 3000, NS 5200/5400
USG 9100 vs. NS-5200/5400
- NS-5200/5400: Fixed hardware architecture: ASIC+CPU. The CPU is involved in the processing of the header packet; the number of new connections per second is low. The cycle for the ASIC update and upgrade is long, and new attacks cannot be effectively defended against.
- USG 9110/USG 9120: Advanced architecture: ATCA+multi-core+distributed. Multi-core CPU: high performance and flexibility. Distributed: supporting performance expansion.
- NS-5200/5400: Poor integrated performance. Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is poor. It cannot defend against DDoS attacks or apply to scenarios with mass concurrent connections.
- USG 9110/USG 9120: Industry-leading performance. Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is far advanced. It can effectively defend against DDoS attacks and apply to scenarios with mass concurrent connections.
- NS-5200/5400: No performance expansion. Supporting interface expansion, but not performance expansion.
- USG 9110/USG 9120: High scalability. It can be configured with different numbers of SPUs, and supports performance expansion.
- NS-5200/5400: High selling price.
- USG 9110/USG 9120: Low selling price.
- NS-5200/5400: Ordinary interface diversity and density. No POS interface; providing only 1/3 extension slots.
- USG 9110/USG 9120: Diversified interfaces with high density. Supporting POS interfaces; providing 4/12 extension slots.
- NS-5200/5400: Ordinary reliability. Not supporting dual main processing units or load balancing.
- USG 9110/USG 9120: High reliability. Supporting dual-system hot backup, load balancing, and mutual backup of SPUs.
- NS-5200/5400: UTM feature: URL filtering; IPS.
- USG 9110/USG 9120: UTM feature: None at present.
Specifications Comparison
Columns: NS-5200; NS-5400; USG 9110; USG 9120
Throughput (large packet/small packet): 10 Gbps/4 Gbps; 30 Gbps/10 Gbps; 40 Gbps/14 Gbps; 120 Gbps/42 Gbps
Number of concurrent connections: 1000000; 2000000; 16000000; 48000000
Number of new connections per second: 20000; 1000000; 3000000
Anti-DDoS performance: 6 Mpps; 18 Mpps; 30 Mpps; 90 Mpps
Type of interface modules: 8 x GE (optical)/2 x 10 GE; 8 x GE/1 x 10 GE/POS
Number of slots: 1 management module+1; 1 management module+3 IOCs; 4 SPUs+4 LPUs; 12 SPUs+12 LPUs
Number of interfaces: 8 x GE (optical)/2 x 10 GE; 24 x GE (optical)/6 x 10 GE; 32 x GE/4 x 10 GE; 96 x GE/12 x 10 GE
VPN performance: 6 Gbps; 15 Gbps; 32 Gbps; 96 Gbps
Number of VPN tunnels: 25000; 160000; 480000
IPS and URL filtering: Supported; /; /
Number of virtual FWs: 0 to 500; 1024
The USG 9100 can defeat Juniper products in terms of FW and VPN performance, and number of extension slots. Try to avoid the comparison on IPS and URL functions.
Quotation Mode of the NS 5000 Series
- Quotation mode:
  - Frame+IOC+management module
- Quotation example:
  - NS 5200: 10 G throughput+2 x 10 GE+8 x GE+dual power supplies. Catalog price: ¥ 5920000
  - NS 5400: 30 G throughput+2 x 10 GE+8 x GE+dual power supplies. Catalog price: ¥ 7008000
- Juniper's maximum discount: 89%
USG 9100 vs. NS-5000
- Selling price: The selling price of the USG 9100 is an advantage. Particularly, to implement the IPS function on the NS-5000, customers need to purchase related licenses every year.
- Performance: Because the NS-5000 adopts the ASIC architecture, the number of new connections per second is small. Consequently, the NS-5000 cannot deal with large-scale sudden network incidents. Moreover, the performance of the NS-5000 is much lower than that of the USG 9100.
ASA 5580, 6500/7600+FWSM
HS vs. Cisco
[Images: ASA 5580-20, ASA 5580-40, MSB]
High-end 10-Gigabit FWs include:
- Independent FW: ASA 5580-20/ASA 5580-40
  These two products were launched in 2008. They are both 4 U high and of the same appearance. The one with better configuration may be packed to the lower-end one, or different CPUs are adopted for packing the two models. The ASA 5580-20/ASA 5580-40 adopts the multi-core processor, supports 10 GE interfaces, and provides the FW/VPN feature. The throughput (large packet/small packet) is 6.5 Gbps/1.7 Gbps and 14 Gbps/2.7 Gbps respectively. The performance of the USG 9100 is much better than that of these two Cisco products.
- Router/Switch+security board:
  - 6500/7600 switch/router+FWSM: This is the main solution of Cisco and applies to scenarios where Cisco devices are already deployed. The main advantage is that the solution is easy to deploy and of low upgrade costs. But the security board adopts the X86 chip, so the performance of this solution cannot be mentioned in the same breath with the USG 9100. In addition, this FWSM solution is not widely applied.
  - XR 12000 high-end router+MSB: The MSB adopts the NP+CPU architecture. A single board provides 8 G throughput. This solution is not widely applied in China, and thus the specifications are not clear. Moreover, the deployment costs are high.
USG 9100 vs. Cisco
Compared: ASA 5580-40; Security Board; USG 9100
- ASA 5580-40: 4-U centralized X86 server. The small-packet throughput cannot reach Gigabit line speed. No distributed architecture or scalability.
- Security board: Switch/router+N x service boards. CPU involved in service processing, which results in performance bottleneck.
- USG 9100: Advanced architecture: ATCA+multi-core+distributed. Multi-core CPU: high performance and flexibility. Distributed: supporting performance expansion.
- Cisco: Poor integrated performance. Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is poor.
- USG 9100: Industry-leading performance. Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is far advanced. It can effectively defend against DDoS attacks and apply to scenarios with mass concurrent connections.
- ASA 5580-40: No performance expansion. Supporting interface expansion, but not performance expansion.
- Security board: Ordinary performance scalability. Supporting a maximum of 4 FWSMs. Supporting a maximum of 8 SMBs.
- USG 9100: High scalability. It can be configured with different numbers of SPUs, and supports performance expansion.
- ASA 5580-40: Ordinary interface diversity. No POS interface.
- Security board: Diversified interfaces. Integrating the features of the router and switch, and thus providing diversified interfaces.
- USG 9100: Diversified interfaces with high density. Supporting POS interfaces; providing 4/12 extension slots (4 x 10 GE+16 x GE interfaces will be provided in later versions).
- Application, ASA 5580-40: It is a new product and there is no application case.
- Application, security board: It is a non-independent security device and is seldom applied in China.
- Application, USG 9100: The USG 9100 has many application cases.
Specifications Comparison
Columns: ASA 5800-20; ASA 5800-40; USG 9110; USG 9120
Throughput (large packet/small packet): 6.4 Gbps/1.7 Gbps; 14 Gbps/2.7 Gbps; 40 Gbps/14 Gbps; 120 Gbps/42 Gbps
Number of concurrent connections: 1000000; 2000000; 16000000; 48000000
Number of new connections per second: 90000; 150000; 1000000; 3000000
Anti-DDoS performance: 2.5 Mpps; 4 Mpps; 30 Mpps; 90 Mpps
Type of interface modules: 4 x GE (optical)/2 x 10 GE; 8 x GE/4 x 2.5 GE/1 x 10 GE/POS
Number of slots: 6; 6; 4 SPUs+4 LPUs; 12 SPUs+12 LPUs
Number of interfaces: 24 x GE/12 x 10 GE; 32 x GE/4 x 10 GE; 96 x GE/12 x 10 GE
VPN performance: 1 Gbps; 32 Gbps; 96 Gbps
Number of VPN tunnels: 10000; 160000; 480000
VLAN: 250; 4094
SSL VPN: Supported; /; /
Number of virtual FWs: 0 to 500; 0 to 1024
The ASA 5580-40 is an almost-Gigabit product. The line-speed processing cannot be implemented on small packets. The ASA 5580-4 is not a direct rival for the USG 9100. The USG 9100 can defeat it in terms of the FW/VPN performance, number of GE interfaces, types of interfaces, and number of extension slots. Try to avoid the comparison on the number of 10 GE interfaces and SSL VPN performance.
Quotation Mode of the ASA 5580 Series
- Quotation mode:
  - Frame (multiple specifications)+interface card
- Quotation example:
  - ASA 5580-20: 10 G throughput+2 x 10 GE+8 x GE+dual power supplies. Catalog price: $165990
  - ASA 5580-40: 20 G throughput+2 x 10 GE+8 x GE+dual power supplies. Catalog price: $270990
- Cisco's maximum discount: 80%
Competition Analysis of the ASA 5580 Series
Strength:
• High scalability
• The ASA 5580-20 supports a maximum of 10 G throughput and 4 extension slots (up to 24 x GE/8 x GE+8 x 10 GE interfaces).
• The ASA 5580-40 supports a maximum of 20 G throughput and 6 extension slots (up to 32 x GE/8 x GE+12 x 10 GE interfaces).
• The USG 9110 supports a maximum of 40 G throughput and 4 extension slots (32 x GE/4 x 10 GE interfaces).
• The USG 9100 provides high-density GE interfaces, and supports 24 GE LPUs; Cisco products only provide 4 GE interface cards.
Weakness:
• The 10 GE interface density of the USG 9100 is low. If many 10 GE interfaces are required, the USG 9100 is in a disadvantageous position.
• High 10 GE interface costs: the ASA: $20000/10 GE interface; the USG 9100: ¥1125000/10 GE interface
Tactics to Compete with the ASA 5800
Strength emphasis:
• The USG 9100 provides the FW throughput of over 20 Gbps, but the ASA 5800 cannot.
• The USG 9100 provides high-density GE interfaces (over 32 GE interfaces), but the ASA 5800 cannot.
• The USG 9100 passes certain qualifications and certifications.
• The USG 9100 adopts the distributed architecture, but the ASA 5800 does not.
• The USG 9100 supports performance expansion, but the ASA 5800 cannot.
• The ASA 5800-40 is a centralized X86 server with backward architecture. The ASA 5800-40 adopts AMD OPTERON 8300 CPU, 2600 MHz basic frequency, and 8 GB memory. Currently, the X86 architecture is out of favor in bidding documents.
Weakness avoidance:
• The 10 GE interface density of the USG 9100 is low. Try to avoid the comparison on 10 GE interfaces. Increasing the number of 10 GE interfaces puts high pressure on the selling price of the USG 9100.
• The ASA 5580 is an entry-level 10-Gigabit FW, and its performance indexes cannot be mentioned in the same breath with the USG 9100. But the ASA provides the cluster function, and a maximum of 10 ASAs can be deployed, which greatly improves the performance and reliability.
ASA 5540-80 6500/7600+FWSM
Analysis of Cisco FWSM
FWSM overview: The FWSM is the Catalyst 6500 series multi-Gigabit FW module. The FWSM supports the switching matrix and can exchange data with the bus and switching matrix. The FWSM can provide the FW function on Cisco Catalyst 6500 series switch and Cisco 7600 series Internet router. A single FWSM provides 5 G throughput. A maximum of 4 FWSMs can be deployed on a switch, enabling the integrated switch to provide FW 20 G throughput.
Advertised key message:
1. Service integration: providing customers with solutions integrating the functions of routing, switching, security, and VPN.
2. Adapting to future requirements: providing 4 x 5 Gbps = 20 Gbps throughput.
3. Low integrated costs: purchase FW modules only, which can be used on the 6500 or 7600 frame.
4. Good ease-of-use: Cisco PIX GUI can be directly used to manage the FWSM, and the support of Cisco management frame and AVVID is available.
5. Reliability: integrating the reliability of both the integrated 6500/7600 and PIX technology.
Analysis of Cisco FWSM — Existing Problems
Architecture:
① Limitation: Cisco FWSM relies on the Sup 720 engine and must interwork with the Sup 720 engine. Thus, the FWSM is not applicable to the first- and second-generation engine SE 1 and SE 2.
② The FWSM is claimed to be on the basis of Cisco's PIX technology, but the PIX technology is actually based on civil X86 processor, which cannot meet the requirement for high performance.
③ Each FWSM has its independent operating system and management interface. This adds complexity and increases the possibility of configuration errors.
Performance and reliability:
① Poor performance: The small-packet throughput of the FWSM is 1700 Mbps; the number of new connections per second is 4000 (that of the USG 9100 is 100000).
② Poor reliability: Each FWSM has its independent operating system and management interface. This adds complexity and increases the possibility of configuration errors.
③ Incompatibility of operating systems: The FWSM is purchased by Cisco from another company. The operating system is incompatible with the Catalyst operating system, and thus many FW features cannot be implemented.
④ The FWSM supports mutual hot backup, but the switchover duration ranges from 10 seconds to several minutes, which is unacceptable for core IDC networks.
Features:
① No VPN: The FW should provide three main functions, namely, security, NAT, and VPN. The FWSM does not support the VPN (including L2TP, GRE, and IPSec) function. If the VPN function is required in networking, additional investment is needed.
② Poor DoS defense: Due to the small number of new connections per second, the FWSM is easily flooded with mass network attack traffic. The DoS defense, however, is one of the main functions of a FW.
③ The transparent and composite modes are not supported.
Services:
① The product services of Cisco completely rely on Chinese distributors, but the technology capability of distributors (even a level-1 distributor) is much poorer than that of dedicated vendors.
② The demand change due to network change needs to be reported to Cisco R&D center, and the R&D center responds to the change. This leads to a long duration. Nevertheless, this process of HS is much shorter.
Selling price: The selling price of the FWSM module is high. Worse still, its functions are not comprehensive. Therefore, customer's investment is much higher than what is expected.
Networking Analysis of Cisco FWSM
1. The FW access method is single; only the access through the serial connection is valid, and the off-line mode is not supported. Because the serial connection is adopted, the NAT traversal function of the FW cannot be implemented on certain services.
2. The FW module (IDS module) does not support hot swapping and the costs are high. If dual FW modules are adopted for networking, only the failover mode is supported, but not load balancing, resulting in the waste of investment.
3. It is advertised that the FW module supports 1000000 concurrent sessions. But in actual networking, when a host worm sql 1434 is sent from the internal network to the external network, the integrated device breaks down, resulting in a critical network incident.
Specifications Comparison
Columns: Cisco FWSM; Cisco MSB; USG 9100
Throughput (large packet/small packet): 5 Gbps/1.7 Gbps; 8 Gbps/?; 10 Gbps
Maximum number of security boards: 4; 8; 4/12
Performance in full configuration: 20 Gbps; 64 Gbps; 40 Gbps/120 Gbps
Number of concurrent connections: 1000000; 4000000
Number of new connections per second: 100000; 250000
Anti-DDoS performance: 2.8 Mpps; 7.5 Mpps
Type of interface modules: The same as the 6500/7600; The same as the XR 12000; 8 x GE/4 x 2.5 GE/1 x 10 GE/POS
Number of slots: The same as the 6500/7600; The same as the XR 12000; 4/12
Number of interfaces: The same as the 6500/7600; The same as the XR 12000; 4/12
IPSec VPN performance: /; /; Supported
Number of virtual FWs: 20 to 250; /; 0 to 1024
Reliability: Active/active and active/standby modes (inner-chassis or cross-chassis); Dual-system hot backup and load balancing
Cisco 6500/7600+N x FWSM is the main rival of the USG 9100.
Cisco FWSM vs. USG 9100
• Note: If the 6500/7600 is deployed, the expansion costs are low.
• Analysis of the selling price: Typical 6500+FWSM configuration: 6500 host+main processing engine+FW package+interface card costs $239690. Note: The security package includes the FWSM and related licenses and the discount is 72% (this discount is for the FW collective purchase of China Mobile in 2007).
• The costs of the FWSM are higher than those of our products with the same configuration. In the FW collective purchase in 2007, Cisco's discount is 72%.
FortiGate 5000 Series FortiGate 3000 Series
Fortinet is the pioneer in new-generation real-time network security defense technologies. It provides a series of integrated network and information security solutions. Fortinet launches the FortiGate, which is a network security platform based on ASIC acceleration. In addition to the FW, VPN, and IPS functions, the FortiGate also delivers the application-layer functions such as anti-virus/worm and Web content filtering, as well as anti-spam and anti-spyware. Furthermore, Fortinet puts forward the concept of UTM.
FortiGate 5000 Series
The FortiGate 5000 is based on the standard ATCA architecture, and is a frame product with high scalability and modular design. The frames currently include:
• FortiGate 5020 (2 slots)
• FortiGate 5050 (5 slots)
• FortiGate 5140 (14 slots)
The frames can be configured with different modules, including the FortiGate 5001, FortiGate 5001FA2 with the FortiAccel technology, powerful FortiGate 5005FA2, and FortiGate 5003 switching modules. With these modules, more functions are available. The entire FortiGate 5000 series supports the FortiGate 5001 module, but the FortiGate 5003 switching module applies to the FortiGate 5050 and FortiGate 5140 frames only.
HS vs. Fortinet
FortiGate 3810A FortiGate 5000 USG 9100
ASIC+NP+extension module
• Providing basic scalability
X86 ATCA architecture
• Similar to our architecture; providing flexible expansion
• X86 architecture; poor small-packet performance
Advanced architecture: ATCA+multi-core+distributed
• Multi-core CPU: high performance and flexibility
• Distributed: supporting performance expansion
Poor integrated performance
• Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is poor.
• It cannot defend against DDoS attacks or apply to scenarios with mass concurrent connections.
Ordinary integrated performance
• The number of new connections per second is relatively low.
• It cannot defend against DDoS attacks or apply to scenarios with mass concurrent connections.
Industry-leading performance
• Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is far advanced.
• It can effectively defend against DDoS attacks and apply to scenarios with mass concurrent connections.
Ordinary scalability
• Providing basic scalability; interface cards and service boards are integrated, and thus the expansion is inflexible.
Relatively-good scalability
• Providing basic scalability; interface cards and service boards are integrated, and thus the expansion is inflexible.
High scalability
• It can be configured with different numbers of SPUs, and supports performance expansion.
Ordinary interface diversity
• No POS interface
Diversified interfaces with high density
• Supporting POS interfaces; providing 4/12 extension slots (4 x 10 GE+16 x GE interfaces will be provided in later versions)
FW feature
• Basic FW features such as NAT
FW feature
• Dedicated FW device
• Extended NAT, ASPF, and anti-DDoS
UTM feature
• Abundant
UTM feature
• None at present
Ordinary reliability
• Not supporting dual main processing units or load balancing
High reliability
• Supporting dual-system hot backup, load balancing, and mutual backup of SPUs
Specifications Comparison
FortiGate 5140 FortiGate 5050 FortiGate 5020 USG 9110 USG 9120
Throughput 182 Gbps 65 Gbps 26 Gbps 10 Gbps to 40 Gbps 10 Gbps to 120 Gbps
VPN performance 98 Gbps 35 Gbps 14 Gbps 8 Gbps to 32 Gbps 8 Gbps to 96 Gbps
28000000 10000000 4000000 to 16000000 4000000 to 48000000
700000 250000 100000 250000 to 1000000 250000 to 3000000
Number of VPN tunnels 896000 320000 128000 40000 to 160000 40000 to 480000
AV performance 7 Gbps 2.5 Gbps 1 Gbps /
IPS performance 56 Gbps 20 Gbps 8 Gbps /
1400000 500000 200000 50000 ?
120 Mpps 30 Mpps 8 x GE/1 x 10 GE/4 x 2.5 GE/POS 14 5 2 4 12 DC/AC AC DC DC
Number of concurrent connections Number of new connections per second Maximum number of policies Anti-DDoS performance Type of interface modules Number of slots Redundant power supply
8 x GE, 10 x GE
Number of virtual FWs
7.5 Mpps to 30 Mpps 8 x GE/1 x 10 GE/4 x 2.5 GE/POS 0 to 1024 7.5 Mpps to 90 Mpps
Boards of the FortiGate 5000
Board 5001SX 5001FA2 5001A 5005FA2
Number of interfaces 4 4 8, AMC 8
1000000 2000000 1000000
20000 50000 30000
Throughput 4 Gbps 22 Gbps 5 Gbps
VPN performance 600 Mbps 7 Gbps 800 Mbps
10000 64000
IPS performance 2 Gbps 4 Gbps 3 Gbps
AV performance 250 Mbps 500 Mbps 300 Mbps
Number of concurrent connections Number of new connections per second Number of IPSec tunnels
5003: 3 x GE
5003A: 9 x 10 GE
5208: 8 x GE+2 x 10 GE
Quotation Mode of the FortiGate 5000 Series
• Quotation mode: Frame+interface card+AMC extension board
• Quotation example: FortiGate 5140: 40 G throughput+2 x 10 GE+8 x GE+dual power supplies
• Catalog price: ¥5110000
• Fortinet's maximum discount: 89%
Analysis of the FortiGate 5000
• The FortiGate 5000 series adopts the ATCA architecture, and supports security boards, switching boards, and load balancing boards. The ATCA architecture, however, is not a distributed architecture, and the service boards are separated. The FortiGate 5000 series is not a real integrated product.
• The FortiGate high-end products adopt the technology of integrating interface cards and service boards. The maximum throughput is just the accumulation of the throughput of each board, but not the real integrated throughput. The processing capability of the device is subject to that of each board. The FortiGate high-end products are only the accumulation of multiple FWs.
FortiGate 5000 Series FortiGate 3000 Series
FortiGate 3000 Series
The FortiGate 3000 series currently includes the FortiGate 3810A, FortiGate 3600A, and FortiGate 3016B. These three models are not of high performance, but their interfaces and performance can be expanded through extension interface boards. Different extension modules can be configured to provide various combinations of interfaces and performance.
FortiGate-AMC module
The AdvancedMC (AMC) is developed by PICMG. Currently, over 100 enterprises follow this standard.
• 4 x 10 GE (double width): FW: 20 Gbps; VPN: 6 Gbps
• 4 x GE (single width): FW: 4 Gbps; VPN: 3 Gbps
• 8 x GE (double width): FW: 8 Gbps; VPN: 6 Gbps
Specifications Comparison
FortiGate 3016B FortiGate 3600A FortiGate 3810A USG 9110 USG 9120
16 Gbps to 20 Gbps 6 Gbps to 10 Gbps 7 Gbps-37 Gbps 10 Gbps to 40 Gbps 10 Gbps to 120 Gbps
12 Gbps to 15 Gbps 0.8 Gbps to 3.8 Gbps 1 Gbps to 19 Gbps 8 Gbps to 32 Gbps 8 Gbps to 96 Gbps
1000000 2000000 25000 40000 2500000 to 1000000 250000 to 3000000 64000 40000 to 160000 40000 to 480000
AV performance 300 Mbps 400 Mbps 500 Mbps /
IPS performance 2 Gbps 3 Gbps 4 Gbps /
Number of slots 1 single width 16 (20, AMC) 2 (6, AMC) 2 (26, AMC) 8 x GE / / 8, AMC 1 x 10 GE 29.7 Mbps 9.5 Mbps 74.7 Mbps 100000
Throughput (large packet) VPN performance Number of concurrent connections 4000000 to 48000000 16000000 Number of new connections per second Number of VPN tunnels Number of Gigabit interfaces Number of 10 Gigabit interfaces PPS Maximum number of policies
2 single width+2 double width 4 12 50000
Check Point products are based on the universal X86 platform. Check Point high-end FWs include the Power-1 and IAS M8 (UTM). The Power-1 adopts the software blade architecture, including the FW software blade, IPS blade, and IPSec VPN blade.
FW: Power-1 11000
• Power-1 11065: up to 15 G throughput; 10 G IPS performance
• Power-1 11075: up to 20 G throughput; 12 G IPS performance
• Power-1 11085: up to 25 G throughput; 15 G IPS performance
The lower-end models can be upgraded to higher-end ones. A higher-end model can be packed as a less advanced one.
FW: Power-1 9075
The Power-1 9075 integrates the FW, IPSec VPN, and IPS functions, which makes it applicable to high-performance security platforms in multi-Gigabit environments. The Power-1 9075 provides up to 16 G FW throughput, 3.7 G VPN performance, and 10 G IPS performance.
UTM: IAS M8
Check Point Integrated Appliance Solution (IAS) provides security services based on exact requirements through the binding of software and hardware. The hardware adopts the servers or blade chassis of IBM. The IAS M8 provides up to 12 G FW throughput and 3.1 G VPN performance, but 10 GE interfaces are not supported.
HS vs. Check Point
Power-1 9075 IAS M8 USG 9100
Intel multi-core architecture (estimated)
IBM server
Advanced architecture: ATCA+multi-core+distributed
• Multi-core CPU: high performance and flexibility
• Distributed: supporting performance expansion
Poor integrated performance
• Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is poor.
• It cannot defend against DDoS attacks or apply to scenarios with mass concurrent connections.
Ordinary integrated performance
• The number of new connections per second is relatively low.
• It cannot defend against DDoS attacks or apply to scenarios with mass concurrent connections.
Industry-leading performance
• Performance such as the throughput, number of concurrent connections, number of new connections per second, and VPN is far advanced.
• It can effectively defend against DDoS attacks and apply to scenarios with mass concurrent connections.
Poor performance scalability
High scalability
• It can be configured with different numbers of SPUs, and supports performance expansion.
Ordinary interface diversity
• No POS interface
Poor interface diversity
• No 10 GE interface
• No POS interface
Diversified interfaces with high density
• Supporting POS interfaces; providing 4/12 extension slots (high-density LPUs will be provided in later versions)
UTM feature
• IPS; AV
UTM feature
• None at present
Ordinary reliability
• Not supporting dual main processing units or load balancing
High reliability
• Supporting load balancing, and mutual backup of SPUs
Specifications Comparison
Columns: Power-1 11085; Power-1 9075; IAS M8; USG 9110 (2 SPUs)
Height: 2 U; 2 U
Throughput: 25 Gbps; 16 Gbps; 12 Gbps; 40 Gbps
1200000 1100000 16000000 Not advertised, but it is estimated to be low. / / 30 Mpps 4 ? 4 SPUs+4 LPUs 18 x GE/4 x 10 GE 14 x GE 4 x 10 GE/32 x GE 4.5 Gbps 3.7 Gbps 3.1 Gbps 32 Gbps 64000 ? 160000 10 Gbps IPS/AV/URL filtering / / / 0 to 1024
Number of concurrent connections Number of new connections per second Anti-DDoS performance Number of slots Number of interfaces VPN performance Number of VPN tunnels IPS performance 15 Gbps Number of virtual FWs 1000000
• The USG 9100 can defeat Check Point products in terms of the FW/VPN performance, number of interfaces, types of interfaces, and anti-DDoS performance. Try to avoid the comparison on IPS performance.
F5000-A5 SecBlade
H3C F5000-A5: Adopting the FPGA+multi-core architecture, similar to our products. The advertised small-packet throughput is 10 Gbps per board, and the integrated small-packet throughput is 40 Gbps. H3C F5000-A5 is not widely commercialized, and is just an entry-level 10-Gigabit FW product.
Router/Switch+security boards: S7500/9500, SR6600/8800+SecBlade FW module: integrating routing, switching, and security functions. It is easy to deploy and the upgrade costs are low. The SecBlade FW module adopts the multi-core+single CPU architecture and RMI XLR732 chip. The large-packet throughput is 6 Gbps and the small-packet throughput is not higher than 2 Gbps.
H3C F5000-A5
• H3C F5000-A5: Adopting the FPGA+multi-core architecture, similar to our products. The advertised small-packet throughput is 10 Gbps per board, and the integrated small-packet throughput is 40 Gbps. H3C F5000-A5 is not widely commercialized.
• Functions: attack defense, intranet protection, traffic monitoring, anti-spam, URL filtering, application-layer filtering; dual power supplies; AC/DC power supply; service board hot swapping
Specifications Comparison
Columns: F5000-A5; USG 9100
Throughput: 40 Gbps; 10 Gbps x 4, 10 Gbps x 12
Number of concurrent connections: 5000000; 4000000 x 4, 4000000 x 12
Number of new connections per second: 80000; 250000 x 4, 250000 x 412
Anti-DDoS performance: /; 7.5 Mpps x 4, 7.5 Mpps x 12
Type of interface modules: 2 x 10 GE/12 x GE (8 electrical+4 optical); 8 x GE/1 x 10 GE/4 x 2.5 GE
Number of slots: 4 interface cards+1 management module; 4/12, the number of LPUs corresponding to that of SPUs
Number of interfaces: 48 x GE/8 x 10 GE; 96 x GE/12 x 10 GE
VPN performance: /; 8 Gbps x 4, 8 Gbps x 12
Number of VPN tunnels: /; 40000 x 4, 40000 x 12
UTM feature: /; /
MTBF: 35 years; 38 years
Reliability: Dual-system hot backup, active/active and active/standby modes, load balancing, and service backup; Dual-system hot backup and load balancing
Number of virtual FWs: /; 1024
Analysis of H3C F5000-A5
• Quotation mode: Host+interface card
• H3C's maximum discount: 89%
Strength:
• High scalability
• The F5000-A5 supports 4 extension slots (a maximum of 48 x GE/8 x 10 GE interfaces).
• The USG 9120 supports 12 extension slots (a maximum of 96 x GE/12 x 10 GE interfaces).
Weakness:
• The density of 10 GE interfaces is low.
• The costs of 10 GE interfaces are high.
USG 9100 vs. F5000
• The F5000 provides extensive interfaces. Its interface module includes 12 x GE (8 electrical+4 optical)/2 x 10 GE interfaces. The F5000, however, has only four extension slots; its scalability is lower than that of the USG 9100. The total number of the interfaces of the F5000 is smaller than 91.
• The advertised throughput of the F5000 is 40 Gbps, but the actual throughput is not that high. The integrated performance of the F5000 is relatively low. The USG 9100 can defeat the F5000 in terms of performance.
• The VPN performance of the F5000 is not advertised, but it is estimated to be relatively low.
• The F5000 has scalability in interfaces, but not in performance.
• The F5000 supports the Web UI and H3C network management software; the USG 9100 also supports the VSM, which is network management software developed by ourselves.
Tactics to Compete with H3C
Strength emphasis:
• The USG 9100 provides the throughput of over 40 Gbps, but the F5000 cannot.
• The USG 9100 provides more than 48 GE interfaces, but the F5000 cannot.
• The USG 9100 provides the specifications of 5 x 10 GE+24 x GE interfaces, but the F5000 cannot.
• The USG 9100 provides distributed hardware architecture, but the F5000 cannot.
• The USG 9100 supports performance expansion, but the F5000 cannot.
Weakness avoidance:
• The selling price of the F5000 is low. We must defeat it in terms of technical specifications.
F5000-A5 SecBlade
SecBlade FW
S7500E/S9500 switch, SR66/SR88 router, and WX6103 radio controller FW module: integrating the FW, VPN, content filtering, NAT, attack defense, intranet protection, traffic monitoring, URL filtering, and application layer filtering functions. The SecBlade FW is easy to deploy and the upgrade costs are low.
The SecBlade board adopts the multi-core+single CPU architecture, and RMI XLR732 chip. The large-packet throughput is 6 Gbps and small-packet throughput is lower than 2 Gbps. The number of new connections per second is 50000. The transparent and composite modes are not supported.
TOPSEC TG-5736: adopting the RMI XLR732 chip, which provides two more SPI4.2 interfaces than the RMI XLR532 on the USG 5000. That is, the 10 GE interface is available, but the processing capabilities are the same. Therefore, the FW throughput of the TG-5736 can reach only 6 Gbps, but not the advertised 10 Gbps; and only one 10 GE interface is provided. After one year of commercialization, the shipment of the TG-5736 is less than 10.
TOPSEC TG-5622: The advertised throughput is 20 Gbps but the actual one is 10 Gbps. So far, the TG-5622 has no application case, and thus its stability is questionable.
Specifications Comparison
TG-5736 USG 9100
Throughput 10 Gbps (advertised)/6 Gbps (actual) 10 Gbps x 4, 10 Gbps x 12
24000000 x 4, 4000000 x 12
> 100000 250000 x 4, 250000 x 412
The same as the USG 5000 7.5 Mpps x 4, 7.5 Mpps x 12
GE, 10 GE 8 x GE/1 x 10 GE/4 x 2.5 GE
Number of concurrent connections Number of new connections per second Anti-DDoS performance Type of interface modules Number of slots Number of interfaces VPN performance
SPUs 1 x 10 GE+14 x GE 96 x GE/12 x 10 GE
4 Gbps (advertised)/2 Gbps (actual) 8 Gbps x 4, 8 Gbps x 12
/ 40000 x 4, 40000 x 12
IPS/AV (not released) /
Number of VPN tunnels UTM feature 4/12, the number of LPUs corresponding to that of / MTBF 38 years Reliability Number of virtual FWs
Dual-system hot backup, load balancing
/ 1024
Analysis of the TG 5736
• Quotation mode: Host+interface card+interface module
• Quotation example: 10 G throughput+1 x 10 GE+8 GE+dual power supplies
• Catalog price: ¥2570000
• TOPSEC's maximum discount: 83%
Competition analysis:
• TOPSEC TG 5736 is an entry-level Gigabit FW product. It is not at the same level as the USG 9100. Therefore, a huge gap exists between their performance.
• Compared with TOPSEC TG 5736, the USG 9100 has obvious advantages in specifications, which can easily defeat TOPSEC TG 5736.
Tactics to Compete with TOPSEC
Strength emphasis:
• The USG 9100 provides 2 x 10 GE interfaces or higher specifications, but TOPSEC products cannot.
• The USG 9100 provides the FW throughput of over 20 Gbps, but TOPSEC products cannot.
• The USG 9100 provides 14 x GE interfaces or higher specifications, but TOPSEC products cannot.
• TOPSEC and Lenovo have not obtained related sales license (计算机信息系统安全专用产品销售许可证, the sales license for dedicated computer information system security products) from the Ministry of Public Security for their 10-Gigabit FWs. Instead, the sales licenses for Gigabit FWs are borrowed for 10-Gigabit FWs. For details, go to http://www.mps.gov.cn/n16/n1297/n4498/1950928.html.
• The USG 9100 provides distributed hardware architecture, but TOPSEC products cannot.
• The USG 9100 supports performance expansion, but TOPSEC products cannot.
Weakness avoidance:
• The product orientations of the USG 9100 and TOPSEC products are different. The selling price discrepancy is obvious. We must defeat TOPSEC products in terms of technical specifications.
• The USG 9110 can compete with TOPSEC products based on the low selling price.
• Lenovo KingGuard: adopting the multi-core chip. The advertised throughput is higher than 10 Gbps. But no product specifications or interface descriptions are provided. The KingGuard is currently in promotion and not commercialized.
• The KingGuard-9201 and KingGuard-9202 adopt the same hardware platform. The difference lies in that the KingGuard-9201 provides only one service board but the KingGuard-9202 provides two. (The KingGuard-9201 can expand to two service boards, which is the same as the KingGuard-9202.)
• The KingGuard-9201 provides two 10 GE interfaces; the throughput is 10 Gbps; the maximum number of concurrent connections is 5000000. The KingGuard-9202 provides two 10 GE interfaces; the throughput is 20 Gbps; the maximum number of concurrent connections is 10000000.
• Neither the KingGuard-9201 nor the KingGuard-9202 has application cases. Therefore, the stability of the two products is questionable.
Lenovo KingGuard:
• Lenovo KingGuard adopts the multi-core and multi-thread (16-core and 64-thread) platform as its hardware basis, and uses the Windrunner matrix parallel computing system. Its network processing capability is up to 20 Gbps.
• Lenovo KingGuard is listed in "863" Program and granted as one of the National Torch Program Items in 2007. Corresponding endowment is awarded as well.
• Lenovo KingGuard is in promotion, but not commercialized.
Figures: Certificate of National Torch Program Items; 863 Program project application
Hardware specifications:
• Lenovo KingGuard integrates service boards and interface cards. The throughput of each service board is 10 Gbps. Two extension interface cards are supported.
• The interface cards include three types: 1 x XFP/10 x GE/10 x SFP.
Analysis of the KingGuard
• Quotation mode: Host (including the service board)+interface card
• Quotation example: 20 G throughput+2 x 10 GE+8 x GE
• Catalog price: ¥4090000
• Maximum discount: Lenovo is good at price-cutting, and has no fixed discount system. Generally, the discount is higher than 90%.
• The catalog price of each service board is ¥1560000.
• The catalog price of each 1 XFP interface card is ¥300000, that of each 10 SFP interface card is ¥260000, and that of each 10 GE interface card is ¥210000.
Tactics to Compete with Lenovo
Strength emphasis:
• The USG 9100 provides 3 x 10 GE+24 x GE interfaces or higher specifications, but current Lenovo products cannot.
• The USG 9100 provides the FW throughput of over 30 Gbps, but current Lenovo products cannot.
• TOPSEC and Lenovo have not obtained related sales license (计算机信息系统安全专用产品销售许可证, the sales license for dedicated computer information system security products) from the Ministry of Public Security for their 10-Gigabit FWs. Instead, the sales licenses for Gigabit FWs are borrowed for 10-Gigabit FWs. For details, go to http://www.mps.gov.cn/n16/n1297/n4498/1950928.html.
Weakness avoidance:
• The 10 GE interface costs of Lenovo are low. If 4 x 10 GE interfaces are required, the selling price of the USG 9100 is high.
• The product orientations of the USG 9100 and Lenovo products are different. The selling price discrepancy is obvious. We must defeat Lenovo products in terms of technical specifications.
• The USG 9110 can compete with Lenovo products based on the low selling price.
Hillstone SG-6000-X5100: The height is 2 U. The multi-core chip is adopted, and the advertised performance indexes are as follows:
• FW throughput: 20 Gbps
• IPSec throughput: 8 Gbps
• Maximum number of concurrent connections: 10000000
• AV throughput: 1.5 Gbps
• IPS throughput: 3 Gbps
• Number of new connections: 200000
• Number of IPSec tunnels: 30000
• Interface: 1 Gigabit interface, 12 SFP interfaces, 2 XFP interfaces
The performance of Hillstone SG-6000-X5100 is not high, but its UTM features are extensive. The SG 6000-X5100 is the highest-end product of Hillstone Networks.
USG 9100 vs. SG-6000-X5100
USG 9100
20 Gbps 10 Gbps x 4, 10 Gbps x 12
24000000 x 4, 4000000 x 12
200000 250000 x 4, 250000 x 412
1 x GE, 12 x SFP, 2 x XFP 96 x GE/12 x 10 GE
VPN throughput 8 Gbps x 4, 8 Gbps x 12
Number of VPN tunnels 30000 40000 x 4, 40000 x 12
IPS: 3 Gbps; AV: 1.5 Gbps /
Throughput Number of concurrent connections Number of connections per second Maximum number of interfaces UTM feature MTBF 38 years Reliability Number of virtual FWs
Dual-system hot backup/load balancing
/ 1024
Who Contributes to the Slide — the USG 9100 Team
PDT Manager: Liang Bin
R&D representative: Zhang Guodong
SE: Zhao Ge
Market representative: Song Xuzhao
Product management personnel; Market technical personnel; Sales representative; Test manager; Technical support personnel
Zhu Feng; Li Min; Overseas: Wu Huajun, Fei Weixin; Chinese: Liu Li, Hu Wenyou; Zhao Jinming; Li Yufeng


