Product Analysis Report (Brief)
February 2016

Product Category: Firewall
Tested Vendor: Huawei
Tested Equipment: Firewall USG6000 series

Key Findings and Conclusion

• Best of the best: earned the "recommended" rating in the latest NGFW Group test.
• The total cost of ownership (TCO) per Mbps is as low as USD 7 based on the list price or USD 4 based on the street price.
• 99.95% CAWS threat detection rate and 98.1% overall security effectiveness.

NSS Labs released a test report on the Huawei USG6000 series. The report covers the product analysis of the Huawei USG6650. The test evaluated the firewall in terms of security effectiveness, performance, stability and reliability, management and configuration, and TCO. NSS Labs examined many indicators of the tested equipment and gave detailed and objective performance evaluations.

Huawei USG6650 belongs to the USG6000 series, the next-generation firewalls that Huawei offers for small and medium-sized businesses, branch offices, chain stores, and large- and medium-sized enterprises.

Comparative Product Test Report

Huawei USG6650 passed the stability and reliability, application control, firewall policy enforcement, identity awareness, malware intrusion detection, and "real-world" performance tests and was awarded the highest evaluation rating, "recommended". It also offers strong cost performance: Huawei firewalls have a lower total cost of ownership (TCO) per Mbps than most of those from other participating vendors.

Figure 1: NSS Security Value Map (axes: Security Effectiveness and TCO per Protected Mbps; products plotted: Check Point, Fortinet, Hillstone, Juniper, Forcepoint, Dell SonicWALL, Huawei, Cisco ASA, Palo Alto Networks, Cisco FirePOWER, and the average)

Total Cost of Ownership (TCO)

NSS Labs calculated the TCO per Mbps based on the results of TCO tests in the past three years and the results of the throughput and security effectiveness tests to compare the cost effectiveness of products against the same criteria.

Huawei USG6000 provides competitive performance and cost-effectiveness. The TCO per Mbps is only USD 7 based on the list price or USD 4 based on the street price. The formula is as follows:

Security Effectiveness = Firewall (Firewall Policy Enforcement * Application Control * User/Group ID) * IPS (Exploit Block Rate * Evasions) * Stability and Reliability

TCO per Protected Mbps = TCO / (Security Effectiveness * NSS-Tested Throughput)

Security Effectiveness

The test result shows that the threat detection percentage is 99.95% in the Cyber Advanced Warning System (CAWS) test (the latest live network test using simulated attacks), and the comprehensive security effectiveness is 98.1%. The firewall policy enforcement, application control, and resistance to evasion tests were 100% passed. Table 1 to Table 4 list the test items in the effectiveness tests.

Test Procedure                    Result
Baseline Policy                   Pass
Simple Policy                     Pass
Complex Policy                    Pass
Static NAT                        Pass
Dynamic/Hide NAT                  Pass
SYN Flood Protection              Pass
IP Address Spoofing Protection    Pass
TCP Split Handshake Spoof         Pass

Table 1: Firewall Policy Enforcement

Test Procedure                    Result
Block Unwanted Applications       Pass
Block Specific Actions            Pass

Table 2: Application Control

Product    Total Number of Exploits Run    Total Number Blocked    Block Percentage
USG6650    1,999                           1,926                   96.3%

Table 3: Number of Exploits Blocked (%)

Test Procedure                                   Result
IP Packet Fragmentation                          Pass
Stream Segmentation                              Pass
RPC Fragmentation                                Pass
URL Obfuscation                                  Pass
HTML Obfuscation                                 Pass
Payload Encoding                                 Pass
FTP Evasion                                      Pass
IP Packet Fragmentation + TCP Segmentation       Pass

Table 4: Resistance to Evasion

Real-World Traffic Mixes

To accurately test the real-world performance of products on live networks, NSS Labs has introduced the "real-world" test method to simulate real-world traffic models in five typical scenarios. Huawei USG6650 is designed as the egress gateway for large- and medium-sized campus networks. In the test, the throughput of enterprise border traffic reaches 10.8 Gbps, which is higher than the vendor-claimed 8.8 Gbps.

Figure 2: Real-World Traffic Mixes

Stability and Reliability

It is very important that a device can maintain its stability and reliability under sustained heavy loads (sessions). Huawei USG6650 is capable of forwarding legitimate traffic while blocking malicious traffic under sustained heavy loads, which proves its robustness. Table 5 lists the test items.

Test Procedure                                      Result
Blocking under Extended Attack                      Pass
Passing Legitimate Traffic under Extended Attack    Pass
Behavior of the State Engine under Load             Pass
Protocol Fuzzing and Mutation                       Pass
Power Fail                                          Pass
Persistence of Data                                 Pass

Table 5: Stability and Reliability

Test Methodology
NSS Labs Next Generation Firewall (NGFW) Test Methodology v6.0. Version 6.0 adds the CAWS test, which simulates defending against attacks on a live network, so the test result reflects the device's attack defense capability more accurately.
All test content in this report references the test methodology. A copy of the test methodology is available on the NSS Labs website (www.nsslabs.com).

