United Security Technology White Paper

Transcription

1 United Security Technology White Paper

2 United Security Technology White Paper 1 Challenges Security Problems Caused by Mobile Communication Security Fragmentation Problems United Security Solution Big Data Analytics for United Security United Security Based on Security Resource Virtualization Applicable Scenarios Threat Detection Throughout the Network On-Demand Allocation of Security Resources...14

3 1 Challenges 1.1 Security Problems Caused by Mobile Communication To implement security defense on enterprise campus networks and data center networks, edges must be defined and security devices with different security levels are deployed on edges. The devices include the firewall, anti-ddos device, Anti-Virus (AV) device, Intrusion Prevention System (IPS) device, and Data Loss Prevention (DLP) device. While traditional internal network security is ensured at the external edge, wireless security is different. Bring Your Own Device (BYOD) and mobile users in any role, with any device, can connect to networks anywhere. Virus attacks and hacker intrusions have become diversified. Single-point and edge defenses face the following challenges: Untrusted intranet: Visitors, BYOD users, partners, vendors, and employees connect to campus networks, so terminal security status cannot be trusted and the intranet's horizontal traffic is insecure. Security levels of multiple departments and branches of Enterprise Data Centers (EDCs), Internet Data Center (IDC) multitenants, and Data Center (DC) networks are different, so internal traffic needs to be controlled. Traditional edges cannot solve all problems. Mobility: On mobile campus networks and virtualized DCs, terminals or DCs can move dynamically. Intranet's external and physical edges are unavailable. Traditional network security defense: Only edge defense is required. The access mode and user positions are fixed, and attack points and countermeasures come from single points. WAN/Internet External attack Single-point defense 1

4 Mobile network security: how is network defense performed on a borderless network? In mobile scenarios, employees can connect to enterprise networks anywhere using different types of terminals. In this case, attack points and countermeasures are diversified. WAN/Internet External attack Mobile network attack X Unavailable firewall single-point defense Wireless eavesdropping attack AP AP AP Mobile terminal attack Access terminals on a borderless network do not have unified security defense software. As a result, threats are omnipresent when users access WLANs, VPNs, and intranets. Traditional single-point defenses cannot meet changing user requirements. 1.2 Security Fragmentation Problems Fragmented Deployment Wastes Resources Background: Intranets demand high security. In addition to security defense at the external edge, security checks are needed for intranet services' horizontal traffic. Each department also requires an independent security defense. Multiple security defense points: Every department needs a hardware firewall, which increases Capital Expense (OPEX). In addition, policies are distributed and maintenance workloads are heavy. Inefficient usage: Many purchasers figure they need security devices that will handle two or five times the amount of peak data traffic. In practice, this is an inefficient use of high-performance security devices such as firewalls, IPS devices, anti-ddos devices. Complex Service Configuration Policies Background: Individual departments use different security levels for their service systems. As a result, companies require different security defenses and configuration policies for each department. Complex traffic distribution: Different security defense measures are also deployed between different areas. To implement different security defenses, complex traffic diversion policies need to be configured. This makes it difficult to expand and maintain networks. 2

5 2 United Security Solution Facing single-point defense and fragmented deployment problems, Huawei's United Security Solution collects security events across the entire network, and uses Big Data analytics to perform correlation analysis to detect security risks. The solution then employs virtualization technology to virtualize security resources and implement resource sharing and on-demand service provisioning. Huawei's United Security Solution solves security defense and service deployment problems. This solution has two sub-solutions: threat detection and security defense based on the results of Big Data analytics, and flexible chain based on security resource pooling. 2.1 Big Data Analytics for United Security Big Data analytics relieves personnel from service data analysis and improves their ability to utilize data values to improve security policies. Huawei's United Security Solution employs Big Data analytics to detect network threats and take defense measures Solution Architecture Agile Controller 4 Dynamically allocate security resources. Security resource center 2 Perform correlation analysis of Big Data. 3 Deliver security policies. 1 Deliver security policies. Anti- DDoS Sandbox NGFW SVN Collect security events. Ensure that security policies take effect. 3

6 The Agile Controller collects network security events. Security events are drawn from network and service device logs, logs of terminal user behaviors, and network attack events. The Agile Controller correlates the analysis of Big Data. This analysis detects potential security risks. The Agile Controller delivers security policies. The Agile Controller delivers adjusted security policies to devices Agile Controller Technology Huawei's United Security Solution uses the controller to analyze attack sources and respond to security devices. Agile controller Security resource center 1 Isolate threats 2 Intelligently import and clean traffic The Agile Controller performs the following operations: Collects security events. The Agile Controller collects, identifies, and analyzes security events, alarms, and faults, and detects network security situations by correlating analysis of Big Data. The technology module is divided into three layers: Data collection layer The data collection layer collects data including various types of security resources, security events of objects, vulnerabilities, and assets. The data is transmitted through standard protocols such as Syslog, SNMP, FTP/SFTP, ODBC, Socket, and XML. Analysis processing layer The analysis processing layer stores, analyzes, and processes collected device information. It filters and combines information, performs correlation analysis, analyzes potential security risks from mass logs, generates alarms, and performs risk analysis according to asset values and vulnerabilities. 4

7 Security presentation layer The security presentation layer presents collected data and provides a Portal page to implement asset, report, system, security alarm, vulnerability, risk, knowledge base, and O&M management. The security presentation layer provides different presentation pages for administrators of different levels. The system administrator only needs to perform operations three times to locate the source of a security event. Performs user policy management. The Agile Controller is responsible for authenticating users, synchronizing user information, and associating security policies. It can associate analysis results generated by the security event collection component. Huawei's Agile Controller combines various attributes and, in that way, provides complex authentication and authorization services for mobile users in campus networks. Attributes include: User: distinguishes identities of different users and delivers different authorization rules for accessing devices to the user authentication device (AC/ LSW/SVN). Position: delivers authorization rules based on IP addresses, SSIDs of access devices, and MAC addresses of Access Points (APs) to the user authentication device (AC/LSW/SVN). Time: distinguishes time ranges and delivers different authorization rules for accessing devices. Terminal type: differentiates terminal types and delivers different authorization rules for accessing devices to the user authentication device (AC/LSW/SVN). Terminal security compliance: identifies non-compliant terminals and delivers different authorization rules for accessing these devices to the user authentication device (AC/LSW/SVN) Solution Process Event report: Security systems such as Next-Generation Firewalls (NGFWs), IPS devices, and AV software detect attack behaviors. For example, a vulnerable terminal may be used for intrusions, scanning attacks, and worm attacks. A security system then reports the threats to the controller, and the log analysis component of the controller identifies and eliminates the threats. Events include threats, faults, security events, and non-compliant applications from network and security devices, host security software, and authentication/service systems. Association analysis and policy delivery: The controller's log analysis component accepts or collects network events. It then associates with an engine to perform Big Data analytics, including combination, traceability, and weighted algorithms, and reports critical risks. The log analysis component reports major events 5

8 to the IT administrator, and responds to and processes threats. For example, the component associates the vulnerable terminal with external data flow for processing. This reduces the manual workload of tracing the position, IP address, and traffic interface. Association solution 1 isolation: User access and authentication devices such as the switch, WLAN device, and SVN are associated with the controller to execute policies. For example, risky terminals are isolated or disconnected, or notifications are sent about these terminals. Association solution 2 flow diversion: The controller associates with the switch to divert attack traffic to the security device for processing through policy-based routing (PBR). 2.2 United Security Based on Security Resource Virtualization Cloud computing uses virtualization technology to efficiently use calculation resources and enable those resources to be quickly provisioned and scheduled. Virtualization technology virtualizes security resources, which makes possible unified management, on-demand service provisioning, and resource sharing Architecture Solution: security resource pooling, on-demand scheduling, and unified management Agile controller Security center Anti-attack Antivirus Leak prevention NGFW/DDOS/DLP DDoS attack 2 After the security center checks suspicious traffic, the Agile controller isolates it and lowers its level. DDoS attack Suspicious traffic is detected and diverted to the security center for cleaning. After identifying traffic from the untrusted area, the Agile controller diverts the traffic to the security center for cleaning. Office area A Office area B Untrusted area (visitor access and remote access) 6

9 2.2.2 Solution Process This solution uses agile switches, security devices such as the NGFW, and Agile Controller. The Agile Controller uniformly manages security resources and virtualizes them into a shared security resource center. The Agile Controller can dynamically use security resources based on user configurations or security event analysis. Security resource pooling Security devices 敏 捷 交 换 机 FW/IPS/AV/ASG/VPN Service-noed1 FW Service-noed2 AV Service-noed3 ASG Service-noedN IPS Fast deployment Efficient use of all resources Simplified configuration and management High reliability Service orchestration Users can configure security rules for service flows simply, without worrying about deployment of security resources. On-demand provisioning of security resources Marketing Service-noed1 FW Service-noed2 AV Service-noed3 ASG Service-noedN IPS Flow Type Service1 Service2 R&D Marketing- >Internet http vslot 1(FW) vslot2 (ASG) WAN/ Internet Marketing->R&D Marketing- >R&D File sharing vslot 1(FW) Video vslot1(fw) / vslot2(av) 7

10 3 Applicable Scenarios 3.1 Threat Detection Throughout the Network Background During mobile office, viruses may attack the external network connected to the enterprise network. Some terminals on the LAN also may be attacked due to a lack of control measures. In this case, internal and external terminals can be easily used by hackers to attack the enterprise network. Huawei Solution The NGFW, IPS device, or AV software detects attack behaviors. For example, a vulnerable terminal may be used for intrusions and scanning or worm attacks. The security system then reports the threats to the Agile Controller. The controller performs correlation analysis for various events. After determining the threats, the controller sends policies to the user authentication device (AC/LSW/SVN), executes isolation policies for risky terminals, and notifies the administrator. Customer Benefits This solution implements pervasive security defenses, improves intranet security, and speeds response times. 3.2 On-Demand Allocation of Security Resources Background The deployment costs of content security facilities are high and their performance is low. Specified users and services cannot be differentiated and cannot be well protected. Huawei Solution The solution ensures high security at a low cost: User-based traffic diversion: The solution performs the highest security checks for VIP users, plus security checks for untrusted terminals such as partner, guest, and agent-less devices to ensure intranet security. In addition, the solution provides differentiated security defenses based on subnets, VLANs, and MPLS VPNs. Service-based traffic diversion: The solution uses traffic flow based on service interfaces to prevent information leaks and protect files against viruses. It also ensures positive user experience with video services. 8

11 Figure 3-1 User-based traffic diversion Security resource center 100M low-cost content security device Inject User-based traffic diversion LAN 10G high-speed network Untrusted terminal VIP Employee BYOD Figure 3-2 Service-based traffic diversion Security resource center Inject SMTP used to divert traffic Smtp-tcp 25 Anti-leak audit and detection Customer Benefits Provides differentiated security defenses, which improves security, reduces investments, and ensures positive user experiences. 9

12 Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. HUAWEI TECHNOLOGIES CO., LTD. Huawei Industrial Base Bantian Longgang Shenzhen , P.R. China Tel: Version No.: M C-1.0