United Security Technology White Paper

Contents

1 Challenges
1.1 Security Problems Caused by Mobile Communication
1.2 Security Fragmentation Problems
2 United Security Solution
2.1 Big Data Analytics for United Security
2.2 United Security Based on Security Resource Virtualization
3 Applicable Scenarios
3.1 Threat Detection Throughout the Network
3.2 On-Demand Allocation of Security Resources

1 Challenges

1.1 Security Problems Caused by Mobile Communication

To implement security defense on enterprise campus networks and data center networks, network edges are defined and security devices of different security levels are deployed at those edges: firewalls, anti-DDoS devices, Anti-Virus (AV) devices, Intrusion Prevention System (IPS) devices, and Data Loss Prevention (DLP) devices. Traditional internal network security is enforced at the external edge; wireless security is different. With Bring Your Own Device (BYOD), mobile users in any role, with any device, can connect to the network from anywhere, and virus attacks and hacker intrusions have become diversified. Single-point and edge defenses face the following challenges:

Untrusted intranet: Visitors, BYOD users, partners, vendors, and employees all connect to the campus network, so the security status of terminals cannot be trusted and the intranet's horizontal (east-west) traffic is not secure. Departments and branches of Enterprise Data Centers (EDCs), Internet Data Center (IDC) tenants, and Data Center (DC) networks have different security levels, so internal traffic also needs to be controlled. Traditional edge defense cannot solve these problems.

Mobility: On mobile campus networks and virtualized DCs, terminals and virtual machines move dynamically, so the intranet no longer has fixed external or physical edges.

Traditional network security defense: only edge defense is required. The access mode and user positions are fixed, and attack points and countermeasures are single points.

[Figure: traditional single-point defense. External attacks arrive from the WAN/Internet and are blocked at one edge.]

Mobile network security: how is network defense performed on a borderless network? In mobile scenarios, employees connect to the enterprise network from anywhere using different types of terminals, so attack points and countermeasures are diversified.

[Figure: attacks on a mobile network. External attacks from the WAN/Internet, mobile network attacks, wireless eavesdropping at the APs, and attacks from mobile terminals; a single-point firewall cannot cover them.]

Access terminals on a borderless network do not have unified security defense software. As a result, threats are present wherever users access WLANs, VPNs, and intranets. Traditional single-point defense cannot meet changing user requirements.

1.2 Security Fragmentation Problems

Fragmented Deployment Wastes Resources

Background: Intranets demand high security. In addition to security defense at the external edge, security checks are needed for the horizontal traffic of intranet services, and each department also requires an independent security defense.

Multiple security defense points: Every department needs its own hardware firewall, which increases capital expenditure (CAPEX). In addition, policies are distributed across many devices and maintenance workloads are heavy, which increases operating expense (OPEX).

Inefficient usage: Many purchasers size security devices for two to five times the expected peak traffic. In practice this leaves high-performance security devices such as firewalls, IPS devices, and anti-DDoS devices mostly idle.

Complex Service Configuration Policies

Background: Individual departments use different security levels for their service systems, so companies require different security defenses and configuration policies for each department.

Complex traffic distribution: Different security defense measures are also deployed between different areas. To apply them, complex traffic diversion policies must be configured, which makes networks difficult to expand and maintain.

2 United Security Solution

To address the single-point defense and fragmented deployment problems, Huawei's United Security Solution collects security events across the entire network and uses Big Data analytics to perform correlation analysis and detect security risks. The solution then uses virtualization technology to pool security resources, implementing resource sharing and on-demand service provisioning. In this way the solution addresses both security defense and service deployment problems. It has two sub-solutions: threat detection and security defense based on the results of Big Data analytics, and flexible service chaining based on security resource pooling.

2.1 Big Data Analytics for United Security

Big Data analytics relieves personnel from manual analysis of service data and improves their ability to extract value from that data to improve security policies. Huawei's United Security Solution employs Big Data analytics to detect network threats and take defense measures.

2.1.1 Solution Architecture

[Figure: solution architecture. The Agile Controller sits above a security resource center of Anti-DDoS, Sandbox, NGFW, and SVN devices. (1) Collect security events; (2) perform correlation analysis of Big Data; (3) deliver security policies; (4) dynamically allocate security resources. The devices ensure that the delivered security policies take effect.]

The Agile Controller collects network security events. Security events are drawn from network and service device logs, logs of terminal user behavior, and network attack events.

The Agile Controller performs correlation analysis on the collected Big Data. This analysis detects potential security risks.

The Agile Controller delivers security policies. It delivers adjusted security policies to the devices.

2.1.2 Agile Controller Technology

Huawei's United Security Solution uses the controller to analyze attack sources and instruct security devices to respond.

[Figure: the Agile Controller and the security resource center. (1) Isolate threats; (2) intelligently divert and clean traffic.]

The Agile Controller performs the following operations:

Collects security events. The Agile Controller collects, identifies, and analyzes security events, alarms, and faults, and determines the network security situation by correlation analysis of Big Data. The technology module is divided into three layers:

Data collection layer: collects data from various types of security resources, including security events of monitored objects, vulnerabilities, and assets. The data is transmitted through standard protocols and interfaces such as Syslog, SNMP, FTP/SFTP, ODBC, sockets, and XML.

Analysis processing layer: stores, analyzes, and processes the collected device information. It filters and merges information, performs correlation analysis, identifies potential security risks in mass logs, generates alarms, and performs risk analysis according to asset values and vulnerabilities.

Security presentation layer: presents the collected data and provides a portal page for asset, report, system, security alarm, vulnerability, risk, knowledge base, and O&M management. It provides different presentation pages for administrators of different levels. A system administrator can locate the source of a security event in three operations.

Performs user policy management. The Agile Controller is responsible for authenticating users, synchronizing user information, and associating security policies. It can act on the analysis results generated by the security event collection component. The Agile Controller combines the following attributes to provide fine-grained authentication and authorization for mobile users on campus networks:

User: distinguishes the identities of different users and delivers different authorization rules to the user authentication device (AC/LSW/SVN).

Position: delivers authorization rules based on IP addresses, SSIDs of access devices, and MAC addresses of Access Points (APs) to the user authentication device (AC/LSW/SVN).

Time: distinguishes time ranges and delivers different authorization rules for each range.

Terminal type: differentiates terminal types and delivers different authorization rules to the user authentication device (AC/LSW/SVN).

Terminal security compliance: identifies non-compliant terminals and delivers restrictive authorization rules for them to the user authentication device (AC/LSW/SVN).

2.1.3 Solution Process

Event report: Security systems such as Next-Generation Firewalls (NGFWs), IPS devices, and AV software detect attack behaviors. For example, a vulnerable terminal may be used for intrusions, scanning attacks, and worm attacks. The security system reports the threats to the controller, whose log analysis component identifies and eliminates them. Events include threats, faults, security events, and non-compliant applications reported by network and security devices, host security software, and authentication/service systems.

Correlation analysis and policy delivery: The controller's log analysis component receives or collects network events. It then hands them to an analytics engine that performs Big Data analytics, including aggregation, tracing, and weighted scoring, and reports critical risks. The log analysis component reports major events to the IT administrator and responds to and processes threats. For example, the component associates the vulnerable terminal with its external data flow for processing, which reduces the manual work of tracing the terminal's position, IP address, and traffic interface.

Association solution 1, isolation: User access and authentication devices such as switches, WLAN devices, and the SVN are associated with the controller to execute policies. For example, risky terminals are isolated or disconnected, or notifications are sent about them.

Association solution 2, flow diversion: The controller associates with the switch to divert attack traffic to the security device for processing through policy-based routing (PBR).

2.2 United Security Based on Security Resource Virtualization

Cloud computing uses virtualization technology to use computing resources efficiently and to provision and schedule them quickly. Applying virtualization to security resources likewise makes unified management, on-demand service provisioning, and resource sharing possible.

2.2.1 Architecture

Solution: security resource pooling, on-demand scheduling, and unified management.

[Figure: the Agile Controller manages a security center (anti-attack, antivirus, and leak prevention: NGFW/DDoS/DLP) serving Office area A, Office area B, and an untrusted area (visitor access and remote access). (1) When suspicious traffic such as a DDoS attack is detected, or traffic is identified as coming from the untrusted area, the Agile Controller diverts it to the security center for cleaning. (2) After the security center has checked the suspicious traffic, the Agile Controller isolates it and lowers its level.]
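Returning to the correlation-and-isolation process of 2.1.2 and 2.1.3: the following is an added example, not Huawei's code, of what the analysis processing layer does with events from several detectors. It parses constructed syslog-style lines from an NGFW, an IPS and a terminal agent, groups them per source terminal inside a time window, weights each event by detector type, severity and the asset value of the target, raises the score for a non-compliant terminal, and turns the result into an isolate/notify/none policy addressed to the access device (AC/LSW/SVN) for that subnet. The log format, detector weights, asset values, thresholds, subnets and device names are all assumptions.

```python
"""Correlate security events from several sources and decide a per-terminal response.

Added example, not Huawei's code: a minimal model of the analysis-processing
layer and the isolation step described in 2.1.2 and 2.1.3. The log format,
detector weights, asset values, thresholds and device names are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like key=value shape (assumed format).
SAMPLE_EVENTS = [
    "2014-02-19T09:00:01 NGFW-1 SCAN src=10.1.5.23 dst=10.2.0.0/16 ports=1000 sev=3",
    "2014-02-19T09:00:40 IPS-1 WORM src=10.1.5.23 dst=10.2.7.9 sig=worm-generic sev=5",
    "2014-02-19T09:01:10 AGENT TERMINAL ip=10.1.5.23 compliant=no",
    "2014-02-19T09:02:00 NGFW-1 SCAN src=10.1.8.4 dst=10.2.0.0/16 ports=20 sev=2",
    "2014-02-19T09:02:30 AGENT TERMINAL ip=10.1.8.4 compliant=yes",
    "2014-02-19T09:03:00 IPS-1 INTRUSION src=10.1.9.7 dst=10.3.4.4 sig=http-exploit sev=3",
    "this line is not an event and is skipped",
]

# Assumed weight per severity point for each detector type.
SOURCE_WEIGHT = {"SCAN": 1.0, "WORM": 2.0, "INTRUSION": 2.0}
# Assumed asset values of destination networks; unknown destinations weigh 1.0.
ASSET_VALUE = {ipaddress.ip_network("10.2.0.0/16"): 2.0,   # R&D servers
               ipaddress.ip_network("10.3.0.0/16"): 1.0}   # Marketing
# Assumed user authentication devices (AC/LSW/SVN) that enforce policies per access subnet.
ACCESS_DEVICE = {ipaddress.ip_network("10.1.0.0/16"): "AC-campus-1"}
WINDOW = timedelta(minutes=5)          # correlation window per terminal
ISOLATE_AT, NOTIFY_AT = 10.0, 5.0      # assumed risk thresholds

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<kind>\S+) (?P<kv>.*)$")


def parse_event(line):
    """Parse one line into a dict, or return None if it is not a well-formed event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    try:
        ev = {"ts": datetime.fromisoformat(m["ts"]), "dev": m["dev"], "kind": m["kind"]}
    except ValueError:
        return None
    ev.update(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return ev


def asset_weight(dst):
    """Weight an event by the value of the asset it targets (host address or prefix)."""
    try:
        first = ipaddress.ip_network(dst, strict=False)[0]
    except ValueError:
        return 1.0
    return next((v for net, v in ASSET_VALUE.items() if first in net), 1.0)


def access_device(ip):
    """Which authentication device (AC/LSW/SVN) enforces policy for this terminal."""
    addr = ipaddress.ip_address(ip)
    return next((dev for net, dev in ACCESS_DEVICE.items() if addr in net), "unknown")


def correlate(lines):
    """Group events by terminal, score them within WINDOW and flag non-compliant terminals."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        ip = ev.get("src") or ev.get("ip")
        if ip:
            by_ip[ip].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window = [e for e in evs if e["ts"] - evs[0]["ts"] <= WINDOW]
        score = sum(SOURCE_WEIGHT[e["kind"]] * float(e.get("sev", 1)) * asset_weight(e.get("dst", ip))
                    for e in window if e["kind"] in SOURCE_WEIGHT)
        noncompliant = any(e["kind"] == "TERMINAL" and e.get("compliant") == "no" for e in window)
        if noncompliant:
            score *= 1.5   # an unpatched or agentless source is more likely to be the real culprit
        findings[ip] = {"score": score, "noncompliant": noncompliant, "events": len(window)}
    return findings


def respond(lines):
    """Turn findings into policies for the access device: isolate, notify, or none."""
    policies = {}
    for ip, f in correlate(lines).items():
        action = "isolate" if f["score"] >= ISOLATE_AT else "notify" if f["score"] >= NOTIFY_AT else "none"
        reason = f"{f['events']} correlated events" + (", non-compliant terminal" if f["noncompliant"] else "")
        policies[ip] = {"action": action, "device": access_device(ip), "score": f["score"], "reason": reason}
    return policies


if __name__ == "__main__":
    for ip, policy in respond(SAMPLE_EVENTS).items():
        print(ip, policy)
```

With the constructed input, the scanning-and-worm terminal 10.1.5.23 scores 39.0 and is isolated at AC-campus-1, the single intrusion attempt from 10.1.9.7 only triggers a notification, and the small scan from the compliant terminal 10.1.8.4 produces no policy. Malformed lines are dropped by the parser rather than aborting the run, which is the behaviour you want when the collection layer ingests logs from many device types.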

2.2.2 Solution Process

This solution uses agile switches, security devices such as the NGFW, and the Agile Controller. The Agile Controller uniformly manages the security resources and virtualizes them into a shared security resource center. It can then allocate security resources dynamically based on user configuration or on the results of security event analysis.

Security resource pooling: Security devices (FW/IPS/AV/ASG/VPN) attached to the agile switch are virtualized into service nodes, for example Service-node1 (FW), Service-node2 (AV), Service-node3 (ASG), ... Service-nodeN (IPS). Benefits: fast deployment, efficient use of all resources, simplified configuration and management, and high reliability.

Service orchestration: Users configure security rules for service flows simply, without worrying about where the security resources are deployed. Security resources are provisioned on demand, as in the following orchestration table for the Marketing department:

Flow type | Service 1 | Service 2
Marketing -> Internet, HTTP | vslot 1 (FW) | vslot 2 (ASG)
Marketing -> R&D, file sharing | vslot 1 (FW) | vslot 2 (AV)
Marketing -> R&D, video | vslot 1 (FW) | -

3 Applicable Scenarios

3.1 Threat Detection Throughout the Network

Background: In mobile office scenarios, viruses may attack the external network connected to the enterprise network, and some terminals on the LAN may be attacked because control measures are lacking. Internal and external terminals can then easily be used by hackers to attack the enterprise network.

Huawei solution: The NGFW, IPS device, or AV software detects attack behaviors. For example, a vulnerable terminal may be used for intrusions, scanning attacks, or worm attacks. The security system reports the threats to the Agile Controller, which performs correlation analysis on the various events. After confirming a threat, the controller sends policies to the user authentication device (AC/LSW/SVN), which executes isolation policies for the risky terminals, and notifies the administrator.

Customer benefits: The solution implements pervasive security defense, improves intranet security, and speeds up response.

3.2 On-Demand Allocation of Security Resources

Background: Content security facilities are expensive to deploy and their performance is limited. Specific users and services cannot be differentiated, so they cannot be protected well.

Huawei solution: The solution ensures high security at low cost:

User-based traffic diversion: The solution performs the most thorough security checks for VIP users, and security checks for untrusted terminals such as partner, guest, and agentless devices, to ensure intranet security. In addition, it provides differentiated security defenses based on subnets, VLANs, and MPLS VPNs.

Service-based traffic diversion: The solution diverts traffic by service (based on service interfaces) to prevent email information leaks and protect shared files against viruses, while ensuring a positive user experience for video services.

[Figure 3-1: User-based traffic diversion. Terminals of different classes (untrusted terminal, VIP, employee, BYOD) share a 10G high-speed LAN; only selected traffic is injected into the security resource center, where a 100M low-cost content security device inspects it.]

[Figure 3-2: Service-based traffic diversion. SMTP traffic (TCP port 25) is diverted to the security resource center for anti-leak audit and detection.]

Customer benefits: Provides differentiated security defenses, which improves security, reduces investment, and ensures a positive user experience.
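The orchestration table of 2.2.2 and the user-based and service-based diversion of 3.2 both come down to one decision: which ordered set of pooled service nodes a given flow is steered through, and whether the low-cost content security device has capacity for it. The following is an added example, not Huawei's code, of that decision. It classifies each flow by source zone, destination zone and service, looks up the service chain, appends the checks the terminal class mandates (VIP first, untrusted and BYOD next, ordinary employees last), debits the flow from the 100 Mbit/s budget of the content device, and emits PBR-style diversion rules. When the budget runs out, the flow keeps only the firewall and is flagged; that degradation rule, the zone subnets, node numbering, port-to-service mapping, terminal classes and rule syntax are all assumptions, and the flows are constructed.

```python
"""Orchestrate security service chains and user/service-based traffic diversion.

Added example, not Huawei's code: models the orchestration table of 2.2.2 and the
user-based and service-based diversion of 3.2. Zone subnets, node numbering,
port-to-service mapping, terminal classes, the 100 Mbit/s budget and the rule
syntax are assumptions for illustration.
"""
import ipaddress

# Pooled security service nodes, modelled on the Service-node list (mapping assumed).
POOL = {"node1": "FW", "node2": "AV", "node3": "ASG", "node4": "IPS", "node5": "DLP"}
NODE_FOR = {fn: node for node, fn in POOL.items()}
# Functions hosted on the 100M low-cost content security device of Figure 3-1;
# FW stays in the 10G path and is not budget-limited (assumption).
CONTENT_FUNCTIONS = {"AV", "ASG", "IPS", "DLP"}
CONTENT_DEVICE_MBPS = 100

ZONES = {"Marketing": ipaddress.ip_network("10.10.0.0/16"),
         "R&D": ipaddress.ip_network("10.20.0.0/16"),
         "Guest": ipaddress.ip_network("10.30.0.0/16")}
SERVICES = {80: "http", 443: "http", 445: "file-share", 25: "smtp", 554: "video"}

# Orchestration table: (source zone, destination zone, service) -> ordered chain;
# "*" matches any source zone.
CHAINS = {
    ("Marketing", "Internet", "http"):   ["FW", "ASG"],
    ("Marketing", "R&D", "file-share"):  ["FW", "AV"],
    ("Marketing", "R&D", "video"):       ["FW"],
    ("*", "Internet", "smtp"):           ["FW", "DLP"],   # anti-leak audit of outbound mail (Figure 3-2)
}
# User-based diversion: extra checks per terminal class and the order in which classes get capacity.
USER_EXTRA = {"vip": ["IPS", "AV"], "untrusted": ["IPS"], "byod": ["IPS"], "employee": []}
PRIORITY = {"vip": 0, "untrusted": 1, "byod": 1, "employee": 2}

# Constructed flows: (src, dst, dst port, terminal class, estimated Mbit/s).
SAMPLE_FLOWS = [
    ("10.10.1.5", "203.0.113.7", 80, "employee", 30),
    ("10.10.1.9", "10.20.3.3", 445, "vip", 50),
    ("10.30.2.2", "203.0.113.9", 25, "untrusted", 40),
    ("10.10.1.5", "10.20.5.5", 554, "employee", 200),
]


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is the Internet."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "Internet")


def service_chain(src_zone, dst_zone, service):
    """Look up the orchestration table; fall back to a wildcard source, then to FW only."""
    chain = CHAINS.get((src_zone, dst_zone, service)) or CHAINS.get(("*", dst_zone, service)) or ["FW"]
    return list(chain)


def plan_chain(src, dst, port, terminal_class):
    """Service-based chain first, then the functions the terminal class mandates."""
    chain = service_chain(zone_of(src), zone_of(dst), SERVICES.get(port, "other"))
    for fn in USER_EXTRA[terminal_class]:
        if fn not in chain:
            chain.append(fn)
    return chain


def allocate(flows, budget_mbps=CONTENT_DEVICE_MBPS):
    """Build diversion rules, serving higher-priority terminal classes first.

    When the content device budget is exhausted, a flow keeps only FW and is
    flagged as degraded (assumed policy; the paper does not specify one)."""
    rules = {}
    for src, dst, port, cls, mbps in sorted(flows, key=lambda f: PRIORITY[f[3]]):
        chain = plan_chain(src, dst, port, cls)
        degraded = False
        if any(fn in CONTENT_FUNCTIONS for fn in chain):
            if mbps > budget_mbps:
                chain, degraded = ["FW"], True
            else:
                budget_mbps -= mbps
        rules[(src, dst, port)] = {"chain": [NODE_FOR[fn] for fn in chain], "degraded": degraded, "mbps": mbps}
    return rules


def render_pbr(rules):
    """One PBR-style line per rule (illustrative syntax, not a Huawei CLI)."""
    return [f"pbr match src {s} dst {d} dport {p} redirect {' -> '.join(r['chain'])}"
            + (" # degraded: content device full" if r["degraded"] else "")
            for (s, d, p), r in rules.items()]


if __name__ == "__main__":
    print("\n".join(render_pbr(allocate(SAMPLE_FLOWS))))
```

With the constructed flows, the VIP file-sharing flow gets FW, AV and IPS, the guest's outbound SMTP gets FW, DLP and IPS, and the two employee flows are served last: the 200 Mbit/s video stream needs only the firewall and never touches the content device, while the employee's HTTP flow finds only 10 Mbit/s of budget left and is degraded to firewall-only with a flag the operator can alert on. Sorting by terminal class before allocating is what turns the "VIP first, untrusted next" policy of 3.2 into deterministic behaviour when the 100M device is oversubscribed.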

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademark Notice
HUAWEI and the Huawei logo are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20140219-C-1.0
www.huawei.com