PowerPoint Presentation


Author/ID: Xu Wei/00111912
Department: Marketing & Solutions Dept.
Group Email Address: @huawei.com
Co-author/ID: Wei Pengcheng/00211437
Approver/ID: Yudong/00117220; Yao Jiankui/00208238
Release Date: 2013-11-8
Friday, July 17, 2015
Huawei Secure Desktop Cloud Solution for Government
Contents
1. Challenges and Requirements
2. Huawei Secure Desktop Cloud
3. Success Stories
Government Extranet Is Facing a Growing Number of Internal and External Security Risks
Risks:
• Operations performed by employees that break laws or regulations
• Hacking attacks
• Unauthorized computers or removable media
• Fragile and vulnerable network systems
• Increasing damages from network viruses
• Implanted spyware
“2 + N” Services: Isolated Terminal Access
[Diagram: the Government Extranet (IP network) is divided into a private network domain, a public network domain and an Internet access domain. Virtual service networks 1 to n are separated by VPN logical isolation; the interoperability service, access service, Internet service and public application service are reached through secure switching and secure access, with a firewall and intrusion prevention providing logical isolation towards the Internet. Service types: G2G (government agencies), G2E (government employees), G2B (enterprises) and G2C (citizens).]
Advantages and Disadvantages of PC-based Isolation Technologies
[Diagram: each technology connects a PC to both the eGov Extranet and the Internet.]
Dual-host physical isolation
  Advantages: secure isolation; simple management
  Disadvantages: dual-network deployment; high cost
Physical isolation card
  Advantages: shared network; low cost
  Disadvantages: difficult to control risks
Distributed 802.1x control
  Advantages: physical switchover; exclusive resource usage
  Disadvantages: dual-network support; complex network switchover
Centralized Portal control
  Advantages: dedicated certification; trusted access
  Disadvantages: certification push; complex applications
Challenges Arising from PC-based Isolation Technologies
• Complex on-site maintenance: re-cabling, setting hard disk jumpers…; setting the BIOS self-check speed, installing the driver…
• Difficult to unify application and system versions (e.g. Gov. OA 2007, Gov. OA Enhanced, Gov. OA new; 3D city planning V3.0 and V3.5)
• Difficult to detect unauthorized data duplication
Inefficient O&M and high information leakage risks
Huawei Secure Desktop Cloud Architecture
[Diagram: a desktop TC in the access domain connects either to the Internet VM cluster (FusionSphere) in the Internet access domain or to the government network VM cluster (FusionSphere) in the government network access domain. The authentication domain holds the CA center; the government office system sits behind the government network cluster.]
• Unified architecture and secure isolation: uses a unified architecture to securely isolate government network and Internet access.
• Secure access control: uses a government CA UKey to enable office VM login, quick dual-network switchover, and application access control.
• Prevention of unauthorized data duplication: uses the CA to encrypt government data disks.
Simple, Clear, and Unified Architecture
[Diagram: the Internet VM cluster and the government network VM cluster share one Extranet data center.]
• 1 desktop terminal
• 1 certification key
• 1 Internet egress
• 1 access network
• 1 certification system
• 1 virtual desktop system
• 1 Extranet data center
Three-fold Isolation: Secure Edges
[Diagram: the desktop TC sits in the access domain. The Internet VM (Internet access domain) and the government network VM (government network access domain) each have vSwitch 1 and vSwitch 2; the authentication domain and the government office system sit behind the government network VM. The numbers 1 to 3 mark the isolation points below.]
1. VM isolation: uses different VMs to access the government network and Internet.
2. Network domain isolation: uses dual VM physical network adapters to access different domains.
3. Access domain isolation: uses VLAN and firewall policies to prevent a desktop TC from accessing the government network and Internet simultaneously.
Secure Network Switchover
[Diagram: (1) UKey + PIN is presented to the agent on the government network VM, which performs CA authentication against the Gov. CA center before the government office system is reached; (2) the UKey is removed after use; (3) direct login to the Internet VM.]
1. Use the CA UKey to authenticate government network login.
2. The government VM agent automatically monitors the UKey device status. If it is removed, the TC is disconnected from the government network.
3. Internet login requires only user name and password authentication, not CA authentication.
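As an added example that is not code from this deck or from Huawei's product: a small Python model of the access rules described in the three-fold isolation slide and the switchover steps above (a TC reaches at most one domain at a time, the government network needs CA UKey + PIN, UKey removal disconnects the government session, Internet login uses plain credentials). The class and method names, the dict stand-in for the CA center, and the rule that the UKey must be out before Internet login are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GOV, INTERNET = "gov", "internet"

@dataclass
class SessionController:
    """One desktop TC. Enforces: at most one domain attached at a time; the gov
    domain needs CA UKey + PIN; a removed UKey tears down the gov session."""
    ca_keys: Dict[str, str]          # constructed stand-in for the CA center: serial -> PIN
    accounts: Dict[str, str]         # constructed Internet user name -> password
    domain: Optional[str] = None
    ukey_present: bool = False
    audit: List[Tuple[str, str]] = field(default_factory=list)

    def insert_ukey(self, serial: str, pin: str) -> None:
        # Step 1: CA authentication of the UKey before the gov network is attached.
        if self.ca_keys.get(serial) != pin:
            self.audit.append(("gov-denied", serial))
            raise ValueError("CA authentication failed")
        self.ukey_present = True
        self.domain = GOV            # switching from Internet detaches it implicitly
        self.audit.append(("gov-attached", serial))

    def remove_ukey(self) -> None:
        # Step 2: the agent sees the token go away and drops the gov connection.
        self.ukey_present = False
        if self.domain == GOV:
            self.domain = None
            self.audit.append(("gov-detached", "ukey removed"))

    def login_internet(self, user: str, password: str) -> None:
        # Step 3: user name/password only, but never while the UKey is in (assumed rule).
        if self.ukey_present:
            raise ValueError("remove the UKey before Internet access")
        if self.accounts.get(user) != password:
            raise ValueError("bad credentials")
        self.domain = INTERNET
        self.audit.append(("internet-attached", user))

    def reachable(self) -> Tuple[bool, bool]:
        # (gov reachable, Internet reachable): by construction never both True.
        return (self.domain == GOV, self.domain == INTERNET)

def demo() -> list:
    # Constructed walk-through of steps 1-3 for one TC.
    tc = SessionController({"UK-0001": "1234"}, {"alice": "pw"})
    tc.insert_ukey("UK-0001", "1234"); r1 = tc.reachable()
    tc.remove_ukey();                  r2 = tc.reachable()
    tc.login_internet("alice", "pw");  r3 = tc.reachable()
    return [r1, r2, r3]
```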
Prevention of Unauthorized Data Duplication
[Diagram: the IT administrator manages encryption policies in the VEM encryption service management system; the encryption policy is pushed to the agent on the government network VM, which uses the UKey to decrypt data stored on the encrypted data volume.]
• Government data is encrypted before storage and cannot be decrypted without the UKey.
• Government network VM data volumes are encrypted and transparent to upper-layer applications.
• Seamless connection between encryption and the government CA provides a highly secure and reliable key management system.
• Government data is encrypted and decrypted through the same UKey device, simplifying operation and management.
Flexible Expansion Options
• Shared office devices: other terminals, financial terminals and citizen terminals share the access VLAN, Internet VLAN, PU VLAN and Gov. network VLAN; reduces device investment.
• Access of personal devices: personal devices get their own access VLAN next to the Internet VLAN and Gov. network VLAN; prevents personal devices from accessing the government network.
• Access control across service terminal domains: citizen service LAN, access VLAN, core server, Internet VLAN, Gov. network VLAN and core service VLAN; guarantees key services in priority.
• GPU pass-through: displays 3D drawings.
Ensures Smooth Services with Robust QoS
[Diagram: the QoS engine for Huawei secure desktop cloud serves Internet access, graphics processing and manager office desktops.]
• Use flexible service policies to ensure smooth operation of key applications.
• Implement hierarchical QoS control (CPU, memory, and network) to meet flexible QoS control needs.
Efficient O&M of Desktop Software and Hardware
[Diagram: the PC administrator role is converted into the desktop cloud system administrator, who manages TCs, the government application systems (OA, Gov. service system) and the desktop cloud through: asset management, desktop maintenance, message distribution, fault maintenance, software distribution, configuration management, log management, power management, statistics & monitoring, resource management, upgrade & expansion, task management and data configuration. Legacy system administrators keep IT system support (email, self-service, hardware management and upgrade, alarm management, fault diagnosis, rights management, system upgrade, anti-virus, AD, DNS) over servers and storage; the network IT administrator keeps basic network monitoring (network monitoring, traffic management, DCN).]
The “desktop cloud system administrator” replaces the traditional PC asset administrator and maintenance personnel.
The “traditional PC asset administrator” has a large amount of on-site support workload, needs to master a variety of skills, and can process only 50+ desktops. Desktop maintenance is inefficient.
Centralized and remote management enables a single person to maintain 2,000+ desktops, greatly enhancing management efficiency.
Comprehensive Monitoring and Auditing, High Security
[Diagram: the Internet domain administrator and the government network domain administrator each manage only their own cluster (vSwitch 1, vSwitch 2) through the firewall; other entrances are forbidden and unauthorized operations are blocked. The security administrator performs centralized monitoring and auditing.]
Supports hierarchical management and prevents unauthorized operations.
Deploys bastion hosts to unify O&M entrances, and monitors and audits system administrator operations.
Secure Desktop Project for Langfang City Planning Bureau
Challenges
• Internet access without compromising government data confidentiality
• Network switchover was complex for the legacy isolation card solution
• Inefficient on-site maintenance
• Lack of unified management of office applications
Solutions
• Configured two VMs for each government employee to access the government network and Internet respectively.
• Used comprehensive isolation mechanisms (cloud, network) to isolate government network and Internet access.
• Enables Internet access while delivering high data security.
Benefits
• Reduces network switchover from 2 minutes to 5 seconds.
• Decreases desktop maintenance from 2 hours to 3 minutes, greatly improving O&M efficiency.
Shaoxing Police Bureau Improves O&M Efficiency with Huawei Solution
Challenges
• Difficult to control unauthorized data duplication, terminal viruses, and information security
• Inefficient on-site maintenance
• Traditional PCs had to be updated frequently; a waste of resources
Solutions
• Deployed the Secure Desktop Cloud Solution for police Extranet office systems.
• Deployed the Secure Desktop Cloud Solution for the command platform call center.
• Unified O&M and monitoring to centrally manage resources.
Benefits
• Enables remote maintenance to reduce maintenance time from 2 hours to 3 minutes.
• Minimizes terminal viruses to ensure service continuity.
• Improves hardware resource utilization from 10% to 60%.
AU Conference Center Enhances Work Efficiency and Reduces Costs with Huawei Solution
Challenges
• Conference documents must not be printed
• A large number of PCs had to be prepared for sessions
• Energy-consuming and inefficient O&M
Solutions
• Provided a Secure Desktop Cloud Solution for the AU Conference Center to support the 18th summit.
• Enabled office, conferencing, and online video conferencing on a single platform.
Benefits
• Enhances conference efficiency (highly recognized by participants).
• Implements mobile office.
• Uses the Secure Desktop Cloud Solution to provide video training sessions for internal employees.
Global Footprint of Huawei Secure Desktop Cloud Solution
Worldwide deployment and recognition
• 42 countries and regions
• Serving almost 200 customers
• Industry’s largest desktop cloud application: 100,000 users
• 2,200+ distributors, ISVs, and VAPs worldwide
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY
Copyright © 2014 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
All logos and images displayed in this document are the sole property of their respective copyright holders. No endorsement, partnership, or affiliation is suggested or implied.