PowerPoint Presentation
Huawei Policy Center Competitive Positioning
VS. Cisco ISE
Author/ ID: Author's name/Author's ID
Dept: Branding Planning Dept
Version: V1.0(20YYMMDD)
Content
1. Cisco ISE Overview
2. The Key Features Analysis of ISE
3. Cisco ISE Business Analysis
4. Competitive Strategy
5. HUAWEI Policy Center Overview
Cisco ISE Overview
(Figure: ISE 3315, 3355 and 3395 appliances with network interfaces eth0 to eth3.)
Cisco ISE (Identity Services Engine) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. Its architecture allows enterprises to gather real-time contextual information from networks, users, and devices and to make proactive governance decisions by enforcing policy across the whole network infrastructure: wired, wireless and remote.
Cisco ISE Main Functions
• Context-Based Access
• Policy Definition
• Policy Enforcement
• Monitoring and Troubleshooting
Context dimensions used for access decisions (from the slide figure):
Who? Known users (Employees, Sales, HR); Unknown users (Guests); AD, LDAP or custom attributes; did the user "badge in" to the building; citizenship, etc.
What? Device identity; Device classification (profile); Device health (posture)
Where? Geographic location; Calling Station ID; SSID / Switchport
When? Date; Time; Start/Stop Access
How? Wired; Wireless; VPN; Other?
Cisco ISE Architecture
(Figure: ISE architecture. Admin views/configures policies; Monitor receives logging from the Policy Service and the enforcement point and provides View Logs/Reports; the Policy Service queries attributes from External Data and exchanges Request/Response and Context with the enforcement point; Enforce receives the Endpoint's Access Request and controls Resource Access.)
The overall architecture consists of three parts:
• Monitor
• Policy Service
• Enforce
Among them, the Policy Service is the core.
Cisco ISE Models
Hardware Model | Small (1121/3315) | Medium (3355) | Large (3395) | VM
Platform | Based on the IBM System x3250 M2 | Based on the IBM System x3550 M2 | Based on the IBM System x3550 M2 | VMware Server v2.0 (demos); VMware ESX v4.0 / v4.1; VMware ESXi v4.0 / v4.1
CPU | 1x Quad-core Xeon 2.66GHz | 1x Quad-core Nehalem 2GHz | 2x Quad-core Nehalem 2GHz | >= 1 processor
RAM | 4GB | 4GB | 4GB | 4GB (max)
Disk | 2 x 250-GB SATA (500GB available) | 2 x 300-GB 2.5" SATA (600GB available) | 4 x 300-GB 2.5" SAS I (600GB available) | Admin: >= 60GB; Policy Service: >= 60GB; Monitoring: >= 200GB
RAID | No | Yes: RAID 0 | Yes: RAID 1 | -
Network | 4 x Gigabit Ethernet | 4 x Gigabit Ethernet | 4 x Gigabit Ethernet | 4 x Gigabit Ethernet
Power | Single 650W | 650W Redundant | 650W Redundant | -
Node Roles | All Roles | All Roles | All Roles | No Inline Posture Node
Cisco ISE Deployment Schemes
• Centralized deployment: ISE servers are deployed at one site.
• Distributed deployment: ISE servers are deployed across multiple sites, such as headquarters and branches.
Cisco NAC Solution Based on ISE
TrustSec Branch Features
ISE: Policy and Integrated Security services
• AAA services
• Profiling – categorization of devices
• Posture – assurance of compliance
• Guest – guest management
Wired Identity:
• Baseline Identity features (802.1X, flex auth, web auth)
• SGT carried via SXP
Wireless Identity:
• CoA and profiling
Security Group Access
• WAN Aggregation Router: SXP/SGT support (no MACsec)
• Campus Aggregation: Cat6K/Sup2 – SGT/SGACL
• Data Center Enforcement: Nexus 7000 – SGT/SGACL
(Figure: ISE with Guest Server, Posture and Profiler services; WLC and AP serving wireless users; Catalyst switch serving wired users; Catalyst 6500 in the Campus Network; Nexus 5000/2000 and Nexus 7000 in the Data Center with SXP and egress enforcement; ASR1K at the WAN edge with site-to-site VPN users on AnyConnect; ISR G2 with integrated switch at the branch.)
Key Features: AAA
Cisco ISE integrates the AAA function. It provides a standard RADIUS server and supports authentication and authorization for users and endpoints over wired, wireless, and VPN access, with a consistent policy throughout the enterprise.
Identity store / OS and version support:
• RADIUS: RFC 2865-compliant RADIUS servers
• Protocols: EAP-GTC, PAP, MS-CHAP v1/v2, EAP-MSCHAPv2, LEAP, EAP-MD5, CHAP, EAP-TLS and PEAP-TLS
• User authentication data sources:
  • Local data: account + password
  • Active Directory: Microsoft Windows Active Directory 2000; Microsoft Windows Active Directory 2003, 32-bit only; Microsoft Windows Active Directory 2003 R2, 32-bit only
  • LDAP servers: SunONE LDAP Directory Server, Version 5.2; Linux LDAP Directory Server, Version 4.1; NAC Profiler, Version 2.1.8 or later
  • Token servers: RSA ACE/Server 6.x Series; RSA Authentication Manager 7.x Series; RADIUS RFC 2865-compliant token servers; SafeWord Server prompts
Key Features: NAC of ISE
• The main NAC methods: 802.1x, MAB, and web authentication;
• Supported network devices include Cisco switches, routers, WLCs and firewalls, and so on;
• ISE dynamically distributes ACLs and VLANs to the device based on user, device type, access type, access site, and time.
Two enforcement styles are used after 802.1X/MAB/Web Auth:
VLAN Assignment
• Authorization policy sets the VLAN; the infrastructure provides enforcement
• Typical VLAN examples: Quarantine/Remediation VLAN; Guest VLAN; Employee VLAN
• Typically requires an IP change -> potential conflicts with other endpoint processes
dACLs (ACL download)
• Authorization policy pushes a dACL or named ACL to the NAD
• ACL source (any) is automatically converted to the specific host address
• No IP address change required, thus typically less disruptive to the endpoint and improved user experience
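The two enforcement styles above, as an added example (not Cisco's or the deck's own code): the RADIUS attributes each style returns to the NAD, plus the source-"any" rewrite that scopes a dACL to the authenticated endpoint. The Tunnel-* attributes are the standard ones from RFC 3580; the per-user cisco-av-pair "ip:inacl#N" form is used here as a readable stand-in for ISE's dACL download exchange, and every address is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example (not Cisco's code): compare the two ISE enforcement
# styles described above as the RADIUS attributes each one returns.
VLAN_TUNNEL_TYPE = 13    # RFC 3580: Tunnel-Type = VLAN
MEDIUM_IEEE_802 = 6      # RFC 3580: Tunnel-Medium-Type = IEEE-802


@dataclass
class AuthzResult:
    attrs: dict = field(default_factory=dict)
    ip_change_required: bool = False


def vlan_result(vlan_id: int) -> AuthzResult:
    """VLAN assignment: standard tunnel attributes, works on any 802.1X switch,
    but moving the port to a new VLAN forces the endpoint to re-address."""
    return AuthzResult(
        attrs={"Tunnel-Type": VLAN_TUNNEL_TYPE,
               "Tunnel-Medium-Type": MEDIUM_IEEE_802,
               "Tunnel-Private-Group-ID": str(vlan_id)},
        ip_change_required=True)


def rewrite_source_any(ace: str, endpoint_ip: str) -> str:
    """Mimic the NAD behaviour the slide describes: the ACE source 'any' is
    replaced with the authenticated endpoint's host address, so a shared ACL
    never grants more than that one endpoint's traffic."""
    ipaddress.ip_address(endpoint_ip)  # reject malformed addresses early
    parts = ace.split()
    # Simplified ACE grammar: action protocol source destination [...]
    if len(parts) >= 3 and parts[2] == "any":
        parts[2:3] = ["host", endpoint_ip]
    return " ".join(parts)


def dacl_result(aces: list, endpoint_ip: str) -> AuthzResult:
    """dACL: ACEs pushed as cisco-av-pair 'ip:inacl#N=' entries (Cisco
    vendor-specific, assumed format), scoped to the endpoint; no re-addressing."""
    attrs = {f"cisco-av-pair:ip:inacl#{i}": rewrite_source_any(ace, endpoint_ip)
             for i, ace in enumerate(aces, start=1)}
    return AuthzResult(attrs=attrs, ip_change_required=False)
```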
Key Features: ISE Network Access Device
• The 802.1x authentication scheme supports the standard RADIUS protocol and Cisco's proprietary RADIUS extensions:
  • The standard 802.1x scheme controls user network access by dynamic VLAN and supports network equipment from all manufacturers;
  • The proprietary 802.1x scheme controls user network access by dynamic ACL. It only supports Cisco's network equipment;
• Web authentication is only compatible with Cisco's network equipment.
Key Features: Profiling
• Cisco ISE integrates a profiling function. It can detect and identify the type of network equipment so that the administrator can configure policy based on device type.
• ISE can use the following attributes to identify the device type:
  • MAC OUI
  • DHCP information
  • RADIUS information
  • HTTP information
  • DNS query information
  • NetFlow information
  • NMAP
  • SNMP query
  • SNMP trap
• ISE ships with a large built-in library of device types.
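A scoring classifier over the attribute sources listed above, added here as an illustration (not ISE's profiler, whose certainty values and profile library are not reproduced). The profiles, weights and endpoint records are constructed; an endpoint with too little collected evidence stays "Unknown" instead of being forced into a profile.

```python
from dataclasses import dataclass

# Constructed example (not ISE's profiler): score collected endpoint
# attributes against device-type profiles built from several collectors.


@dataclass(frozen=True)
class Condition:
    source: str       # collector: "OUI", "DHCP", "HTTP", "SNMP", "NMAP", ...
    attribute: str    # attribute name within that collector's data
    match: str        # case-insensitive substring to look for
    weight: int       # constructed certainty score for a match


PROFILES = {
    "Apple-iPhone": [
        Condition("OUI", "vendor", "apple", 10),
        Condition("DHCP", "hostname", "iphone", 20),
        Condition("HTTP", "user-agent", "iphone", 20),
    ],
    "Cisco-IP-Phone": [
        Condition("OUI", "vendor", "cisco", 10),
        Condition("DHCP", "class-identifier", "cisco systems", 20),
        Condition("SNMP", "sysdescr", "ip phone", 30),
    ],
    "Windows-Workstation": [
        Condition("DHCP", "class-identifier", "msft", 20),
        Condition("HTTP", "user-agent", "windows nt", 20),
        Condition("NMAP", "os", "windows", 30),
    ],
}


def score(endpoint: dict) -> dict:
    """Sum the weights of matching conditions per profile. Conditions whose
    attribute was never collected for this endpoint contribute nothing."""
    totals = {}
    for name, conds in PROFILES.items():
        totals[name] = sum(
            c.weight for c in conds
            if c.match in endpoint.get((c.source, c.attribute), "").lower())
    return totals


def classify(endpoint: dict, minimum: int = 20) -> str:
    """Pick the highest-scoring profile; below the minimum, report Unknown
    so a lone OUI match cannot by itself drive an authorization decision."""
    totals = score(endpoint)
    best = max(totals, key=totals.get)
    return best if totals[best] >= minimum else "Unknown"
```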
Key Features: Guest Management
• Cisco ISE allows visitors, contract employees, and consultants to access the network through a web login page. The administrator can configure the policy based on the role and time of the guest. ISE dynamically distributes ACLs and VLANs to the device.
• Main functions include:
  • Approval process and notification management for guest accounts
  • Visitor role authorization management
  • Custom web authentication page
  • Visitor login log management
Key Features: Host Health Check (Posture)
Persistent and Web Agent support
Assessment/check options:
• Antivirus/Antispyware
• Registry keys
• Windows Update
• Application/Process
• File existence/dates
• Windows Server Update Services (WSUS)
Posture definitions:
• Pre-built or custom checks with granular Boolean logic
• Custom checks for AV, AS, Microsoft, and other attributes
• Hundreds of AV/AS vendor packages/versions
• Dynamic updates on an hourly basis for the latest hotfixes, signature definitions/DAT files
• Compliance Module: dynamic update of new vendor packages via Client Provisioning
Remediation:
• Automatic / Interactive
• API to AV/AS/WU client, URL redirect, execute program, download files, instructions
• Mandatory / Optional / Audit Only
• Passive reassessment
• Separate login versus post-login policy
• Admin-configurable action: monitor/alert/enforce
Example policies (figure: employees and contractors/guests connecting over wired, wireless and VPN):
Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
Guest Policy:
• Accept AUP (no posture, Internet only)
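The employee policy on this slide evaluated with the Mandatory / Optional / Audit Only semantics listed under Remediation, as an added example (not Cisco's posture engine). The check functions, the endpoint attribute names and the remediation strings are constructed; the point is that only a failed mandatory requirement changes the compliance verdict, while audit-only failures are recorded but trigger no remediation.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example (not Cisco's posture engine): requirement modes
# decide whether a failed check blocks access, prompts, or is only logged.


@dataclass(frozen=True)
class Requirement:
    name: str
    check: Callable[[dict], bool]
    mode: str          # "mandatory" | "optional" | "audit"
    remediation: str   # constructed description of the agent's action


def patches_ok(ep: dict) -> bool:
    return not ep.get("missing_patches")


def av_ok(ep: dict) -> bool:
    # "installed, running, and current": all three must hold
    return bool(ep.get("av_installed")) and bool(ep.get("av_running")) \
        and ep.get("av_dat_age_days", 999) <= 7


def asset_ok(ep: dict) -> bool:
    return ep.get("asset_tag", "").startswith("CORP-")


def app_running(ep: dict) -> bool:
    return "corp-agent.exe" in ep.get("processes", [])


EMPLOYEE_POLICY = [
    Requirement("Microsoft patches updated", patches_ok, "mandatory", "Launch Windows Update"),
    Requirement("McAfee AV installed, running and current", av_ok, "mandatory", "Update DAT via AV API"),
    Requirement("Corp asset check", asset_ok, "optional", "Show instructions"),
    Requirement("Enterprise application running", app_running, "audit", "Log only"),
]


def evaluate(endpoint: dict, policy: list) -> tuple:
    """Return (verdict, failed requirements). Optional and audit-only
    failures never make the endpoint non-compliant on their own."""
    failed = [r for r in policy if not r.check(endpoint)]
    blocked = any(r.mode == "mandatory" for r in failed)
    return ("non-compliant" if blocked else "compliant"), failed


def remediation_actions(failed: list) -> list:
    """Audit-only failures are recorded by the monitor but not remediated."""
    return [(r.name, r.remediation) for r in failed if r.mode != "audit"]
```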
Platforms and Options of ISE
Platforms:
• Appliance:
  • Cisco Identity Services Engine 3315 (small): 3,000-endpoint target
  • Cisco Identity Services Engine 3355 (medium): 6,000-endpoint target
  • Cisco Identity Services Engine 3395 (large): 10,000-endpoint target
• Software or Virtual Machine: 1, 5, or 10 virtual machines
Options (licenses):
• Base
  Capabilities: Basic network access and guest access
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: None
  Perpetual license
  Licenses are available for 100, 250, 500, 1,000, 1,500, 2,500, 3,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints
• Advanced
  Capabilities: Profiler, posture, and Security Group Access (SGA)
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: Base license
  Term license: 3- and 5-year terms
  Licenses are available for 100, 250, 500, 1,000, 1,500, 2,500, 3,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints
• Wireless
  Capabilities: Basic network access, guest access, profiler, posture, and SGA
  Network deployment support: Wireless
  License prerequisite: None
  Term license: 5-year term
  Licenses are available for 100, 250, 500, 1,000, 1,500, 2,500, 3,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints
• Wireless Upgrade
  Capabilities: Basic network access, guest access, profiler, posture, and SGA
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: Wireless license
  Term license: Term matches preinstalled Wireless licenses
  Upgrade licenses are available for 100, 250, 500, 1,000, 1,500, 2,500, 3,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints
HUAWEI Policy Center VS. Cisco ISE
• Base ISE licenses include basic network access and guest access;
• Advanced ISE licenses include profiler, posture, and Security Group Access (SGA), and their period of validity is 3 years or 5 years;
• Cisco ISE has two product forms: virtual machine software and hardware appliances;
• Under the principle of like-for-like configuration, the TSM list price is about 5-10% less than the average price of Cisco ISE.
The Specialties of HUAWEI Policy Center
(Figure: endpoints connect through wired access (switch, router) and wireless access (AP, AC) to the network, managed by eSight+TSM together with AD/LDAP/RSA, a third-party OS patch server and a third-party AV server.)
Specialty 1: Support for multiple access terminal types, meeting the needs of mobile user access
• PC (Windows/Linux/Mac)
• Android
• iOS (iPad, iPhone)
• Endpoint fault diagnosis
Specialty 2: Cooperates with the network deployment to implement a variety of access controls
• Portal
• VPN & SSL
• 802.1x
• ACL & CoA
Specialty 3: Flexible user control strategy, meeting the demands of different scenarios
• User management, visitor control
• Authorization by location, time, role, and type of equipment
• Integration with the network management system
Specialty 4: Checks the security of terminal access equipment to eliminate terminal access risk
• Endpoint security check
• OS patch service
• Update service
• Asset management
VS. ISE Competitive Advantage
User Management:
• Cisco ISE supports integration with AD/LDAP, but ISE only synchronizes user group information. It cannot synchronize user account information. Therefore, ISE cannot configure policy based on user account.
• If there is an AD domain, the Cisco ISE server must join the domain, and one ISE server only supports integration with one AD domain. Multiple AD domains are not supported.
• An account in Cisco ISE cannot be bound to the access switch port/IP, VLAN, and SSID together.
Guest management:
• Cisco ISE does not support automatic approval of visitor accounts. Manual approval by an administrator is required.
• Cisco ISE cannot present different web authentication pages based on different attributes, such as endpoint access site, device type, SSID, and so on. ISE only supports one web authentication page per device.
• Cisco ISE does not support customizing the web authentication page's CSS styles; it only supports customizing the content, such as text and pictures.
• Cisco ISE does not support a passcode function; it only supports account+password and AD/LDAP accounts.
• Cisco ISE does not provide an API for visitor account approval that could be used to integrate with other application systems.
VS. ISE Competitive Advantage
NAC Solution:
• Cisco ISE only supports 802.1x/MAC/Web authentication, so its network access control solution is limited to a single approach. (In addition to these, HUAWEI TSM supports the SACG (Security Access Control Gateway) scheme and a software SACG scheme based on the host firewall, which adapts to the customer's network environment.)
• The 802.1x authentication of Cisco ISE has some disadvantages:
  • All access layer switches must support 802.1x;
  • All endpoints must obtain their IP address from a DHCP server;
  • The deployment and management cost is very high;
  • It is very difficult in the mobile office scenario: if users need to access the network from anywhere, the VLAN configuration on all switches must be consistent.
• Cisco's old NAC solution supports an out-of-band scheme. In this scheme, the ACS server integrates with switch/router/AC devices through the SNMP protocol, but only Cisco's own network devices support this scheme.
• Wireless access users do not support user isolation.
Endpoint Security Management:
• The security policy for PC endpoints is very poor in Cisco ISE. It does not support peripheral management, USB device management, illegal communications, network behavior auditing, and so on.
• The client on iOS and Android devices only supports the VPN function; it does not support the security checking function.
• Cisco ISE does not support patch management, asset management, software distribution, and so on.
• Cisco ISE does not support client customization; it cannot customize the logo, authentication scheme, and so on.
HUAWEI NAC Solution
(Figure: OA employees, intranet employees, branch employees and visitors are authenticated by the Policy Center against AD/LDAP.)
Unified authentication and authorization:
• Unified authentication and authorization for internal and intranet users
• Unified access control for wired, wireless and VPN users
• Network access control policy based on role, device, location, time, and so on
Security compliance:
• Endpoints comply with the security policy
• Standardization of desktop operations and behavior auditing
Assist:
• Asset lifecycle management
• OS patch management
• Remote fault diagnosis
HUAWEI Policy Center Architecture
(Figure: the Policy Center Server comprises NAC Servers, an Authentication Server and an AAA Server. Enforcement points: 802.1x switch, Portal switch, router (Web Auth), AC/AP and firewall. Clients: NAC Agent client (Windows/Linux/Mac), Web agent, and the OS-native 802.1x client (Windows/Linux/Mac/iOS/Android).)
Unified Authentication
(Figure: employees, partners, wireless users (AP/AC), visitors, branch employees (via router and Internet), BYOD users and VPN users authenticate to the Policy Center Server through the access switches, core switch and SACG, and then reach the OA, BSS, CRM, ERP and Email systems.)
Unified Authorization
Context:
• Who? User
• What? Terminal type
• Where? Location
• When? Date, time
• How? Wired, wireless, VPN
Host health inspection policy:
• AV check
• Patch check
• Account security check
Desktop baseline configuration policy:
• Software installation check
• System configuration check
• Custom policy
Employee behavior monitoring:
• Peripheral monitoring
• Illegal communications
• Network behavior monitoring
Isolation and repair strategy:
• Network isolation
• Repair policy (prompt, fast repair)
Network access policy:
• VLAN
• ACLs
• User group
QoS policy:
• IP CAR
• User CAR
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY
Copyright©2012 Huawei Technologies Co., Ltd. All Rights Reserved.