enterprise.huawei.com

2014/7/8
Agile Controller Campus Network Features
Enabling Networks to Be More Agile for Services
Contents
1. Traditional Network Facing New Challenges
2. Huawei Agile Controller Campus Network Features
3. Success Stories
1. Traditional Network Facing New Challenges

Mobility Demands Unified Service Experience: How to Implement Mobility in Enterprises Quickly

Irresistible mobility
• In 2011, mobile smart terminal shipments first overtook PC shipments.
• Gartner predicts that 326 million tablets and 1 billion smart phones (50% of all mobile phones) will be sold in 2015, most of them used by enterprise office users.
[Chart: Computing Devices – Yearly Sales, 2008 to 2011, in millions of units, for smart phones, PCs, and tablets. Source: Gartner, iSuppli Market Intelligence]

Wired and wireless access management
There is both wired and wireless access in the mobility era. Users may have mobile or fixed terminals, or both, and these need to be managed uniformly.

Unified service experience
Mobility requires a unified service experience, and network policies need to be adjusted quickly based on users and applications.

Fast promotion of mobile applications
When enterprises need to deploy new applications, the network configuration can be adjusted quickly and flexibly to adapt to the changes.
New Service Deployment Period Affects Enterprise Market Competition

Network situation: irresistible mobility and virtualization
Static networks are often manually configured by administrators. When new services are provisioned, static networks cannot adapt to the changes quickly. Items that must be reconfigured include user rights, user bandwidth, security policies, application policies, work groups, and more.

Virtualization requires high automation
In a data center network, VMs migrate between servers (VMotion). How do network configuration policies change quickly as VMs migrate? How are 140,000 configurations performed?

Mobility requires flexible policy adjustment
As user A moves between access points, how do network-wide security policies and access policies change quickly as user access positions change?
Borderless Security and Ineffective Security Protection Mechanisms

Traditional network: network access modes and positions are fixed, so the attack points and methods are limited. Single-point defense by the firewall at the WAN/Internet egress is used against external attacks.

Mobile network: with mobility, office networks expand and are exposed to different types of access terminals. Attack points and methods diversify: external attacks, wireless eavesdropping attacks at APs, and mobile terminal attacks. Single-point defense by the firewall has no effect.
Solutions

Challenge | Solution | Description
Mobility trend | New policy mode | Network resources are dynamically allocated as users move; the service experience is independent of the access position; the service experience of VIP users is guaranteed.
New service deployment | New deployment mode | Service policies are adjusted automatically, and new service provisioning is shortened.
Traditional single-point defense | New security mechanism | Comprehensive network defense and security resource control are required.
Contents
1. Traditional Network Facing New Challenges
2. Huawei Agile Controller
3. Success Stories

2. Huawei Agile Controller
Agile Controller, Smart Brain of an Agile Campus

[Diagram: the Agile Controller manages a campus with core, aggregation, and access LSWs, APs, AR routers for branch networks, an NGFW/SVN egress to the WAN/Internet, and a security resource center.]

Component description
• Access Control: Provides 5W1H-based policy management and supports MAC, 802.1x, Portal, and SACG authentication.
• Guest Management: Provides self-help registration management of guest accounts, and Portal page customization and pushing.
• Free Mobility: Allows network resources to be dynamically allocated based on the security group policy matrix and the VIP user experience guarantee, ensuring a unified service experience.
• Service Orchestration: Virtualizes physical devices, shields device models and locations, and directs different service flows to different service termination nodes.
• United Security: Collects security logs and events, identifies the Top N threat assets and zones through Big Data correlation analysis, evaluates the network-wide security trend, and helps implement network-wide security defense.
• Terminal Security: Provides various security policies that enhance terminal security, and blocks insecure terminals and terminals that do not meet enterprise security policy requirements.
Access Control
Comprehensive Access Control Applies to Various Networks

[Diagram: a dumb terminal in VLAN 1, an office area on VLAN 2/SSID1, and a guest area on SSID2, each using a different authentication mode.]

• MAC address authentication: The authentication server authenticates terminals based on their MAC addresses. It applies to dumb terminals such as IP phones and printers.
• 802.1x authentication: Clients, devices, and authentication servers exchange authentication messages using the Extensible Authentication Protocol (EAP). It supports association with all series of Huawei switches, routers, and WLAN devices, and with third-party standard 802.1x switches.
• Portal authentication: Also called web authentication. Users enter their user names and passwords on the web authentication page for identity authentication. It supports association with all series of Huawei switches, routers, and WLAN devices.
• SACG authentication: The USG firewall is connected to a router or switch in bypass mode and controls terminal access through policy-based routing.
Access Control Based on User Identities

Security domain partition
• Pre-authentication domain: Can be accessed by terminals without authentication. The terminal authentication server and the enterprise Portal page are deployed in this domain.
• Isolation domain: Can be accessed by terminals that fail the security check and whose violations need to be rectified. The antivirus server and patch server are deployed in this domain.
• Post-authentication domain: Can be accessed by terminals after authentication succeeds and the terminals pass the security check. Multiple post-authentication domains are divided based on user types:
  1. Post-authentication domain of the enterprise headquarters
  2. Post-authentication domain of the financial system
  3. Post-authentication domain of the Internet

User authentication process (from the user domain through the network domain to the service domain):
1. A terminal initiates an authentication request.
2. The gateway sends the authentication request to the authentication server.
3. After the check succeeds, the authentication server notifies the gateway to grant permissions to the user.
4. The user can access the post-authentication domain.
Various User Management

• Common account: Enterprises have no identity data systems and use the database of the Agile Controller. Common accounts are created by the network administrator and contain user names and passwords, MAC addresses, and guest accounts.
• Third-party authentication system: Enterprises have identity data systems that can be associated with an AD controller or LDAP server. The identity data sources are stored on the Microsoft AD controller or LDAP server. Multiple AD controllers or LDAP servers are supported.
• Digital certificate: Enterprises provide digital certificate authentication. The USB key of a Cryptographic Service Provider (CSP) is supported. The signature and encryption of the USB key are used to acknowledge and verify user identities. Examples: Damingwuzhou, ESAFE, Shanghai Welhop, Zhejiang Winsun Industrial Co., Ltd.
5W1H-based Context Awareness

The Agile Controller is a unified policy platform for wired and wireless users and answers six questions:
1. Who: Who connects to the network? (staff, guest)
2. Where: Where do users connect to the network? (R&D, non-R&D, home)
3. When: When do users connect to the network? (working time, after-work time)
4. Whose: Whose device is it? (enterprise devices, BYOD devices)
5. What: What devices connect to the network? (PC, iOS, Android)
6. How: How do users connect to the network? (wired, wireless, VPN)
Flexible and Dynamic Authorization

1. User authentication: the account is bound to a user group on the Agile Controller.
   • A guest account is bound to the guest group.
   • An employee account is bound to the employee group.
   • A VIP account is bound to the VIP group.
2. The RADIUS server delivers the user group policies to the AC/switch.
3. The AC/switch enforces the user group policies.

Group policies
Policy | Guest group | Employee group | VIP group
Authorized bandwidth | 30 to 50 kbit/s | 2 Mbit/s | 3 Mbit/s
ACL authorization | Guests are not allowed to access internal resources. | Employees are allowed to access the service platform on the internal network. | VIPs are allowed to access core resources.
Service VLAN | Guest service VLAN | Employee service VLAN | VIP service VLAN
User isolation | One setting per group: users can communicate with each other; users cannot communicate with each other; or only users in the same group can communicate with each other.
Guest Management
Full Lifecycle Guest Management

[Diagram: guests on phones connect through a wired switch or a wireless AC to the network and the Internet; the ASG handles guest accounts.]

Account application
• Registration: employee application or self-help application.
• Approval: automatic approval, administrator approval, or approval by the receiver.
• Distribution: by SMS, email, or web.
User authentication
• User name and password authentication, or passcode authentication.
• Right isolation using VLANs or ACLs.
• L3 GRE.
Audit and deregistration
• User login and logout audit.
• Online behavior audit.
• Automatic deregistration after expiration.
• Scheduled account deregistration.
Intelligent Terminal Identification, Terminal-based Policy Delivery

Terminal identification method (dumb terminals, traditional terminals, and smart terminals)
• Obtains vendor OUI information from MAC addresses.
• Obtains vendor information from DHCP packets.
• Obtains the terminal's operating system, IE browser, and terminal type information from HTTP packets.
The authentication packets sent from the AP, AC, or switch to the Agile Controller carry the terminal type.

Terminal-based service policies
• Customizes authentication pages based on terminal types.
• Delivers different service policies, such as VLAN, ACL, and bandwidth limiting policies, based on terminal types.

Terminal-based policies for the same account
• Provides different policies for the same account based on the terminal type, implementing fine-grained rights control.

Policy delivery based on terminal types
• Delivers service policies, such as VLAN, ACL, bandwidth limiting, and user isolation policies, based on the reported terminal types.
Senseless Authentication: One-time Authentication for Multiple Access

Portal + MAC address authentication: the first wireless access uses Portal authentication; subsequent access uses MAC address authentication only.
1. A user initiates a web authentication request.
2. The Portal server sends the authentication request to the AC.
3. The AC initiates RADIUS authentication and sends the user name, password, and terminal MAC address to the RADIUS server.
4. The RADIUS server performs authentication and records the terminal MAC address.
5. After the initial access, the RADIUS server performs only MAC address authentication on wireless users. Users are not aware of the authentication process.

Portal server
• Stores the web authentication page.
• Provides the page customization function.
• Connects to the AC.
RADIUS server (Agile Controller)
• Stores user names, passwords, and user policies.
• Connects to the AC.
• Records the MAC addresses of users.
Customized Enterprise Portal Page

Solution
• Supports Portal page customization (registration page customization, authentication page customization, and template management) and provides enterprises with tailored pages.
• Allows enterprises to customize the information displayed on the Portal page.
Highlights
• The enterprise GUI style is uniform.
• The enterprise image is displayed.
Products
• WLAN products
• Portal and authentication server: Agile Controller
Location-based Information Push

Solution
• This solution provides Internet access and services using Portal authentication.
• Portal redirection messages carry SSIDs and MAC addresses.
• The web server obtains the advertisements associated with the AP according to the AP information and pushes them on the Portal authentication page (for example, a welcome message for the free WLAN and a sale notice next to the user name and password fields).
Highlights
• Location-based advertisement pushing is more effective.
• Fine-grained advertisement operation attracts business cooperation and increases profit.
Products
• WLAN products
• Portal and authentication server: Agile Controller
• Web server: provides customized advertisements.
Free Mobility
Free Mobility: Centered on Services and Experience

Ubiquitous policies
1. Rights (Permit/Deny)
2. Service flow
3. Security (IPS/AV/application security)
Enhanced experience
1. Priority
2. Bandwidth

[Diagram: the Agile Controller delivers the same policies and resources for a user (User: XXX, Location: XXX) whether the user connects in Silicon Valley, Shenzhen, or Beijing over the WAN/Internet; the outcomes are No Access, Differentiation, or Guaranteed Experience.]
Free Mobility: Solution Deployment Logic Diagram

1. The Agile Controller defines and delivers user groups and policies simultaneously.
   • To execution point devices (NGFW, SVN): VIP priority guarantee, VIP remote access, and security protection resource guarantee.
   • To authentication point devices (agile switch/native AC in the enterprise campus): bandwidth guarantee, service flow policy, and rights policy.
2. Users go online after authentication, and the user group is identified.
3. Policies are executed (for example, for an employee on a business trip at an enterprise branch and a VIP employee using remote access).

Execution point devices
• Switches: S12700/S9700/S7700/S5720HI
• NGFW: USG6300/6500/6600 series
• SVN: SVN5800 series
Free Mobility: Centralized Authentication and UUM

Centralized authentication
Wired and wireless authentication points are deployed on the core switch (ENP card/native AC), reducing the difficulty of configuring and managing multiple authentication points.

Multiple authentication modes
PPPoE, 802.1x, Portal, and MAC authentication, or a combination of authentication modes, can be adapted for different service scenarios.

UUM (Unified User Management)
The unified authentication mode is deployed on the core switch, which stores information about users and user groups for the entire network.

Inter-user group policies (example lookups on the authentication point device)
• User group access to a resource group: input source IP 10.138.63.15 (R&D employee group) and destination IP 10.111.13.5 (data center); output inter-group policy: Permit.
• Inter-user group access: input source IP 10.138.63.15 (R&D employee group) and destination IP 10.12.138.23 (sales employee group); output inter-group policy: Deny.
[Diagram also shows an office server group as a resource group behind the execution point device.]
Ubiquitous Policies: Inter-Group, Refined Rights Management

1. The Agile Controller defines and delivers policies simultaneously.

User group definition
Group name | Group ID | Definition (5W1H-based)
R&D desktop cloud | 10 | R&D employees using the desktop cloud
R&D BYOD | 11 | Employees who bring their own devices
Sales | 20 | Sales employees
VIP | 30 | VIP employees

Inter-user group policy definition (source group by destination group)
Source group | Sales employee | R&D server | Sales server
R&D desktop cloud | Deny | Permit | Deny
R&D BYOD | Deny | Deny | Deny
Sales employees | Permit | Deny | Permit
VIP employees | Permit | Permit | Permit

5W1H: Who, Whose, What, When, Where, and How

2. Users go online after being authenticated. The authentication switch (agile switch/native AC) reports the IP address to the Agile Controller (for example, User: A, Group ID: 13, IP address: XXX). New users can be added to a user group and allocated IP addresses.
3. Users send service flows that are forwarded to the authentication switch. The switch identifies the source and destination groups and executes the inter-user group policies.
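The group lookup and matrix evaluation described in the UUM slide and in steps 2 and 3 above, as an added example that is not Huawei code: it uses the slide's group IDs and Permit/Deny cells, while the resource group IDs and all IP addresses are constructed.

```python
"""Inter-user group policy evaluation (added example, not Huawei code).

The Agile Controller's user group table and Permit/Deny matrix from the
slide are modelled as plain data; the authentication switch's IP-to-group
binding is a small table that is filled when a user goes online.
Group names, IDs and matrix cells are the slide's; the resource group IDs
and every IP address below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# User group definition: group name -> group ID (from the slide).
USER_GROUPS = {"R&D desktop cloud": 10, "R&D BYOD": 11, "Sales": 20, "VIP": 30}

# Resource (destination) groups for the matrix columns; IDs are constructed.
RESOURCE_GROUPS = {"R&D server": 100, "Sales server": 101}

# Inter-user group policy matrix: (source group ID, destination group ID) -> action.
# Destination columns: Sales employee (20), R&D server (100), Sales server (101).
POLICY_MATRIX = {
    (10, 20): "Deny",   (10, 100): "Permit", (10, 101): "Deny",
    (11, 20): "Deny",   (11, 100): "Deny",   (11, 101): "Deny",
    (20, 20): "Permit", (20, 100): "Deny",   (20, 101): "Permit",
    (30, 20): "Permit", (30, 100): "Permit", (30, 101): "Permit",
}


class GroupTable:
    """IP-to-group bindings as held by the authentication switch."""

    def __init__(self):
        self.users = {}       # host IP -> group ID, reported at login, removed at logout
        self.resources = []   # (network, group ID), static resource groups

    def bind_user(self, ip, group_id):
        self.users[ip_address(ip)] = group_id

    def unbind_user(self, ip):
        self.users.pop(ip_address(ip), None)

    def add_resource(self, cidr, group_id):
        self.resources.append((ip_network(cidr), group_id))

    def lookup(self, ip):
        """Group ID of an address, or None if it is neither a logged-in user nor a resource."""
        addr = ip_address(ip)
        if addr in self.users:
            return self.users[addr]
        for net, group_id in self.resources:
            if addr in net:
                return group_id
        return None


def evaluate(table, src_ip, dst_ip, matrix=POLICY_MATRIX, default="Deny"):
    """Decide a flow the way the authentication switch does: map both
    addresses to groups, then look up the (source, destination) cell.
    Unknown endpoints and missing cells fall back to the default action."""
    src, dst = table.lookup(src_ip), table.lookup(dst_ip)
    if src is None or dst is None:
        return default
    return matrix.get((src, dst), default)


def policy_entry_counts(table, matrix=POLICY_MATRIX):
    """Size of the group matrix versus the per-source-IP ACL entries it replaces."""
    destinations = len({dst for _, dst in matrix})
    return {"group_matrix": len(matrix), "per_ip_acl": len(table.users) * destinations}


def build_sample_table():
    """Constructed sample: three users online and two server subnets."""
    table = GroupTable()
    table.add_resource("10.111.13.0/24", RESOURCE_GROUPS["R&D server"])
    table.add_resource("10.111.14.0/24", RESOURCE_GROUPS["Sales server"])
    table.bind_user("10.138.63.15", USER_GROUPS["R&D desktop cloud"])
    table.bind_user("10.138.63.16", USER_GROUPS["R&D BYOD"])
    table.bind_user("10.12.138.23", USER_GROUPS["Sales"])
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for src, dst in [("10.138.63.15", "10.111.13.5"), ("10.138.63.15", "10.12.138.23"),
                     ("10.12.138.23", "10.111.14.7"), ("10.138.63.16", "10.111.13.5")]:
        print(src, "->", dst, evaluate(t, src, dst))
    print(policy_entry_counts(t))
```

A user who logs out is unbound, so the same address immediately falls back to the default Deny; the per-IP count shows why group-based cells consume fewer ACL resources than per-source-IP rules as users come and go.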
Ubiquitous Policies: Global Centralized Policy Control

[Diagram: the Agile Controller in the data center controls inter-user group policies for sales employees, R&D employees, outsourced employees, VIPs, and guests (√ permitted, × denied).]

• Based on the SDN idea of global centralization: The Huawei Agile Campus Network Solution uses the Agile Controller as the core device for centralized configuration and security policy deployment for the entire network. A one-time configuration takes effect in a uniform manner, which reduces the number of inconsistent configurations.
• Automatic policy deployment: One-click policy delivery and automatic translation reduce the configuration workload.
• Inter-user group policy control: Policies based on source and destination users replace policies based on source users and IP addresses, enabling more flexible inter-user group control.
• Improved network resource use efficiency: Compared with previous solutions, two-dimensional inter-user group policies support more policies and reduce the consumption of Access Control List (ACL) resources on devices.
Consistent Experience: Unified User Experience Guarantee

• Authentication point (agile switch/native AC in the enterprise campus): obtains the user identity during the authentication process. After authentication, the authentication point limits the access rate of each user according to the policy delivered by the Agile Controller.
• Campus egress firewall (NGFW): automatically sends VIP user traffic to a high-priority queue according to the policy delivered by the Agile Controller.
• Branch WAN router: automatically sends VIP user traffic to a high-priority queue according to the policy delivered by the Agile Controller (for an employee on a business trip at an enterprise branch).
• SSL VPN (SVN) device: automatically sends VIP user traffic to a high-priority queue according to the policy delivered by the Agile Controller (for a VIP employee using remote access over the Internet).
Scenario 1: Mobile Office with Free Mobility

[Diagram: a user's access rights, QoS, bandwidth, and security policies follow the user between the Xi'an, Beijing, and Nanjing campuses and on business trips.]

Usage scenario: In the mobile office scenario, users are presented with consistent policies and experiences when they access the corporate network from different locations. In other words, the users gain free mobility and their experience accompanies them.

Customer challenges: A user can access the corporate network from different locations, and different users may access the network at the same physical location, making network device configurations complex when a large number of static VLANs or ACLs are deployed. Configuration change remains a complicated task for the IT department.

Huawei Agile Campus Network Solution: The solution deploys user group-based and inter-user group policies on the Agile Controller in a unified manner and delivers the policies to devices on the entire network. After going online, users are presented with consistent policies and experiences.

Customer benefits: Customers benefit from free mobility and an accompanying experience in the mobile office workspace.
Scenario 2: Temporary Work Group Established at Any Time

Usage scenario: A temporary work group works in the same area (accessing the same switch and AP). Users of different roles (for example, sales, R&D, and outsourced employees) obtain different rights and are isolated from one another. A temporary work group can be established or removed at any time.

Customer challenges: Access switches are configured with VLANs and ACLs that are bound to users, implementing source user-based rights control.
• Problem 1: Switch configurations are complex, making network maintenance difficult when users are added or deleted.
• Problem 2: If only ACLs are delivered, intra-VLAN users cannot be isolated from one another.
• Problem 3: With a growing number of user types, the number of pre-configured VLANs and IP address segments on access switches multiplies.

Huawei Agile Campus Network Solution: The solution defines user group-based and inter-user group policies on the Agile Controller and delivers these policies to switches and other network devices. After going online, users of different roles are associated with different user groups. In this manner, the users attain different user rights and are isolated from one another.

Inter-user group policy matrix (source group by destination group)
Source group | R&D | Sales | VIP | Guest | Server
R&D | Permit | Permit | Deny | Permit | Permit
Sales | Permit | Deny | Permit | Permit | Permit
VIP | Permit | Permit | Permit | Permit | Permit
Guest | Deny | Deny | Deny | Deny | Permit
Server | Permit | Permit | Permit | Permit | Permit

Customer benefits: A temporary work group can be set up or removed at any time without changing any network device configurations.
Scenario 3: VIP User Experience Guarantee

The Agile Controller collaborates with network devices to allocate guaranteed resources (bandwidth, priority, and VPN resources) to VIP users. Centralized control guarantees VIP users an end-to-end, consistent experience.
• Authentication switch (agile switch/native AC): sends VIP user traffic to a high-priority queue according to the policy delivered by the Agile Controller.
• NGFW: automatically sends VIP user traffic to a high-priority queue according to the policy delivered by the Agile Controller.
• VPN access (VIP user access through the VPN from the WAN/Internet): The network guarantees that the VPN access resources needed by VIP users are available. When the SVN resources are exhausted, the Agile Controller forces common users to go offline, ensuring VIP access.
Service Orchestration
Service Orchestration: Dynamically Allocate Security Resources and Achieve Network-wide Protection

Function
The Agile Controller pools security resources to form the security resource center. It can flexibly invoke security capabilities based on attributes such as the resource, user, and zone to improve the security protection capability of the entire network.

Components
• Agile Controller: Delivers security policies to the agile switch based on service security requirements to flexibly invoke the security capabilities in the security resource center.
• Agile switch (core layer and aggregation layer): Imports traffic through a tunnel to the specified security resource for detection based on the security policy delivered by the Agile Controller.
• Security resource center (firewall, antivirus, online behavior management): A security device can be invoked by an agile switch multiple times or by different agile switches simultaneously. In addition to NGFWs, third-party security devices can be integrated in the security resource center through open interfaces.

Typical application
• Security protection of dumb terminals
• Fast invoking of security resources for a user group or resource group
Agile Controller: User Group-based Service Flow Security Policies

The solution can be used with the dynamic security resource allocation solution for a specified group on the authentication point switch of the agile campus network to schedule flows in the specified orchestration sequence. You configure group-based security policies on the Agile Controller to define the service flows that need to be processed by security devices and to specify the sequence in which the flows are processed.

Step 1: Define service flow policies.
Example: Flows from financial employees to financial data in the data center must be imported to the security resource center for detection, while other types of flows are not.

Step 2: Apply security policies.
The NGFW identifies the applications of the service flows and applies security policies (including block, IPS, antivirus, and content filtering) based on the user group and application. The NGFW can identify more than 6000 applications.
Example: BYOD flows from R&D employees during working hours are scheduled to the security resource center, where non-working applications, such as social applications and games, are filtered.
Drag and Adjust Service Chains to Realize Service-based Policy Execution

1. Create a service flow based on service needs.
2. Select an agile switch as the orchestration device.
3. Define the service chain resources.

Application scenario
• Works with the Free Mobility component to plan service chains based on the user and service type:
  Guests access the Internet: Firewall <--> Online behavior management
  R&D personnel access the DC: Firewall <--> Antivirus
  Sales personnel work in the office: Firewall <--> Online behavior management <--> Antivirus
  …
• Works with the United Security component to deliver service chains to risky assets or zones.

Customer benefits
• Flexibly implements security policies that are not limited by location.
• Reduces user investment and improves security resource usage.
Scenario 1: Import Guest Traffic to the Security Data Center for Detection

There are security risks in guest traffic because guests' terminals are not controlled by the enterprise. Guest traffic therefore needs to be imported to the security resource center.
1. Define service flow policies: Define service flow policies that import guest traffic from the agile switch/native AC to the security resource center in the data center.
2. Apply security policies: The security resource center applies security policies including block, PBR, IPS, antivirus, and content filtering.
Scenario 2: Security Check Based on Specified Groups to Prevent Terminal Spoofing Attacks

Huawei solution:
1. Dynamically invoke security resources: Configure a printer group on the Agile Controller and enable service flows of the printer group to be detected by the security resource center (the NGFW reached through a tunnel from the core agile switch).
2. Unauthorized terminals connect to the network: Unauthorized terminals forge dumb terminals to connect to the internal campus network without passing the authentication system.
3. Block unauthorized access and generate alarms: Unauthorized traffic is checked by the security resource center. If the protocols and ports in the traffic are not those of the printer group, the Agile Controller blocks the traffic and generates alarms.

Customer benefits: Effectively prevents hackers or malicious users from attacking the campus network with forged addresses.
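The protocol and port check of step 3, run over sample flow records, as an added example that is not Agile Controller code. The printer profile (RAW 9100, IPP 631, LPD 515, SNMP 161) and the log format are assumptions; all log lines are constructed.

```python
"""Printer-group protocol check (added example, not Agile Controller code).

Flows whose source belongs to the printer group are permitted only if
they use the protocols and ports the group is expected to use; anything
else is blocked and raises an alarm. The printer profile (assumed: RAW 9100,
IPP 631, LPD 515, SNMP 161) and all log lines below are constructed.
"""
import re
from collections import defaultdict

# Group profiles: expected (protocol, destination port) pairs. Assumed values.
GROUP_PROFILES = {
    "printer": {("tcp", 9100), ("tcp", 631), ("tcp", 515), ("udp", 161)},
}

# Constructed flow log format (key=value fields), not a real export format.
LOG_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) group=(?P<group>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    flow["proto"] = flow["proto"].lower()
    return flow


def inspect_flow(flow, profiles=GROUP_PROFILES):
    """Return 'pass' (group not checked), 'permit' or 'block' for one flow."""
    profile = profiles.get(flow["group"])
    if profile is None:
        return "pass"          # only flows of the configured group are steered here
    return "permit" if (flow["proto"], flow["dport"]) in profile else "block"


def check_flows(lines, profiles=GROUP_PROFILES):
    """Run the check over log lines; return decisions and per-source alarms."""
    decisions, alarms = [], defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue           # skip malformed lines rather than fail open
        verdict = inspect_flow(flow, profiles)
        decisions.append((flow["src"], flow["proto"], flow["dport"], verdict))
        if verdict == "block":
            alarms[flow["src"]].append(
                f"{flow['time']} {flow['src']} (group {flow['group']}) used "
                f"{flow['proto']}/{flow['dport']} to {flow['dst']}: not a printer protocol")
    return decisions, dict(alarms)


# Constructed sample: a real printer, a host posing as a printer, an employee.
SAMPLE_LOG = """\
2014-07-08T09:12:01 src=10.20.0.5 group=printer proto=tcp dst=10.111.13.5 dport=9100
2014-07-08T09:12:07 src=10.20.0.5 group=printer proto=udp dst=10.111.13.9 dport=161
2014-07-08T09:13:30 src=10.20.0.7 group=printer proto=tcp dst=10.111.13.5 dport=445
2014-07-08T09:13:31 src=10.20.0.7 group=printer proto=tcp dst=10.111.13.6 dport=22
2014-07-08T09:13:40 src=10.30.0.8 group=employee proto=tcp dst=10.111.13.5 dport=445
this line is not a flow record
""".splitlines()


if __name__ == "__main__":
    decisions, alarms = check_flows(SAMPLE_LOG)
    for d in decisions:
        print(d)
    for src, msgs in alarms.items():
        print(src, "->", len(msgs), "alarm(s)")
```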
United Security
United Security: From Single-Point Security to Comprehensive Network Protection

1. Collects security events on the entire network. Security events include network and security device logs, terminal user behavior logs, and abnormal traffic logs.
2. Performs Big Data analytics. The Agile Controller analyzes the collected mass data and detects potential security risks.
3. Quickly responds to security events. Sends alarms in real time and recommends a response; flexibly delivers security policies and quickly responds to security events.
4. Dynamically allocates security resources. Pools the security devices on the entire network (the NGFW and third-party security devices in the security resource center) and dynamically allocates security resources according to area, user group, and security event, significantly improving the security protection capabilities of the entire network.
Key Technology 1: Big Data Security Log Collection, Correlation, and Response

Data collection
• Collects and identifies logs on 160+ types of devices: security devices, network devices, host devices, databases, TSM, and scanners.
Data processing
• Data compression, data merging, and format standardization.
Correlation analysis
• Performs correlation analysis of massive logs from devices on the entire network to quickly detect and respond to security events.
• Powerful correlation analysis engine: inter-device, cross-type, and multi-event correlation analysis; multi-dimensional analysis based on rules, groups, time, and counts.
• Common correlation rules (use cases): intranet access threats, network and service threats, secure O&M, and customization.
Security response
• SNMP trap, SMS, email, event resolution recommendation, security policy delivery, and third-party interfaces.
Typical Deployment: Security Correlation Analysis and Response

[Diagram: the Agile Controller in the O&M zone collects logs from the NGFW, core switch, aggregation switches, and server zone, performs correlation analysis, and issues the security response.]

Deployment recommendation:
1. Agile Controller deployment: Deploy the Agile Controller in the O&M zone.
2. Log collection: Configure the devices for log collection on the Agile Controller, confirm the types of log collection protocols, and ensure communication between the devices and the Agile Controller.
3. Correlation rule customization: Directly invoke the Agile Controller correlation rule templates (use cases) based on service characteristics. If the templates do not meet requirements, security correlation rules can be customized.
4. Security event response: Configure security response mechanisms, such as alarms, SMS messages, and emails.

Typical application:
• Guessing/cracking of device login passwords
• Network attacks from user terminals
• O&M noncompliance (for example, bypassing bastion hosts)
Typical Deployment: Customized Correlation Rules

Correlation rule customization elements
• Rule type: sequence rule (Sequence); compound rule (AND); compound rule (OR) ≥ 2.
• Grouping basis: the attributes by which correlated events are grouped.
• Time period: the sub-rule conditions must be met within the rule's time period to trigger the rule.
• Count: the number of sub-rule matches required to trigger the rule.

How to apply:
• Sub-rule 1, sequence rule: Event 1 -> Event 2 -> Event 3; all events occur in that order.
• Sub-rule 2, compound rule (AND): Event 3 + Event 1 + Event 2; all events occur, in no particular order, and match the rule.
• Sub-rule 3, compound rule (OR) ≥ 2: Event 1 + Event 2, or Event 3; two or more of the events occur and match the rule.
• Grouping basis: Sub-rules are associated with one another based on IP addresses and ports.
• Rule embedding: If system, device, and application logs match the IP addresses and ports in the grouping basis while matching sub-rules 1, 2, and 3 more than 10 times within 30 minutes, the security event is rated as severe security event A.
Typical Deployment: Customized Correlation Rule Example

Sample: "detecting network attacks in a zone"

Rule for network attacks in a zone: a suspicious attack is any one (OR) of the following switch events:
• The rate exceeds the global rate limit of ARP Miss packets.
• An ARP gateway attack occurred.
• The attack source information (for example, DHCP) is displayed when a device is attacked.
• The ARP packets do not match the user binding table.
• A device whose IP address conflicts with the IP address of the VLANIF interface through DHCP exists on the network.

Condition: over 20 network attacks (the attack time and the number of attacks can be defined) occur in a certain area (define the area by defining a switch group and associating the logs of the switch group) within 5 minutes.

Action: alarm "Network attacks occur in XX area."
Network Security Status Display Helps You Rapidly Learn About the Network Situation
1. Display and query the health status of the entire network in real time.
2. Display the security status based on zones. You can click an attack flow to display its attack events.
3. Display the security status based on key assets. You can click each asset to display its security events.
4. Display security events ordered by urgency, together with handling suggestions.
42
Typical Deployment: Display Security Status by Area and Assets
Deployment Recommendation:
1. Agile Controller deployment: Deploy the Agile Controller in the O&M zone.
2. Log collection: Configure the devices for log collection on the Agile Controller, confirm the types of log collection protocols, and ensure communication between the devices and the Agile Controller.
3. Security status display: Configure the asset information (at the asset management and configuration interface) and area information (at the area management and configuration interface) that must be monitored. The Agile Controller analyzes the information and displays the security status.
Typical Application:
• O&M personnel can view the security status of the entire network in real time.
[Screenshots: Asset Management and Configuration Interface; Area Management and Configuration Interface]
43
Scenario 1: Quick View of Key Asset Security
[Figure: define the asset class; the system can select and display the security status of key assets based on asset importance. Steps shown: defines corporate key assets; displays security status of key assets; displays risks and provides handling recommendations.]
Huawei Solution:
1. Defines corporate key assets: Defines asset importance based on the value of corporate assets.
2. Displays the security status of key assets: Analyzes massive security logs for the entire network and detects risk states of the corresponding assets. O&M personnel clearly understand the risk status of each asset.
3. Displays risks and suggests a resolution: Provides a detailed description of each risk and security event-handling recommendations based on Huawei's longstanding, professional security expertise, helping O&M personnel implement effective security hardening.
Customer Benefits:
Quickly detects security risks and effectively protects key assets while reducing the workload of O&M personnel and associated OPEX.
44
Scenario 2: Deep Correlation Analysis Blocks Malicious Terminal Attacks
[Figure: server zone with NGFW and Agile Controller; ③ Big Data-based correlation analysis]
Huawei Solution:
1. Malicious terminal attacks: Malicious terminals attempt to log in to devices located throughout the network that may have weak passwords. These terminals log in to each device once or twice. The device considers such single login events as normal operations.
2. Correlation rule: If the same IP address receives more than 20 login failures from different devices (including network and security devices and servers) within one hour, the terminal is flagged for "guessing password" behavior and the Agile Controller reports an alarm.
3. Big Data-based correlation analysis: The Agile Controller analyzes logs reported from each device to detect malicious terminals, generates security events, and notifies O&M personnel of security events.
4. Security policy delivery: O&M personnel deliver security policies based on the correlation results to quickly block unauthorized users.
Customer Benefits:
Malicious terminal attacks are quickly detected and are blocked before security events occur, securing corporate service data and environments.
45
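The two threshold rules described on this page, the zone rule on slide 41 (over 20 network attacks from one switch group within 5 minutes) and the "guessing password" rule in Scenario 2 above (over 20 login failures from one IP address within one hour, spread across many devices), as one added example that is not Agile Controller code: a sliding-window detector replayed over constructed syslog-style lines. The log format, device and zone names, event names, and the choice to count failures per source IP regardless of how many devices they target are assumptions.

```python
"""Sliding-window threshold detection over constructed log lines for the
'guessing password' rule (per source IP, > 20 login failures in one hour) and
the 'network attacks in a zone' rule (per zone, > 20 attack events in 5 minutes).
Added illustration, not Agile Controller code; format and names are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

T0 = datetime(2014, 7, 8, 10, 0, 0)

# Constructed names standing in for the five ARP/DHCP attack log types on slide 41.
ATTACK_EVENTS = sorted({"ARP_MISS_RATE_LIMIT", "ARP_GATEWAY_ATTACK", "ARP_BINDING_MISMATCH",
                        "IP_CONFLICT_VLANIF", "ATTACK_SOURCE_REPORT"})


def _line(ts, device, zone, src, event):
    """One constructed syslog-like line: '<iso time> device=.. zone=.. src=.. event=..'."""
    return f"{ts:%Y-%m-%dT%H:%M:%S} device={device} zone={zone} src={src} event={event}"


def _lines(n, step, fmt):
    return [fmt(i, T0 + step * i) for i in range(n)]


SAMPLE_LOGS = sorted(
    # 22 failures from one source, two per device across 11 devices: each device alone
    # sees only a couple of failures, which is why per-device logic does not notice.
    _lines(22, timedelta(minutes=2),
           lambda i, ts: _line(ts, f"sw-{i % 11:02d}", "zoneA", "10.1.1.50", "LOGIN_FAIL"))
    # a handful of mistyped passwords from another user, well below the threshold
    + _lines(5, timedelta(minutes=3),
             lambda i, ts: _line(ts, "sw-03", "zoneA", "10.1.1.60", "LOGIN_FAIL"))
    # 25 attack events in zoneB within about four minutes, over four switches
    + _lines(25, timedelta(seconds=10),
             lambda i, ts: _line(ts, f"sw-{i % 4:02d}", "zoneB", f"10.2.2.{i}",
                                 ATTACK_EVENTS[i % 5]))
    # 20 attack events in zoneC spread over 20 minutes: never 21 inside 5 minutes
    + _lines(20, timedelta(minutes=1),
             lambda i, ts: _line(ts, "sw-20", "zoneC", "10.3.3.1", "ARP_GATEWAY_ATTACK"))
)


def parse(line):
    """Parse one constructed line into a dict, with the timestamp under 'ts'."""
    stamp, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return rec


@dataclass
class ThresholdRule:
    name: str
    match: Callable[[dict], bool]     # which records the rule counts
    group_by: Callable[[dict], str]   # grouping basis: source IP, or zone (switch group)
    window: timedelta                 # time period
    threshold: int                    # alarm when the count exceeds this


RULES = [
    ThresholdRule("guessing password", lambda r: r["event"] == "LOGIN_FAIL",
                  lambda r: r["src"], timedelta(hours=1), 20),
    ThresholdRule("network attacks in zone", lambda r: r["event"] in ATTACK_EVENTS,
                  lambda r: r["zone"], timedelta(minutes=5), 20),
]


def run_rules(lines, rules=RULES):
    """Replay log lines in time order; return one alert dict per (rule, group) burst."""
    state = {rule.name: defaultdict(deque) for rule in rules}
    alerts = []
    for rec in map(parse, lines):
        for rule in rules:
            if not rule.match(rec):
                continue
            key = rule.group_by(rec)
            recent = state[rule.name][key]
            recent.append(rec)
            while rec["ts"] - recent[0]["ts"] > rule.window:   # slide the time period
                recent.popleft()
            if len(recent) > rule.threshold:
                alerts.append({"rule": rule.name, "key": key, "at": rec["ts"],
                               "devices": sorted({r["device"] for r in recent})})
                recent.clear()   # one alarm per burst; counting restarts afterwards
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(f"ALARM {alert['rule']}: {alert['key']} at {alert['at']:%H:%M:%S}, "
              f"devices={alert['devices']}")
```

The zoneB alarm fires on the 21st attack event and the 10.1.1.50 alarm on the 21st failure, with the alert listing the 11 devices the failures were spread across; zoneC never accumulates 21 events inside any 5-minute window, so it stays quiet.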
Scenario 3: Device Collaboration to Prevent Security Outbreaks
[Figure: Agile Controller (① Big Data-based correlation analysis); security resource center with NGFW and third-party security device (② dynamic invocation of security resources); legend: collecting security events, service flow, security policy, tunnel]
Huawei Solution:
1. Detects the problem with Big Data security correlation analysis:
• Correlation rule establishment: Enables the template of "network attacks in a certain area" in the "use case."
• Correlation analysis: Analyzes logs reported from devices on the entire network and detects multiple terminals conducting IP address scanning over the entire network from a certain area.
2. Emergency handling through dynamic invocation of security resources: O&M personnel quickly invoke security capabilities in the security resource center and clean traffic in the area to ensure normal service operations and prevent further proliferation of security events.
3. Solves the problem with terminal security hardening: If a large number of terminals are infected with Trojan horses and worms, the terminal virus library may be out of date and unable to keep the viruses in check. Configure terminal virus library upgrade policies and deliver them. The terminals can then upgrade their virus library and remove the viruses.
Customer Benefits:
Detects security events in a certain area and quickly invokes security resources to carry out effective defense against attacks, preventing security events from proliferating and affecting services.
46
Terminal Security Management
47
Terminal Security Hardening, Desktop Management, and Data Leak Prevention
Key Features: terminal security hardening, desktop management, network identity identification, and data leak prevention.
Terminal Security Hardening
• Antivirus and check for suspicious processes/registry entries
• Patch management and security hardening
Desktop Management
• Software distribution, asset management, and remote assistance
Data Leak Prevention
• Mobile storage device management, network access monitoring, unauthorized connection monitoring, and file operation auditing
48
Terminal Security Hardening Meets Enterprise Access Requirements
Role-based Dynamic Policy Control
Policy template for security check in the core department:
• Password complexity check
• Unauthorized connection monitoring
• Web access monitoring
• Antivirus software monitoring
• Mobile storage device monitoring
Policy template for security check in the ordinary department:
• Password complexity check
• Unauthorized connection monitoring
• Mobile storage device monitoring
Policy template for temporary office security check:
• Antivirus software monitoring
If the security check fails, network access is prohibited, and records about the unauthorized access are reported to the server. If the security check succeeds, network access is permitted.
[Figure: checked terminals reaching service resource 1 (ERP system), service resource 2 (OA mail system), and the Internet area]
• Protects the investment value of security products such as AVs.
• Reduces spreading of malicious code, improves the availability of resources, and lowers service interruption risks.
• Lowers the information leakage risks.
• Lowers terminal threats to the network.
• Provides correct and real-time enterprise compliance information.
Diversified Security Check Policies in the Industry
• Customizes role- or department-specific security rules.
• Supports evolution of enterprise security management systems.
49
Desktop Maintenance Assistant Implements Automatic Desktop Management
Industry-leading patch management system implements automatic patch repair without the need for daily maintenance. Accurate, efficient, and controllable:
• Locate vulnerabilities according to the authoritative data source
• Accurately present patches for terminals
• Active scanning, fast evaluation
• Automatic patch update
• Minimum bandwidth occupation
• Active management, continuous update
• Automatically verify patches
• Automatically ignore abnormal patches
• Time-based vulnerability repair in batches
Automatic software distribution and file/program/configuration deployment simplifies terminal information maintenance and improves deployment efficiency. Fast, simplified, and controllable:
• Fast distribution based on the subnet and file sharing by all subnets
• Distribution in any file format, and file distribution in batches
• Unattended installation and default parameter modification
• Software distribution by department or operating system
• Time-based distribution
50
Control Employee Behaviors to Reduce Information Leaks
Peripheral Use Auditing
• USB installation or removal operations
• USB file operations auditing
• Use of other peripherals
Network Behavior Auditing
• Web access auditing
• Unauthorized external connection
• Network traffic monitoring
Employee Operation Auditing
• Control non-standard software
• Monitor programs and services
• Prohibit read-only or read-write drives
Terminal File Auditing
• Create files
• Copy files
• Rename or delete files
51
Flexible Deployment, Security and Reliability, Evolution
52
Agile Controller Architecture
MC (hierarchical deployment): The MC is used in hierarchical deployment mode. The MC defines the overall security policies and monitors policy execution on Agile Controller nodes.
SM: The SM allows system administrators to perform service management operations, including user management and security policy configuration, on the web management page.
SC: The SC implements authentication and authorization based on the user, device type, access time, access location, and access mode, and associates with switches, WLAN devices, and SACGs.
Client (Windows/Linux/MAC): Portal page, web agent page, and built-in 802.1x client (Windows/Linux/MAC/iOS/Android).
53
Centralized Deployment Facilitates Management
(Deployment modes: centralized, distributed, hierarchical)
[Figure: Agile Controller (SM + SC) in the pre-authentication domain; core switch, AC, APs, and SAs in Dept A and Dept B; post-authentication domains: service resource 1 (ERP), service resource 2 (OA mail system), post-authentication domain 3: Internet area]
Simplified Management, Improving Working Efficiency
• Unified management, convenient operation
• Centralized authentication of all terminals in the headquarters
• System status monitoring tool
54
Distributed Deployment Meets Requirements of Multiple Branches
(Deployment modes: centralized, distributed, hierarchical)
[Figure: Agile Controller (SM + SC) in the pre-authentication domain plus additional SCs; core switch, AC, APs, and SAs in Dept A and Dept B; post-authentication domains: service resource 1 (ERP system), service resource 2 (OA mail system), post-authentication domain 3: Internet area]
Flexible Deployment Caters to Complex Network Environments
• There are many terminals.
• There are many branches.
• Terminals in each branch are authenticated by the SC in the branch.
55
Hierarchical Deployment Meets Large-Scale Network Requirements
(Deployment modes: centralized, distributed, hierarchical)
[Figure: MC at the headquarters, where the admin makes global policies and delivers them; an Agile Controller (SM + SC) with its own pre-authentication domain in Province A and in Province B]
Hierarchical Management, Meeting Large-Scale Networking Requirements
Centralized Management
• Unified management, convenient operation
• Global policies applicable to the entire network
Hierarchical Maintenance
• Customized services at the local layer
• Terminals authenticated locally, facilitating management and maintenance
Applicable to large-scale networks that require multiple Policy Center systems
56
Content
1
Traditional Network Facing New Challenges
2
Huawei Agile Controller
3
Success Stories
57
Internet Surfing Solution for Customers of the Rural Credit Cooperatives in Kunming City
Background
The rural credit cooperatives in Kunming city form the first city-level rural credit union. The union develops and innovates a series of new products and services, meeting the needs of rural people and small- and medium-sized enterprises (SMEs) for localized, specialized, and personalized financial services. The customer requirements are as follows:
• WLAN is deployed in the business hall to provide customers with a value-added Internet surfing service.
• In the business hall, customers can connect their mobile phones and tablets to the WLAN free of charge to log in to online banking or mobile banking to process financial transactions.
Huawei Solution
• Uses the Agile Controller, which supports full-lifecycle guest management and allows guests to surf the Internet.
• Connects the queue management system (QMS) to the Agile Controller; when a customer clicks the QMS, the guest API of the Agile Controller is invoked to generate a temporary guest account and print the account for the customer.
• Redirects to the authentication page when a customer accesses any other web page. The customer can surf the Internet after being authenticated using the temporary account.
• Deletes the temporary account automatically 2 hours after the account is generated.
Customer Benefits
• Bank customers can browse and process transactions without the need to wait in queues, improving customer satisfaction.
• Customers can process services through WLAN access, reducing the load on bank staff.
• The automatic and intelligent system requires no management personnel, lowering IT costs.
[Figure: Internet; Agile Controller]
58
Guest Access Authentication Solution for Hong Kong Stock Exchange
Background
Hong Kong Exchanges and Clearing Limited (abbreviated as HKEx) is a holding company that wholly owns three subsidiaries: Stock Exchange of Hong Kong Limited, Hong Kong Futures Exchange Limited, and Hong Kong Securities Clearing Company Limited. It provides and manages stock and futures exchange and settlement.
The customer requirements are as follows:
• The wired and wireless networks are integrated to provide access for employees and guests.
• Personalized portals are provided to reduce IT operation and maintenance (O&M) pressure and improve the company's brand image.
Huawei Solution
• Uses the Agile Controller to authenticate access users and control policies for network access permissions. Users can access the pre-authentication domain when they fail authentication or when no authentication is available; users can access the isolation domain when they are authenticated but their terminals are insecure; users can access the post-authentication domain when they are authenticated and their terminals are secure.
• Provides the guest approval process. The receptionist creates a guest account and sends the account to the guest through a short message or prints the account on paper. The customer uses the account to access the Internet.
Customer Benefits
• The personalized portal improves the company's brand image.
• Guests are allowed to surf the Internet at any time, improving customer satisfaction.
• The easy-to-use Agile Controller reduces IT O&M costs.
[Figure: Internet; eSight; Agile Controller; DHCP/DNS server; core network; two aggregation switches (integrated AC); AP]
59
Access Authentication Solution for German Borussia Dortmund Football Club
Challenges of Internet Access for Fans in the Stadium
• Mass user access: 80,000 online users, 24,000 concurrent users
• Guaranteed service experience: User bandwidth needs to be guaranteed and differentiated services are required.
Huawei Solution
• The Agile Controller authenticates users and provides policy control for users' network rights. It limits the bandwidth of VIPs and common fans.
• The Agile Controller allows fans to use third-party social accounts to log in, without registration and approval.
Customer Benefits
• Fans can log in through accounts such as Facebook, Google, Twitter, and YouTube accounts.
• A personalized portal page and simplified Internet access improve user satisfaction and the stadium brand.
• The easy-to-use Agile Controller reduces IT O&M costs and meets the authentication requirements of many users.
60
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY
Copyright © 2014 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time
without notice.
Huawei Agile Campus Network Solution Products
Huawei Agile Campus Network Solution
Security: USG6000, AVE2000, SVN 5000, ASG 2000
Network: AR router, S9700/S7700, S12700, S5700, AP
Software: Agile Controller, eSight
Agile Campus Network
62
Agile Controller Functions
The Agile Controller implements software-defined networking across the Agile Campus, Agile Data Center, Agile WAN, and Agile Branch:
• Network automation based on services
• Visualized and unified management of physical and virtual networks
• Interconnection with four cloud platforms and unified deployment of ICT resources
• Free mobility, dynamic allocation of network resources
• United security, Big Data analytics
• Service chain, physical resource pooling
• One-key distribution and fast service deployment
• Zero local maintenance, reducing the TCO
• Openness at multiple layers, helping value-added services
• Centralized routing and traffic control, and intelligent scheduling
• Programmability, and network capability openness
63