PowerPoint presentation - Huawei Enterprise



2014/5/7
Huawei Policy Center Sales Guide
Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis
4. Bidding Support
Policy Center Evolution

Terminal Security Management (TSM)
- Positioning: traditional NAC market
- Function: secure access control for enterprise terminals and desktop management
- Scenario: fixed terminal management and control

Policy Center
- Positioning: campus/BYOD Policy Center
- Function: context-aware access control (wired and wireless convergence), visitor management, terminal identification, and health check
- Scenario: numerous terminal access, policy engine
Policy Center Overview

Policy Center = Unified authentication + Refined policy management + Terminal identification + Visitor management + Terminal security

[Diagram] Components around the Policy Center: refined policy management (When, Who, Where, What, Whose, How), visitor management system, unified authentication for multiple access modes (fixed, BYOD, VPN), terminal identification, terminal security, and mobile storage device management. Access paths into the enterprise network: wired access through the access switch (original function), wireless access through the AP, and VPN remote access from the Internet or a public radio network.
1. Access Authentication

Only authenticated terminals are allowed to access the network. 802.1x, MAC address, and Portal authentication modes are supported.

[Diagram] Employees, partners, and visitors connect through access switches, or through APs and an AC, to the core switch. Before a terminal reaches the BSS, CRM, ERP, and mail systems, the network asks "Who are you?" (authentication) and "What resources can you access?" (authorization).
2. Refined Policy Management: 5W1H-based Context Awareness

[Diagram] Context dimensions: user (employee, visitor, employee on a business trip), time (on-duty time, off-duty time), device (enterprise device, BYOD device), and location (campus, R&D area, headquarters).

Refined policy management, multi-dimensional authentication and authorization:

User Group (Who) | Device Type (What) | Device Attribute (Whose) | Access Point (Where) | Access Mode (How) | Access Time (When) | Available Resources
R&D | PC | Enterprise | R&D area | Wired | 24 hours | R&D resources
R&D | Mobile phone | Private | Non-R&D area | Wired | None | None
R&D | Mobile phone | Private | Non-R&D area | Wireless | 21:00-08:00 | Internet
HR | PC | Enterprise | Non-R&D area | Wired and wireless | 24 hours | HR resources
Visitor | Mobile phone | Private | Non-R&D area | Wired and wireless | 08:00-20:00 | Internet
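To make the table above concrete, here is an added example (not Huawei Policy Center code) of a small 5W1H rule engine in Python. The rule rows transcribe the table; the sample requests, the default-deny fallback when no row matches, and the treatment of each time window as half-open (the end minute is excluded) are assumptions of this example. The midnight-wrapping window 21:00-08:00 is the case a naive comparison gets wrong, so it is handled explicitly.

```python
"""5W1H context-aware authorization: a rule engine over the table above.

Added example, not Huawei Policy Center code. The rule rows transcribe
the slide's table; the sample requests are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

Window = Optional[Tuple[time, time]]  # None means "24 hours"


@dataclass(frozen=True)
class Rule:
    who: str                  # user group
    what: str                 # device type
    whose: str                # device attribute: Enterprise or Private
    where: str                # access point area
    how: Tuple[str, ...]      # permitted access modes
    when: Window              # permitted time window
    resources: Optional[str]  # None means the row denies access


@dataclass(frozen=True)
class Request:
    who: str
    what: str
    whose: str
    where: str
    how: str
    at: time


def in_window(window: Window, at: time) -> bool:
    """True if `at` is inside [start, end). A window whose start is later
    than its end (21:00-08:00) wraps past midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= at < end
    return at >= start or at < end


def evaluate(rules: List[Rule], req: Request) -> Optional[str]:
    """Return the resources granted by the first rule matching all six
    dimensions, or None when no rule matches (default deny)."""
    for r in rules:
        if (r.who, r.what, r.whose, r.where) != (req.who, req.what, req.whose, req.where):
            continue
        if req.how not in r.how or not in_window(r.when, req.at):
            continue
        return r.resources
    return None


# The slide's table, one Rule per row (constructed transcription).
RULES = [
    Rule("R&D", "PC", "Enterprise", "R&D area", ("Wired",), None, "R&D resources"),
    Rule("R&D", "Mobile phone", "Private", "Non-R&D area", ("Wired",), None, None),
    Rule("R&D", "Mobile phone", "Private", "Non-R&D area", ("Wireless",),
         (time(21, 0), time(8, 0)), "Internet"),
    Rule("HR", "PC", "Enterprise", "Non-R&D area", ("Wired", "Wireless"), None, "HR resources"),
    Rule("Visitor", "Mobile phone", "Private", "Non-R&D area", ("Wired", "Wireless"),
         (time(8, 0), time(20, 0)), "Internet"),
]


def authorize(who, what, whose, where, how, at) -> Optional[str]:
    """Convenience wrapper; `at` may be a datetime.time or an "HH:MM" string."""
    if isinstance(at, str):
        at = time.fromisoformat(at)
    return evaluate(RULES, Request(who, what, whose, where, how, at))


if __name__ == "__main__":
    # Constructed sample requests: a grant, a wrapped window, and denials.
    samples = [
        ("R&D", "PC", "Enterprise", "R&D area", "Wired", "03:00"),
        ("R&D", "Mobile phone", "Private", "Non-R&D area", "Wireless", "23:30"),
        ("R&D", "Mobile phone", "Private", "Non-R&D area", "Wireless", "12:00"),
        ("Visitor", "Mobile phone", "Private", "Non-R&D area", "Wired", "09:00"),
        ("HR", "PC", "Enterprise", "R&D area", "Wired", "09:00"),
    ]
    for s in samples:
        print(s, "->", authorize(*s) or "denied")
```

The second R&D row grants nothing at any time, so it is kept as an explicit deny rather than dropped: an explicit row documents the decision, whereas falling through to the default deny would look like a missing rule during an audit.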
3. Intelligent Terminal Identification

Terminal types: traditional terminals, smart terminals, and dumb terminals.

Terminal-based service policies
- Customizes authentication pages based on terminal types.
- Delivers different service policies, such as VLAN/ACL/bandwidth limiting policies, based on terminal types.

Terminal-based policies for the same account
- Provides different policies for the same account based on the types of terminals, implementing fine-grained rights control.

Terminal identification method
- Obtains vendor OUI information from MAC addresses.
- Obtains vendor information from DHCP packets.
- Obtains the terminal's operating system, IE browser, and terminal type information from HTTP packets.

[Diagram] The switch, AP, and AC report the identified terminal type to the Policy Center: the authentication packet carries the terminal type information.

Policy delivery based on terminal types
- Delivers service policies, such as VLAN, ACL, bandwidth limiting, and user isolation policies, based on the reported terminal types.
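The three identification methods listed above can be exercised offline. The following is an added example in Python, not Huawei Policy Center code: it extracts the OUI from a MAC address, walks DHCP option TLVs to read the vendor class identifier (option 60), matches the HTTP User-Agent, and combines the three into a terminal category. The OUI table, the DHCP vendor-class hints, the option bytes, and the User-Agent strings are all constructed for this example.

```python
"""Terminal identification from the three signals the slide names: the
vendor OUI in the MAC address, the vendor class in DHCP option 60, and the
operating system advertised in the HTTP User-Agent header.

Added example, not Huawei Policy Center code. The OUI table, the DHCP
option bytes, and the User-Agent strings are constructed for this example.
"""
import re
from typing import Dict, Optional

# Constructed OUI table: first three octets -> vendor. A real deployment
# would load the IEEE OUI registry instead.
OUI_TABLE: Dict[str, str] = {
    "00:1A:2B": "ExampleVoIP",
    "3C:4D:5E": "ExampleMobile",
    "A0:B1:C2": "ExamplePC",
}

# Constructed DHCP vendor-class (option 60) prefixes -> terminal category.
DHCP_CLASS_HINTS = {
    "ExampleVoIP-Phone": "Dumb terminal",
    "ExamplePrinter": "Dumb terminal",
}

# User-Agent rules, tried in order. iPhone/iPad must precede "Mac OS X"
# because iOS User-Agents contain the text "like Mac OS X".
UA_RULES = [
    (re.compile(r"iPhone|iPad"), "iOS", "Smart terminal"),
    (re.compile(r"Android"), "Android", "Smart terminal"),
    (re.compile(r"Windows NT"), "Windows", "Traditional terminal"),
    (re.compile(r"Mac OS X"), "macOS", "Traditional terminal"),
]


def oui_of(mac: str) -> str:
    """Normalise any common MAC notation and return the OUI as AA:BB:CC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def dhcp_vendor_class(options: bytes) -> Optional[str]:
    """Walk the DHCP option TLVs (the bytes after the magic cookie) and
    return the option 60 text, tolerating pads and truncated packets."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            break                # length byte missing: truncated
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:
            break                # value cut short: do not misread it
        if code == 60:
            return value.decode("ascii", errors="replace")
        i += 2 + length
    return None


def classify_user_agent(ua: Optional[str]):
    """Return (os_name, category) from a User-Agent, or (None, None)."""
    if ua:
        for pattern, os_name, category in UA_RULES:
            if pattern.search(ua):
                return os_name, category
    return None, None


def identify(mac: str, dhcp_options: bytes = b"", user_agent: Optional[str] = None) -> dict:
    """Combine the three signals. HTTP is the most specific, then the DHCP
    vendor class, then the OUI; all three are client-supplied, so the
    result selects a policy tier and is not an authentication factor."""
    oui = oui_of(mac)
    vendor = OUI_TABLE.get(oui)
    vendor_class = dhcp_vendor_class(dhcp_options)
    os_name, category = classify_user_agent(user_agent)
    if category is None and vendor_class:
        for prefix, hint in DHCP_CLASS_HINTS.items():
            if vendor_class.startswith(prefix):
                category = hint
                break
    return {"oui": oui, "vendor": vendor, "vendor_class": vendor_class,
            "os": os_name, "category": category or "Unknown"}


def dhcp_options_with_class(vendor_class: str) -> bytes:
    """Build constructed option bytes: option 53 (DHCPDISCOVER) + option 60 + End."""
    body = vendor_class.encode("ascii")
    return b"\x35\x01\x01" + b"\x3c" + bytes([len(body)]) + body + b"\xff"


if __name__ == "__main__":
    print(identify("00-1a-2b-10-20-30", dhcp_options_with_class("ExampleVoIP-Phone/2.1")))
    print(identify("3c:4d:5e:00:00:01", user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)"))
    print(identify("a0b1.c200.0002", user_agent="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"))
```

Two points worth noting for anyone wiring identification into policy delivery: the option walker stops on a truncated TLV rather than reading past the buffer, and the category only ever narrows a policy (for example a smaller VLAN or lower bandwidth), because every signal comes from the terminal itself and can be set by whoever controls it.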
4. Visitor Management

Visitor operations: full lifecycle management of visitor accounts, with approval or approval-free workflows.

Registration | Approval | Distribution | Authentication | Auditing and Deregistration
Employee application | Automatic approval | SMS | User name/password | Login/Logoff auditing
Self-service application | Administrator approval | Email | Passcode | Automatic deregistration after expiration
 | Receptionist approval | Web | Isolation based on VLAN or ACL | Scheduled account deregistration

Customized enterprise Portal, location- and terminal-based page pushing.
5. Terminal Security: Health Check

Security Policy Template for Formal Employees
- Password complexity check
- Unauthorized connection monitoring
- Web access monitoring
- Antivirus software monitoring
- Mobile storage device monitoring

Policy Template for Temporary Employees
- Password complexity check
- Unauthorized connection monitoring
- Mobile storage device monitoring

Policy Template for Temporary Office
- Unauthorized connection monitoring
- Antivirus software monitoring

[Diagram] Each template is enforced in the post-authentication domain by the TSM system. If the security check fails, network access is prohibited and records about the unauthorized access are reported to the server. If the security check succeeds, network access is permitted.

Template Distribution Based on the User Type
Many policy templates can be made to meet the needs of different types of users. For example, formal employees require a security template with high security requirements, while temporary employees require a template with low security requirements.
5. Terminal Security: Behavior Monitoring

Whole-process records, violation operations traceable.

Network Behavior Auditing
- Web access
- Network application
- Network connection

Peripheral Use Auditing
- USB installation or removal
- USB file
- Use of other peripherals

Terminal File Auditing
- Create files
- Copy files
- Rename or delete files

Employee Operation Auditing
- Policy management
- User management
- Approval management

Auditing and Monitoring
- Establishes a 7 x 24 auditing and monitoring mechanism to ensure real-time processing of violation activities.
Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis
4. Bidding Support
Identity Authentication, Connection with Mainstream Data Sources

- A mature enterprise has a unified user information system. Enterprise CIOs are concerned about whether the access control system can smoothly connect to the existing user information system.
- The system supports multiple Extensible Authentication Protocols (EAPs) and can connect to mainstream AD, LDAP, RADIUS, and dynamic token systems.
- The system supports on-demand synchronization or synchronization by filtering criteria to meet specific customer requirements.

Authentication Protocols Supported by External Data Sources

Authentication Protocol | Self-built Account | AD | LDAP | RADIUS Token | RADIUS Relay
PAP | YES | YES | YES | YES | Depending on the external system
CHAP | YES | NO | NO | NO | Depending on the external system
EAP-PEAP-MSCHAPV2 | YES | YES | NO | NO | Depending on the external system
EAP-MD5 | YES | NO | NO | NO | Depending on the external system
EAP-TLS | YES | YES | YES | NO | Depending on the external system
EAP-TTLS-PAP | YES | YES | YES | YES | Depending on the external system
EAP-PEAP-GTC | YES | YES | YES | YES | Depending on the external system

The web, web agent, or agent authentication mode for an account is determined by the account attribute.
Comprehensive Access Control, Applicable to Multiple Types of Networks

[Diagram] Office area: dumb terminals on VLAN1 use MAC address authentication, terminals on VLAN2 use 802.1x authentication, and wireless users on SSID1 use Portal authentication. Guest area: users on SSID2 use SACG authentication.

MAC address authentication
- The authentication server authenticates terminals based on their MAC addresses.
- It applies to dumb terminals such as IP phones and printers.

802.1x authentication
- Clients, devices, and authentication servers exchange authentication messages using the EAP.
- It supports association with Huawei all-series switches, routers, WLAN devices, and third-party standard 802.1x switches.

Portal authentication
- Users can enter their user names and passwords on the web authentication page for identity authentication. It is also called web authentication.
- It supports association with Huawei all-series switches, routers, and WLAN devices.

SACG authentication
- The USG firewall is connected to a router or switch in bypass mode and it controls terminal access through policy-based routing.
Senseless Authentication: One-time Authentication for Multiple Times of Access

[Diagram] Wireless access, authentication, and connection among the user, AP, AC, Portal server, and RADIUS server (steps 1 to 5).

Portal Server
- Provides the page customization function.
- Stores the web authentication page.
- Connects to the AC.

RADIUS Server (Policy Center)
- Stores user names, passwords, and user policies.
- Connects to the AC.
- Records MAC addresses of users.

Initial Portal + MAC Authentication
- The wireless user initiates web authentication requests.
- The Portal server sends authentication requests to the AC.
- The AC initiates RADIUS authentication and sends the user name, password, and terminal MAC address to the RADIUS server.
- The RADIUS server performs authentication and records terminal MAC addresses.

Subsequent Automatic MAC Authentication
- The RADIUS server performs only MAC address authentication on wireless users after their initial access. Users are not aware of the authentication process.
Full Lifecycle Visitor Management and Customized Portal Push

[Diagram] Visitor account lifecycle: visitor account application, visitor authentication, visitor account deregistration. The sample portal page shows news headlines and app links (WeChat, Fetion, Weibo, web, video).

- Employee application, self-service application, and batch application
- Automatic and employee approval
- SMS, email, and web notifications
- User name/password authentication and passcode authentication
- Automatic deregistration after expiration
- Scheduled account deregistration

Full Lifecycle Management of Visitor Accounts
- Supports visitor account registration, approval, distribution, and deregistration.
- Provides approval and approval exemption workflows and visitor authentication APIs to integrate with service systems.

Portal Page Customization
- Supports portal page customization to provide enterprises with tailored pages, improving enterprise images.

Location-based Information Push
- Supports location-based (SSID and AP) information push.
Comprehensive Terminal Protection Policies

Behavior Management: centralized management and control of employee behaviors
- Web access
- File operations
- Network applications
- IP access
- Network traffic

Data Leak Prevention: optimized data leak prevention mechanism
- Peripheral devices
- File operations
- Mobile storage devices
- Unauthorized external connections
- Screenshot

Security Protection: enhanced security protection measures
- Antivirus software
- Software blacklist and whitelist
- System processes
- System ports
- ARP attack defense

System Hardening: unified security baseline for system hardening
- Screen protection settings
- Account security
- System patches
- Sharing settings
- Registry settings
- Application patches

Key Capabilities
► System hardening policy management
► Security protection policy management
► Data leak prevention policy management
► Terminal behavior policy management
Desktop Management Automation – Desktop Maintenance

User Service: optimized user desktop experience
- Instant messages
- Remote assistance
- Automatic alarm notification
- Fault diagnosis and rectification
- Portal push

Patch Management: centralized patch management
- WSUS patch linkage
- Distributed patch distribution
- Patch policy management
- System vulnerability statistics
- System vulnerability restoration

Software Distribution: unified software distribution center
- Software classification and management
- Resumable download
- Distributed software distribution
- Distribution status report
- Forcible execution
- Unattended installation

Asset Management: full lifecycle asset management
- Asset registration
- Asset information statistics
- Asset change alarm
- Asset information collection
- Asset change discovery
- Asset change auditing

Key Capabilities
► Full lifecycle asset management
► Message push center
► Fault diagnosis and rectification on the client
► Patch management center and software distribution center
Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis
4. Bidding Support
Overcome Competitors with the Visitor Management Solution

Emphasize that Huawei provides a comprehensive visitor management solution (wireless access + authentication + traffic isolation/authorization + auditing + visitor account management + advertisement placement).

HW | Cisco | H3C
Visitor traffic isolation prevents security threats brought by visitors who connect to the Internet from the campus network. Huawei uses general technologies such as GRE and VRF to isolate visitor traffic; therefore, no additional devices need to be deployed. | Cisco uses EoIP to isolate visitor traffic. An additional anchor AC needs to be deployed, which increases customer investment. | H3C does not provide a traffic isolation solution.
Huawei Policy Center can be associated with ASGs to implement online behavior management and auditing based on visitor identity. Meanwhile, the ASGs can function as GRE tunnel endpoints for visitor traffic isolation. | The Cisco solution does not support online behaviour management and auditing and cannot meet security requirements. | H3C does not support online behaviour management and auditing and cannot meet security requirements.

Strategy
Some enterprise networks have little visitor access, and the enterprises are not willing to construct an independent visitor management system due to a limited capital budget. In this case, you can advise the customer to construct a wireless network without the visitor management system. Visitors can be allocated dedicated SSIDs, WPA2 accounts, and passwords to access the network.
This may lead to the following problems:
1. Visitor traffic and employee traffic are not isolated, which will bring about security threats.
2. Visitor accounts are not managed in a unified manner, which leads to maintenance and auditing difficulties.
3. Network access auditing is not supported, which does not meet the requirements of public security authorities.
Advise the customer to deploy the visitor management system later.
Network Architecture

Function | Competitor: H3C | Competitor: Cisco | Customer Benefit | Strategy
Compatible with the majority of mainstream vendor networks | H3C offers 802.1x and Portal authentication on H3C series switches only. | Cisco ISE supports 802.1x authentication for standard 802.1x switches only. Besides, Cisco ISE uses a proprietary OOB protocol. | There is no need to upgrade or replace a large number of devices on the live network, protecting customer investment. | Use Policy Center to make a breakthrough on networks dominated by competitor devices and replace these devices step by step.
SACG networking | Not supported | Not supported | The change to the network architecture is small and the delivery and maintenance are simple. | Firewalls can be added to a complex and large-scale network in bypass mode, minimizing network architecture changes. Use this advantage to make customers replace competitor devices.
User Account

Function | Competitor: H3C | Competitor: Cisco | Customer Benefit | Strategy
Authenticating AD/LDAP accounts from multiple domains | Not supported | Not supported | Only one set of Policy Center is required in scenarios with multiple domains. | Recommend this function in scenarios with multiple AD/LDAP domains.
Binding user accounts with switch ports, IP addresses, VLANs, or SSIDs | Supported | Not supported | Automatic binding is implemented, which simplifies maintenance and improves security.
Policy Engine and Authorization

Function | Competitor: H3C | Competitor: Cisco | Customer Benefit | Strategy
Authorization control based on terminal type and asset type | Not supported | Supported | With intelligent terminal identification, company-owned devices and BYOD devices can have different access rights. | Recommend this function in BYOD scenarios.
Pushing web authentication pages based on the access location, device type, and SSID | Not supported | Not supported | Different login pages and information are pushed to users flexibly. It can provide value-added services. | This function is mandatory in hotels, shopping malls, and scenic areas where Internet surfing and other value-added services are required.
Flexible visitor management, APIs for connection with service systems | Not supported | Not supported | It can integrate with the existing systems to reduce customer investment. | The visitor API can be integrated with tickets or VIP cards in scenic areas, and with queue management systems in banks to print visitor accounts and passwords.
Comprehensive Terminal Security Policies: Security Hardening and Behavior Management

Function | Competitor: H3C | Competitor: Cisco | Customer Benefit | Strategy
Managing peripherals, USB flash drives, and unauthorized external connections, and auditing online behaviours | Supported | Not supported | The customer does not require a third-party desktop security management system because Policy Center integrates security management functions. | Recommend this function when intranet security management is required. Advocate Huawei information security practices.
Extensible and self-defined terminal security policies | Not supported | Not supported | Secondary development is not required because the customer can flexibly define security check policies by themselves. | If the customer has high security requirements, use Policy Center to define security check policies.
Mobile storage device management; USB disk authorization based on the user or device; USB disk encryption (SM algorithm) | Weak | Not supported | Data leaks caused by USB copying can be prevented. Access rights are authorized based on the user or device, without affecting normal services. | Applies to scenarios with high data leak risks such as banks. Overcomes competitors with flexible authorization and the SM algorithm.
Location-based terminal security control policies | Not supported | Not supported | The customer can flexibly manage and control terminal security policies. | Standard security policies can be used in offices. Monitoring is not required when SOHO users access the network without VPN. Monitoring policies are required for remote VPN access to prevent data leaks.
Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis
4. Bidding Support
1. Functional Components and License

Function | Introduction | License scenario
Access control | Provides multiple access authentication modes, such as RADIUS, 802.1x, Portal, and MAC address authentication. | Total number of terminals on a network, including PCs, smart terminals, and IP phones
Visitor management | Provides full lifecycle management for visitor accounts. Supports Portal customization for visitor authentication, sends account information to visitors through emails and SMSs, and deregisters expired visitor accounts. | Total number of valid visitor accounts
Advanced functions (terminal security protection) | Provides terminal health check, employee behavior management, software distribution, patch management, and asset management. | Total number of PCs to which terminal security policies apply
Mobile storage device management | Controls the use of mobile storage devices to prevent data leaks and supports USB disk encryption. | Total number of Windows terminals to which mobile storage device management applies
2. Server Configuration (Database Hot Backup Not Required)

1. Huawei server
Customers can purchase Huawei servers (HW RH2288). Place an order on the Unistar.
Configuration: Tecal RH2288 V2 (2 x E5-2640 CPU; 8 GB memory; 3 x 300 GB SAS hard disk)

2. Third-party server
Customers can use third-party servers. Customers need to purchase hardware and software (Windows Server 2008).
If customers use virtual machines, the virtual machines must meet the minimum configuration requirements (CPU 2 GB; memory 8 GB).

3. Server quantity
The Unistar automatically calculates the number of required servers based on the license quantity. The server quantity is calculated as follows:
- Less than 5000 users: only one server (SM+SC+DB); redundancy not required
- 5000 to 10000 users: two servers (1SM+2SC+1DB); redundancy required
- More than 10000 users: one more server is required for each 10000 users.
3. Server Configuration (Database Hot Backup Required)

1. Three database servers are required.
If database hot backup is required in a site, at least three servers must be deployed in the site, and each server has a database installed. The three servers work as the primary database, secondary database, and monitor database respectively.

2. Server quantity
If database hot backup is required, you need to select at least three servers (with database installed) in the Unistar.
- Less than 5000 users: three servers with database installed
- More than 10000 users: three servers with database installed. One more server is required for each 10000 users.
4. Customization and Development Fees

SMS Gateway Customization
Policy Center can send short messages through the SMS modem or the carrier's SMS gateway. By default, Policy Center can only connect to the SMS gateways of China Unicom, China Mobile, and China Telecom. To connect Policy Center to the SMS gateways of other carriers, customization is required.
If the visitor management component is configured, the customer needs to purchase the SMS gateway customization service.
FEE-SMS: Customization and development fee for SMS gateway

Portal Page Customization
Policy Center supports customization of authentication and registration pages. Policy Center provides default authentication and registration page templates. Administrators can set parameters in the templates or modify the HTML code to change the page styles.
If the customers want R&D personnel to complete page customization, they must provide information about their preferred styles or images. The R&D personnel charge for this service based on the number of required pages.
FEE-PAGE: Customization and development fee for Portal page (per page)
[Figure] Portal customization example

Unified Entry for Policy Center Documents
http://3ms.huawei.com/hi/EnterpriseBG_connect/Network_OSS_PolicyCenter_index.html
Project Support Personnel

Support Team | Region | Contacts
Project support (technical enquiry, bidding, solution, customer communication, and training) | North China (including the Account Dept) | Liuhongjun/00112047, Zhuzunyi/64383
Project support | East China | Longdingyi/00207893
Project support | South China | Zhongcui/69642
Project support | Others | Zengfanlei/66568
Upgrade | All regions | MSE: Zengfanlei/66568; MO: Xiongtun/239064; SPDT manager: Wangshaoshen/162705
Regional contact person and test support | West European Region, CEE&Nordic, Southeast Asia, and other regions outside China | Liqingsong/90003812, Yangxianping/00216594, Longdingyi/00207893, Xiaoshifen/00101011, Wangxuan/00743624, Zhuzunyi/64383, Zengfanlei/66568
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY
Copyright © 2013 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time
without notice.
Policy Center Cluster and Hot Backup Configuration

[Diagram] Database tier: SQL Server (primary), SQL Server (secondary), and SQL Server (monitor). Management tier: SM. Service tier: SC 1, SC 2, and SC 3, to which the clients connect.

- The database can be installed on the same server as the SM and SC. To support database hot backup, three servers are required.
- All the servers use the same database.
- The SM and SC can be installed on the same server.
- Connection behaviour shown in the diagram: connects to server 1 when it works properly; connects to another server when server 1 is faulty; selects a server based on the server weight.
- One SC server can respond to 10000 concurrent users. SC servers can be added for future expansion.
- When a user agent detects that the primary server in the current area is faulty or unavailable, it automatically associates with the primary server.