United Security Technology White Paper

Contents
1 Challenges
1.1 Security Problems Caused by Mobile Communication
1.2 Security Fragmentation Problems
2 United Security Solution
2.1 Big Data Analytics for United Security
2.2 United Security Based on Security Resource Virtualization
3 Applicable Scenarios
3.1 Threat Detection Throughout the Network
3.2 On-Demand Allocation of Security Resources
1 Challenges
1.1 Security Problems Caused by Mobile Communication
To implement security defense on enterprise campus networks and data center
networks, network edges are defined and security devices of different security
levels are deployed at those edges: the firewall, anti-DDoS device, Anti-Virus
(AV) device, Intrusion Prevention System (IPS) device, and Data Loss Prevention
(DLP) device. Traditional internal network security is ensured at the external
edge, but wireless security is different: with Bring Your Own Device (BYOD),
mobile users in any role, with any device, can connect to the network anywhere.
Virus attacks and hacker intrusions have become diversified, and single-point
and edge defenses face the following challenges:
•• Untrusted intranet: Visitors, BYOD users, partners, vendors, and employees all
connect to campus networks, so the security status of terminals cannot be trusted
and the intranet's horizontal traffic is insecure. The security levels of the
departments and branches of Enterprise Data Centers (EDCs), of Internet Data
Center (IDC) multi-tenants, and of Data Center (DC) networks differ, so internal
traffic must also be controlled. Traditional edges cannot solve all of these
problems.
•• Mobility: On mobile campus networks and in virtualized DCs, terminals or DCs
can move dynamically, so the intranet's external and physical edges are no
longer available as defense points.
Figure: Traditional network security defense. Only edge defense is required; the
access mode and user positions are fixed, and attack points and countermeasures
come from single points. (Labels: WAN/Internet, external attack, single-point
defense.)
Figure: Mobile network security: how is network defense performed on a borderless
network? In mobile scenarios, employees can connect to enterprise networks
anywhere using different types of terminals, so attack points and countermeasures
are diversified. (Labels: WAN/Internet, external attack, unavailable firewall
single-point defense, mobile network attack, wireless eavesdropping attack, APs,
mobile terminal attack.)
Access terminals on a borderless network do not have unified security defense
software. As a result, threats are omnipresent when users access WLANs, VPNs, and
intranets. Traditional single-point defenses cannot meet changing user requirements.
1.2 Security Fragmentation Problems
Fragmented Deployment Wastes Resources
Background: Intranets demand high security. In addition to security defense at the
external edge, security checks are needed for intranet services' horizontal traffic.
Each department also requires an independent security defense.
Multiple security defense points: Every department needs a hardware firewall,
which increases Capital Expense (CAPEX). In addition, policies are distributed
and maintenance workloads are heavy.
Inefficient usage: Many purchasers figure they need security devices that can
handle two to five times the peak data traffic. In practice, this is an
inefficient use of high-performance security devices such as firewalls, IPS
devices, and anti-DDoS devices.
Complex Service Configuration Policies
Background: Individual departments use different security levels for their service
systems. As a result, companies require different security defenses and configuration
policies for each department.
Complex traffic distribution: Different security defense measures are also deployed
between different areas. To implement different security defenses, complex traffic
diversion policies need to be configured. This makes it difficult to expand and
maintain networks.
2 United Security Solution
To address the single-point defense and fragmented deployment problems, Huawei's
United Security Solution collects security events across the entire network and
uses Big Data analytics to perform correlation analysis and detect security
risks. The solution then uses virtualization technology to virtualize security
resources, implementing resource sharing and on-demand service provisioning.
Huawei's United Security Solution thus solves both the security defense and the
service deployment problems. It has two sub-solutions: threat detection and
security defense based on the results of Big Data analytics, and flexible
chaining based on security resource pooling.
2.1 Big Data Analytics for United Security
Big Data analytics relieves personnel of manual service data analysis and
improves their ability to turn data into better security policies. Huawei's
United Security Solution uses Big Data analytics to detect network threats and
take defense measures.
2.1.1 Solution Architecture
Figure: Solution architecture. The Agile Controller (1) delivers security
policies, (2) performs correlation analysis of Big Data, (3) delivers security
policies, and (4) dynamically allocates security resources from the security
resource center (AntiDDoS, NGFW, Sandbox, SVN). The devices collect security
events and ensure that security policies take effect.
•• The Agile Controller collects network security events.
Security events are drawn from network and service device logs, logs of terminal
user behavior, and network attack events.
•• The Agile Controller performs correlation analysis of the Big Data.
This analysis detects potential security risks.
•• The Agile Controller delivers security policies.
The Agile Controller delivers the adjusted security policies to devices.
2.1.2 Agile Controller Technology
Huawei's United Security Solution uses the controller to analyze attack sources
and deliver the response to the security devices.
Figure: The Agile Controller and the security resource center: (1) isolate
threats; (2) intelligently import and clean traffic.
The Agile Controller performs the following operations:
•• Collects security events.
The Agile Controller collects, identifies, and analyzes security events, alarms,
and faults, and detects the network security situation through correlation
analysis of Big Data. The technology module is divided into three layers:
− Data collection layer
The data collection layer collects data about the various security resources,
security events of objects, vulnerabilities, and assets. The data is transmitted
through standard protocols and interfaces such as Syslog, SNMP, FTP/SFTP, ODBC,
Socket, and XML.
− Analysis processing layer
The analysis processing layer stores, analyzes, and processes the collected
device information. It filters and combines information, performs correlation
analysis, identifies potential security risks in mass logs, generates alarms, and
performs risk analysis according to asset values and vulnerabilities.
− Security presentation layer
The security presentation layer presents the collected data and provides a Portal
page for asset, report, system, security alarm, vulnerability, risk, knowledge
base, and O&M management. It provides different presentation pages for
administrators of different levels; the system administrator needs only three
operations to locate the source of a security event.
•• Performs user policy management.
The Agile Controller is responsible for authenticating users, synchronizing user
information, and associating security policies. It can associate analysis results
generated by the security event collection component.
Huawei's Agile Controller combines various attributes and, in that way, provides
multi-attribute authentication and authorization services for mobile users on
campus networks. The attributes include:
•• User: distinguishes identities of different users and delivers different
authorization rules for accessing devices to the user authentication device (AC/
LSW/SVN).
•• Position: delivers authorization rules based on IP addresses, SSIDs of access
devices, and MAC addresses of Access Points (APs) to the user authentication
device (AC/LSW/SVN).
•• Time: distinguishes time ranges and delivers different authorization rules for
accessing devices.
•• Terminal type: differentiates terminal types and delivers different authorization
rules for accessing devices to the user authentication device (AC/LSW/SVN).
•• Terminal security compliance: identifies non-compliant terminals and
delivers different authorization rules for accessing these devices to the user
authentication device (AC/LSW/SVN).
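The following is an added example, not code from the white paper or from Huawei, of how the five attributes listed above can be combined into a single authorization rule that a controller would deliver to the access device. The session fields, the rule names, the VLAN and ACL names, the working-hours window and the lab AP addresses are all assumptions made for illustration.

```python
"""Added example, not code from the Huawei white paper: combining the user,
position, time, terminal type and terminal security compliance attributes into
one authorization decision. Rule names, VLAN/ACL names, the working-hours window
and the session fields are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One access session as the controller would see it (constructed fields)."""
    user: str
    role: str            # user attribute: employee, guest, partner, ...
    ssid: str            # position attribute: SSID the terminal associated with
    ap_mac: str          # position attribute: MAC address of the serving AP
    login_time: str      # time attribute, "HH:MM"
    terminal_type: str   # terminal type attribute: corporate-laptop, byod-phone, ...
    compliant: bool      # terminal security compliance attribute


# Assumed set of AP MAC addresses installed in the R&D lab (position attribute).
LAB_AP_MACS = {"00-11-22-33-44-55", "00-11-22-33-44-56"}


def in_work_hours(hhmm: str) -> bool:
    """Time attribute: 08:00-19:00 counts as working hours (assumption)."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return (8, 0) <= (hour, minute) <= (19, 0)


# Ordered rule table: the first matching rule wins, so the most restrictive
# conditions (non-compliant terminal, guest) are evaluated first. Each entry is
# (rule name, predicate over the session, authorization delivered to AC/LSW/SVN).
RULES = [
    ("quarantine-noncompliant",
     lambda s: not s.compliant,
     {"vlan": "quarantine", "acl": "remediation-only"}),
    ("guest-internet-only",
     lambda s: s.role == "guest" or s.ssid == "Guest",
     {"vlan": "guest", "acl": "internet-only"}),
    ("employee-after-hours",
     lambda s: s.role == "employee" and not in_work_hours(s.login_time),
     {"vlan": "office", "acl": "mail-and-web"}),
    ("employee-rnd-lab",
     lambda s: s.role == "employee" and s.ap_mac in LAB_AP_MACS
     and s.terminal_type == "corporate-laptop",
     {"vlan": "rnd-lab", "acl": "rnd-servers"}),
    ("employee-corporate-device",
     lambda s: s.role == "employee" and s.terminal_type == "corporate-laptop",
     {"vlan": "office", "acl": "full-intranet"}),
    ("employee-byod",
     lambda s: s.role == "employee" and s.terminal_type.startswith("byod"),
     {"vlan": "byod", "acl": "mail-and-web"}),
]

# Anything no rule claims is denied rather than silently admitted.
DEFAULT_RULE = ("deny-unmatched", {"vlan": None, "acl": "deny-all"})


def authorize(session: Session):
    """Return (rule name, authorization dict) for the session."""
    for name, predicate, authorization in RULES:
        if predicate(session):
            return name, authorization
    return DEFAULT_RULE


if __name__ == "__main__":
    demo = Session("bob", "employee", "Corp", "aa-bb-cc-dd-ee-ff",
                   "10:30", "corporate-laptop", True)
    print(authorize(demo))
```

The rule order is the security-relevant part: the compliance check sits first so that a non-compliant terminal is quarantined regardless of who the user is or where they connect from, and the unmatched case falls through to a deny rather than to the most permissive rule.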
2.1.3 Solution Process
•• Event report: Security systems such as Next-Generation Firewalls (NGFWs), IPS
devices, and AV software detect attack behaviors. For example, a vulnerable
terminal may be used for intrusions, scanning attacks, and worm attacks. The
security system reports the threats to the controller, and the log analysis
component of the controller identifies and eliminates them. Events include
threats, faults, security events, and non-compliant applications reported by
network and security devices, host security software, and authentication/service
systems.
•• Association analysis and policy delivery: The controller's log analysis
component accepts or collects network events. It then associates with an
analysis engine to perform Big Data analytics, including combination,
traceability, and weighted algorithms, and reports critical risks. The log
analysis component reports major events to the IT administrator and responds to
and processes threats. For example, the component associates the vulnerable
terminal with its external data flow for processing, which reduces the manual
workload of tracing the terminal's position, IP address, and traffic interface.
•• Association solution 1 – isolation: User access and authentication devices
such as the switch, WLAN device, and SVN are associated with the controller to
execute policies. For example, risky terminals are isolated or disconnected, or
notifications are sent about them.
•• Association solution 2 – flow diversion: The controller associates with the
switch to divert attack traffic to the security device for processing through
policy-based routing (PBR).
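As an added example, not code from the white paper or from the Agile Controller, the following miniature log analysis component walks through the collection, combination, traceability and weighting steps of section 2.1.2 and the event report and isolation decision of 2.1.3. The syslog format, the field names, the severity weights and the two thresholds are assumptions; the sample log lines are constructed and do not come from any real device.

```python
"""Added example, not code from the Huawei white paper: a miniature log
analysis component that parses syslog-style events from several security
systems, correlates them per terminal with a weighted score, and decides
whether to isolate, notify or do nothing. The log format, field names,
weights and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real device output): IPS and AV detections plus
# an authentication record that ties a user and posture result to the terminal.
SAMPLE_LOGS = [
    "<134>Feb 19 10:00:01 ngfw01 IPS: src=10.1.20.15 dst=10.1.30.7 sig=port-scan severity=medium",
    "<134>Feb 19 10:00:05 ngfw01 IPS: src=10.1.20.15 dst=10.1.30.8 sig=port-scan severity=medium",
    "<132>Feb 19 10:00:09 av-srv AV: host=10.1.20.15 threat=worm.generic severity=high",
    "<134>Feb 19 10:00:11 ngfw01 IPS: src=10.1.20.42 dst=10.1.30.7 sig=port-scan severity=medium",
    "<133>Feb 19 10:00:15 acctl AUTH: user=bob ip=10.1.20.15 posture=noncompliant",
]

HEADER = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) +(?P<component>\w+): (?P<body>.*)$")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

SEVERITY_WEIGHT = {"info": 0, "low": 1, "medium": 3, "high": 6}
NONCOMPLIANT_WEIGHT = 2   # a failed posture check adds to the terminal's risk
NOTIFY_THRESHOLD = 3      # report to the IT administrator
ISOLATE_THRESHOLD = 8     # push an isolation policy to the access device


@dataclass
class Event:
    ts: str
    component: str          # reporting system: IPS, AV, AUTH, ...
    terminal: str           # IP address of the terminal the event concerns
    severity: str
    fields: dict = field(default_factory=dict)


def parse_syslog(line):
    """Normalize one syslog line into an Event, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = dict(KEY_VALUE.findall(m.group("body")))
    # Different sources name the terminal differently; take whichever is present.
    terminal = fields.get("src") or fields.get("host") or fields.get("ip")
    if terminal is None:
        return None
    return Event(m.group("ts"), m.group("component"), terminal,
                 fields.get("severity", "info"), fields)


def correlate(events):
    """Combine events per terminal (the combination and traceability step)."""
    per_terminal = defaultdict(lambda: {"score": 0, "user": None, "evidence": []})
    for ev in events:
        entry = per_terminal[ev.terminal]
        if ev.component == "AUTH":
            # Authentication records reveal the user behind the IP address.
            entry["user"] = ev.fields.get("user")
            if ev.fields.get("posture") == "noncompliant":
                entry["score"] += NONCOMPLIANT_WEIGHT
                entry["evidence"].append("noncompliant posture")
            continue
        entry["score"] += SEVERITY_WEIGHT.get(ev.severity, 0)
        detail = ev.fields.get("sig") or ev.fields.get("threat") or "unknown"
        entry["evidence"].append(f"{ev.component}:{detail}")
    return dict(per_terminal)


def decide(per_terminal):
    """Map each terminal's weighted score to an action for the controller."""
    decisions = {}
    for terminal, entry in per_terminal.items():
        if entry["score"] >= ISOLATE_THRESHOLD:
            action = "isolate"
        elif entry["score"] >= NOTIFY_THRESHOLD:
            action = "notify"
        else:
            action = "none"
        decisions[terminal] = (action, entry["score"], entry["user"])
    return decisions


def analyze(lines):
    """Full pipeline: collect, correlate, decide."""
    events = [ev for ev in map(parse_syslog, lines) if ev is not None]
    return decide(correlate(events))


if __name__ == "__main__":
    for terminal, (action, score, user) in analyze(SAMPLE_LOGS).items():
        print(f"{terminal:<12} user={user} score={score:<3} action={action}")
```

On the constructed input the terminal 10.1.20.15 accumulates two scan detections, a worm detection and a failed posture check and is marked for isolation together with the user name recovered from the authentication record, while 10.1.20.42 (a single scan detection) only triggers a notification; tuning the weights and thresholds is where a real deployment spends its effort.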
2.2 United Security Based on Security Resource Virtualization
Cloud computing uses virtualization technology to use computing resources
efficiently and to provision and schedule those resources quickly. Applying
virtualization technology to security resources likewise makes unified
management, on-demand service provisioning, and resource sharing possible.
2.2.1 Architecture
Solution: security resource pooling, on-demand scheduling, and unified management
Figure: Architecture. The Agile Controller manages a security center
(NGFW/DDoS/DLP and so on) providing anti-attack, antivirus, leak prevention and
other functions. When a DDoS attack is detected in office area A or office area
B, the suspicious traffic is detected and diverted to the security center for
cleaning; (2) after the security center checks the suspicious traffic, the Agile
Controller isolates it and lowers its level. After identifying traffic from the
untrusted area (visitor access and remote access), the Agile Controller diverts
the traffic to the security center for cleaning.
2.2.2 Solution Process
This solution uses agile switches, security devices such as the NGFW, and the
Agile Controller.
•• The Agile Controller uniformly manages security resources and virtualizes them
into a shared security resource center.
•• The Agile Controller can dynamically use security resources based on user
configurations or security event analysis.
Figure: Security resource pooling. Security devices (FW/IPS/AV/ASG/VPN) attached
to an agile switch are pooled as service nodes (Service-node1 FW, Service-node2
AV, Service-node3 ASG, ..., Service-nodeN IPS). Benefits: fast deployment,
simplified configuration and management, efficient use of all resources, high
reliability.
•• Service orchestration
Users can configure security rules for service flows simply, without worrying
about deployment of security resources.
Figure: On-demand provisioning of security resources. The service nodes
(Service-node1 FW, Service-node2 AV, Service-node3 ASG, ..., Service-nodeN IPS)
serve flows between the Marketing area, the R&D area and the WAN/Internet. Each
flow type is assigned a chain of virtual slots (vSlots):

Flow                 Type          Service1     Service2
Marketing->Internet  http          vSlot1 (FW)  vSlot2 (ASG)
Marketing->R&D       File sharing  vSlot1 (FW)  vSlot2 (AV)
Marketing->R&D       Video         vSlot1 (FW)  /
3 Applicable Scenarios
3.1 Threat Detection Throughout the Network
Background
During mobile office work, viruses may attack the external network connected to
the enterprise network. Some terminals on the LAN may also be attacked because
of a lack of control measures. In this case, internal and external terminals can
easily be used by hackers to attack the enterprise network.
Huawei Solution
The NGFW, IPS device, or AV software detects attack behaviors. For example, a
vulnerable terminal may be used for intrusions and scanning or worm attacks.
The security system then reports the threats to the Agile Controller. The controller
performs correlation analysis for various events. After determining the threats, the
controller sends policies to the user authentication device (AC/LSW/SVN), executes
isolation policies for risky terminals, and notifies the administrator.
Customer Benefits
This solution implements pervasive security defenses, improves intranet security,
and speeds response times.
3.2 On-Demand Allocation of Security Resources
Background
Content security facilities are expensive to deploy and their performance is
low. Specific users and services cannot be differentiated and therefore cannot
be well protected.
Huawei Solution
The solution ensures high security at a low cost:
•• User-based traffic diversion: The solution performs the highest security checks for
VIP users, plus security checks for untrusted terminals such as partner, guest, and
agent-less devices to ensure intranet security. In addition, the solution provides
differentiated security defenses based on subnets, VLANs, and MPLS VPNs.
•• Service-based traffic diversion: The solution uses traffic flow based on service
interfaces to prevent email information leaks and protect files against viruses. It
also ensures positive user experience with video services.
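The following added example, which is not code from the white paper or from Huawei, shows how the service-chain table of section 2.2.2 and the user- and service-based diversion just described can be resolved for a single flow: the flow is classified by destination port, the base vSlot chain is looked up by (source area, destination area, service), and extra slots are appended according to the user class. The three Marketing chains come from the figure in 2.2.2; the SMTP chain, the port-to-service mapping, the user classes and the vSlot numbers above vSlot2 are assumptions.

```python
"""Added example, not code from the Huawei white paper: resolving the ordered
chain of virtual security slots (vSlots) for a flow, combining service-based
and user-based traffic diversion. The port-to-service mapping, the SMTP chain,
the user classes and vSlot3/vSlot4 are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_area: str     # e.g. Marketing, R&D, Untrusted
    dst_area: str     # e.g. R&D, Internet
    proto: str        # tcp / udp
    dst_port: int
    user_class: str   # vip, employee, untrusted (guest, partner, agent-less, BYOD)


# Service classification by transport port (assumed mapping).
PORT_TO_SERVICE = {
    ("tcp", 80): "http", ("tcp", 443): "http",
    ("tcp", 445): "file-sharing", ("tcp", 2049): "file-sharing",
    ("tcp", 554): "video",
    ("tcp", 25): "smtp",
}

# Ordered vSlot chains keyed by (source area, destination area, service).
# "*" matches any source area. The first three rows follow the 2.2.2 figure.
SERVICE_CHAINS = {
    ("Marketing", "Internet", "http"): ["vSlot1(FW)", "vSlot2(ASG)"],
    ("Marketing", "R&D", "file-sharing"): ["vSlot1(FW)", "vSlot2(AV)"],
    ("Marketing", "R&D", "video"): ["vSlot1(FW)"],
    ("*", "Internet", "smtp"): ["vSlot1(FW)", "vSlot3(DLP)"],   # assumed anti-leak audit
}
FIREWALL_ONLY = ["vSlot1(FW)"]   # assumed default: every flow at least passes the firewall

# User-based diversion: VIP users get the highest level of checks, untrusted
# terminals get full content checks, ordinary employees get nothing extra.
USER_CLASS_EXTRA = {
    "vip": ["vSlot4(IPS)", "vSlot2(AV)"],
    "untrusted": ["vSlot4(IPS)", "vSlot2(AV)"],
    "employee": [],
}


def classify_service(flow):
    """Service-based classification from the destination port."""
    return PORT_TO_SERVICE.get((flow.proto, flow.dst_port), "other")


def resolve_chain(flow):
    """Return (service, ordered vSlot chain) for the flow."""
    service = classify_service(flow)
    base = (SERVICE_CHAINS.get((flow.src_area, flow.dst_area, service))
            or SERVICE_CHAINS.get(("*", flow.dst_area, service))
            or FIREWALL_ONLY)
    chain = list(base)
    # An unknown user class is treated as untrusted rather than as an employee.
    for slot in USER_CLASS_EXTRA.get(flow.user_class, USER_CLASS_EXTRA["untrusted"]):
        if slot not in chain:          # never run the same vSlot twice
            chain.append(slot)
    return service, chain


def needs_diversion(flow):
    """True when the switch must divert the flow (PBR) to the security
    resource center instead of forwarding it after the firewall alone."""
    return len(resolve_chain(flow)[1]) > len(FIREWALL_ONLY)


if __name__ == "__main__":
    for f in (Flow("Marketing", "Internet", "tcp", 80, "employee"),
              Flow("Marketing", "R&D", "tcp", 554, "untrusted"),
              Flow("R&D", "Internet", "tcp", 25, "vip")):
        print(f, resolve_chain(f), "divert" if needs_diversion(f) else "forward")
```

Two design choices carry the security meaning: the default for a flow no table row describes is still the firewall slot, and a user class the table does not know is treated as untrusted, so a misconfigured or missing classification fails toward more inspection rather than less.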
Figure 3-1 User-based traffic diversion: on a 10G high-speed network, a 100M
low-cost content security device in the security resource center is injected
into the path; user-based traffic diversion sends the traffic of VIP users,
employees, untrusted terminals and BYOD devices on the LAN through it as
required.
Figure 3-2 Service-based traffic diversion: SMTP (TCP port 25) is used to divert
mail traffic to the security resource center for anti-leak audit and detection.
Customer Benefits
Provides differentiated security defenses, which improves security, reduces investments,
and ensures positive user experiences.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademark Notice
[Huawei logo], HUAWEI, and [Huawei logo] are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
General Disclaimer
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors
that could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information
is provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20140219-C-1.0
www.huawei.com