Post on 07-Mar-2018

235 views

Category:

Documents


1 download

TRANSCRIPT

Huawei Agile Controller Full Product Datasheet

Huawei Agile Controller

Contents

Introduction to the Agile Controller
Access Control Manager
Guest Manager
Free Mobility Manager
Service Orchestration Manager
Terminal Security Manager
United Security Manager

Introduction to the Agile Controller

Product Overview

For mobile office, bring your own device (BYOD), and wireless local area network (WLAN) services, user terminals (information receivers) are not fixed in certain physical locations. These services pose the following challenges to traditional networks that use static configuration:

1. How to deliver a consistent experience to different user terminals regardless of their locations?

2. How to configure user privileges, security, QoS, priority, and other network policies? On a traditional network, users can be bound to physical interfaces, and the administrator manually configures policies on the network devices closest to users. However, manual configuration cannot adapt to changes in user location. To meet the requirements of mobile users, the network must support dynamic resource allocation and policy configuration. That is, network resources and policies must be able to migrate with users.

3. How to deploy network security policies? On traditional networks, the boundaries between enterprise networks and the Internet carry security risks. Many enterprises deploy security devices such as firewalls at their network boundaries. However, with the development of mobile services and diversified network attacks, the boundaries of security protection become blurred. Services such as Wi-Fi, mobile terminals, and remote office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and advanced persistent threats (APTs). In this case, traditional boundary protection measures become ineffective.


The Agile Controller is the core component of a next-generation network solution designed by Huawei for enterprise markets. It can be deployed on agile campus networks, agile branches, agile wide area networks (WANs), and agile data centers to control policies for access to these networks and for interconnection between data centers. Following the centralized control principle of software-defined networking (SDN), the Agile Controller dynamically schedules network and security resources on the entire network so that these resources migrate with users. With the Agile Controller, networks become more agile for services.

Product Characteristics

Experience-centric Redefined Network

The Agile Controller shifts customers' attention from technologies, equipment, and connectivity to users, services, and user experience, and frees customers from laborious manual configuration by providing natural-language network planning and automatic deployment.

• The Agile Controller applies SDN's centralized control concept to campus networks. It can dynamically schedule and adjust network and security resources on the entire campus network to meet the requirements of frequently moving users, offering free mobility.

• The Agile Controller can flexibly adjust user rights, QoS policies, and security policies on the entire network. This dynamic policy adjustment greatly shortens the service provisioning or network expansion period, allowing networks to keep pace with fast-changing services.

• Using the Agile Controller, customers no longer need to pay attention to the differences between devices. They can use natural language to configure network policies and deliver the configurations to all network devices with one click on the Agile Controller.

• User-based QoS scheduling ensures preferential forwarding of VIP users' services when network resources are insufficient, delivering a good experience to VIP users.

[Figure: control flow and service flow through the Agile Controller between the headquarters (executive/employee/guest), a branch (executive/employee/guest), the Internet (executive/employee), the WAN/Internet, and the data center (finance, sales, R&D)]


Network-wide United Security

The Agile Controller implements united security, replacing single-point protection with network-wide protection.

• The Agile Controller collects logs from network devices, security devices, and service systems, and employs Big Data analytics to discover potential attacks and threats that are difficult to detect through single-point protection.

• The Agile Controller virtualizes security devices into a security resource center. Traffic of users with certain characteristics is blocked or redirected to the security resource center to defend against attacks.

• The Agile Controller provides comprehensive terminal security and desktop management functions, and has over 5000 predefined terminal security policies, ensuring terminal access security.

Openness and Interoperability

• The Agile Controller provides various northbound and southbound interfaces and open APIs to make the forwarding plane and control plane programmable. It can interoperate with customers' service systems to improve end-to-end operation and maintenance efficiency, shorten new service provisioning time, and give customers a platform for innovation.

• The Agile Controller is seamlessly interoperable with mainstream cloud platforms, including Huawei FusionSphere, VMware vSphere, OpenStack, and Microsoft Hyper-V. This interoperability makes the Agile Controller an elastic, open platform integrating best practices of various fields, allowing customers to flexibly define their networks based on service requirements.

Highly Reliable, Flexible Architecture

• The Agile Controller can be deployed in centralized, distributed, and hierarchical modes, and is applicable to various networks.

• The Agile Controller supports various authentication modes and database backup to ensure high reliability and service continuity.

• The Agile Controller uses the Browser/Server (B/S) architecture and complies with the latest Huawei User Interface (UI) design standards; therefore, it is easy to use.


Product Components

The Agile Controller provides multiple service components for different application scenarios to meet diversified customer requirements.

Access Control Manager
• Provides unified network access policies and supports multiple authentication methods such as 802.1X, Portal, MAC address, and SACG authentication. This implements unified access management on users from wired, wireless, or VPN networks.
• Supports refined authorization based on the user identity, access time, access location, device type, device source, and access mode. This ensures unified maintenance and management of all terminals that access the enterprise network in various modes.

Guest Manager
• Provides full lifecycle guest management, including guest account application, approval, distribution, authentication, auditing, and deregistration.
• Supports various account application methods, including self-service application, WeChat, and QR code. In addition, the enterprise's employees can apply for accounts for guests.
• Allows users to customize guest account application and authentication pages and flexibly pushes advertisements.

Free Mobility Manager
• Works with Huawei agile switches and NGFWs to provide security group–based policies in addition to the traditional NAC and implement unified policy deployment and automatic policy synchronization. This ensures that users have the same service experience when they move on the network.
• Provides user group–based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient, delivering a good service experience for VIP users.

Service Orchestration Manager
• Virtualizes physical security devices to shield the device models and locations, forming a security resource center.
• Directs service flows to the security resource center based on service requirements to improve the use efficiency of physical resources and reduce costs.

Terminal Security Manager
• Strictly controls network access from all terminal users and enforces security policies on the users connected to the network.
• Supports terminal health check, employee behavior management and control, software distribution, patch management, and asset management to ensure that terminals connected to the network possess self-defense capabilities and comply with the enterprise's security policies.

United Security Manager
• Manages logs and security events from network, security, and IT devices on the entire network in a centralized manner.
• Uses the Big Data correlation analysis technique to evaluate network security and identify risky assets and areas on the entire network.
• Allows customers to take proactive defense measures so that they do not need to analyze or trace the attack sources and network risks themselves.

Access Control Manager

Component Overview

With the improvement of Information and Communication Technologies (ICT), enterprise users want to access the network from every corner of their offices. A large number of mobile staff and partners frequently use their own terminals (such as laptop computers) to access the enterprise local area networks (LANs), which brings great challenges to enterprise information security. Unauthorized terminals may bring computer viruses into the enterprise networks and even obtain the enterprise's trade secrets, threatening network security. In addition, the maturity of WLAN technologies and the popularization of intelligent terminals cause many enterprises to allow their employees to access the enterprise intranets using intelligent BYOD terminals. The enterprises aim to improve employees' work efficiency and reduce the cost of and investment in mobile terminals. The application of WLAN technologies on enterprise networks also brings great information security risks.

The Access Control component of the Huawei Agile Controller associates with network access control devices to control access to enterprise networks from internal and external terminals. This component provides unified access control policies and flexibly manages authentication and authorization policies to meet different service control requirements.


Component Characteristics

Comprehensive Admission Control Technologies, Applicable to Multiple Types of Networks

802.1X authentication
Characteristics:
• The 802.1X function is enabled on a switch or an AC.
• It can implement Layer 2 isolation.
• The maintenance is complex because there are multiple authentication points.
• The switch must support 802.1X.
Application scenarios: Applies to small-, medium-, and large-sized campus networks with high security requirements. The Access Control component can associate with all Huawei series switches, routers, WLAN devices, and third-party standard 802.1X switches.

MAC address authentication
Characteristics:
• The switch or AC automatically enables 802.1X or MAC address authentication for different terminals.
• Terminals are authenticated by the authentication server based on their MAC addresses.
Application scenarios: Applies to dumb terminals such as IP phones and printers.

Portal authentication
Characteristics:
• A combination of Portal and MAC address authentication is configured on devices at the aggregation layer, and the devices select authentication modes based on terminal types. The AC authenticates wireless users in a unified manner.
• Clients are optional on terminals based on service requirements.
• Access switches do not need to support 802.1X.
Application scenarios: The Access Control component can only associate with all Huawei series switches, routers, and WLAN devices, especially when no client is required.

SACG authentication
Characteristics:
• The USG firewall is connected to the router or switch in bypass mode, and terminal access control is implemented using policy-based routing. There is no need to change the network topology.
• The management and maintenance are easy because there are few authentication points.
• The control point is at the aggregation or core layer; therefore, the control capability at Layer 2 is weak.
Application scenarios: Applies to complex campus networks with a large number of third-party datacom devices, such as switches and routers. This authentication mode is especially suitable for campus network reconstruction.


Hierarchical Department and User Management, Meeting the Requirements of Enterprises with Complex Organization

• Contains both sub-departments and users in a department.

• Supports a maximum of ten department levels, which meets the requirements of enterprises with complex organization.

• Allows administrators to import and export department and user information in batches using the Excel files.

Seamless Interconnection with External Data Sources and Social Media Platforms

• Supports multiple authentication protocols, and connects to mainstream AD, LDAP, and RADIUS servers and dynamic token systems.

Authentication Protocol | System Built-in Account | AD  | LDAP | RADIUS Token | RADIUS Relay
PAP                     | YES                     | YES | YES  | YES          | Depending on the external system
CHAP                    | YES                     | NO  | NO   | NO           | Depending on the external system
EAP-PEAP-MSCHAPV2       | YES                     | YES | NO   | NO           | Depending on the external system
EAP-MD5                 | YES                     | NO  | NO   | NO           | Depending on the external system
EAP-TLS                 | YES                     | YES | YES  | NO           | Depending on the external system
EAP-TTLS-PAP            | YES                     | YES | YES  | YES          | Depending on the external system
EAP-PEAP-GTC            | YES                     | YES | YES  | YES          | Depending on the external system

• Supports on-demand data synchronization or filtering to meet diversified user requirements.


Refined, 5W1H-based Context Awareness Authorization, Flexible and Secure

Dimension | Description     | Example
Who       | User identity   | Administrative personnel, common employees, VIP users, guests
Where     | Access location | R&D area, non-R&D area, home
When      | Access time     | On-duty time, off-duty time, working days
Whose     | Device source   | Enterprise devices, BYOD devices
What      | Device type     | Windows, Linux, iOS, Android
How       | Access mode     | Wired, wireless, VPN, Internet

Intelligent Terminal Identification, Authentication Page Customization, Providing Permission Control for BYOD Terminals

• Provides up to 200 types of terminal identification templates, and supports multiple terminal identification modes, such as MAC organizationally unique identifier (OUI), Dynamic Host Configuration Protocol (DHCP) Option, Hypertext Transfer Protocol (HTTP) User-Agent, and Simple Network Management Protocol (SNMP).

• Allocates different service policies to terminals using the same account based on the terminal type, refining user permission control.

• Pushes authentication pages based on the terminal type, ensuring fine user experience.

• Allocates different service policies based on the terminal type, such as VLANs, ACLs, and bandwidth limits.
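The terminal identification and the 5W1H authorization described in the two sections above can be modelled together as a small policy engine: classify the terminal from the available evidence, build the who/where/when/whose/what/how context, and hand the first matching policy's VLAN, ACL and bandwidth limit to the access device. The following Python is an added example written for this page, not Huawei Agile Controller code; the OUI, DHCP vendor-class and User-Agent templates, the on-duty hours, the policy list and the sample sessions are all constructed assumptions.

```python
"""Terminal identification followed by 5W1H context-aware authorization.

Added example written for this page, not Huawei Agile Controller code.
Templates, duty hours, policies and sessions are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed identification templates; a real controller ships far more.
OUI_TEMPLATES = {"00:11:22": "printer", "aa:bb:cc": "ip-phone"}
DHCP_VENDOR_TEMPLATES = {"MSFT 5.0": "windows", "android-dhcp": "android"}
UA_TEMPLATES = {"iPhone": "ios", "Android": "android",
                "Windows NT": "windows", "Linux": "linux"}


def identify_terminal(mac: str, dhcp_vendor_class: str = "",
                      user_agent: str = "") -> str:
    """Classify a terminal; the most specific evidence (OUI) is tried first,
    then the DHCP vendor class, then the HTTP User-Agent."""
    oui = mac.lower()[:8]
    if oui in OUI_TEMPLATES:
        return OUI_TEMPLATES[oui]
    for prefix, kind in DHCP_VENDOR_TEMPLATES.items():
        if dhcp_vendor_class.startswith(prefix):
            return kind
    for token, kind in UA_TEMPLATES.items():   # "Android" is checked before "Linux"
        if token in user_agent:
            return kind
    return "unknown"


def when_bucket(ts: datetime) -> str:
    """Map a timestamp to the on-duty/off-duty buckets (constructed: Mon-Fri 09:00-18:00)."""
    return "on-duty" if ts.weekday() < 5 and 9 <= ts.hour < 18 else "off-duty"


@dataclass(frozen=True)
class Context:
    who: str        # user identity or role
    where: str      # access location
    when: datetime  # access time
    whose: str      # device source: "enterprise" or "byod"
    what: str       # device type, from identify_terminal()
    how: str        # access mode: wired, wireless, vpn, internet


@dataclass
class Policy:
    name: str
    match: Dict[str, Set[str]]   # dimension -> allowed values; absent dimension = any
    vlan: int
    acl: str
    bandwidth_kbps: Optional[int] = None

    def matches(self, ctx: Context) -> bool:
        values = {"who": ctx.who, "where": ctx.where, "when": when_bucket(ctx.when),
                  "whose": ctx.whose, "what": ctx.what, "how": ctx.how}
        return all(values[dim] in allowed for dim, allowed in self.match.items())


# Ordered from most to least specific; the first match wins.
POLICIES = [
    Policy("dumb-terminal", {"what": {"printer", "ip-phone"}}, vlan=50, acl="acl-voice-print"),
    Policy("vip-anywhere", {"who": {"vip"}}, vlan=110, acl="acl-vip", bandwidth_kbps=20000),
    Policy("rd-employee-corporate-wired",
           {"who": {"employee"}, "where": {"rd-area"}, "whose": {"enterprise"},
            "how": {"wired"}, "when": {"on-duty"}},
           vlan=100, acl="acl-rd-full"),
    Policy("employee-byod-wireless",
           {"who": {"employee"}, "whose": {"byod"}, "what": {"ios", "android"}, "how": {"wireless"}},
           vlan=200, acl="acl-byod-limited", bandwidth_kbps=2000),
    Policy("employee-vpn-offduty",
           {"who": {"employee"}, "how": {"vpn"}, "when": {"off-duty"}},
           vlan=300, acl="acl-vpn-restricted"),
]
DEFAULT_POLICY = Policy("guest-internet-only", {}, vlan=999, acl="acl-guest", bandwidth_kbps=1000)


def authorize(ctx: Context) -> Policy:
    """Return the first matching policy; unmatched sessions fall to the guest policy."""
    for policy in POLICIES:
        if policy.matches(ctx):
            return policy
    return DEFAULT_POLICY


def authorize_session(mac: str, who: str, where: str, when: datetime, whose: str,
                      how: str, dhcp_vendor_class: str = "", user_agent: str = "") -> dict:
    """Full path: identify the terminal, build the 5W1H context, pick the authorization."""
    what = identify_terminal(mac, dhcp_vendor_class, user_agent)
    policy = authorize(Context(who, where, when, whose, what, how))
    return {"terminal_type": what, "policy": policy.name, "vlan": policy.vlan,
            "acl": policy.acl, "bandwidth_kbps": policy.bandwidth_kbps}


if __name__ == "__main__":
    print(authorize_session("00:1a:2b:3c:4d:5e", "employee", "rd-area",
                            datetime(2024, 3, 5, 10, 0), "byod", "wireless",
                            user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"))
```

The same account yields different authorizations depending on the terminal and context: a corporate Windows laptop on a wired R&D port during working hours gets the full R&D ACL, while the same employee's own iPhone on Wi-Fi is placed in the limited BYOD VLAN with a bandwidth cap, which is the "different service policies to terminals using the same account" behaviour the section describes.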


Operating Environment

Configuration requirements in scenarios with no more than 2000 users are as follows.

Hardware Configuration
• CPU: E5-2640 6c 2.5 GHz or higher
• Memory: 8 GB
• Hard disk: 600 GB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Configuration requirements in scenarios with more than 2000 users are as follows.

Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 16 GB
• Hard disk: 2 TB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Deployment Scenarios

802.1X Access Control

802.1X is enabled on the switches closest to the terminals. Before the terminals can access the network, customers need to deploy security agents or the 802.1X clients provided by the operating system on the terminals. After the terminals pass 802.1X authentication, the Agile Controller server delivers authorization parameters, such as VLANs and ACLs, to the access switches to control the network access permissions of the terminals. MAC address authentication is enabled to authenticate dumb terminals, such as printers and IP phones, on the network. When the dumb terminals access the network, they automatically trigger MAC address authentication to obtain the network access permission.

[Figure: 802.1X access control: terminals connected to an 802.1X switch, with the network and the Agile Controller behind it]


Portal Access Control

A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication to access the network, or use the Agile Controller NAC client to access the network. Dumb terminals access the network using MAC address authentication.

SACG Access Control

SACG access control can be used on a complex campus network with a large number of third-party datacom devices, such as switches and routers. The SACG device is connected to the Layer 3 switch or a router in bypass mode. Upstream traffic sent from terminals is redirected to the SACG through the packet redirection function configured on the switch or policy-based routing configured on the router. After being filtered by the SACG, the traffic is sent back to the switch or router for forwarding.

Auxiliary Devices

Device role: Authentication device
Device types:
• Huawei Sx7 switches
• Huawei AR routers
• Huawei WLAN ACs
• Huawei USG firewalls
• 802.1X switches from mainstream third-party vendors

Ordering Information

Item | Remarks
Agile Controller Access Control Function | Mandatory
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License | Optional

[Figure: Portal access control: terminals connected to a Portal switch, with the network and the Agile Controller behind it]

[Figure: SACG access control: the SACG sits between the terminals in Area A and three domains: the pre-authentication domain (Agile Controller server, third-party antivirus server), the isolation domain (file server, service server), and the post-authentication domain (service server)]

Guest Manager

Component Overview

The maturity of WLAN technologies and the popularization of intelligent terminals cause many enterprises to open their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain stores, scenic spots, business halls, and airport lounges), a large number of users access the WLAN, bringing enormous advertising opportunities.

The Guest Management component of the Huawei Agile Controller provides full lifecycle guest management, including guest account application, approval, distribution, authentication, auditing, and deregistration. The component supports various account application methods, including self-service application, WeChat, and QR code. In addition, the enterprise's employees can apply for accounts for guests. It also allows users to customize guest account application and authentication pages and flexibly pushes advertisements.

Component Characteristics

Unified Management on Employees and Guests, Reducing Enterprises' Construction and IT O&M Costs

• The Access Control and Guest Management components can be deployed on the same server or separately.

Full Lifecycle Guest Management, Flexible Approval Modes

Registration
• Employee application
• Self-help application

Approval
• Automatic approval
• Administrator approval
• Approval by the receptionist

Distribution
• SMS (GPRS and SMS gateway)
• Email
• Web

Authentication
• User name and password
• Passcode
• Rights isolation using VLANs or ACLs

Audit and deregistration
• User login and logout audit
• Automatic deregistration after expiration
• Scheduled account deregistration

Portal Page Customization and Flexible Portal Page Pushing, Improving Enterprise Brand Image and Promoting Products

• Allows customers to customize login and registration pages that provide personalized information about enterprises, improving the brand image of enterprises.

[Figure: sample customized registration page with user name and password fields and the text "Welcome to the WLAN provided by XXX free of charge"]


• Automatically redirects users to the pre-authentication page or the URL configured by the administrator after the users pass authentication. This function is suitable for brand promotion.

• Pushes pages according to the location (SSID or associated AP), facilitating information push.

• Pushes pages according to the terminal type and terminal IP address.

Binding with Enterprises' WeChat Public Account, Periodically Pushing Information


Approval by Scanning the QR Code, Zero-Input Guest Account Registration, Improving Guest Satisfaction

Intelligent Terminals Unaware of Authentication, One-time Authentication for Multiple Accesses

• A combination of Portal and MAC address authentication is used for the first access, and MAC address authentication is used for subsequent accesses.

Operating Environment

Configuration requirements in scenarios with no more than 2000 users are as follows.

Hardware Configuration
• CPU: E5-2640 6c 2.5 GHz or higher
• Memory: 8 GB
• Hard disk: 600 GB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

[Figure: QR code guest authorization flow between the employee, the guest, the guest WLAN, and the Agile Controller server]

• The employee accesses the Wi-Fi from a mobile phone.
• The employee logs in to the Agile Controller.
• The guest scans the QR code.
• The guest accesses the Wi-Fi from a mobile phone.
• The guest accesses a web page through the browser and is redirected to a page on which the QR code is displayed.
• The QR code includes the authorization URL, the guest IP address (account), and the time when the guest associates with the Wi-Fi (password). The guest is redirected to the authorization page. After the guest clicks Authorization, the Agile Controller generates the guest account information.
• After the employee authorizes the guest, the guest account exists in the platform. The guest is automatically switched to the desired page after being authenticated and can access the Internet.
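The QR code flow above can be modelled end to end: the controller encodes what the page says the code carries (the authorization URL, the guest IP as the account, and the Wi-Fi association time as the password), the authorization page is opened from the scanned code, and once a logged-in employee confirms Authorization the account is created and the guest can authenticate. The following Python is an added example written for this page, not Huawei Agile Controller code. The HMAC signature over the payload and the five-minute validity window are assumptions added here so that an IP/time pair cannot simply be fabricated or replayed; the secret, host names and session values are constructed.

```python
"""Guest onboarding by QR code with employee authorization.

Added example written for this page, not Huawei Agile Controller code.
The signature and validity window are assumptions; all values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

DEMO_SECRET = b"constructed-demo-secret-rotate-me"   # constructed per-deployment secret
QR_VALIDITY_SECONDS = 300                            # assumed lifetime of a displayed code


def _sign(raw: bytes) -> str:
    return hmac.new(DEMO_SECRET, raw, hashlib.sha256).hexdigest()


def build_qr_url(auth_url: str, guest_ip: str, assoc_time: int) -> str:
    """Encode the QR payload: authorization URL, guest IP (account), association time (password)."""
    raw = json.dumps({"account": guest_ip, "password": str(assoc_time)}, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(raw).decode()
    return f"{auth_url}?{urlencode({'token': token, 'sig': _sign(raw)})}"


class GuestController:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.logged_in_employees: set = set()
        self.accounts: Dict[str, dict] = {}   # guest IP -> account record

    def employee_login(self, employee: str) -> None:
        self.logged_in_employees.add(employee)

    def authorize(self, employee: str, qr_url: str) -> dict:
        """Authorization clicked: validate the scanned payload and create the guest account."""
        if employee not in self.logged_in_employees:
            return {"status": "rejected", "reason": "employee not logged in"}
        query = parse_qs(urlparse(qr_url).query)
        try:
            raw = base64.urlsafe_b64decode(query["token"][0])
            sig = query["sig"][0]
        except (KeyError, ValueError):
            return {"status": "rejected", "reason": "malformed QR payload"}
        if not hmac.compare_digest(_sign(raw), sig):
            return {"status": "rejected", "reason": "bad signature"}
        payload = json.loads(raw)
        if self.clock() - int(payload["password"]) > QR_VALIDITY_SECONDS:
            return {"status": "rejected", "reason": "QR code expired"}
        guest_ip = payload["account"]
        if guest_ip in self.accounts:
            return {"status": "rejected", "reason": "already authorized"}
        self.accounts[guest_ip] = {"password": payload["password"], "sponsor": employee,
                                   "created": self.clock()}
        return {"status": "authorized", "account": guest_ip,
                "redirect": "https://portal.example.invalid/welcome"}   # constructed page

    def authenticate(self, guest_ip: str, password: str) -> bool:
        """Portal login after authorization: the IP is the account, the association time the password."""
        record = self.accounts.get(guest_ip)
        return record is not None and hmac.compare_digest(record["password"], password)


if __name__ == "__main__":
    ctrl = GuestController()
    ctrl.employee_login("alice")
    url = build_qr_url("https://portal.example.invalid/authorize", "10.0.0.23", int(time.time()))
    print(ctrl.authorize("alice", url))
```

The account record keeps the sponsoring employee, which is what makes the later login and logout audit attributable to a person rather than only to an IP address.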


Configuration requirements in scenarios with more than 2000 users are as follows.

Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 16 GB
• Hard disk: 2 TB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Deployment Scenarios

A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication to access the network.

[Figure: guest access: terminals connected to a Portal switch, with the network and the Agile Controller server behind it]


Auxiliary Devices

Device role: Authentication device
Device types:
• Huawei Sx7 series switches with native ACs
• Huawei AR routers with native ACs
• Huawei WLAN ACs

Ordering Information

Item | Remarks
Agile Controller Guest Management Function | Mandatory
Agile Controller Guest Management Function, Including 200 Guest Accounts Management License | Optional
Agile Controller Guest Management Function, Including 500 Guest Accounts Management License | Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License | Optional
Agile Controller Guest Management Function, Including 2000 Guest Accounts Management License | Optional
Agile Controller Guest Management Function, Including 5000 Guest Accounts Management License | Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License | Optional
Agile Controller Guest Management Function, Including 50000 Guest Accounts Management License | Optional

Free Mobility Manager

Component Overview

With the popularization of mobile office and BYOD applications, users in the headquarters, in branches, and on business trips want to access the enterprise network. The physical locations of the terminals are no longer fixed, and users even process business using their private terminals. How can different terminals accessing the network from different office locations obtain the same experience?

The Free Mobility component of the Huawei Agile Controller works with Huawei agile switches and NGFWs to provide security group–based policies in addition to the traditional NAC and implement unified policy deployment and automatic policy synchronization. This ensures that users have the same service experience when they move on the network. The component also provides user group–based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient, delivering a good service experience for VIP users.


Component Characteristics

Traditional VLAN/ACL Control Replaced by Policy Control based on Security Group, Greatly Improving Configuration Efficiency

• The policies on the entire network are planned in a unified manner and deployed through one click on the Agile Controller.

• Associates with switches, firewalls, and SVNs to ensure consistent service experience when users move on the entire network.

• Manages network-wide policies in a unified manner, flexibly adjusts policies, and delivers only the newly added policies.

Permission Control for Access Between User group and Resource Group, and Between User Groups

Quick Authorization Using Natural Language, Optimizing 5W1H-based Configuration Experience


User-group-based Bandwidth/QoS Policy, Ensuring Experience of VIP Users
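The security-group model described in this section replaces "which port or VLAN is the user on" with "which group is the user in": the group is assigned at authentication time, the permit matrix between user groups and resource groups (and between user groups) is planned once, and a per-group QoS priority decides who is forwarded first under congestion. The following Python is an added example written for this page, not Huawei Agile Controller code. It also computes the difference between two policy versions, which is what "delivers only the newly added policies" amounts to on the device side. Group names, subnets, priorities and addresses are constructed.

```python
"""Security-group policy control that follows the user across locations.

Added example written for this page, not Huawei Agile Controller code.
Groups, subnets, priorities and addresses are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

Rule = Tuple[str, str]   # (source group, destination group)


class SecurityGroupPolicy:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}        # authenticated user IP -> user group
        self.resources: Dict[ipaddress.IPv4Network, str] = {}   # subnet -> resource group
        self.permits: Set[Rule] = set()           # explicit permits; anything else is denied
        self.priority: Dict[str, int] = {}        # group -> QoS priority (higher wins)

    def user_authenticated(self, ip: str, group: str) -> None:
        """Called on each login; the group binding moves with the user, not the port."""
        self.sessions[ip] = group

    def user_logged_out(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def add_resource(self, cidr: str, group: str) -> None:
        self.resources[ipaddress.ip_network(cidr)] = group

    def permit(self, src_group: str, dst_group: str) -> None:
        self.permits.add((src_group, dst_group))

    def set_priority(self, group: str, priority: int) -> None:
        self.priority[group] = priority

    def group_of(self, ip: str) -> Optional[str]:
        """Resolve an address to a group: an authenticated user first, then resource subnets."""
        if ip in self.sessions:
            return self.sessions[ip]
        addr = ipaddress.ip_address(ip)
        for net, group in self.resources.items():
            if addr in net:
                return group
        return None   # unknown source or destination: no group, so no permit can match

    def decide(self, src_ip: str, dst_ip: str) -> dict:
        """Group-to-group decision a switch or firewall would apply to a flow."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        permitted = src is not None and dst is not None and (src, dst) in self.permits
        return {"src_group": src, "dst_group": dst,
                "action": "permit" if permitted else "deny",
                "priority": self.priority.get(src, 0) if src else 0}


def policy_delta(old: Iterable[Rule], new: Iterable[Rule]) -> Dict[str, List[Rule]]:
    """Only added rules are pushed to devices; removed rules are withdrawn."""
    old_set, new_set = set(old), set(new)
    return {"add": sorted(new_set - old_set), "remove": sorted(old_set - new_set)}


if __name__ == "__main__":
    p = SecurityGroupPolicy()
    p.add_resource("10.10.0.0/16", "rd-servers")
    p.permit("rd", "rd-servers")
    p.user_authenticated("192.168.1.10", "rd")      # R&D user at headquarters
    print(p.decide("192.168.1.10", "10.10.5.5"))
    p.user_logged_out("192.168.1.10")
    p.user_authenticated("172.16.7.7", "rd")        # same user, now at a branch
    print(p.decide("172.16.7.7", "10.10.5.5"))      # same decision, different location
```

Because the decision is keyed on groups rather than addresses, the R&D user keeps the same permissions after moving from a headquarters address to a branch address, and a VIP user's traffic carries its priority wherever the user connects.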

Operating Environment

The Free Mobility component can work properly only after the Access Control component is deployed. The operating environment of the Free Mobility component is the same as that of the Access Control component.

Deployment Scenarios

The Free Mobility component has no special networking requirements, provided that there are reachable IP routes between the Agile Controller server and the associated network devices. Generally, the component is deployed in data centers.

[Figure: Free Mobility deployment: converged access (APs, LSWs), agile aggregation, agile core, campus egress (NGFW/SVN to WAN/Internet), branches (AR, L2 SW, AP) with Internet access, and a data center hosting the Agile Controller, the NMS, and servers]


Auxiliary Devices

Device role: Authentication device
Device types:
• Chassis switch: S77/97/127 V2R6C00
• Box switch: S5720HI V2R6C00
• Firewall: USG63/65/66 V1R1C20
• VPN gateway: SVN 56/58 V2R3C00

Ordering Information

Item | Remarks
Agile Controller Access Control Function | Mandatory
Agile Controller Free Mobility Function | Mandatory

Service Orchestration Manager

Component Overview

Traditional security solutions used on enterprise campus networks and data center networks define network borders and deploy security devices such as firewall, anti-DDoS, antivirus (AV), intrusion prevention system (IPS), and data loss prevention (DLP) devices on the borders between different security levels. As the network scale expands, users connect to networks using more diversified access methods. Traditional security deployment results in an exponential increase in cost in this circumstance. In addition, many customers determine the number of security devices they need to purchase based on two to five times the peak-hour rates. However, high-performance security devices, such as firewalls, IPS, and anti-DDoS, have low resource utilization, which is a waste of resources.

The Huawei Agile Controller Service Orchestration component virtualizes physical security devices to shield the device models and locations. All security devices form a security resource center. The component directs service flows to the security resource center based on service needs to improve the use efficiency of physical resources and reduce costs.


Component Characteristics

Resource Virtualization, Service Flow-based Resource Scheduling, Implementing In-depth Security Protection

• Improves hardware utilization efficiency and reduces customer investment.

Comprehensive Service Flow Management, Service Flow Defining Based on IP Address or 5-tuple Information of User Group

• Defines service flows based on the source and destination IP addresses, source and destination port numbers, and protocol.

• Defines service flows based on the source and destination user groups, source and destination port numbers, and protocol.

Role-based Service Chain Resource Management

• Service devices can be defined as firewall, virus wall, or online behavior management device.

• The administrator can set up a GRE tunnel between an orchestration device (switch) and a service device to redirect service traffic to the specified service device for security monitoring.

Service Chain Creation Based on Service Flows, Providing Differentiated Security Policies for Different Services

• Configured service chain orchestration policies are displayed on the GUI, allowing administrators to rearrange service chains by simply dragging service devices.
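The three ideas in this section (service flows defined by 5-tuple or by user group, service devices with roles, and ordered service chains reached over GRE tunnels) fit together as a classification step on the orchestration switch: match the packet to a flow, look up the chain bound to that flow, and redirect the packet device by device in chain order, while unmatched traffic is forwarded normally. The following Python is an added example written for this page, not Huawei Agile Controller code; the addresses, user-group mapping, tunnel endpoints and sample packets are constructed, and the IP-to-group table stands in for the group information the controller learns at authentication.

```python
"""Service-flow classification and service-chain orchestration.

Added example written for this page, not Huawei Agile Controller code.
Addresses, groups, tunnel endpoints and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass
class ServiceFlow:
    """A flow definition; None in any field means 'any'. Both 5-tuple and user-group
    fields may be combined in one definition."""
    name: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    src_group: Optional[str] = None
    dst_group: Optional[str] = None

    def matches(self, pkt: Packet, group_of: Callable[[str], Optional[str]]) -> bool:
        def in_net(ip: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(pkt.src_ip, self.src_net) and in_net(pkt.dst_ip, self.dst_net)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port)
                and self.proto in (None, pkt.proto)
                and self.src_group in (None, group_of(pkt.src_ip))
                and self.dst_group in (None, group_of(pkt.dst_ip)))


@dataclass
class ServiceDevice:
    name: str
    role: str              # firewall, virus wall, online behavior management
    tunnel_endpoint: str   # GRE peer address on the service device


@dataclass
class ServiceChain:
    name: str
    devices: List[ServiceDevice]   # traversal order


class Orchestrator:
    """Models the orchestration switch: flow-to-chain bindings checked in order."""

    def __init__(self, switch_tunnel_ip: str, user_groups: Dict[str, str]) -> None:
        self.switch_tunnel_ip = switch_tunnel_ip
        self.user_groups = user_groups   # user IP -> group, as learned from the controller
        self.bindings: List[Tuple[ServiceFlow, ServiceChain]] = []

    def bind(self, flow: ServiceFlow, chain: ServiceChain) -> None:
        self.bindings.append((flow, chain))

    def group_of(self, ip: str) -> Optional[str]:
        return self.user_groups.get(ip)

    def plan(self, pkt: Packet) -> dict:
        """Return the chain and the ordered GRE hops for a packet; no match means forward normally."""
        for flow, chain in self.bindings:
            if flow.matches(pkt, self.group_of):
                hops = [{"device": d.name, "role": d.role,
                         "gre": (self.switch_tunnel_ip, d.tunnel_endpoint)} for d in chain.devices]
                return {"flow": flow.name, "chain": chain.name, "hops": hops}
        return {"flow": None, "chain": None, "hops": []}


if __name__ == "__main__":
    fw = ServiceDevice("usg-1", "firewall", "10.255.0.1")
    obm = ServiceDevice("obm-1", "online behavior management", "10.255.0.3")
    orch = Orchestrator("10.255.0.254", {"192.168.30.5": "guest"})
    orch.bind(ServiceFlow("guest-web", src_group="guest", dst_port=80, proto="tcp"),
              ServiceChain("guest-chain", [fw, obm]))
    print(orch.plan(Packet("192.168.30.5", "203.0.113.10", 51000, 80, "tcp")))
```

Because bindings are evaluated in order, the administrator's arrangement of flows is itself part of the policy: a narrow group-based flow placed before a broad IP-based one is the way to give one department a longer chain without touching everyone else's.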

Operating Environment

The Service Orchestration component can work properly only after the Access Control component is deployed. The operating environment of the Service Orchestration component is the same as that of the Access Control component.


Deployment Scenarios

Three hardware parts are required to provide the service orchestration function:

• Agile Controller service server: functions as the service orchestration subsystem, which completes the service logic configuration of service chains.

• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects the traffic to the service devices in the sequence specified by the service chain. There must be reachable IP routes between the orchestration device and service devices.

• Service device: processes the service flows redirected to it. The service and orchestration devices work at Layer 3 and are connected through GRE tunnels. Service devices can be connected to the core router or the core or aggregation switch according to the following principles:
  Core layer: define service flows based on IP information to shorten the traffic transmission path.
  Aggregation layer: define service flows based on user information if the customer can accept the circuitous transmission path.

Figure: Service orchestration deployment on a campus network. The figure shows the application layer, data center, NMS center, aggregation layer, access layer, and campus egress, with Dept A, Dept B, a guest area, and an internal public area. The Agile Controller defines service chain 1 and service chain 2; service chain nodes redirect traffic to the firewall, online behavior management, and antivirus service devices.
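The following is an added example, not Huawei code, that models the orchestration behaviour described above: the switch matches a flow against IP-based rules (the core-layer style of policy), then redirects it over a GRE tunnel to each service device in chain order, and a device that drops the flow ends the chain. The tunnel addresses, rules, packets and the firewall's drop policy are constructed for the example; GRE framing follows RFC 2784 without the checksum, key or sequence options, and the outer header is IPv4 with protocol 47.

```python
"""Flow classification and GRE redirection along a service chain (added example)."""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800

# Constructed topology: tunnel endpoints of the orchestration switch and the
# three service devices, plus the two service chains shown in the figure.
ORCH_TUNNEL_IP = "10.200.0.254"
TUNNEL_DST = {"firewall": "10.200.0.1", "antivirus": "10.200.0.2", "obm": "10.200.0.3"}
SERVICE_CHAINS = {"chain1": ["firewall", "antivirus", "obm"], "chain2": ["firewall"]}

# Core-layer style orchestration policy: service flows defined by IP information.
RULES = [
    (ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("172.16.0.0/12"), "chain1"),
    (ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("0.0.0.0/0"), "chain2"),
]


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a header yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def make_inner(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed user packet that the orchestration switch classifies."""
    return ipv4_header(src, dst, proto, len(payload)) + payload


def gre_encap(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header (no flags, version 0) + inner packet."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    return ipv4_header(tun_src, tun_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(pkt: bytes) -> bytes:
    """Validate outer IPv4 and GRE headers, return the inner packet."""
    if len(pkt) < 24 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("corrupt outer IPv4 header")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags & 0xB007:  # C, K or S option present, or version != 0: not handled here
        raise ValueError("unsupported GRE options or version")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE payload type 0x%04x" % proto)
    return pkt[ihl + 4:]


def classify(inner: bytes):
    """Return the service chain for the inner packet's IP addresses, or None."""
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    for src_net, dst_net, chain in RULES:
        if src in src_net and dst in dst_net:
            return chain
    return None


def service_device(name: str, tunneled: bytes):
    """Service-device side: check the tunnel target, decapsulate, apply policy.
    Returns the inner packet, or None when the device drops it."""
    if str(ipaddress.IPv4Address(tunneled[16:20])) != TUNNEL_DST[name]:
        raise ValueError("tunnel packet delivered to the wrong device")
    inner = gre_decap(tunneled)
    if name == "firewall" and inner[9] == 1:  # constructed policy: firewall drops ICMP
        return None
    return inner


def redirect_through_chain(inner: bytes):
    """Orchestration-switch side: classify, then tunnel to each device in order.
    Returns (packet after the chain or None if dropped, devices visited)."""
    chain = classify(inner)
    visited = []
    if chain is None:
        return inner, visited  # no orchestration policy matched: forward normally
    pkt = inner
    for dev in SERVICE_CHAINS[chain]:
        visited.append(dev)
        pkt = service_device(dev, gre_encap(pkt, ORCH_TUNNEL_IP, TUNNEL_DST[dev]))
        if pkt is None:
            break  # a device dropped the flow, so the chain ends here
    return pkt, visited


if __name__ == "__main__":
    tcp = make_inner("10.10.1.5", "172.16.3.9", 6, b"GET / HTTP/1.0\r\n")
    print(redirect_through_chain(tcp)[1])
```

Two points the example makes visible: the chain order is a property of the orchestration policy, not of the physical topology, which is why the datasheet only needs reachable IP routes between the switch and each service device; and plain GRE adds no confidentiality or origin authentication, so the path between the orchestration switch and the service devices must itself be trusted (or the tunnels protected), otherwise the redirected traffic can be read or injected on that path.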


Auxiliary Devices

Device Role             Device Type
Orchestration device    • Chassis switch: S77/97/127 V2R6C00
                        • Box switch: S5720HI V2R6C00
Service device          • Firewall: USG63/65/66 V1R1C20
                        • Juniper device: SRX210

Ordering Information

Item                                              Remarks
Agile Controller Access Control Function          Mandatory
Agile Controller Free Mobility Function           Mandatory
Agile Controller Service Orchestration Function   Mandatory

Terminal Security Manager

Component Overview

Security health assessment of access terminals is a key indicator of an enterprise's security management. Large numbers of mobile staff and partners frequently use their own terminals (such as laptop computers) to access the enterprise LAN, which poses great challenges to enterprise information security. Unauthorized terminals may bring computer viruses onto the enterprise network and may even be used to obtain the enterprise's trade secrets, threatening network security.

The Terminal Security Management component of the Huawei Agile Controller strictly controls network access by all terminal users and enforces security policies on the users connected to the network. The component supports terminal health check, employee behavior management and control, software distribution, patch management, and asset management to ensure that terminals connected to the network possess self-defense capabilities and comply with the enterprise's security policies.


Component Characteristics

Terminal Security Hardening, Ensuring that Access Terminals Meet Enterprise Requirements

• Provides more than 5000 predefined terminal security policies, including weak password check, monitoring of unauthorized external connections, web access monitoring, antivirus software monitoring, and mobile storage device monitoring.

• Provides different security rules based on user roles or departments.

Intelligent Patch Management System, Helping Terminal Users Rectify System Vulnerabilities and Improving Enterprise

Terminal Security

• Provides patches for the Microsoft Windows operating system, Microsoft SQL Server database, Microsoft Internet Explorer, and

Microsoft Office.

• Automatically downloads patches from the Microsoft website; the patch server can reach the Internet through a proxy.

Automatic or Manual Software Distribution, Improving Deployment Efficiency

• Distributes files in any format, and automatically executes .exe or .msi files.

• Distributes software by department, operation type, IP address segment, terminal user, and time segment.

• Supports fast software distribution by downloading software to subnets.

Employee Terminal and Network Behavior Auditing, Reducing Risks of Information Leak

• Audits network behaviors, including unauthorized external connections, web access, and network traffic.

• Audits usage of peripheral devices, including USB installation and removable operations, USB file operations, and use of other

peripheral devices.

• Audits terminal files, including file creation, copying, renaming, and deletion.

• Audits terminal operations, for example, controls non-standard software, monitors programs and services, and prohibits read-only or read-write access to drives.

Enterprise-level Asset Management, Preventing Employees from Changing Terminal Configurations and Reducing Risks of

Asset Loss

• Collects asset information, including the operating system, hardware and software list, hard disk serial number, and basic input

output system (BIOS) information.

• Generates asset reports and provides asset statistics and asset change analysis.

• Reports asset change alarms, and allows administrators to trace asset information continuously.

Operating Environment

The Terminal Security Management component can work properly only after the Access Control component is deployed. The operating

environment of the Terminal Security Management component is the same as that of the Access Control component.


Deployment Scenarios

The networking of the Terminal Security Management component is similar to that of the Access Control component. Customers need

to install the dedicated NAC client of the Agile Controller before they can enable the terminal security management feature.

Auxiliary Devices

Terminal Operating System   Version
Windows                     • Microsoft Windows XP
                            • Microsoft Windows Vista
                            • Microsoft Windows 7
                            • Microsoft Windows 8
                            • Microsoft Windows 8.1

Ordering Information

Item                                                                      Remarks
Agile Controller Access Control Function                                  Mandatory
Agile Controller Terminal Security Management Function                    Mandatory
Agile Controller Terminal Security Feature, Including 200 Terminals License     Optional
Agile Controller Terminal Security Feature, Including 500 Terminals License     Optional
Agile Controller Terminal Security Feature, Including 1000 Terminals License    Optional
Agile Controller Terminal Security Feature, Including 2000 Terminals License    Optional
Agile Controller Terminal Security Feature, Including 5000 Terminals License    Optional
Agile Controller Terminal Security Feature, Including 10000 Terminals License   Optional
Agile Controller Terminal Security Feature, Including 50000 Terminals License   Optional


United Security Manager

Component Overview

On traditional networks, the boundary between the enterprise network and the Internet is where the security risks lie, so many enterprises deploy security devices such as firewalls at their network boundaries. However, with the development of mobile services and the diversification of network attacks, the boundaries of security protection have become blurred. Services such as Wi-Fi, mobile terminals, and remote office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and APT, against which traditional boundary protection measures are no longer effective.

The United Security component of the Huawei Agile Controller manages logs and security events from the network, security, and IT devices of the entire network in a centralized manner. The component uses Big Data correlation analysis to evaluate network security, detect security problems that cannot be detected by single-point protection, and identify the Top N risky assets and areas on the entire network. This lets customers take proactive defense measures without having to analyze or trace attack sources and network risks themselves.


Component Characteristics

Unique Architectural Design, Re-defining Network Security from the Entire Network Perspective

• Detects security problems that cannot be detected through single-point protection.

• Provides self-defined correlation rules to satisfy differentiated security requirements.

• Gives executives a clear view of the current security situation on the network and helps engineers resolve security problems effectively.

Comprehensive Security Log Collection Capacity, Interconnecting with Third-party Devices

• Collects logs from Huawei network and security devices.

• Collects logs from third-party devices through standard interfaces, including Syslog, SNMP, FTP/SFTP, OPSEC, and ODBC.

Preset and Self-defined Correlation Rules, Discovering Network-wide Security Events

• Provides abundant built-in correlation rules for events, including password guess attacks, virus spread, attacks within an area, DDoS attacks on servers, penetration attacks on DMZ servers, and O&M violations (bypassing the bastion host).

• Allows users to customize correlation rules, including basic statistics correlation, dynamic statistics correlation, multi-rule nesting

correlation, and multi-dimensional expansion correlation.

Figure: United Security workflow. ① Log collection, then ② Big Data correlation analysis, then ③ security situation evaluation, after which the resulting security policy takes effect on the network.


Security Situation Display, Providing the Basis for Proactive Defense

• Divides the entire network into several areas and marks them with different colors based on the security view of the entire network.

• Identifies Top N risky assets on the entire network and evaluates the security level of the network, helping users quickly obtain the

network security status.

• Displays details of security events and suggestions, which can be referenced by administrators to address security issues.


Operating Environment

Configuration requirements for a United Security server are as follows:

Hardware configuration   • CPU: 2 x Intel Xeon E5-2640 (6 cores, 2.5 GHz) or higher
                         • Memory: 32 GB
                         • Hard disk: 2 x 1 TB
                         • Network adapter: 2 x Gigabit Ethernet
Operating system         • SUSE Linux 11
Database                 • MongoDB
                         • MySQL 5.5

Deployment Scenarios

The United Security component has no special networking requirements, provided that there are reachable IP routes between the Agile

Controller server and the associated network devices.

Figure: United Security deployment. The Agile Controller United Security server collects logs over the network from firewalls, routers, switches, and third-party systems.


Auxiliary Devices

Device Role              Device Type
Huawei security device   • NGFW
                         • DDoS
                         • ASG
                         • NIP
                         • SVN
Huawei network device    • Sx7 switches
                         • AR routers
                         • WLAN devices
Third-party device       Devices that support log collection through standard protocols, including:
                         • Syslog
                         • SNMP
                         • FTP/SFTP
                         • OPSEC
                         • ODBC
                         Devices that support log collection through universal files and dedicated log collection interfaces.

Ordering Information

Item                                                       Remarks
Agile Controller United Security Function                  Mandatory
Agile Controller United Security, Including 500 EPS License    Optional
Agile Controller United Security, Including 1000 EPS License   Optional
Agile Controller United Security, Including 2500 EPS License   Optional
Agile Controller United Security, Including 5000 EPS License   Optional

EPS: events per second, the number of log events processed per second.

More Information

For more information about the Huawei Agile Controller, visit http://enterprise.huawei.com.


Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

Trademark Notice

HUAWEI and the Huawei logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.