Huawei Agile Controller Full Product Datasheet
Contents
Introduction to the Agile Controller  4
Access Control Manager  8
Guest Manager  14
Free Mobility Manager  20
Service Orchestration Manager  24
Terminal Security Manager  29
United Security Manager  32
Introduction to the Agile Controller
Product Overview
For mobile office, bring your own device (BYOD), and wireless local area network (WLAN) services, user terminals (information receivers) are not fixed in certain physical locations. These services pose the following challenges to traditional networks that use static configuration:
1. How to deliver a consistent experience to different user terminals regardless of their locations?
2. How to configure user privileges, security, QoS, priority, and other network policies? On a traditional network, users can be bound to physical interfaces, and the administrator manually configures policies on the network devices closest to users. However, manual configuration cannot adapt to changes of user locations. To meet the requirements of mobile users, the network must support dynamic resource allocation and policy configuration. That is, network resources and policies must be able to migrate with users.
3. How to deploy network security policies? On traditional networks, the boundaries between enterprise networks and the Internet carry security risks. Many enterprises deploy security devices such as firewalls at their network boundaries. However, with the development of mobile services and diversified network attacks, the boundaries of security protection become blurred. Services such as Wi-Fi, mobile terminals, and remote office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and advanced persistent threats (APTs). In this case, traditional boundary protection measures become ineffective.
The Agile Controller is the core component of a next-generation network solution designed by Huawei for enterprise markets. It can be deployed on agile campus networks, agile branches, agile wide area networks (WANs), and agile data centers to control access policies for these networks as well as interconnection between data centers. Following the centralized control principle of software-defined networking (SDN), the Agile Controller dynamically schedules network and security resources on the entire network so that these resources migrate with users. With the Agile Controller, networks become more agile for services.
Product Characteristics
Experience-centric Redefined Network
The Agile Controller shifts customers' attention from technologies, equipment, and connectivity to users, services, and user experience, and frees customers from laborious manual configuration by providing natural-language network planning and automatic deployment.
• The Agile Controller applies the SDN's centralized control idea to campus networks. It can dynamically schedule and adjust network and security resources on the entire campus network to meet the requirements of frequently moving users, offering free mobility.
• The Agile Controller can flexibly adjust user rights, QoS policies, and security policies on the entire network. This dynamic policy adjustment greatly reduces the service provisioning or network expansion period, allowing networks to keep pace with fast-changing services.
• Using the Agile Controller, customers no longer need to pay attention to the differences between various devices. They can use natural language to configure network policies and deliver the configurations to all network devices with one click on the Agile Controller.
• User-based QoS scheduling ensures preferential forwarding of VIP users' services when network resources are insufficient, delivering a good experience to VIP users.
[Figure: The Agile Controller controls policies for headquarters (executive/employee/guest), branches (executive/employee/guest), Internet access (executive/employee), and the data center (finance, sales, R&D) over the WAN/Internet; control flows run between the Agile Controller and the devices, service flows between the sites.]
Network-wide United Security
The Agile Controller implements united security, replacing single-point protection with network-wide protection.
• The Agile Controller collects logs from network devices, security devices, and service systems, and employs Big Data analytics to
discover potential attacks and threats that are difficult to detect through single-point protection.
• The Agile Controller virtualizes security devices into a security resource center. Traffic of users with certain characteristics is blocked or
redirected to the security resource center to defend against attacks.
• The Agile Controller provides comprehensive terminal security and desktop management functions, and has over 5000 predefined
terminal security policies, ensuring terminal access security.
Openness and Interoperability
• The Agile Controller provides various northbound and southbound interfaces and open APIs to make the forwarding plane
and control plane programmable. It can interoperate with service systems of customers to improve end-to-end operation and
maintenance efficiency, shorten new service provisioning time, and give customers a platform for innovation.
• The Agile Controller is seamlessly interoperable with mainstream cloud platforms, including Huawei FusionSphere, VMware vSphere, OpenStack, and Microsoft Hyper-V. This interoperability makes the Agile Controller an elastic, open platform integrating best practices of various fields, allowing customers to flexibly define their networks based on service requirements.
Highly Reliable, Flexible Architecture
• The Agile Controller can be deployed in centralized, distributed, and hierarchical modes, and is applicable to various networks.
• The Agile Controller supports various authentication modes and database backup to ensure high reliability and service continuity.
• The Agile Controller uses the Browser/Server (B/S) architecture and complies with the latest Huawei User Interface (UI) design
standards; therefore, it is easy to use.
Product Components
The Agile Controller provides multiple service components for different application scenarios to meet diversified customer
requirements.
Component Description
Access Control Manager
Provides unified network access policies and supports multiple authentication methods such
as 802.1X, Portal, MAC address, and SACG authentication. This implements unified access
management on users from wired, wireless, or VPN networks.
Supports refined authorization based on the user identity, access time, access location, device
type, device source, and access mode. This ensures unified maintenance and management of all
terminals that access the enterprise network in various modes.
Guest Manager
Provides full lifecycle guest management, including guest account application, approval,
distribution, authentication, auditing, and deregistration.
Supports various account application methods, including self-service application, WeChat, and QR code. In addition, enterprise employees can apply for accounts on behalf of guests.
Allows users to customize guest account application and authentication pages and flexibly
pushes advertisements.
Free Mobility Manager
Works with Huawei agile switches and NGFWs to provide security group–based policies in
addition to the traditional NAC and implement unified policy deployment and automatic policy
synchronization. This ensures that users can have the same service experience when they move
on the network.
Provides user group–based QoS policy configuration to ensure preferential forwarding of VIP
users' data traffic when network resources are insufficient, delivering good service experience
for VIP users.
Service Orchestration Manager
Virtualizes physical security devices to shield the device models and locations, forming a security
resource center.
Directs service flows to the security resource center based on service requirements to improve
use efficiency of physical resources and reduce costs.
Terminal Security Manager
Strictly controls network access from all terminal users and enforces security policies to the users
connected to the network.
Supports terminal health check, employee behavior management and control, software
distribution, patch management, and asset management to ensure that terminals connected to
the network possess self-defense capabilities and comply with enterprise's security policies.
United Security Manager
Manages logs and security events from network, security, and IT devices on the entire network
in a centralized manner.
Uses the Big Data correlation analysis technique to evaluate network security and identify risky
assets and areas on the entire network.
Allows customers to take proactive defense measures so that they do not need to analyze or
trace the attack sources and network risks.
Access Control Manager
Component Overview
With improvements in information and communication technologies (ICT), enterprise users want to access the network from every corner of their offices. A large number of mobile staff and partners frequently use their own terminals (such as laptop computers) to access the enterprise local area networks (LANs), which brings great challenges to enterprise information security. Unauthorized terminals may bring computer viruses onto the enterprise networks and even obtain the enterprises' trade secrets, threatening network security. In addition, the maturity of WLAN technologies and the popularization of intelligent terminals lead many enterprises to allow their employees to access the enterprise intranets using intelligent BYOD terminals. The enterprises aim to improve employees' work efficiency and reduce the cost of and investment in mobile terminals. The application of WLAN technologies on enterprise networks also brings great information security risks.
The Access Control component of the Huawei Agile Controller associates with network access control devices to control access to enterprise networks from internal and external terminals. This component provides unified access control policies and flexibly manages authentication and authorization policies to meet different service control requirements.
Component Characteristics
Comprehensive Admission Control Technologies, Applicable to Multiple Types of Networks
The following lists each authentication mode, its characteristics, and its application scenarios.
802.1X authentication
Characteristics:
• The 802.1X function is enabled on a switch or an AC.
• It can implement Layer 2 isolation.
• The maintenance is complex because there are multiple authentication points.
• The switch must support 802.1X.
Application scenarios: Applies to small-, medium-, and large-sized campus networks with high security requirements. The Access Control component can associate with all series of Huawei switches, routers, and WLAN devices, and with third-party standard 802.1X switches.
MAC address authentication
Characteristics:
• The switch or AC automatically enables 802.1X or MAC address authentication for different terminals.
• Terminals are authenticated by the authentication server based on their MAC addresses.
Application scenarios: Applies to dumb terminals such as IP phones and printers.
Portal authentication
Characteristics:
• A combination of Portal and MAC address authentication is configured on devices at the aggregation layer, and the devices select authentication modes based on terminal types. The AC authenticates wireless users in a unified manner.
• Clients are optional on terminals based on service requirements.
• Access switches do not need to support 802.1X.
Application scenarios: The Access Control component can only associate with all series of Huawei switches, routers, and WLAN devices, especially when no client is required.
SACG authentication
Characteristics:
• The USG firewall is connected to the router or switch in bypass mode, and terminal access control is implemented using policy-based routing. There is no need to change the network topology.
• The management and maintenance are easy because there are few authentication points.
• The control point is at the aggregation or core layer; therefore, the control capability at Layer 2 is weak.
Application scenarios: Applies to complex campus networks with a large number of third-party datacom devices, such as switches and routers. This authentication mode is especially suitable for campus network reconstruction.
Hierarchical Department and User Management, Meeting the Requirements of Enterprises with Complex Organization
• A department can contain both sub-departments and users.
• Supports a maximum of ten department levels, which meets the requirements of enterprises with complex organization.
• Allows administrators to import and export department and user information in batches using Excel files.
Seamless Interconnection with External Data Sources and Social Media Platforms
• Supports multiple authentication protocols, and connects to mainstream AD, LDAP, and RADIUS servers and dynamic token systems.
Authentication Protocol   System Built-in Account   AD    LDAP   RADIUS Token   RADIUS Relay
PAP                       YES                       YES   YES    YES            Depending on the external system
CHAP                      YES                       NO    NO     NO             Depending on the external system
EAP-PEAP-MSCHAPV2         YES                       YES   NO     NO             Depending on the external system
EAP-MD5                   YES                       NO    NO     NO             Depending on the external system
EAP-TLS                   YES                       YES   YES    NO             Depending on the external system
EAP-TTLS-PAP              YES                       YES   YES    YES            Depending on the external system
EAP-PEAP-GTC              YES                       YES   YES    YES            Depending on the external system
• Supports on-demand data synchronization or filtering to meet diversified user requirements.
Refined, 5W1H-based Context Awareness Authorization, Flexible and Secure
Dimension   Description       Example
Who         User identity     Administrative personnel, common employees, VIP users, guests
Where       Access location   R&D area, non-R&D area, home
When        Access time       On-duty time, off-duty time, working days
Whose       Device source     Enterprise devices, BYOD devices
What        Device type       Windows, Linux, iOS, Android
How         Access mode       Wired, wireless, VPN, Internet
Intelligent Terminal Identification, Authentication Page Customization, Providing Permission Control for BYOD Terminals
• Provides up to 200 types of terminal identification templates, and supports multiple terminal identification modes, such as MAC organizationally unique identifier (OUI), Dynamic Host Configuration Protocol (DHCP) options, Hypertext Transfer Protocol (HTTP) User-Agent, and Simple Network Management Protocol (SNMP).
• Allocates different service policies to terminals using the same account based on the terminal type, refining user permission control.
• Pushes authentication pages based on the terminal type, ensuring a good user experience.
• Allocates different service policies based on the terminal type, such as VLANs, ACLs, and bandwidth limits.
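As an added illustration (not Huawei code), the following Python models first-match evaluation of 5W1H rules like those in the table above, showing the same employee account receiving a different VLAN/ACL on an enterprise laptop and on a BYOD phone, plus a check for rules shadowed by an earlier, more general rule. The dimension values, rule names, VLAN/ACL identifiers and duty hours are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The six dimensions of the 5W1H table: who, where, when, whose, what, how.
DIMENSIONS = ("who", "where", "when", "whose", "what", "how")
ANY = "*"  # wildcard: the rule does not constrain this dimension


@dataclass(frozen=True)
class AccessContext:
    who: str    # user identity: "employee", "vip", "guest"
    where: str  # access location: "rd_area", "non_rd_area", "home"
    when: str   # "on_duty" or "off_duty", derived by classify_time()
    whose: str  # device source: "enterprise" or "byod"
    what: str   # device type: "windows", "linux", "ios", "android"
    how: str    # access mode: "wired", "wireless", "vpn", "internet"


@dataclass(frozen=True)
class Authorization:
    vlan: int
    acl: str
    bandwidth_kbps: Optional[int] = None  # None means no rate limit


@dataclass(frozen=True)
class Rule:
    name: str
    match: Dict[str, str]  # dimension -> required value, or ANY
    result: Authorization


def classify_time(ts: datetime) -> str:
    """Map a timestamp to the 'when' dimension (constructed duty hours: Mon-Fri 09:00-18:00)."""
    return "on_duty" if ts.weekday() < 5 and 9 <= ts.hour < 18 else "off_duty"


def rule_matches(rule: Rule, ctx: AccessContext) -> bool:
    """A rule matches when every constrained dimension equals the context value."""
    return all(rule.match.get(d, ANY) in (ANY, getattr(ctx, d)) for d in DIMENSIONS)


def authorize(rules: List[Rule], ctx: AccessContext,
              default: Authorization) -> Tuple[str, Authorization]:
    """First-match evaluation; a context no rule covers gets the restrictive default."""
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule.name, rule.result
    return "default", default


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers every
    context they would match (a common ordering mistake in first-match policy)."""
    def covers(a: Rule, b: Rule) -> bool:
        return all(a.match.get(d, ANY) in (ANY, b.match.get(d, ANY)) for d in DIMENSIONS)
    return [b.name for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]


# Constructed sample policy, ordered most specific first.
QUARANTINE = Authorization(vlan=999, acl="acl_remediation_only")
SAMPLE_RULES = [
    # Enterprise-owned wired terminal in the R&D area during duty hours: full R&D access.
    Rule("rd_enterprise_wired_onduty",
         {"who": "employee", "where": "rd_area", "when": "on_duty",
          "whose": "enterprise", "how": "wired"},
         Authorization(vlan=100, acl="acl_rd_full")),
    # Same account on a BYOD terminal: Internet-only VLAN with a rate limit.
    Rule("employee_byod",
         {"who": "employee", "whose": "byod"},
         Authorization(vlan=200, acl="acl_internet_only", bandwidth_kbps=2000)),
    # VIP users keep priority bandwidth whatever the device.
    Rule("vip_any", {"who": "vip"},
         Authorization(vlan=110, acl="acl_vip", bandwidth_kbps=20000)),
    # Guests only reach the guest VLAN, and only over wireless.
    Rule("guest_wireless", {"who": "guest", "how": "wireless"},
         Authorization(vlan=900, acl="acl_guest", bandwidth_kbps=1000)),
]


def evaluate_samples() -> Dict[str, str]:
    """Evaluate two accesses by the same employee account plus a wired guest; returns rule names."""
    monday = datetime(2024, 3, 4, 10, 30)  # constructed timestamp: a Monday, on duty
    when = classify_time(monday)
    contexts = {
        "laptop": AccessContext("employee", "rd_area", when, "enterprise", "windows", "wired"),
        "phone": AccessContext("employee", "rd_area", when, "byod", "ios", "wireless"),
        "guest_wired": AccessContext("guest", "non_rd_area", when, "byod", "android", "wired"),
    }
    return {label: authorize(SAMPLE_RULES, ctx, QUARANTINE)[0] for label, ctx in contexts.items()}


if __name__ == "__main__":
    for label, rule_name in evaluate_samples().items():
        print(f"{label:12s} -> {rule_name}")
    print("shadowed rules:", shadowed_rules(SAMPLE_RULES))
```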
Operating Environment
Configuration requirements in scenarios with no more than 2000 users are as follows.
Hardware Configuration
• CPU: E5-2640 6c 2.5 GHz or higher
• Memory: 8 GB
• Hard disk: 600 GB
• Network adapter: 2 x GB
Operating System • Windows Server 2008 R2 (X64)
Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2
Configuration requirements in scenarios with more than 2000 users are as follows.
Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 16 GB
• Hard disk: 2 TB
• Network adapter: 2 x GB
Operating System • Windows Server 2008 R2 (X64)
Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2
Deployment Scenarios
802.1X Access Control
802.1X is enabled on the switches closest to the terminals. Before the terminals can access the network, customers need to deploy security agents or 802.1X clients provided by the operating system on the terminals. After the terminals pass 802.1X authentication, the Agile Controller server delivers authorization parameters, such as VLANs and ACLs, to the access switches to control the network access permissions of the terminals. MAC address authentication is enabled to authenticate dumb terminals, such as printers and IP phones, on the network. When the dumb terminals access the network, the terminals automatically trigger MAC address authentication to obtain the network access permission.
[Figure: 802.1X access control topology: Agile Controller, 802.1X switch, network.]
Portal Access Control
A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication to access the network, or use the Agile Controller NAC client to access the network. Dumb terminals access the network using MAC address authentication.
SACG Access Control
SACG access control can be used on a complex campus network with a large number of third-party datacom devices, such as switches and routers. The SACG device is connected to the Layer 3 switch or a router in bypass mode. Upstream traffic sent from terminals is redirected to the SACG through the packet redirection function configured on the switch or policy-based routing configured on the router. After being filtered by the SACG, the traffic is sent back to the switch or router for forwarding.
Auxiliary Devices
Device Role Device Type
Authentication device
• Huawei Sx7 switches
• Huawei AR routers
• Huawei WLAN ACs
• Huawei USG firewalls
• 802.1X switches from mainstream third-party vendors
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License Optional
[Figure: Portal access control topology (Agile Controller, Portal switch, network) and SACG access control topology (Agile Controller server and SACG; pre-authentication domain with the Agile Controller server and a third-party antivirus server; isolation domain with a file server and a service server; post-authentication domain with a service server; Area A).]
Guest Manager
Component Overview
The maturity of WLAN technologies and the popularization of intelligent terminals lead many enterprises to open their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain stores, scenic spots, business halls, and airport lounges), a large number of users access the WLAN, creating substantial advertising opportunities.
The Guest Management component of the Huawei Agile Controller provides full lifecycle guest management, including guest account application, approval, distribution, authentication, auditing, and deregistration. The component supports various account application methods, including self-service application, WeChat, and QR code. In addition, enterprise employees can apply for accounts on behalf of guests. It also allows users to customize guest account application and authentication pages and flexibly push advertisements.
Component Characteristics
Unified Management on Employees and Guests, Reducing Enterprises' Construction and IT O&M Costs
• The Access Control and Guest Management components can be deployed on the same server or separately.
Full Lifecycle Guest Management, Flexible Approval Modes
Phase Options
Registration
• Employee application
• Self-help application
Approval
• Automatic approval
• Administrator approval
• Approval by the receptionist
Distribution
• SMS (GPRS and SMS gateway)
• Web
Authentication
• User name and password
• Passcode
• Rights isolation using VLANs or ACLs
Audit and deregistration
• User login and logout audit
• Automatic deregistration after expiration
• Scheduled account deregistration
Portal Page Customization and Flexible Portal Page Pushing, Improving Enterprise Brand Image and Promoting Products
• Allows customers to customize login and registration pages that provide personalized information about enterprises, improving the brand image of enterprises.
[Figure: sample customized registration page with user name and password fields and the text "Welcome to the WLAN provided by XXX free of charge".]
• Automatically redirects users to the pre-authentication page or the URL configured by the administrator after the users pass
authentication. This function is suitable for brand promotion.
• Pushes pages according to the location (SSID or associated AP), facilitating information push.
• Pushes pages according to the terminal type and terminal IP address.
Binding with Enterprises' WeChat Public Account, Periodically Pushing Information
Approval by Scanning the QR Code, Zero-Input Guest Account Registration, Improving Guest Satisfaction
[Figure: QR code authorization flow between the Agile Controller server, the employee, and the guest on the guest WLAN.]
• The employee accesses the Wi-Fi from a mobile phone.
• The employee logs in to the Agile Controller.
• The guest scans the QR code.
• The guest accesses the Wi-Fi from a mobile phone.
• The guest accesses a web page through the browser and is redirected to a page on which the QR code is displayed.
• The QR code includes the authorization URL, the guest IP address (account), and the time when the guest associated with the Wi-Fi (password). The guest is redirected to the authorization page. After the guest clicks Authorization, the Agile Controller generates the guest account information.
• After the employee authorizes the guest, the guest account exists in the platform. The guest is automatically switched to the desired page after being authenticated and can access the Internet.
Intelligent Terminals Unaware of Authentication, One-time Authentication for Multiple Accesses
• A combination of Portal and MAC address authentication is used for the first access, and MAC address authentication is used for subsequent accesses.
Operating Environment
Configuration requirements in scenarios with no more than 2000 users are as follows.
Hardware Configuration
• CPU: E5-2640 6c 2.5 GHz or higher
• Memory: 8 GB
• Hard disk: 600 GB
• Network adapter: 2 x GB
Operating System • Windows Server 2008 R2 (X64)
Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2
Configuration requirements in scenarios with more than 2000 users are as follows.
Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 16 GB
• Hard disk: 2 TB
• Network adapter: 2 x GB
Operating System • Windows Server 2008 R2 (X64)
Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2
Deployment Scenarios
A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication to access the network.
[Figure: Portal access control for guests: Agile Controller server, Portal switch, network.]
Auxiliary Devices
Device Role Device Type
Authentication device
• Huawei Sx7 series switches with native ACs
• Huawei AR routers with native ACs
• Huawei WLAN ACs
Ordering Information
Item Remarks
Agile Controller Guest Management Function Mandatory
Agile Controller Guest Management Function, Including 200 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 500 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 2000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 5000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 50000 Guest Accounts Management License Optional
Free Mobility Manager
Component Overview
With the popularization of mobile office and BYOD applications, users in the headquarters, in branches, and on business trips want to access the enterprise network. The physical locations of the terminals are no longer fixed, and users even process business using their private terminals. How can different terminals accessing the network from different office locations obtain the same experience?
The Free Mobility component of the Huawei Agile Controller works with Huawei agile switches and NGFWs to provide security group–based policies in addition to traditional NAC, and implements unified policy deployment and automatic policy synchronization. This ensures that users have the same service experience when they move on the network. The component also provides user group–based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient, delivering a good service experience for VIP users.
Component Characteristics
Traditional VLAN/ACL Control Replaced by Policy Control based on Security Group, Greatly Improving Configuration Efficiency
• The policies on the entire network are planned in a unified manner and deployed through one click on the Agile Controller.
• Associates with switches, firewalls, and SVNs to ensure consistent service experience when users move on the entire network.
• Manages network-wide policies in a unified manner, flexibly adjusts policies, and delivers only the newly added policies.
Permission Control for Access Between User group and Resource Group, and Between User Groups
Quick Authorization Using Natural Language, Optimizing 5W1H-based Configuration Experience
User-group-based Bandwidth/QoS Policy, Ensuring Experience of VIP Users
Operating Environment
The Free Mobility component can work properly only after the Access Control component is deployed. The operating environment of
the Free Mobility component is the same as that of the Access Control component.
Deployment Scenarios
The Free Mobility component has no special networking requirements, provided that there are reachable IP routes between the Agile Controller server and the associated network devices. Generally, the component is deployed in data centers.
[Figure: Free Mobility deployment: Agile Controller and NMS in the data center; agile core, agile aggregation, and converged access (LSW, AP); campus egress NGFW/SVN to the WAN/Internet; branches with AR routers and L2 switches; Internet access.]
Auxiliary Devices
Device Role Device Type
Authentication device
• Chassis switch: S77/97/127 V2R6C00
• Box switch: S5720HI V2R6C00
• Firewall: USG63/65/66 V1R1C20
• VPN gateway: SVN 56/58 V2R3C00
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Free Mobility Function Mandatory
Service Orchestration Manager
Component Overview
Traditional security solutions used on enterprise campus networks and data center networks define network borders and deploy security devices such as firewalls, anti-DDoS, antivirus (AV), intrusion prevention system (IPS), and data loss prevention (DLP) devices on the borders between different security levels. As the network scale expands, users connect to networks using more diversified access methods, and traditional security deployment results in an exponential increase in cost. In addition, many customers size the number of security devices they purchase at two to five times the peak-hour rates. However, high-performance security devices, such as firewalls, IPS, and anti-DDoS, have low resource utilization, which wastes resources.
The Huawei Agile Controller Service Orchestration component virtualizes physical security devices to shield the device models and locations. All security devices form a security resource center. The component directs service flows to the security resource center based on service needs to improve the use efficiency of physical resources and reduce costs.
Component Characteristics
Resource Virtualization, Service Flow-based Resource Scheduling, Implementing In-depth Security Protection
• Improves hardware utilization efficiency and reduces customer investment.
Comprehensive Service Flow Management, Service Flow Definition Based on IP Address or 5-tuple Information of User Group
• Defines service flows based on the source and destination IP addresses, source and destination port numbers, and protocol.
• Defines service flows based on the source and destination user groups, source and destination port numbers, and protocol.
Role-based Service Chain Resource Management
• Service devices can be defined as firewall, virus wall, or online behavior management device.
• The administrator can set up a GRE tunnel between an orchestration device (switch) and a service device to redirect service traffic to
the specified service device for security monitoring.
Service Chain Creation Based on Service Flows, Providing Differentiated Security Policies for Different Services
• Configured service chain orchestration policies are displayed on the GUI, allowing administrators to rearrange service chains by
simply dragging service devices.
Operating Environment
The Service Orchestration component can work properly only after the Access Control component is deployed. The operating
environment of the Service Orchestration component is the same as that of the Access Control component.
Deployment Scenarios
Three hardware parts are required to provide the service orchestration function:
• Agile Controller service server: functions as the service orchestration subsystem, which completes the service logic configuration of service chains.
• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects the traffic to the service devices in the sequence specified by the service chain. There must be reachable IP routes between the orchestration device and service devices.
• Service device: processes the service flows redirected to it. The service and orchestration devices work at Layer 3 and are connected through GRE tunnels. Service devices can be connected to the core router or the core or aggregation switch according to the following principles:
  • Core layer: define service flows based on IP information to shorten the traffic transmission path.
  • Aggregation layer: define service flows based on user information if the customer can accept the circuitous transmission path.
[Figure: Service orchestration deployment: Agile Controller at the NMS center; application, aggregation, and access layers serving Dept A, Dept B, a guest area, and an internal public area; campus egress; service chain nodes with service chain 1 and service chain 2 traversing the firewall, online behavior management, and antivirus devices.]
Auxiliary Devices
Device Role Device Type
Orchestration device
• Chassis switch: S77/97/127 V2R6C00
• Box switch: S5720HI V2R6C00
Service device
• Firewall: USG63/65/66 V1R1C20
• Juniper device: SRX210
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Free Mobility Function Mandatory
Agile Controller Service Orchestration Function Mandatory
Terminal Security Manager
Component Overview
Security health assessment of access terminals is a key indicator of an enterprise's security management. Large numbers of mobile
staff and partners frequently use their own terminals (such as laptop computers) to access enterprise LANs, which poses great
challenges to enterprise information security. Unauthorized terminals may bring computer viruses into the enterprise network and
even obtain the enterprise's trade secrets, threatening network security.
The Terminal Security Management component of the Huawei Agile Controller strictly controls network access from all terminal users
and enforces security policies on the users connected to the network. The component supports terminal health check, employee
behavior management and control, software distribution, patch management, and asset management to ensure that terminals
connected to the network possess self-defense capabilities and comply with the enterprise's security policies.
Component Characteristics
Terminal Security Hardening, Ensuring that Access Terminals Meet Enterprise Requirements
• Provides more than 5000 predefined terminal security policies, including weak password check, monitoring of unauthorized external
connections, web access monitoring, antivirus software monitoring, and mobile storage device monitoring.
• Provides different security rules based on user roles or departments.
Intelligent Patch Management System, Helping Terminal Users Rectify System Vulnerabilities and Improving Enterprise Terminal Security
• Provides patches for the Microsoft Windows operating system, Microsoft SQL Server database, Microsoft Internet Explorer, and
Microsoft Office.
• Automatically downloads patches from the Microsoft website, and allows servers to connect to the Internet through an agent.
Automatic or Manual Software Distribution, Improving Deployment Efficiency
• Distributes files in any format, and automatically executes .exe or .msi files.
• Distributes software by department, operation type, IP address segment, terminal user, and time segment.
• Supports software distribution to subnets through fast downloading.
Employee Terminal and Network Behavior Auditing, Reducing Risks of Information Leak
• Audits network behaviors, including unauthorized external connections, web access, and network traffic.
• Audits usage of peripheral devices, including USB installation and removable operations, USB file operations, and use of other
peripheral devices.
• Audits terminal files, including file creation, copying, renaming, and deletion.
• Audits terminal operations, for example, controls non-standard software, monitors programs and services, and prohibits read-only or
read-write access to drives.
Enterprise-level Asset Management, Preventing Employees from Changing Terminal Configurations and Reducing Risks of Asset Loss
• Collects asset information, including the operating system, hardware and software list, hard disk serial number, and basic input
output system (BIOS) information.
• Generates asset reports and provides asset statistics and asset change analysis.
• Reports asset change alarms, and allows administrators to trace asset information continuously.
Operating Environment
The Terminal Security Management component can work properly only after the Access Control component is deployed. The operating
environment of the Terminal Security Management component is the same as that of the Access Control component.
Deployment Scenarios
The networking of the Terminal Security Management component is similar to that of the Access Control component. Customers need
to install the dedicated NAC client of the Agile Controller before they can enable the terminal security management feature.
Auxiliary Devices
Terminal Operating System: Windows
Version:
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows 8.1
Ordering Information
Item (Remarks)
• Agile Controller Access Control Function (Mandatory)
• Agile Controller Terminal Security Management Function (Mandatory)
• Agile Controller Terminal Security Feature, Including 200 Terminals License (Optional)
• Agile Controller Terminal Security Feature, Including 500 Terminals License (Optional)
• Agile Controller Terminal Security Feature, Including 1000 Terminals License (Optional)
• Agile Controller Terminal Security Feature, Including 2000 Terminals License (Optional)
• Agile Controller Terminal Security Feature, Including 5000 Terminals License (Optional)
• Agile Controller Terminal Security Feature, Including 10000 Terminals License (Optional)
• Agile Controller Terminal Security Feature, Including 50000 Terminals License (Optional)
United Security Manager
Component Overview
On traditional networks, the boundaries between enterprise networks and the Internet have security risks. Many enterprises deploy
security devices such as firewalls at their network boundaries. However, with the development of mobile services and diversified
network attacks, the boundaries of security protection become blurred. The services such as Wi-Fi, mobile terminals, and remote
office, bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and APTs. In this case, traditional
boundary protection measures become ineffective.
The United Security component of the Huawei Agile Controller manages logs and security events from network, security, and IT devices
on the entire network in a centralized manner. The component uses big data correlation analysis to evaluate network
security, detect security problems that cannot be detected through single-point protection, and identify the Top N risky assets and areas
on the entire network. It allows customers to take proactive defense measures without having to analyze or trace attack
sources and network risks themselves.
Component Characteristics
Unique Architectural Design, Re-defining Network Security from the Entire Network Perspective
• Detects security problems that cannot be detected through single-point protection.
• Provides self-defined correlation rules to satisfy differentiated security requirements.
• Allows executives to clearly see the current security situation on the network, and engineers to effectively resolve security
problems.
Comprehensive Security Log Collection Capability, Interconnecting with Third-party Devices
• Collects logs from Huawei network and security devices.
• Collects logs from third-party devices through standard interfaces, including Syslog, SNMP, FTP/SFTP, OPSEC, and ODBC.
Preset and Self-defined Correlation Rules, Discovering Network-wide Security Events
• Provides abundant built-in correlation rules for events, including password guessing attacks, virus spread, attacks in an area,
server DDoS attacks, DMZ server penetration attacks, and O&M violations (traversing the bastion host).
• Allows users to customize correlation rules, including basic statistics correlation, dynamic statistics correlation, multi-rule nesting
correlation, and multi-dimensional expansion correlation.
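As an added illustration of how a basic statistics correlation rule and a nested escalation rule operate over collected logs (not Agile Controller code; the syslog-style line format, rule names, thresholds and sample records are all constructed for this example):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (hypothetical firewall login-audit format, not real device output).
SAMPLE_LOGS = """\
2014-06-01T10:00:01 fw1 auth: login failed user=admin src=10.1.1.5 dst=10.2.0.10
2014-06-01T10:00:03 fw1 auth: login failed user=admin src=10.1.1.5 dst=10.2.0.10
2014-06-01T10:00:05 fw1 auth: login failed user=root src=10.1.1.5 dst=10.2.0.10
2014-06-01T10:00:07 fw1 auth: login failed user=admin src=10.1.1.5 dst=10.2.0.10
2014-06-01T10:00:09 fw1 auth: login failed user=guest src=10.1.1.5 dst=10.2.0.10
2014-06-01T10:00:20 fw1 auth: login ok user=admin src=10.1.1.5 dst=10.2.0.10
2014-06-01T10:05:00 fw1 auth: login failed user=bob src=10.1.1.9 dst=10.2.0.10
2014-06-01T11:00:00 fw1 auth: login failed user=bob src=10.1.1.9 dst=10.2.0.10
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse_logs(text):
    """Log collection step: parse raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Basic statistics correlation: 'password_guess' when one (src, dst) pair has >= threshold
    failed logins inside a sliding window. Multi-rule nesting: 'brute_force_success' when a
    successful login for the same pair arrives within the window after password_guess fired."""
    alerts, failures, fired = [], defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["result"] == "failed":
            # keep only the failures that fall inside the window ending at this event
            recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[key] = recent
            last = fired.get(key)
            if len(recent) >= threshold and (last is None or ev["ts"] - last > window):
                fired[key] = ev["ts"]
                alerts.append({"rule": "password_guess", "src": key[0], "dst": key[1], "count": len(recent), "ts": ev["ts"]})
        elif key in fired and ev["ts"] - fired[key] <= window:
            alerts.append({"rule": "brute_force_success", "src": key[0], "dst": key[1], "user": ev["user"], "ts": ev["ts"]})
    return alerts
```

The two isolated failures from 10.1.1.9 fall outside the window and produce nothing, while the burst from 10.1.1.5 raises password_guess and the success that follows it escalates to brute_force_success.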
Figure: United Security workflow diagram (not reproduced). Stages shown: log collection, big data correlation analysis, security situation evaluation, and security policy taking effect.
Security Situation Display, Providing the Basis for Proactive Defense
• Divides the entire network into several areas and marks them with different colors based on the security view of the entire network.
• Identifies Top N risky assets on the entire network and evaluates the security level of the network, helping users quickly obtain the
network security status.
• Displays details of security events and suggestions, which can be referenced by administrators to address security issues.
Operating Environment
Configuration requirements for a United Security server are as follows:
Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 32 GB
• Hard disk: 2 x 1 TB
• Network adapter: 2 x GB
Operating System
• SuSE Linux 11
Database
• MongoDB
• MySQL 5.5
Deployment Scenarios
The United Security component has no special networking requirements, provided that there are reachable IP routes between the Agile
Controller server and the associated network devices.
Figure: United Security deployment diagram (not reproduced). Labels shown: network, Agile Controller, United Security server, firewall, router, switch, and third-party system.
Auxiliary Devices
Device Role: Huawei security device
Device Type:
• NGFW
• DDOS
• ASG
• NIP
• SVN
Device Role: Huawei network device
Device Type:
• Sx7 switches
• AR routers
• WLAN devices
Device Role: Third-party device
Device Type: devices that support log collection through standard protocols, including the following:
• Syslog
• SNMP
• FTP/SFTP
• OPSEC
• ODBC
• Devices that support log collection through universal files and dedicated log collection interfaces.
Ordering Information
Item (Remarks)
• Agile Controller United Security Function (Mandatory)
• Agile Controller United Security, Including 500 EPS License (Optional)
• Agile Controller United Security, Including 1000 EPS License (Optional)
• Agile Controller United Security, Including 2500 EPS License (Optional)
• Agile Controller United Security, Including 5000 EPS License (Optional)
EPS: short for events per second, indicating the number of log events processed per second.
More Information
For more information about the Huawei Agile Controller, visit http://enterprise.huawei.com.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
Trademark Notice
, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.