Huawei Policy Center Competitive Positioning vs. Cisco ISE
Author/ID: Author's name/Author's ID. Dept: Branding Planning Dept. Version: V1.0 (20YYMMDD)

Content
1. Cisco ISE Overview
2. The Key Features Analysis of ISE
3. Cisco ISE Business Analysis
4. Competitive Strategy
5. HUAWEI Policy Center Overview

Cisco ISE Overview
The Cisco ISE (Identity Services Engine) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. Its architecture allows enterprises to gather real-time contextual information from networks, users, and devices and to make proactive governance decisions by enforcing policy across the network infrastructure: wired, wireless and remote.
(Figure: ISE 3315, 3355 and 3395 appliances, each with four interfaces, eth0 to eth3.)

Cisco ISE Main Function
Context-based access: policy definition, policy enforcement, monitoring and troubleshooting. The context ISE collects:
Who? Known users (employees, sales, HR); unknown users (guests)
What? Device identity; device classification (profile); device health (posture)
How? Wired; wireless; VPN
Where? Geographic location; Calling-Station-ID; SSID / switch port
When? Date; time; start/stop of access
Other? AD, LDAP or custom attributes; did the user badge in to the building; citizenship, etc.

Cisco ISE Architecture
The overall architecture consists of three parts: Monitor, Policy Service and Enforce. Among them, the Policy Service is the core.
(Figure: the endpoint sends an access request to the Enforce point (network device), which exchanges request/response with the Policy Service before resource access is granted. The Policy Service queries attributes from external data sources; the admin views and configures policies on it. Both the enforcement point and the Policy Service send logging to the Monitor node, where the admin views logs and reports.)

Cisco ISE Model
Hardware and VM options:
- Small (1121/3315), based on the IBM System x3250 M2: 1 x quad-core Xeon 2.66 GHz; 4 GB RAM; 2 x 250 GB SATA (500 GB available); no RAID; 4 x Gigabit Ethernet; single 650 W power supply; all node roles.
- Medium (3355), based on the IBM System x3550 M2: 1 x quad-core Nehalem 2 GHz; 4 GB RAM; 2 x 300 GB 2.5" SATA (600 GB available); RAID 0; 4 x Gigabit Ethernet; 650 W power supply; all node roles.
- Large (3395), based on the IBM System x3550 M2: 2 x quad-core Nehalem 2 GHz; 4 GB RAM; 4 x 300 GB 2.5" SAS (600 GB available); RAID 1; 4 x Gigabit Ethernet; redundant power supplies; all node roles.
- VM: VMware Server v2.0 (demos), VMware ESX v4.0/v4.1, VMware ESXi v4.0/v4.1; >= 1 processor; 4 GB RAM (max); disk: Admin >= 60 GB, Policy Service >= 60 GB, Monitoring >= 200 GB; all node roles except the Inline Posture Node.

Cisco ISE Deployment Scheme
Centralized deployment: ISE servers are deployed at one site.
Distributed deployment: ISE servers are deployed across multiple sites, such as headquarters and branches.

Cisco NAC Solution based on ISE
ISE: policy and integrated security services (Profiler, Posture, Guest Server). AAA services; profiling (categorization of devices); posture (assurance of compliance); guest management.
Campus network: Catalyst switches for wired users with baseline identity features (802.1X, flex auth, web auth), SGT carried via SXP; WLC/AP for wireless users with CoA and profiling.
Campus aggregation: Catalyst 6500/Sup2 with SGT/SGACL.
Data center: Nexus 7000 enforcement with SGT/SGACL (egress enforcement); Nexus 5000/2000.
WAN: ASR1K WAN aggregation router with SXP/SGT support (no MACsec); ISR G2 with integrated switch at the branch (TrustSec branch features); site-to-site VPN users; AnyConnect remote users.
Security Group Access: Security Group Tags propagated via SXP.

2. The Key Features Analysis of ISE

Key Features: AAA
Cisco ISE integrates the AAA function. It provides a standards-based RADIUS server (RFC 2865) and supports authentication and authorization for users and endpoints over wired, wireless and VPN with consistent policy throughout the enterprise.
Authentication protocols: EAP-GTC, PAP, MS-CHAP v1/v2, EAP-MSCHAPv2, LEAP, EAP-MD5, CHAP, EAP-TLS and PEAP-TLS. (LEAP and EAP-MD5 are legacy methods and should be left disabled in new deployments.)
Identity stores (OS/version):
- Local data: account + password
- Active Directory: Microsoft Windows Active Directory 2000; Active Directory 2003 (32-bit only); Active Directory 2003 R2 (32-bit only)
- LDAP servers: SunONE LDAP Directory Server 5.2; Linux LDAP Directory Server 4.1; NAC Profiler 2.1.8 or later
- Token servers: RSA ACE/Server 6.x series; RSA Authentication Manager 7.x series; RFC 2865-compliant RADIUS token servers; SafeWord Server

Key Features: NAC of ISE
The main NAC methods: 802.1X, MAB, web authentication. Network devices include Cisco switches, routers, WLCs and firewalls, and so on. ISE dynamically assigns an ACL or VLAN to the device based on user, device type, access type, access site and time.
VLANs: the authorization policy sets the VLAN and the infrastructure provides enforcement. Typical VLAN examples: quarantine/remediation VLAN, guest VLAN, employee VLAN. A VLAN change typically requires an IP address change, which can conflict with other endpoint processes.
dACLs: the authorization policy pushes a downloadable ACL (or the name of an ACL already configured on the NAD) to the network access device; the ACL source "any" is automatically converted to the specific host address. No IP address change is required, so it is typically less disruptive to the endpoint and gives a better user experience.
Enforcement modes: 802.1X/MAB/web auth; VLAN assignment; ACL download.
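As an added example (not code from the deck or from Cisco), the following Python encodes the two authorization results the slide contrasts: the RFC 2868 tunnel attributes that move a port into a VLAN, and the Cisco cisco-av-pair entries that carry a dACL. It then shows the switch-side step the slide mentions, rewriting each entry's source "any" to the authenticated host. The VLAN name, ACL entries and host address are constructed.

```python
"""RADIUS authorization result: VLAN assignment vs downloadable ACL (dACL).
Added example; attribute numbers come from RFC 2865/2868/3580 and Cisco's
Vendor-Specific format. VLAN names, ACL rules and host addresses are constructed."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580: Tunnel-Medium-Type = IEEE-802


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-octet value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def cisco_av_pair(text):
    """Vendor-Specific(26): Vendor-Id 9, sub-type 1 (cisco-av-pair), sub-length, text."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(payload) + 2) + payload
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def vlan_authorization(vlan, tag=1):
    """Attributes an authorization profile sends to move the port into a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))


def dacl_authorization(aces):
    """Attributes carrying a per-session ACL, one cisco-av-pair ip:inacl#N= per entry."""
    return b"".join(cisco_av_pair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(aces, 1))


def decode_attributes(blob):
    """Walk an attribute list; return (type, value) pairs, Cisco av-pairs decoded to text."""
    out, pos = [], 0
    while pos < len(blob):
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        value = blob[pos + 2:pos + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack_from("!I", value)[0] == CISCO_VENDOR_ID):
            sub_type, sub_length = struct.unpack_from("!BB", value, 4)
            if sub_type == CISCO_AV_PAIR:
                out.append(("cisco-av-pair", value[6:4 + sub_length].decode()))
                pos += length
                continue
        out.append((attr_type, value))
        pos += length
    return out


def assigned_vlan(attrs):
    """VLAN from Tunnel-Private-Group-ID; a leading octet <= 0x1F is the RFC 2868 tag."""
    for attr_type, value in attrs:
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return (value[1:] if value[0] <= 0x1F else value).decode()
    return None


def install_dacl(attrs, host_ip):
    """What the switch does with a downloaded ACL: the source 'any' in every entry is
    rewritten to the authenticated host, so the ACL only applies to that endpoint's
    traffic and cannot be borrowed by another device behind the same port."""
    entries = {}
    for attr_type, value in attrs:
        if attr_type == "cisco-av-pair" and value.startswith("ip:inacl#"):
            seq, rule = value[len("ip:inacl#"):].split("=", 1)
            entries[int(seq)] = rule
    installed = []
    for seq in sorted(entries):
        words = entries[seq].split()   # action protocol source [port] destination [port]
        if len(words) >= 3 and words[2] == "any":
            words[2:3] = ["host", host_ip]
        installed.append(" ".join(words))
    return installed


if __name__ == "__main__":
    print("VLAN:", assigned_vlan(decode_attributes(vlan_authorization("QUARANTINE"))))
    accept = decode_attributes(dacl_authorization([
        "permit udp any eq bootpc any eq bootps",
        "permit tcp any host 10.0.0.5 eq 443",
        "deny ip any any"]))
    print(*install_dacl(accept, "192.0.2.10"), sep="\n")
```

The VLAN path changes nothing about what the endpoint may talk to; it moves the endpoint to a different broadcast domain and relies on the endpoint renewing its lease. The dACL path leaves the address alone and the host rewrite is what keeps a per-user ACL from becoming a per-port one.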

Key Features: ISE Network Access Device
The 802.1X authentication scheme supports standard RADIUS attributes and Cisco vendor-specific RADIUS attributes:
- The standard 802.1X scheme controls user network access by dynamic VLAN assignment and works with network equipment from any manufacturer;
- The Cisco-proprietary scheme controls user network access by dynamic ACL (dACL) and is only supported on Cisco network equipment;
- Web authentication is only compatible with Cisco network equipment.

Key Features: Profiling
Cisco ISE integrates a profiling function. It can detect and identify the type of endpoint device so that the administrator can configure policy based on device type. ISE can use the following attributes to identify the device type: MAC OUI; DHCP information; RADIUS information; HTTP information; DNS query information; NetFlow information; NMAP scan; SNMP query; SNMP trap. ISE ships with a large built-in library of device types.
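The following Python is an added example, not ISE's profiler or its built-in library, showing the mechanics: each attribute source (MAC OUI, DHCP option 55 parameter request list, DHCP hostname, HTTP User-Agent) contributes a weighted condition, and a profile is assigned only once its certainty passes a threshold, so the classification sharpens as more attributes arrive. The OUI table, fingerprints, profiles and weights are constructed. The third endpoint shows why a MAC OUI alone is not evidence: MAC addresses are trivially cloned, and the DHCP fingerprint contradicts it.

```python
"""Endpoint profiling from passively collected attributes (MAC OUI, DHCP, HTTP).
Added example; the OUI table, DHCP fingerprints, profiles and weights are all
constructed for illustration and are not ISE's built-in profile library."""

OUI_VENDORS = {                   # constructed subset: first three octets -> vendor
    "00:1b:63": "Apple",
    "00:50:56": "VMware",
    "00:e0:fc": "Huawei",
}

# DHCP option 55 (Parameter Request List) order differs per OS network stack.
DHCP_FINGERPRINTS = {             # constructed: option-55 list -> OS family
    "1,3,6,15,119,252": "Apple",
    "1,15,3,6,44,46,47,31,33,121,249,43,252": "Windows",
    "1,3,6,15,26,28,51,58,59,43": "Android",
}

# Each matching condition adds its weight to the profile's certainty; a profile is
# considered only when the total reaches min_certainty (assumed scoring rule).
PROFILES = {
    "Apple-iPad": {"min_certainty": 30, "conditions": [
        ("oui", "Apple", 10), ("dhcp_os", "Apple", 10), ("user_agent_contains", "iPad", 20)]},
    "Apple-Device": {"min_certainty": 20, "conditions": [
        ("oui", "Apple", 10), ("dhcp_os", "Apple", 10)]},
    "Android": {"min_certainty": 10, "conditions": [
        ("dhcp_os", "Android", 10), ("user_agent_contains", "Android", 20)]},
    "Workstation-Windows": {"min_certainty": 10, "conditions": [
        ("dhcp_os", "Windows", 10), ("hostname_contains", "-PC", 5)]},
    "VMware-Device": {"min_certainty": 10, "conditions": [("oui", "VMware", 10)]},
}


def oui_vendor(mac):
    """Vendor from the first three octets; accepts 00:1B:63... or 00-1b-63... forms."""
    return OUI_VENDORS.get(mac.lower().replace("-", ":")[:8], "Unknown")


def dhcp_os(param_request_list):
    """OS family from the exact option-55 sequence the client requested."""
    return DHCP_FINGERPRINTS.get(",".join(str(o) for o in param_request_list), "Unknown")


def profile_endpoint(event):
    """event: dict of attributes seen so far for one MAC. Returns (profile, certainty)."""
    facts = {
        "oui": oui_vendor(event["mac"]),
        "dhcp_os": dhcp_os(event.get("dhcp_opt55", [])),
        "user_agent": event.get("http_user_agent", ""),
        "hostname": event.get("dhcp_hostname", ""),
    }
    certainty = {}
    for name, spec in PROFILES.items():
        score = 0
        for kind, wanted, weight in spec["conditions"]:
            if kind.endswith("_contains"):
                if wanted.lower() in facts[kind[:-len("_contains")]].lower():
                    score += weight
            elif facts[kind] == wanted:
                score += weight
        if score >= spec["min_certainty"]:
            certainty[name] = score
    if not certainty:
        return "Unknown", 0
    best = max(certainty, key=certainty.get)
    return best, certainty[best]


# Constructed observations for three endpoints.
IPAD = {"mac": "00:1B:63:AA:BB:01", "dhcp_opt55": [1, 3, 6, 15, 119, 252],
        "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X)"}
IPAD_BEFORE_HTTP = {k: v for k, v in IPAD.items() if k != "http_user_agent"}
# Same Apple OUI, but the DHCP fingerprint and hostname say Windows: a cloned MAC.
CLONED_MAC = {"mac": "00:1b:63:aa:bb:02", "dhcp_hostname": "JSMITH-PC",
              "dhcp_opt55": [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, 252]}

if __name__ == "__main__":
    for label, ev in [("iPad", IPAD), ("iPad before HTTP", IPAD_BEFORE_HTTP),
                      ("cloned MAC", CLONED_MAC)]:
        print(f"{label:18} -> {profile_endpoint(ev)}")
```

Because profiles are re-scored whenever a new attribute arrives, a policy keyed on device type should expect the profile to change after the first HTTP request or DHCP renewal, which is why the deck pairs profiling with CoA on the wireless side.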

Key Features: Guest Management
Cisco ISE allows visitors, contract employees and consultants to access the network through a web page. The administrator can configure policy based on the role and time of the guest, and ISE dynamically assigns an ACL and VLAN to the device. Main functions include: approval process and notification management for guest accounts; guest role authorization management; custom web authentication pages; guest login log management.

Key Features: Host Health Check
Persistent and web agent support.
Posture definitions: pre-built or custom checks with granular Boolean logic; custom checks for AV, AS, Microsoft and other attributes; hundreds of AV/AS vendor packages/versions; dynamic hourly updates for the latest hotfixes and signature definitions/DAT files; Compliance Module with dynamic update of new vendor packages via client provisioning.
Assessment/check options: antivirus/antispyware; registry keys; Windows Update; application/process; file existence/dates; Windows Server Update Services (WSUS).
Remediation: automatic or interactive; API to the AV/AS/WU client, URL redirect, execute program, download files, instructions; mandatory, optional or audit-only.
Passive reassessment: separate login versus post-login policy; admin-configurable action (monitor/alert/enforce).
Example across wired, wireless and VPN:
- Employee policy: Microsoft patches updated; McAfee AV installed, running and current; corporate asset checks; enterprise application running.
- Guest policy (contractors/guests): accept AUP; no posture; Internet only.
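The following Python is an added example, not ISE's posture engine or its rule syntax. It evaluates a requirement set like the employee policy on the slide (patches current; McAfee AV installed, running and current; corporate asset check; enterprise application running) with mandatory, optional and audit-only enforcement, then maps the result onto the access granted, including the guest path that only requires an AUP. Check names, registry keys, process names, dates and the agent reports are constructed.

```python
"""Posture policy evaluation with mandatory, optional and audit-only requirements.
Added example; the requirement set and the agent reports are constructed and do not
reproduce ISE's posture rule syntax. Dates are fixed so the example is repeatable."""
from datetime import date

ASSESSMENT_DATE = date(2012, 6, 1)   # assumed "now" for the definition-age check
MAX_DEFINITION_AGE_DAYS = 7


# Simple checks over the agent's report, combined with Boolean logic in the conditions.
def av_current(report):
    av = report.get("antivirus")
    return bool(av) and av["vendor"] == "McAfee" and av["running"] \
        and (ASSESSMENT_DATE - av["definitions"]).days <= MAX_DEFINITION_AGE_DAYS


def patches_current(report):
    return not report.get("missing_critical_patches")


def corporate_asset(report):
    # Either the asset-tag registry key or the corporate file marker is accepted (OR).
    return r"HKLM\SOFTWARE\Corp\AssetTag" in report.get("registry", {}) \
        or r"C:\Corp\asset.id" in report.get("files", [])


def enterprise_app_running(report):
    return "corp-agent.exe" in report.get("processes", [])


def screen_lock_enabled(report):
    return report.get("screen_lock", False)


# (name, enforcement mode, condition, remediation instruction shown to the user)
REQUIREMENTS = [
    ("McAfee AV installed, running and current", "mandatory", av_current, "Update AV and restart the service"),
    ("Microsoft critical patches", "mandatory", patches_current, "Run Windows Update"),
    ("Corporate asset", "mandatory", corporate_asset, "Contact the help desk"),
    ("Enterprise application running", "optional", enterprise_app_running, "Start corp-agent"),
    ("Screen lock enabled", "audit", screen_lock_enabled, None),
]


def evaluate_posture(report):
    """Mandatory failures make the endpoint non-compliant; optional failures are
    reported to the user but do not block; audit-only failures are logged only."""
    result = {"status": "Compliant", "remediate": [], "warn": [], "audit": []}
    for name, mode, condition, fix in REQUIREMENTS:
        if condition(report):
            continue
        if mode == "mandatory":
            result["remediate"].append((name, fix))
        elif mode == "optional":
            result["warn"].append((name, fix))
        else:
            result["audit"].append(name)
    if result["remediate"]:
        result["status"] = "NonCompliant"
    return result


def authorize(identity_group, report):
    """Map identity group and posture result onto the access profile granted."""
    if identity_group == "Guest":          # guest policy: accept AUP, no posture
        return "Internet-Only" if report.get("aup_accepted") else "Deny"
    posture = evaluate_posture(report)
    return "Employee-Full" if posture["status"] == "Compliant" else "Quarantine-Remediation"


# Constructed agent reports.
HEALTHY = {"antivirus": {"vendor": "McAfee", "running": True, "definitions": date(2012, 5, 30)},
           "missing_critical_patches": [], "registry": {r"HKLM\SOFTWARE\Corp\AssetTag": "A-1001"},
           "processes": ["explorer.exe", "corp-agent.exe"], "screen_lock": True}
STALE_AV = {**HEALTHY,
            "antivirus": {"vendor": "McAfee", "running": True, "definitions": date(2012, 5, 1)},
            "processes": ["explorer.exe"]}

if __name__ == "__main__":
    print(evaluate_posture(HEALTHY)["status"], authorize("Employee", HEALTHY))
    print(evaluate_posture(STALE_AV), authorize("Employee", STALE_AV))
    print(authorize("Guest", {"aup_accepted": True}))
```

Everything here trusts the agent's report. A posture check raises the bar for an honest but neglected endpoint; it is not a defence against an endpoint that lies about its own state, which is why the deck's later slides pair it with network-side enforcement (VLAN, ACL, CoA).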

3. Cisco ISE Business Analysis

Platforms and Options of ISE
Platforms:
- Appliance: Cisco Identity Services Engine 3315 (small), 3,000-endpoint target; 3355 (medium), 6,000-endpoint target; 3395 (large), 10,000-endpoint target.
- Software or virtual machine: 1, 5 or 10 virtual machines.
Options (each license is available for 100, 250, 500, 1,000, 1,500, 2,500, 3,500, 5,000, 10,000, 25,000, 50,000 and 100,000 endpoints):
- Base. Capabilities: basic network access and guest access. Network deployment support: wired, wireless and VPN. License prerequisite: none. Perpetual license.
- Advanced. Capabilities: profiler, posture and Security Group Access (SGA). Network deployment support: wired, wireless and VPN. License prerequisite: Base license. Term license: 3- and 5-year terms.
- Wireless. Capabilities: basic network access, guest access, profiler, posture and SGA. Network deployment support: wireless. License prerequisite: none. Term license: 5-year term.
- Wireless Upgrade. Capabilities: basic network access, guest access, profiler, posture and SGA. Network deployment support: wired, wireless and VPN. License prerequisite: Wireless license. Term license: term matches the preinstalled Wireless licenses.

HUAWEI Policy Center vs. Cisco ISE
- Cisco ISE comes in two product forms: virtual machine software and hardware appliance.
- With equivalent configurations, the TSM list price is about 5-10% lower than the average price of Cisco ISE.
- Base ISE licenses include basic network access and guest access.
- Advanced ISE licenses include profiler, posture and Security Group Access (SGA), with a validity period of 3 or 5 years.

4. Competitive Strategy

The Specialty of HUAWEI Policy Center
(Figure: eSight+TSM servers with AD/LDAP/RSA, a third-party OS patch server and a third-party AV server; endpoints reach them through wired access via switches and routers and wireless access via AC/AP.)
Specialty 1: support for multiple endpoint types, meeting the needs of mobile user access: PC (Windows/Linux/Mac), Android, iOS (iPad, iPhone); endpoint fault diagnosis.
Specialty 2: works with the network deployment to implement a variety of access controls: Portal, VPN & SSL, 802.1X, ACL & CoA.
Specialty 3: flexible user control strategy for different scenarios: user management and visitor control; authorization by location, time, role and device type; integration with the network management system.
Specialty 4: checks the security of the accessing endpoint to eliminate endpoint access risk: endpoint security check, OS patch service, update service, asset management.

VS. ISE Competitive Advantage
User management:
- Cisco ISE integrates with AD/LDAP, but only synchronizes user group information, not user account information; therefore ISE cannot configure policy per user account.
- If there is an AD domain, the Cisco ISE server must join the domain, and one ISE server only supports integration with one AD domain; multiple AD domains are not supported.
- An account in Cisco ISE cannot be bound to the access switch port/IP, VLAN and SSID.
Guest management:
- Cisco ISE does not support automatic approval of visitor accounts; manual approval by an administrator is required.
- Cisco ISE cannot present different web authentication pages based on attributes such as endpoint access site, device type or SSID; ISE only supports one web authentication page per device.
- Cisco ISE does not support customizing the web authentication page's CSS styles; only the content, such as text and pictures, can be customized.
- Cisco ISE does not support a passcode function; it only supports account + password and AD/LDAP accounts.
- Cisco ISE does not provide an API for visitor account approval that could be used to integrate with other application systems.

VS. ISE Competitive Advantage
NAC solution:
- Cisco ISE only supports 802.1X/MAB/web authentication, so the network access control solution is limited. (In addition to these, HUAWEI TSM supports the SACG (Security Access Control Gateway) scheme and a software SACG scheme based on the host firewall, adapting to the customer's network environment.)
- The 802.1X authentication of Cisco ISE has some disadvantages: all access-layer switches must support 802.1X; all endpoints must obtain their IP address from a DHCP server; deployment and management cost is very high; it is very difficult in the mobile office scenario, since the VLAN configuration on all switches must be consistent for users to access the network.
- Cisco's old NAC solution supports an out-of-band scheme in which the ACS server integrates with switch/router/AC devices through SNMP, but only Cisco's own network devices support this scheme.
- Wireless access users do not support user isolation.
Endpoint security management:
- The PC endpoint security policy in Cisco ISE is very limited. It does not support peripherals management, USB device management, illegal communications, network behaviour auditing, and so on.
- The client on iOS and Android devices only supports the VPN function; it does not support security checking.
- Cisco ISE does not support patch management, asset management, software distribution, and so on.
- Cisco ISE does not support client customization; the logo, authentication scheme, and so on cannot be customized.

5. HUAWEI Policy Center Overview

HUAWEI NAC Solution
(Figure: employees and visitors on the intranet authenticate through the Policy Center, which is integrated with OA and AD/LDAP.)
Unified authentication and authorization: unified authentication and authorization for internal and intranet users; unified access control for wired, wireless and VPN users; network access control policy based on role, device, location, time, and so on.
Security compliance: endpoints comply with the security policy; standardization of the desktop; operation behaviour audit.
Assistance: asset lifecycle management; OS patch management; remote fault diagnosis.

HUAWEI Policy Center Architecture
Clients: NAC Agent client (Windows/Linux/Mac); web agent (web auth); OS-native 802.1X client (Windows/Linux/Mac/iOS/Android).
Access devices: router, 802.1X switch, Portal switch, AC/AP, firewall.
Servers: Policy Center server (NAC server), authentication server, AAA server.

Unified Authentication
(Figure: visitors, wireless users, employees, partners, branch employees and Internet BYOD users reach the Policy Center server through switches, AP/AC, SACG, routers, VPN and the core switch; the business systems behind it include the BSS service, OA service, ERP system, CRM system and email system.)

Unified Authorization
Context: Who? (user) What? (terminal type) Where? (location) When? (date, time) How? (wired, wireless, VPN).
Host health inspection policy: AV check; patch check; account security check; software installation check; system configuration check; custom policy.
Desktop baseline configuration policy and employee behaviour monitoring: peripheral monitoring; illegal communications; network behaviour monitoring.
Isolation and repair strategy: network isolation; repair policy (prompt, fast repair).
Network access policy: VLAN; ACLs; user group.
QoS policy: IP CAR; user CAR.

Copyright © 2012 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI ENTERPRISE ICT SOLUTIONS: A BETTER WAY

