
Slide 1: Huawei Policy Center Sales Guide (2014/5/7)

Slide 2: Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis
4. Bidding Support

Slide 3: Policy Center Evolution
Terminal Security Management (TSM)
- Positioning: traditional NAC market
- Function: secure access control for enterprise terminals and desktop management
- Scenario: fixed terminal management and control
Software upgrade to Policy Center
- Positioning: campus/BYOD policy center
- Function: context-aware access control (wired and wireless convergence), visitor management, terminal identification, and health check
- Scenario: access by a large number of terminals; policy engine

Slide 4: Policy Center Overview
Policy Center = Unified authentication + Refined policy management + Terminal identification + Visitor management + Terminal security
Diagram: access switches, enterprise APs, the Internet, public radio, and VPN remote access provide wired access (the original function) and wireless access.
- Unified authentication for multiple access modes (wired, wireless, BYOD, fixed, and VPN)
- Refined policy management across six dimensions: When, Who, Where, What, Whose, and How
- Visitor management system
- Terminal identification
- Terminal security, including mobile storage device management

Slide 5: 1. Access Authentication
Diagram: visitors, employees, and partners connect through switches, APs, and ACs to the core switch, behind which the BSS, ERP, CRM, and mail systems sit.
Only authenticated terminals are allowed to access the network. 802.1x, MAC address, and Portal authentication modes are supported.

Slide 6: 2. Refined Policy Management: 5W1H-based Context Awareness
Diagram: employees and visitors, using enterprise devices or BYOD devices, access the network from the campus, the R&D area, headquarters, or while on a business trip, during on-duty or off-duty time.

User Group (Who) | Device Type (What) | Device Attribute (Whose) | Access Point (Where) | Access Mode (How) | Access Time (When) | Available Resources
R&D | PC | Enterprise | R&D area | Wired | 24 hours | R&D resources
R&D | Mobile phone | Private | Non-R&D area | Wired | - | None
R&D | Mobile phone | Private | Non-R&D area | Wireless | 21:00-08:00 | Internet
HR | PC | Enterprise | Non-R&D area | Wired and wireless | 24 hours | HR resources
Visitor | Mobile phone | Private | Non-R&D area | Wired and wireless | 08:00-20:00 | Internet

Refined policy management: multi-dimensional authentication and authorization.
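The 5W1H table above evaluated as a small policy engine, as an added example that is not part of the original deck: the rules are the slide's rows, and the rule order, the treatment of the blank time cell, midnight-wrapping time windows, and default deny are assumptions of this example rather than documented Policy Center behaviour.

```python
"""5W1H context-aware policy evaluation (added example, not Huawei code).
Each rule carries the six dimensions from the slide (who, what, whose,
where, how, when) and the resources a matching request receives."""
from dataclasses import dataclass


@dataclass
class Rule:
    who: str         # user group
    what: str        # device type
    whose: str       # device attribute: "Enterprise" or "Private"
    where: str       # access point / area
    how: frozenset   # permitted access modes
    when: str        # "24 hours" or an "HH:MM-HH:MM" window
    resources: str   # what a match grants; "None" grants nothing


# The slide's table rows. The second row has a blank time cell on the
# slide; it is treated as "24 hours" here (assumption) since it grants nothing.
POLICY = [
    Rule("R&D", "PC", "Enterprise", "R&D area",
         frozenset({"Wired"}), "24 hours", "R&D resources"),
    Rule("R&D", "Mobile phone", "Private", "Non-R&D area",
         frozenset({"Wired"}), "24 hours", "None"),
    Rule("R&D", "Mobile phone", "Private", "Non-R&D area",
         frozenset({"Wireless"}), "21:00-08:00", "Internet"),
    Rule("HR", "PC", "Enterprise", "Non-R&D area",
         frozenset({"Wired", "Wireless"}), "24 hours", "HR resources"),
    Rule("Visitor", "Mobile phone", "Private", "Non-R&D area",
         frozenset({"Wired", "Wireless"}), "08:00-20:00", "Internet"),
]


def _minutes(hhmm):
    """Parse "HH:MM" into minutes since midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def in_window(now, window):
    """True if the "HH:MM" time `now` lies in `window`. A window whose end
    is earlier than its start (e.g. 21:00-08:00) wraps across midnight;
    the start is inclusive and the end exclusive."""
    if window == "24 hours":
        return True
    start, end = (_minutes(part) for part in window.split("-"))
    t = _minutes(now)
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def authorize(who, what, whose, where, how, now):
    """Return the resources granted to a request, or "None" when no rule
    matches all six dimensions (default deny, an assumption here)."""
    for rule in POLICY:
        if (rule.who, rule.what, rule.whose, rule.where) != (who, what, whose, where):
            continue
        if how not in rule.how or not in_window(now, rule.when):
            continue
        return rule.resources
    return "None"


if __name__ == "__main__":
    # Constructed requests: an R&D engineer's private phone on wireless in a
    # non-R&D area, first off duty (Internet) and then during working hours (None).
    print(authorize("R&D", "Mobile phone", "Private", "Non-R&D area", "Wireless", "23:30"))
    print(authorize("R&D", "Mobile phone", "Private", "Non-R&D area", "Wireless", "10:00"))
```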

Slide 7: 3. Intelligent Terminal Identification
Policy Center: the authentication packet carries the terminal type information.
Terminal-based policies for the same account: different policies are applied to the same account based on the type of terminal, implementing fine-grained rights control.
AP (terminal-based service policies): customizes authentication pages based on terminal type, and delivers different service policies, such as VLAN, ACL, and bandwidth limiting policies, based on terminal type.
Switch and AC (policy delivery based on terminal type): deliver service policies, such as VLAN, ACL, bandwidth limiting, and user isolation policies, based on the reported terminal type.
Terminal identification methods:
- Obtains vendor OUI information from MAC addresses.
- Obtains vendor information from DHCP packets.
- Obtains the terminal's operating system, IE browser, and terminal type information from HTTP packets.
Covers traditional terminals, smart terminals, and dumb terminals, with more than 200 terminal identification templates and various types of probes.

Slide 8: 4. Visitor Management
Visitor operations: customized enterprise portal; location- and terminal-based page pushing.
Visitor management:
- Registration: employee application; self-service application
- Approval: automatic approval; administrator approval; receptionist approval
- Distribution: SMS; email; web
- Authentication: user name/password; passcode; isolation based on VLAN or ACL
- Auditing and deregistration: login/logoff auditing; automatic deregistration after expiration; scheduled account deregistration
Full lifecycle management of visitor accounts, with approval or approval-free workflows.

Slide 9: 5. Terminal Security: Health Check
Policy templates shown in the diagram:
- Security Policy Template for Formal Employees: password complexity check, unauthorized connection monitoring, web access monitoring, antivirus software monitoring, and mobile storage device monitoring.
- Policy Template for Temporary Employees and Policy Template for Temporary Office: lighter subsets of the same checks (the diagram shows password complexity check, unauthorized connection monitoring, mobile storage device monitoring, and antivirus software monitoring).
Check flow: if the security check fails, network access is prohibited and records about the unauthorized access are reported to the TSM server. If the security check succeeds, network access to the post-authentication domain is permitted.
Template distribution based on the user type: many policy templates can be created to meet the needs of different types of users. For example, formal employees require a security template with high security requirements, while temporary employees require a template with low security requirements.

Slide 10: 5. Terminal Security: Behavior Monitoring
Auditing and monitoring:
- Network behavior auditing: web access; network application; network connection
- Employee operation auditing: policy management; user management; approval management
- Terminal file auditing: create files; copy files; rename or delete files
- Peripheral use auditing: USB installation or removal; USB file; use of other peripherals
Establishes a 7 x 24 auditing and monitoring mechanism to ensure real-time processing of violation activities. The whole process is recorded, so violating operations are traceable.

Slide 11: Contents
1. Overview
2. Functions and Specifications (current section)
3. Competition Analysis
4. Bidding Support

Slide 12: Identity Authentication, Connection with Mainstream Data Sources
A mature enterprise has a unified user information system. Enterprise CIOs are concerned about whether the access control system can smoothly connect to the existing user information system.
The system supports multiple Extensible Authentication Protocol (EAP) methods and can connect to mainstream AD, LDAP, RADIUS, and dynamic token systems. It supports synchronization on demand or by filtering criteria to meet specific customer requirements.
Authentication protocols supported by external data sources (columns on the slide: Self-built Account, AD, LDAP, RADIUS Token, RADIUS Relay; the slide's cell values are listed in order for each row):
- PAP: YES; Depending on the external system
- CHAP: YES; NO; Depending on the external system
- EAP-PEAP-MSCHAPV2: YES; NO; Depending on the external system
- EAP-MD5: YES; NO; Depending on the external system
- EAP-TLS: YES; NO; Depending on the external system
- EAP-TTLS-PAP: YES; Depending on the external system
- EAP-PEAP-GTC: YES; Depending on the external system
The web, web agent, or agent authentication mode for an account is determined by the account attribute.

Slide 13: Comprehensive Access Control, Applicable to Multiple Types of Networks
- MAC address authentication: the authentication server authenticates terminals based on their MAC addresses. It applies to dumb terminals such as IP phones and printers.
- 802.1x authentication: clients, devices, and authentication servers exchange authentication messages using EAP. It supports association with all series of Huawei switches, routers, and WLAN devices, and with third-party standard 802.1x switches.
- Portal authentication: users enter their user names and passwords on the web authentication page for identity authentication. It is also called web authentication. It supports association with all series of Huawei switches, routers, and WLAN devices.
- SACG authentication: the USG firewall is connected to a router or switch in bypass mode and controls terminal access through policy-based routing.
Diagram: an office area (VLAN1, SSID1), a guest area (VLAN2, SSID2), and dumb terminals, each served by one of the four authentication modes.

Slide 14: Senseless Authentication: One-time Authentication for Multiple Times of Access
Components: user, AP, AC, and Policy Center (Portal server and RADIUS server).
- Portal server: stores the web authentication page, provides the page customization function, and connects to the AC.
- RADIUS server: stores user names, passwords, and user policies, connects to the AC, and records the MAC addresses of users.
Wireless access, initial Portal + MAC authentication:
1. The wireless user initiates a web authentication request.
2. The Portal server sends the authentication request to the AC.
3. The AC initiates RADIUS authentication and sends the user name, password, and terminal MAC address to the RADIUS server.
4. The RADIUS server performs the authentication and records the terminal MAC address.
Subsequent access, automatic MAC authentication: after the initial access, the RADIUS server performs only MAC address authentication on wireless users. Users are not aware of the authentication process.
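The server side of the one-time-Portal-then-MAC flow, as an added example that is not Huawei's code: it keeps the user store and the recorded MAC bindings the slide describes, and adds a binding lifetime (TTL) and salted password hashing, which are assumptions of this example rather than stated Policy Center behaviour.

```python
"""RADIUS-side model of "authenticate once, then MAC-only" (added example,
not Huawei code). First access: user name + password + MAC are verified and
the MAC is recorded. Later access: the MAC alone is checked. The binding
TTL and the password hashing are assumptions of this example."""
import hashlib
import hmac
import os


class RadiusServer:
    def __init__(self, binding_ttl=8 * 3600):
        self.users = {}        # name -> (salt, sha256(salt + password))
        self.bindings = {}     # mac -> (user name, time recorded)
        self.binding_ttl = binding_ttl   # seconds a MAC binding stays valid

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def _check_password(self, name, password):
        if name not in self.users:
            return False
        salt, digest = self.users[name]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(digest, candidate)

    def portal_auth(self, name, password, mac, now):
        """Initial access (steps 3 and 4 on the slide): the AC forwards user
        name, password and MAC; on success the MAC is recorded for later
        MAC-only authentication."""
        if not self._check_password(name, password):
            return False
        self.bindings[mac.lower()] = (name, now)
        return True

    def mac_auth(self, mac, now):
        """Subsequent access: authenticate by MAC only. Returns the bound
        user name, or None if the MAC is unknown or the binding expired."""
        entry = self.bindings.get(mac.lower())
        if entry is None:
            return None
        name, recorded = entry
        if now - recorded > self.binding_ttl:
            del self.bindings[mac.lower()]   # stale binding is dropped
            return None
        return name


def demo():
    """Constructed walk-through with a one-hour TTL; returns each outcome."""
    srv = RadiusServer(binding_ttl=3600)
    srv.add_user("alice", "correct horse")          # constructed account
    first = srv.portal_auth("alice", "correct horse", "AA:BB:CC:00:11:22", now=0)
    later = srv.mac_auth("aa:bb:cc:00:11:22", now=600)     # within TTL
    expired = srv.mac_auth("aa:bb:cc:00:11:22", now=4000)  # past TTL
    return first, later, expired
```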

Slide 15: Full Lifecycle Visitor Management and Customized Portal Push
Portal page customization: supports portal page customization to provide enterprises with tailored pages, improving the enterprise image.
Location-based information push: supports location-based (SSID and AP) information push.
Full lifecycle management of visitor accounts: supports visitor account registration, approval, distribution, and deregistration. Provides approval and approval-exemption workflows and visitor authentication APIs to integrate with service systems.
- Employee application
- Self-service application
- Batch application
- Automatic and employee approval
- SMS, email, and web notifications
- User name/password authentication and passcode authentication
- Automatic deregistration after expiration
- Scheduled account deregistration
(Screenshot: sample customized portal page showing news headlines and links to apps such as WeChat, Fetion, and Weibo.)

Slide 16: Comprehensive Terminal Protection Policies
Four policy areas:
- System hardening: unified security baseline for system hardening
- Security protection: enhanced security protection measures
- Data leak prevention: optimized data leak prevention mechanism
- Behavior management: centralized management and control of employee behaviors
Items covered across these areas: screen protection settings, sharing settings, account security, registry settings, system patches, application patches, antivirus software, system processes, software blacklist and whitelist, system ports, ARP attack defense, peripheral devices, mobile storage devices, file operations, unauthorized external connections, screenshots, web access, network applications, IP access, and network traffic.
Key capabilities:
► System hardening policy management
► Security protection policy management
► Data leak prevention policy management
► Terminal behavior policy management

Slide 17: Desktop Management Automation: Desktop Maintenance Protection Policies
- Software distribution (software classification and management; unified software distribution center): distributed software distribution, resumable download, distribution status report, forcible execution, unattended installation
- Patch management (centralized patch management): WSUS patch linkage, patch policy management, distributed patch distribution, system vulnerability statistics, system vulnerability restoration
- User service (optimized user desktop experience): instant messages, automatic alarm notification, remote assistance, fault diagnosis and rectification, portal push
- Asset management (full lifecycle asset management): asset registration, asset information collection, asset information statistics, asset change discovery, asset change alarm, asset change auditing
Key capabilities:
► Full lifecycle asset management
► Message push center
► Fault diagnosis and rectification on the client
► Patch management center and software distribution center

Slide 18: Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis (current section)
4. Bidding Support

Slide 19: Overcome Competitors with the Visitor Management Solution
Emphasize that Huawei provides a comprehensive visitor management solution (wireless access + authentication + traffic isolation/authorization + auditing + visitor account management + advertisement placement).
Visitor traffic isolation (prevents security threats brought by visitors who connect to the Internet from the campus network):
- HW: Huawei uses general technologies such as GRE and VRF to isolate visitor traffic, so no additional devices need to be deployed.
- Cisco: uses EoIP to isolate visitor traffic. An additional anchor AC needs to be deployed, which increases the customer's investment.
- H3C: does not provide a traffic isolation solution.
- Strategy: some enterprise networks see little visitor access, and the enterprise is unwilling to build an independent visitor management system because of a limited capital budget. In this case, you can advise the customer to build a wireless network without the visitor management system. Visitors can be allocated dedicated SSIDs, WPA2 accounts, and passwords to access the network. This may lead to the following problems: 1. visitor traffic and employee traffic are not isolated, which brings security threats; 2. visitor accounts are not managed in a unified manner, which makes maintenance and auditing difficult; 3. network access auditing is not supported, which does not meet the requirements of public security authorities. Advise the customer to deploy the visitor management system later.
Online behavior management and auditing:
- HW: Huawei Policy Center can be associated with ASGs to implement online behavior management and auditing based on visitor identity. Meanwhile, the ASGs can function as GRE tunnel endpoints for visitor traffic isolation.
- Cisco: the Cisco solution does not support online behaviour management and auditing and cannot meet security requirements.
- H3C: does not support online behaviour management and auditing and cannot meet security requirements.

Slide 20: Network Architecture
Function: compatible with the majority of mainstream vendor networks
- H3C: offers 802.1x and Portal authentication on H3C series switches only.
- Cisco: Cisco ISE supports 802.1x authentication for standard 802.1x switches only, and uses a proprietary OOB protocol.
- Customer benefit: there is no need to upgrade or replace a large number of devices on the live network, protecting the customer's investment.
- Strategy: use Policy Center to make a breakthrough on networks dominated by competitor devices and replace those devices step by step.
Function: SACG networking
- H3C and Cisco: not supported.
- Customer benefit: the change to the network architecture is small, and delivery and maintenance are simple. Firewalls can be added to a complex, large-scale network in bypass mode, minimizing network architecture changes.
- Strategy: use this advantage to make customers replace competitor devices.

Slide 21: User Account
Function: authenticating AD/LDAP accounts from multiple domains
- H3C and Cisco: not supported.
- Customer benefit: only one set of Policy Center is required in scenarios with multiple domains.
- Strategy: recommend this function in scenarios with multiple AD/LDAP domains.
Function: binding user accounts to switch ports, IP addresses, VLANs, or SSIDs
- H3C: supported. Cisco: not supported.
- Customer benefit: binding is automatic, which simplifies maintenance and improves security.

Slide 22: Policy Engine and Authorization
Function: authorization control based on terminal type and asset type
- H3C: not supported. Cisco: supported.
- Customer benefit: with intelligent terminal identification, company-owned devices and BYOD devices can have different access rights.
- Strategy: recommend this function in BYOD scenarios.
Function: pushing web authentication pages based on access location, device type, and SSID
- H3C and Cisco: not supported.
- Customer benefit: different login pages and information are pushed to users flexibly, which can provide value-added services.
- Strategy: this function is mandatory in hotels, shopping malls, and scenic areas where Internet surfing and other value-added services are required.
Function: flexible visitor management, with APIs for connection to service systems
- H3C and Cisco: not supported.
- Customer benefit: it can integrate with existing systems to reduce the customer's investment.
- Strategy: the visitor API can be integrated with tickets or VIP cards in scenic areas, and with queue management systems in banks, to print visitor accounts and passwords.

Slide 23: Comprehensive Terminal Security Policies: Security Hardening and Behavior Management
Function: managing peripherals, USB flash drives, and unauthorized external connections, and auditing online behaviour
- H3C: supported. Cisco: not supported.
- Customer benefit: the customer does not need a third-party desktop security management system, because Policy Center integrates security management functions.
- Strategy: recommend this function when intranet security management is required. Advocate Huawei's information security practices.
Function: extensible and self-defined terminal security policies
- H3C and Cisco: not supported.
- Customer benefit: no secondary development is required, because the customer can flexibly define security check policies themselves.
- Strategy: if the customer has high security requirements, use Policy Center to define the security check policies.
Function: mobile storage device management; USB disk authorization based on the user or device; USB disk encryption (SM algorithm)
- H3C: weak. Cisco: not supported.
- Customer benefit: data leaks caused by USB copying can be prevented. Access rights are granted based on the user or device, without affecting normal services.
- Strategy: applies to scenarios with high data leak risks, such as banks. Overcomes competitors with flexible authorization and the SM algorithm.
Function: location-based terminal security control policies
- H3C and Cisco: not supported.
- Customer benefit: the customer can flexibly manage and control terminal security policies.
- Strategy: standard security policies can be used in offices. Monitoring is not required when SOHO users access the network without a VPN. Monitoring policies are required for remote VPN access to prevent data leaks.

Slide 24: Contents
1. Overview
2. Functions and Specifications
3. Competition Analysis
4. Bidding Support (current section)

Slide 25: 1. Functional Components and License

Slide 26: 2. Server Configuration (Database Hot Backup Not Required)
1. Huawei server: customers can purchase Huawei RH2288 servers. Place the order in Unistar. Configuration: Tecal RH2288 V2 (2 x E5-2640 CPU; 8 GB memory; 3 x 300 GB SAS hard disks).
2. Third-party server: customers can use third-party servers. Customers need to purchase the hardware and software (Windows Server 2008). If customers use virtual machines, the virtual machines must meet the minimum configuration requirements (CPU 2 GB; memory 8 GB).
3. Server quantity: Unistar automatically calculates the number of required servers based on the license quantity, as follows:
- Fewer than 5000 users: one server (SM + SC + DB); no redundancy required.
- 5000 to 10000 users: two servers (1 SM + 2 SC + 1 DB); redundancy required.
- More than 10000 users: one additional server for every further 10000 users.

Slide 27: 3. Server Configuration (Database Hot Backup Required)
1. Three database servers are required: if database hot backup is required at a site, at least three servers must be deployed there, each with a database installed. The three servers act as the primary database, secondary database, and monitor database respectively.
2. Server quantity: if database hot backup is required, select at least three servers (with database installed) in Unistar.
- Fewer than 5000 users: three servers with database installed.
- More than 10000 users: three servers with database installed, plus one additional server for every further 10000 users.

Slide 28: 4. Customization and Development Fees
SMS gateway customization: Policy Center can send short messages through an SMS modem or a carrier's SMS gateway. By default, Policy Center can only connect to the SMS gateways of China Unicom, China Mobile, and China Telecom. Connecting Policy Center to other carriers' SMS gateways requires customization. If the visitor management component is configured, the customer needs to purchase the SMS gateway customization service.
Portal page customization: Policy Center supports customization of authentication and registration pages and provides default authentication and registration page templates. Administrators can set parameters in the templates or modify the HTML code to change the page styles. If customers want R&D personnel to complete the page customization, they must provide information about their preferred styles or images. R&D personnel charge for this service based on the number of pages required.
Fee items:
- FEE-SMS: customization and development fee for the SMS gateway
- FEE-PAGE: customization and development fee for the Portal page (per page)
(Figure: Portal customization example.)

Slide 29: Unified Entry for Policy Center Documents
http://3ms.huawei.com/hi/EnterpriseBG_connect/Network_OSS_PolicyCenter_index.html

Slide 30: Project Support Personnel
Project support (technical enquiry, bidding, solution, customer communication, and training), regional contact persons:
- Upgrade MSE: Zengfanlei/66568
- MO: Xiongtun/239064
- SPDT manager: Wangshaoshen/162705

Slide 31: Copyright © 2013 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI ENTERPRISE ICT SOLUTIONS: A BETTER WAY

Slide 32: Policy Center Cluster and Hot Backup Configuration
Diagram: SM; SC 1, SC 2, and SC 3; SQL Server (primary), SQL Server (secondary), and SQL Server (monitor); clients.
- Client: connects to server 1 when it works properly, and to another server when server 1 is faulty. All the servers use the same database.
- Client: selects a server based on the server weight.
- One SC server can serve 10000 concurrent users. SC servers can be added for future expansion.
- When a user agent detects that the primary server in the current area is faulty or unavailable, it automatically associates with the primary server.
- The SM and SC can be installed on the same server. The database can be installed on the same server as the SM and SC.
- To support database hot backup, three servers are required.

