Chapter 1_Secospace Security Rationale.pdf

Jun 02, 2018
  • 8/11/2019 Chapter 1_Secospace Security Rationale.pdf

    1/33

    Huawei Symantec Technologies Co., Ltd.

Chapter 1 Secospace Security Rationale

2/33

Introduction
Secospace is an enterprise terminal information security management system developed by Huawei Symantec (HS). HS draws on its own experience in information security management and applications, and has the capability to build security systems using advanced technology and project management methods. The dominant idea of Secospace is to authenticate the identity of every user who attempts to access enterprise network resources; this compulsory security check is what protects enterprise information.


4/33

    Introduction to Terminal Security

    Background information of terminal security

    Concept behind terminal security design

5/33

Security Threats Inside the Enterprise
According to ISCA statistics:
- The global loss caused by information leakage reaches more than ten billion dollars each year.
- Internal information leakage has become the primary security concern of the enterprise.
- The internal threat rate is 60%.
Terminals are the primary source of security threats.

6/33

Enterprise Network Situation
[Diagram: an internal network (CORE NET with service systems 1-4, AV and a DMZ) reached by the terminals of services 1-4 and, from the external network, by remote terminals coming in over the Internet through VPN.]
- The user lacks security awareness.
- Security incidents occur frequently.
- Actions of the staff are difficult to manage.
- The security policy is not carried out successfully.
- The enterprise assets are difficult to count and manage.
- Mobile terminals and remote terminals bring more security threats.
- Service systems are core resources, but access to them is not managed and controlled in a centralized manner.

7/33

Overview of Terminal Security
Terminal security aims to improve the security of the internal network and of the terminals that access it. The fundamental measure of terminal security is to improve the security of the terminals themselves.
Validity check and audit of terminals:
- Preventing invalid terminals from accessing the network
- Preventing unauthenticated terminals from accessing the network
Conformity check and audit of terminals:
- Checking and auditing terminal actions to prevent potential security problems and malicious damage by the staff
- Checking and auditing terminal asset conditions to prevent information leakage and asset loss caused by asset changes

8/33

Model of Terminal Security Rationale
[Diagram: ID authentication -> security authentication -> security authorization -> authenticated access to the service system -> core resources of the internal network, with real-time monitoring and auditing alongside and a recovery loop for terminals that fail the security authentication.]
- ID authentication: invalid users are not allowed to access the network.
- Security authentication: an unsecured terminal is isolated for recovery.
- Security authorization: authenticated access to the service system and the core resources of the internal network.
- Real-time monitoring and auditing.


10/33

    Introduction to Terminal Security

    Background information of terminal security

    Concept behind terminal security design

11/33

Position of Terminal Security in a Security System
[Diagram: a guarded building as an analogy for the enterprise security system; each physical control maps to a security function.]
- Monitor: intrusion detection system
- Safe transmission: encryption and VPN
- Access control system: ID authentication and access control
- Monitoring room: security management center
- Protected room: system security and immunity
- Door: firewall
- Security guard: security check and violation audit

12/33

Terminal Security Design Model of HS
[Diagram: an access pipeline of identity authentication -> security check -> authenticated access -> monitoring, placed in front of information classified as core, sensitive and common; beside it a policy loop of stipulate policy and regulations -> carry out the policy -> check the implementation -> rectify and audit violations, closed by audit, recovery and policy modification.]
- Identity authentication: refuse unauthenticated user accounts.
- Security check: isolate and recover insecure user accounts.
- Authenticated access: authenticate the access scope (core, sensitive or common information).
- Monitoring: monitor and audit behaviors.
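The access model on slides 8 and 12 (refuse unauthenticated users, isolate insecure terminals for recovery, then grant access only within an authenticated scope and audit what happens afterwards) is easier to reason about as a decision function. The following is an added example written for this page, not code from Huawei Symantec or the Secospace product: the posture checks, policy values, user groups, scope names and the sample terminals are all constructed assumptions, and the "recovery" step only simulates what the SRS would do.

```python
"""Worked example of the terminal security model on these slides:
identity authentication -> security check -> authenticated access scope
-> monitoring and audit. Added illustration for this page, not Secospace
code; check names, policy values, groups and scopes are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    REFUSE = "refuse"    # identity authentication failed: no network access
    ISOLATE = "isolate"  # security check failed: quarantine for recovery
    GRANT = "grant"      # access granted within the authenticated scope


@dataclass(frozen=True)
class Terminal:
    """Posture as reported by the agent (constructed sample fields)."""
    user: str
    credential_ok: bool          # result of identity authentication
    av_running: bool
    missing_critical_patches: int
    software: frozenset = frozenset()


# Policy stipulated centrally (the SM's role); values are assumptions.
POLICY = {
    "max_missing_critical_patches": 0,
    "banned_software": frozenset({"p2p-client", "remote-control-tool"}),
}

# Access scope per user group: the information classes a group may reach.
# "recovery" is the isolation domain where only remediation servers are reachable.
SCOPES = {
    "staff": frozenset({"common"}),
    "finance": frozenset({"common", "sensitive"}),
    "admin": frozenset({"common", "sensitive", "core"}),
}
RECOVERY_SCOPE = frozenset({"recovery"})


def security_check(t: Terminal, policy=POLICY) -> list[str]:
    """Return the list of policy violations found on the terminal."""
    violations = []
    if not t.av_running:
        violations.append("antivirus not running")
    if t.missing_critical_patches > policy["max_missing_critical_patches"]:
        violations.append(f"{t.missing_critical_patches} critical patch(es) missing")
    banned = t.software & policy["banned_software"]
    if banned:
        violations.append("banned software: " + ", ".join(sorted(banned)))
    return violations


def decide(t: Terminal, group: str, policy=POLICY):
    """Apply the pipeline; return (decision, reachable scope, violations).

    Order matters: an unauthenticated user is refused before any posture
    data is trusted, and an insecure but authenticated terminal is isolated
    rather than refused so that it can be recovered."""
    if not t.credential_ok:
        return Decision.REFUSE, frozenset(), []
    violations = security_check(t, policy)
    if violations:
        return Decision.ISOLATE, RECOVERY_SCOPE, violations
    if group not in SCOPES:
        # Unknown group: fail closed to an empty scope rather than open.
        return Decision.GRANT, frozenset(), []
    return Decision.GRANT, SCOPES[group], []


def monitor_access(scope: frozenset, requested: str, audit: list, user: str) -> bool:
    """Monitoring step: allow a request only inside the granted scope and
    record every attempt so that violations can be audited later."""
    allowed = requested in scope
    audit.append((user, requested, "allowed" if allowed else "VIOLATION"))
    return allowed


def recover_and_recheck(t: Terminal, group: str):
    """Recovery: simulate the SRS fixing the findings, then re-run the check."""
    fixed = Terminal(t.user, t.credential_ok, True, 0,
                     t.software - POLICY["banned_software"])
    return decide(fixed, group)


if __name__ == "__main__":
    audit_log = []
    clean = Terminal("alice", True, True, 0, frozenset({"office-suite"}))
    stale = Terminal("bob", True, False, 2, frozenset({"p2p-client"}))
    for t, g in ((clean, "finance"), (stale, "staff")):
        d, scope, why = decide(t, g)
        print(t.user, d.value, sorted(scope), why)
        monitor_access(scope, "core", audit_log, t.user)
    print(audit_log)
```

The point to take from the ordering is that posture data is never consulted for a user who has not authenticated, and that failing the security check leads to isolation with a recovery path rather than a hard refusal, which is what keeps users from working around the agent.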

15/33

Secospace Architecture
[Diagram: terminal security agents on the endpoints; an 802.1X switch and an SACG in the access path; SC control servers (SC JBoss server, secondary LDAP server, secondary FTP server); an SM management server (SM JBoss server, primary LDAP server, primary FTP server, SQL Server 2005 component on the DB server) that receives violation/asset information reports and serves report views; and an upper-layer SM management server (SM JBoss server, primary LDAP server) above other SM management servers. LDAP synchronization and FTP synchronization run from the primary servers to the secondary ones.]
- The upper-layer SM management server manages multiple lower-layer SM servers.
- The SM management server functions as a gateway. It manages multiple SC control servers.
- The SC control server provides the 1+1 backup function for the agent.

16/33

Cluster Technology
[Diagram: one SM managing a cluster of SCs, each SC serving a group of SAs.]

17/33

Centralized Deployment
[Diagram: a single SM/SRS with its SCs and the service system at one site; SAs at all locations connect to those SCs.]

18/33

Distributed Deployment
[Diagram: several sites, each with its own SM/SRS, SCs and service system; SAs connect to the SCs of their own site.]

19/33

Logical Relations Between Components
[Diagram: upper-layer SM (SM/SRS, SC, MS SQL, LDAP, FTP) -> lower-layer SM (SM/SRS, SC, MS SQL, LDAP, FTP) -> SC (SC, LDAP, FTP).]

20/33

Network Layer-Based Control
[Diagram: subscriber layer, access layer, core layer and application layer, grouped as end point network, global network and system layer; SACGs enforce control between the layers; the protected domains shown are the OA domain and the BOSS domain.]

21/33

    SECO Architecture

    Secospace architecture

    Secospace components

    Secospace service process

22/33

Secospace Manager (SM)
- The SM is the core of Secospace terminal security management.
- The SM supports distributed deployment: one SM for multiple SCs.
- The SM, SC and SRS together constitute the server part of Secospace.

23/33

Secospace Controller (SC)
- The SC manages SAs according to the data configured on the SM.
- SCs are the executors of the SM's management functions: the SM makes decisions and the SCs coordinate all components to implement them.
- When a user passes the SA authentication, the SC informs the SACG to grant the user rights to access the related enterprise resources.
- The SC separates management from control in Secospace and enhances hierarchical management.

24/33

Secospace Recover Server (SRS)
- The SRS provides recovery suggestions in case of user violations and assistance with installing recovery patches.
- The SRS provides assistance for configuring terminal security for users.
- The SRS provides personalized security help for users.
- The SRS helps users query the security policies of the enterprise.

25/33

Secospace Agent (SA)
- The SA is installed on terminals that require management.
- Users are required to pass identity and security authentication through the terminal SA before accessing the enterprise core network.
- The SA checks and monitors the security status of users according to the security policy configured on the SM.
- The SA helps to monitor screens and provides remote assistance.
Security advertisement

26/33

Secospace Access Control Gateway (SACG)
- The SACG controls the rights of users to access the service servers by group, in real time.
- The SACG helps to divide the operator-level hardware platform into multiple post-authentication domains.
- Devices of three levels (300/500/1000) are provided to meet the requirements of different customers:

  Device        Concurrent users
  Eudemon300     4000
  Eudemon500    10000
  Eudemon1000   20000

- The 802.1X switch provides port-level access control.

28/33

    SECO Architecture

    Secospace architecture

    Secospace components

    Secospace service process

29/33

Secospace Service Process
- 802.1X authentication process
- SACG authentication process
- Web authentication process without agent
- Agent offline service process

30/33

Secospace Service Process
- Agent/SC server heartbeat detection process
- SACG/SC server heartbeat detection process
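The slides name the heartbeat detection processes, the agent offline process and the SC's 1+1 backup for the agent, and slide 23 says the SC tells the SACG to grant rights once the SA authentication succeeds, but they do not describe how these fit together. The following is an added example written for this page, not Secospace code, showing one consistent way to model them: the SACG holds a per-terminal post-authentication domain, the SC tracks agent heartbeats and revokes the SACG entry when an agent goes silent, and a standby SC can take over heartbeat tracking against the same SACG. The heartbeat interval, the miss threshold, the rule table layout, the domain names and the sample addresses are all assumptions.

```python
"""Agent/SC heartbeat detection and SACG rights control, modelled for this
page. Added illustration, not Secospace code; interval, threshold, rule
table and failover behaviour are assumptions."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 30      # seconds between agent heartbeats (assumed)
MISSED_BEFORE_OFFLINE = 3    # tolerated consecutive misses (assumed)


@dataclass
class SACG:
    """Access control gateway: per-terminal post-authentication domain.
    A terminal with no entry only reaches the pre-authentication domain
    (the SC, SRS and patch servers) so that it can authenticate or recover."""
    rules: dict = field(default_factory=dict)   # terminal ip -> domain name

    def grant(self, ip: str, domain: str) -> None:
        self.rules[ip] = domain

    def revoke(self, ip: str) -> None:
        self.rules.pop(ip, None)

    def domain_for(self, ip: str) -> str:
        return self.rules.get(ip, "pre-auth")


@dataclass
class Controller:
    """SC: tracks agent heartbeats and drives the SACG."""
    name: str
    sacg: SACG
    last_seen: dict = field(default_factory=dict)   # ip -> last heartbeat time
    events: list = field(default_factory=list)

    def on_authenticated(self, ip: str, group_domain: str, now: float) -> None:
        # After the SA reports a successful authentication the SC opens the
        # user's group domain on the SACG (slide 23).
        self.last_seen[ip] = now
        self.sacg.grant(ip, group_domain)
        self.events.append((now, ip, f"granted {group_domain}"))

    def on_heartbeat(self, ip: str, now: float) -> None:
        self.last_seen[ip] = now

    def sweep(self, now: float) -> list:
        """Detect agents whose heartbeats stopped and revoke their rights.
        Called periodically; returns the terminals taken offline."""
        deadline = HEARTBEAT_INTERVAL * MISSED_BEFORE_OFFLINE
        offline = [ip for ip, t in self.last_seen.items() if now - t > deadline]
        for ip in offline:
            # Fail closed: an agent we cannot hear from may have been killed
            # or the host swapped, so it drops back to the pre-auth domain.
            self.sacg.revoke(ip)
            del self.last_seen[ip]
            self.events.append((now, ip, "offline, rights revoked"))
        return offline


def take_over(standby: Controller, ip: str, now: float) -> str:
    """1+1 backup: when the primary SC is unreachable the agent re-registers
    with the standby SC, which resumes heartbeat tracking. Both SCs front the
    same SACG, so the existing rule is kept rather than re-issued."""
    standby.last_seen[ip] = now
    return standby.sacg.domain_for(ip)


def simulate() -> dict:
    """Constructed scenario: two agents authenticate; one keeps beating, the
    other goes silent and loses its rights at the next sweep."""
    sacg = SACG()
    sc = Controller("SC-1", sacg)
    sc.on_authenticated("10.0.0.11", "finance-domain", now=0)
    sc.on_authenticated("10.0.0.12", "staff-domain", now=0)
    for t in (30, 60, 90, 120):
        sc.on_heartbeat("10.0.0.11", t)       # 10.0.0.12 stays silent
    sc.sweep(now=120)
    return {ip: sacg.domain_for(ip) for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13")}


if __name__ == "__main__":
    print(simulate())
```

The design choice worth noting is that loss of the heartbeat fails closed: the terminal is returned to the pre-authentication domain, where it can still reach the SC and SRS to re-authenticate or recover, rather than being left with its last granted rights.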

31/33

Secospace Service Process
- Patch management service process
- Violation reporting process
- Version upgrade/mandatory upgrade process
- Transfer-on-invalid service process
