8/11/2019 Chapter 1_Secospace Security Rationale.pdf
1/33
Huawei Symantec Technologies Co., Ltd.
Chapter 1 Secospace Security Rationale
Introduction

Secospace is an enterprise terminal information security management system developed by Huawei Symantec (HS). HS has extensive experience in information security management and its application, and the capability to develop security systems using advanced technology and project management methods. The dominant idea of Secospace is to authenticate the identity of every user who attempts to access enterprise network resources; this compulsory security check ensures enterprise information security.
Introduction to Terminal Security
Background information of terminal security
Concept behind terminal security design
Security Threats Inside the Enterprise

According to ISCA statistics:
- The global loss caused by information leakage reaches more than ten billion dollars each year.
- Internal information leakage has become the primary security concern of the enterprise.
- The internal threat rate is 60%.

Terminals are primary sources of security threats.
Enterprise Network Situation

[Diagram: external network (Internet, VPN) and internal network (core net, DMZ, AV, service systems 1 to 4 and the terminal of each service)]

- The user lacks security awareness.
- Security incidents occur frequently.
- Actions of the staff are difficult to manage.
- The security policy is not carried out successfully.
- The enterprise assets are difficult to count and manage.
- Mobile terminals and remote terminals bring more security threats.
- Service systems are core resources, but access to service systems is not managed and controlled in a centralized manner.
Overview of Terminal Security

Terminal security aims to improve the security of the internal network and of the terminals that access it. The fundamental measure of terminal security is to improve the security of the terminals themselves.

- Validity check and audit of terminals: preventing invalid terminals from accessing the network; preventing unauthenticated terminals from accessing the network.
- Conformity check and audit of terminals: checking and auditing terminal actions to prevent potential security problems and malicious damage by the staff; checking and auditing terminal asset conditions to prevent information leakage and asset loss caused by asset changes.
Model of Terminal Security Rationale

[Diagram: ID authentication -> security authentication -> security authorization -> authenticated access to the service system (core resources of the internal network), under real-time monitoring and auditing]

- Invalid users are not allowed to access the network.
- Unsecured terminals are isolated for recovery.
Introduction to Terminal Security
Background information of terminal security
Concept behind terminal security design
Position of Terminal Security in a Security System

[Diagram: the security system compared to a guarded building]
- Monitor: intrusion detection system
- Safe transmission: encryption and VPN
- Access control system: ID authentication and access control
- Monitoring room: security management center
- Protected room: system security and immunity
- Door: firewall
- Security guard: security check and violation audit
Terminal Security Design Model of HS

[Diagram: information is classed as core, sensitive, or common; access passes through identity authentication, security check, and authenticated access, under monitoring, audit, and recovery]

- Refuse unauthenticated user accounts.
- Isolate and recover insecure user accounts.
- Authenticate the access scope.
- Monitor and audit behaviors.

Policy cycle: stipulate policy and regulations -> carry out the policy -> check the implementation -> rectify and audit violations -> policy modification.
Secospace Architecture

[Diagram: terminal security agents connect through the SACG or an 802.1X switch to SC control servers (SC JBOSS server, secondary LDAP server, secondary FTP server); the SC control servers report to the SM management server (SM JBOSS server, primary LDAP server, primary FTP server, SQL Server 2005 DB server); LDAP synchronization and FTP synchronization run between the SM and SC servers; violation and asset information is reported upward and reports are viewed at the SM; an upper-layer SM management server sits above the other SM management servers]

- The upper-layer SM management server manages multiple lower-layer SM servers.
- The SM management server functions as a gateway. It manages multiple SC control servers.
- The SC control server provides the 1+1 backup function for the agent.
Cluster Technology

[Diagram: one SM above four SCs, each SC serving its SAs]
Centralized Deployment

[Diagram: one SM/SRS with several SCs and their SAs at a single site, alongside the service system]
Distributed Deployment

[Diagram: several sites, each with its own SM/SRS, SCs, SAs and service system]
Logical Relations Between Components

[Diagram: upper-layer SM (SM/SRS, SC, MS SQL, LDAP, FTP) above a lower-layer SM (SM/SRS, SC, MS SQL, LDAP, FTP), which in turn manages SCs (SC, LDAP, FTP)]
Network Layer-Based Control

[Diagram: subscriber layer, access layer, core layer and application layer; SACGs separate the end point network from the global network and the system layer, which contains the OA domain and the BOSS domain]
SECO Architecture
Secospace architecture
Secospace components
Secospace service process
Secospace Manager (SM)

- The SM is the core of Secospace terminal security management.
- The SM supports distributed deployment: one SM for multiple SCs.
- The SM, SC, and SRS together constitute the server part of Secospace.
Secospace Controller (SC)

- The SC manages SAs according to the data configured by the SM.
- SCs are the executors of the various management functions of the SM: the SM makes decisions and the SCs coordinate all components to implement them.
- When a user passes the SA authentication, the SC informs the SACG to grant the user rights to access the related enterprise resources.
- The SC separates the management and the control of Secospace and enhances hierarchical management.
Secospace Recover Server (SRS)

- The SRS provides recovery suggestions in case of user violations and assistance with the installation of recovery patches.
- The SRS provides assistance for configuring terminal security for users.
- The SRS provides personalized security help for users.
- The SRS helps to query the security policies of the enterprise.
Secospace Agent (SA)

- The SA is installed on terminals that require management.
- Users are required to pass identity and security authentication through the terminal SA before accessing the enterprise core network.
- The SA checks and monitors the security status of users according to the security policy configured by the SM.
- The SA helps to monitor screens and provides remote assistance.
- Security advertisement
Secospace Access Control Gateway (SACG)

- The SACG controls the rights of users to access the service servers, by group and in real time.
- The SACG helps to divide the operator-level hardware platform into multiple post-authentication domains.
- Devices of three levels (300/500/1000) are provided to meet the requirements of different customers:
  Eudemon300: 4000 concurrent users
  Eudemon500: 10000 concurrent users
  Eudemon1000: 20000 concurrent users
- An 802.1X switch provides port-level control services.
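The SC and SACG slides above, together with the rationale model (identity authentication, security check, then group-based authorization, with unsecured terminals isolated for recovery), describe a decision flow that is easier to see in code. The following is an added illustration, not Huawei Symantec code and not the Secospace implementation: the SA report fields, the policy the SM configures, the SC decision logic, the SACG stand-in, and all user, group and domain names are constructed assumptions made only for this example.

```python
"""Toy model of the admission decision described on the SC and SACG slides.
Added example, not Huawei Symantec code. All policy data, user names, group
names and domain names are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"        # identity authentication failed: no network access at all
    ISOLATE = "isolate"  # identity passed, security check failed: recovery domain only
    GRANT = "grant"      # both passed: the user's group rights are pushed to the SACG


@dataclass(frozen=True)
class TerminalReport:
    """What the Secospace Agent (SA) reports for one terminal (constructed fields)."""
    user: str
    password_ok: bool          # outcome of identity authentication
    antivirus_updated: bool    # posture attributes examined by the security check
    patches_installed: bool
    usb_storage_disabled: bool


@dataclass
class SmPolicy:
    """Policy data the SM configures and the SC enforces (constructed)."""
    group_of_user: dict       # user -> group
    required_checks: dict     # group -> set of TerminalReport attributes that must be True
    domains_of_group: dict    # group -> post-authentication domains the SACG opens
    recovery_domain: str = "SRS"   # only destination reachable by an isolated terminal


class Sacg:
    """Stand-in for the SACG: per-user allowed domains, rewritten by the SC in real time."""
    def __init__(self):
        self.acl = {}

    def set_rights(self, user, domains):
        self.acl[user] = frozenset(domains)

    def allows(self, user, domain):
        return domain in self.acl.get(user, frozenset())


def sc_decide(report, policy):
    """SC decision for one SA report: (decision, list of failed posture checks)."""
    if not report.password_ok or report.user not in policy.group_of_user:
        return Decision.DENY, []          # invalid user: refused outright
    group = policy.group_of_user[report.user]
    failed = sorted(check for check in policy.required_checks.get(group, set())
                    if not getattr(report, check))
    if failed:
        return Decision.ISOLATE, failed   # unsecured terminal: isolated for recovery
    return Decision.GRANT, []


def sc_apply(report, policy, sacg):
    """Decide, then instruct the SACG which domains the user may now reach."""
    decision, failed = sc_decide(report, policy)
    if decision is Decision.GRANT:
        domains = policy.domains_of_group[policy.group_of_user[report.user]]
    elif decision is Decision.ISOLATE:
        domains = {policy.recovery_domain}
    else:
        domains = set()
    sacg.set_rights(report.user, domains)
    return decision, failed


# Constructed sample policy: a finance group with strict checks, an OA group with one check.
POLICY = SmPolicy(
    group_of_user={"alice": "finance", "bob": "oa"},
    required_checks={
        "finance": {"antivirus_updated", "patches_installed", "usb_storage_disabled"},
        "oa": {"antivirus_updated"},
    },
    domains_of_group={"finance": {"OA domain", "BOSS domain"}, "oa": {"OA domain"}},
)

# Constructed SA reports: a compliant user, a non-compliant user, and a failed login.
REPORTS = [
    TerminalReport("alice", True, True, True, True),
    TerminalReport("bob", True, False, True, True),
    TerminalReport("mallory", False, True, True, True),
]


def run_demo():
    """Process every report through one SC and one SACG; return decisions and the SACG."""
    sacg = Sacg()
    results = {r.user: sc_apply(r, POLICY, sacg) for r in REPORTS}
    return results, sacg


if __name__ == "__main__":
    results, sacg = run_demo()
    for user, (decision, failed) in results.items():
        print(f"{user}: {decision.value} {failed} -> {sorted(sacg.acl[user])}")
```

The three outcomes map onto the rationale model: a failed identity check yields no rights at all, a failed security check leaves only the recovery domain open so the SRS can assist remediation, and a re-check after remediation replaces the recovery rights with the group's post-authentication domains. Keeping the posture requirements per group in the SM policy, rather than in the agent, is what lets the SC apply the same rules to every SA it manages.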
SECO Architecture
Secospace architecture
Secospace components
Secospace service process
Secospace Service Process

- 802.1X authentication process
- SACG authentication process
- Web authentication process without agent
- Agent offline service process
Secospace Service Process

- Agent/SC server heartbeat detection process
- SACG/SC server heartbeat detection process
Secospace Service Process

- Patch management service process
- Violation reporting process
- Version upgrade/mandatory upgrade process
- Transfer-on-invalid service process