
Huawei Symantec Technologies Co., Ltd.

Chapter 1: Secospace Security Rationale
Introduction
Secospace is an enterprise terminal information security management system developed by Huawei Symantec (HS). HS has experience in information security management and its application, and the capability to develop security systems using advanced technology and project management methods. The dominant idea of Secospace is to authenticate the identity of every user who attempts to access enterprise network resources; this compulsory security check ensures enterprise information security.
Objective
- Rationale of the SECO
- Concept of terminal security
Introduction to Terminal Security
- Background information of terminal security
- Concept behind terminal security design
Security Threats Inside the Enterprise
According to ISCA statistics:
- The global loss caused by information leakage reaches more than ten billion dollars each year.
- Internal information leakage has become the primary security concern of the enterprise.
- The internal threat rate is 60%.
- Terminals are the primary sources of security threats.
Enterprise Network Situation
[Diagram: core network, Internet, VPN links, DMZ, AV, external and internal network, service systems 1 to 4 and the terminal of each service.]
Callouts in the diagram:
- The user lacks security awareness.
- Security incidents occur frequently.
- Actions of the staff are difficult to manage.
- The security policy is not carried out successfully.
- The enterprise assets are difficult to count and manage.
- Mobile terminals and remote terminals bring more security threats.
- Service systems are core resources, but access to service systems is not managed and controlled in a centralized manner.
Overview of Terminal Security
Terminal security aims to improve the security of the internal network and of the terminals that access it. The basic measure of terminal security is to improve the security of the terminals themselves.
- Validity check and audit of terminals
  - Preventing invalid terminals from accessing the network
  - Preventing unauthenticated terminals from accessing the network
- Conformity check and audit of terminals
  - Checking and auditing terminal actions to prevent potential security problems and malicious damage by the staff
  - Checking and auditing terminal asset conditions to prevent information leakage and asset loss caused by asset changes
Model of Terminal Security Rationale
[Diagram: access to the core resources of the internal network passes through the following stages.]
- ID authentication: invalid users are not allowed to access the network.
- Security authentication: unsecured terminals are isolated for recovery.
- Security authorization: authenticated access to the service system.
- Real-time monitoring and auditing of admitted terminals.
Evolution of Terminal Security
[Diagram: three stages.]
- Simple protection: anti-virus software, private firewall
- Software protection: system control, software protection
- Compound protection: system control, network control, combination of software and hardware protections
Position of Terminal Security in a Security System
[Diagram: each physical-security element is paired with its network-security counterpart.]
- Monitor: intrusion detection system
- Safe transmission: encryption and VPN
- Access control system: ID authentication and access control
- Monitoring room: Security Management Center
- Protected room: system security and immunity
- Door: firewall
- Security guard: security check and violation audit
Terminal Security Design Model of HS
[Diagram: information is tiered into core information, sensitive information and common information; four controls protect access to it.]
- Identity authentication: refuse unauthenticated user accounts
- Security check: isolate and recover insecure user accounts
- Authenticated access: authenticate the access scope
- Monitoring: monitor and audit behaviors
Management cycle shown: stipulate policy and regulations -> carry out the policy -> check the implementation -> rectify and audit violations. Further labelled steps: audit, recover, policy modification.
Terminal Security Platform Design
[Diagram] Functional modules: patch management, staff behaviour, security policy, antivirus, identity management, access control, access authorization, asset management, security audit. Also labelled: security authentication, identity authentication, security authorization; network layer and system layer.
SECO Architecture
- Secospace architecture
- Secospace components
- Secospace service process
Secospace Architecture
[Diagram] Terminal security agents connect through an SACG or an 802.1X switch. The SM management server consists of an SM JBoss server, a primary LDAP server, a primary FTP server and a DB server running the SQL Server 2005 component. Each SC control server consists of an SC JBoss server, a secondary LDAP server and a secondary FTP server; LDAP synchronization and FTP synchronization link the primary and secondary servers. Violation/asset information is reported to the SM, where reports are viewed. An upper-layer SM management server sits above the other SM management servers.
Callouts in the diagram:
- The upper-layer SM management server manages multiple lower-layer SM servers.
- The SM management server functions as a gateway. It manages multiple SC control servers.
- The SC control server provides the 1+1 backup function for the agent.
Cluster Technology
[Diagram: one SM manages several SCs, and each SC manages several SAs.]
Centralized Deployment
[Diagram: a single SM/SRS with its SCs, their SAs and the service system.]
Distributed Deployment
[Diagram: several SM/SRS instances, each with its own SCs, SAs and service system.]
Logical Relations Between Components
[Diagram: an upper-layer SM sits above lower-layer SMs. Each lower-layer SM/SRS has its own MS SQL, LDAP and FTP servers and manages several SCs, each of which has its own LDAP and FTP servers.]
Network Layer-Based Control
[Diagram] Elements shown: subscriber layer, access layer, core layer and application layer; OA domain and BOSS domain; multiple SACGs; end point network and global network; system layer.
Secospace Manager (SM)
- The SM is the core of the Secospace terminal security management system.
- The SM supports distributed deployment: one SM serves multiple SCs.
- The SM, SC and SRS together constitute the server part of Secospace.
Secospace Controller (SC)
- The SC manages SAs according to the data configured on the SM.
- SCs are the executors of the SM's management functions: the SM makes decisions and the SCs coordinate all components to implement them.
- When a user passes the SA authentication, the SC informs the SACG to grant the user rights to access the related enterprise resources.
- The SC separates the management and the control of Secospace and strengthens hierarchical management.
Secospace Recover Server (SRS)
- The SRS provides recovery suggestions in case of user violations and assistance with the installation of recovery patches.
- The SRS provides assistance for configuring the terminal security of users.
- The SRS provides personalized security help for users.
- The SRS helps users to query the security policies of the enterprise.
Secospace Agent (SA)
- The SA is installed on terminals that require management.
- Users are required to pass identity and security authentication through the terminal SA before accessing the enterprise core network.
- The SA checks and monitors the security status of users according to the security policy configured on the SM.
- The SA helps to monitor screens and provides remote assistance.
- Security advertisement
Secospace Access Control Gateway (SACG)
- The SACG controls the rights of users to access the service servers by group in real time.
- The SACG helps to divide the operator-level hardware platform into multiple post-authentication domains.
- Devices of three levels (300/500/1000) are provided to meet the requirements of different customers:
  - Eudemon300: 4000 concurrent users
  - Eudemon500: 10000 concurrent users
  - Eudemon1000: 20000 concurrent users
- An 802.1X switch provides port-level access control.
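The admission model the deck describes (identity authentication, then the SA's security check, then group-based rights opened by the SACG, with non-compliant terminals isolated to the recovery server) as an added Python sketch that is not part of the deck or of Huawei Symantec's product. The policy, the report fields and the patch id are constructed assumptions; the domain names OA and BOSS are taken from the deck's diagram.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENIED = "denied"          # identity authentication failed: no network access
    ISOLATED = "isolated"      # identity OK, security check failed: recovery domain only
    AUTHORIZED = "authorized"  # both passed: SACG opens the group's post-auth domains


@dataclass(frozen=True)
class TerminalReport:
    """What the SA on a terminal reports to the SC (constructed shape, not the real protocol)."""
    user: str
    identity_ok: bool       # outcome of identity authentication
    av_running: bool        # antivirus status found by the security check
    missing_patches: tuple  # constructed patch ids still missing on the terminal
    group: str              # user group the SACG uses to grant rights by group


# Constructed policy: security-check requirements and the post-authentication
# domains each group may reach.
POLICY = {
    "require_av": True,
    "max_missing_patches": 0,
    "domains": {"finance": {"OA", "BOSS"}, "staff": {"OA"}},
}
RECOVERY_DOMAIN = {"SRS"}  # only the recovery server is reachable while isolated


def security_check(report, policy):
    """Return the violations the SA would report for this terminal (empty = compliant)."""
    violations = []
    if policy["require_av"] and not report.av_running:
        violations.append("antivirus not running")
    if len(report.missing_patches) > policy["max_missing_patches"]:
        violations.append("missing patches: " + ", ".join(report.missing_patches))
    return violations


def admit(report, policy=POLICY):
    """SC decision for one terminal: (decision, domains the SACG should open, audit record)."""
    if not report.identity_ok:
        return Decision.DENIED, frozenset(), f"{report.user}: identity authentication failed"
    violations = security_check(report, policy)
    if violations:
        return (Decision.ISOLATED, frozenset(RECOVERY_DOMAIN),
                f"{report.user}: isolated for recovery ({'; '.join(violations)})")
    domains = frozenset(policy["domains"].get(report.group, ()))
    return Decision.AUTHORIZED, domains, f"{report.user}: authorized for {sorted(domains)}"
```

A user in a group with no configured domains is authorized but receives an empty domain set, so a missing group mapping fails closed rather than open.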
System Environment Requirements
- Operating system for the server
- Database system
- Directory environment
- Operating systems for terminals
Secospace Service Process
- 802.1X authentication process
- SACG authentication process
- Web authentication process without agent
- Agent offline service process
- Agent/SC server heartbeat detection process
- SACG/SC server heartbeat detection process
- Patch management service process
- Violation reporting process
- Version upgrade/mandatory upgrade process
- Transfer-on-invalid service process
Summary
- Countering internal security threats is a major objective of SECO.
- Based on the terminal security management model, SECO proposes an overall security solution guideline for continued audit: policy customization -> check & control -> recovery & enhancement -> statistics & summary.
- SECO components include the SM, SC, SRS, SA and SACG.
- The SECO service process covers the SACG authentication process, Web authentication process without agent, agent offline service process, agent/SC server heartbeat detection process, patch management service process, violation information reporting process, version upgrade/mandatory upgrade process, etc.