
NAC Security Solution

Technical Proposal

Issue 01

Date 2011-07-24

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-07-24) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd
NAC Security Solution
Technical Proposal 1 Overview of the NAC Security Solution

Contents

1 Overview of the NAC Security Solution .................................................................................. 1


1.1 Background ...................................................................................................................................................... 1
1.1.1 Overview of Enterprise Network Security .............................................................................................. 1
1.1.2 Major Security Problems in Enterprise Intranets .................................................................................... 1
1.2 Major Requirements ......................................................................................................................................... 2
1.2.1 Authentication ......................................................................................................................................... 2
1.2.2 Security Check ........................................................................................................................................ 3
1.2.3 User Authorization .................................................................................................................................. 3
1.2.4 Division of Security Domains ................................................................................................................. 3
1.3 Huawei NAC Security Solution ....................................................................................................................... 4

2 Planning Suggestions for the NAC Security Solution .......................................................... 7


2.1 Overview .......................................................................................................................................................... 7
2.1.1 Introduction to the NAC Security Solution ............................................................................................. 7
2.1.2 Composition of the NAC System............................................................................................................ 8
2.1.3 Service Capabilities of the NAC System .............................................................................................. 10
2.1.4 Basic Process of the NAC Security Solution ........................................................................................ 11
2.2 Planning Suggestions for the Authentication Solution ................................................................................... 13
2.2.1 Introduction to Authentication Protocols .............................................................................................. 13
2.2.2 Selection of Authentication Modes and Authentication Control Points ................................................ 19
2.3 Planning Suggestions for the Solution to Access Layer Authentication ......................................................... 21
2.3.1 Application Scenarios ........................................................................................................................... 21
2.3.2 Networking Planning ............................................................................................................................ 21
2.3.3 Planning for the NAC System ............................................................................................................... 22
2.3.4 Security Policy Planning ....................................................................................................................... 23
2.3.5 User Authority Planning........................................................................................................................ 23
2.3.6 Reliability Planning .............................................................................................................................. 24
2.4 Planning Suggestions for the Solution to Convergence Layer Authentication ............................................... 24
2.4.1 Application Scenarios ........................................................................................................................... 24
2.4.2 Networking Planning ............................................................................................................................ 24
2.4.3 Planning for the NAC System ............................................................................................................... 25
2.4.4 Security Policy Planning ....................................................................................................................... 26
2.4.5 User Authority Planning........................................................................................................................ 26


2.4.6 Reliability Planning .............................................................................................................................. 27


2.5 Planning Suggestions for the Solution to Side-Connection Authentication at the Convergence Layer ......... 27
2.5.1 Application Scenarios ........................................................................................................................... 27
2.5.2 Networking Planning ............................................................................................................................ 27

3 Product Suggestions ................................................................................................................... 29


1 Overview of the NAC Security Solution

1.1 Background
1.1.1 Overview of Enterprise Network Security
With the application and development of enterprise networks, the production and operating
activities of enterprises rely more and more on networks. However, information security threats,
such as viruses, Trojan horse programs, spyware, and network attacks, also keep increasing.
According to statistics, the requirement for the network security has overtaken the
requirements for the network reliability, switching capability, and quality of service (QoS),
and the network security has become the greatest concern of enterprise users. Network
security infrastructures have also become the focus of enterprise network construction.
In traditional ideas of enterprise network construction, it is considered that enterprise intranets
are safe and security threats come externally. Therefore, most security measures, for example,
deploying a firewall or an access control system, focus on how to protect networks against
external attacks. In addition, these products and techniques are mutually independent and
cannot collaborate.
It is proved, however, that many critical network security problems occur in enterprise
intranets. Eighty percent of network security loopholes exist inside networks. The loopholes
continue to damage networks in a severer and wider manner, and often cause system and
network breakdown. Certain malicious software such as spyware and Trojan horse programs
may be unknowingly downloaded to PCs when enterprise employees browse certain websites.
The malicious software is distributed in enterprise intranets, leading to serious security
troubles.
Therefore, with continuous upgrade of security challenges, mere border defense depending on
traditional security measures and independent work is far from enough. Instead, the security
model must be shifted from the passive mode to the active mode, completely tackling network
security problems from the root (terminals), and finally improving the information security
level of the whole enterprise.

1.1.2 Major Security Problems in Enterprise Intranets


On an enterprise intranet, the security status of any terminal directly affects the security of the
whole intranet. The security status of a terminal includes its antivirus capability,
patch level, and system security settings. In addition, frequent illegal access and
unauthorized access damage the service systems of the enterprise and cause the leakage of
key information assets.


Currently, the following security problems exist in most enterprise intranets.

Decentralized Management of Antivirus Software


If a terminal is infected by viruses or Trojan horse programs, the terminal's network access cannot
be controlled. Only after the event can employees be required, by administrative means, to remove
the viruses from the terminal. When an unknown virus spreads widely, however, the whole intranet
may fail, greatly affecting the security and stability of the intranet.

Disorderly Patch Management


System patches cannot be forcibly installed on terminals, many of which run without system
patches. As a result, once a terminal is infected by a virus or malicious code, the virus or
malicious code quickly spreads through the whole intranet.

Difficulty in Implementing Enterprise Security Policies


Employees with weak security awareness may privately install illegal software, or illegally
access the Internet using network devices such as modems, integrated services digital network
(ISDN) dial-up devices, asymmetric digital subscriber line (ADSL) dial-up devices, or
wireless network cards. As a result, serious hidden dangers are introduced into the intranet.
Because such cases are neither detected nor controlled, the enterprise network security system
cannot effectively enforce its security policies.

Lack of Systematic Monitoring and Auditing Capabilities


The enterprise security system cannot monitor the system security status in real time. Lacking
subsequent security audit methods, the system cannot audit employee behaviors such as
access to the intranet, illegal access to external networks, and use of USB storage equipment,
and report the behaviors to the security policy server.

1.2 Major Requirements


As an enterprise keeps growing, the number of employees and the number of
terminals grow rapidly, and the network complexity increases geometrically.
The major purposes of enterprise network security are to manage networks effectively, to
update system patches and upgrade the virus database in time, and to enable network
administrators to promptly identify, isolate, and repair insecure terminals.
Enterprise network security solutions must meet requirements on authentication, security
check, user authorization, and division of security domains.

1.2.1 Authentication
Because more and more enterprise intranet problems result from terminals, the
capability of authenticating users is a basic requirement of enterprise network
security.
User authentication on ordinary terminals (for example, PCs) must meet the following
requirements:
A terminal meeting security requirements can normally access the intranet after
providing the correct user name and password.


A terminal that does not meet security requirements can access only network isolation
areas. The terminal can access the intranet after its security is repaired.
Terminals used by invalid users cannot access the intranet.
The validity of other terminals including printers, fax machines, and IP telephones
cannot be authenticated through terminal software, but can be authenticated through
MAC addresses.

1.2.2 Security Check


Hidden terminal troubles do great harm to networks. Therefore, in the security solution of an
enterprise intranet, the intranet must restrict the access of invalid users and must perform
systematic security check for valid users. Security check must meet the following
requirements:
The intranet checks the security status of the terminal that is to access the intranet. The
system must finish checking the antivirus software installation, patch update, password
strength, and screen saver of the terminal before the terminal accesses the intranet.
The intranet must be capable of responding to the insecure state of the terminal together
with control devices. When an insecure terminal is found to access the intranet, the
intranet must be able to block the access of the terminal to prevent damages to the
service system. In addition, the intranet must be able to actively help the terminal
complete self-repair of the security status.
The intranet must be able to restrict the access authority of an insecure terminal failing to
be repaired in time, to stop the terminal from accessing the intranet and avoid network
security problems.

1.2.3 User Authorization


Currently, access control of network resources is not strict on enterprise intranets. Generally,
terminals can freely access the entire intranet if the intranet is successfully accessed. Based on
IP addresses only, common firewall isolation cannot be flexibly configured and managed. In
addition, security risks such as IP address forgery also exist. Therefore, firewall isolation
cannot completely solve the problems of illegal access and unauthorized access.
In the security solution of an enterprise intranet, the network must manage access control
rights based on user authentication of terminals and user roles. By doing this, the access
control of the intranet is enhanced and illegal access and unauthorized access are prevented,
finally ensuring the security of the enterprise intranet.

1.2.4 Division of Security Domains


Administrators divide the network resources of the live network into different logical security
domains by service and security level. The system opens access authorities for different
security domains according to results of user authentication and security check. In this way,
illegal terminals are isolated and the security of the entire enterprise intranet is ensured. Table
1-1 describes the division of security domains.


Table 1-1 Division of security domains

Type: Pre-authentication domain
Description: Network resources that terminals can access before user authentication
and security check. The network resources of this type include DHCP servers and
system servers.

Type: Isolation domain
Description: Network resources that terminals in the isolated state can access. When
the authentication of a terminal is successful but the security check fails, the
terminal is in the isolated state. In that case, the terminal can access only the
resources needed for security repair, including antivirus update servers and patch
servers.

Type: Post-authentication domain
Description: Network resources that terminals with successful authentication and
security check can access. Administrators can authorize different terminal users to
access relevant network resources according to job relatedness and the minimum
authorization principle. This method can effectively prevent illegal access and
unauthorized access.

The security domain division described in the security solution of an enterprise intranet must
meet the following requirements:
A common terminal can obtain valid public area authorities and departmental authorities
after properly accessing the network. After the location of a terminal is moved, the
terminal must still be able to obtain its network authorities.
A wireless user has the same legal network authorities as a wired user after properly
accessing the network. Illegal wireless users are denied access to the network in this
domain.
A new user must have a default authority to access the network. Employees on business
must be restricted on relevant authorities when accessing the network.
Printers, fax machines, access control systems, and voice and video terminals on the
network must be granted authorities by class of service (CoS), preventing information
port theft from bringing security problems to the network.
The network must be able to control inter-access between terminals. Terminals before
authentication must be restricted to only access server resources that are configured
according to the security policy. The mode of trusted inter-access is used after
authentication. That is, only terminals with successful authentication can access each
other.
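The admission decision behind Table 1-1 and the requirements above can be expressed as a small policy function. The following is an added example and not code from the proposal or from the Huawei TSM product: it takes the two results the NAC system produces for a terminal (user authentication and the security check), assigns the terminal to the pre-authentication, isolation, or post-authentication domain, applies role-based authorization under the minimum-authorization principle, handles agentless devices (printers, IP telephones) by MAC address with a class-of-service authority, and implements trusted inter-access. All resource names, roles, MAC addresses, and port names are constructed placeholders; the decision deliberately ignores the access port, which is what lets a moved terminal keep its authorities.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Domain(Enum):
    """The three logical security domains of Table 1-1."""
    PRE_AUTH = "pre-authentication domain"
    ISOLATION = "isolation domain"
    POST_AUTH = "post-authentication domain"


# Constructed resource names per domain (placeholders, not addresses from the proposal).
DOMAIN_RESOURCES = {
    Domain.PRE_AUTH: {"dhcp-server", "admission-server", "software-server"},
    Domain.ISOLATION: {"patch-server", "virus-db-server"},
}

# Constructed role-to-resource map for the post-authentication domain. Every role gets the
# public area plus only what its job requires (minimum authorization principle).
ROLE_RESOURCES = {
    "guest": {"public-area"},                                        # default authority for new users
    "employee": {"public-area", "department-share"},
    "finance": {"public-area", "department-share", "finance-server"},
}

# Constructed MAC registry and class-of-service authorities for terminals that cannot run an
# agent (printers, fax machines, IP telephones); they are authenticated by MAC address only.
MAC_REGISTRY = {"00:11:22:33:44:55": "printer", "00:11:22:33:44:66": "ip-phone"}
COS_RESOURCES = {"printer": {"print-spooler"}, "ip-phone": {"voice-gateway"}}


@dataclass
class Terminal:
    mac: str
    username: Optional[str] = None   # None: agentless device, authenticated by MAC
    password_ok: bool = False        # result of user authentication
    posture_ok: bool = False         # result of the terminal security check
    role: str = "guest"
    access_port: str = "unknown"     # where the terminal is plugged in; not used for the decision


@dataclass
class Decision:
    domain: Domain
    resources: Set[str]
    reason: str


def admit(t: Terminal) -> Decision:
    """Map authentication and security-check results to a security domain and resource set."""
    if t.username is None:
        # Agentless terminal: MAC authentication, authority granted by class of service.
        cls = MAC_REGISTRY.get(t.mac.lower())
        if cls is None:
            return Decision(Domain.PRE_AUTH, set(DOMAIN_RESOURCES[Domain.PRE_AUTH]), "unregistered MAC address")
        return Decision(Domain.POST_AUTH, set(COS_RESOURCES[cls]), f"MAC authenticated as {cls}")
    if not t.password_ok:
        # Invalid user: stays in the pre-authentication domain, so no intranet access.
        return Decision(Domain.PRE_AUTH, set(DOMAIN_RESOURCES[Domain.PRE_AUTH]), "user authentication failed")
    if not t.posture_ok:
        # Valid user on an insecure terminal: may reach only the repair servers.
        return Decision(Domain.ISOLATION, set(DOMAIN_RESOURCES[Domain.ISOLATION]), "security check failed")
    resources = ROLE_RESOURCES.get(t.role, ROLE_RESOURCES["guest"])
    return Decision(Domain.POST_AUTH, set(resources), f"authenticated, role '{t.role}'")


def can_reach(a: Terminal, b: Terminal) -> bool:
    """Trusted inter-access: only two successfully authenticated terminals may talk to each other."""
    return admit(a).domain is Domain.POST_AUTH and admit(b).domain is Domain.POST_AUTH


if __name__ == "__main__":
    alice = Terminal("aa:bb:cc:00:00:01", "alice", password_ok=True, posture_ok=True, role="finance")
    print(admit(alice))
    print(admit(Terminal("aa:bb:cc:00:00:02", "bob", password_ok=True, posture_ok=False)))
    print(admit(Terminal("00:11:22:33:44:55")))
```

A real admission server would turn the returned resource set into an ACL pushed to the network admission device; the point of the example is the ordering of the checks, which is what keeps an authenticated but unhealthy terminal out of the post-authentication domain.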

1.3 Huawei NAC Security Solution


Huawei network access control (NAC) security solution provides integrated terminal security
protection functions through user authentication, security check, and repair and upgrade,
based on the guiding ideology that only valid users and safe terminals can access the intranet.
Huawei can help enterprises construct safe intranets, ensuring normal service development
and operation of enterprises. Huawei NAC security solution starts with the security control of
terminals that access networks. In the solution, the terminal security status is combined with
network access control. The active defense capability of terminals on a network is enhanced
through check, isolation, hardening, and audit, ensuring the security of each terminal on an
enterprise intranet and the security of the enterprise intranet. Figure 1-1 shows the networking
of the NAC solution.


Figure 1-1 Networking of the NAC solution

(Figure: network diagram. Pre-authentication domain: access server, DHCP server, DNS
server, software server. Isolation domain: patch server, virus database server.
Post-authentication domain: NMC, intranet service server. Access paths: small branch
through an AR router with a branch authentication point and Portal authentication access;
data center; remote access through a router/VPN gateway and SSL VPN access; campus
network or large branch with an authentication point at the convergence layer
(convergence switch, Portal authentication point) and an authentication point at the
access layer (access switch, IEEE 802.1X authentication), plus AP access and mobile
access. Terminals: IP telephone, printer, PC terminal.)

Huawei NAC security solution includes the following contents:


Check the validity of a terminal user using multiple authentication methods.
Check terminals about their security loopholes, antivirus software installation, and virus
database update.
Control network access authorities of terminal users through unified access policy and
security policy management.
Register and monitor desktop assets, manage peripheral equipment, and distribute
software through desktop operation and maintenance.


2 Planning Suggestions for the NAC Security Solution

2.1 Overview
2.1.1 Introduction to the NAC Security Solution
Huawei NAC security solution is based on the guiding ideology that only valid users and safe
terminals can access the network. Huawei combines a complete series of enterprise intranet
and security products with the terminal security management (TSM) system to provide an
integral and safe NAC solution based on user identification, security check, and repair and
upgrade. In addition, the solution has rich extension functions, providing enterprise intranets
with a capability of integral terminal security protection.

Authentication and Access Control


In the NAC solution, the network can authenticate the validity of users that attempt to access
the network. Only valid users are allowed into the network and available resources vary with
roles and users.
Administrators can divide users into groups or define different roles, and configure different
resources for them. In this way, specific users can access only authorized specific resources.

Access Security Check and Control


The NAC solution provides security check for user terminals. Only healthy and safe user
terminals are allowed to access the network. Network administrators of an enterprise can
self-define security rules and policies for the enterprise intranet. For example, antivirus
software must be installed and run on terminals, the virus database must be the latest, it is
prohibited to install unlawful software on terminal systems, and terminal systems must be
installed with system patches.

System Repair and Upgrade


If hidden security troubles exist in the system, Huawei NAC solution provides the automatic
and manual repair and upgrade functions for the system. The solution enables the system to be
associated with the Windows Server Update Services (WSUS) and to automatically download
and upgrade system patches. The solution also provides strong association with commercial


antivirus software to update the virus database. In addition, the solution provides forcible
security measures to automatically kill invalid or illegal processes.

Rich Extension Functions


Huawei NAC solution also provides extension functions such as behavior management,
software distribution, and asset management.
Behavior management
The TSM system provides the terminal-based function of employee behavior
management to remind terminal users to obey the enterprise behavioral norms when
using terminal hosts, thus improving the security management capability of the intranet.
Software distribution
The TSM system provides the software distribution function to manually or
automatically distribute software on schedule to the corresponding terminal hosts.
Software can be distributed by department or operating system (OS).
Asset management
The TSM system provides the asset management function to uniformly manage
enterprise assets. The function improves efficiency, reduces maintenance costs, prevents
employees from privately modifying the configurations of enterprise terminal hosts,
and reduces the risk of losing assets.

2.1.2 Composition of the NAC System


The framework of the NAC security system (NAC system for short) comprises three key
components: agent clients, network admission devices, and admission servers, as shown in
Figure 2-1.

Figure 2-1 Components of the NAC system

(Figure: a terminal agent (special client software) connects through a network admission
device (access controller) to the admission servers (authenticator/checker) on the intranet.
The admission server side comprises the admission control server, management server,
virus database server, and patch server. Functions shown: authenticate users, check
security.)


Agent Clients
Agent clients are special client software installed on user terminals. They work with
admission servers to perform user authentication, terminal security check,
system repair and upgrade, and terminal behavior monitoring and audit.
User authentication
You can enter the user name and password after client software is installed on a terminal.
Then the client software sends the user name and password to admission servers.
Terminal security check
Terminal security check is also called terminal health check. According to the security
policy delivered by the admission servers, the client software checks the security status
of the user terminal, including the OA version, system patch installation, antivirus
software installation, virus database date, and black and white lists of application
processes. After that, the client software reports the check result to the admission servers
to determine whether the terminal is secure or healthy.
System repair and upgrade
The client software accepts instructions from the admission servers. If the user terminal
does not meet the security standards, the client software requires the terminal to
automatically repair and upgrade its system, or forces the terminal to do so. After the
repair, the client software reports the result to the admission servers.
Monitoring and audit
The client software monitors in real time whether the security status of the terminal host
and user behaviors comply with the security policy, and regularly reports security events
to the admission servers for security audit afterwards. Terminal security check comprises
the check on the agent client implementation patch, antivirus software, screen saver, and
shared directory. User behavior monitoring includes the monitoring of agent client
operations on executable files, network connections, accessed websites, and USB storage
devices.
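The check the agent client performs against a server-delivered policy can be written out as follows. This is an added example, not the TSM client's own code or check format: it evaluates a constructed terminal state against a constructed security policy covering the items named above (system patches, antivirus installation and running state, virus database date, process black and white lists, screen saver, and password strength from 1.2.2), returns one record per failed item so the server can decide healthy or not, and maps each failure to the repair action the client would drive. Patch identifiers, process names, and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass
class SecurityPolicy:
    """Check items delivered by the admission server (constructed example values)."""
    required_patches: Set[str]
    antivirus_process: str          # process that must be running when antivirus is installed
    max_virus_db_age_days: int
    process_blacklist: Set[str]     # must not run
    process_whitelist: Set[str]     # if non-empty, nothing outside it may run
    screen_saver_required: bool
    min_password_length: int


@dataclass
class TerminalState:
    """What the agent client collects from the host (constructed example values)."""
    os_version: str
    installed_patches: Set[str]
    antivirus_installed: bool
    running_processes: Set[str]
    virus_db_date: date
    screen_saver_enabled: bool
    password_length: int


# Constructed mapping from a failed item to the repair the client can drive itself.
REPAIR_ACTIONS = {
    "patch": "install missing patches from the patch server (WSUS)",
    "antivirus": "install or start the antivirus software",
    "virus-db": "update the virus database from the virus database server",
    "process": "terminate the offending processes",
    "screen-saver": "enable the screen saver",
    "password": "change the password to meet the length requirement",
}


def check_posture(state: TerminalState, policy: SecurityPolicy, today: date) -> List[Dict[str, str]]:
    """Return one record per failed check item; an empty list means the terminal is healthy."""
    failures: List[Dict[str, str]] = []

    missing = policy.required_patches - state.installed_patches
    if missing:
        failures.append({"item": "patch", "detail": "missing " + ", ".join(sorted(missing))})

    if not state.antivirus_installed:
        failures.append({"item": "antivirus", "detail": "not installed"})
    elif policy.antivirus_process not in state.running_processes:
        failures.append({"item": "antivirus", "detail": "installed but not running"})

    age = (today - state.virus_db_date).days
    if age > policy.max_virus_db_age_days:
        failures.append({"item": "virus-db", "detail": f"{age} days old, limit {policy.max_virus_db_age_days}"})

    banned = state.running_processes & policy.process_blacklist
    if banned:
        failures.append({"item": "process", "detail": "blacklisted: " + ", ".join(sorted(banned))})
    if policy.process_whitelist:
        unlisted = state.running_processes - policy.process_whitelist
        if unlisted:
            failures.append({"item": "process", "detail": "not on whitelist: " + ", ".join(sorted(unlisted))})

    if policy.screen_saver_required and not state.screen_saver_enabled:
        failures.append({"item": "screen-saver", "detail": "disabled"})
    if state.password_length < policy.min_password_length:
        failures.append({"item": "password", "detail": f"length {state.password_length} < {policy.min_password_length}"})
    return failures


def build_report(state: TerminalState, policy: SecurityPolicy, today: date) -> Dict[str, object]:
    """The check result the agent reports to the admission server, plus the repair plan."""
    failures = check_posture(state, policy, today)
    return {
        "healthy": not failures,
        "failures": failures,
        "repair_plan": sorted({REPAIR_ACTIONS[f["item"]] for f in failures}),
    }


# Constructed sample policy, host states, and check date.
TODAY = date(2011, 7, 24)
POLICY = SecurityPolicy(
    required_patches={"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
    antivirus_process="avservice.exe",
    max_virus_db_age_days=7,
    process_blacklist={"p2pclient.exe"},
    process_whitelist=set(),
    screen_saver_required=True,
    min_password_length=8,
)
SAMPLE_HOST = TerminalState("example-os-1.0", {"KB-EXAMPLE-1"}, True,
                            {"explorer.exe", "p2pclient.exe"}, date(2011, 7, 10), False, 6)
HEALTHY_HOST = TerminalState("example-os-1.0", {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, True,
                             {"explorer.exe", "avservice.exe"}, date(2011, 7, 20), True, 12)

if __name__ == "__main__":
    print(build_report(SAMPLE_HOST, POLICY, TODAY))
    print(build_report(HEALTHY_HOST, POLICY, TODAY))
```

The report is deliberately itemised rather than a single pass/fail flag: the admission server needs the per-item detail to put the terminal in the isolation domain with the right repair servers, and the client needs it to drive the automatic repair and report the result back.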

Network Admission Devices


Network admission devices are network control points (NCPs) for terminals to access
networks. As implementers of enterprise security policies, network admission devices
implement relevant admission control (permission, rejection, isolation, or restriction)
according to security policies of customers' networks.
In Huawei NAC solution, network admission devices can be a switch, router, wireless access
point, virtual private network (VPN) gateway, or other security devices. These network
admission devices force users to be authenticated for admission, reject network access of
invalid users, isolate unhealthy terminals, and provide valid users and healthy terminals with
network services.
Network admission devices have the following functions:
User authentication
Network admission devices can help agent clients fulfill authentication. Huawei NAC
solution supports multiple authentication modes, such as IEEE 802.1X, MAC, and Portal
authentication. In different authentication modes, network admission devices assist client
software and admission server with user authentication.
User authority control
Network admission devices monitor the process of user authentication and grant users
authorities corresponding to the results provided by admission servers.


Terminals before authentication have the access authorities of the pre-authentication
domain. They can access admission servers and public-domain software servers to
install agent clients.
Terminals isolated for security have the authorities of the isolation domain. They can
access the virus database server and patch server.
Terminals with successful authentication have the network authorities of the
post-authentication domain. Network authorities can vary with different user roles.

Admission Servers
Admission servers include the admission control server, management server, virus database
server, and patch server.
The admission control server authenticates users, audits security, implements security
policies, and works with network admission devices to grant user authorities.
The management server manages users using the following ways: add, delete, or modify
user authorities, configure users' departments, and customize and manage security
policies.
The virus database server controls automatic virus database update of antivirus software
on terminals.
The patch server controls patch installation and update of OSs and application software
on terminals.

2.1.3 Service Capabilities of the NAC System


The NAC security solution provides such functions as access authentication, authority control,
terminal management, attack defense, and assets management. In addition, the solution
features high reliability, flexible implementation, and open convergence.

Multiple Authentication Modes


Provide different solutions for authentication deployed at the access layer and at the
convergence layer, suitable for large campus networks.
Provide multiple authentication modes, such as IEEE 802.1X, MAC, Portal, forcibly
pushed web authentication, and Active Directory (AD) or Lightweight Directory Access
Protocol (LDAP) authentication; when combined with domain authentication, a user
needs to authenticate only once.
Support deployment on various terminals, including PCs, non-PC terminals, wireless
terminals, and IP telephones.
Provide agent clients, as well as agent-free access through ActiveX plug-ins.

Rich Security Control Modes


Support access control list (ACL) delivery based on users and ports, and support access
authorities restricted per user.
Support authority restriction based on user security statuses.
Provide a complete one-touch intelligent repair function.

Perfect Terminal Management Scheme


Provide such functions as organization personnel management, policy management,
behavior monitoring, and patch management.


Provide the richest security policies in the industry for user customization.
Provide abundant user behavior audit functions, including USB device monitoring,
management on illegal access to external networks, and process and service monitoring.

Attack Defense
Support preventing terminal hosts from sending Address Resolution Protocol (ARP)
spoofed messages.
Support preventing terminal hosts from sending ARP flooding messages.
Provide the static ARP address binding function.
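The three attack-defense items above (ARP spoofing, ARP flooding, static ARP binding) share one detection idea: compare what a terminal claims in ARP against what the administrator has bound, and count ARP frames per access port. The following added example, which is not the admission device's own logic or log format, runs that check over a constructed ARP event log. The log format, the static bindings, the Huawei-style port names, and the MAC addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

# Static IP-to-MAC bindings an administrator configures for protected hosts (constructed).
STATIC_ARP_BINDINGS: Dict[str, str] = {
    "10.0.0.1": "00:aa:bb:cc:dd:01",   # gateway
    "10.0.0.20": "00:aa:bb:cc:dd:20",  # file server
}


@dataclass
class ArpEvent:
    ts: float        # seconds
    port: str        # access port the frame arrived on
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str


def parse_arp_log(lines: List[str]) -> List[ArpEvent]:
    """Parse the constructed log format '<ts> <port> <op> <sender_ip> <sender_mac>'."""
    events: List[ArpEvent] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, port, op, ip, mac = line.split()
        events.append(ArpEvent(float(ts), port, op, ip, mac.lower()))
    return events


def analyze(events: List[ArpEvent], flood_threshold: int = 20, window_s: float = 1.0) -> Dict[str, object]:
    """Flag spoofed ARP (sender IP/MAC contradicts a static binding) and ARP floods per port."""
    spoofed: List[ArpEvent] = []
    flooded_ports: Set[str] = set()
    recent: Dict[str, Deque[float]] = defaultdict(deque)   # sliding window of timestamps per port
    for ev in events:
        bound = STATIC_ARP_BINDINGS.get(ev.sender_ip)
        if bound is not None and bound != ev.sender_mac:
            spoofed.append(ev)          # someone claims a bound IP with a different MAC
        q = recent[ev.port]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:
            q.popleft()
        if len(q) > flood_threshold:
            flooded_ports.add(ev.port)  # more frames than allowed within the window
    return {"spoofed": spoofed, "flooded_ports": flooded_ports}


def build_sample_log() -> List[str]:
    """Constructed sample: normal traffic, one spoofed gateway reply, and a burst on one port."""
    lines = [
        "# ts port op sender_ip sender_mac",
        "0.10 Gi0/0/3 request 10.0.0.33 00:aa:bb:cc:dd:33",
        "0.12 Gi0/0/1 reply 10.0.0.1 00:aa:bb:cc:dd:01",
        "0.50 Gi0/0/5 reply 10.0.0.1 de:ad:be:ef:00:05",   # gateway IP with the wrong MAC
    ]
    # 25 requests from one host in under half a second on port Gi0/0/7
    lines += [f"{1.0 + i * 0.02:.2f} Gi0/0/7 request 10.0.0.77 00:aa:bb:cc:dd:77" for i in range(25)]
    return lines


if __name__ == "__main__":
    result = analyze(parse_arp_log(build_sample_log()))
    for ev in result["spoofed"]:
        print(f"spoofed ARP on {ev.port}: {ev.sender_ip} claimed by {ev.sender_mac}")
    print("flooded ports:", sorted(result["flooded_ports"]))
```

On a real admission device the spoof check is what the static ARP binding function enforces in the data plane; the per-port rate check is what backs the flooding protection. Tuning the window and threshold to the normal ARP rate of the access segment is the main operational decision.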

Efficient Assets Management


Provide abundant assets management functions, such as assets registration, assets
lifecycle management, assets statistics, and assets change alarms.
Provide the functions of server platform monitoring, announcement, and remote
assistance for user management.

High Reliability
Provide remote authentication dial-in user service (RADIUS) server backup and Portal
server backup.
Provide the functions of two-node cluster hot backup, two-node cluster cold backup, and
single-point escape.

Flexible and Convenient Implementation Interface


Provide simple and easy-to-use operation interfaces with complete functions.
Provide a convenient and fast installation mode, in which you just need to install the
system once and purchase licenses on demand.

Rich, Flexible, Convergent, and Open Solutions


Realize centralized and unified authentication and authorization management.
Build on the customer's existing network security infrastructure and integrate
previously isolated solutions.
Provide flexible and abundant security checks that include the most terminal security
check policies in the industry and can be performed in the whole process of user access.
Provide industry-class high security. In terms of system management, the NAC system
controls operation authorities based on management roles, and records administrator
operation logs to enhance operation security and traceability.
Provide high reliability. All the important components of the NAC system work in
active-standby and load balancing mode, and provide a particular escape channel
function.
Support the installation of Windows software and the authentication associated with
Windows domains.

2.1.4 Basic Process of the NAC Security Solution


Figure 2-2 shows the basic process of the NAC solution, which involves the components of
agent clients, network admission devices, and admission servers.


Figure 2-2 Basic process of the NAC solution
[Figure: sequence between the terminal, the network admission device, the admission/policy
server and the patch/virus database server. The user enters a user name and password to
initiate authentication. After authentication succeeds, the servers deliver security policies
and check the security of the terminal. If the security check succeeds, the servers enable the
network authorities and the user can access the network. If the check fails, the terminal
repairs its security (upgrading patches and the virus database); once the repair is complete,
the servers enable the network authorities. The server then audits the user.]

The detailed process is as follows:

a. A user terminal accesses the network. Before authentication, every terminal has only
the network authorities of the pre-authentication domain and can access the networks in
that domain on demand.
b. The user installs the agent client software or the Web Agent plug-in on the PC terminal,
then enters the user name and password to initiate authentication. After the terminal is
authenticated, the agent client software or Web Agent plug-in works with the admission
servers to check the security status of the terminal.
c. If the user is valid and the terminal is secure, after authentication the admission servers
deliver the corresponding network authorities to the network admission devices to permit
the user to access the networks in the post-authentication domain.
d. If the user is valid but the terminal has minor security risks, after authentication the
admission servers deliver the corresponding network authorities to the network admission
devices to permit the user to access the networks in the post-authentication domain, and
prompt the terminal about the security risks.
e. If the user is valid but the terminal is seriously insecure, after authentication the
admission servers deliver network authorities that permit the user to access only the
isolation domain. There the user can reach the patch server and the virus database server.
After the terminal is repaired, the admission servers deliver the network authorities of the
post-authentication domain.
f. The system checks the security status of online terminals in real time. If a serious
security problem arises while a terminal is online, the terminal is isolated again.
g. After authentication, the terminal can install patches on demand and access the relevant
servers to upgrade its virus database.
h. The policy server can audit the user.
i. If the user is invalid or unauthenticated, the user can access only the network resources
in the pre-authentication domain.

2.2 Planning Suggestions for the Authentication Solution


2.2.1 Introduction to Authentication Protocols
Huawei NAC security solution supports multiple network access control modes, such as IEEE
802.1X, MAC, and Portal authentication. In addition, this solution can be flexibly deployed
on multiple network devices such as access switches, convergence switches, access
controllers, and AR routers. The network devices work with the NAC terminal agents and
servers to fulfill NAC and to provide secure and reliable access control for enterprise intranets,
campus networks, and metropolitan area networks (MANs).

IEEE 802.1X Authentication


As a port-based NAC protocol, the standard IEEE 802.1X protocol is used to authenticate and
control accessed user devices at the ports of local area network (LAN) access devices.
Terminals connected to the ports can access the resources in the LAN only when the
authentication of the terminals is successful.
IEEE 802.1X authentication uses the Extensible Authentication Protocol (EAP),
implementing authentication information exchange between clients, network admission
devices, and admission servers. Encapsulated in the EAP over LAN (EAPoL) format, EAP
messages between terminals and devices are directly carried in the LAN environment.


Figure 2-3 Flowchart of IEEE 802.1X authentication
[Figure: terminal agent, network admission device, admission server and patch server. User
authentication runs over EAPoL (802.1X) between the terminal and the network admission
device, and over the RADIUS protocol between the network admission device and the
admission server. After RADIUS authentication succeeds, the admission server tells the
network admission device to assign network authorities to the user by delivering a VLAN
ID or ACL; the device sends EAP Success to the terminal; the security check follows, then
repair and upgrade against the patch server.]

The detailed process is as follows:

a. When a user terminal accesses the network, the agent client and the network admission
device exchange the user name and password through EAP.
b. The network admission device and the admission server authenticate the validity of the
terminal user through the RADIUS protocol.
c. If authentication succeeds, the admission server reports the result to the network
admission device through the RADIUS protocol and delivers the corresponding ACL or the
ID of the VLAN the terminal is to join, so that the valid user is access-controlled after
authentication.
d. The network admission device sends an EAP Success message to the terminal.
e. The terminal agent and the admission server exchange the security status information of
the terminal system and check the security of the terminal.
f. If the terminal is insecure, the terminal agent starts system repair and upgrade, interacts
with related servers such as the patch server and the virus database server, and completes
the system security repair.
If the IEEE 802.1X protocol cannot be deployed on the underlying access switch of a
customer's network for special reasons, or if multiple user terminals reach the access switch
through a hub, the standard port-based IEEE 802.1X protocol cannot control each terminal
separately.
To address these problems, the Huawei NAC security solution enhances the standard IEEE
802.1X protocol on switches and routers and realizes MAC-based IEEE 802.1X access
control, so that each terminal can be controlled individually even when several terminals
access the network through a single port. The Huawei NAC solution supports both
port-based and MAC-based IEEE 802.1X access control, which customers can select for
their networks.


Port-based mode: If the first user connected to the port succeeds in authentication, other
users on the same port can access the network without authentication. Once the first user
goes offline, the other users lose network access. Note that this mode cannot stop an
unauthenticated device behind a hub from riding on the first user's session, so prefer
MAC-based mode wherever more than one terminal can share a port.
MAC-based mode: All users connected to the port must be authenticated separately.
The NAC system can control the access of user terminals by delivering VLAN IDs or ACLs,
or delivering both VLAN IDs and ACLs. According to different control modes, IEEE 802.1X
authentication can be subdivided into Guest VLAN-based and ACL-based authentication.
Guest VLAN-based IEEE 802.1X authentication
This is the most commonly used 802.1X authentication mode in the industry. Terminals
before authentication belong to Guest VLANs by default. After the authentication of the
terminals is successful, admission servers deliver VLAN IDs of corresponding roles after
user authentication, and switch user terminals from Guest VLANs to the VLANs of
corresponding roles.
ACL-based IEEE 802.1X authentication
In this mode, after a terminal is authenticated, the admission server delivers only the
user ACL to control that user's access. With many users, this mode demands a large ACL
capacity on the devices.
The admission device first triggers IEEE 802.1X authentication on a terminal. If the
terminal does not respond to IEEE 802.1X within a set time, the admission device uses the
terminal's MAC address as the authentication information and sends it to the server as the
user name and password. This authentication mode is called bypass MAC authentication.
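The following Python is an added example, not code from this proposal or from the Huawei product. It builds the RADIUS Access-Accept an admission server returns after the 802.1X exchange above, carrying the VLAN ID (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, RFC 2868) and/or the ACL name (Filter-Id, RFC 2865) that the network admission device then enforces, and shows the check the device must make on the Response Authenticator before trusting either value. The shared secret, identifier, request authenticator, VLAN ID 30 and ACL name `acl-3001` in the usage section are made-up test values.

```python
"""Added example (not code from this proposal or the Huawei product): the
RADIUS Access-Accept an admission server returns after a successful 802.1X
exchange, carrying the VLAN ID (Tunnel-* attributes, RFC 2868) and/or the
ACL name (Filter-Id, RFC 2865) that the network admission device enforces,
and the check the device must make before trusting either.
The shared secret, identifier, request authenticator, VLAN ID and ACL name
used below are made-up test values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_accept(identifier, request_auth, secret, vlan_id=None, acl_name=None, tag=1):
    """Server side: Access-Accept with a tagged VLAN triple and/or a Filter-Id.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b""
    if vlan_id is not None:
        attrs += _attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        attrs += _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    if acl_name is not None:
        attrs += _attr(FILTER_ID, acl_name.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(body: bytes):
    """Walk the attribute area, rejecting truncated or zero-length TLVs."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def nas_handle_response(packet, identifier, request_auth, secret):
    """Network admission device side: verify the Response Authenticator against
    the outstanding request, then extract the VLAN ID and ACL name to apply."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        raise ValueError("length or identifier mismatch: drop packet")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: drop packet")
    result = {"accepted": code == ACCESS_ACCEPT, "vlan": None, "acl": None}
    if not result["accepted"]:
        return result
    tunnel = {}  # tag -> {attribute type: untagged value}
    for atype, value in parse_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            # RFC 2868: a leading byte of 0x00..0x1F is a tag grouping the three attributes
            tag, value = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            tunnel.setdefault(tag, {})[atype] = value
        elif atype == FILTER_ID:
            result["acl"] = value.decode()
    for group in tunnel.values():
        # Only honour the VLAN when the type and medium say "VLAN over IEEE 802"
        if (int.from_bytes(group.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            result["vlan"] = int(group[TUNNEL_PRIVATE_GROUP_ID])
            break
    return result


if __name__ == "__main__":
    secret, request_auth = b"test-secret", bytes(range(16))  # made-up test values
    accept = build_access_accept(7, request_auth, secret, vlan_id=30, acl_name="acl-3001")
    print(nas_handle_response(accept, 7, request_auth, secret))
```

The device must drop any reply whose Response Authenticator does not verify under the shared secret, otherwise an attacker on the path between switch and server could forge an Access-Accept that moves a port into any VLAN. Guest VLAN-based and ACL-based authentication differ only in which of the two attribute sets the server fills in.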

Portal Authentication
Portal authentication is a layer-3 authentication mode. Users open the Web
authentication page on the Portal server or Web server and enter a user name and
password to complete authentication. With Portal authentication, terminals do not need
client software: when a terminal opens the Portal page, the system performs a basic
security check through an ActiveX control that is downloaded after an automatic prompt.
Because Portal authentication is web-based and requires no client software, it is well
suited to visitors and traveling staff.

NOTE
In Portal authentication mode, you can still realize the complete function of terminal admission control
by downloading the client.

Before Web authentication on the Portal server, users must first reach the authentication
page and then enter and submit their user name and password there. Users can reach the
page either actively (by opening the Portal address) or passively, in forcibly pushed mode,
where the admission device redirects the user's first plain-HTTP request. Only HTTP
requests can be redirected this way; a user whose first request goes to an HTTPS site must
open an HTTP page or the Portal address directly.


Figure 2-4 Flowchart of Portal authentication
[Figure: terminal agent, network admission device, admission server, Portal server and patch
server. The user accesses a web page; the network admission device pushes the web page on
the Portal server by HTTP redirection; the user submits account information over the web;
the Portal server and the network admission device exchange Portal protocol messages; the
network admission device and the admission server exchange RADIUS messages; if
authentication succeeds, the admission server delivers an ACL (RADIUS); the authentication
result is returned to the Portal server (Portal protocol) and then to the user (web); the
security check and repair/upgrade follow.]

The detailed process is as follows:

a. A user terminal accesses any Web server.
b. The network admission device captures the user's HTTP request. If the destination
address of the request is not the Portal server, the network admission device redirects the
request (HTTP redirection) to the Web authentication page on the Portal server.
c. The terminal accesses the Web authentication page on the Portal server. The user enters
and submits the user name and password for authentication.
d. The Portal server and the network admission device exchange the user's account
information through the Portal protocol.
e. The network admission device requests the admission server (RADIUS server) to
authenticate the user through the RADIUS protocol.
f. The admission server authenticates the user and reports the result. If authentication
succeeds, the admission server also delivers the user ACL.
g. After receiving the RADIUS result, the network admission device informs the Portal
server through the Portal protocol. If authentication succeeds, the user is granted network
access authorities and the delivered ACL takes effect on the network admission device.
h. The Portal server informs the terminal of the authentication result over HTTP.
i. The user downloads and installs the ActiveX control or installs the agent client software
on the terminal. After authentication succeeds, the terminal agent exchanges security status
information with the admission server to check the security of the terminal.
j. If the terminal is insecure, the agent client starts system repair and upgrade, interacts
with related servers such as the patch server and the virus database server, and completes
the system security repair.
NOTE
In the Huawei NAC solution, the Portal server and admission servers are integrated: they can be
separate functional modules deployed on the same physical server.

MAC Authentication
In some special cases, terminal users cannot or do not want to complete authentication by
entering a user name and password. For example, some privileged terminals need to access
the network without interactive authentication, and some non-PC terminals, such as
printers and IP telephones, can neither run client software nor be authenticated by entering
a user name and password. In those cases, the network access of the terminals is controlled
through MAC authentication.
In MAC authentication, the system authenticates a terminal using its MAC address as the
credential. After MAC authentication is enabled, when a terminal accesses the network, the
network admission device extracts the terminal's MAC address and uses it as both user
name and password for authentication. If authentication fails, the network admission device
keeps the terminal offline and suspends authentication and detection for that terminal for a
preset quiet period, after which detection restarts. If authentication succeeds, the switch
adds the MAC address to its MAC table and the terminal can access the network normally.
MAC authentication can be performed locally or remotely through the RADIUS server. In
the case of RADIUS authentication, the RADIUS server controls the user's access
authorities by delivering ACLs or VLAN IDs.
Because a MAC address can be forged by any host, MAC authentication identifies the
device expected on a port rather than proving an identity. Combine it with the port binding,
DHCP snooping and IP Source Guard controls described in section 2.3.6, and give
MAC-authenticated terminals only the authorities they need.

Figure 2-5 Flowchart of MAC authentication
[Figure: SIP terminal or printer, network admission device and admission server. The terminal
goes online; the network admission device sends the terminal's MAC address through the
RADIUS protocol (remote MAC authentication) or checks it locally (local MAC
authentication); after successful RADIUS authentication the admission server delivers an ACL
or VLAN ID; the terminal accesses the network.]

The detailed process of MAC authentication is as follows:

a. When a terminal goes online, the network admission device automatically extracts its
MAC address.
b. The network admission device authenticates the MAC address of the terminal.
In the case of RADIUS authentication, the network admission device sends the MAC
address of the terminal as the user name and password through the RADIUS protocol
to the admission server for authentication.
In the case of local authentication, the network admission device checks the MAC
address against the locally configured MAC authentication table.
c. If authentication succeeds, the network admission device assigns network authorities to
the terminal. In the case of RADIUS authentication, the network admission device applies
the ACL or VLAN ID delivered by the RADIUS server to control the authorities of the
terminal.
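As an added example (not code from this proposal or from the Huawei product), the following Python shows what the network admission device does in the process above: it normalizes the MAC address into the form used as user name and password, hides that password the way RFC 2865 section 5.2 requires for a RADIUS Access-Request (remote MAC authentication), and, for local MAC authentication, checks a configured MAC table while enforcing the quiet period after a failed attempt. The shared secret, request authenticator, MAC table entries and quiet period are made-up test values.

```python
"""Added example (not code from this proposal or the Huawei product): how a
network admission device derives MAC-authentication credentials from a
terminal's MAC address, hides the password for the RADIUS Access-Request
(RFC 2865 section 5.2), and, for local authentication, checks a configured
MAC table while enforcing a quiet period after a failed attempt.
The shared secret, request authenticator, MAC table and timings are made-up."""
import hashlib
import re

_CANONICAL = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e and return
    the 12-hex-digit form that is used as both user name and password."""
    mac = re.sub(r"[-:.]", "", raw.strip().lower())
    if not _CANONICAL.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a multiple of 16, then XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. This is obfuscation against casual sniffing, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mac_auth_credentials(raw_mac: str, secret: bytes, request_auth: bytes) -> dict:
    """Attributes the admission device puts in the Access-Request for remote MAC authentication."""
    mac = normalize_mac(raw_mac)
    return {"User-Name": mac, "User-Password": hide_password(mac.encode(), secret, request_auth)}


class LocalMacAuthenticator:
    """Local MAC authentication table with the quiet period the proposal describes:
    after a failure the device stops retrying that MAC until the period expires."""

    def __init__(self, table: dict, quiet_period: int = 60):
        self.table = {normalize_mac(m): vlan for m, vlan in table.items()}  # MAC -> VLAN ID
        self.quiet_period = quiet_period
        self.quiet_until = {}

    def authenticate(self, raw_mac: str, now: float):
        mac = normalize_mac(raw_mac)
        if self.quiet_until.get(mac, 0) > now:
            return ("quiet", None)          # still in the quiet period: no new attempt
        vlan = self.table.get(mac)
        if vlan is None:
            self.quiet_until[mac] = now + self.quiet_period
            return ("reject", None)         # terminal stays offline
        self.quiet_until.pop(mac, None)
        return ("accept", vlan)             # MAC learned, VLAN applied


if __name__ == "__main__":
    creds = mac_auth_credentials("00-1A-2B-3C-4D-5E", b"s3cr3t", bytes(range(16)))
    print(creds["User-Name"], creds["User-Password"].hex())
    auth = LocalMacAuthenticator({"00:1a:2b:3c:4d:5e": 20})
    print(auth.authenticate("001a.2b3c.4d5e", now=0), auth.authenticate("00:00:5e:00:53:01", now=0))
```

Because the user name and password are both just the MAC address, the Access-Request carries no secret at all; the quiet period limits how fast an attacker can probe the MAC table, but it does not stop someone who already knows (or can sniff) a registered MAC address.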

Comparison Between the Three Authentication Modes


Table 2-1 lists the comparison of advantages and disadvantages between IEEE 802.1X, Portal,
and MAC authentication.

Table 2-1 Comparison between the three authentication modes

Client requirements
IEEE 802.1X authentication: Mandatory.
Portal authentication: Not required for Portal authentication itself; forcibly pushed web
authentication needs one (the ActiveX control).
MAC authentication: Not required.
Advantages
IEEE 802.1X authentication: If deployed at the access layer, the system directly controls
the connection and disconnection of the network access port. Security is high.
Portal authentication: Deployment is flexible.
MAC authentication: No client needs to be installed.
Disadvantages
IEEE 802.1X authentication: Deployment is inflexible.
Portal authentication: Security is lower.
MAC authentication: Management is complicated and MAC addresses must be registered.
Applicable scenarios
IEEE 802.1X authentication: Newly built networks with centralized users and strict
information security requirements.
Portal authentication: Flexible; suited to wireless scenarios in which users are scattered.
MAC authentication: Access authentication of SIP terminals, printers, and fax machines.


2.2.2 Selection of Authentication Modes and Authentication Control Points
As described in section 2.2.1 "Introduction to Authentication Protocols", the currently
available authentication modes include IEEE 802.1X, Portal and MAC authentication.
Authentication control points can be deployed at the access layer and convergence layer, and
on routers or VPN gateways.

Deployment of Authentication Control Points at the Access Layer


IEEE 802.1X authentication is recommended if authentication control points are deployed
at the access layer, as shown in Figure 2-6.
All terminals belong to the Guest VLAN before authentication.
If a terminal is authenticated successfully, the admission server delivers the Service
VLAN and switches the terminal's domain.
If a terminal is found insecure, the admission server delivers the Isolate VLAN to isolate
the terminal.
Convergence switches control user authorities according to VLAN or network segment
configurations.
Because this deployment mode is simple and the control points are closest to users, the
intranet obtains the strongest protection. It suits most new campus networks and campus
networks with relatively new network devices. Because there are many authentication
points, however, it increases the management and maintenance workload.

Figure 2-6 Deployment of authentication control points at the access layer
[Figure: pre-authentication domain (admission server, DHCP server, DNS server, software
server), isolation domain (patch server, virus database server) and post-authentication domain
(NMC, service server) on the intranet. The access switches are the authentication points (IEEE
802.1X authentication access) and ACLs on the convergence switch control access authorities.
1. A terminal accesses the network; before authentication it belongs to the Guest VLAN
configured on the port. 2. After authentication succeeds, the servers check the security of the
terminal; if the check fails, the authentication server delivers the Isolate VLAN to switch the
user authorities. 3. After repair and a successful security check, the authentication server
delivers the Service VLAN to switch the user authorities.]


Deployment of Authentication Control Points at the Convergence Layer


Portal authentication is recommended if authentication control points are deployed at the
convergence layer, as shown in Figure 2-7.
User authorities in the pre-authentication domain are restricted through the Portal Free
Rule.
If a terminal is authenticated successfully, the admission server delivers an ACL and
switches the user authorities.
If a terminal is found insecure, the admission server delivers an ACL to isolate the
terminal.
Because there are only a few authentication points, this deployment mode suits the access
of many kinds of users. Being convenient and flexible to deploy and easy to manage and
maintain, it applies to scenarios in which users are scattered or both wireless and wired
terminals access the network. It also applies to network reconstruction, where security
access control is added without changing the original network structure. Because terminals
on the same access switch can reach each other below the control point, configure security
functions such as port isolation and DHCP snooping on the access switches.
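The following Python is an added example, not code from this proposal or from the Huawei product. It models the decisions a convergence-layer gateway makes for gateway-based Portal authentication: the HTTP redirection to the Portal page described in section 2.2.1, and the Portal Free Rule, delivered ACL and Isolate ACL described in this section. The portal URL, IP addresses, ports and ACL names are made-up test values; the `Rule`, `PortalGateway` and handler names are this example's own.

```python
"""Added example (not code from this proposal or the Huawei product): the
forwarding decisions a convergence-layer gateway makes for gateway-based
Portal authentication, covering the HTTP redirection in 2.2.1 and the Portal
Free Rule, delivered ACL and Isolate ACL in the convergence-layer deployment.
The portal URL, addresses and ACL names are made-up test values."""
import ipaddress
from urllib.parse import quote

PORTAL_URL = "https://portal.example.internal/login"   # assumed Portal server page


class Rule:
    """One permit/deny line keyed on destination network and optional port."""

    def __init__(self, cidr: str, port=None, action: str = "permit"):
        self.net, self.port, self.action = ipaddress.ip_network(cidr), port, action

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return ipaddress.ip_address(dst_ip) in self.net and self.port in (None, dst_port)


def first_match(rules, dst_ip, dst_port, default="deny"):
    """ACL semantics: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return default


class PortalGateway:
    def __init__(self, free_rules, acls):
        self.free_rules = free_rules   # Portal Free Rule = the pre-authentication domain
        self.acls = acls               # ACL name -> rules, as delivered by the admission server
        self.sessions = {}             # client IP -> ACL name currently applied

    def decide(self, src_ip, dst_ip, dst_port, http_host=None, http_path="/"):
        """Return ("permit"|"deny"|"redirect", redirect_url_or_None) for one flow."""
        acl_name = self.sessions.get(src_ip)
        if acl_name is not None:                    # authenticated: delivered ACL governs
            return (first_match(self.acls.get(acl_name, []), dst_ip, dst_port), None)
        if first_match(self.free_rules, dst_ip, dst_port) == "permit":
            return ("permit", None)                 # pre-authentication domain
        if dst_port == 80 and http_host:            # forcibly pushed web authentication
            original = f"http://{http_host}{http_path}"
            return ("redirect", f"{PORTAL_URL}?url={quote(original, safe='')}")
        return ("deny", None)                       # HTTPS and other traffic cannot be redirected

    def on_radius_result(self, src_ip, accepted: bool, acl_name=None):
        """Authentication result relayed from the admission server."""
        if accepted and acl_name in self.acls:
            self.sessions[src_ip] = acl_name
        else:
            self.sessions.pop(src_ip, None)         # reject or unknown ACL: back to unauthenticated

    def on_security_check(self, src_ip, passed: bool, normal_acl, isolate_acl):
        """Security check result: Isolate ACL on failure, normal ACL again after repair."""
        if src_ip in self.sessions:
            self.sessions[src_ip] = normal_acl if passed else isolate_acl


if __name__ == "__main__":
    gw = PortalGateway(
        free_rules=[Rule("10.0.0.10/32", 53), Rule("10.0.0.20/32", 443)],  # DNS and the Portal server
        acls={"acl-post": [Rule("10.0.0.0/8")], "acl-isolate": [Rule("10.0.1.0/24")]},
    )
    print(gw.decide("192.168.1.5", "203.0.113.5", 80, http_host="www.example.com"))
```

Two practical points follow from the model: the Portal server and DNS must be in the Portal Free Rule or the redirected user can never load the login page, and because sessions are keyed on the client IP address, the access switches below the gateway need DHCP snooping and IP Source Guard so that one terminal cannot take over another's authenticated session by spoofing its address.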

Figure 2-7 Deployment of authentication control points at the convergence layer
[Figure: the same three domains as in Figure 2-6; the convergence switch is the authentication
point (Portal authentication access), with access switches and PC terminals below it. 1. A
user accesses the network and can reach only the region defined by the Portal Free Rule,
namely the pre-authentication domain. 2. If authentication succeeds but the security check
fails, the TSM server delivers the Isolate ACL to change the user's access authority to that of
the isolation domain. 3. After the user's security is repaired, the TSM server delivers a new
ACL to change the user's authority to that of the post-authentication domain.]

Deployment of Authentication Control Points on Routers or VPN Gateways


The deployment of authentication control points on routers or VPN gateways is generally
used to control the access authentication of remote mobile office personnel. In this case,
Portal authentication is used. The detailed deployment mode is similar to that of
authentication control points at the convergence layer.


2.3 Planning Suggestions for the Solution to Access Layer Authentication
2.3.1 Application Scenarios
The current security solutions focus on the protection of layer 3 and higher layers on networks.
However, any behavior that threatens the security of layer 2 will endanger the whole network.
Therefore, the access layer is the best point to deploy network security control. IEEE 802.1X
authentication can directly isolate invalid users at the access layer, ensuring the validity of
accessed users.
To deploy the NAC solution at the access layer, access switches must support IEEE 802.1X
authentication. Because this deployment mode is simple and control points are the closest to
users, intranets can obtain the maximum security assurance. This mode applies to the
scenarios in which networks are newly built. In addition, this mode also applies to network
reconstruction scenarios in which authentication must be added with the original network
security deployment unchanged.

2.3.2 Networking Planning


The solution to access layer authentication uses the traditional three-layer network structure.
Deploy IEEE 802.1X or MAC authentication on access switches to authenticate accessed
users and isolate invalid and insecure users. Configure ACLs on convergence switches for
access authority control. Deploy admission servers and patch and virus database servers in the
server area, in addition to the traditional service server, network management (NM) server,
DHCP server, and domain name server (DNS). See Figure 2-8.


Figure 2-8 Networking of the solution to access layer authentication
[Figure: pre-authentication, isolation and post-authentication domains in the server area
(admission server, DHCP server, DNS server, software server; patch server, virus database
server; NMC, service server); a router/VPN gateway for remote access and branch access;
convergence switches; authentication points at the access layer using IEEE 802.1X (wired
access switches and an AP for wireless access); terminals shown are an IP telephone, a
printer, department A and department B terminals, insecure users, mobile users and visitors.]

2.3.3 Planning for the NAC System


Planning for the Software System
Clients
Install the agent client software on PCs and set the authentication mode in the software
to 802.1X.
Servers
Deploy the admission servers, DHCP server, DNS server, and public software servers
in the pre-authentication domain.
Deploy the patch server and virus database servers in the isolation domain.
Deploy the NM server and the service system in the post-authentication domain.
Deploy active and standby admission servers according to network reliability
requirements.

Planning for Network Devices


IP addresses
Use DHCP to assign client IP addresses dynamically. If users need fixed IP addresses,
have the DHCP server always assign the same address in either of the following ways:


After a user first obtains an IP address, the DHCP server binds that address to the
terminal's MAC address and allocates the same address to that MAC address each time
the terminal goes online.
Use DHCP Option 82 to bind an IP address to the switch and port through which a
terminal goes online, so that the same IP address is allocated to whichever terminal goes
online from that port. Note that this binds the address to the port, not to a device.
VLAN planning
VLANs can be divided into three types: Guest VLAN in the pre-authentication domain,
Isolate VLAN in the isolation domain, and VLAN in the post-authentication domain. In
actual deployment, you can allocate VLANs by functional department, and reserve the
Guest VLAN and the Isolate VLAN.
Domain planning
Distinguish the pre-authentication domain, isolation domain, and post-authentication
domain through VLAN planning. Configure ACLs on convergence switches to control
the access authority of each VLAN. You can combine the pre-authentication and
isolation domains into one domain according to actual deployment conditions.
Authentication configuration
Configure IEEE 802.1X authentication and specify the EAP mode for access devices
that serve as access control points.
Configure IEEE 802.1X authentication for agent clients.
Configure MAC authentication for the terminals such as printers and IP telephones.
If both printers and PCs access the network from a port, configure bypass MAC
authentication on access devices.

2.3.4 Security Policy Planning


Configure a unified security template on the admission servers, choose the security
check items in the template, and classify them as general or serious.
If a PC terminal commits only general violations, it enters the post-authentication
domain after authentication, and the admission servers deliver the post-authentication
VLAN to the access switches for authority control. The terminal's authorities are not
restricted, but it receives a violation alarm that prompts the user to repair the violation as
soon as possible.
If a PC terminal commits a serious violation, it enters the isolation domain after
authentication. Its authorities are restricted and it receives a serious violation alarm that
prompts the user to repair the violation as soon as possible. The user can trigger
automatic repair by pressing the relevant button, and gains the access authorities of the
post-authentication domain only after a successful repair.
The NAC system checks security in real time. If a PC terminal violates the rules again
while online, re-authentication is triggered, and the terminal enters the isolation domain
and receives an alarm.

2.3.5 User Authority Planning


Authority control over valid users
The access layer uses IEEE 802.1X authentication and changes user authorities by
switching VLANs before and after authentication. Configure ACLs on convergence
switches to control the access authorities of VLAN IDs or network segments.
Authority control over invalid users


Access authorities of invalid or unauthenticated users are restricted on access switches.


They can access only the networks restricted by the Guest VLAN.
Authority control over insecure users
IEEE 802.1X authentication requires the agent client software. The admission servers
work with the agent clients to check the security of terminals and distinguish different
security risk levels.
For general violations with small risk, for example a missing screen saver or a shared
folder, the agent client software shows a risk prompt but does not change the user's
authorities.
Serious violations can do great harm to the intranet if left uncontrolled. For example,
if a terminal's patches are not up to date or its virus database is outdated, the terminal
is assigned to the isolation domain and given a violation alarm that prompts the user to
repair the violation. The agent client software provides a one-touch automatic repair
function. After the repair, the agent client rechecks the terminal; if it complies with the
security policies, the agent client automatically re-authenticates the terminal and obtains
the network authorities of the post-authentication domain.
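As an added example (not code from this proposal or from the Huawei product), the following Python shows how an admission server can evaluate a terminal's security report against a unified security template with general and serious levels and map the result to the pre-authentication, isolation or post-authentication domain and its VLAN, following the basic process in section 2.1.4 and the policy and authority planning in sections 2.3.4 and 2.3.5. The check items, VLAN IDs and sample reports are made-up; the real template is configured on the admission server.

```python
"""Added example (not code from this proposal or the Huawei product): how an
admission server can evaluate a terminal's security report against a unified
security template with general and serious levels and map the result to the
pre-authentication, isolation or post-authentication domain (and its VLAN),
following the process in 2.1.4 and the policy planning in 2.3.4 and 2.3.5.
The check items, VLAN IDs and sample reports are made-up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

GENERAL, SERIOUS = "general", "serious"


@dataclass(frozen=True)
class CheckItem:
    name: str
    level: str                        # GENERAL: prompt only; SERIOUS: isolate
    passes: Callable[[dict], bool]    # evaluates one terminal security report


# A unified security template; the real template is configured on the admission server.
SECURITY_TEMPLATE: List[CheckItem] = [
    CheckItem("screen saver enabled", GENERAL, lambda r: bool(r.get("screensaver_enabled"))),
    CheckItem("no file shares", GENERAL, lambda r: not r.get("shares")),
    CheckItem("required patches installed", SERIOUS,
              lambda r: set(r.get("required_patches", [])) <= set(r.get("installed_patches", []))),
    CheckItem("virus database current", SERIOUS, lambda r: r.get("virus_db_age_days", 10**6) <= 7),
]

VLANS: Dict[str, int] = {"pre-auth": 10, "isolation": 20, "post-auth": 30}   # assumed VLAN plan


@dataclass
class Verdict:
    domain: str
    vlan: int
    violations: List[Tuple[str, str]] = field(default_factory=list)
    alarm: str = "none"               # "none", "general" or "serious"


def evaluate(report: dict, authenticated: bool = True, template=SECURITY_TEMPLATE) -> Verdict:
    """Decide which domain/VLAN the admission server delivers for this terminal."""
    if not authenticated:             # invalid or unauthenticated: Guest VLAN only
        return Verdict("pre-auth", VLANS["pre-auth"])
    failed = [(c.name, c.level) for c in template if not c.passes(report)]
    if any(level == SERIOUS for _, level in failed):
        return Verdict("isolation", VLANS["isolation"], failed, "serious")
    if failed:                        # general violations: full access plus an alarm
        return Verdict("post-auth", VLANS["post-auth"], failed, "general")
    return Verdict("post-auth", VLANS["post-auth"])


def recheck_online(current: Verdict, new_report: dict, template=SECURITY_TEMPLATE) -> Tuple[Verdict, bool]:
    """Real-time check of an online terminal. The second value tells whether the
    domain changed, i.e. whether re-authentication and a VLAN switch are needed
    (isolation on a new serious violation, post-auth again after repair)."""
    new = evaluate(new_report, True, template)
    return new, new.domain != current.domain


if __name__ == "__main__":
    report = {"screensaver_enabled": False, "shares": [], "required_patches": ["KB1"],
              "installed_patches": [], "virus_db_age_days": 30}   # constructed sample report
    print(evaluate(report))
```

Keeping the severity in the template rather than in the agent means the same report yields the same verdict on the active and standby admission servers, and a check item can be promoted from general to serious without touching the clients. A missing key in the report counts as a failure for the serious items, so a tampered or truncated agent report falls into isolation rather than into the post-authentication domain.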

2.3.6 Reliability Planning


Deploy security functions such as DHCP snooping and IP Source Guard on access
switches to prevent address theft and spoofing between users.
Bind terminals to switch ports to restrict where terminals can connect and to detect
moved or stolen terminals.

2.4 Planning Suggestions for the Solution to Convergence Layer Authentication
2.4.1 Application Scenarios
The deployment of authentication control points at the convergence layer applies to the
scenarios in which users are scattered, multiple types of terminals access the network, or both
wireless and wired terminals access the network. In these cases, gateway-based Portal
authentication is recommended.
This authentication mode is independent of the access devices. In this mode, terminals can
either be installed with agent clients or use the forcibly pushed web page instead. Featuring
convenient and flexible deployment and easy management and maintenance, this mode suits the
access of various kinds of terminals such as PCs and handheld devices. If security access
control must be added during network reconstruction while the original network structure
stays unchanged, deploy Portal authentication directly at the convergence layer.

2.4.2 Networking Planning


The solution to convergence layer authentication uses the traditional three-layer network
structure. Deploy gateway-based Portal authentication on convergence switches to
authenticate accessed users and isolate invalid and insecure users. Configure ACLs on
convergence switches for access authority control. Deploy the admission servers, patch server,
and virus database server in the server area, in addition to the traditional service server, NM
server, DHCP server, and DNS server. See Figure 2-9.


Figure 2-9 Networking of the solution to convergence layer authentication
[Figure: pre-authentication domain (admission server, DHCP server, DNS server, software
server); isolation domain (patch server, virus database server); post-authentication domain
(NMC, service server); intranet with remote access through a router/VPN gateway and branch
access; authentication point (Portal authentication) on the convergence switch; AP; access of
IP telephone, printer, department A and B PCs, new terminal, mobile access, insecure users
and visitors]

2.4.3 Planning for the NAC System


Planning for the Software System
Clients
Installation of the agent client software on PCs is optional. The default authentication
mode is Portal.
Servers
Deploy the admission servers, DHCP server, DNS server, and public software server
in the pre-authentication domain.
Deploy the patch server and virus database server in the isolation domain.
Deploy the NM server and service system in the post-authentication domain.
Deploy active and standby admission servers according to network reliability
requirements.

Network Device Planning


IP addresses
Use DHCP to dynamically obtain client IP addresses. To give users constant addresses from
the dynamic pool (effectively static IP addresses), bind addresses in either of the following ways:


After a user applies for an IP address, the DHCP server binds the IP address to the
MAC address. From then on, the DHCP server allocates the same IP address to the
terminal with that MAC address each time the terminal goes online.
Use DHCP Option 82 to bind an IP address to the switch through which a terminal
goes online and to the port on that switch. In this way, the same IP address is allocated
to whichever terminal goes online from this port.
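The two binding methods above, modelled as an added example (not Huawei's code) for a DHCP server behind a relaying access switch: method 1 keys the lease on the client MAC, method 2 on DHCP Option 82 (relay agent information, RFC 3046), whose sub-option 1 is the circuit ID (switch port) and sub-option 2 the remote ID (switch). All packets, addresses, port names and switch names are constructed.

```python
# Added example (not Huawei's code): address binding by client MAC (method 1)
# or by DHCP Option 82 switch/port identity (method 2). Values are constructed.
from dataclasses import dataclass, field

OPTION_82 = 82

def parse_tlv(raw: bytes) -> dict:
    """Parse DHCP TLV options into {code: value}. Handles pad (0) and end (255)
    bytes; Option 82 sub-options use the same layout without them."""
    items, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:                      # pad byte carries no length field
            i += 1
            continue
        length = raw[i + 1]
        items[raw[i]] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return items

@dataclass
class DhcpServer:
    mode: str                # "mac" (method 1) or "port" (method 2)
    pool: list               # free addresses, constructed
    bindings: dict = field(default_factory=dict)

    def binding_key(self, mac: str, opts: dict):
        if self.mode == "mac":
            return mac
        subs = parse_tlv(opts.get(OPTION_82, b""))
        if 1 not in subs or 2 not in subs:
            return None      # no relay info: cannot bind by switch/port
        return (subs[2], subs[1])   # (switch remote ID, port circuit ID)

    def assign(self, mac: str, raw_options: bytes) -> str:
        key = self.binding_key(mac, parse_tlv(raw_options))
        if key is None:
            raise ValueError("Option 82 missing; the access switch must insert it")
        if key not in self.bindings:
            self.bindings[key] = self.pool.pop(0)   # first lease fixes the address
        return self.bindings[key]

def build_request(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DHCPDISCOVER options: option 53, Option 82, end marker."""
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return bytes([53, 1, 1, OPTION_82, len(sub)]) + sub + bytes([255])
```

With method 2 a second PC plugged into the same port receives the port's address, which is exactly what makes the port, not the terminal, the unit of control.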
VLAN planning
Allocate VLANs by functional department during deployment. Deploy terminal devices
such as printers and IP telephones in separate VLANs that do not require authentication.
Domain planning
The pre-authentication domain is the access area specified through the Portal Free Rule.
The isolation and post-authentication domains are specified through ACLs delivered by
admission servers. During deployment, combine the pre-authentication and isolation
domains into one according to the actual situation.
Authentication configuration
Configure Portal authentication for convergence devices that serve as access control
points.
Configure the default Portal authentication for agent clients.
If terminals such as printers and IP telephones are deployed in the same VLAN as
PCs, configure the Portal Free Rule to assign their access authorities. If they are
deployed in a VLAN different from that of the PCs, you do not need to configure
authentication for that VLAN.

2.4.4 Security Policy Planning


Configure a unified security template on admission servers, determine security check
items in the template, and set security levels to general and serious levels.
If a PC terminal slightly violates related rules, the terminal enters the post-authentication
domain after authentication, and admission servers deliver the VLAN of the
post-authentication domain to access switches for authority control. Although the
authorities of the terminal are not restricted, the terminal receives a violation alarm that
prompts the user to perform violation repair as soon as possible.
If a PC terminal seriously violates related rules, the terminal enters the isolation domain
after authentication. The authorities of the terminal are controlled, and the terminal
receives a serious violation alarm that prompts the user to perform violation repair as
soon as possible. Users can perform automatic repair by pressing the relevant button.
Users can gain the access authorities of the post-authentication domain only after
successful repair.
The NAC system provides real-time security check. If a PC terminal violates rules,
re-authentication is triggered, and the terminal enters the isolation domain and receives
an alarm prompt.

2.4.5 User Authority Planning


Authority control over valid users
Portal authentication is used for access authority control at the convergence layer.
Admission servers deliver ACLs to convergence switches to control user authority.
In actual deployment, you can flexibly configure ACLs according to different
departments and levels of users. Admission servers also support uniformly configuring
ACLs by department, greatly facilitating actual deployment.


Authority control over invalid users


Convergence switches restrict access authorities of invalid or unauthenticated users, who
can only access the network area restricted through the Portal Free Rule.
To avoid user inter-access, you can deploy port isolation or other security features on
access switches.
Authority control over insecure users
Admission servers associate with the agent client to check the security of a terminal on
which the agent client is installed, using a method similar to the one described in the
solution to access layer authentication: the agent client alarms terminals with small risks
and isolates terminals with large risks. The difference is that, in the convergence layer
authentication solution, isolation is enforced through ACL control information delivered
to the convergence switch.
If a terminal has no agent client installed but uses web authentication, the Web Agent
plug-in can also check the security of the terminal. Unlike the agent client, the Web Agent
plug-in does not support automatic violation repair.
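The admission decision of sections 2.4.4 and 2.4.5, as an added example that is not Huawei's code: the check items are the ones named on the page, while the template levels, the ACL entries, the department names and the addresses are constructed assumptions.

```python
# Added example (not Huawei's code): map authentication and security check
# results to a domain, an ACL and an alarm for the convergence layer solution.
from dataclasses import dataclass
from typing import List, Optional

# Security template: check item -> level ("general" or "serious"); constructed.
SECURITY_TEMPLATE = {
    "screen_saver_enabled": "general",
    "file_sharing_disabled": "general",
    "patches_up_to_date": "serious",
    "virus_db_up_to_date": "serious",
}
PRE_AUTH_ACL = ["permit ip any 10.0.0.0/24"]                      # Portal Free Rule area
ISOLATION_ACL = ["permit ip any 10.0.1.0/24", "deny ip any any"]  # patch/virus DB servers only
DEPARTMENT_ACL = {                                  # post-authentication domain, per department
    "A": ["permit ip any 10.10.0.0/16", "deny ip any any"],
    "B": ["permit ip any 10.20.0.0/16", "deny ip any any"],
}

@dataclass
class Decision:
    domain: str
    acl: List[str]
    alarm: Optional[str]
    auto_repair: bool        # one-touch repair is offered only by the agent client

def decide(authenticated: bool, department: str, check_results: dict,
           client: str = "agent") -> Decision:
    """check_results maps a template item to True (compliant) or False (violated);
    client is "agent" (agent client installed) or "web" (Web Agent plug-in)."""
    if not authenticated:
        return Decision("pre-authentication", PRE_AUTH_ACL, None, False)
    failed = [item for item, ok in check_results.items() if not ok]
    unknown = [item for item in failed if item not in SECURITY_TEMPLATE]
    if unknown:
        raise ValueError(f"check items not in template: {unknown}")
    repair = client == "agent"   # Web Agent plug-in cannot auto-repair
    if any(SECURITY_TEMPLATE[item] == "serious" for item in failed):
        return Decision("isolation", ISOLATION_ACL,
                        "serious violation: " + ", ".join(failed), repair)
    if department not in DEPARTMENT_ACL:
        raise KeyError(f"no ACL configured for department {department}")
    alarm = "violation: " + ", ".join(failed) if failed else None
    return Decision("post-authentication", DEPARTMENT_ACL[department],
                    alarm, repair and bool(failed))
```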

2.4.6 Reliability Planning


Deploy security functions such as DHCP snooping and IP Source Guard on access
switches to prevent address theft and spoofing between users.
Bind terminals with the port of a switch to effectively restrict the access of terminals and
prevent terminal theft.
To avoid user inter-access, deploy port isolation on access switches.
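The reliability measures listed in 2.3.6 and 2.4.6 (DHCP snooping, IP Source Guard and binding a terminal to a switch port), as an added example that is not Huawei's code: a simplified access switch that learns a binding table from DHCP ACKs on trusted ports and then filters user traffic against it. Port names, MAC addresses and IP addresses are constructed.

```python
# Added example (not Huawei's code): DHCP snooping binding table, static
# terminal-to-port binding and the IP Source Guard check that uses them.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the legitimate DHCP server
        self.bindings = {}                  # (vlan, port, mac) -> Binding

    def snoop_dhcp_ack(self, ingress_port, vlan, client_port, client_mac, ip):
        """Learn a binding from a DHCP ACK. ACKs arriving on untrusted (user) ports
        are dropped, which blocks a rogue DHCP server attached to a user port."""
        if ingress_port not in self.trusted:
            return "drop: DHCP server reply on untrusted port"
        self.bindings[(vlan, client_port, client_mac)] = Binding(client_mac, ip, vlan, client_port)
        return "learned"

    def bind_static(self, vlan, port, mac, ip):
        """Bind a terminal to a port; the same MAC on another port has no binding."""
        self.bindings[(vlan, port, mac)] = Binding(mac, ip, vlan, port)

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """Forward an IP packet only if its source MAC and IP match the binding
        learned or configured for that VLAN and port."""
        if port in self.trusted:
            return "forward"                # IPSG is applied on user-facing ports only
        b = self.bindings.get((vlan, port, src_mac))
        if b is None:
            return "drop: no binding for this MAC on this port"
        if b.ip != src_ip:
            return "drop: source IP does not match binding"
        return "forward"
```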

2.5 Planning Suggestions for the Solution to Side-Connection Authentication at the Convergence Layer
2.5.1 Application Scenarios
The solution to side-connection authentication at the convergence layer is specific to certain
network upgrade scenarios, in which the network devices are old but the original network
structure must remain unchanged. In that case, the NAC security solution can be introduced
through a side-connected device installed on the network, which saves customer investment.
In this solution, the side-connected device serves as the gateway for both uplink and
downlink traffic, so it must have sufficient performance.
Portal authentication is also recommended for the solution to side-connection authentication
at the convergence layer. For details about the planning for the NAC system, security policy
planning, user authority planning, and reliability planning, see section 2.4 "Planning
Suggestions for the Solution to Convergence Layer Authentication."

2.5.2 Networking Planning


The networking of this solution is similar to that of the solution to convergence layer
authentication. The difference is that a switch having the authentication function is connected
at the side of the convergence switch. The side-connected switch serves as a gateway. Deploy
gateway-based Portal authentication on the side-connected switch to authenticate accessed
users and to isolate invalid and insecure users. See Figure 2-10.


Figure 2-10 Networking diagram of the side-connection (bypass) authentication solution at the convergence layer
[Figure: pre-authentication domain (admission server, DHCP server, DNS server, software
server); isolation domain (patch server, virus database server); post-authentication domain
(NMC, service server); intranet with remote access through a router/VPN gateway and branch
access; side-connected authentication point (Portal authentication) on a side-connected
device next to the convergence switch; AP; access of IP telephone, printer, department A
and B PCs, new terminal, mobile access, insecure user and visitors]


3 Product Suggestions

Huawei recommends the products listed in Table 3-1 for the nodes and network elements
(NEs) involved in the NAC security solution.

Table 3-1 Suggestions for component products

Component            Product/Model
Access switch        S5700, S3700, S2700
Convergence switch   S7700, S5700
Core switch          S9300
WLAN AC              S9300 AC plug-in card
Server software      TSM Server
Client software      TSM Agent
AD server            Windows 2003 Server
