Technical Proposal
Issue 01
Date 2011-07-24
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
1.1 Background
1.1.1 Overview of Enterprise Network Security
With the application and development of enterprise networks, the production and operating
activities of enterprises rely increasingly on networks. However, information security threats
such as viruses, Trojan horse programs, spyware, and network attacks also keep increasing.
According to statistics, the requirement for network security has overtaken the requirements
for network reliability, switching capability, and quality of service (QoS), and network
security has become the greatest concern of enterprise users. Network security infrastructure
has also become the focus of enterprise network construction.
In the traditional approach to enterprise network construction, enterprise intranets are
considered safe and security threats are assumed to come from outside. Therefore, most
security measures, for example deploying a firewall or an access control system, focus on
protecting the network against external attacks. In addition, these products and techniques
are mutually independent and cannot collaborate.
Experience shows, however, that many critical network security problems occur inside
enterprise intranets. Eighty percent of network security loopholes exist inside networks. These
loopholes damage networks in an increasingly severe and widespread manner, and often cause
system and network breakdowns. Malicious software such as spyware and Trojan horse
programs may be unknowingly downloaded to PCs when enterprise employees browse certain
websites. The malicious software then spreads across the enterprise intranet, leading to serious
security problems.
Therefore, as security challenges continue to escalate, border defense that depends on
traditional, independently operating security measures is far from enough. Instead, the
security model must shift from passive to active, tackling network security problems at their
root (the terminals) and ultimately raising the information security level of the whole
enterprise.
1.2.1 Authentication
Because more and more problems on enterprise intranets result from terminal-related issues,
the capability to authenticate users is a basic requirement of enterprise network security.
User authentication on ordinary terminals (for example, PCs) must meet the following
requirements:
A terminal that meets the security requirements can access the intranet normally after
providing the correct user name and password.
A terminal that does not meet the security requirements can access only the network
isolation area. The terminal can access the intranet after its security has been repaired.
Terminals used by invalid users cannot access the intranet.
Other terminals, including printers, fax machines, and IP telephones, cannot be
authenticated through terminal software, but can be authenticated by MAC address.
Pre-authentication domain: Network resources that terminals can access before user
authentication and security check. The network resources of this type include DHCP
servers and system servers.
Isolation domain: Network resources that terminals in the isolated state can access. When
the authentication of a terminal is successful but the security check fails, the terminal is
in the isolated state. In that case, the terminal can perform only security repair, using
resources such as antivirus update servers and patch servers.
Post-authentication domain: Network resources that terminals with successful
authentication and security check can access. Administrators can authorize different
terminal users to access relevant network resources according to job relatedness and the
minimum authorization principle. This method effectively prevents illegal access and
unauthorized access.
The security domain division described in the security solution of an enterprise intranet must
meet the following requirements:
A common terminal obtains valid public area authorities and departmental authorities
after properly accessing the network. After a terminal is moved to another location, it
must still be able to obtain its network authorities.
A wireless user has the same legal network authorities as a wired user after properly
accessing the network. Illegal wireless users are denied access to the network in this
domain.
A new user must have a default authority to access the network. Employees visiting on
business must be restricted to the relevant authorities when accessing the network.
Printers, fax machines, access control systems, and voice and video terminals on the
network must be granted authorities by class of service (CoS), so that theft of an
information port does not bring security problems to the network.
The network must be able to control inter-access between terminals. Before
authentication, terminals must be restricted to the server resources that are configured
according to the security policy. After authentication, trusted inter-access applies: only
terminals that have been successfully authenticated can access each other.
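The three-domain model and the inter-access requirements above can be expressed as a small admission decision routine. The following is an added example written for this page, not code from the proposal or from the TSM product; the server sets per domain, the VLAN numbers, the user accounts and the MAC-only terminal list are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Domain(Enum):
    PRE_AUTH = "pre-authentication domain"
    ISOLATION = "isolation domain"
    POST_AUTH = "post-authentication domain"


# Constructed sample policy (an assumption for this example, not values from the proposal):
# the servers reachable from each domain, the VLAN delivered for each role, and the
# accounts and MAC-only terminals known to the admission server.
DOMAIN_SERVERS = {
    Domain.PRE_AUTH: {"dhcp", "dns", "software"},
    Domain.ISOLATION: {"dhcp", "dns", "patch", "virus-db"},
    Domain.POST_AUTH: {"dhcp", "dns", "patch", "virus-db", "service"},
}
ROLE_VLAN = {"guest": 10, "isolate": 20, "dept-a": 100, "dept-b": 200, "printer": 300}
USERS = {"alice": "dept-a", "bob": "dept-b"}          # user name -> role after authentication
MAC_TERMINALS = {"00:11:22:aa:bb:cc": "printer"}      # terminals authenticated by MAC address only


@dataclass
class Terminal:
    mac: str
    has_agent: bool = True          # False for printers, IP telephones, etc.
    username: Optional[str] = None
    password_ok: bool = False       # result of checking the submitted password
    health_ok: bool = False         # result of the agent's security check
    role: str = "guest"
    domain: Domain = Domain.PRE_AUTH
    vlan: int = ROLE_VLAN["guest"]


def place(t: Terminal, role: str, domain: Domain) -> Terminal:
    """Record the role, domain and delivered VLAN the admission server decided on."""
    t.role, t.domain, t.vlan = role, domain, ROLE_VLAN[role]
    return t


def admit(t: Terminal, users: Dict[str, str] = USERS) -> Terminal:
    """Admission decision for one terminal, following the three-domain model."""
    if not t.has_agent:
        # No client software: MAC authentication only, and no security check is possible.
        role = MAC_TERMINALS.get(t.mac.lower())
        return place(t, role, Domain.POST_AUTH) if role else place(t, "guest", Domain.PRE_AUTH)
    if t.username not in users or not t.password_ok:
        return place(t, "guest", Domain.PRE_AUTH)       # invalid user stays in pre-authentication
    if not t.health_ok:
        return place(t, "isolate", Domain.ISOLATION)    # authenticated but unhealthy: repair only
    return place(t, users[t.username], Domain.POST_AUTH)


def repair_and_recheck(t: Terminal) -> Terminal:
    """The agent finished system repair and reports a passing check; re-run admission."""
    t.health_ok = True
    return admit(t)


def can_reach_server(t: Terminal, server: str) -> bool:
    """Server resources are limited to what the current domain's policy allows."""
    return server in DOMAIN_SERVERS[t.domain]


def can_reach_terminal(a: Terminal, b: Terminal) -> bool:
    """Trusted inter-access: only terminals that both completed authentication may talk."""
    return a.domain is Domain.POST_AUTH and b.domain is Domain.POST_AUTH


if __name__ == "__main__":
    pc = admit(Terminal("00:aa:bb:cc:dd:01", username="alice", password_ok=True))
    print(pc.domain.value, pc.vlan, can_reach_server(pc, "patch"), can_reach_server(pc, "service"))
    print(repair_and_recheck(pc).domain.value, pc.vlan)
```

The point of separating `admit` from `can_reach_server` and `can_reach_terminal` is that the domain is the only thing the access device needs to enforce: the VLAN or ACL delivered for the domain decides both which servers are reachable and whether two terminals may talk, so a terminal that fails the health check is confined to repair servers without any per-terminal rules.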
Figure: networking diagram showing a small branch and a data center, the pre-authentication
domain (access server, DHCP server, DNS server, software server), Portal authentication access
at the branch authentication point, an authentication point at the access-layer switch with IEEE
802.1X authentication access and AP access, and terminals (IP telephone, printer, PC terminal,
mobile access).
2.1 Overview
2.1.1 Introduction to the NAC Security Solution
The Huawei NAC security solution is based on the guiding principle that only valid users and
safe terminals can access the network. Huawei combines a complete series of enterprise
intranet and security products with the terminal security management (TSM) system to provide
an integrated, secure NAC solution based on user identification, security check, and repair and
upgrade. In addition, the solution has rich extension functions, providing enterprise intranets
with integral terminal security protection.
antivirus software to update the virus database. In addition, the solution provides forcible
security measures to automatically kill invalid or illegal processes.
Figure: NAC solution architecture, showing the intranet with the admission control server
(which authenticates users and checks security), the management server, the virus database
server, and the patch server.
Agent Clients
Agent clients are special client software installed on the user terminal. They work together
with the admission servers to perform user authentication, terminal security check, system
repair and upgrade, and terminal behavior monitoring and audit.
User authentication
After the client software is installed on a terminal, the user enters a user name and
password, which the client software sends to the admission servers.
Terminal security check
Terminal security check is also called terminal health check. According to the security
policy delivered by the admission servers, the client software checks the security status
of the user terminal, including the OS version, system patch installation, antivirus
software installation, virus database date, and black and white lists of application
processes. The client software then reports the check result to the admission servers,
which determine whether the terminal is secure (healthy).
System repair and upgrade
The client software accepts instructions from the admission servers. If the user terminal
does not meet the security standards, the client software asks the terminal to repair and
upgrade its system automatically, or forces it to do so. After the repair, the client
software reports the result to the admission servers.
Monitoring and audit
The client software monitors in real time whether the security status of the terminal host
and the user's behavior comply with the security policy, and regularly reports security
events to the admission servers for later security audit. The terminal security check
covers patch installation, antivirus software, the screen saver, and shared directories.
User behavior monitoring covers operations on executable files, network connections,
websites accessed, and USB storage devices.
Admission Servers
Admission servers include the admission control server, management server, virus database
server, and patch server.
The admission control server authenticates users, audits security, implements security
policies, and works with network admission devices to grant user authorities.
The management server manages users in the following ways: adding, deleting, or
modifying user authorities, configuring users' departments, and customizing and
managing security policies.
The virus database server controls automatic virus database updates of the antivirus
software on terminals.
The patch server controls patch installation and updates of OSs and application software
on terminals.
Provide the richest security policies in the industry for user customization.
Provide abundant user behavior audit functions, including USB device monitoring,
management of illegal access to external networks, and process and service monitoring.
Attack Defense
Support preventing terminal hosts from sending ARP spoofing messages (Address
Resolution Protocol).
Support preventing terminal hosts from sending ARP flooding messages.
Provide static ARP address binding.
High Reliability
Provide Remote Authentication Dial-In User Service (RADIUS) server backup and Portal
server backup.
Provide the functions of two-node cluster hot backup, two-node cluster cold backup, and
single-point escape.
f. The system checks the security status of online terminals in real time. If a serious
security problem occurs while a terminal is online, the terminal is still isolated.
g. After authentication, the terminal can install patches on demand. It can also access the
relevant servers for virus database upgrade.
h. The policy server can audit the user.
i. If the user is invalid or unauthenticated, the user can access only the network resources
in the pre-authentication domain.
Figure: user authentication flow, with EAP over 802.1X between the terminal and the access
device and the RADIUS protocol between the access device and the admission server.
Port-based mode: In port-based mode, if the first user connected to a port succeeds in
authentication, other users on that port can access network resources without
authentication. Once the first user goes offline, however, the other users are denied
network access.
MAC-based mode: In MAC-based mode, all users connected to the port must be
authenticated separately.
The NAC system can control the access of user terminals by delivering VLAN IDs, ACLs, or
both VLAN IDs and ACLs. According to the control mode, IEEE 802.1X authentication can
be subdivided into Guest VLAN-based and ACL-based authentication.
Guest VLAN-based IEEE 802.1X authentication
This is the most commonly used 802.1X authentication mode in the industry. Before
authentication, terminals belong to the Guest VLAN by default. After a terminal is
authenticated, the admission servers deliver the VLAN ID of the corresponding role and
the terminal is switched from the Guest VLAN to the VLAN of that role.
ACL-based IEEE 802.1X authentication
In this mode, after a terminal is authenticated, the admission servers deliver only the
user ACL to control the access of that user. This mode places relatively high demands
on the ACL capacity of devices when there are many users.
Admission devices first prompt terminals to use IEEE 802.1X authentication. If a terminal
does not perform IEEE 802.1X authentication for a long time, the admission device uses the
MAC address of the terminal as the authentication information and sends it to the servers as
the user name and password for authentication. This authentication mode is called bypass
MAC authentication.
Portal Authentication
Portal authentication is a layer-3 authentication mode. Users access the Web authentication
page on the Portal server or the Web server, and enter a user name and password to complete
user authentication. With Portal authentication, terminals do not need client software. When a
terminal opens the Portal page, the system performs a basic security check through an ActiveX
control that is downloaded after an automatic prompt.
Portal authentication supports Web authentication and does not require client software.
These two features make Portal authentication suitable for visitors and users visiting on
business.
NOTE
In Portal authentication mode, the complete terminal admission control function can still be
obtained by downloading the client.
Before Web authentication on the Portal server, users must first reach the authentication page,
then enter and submit their user name and password there. Users can reach the authentication
page either actively or passively (that is, through forced redirection to the page).
Security check
k. If the terminal is insecure, the agent client starts system repair and upgrade, interacts
with the related servers such as the patch server and the virus database server, and
completes the security repair of the system.
NOTE
In the Huawei NAC solution, the Portal server and the admission servers are integrated. They
can be different functional modules deployed on the same physical server.
MAC Authentication
In certain special cases, terminal users do not want to, or cannot, complete authentication by
entering a user name and password. For example, certain privileged terminals need to access
the network directly without authentication, and certain special terminals, such as printers and
IP telephones, can neither run client software nor be authenticated and authorized by entering
a user name and password. In those cases, the network access of the terminal is controlled
through MAC authentication.
In MAC authentication, the system authenticates a terminal using the MAC address of the
terminal as its proof of identity. After MAC authentication is enabled, when a terminal
accesses the network, the network admission devices extract the MAC address of the terminal
and use it as the user name and password for authentication. If authentication fails, the
network admission devices force the user offline, stop initiating authentication and detection
for a preset period, and restart detection after the timeout. If authentication succeeds, the
switch adds the MAC address to its MAC table and the user can access the network normally.
MAC authentication can be performed locally or remotely through the RADIUS server. In
the case of RADIUS authentication, the RADIUS server controls user access authorities by
delivering ACLs or VLAN IDs.
In the case of RADIUS authentication, the network admission devices send the MAC
address of the terminal as the user name and password through the RADIUS protocol
to the admission servers for authentication.
In the case of local authentication, the network admission devices authenticate the
MAC address of the terminal against the locally configured MAC authentication table.
d. If authentication is successful, the network admission devices assign network
authorities to the terminal. In the case of RADIUS authentication, the network admission
devices use the ACL or VLAN ID delivered by the RADIUS server to control the
authorities of the terminal.
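The RADIUS leg of MAC authentication (and of bypass MAC authentication, which ends in the same exchange) sends the terminal's MAC address as both User-Name and User-Password. The following added example, written for this page and not taken from the proposal or from any Huawei product, builds and parses such an Access-Request using the RFC 2865 packet layout and User-Password hiding. The shared secret, the 12-hex-digit user name format and the NAS-Port value are assumptions made for the example; real devices offer several MAC formats and send further attributes.

```python
import hashlib
import os
import struct

# Constructed values for the example (assumptions, not from the document).
SHARED_SECRET = b"example-shared-secret"   # configured on both the access device and the RADIUS server
ACCESS_REQUEST = 1                         # RADIUS code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def mac_as_identity(mac: str) -> bytes:
    """Assumed identity format: the MAC as 12 lowercase hex digits without separators."""
    return mac.lower().replace(":", "").replace("-", "").encode()


def build_mac_auth_request(mac: str, nas_port: int, secret: bytes, identifier: int = 1,
                           authenticator: bytes = None) -> bytes:
    """Access-Request in which the MAC address is both User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, 16 random bytes
    identity = mac_as_identity(mac)
    attrs = (attribute(ATTR_USER_NAME, identity)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(identity, secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet: bytes, secret: bytes) -> dict:
    """What the admission server sees: the decoded identity it will look up in its MAC table."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "code": code,
        "identifier": identifier,
        "user_name": attrs[ATTR_USER_NAME],
        "password": decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
        "nas_port": struct.unpack("!I", attrs[ATTR_NAS_PORT])[0],
    }


if __name__ == "__main__":
    pkt = build_mac_auth_request("00:11:22:AA:BB:CC", nas_port=7, secret=SHARED_SECRET)
    print(parse_request(pkt, SHARED_SECRET))
```

Because the decoded password is nothing more than the MAC address the device observed, the only thing the admission server can verify is membership in its MAC authentication table (or the RADIUS user database). That is why the proposal reserves this mode for printers, IP telephones and similar devices, and why the table should contain only those known addresses rather than being used as a general fallback.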
Figure: Portal authentication networking, with the authentication point at the convergence
layer (Portal authentication access through the access switch), remote access through a
router/VPN gateway, and branch access with IEEE 802.1X authentication points at the access
layer (switch and AP access). Steps shown in the figure:
1. A user accesses the network. The user can access the region defined through the Portal
Free Rule, namely the pre-authentication domain.
2. If the authentication of the user is successful but the security check fails, the TSM server
delivers the Isolate ACL to change the user's access authority to that of the isolation
domain.
After a user applies for an IP address, the DHCP server binds the IP address to the
MAC address. From then on, the DHCP server allocates the same IP address to the
terminal with that MAC address each time the terminal goes online.
Use DHCP Option 82 to bind an IP address to the switch through which a terminal
goes online and to the port on that switch. In this way, the same IP address is allocated
to whichever terminal goes online from this port.
VLAN planning
VLANs can be divided into three types: Guest VLAN in the pre-authentication domain,
Isolate VLAN in the isolation domain, and VLAN in the post-authentication domain. In
actual deployment, you can allocate VLANs by functional department, and reserve the
Guest VLAN and the Isolate VLAN.
Domain planning
Distinguish the pre-authentication domain, isolation domain, and post-authentication
domain through VLAN planning. Configure ACLs on convergence switches to control
the access authority of each VLAN. You can combine the pre-authentication and
isolation domains into one domain according to actual deployment conditions.
Authentication configuration
Configure IEEE 802.1X authentication and specify the EAP mode for access devices
that serve as access control points.
Configure IEEE 802.1X authentication for agent clients.
Configure MAC authentication for the terminals such as printers and IP telephones.
If both printers and PCs access the network through the same port, configure bypass
MAC authentication on the access devices.
Figure: networking diagram of the Portal authentication solution at the convergence layer,
showing the pre-authentication domain (DHCP server, DNS server, software server), the
admission server, the isolation domain (patch server, virus database server), the
post-authentication domain (NMC, service server), remote access through a router/VPN
gateway, branch access, the authentication point at the convergence switch (Portal
authentication access), AP access, and terminals (IP telephone, printer, mobile access, PCs of
departments A and B, a new terminal, insecure users, and visitors).
After a user applies for an IP address, the DHCP server binds the IP address to the
MAC address. From then on, the DHCP server allocates the same IP address to the
terminal with that MAC address each time the terminal goes online.
Use DHCP Option 82 to bind an IP address to the switch through which a terminal
goes online and to the port on that switch. In this way, the same IP address is allocated
to whichever terminal goes online from this port.
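The two IP planning options described above (a fixed address per MAC address, or a fixed address per switch port carried in DHCP Option 82) can be seen in a small DHCP server model. The following is an added example written for this page, not code from the proposal or from a Huawei DHCP implementation: it parses the DHCP options field, extracts the Option 82 Circuit-ID and Remote-ID sub-options (RFC 3046), and allocates addresses from a pool keyed by port when Option 82 is present and by MAC address otherwise. The sample packets, address pool, interface names and switch identifiers are constructed for the example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT = 82                # Relay Agent Information, RFC 3046
OPT_END = 255
SUB_CIRCUIT_ID = 1                  # sub-option: the port the request arrived on
SUB_REMOTE_ID = 2                   # sub-option: the relaying switch


def parse_options(data: bytes) -> dict:
    """Parse the DHCP options field into {option code: raw value}."""
    opts, pos = {}, 0
    while pos < len(data):
        code = data[pos]
        if code == 0:               # pad option, no length byte
            pos += 1
            continue
        if code == OPT_END:
            break
        length = data[pos + 1]
        opts[code] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts


def parse_option82(value: bytes) -> dict:
    """Split the Option 82 value into {sub-option code: raw value}."""
    subs, pos = {}, 0
    while pos + 2 <= len(value):
        sub, length = value[pos], value[pos + 1]
        subs[sub] = value[pos + 2:pos + 2 + length]
        pos += 2 + length
    return subs


def build_discover(mac: bytes, circuit_id: bytes = None, remote_id: bytes = None) -> bytes:
    """Constructed DHCPDISCOVER; Option 82 is added the way a relaying switch would insert it."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,      # BOOTREQUEST, Ethernet, xid, broadcast
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MESSAGE_TYPE, 1, 1])                     # DHCPDISCOVER
    if circuit_id is not None:
        sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
        options += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return header + DHCP_MAGIC + options + bytes([OPT_END])


class BindingDhcpServer:
    """Toy server: the same address is returned for the same port (Option 82) or MAC address."""

    def __init__(self, pool):
        self.free = list(pool)
        self.by_port = {}           # (remote_id, circuit_id) -> address
        self.by_mac = {}            # client hardware address -> address

    def offer(self, packet: bytes) -> str:
        if packet[236:240] != DHCP_MAGIC:
            raise ValueError("not a DHCP packet")
        mac = packet[28:28 + packet[2]]                     # chaddr, hlen bytes long
        opts = parse_options(packet[240:])
        if OPT_RELAY_AGENT in opts:
            subs = parse_option82(opts[OPT_RELAY_AGENT])
            key, table = (subs.get(SUB_REMOTE_ID), subs.get(SUB_CIRCUIT_ID)), self.by_port
        else:
            key, table = mac, self.by_mac
        if key not in table:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            table[key] = self.free.pop(0)
        return table[key]


if __name__ == "__main__":
    server = BindingDhcpServer(["10.0.0.10", "10.0.0.11"])
    pkt = build_discover(bytes.fromhex("0011223344aa"), b"port-1", b"switch-floor1")
    print(server.offer(pkt), server.offer(pkt))
```

Port-based binding means a replaced terminal on the same port inherits the address, which is what the proposal wants for fixed positions; MAC-based binding follows the terminal when it moves. Both give the admission servers a stable IP-to-identity mapping, which is what makes the IP-based ACLs delivered after authentication meaningful.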
VLAN planning
Allocate VLANs by functional department during deployment. Deploy terminal devices
such as printers and IP telephones in other VLANs without authentication.
Domain planning
The pre-authentication domain is the access area specified through the Portal Free Rule.
The isolation and post-authentication domains are specified through ACLs delivered by
the admission servers. During deployment, combine the pre-authentication and isolation
domains into one according to the actual situation.
Authentication configuration
Configure Portal authentication for the convergence devices that serve as access control
points.
Configure the default Portal authentication for agent clients.
If terminals such as printers and IP telephones are deployed in the same VLAN as PCs,
configure the Portal Free Rule to assign their access authorities. If they are deployed in
a VLAN different from that of the PCs, no authentication needs to be configured for
that VLAN.
Figure 2-10 Networking diagram of bypass authentication solution at the convergence layer
Figure 2-10 shows the pre-authentication domain (DHCP server, DNS server, software server),
the admission server, the isolation domain (patch server, virus database server), the
post-authentication domain (NMC, service server), remote access through a router/VPN
gateway, branch access, a side-connected authentication point at the convergence layer (a
side-connected device next to the convergence switch, Portal authentication access), AP
access, and terminals (IP telephone, printer, mobile access, PCs of departments A and B, a new
terminal, insecure users, and visitors).
3 Product Suggestions
Huawei recommends the products listed in Table 3-1 for the nodes and network elements
(NEs) involved in the NAC security solution.