Data Center Security Design Training Material


Resource support on Learning website

You can get free E-Learning courses, training materials, product materials, software, cases and so on.

1. E-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/E-Learning.
   • Career Certification E-Learning courses: after receiving any Huawei Career Certification, you will have the privilege to learn all Huawei Career Certification E-Learning courses.
   • Partner E-Learning Courses: any Huawei Partner Engineer has the learning privilege.
   • Free E-Learning Courses: any website user has the learning privilege.
2. Training Materials: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training; then you can download the training material from the specific training introduction page. Huawei product training material and Huawei career certification training material are accessible without logon.
3. Huawei Online Open Class (LVC): Live Virtual Classes (LVC) are ongoing and free. The Huawei career certification training and product training cover all ICT technical domains such as R&S, UC&C, Security, Storage and so on, and are conducted by Huawei professional instructors.
4. Product Materials and Software Download: http://support.huawei.com/enterprise
5. Community: In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or become acquainted with Huawei products.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1


IDC Security Design
www.huawei.com
Copyright © 2013 Huawei Technologies Co., Ltd. All rights reserved.
Objectives

Upon completion of this course, you will be able to:
• Describe the principle for IDC security design;
• Describe the security plan for IDC design;
• Describe the ways to protect IDC security;
• Describe the security plan for IDC infrastructure;
• Describe the security plan for IDC network layer;
• Describe the security plan for IDC hosts and applications.
Contents

1. Security issues for IDC and corresponding solutions
2. Architecture Design for IDC security
3. Best practice of IDC security solutions
Analysis for security trend

[Figure: threat trend against network security trend, mapped onto the network stack. Threat trend: Fire, Virus, Phishing, Spyware, Worm, BotNet, DDoS, DoS. Layers: Service/content, Application layer, Presentation layer, Session layer, Transmission layer, Network layer, Data link layer, Physical layer. Network security trend: L2-L7 merge trend (omnidirectional protection, application-layer DPI); L2-4 attack prevention (access control, protocol security).]
Frequent IDC Security Breaches

[Figure: timeline of incidents, Jan. 2010 to Dec. 2011]
• Jan. 2010: Salesforce.com, 68,000 users, 1 hour crash
• Mar. 2010: Terremark (VMware's partner), 7 hours crash
• Mar. 2011: Gmail, 150,000 users
• Apr. 2011: Amazon cloud service; Quora, Reddit and Hootsuite crashed
• Dec. 2011: CSDN.NET, 6 million users
• …
Importance for IDC security design

[Figure: the questions an IDC security design has to answer]
• Is data secure?
• How to isolate resources?
• Any management for privileged users?
• Is business secure?
• Laws and regulation compliance
• Is business smooth?
• Any resource abuse?
• Is business reliable?
• How to control the inside threats?
Analysis for IDC security & corresponding solutions

[Figure: threat areas of an IDC: Intranet, WAN, Extranet and Internet access; Service area (Production area, Operation area, Application area, Data Center servers); Maintenance area]
• Intranet access threat: illegal business access
• WAN access threat: illegal business access; VPN security access
• Partner access threat: illegal business access
• Internet access threat: illegal business access; DDoS attack
• Service area threat: illegal business access; hacker intrusion
• Maintenance threat: illegal business access; lack of management for security issues; lack of management for security devices
Analysis for IDC security & corresponding solutions (Cont'd)

Security dimension | Security requirements | Solutions and technology
Network security | Anti-DDoS attack | Anti-DDoS
Network security | Isolation, access control | Firewall
Network security | Security access | IPSec VPN gateway
Network security | Remote users access | SSL VPN gateway
Host and virtualization | Protect illegal business access | Host hardening, Anti-virus
Host and virtualization | Virtualization security | Isolation for virtualization machine
Intrusion detection and protection | Hacker's intrusion | IDS, IPS
Application security | Web security | WAF
Application security | Mail security | Mail gateway
Data protection | Prevent data disclosure | DLP
Data protection | Data encryption | VES
Contents

1. Security issues for IDC and corresponding solutions
2. Architecture Design for IDC security
   2.1 Overall architecture for IDC security
   2.2 Security design for IDC
3. Best practice of IDC security solutions
Overall architecture for IDC security

[Figure: layered IDC security architecture]
Security management (Unified operation management):
• Identification authorization: Unified identity management
• Access authorization: Access management
• Content security: Policy management
• Respond recovery: Equipment management
• Audit trace: SIEM / SOC
Network security:
• Virtual network: Virtual FW, Virtual IPS/IDS/AV
• Interior network: FW, IPS/IDS/UTM, Anti-DDoS
• Border network: FW, IPS/IDS/UTM, Anti-DDoS
Application security:
• Data security: DLP/VES, UMA-DB
• Business security: WAF, mail gateway, cache for Internet traffic
• Host security: Virtualization machine isolation, Host hardening, Traffic visualization
Security design for IDC

• Network security
• Host and virtualization security
• Application security
• Data protection
• Unified operation security management
Network security: border network security

[Figure: Internet user, IDC remote maintainer, hacker and IDC user reach the IDC through DDoS protection and border network protection; DDoS management center; DMZ (Web, DNS, FTP, Email, DB server); Sharing cloud (server/virtualization/operation)]
• FW deployed at the egress of IDC
• Main function:
  1) Security domain isolation
  2) Intrusion prevention in real time
  3) Turn on NAT function based on needs
  4) Turn on anti-DDoS function based on needs
Network security: border network security (Cont'd)

[Figure: same topology as the previous slide, with the anti-DDoS protection and the DDoS management center highlighted]
Anti-DDoS protection
• Deploy Anti-DDoS in bypass
• Business configuration and management based on VIP clients' needs
• Client can check traffic attack information or modify information through a web browser
• Send alarms and attack information via mail, voice, SMS
Network Security: interior network security

[Figure: core switches; legend: management traffic flow, service traffic flow, server traffic flow after IPS inspection, server traffic flow through SSL VPN]
• Isolation of management and business layer: computing and management on different VLAN planes
• Various value-added security services: Firewall, IPS/IDS, WAF, email security gateway, and SSL VPN can be deployed on core switches.
Network Security: interior network security

[Figure: Service area, Computation area and Storage area (IP/FC SAN)]
• Isolation of computation area and storage area: physically separate storage network
• Isolation between computation area and service areas, and between service areas: separate service area (DMZ) and computation area
Network Security: interior network security

[Figure: sharing cloud for multi-users; WEB data flow, APP data flow and DB data flow separated across virtual switches VS0, VS1 and VS2]
• Three-layer VLAN isolation at application layer: Web, applications, and databases can be deployed on three VLAN planes
• Isolated in different service areas by virtual firewalls or virtual switch
Network security: VM layer security

[Figure: two VMs (App, Guest OS) on virtual hardware; unified computing resource allocation module, hypervisor, vSwitch and vCPU allocation; VMs grouped into Security group 1, Security group 2 and Security group 3 on the hardware]
• IP addresses & MAC of VMs are bundled with the memory to avoid IP address spoofing and ARP address spoofing.
• The vSwitch is an exchange-type switch rather than a sharing-type switch. Packets from different VMs are forwarded to specified virtual ports, and even VMs on the same physical host cannot receive each other's packets. In this way, malicious VM sniffing is avoided.
• Inbound and outbound traffic of each VM can also be limited to avoid network resource abuse.
• The vSwitch supports the division of security groups. VMs can be allocated to different security groups and flexible access policies can be configured for the security groups.
Network security: VM layer security

[Figure: VMs on VLAN1, VLAN2 and VLAN3 behind the vSwitch and hypervisor, with a physical security gateway between the VLANs]
Challenges
• Illegitimate access between VMs at different security levels
• Mutual attacks between VMs at different security levels
• Transmission of Trojan horses and viruses on the virtual network
Solutions
• Independent VLAN attributes can be configured for each VM.
• VMs of different customers, departments, or groups can be allocated to different VLANs.
• The access between VLANs is effectively protected by the Huawei Eudemon security gateway, including the firewall, IPS, and AV.
Customer Values
• High-performance physical security gateways protect the hypervisor network.
• Multi-layer protection is provided over firewall, IPS, and AV features.
• Security solutions are not required on the hypervisor network, which saves server resources.
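The two VM-layer slides above describe four controls of the vSwitch: per-VM IP/MAC binding, exchange-type (non-flooding) forwarding, VLAN separation with inter-VLAN traffic handed to the physical gateway, and security-group access policies. The following toy model is an added example, not Huawei's vSwitch code; the VM names, addresses, VLAN ids and group policy are constructed, and the `UPLINK:gateway` result is an assumed marker for traffic that leaves the host toward the security gateway.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class VMPort:
    name: str
    mac: str     # the address bound to this virtual port
    ip: str
    vlan: int
    group: str   # security group


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


class VSwitch:
    """Toy exchange-type vSwitch: per-port address binding, unicast-only delivery,
    VLAN separation and security-group access policy (all constructed)."""

    def __init__(self) -> None:
        self.ports: dict[str, VMPort] = {}          # bound MAC -> port
        self.allowed: set[tuple[str, str]] = set()  # (source group, destination group)
        self.drops: list[str] = []                  # audit trail of refused frames

    def attach(self, port: VMPort) -> None:
        self.ports[port.mac] = port

    def allow(self, src_group: str, dst_group: str) -> None:
        self.allowed.add((src_group, dst_group))

    def forward(self, ingress: VMPort, frame: Frame) -> str:
        """Return the receiving VM's name, 'UPLINK:gateway' for inter-VLAN traffic
        (handed to the physical security gateway), or 'DROP:<reason>'."""
        # 1. Address binding: a port may only send with its own IP/MAC pair, which
        #    defeats IP spoofing and ARP spoofing from a compromised VM.
        if (frame.src_mac, frame.src_ip) != (ingress.mac, ingress.ip):
            return self._drop(ingress, "spoofed source address")
        dst = self.ports.get(frame.dst_mac)
        # 2. Exchange-type switching: no flooding to every port, so a VM never sees
        #    frames addressed to another VM on the same host (no sniffing).
        if dst is None:
            return self._drop(ingress, "unknown destination MAC")
        # 3. VLAN isolation: the vSwitch does not bridge VLANs itself; that traffic
        #    leaves through the uplink to the firewall/IPS/AV gateway.
        if dst.vlan != ingress.vlan:
            return "UPLINK:gateway"
        # 4. Security-group policy: same group is always allowed, otherwise only
        #    explicitly allowed group pairs.
        if ingress.group != dst.group and (ingress.group, dst.group) not in self.allowed:
            return self._drop(ingress, f"security group {ingress.group}->{dst.group}")
        return dst.name

    def _drop(self, port: VMPort, reason: str) -> str:
        self.drops.append(f"{port.name}: {reason}")
        return f"DROP:{reason}"


def demo() -> dict[str, str]:
    """Constructed three-tier tenant plus a second tenant on another VLAN."""
    sw = VSwitch()
    web = VMPort("web1", "02:00:00:00:00:01", "10.0.1.10", 10, "web")
    app = VMPort("app1", "02:00:00:00:00:02", "10.0.1.20", 10, "app")
    db = VMPort("db1", "02:00:00:00:00:03", "10.0.1.30", 10, "db")
    t2 = VMPort("tenant2-vm", "02:00:00:00:00:04", "10.0.2.10", 20, "tenant2")
    for p in (web, app, db, t2):
        sw.attach(p)
    sw.allow("web", "app")   # web tier may talk to app tier
    sw.allow("app", "db")    # app tier may talk to db tier; web -> db stays closed
    return {
        "web->app": sw.forward(web, Frame(web.mac, web.ip, app.mac, app.ip)),
        "web->db": sw.forward(web, Frame(web.mac, web.ip, db.mac, db.ip)),
        "web spoofing app": sw.forward(web, Frame(app.mac, app.ip, db.mac, db.ip)),
        "web->tenant2": sw.forward(web, Frame(web.mac, web.ip, t2.mac, t2.ip)),
    }
```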
Host and virtualization security: isolation of virtualization resources

[Figure: each VM is allocated its own MEM and NIC resources, separated from those of the other VMs]
Host and virtualization security: Anti-virus for Host and Server

[Figure: a unified virus management center serving the VM systems on the virtualization platform across several server clusters]
Host and virtualization security: Host hardening

System security hardening
• Hardening domain: OS hardening; DB hardening; App hardening (Web hardening); Patch management
• Hardening process:
  1) Minimized tailoring: cut unnecessary components and services.
  2) Security configuration: use industry configuration hardening standards such as CIS.
  3) Code security: code scanning tools such as Appscan are used to perform checks.
  4) Security test: comply with industry standards.
  5) Integrity protection: integrity check in specific ways.
• Bugs of software bring vulnerabilities. Security hardening for operating systems (including the UVP platform), databases, and applications, together with patch management, can fix the vulnerabilities.
Host and virtualization security: IDC resource protection

[Figure: IDC pre-authentication domain and post-authentication domain. Management layer: ERP server, File server, Mail server, Business server. Service layer. Isolation domain: Antivirus server, Patch server. Control layer / network domain: SACG, 802.1X. User layer / user domain: Visitor (Web), Enterprise users (Web agent), Enterprise administrator (Agent).]
Host and virtualization security: IDC resource protection

[Figure: hardware SACG in front of the post-authentication domain (sensitive resources, public resources), the pre-authentication domain and the isolation domain (AV server, ...), controlled by the TSM server. Example departments: Finance department: no TSM Agent is installed for new employees; Marketing department: agents are installed.]
Admission flow:
1) Identity authentication: user name + password, LDAP, MAC. The SACG provides the Web pushing function (URL redirection) to download the TSM Agent for installation.
2) Security check: Is the antivirus software running? Are the OS, Office, Internet Explorer, and database patches installed? Is the virus database updated? Is any illegitimate software installed? …
   Automatic security repair: upgrade the antivirus software; update the virus database; download patches automatically; …
3) Switchover to the post-authentication domain: the TSM notifies the SACG to send the ACL rules and switch the terminal to the post-authentication domain.
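The admission flow on the two resource-protection slides (identity authentication, posture check with automatic repair, then an ACL-driven switch into the post-authentication domain) as an added example; this is not Huawei's TSM/SACG code. The directory, MAC list, required patch levels, illegitimate-software list, virus-database age limit and ACL rule sets are all constructed stand-ins.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-ins for the TSM's reference data.
DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}          # LDAP directory
KNOWN_MACS = {"02:00:00:00:00:11", "02:00:00:00:00:22"}
REQUIRED_PATCHES = {"os": 12, "office": 5, "ie": 9, "db": 3}
ILLEGITIMATE_SOFTWARE = {"p2p-client", "remote-admin-tool"}
VIRUS_DB_MAX_AGE_DAYS = 3

# Constructed ACL rule sets the SACG applies for each domain.
ACL_BY_DOMAIN = {
    "pre-authentication": ["permit tcp any tsm-server eq 443", "deny ip any any"],
    "isolation": ["permit ip any av-server", "permit ip any patch-server", "deny ip any any"],
    "post-authentication": ["permit ip any public-resources", "permit ip any sensitive-resources"],
}


@dataclass
class Terminal:
    user: str
    password: str
    mac: str
    agent_installed: bool
    antivirus_running: bool = False
    virus_db_age_days: int = 99
    patches: dict[str, int] = field(default_factory=dict)   # component -> installed level
    software: set[str] = field(default_factory=set)


@dataclass
class Decision:
    domain: str
    acl: list[str]
    failed_checks: list[str]
    repairs: list[str]


def identity_check(t: Terminal) -> bool:
    """User name + password against the directory, plus the MAC list."""
    return DIRECTORY.get(t.user) == t.password and t.mac in KNOWN_MACS


def posture_check(t: Terminal) -> tuple[list[str], list[str]]:
    """The slide's security checks; returns (failed checks, repair actions)."""
    failed, repairs = [], []
    if not t.antivirus_running:
        failed.append("antivirus software running")
        repairs.append("upgrade the antivirus software")
    if t.virus_db_age_days > VIRUS_DB_MAX_AGE_DAYS:
        failed.append("virus database updated")
        repairs.append("update the virus database")
    missing = [c for c, level in REQUIRED_PATCHES.items() if t.patches.get(c, 0) < level]
    if missing:
        failed.append("patches installed: " + ", ".join(missing))
        repairs.append("download patches automatically")
    illegal = sorted(t.software & ILLEGITIMATE_SOFTWARE)
    if illegal:
        failed.append("illegitimate software: " + ", ".join(illegal))
        repairs.append("remove illegitimate software")  # assumption: not auto-repaired
    return failed, repairs


def admit(t: Terminal) -> Decision:
    """Decide which domain the terminal lands in and which ACL the SACG pushes."""
    if not identity_check(t):
        return Decision("pre-authentication", ACL_BY_DOMAIN["pre-authentication"],
                        ["identity"], ["authenticate again"])
    if not t.agent_installed:
        # Web push / URL redirection: the browser is sent to the TSM page for the agent.
        return Decision("pre-authentication", ACL_BY_DOMAIN["pre-authentication"],
                        ["TSM agent"], ["install the TSM Agent from the pushed page"])
    failed, repairs = posture_check(t)
    if failed:
        # Held in the isolation domain, where only the AV and patch servers are reachable.
        return Decision("isolation", ACL_BY_DOMAIN["isolation"], failed, repairs)
    # TSM notifies the SACG: push the post-authentication ACL and switch the terminal.
    return Decision("post-authentication", ACL_BY_DOMAIN["post-authentication"], [], [])
```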
Intuitive and Granular DPI Operation

[Figure: DPI at the core egress / IDC egress, with in-line deployment or off-line splitting deployment; core layer interconnected by TRILL]
Application security deployment

[Figure: application identification device, Web firewall, IPS device and email security gateway deployed in front of the servers and the IP/FC SAN]
DLP: 3 key factors for data leak prevention

• Detection technology based on content recognition: based on keywords and file fingerprints; comply with regulations: SOX, PCPD, PII, PHI, HIPAA
• Network monitor (dynamic data monitoring): integrate with the proxy, monitor WEB & Email; HTTP, SMTP, FTP, email, WEB
• Storage monitoring (static data): database, mail, centralized and distributed storage
• Data protection: log record, informing, alarm, risk report and assessment
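A small scanner built along the three factors on the DLP slide, as an added example that is not Huawei's DLP product: content recognition by keyword rules tagged with the regulation they serve, an ID-number pattern and SHA-256 file fingerprints; network monitoring of captured HTTP/SMTP/FTP transfers (dynamic data) and storage monitoring of files at rest (static data); and a log record plus an inform/alarm level for every hit. The keyword lists, the ID pattern, the `.corp.example` internal suffix and all sample transfers are constructed.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed keyword rules, tagged with the regulation or data class they serve.
KEYWORD_RULES = {
    "PHI/HIPAA": ["patient record", "diagnosis", "medical history"],
    "SOX": ["unaudited financials", "earnings draft"],
    "PII": ["date of birth", "passport number"],
}
ID_PATTERN = re.compile(r"\bID-\d{6}-[A-Z]\b")   # constructed national ID format
DYNAMIC_CHANNELS = {"HTTP", "SMTP", "FTP"}       # network monitor; anything else is storage
INTERNAL_SUFFIX = ".corp.example"                # constructed internal destination suffix
REGISTERED_DOCS = {}                             # sha256 hex digest -> document label


def register_document(label: str, content: bytes) -> str:
    """Fingerprint a sensitive document so exact copies are recognised anywhere."""
    digest = hashlib.sha256(content).hexdigest()
    REGISTERED_DOCS[digest] = label
    return digest


@dataclass
class Transfer:
    channel: str       # "HTTP", "SMTP", "FTP" (dynamic data) or "STORAGE" (static data)
    source: str
    destination: str   # host/address for network traffic, path for storage
    payload: bytes


@dataclass
class Finding:
    channel: str
    source: str
    destination: str
    reasons: list
    level: str         # "alarm" or "inform"


def classify(payload: bytes) -> list:
    """Content recognition: keyword rules, ID-number pattern, fingerprint match."""
    raw = payload.decode("utf-8", "replace")
    text = raw.lower()
    reasons = []
    for tag, words in KEYWORD_RULES.items():
        hits = [w for w in words if w in text]
        if hits:
            reasons.append(f"{tag}: keyword {hits}")
    if ID_PATTERN.search(raw):
        reasons.append("PII: ID number pattern")
    digest = hashlib.sha256(payload).hexdigest()
    if digest in REGISTERED_DOCS:
        reasons.append(f"fingerprint: {REGISTERED_DOCS[digest]}")
    return reasons


def scan(transfers):
    """Return (findings, log records). Sensitive content leaving over a dynamic channel,
    or an exact registered document anywhere, alarms; other hits only inform."""
    findings, log = [], []
    for t in transfers:
        reasons = classify(t.payload)
        if not reasons:
            log.append(f"{t.channel} {t.source} -> {t.destination}: clean")
            continue
        leaving = t.channel in DYNAMIC_CHANNELS and not t.destination.endswith(INTERNAL_SUFFIX)
        fingerprint_hit = any(r.startswith("fingerprint") for r in reasons)
        level = "alarm" if leaving or fingerprint_hit else "inform"
        findings.append(Finding(t.channel, t.source, t.destination, reasons, level))
        log.append(f"{t.channel} {t.source} -> {t.destination}: {level} {reasons}")
    return findings, log


def demo():
    """Constructed sample: one registered draft report and four captured transfers."""
    draft = b"Q3 earnings draft v7: revenue 12.3M (unaudited financials)"
    register_document("Q3 earnings draft v7", draft)
    transfers = [
        Transfer("SMTP", "alice@corp.example", "press@news.example", draft),
        Transfer("HTTP", "10.0.3.7", "share.example", b"Patient record for ID-123456-K: diagnosis pending"),
        Transfer("FTP", "10.0.3.8", "backup.corp.example", b"nightly backup manifest"),
        Transfer("STORAGE", "fileserver01", "/shares/hr/new-hires.txt", b"Date of birth: 1990-01-01"),
    ]
    return scan(transfers)
```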
Unified operation security management: deployment

[Figure: external maintenance staff, partner vendors, travelling staff and internal maintenance staff all reach the core business systems through the unified operation security management platform (unified authentication / authorization / auditing)]
General architecture

[Figure: external user, partner and travelling staff over the Internet (ISP1, ISP2); enterprise branches over the WAN; intranet; Internet access area, interconnection area, extranet, management center, core router, service area 1 to service area N; WAN/MAN and DWDM to a remote IDC]

Security zone | Service objectives | Security level
Intranet area | Enterprise intranet | High
WAN area | Enterprise branch | High
WAN area | Travelling staff | Mid-high
Interconnection area | Partner | Middle
Internet access area | Internet user | Low

• Internet users are least trusted and have an independent business area.
• Partners have middle-level trust; part of the enterprise business is open to them, deployed in the extranet server area.
• Enterprise branches and travelling staff are divided into different areas based on their way of access.
• The intranet and WAN area have the highest trust and, based on business, can access different business service areas in the IDC.
Internet access area

[Figure: Internet users via ISP1/ISP2; extranet access; DDoS detection and DDoS cleaning under a DDoS management center; SSL VPN, LB1, FW1, IPS/IDS, DMZ (Web, DNS, FTP, Email, DB server), LB, FW2, intranet; legend: block, suspicious traffic, normal traffic, illegal access]
Security risk/needs
• DDoS attack
• Illegal access
• NAT transfer
• VPN security gateway
Security solution
• Deploy Anti-DDoS at the egress; clean abnormal attack traffic
• Deploy FW in-line to control access
• SSL VPN sits beside the switch to satisfy remote access needs
Solution value
• High security: Anti-DDoS and FW policy make sure of the security of the IDC
• High reliability: redundant equipment for FW and SSL VPN
• Flexibility: SSL VPN can meet the remote secure access needs
Business service area

[Figure: core layer, convergence layer (FW, LB1, LB2, IPS/IDS, VLAN/ACL), access layer and access equipment in front of App and DB servers; legend: block, normal traffic, illegal access]
Security risk/needs
• Illegal access
• Hacker attack
Security solution
• By-pass deployment of FW
• IPS on the core router to prevent app-layer attack
Solution value
• High security: FW makes sure of legal access from the various service areas; IPS prevents hacker attack
• High reliability: redundant equipment for FW and IPS
• Flexibility: by-pass FW; induce traffic based on needs and policy control
Intranet access area

[Figure: core switch, park/campus core switch, convergence switch and campus/park users; WAN, remote park and branches connected by IPSec VPN; legend: 阻止 (block), IPSec VPN after being peeled off, normal traffic, illegal access]
Security risk/needs
• Illegal access
Security solution
• By-pass or inline deployment of FW; inline deployment is recommended
• Redundant equipment
Solution value
• High security: security policy makes sure of the interconnection between users and the IDC
• High reliability: redundant equipment
• Flexible access: FW as VPN can meet the secure access needs of branches
Partner access area

[Figure: extranet partner via ISP1/ISP2; interconnection area with FW1, SSL VPN, IPS/IDS, DMZ (Web, DNS, FTP, Email, DB server), LB, FW2, intranet; legend: block, SSL VPN after being peeled off, normal traffic, illegal access]
Security risk/needs
• VPN access
• Illegal access
Security solution
• Inline deployment of FW with dual layers
• Outer FW 1 has the VPN function and can isolate illegal traffic from the partner to the front-line computers
• Inner FW 2 isolates illegal traffic between the internal service areas and the front-line computers
Solution value
• High security: dual FWs make sure of the security of the partner's access to the internal business area of the IDC; the outer FW has the VPN function
• High reliability: redundant equipment
• High efficiency: inline deployment of FW increases forwarding efficiency
Network maintenance area

[Figure: management area and maintenance area; bastion host, KVM, KVM over IP system, maintenance management system; equipment management area isolation; IDC business and administrator equipment; legend: block, normal traffic, illegal access]
Security risk/needs
• Illegal access
• Shared accounts issue
• Security equipment management issue; security problem handling issue
• Massive security logs; incomplete security trend analysis
Security solution
• Inline deployment of FW; only permit the bastion host, network maintenance and the SOC system to access the outside area
• Through the bastion host, provide the only egress
• Deploy SOC for complete security trend analysis
Solution value
• High security: the bastion host provides the only operation ingress, centralized account management and strict right control
• Unified security operation: output security trend reports through SOC and the bastion host
• High reliability: redundant FWs prevent impact when errors happen
Summary

Security area | Risk & Needs | Risk level | Deployment | Value
Intranet access area | Illegal access | Low/mid | Firewall | Solve the illegal access from intranet, remote access, remote branch
WAN access area | Illegal access | Low/mid | Firewall | Solve illegal access of branch
Internet access area | DDoS attack; Illegal access; NAT; VPN access | High | Anti-DDoS; Firewall; SSL VPN | Solve DDoS attack, illegal business access, remote user access
Partner access area | VPN access; Illegal access | Middle | Dual Firewall | Solve illegal access, VPN access of partner
Business service area | Illegal access; Hacker's attack | Mid/high | Firewall; IPS | Solve illegal access and hacker's attack
Maintenance area | Illegal access; Lack of security issue management; Lack of security equipment management; Lack of security auditing | Low | Firewall; SOC; Security equipment management system; Bastion host | Solve illegal access, security issue correlation, security equipment management and auditing
Summary

• Principle for IDC security design;
• Security plan for IDC design;
• The ways to protect IDC security;
• Security plan for IDC infrastructure;
• Security plan for IDC network layer;
• Security plan for IDC hosts and applications.
Thank you
www.huawei.com