chapter 2_system architecture of seco.pdf
8/10/2019 Chapter 2_System Architecture of SECO.pdf
1/28
Huawei Symantec Technologies Co., Ltd.
Chapter 2: System Architecture of Secospace
Introduction
The Secospace TSM system is mainly composed of the
client-side agent software and the server-side
management system. The agent software is installed on
terminal hosts for monitoring the network, sampling and
reporting the assets, behaviors and network environments
of users in real time according to policy parameters
configured on the management system. Users are able to
make decisions by analyzing the logs and reports of
terminal hosts.
Objective
System Architecture of SECO
System Architecture of Secospace
System Architecture of Secospace
Utilities of Secospace
Representative Solution to the Secospace TSM
[Figure: representative Secospace TSM solution. Labels: Extranet, Internet, Intranet, VPN gateway, SC, SM, SACG, SA, SRS, anti-virus server, domain management server, patch server, pre-authentication domain, post-authentication domain 1 (server of Service 1), post-authentication domain 2 (server of Service 2).]
System Architecture of the Secospace
Function Model of the System
P: Make policies
D: Implement policies
C: Check the execution of policies
A: Modify for further auditing
Function Structure of the Secospace TSM
[Figure: function structure of the Secospace Suite. Labels: Authentication, Authorization, Account, and Audit (4A) Solution; Terminal Security Management (TSM) Solution; Security Access Control; Security Policy Mgmt; Asset Account Mgmt; Network Resource Mgmt; Software Distribution Mgmt; Terminal Behavior Audit; Report & Log Mgmt; User Group Mgmt. Abbreviations shown include SAC, NRM, SDM and OUM.]
Utilities of Secospace
Utility Functions of Secospace TSM
Security Policy Management
Network Resource Management
Asset Account Management
Patch Management
Report and Log Management
Security Access Control
Security Access Control
Controls network accesses by terminals based on the identities of users
to ensure the intranet security.
Controls the access rights based on the service requirements of
different users to protect the core resources of service systems.
Provides diversified and flexible access control modes for different
scenarios.
Process of the Security Access Control
[Figure: security access control flow. Components: SA, 802.1X switch, SACG, SRS, SC/SM. Steps shown: access application, authentication, security check, inform a recovery, recovery, granting rights, access allowed, access denied. Pass and Fail outcomes are marked for each scenario.]
Scenario 1: An unauthorized user attempts to access the network.
Scenario 2: An insecure user accesses the network after recovery.
Scenario 3: A valid user accesses the network.
Utilities Involved in Security Access Control
Service
Controlled Child Domain
Controlled Domain
Uncontrolled Domain
Post-authentication Domain
Pre-authentication Domain
Assets Management
Basic information of assets
Assets port-in/port-out
Assets account binding
Assets reporting function
Automatic collecting of assets information
Statistical reports of assets
Other functions of assets
Assets Reporting Process
[Figure: assets reporting process. Components: SA, SACG, SM/SC, administrator. Labels: enable the assets management function (configuration), binding assets, automatic collecting of assets information, generate assets library, query and make statistics of assets, assets change, assets change list, query assets changes, generate report.]
Step 1: The administrator enters the basic information of assets into the terminal mgmt server.
Step 2: Users bind an asset number and an account on the terminal agent to ensure that the
account is the management owner of the asset.
Step 3: The agent collects the hardware and software information from the terminal, such as the hard
disk SN and OS.
Step 4: If the agent detects any difference between the assets and the original assets library, it will report
the change to the server.
Step 5: The administrator is able to query related assets change lists.
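The five steps above can be modelled as a small baseline-and-diff loop. The following is an added example, not Secospace code: the AssetServer class, the diff_inventory function, the field names and the sample values are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class AssetServer:
    """Stand-in for the terminal mgmt server (hypothetical model)."""
    library: dict = field(default_factory=dict)      # asset_no -> baseline
    owners: dict = field(default_factory=dict)       # asset_no -> bound account
    change_list: list = field(default_factory=list)  # reported changes

    def register(self, asset_no, baseline):          # Step 1
        self.library[asset_no] = dict(baseline)

    def bind(self, asset_no, account):               # Step 2
        if asset_no not in self.library:
            raise KeyError(f"unknown asset {asset_no}")
        if self.owners.setdefault(asset_no, account) != account:
            raise PermissionError(f"{asset_no} is already bound")

    def report(self, asset_no, account, changes):    # Step 4, server side
        if self.owners.get(asset_no) != account:
            raise PermissionError("reporter is not the bound owner")
        self.change_list += [(asset_no, *c) for c in changes]

    def query(self, asset_no):                       # Step 5
        return [c for c in self.change_list if c[0] == asset_no]

def diff_inventory(baseline, collected):
    """Agent side of step 4: return (field, old, new) for every difference."""
    changes = []
    for key in sorted(baseline.keys() | collected.keys()):
        old, new = baseline.get(key), collected.get(key)
        if isinstance(old, set) and isinstance(new, set):
            changes += [(key, item, None) for item in sorted(old - new)]
            changes += [(key, None, item) for item in sorted(new - old)]
        elif old != new:
            changes.append((key, old, new))
    return changes

# Constructed sample data: library baseline (step 1) and agent scan (step 3).
BASELINE = {"disk_sn": "SN-0001", "os": "Windows XP SP2",
            "software": {"Office 2003", "AV Client"}}
COLLECTED = {"disk_sn": "SN-9999", "os": "Windows XP SP2",
             "software": {"Office 2003", "P2P Client"}}

def demo():
    server = AssetServer()
    server.register("A-100", BASELINE)
    server.bind("A-100", "alice")
    server.report("A-100", "alice", diff_inventory(BASELINE, COLLECTED))
    return server.query("A-100")
```

In this model a report from an account that is not bound to the asset is rejected, which is the reason for the binding in step 2.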
Software and Patch Management
Software distribution
Software uploading
Software delivery
Patch management
Patch delivery parameter management
Terminal patch information management
Software Distribution Process of Secospace TSM
[Figure: software distribution process. Labels: administrator, SM, SC, SA, LDAP dual-system, dual-system.]
Patch Acquisition Process of the Secospace TSM
[Figure: patch acquisition process. Labels: SACG, SRS, SM/SC, anti-virus server, domain mgmt server, pre-authentication domain, post-authentication domain, service domain, service system, patch status reporting, server communication.]
Security Policy Management
The system administrator is able to define a security policy template to
provide human-centered management of security policies for end users
and enhance the security level of enterprises.
The security policy is subcategorized as follows:
User operation monitoring
Application monitoring
Network monitoring
System check
Patch check
Process for Checking Security Policies
[Figure: process for checking security policies. Labels: system administrator, SM/SC, end users, remote management of security policy, remote management of reports and logs, system check policy, network policing policy, user monitoring policy, other check policies, reporting violations.]
Security Management Measures
Monitoring User Operations
Issues related to user violations | Corresponding security management measures
Users copy information by screen snapshots. | Prohibit screen snapshots.
Users copy system resources or transfer invalid information by using USB ports, optical disks, or other storage devices. | Record the uses of USB ports and other devices to control the use of storage devices.
Users change or delete resources of system files. | Control the type of specified files and allocate the access rights of only read-only files.
Security Management Measures
Monitoring Applications
Issues related to invalid application programs | Corresponding security measures
Invalid service is running on the user host. | Monitor the running status of system services and report violations in time.
Invalid software is installed on the user host. | Control the rights of users in installing software and report violations in time.
Security Management Measures
Monitoring the Network
Issues related to the network connection and resources | Corresponding security measures
Users access invalid IP addresses or sites. | Monitor the destinations of users online through access control methods, record the related blacklist and white list.
Users are connected to the Extranet through invalid accounts or devices. | Provide valid proxy accounts for users to access the Internet, record IP addresses of the network devices and the online time.
Users install multiple network cards and generate excessive network traffic. | Check the IP addresses and time of network cards to monitor the network traffic.
Security Management Measures
Checking the System
Issues related to OSs | Corresponding security measures
System registry and outdated user accounts | Monitor malicious changes to the registry, prompt users for outdated accounts.
Vulnerabilities of invalid software and shared folders of the OS. | Check to ensure that the names of installed software products and the access rights of shared folders are valid.
No password is set for saving the computer screen. | Check the screen saving.
A terminal is infected with viruses, affecting the overall intranet. | Check for anti-virus software, version of the anti-virus software, version of the virus engine, and update of the virus library.
Security Management Measures
Checking Patches
Issues related to OS patches | Corresponding security measures
OS vulnerabilities | Check for the latest patches of the OS and prompt users to update the patches.
Vulnerabilities of the Internet Explorer and Windows Office | Check for the latest version of the Internet Explorer and Windows Office, prompt users to update the patches.
Database vulnerabilities | Check for the latest version of the database and prompt users to update the patches.
Security Policy Report
The system collects the asset information on a client side in real time by
delivering the security policy template to the end user and then sends
the asset information to the system administrator for statistics and audit.
The security policy report is subcategorized as follows:
Customizing report tasks
Personal report information
User assets report
Summary
This chapter is summarized as follows:
The Secospace TSM has taken all aspects of the terminal security into
account by following the PDCA standard model.
The Secospace utility is composed of the following:
Security access control
Network resource management
Security policy management
Patch management
Assets account management