Huawei Cloud Computing Data Center Security Solution for Petroleum Industry


Upload: sandhya-rani-padhy

Post on 10-Dec-2015

Huawei Cloud Computing Data Center Security Solution for Petroleum Industry.pdf

Data centers play an important role in IT-based development and IT applications in the oil and gas industry. Operational systems used in oil and gas companies, including enterprise resource planning (ERP) systems, logistics systems, delivery systems, retail systems, portals, customer management systems, oil and gas prospecting systems, and marketing systems, all depend on data centers.

As the Internet is used more extensively, data centers that used to run on client/server architectures are migrating to central servers connected to the Internet. Multi-layer applications on top of the infrastructure interact with hardware, networks, and operating systems with increasing complexity, and it is this complexity that creates a lot of uncertainty for data center security systems. Data centers whose security strategies are inappropriately implemented risk frequent intrusion by hackers and worms. Although most system administrators are aware of the serious damage caused by Internet-based malicious attacks and have deployed security devices to defend data centers at the access control layer, these traditional defense measures are becoming less effective against the latest types of attacks, which use mature technologies.

Security threats to data centers can appear on any layer, including terminals, network, business applications, data, management systems, and risk control, as shown in the following figure "Data Center Security Threats".

Cloud Computing Data Center Security Solution

Figure: Data Center Security Threats

[Figure: a layered data center diagram (DC hierarchical model: Terminal, Network, Service application, Data, Management and risk control) with the threats below called out against the layers.]

Threats called out in the figure:

• Systems for different use run independently from each other. Without unified security strategies, data centers are vulnerable to threats.
• Data theft by malicious internal users
• Regulatory compliance and legal risks from cloud computing
• Malicious administrators overstep their authorities.
• Security log audit separation
• Leakage risks due to poor isolation of VM resources
• Attacks to perimeter network
• Network attacks between different internal departments
• Visible virtual memory (VM) flow and mutual access security control
• Attacks between Hypervisor and VM
• Data transmission security
• Cyberloafing lowers office efficiency.
• Illegal terminal or illegal user access
• Terminal data leakage
• Malicious attacks from terminals
• Security of data transmission via internal and external networks
• As a large quantity of access to point-to-point (P2P) and videos takes up bandwidth at network egress points, important service operations are delayed.
• Data leakage due to vulnerabilities in document security management
• Storage data theft
• Data disaster recovery
• Database intrusion risks and data theft
• Trojan-intruded websites and Structured Query Language (SQL) injection
• Email virus transmission, email phishing, email information leakage
• Virus intrusion and dissemination in applications
• Hosts and Hypervisor systems are vulnerable to threats.
• DDoS attack

Components shown in the figure:

• Application systems: prospecting and exploration system, oil and gas production system, production command system, OA & production management system
• Databases: management system database, ERP database, prospecting and exploration database, oil and gas exploitation database, ...
• Networks: data center, IP backbone transmission network, OTN ring, access network (2G/CDMA/Wi-Fi/WiMAX/Microwave/GPON)
• Field side: sensor network (ZigBee/RFID), central control room, SCADA/automatic control (ZigBee/Wi-Fi), video surveillance, mobile terminal, communications gateway, RTU

Huawei Solution

Customer Benefits

The focus of enterprise data center security lies in the safe and efficient operation of data centers, secure access to services anywhere and anytime, and the capability to keep services confidential, intact, and available.

Huawei's enterprise data center security system consists of five dimensions: identification & authentication (who are you), access & authorization (what information is available to you), audit trail (behavior records are traceable for audit), response & recovery (capability to quickly respond and recover), and content security (what attacks are threatening data centers). Collectively, these protections are abbreviated as IAARC. This five-dimensional security approach helps provide differentiated security solutions to secure the operations of enterprise data centers.

Solution Architecture

Huawei's enterprise data center security architecture secures services in three layers: cloud, pipe, and device.

An overall terminal access security solution is provided to help ensure device security for mobile terminals, virtual desktop infrastructure (VDI) terminals, and office automation terminals.

A hierarchical network security protection solution is provided to protect perimeter networks, internal networks, and virtual layer networks against attacks from within or outside data centers.

This solution secures the major services (such as Web and email) at the cloud end, and offers an all-around data security solution that helps ensure document security, database security, virtual machine full-disk encryption, and data leakage prevention (DLP). By securing the services at these three layers (cloud, pipe, and device), this solution helps ensure access security, network security, application security, and data security for data center services.

The security service package offered by Huawei's professional teams integrates security management consulting, service security evaluation, security penetration testing, security hardening, and other services that help customers build highly secure and reliable data centers.

• Device security: mobile access security, desktop cloud terminal access security, and office automation terminal access security.
• Network security: perimeter network security, internal network security, and virtual layer network security.
• Application security: host security, service security, and data security.
• Security management: O&M audit, security device service management, and security operation.
• Security services: infrastructure security service and security management consulting service.

[Figure: Huawei enterprise data center security architecture diagram. Labels recovered from the diagram are listed below; the diagram is cut off at the end of the page.]

• Internet edge: Internet, iCache, LLB, SSL VPN, DMZ, DDoS/FW/IPS, network service zone
• Enterprise data center: network core layer (CSS), network service zone, ASG, iStack with servers (repeated per area), PC SAN storage, FC SAN storage, FC switch
• Areas: operations management area, prospecting and exploration area, OA area, oil and gas production area, highly secured production area, data leakage prevention
• External connections: extranet, WAN/MAN, disaster recovery center, local branch, branch extranet, private OA network, DMZ, external networks, UTM (three instances)