
Huawei Agile Controller

Full Product Datasheet


Contents

Introduction to the Agile Controller ... 4
Access Control Manager ... 8
Guest Manager ... 14
Free Mobility Manager ... 20
Service Orchestration Manager ... 24
Terminal Security Manager ... 29
United Security Manager ... 32


Introduction to the Agile Controller
Product Overview
For mobile office, bring your own device (BYOD), and wireless local area network (WLAN) services, user terminals (information receivers) are not fixed in particular physical locations. These services pose the following challenges to traditional networks that rely on static configuration:

1. How to deliver a consistent experience to different user terminals regardless of their locations?

2. How to configure user privileges, security, QoS, priority, and other network policies? On a traditional network, users can be bound to physical interfaces, and the administrator manually configures policies on the network devices closest to users. However, manual configuration cannot adapt to changes in user location. To meet the requirements of mobile users, the network must support dynamic resource allocation and policy configuration; that is, network resources and policies must be able to migrate with users.

3. How to deploy network security policies? On traditional networks, the boundaries between enterprise networks and the Internet carry security risks. Many enterprises deploy security devices such as firewalls at their network boundaries. However, with the development of mobile services and increasingly diverse network attacks, the boundaries of security protection become blurred. Services such as Wi-Fi, mobile terminals, and remote office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and advanced persistent threats (APTs). In this case, traditional boundary protection measures become ineffective.

The Agile Controller is the core component of a next-generation network solution designed by Huawei for enterprise markets. It can be deployed on agile campus networks, agile branches, agile wide area networks (WANs), and agile data centers to control policies for access to these networks as well as for interconnection between data centers. Following the centralized control principle of software-defined networking (SDN), the Agile Controller dynamically schedules network and security resources on the entire network so that these resources migrate with users. With the Agile Controller, networks become more agile for services.

[Figure: Agile Controller deployment. The Agile Controller controls the data center (finance, sales, R&D), the headquarters (executives, employees, guests), and branches (executives, employees, guests) across the WAN/Internet; control flows and service flows are shown separately.]

Product Characteristics
Experience-centric Redefined Network

The Agile Controller shifts customers' attention from technologies, equipment, and connectivity to users, services, and user experience, and frees customers from laborious manual configuration by providing natural-language network planning and automatic deployment.

• The Agile Controller applies SDN's centralized-control concept to campus networks. It can dynamically schedule and adjust network and security resources on the entire campus network to meet the requirements of frequently moving users, offering free mobility.

• The Agile Controller can flexibly adjust user rights, QoS policies, and security policies on the entire network. This dynamic policy adjustment greatly reduces the service provisioning or network expansion period, allowing networks to keep pace with fast-changing services.

• Using the Agile Controller, customers no longer need to pay attention to differences of various devices. They can use the natural
language to configure network policies and deliver the configurations to all network devices by one click on the Agile Controller.

• User-based QoS scheduling ensures preferential forwarding of VIP users' services when network resources are insufficient, delivering
good experience to VIP users.

Network-wide United Security

The Agile Controller implements united security, replacing single-point protection with network-wide protection.

• The Agile Controller collects logs from network devices, security devices, and service systems, and employs Big Data analytics to
discover potential attacks and threats that are difficult to detect through single-point protection.

• The Agile Controller virtualizes security devices into a security resource center. Traffic of users with certain characteristics is blocked or
redirected to the security resource center to defend against attacks.

• The Agile Controller provides comprehensive terminal security and desktop management functions, and has over 5000 predefined
terminal security policies, ensuring terminal access security.

Openness and Interoperability

• The Agile Controller provides various northbound and southbound interfaces and open APIs to make the forwarding plane
and control plane programmable. It can interoperate with service systems of customers to improve end-to-end operation and
maintenance efficiency, shorten new service provisioning time, and give customers a platform for innovation.

• The Agile Controller is seamlessly interoperable with mainstream cloud platforms, including Huawei FusionSphere, VMware vSphere, OpenStack, and Microsoft Hyper-V. This interoperability makes the Agile Controller an elastic, open platform integrating best practices of various fields, allowing customers to flexibly define their networks based on service requirements.

Highly Reliable, Flexible Architecture

• The Agile Controller can be deployed in centralized, distributed, and hierarchical modes, and is applicable to various networks.

• The Agile Controller supports various authentication modes and database backup to ensure high reliability and service continuity.

• The Agile Controller uses the Browser/Server (B/S) architecture and complies with the latest Huawei User Interface (UI) design
standards; therefore, it is easy to use.

Product Components
The Agile Controller provides multiple service components for different application scenarios to meet diversified customer
requirements.

Access Control Manager
• Provides unified network access policies and supports multiple authentication methods such as 802.1X, Portal, MAC address, and SACG authentication. This implements unified access management on users from wired, wireless, or VPN networks.
• Supports refined authorization based on the user identity, access time, access location, device type, device source, and access mode. This ensures unified maintenance and management of all terminals that access the enterprise network in various modes.

Guest Manager
• Provides full lifecycle guest management, including guest account application, approval, distribution, authentication, auditing, and deregistration.
• Supports various account application methods, including self-service application, WeChat, and QR code. In addition, the enterprise's employees can apply for accounts on behalf of guests.
• Allows users to customize guest account application and authentication pages and flexibly pushes advertisements.

Free Mobility Manager
• Works with Huawei agile switches and NGFWs to provide security group-based policies in addition to the traditional NAC and implement unified policy deployment and automatic policy synchronization. This ensures that users can have the same service experience when they move on the network.
• Provides user group-based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient, delivering good service experience for VIP users.

Service Orchestration Manager
• Virtualizes physical security devices to shield the device models and locations, forming a security resource center.
• Directs service flows to the security resource center based on service requirements to improve use efficiency of physical resources and reduce costs.

Terminal Security Manager
• Strictly controls network access from all terminal users and enforces security policies to the users connected to the network.
• Supports terminal health check, employee behavior management and control, software distribution, patch management, and asset management to ensure that terminals connected to the network possess self-defense capabilities and comply with enterprise's security policies.

United Security Manager
• Manages logs and security events from network, security, and IT devices on the entire network in a centralized manner.
• Uses the Big Data correlation analysis technique to evaluate network security and identify risky assets and areas on the entire network.
• Allows customers to take proactive defense measures so that they do not need to analyze or trace the attack sources and network risks.
Access Control Manager

Component Overview
With improvements in information and communication technologies (ICT), enterprise users want to access the network from every corner of their offices. A large number of mobile staff and partners frequently use their own terminals (such as laptop computers) to access the enterprise local area networks (LANs), which brings great challenges to enterprise information security. Unauthorized terminals may bring computer viruses into the enterprise networks and even obtain the enterprises' trade secrets, threatening network security. In addition, the maturity of WLAN technologies and the popularization of intelligent terminals have led many enterprises to allow their employees to access the enterprise intranets using intelligent BYOD terminals. The enterprises aim to improve employees' work efficiency and reduce the cost of and investment in mobile terminals. The application of WLAN technologies on enterprise networks also brings great information security risks.

The Access Control component of the Huawei Agile Controller works with network access control devices to control access to enterprise networks from internal and external terminals. This component provides unified access control policies and flexibly manages authentication and authorization policies to meet different service control requirements.

Component Characteristics
Comprehensive Admission Control Technologies, Applicable to Multiple Types of Networks

802.1X authentication
Characteristics:
• The 802.1X function is enabled on a switch or an AC.
• It can implement Layer 2 isolation.
• The maintenance is complex because there are multiple authentication points.
• The switch must support 802.1X.
Application scenarios: Applies to small-, medium-, and large-sized campus networks with high security requirements. The Access Control component can associate with Huawei all-series switches, routers, WLAN devices, and third-party standard 802.1X switches.

MAC address authentication
Characteristics:
• The switch or AC automatically enables 802.1X or MAC address authentication for different terminals.
• Terminals are authenticated by the authentication server based on their MAC addresses.
Application scenarios: Applies to dumb terminals such as IP phones and printers.

Portal authentication
Characteristics:
• A combination of Portal and MAC address authentication is configured on devices at the aggregation layer, and the devices select authentication modes based on terminal types. The AC authenticates wireless users in a unified manner.
• Clients are optional on terminals based on service requirements.
• Access switches do not need to support 802.1X.
Application scenarios: The Access Control component can only associate with Huawei all-series switches, routers, and WLAN devices, especially when no client is required.

SACG authentication
Characteristics:
• The USG firewall is connected to the router or switch in bypass mode, and terminal access control is implemented using policy-based routing. There is no need to change the network topology.
• The management and maintenance are easy because there are few authentication points.
• The control point is at the aggregation or core layer; therefore, the control capability at Layer 2 is weak.
Application scenarios: Applies to complex campus networks with a large number of third-party datacom devices, such as switches and routers. This authentication mode applies especially to campus network reconstruction.

Hierarchical Department and User Management, Meeting the Requirements of Enterprises with Complex Organization

• Contains both sub-departments and users in a department.
• Supports a maximum of ten department levels, which meets the requirements of enterprises with complex organization.
• Allows administrators to import and export department and user information in batches using Excel files.

Seamless Interconnection with External Data Sources and Social Media Platforms

• Supports multiple authentication protocols, and connects to mainstream AD, LDAP, and RADIUS servers and dynamic token systems.

Authentication Protocol   System Built-in Account   AD    LDAP   RADIUS Token   RADIUS Relay
PAP                       YES                       YES   YES    YES            Depending on the external system
CHAP                      YES                       NO    NO     NO             Depending on the external system
EAP-PEAP-MSCHAPV2         YES                       YES   NO     NO             Depending on the external system
EAP-MD5                   YES                       NO    NO     NO             Depending on the external system
EAP-TLS                   YES                       YES   YES    NO             Depending on the external system
EAP-TTLS-PAP              YES                       YES   YES    YES            Depending on the external system
EAP-PEAP-GTC              YES                       YES   YES    YES            Depending on the external system

• Supports on-demand data synchronization or filtering to meet diversified user requirements.
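The table shows that the CHAP and EAP-MD5 rows have fewer YES entries than PAP. The following added example (not Agile Controller code) shows the reason: RFC 1994 CHAP verification recomputes MD5(ID || secret || challenge), so the verifier needs the cleartext secret, whereas PAP delivers the password itself and can be checked against a stored one-way hash or a directory bind. EAP-MD5 uses the same MD5-Challenge computation. The account stores, user names, secrets and the sample challenge are constructed.

```python
"""CHAP (RFC 1994) verification versus PAP verification.

Added example, not Agile Controller code. It shows why a backend can verify
CHAP (and EAP-MD5, which uses the same MD5-Challenge computation) only if it
can hand the authenticator the cleartext secret: the verifier must recompute
MD5(ID || secret || challenge) itself. PAP delivers the password, which a
store holding only a salted hash can check. User names, secrets and the
sample challenge are constructed.
"""
import hashlib
import os
import secrets

SAMPLE_CHALLENGE = bytes(range(16))   # constructed; a real authenticator uses a random challenge


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Peer side of CHAP: MD5 over the one-octet Identifier, the secret, and the Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class BuiltInAccountStore:
    """Holds the secret itself, so it can recompute the expected CHAP response."""

    def __init__(self):
        self._secrets = {}

    def add(self, user: str, secret: str) -> None:
        self._secrets[user] = secret

    def supports_chap(self) -> bool:
        return True

    def pap_verify(self, user: str, password: str) -> bool:
        return secrets.compare_digest(self._secrets[user].encode(), password.encode())

    def chap_verify(self, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(identifier, self._secrets[user], challenge)
        return secrets.compare_digest(expected, response)


class HashOnlyStore:
    """Keeps only a salted one-way hash; the cleartext secret is not recoverable from it."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _digest(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def add(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(secret, salt))

    def supports_chap(self) -> bool:
        return False

    def pap_verify(self, user: str, password: str) -> bool:
        salt, stored = self._records[user]
        return secrets.compare_digest(stored, self._digest(password, salt))


def can_verify(store, protocol: str) -> bool:
    """Whether the store can check this protocol at all (a YES/NO cell in the table)."""
    if protocol == "PAP":
        return True
    if protocol in ("CHAP", "EAP-MD5"):
        return store.supports_chap()
    return False


def authenticate(store, user: str, password: str, protocol: str,
                 identifier: int = 1, challenge: bytes = SAMPLE_CHALLENGE) -> bool:
    """Authenticator side. Returns the credential check result, or raises when
    the store cannot verify the protocol at all."""
    if not can_verify(store, protocol):
        raise NotImplementedError(f"{protocol} needs the cleartext secret; this store holds only a hash")
    if protocol == "PAP":
        return store.pap_verify(user, password)
    # CHAP / EAP-MD5: the peer computes the response from the challenge it received.
    response = chap_response(identifier, password, challenge)
    return store.chap_verify(user, identifier, challenge, response)
```

The practical consequence for a deployment is that choosing a directory that never releases cleartext passwords fixes the set of EAP methods that can be offered, regardless of what the supplicants support.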



Refined, 5W1H-based Context Awareness Authorization, Flexible and Secure

Dimension   Description        Example
Who         User identity      Administrative personnel, common employees, VIP users, guests
Where       Access location    R&D area, non-R&D area, home
When        Access time        On-duty time, off-duty time, working days
Whose       Device source      Enterprise devices, BYOD devices
What        Device type        Windows, Linux, iOS, Android
How         Access mode        Wired, wireless, VPN, Internet

Intelligent Terminal Identification, Authentication Page Customization, Providing Permission Control for BYOD Terminals

• Provides up to 200 types of terminal identification templates, and supports multiple terminal identification modes, such as MAC
organizationally unique identifier (OUI), Dynamic Host Configuration Protocol (DHCP) Option, Hypertext Transfer Protocol (HTTP)
User-Agent, and Simple Network Management Protocol (SNMP).

• Allocates different service policies to terminals using the same account based on the terminal type, refining user permission control.

• Pushes authentication pages based on the terminal type, ensuring fine user experience.

• Allocates different service policies based on the terminal type, such as VLANs, ACLs, and bandwidth limits.
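To make the 5W1H dimensions and the terminal identification bullets concrete, here is an added example (not Agile Controller code) of the two steps a policy engine performs: derive the What dimension from MAC OUI, DHCP vendor-class option and HTTP User-Agent evidence, then match the full who/where/when/whose/what/how context against an ordered rule set that returns a VLAN, an ACL and a bandwidth limit. The fingerprint templates, rule names, authorization results and sample timestamps are constructed; the page's 200 templates and its policy syntax are not reproduced.

```python
"""Terminal identification plus 5W1H context-aware authorization.

Added example, not Agile Controller code. The fingerprint templates, the
rule set, the VLAN/ACL/bandwidth results and the sample timestamps are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set

# --- "What" dimension: identify the terminal type from the evidence sources
# the page names (MAC OUI, DHCP option, HTTP User-Agent). Constructed tables.
OUI_TEMPLATES = {"AA:BB:01": "iOS", "AA:BB:02": "Android", "AA:BB:03": "Printer"}
DHCP_VENDOR_TEMPLATES = {"MSFT 5.0": "Windows", "android-dhcp": "Android"}
USER_AGENT_TEMPLATES = [          # checked in order: Android UAs also contain "Linux"
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Linux"), "Linux"),
]


def identify_terminal(mac: str, dhcp_vendor_class: Optional[str] = None,
                      user_agent: Optional[str] = None) -> str:
    """Return the device type. More specific evidence overrides the OUI guess,
    because an OUI identifies the NIC vendor rather than the operating system."""
    device_type = OUI_TEMPLATES.get(mac.upper()[:8], "Unknown")
    if dhcp_vendor_class:
        for prefix, kind in DHCP_VENDOR_TEMPLATES.items():
            if dhcp_vendor_class.startswith(prefix):
                device_type = kind
    if user_agent:
        for pattern, kind in USER_AGENT_TEMPLATES:
            if pattern.search(user_agent):
                device_type = kind
                break
    return device_type


# --- 5W1H context and the authorization a matching rule returns.
@dataclass(frozen=True)
class AccessContext:
    who: str          # user identity / role
    where: str        # access location
    when: datetime    # access time
    whose: str        # device source: "enterprise" or "byod"
    what: str         # device type from identify_terminal()
    how: str          # access mode: "wired", "wireless", "vpn", "internet"


@dataclass(frozen=True)
class Authorization:
    vlan: int
    acl: str
    bandwidth_kbps: int


@dataclass
class Rule:
    name: str
    match: Dict[str, Set[str]]   # dimension -> allowed values; an absent dimension matches anything
    result: Authorization


DEFAULT_DENY = Authorization(vlan=999, acl="deny-all", bandwidth_kbps=0)

# Constructed rule set, most specific first; the first matching rule wins.
RULES = [
    Rule("rd-enterprise-wired",
         {"who": {"employee"}, "where": {"rd"}, "whose": {"enterprise"}, "how": {"wired"}},
         Authorization(vlan=10, acl="permit-rd", bandwidth_kbps=100_000)),
    Rule("employee-byod-on-duty",
         {"who": {"employee"}, "whose": {"byod"}, "when": {"on-duty"}, "what": {"iOS", "Android"}},
         Authorization(vlan=20, acl="permit-office-apps", bandwidth_kbps=10_000)),
    Rule("vip-anywhere", {"who": {"vip"}},
         Authorization(vlan=30, acl="permit-all", bandwidth_kbps=200_000)),
    Rule("guest-internet-only", {"who": {"guest"}},
         Authorization(vlan=40, acl="internet-only", bandwidth_kbps=2_000)),
]


def _duty_state(t: datetime) -> str:
    """Constructed working-hours definition: Monday to Friday, 09:00 to 18:00."""
    return "on-duty" if t.weekday() < 5 and 9 <= t.hour < 18 else "off-duty"


def evaluate(ctx: AccessContext, rules=RULES) -> Authorization:
    """Match the six dimensions against the rules; no match means deny."""
    values = {"who": ctx.who, "where": ctx.where, "when": _duty_state(ctx.when),
              "whose": ctx.whose, "what": ctx.what, "how": ctx.how}
    for rule in rules:
        if all(values[dim] in allowed for dim, allowed in rule.match.items()):
            return rule.result
    return DEFAULT_DENY


def authorize_session(who, where, when, whose, how, mac,
                      dhcp_vendor_class=None, user_agent=None) -> Authorization:
    """Full path: fingerprint the terminal, then authorize on all six dimensions."""
    what = identify_terminal(mac, dhcp_vendor_class, user_agent)
    return evaluate(AccessContext(who, where, when, whose, what, how))


ON_DUTY_TIME = datetime(2024, 3, 12, 10, 30)   # constructed: a Tuesday morning
OFF_DUTY_TIME = datetime(2024, 3, 12, 22, 0)   # constructed: the same Tuesday evening
```

The same account gets different results depending on the terminal and context: an employee on an enterprise Windows laptop in the R&D area lands in the R&D VLAN, the same employee on a BYOD phone during working hours gets the office-apps ACL, and the same phone after hours falls through to the deny rule.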

Operating Environment
Configuration requirements in scenarios with no more than 2000 users are as follows.

Hardware Configuration
• CPU: E5-2640 6c 2.5 GHz or higher
• Memory: 8 GB
• Hard disk: 600 GB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Configuration requirements in scenarios with more than 2000 users are as follows.

Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 16 GB
• Hard disk: 2 TB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Deployment Scenarios
802.1X Access Control

802.1X is enabled on the switches closest to the terminals. Before the terminals can access the network, customers need to deploy security agents or 802.1X clients provided by the operating system on the terminals. After the terminals pass 802.1X authentication, the Agile Controller server delivers authorization parameters, such as VLANs and ACLs, to the access switches, to control the network access permissions of the terminals. MAC address authentication is enabled to authenticate dumb terminals, such as printers and IP phones, on the network. When the dumb terminals access the network, the terminals automatically trigger MAC address authentication to obtain the network access permission.

[Figure: 802.1X access control. Terminals connect to an 802.1X switch, which authenticates them against the Agile Controller over the network.]

Portal Access Control

A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication to access the network, or use the Agile Controller NAC client to access the network. Dumb terminals access the network using MAC address authentication.

[Figure: Portal access control. Terminals connect to a Portal switch, which authenticates them against the Agile Controller over the network.]

SACG Access Control

SACG access control can be used on a complex campus network with a large number of third-party datacom devices, such as switches and routers. The SACG device is connected to the Layer 3 switch or a router in bypass mode. Upstream traffic sent from terminals is redirected to the SACG through the packet redirection function configured on the switch or policy-based routing configured on the router. Filtered by the SACG, the traffic is sent back to the switch or router for forwarding.

[Figure: SACG access control. Terminals in Area A reach the network through a Layer 3 switch with the SACG attached in bypass mode. The network is divided into a pre-authentication domain (Agile Controller server), an isolation domain (third-party antivirus server, file server), and a post-authentication domain (service servers).]

Auxiliary Devices

Device Role: Authentication device
Device Type:
• Huawei Sx7 switches
• Huawei AR routers
• Huawei WLAN ACs
• Huawei USG firewalls
• 802.1X switches from mainstream third-party vendors

Ordering Information

Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License Optional
Guest Manager

Component Overview
The maturity of WLAN technologies and the popularization of intelligent terminals have led many enterprises to open their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain stores, scenic spots, business halls, and airport lounges), a large number of users access the WLAN, creating enormous advertising opportunities.

The Guest Management component of the Huawei Agile Controller provides full lifecycle guest management, including guest account application, approval, distribution, authentication, auditing, and deregistration. The component supports various account application methods, including self-service application, WeChat, and QR code. In addition, the enterprise's employees can apply for accounts on behalf of guests. It also allows users to customize guest account application and authentication pages and flexibly pushes advertisements.

Component Characteristics
Unified Management on Employees and Guests, Reducing Enterprises' Construction and IT O&M Costs

• The Access Control and Guest Management components can be deployed on the same server or separately.

Full Lifecycle Guest Management, Flexible Approval Modes

Registration
• Employee application
• Self-help application

Approval
• Automatic approval
• Administrator approval
• Approval by the receptionist

Distribution
• SMS (GPRS and SMS gateway)
• Email
• Web

Authentication
• User name and password
• Passcode
• Rights isolation using VLANs or ACLs

Audit and deregistration
• User login and logout audit
• Automatic deregistration after expiration
• Scheduled account deregistration
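As an added example (not the Guest Manager's code) of the lifecycle phases listed above, the following Python walks a guest account through registration, approval in one of the three modes, credential distribution, authentication with audit logging, and both automatic deregistration after expiration and scheduled deregistration. The class names, approval roles, validity periods and the guest VLAN number are constructed; the Agile Controller's real data model is not on the page.

```python
"""Guest account lifecycle: registration, approval, distribution,
authentication, audit, and deregistration.

Added example, not Agile Controller code. Roles, user names, validity
periods and the guest VLAN number are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class ApprovalMode(Enum):
    AUTOMATIC = "automatic"          # active as soon as it is registered
    ADMINISTRATOR = "administrator"  # an administrator must approve
    RECEPTIONIST = "receptionist"    # the receptionist must approve


class State(Enum):
    PENDING = "pending"
    ACTIVE = "active"
    DEREGISTERED = "deregistered"


@dataclass
class GuestAccount:
    username: str
    password: str
    sponsor: str                 # "employee:<name>" or "self-help"
    valid_until: datetime
    state: State = State.PENDING
    approved_by: Optional[str] = None
    vlan: int = 40               # constructed guest VLAN: rights isolated from employees


class GuestManager:
    def __init__(self, mode: ApprovalMode):
        self.mode = mode
        self.accounts = {}       # username -> GuestAccount
        self.audit = []          # (time, username, event): login/logout and lifecycle audit

    def _log(self, now: datetime, username: str, event: str) -> None:
        self.audit.append((now, username, event))

    def register(self, username, sponsor, validity: timedelta, now) -> GuestAccount:
        """Registration by an employee on the guest's behalf, or self-help."""
        if username in self.accounts:
            raise ValueError(f"{username} is already registered")
        acct = GuestAccount(username, secrets.token_urlsafe(9), sponsor, now + validity)
        self.accounts[username] = acct
        self._log(now, username, f"registered ({sponsor})")
        if self.mode is ApprovalMode.AUTOMATIC:
            self._activate(acct, "system", now)
        return acct

    def approve(self, username, approver_role, now) -> None:
        """Only the role named by the configured approval mode may approve."""
        if self.mode is ApprovalMode.AUTOMATIC or approver_role != self.mode.value:
            raise PermissionError(f"{approver_role} cannot approve in {self.mode.value} mode")
        self._activate(self.accounts[username], approver_role, now)

    def _activate(self, acct, approver, now) -> None:
        acct.state = State.ACTIVE
        acct.approved_by = approver
        self._log(now, acct.username, f"approved by {approver}")

    def distribute(self, username, channel) -> str:
        """The credential text sent over SMS, email, or web; approved accounts only."""
        acct = self.accounts[username]
        if acct.state is not State.ACTIVE:
            raise PermissionError("credentials are distributed only for approved accounts")
        return (f"[{channel}] user={acct.username} password={acct.password} "
                f"valid until {acct.valid_until:%Y-%m-%d %H:%M}")

    def authenticate(self, username, password, now) -> bool:
        """Expire stale accounts first, then check; every attempt is audited."""
        self.expire(now)
        acct = self.accounts.get(username)
        ok = (acct is not None and acct.state is State.ACTIVE
              and secrets.compare_digest(acct.password.encode(), password.encode()))
        self._log(now, username, "login ok" if ok else "login failed")
        return ok

    def expire(self, now) -> list:
        """Automatic deregistration after expiration; returns the usernames removed."""
        expired = []
        for acct in self.accounts.values():
            if acct.state is State.ACTIVE and acct.valid_until <= now:
                acct.state = State.DEREGISTERED
                self._log(now, acct.username, "deregistered (expired)")
                expired.append(acct.username)
        return expired

    def schedule_deregistration(self, username, at: datetime, now) -> None:
        """Scheduled deregistration: pull the expiry forward to the scheduled time."""
        acct = self.accounts[username]
        acct.valid_until = min(acct.valid_until, at)
        self._log(now, username, f"deregistration scheduled for {at:%Y-%m-%d %H:%M}")


def run_demo() -> dict:
    """Walk a sponsored account and a self-help account through the lifecycle."""
    t0 = datetime(2024, 3, 12, 9, 0)                      # constructed start time
    gm = GuestManager(ApprovalMode.RECEPTIONIST)
    acct = gm.register("visitor1", "employee:alice", timedelta(hours=8), t0)
    before_approval = gm.authenticate("visitor1", acct.password, t0)
    gm.approve("visitor1", "receptionist", t0 + timedelta(minutes=5))
    after_approval = gm.authenticate("visitor1", acct.password, t0 + timedelta(hours=1))
    wrong_password = gm.authenticate("visitor1", "not-the-password", t0 + timedelta(hours=1))
    gm.schedule_deregistration("visitor1", t0 + timedelta(hours=4), t0 + timedelta(hours=2))
    expired = gm.expire(t0 + timedelta(hours=4))
    after_expiry = gm.authenticate("visitor1", acct.password, t0 + timedelta(hours=5))
    auto = GuestManager(ApprovalMode.AUTOMATIC)
    self_help = auto.register("visitor2", "self-help", timedelta(hours=1), t0)
    return {"before_approval": before_approval, "after_approval": after_approval,
            "wrong_password": wrong_password, "expired": expired, "after_expiry": after_expiry,
            "self_help_state": self_help.state, "sms": auto.distribute("visitor2", "SMS"),
            "audit_events": [event for _, _, event in gm.audit]}
```

The point worth noticing is that expiry is enforced at authentication time as well as by the periodic sweep, so an account whose scheduled deregistration has passed cannot log in even if the sweep has not yet run.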

Portal Page Customization and Flexible Portal Page Pushing, Improving Enterprise Brand Image and Promoting Products

• Allows customers to customize login and registration pages that provide personalized information about enterprises, improving the brand image of enterprises.

[Figure: sample customized login page reading "Welcome to the WLAN provided by XXX free of charge", with User name and Password fields and a Registration option.]

• Automatically redirects users to the pre-authentication page or the URL configured by the administrator after the users pass
authentication. This function is suitable for brand promotion.

• Pushes pages according to the location (SSID or associated AP), facilitating information push.

• Pushes pages according to the terminal type and terminal IP address.

Binding with Enterprises' WeChat Public Account, Periodically Pushing Information



Approval by Scanning the QR Code, Zero-Input Guest Account Registration, Improving Guest Satisfaction

The QR code authorization process involves the guest, an employee, the WLAN, and the Agile Controller server:

1. The guest accesses the Wi-Fi from a mobile phone.

2. The guest accesses a web page through the browser and is redirected to a page on which the QR code is displayed.

3. The employee accesses the Wi-Fi from a mobile phone.

4. The employee logs in to the Agile Controller.

5. The guest scans the QR code. The QR code includes the authorization URL, the guest IP address (account), and the time when the guest associated with the Wi-Fi (password). The guest is redirected to the authorization page. After the guest clicks Authorization, the Agile Controller generates guest account information.

6. After the employee authorizes the guest, the guest account exists in the platform. The guest is automatically switched to the desired page after being authenticated and can access the Internet.

Intelligent Terminals Unaware of Authentication, One-time Authentication for Multiple Accesses

• A combination of Portal and MAC address authentication is used for the first access, and MAC address authentication is used for
subsequent accesses.

Operating Environment
Configuration requirements in scenarios with no more than 2000 users are as follows.

Hardware Configuration
• CPU: E5-2640 6c 2.5 GHz or higher
• Memory: 8 GB
• Hard disk: 600 GB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Configuration requirements in scenarios with more than 2000 users are as follows.

Hardware Configuration
• CPU: 2 x E5-2640 6c 2.5 GHz or higher
• Memory: 16 GB
• Hard disk: 2 TB
• Network adapter: 2 x GB

Operating System
• Windows Server 2008 R2 (X64)

Database
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 R2

Deployment Scenarios
A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication to access the network.

[Figure: Portal deployment for guests. Terminals connect to a Portal switch, which authenticates them against the Agile Controller server over the network.]

Auxiliary Devices

Device Role: Authentication device
Device Type:
• Huawei Sx7 series switches with native ACs
• Huawei AR routers with native ACs
• Huawei WLAN ACs

Ordering Information

Item Remarks
Agile Controller Guest Management Function Mandatory
Agile Controller Guest Management Function, Including 200 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 500 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 2000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 5000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 50000 Guest Accounts Management License Optional
Free Mobility Manager

Component Overview
With the popularization of mobile office and BYOD applications, users in the headquarters and branches and on business trips want to access the enterprise network. The physical locations of the terminals are no longer fixed, and users even process business using their private terminals. How can different terminals accessing the network from different office locations obtain the same experience?

The Free Mobility component of the Huawei Agile Controller works with Huawei agile switches and NGFWs to provide security group-
based policies in addition to the traditional NAC and implement unified policy deployment and automatic policy synchronization. This
ensures that users can have the same service experience when they move on the network. The component also provides user group–
based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient,
delivering good service experience for VIP users.

Component Characteristics
Traditional VLAN/ACL Control Replaced by Policy Control based on Security Group, Greatly Improving Configuration Efficiency

• The policies on the entire network are planned in a unified manner and deployed through one click on the Agile Controller.

• Associates with switches, firewalls, and SVNs to ensure consistent service experience when users move on the entire network.

• Manages network-wide policies in a unified manner, flexibly adjusts policies, and delivers only the newly added policies.

Permission Control for Access Between User Group and Resource Group, and Between User Groups

Quick Authorization Using Natural Language, Optimizing 5W1H-based Configuration Experience

User-group-based Bandwidth/QoS Policy, Ensuring Experience of VIP Users

Operating Environment
The Free Mobility component can work properly only after the Access Control component is deployed. The operating environment of
the Free Mobility component is the same as that of the Access Control component.

Deployment Scenarios
The Free Mobility component has no special networking requirements, provided that there are reachable IP routes between the Agile Controller server and the associated network devices. Generally, the component is deployed in data centers.

[Figure: Free Mobility deployment. The Agile Controller, server, and NMS sit in the data center behind the campus egress (NGFW/SVN); the agile core and aggregation switches (LSW) and converged access (LSW, AP) serve the campus, and branches connect through AR routers and L2 switches over the WAN/Internet.]

Auxiliary Devices

Device Role: Authentication device
Device Type:
• Chassis switch: S77/97/127 V2R6C00
• Box switch: S5720HI V2R6C00
• Firewall: USG63/65/66 V1R1C20
• VPN gateway: SVN 56/58 V2R3C00

Ordering Information

Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Free Mobility Function Mandatory
Service Orchestration Manager

Component Overview
Traditional security solutions used on enterprise campus networks and data center networks define network borders and deploy security devices such as firewall, anti-DDoS, antivirus (AV), intrusion prevention system (IPS), and data loss prevention (DLP) devices on the borders between different security levels. As the network scale expands, users connect to networks using more diverse access methods. In this circumstance, traditional security deployment results in an exponential increase in cost. In addition, many customers determine the number of security devices they need to purchase based on two to five times the peak-hour rates. However, high-performance security devices, such as firewalls, IPS, and anti-DDoS, have low resource utilization, which is a waste of resources.

The Huawei Agile Controller Service Orchestration component virtualizes physical security devices to shield the device models and
locations. All security devices form a security resource center. The component directs service flows to the security resource center based
on service needs to improve use efficiency of physical resources and reduce costs.

Component Characteristics
Resource Virtualization, Service Flow-based Resource Scheduling, Implementing In-depth Security Protection

• Improves hardware utilization efficiency and reduces customer investment.

Comprehensive Service Flow Management, Service Flow Defining Based on IP Address or 5-tuple Information of User Group

• Defines service flows based on the source and destination IP addresses, source and destination port numbers, and protocol.

• Defines service flows based on the source and destination user groups, source and destination port numbers, and protocol.

Role-based Service Chain Resource Management

• Service devices can be defined as firewall, virus wall, or online behavior management device.
• The administrator can set up a GRE tunnel between an orchestration device (switch) and a service device to redirect service traffic to
the specified service device for security monitoring.

Service Chain Creation Based on Service Flows, Providing Differentiated Security Policies for Different Services

• Configured service chain orchestration policies are displayed on the GUI, allowing administrators to rearrange service chains by
simply dragging service devices.
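The following added example (not the Service Orchestration component's code) shows the flow-to-chain matching the bullets above describe: service flows defined either by 5-tuple (CIDR source and destination, ports, protocol) or by source and destination user group, each service chain as an ordered list of service devices in one of the three roles (firewall, virus wall, online behavior management device), and the GRE tunnel endpoint the orchestration switch would redirect each hop to. Device names, tunnel endpoints, groups and addresses are constructed.

```python
"""Service flow classification and service chain selection.

Added example, not Service Orchestration component code. Flows are defined
by 5-tuple (CIDR source/destination, ports, protocol) or by source and
destination user group; a chain is an ordered list of service devices, each
in one of the roles the page names; the orchestration switch redirects each
hop over a GRE tunnel. All names, addresses, groups and tunnel endpoints are
constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_ROLES = {"firewall", "virus-wall", "online-behavior-management"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    src_group: Optional[str] = None   # user group of the authenticated sender, if known
    dst_group: Optional[str] = None   # resource/user group of the destination, if known


def _in_cidr(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class ServiceFlow:
    name: str
    src: str = "any"                  # CIDR, or a group name when by_group is True
    dst: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: str = "any"
    by_group: bool = False            # False: 5-tuple flow; True: user-group flow

    def matches(self, p: Packet) -> bool:
        if self.by_group:
            src_ok = self.src == "any" or p.src_group == self.src
            dst_ok = self.dst == "any" or p.dst_group == self.dst
        else:
            src_ok = _in_cidr(self.src, p.src_ip)
            dst_ok = _in_cidr(self.dst, p.dst_ip)
        return (src_ok and dst_ok
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.proto == "any" or self.proto == p.proto))


@dataclass(frozen=True)
class ServiceChain:
    name: str
    devices: Tuple[str, ...]          # ordered hops, e.g. firewall first, then virus wall
    flows: Tuple[ServiceFlow, ...]


class Orchestrator:
    """The orchestration device's view: which chain a packet enters and where each hop goes."""

    def __init__(self, chains, device_roles, tunnels):
        for chain in chains:
            for dev in chain.devices:
                if device_roles.get(dev) not in SERVICE_ROLES:
                    raise ValueError(f"{dev} has no valid service role")
                if dev not in tunnels:
                    raise ValueError(f"no GRE tunnel configured to {dev}")
        self.chains = list(chains)    # evaluated in order: put the most specific chain first
        self.tunnels = dict(tunnels)

    def select_chain(self, p: Packet) -> Optional[ServiceChain]:
        for chain in self.chains:
            if any(flow.matches(p) for flow in chain.flows):
                return chain
        return None                   # no chain: the switch forwards the packet normally

    def redirect_path(self, p: Packet) -> List[Tuple[str, str]]:
        chain = self.select_chain(p)
        if chain is None:
            return []
        return [(dev, self.tunnels[dev]) for dev in chain.devices]


def build_sample_orchestrator() -> Orchestrator:
    """Constructed topology: a guest chain defined by 5-tuple, a department chain by group."""
    device_roles = {"fw-1": "firewall", "av-1": "virus-wall", "obm-1": "online-behavior-management"}
    tunnels = {"fw-1": "gre 10.1.1.1", "av-1": "gre 10.1.1.2", "obm-1": "gre 10.1.1.3"}
    guest_web = ServiceChain(
        "guest-internet", ("fw-1", "obm-1"),
        (ServiceFlow("guest-http", src="10.40.0.0/16", dst_port=80, proto="tcp"),
         ServiceFlow("guest-https", src="10.40.0.0/16", dst_port=443, proto="tcp")))
    dept_to_dc = ServiceChain(
        "dept-a-to-dc", ("fw-1", "av-1"),
        (ServiceFlow("dept-a-dc", src="dept-a", dst="dc-servers", by_group=True),))
    return Orchestrator([guest_web, dept_to_dc], device_roles, tunnels)
```

Group-based flows follow the user wherever the session is authenticated, which is what lets an aggregation-layer chain survive a user moving between access switches; IP-based flows are cheaper to match at the core but tie the policy to an address range.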

Operating Environment
The Service Orchestration component can work properly only after the Access Control component is deployed. The operating
environment of the Service Orchestration component is the same as that of the Access Control component.

Deployment Scenarios
Three hardware parts are required to provide the service orchestration function:

• Agile Controller service server: functions as the service orchestration subsystem, which completes service logic configuration of
service chains.

• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects the traffic to the service
devices in the sequence specified by the service chain. There must be reachable IP routes between the orchestration device and
service devices.

• Service device: processes the service flows redirected to it. The service and orchestration devices work at Layer 3, and are connected
through GRE tunnels. Service devices can be connected to the core router or the core or aggregation switch according to the
following principles:

Core layer: define service flows based on IP information to shorten the traffic transmission path.
Aggregation layer: define service flows based on user information if the customer can accept the circuitous transmission path.

[Figure: Service orchestration deployment. Two service chains run from the service chain node at the aggregation layer to the service devices (firewall, antivirus, online behavior management) near the campus egress and data center; the Agile Controller and NMS center manage the chains; the access layer serves the guest area, Dept A, Dept B, and the internal public area; the application layer sits above.]

Auxiliary Devices

Device Role: Orchestration device
Device Type:
• Chassis switch: S77/97/127 V2R6C00
• Box switch: S5720HI V2R6C00

Device Role: Service device
Device Type:
• Firewall: USG63/65/66 V1R1C20
• Juniper device: SRX210

Ordering Information

Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Free Mobility Function Mandatory
Agile Controller Service Orchestration Function Mandatory
Terminal Security Manager

Component Overview
Security health assessment of access terminals is a key indicator of an enterprise's security management. Large numbers of mobile
staff and partners frequently use their own terminals (such as laptop computers) to access enterprise LANs, which poses great
challenges to enterprise information security. Unauthorized terminals may bring computer viruses onto the enterprise network and
may even obtain the enterprise's trade secrets, threatening network security.

The Terminal Security Management component of the Huawei Agile Controller strictly controls network access from all terminal users
and enforces security policies on the users connected to the network. The component supports terminal health checks, employee
behavior management and control, software distribution, patch management, and asset management to ensure that terminals
connected to the network have self-defense capabilities and comply with the enterprise's security policies.

Component Characteristics
Terminal Security Hardening, Ensuring that Access Terminals Meet Enterprise Requirements

• Provides more than 5000 predefined terminal security policies, including weak password checks, monitoring of unauthorized external
connections, web access monitoring, antivirus software monitoring, and mobile storage device monitoring.
• Provides different security rules based on user roles or departments.

Intelligent Patch Management System, Helping Terminal Users Rectify System Vulnerabilities and Improving Enterprise
Terminal Security

• Provides patches for the Microsoft Windows operating system, Microsoft SQL Server database, Microsoft Internet Explorer, and
Microsoft Office.
• Automatically downloads patches from the Microsoft website, and allows servers to connect to the Internet through an agent.

Automatic or Manual Software Distribution, Improving Deployment Efficiency

• Distributes files in any format, and automatically executes .exe or .msi files.
• Distributes software by department, operation type, IP address segment, terminal user, and time segment.
• Supports fast distribution of software to subnets.

Employee Terminal and Network Behavior Auditing, Reducing Risks of Information Leak

• Audits network behaviors, including unauthorized external connections, web access, and network traffic.
• Audits usage of peripheral devices, including USB installation and removable operations, USB file operations, and use of other
peripheral devices.
• Audits terminal files, including file creation, copying, renaming, and deletion.
• Audits terminal operations, for example, controls non-standard software, monitors programs and services, and prohibits read-only or
read-write drive access.

Enterprise-level Asset Management, Preventing Employees from Changing Terminal Configurations and Reducing Risks of
Asset Loss

• Collects asset information, including the operating system, hardware and software list, hard disk serial number, and basic input
output system (BIOS) information.
• Generates asset reports and provides asset statistics and asset change analysis.
• Reports asset change alarms, and allows administrators to trace asset information continuously.

Operating Environment
The Terminal Security Management component can work properly only after the Access Control component is deployed. The operating
environment of the Terminal Security Management component is the same as that of the Access Control component.

Deployment Scenarios
The networking of the Terminal Security Management component is similar to that of the Access Control component. Customers need
to install the dedicated NAC client of the Agile Controller before they can enable the terminal security management feature.

Auxiliary Devices

Terminal Operating System   Version
Windows                     • Microsoft Windows XP
                            • Microsoft Windows Vista
                            • Microsoft Windows 7
                            • Microsoft Windows 8
                            • Microsoft Windows 8.1

Ordering Information

Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Terminal Security Management Function Mandatory
Agile Controller Terminal Security Feature, Including 200 Terminals License Optional
Agile Controller Terminal Security Feature, Including 500 Terminals License Optional
Agile Controller Terminal Security Feature, Including 1000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 2000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 5000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 10000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 50000 Terminals License Optional

United Security Manager

Component Overview
On traditional networks, the boundaries between enterprise networks and the Internet have security risks. Many enterprises deploy
security devices such as firewalls at their network boundaries. However, with the development of mobile services and diversified
network attacks, the boundaries of security protection become blurred. Services such as Wi-Fi, mobile terminals, and remote
office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and APTs. In this case, traditional
boundary protection measures become ineffective.

The United Security component of the Huawei Agile Controller manages logs and security events from network, security, and IT devices
across the entire network in a centralized manner. The component uses big data correlation analysis to evaluate network
security, detect security problems that cannot be detected through single-point protection, and identify the Top N risky assets and areas
on the entire network. This allows customers to take proactive defense measures so that they do not need to analyze or trace attack
sources and network risks on their own.

Component Characteristics
Unique Architectural Design, Re-defining Network Security from the Entire Network Perspective

• Detects security problems that cannot be detected through single-point protection.
• Provides user-defined correlation rules to satisfy differentiated security requirements.
• Allows executives to clearly obtain the current security situation on the network, and engineers to effectively resolve security
problems.

[Figure: the United Security workflow. Log collection feeds ② big data correlation analysis, which feeds ③ security situation
evaluation, after which the security policy takes effect.]

Comprehensive Security Log Collection Capacity, Interconnecting with Third-party Devices

• Collects logs from Huawei network and security devices.
• Collects logs from third-party devices through standard interfaces, including Syslog, SNMP, FTP/SFTP, OPSEC, and ODBC.

Preset and Self-defined Correlation Rules, Discovering Network-wide Security Events

• Provides abundant built-in correlation rules for events. The events include the password guess attack, virus spread, attack in an area,
server DDoS attack, DMZ server penetration attack, and O&M violation (traversing the bastion host).
• Allows users to customize correlation rules, including basic statistics correlation, dynamic statistics correlation, multi-rule nesting
correlation, and multi-dimensional expansion correlation.
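The "Comprehensive Security Log Collection" and "Preset and Self-defined Correlation Rules" passages above describe collecting Syslog
from devices and applying basic statistics correlation rules such as password-guess detection. The following is an added example, not
Agile Controller code and not a description of its rule engine: it parses constructed RFC 3164-style syslog lines and applies a
sliding-window threshold rule. The hostnames, addresses, usernames, the assumed log year, and the threshold and window values are
all constructed for illustration.

```python
"""Sliding-window correlation over syslog lines (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines; hosts, users and addresses are placeholders.
SAMPLE_LOGS = [
    "<38>Jan 10 08:00:01 fw01 sshd[1201]: Failed password for admin from 10.0.0.5 port 51234 ssh2",
    "<38>Jan 10 08:00:04 fw01 sshd[1202]: Failed password for admin from 10.0.0.5 port 51235 ssh2",
    "<38>Jan 10 08:00:05 fw01 sshd[1203]: Failed password for root from 10.0.0.9 port 40001 ssh2",
    "<38>Jan 10 08:00:09 fw01 sshd[1204]: Failed password for admin from 10.0.0.5 port 51236 ssh2",
    "<38>Jan 10 08:00:12 fw01 sshd[1205]: Failed password for admin from 10.0.0.5 port 51237 ssh2",
    "<38>Jan 10 08:00:13 fw01 sshd[1206]: Accepted password for jdoe from 10.0.0.7 port 50000 ssh2",
    "<38>Jan 10 08:00:15 fw01 sshd[1207]: Failed password for admin from 10.0.0.5 port 51238 ssh2",
    "<38>Jan 10 08:00:20 fw01 sshd[1208]: Failed password for admin from 10.0.0.5 port 51239 ssh2",
    "<38>Jan 10 08:15:05 fw01 sshd[1301]: Failed password for root from 10.0.0.9 port 40002 ssh2",
    "this line is not valid syslog",
]

# RFC 3164 timestamps carry no year; the collector has to assume one (assumption).
ASSUMED_YEAR = 2014

# <PRI>Mmm dd hh:mm:ss host process: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s:]+): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse_syslog(line):
    """Return a dict with pri, ts (datetime), host, proc, msg; None if the line is not syslog."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"pri": int(m["pri"]), "ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def correlate_password_guessing(lines, threshold=5, window_seconds=60):
    """Basic statistics correlation: raise one event per source that produces
    `threshold` or more authentication failures within `window_seconds`.

    Lines are processed in arrival order; per-source timestamps are kept in a
    deque that is trimmed to the window, so memory stays bounded per source.
    """
    per_src = defaultdict(deque)
    alerted = set()
    events = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # unparseable line: a real collector would count it as a parse error
        m = FAIL_RE.search(rec["msg"])
        if m is None:
            continue  # not an authentication failure
        src = m["src"]
        q = per_src[src]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)  # one correlated event per source, not one per extra failure
            events.append({
                "rule": "password_guess_attack",
                "src": src,
                "host": rec["host"],
                "count": len(q),
                "first": q[0],
                "last": rec["ts"],
            })
    return events


if __name__ == "__main__":
    for ev in correlate_password_guessing(SAMPLE_LOGS):
        print(f"{ev['rule']}: {ev['count']} failures from {ev['src']} on {ev['host']} "
              f"between {ev['first']:%H:%M:%S} and {ev['last']:%H:%M:%S}")
```

With the constructed data, 10.0.0.5 produces its fifth failure within 60 seconds at 08:00:15 and raises one event; 10.0.0.9 fails twice
15 minutes apart, so its first failure has left the window by the time the second arrives and no event is raised. Raising the threshold
to 7 suppresses the event entirely, which is the knob a rule author would tune against the site's false-positive rate.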

Security Situation Display, Providing the Basis for Proactive Defense

• Divides the entire network into several areas and marks them with different colors based on the security view of the entire network.
• Identifies the Top N risky assets on the entire network and evaluates the security level of the network, helping users quickly obtain the
network security status.
• Displays details of security events and suggestions, which administrators can reference to address security issues.

Operating Environment
Configuration requirements for a United Security server are as follows:

Hardware Configuration   • CPU: 2 x E5-2640 6c 2.5 GHz or higher
                         • Memory: 32 GB
                         • Hard disk: 2 x 1 TB
                         • Network adapter: 2 x GB
Operating System         • SuSE Linux 11
Database                 • Mongo DB
                         • MySQL 5.5

Deployment Scenarios
The United Security component has no special networking requirements, provided that there are reachable IP routes between the Agile
Controller server and the associated network devices.

[Figure: the Agile Controller United Security server connects over the network to firewalls, routers, switches, and third-party systems.]

Auxiliary Devices

Device Role              Device Type
Huawei security device   • NGFW
                         • DDOS
                         • ASG
                         • NIP
                         • SVN
Huawei network device    • Sx7 switches
                         • AR routers
                         • WLAN devices
Third-party device       Devices that support log collection through standard protocols, including the following:
                         • Syslog
                         • SNMP
                         • FTP/SFTP
                         • OPSEC
                         • ODBC
                         • Devices that support log collection through universal files and dedicated log collection
                           interfaces.

Ordering Information

Item Remarks
Agile Controller United Security Function Mandatory
Agile Controller United Security, Including 500 EPS License Optional
Agile Controller United Security, Including 1000 EPS License Optional
Agile Controller United Security, Including 2500 EPS License Optional
Agile Controller United Security, Including 5000 EPS License Optional

EPS: short for events per second, indicating the number of log events processed per second.

More Information
For more information about the Huawei Agile Controller, visit http://enterprise.huawei.com.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei
Technologies Co., Ltd.

Trademark Notice
, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future
financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual
results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information
is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any
time without notice.
