
Cloudnet Network Security Technology White Paper

1. Introduction to information security

Information security means that the information system (including hardware, software, data, people, physical resources, environment and infrastructure) is protected from damage, alteration and disclosure due to accidental or malicious causes, so that the system keeps operating continuously, reliably and normally, the information service is not interrupted, and business continuity is ultimately preserved.

All information security technologies are designed to achieve certain security objectives. Strictly speaking, these fall into five aspects: confidentiality, integrity, availability, controllability and non-repudiation.


1.1 Confidentiality

Confidentiality refers to preventing unauthorized users from obtaining information. More broadly, it means that unauthorized users cannot obtain sensitive information, so that only authorized users can use it.

The confidentiality of the Cloudnet network is mainly reflected in:

● The tenant platform uses a hierarchical, decentralized authorization mechanism: the information that users in different roles can access is partitioned, so that data is never accessed beyond a role's authority.
● HTTPS is used for all data in transit, so that communications cannot be intercepted by malicious users and private information disclosed.
● The system can only be logged into with a legitimately registered account.
● For the external API interface, each account has an independent key, so that only the holder of that key can obtain the data under its own account.

1.2 Integrity

Integrity refers to preventing information from being tampered with without authorization. It protects the original state of information and preserves its authenticity: in the process of storage or transmission, network data is not damaged or lost through accidental or deliberate deletion, modification, forgery, reordering, replay, insertion or other acts.

The integrity of the Cloudnet network is mainly reflected in:

● Data flowing to the Cloudnet network is encrypted and transmitted over SSL to ensure the integrity of the data.

1.3 Availability

Availability refers to the ability of an authorized subject to receive service in time when information is needed. It is a comprehensive reflection of product reliability, maintainability and maintenance supportability.

The availability of the Cloudnet network is mainly reflected in:

● The Cloudnet network is a SaaS service on Microsoft's public cloud platform. Microsoft cloud holds level-3 security qualification and has the ability to defend against DDoS attacks.
● The Cloudnet network is a Kubernetes-based container architecture with automatic scale-out and scale-in of business capacity.

1.4 Controllability

Controllability refers to implementing security monitoring and management of information and information systems to prevent illegal use of information and information systems.

The controllability of the Cloudnet network is mainly reflected in:

● The Cloudnet network has a complete monitoring system that verifies the legitimacy of system access and raises alarms for abnormal behaviour via email, SMS and WeChat.

1.5 Non-repudiation

Non-repudiation means that, in the network environment, neither side of an information exchange can deny having sent or received information during the exchange.

The non-repudiation of the Cloudnet network is mainly reflected in:

● The Cloudnet network keeps complete operation records, recording the source IP and account of each operation, so that every user operation on the Cloudnet network can be traced.

2. Security design principles

In the process of hardening the Cloudnet network, the following basic security principles must be followed to ensure that tenant data, authentication data and intelligent operation and maintenance data meet the security requirements to the greatest possible extent.

2.1 Security classification principle

The Cloudnet network is a multi-service comprehensive platform, including cloud management, cloud authentication, cloud operation and maintenance, and cloud applications. Security hardening schemes of different levels need to be applied according to the characteristics of each business.

2.2 Business priority principle

When security and business conflict, the smooth operation of the business must be ensured first. During security hardening configuration, security personnel must communicate with the business department to make sure they understand the business objectives. The objectives of security hardening must serve the business objectives.

2.3 Open design principle

The data service of the Cloudnet network is provided through an API interface. A complete API security control system is required to ensure the security of user data.

2.4 Comprehensive defense system

The Cloudnet network adopts a multi-point, multi-layer security verification mechanism to build a strong defense along every possible attack path, from layer 3 to layer 7 of the network protocol stack, so that a breakthrough at a single point cannot lead to unchecked damage inside the system.

The security hardening of the Cloudnet network ensures the security of the whole system from five aspects: confidentiality, integrity, availability, controllability and non-repudiation.


3. Cloudnet network security scheme

3.1 Introduction to the Cloudnet network security scheme

The UCenter platform is a unified basic platform covering computing, storage, network, security and so on. The Cloudnet network provides the overall solution for network services on the UCenter platform. The security of the Cloudnet network is reflected in the following aspects:

● platform security
● network communication security
● application security
● device security
● terminal access security

This solution provides a wealth of security features, including but not limited to the following:

1. The administrator account supports email and SMS authentication.
2. Administrator accounts support password complexity and length restrictions.
3. Sub-account management is supported.
4. Hierarchical and decentralized account management is supported.
5. Mobile number authentication of terminals is supported.
6. WeChat WiFi authentication of terminals is supported.
7. Domain name black and white lists are supported.
8. MAC address black and white lists are supported.
9. WPA2-PSK authentication for wireless access is supported.
10. User isolation is supported.
11. Network security groups are supported.
12. A unified log analysis platform is supported.
13. WeChat, SMS and app notification alarm mechanisms are supported.


3.2 Security hardening technology

3.2.1 Authentication and authorization control

3.2.1.1 Tenant administrator / mobile app

The tenant administrator logs into Cloudnet through the cloud network or the mobile app, and a unified authentication and authorization framework is adopted:

1. Unified authentication, authorization and access control model.
2. Unified database management.
3. Support for the unified CAS protocol (the native protocol, used without modification).
4. Support for uniqueness of user identity and password complexity verification.
5. Support for hierarchical decentralization and multiple account roles (sub-account, full account, operation and maintenance account, operation account, monitoring account).
6. All operations can be traced back to their source; operation logs are recorded, including the account, IP address and the specific configuration command.

3.2.1.2 Terminal access user

Identity identification and authentication of end users can use not only the WeChat WiFi authentication, WeChat official account authentication, SMS authentication and fixed account authentication functions provided by the Cloudnet platform, but also an authentication server deployed in the local network using 802.1X, MAC authentication, PSK and other authentication methods.

3.2.1.3 Device access authentication

The secure WebSocket protocol (WebSocket over TLS) is used between the network access device and Cloudnet. On top of this protocol, access control based on serial number permission is carried out.

3.2.1.4 API open interface

The tenant can obtain the secret key corresponding to its account in the Cloudnet network. With that key, the tenant can retrieve the data of the devices under the tenant's name using its own development capability. This verification method is the key authentication method of the Kong API gateway.

3.2.1.5 Developer Mode


3.2.2 Data protection

3.2.2.1 Operation data security

The tenant administrator / mobile app uses HTTPS to log in to the Cloudnet network for device diagnosis and maintenance.

3.2.2.2 Terminal data security

Wireless access point devices provide WPA, WPA2, 802.1X, portal and other security policy mechanisms. Each security policy embodies a set of security mechanisms: link authentication when the wireless link is established, user access authentication when wireless users come online, and data encryption when wireless users transmit service data. For scenarios with high security requirements, 802.1X authentication is recommended; WPA2-PSK authentication is suggested for ordinary visitor access.

3.2.2.3 Device data security

The management traffic that the device must process contains configuration information, and it is delivered over a NETCONF-over-WebSocket or CMD-over-WebSocket channel. Sensitive device configuration information is encrypted and stored in the local in-memory database.

The user data flowing through the device is forwarded locally; this traffic is not sent to the public cloud.

3.2.2.5 Data security in the platform

The business data of each tenant is stored in MySQL and MongoDB instances that have been secured and hardened. After the tenant account is cancelled, the data is completely deleted.

Performance, location, traffic and other data received by the platform are first written to RabbitMQ or Kafka, then read, processed and written to the MongoDB database.

3.2.3 Security detection and response

There are many access points and a large number of access devices in the Cloudnet network, so the platform is also exposed to illegal intrusion from devices and malicious denial-of-service attacks. The Cloudnet network runs on the Microsoft Azure cloud platform, which can detect illegal intrusion online and even use big data to analyze malicious attack behaviour. It has three levels of security mechanism.

1. Through firewalls deployed at the egress gateway, anti-attack detection and response is performed on inbound and outbound network traffic, providing a strong defense mechanism against the various flood attacks and single-packet attacks seen in the network.

2. H3C gateway devices support IPS and AV functions. Through Cloudnet, tenants can configure URL filtering and NAT functions, and select and apply IPS and AV templates. The cloud management platform can also monitor in real time and provide alarm and log functions, giving users richer security defense strategies.

3. The Cloudnet network inherits all data plane anti-attack capabilities of IP network devices, including but not limited to:

− application layer linkage
− abnormal packet anti-attack
− routing protocol authentication verification
− GTSM (Generalized TTL Security Mechanism)
− security defense based on security authentication
− attack traceability and warning
− CPU packet rate limiting (CPU defer)
− black and white lists
− user-defined flows (ACL based)
− layer 2 loop detection and suppression
− QoS

3.2.4 Privacy protection

The Cloudnet network involves the following private data:

1. Cloudnet network administrator authentication credentials.
2. Authentication credentials and registration information of tenant users.
3. Configuration files of the network devices.
4. A large number of end users' online and offline records and internet access records.
5. MAC information of a large number of end users.

In order to protect the above private data, this solution provides the following technologies:

1. The authentication credentials of Cloudnet network and tenant users are stored in MySQL and MongoDB using the AES-256 algorithm. The configuration file of each device is stored in the corresponding HDFS according to its location and device group.
2. The tenant logs in to the Cloudnet network using HTTPS.
3. Tenants use NETCONF / CMD over WebSocket to configure and manage cloud devices.
4. The cloud device uses WebSocket over TLS to send its own operating status data to the Cloudnet network for status display.
5. The MAC information of end users is desensitized with a hash algorithm and stored locally.
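The MAC desensitization in item 5 above, shown as an added example that is not Cloudnet's own code: the paper does not name the hash, so this block assumes a keyed hash (HMAC-SHA256 with a per-deployment secret), which yields a stable token per device for joining records while preventing recovery of the MAC from stored data; an unkeyed hash would not, since the 48-bit MAC space is small enough to enumerate.

```python
"""Keyed pseudonymisation of end-user MAC addresses before local storage.

Added example, not Cloudnet's implementation. Assumes HMAC-SHA256 with a
per-deployment secret key; the key is what protects the token, because an
unkeyed hash of a 48-bit address can be reversed by enumeration.
"""
import hashlib
import hmac
import re

# Constructed sample key for the example; in practice load it from a secret
# store and never embed it in source or in the database holding the tokens.
PSEUDONYM_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits.

    Accepts 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' and 'aabb.ccdd.eeff',
    so the same device always produces the same token regardless of the
    notation the access point reported it in.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pseudonymize_mac(mac: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a 64-hex-char token that is stable for a given MAC and key."""
    canon = normalize_mac(mac)
    return hmac.new(key, canon.encode("ascii"), hashlib.sha256).hexdigest()


def desensitize_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Copy an online/offline record with its 'mac' field replaced by the token."""
    out = dict(record)
    out["mac"] = pseudonymize_mac(record["mac"], key)
    return out


# Constructed sample online record, as the platform might receive it.
SAMPLE_RECORD = {"mac": "AA:BB:CC:DD:EE:FF", "event": "online", "ap": "ap-01"}
```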

3.2.5 Security management

The Cloudnet network comprehensively audits device operation logs and user operation logs.

1. Logs in the system are divided into user operation logs, security logs and device maintenance logs, classified as follows:

− user operation log: records the history of user operations and logins.
− security log: records information about account management, protocols, anti-attack events, etc.
− device maintenance log: records information that assists in problem location, such as CPU and memory alarms.

2. The main elements of a log record include:

− when the event occurred
− user information
− location and device where the event occurred
− source IP address of the access initiator
− event type
− name of the accessed resource
− result of the event

3. Support for sending security reports through app, SMS or WeChat.


3.3 Customer value

All interfaces of the overall solution meet the security requirements.

All user data and device data in the overall solution meet the privacy protection requirements.
