Agile Controller
V100R001C00
Product Description
Issue 01
Date 2014-01-27
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://enterprise.huawei.com
Issue 01 (2014-01-27)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i
Compus Controller
Product Description
About This Document
Overview
This document describes the positioning, product architecture, network applications, functions,
configuration requirements, and technical indicators of Agile Controller.
This document helps users gain basic understandings of the features and functions of Agile
Controller.
Intended Audience
This document is intended for:
- Network planning engineers
- Data configuration engineers
- Maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol / Description
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Issue 01 (2014-04-15)
Author: Longdingyi
This issue is the first official release.
Contents
About This Document ...... ii
1 Product Description ...... 1
1.1 Requirements and Challenges ...... 1
1.2 Product Overview ...... 3
1.3 Product Characteristics ...... 3
2 Product Architecture ...... 5
3 Application Scenario ...... 7
3.1 Free Mobility
3.1.1 Scenario 1: Network-wide Permission Policy Management by Administrator ...... 8
3.1.2 Scenario 2: Ubiquitous Service Experience Guarantee ...... 10
3.2 Service Chain
3.3 Unity Security
3.3.1 Scenario 1: Correlation Analysis of Security Events ...... 13
3.3.2 Scenario 2: Detection of Top Threat Assets on the Campus Network Based on Security Levels of Assets ...... 14
4 Function ...... 16
4.1 Free Mobility
4.1.1 Network Access Control ...... 16
4.1.2 Policy Management ...... 17
4.1.3 Device Identification ...... 17
4.1.4 Visitor Management ...... 18
4.2 Service Chain
4.3 Unity Security
4.3.1 Data Collection ...... 20
4.3.1.1 Collection Modes ...... 20
4.3.1.2 Collected Data Type ...... 20
4.3.1.3 Collection Device Type ...... 21
4.3.1.4 Data Storage ...... 21
4.3.2 Correlation Analysis Implementation ...... 21
4.3.3 Security Trend Display ...... 22
4.3.3.1 Area and Asset Management ...... 24
4.3.3.2 Security Event Management ...... 25
5 Configuration Requirements ...... 26
5.1 PC Client Requirements ...... 26
5.2 Server Requirements ...... 28
6 Performance Indicators ...... 30
6.1 PC Client Performance Indicators ...... 30
6.2 Server Performance Indicators ...... 30
6.3 Devices Supported by the Free Mobility Component ...... 34
6.4 Devices Supported by the Service Chain Component ...... 35
6.5 Devices Supported by the Unity Security Component ...... 35
7 Standards and Protocols ...... 39
A Terms ...... 40
1 Product Description
1.1 Requirements and Challenges
With the rapid development of network technologies, popularization of mobile terminals, and
emergence of mobile office and wireless access, users want to use various terminals to access
networks anywhere, anytime, with a unified user experience. The requirements are as follows:
- Users can work at any office location.
- Traveling users can connect to the enterprise intranet from any access point in a branch, enjoying the same user experience as in the headquarters.
- Users working at home can connect to the enterprise intranet through the Internet, enjoying the same experience as in the office.
- Users can have a high-quality mobile office experience in bars, coffee houses, and coaches.
- Users can have the same service experience when they access the network from different access points at different times.
Campus networks are IP-based networks. IP address segments and VLAN IDs are statically allocated during network deployment, and the service deployment solution is planned in advance based on the service requirements. The service deployment solution covers static configurations of IP addresses, VLAN IDs, and policies. When users need to access the network anytime and anywhere, they may face the following challenges:
- Difficulty in controlling access rights
Seamless switching is required when users move from one location to another. Originally, users access networks using fixed IP addresses. When users move from one location to another, the IP addresses used to access the networks change. However, user access control is implemented based on the IP address rather than the user identity.
- Inconsistent user experience
On a traditional network, many vendors provide user-based unified control to control the access rights of mobile users, implementing ubiquitous policies. However, no vendor meets the requirements of policy mobility, dynamic resource allocation, and unified experience. Users hope that they can enjoy the same access experience regardless of access point and time. Currently, Quality of Service (QoS), access policies, bandwidth, and security rules are configured based on access points. When users move to another location, the access rules and end-to-end (E2E) quality guarantee rules change with the IP address, making it impossible to achieve a unified experience.
- Uncontrollable network security
Solutions provided by vendors on the traditional network do not support unified security
control. For example, the enterprise headquarters and branches have different security
requirements according to the service type, service importance, and IT capability. When VIP
users work in enterprise branches, different security levels are provided for them when they
access the network from different locations. The reason is that the traditional network cannot
dynamically adjust security policies based on users.

- Difficulty in predicting mobile traffic
The mobile swarm situation occurs when various terminals access the network anytime and
anywhere. When a large number of users swarm to one access point, they will compete for the
network resources at this point, lowering user experience. The traditional network cannot
solve the customer pain point. This is because the network resources at one access point are
predefined and fixed, and cannot be dynamically adjusted based on user requirements. The
network resources include QoS, routes, bandwidth, and isolation policies. The policy mobility
and dynamic resource allocation requirements cannot be satisfied.

- Inefficient manual configuration
Traditionally, IT personnel manually configure network layer configurations, including IP
addresses, VLANs, and user rights. When there are many mobile users on the network, the
configuration efficiency is low and errors may occur. For example, the access rights and
bandwidth are incorrectly configured. This degrades user experience and increases the
workload of IT personnel.

- Security issues caused by mobility
To protect enterprise campus networks and data center networks, borders are defined and
security devices such as firewall, anti-DDoS, antivirus (AV), intrusion prevention system
(IPS), and data loss prevention (DLP) devices are deployed on borders of different security
levels. Deploying these devices on external borders can ensure internal network security on a
traditional network. As wireless access becomes popular and BYOD is used, any devices with
any roles can connect to enterprise networks anywhere. In this situation, virus and intrusion
modes become diversified. Single-point defense and border defense are not enough to protect
enterprise networks.
Untrusted intranet: As various roles including visitors, BYOD devices, partners, vendors, and employees can access the campus network, the terminal security status is no longer trustworthy and the east-west intranet traffic may be insecure. The internal traffic needs to be controlled because multiple departments of an enterprise data center (EDC), many subsidiaries, multiple tenants of an Internet data center (IDC), and different data centers have different security levels. Traditional border protection cannot solve all these problems.
Mobility: Terminals and virtual machines migrate dynamically in mobile campus and virtual DC scenarios. The external borders and internal physical borders are no longer effective.
Scattered deployment: A large number of defense points are required and a hardware firewall needs to be deployed in each department, resulting in low resource usage.
1.2 Product Overview
Agile Controller is a user- and application-based network resource auto control system
developed by Huawei. As the brain on smart campus networks, Agile Controller dynamically
allocates network and security resources on the entire campus network based on
software-defined networking (SDN), enabling networks to be more agile for services.
Agile Controller provides the following features:
- Provides a unified policy engine to realize unified access policies, and implements 5W1H-based authentication and authorization (access user, access time, access location, device type, device source, and access mode).
- Provides full lifecycle visitor management, allows users to customize Portal login pages, and pushes personalized pages based on the terminal IP address range and location, improving the enterprise brand image and reducing IT operation and maintenance (O&M) pressure.
- Provides rights planning based on the policy matrix, and implements automatic network-wide policy deployment and status monitoring based on 5W1H policy control, ensuring that users enjoy the same service experience when they move freely on the network.
- Provides user group-based QoS policy planning to preferentially forward data from VIP users when network resources are limited, ensuring a good service experience for VIP users.
- Provides Service Chain, abstracts security devices into the security resource center, and imports user traffic to the security resource center for processing, improving security resource use efficiency and enhancing the network-wide security protection capability.
- Uses Big Data correlation analysis to collect, correlate, and analyze network-wide events and displays the security trends of the entire network, helping users quickly identify network risks and proactively take defense measures.
1.3 Product Characteristics
- Service experience-centered redefined network
The network shifts its focus from technology, devices, and connectivity to users, services, and experience. Agile Controller provides a 5W1H policy matrix to ensure consistent policies on the entire network. Users can enjoy the same service experience regardless of access terminals and access points.
- All-round Unity Security based on Big Data analysis
Single-point protection is replaced by network-wide protection. Through Big Data correlation analysis, Agile Controller detects security threats on the entire network, helping users quickly identify network risks and proactively take defense measures.
- Centralized control and flexible adjustment of network resources
Originally, configuration was mainly performed manually. Now, networks and services need to be dynamically deployed. Agile Controller controls network resources in a centralized manner and flexibly adjusts them according to service requirements. For example, it can create work groups. Agile Controller provides QoS guarantees for VIP users, identifies top threat assets, and deploys strict security policies.
- Product openness and collaboration
Agile Controller uses an open system. It can interconnect with existing devices and service systems using interfaces such as web service APIs and SNMP interfaces, improving service provisioning efficiency and O&M.
2 Product Architecture
Agile Controller is composed of the following components: service manager (SM), service
controller (SC), Security View (SV), and AnyOffice client. Network access devices (NADs)
associate with the Agile Controller server to implement user-based access control and Free
Mobility.
SM
SM is responsible for service management. The system administrator can configure user
management, access control, ubiquitous service policies, and Unity Security service
configurations on the web management page.
As the manager of the Agile Controller server, the SM manages SCs connected to it and sends
real-time instructions to the SCs to transmit services.
SC
The SC integrates standard RADIUS server and Portal server and associates with NADs to
implement user-based network access control. The SC provides the following functions:
- Associates with NADs such as switches, routers, WLAN devices, or firewalls to uniformly manage and automatically deploy network access policies. It instructs the NAD to change the network access rights of users after the users pass identity authentication.
- Associates with an orchestration device to deliver service flow orchestration policies and direct the specified service flows to the next-generation firewall (NGFW) in the security resource center.
SV
The SV server provides Big Data analysis capability for analyzing and correlating the
network-wide security events to detect potential security threats and display the current threat
degree and rating of assets, and the security trends.
AnyOffice Client
Agile Controller supports access authentication through AnyOffice clients running the Windows, Linux, or Mac operating system. Users can use an AnyOffice client, a standard 802.1X client, or a mainstream browser for access authentication.
NAD
Agile Controller works with NADs to provide the network access control and visitor
management functions on enterprise networks. Agile Controller supports a variety of NADs,
including WLAN ACs and APs, Huawei Portal switches, standard 802.1x switches, and
Huawei security access control gateways (SACGs).
3 Application Scenario
Agile Controller provides five components including access control, visitor management, Free
Mobility, Service Chain, and Unity Security. The access control and visitor management
components are the basis of Free Mobility and correlate user rights with IP addresses to
implement unified policies regardless of the network topology, and simplify policy
management. This satisfies the high requirements brought by security, mobility, and BYOD
applications. The Service Chain component virtualizes physical devices to shield device
models and locations, and directs different service flows to different service termination nodes.
The Unity Security component uses Big Data analysis to detect network-wide threats and
provide active defense.
3.1 Free Mobility
The Free Mobility component ensures that a user can have the same network access rights
when the user uses different IP addresses to access the network from different locations. Agile
Controller executes the same permission policy and user experience assurance policy for the
same user. The component associates user rights with IP addresses to implement unified
policies regardless of the network topology, and simplify policy management, satisfying the
high requirements brought by security, mobility, and BYOD applications.
Permission policies use the user group-based rights control model. Users are allocated to user groups based on the 5W1H conditions, and user IP addresses differ between user groups. However, each user group is assigned a fixed IP address. Agile Controller provides permission policies to control access between the source user group and the destination service security group.
User experience assurance policies include QoS priority policies and traffic limiting policies.
The user-based bandwidth guarantee and QoS priority settings provide user experience
assurance policies to guarantee user experience between the source user group and destination
service security group.
The following figure shows how the Free Mobility component of Agile Controller controls
user access. Agile Controller controls the SSL VPN gateway, access control gateway, border
firewall, and switches to control access rights to resource from different user groups and
ensure user experience.
3.1.1 Scenario 1: Network-wide Permission Policy Management by Administrator
With the popularization of Wi-Fi network and mobile access, many large-scale enterprises
will deploy the authentication and control system, which usually requires the access control
list (ACL) or other policies. Generally, to control a user in an enterprise office, an average of
more than 100 ACL rules need to be configured. The IT personnel need to configure and
maintain these policies on all access switches or firewalls. The workload of the IT personnel
is huge. Besides, when users roam from one access point to another, the ACL rules need to be
adjusted, leading to huge workload. To reduce the workload of the IT personnel, many
enterprises divide the entire network into several areas and deploy the policies based on the
security level of department or service, reducing the number of policies. Even so, there are
still a large number of ACL policies to be adjusted.
Typical networking
To solve this problem, Huawei Agile Controller provides 5W1H-based authentication and authorization (based on access users, access time, access location, device type, and device source) to manage the network access control policies in a centralized manner. This implements automatic network-wide policy deployment and ensures that users enjoy the same service access rights when they move freely on the network. In addition, the innovative policy matrix page visualizes policy management. Administrators can easily manage thousands of permission policies on the Agile Controller web page, without needing to know the permission policies on the entire network. Easy-to-understand natural language and matrix diagrams are displayed on the page instead of command lines. When the number of users or network resources changes, or resource IP addresses change, administrators do not need to modify the ACL rules or the permission rights; they simply modify the resource group on Agile Controller.
Through the policy matrix-based network access authorization mode, administrators can
configure bidirectional access control policies based on the security group. This reduces the
administrators' configuration and management workload, so that they can spend more time on
network optimization.
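The group-based policy model described above, as an added illustration that is not Agile Controller's own code or interface: a small Python policy matrix keyed on (user group, resource group), with the user's current address deliberately absent from the lookup, and a resource-group edit standing in for the "simply modify the resource group" step. The users, groups, subnets and addresses are constructed; most-specific-subnet matching and the default deny are assumptions of this example.

```python
"""Group-based permission matrix: an added illustration, not Agile Controller code.

Decisions are keyed on (source user group, destination resource group) rather than
on the user's current IP address, which is what lets the same user keep the same
rights after roaming. Every user, group, subnet and address below is constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Optional

# Resource groups: group name -> subnets (constructed sample data).
RESOURCE_GROUPS = {
    "rd_servers": [ip_network("10.10.0.0/24")],
    "finance_servers": [ip_network("10.20.0.0/24")],
    "internet": [ip_network("0.0.0.0/0")],
}

# The policy matrix: (user group, resource group) -> action.
# Cells that are not listed take DEFAULT_ACTION (assumed default deny).
POLICY_MATRIX = {
    ("rd_staff", "rd_servers"): "permit",
    ("rd_staff", "internet"): "permit",
    ("finance_staff", "finance_servers"): "permit",
    ("finance_staff", "internet"): "permit",
    ("visitor", "internet"): "permit",
}
DEFAULT_ACTION = "deny"

# User -> user group, as it would be known after authentication (constructed).
USER_GROUP = {"alice": "rd_staff", "bob": "finance_staff", "guest1": "visitor"}


def resource_group_of(dst_ip: str) -> Optional[str]:
    """Return the resource group whose most specific subnet contains dst_ip."""
    addr = ip_address(dst_ip)
    best, best_len = None, -1
    for group, nets in RESOURCE_GROUPS.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = group, net.prefixlen
    return best


def decide(user: str, dst_ip: str) -> str:
    """Permission decision for traffic from `user` to `dst_ip`.

    The user's own source address is not an input: after re-authentication from a
    new location the lookup key (user group, resource group) is unchanged.
    """
    user_group = USER_GROUP.get(user)
    res_group = resource_group_of(dst_ip)
    if user_group is None or res_group is None:
        return DEFAULT_ACTION
    return POLICY_MATRIX.get((user_group, res_group), DEFAULT_ACTION)


def move_resource(group: str, new_subnet: str) -> None:
    """Re-address a resource group; the matrix itself does not need editing."""
    RESOURCE_GROUPS[group] = [ip_network(new_subnet)]


if __name__ == "__main__":
    print(decide("alice", "10.10.0.5"))      # permit: rd_staff -> rd_servers
    print(decide("bob", "10.10.0.5"))        # deny: finance_staff -> rd_servers
    print(decide("guest1", "198.51.100.9"))  # permit: visitor -> internet
    move_resource("rd_servers", "10.30.0.0/24")
    print(decide("alice", "10.30.0.5"))      # permit again, matrix untouched
```

Because the matrix is a mapping of group pairs, the per-switch ACL lines that the scenario says grow past 100 per user are never written by hand; a roaming user gets a new address but the same (user group, resource group) key, and re-addressing a server segment is a single edit to its resource group.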
3.1.2 Scenario 2: Ubiquitous Service Experience Guarantee
As more and more users start to use the mobile office or BYOD work style, user terminals
access the network from changing physical locations. In this case, the static QoS policies used
for access from fixed locations are no longer sufficient to ensure access experience of the
mobile users.
Users want to have the same access experience regardless of whether they access the network through the intranet or the Internet. Agile Controller guarantees network-wide access experience through centralized user identity management and unified QoS policy configuration.
Typical networking
When users access a campus network through the intranet, bottlenecks affecting user
experience are the wide area network (WAN) interconnection egresses, aggregation nodes
between the branch and headquarters, and remote VPN access points. To ensure high-quality
service experience, performance of these nodes must be ensured.
Agile Controller associates with NADs, Internet egress firewalls, and Secure Sockets Layer virtual private network (SVN) devices. You can configure uplink and downlink bandwidth policies on NADs at authentication points and service packet priority policies on WAN egresses, remote access points, and firewalls, ensuring that users have the same access experience regardless of their locations.
3.2 Service Chain
Traditionally, the network architecture is fixed. Once the network structure is modified, services need to be migrated from the old network to the new network, which affects services on the network. In this fixed network architecture, firewalls cannot be deployed based on service requirements. An independent firewall needs to be deployed at each network border for security protection even if the border has no security risks. This wastes firewalls and lowers their usage efficiency.
Agile Controller can associate with the NADs to schedule specific traffic flows to firewalls,
antivirus devices, or online behavior control devices based on the specified orchestration
sequence. These security devices form a security resource center. Agile Controller controls
traffic distribution based on flow import policies and provides network-wide security
monitoring service.
Agile Controller identifies traffic flows sent to NADs based on the source/destination IP
address or the user group, and then forwards these flows through a tunnel to the security
resource center based on Service Chain policies configured by the administrator.
Service Chain can be implemented based on users or areas. If the administrator wants to
monitor access from traveling employees to R&D data or detect attacks, user-based Service
Chain can be used to dynamically import service flows to security service devices for in-depth
detection and cleaning. If the administrator wants to detect and audit traffic flows from the
R&D department to the Internet, area-based Service Chain can be used to direct the flows to
the specified security devices. The traffic flows processed by the security resource center are
then directed to the original device through a tunnel and forwarded along the default route.
The Service Chain component of Agile Controller directs risky service flows to the security resource center for monitoring without changing the existing network architecture or requiring network migration. By doing so, it implements dynamic allocation of security resources.
3.3 Unity Security
Agile Controller collects and manages security devices, network devices, hosts, databases, application logs, and events in a centralized manner, adapted to the actual environment. Based on the customer's information security pain points, Agile Controller defines correlation rules in its correlation analysis engine, monitors and analyzes the customer's network environment, reports alarms about security events such as network exceptions, hacker intrusions, and violations in real time, and displays the alarms so that the administrator can find the required security information on the Unity Security platform. With correlation analysis, Agile Controller can detect security events that no single device can detect on its own, and it associates with devices to resolve them.
Agile Controller provides the following Unity Security functions:
• Correlation analysis of logs on the entire network
• Predefined and customized use cases
• Asset threat management based on security events
• Security trend monitoring on the entire network
• Blocking, flow import, and alarms
Benefit to customers:
• Identifies security events that cannot be detected by a single device.
• Defines correlation rules to meet differentiated security requirements of various users.
• Displays the security trend and monitors and handles security issues efficiently.
3.3.1 Scenario 1: Correlation Analysis of Security Events
Multi-point Correlation Detection
A company has multiple key devices, and an attack on any of them may cause information leaks. On each device, the maximum number of login failures allowed is 5 within six hours.
An intranet device attempts to crack passwords on the key devices, using a user name that exists on most devices, such as admin or root. It makes three attempts on each device, which does not violate the per-device rule, so if the logs of each device are analyzed independently the security risk cannot be detected. Seen across the network, however, the intranet device attempts to crack the passwords of 100 devices within six hours, which is a potential security risk. Security experts would need to correlate the logs of devices on the entire network to detect it, and doing so manually is difficult.
If security experts analyze the principles of security issues such as brute force cracking, intrusions, content leaks, and security regulation violations, retrieve the required logs, form security issue cases (use cases), configure the use cases as correlation rules that the correlation analysis engine can identify, and add them to Agile Controller, Agile Controller can analyze the logs and determine the security risks.
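The following Python example is added here for illustration; it is not part of the Huawei document or the Agile Controller product. It runs the two views of the scenario above over constructed login-failure logs: the per-device rule (5 failures in six hours, the figure from the scenario) sees nothing, while the network-wide rule counts distinct devices per source and flags the low-and-slow host. The cross-device threshold of 10 devices, the log field names, and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
PER_DEVICE_LIMIT = 5        # from the scenario: at most 5 login failures per device in six hours
NETWORK_DEVICE_LIMIT = 10   # assumed network-wide rule: failures on more than 10 distinct devices


def make_sample_logs():
    """Constructed login-failure logs (not from the document).

    One intranet host (10.0.5.23) fails three times on each of 100 key devices
    within about five hours, staying under the per-device limit everywhere.
    A second host mistypes a password twice on a single device."""
    base = datetime(2014, 1, 27, 8, 0, 0)
    logs = []
    for dev in range(1, 101):
        for attempt in range(3):
            logs.append({
                "time": base + timedelta(minutes=3 * dev + attempt),
                "device": f"dev-{dev:03d}",
                "src": "10.0.5.23",
                "user": "admin",
                "result": "FAIL",
            })
    for minute in (10, 11):
        logs.append({"time": base + timedelta(minutes=minute), "device": "dev-001",
                     "src": "10.0.7.9", "user": "alice", "result": "FAIL"})
    return logs


def max_failures_per_pair(logs, window=WINDOW):
    """Single-device view: the highest number of failures for each (source, device)
    pair inside any window-long span. This is all one device's own log can show."""
    times_by_pair = defaultdict(list)
    for entry in logs:
        if entry["result"] == "FAIL":
            times_by_pair[(entry["src"], entry["device"])].append(entry["time"])
    result = {}
    for pair, times in times_by_pair.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[pair] = best
    return result


def max_devices_per_source(logs, window=WINDOW):
    """Network-wide view: for each source, the largest number of distinct devices
    it failed to log in to inside any window-long span."""
    events_by_src = defaultdict(list)
    for entry in logs:
        if entry["result"] == "FAIL":
            events_by_src[entry["src"]].append((entry["time"], entry["device"]))
    result = {}
    for src, events in events_by_src.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {device for _, device in events[start:end + 1]}
            best = max(best, len(distinct))
        result[src] = best
    return result


def correlate(logs):
    """Apply both rules; only the network-wide one catches the low-and-slow source."""
    single = sorted(pair for pair, n in max_failures_per_pair(logs).items()
                    if n > PER_DEVICE_LIMIT)
    multi = sorted(src for src, n in max_devices_per_source(logs).items()
                   if n > NETWORK_DEVICE_LIMIT)
    return {"single_device_alerts": single, "multi_point_alerts": multi}


if __name__ == "__main__":
    print(correlate(make_sample_logs()))
```

The sliding-window loop keeps the rule exact for any event spacing, which a fixed six-hour bucket would not; the same structure extends to other multi-point use cases by changing the key that is counted per source.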
A use case is a solution for detecting a security issue. Use cases identify associated logs and series of security events in real time.
Agile Controller provides the following types of use cases:
1. Predefined use cases: Agile Controller provides predefined use cases based on Huawei's network security management experience. On the live network, Huawei technical personnel or customers can modify the use cases (log adaptation or rule changes) to fit the network.
2. Customized use cases, which are needed for two reasons:
(1) Some security issues persist, APT attacks for example, and attack methods change continuously.
(2) Enterprises and industry users must comply with different standards and management regulations, and their network security environments differ. Therefore, their use cases differ.
Actions Taken by Agile Controller After Security Events Are Identified
After Agile Controller identifies a security event, it determines the security event level and pushes the security event to the administrator for processing. Moreover, Agile Controller scores the threat degree of the resource that the security event targets.
Agile Controller supports correlation actions for some security events. The rules are as follows:
1. Misoperations must be avoided. Only if a use case can accurately identify the result can Agile Controller deliver an action to resolve the security issue.
2. If a use case cannot accurately identify the result, it is recommended that a correlation action be delivered instead. Agile Controller allows users to acknowledge the results of use cases and then determines whether to deliver the correlation action.
Agile Controller supports the following correlation actions:
1. Blocking: Agile Controller defines ACLs on the switch or NGFW used as the control
point to block flows from identified threat sources.
2. Flow import: Agile Controller imports DDoS or virus traffic identified by use cases
from the switch to the NGFW. The NGFW then cleans the DDoS or virus traffic. On
the switch, flows can be imported to a physical interface, logical tunnel, or next hop.
3. Alarm: After identifying security events, Agile Controller sends traps to notify the
upper-layer service system and emails and SMS messages to alert the administrator
and users. Then the administrator and users can take measures immediately.
3.3.2 Scenario 2: Detection of Top Threat Assets on the Campus Network Based on Security Levels of Assets
On enterprise campus and data center networks there are thousands of devices, and the administrator wants to find the top threat assets. Based on security event data, asset significance, and the threat evaluation model, Agile Controller calculates security risk values for all assets and displays the Top10 threat assets so that the administrator can find them easily.
Threat evaluation takes into account the security event level, asset significance, and security event count. Asset security is scored on a 100-point scale, where a larger value indicates a higher security risk. If an enterprise has multiple campuses, Agile Controller can evaluate the threat level per area. There are five threat levels, marked in different colors. The evaluation result highlights the impact of serious security events on important assets.
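The following Python example is added here to make the scoring described above concrete; it is not the product's model, which the document does not disclose. The inputs (event level, asset significance, event count), the 0 to 100 scale, the five colored levels, per-area evaluation and the Top10 list come from the text; the level weights, the saturating count term, the level boundaries and the sample assets are assumptions made for the example.

```python
import math

# Assumed numeric mappings; the document names the inputs but not the weights.
EVENT_LEVEL_WEIGHT = {"info": 1, "low": 2, "medium": 4, "high": 7, "critical": 10}
ASSET_SIGNIFICANCE = {"low": 1, "medium": 2, "high": 3}
# Five threat levels on the 100-point scale, highest first (assumed boundaries and colors).
THREAT_LEVELS = [(80, "critical", "red"), (60, "high", "orange"), (40, "medium", "yellow"),
                 (20, "low", "blue"), (0, "very low", "green")]

# Constructed sample inventory (not from the document): name -> (significance, event levels).
SAMPLE_ASSETS = {
    "erp-db-01": ("high", ["critical", "high"]),
    "print-srv-02": ("low", ["medium"] * 30),
    "hr-web-03": ("medium", ["high", "high", "medium"]),
    "kiosk-04": ("low", []),
}


def asset_risk(significance, events, saturation=20.0):
    """Risk value on the 0-100 scale for one asset.

    events holds one level per security event, so both level and count contribute.
    The weighted sum saturates (1 - exp(-sum/saturation)) so that count has
    diminishing returns, and asset significance scales the result so that the same
    events on an important asset score higher than on a trivial one."""
    weight_sum = sum(EVENT_LEVEL_WEIGHT[level] for level in events)
    severity = 1.0 - math.exp(-weight_sum / saturation)
    scale = ASSET_SIGNIFICANCE[significance] / max(ASSET_SIGNIFICANCE.values())
    return round(100.0 * severity * scale, 1)


def threat_level(risk):
    """Map a risk value to its (level name, color)."""
    for floor, name, color in THREAT_LEVELS:
        if risk >= floor:
            return name, color
    return THREAT_LEVELS[-1][1:]


def top_threat_assets(assets, n=10):
    """The TopN list: (asset name, risk) pairs, highest risk first."""
    scored = [(name, asset_risk(sig, events)) for name, (sig, events) in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)[:n]


def area_threat_level(area_assets):
    """Per-area evaluation: the area inherits the risk of its worst asset (assumption)."""
    if not area_assets:
        return 0.0, threat_level(0.0)
    worst = max(asset_risk(sig, events) for sig, events in area_assets.values())
    return worst, threat_level(worst)


if __name__ == "__main__":
    for name, risk in top_threat_assets(SAMPLE_ASSETS):
        print(name, risk, threat_level(risk))
    print("area:", area_threat_level(SAMPLE_ASSETS))
```

With these weights a single critical event on a high-significance asset lands in the "low" band, while ten of them push it to "critical"; the same ten events on a low-significance asset never leave the "low" band, which is the "serious events on important assets" emphasis the text describes.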
4 Function
4.1 Free Mobility
4.1.1 Network Access Control
The Free Mobility component provides user identity management and access control functions. Agile Controller integrates standard RADIUS and Portal servers and supports various identity authentication modes, including local account and password, AD/LDAP association, CA/USB key, and association with a third-party RADIUS server. Meanwhile, the component can cooperate with WLAN devices, Huawei Portal switches, or standard 802.1x switches to provide multi-dimensional network access control. It provides flexible network access authorization policies based on the user identity, terminal type, access location, access time, and access mode:
1. User identity: Authorization is implemented based on the user's organization structure and department according to service requirements. Authorization can also be implemented based on the user role and service type.
2. Terminal type: The component provides the terminal identification function and can divide terminals into different groups to authorize them based on the terminal type. This can meet the wireless 802.1x or Portal access requirements of BYOD applications.
3. Access location: The component can provide different access policies and authorization by distinguishing the switches, APs, or ACs connected to the terminals and the SSIDs.
4. Access time: The component can provide different access and authorization policies for business-hour access and after-hour access.
5. Access mode: The component can provide different access policies and authorization based on the network access mode, such as wired access, wireless access, and VPN access.
When the live enterprise network is complex and replacing many network devices is impractical, the 802.1x or Portal access control solution can be deployed and the Free Mobility component used to provide cost-effective access control. Huawei SACG can be deployed in the enterprise data center to function as the switching core. Specific traffic flows can be diverted to the SACG using policy-based routing to protect important service resources of the enterprise. Huawei SACG implements access control based on user identity and access location.
4.1.2 Policy Management
The Free Mobility component provides visualized policy management and configuration
functions. Administrators can set policies based on the source and destination security groups
and determine whether inter-group policies take effect.
Policies can be displayed in a matrix or list. Administrators can switch the policy display mode. Administrators can perform the following operations in a policy matrix:
1. Create and manage user groups.
2. Create and manage policy templates.
3. Create and edit the matrix view, and set the source and destination user groups.
4. Configure inter-group policies.
Administrators can create a policy in a block specified by the source and destination user
groups on the policy matrix page. The policy can be a user control list (UCL) policy or a QoS
policy.
In the policy management list, administrators can click Add to create a permission control
policy for source and destination users. The policy can be a UCL policy or a QoS policy.
After administrators create and enable a policy, Agile Controller automatically synchronizes
related configurations to all NADs on the entire network.
4.1.3 Device Identification
The Free Mobility component provides the device identification function to determine the
device type and its operating system based on data features obtained by the device
identification probe.
The component supports the following types of device identification probes:
1. MAC OUI probe
The MAC organizationally unique identifier (OUI) is the first three bytes of a MAC address. OUIs are allocated to vendors in a centralized manner, and OUI information is saved in a database. To determine the vendor, the first three bytes of a MAC address are matched against the database.
2. DHCP Option probe
A terminal carries its feature information in the DHCP Option field when it obtains an IP address using DHCP. The feature information determines the terminal type. Currently, the Free Mobility component only works with a Huawei switch to obtain a terminal's DHCP Option information.
3. HTTP User-Agent probe
HTTP packets from a browser carry the HTTP User-Agent field, which determines the terminal type.
4. SNMP probe
For a network device that supports SNMP query, device feature information such as the device description and SNMP OID can be obtained through SNMP query. The feature information determines the terminal type.
The Free Mobility component can use multiple probing technologies simultaneously. It analyzes data obtained through more than one probe to determine the device type more accurately. In BYOD applications, the device identification function of the Free Mobility component can work with the network access control function to provide different network access policies for different types of terminals, improving IT O&M efficiency.
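The following Python example is added here to show how the four probes above can be implemented and their evidence combined; it is not Agile Controller's code. The OUI table and its vendor names are constructed placeholders, the probe weights are an assumption, and the DHCP option 60 values "MSFT" and "android-dhcp" are the well-known vendor class identifiers sent by Windows and Android clients. The sysObjectID arc 1.3.6.1.4.1.2011 is Huawei's SNMP enterprise number; the sysDescr strings are constructed.

```python
import re
from collections import defaultdict

# Constructed OUI table (a deployment would load the IEEE registry); these prefixes
# and vendor names are placeholders, not real assignments.
OUI_TABLE = {
    "AA:BB:01": "ExampleVendorA",
    "AA:BB:02": "ExampleVendorB",
}

# DHCP option 60 (vendor class identifier) prefixes sent by common DHCP clients.
DHCP_VENDOR_CLASS = {
    "MSFT": "Windows",
    "android-dhcp": "Android",
}

# Order matters: an Android User-Agent also contains "Linux".
UA_PATTERNS = [
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Macintosh"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]

# SNMP sysObjectID enterprise arcs; 1.3.6.1.4.1.2011 is Huawei's enterprise number.
ENTERPRISE_OID = {"1.3.6.1.4.1.2011": "Huawei"}

# Assumed trust ranking: device-reported SNMP data and DHCP fingerprints are harder
# to get wrong than a browser string, and an OUI only ever names the NIC vendor.
PROBE_WEIGHTS = {"snmp": 4, "dhcp": 3, "user_agent": 2, "oui": 1}


def mac_oui_probe(mac):
    prefix = mac.upper().replace("-", ":")[:8]
    vendor = OUI_TABLE.get(prefix)
    return [("oui", "vendor", vendor)] if vendor else []


def dhcp_option_probe(options):
    vci = options.get(60, "")
    for prefix, os_name in DHCP_VENDOR_CLASS.items():
        if vci.startswith(prefix):
            return [("dhcp", "os", os_name)]
    return []


def user_agent_probe(user_agent):
    for pattern, os_name in UA_PATTERNS:
        if pattern.search(user_agent):
            return [("user_agent", "os", os_name)]
    return []


def snmp_probe(sys_descr, sys_object_id):
    evidence = []
    descr = sys_descr.lower()
    if "printer" in descr:
        evidence.append(("snmp", "type", "printer"))
    elif "switch" in descr or "router" in descr:
        evidence.append(("snmp", "type", "network_device"))
    for prefix, vendor in ENTERPRISE_OID.items():
        if sys_object_id == prefix or sys_object_id.startswith(prefix + "."):
            evidence.append(("snmp", "vendor", vendor))
    return evidence


def identify(mac=None, dhcp_options=None, user_agent=None, snmp=None):
    """Combine whatever probes returned data; for each attribute the value with the
    highest summed probe weight wins. snmp is a (sysDescr, sysObjectID) pair."""
    evidence = []
    if mac:
        evidence += mac_oui_probe(mac)
    if dhcp_options:
        evidence += dhcp_option_probe(dhcp_options)
    if user_agent:
        evidence += user_agent_probe(user_agent)
    if snmp:
        evidence += snmp_probe(*snmp)
    scores = defaultdict(lambda: defaultdict(int))
    for probe, attribute, value in evidence:
        scores[attribute][value] += PROBE_WEIGHTS[probe]
    return {attribute: max(values, key=values.get) for attribute, values in scores.items()}
```

A terminal whose DHCP fingerprint says Android but whose browser claims Windows (a desktop-mode setting) is resolved in favour of the DHCP probe by the weights, which is the "more than one probe" point in the text; the weights are where a deployment would encode its own experience of which probe is most often spoofed or misleading.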
4.1.4 Visitor Management
The Free Mobility component provides the visitor management function to support full
lifecycle visitor management, implementing uniform management of visitor application,
approval, distribution, authentication, and deregistration. The visitor management function
has the following features:
1. Supports customization of the visitor application/authentication page.
Visitors can customize the visitor registration and account notification pages.
Visitors can customize the web login and login success pages.
Visitors can customize more than one authentication and registration page, with page redirection based on the browser language and visitor location.
The system provides some commonly used visitor attributes. When the default visitor attributes cannot meet service requirements, visitors can customize visitor attributes and define their meanings.
Visitors can preview the customized authentication and registration pages to test them and view the effects in real time.
2. Allows visitors to register accounts by themselves or employees to register visitor accounts.
Visitors can fill in the required parameters on the registration page to apply for accounts by themselves.
The system supports visitor manager customization to allow receptionists to apply for accounts.
The Free Mobility component provides flexible visitor approval and management functions. Users can specify the batch approval mode for visitor accounts on the visitor application page. Batch visitor accounts can be approved by employees or system administrators, or can be exempted from approval.
3. Supports multiple visitor account notification modes.
− Web notification
− Email notification
− SMS notification
4. Provides a set of visitor management APIs to external users.
The Free Mobility component can be integrated with external systems through the APIs. The APIs are frequently used in the service industry. For example, after the component is integrated with a queue management system, users can create a visitor account through the API and use this visitor account to access the Wi-Fi network.
4.2 Service Chain
The Service Chain component of Agile Controller can schedule specified service flows on
NADs to specific security devices based on the orchestration sequence and determine the
sequence in which the service flows are processed. The component implements Service Chain
using service flow policies. Generally, visitor traffic and user traffic from insecure areas need
to be scheduled, and then detected in the security resource center.
The Service Chain component virtualizes physical devices to shield device models and
locations, and directs different service flows to different service termination nodes.
Agile Controller can configure an independent service device as a link node, which can have a
bypass device deployed to improve reliability. Each service chain can have a maximum of
four nodes.
On Agile Controller, users can define service flows based on the source user group (source IP
address segment), destination resource group (destination IP address segment), source
resource group, and destination user group.
Agile Controller classifies devices into two categories for Service Chain: orchestration devices (such as switches) and service devices (such as NGFWs). Administrators can perform the following operations to manage these devices:
1. Import a single device, import devices in batches, or delete devices.
2. Manually synchronize interface data (including loopback and GRE interfaces) of devices added to Agile Controller. In any case, once devices are added, Agile Controller can synchronize interface data automatically.
3. Adapt and manage devices on Agile Controller using SNMP or Telnet.
Administrators can define orchestration devices, their service nodes, and roles of the nodes. The operations are as follows:
1. Add a service node, specify the orchestration device to which the service node is connected, and specify the role (firewall, antivirus device, or online monitoring device).
2. Configure the connection mode between the service node and the orchestration device. Create a GRE address pool and then configure the service nodes before a GRE tunnel can be automatically established. A GRE tunnel can be established only when the devices at both ends of the tunnel are Huawei devices.
3. Deliver configurations to the devices before a GRE tunnel can be automatically established.
After service nodes are configured, administrators need to view the connection status between the service device and the orchestration device and the configurations. Administrators can define a service chain on a specified orchestration device and adjust the node sequence in the service chain. The service chain related operations are as follows:
1. Define a service flow using ACL or UCL.
2. Define a service chain, specify the service flow and orchestration device to which the service chain applies, and configure the mode in which the orchestration device processes service chain abnormality (by default route or discarding).
3. Drag to adjust the sequence of service nodes in a defined service chain, modify the device on a service node, and enable or disable a service node.
4. Deploy the service chain configuration.
After all the configurations are complete, administrators can view connectivity of the service chain. Administrators can also add, delete, modify, and query service chains.
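The following Python example is added here as a model of the service chain rules in this section; it is not Agile Controller code and does not program any device. It takes from the text the flow definition by source and destination IP segments, the ordered node sequence with the three node roles, the four-node limit, the enable/disable switch on a node, and the two abnormality modes (default route or discard). The class names, the sample address segments (private and TEST-NET ranges) and the node names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_NODES = 4   # from the text: each service chain has at most four nodes


@dataclass
class ServiceNode:
    name: str
    role: str                 # "firewall", "antivirus" or "online_monitoring" (roles from the text)
    enabled: bool = True      # a disabled node is skipped
    reachable: bool = True    # connection status between node and orchestration device


@dataclass
class ServiceFlow:
    """A UCL/ACL-style flow: source and destination IP segments (user/resource groups)."""
    name: str
    src_segments: list
    dst_segments: list

    def matches(self, src_ip, dst_ip):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        return (any(src in ip_network(seg) for seg in self.src_segments)
                and any(dst in ip_network(seg) for seg in self.dst_segments))


@dataclass
class ServiceChain:
    name: str
    flow: ServiceFlow
    nodes: list
    on_abnormal: str = "default_route"   # or "discard": the two modes the text names

    def __post_init__(self):
        if len(self.nodes) > MAX_NODES:
            raise ValueError(f"{self.name}: at most {MAX_NODES} nodes per chain")
        if self.on_abnormal not in ("default_route", "discard"):
            raise ValueError(f"{self.name}: unknown abnormality mode {self.on_abnormal}")


def steer(chains, src_ip, dst_ip):
    """Decide what the orchestration device does with one flow: the ordered nodes it is
    sent through, and the action taken afterwards (or when a node is unreachable)."""
    for chain in chains:
        if not chain.flow.matches(src_ip, dst_ip):
            continue
        path = []
        for node in chain.nodes:
            if not node.enabled:
                continue
            if not node.reachable:
                # Abnormality: fall back to the mode configured on the chain.
                return {"chain": chain.name, "path": path, "action": chain.on_abnormal}
            path.append(node.name)
        # Traffic returns to the orchestration device and follows the default route.
        return {"chain": chain.name, "path": path, "action": "default_route"}
    return {"chain": None, "path": [], "action": "default_route"}


def build_sample_chains(antivirus_enabled=True, monitor_reachable=True,
                        on_abnormal="default_route"):
    """Constructed configuration (not from the document): visitor traffic to the
    Internet passes firewall, antivirus and online monitoring; R&D traffic to the
    Internet is only audited."""
    visitor_flow = ServiceFlow("visitor-to-internet", ["10.10.0.0/16"], ["0.0.0.0/0"])
    rnd_flow = ServiceFlow("rnd-to-internet", ["10.20.0.0/16"], ["0.0.0.0/0"])
    firewall = ServiceNode("ngfw-1", "firewall")
    antivirus = ServiceNode("av-1", "antivirus", enabled=antivirus_enabled)
    monitor = ServiceNode("audit-1", "online_monitoring", reachable=monitor_reachable)
    return [
        ServiceChain("visitor-chain", visitor_flow, [firewall, antivirus, monitor], on_abnormal),
        ServiceChain("rnd-chain", rnd_flow, [monitor], on_abnormal),
    ]


if __name__ == "__main__":
    print(steer(build_sample_chains(), "10.10.3.4", "203.0.113.5"))
    print(steer(build_sample_chains(monitor_reachable=False, on_abnormal="discard"),
                "10.10.3.4", "203.0.113.5"))
```

The abnormality setting is the decision a defender should make deliberately: "default_route" keeps the service running but lets the flow bypass the unreachable security node, while "discard" fails closed. Chains are matched in order, so a broader flow placed first would shadow a narrower one.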
4.3 Unity Security
4.3.1 Data Collection
With innovative architecture, Unity Security of Agile Controller is able to collect and protect
data efficiently. At the data collection layer, there are various types of collection components.
The distributed collection architecture is supported, and proxy and non-proxy collection
modes are available. The simplified design greatly reduces customer costs.
4.3.1.1 Collection Modes
Agile Controller adapts to standard interface protocols of various security objects to collect
data such as the security object configuration, running status, security events, and
vulnerabilities of security objects. The data collection layer supports the mainstream
collection protocols or interfaces. Agile Controller can collect the following logs:
• Syslog: logs of the Unix system, and Syslog-compliant firewalls, routers, switches, antivirus devices, and IDS
• SNMP: logs of SNMP-compliant firewalls, routers, switches, antivirus devices, patches, IDS, and application systems
• FTP/SFTP: log files of application systems where FTP download is enabled, for example, Apache log files
• OPSEC: logs of CheckPoint firewalls
• ODBC: application system logs stored in relational databases
• Universal file: file-based logs, for example, logs obtained through NFS or SMB (logs are formatted using a template)
• Specified log collection interface: logs of specified systems, which are obtained by specialized API interfaces, for example, logs of the vulnerability scanning system that can be collected by a specialized API interface or through the XML file, and logs of Windows operating system that are collected by the WMI interface
4.3.1.2 Collected Data Type
To meet requirements of various service applications, Agile Controller can collect the following data:
• Events or logs
• Vulnerabilities
• Configurations and differences with standard configurations
• Performance and running status
• Asset information
4.3.1.3 Collection Device Type
• Supports over 160 types of devices.
• Provides the document about detailed collection configuration for each type of device.
4.3.1.4 Data Storage
1. Basic functions of data storage
− Stores original logs, analyzed and merged logs, correlation analysis results, and generated statistics reports in a centralized manner.
− Quickly associates with original logs using analyzed and merged logs.
2. Storage security requirements
− Original logs and analyzed and merged logs are encrypted and stored, or access rights to them are restricted.
− Logs are encrypted and stored with a timestamp defacement mark to prevent the raw data of original logs from being modified or edited.
3. Storage configuration management
− Original logs and analyzed and merged logs exist in the centralized log management and audit system, and the two types of logs are stored in a centralized manner.
− The storage capacity is limited. If the limit is reached, an alarm is generated. Data compression can be used to solve this problem.
− Agile Controller can quickly retrieve stored logs, generate indexes in real time or at intervals, and provide fuzzy matching and fast query based on keywords.
4. Backup log security requirements
− Encrypts and stores original logs and analyzed and merged logs, and verifies their integrity.
5. Backup data storage compression
− Provides backup data compression.
− Provides a compression ratio not smaller than 1:10.
6. Backup restoration
− Provides restoration of original and merged data.
7. Backup management configuration
− Backup space configuration: Agile Controller configures the log backup space and sets the threshold. When the threshold is reached, Agile Controller generates an alarm.
− Backup status display: Agile Controller displays the current log backup status.
4.3.2 Correlation Analysis Implementation
1. Basic statistics correlation
− A specified type of event, the duration during which no such event occurs, and the duration during which the number of such events reaches the threshold are correlated.
2. Dynamic statistics association
− The log and alarm quantities (including the number of error alarms) of the same software and hardware differ when the software and hardware carry different services in different positions and time ranges. Therefore, it is important to set a proper event statistics threshold, especially the dynamic statistics threshold that triggers alarms.
− Agile Controller dynamically collects increments in percentage on a parallel period basis and compares the increments with thresholds. The following correlation rule is defined: when the number of ARP attack events that occurred in 1 minute is higher than 50% of the average number of attack events that occurred in the previous hour, risks exist.
− Agile Controller supports the following dynamic baseline statistics modes:
• By minute: Data collected an hour ago is used as the baseline.
• By hour: Data collected on the same day a week ago is used as the baseline.
• By day: Data collected every day a week ago is used as the baseline.
3. Multi-rule nesting correlation
− Supports multiple logical nesting correlations such as or, and, and or, and followed by.
− Defines the nesting correlation event scope.
− Does not limit nesting correlation layers.
4. Multi-dimensional correlation extension
− There is no limit on correlation extension, so correlation can be performed for users, objective properties, assets, vulnerabilities, and exceptions.
− If information to be correlated can be obtained from logs, files, or databases, the information can be correlated and displayed.
5. Correlation filtering conditions
− Defines the packet header and message content.
− Static value
• is, in, not in, like, not like, regex
• =, >, <, >=, <=, <>
− Functions
• MIN, MAX, SUM, CAT
• BYTES, DUR, CALC, DIRCHK, Flip, HDR, PARMVAL, RMQ, STRCAT, SYSVAL, URL, UTC
6. Correlation rule template
− Predefines a template with more than 200 correlation rules for different scenarios.
− Provides the default correlation rule template and allows the correlation rule template to be customized.
7. Correlation rule architecture
− During and after a correlation rule is configured, the correlation rule page displays the five factors of the correlation rule: correlation nesting relationship, nesting correlation cache value, event threshold, matching condition, and collection device source.
8. Correlation rule configuration guide
− Configures correlation rules on the graphical user interface (GUI), which provides graphical configuration guidance based on the five factors of correlation rules.
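The following Python example is added here to show the dynamic statistics threshold from item 2 in working form; it is not Agile Controller code. The ARP rule (the latest minute compared with the previous hour, 50% increment) and the three baseline modes come from the text; the mapping of the mode names to concrete time shifts, the zero-baseline handling and the sample event timestamps are this example's assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2014, 1, 27, 10, 0, 0)   # evaluation time for the constructed sample


def make_sample_events():
    """Constructed ARP-attack event timestamps (not from the document): four events per
    minute from 08:00 up to 09:58, then seven events in the latest minute (09:59)."""
    events = []
    start = NOW - timedelta(hours=2)
    for minute in range(119):
        for k in range(4):
            events.append(start + timedelta(minutes=minute, seconds=15 * k))
    for k in range(7):
        events.append(NOW - timedelta(minutes=1) + timedelta(seconds=8 * k))
    return events


def count_between(events, start, end):
    """Events with start <= t < end."""
    return sum(1 for t in events if start <= t < end)


def baseline_count(events, now, mode, window=timedelta(minutes=1)):
    """Baseline for the latest window. The three parallel-period modes follow the
    document's list (the time shifts are this example's reading of the mode names);
    "avg_prev_hour" is the per-minute average the ARP rule compares against."""
    current_start = now - window
    if mode == "minute":            # same window one hour earlier
        shift = timedelta(hours=1)
        return count_between(events, current_start - shift, now - shift)
    if mode == "hour":              # same window on the same day one week earlier
        shift = timedelta(days=7)
        return count_between(events, current_start - shift, now - shift)
    if mode == "day":               # mean over the same window on each of the previous 7 days
        total = sum(count_between(events, current_start - timedelta(days=d), now - timedelta(days=d))
                    for d in range(1, 8))
        return total / 7
    if mode == "avg_prev_hour":     # mean per-window count over the previous hour
        periods = timedelta(hours=1) // window
        total = count_between(events, current_start - timedelta(hours=1), current_start)
        return total / periods
    raise ValueError(f"unknown baseline mode: {mode}")


def increment_rule(events, now=NOW, mode="avg_prev_hour", threshold=0.5,
                   window=timedelta(minutes=1)):
    """Alarm when the latest window exceeds its baseline by more than `threshold`
    (0.5 is the 50% figure in the document's ARP rule)."""
    current = count_between(events, now - window, now)
    baseline = baseline_count(events, now, mode, window)
    if baseline == 0:
        # Edge case (assumption): with no baseline activity any activity is an unbounded
        # increase; a production rule would add a minimum absolute count to avoid noise.
        increment = float("inf") if current > 0 else 0.0
    else:
        increment = (current - baseline) / baseline
    return {"current": current, "baseline": baseline,
            "increment": increment, "alarm": increment > threshold}


if __name__ == "__main__":
    sample = make_sample_events()
    print(increment_rule(sample))
    print(increment_rule(sample, mode="minute"))
```

In the sample the latest minute holds 7 events against a baseline of 4 per minute, a 75% increase, so the rule alarms; one minute earlier the count equals the baseline and it stays quiet. The week-old "hour" baseline is empty for this short sample, which is exactly the case the zero-baseline branch exists for.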
4.3.3 Security Trend Display
Agile Controller displays security levels of areas on the entire network, top security events,
and attack route on the Unity Security home page. It provides messages for Top10 threat
assets and evaluates the security level of the entire network.
Based on security trend display of the entire network, an administrator can learn the security
situation and trend of the entire network, total number of threats, IT asset security risk
situation and trend, and threat and attack distribution and trend. The administrator then can
improve security management regulations.
Implementation personnel: monitoring personnel, administrator, security experts
1. Monitor security events in real time.
2. Respond to security events, acknowledge actions, and trigger correlation operations.
3. Security experts define new use cases for new security issues and verify the use cases.
4. Learn the security situation and trend of the entire network, total number of threats, IT asset security risk situation and trend, and threat and attack distribution and trend.
5. Monitor the security situation and trend of the entire network, total number of threats, IT asset security risk situation and trend, and threat and attack distribution and trend.
As shown in the following figure, the administrator can learn the topology of the entire network, threat degrees of branches, and attack route.
Agile Controller also provides the security trend of a single area.
You only need to click the threat degree icon of a target area or an asset group to view security
risks of the area or asset group.
4.3.3.1 Area and Asset Management
Agile Controller can divide the entire network into multiple areas so that assets can be
managed based on areas. In an area, there are multiple IP address segments. An administrator
can create and manage areas and assign different IP address segments to the specified area.
Unity Security of Agile Controller performs risk management for security objects. Security
objects include hosts, network devices, security devices, applications, data, and information.
Security objects have common and specialized attributes.
Agile Controller can display Top10 threat assets so that the administrator can easily find the
area with high risks on the entire network.
Agile Controller evaluates the security level of the entire network based on the security trend.
4.3.3.2 Security Event Management
Agile Controller analyzes internal and external alarms and sends alarms about potential threats. Alarms are often used together with security objects and risk management. By default, Agile Controller lists security events by severity and displays security events with high severity levels on the home page to alert the administrator. In addition, Agile Controller displays details of security events and suggestions to the administrator, which serve as a reference for the administrator when addressing security issues.
If a use case can accurately identify the result, Agile Controller delivers the action corresponding to the security event. If a use case cannot accurately identify the result, it is recommended that a correlation action be delivered. Agile Controller allows users to acknowledge the results of use cases and then determines whether to deliver the correlation action.
5 Configuration Requirements
5.1 PC Client Requirements
Client Type: PC Agent (Windows platform)
Operating System: Windows 2000 (Chinese); Windows 2000 (English)
Minimum Hardware Configuration:
1. CPU dominant frequency: 800 MB or above
2. Memory: 256 MB or above

Client Type: PC Agent (Windows platform)
Operating System: Windows XP X86 (32-bit) Chinese; Windows XP X86 (32-bit) English; Windows XP X64 (64-bit) Chinese; Windows XP X64 (64-bit) English; Windows Server 2003 X86 (32-bit) Chinese; Windows Server 2003 X86 (32-bit) English
Minimum Hardware Configuration:
1. CPU dominant frequency: 800 MB or above
2. Memory: 512 MB or above
3. Video card: DirectX 9 graphics processing unit (GPU)

Client Type: PC Agent (Windows platform)
Operating System: Windows Vista X86 (32-bit) Chinese; Windows Vista X86 (32-bit) English
Minimum Hardware Configuration:
1. CPU dominant frequency: 800 MB or above
2. Memory: 512 MB or above
3. Video card: DirectX 9 GPU

Client Type: PC Agent (Windows platform)
Operating System: Windows 7 X86 (32-bit) Chinese; Windows 7 X86 (32-bit) English; Windows 7 X64 (64-bit) Chinese; Windows 7 X64 (64-bit) English
Minimum Hardware Configuration:
1. CPU dominant frequency: 1 GHz 32-bit or 64-bit
2. Memory: 1 GB
3. Video card: DirectX 9 GPU or above 128 MB (AERO effect enabled)

Client Type: PC Agent (Windows platform)
Operating System: Windows 8 X86 (32-bit) Chinese; Windows 8 X86 (32-bit) English; Windows 8 X64 (64-bit) Chinese; Windows 8 X64 (64-bit) English
Minimum Hardware Configuration:
1. CPU dominant frequency: 1 GHz 32-bit or 64-bit
2. Memory: 1 GB
3. Video card: DirectX 9 GPU or above 128 MB (AERO effect enabled)

Client Type: Browser
Operating System: Windows XP X86 (32-bit) English; Windows XP X64 (64-bit) Chinese; Windows XP X64 (64-bit) English; Windows Server 2003 X86 (32-bit) Chinese; Windows Server 2003 X86 (32-bit) English; Windows Vista X86 (32-bit) Chinese; Windows Vista X86 (32-bit) English; Windows 7 X86 (32-bit) Chinese; Windows 7 X86 (32-bit) English; Windows 7 X64 (64-bit) Chinese; Windows 7 X64 (64-bit) English; Windows 8 X86 (32-bit) Chinese; Windows 8 X86 (32-bit) English; Windows 8 X64 (64-bit) Chinese; Windows 8 X64 (64-bit) English

Client Type: Browser (Web authentication)
Platform and browser:
− IOS: Safari, QQ, Dolphin
− Android: Chrome (built-in), UC, 360, QQ, Sogou, Baidu, Dolphin
− Windows phone: IE
− Windows: IE, Mozilla Firefox, Google Chrome, Safari

Client Type: Browser (Web management)
Browser: IE6.0-10.0
5.2 Server Requirements
Version: Agile Controller (SM&SC)
Management Scale: SC: 10,000 online users; Network server: 2000 devices
Hardware Configuration: CPU: 2 x E5-2640 6c 2.5 GHz or above; Memory: 16 GB; Hard disk: 2 x 1 TB; Network adapter: 2 x GE
OS:
1. Windows Server 2008 R2 (X64) Chinese
2. Windows Server 2008 R2 (X64) English
DB:
1. Microsoft SQL Server 2005 Chinese
2. Microsoft SQL Server 2005 English
3. Microsoft SQL Server 2008 Chinese
4. Microsoft SQL Server 2008 English
5. Microsoft SQL Server 2008 R2 Chinese
6. Microsoft SQL Server 2008 R2 English

Version: Agile Controller (Unity Security)
Management Scale: 2500 EPS
Hardware Configuration: CPU: 2 x E5-2640 6c 2.5 GHz or above; Memory: 32 GB; Hard disk: 2 x 1 TB; Network adapter: 2 x GE
6 Performance Indicators
This section describes performance indicators of Agile Controller.
6.1 PC Client Performance Indicators

Client Type | Memory Usage | CPU Usage | Authentication Time | Software and Hardware Configuration
AnyOffice client (Windows platform) | 40 to 50 MB | ≤ 5% | Non-802.1X: ≤ 3 s; 802.1X: ≤ 10 s; 802.1X (certificate): ≤ 15 s | CPU clock frequency 2 GHz, 32-bit or 64-bit; memory 4 GB; operating system Windows 7
Web authentication | N/A | N/A | ≤ 3 s | N/A
6.2 Server Performance Indicators

[Component Indicator]

Component | Minimum Memory | Recommended Memory | CPU (Idle) | CPU (Busy) | Disk Space | Quantity
SM | 1024 MB | ≤ 1.2 GB | ≤ 5% | ≤ 50% | ≤ 1500 MB | 1
SC | 512 MB | ≤ 1.2 GB | ≤ 5% | ≤ 50% | ≤ 1500 MB | ≤ 50
Database | 2 GB | Default configuration ≤ 2 GB | ≤ 5% | ≤ 50% | ≤ 300 GB | ≤ 3
Component Server | Memory | Minimum Disks | Operating System
Integrated server (including all components) | 32 GB | 2 x 1 TB system disk + 4 x 2 TB data disk (RAID 10) | SuSE Linux 11 + MySQL 5
Security View server | 32 GB | 2 x 1 TB system disk (RAID 10) | SuSE Linux 11 + MySQL 5.5
Security View server (HA) | 32 GB | 2 x 1 TB system disk (RAID 10) | SuSE Linux 11 + MySQL 5.5
iRadar server | 64 GB | 2 x 1 TB system disk + 6 x 2 TB data disk (RAID 10) | SuSE Linux 11
iRadar server (HA) | 64 GB | 2 x 1 TB system disk (RAID 10) + S2600T | SuSE Linux 11
Log collection server | 8 GB | 2 x 1 TB system disk (RAID 10) + S2600T | SuSE Linux 11
Correlation analysis server | 64 GB | 2 x 1 TB system disk (RAID 10) + S2600T | SuSE Linux 11
[Performance Indicator]

Type | Item | Value | Remarks
Authentication | RADIUS server - local account | 1000 times per second (using a test tool, low delay) | PAP/CHAP/EAP-MD5
Authentication | RADIUS server - local account | 100 times per second | EAP-PEAP-MSCHAPv2/EAP-PEAP-GTC/EAP-TLS
Authentication | RADIUS server - external data source account | 50 times per second |
Authentication | Portal server - local account | 40 times per second |
Authentication | Portal server - external data source account | 40 times per second |
Authentication | AD/LDAP synchronization: synchronization of 100,000 AD accounts | 2 hours |
Authentication | AD/LDAP synchronization: synchronization of 100,000 LDAP accounts | 2 hours |
Terminal identification | Non-scanning | 1000 per minute |
Terminal identification | Scanning | 5 per minute |
External interface | Visitor interface | 5 times per second |
Management scale | Maximum number of sub-departments in each department | ≤ 500 |
Management scale | Maximum number of layers in a department | ≤ 20 |
Management scale | Maximum number of terminal accounts | 100,000 |
Management scale | Maximum number of terminals | 100,000 |
Management scale | Maximum number of managed devices | 2000 |
Management scale | Maximum number of online terminals on the SC | 10,000 per server |
Management scale | Number of IP addresses bound to each account | ≤ 10 |
Management scale | Number of MAC addresses bound to each account | ≤ 10 |
Management scale | Number of terminals that can be registered using one account | ≤ 10 |
Management scale | Maximum number of visitor accounts | 100,000 |
Management scale | Number of AD data sources | ≤ 50 |
Management scale | Number of LDAP data sources | ≤ 50 |
Management scale | Number of RADIUS relay servers | ≤ 50 |
Management scale | Number of RADIUS token servers | ≤ 50 |
Management scale | Number of CA issuing organizations | ≤ 50 |
Management scale | Number of self-defined page templates | ≤ 10 |
Data amount | System disk | 30 GB |
Administrator operation | Page operation | 3 s | Exporting 10,000 records: 30 s
Administrator operation | Page opening and switching | 5 s |
Administrator operation | Administrator login | 5 s |
Administrator operation | Online user information storing | 15 s |
Administrator operation | Online user querying | 5 s |
[Unity Security]

Component | Item | Value | Remarks
Integrated server | Log processing by the bus | 2500 EPS | Log cache and distribution performance
Integrated server | Log correlation analysis | 1000 EPS | Log correlation analysis performance
Distributed deployment | Log processing by the bus | 5000 EPS | Log cache and distribution performance
Distributed deployment | Single log correlation analysis engine | 1000 EPS | Correlation analysis performance of the distributed log correlation analysis engine
Distributed deployment | Number of iRadar_CA servers (distributed correlation analysis engines) | 4 | Log collection performance of the distributed log collection servers
Distributed deployment | Total capability of distributed correlation analysis engines | 5000 EPS |
Distributed deployment | Number of collector management programs (of a collection server) | 70 |
iRadar - distributed correlation analysis engine server | Log correlation analysis | 1000 EPS |
iRadar - distributed collector | Log processing performance | 2500 EPS | Log processing performance of the iRadar bus
Security View server | Number of collectors | 10 |
Security View server | Security event processing capability | 5 EPS |
Security View server | Maximum records of stored security events | 5 million |
Security View server | Maximum records of unprocessed security events | 20,000 |
Security View server | Maximum number of areas in the topology | 50 |
Security View server | Maximum number of asset groups in the area topology | 50 |
Security View server | Maximum number of assets | 20,000 |
Security View server | Exporting performance | 5 million |
6.3 Devices Supported by the Free Mobility Component

Type | Version | Device Model
NG firewall | V1R1C20 | USG6320
NG firewall | V1R1C20 | USG6510-SJJ
NG firewall | V1R1C20 | USG6330
NG firewall | V1R1C20 | USG6350
NG firewall | V1R1C20 | USG6360, USG6530
NG firewall | V1R1C20 | USG6370, USG6550
NG firewall | V1R1C20 | USG6380
NG firewall | V1R1C20 | USG6390, USG6570
NG firewall | V1R1C20 | USG6620
NG firewall | V1R1C20 | USG6630
NG firewall | V1R1C20 | USG6650
NG firewall | V1R1C20 | USG6660
NG firewall | V1R1C20 | USG6670
NG firewall | V1R1C20 | USG6680
Box switch | V2R6C00 | S5720HI
Chassis switch | V2R6C00 | S12700
Chassis switch | V2R6C00 | S9700
Chassis switch | V2R6C00 | S7700
6.4 Devices Supported by the Service Chain Component

Type | Version | Device Model
NG firewall | V1R1C20 | USG6320
NG firewall | V1R1C20 | USG6510-SJJ
NG firewall | V1R1C20 | USG6330
NG firewall | V1R1C20 | USG6350
NG firewall | V1R1C20 | USG6360, USG6530
NG firewall | V1R1C20 | USG6370, USG6550
NG firewall | V1R1C20 | USG6380
NG firewall | V1R1C20 | USG6390, USG6570
NG firewall | V1R1C20 | USG6620
NG firewall | V1R1C20 | USG6630
NG firewall | V1R1C20 | USG6650
NG firewall | V1R1C20 | USG6660
NG firewall | V1R1C20 | USG6670
NG firewall | V1R1C20 | USG6680
Chassis switch | V2R6C00 | S12700
Chassis switch | V2R6C00 | S9700
Chassis switch | V2R6C00 | S7700
6.5 Devices Supported by the Unity Security Component

Type | Version | Device Model
NG firewall | V1R1C20 | USG6320
NG firewall | V1R1C20 | USG6330
NG firewall | V1R1C20 | USG6350
NG firewall | V1R1C20 | USG6360
NG firewall | V1R1C20 | USG6370
NG firewall | V1R1C20 | USG6380
NG firewall | V1R1C20 | USG6390
NG firewall | V1R1C20 | USG6510-SJJ
NG firewall | V1R1C20 | USG6530
NG firewall | V1R1C20 | USG6550
NG firewall | V1R1C20 | USG6570
NG firewall | V1R1C20 | USG6620
NG firewall | V1R1C20 | USG6630
NG firewall | V1R1C20 | USG6650
NG firewall | V1R1C20 | USG6660
NG firewall | V1R1C20 | USG6670
NG firewall | V1R1C20 | USG6680
High-end firewall | V3R1C20 | USG9520
High-end firewall | V3R1C20 | USG9560
High-end firewall | V3R1C20 | USG9580
SVN | V200R003C00 | SVN6350
SVN | V200R003C00 | SVN6350-C
NIP | V100R002C10 | NIP2050
NIP | V100R002C10 | NIP2100
NIP | V100R002C10 | NIP2130
NIP | V100R002C10 | NIP2150
NIP | V100R002C10 | NIP2200
NIP | V100R002C10 | NIP5100
NIP | V100R002C10 | NIP5200
NIP | V100R002C10 | NIP5500
NIP | V100R002C10 | NIP2050D
NIP | V100R002C10 | NIP2100D
NIP | V100R002C10 | NIP2130D
NIP | V100R002C10 | NIP2150D
NIP | V100R002C10 | NIP2200D
NIP | V100R002C10 | NIP5100D
NIP | V100R002C10 | NIP5200D
NIP | V100R002C10 | NIP5500D
ASG | V100R001C10 | ASG2050
ASG | V100R001C10 | ASG2100
ASG | V100R001C10 | ASG2150
ASG | V100R001C10 | ASG2200
ASG | V100R001C10 | ASG2600
ASG | V100R001C10 | ASG2800
Switch | V2R6C00 | S7700
Switch | V2R6C00 | S9700
Switch | V2R6C00 | S12700
Switch | V2R6C00 | S5720HI
Switch | V2R6C00 | S5700LI
Switch | V2R5C00 | S5710EI
Switch | V2R5C00 | S5710HI
Switch | V2R5C00 | S5700EI
Switch | V2R5C00 | S5700HI
Switch | V2R5C00 | S6700EI
Switch | V2R5C00 | S5700SI
Switch | V2R5C00 | S275X-EI
AR | V2R5C10 | AR150
AR | V2R5C10 | AR160
AR | V2R5C10 | AR200
AR | V2R5C10 | AR1200
AR | V2R5C10 | AR2220
AR | V2R5C10 | AR3260
WLAN | V2R5C00 | AC6605
WLAN | V2R5C00 | AC6005
WLAN | V2R5C00 | ACU2
DDoS | V100R001C00 | AntiDDoS1500-D
DDoS | V100R001C00 | AntiDDoS1520
DDoS | V100R001C00 | AntiDDoS1550
DDoS | V100R001C00 | AntiDDoS8030
DDoS | V100R001C00 | AntiDDoS8080
DDoS | V100R001C00 | AntiDDoS8160
7 Standards and Protocols

A Terms