HUAWEI eSight Secure Center Feature Introduction

Contents
1. Typical Scenario and Management Challenges
2. Secure Center Solution
3. Competitive Analysis
4. Ordering Guidance

Application Scenario for Firewall Policies
1. Headquarters, branch, and data center border protection
2. Internal security protection for an enterprise network and data center network
3. User access control for an enterprise network and data center network
In these scenarios, a large number of policies (such as security policies and NAT policies) and objects (such as address sets and services) need to be planned.
[Figure: network diagram covering the branch, enterprise office network, DMZ, data center, and cloud data center, with FW, IPS, Anti-DDoS, WAF, SSL VPN, IPSec VPN, terminal security, SOC, and eSight.]

Policy Management Challenges
[Figure: Secure Center at the center, surrounded by these labels: unfamiliarity with new devices; fault recovery; rapid deployment; centralized planning; complex traffic in an enterprise; establishment of new branches; lack of security knowledge; migration of office areas; employee admission and resignation; employee transfer to another department; changes in service traffic; rapid fault recovery; lack of optimization skills; migration of policies to new devices.]
Secure Center provides centralized policy planning, adjustment, and deployment as well as rapid fault recovery capabilities.
Smart Policy is an intelligent policy management technology unique to Huawei NGFW that helps enterprises throughout the entire security management life cycle.

eSight Secure Center O&M Solution
Planning and Management: centralized planning and management of policies/objects
  Centrally plans and manages security policies and NAT policies of firewalls.
  Centrally manages public objects such as security zones, address sets, time segments, and services.
Configuration Synchronization: synchronization of firewall policies and objects
  Supports synchronization of firewall policies and objects to eSight.
  Supports comparison between policies and objects on firewalls and those in eSight.
  Supports synchronization of device configurations using NETCONF.
Policy Deployment: completion of policy deployment in four steps
  Supports verification of the deployment environment, improving the deployment success rate.
  Allows incremental deployment, minimizing the effect of the deployment on running network services.
  Supports service data deployment using NETCONF.
Backup and Restoration: backup and restoration of policies and objects
  Supports periodic and manual backup of firewall policies and objects.
  Supports restoration of firewall policies and objects.

Planning and Management

Centralized Planning and Management of Policies/Objects
[Figure: eSight in the NMS area manages firewalls and switches at the headquarters, Branch A, Branch B, Branch C, the DMZ, and the data center. NGFW object management: app, location, time, attack, content, user, IP address pool. NGFW security policies: quintuple, app, content, time, user, threat, location, action. NGFW NAT policies: quintuple, IP address pool, action.]
Object management: centrally plans and manages objects on the entire network.
Policy management: plans and manages security policies and NAT policies on the entire network.
Policy planning in multiple modes: supports the following operations in policy planning: copy, cut, paste, drag, and import.
Multi-user operation support: provides the lock function to prevent multiple users from modifying a policy or object at the same time.
Note: eSight V3R7C00 does not support planning and configuration of the following objects: applications, contents, users, and threats.
Policy control combines six dimensions, giving finer control granularity and more convenient management. The functions can be stacked on one another, for example running antivirus after a specific application is identified, or running antivirus after a file is decompressed.

Planning Objects and Policies
1. Create an object.
2. Create a policy, and reference the object in the policy.
3. Bind the policy to devices on which the policy needs to be deployed.
After planning policies and objects, the administrator creates and adjusts objects on the object management page, and references objects on the page for creating or modifying a policy. The system allows the administrator to drag the objects to be referenced to desired areas on the page for creating or modifying a policy. If an object that the administrator wants to reference does not exist, the administrator can create one on the page for creating or modifying a policy.

Centralized Policy Management
Secure Center provides centralized and policy-based management of security policies and NAT policies on the entire network. The administrator can bind a policy to multiple devices to implement centralized planning and management of policies.

Planning and Management of Policy Groups
Supports centralized planning and management of policy groups.
Allows the administrator to create, delete, and modify policy groups.

Support for Multi-user Operations
Provides the lock function to prevent multiple administrators from modifying an object or policy at the same time, ensuring data consistency and accuracy.
When an administrator is modifying an object or policy, the system automatically locks this object or policy, so other administrators cannot modify or delete it.
The admin user can unlock objects or policies locked by other users.
A button is provided on the GUI to allow an administrator to manually lock an object or policy.

Domain-based Management
The administrator can enable, disable, and manage administrative domains.
The administrator can create administrative domains, and plan devices and virtual systems in the administrative domains.
eSight provides the domain-based management function to manage security policies for services in different domains. Each domain runs independently, and the administrator can switch between administrative domains.

Configuration Synchronization

Configuration Synchronization Management
Supports synchronization of policies and objects configured on devices to eSight.
Supports immediate synchronization and periodic synchronization. Immediate synchronization is triggered manually; periodic synchronization runs automatically, but an interval needs to be set.
Device configuration status: The system compares the device configurations obtained in two synchronizations. If they are inconsistent, the device configuration status will be Changed.
Configuration status: The system compares the configuration data in eSight with the data obtained from a device in the last synchronization. If they are inconsistent, the configuration status will be Out of Sync.

Comparison of Configuration Between eSight and Devices
The system provides detailed differences between configuration data in eSight and that on a device. An administrator analyzes the differences and determines which data is correct. If the configuration data on a device is correct, the administrator performs the accept operation to write the device configuration to the eSight database. If the data in eSight is correct, the administrator simply needs to retain the data in eSight. The preceding operations ensure consistency between configuration data in eSight and that on the devices.
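
As an added illustration (not part of the Huawei deck and not eSight code), the two status checks and the compare/accept step described on the two slides above can be sketched in Python, showing how an out-of-band rule change on a firewall surfaces. The rule dictionaries, field names, and the "Unchanged" and "In Sync" labels are assumptions.

```python
# Added illustration: hypothetical data model, not eSight's schema or API.
import copy
import hashlib
import json

def fingerprint(policies):
    """Order-independent SHA-256 over a {rule_name: rule_dict} policy set."""
    canon = json.dumps(policies, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def sync_status(prev_device, curr_device, nms):
    """Return (device configuration status, configuration status).
    'Unchanged' and 'In Sync' are assumed names for the consistent states."""
    device = "Changed" if fingerprint(prev_device) != fingerprint(curr_device) else "Unchanged"
    config = "Out of Sync" if fingerprint(nms) != fingerprint(curr_device) else "In Sync"
    return device, config

def compare(nms, device):
    """List differences as (kind, rule_name, differing_fields)."""
    diffs = []
    for name in sorted(set(nms) | set(device)):
        a, b = nms.get(name), device.get(name)
        if a == b:
            continue
        if a is None:
            diffs.append(("device-only", name, sorted(b)))
        elif b is None:
            diffs.append(("nms-only", name, sorted(a)))
        else:
            changed = sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
            diffs.append(("modified", name, changed))
    return diffs

def accept(device):
    """Accept operation: the device copy becomes the new NMS copy."""
    return copy.deepcopy(device)

# Constructed sample data: planned policies, and a device edited out of band.
NMS = {
    "allow-web": {"src": "office", "dst": "dmz-web", "service": "https", "action": "permit"},
    "allow-db": {"src": "dmz-web", "dst": "dc-db", "service": "mysql", "action": "permit"},
}
LAST_SYNC = copy.deepcopy(NMS)   # device configuration seen at the previous synchronization
DEVICE = copy.deepcopy(NMS)      # device configuration seen at the current synchronization
DEVICE["allow-db"]["src"] = "any"  # source widened directly on the device
DEVICE["tmp-test"] = {"src": "any", "dst": "any", "service": "any", "action": "permit"}

if __name__ == "__main__":
    print(sync_status(LAST_SYNC, DEVICE, NMS), compare(NMS, DEVICE))
```

A "modified" or "device-only" entry that widens a source or adds a permit-any rule is the case where the administrator would retain the NMS data rather than accept the device copy.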

Policy Deployment

Policy Deployment
After planning objects and policies, an administrator deploys them on devices by clicking Instant execution or Schedule deployment.
Currently, an object or policy can be deployed on a maximum of 10 devices at a time.

Policy Deployment (Continued)
Specify devices
Verify deployment environment
Display deployment results
After an administrator specifies devices, the system verifies the deployment environment and provides the data to deploy for the administrator. This is to ensure deployment success.

Backup and Restoration

Backing Up Configuration Data
Manually back up policies and objects.
Configure parameters for automatic backup.
The customer can regularly back up policies and objects supported in eSight. If faults occur on the network, the customer can restore the network service using backup data, improving network restoration efficiency.

Checking Differences Between Backup Data
An administrator can compare data that is backed up in different backup tasks and determine which backup data can be used to restore network configuration.

Restoring Configuration Data
Select the backup data and restore network configuration.
The administrator checks differences between backup data and selects the desired backup data to restore network configuration, ensuring rapid restoration of network services. To restore network configuration, the administrator first needs to replace configuration data in the eSight database with the backup data, and then deploy the new configuration data on specified devices.