Huawei Smart University Exit Security Solution (1)

Course address

The course resources related to this solution have been released in the Huawei O3 community. If you want to watch the video, follow these steps to access it (a Huawei account is required; an ordinary personal account is enough~)

Course address:

  1. Copy the link https://o3community.huawei.com/ to enter the Huawei O3 community;
  2. Click "Training Empowerment > Guided Learning";
  3. Select "Huawei Intelligent University Exit Security Solution" in the guided course to see the relevant content of the course.
    The video is explained by me. The course includes the solution explanation and solution-related technical documents. If you have any questions during the learning process, you can leave a message below the video course or in the comment area of this article for discussion~

Solution background

Educational informatization is the mainstream development trend in the education industry. With the continuous development of ICT technology, university networks bring convenience to teachers and students, but they also face various types of network attacks and intrusions. To ensure the network security of universities, the security technologies of each network functional partition must be coordinated, and the security technology of the university network egress is an important part of this.

This article mainly describes Huawei's smart university exit security solution, mainly from three aspects: demand analysis, solution design and solution deployment.

Demand analysis

Overview of college campus network

The College Campus Network is a network platform that specifically provides services to colleges and universities. It aims to provide efficient, convenient and secure network services for teachers and students of colleges and universities. Teachers and students can quickly access various teaching resources and academic information through the university campus network, and can also conveniently carry out personnel management, teaching management, scientific research management and other tasks.

Figure: Panorama of college campus network

College campus networks usually include the following network functional areas: school interconnection area, campus core area, teaching area, living area, dormitory area, administrative management area, operation and maintenance management area, on-campus data center area and university egress area, etc. This article focuses on the university egress area.

Figure: Functional partitioning of university campus network

Introduction to college exit scenarios

The university egress refers to the area of the campus network through which the university connects to external networks. Through this area, business needs such as resource sharing between the campus network and the off-campus Internet, information transmission, teaching and scientific research can be met.
The egress business flows of universities can be roughly divided into:

  1. Outbound access traffic: visitors accessing the Internet, teachers and students accessing the Internet, and access to the education private network.
  2. Inbound remote access traffic: remote access by off-campus teachers and students over SSL VPN.
  3. External visitor traffic: traffic from off-campus visitors to the university's public platforms.

In addition to carrying various business traffic of the campus network itself, university egresses also need to have the ability to defend against various network attacks.

Analysis of the overall egress requirements of universities

As the key area connecting the campus network and the external network, the university egress has overall requirements that can be divided into business security requirements, attack defense requirements and operation and maintenance audit requirements.

Business security requirements

Business flows can be roughly divided into three types:

  1. Outbound access traffic

Modern education is closely connected with the Internet. Connecting to the external network enables teachers and students to obtain a wider range of information resources, strengthens communication and interaction in learning and teaching, and also helps expand the school's influence and reputation.

While providing outbound access services to teachers, students and visitors on campus, it is also necessary to ensure the network experience of university users and the security of the campus network. The specific safeguard measures are as follows:

(1) Access control: Allow legitimate users normal outbound access, and deny outbound access to illegal users;
(2) Behavior management: Manage and control users' online behavior to avoid illegal access and inappropriate remarks;
(3) Quality assurance: Select appropriate egress routes to ensure the communication quality of key business flows.

  2. Inbound remote access traffic

During the winter and summer vacations of colleges and universities, teachers and students can access the campus network through SSL VPN and access the school's teaching platform, library, laboratory and other resources to achieve remote data acquisition, remote teaching and remote office work, etc., to improve work efficiency and learning convenience.

In order to ensure the network experience of off-campus users and the security of the campus network, all types of inbound remote access traffic need to be controlled as follows:

(1) Access control: Only legal remote users are allowed to access specific intranet resources;
(2) Identity authentication: The identity of remote users needs to be verified to ensure that it is legitimate and to prevent access by illegal users;
(3) Permission control: The access rights of remote users need to be reasonably controlled to avoid unauthorized access and operations.

  3. External visitor traffic

It is necessary for universities to build service websites that are open to the outside world. Such websites can provide the outside world with basic information about universities, disciplines and majors, faculty, scientific research results, campus culture and other information. This is conducive to the publicity, promotion and enrollment work of universities, strengthens the connection between universities and society, and promotes the construction of campus culture and the development of alumni resources.

In order to ensure normal access and a good network experience for off-campus visitors, as well as the security of the university network, the services and ports open to the outside world must be reasonably controlled, and redundant ports and services that attackers could take advantage of must not be opened.

Attack defense requirements

Because universities need to open public online services to the outside world, they need to resist common attacks and threats to ensure the stable operation of public services. Common attacks and threats are as follows:

  1. Network intrusion & virus attack

External servers of universities need to provide many services, such as website access, teaching resource downloads, scientific research data storage, etc. Without adequate network security measures or poor management, servers can be exposed to viruses and intrusions. Hackers can exploit vulnerabilities to invade servers and then steal sensitive information or use the server as a springboard to directly conduct internal attacks.

In order to ensure the normal operation of universities' external services, it is necessary to deploy intrusion prevention and anti-virus equipment, which can effectively ensure university network security, protect teaching and scientific research information security, and avoid sensitive information leaks and virus attacks.

  2. DDoS attack

Various service websites opened to the public by universities are extremely vulnerable to DDoS attacks. This type of attack can paralyze university servers, making them unable to be used normally and affecting normal teaching and research work. Corresponding defensive measures need to be taken to ensure the normal operation of various online services in universities.

As the key area connecting the campus network and the Internet, the egress area of a university needs to deploy relevant security equipment to resist DDoS attacks.

  3. APT attack

With the continuous evolution of network attack technology, APT (Advanced Persistent Threat) attacks have become one of the main attack methods faced by university networks. Such attacks may steal relevant sensitive and key data from university servers or on-campus data centers, affecting normal business operations.

In order to ensure the security of key data, sensitive data and important servers in the school, as well as the smooth development of normal teaching and research work, relevant network security equipment needs to be deployed to resist APT attacks.

Operation and maintenance audit requirements


University network operation and maintenance managers need network operation and maintenance audit functions to monitor system operation in real time, check whether the system is operating normally, discover and solve problems in a timely manner, and issue security policies from a unified security controller to achieve network-wide security coordination and reduce the network failure rate and maintenance costs.

In addition, based on the logging and auditing functions, administrators can perform data analysis, behavior forensics, operation recurrence, and intelligent decision-making, etc., to help university networks improve security, optimize network performance, achieve refined management, and improve user satisfaction.

Solution planning

Huawei Smart University Exit Security Solution Architecture


  1. Deploy a full-traffic cleaning Anti-DDoS abnormal traffic cleaning system outside the egress firewall to avoid malicious DDoS attacks on the school website.
  2. Firewalls are deployed at the network egress to provide border security protection. Huawei T-level firewalls meet the Internet access needs of tens of thousands of teachers and students, satisfying high-concurrency and scalable performance requirements.
  3. Respond to APT attacks on the Internet through the linkage of firewalls and sandboxes. In the solution, the firewall sends files of unknown threats to the sandbox for detection, and regularly obtains the detection results of the sandbox, and refreshes the corresponding malicious file library based on the detection results.
  4. Internet behavior management is attached to the core switch, and teachers and students' online authentication-related traffic and teacher and student Internet traffic are obtained through mirroring, and teachers and students' online behavior are audited and recorded to avoid unnecessary legal risks caused by accessing illegal websites and publishing illegal remarks.
  5. Intelligent routing of egress traffic is performed based on weight, threshold, application, etc. to ensure reasonable utilization of bandwidth.
  6. Deploy a VPN gateway at the exit (which can be replaced by a firewall) to provide VPN access channels for teachers working at home, students at home during winter and summer vacations, and network management personnel, which is safe and controllable.

Functional division of Huawei’s smart university exit security solution

Based on the above analysis of the overall needs of university exit areas, Huawei's smart university exit solution can be divided into three functional modules: business deployment and optimization, attack defense, and operation and maintenance auditing.

Business deployment and optimization

1. Deployment and optimization of outbound access traffic

Access control: Deploy firewalls and configure relevant security policies to ensure that only traffic within the permitted access range of the business can access the external network to avoid key data leakage and illegal access.

Behavior management: Deploy ASG equipment and configure behavior audit policies to supervise and audit the online behavior of school personnel to avoid unnecessary legal risks caused by accessing illegal websites and publishing illegal remarks.

Quality assurance: Deploy firewalls and configure intelligent routing technology to ensure the communication quality of key business flows in universities and the reasonable utilization of bandwidth.
This solution deploys policy routing so that key business flows bypass the Anti-DDoS device and are sent directly to the egress. The return path is handled in the same way.

2. Deployment and optimization of inbound remote access traffic

Access control: Deploy firewalls and configure relevant security policies to allow users to establish SSL VPN tunnels with devices, allow users to access specific intranet resources, and intercept remote illegal access traffic.

Identity authentication: Create remote user groups and remote login users locally on the firewall, and use local authentication to ensure that only legal users can remotely access the campus network through SSL VPN to access intranet resources.

Permission control: Configure the SSL VPN gateway on the firewall and set parameters such as "role authorization" and "network extension" for permission control to avoid unauthorized access.

3. Deployment and optimization of external visitor traffic

Policy control: Configure security policies on the firewall, setting parameters such as "service", "port" and "time" to strictly control which services and ports are open to the outside world and during which time periods, and avoid opening redundant ports and services.
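As an added illustration of the policy control described above (example code written for this article, not Huawei's firewall configuration), the following Python model evaluates inbound flows to the public-service zone against service, port and time-window rules with a default deny, and audits the rule set for management or database ports that should not be published at the egress. The addresses, rule names and time windows are constructed.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    dst_net: str      # address range of the published server(s)
    protocol: str     # "tcp" or "udp"
    port: int
    start: str        # daily opening window "HH:MM", inclusive
    end: str


# Constructed policy for the public-service zone: the web portal is reachable all day,
# the library catalogue only during office hours, everything else is denied by default.
PUBLIC_RULES = [
    Rule("web_portal_http", "203.0.113.0/28", "tcp", 80, "00:00", "23:59"),
    Rule("web_portal_https", "203.0.113.0/28", "tcp", 443, "00:00", "23:59"),
    Rule("library_opac", "203.0.113.20/32", "tcp", 8080, "08:00", "18:00"),
]
# Management and database ports that should never be published at the egress.
RISKY_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
               3306: "mysql", 3389: "rdp", 5432: "postgres"}
# A rule set with a redundant service left open, used to show the audit (constructed).
AUDIT_EXAMPLE = PUBLIC_RULES + [Rule("db_admin", "203.0.113.17/32", "tcp", 3306, "00:00", "23:59")]


def _parse(hhmm: str) -> time:
    hour, minute = map(int, hhmm.split(":"))
    return time(hour, minute)


def evaluate(rules, dst_ip, protocol, port, now="12:00"):
    """Return (action, rule_name) for an inbound flow; anything unmatched is denied."""
    dst, at = ip_address(dst_ip), _parse(now)
    for r in rules:
        if (dst in ip_network(r.dst_net) and r.protocol == protocol
                and r.port == port and _parse(r.start) <= at <= _parse(r.end)):
            return "permit", r.name
    return "deny", "default-deny"


def find_risky_exposures(rules):
    """List rules that publish management or database services to the Internet."""
    return [(r.name, r.port, RISKY_PORTS[r.port]) for r in rules if r.port in RISKY_PORTS]


if __name__ == "__main__":
    print(evaluate(PUBLIC_RULES, "203.0.113.5", "tcp", 443, "02:30"))   # ('permit', 'web_portal_https')
    print(evaluate(PUBLIC_RULES, "203.0.113.20", "tcp", 8080, "20:00"))  # ('deny', 'default-deny')
    print(find_risky_exposures(AUDIT_EXAMPLE))                           # [('db_admin', 3306, 'mysql')]
```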

Attack defense design

1. Intrusion prevention & anti-virus solution

Firewall device deployment: Deploy firewall equipment, create intrusion prevention profiles and anti-virus profiles, and reference them in the relevant business security policies to protect campus servers from network intrusions and virus infections, effectively protecting the security of the university network and of teaching and scientific research information.
2. DDoS attack defense solution

Anti-DDoS device deployment: Deploy anti-DDoS devices in direct transparent mode outside the egress firewall, and configure traffic cleaning policies to clean abnormal traffic to avoid DDoS attacks on the school's public website.

3. APT attack defense solution

Configure the APT defense function on the firewall: Enable the APT defense function on the firewall and respond to APT attacks by configuring anti-virus and APT defense based on signature databases.

Sandbox device deployment: Deploy sandbox devices to run suspicious files in a virtual environment and feed back the running detection results to security devices to defend against unknown attacks and threats.

Firewall and sandbox linkage: After the firewall is connected to the sandbox, the firewall sends files of unknown threats to the sandbox for detection, and regularly obtains the detection results of the sandbox, and refreshes the corresponding malicious file library based on the detection results.
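The firewall-sandbox linkage described above, modelled as an added example for this article (not Huawei's implementation): files with an unknown verdict are queued for sandbox detection, results are pulled periodically, and the local malicious file library is refreshed so that the next transfer of the same file is blocked. The sample files and the verdict table that stands in for the sandbox are constructed.

```python
import hashlib


class FirewallSandboxLink:
    """Firewall-side state of the sandbox linkage (constructed example)."""

    def __init__(self, malicious_library=()):
        self.malicious = set(malicious_library)  # local malicious file library (SHA-256 hex)
        self.benign = set()                      # cached sandbox verdicts for clean files
        self.pending = {}                        # hash -> file bytes awaiting a sandbox verdict

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def inspect(self, data: bytes) -> str:
        """Classify a transferred file: 'block', 'pass', or 'submitted' (unknown, sent to sandbox)."""
        h = self.digest(data)
        if h in self.malicious:
            return "block"
        if h in self.benign:
            return "pass"
        self.pending.setdefault(h, data)   # unknown threat: queue it for sandbox detection
        return "submitted"

    def refresh(self, sandbox_verdicts: dict) -> int:
        """Periodically pull sandbox results; returns how many hashes were added to the library."""
        added = 0
        for h in list(self.pending):
            verdict = sandbox_verdicts.get(h)
            if verdict is None:
                continue                   # sandbox is still analysing this sample
            if verdict == "malicious":
                self.malicious.add(h)
                added += 1
            else:
                self.benign.add(h)
            del self.pending[h]
        return added


# Constructed sample files; a verdict table stands in for the real sandbox.
CLEAN_DOC = b"%PDF-1.4 lecture notes, chapter 3"
DROPPER = b"MZ constructed sample that the sandbox flags as malicious"
SANDBOX_VERDICTS = {FirewallSandboxLink.digest(DROPPER): "malicious",
                    FirewallSandboxLink.digest(CLEAN_DOC): "benign"}


def run_cycle():
    """One linkage cycle: first sight -> submitted, refresh -> library updated, second sight -> decided."""
    fw = FirewallSandboxLink()
    first = (fw.inspect(CLEAN_DOC), fw.inspect(DROPPER))
    added = fw.refresh(SANDBOX_VERDICTS)
    second = (fw.inspect(CLEAN_DOC), fw.inspect(DROPPER))
    return first, added, second


if __name__ == "__main__":
    print(run_cycle())   # (('submitted', 'submitted'), 1, ('pass', 'block'))
```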

Operation and maintenance audit planning

1. Device management

SecoManager deployment: Deploying SecoManager and configuring the device management function can realize unified management of network security devices such as firewalls, and can uniformly issue relevant security policies and streamline and optimize security policies to achieve unified security and coordinated defense of the entire network.
2. Log audit

LogAuditor deployment: Deploy LogAuditor and configure log audit policies to perform unified data analysis and report presentation on the logs reported by the various devices and systems, analyze potential security risks in the network from a global perspective, and make the relevant adjustments and reinforcements in a timely manner.

Equipment selection

The recommended product models and software versions of Huawei's smart university egress solution are shown in the figure (equipment selection table).
The details of the plan deployment will be continuously updated in subsequent blogs of the same series~

to be continued……

Origin blog.csdn.net/qq_37633855/article/details/131475315