Huawei Intelligent Enterprise Remote Office Security Solution (1)

Course address

The course resources for this solution have been released in the Huawei O3 community and can be reached with the steps below (a Huawei account is required; an ordinary personal account is enough~)

Course address:

  1. Open https://o3community.huawei.com/ to enter the Huawei O3 community;
  2. Click "Training Empowerment > Guided Learning";
  3. Select "Huawei Intelligent Enterprise Remote Office Security Solution" among the guided courses to see the course content.

The Huawei O3 community platform provides technical documentation and mock test questions to support the course. All course content was developed by me. If you have any questions while studying, you can leave a message under the course on the O3 platform or in the comment area of this article for discussion~

Solution background

With the popularity of the Internet and the improvement of network technology, employees can work from anywhere through stable network connections. Globalization and intensified market competition have made cross-time zone cooperation the norm. Telecommuting eliminates geographical restrictions, improves work efficiency, and has become a new work model that adapts to the trend of the times and responds to challenges, bringing many advantages to employees and enterprises.

Huawei's intelligent enterprise remote office security solution uses Huawei USG firewalls to provide SSL VPN access for off-site employees, so that they can reach the intranet and work from anywhere at any time, which improves efficiency and lowers costs for both the enterprise and its staff. In an emergency, remote access also lets maintenance personnel provide timely business support and repairs, avoiding greater losses to the enterprise.

This article describes the solution from three aspects: requirements analysis, solution design and solution deployment.

Requirements analysis

Overview of enterprise remote office business

Enterprise remote office business refers to the work that employees outside the enterprise perform after reaching the intranet through a tunnel technology such as SSL VPN. It mainly falls into the following categories:

  • File sharing: To facilitate employees to access and share files in different locations, companies will provide cloud storage services. Employees can upload files to the enterprise cloud space, access and edit them anytime and anywhere, and share and collaborate with team members.
  • Resource access: To let employees reach internal systems and resources (enterprise OA, mail servers, etc.), the company provides remote access channels. Employees reach these resources through the Remote Desktop Protocol (RDP) and similar methods inside the tunnel; services such as RDP should only ever be reachable through the VPN, never exposed directly to the Internet.
  • Remote collaboration: In order to promote collaboration and communication among team members, companies usually provide remote collaboration tools, such as video conferencing software, instant messaging and chat tools, project management platforms, etc. These tools help employees communicate in real time, share files and content, coordinate work tasks, and keep teamwork productive.
  • Technical support: In order to enable enterprise maintenance personnel to handle various emergencies in a timely and effective manner, the enterprise will provide remote technical support and training to ensure enterprise business continuity and system stability. This type of business includes online training courses, remote conference technical support, IT help desk and other services.

Enterprise remote working security risk analysis

The remote office business types above expose the enterprise to the following network security risks (the original post summarizes them in a figure; the list below restates the threats that the solution design addresses one by one):

  • Eavesdropping on, or tampering with, traffic between off-site terminals and the intranet while it crosses the public Internet.
  • Access by illegitimate users who are not properly identified and verified, for example through weak or leaked passwords.
  • Uncontrolled traffic from remote terminals reaching intranet segments unrelated to the user's work.
  • Irrelevant or unexpected protocols entering the intranet and disturbing normal business interaction.
  • Unmanaged or inconsistent access tools on off-site terminals.
  • Remote users holding more permissions on the intranet than their job requires.

Analysis of requirements for setting up an enterprise remote office environment

The analysis above shows that enterprise remote office business faces several network security risks. Offering remote services to off-site employees without control seriously threatens the enterprise network.

To prevent these risks while still giving off-site employees flexible and efficient access, the enterprise must provide a secure and efficient remote working environment. The specific requirements for such an environment can be divided into the following points (the original post lists them in a figure; the six items below are the requirements that the solution highlights in the design section map to):

  • Data encryption: traffic between off-site terminals and the intranet must be encrypted and its endpoints authenticated.
  • Identity verification and password management: only verified employees may connect, under a strict password policy.
  • Access control: remote users may reach only the business network segments they need.
  • Tool management and control: employees use a uniform, trusted access client.
  • Protocol management and control: only the protocols required by the business may enter the intranet.
  • Permission control: remote users are authorized according to their role.

Solution design

Networking architecture

  • This solution uses the Huawei USG6615F firewall as the enterprise SSL VPN security gateway. It terminates remote users' SSL VPN tunnels and forwards their traffic into the intranet, so that remote users can reach the intranet from anywhere at any time.
  • To ensure stability and reliability, two USG6615F firewalls form a hot standby (HRP) pair in active/standby mode, so that the standby unit can take over when the active unit or its uplink fails.

Equipment selection

The recommended product models and software versions are given in a table in the original post (not reproduced here). The key choices are the USG6615F (USG6000F series) as the SSL VPN gateway and UniVPN Client on the off-site terminals.

Note: With a USG6000F series firewall as the SSL VPN gateway, a VPN client (UniVPN Client) must be installed on the off-site terminal. Huawei USG6000E series firewalls also support SSL VPN and can be accessed from a browser without installing a separate client. If the terminals cannot have additional software installed, consider the USG6000E series for the deployment instead.

Solution highlights

Huawei's intelligent enterprise remote office security solution can meet the various enterprise remote office environment construction needs analyzed above through the following functions:

  • Encrypted transmission: This solution uses SSL VPN as the tunnel through which off-site employees reach the intranet. SSL VPN provides remote secure access over the SSL/TLS protocol: the session is encrypted so that traffic between client and gateway cannot be eavesdropped on or altered in transit, and the gateway (and optionally the client) is authenticated by certificate. This meets the enterprise's data encryption requirement. Caveat: SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated, so the gateway should be restricted to TLS 1.2 or later with strong cipher suites, and its certificate should be issued by a CA the clients trust, so that users are never trained to click through certificate warnings.

  • User authentication: The firewall offers four user authentication methods for SSL VPN: username + password; username + password + certificate; certificate challenge (the client presents a certificate and is also challenged for username and password); and certificate anonymous (the client certificate alone identifies the user, with no password). Combining these methods with a strict password policy verifies the identity of off-site employees and blocks illegitimate users, meeting the enterprise's identity verification and password management requirement. Where the terminals allow it, prefer the certificate-based methods, since a password alone can be guessed, reused or phished.

  • Traffic filtering: Security policies configured on the firewall strictly limit the scope of remote access. Only the business network segments a remote user needs are reachable through the SSL VPN tunnel; all other traffic is denied, so unrelated traffic cannot enter the intranet and threaten information security or system operation. This meets the enterprise's access control requirement.

  • Unified tool: This solution uses UniVPN Client as the VPN client for off-site employees. UniVPN Client integrates three mainstream VPN access technologies, SSL VPN, L2TP VPN and L2TP over IPsec VPN, and is a secure and reliable client that covers the access needs of users in different scenarios. Standardizing on it meets the enterprise's tool management and control requirement; the client should be distributed from a trusted source and kept up to date, since it is now a single piece of software present on every off-site terminal.

  • Protocol filtering: Business security policies are written according to the principle of minimization: only the protocols and ports the business actually needs are permitted (for example TCP 443 to the OA system or TCP 3389 for RDP to the servers), and all other protocols are denied. Irrelevant protocol packets therefore cannot enter the intranet and disturb normal business interaction, meeting the enterprise's protocol management and control requirement.

  • Role authorization: The firewall authorizes access by role; a role is the bridge between users and business resources. When configuring the SSL VPN gateway, users with the same permissions are added to a role, and the business resources (the intranet resources those remote users may reach) are associated with the role. Remote users thus receive exactly the permissions their role requires, meeting the enterprise's permission control requirement for off-site access to the intranet.
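The last three highlights (traffic filtering, protocol filtering and role authorization) all come down to one evaluation performed after the user has authenticated: does some resource of one of the user's roles match the destination address, protocol and port of this connection, and if not, deny. The Python model below, added here as an illustration and not Huawei's code or USG configuration, shows that evaluation end to end: roles bind users to resources, resources carry protocol and port so that the check is a protocol filter and not just an address filter, and anything not explicitly permitted falls through to an implicit deny. Every user, role, address, protocol and port in it is constructed.

```python
"""Role-based authorization with default deny, modelled on what an SSL VPN
gateway applies after a user has authenticated.

Added example for this article; not Huawei's code or configuration.
All users, roles, addresses, protocols and ports are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Resource:
    """An intranet resource a role may reach: destination network + protocol + port.
    Binding protocol and port to the resource is what turns an address filter
    into a protocol filter."""
    name: str
    network: IPv4Network
    protocol: str   # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Role:
    """Users with the same permissions share a role; the role lists their resources."""
    name: str
    users: frozenset[str]
    resources: tuple[Resource, ...]


@dataclass(frozen=True)
class Flow:
    """One connection attempt by an authenticated user, as seen on the tunnel."""
    user: str
    dst_ip: str
    protocol: str
    dst_port: int


class RoleAuthorizer:
    """Evaluates flows against the user's roles. Anything not explicitly
    permitted by a resource of one of those roles is denied."""

    def __init__(self, roles: list[Role]) -> None:
        self.roles = {r.name: r for r in roles}
        self.user_roles: dict[str, set[str]] = {}
        for role in roles:
            for user in role.users:
                self.user_roles.setdefault(user, set()).add(role.name)

    def decide(self, flow: Flow) -> tuple[str, str]:
        """Return ("permit" | "deny", reason)."""
        role_names = self.user_roles.get(flow.user)
        if not role_names:
            return "deny", "user has no role"
        dst = ip_address(flow.dst_ip)
        for name in sorted(role_names):          # deterministic order for the reason string
            for res in self.roles[name].resources:
                if (dst in res.network
                        and flow.protocol == res.protocol
                        and flow.dst_port == res.port):
                    return "permit", f"role {name} grants {res.name}"
        return "deny", "no matching resource (implicit deny)"


def build_demo_authorizer() -> RoleAuthorizer:
    """Constructed sample: office staff reach OA and mail, ops staff reach
    servers over RDP and SSH, and nobody reaches anything else."""
    oa = Resource("OA web", ip_network("10.1.10.0/24"), "tcp", 443)
    mail = Resource("mail (IMAPS)", ip_network("10.1.20.5/32"), "tcp", 993)
    rdp = Resource("server RDP", ip_network("10.1.30.0/24"), "tcp", 3389)
    ssh = Resource("server SSH", ip_network("10.1.30.0/24"), "tcp", 22)
    return RoleAuthorizer([
        Role("staff", frozenset({"alice", "carol"}), (oa, mail)),
        Role("ops", frozenset({"bob", "carol"}), (rdp, ssh)),
    ])


def demo_decisions() -> dict[str, str]:
    """Run constructed flows through the authorizer; return the action per scenario."""
    authz = build_demo_authorizer()
    flows = {
        "staff_to_oa": Flow("alice", "10.1.10.8", "tcp", 443),
        "staff_to_rdp": Flow("alice", "10.1.30.7", "tcp", 3389),    # not in alice's role
        "ops_to_rdp": Flow("bob", "10.1.30.7", "tcp", 3389),
        "ops_to_oa_http": Flow("bob", "10.1.10.8", "tcp", 80),       # wrong role and wrong port
        "both_roles_to_ssh": Flow("carol", "10.1.30.9", "tcp", 22),  # second role matches
        "mail_over_udp": Flow("alice", "10.1.20.5", "udp", 993),     # right host, wrong protocol
        "no_role_user": Flow("mallory", "10.1.10.8", "tcp", 443),
    }
    return {scenario: authz.decide(flow)[0] for scenario, flow in flows.items()}


if __name__ == "__main__":
    for scenario, action in demo_decisions().items():
        print(f"{scenario:20s} {action}")
```

Run it directly to see the seven decisions. The point to take from `mail_over_udp` and `ops_to_oa_http` is that a destination address inside a permitted segment is not enough: the resource's protocol and port must match too, which is exactly what the protocol filtering highlight asks the security policies to enforce.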

The solution deployment part will be continuously updated in subsequent blogs of the same series~

to be continued……


Origin blog.csdn.net/qq_37633855/article/details/133376150