All-round admission control
With all-round access control, EAD supports LAN, WAN, VPN, and wireless network access methods and can be deployed in a heterogeneous network that contains hubs and Cisco devices. Users can securely access the network from anywhere by using any one of these methods.
Strict identity authentication
The EAD solution supports the following identity authentication types:
Authentication based on the username and password.
Enhanced authentication based on the binding between the user identity and specific information of the endpoint (MAC address, IP address, and VLAN) or access device (IP address and port number).
Enhanced authentication through intelligent cards and digital certificates.
Complete security state evaluation
The administrator can customize security policies to enable EAD to check the following items on endpoints for security authentication: virus definition version, patch updates, applications, proxy status, dial-up setting, USB storage device, peripheral devices, and desktop assets. EAD clients collaborate with anti-virus products of mainstream vendors, such as Symantec, McAfee, Trend Micro, and Kaspersky, and support high-end desktop security products including Microsoft SMS, LANDesk, and BigFix. When EAD works with Microsoft SMS, EAD controls the network access, and SMS manages assets, patch updates, and software distribution and installation in various Windows environments. With this, the H3C iMC EAD solution can identify devices suspected of being compromised, take corrective remediation action, and respond to threats immediately. This applies whether the threats are introduced to the network advertently or inadvertently, by malicious or innocent actors, through external third-party devices in a BYOD environment or through external devices such as USB storage devices.
Precise privilege control
After a user endpoint passes the security check, EAD assigns an access control policy to the security collaboration device based on the role of the endpoint user. The network behavior of the user is regulated by the policy. EAD allows the administrator to manage endpoint users in a centralized way by configuring the following parameters: user VLANs, ACLs, proxy service, and dual NIC usage.
Flexible customization of security policies
The administrator can customize security policies to enable EAD to apply a security check method and a handling mode based on the user identity (for example, VIP guest, common guest, and employee). Available handling modes include Monitor, Inform, Isolate, and Kick Out.
Comprehensive monitoring and management of desktop assets and peripherals
The EAD solution monitors endpoint hardware and software usage and changes, and manages desktop assets through endpoint asset configuration, unified software distribution, and remote desktop control. It also manages USB storage devices and other peripherals to avoid information leakage, and monitors users copying files through USB storage devices.
Easily deployed clients
When a user accesses the network, the EAD server automatically pushes the EAD client to the user endpoint for identity authentication and security check. EAD ensures network security of users without changing their network behaviors.
Multi-level high availability
Stateless failover and hot backup features effectively avoid a single point of failure and interruption of the authentication process. If the EAD server fails, users can bypass authentication and access network resources.
Extended and open solution
The extended and open framework of the EAD solution substantially protects user investment. EAD works extensively and deeply with domestic and foreign vendors of virus definitions, operating systems, and desktop security products, and makes full use of their advantages. Because the framework is based on standard and open protocols, interoperation within the EAD framework can be easily implemented.