Endpoint Admission Defense


With the rapid development of 5G and IoT, the number of edge endpoints increases rapidly, making the management of intranet endpoints increasingly important. Connecting a vulnerable user endpoint to a network opens the door to security risks, resulting in a crisis that can spread rapidly into a larger area, which in turn leads to "out of control" internet use behavior and the loss or damage of important data assets for an enterprise. Ensuring the health of user endpoints, preventing network threats, effectively controlling users' network access behaviors, and preventing the loss of critical data on enterprise endpoints, are the prerequisites for the proper operation of enterprise networks and endpoints, as well as pressing issues for enterprises to address. While ensuring the legal compliance of endpoints, endpoint administrators must deal with new challenges, such as the management stress brought by massive endpoints, which requires them to achieve effective management and control of massive endpoints and reduce the management cost effectively at the same time.

H3C's Endpoint Admission Defense (EAD³), focusing on the network, desktop, behavior, and data, integrates network access control, desktop security, behavior audit, and data protection products on the basis of controlling the admission of user endpoints to the network. Through the linkage of clients, policy server, network device and third-party software, EAD³ implements enterprise endpoint management and control policies on the user endpoints accessing the network, strictly controls the internet usage behavior of the end user, comprehensively controls the distribution and flow of endpoints' sensitive data, and effectively strengthens the active defense capability of the user endpoints, providing effective and user-friendly management tools and measures for enterprise network administrators.


The multi-dimensional endpoint management system is built through endpoint-network combination and multi-dimensional management to provide all-round protection for endpoints and help customers step into a new era of endpoint security governance.


All-around Access Control

EAD³ provides comprehensive access control and supports various access modes such as LAN, WAN, VPN, and wireless networks. It also supports deployment on complex networks such as HUB and heterogeneous networks such as Cisco, ensuring access security in any location and in any mode.

Multi-factor Combined Identity Authentication

H3C e-shield soft token provides a free and secure dynamic password service, which can be used for network access user authentication and device management user authentication.

In addition to supporting self-created accounts, it can interact with various third-party authentication data sources, such as third-party LDAP/AD, third-party RADIUS, third-party database, and third-party WEB system users. EAD³ can bind an identity to the MAC address, IP address, VLAN, IP address of the access device, and port number of the access device. It also supports smart cards, digit certificate authentication, and dynamic token to enhance identity authentication security.

Fine-grained Permission Control

After a user endpoint passes the security information check, such as virus and patch checks, EAD³ can allocate a pre-configured access control policy to safety linkage devices based on the end user's role, and regulate the user's internet usage behavior according to the permission of the user's role. The administrator can configure and implement security measures such as the VLAN to which end users belong, ACL access policy, whether to disable proxy, and whether to disable dual network adapters.

Flexible and Convenient Execution Mode

EAD³ treats users with different identities based on the security policy configured by the network administrator, and customizes different security checks and processing modes, which include the monitoring mode, reminder mode, isolation mode, and offline mode. Users can define different security policy execution modes for different groups, such as VIP customers, internal employees, and external visitors, as required.

Powerful IP Address Management Capability

EAD³ can implement powerful IP address management in both static and dynamic scenarios, realizing full-process automatic management of endpoint IP address planning, allocation, recycling, and visualization to improve the utilization of IP address resources. Through the iNode client, it can completely prevent IP address spoofing, ensuring one device for one user and one IP for one device. By working with the access system, it can automatically recycle zombie IP addresses and log out endpoints, preventing IP address resources from being occupied for a long time.

Real-time Perception and Assessment of Endpoint Health

EAD³ can build a complete endpoint state awareness system and a real-time assessment system for customers. The iNode client collects endpoint data in real-time to comprehensively learn about the trusted state of the endpoint, including but not limited to system configuration, network configuration, software configuration, process management, and peripheral management. The weight of each collection indicator can be flexibly adjusted based on the scenario. The endpoint is assessed in real-time based on the hundred-mark system, and the assessment result is clear. The real-time assessment result can be provided to the third-party application system in an active or passive way as a quantifiable basis for deeper permission control.

Desktop Assets and Peripheral Management

EAD³ monitors and manages endpoint assets in an all-around way. It can not only monitor the usage and changes of endpoint hardware and software, but also support endpoint assets configuration management, unified software distribution, and remote desktop control, to effectively manage desktop assets. EAD³ can also manage USB flash disks and other peripherals. It can control various peripherals of the end users to prevent the leakage of important information. At the same time, it can monitor files in USB flash disks to check whether the important files are used properly when they are copied by the USB flash disks.

Detailed Terminal Behavior Audit Capability

EAD³ can implement endpoint behavior audit. It tracks the operation behaviors of endpoint computers in real-time, monitors the use of network resources and the spread of sensitive information, accurately understands the security status of endpoint systems, and exports various statistical reports, which provide strong support for the traceability of leaks.

Comprehensive Terminal Data Protection Capability

EAD³ can protect the endpoint data and solve the problem of sensitive data leakage of the endpoint. In the era of information security, data is the most powerful productivity. EAD³ uses advanced endpoint scanning, data classification, and content recognition technologies to make the sensitive data of user endpoints visible and controllable, preventing sensitive data from leaking from the source via various ways.

Integrated Client

The unified, customizable, and assembled iNode client provides users with comprehensive endpoint service management services, such as network access, desktop security, behavior audit, and data management, greatly improving user experience and reducing the degree of difficulty in later O&M.

Convenient O&M Capability

EAD³ provides remote assistance. The administrators can perform endpoint maintenance remotely. The end user and the system administrator share the endpoint desktop for real-time interaction and remote O&M. At the same time, a mobile O&M app is provided so that the system administrator can access and implement O&M anytime and anywhere.

Multiple Layers of High Availability

EAD³ features two-node cluster cold backup, two-node cluster hot backup and distributed cluster functions to avoid the authentication interruption caused by the breakdown of a single EAD³ server. It also supports the fail-permit scheme of the single-device failure to temporarily allow clients to use the network without authentication, ensuring the interests of economically sensitive users.

Expandable and Open Solution

EAD³ provides customers with an expandable and open architecture that maximizes the protection of their existing investments. H3C has conducted extensive and in-depth cooperation with domestic and foreign anti-virus, operating system, and desktop security vendors. EAD³ interacts with third-party authentication servers and safety linkage devices based on standard and open protocol architectures and specifications, facilitating easy interconnection.