4.9 Desktop Access Scheme
Date: 2018-12-06


1 Requirements analysis

I. Access control requirements

1) LAN access control: Using the 802.1x protocol together with network switches that support admission control, authenticate the user's identity and decide how the terminal is admitted based on the result of a terminal security check. Users who fail authentication have their network connection disconnected; terminals that pass authentication but fail the security check are placed in an isolation zone and automatically guided through host integrity repair; hosts that pass both authentication and the security check receive the corresponding network settings and terminal security client settings according to policy.

2) Gateway admission control: For wireless users, VPN users and visitors, work with security gateway devices that support admission control to run security checks and repairs on the accessing terminal and push terminal policies to it. Only users who pass both identity authentication and the security status check are allowed to access the internal network.

3) Isolation zone: For both LAN and wireless users, an isolation zone is supported during the terminal security check. Layer 2 Guest VLAN or Layer 3 ACL technology automatically isolates terminals that fail the security check and automatically starts the terminal repair process.

II. Security inspection

1) Security patches: Supports linkage with Microsoft WSUS to check and upgrade operating system patches on Windows 2000/XP/2003 and other terminals.

2) Anti-virus software: Supports checking the running status, software version and virus database version of Trend Micro / Kingsoft anti-virus software.

3) Software blacklist and whitelist: Provides software blacklist and whitelist functions with accurate software identification, controlling the installation and use of specific software.

4) Registry: Any registry key value on the terminal can be checked and automatically corrected if it does not meet requirements.

5) User rights: User rights can be set flexibly; a relaxed security policy can be applied to VIP users.

6) ARP attack prevention: Protects against ARP attacks in the LAN through measures such as gateway address protection, detection of ARP attack traffic and forcing the offending terminal offline.

7) Multi-element binding: User name, IP address, MAC address, device port, VLAN and so on can be bound together to prevent network abuse.

8) Software and hardware asset survey: The software and hardware information of all accessing terminals can be viewed in detail from the central console and presented as reports.

9) Peripheral management: Peripherals and interfaces of PC terminals such as USB, infrared, Bluetooth, IEEE 1394, card readers and PCI slots can be managed, either disabled outright or prevented from being used to connect external storage.

10) Software distribution: Patches or related software can be pushed automatically, stably and reliably from the central server to all accessing terminals.

11) Security audit: Detailed logs of user logins, Internet access, failures, administrator operations, connection times and so on are available for review, and logs are uploaded promptly to the management server database.

III. Reliability and management requirements

1) Dual-server backup: The central policy server supports a dual-server redundant configuration; when the primary server fails, its functions are transferred to the secondary server. The policy server configuration has a sound backup and recovery mechanism.

2) User group policy: Users can be grouped, and a security policy can be bound to a single user or to a group of users.

3) Management target grouping: Different administrators can be assigned to different levels, regions, user groups, computer groups and so on.

2 Terminal admission control scheme

An EAD terminal admission control system is deployed to work together with anti-virus software and WSUS patch management: the anti-virus software and WSUS handle virus removal and patch download, while EAD focuses on network access control, desktop management, user behaviour auditing and terminal security management. Together they give XXXX a comprehensive end-to-end network security solution. EAD is deployed in dual-server hot standby or cold standby mode to improve system reliability.

For access, LAN users adopt the access-layer 802.1x deployment scheme. EAD works directly with H3C switches to implement terminal admission control. H3C switches support standard 802.1x, so admission control can be enforced not only for a single user per port but also for multiple users per port, which allows users behind hubs and small switches to be managed. Specifically, when a hub hangs below an H3C switch, EAD can distinguish the multiple users behind the hub and issue different policies according to each user's security status.

For wireless users, EAD can work with fat APs, AC wireless controllers, EAD gateways and so on to perform admission control through a Layer 3 Portal. Since most users adopt the thin AP + AC wireless controller networking mode, the wireless EAD scheme generally works together with the AC wireless controller. When a wireless user connects, a page pops up to authenticate and check the user.

EAD also supports 802.1x user access in a wireless environment. However, experience from several projects shows that because 802.1x is a Layer 2 method it is strongly affected by the underlying wireless NIC, and the stability of wireless NICs from different brands varies, which can lead to disconnections. Based on practical experience, users are therefore advised to adopt the highly stable Layer 3 Portal method. Note that the Portal method authenticates at Layer 3 only; it does not provide the per-session air-interface encryption that 802.1x with WPA2-Enterprise derives from the EAP exchange, so when Portal is chosen the SSID's own encryption (for example a pre-shared key) must still be configured.

EAD supports not only the common admission, security and desktop asset management functions but also innovative functions such as ACL issuance, anonymous authentication, ARP attack prevention, abnormal traffic detection, USB drive and peripheral management, and integrated management of devices and services. In addition, EAD supports linkage with the H3C UBAS behaviour auditing system and the NTA traffic analysis system. Combined with EAD's user identity and permission management, this lets administrators manage network users efficiently while analysing abnormal traffic on the network and tracing malicious Internet behaviour, giving administrators effective network and user management policies.

2.1 Network admission control

Through linkage with different network access devices, the EAD solution implements user terminal security admission control in a variety of application scenarios, meeting the need for terminal admission control in different network environments.

2.1.1 Access layer admission control

The access-layer device is used as the security admission control point. It performs security checks on user terminals attempting to access the network and forces them to pass enterprise-defined security policy checks (such as anti-virus and operating system patch status), preventing illegal users and terminals that do not comply with corporate security policy from accessing the network, and reducing the risk of viruses, worms and other security threats spreading within the enterprise.

Solution networking

[Figure 1: Networking application of the access-layer EAD solution]

Scheme description

- The user terminal must have the iNode client installed and must complete 802.1x and security authentication before going online; otherwise it cannot access the network, or can reach only resources in the isolation zone. The isolation zone is a set of ACLs configured on the switch that generally permits the IP addresses of the EAD security proxy server, patch server, anti-virus server, DNS and DHCP servers.

- 802.1x authentication and security authentication are deployed on the access switch, enforcing user-based 802.1x authentication and dynamic ACL and VLAN control.

- The user's service policy, access policy and security policy are configured on the EAD security policy server. When the user performs 802.1x authentication, the EAD security policy server verifies the legitimacy of the user's identity and, based on the user's role (service), pushes a security evaluation policy to the security client (for example, checking the virus database version and patch installation status). Once identity and security evaluation are complete, the EAD security policy server determines the user's ACL, VLAN, virus monitoring policy and so on.

- The EAD security proxy server must be deployed in the isolation zone and can share a host with the self-service server.

- The patch server (optional) must be deployed in the isolation zone and can share a host with the EAD security proxy.

- The anti-virus server (optional) must be deployed in the isolation zone and can share a host with the patch server and the EAD security proxy. Supported products include Norton Anti-Virus, Trend Micro, McAfee, AhnLab (安博士), CA KILL (安全甲胄), Rising, Kingsoft Internet Security and Jiangmin KV anti-virus software.

2.1.2 Aggregation layer admission control

When the access-layer devices in the network do not support EAD, the aggregation-layer devices can be used as the security admission control points to implement the EAD solution, which simplifies deployment. In particular, when an existing enterprise network is being upgraded to implement EAD, the existing aggregation-layer devices can be replaced with H3C aggregation-layer devices that support EAD.

Solution networking

[Figure 2: Networking application of the aggregation-layer EAD solution]

Scheme description

- 802.1x authentication and security authentication are deployed on the aggregation switch, enforcing user-based 802.1x and dynamic ACL control.

- Other access control is the same as at the access layer.

Flow description

The user authentication flow is the same as in the access-layer admission control scheme.

Implementation effect

The implementation effect is the same as access-layer admission control, but the network reconstruction cost is lower and deployment is simpler. In the aggregation-layer EAD networking mode the access-layer devices hang below the authentication device; if the access-layer device ports are not divided into VLANs, user terminals can reach each other without passing through the control point. It is therefore recommended that the access-layer device place different ports in different VLANs and strictly control mutual access between users.

2.1.3 Admission control for wireless users

Security problems in a wireless LAN appear mainly at two levels: access control and data transmission. At the access control level, once an unauthorized or insecure client joins the network it directly faces the enterprise's core servers and threatens core business. An admission control system that can identify wireless users, check their security status and authorize their network access is therefore essential. Combining the wireless network with the EAD solution effectively meets the wireless security admission needs of a campus network.

[Figure 3: Typical wireless EAD solution networking 1]

Networking features

1. The physical networking mode is the same as for 802.1X access.

2. The connection between the FIT AP and the wireless controller can be Layer 2 or Layer 3.

3. Users connect to the wireless network with a Windows client and then use iNode for Portal access.

4. Within the network, users can roam between APs without changing their IP address.

5. Control information based on user identity is issued on the AC.

2.1.4 VLAN/ACL-based isolation

EAD works with switches that support 802.1x (Layer 2 or Layer 3). After a user passes authentication, the user's ACL can be issued by iMC EAD to the access device, which then dynamically controls the user's access rights; alternatively, the VLAN the user belongs to can be issued by iMC EAD to the access device, which dynamically assigns the user to that VLAN. By cooperating with the network devices in this way, user-based dynamic access control is achieved, restricting users' access to internal sensitive servers and external illegal websites.
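The decision described in the 2.1.1 scheme description (identity check, security evaluation pushed to the client, then ACL/VLAN selection) together with the VLAN/ACL issuance of this section can be pictured as one function. The Python below is an added example, not iMC/EAD code. It assumes a constructed account table with user/MAC/port bindings (the multi-element binding from the requirements), constructed role policies (a "staff" role requiring current anti-virus signatures and two patch IDs, a "vip" role relaxed as the requirements allow), and it renders the result as the standard RFC 3580 RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID for the VLAN, Filter-Id for the ACL name). How the H3C switch consumes those attributes is not stated on this page and is outside the example.

```python
"""Admission decision for an 802.1x user: identity + multi-element binding,
then the posture check the policy server pushes to the client, then the
VLAN/ACL result.  Added illustration, not iMC/EAD code: the account table,
role policies, VLAN numbers, ACL names and patch IDs are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass
class Posture:
    """What the endpoint client reports back for the security evaluation."""
    av_product: str
    av_engine: tuple            # engine version, e.g. (12, 0)
    virus_db_date: str          # ISO date of the signature set in use
    patches: frozenset          # KB identifiers reported as installed
    mac: str
    port: str                   # switch port the supplicant was seen on


@dataclass
class RolePolicy:
    allowed_av: frozenset
    min_av_engine: tuple
    max_db_age_days: int
    required_patches: frozenset
    permit_vlan: int
    permit_acl: str


# Quarantine VLAN/ACL: reaches only the isolation-zone servers (EAD proxy,
# patch, AV, DNS, DHCP).  Constructed values.
ISOLATE_VLAN = 999
ISOLATE_ACL = "ead-quarantine"


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account table: user -> (salt, hash, role, bound MAC, bound port)
_SALT = b"example-salt"
ACCOUNTS = {
    "alice": (_SALT, _pw_hash("correct horse", _SALT), "staff", "00-11-22-33-44-55", None),
    "bob": (_SALT, _pw_hash("hunter2", _SALT), "vip", None, "GigabitEthernet1/0/7"),
}

POLICIES = {
    "staff": RolePolicy(frozenset({"TrendMicro", "Kingsoft"}), (12, 0), 7,
                        frozenset({"KB4012212", "KB4499175"}), 100, "staff-acl"),
    # "vip" gets the relaxed policy the requirements mention: older engine and
    # signatures tolerated, no mandatory patches, but still a supported AV.
    "vip": RolePolicy(frozenset({"TrendMicro", "Kingsoft"}), (11, 0), 30,
                      frozenset(), 110, "vip-acl"),
}


def authenticate(user, password, posture):
    """Identity check plus user/MAC/port binding.  Returns (role, error)."""
    rec = ACCOUNTS.get(user)
    if rec is None:
        return None, "unknown user"
    salt, digest, role, bound_mac, bound_port = rec
    if not hmac.compare_digest(digest, _pw_hash(password, salt)):
        return None, "bad password"
    if bound_mac and bound_mac.lower() != posture.mac.lower():
        return None, "MAC binding violated"
    if bound_port and bound_port != posture.port:
        return None, "port binding violated"
    return role, None


def check_posture(posture, policy, today):
    """Security evaluation: list of failed check items (empty means compliant)."""
    failures = []
    if posture.av_product not in policy.allowed_av:
        failures.append("anti-virus product not allowed: " + posture.av_product)
    if posture.av_engine < policy.min_av_engine:
        failures.append("anti-virus engine too old")
    age = (date.fromisoformat(today) - date.fromisoformat(posture.virus_db_date)).days
    if age > policy.max_db_age_days:
        failures.append(f"virus database {age} days old")
    missing = policy.required_patches - posture.patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return failures


def radius_attrs(vlan, acl):
    """RFC 3580 dynamic-VLAN attributes (13 = VLAN, 6 = IEEE 802) plus Filter-Id
    carrying the ACL name; how a given switch applies them is vendor-specific."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan), "Filter-Id": acl}


def admit(user, password, posture, today):
    """reject (Access-Reject), isolate (quarantine VLAN/ACL) or permit (role VLAN/ACL)."""
    role, err = authenticate(user, password, posture)
    if err:
        return {"decision": "reject", "reasons": [err], "attrs": None}
    policy = POLICIES[role]
    failures = check_posture(posture, policy, today)
    if failures:
        return {"decision": "isolate", "reasons": failures,
                "attrs": radius_attrs(ISOLATE_VLAN, ISOLATE_ACL)}
    return {"decision": "permit", "reasons": [],
            "attrs": radius_attrs(policy.permit_vlan, policy.permit_acl)}
```

A failed identity or binding check produces a reject with no attributes, a failed security evaluation produces the quarantine VLAN/ACL, and a compliant terminal receives its role's VLAN/ACL; the reasons list is what the client would show the user to drive the repair step.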

2.2 Terminal security management

2.2.1 Anti-virus

Working with third-party anti-virus vendors, the EAD policy server in the EAD terminal admission control solution performs security checks, according to the security policy, on user terminals that have a third-party anti-virus client and the iNode intelligent client installed. User terminals that do not comply with the security policy are treated as "dangerous" and confined to the isolation zone at the physical or network level through ACL or VLAN access control in cooperation with the related network equipment. A "dangerous" terminal can reach the patch server and anti-virus server in the isolation zone to repair itself; once repair is complete and it passes identity and security authentication again, it obtains network access.

Third-party anti-virus software currently supported by EAD includes the domestic products Rising, Kingsoft and Jiangmin and the foreign products Symantec, Trend Micro, McAfee, AhnLab, Kaspersky, CA, NOD32 and many other well-known vendors; the list continues to grow.

2.2.2 Black and white software management

EAD provides unified management of blacklisted and whitelisted software. According to the enterprise's IT directives, the administrator defines the software blacklist and whitelist for employee terminals on the security policy server; real-time detection by the security client, combined with linkage control of the network devices, provides unified monitoring and management of which software is installed and running on user terminals.

The administrator defines the black and white software lists on the security policy server by the process name of the running software, and at the same time defines a security mode for each controlled-software rule, that is, the action the system takes when the security client finds the rule violated as the user terminal accesses the network. The administrator then adds the black and white software control rules to the security policy.

Once the security policy server has the black and white software lists and the software control part of the security policy defined, the software installation status of user terminals can be monitored and managed uniformly through the EAD solution.
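The rule evaluation above, as an added Python example; this is not EAD's rule format, which the page does not show. Rules are matched by process name, each rule carries one of the handling modes the page mentions elsewhere (remind, isolate, offline), and the terminal's result is the most severe mode among the violated rules. The rule set and the running process lists are constructed.

```python
"""Black/white software rules evaluated against a terminal's process list.
Added illustration; rule format, process names and modes are constructed."""
from dataclasses import dataclass

# Handling modes for a violated rule, in increasing severity.
SEVERITY = {"none": 0, "remind": 1, "isolate": 2, "offline": 3}


@dataclass(frozen=True)
class SoftwareRule:
    kind: str             # "black": listed processes must not run
                          # "white": only listed processes may run
    processes: frozenset  # process image names, matched case-insensitively
    mode: str             # action when the rule is violated


def evaluate_rules(rules, running):
    """Return (action, violations): the most severe violated mode and, per
    violated rule, (mode, offending process names)."""
    seen = {p.lower() for p in running}
    violations = []
    for rule in rules:
        listed = {p.lower() for p in rule.processes}
        if rule.kind == "black":
            hit = seen & listed           # forbidden software is running
        elif rule.kind == "white":
            hit = seen - listed           # something outside the allowed set is running
        else:
            raise ValueError(f"unknown rule kind {rule.kind!r}")
        if hit:
            violations.append((rule.mode, sorted(hit)))
    action = max((mode for mode, _ in violations),
                 key=SEVERITY.__getitem__, default="none")
    return action, violations


# Constructed rule set: P2P clients force the user offline, an IM client only
# triggers a reminder.  KIOSK_RULES adds a whitelist for a locked-down terminal;
# a real whitelist would also have to list the OS's own processes.
RULES = [
    SoftwareRule("black", frozenset({"bittorrent.exe", "utorrent.exe"}), "offline"),
    SoftwareRule("black", frozenset({"qq.exe"}), "remind"),
]
KIOSK_RULES = RULES + [
    SoftwareRule("white", frozenset({"explorer.exe", "outlook.exe",
                                     "inode.exe", "svchost.exe"}), "isolate"),
]
```

Because the result is the maximum severity, a terminal that trips both a reminder-level and an offline-level rule is taken offline, and the full violation list is still available for the client to display or log.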

2.2.3 Registry security check

Registry security detection is supported: EAD checks system services, including the service type and whether the service is started. Users who fail the service check items are handled according to the security policy, which may remind them, quarantine them or take them offline.

EAD also supports defending the local registry against remote modification, and defending against remote access, sharing and remote process calls.

2.2.4 Abnormal traffic monitoring

To monitor the network traffic of end users, the EAD solution supports an abnormal traffic monitoring feature. The administrator sets the end-user traffic thresholds on the security policy server and enables the abnormal traffic monitoring function of the iNode client, after which the EAD policy server receives the user traffic information sent by iNode. There are two thresholds: when an end user's traffic exceeds the first threshold, the security policy server only alerts the end user; when it exceeds the second threshold, the security policy server sends an offline instruction to the iNode client.
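The two-threshold logic above as an added Python example, not iNode/EAD code. It assumes the client reports a cumulative byte counter at intervals and that the thresholds are rates over a sliding window; it also handles a counter reset (client restart) so that a reset is not mistaken for a burst, and warns a user only once per episode. The threshold values and the report sequence are constructed.

```python
"""Server-side evaluation of the two abnormal-traffic thresholds.
Added illustration; report format and thresholds are constructed."""
from collections import deque


class TrafficMonitor:
    """Clients report a cumulative byte counter; the rate over a sliding
    window is compared with the alert and offline thresholds."""

    def __init__(self, alert_bps, offline_bps, window_s=60):
        self.alert_bps, self.offline_bps, self.window_s = alert_bps, offline_bps, window_s
        self.samples = {}     # user -> deque of (timestamp, cumulative bytes)
        self.alerted = set()  # users already warned in the current episode

    def report(self, user, ts, total_bytes):
        """Handle one client report; returns "ok", "alert" or "offline"."""
        q = self.samples.setdefault(user, deque())
        if q and total_bytes < q[-1][1]:
            q.clear()                      # counter reset (client restart): start over
        q.append((ts, total_bytes))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                    # drop samples older than the window
        if len(q) < 2:
            return "ok"
        t0, b0 = q[0]
        if ts <= t0:
            return "ok"                    # duplicate timestamp: nothing to measure
        rate = (total_bytes - b0) / (ts - t0)
        if rate >= self.offline_bps:
            self.alerted.discard(user)
            return "offline"               # server sends the offline instruction
        if rate >= self.alert_bps:
            if user in self.alerted:
                return "ok"                # already warned in this episode
            self.alerted.add(user)
            return "alert"                 # server warns the user only
        self.alerted.discard(user)         # back to normal: a new burst warns again
        return "ok"
```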

2.2.5 Anti-ARP attack features

As ARP attacks proliferate, the losses they cause enterprises keep growing. The EAD solution provides anti-ARP attack features: the correct ARP table for the end user is configured on the EAD security policy server and pushed to the iNode client during authentication. The iNode client periodically clears the end user's local ARP table, looks up the gateway (routing) IP information of the user's network card and checks it against the ARP table issued by the security policy server; if the corresponding gateway IP information is found, that record is added to the client machine as a static entry, so a forged gateway mapping cannot take hold.
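The client-side check described above, as an added Python example that is not iNode code. It parses the Windows `arp -a` output format (a constructed sample is embedded), compares the gateway entries against the table the policy server is assumed to push as a mapping from gateway IP to MAC, reports a spoofed gateway together with the other local IPs that share the rogue MAC (the likely attacker), and lists the static entries and commands the client would use to pin the correct mapping.

```python
"""Client-side ARP check: compare the local cache with the issued table.
Added illustration; sample 'arp -a' text and issued table are constructed."""
import re

# One 'arp -a' entry on Windows: IP, MAC with '-' separators, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

# Constructed 'arp -a' output from a client whose gateway entry has been poisoned:
# 192.168.1.77 is answering for the gateway with its own MAC.
SAMPLE_ARP = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed 'correct ARP table' as the policy server would push it.
ISSUED_TABLE = {"192.168.1.1": "00-0A-0B-0C-0D-0E"}


def parse_arp_a(text):
    """'arp -a' text -> {ip: (mac, type)}, MACs lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def check_arp(local, issued):
    """Returns (spoofed, suspects, static_entries):
      spoofed        gateway IP -> rogue MAC currently in the local cache
      suspects       other cached IPs that share a rogue MAC (the likely attacker)
      static_entries (ip, mac) pairs to pin after flushing the cache"""
    spoofed, suspects = {}, set()
    for ip, good_mac in issued.items():
        seen = local.get(ip)
        if seen and seen[0] != good_mac.lower():
            spoofed[ip] = seen[0]
    rogue_macs = set(spoofed.values())
    for ip, (mac, _) in local.items():
        if ip not in spoofed and mac in rogue_macs:
            suspects.add(ip)
    static_entries = [(ip, mac.lower()) for ip, mac in issued.items()]
    return spoofed, suspects, static_entries


def repair_commands(static_entries):
    """What the client would run: flush the cache, then pin each issued entry."""
    return ["arp -d *"] + [f"arp -s {ip} {mac}" for ip, mac in static_entries]
```

Pinning static entries protects the client's own view of the gateway; it does not stop the attacker from poisoning the gateway's view of the client, which is why the page pairs this with switch-side detection and forcing the offender offline.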

2.2.6 Desktop and asset management

Asset management and software distribution are main functions of iMC EAD. They support statistics and management of hardware within the enterprise (computer manufacturer, model, CPU, hard disk and so on) as well as statistics and distribution of operating systems and software. In general, asset grouping, asset management, asset change management, asset statistics and software distribution management can all be implemented.

2.3 Visitor management

Applying EAD in an enterprise network adds some workload to the management of user access; especially in environments with many temporary users, the administrator faces a large number of operations such as opening, closing and issuing accounts. EAD offers an anonymous authentication option that helps administrators reduce the workload of managing temporary accounts without affecting the enforcement of corporate security policy.

Initial EAD deployment: anonymous authentication reduces maintenance workload and quickly meets security admission requirements

In the early stage of an EAD deployment a large number of user accounts usually have to be opened and issued; the workload is heavy and omissions are easy, so some users do not receive accounts in time and cannot access the network normally, leaving them dissatisfied with the IT service level. At this point the administrator can enable anonymous user authentication and set an appropriate security policy for anonymous users (such as restricting the resources they can access). End users then access the network through anonymous authentication while still undergoing the security checks and protection of the EAD client, which improves user satisfaction with IT service while ensuring the corporate security policy is still enforced. Once the EAD deployment is running stably, anonymous authentication can be disabled according to the enterprise's own requirements.

Temporary / visiting users use anonymous authentication, reducing the workload of opening and closing accounts

There will inevitably be temporary or visiting users in the enterprise. The administrator has to open accounts for such users frequently, tell each user their account name and password by some means, and close the account promptly once it is no longer needed so that stale accounts do not accumulate. By enabling anonymous authentication, setting a security policy for anonymous users, and applying port binding or batch MAC binding, temporary and visiting users can be managed easily; with network resource access rights allocated sensibly and security policy control in place, this reduces the workload of opening and closing accounts and improves IT management efficiency.

Special users adopt anonymous authentication to meet their ease-of-use requirements

Some special users in the enterprise may resist having to remember a user name and password to go online, which often has a negative effect on EAD deployment and the rollout of security policy. In such cases the administrator can enable anonymous authentication and help the special user set the anonymous authentication connection to authenticate automatically. The special user is then authenticated automatically after powering on the computer and, under normal circumstances, barely notices the admission process; this spares them from remembering credentials and improves the ease of use of EAD access. In this case, to prevent abuse of anonymous accounts, port or MAC binding must be applied to the anonymous accounts. Note that a MAC address can be forged by anyone on the segment, so MAC binding limits casual misuse rather than providing strong authentication; the restrictive security policy for anonymous users should stay in place regardless of binding.

2.4 High availability solution

In the EAD solution, the EAD security policy server is the key module that authenticates all terminals in the network and maintains their state; it is the core hub of the whole solution. High reliability of the EAD solution therefore focuses on the highly reliable and stable operation of this core EAD server. The dual-server cold standby and hot standby schemes provide the key technical assurance for EAD high availability.

A dual-server system is a scheme in which at least two computers provide redundancy for each other, achieving high application reliability. In a typical two-node system, each node is an independent server running its own processes; these processes can communicate with each other and appear to network clients as a single system that cooperatively provides applications, system resources and data to users. It presents a single client view of network services or applications (including databases, web services and file services) and has several advantages over a traditional single-server system, including support for highly available and scalable applications and capacity that grows modularly.

Using cold standby and hot standby technology together with cluster software that supports multiple computer systems, and the high reliability of the disk array (or IP SAN server) itself, the EAD high availability scheme guarantees end-to-end reliability from network to computing to storage, ensuring the stable operation of the critical EAD security policy server and providing strong assurance for user authentication and terminal security management.

2.4.1 Cold standby

As shown in the figure, when the primary EAD server fails, communication between the switch and the EAD server is interrupted and authentication requests receive no response within the configured time. After the default number of retries, the switch automatically sends the authentication request to the standby EAD server and marks the primary server as blocked. After a configured interval it tries sending an authentication request to the primary EAD server again; if communication is restored the primary is immediately marked active again, while the standby server's state is unchanged.
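The switch-side server selection described above, as an added Python example (not H3C or EAD code). The retry count and block interval are assumptions, since the page gives no defaults; the transport is injected as a callable so the state machine can be driven without a RADIUS server, and the test below does exactly that.

```python
"""Primary/standby RADIUS server selection with a blocked state for the primary.
Added illustration; retry count, block interval and addresses are constructed."""


class RadiusServer:
    def __init__(self, name, host, port=1812):
        self.name, self.host, self.port = name, host, port
        self.state = "active"     # "active" or "blocked"
        self.blocked_at = None


class ServerSelector:
    """The primary is tried first; after `retries` unanswered attempts it is
    marked blocked and the standby answers this and later requests.  Once
    `block_s` seconds have passed the primary is tried again and, if it
    answers, becomes active.  The standby's state is never changed."""

    def __init__(self, primary, standby, retries=3, block_s=300):
        self.primary, self.standby = primary, standby
        self.retries, self.block_s = retries, block_s

    def _try(self, server, transport):
        # transport(server) -> True if a response arrived before the timeout;
        # any() stops at the first answered attempt.
        return any(transport(server) for _ in range(self.retries))

    def authenticate(self, now, transport):
        """Send one Access-Request; returns (server used, answered)."""
        p = self.primary
        if p.state == "blocked" and now - p.blocked_at >= self.block_s:
            p.state = "active"                    # block interval over: probe again
        if p.state == "active":
            if self._try(p, transport):
                return p, True
            p.state, p.blocked_at = "blocked", now
        # primary blocked (or just failed): use the standby for this request
        return self.standby, self._try(self.standby, transport)
```

If both servers fail to answer, the request is reported as unanswered; what the switch does then (reject the user, or fall through to an escape server as in 2.4.3) is a separate configuration decision.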

To keep the account information on the primary and secondary EAD servers in sync, the EAD system provides automatic database synchronization: the primary and secondary servers synchronize their databases every 24 hours. When urgently needed, database synchronization can also be run manually at once. An account created or changed after the last synchronization is unknown to the standby until the next one, so a manual synchronization after bulk account changes avoids authentication failures during a failover.

2.4.2 Hot standby

As shown in the figure, cluster software running between the two EAD servers manages the two computers as a cluster. In the hot standby scheme the cluster management software (SunCluster or the Windows cluster manager) plays the crucial role of managing the two computers as one cluster. To the iNode intelligent clients, the two clustered hosts are equivalent to a single host that presents one access address to the outside; all iNode clients interact with this virtual host for authentication and related message exchange.

At the same time, to protect the data effectively, the EAD high availability scheme must also settle on a redundant disk scheme that prevents a single point of failure from affecting system operation. The EAD scheme recommends storing application and database data on a disk array (an IX1000T IP SAN server can also be used); on this basis the two mutually backing-up computers share one disk space, and if one computer fails the other quickly takes over all message processing.

2.4.3 Escape

As shown in the figure, escape is a low-cost high availability scheme suitable for small and medium-sized networks with limited budgets. To implement it, the escape tool is installed on an ordinary PC, and the IP address of that PC is configured on the access devices as the backup RADIUS server.

When the primary EAD server cannot respond correctly to authentication requests (database problem, machine down, authentication process error and so on), large numbers of users cannot get online. If the backup RADIUS server IP has been configured in advance, the device automatically switches to the PC running the escape tool. The escape process on that PC approves every authentication request outright, regardless of whether the user exists or the password is correct, so a primary server failure does not stop users from using the network. Because every request is accepted, credential verification and security checks are suspended for as long as the escape PC is answering; in practice the switch-over should raise an alarm and the escape PC should be reachable only from the access devices, so that the window is noticed and kept short.


© 2016 Guangzhou Mingchuang Network Technology Co., Ltd. All rights reserved