
What Is Network-Security Convergence?

Network-security convergence can restore the subnets of security zones. Based on the preconfigured network-security matrix and the existing security policies on firewalls, it can automatically check the compliance of user security intents and the matching degree of existing security policies during new service provisioning. It can also automatically recommend security policy rules that meet user security intents and provision multi-security zone policies in a collaborative manner within minutes. All of this maximizes the efficiency of security policy changes and simplifies O&M.

Why Do We Need Network-Security Convergence?

In data center scenarios, firewall security policy management accounts for more than 50% of routine network O&M. As the service volume increases, the provisioning and change of security policies become more and more complex, presenting the following pain points:

  1. After receiving a service request, the security team needs to analyze and locate the involved IP addresses and find the firewall location, which is complicated. The security team needs to manually maintain the network-security matrix.
  2. When analyzing service requests, the security team needs to analyze the matching degree of a large number of existing security policies. In NAT scenarios, generating a security policy configuration scheme is time-consuming, because both pre-NAT and post-NAT addresses need to be taken into account.
  3. If security devices are provided by different vendors, the security policy configuration scheme needs to be adapted according to the configurations of different vendors.
  4. Policy configurations are difficult to deliver, security devices are scattered, and policies need to be enabled for multiple zones and firewall blocking points. It takes a long time for network engineers to update different scripts.
  5. Verifying the generated security policy is time-consuming.

To address the preceding pain points, Huawei has launched the network-security convergence function, built on the network digital map of iMaster NCE. When new services are rolled out, this function automatically recommends and delivers security policies that meet user intents on iMaster NCE. With it, multi-security zone policies can be provisioned in a collaborative manner within minutes, making security policy changes more efficient and simplifying O&M. Third-party integration is also supported, minimizing the cost of adapting third-party firewalls.

Implementation of Network-Security Convergence

The digital map holds a large volume of network data, which enables network-security convergence to restore the subnets of security zones. Based on the preconfigured network-security matrix and the existing security policies on firewalls, network-security convergence can automatically check the compliance of user security intents and the matching degree of existing security policies during new service provisioning. In addition, it can automatically recommend security policy rules that meet user security intents and provision multi-security zone policies in a collaborative manner within minutes. The following figure shows the configuration process of network-security convergence.

Figure: Configuration process of network-security convergence

Network-security convergence provides the following capabilities:

  • Firewall policy collection, synchronization, restoration, and management

    Policy configuration information can be collected from firewalls, including security policies, NAT policies, service sets, address sets, and security zones. You can configure a scheduled task for data collection and synchronization or manually trigger instant data collection and synchronization.

    The collected policy configurations can be parsed and converted into a unified security model, saved into the database, and restored on the GUI, enabling efficient management.

    Collection and parsing scripts for Huawei firewalls and some third-party firewalls are preset (the original device commands are mapped onto the unified model). In addition, new models can be added dynamically, and devices from new vendors can be adapted dynamically.

  • Security zone management

    A security zone is a logical concept. Security zones are designed based on whether service traffic needs to pass through firewalls for isolation or access control. For example, services whose traffic needs to pass through firewalls are planned in different security zones, and services whose traffic does not need to pass through firewalls are planned in the same security zone. A security zone can contain one or more fabric zones, and a fabric zone can be divided into multiple security zones.

    With network-security convergence, you can intuitively search for, add, and delete security zones, as well as manage regions, devices, VPNs (VPCs), and BDs (in the ACI scenario) as members of security zones. In addition, subnets in a security zone can be automatically restored (based on the VBDIF/VLANIF gateway information of the device and the subnet information associated with the ACI BD), and subnets in security zones can be manually added and managed.

  • Network-security matrix management

    Network-security convergence can help you manage the connectivity between security zones. It allows you to select security zones to manage the network-security matrix.

    The security outline for access between any two security zones in the network-security matrix can be specified, including the source and destination security zones, security specifications, and corresponding policy paths.

    • Security compliance check can be performed on existing policies of policy nodes in a policy path.
    • Policy paths can be manually orchestrated. The VAS to which the corresponding security zone belongs is automatically displayed. You can select the policy nodes of multiple VASs and their execution sequence to orchestrate policy paths.
    • Policy paths can be automatically restored, and the automatically restored policy paths can be manually edited.

  • Automatic security policy recommendation

    After you enter a 5-tuple security intent (source and destination IP addresses and so on), network-security convergence automatically checks, recommends, and delivers policies.

    1. Network-security convergence automatically checks security outline compliance to determine whether your security intent is met.
      • If so, network-security convergence proceeds with further analysis.
      • If not, the process ends.
    2. Network-security convergence automatically matches and checks existing policies. It displays the policy path corresponding to the security intent and determines whether existing policies match it, including the security policies and NAT policies on each firewall in the policy path.
      • If the analysis result is Deny, network-security convergence proceeds with automatic recommendation of security policies.
      • If the analysis result is Permit and the matching policy has been deployed, the process ends.
    3. Network-security convergence automatically recommends security policies, including security policies for multiple firewalls in the policy path. Then, network-security convergence generates and delivers the workflow.
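The three-step flow above, together with the subnet restoration and matrix compliance check described earlier, as an added illustration that is not code from the page or from iMaster NCE. All zones, subnets, firewalls, NAT entries and rules are constructed sample data; the 5-tuple is reduced to source, destination, protocol and destination port, and a missing rule yields a minimal host-level permit recommendation (an assumption, not the product's rule-generation logic).

```python
from ipaddress import ip_address, ip_network

# Constructed sample data, not taken from the page: three security zones with
# their restored subnets, a network-security matrix whose entries carry the
# permitted outline and the policy path (ordered firewalls), and each
# firewall's destination-NAT table and security rules (first match wins).
ZONES = {
    "web": [ip_network("10.1.0.0/24")],
    "app": [ip_network("10.2.0.0/24")],
    "db":  [ip_network("10.3.0.0/24")],
}
MATRIX = {
    ("web", "app"): {"allow": {("tcp", 8080)}, "path": ["fw1"]},
    ("app", "db"):  {"allow": {("tcp", 3306)}, "path": ["fw1", "fw2"]},
}
FIREWALLS = {
    "fw1": {"nat": {}, "rules": [("10.1.0.0/24", "10.2.0.0/24", "tcp", 8080, "permit")]},
    # fw2 translates the published DB address and evaluates policy on the post-NAT address
    "fw2": {"nat": {"10.3.0.10": "192.168.3.10"},
            "rules": [("10.2.0.0/24", "192.168.3.0/24", "tcp", 3306, "permit")]},
}

def zone_of(ip):
    """Map an address to its security zone via the restored subnets (None if unknown)."""
    for zone, nets in ZONES.items():
        if any(ip_address(ip) in net for net in nets):
            return zone
    return None

def match_rules(fw, src, dst, proto, port):
    """Return the action of the first matching rule; no match is an implicit deny."""
    for r_src, r_dst, r_proto, r_port, action in FIREWALLS[fw]["rules"]:
        if (ip_address(src) in ip_network(r_src) and ip_address(dst) in ip_network(r_dst)
                and r_proto == proto and r_port == port):
            return action
    return "deny"

def check_intent(src, dst, proto, port):
    """Steps 1-3 of the flow for one intent: outline check, path walk, recommendation."""
    entry = MATRIX.get((zone_of(src), zone_of(dst)))
    if entry is None or (proto, port) not in entry["allow"]:
        return {"result": "non-compliant", "path": [], "recommend": []}  # step 1: outline violated
    recommend, cur_dst = [], dst
    for fw in entry["path"]:                                       # step 2: walk the policy path
        cur_dst = FIREWALLS[fw]["nat"].get(cur_dst, cur_dst)       # post-NAT destination on this hop
        if match_rules(fw, src, cur_dst, proto, port) != "permit":  # step 3: propose a rule
            recommend.append((fw, f"{src}/32", f"{cur_dst}/32", proto, port, "permit"))
    return {"result": "recommend" if recommend else "permit",
            "path": entry["path"], "recommend": recommend}
```

The app-to-db case shows the NAT caveat from the pain-point list: fw2's rule is written against the post-NAT address, so it already permits the flow, while fw1 has no matching rule and gets a recommendation.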

Typical Application of Network-Security Convergence

A financial institution may have dozens or even hundreds of network changes every week, over 55% of which are related to security policies. It may also have a complex network environment, with hundreds of security zones, thousands of switches, hundreds of firewalls, and hundreds of thousands to millions of security policies across the entire network.

When service requirements arise, network change and security policy change requirements are assigned to the network team and security team through the work order system. The two teams need to analyze the work orders, design implementation solutions, perform tests, and deploy solutions.

Financial services usually need to communicate across security zones and pass through multiple firewalls. The security team needs to locate the related IP addresses, determine the firewalls that the services pass through, and then determine the compliance of the existing policies. If existing policies cannot meet requirements, the security team needs to design new security solutions and verify their correctness and compliance. All of this can take days or even months. In addition, security devices from multiple vendors may be deployed on the network. During security solution design and implementation, attention needs to be paid to configuration differences across multi-vendor devices, making configuration even more complicated.

iMaster NCE supports network-security convergence, which can automatically collect and restore security policies and NAT policies on the network and construct intuitive service access paths based on the security matrix. After 5-tuple security intents such as the source and destination IP addresses are entered, network-security convergence automatically checks the existing policies. If existing policies cannot meet the security intents, network-security convergence intelligently recommends and generates security policies, enabling quick delivery of configurations to multi-vendor firewalls.

Huawei network-security convergence can sort out security policy matrices and recommend optimal policy adjustment solutions for tens of thousands of devices within minutes, enabling security services to be provisioned within minutes and improving the efficiency of security policy changes.

Figure: Benefits of network-security convergence

About This Topic
  • Author: Zhang Fan, Zhang Yanlin
  • Updated on: 2025-06-20