Devices can be added to the SecoManager through the following methods: manual import and automatic device discovery.
- • Manual import: Device information is entered into a specific template and then imported to the SecoManager, which proactively connects to the devices.
- • Automatic device discovery: Devices in a specified IP subnet can be discovered and added through SNMP.
The SecoManager enables quick login to the web UI of discovered Huawei firewalls in order to change the admin user password.
1. Security policy management
Security policies determine packet forwarding and content security detection on a firewall. A firewall matches the attributes of traffic against the conditions of a security policy, and if all the conditions are met, the traffic matches the security policy. The firewall then applies the action defined in the matching security policy to the traffic.
- • If the action is permit, the firewall performs content security detection on the traffic and determines whether to permit the traffic based on the detection result.
- • If the action is deny, the firewall does not permit the traffic.
Security policy management supports centralized control of security policies on all firewalls and distribution of those policies to physical and vFWs, ensuring consistency across the entire network and simplifying policy maintenance. Security policy management enables configuration of security policies for firewalls, allowing automatic identification and filtering of network traffic passing through the firewalls.
2. Policy orchestration
The SecoManager supports security policy orchestration based on the protected subnet and automatically deploys security policies to firewalls accordingly. If the protected subnet changes, devices can be re-selected and security policies can be re-deployed to implement automatic orchestration.
3. Policy optimization
Policy optimization provides the following functions:
- • Application discovery: discover new, removed, and changed applications. Application discovery results can be imported to an application policy for deployment.
- • Redundancy analysis: analyze all policies on one or more firewalls to identify any that may be redundant. These can then be disabled or deleted as required.
- • Matching analysis: discover which policies are not often used, allowing administrators to perform optimization to ensure service security and maximize firewall performance and efficiency. Unnecessary policies can be deleted.
- • Compliance check: define compliance check rules to identify a policy as a whitelist item or a risk item. For low-risk policies, compliance check items can be configured to add them to a whitelist. The system then automatically approves the policies, enhancing approval efficiency.
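The first-match evaluation described under security policy management (conditions must all hold, permit still goes through content security detection, otherwise default deny) and the redundancy analysis listed above, as an added example that is not SecoManager code. Rule fields, the `Flow` tuple, the `content_ok` hook and the sample policy set are all constructed assumptions for illustration:

```python
import ipaddress
from collections import namedtuple

# src/dst are CIDRs, proto is "tcp", "udp" or "any", dport is an inclusive
# (low, high) destination port range, action is "permit" or "deny"
Rule = namedtuple("Rule", "name src dst proto dport action")
Flow = namedtuple("Flow", "src_ip dst_ip proto dport")

def rule_matches(rule, flow):
    """Every condition of the rule must hold for the flow to match it."""
    return (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport[0] <= flow.dport <= rule.dport[1])

def evaluate(policies, flow, content_ok=lambda f: True):
    """First matching rule wins. 'deny' drops the flow; 'permit' still sends it
    through content security detection (content_ok). No match: default deny."""
    for rule in policies:
        if rule_matches(rule, flow):
            if rule.action == "deny":
                return rule.name, "deny"
            return rule.name, ("permit" if content_ok(flow) else "deny")
    return None, "deny"

def covers(a, b):
    """True when every flow that matches rule b also matches rule a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def redundant_rules(policies):
    """A rule fully covered by an earlier one is never hit: 'redundant' if the
    actions agree (safe to delete), 'shadowed' if they conflict (needs review)."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings

# Constructed sample policy set, not taken from any real firewall
POLICIES = [
    Rule("allow-web", "10.1.0.0/16", "192.0.2.0/24", "tcp", (80, 443), "permit"),
    Rule("deny-mgmt", "10.1.0.0/16", "192.0.2.10/32", "tcp", (22, 22), "deny"),
    Rule("allow-http-dup", "10.1.2.0/24", "192.0.2.0/24", "tcp", (80, 80), "permit"),
    Rule("allow-ssh-admin", "10.1.2.0/24", "192.0.2.10/32", "tcp", (22, 22), "permit"),
]
```

Only a rule that is fully covered is reported; partial overlaps are left for a matching (hit-count) analysis, since they may still be reached by some flows.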
4. Policy simulation
It can be challenging to determine whether device functionality will be affected when a large number of policies are changed. The policy simulation function evaluates the impact of the updated policies before they are deployed to devices. This leaves room to adjust policies first and prevents updated policies from disrupting devices.
5. Configuration consistency check
Device configurations must be consistent with those on the NMS. The SecoManager supports manual and automatic configuration synchronization from devices, with comparison and analysis possible on the GUI. In addition, configurations can be synchronized with one click.
6. VPC policy
VPCs provide isolated VMs and network environments to meet the data security isolation requirements of different tenants. A VPC policy is specific to a tenant VPC network and provides security service configurations such as NAT policy, EIP, traffic policy, and anti-DDoS.
- • NAT policy: Tenants use private IP addresses and cannot directly access the Internet. NAT translates their private IP addresses to specific public IP addresses to allow them to access the Internet.
- • EIP: A public IP address is bound to a specific service IP address on the intranet to form a mapping. When the internal network provides services externally, external hosts need to reach internal network resources. After EIP is deployed, only the public IP address is exposed to the external network: packets arrive with the public IP address as their destination, and it is translated to the mapped private IP address so that the internal service can be reached.
- • Traffic policy: A firewall manages and controls traffic based on services and ports to improve bandwidth efficiency and prevent bandwidth exhaustion.
- • Anti-DDoS: Defense against various common DDoS attacks and traditional single-packet attacks.
The SecoManager is based on an open software platform and has an architecture composed of loosely coupled components. It exposes extensive API capabilities.
- • The SecoManager connects to the SDN controller to synchronize information about tenants, network topologies, VPCs, SFCs, and EPGs created by the SDN controller.
- • The SecoManager manages southbound physical and virtual network devices using standard protocols including NETCONF and SNMP.