Abstract: Free Mobility (rendered "service entourage" in the original translation) is a solution that gives users the same network access policy no matter where they connect from or which IP address they use.

This article is republished from the Huawei Cloud community post "Datacom certification new knowledge: Business following"; original author: fan Picture little bookboy.

1. Overview of functions and features

Free Mobility, as the name implies, means that no matter how a person moves around the campus network, where they connect from, where they move to, or whether their IP address changes, their permissions stay the same: the permissions follow the person. Permissions here simply mean whether a user is allowed to access particular resources or other user groups.

In essence, the Free Mobility scheme decouples IP addresses from policies: users get the same permissions regardless of the IP address they use and the location they access the network from.

The Free Mobility solution divides the users on a network into groups according to actual requirements, for example teachers and students on an education campus. Network administrators assign accounts to users and bind the accounts to groups according to defined rules. When a user accesses the network, the network device authenticates the user and binds the user to the corresponding group based on the authentication result. At the same time, the network device holds the inter-group communication matrix (policy control matrix) delivered by the administrator. When traffic from an authenticated user reaches the network device, the device derives the source and destination groups from the packet's source and destination addresses and looks the pair up in the communication matrix to decide whether the traffic is permitted.

2. Basic concepts of Free Mobility

1. Security group

A security group is a collection of communication objects on the network. You create security groups on iMaster NCE as required; on an office campus network, for example, you might define security groups for marketing, R&D, and sales users. Security groups are defined intuitively, according to their real-world meaning.

A security group can be authorized to users according to 5W1H conditions (who the user is, and when, where and how they access the network, and so on): users who satisfy the conditions are authorized into the specified security group (a dynamic security group). Alternatively, a security group can be defined by statically binding IP addresses to it (a static security group).

The figure above shows creating a dynamic security group on iMaster NCE. A static security group is created as follows:

Once defined, a static security group appears in the communication matrix just like a dynamic one and can be used as the source or destination security group.

2. Resource group

Static server resources can be expressed by binding IP address segments to security groups; the static binding between a security group and its IP addresses is delivered to the device through NETCONF. However, server resources whose IP address sets overlap cannot be told apart by security groups alone. Resource groups solve this by allowing the same IP address to appear in more than one resource group. Resource groups can be used as the destination in inter-group policies.

The page for creating a resource group on iMaster NCE is as follows:

A resource group can only be the destination security group in the communication matrix, never the source. The drawback of resource groups is that the device generates one policy entry per IP address rather than one per resource group, so the number of policies can grow large.

3. Policy control

After security groups are defined, the administrator defines inter-group policies for the entire network in terms of those groups. Inter-group policies are configured in the policy matrix; an inter-group permission policy controls the access permissions between two groups.

4. Authentication point, policy enforcement point and iMaster NCE

  • Authentication point: authenticates terminals and obtains the authorization result, such as the security group a terminal belongs to, from iMaster NCE. If policy linkage is deployed on the network, the authentication point is the authentication control point.

  • iMaster NCE: acts as the authentication server and policy control center for Free Mobility. It maintains the communication matrix between security groups for the entire network.

  • Policy enforcement point: obtains the communication matrix between security groups from iMaster NCE. On receiving traffic, it looks up the source and destination security groups corresponding to the packet's source and destination IP addresses and applies the matching policy. If the policy permits the traffic, the traffic is forwarded.

3. Overview of implementation steps

4. Overview of working mechanism

1. Create users and security groups

1) Network administrators define security groups in iMaster NCE.

Network administrators can create dynamic or static security groups. With a dynamic security group, the network device binds a user to the group at authentication time according to the authorization rules configured on the controller. With a static security group, the administrator manually binds IP addresses or address segments to the group.

In the example shown above, three security groups are created: Group1, Group2, and Server. Group1 and Group2 are dynamic security groups; Server is a static security group, for which the administrator defines a static mapping, for example mapping the server IP address 10.1.1.1 to the Server group. In practice, Group1 and Group2 are defined according to actual conditions; on an education campus, for example, they could be named Teacher and Student.

2) The network administrator creates user accounts on iMaster NCE, configures authorization rules based on the 5W1H conditions, and binds users to the corresponding groups.

2. Define and deploy inter-group policies

1) Network administrators define inter-group policies in iMaster NCE, that is, the inter-group communication matrix. For example: Group1 and Group2 are allowed to access Server, and Group1 is forbidden to access Group2.

2) Policy deployment: the network device acting as the policy enforcement point connects to iMaster NCE, and iMaster NCE automatically delivers the security groups and inter-group policies to it.

iMaster NCE delivers the groups Group1, Group2, and Server (name and group ID) together with the inter-group policy defined above to the network devices. This prepares the system for the automatic operation that follows. The policy enforcement point in the figure below is the network device that applies the (permission) policy.

3. The system runs automatically

  • Authentication: when a user attempts to access the network, iMaster NCE verifies the user's credentials.

  • Authorization: iMaster NCE matches the authorization policy and, based on the 5W1H conditions, authorizes the user into a security group. The device dynamically adds the IP address the user is using to that group. The controller centrally maintains the mapping between all online users' information (such as user name and IP address) and their groups.

  • Enforcement: the network device identifies the source and destination groups of a packet from the IP-to-group mapping kept locally and on iMaster NCE, then matches and applies the inter-group policy.

Specific examples are as follows:

  • When a user goes online (User1 in this example), the switch Core acts as the authentication point: it initiates user authentication and exchanges the user's authentication information with iMaster NCE.

  • iMaster NCE checks the user's login conditions and associates the user with the security group (Group1) bound in the authorization result.

  • After the user is authenticated, iMaster NCE notifies the authentication point Core of the security group the user belongs to.

  • The authentication point Core reports the real IP address currently used by the user (168.1.1 in the example).

  • iMaster NCE associates that IP address with Group1 and records it in the online user information table.

  • User2 goes online in the same way. The authentication point Core now holds online user entries for User1 and User2, including their IP addresses, MAC addresses, and security groups.

  • Now User1 sends data to User2. Core receives the service packet, identifies its source and destination groups, and applies the inter-group policy: because Group1 is forbidden to access Group2, the traffic from User1 to User2 is discarded by Core.
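A worked model of the mechanism described in sections 2 and 4, as an added example that is not part of the original article and not Huawei code: a toy controller (the iMaster NCE role) holding accounts, 5W1H-style authorization rules, static security groups, resource groups and the communication matrix, and an enforcement point that maps a packet's addresses to groups and consults the matrix. It also shows why a resource group costs one policy entry per host, and that a user who re-authenticates from a new address keeps the same permissions. The class and function names, the sample accounts and addresses, the hour/access-point conditions in the rule, and the default-deny treatment of group pairs absent from the matrix are all assumptions; the Group1/Group2/Server names and the 10.1.1.x server address come from the article.

```python
"""Toy model of a Free Mobility controller (iMaster NCE role) and policy enforcement point.
Added example, not Huawei code: class names, sample accounts, addresses and the
default-deny behaviour are assumptions made to illustrate the mechanism."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

PERMIT, DENY, UNKNOWN = "permit", "deny", "Unknown"


@dataclass
class AuthorizationRule:
    """Simplified 5W1H rule: account (who), access point (where), hours (when) -> group."""
    account: str
    group: str
    access_points: Tuple[str, ...] = ()   # empty means any access point
    hours: Tuple[int, int] = (0, 24)      # [start, end) hour of day

    def matches(self, account: str, access_point: str, hour: int) -> bool:
        return (self.account == account
                and (not self.access_points or access_point in self.access_points)
                and self.hours[0] <= hour < self.hours[1])


class Controller:
    """Accounts, authorization rules, group definitions, policy matrix and online-user table."""
    def __init__(self) -> None:
        self.credentials: Dict[str, str] = {}
        self.rules: List[AuthorizationRule] = []
        self.static_groups: Dict[str, list] = {}        # security group -> IP segments
        self.resource_groups: Dict[str, Set[str]] = {}  # resource group -> host IPs (destination only)
        self.matrix: Dict[Tuple[str, str], str] = {}    # (src_group, dst_group) -> action
        self.online: Dict[str, Tuple[str, str]] = {}    # ip -> (account, group)

    def authenticate(self, account: str, password: str, access_point: str, hour: int) -> Optional[str]:
        """Return the authorized security group, or None if the credentials or every rule fail."""
        if self.credentials.get(account) != password:
            return None
        return next((r.group for r in self.rules if r.matches(account, access_point, hour)), None)

    def bind_user(self, ip: str, account: str, group: str) -> None:
        self.online[ip] = (account, group)           # IP reported by the authentication point

    def logoff(self, ip: str) -> None:
        self.online.pop(ip, None)                    # a stale binding must not outlive the session


class EnforcementPoint:
    """Network device that maps packet addresses to groups and applies the matrix."""
    def __init__(self, ctl: Controller, default: str = DENY) -> None:
        self.ctl, self.default = ctl, default        # assumption: pairs absent from the matrix are dropped

    def group_of(self, ip: str, as_destination: bool = False) -> str:
        if ip in self.ctl.online:                                # dynamic binding from authentication
            return self.ctl.online[ip][1]
        addr = ip_address(ip)
        for group, nets in self.ctl.static_groups.items():      # static IP-segment binding
            if any(addr in net for net in nets):
                return group
        if as_destination:                                       # resource groups never match as source
            for group, hosts in self.ctl.resource_groups.items():
                if ip in hosts:
                    return group
        return UNKNOWN

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """Per-packet decision: (source group, destination group) looked up in the matrix."""
        pair = (self.group_of(src_ip), self.group_of(dst_ip, as_destination=True))
        return self.ctl.matrix.get(pair, self.default)

    def policy_entry_count(self) -> int:
        """One entry per group pair, but one per host when the destination is a resource group."""
        return sum(len(self.ctl.resource_groups[dst]) if dst in self.ctl.resource_groups else 1
                   for _src, dst in self.ctl.matrix)


def build_demo() -> Tuple[Controller, EnforcementPoint]:
    """Constructed sample data mirroring the article's Group1/Group2/Server scenario."""
    ctl = Controller()
    ctl.credentials = {"User1": "pw1", "User2": "pw2"}   # constructed accounts, not real ones
    ctl.rules = [AuthorizationRule("User1", "Group1"),
                 AuthorizationRule("User2", "Group2", access_points=("Core",))]
    ctl.static_groups = {"Server": [ip_network("10.1.1.0/24")]}
    ctl.resource_groups = {"Printers": {"10.1.2.10", "10.1.2.11"}}
    ctl.matrix = {("Group1", "Server"): PERMIT, ("Group2", "Server"): PERMIT,
                  ("Group1", "Group2"): DENY, ("Group2", "Printers"): PERMIT}
    return ctl, EnforcementPoint(ctl)


def login(ctl: Controller, account: str, password: str, ip: str,
          access_point: str = "Core", hour: int = 10) -> Optional[str]:
    """Authentication-point flow: authenticate, then report the user's IP so it is bound to the group."""
    group = ctl.authenticate(account, password, access_point, hour)
    if group is not None:
        ctl.bind_user(ip, account, group)
    return group


if __name__ == "__main__":
    ctl, pep = build_demo()
    login(ctl, "User1", "pw1", "192.168.1.1")
    login(ctl, "User2", "pw2", "192.168.1.2")
    print(pep.evaluate("192.168.1.1", "10.1.1.1"), pep.evaluate("192.168.1.1", "192.168.1.2"))
    ctl.logoff("192.168.1.1")                       # User1 roams: old address unbound ...
    login(ctl, "User1", "pw1", "192.168.5.7")       # ... new address bound to the same group
    print(pep.evaluate("192.168.5.7", "10.1.1.1"))  # still permitted: the policy followed the user
```

Running the script prints `permit deny` for User1's traffic to the server and to User2, then `permit` again after User1 re-authenticates from a different address. Two points worth noticing: the decision is keyed entirely on the IP-to-group table, so its integrity is what the scheme rests on; a binding must be removed when the user goes offline (the logoff step), and the access layer must prevent a host from sourcing packets with an address bound to someone else, otherwise "permission follows the person" degrades to "permission follows the address". And `policy_entry_count` makes the resource-group cost from section 2 concrete: the single `Group2 -> Printers` matrix cell expands into one entry per printer.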
