
Campus Network Security Solution

Oil and gas companies apply ICT technologies to cut costs and mitigate risks, increasing revenue and enhancing efficiency. They
build campus networks that cover their own working areas, to support oil and gas prospecting, production, transportation,
processing, storage, sales, and other activities of their business. As information technologies develop, oil and gas companies are
confronted with the following challenges when building campus networks.
Mobile office: The increasing consumption of terminals threatens the border security of traditional campus networks. The prevalence
of applications may trigger more data leakage risks. The boundaries between office services and personal data are increasingly
blurred. The extensive use of smart terminals to access campus networks brings network security problems. Employees working at
remote offices may encounter security problems in service operation and data transmission.
Web-based applications: The ease-of-use of the web creates mounting security problems, so oil and gas companies are compelled
to find ways to secure their web portals and web service platforms to effectively control terminal users' web access, to effectively
resist hostile attacks and Trojan programs from web-based applications, and to protect campus networks from security threats like
information leakages through email or web-based instant messaging applications.
Segmented functional areas: Exposed to the Internet, demilitarized zones (DMZ) are battling with relentless security threats,
compelling oil and gas companies to find ways to make their multi-service campus networks more secure and reliable, to improve
the policies and systems adopted to control access between different service areas, to block viruses and hostile attacks from
spreading between different service areas, and to monitor deliberate and illegal behaviors internally.
Data explosion: Oil and gas companies have to consider how to guarantee data security when massive amounts of data are
transmitted, how to guarantee legal access to massive amounts of data related to core businesses, how to prevent data leakage
through internal and external networks, how to secure data through virtualization, and how to secure data backup.

Huawei Solution
The Campus Network Security Solution consists of five parts: border protection, terminal security, remote access, network traffic clean-up, and
application surveillance. These five flexible, collaborative parts constitute a reliable solution to secure the campus networks of oil and gas companies.
[Figure: solution overview. Sites: HQ of oil group, branch offices, subsidiary, R&D base, off-site employee. Links: SSL VPN, IPSec VPN, private line, MPLS, Internet, 10GE link, Gigabit Ethernet (GE) link. Zones: Wi-Fi access zone, DMZ (web server), data center (application server), management center, terminals inside the company. Solutions: border security, remote access security, network traffic clean-up security, terminal internal control security, fine-grained management security, unified security management. Products: SIG9800, SVN series, NIP5000, ASG2600, UMA, iSoc (UMA-DB), FW/UTM, router, switch, eLog Server, VSM Server.]

Customer Benefits
This solution provides robust protection for customers' campus
networks and defends against a large quantity of internal and
external attacks, to support the stable business operations of
customers, support the secure remote access from branches and
off-site employees, and provide enterprises with a panoramic view
of their network security situation, support their analysis on public
opinions, and proactively protect campus networks. This solution
can also reduce customers' expenses on managing and maintaining
confidential data.

Solution Architecture
Scenario 1: Access control
Through deploying all-in-one equipment (like firewall [FW] and unified threat management [UTM], which integrates firewall, router,
switch, VPN, antivirus device, intrusion prevention system [IPS], Wi-Fi, CDMA, and voice), this solution effectively monitors Internet
access, terminal access, and remote access, guaranteeing network access security. Through high-performance clean-up of traffic from
malicious attacks, network egress is protected from distributed denial of service (DDoS) attacks. Through isolating and protecting
enterprise networks from the Internet, this solution offers trustworthy cross-network (internal and external) access control policies. The
separated business zones prevent security threats from spreading between different business networks. Robust data security protections
are made possible with the best use of access controls over all authorized users. The unified security access control policy helps to upgrade
the protection level. The defense access control system integrates the three dimensions of network, application, and data.

Through deploying security manager (SM), security controller (SC) and security access control gateway (SACG) and installing security
agent (SA) in terminals, this solution allows authorized users to access the network at any time, in any place and through any device.
[Figure: access control deployment. Labels: management center (SC, SM), branch offices, employees on business trips, VPN private line, Internet, MPLS private network, oilfield, subsidiary, core network, DMZ (web, e-mail, application), office area, data center, SACG, FW/UTM. Legend: SA: Security Agent; SM: Security Manager; SC: Security Controller; SACG: Security Access Control Gateway.]

Scenario 2: Application content security


By deploying the antivirus defense system that integrates unified threat management (UTM) and an antivirus gateway that blocks AVE
viruses, this solution also applies the new file reputation technology (FRT) and web reputation technology (WRT) to intercept access to
malicious files and websites and thereby destroy the virus infection chain. With double engines and through three-dimensional defense,
this solution builds a comprehensive enterprise antivirus system.
By deploying office information control (OIC) and document security management (DSM) systems, this solution centralizes document
security management.
Centralized management helps to prevent information leakage and centralizes the storage and management of multi-service and multi-source information and data while also allowing information to be easily queried and searched.
Security management guarantees information security by unifying the data security level setting and applying different control methods
(including query, encryption, printing, and tracking).
Value-added services facilitate sharing and increase information value by offering personal space storage services as well as multi-format
online editing and playing.
[Figure: application content security deployment. Labels: employees on business trips, branch offices, VPN private line, Internet, MPLS private network, oilfield, subsidiary, core network, DMZ (e-mail, web, application), office area, data center, management center, OIC server, SACG, UTM+/AVE Virus Gateway, antivirus. Legend: DMC: document management control server; DSM-C: document security management client.]

Scenario 3: Fine-grained management


This solution can identify users and applications that access the company's campus networks and present abundant reports.
With abundant and accurate protocol detection, this solution reaches a 96% plus accuracy rate in hotspot protocol recognition,
supporting over 850 types of protocols. This solution covers all mainstream application protocols (including the popular point-to-point
(P2P) encryption protocols), promptly responds to customized requirements and upgrades and updates the knowledge base regularly.
The solution limits the network traffic for P2P downloading and online video playing at campus network egress, for the purpose of
improving bandwidth efficiency, reducing campus network and broadband network congestion, and cutting the expenses on bandwidth
expansion at the egress of the campus networks.
This solution offers the iCache tool that provides suggestions on avoiding network congestion and localizing network traffic to reduce needs for and cut the
costs of bandwidth at egress. This solution also improves user experience when users get access to the Internet from oilfield residence areas and office areas.
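[Figure: fine-grained management at the campus network egress. Labels: Internet, P2P, visualized network, service tiers (Gold, Silver, Bronze), campus network egress, SIG background system, SIG9800, access layer. Protocol categories recognized: Game 100+, Stream 70+, P2P 70+, VoIP 60+, Video 50+, IM 50+, PeerCastin, Mobile 15+, Stock 10+. Traffic types shown: P2P upload, P2P download, VoIP, WebTV, videoconferencing, gaming, email.]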

Scenario 4: Security audit


This is an end-to-end security audit solution provided for energy industry customers to satisfy their needs for compliance audits.
This solution helps customers comply with security regulations.
The solution helps to reduce leakage of information assets.
The solution helps customers to trace the sources of attacks and illegal access and define the responsibilities of all parties involved.
The solution helps to improve the IT internal control system and security management system.
The solution unifies security management and O&M.

[Figure: security audit deployment. Labels: Internet, oilfield, oil and gas prospecting company, branch office, MPLS private network, core network, DMZ (e-mail, web, application), office area, data center, management center, TSM server, operation system for production and office automation, unified auditing platform. Audit types: terminal operation behavior audit, audit of online employee behavior, O&M behavior audit, database behavior audit.]

Scenario 5: Security management


This is an end-to-end security management solution provided for energy industry customers to satisfy their needs for compliance
management.
The solution supports the unified collection, analysis and presentation of equipment logs across the entire campus network.
The solution supports visualized O&M management as well as diversified managerial roles.
With high-performance analysis engines, this solution supports correlated analysis of massive amounts of audit logs and responds to all levels.
The solution supports self-learning and dynamic service modeling.
[Figure: security management architecture. Labels: UMA (unified authentication, unified authorization, unified management); iSoc+VSM (unified security management platform); management center; data center (core services, server, database); log collector; terminal security management; network equipment management; security equipment management.]
