A security group is an abstracted and logical set of communicating objects on the network. Security group members can be network terminals such as PCs and smartphones. They can be statically added by an administrator or dynamically added during authentication.
An administrator can add the users requiring the same access control policy to the same UCL group, and configure an access control policy for the group. Network objects are added to the same security group based on their similarities in network access, and obtain the same rights based on the policy configured for the security group. For example, an R&D group is a set of individual hosts, a printer group is a set of all printers on the entire network, and a database server group is a set of server IP addresses and ports. Compared with the solution in which access control policies are deployed for each user, the security group-based access control solution greatly reduces the administrator's workload.
Classification of Security Groups
An administrator can define security groups to describe and organize the sources or destinations of network traffic: user hosts, IP phones, servers, and interfaces of network devices, that is, anything that has an IP address and can send or receive IP packets. To control mutual access between these devices, an administrator first needs to define them on a controller.
Security groups include:
- Dynamic user groups: contain users and terminals that can access the network only after authentication.
- Push user groups: contain authenticated users and terminals whose network access rights are controlled by policy enforcement devices based on the group policies delivered by a controller through an IP-GROUP channel. Agile Controller-Campus does not support push user groups.
- Static resource groups: contain devices that have fixed IP addresses. These resources include data center servers, interfaces of network devices, and special terminals that use fixed IP addresses to access the network without authentication.
- Emergency resource groups: contain resources that users can still access after the IP-GROUP channel fails. Agile Controller-Campus does not support emergency resource groups.
When a security group is bound to multiple authorization rules, it is a dynamic user group; when a security group is bound to multiple IP addresses or IP network segments, it is a static resource group. Differences between dynamic users and static resources are as follows:
- The IP address of a dynamic user is not fixed; instead, it is dynamically associated with a security group after the user is authenticated. After the user logs out, the association is dynamically canceled, with the mappings between user IP addresses and security groups remaining valid only when users are online. A network device can obtain the mappings only when it functions as the authentication device of users or actively queries the mappings from a controller.
- The IP address of a user in the push user group is not fixed; instead, it is dynamically associated with a security group after the user is authenticated. After the user logs out, the association is dynamically canceled, with the mappings between user IP addresses and security groups remaining valid only when users are online. A policy enforcement device can obtain the mappings based on the group policies delivered by a controller through an IP-GROUP channel.
- The IP address of a static resource is fixed. An administrator needs to configure the bindings between security groups and static resource IP addresses. In the pre-deployment phase, the bindings are synchronized to all policy enforcement devices when a controller synchronizes policies to these devices through the Extensible Messaging and Presence Protocol (XMPP).
- The IP address of an emergency resource is also fixed. An administrator needs to configure the bindings between emergency resource groups and emergency resource IP addresses. In the pre-deployment phase, the bindings take effect on policy enforcement devices if the IP-GROUP channel between the policy enforcement devices and controller fails.
If an IP address is added to different groups in both authentication and static modes, the security group with the highest priority takes effect. The priorities of security groups are as follows, in descending order: dynamic user group > push user group > static resource group > emergency resource group.
Joining a Security Group
Members can join a security group in the following ways:
A key technology in the free mobility solution is to synchronize the association between users and security groups to other devices. Common group information synchronization methods are as follows:
- The controller synchronizes group information to all relevant devices on the network.
- A dedicated protocol is used to synchronize group information between devices.
- User traffic carries group information and is sent to other devices.
When the third synchronization method is used, user group information is carried in VXLAN packet headers. The procedure is as follows:
- When a user goes online, a controller delivers the mapping between the user and security group to the user gateway.
- After receiving a user packet, the user gateway adds security group information to the packet before forwarding it.
- The destination gateway identifies the resource or user (in a different security group) that the user wants to access, looks up the mutual access policy in the policy matrix using the security group carried in the packet and the security group of the destination, and then enforces that policy.
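The following Python model is an added illustration, not code from Huawei or the controller product. It applies the group priority rule from the previous section (dynamic > push > static > emergency, with emergency bindings used only while the IP-GROUP channel is down, and dynamic mappings valid only while the user is online) and then performs the policy-matrix lookup described in the procedure above. The group names, IP ranges, and the default deny for a pair not listed in the matrix are assumptions of the example.

```python
from ipaddress import ip_address, ip_network

# Priority order from the page, highest first: dynamic > push > static > emergency.
PRIORITY = ["dynamic", "push", "static", "emergency"]

class GroupResolver:
    """Models how a policy enforcement point maps one IP address to one security group."""
    def __init__(self, ip_group_channel_up=True):
        self.channel_up = ip_group_channel_up  # state of the IP-GROUP channel to the controller
        self.online = {}     # ip -> (group, "dynamic"|"push"); valid only while the user is online
        self.static = []     # (network, group) bindings configured by the administrator
        self.emergency = []  # (network, group) bindings that apply only when the channel fails

    def bind_resource(self, cidr, group, emergency=False):
        (self.emergency if emergency else self.static).append((ip_network(cidr), group))

    def user_online(self, ip, group, kind="dynamic"):
        self.online[ip_address(ip)] = (group, kind)

    def user_offline(self, ip):
        # Logout cancels the association; nothing persists for this IP.
        self.online.pop(ip_address(ip), None)

    def candidates(self, ip):
        """All (kind, group) memberships an IP currently has, from every source."""
        ip = ip_address(ip)
        found = []
        if ip in self.online:
            group, kind = self.online[ip]
            found.append((kind, group))
        found += [("static", g) for net, g in self.static if ip in net]
        if not self.channel_up:
            found += [("emergency", g) for net, g in self.emergency if ip in net]
        return found

    def resolve(self, ip):
        """Pick the single effective group: the candidate with the highest priority."""
        found = self.candidates(ip)
        if not found:
            return None
        return min(found, key=lambda kg: PRIORITY.index(kg[0]))[1]

def lookup_policy(matrix, src_group, dst_group, default="deny"):
    """Policy-matrix lookup keyed on (source group, destination group).
    Denying an unlisted pair by default is an assumption of this example."""
    return matrix.get((src_group, dst_group), default)
```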