Introduction to Terminal Security and the SACG

The terminal security concept is a supplement to the concept of common firewalls defending against the extranet security risks to prevent increasing potential intranet security risks.

With the development of networks and the prevailing of firewall devices, the main source of the network security risks among enterprises is changed from the extranet to the intranet, including:

• Illegitimate terminals and unauthorized terminals access the service system in the following cases:

  • Non-private terminal devices access the intranet.
  • Illegitimate users adopt the devices of the enterprise to access the intranet.
  • Legitimate users access unauthorized network resources.

• Insecure terminals spread viruses.

• Terminals are of a large number, systems are complex, and employee violations cannot be monitored.

The SACG interworking solution is proposed to solve the previous problems. The SACG interworking solution divides the network into the following domains:

• User domain

  Including all terminal devices accessing the intranet, for example, desktops, laptops, and personnel on business trip, regional offices, and partners adopting the Internet for access.

• Network domain

  The network domain comprises network devices for traffic forwarding. It bears service traffic, and interconnects networks. The SACG is deployed in this domain

• Pre-authentication domain

  The pre-authentication domain can be accessed by terminal devices before authentication is complete. The domain mainly implements authentication, authorization, policy management, and patch delivery on terminals and users. Most components of the SACG interworking solution are deployed in this domain.

• Controlled domain

  The controlled domain can be accessed by terminals after authentication is complete. Controlled domains are divided into the following types:

  • Isolation domain

    Isolation domain can be accessed by terminal hosts that pass identity authentication but not the authorization. Generally, the resources (for example, the patch server and anti-virus server) that can help terminal users mitigate potential security risks are deployed in this domain.

  • Post-authentication domain

    The core resources of an enterprise are deployed in its post-authentication domain. Therefore, terminals and users can access the security zones corresponding to their permissions only after passing authentication and authorization.

Figure 1 shows the typical networking diagram of the SACG interworking solution.

Main working procedure of the SACG interworking solution is as follows:

1. The terminal accesses the network and initiates an authentication request.
2. The SACG forwards the received authentication request to the Service Controller of the server. In addition, the SACG prohibits the terminal that does not pass authentication and authorization from accessing the post-authentication domain.
3. The Agile Controller system implements the check on permissions and terminal security. If security vulnerabilities exist on the terminal, the Agile Controller system grants the device the permission of accessing the isolation domain, so that the terminal can download the patch or virus library. After security vulnerabilities are repaired, the Agile Controller system determines whether to allow the terminal to access the post-authentication domain and which post-authentication domain to be accessed.
4. The Agile Controller system delivers the access control policy that is generated for the terminal to the SACG.
5. The SACG generates the corresponding forwarding policy according to the received policy, to detect whether allow the related terminal device accesses the post-authentication domain through the SACG or not.