Issue 01
Date 2014-12-01
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not
be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all
statements, information, and recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
8 Management Security
8.1 Log Management
8.1.1 Log Type
8.1.2 Log Backup
8.1.3 Log Format
8.2 Account and Password Security
8.2.1 Account and Default Password
8.2.2 Password Encryption and Changing Principles
8.3 Rights- and Domain-Based Management
8.4 Role-Based Management
8.5 Certificate Snap-ins
8.5.1 Communication Certificate Snap-ins Between Components
8.5.2 Unified O&M and Auditing
poor usability and extensibility and cannot fundamentally resolve the security problems, so these solutions are not widely used.
To address the security problems of traditional office desktops, transformation of the IT architecture is crucial, and desktop cloud is currently the best method. Desktop cloud separates terminals from information and stores data in the back-end data center (centralized computing, storage, and network) instead of on the various thin clients (TCs). Only encrypted screen images are sent to terminals, which greatly reduces the risk of data leakage from PCs.
2.1 Overview
As a new method of providing computing resources, desktop cloud features high security, convenience, and cost effectiveness. However, users also have doubts about the security of the cloud computing system. Therefore, cloud computing must ensure the confidentiality, integrity, and availability of user data and resources. This document analyzes the security risks and threats of cloud computing and introduces the countermeasures of Huawei's secure and reliable desktop cloud solution.
Data in terminals and data centers faces confidentiality and integrity threats. Sensitive information, such as passwords, can be stolen. Screen display packets can be intercepted and parsed to obtain critical information.
Traditional network security still faces challenges.
Threats and challenges brought by virtualization technologies
Security threats are posed to the Hypervisor, which is a core component of virtualization.
The Hypervisor works as follows:
Receives commands from the central processing unit (CPU) and transfers them to hardware controllers and peripherals.
Coordinates the allocation of all resources.
Works as the core of virtualization and runs at the highest privilege level (even higher than that at which the operating system runs).
Once the Hypervisor is compromised, all virtual machines (VMs) running on it are completely exposed to attack.
Resource sharing poses security risks.
Resource sharing among many users poses the following security risks:
User data may leak because of inadequate isolation.
Users may be attacked by other users within the same physical environment.
The virtualization capability of network firewalls or intrusion prevention systems (IPSs) may be insufficient. As a result, static network partitions and the isolation model cannot meet the requirements of dynamic resource sharing.
The change of network isolation mode creates a security loophole.
Logical isolation replaces physical isolation, creating a security loophole on the enterprise network. Generally, an enterprise network uses high-security measures such as physical isolation to ensure information security between organizations or departments at different security levels. Cloud computing isolates enterprises, and the organizations or departments inside an enterprise, only logically.
Malicious network traffic between VMs can evade auditing.
VMs on the same physical host and in the same VLAN can communicate directly inside the host without the traffic passing through the external network. Hence, the existing network supervision and audit system cannot monitor this traffic.
Data security threats
Residual data security threats
After VMs or disks are deleted, the released storage space is allocated to other users. If no security measure is applied to the data, other users can recover the original data with data recovery methods.
Reuse of memory, or residual memory, also causes data security threats.
Data is concentrated in the data center, which makes it easier for an administrator to spy on the data by certain methods.
Migration of physical disks may also cause data leakage.
VM terminal security threats
Traditional security threats still exist.
Viruses and Trojan horse malware are still traditional threats to data security. The antivirus system and OS security patches should be updated in real time.
Data leakage on VMs
Network security
Network plane isolation, firewalls, security access gateway, and data transfer encryption
are used to ensure the security of service operation and maintenance.
Virtualization security
Virtual machines (VMs) are isolated from each other based on the virtualization
mechanism.
Data security
The integrity and confidentiality of user data are ensured by user authentication, data
access control, and data encryption.
Management security
The management security is ensured using user accounts, passwords, administrator and
user permissions, and logs.
Infrastructure security
The infrastructure security is ensured by hardening the system and database and installing patches.
User VM security
The VM security is ensured by functions such as network access control, staff activity
monitoring, patch management, and software distribution.
3 Terminal Security
3.1 TC Security
3.1.1 Overview of TC Security
The TC hardware and software designs use various security mechanisms to prevent virus
attacks. TCs provide the following security mechanisms:
Hardware security
BIOS security
OS security
3.1.4 OS Security
TCs run a simplified and offline Linux, WES7, or XPe OS that implements the following security mechanisms:
Prohibits use of USB storage devices.
The TC OS prohibits the use of USB storage devices such as USB disks and USB flash drives at the driver layer.
Prohibits direct access to internal memory.
Users can access the internal memory only indirectly, through programs provided by the TC, and cannot access it directly through an interface. This effectively prevents system files from being damaged.
Prohibits unauthorized software installation.
Software cannot be installed on a TC locally. To install a software package on a TC, users must first send the software package to the Thin Client Management (TCM) system. To ensure that only authorized software can be installed on a TC, the following security requirements must be met:
Only TCM administrators can install software on a TC.
The TCM recognizes only software packages in a customized proprietary format.
After a TC receives a software package from the TCM, it verifies the integrity of the package locally. If the software package has been modified or has not been authenticated, the TC does not install it.
Restricts use of ports.
To prevent attacks, TCs open only the local ports required to communicate with the TCM; other ports are not used.
Blocks viruses.
Viruses spread through storage devices and networks. A TC provides neither an environment in which viruses can run nor channels through which they can spread.
1. When users log in to the WI, the TC sends the user name, domain name, and MAC address to the desktop cloud system to check whether the user has been bound to the TC.
2. If the information matches the binding information saved in the ITA, the system continues with the AD authentication and login process. Otherwise, the login is banned.
3. Users log in to the VM successfully.
Method Two: Imported in batches
Users that are bound to a fixed TC can log in to the VM only over the bound TC.
[Figure: user login flow; components shown: VM and AD; step 2 is domain account authentication]
Figure 1-6 Authentication for USB key non-single sign-on (SSO) login
[Figure: components shown: WI, AD, OTP Server]
1. The user enters the domain account, password, and dynamic password, and then clicks login.
2. The WI sends the domain password to the AD and then sends the dynamic password to the OTP server if the AD authentication succeeds.
3. After the authentication succeeds, the user can see the VM list.
4. Click the icon of one VM and click login to log in to the VM.
SMS-based dynamic password authentication: A mobile phone is used to receive the dynamic password. The administrator registers the user account and mobile phone number in advance on the dynamic password authentication server. The user enters the domain password when logging in to the WI. After the password is authenticated, the WI sends the domain account information to the server; the server then generates a dynamic password and sends it to the registered mobile phone. The user enters the password in the WI within the required time. After the dynamic password is authenticated, the WI sends the VM list to the user.
[Figure: SMS-based dynamic password authentication; components shown: WI, AD, OTP Server]
1. The user enters the domain account and password and then clicks the icon for obtaining the dynamic password.
2. The WI sends the domain password to the AD and then requests a dynamic password from the OTP server if the AD authentication succeeds.
3. The OTP server creates a dynamic password and sends it to the user's cell phone over the SMS gateway. The user enters the dynamic password and clicks login.
4. The WI sends the domain password to the AD and then sends the dynamic password to the OTP server if the AD authentication succeeds.
5. A VM list is displayed. Click one VM to log in to the VM.
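The user-to-TC binding check and the SMS dynamic password flow above, modelled as an added example that is not FusionAccess code: the binding table, AD passwords, phone numbers, the 120-second validity window and the single-use rule for codes are all constructed assumptions.

```python
# Constructed model of the user-to-TC binding check and the SMS dynamic-password
# flow described above (WI -> AD -> OTP server -> SMS gateway). Binding table, AD
# passwords, phone numbers and the validity window are constructed sample values.
import hmac
import secrets

OTP_VALIDITY_SECONDS = 120   # assumed "required time" window for the SMS code
ITA_BINDINGS = {("alice", "corp.example"): "00:11:22:33:44:55"}  # (user, domain) -> bound TC MAC
AD_PASSWORDS = {("alice", "corp.example"): "pw-alice"}           # stand-in for the AD
OTP_PHONES = {("alice", "corp.example"): "+10000000001"}          # registered on the OTP server

def _key(user, domain):
    return (user.lower(), domain.lower())
def binding_check(user, domain, mac):
    """A user bound to a TC may log in only from that TC; unbound users are not restricted."""
    bound = ITA_BINDINGS.get(_key(user, domain))
    return bound is None or bound.lower() == mac.strip().lower()

def ad_check(user, domain, password):
    return AD_PASSWORDS.get(_key(user, domain)) == password
class OtpServer:
    """Issues one-time codes tied to an account and an issue time; each code verifies once."""
    def __init__(self):
        self.issued = {}        # account key -> (code, issued_at)
        self.sms_outbox = []    # (phone, code) handed to the SMS gateway
    def issue(self, user, domain, now):
        key = _key(user, domain)
        if key not in OTP_PHONES:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued[key] = (code, now)
        self.sms_outbox.append((OTP_PHONES[key], code))
        return True
    def verify(self, user, domain, code, now):
        entry = self.issued.pop(_key(user, domain), None)   # single use: gone after first attempt
        if entry is None:
            return False
        issued_code, issued_at = entry
        return 0 <= now - issued_at <= OTP_VALIDITY_SECONDS and hmac.compare_digest(issued_code, code)

def wi_request_otp(otp, user, domain, mac, password, now):
    """Steps 1-3: binding check, AD password check, then the OTP server sends the SMS."""
    if not binding_check(user, domain, mac):
        return "binding_rejected"   # login is banned before the AD is consulted
    if not ad_check(user, domain, password):
        return "ad_failed"
    return "sms_sent" if otp.issue(user, domain, now) else "no_phone"

def wi_login(otp, user, domain, mac, password, code, now):
    """Steps 4-5: AD password check again, then the OTP server checks the code; VM list on success."""
    if not binding_check(user, domain, mac):
        return "binding_rejected"
    if not ad_check(user, domain, password):
        return "ad_failed"
    return "vm_list" if otp.verify(user, domain, code, now) else "otp_failed"
```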
5 Network Security
[Figure: network security architecture; planes: service plane, management plane, storage plane; components shown: terminal user, cloud computing terminals, administrator, TCM, NetScaler, firewalls, VNC GW, WI, HDC, ITA, License, DB, Loggetter, WSUS, user area with user VMs, FusionCompute, FusionManager]
The Huawei FusionCloud Desktop Solution adopts the security group capabilities of the cloud platform
to implement the security group function. If virtual desktops require security groups, FusionManager is
used to provision VMs, and FusionAccess is used to manage the VMs.
6 Virtualization Isolation
The Hypervisor isolates VMs running on the same physical machine to prevent data theft and
malicious attacks. Users can only use VMs to access resources belonging to their own VMs,
such as hardware and software resources and data. Figure 1-9 shows the VM isolation.
6.1.1.3 Virtual Memories of Different VMs Are Isolated from Each Other
The VM uses memory virtualization technology to virtualize the physical memory and isolate virtual memory. This technology introduces an additional address concept, the guest physical address, between the existing guest virtual addresses and the machine addresses. The OS on a VM translates a virtual address into a guest physical address. The Hypervisor then translates the guest physical address into a machine address and issues the access to the physical server.
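The two-stage translation above, as an added model that is not FusionCompute code: the guest OS owns only the virtual-to-guest-physical stage, while the Hypervisor owns the guest-physical-to-machine table and assigns each VM disjoint machine frames. Page size, frame numbers and the class names are constructed assumptions.

```python
# Constructed model of the two-stage address translation described above: the
# guest OS maps a virtual address to a guest physical address, and the Hypervisor
# maps that to a machine address using a per-VM table it alone maintains. Page
# size, frame numbers and mappings are constructed values, not FusionCompute internals.
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1

class Hypervisor:
    def __init__(self, machine_frames):
        self.free = list(machine_frames)   # machine frame numbers not yet assigned
        self.p2m = {}                      # vm_id -> {guest physical page -> machine frame}

    def create_vm(self, vm_id, guest_pages):
        """Back guest physical pages 0..guest_pages-1 with distinct free machine frames."""
        if len(self.free) < guest_pages:
            raise MemoryError("not enough machine memory")
        self.p2m[vm_id] = {gpn: self.free.pop(0) for gpn in range(guest_pages)}

    def destroy_vm(self, vm_id):
        """Return the VM's frames to the pool (scrubbing before reuse is not modelled here)."""
        self.free.extend(self.p2m.pop(vm_id).values())

    def translate_gpa(self, vm_id, gpa):
        """Second stage: guest physical -> machine. A page the VM was never given faults."""
        frame = self.p2m[vm_id].get(gpa >> PAGE_SHIFT)
        if frame is None:
            raise PermissionError(f"{vm_id}: guest physical page {gpa >> PAGE_SHIFT} not mapped")
        return (frame << PAGE_SHIFT) | (gpa & PAGE_MASK)

class GuestOS:
    def __init__(self, vm_id, hv):
        self.vm_id, self.hv = vm_id, hv
        self.page_table = {}               # virtual page -> guest physical page

    def map_page(self, vpn, gpn):
        self.page_table[vpn] = gpn         # the guest controls only this stage

    def translate(self, va):
        """First stage in the guest, then the Hypervisor's second stage."""
        gpn = self.page_table.get(va >> PAGE_SHIFT)
        if gpn is None:
            raise LookupError("guest page fault")
        return self.hv.translate_gpa(self.vm_id, (gpn << PAGE_SHIFT) | (va & PAGE_MASK))

def frames_overlap(hv, vm_a, vm_b):
    """Isolation check: two VMs must never be backed by the same machine frame."""
    return bool(set(hv.p2m[vm_a].values()) & set(hv.p2m[vm_b].values()))
```

Two guests that map the same virtual and guest physical page land on different machine frames, and a guest that names a guest physical page it was never given faults in the Hypervisor rather than reaching another VM's memory.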
The system performs bit- or byte-based verification on data stored on disks and distributes the verification information across the disks in a disk array. During distribution, the system ensures that a data block and its verification information are stored on different disks. In this way, after a disk fails, the damaged data can be reconstructed from the other data blocks and the corresponding verification information.
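The scheme above, as an added example that is not the product's own storage code: XOR parity serves as the bitwise verification information, the parity block rotates so it never shares a disk with that stripe's data, and a block on a failed disk is rebuilt from the survivors. Block size and disk count are constructed values.

```python
# Constructed example of the disk verification scheme described above: each
# stripe's data blocks get an XOR parity block stored on a different disk, and a
# block lost with a failed disk is rebuilt from the surviving blocks plus parity.
BLOCK = 4   # bytes per block (tiny for readability; a constructed value)

def xor_blocks(blocks):
    """Bitwise XOR of equally sized blocks: the verification information."""
    out = bytearray(BLOCK)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

class DiskArray:
    def __init__(self, n_disks):
        if n_disks < 3:
            raise ValueError("need at least 2 data disks plus parity")
        self.n = n_disks
        self.disks = [[] for _ in range(n_disks)]   # disk -> list of blocks, one per stripe
        self.failed = set()

    def parity_disk(self, stripe):
        """Rotate the parity slot so no single disk holds all verification information."""
        return (self.n - 1 - stripe) % self.n

    def write_stripe(self, data_blocks):
        """data_blocks: n-1 blocks of BLOCK bytes; parity goes to the rotating slot."""
        if len(data_blocks) != self.n - 1 or any(len(b) != BLOCK for b in data_blocks):
            raise ValueError("stripe must contain n-1 blocks of BLOCK bytes")
        pd = self.parity_disk(len(self.disks[0]))
        data = iter(data_blocks)
        for d in range(self.n):
            self.disks[d].append(xor_blocks(data_blocks) if d == pd else next(data))

    def fail_disk(self, d):
        self.failed.add(d)

    def read_block(self, stripe, disk):
        """Return the block; if its disk failed, rebuild it from the other disks."""
        if disk not in self.failed:
            return self.disks[disk][stripe]
        others = [self.disks[d][stripe] for d in range(self.n)
                  if d != disk and d not in self.failed]
        if len(others) != self.n - 1:
            raise IOError("more than one disk lost in this stripe; cannot rebuild")
        return xor_blocks(others)   # XOR of survivors and parity yields the lost block

    def read_stripe_data(self, stripe):
        """Data blocks in logical order, skipping the parity slot."""
        pd = self.parity_disk(stripe)
        return [self.read_block(stripe, d) for d in range(self.n) if d != pd]
```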
8 Management Security
Table 8-1 Principles for encrypting, setting, and changing passwords for accounts
Item: Initial password setting
Principles: The default password must be changed when the system is logged in to for the first time. For details about how to change the password, see the associated account password changing guide. The password is set according to the password policy.
Item: Password encryption
Principles: All passwords are encrypted before they are stored. Passwords are not displayed in plain text.
Item: Password changing
Principles: Only authenticated users can change passwords. Old passwords must be verified before they are changed. After the password validity period expires, the system requires users to change their passwords when they log in. Administrator passwords must be changed at least once every 180 days.
Item: Password policy changing
Principles: A password policy table is generated during system installation. Only the system administrator has permission to modify the password policy table. After the password policy table is modified, users can still log in to the system using passwords set according to the old password policy.
Domain-based management
Domain-based management allows the administrator to manage only resources assigned in its
domain.
For some large-scale enterprises or units, a second-level maintenance administrator is
assigned for each department or branch office. The first-level administrator divides the
management domains according to the enterprise organization structures and creates VMs
accordingly. The second-level administrator logs in to the desktop management system and
can only manage the VMs in its domain.
[Figure: domain-based management; elements shown: User A, Service system B, Service system C, centralized monitoring and audit]
9 Infrastructure Security
9.2 OS Security
9.2.1 Windows 2008 OS Security Hardening
In the Huawei FusionCloud Desktop solution, the AD, ITA, TCM, and log servers for FusionAccess are all deployed in VMs that run Windows Server 2008 R2. To ensure the security of these VMs, basic OS security hardening is required. The OS is hardened in the following aspects:
System installation
Legal copies of the OS installation software are installed on VMs. System software and application software are installed on different disks. System patches are installed in a timely manner. BIOS passwords can be set. The file system uses the NTFS format.
Account password
Strong account passwords are used and changed periodically.
System service
Use of the remote access service is not allowed. Use of unnecessary ports is prohibited.
Security auditing
The maximum size of the security log is configured to prevent important log entries from being overwritten. Successful and failed user logins are audited.
File system
Important system files are protected and assigned a high security level. Registry permissions are controlled. System file integrity is verified.
System access control
Default shares are deleted. The system cannot be shut down before a successful login.
System kernel
To improve security configuration efficiency, the Huawei desktop cloud solution provides the SetWin tool and execution scripts to harden OS security quickly.
9.4 Antivirus
9.4.1 Antivirus Software for Cloud Computing Platform
Components
Infrastructure VM
A hardened Linux system is used for the WI, HDC, License server, and VRM to reduce the threat of virus infection, so no antivirus software is required.
Deploy Trend Micro antivirus software on the Windows Server 2008 ITA VMs to protect the infrastructure VMs from viruses, with scheduled tasks for virus scanning and removal.
If a customer does not use Trend Micro antivirus software but uses other antivirus software, that software must pass Huawei's compatibility test.
Computing node and storage node
Antivirus software does not need to be deployed, for the following reasons:
The computing nodes and storage nodes run the hardened Linux OS.
The computing nodes and storage nodes are in a closed network and do not provide an external operation platform.
360 antivirus
Norton antivirus
McAfee antivirus
Symantec antivirus software
The preceding antivirus software products have passed Huawei's compatibility tests and are therefore recommended for installation. To prevent antivirus storms caused by simultaneous disk virus scanning and client updates, users are advised to use software versions optimized for virtual environments, such as Symantec SEP 12.1 or later, or the network version of Rising Antivirus optimized for virtual environments.
10 User VM Security
Huawei's desktop cloud solution systematically prevents unauthorized users and malicious system administrators from accessing the desktop cloud data center.
That is, unauthorized users cannot access the system. Even if an unauthorized user gains access to the system, the user cannot copy data or read confidential data. The system logs all operations of the unauthorized user so that the user can be held accountable for them. In addition, system data and user data are protected by encryption and data redundancy mechanisms.