Chapter 4 Ead Configuration; Ead Overview; Ead Network Applications - Huawei Quidway S3500 Series Operation Manual

Operation Manual - Security
Quidway S3500 Series Ethernet Switches

Chapter 4 EAD Configuration

Note:
For the S3500 series, EAD feature is supported on the S3552G, S3552P, S3528G and
S3528P.

4.1 EAD Overview

Endpoint admission defense (EAD) solution monitors data accessed at endpoints, to
enhance active defense capacity of user clients and control spread of viruses and
worms inside the network. The solution also can prevent security threats from insecure
clients by limiting their access rights.
EAD solution requires cooperation of the switch, AAA server, security policy server and
security client to implement security condition evaluation and dynamic access control
on user devices.
When EAD solution is enabled, the switch determines if a session control packet
received is valid through its source IP address (only the packets received from the
authentication server and security policy server are considered valid). The switch then
dynamically adjusts the VLAN, rate, packet scheduling priority and ACL settings on the
target client based on the instructions in the session control packet.

4.2 EAD Network Applications

EAD solution forces to check the security condition of user clients before they access
the network, and forces to perform access control policies according to check results.
So it can separate insecure users and force users to upgrade the virus database and
install system patches. The typical network application is illustrated in Figure 4-1.
Huawei Technologies Proprietary
4-1
Chapter 4 EAD Configuration