Alcatel-Lucent Security Management Server (SMS)
Tiered Model
Overview
The SMS is installed in a central location, with logical access to all Brick devices via
an IP network. The SMS is accessed by administrators using a built-in utility called
Navigator. SMS can also be accessed remotely using the SMS Remote Navigator, an
included component, which may be downloaded from the SMS via HTTP/S and
installed locally on multiple management workstations. SMS Remote Navigator
provides the full functionality of the SMS Navigator.
Once the SMS Remote Navigator is installed on a user's workstation, that software can
access different SMS servers.
Firewall administrators use the SMS Navigator to control all aspects of every Brick
device in the system, ranging from IP addresses and VLAN information all the way to
firewall policy and VPN tunnels. No other mechanism is necessary; the SMS Navigator
provides full and complete access to all aspects of Brick device management.
Levels of administrative control
To promote the efficient management of Bricks, policies, tunnels, and users on a local
basis, the SMS allows an administrator to organize the entire constellation of managed
objects into separate groups, and then to further subdivide objects within a named
group into folders and subfolders. Some objects can be made globally visible to all
other groups.
Groups can be administered by both SMS Administrators and Group Administrators.
SMS Administrators have full privileges over all groups, which means they can access
all folders in all groups and make any additions, modifications, or deletions they deem
necessary.
Group Administrators, on the other hand, can only access the specific groups to which
they are assigned. In addition, Group Administrators can be given three levels of
privilege over the folders in their groups: None, View and Full.
This means that multiple Group Administrators can be created for a group, each with
different privileges, to administer different aspects of the group's operations. For
example, one Group Administrator could have Full privileges over devices, but only
View privileges over policy, while a second Group Administrator could have View
privileges over devices and Full privileges over policy.
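The tiered model described above can be expressed as a small privilege resolver. This is an added example, not SMS code: the names (Admin, effective_privilege, the "east"/"west" groups, "alice"/"bob"), the mapping of View and Full to "view" and "modify" actions, and the deny-by-default rule for folders with no explicit grant are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Privilege(IntEnum):
    NONE = 0   # folder is not accessible
    VIEW = 1   # read-only
    FULL = 2   # additions, modifications, deletions

# Privilege each action needs (assumed mapping of the three levels to actions).
REQUIRED = {"view": Privilege.VIEW, "modify": Privilege.FULL}

@dataclass
class Admin:
    name: str
    is_sms_admin: bool = False
    # group name -> {folder name -> Privilege}; only used for Group Administrators
    grants: dict = field(default_factory=dict)

def effective_privilege(admin, group, folder):
    """Resolve the privilege an administrator holds on one folder of one group."""
    if admin.is_sms_admin:
        return Privilege.FULL        # SMS Administrators: full over all groups
    if group not in admin.grants:
        return Privilege.NONE        # Group Administrator not assigned here
    # Assumption: a folder with no explicit grant defaults to NONE (deny).
    return admin.grants[group].get(folder, Privilege.NONE)

def is_allowed(admin, group, folder, action):
    """True if the administrator's privilege is sufficient for the action."""
    return effective_privilege(admin, group, folder) >= REQUIRED[action]

def access_matrix(admins, groups):
    """Audit view: {(admin, group, folder): privilege name} for review."""
    return {
        (a.name, g, f): effective_privilege(a, g, f).name
        for a in admins for g, folders in groups.items() for f in folders
    }

# Constructed sample data mirroring the two Group Administrators in the text.
GROUPS = {"east": ["devices", "policy"], "west": ["devices", "policy"]}
ROOT = Admin("root", is_sms_admin=True)
ALICE = Admin("alice", grants={"east": {"devices": Privilege.FULL, "policy": Privilege.VIEW}})
BOB = Admin("bob", grants={"east": {"devices": Privilege.VIEW, "policy": Privilege.FULL}})

if __name__ == "__main__":
    for key, priv in sorted(access_matrix([ROOT, ALICE, BOB], GROUPS).items()):
        print(key, priv)
```

Printing the matrix for every administrator and group gives a reviewable record of who holds Full over which folders, which is the check to run before adding another Group Administrator to a group.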
Concurrency control
The SMS application is a carrier-grade centralized management system capable of
managing a large number of objects (Bricks, zone rulesets, Host groups, tunnels,
service groups, and so forth). The group-based model allows the creation of multiple
2-2
260-100-022R9.4
Issue 1, June 2009