Introduction to EAD; Typical Network Application of EAD; Chapter 2 EAD Configuration - Huawei Quidway S3900 Series Operation Manual

Operation Manual – AAA & RADIUS & HWTACACS & EAD
Quidway S3900 Series Ethernet Switches-Release 1510

Chapter 2 EAD Configuration

2.1 Introduction to EAD

Endpoint admission defense (EAD) is an attack defense solution that monitors endpoint
admission. It enhances the active defense ability of endpoints and prevents viruses
and worms from spreading on the network. EAD also protects the entire network by
restricting the access rights of hazardous terminals.

EAD requires cooperation between the switch, the AAA server, the security policy server
and the security client to evaluate the security compliance of endpoints and dynamically
control their access rights.

After EAD is implemented, the switch determines the validity of the packets it receives
according to their source IP address:

- Only packets sent from the authentication server and the security policy server
  are regarded as valid.
- The switch dynamically adjusts the VLAN, rate, packet scheduling priority and
  access control list (ACL) of the user terminal according to the session control
  packet, thereby controlling user access rights dynamically.

2.2 Typical Network Application of EAD

The EAD scheme checks the security status of the user and forcibly applies the user
access control policy according to the result. Non-compliant users are therefore
isolated and forced to upgrade virus database software and install system patches.
Figure 2-1 shows the typical network application of EAD.
Figure 2-1 The typical network application of EAD
[Figure: network diagram with the labelled components client, virus patch server, authentication server and security policy server]
Huawei Technologies Proprietary
