
Secospace TSM


Product Overview
With the expansion of the network scale of enterprises and organizations, multiple access points such as branches, mobile users, and guests are added to the network. Thus, the network vulnerabilities at each layer of the network increase greatly. Professional interest-driven hackers attack the terminals of the enterprise and access the key resources to intrude the core services of the system. In this way, data is intercepted or damaged, the core services are interrupted, and malicious code is spread, and the services and reputation of the enterprise are affected greatly.

Based on the comprehensive security evaluation of terminals and unified terminal configuration, the Huawei Secospace terminal security management (TSM) system actively evaluates the security statuses of terminals before they access the network, constructs the role-based network access mechanism, and repairs the system vulnerabilities of the insecure terminals. In this way, viruses are blocked, and a complete, simple, and easy-to-manage terminal security environment is constructed for the enterprises and organizations.

In-depth defense: By combining the terminal layer, network layer, and application layer, an in-depth defense system is formed, and a complete security defense line is constructed for the enterprises and organizations. To be specific, the TSM actively evaluates terminal statuses at the terminal layer, cooperates with the security access control devices at the network layer to implement the role-based access control, and implements the patch and asset management at the application layer to block risks, thus effectively improving the capability against risks.

Unified deployment: To defend against increasingly complex security attacks, enterprises need to deploy multiple types of terminal management products; however, these products are not associated with each other and are difficult to deploy on a network in a centralized manner. In this case, the procurement cost is high, and the network architecture is complex and difficult to maintain. To cater to the requirement for simplifying IT solutions, the TSM provides an integrated terminal security management solution for enterprises by combining network access control, security policy management, staff behavior management, patch management, asset management, and software distribution. It reduces the total cost of ownership (TCO) for terminals and reduces the deployment complexity.

Comprehensive protection: Internal information security management is a systematic project, which takes the security regulations, technologies, process, and management into consideration. The TSM focuses on the security policy and enhances the continual PDCA defense process of checking, quarantining, monitoring, and remediation. It offers a comprehensive security management and protection solution for intranet terminals and continually increases the information security level of organizations.

[Figure: access control process. Stages: ID authentication, security policy check, recovery, authorization, monitoring, response, audit. Users: remote employees, on-site employees, visitors, illegal users. Resources: sensitive information resources, core information resources, general information resources, external resources. Captions: preventing unauthorized users; isolating and repairing untrusted users; authorizing users' access range; providing audit results of behavior monitoring.]


Major functions:
• The TSM provides the network security access control function, that is, the TSM detects and controls the access of the internal staff, guests, and partners, thus preventing unauthorized users and insecure terminals from accessing the intranet. In addition, it authorizes users to access the intranet resources according to users' identities.
• The TSM provides the terminal security baseline management function, that is, the TSM configures the security baseline of terminals in a centralized manner, comprehensively evaluates the terminal statuses, and isolates and repairs the insecure terminals to increase terminals' security protection level, thus ensuring enterprise network security.
• The TSM provides user behavior management, that is, the TSM audits and controls the terminal users' behaviors that violate the enterprise management system, such as illegitimate external connections, peripherals of computers, and network access behaviors, thus avoiding malicious attacks on the network, regulating the use of IT resources, and improving network efficiency.
• The TSM provides the intelligent and efficient patch and software distribution function, detects system vulnerabilities, reduces bandwidth usage to the maximum extent, helps terminals to update patches in time, and repairs system vulnerabilities.
• The TSM provides enterprises with the asset security auditing function, that is, the TSM dynamically collects software and hardware asset information of the enterprises, traces enterprises' asset changes, and helps administrators to comprehensively understand the asset status, thus improving the IT management capability of the enterprises.

Product Functions
Function groups of the Secospace TSM Terminal Security Management Solution:

Security access control
• SACG mode
• 802.1x access control mode
• Access control mode based on host firewall
• AD/LDAP/CA cooperated authentication
• Agent client
• Non-agent Internet Explorer control

Security policy check
• Cooperated anti-virus software check
• Patch check of the OS, IE, and Office
• Host security check such as system accounts and registries
• Check of the shared files and printer
• One-click intelligent repair

User behavior auditing
• Network behavior management
• Peripheral management
• USB device monitoring
• Illegitimate external connection management
• ARP defense
• Network traffic monitoring
• Process and service monitoring

Patch management
• WSUS cooperation
• Customized patch distribution policy
• Patent-based quick and efficient patch distribution
• Patch filtering
• Patch statistics report

Software distribution
• Software distribution tasks based on time period
• Resumable download and integrity check
• Automatic-run of files
• Detailed report of distribution status

Asset management
• Registering assets
• Asset lifecycle management
• Asset information statistics
• Software license management
• Asset change notification
• Server platform monitoring
• Notification and remote assistance function


Product Features
Supports multiple access control modes to satisfy the requirements on the access control in different application scenarios.
• Supports the carrier-class hardware security access control gateway (SACG). The SACG provides highly reliable access control for terminals at the network layer. Besides excellent performance, the SACG is easy to deploy and maintain and supports a maximum of 40,000 concurrent users.
• Supports the 802.1x control mode. The TSM supports terminal-based security access control and switches of mainstream manufacturers in the industry, thus ensuring network access security.
• Supports the host firewall access control mode. The solution is based on the host firewall and does not depend on any network device, thus implementing terminal-based security access control. This access control mode is easy to deploy and maintain, and the firewall blocks or quarantines the insecure terminals without SAs from accessing other terminals, thus reducing threats.

Supports diversified authentication modes for different scenarios.
The TSM supports authentication and authorization based on user names and passwords as well as the mainstream external authentication platforms such as AD, LDAP, and USBKey + digital certificate. The diversified authentication and authorization modes help the administrators configure and manage access users in a centralized manner, which dramatically reduces the cost for technical support and maintenance. In addition, the TSM provides the non-agent authentication mode based on the agent client and Internet Explorer. This mode flexibly meets the temporary access authentication requirements of guests and mobile customers.

Provides the role-based access control mode to ensure the security of core service systems of enterprises.
The TSM grants appropriate access permissions to different users including employees, guests, and partners, thus preventing the access of unauthorized terminals.

Provides powerful access and control between terminals to meet the requirements on quarantining terminals.
The TSM provides the mutual access control function and classifies security zones by terminals' permissions. Access between terminals in different security zones needs authorization, thus ensuring the access quarantine between terminals.

Provides the flexible security policy management that adapts to the security management policies of different enterprises.
The dynamic policy management mode based on templates allows you to flexibly and conveniently configure and expand policies, so that different users and departments can adopt different security policies at different times.

Provides abundant terminal security check policies to promote the general security baseline of terminals.
The TSM provides the most terminal security check policies in the industry and perfect system enhancement and protection solution, that is, the TSM comprehensively evaluates terminal status. These policies ensure terminal security and control as well as implementation of enterprise security strategies.

Provides continuous management of staff behaviors to ensure high network availability and efficiency.
The TSM provides various security policies for auditing online behaviors and software use. These policies are designed to audit and control the violation behaviors of employees. In this way, the employees' consciousness of security is strengthened and the IT resources of enterprises are used rationally.


Supports automatic patch management to repair the terminal vulnerabilities efficiently.
The TSM provides the policy-based patch distribution mechanism, that is, the patches can be distributed according to departments. In addition, the one-click automatic repair function is provided. The TSM actively collects the vulnerability information about the client and adopts Huawei patented subnet downloading technology to reduce the bandwidth usage to the maximum extent and repair the system vulnerabilities efficiently. The TSM provides a detailed patch report, so that the administrator can understand the status of patch distribution.

Provides complete lifecycle management of the asset and automatically collects asset status to ensure that assets are controllable and manageable.
The TSM provides complete lifecycle management of the asset, automatically collects the information about terminal software and hardware assets, and generates and exports asset status reports. In addition, the TSM tracks asset changes, and exports asset change reports, thus implementing information of asset management and ensuring that the assets are controllable and manageable.

Supports flexible and easy deployment to meet the requirements of complex network environments.
The TSM can be flexibly deployed in centralized or distributed mode. The SACG can be connected in direct mode or bypass mode and supports two-node cluster hot backup, which requires only a few modifications to the existing network.

Supports high reliability to ensure the service continuity for enterprises.
The TSM server provides load balancing and redundancy backup through the resource pool. The SACG provides a dedicated emergency channel. The server platform monitor tool is provided to monitor the running status of the server and gateways in real time, thus ensuring the high reliability of the system and service continuity of the enterprise.


Product Specifications
The Secospace TSM consists of the security agent (SA), security manager (SM), security controller (SC), and security access control
gateway (SACG).

[Figure: TSM component deployment. Labels: partner VPN access, external network, VPN gateway, SACG, core network, intranet, local SAs, pre-authentication domain (SM, SC, third-party anti-virus server, third-party patch server), quarantine domain, post-authentication domains 1 to 3.]

Component and description:

SA
Software: The SA is installed on the terminal host for assisting identity authentication and security check and for collecting the asset information and security status of the terminal. The SA uses a small amount of terminal and system resources. The CPU usage is about 2%, and the maximum memory usage is 15 MB.

SM
Software: The SM is the core of the TSM. It provides many service management functions including asset management, software distribution, patch management, log auditing, terminal security policy management, identity management, and reporting. The SM adopts the B/S architecture and enables the system administrator to manage the system through Web UI. The SM can be deployed in distribution mode. An SM can manage multiple SCs. The SM and SC compose the system server of the TSM.

SC
Software: The SC manages the SA based on the data configured by the SM. The SC implements the management functions of the SM. The SM sends the instructions and then the SC coordinates the related components to implement the instructions. After the user is authenticated by the SA, the SC sends instructions to the SACG to assign the access permission.

SACG
Hardware: As a network layer device, the SACG controls the network access permission of terminals and allocates different permissions to terminal users with different IDs and of different security statuses. SACGs are Huawei USG series products built on carrier-class hardware platforms. Different SACGs, such as USG 2130/2220/2250/5320/5330/5350/5360 are prepared for the scenarios with different numbers of concurrent users. The SACG can be deployed both in centralized and distributed mode, and it supports the two-node cluster hot backup.


Typical Networking

[Figure: typical networking. Labels: core server (SM, SC), Internet, remote user, border routers, SACG, pre-authentication domain, post-authentication domain, intranet, anti-virus server; Node A and Node B, each with an SC, SACGs, and SAs.]


The information contained in this document is for reference purposes only and does not constitute a warranty of any kind, express or implied. It is
subject to change or withdrawal according to specific customer requirements and conditions.
All the trademarks, pictures, and brands mentioned in this document are the property of Huawei Symantec Technologies Co., Ltd or their
respective holders.

Copyright ©2010 Huawei Symantec Technologies Co., Ltd. All rights reserved.

Version No.: M3-110019999-20100120-V-1.0
