www.cisco.com/go/wireless/
CISCO STRUCTURED WIRELESS-AWARE NETWORK
A SOLUTIONS APPROACH TO WLAN
KOEN JACOBS – SYSTEMS ENGINEER – [email protected]
© 2003 Cisco Systems, Inc. All rights reserved.
CISCO WLAN EXTENDS THE MULTISERVICE NETWORK
Bringing Intelligent Services to WLAN
• Security
• QoS
• VLANs
• …
Sample Cisco IOS access point configuration shown on the slide:
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption key 1 size 40bit 7 7823F25A0AB8 transmit-key
 encryption mode wep mandatory
 !
 ssid tsunami
    authentication open
    guest-mode
 !
End-to-End IOS = End-to-End Intelligence!
Security in WLANs
• Still the number 1 concern!
• Wardriving & Warchalking are getting a lot of press
• Still many poorly protected WLANs
  SSID != Security
  MAC Filters
  802.11 Standard WEP
Credit: KNTV San Jose
Cisco Wireless Security Suite
Security in the Enterprise
No Security: No WEP and Broadcast Mode (Public Access)
Basic Security: Wi-Fi 40-bit, 128-bit, and Static WEP (Telecommuter and Small Business)
Enhanced Security: Dynamic Key Management System, Mutual Authentication, and 802.1x via EAP (Mid-Market and Enterprise)
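The WLSE feature list later in this deck includes "AP & bridge security misconfiguration detection and alerts". As an added example, not from the deck and not Cisco's code, here is a small Python checker that parses an Aironet-style interface Dot11Radio0 configuration and maps each SSID onto the three tiers above. The parser recognises only a handful of IOS access point commands (encryption mode, encryption key, broadcast-key change, ssid, authentication, guest-mode); the tier rules, the findings text and the three sample configurations are assumptions made for illustration, with the first sample modelled on the slide-3 snippet.

```python
"""Map Aironet-style radio configurations onto the deck's three security tiers.
Added example (not Cisco's code): the parser understands a small subset of IOS
access point commands; tier rules and sample configs are illustrative assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RadioConfig:
    encryption_mode: Optional[str] = None                      # e.g. "wep mandatory", "ciphers tkip"
    static_key_sizes: List[str] = field(default_factory=list)  # e.g. ["40bit"]
    broadcast_key_rotation: bool = False                       # "broadcast-key change <secs>" seen
    ssids: Dict[str, dict] = field(default_factory=dict)       # per-SSID auth settings


def parse_radio_config(text: str) -> RadioConfig:
    """Extract the security-relevant lines from one interface Dot11Radio block."""
    cfg = RadioConfig()
    current_ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("encryption mode "):
            cfg.encryption_mode = line[len("encryption mode "):]
            current_ssid = None
        elif line.startswith("encryption key "):
            m = re.search(r"\bsize\s+(\S+)", line)
            cfg.static_key_sizes.append(m.group(1) if m else "unknown")
            current_ssid = None
        elif line.startswith("broadcast-key change "):
            cfg.broadcast_key_rotation = True
            current_ssid = None
        elif line.startswith("ssid "):
            current_ssid = line.split(None, 1)[1]
            cfg.ssids[current_ssid] = {"auth": [], "guest_mode": False, "key_mgmt": None}
        elif current_ssid is not None:          # sub-commands of the current ssid
            s = cfg.ssids[current_ssid]
            if line.startswith("authentication key-management "):
                s["key_mgmt"] = line.split()[2]
            elif line.startswith("authentication "):
                s["auth"].append(line[len("authentication "):])
            elif line == "guest-mode":
                s["guest_mode"] = True
    return cfg


def classify(cfg: RadioConfig, ssid: str) -> Tuple[str, List[str]]:
    """Return (tier, findings) for one SSID, following the slide's three tiers."""
    s = cfg.ssids[ssid]
    findings: List[str] = []
    if s["guest_mode"]:
        findings.append("SSID is broadcast in beacons (guest-mode)")
    if cfg.encryption_mode is None:
        findings.append("no encryption configured on the radio")
        return "No Security", findings
    # "authentication network-eap ..." or "authentication open eap ..." means 802.1x/EAP
    if any(a.startswith("network-eap") or "eap" in a.split() for a in s["auth"]):
        dynamic_broadcast = (cfg.broadcast_key_rotation
                             or cfg.encryption_mode.startswith("ciphers")
                             or s["key_mgmt"] == "wpa")
        if not dynamic_broadcast:
            findings.append("802.1x/EAP without broadcast key rotation: broadcast WEP key stays static")
        return "Enhanced Security", findings
    findings.append("static WEP (%s) with open authentication, no 802.1x"
                    % (", ".join(cfg.static_key_sizes) or "no key size found"))
    return "Basic Security", findings


def audit(text: str) -> Dict[str, str]:
    """Tier per SSID: the summary a misconfiguration alert would carry."""
    cfg = parse_radio_config(text)
    return {ssid: classify(cfg, ssid)[0] for ssid in cfg.ssids}


# Constructed sample 1: modelled on the slide-3 snippet (static 40-bit WEP, open auth).
SAMPLE_STATIC_WEP = """\
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption key 1 size 40bit 7 7823F25A0AB8 transmit-key
 encryption mode wep mandatory
 !
 ssid tsunami
    authentication open
    guest-mode
 !
"""
# Constructed sample 2: no encryption at all, broadcast SSID.
SAMPLE_OPEN = """\
interface Dot11Radio0
 ssid public
    authentication open
    guest-mode
"""
# Constructed sample 3: 802.1x/EAP with TKIP and broadcast key rotation.
SAMPLE_EAP = """\
interface Dot11Radio0
 encryption mode ciphers tkip
 broadcast-key change 300
 !
 ssid corp
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
"""
```

Running audit() over the three samples yields Basic Security for the tsunami SSID, No Security for public and Enhanced Security for corp; classify() additionally returns the findings (guest-mode broadcast, static WEP with open authentication) that explain each verdict.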
Cisco Wireless Security Suite
www.cisco.com/go/aironet/security
Wireless LAN Security consists of three components
I. The Authentication Framework
The IEEE 802.1x authentication framework supports many authentication types & the link layer
II. The Authentication Algorithm
EAP Cisco Wireless (LEAP) and EAP-FAST support centralized, user-based authentication with the ability to generate dynamic WEP keys
The same holds for PEAP*, which additionally supports OTPs
III. The Encryption Algorithm = WEP for 802.11
Cisco was the first to augment WEP encryption through TKIP* (Temporal Key Integrity Protocol) - the same functionality is now part of WPA, under the name CKIP
Message Integrity Check (MIC) mitigates man-in-the-middle attacks
Per-Packet Keying mitigates WEP key derivation attacks, e.g. AirSnort
Broadcast Key Rotation
* 802.11i draft
Cisco Wireless Security Suite
The Complete Picture – Cisco Compatible Extensions (CCX)
• Built on Standards
• Optimized for Enterprise
• Broad Adoption
• Tested for Interoperability
[Diagram: Authentication = 802.1X; Encryption = WPA with TKIP or AES]
WPA = Wi-Fi Protected Access; TKIP = Temporal Key Integrity Protocol; AES = Advanced Encryption Standard; CCX = Cisco Compatible eXtensions
VLANs – Segmenting the WLAN
SSID Public: VLAN 2
SSID Voice: VLAN 3
SSID Private: VLAN 1
802.1Q VLAN trunk to wired network
• Static VLAN mapping via SSID, or dynamic VLAN assignment via policy server (RADIUS)
• Up to 16 VLANs
• Each VLAN can e.g. have a different security policy, in line with the user profile
• Support for 802.1p/Q VLANs for end-to-end integration
Supports any CCX client!!
Quality of Service
• Pre-standard implementation: downstream QoS, using EDCF – Enhanced Distributed Coordination Frame
• 802.11e will deliver upstream & downstream
CISCO SWAN
www.cisco.com/go/swan/
Cisco Structured Wireless-Aware Network
Providing Superior Wireless Security, Deployment, Management, and Mobility by INTEGRATING and EXTENDING Wireless Awareness into Key Elements of the Network Infrastructure - Servers, Switches, Routers, APs, and Clients
Cisco SWAN – Three Elements
• Cisco switches and routers with wireless-aware Cisco IOS® Software
• Aironet 1100/1200/1300 (Radios: 802.11b/g/a), WLSE 2.7, 802.1X AAA Server
• Cisco Aironet clients, Cisco Compatible (CCX) clients, Wi-Fi client adapters
Benefits: Fast Secure L3 Mobility, Centralized Policies, High Availability, Expanded security options, Granular Site Surveys, Simplified Deployment/Mgmt, Rogue AP Detection and Suppression
Cisco SWAN Minimizes WLAN TCO
Deployment: Optimized deployment of high-performance APs: Assisted Site Survey, “live” RF* readings
Management: Automated operations of APs (configs, FW, etc.) and RF* (coverage, interference, etc.)
Security: WPA for access control/authentication and data privacy, integrated WLAN IDS functionality, including rogue AP detection and suppression
Flexibility: Future switch/router enhancements for scalability, familiar interface, and fast secure L3 roaming
Support: Cisco warranties and support services; Cisco partnerships like CCX program
* RF = radio frequency = data transmissions in the air
Cisco SWAN Components
• Wireless Network Manager (WNM): CiscoWorks Wireless LAN Solution Engine (WLSE)
• Cisco Secure ACS
• Access Points, WDS-mode: Wireless Domain Services (WDS)
• Access Points, Infrastructure-mode: Infrastructure Access Points (registered with WDS)
• Client Cards: Cisco Clients; Cisco or Cisco Compatible Clients (version 2, CCX v2)
Wireless Domain Services
• Provides centralized software services on behalf of a L2 subnet (WLAN clients and APs)
• Currently supported on AP 1100/1200 & Bridge/AP 1300, and Catalyst 6500 WLSM – more switches/routers to follow
• Minimizes traffic across LAN/WAN
• WDS AP supports up to 30 infrastructure APs; 60 infrastructure APs in dedicated mode
• Features that leverage WDS:
  Fast Secure Roaming
  Radio Management/Monitoring - Rogue AP detection / Interference / …
  Local authentication
An Example – Rogue AP Detection
[Diagram: Network Core with NMS (WLSE Cluster) and WDS, Distribution and Access layers; access-layer APs produce radio measurements (RM). Two rogue APs are shown: one in the coverage areas of trusted APs, one outside the coverage areas of trusted APs.]
An Example – Rogue AP Detection
[Diagram: same topology; NMS (WLSE Cluster), WDS with RM aggregation (RM-Agg), Distribution, Access-layer APs sending RMs, two rogue APs.]
1. Radio measurements (RMs) are sent to WDS
2. WDS aggregates and condenses RMs
3. WDS forwards RM aggregation to WLSE
4. WLSE generates reports, alerts, etc.
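The four numbered steps above describe the detection pipeline. As an added example, not part of the deck and not Cisco's software, here is a Python sketch of steps 2 and 4: a WDS-style aggregation of per-AP radio measurements, followed by a WLSE-style comparison of every BSSID heard against the inventory of APs registered with WDS. The RM record layout, the BSSIDs and SSIDs, the RSSI threshold used to decide whether a rogue sits inside the coverage area of trusted APs, and the severity rules are all constructed assumptions.

```python
"""Rogue AP detection pipeline: per-AP radio measurements (RMs) are condensed by
WDS, then WLSE compares them with the registered AP inventory and raises alerts.
Added example with constructed data; record layout, threshold and severity rules
are assumptions, not Cisco's implementation."""
from typing import Dict, List

# Constructed: BSSIDs of the infrastructure APs registered with WDS (trusted inventory).
REGISTERED_APS = {
    "00:0b:85:00:00:01": "ap-floor1",
    "00:0b:85:00:00:02": "ap-floor2",
    "00:0b:85:00:00:03": "ap-floor3",
}
CORPORATE_SSIDS = {"corp", "voice"}   # constructed: SSIDs the trusted APs serve
IN_COVERAGE_RSSI = -75                # assumed dBm threshold: stronger = inside trusted coverage

# Constructed RMs: one record per (reporting AP, BSSID heard) from a scan cycle.
RADIO_MEASUREMENTS: List[dict] = [
    {"reporter": "ap-floor1", "bssid": "00:0b:85:00:00:02", "ssid": "corp",    "channel": 6,  "rssi": -60},
    {"reporter": "ap-floor1", "bssid": "00:11:22:33:44:55", "ssid": "linksys", "channel": 6,  "rssi": -58},
    {"reporter": "ap-floor2", "bssid": "00:11:22:33:44:55", "ssid": "linksys", "channel": 6,  "rssi": -71},
    {"reporter": "ap-floor2", "bssid": "00:0b:85:00:00:01", "ssid": "corp",    "channel": 1,  "rssi": -63},
    {"reporter": "ap-floor3", "bssid": "66:77:88:99:aa:bb", "ssid": "corp",    "channel": 11, "rssi": -82},
    {"reporter": "ap-floor3", "bssid": "00:0b:85:00:00:01", "ssid": "corp",    "channel": 1,  "rssi": -79},
]


def wds_aggregate(rms: List[dict]) -> Dict[str, dict]:
    """Step 2: condense many per-AP reports into one record per observed BSSID,
    keeping the strongest signal and the set of APs that heard it."""
    agg: Dict[str, dict] = {}
    for rm in rms:
        rec = agg.setdefault(rm["bssid"], {
            "ssid": rm["ssid"], "channel": rm["channel"],
            "max_rssi": -200, "heard_by": set(),
        })
        rec["max_rssi"] = max(rec["max_rssi"], rm["rssi"])
        rec["heard_by"].add(rm["reporter"])
    return agg


def wlse_alerts(agg: Dict[str, dict],
                registered: Dict[str, str] = REGISTERED_APS,
                corp_ssids=CORPORATE_SSIDS) -> List[dict]:
    """Step 4: anything not in the registered inventory is a rogue candidate.
    Placement (inside/outside trusted coverage) is inferred from the best RSSI;
    an unknown BSSID advertising a corporate SSID is rated highest."""
    alerts = []
    for bssid, rec in sorted(agg.items()):
        if bssid in registered:
            continue  # a managed AP heard by its neighbour: expected, not an alert
        in_coverage = rec["max_rssi"] >= IN_COVERAGE_RSSI
        advertises_corp_ssid = rec["ssid"] in corp_ssids
        if advertises_corp_ssid:
            severity = "critical"
        elif in_coverage:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "bssid": bssid, "ssid": rec["ssid"], "channel": rec["channel"],
            "location": ("in coverage area of trusted APs" if in_coverage
                         else "outside coverage area of trusted APs"),
            "heard_by": sorted(rec["heard_by"]), "severity": severity,
        })
    return alerts


def run_pipeline(rms: List[dict] = RADIO_MEASUREMENTS) -> List[dict]:
    """Steps 1-4 end to end over the constructed measurements."""
    return wlse_alerts(wds_aggregate(rms))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

With the constructed data, the managed APs hearing each other produce no alerts, the unknown "linksys" BSSID heard strongly by two trusted APs is reported as a high-severity rogue inside their coverage area, and the weak unknown BSSID advertising the corporate SSID is reported as critical and placed outside the coverage area.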
Catalyst 6500 WLSM
Wireless LAN Services Module
• Provide seamless layer 3 mobility across an entire campus
  No client hardware or software requirements
  Supports low latency roams for Voice
• Simplify Cisco SWAN deployment and configuration
  Reduce the number of Wireless Domain Services (WDS) needed
• Simplify Deployments
  No changes necessary to existing network infrastructure
  Provides a single interface per-SSID for the application of security and QoS policy
Enterprise Campus Roaming and Aggregation
Cisco SWAN enables Fast Secure Scalable Wireless Networking
[Diagram: CiscoWorks WLSE 2.7; WDS as single point of ingress/egress to the existing network; a roaming client shown with address 10.11.12.13 on both subnets]
• Fast Secure Roaming
• Simple Configuration
• Non-Stop Forwarding / Stateful Switchover
• Scalability
• Integrated Security Services
Seamless Layer 3 Roaming Across Subnets
Mobility Groups Enable Secure Segmentation
[Diagram: Guest, Employee and Voice mobility groups on a Catalyst 6500 Series with WLSM; WLAN traffic tunneled to mGRE interface; elements shown: Internet, Firewall, Core, VPN Services, Intrusion Detection, Phone, PSTN]
Wireless LAN Solution Engine
Key Features
• Turnkey operational tool for managing Cisco WLANs
• Manages up to 2500 Cisco APs and bridges, plus attached Cisco switches and routers and LEAP servers
• Template-based configuration of APs and bridges
• AP & bridge security misconfiguration detection and alerts
• Proactive fault and performance monitoring of APs, bridges
• Authentication server and attached switch/router monitoring
• AP/Bridge summary and utilization reports
• Current & historical client association tracking reports
• Upper-layer NMS/OSS integration via northbound trap, SYSLOG
• Secure HTML-based UI
• Role-based Access Control
• System & User Defined Device Grouping
Managing the WLAN with WLSE
[Diagram of WLSE functions:]
• LEAP Monitoring
• Template-based configuration of APs & Bridges
• Fault/Performance Monitoring of APs & Bridges
• Switch monitoring
• Device Grouping
• Client Association Tracking and Reports
CiscoWorks WLSE
www.cisco.com/go/wlse
Assisted Site Survey
Rogue AP Detection
Location Manager
RM Example: Self Healing Radio Network
[Diagram: lost radio interface]
CISCO AIRONET
www.cisco.com/go/aironet/
Cisco Aironet 1200 Series
• Investment Protection and Future Proof
  Supports 802.11a/b/g (802.11b/g and 802.11a radios)
  IOS support
  8MB of storage
• Performance & Flexibility
  Modularity
  In-line and regular power
  Unique security suite (LEAP, PEAP, …)
  Easy and integrated management
  Dualband
• Minimizes Total Cost of Ownership
• Plenum rated chassis
• Physical Security
Cisco Aironet 1100 Series
• Scalable
  Fully functional access point ideal for all enterprise deployments without expensive controllers
  802.11b now – upgradeable to 802.11g
• Affordable
  Lowest priced upgradeable Cisco Aironet access point protects customer investment
• Enterprise-class features
  End-to-end intelligent networking extended to WLAN
• Secure
  Enterprise-class interoperable security for WLAN
• Easy-to-use
  Intuitive installation and set up for rapid deployment
Aironet 1300 Outdoor AP/Bridge
• Multi Function: Access Point, Bridge, Workgroup Bridge
• 802.11g: 54 Mbps at 2.4 GHz
• Outdoor enclosure – IP56
• Included in Cisco SWAN solution
Wireless LAN Client Adapters
• 802.11a/b/g dual band client adapters
  54 Mbps in 2.4 and 5 GHz bands
  802.11b support provides investment protection
  CardBus and PCI form factors
  Windows XP/2000
• 802.11a client adapters
• 802.11b client adapters
  PCMCIA and PCI form factors
  Broad OS support (MacOS, Linux, …)
• CCX-compliant adapters
Cisco Compatible Extension Program
Key Benefits: Innovative Features, Confidence to Deploy WLAN
• Cisco Wireless Security Suite
• Tested Interoperability
• Leading security solution
• Ongoing feature development
• Wide variety of devices & OSs
• LEAP & pre-standard TKIP
• Cisco VLAN
• 40+ features in CCX v2.0
• No cost licensing
Accelerate availability of enterprise features; superset to industry standards
Industry Standards Compliance
• Wi-Fi, WPA & 802.11
Cisco Compatible Extension Program
Some of the partners… www.cisco.com/go/ciscocompatible/wireless/
In total 95% of 3rd party client NICs are covered!
Cisco Wireless IP Phone 7920
Supports LEAP – Extending security to voice clients!
• IEEE 802.11b, Direct Sequence with Dynamic Rate Scaling at 1, 2, 5.5, 11 Mbps
• Pixel-based display: 4 lines + soft keys + date/time/RF/battery + status indication
• High performance speaker supports CCM ring tones
• Visual message waiting, key lock, and vibration icon indicators
• Current HW version will go through 3 SW stages
• Automatic IEEE 802.1q (virtual LAN [VLAN]) configuration
• G.711a, G.711u, and G.729a audio-compression coder-decoders (codecs)
• SNMP manager
• DHCP or static configuration option
• Alternate TFTP support
• Range of accessories: cradle, casings, USB cable, …
Features planned for future software release
• XML services
• Directory services (LDAP)
• Extension mobility
• WPA
• Additional language support
• 450 character, two-way paging/messaging
Q and A