“There is nothing more important than our customers”

RoamAbout Wireless Product Portfolio
Customer Presentation

Enterasys RoamAbout WLAN Solutions
• RoamAbout Product Portfolio
• Management Applications
• Advanced Features of Thin Mode WLANs

© 2007 Enterasys Networks, Inc. All rights reserved.

WLAN Implementation – The Major Challenges
• Security
- The WLAN must be as secure as the LAN infrastructure
• Performance
- The WLAN should support today’s standards and be 802.11n ready
• Deployment
- Optimize positioning of Access Points
- Find and isolate rogue APs
- Automatically reconfigure failed nodes
• Management
- Manage WLAN with existing resources
- Easily authenticate and authorize corporate and guest users
• User Satisfaction
- Non-stop operation
- Ready for next gen productivity apps, such as Voice over WLAN
RoamAbout Solutions from Enterasys

RoamAbout - Enterasys’ Wireless LAN Heritage
• More than 14 years experience in WLAN technology
- First RoamAbout product shipped in January 1993
- 100,000+ RoamAbout Access Points have been deployed
- 1,000+ enterprise class customers worldwide
• Many industry innovations
- First Access Point with Power over Ethernet
- First Access Point with secure SNMP v3 support
- First 802.11b PCMCIA Radio Card with 128 bit encryption
- First radio technology-upgradeable Access Point
• Committed to open standards
- WiFi Alliance
- IEEE
- UNH WLAN Interoperability Lab
• Numerous large deployments across a broad spectrum of industries
- Goodyear
- Unisys
- West Hartford Public Schools
- Montgomery Township

RoamAbout – A Flexible Product Portfolio Today
• Secure Networks
- Enterasys’ embedded security architecture for wired & wireless networks
• Wireless Switches
- The intelligence for next gen wireless networks
- Provides ACL policy, centralized management, plug and play deployment, L3 mobility, rogue detection, reliability, and load balancing
• Access Points
- Performance, security and 802.11 standards compliance
• WLAN Management Software
- Operations center for network
• Site Survey Tools
- Helps size and optimize wireless network for customer environment

RoamAbout Wireless Switches
Mobility System Software Version 5.0 includes support for all wireless switch controllers
• TPRZ-MXR2 (Remote Office Solution): Ports: 2 x 10/100 RJ45 with PoE *; Active APs: 3; AP configs: 3
• RBT-8110: Ports: 1 x Gigabit RJ45, 1 x 10/100 RJ45, 1 x Console; Active APs: 24; AP configs: 120
• RBT-8210: Ports: 2 x Gigabit RJ45, 1 x Console; Active APs: 24 / 48 / 72; AP configs: 300
• RBT-8400: Ports: 4 x Gigabit (GBIC or RJ45), 1 x Console, 1 x Flash card slot; Active APs: 40 / 80 / 120; AP configs: 480
* Note: TPRZ-MXR2 works with RBT-1602 Access Point only

RoamAbout Wireless Access Points
RBT-4102
• Convertible AP that supports either Thick or Thin Modes
• Secure Networks edge policy in Thick Mode
• ACL-based edge policy in Thin Mode
• Single RJ45 LAN connection with Standards-Based PoE
• Redundant, Load-Sharing Power when External Power is used with PoE
RBT-1002, RBT-1602
• Support for Thin Mode ONLY
• Dual radio for 802.11a+b/g, less expensive than RBT-4102
• Supports ACL-based edge policy
• Dual-homed LAN and dual-homed PoE (RBT-1602)
• RBT-1602 can ONLY be powered via PoE
• Redundant, load-sharing power with PoE + external (RBT-1002)
TPRZ-MP-620
• Weatherproofed for Outdoor Deployments
• Support for Thin Mode ONLY
• Dual radio for 802.11a+b/g
• Supports ACL-based edge policy
• Single Ethernet port with PoE support
• External RSSI port for field antenna alignment
• Built-in lightning protector

Enterasys RoamAbout WLAN Solutions
• RoamAbout Product Portfolio
• Management Applications
• Advanced Features of Thin Mode WLANs

RoamAbout WLAN Management
• NetSight Console & Policy Manager: Management Application for RoamAbout AP4102 operating in Thick Mode.
• RoamAbout Switch Manager: Management Application for all Enterasys Wireless Systems operating in Thin Mode.

RoamAbout Switch Manager (RASM)
• Feature rich NMS for RoamAbout WLAN Switches
• Integrates Site Survey Information
- User location and roaming history
- Intrusion detection and location
• Device & User Management
- With a template model to simplify enterprise class deployments
• Performance tracking
- At multiple levels of granularity, from campus-wide to user-specific
- Includes real-time to 30 day history logging
• Fault and event viewing
- Network Admins can quickly isolate and eliminate malfunctioning APs
• Scales to manage 1 to 100+ RoamAbout switches

RoamAbout Thick Mode WLAN APs
Thick Mode
• WLAN Access Points operating standalone
• Access Points use Enterasys Edge-Policy (equivalent to wired Switches).
• Relatively simple configuration that is easy to deploy and easy to manage
• Deployments are relatively static
Advantages
• Supports Policy Management features
• Access Points are managed natively using NetSight applications
• Uses NetSight Policy Manager to enforce policy rules and roles
Why Choose a Thick Mode WLAN?
• Very efficient WLAN traffic-flow because WLAN traffic is not aggregated through a Wireless Switch
• Limited dynamic mobility for users moving between Access Points
• Enforces Secure Networks Policy characteristics
• Simplified management using NetSight Policy Manager and other NetSight Applications
• APs are not dependent on a wireless switch, so they can be “plug-and-play”
• APs are administered in a similar manner to Ethernet Switches on the network

RoamAbout Thin Mode WLAN Switches & APs
Thin Mode
• WLAN Switching with lightweight Access Points
• Sophisticated controllers enable the use of less intelligent Access Points
• WLAN Switching enables automated RF domain sizing, power adjustments and channel selection
• Multiple Access Points behave as a single entity
Advantages
• Scalable, centralized management for large scale WLAN deployments
• Multiple APs are managed as a single system
• Advanced rogue Access Point detection & suppression
• Self-healing capabilities with auto-power and auto-channel functions
• Support for Web based authentication
• Supports Topography views in management applications
• Improved support for advanced features, including Voice
• Elimination of Subnet Roaming Issues
Why Choose Thin Mode?
• Convergence and Telephony apps are enhanced with fast roaming capability
• Wireless Switches are designed to support future 802.11n networks
• ACL-based edge-policies can be configured to equate with Secure Networks policies in the LAN.

Enterasys RoamAbout WLAN Solutions
• RoamAbout Product Portfolio
• Management Applications
• Advanced Features of Thin Mode WLANs

Dynamic Response to Rogue APs
• Rogue Access Points are a serious security threat
- Unauthorized parties can gain wireless access to the entire IT infrastructure
- They are not subject to IT administration or monitoring
- They interfere with production WLAN operation
• RoamAbout WLAN switch infrastructures can automatically detect and isolate rogue APs
- Access Points temporarily convert to WLAN Sensors to locate the rogue AP
- Once the threat is mitigated, Access Points revert to normal operation
- This approach negates the need for an overlay WLAN security sensor network
• In addition, Enterasys Policy-enabled LAN Switches can limit access for rogue APs
- LAN ports deploy authentication techniques that block network access for non-authenticated devices, such as Rogue APs
- Security policy prevents IP addresses resolving to unauthorized DHCP Servers hosted by Rogue APs
- MAC locked LAN ports block unauthorized APs from joining the network

WLAN Switch Automation Tools Simplify IT Administration
• Self healing infrastructure ensures business continuity
- Adjacent APs detect and respond to AP failure or RF degradation
- Clients are automatically migrated to fully functional APs
• Dynamic load balancing addresses the “over-subscribed AP” challenge
- Automatic frequency selection and power control for adjacent APs
- Changes are localized, do not cascade throughout the network
- Option to dedicate bandwidth to QOS sensitive applications such as video and voice

Seamless Subnet to Subnet Roaming
• Supports leading edge corporate productivity applications
- Non disrupted use of WiFi and dual mode telephony handsets on the corporate WLAN
- Increase the effectiveness of PDA and handheld computer applications
• RoamAbout WLAN Switches integrate advanced roaming technologies including
- Synchronized handoffs to avoid call jitter for VoIP
- Fast subnet to subnet handoff times of less than 100ms
- Eliminate the need for client reauthentication

Enhanced Security with WLAN Intrusion Defense for AP1602
• Integrated IDS and IPS for the WLAN network
- Optional AirDefense software turns each RoamAbout AP1602 into an “on-demand” AirDefense Sensor
- A centralized Security Dashboard aggregates threat information from each AirDefense Sensor
- Includes real-time dedicated monitoring of all channels and frequencies for Intruders and Impending threats
- Forensics & incident analysis capabilities
- May be used for regulatory compliance monitoring
- Common Criteria certified

Real Time Asset Tracking & Location
• The ability to rapidly locate mobile assets is a key competitive advantage for many industries
- Tracking raw materials and WIP in a manufacturing setting
- Locating patients and medical diagnostic equipment within a healthcare facility
- Managing inventory and shipments in a warehouse
• Automated asset tracking improves productivity
- While increasing cycle count accuracy and reducing operational costs
• RoamAbout switch infrastructures support real-time location services
- Using WiFi Tags and 3rd party Location Servers
- Operates with products from AeroScout and Ekahau
© Copyright (c) 2000-2005 Ekahau, Inc. All rights reserved.

“There is nothing more important than our customers”
Wireless Networking Vision

Today - RoamAbout® “Thick” WLAN solutions
• Independent operation
• Convertible to “thin” mode
• Configured and managed with NetSight policy manager
• Continuous identity management
• Flexible operational modes
- Workgroup
- Point-to-Point
- Point-to-Multipoint

Today - RoamAbout “thin” WLAN solutions
• Wireless controllers
- Network security
› Network Access Control
› ACL Policy
› Data encryption
› Continuous identity management
- 802.11n capable
- Low latency L3 mobility
- WiFi rogue detection
- Plug and play management applications
• Wireless access points
• RoamAbout Switch Manager
- Operations center for WLAN
• Site Survey Tools
- Easy to use RF planning

Wireless Controllers (Product: Interfaces; Active APs)
• TRPZ-MXR-2: 1 x 10/100 RJ45 with PoE, 1 x 10/100 RJ45 without PoE; Up to 3
• RBT-8110: 1 x Gigabit RJ45, 1 x 10/100 RJ45, 1 x Console; Up to 24
• RBT-8210: 2 x Gigabit RJ45, 1 x Console; Up to 72
• RBT-8400: 4 x Gigabit (GBIC or RJ45), 1 x Console, 1 x Flash Card Slot; Up to 120
• RBT-8500: 2 x Gigabit SFP (MGBIC), 1 x Console, 1 x Flash Card Slot; Up to 128

Wireless Access Points (Product: Interfaces; Protocol)
• RBT-4102: (1) Wired 10/100 Mbps, (1) Console port RS232, (2) reverse male SMA connectors (4102 only); 802.11a/b/g
• RBT-1002: (1) Wired 10/100 Mbps, (1) Console port RS232, (2) reverse male SMA connectors (4102 only); 802.11a/b/g
• RBT-1602: (2) Wired 10/100 Mbps, (2) reverse male SMA connectors; 802.11a/b/g
• TRPZ-MP-422: (2) Wired 10/100 Mbps, (2) reverse male SMA connectors; 802.11a/b/g
• TRPZ-MP-620: (1) Wired 10/100 Mbps, (1) Console port RS232, (2) reverse male SMA connectors (4102 only); 802.11a/b/g
• TRPZ-MP-432: 2 Gigabit Ethernet uplink ports; 802.11a/b/g/n

2008 - Software Releases
• Version 7.0
- Multi hop meshing
› Reduce cabling costs and deploy APs in locations where cabling is not possible
- 802.11n support dramatically increases WLAN throughput (up to 600 Mbps) while improving client coverage and density
› TRPZ-MP-432 - Indoor 802.11 a/b/g/n AP
- Enterasys NAC Support
› Force re-auth, quarantine, etc.
- Wireless Switch Clustering
› Scalable and dynamic backup/recovery services for switch controllers
• Version 7.2
- Automatic AP and controller load balancing
- Controller Distributed Configurations
- Security Enhancements

2008 – WLAN “Thin” Mode Multi Hop Meshing
• Wireless AP access where wired interfaces are not available
- Radio link to multiple access points that do not have wired interfaces
• Cost effective WLAN deployments
- Reduces number of switch controllers
- Reduces cabling costs (~$200/AP)

2008 – RASM / Smart Pass
• RASM Planning
- Tools ease installation and eliminate surprises
- Improved outdoor RF planning
- Improved scaling
• RASM Management
- MS Vista support
- Full lifecycle indoor/outdoor management
- Wizards (for desired coverage, capacity, client type, e.g. WMM Voice or Spectralink SVP) for rapid deployment of hundreds of APs
- Mobile client management, tracking, logging, and reporting for thousands of wireless clients
• SmartPass
- Web-based provisioning for non-technical staff
- Secure guest access without network reconfigurations
- Scalable centralized client/server architecture with Radius API, up to 10,000 clients

2008 - WLAN Controller: RBT-10000
• 28Gbps Ethernet switching capacity – industry’s highest density WLAN switch
• 2 x 10-Gbps ports; 8 x 1-Gbps ports
• Line-rate speed and throughput
• Industry’s only hardware-switched wired and wireless
• 512 active APs
• 12,000 active clients per switch

2008 – 802.11n Access Point
• Superior performance
- Simultaneous dual band operation (2.4 GHz and 5 GHz)
- 300 Mbps per band -> 600 Mbps total
- 3x3 MIMO in both bands
- 2x10/100/1000 uplink ports
• Leverages existing infrastructure
- Interoperates with existing switch controllers
- Same PoE injectors
- Utilizes the same mounting brackets
• Flexible Power over Ethernet options
- 802.3af injectors (1 or 2)
- 802.3at draft injectors
• WiFi certified ready
- Fully compliant with 802.11n draft 2.0
- Guaranteed interoperability with standards based networks
- Upgradeable to final standard
• Optimal range
- Internal antenna design delivers surround coverage

2009 – WLAN/LAN Integration
• Integrated WLAN and LAN solution offerings to the enterprise
- Integrated with Enterasys edge switches
- Reduces complexity and expense of wireless controller appliances
• “Unified” access points capable of dynamically converting between “Thin” mode and “Thick” mode
- Provides increased resiliency for the WLAN in the event of a switch layer failure
- 802.11n performance for bandwidth intensive applications
• Single, integrated WLAN/LAN management
- Cost effective
- Easy network administration
• Integrated WLAN/LAN network security
- Including IDS/IPS security mechanisms

RoamAbout Hardware – Timeline
[Timeline figure, Jan 1, 2008 to Mar 31, 2009. Dates marked: Feb 2008, Jun 2008, Oct 2008, Feb 2009. Milestones marked: RBT-8500, Indoor 802.11n, RBT-10000, Outdoor 802.11n.]
Wireless Switches
· RBT-8500: 32 – 128 APs, 2x1Ge SFP ports
· RBT-8500-32: License upgrade for 32 additional APs
· RBT-10000: 10 Gigabit switch controller, up to 512 APs
· Edge switch with embedded wireless controller
Access Point
· TRPZ-MP-432: 802.11 a/b/g/N AP
· TRPZ-MP-632: Outdoor 802.11 a/b/g/N AP

Mobility Switching Software – Timeline
[Timeline figure, Jan 1, 2008 to Mar 31, 2009. Dates marked: Apr 2008, Jun 2008, Nov 2008. Releases marked: MSS 6.2, MSS 7.0, MSS 7.2.]
Wireless Switching and v7.0 wireless switching
· RASM 6.2
· RF Planning Enh
· Outdoor RF Planning
· Bandwidth Control Per User Per SSID
· SmartPass 6.3
· Mesh multi-hop support
· 802.11n
· ETS NAC support
· Wireless Switch/Controller Clustering
v7.2 wireless switching
· Security enhancements
· Capacity scaling
· Distributed configs
· Resilient clustering

Thank you

Enterasys RoamAbout WLAN Solutions
• Additional Slides

Evolution of Wireless Standards
2005, 2004
- 802.11e 2005 - QoS which also exposed WMM (wireless QoS)
- 802.11i 2004 - AES (advanced encryption standard, true wireless security)
- 802.11f - Inter-Access Point Protocol.
2003
- 802.11g - 2.4 GHz, 54 Mbps, 11 Channels, only 3 non-overlapping
- 802.11h - Spectrum and Transmit Power Management for Europe
2002, 2001
- 802.11d - Auto Regulatory Domains
- 802.11j - 4.9 - 5.1 GHz Japanese Regulatory
- 802.1X - Secure Authentication
- 802.16 - WiMAX for static networks
2000, 1999
- 802.11 - 2.4 GHz, 2 Mbps, 11 Channels, only 3 non-overlapping
- 802.11a - 5 GHz, 54 Mbps, up to 23 channels, all non-overlapping
- 802.11b - 2.4 GHz, 11 Mbps, 11 Channels, only 3 non-overlapping

Next Few Years – More Alphabet Soup
- 802.11s - Mesh (efficient multicast/broadcast)
- 802.11t - Wireless Performance Prediction (standard comparison tests)
2008
- 802.11u - Inter-operation with External Networks (off 11 roaming)
- 802.11n - 100 Mb/s+ of user throughputs (wireless radio-trunking)
- 802.11v - Wireless Network Management (more advanced IAPP)
2007
- 802.11m - Enhanced Maintenance & Mgmt Security (paperwork)
- 802.11r - Fast Authentication Roaming (faster roaming)
2006
- 802.11k - Radio Resource Measurement (AP-to-client queries & vice versa)
- 802.16e - WiMAX for mobile networks (wireless MANs)

Secure Networks Support – Thick Mode
Secure Networks Policy:
• Same Policy Architecture as Wired LAN, configurable with NetSight Policy Manager
• Provides for a consistent user experience across the wired or wireless infrastructure
How it Works:
• Policies are defined and applied simultaneously to the wired and wireless infrastructures.
• The RBT-4102 supports most, but not all, policy types seen in the wired switches. Policy Manager helps to identify inconsistencies.
• The system uses a RADIUS back end for AAA and policy implementation.
• The RADIUS return-attribute “FILTER-ID” is used to dynamically apply policy settings.
• Upon sign-on, consistent policy rules are applied based upon the user’s role (Policy and QoS follow the user)

Secure Networks Support – Thin Mode
ACL-Based Policy:
• Uses dynamically-applied ACLs to closely replicate the Secure Networks policies existing on the Wired LAN
• Provides for a consistent user experience across the wired or wireless infrastructure
How it Works:
• Policy is defined for the wired and wireless infrastructures using Secure Networks policy for wired devices and analogous ACL-based policies in wireless.
• Both systems share the RADIUS back end for AAA and policy implementation
• The RADIUS return-attribute “FILTER-ID” is used to dynamically apply policy settings.
• Upon sign-on, consistent policy rules are applied based upon the user’s role (Policy and QoS follow the user)

RoamAbout Firmware Version 4.1.11.0 Thick Mode
Added Support for Specified Countries
• AE UNITED ARAB EMIRATES
• AR ARGENTINA
• AU AUSTRALIA
• BR BRAZIL
• CN CHINA
• EG EGYPT
• IL ISRAEL
• IN INDIA
• JP JAPAN (W52/W53)
• KR KOREA, REPUBLIC OF
• KW KUWAIT
• MY MALAYSIA
• NZ NEW ZEALAND
• PH PHILIPPINES
• SA SAUDI ARABIA
• SG SINGAPORE
• TH THAILAND
• TW TAIWAN
• VE VENEZUELA
• VN VIETNAM
• ZA SOUTH AFRICA

Approaches to WLAN Architectures
• Thick Architecture: Limited Control Features
• Centralized Architecture: Controllers can be Bottlenecks
• Direct Path Forwarding: Intelligent Switching
- Distributed Forwarding for Latency-sensitive Applications
- Centralized Forwarding for Other Applications (e.g. security-sensitive)
[Comparison figure; rows shown for each architecture: Control, Management, Efficient Traffic.]

Direct Path Forwarding
Application-Driven Direct Path Forwarding - EXAMPLES
• Voice over Wireless: Latency Sensitive Applications; Direct Path
• Guest Access: Security Sensitive Mobility Applications; Proceed Through Switch
• 802.11n Ready Today: Tomorrow’s Applications; Direct Path

802.11n – Problem and Solution
Typical Thin Approach (Return-to-Core Forwarding)
• 802.11n creates up to 10x increase in throughput
• Throughput exceeds controller capacity
• Cannot scale without expensive hardware upgrades
Direct Path Forwarding (Intelligent Switching)
• Forwarding occurs at the AP, not through controller
• No impact on controller
• Scales in place without expensive forklift upgrade
[Figure labels: Intelligent WLAN controller; Offered load increases up to 10x; Offered load exceeds controller capacity.]