Colubris Basic Customer Presentation

… … Extend Your Extend Your Business Mobilize Your Network … Business Mobilize Your Network …

Colubris NetworksColubris NetworksProduct OverviewProduct Overview

2

Wilfredo López EscobarDATEN

System Engineer

Caribbean and Latin America

[email protected]

3

What is Wi-Fi?What is Wi-Fi?

• Wireless Ethernet – WLAN IEEE 802.11• Broadband wireless data service that connects mobile

devices to an Ethernet network Data rates: 11 to 54 MbpsData rates: 11 to 54 Mbps Distance: 300 ft, depending on antenna and environmentDistance: 300 ft, depending on antenna and environment

Wi-Fi Access Point

EthernetNetwork

4

Colubris OverviewColubris Overview

Mission: Industry-leading developer of unified multiservice WLAN/LAN systems

• Highly scalable business mobility solutions for enterprises and service providers

Market Leadership:

Over 1,000 customers worldwide• 60,000 WLAN devices installed, worldwide• #2 global market share in hospitality and

service provider; #1 in transportation

Founded in 2000; HQ in Waltham, MAProfile:• Strategic Partners – Alcatel, Juniper, Avaya• #1 privately held WLAN company

5

Distributed Intelligence Distributed Intelligence VPN Termination/AggregationVPN Termination/Aggregation

• Distributed Intelligence – VPN termination on AP eliminates separate WLAN infrastructure

• Secure VPN perimeter from client-to-corporate LAN On-board encryption accelerator optimizes performance

• Local termination enables simplicity, greater scale Back-end aggregation to fewer VPN tunnels

• Secure VPN management interface

SSID=EmployeeSecurity=VPN

Wide AreaNetwork

CN1250

Employees Corporate HQ

AAA

NMS

DHCP

VPN Server

6

Next Generation WLAN ArchitectureNext Generation WLAN Architecture

Smart Access

Management & Control

(incl. 1st Gen WLAN

Switch)

Scalability & Services Breadth

7

WLAN RF & system mgt.

QoS and security enforcement,

packet forwarding

Localized Services Policy ControlLocalized Services Policy Control

• Services applied at AP• Distributed architecture with

Centralized management and control NOT in Data Path

• Adds centralized WLAN QoS, security and roaming to existing LAN

• 10x higher scalability than WLAN switch solutions

• Leverages commercial AP chips for reduced costs

• Smooth migration to unified switch and 802.11n standards

AP AP

NMS

Central QoS and security control,

roamingMultiService

ControllerLAN

Policy Data Base

8

Colubris WLAN SolutionColubris WLAN Solution

InMotion

....

.... ........ .... .... .... ....

.... .... .... .... .... ....

VoIP-PBX

InCharge CNMSInCharge RF Security Server

L2/L3Switch

Internet Gateway

Internet

InReach

VLANSwitch

VLANSwitch

10

Free or Fee-based Hotspot ServicesFree or Fee-based Hotspot Services

• Cafes and restaurants• Hotels and marinas• Train stations

• Increase foot traffic• Customer stays longer• Generate revenue

FEE-BASED SERVICE OPPORTUNITIES

• Retailers, Malls• Municipalities

• Increase foot traffic• Attract techno-savvy clients

FREE SERVICE OPPORTUNITIES

NOC

CN3200AccessNetwork

Kiosk

Hotspot

11

Public InterfacePublic Interface

13

Internal Web Page

14

Original URL and Session Page

15

Customized Local (MSC) PagesCustomized Local (MSC) Pages

16

Rich Content Remote WEB server PageRich Content Remote WEB server Page

17

Interactive Captive Portal Interactive Captive Portal

18

Payment optionsPayment options

19

Credit Card PaymentCredit Card Payment

20

Public Internet Access Industry StructurePublic Internet Access Industry Structure

• Wireless service provider Owns and operates WLAN infrastructure

• Carrier Owns and operates Internet network service

• Back-office service provider Performs back-end authentication, billing, phone

support

• Venue owner (hotel, restaurant, etc.)

• Aggregator Markets services to end-users Aggregates service operated by 3rd party WSPs

End User

Venue Owner

Wireless Service Provider

Back Office Service Provider

Carrier

22

Public Access Service Business ModelsPublic Access Service Business Models

• Service branding Private label for venue Wireless service provider brand Aggregator brand

• Revenue models Service paid by venue owner Service paid by end user and split with venue

owner Service paid by aggregator and split with service

provider and venue owner

• Various back office and carrier outsourcing models

Aggregator

Wireless Service Provider

Back Office Service Provider

Carrier

24

Public Access Service Network ComponentsPublic Access Service Network Components

BackOffice

Firewall/Router

WLAN Access Point (s)

Service Provider NOC

Service Provider

NMS

Broadband client connectivity

Client authentication, service presentation, billing support

Routing services, security

Access GatewayNMS manages and controls public access infrastructure,Portal delivers web content to clients

Back OfficeSubscriber authentication, Credit card processing

Public Internet Access VenuePortal

Carrier Internet Service

Cable/DSL Modem

25

CIMS Fully Integrated Public Access SolutionCIMS Fully Integrated Public Access Solution

BackOffice

InMotion MSC InReach MAP(s)InCharge Colubris

NMS (CNMS)

Service Provider

• MultiService client connectivity

• Turnkey public access CPE solution

• Integrated access gateway, router, firewall, access point

• CNMS manages and controls geographically distributed public access infrastructure

Back Office

• Comprehensive support for AAA and back-office billing systems

Public Access VenuePortal

Carrier Internet Service

Cable/DSL Modem

CNMS

MultiService Controller MultiService

Access Point

29

SSID and Windows XPSSID and Windows XP

30

VAPs – Access Contol lists and Backend VAPs – Access Contol lists and Backend ServicesServices

LAN/WAN

Back-end RADIUS 4 & WEB

AAA

NMS

Billing

Portal

SSID=AdminSecurity=VPN

QoS=P2RADIUS Profile 2

ACL 3

SSID=VoiceSecurity=WEP


ACL - 4

SSID= POSSecurity=MAC


ACL - 2

SSID=GuestSecurity=Open


ACL - 5

POSServer

VoIP Gateway

SSID=HotspotSecurity=Open


ACL - 6

• Services ControllerServices Controller• Access DevicesAccess Devices


AAA

NMS

Billing

Portal


AAA

NMS

Billing

Portal


AAA

NMS

Billing

Portal

Radius Profile 1 – Walled Garden ACL’a

31

Multi-Service WLANs for Higher Multi-Service WLANs for Higher EducationEducation

LAN/MAN/WANSSID=FacultySecurity=VPN

QoS=P2

SSID=VoiceSecurity=WEP

QoS=P1

Staff

SSID=StudentSecurity=Open

QoS=P4

Admin Services

StudentServices

VoIP Gateway

Faculty

Data Center

SSID=AssetsSSID=AssetsSecurity=WPASecurity=WPA

QoS=P2QoS=P2

Students

CNMS WLAN CNMS WLAN MgmtMgmt

AAA/VPN Server

• Services ControllerServices Controller• Access DevicesAccess Devices

Internet

32

GSM / Wi-Fi phones are hereGSM / Wi-Fi phones are here

33

Toll-Quality Voice ServiceToll-Quality Voice Service

• Broad QoS support for VoWLAN handsets SpectraLink, 802.11e,

Vocera, SIP and H.323 softphones

• Transparent client subnet roaming support

• Traffic segregation and IP filters reinforce security

• Open support for 3rd party power-save modes

EmployeeServer

VoIPGateway

CN1250

SSID=VOICESecurity= WEP

IP Filter=VoIP G/WQoS=P1

Router

Data Center

Subnet “A”Subnet “B”

Seamless Subnet Roaming

35

Colubris: QoS Enforced at the AP EdgeColubris: QoS Enforced at the AP Edge

• Policies applied at WLAN/wired network boundary Mapping between WLAN and LAN/WAN policies

• Embedded processors provide scalability to large networks Each AP adds processing power for 16 services to network

• CNMS centrally configures QoS policies for ease of operation

IP Backbone

LAN Backbone

802.1p

TOS/DiffServ

QoS Policy EnforcementSSID

802.1pWME

802.1pTOS/DiffServ

ApplicationsCorporate HQSuppliers

36

Interoperability with QoS-Capable Interoperability with QoS-Capable ClientsClients

• Protocol-based policy enables client device to request priority 802.11e WME provides

open voice, video, data interoperability

SVP support provides interoperability with SpectraLink phones

• Part of end-to-end QoS scheme Client-AP-Ethernet

SVP QoSWME QoS No QoS

Ethernet

Wi-Fi

1 2 3 4

Protocol-basedForwarding

SSID=MultimediaSecurity=OpenQoS=Protocol

38

Problems with next generation SolutionsProblems with next generation Solutions

....

.... ........ .... .... .... ....

.... .... .... .... .... ....

VoIP-PBX

Management

VLANSwitch

Subnet A

Master VLANSwitch

IP Router

Internet

RADIUSServer

DNSServer

VLANSwitch

Subnet B

Phone IP

NEW IP

Inter AP Roam – re associate & KEY

39

Large Site / Campus deploymentLarge Site / Campus deployment

VLANSwitch

In Motion MSC

....

.... ........ .... .... .... ....

.... .... .... .... .... ....

VoIP-PBX

Control / mgmt

Call Setup

Legend:

Call

CNMS Management

VLANSwitch

Master VLANSwitch

IP Router

Internet

Secure Control IP Tunnel

In Motion MSC

40

InMotionInMotion™™ Delivers New Services Delivers New Services

• New Industry-leading Voice Over WLAN Service Highest R-values and voice session capacity More than 28% lower jitter than competitors

• New Fast, Secure Intra/Inter Subnet Roaming Service Mobility for real-time applications MOBILE IP Protocol Secure WPA2 hand-offs < 50 milliseconds

• New Plug-and-Play Deployment Service Automatic MAP discovery and configuration Mutual authentication and encryption for security

• Industry-Leading Public/guest Network Access Service “Zero configuration” for easy client access Rich service management policies

MultiService Controllers

43

Data Network SecurityData Network Security

3 Requirements1. Access Control – Bi directional, verifiable, centrally

Managed 2. Confidentiality – Encryption3. Data Integrity – Frame Check and Sequencing

Cipher Cipher TextTextDATADATA DATADATA

Encryption Encryption EngineEngine

Encryption Encryption EngineEngine

Encryption KEYEncryption KEY Encryption KEYEncryption KEY

RC4

DES/3DES

CCMP AES

RC4

DES/3DES

CCMP AES

Static – PSKCertificate

PMK TKIP

44

Wi-Fi SecurityWi-Fi Security

• WEP – Wired Equivalent Privacy Original 802.11 encryption scheme RC4 - Static Weak Key

• VPN – Virtual Private Network (DES, 3DES) cryptography – VPN client and Gateway

• IEEE 802.1x – Access Control EAP protocol using Radius Authentication

• WPA – Wireless Protected Access Strong encryption TKIP RC4 Requires access to authentication server

• IEEE 802.11i – WPA2 Strongest encryption (AES) Government approved

• HTML Access Control Public Access via Captive Portal authentication

WLAN System ComponentsWLAN System Components

49

Colubris ProductsColubris Products

Product Type 1 Radio2 ports total

2 Radios3 ports total

Appliance No Radio, 4 Ethernet Ports only

In ReachMAP – MultiService Access Point

MAP-320MAP-320RCN320

WAP-200 2 VAP no QOS

MAP-330MAP-330RCN330

In MotionMSC – MultiService Access Contoller

MSC-3200MSC-3200RCN3200100 concurrent Users

MSC-3300MSC-3300RCN3300100 concurrent Users

MSC-5200CN3400500 concurrent Users

MSC-55002000 concurrent Users2-1000BASE-T4

MGW – MultiService Gateway

MGW-1250CN1250

MGW-3500CN3500 1000 concurrent Users

51

Product PositioningProduct Positioning

Performance- User Capacity, Future Proofing

Feat

ures

- Con

nect

ivity

, Sec

urity

, Mob

ility

MSC-3200 MSC-3300

MSC-5500MSC-5200

100 Users

500 Users/25 AP

MGW-3500

1000 Users

2000 Users/200 AP

52

InMotionInMotion™™ MultiService Controllers MultiService Controllers

Specifications MSC-5200 MSC-5500

Software Configuration COS Access Service

COS Service Pack

COS Access Service

COS Service Pack

ServicesVoWLANFast RoamingPlug & Play DeploymentPublic/Guest Access

Maximum MAPs N.A. 25 N.A. 200

Max. Public/Guest Access Users 500 500 2,000 2,000

53

FirewallFirewall

54

NATNAT

55

VPN ClientVPN Client

To protect the VPN, add the following definitions to the access list:access-list=vpn,DENY,all,192.168.30.0/24,alluse-access-list=vpn

56

Centralized Mode Centralized Mode

57

Dual Radio Access Device FeaturesDual Radio Access Device Features

• Industry first dual a/b/g radios Two channels on single band increases performance, coverage

• Configurable AP, WDS Bridge and Monitor operating modes Flexibility and investment protection Enables continuous full-spectrum rogue scanning for increased

security• Robust monitor and diagnostic capability

Eliminates cost of redundant probes/monitors

Configurability Radio 1 Radio 2

Transceiver Mode a/b/g a/b/g

Operating Mode AP, Bridge, Monitor

AP, Bridge, Monitor

59

Extended Access Control NetworkExtended Access Control Network

60

Network Topology - WDSNetwork Topology - WDS

MAP-330

MAP-330

MAP-330

MAP-330

MAP-330

Access line

Client

Client

client

Client

Client

Client

Client

MAP-330

MAP-3300

MAP-330

MAP-330

MAP-330

MAP-330

MAP-330

Internet

MAP-330

Client

Client

Client

Client

Client

Client .11g or 11a (WDS)

.11b ch 1 area (AP)

.11b ch 6 area (AP)

.11b ch 11 area (AP)

MAP-3300/MAP-330 – one radio in AP mode and the other radio in WDS mode

Potential hidden node issue, for shared

WDS/AP radios

61

Rogue AP Detection and ReportingRogue AP Detection and Reporting

• Wireless RF Scanning Use of existing, authorized APs for wireless scans Differentiates between true “rogues” and “ignored” 3rd

party APs Multi-vendor support enables most comprehensive

Rogue AP detection• Wireline Rogue Discovery

Scans network via multiple protocols Automatically IDs the “fingerprints” of rogue APs

• Integrated Rogue AP Reporting Correlates all information to rapidly locate and disable

rogues

62

Outdoor Rated Enclosure: MSC-3200R, MAP-320ROutdoor Rated Enclosure: MSC-3200R, MAP-320R

This slide for planning purposes only, content and dates subject to change

• Die-Cast Aluminum, NEMA 67 rating• 2 waterproof N-type Antennas option• Waterproof, quick disconnect RJ-45 connector• 3 point silicone-rubber gasket• Pole-top and wall-mount mounting options• Colubris Logo Applied

63

Locking Mounting BracketLocking Mounting Bracket

This slide for planning purposes only, content and dates subject to change

• Die-Cast Aluminum• Wall or Ceiling Mountable• Compatible with standard product enclosure (slides in and out)• Padlock not included• List Price $50 (USD)

64

CNMS - WiFi Network Management CNMS - WiFi Network Management

65

WiFi Network Management WiFi Network Management

66

CNMS OverviewCNMS Overview

NMSAuthentication

RADIUS SNMP

NOC

WAN/LAN

Campus A Campus B

CN3200 CN320CN3200

CN1250

SNMP/HTTP/TFTP

CNMS

• Monitor AP discovery User monitoring Rogue AP detection NMS & AAA integration

• Analyze Alerts & diagnostics Performance reports RF event correlation

• Act Multi-vendor

config mgt Firmware distribution Grouping & scheduling

67

Colubris Networks Offers a Comprehensive RF Colubris Networks Offers a Comprehensive RF Security and Management SolutionSecurity and Management Solution

• InCharge RF Server• InReach 330P

• InCharge RF Planner

• Automatically prevent Wi-Fi security attacks• Perform real-time network audits• Assist performance troubleshooting• Monitor wireless LAN health

68

InCharge RF Server Two appliance models support up to 50 sensors

or up to 200 sensors Correlates sensor data Analyzes and classifies Wi-Fi devices Enforces security policy Web interface Within CNMS, launch InCharge RF Server

screens in Phase 1 Tight integration with CNMS in Phase 2

InCharge RF Server, InReach 330P, InCharge RF Server, InReach 330P, InCharge RF PlannerInCharge RF Planner

InReach 330P Scans 2.4 and 5 GHz bands Centrally managed and configured by Server Dedicated sensor function in Phase 1 Concurrent AP and Sensor function at Phase 2; Phase 1 InReach 330P

devices can be upgraded to Phase 2 capability Power over Ethernet

InReach330P

Web InterfaceInCharge RF Server

InChargeSecurity Server

InCharge RF PlannerStand-alone Windows-based application

Models wireless LAN coverage without a physical site survey

Evaluates security risk from wireless LAN spillage outside building

Assesses changes with simple drag and drop techniques

Generates equipment lists for installation team Provides powerful predictive planning

Input floor planInput floor plan Add building material typeAdd building material type Specify 802.11b, g or aSpecify 802.11b, g or a Input minimum bandwidth requirementsInput minimum bandwidth requirements Drag and drop APsDrag and drop APs

Supports dynamic floor plan models RF coverageRF coverage ChannelsChannels Signal strengthSignal strength SpillageSpillage

69

The Threat!!!; Eight Major Classes of The Threat!!!; Eight Major Classes of Wi-Fi ThreatsWi-Fi Threats

Firewalls, VPNs, and 802.11 Security StandardsDo Not Prevent These Wi-Fi Threats on Either Wired or Wireless Networks

Enterprise Network

Neighboring Network

?

Ad Hoc

Denial of

Service Attack

AP MAC Spoofing

Rogue AP

Mis-configured AP

Unauthorized Association

Mis-association

Honeypot

• Common Rogue Access Points Mis-configured Access

Points Ad hoc connections Client mis-associations Unauthorized client

associations• Malicious

Honeypot APs MAC Spoofing APs

Client > Malicious APClient > Malicious AP Denial of Service

De-authentication De-authentication floodflood

Packet stormPacket storm

70

Monitor/DetectMonitor/Detect

• Scan all bands• 2.4 GHz and 5 GHz

• Detect all Wi-Fi activity• Access points, soft APs, NATing

APs, clients

• Correlate information from multiple sensors

• Eliminate confusing duplicate reports of the same device

71

VisualizeVisualize

• Make your airwaves visible

• View RF coverage in real time Handhelds only provide a

snapshot in time

• Plan for security and Wi-Fi coverage Only integrated solution that

ensures proper sensor placement Model detection and prevention

levels

• Self-calibrating Site-specific RF

characteristics Deployment orientation

Good Coverage

No RF Coverage Poor RF Coverage

72

Auto-ClassifyAuto-Classify

• Comprehensive Access points

Authorized, Rogue, ExternalAuthorized, Rogue, External Clients

Authorized and UnauthorizedAuthorized and Unauthorized• Accurate and Reliable

No false positives/no false negatives• Instantaneous

No manual user intervention required

InCharge RF Server dashboard automatically classifies Access Points and Clients into appropriate categories.

73

PreventPrevent• Over-the-air

Ensures non-stop protection• Instantaneous

Based on quarantine policy and accurate auto-classification

Doesn’t require manual administrator intervention

• No harm policy Won’t disrupt your own or neighbor’s

networks• Most comprehensive solution

All major classes of threats Rogue access points, Evil Twin/Honey

Pot APs, MAC spoofing APs, mis-configured APs, rogue clients, client mis-associations, ad hoc networks and DoS attacks

InCharge RF Server dashboard shows rogue access points that has been

quarantined; I.e. automatically blocked to prevent any and all client connections.

3

5

74

LocateLocate

• Precise• Locates rogues and other Wi-

Fi security threats for physical remediation

• Pinpoints all AP and client device locations

• Authorized, unauthorized Authorized, unauthorized and neighborand neighbor

• Immediate• One click operation

• Site calibrated• Displays location on a

floor plan

• One click operation provides graphical probability analysis of location

• Not just a red ‘X’InCharge RF Server integrates a floor plan to show a range of probable locations of

rogue APs or clients.

75

Prevent Wi-Fi Threats in a Non Wi-Fi NetworkPrevent Wi-Fi Threats in a Non Wi-Fi Network

• Even if you have no 802.11 AP’s, most laptops have 802.11 cards

• A laptop radio is default configured to ‘automatically associate’ with the strongest signal from a list of SSID’s

• Hackers simple sit outside the building with an AP configured to a common SSID and wait for a number of laptops to connect

SSID: linksys

Corporate FirewallInternet

XX X

X

Honeypot attack lures in multiple laptops to miss-associate.

76

Rogue AP BlockingRogue AP Blocking

• Rogue AP is Detected

Over-the-air detection Network connect tested Auto-classified

• No False Positives Does not rely on switch

• Blocked over-the-air De-auth all Clients 100% accurate Any network / switch

• Better than port blocking Port blocking is not reliable Port blocking may cause DoS

Rogue AP

Wi-Fi Ready Laptop

XCorporate Firewall

Internet

77

Prevent Client Mis-AssociationPrevent Client Mis-Association

C orp ora te F irewa llIn ternet

Enterprise Network

Neighboring Network

SSID: a1b2c3

SSID: a1b2c3

SSID: a1b2c3

X X X X • Clients associate to strongest signal

• Blocks clients that mis-associate

• Prevents SSID spoofing Client roaming

78

C orpo ra te F irewa llIn ternet

Enterprise Network

SSID: a1b2c3MAC: 00.20.A6.4C.1A.46

SSID: a1b2c3MAC: 00.20.A6.4C.1A.46X

X

• Detects MAC Spoofing • Blocks unauthorized

spoofed AP’s• Prevent malicious threats

Evil Twin Man-in-the-middle

Prevent MAC & Air-Jack AttackPrevent MAC & Air-Jack Attack

79

Denial of Service Attack PreventionDenial of Service Attack Prevention

• Wi-Fi Denial of Service can shut down your network

• Blocks DoS attacks Exclusive vendor DoS

prevention

• Patented ‘Virtual Selective Jamming’

technique


Enterprise Network

X XX

DoS attack

80

Complete Protection Requires Complete Protection Requires Simultaneous Threat PreventionSimultaneous Threat Prevention


Enterprise Network X

X XX

X

SSID: linksys

Rogue AP

Single Sensor must block

multiple Clients and multiple

Rogue AP’s on multiple channels

simultaneously

81

Knowledge-Based TroubleshootingKnowledge-Based Troubleshooting• Step-by-step flowchart

Connectivity and performance problems

Client and access point issues

• Not just problem identification Suggests remedies

• Easy to use Helpdesks Remote administrators

• Live over-the-air packet capture Ethereal

82

Knowledge-based Troubleshooting Knowledge-based Troubleshooting (cont’d) (cont’d)

1. Administrator logs into the InCharge RF Server & chooses the device to troubleshoot

2. Administrator selects the appropriate sensor to troubleshoot the device

Step 1

Step 2

Live Packet stream

83

Customizable ReportsCustomizable Reports

This custom report captures uncategorized & unauthorized

clients that are not quarantined!

84

Security & Performance MonitoringSecurity & Performance Monitoring

• Monitor & alert for security and performance issues

• Total of 140 events!

• Complete protection Sensors scan ALL

channels Independent of

regulatory domain

• Details provided for each event Suggested remedies

85

AvailabilityAvailability

• Phase 1: GA End of October InReach 300P (dedicated sensor) InCharge RF Server appliance InCharge RF Planning Tool

• Phase 2: target GA of 1Q06 Multi-function MAP-330 will support AP and sensor function or

act as a dedicated sensor Software migration path from Phase 1 to Phase 2 capability Tight integration of InCharge CNMS and RF server

86

A New ParadigmA New Paradigm

• Determine AP and security sensor placement without physical walk around

• Much more efficient method than physical site survey

• What-if analysis

• Predictive planning enables simply, easily

Building floor plan with predicted RF coverage

87

How it WorksHow it Works

• Predictive planning Input floor plan Add building material type Specify 802.11b, g or a Input minimum

bandwidth requirements Drag and drop APs

• Dynamic floor plan models RF coverage Channels Signal strength Spillage

88

InCharge RF Planner InCharge RF Planner Wi-Fi Site PlanningWi-Fi Site Planning

• InCharge RF Planner Site Planner for Wireless LAN Access Point Coverage Site Planner for Performance Optimization Planning for WLAN Security Sensors Coverage

• Advantages Software solution does not require manual site surveys Automatic RF Mapping with ‘True Map’ Automatic report generation

Planning for Coverage,

Performance and Security

89

Good security coverage

blind spots

Wi-Fi Site PlanningWi-Fi Site Planning• Software Planning Tool

• Import or create floor plans• State-of-the-art RF propagation

modeling for wireless LAN and security sensor coverage

• Models site specific parameters• Ensure optimum performance

• Capacity and coverage• Allows for redundancy planning• Ensures no blind spots• Provides visual confirmation

• Determine security level needed• Detection vs. prevention

coverage areas• Security sensitivity modeling

90

Wireless LAN CoverageWireless LAN Coverage

• Model building RF reflection, refraction, and absorption

• Import floor map from virtually any electronic format

• Plan for complete and optimum coverage

91

Redundancy PlanningRedundancy Planning

• Eliminate blind spots

• Model 802.11 a/b/g

• Minimize AP requirements

92

Link SpeedLink Speed

• Performance optimization modeling

• Model 802.11a/b/g

• Building specific

93

Channel AllocationChannel Allocation

• Visualize Channel Overlap to minimize interference

• Model various scenarios Vendor APs Antennae Antennae direction Power a/b/g

94

Channel InterferenceChannel Interference

• Minimize Interference

• Model multiple scenarios

• Optimize performance

95

Security ExposureSecurity Exposure

• Know where you are vulnerable

• Model various scenarios to minimize risk

96

Comprehensive Security Coverage Comprehensive Security Coverage PlanningPlanning

• Accurately determines number of sensors based on

customer specific risk profile

• Five specific variables used to model coverage level Site specific

characteristics Detection vs. prevention

range Detection range vs.

transmit power of rogue or attacker

Redundancy

• Other solutions blindly quote coverage ranges with no real method to determine actual security level

SpectraGuard Enterprise shows precisely the detection (blue) versus protection (purple)

range of each sensor.

97

Work OrderWork Order

• Automatic work order generation

• Detailed management reporting

• Ease deployment and maintain performance of your WLAN project

Access Point ID Vendor / Model From NW

corner Supported Protocols

Channel (a, b, g)

Transmit Power (mW)

(a, b, g)

Antenna (a, b, g)

AP01 Generic ABG 45 ft E, 16 ft S b,a,g 36,1,1 40,50,30

Generic_2.2dBi Dipole,


Generic_2.2dBi Dipole

















Sensor01 AirTight Networks SS-200-AT

18 ft E, 55 ft S a,b,g 48,6,6 100,100,10

0




Sensor02 AirTight Networks SS-200-AT

106 ft E, 48 ft S a,b,g 52,6,6 100,100,10

0




98

Global Customer DeploymentsGlobal Customer Deployments

New Zealand

Argentina

Wireline Wireless Cable ISP

Hospitality Retail Education Transportation Sporting Venues

Serv

ice

Prov

ider

s Ve

rtic

als

Part

ners

99

Customer Success: McDonald’s Customer Success: McDonald’s RestaurantsRestaurants

Trigger Events: • 500+ “Store of the Future” WLAN Program Initiative

McDonald's is the leading global foodservice retailer with more than 30,000 restaurants serving nearly 47 million people in more than 120 countries each day.

Why Colubris: • Open systems, multiservice platform provided a simple, cost-effective means to evaluate and launch new business applications to improve quality and speed of service

• Scale and manageability to potentially thousands of locations• Simple integration with existing Juniper infrastructure

Goals: • Enhanced customer satisfaction and revenue throughput• Consistent quality monitoring• Real-time inventory management• Timely corporate communications

Vision Point: • Use wireless mobility to improve customer service, quality and cost across business systems

Solution: • CN3200 AP/SC platform, CNMS Management

Competition: • Cisco & Symbol

100

McDonald’s “Store of the Future”McDonald’s “Store of the Future”

VSC 1

VSC 2

Roaming Quality Audits

• Segment Traffic • WPA Security VSC 3

Public Internet Access

• Segment Traffic • Access Control

• Best Effort Priority

Quality &

Inventory

Internet

POS

Line Busting

Hotspot

Quality Control

Mobile Order Taking

• Segment Traffic • WEP Security

Intelligent Access & Service Control • 3 VSCs deliver separate service

through single WLAN system

• VSC security and QoS policies tailored to each application

• Open support for wide range of devices, users and apps.

• Applications under evaluation: Wireless telemetry, Inventory

management, VoIP (drivethru), Signage

WLAN Management

101

Customer Success: Wendy'sCustomer Success: Wendy's

Trigger Events: • Interoperable, low cost WLAN equipment widely available

Wendy’s is one of the world's largest restaurant operating and franchising companies with more than 9,500 restaurants

under the Wendy's Old Fashioned Hamburgers®, Tim Horton's and Baja Fresh® Mexican Grill brands.

Why Colubris: • Delivers multiple private and public WLAN services in one device• Integrated IP routing and VPN security services• Centralized management of 1000s of remote sites• Easy to deploy solution for autonomous franchises

Goals: • Wireless mobility for all headquarters and regional employees• Real-time network automation of restaurant equipment• Single WLAN architecture for campus, regional offices and stores• Eliminate cabling expenses• Offer customers public Internet access services

Vision Point: • Common wireless infrastructure for restaurant automation, enhanced customer service and human resource productivity initiatives

Solution: • CN1250 (HQ), CN3200 (Restaurant), CNMS management

Competition: • Cisco, Sonic Wall, ReefEdge

102

Wendy’s Common WLAN Wendy’s Common WLAN InfrastructureInfrastructure

Restaurant Automation

• Segment Traffic • P2 Priority




Equipment

Controller

Internet

POS

HotSpot(Future)

EquipmentAutomation & Telemetry

Regional Mgr Network

• Segment Traffic • VPN Security

• Wireless connectivity to HQ VPN network

• VSC security and QoS policies segment traffic tailored to each application

• CNMS centralizes management for HQ, regional offices and restaurants

WLAN ManagementIntelligent Access &

Service Control

VPN access to HQ applications

Headquarters

Intelligent Access & Service Control

Point of Sale/ Line Busting

(Future)

POS

• Segment Traffic• VPN Security

VSC 3VSC 4

VSC 2

VSC 1

VPN Server

103

Gander Mountain “Store of the Future”Gander Mountain “Store of the Future”

VSC 1: Associate Communication

• Segment Traffic• WEP Security• Voice Priority

VSC 2: Inventory Control

• Segment Traffic• WPA Security

VSC 3: Corporate Employee

• Segment Traffic• WPA Security• Best Effort Priority

Quality & Inventory

Management

POS

WLAN Management


Internet

• VSCs deliver 3 separate services through single WLAN system

• VSC security and QoS policies segment traffic tailored to each application

• VSCs provide open support for wide range of devices, users and applications

VoWLAN

Wire Replacement

Wire Replacement

104

Customer Success: Emory Customer Success: Emory UniversityUniversity

Trigger Events: • Availability of unified WLAN voice and data network technology

Why Colubris: • VSC capabilities• Leadership VoFi and QoS solution• Central management for scalability and ease of operation

Goals: • Easy access to network services from any campus location• Instant voice communications for all staff members• Wireless student Net access• Guest Internet access in hospitals

Vision Point: • Improved staff, faculty, student productivity through ubiquitous broadband network services

Solution: • CN1250 Secure Gateway, CNMS Management

Competition: • Cisco

Emory University is recognized as one of the U.S.’s top 25 national universities. It is known for its demanding academics, outstanding undergraduate college of arts and sciences, highly ranked professional schools and state-of-the-art research facilities.

105

Emory University Ubiquitous WLANEmory University Ubiquitous WLAN

VSC 1

VSC 2

VPN Data Service

• Segment Traffic • VPN Security VSC 4




Data Servic

es

Internet

VoIP Gatewa

yVoFi

Hotspot(hospital)

Student, Staff,

Faculty

Voice Service

• Segment Traffic • High Priority


• SpectraLink VoWLAN phone support

• Smooth migration from VPN to WPA capable devices

• Student, Staff and Faculty security privileges set by RADIUS authentication

WLAN Management

VSC 3

WPA Data Service

• Segment Traffic • WPA Security

Student, Staff,

Faculty

106

Customer Success: SJCustomer Success: SJ

Trigger Events: • “Internet On Track” -- The first full fleet roll out by a train operator of an onboard wireless Internet service and the world's first implementation of 3G/Satellite -enabled Wi-Fi service

Why Colubris: • VSC capabilities• Security policies ensure internal applications are protected from

public Internet traffic• Corporate responsiveness and networking expertise

Goals: • Integrate an Internet access service into business class ticket• Optional fee service for coach class ticket holders• Separate internal WLAN service for train monitoring

Vision Point: • Continuous broadband Internet service improves passenger experience

Solution: • CN320 Intelligent MultiService Access Point

Competition: • Cisco, Proxim

SJ is Sweden’s leading rail traffic company and operator of the X2000, Sweden’s high-speed train, and its new X40 fleet – servicing 85 trains beginning in summer 2005.

107

SJ “Internet On Track” ServiceSJ “Internet On Track” Service

Internet

Data CollectionTrain

Data Monitor

Hotspot


• Segment traffic per VSC for security

• Strong security for internal train applications

• Selective Layer 2 isolation prevents snooping on passenger hotspot service while enabling peer-peer monitoring connections

VSC 2




VSC 1

Data Collection

• Segment Traffic• WPA Security • High Priority

108

Wi-Fi on the TrainWi-Fi on the Train

Head CarRear Car Middle Cars (7)

Mobility Router

GPRS, EDGE, CDMA, UMTS, WCDMA, 3G and satellite technologies.

Provide wireless multi-service applications in a single footprint

Provide Access Control

CN330 CN320 CN330 CN3300

Public Access – internet for passengers

Personnel Access – ticket sales, inter cart communication

Video surveillance

SSID 1SSID 2

SSID 3

Internet

109

Customer Success: SprintCustomer Success: Sprint

Trigger Events: • Previous vendors unable to reach vision point

Why Colubris: • VSC capabilities: traffic segmentation, security & QoS policies per VSC

• Ease of management with CNMS• Interoperability with 3rd party hotspot back-end services

Goals: • Upsell existing WAN service customers to managed Wi-Fi• Offer revenue-generating hotspot service to retailers and public

venue operators• Flexibility to add new software-defined Wi-Fi service offerings

(training, video surveillance, point-of-sale system, credit card service)

Vision Point: • Managed Wi-Fi service for installed base of 8,000 enterprises

Solution: • CN3200 AP/SC platform, CNMS Management

Competition: • Cisco, Nomadix, AireSpace

Sprint is a Fortune 100 company with more than $27 billion in annual revenues in 2004, Sprint is widely recognized for developing, engineering and deploying state-of-the-art network technologies.

110

Sprint “Enterprise Wi-Fi Access” Sprint “Enterprise Wi-Fi Access” ServiceService

Internet

Hotspot


• Segment traffic per VSN for security

• Authenticate hotspot users via Airpath back-end service

• CNMS in NOC centralizes management for all customer sites

• Additional VSCs available for future services

VSC 1




Security Surveillance

Service(Future)

VSC 2

Video Surveillance

• Segment Traffic• High Priority

Back-end Hotspot Service

Point of SaleCredit Verification

(Future)POS

• Segment Traffic• VPN Security

VSC 3

Enterprise Customer Premise

WLAN Management

Sprint NOC

111

Customer Success: Best Western Customer Success: Best Western EuropaEuropa

Trigger Events: • Best Western mandate to offer Wi-Fi Internet access in all properties

Why Colubris: • VSC capabilities• Strong security policy enforcement• VoWLAN and QoS support

Goals: • Differentiate by offering wireless keycard and wireless guest authentication services

• Upgrade path to VoWLAN service for guests• Reduce operating costs while expanding guest services

Vision Point: • Leverage Wi-Fi to provide multiple wireless customer conveniences

Solution: • CN3200 AP/SC platform, CN320 AP, CNMS Management

Competition: • Cisco

The Europa is a 180-room business hotel located in downtown Montreal and a franchise of the Best Western hotel chain.

112

Best Western MultiService WLANBest Western MultiService WLAN

Internet

Guest Internet Access Service


• Segment traffic per VSC for security

• Authenticate hotspot users via Airpath back-end service

• Additional VSCs available for future services

VSC 1




Wireless Guest

Authentication and Direct

Billing

VSC 2

Guest Authentication

• Segment Traffic• WPA Security

Guest Wireless Voice Service

(Future)Telephony

• Segment Traffic• High priority

VSC 3

VoIP Gatewa

y

Property Management

System

113

Veteran Leadership TeamVeteran Leadership Team Barry Fougere - President & CEO• A.T. Kearney, EDS, Cambridge Strategic Mgt Group

Pierre Trudeau - Co-founder & CTO• Eicon Technology, Touch Tones Digital Jukebox

Larry Whitman - CFO• WaveSmith Networks, Shiva

John O’Hara – VP, Engineering• WaveSmith Networks, New Oak Communications

Marty Falaro – VP, Sales & Business Development• Altiga Networks, Cisco, PictureTel

Roger Sands – VP, Enterprise Development• Accton Technoloogies, US Robotics

Ken MacLure – VP, Operations• Narad Networks, Cascade

Michael Welts – VP, Marketing• Unisphere, Castle Networks, Bay Networks

114

Demonstration SetupDemonstration Setup

Internet

MSC-3300MAP-330

5.8GHz WDS Secure Link

In Charge

CNMS192.168.2.20

RADIUS/Apache192.168.2.99

WIN2KServer

192.168.2.100Gateway Router