BYOD: A Blessing or a Curse? Eddie Felmer Technical Director – UK, EIRE & Nordics [email protected] 07921-264076 May 2012 – Rev 2

Simon Hollister, Ruckus Wireless: WiFi, BYOD to death!


Agenda

▪Why BYOD and Preparing for BYOD

▪BYOD Deployment

▪BYOD NAC Solutions

▪Dealing with Density

▪A Few Words about Ruckus Wireless

Why BYOD and Preparing for BYOD

Why BYOD?

▪Our IT refresh is once every 5 years, but our students’ tech refresh is EVERY birthday, Christmas,…

▪Teachers and Students want to bring in their own mobile devices

▪Teachers want to move around the school whilst remaining connected to access school resources and systems

▪Students want access to voice, video, internet everywhere

▪Applications are moving to the Internet, driving the need for up-to-date client devices

Are You Ready For BYOD?

Mixed device Environment?

Which Wi-Fi Solution?

Authentication & Security

At what Cost Today/Tomorrow?

How to Deploy & Manage?

What if I don’t want to?

Challenges Of BYO “Devices”

▪Another distraction for the overloaded IT team

▪Different types of device hardware

▪ Maybe a small form factor is not suitable for the application or content (small screen, fiddly controls,…)

▪Different types of device OS and browsers

▪ May lead to incompatibility with applications or content

▪Can’t connect to the Wi-Fi network…

▪ Who deals with it - the teacher, the IT department?

▪Please Ms., I have forgotten my device; it’s broken; the battery is flat…

▪ The modern-age excuse for skiving lessons???

▪ If the device is critical to delivering the lesson then can BYOD be effectively used with any device type?

▪Oh, and of course the little matter of Security…


Scoping The BYOD Deployment

▪Teachers BYOD only?

▪Teachers and Students BYOD?

▪School managed BYOD?

▪ Standardise the BYOD device type, offer a financing package and manage it as a school asset when it’s on the school network

▪Basic or sophisticated BYOD provisioning and NAC?

▪ Use the network provisioning and security features or overlay with a “best of breed” solution such as Bradford or Cloudpath

BYOD Deployment


BYOD Must Haves…


Defining The SSID Structure

▪School SSID

▪ School owned / managed devices with access to all resources: printers, applications, file shares

▪Guest Visitor SSID

▪ Non-school owned devices with access only to the internet

▪BYOD SSID

▪ Non-school owned / managed devices needing Internet access and specified school resources

▪Sub-SSID

▪ Teacher and student SSID may be further sub-divided to provide more granular control of access and resources

The BYOD SSID

▪Educate Teachers and Students on being responsible mobile device users

▪ Keep anti-virus/malware applications current

▪ Avoid the “scam du jour”

▪ Provide information on safe use of the Internet and e-mail

▪BYOD Activation

▪ Restrict the BYOD activation SSID to a designated area that is supervised, i.e. the library

Form a process for dealing with BYOD

Wireless Features To Support BYOD

▪Multiple SSID deployable per AP

[Figure: a Reception AP, a Classroom AP and a Library AP, each broadcasting several SSIDs mapped to VLANs: “Guest” VLAN 10, “Student” VLAN 20, “Teacher” VLAN 30, “BYOD-Prov” VLAN 40.]

▪Zero-IT / Dynamic-Pre Shared Key

▪ “Over the Air” provisioning of WLAN security parameters and a unique 8 to 63 byte D-PSK on the device

▪ User can be forced to authenticate for ZERO-IT

▪ IT admin can bulk generate D-PSK

▪ Deletion of D-PSK will prevent WLAN access by that device

▪ Supports popular OS such as Windows, Apple OS-X/iOS and Android
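The D-PSK behaviour listed above (a unique 8 to 63 byte key per device, bulk generation, and loss of access once the key is deleted), modelled as an added Python example; it is not Ruckus code, and `DpskRegistry`, its method names and the SSID name are assumptions made for the sketch. The PMK derivation is the standard WPA2-Personal PBKDF2 step.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SSID = "BYOD"  # assumption: SSID name picked for this sketch


def generate_dpsk(length=20):
    """Random passphrase inside the 8 to 63 byte range given on the slide."""
    if not 8 <= length <= 63:
        raise ValueError("D-PSK length must be 8 to 63 bytes")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_pmk(passphrase, ssid=SSID):
    """WPA2-Personal derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class DpskRegistry:
    """Hypothetical controller-side table: one key per device, indexed by MAC."""

    def __init__(self):
        self._pmk_by_mac = {}

    def bulk_generate(self, macs, length=20):
        """Issue a unique key per MAC; returns {mac: passphrase} to provision."""
        issued = {mac.lower(): generate_dpsk(length) for mac in macs}
        for mac, psk in issued.items():
            self._pmk_by_mac[mac] = derive_pmk(psk)
        return issued

    def authorise(self, mac, passphrase):
        """Simplified check; a real AP verifies the handshake MIC from the PMK."""
        expected = self._pmk_by_mac.get(mac.lower())
        if expected is None:
            return False  # unknown or revoked device
        return hmac.compare_digest(expected, derive_pmk(passphrase))

    def revoke(self, mac):
        """Deleting the entry blocks this device only; other keys stay valid."""
        return self._pmk_by_mac.pop(mac.lower(), None) is not None
```

Because each device holds its own key, a passphrase copied from one device does not authorise another, and revoking one device needs no re-keying of the rest of the WLAN.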

Wireless Features To Support BYOD

▪Guest Access and Captive Web Portal

▪ Guest Access WLAN generally requires a Guest Pass Key generated by Admin/Reception

▪ Guest can have unauthenticated access and simply accept T&C

▪ Captive Portal supports authentication to AD, Radius and LDAP

Wireless Features To Support BYOD

▪Role Based Controls using Authentication Server Groups

▪ Specify which user groups can access which WLAN

▪ Limit who can generate Guest SSID Pass Keys

▪ Control Admin access to the WLAN controller

▪Client Isolation

▪ Blocks client-client communication on the WLAN to prevent MiM / Snooping attacks

▪Access Control Lists

▪ L3/L4 destination rules

Wireless Features To Support BYOD

▪Device OS/Host name identification

▪BYOD Device Policies by OS/device type

▪ Permit / Deny access

▪ Assign to VLAN

▪ Apply Rate Limit

Wireless Features To Support BYOD

▪WiPS - Rogue device detection and containment

▪ Detect and classify different Rogue device types: AP, SSID / MAC spoofing, Ad-Hoc

▪ De-authenticate clients from Rogue device

▪ Rogue DHCP server detection

▪Time based WLAN availability

▪ Simple to use 7 day WLAN scheduler

▪Dynamic-VLAN

▪ Dynamically assign the user’s VLAN based on the user’s RADIUS attribute

▪ Can also be used in a NAC environment such as Bradford for placement into an isolated remediation VLAN

▪Web Proxy Auto Discovery (WPAD) support

BYOD NAC Solutions

Got Budget? Then Add NAC

▪School SSID

▪ School owned devices with access to all resources: printers, applications, file shares

▪Guest Visitor SSID

▪ Non-school owned devices with access only to the internet

▪BYOD SSID

▪ Non-school owned devices needing Internet access and specified school resources

▪Sub-SSID

▪ Teacher and student SSID may be further sub-divided to provide more granular control of access and resources

▪BYOD SSID with NAC

▪ Non-school owned devices needing Internet access and specified school resources under full NAC policy

Adding NAC To Your BYOD SSID

[Figure: NAC functions arranged under Prevent, Control and Detect, across the Preconnect and Postconnect phases: End Point Integrity, Authentication, Application Intelligence, Encrypted Access Control, Signature-based IPS, Traffic Anomaly, User Activity Visibility, Stateful ID-based Firewall.]

What’s Needed In NAC

▪Identify: Identify every user and device on the network

▪Validate: Validate security posture of devices

▪Notify: Notify through automated alerts/messages

▪Remediate: Remediate non-compliant devices

▪Enforce: Dynamically enforce security policies

▪Audit: Log and report for regulatory compliance

CONTROL

Solve Real-World Security Challenges

Dealing With Density

OK… You’ve Implemented BYOD

But.. multiple devices per user – so how does your wireless scale??

Dealing With Density

Band Steering for High Capacity Environments

Dual-band 802.11n

• Steers clients to 5GHz by withholding probe and auth responses on 2.4GHz

• Doesn’t steer clients below RSSI threshold set per WLAN

• Client table in each AP tracks

  • Client probe requests per band

  • Avg. RSSI per band over last minute

  • Dual band support

• Table checked before responding to client

Before Band Steering: 5GHz – 3 (18%), 2.4GHz – 14 (82%)

After Band Steering: 5GHz – 14 (82%), 2.4GHz – 3 (18%)
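The band-steering decision described on this slide, written out as an added Python example; it is a model of the bullets, not Ruckus code. `BandSteeringTable`, the -70 dBm default and the choice to compare the threshold against the client's 5GHz RSSI are assumptions, since the slide only says the threshold is set per WLAN.

```python
import time
from collections import defaultdict, deque

WINDOW_S = 60  # "Avg. RSSI per band over last minute"


class BandSteeringTable:
    """Per-AP client table (hypothetical model of the slide's description)."""

    def __init__(self, rssi_threshold_dbm=-70):
        # assumption: threshold value; the slide only says it is set per WLAN
        self.rssi_threshold_dbm = rssi_threshold_dbm
        self._probes = defaultdict(lambda: {"2.4": deque(), "5": deque()})

    def record_probe(self, mac, band, rssi_dbm, now=None):
        """Log one probe request heard from `mac` on `band` ("2.4" or "5")."""
        now = time.monotonic() if now is None else now
        self._probes[mac][band].append((now, rssi_dbm))

    def _recent(self, mac, band, now):
        q = self._probes[mac][band]
        while q and now - q[0][0] > WINDOW_S:
            q.popleft()  # drop samples older than the one-minute window
        return q

    def avg_rssi(self, mac, band, now):
        q = self._recent(mac, band, now)
        return sum(r for _, r in q) / len(q) if q else None

    def should_respond(self, mac, band, now=None):
        """Checked before answering a probe or auth request from `mac`."""
        now = time.monotonic() if now is None else now
        if band == "5":
            return True  # never withhold on the preferred band
        rssi_5 = self.avg_rssi(mac, "5", now)
        if rssi_5 is None:
            return True  # not heard on 5GHz recently: treat as 2.4GHz-only
        if rssi_5 < self.rssi_threshold_dbm:
            return True  # too weak to steer; serve the client on 2.4GHz
        return False  # dual-band and strong enough: withhold to steer to 5GHz
```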


Wi-Fi Stress Test

KEY EVALUATION CRITERIA

▪Latency when logging in

▪Coverage area

▪Concurrent user support

▪Ease of deployment and configuration

▪Performance as device rotates

A single ZoneFlex 7962 handled 78 concurrent MAC/PC clients streaming Flash-based video

What is the Big Difference?

THEM: Fixed 1:1 relationship between Wi-Fi radios and antennas

US: Dynamic 1:many relationship between Wi-Fi radios and antennas

Adaptive Polarization Diversity

▪ Better reception (PD-MRC) for weak and hard to “hear” devices

▪ Better transmission to devices constantly changing their orientation

Device orientation accounts for up to 5x performance differential among products

[Figure: VERTICAL POLARIZATION vs. HORIZONTAL POLARIZATION, labelled “5x”.]

Not All Wi-Fi Is Created Equal

AP models: Ruckus 7363, Cisco 3500, Aruba 125, HP 460, Meraki 24, Apple Extreme.

[Figure: four bar charts comparing the Ruckus, Meraki, HP, Cisco, Aruba and Apple APs. Panels: Downlink Mbps (1 client, 100’, 2.4 GHz, no interference); Uplink Mbps (1 client, 70’, 5 GHz, line of sight); Aggregate Bi-Directional Mbps (60 clients, 5 GHz, 75% downlink, 25% uplink); Aggregate Uplink Mbps (60 clients, 5 GHz). Other labels: “Non Line of Sight”, “Beating Interference”, “Failed to Finish” (twice).]

Best 3x3:3 Performance In Its Class

Up to 4X faster than competitors across all distances

[Figure: bar chart “2.4/5GHz Simultaneous, Single Client TCP Throughput (Mbps)” at 30’, 60’ and 120’ for AP 135, ZF 7982, MR-24, Aironet 3602i and AP-330, with a map of test locations (AP, 5GHz, 2.4GHz).]

Tester: Ruckus

Location: Metropolitan university

Laptop: Apple MacBook Pro (3-stream)

OS: 10.7.2

Test Tool: IxChariot (TCP)

Test runs: 60 seconds

Bands: 2.4 / 5GHz

A Few Words About Ruckus

Ruckus is 100% Wireless

Founded: 2004, Sunnyvale, CA

Innovation: Enterprise and Carrier Wi-Fi

Customers: 8,000+

Employees: 450+ in 20 countries

R&D Centers: Sunnyvale, China, Taiwan, India, Israel

Capitalization: $51 million

Investors: Sequoia, Sutter Hill, Motorola, T-Ventures, Focus Ventures, Telus

Patents: 47 granted (80 pending)

Units shipped: 3 million and counting

Markets: Carrier/enterprise infrastructure

[Figure: EMPLOYEE BREAKDOWN pie chart with segments R&D, Support, Sales and Marketing, Administration; values shown: 57%, 18%, 10%, 15%.]

Sample UK Education Customers

Chesterfield College

Woking College

King George V & Birkenhead Colleges

Royal College of Music

Royal College of Arts

Sherborne Boys School

Harrow and Eton Independent Schools

Highworth Girls Grammar School

Bradford University Halls of Residence

And 3,000+ more…

ZONEDIRECTOR Family of Scalable Controllers

1100 Series

▪ APs: 6-50 APs

▪ Clients: 1250

▪ Size: Desktop/rack

▪ WLANs 128

▪ App: SMB

▪ Price: $1.2K and up

3000 Series

▪ APs: 25-500 APs

▪ Clients: 10,000

▪ Size: 1U rack mount

▪ WLANs 1024

▪ App: Medium enterprise

▪ Price: $6K and up

5000 Series

▪ APs: 100-1,000 APs

▪ Clients: 20,000

▪ Size: 2U rack mount

▪ WLANs 2048

▪ App: Large enterprise, service provider

▪ Price: $35K and up

[Figure labels: Small, Medium, Large]

Broadest Wi-Fi AP Portfolio

[Figure: AP models arranged by INDOOR / OUTDOOR and by LOW END / MIDRANGE / HIGH END.]

▪ZoneFlex 7762: Dual-band 802.11n, 3x3:2

▪ZoneFlex 7761-CM: Dual-band 802.11n, 3x3:2

▪ZoneFlex 7762-S: Dual-band 802.11n, 3x3:2

▪ZoneFlex 7762-AC: Dual-band 802.11n, 3x3:2

▪ZoneFlex 7982: Dual-band 802.11n, 3x3:3

▪ZoneFlex 73xx: Dual-band 802.11, 2x2:2

▪ZoneFlex 7962: Dual-band 802.11n, 3x3:2

▪SmartCell 8800: Dual-band 802.11n, 3x3:3

▪ZoneFlex 7731: P-T-M-P 5GHz 802.11n

▪ZoneFlex 2942: 802.11g

▪ZoneFlex 7025: 2.4GHz 802.11n, 1x1:1

▪ZoneFlex 7321: 2.4GHz or 5GHz 802.11n, 2x2:2