Confidential 2009
May 2009
Building a Secure Multi-Service Wi-Fi Network
Today’s WLAN Landscape
Yesterday’s WLAN
- Convenience WiFi
- Guest Access
- Nomadic Users
- Scanners & single mode voice
Problems
- Security
- Management
Today’s WLAN
- Client Explosion
- Mobile Apps
- 10 x Bandwidth
- Voice / FMC
- Location Services
- Mobile Employees
- All Wireless Access
Problems
- Security, Mgmt & Mobility
- Single Points of Failure
- Performance Limitations
- Scalability
- Cost
Users
Applications
Mobility
Flexibility
Productivity
Wi-Fi Infrastructure & Applications
- Contractor
- WiFi Tags
- Guest
- Real-time Location Tracking
- Voice over Wi-Fi
- Video Surveillance
- Business Productivity
- Wireless Bridging
- Enterprise Mesh
- Central Management
- AAA
- Wireless Branch
- WAN
- Outdoor Extension
- Ethernet Replacement
- 802.11n Migration
- Guest Access
- Secure Employee Access
- High Performance Campus
Delivering a secure multi-service “App Ready” infrastructure
Security
- WPA2/802.1X
- WIDS, Rogue Detection & Mitigation
- Directory and NAC integration
- Client Management
Per User Policy Enforcement
- User profiles and policy are used to “Virtualize” WLAN infrastructure
- User Profiles including security, QoS and access policy
Resource Management
- Prioritization – Voice
- BW limiting – student access
- Time of Day scheduling
Diagram labels: Trusted Client; Launching IP DoS attack; Voice Policy; Laptop Policy; Guest Policy; Quarantine; WMM; User Queues; DiffServ; Guest; Administrator
Device Types
- Laptops, Scanners, Tags, Wi-Fi Phones, Tablets, IV Pumps
User Types
- Guests, Employees, Doctors, Nurses, Contractors, Teachers, Students
Traffic Types
- Voice, Video, Data
Improving Network & Application Performance
Figure (airtime over Time; panels "2 Fast Clients" and "1 Slow Client, 1 Fast Client"): With Contention, Fast Clients Wait for Airtime and Perform Like the Slowest Client
Figure (airtime over Time; panels "2 Fast Clients" and "1 Slow Client, 1 Fast Client"): Dynamic Airtime Scheduling Allows Fast Clients to Transmit more Packets, Finish Quickly and Free Up the Air for the Slow Clients
Figure (Throughput vs. Airtime Capacity; Fast Client, Slow Client): Speed of the network is subject to the slowest client
Figure (Throughput vs. Airtime Capacity; Fast Client, Slow Client): Faster clients dramatically improve their performance without impacting slower clients (10x faster)
Airtime Scheduling / Fairness Results
6 x .11a/n clients - n@270M, n@108M, n@54M, a@54M, a@12M, a@6M (Upstream, IxChariot)
Figure (Goodput Kbps vs. Time (s)), Without Dynamic Airtime Scheduling:
- n@270M, n@108M, n@54M, a@54M, a@12M, n@6M: ~ 100 Seconds
Figure (Goodput Kbps vs. Time (s)), With Dynamic Airtime Scheduling:
- n@270M - 10sec ~ 10x performance improvement
- n@108M - 15sec ~ 6x performance improvement
- n@54M - 30sec ~ 3x performance improvement
- a@54M - 35sec ~ 2.5x improvement
- a@12M - 65sec ~ 1.5x improvement
- a@6M
Voice Features
Voice Classification
– Application Layer Gateway detects dynamic ports
Voice Resiliency
– Proactive Session Synchronization
– Call Admission Control
Voice Quality
– Strict Priority Queuing
– WMM
– Policing
Battery Life Improvements
– WMM Power Save/U-APSD
Voice Reporting
Diagram labels: Call Begins; SIP dynamic ports detected; SIP Session information proactively sent to neighboring APs
Reducing risk with wired-like resilience
Eliminate Single Points of Failure
Path Resiliency
– Mesh Failover, Dual homed Ethernet
Branch Survivability
– AAA caching
Diagram labels: WAN; WLAN Management; AAA; Functional WLAN
Reducing Capex and Opex costs
Less Infrastructure Cost
– Wi-Fi access and mesh Wi-Fi reduces cabling
– Leverage existing switches
Reduced operational cost with centralized policy-based management
– Easy to use, policy-based mgmt simplifies large deployments
– Intuitive web management with wizards to manage simple networks
– Role-based guest mgmt delegation
Role Based Administration
WLAN Manager Device Life Cycle
Policy Design & Configuration
- WLAN Policies: Hive, Services, WLAN Mappings (SSID), Ethernet Access, Backhaul, QoS
- Security Policies: DoS Prevention, Firewall, Rogue Detection, Filters
- Authentication: AAA client settings, LDAP Settings, Captive Web Portal
- Administration Management: Admin Groups, Administrators
Monitoring & Maintaining
- Reporting: Summary, Radio, SSID, Client, Security, Inventory
- Active & Rogue Clients: MAC/IP Address, Host/User Name, HiveAP Name/MAC
- Fault Events & Alarms: Severity, Date, Description
- HiveAP Status: HiveAP name, type, # of clients, uptime, OS version
Upgrading & Adjusting
- New WLAN Policies: User Profiles, Services (Applications)
- Certificate & Key Updates: Upload Captive Web Pages and Keys, Upload AAA Certificates & Keys
- SW & Config. Updates: Upload & Activate Config, Upload & Activate SW
- HiveManager Operations: Backup Database, Update SW, Tech Support Data
Summary
Qualities of a Modern Wireless LAN Infrastructure
• A future-proofed secure multi-service infrastructure
• Increased network and application performance
• Reduced risk with wire-like resiliency
• Reduced capital and operational cost