-
Enterprise Wireless Network Security Solution
Eric Wu / 吳章銘, Technical Director, Greater China. China: +886-1391-0819920; Taiwan: +886-933889776; [email protected]
-
Gridding the Enterprise, Page 2
Agenda
- Aruba Profile
- WLAN Solution Evolution
- RF Site Planning Tools (3+1)
- RF Optimization – Dynamic Tuning of RF Settings
- RF Triangulation Location-Based Services
- Wireless Security Control
- Personalized Services and Security for Users, Devices, and Applications
- Aruba Product Line
-
Aruba Snapshot
Founded: February 2002
Status: Privately held
Funding: $84M in four rounds
Investors: Matrix, Sequoia, Trinity, WK Technology Fund
Revenue: First 6 quarters have exceeded comparables of NetApp, NetScreen, and Foundry
Innovations: Mobility controllers
Customers: 1200+ (adding over 100/quarter)
Employees: 200 and counting
Markets: Intersection of wireless, security and mobility
-
Managing Growth
Dominic Orr, President and CEO (Nortel, Alteon, Bay Networks, HP)
Keerti Melkote, Co-Founder and VP, Marketing (Nortel/Shasta, Tahoe Networks, Cisco, Intel)
Pankaj Manglik, Co-Founder and VP, Product Mgmt. (Alteon, Cisco, Instel)
Merv Andrade, CTO (Cisco, Bombay Stock Ex)
Duston Williams, CFO (Rhapsody, Western Digital)
Dave Butler, VP, Sales (FORE Systems)
-
Enterprise WLAN Challenges
- OPEX of AP management
- RF spectrum management
- Large scale deployments
- Security issues and upgrades
- Mobility across access points
- Rogue access points
Three Problems Aruba Set Out to Solve: Voice over Wireless LANs, Security Issues, Mobility Issues, Battery Life
-
WLAN Solution Evolution
-
Fat/Smart Access Points Solution
[Diagram: Fat/Smart APs on the 802.11 network, powered over PoE from a campus L2 switch on the corporate backbone; the wired network carries the traffic. The design is access-point centric, with each AP loaded with the WLAN features: security, QoS, VPN termination, 802.11 MAC and 802.11 radio. Example: Cisco Aironet (IOS).]
Fat/Smart Access Point: single-CPU architecture loaded with all the WLAN features and functions.
-
WLAN Switching - Appliance Model
[Diagram: Floors 1 to 4, each with fit APs on PoE Ethernet switches, uplinked through the LAN backbone to the corporate backbone; the wired network carries the traffic and a WLAN appliance holds the WLAN management intelligence. Encryption/decryption (WEP, TKIP, AES) is still performed in the full/fit 802.11 AP.]
WLAN appliances, most notably Vernier, BlueSocket, ReefEdge and Cranite:
- Lack intelligent RF management
- No wireless intrusion detection/protection
-
Pioneered WLAN Switch Architecture
Centralized Architecture Solves Security and TCO for WLANs
[Diagram: "Thin" access points keep only the 802.11a/b/g radios and antennas; policy, mobility, forwarding, encryption, authentication and management move into the centralized WLAN switch, in contrast to "Fat" access points that carry all of these functions themselves.]
-
Centralized Encryption/Decryption - End-to-end Secure Communication
[Diagram: with the Aruba switch, the encrypted 802.11 packet is GRE-encapsulated by the AP and stays encrypted across the GRE tunnel to the WLAN switch, which decrypts it and forwards a normal Ethernet packet. With a fat/fit AP, the packet is encrypted only over the air; the AP decrypts it and it travels unencrypted across the wired network to the WLAN appliance or server.]
-
Traditional Wireless LANs: Complex Integration Process
[Diagram: a campus network with core, data center, distribution and access layers serving Floor 1 and Floor 2, with separate Employee and Guest VLANs; the numbered integration steps below are spread across every layer.]
1. Add wireless VLANs everywhere
2. WLSE for AP and RF management
3. Configure RADIUS every time you add an AP
4. Upgrade IOS for 802.1x fast roaming
5. WLSM blade for inter-VLAN mobility
6. Firewalls and VPN blades for security
-
Aruba Network Architecture: Existing Network is a No Touch Zone
[Diagram: the same campus network (core, data center, distribution, access, Floor 1 and Floor 2, Employee and Guest VLANs) left untouched; an Aruba switch with a standby unit is added as an overlay.]
IP-Based Tunneled Architecture Proves Most Successful Overlay Model
-
RF Site Planning Tools
-
Before Aruba… Site Surveys
- Expensive
- Optimizing for coverage, not capacity
- Time consuming: about 2 hours for 802.11b/g and another 2 hours for 802.11a
- Never finished: need to repeat every 3 months, if adding APs, and if neighbors add APs
- Not real-time, just a snapshot
- Required for location tracking using "RF Fingerprinting"
-
RF Plan
-
Phase Two Planning: Setting Channels
-
Phase Three Planning: Setting Output Power
-
No more site surveys…
Dynamic Heat Maps
- Place the APs on a floor plan and see the results in real time
- Significantly reduce labor costs by eliminating manual walkabouts for RF fingerprinting
- Automatic location tracking
Real-time views on:
- Signal-to-Noise Ratio (SNR)
- Interference
- Coverage at specific data rates
- Layered views for comprehensive visualization
- Views of cross-floor RF leakage
-
RF Optimization –Dynamic Tuning Of RF Settings
-
Self-Healing Wi-Fi
[Diagram: the WLAN switch detects an AP failure; the failed AP is marked with an x.]
-
Self-Healing Wi-Fi
• Switch automatically reconfigures APs to extend coverage and compensate
• Plug and Play: APs download the original config
-
Load Balancing Wi-Fi Connections
[Diagram: stations 1, 2 and 3 are moved to another AP to balance the load.]
-
RF triangulation location based services
-
Removing Rogue Access Points
[Diagram: air monitors hear the rogue AP and the switch locates it on the floor plan.]
-
RF Locate
-
Aruba 800 Switch and Aruba 52 Access Points Test Report
Author: 陳世揚, ITRI/NCTU Network Benchmarking Lab. The Aruba Networks solution aims to make enterprises more willing to adopt WLAN equipment: it centrally manages many APs and provides dynamic RF capability, security control and IDP capability. The Aruba 800 and Aruba 52 that NBL evaluated this time indeed showed us where they excel.
NBL Review Highlights
1. Graphical RF planning; its APM can dynamically configure channel and power level
2. RF heat maps (equal-signal-strength coverage maps) show the AP deployment in real time
3. Identifies dangerous APs and detects ad-hoc, wireless bridge and many kinds of attacks
4. Locates wireless devices to within a 3-meter range
5. Applies controls such as location, time, bandwidth contract and application protocol according to identity
6. Supports seamless roaming of WPA connections, even during switch failover
-
Wireless Intrusion Detection
Intrusion Detection and Prevention: hackers can trap users, grab data and pretend to be valid users.
-
Classification
[Diagram: a corporation running Aruba WIDS on its backbone, a neighboring company or public hotspot, and a parking lot; every AP heard is classified as Valid, Interfering or Rogue.]
-
Safety with Aruba (Rogue Prevention)
- AP detection: see all APs
- AP classification: are they neighbors, or are they a threat?
- Rogue destruction: stop users from accessing rogue APs and leave neighbors alone
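The detect / classify / destroy sequence above, written out as an added classification routine (example code, not Aruba's): a BSSID in the switch's own inventory is valid; a stranger whose wired-side MAC shows up on our backbone (an assumed adjacent-MAC heuristic) or that advertises one of our SSIDs is a rogue to contain; anything else is a neighbor to leave alone. All MACs, SSIDs and the scan are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SeenAP:
    bssid: str   # BSSID heard over the air by an air monitor
    ssid: str    # network name it advertises

def _mac_int(mac):
    return int(mac.replace(":", ""), 16)

def wired_match(bssid, wired_macs, span=8):
    """Assumed WIDS heuristic (not Aruba's documented rule): an AP's wired-side MAC
    lies within a few addresses of its BSSIDs, so a backbone MAC that close means
    the radio we hear is plugged into our own network."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= span for m in wired_macs)

def classify(seen, authorized_bssids, wired_macs, our_ssids):
    """Map each heard BSSID to (classification, action):
      valid        our own AP, provisioned by the switch         -> none
      rogue        not ours but on our backbone, or advertising
                   one of our SSIDs (assumed evil-twin check)     -> contain
      interfering  neighbour or hotspot sharing only the air      -> ignore
    """
    auth = {m.lower() for m in authorized_bssids}
    verdicts = {}
    for ap in seen:
        b = ap.bssid.lower()
        if b in auth:
            verdicts[b] = ("valid", "none")
        elif wired_match(b, wired_macs) or ap.ssid in our_ssids:
            verdicts[b] = ("rogue", "contain")
        else:
            verdicts[b] = ("interfering", "ignore")
    return verdicts

# Constructed sample data: our AP inventory, MACs learned on the wired side,
# and what the air monitors heard during one scan.
AUTHORIZED = ["00:0b:86:aa:bb:10"]
WIRED_MACS = ["00:0b:86:aa:bb:0f", "00:11:22:33:44:01", "08:00:27:01:02:03"]
OUR_SSIDS = {"corp-wlan"}
SCAN = [
    SeenAP("00:0b:86:aa:bb:10", "corp-wlan"),   # our own AP
    SeenAP("00:11:22:33:44:05", "linksys"),     # its wired MAC ..44:01 is on our backbone
    SeenAP("00:1c:10:9a:9b:9c", "cafe-free"),   # neighbour, never seen on our wire
    SeenAP("00:1c:10:9a:9b:9d", "corp-wlan"),   # stranger advertising our SSID
]

def report(scan=SCAN):
    return classify(scan, AUTHORIZED, WIRED_MACS, OUR_SSIDS)
```

Calling report() yields one verdict per heard BSSID; only the two rogues carry the "contain" action, the neighbour stays untouched.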
-
Per Role, User, Device: Firewall, QoS, Bandwidth Contracts
-
Enabling Policy-based Network Access
Custom Service Delivery Based on Who, What, When, Where and How
- Identity aware: I am Matt Green, the employee
- Device aware: I am Matt Green with a laptop with no viruses or worms
- Resource aware: I am Matt Green with a laptop using VoIP
- Time aware: I am Matt Green with a laptop using a soft phone at 1:40 p.m.
- Location aware: I am Matt Green with a laptop using a soft phone at 1:40 p.m. in the clinic
-
Intelligent Secure Access Edge Switch
Web Authentication
- Authenticate users via web-based portal
- Redirects all client logons to web page
- Capture guest user access
- Customizable web page
- Built-in internal user database
- Works with external AAA servers
-
Managing & Tracking Wireless Devices
-
Seamless Mobility and Role-based Secure Access Control
Authentication and Role Assignment
- 802.1X – PEAP, TTLS, TLS
- Browser-based captive portal
- VPN – IPsec, PPTP
- Interoperable with existing RADIUS, LDAP & RSA SecurID
[Diagram: user John Doe roams across the wired intranet from Subnet A to Subnet B (fast roaming) and keeps the same session: role Employee, authentication RSA SecurID, firewall policy "Don't allow on Finance Subnets".]
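The who/what/when/where/how context and the role-based firewall policy from the slides above, as an added example (not Aruba's code): a role is assigned from the authentication method and device posture, then a per-role first-match rule list is evaluated for each flow. The Finance subnet, the clinic hours and the Matt Green session are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data, not Aruba's: the Finance subnets the slide's
# "Don't allow on Finance Subnets" rule protects, and the intranet as a whole.
FINANCE = [ip_network("10.20.0.0/16")]
INTRANET = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Context:          # who / how / what / where / when for one flow
    user: str
    auth: str           # "802.1x", "captive-portal" or "vpn"
    device_clean: bool  # posture check: no viruses or worms
    app: str            # "voip", "http", ...
    location: str       # e.g. "clinic"
    now: str            # wall-clock "HH:MM"
    dst: str            # destination IP of the flow

def assign_role(c):
    """Role follows from authentication method and device state."""
    if c.auth == "captive-portal":
        return "guest"
    return "employee" if c.device_clean else "quarantine"

def to_finance(c):
    return any(ip_address(c.dst) in net for net in FINANCE)
def voip_in_clinic_hours(c):
    return c.app == "voip" and c.location == "clinic" and "08:00" <= c.now < "18:00"

# Per-role rule lists: (predicate, verdict); first match wins, default deny.
RULES = {
    "employee": [(to_finance, "deny"),                    # the slide's Finance rule
                 (voip_in_clinic_hours, "allow"),         # soft phone: where + when
                 (lambda c: c.app == "voip", "deny"),
                 (lambda c: True, "allow")],
    "guest": [(lambda c: ip_address(c.dst) in INTRANET, "deny"),  # Internet only
              (lambda c: c.app in ("http", "https"), "allow")],
    "quarantine": [],                                     # infected device: nothing passes
}

def decide(c):
    """(role, verdict) for one flow, as the mobility controller would enforce it."""
    role = assign_role(c)
    for pred, verdict in RULES[role]:
        if pred(c):
            return role, verdict
    return role, "deny"

# Constructed session mirroring the Matt Green slide: soft phone, clinic, 1:40 p.m.
MATT = Context("Matt Green", "802.1x", True, "voip", "clinic", "13:40", "10.5.1.10")
```

decide(MATT) allows the soft phone in the clinic; the same user reaching a Finance address, calling from another location, or arriving on an infected laptop is denied.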
-
RF TROUBLESHOOTING
-
Wireless RMON Statistics
Per-station and per-AP aggregate stats:
- Retry rates
- Error rates
- Fragmentation rates
- Bandwidth rates
Per-station/AP raw stats:
- Packet byte counts
- Frame size stats
- Protocol type stats
-
Remote troubleshooting
[Diagram: a site reached across the WAN; the request "I've got a performance problem, start capturing packets" is handled from the central switch.]
-
SOHO and Road Warrior Access
Key Features
- Remote AP with Centralized and Distributed Termination (FlexMAC™)
- Multi-SSID Support
- Remote Site Survivability
- Wired Port Tunneling (AP70)
- Plug and Play
- NAT Traversal
- Mobile Edge Client
[Diagram: a remote AP at the remote location, connected to any Ethernet port with an Internet connection, tunnels across the Internet to the mobility controller at corporate HQ; Employee, Guest, Corp and Voice SSIDs map to the corporate network, guest Internet access in the DMZ, and Internet services. All security policies are centrally defined and enforced at the mobility controller.]
-
Key Points of Enterprise Wireless Network Security Mechanisms
Wireless management
- Detects and locates wireless APs and wireless NIC users, displayed graphically
- Bandwidth management: the usable bandwidth can be set per user account
- Three-dimensional site survey tool: supports multiple floors and automatically suggests wireless AP placement
- Automatic channel selection: wireless APs can be made to choose channels automatically to reduce interference
Wireless network security
- System security authentication mechanism
- Wireless IDS/IPS
- Wireless firewall and VPN encryption
- Identifies legitimate, illegitimate and neighboring wireless APs in real time and effectively blocks the use of illegitimate wireless APs
- Supports security control of other vendors' wireless APs
- Built-in user database, with support for external RADIUS and LDAP authentication
Wireless application optimization
- Wireless AP load balancing, based on connection count and utilization
- Self-healing: automatically covers the signal range of a failed wireless AP
Other
- Wide-area roaming
- HA redundancy architecture
-
Q & A: You're Not Alone…
-
Product Line
-
Aruba Mobility Controller Family: Same Value Proposition Across All Platforms
Performance & Capacity (800MB – 8GB full feature), from the Aruba 200 through the 800 and 2400 to the 6000
Scalable and Flexible:
- 200: 6 APs
- 800: 4 and 16 AP options
- 2400: support for 48 APs
- 6000: scales from 48 to 512 APs
Full Redundancy Options
Single Mobility Network: up to 32,000 Access Points
-
Scalability and Performance

Model              Aruba 5000/6000   Aruba 2400   Aruba 800   Aruba 200
Deployment         Campus            Building     Branch
Size               3U                1U           1U          1U
Access Points      256/512           48           4 or 16     6
Users              4096/8192         512          256         100
Clear text         8 Gbps            2 Gbps       1 Gbps      1 Gbps
Encrypted (3DES)   7.8 Gbps          760 Mbps     380 Mbps    200 Mbps
-
Wireless Access Point Family: Same Value Proposition Across All Applications
[Diagram: the AP 41, AP 60/61, AP 65, AP 70 and AP 80M arranged from low end / low cost to high end / high feature, with integral or detachable antenna versions.]
- Single Band (802.11a or b/g) or Dual-Band (802.11a/b/g)
- Auto-Discovery (Plug'n'Play)
- Multi-Service: multi-band wireless AP, remote AP, branch office AP, air monitor
- Centrally Managed: RF parameters, security parameters, service definition, version management, regulatory domain
-
Aruba Access Point Family
Single Radio
- Software configurable 802.11a or b/g
- AP / Air Monitor / Remote AP
- Ideal for dense office, home office and/or air monitor deployments
- Internal or external antenna options
- Low cost
Dual Radio
- Dual-radio 802.11a/b/g
- Ideal for campus / remote / branch office AP
- High availability features (AP70)
- Wired and wireless security (AP70)
- Extensible USB interface port (AP70)
Outdoor APs
- Dual-radio 802.11a/b/g
- AP or WDS bridge (point-to-point & multi-point)
- Fully environmentally-hardened design: desert, snow, rain, harsh environment
-
Aruba Mobility Management System: Software Distributed or Embedded on MMS Appliance
Mobility Management System Software
• Dashboard view of entire network
• Monitoring with "drag and drop"
• Flexible reporting
• RF planning and visualization
• Location tracking
• Supported on Intel server running RedHat Linux
Mobility Management System Appliance MM-100
• High performance dual Intel Xeon processors
• Dual network interfaces
• High-availability RAID storage
• Mobility Management System software pre-installed
[Diagram: the MMS software and the MM-100 appliance provide centralized, scalable monitoring, data collection and reporting.]
-
Why Aruba?
• Simple Deployment and Management
  • Access Point Density (Performance)
  • Structured Deployment (Out of Ceiling)
  • Centralized Operations
• Most Secure Solution
  • Wireless Intrusion Detection & Prevention
  • Integrated Policies – Identity, Encryption, Resource, Application, Location, Time, …
  • Centralized Encryption and Enforcement
• Enterprise-Class Resiliency
  • Modular, Scalable Controller Platform
  • High-Availability Architecture
  • Programmable for Future Services
-
Broad Market Acceptance: Over 1000 Enterprise Customers Worldwide
High Tech 400+, Education 80+, Healthcare 150+, Government 50+, Financial 40+, Other 20+
[Customer logos shown include Novell.]
-
Q & A: You're Not Alone…