Enterprise Wireless Network Security Solution. Eric Wu (吳章銘), Technical Director, Greater China. China: +886-1391-0819920, Taiwan: +886-933889776, [email protected]


  • Gridding the Enterprise, Page 2

    Agenda

    - Aruba Profile
    - WLAN Solution Evolution
    - RF Site Planning Tools (3+1)
    - RF Optimization: Dynamic Tuning of RF Settings
    - RF Triangulation Location-Based Services
    - Wireless Security Control
    - Personalized Services and Security for Users, Devices, and Applications
    - Aruba Product Line

  • Page 3

    Aruba Snapshot

    - Founded: February 2002
    - Status: Privately held
    - Funding: $84M in four rounds
    - Investors: Matrix, Sequoia, Trinity, WK Technology Fund
    - Revenue: First 6 quarters have exceeded comparables of NetApp, NetScreen, and Foundry
    - Innovations: Mobility controllers
    - Customers: 1200+ (adding over 100/quarter)
    - Employees: 200 and counting
    - Markets: Intersection of wireless, security and mobility

  • Page 4

    Managing Growth

    - Dominic Orr, President and CEO: Nortel, Alteon, BayNetworks, HP
    - Keerti Melkote, Co-Founder and VP, Marketing: Nortel/Shasta, Tahoe Networks, Cisco, Intel
    - Pankaj Manglik, Co-Founder and VP, Product Mgmt.: Alteon, Cisco, Instel
    - Merv Andrade, CTO: Cisco, Bombay Stock Ex
    - Duston Williams, CFO: Rhapsody, Western Digital
    - Dave Butler, VP, Sales: FORE Systems

  • Page 5

    Enterprise WLAN Challenges

    - OPEX of AP management
    - RF spectrum management
    - Large-scale deployments
    - Security issues and upgrades
    - Mobility across access points
    - Rogue access points

    Three Problems Aruba Set Out to Solve: Voice over Wireless LANs, Security Issues, Mobility Issues, Battery Life

  • WLAN Solution Evolution

  • Page 7

    Fat/Smart Access Points Solution

    Diagram: Corp. Backbone / Wired Network, Campus L2 Switch, PoE, 802.11 Network (access-point centric, loaded with WLAN features), e.g. Cisco Aironet (IOS).

    Fat/Smart Access Point: single-CPU architecture loaded with all the WLAN features and functions (Security, QoS, VPN termination, 802.11 MAC, 802.11 Radio). Example: Cisco Aironet.

  • Page 8

    WLAN Switching - Appliance Model

    Diagram: Floors 1 to 4, each with Fit APs (PoE) on Ethernet switches, joined by a LAN backbone to the Corp. Backbone / Wired Network; the WLAN management intelligence sits in the appliance. The Full/Fit 802.11 AP still does Encryption/Decryption (WEP, TKIP, AES).

    WLAN appliances, most notably Vernier, BlueSocket, ReefEdge and Cranite:
    - Lack intelligent RF management
    - No wireless intrusion detection/protection

  • Page 9

    Pioneered WLAN Switch Architecture: Centralized Architecture Solves Security and TCO for WLANs

    Diagram: "Thin" access points (802.11a/b/g radios and antennas) connect to a centralized WLAN switch that holds Policy, Mobility, Forwarding, Encryption, Authentication and Management, in contrast to "Fat" access points.

  • Page 10

    Centralized Encryption/Decryption - End-to-end secure communication

    Diagram: the client's encrypted 802.11 packet is received by the Fat/Fit AP, GRE-encapsulated and carried, still encrypted, over a GRE tunnel to the WLAN appliance or server; only there is it decrypted and forwarded as a normal (unencrypted) Ethernet packet onto the wired network.
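To make the slide's data path concrete, here is an added Python example (not from the presentation or from Aruba's code) that strips a GRE header, extracts the tunneled 802.11 frame and checks that its Protected Frame bit is still set when it arrives at the controller; the point is that the AP forwards ciphertext and never needs the keys. The GRE protocol-type value and the sample frames are constructed placeholders; the Protected Frame bit position follows the 802.11 frame-control definition.

```python
import struct

# Placeholder protocol type for "tunneled 802.11 frame" (constructed for this
# example; the slide does not describe Aruba's real GRE encoding).
GRE_PROTO_80211 = 0x8200
FC_PROTECTED = 0x40  # 802.11 Frame Control flags byte: "Protected Frame" bit


def parse_gre(pkt: bytes):
    """Parse a minimal RFC 2784 GRE header; return (protocol_type, payload)."""
    if len(pkt) < 4:
        raise ValueError("short GRE header")
    flags_ver, proto = struct.unpack("!HH", pkt[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags_ver & 0x8000:  # C bit set: checksum + reserved1 fields follow
        offset += 4
    return proto, pkt[offset:]


def dot11_is_protected(frame: bytes) -> bool:
    """True when the frame's Protected Frame bit says the body is encrypted."""
    if len(frame) < 2:
        raise ValueError("short 802.11 frame")
    return bool(frame[1] & FC_PROTECTED)


def classify_tunneled(pkt: bytes) -> str:
    """What the controller sees on the tunnel: encrypted, cleartext or not-80211."""
    proto, inner = parse_gre(pkt)
    if proto != GRE_PROTO_80211:
        return "not-80211"
    return "encrypted" if dot11_is_protected(inner) else "cleartext"


def build_gre(inner: bytes, proto: int = GRE_PROTO_80211, checksum: bool = False) -> bytes:
    """Wrap a frame in a GRE header the way the AP would (constructed, no real checksum)."""
    flags = 0x8000 if checksum else 0
    return struct.pack("!HH", flags, proto) + (b"\x00" * 4 if checksum else b"") + inner


# Constructed 802.11 data frames: FC byte 0 = 0x08 (data), FC byte 1 = flags.
# 0x41 = To-DS | Protected; 0x01 = To-DS only. Addresses/sequence are zero filler.
PROTECTED_FRAME = bytes([0x08, 0x41]) + bytes(22) + b"<ccmp hdr + ciphertext>"
CLEARTEXT_FRAME = bytes([0x08, 0x01]) + bytes(22) + b"plaintext payload"

if __name__ == "__main__":
    for name, frame in (("protected", PROTECTED_FRAME), ("cleartext", CLEARTEXT_FRAME)):
        print(name, "->", classify_tunneled(build_gre(frame)))
```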

  • Page 11

    Traditional Wireless LANs: Complex Integration Process

    Diagram: Core / Data Center / Distribution / Access layers, Floor 1 and Floor 2, Employee and Guest VLANs. Integration steps:
    1. Add wireless VLANs everywhere
    2. WLSE for AP and RF management
    3. Configure RADIUS every time you add an AP
    4. Upgrade IOS for 802.1x fast roaming
    5. WLSM blade for inter-VLAN mobility
    6. Firewalls and VPN blades for security

  • Page 12

    Aruba Network Architecture: Existing Network is a No Touch Zone

    Diagram: the same Core / Data Center / Distribution / Access layers, floors and Employee/Guest VLANs as the previous slide, with a mobility controller and a standby unit overlaid and no changes to the existing network.

    IP-based tunneled architecture proves the most successful overlay model.

  • RF Site Planning Tools

  • Page 14

    Before Aruba… Site Surveys

    - Expensive
    - Optimizing for coverage, not capacity
    - Time consuming: about 2 hours for 802.11b/g and another 2 hours for 802.11a
    - Never finished: need to repeat every 3 months, if adding APs, or if neighbors add APs
    - Not real-time, just a snapshot
    - Required for location tracking using "RF Fingerprinting"

  • Page 15

    RF Plan

  • Page 16

    Phase Two Planning: Setting Channels

  • Page 17

    Phase Two Planning: Setting Channels (continued)

  • Page 18

    Phase Three Planning: Setting Output Power

  • Page 19

    No more site surveys…

    Dynamic Heat Maps: place the APs on a floor plan and see the results in real time; significantly reduce labor costs by eliminating manual walkabouts for RF fingerprinting.

    Automatic location tracking.

    Real-time views on:
    - Signal-to-Noise Ratio (SNR)
    - Interference
    - Coverage at specific data rates
    - Layered views for comprehensive visualization
    - Views of cross-floor RF leakage

  • RF Optimization: Dynamic Tuning of RF Settings

  • Page 21

    Self-Healing Wi-Fi

    Diagram: the WLAN switch detects an AP failure (failed AP marked with an X).

  • Page 22

    Self-Healing Wi-Fi

    • Switch automatically reconfigures APs to extend coverage to compensate
    • Plug and Play: APs download the original config

  • Page 23

    Load Balancing Wi-Fi Connections

    Diagram: clients 1, 2 and 3 are moved from a loaded AP to another ("Move 1, 2 and 3").

  • RF triangulation location based services

  • Page 25

    Removing Rogue Access Points

    Diagram: Air Monitors detect a Rogue AP; locate the rogue AP.

  • Page 26

    RF Locate

  • Page 27

    Aruba 800 Switch and Aruba 52 Access Point Test Report

    Author: 陳世揚, ITRI/NCTU Network Benchmarking Lab (NBL). The Aruba Networks solution is intended to make enterprises more willing to adopt WLAN equipment: it centrally manages many APs and provides dynamic RF capability, security control and IDP. The Aruba 800 and Aruba 52 that NBL evaluated this time indeed showed us their strengths.

    NBL Review Highlights:
    1. Graphical RF planning; the APM can dynamically assign channel and power level
    2. RF heat maps (equal-signal-strength coverage maps) show the AP deployment in real time
    3. Identifies dangerous APs and detects ad-hoc networks, wireless bridges and many kinds of attacks
    4. Locates wireless devices to within 3 meters
    5. Applies controls such as location, time, bandwidth contract and application protocol according to identity
    6. Supports seamless roaming of WPA connections, even under switch failover

  • Page 28

    Wireless Intrusion Detection

    Intrusion Detection and Prevention: hackers can trap users, grab data and pretend to be valid users.

  • Page 29

    Classification

    Diagram: the corporation's backbone (protected by Aruba WIDS), a neighboring company or public hotspot, and a parking lot. Detected APs are classified as Valid, Interfering or Rogue.

  • Page 30

    Safety with Aruba (Rogue Prevention)

    - AP detection: see all APs
    - AP classification: are they neighbors, or are they a threat?
    - Rogue destruction: stop users from accessing rogue APs and leave neighbors alone
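The detect / classify / respond sequence of these two slides, as an added Python example that is not part of the presentation or of Aruba's WIDS: each AP heard by an air monitor is classed as valid (ours), rogue (unknown but attached to our backbone) or interfering (unknown and only in the air), and only rogues get a client-blocking response. The authorized list, the wired bridge table and the observed APs are constructed sample data, and the BSSID-to-wired-MAC adjacency test is a simplified heuristic assumed for this example.

```python
from dataclasses import dataclass

@dataclass
class ObservedAP:
    bssid: str      # BSSID heard over the air by an air monitor
    ssid: str
    rssi_dbm: int

def _mac_to_int(mac: str) -> int:
    return int(mac.lower().replace(":", "").replace("-", ""), 16)

def on_corporate_wire(bssid: str, wired_macs: set, span: int = 8) -> bool:
    """Heuristic (assumed for this example, a simplification of wired-MAC
    correlation): an AP's Ethernet MAC usually lies within a few addresses of
    its radio BSSID, so if bssid +/- span hits the backbone bridge/ARP table,
    the AP is physically plugged into our network."""
    base = _mac_to_int(bssid)
    wired = {_mac_to_int(m) for m in wired_macs}
    return any(base + delta in wired for delta in range(-span, span + 1))

def classify(ap: ObservedAP, authorized: set, wired_macs: set) -> str:
    """valid = one of ours; rogue = unknown AP attached to our backbone;
    interfering = unknown AP only seen in the air (neighbor, hotspot)."""
    if ap.bssid.lower() in {a.lower() for a in authorized}:
        return "valid"
    if on_corporate_wire(ap.bssid, wired_macs):
        return "rogue"
    return "interfering"

def triage(observed, authorized, wired_macs) -> dict:
    """BSSID -> (class, response). Only rogues get client blocking; neighbors
    are left alone, which is the policy the slide calls for."""
    response = {"valid": "none", "interfering": "monitor", "rogue": "block-clients"}
    result = {}
    for ap in observed:
        cls = classify(ap, authorized, wired_macs)
        result[ap.bssid] = (cls, response[cls])
    return result

# Constructed inventory: our AP, a neighbor's AP, and an unauthorized AP that
# advertises our SSID and whose wired MAC (BSSID + 2) is in the bridge table.
AUTHORIZED = {"00:0b:86:a1:00:01"}
WIRED_MACS = {"00:0b:86:a1:00:01", "00:11:22:33:44:57", "00:50:56:00:00:10"}
OBSERVED = [
    ObservedAP("00:0b:86:a1:00:01", "CORP", -45),
    ObservedAP("00:1c:10:aa:bb:01", "NeighborNet", -80),
    ObservedAP("00:11:22:33:44:55", "CORP", -60),
]
```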

  • Per Role, User, Device: Firewall, QoS, Bandwidth Contracts

  • Page 32

    Enabling Policy-based Network Access: Custom Service Delivery Based on Who, What, When, Where and How

    - Identity aware: "I am Matt Green, the employee"
    - Device aware: "I am Matt Green with a laptop with no viruses or worms"
    - Resource aware: "I am Matt Green with a laptop using VoIP"
    - Time aware: "I am Matt Green with a laptop using a soft phone at 1:40 p.m."
    - Location aware: "I am Matt Green with a laptop using a soft phone at 1:40 p.m. in the clinic"

  • Page 33

    Intelligent Secure Access Edge Switch

    Web Authentication:
    - Authenticate users via web-based portal
    - Redirects all client logons to a web page
    - Capture guest user access
    - Customizable web page
    - Built-in internal user database
    - Works with external AAA servers

  • Managing & Tracking Wireless Devices

  • Page 35

    Seamless Mobility and Role-based Secure Access Control

    Authentication and Role Assignment:
    - 802.1X: PEAP, TTLS, TLS
    - Browser-based captive portal
    - VPN: IPsec, PPTP
    - Interoperable with existing RADIUS, LDAP and RSA SecurID

    Diagram: a user roams between Subnet A and Subnet B of the wired intranet with fast roaming, and the same record follows them: Username John Doe, Password, Role Employee, Authentication RSA SecurID, Firewall Policy "Don't allow on Finance Subnets".

  • RF TROUBLESHOOTING

  • Page 37

    Wireless RMON Statistics

    - Per-station, per-AP aggregate stats: retry rates, error rates, fragmentation rates, bandwidth rates
    - Per-station/AP raw stats: packet byte counts, frame size stats, protocol type stats

  • Page 38

    Remote troubleshooting

    Diagram: across the WAN: "I've got a performance problem, start capturing packets".

  • Page 39

    SOHO and Road Warrior Access

    Key Features:
    - Remote AP with Centralized and Distributed Termination (FlexMAC™)
    - Multi-SSID Support
    - Remote Site Survivability
    - Wired Port Tunneling (AP70)
    - Plug and Play
    - NAT Traversal
    - Mobile Edge Client

    Diagram: a remote location with Guest, Corp and Voice SSIDs reaches Corporate HQ across the Internet (employee Internet services, guest Internet access DMZ); all security policies are centrally defined and enforced at the mobility controller; the Remote AP is connected to any Ethernet port with an Internet connection.

  • Summary of Enterprise Wireless Network Security Mechanisms

    Wireless management:
    - Detects and locates wireless APs and wireless-NIC users, displayed graphically
    - Bandwidth management: usable bandwidth can be set per user account
    - Three-dimensional site survey tool: multiple floors can be configured and AP placement is suggested automatically
    - Automatic channel selection: wireless APs are steered to choose channels automatically to reduce interference

    Wireless security:
    - System security authentication mechanism
    - Wireless IDS/IPS
    - Wireless firewall and VPN encryption
    - Real-time identification of valid, unauthorized and neighboring wireless APs, with effective blocking of unauthorized AP use
    - Security control of other vendors' wireless APs
    - Built-in user database, with support for external RADIUS and LDAP authentication

    Wireless application optimization:
    - AP load balancing by connection count and utilization
    - Automatic coverage of the signal area of a failed AP (Self Healing)

    Other:
    - Wide-area roaming
    - HA redundancy architecture

  • Q & A: You're Not Alone…

  • Product Line

  • Aruba Mobility Controller Family: Same Value Proposition Across All Platforms

    Performance & Capacity (800MB – 8GB full feature) across the 200, 800, 2400 and 6000 models.

    Scalable and Flexible:
    - 200: 6 APs
    - 800: 4 and 16 AP options
    - 2400: support for 48 APs
    - 6000: scales from 48 to 512 APs

    Full redundancy options; a single mobility network of up to 32,000 access points.

  • Scalability and Performance

    Model              Aruba 5000/6000   Aruba 2400   Aruba 800   Aruba 200
    Size               3U                1U           1U          1U
    Access Points      256/512           48           4 or 16     6
    Users              4096/8192         512          256         100
    Clear text         8 Gbps            2 Gbps       1 Gbps      1 Gbps
    Encrypted (3DES)   7.8 Gbps          760 Mbps     380 Mbps    200 Mbps

    Deployment: Campus, Building, Branch

  • Wireless Access Point Family: Same Value Proposition Across All Applications

    Models shown: AP 41, AP 60/61, AP 65, AP 70, AP 80M.

    Single Band (802.11a or b/g), Dual-Band (802.11a/b/g), Auto-Discovery (Plug'n'Play), Multi-Service:
    - Multi-Band Wireless AP
    - Remote AP
    - Branch Office AP
    - Air Monitor

    Centrally Managed:
    - RF Parameters
    - Security Parameters
    - Service Definition
    - Version Management
    - Regulatory Domain

    Range: Low End / Low Cost to High End / High Feature; integral / detachable antenna versions.

  • Aruba Access Point Family

    - Single Radio: software-configurable 802.11a or b/g; AP / Air Monitor / Remote AP; ideal for dense office, home office and/or air monitor deployments; internal or external antenna options; low cost.
    - Dual Radio: dual-radio 802.11a/b/g; ideal for campus / remote / branch office AP; high-availability features (AP70); wired and wireless security (AP70); extensible USB interface port (AP70).
    - Outdoor APs: dual-radio 802.11a/b/g; AP or WDS bridge (point-to-point and multi-point); fully environmentally hardened design for desert, snow, rain and other harsh environments.

  • Aruba Mobility Management System: Software Distributed or Embedded on MMS Appliance

    Mobility Management System Software (centralized, scalable monitoring, data collection and reporting):
    • Dashboard view of entire network
    • Monitoring with "drag and drop"
    • Flexible reporting
    • RF planning and visualization
    • Location tracking
    • Supported on Intel server running Red Hat Linux

    Mobility Management System Appliance MM-100:
    • High-performance dual Intel Xeon processors
    • Dual network interfaces
    • High-availability RAID storage
    • Mobility Management System software pre-installed

  • Why Aruba?

    • Simple Deployment and Management
      - Access Point Density (Performance)
      - Structured Deployment (Out of Ceiling)
      - Centralized Operations
    • Most Secure Solution
      - Wireless Intrusion Detection & Prevention
      - Integrated Policies: Identity, Encryption, Resource, Application, Location, Time, …
      - Centralized Encryption and Enforcement
    • Enterprise-Class Resiliency
      - Modular, Scalable Controller Platform
      - High-Availability Architecture
      - Programmable for Future Services

  • Broad Market Acceptance: Over 1000 Enterprise Customers Worldwide

    Customers by vertical (as listed on the slide): High Tech 400+, Education 80+, Healthcare 150+, Government 50+, Financial 40+, Other 20+. Customer logos include Novell.
