Structured Wireless-Aware Network (SWAN)
Transcript of the slide deck "Structured Wireless-Aware Network (SWAN)" (Wireless Domain Services, operating costs, integration)
© 2004 Cisco Systems, Inc. All rights reserved. Structured Wireless Aware Network
Structured Wireless-Aware Network(SWAN)
Wolfgang Kriegisch, Internetworking, [email protected]
What is SWAN?
802.11b Overview
• Ratified in 1999, two years after the initial 802.11 standard and at the same time as 802.11a
• Defined data rates up to 11 Mbps
• Operates in the 2.4 GHz band, with similar frequencies and regulations around the world
• Three non-overlapping operating channels (channels 1, 6 and 11)
802.11a
• Ratified as a standard in September 1999
• Data rates up to 54 Mbps defined
• Provides twelve WLAN channels today; more channels forthcoming
• Regulations currently differ extensively across countries
The 802.11g Standard
• 802.11g standard ratified in June 2003
• Operates in the same 2.4 GHz band as 802.11b and uses the same three non-overlapping channels
• Full backward compatibility with 802.11b; conceptually similar to Ethernet and Fast Ethernet
• Uses OFDM for the 802.11g data rates and DSSS for the 802.11b data rates
• Employs various modulation schemes for a variety of data rates: 54, 48, 36, 24, 18, 12, 9 and 6 Mbps via OFDM; 11, 5.5, 2 and 1 Mbps via DSSS
What is SWAN? Structured Wireless Aware Network
SWAN is Cisco's WLAN solution architecture for integrating wireless and wired services into an enterprise network.
SWAN: Architecture for WLAN Services
• Integration into the existing infrastructure and services: no additional L2/L3 network or switches; L3 roaming; voice (IPT) and data; VLANs; QoS
• Central, institution-wide WLAN management: from single APs to hundreds of APs; RF management that supports the site survey; detection of unauthorized (rogue) APs
• Security: strong and flexible security mechanisms; integration with the existing security services (RADIUS, AAA); fast roaming
• Support for a wide range of end devices: Cisco Compatible
Which services matter to the enterprise?
(Columns of the original table: requirement, service, benefit, and whether the service is delivered centrally or decentrally.)
Requirement: automation & management
• Auto-configuration / installation management: lowest operating cost (central)
• Monitoring management: lowest operating cost (central)
• RF management: lowest operating cost (central)
• Assisted Site Survey: lowest installation cost (central)
Requirement: integration into the existing infrastructure
• Wireless Domain Services: lowest operating cost (central)
• Fast Secure Layer 3 Roaming: services, installation cost (central)
Requirement: uniform services (voice/data)
• VLAN in WLAN & LAN: uniform services (central)
• Fast Secure Layer 2 Roaming: services (voice) (central and decentral)
Which services matter to the enterprise? (continued)
Requirement: security
• Authentication (AAA): lowest operating cost (central)
• Virtual segmentation: maximum security (central)
• Rogue access point detection: maximum security (central)
• Security policy monitoring: maximum security (central)
• Encryption: maximum security (VPN, 802.11i, or on the AP)
• Intrusion detection: maximum security (on the AP, or a dedicated IDS)
Requirement: openness
• Cisco Compatible Extensions (CCX): broad end-device support
WLAN Domain Services
SWAN Mobility: Fast Secure Layer 3 and Layer 2 Roaming
• Single point of ingress/egress
• Fast Secure Roaming (<50 ms roam times)
• Scalability (1 WLSM supports up to 300 APs)
• Simple configuration
• Non-Stop Forwarding / Stateful Switchover
[Figure: seamless Layer 3 roaming across subnets over the existing L3 network; Fast Secure Roaming tunnels terminate on a Cat 6500 with WLSM; managed by WLSE 2.7]
VLAN in WLAN & LAN
Use of wireless VLANs for voice/data and security
Allows different systems and applications with different security concepts to be operated on a single WLAN (up to 16 separate VLANs). The AP (here on channel 6) maps each SSID to a VLAN and carries them over an 802.1Q trunk to the wired network:
• SSID "Daten" = VLAN 1, security: PEAP + AES
• SSID "Sprache" = VLAN 2, security: LEAP + WPA
• SSID "extern" = VLAN 3, security: open
Note that the VLAN mapping only separates traffic; the open "extern" VLAN still has to be fenced off on the wired side (firewall/ACLs) so that it cannot reach the internal VLANs.
Mobility Groups = Secure Segmentation
[Figure labels: Catalyst 6500 with WLSM terminating the mobility groups "extern", "Patient", "Personal" and "Phone"; the voice group reaches the PSTN; VPN services, firewall and intrusion detection sit between the core and the Internet]
Catalyst 6500 Switch with the Wireless LAN Services Module (WLSM)
• New member of the SWAN family
• First Cisco wired switch/router to take on Wireless Domain Services (WDS) functionality
• Each WLSM can support up to 300 APs (single-band or dual-band) and up to 6000 clients
• Fast, secure Layer 3 mobility: Layer 3 roam times of <50 ms (with 802.1X security)
• Availability: summer 2004
[Figure: WLSM blade in a Catalyst 6500]
WLAN Management
The "heart" of SWAN: WLSE (Wireless LAN Solution Engine)
• Centralized WLAN network management
• Supports up to 2500 APs per WLSE
• Supports 802.11a, b and g
• Functions, deployment: assisted site survey; auto-configuration of Cisco APs "out of the box"; bulk configuration of APs with user-defined groups
• Functions, operation: fault and performance monitoring; rogue AP detection, location and suppression; intrusion detection; auto re-site survey; self-healing; real-time active client tracking
Auto-Configuration / Installation / Monitoring Management
WLSE WLAN Configuration
• Centralized configuration and firmware distribution to APs and wireless bridges (user-defined groups)
• Automatic configuration of new APs and bridges
• Archive of the 4 previous configurations of each AP / bridge
• A WLSE configuration job can be scheduled to run at a defined time
Security Policy Monitoring
WLSE Wireless LAN Security
• Security policy monitoring: monitors the security policies on all APs; generates an alarm on violations; notification by email, syslog and SNMP trap
• Consistent security definitions / configurations through central management: 802.1X EAP, WEP and WPA configurations
• 802.1X EAP server monitoring: support for LEAP, PEAP and RADIUS; checks the availability of the Cisco ACS EAP server; monitors authentication response times by simulating a client; email, syslog and SNMP trap notification based on configurable thresholds
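The policy check that WLSE performs centrally can be modelled in a few dozen lines. What follows is an added example written for this page, not WLSE code: it walks a constructed inventory of per-AP SSID configurations, compares each one against a site policy (internal VLANs must use 802.1X with an approved EAP type and TKIP or AES-CCMP encryption; open SSIDs may only land on a designated guest VLAN) and emits syslog-style alert lines of the kind WLSE would forward by email, syslog or SNMP trap. The record layout, the WLSE-POLICY-* alert prefix and the choice to leave LEAP out of the approved EAP set (LEAP is susceptible to offline dictionary attacks against weak passwords) are assumptions of the example, not WLSE's schema or defaults.

```python
"""Security policy monitoring over AP/SSID configurations (added example, not WLSE code)."""
from dataclasses import dataclass


@dataclass
class SsidConfig:
    """One SSID as configured on one AP. Constructed model, not the WLSE schema."""
    ap: str
    ssid: str
    vlan: int
    auth: str                  # "open", "shared" (WEP shared key) or "eap" (802.1X)
    eap_types: tuple = ()      # e.g. ("peap",), ("leap",), ("eap-tls",)
    encryption: str = "none"   # "none", "wep40", "wep128", "tkip", "aes-ccm"


@dataclass
class Policy:
    """Site policy: which VLANs are internal, which are guest, and what internal ones require."""
    internal_vlans: frozenset
    guest_vlans: frozenset = frozenset()
    required_encryption: frozenset = frozenset({"tkip", "aes-ccm"})
    allowed_eap: frozenset = frozenset({"peap", "eap-tls"})   # LEAP deliberately excluded


def check_ssid(cfg, policy):
    """Return a list of (severity, message) violations for a single SSID."""
    findings = []
    if cfg.vlan in policy.internal_vlans:
        if cfg.auth != "eap":
            findings.append(("critical", "internal VLAN without 802.1X authentication"))
        elif not set(cfg.eap_types) <= policy.allowed_eap:
            bad = ",".join(sorted(set(cfg.eap_types) - policy.allowed_eap))
            findings.append(("major", f"disallowed EAP type(s): {bad}"))
        if cfg.encryption not in policy.required_encryption:
            findings.append(("critical",
                             f"encryption '{cfg.encryption}' below policy (need TKIP or AES-CCMP)"))
    elif cfg.vlan not in policy.guest_vlans:
        # Anything that is not an internal VLAN must be an explicitly designated guest VLAN.
        findings.append(("critical", f"non-internal SSID on VLAN {cfg.vlan}, which is not a guest VLAN"))
    if cfg.auth == "shared":
        # WEP shared-key authentication hands an eavesdropper plaintext/ciphertext pairs (keystream).
        findings.append(("major", "shared-key authentication leaks WEP keystream"))
    return findings


def audit(configs, policy):
    """Run the policy over every SSID config; return syslog-style alert lines."""
    alerts = []
    for cfg in configs:
        for severity, msg in check_ssid(cfg, policy):
            alerts.append(f"WLSE-POLICY-{severity.upper()}: ap={cfg.ap} ssid={cfg.ssid} "
                          f"vlan={cfg.vlan}: {msg}")
    return alerts


# Constructed sample inventory mirroring the three SSIDs on the slides, plus one AP
# whose configuration has drifted from the standard (open + static WEP on the data VLAN).
SAMPLE = [
    SsidConfig("ap1-floor1", "Daten", 1, "eap", ("peap",), "aes-ccm"),
    SsidConfig("ap1-floor1", "Sprache", 2, "eap", ("leap",), "tkip"),
    SsidConfig("ap1-floor1", "extern", 3, "open", (), "none"),
    SsidConfig("ap2-floor2", "Daten", 1, "open", (), "wep128"),
]
POLICY = Policy(internal_vlans=frozenset({1, 2}), guest_vlans=frozenset({3}))

if __name__ == "__main__":
    for line in audit(SAMPLE, POLICY):
        print(line)
```

Run as a script it prints three alerts: one "major" for the LEAP-only voice SSID and two "critical" findings for the drifted AP. The compliant data SSID and the open SSID on the guest VLAN produce nothing, which is the point of putting the guest VLAN into the policy instead of hard-coding "open is bad".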
Rogue Access Point Detection
Rogue AP Detection Overview
[Figure: APs in the access layer act as radio monitors (RM) and also hear rogue APs; the switch-based WDS in the distribution layer aggregates their reports (RM-Agg) and forwards them across the network core to the WLSE cluster acting as NMS]
CiscoWorks WLSE "Rogue AP Detail" screen (screenshot)
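The aggregation step in the figure, where radio-monitor reports are matched against the authorized inventory, can be shown end to end. The following is an added example written for this page, not WLSE or WDS code: each managed AP reports the BSSIDs it hears with SSID, channel and signal strength; the aggregator drops managed BSSIDs that advertise their inventoried SSID, classifies everything else (an accepted neighbour, an unknown AP, an AP spoofing a corporate SSID, or one of our own BSSIDs cloned with a foreign SSID) and records the loudest reporting AP as the coarse location. The inventory, neighbour list, scan records and classification names are all constructed for the example.

```python
"""Rogue AP classification from radio-monitor scan reports (added example, not WLSE code)."""
from collections import defaultdict

# Authorized inventory: BSSID -> (AP name, SSID it is configured to advertise). Constructed.
MANAGED = {
    "00:0b:85:11:22:31": ("ap1-floor1", "Daten"),
    "00:0b:85:11:22:32": ("ap1-floor1", "Sprache"),
    "00:0b:85:44:55:61": ("ap2-floor2", "Daten"),
}
# BSSIDs an operator has reviewed and accepted (e.g. the tenant next door). Constructed.
KNOWN_NEIGHBOURS = {"00:02:2d:aa:bb:cc"}

# Scan reports as (reporting AP, BSSID heard, SSID, channel, RSSI in dBm). Constructed.
SCANS = [
    ("ap1-floor1", "00:0b:85:44:55:61", "Daten", 11, -70),      # our other AP, as expected
    ("ap1-floor1", "00:02:2d:aa:bb:cc", "Nachbar", 1, -80),     # accepted neighbour
    ("ap1-floor1", "00:13:46:de:ad:01", "Daten", 6, -48),       # foreign AP spoofing our SSID
    ("ap2-floor2", "00:13:46:de:ad:01", "Daten", 6, -75),       # same rogue, heard further away
    ("ap2-floor2", "00:09:5b:01:02:03", "linksys", 6, -62),     # unmanaged consumer AP
    ("ap2-floor2", "00:0b:85:11:22:31", "Free-WiFi", 6, -55),   # our BSSID with a foreign SSID
]


def classify(scans, managed=MANAGED, neighbours=KNOWN_NEIGHBOURS):
    """Group reports by BSSID and classify every one that needs attention.

    Returns {bssid: report}. A managed BSSID advertising its inventoried SSID is
    silently skipped; anything else is reported with the strongest reporter as
    the nearest AP and the full list of APs that heard it.
    """
    our_ssids = {ssid for _, ssid in managed.values()}
    seen = defaultdict(list)
    for reporter, bssid, ssid, chan, rssi in scans:
        if bssid in managed and managed[bssid][1] == ssid:
            continue
        seen[bssid].append((rssi, reporter, ssid, chan))

    reports = {}
    for bssid, obs in seen.items():
        obs.sort(reverse=True)                     # strongest signal first
        rssi, reporter, ssid, chan = obs[0]
        if bssid in managed:
            kind, sev = "bssid-clone", "critical"  # our BSSID, but not our SSID
        elif bssid in neighbours:
            kind, sev = "known-neighbour", "info"
        elif ssid in our_ssids:
            kind, sev = "rogue-spoofing-corporate-ssid", "critical"
        else:
            kind, sev = "rogue-unknown", "major"
        reports[bssid] = {
            "class": kind, "severity": sev, "ssid": ssid, "channel": chan,
            "nearest_ap": reporter, "rssi_dbm": rssi,
            "heard_by": sorted({r for _, r, _, _ in obs}),
        }
    return reports


if __name__ == "__main__":
    for bssid, r in classify(SCANS).items():
        print(f"{r['severity']:8} {bssid} {r['class']:30} ssid={r['ssid']} ch={r['channel']} "
              f"nearest={r['nearest_ap']} ({r['rssi_dbm']} dBm) heard_by={','.join(r['heard_by'])}")
```

Two limits worth keeping in mind when reading the output: a rogue that clones both a managed BSSID and its SSID is invisible to a pure inventory comparison (only an unexpected channel or location would give it away), and the "nearest AP" is just the loudest reporter, not a position. The wired-side location and suppression steps the WLSE slide lists (tracing the rogue's MAC to a switch port, then shutting it down) are not modelled here.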
Assisted Site-Survey
Assisted Site Survey: Process
Assisted Site Survey: Results
Self-Healing WLAN: Losing an AP (lost radio interface)
Self-Healing WLAN: Other APs Automatically Adjust
WLAN Security
WLAN Security Hierarchy
• Open access (public "hotspots"): no encryption, basic authentication
• Basic security (private use): static WEP, 40-bit or 128-bit
• Enhanced security (enterprises): 802.11i, TKIP/WPA encryption, mutual authentication, scalable key management, etc.
• Remote access (business travellers, home workers): virtual private network (VPN)
Enterprise-Class WLAN Security
Wi-Fi Protected Access ("WPA"):
• Requires TKIP encryption + MIC and 802.1X authentication
• Required for Wi-Fi certification since Aug. '03
• Encryption: TKIP + MIC (Temporal Key Integrity Protocol, Message Integrity Check), an extension of WEP
• Authentication: 802.1X
• Standardized, optimized for enterprises, widely deployed, tested for interoperability
• http://www.wi-fi.org/OpenSection/protected_access.asp
CCX program:
• Cisco Compatible eXtensions
• Ensures interoperability for a variety of 802.1X authentication types, such as LEAP and PEAP
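The "MIC" that WPA adds to WEP is the Michael algorithm from IEEE 802.11i, and it is small enough to show in full. The block below is an added example for this page, not Cisco code: it implements Michael (64-bit key, 64-bit tag, only 32-bit add/xor/rotate so that it runs on WEP-era hardware), a constant-time verifier, and the 802.11i countermeasure rule that a receiver applies after MIC failures. Michael was designed for only about 20 bits of forgery resistance, which is why TKIP also rotates per-packet keys and why the standard requires disabling TKIP for 60 s and rekeying after two MIC failures within a minute. In real TKIP the MIC input also covers destination address, source address and priority in front of the payload; the example treats the message as an opaque byte string. The first two reference values in the test are the published 802.11i Michael test vectors.

```python
"""Michael, the TKIP message integrity check (added example, not Cisco code)."""
import hmac
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x):
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)


def block(l, r):
    """The Michael block function b(L, R): four add/xor/rotate rounds."""
    r ^= rol(l, 17); l = (l + r) & MASK
    r ^= xswap(l);   l = (l + r) & MASK
    r ^= rol(l, 3);  l = (l + r) & MASK
    r ^= ror(l, 2);  l = (l + r) & MASK
    return l, r


def michael(key, msg):
    """Return the 8-byte Michael MIC of msg under an 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    # Padding: a single 0x5a byte, zeros up to the next 32-bit boundary, then one
    # more all-zero word (4 to 7 zero bytes in total, as the standard specifies).
    padded = msg + b"\x5a" + b"\x00" * (3 - len(msg) % 4) + b"\x00" * 4
    for (word,) in struct.iter_unpack("<I", padded):   # little-endian words
        l ^= word
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def verify(key, msg, tag):
    """Constant-time MIC check, as a receiver does before accepting a frame."""
    return hmac.compare_digest(michael(key, msg), tag)


def countermeasures_triggered(failure_times, window=60.0):
    """802.11i TKIP countermeasure rule: two MIC failures within 60 seconds."""
    times = sorted(failure_times)
    return any(later - earlier <= window for earlier, later in zip(times, times[1:]))


if __name__ == "__main__":
    key = bytes(8)
    print(michael(key, b"").hex())            # 82925c1ca1d130b8 (802.11i test vector)
    tag = michael(key, b"hello")
    print(verify(key, b"hello", tag), verify(key, b"hellp", tag))   # True False
```

Because Michael is linear in so much of its structure, a single-bit change in the message changes the tag, but an attacker who can observe the tag and has a keystream (the classic WEP weakness) still only needs on the order of 2^20 work to forge one; the countermeasures, not the MIC alone, are what make that attack expensive in practice.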
End-to-End Secured VPN
Cisco VPN solutions utilize standards-based security:
• Encryption: DES, 3DES, AES (new) (56-bit single DES is not adequate for new deployments; prefer 3DES or AES)
• Authentication: RSA digital certificates, RADIUS, Kerberos
• Integrity: HMAC-MD5, HMAC-SHA1
• Tunneling: IPsec, GRE, L2TP/PPTP
WLAN Security White Papers
To download these white papers, go to: www.cisco.com/go/aironet/security
• Wireless LAN Security & the Cisco Wireless Security Suite
• SAFE for Wireless
Cisco Brand & Cisco-Compatible Clients
802.11a/b/g Client Adapters
• 802.11a/b/g dual-band client adapters: 54 Mbps performance in the 2.4 GHz and 5 GHz bands; backward compatible with 802.11b networks
- Protects the existing investment
• 2 variants: CardBus card, PCI adapter
• Windows XP/2000 support
• CCX v1 & v2 features
• AES implemented
• 802.11h via software upgrade
Cisco Wireless IP Phone 7920
• For workers who need to communicate while moving about their workplace / campus
• 802.11b WLAN
• To the IP PBX it behaves just like a wired desktop phone
• 802.1X LEAP security
• How to deploy a VoWLAN network: white paper "Cisco Wireless IP Phone 7920 Deployment Recommendations" (Mar. '04)
• June/July '03
Intel/Cisco Collaboration
• Best-in-class security
• Validated compatibility
• Mobile optimized
• WLAN industry leaders
OEM notebooks with Intel Centrino mobile technology (Intel 855 chipset, Intel PRO/Wireless, Pentium M processor) + Cisco Aironet wireless infrastructure: delivers the leading mobility solution for the enterprise.
CCX Status
• 71 CCX partners, including 20 Wi-Fi silicon vendors
• >140 products successfully tested for CCX, including laptops from HP, IBM, Dell, Toshiba and Fujitsu
- 6 of the top 8 laptop manufacturers are in the CCX program; form factors: PC Card, PCI, USB, barcode scanners, etc.
• CCX v2 products (2Q'04): security (WPA; interoperability testing for three 802.1X types: LEAP, PEAP, EAP-TLS); mobility (fast secure Layer 2/3 roaming); voice over WLAN; rogue AP detection; site survey assist
WLAN Components and Functions
Wireless Access Points: AP1200, AP1100, BR1310
Aironet 1100 Series
• 802.11b/g (2.4 GHz, 54 Mbps)
• Inline power
• High-performance radio: range, throughput
• Availability (hot standby)
• Cisco WLAN Security Suite
• Cisco IOS
Aironet 1200 Series
• Modular system
• Dual band: 802.11b/g (2.4 GHz, 54 Mbps), 802.11a (5 GHz, 54 Mbps)
• Inline power
• Cisco WLAN Security Suite
• Availability (hot standby)
• Cisco IOS
• -20 to +55 degrees Celsius
The Cisco Aironet 1200 Series AP won "Best Enterprise WLAN System", April 2003, Networld+Interop Well-Connected Awards
Outdoor Access Points & Wireless Bridges
• 1300 Series: outdoor AP & wireless bridge
• 2.4 GHz, 802.11g, 54 Mbps
• Integrated or external antennas
• Point-to-point & point-to-multipoint
• Full security over the wireless link
The Industry's Only Enterprise-Class Integrated Wired & Wireless Solution (SWAN)
• Industry-leading scalability
• Industry-leading fast secure Layer 3 mobility
• Simplified management
• Enhanced security
• Integration of wired & wireless networking, but elements can be added in phases
• Flexible deployments and a broad range of client devices
Questions?