W&M 2009 – Building a Secure Multi-Service Wi-Fi Network

Page 1: Building a Secure Multi-Service Wi-Fi Network

Confidential 2009

May 2009

Page 2: Today’s WLAN Landscape

Yesterday’s WLAN

- Convenience WiFi
- Guest Access
- Nomadic Users
- Scanners & single mode voice

Problems

- Security
- Management

Today’s WLAN

- Client Explosion
- Mobile Apps
- 10 x Bandwidth
- Voice / FMC
- Location Services
- Mobile Employees
- All Wireless Access

Problems

- Security, Mgmt & Mobility
- Single Points of Failure
- Performance Limitations
- Scalability
- Cost

[Diagram labels: Users, Applications, Mobility, Flexibility, Productivity]
Page 3: Wi-Fi Infrastructure & Applications

[Diagram labels: Contractor; WiFi Tags; Guest; Real-time Location Tracking; Voice over Wi-Fi; Video Surveillance; Business Productivity; Wireless Bridging; Enterprise Mesh; Central Management; AAA; Wireless Branch; WAN; Outdoor Extension; Ethernet Replacement; 802.11n Migration; Guest Access; Secure Employee Access; High Performance Campus]
Page 4: Delivering a secure multi-service “App Ready” infrastructure

Security

- WPA2/802.1X
- WIDS, Rogue Detection & Mitigation
- Directory and NAC integration
- Client Management

Per User Policy Enforcement

- User profiles and policy are used to “Virtualize” WLAN infrastructure
- User Profiles including security, QoS and access policy

Resource Management

- Prioritization – Voice
- BW limiting – student access
- Time of Day scheduling

Device Types: Laptops, Scanners, Tags, Wi-Fi Phones, Tablets, IV Pumps

User Types: Guests, Employees, Doctors, Nurses, Contractors, Teachers, Students

Traffic Types: Voice, Video, Data

[Diagram labels: Trusted Client; Launching IP DoS attack; Voice Policy; Laptop Policy; Guest Policy; Quarantine; WMM; User; QUEUEs; Diff Serv; Guest; Administrator]
Page 5: Improving Network & Application Performance

With Contention, Fast Clients Wait for Airtime and Perform Like the Slowest Client

- Speed of the network is subject to the slowest client

Dynamic Airtime Scheduling Allows Fast Clients to Transmit more Packets, Finish Quickly and Free Up the Air for the Slow Clients

- Faster clients dramatically improve their performance without impacting slower clients

[Figures: two timelines (axis: Time; rows: 2 Fast Clients; 1 Slow Client, 1 Fast Client) and two bar charts of Throughput for Fast Client and Slow Client. Labels: Airtime Capacity; 10x faster]

Page 6: Airtime Scheduling / Fairness Results

Test: 6 x .11a/n clients - n@270M, n@108M, n@54M, a@54M, a@12M, a@6M (Upstream, IxChariot)

[Two charts of Goodput (Kbps) against Time (s): Without Dynamic Airtime Scheduling and With Dynamic Airtime Scheduling. Legend: n@270M, n@108M, n@54M, a@54M, a@12M, n@6M. Annotation: ~ 100 Seconds]

With Dynamic Airtime Scheduling

- n@270M - 10sec ~ 10x performance improvement
- n@108M - 15sec ~ 6x performance improvement
- n@54M - 30sec ~ 3x performance improvement
- a@54M - 35sec ~ 2.5x improvement
- a@12M - 65sec ~ 1.5x improvement
- a@6M

Page 7: Voice Features

Voice Classification

– Application Layer Gateway detects dynamic ports

Voice Resiliency

– Proactive Session Synchronization
– Call Admission Control

Voice Quality

– Strict Priority Queuing
– WMM
– Policing

Battery Life Improvements

– WMM Power Save/U-APSD

Voice Reporting

[Diagram labels: Call Begins; SIP dynamic ports detected; SIP Session information proactively sent to neighboring APs]

Page 8: Reducing risk with wired-like resilience

Eliminate Single Points of Failure

Path Resiliency

– Mesh Failover, Dual homed Ethernet

Branch Survivability

– AAA caching

[Diagram labels: WAN; WLAN Management; AAA; Functional WLAN]

Page 9: Reducing Capex and Opex costs

Less Infrastructure Cost

– Wi-Fi access and mesh wi-fi reduces cabling
– Leverage existing switches

Reduced operational cost with centralized policy-based management

– Easy to use, policy-based mgmt simplifies large deployments
– Intuitive web management with wizards to manage simple networks
– Role-based guest mgmt delegation

Page 10: Role Based Administration

WLAN Manager: Device Life Cycle

Policy Design & Configuration

- WLAN Policies: Hive, Services, WLAN Mappings (SSID), Ethernet Access, Backhaul, QoS
- Security Policies: DoS Prevention, Firewall, Rogue Detection, Filters
- Authentication: AAA client settings, LDAP Settings, Captive Web Portal
- Administration Management: Admin Groups, Administrators

Monitoring & Maintaining

- Reporting: Summary, Radio, SSID, Client, Security, Inventory
- Active & Rogue Clients: MAC/IP Address, Host/User Name, HiveAP Name/MAC
- Fault Events & Alarms: Severity, Date, Description
- HiveAP Status: HiveAP name, type, # of clients, uptime, OS version

Upgrading & Adjusting

- New WLAN Policies: User Profiles, Services (Applications)
- Certificate & Key Updates: Upload Captive Web Pages and Keys, Upload AAA Certificates & Keys
- SW & Config. Updates: Upload & Activate Config, Upload & Activate SW
- HiveManager Operations: Backup Database, Update SW, Tech Support Data

Page 11: Summary

Qualities of a Modern Wireless LAN Infrastructure

• A future-proofed secure multi-service infrastructure
• Increased network and application performance
• Reduced risk with wire-like resiliency
• Reduced capital and operational cost
