Cisco Structured Wireless-Aware Network
TRANSCRIPT
1© 2003 Cisco Systems, Inc. All rights reserved.
CISCO STRUCTURED WIRELESS-AWARE NETWORK
A SOLUTIONS APPROACH TO WLAN
KOEN JACOBS – SYSTEMS ENGINEER – [email protected]
www.cisco.com/go/wireless/
CISCO WLAN EXTENDS THE MULTISERVICE NETWORK
Bringing Intelligent Services to WLAN
• Security
• QoS
• VLANs
• …
interface Dot11Radio0
 no ip address
 no ip route-cache
 ! static 40-bit WEP key (shown type-7 obfuscated) used as the transmit key
 encryption key 1 size 40bit 7 7823F25A0AB8 transmit-key
 ! WEP is required for every client on this radio
 encryption mode wep mandatory
 !
 ssid tsunami
    authentication open
    ! guest-mode: the SSID is broadcast in beacons
    guest-mode
!
End-to-End IOS = End-to-End Intelligence!
Security in WLANs
• Still the number 1 concern!
• Wardriving & Warchalking
Getting a lot of press
• Still many poorly protected WLANs
SSID != Security
MAC Filters
802.11 Standard WEP
Credit: KNTV San Jose
Cisco Wireless Security Suite – Security in the Enterprise
Public Access – No Security: no WEP, broadcast mode
Telecommuter and Small Business – Basic Security: Wi-Fi 40-bit, 128-bit and static WEP
Mid-Market and Enterprise – Enhanced Security: dynamic key management; system and mutual authentication; 802.1x via EAP
Cisco Wireless Security Suite www.cisco.com/go/aironet/security
Wireless LAN Security consists of three components
I. The Authentication Framework
IEEE 802.1x authentication framework supports many authentication types & the link layer
II. The Authentication Algorithm
EAP Cisco Wireless (LEAP) and EAP-FAST support centralized, user-based authentication with the ability to generate dynamic WEP keys
Same for PEAP*, which also supports OTPs
III. The Encryption Algorithm = WEP for 802.11
Cisco was the first to augment WEP encryption through TKIP* (Temporal Key Integrity Protocol) – the same functionality is now part of WPA, under the name CKIP
Message Integrity Check (MIC) mitigates man-in-the-middle attacks
Per-Packet Keying mitigates WEP key derivation attacks, e.g. AirSnort
Broadcast Key Rotation
* 802.11i draft
Cisco Wireless Security Suite – The Complete Picture – Cisco Compatible Extensions
(Diagram: WPA, Wi-Fi Protected Access, and CCX, Cisco Compatible eXtensions)
CCX: Built on Standards; Optimized for Enterprise; Broad Adoption; Tested for Interoperability
802.1X authentication; TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) encryption
VLANs – Segmenting the WLAN
(Diagram: SSID Voice on VLAN 3, SSID Private on VLAN 1, SSID Public on VLAN 2, carried over an 802.1Q VLAN trunk to the wired network)
• Static VLAN mapping via SSID, or dynamic VLAN assignment via policy server (RADIUS)
• Up to 16 VLANs
• Each VLAN can e.g. have a different security policy, in line with the user profile
• Support for 802.1p/Q VLANs for end-to-end integration
Supports any CCX client!!
Quality of Service
• Pre-standard implementation: downstream QoS
Using EDCF – Enhanced Distributed Coordination Frame
• 802.11e will deliver upstream & downstream
CISCO SWAN – www.cisco.com/go/swan/
Providing Superior Wireless Security, Deployment, Management, and Mobility by INTEGRATING and EXTENDING Wireless Awareness into Key Elements of the Network Infrastructure - Servers, Switches, Routers, APs, and Clients
Cisco Structured Wireless-Aware Network
Cisco SWAN – Three Elements
1. WLSE 2.7; Aironet 1100/1200/1300 (radios: 802.11b/g/a); Wi-Fi client adapters; 802.1X AAA server
2. Cisco Aironet clients; Cisco Compatible (CCX) clients
3. Cisco switches and routers with wireless-aware Cisco IOS® Software
Benefits: Fast Secure L3 Mobility; Centralized Policies; High Availability; Expanded security options; Granular Site Surveys; Simplified Deployment/Mgmt; Rogue AP Detection and Suppression
Cisco SWAN Minimizes WLAN TCO
Support: Cisco warranties and support services; Cisco partnerships like the CCX program
Deployment: Optimized deployment of high-performance APs: Assisted Site Survey, “live” RF* readings
Security: WPA for access control/authentication and data privacy, integrated WLAN IDS functionality, including rogue AP detection and suppression
Management: Automated operations of APs (configs, FW, etc.) and RF* (coverage, interference, etc.)
Flexibility: Future switch/router enhancements for scalability, familiar interface, and fast secure L3 roaming
* RF = radio frequency = data transmissions in the air
Cisco SWAN Components
WLSE: Wireless Network Manager (WNM) – CiscoWorks Wireless LAN Solution Engine
Cisco Secure ACS
Access Points: WDS-mode – Wireless Domain Services (WDS); Infrastructure-mode – Infrastructure Access Points (registered with WDS)
Client Cards: Cisco Clients; CCX v2 – Cisco or Cisco Compatible Clients (version 2)
Wireless Domain Services
• Provides centralized software services on behalf of a L2 subnet (WLAN clients and APs)
• Currently supported on
AP 1100/1200 & Bridge/AP 1300
Catalyst 6500 WLSM – more switches/routers to follow
• Minimizes traffic across LAN/WAN
• WDS AP supports up to 30 infrastructure APs
60 infrastructure APs in dedicated mode
• Features that leverage WDS
Fast Secure Roaming
Radio Management/Monitoring - Rogue AP detection / Interference / …
Local authentication
An Example – Rogue AP Detection
(Diagram: Network Core with WLSE cluster and NMS, Distribution, and Access layers; WDS and radio management (RM) on the access APs; one rogue AP in the coverage areas of trusted APs and one rogue AP outside the coverage areas of trusted APs)
An Example – Rogue AP Detection
(Diagram: Network Core with WLSE cluster and NMS, Distribution, and Access layers; infrastructure APs send radio measurements (RM) to the WDS, which forwards the aggregate (RM-Agg) towards the WLSE; two rogue APs)
1. Radio measurements (RMs) are sent to WDS
2. WDS aggregates and condenses RMs
3. WDS forwards RM aggregation to WLSE
4. WLSE generates reports, alerts, etc.
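The four steps above modelled end to end, as an added example that is not Cisco's WDS or WLSE code: constructed radio measurements from two registered APs are condensed per heard BSSID the way WDS does, then compared against the registered-AP list the way WLSE reports them. The BSSIDs, SSIDs, AP names and the -75 dBm coverage threshold are all assumptions.

```python
# Added example, not Cisco code: simplified model of the four-step rogue AP flow.

# Assumed registry of infrastructure APs (BSSID -> name) registered with WDS,
# plus the SSIDs the enterprise actually advertises.
REGISTERED_APS = {"00:0b:be:aa:00:01": "ap-floor1", "00:0b:be:aa:00:02": "ap-floor2"}
TRUSTED_SSIDS = {"corp"}

# Step 1: constructed radio measurements (RMs) as each infrastructure AP
# would send them to WDS: (reporting AP, heard BSSID, SSID, channel, RSSI dBm).
SAMPLE_RMS = [
    ("ap-floor1", "00:0b:be:aa:00:02", "corp", 6, -70),
    ("ap-floor2", "00:0b:be:aa:00:01", "corp", 1, -68),
    ("ap-floor1", "00:11:22:33:44:55", "corp", 11, -55),  # unknown BSSID, our SSID
    ("ap-floor2", "00:11:22:33:44:55", "corp", 11, -81),
    ("ap-floor1", "00:11:22:33:44:55", "corp", 11, -58),  # later scan, same rogue
    ("ap-floor2", "66:77:88:99:aa:bb", "linksys", 1, -79),
]


def wds_aggregate(rms):
    """Step 2: WDS condenses per-scan RMs into one record per heard BSSID,
    keeping only the strongest reading from each reporting AP."""
    agg = {}
    for reporter, bssid, ssid, channel, rssi in rms:
        rec = agg.setdefault(bssid, {"ssid": ssid, "channel": channel, "heard_by": {}})
        rec["heard_by"][reporter] = max(rssi, rec["heard_by"].get(reporter, -200))
    return agg


def wlse_report(agg, registered, trusted_ssids, coverage_dbm=-75):
    """Steps 3-4: WDS forwards the aggregate to WLSE, which flags every BSSID
    that is not a registered infrastructure AP and builds an alert for it."""
    alerts = []
    for bssid, rec in sorted(agg.items()):
        if bssid in registered:
            continue  # a trusted AP heard by its neighbours, not a rogue
        nearest, strongest = max(rec["heard_by"].items(), key=lambda kv: kv[1])
        alerts.append({
            "bssid": bssid,
            "ssid": rec["ssid"],
            "channel": rec["channel"],
            "nearest_trusted_ap": nearest,
            "rssi_dbm": strongest,
            # heard strongly by a trusted AP: inside its coverage area (assumed
            # threshold), so it can be located from survey data and suppressed
            "in_coverage": strongest >= coverage_dbm,
            # unknown BSSID advertising the corporate SSID: the "SSID != Security"
            # case, since clients will join it without noticing
            "spoofs_trusted_ssid": rec["ssid"] in trusted_ssids,
        })
    return alerts
```

Calling `wlse_report(wds_aggregate(SAMPLE_RMS), REGISTERED_APS, TRUSTED_SSIDS)` yields two alerts: the SSID-spoofing rogue, heard at -55 dBm by ap-floor1, and the weak "linksys" AP outside the assumed coverage threshold.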
Catalyst 6500 WLSM – Wireless LAN Services Module
• Provide seamless layer 3 mobility across an entire campus
No client hardware or software requirements
Supports low latency roams for Voice
• Simplify Cisco SWAN deployment and configuration
Reduce the number of Wireless Domain Services (WDS) needed
• Simplify Deployments
No changes necessary to existing network infrastructure
Provides a single interface per-SSID for the application of security and QoS policy
Enterprise Campus Roaming and Aggregation – Cisco SWAN enables Fast Secure Scalable Wireless Networking
• Fast Secure Roaming
• Simple Configuration
• Non-Stop Forwarding / Stateful Switchover
• Scalability
• Integrated Security Services
(Diagram: the Catalyst 6500 with WLSM as a single point of ingress/egress for the existing network; CiscoWorks WLSE 2.7; Fast Secure Roaming tunnels from the WDS; seamless Layer 3 roaming across subnets, the client keeping address 10.11.12.13)
Mobility Groups Enable Secure Segmentation
(Diagram: guest, employee and phone WLAN clients; WLAN traffic tunneled to an mGRE interface on the Catalyst 6500 Series with WLSM; the core connects to voice/PSTN, VPN services, firewalls, intrusion detection and the Internet)
Wireless LAN Solution Engine – Key Features
• Turnkey operational tool for managing Cisco WLANs
• Manages up to 2500 Cisco APs and bridges, plus attached Cisco switches and routers and LEAP servers
• Template-based configuration of APs and bridges
• AP & bridge security misconfiguration detection and alerts
• Proactive fault and performance monitoring of APs, bridges
• Authentication server and attached switch/router monitoring
• AP/Bridge summary and utilization reports
• Current & historical client association tracking reports
• Upper-layer NMS/OSS integration via northbound trap, SYSLOG
• Secure HTML-based UI
• Role-based Access Control
• System & User Defined Device Grouping
Managing the WLAN with WLSE
Network Operations Center
ACS WLSE CiscoWorks EMS
Client Association Tracking and Reports
Device Grouping
LEAP Monitoring
Fault/Performance Monitoring of APs & Bridges
Template-based configuration of APs & Bridges
Switch monitoring
CiscoWorks WLSE – www.cisco.com/go/wlse
Rogue AP Detection
Location Manager
Assisted Site Survey
RM Example: Self Healing Radio Network – Lost radio interface
CISCO AIRONET – www.cisco.com/go/aironet/
Cisco Aironet 1200 Series
• Investment Protection and Future Proof
Supports 802.11a/b/g
IOS support
8MB of storage
• Performance & Flexibility
Modularity
In-line and regular power
Unique security suite (LEAP, PEAP, …)
Easy and integrated management
• Minimizes Total Cost of Ownership
• Plenum rated chassis
• Physical Security
802.11b/g
802.11a
Dual-band
Cisco Aironet 1100 Series
• Scalable – Fully functional access point ideal for all enterprise deployments without expensive controllers
802.11b now – upgradeable to 802.11g
• Affordable – Lowest priced upgradeable Cisco Aironet access point protects customer investment
• Enterprise-class features – End-to-end intelligent networking extended to WLAN
• Secure – Enterprise-class interoperable security for WLAN
• Easy-to-use – Intuitive installation and set up for rapid deployment
Aironet 1300 Outdoor AP/Bridge
• Multi Function
Access Point
Bridge
Workgroup Bridge
• 802.11g
54 Mbps at 2.4 GHz
• Outdoor enclosure – IP56
• Included in Cisco SWAN solution
Wireless LAN Client Adapters
• 802.11a/b/g dual band client adapters
54 Mbps in 2.4 and 5 GHz bands
802.11b support provides investment protection
CardBus and PCI form factors
Windows XP/2000
• 802.11a client adapters
• 802.11b client adapters
PCMCIA and PCI form factors
Broad OS support (MacOS, Linux, …)
• CCX-compliant adapters
Cisco Compatible Extension Program – Key Benefits
Innovative Features
• Cisco Wireless Security Suite
• LEAP & pre-standard TKIP
• Cisco VLAN
• 40+ features in CCX v2.0
• No cost licensing
Confidence to Deploy WLAN
• Tested Interoperability
• Leading security solution
• Ongoing feature development
• Wide variety of devices & OS’s
Industry Standards Compliance
• Wi-Fi, WPA & 802.11
Superset to industry standards
Accelerate availability of enterprise features
Cisco Compatible Extension Program – Some of the partners… www.cisco.com/go/ciscocompatible/wireless/
In total 95% of 3rd party client NICs are covered!
Cisco Wireless IP Phone 7920 – Supports LEAP – Extending security to voice clients!
• IEEE 802.11b, Direct Sequence with Dynamic Rate Scaling at 1, 2, 5.5, 11 Mbps
• Pixel-based display
4 lines + soft keys + date/time/RF/battery + status indication
• High performance speaker supports CCM ring tones
• Visual message waiting, key lock, and vibration icon indicators
• Current HW version will go through 3 SW stages
• Automatic IEEE 802.1q (virtual LAN [VLAN]) configuration
• G.711a, G.711u, and G.729a audio-compression coder-decoders (codecs)
• SNMP manager
• DHCP or static configuration option
• Alternate TFTP support
• Range of accessories: cradle, casings, USB cable, …
Features planned for future software release
XML services
Directory services (LDAP)
Extension mobility
WPA
Additional language support
450 character, two-way paging/messaging
Q and A