Copyright © Siemens AG 2006. All rights reserved.
HiPath Wireless Market Introduction: Version 4.0 Update for Consulting and Engineering
August 2006
HiPath Wireless: Driving Value with Open Mobility Solutions
Presentation Contents
Introduction
Architectural Features
Operational Control Features
Solutions Enablement Features
Conclusion
HiPath Wireless: Driving Value with Converged Mobility Solutions
HiPath Wireless drives value through superior Converged Mobility Solutions while maintaining control over network operations and costs
[Diagram labels: Converged Mobile Enterprise, Flexible Architecture, Operational Control, Solutions Enablement, Product Foundation, Converged Mobility Solutions]
HiPath Wireless Key Differentiators
HiPath Wireless unique differentiators lie in three key areas:
Flexible, Open Architecture
• A highly flexible architecture that can accommodate many different application solutions on a single architecture
• Minimal changes needed to the physical network
Unequaled Operational Control
• Industry-leading integrated WLAN security
• Most TCO-effective, efficient management
Exceptional Solutions Enablement
• Open partner ecosystem that offers existing high-value Converged Mobility Solutions and fast integration of new ones
• A complete voice portfolio and robust multimedia features to accelerate the integration of voice & data
HiPath Wireless: Converged Mobility Solutions Portfolio
Converged Clients & Devices
HiPath Wireless APs and Sensors
HiPath Wireless Controllers
HiPath Wireless Management Suite
Converged Mobility Applications
HiPath Wireless Access Point
AP 2610 & AP 2620
• “Fit AP” model that efficiently shares processing load with Controller
• Dual radio 802.11a + b/g
• External and Internal Antenna versions
RF Features
• Wi-Fi Certified
• Multi-SSID (16 per AP) with individual suppression
• Load balancing and auto-failover
Plug and Play installation
• Auto discovery of Controller
• Centralized configuration deployment
Enterprise Class Access Point
• 10/100bT with PoE (802.3af)
• Wall, ceiling, and plenum (UL 2043) mounting
SCALANCE W788-2RR: True Industrial-grade WLAN
Expands enterprise WLAN functionality to harsh industrial and outdoor environments
• Dual-radio 802.11 a + b/g access point
• Runs HiPath Wireless Access Point software for complete device management integration in mixed carpeted/concrete environments
• I-Safe compliant
Industrial certification for:
• ATEX (ex area)
• EMC
• UL
• FM
Rugged housing:
• IP65 protection against dust and water
• Chemically resistant and flame-retardant
• Halogen and Silicon-free
• Safe operating temperature range: -20 to 60°C
HiPath Wireless Controller
Each Controller Model runs consistent HiPath Wireless Convergence SW
• Integrated HiPath Wireless Assistant web-based management interface
• Full Layer 3 Routing: Static, OSPF
• Mobile User Services: AAA Services, DHCP Services, Mobility Management (Client-independent), Roaming
Multiple Hardware Platforms
• C1000 Controller: 75-200 APs, 4096 Users, 2x Gig Ethernet Ports, Redundant PSU
• C100 Controller: 31-75 APs, 2048 Users, 4x Fast Ethernet Ports, Redundant PSU
• C10 Controller: 30 or fewer APs, 512 Users, 4x Fast Ethernet Ports
HiPath Wireless Management Suite
HiPath Wireless Assistant: Controller-based integrated web management
• Access Point deployment & configuration
• VNS user segmentation and policy
• Network Statistics
• AP Management, Controller Management, Sensor Management
HiPath Wireless Manager: Multiple Controller network management
• Reporting, monitoring, and statistics
• Graphical network topology
HiPath Wireless Manager Advanced Services
HiGuard Module
• Sophisticated wireless intrusion prevention
• Graphical location-based services
• Intuitive management dashboard & reports
HiGuard Reporting Module
• Assesses network compliance with industry or regulatory specifications
• Intuitive reports facilitate conformance
HiPath Wireless Manager
Centralized multi-Controller management platform for large wireless networks:
• Comprehensive global network view provided by hierarchical map
• Charts, statistics, and reports for network trend analysis
• Detailed event logs and alerts make it easy to zoom in and troubleshoot issues
Advanced Services modules available to enhance WLAN capabilities:
• HiGuard – Wireless IPS and location
• HiGuard Reporting – Compliance tool
Open APIs provide opportunity for further solution integration
HiPath Wireless Manager: HiGuard and HiGuard Reporting
Resolves unique “open air” challenges of managing wireless LANs
HiPath Wireless Manager HiGuard provides the following advanced services:
• State-of-the-art wireless intrusion detection and prevention capabilities
• Visual mapping and location capabilities
• Performance optimization
• Comprehensive dashboard leading to advanced charts, reports, and statistics
HiGuard Reporting delivers automated compliance assessments:
• Pre-defined regulatory reports (Sarbanes-Oxley, HIPAA, etc.)
• Ability to create customized reports
HiPath Wireless Client Portfolio
Wireless Telephones and Softphones
• optiClient130
• optiPoint WL2 professional
• optiPoint WL1 professional
• optiPocket
optiPoint WL2 professional WiFi Phone Features:
• 802.11b / g, SIP and CorNet IP Protocol Support
• Color Display (128 x 128), USB Port
• LDAP Dialing, Voice Recognition Dialing and Built-In Headset Jack and Speakerphone
• Embedded Linux Operating System
• Open Standards Based: WPA2/802.11i, WPA, WEP (64 / 128 bit), VPN, CCX, LEAP
Managed Services
Lifecycle Services
Professional Services
Network management
Security management
Multi-Vendor Support
Asset management
Service/Help Desk
24/7 Remote Monitoring
802.11 RF site survey
Network assessment
Applications assessment
Systems integration/design
Security planning
Remote monitoring, diagnostics, reporting
Hardware/software installation, maintenance, fixes, spare parts
Moves, Adds, Changes (MACs)
Training
[Diagram labels: Manage, Educate, Support, Build, Design, Consult]
HiPath Wireless Services – Making WLAN even easier!
HiPath Wireless: Architectural Features
[Diagram labels: Converged Mobile Enterprise, Flexible Architecture, Operational Control & Effectiveness, Solutions Enablement]
HiPath Wireless Network Topology
HiPath Wireless Controller and Convergence Software
• Routes IP Traffic to and from Mobile Users
• Comprehensive Policy Management and User Segmentation via VNS
• Centralization of Moves/Adds/Changes
HiPath Wireless Access Points
• Plug & Play anywhere on an IP Network
• Communicates to WLAN Controller via IP
Mobile Units
• IP Addresses are from virtual IP subnet defined in the Controller
• Includes VoWLAN phones and soft clients
• Fast Secure Roaming
HiPath Wireless Manager
• Multi-controller full network management
• Intuitive dashboard plus detailed trend analysis and problem diagnosis
• Sophisticated wireless intrusion prevention
• Graphical location services
[Diagram labels: IP Network, WAN, RADIUS Server, VoIP Platform, Segment A (Real Time Data), Segment B (Factory), Segment C (Guest Access), Segment D (Voice)]
HiPath Wireless Architecture: Enabling WLAN Mobile Convergence
Access Points
• Intelligence at edge
• Layer 2 bridge
Wireless LAN Switch
• Centralizes intelligence 100m from the edge
• Provides Layer 2 services
Mobile Session Management
• Full Layer 3 solution
• Centralizes intelligence anywhere in the network
• Converged voice & data
VLAN-based WLAN Appliance
• Centralizes intelligence with pre-configured VLANs
• Provides Layer 2 services
[Diagram labels: VLAN Network, IP Network]
HiPath Wireless Architecture: Split MAC versus HiPath Fit AP
Fit AP
• Decentralizes dynamic decision making (encryption, QoS, RF management)
• Centralizes management and control
Split MAC
• Splits MAC function with controller (encryption, QoS, RF management)
• Not scalable to medium-large networks
[Diagram label: IP Network]
HiPath Wireless: Flexible, Non-disruptive Network Integration
Independent Wireless Domain
• Best solutions for unique wireless challenges
Integrated Wired Network Services
• Seamless handoff when wireless client touches wired network (or vice versa) for services and management
Intelligent Traffic Management
• Optimal use of RF spectrum for peak performance, intelligent routing and switching in wireline network
[Diagram label: Application Migration]
HiPath Wireless: IEEE Standard Tracking
802.11a/b/g: certified
802.11i (WPA): certified
802.11i (WPA2): certified
802.11e (WMM): certified
802.11d: certified
802.11h: supported in V4
802.11j (extensions for Japan): supported
802.11k: pre-standard work done, but full implementation not ready until standard ratification
802.11m: planned
802.11n: planned
802.11r (Fast Roaming): planned
802.11s (Mesh Networking): WDS with ST planned
802.11v/u (Radio Management enhancements): planned
CAPWAP Tunneling Protocol (CTP)
Traffic is tunneled from Access Points to the Controller via CTP
Enables centralized WLAN management to stretch anywhere via IP
Ability to encapsulate and forward management traffic and/or user traffic
[Diagram labels: HiPath Wireless Controller (HWC), Access Point]
HiPath Wireless Architecture: Multiple Modes for Maximum Deployment Flexibility
Building – Coordinated Mode
• Central Management
• Central Traffic Management
• 100s APs
Small Office – Standalone Mode
• Local Management
• Local Traffic Management
• Few APs
Public Access – Any Mode
• Central Management
• Central and Local Traffic Management
• Outdoor AP
Campus – Coordinated Mode
• Central Management
• Central Traffic Forwarding
• Full Redundancy
• 1000s of APs
• DRM
Remote Office – Branch Mode
• Central Management
• Local Traffic Forwarding
• Few APs
VNS Groups: Guest, Employee, Voice, Consultant, Branch
[Diagram labels: WAN, Internet, Network, L2, L3, L2 or L3]
Deployment Scenarios: HQ & Campus
Med-Large Building/Campus
Characteristics
• Typical Controllers: C100 – 1536 users, C1000 – 4096 users
• Multiple Controllers can be combined to serve thousands of users
• HWCs load balance with high availability
• Controllers can be deployed centralized or distributed
• Works with multiple router hops
[Diagram labels: WAN Network, Router, VoIP Call Server, HWC, Existing L2 switch]
Deployment Scenarios: SME
Small Office/Department
Characteristics
• Typically HWC: C10
• WAN router optional
• Controller at small office does not need an HQ Controller unless seamless inter-site roaming required
[Diagram labels: WAN Router, VoIP Call Server, Existing L2 switches, WAN Network]
Deployment Scenarios: One VPN Solution, One Logical Network!
Single logical network
• No VLANs required (no leakage or configuration issues)
• Separate physical networks
Single VPN Gateway
• Remote User & Wireless Clients
• No Client Issues
• Same PKI infrastructure
WLAN
• Wireless Security as required
• WPA2 can be used on wireless link
[Diagram labels: Controllers, VPN Gateway, Access Points, DMZ, VPN for Remote Users, Internet]
Deployment Scenarios: 3rd Party AP Integration
3rd Party APs must reside on separate LAN segments with the Controller as the default gateway
Controller implements policy on user traffic that traverses through it
3rd Party AP segment is defined as a special “VNS” with its own IP address space
[Diagram labels: 3rd Party APs, LAN Segments, RADIUS, IP Network]
Branch Support: Limitations in Large Distributed Environments
Second Generation WLAN (Fat AP)
• Introduced management server to handle some distributed functionality
• However, customers seeking full 3G functionality require separate WLANs
[Diagram labels: Internet, Headquarters Office, Branch Office 1, Branch Office 2, Software-based Management Appliance, Management Traffic]
Third Generation WLAN (Thin AP)
• Introduced “branch controllers” to keep WLAN traffic local
• However, this adds management complexity and is costly
[Diagram labels: Internet, Headquarters Office, Branch Office 1, Branch Office 2, Controller, Mini-Controller]
HiPath Wireless Branch Support: Traffic Segmentation for Peak Performance
HiPath Wireless Access Points can dynamically decide if traffic should remain local or be routed to the Controller
• Traffic segmentation policy defined at the Controller
• Sensitive real-time applications enjoy optimal performance
[Diagram labels: Internet, Headquarters, Branch Location, Local, Central]
HiPath Wireless: Operational Control Features
[Diagram labels: Converged Mobile Enterprise, Flexible Architecture, Operational Control & Effectiveness, Solutions Enablement]
HiPath Wireless Meets Your Operational Needs
Maintenance & Configuration
• Centralized management
• User segmentation and policy management
• User adds/changes/deletes
• Software upgrades
Monitoring
• Visual network map and location services
• Support for standard management protocols
• Verbose charts, statistics, and reports
• Troubleshooting tools
Deployment
• Site Planning
• Easy device installation
Availability
• Controller & AP redundancy
• Dynamic RF management
Scalability
• Controller Capacity
Security
• Encryption & authentication support
• Wireless IDS/IPS
Performance
• Ability to define & optimize traffic flow
• Support for multi-site deployments
• Visual RF coverage mapping
• Voice optimization and QoS
Interoperability
• Standards support & certification
However, above all else:
“Customers have moved from asking if the technology works and interoperates to asking how wireless LAN can benefit their company and how it can be deployed and managed in a secure and cost-effective fashion.”
Source: US WLAN Equipment 2005-2009 Forecast by Vertical Market, IDC 2005
Maintenance & Configuration: HiPath Wireless Assistant
Web-based centralized management interface that resides on the Controller and administers all associated Access Points
Primary configuration interface for HiPath Wireless networks
Access Point deployment
Virtual Network Services (VNS) segmentation
Dynamic RF Management
Accounting, reports, alerts, and statistics
Maintenance & Configuration: Virtual Network Services (VNS)
VNS groups can segment users, devices, or applications
• Each VNS tied to an SSID
• Each Controller supports up to 50 VNS groups
Logical layer 3 segmentation eliminates complicated configuration of VLANs
Network privacy maintained
• Each VNS has a discrete IP address space
• Network filters ensure that VNS groups are kept separate
• Users can only see authorized resources (e.g. Guest web access)
[Diagram: VNS Segmentation. Labels: Internal Network, Internet, Secure Network, Guests, Captive Portal, Staff, Data, Voice Users, VoIP Server]
Maintenance & Configuration: VNS Management – Unique & Discrete Policy Control
Each VNS is configured with distinct settings:
• IP networking parameters
• Session timeout values
• Network resource Access
• Security policy
• QoS Settings
• Multicast settings
• Local or centralized traffic forwarding
• 802.11 RF settings
• Assign SSID and suppression
• Applicable APs and radios
Maintenance & Configuration: VNS Management – Flexible Traffic Forwarding
Each VNS can be configured to bridge traffic locally at the AP instead of through the Controller (default)
Management information (statistics, logs, etc.) and authentication traffic are still forwarded centrally
Maintenance & Configuration: VNS Management – Security Settings
Separate security options can be defined for each VNS group:
Authentication
• Captive Portal: Internal or external server
• MAC-based Authentication
• RADIUS, 802.1X
• Tested interoperability with leading RADIUS vendors (Funk, Microsoft)
Privacy (Encryption)
• 64, 104 & 128 bit WEP
• WPA-PSK with AES
• WPA with TKIP
• WPA2 with AES (802.11i)
Maintenance & Configuration: VNS Management – QoS Prioritization
QoS can be enabled or disabled on a per-VNS basis
Six QoS options available:
1. Best Effort
2. WMM priority
3. Pre-WMM priority
4. Pre-WMM and WMM priority
5. Voice VNS without WMM
6. Voice VNS with WMM
QoS policy is enforced by VNS
Ensures high-priority user groups and/or real-time applications get the performance they need
Maintenance & Configuration: VNS Management - Filtering
VNS groups can only see specified resources
VNS groups are logically discrete and not viewable by other VNS groups
Filter characteristics:
• 2048 filters per HWC
• Default filters for pre and post authenticated sessions
• Users can be assigned to individual filters based on authorization response
Maintenance & Configuration: Access Point Software Upgrades
Centralized distribution of AP software updates minimizes ongoing maintenance costs
• Retrieve AP images
• Manage up to 10 different AP image versions
Upgrade behavior defined for each AP:
• Controlled Upgrades push a specific software version to a single AP or group of APs
• Default AP image is loaded each time the AP boots
Maintenance & Configuration: Client (Mobile Unit) Management
Individual users can be identified to allow administrators to take immediate action:
Disconnect at AP
• Effective to force re-authentication
Blacklist
• MAC Addresses not allowed to associate with any AP
• Import and export functions
• Up to 768 blacklist members per Controller
Monitoring: HiPath Wireless Assistant Reports
Monitoring: Management Logging
AP and Controller information is gathered into log files
• 5 different configurable priority levels
Log information can be directed to multiple locations:
• Local Controller log file
• External Syslog server
• Up to 3 Syslog Reporting servers simultaneously
Traces can be set up for troubleshooting
Monitoring: RADIUS Accounting
Either stored locally on Controller or externally to up to 3 RADIUS Accounting servers
Accounting Data
• User Information: Userid, MAC Address, VSAs
• Usage Information: Session Time, Bytes/Packets Exchanged, Terminate reason
Accounting information configured per VNS and sent as Call Detail Records (CDRs) or RADIUS Accounting
Deployment: Plug & Play AP Installation
Plug & Play installation via automatic Controller discovery makes WLAN deployment faster and easier
AP Discovery
• Acquire IP address
• Acquire Controller IP address(es)
• Provision via Controller configuration
Then AP Registration
• Authenticate
• Get Configuration
• Be Managed
• Provide WLAN user service
[Diagram labels: DHCP, DNS]
Deployment: Plug & Play AP Installation – Discovery Options
Dynamic Discovery
• Enables more than one way for APs to discover HWC
• Enterprise can leverage infrastructure or apply preference
1. SLP – for highest reliability
2. DNS – for simplest automated discovery
3. SLP Multicast – for L2 only network
• All discovery mechanisms enabled
• Continuously attempts all mechanisms until connected to a Controller
AP Discovery Order:
1. Static
2. SLP
3. DNS
4. SLP Multicast
Static Discovery
• APs can be manually configured with an IP address and Controller IP address(es) to expedite discovery and registration
• Remaining deployment information pushed from the Controller upon boot
High Availability: End-to-End WLAN Resiliency
Session continuity
• Survival through Access Point and network outages
Redundant Controllers
• Ensure against controller outage
• Redundant power supplies
• Run in load sharing mode
Survives network failures
• Multiple interface support on controller
• Full functioning router
High Availability: Load Sharing Controller Failover
Controllers are paired for redundancy, and each must continually provide Access Point information to its paired Controller
• Each Controller monitors for Controller and/or network failure
• Once failure is detected, Controller will accept AP connections from its availability partner
• AP capacity limit can be doubled in this circumstance
• APs are re-associated with primary Controller via management interface once functionality is restored
Advantages over N+1 redundancy configurations:
• Unlike N+1 redundancy configurations, both primary and backup Controllers are always actively servicing users
• Requires the minimum amount of hardware (less than or equal to N+1)
High Availability: Load Sharing Controller Failover – The AP’s Role
Access Points learn address of failover Controller during discovery
Keep alive mechanism to detect failure is built in to AP-Controller communications (CTP):
• Polling times are configurable
• Re-discovers to “secondary” Controller after failure
• AP is assigned to a VNS pre-configured by administrator
[Diagram labels: HWC 1 - Primary, HWC 2 - Secondary, AP1, AP2, AP 3, AP4, VNS A, VNS B, VNS C, VNS A’, VNS B’]
High Availability: Dynamic Radio Management (DRM)
High availability and performance through automatic Access Point fault tolerance and client load-balancing
• Dynamic optimization of RF power and channel selection performed cooperatively by Access Points
• Centralized Controller-based configuration
• Managed RF signal co-existence with friendly neighbouring networks
High Availability: DRM Coverage Types
[Diagram: Management Power and Data Power coverage, shown with Shaped Coverage OFF and Shaped Coverage ON]
Security: Comprehensive Integrated WLAN Security
HiPath Wireless lets enterprises achieve the benefits of WLAN without the security risks:
• 802.11i / WPA2 standard support for Authentication and Data Confidentiality
• Proactive Intrusion Detection and Prevention via HiPath Wireless Manager HiGuard
• Captive Portal and Guest Services
• Seamless integration with wired network VPN and authentication infrastructure
[Diagram labels: RF Level Security (Wireless IPS), Frame Level Security (802.11i/WPA2), Session Level Security (802.1X), Intrusion Detection and Prevention, Data Confidentiality and Integrity, Authentication And Access Control]
Security: HiPath Wireless Full Range of Security Options
HiPath Wireless features an array of security features to meet your company’s specific needs
RF-Level Options
Multi-tasking APs scan network & provide access
“Dedicated IDS” Rogue Detection APs
HWM HiGuard Sensors
• Threat Auto-classification
• Continuous Scanning
• Simultaneous attack prevention & detection
• Visual location and mapping
Frame-Level Options
WEP: CRC-32 (RC4) Encryption, Pre-shared Key Authentication
WPA: TKIP (RC4) Encryption, 802.1X Authentication
WPA2 (802.11i): CCMP (AES) Encryption, 802.1X Authentication
[Diagram axis: Degree of Security]
Security: 802.1x and EAP Authentication
802.1x security protocols are tunneled to the Controller
802.1x defines Extensible Authentication Protocol over LAN (EAPoL)
The Controller terminates EAPoL and forwards EAP messages in RADIUS messages
Clients exchange EAP messages directly with the RADIUS server
[Diagram labels: Access Point, HiPath Controller, RADIUS, EAP (TLS, TTLS, PEAP, SIM, FAST), EAPoL, RADIUS]
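The relay step described on this slide, written out as an added example (not Siemens code): an authenticator unwraps the EAP packet from an EAPoL frame and carries it to the RADIUS server in EAP-Message attributes protected by a Message-Authenticator, as RFC 3579 specifies. The function names, shared secret and sample frames are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET = 0      # EAPOL packet type 0 = EAP-Packet (IEEE 802.1X)
ACCESS_REQUEST = 1        # RADIUS code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types
EAP_RESPONSE, EAP_IDENTITY = 2, 1


def sample_eapol_response(ident, eap_type, type_data):
    """Constructed supplicant frame: EAPOL v2 header + EAP-Response of the given type."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(type_data), eap_type) + type_data
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap


def eap_from_eapol(frame):
    """Authenticator side: strip the 4-byte EAPOL header, return the validated EAP packet."""
    if len(frame) < 8:
        raise ValueError("frame too short for EAPOL + EAP headers")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL frame does not carry an EAP packet")
    _code, _ident, eap_len = struct.unpack("!BBH", frame[4:8])
    if not 4 <= eap_len <= body_len or len(frame) < 4 + eap_len:
        raise ValueError("inconsistent EAPOL/EAP length fields")
    return frame[4:4 + eap_len]          # drops any link-layer padding


def radius_attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(eap, secret, identifier, authenticator=None):
    """Wrap one EAP packet in an Access-Request (RFC 3579 encapsulation)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    if eap[0] == EAP_RESPONSE and len(eap) > 5 and eap[4] == EAP_IDENTITY:
        attrs += radius_attr(USER_NAME, eap[5:])
    # An attribute holds at most 253 bytes, so long EAP packets span several.
    for off in range(0, len(eap), 253):
        attrs += radius_attr(EAP_MESSAGE, eap[off:off + 253])
    mac_at = 20 + len(attrs) + 2
    attrs += radius_attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while hashing
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
                    + authenticator + attrs)
    pkt[mac_at:mac_at + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def eap_from_access_request(pkt, secret):
    """Server side: verify Message-Authenticator, then reassemble the EAP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    zeroed, eap, received_mac, pos = bytearray(pkt), b"", None, 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + attr_len]
        elif attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received_mac = pkt[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if pos != length or received_mac is None:
        raise ValueError("missing Message-Authenticator or trailing bytes")
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received_mac, expected):
        raise ValueError("Message-Authenticator mismatch")
    return eap
```

A request that fails the Message-Authenticator check is rejected before any EAP bytes are interpreted, which is what protects the relayed EAP conversation from modification between authenticator and server.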
Security: Importance of Wireless IDS/IPS
Most enterprise WLAN vendors have standardized on 802.11i (WPA2) WLAN security
However, industry standards focus on securing packets and validating users, but ignore securing the air
No industry standard exists for securing the RF level
Wireless Intrusion Detection and Prevention (IDS/IPS) complements frame-level mechanisms for complete WLAN security
[Diagram labels: Enterprise Network, Neighboring Network, Ad Hoc, Denial of Service Attack, Rogue AP, Mis-Configured AP, Unauthorized Association, Mis-association, Honeypot, AP MAC Spoofing]
Exploits & Attacks
• Unauthorized Access
• Denial of Service (DoS)
• Man in the Middle
• IP Spoofing
• Hijacking
Security: Integrated AP Rogue Detection
Scan Task
• Selected HiPath Wireless APs scan the RF space at pre-defined intervals for Rogue APs and Ad Hoc networks
RFDC
• Collects the raw scanned information from each scanning HiPath AP
• Forwards it to the Analysis Engine
Analysis Engine
• Analyzes all information centrally
• Reports and events can be viewed from HiPath Wireless Assistant
• SNMP alerts and traps can be sent
[Diagram labels: Scan Task, RFDC, Analysis Engine, SNMP Server (Unicenter, Tivoli, Openview), HiPath Wireless Assistant]
Security: Integrated AP Rogue Detection - Mitigator
Rogue AP detection information found in the Mitigator section of HiPath Wireless Assistant
Scan Groups define rogue detection parameters
• Designate scanning APs and intervals
• Configure channels and dwell time
Reports provide:
• Summary threat page
• Detailed information on each threat: Detecting APs, Type of threat
Friendly AP incorporation
• Detected APs can be added to the Friendly list
• Ability to manually add friendly APs
• 3rd Party APs automatically added
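The scan, collect and analyze flow from the two rogue-detection slides, sketched as an added example (not the product's analysis engine): raw observations from scanning APs are merged per BSSID, then classified against the managed inventory and the Friendly list. The record format, classification rules, inventory and scan data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (assumed format): managed BSSID -> configured channels.
MANAGED = {"00:11:22:00:00:01": {1, 36}, "00:11:22:00:00:02": {6, 40}}
FRIENDLY = {"66:77:88:00:00:aa"}            # neighbours accepted by the administrator
OWN_SSIDS = {"corp-data", "corp-voice"}

# Constructed raw observations: (scanning AP, BSSID, SSID, channel, mode).
SCANS = [
    ("AP-07", "00:11:22:00:00:01", "corp-data", 1, "infrastructure"),
    ("AP-07", "00:11:22:00:00:02", "corp-voice", 11, "infrastructure"),
    ("AP-07", "DE:AD:BE:EF:00:01", "corp-data", 6, "infrastructure"),
    ("AP-12", "de:ad:be:ef:00:01", "corp-data", 6, "infrastructure"),
    ("AP-12", "66:77:88:00:00:AA", "cafe-wifi", 11, "infrastructure"),
    ("AP-12", "02:aa:bb:cc:dd:ee", "printer-setup", 1, "adhoc"),
    ("AP-07", "9c:00:00:00:00:10", "default", 3, "infrastructure"),
]


def collect(scans):
    """RFDC role: merge raw per-scanner observations into one record per BSSID."""
    merged = defaultdict(lambda: {"ssids": set(), "channels": set(),
                                  "modes": set(), "detected_by": set()})
    for scanner, bssid, ssid, channel, mode in scans:
        rec = merged[bssid.lower()]          # normalise case before comparing
        rec["ssids"].add(ssid)
        rec["channels"].add(channel)
        rec["modes"].add(mode)
        rec["detected_by"].add(scanner)
    return dict(merged)


def classify(bssid, rec, managed, friendly, own_ssids):
    """Analysis role: assign one threat type per BSSID (heuristics are assumptions)."""
    if "adhoc" in rec["modes"]:
        return "Ad Hoc"
    if bssid in managed:
        # A managed BSSID heard on a channel it is not configured for
        # suggests another radio is using its MAC address.
        return "AP MAC Spoofing" if rec["channels"] - managed[bssid] else "Managed"
    if rec["ssids"] & own_ssids:
        return "Honeypot"                    # unknown radio advertising our SSID
    if bssid in friendly:
        return "Friendly"
    return "Unknown AP"                      # candidate rogue; review or add to Friendly


def analyze(scans, managed, friendly, own_ssids):
    """Return the threat report: type of threat plus the detecting APs."""
    report = []
    for bssid, rec in sorted(collect(scans).items()):
        threat = classify(bssid, rec, managed, friendly, own_ssids)
        if threat not in ("Managed", "Friendly"):
            report.append({"bssid": bssid, "threat": threat,
                           "ssids": sorted(rec["ssids"]),
                           "detected_by": sorted(rec["detected_by"])})
    return report


if __name__ == "__main__":
    for row in analyze(SCANS, MANAGED, FRIENDLY, OWN_SSIDS):
        print(row)
```

Checking the own-SSID rule before the Friendly list means a Friendly-listed neighbour that starts advertising a corporate SSID is still reported.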
Security: WebJail Quarantine
Security
• Ability to quarantine and redirect
• Dynamic policy management
Partner Ecosystem API
• Provides dynamic feedback on WLAN and user states for customized user redirection
Actions:
• Blacklist an IP address
• Change VNS (to/from quarantine VNS)
• Controller disassociates and automatically moves user to quarantine VNS
• Dynamic traffic filtering
Remedial Server:
• Check Point Zone Labs
• Bradford
• Tipping Point
• API link for customization
[Diagram labels: Internet, Secure Network, Network, Approved, Approved Group B, Quarantined]
Scalability: Multi-Controller Mobility
In a multi-Controller environment, Controllers are defined as either a “VN Manager” or a “VN Agent”
VN Manager is responsible for managing the distribution of client session information to all VN Agents
• VN Agents are associated with a VN Manager, creating a “Mobility Domain”
• VN Agents only communicate with the VN Manager
• If a VN Agent fails, VN Manager will clean up the session information
[Diagram labels: VN Manager, VN Agent, VN Management Messages]
HiPath Wireless Manager: Centralized Multi-Controller Management
Comprehensive global network view provided by hierarchical map
Network auto-detection:
• Installed Controllers and associated APs
• Mobility zones
• Availability pairs
Click on a Controller to automatically launch HiPath Wireless Assistant for configuration changes
HiPath Wireless Manager: Comprehensive Monitoring Tools
Consolidated charts, statistics, and reports for network trend analysis
Detailed information kept on every associated user and device for easy problem isolation
Alerts can be set for:
• Specific events (e.g. device failures)
• Surpassed thresholds
Associated Clients, Aggregate Bandwidth (%, Mbps), Tunnel Traffic (bytes), Busiest Devices, RADIUS Requests/Failures
HiPath Wireless Manager HiGuard: Architecture
HiPath Wireless Manager HiGuard:
1. Builds a model of the network
2. Directs real-time sensing of the network
3. Analyzes sensing results via heuristics
4. Forwards results to core RF management services:
• Intrusion Prevention (IPS)
• Location Services
• Performance Optimization
• Network Monitoring and Control
[Diagram labels: Real-time Monitoring, HWMA Analysis Engine, Network Monitoring and Control, Policy Manager, Intrusion Prevention, Performance Optimization, Location Services, Modeling Interface, HiPath Wireless Controllers, 3rd Party Management Tools, 3rd Party Planning Tools]
HiPath Wireless Manager HiGuard: Superior Wireless Intrusion Prevention (IPS)
HWM HiGuard deploys sensors to continually scan the RF space to detect and defend against threats the standards (e.g. 802.11i) don’t touch
HiPath Wireless Manager HiGuard automatically:
• Identifies and classifies potential threats, enabling administrators to find and remove them from the network
• Identifies friendly neighboring devices and users to allow co-existence without compromising network resources
Proven best in class performance among both standalone and integrated IDS/IPS solutions
• 100% success vs 65%-75% from competitors (Tolly Group, 2006)
Visual representations of the RF coverage area and wireless devices make threat removal especially easy
NOTE: Defending the air space surrounding the network should be a requirement even if there is no wireless LAN support
HiPath Wireless Manager HiGuard: Location Services
Locate any device on the network (3m accuracy):
By distance from sensors or by visual map
Temporarily activate additional APs as sensors for greater accuracy
Use for security, asset tracking, etc. or open interface into 3rd party apps
HiPath Wireless Manager HiGuard: Visualized Performance Optimization
Multiple views available:
• Coverage view by radio and AP
• Link Speed view
• Sensor IPS and IDS coverage
Real-time visualization enables optimal device placement to maximize performance and protection
HiPath Wireless Manager HiGuard: Monitoring and Reporting
Intuitive management dashboard provides summary evaluations at a glance
All views and reports can be launched from here (charts, graphs, logs, reports, etc.)
Automated compliance reporting (with HiGuard Reporting module)
HiPath Wireless Manager HiGuard Reporting: Automated Compliance Reports
Audits conducted at defined intervals based on event history and compared with regulatory compliance specifications
Available pre-defined reports:
• DoD Directive 8100.2
• Gramm-Leach-Bliley
• Sarbanes-Oxley
• HIPAA
Custom report tool enables definition of test criteria specific to your own company or industry
HiPath Wireless: Solutions Enablement Features
HiPath Wireless Meets Your Solutions Needs
“Operational and security discussions will be augmented by the emergence of new applications and product functions that increase the value and ease the steps required to take advantage of network portability and mobility in the enterprise.”
Source: US WLAN Equipment 2005-2009 Forecast by Vertical Market, IDC 2005
Voice-over-WLAN and Multimedia
• H.323 and SIP support
• VoWLAN client interoperability
• Optimized voice performance and power-saving
• 802.11e/WMM support
• Multicast support
Location-based Services
• Location accuracy
• Network Visualization
• Coordination with LBS applications
• Support for active RFID technology
• Visual network map and location services
Guest Networking
• Ability to segregate guest users
• Transparent, secure authentication
• Accounting and billing
Solution Integration
• Partner solutions portfolio
• Integration APIs
• Certification program
Enabling Mobility Solutions
HiPath Wireless makes it faster and easier to deliver complete converged mobility solutions that enhance your business processes
Converged Mobility Solutions deliver optimal performance & functionality through:
• A portfolio of existing partner solutions
• A solution certification program for customers and system integrators
• Open APIs for custom development: Location coordinates, Presence information, Call control information
HiPath Wireless Partners:
Voice-over-WLAN (VoWLAN): Secure Fast Roaming
HiPath Wireless method: Pre-Authentication with Key Caching
• Highest security
• Fast secure L3 roaming (< 40ms controller to controller)
Description: WPA2 pre-authentication and Key Caching (HiPath Secure Fast Roaming)
  Pro: Eliminates the latency contribution of 802.1x authentication; maintains a high level of voice security
  Con: Requires handset support for WPA2; extra authentication overhead due to pre-authentication
Description: Key Sharing
  Pro: Eliminates the latency contribution of 802.1x authentication
  Con: Reduces the overall security by sharing PMKs across the network.
Voice-over-WLAN (VoWLAN): Secure Fast Roaming
WPA2 client simultaneously establishes Pairwise Master Key (PMK) with primary AP and pre-establishes PMKs with neighboring APs
• This forces the client to re-authenticate prior to roaming
• The Controller allows WPA2 to pre-authenticate
When roaming, the WLAN client is already pre-authenticated by controller and is allowed to roam seamlessly
[Diagram labels: WPAv2 client; PMK established with primary AP; PMK established with neighboring AP]
Voice-over-WLAN (VoWLAN): Quality of Service: 802.11e / WMM
Enabled per VNS/SSID
4 priority queues per radio
Recommended when voice and data traffic share same SSID
Prioritizes voice traffic
Adaptive (end-to-end) QoS:
CTP IP packet automatically configured to DSCP matching WMM marking
The HiPath Wireless Portfolio is Wi-Fi Multimedia (WMM) certified
WMM Priority Marking   Priority (3 = highest)   Description
AC_VO                  3                        Voice
AC_VI                  2                        Video
AC_PR                  1                        Prioritized non-RT Data
AC_DA                  0                        Data
Voice-over-WLAN (VoWLAN): Quality of Service: Adaptive QoS
HiPath Wireless maintains IP QoS prioritization between the wired and wireless networks
• IP TOS field (DiffServ/Precedence) copied to CTP header
• Entire 8 bits are copied
• Client IP QoS maintained within CTP
Adapts seamlessly to existing wired QoS policies
[Diagram labels: IP TOS bit fields (bits 0 to 7); Subnet A; Subnet B; Subnet C; Subnet x; Subnet y; VNS; Voice Gateway]
Voice-over-WLAN (VoWLAN): End-to-end Voice Quality of Service (QoS)
High Quality Voice: R-value >78 for 12 concurrent calls; Turbo Voice queue
Legacy QoS: SpectraLink SVP (VIEW certified); Prioritization by SSID
Battery Life: optiPoint WL2 power optimization; UAPSD
End to end QoS: 802.11e / WMM; DiffServ; Adaptive QoS
Call Admission Control: TSPEC (client and AP)
Load Balancing: QBSS Load, Neighbor reports
[Diagram labels: WMM; IP TOS/Prec/DSCP; Subnet A; Subnet B; Subnet C; Subnet x; Subnet y; VoIP Gateway; LAN QoS Traffic Shaper]
Voice-over-WLAN (VoWLAN): Enhanced Roaming with QBSS Load IE
Beacon & Probe Request (SSID, …, QBSS load)
AP QBSS LOAD   2.4G available bandwidth   5G available bandwidth
AP 1           3 MBps                     20 MBps
AP 2           8 MBps                     12 MBps
AP 3           4 MBps                     15 MBps
AP 4           2 MBps                     7 MBps
[Diagram labels: Associated; Least Busy]
Voice-over-WLAN (VoWLAN): AP Channel Report
Siemens proprietary IE provides details of all configured channels per radio/SSID for the entire wireless network
As a result, the client has fewer channels to scan
• Reduces roaming time
• Increases battery life
Beacon & Probe Request (SSID, …, APchannelreport 1,6,11)
VNS-SSID Voice: Channels 1,6,11
Voice-over-WLAN (VoWLAN): Call Admission Control (CAC)
Client device requests a TSPEC (ADDTS) from the Access Point
AP responds with success or failure (accept or deny)
AP responds based on CAC rules:
• If Util < MAXNew: Accept
• If MAXNew < Util < MAXRoam: Accept only established calls that are roaming
• If Util > MAXRoam: Deny
If denied, client attempts association with the next best AP based on QBSS Load IE
[Diagram: Utilization (Util) scale from 0% to 100% for ADDTS requests, with bands Allow New Calls, Allow Roaming and Deny; 60% = MAXNew, 80% = MAXRoam]
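The CAC rules and the "next best AP" fallback above, written out as an added example (not code from the presentation or the product). The 60% and 80% thresholds are the slide's; the AP utilization figures, the per-call cost of 5% and the choice to rank the remaining APs by advertised utilization are assumptions made for the illustration.

```python
"""CAC thresholds from the slide applied to ADDTS requests, with QBSS-load fallback."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_NEW = 60.0   # percent utilization, value shown on the slide
MAX_ROAM = 80.0  # percent utilization, value shown on the slide


@dataclass
class AccessPoint:
    name: str
    util: float  # utilization in percent (constructed sample values below)

    def handle_addts(self, roaming: bool, cost: float = 0.0) -> bool:
        """Answer one ADDTS request; reserve `cost` percent when it is admitted.

        Assumption: the slide leaves Util == MAXNew and Util == MAXRoam open;
        here both boundaries fall into the more restrictive band.
        """
        if self.util < MAX_NEW:
            admitted = True       # new and roaming calls are accepted
        elif self.util < MAX_ROAM:
            admitted = roaming    # headroom is held back for roaming calls
        else:
            admitted = False      # deny everything
        if admitted:
            self.util += cost
        return admitted


def place_call(aps: List[AccessPoint], preferred: str, roaming: bool,
               cost: float = 5.0) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
    """Client side: ask the preferred AP first, then the others, least loaded first.

    Returns the admitting AP's name (None if every AP denied) and the
    ordered list of (ap_name, admitted) attempts.
    """
    first = [ap for ap in aps if ap.name == preferred]
    rest = sorted((ap for ap in aps if ap.name != preferred), key=lambda a: a.util)
    attempts = []
    for ap in first + rest:
        ok = ap.handle_addts(roaming, cost)
        attempts.append((ap.name, ok))
        if ok:
            return ap.name, attempts
    return None, attempts


def sample_network() -> List[AccessPoint]:
    # Constructed utilization figures, not taken from the slides.
    return [AccessPoint("AP 1", 58.0), AccessPoint("AP 2", 72.0),
            AccessPoint("AP 3", 85.0)]


if __name__ == "__main__":
    aps = sample_network()
    for kind, roaming in [("new", False), ("new", False), ("roaming", True)]:
        winner, attempts = place_call(aps, "AP 2", roaming)
        print(f"{kind:8s} -> {winner}  attempts={attempts}")
```

With these sample values the first new call is denied by AP 2 and admitted by AP 1, the second new call is denied everywhere, and a roaming call is still admitted by AP 2 because the band between MAXNew and MAXRoam is reserved for it.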
Voice-over-WLAN (VoWLAN): Balancing WLAN Security & Voice Performance
Some suggest compromise:
• Security: Voice and data segregated by VLANs to maintain data WLAN security. This does not work because: Voice network is still vulnerable; Limited application convergence
• High-Performance Voice: Use of less robust but more efficient security (e.g. WEP) ensures high quality voice. This does not work because: The security problem is not solved
To achieve Secure WLAN & VoWLAN today:
• Security: Encryption: WPA2 & WPA2-PSK; Authentication: 802.1x or PSK; Roaming: 802.1x w/ pre-auth; WIDS/WIPS: prevent credential compromises
• High-Performance Voice: QoS: 802.11e (WMM); AP reports for better roaming and load balancing decisions (e.g. QBSS load IE); Optimized end-to-end VoIP network with minimal packet loss and jitter
Further enhancements coming:
• 802.11r – next generation secure fast roaming
• CAC: WMM TSPEC
• Power save: U-APSD
• 802.11k: better roaming decisions
• 802.11u: advanced CAC (e.g. e911)
Dual-mode VoWLAN – Public Network Roaming
Consistent feature set & UI
ONE mailbox & ONE directory
ONE number service
[Diagram labels: Enterprise IP Network; HiPath 8000 softswitch; Mobility Appliance; HiPath Wireless Network; Public Mobile Network; Hand-over Control; Mobile on-/off-site; LAN; Cellular communication; Enterprise on-site]
Voice-over-WLAN (VoWLAN): HiPath WLAN Controller & HiPath Integration
[Diagram labels: Large Enterprise / Campus; Small Enterprise / Building; Branch Office; HiPath 3-8K Communication Platforms (incl. GWs); HiPath 3000; HiPath WLAN Controller; optional; HiPath Access Points; HiPath WLAN Handset; optiClient; PSTN; Corporate WAN]
All-in-One Solution:
- HiPath 1/3K
- Access Router
- LAN-Switch
- WLAN Controller
HiPath Wireless Guest Networking Solutions
Providing WLAN access to guests gives businesses:
An additional revenue stream
Increased customer satisfaction
Higher competitiveness and productivity for visiting employees or partners
Guest services over HiPath Wireless leverage existing infrastructure while maintaining corporate network security and performance
VNS defining unique security, performance, and network access
Partnership with Garderos delivers a complete Guest Services solution, including:
• User registration
• Authentication
• Accounting
• Billing
HiPath Wireless Location Service Solutions
Location-based Services (LBS) let companies:
• Track staff across campuses
• Find key equipment or inventory
• Efficiently deploy mobile resources
LBS boosts resource productivity and availability, and minimizes the costs of theft or loss
HiPath Wireless Manager HiGuard can locate any device on the network to within 3 meters, and represent it on a floor plan
Partnerships help to deliver real-time location services and can use RFID tags to track anything
Source: US WLAN Equipment 2005-2009 Forecast Update, IDC 2005
“A new class of enterprise application that… use[s] the mobile and ubiquitous nature of the WLAN to support business processes in ways a wired network cannot.
In essence, the network becomes a source of business data instead of a mere conduit.”
Location Partners:
HiPath Wireless Healthcare Solutions: One infrastructure for all solutions
Mobile Data Access
Mobile Monitoring
Monitor Alerting
VoWLAN and Nurse Call
Hotspot for Patients and Visitors
RFID Services
Key HiPath Wireless Features:
• Excellent QoS and fast secure roaming
• Ability to segregate voice traffic from mission-critical data via VNS
Siemens Solution Components:
• HiPath IP Communications Platforms
• optiPoint WL2 professional phone and optiClient soft phone
Partners: Vocera, SpectraLink
Benefits:
• Always reachable and able to communicate
• Fast emergency response
Key HiPath Wireless Features:
• HiPath Wireless CAC to ensure that alerts receive uninterrupted priority access
Siemens Solution Components:
• DACS Alerting Server
• optiPoint WL2 professional phone
• HiPath IP Communications Platforms
Benefits:
• Staff receive alerts immediately
• Fast emergency response
Key HiPath Wireless Features:
• Segregation of medical staff from patients and visitors via VNS
• Strict WPA2 (802.11i) authentication and encryption comply with industry regulations
Partners: Draeger WinView
Benefits:
• Secure real-time access to centralized patient data for medical staff everywhere in the hospital and in branches
• Elimination of paper files and separate, error-prone data transfer into IT system
Key HiPath Wireless Features:
• VNS-segregated patient services and guest networking from medical staff and resources
• Captive Portal – All guest traffic is directed to a login page (internal or external)
VoWLAN Solution Components: HiMed
Partners: Garderos
Benefits:
• Additional revenue stream
• Improved patient service
Key HiPath Wireless Features:
• VNS segregation of high-priority vital sign traffic with QoS
• Access Points bridge monitoring traffic locally for highest performance & reliability, while forwarding other traffic centrally
Siemens Solution Components: HiPath QoS 2000
Partners: Draeger Infinity One Net
Benefits:
• Centralized monitoring and remote control from Draeger MultiView WorkStations
• Fast emergency response
Multimedia: Real-time Application Optimization
Challenges:
Monitoring and alerting must be responsive and resilient
End-to-end QoS is needed
Atypical network applications
HiPath Wireless Ensures:
WLAN multicast support for real-time monitoring via Dräger Infinity OneNet, etc.
Fit APs can locally bridge specific applications for dedicated high performance
Interoperability with HiPath QoS 2000 for end-to-end QoS
HiPath Wireless is the industry’s only Dräger-certified WLAN, and delivers the most optimized solution for real-time healthcare applications with unique multicast and traffic bridging support
Local traffic bridging and multicast support enabled
Centralized management
[Diagram: Dräger Real-time Optimization. Labels: Hospital WLAN; Segregated Dräger Network; Hospital LAN; VoIP Server; Voice Users; Dräger Infinity OneNet; Staff; Data; Dräger Monitor]
RFID Application Scenarios in Healthcare
Location Partners:
HiPath Wireless Manager HiGuard can locate any device on the network to within 3 meters, and represent it on a floor plan
Tight integration with RFID-based vendors provides hospitals with complete real-time location services
RFID wristbands identify patients
Tracking and identification of pharmaceutical inventories
Access and inventory of pharmaceutical cabinets and Medical Records
Real-time patient location systems
Accurate identification of medications for safety check
Asset & equipment tracking
Access to parking areas
Tissue sample and other medical product identification
HiPath Wireless Manufacturing Solutions: One infrastructure for all solutions
VoWLAN
Data Entry
Bar Coding and Inventory
Location Services
Mobility for Outdoor & Harsh Environments
HiPath Wireless Manufacturing Solutions: Network Topology
[Diagram labels: Office Space; Shop Floor Industrial WLAN; HiPath 3-8K; HiPath Wireless Controllers; HiPath Wireless Access Points; optiClient; PSTN; Company WAN; HiPath Wireless Controller; HiPath QoS2000; W788-1PRO; W744-1PRO; ET200S PN; IE/PB Link PN IO; ET200X; PROFIBUS IO-Devices; Industrial Ethernet]
HiPath Wireless Manufacturing Differentiators: SCALANCE W Industrial-grade WLAN Integration
Challenges:
Overcome harsh climate and interference issues
Centralized management of dispersed infrastructure
Unified WLAN across carpeted office and plant floor
Use of enterprise applications
SCALANCE W Delivers:
Highly rugged housing and industry certifications
Full management and feature integration with centralized HiPath Wireless Portfolio
Integration of the SCALANCE W Access Point extends WLAN access and the unique Converged Mobility Solutions to harsh manufacturing environments
Centralized management of all Access Points
Users can seamlessly move between the office and the plant floor
[Diagram: SCALANCE W Integration. Labels: Corporate Office; Plant Floor]
Conclusion
Driving Value with Converged Mobility Solutions
HiPath Wireless drives value through superior Converged Mobility Solutions while maintaining control over network operations and costs
A strong foundation for the Converged Mobile Enterprise:
Flexible, open architecture
Highly secure and easy to manage
A suite of network-aware converged applications supported by a robust partner program
Converged mobility solutions are able to build on the initial WLAN foundation to continually drive value as enterprise needs evolve
HiPath Wireless can help your organization develop into a more competitive, adaptive, and flexible Converged Mobile Enterprise
Why Choose HiPath Wireless?
Complete Enterprise Communications Solutions
• Global leader in converged IP voice communications
• Platforms, client devices, applications, professional services
• Long-standing leadership in wireless and radio communications
Investment Protection
• Scalable, ‘future proof’ design based on industry standards
• Architected and ready for voice/data convergence
• Vendor commitment and viability
Trusted Provider
• Proven leadership in innovation
• Worldwide enterprise communications revenue of over $3.5 billion
• Global presence
BACKUP
What’s so Different? Technology
[Diagram labels: Split MAC AP; Fit AP; Fat AP; Coordinated Mode; Stand-Alone Mode]
                                      Fit AP (coordinated)   Fit AP (branch)   Split MAC       Fat AP
Termination of PHY                    AP                     AP                AP              AP
Termination of MAC                    AP                     AP                Controller      AP
Termination of management protocols   Controller             Controller        Controller      AP
Optimal Deployment                    Overlay                Branch            Wiring Closet   Branch
What’s so Different? Technology
Function                                                   Fit AP                                        Split MAC    Fat AP
802.11 management protocol (RADIUS, 802.1x, SNMP, etc.)    Controller                                    Controller   AP
Probe, Authentication and Association Messages             AP                                            Controller   AP
Frame Translation (802.11 to 802.3)                        AP                                            Controller   AP
Encryption                                                 AP                                            Controller   AP
Dynamic RF Management Operation (DRM)                      AP                                            Controller   External SW
QoS (802.11)                                               AP                                            AP           AP
QoS (802.3/IP reassignment)                                AP                                            Controller   AP
Bridging                                                   AP (branch mode) / Controller (coordinated)   Controller   AP
L2 Roaming                                                 AP (branch) / Controller (coordinated)        Controller   AP
L3 Roaming                                                 Controller                                    Controller   External SW
AP Discovery in Detail
Multiple Discovery Approaches
1. First try Static config
2. If fail – then try DHCP Option 78 & SLP
3. If fail – then try Domain Name Service
4. If fail – then try Layer 2 Multicast (SLP)
5. If all fail, then repeat process indefinitely.
Method that is successful is remembered upon next reboot/restart
Failure = unsuccessful after N retries and M seconds between retries. N and M are configurable from GUI
[Diagram labels: DHCP; DNS; Multicast]
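The discovery sequence above as a small state machine, added here as an example (not code from the presentation or the product). The method identifiers, the probe callables and the reading that "remembered" means the last successful method is tried first after a reboot are assumptions; N is treated as the number of attempts per method. The attempt log records which method supplied the controller address, which is what an administrator would review when auditing how an AP found its controller.

```python
"""Ordered controller discovery with per-method retries, as listed on the slide."""
import time
from typing import Callable, Dict, List, Optional, Tuple

# Method order from the slide; the identifiers themselves are hypothetical.
DISCOVERY_ORDER = ["static", "dhcp_option_78_slp", "dns", "l2_multicast_slp"]

Probe = Callable[[], Optional[str]]  # returns a controller address or None


class ApDiscovery:
    def __init__(self, probes: Dict[str, Probe], retries: int, interval: float,
                 sleep: Callable[[float], None] = time.sleep,
                 remembered: Optional[str] = None):
        self.probes = probes
        self.retries = retries        # N on the slide
        self.interval = interval      # M seconds on the slide
        self.sleep = sleep
        self.remembered = remembered  # method that worked before the last reboot
        self.log: List[Tuple[str, int, Optional[str]]] = []

    def _try_method(self, name: str) -> Optional[str]:
        """A method has failed once N attempts, M seconds apart, found nothing."""
        for attempt in range(1, self.retries + 1):
            address = self.probes[name]()
            self.log.append((name, attempt, address))
            if address:
                return address
            if attempt < self.retries:
                self.sleep(self.interval)
        return None

    def discover(self, max_cycles: Optional[int] = None) -> Optional[Tuple[str, str]]:
        """Walk the methods in order; max_cycles=None repeats indefinitely."""
        order = list(DISCOVERY_ORDER)
        if self.remembered in order:
            # Assumption: the last successful method is tried first.
            order.remove(self.remembered)
            order.insert(0, self.remembered)
        cycle = 0
        while max_cycles is None or cycle < max_cycles:
            for name in order:
                address = self._try_method(name)
                if address:
                    self.remembered = name
                    return name, address
            cycle += 1
        return None


def demo():
    """Constructed scenario: no static config, no DHCP option, DNS answers on try 2."""
    dns_answers = iter([None, "192.0.2.10", "192.0.2.10"])  # documentation address
    probes = {
        "static": lambda: None,
        "dhcp_option_78_slp": lambda: None,
        "dns": lambda: next(dns_answers),
        "l2_multicast_slp": lambda: None,
    }
    waits: List[float] = []  # records sleeps instead of actually waiting
    first = ApDiscovery(probes, retries=3, interval=2, sleep=waits.append)
    first_result = first.discover(max_cycles=1)
    # "Reboot": a fresh instance seeded with the remembered method.
    second = ApDiscovery(probes, retries=3, interval=2, sleep=waits.append,
                         remembered=first.remembered)
    second_result = second.discover(max_cycles=1)
    return first_result, first.log, second_result, second.log, waits


if __name__ == "__main__":
    for item in demo():
        print(item)
```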
Distinct Roles for VoWLAN and DECT
Mobile Voice
• DECT: HiPath Cordless. Preferred Solution for voice only: Cost effective; High quality; Mature, proven technology
• WLAN: Deploy WLAN if later expansion to wireless data is planned
Mobile Voice & Data
• DECT: DECT does not provide wireless data; DECT and WLAN parallel to be considered for substantial existing DECT installations
• WLAN: HiPath Wireless. Converged WLAN for voice and data: Fast secure roaming; Premium voice quality (QoS); WLAN phones and soft clients
Mobile Data
• DECT: DECT does not provide wireless data
• WLAN: HiPath Wireless. Leading-edge WLAN solution for enterprise-wide deployment: Security; Scalability; Manageability; Virtual WLANs, Hosting
Quality of Service: SVP Support (WL1)
End-to-End QoS w/ SVP support (SpectraLink Voice Priority)
• SVP “Backoff”
• SVP PDU prioritized
Works with any other VoWLAN solution
Adaptive QoS on wired LAN
Prioritized SSID required, unless WMM client
VNS= “Enterprise VoWLAN”, SSID= “VoWLAN”, SVP= enabled
VNS= “Enterprise Data”, SSID= “Employee”, SVP= disabled
[Diagram labels: VNS #1; Voice Gateway; VNS; Subnet A; Subnet B; Subnet C; Subnet x; Subnet y]
VoWLAN Solution with optiPoint WL1 professional
Deployment Model
All devices must sit on the same LAN segment
• Phones cannot roam across subnets without dropping calls
• Gateways and Servers cannot support a set IP address change during call
Multicast required for registration and “Push-to-Talk”
• Requires infrastructure enabled with multicast
Support over a single segment
HiPath Wireless Proposition with a WL1 Solution
Deployment Model
APs can be deployed across router hops
• Solution can now scale to support a larger network with APs on multiple subnets
• Phones don’t have to exist on a single subnet
• Phones don’t need to support subnet roaming
Works without multicast being enabled on the infrastructure
[Diagram labels: Intranet]
WL1 Solution
SpectraLink Radio Protocol (SRP)
• SpectraLink’s proprietary IP protocol for providing communication between their voice sets and their gateway products
• Phone and Gateway do IGMP version 1 – Group Membership Report
• UDP & IP multicast to SPECTRALINK.MCAST.NET group (IP group address 224.0.1.116) for discovery and registration
• SRP Unicast (IP port 119) for voice (like RTP) and other signaling
HiPath Controller Support
• SpectraLink’s multicast was designed not to work over router hops (i.e. TTL set to 1)
• HiPath Controller treats this as a special case and will forward these packets to ensure delivery to devices and gateways
[Diagram labels: SpectraLink NetLink e340/i640; HiPath Wireless Controller; Access Points; SpectraLink NetLink Gateway]
WL1 Solution
SpectraLink Voice Priority (SVP) is the de facto standard for offering QoS for voice services on 802.11 today
• SVP was defined in the absence of any 802.11 QoS mechanisms
• It is defined as a specific mechanism to allow prioritization of packets from an AP to a SpectraLink device
• It requires SRP packets to be queued in front of all other packets
• Sets the 802.11 contention backoff period to 0 for those packets
Access Point Support of SVP
• Based on our implementation of WMM (WiFi Multimedia)
• SRP packets are placed in the high priority queue (AC3) according to WMM rules
• AC3 defines specific backoff mechanisms to support high quality voice
Glossary of Terms
3PAP Third Party AP
AAA Authentication, Authorization, Accounting
AES Advanced Encryption Standard
AP Access Point
BSSID Basic Service Set Identifier
CAPWAP Control and Provisioning of Wireless Access Points
CCX Cisco Compatible Extensions
CDR Call Detail Record
CLI Command Line Interface
CTP CAPWAP Tunnelling Protocol
DECT Digital Enhanced Cordless Telecommunications
DHCP Dynamic Host Configuration Protocol
DRM Dynamic RF Management
DSCP Differentiated Services Code Point
EAP Extensible Authentication Protocol
HWC HiPath Wireless Controller
ICMP Internet Control Message Protocol (Ping, etc.)
IGMP Internet Group Management Protocol (Multicast)
IPSec IP Security (VPN)
LEAP Lightweight EAP
MAC Media Access Control (Layer 2)
MOS Mean Opinion Score (Voice quality standard)
MU Mobile User
NAPT Network Address Port Translation
OSPF Open Shortest Path First (Dynamic routing protocol)
PBX Private Branch Exchange
PKI Public Key Infrastructure (Digital Certificates)
PMK Pairwise Master Key
PoE Power over Ethernet
PSK Pre-shared Key
PSTN Public Switched Telephone Network
PSU Power Supply Unit
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
RF Radio Frequency
RU Replaceable Unit
SIP Session Initiation Protocol
SLP Service Location Protocol
SNMP Simple Network Management Protocol
SRP SpectraLink Radio Protocol
SSID Service Set Identifier (Wireless Network Name)
SVP SpectraLink Voice Priority
TKIP Temporal Key Integrity Protocol
TOS Type of Service
VLAN Virtual LAN
VNS Virtual Network Services
VoIP Voice over IP
VoWLAN Voice over Wireless LAN
VPN Virtual Private Network
VSA Vendor Specific Attribute
WEP Wired Equivalent Privacy
WMM Wi-Fi Multimedia
WPA/WPA2 Wi-Fi Protected Access