
Alcatel OmniAccess Wireless

Alcatel OmniAccess Wireless. January 2006. Enterprises Are Buying Wireless LANs. Goldman Sachs report identifies Top 3 IT 2005 Spending priorities- Wireless LANs, Security and Mobile Computing devices

jeneva

Presentation Transcript


  1. Alcatel OmniAccess Wireless January 2006

  2. Enterprises Are Buying Wireless LANs
     • Goldman Sachs report identifies Top 3 IT 2005 spending priorities: Wireless LANs, Security and Mobile Computing devices
     • 27% of Enterprises will deploy Voice Over Wireless LANs by 2006 (Infonetics Research)
     • Forrester Research Inc. forecasts 75 percent of Enterprises will be buying or evaluating wireless LANs in 2006
     • Wireless LAN security market will reach $8.4 Billion by 2008 (source: In-Stat/MDR)
     • IDC forecasts that wireless laptops will be 95% of Mobile PC sales by 2006
     • Worldwide WiFi revenues are expected to grow from $7 billion in 2003 to over $44 billion by 2008, at a compounded annual rate of 44 percent (source: Insight Research Corporation)

  3. Thin Access Point Architecture
     IETF CapWap terminology – Split MAC
     Solving the Wireless “Challenge”
     Diagram labels: Management, Policy, Mobility, Forwarding, Encryption, Authentication, 802.11a/b/g, Antennas; Centralized WLAN Systems; “Fat” Access Points; “Thin” Access Points

  4. Flexible Access Point Options
     • Dual-Radio AP: Supports simultaneous 2.4GHz (b/g) and 5GHz (a) operation
     • Single-Radio APs: Software configurable 2.4GHz (b/g) or 5GHz (a)
     • AP70: Integrated dual-band antenna and RP-SMA connectors for external antennae. Dual Ethernet ports for redundant uplinks (PoE Load Balanced). USB port for future-proof expansion.
     • OAW-AP61: Integrated dual-band antenna.
     • OAW-AP60: RP-SMA connectors for external antennae.

  5. Product Line Up (chart)
     Number of APs: 4, 16, 48, 128, 256, 512
     Site types: Branch, Large Branch, Regional HQ, Medium - Large HQ
     Products: OAW-4304, OAW-4308, OAW-4324, OAW-6000-48 (Supervisor I), OAW-6000-128 (Supervisor I), OAW-6000-256 (Supervisor II), OAW-6000-512 (Dual Supervisor II)
     Performance (Clear Text/Encrypted): 1 Gbps/200 Mbps, 2 Gbps/400 Mbps, 4 Gbps/1 Gbps, 4 Gbps/3.6 Gbps, 8 Gbps/7.2 Gbps
     Pay as you grow Capability

  6. OmniAccess WLAN – Network Examples
     Diagram labels: HEADQUARTERS; REGIONAL HEADQUARTERS; BRANCH OFFICE; SMALL / HOME OFFICE; WAN; OAW-6000; OAW-4324; OAW-4308 or OAW-4304; OAW-AP70; OAW-AP61

  7. OmniAccess WLAN Network Advantages: Remote Access Point Security Examples
     Extending Corporate WLAN Security Anywhere, Anytime
     • AP Provisioning
       • “AP Name@FQDN” “Password”
       • AAA with RADIUS
       • Automatically “enroll” & “disable” APs via AAA
       • IKE secret encrypted on FLASH – non transferable to other APs
     • AP-Switch Security:
       • Diffie-Hellman Group 2 for IKE (uses Public Key Cryptography)
       • 3DES Encrypted IPSec
     Diagram labels: Control Traffic over PPP/L2TP/IPSec NAT-T; Data Path: 802.11/GRE/IP/IPSec NAT-T; GUEST, CORP, VOICE; HQ WLAN IN A BOX; Internet Services; GUEST, DMZ, CORP, VOICE; WAN / Public Internet; Firewall/NAT

  8. Alcatel OmniAccess Wireless WiFi Services November 2005

  9. OmniAccess Wireless Optional Software Modules
     SWITCH LEVEL OPTIONAL MODULES
     • Policy Enforcement Firewall (PEF) Module
     • VPN Server Module
     • Wireless Intrusion Protection (WIP) Module
     • Advanced AAA Module
     • Client Integrity Module (CIM)
     • External Services Interface (ESI) Module
     INCREMENTAL CAPACITY BASED MODULES
     • Remote AP (RAP) Licenses

  10. Embedded RF Spectrum Management For Scaling to Large WLAN Systems
      • This used to be an art
      • With the Alcatel OmniAccess Wireless it all just happens
      • Auto Calibration
      • Continuous Tuning
      • Rogue AP detection, classification and location
      • Rogue AP containment (optional WIP SW module)
      • 802.11 attack signature detection (optional WIP SW module)
      • Interference Detection/Management
      • Load Balancing
      • Coverage Hole Detection
      • AP failure self-healing
      • Wiretap/Packet Capture
      • Location/Tracking
      • Automated RF Site Surveys
      • Now It’s Routine
      Diagram labels: Cafeteria; Lobby; Conference Rooms; Offices/Cubicles

  11. Embracing Best-of-Breed Mobile Security: User Authentication and Authorization
      • Stateful FW rules (SVP, SIP, Skinny FW pin holing)
      • ACLs
      • Traffic redirection
      • BW contracts
      • VLAN Membership
      Diagram labels: MAC @ Radius Server; 802.1x; Web portal; VPN; User; User Role

  12. User Authentication and Authorization: Silver bullets – Configuration Guide
      • Embedded per user FW - Traffic Classification at up to Layer 7
      • Enforce application policies
      • Spectralink Voice Protocol, SIP, Cisco Skinny de-code support
      • Secures first generation handset by restricting network use to voice protocols only
      • Classify traffic by application for QoS
      • Provides QoS for voice on softphones (VoIP enabled PCs, PDA, RIM)
      • Does not require separate SSID for Voice and Data
      • Configuration Guide
        • Base SW: MAC, 802.1x authentication, dynamic VLAN assignment
        • PEF: Web authentication, full role assignment and FW support
        • VPN: VPN authentication and encryption (IPSec)

  13. Embracing Best-of-Breed Mobile Security: Client-less Host Integrity Check
      • Propagation of Virus/Worms facilitated by outdated systems
      • Need policy enforcement of OS version / patch level / Anti-Virus / AV signature file…
      • If station fails policy check, access to remediation area for self remediation
      • Client-less implementation eases administrative burden
      • No need to touch every station in network
      • Compatible with guest access, student access
      • Unique integration in WLAN switch
      • Requires PEF and CIM modules installed
      Diagram labels: Host Integrity Check; Web portal

  14. Embracing Best-of-Breed Mobile Security: Content Inspection
      • Enables Content Inspection
      • Used for risky users / flows
      • Will detect/block malware
      • Can quarantine infected host
      • Can ban infected host (black listing)
      • Requires PEF and ESI modules
      User Role = Guest:
      • Stateful FW rules
      • ACLs
      • Traffic redirection
      • BW contracts
      • VLAN Membership
      Diagram labels: Fortinet Appliances Cluster; From AP; To Network; Corporate VLAN; Guest VLAN; User

  15. Leading VoWLAN Solution
      • Industry recognition
      • Aruba Network World Clear Choice
      • Number of terminals supported by AP
      • Voice Quality
      • Roaming capabilities
      • Voice aware ARM (Adaptive RF Management)
      • No RF scanning when voice active terminals are present
      • Preserves Voice QoS
      • Voice Connection Admission Control
      • Keeps number of terminals per AP below defined level
      • Works with Load balancing
      • Classifies on-call and on-hook phones
      • Preserves Voice QoS
      • Joint work with Alcatel - improving end user experience
      • Improved battery life (U-APSD) – 1H 2006
      • E911 (emergency call location) – 1H 2006

  16. Real-Time Location Tracking
      • Multi-point triangulation enables fine granularity (within 1-3 meters)
      • Real-time location service tracks radio source as it moves
      • Automatic RF prediction: eliminates manual walkabout to fingerprint RF propagation
      • Independent of the client device and drivers
      • API available from WLAN switch
      • One application: Location tracking of RFID tags

  17. Alcatel Wireline – Wireless Integration: OmniVista / Rogue Access Point Containment
      OmniVista (discovery, topology, trap management, element manager launch for OmniAccess WLAN)
      • Rogue AP/Clients have been detected
      • MAC addresses are located
      • Port is shut down
      Diagram labels: Rogue APs; Syslog Interface – Rogue AP messages; Workgroup Switch; WLAN Controller; Data Center / Aggregation LAN Switch; Light APs

  18. Traditional WLAN Solution vs. OmniAccess WLAN Solution
      Diagram labels: Traditional WLAN Solution; OmniAccess WLAN Solution; Access Points; Site Survey; Access Points; Packet capture; Air Monitors; WLAN Switches; WiFi IDS / IPS; WLAN Switches/Blades; Captive Portal; VPN Concentrator; LAN-speed Firewall; QoS Devices
      An Integrated, Total Solution: Better Security; Easier To Grow/Scale; More Functionality; Easier To Manage; Easier To Deploy; Lower Total Cost of Ownership

  19. Cisco Solution & Problems: Upgrade Every Wired Closet, Network Disruption, High Costs
      • High cost of managing disparate solutions
      • Port-based security model inappropriate for mobility
      • Additional appliances needed to complete solution
      • Network solution cannot keep up with rapid evolution
      • Never ending upgrade cycle very disruptive
      WIRING CLOSET UPGRADES
      1. 802.1X FOR PORT SECURITY
      2. PoE LAN PORTS FOR VOIP PHONES
      3. POWER & COOLING CAPACITY UPGRADES
      CORE UPGRADES
      Diagram labels: VPN BLADE; L4 - L7 BLADE; AAA SERVICES; FIREWALL BLADE; QUARANTINE SERVICES; WLAN BLADE; LOCATION SERVICES; NEW SUPERVISOR

  20. Alcatel OmniAccess Wireless Architecture: Network Design Guidelines January 2006

  21. WLAN Network Design
      • Conservative rules
        • AP can cover 10,000 sqf
        • AP can support 10 users
        • AM can cover 30,000 sqf
      • Exceptions
        • Hospitals
        • Libraries
        • High BW requirements (5-10Mbps per user)
      • RF Plan
        • Application part of Management suite
        • Also available as stand alone
        • Takes into account
          • Building shape
          • Size
          • Number of users
          • Performance requirements
      • Pro service – Wireless Valley RF simulation tool
        • Invoiced to the customer if deal is won

  22. OmniAccess Wireless Base Feature Set (factory load) ~ BASE = DEFAULT FACTORY INSTALLED FEATURE SET BEFORE ADDING LICENSES ~

  23. Policy Enforcement Firewall Module

  24. VPN Server Module NOTE: VPN server module NOT required for Remote AP services

  25. Wireless Intrusion Protection Module

  26. Advanced AAA Module

  27. Client Integrity Module
      Embedded Sygate On Demand Agent also requires the “SODA Manager application”
      - Free application downloadable from eservice.ind.alcatel.com (service web site)
      - Requires a license key and company name for activation, both available on service web site
      - Alcatel OmniAccess WLAN documentation missing CIM section
      - Missing section can be found on service web site
      - Sygate – Aruba integration document (produced by Sygate) also found on service web site
      - SODA manager application runs on PC (Windows OS only – no MAC/LINUX)
      NOTE: *Policy Enforcement Module required in addition

  28. External Services Interface Module NOTE: *Policy Enforcement Module required in addition

  29. Remote AP License Module NOTE: VPN server module NOT required for Remote AP services

  30. Note on the xSec Optional Module
      • Requires specific, non GA Client from FUNK
      • Limited scope of applications/verticals (defense/government specific use)
      • Not introduced as part of initial Alcatel launch
      • If feature required, product management should be contacted

  31. www.alcatel.com

  32. Roadmap November 2005

  33. OmniAccess WLAN Roadmap
      Timeline: November 05, Q1 06, Q2 06
      Row labels: ACCESS POINT; WLAN SWITCH; AOS - W; OmniVista Mobility
      • Hardware: OAW-4302 (low cost branch switch); Outdoor AP (OAW-AP80P); OAW-AP65 Cost red AP70; OAW-AP41 Cost red AP61; Airespace OAW-1200 Retrofitted w/ G2 FW
      • Release 2.4.1
        • Support of Airespace APs (OAW 1200)
        • Local Switching (Remote AP)
        • DiffServ/ToS marking (GRE tunnel)
      • Release 2.5
        • Switch to switch IPSec VPN
        • Guest account creation login
        • Voice CAC phase I:
          • 1st Thold: load balance stdby wifi phones
          • 2nd Thold: load balance in-roaming wifi phones
          • 3rd Thold: reject in-roaming wifi phones
        • Manual black listing (Base OS)
      • Release 3.0
        • AMAP
        • TACACS+ for Admin Users
        • 802.1s
        • RIPv2 routing
        • Mobility Domains
        • U-APSD: battery saving
        • WMM: QoS over the air (timeslot)
        • Voice CAC phase 2 (T-Spec)
      • OmniVista Mobility 1.0
        • System Dashboards
        • RF Plan / RF Live
        • System Monitoring
        • System Reporting/Trending

  34. OmniAccess Wireless Retrofitted OAW-1200 support
      Diagram labels: New Generation OAW switch; First Generation OAW switch/appliance; LWAPP; PAPI/GRE
      After “Brain Transplant” OAW-1200 becomes an Aruba AP

  35. 2H05 - Alcatel Wireline – Wireless Integration: Policy Enforcement
      • Application-Level attack containment (End 05)
      • Full integration with OV Quarantine Manager: from wired user containment to wired + wireless user containment
      !!! Attack has been detected
      You Can:
      • The attack comes from WLAN
      • You can “Black List” the faulty MAC
      Diagram labels: QM; Data Center Switch; Workgroup Switches; Critical Resources; End stations
