
Wireless LAN Solutions - Security, Management


Presentation Transcript


    1. Wireless LAN Solutions - Security, Management
       Jukka Saarenmaa, Nortel Networks Oy

    2. New Ways of Connecting

    3. Security Issues and Options with WLANs
       Security Issues:
       - WEP
       - Rogue Access Points
       - IP Mobility
       - Lack of employee education
       Security Options:
       - Wired and wireless DMZs
       - IPSec or SSL VPN encryption
       - Reuse existing IPSec infrastructure or use a dedicated wireless security switch
       - Future: new protocols with better security = added security

    4. Different Challenges

    5. Standalone: The Traditional Distributed Architecture
       Typical Customer Profile:
       - Wireless small branch/remote office
       - Requires only limited ‘Hot Zone’ capability
       - Few users
       Customer Benefits:
       - Low startup cost
       - Easy install / LAN add-on
       - Simple but effective security
       - Investment protection

    6. Secure Your WLAN: IPsec Security for Wired and Wireless LANs
       - Strong end-to-end IPsec security
       - Common user experience (VPN)

    8. Hybrid: Centralized Security and Management for Existing WLANs
       Typical Customer Profile:
       - Multi-vendor environment
       - Larger deployments
       - Intelligent overlay requirement
       - Wireless upgrade or extension
       Customer Benefits:
       - Low incremental cost
       - Minimal disruption
       - Centralized security
       - Centralized management
       - Introduction of enterprise roaming
       - Unauthorized AP detection
       - Wireless VPN capability
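The unauthorized AP detection named here (and the rogue access point problem from slide 3) works from what managed APs in monitor mode overhear. The following is an added example, not code from the presentation or from any Nortel product: it classifies constructed beacon sightings against a constructed inventory of managed APs, with the BSSIDs, SSIDs and the -60 dBm "strong signal" threshold all assumed values.

```python
# Added example, not from the Nortel presentation: unauthorized AP detection of the kind
# a monitor-mode AP or WLAN controller performs, run over constructed scan records.
from dataclasses import dataclass

# Constructed inventory of managed APs: BSSID -> SSIDs it is provisioned to serve.
MANAGED = {"00:11:22:aa:bb:01": {"CORP", "VOIP"}, "00:11:22:aa:bb:02": {"CORP", "VOIP"}}
CORP_SSIDS = {"CORP", "VOIP"}
STRONG_DBM = -60  # heard this loudly, the radio is almost certainly inside the building

@dataclass(frozen=True)
class Beacon:
    bssid: str    # transmitting radio
    ssid: str     # advertised network name ("" = hidden)
    channel: int
    rssi: int     # dBm as measured by the sensor AP
    sensor: str   # BSSID of the managed AP that heard it while in monitor mode

def classify(b):
    """Return (verdict, severity) for one beacon seen by a monitor-mode AP."""
    served = MANAGED.get(b.bssid.lower())
    if served is not None:
        return ("authorized", "info") if b.ssid in served else ("misconfigured", "medium")
    if b.ssid in CORP_SSIDS:
        # Unknown radio advertising our SSID: clients may join it and expose credentials.
        return ("rogue-impersonating", "critical" if b.rssi >= STRONG_DBM else "high")
    if b.rssi >= STRONG_DBM:
        return ("unknown-nearby", "medium")  # probably on premises; check the wired side
    return ("neighbour", "low")

def detect(beacons):
    """Keep the strongest sighting per BSSID and report everything above info level."""
    strongest = {}
    for b in beacons:
        if b.bssid not in strongest or b.rssi > strongest[b.bssid].rssi:
            strongest[b.bssid] = b
    report = {}
    for bssid, b in strongest.items():
        verdict, severity = classify(b)
        if severity != "info":
            report[bssid] = (verdict, severity, b.ssid, b.channel, b.sensor)
    return report
# Constructed sightings from the two managed APs' monitor-mode scans.
SCAN = [
    Beacon("00:11:22:aa:bb:01", "CORP", 1, -45, "00:11:22:aa:bb:02"),
    Beacon("00:11:22:aa:bb:02", "GUEST", 6, -50, "00:11:22:aa:bb:01"),  # SSID never provisioned
    Beacon("de:ad:be:ef:00:01", "CORP", 11, -52, "00:11:22:aa:bb:01"),  # unknown radio, our SSID
    Beacon("de:ad:be:ef:00:01", "CORP", 11, -70, "00:11:22:aa:bb:02"),  # same radio, heard weaker
    Beacon("66:77:88:99:00:aa", "CoffeeShop", 1, -85, "00:11:22:aa:bb:02"),
    Beacon("66:77:88:99:00:bb", "", 3, -55, "00:11:22:aa:bb:01"),  # hidden SSID, strong signal
]
```

`detect(SCAN)` flags the unknown radio advertising CORP as critical, the managed AP serving an unprovisioned SSID as misconfigured, and the strong hidden network as worth a wired-side check, while the authorized sighting is dropped.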

    9. WLAN Security Implementation

    10. Mobile Authentication, Authorisation & Auditing (AAA)

    11. Clear Access Method
        - Non-encrypted, non-secure access to Intranet/Internet
        - If no L2 encryption is used (i.e. WEP, TKIP, AES), the traffic is completely unprotected!
        - Example: open a new browser window and go to http://web.us.nortel.com
        - Clear access should be carefully controlled in terms of what Intranet resources (if any!) are allowed.
        - Default configuration allows clear access to all but “Intranet” networks; Internet access available
        - Useful for PC-based IP Telephony applications: i2050, SIP, ...

    12. SSL Access Method
        - Client logs into Portal website via SSL connection
        - This is the Home WSS (determined by WLAN subnet)
        - Encrypted session between VIP and Client IP
        - Unencrypted on Intranet
        - Intranet/Internet access is virtually the same as SSL VPN
        - Client IP can be proxied with IIP to solve routing issues
        - Support for SSL VPN client (SOCKS)

    13. PPTP Access Method
        - Client logs into Portal website via SSL connection
        - Get one-time password from Portal website
          - Solves PPTP dictionary attack weakness
        - PPTP tunnel between Client IP and VIP
        - WSS assigns tunnel IPs from local scope
          - Scope must be routed by WSS
          - Scope is local to each WSS
        - Compatible with MS VPN client

    14. IPSec (Passthrough) Access Method
        - No client login on WSS; AAA is bypassed on WSS
        - IPSec tunnel between Client IP and Contivity
        - WLAN subnet is not routable on Intranet by default
          - Static routes on Intranet and/or redistribution into IGP
          - Static routes plus NAT on Intranet router
            - Requires NAT Traversal
        - IPSec tunnel could also be a non-Contivity solution

    15. Nortel Networks Solution
        Nortel Wireless Security Switch 2250

    16. Adaptive: Non-Stop Convergence-Ready WLAN for New Deployments
        Typical Customer Profile:
        - Large number of users
        - Ubiquitous building coverage
        - Green field deployments
        - Recommended for Wireless IP Telephony
        Customer Benefits:
        - Ease of deployment
        - Adjusts to changing environment
        - Automatic load balancing
        - Active security including over the air
        - Voice roaming capability
        - Dynamic RF management
        - Plug ‘n’ Play and Plug ‘n’ Grow
        - Self healing

    17. WLAN – Adaptive Solution

    18. Split MAC
        - The concept is to decouple timing-critical elements of the MAC from timing-sensitive elements of the MAC: ACKs vs. Probe Responses
        - Decoupling switching from RF
        - WSS 2270 is sort of like a traditional L2 switch, except with radios instead of 10/100 ports

    19. Nortel Access Point
        - Plenum-ratable cast aluminum case
        - Standard Ethernet (802.3) cabling
        - Multi-band support (802.11 a/b/g)
        - Powerful dual-dispatch directional antenna
        - Various mounting options
        - Power over Ethernet (802.3af)
        - 802.11i and 802.11e ready
        - WPA/TKIP
        - SNMPv3
        - SSH v2.0
        - Multiple SSIDs
        - Monitor mode available
        - 100 mW radio power

    20. Nortel 2270 Wireless Switch
        - Compact design conserves wiring closet space
        - Two 1000Base-SX with LC connector, one logical path (failover protection)
        - On-board VPN capability using Enhanced Security Module crypto processor
        - Configurable Distribution System Port (GigE)
        - 10/100 Mbps-TX Ethernet Service Port
        - 9-pin serial connector for Console Port
        - n+1 redundancy
        - Crypto H/W accelerator
        - IPSEC termination

    21. APs use encrypted control traffic

    22. Data Paths with WSS 2270
        - LWAPP transports control messages to/from AP
        - LWAPP transports data packets to/from AP
        - L2 or L3 tunneling

    23. Overlaying 2270/2230 on LAN
        - All ports untagged in VLAN 1
        - LWAPP is in VLAN 1
        - User devices are mapped back to VLAN 1 too
        - All data is tunneled to 2270
        - BayStack will see the MAC of clients on the port connecting to 2270, not the port connecting to 2230
        - Right hand side represents what the WLAN looks like to the rest of the data network

    24. 2270/2230 with Multiple VLANs
        - L2 Switch: all ports are members of VLAN 1
        - Link to 2270 has VLANs 1, 2, 3 (all tagged)
        - Link to router has VLANs 1, 2, 3 (all tagged)
        - Access link to 2230 is only a member of VLAN 1 (untagged)
        - Right hand side represents what the WLAN looks like to the rest of the data network

    25. L3 Mode with Multiple VLANs
        - Layer 3 mode of LWAPP is essentially the same logically
        - Physically, though, APs can be placed anywhere in the network

    26. Per-SSID Security Features
        Layer 2:
        - Static WEP
        - Shared or Open authentication
        - MAC-based authentication
        - WPA
        - 802.1x
        - Cranite
        - Fortress
        Layer 3:
        - IPsec (up to 1 Gbps bulk encryption)
        - Web Authorization
        - VPN Passthrough

    27. Where is Encryption Done (L2)
        - L2 encryption-based methods are encrypted/decrypted on the 2230
        - WEP, dynamic WEP, WPA, AES (future)

    28. Where is Encryption Done (L3)
        - IPsec terminated on 2270
        - Tested clients: SSH, Sentinel, Movian, Cisco, Netscreen
        - Per-SSID

    29. VPN Passthrough
        - VPN Passthrough leverages an external VPN server
        - Configure IP address of server
        - Applies a traffic filter so only traffic to the server can get through
        - Per-SSID

    30. How to Implement VoIP
        - Multiple SSIDs (i.e. two WLANs)
        - No Active Load Balancing
        - QoS: SSID VOIP = Gold; SSID DATA = Bronze
        - Security: SSID VOIP = MAC-based and/or WEP (only on b/g radio); SSID DATA = 802.1x or whatever is desired
        - Adjust queue depth
        - Prioritize LWAPP on switches between 2270 and 2230

    31. How to Implement VoIP (cont.)

    32. WLAN Management System
        - User interface to WMS is a web browser, running locally or remotely
        - Database and control reside on the WMS server

    33. Accurate RF prediction for AP placement and RF topology mapping
        - Detailed heat maps for easy analysis
        - Ekahau Site Survey (ESS) tool to verify RF prediction and perform ongoing analysis (if needed)

    34. Nortel WLAN Control Software uses advanced fingerprinting for <10 meter accuracy

    35. Nortel Location Positioning
        Closest AP
        - How: Identify the AP to which a client is associated
        - Pro: Easy to do; nothing new required
        - Con: Limited accuracy – an AP can easily cover several thousand square feet
        RF Triangulation
        - How: All APs identify the “strength” with which they hear a client. Intelligent algorithms triangulate responses to pinpoint probable location.
        - Pro: More accurate than closest AP
        - Con: Does not account for effects of building material on signal (e.g., reflection, attenuation, multi-path)
        RF Fingerprinting
        - How: RF prediction creates a grid that identifies how every single part of a floor plan looks to all access points. Real-world info gathered from APs is compared to these fingerprints to determine precise location.
        - Pro: GPS-like accuracy
        - Con: More comprehensive (requires RF prediction tools)
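To make the trade-off between the three methods concrete, here is an added example that is not code from the presentation or from Nortel's WLAN Control Software: a constructed floor with three APs and one interior wall, where a simple log-distance model with a 15 dB wall penalty stands in for the vendor's RF prediction tool (all coordinates, the -40 dBm reference level and the penalty are assumptions). The client behind the wall is what exposes the weakness of closest-AP and triangulation that the slide describes.

```python
# Added example, not from the Nortel presentation: the three location methods of
# slide 35 run over a constructed floor with three APs and one interior wall.
import math

APS = {"ap-A": (0.0, 0.0), "ap-B": (20.0, 0.0), "ap-C": (10.0, 15.0)}  # metres, constructed
WALL_X = 10.0  # a wall along x = 10 that attenuates every path crossing it

def predicted_rssi(ap, point):
    """Toy RF prediction (stands in for the vendor's RF prediction tool, an assumption):
    log-distance path loss from a -40 dBm reference, plus 15 dB per wall crossed."""
    ax, ay = APS[ap]
    px, py = point
    rssi = -40.0 - 20.0 * math.log10(max(math.hypot(px - ax, py - ay), 1.0))
    if (ax <= WALL_X) != (px <= WALL_X):
        rssi -= 15.0
    return rssi

def closest_ap(observed):
    """Method 1: the client is placed at the AP that hears it loudest."""
    return APS[max(observed, key=observed.get)]

def triangulate(observed):
    """Method 2: weighted centroid of the APs, each weighted by the inverse of the
    distance its RSSI implies under free-space loss. Walls are not modelled, which
    is exactly the weakness the slide lists."""
    weights = {ap: 1.0 / 10 ** ((-40.0 - rssi) / 20.0) for ap, rssi in observed.items()}
    total = sum(weights.values())
    return (sum(APS[ap][0] * w for ap, w in weights.items()) / total,
            sum(APS[ap][1] * w for ap, w in weights.items()) / total)

def fingerprint(observed):
    """Method 3: compare the observed RSSI vector against the predicted vector of every
    5 m grid cell of the floor plan and return the cell closest in RSSI space."""
    best, best_dist = None, float("inf")
    for gx in range(0, 21, 5):
        for gy in range(0, 16, 5):
            cell = (float(gx), float(gy))
            dist = math.sqrt(sum((observed[ap] - predicted_rssi(ap, cell)) ** 2 for ap in APS))
            if dist < best_dist:
                best, best_dist = cell, dist
    return best

def error_m(estimate, truth):
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])

# Constructed client that really sits at (15, 5), behind the wall from ap-A and ap-C;
# OBSERVED is the RSSI vector the three APs would report for it.
TRUE_POS = (15.0, 5.0)
OBSERVED = {ap: predicted_rssi(ap, TRUE_POS) for ap in APS}
```

On this input closest-AP returns ap-B's position (20, 0) and the wall-blind centroid lands several metres off near ap-B, while the fingerprint match recovers the (15, 5) cell exactly because the wall loss is part of the predicted grid.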

    36. Understanding RF Fingerprinting

    37. Nortel’s WLAN – Adaptive Solution

    39. Mesh: Minimize Backhaul Costs in Open Environments
        Typical Customer Profile:
        - Open spaces (depot, campus)
        - No existing wired infrastructure
        - Constantly changing environment (e.g. convention center)
        Customer Benefits:
        - Minimize backhaul costs
        - Rapid deployment
        - Auto-configuration
        - Resilient

    40. Nortel Networks Solutions

    41. Security Issues and Options with WLANs
        Security is an issue with WLANs, but the problems can be addressed.

    42. Applying the Unified Security Architecture to Wireless LANs
