IT Showcase
Wireless LAN Deployment at Microsoft
Supporting the Mobile Knowledge Worker
Published January 2002
Agenda
• Wireless Local Area Network (WLAN) Description
• Information Technology Group (ITG) WLAN Deployment Project
  • Drivers
  • Schedule and tasks
  • Requirements
  • Piloting
  • Results
• Engineering Considerations
• Security Considerations
• Installation Approach: Concealed System
• Lessons Learned
• Reference Information
What is Wireless LAN (WLAN)?
[Diagram: wireless technologies arranged by coverage area]
• Global and Universal Area: satellite data networks
• Wide Area and Metro Area: cellular-based mobile data (CDPD/GPRS), fixed microwave wireless (LMDS/MMDS), Wireless Local Loop (WLL)
• Local Area: Wireless LAN (WLAN)
• Personal Area: Bluetooth, Infrared Data Association (IrDA)
ITG WLAN Deployment Project Drivers
• Executive Call to Action
• Microsoft is Developing Software for Wireless Environments
• Multiple User Requests for WLAN Technology Deployment to Increase User Mobility
• Standardization and Interoperability
• Pilot
  • Puget Sound area buildings
  • Deploy to worldwide subsidiary offices as budget and local regulations permit
ITG WLAN Deployment Project Schedule and Tasks
• 150 user proof of concept (3 months)
• Submitted RFI for 802.11b products (1 month)
  • Two RFI finalists selected and lab tested both
• Pilot: four buildings, more than 600 users (2 months)
• Completed Engineering & Operations Standard design documentation (1 month)
• 63 building campus wireless deployment (8 months)
  • 1300+ Access Points (APs)
• Worldwide wireless deployments (on-going)
  • 1200+ APs
• 802.1x enhanced wireless security deployment (1 month)
  • Covered 70 buildings in Puget Sound area and 23 remote locations
ITG WLAN RFI Infrastructure Requirements
• Network Administration of APs
  • Full support for
    • Simple Network Management Protocol (SNMP) MIB-II (Management Information Base)
    • 802.11 extended MIBs
    • HP OpenView integration
  • Scalable, scripted AP firmware and configuration updates
  • Little to no user account administration, but secured
• Enterprise Installation Considerations
  • Low cost for all hardware
  • Power supply configuration options
  • Inexpensive plenum installation
  • Variety of antenna solutions to increase or direct Radio Frequency (RF) coverage
• Security
  • Encryption and authentication of the wireless link
  • Secured administrative access to wireless APs
  • No removable cards from APs
ITG WLAN RFI Infrastructure Requirements
• 802.11b Installation with an Infrastructure Migration Path to 802.11a
• Troubleshooting Tools for End User and Infrastructure
• Windows® Hardware Quality Labs (WHQL)-certified Driver Support
  • Windows XP and Windows .NET Server
  • Windows CE 2.11 and Pocket PC
  • Windows NT® 4 and Windows 2000
  • Windows 98 and Windows 98 SE
• Adapter Types
  • PC Card (primary choice)
  • PCI and USB
  • Mini-PCI or other integration in laptops
ITG WLAN RFI Infrastructure Requirements
• Health and Safety Issues
  • FCC approved
  • Support to address health and safety issues
    • Documentation, Web sites, Q&A sessions, contact information
• Wireless Home LAN Hardware Solution
  • Under $250
  • Easy to use and support
  • Must promote security: Wired Equivalent Privacy (WEP)
  • Provides Network Address Translation (NAT) / Dynamic Host Configuration Protocol (DHCP) function
  • Variety of products and accessories: hubs, routers, external antennas, and wireless repeating
  • Robust support for home users provided by vendor
ITG WLAN RFI Infrastructure Requirements
• Installation Considerations
  • Power supply configuration options
  • Inexpensive plenum installation support
  • Flexible antenna solutions to increase coverage area
• Worldwide Deployment
  • Worldwide certification and support
  • Manage differing RF and security requirements across different countries
ITG Aironet/Cisco Pilot
• Pilot WLAN in Three Buildings and One Cafeteria
  • More than 600 users participated
  • PC Card adapters only
  • 112 Aironet 4800B 802.11b APs
  • 11 megabits per second (Mbps) shared connection
  • 128-bit shared WEP key (one static key for all pilot users)
  • Installed APs using existing wall power and network connections
• Surveyed Users at the End of the Pilot
  • Greater than 50% response rate
WLAN Pilot Survey Results
• 50% saved 0.5 to 1.5 hours per day due to their WLAN connection
• 10% used Windows CE devices
• 18% wanted PCI desktop support for testing, demos, home networking
• 24% used WLAN for more than six hours per day
• 93% used their computer in new locations
  • In conference rooms, hallways, or in other employee offices
• 72% could work without a wired connection
• 88% were interested in purchasing WLAN equipment for use at home
• 66% felt they could run any application or installation over the WLAN connection
WLAN Pilot Operational Recommendations
• Require concealed installations
  • Reduces user RF health and safety concerns
• Require multicast application support
• Require client and infrastructure troubleshooting tools
WLAN Engineering Recommendations
• AP Placement (to minimize user/AP ratio)
  • Decrease cell size (to 10 meter radius)
  • Increase cell density
  • Overlapping cells via channel configuration
  • Force 5.5-11 Mbps connections only
  • Mitigate possible Bluetooth interference
  • Create a migration path to 802.11a
• Single Broadcast Service Set Identifier (SSID)
  • Enhanced usability with Windows XP Zero Configuration wireless client
• Client and Helpdesk Troubleshooting Tools
  • AP Monitor in Windows XP
WLAN Engineering Recommendations
• Each Separate Building Has a Dedicated DHCP Subnet for WLAN
  • Enables seamless roaming within building
  • Limits the broadcast domain to one building (the radio cell itself remains the collision domain)
  • Restricts NetBIOS access to that building segment
• Utilize Windows 2000, Windows XP automatic DHCP when changing subnets
  • Enhances security
• Low Voltage Wiring or Inline Power
  • To enable cold booting of APs from a centralized or remote location
• Easy Client Setup: Plug and Play
• AP Load Balancing
802.11b Security Concerns
• WEP
  • A single shared key must be distributed to every client across the enterprise
  • 802.11b standard is only 40-bit
  • 128-bit is proprietary (a 104-bit secret key plus the 24-bit initialization vector sent in the clear)
  • WEP keys are not dynamically changed and are therefore vulnerable to attack
    • Using a PC-based tool and an 802.11b antenna, a 128-bit WEP key can be recovered within two hours, and a 40-bit key within 40 minutes (the passive weak-IV attack on RC4 published in 2001)
  • Difficult to change or administer
• Media Access Control (MAC) Address Filtering
  • Not scalable
    • Exception list must be administered and propagated to all APs
    • The list may have a size limit
  • MAC address must be associated to a user name
    • User could neglect to report a lost or stolen card
    • User could change the MAC address
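The two structural weaknesses behind the slide above, worked through in code. This is an added example, not code from the Microsoft deck or from any Cisco/Aironet product: it implements RC4 and the WEP framing (IV || RC4(IV||key) XOR (plaintext || CRC-32 ICV)) on constructed sample frames and a constructed 104-bit key, and shows what a static shared key gives an eavesdropper: keystream reuse on any IV repeat, and ICV fix-up by CRC-32 linearity. The weak-IV key-recovery attack the slide's "two hours" refers to is not reimplemented here.

```python
"""Added example (not from the deck): why a static, shared WEP key fails.

WEP encrypts each frame with RC4 keyed by (24-bit IV || shared key) and appends a
CRC-32 integrity check value (ICV). With one unchanging key, (1) any IV repeat reuses
the keystream, so one known plaintext decrypts every frame sent under that IV, and
(2) CRC-32 is linear, so ciphertext bits can be flipped and the ICV fixed up without
the key. All keys and frames below are constructed sample data.
"""
import math
import zlib
from typing import Tuple

IV_BITS = 24


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV (clear) || RC4(IV||key) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + crc32_le(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Decrypt a frame; the boolean reports whether the ICV verified."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = pt_icv[:-4], pt_icv[-4:]
    return plaintext, crc32_le(plaintext) == icv


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attack 1: ciphertext XOR known plaintext = keystream for this IV. No key needed;
    in practice predictable headers (ARP, IP, DHCP) supply the known bytes."""
    return xor(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt (a prefix of) any other frame that reused the same IV, still keyless."""
    return xor(frame[3:], keystream)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attack 2: turn E(P) into E(P XOR delta) with a valid ICV, using only CRC-32
    linearity: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros of the same length)."""
    body_len = len(frame) - 3 - 4
    delta = delta.ljust(body_len, b"\x00")
    icv_fixup = zlib.crc32(delta) ^ zlib.crc32(bytes(body_len))
    return frame[:3] + xor(frame[3:], delta + icv_fixup.to_bytes(4, "little"))


def iv_collision_probability(frames: int) -> float:
    """Birthday bound on at least one IV repeat after `frames` frames under one key,
    assuming random IVs; cards that reset the IV counter to zero collide far sooner."""
    pairs = frames * (frames - 1) / 2
    return 1.0 - math.exp(-pairs / 2 ** IV_BITS)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit ("128-bit") key
    iv = b"\x00\x00\x01"
    p1, p2 = b"GET /index.html HTTP/1.0\r\n", b"PUT /secret.txt HTTP/1.0\r\n"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)  # same IV: keystream reused
    print("f2 recovered without the key:", decrypt_with_keystream(f2, recover_keystream(f1, p1)))
    print("forged f1 decrypts to:", wep_decrypt(key, flip_bits(f1, xor(b"GET", b"PUT"))))
    print("P(IV repeat after 5000 frames) = %.2f" % iv_collision_probability(5000))
```

The birthday figure is the point of "changed with each new connection session ... or within a preset time interval" on the later 802.1x slide: with a 24-bit IV, a busy AP on one static key is expected to repeat an IV after a few thousand frames, and every repeat hands the attacker another keystream.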
The 802.1x Solution
• Client network access (link layer) is controlled by the AP based on domain user and/or machine account authentication
• Authentication process is secured via standard Public Key Infrastructure (PKI) protocols available in Windows XP
  • Extensible Authentication Protocol over LAN (EAPoL)
  • Transport Layer Security (TLS)
  • Public / private keys, X.509 certificates
  • Mutual authentication: the client validates the server's certificate and the server validates the user and/or computer certificate
• Client users and computers negotiate authentication against Internet Authentication Service (IAS)
  • IAS proxies authentication requests to Active Directory and the Certificate Authority
  • IAS is the Microsoft implementation of the IETF Remote Authentication Dial-In User Service (RADIUS) standard
• WEP keys are dynamic
  • They are changed with each new connection session, when roaming, or within a preset time interval
  • Unicast keys are per station and per session; the broadcast key is still shared by all stations on an AP
802.1x Security: The 802.1x Solution
[Diagram: a laptop holding a domain user certificate associates to an 802.11/802.1X access point. The EAP/TLS exchange passes through the AP's uncontrolled port to RADIUS (IAS), which consults the Certificate Authority and the Domain Controller. Once authenticated, the controlled port opens; the client obtains an IP address from DHCP, logs on to the domain via the Domain Controller, and reaches peers and file servers.]
802.1x Deployment Challenges
• Operational Support
  • Requires improved troubleshooting tools for both client and infrastructure
  • Integration of disparate support organizations for end-to-end support
    • Certificate Server, RADIUS server, Active Directory™, AP, and client
802.1x Technical Challenges
• Certificate Issues
  • Required to build a secure, Web-based tool to validate and/or obtain computer/user certificates
  • Certificate Revocation List (CRL) expiration must be managed: an expired or unreachable CRL makes certificate validation, and therefore authentication, fail
• Active Directory
  • If Active Directory becomes overloaded, 802.1x authentication is affected
• Client DHCP Response Timeouts
  • Inconsistent across domains and platforms
• Poor RADIUS Server Failover Support in APs
  • Can cause clients to fail authentication and lose connectivity
• Authentication Mechanism Stresses Infrastructure
  • Reauthentication required when roaming and at timeout
  • Cross-forest and multi-domain authentication required
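A runnable model of the access control described on "The 802.1x Solution" slide, including the per-station dynamic keys and the reauthentication at timeout listed under the technical challenges. This is an added example, not Microsoft's, Cisco's or IAS's code: EAP-TLS and certificate validation are simulated by a trust check on a constructed (issuer, subject, revoked) tuple, RADIUS is a stand-in class, and the CA name "CN=Contoso Enterprise CA", the MAC addresses, account names and the 600-second rekey interval are all made up.

```python
"""Added example (not from the deck): 802.1x port-based access control on an AP.

Per station the authenticator keeps two logical ports. The uncontrolled port passes
only EAPOL frames (EtherType 0x888E) to the RADIUS server; the controlled port stays
closed until RADIUS returns Access-Accept. With the accept, the server hands the AP
fresh key material (Windows IAS carries it in the MS-MPPE-Recv-Key attribute), which
becomes that station's own unicast WEP key until the rekey interval expires, after
which the station must authenticate again. Identities and certificates are simulated.
"""
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IP = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes


class RadiusServer:
    """Stand-in for IAS backed by Active Directory and the enterprise CA (simulated)."""

    def __init__(self, trusted_issuer: str, ad_accounts: Set[str]):
        self.trusted_issuer = trusted_issuer
        self.ad_accounts = ad_accounts

    def authenticate(self, cert: Tuple[str, str, bool]) -> Tuple[bool, Optional[bytes]]:
        issuer, subject, revoked = cert
        if issuer != self.trusted_issuer:    # not issued by our CA
            return False, None
        if revoked:                          # listed on the CRL
            return False, None
        if subject not in self.ad_accounts:  # certificate maps to no domain account
            return False, None
        return True, os.urandom(13)          # Access-Accept with 104-bit session key material


class AccessPoint:
    """Authenticator: one controlled-port state and one session key per station."""

    def __init__(self, radius: RadiusServer, rekey_interval: float):
        self.radius = radius
        self.rekey_interval = rekey_interval
        self.sessions: Dict[str, Tuple[bytes, float]] = {}  # mac -> (key, expires_at)
        self.forwarded = []                                  # frames passed to the wired LAN

    def receive(self, frame: Frame, now: float) -> str:
        if frame.ethertype == ETHERTYPE_EAPOL:
            return self._eapol(frame, now)  # uncontrolled port is always open for EAP
        session = self.sessions.get(frame.src_mac)
        if session is None or now >= session[1]:
            # Controlled port closed: never authenticated, or key lifetime elapsed.
            # Nothing reaches the wired LAN, not even a DHCP DISCOVER.
            self.sessions.pop(frame.src_mac, None)
            return "DROP"
        self.forwarded.append(frame)
        return "FORWARD"

    def _eapol(self, frame: Frame, now: float) -> str:
        # Model payload: the client certificate as "issuer|subject|revoked"
        issuer, subject, revoked = frame.payload.decode().split("|")
        ok, key = self.radius.authenticate((issuer, subject, revoked == "1"))
        if not ok:
            self.sessions.pop(frame.src_mac, None)
            return "EAP-FAILURE"
        # EAP-Success: plumb a per-station key, open the controlled port until rekey time
        self.sessions[frame.src_mac] = (key, now + self.rekey_interval)
        return "EAP-SUCCESS"

    def session_key(self, mac: str) -> Optional[bytes]:
        session = self.sessions.get(mac)
        return session[0] if session else None


def demo() -> None:
    radius = RadiusServer("CN=Contoso Enterprise CA", {"alice", "bob"})  # constructed
    ap = AccessPoint(radius, rekey_interval=600.0)
    alice, bob = "00:40:96:aa:aa:aa", "00:40:96:bb:bb:bb"
    print(ap.receive(Frame(alice, ETHERTYPE_IP, b"DHCP DISCOVER"), 0.0))       # DROP
    print(ap.receive(Frame(alice, ETHERTYPE_EAPOL, b"CN=Contoso Enterprise CA|alice|0"), 0.0))
    print(ap.receive(Frame(alice, ETHERTYPE_IP, b"DHCP DISCOVER"), 1.0))       # FORWARD
    print(ap.receive(Frame(bob, ETHERTYPE_EAPOL, b"CN=Contoso Enterprise CA|bob|1"), 0.0))  # revoked
    print(ap.receive(Frame(alice, ETHERTYPE_IP, b"data"), 600.0))               # DROP: reauthenticate


if __name__ == "__main__":
    demo()
```

Contrast with the static-key slide: here a lost laptop exposes only its own expiring session key, and revoking its certificate stops the next authentication, which is exactly why the CRL availability issue on this slide matters operationally.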
Concealed System Installation Best Practices
• Pre-installation
  • Develop AP location plan based on design guidelines
  • Field verify proposed AP locations to check for physical interferences
  • Present final locations for approval prior to starting construction
• Installation
  • Enclose AP units and antennas within “plenum-rated” enclosures to meet building fire code requirements
  • Central, low voltage power supply on uninterruptible power supply (UPS)
• Delivery
  • Spot check AP installation for conformance with commissioning checklist
  • Check RF coverage and network connectivity of each AP
  • Deliver “as-built” documents
Lessons Learned
• Costs are Concentrated in Labor and Materials for Building Infrastructure Installation and Construction
  • AP installations should be concealed within the plenum
• Using Standardized Equipment Does Not Ensure Interoperability
• Involve IT Operations and Help Desk Early
  • Offer educational seminars and engineering reviews
• Develop and Communicate Security Policies Around “Rogue” Wireless Implementations
• User Health and Safety Concerns Must Be Addressed Appropriately
  • Involve vendor and internal Risk Management and Human Resource organizations
Reference Information
• Microsoft Corporation
  • Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
  • 802.1x (TechNet): http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prdc_mcc_corc.asp
  • 802.1x Authentication: http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021xauthentication.asp
  • Wireless Network Security within 802.1x: http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021x.asp
  • Set up 802.1x Authentication on Windows XP Client: http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021x_client_configure.asp
  • Securing Wireless Networks Security Bulletin: http://www.microsoft.com/windows2000/datacenter/evaluation/news/bulletins/secwireless.asp
• Wireless LAN Association: http://www.wlana.org
• IEEE 802.11 & 802.1x: http://www.ieee.org
• OSHA Health and Safety: http://www.osha-slc.gov/sltc/radiofrequencyradiation
• Cisco Systems: http://www.cisco.com/warp/public/44/jump/wireless.shtml
For More Information
• Additional IT Showcase white papers, case studies, and presentations on ITG deployments and best practices can be found on http://www.microsoft.com.
• Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
The Future of WLAN Technology
• 802.11a
  • New physical layer using 5 GHz band utilizing Orthogonal Frequency-Division Multiplexing (OFDM) to provide speeds up to 54 Mbps
  • Lower range and higher power requirements
• 802.11b
  • Existing implementation using 2.4 GHz band to provide speeds up to 11 Mbps
  • High range and low power requirements
• 802.11d
  • AP specifies a client profile which includes channel set and power
  • Allows for single AP and client product which would self-configure to meet local RF regulations
  • International roaming: “World Mode”
• 802.11e
  • Quality of Service (QoS) support
  • Coupled with 802.1p (Class of Service) and 802.1Q
  • Support for real-time applications like voice and streaming media
  • Dynamically-plumbed WEP keys
The Future of WLAN Technology
• 802.11g
  • New physical layer using 2.4 GHz band utilizing OFDM
  • Max speed 22 Mbps, but cannot coexist with 802.11b (draft status as of January 2002; the ratified standard later differed on both points)
• 802.11h
  • Enhancement to MAC to support EU power and RF requirements
  • Recommended feature for any future implementations
• 802.11i
  • Enhanced Security
  • Advanced Encryption Standard (AES) strong contender for replacing WEP
  • May be used with 802.1x
• 802.1Q
  • Virtual LAN (VLAN) tagging
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2002 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Where do you want to go today?, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.