CISCO STRUCTURED WIRELESS-AWARE NETWORK


Transcript of CISCO STRUCTURED WIRELESS-AWARE NETWORK

Page 1: CISCO STRUCTURED WIRELESS-AWARE NETWORK

© 2003 Cisco Systems, Inc. All rights reserved.

CISCO STRUCTURED WIRELESS-AWARE NETWORK

A SOLUTIONS APPROACH TO WLAN

KOEN JACOBS – SYSTEMS ENGINEER – [email protected]

www.cisco.com/go/wireless/

Page 2

CISCO WLAN EXTENDS THE MULTISERVICE NETWORK

Page 3

Bringing Intelligent Services to WLAN

• Security

• QoS

• VLANs

• …

interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption key 1 size 40bit 7 7823F25A0AB8 transmit-key
 encryption mode wep mandatory
 !
 ssid tsunami
    authentication open
    guest-mode
!

End-to-End IOS = End-to-End Intelligence!

Page 4

Security in WLANs

• Still the number 1 concern!

• Wardriving & Warchalking

Getting a lot of press

• Still many poorly protected WLANs

SSID != Security

MAC Filters

802.11 Standard WEP

Credit: KNTV San Jose

Page 5

Cisco Wireless Security Suite – Security in the Enterprise

Public Access – No Security: no WEP and broadcast mode

Telecommuter and Small Business – Basic Security: Wi-Fi 40-bit, 128-bit, and static WEP

Mid-Market and Enterprise – Enhanced Security: dynamic key management; system and mutual authentication; 802.1x via EAP

Page 6

Cisco Wireless Security Suite www.cisco.com/go/aironet/security

Wireless LAN Security consists of three components

I. The Authentication Framework: the IEEE 802.1x authentication framework supports many authentication types and the link layer

II. The Authentication Algorithm: EAP Cisco Wireless (LEAP) and EAP-FAST support centralized, user-based authentication with the ability to generate dynamic WEP keys

Idem for PEAP*, which also supports OTPs

III. The Encryption Algorithm = WEP for 802.11

Cisco was the first to augment WEP encryption through TKIP* (Temporal Key Integrity Protocol); the same functionality is now part of WPA, under the name CKIP

Message Integrity Check (MIC) mitigates man-in-the-middle attacks

Per-Packet Keying mitigates WEP key derivation attacks, e.g. AirSnort

Broadcast Key Rotation

* 802.11i draft

Page 7

Cisco Wireless Security Suite – The Complete Picture – Cisco Compatible Extensions

[Diagram: CCX layered on top of WPA; WPA shown as 802.1X Authentication plus TKIP or AES Encryption]

WPA – Wi-Fi Protected Access

CCX – Cisco Compatible eXtensions

TKIP – Temporal Key Integrity Protocol

AES – Advanced Encryption Standard

CCX:

• Built on Standards

• Optimized for Enterprise

• Broad Adoption

• Tested for Interoperability

Page 8

VLANs – Segmenting the WLAN

[Diagram: one access point with three SSIDs mapped to VLANs (SSID Voice = VLAN 3, SSID Private = VLAN 1, SSID Public = VLAN 2) over an 802.1Q VLAN trunk to the wired network]

• Static VLAN mapping via SSID, or dynamic VLAN assignment via policy server (RADIUS)

• Up to 16 VLANs

• Each VLAN can e.g. have a different security policy, in line with the user profile

• Support for 802.1p/Q VLANs for end-to-end integration

Supports any CCX client!!
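The slide names two ways a client ends up in a VLAN: a static SSID-to-VLAN map, or a dynamic assignment pushed by the RADIUS policy server. The Python below is an added example (not Cisco access-point code) of the decision an AP has to make for each association: the RADIUS attribute names and the numeric values 13 and 6 come from RFC 2868/3580, while the policy rules (honour the override only after a completed 802.1X exchange, refuse a VLAN the AP does not trunk, refuse an SSID with no mapping) and the 16-VLAN bound are assumptions built on the slide's bullets.

```python
"""Resolve the VLAN for a wireless client association: static SSID-to-VLAN
mapping, optionally overridden by a RADIUS policy server (RFC 3580 tunnel
attributes). Added example, not Cisco access-point code; attribute names and
numeric values are from RFC 2868/3580, the policy rules are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Set

MAX_VLANS_PER_AP = 16                       # limit stated on the slide

# Constructed mapping taken from the slide diagram
SSID_TO_VLAN = {"Private": 1, "Public": 2, "Voice": 3}

# RFC 2868 attribute values that RFC 3580 uses for VLAN assignment
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


class VlanPolicyError(ValueError):
    """Raised when the association must be refused instead of placed in a VLAN."""


@dataclass
class Association:
    ssid: str
    authenticated_8021x: bool                      # True only after a successful EAP exchange
    radius_attrs: Dict[str, object] = field(default_factory=dict)


def configured_vlans(mapping: Dict[str, int]) -> Set[int]:
    """VLANs the AP actually carries on its 802.1Q trunk; enforces the 16-VLAN limit."""
    vlans = set(mapping.values())
    if len(vlans) > MAX_VLANS_PER_AP:
        raise VlanPolicyError(f"{len(vlans)} VLANs configured, AP supports {MAX_VLANS_PER_AP}")
    return vlans


def resolve_vlan(assoc: Association, mapping: Dict[str, int] = SSID_TO_VLAN) -> int:
    """Return the VLAN id the client is bridged into, or raise VlanPolicyError."""
    if assoc.ssid not in mapping:
        # An SSID without a VLAN mapping has no policy: fail closed rather than
        # dropping the client into the native VLAN.
        raise VlanPolicyError(f"SSID {assoc.ssid!r} has no VLAN mapping")
    static_vlan = mapping[assoc.ssid]
    attrs = assoc.radius_attrs

    # A dynamic assignment is honoured only for a client that completed 802.1X;
    # an open-authenticated client never gets to influence its own VLAN.
    if not attrs or not assoc.authenticated_8021x:
        return static_vlan

    # The tunnel attributes must say "802 VLAN" or they are not a VLAN assignment.
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
        return static_vlan
    try:
        vlan = int(attrs["Tunnel-Private-Group-ID"])    # numeric ids only (assumption)
    except (KeyError, ValueError, TypeError):
        raise VlanPolicyError("malformed Tunnel-Private-Group-ID from RADIUS")

    # Refuse an assignment to a VLAN this AP does not trunk instead of silently
    # falling back to the SSID's static VLAN.
    if vlan not in configured_vlans(mapping):
        raise VlanPolicyError(f"RADIUS assigned VLAN {vlan}, not configured on this AP")
    return vlan
```

The two refusals are deliberate: a misconfigured policy server or an unmapped SSID should produce a failed association that shows up in the logs, not a client quietly landing in whichever VLAN happens to be the default.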

Page 9

Quality of Service

• Pre-standard implementation: downstream QoS

Using EDCF – Enhanced Distributed Coordination Frame

• 802.11e will deliver upstream & downstream

Page 10

CISCO SWAN www.cisco.com/go/swan/

Page 11

Cisco Structured Wireless-Aware Network

Providing Superior Wireless Security, Deployment, Management, and Mobility by INTEGRATING and EXTENDING Wireless Awareness into Key Elements of the Network Infrastructure – Servers, Switches, Routers, APs, and Clients

Page 12

Cisco SWAN – Three Elements

1. WLSE 2.7; Aironet 1100/1200/1300 (radios: 802.11b/g/a); Wi-Fi client adapters; 802.1X AAA server

2. Cisco Aironet clients and Cisco Compatible (CCX) clients

3. Cisco switches and routers with wireless-aware Cisco IOS® Software

Benefits shown: Fast Secure L3 Mobility, Centralized Policies, High Availability, Expanded security options, Granular Site Surveys, Simplified Deployment/Mgmt, Rogue AP Detection and Suppression

Page 13

Cisco SWAN Minimizes WLAN TCO

Support: Cisco warranties and support services; Cisco partnerships like the CCX program

Deployment: Optimized deployment of high-performance APs: Assisted Site Survey, "live" RF* readings

Security: WPA for access control/authentication and data privacy, integrated WLAN IDS functionality, including rogue AP detection and suppression

Management: Automated operations of APs (configs, FW, etc.) and RF* (coverage, interference, etc.)

Flexibility: Future switch/router enhancements for scalability, familiar interface, and fast secure L3 roaming

* RF = radio frequency = data transmissions in the air

Page 14

Cisco SWAN Components

Wireless Network Manager (WNM): CiscoWorks Wireless LAN Solution Engine (WLSE)

Cisco Secure ACS

Access Points: Wireless Domain Services (WDS) mode, and infrastructure mode (registered with WDS)

Client Cards: Cisco clients, and Cisco or Cisco Compatible clients (CCX version 2)

Page 15

Wireless Domain Services

• Provides centralized software services on behalf of a L2 subnet (WLAN clients and APs)

• Currently supported on

AP 1100/1200 & Bridge/AP 1300

Catalyst 6500 WLSM – more switches/routers to follow

• Minimizes traffic across LAN/WAN

• WDS AP supports up to 30 infrastructure APs

60 infrastructure APs in dedicated mode

• Features that leverage WDS

Fast Secure Roaming

Radio Management/Monitoring - Rogue AP detection / Interference / …

Local authentication

Page 16

An Example – Rogue AP Detection

[Diagram: network core (WLSE cluster, NMS), distribution and access layers; WDS at the distribution layer; access-layer APs send radio measurements (RM); one rogue AP in the coverage areas of trusted APs, one rogue AP outside the coverage areas of trusted APs]

Page 17

An Example – Rogue AP Detection

[Diagram: same topology; APs send radio measurements (RM) to the WDS, which produces an RM aggregation (RM-Agg) for the WLSE cluster in the core; two rogue APs shown]

1. Radio measurements (RMs) are sent to WDS

2. WDS aggregates and condenses RMs

3. WDS forwards RM aggregation to WLSE

4. WLSE generates reports, alerts, etc.
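The four steps above describe a pipeline: collect, aggregate, compare, alert. The Python below is an added example (not Cisco WDS or WLSE code) that runs that pipeline over constructed radio measurements: the WDS step condenses the reports per observed BSSID, and the WLSE step flags every BSSID missing from the registered-AP inventory, ranking it by whether it advertises a corporate SSID and whether a trusted AP hears it strongly enough to place it inside the coverage area (the two cases drawn on slide 16). The record layout, the -75 dBm coverage threshold and the severity rules are assumptions.

```python
"""Rogue AP detection following the four steps on the slide: infrastructure APs
report radio measurements (RMs), the WDS aggregates them per observed BSSID, and
the WLSE compares the aggregate with the registered AP inventory and raises
alerts. Added example, not Cisco WDS/WLSE code; record layout, the coverage
threshold and the severity rules are assumptions."""
from typing import Dict, List, Set, Tuple

# Constructed inventory: BSSIDs of infrastructure APs registered with the WDS
REGISTERED_BSSIDS: Dict[str, str] = {
    "00:0b:85:01:00:01": "ap-floor1-east",
    "00:0b:85:01:00:02": "ap-floor1-west",
    "00:0b:85:01:00:03": "ap-floor2-east",
}
CORPORATE_SSIDS: Set[str] = {"corp"}

# Constructed radio measurements: (reporting AP, observed BSSID, SSID, channel, RSSI dBm)
RADIO_MEASUREMENTS: List[Tuple[str, str, str, int, int]] = [
    ("ap-floor1-east", "00:0b:85:01:00:02", "corp",    11, -61),  # registered neighbour
    ("ap-floor1-west", "00:0b:85:01:00:01", "corp",     1, -58),
    ("ap-floor1-east", "00:11:22:33:44:55", "corp",     6, -45),  # unknown AP using our SSID
    ("ap-floor1-west", "00:11:22:33:44:55", "corp",     6, -52),
    ("ap-floor2-east", "00:11:22:33:44:55", "corp",     6, -88),
    ("ap-floor2-east", "66:77:88:99:aa:bb", "linksys",  6, -85),  # faint, outside our coverage
]

# Assumed: a signal at or above this RSSI at a trusted AP means the rogue sits
# inside that AP's coverage area (the "in coverage" case on slide 16).
IN_COVERAGE_RSSI = -75
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "LOW": 2}


def aggregate_rms(rms):
    """WDS step (2): condense many RMs into one record per observed BSSID,
    keeping the strongest RSSI each trusted AP reported for it."""
    agg: Dict[str, dict] = {}
    for reporter, bssid, ssid, channel, rssi in rms:
        rec = agg.setdefault(bssid, {"ssids": set(), "channels": set(), "reports": {}})
        rec["ssids"].add(ssid)
        rec["channels"].add(channel)
        rec["reports"][reporter] = max(rssi, rec["reports"].get(reporter, -200))
    return agg


def classify_rogues(agg, registered, corporate_ssids):
    """WLSE step (4): any BSSID not in the registered inventory is a rogue; rank it
    by whether it advertises one of our SSIDs and whether it is inside our coverage."""
    alerts = []
    for bssid, rec in agg.items():
        if bssid in registered:
            continue
        strongest = max(rec["reports"].values())
        inside = strongest >= IN_COVERAGE_RSSI
        spoofing = bool(rec["ssids"] & corporate_ssids)
        if spoofing and inside:
            severity = "CRITICAL"     # positioned to attract our clients right now
        elif spoofing or inside:
            severity = "HIGH"
        else:
            severity = "LOW"          # e.g. a neighbour's AP heard faintly at the edge
        alerts.append({
            "bssid": bssid,
            "ssids": sorted(rec["ssids"]),
            "channels": sorted(rec["channels"]),
            "seen_by": len(rec["reports"]),
            "strongest_rssi": strongest,
            "inside_coverage": inside,
            "severity": severity,
        })
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a["severity"]], a["bssid"]))


def detect_rogues(rms=RADIO_MEASUREMENTS, registered=REGISTERED_BSSIDS,
                  corporate_ssids=CORPORATE_SSIDS):
    """Steps 1 to 4 end to end: collect, aggregate, classify, report."""
    return classify_rogues(aggregate_rms(rms), registered, corporate_ssids)


if __name__ == "__main__":
    for a in detect_rogues():
        print(f"{a['severity']:8} {a['bssid']} ssid={a['ssids']} ch={a['channels']} "
              f"seen_by={a['seen_by']} rssi={a['strongest_rssi']} inside={a['inside_coverage']}")
```

Keeping the per-reporter strongest RSSI in the aggregate is what lets the WLSE tell "inside coverage of trusted APs" from "outside" without shipping every raw measurement across the LAN/WAN, which is the traffic-minimisation point made on slide 15.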

Page 18

Catalyst 6500 WLSM – Wireless LAN Services Module

• Provide seamless layer 3 mobility across an entire campus

No client hardware or software requirements

Supports low latency roams for Voice

• Simplify Cisco SWAN deployment and configuration

Reduce the number of Wireless Domain Services (WDS) needed

• Simplify Deployments

No changes necessary to existing network infrastructure

Provides a single interface per-SSID for the application of security and QoS policy

Page 19

Enterprise Campus Roaming and Aggregation – Cisco SWAN enables Fast Secure Scalable Wireless Networking

• Fast Secure Roaming

• Simple Configuration

• Non-Stop Forwarding / Stateful Switchover

• Scalability

• Integrated Security Services

[Diagram: single point of ingress/egress into the existing network; CiscoWorks WLSE 2.7; fast secure roaming tunnels from the WDS; seamless layer 3 roaming across subnets, with the client address 10.11.12.13 shown on both sides of the roam]

Page 20

Mobility Groups Enable Secure Segmentation

[Diagram: Catalyst 6500 Series with WLSM in the core; WLAN traffic tunneled to mGRE interface; mobility groups for Guest, Employee and Phone clients; other labels shown: PSTN, Voice, VPN Services, Firewall, Intrusion Detection, Internet, Guests]

Page 21

Wireless LAN Solution Engine – Key Features

• Turnkey operational tool for managing Cisco WLANs

• Manages up to 2500 Cisco APs and bridges, plus attached Cisco switches and routers and LEAP servers

• Template-based configuration of APs and bridges

• AP & bridge security misconfiguration detection and alerts

• Proactive fault and performance monitoring of APs, bridges

• Authentication server and attached switch/router monitoring

• AP/Bridge summary and utilization reports

• Current & historical client association tracking reports

• Upper-layer NMS/OSS integration via northbound trap, SYSLOG

• Secure HTML-based UI

• Role-based Access Control

• System & User Defined Device Grouping
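Two slides meet here: slide 3 shows an access-point configuration built on a 40-bit static WEP key with open authentication and a broadcast SSID, and the bullet above credits the WLSE with detecting exactly that kind of security misconfiguration. The Python below is an added example in that spirit, not WLSE or Cisco code: it parses an IOS access-point configuration into radio interfaces and their interface-nested SSID blocks, then reports the weaknesses the deck names (static WEP, a short key, no 802.1X/EAP, no broadcast key rotation, guest-mode). The sample is the slide-3 configuration; the hardened counterpart is constructed, and its cipher, EAP and broadcast-key command syntax is assumed.

```python
"""Audit a Cisco IOS access-point configuration for the weaknesses the deck
warns about: static WEP, short keys, open authentication without 802.1X/EAP,
no broadcast key rotation, and broadcast (guest-mode) SSIDs. Added example in
the spirit of WLSE's misconfiguration alerts; it is not WLSE or Cisco code.
The sample configuration is the slide-3 one; the hardened counterpart is
constructed and its command syntax is assumed."""
import re
from typing import Dict, List, Tuple

# Slide-3 configuration with the indentation IOS normally shows
SAMPLE_CONFIG = """\
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption key 1 size 40bit 7 7823F25A0AB8 transmit-key
 encryption mode wep mandatory
 !
 ssid tsunami
    authentication open
    guest-mode
!
"""

# Constructed hardened counterpart (command syntax assumed): TKIP cipher,
# 802.1X/EAP authentication with WPA key management, rotating broadcast key
HARDENED_CONFIG = """\
interface Dot11Radio0
 no ip address
 encryption mode ciphers tkip
 broadcast-key change 300
 ssid corp
    authentication network-eap eap_methods
    authentication key-management wpa
!
"""

Finding = Tuple[str, str, str]   # (scope, severity, message)


def parse_ap_config(text: str) -> Dict[str, dict]:
    """Split the config into interfaces, each with its own lines and its
    interface-nested SSID blocks (the style the slide-3 config uses)."""
    radios: Dict[str, dict] = {}
    iface = ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ssid = None                  # "!" closes an SSID sub-block, not the interface
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            iface = radios.setdefault(m.group(1), {"lines": [], "ssids": {}})
            ssid = None
            continue
        m = re.match(r"ssid\s+(\S+)$", line)
        if m and iface is not None:
            ssid = iface["ssids"].setdefault(m.group(1), [])
            continue
        if ssid is not None:
            ssid.append(line)
        elif iface is not None:
            iface["lines"].append(line)
    return radios


def audit_ap_config(text: str) -> List[Finding]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    for name, radio in parse_ap_config(text).items():
        if not name.startswith("Dot11Radio"):
            continue                     # only radio interfaces carry WLAN policy
        lines = radio["lines"]
        modes = [ln for ln in lines if ln.startswith("encryption mode")]
        if not modes:
            findings.append((name, "HIGH", "no encryption mode: frames are sent in the clear"))
        elif any(ln.startswith("encryption mode wep") for ln in modes):
            findings.append((name, "HIGH", "static WEP only: no per-packet keying, no MIC"))
        for ln in lines:
            m = re.match(r"encryption key \d+ size (\d+)bit", ln)
            if m and int(m.group(1)) < 128:
                findings.append((name, "MEDIUM", f"{m.group(1)}-bit WEP key"))
        if not any(ln.startswith("broadcast-key") for ln in lines):
            findings.append((name, "LOW", "no broadcast key rotation"))
        for ssid, slines in radio["ssids"].items():
            scope = f"{name}/{ssid}"
            auth = [ln for ln in slines if ln.startswith("authentication ")]
            if not any("eap" in ln or "key-management" in ln for ln in auth):
                findings.append((scope, "HIGH", "no 802.1X/EAP: no user authentication, no dynamic keys"))
            if any(ln == "guest-mode" for ln in slines):
                findings.append((scope, "INFO", "SSID broadcast in beacons (guest-mode)"))
    return findings


if __name__ == "__main__":
    for scope, severity, message in audit_ap_config(SAMPLE_CONFIG):
        print(f"{severity:6} {scope}: {message}")
```

Run against the slide-3 configuration the audit produces two HIGH findings (static WEP, no EAP), one MEDIUM (40-bit key), one LOW (no broadcast key rotation) and one INFO (guest-mode); the hardened counterpart produces none. The guest-mode finding is deliberately informational only, matching the slide-4 point that SSID hiding is not security either way.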

Page 22

Managing the WLAN with WLSE

[Diagram: Network Operations Center with ACS, WLSE and CiscoWorks EMS; WLSE functions shown:]

• Client Association Tracking and Reports

• Device Grouping

• LEAP Monitoring

• Fault/Performance Monitoring of APs & Bridges

• Template-based configuration of APs & Bridges

• Switch monitoring

Page 23

CiscoWorks WLSE www.cisco.com/go/wlse

Rogue AP Detection

Location Manager

Assisted Site Survey

Page 24

RM Example: Self Healing Radio Network – Lost radio interface

Page 25

CISCO AIRONET www.cisco.com/go/aironet/

Page 26

Cisco Aironet 1200 Series

• Investment Protection and Future Proof

Supports 802.11a/b/g

IOS support

8MB of storage

• Performance & Flexibility

Modularity

In-line and regular power

Unique security suite (LEAP, PEAP, …)

Easy and integrated management

• Minimizes Total Cost of Ownership

• Plenum rated chassis

• Physical Security

802.11b/g

802.11a

Dual-band

Page 27

Cisco Aironet 1100 Series

• Scalable: Fully functional access point ideal for all enterprise deployments without expensive controllers

802.11b now – upgradeable to 802.11g

• Affordable: Lowest priced upgradeable Cisco Aironet access point protects customer investment

• Enterprise-class features: End-to-end intelligent networking extended to WLAN

• Secure: Enterprise-class interoperable security for WLAN

• Easy-to-use: Intuitive installation and set up for rapid deployment

Page 28

Aironet 1300 Outdoor AP/Bridge

• Multi Function

Access Point

Bridge

Workgroup Bridge

• 802.11g

54 Mbps at 2.4 GHz

• Outdoor enclosure – IP56

• Included in Cisco SWAN solution

Page 29

Wireless LAN Client Adapters

• 802.11a/b/g dual band client adapters

54 Mbps in 2.4 and 5 GHz bands

802.11b support provides investment protection

CardBus and PCI form factors

Windows XP/2000

• 802.11a client adapters

• 802.11b client adapters

PCMCIA and PCI form factors

Broad OS support (MacOS, Linux, …)

• CCX-compliant adapters

Page 30

Cisco Compatible Extension Program – Key Benefits

Innovative Features

• Cisco Wireless Security Suite

• LEAP & pre-standard TKIP

• Cisco VLAN

• 40+ features in CCX v2.0

• No cost licensing

Confidence to Deploy WLAN

• Tested Interoperability

• Leading security solution

• Ongoing feature development

• Wide variety of devices & OS's

Industry Standards Compliance

• Wi-Fi, WPA & 802.11

Superset to industry standards

Accelerate availability of enterprise features

Page 31

Cisco Compatible Extension Program – Some of the partners… www.cisco.com/go/ciscocompatible/wireless/

In total 95% of 3rd party client NICs are covered!

Page 32

Cisco Wireless IP Phone 7920 – Supports LEAP – Extending security to voice clients!

• IEEE 802.11b, Direct Sequence with Dynamic Rate Scaling at 1, 2, 5.5, 11 Mbps

• Pixel-based display

4 lines + soft keys + date/time/RF/battery + status indication

• High performance speaker supports CCM ring tones

• Visual message waiting, key lock, and vibration icon indicators

• Current HW version will go through 3 SW stages

• Automatic IEEE 802.1q (virtual LAN [VLAN]) configuration

• G.711a, G.711u, and G.729a audio-compression coder-decoders (codecs)

• SNMP manager

• DHCP or static configuration option

• Alternate TFTP support

• Range of accessories: cradle, casings, USB cable, …

Features planned for future software release:

XML services

Directory services (LDAP)

Extension mobility

WPA

Additional language support

450 character, two-way paging/messaging

Page 33

Q and A