Wireless LANs are fast becoming popular in the enterprise because of their significant advantages over wired LANs. According to the latest industry surveys, over 60% of enterprises are planning to purchase a wireless LAN solution in 2005. The reason for this widespread adoption is that wireless LANs bring multiple benefits to the enterprise:

1. Significant savings in the costs of adding, moving and changing network users
2. Consolidation in the number of wired physical ports that must be deployed and maintained
3. Improved workflow through user mobility
4. Improved productivity through innovative new applications such as location tracking, point of sale, voice over wireless LAN etc.

Wireless LANs also secure the air. Low-cost access points brought into the office by employees to create private wireless networks single-handedly defeat the purpose of perimeter firewalls and are a stealth threat that must be stopped.
[Figure: first-generation WLAN design. Labels: Distribution, Core, Data Center, RADIUS, Access Block 2, Employee, Guest. Callouts: STEP 1: Add Wireless VLANs Everywhere; STEP 5: IOS Upgrade for Inter-VLAN Mobility; STEP 6: New blades for Stateful Firewall and IPSEC VPNs; STEP 7a: Bolt on Wireless IDS.]
First-generation WLAN design requires expensive, time-consuming and complex upgrades of the wired network just to add and partially secure the wireless network. This ordinarily includes:

1) Add VLANs everywhere: The old architecture does not allow multiple VLANs per SSID. Since these APs function as IP nodes in the network where the wireless connection terminates, the distribution and core switches must be updated with the new VLAN topology. In contrast, Aruba supports multiple VLANs per SSID, so the number of VLANs needed is greatly minimized, and since the Aruba AP tunnels the information back to the core, no upgrades are needed to distribution and core switches.

2) Add new hardware for AP and RF management: AP management platforms such as Cisco's WLSE are separate components which must be installed and managed separately. The Aruba architecture integrates AP and RF management functionality in the switch itself, minimizing the number of independent IP nodes in the network which require management and configuration.

3) Configure RADIUS every time you add an AP: Because the AP functions as an IP node in the old architecture, it must authenticate itself with the RADIUS server, and as new APs are added the RADIUS server must be re-configured. In contrast, the Aruba design authenticates the AP at the switch itself, requiring no ongoing re-configuration of RADIUS.

4) Upgrade OS for 802.1x fast roaming: As VoWLAN phones and laptop users move about the network, they must associate with new access points quickly to maintain quality of service. Older architectures require updates of OS software in access switches to achieve this mobility.

5) Upgrade OS for inter-VLAN mobility: All distribution switches must be upgraded to support inter-VLAN mobility as users move about the building and associate with different APs. The Aruba switch centrally handles these requests by using proxy DHCP to retain the original IP address of a mobile node as it moves in the network.

6) New blades for firewall and VPN: Expensive new software and hardware must be purchased to secure the wireless traffic with former architectures. The Aruba WLAN switch has an integrated ICSA-certified LAN-speed firewall and VPN built into the system and applies policies per-flow.

7) Third-party IDS and wireless sensors: It is still common practice to deploy yet another platform for wireless intrusion detection and prevention. These piecemeal solutions do not provide an integrated defense for detection, location tracking, blacklisting and containment in both RF and firewalls.
[Figure: Aruba recommended design. Labels: Distribution, Core, Data Center, Floor 1, Floor 3, Employee, Guest, Standby, GRE tunnels.]
Aruba's recommended design includes:

1) Deploy the APs by plugging them into the existing wired infrastructure and give them IP addresses in the existing wired VLANs. Wireless users get IP addresses in wireless VLANs created on the Aruba switch. There is no need to configure new VLANs on the access switches.

2) In most environments it is easier and cheaper to deploy the APs in user space where Ethernet jacks already exist. Aruba's adaptive RF management eliminates the need for site surveys while providing optimal capacity and avoiding interference. See Aruba white papers on the wireless grid for more information.

3) Avoid SSID and VLAN explosion by utilizing the ICSA-certified stateful firewall to compartmentalize users and devices. VoWLAN users may have dedicated handsets or use soft phones on PDAs and laptops. A dedicated voice SSID and VLAN to provide QoS and security is useless to a device that does both voice and data. Aruba can detect and prioritize voice traffic present on the same SSID as data traffic.

4) Rely on Aruba's remote packet capture to enable debugging and troubleshooting of WLAN connection and performance issues from anywhere. There is no need to send IT staff to remote floors and buildings just to sniff the air.

5) Aruba switches/controllers can be deployed wherever appropriate based on network traffic, but it is most common to deploy them in the data center attached to the core routers/switches. While 802.1q trunking is possible to provide connectivity to the wireless VLANs created on the switch, it is also possible and recommended to use a much simpler approach with a single static route. The wireless VLANs can be super-netted, with the core router given a static route to the single super-net. This simplifies any routing table updates and also protects the core routers/switches from maintaining a massive MAC address table of user traffic they would otherwise see on the trunked VLANs.
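The super-net approach in item 5 can be checked before the static route is configured. The following is an added example, not part of the white paper or Aruba's tooling: it computes the single covering prefix for a set of wireless VLAN subnets and flags wired subnets the route would also cover. All subnets are constructed sample values.

```python
import ipaddress

# Constructed sample address plan (assumed values, not from the white paper).
WIRELESS_VLANS = {"employee": "10.20.0.0/24", "guest": "10.20.1.0/24",
                  "voice": "10.20.2.0/24", "contractor": "10.20.3.0/24"}
WIRED_SUBNETS = ["10.10.0.0/16", "10.30.5.0/24"]


def covering_supernet(subnets):
    """Smallest single IPv4 prefix that contains every subnet given."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    # Widen one bit at a time until every wireless subnet fits inside.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def plan_static_route(wireless, wired):
    """Check whether one static route can stand in for the wireless VLANs."""
    supernet = covering_supernet(wireless)
    # Collapse first so overlapping wireless subnets are not counted twice.
    used = sum(n.num_addresses for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in wireless))
    # A wired subnet overlapping the supernet means the route toward the
    # WLAN switch would also cover addresses that live elsewhere.
    conflicts = [w for w in wired
                 if ipaddress.ip_network(w).overlaps(supernet)]
    return {
        "supernet": str(supernet),
        # Unassigned space inside the supernet is still routed to the switch.
        "unassigned_addresses": supernet.num_addresses - used,
        "wired_conflicts": conflicts,
    }


if __name__ == "__main__":
    print(plan_static_route(list(WIRELESS_VLANS.values()), WIRED_SUBNETS))
```

A non-empty `wired_conflicts` list or a large `unassigned_addresses` count indicates the wireless VLANs should be renumbered into a contiguous block before relying on one static route.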
prevent attacks and intruders, monitor and manage network availability or coverage issues, troubleshoot and solve user connectivity problems and IT staff must log in and use each one separately. Some solutions even require installation of additional client software on all devices.

The Aruba Networks wireless networking solution delivers superior security with lower CAPEX and OPEX. The customer can realize these benefits by deploying Aruba Networks because the solution provides:

- Security policies for access control and QoS which are customizable for each user, group, device, or application regardless of where a user connects to the network and everywhere a user roams
- A single point of configuration and monitoring for these security policies that can automatically protect users from threats inside the network and outside the network, including potential attacks from users on the same AP or other parts of the network who may be infected with computer viruses or worms
- Advanced intrusion detection, classification, and protection including automatic rogue AP and ad-hoc containment
- Fewer points of vulnerability because the APs do not store sensitive data such as passwords or keys
- Wireless deployment without any changes to the wired network, including auto-configuration of APs and the addition of new types of users, devices, or security and QoS policies without requiring the addition of new VLANs
- Flexible deployment options that can utilize existing SSIDs/VLANs if desired for separation of user data and network performance
- Enterprise-class solution with redundant and field-replaceable modules
- High availability based on a redundant network design and dynamic RF management
- One interface for managing the entire wireless network, including network and client health monitoring, intrusion and security monitoring, and client troubleshooting, while also providing alerts, statistics and audit data to an NMS