WINS Monthly Meeting
www2.widener.edu/wins
http://events.internet2.edu/index.cfm
03/07/2008
Agenda
• Introductions
• ISP Update
• Caching Plans
• Spring Break
• Aruba Wireless Solutions
• Question & Answers
Introductions
• Name
• Title
• Location
• New Widener Tech Resources Staff Member: Jason Buttacavoli
  • Cell 856-889-1336
  • Office 610-499-1040
ISP Update
• Level3 contract approved!
• Yipes 150 MB will be replaced with Level3 250 MB
• Yipes Internet2 20 MB will be replaced with Level3 20 MB
• SNIP upgrade from 40 MB to 100 MB
• Install and cutover dates and times to be determined
• Hope to have Level3 at the May 2nd WINS meeting?
Caching Plans
• Currently steering only HTTP (TCP port 80) to the Bluecoat cache server
• HTTPS sites must be blocked in the firewall by IP address (the user sees no "blocked" message)
• Bluecoat solution: stop steering and go in-line
• Bluecoat concern: the current model may not be able to handle the FULL load
• Widener best effort: capital request in to get a new box that can handle it
• Widener worst case: use the current box(es) and distribute traffic as required
• Districts currently requiring content filtering: Chester Upland, Haverford, Marple, Penn Delco, Radnor, Ridley, Rosetree, Springfield, Upper Darby
Spring Break
• Annual event at Widener to stay fresh
• Chance to test WINS 8600 and FW code
  • Fortinet 800 and 3600: version 3.0 MR4 to MR6
  • Nortel: 4.1.1.0 to 4.1.5.4
Aruba Wireless Solutions
Michael Mulroy, Territory Manager, Aruba Networks
215-853-2552
www.arubanetworks.com
mmulroy@arubanetworks.com
Presentation
Aruba Product and Solutions Update
People Move. Networks Must Follow.™
Agenda
• 2.5 to 3.x Transition
• 3.x New Features/Enhancements
• Aruba Acquisitions and New Products
  • ECS
  • Airwave
  • Network Chemistry
• The Buzz around 802.11n
• Q&A
AP Names & AP Groups (no more B.F.N, e.g. AP=1.3.3)
• AP config:
  • APs now have a single GROUP
  • APs now have a single NAME
  • Both are alphanumeric text strings; you name them however it makes sense for your network
[Diagram: the old B.F.N (Building.Floor.Number) notation, e.g. AP 1.3.3 with Bldg West = #1, G floor = #1, 1st Floor = #2, 2nd Floor = #3, contrasted with named APs such as Jacks_Office, Break-room and Room_514 in AP groups Bldg-West_G-floor and Bldg-West_1st-floor]
The Advantage of AP-Groups: group the APs by logical function, not by floors
1. Define your services:
  • Employee WPA/2
  • Guest Access
2. Apply them where and when you want:
  • Employee coverage everywhere
  • Guest access in conference rooms
  • Guest access in Reception from 9:00 – 17:00
• APs are now grouped however you like, not just by floor, e.g.
  • Reception
  • Cubicles
  • Conference Rooms
  • Open Space
Configuration Prior to 3.x
• In AOS <3.x, the services an AP offered over the air were determined by two major groups of settings:
  • Network-wide settings such as IDS, fast-roaming, mobility, XML API, derivation rules, auth-server, AAA Fastconnect, bandwidth contracts
  • AP location settings such as ESSID, opmode, channel, ARM, tx-rates, voip-cac, static keys, Virtual-APs
• Virtual-APs were an add-on that let you support multiple BSSIDs, with limited configuration that varied per release
[Diagram: network-wide settings applied across the B.F.N location tree 0.0.0 → 1.0.0 → 1.1.0 → 1.1.1, 1.1.2, 1.1.3 …, down to a single AP such as 1.1.3]
Groups and Profiles
[Diagram: the profile hierarchy. An AP-Group references Virtual-AP, RF Mgmt, Wired-AP, AP, QoS and IDS profiles. A Virtual-AP references an SSID profile and an AAA profile (Authentication, Server-Group, XML-API); RF Mgmt holds a/g radio settings, ARM, a/g RF Mgmt and Optimisation; AP holds System Profile, Ethernet, Regulatory and SNMP; QoS holds VoIP and WMM; IDS holds Signatures, DOS, Impersonation, Unauthorised AP and Event Thresholds. Example profiles shown: ssid-profile emp-WPA, emp-WPA2 and guest; aaa-profile company-dot1x (dot1x auth-profile company-IAS) and guest-cap (cp-profile internal-CP); virtual-ap-profile emp-WPA, emp-WPA2 and guest, so two APs share dot1x but have different SSIDs. An AP-name override such as "Jacks_Office" sits above the AP-Group.]
• The hierarchy is now in the configuration:
  • Define your virtual-ap, QoS, RF, IDS and AP settings and apply them to all APs in your group
  • Highly scalable since complexity is grouped into named profiles; just apply one profile and all the rest follow
  • See the hierarchy with "show profile-hierarchy"
• All profiles are completely modular and reusable:
  • Define an aaa profile and apply it to multiple virtual APs
  • All unspecified profiles are taken to be "default"
  • Ease of partitioning responsibilities
  • Links in with MMS2.0 configuration
Profile Power
• 2.x could only have most settings network-wide:
    aaa dot1x auth-server foo1
  sets the 802.1x auth server for the entire network
    wms assoc-rate-threshold 15
  sets the IDS rate threshold for association frames for the entire network
• Profiles let you reuse settings for ease of maintenance:
  • Define a campus-wide server-group for authentication and apply it to all chemistry, engineering and arts groups
  • The rest of the settings can be defined as new or previously existing profiles, but to add a new authentication server for everybody you now update only your one server group
• Virtual APs are now indistinguishable from the real AP
  • Physical parameters (channel/RF etc.) are now independent
  • EVERYTHING is now per Virtual-AP (e.g. basic-rates, tx-rates, fast-roaming, mobility, XML API, derivation rules, MAC-auth, AAA Fastconnect, OKC, bandwidth contracts, etc.)
  • Enable/disable each virtual-ap at will
  • No more logon: each virtual AP has its own default role, and captive portal parameters are configured per-role
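The profile hierarchy from the last two slides, as an added illustration that is not Aruba code and not the ArubaOS CLI: a small Python model of how one AP's effective configuration is resolved from ap-group, virtual-ap, ssid-profile, aaa-profile and server-group profiles, with unspecified profiles falling back to "default" and an ap-name override taking precedence over the group. The profile names (emp-WPA, emp-WPA2, guest, company-dot1x, guest-cap, company-IAS, Jacks_Office) follow the slides; the settings inside each profile, the dict layout, the ids-profile knob and the server host names are constructed assumptions for this example.

```python
"""Toy model of a profile hierarchy: ap-group -> virtual-ap -> ssid/aaa -> server-group.

Added example, not Aruba code.  Profile names follow the slides; everything
inside the profiles is constructed for illustration.
"""
import json

# Named profiles keyed by type then name.  Types that can be left unspecified
# carry a "default" entry, mirroring "all unspecified profiles are taken to be default".
PROFILES = {
    "server-group": {
        "default": {"auth-server": []},
        "company-IAS": {"auth-server": ["ias1.example.internal"]},   # constructed host
    },
    "aaa-profile": {
        "default": {"server-group": None, "initial-role": "logon"},
        "company-dot1x": {"server-group": "company-IAS", "initial-role": "employee"},
        "guest-cap": {"server-group": None, "initial-role": "guest"},
    },
    "ssid-profile": {
        "default": {"essid": "aruba-ap", "opmode": "opensystem"},
        "emp-WPA": {"essid": "corp-wpa", "opmode": "wpa-tkip"},
        "emp-WPA2": {"essid": "corp", "opmode": "wpa2-aes"},
        "guest": {"essid": "guest", "opmode": "opensystem"},
    },
    "virtual-ap": {
        "emp-WPA": {"ssid-profile": "emp-WPA", "aaa-profile": "company-dot1x"},
        "emp-WPA2": {"ssid-profile": "emp-WPA2", "aaa-profile": "company-dot1x"},
        "guest": {"ssid-profile": "guest", "aaa-profile": "guest-cap"},
    },
    "ap-group": {
        "default": {"virtual-ap": []},
        "Reception": {"virtual-ap": ["emp-WPA2", "guest"]},
        "Cubicles": {"virtual-ap": ["emp-WPA", "emp-WPA2"]},
    },
    # Assumed IDS knob, standing in for the assoc-rate-threshold from the slide.
    "ids-profile": {
        "default": {"assoc-rate-threshold": 15},
        "strict": {"assoc-rate-threshold": 5},
    },
}

# Per-AP state: the group it belongs to, plus optional ap-name overrides.
APS = {
    "Jacks_Office": {"ap-group": "Reception"},
    "Break-room": {"ap-group": "Cubicles", "override": {"ids-profile": "strict"}},
}


def lookup(ptype, name=None):
    """Return the named profile of a type, or that type's 'default' when unspecified."""
    table = PROFILES[ptype]
    if name is None:
        return table["default"]
    if name not in table:
        raise KeyError(f"{ptype} {name!r} is not defined")
    return table[name]


def resolve_virtual_ap(vap_name):
    """Flatten one virtual AP: its SSID settings plus the AAA chain it references."""
    vap = lookup("virtual-ap", vap_name)
    ssid = lookup("ssid-profile", vap.get("ssid-profile"))
    aaa = lookup("aaa-profile", vap.get("aaa-profile"))
    servers = lookup("server-group", aaa.get("server-group"))
    return {
        "essid": ssid["essid"],
        "opmode": ssid["opmode"],
        "initial-role": aaa["initial-role"],
        "auth-servers": list(servers["auth-server"]),
    }


def resolve_ap(ap_name):
    """Effective config for one AP: group settings first, ap-name overrides on top."""
    ap = APS[ap_name]
    group = dict(lookup("ap-group", ap.get("ap-group")))
    group.update(ap.get("override", {}))          # ap-name override wins over the group
    vaps = {n: resolve_virtual_ap(n) for n in group.get("virtual-ap", [])}
    ids = lookup("ids-profile", group.get("ids-profile"))
    return {
        "ap-group": ap.get("ap-group", "default"),
        "virtual-aps": vaps,
        "assoc-rate-threshold": ids["assoc-rate-threshold"],
    }


def add_auth_server(server_group, host):
    """The 'update one server group and everybody follows' case from the slide."""
    lookup("server-group", server_group)["auth-server"].append(host)


if __name__ == "__main__":
    for name in APS:
        print(name, json.dumps(resolve_ap(name), indent=2))
```

Both employee virtual APs point at the same aaa-profile, so adding a server to company-IAS once changes the auth-server list seen on every AP that carries either SSID, while the Break-room AP keeps its stricter IDS threshold through the ap-name override.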
Configuration - Summary
• What does it all fundamentally mean?
  • Per SSID/Group: enable/disable auth method
  • TKIP & AES / WPA & WPA2: any mix, any SSID, anywhere
  • Per role (thus SSID/Group): Captive Portal
  • Per SSID/Group: AAA Fastconnect
  • Per Group: RF Monitoring & IDS
  • Arbitrary partitioning of wireless services to SSIDs and/or areas
New Features - Overview
• Guest Connect
• Syslog API
• Remote-AP Enhancements
• Mesh
GuestConnect™ Ticket Printing
• Receptionist can securely provision guest access accounts
• Automatically generates guest username and password
• Prints guest ticket with customized graphics and acceptable use policy
[Diagram: a security appliance on the corporate network emits a "Virus Detected" syslog message; a syslog processor in the data center receives it and instructs the Mobility Controller cluster to quarantine the offending client]
• Integrate any security or network appliance into the Mobile Edge Architecture
• Quarantine, change role, or blacklist clients based on external processing
Per-SSID Bandwidth Contracts
• Allocates "air time" to virtual APs on a given physical AP
• SSIDs may burst above the configured limit as long as other SSIDs are not starved
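The burst-but-do-not-starve rule above, as an added worked example (not Aruba's scheduler): a work-conserving allocation in Python that first guarantees every virtual AP its contract and then water-fills the leftover air time among SSIDs that still have demand. Capacity, contracts and demands are constructed sample numbers expressed as percent of air time on one radio.

```python
"""Per-SSID bandwidth contract allocation (added example, not Aruba's scheduler).

Each virtual AP on a physical AP is guaranteed min(contract, demand); whatever
air time is left is shared by water-filling among SSIDs with unmet demand, so
one SSID can burst above its contract without taking anything another SSID is
entitled to.  All numbers are constructed and in percent of air time.
"""

EPS = 1e-9   # tolerance for floating-point leftovers

# Constructed sample contracts for one radio: 60/20/20 percent of air time.
CONTRACTS = {"corp": 60.0, "guest": 20.0, "voice": 20.0}


def allocate(capacity, contracts, demands):
    """Return the air-time share granted to each SSID.

    contracts: SSID -> guaranteed share (must not exceed capacity in total)
    demands:   SSID -> share the SSID currently wants
    """
    if sum(contracts.values()) > capacity + EPS:
        raise ValueError("contracts oversubscribe the radio")
    # Phase 1: every SSID gets what it asked for, up to its guarantee.
    grant = {s: min(demands.get(s, 0.0), contracts[s]) for s in contracts}
    left = capacity - sum(grant.values())
    # Phase 2: water-fill the remainder among SSIDs that still want more.
    while left > EPS:
        hungry = [s for s in contracts if demands.get(s, 0.0) - grant[s] > EPS]
        if not hungry:
            break                      # nobody wants more; the radio stays idle
        share = left / len(hungry)     # equal split of what is left this round
        for s in hungry:
            extra = min(share, demands[s] - grant[s])
            grant[s] += extra
            left -= extra
    return grant


def starved(contracts, demands, grant):
    """True if any SSID received less than min(contract, demand), i.e. the rule broke."""
    return any(grant[s] + EPS < min(contracts[s], demands.get(s, 0.0)) for s in contracts)


if __name__ == "__main__":
    demand = {"corp": 90.0, "guest": 40.0, "voice": 5.0}
    result = allocate(100.0, CONTRACTS, demand)
    print(result, "starved:", starved(CONTRACTS, demand, result))
```

With corp asking for 90, guest for 40 and voice for 5, voice is fully served, corp and guest each receive their contract plus half of the 15 percent left over, and the radio is never left idle while someone wants air time.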
Network Continuity Services: Remote AP
[Diagram: a Remote AP behind a DSL router in a home / nomadic office tunnels CORP and VOICE traffic across the Internet to the Mobility Controller at corporate HQ (behind the firewall/NAT, with a GUEST VLAN in the DMZ), while GUEST and Internet Services traffic is split-tunnelled straight to the Internet]
• Split tunneling for Internet traffic
• Built-in user-centric firewall
• Integrated user access control
• HotelConnect™ captive portal pass-through
Concurrently Runs Multiple Forwarding Architectures
Split control and data planes to meet application and site requirements
[Diagram: one data center controller serving four forwarding modes across an IP network and the Internet: Centralized Forwarding, Distributed Forwarding (local services), Split Tunnel Forwarding (control only back to the data center, Internet traffic local) and Remote Mesh Forwarding]
Only Integrated 802.11n Mesh
• Easy to deploy and operate
• Centralized management tools
• Centralized and distributed security
• Integrated architecture for ALL enterprise wireless needs
• Designed from the ground up for business-critical applications
[Diagram: indoor and outdoor mesh APs attached to a Mobility Controller with Secure Enterprise Mesh Module; the existing core network remains intact]
How Do I Upgrade?
• The upgrade could be complex if not planned out.
• Tools available on Aruba's Support Site:
  • 2.5 to 3.x Migration Tutorial Videos: walk you through an upgrade
  • 2.5 to 3.x Migration Tool: takes your 2.5 config, upgrades it to 3.x and reports possible issues
  • 2.5 to 3.x Migration Guide: manual that discusses the upgrade process
• Partners available to assist with or complete the upgrade for you...
MMS Evolution
[Diagram: stair-step from MMS 1.0 to MMS 2.0 to MMS 2.0 + ArubaOS 3.1]
• Interactive UI
• Monitoring
• Reporting
• Rapid Problem Scoping
• Planning
• UI L&F
• Dashboard
• Charting Improvements
• High Availability
• AAA Integration
• Location API
• Association Trails
• Remote Auth
• Configuration
• Policy Management
• Rights Partitioning
  • Service
  • Access
  • Equipment
  • Security
What Is Aruba Announcing?
[Diagram: Integrated Applications + Availability of Applications]
• Strengthened commitment to multi-vendor capability with acquisition of AirWave Wireless
  • Leading multi-vendor wireless network management software for enterprise wireless LAN, mesh, WiMax and point-to-point products from Cisco, Aruba, Motorola/Symbol, Tropos, and others
  • Builds on Aruba's existing multi-vendor partnering initiatives
  • Preserves existing infrastructure, simplifies technology migration, enables hybrid networks from multiple suppliers
• Continued growth of AirWave's stand-alone management portfolio
  • Structured as a separate product development unit
  • Focused, dedicated product development, support, and service
  • Expanded roster of supported multiple vendor products based on market share and customer demand, e.g. Cisco, Aruba, Symbol
• AirWave powering new Aruba products
  • AirWave Mobility Management System will enhance and expand the management options already available from Aruba
  • Over time new products incorporating both AirWave and Mobility Management Software technology will become available
The AirWave Universe
"Once companies do take the wireless plunge, their priorities and concerns quickly shift. If you have deployed, you know that security isn't the problem - it's the management."
Susan Breidenbach, Network World, 9 October 2006
AirWave Technology Complements Aruba's User-Centric Networks
• Simple Deployment and Maintenance
  • Automated set-up and continuous network optimization
  • Interoperates with legacy core infrastructure
• Upgradeable Design
  • Modular, software-downloadable design to support new and future technologies
• Client-to-Core Security
  • Identity-based access control: policies follow users
  • High security encryption, guest access, captive portal
  • Endpoint compliance of unmanaged devices
• Ease of Management
  • Centralized management and control
  • Multi-vendor network management
  • Supports enterprise WLAN, mesh, WiMax and p-to-p products from Cisco, Motorola/Symbol, Tropos, others
Integrating MMS and AMP
Unique Features
• Location Services: RTLS tag and API support
• Aruba profile-based configuration management
• Advanced role-based access control
• Aruba Mesh visualization
2008 Management Roadmap
• User and bandwidth usage trend reporting
• Integrated troubleshooting views
• Help desk workflow and snapshots
• Threshold based alerts
• Device location history and replay
• MoM integration: Tivoli, HP Openview & others
• Multi-tier deployment architecture
Introducing Endpoint Compliance System
• Pre- & Post-Connect Assessment: permanent and dissolvable agents scan machines for anti-virus, up-to-date definitions and additional required software prior to granting network access
• Client Remediation: isolate users that fail compliance and push them to a remediation server
• Device Registration: allow guests to register machines prior to access; correlates MAC address, IP address, username, connection location, connect time and disconnect time (CALEA compliance)
• Wired and Wireless Policy Compliance: single point of control for all wired and wireless access policies
  • Mobile Access Policies (per user)
  • Usage Policies
  • Endpoint Compliance Policies
Network Access Control (NAC)
What is NAC?
• A means of limiting access to network resources based on a user's business needs and the real-time security risk of the user or networked device
How does NAC work?
• Assess Identity: sets access privileges based on user-centric criteria so that policies move with the user and are not bound to specific ports or hardware
• Ensure Compliance: ensures that all communications are authenticated, authorized, and free from viruses, worms, and malware
• Enforce Policy: allows entry by only valid users, and quarantines/remediates unauthorized and/or harmful devices on the basis of stateful-firewall roles
What is NAC?
Identity: Auth, Role, Device, Location, Time, Application usage
Compliance: Health validation, Remediation, Ongoing compliance (Pre- & Post-Connect Assessment)
Enforcement: Policy enforcement, Quarantine

Use Cases
Managed Clients (Employees)
  Identity: 802.1x, AAA: Radius/AD
  Compliance: TCG/TNC; NAP; Proprietary protocols; Behavior evaluation
  Enforcement: Granular policy: Firewall; VLAN: 802.1X; Blacklisting
Unmanaged Clients (Guests, students)
  Identity: Captive Portal, MAC Auth
  Compliance: Third-party scanners; dissolvable agents; Behavior evaluation
  Enforcement: Granular policy: Firewall; VLAN: 802.1X; Blacklisting
Unmanageable Devices
  Identity: MAC Authentication
  Compliance: Third-party scanners; Behavior evaluation
  Enforcement: Granular policy: Firewall; VLAN: 802.1X; Blacklisting
Endpoint Compliance
For wireless and wired users
VALIDATION Checks:
• Anti-virus checks
• Anti-spyware checks
• Operating system checks
• Required software checks
• Prohibited software checks
• Microsoft
VULNERABILITY Checks:
• Nessus scans
• Custom developed scans (Blaster, Bagel, MyDoom, ASN.1, Sasser, etc.)
• Independently developed scans
Execution frequency: upon client connection, ongoing scans, reoccurring, or user definable
Aruba NAC Deployment Architecture
[Diagram: a typical corporate network. Employees and contractors on wired access switches, and wireless users through the Aruba Mobility Controller, authenticate with RADIUS / 802.1X (wired switches also send link traps); the Aruba ECS sits in front of the backend AAA (RADIUS, AD, etc.) and the Accept returns VLAN, role and VSA to the enforcement point; Voice devices, MAC-address policy enforcement and a policy enforcement firewall in front of the application server farms and the Internet are also shown]
• Interoperation with a broad range of wired switches for policy enforcement
• Guest registration, endpoint integrity assessment, quarantine and remediation for wireless & wired users
• Interoperability with existing AAA infrastructure (NAP, CNAC, TCG/TNC, etc.)
• Active role-based usage policy enforcement
• Interoperates with most client PC operating systems
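The three NAC steps (assess identity, ensure compliance, enforce policy) and the three client classes from the use-case table above, as an added worked example in Python that is not Aruba ECS code: a small policy engine that maps a client's authentication method, posture checks and post-connect behaviour alerts to a role and an enforcement action, and re-evaluates on every alert so compliance stays ongoing. The client classes, identity methods and the quarantine/blacklist actions follow the slides; the checks required per class, the role names, the MAC addresses and the blacklist threshold are constructed assumptions.

```python
"""Toy NAC policy engine: identity -> compliance -> enforcement.

Added example, not Aruba ECS code.  Client classes, identity methods and the
quarantine/blacklist actions follow the slides; REQUIRED_CHECKS, ROLE_ON_PASS,
BLACKLIST_AFTER and the sample MAC addresses are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    mac: str                       # constructed sample value
    kind: str                      # "managed" | "unmanaged" | "unmanageable"
    auth: str                      # "802.1x" | "captive-portal" | "mac-auth"
    authenticated: bool
    posture: dict = field(default_factory=dict)   # check name -> passed?
    behaviour_alerts: int = 0      # post-connect anomalies seen so far


# Identity methods the table allows for each client class.
ALLOWED_AUTH = {
    "managed": {"802.1x"},
    "unmanaged": {"captive-portal", "mac-auth"},
    "unmanageable": {"mac-auth"},
}

# Posture checks demanded before access (assumed per-class policy).  Unmanageable
# devices cannot run an agent, so only behaviour evaluation applies to them.
REQUIRED_CHECKS = {
    "managed": {"anti-virus", "definitions-current", "required-software"},
    "unmanaged": {"anti-virus"},        # dissolvable agent or third-party scan
    "unmanageable": set(),
}

ROLE_ON_PASS = {"managed": "employee", "unmanaged": "guest", "unmanageable": "device"}
BLACKLIST_AFTER = 3   # assumed: this many behaviour alerts and the client is blacklisted


def assess_identity(client: Client) -> bool:
    """Step 1: identity must be proven with a method valid for this client class."""
    return client.authenticated and client.auth in ALLOWED_AUTH[client.kind]


def failed_checks(client: Client) -> list:
    """Step 2: names of the required posture checks that did not pass."""
    return sorted(c for c in REQUIRED_CHECKS[client.kind] if not client.posture.get(c, False))


def enforce(client: Client) -> tuple:
    """Step 3: return (role, action).

    Called at connect time and again after every behaviour alert, which is what
    turns a one-off admission check into ongoing compliance.
    """
    if not assess_identity(client):
        return ("logon", "deny")                       # stays in the pre-auth role
    if client.behaviour_alerts >= BLACKLIST_AFTER:
        return ("blacklisted", "blacklist")            # repeat offender is cut off
    missing = failed_checks(client)
    if missing:
        return ("quarantine", "remediate:" + ",".join(missing))
    return (ROLE_ON_PASS[client.kind], "permit")


def report_alert(client: Client) -> tuple:
    """Post-connect behaviour evaluation: record one alert and re-run enforcement."""
    client.behaviour_alerts += 1
    return enforce(client)


if __name__ == "__main__":
    laptop = Client("00:11:22:33:44:55", "managed", "802.1x", True,
                    {"anti-virus": True, "definitions-current": False, "required-software": True})
    print(laptop.mac, enforce(laptop))
    printer = Client("00:11:22:33:44:77", "unmanageable", "mac-auth", True)
    for _ in range(BLACKLIST_AFTER):
        print(printer.mac, report_alert(printer))
```

A managed laptop with stale definitions lands in the quarantine role with the failing check named in the remediation action; a MAC-authenticated printer passes with no posture checks but is blacklisted once its behaviour alerts reach the threshold.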
WIP Phase 2: Network Chemistry Asset Acquisition
• Sensor software integration into Aruba APs
• RFprotect console integration into Aruba MMS
Network Chemistry Acquisition
• RFprotect Mobile: portable laptop-based analyzer for automating site surveys, security assessments, and incident response
• RFprotect Distributed: 24/7 wireless monitoring and intrusion prevention system for protecting against wireless threats in and around enterprise facilities
RFprotect™ Distributed
• Automatically defends against wireless threats and vulnerabilities
• Wireless security policy enforcement
• Flexible policy and alarm management
• Auto rogue management
• Extensive regulatory compliance reporting
• Enterprise-class scalability
• Provides rapid deployment, ease-of-use and low TCO
Tightly integrated with RFprotect Mobile, improving incident response and efficiency
Industry's Largest Detection Library
"Network Chemistry has a comprehensive attack signature set, detecting and accurately classifying the most attacks [of all the products reviewed]" - Network Computing Magazine, Product Lab Comparison, June 2005
Aruba ensures attack currency with WVE
Dashboard gives real-time view of wireless health
Save time and reduce resource needs through a unified dashboard view of critical security metrics (including violations, exceptions, and anomalies)
• Classification summary
• Filter by location
• Network performance
• Security and remediation metrics
• System health and recent events (including what is being shielded)
Comprehensive Auditing and Reporting
Automate Operations, Meet Compliance Requirements
• Provides a full range of reports on network operations including security management, performance, policy enforcement, alerts, and asset management
• Pre-configured compliance reports, e.g. DoDD 8100.2, HIPAA, GLBA, PCI DSS
• The ideal auditing tool: archives all measurements into the database and creates reports that indicate when a security policy is violated
• Open database architecture with Crystal Reports front-end allows the creation of custom reporting
• Report flexibility to filter by device, device type, location, alert severity, day and time
• Reports can be exported in multiple formats including those for application integration
• User Report Formats:
  • PDF
  • Crystal reports
  • HTML 3.2
  • HTML 4.0
  • MS Excel 97-2000
  • MS Excel 97-2000 (Data only)
  • MS Word
  • Rich Text Format (RTF)
  • Tab-separated text
  • Text
• Application Formats:
  • Application
  • Disk file
  • Exchange Folder
  • MAPI
Integration Plan for RFProtect™ Distributed
NOW
• Re-brand RFProtect Server and sensor
• Port sensor software to AP-70
  • AP functions as dedicated sensor only
• EOL dedicated sensor hardware
Q1 FY 08
• Integrated sensor functionality with AP software
  • All Aruba APs can multi-task as sensors
  • Customer can also configure some APs as dedicated sensors
Q2 FY 08
• Integration of server functionality into MMS
Q3/4 FY 08
RFprotect™ Mobile
Hunt down rogues quickly with RFProtect Mobile
• Walk-around vulnerability management tool
• Ensures accurate RF site surveys and detailed WLAN troubleshooting
• Coordinates with a GPS device to keep track of the surveyor's location while conducting an outdoor survey
• Provides analysis across all 802.11 a/b/g channels and Bluetooth
• Accelerates threat response and mitigation with visual/audio "real-time" signal metering
Wireless Enterprise Mobility Adoption Continuum
[Chart: adoption stages plotted against # of network users, from No Use / No Wireless Policy through Guest Access, Corporate HotSpots, Pervasive Employee Access and Primary Access Method to All-wireless workplace; the driver shifts from Convenience to Business-Critical to Reduce Costs]
A New Inflection Point In Enterprise Mobility
• Right Technology: WLAN more secure than wired, as reliable as wired, equal to or faster than wired
• Right Time
= A new industry architecture for enterprise mobility using 802.11n as the primary access method
Wireless Is The Only Viable Network
[Chart: Network Value plotted against Applications for Campus, Retail and Home]
Applications:
• Guest Services
• Voice Service
• Access
• Broadcast Video
• Wireless Rogue Prevention
• Emergency Response
• Location Services
• Video Surveillance
• Student information systems
• Adds/Moves/Changes
• Learning Management
• Student Communications
802.11n Makes It Possible: Eliminate the Mobility Tax
• Exceeds the throughput of fast Ethernet
  • Over 5x throughput
  • Handle dense environments like lecture halls more easily
• Extends network coverage indoor and out
  • Over 2x range
  • Improves coverage to outdoor and RF-challenged indoor areas
• Improves reliability for critical applications
• Makes convergence of data, voice and video a reality
ARM Enables a Smooth Migration Path to 'n'
• 802.11n Replacement (existing 802.11a/g access points swapped for new 802.11n access points)
  • Reuse existing cabling and PoE infrastructure with AP-120 series
  • Point substitution for speed-spots or network-wide substitution
• 802.11n Greenfield (new 802.11n access points only)
  • No site surveys needed
  • RF planning tool provides estimates of AP placement
  • ARM does fine tuning
• 802.11n Overlay (new 802.11n access points alongside existing 802.11a/g access points)
  • 5 GHz operation makes it easy to co-exist with legacy WLAN
  • ARM ensures seamless integration into the RF domain