WINS Monthly Meeting 03_07_2008


Transcript WINS Monthly Meeting 03_07_2008

WINS
Monthly Meeting
www2.widener.edu/wins
http://events.internet2.edu/index.cfm
03/07/2008
Agenda
• Introductions
• ISP Update
• Caching Plans
• Spring Break
• Aruba Wireless Solutions
• Question & Answers
Introductions
• Name
• Title
• Location
• New Widener Tech Resources staff member: Jason Buttacavoli
  – Cell 856-889-1336
  – Office 610-499-1040
ISP Update
• Level3 contract approved!
• Yipes 150 Mbps circuit will be replaced with Level3 250 Mbps
• Yipes Internet2 20 Mbps will be replaced with Level3 20 Mbps
• SNIP upgrade from 40 Mbps to 100 Mbps
• Install and cutover dates and times to be determined
• Hope to have Level3 at the May 2nd WINS meeting?
Caching Plans
• Currently steering only HTTP (TCP port 80) to the Bluecoat cache server
• HTTPS (TCP port 443) is not steered, so HTTPS sites must be blocked in the firewall by IP address; the user gets no "blocked" message, and every other site hosted on that IP is blocked as well
• Bluecoat solution: stop steering and go in-line
• Bluecoat concern: the current model may not be able to handle the FULL load
• Widener best effort: capital request is in to get a new box that can handle it
• Widener worst case: use the current box(es) and distribute traffic as required
• Districts currently requiring content filtering: Chester Upland, Haverford, Marple, Penn Delco, Radnor, Ridley, Rosetree, Springfield, Upper Darby
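Why the "by IP address, no blocked message" point matters, as an added worked example (this is not part of the meeting notes and not Bluecoat or Fortinet tooling): only TCP/80 reaches the cache, so an HTTPS request is decided at the firewall on the destination IP alone. The firewall cannot see the hostname, cannot return a block page, and cannot tell two hostnames on one IP apart. The script resolves a hostname blocklist into IP rules and refuses to emit any rule whose IP also serves an allowed hostname. The hostnames, addresses, the FAKE_DNS table and the rule syntax are all constructed for the example; a real run would replace FAKE_DNS with live lookups and repeat them on a schedule, because hosted sites change address.

```python
"""Added example: IP-based blocking of HTTPS sites with an overblocking check.

When only TCP/80 is steered to a cache, TCP/443 never sees the proxy, so the
firewall must block on destination IP. One IP often hosts many names, so
each candidate rule is checked for allowed names that would be caught too.
Everything here (names, addresses, rule syntax) is constructed.
"""
from collections import defaultdict

# Constructed stand-in for DNS so the example runs offline. In practice,
# resolve with the same resolver the clients behind the firewall use.
FAKE_DNS = {
    "blocked.example.org": ["203.0.113.10", "203.0.113.11"],
    "games.example.net":   ["198.51.100.5"],
    "library.example.edu": ["198.51.100.5"],   # shares an IP with games.example.net
    "mail.example.edu":    ["192.0.2.25"],
}


def resolve(name, dns=FAKE_DNS):
    """Return the set of addresses a hostname resolves to (empty if unknown)."""
    return set(dns.get(name, []))


def build_ip_blocklist(blocked_hosts, allowed_hosts, dns=FAKE_DNS):
    """Return (rules, conflicts).

    rules     : sorted IPs that are safe to block on TCP/443
    conflicts : {ip: sorted allowed hostnames that also resolve to ip}; these
                IPs are withheld, because a firewall rule on the IP alone
                cannot distinguish the blocked name from the allowed one.
    """
    ip_to_blocked = defaultdict(set)
    for host in blocked_hosts:
        for ip in resolve(host, dns):
            ip_to_blocked[ip].add(host)

    conflicts = {}
    for host in allowed_hosts:
        for ip in resolve(host, dns):
            if ip in ip_to_blocked:
                conflicts.setdefault(ip, set()).add(host)

    rules = sorted(ip for ip in ip_to_blocked if ip not in conflicts)
    return rules, {ip: sorted(names) for ip, names in conflicts.items()}


def render_rules(rules):
    """Render as illustrative deny rules (generic ACL-style text, not any
    particular firewall's syntax)."""
    return [f"deny tcp any host {ip} eq 443" for ip in rules]


if __name__ == "__main__":
    rules, conflicts = build_ip_blocklist(
        blocked_hosts=["blocked.example.org", "games.example.net"],
        allowed_hosts=["library.example.edu", "mail.example.edu"],
    )
    print("\n".join(render_rules(rules)))
    for ip, names in conflicts.items():
        print(f"# withheld {ip}: also serves allowed {', '.join(names)}")
```

The withheld list is the part worth reviewing by hand: either the allowed site gets moved off the shared address (not under your control) or the district accepts the collateral block, and either way the decision is recorded rather than silently made by the rule generator.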
Spring Break
• Annual event at Widener to stay fresh
• Chance to test WINS 8600 and FW code
  – Fortinet 800 and 3600: version 3.0 MR4 to MR6
  – Nortel 4.1.1.0 to 4.1.5.4
Aruba Wireless Solutions
Michael Mulroy
Territory Manager
Aruba Networks
215-853-2552
www.arubanetworks.com
Presentation
Aruba Product and
Solutions Update
People Move. Networks Must Follow.™
© Copyright 2008. Aruba Networks, Inc. All rights reserved
Agenda
• 2.5 to 3.x Transition
– 3.x New Features/Enhancements
• Aruba Acquisitions and New Products
– ECS
– Airwave
– Network Chemistry
• The Buzz around 802.11n
• Q&A
2.5 to 3.x Transition
AP Names & AP Groups
• No more B.F.N notation (the building.floor.number location codes such as AP=1.3.3)
• APs now have a single GROUP
• APs now have a single NAME
• Both are alphanumeric text strings; you name them however it makes sense for your network
• Example from the slide: the locations G floor = #1 and 1st floor = #2 become the AP names Bldg-West_G-floor and Bldg-West_1st-floor
The Advantage Of AP-Groups
Group the APs by logical function, not by floors
1. Define your services
   • Employee WPA/2
   • Guest Access
2. Apply them where and when you want
   • Employee coverage everywhere
   • Guest access in conference rooms
   • Guest access in reception from 9:00 to 17:00
APs are now grouped however you like, not just by floor, e.g.
• Cubicles
• Conference Rooms
• Reception
• Open Space
Configuration Prior to 3.x
• In AOS <3.x, the services over the air from an AP were determined by 2 major groups of settings:
  – Network-wide settings such as IDS, fast-roaming, mobility, XML API, derivation rules, auth-server, AAA FastConnect, bandwidth contracts
  – AP location settings such as ESSID, opmode, channel, ARM, tx-rates, voip-cac, static keys, Virtual-APs
• Virtual-APs were an add-on that lets you support multiple BSSIDs, with limited configuration that varies per release
(Diagram: location tree with the network-wide settings at 0.0.0, then 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3 … and 1.2.1, 1.2.2 …; AP 1.1.3 highlighted)
Groups and Profiles
• The hierarchy is now in the configuration
• Define your virtual-ap, QoS, RF, IDS, AP settings and apply them to all APs in your group
• Highly scalable since complexity is grouped into named profiles; just apply one profile and all the rest follow
• See the hierarchy with "show profile-hierarchy"
(Diagram: each AP-Group references the virtual-ap-profiles emp-WPA, emp-WPA2 and guest; each virtual-ap-profile references an ssid-profile and an aaa-profile; aaa-profile company-dot1x references the dot1x auth-profile, which references server-group company-IAS; the guest aaa-profile references captive-portal profile guest-cap on the internal-CP)
• All profiles completely modular and re-usable: define an aaa profile and apply it to multiple virtual APs
• All unspecified profiles are taken to be "default"
• Ease of partitioning responsibilities
• Links in with MMS 2.0 configuration
• AP-name overrides AP-Group: e.g. 2 APs share dot1x but have different SSIDs (AP "Jacks_Office" overrides its group)
(Diagram of the profile tree under AP-Group: VirtualAP (SSID, AAA, WMM); RF Mgmt (a/g radio settings, ARM, optimisation, regulatory, event thresholds); AP (system profile, Ethernet, WiredAP, SNMP); QoS (VoIP); IDS (signatures, DOS, impersonation, unauthorised); AAA (authentication, ServerGroup, XML-API))
•
2.x could only have most settings network-wide:
aaa dot1x auth-server foo1
–
–
•
Profiles let you re-use settings for ease of maintanance:
–
–
•
Sets the 802.1x auth server for the entire network
wms assoc-rate-threshold 15
Sets the IDS rate threshold for association frames for the entire network
Define a campus wide server-group for authentication and apply it to all chemistry &
engineering & arts groups
The rest of the settings can be defined as new or previously existing profiles, but to
add a new authentication server for everybody, you now can update only your one
server group
Virtual APs are now indistinguishable from the real AP
– Physical parameters (channel/RF etc.) are now independent
– EVERYTHING is now per Virtual-AP (e.g. basic-rates, tx-rates, fast-roaming, mobility, XML API, derivation rules, MAC-auth, AAA FastConnect, OKC, bandwidth contracts, etc.)
– Enable/disable each virtual-ap at will
– No more single network-wide logon role: each virtual AP has its own default role, and captive portal parameters are configured per-role
Configuration - Summary
• What does it all fundamentally mean?
– Per SSID/Group Enable/disable auth method
– TKIP & AES / WPA & WPA2 in any mix, on any SSID, anywhere
– Per role (thus SSID/Group) Captive Portal
– Per SSID/Group AAA Fastconnect
– Per Group RF Monitoring & IDS
– Arbitrary partitioning of Wireless Services to
SSIDs and/or Areas
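A small model of the profile hierarchy, added here as a worked example (not Aruba code; the profile and group names follow the slides, while the settings inside them, the two AP names and the AP-to-group mapping are assumed). It shows the two properties the slides claim: a setting lives in exactly one named profile, so adding an auth server to the one server-group reaches every ap-group that references it, and an ap-name entry overrides its ap-group while anything unspecified falls back to "default".

```python
"""Added example, not Aruba code: a model of the ArubaOS 3.x profile hierarchy.
Profile/group names follow the slides; the settings inside them, the AP names
and the AP-to-group mapping are assumed for illustration."""
from copy import deepcopy

# Leaf profiles, each referenced by name from the level above it.
SERVER_GROUPS = {"company-IAS": {"auth-servers": ["ias1"]},
                 "default": {"auth-servers": []}}
DOT1X_PROFILES = {"company-dot1x": {"termination": False},
                  "default": {"termination": False}}
AAA_PROFILES = {
    "emp-WPA2": {"dot1x": "company-dot1x", "server-group": "company-IAS", "initial-role": "logon"},
    "guest":    {"dot1x": None,            "server-group": "default",     "initial-role": "guest-cap"},
    "default":  {"dot1x": None,            "server-group": "default",     "initial-role": "logon"},
}
SSID_PROFILES = {"emp-WPA2": {"essid": "Employee", "opmode": "wpa2-aes"},
                 "guest":    {"essid": "Guest",    "opmode": "opensystem"}}
VIRTUAL_APS = {"emp-WPA2": {"ssid-profile": "emp-WPA2", "aaa-profile": "emp-WPA2"},
               "guest":    {"ssid-profile": "guest",    "aaa-profile": "guest"}}
AP_GROUPS = {"Cubicles":         {"virtual-aps": ["emp-WPA2"]},
             "Conference-Rooms": {"virtual-aps": ["emp-WPA2", "guest"]}}
# ap-name settings: bound to one physical AP, applied on top of its ap-group
# (assumed names; "Jacks_Office" is the slide's example of a per-AP override).
AP_NAME_OVERRIDES = {"Jacks_Office": {"virtual-aps": ["emp-WPA2", "guest"]}}
AP_TO_GROUP = {"AP-Cube-1": "Cubicles", "Jacks_Office": "Cubicles"}


def resolve_vap(vap_name):
    """Follow the reference chain virtual-ap -> ssid/aaa -> dot1x + server-group.
    A reference to a profile that does not exist resolves to "default"."""
    vap = VIRTUAL_APS[vap_name]
    aaa = AAA_PROFILES.get(vap["aaa-profile"], AAA_PROFILES["default"])
    dot1x = DOT1X_PROFILES.get(aaa["dot1x"] or "default", DOT1X_PROFILES["default"])
    sg = SERVER_GROUPS.get(aaa["server-group"], SERVER_GROUPS["default"])
    return {"ssid": dict(SSID_PROFILES[vap["ssid-profile"]]),
            "initial-role": aaa["initial-role"],
            "dot1x": dict(dot1x),
            "auth-servers": list(sg["auth-servers"])}


def effective_config(ap_name):
    """ap-name settings override the ap-group's; everything else comes from the group."""
    merged = deepcopy(AP_GROUPS[AP_TO_GROUP[ap_name]])
    merged.update(AP_NAME_OVERRIDES.get(ap_name, {}))
    return {vap: resolve_vap(vap) for vap in merged["virtual-aps"]}


def add_auth_server(server_group, server):
    """The single edit that reaches every ap-group whose aaa-profile references this server-group."""
    SERVER_GROUPS[server_group]["auth-servers"].append(server)


if __name__ == "__main__":
    for ap in AP_TO_GROUP:
        print(ap, {v: c["auth-servers"] for v, c in effective_config(ap).items()})
    add_auth_server("company-IAS", "ias2")        # one change ...
    for ap in AP_TO_GROUP:                        # ... visible on every AP that references the group
        print(ap, {v: c["auth-servers"] for v, c in effective_config(ap).items()})
```

The security-relevant habit this encourages is the one the slide calls partitioning of responsibilities: the team that owns RADIUS edits one server-group, and nobody has to touch SSID, role or radio settings to do it, which is where copy-and-paste mistakes in a flat 2.x configuration used to hide.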
New Features - Overview
• Guest Connect
• Syslog API
• Remote-AP Enhancements
• Mesh
GuestConnect
• Receptionist can securely provision guest access accounts
• Automatically generates guest username and password
• Prints guest ticket with customized graphics and acceptable use policy
(GuestConnect™ ticket printing)
Syslog Processor
(Diagram: a security appliance in the data center sends syslog to the Mobility Controller cluster, which moves the offending client from the corporate network into quarantine)
• Integrate any security or network appliance into the Mobile Edge Architecture
• Quarantine, change role, or blacklist clients based on external processing
Per-SSID Bandwidth Contracts
• Allocates "air time" to virtual APs on a given physical AP
• SSIDs may burst above the configured limit as long as other SSIDs are not starved
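The burst-but-don't-starve rule, as an added example that is not Aruba's algorithm: each SSID is guaranteed min(demand, contract) of the radio's airtime, and whatever the others leave idle is lent out in proportion to the contracts. The SSID names and numbers are made up; the point is that a guaranteed share is a floor, not a cap, that the grants never add up to more than the radio, and that a contract set which over-subscribes the radio is rejected rather than silently scaled.

```python
"""Added example (not Aruba's implementation): a work-conserving airtime
allocation for the virtual APs on one radio. Contracts are guaranteed
fractions of airtime; unused share is redistributed to SSIDs that want more,
weighted by their contracts, so bursting never takes a guaranteed share away
from anyone. Names and numbers are constructed."""


def allocate_airtime(contracts, demand):
    """contracts: {ssid: guaranteed fraction of airtime}, summing to <= 1.0
    demand:    {ssid: fraction of airtime the SSID could use right now}
    Returns {ssid: fraction granted}. Properties:
      * every SSID gets at least min(demand, contract)
      * idle airtime is lent out, never wasted
      * sum of grants <= 1.0
    """
    if sum(contracts.values()) > 1.0 + 1e-9:
        raise ValueError("contracts over-subscribe the radio")
    want = {s: demand.get(s, 0.0) for s in contracts}
    grant = {s: min(want[s], contracts[s]) for s in contracts}
    spare = 1.0 - sum(grant.values())          # airtime nobody has claimed yet

    # Hand the spare out in rounds, weighted by contract, to SSIDs still hungry.
    # Each round either exhausts the spare or fully satisfies at least one SSID,
    # so len(contracts) rounds are always enough.
    for _ in range(len(contracts)):
        hungry = {s: want[s] - grant[s] for s in contracts if want[s] > grant[s] + 1e-9}
        if not hungry or spare <= 1e-9:
            break
        weight = sum(contracts[s] for s in hungry)
        given = 0.0
        for s, short in hungry.items():
            extra = min(short, spare * contracts[s] / weight)
            grant[s] += extra
            given += extra
        spare -= given
    return {s: round(v, 6) for s, v in grant.items()}


if __name__ == "__main__":
    contracts = {"emp-WPA2": 0.6, "guest": 0.2, "voice": 0.2}   # constructed
    # Employees saturating the air, guests light, voice idle: employees burst
    # to 0.95 while guests still get everything they asked for.
    print(allocate_airtime(contracts, {"emp-WPA2": 1.0, "guest": 0.05, "voice": 0.0}))
    # Everyone saturating: the grants collapse to exactly the contracts.
    print(allocate_airtime(contracts, {"emp-WPA2": 1.0, "guest": 1.0, "voice": 1.0}))
```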
Network Continuity Services: Remote AP
(Diagram: Remote AP behind a DSL router in a home / nomadic office; CORP and VOICE traffic is split-tunneled across the Internet, through the firewall/NAT, to the Mobility Controller at Corporate HQ; GUEST traffic goes straight to Internet services via the guest VLAN / DMZ)
• Split tunneling for Internet traffic
• Built-in user-centric firewall
• Integrated user access control
• HotelConnect™ captive portal pass-through
Concurrently Runs Multiple Forwarding Architectures
• Split control and data planes to meet application and site requirements
(Diagram: Data Center mobility controller reached over the IP network / Internet; forwarding modes: Centralized Forwarding, Distributed Forwarding (control only to the controller, local services over Ethernet), Split Tunnel Forwarding, Remote Mesh Forwarding)
Only Integrated 802.11n Mesh
• Mobility Controller with Secure Enterprise Mesh Module
• Existing core network remains intact
• Easy to deploy and operate
• Centralized management tools
• Centralized and distributed security
• Integrated architecture for ALL enterprise wireless needs
• Designed from the ground up for business-critical applications
How Do I Upgrade?
• Upgrade could be complex if not planned out.
• Tools available on Aruba's Support Site:
  – 2.5 to 3.x Migration Tutorial Videos: walk you through an upgrade
  – 2.5 to 3.x Migration Tool: takes your 2.5 config, converts it to 3.x and presents possible issues
  – 2.5 to 3.x Migration Guide: manual that discusses the upgrade process
Introducing MMS 2.0
MMS Evolution
• MMS 1.0: Interactive UI, Monitoring, Reporting, Rapid Problem Scoping, Planning
• MMS 2.0 + ArubaOS 3.1: UI L&F, Dashboard, Charting Improvements, High Availability, AAA Integration, Location API, Association Trails, Remote Auth, Configuration, Policy Management
• MMS 2.0 Rights Partitioning: Service, Access, Equipment, Security
New Aruba Products!
What Is Aruba Announcing?
• Strengthened commitment to multi-vendor capability with acquisition of AirWave Wireless (graphic: Aruba + AirWave: integrated applications, availability of applications)
  – Leading multi-vendor wireless Network Management Software for enterprise wireless LAN, mesh, WiMax and point-to-point products from Cisco, Aruba, Motorola/Symbol, Tropos, and others
  – Builds on Aruba's existing multi-vendor partnering initiatives
  – Preserves existing infrastructure, simplifies technology migration, enables hybrid networks from multiple suppliers
• Continued growth of AirWave's stand-alone management portfolio
  – Structured as a separate product development unit
  – Focused, dedicated product development, support, and service
  – Expanded roster of supported multiple vendor products based on market share and customer demand, e.g. Cisco, Aruba, Symbol
• AirWave powering new Aruba products
  – AirWave Mobility Management System will enhance and expand the management options already available from
The AirWave Universe
"Once companies do take the wireless plunge, their priorities and concerns quickly shift. If you have deployed, you know that security isn't the problem - it's the management."
Susan Breidenbach, Network World, 9 October 2006
AirWave Technology Complements Aruba's User-Centric Networks
• Simple Deployment and Maintenance
  – Automated set-up and continuous network optimization
  – Interoperates with legacy core infrastructure
• Upgradeable Design
  – Modular, software-downloadable design to support new and future technologies
• Client-to-Core Security
  – Identity-based access control: policies follow users
  – High security encryption, guest
Integrating MMS and AMP Unique Features
• Location Services: RTLS tag and API support
• Aruba profile-based configuration management
• Advanced role-based access control
• Aruba Mesh visualization
2008 Management Roadmap
• User and bandwidth usage trend reporting
• Integrated troubleshooting views
• Help desk workflow and snapshots
• Threshold-based alerts
• Device location history and replay
• MoM integration: Tivoli, HP OpenView & others
• Multi-tier deployment architecture
Introducing Endpoint Compliance System
• Permanent and dissolvable agents
• Pre- & Post-Connect Assessment: scan machines for anti-virus, up-to-date definitions, additional required software prior to granting network access
• Client Remediation: isolate users that fail compliance and push to remediation server
• Device Registration: allow guests to register machines prior to access. Correlates MAC address, IP address, username, connection location, connect time, disconnect time (CALEA compliance)
• Wired and Wireless Policy Compliance: single point of control for all wired and wireless access policies
  – Mobile access policies (per user)
  – Usage policies
  – Endpoint compliance policies
Network Access Control (NAC)
What is NAC?
– A means of limiting access to network resources based on a user's business needs and the real-time security risk of the user or networked device
How does NAC work?
– Assess Identity: sets access privileges based on user-centric criteria so that policies move with the user and are not bound to specific ports or hardware
– Ensure Compliance: ensures that all communications are authenticated, authorized, and free from viruses, worms, and malware
What is NAC? Use Cases
(Table reconstructed from the slide; rows are Identity (auth, role, device, location, time, application usage), Compliance (health validation, remediation, ongoing compliance) and Enforcement (policy enforcement, quarantine))
Managed Clients (Employees)
– Identity: 802.1x; AAA: RADIUS/AD
– Compliance: TCG/TNC; NAP; proprietary protocols; behavior evaluation
– Enforcement: granular policy: firewall; VLAN: 802.1X; blacklisting
Unmanaged Clients (Guests, students)
– Identity: captive portal, MAC auth
– Compliance: third-party scanners; dissolvable agents; behavior evaluation
– Enforcement: granular policy: firewall; VLAN: 802.1X; blacklisting
Unmanageable Devices
– Identity: MAC authentication
– Compliance: third-party scanners; behavior evaluation
– Enforcement: granular policy: firewall; VLAN: 802.1X; blacklisting
Pre- & Post-Connect Assessment
Endpoint Compliance for Wireless and Wired users
Execution frequency: upon client connection, ongoing scans, reoccurring, or user definable
VALIDATION checks:
• Anti-virus checks
• Anti-spyware checks
• Operating system checks
• Required software checks
• Prohibited software checks
VULNERABILITY checks:
• Nessus scans
• Custom developed scans
• Independently developed scans
• Microsoft: Blaster, Bagle, MyDoom, ASN.1, Sasser, etc.
Aruba NAC Deployment
Typical Corporate Network Architecture
(Diagram: wired access through a switch and wireless access through the Aruba Mobility Controller for employees, contractors, voice and guests; the Aruba ECS sits beside the backend AAA (RADIUS, AD, etc.) and returns Accept with VLAN, Role and VSA; enforcement by RADIUS, link trap, 802.1X and MAC-address on the wired side and by the Policy Enforcement Firewall on the controller; application server farms and the Internet behind)
• Interoperation with a broad range of wired switches for policy enforcement
• Interoperates with most client PC operating systems
• Active role-based usage policy enforcement
• Registration, endpoint integrity assessment, quarantine, remediation for wireless & wired users
• Interoperability with existing AAA infrastructure (NAP, CNAC, TCG/TNC, etc.)
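One way to turn the slides' identity-plus-compliance model into a role decision, added here as an example (not ECS code; the policy thresholds, check names and the sample posture records are constructed). Identity picks the candidate role; for roles that require posture, any failed validation check sends the client to a quarantine role together with the list of failures that the remediation server would act on, while guests skip the agent scan and get registration instead, as the use-case table describes. An identity the policy does not know falls through to guest rather than to employee.

```python
"""Added example (not Aruba ECS code): posture-to-role decision in the shape
the NAC slides describe. Identity selects the candidate role; the pre-connect
assessment (AV present and current, required software present, prohibited
software absent) decides whether the client keeps it or is quarantined.
Policy values, check names and the sample clients are constructed."""
from datetime import date

POLICY = {                                   # constructed policy
    "max_definition_age_days": 7,
    "required_software": {"patch-agent"},
    "prohibited_software": {"p2p-client"},
}
ROLE_BY_IDENTITY = {"employee": "employee", "contractor": "contractor", "guest": "guest"}
ENFORCED_POSTURE = {"employee", "contractor"}   # guests are registered, not agent-scanned


def assess(posture, policy, today):
    """Return the list of failed validation checks; empty means compliant.
    Check names are stable strings so a remediation server can key on them."""
    failures = []
    if not posture.get("av_installed"):
        failures.append("antivirus-missing")
    else:
        age = (today - posture["av_definitions_date"]).days
        if age > policy["max_definition_age_days"]:
            failures.append(f"antivirus-definitions-stale:{age}d")
    installed = set(posture.get("software", []))
    for pkg in sorted(policy["required_software"] - installed):
        failures.append(f"required-missing:{pkg}")
    for pkg in sorted(policy["prohibited_software"] & installed):
        failures.append(f"prohibited-present:{pkg}")
    return failures


def decide_role(identity, posture, policy=POLICY, today=None):
    """Map (who, posture) -> (role, failures). Unknown identities get the guest
    role: the safe default is the least-privileged one, never employee."""
    today = today or date.today()
    role = ROLE_BY_IDENTITY.get(identity, "guest")
    if role not in ENFORCED_POSTURE:
        return role, []
    failures = assess(posture, policy, today)
    return ("quarantine" if failures else role), failures


TODAY = date(2008, 3, 7)   # constructed reference date matching the meeting
SAMPLE_CLIENTS = {         # constructed posture records as an agent might report them
    "alice-laptop":     ("employee",   {"av_installed": True, "av_definitions_date": date(2008, 3, 5),
                                        "software": ["patch-agent"]}),
    "bob-laptop":       ("employee",   {"av_installed": True, "av_definitions_date": date(2008, 2, 26),
                                        "software": ["patch-agent", "p2p-client"]}),
    "carol-contractor": ("contractor", {"av_installed": False, "software": []}),
    "visitor-1":        ("guest",      {}),
}


def decide_all(clients=SAMPLE_CLIENTS, today=TODAY):
    """Run the decision over every sample client; returns {name: (role, failures)}."""
    return {name: decide_role(identity, posture, today=today)
            for name, (identity, posture) in clients.items()}


if __name__ == "__main__":
    for name, (role, failures) in decide_all().items():
        print(f"{name:18s} -> {role:10s} {failures}")
```

The quarantine role in a real deployment is a firewall role that permits only the remediation server, DNS and the captive portal; the failure list is what tells the user (and the help desk) why they landed there, which is the part most NAC rollouts get wrong first.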
Network Chemistry Acquisition: WIP Phase 2
• Sensor software integration into Aruba APs
• RFprotect console integration into Aruba MMS
Network Chemistry Acquisition
• RFprotect Distributed: 24/7 wireless monitoring and intrusion prevention system for protecting against wireless threats in and around enterprise facilities
• RFprotect Mobile: portable laptop-based analyzer for automating site surveys, security assessments, and incident response
RFprotect™ Distributed
• Automatically defends against wireless threats and vulnerabilities
• Wireless security policy enforcement
• Flexible policy and alarm management
• Auto rogue management
• Extensive regulatory compliance reporting
• Enterprise-class scalability
• Provides rapid deployment, ease-of-use and low TCO
Tightly integrated with RFprotect Mobile, improving incident response and efficiency
Industry's Largest Detection Library
"Network Chemistry has a comprehensive attack signature set, detecting and accurately classifying the most attacks [of all the products reviewed]"
- Network Computing Magazine, Product Lab Comparison, June 2005
Aruba ensures attack currency with WVE (the Wireless Vulnerabilities and Exploits database)
Dashboard gives real-time view of wireless health
(Dashboard screenshot: classification summary, filter by location, network performance, security and remediation metrics, system health and recent events, including what is being shielded)
Save time and reduce resource needs through a unified dashboard view of critical security metrics (including violations, exceptions, and anomalies)
Comprehensive Auditing and Reporting
• Provides a full range of reports on network operations including security management, performance, policy enforcement, alerts, and asset management
• Pre-configured compliance reports, e.g. DoDD 8100.2, HIPAA, GLBA, PCI DSS
• The ideal auditing tool: archives all measurements into the database and creates reports that indicate when a security policy is violated
• Open database architecture with Crystal Reports front-end allows the creation of custom reporting
• Report flexibility to filter by device, device type, location, alert severity, day and time
• Reports can be exported in multiple formats including those for application integration
Application Formats:
• Application
• Disk file
• Exchange Folder
• MAPI
User Report Formats:
• PDF
• Crystal Reports
• HTML 3.2
• HTML 4.0
• MS Excel 97-2000
• MS Excel 97-2000 (data only)
• MS Word
• Rich Text Format (RTF)
• Tab-separated text
• Text
Automate Operations, Meet Compliance Requirements
Integration Plan for RFProtect™ Distributed
(Timeline, left to right: NOW, Q1 FY08, Q2 FY08, Q3/4 FY08)
• Re-brand RFProtect server and sensor
• Port sensor software to AP-70
• AP functions as dedicated sensor only
• EOL dedicated sensor hardware
• Integrated sensor functionality with AP software
• All Aruba APs can multi-task as sensors
• Customer can also configure some APs as dedicated sensors
• Integration of server functionality into MMS
RFprotect™ Mobile
Hunt Down Rogues Quickly with RFProtect Mobile
• Walk-around vulnerability management tool
• Ensures accurate RF site surveys and detailed WLAN troubleshooting
• Coordinates with a GPS device to keep track of the surveyor's location while conducting an outdoor survey
• Provides analysis across all 802.11 a/b/g channels and Bluetooth
• Accelerates threat response and mitigation with visual/audio "real-time" signal metering
802.11n – High Speed but what's the Risk?
Enterprise Mobility Adoption Continuum
(Chart: number of network users against stage of adoption. Wired: no use. Wireless: No Use, then Convenience (corporate hotspots, no wireless guest policy / access), then Business-Critical (pervasive employee access, primary access method), then Reduce Costs (all-wireless workplace))
A New Inflection Point In Enterprise Mobility
• Right Technology: more secure than wired, as reliable as wired, equal to or faster than wired
• Right Time: (chart: Worldwide Wireless Laptop Shipments in million units, 2004 through 2010, WLAN series, y-axis 0 to 140)
• A new industry architecture for enterprise mobility using 802.11n as the primary access method
Wireless Is The Only Viable Network
(Diagram: network value of campus and retail wireless applications: guest services, rogue prevention, location services, student information systems, learning management, home access, voice service, broadcast video, emergency response, video surveillance, adds/moves/changes, student communications)
802.11n Makes It Possible: Eliminate the Mobility Tax
• Exceeds the throughput of Fast Ethernet
  – Over 5x throughput
  – Handle dense environments like lecture halls more easily
• Extends network coverage indoors and out
  – Over 2x range
  – Improves coverage to outdoor and RF-challenged indoor areas
• Improves reliability for critical applications
ARM Enables a Smooth Migration Path to 'n'
• 802.11n Overlay (new 802.11n access points alongside existing 802.11a/g access points)
  – 5 GHz operation makes it easy to co-exist with the legacy WLAN
  – ARM ensures seamless integration into the RF domain
• 802.11n Replacement (new 802.11n access points replace existing 802.11a/g access points)
  – Reuse existing cabling and PoE infrastructure with the AP-120 series
  – Point substitution for speed-spots or network-wide substitution
• 802.11n Greenfield (802.11n access points only)
  – No site surveys needed
  – RF planning tool provides estimates of AP placement
  – ARM does fine tuning
Network Design: Wired Backhaul
• 802.11n dual-radio AP capable of >600 Mbps peak traffic
  – Recommend Gigabit Ethernet for future proofing
  – Cat5e or Cat6 cabling
  – Current aggregated traffic from the APs is unlikely to saturate even a 100 Mbps link
• PoE
  – 802.3af (new edge switches or power injectors)
AP 124/5 PoE Profiles
• Aruba's differentiation: dual radios, 3x3 or 2x3 MIMO on 802.3af
• Some initial results:
  – Profile 1: >48.5 V, <350 mA, 16 W max power consumption (802.3at, some high-end 802.3af); 3x3 MIMO; both GigE ports
  – Profile 2: 45.1 to 48.5 V, <350 mA, 15 W max power consumption (most high-voltage 802.3af); 3x3 MIMO; one GigE port
  – Profile 3: 37 to 45.1 V, <350 mA, 13.5 W max power consumption (most 802.3af); 2x3 MIMO; one GigE port
Get Ready With Aruba
• New family of high-performance MIMO access points
  – Evolution to higher speeds with 802.11a/b/g/'draft-n' support
  – MIMO capabilities improve reliability and performance
  – Powered from existing PoE switches, lowering migration costs
  – Built-in TPM module stores encryption keys in a secure vault
• New family of hardware-based multiservice mobility controllers
  – Up to 80 Gbps capacity per controller
  – Only controller capable of scaling to large-scale 11n networks
  – Centralized WLAN architecture makes integration easy
  – Controller clustering enables large-scale deployments
AP 120 802.11n MIMO Access Point Family: Small Size, High Performance, Field Upgradeable
(Callout diagram)
• Multi-Function Radio Device
  – 802.11a/b/g/n Air Monitor
  – 802.11a/b/g/n WLAN AP
  – High-performance Wi-Fi for branch office AP, power users, indoor bridging applications
• MIMO Antenna Technology
  – Integral, dual-band, high-gain, omni-directional
  – 3x3 MIMO for maximum performance
  – Adjustable for optimal RF performance when deployed on wall or ceiling
• Small Form Factor
  – Discreet industrial design; blends into the environment
  – Suitable for desktop installation; indoor use
• Enterprise Class
  – High-performance MIPS CPU
  – HW-accelerated crypto
  – TPM security module
• Modular Mounting System
  – Wall, ceiling, tile rail, desktop
  – Reusable with AP-65 mounts
  – Fully modular, tool-less design
• Dual Multi-Function, High-Performance 802.11n Radios
  – 600 Mbps performance
  – 802.11a/n + b/g/n
  – Increased range & performance; multi-function
• RJ-45 console interface
• Visual status LEDs: power, Gigabit Ethernet link/activity, radio on/off
• Dual Gigabit Ethernet Interfaces
  – 100/1000Base-T RJ-45 (auto-sensing)
  – Supports 802.3af, 802.3at or PoE+
  – Intelligent power management
  – Redundancy for high-availability operation
  – Gigabit Secure-Jack
• 5 VDC power interface
• Certifications: global regulatory, UL2043 plenum rated, Wi-Fi Certified
Aruba Multi-Service Mobility Module Mark I (M3)
• Capacity
  – Up to 512 campus-connected APs
  – Up to 2048 Remote APs
  – 8,192 users
• Performance
  – Up to 8 Gbps crypto performance (3DES)
  – Up to 4 Gbps crypto performance (AES-CCM)
  – Up to 10 Gbps wired non-encrypted throughput (full-duplex)
• Interfaces
  – 10x 1000Base-X (SFP)
  – 2x 10GBase-X (XFP)
  – 1x 10/100Base-T management port (RJ-45)
  – 1x serial console port (RJ-45)
• Programmable Architecture
  – Aruba Mobility Processing: multi-core, multi-threaded network processor
  – Dedicated crypto cores
Controllers Handle High-Speed 802.11n Packets
(Diagram: the Aruba Mobility Processor, a multi-core network processor with 8 CP (control plane) threads, 24 DP (data plane) threads and 4 crypto cores, attached to a non-blocking switch fabric by two 20 Gbps links)
• Software-based services: ArubaOS control plane, ArubaOS data plane, centralized crypto; 8 CP and 24 DP threads; 4 crypto cores
  – Performance: 3 million PPS, 20 Gbps clear-text
• Hardware-based services: policy enforcement; stateful firewall, NAT; IP forwarding, bridging; data plane acceleration
  – Performance: 15 million PPS, 20 Gbps clear-text
• Connectivity options: 2 XFP ports for 10GE connectivity (2x 10GE external ports); 10 SFP ports for GE connectivity (10x 1GE external ports)
The Real-World Advantages Of ARM With 802.11n: Airtime Fairness, Balanced Client Performance
(Per-client throughput chart)
Throughput Summary
• Aruba: >100 Mbps for all clients, >150 Mbps for MacBook Pro
• Cisco: <100 Mbps for all clients
• Meru: <100 Mbps for most clients, ≈0 Mbps with Broadcom clients
Thank You... Any Questions?
Questions & Answers
Next Meeting April 4th, 2008!
Fortinet and Tripp Lite Presenting
And as always, a FREE Lunch!!