BlueSocket - Untethered Education


Untethered Education:
Securing and Managing WLANs on Campus
CUMREC May 2004
Rohit Mehra
Director of Product Marketing
[email protected]
© 2003 Bluesocket, Inc. contents provided under NDA only
Proprietary and Confidential.
Secure Mobility™
Market Dynamics – Wireless LANs

• WLANs have hit mainstream: shipments doubled in 2003 vs. 2002.
  – Intel’s Centrino effect
  – Wide range of new mobile devices
  – Generation “M”: laptops are now requisite equipment for today’s college student
• Demand for security and management products and services is increasing significantly
• Faster APs and larger deployments require high-performance WLAN infrastructure
• Universities seek simple yet comprehensive solutions to bring security, simplicity, mobility, compatibility and interoperability to WLAN deployments
Bluesocket Products Manage and Secure WLANs
For Hundreds of Customers Worldwide…
Over 250 University Campuses
Singapore Polytechnic
Key Issues in WLAN Deployments

Security
• Wireless does not respect walls
• Default setting is for no security
• Standard security is sub-standard

Mobility
• Handover between Access Points
• Roaming across IP subnets?
• Security does not roam with the user
• Support for Voice and Data

Management
• Who is on my network?
• Quality of Service
• No centralized management
• Access Point dependent
• No logging or alerts
Students, Faculty, Staff Love Wireless

• Anywhere, anytime education
• Wireless fosters collaboration, creativity and information exchange
• Universities want a consistent access methodology: dorm to library to classroom
• Students expect and demand wireless access
• Users drive deployment… whether you like it or not!
Why College Network Admins Like WLANs

• No “retrofit networking”, no renovation to buildings or pulling cables
• Easy install into older (often historic) buildings
  – Average university building in the US is 45 yrs old
• Enables access where wires can’t go (common areas, the Quad)
• “The computer lab” now can be wherever you want it to be
• Wireless is easy to install and maintain, lowers Total Cost of Ownership
• Wireless is cost effective
  – Buena Vista University example: wiring 41 classrooms cost $5000/room; wireless access just $1000 per room
• Wireless saves money and increases productivity
  – Harvard’s eDocs program saved $150K in paper costs in Year-1
And what keeps IT Admins awake at night?

• Students are notorious for “experimenting”
  – Sensitive research resources also tempting
  – Spoofing servers, piggybacking, DoS
  – Kazaa and other Peer-to-Peer challenges
• WLANs need to support legacy wired network deployments across the campus:
  – Apply current authentication schemas to WLANs
  – How frequently can you upgrade as new 802.11 standards are adopted? As vendors upgrade firmware?
• Need for flexibility
  – Adding (registration) or removing a student; turn access on/off (exam)
  – Students change their minds/major at any time, and frequently. Does your WLAN keep up?
• Wireless puts info into the air
  – Need for “Air Traffic Control” to secure grades, financial aid, credit cards
Security issues

It’s 9PM, do you know where your signal is?

[Image: the signal footprint emitted from a single wireless access point located in downtown Lawrence, Kansas.]
WLAN Security Threat Model

[Diagram: Wireless Link between clients and the AP on the LAN, with an Invader, an Eavesdropper, a Fake AP and a Rogue AP positioned around it]

Four Main Threats
1. Unauthorized access
2. Eavesdropping (interception of data)
3. Man in the middle attack (fake AP)
4. Back door (rogue AP)
Fixing WLAN Security: How Much Is Enough?

• What problem are we trying to solve?
  – Anywhere, anytime secure access
• What is the security architecture?
  – Authentication, Privacy, Access Control
• The need for a consistent solution
  – Interoperability is a key driver
  – Need for seamless mobility
• What are the unique characteristics?
  – Applications and deployments are driving network designs
  – Use cases break traditional fixed approaches
The Bluesocket Wireless Gateway
Secure Mobility™ for The Enterprise

[Diagram: wireless clients (802.11b, 802.11a, 802.11a/b, 802.11g, Bluetooth, ...) connect through the gateway to the wired network and to authentication servers: LDAP, Radius, NT Domain Server]
Bluesocket Wireless Gateways

Universal Authentication
• Based on username/password combinations, digital certificates, smart cards or secure token technologies, depending on security needs
• User information can reside in local or central (LDAP, RADIUS or NT Domain) databases for ease of management

Quality of Service
• Prioritization and DiffServ marking occur at the network edge
• Packet delay and jitter are minimized to improve performance of time-critical applications

Security
• Strong encryption based on PPTP, L2TP or IPSec to protect user data
• Each type of user can be assigned a maximum bandwidth to maintain CoS

Policy Enforcement
• “Role-based” management of privileges for different categories of users
• Granular support for WLAN policy enforcement based on role, user, location, time, and services

Interoperability
• Provides vendor-agnostic connectivity
• Works with Access Points from all major vendors: past, present, future
• Supports a broad range of mobile devices without requiring client software

Secure Mobility™
• Users roam seamlessly across subnets while maintaining airlink privacy

Management
• Elegant Web-based interface enables the network to be managed centrally and conveniently
Bluesocket Reduces Cost and Complexity
Single Component, Multiple Functions

• Authentication
• Encryption
• Firewall
• Mobility
• QoS / BWM
• Policy
• Interoperability
• Bandwidth Mgt
Enterprise-Class WLAN User Management Tools

• Fine-Grained User Policy Management
• “Real-Time” Monitoring and Control
Bluesocket Wireless Gateway Family
Flexibility, performance and scalability

(Chart: models positioned by Data Density, Low to High, against Performance)

Model        Price     Deployment   Users             APs              Performance
WG-5000      $24,995   Very large   Up to 1000 Users  Hundreds of APs  1 Gbps Clear / 350 Mbps 3DES
WG-2100      $12,995   Large        50-300 Users      10-50 APs        400 Mbps Clear / 150 Mbps 3DES
WG-1100      $5,995    Medium       15-100 Users      1-20 APs         100 Mbps Clear / 30 Mbps 3DES
WG-1100-SOE  $3,495    Small        1-15 Users        1-3 APs          100 Mbps Clear / 15 Mbps 3DES
WLAN Policy Enforcement on Campus

• Enforce fine-grained Policy and Bandwidth Management
  – Role-based
  – Location-based
  – Time-based
  – Services-based
  – User-based
• Examples:
  – Faculty: given HTTPS access to research databases/library
  – Administrators: e-mail and Web access with IPSec encryption
  – Students/Visitors: access to resources based on location/schedule
Importance of Policy-Based Networking for Campus WLANs

• Type of user (e.g., undergrads, grads, faculty, staff, alumni, visitors)
• Enforce encryption like IPSec, PPTP, 802.1x
• Inbound vs. outbound controls (e.g., MP3)
• Network/destination access
• Bandwidth management (ability to scale bandwidth based on users, service, etc.)
• To which server should they authenticate? (Different schools, different mechanisms)
• Network server access based on location
• Limit network access during exam period
Example of Policy Management of Services

For each service (can create from the dropdown create box), you can specify:
• Service name
• TCP, UDP, TCP/UDP, other
• Port, list of ports, or port range
• Enable QoS
• Incoming & outgoing priority and DiffServ marking
Example of Active Directory Authentication

Group mappings within the external directory are made to roles in the Bluesocket Wireless Gateway. Any attribute returned for an individual user can be used for mapping to roles.
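As an added illustration of how the service definitions (name, protocol, ports) from the services slide, the directory group-to-role mapping described here, and the role/location/time/encryption rules from the policy enforcement slides fit together, here is a small default-deny policy evaluator in Python. It is example code written for this transcript, not Bluesocket's software; the service names, group DNs, role names, destination labels and the rule set are constructed sample data.

```python
from dataclasses import dataclass

def port_set(spec):
    """Expand a slide-style port field ('443', '25,110', '6881-6889') into a set of ports."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(out)

# Services as the services slide defines them (name -> protocol, ports). Constructed sample data.
SERVICES = {"HTTPS": ("TCP", port_set("443")),
            "Mail": ("TCP", port_set("25,110,143,993,995")),
            "P2P": ("TCP/UDP", port_set("1214,6881-6889"))}
# Directory group -> gateway role, as on the Active Directory slide. Constructed sample data.
GROUP_TO_ROLE = {"CN=Faculty,DC=campus": "Faculty", "CN=Staff,DC=campus": "Admin",
                 "CN=Students,DC=campus": "Student"}

def role_for(member_of):
    """First mapped group wins; a user matching no mapping lands in the restrictive Guest role."""
    return next((GROUP_TO_ROLE[g] for g in member_of if g in GROUP_TO_ROLE), "Guest")

@dataclass(frozen=True)
class Rule:
    service: str                              # key into SERVICES
    dest: str                                 # destination label, "*" = any
    locations: frozenset = frozenset({"*"})   # client locations the rule applies to
    hours: tuple = (0, 24)                    # permitted [start, end) hour of day
    encrypted_only: bool = False              # require an IPsec/PPTP tunnel

POLICY = {  # hypothetical rule set built from the slides' examples
    "Faculty": [Rule("HTTPS", "research-db"), Rule("HTTPS", "library")],
    "Admin": [Rule("Mail", "*", encrypted_only=True), Rule("HTTPS", "*", encrypted_only=True)],
    "Student": [Rule("HTTPS", "sociology", frozenset({"library", "dorm"}), (7, 23))],
    "Guest": [Rule("HTTPS", "internet", frozenset({"conference"}), (8, 18))],
}

def is_allowed(member_of, proto, port, dest, location, hour, encrypted, exam_period=False):
    """Default-deny: a flow passes only if some rule of the user's role matches every field."""
    role = role_for(member_of)
    if exam_period and role == "Student":     # exam-period lockout from the policy slides
        return False
    for r in POLICY.get(role, []):
        sproto, sports = SERVICES[r.service]
        if (proto in sproto.split("/") and port in sports and r.dest in ("*", dest)
                and ("*" in r.locations or location in r.locations)
                and r.hours[0] <= hour < r.hours[1] and (encrypted or not r.encrypted_only)):
            return True
    return False
```

With these rules a student reaching the sociology server over HTTPS from the library passes, while the same student's request for financial aid, a P2P flow, or any flow during an exam period is denied.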
Example of Controlled Guest Access

Control what they do and when they can do it, without having to touch their machines.
Interoperability across the campus

• For all users and devices
  – Vendor Agnostic
  – Device Agnostic (Laptop, PDA, Mac, 802.11 VoIP Phone, Scanner)
  – Technology Agnostic (Not limited to Windows)
  – Protocol Agnostic (Any 802.11 radio standard)
• Proprietary client not required even for strong encryption
  – Support for IPSec, PPTP, and SSL
• Central Policy & Security Management for the entire university system, campus, satellite campuses/colleges, departments, libraries, etc.
• Ability to manage new “standards” rolling out without compromising on interoperability across devices and protocols
• Bluesocket support for standards-based XML/RPC API
  – API allows custom applications to integrate with WLAN policies
  – Examples:
    • School application automatically logs students off the WLAN during test periods
    • Professors’ scheduling application allows specific students access to online material during class
WLAN Gateways: Ensuring Interoperability
Bluesocket is an open, standards-based solution: interoperable today and tomorrow

[Diagram: Faculty (PPTP), Faculty (IPsec), Admin (802.1x) and Student (Clear) clients connect through the Bluesocket Wireless Gateway to the authentication back-ends ACS, LDAP, Radius and NT Domain]
Case Study: Universal Authentication
Harvard University

• Authenticate Users, not Devices
• Use existing back-end authentication servers where possible
  – RADIUS, LDAP, Windows 2000, NT Domain
• Web-based authentication and encryption (SSL): no client software required
• Branded and Customized Authentication Portal
Encryption and Airlink Privacy
Rutgers University

• RUWireless: serving 48,000 students/9,000 faculty on 5 New Brunswick and Piscataway campuses
• Best + worst thing about wireless: it’s open!
• IPSec provides wireless airlink privacy. All traffic is encrypted to protect student, departmental, sensitive information:
  “Without a VPN it would be possible for a hacker to view your information.”
• Non-proprietary VPN-class encryption (supporting a wide range of mobile devices and APs from Cisco, Linksys, SMC, Orinoco and Apple)
• Medical schools with links to hospitals require encryption to be HIPAA compliant
Role-Based Access Control/Authentication
University of Pittsburgh

• University of Pittsburgh’s PittNet lights up office, public (e.g. library, student commons), and classroom spaces
• 9,600 employees, 3,800 faculty members, 32,000 students, 132 acre campus
• Bluesocket directs all web traffic to a log-in page. Students, faculty and staff authenticate themselves via their University Computer Account username and password to access wireless and wired network resources
• Role-Based Access Control defines who can do what, where… even when
• Jane Smith, sophomore, can access the sociology dept. server, but not financial aid or grades
Policy Enforcement
University of Texas at Dallas

• 14,000 students
• Largest apartment complex in the North Dallas area managed off of one Bluesocket box
• Wireless across library, classrooms, student union and common areas, servicing hundreds of students simultaneously
• The WLAN’s high traffic volume requires “traffic engineering” (TE) to:
  – Defend against Kazaa using bandwidth controls (abuse of university property, copyright infringements, possible school/university liability)
  – Ensure each student has individual access controls and students don’t hog bandwidth
  – Certain applications must take priority over other wireless applications of less importance
  – Especially important when considering 300 kbps video streaming on an 8-11 Mbps line.
Interoperability:
University of Edinburgh

• 400 year old university: old buildings, large area, 3 campuses, 20 hotspots, 21,000 students
• Principal benefit of wireless at UoE: ubiquitous connectivity
• University of Edinburgh uses Bluesocket Wireless Gateways to manage all air traffic and support a legacy Cisco VPN concentrator (for secure remote access)
• Imperative: support what the university had already (Cisco infrastructure in the wired LAN) and support what it will need: easy instant wireless access for visiting conference delegates, with “Guest” privileges
Mobility:
University of Georgia’s Wireless Cloud

• UGA’s wireless campus: PAWS (Personal Access Wireless Walkup System)
• Learning how wireless will be part of the student’s world is part of the curriculum (New Media)
• Press file stories via WiFi from the UGA stadium during football games
• Wireless Athens Group: a “Gown to Town” Wireless Cloud links the university, stadium and downtown shopping district
• Virtual and physical communities connect with one another
Bluesocket in Wired Networks

• Since Bluesocket Wireless Gateways aggregate user traffic via Ethernet, they are also ideally suited for integrated wired/wireless rollouts:
  – ResNets
    • Limit student bandwidth to control costs with Internet pipes
    • Control student ability to provide files using P2P apps
  – Conference centers
    • Do you know who connected to an individual Ethernet connection?
    • Control access without additional client software
  – Libraries
    • Dynix authentication support
Bluesocket Wireless Gateways:
Proven Leadership in Education environments

• Provide Security and Management for the Campus WLAN while seamlessly integrating into existing network infrastructure
• Support Multiple Users/Roles in an integrated WLAN:
  – Students
  – Faculty
  – Admin Staff
  – Visitors and Alumni
• Need to go beyond proprietary WLAN solutions
  – Client-less support for diverse user types
  – Not limited to a single vendor’s proprietary implementation
  – Ability to roam between subnets
• Efficient policy enforcement based on user, role, location, time or VLAN
• Traffic engineering improves productivity for everyone
  – Streaming applications or large downloads by students don’t hog all the bandwidth
  – Mobility profile based on type of user
Managing Wireless Authentication and Access on Campus…

Q&A