Presentation on theme: "Securing The Network EDGE December 2010"— Presentation transcript:
1 Securing The Network EDGE December 2010
Hello and welcome to this training module. My name is Bobby Guhasarkar, and over the next 30 minutes or so, I will give you an introduction to Aruba Networks.
3 Enterprises Around the World Depend on Aruba Networks
High Tech, Internet, Finance, Media & Ent., Education, Government, Healthcare, Retail, Hospitality, Public Transit, Public Venues, Services, Oil and Gas, Manufacturing, Logistics, Telecom
6 Infrastructure for the Workforce 1990–2007
HQ Based Employees Tied to Desk
Convenience WLAN Technology
Files, Data, and Apps Are Stored on Local Servers
7 But, Everything Is Changing 2007 and Beyond
Then: HQ Based Employees Tied to Desk; Convenience WLAN Technology; Files, Data, and Apps Are Stored on Local Servers
Now: Branch Office, Remote Office, Home Office, Mobile
Workforce is mobile
Laptops + Smartphones Are the Computing and Communications Devices
Files, Data, and Apps Are Stored in Private and Public Clouds
High Performance WLAN Technology
8 Mobile Devices are Everywhere
Laptops/Tablets: 22% growth in Q2,2010
43.4% of Enterprise workers use WLANs today, growing to 58% by 2014
37% growth in Q2,2010
3.2M iPads in 80 days
8.4M iPhones
60% of Fortune 500
400 Higher Ed institutions
Smartphones: 2.7M Smartphones in Q2,10
12.1M BlackBerries in Q2,10
Device vendors: Acer, Apple, BlackBerry, HTC, LG, Motorola, Nokia, Samsung
Speaker notes: $484M total WLAN market, highest ever. 840K access points. 47% of units are 11n, 64% of revenue. Cisco’s 47% is 11n, Moto’s is 30% 11n, Aruba’s 80% is 11n. No wonder Cisco’s customers are complaining about performance! Number of APs per controller going up for every vendor except Moto. Compare 11n revenue numbers: Cisco makes $265M total, $30M of autonomous APs.
9 How do you define what is the enterprise security boundary?

RF Performance
11g to 11n: 54Mbps to 150Mbps on a 20MHz channel; with channel bonding, 300Mbps on a 40MHz channel. After overhead, goodput on a 40MHz channel between an 11n client and an 11n AP would be 180Mbps. 30 clients per AP results in 6Mbps each. Bandwidth is the most valuable asset in WLANs – one needs to maximize it (ARM), guarantee its availability for all clients (ARM 2.0), and ensure that it is protected (ARM + Spectrum). 18 clients are load balanced across the 2.4GHz and 5GHz bands (6 + 12) with band balancing; 5GHz clients are load balanced across the available 40MHz channels and 2.4GHz clients across the available 20MHz channels with spectrum load balancing; and individual clients are given a share of the WLAN medium per radio with air-time fairness. Voice and video require Application Layer Gateway functionality built in to the products – without it voice/video quality will suffer.

Secure Mobility
The port/VLAN/ACL relationship, tied to the routing table, used to work great for wired 100Mbps/1Gbps links: full duplex, predictable link speed, and static mapping of configuration, at the expense of mobility. But we want to go mobile with Wi-Fi. So what’s the solution? The port has disappeared – instead, end user devices need to connect to a Wi-Fi access point that is also supporting other Wi-Fi devices on the same radio. Keeping track of the VLAN to enforce policy everywhere a user shows up is no longer scalable. User Groups are the solution. 802.1X already integrates with the existing AAA infrastructure to authenticate end users and their devices and return user group information. Aruba maps these user groups to individual roles – roles carry end user policies instead of VLANs. VLANs and IP routing are still used for transport, but they have no say in policy enforcement for mobile users across the enterprise, whether they are in a building on the campus, at home or at one of the branch offices.
Their policies are virtualized and appear wherever they connect to the Aruba network – since users are no longer static but mobile, their policies are virtualized and enforcement is mobile. Each of the policy rules incorporates knowledge of mixed mode devices. A mobile device is a multi-capable device: Aruba will apply individual QoS rules to different applications running on the same device. No other infrastructure can enable this.

Network Management
AirWave’s differentiation comes from its capability to enable user based network monitoring and reporting. All information presented to the administrator is prepared to create visibility into the WLAN clients and their health. Network security reporting for policy compliance, client tracking for location based services or for network troubleshooting, multi-vendor WLAN management, multi-vendor edge switch management, mobile device management, and live RF visualization supported by RF planning are all integrated into AirWave – reducing total cost of ownership on the capital expense side and resulting in significant operational savings.
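The Secure Mobility argument above (AAA returns user groups, groups map to roles, roles carry the policy, so enforcement follows the user rather than the VLAN) as an added Python illustration; this is not Aruba code, and every user, group, role, network and rule in it is a constructed sample:

```python
"""User-centric (role-based) vs port-centric (VLAN-based) enforcement.
Added illustration only; all data below is constructed sample data."""
import ipaddress

# Constructed: the groups the AAA server returns per authenticated identity.
AAA_GROUPS = {"alice": ["finance-staff"], "bob": ["contractor"]}

# Constructed: user group -> role, and role -> ordered allow/deny rules
# (action, destination network or "any", destination port or None = any).
GROUP_TO_ROLE = {"finance-staff": "finance", "contractor": "contractor"}
ROLE_POLICY = {
    "finance": [("allow", "10.1.0.0/16", 443), ("allow", "any", 53),
                ("deny", "any", None)],
    "contractor": [("allow", "10.2.0.0/16", 443), ("deny", "any", None)],
    "guest": [("deny", "any", None)],  # unknown or unauthenticated users
}

# Constructed: port-centric design, where the ACL hangs off the VLAN the
# client lands on rather than off the user; the home VLAN enforces nothing.
VLAN_ACL = {
    "campus-vlan10": [("allow", "10.1.0.0/16", 443), ("deny", "any", None)],
    "home-vlan1": [("allow", "any", None)],
}


def _matches(rule, dst, port):
    _action, net, rport = rule
    if net != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(net):
        return False
    return rport is None or rport == port


def decide(rules, dst, port):
    """First matching rule wins; no match means implicit deny."""
    for rule in rules:
        if _matches(rule, dst, port):
            return rule[0]
    return "deny"


def role_for(user):
    """Map the AAA group list to a role; fall back to the restrictive guest role."""
    for group in AAA_GROUPS.get(user, []):
        if group in GROUP_TO_ROLE:
            return GROUP_TO_ROLE[group]
    return "guest"


def user_centric(user, dst, port):
    # The decision depends only on who the user is, so it is identical at the
    # campus, a branch or home; VLAN and routing are transport only.
    return decide(ROLE_POLICY[role_for(user)], dst, port)


def port_centric(vlan, dst, port):
    # The decision depends only on which VLAN the client happened to join.
    return decide(VLAN_ACL.get(vlan, [("deny", "any", None)]), dst, port)
```

Running the two models side by side shows the gap the slide describes: the finance user keeps the same rights from home under the role model, while the VLAN model either loses the policy at home or grants the contractor finance access on the campus VLAN.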
10 Wired Network Security Questions
On your wired network...
Do you authenticate all users and devices?
Do you encrypt all traffic?
Do you control access to network resources based on user identity?
Wireless lets you do all of this – by design
11 Port-Centric Networks Prohibit Mobility
Who and where: Hackers, Visitors, Consultants, Employees; Branch, Partner Site, Hotel, Home
Port-Centric Network Design
Optimized for a fixed, deskbound workplace
Cannot follow mobile users and applications
12 User-Centric Networks Enable Mobility
Diagram: Role-Based Access Control via AAA FastConnect (RADIUS, LDAP, AD) versus SSID-Based Access Control
Access Rights by role: Staff, Executive, Finance, Corporate Services, Contractors, Legal, HR, Voice, Video
Virtual AP 1, SSID: Corp
Virtual AP 2, SSID: GUEST, Guest Captive Portal, Secure Tunnel To DMZ, Guest DMZ
13 Military-Grade WLAN Security
Data Privacy: TPM on the AP, Centralized Encryption on the Mobility Controller (TPM: Trusted Platform Module)
Network Protection: Attack prevention with ICSA certified stateful firewall
Access Control: Stateful authentication and policy enforcement per user
Intrusion Prevention: Integrated protection against advanced wireless attacks; no special AP hardware or management appliance required
Identify the user, validate the device, classify the traffic, control access per user
14 Full Spectrum Visibility
Cost Effective: Integrated into the Wi-Fi chipset in all Aruba 11n APs; does not require a specialized AP or external laptop for monitoring
Always On: No specialized chip in the AP; no need to spare scanning time
Record and Playback on Demand
Detailed Charts: 14 simultaneous views within the Aruba Mobility Controller; no need for an external laptop
15 User-Centric Network Management
Scales to 100,000 Devices
Supports multi-generation, multi-vendor products
Customer Examples: Reduced time to resolution by 75% across a multi-vendor environment.
Simple Enough for Anyone: Designed for use by any member of the IT organization
User based management – fast troubleshooting time – user tracking across multiple technologies based on authentication name
Integrates with leading enterprise management systems such as HP OpenView, IBM Tivoli, BMC Remedy, CA Spectrum, and EMC SMARTS.
Manage more Cisco access points than Cisco can
Map management to 'multi-vendor, lifecycle, operations mgmt, network availability, inventory management'
Largest WLANs managed by AirWave: Motorola’s, Cisco’s, HP’s, Meru’s

Speaker notes: You need to be able to delegate responsibility across the IT organization — letting the service desk troubleshoot routine issues so that network engineering staff can work on the most difficult and important problems. And that’s what AirWave 7 is all about. The service desk gets intuitive charts and tables they can use to triage user problems, while desktop support, network engineering, and security have one place they can go to access diagnostic information and alerts. Executive Management can even access the system to view network health and other management reports. With visibility into wired and wireless infrastructure as well as client devices, AirWave 7 enables you to perform comprehensive root-cause analysis and get to answers.
Redundancy integrated
Centralized operations management
Configuration of wired and wireless devices
Firmware distribution
Automated compliance

AirWave VisualRF gives you an accurate view of your entire network without ever leaving your desk. It automatically generates a map of your RF environment and the underlying wired topology, showing you what your network looks like — in real time. VisualRF builds this map using RF measurements gathered from your active wireless access points and controllers, without requiring you to buy a costly, separate location appliance.

Key points to make:
Simple setup process that doesn’t require site surveys or additional dedicated sensors, exciters, or location servers
Supports the full network lifecycle, from planning, to installation, to troubleshooting
Free, stand-alone planning tool delivers identical planning capabilities in an online or offline environment
Combination of methods to provide the most accurate information: dynamic RF sampling and a predictive model based on site and infrastructure characteristics for areas where RF sampling isn’t available
Generally achieves resolution below 10 meters without additional tuning activities
Real-time location tracking for users and devices
Open API provides a cost-effective way to supply location data to a variety of location-based business applications
Offline planning applications for pre-deployment planning
Can be run in the cloud
Storage of user and device statistics for up to 2 years
Grouping of different sets of devices into “folders”
Real-time per-SSID usage statistics and reporting
Automated reporting with , HTML, XML
Customized reporting of network usage and stats
Memory, CPU, port, device reports across the WLAN
Virtualized network management of different functions and hardware with role based administrator access
Centralized management of more than 100K APs
Multiple Aruba master controller domain management
Scheduled firmware upgrades for the WLAN
Archive prior configurations
Automated historical reporting for security compliance
Automated configuration policy auditing of WLAN infrastructure supported with alerts and triggers
Rogue AP switch port identification and wired network rogue AP scans where WLAN is not present
Policy and rule based wireless intrusion detection
More efficient division of tasks between engineering, installation, field services.
User Level Visibility: purpose built to manage mobile environments; resolves most problems without dispatching a technician.
16 Aruba’s Purpose Built Secure Mobility Solution
Head Office, Branch Office, Home Office, Mobile Employee
Unified Network Management
Centralized Controllers
One Network: Multiple users, Multiple devices, Multiple policies