Presentation on theme: "© 2011 Aerohive Networks CONFIDENTIAL Troy Roberts 2012 THE NEW WI-FI PARADIGM – PREPARING YOUR NETWORK FOR THE MOBILE DEVICE AND APPLICATION EXPLOSION."— Presentation transcript:


2 Agenda
Addressing the new Wi-Fi paradigm
  » Wi-Fi as the primary access layer
  » Wi-Fi client explosion
  » Consumer grade Wi-Fi devices are flooding the enterprise
Architecting a Robust and Resilient WLAN
  » An architecture for 802.11n, 802.11ac, and beyond
  » Catering to consumer grade devices
  » Considerations for high density and high performing WLANs
BYOD – Bring your own device
  » Access, Control, Resources
  » Device Fingerprinting and Policy Enforcement
  » Device Fingerprinting and contextual awareness
The Complete Package
  » Bonjour Challenges – AirPrint and AirPlay
  » Security and Threat Assessment
  » The remote experience

3 Wi-Fi Client Explosion
Wi-Fi primary access layer requirements
3x device explosion management burden
BYOD and Corp iPad deployments
Issues with low powered Wi-Fi devices

4 The new Wi-Fi paradigm
Wi-Fi as the primary access layer
  Majority of network devices will not have an Ethernet port
  › Faster clients, more demanding applications require faster, more deterministic, reliable, and affordable Wi-Fi infrastructure
Wi-Fi client explosion
  3-4x increase in number of devices
  As IT staff are typically not RF experts, Wi-Fi can be more difficult/expensive to manage
  › IT headcount will not increase to compensate and Wi-Fi needs to be easier to use, deploy, and support
Consumer Wi-Fi devices are flooding the enterprise
  IT has to manage employee/exec desire to BYOD
  Virtual Desktop Infrastructure (VDI) enables inexpensive consumer devices to run enterprise apps
  Consumer device Wi-Fi performance characteristics differ from enterprise devices
  › Wi-Fi infrastructure must compensate and harness

5 The role of architecture in High Performance Wi-Fi
A new architecture
  » Architectural advantage to controller-less
  » Reliability, redundancy and fault tolerance
  » Infinite scalability
  » Purpose built for 802.11n, 802.11ac, and beyond
  » Catering to consumer grade devices
Leveraging the cloud
  » Benefits of cloud-enabled approach
  » Addressing enterprise issues with cloud-enabled networks

6 Introduction to Aerohive
Networking pioneer with a history of innovation
› Aerohive’s award-winning solutions eliminate complexity, cost, and single points of failure with:
  » Controller-less, distributed intelligence Wi-Fi
  » Public or private cloud-enabled networking
  » Branch office / Teleworker routing and VPN
› Delivering mission critical reliability, granular security, simple management and the ability to start small and expand without limitations
[Diagram labels: Branch & Teleworker Routers*; Enterprise Wi-Fi; Cloud Services Platform: Public, Partner, Private (on-premise); * 2H 2011; Visionary, Gartner Magic Quadrant 2011; Wireless Security]

7 Controller-less Wi-Fi Architecture: Delivering simplicity, reliability and affordability
[Diagram labels: or WAN Tunnel; Management; Control; Data]
Policy-based configuration
Complete monitoring, debug
Multi-admin, multi-entity
Cloud-based, or on premise
Not required for ongoing operation
No bottlenecks, no single point of failure
Autodiscovery & configuration
Seamless secure roaming, Dynamic RF, RRM, SLA
Per user QoS, security

8 Infrastructure that compensates for Consumer Devices
Consumer Devices
  Battery powered
  › Low power
  Consumer radios
  › Varying quality
  High expectations
New 802.11n APs
  High performance
  › 3x3: 3 Stream - 450Mbps
  Custom-designed radios
  › High-power radios
  › High Rx sensitivity
  Better coverage, higher data rates, fewer errors
Wi-Fi infrastructure has to compensate for consumer devices
[Pictured: HiveAP 330, HiveAP 350, HiveAP 170]

9 Why use High Powered Radios to aid Mobility?
Given that FCC and CE requirements limit power output, why bother with a high-power radio?
While this is mostly true, high-powered radios give other benefits
› A high-power radio operating at the same power as a regular-power radio will deliver a lower error rate (lower EVM)
[Diagram labels: Regular Power Radio; High Power Radio; Lower Error Rates]
Audio Analogy
  10W amp outputting 10W: amplifier set to 10 = DISTORTION
  100W amp outputting 10W: amplifier set to 1 = MUSIC

10 Client Health Score at a glance…understanding a client’s health.
Automatic Optimization and Remediation
Automatically Remediate Client & Network Issues
Move Clients
› Band steer or load balance clients triggered by low client health score
Airtime Boost
› Boosts clients’ airtime if unable to hit performance target
[Screenshot labels: Visibility and Control; Detail]

11 A Cloud Services Platform – Redefining Ease of Management
HiveManager Online
› Scalable multi-tenant cloud services platform
  » Ease of bring up – time to value
  » Zero touch device provisioning
  » Flexible expansion
  » Management from anywhere
  » Improved supportability
  » Reduced costs: backup, power, cooling, rack space
  » On demand upgrades
[Diagram labels: Topology; Reporting; Heat Maps; SLA Compliance; RF Survey & Planner; WAN; Aerohive Cloud Services; Customer 2 HQ / Campus / Hospital; Customer 1 Branch 1; Customer 1 Branch 2; Partner Admin; Configuration and Reporting]

12 BYOD – Bring your own device
Managing different devices with different needs
  » Determining my BYOD Strategy
  » Device Fingerprinting and contextual awareness
  » Access Control and applying the right policy

13 Device Ownership and Management
What is the difference between these iPads? Almost Everything
Company-Owned
  Consumer devices qualified, bought and deployed by IT (Consumerization of IT)
  Replace legacy devices
  Lower HW costs
  Flexible, powerful
  Enable new working models
BYOD
  Enable employees to bring their device of choice
  Not owned or controlled by IT
  Wide range of devices
  Driven by employee satisfaction and shifting of CapEx spend
Embrace
  MDM Agents on Devices
  More App Flexibility
Contain
  Network-based MDM
  Secure Apps Only (e.g. VDI, Citrix)

14 Limited Access Zone: The Third “Network”
[Diagram labels: Limited Access Zone; Corporate Network; Guest Network; Managed Device; Credentials]

15 Policy based on Context: Identity, Device, Location, Time of Day
[Diagram labels: RADIUS, PPSK, CWP; L2-4 Firewall; OS Detection; Corp user; Corp user - BYOD; Guest user]
CORP Policy: Corp VLAN; LAN & Web FW; 10Mbps per user; 24HR Access
BYOD Policy: Restricted VLAN; Email & Web FW; 5Mbps per user; M-F 8am-9pm
GUEST Policy: DMZ; Web Only FW; 1Mbps per user; M-F 9am-5pm

16 Device Fingerprinting and Policy Application
Secure Guest Access
  Guest self-registration via CWP
  Assigned unique Private-PSK
Personal Device Access
  CWP can also authenticate users to AD
  Device can be determined by various means
  Specific personal MIDs policy can be applied
  Does not require certificates, leverages PPSK
  Can be set to work with only one device
Corp Device Access
  Self-registration with AD, or preconfigured 802.1X, or assigned unique Private-PSK
  Device can be determined by various means
  Policy applied based on role or identity, limiting access and applying QoS
  › VDI protocols can be prioritized
[Diagram labels: Internet; Corp; HR; email; VDI; Active Directory; SaaS; Guest; Secure Guest (SSID); Access (SSID); Corp (SSID); Captive Web Portal: User Agent Safari iOS4, iPhone 4]
[Device labels: Corp Laptop (full access), Private PSK; Personal iPhone, encrypted with a unique revocable key, corporate access to email only and internet; Corp iPad (business APPs only), Private PSK or 802.1X, corporate access to business APPs only]

17 Solution Scenarios: Network & Profile-Based MDM Solutions
Contain (BYOD): Network-based MDM
  Enrollment - CWP, PPSK - AD integration
  Access Control - Device/OS Type - Domain Membership
  Policy Enforcement - QoS, Security - Apps (e.g., VDI only)
  [Diagram labels: www; Corp; Access; Isolate]
Embrace (Corporate-Deployed): Profile-based MDM
  Device Management
  App/SW Installs & Updates
  Policy Enforcement and Compliance
  eBook distribution
  [Diagram labels: www; Corp; MDM; Quarantine; Enroll; Force MDM profile install]

18 THE COMPLETE PACKAGE
Apple Devices
  » Managing Bonjour
Extending The Enterprise
  » Mobile Hotspots
  » Teleworker
  » Small Branch office
Security and Threat Assessment
  » Rogue Detection
  » Mitigation
Bringing it all together

19 Bonjour Gateway – Aerohive & Non Aerohive Networks
Multi-Vendor – Works in both Aerohive and Non-Aerohive networks
Plug and Play – No requirement for VLAN and Multicast gymnastics
Flexible – Supports bi-directional service advertisements
Efficient – No tunneling, only sends changes in service, with option to filter
Secure and Scalable – Preserves enterprise security & data forwarding methodology
Available for beta Q2; shipping mid year
[Diagram labels: Router / L3 Switch; SSID “Subnet #1”; SSID “Subnet #2”; iPad can AirPrint or AirPlay; iPad can print and project via AirPrint & AirPlay; Server: (file sharing etc); Printer (AirPrint); AppleTV (AirPlay); Bonjour GW Feature ON “with filters”; Optionally attach to both subnets for non Aerohive; Share Services List]

20 Work is something you do, not somewhere you go!

21 Consistent Policy, Security, and Permissions
[Diagram labels: Internet; Corp]
@ Home: Home Printer, Work Laptop, Personal iPhone
@ Corporate: Personal iPhone, Work Laptop, Guest Laptop
@ Branch: Corp VoIP Phone, Work Laptop, Personal iPhone, Guest Laptop

22 Aerohive Branch on Demand™

23 Deployment Scenarios – Teleworker; Deployment Scenarios – Small Branch
[Diagram labels: Internet; HiveManager Online; HQ WAN/VPN Gateway; Cloud VPN Gateway (VPN Concentration); Cloud Service Platform; Corporate Access via VPN & Internet via Cloud Security; Home Network - Internet Access Only; 3G/4G Primary/Backup; Corporate Access; Guest Access]

24 The Complete Mobility Solution
[Diagram labels: Branch Office / Teleworker Solution; VPN; Mobile Applications; Retail / Point of Sale; Guest Access / BYOD / Fingerprinting; Access control and Policy; Indoor / Outdoor / Mesh; Stadiums / Theatres / Lecture Hall; High Density Solutions; Security / WIPS / Location Tracking; I-device, AppleTV, Projector, Printer; Bonjour Gateway; Cloud Services Platform (Management); 3G / 4G]

25 Reducing Capex and Opex costs
Less Infrastructure Cost
› Wi-Fi access reduces cabling
  » Integrated Mesh, RADIUS, AD integration and QoS also reduce costs
› Controller-less architecture + Cloud
  » Reduced H/W, sparing & energy costs
› Cloud Mgmt moves Capex to Opex
Start Small & Expand
› Cloud Wi-Fi Mgmt per AP service
› No over provisioning
› No feature licenses
› Linear cost growth curve – add APs
Easy to Use Management
› Easy to use, cloud-enabled, policy-based mgmt simplifies deployments
› Vertical specific apps
  » StudentManager/TeacherView
[Chart labels: Aerohive; Cisco; Cost Comparisons]

26 THANK YOU!

27 Use of Discrete Components: Better Quality Signal, Fewer APs, Balanced Links
Using discrete radio components
High-powered radios are discrete components, affording the opportunity to improve receive sensitivity by also using better receive components (e.g. Low-Noise Amp (LNA))
Superior receive sensitivity can improve upstream performance, especially of low-power consumer devices, balancing the AP/client link
[Diagram labels: AP Tx / AP Rx; Marginal Performance; Increase AP Density/Reduce Power; Increase AP Receive Sensitivity]

28 The Value of Sensitivity
The extra 5 dB sensitivity beyond a standard AP can even out coverage for various client types
Better 5 GHz coverage enables 2.4 GHz to be preserved for single band devices
[Diagram labels: 20 dB; 2.4 GHz; 8 -10 dB; 15 -17 dB; 10 – 15 dB; HiveAP 320; HiveAP 330; 5 dB; 5 GHz; 2.4 GHz]

29 Enhanced Visibility and Control

30 How Aerohive automates client self healing
Move Clients
› Encourage clients to move to different radio (band steer) or a different AP (load balance)
› Triggered by low client health score
Enhanced Airtime Boost
› Boosts clients’ airtime if unable to hit performance target
› Enhancement – only does this for healthy clients based on Client Health Score

31 Rogue Mitigation and WIPS
Rogue Detection
› Supports 802.11 a/b/g & 802.11n
› Detect both rogue & ad hoc PCs
› Detect “On-Network” Rogue
› Confirm compliant BSSID, SSID, WMM
› Generate reports on rogue activity
Rogue Mitigation
› Mitigate rogue APs and clients connected to rogue APs
IP & MAC DoS Detection
› Detect RF 802.11 Management Layer attacks (i.e. probes & association floods etc.)
› Detect wireless authentication attacks
› Detect IP DoS (i.e. port scan, flood & TCP SYN check etc.)
› Mitigate attacks at the RF layer and “BAN” client for determined period of time
HiveAPs periodically scan all channels (HiveAPs coordinate scans & do not impact VoIP or data apps)
[Diagram labels: “On-Network” Rogue; Trusted Client Launching IP DoS attack]

32 Principles of Dynamic Airtime Scheduling
With Contention, Fast Clients Wait for Airtime and Perform Like the Slowest Client
Speed of the network is subject to the slowest client
Dynamic Airtime Scheduling Allows Fast Clients to Transmit more Packets, Finish Quickly and Free Up the Air for the Slow Clients
Faster clients dramatically improve their performance without impacting slower clients
10x faster
[Diagram labels: Time; 2 Fast Clients; 1 Slow Client, 1 Fast Client; Throughput; Fast Client; Slow Client]

33 Dynamic Airtime Scheduling: How it works
Measures actual airtime for each packet - faster clients consume less airtime
Measures retries as well
If the clients have equal weight, they get equal access to airtime – faster clients get to send more often
Additional weight can be applied by User Policy
[Diagram labels: Fast 802.11n Client (135 Mbps); 802.11g Client (48 Mbps); Distant or Legacy Client (5.5 Mbps); 90 µs; 253 µs; 2208 µs; 650 µs; RF Medium; Feedback; HiveOS Microsecond Air Interface]
› Distributed control plane puts control and data intelligence in the same place as the radio
  – Enables near instantaneous reaction to client behavior
› Requires intelligence in the AP, not milliseconds away

34 Dynamic Airtime Scheduling: How it works
Aerohive QoS Engine Scheduler: schedules traffic (based on airtime allocation & airtime consumed) into the Wireless Multi-Media hardware queues
Equal Airtime Allocation
Client C has used up its share of airtime
Client B has used up its share of airtime
Faster clients are able to send more often, achieving higher throughput
[Diagram labels: Client A (135 Mbps); Client B (48 Mbps); Client C (5.5 Mbps); Web Server; Time; 6 Frames; 3 Frames; 2 Frames]
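
The equal-airtime idea on the two "How it works" slides, as an added example that is not from the presentation and is not Aerohive's HiveOS scheduler: it compares clients taking turns one frame at a time with a scheduler that always serves the client with the least weighted airtime consumed. The 1500-byte frame size, the absence of PHY/MAC overhead and retries, and all function names are assumptions; only the three client rates come from the slides.

```python
# Added illustration: airtime-fair vs. frame-by-frame scheduling.
# Assumptions (not from the slides): 1500-byte frames, no PHY/MAC
# overhead, no retries; all names here are hypothetical.
FRAME_BITS = 1500 * 8
RATES_MBPS = {"A": 135.0, "B": 48.0, "C": 5.5}  # client rates from the slides


def frame_airtime_us(rate_mbps):
    """Airtime of one frame in microseconds (bits / Mbit/s = µs)."""
    return FRAME_BITS / rate_mbps


def per_frame_turns(rates, frames_each):
    """Baseline: backlogged clients take turns, one frame per turn.
    Returns {client: completion time in µs}."""
    remaining = {c: frames_each for c in rates}
    clock, done = 0.0, {}
    while remaining:
        for c in list(remaining):
            clock += frame_airtime_us(rates[c])
            remaining[c] -= 1
            if remaining[c] == 0:
                done[c] = clock
                del remaining[c]
    return done


def airtime_fair(rates, frames_each, weights=None):
    """Serve the backlogged client with the least weighted airtime used,
    so equal weights yield equal airtime rather than equal frame counts."""
    weights = weights or {c: 1.0 for c in rates}
    remaining = {c: frames_each for c in rates}
    used = {c: 0.0 for c in rates}
    clock, done = 0.0, {}
    while remaining:
        c = min(remaining, key=lambda k: (used[k] / weights[k], k))
        t = frame_airtime_us(rates[c])
        clock += t
        used[c] += t
        remaining[c] -= 1
        if remaining[c] == 0:
            done[c] = clock
            del remaining[c]
    return done


if __name__ == "__main__":
    for name, fn in (("per-frame turns", per_frame_turns), ("airtime-fair", airtime_fair)):
        result = fn(RATES_MBPS, 1000)
        print(name, {c: round(t / 1000, 1) for c, t in sorted(result.items())}, "ms")
```

Under these assumptions the fast client finishes its 1000 frames several times sooner with airtime fairness, while the slow client finishes at the same moment in both runs, because the total airtime to be served does not change.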

35 Veriwave WiMix TCP Downlink Test: Mixed 802.11a & 802.11n – 20,000 Frames
6 x .11a/n clients - n@270M, n@108M, n@54M, a@54M, a@12M, a@6M
Without Dynamic Airtime Scheduling
  n@270M, n@108M, n@54M, a@54M, a@12M, n@6M ~ 100 Seconds
With Dynamic Airtime Scheduling
  n@270M - 10sec ~ 10x performance improvement
  n@108M - 15sec ~ 6x performance improvement
  n@54M - 30sec ~ 3x performance improvement
  a@54M - 35sec ~ 2.5x improvement
  a@12M - 65sec ~ 1.5x improvement
  a@6M
[Plot axes: Goodput Kbps vs. Time (s); second plot label: Upstream IxChariot]

36 Scalable Wireless Mesh
Inherent wireless mesh eases the deployment of wireless APs in hard to wire locations
Automatic Dynamic Routing makes mesh easy to deploy and resilient
Automatic loop prevention allows more than one portal to be active at once
Voice Ready - Low latency, QoS enabled Mesh
[Diagram labels: Wireless Mesh Network; Access Switches; Distribution Switches; Wired Network; Wired Uplink; Wireless Uplink; HiveAPs; Wireless Client]

