Alcatel OmniAccess Wireless

January 2006

Enterprises Are Buying Wireless LANs
  • Goldman Sachs report identifies the top 3 IT spending priorities for 2005: Wireless LANs, Security and Mobile Computing devices
  • 27% of Enterprises will deploy Voice Over Wireless LANs by 2006 (Infonetics Research)
  • Forrester Research Inc. forecasts that 75 percent of Enterprises will be buying or evaluating wireless LANs in 2006.
  • Wireless LAN security market will reach $8.4 Billion by 2008 (source: In-Stat/MDR)
  • IDC forecasts that wireless laptops will be 95% of Mobile PC sales by 2006
  • Worldwide WiFi revenues are expected to grow from $7 billion in 2003 to over $44 billion by 2008, at a compounded annual rate of 44 percent (source: Insight Research Corporation ) 

Management

Policy

Mobility

Forwarding

Encryption

Authentication

802.11a/b/g

Antennas

Thin Access Point Architecture IETF CapWap terminology – Split MAC

Solving the Wireless “Challenge”

Centralized

WLAN Systems

“Fat”

Access Points

“Thin”

Access Points

Flexible Access Point Options

  • Dual-Radio AP: supports simultaneous 2.4GHz (b/g) and 5GHz (a) operation
  • Single-Radio APs: software configurable, 2.4GHz (b/g) or 5GHz (a)
  • AP70
    • Integrated dual-band antenna and RP-SMA connectors for external antennae.
    • Dual Ethernet ports for redundant uplinks. (PoE Load Balanced)
    • USB port for future-proof expansion.
  • OAW-AP61
    • Integrated dual-band antenna.
  • OAW-AP60
    • RP-SMA connectors for external antennae.

Product Line Up

Number of AP’s

Branch

Regional HQ

Large Branch

Medium - Large HQ

512

OAW-6000-512

(Dual Supervisor II)

256

OAW-6000-256

(Supervisor II)

128

OAW-6000-128

(Supervisor I)

Pay as you grow

Capability

OAW-4324

48

OAW-4308

OAW-6000-48

(Supervisor I)

16

OAW-4304

Performance (Clear Text/Encrypted)

4

1 Gbps /200 Mbps

2 Gbps /400 Mbps

4 Gbps/1 Gbps

4 Gbps/3.6 Gbps

8 Gbps/7.2 Gbps

OmniAccess WLAN – Network Examples

OAW-AP70

OAW-4324

OAW-4308

or

OAW-4304

OAW-AP70

OAW-6000

HEADQUARTERS

WAN

OAW-AP61

OAW-AP61

BRANCH OFFICE

OAW-AP70

OAW-AP70

OAW-4324

SMALL / HOME OFFICE

REGIONAL HEADQUARTERS


Control Traffic over PPP/L2TP/IPSec NAT-T

Data Path: 802.11/GRE/IP/IPSec NAT-T

GUEST

CORP

VOICE

  • AP Provisioning
  • “AP [email protected]” “Password”
  • AAA with RADIUS
  • Automatically “enroll” & “disable” APs via AAA
  • IKE secret encrypted on FLASH – non transferable to other APs
OmniAccess WLAN Network Advantages: Remote Access Point Security Examples

Extending Corporate WLAN Security Anywhere, Anytime

  • AP-Switch Security:
  • Diffie-Hellman Group 2 for IKE (uses Public Key Cryptography)
  • 3DES Encrypted IPSec

HQ

WLAN IN A BOX

Internet Services

GUEST

DMZ

CORP

WAN / Public Internet

Firewall/NAT

Firewall/NAT

VOICE

OmniAccess Wireless Optional Software Modules

SWITCH LEVEL OPTIONAL MODULES

  • Policy Enforcement Firewall (PEF) Module
  • VPN Server Module
  • Wireless Intrusion Protection (WIP) Module
  • Advanced AAA Module
  • Client Integrity Module (CIM)
  • External Services Interface (ESI) Module

INCREMENTAL CAPACITY BASED MODULES

  • Remote AP (RAP) Licenses
Embedded RF Spectrum Management

For Scaling to Large WLAN Systems

  • This used to be an art
  • With the Alcatel OmniAccess Wireless it all just happens
    • Auto Calibration
    • Continuous Tuning
    • Rogue AP detection, classification and location
    • Rogue AP containment (optional WIP SW module)
    • 802.11 attack signature detection (optional WIP SW module)
    • Interference Detection/Management
    • Load Balancing
    • Coverage Hole Detection
    • AP failure self-healing
    • Wiretap/Packet Capture
    • Location/Tracking
    • Automated RF Site Surveys
  • Now It’s Routine

Cafeteria

Lobby

Conference Rooms

Offices/Cubicles

Embracing Best-of-Breed Mobile Security: User Authentication and Authorization

MAC @

Radius Server

802.1x

User

User Role

Web portal

  • Stateful FW rules (SVP, SIP, Skinny FW pin holing)
  • ACLs
  • Traffic redirection
  • BW contracts
  • VLAN Membership

User

User Role

VPN

User Authentication and Authorization: Silver bullets – Configuration Guide
  • Embedded per user FW - Traffic Classification at up to Layer 7
    • Enforce application policies
      • Spectralink Voice Protocol, SIP, Cisco Skinny de-code support
      • Secures first generation handset by restricting network use to voice protocols only
    • Classify traffic by application for QoS
      • Provides QoS for voice on softphones (VoIP enabled PCs, PDA, RIM)
      • Does not require separate SSID for Voice and Data
  • Configuration Guide
    • Base SW: MAC, 802.1x authentication, dynamic VLAN assignment
    • PEF: Web authentication, full role assignment and FW support
    • VPN: VPN authentication and encryption (IPSec)
Embracing Best-of-Breed Mobile Security: Client-less Host Integrity Check

Host Integrity Check

  • Propagation of Virus/Worms facilitated by outdated systems
    • Need policy enforcement of OS version / patch level / Anti-Virus / AV signature file…
    • If station fails policy check, access to remediation area for self remediation
  • Client-less implementation eases administrative burden
    • No need to touch every station in network
    • Compatible with guest access, student access
  • Unique integration in WLAN switch
  • Requires PEF and CIM modules installed

Web portal

Embracing Best-of-Breed Mobile Security: Content Inspection
  • Enables Content Inspection
  • Used for risky users / flows
  • Will detect/block malware
  • Can quarantine infected host
  • Can ban infected host (black listing)
  • Requires PEF and ESI modules

Fortinet Appliances Cluster

From AP

To Network

Corporate VLAN

  • Stateful FW rules
  • ACLs
  • Traffic redirection
  • BW contracts
  • VLAN Membership

Guest VLAN

User

User Role = Guest

Leading VoWLAN Solution
  • Industry recognition
    • Aruba Network World Clear Choice
      • Number of terminal supported by AP
      • Voice Quality
      • Roaming capabilities
  • Voice aware ARM (Adaptive RF Management)
    • No RF scanning when voice active terminals are present
    • Preserves Voice QoS
  • Voice Connection Admission Control
    • Keeps number of terminals per AP below defined level
    • Works with Load balancing
    • Classifies on-call and on-hook phones
    • Preserves Voice QoS
  • Joint work with Alcatel - improving end user experience
    • Improved battery life (U-APSD) – 1H 2006
    • E911 (emergency call location) – 1H 2006
Real-Time Location Tracking
  • Multi-point triangulation enables fine granularity (within 1-3 meters)
  • Real-time location service tracks radio source as it moves
  • Automatic RF prediction: eliminates manual walkabout to fingerprint RF propagation
  • Independent of the client device and drivers
  • API available from WLAN switch
  • One application: Location tracking of RFID tags
Alcatel Wireline – Wireless Integration: OmniVista / Rogue Access Point Containment

OmniVista

(discovery, topology, trap management, element manager launch for OmniAccess WLAN)

  • Rogue AP/Clients have been detected
  • MAC addresses are located
  • Port is shut down

Rogue APs

Syslog Interface – Rogue AP messages

Workgroup

Switch

WLAN Controller

Data Center / Aggregation

LAN Switch

Light APs


Traditional WLAN Solution vs. OmniAccess WLAN Solution

Traditional WLAN Solution

OmniAccess WLAN Solution

Access Points

Site Survey

Access Points

Packet capture

Air Monitors

WLAN Switches

WiFi IDS / IPS

An Integrated, Total Solution

Better Security

Easier To Grow/Scale

More Functionality

Easier To Manage

Easier To Deploy

Lower Total Cost of Ownership

WLAN Switches/Blades

Captive Portal

VPN Concentrator

LAN-speed Firewall

QoS Devices


VPN BLADE

L4 - L7 BLADE

AAA SERVICES

FIREWALL BLADE

QUARANTINE SERVICES

WLAN BLADE

LOCATION SERVICES

NEW SUPERVISOR

Cisco Solution & Problems: Upgrade Every Wired Closet, Network Disruption, High Costs

WIRING CLOSET UPGRADES

1. 802.1X FOR PORT SECURITY

2. PoE LAN PORTS FOR VOIP PHONES

3. POWER & COOLING CAPACITY UPGRADES

  • High cost of managing disparate solutions
  • Port-based security model inappropriate for mobility
  • Additional appliances needed to complete solution
    • Network solution cannot keep up with rapid evolution
  • Never ending upgrade cycle very disruptive

CORE UPGRADES

WLAN Network Design
  • Conservative rules
    • AP can cover 10,000 sq ft
    • AP can support 10 users
    • AM can cover 30,000 sq ft
    • Exceptions
      • Hospitals
      • Libraries
      • High BW requirements (5-10 Mbps per user)
  • RF Plan
    • Application part of Management suite
    • Also available as stand alone
    • Takes into account
      • Building shape
      • Size
      • Number of users
      • Performance requirements
  • Pro service – Wireless Valley RF simulation tool
    • Invoiced to the customer if deal is won
OmniAccess Wireless Base Feature Set (factory load)

~ BASE = DEFAULT FACTORY INSTALLED FEATURE SET BEFORE ADDING LICENSES ~

VPN Server Module

NOTE: VPN server module NOT required for Remote AP services

Client Integrity Module

Embedded Sygate On Demand Agent also requires the “SODA Manager application”

- Free application downloadable from eservice.ind.alcatel.com (service web site)

- Requires a license key and company name for activation, both available on the service web site

- Alcatel OmniAccess WLAN documentation is missing the CIM section

- The missing section can be found on the service web site

- Sygate – Aruba integration document (produced by Sygate) is also found on the service web site

- SODA Manager application runs on PC (Windows OS only – no MAC/LINUX)

NOTE: *Policy Enforcement Module required in addition

External Services Interface Module

NOTE: *Policy Enforcement Module required in addition

Remote AP License Module

NOTE: VPN server module NOT required for Remote AP services

Note on the xSec Optional Module
  • Requires specific, non GA Client from FUNK
  • Limited scope of applications/verticals (defense/government specific use)
  • Not introduced as part of initial Alcatel launch
  • If feature required, product management should be contacted

Roadmap

November 2005

OmniAccess WLAN Roadmap

November 05

Q1 06

Q2 06

ACCESS POINT

WLAN SWITCH

OAW-4302 (low cost branch switch)

Outdoor AP (OAW-AP80P)

OAW-AP65 Cost red AP70

OAW-AP41 Cost red AP61

Airespace OAW-1200

Retrofitted w/ G2 FW

Release 2.4.1

Support of Airespace APs (OAW 1200)

Local Switching (Remote AP)

DiffServ/ToS marking (GRE tunnel)

  • Release 2.5
  • Switch to switch IPSec VPN
  • Guest account creation login
  • Voice CAC phase I:
  • 1st Thold: load balance stdby wifi phones
  • 2nd Thold: load balance in-roaming wifi phones
  • 3rd Thold: reject in-roaming wifi phones
  • Manual black listing (Base OS)

Release 3.0

AMAP

TACACS+ for Admin Users

802.1s

RIPv2 routing

Mobility Domains

U-APSD: battery saving

WMM: QoS over the air (timeslot)

Voice CAC phase 2 (T-Spec)

AOS - W

OmniVista Mobility

OmniVista Mobility 1.0

System Dashboards

RF Plan / RF Live

System Monitoring

System Reporting/Trending

OmniAccess Wireless Retrofitted OAW-1200 support

New Generation OAW switch

First Generation OAW switch/appliance

LWAPP

PAPI/GRE

After “Brain Transplant” OAW-1200 becomes an Aruba AP


!!! Attack has been detected You Can:

  • The attack comes from WLAN
  • You can “Black List” the faulty MAC

QM

Data Center

Switch

Workgroup

Switches

Critical

Resources

End stations

2H05 - Alcatel Wireline – Wireless Integration: Policy Enforcement
  • Application-Level attack containment (End 05)
    • Full integration with OV Quarantine Manager: from wired user containment to wired + wireless user containment