
The New Wi-Fi Paradigm – Preparing your network for the Mobile Device and Application explosion






Presentation Transcript


  1. The New Wi-Fi Paradigm – Preparing your network for the Mobile Device and Application explosion. James Forbes, 2013

  2. Agenda
     • Addressing the new Wi-Fi paradigm
     • Wi-Fi as the primary access layer
     • Wi-Fi client explosion
     • Consumer grade Wi-Fi devices are flooding the enterprise
     • Fastest Adopted Technology Ever?
     • Architecting a Robust and Resilient WLAN
     • An architecture for 802.11n, 802.11ac, and beyond
     • Catering to consumer grade devices
     • Considerations for high density and high performing WLANs
     • BYOD – Bring your own device
     • Access, Control, Resources
     • Device Fingerprinting and Policy Enforcement
     • Device Fingerprinting and contextual awareness
     • The Complete Package
     • Bonjour Challenges – AirPrint and AirPlay
     • Security and Threat Assessment
     • The remote experience

  3. What is the Fastest Adopted Technology?

  4. More Than Seven Years Before the iPhone: IBM Simon, 1994; Ericsson GS 88 'Penelope', 1997; First Use of Term “Smart Phone”

  5. Smart Phones after the iPhone Release

  6. Mobile Internet – Fastest Adopted Consumer Technology

  7. Mobile Internet -- Driving WiFi

  8. Introduction to Aerohive:
     • Visionary Network Infrastructure Company
     • Redefining Enterprise Access
     • Cloud-enabled, Controller-less Wi-Fi, Routing, VPN, Switching
     • Growing 2-3x y/y
     • 7000+ Customers
     • 400+ Employees
     • Most Visionary Vendor - Gartner MQ for Wired & Wireless LAN 2012
     Education Enterprise Healthcare Retail Logistics Cloud Services Platform Private (on-premise) Public Partner Branch & Teleworker Routers / Switches Enterprise Wi-Fi

  9. Customer Focus Healthcare Education Distrib. Enterprise Retail / Logistics Intelligent, scalable, cost effective, resilient infrastructure Seminole County Public Schools

  10. Distributed (Controller-less) Wi-Fi Architecture Delivering simplicity, reliability and affordability Management Management within the network only Centralized cloud-based or Local management Redundancy No single point of failure Self healing mesh architecture No controller tax Requires multiple controllers Local data forwarding..what do you lose? Scalability and future proofing No feature licensing Start small and grow Distributed intelligence Controller capacity? Feature licenses? (FW, RADIUS, CWP, BYOD, Bonjour GW) Performance No data bottlenecks Service Level Agreements QoS & Spectrum analysis included Data bottlenecks QoS, Spectrum analysis..$$$ How does it work? Architectural Alternatives Central Vs. Distrib. Control

  11. Enterprise Wireless LAN Comparison: Controller-Based vs. Distributed Control
     • Aerohive Benefit
     • No U-turns, Bottlenecks or Single Points of Failure
     • Flexible Expansion
     • Superior Branch Performance & Survivability
     • Real Mesh Support
     • Increased Reliability & Reduced Cost (No Controller$)
     • Advanced Value-Added Functionality
     Data Center NMS HiveManager Access Layer Access Layer Cooperative Control APs Thin APs Network Network FW WIDS RADIUS QoS MESH Tunnels Control Data

  12. Aerohive – Controller Free Aerohive’s “cooperative control architecture, which eliminates the need for a dedicated controller and provides a cost competitive solution without sacrificing functionality.” --Gartner

  13. Infrastructure that compensates for Consumer Devices
     • Consumer Devices
     • Battery powered
     • Low power
     • Consumer radios
     • Varying quality
     • High expectations
     • New 802.11n APs
     • High performance
     • 3x3: 3 Stream - 450Mbps
     • Custom-designed radios
     • High-power radios
     • High Rx sensitivity
     • Better coverage, higher data rates, fewer errors
     • Wi-Fi infrastructure has to compensate for consumer devices
     HiveAP 170 HiveAP 330 HiveAP 350

  14. Why use High Powered Radios to aid Mobility? Given that FCC and CE requirements limit power output, why bother with high-power radio?
     • While this is mostly true, high-powered radios give other benefits
     • A high-power radio operating at the same power as a regular-power radio will deliver a lower error rate (lower EVM)
     Lower Error Rates: High Power Radio vs. Regular Power Radio
     Audio Analogy: 100W amp outputting 10W (amplifier set to 1 = MUSIC) vs. 10W amp outputting 10W (amplifier set to 10 = DISTORTION)

  15. Automatic Optimization and Remediation
     • Client Health Score at a glance… understanding a client’s health. Automatically Remediate Client & Network Issues
     • Move Clients
     • Band steer or load balance clients triggered by low client health score
     • Airtime Boost
     • Boosts clients’ airtime if unable to hit performance target
     Visibility and Control Detail

  16. Enterprise Wi-Fi Features Distribution Optimization Mobility Band Steering SLA, QoS & Dynamic Airtime Scheduling Layer 3 Roaming Load Balancing 450Mbps 54Mbps 11Mbps 2.4 GHz 5 GHz High Powered Radios, Receive Sensitivity & RRM Resilient Mesh Layer 2 Roaming Layer 2/3 Roaming Receive Sensitivity

  17. BYO and Corp Deployed Devices MDM Enrollment Access defined by ID & Device User Profiles Corp www MDM Quarantine Enroll L2-4 Firewall OS Detection Bonjour Gateway CWP PPSK RADIUS Corp user Guest user Corp user - BYOD BYOD & MDM Bonjour GW

  18. Security and Authentication Features
     • Authentication support for common directory servers
     • Eliminates standalone RADIUS server
     • Credential caching for remote/branch survivability
     • MAC (L2) based firewall
     • Stateful TCP/IP firewall (L3/L4)
     • ALGs for DNS/FTP/SIP
     • Policy Based Client Isolation
     Wireless Intrusion Prevention Captive Web Portal Multiple CWPs able to serve scalably from every AP WIPS Private PSK Stateful Inspection FW Multiple users, same SSID - easy but unique revocable keys Directory Integration Remote Site Content Security

  19. Limited Access Zone: The Third “Network” Limited Access Zone Corporate Network Guest Network Managed Device Managed Device Managed Device Credentials Credentials Credentials

  20. Policy based on Context Identity, Device, Location, Time of Day L2-4 Firewall OS Detection RADIUS CWP PPSK Corp user Guest user Corp user - BYOD

  21. Device Fingerprinting and Policy Application
     Secure Guest Access
     • Guest self-registration via CWP
     • Assigned unique Private-PSK
     Personal Device Access
     • CWP can also authenticate users to AD
     • Device can be determined by various means
     • Specific personal MIDs policy can be applied
     • Does not require certificates; leverages PPSK
     • Can be set to work with only one device
     Corp Device Access
     • Self-registration with AD or Preconfigured
     • 802.1X or Assigned unique Private-PSK
     • Device can be determined by various means
     • Policy applied based on role or identity limiting access and applying QoS
     • VDI protocols can be prioritized
     Corp SaaS Internet HR VDI email • User Agent • Safari • iOS4, • iPhone 4 Active Directory Secure Guest (SSID) Access (SSID) Corp (SSID) Encrypted with a unique revocable key Corporate access to email only and internet Corporate access to business APPs only Captive Web Portal Guest Private PSK Or 802.1X Private PSK Private PSK Personal iPhone Corp iPad (business APPs only) Corp Laptop (full access)

  22. Solution Scenarios: Network & Profile-Based MDM Solutions
     Contain (BYOD) Embrace (Corporate-Deployed) Corp Corp www www MDM Access Isolate Quarantine Enroll
     • Network-based MDM
     • Enrollment
       - CWP, PPSK
       - AD integration
     • Access Control
       - Device/OS Type
       - Domain Membership
     • Policy Enforcement
       - QoS, Security
       - Apps (e.g., VDI only)
     • Profile-based MDM
     • Device Management
     • App/SW Installs & Updates
     • Policy Enforcement and Compliance
     • eBook distribution
     Force MDM profile install

  23. Monitoring and Reporting Features Monitor Support Manage Simple GUI Cloud Management Topology & Location Tracking PCI Compliance Spectrum Analysis Client Monitor & Packet Capture Management Views

  24. Aerohive Platforms * AP170 AP350 AP141 AP330 BR100 AP121 AP110 Indoor Industrial Indoor Outdoor 1-Radio 802.11b/g/n Dual Radio 802.11n 1-Radio 802.11n 1x1:1 65 Mbps Radio 2x2:2 300 Mbps Radio 2x2:2 300 Mbps High Power Radios 3x3:3 450 Mbps High Power Radios 2x2:2 300 Mbps 11n High Power Radios N/A TPM Security Chip 5X Fast.E 1X Gig.E 2X Gig.E 1X Gig.E N/A PoE (802.3af + 802.3at) and AC Power PoE (802.3at) Water Proof (IP 68) Plenum Rated Plenum & Dust Proof N/A -40 to 55°C 0 to 40°C -20 to 55°C N/A USB for future use N/A USB for 3G Modem
     * BR acting as AP does not support WIPS, DFS (no 5 GHz radio), RADIUS proxy or server, SNMP, locationing or TeacherView

  25. Aerohive Routing Platforms * Cloud VPN Gateway BR100 BR200 WP AP330 AP350 L2 & L3 IPSec VPN Gateway (VMware) Single Radio Dual Radio 1x1 11bgn 3x3:3 450 Mbps 11abgn 5-10 Mbps FW/VPN 30-50Mbps FW/VPN ~500 Mbps VPN 5X 10/100 5X 10/100/1000 2X 10/100/1000 Ethernet 1000 Tunnels 0 PoE PSE 2X PoE PSE 0 PoE PSE 2 Virtual Interfaces * Also available as a non-Wi-Fi, non PoE device (BR200)

  26. Aerohive software platforms SW Config, & Policy, RF Planning, Reporting, SLA Compliance, Guest Management, Trouble Shooting, Spectrum Analysis • Scalable multi-tenant platform, Redundant data centers with diversity, Backup & Recovery, Zero touch device provisioning, Flexible expansion, On demand upgrades, Pay as you grow HiveManager Online • VMware ESXi, HA redundancy • 15,000s APs with specified configuration HiveManager Virtual Appliance • Redundant power & fans, HA redundancy, 5000 APs HiveManager Appliance – 2U • HA redundancy, 500 APs HiveManager Appliance – 1U • VMware ESXi • Up to 50,000 students StudentManager

  27. Single architecture for the enterprise • Cooperative control enables the same functions across multiple devices to work as if they are one device • Network firewall on the router knows identity of the clients on APs? Context Aware Switch Unified policy and security mgmt, from the cloud Service Aware Wi-Fi Same Policy and Network Wired Routing / FW VPN

  28. Huge Questions on Device Ownership and Management. What is the difference between these iPads? Almost Everything
     • BYOD
     • Enable employees to bring their device of choice
     • Not owned or controlled by IT
     • Wide range of devices
     • Driven by employee satisfaction and shifting of CapEx spend
     • Consumerization of IT
     • Consumer devices qualified, bought and deployed by IT
     • Replace legacy devices
     • Lower HW costs
     • Flexible, powerful
     • Enable new working models
     Contain Network-based MDM Secure Apps Only (e.g. VDI, Citrix) Embrace MDM Agents on Devices More App Flexibility

  29. Solution Scenarios: Network & Agent Based MDM Solutions
     Contain (BYOD) Embrace (Consumerization of IT) Corp Corp www www MDM Access Isolate Quarantine Enroll
     • Network-based MDM
     • Enrollment
       - CWP, PPSK
       - AD integration
     • Access Control
       - Device/OS Type
       - Domain Membership
     • Policy Enforcement
       - QoS, Security
       - Apps (e.g., VDI only)
     • Profile-based MDM
     • Device Mgmt
     • App Mgmt
     • Policy Enforcement and Compliance
     Force MDM profile install

  30. Solution automates MDM Enrollment
     (1) Administrator specifies JAMF enrollment URL in HiveManager Policy Configuration
     (2) Apple device attaches to network
     (3) AP queries JSS server: is this a known device?
     (4) If an unknown device, the device is redirected to JSS Server for enrollment
     Diagram labels: HiveManager, iOS device, MDM server, Aerohive AP
     Portal text: “Click here to enroll your device and begin using the network. . .” “Please enroll your device on the following page. . .”

  31. Contain Strategies Enhanced by Service Aware Infrastructure Contain Strategy Access to the Right Resources Corp www • Bonjour Gateway • Let AirPlay and AirPrint work in the Enterprise • Service aware network • Enable & control service advertisement and discovery across subnets Guest, BYOD AppleTV (AirPlay) Printer (AirPrint) Bonjour

  32. Bonjour Gateway – Aerohive & Non Aerohive Networks
     Router / L3 Switch AppleTV (AirPlay) Optionally attach to both subnets for non Aerohive 192.168.1.1 192.168.200.1 Share Services List Bonjour GW Feature ON “with filters” Printer (AirPrint) SSID “Subnet #2” Server: (file sharing etc) SSID “Subnet #1”
     • Multi-Vendor – Works in both Aerohive and Non-Aerohive networks
     • Plug and Play – No requirement for VLAN and Multicast gymnastics
     • Flexible – Supports bi-directional service advertisements
     • Efficient – No tunneling, only sends changes in service, with option to filter
     • Secure and Scalable – Preserves enterprise security & data forwarding methodology
     • Available for beta Q2; shipping mid year
     iPad can AirPrint or AirPlay iPad can print and project via AirPrint & AirPlay

  33. What Else Does Gartner Say: “Aerohive should be considered for any overlay WLAN enterprise opportunities in North America…” --Gartner

  34. Customers Are Buying: “Aerohive's innovation and market messaging are driving annual growth of ~130% higher than the 30% compound annual growth rate (CAGR) of the WLAN…market…” --Gartner

  35. Fast 500 Ranking

  36. Thank you!
