© 2003 Bluesocket, Inc. Contents provided under NDA only. Proprietary and Confidential. Secure Mobility™
Untethered Education: Securing and Managing WLANs on Campus
CUMREC May 2004
Rohit Mehra, Director of Product Marketing
Market Dynamics – Wireless LANs
• WLANs have hit mainstream: shipments doubled in 2003 vs. 2002.
  – Intel’s Centrino effect
  – Wide range of new mobile devices
  – Generation “M”: laptops are now requisite equipment for today’s college student
• Demand for security and management products and services is increasing significantly
• Faster APs and larger deployments require high performance WLAN infrastructure
• Universities seek simple yet comprehensive solutions to bring security, simplicity, mobility, compatibility and interoperability to WLAN deployments
Bluesocket Products Manage and Secure WLANs For Hundreds of Customers Worldwide…
Over 250 University Campuses
Singapore Polytechnic
Key Issues in WLAN Deployments
Security
• Wireless does not respect walls
• Default setting is for no security
• Standard security is sub-standard
Mobility
• Handover between Access Points
• Roaming across IP subnets?
• Security does not roam with the user
• Support for Voice and Data
Management
• Who is on my network?
• Quality of Service
• No centralized management
• Access Point dependent
• No logging or alerts
Students, Faculty, Staff Love Wireless
• Anywhere, anytime education
• Wireless fosters collaboration, creativity and information exchange
• Universities want a consistent access methodology: dorm to library to classroom
• Students expect and demand wireless access
• Users drive deployment…whether you like it or not!
Why College Network Admins Like WLANs
• No “retrofit networking”, no renovation to buildings or pulling cables
• Easy install into older (often historic) buildings
  – Average university building in US is 45 yrs old
• Enables access where wires can’t go (common areas, the Quad)
• “The computer lab” now can be wherever you want it to be
• Wireless is easy to install and maintain, lowers Total Cost of Ownership
• Wireless is cost effective
  – Buena Vista University example: wiring 41 classrooms cost $5000/room; wireless access just $1000 per room
• Wireless saves money and increases productivity
  – Harvard’s eDocs program saved $150K in paper costs in Year-1
And what keeps IT Admins awake at night?
• Students are notorious for “experimenting”
  – Sensitive research resources also tempting
  – Spoofing servers, piggybacking, DoS
  – Kazaa and other peer-to-peer challenges
• WLANs need to support legacy wired network deployments across the campus:
  – Apply current authentication schemas to WLANs
  – How frequently can you upgrade as new 802.11 standards are adopted? As vendors upgrade firmware?
• Need for flexibility
  – Adding (registration) or removing a student; turn access on/off (exam)
  – Students change their minds/major at any time, and frequently. Does your WLAN keep up?
• Wireless puts info into the air
  – Need for “Air Traffic Control” to secure grades, financial aid, credit cards
Security issues
It’s 9PM, do you know where your signal is?
This image represents the signal emitted from a single wireless access point located in downtown Lawrence, Kansas.
WLAN Security Threat Model
Four Main Threats
1. Unauthorized access
2. Eavesdropping (interception of data)
3. Man in the middle attack (fake AP)
4. Back door (rogue AP)
[Diagram: an invader reaching the LAN over the wireless link via the AP; a rogue AP, a fake AP and an eavesdropper shown on the wireless side]
Fixing WLAN Security: How Much Is Enough?
• What problem are we trying to solve?
  – Anywhere, anytime secure access
• What is the security architecture?
  – Authentication, Privacy, Access Control
• The need for a consistent solution
  – Interoperability is a key driver
  – Need for seamless mobility
• What are the unique characteristics?
  – Applications and deployments are driving network designs
  – Use cases break traditional fixed approaches
The Bluesocket Wireless Gateway: Secure Mobility™ for The Enterprise
[Diagram] Authentication Servers: LDAP, Radius, NT Domain Server
[Diagram] Access technologies: 802.11b, 802.11a, 802.11a/b, 802.11g, Bluetooth, ...
Bluesocket Wireless Gateways
• Universal Authentication: based on username/password combinations, digital certificates, smart cards or secure token technologies, depending on security needs. User information can reside in local or central (LDAP, RADIUS or NT Domain) databases for ease of management.
• Security: "role-based" management of privileges for different categories of users. Strong encryption based on PPTP, L2TP or IPSec to protect user data.
• Secure Mobility™: users roam seamlessly across subnets while maintaining airlink privacy.
• Management: elegant Web-based interface enables the network to be managed centrally and conveniently.
• Quality of Service: prioritization and DiffServ marking occur at the network edge. Packet delay and jitter are minimized to improve performance of time-critical applications.
• Policy Enforcement: granular support for WLAN policy enforcement based on role, user, location, time, and services. Each type of user can be assigned a maximum bandwidth to maintain CoS.
• Interoperability: provides vendor-agnostic connectivity. Works with Access Points from all major vendors: past, present, future. Supports a broad range of mobile devices without requiring client software.
Bluesocket Reduces Cost and Complexity: Single Component, Multiple Functions
[Diagram: one gateway providing Authentication, Encryption, Firewall, Mobility, QoS/BWM, Policy, Interoperability and Bandwidth Management]
Enterprise-Class WLAN User Management Tools
“Real-Time” Monitoring and Control
Fine-Grained User Policy Management
Bluesocket Wireless Gateway Family: Flexibility, performance and scalability
[Chart: models plotted by performance and data density, from small to very large deployments]
Model         Price     Throughput (clear / 3DES)   Users              APs               Deployment size
WG-1100-SOE   $3,495    100 Mbps / 15 Mbps          1-15 users         1-3 APs           Small
WG-1100       $5,995    100 Mbps / 30 Mbps          15-100 users       1-20 APs          Medium
WG-2100       $12,995   400 Mbps / 150 Mbps         50-300 users       10-50 APs         Large
WG-5000       $24,995   1 Gbps / 350 Mbps           Up to 1000 users   Hundreds of APs   Very large
WLAN Policy Enforcement on Campus
Enforce fine-grained Policy and Bandwidth Management
– Role-based
– Location-based
– Time-based
– Services-based
– User-based
Examples:
– Faculty: given HTTPS access to research databases/library
– Administrators: e-mail and Web access with IPSec encryption
– Students/Visitors: access to resources based on location/schedule
Importance of Policy-Based Networking for Campus WLANs
• Type of user (e.g., undergrads, grads, faculty, staff, alumni, visitors)
• Enforce encryption like IPSec, PPTP, 802.1x
• Inbound vs. outbound controls (e.g., MP3)
• Network/destination access
• Bandwidth management (ability to scale bandwidth based on users, service, etc.)
• To which server should they authenticate? (Different schools, different mechanisms)
• Network server access based on location
• Limit network access during exam period
Example of Policy Management of Services
For each service (can be created from the dropdown create box), you can specify:
• Service name
• TCP, UDP, TCP/UDP, other
• Port, list of ports, or port range
• Enable QoS
• Incoming & outgoing priority and DiffServ marking
Example of Active Directory Authentication
Group mappings within the external directory are made to roles in the Bluesocket Wireless Gateway.
Any attribute returned for an individual user can be used for mapping to roles.
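To make the policy slides concrete (role, location, time, service and encryption as decision inputs, plus the directory-group-to-role mapping just described), here is an added Python example; it is not Bluesocket code and does not reflect the gateway's actual implementation. The service table, group names, addresses, locations and rule ordering are all constructed assumptions; the evaluator is first-match with a default deny, so an unmatched request (Jane's request to a financial-aid server, say) is refused.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service table in the gateway's shape: name -> (protocol, ports)
SERVICES = {"https": ("tcp", {443}), "web": ("tcp", {80, 443}),
            "mail": ("tcp", {25, 143, 993})}
# Constructed directory-group -> gateway-role mapping; unmapped users are guests
GROUP_TO_ROLE = {"Faculty": "faculty", "AdminStaff": "admin", "Students": "student"}
# Session after web login: groups from LDAP/AD, location = AP, tunnel = clear/ipsec/pptp
Session = namedtuple("Session", "user groups location tunnel")

@dataclass(frozen=True)
class Rule:
    role: str
    service: str = None          # None = any service
    dest: str = "0.0.0.0/0"      # destination network (CIDR)
    locations: frozenset = None  # AP locations; None = anywhere
    hours: tuple = None          # ("HH:MM", "HH:MM") time of day; None = always
    tunnel: frozenset = None     # required airlink encryption; None = clear is fine
    allow: bool = True           # False = explicit deny

def role_for(groups):
    """Map the first recognised directory group to a gateway role."""
    return next((GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE), "guest")

def decide(sess, proto, port, dst, now, rules):
    """First matching rule wins; if nothing matches the gateway denies (now is "HH:MM")."""
    role = role_for(sess.groups)
    for r in rules:
        svc_ok = r.service is None or (SERVICES[r.service][0] == proto
                                       and port in SERVICES[r.service][1])
        if (r.role == role and svc_ok and ip_address(dst) in ip_network(r.dest)
                and (r.locations is None or sess.location in r.locations)
                and (r.hours is None or r.hours[0] <= now < r.hours[1])
                and (r.tunnel is None or sess.tunnel in r.tunnel)):
            return r.allow
    return False

# Constructed campus policy; the exam lockout is listed first so it wins for students
RULES = [
    Rule("student", hours=("09:00", "11:00"), allow=False),
    Rule("faculty", "https", "10.1.0.0/16"),                 # research DBs and library
    Rule("admin", "mail", "10.2.0.0/24", tunnel=frozenset({"ipsec"})),
    Rule("admin", "web", tunnel=frozenset({"ipsec"})),
    Rule("student", "web", "10.1.5.0/24",                    # sociology dept. server
         locations=frozenset({"library", "classroom"})),
]
```

Because the deny rule is ordered first, the exam lockout applies regardless of where a student is or which service they request; reordering it after the student allow rule would silently defeat it.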
Example of Controlled Guest Access
Control what they do and when they can do it, without having to touch their machines
Interoperability across the campus
• For all users and devices
  – Vendor agnostic
  – Device agnostic (Laptop, PDA, Mac, 802.11 VoIP Phone, Scanner)
  – Technology agnostic (not limited to Windows)
  – Protocol agnostic (any 802.11 radio standard)
• Proprietary client not required even for strong encryption
  – Support for IPSec, PPTP, and SSL
• Central Policy & Security Management for the entire university system, campus, satellite campuses/colleges, departments, libraries, etc.
• Ability to manage new “standards” rolling out without compromising on interoperability across devices and protocols
• Bluesocket support for standards-based XML/RPC API
  – API allows custom applications to integrate with WLAN policies
  – Examples:
    • School application automatically logs students off the WLAN during test periods
    • Professors’ scheduling application allows specific students access to online material during class
WLAN Gateways: Ensuring Interoperability. Bluesocket is an open, standards-based solution
[Diagram: clients reaching the Bluesocket Wireless Gateway over 802.1x (Admin), PPTP (Faculty), IPsec (Faculty) and clear (Student) sessions; ACS, LDAP, Radius and NT Domain authentication servers behind it]
Interoperable today and tomorrow
Case Study: Universal Authentication, Harvard University
Authenticate Users, not Devices
• Use existing back-end authentication servers where possible
  – RADIUS, LDAP, Windows 2000, NT Domain
• Web-based authentication and encryption (SSL): no client software required
• Branded and Customized Authentication Portal
Encryption and Airlink Privacy: Rutgers University
RUWireless: serving 48,000 students/9,000 faculty on 5 New Brunswick and Piscataway campuses
• Best + worst thing about wireless: it’s open! IPSec provides wireless airlink privacy
• All traffic is encrypted to protect student, departmental, sensitive information: “Without a VPN it would be possible for a hacker to view your information.”
• Non-proprietary VPN-class encryption (supporting a wide range of mobile devices and APs from Cisco, Linksys, SMC, Orinoco and Apple)
• Medical schools with link to hospitals require encryption to be HIPAA compliant
Role-Based Access Control/Authentication: University of Pittsburgh
• University of Pittsburgh’s PittNet lights up office, public (e.g. library, student commons), and classrooms
• 9,600 employees, 3,800 faculty members, 32,000 students, 132 acre campus
• Bluesocket directs all web traffic to log-in page. Students, faculty and staff authenticate themselves via their University Computer Account username and password to access wireless and wired network resources
• Role-Based Access Control defines who can do what, where…even when
  – Jane Smith, sophomore: can access the sociology dept. server, but not financial aid or grades
Policy Enforcement: University of Texas at Dallas
• 14,000 students
• Largest apartment complex in North Dallas area managed off of one Bluesocket box
• Wireless across library, classrooms, student union, common areas, servicing hundreds of students simultaneously
• The WLAN’s high traffic volume requires “traffic engineering” (TE) to:
  – Defend against Kazaa using bandwidth controls (abuse of university property, copyright infringements, possible school/university liability)
  – Ensure each student has individual access controls and students don’t hog bandwidth
  – Certain applications must take priority over other wireless applications of less importance
  – Especially important when considering 300 kbps video streaming on an 8-11 Mbps line.
Interoperability: University of Edinburgh
• 400 year old university: old buildings, large area, 3 campuses, 20 hotspots, 21,000 students
• Principal benefit of wireless at UoE: ubiquitous connectivity
• University of Edinburgh uses Bluesocket Wireless Gateways to manage all air traffic and support a legacy Cisco VPN concentrator (for secure remote access)
• Imperative: support what the university had already (Cisco infrastructure in wired LAN) and support what it will need: easy instant wireless access for visiting conference delegates, with “Guest” privileges
Mobility: University of Georgia’s Wireless Cloud
• UGA’s wireless campus: PAWS (Personal Access Wireless Walkup System)
• Learning how wireless will be part of the student’s world is part of the curriculum (New Media)
• Press file stories via WiFi from UGA stadium during football games
• Wireless Athens Group: a “Gown to Town” Wireless Cloud links the university, stadium and downtown shopping district
• Virtual and physical communities connect with one another
Bluesocket in Wired Networks
Since Bluesocket Wireless Gateways aggregate user traffic via Ethernet, they are also ideally suited for integrated wired/wireless rollouts:
– ResNets
  • Limit student bandwidth to control costs with Internet pipes
  • Control student ability to provide files using P2P apps
– Conference centers
  • Do you know who connected to an individual Ethernet connection?
  • Control access without additional client software
– Libraries
  • Dynix authentication support
Bluesocket Wireless Gateways: Proven Leadership in Education environments
• Provide Security and Management for the Campus WLAN while seamlessly integrating into existing network infrastructure
• Support Multiple Users/Roles in an integrated WLAN:
  – Students
  – Faculty
  – Admin Staff
  – Visitors and Alumni
• Need to go beyond proprietary WLAN solutions
  – Client-less support for diverse user types
  – Not limited to a single vendor’s proprietary implementation
  – Ability to roam between subnets
• Efficient policy enforcement based on user, role, location, time or VLAN
• Traffic engineering improves productivity for everyone
  – Streaming applications or large downloads by students don’t hog all the bandwidth
  – Mobility profile based on type of user