
© 2003 Bluesocket, Inc. Contents provided under NDA only. Proprietary and Confidential. Secure Mobility™

Untethered Education: Securing and Managing WLANs on Campus

CUMREC, May 2004

Rohit Mehra, Director of Product Marketing
[email protected]

Market Dynamics – Wireless LANs

• WLANs have hit mainstream: shipments doubled in 2003 vs. 2002.
  – Intel’s Centrino effect
  – Wide range of new mobile devices
  – Generation “M”: laptops are now requisite equipment for today’s college student
• Demand for security and management products and services is increasing significantly
• Faster APs and larger deployments require high-performance WLAN infrastructure
• Universities seek simple yet comprehensive solutions to bring security, simplicity, mobility, compatibility and interoperability to WLAN deployments


Bluesocket Products Manage and Secure WLANs For Hundreds of Customers Worldwide…


Over 250 University Campuses

Singapore Polytechnic

Key Issues in WLAN Deployments

Security
• Wireless does not respect walls
• Default setting is for no security
• Standard security is sub-standard

Mobility
• Handover between Access Points
• Roaming across IP subnets?
• Security does not roam with the user
• Support for Voice and Data

Management
• Who is on my network?
• Quality of Service
• No centralized management
• Access Point dependent
• No logging or alerts

Students, Faculty, Staff Love Wireless

• Anywhere, anytime education
• Wireless fosters collaboration, creativity and information exchange
• Universities want a consistent access methodology: dorm to library to classroom
• Students expect and demand wireless access
• Users drive deployment…whether you like it or not!

Why College Network Admins Like WLANs

• No “retrofit networking”, no renovation to buildings or pulling cables
• Easy install into older (often historic) buildings
  – Average university building in US is 45 yrs old
• Enables access where wires can’t go (common areas, the Quad)
• “The computer lab” now can be wherever you want it to be
• Wireless is easy to install and maintain, lowers Total Cost of Ownership
• Wireless is cost effective
  – Buena Vista University example: wiring 41 classrooms cost $5000/room; wireless access just $1000 per room
• Wireless saves money and increases productivity
  – Harvard’s eDocs program saved $150K in paper costs in Year-1

And what keeps IT Admins awake at night?

• Students are notorious for “experimenting”
  – Sensitive research resources also tempting
  – Spoofing servers, piggybacking, DoS
  – Kazaa and other peer-to-peer challenges
• WLANs need to support legacy wired network deployments across the campus:
  – Apply current authentication schemas to WLANs
  – How frequently can you upgrade as new 802.11 standards are adopted? As vendors upgrade firmware?
• Need for flexibility
  – Adding (registration) or removing a student; turn access on/off (exam)
  – Students change their minds/major at any time, and frequently. Does your WLAN keep up?
• Wireless puts info into the air
  – Need for “Air Traffic Control” to secure grades, financial aid, credit cards

Security issues

It’s 9PM, do you know where your signal is?

(Image: the signal emitted from a single wireless access point located in downtown Lawrence, Kansas.)

WLAN Security Threat Model

Four Main Threats
1. Unauthorized access
2. Eavesdropping (interception of data)
3. Man in the middle attack (fake AP)
4. Back door (rogue AP)

(Diagram labels: Invader, Eavesdropper, Fake AP and Rogue AP positioned around the Wireless Link between the AP and the LAN.)
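As an added example (not from the deck or from Bluesocket), here is a small triage script that sorts the access points a wireless scan returns into the deck's threat categories: a managed AP, an unknown radio advertising the campus SSID (the fake AP / man-in-the-middle case), an unknown radio whose MAC also shows up on a wired switch port (the rogue AP / back-door case), or an unrelated neighbour. The AP inventory, the scan results, the wired MAC table and the MAC-adjacency heuristic are all constructed assumptions, not data from the page.

```python
"""Triage scanned access points against an inventory of managed APs.

Added example for the four-threat model; not Bluesocket code. All inventory,
scan and switch data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed inventory of managed APs: BSSID -> the campus SSID it should serve.
MANAGED_APS = {
    "00:11:22:33:44:01": "CampusNet",
    "00:11:22:33:44:02": "CampusNet",
}
CAMPUS_SSIDS = set(MANAGED_APS.values())


@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    rssi: int


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def wired_neighbour(bssid: str, wired_macs, max_delta: int = 2) -> bool:
    """Heuristic (assumption): many APs derive the radio BSSID from their wired
    MAC by a small offset, so a MAC within max_delta of the BSSID appearing in
    the switch forwarding table suggests the radio is plugged into our LAN."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= max_delta for m in wired_macs)


def classify(ap: SeenAP, wired_macs) -> str:
    if ap.bssid in MANAGED_APS:
        # Known radio; still confirm it advertises the SSID we configured.
        return "authorized" if ap.ssid == MANAGED_APS[ap.bssid] else "managed-unexpected-ssid"
    if ap.ssid in CAMPUS_SSIDS:
        # Unknown radio impersonating the campus network: fake AP (man in the middle).
        return "fake-ap"
    if wired_neighbour(ap.bssid, wired_macs):
        # Unknown radio bridged onto the wired LAN: rogue AP (back door).
        return "rogue-ap"
    return "neighbour"


def triage(scan, wired_macs) -> dict:
    """Map every scanned BSSID to its threat category."""
    return {ap.bssid: classify(ap, wired_macs) for ap in scan}


# Constructed scan results and switch MAC table.
SAMPLE_SCAN = [
    SeenAP("00:11:22:33:44:01", "CampusNet", -45),   # our own AP
    SeenAP("aa:bb:cc:dd:ee:10", "CampusNet", -60),   # unknown radio using our SSID
    SeenAP("de:ad:be:ef:00:20", "linksys", -70),     # personal AP plugged into a wall port
    SeenAP("12:34:56:78:9a:bc", "CoffeeShop", -85),  # business next door
]
SAMPLE_WIRED_MACS = {"00:11:22:33:44:01", "de:ad:be:ef:00:21", "00:50:56:00:00:01"}

if __name__ == "__main__":
    for bssid, verdict in triage(SAMPLE_SCAN, SAMPLE_WIRED_MACS).items():
        print(f"{bssid}  {verdict}")
```

The ordering of the checks matters: a BSSID in the inventory is trusted before anything else, and an SSID match is examined before the wired-side heuristic, because an unknown radio copying the campus SSID is the higher-priority finding whether or not it is also on the wire.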

Fixing WLAN Security: How Much Is Enough?

• What problem are we trying to solve?
  – Anywhere, anytime secure access
• What is the security architecture?
  – Authentication, Privacy, Access Control
• The need for a consistent solution
  – Interoperability is a key driver
  – Need for seamless mobility
• What are the unique characteristics?
  – Applications and deployments are driving network designs
  – Use cases break traditional fixed approaches

The Bluesocket Wireless Gateway: Secure Mobility™ for The Enterprise

(Diagram labels: Authentication Servers: LDAP, Radius, NT Domain Server; wireless links: 802.11b, 802.11a, 802.11a/b, 802.11g, Bluetooth, ...)

Bluesocket Wireless Gateways

Universal Authentication
• Based on username/password combinations, digital certificates, smart cards or secure token technologies, depending on security needs
• User information can reside in local or central (LDAP, RADIUS or NT Domain) databases for ease of management

Security
• "Role-based" management of privileges for different categories of users
• Strong encryption based on PPTP, L2TP or IPSec to protect user data

Secure Mobility™
• Users roam seamlessly across subnets while maintaining airlink privacy

Management
• Elegant Web-based interface enables the network to be managed centrally and conveniently

Quality of Service
• Prioritization and DiffServ Marking occur at the network edge
• Packet delay and jitter are minimized to improve performance of time-critical applications

Policy Enforcement
• Granular support for WLAN policy enforcement based on role, user, location, time, and services
• Each type of user can be assigned a maximum bandwidth to maintain CoS

Interoperability
• Provides vendor-agnostic connectivity
• Works with Access Points from all major vendors: past, present, future
• Supports a broad range of mobile devices without requiring client software

Bluesocket Reduces Cost and Complexity: Single Component, Multiple Functions

(Diagram labels: Authentication, Encryption, Firewall, Mobility, QoS/BWM, Policy, Interoperability, Bandwidth Mgt)


Enterprise-Class WLAN User Management Tools

“Real-Time” Monitoring and Control

Fine-Grained User Policy Management

Bluesocket Wireless Gateway Family: Flexibility, performance and scalability

(Chart axes: Performance vs. Data Density: Low / Medium / High)

Model         Price     Throughput (clear / 3DES)   Capacity                            Deployment
WG-1100-SOE   $3,495    100 Mbps / 15 Mbps          1-15 users, 1-3 APs                 Small
WG-1100       $5,995    100 Mbps / 30 Mbps          15-100 users, 1-20 APs              Medium
WG-2100       $12,995   400 Mbps / 150 Mbps         50-300 users, 10-50 APs             Large
WG-5000       $24,995   1 Gbps / 350 Mbps           Up to 1000 users, hundreds of APs   Very large

WLAN Policy Enforcement on Campus

Enforce fine-grained Policy and Bandwidth Management
– Role-based
– Location-based
– Time-based
– Services-based
– User-based

Examples:
– Faculty: given HTTPS access to research databases/library
– Administrators: E-mail and Web access with IPSec encryption
– Students/Visitors: access to resources based on location/schedule

Importance of Policy-Based Networking for Campus WLANs

• Type of user (e.g., undergrads, grads, faculty, staff, alumni, visitors)
• Enforce encryption like IPSec, PPTP, 802.1x
• Inbound vs. outbound controls (e.g., MP3)
• Network/destination access
• Bandwidth management (ability to scale bandwidth based on users, service, etc.)
• To which server should they authenticate? (Different schools, different mechanisms)
• Network server access based on location
• Limit network access during exam period

Example of Policy Management of Services

For each service (can create from the dropdown create box), you can specify:
• Service name
• TCP, UDP, TCP/UDP, other
• Port, list of ports, or port range
• Enable QoS
• Incoming & outgoing priority and DiffServ marking
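The three slides above (policy enforcement by role/location/time/service, the policy-based networking checklist, and the per-service definition) describe one mechanism: a service catalogue plus an ordered rule set evaluated per user flow. The following is an added example of such an evaluator, written for this page and not Bluesocket's own code or configuration format. The service catalogue, role names, subnets, the exam-hall lockdown window, the bandwidth caps and the sample flows are all constructed assumptions; the DSCP value 46 is the standard Expedited Forwarding code point.

```python
"""Role-, location-, time- and service-based policy evaluation.

Added example; not Bluesocket code. Services, rules and flows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Service:
    """One catalogue entry: name, protocol, port set, QoS flag, DiffServ mark."""
    name: str
    proto: str                  # "tcp", "udp", "tcp/udp" or "other"
    ports: frozenset            # a single port, a list of ports, or a range
    qos: bool = False
    dscp: Optional[int] = None  # DiffServ code point applied when qos is enabled

    def matches(self, proto: str, port: int) -> bool:
        return (self.proto == "tcp/udp" or self.proto == proto) and port in self.ports


def port_range(lo: int, hi: int) -> frozenset:
    return frozenset(range(lo, hi + 1))


# Constructed service catalogue.
SERVICES = {
    "https": Service("https", "tcp", frozenset({443})),
    "web": Service("web", "tcp", frozenset({80, 443})),
    "mail": Service("mail", "tcp", frozenset({25, 110, 143, 993, 995})),
    "voip-rtp": Service("voip-rtp", "udp", port_range(16384, 16482), qos=True, dscp=46),
    "p2p": Service("p2p", "tcp/udp", port_range(6881, 6889)),
}


@dataclass(frozen=True)
class Rule:
    role: str
    service: str                    # catalogue name, or "*" for any traffic
    action: str                     # "allow" or "deny"
    destinations: tuple = ()        # CIDRs; empty means any destination
    locations: tuple = ()           # where the user is attached; empty means anywhere
    hours: Optional[tuple] = None   # (start_hour, end_hour): rule applies only in this window
    require_ipsec: bool = False     # allow only when the traffic arrives inside IPSec
    kbps: Optional[int] = None      # per-user bandwidth cap attached to an allow


@dataclass(frozen=True)
class Flow:
    role: str
    location: str
    proto: str
    dst_ip: str
    dst_port: int
    when: datetime
    ipsec: bool = False


# Ordered policy, first match wins; constructed to mirror the slide's examples.
POLICY = [
    Rule("faculty", "https", "allow", destinations=("10.20.0.0/16",)),     # research DBs / library
    Rule("faculty", "voip-rtp", "allow"),                                  # QoS-marked voice
    Rule("admin", "mail", "allow", require_ipsec=True),                    # e-mail only over IPSec
    Rule("admin", "web", "allow", require_ipsec=True),
    Rule("student", "*", "deny", locations=("exam-hall",), hours=(8, 18)),  # exam-period lockdown
    Rule("student", "p2p", "deny"),
    Rule("student", "web", "allow", kbps=512),
    Rule("visitor", "web", "allow", locations=("library", "commons"), kbps=256),
]

EXAM_MORNING = datetime(2004, 5, 10, 10, 0)   # constructed timestamps for the demo
EVENING = datetime(2004, 5, 10, 20, 0)


def _in_window(hours, when: datetime) -> bool:
    return hours is None or hours[0] <= when.hour < hours[1]


def _to_destination(rule: Rule, dst_ip: str) -> bool:
    return not rule.destinations or any(
        ip_address(dst_ip) in ip_network(c) for c in rule.destinations)


def evaluate(flow: Flow, policy=POLICY, services=SERVICES):
    """Return (action, service, kbps, dscp) from the first matching rule; default deny."""
    for rule in policy:
        if rule.role != flow.role or not _in_window(rule.hours, flow.when):
            continue
        if rule.locations and flow.location not in rule.locations:
            continue
        if not _to_destination(rule, flow.dst_ip):
            continue
        svc = None if rule.service == "*" else services[rule.service]
        if svc is not None and not svc.matches(flow.proto, flow.dst_port):
            continue
        if rule.action == "allow" and rule.require_ipsec and not flow.ipsec:
            continue  # right service, wrong transport: fall through to default deny
        dscp = svc.dscp if svc is not None and svc.qos else None
        return rule.action, (svc.name if svc else "*"), rule.kbps, dscp
    return "deny", None, None, None


if __name__ == "__main__":
    print(evaluate(Flow("student", "exam-hall", "tcp", "192.0.2.10", 80, EXAM_MORNING)))
    print(evaluate(Flow("admin", "office", "tcp", "192.0.2.25", 993, EXAM_MORNING, ipsec=True)))
```

Two design points carry the security weight: the policy is default-deny (a flow that matches no rule is dropped, so an administrator's e-mail outside the IPSec tunnel is refused rather than silently allowed in clear), and the exam-hall lockdown is placed before the student allow rules so that a broad time-and-location deny cannot be bypassed by a later, more specific allow.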


Example of Active Directory Authentication

Group mappings within the external directory are made to roles in the Bluesocket Wireless Gateway.

Any attribute returned for an individual user can be used for mapping to roles.
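An added example of the group-to-role mapping the slide describes, written for this page rather than taken from Bluesocket: attributes returned by the directory for a user are matched against an ordered mapping table, the most privileged qualifying role wins, unmatched users fall to a guest role, and an account the directory marks as disabled gets no role at all regardless of its groups. The group DNs, the employeeType mapping, the role names and the sample directory responses are constructed; the userAccountControl attribute and its ACCOUNTDISABLE bit (0x2) are real Active Directory semantics.

```python
"""Map external-directory attributes (e.g. Active Directory groups) to gateway roles.

Added example; not Bluesocket code. Mapping table and user records are constructed.
"""

ACCOUNTDISABLE = 0x0002  # bit in Active Directory's userAccountControl attribute

ROLE_PRECEDENCE = ["admin", "faculty", "student", "guest"]  # most to least privileged
DEFAULT_ROLE = "guest"

# Constructed mapping table: (directory attribute, value to match, gateway role).
MAPPINGS = [
    ("memberOf", "CN=IT-Staff,OU=Groups,DC=example,DC=edu", "admin"),
    ("memberOf", "CN=Faculty,OU=Groups,DC=example,DC=edu", "faculty"),
    ("memberOf", "CN=Students,OU=Groups,DC=example,DC=edu", "student"),
    ("employeeType", "Adjunct", "faculty"),  # any returned attribute can drive a mapping
]


def _values(attrs: dict, name: str) -> list:
    """Directory attributes may be single- or multi-valued; normalise to a list."""
    v = attrs.get(name, [])
    return v if isinstance(v, list) else [v]


def _same(a, b) -> bool:
    """DNs and most attribute values compare case-insensitively in LDAP; also
    ignore whitespace after RDN separators so 'cn=x, ou=y' equals 'CN=x,OU=y'."""
    def norm(s):
        return ",".join(p.strip() for p in str(s).split(",")).lower()
    return norm(a) == norm(b)


def map_role(attrs: dict, mappings=MAPPINGS, precedence=ROLE_PRECEDENCE) -> str:
    """Collect every role the user qualifies for and return the most privileged."""
    hits = [role for attr, wanted, role in mappings
            for v in _values(attrs, attr) if _same(v, wanted)]
    return min(hits, key=precedence.index) if hits else DEFAULT_ROLE


def authorize(attrs: dict):
    """Return the gateway role, or None when the account is disabled in the directory.
    Group membership must never override an account-level disable."""
    raw = _values(attrs, "userAccountControl")
    uac = int(raw[0]) if raw else 0
    if uac & ACCOUNTDISABLE:
        return None
    return map_role(attrs)


# Constructed directory responses for the demo.
SAMPLE_USERS = {
    "alice": {"memberOf": ["CN=Faculty,OU=Groups,DC=example,DC=edu",
                           "CN=Students,OU=Groups,DC=example,DC=edu"],
              "userAccountControl": "512"},
    "bob":   {"memberOf": "cn=students, ou=groups, dc=example, dc=edu"},
    "carol": {"employeeType": "Adjunct"},
    "dave":  {"memberOf": ["CN=IT-Staff,OU=Groups,DC=example,DC=edu"],
              "userAccountControl": "514"},   # 512 | ACCOUNTDISABLE
    "eve":   {},
}

if __name__ == "__main__":
    for user, attrs in SAMPLE_USERS.items():
        print(f"{user}: {authorize(attrs)}")
```

The precedence list is the policy decision worth reviewing: a user in both Faculty and Students lands in the faculty role, which is appropriate for a teaching assistant but means group hygiene in the directory directly controls WLAN privileges.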


Example of Controlled Guest Access

Control what they do, when they can do it---without having to touch their machines

Interoperability across the campus

• For all users and devices
  – Vendor Agnostic
  – Device Agnostic (Laptop, PDA, Mac, 802.11 VoIP Phone, Scanner)
  – Technology Agnostic (Not limited to Windows)
  – Protocol Agnostic (Any 802.11 radio standard)
• Proprietary Client not required even for strong encryption
  – Support for IPSec, PPTP, and SSL
• Central Policy & Security Management for the entire university system, campus, satellite campuses/colleges, Departments, Libraries, etc.
• Ability to manage new “standards” rolling out without compromising on interoperability across devices and protocol
• Bluesocket support for standards-based XML/RPC API
  – API allows for custom applications to integrate with WLAN policies
  – Examples:
    • School application automatically logs students off the WLAN during test periods
    • Professors’ scheduling application allows specific students access to online material during class

WLAN Gateways: Ensuring Interoperability

Bluesocket is an open, standards-based solution. Interoperable today and tomorrow.

(Diagram labels: clients attached as 802.1x/Admin, PPTP/Faculty, IPsec/Faculty and Clear/Student pass through the Bluesocket Wireless Gateway to the ACS, LDAP, Radius and NT Domain authentication servers.)

Authenticate Users, not Devices

• Use existing back-end authentication servers where possible
  – RADIUS, LDAP, Windows 2000, NT Domain
• Web-based authentication and encryption (SSL): no client software required
• Branded and Customized Authentication Portal

Case Study: Universal Authentication, Harvard University

Encryption and Airlink Privacy: Rutgers University

• RUWireless: serving 48,000 students/9,000 faculty on 5 New Brunswick and Piscataway campuses
• Best + worst thing about wireless: it’s open! IPSec provides wireless airlink privacy
• All traffic is encrypted to protect student, departmental, sensitive information: “Without a VPN it would be possible for a hacker to view your information.”
• Non-proprietary VPN-class encryption (supporting a wide range of mobile devices and APs from Cisco, Linksys, SMC, Orinoco and Apple)
• Medical schools with links to hospitals require encryption to be HIPAA compliant

Role-Based Access Control/Authentication: University of Pittsburgh

• University of Pittsburgh’s PittNet lights up office, public (e.g. library, student commons), and classrooms
• 9,600 employees, 3,800 faculty members, 32,000 students, 132 acre campus
• Bluesocket directs all web traffic to a log-in page. Students, faculty and staff authenticate themselves via their University Computer Account username and password to access wireless and wired network resources
• Role-Based Access Control defines who can do what, where…even when
  – Jane Smith, sophomore: can access the sociology dept. server, but not financial aid or grades

Policy Enforcement: University of Texas at Dallas

• 14,000 students
• Largest apartment complex in North Dallas area managed off of one Bluesocket box
• Wireless across library, classrooms, student union, common areas, servicing hundreds of students simultaneously
• The WLAN’s high traffic volume requires “traffic engineering” (TE) to:
  – Defend against Kazaa using bandwidth controls (abuse of university property, copyright infringements, possible school/university liability)
  – Ensure each student has individual access controls and students don’t hog bandwidth
  – Certain applications must take priority over other wireless applications of less importance
  – Especially important when considering 300 kbps video streaming on an 8-11 Mbps line.

Interoperability: University of Edinburgh

• 400 year old university: old buildings, large area, 3 campuses, 20 hotspots, 21,000 students
• Principal benefit of wireless at UoE: ubiquitous connectivity
• University of Edinburgh uses Bluesocket Wireless Gateways to manage all air traffic and support a legacy Cisco VPN concentrator (for secure remote access)
• Imperative: support what the university had already (Cisco infrastructure in wired LAN) and support what it will need: easy instant wireless access for visiting conference delegates, with “Guest” privileges

Mobility: University of Georgia’s Wireless Cloud

• U/GA’s wireless campus: PAWS (Personal Access Wireless Walkup System)
• Learning how wireless will be part of the student’s world is part of the curriculum (New Media)
• Press file stories via WiFi from UGA stadium during football games
• Wireless Athens Group: a “Gown to Town” Wireless Cloud links the university, stadium and downtown shopping district
• Virtual and physical communities connect with one another

Bluesocket in Wired Networks

Since Bluesocket Wireless Gateways aggregate user traffic via Ethernet, they are also ideally suited for integrated wired/wireless rollouts:
– ResNets
  • Limit student bandwidth to control costs with Internet pipes
  • Control student ability to provide files using P2P apps
– Conference centers
  • Do you know who connected to an individual Ethernet connection?
  • Control access without additional client software
– Libraries
  • Dynix authentication support

Bluesocket Wireless Gateways: Proven Leadership in Education environments

• Provide Security and Management for the Campus WLAN while seamlessly integrating into existing network infrastructure
• Support Multiple Users/Roles in an integrated WLAN:
  – Students
  – Faculty
  – Admin Staff
  – Visitors and Alumni
• Need to go beyond proprietary WLAN solutions
  – Client-less support for diverse user types
  – Not limited to a single vendor’s proprietary implementation
  – Ability to roam between subnets
• Efficient policy enforcement based on user, role, location, time or VLAN
• Traffic engineering improves productivity for everyone
  – Streaming applications or large downloads by students don’t hog all the bandwidth
  – Mobility profile based on type of user

Q & A

Managing Wireless Authentication and Access on Campus…