Colubris Basic Customer Presentation
Extend Your Business … Mobilize Your Network …
Colubris Networks
Product Overview
What is Wi-Fi?
• Wireless Ethernet – WLAN IEEE 802.11
• Broadband wireless data service that connects mobile devices to an Ethernet network
  - Data rates: 11 to 54 Mbps
  - Distance: 300 ft, depending on antenna and environment
[Diagram labels: Wi-Fi Access Point; Ethernet Network]
Colubris Overview
Mission: Industry-leading developer of unified multiservice WLAN/LAN systems
• Highly scalable business mobility solutions for enterprises and service providers
Market Leadership:
• Over 1,000 customers worldwide
• 60,000 WLAN devices installed, worldwide
• #2 global market share in hospitality and service provider; #1 in transportation
Profile:
• Founded in 2000; HQ in Waltham, MA
• Strategic Partners – Alcatel, Juniper, Avaya
• #1 privately held WLAN company
Distributed Intelligence VPN Termination/Aggregation
• Distributed Intelligence – VPN termination on AP eliminates separate WLAN infrastructure
• Secure VPN perimeter from client to corporate LAN
  - On-board encryption accelerator optimizes performance
• Local termination enables simplicity, greater scale
  - Back-end aggregation to fewer VPN tunnels
• Secure VPN management interface
[Diagram labels: SSID=Employee, Security=VPN; Employees; CN1250; Wide Area Network; Corporate HQ; AAA; NMS; DHCP; VPN Server]
Next Generation WLAN Architecture
[Diagram labels: Smart Access; Management & Control (incl. 1st Gen WLAN Switch); Scalability & Services Breadth]
Localized Services Policy Control
• Services applied at AP
• Distributed architecture with centralized management and control NOT in data path
• Adds centralized WLAN QoS, security and roaming to existing LAN
• 10x higher scalability than WLAN switch solutions
• Leverages commercial AP chips for reduced costs
• Smooth migration to unified switch and 802.11n standards
[Diagram labels: AP; WLAN RF & system mgt., QoS and security enforcement, packet forwarding; NMS; Central QoS and security control, roaming; MultiService Controller; LAN; Policy Data Base]
Colubris WLAN Solution
[Diagram labels: InMotion; InReach; InCharge CNMS; InCharge RF Security Server; VoIP-PBX; L2/L3 Switch; VLAN Switch; Internet Gateway; Internet]
Free or Fee-based Hotspot Services
FEE-BASED SERVICE OPPORTUNITIES
• Cafes and restaurants
• Hotels and marinas
• Train stations
  - Increase foot traffic
  - Customer stays longer
  - Generate revenue
FREE SERVICE OPPORTUNITIES
• Retailers, Malls
• Municipalities
  - Increase foot traffic
  - Attract techno-savvy clients
[Diagram labels: NOC; CN3200; Access Network; Kiosk; Hotspot]
Public Interface
Internal Web Page
Original URL and Session Page
Customized Local (MSC) Pages
Rich Content Remote WEB server Page
Interactive Captive Portal
Payment options
Credit Card Payment
Public Internet Access Industry Structure
• Wireless service provider
  - Owns and operates WLAN infrastructure
• Carrier
  - Owns and operates Internet network service
• Back-office service provider
  - Performs back-end authentication, billing, phone support
• Venue owner (hotel, restaurant, etc.)
• Aggregator
  - Markets services to end-users
  - Aggregates service operated by 3rd party WSPs
[Diagram labels: End User; Venue Owner; Wireless Service Provider; Back Office Service Provider; Carrier]
Public Access Service Business Models
• Service branding
  - Private label for venue
  - Wireless service provider brand
  - Aggregator brand
• Revenue models
  - Service paid by venue owner
  - Service paid by end user and split with venue owner
  - Service paid by aggregator and split with service provider and venue owner
• Various back office and carrier outsourcing models
[Diagram labels: Aggregator; Wireless Service Provider; Back Office Service Provider; Carrier]
Public Access Service Network Components
• Broadband client connectivity
• Client authentication, service presentation, billing support
• Routing services, security
• NMS manages and controls public access infrastructure; Portal delivers web content to clients
• Back Office: Subscriber authentication, credit card processing
[Diagram labels: Public Internet Access Venue; WLAN Access Point(s); Access Gateway; Firewall/Router; Cable/DSL Modem; Carrier Internet Service; Service Provider NOC; Service Provider NMS; Portal; Back Office]
CIMS Fully Integrated Public Access Solution
• MultiService client connectivity
• Turnkey public access CPE solution
• Integrated access gateway, router, firewall, access point
• CNMS manages and controls geographically distributed public access infrastructure
Back Office
• Comprehensive support for AAA and back-office billing systems
[Diagram labels: Back Office; Service Provider; InCharge Colubris NMS (CNMS); InMotion MSC; MultiService Controller; InReach MAP(s); MultiService Access Point; Public Access Venue; Portal; Carrier Internet Service; Cable/DSL Modem]
SSID and Windows XP
VAPs – Access Control Lists and Backend Services
• SSID=Admin, Security=VPN, QoS=P2, RADIUS Profile 2, ACL 3
• SSID=Voice, Security=WEP, QoS=P1, RADIUS Profile 2, ACL - 4
• SSID=POS, Security=MAC, QoS=P2, RADIUS Profile 2, ACL - 2
• SSID=Guest, Security=Open, QoS=P3, RADIUS Profile 3, ACL - 5
• SSID=Hotspot, Security=Open, QoS=P4, RADIUS Profile 3, ACL - 6
Radius Profile 1 – Walled Garden ACLs
[Diagram labels: LAN/WAN; POS Server; VoIP Gateway; Back-end RADIUS 1 & WEB, Back-end RADIUS 2 & WEB, Back-end RADIUS 3 & WEB, Back-end RADIUS 4 & WEB (each with AAA, NMS, Billing, Portal); legend: Services Controller, Access Devices]
Multi-Service WLANs for Higher Education
• SSID=Faculty, Security=VPN, QoS=P2
• SSID=Voice, Security=WEP, QoS=P1
• SSID=Student, Security=Open, QoS=P4
• SSID=Assets, Security=WPA, QoS=P2
[Diagram labels: LAN/MAN/WAN; Staff; Faculty; Students; Admin Services; Student Services; VoIP Gateway; Data Center; CNMS WLAN Mgmt; AAA/VPN Server; Internet; legend: Services Controller, Access Devices]
GSM / Wi-Fi phones are here
Toll-Quality Voice Service
• Broad QoS support for VoWLAN handsets
  - SpectraLink, 802.11e, Vocera, SIP and H.323 softphones
• Transparent client subnet roaming support
• Traffic segregation and IP filters reinforce security
• Open support for 3rd party power-save modes
[Diagram labels: SSID=VOICE, Security=WEP, IP Filter=VoIP G/W, QoS=P1; CN1250; Router; Employee Server; VoIP Gateway; Data Center; Subnet “A”; Subnet “B”; Seamless Subnet Roaming]
Colubris: QoS Enforced at the AP Edge
• Policies applied at WLAN/wired network boundary
  - Mapping between WLAN and LAN/WAN policies
• Embedded processors provide scalability to large networks
  - Each AP adds processing power for 16 services to network
• CNMS centrally configures QoS policies for ease of operation
[Diagram labels: QoS Policy Enforcement; SSID; 802.1p; WME; TOS/DiffServ; LAN Backbone; IP Backbone; Applications; Corporate HQ; Suppliers]
Interoperability with QoS-Capable Clients
• Protocol-based policy enables client device to request priority
  - 802.11e WME provides open voice, video, data interoperability
  - SVP support provides interoperability with SpectraLink phones
• Part of end-to-end QoS scheme
  - Client-AP-Ethernet
[Diagram labels: SSID=Multimedia, Security=Open, QoS=Protocol; Protocol-based Forwarding; SVP QoS; WME QoS; No QoS; 1 2 3 4; Wi-Fi; Ethernet]
Problems with next generation Solutions
[Diagram labels: VoIP-PBX; Management; VLAN Switch; Subnet A; Master VLAN Switch; IP Router; Internet; RADIUS Server; DNS Server; VLAN Switch; Subnet B; Phone IP; NEW IP; Inter AP Roam – re associate & KEY]
Large Site / Campus deployment
[Diagram labels: InMotion MSC; VLAN Switch; Master VLAN Switch; VoIP-PBX; IP Router; Internet; CNMS Management; Secure Control IP Tunnel; legend: Control / mgmt, Call Setup, Call]
InMotion™ Delivers New Services
• New Industry-leading Voice Over WLAN Service
  - Highest R-values and voice session capacity
  - More than 28% lower jitter than competitors
• New Fast, Secure Intra/Inter Subnet Roaming Service
  - Mobility for real-time applications
  - MOBILE IP Protocol
  - Secure WPA2 hand-offs < 50 milliseconds
• New Plug-and-Play Deployment Service
  - Automatic MAP discovery and configuration
  - Mutual authentication and encryption for security
• Industry-Leading Public/guest Network Access Service
  - “Zero configuration” for easy client access
  - Rich service management policies
[Diagram label: MultiService Controllers]
Data Network Security
3 Requirements
1. Access Control – Bi-directional, verifiable, centrally managed
2. Confidentiality – Encryption
3. Data Integrity – Frame Check and Sequencing
[Diagram labels: DATA; Encryption Engine; Encryption KEY; Cipher Text; RC4; DES/3DES; CCMP AES; Static – PSK; Certificate; PMK; TKIP]
Wi-Fi Security
• WEP – Wired Equivalent Privacy
  - Original 802.11 encryption scheme
  - RC4 - Static Weak Key
• VPN – Virtual Private Network
  - (DES, 3DES) cryptography – VPN client and Gateway
• IEEE 802.1x – Access Control
  - EAP protocol using RADIUS Authentication
• WPA – Wireless Protected Access
  - Strong encryption TKIP RC4
  - Requires access to authentication server
• IEEE 802.11i – WPA2
  - Strongest encryption (AES)
  - Government approved
• HTML Access Control
  - Public Access via Captive Portal authentication
WLAN System Components
Colubris Products
Product types: 1 Radio (2 ports total); 2 Radios (3 ports total); Appliance (no radio, 4 Ethernet ports only)
InReach MAP – MultiService Access Point
• MAP-320, MAP-320R, CN320
• WAP-200 (2 VAP, no QoS)
• MAP-330, MAP-330R, CN330
InMotion MSC – MultiService Access Controller
• MSC-3200, MSC-3200R, CN3200: 100 concurrent users
• MSC-3300, MSC-3300R, CN3300: 100 concurrent users
• MSC-5200, CN3400: 500 concurrent users
• MSC-5500: 2000 concurrent users, 2-1000BASE-T4
MGW – MultiService Gateway
• MGW-1250, CN1250
• MGW-3500, CN3500: 1000 concurrent users
Product Positioning
[Chart: axes are Performance (User Capacity, Future Proofing) and Features (Connectivity, Security, Mobility); products shown: MSC-3200 and MSC-3300 (100 Users); MSC-5200 (500 Users/25 AP); MGW-3500 (1000 Users); MSC-5500 (2000 Users/200 AP)]
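InMotion™ MultiService Controllers
Specifications for MSC-5200 and MSC-5500, each in two software configurations (COS Access Service; COS Service Pack)
• Services: VoWLAN, Fast Roaming, Plug & Play Deployment, Public/Guest Access
• Maximum MAPs: MSC-5200: N.A. (COS Access Service), 25 (COS Service Pack); MSC-5500: N.A. (COS Access Service), 200 (COS Service Pack)
• Max. Public/Guest Access Users: MSC-5200: 500 (COS Access Service), 500 (COS Service Pack); MSC-5500: 2,000 (COS Access Service), 2,000 (COS Service Pack)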
Firewall
NAT
VPN Client
To protect the VPN, add the following definitions to the access list:
access-list=vpn,DENY,all,192.168.30.0/24,all
use-access-list=vpn
Centralized Mode
Dual Radio Access Device Features
• Industry first dual a/b/g radios
  - Two channels on single band increases performance, coverage
• Configurable AP, WDS Bridge and Monitor operating modes
  - Flexibility and investment protection
  - Enables continuous full-spectrum rogue scanning for increased security
• Robust monitor and diagnostic capability
  - Eliminates cost of redundant probes/monitors
Configurability | Radio 1 | Radio 2
Transceiver Mode | a/b/g | a/b/g
Operating Mode | AP, Bridge, Monitor | AP, Bridge, Monitor
Extended Access Control Network
Network Topology - WDS
[Diagram labels: Internet; Access line; MAP-3300; MAP-330 (multiple); Client (multiple); .11g or 11a (WDS); .11b ch 1 area (AP); .11b ch 6 area (AP); .11b ch 11 area (AP)]
MAP-3300/MAP-330 – one radio in AP mode and the other radio in WDS mode
Potential hidden node issue, for shared WDS/AP radios
Rogue AP Detection and Reporting
• Wireless RF Scanning
  - Use of existing, authorized APs for wireless scans
  - Differentiates between true “rogues” and “ignored” 3rd party APs
  - Multi-vendor support enables most comprehensive Rogue AP detection
• Wireline Rogue Discovery
  - Scans network via multiple protocols
  - Automatically IDs the “fingerprints” of rogue APs
• Integrated Rogue AP Reporting
  - Correlates all information to rapidly locate and disable rogues
Outdoor Rated Enclosure: MSC-3200R, MAP-320R
This slide for planning purposes only, content and dates subject to change
• Die-Cast Aluminum, NEMA 67 rating
• 2 waterproof N-type Antennas option
• Waterproof, quick disconnect RJ-45 connector
• 3 point silicone-rubber gasket
• Pole-top and wall-mount mounting options
• Colubris Logo Applied
Locking Mounting Bracket
This slide for planning purposes only, content and dates subject to change
• Die-Cast Aluminum
• Wall or Ceiling Mountable
• Compatible with standard product enclosure (slides in and out)
• Padlock not included
• List Price $50 (USD)
CNMS - WiFi Network Management
WiFi Network Management
CNMS Overview
• Monitor
  - AP discovery
  - User monitoring
  - Rogue AP detection
  - NMS & AAA integration
• Analyze
  - Alerts & diagnostics
  - Performance reports
  - RF event correlation
• Act
  - Multi-vendor config mgt
  - Firmware distribution
  - Grouping & scheduling
[Diagram labels: NOC; NMS; Authentication; RADIUS; SNMP; WAN/LAN; Campus A; Campus B; CN3200; CN320; CN3200; CN1250; SNMP/HTTP/TFTP; CNMS]
Colubris Networks Offers a Comprehensive RF Security and Management Solution
• InCharge RF Server
• InReach 330P
• InCharge RF Planner
• Automatically prevent Wi-Fi security attacks
• Perform real-time network audits
• Assist performance troubleshooting
• Monitor wireless LAN health
InCharge RF Server, InReach 330P, InCharge RF Planner
InCharge RF Server
• Two appliance models support up to 50 sensors or up to 200 sensors
• Correlates sensor data
• Analyzes and classifies Wi-Fi devices
• Enforces security policy
• Web interface
• Within CNMS, launch InCharge RF Server screens in Phase 1
• Tight integration with CNMS in Phase 2
InReach 330P
• Scans 2.4 and 5 GHz bands
• Centrally managed and configured by Server
• Dedicated sensor function in Phase 1
• Concurrent AP and Sensor function at Phase 2; Phase 1 InReach 330P devices can be upgraded to Phase 2 capability
• Power over Ethernet
InCharge RF Planner
• Stand-alone Windows-based application
• Models wireless LAN coverage without a physical site survey
• Evaluates security risk from wireless LAN spillage outside building
• Assesses changes with simple drag and drop techniques
• Generates equipment lists for installation team
• Provides powerful predictive planning
  - Input floor plan
  - Add building material type
  - Specify 802.11b, g or a
  - Input minimum bandwidth requirements
  - Drag and drop APs
• Supports dynamic floor plan models
  - RF coverage
  - Channels
  - Signal strength
  - Spillage
[Diagram labels: InReach 330P; Web Interface; InCharge RF Server; InCharge Security Server]
The Threat!!! Eight Major Classes of Wi-Fi Threats
Firewalls, VPNs, and 802.11 Security Standards Do Not Prevent These Wi-Fi Threats on Either Wired or Wireless Networks
• Common
  - Rogue Access Points
  - Mis-configured Access Points
  - Ad hoc connections
  - Client mis-associations
  - Unauthorized client associations
• Malicious
  - Honeypot APs
  - MAC Spoofing APs
    Client > Malicious AP
  - Denial of Service
    De-authentication flood
    Packet storm
[Diagram labels: Enterprise Network; Neighboring Network; Ad Hoc; Denial of Service Attack; AP MAC Spoofing; Rogue AP; Mis-configured AP; Unauthorized Association; Mis-association; Honeypot]
Monitor/Detect
• Scan all bands
  - 2.4 GHz and 5 GHz
• Detect all Wi-Fi activity
  - Access points, soft APs, NATing APs, clients
• Correlate information from multiple sensors
  - Eliminate confusing duplicate reports of the same device
Visualize
• Make your airwaves visible
• View RF coverage in real time
  - Handhelds only provide a snapshot in time
• Plan for security and Wi-Fi coverage
  - Only integrated solution that ensures proper sensor placement
  - Model detection and prevention levels
• Self-calibrating
  - Site-specific RF characteristics
  - Deployment orientation
[Figure labels: Good Coverage; No RF Coverage; Poor RF Coverage]
Auto-Classify
• Comprehensive
  - Access points: Authorized, Rogue, External
  - Clients: Authorized and Unauthorized
• Accurate and Reliable
  - No false positives/no false negatives
• Instantaneous
  - No manual user intervention required
InCharge RF Server dashboard automatically classifies Access Points and Clients into appropriate categories.
Prevent
• Over-the-air
  - Ensures non-stop protection
• Instantaneous
  - Based on quarantine policy and accurate auto-classification
  - Doesn’t require manual administrator intervention
• No harm policy
  - Won’t disrupt your own or neighbor’s networks
• Most comprehensive solution
  - All major classes of threats
  - Rogue access points, Evil Twin/Honey Pot APs, MAC spoofing APs, mis-configured APs, rogue clients, client mis-associations, ad hoc networks and DoS attacks
InCharge RF Server dashboard shows rogue access points that have been quarantined, i.e. automatically blocked to prevent any and all client connections.
Locate
• Precise
  - Locates rogues and other Wi-Fi security threats for physical remediation
  - Pinpoints all AP and client device locations
  - Authorized, unauthorized and neighbor
• Immediate
  - One click operation
• Site calibrated
  - Displays location on a floor plan
• One click operation provides graphical probability analysis of location
  - Not just a red ‘X’
InCharge RF Server integrates a floor plan to show a range of probable locations of rogue APs or clients.
Prevent Wi-Fi Threats in a Non Wi-Fi Network
• Even if you have no 802.11 APs, most laptops have 802.11 cards
• A laptop radio is configured by default to ‘automatically associate’ with the strongest signal from a list of SSIDs
• Hackers simply sit outside the building with an AP configured to a common SSID and wait for a number of laptops to connect
[Diagram labels: SSID: linksys; Corporate Firewall; Internet]
Honeypot attack lures multiple laptops into mis-associating.
Rogue AP Blocking
• Rogue AP is Detected
  - Over-the-air detection
  - Network connect tested
  - Auto-classified
• No False Positives
  - Does not rely on switch
• Blocked over-the-air
  - De-auth all Clients
  - 100% accurate
  - Any network / switch
• Better than port blocking
  - Port blocking is not reliable
  - Port blocking may cause DoS
[Diagram labels: Rogue AP; Wi-Fi Ready Laptop; Corporate Firewall; Internet]
Prevent Client Mis-Association
• Clients associate to strongest signal
• Blocks clients that mis-associate
• Prevents SSID spoofing
  - Client roaming
[Diagram labels: Corporate Firewall; Internet; Enterprise Network; Neighboring Network; SSID: a1b2c3 (shown three times)]
Prevent MAC & Air-Jack Attack
• Detects MAC Spoofing
• Blocks unauthorized spoofed APs
• Prevent malicious threats
  - Evil Twin
  - Man-in-the-middle
[Diagram labels: Corporate Firewall; Internet; Enterprise Network; SSID: a1b2c3, MAC: 00.20.A6.4C.1A.46 (shown twice)]
Denial of Service Attack Prevention
• Wi-Fi Denial of Service can shut down your network
• Blocks DoS attacks
  - Exclusive vendor DoS prevention
• Patented ‘Virtual Selective Jamming’ technique
[Diagram labels: Corporate Firewall; Internet; Enterprise Network; DoS attack]
Complete Protection Requires Simultaneous Threat Prevention
Single Sensor must block multiple Clients and multiple Rogue APs on multiple channels simultaneously
[Diagram labels: Corporate Firewall; Internet; Enterprise Network; SSID: linksys; Rogue AP]
Knowledge-Based Troubleshooting
• Step-by-step flowchart
  - Connectivity and performance problems
  - Client and access point issues
• Not just problem identification
  - Suggests remedies
• Easy to use
  - Helpdesks
  - Remote administrators
• Live over-the-air packet capture
  - Ethereal
Knowledge-based Troubleshooting (cont’d)
1. Administrator logs into the InCharge RF Server & chooses the device to troubleshoot
2. Administrator selects the appropriate sensor to troubleshoot the device
[Screenshot labels: Step 1; Step 2; Live Packet stream]
Customizable Reports
This custom report captures uncategorized & unauthorized clients that are not quarantined!
Security & Performance Monitoring
• Monitor & alert for security and performance issues
• Total of 140 events!
• Complete protection
  - Sensors scan ALL channels
  - Independent of regulatory domain
• Details provided for each event
  - Suggested remedies
Availability
• Phase 1: GA End of October
  - InReach 300P (dedicated sensor)
  - InCharge RF Server appliance
  - InCharge RF Planning Tool
• Phase 2: target GA of 1Q06
  - Multi-function MAP-330 will support AP and sensor function or act as a dedicated sensor
  - Software migration path from Phase 1 to Phase 2 capability
  - Tight integration of InCharge CNMS and RF server
A New Paradigm
• Determine AP and security sensor placement without physical walk around
• Much more efficient method than physical site survey
• What-if analysis
• Predictive planning enables simply, easily
[Figure caption: Building floor plan with predicted RF coverage]
How it Works
• Predictive planning
  - Input floor plan
  - Add building material type
  - Specify 802.11b, g or a
  - Input minimum bandwidth requirements
  - Drag and drop APs
• Dynamic floor plan models
  - RF coverage
  - Channels
  - Signal strength
  - Spillage
InCharge RF Planner Wi-Fi Site Planning
• InCharge RF Planner
  - Site Planner for Wireless LAN Access Point Coverage
  - Site Planner for Performance Optimization
  - Planning for WLAN Security Sensors Coverage
• Advantages
  - Software solution does not require manual site surveys
  - Automatic RF Mapping with ‘True Map’
  - Automatic report generation
Planning for Coverage, Performance and Security
Wi-Fi Site Planning
• Software Planning Tool
  - Import or create floor plans
  - State-of-the-art RF propagation modeling for wireless LAN and security sensor coverage
  - Models site specific parameters
• Ensure optimum performance
  - Capacity and coverage
  - Allows for redundancy planning
  - Ensures no blind spots
  - Provides visual confirmation
• Determine security level needed
  - Detection vs. prevention coverage areas
  - Security sensitivity modeling
[Figure labels: Good security coverage; blind spots]
Wireless LAN Coverage
• Model building RF reflection, refraction, and absorption
• Import floor map from virtually any electronic format
• Plan for complete and optimum coverage
Redundancy Planning
• Eliminate blind spots
• Model 802.11 a/b/g
• Minimize AP requirements
Link Speed
• Performance optimization modeling
• Model 802.11a/b/g
• Building specific
Channel Allocation
• Visualize Channel Overlap to minimize interference
• Model various scenarios
  - Vendor APs
  - Antennae
  - Antennae direction
  - Power
  - a/b/g
Channel Interference
• Minimize Interference
• Model multiple scenarios
• Optimize performance
Security Exposure
• Know where you are vulnerable
• Model various scenarios to minimize risk
Comprehensive Security Coverage Planning
• Accurately determines number of sensors based on customer specific risk profile
• Five specific variables used to model coverage level
  - Site specific characteristics
  - Detection vs. prevention range
  - Detection range vs. transmit power of rogue or attacker
  - Redundancy
• Other solutions blindly quote coverage ranges with no real method to determine actual security level
SpectraGuard Enterprise shows precisely the detection (blue) versus protection (purple) range of each sensor.
Work Order
• Automatic work order generation
• Detailed management reporting
• Ease deployment and maintain performance of your WLAN project
Access Point ID | Vendor / Model | From NW corner | Supported Protocols | Channel (a, b, g) | Transmit Power (mW) (a, b, g) | Antenna (a, b, g)
AP01 | Generic ABG | 45 ft E, 16 ft S | b,a,g | 36,1,1 | 40,50,30 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
AP02 | Generic ABG | 120 ft E, 26 ft S | b,a,g | 44,11,11 | 40,50,30 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
AP03 | Generic ABG | 119 ft E, 79 ft S | b,a,g | 40,6,6 | 40,50,30 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
AP04 | Generic ABG | 35 ft E, 80 ft S | b,a,g | 36,1,1 | 40,50,30 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
AP05 | Generic ABG | 49 ft E, 51 ft S | b,a,g | 44,11,11 | 40,50,30 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
Sensor01 | AirTight Networks SS-200-AT | 18 ft E, 55 ft S | a,b,g | 48,6,6 | 100,100,100 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
Sensor02 | AirTight Networks SS-200-AT | 106 ft E, 48 ft S | a,b,g | 52,6,6 | 100,100,100 | Generic_2.2dBi Dipole, Generic_2.2dBi Dipole, Generic_2.2dBi Dipole
Global Customer Deployments
[Figure labels: New Zealand; Argentina; Service Providers: Wireline, Wireless, Cable, ISP; Verticals: Hospitality, Retail, Education, Transportation, Sporting Venues; Partners]
Customer Success: McDonald’s Restaurants
McDonald's is the leading global foodservice retailer with more than 30,000 restaurants serving nearly 47 million people in more than 120 countries each day.
Trigger Events:
• 500+ “Store of the Future” WLAN Program Initiative
Why Colubris:
• Open systems, multiservice platform provided a simple, cost-effective means to evaluate and launch new business applications to improve quality and speed of service
• Scale and manageability to potentially thousands of locations
• Simple integration with existing Juniper infrastructure
Goals:
• Enhanced customer satisfaction and revenue throughput
• Consistent quality monitoring
• Real-time inventory management
• Timely corporate communications
Vision Point:
• Use wireless mobility to improve customer service, quality and cost across business systems
Solution:
• CN3200 AP/SC platform, CNMS Management
Competition:
• Cisco & Symbol
McDonald’s “Store of the Future”
Intelligent Access & Service Control
• 3 VSCs deliver separate service through single WLAN system
• VSC security and QoS policies tailored to each application
• Open support for wide range of devices, users and apps.
• Applications under evaluation: Wireless telemetry, Inventory management, VoIP (drive-thru), Signage
Roaming Quality Audits
• Segment Traffic
• WPA Security
Public Internet Access
• Segment Traffic
• Access Control
• Best Effort Priority
Mobile Order Taking
• Segment Traffic
• WEP Security
[Diagram labels: VSC 1; VSC 2; VSC 3; Quality & Inventory; Internet; POS; Line Busting; Hotspot; Quality Control; WLAN Management]
Customer Success: Wendy's
Wendy’s is one of the world's largest restaurant operating and franchising companies with more than 9,500 restaurants under the Wendy's Old Fashioned Hamburgers®, Tim Horton's and Baja Fresh® Mexican Grill brands.
Trigger Events:
• Interoperable, low cost WLAN equipment widely available
Why Colubris:
• Delivers multiple private and public WLAN services in one device
• Integrated IP routing and VPN security services
• Centralized management of 1000s of remote sites
• Easy to deploy solution for autonomous franchises
Goals:
• Wireless mobility for all headquarters and regional employees
• Real-time network automation of restaurant equipment
• Single WLAN architecture for campus, regional offices and stores
• Eliminate cabling expenses
• Offer customers public Internet access services
Vision Point:
• Common wireless infrastructure for restaurant automation, enhanced customer service and human resource productivity initiatives
Solution:
• CN1250 (HQ), CN3200 (Restaurant), CNMS management
Competition:
• Cisco, Sonic Wall, ReefEdge
Wendy’s Common WLAN Infrastructure
• Wireless connectivity to HQ VPN network
• VSC security and QoS policies segment traffic tailored to each application
• CNMS centralizes management for HQ, regional offices and restaurants
Restaurant Automation
• Segment Traffic
• P2 Priority
Public Internet Access
• Segment Traffic
• Access Control
• Best Effort Priority
Regional Mgr Network
• Segment Traffic
• VPN Security
Point of Sale/Line Busting (Future)
• Segment Traffic
• VPN Security
[Diagram labels: VSC 1; VSC 2; VSC 3; VSC 4; Equipment Controller; Internet; POS; HotSpot (Future); Equipment Automation & Telemetry; VPN access to HQ applications; Headquarters; VPN Server; WLAN Management; Intelligent Access & Service Control]
Gander Mountain “Store of the Future”
• VSCs deliver 3 separate services through single WLAN system
• VSC security and QoS policies segment traffic tailored to each application
• VSCs provide open support for wide range of devices, users and applications
VSC 1: Associate Communication
• Segment Traffic
• WEP Security
• Voice Priority
VSC 2: Inventory Control
• Segment Traffic
• WPA Security
VSC 3: Corporate Employee
• Segment Traffic
• WPA Security
• Best Effort Priority
[Diagram labels: Quality & Inventory Management; POS; WLAN Management; Intelligent Access & Service Control; Internet; VoWLAN; Wire Replacement]
Customer Success: Emory University
Trigger Events:
• Availability of unified WLAN voice and data network technology
Why Colubris:
• VSC capabilities
• Leadership VoFi and QoS solution
• Central management for scalability and ease of operation
Goals:
• Easy access to network services from any campus location
• Instant voice communications for all staff members
• Wireless student Net access
• Guest Internet access in hospitals
Vision Point:
• Improved staff, faculty, student productivity through ubiquitous broadband network services
Solution:
• CN1250 Secure Gateway, CNMS Management
Competition:
• Cisco
Emory University is recognized as one of the U.S.’s top 25 national universities. It is known for its demanding academics, outstanding undergraduate college of arts and sciences, highly ranked professional schools and state-of-the-art research facilities.
Emory University Ubiquitous WLAN
• SpectraLink VoWLAN phone support
• Smooth migration from VPN to WPA capable devices
• Student, Staff and Faculty security privileges set by RADIUS authentication
VPN Data Service
• Segment Traffic
• VPN Security
Public Internet Access
• Segment Traffic
• Access Control
• Best Effort Priority
Voice Service
• Segment Traffic
• High Priority
WPA Data Service
• Segment Traffic
• WPA Security
[Diagram labels: VSC 1; VSC 2; VSC 3; VSC 4; Data Services; Internet; VoIP Gateway; VoFi; Hotspot (hospital); Student, Staff, Faculty; WLAN Management; Intelligent Access & Service Control]
Customer Success: SJ
Trigger Events: • “Internet On Track” -- The first full fleet roll out by a train operator of an onboard wireless Internet service and the world's first implementation of 3G/Satellite-enabled Wi-Fi service
Why Colubris: • VSC capabilities • Security policies ensure internal applications are protected from public Internet traffic • Corporate responsiveness and networking expertise
Goals: • Integrate an Internet access service into business class ticket • Optional fee service for coach class ticket holders • Separate internal WLAN service for train monitoring
Vision Point: • Continuous broadband Internet service improves passenger experience
Solution: • CN320 Intelligent MultiService Access Point
Competition: • Cisco, Proxim
SJ is Sweden’s leading rail traffic company and operator of the X2000, Sweden’s high-speed train, and its new X40 fleet – servicing 85 trains beginning in summer 2005.
107
SJ “Internet On Track” Service
Internet
Data Collection
Train Data Monitor
Hotspot
Intelligent Access & Service Control
• Segment traffic per VSC for security
• Strong security for internal train applications
• Selective Layer 2 isolation prevents snooping on passenger hotspot service while enabling peer-peer monitoring connections
VSC 2
Public Internet Access
• Segment Traffic • Access Control
• Best Effort Priority
VSC 1
Data Collection
• Segment Traffic • WPA Security • High Priority
108
Wi-Fi on the Train
Head Car
Rear Car
Middle Cars (7)
Mobility Router
GPRS, EDGE, CDMA, UMTS, WCDMA, 3G and satellite technologies.
Provide wireless multi-service applications in a single footprint
Provide Access Control
CN330 CN320 CN330 CN3300
Public Access – internet for passengers
Personnel Access – ticket sales, inter cart communication
Video surveillance
SSID 1
SSID 2
SSID 3
Internet
109
Customer Success: Sprint
Trigger Events: • Previous vendors unable to reach vision point
Why Colubris: • VSC capabilities: traffic segmentation, security & QoS policies per VSC • Ease of management with CNMS • Interoperability with 3rd party hotspot back-end services
Goals: • Upsell existing WAN service customers to managed Wi-Fi • Offer revenue-generating hotspot service to retailers and public venue operators • Flexibility to add new software-defined Wi-Fi service offerings (training, video surveillance, point-of-sale system, credit card service)
Vision Point: • Managed Wi-Fi service for installed base of 8,000 enterprises
Solution: • CN3200 AP/SC platform, CNMS Management
Competition: • Cisco, Nomadix, AireSpace
Sprint is a Fortune 100 company with more than $27 billion in annual revenues in 2004. Sprint is widely recognized for developing, engineering and deploying state-of-the-art network technologies.
110
Sprint “Enterprise Wi-Fi Access” Service
Internet
Hotspot
Intelligent Access & Service Control
• Segment traffic per VSN for security
• Authenticate hotspot users via Airpath back-end service
• CNMS in NOC centralizes management for all customer sites
• Additional VSCs available for future services
VSC 1
Public Internet Access
• Segment Traffic • Access Control
• Best Effort Priority
Security Surveillance Service
(Future)
VSC 2
Video Surveillance
• Segment Traffic • High Priority
Back-end Hotspot Service
Point of Sale
Credit Verification
(Future)
POS
• Segment Traffic • VPN Security
VSC 3
Enterprise Customer Premise
WLAN Management
Sprint NOC
111
Customer Success: Best Western Europa
Trigger Events: • Best Western mandate to offer Wi-Fi Internet access in all properties
Why Colubris: • VSC capabilities • Strong security policy enforcement • VoWLAN and QoS support
Goals: • Differentiate by offering wireless keycard and wireless guest authentication services • Upgrade path to VoWLAN service for guests • Reduce operating costs while expanding guest services
Vision Point: • Leverage Wi-Fi to provide multiple wireless customer conveniences
Solution: • CN3200 AP/SC platform, CN320 AP, CNMS Management
Competition: • Cisco
The Europa is a 180-room business hotel located in downtown Montreal and a franchise of the Best Western hotel chain.
112
Best Western MultiService WLAN
Internet
Guest Internet Access Service
Intelligent Access & Service Control
• Segment traffic per VSC for security
• Authenticate hotspot users via Airpath back-end service
• Additional VSCs available for future services
VSC 1
Public Internet Access
• Segment Traffic • Access Control
• Best Effort Priority
Wireless Guest
Authentication and Direct
Billing
VSC 2
Guest Authentication
• Segment Traffic • WPA Security
Guest Wireless Voice Service
(Future)
Telephony
• Segment Traffic • High priority
VSC 3
VoIP Gateway
Property Management
System
113
Veteran Leadership Team
Barry Fougere - President & CEO • A.T. Kearney, EDS, Cambridge Strategic Mgt Group
Pierre Trudeau - Co-founder & CTO • Eicon Technology, Touch Tones Digital Jukebox
Larry Whitman - CFO • WaveSmith Networks, Shiva
John O’Hara – VP, Engineering • WaveSmith Networks, New Oak Communications
Marty Falaro – VP, Sales & Business Development • Altiga Networks, Cisco, PictureTel
Roger Sands – VP, Enterprise Development • Accton Technologies, US Robotics
Ken MacLure – VP, Operations • Narad Networks, Cascade
Michael Welts – VP, Marketing • Unisphere, Castle Networks, Bay Networks
114
Demonstration Setup
Internet
MSC-3300
MAP-330
5.8GHz WDS Secure Link
In Charge
CNMS 192.168.2.20
RADIUS/Apache 192.168.2.99
WIN2K Server
192.168.2.100
Gateway Router