QoS and Security Decisions in WiFi Telephony
Jonathan Zarkower, Director – Product Management
The Intelligent Wireless Networking Choice
WLAN Adoption Trends
Early Adopters (1998-2000)
• Limited client availability
• Standards emerging; proprietary implementations
• Technology push vs. business pull
• Trials, pilots, “islands” of limited deployment
• Interoperability and scalability not proven out
Large-Scale Adoption (2001-2004)
• Pervasive clients
• Strong, standards-based foundation; adequate security broadly available
• Business cases established
• Management model and tools exist
• Large-scale deployment successes
• Interoperability enforced (WiFi)
MultiService Generation (2005+)
• Multi-purposed “smart” clients
• Next Gen standards: .11n, .11k, TR-59, etc.
• WLAN-based Triple Play; QoS enabled
• Wholesaling, client auto-provisioning, Managed WLAN Services
• “WiFi Everywhere”
Over the next two years, WLANs will represent the emerging point of convergence for other leading technology sectors including Security, VoIP and RFID.
Typical Multi-Service WLAN System
• Access devices integrate with the wireline network and deliver core WLAN services
• Controller/Switch enables enhanced WLAN services
• Centralized management system provides scalability
Diagram: Central Site/Campus with WLAN Management, VLAN Switch/Router, Controller/Switch, Access Points and AAA, VPN, DHCP Servers, connected over the LAN/WAN Backbone to Remote Sites through a Secure WLAN Gateway.
A View of Current WLAN Services
Diagram: the Multi-Service Operating System delivers WLAN Services (Public & Guest Access, Secure Data, Voice/Multi-Media, Mobile Business Apps) on top of Networking Functions (Multi-Layer Security, WLAN RF, Wireline/Wireless Integration, End-To-End Management, Network QoS).
• Multi-Service OS can deliver multiple WLAN services per network
• Separate SSID/BSSID per service ensures client interoperability
• Each service tunable for optimum application performance
• Multiple instances of any service provide flexibility
Key System Service Features
• Secure Data: Layer 2 (802.1x, WPA, WEP, MAC auth); Layer 3 (complete VPN security, IP filtering); integrates with corporate AAA database
• Voice: flexible handset support; Service-Aware soft-phone support (SIP, H.323); fast hand-off/roaming, extended battery life
• Multimedia: 802.11e EDCA and Service-Aware QoS; wireline QoS integration (802.1p, TOS/DiffServ)
• Mobile Business Apps: configurable QoS and security policies for specialized client devices
• Public and Guest Access: “zero-config” client ease-of-use; multiple security and QoS profiles; support for major back-end billing services
Secure Data Services
Layer 3
• IP address filtering limits destination addresses
• VPN termination, aggregation, or filtering
• Stateful Firewall provides session-aware security
Layer 2
• Traffic segregation and VLAN mapping per SSID
• 802.1x authentication leverages existing AAA db
• Layer 2 Isolation provides security at the client level
Diagram: SSID=Employee, Security=VPN; clients pass through the WLAN Gateway and LAN/WAN to the Data Center, which hosts the AAA and VPN Server.
Toll-Quality Voice
• Broad QoS support for VoWLAN handsets: SpectraLink, 802.11e, Vocera, SIP and H.323 soft phones
• Transparent client subnet roaming support
• Traffic segregation and IP filters reinforce security
• Support for 3rd party power-save modes
Diagram: SSID=VOICE, Security=WEP, IP Filter=VoIP G/W, QoS=P1; handsets roam seamlessly between Subnet “A” and Subnet “B” through the Router to the Data Center (Employee Server, VoIP Gateway).
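The Secure Data and Toll-Quality Voice slides above describe the same per-SSID controls (VLAN mapping per SSID, a destination IP filter such as "IP Filter=VoIP G/W", Layer 2 client isolation, a stateful firewall, and a QoS class per service). The following Python policy engine is an added illustration of how those controls combine into a single forwarding decision; it is not the vendor's code. The profile table, VLAN ids, IP addresses and frames are constructed for the example.

```python
"""Per-SSID service policy as sketched on the Secure Data and Toll-Quality Voice
slides: traffic segregation (VLAN per SSID), a destination IP filter, Layer 2
client isolation and a stateful return-traffic check, plus the QoS class the
matched service carries. Added illustration only; the profile table, VLAN ids,
addresses and frames are constructed and are not the vendor's configuration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class ServiceProfile:
    ssid: str
    security: str                  # label as used on the slides: VPN, WEP, WPA, Open
    vlan: int                      # wired VLAN the SSID is mapped to
    qos: str                       # priority tag, e.g. "P1" for voice
    allowed_dst: List = field(default_factory=list)  # IP filter: permitted destination prefixes
    client_isolation: bool = True  # block station-to-station traffic inside the SSID

@dataclass
class Frame:
    ssid: str
    src: str
    dst: str
    from_client: bool = True       # True: uplink from a station; False: downlink towards one
    dst_is_wlan_client: bool = False

@dataclass
class Verdict:
    action: str                    # "forward" or "drop"
    reason: str
    vlan: Optional[int] = None
    qos: Optional[str] = None

class PolicyEngine:
    def __init__(self, profiles):
        self.profiles = {p.ssid: p for p in profiles}
        self.sessions: Set[Tuple[str, str, str]] = set()   # (ssid, client, peer) seen uplink

    def evaluate(self, f: Frame) -> Verdict:
        prof = self.profiles.get(f.ssid)
        if prof is None:
            return Verdict("drop", "unknown SSID")
        if f.from_client:
            if prof.client_isolation and f.dst_is_wlan_client:
                return Verdict("drop", "layer 2 isolation: station-to-station blocked")
            dst = ip_address(f.dst)
            if prof.allowed_dst and not any(dst in net for net in prof.allowed_dst):
                return Verdict("drop", f"IP filter: {f.dst} not permitted on {f.ssid}")
            self.sessions.add((f.ssid, f.src, f.dst))   # remember the outbound flow
        else:
            # stateful check: downlink only from a peer the station already talked to
            if (f.ssid, f.dst, f.src) not in self.sessions:
                return Verdict("drop", "stateful firewall: no matching outbound session")
        return Verdict("forward", "policy match", vlan=prof.vlan, qos=prof.qos)

def example_profiles():
    # Constructed profile table echoing the SSID labels on the slides.
    return [
        ServiceProfile("Employee", "VPN", 10, "BE", [ip_network("10.0.0.0/8")]),
        ServiceProfile("VOICE", "WEP", 20, "P1", [ip_network("10.1.1.5/32")]),   # VoIP G/W only
        ServiceProfile("VIDEO", "Open", 30, "P2", [ip_network("10.1.2.0/24")]),  # video servers
    ]

if __name__ == "__main__":
    eng = PolicyEngine(example_profiles())
    for fr in (Frame("VOICE", "10.20.0.7", "10.1.1.5"),
               Frame("VOICE", "10.20.0.7", "10.0.0.1"),
               Frame("VOICE", "10.1.1.5", "10.20.0.7", from_client=False)):
        print(fr.ssid, fr.src, "->", fr.dst, eng.evaluate(fr))
```

The point the slides make is visible in the VOICE profile: the IP filter is what confines that SSID to the VoIP gateway regardless of the link-layer security label, and the session table is what lets the gateway's return traffic back in without opening the SSID to arbitrary inbound traffic.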
Multimedia
• 802.11e EDCA QoS protocol support: four classes of service enable rich multimedia applications
• Service-Aware QoS for non-protocol client devices: enables legacy devices to access QoS
• Mapping to wired network QoS policies: 802.1p and TOS/DiffServ integration
Diagram: SSID=VIDEO (Security=Open, Filter=Video server, QoS=P2) carries Surveillance and SSID=Multimedia (Security=WPA, QoS=802.11e) carries Video Conference, through the Switch/Router to the Video Server and the Internet.
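The Multimedia slide names the three inputs to a wireless QoS decision: the four 802.11e EDCA access categories, 802.1p/TOS-DiffServ markings arriving from the wired side, and a service-level default for devices that cannot mark at all. The Python below is an added example (not the vendor's code) that parses a constructed 802.1Q-tagged Ethernet/IPv4 frame, extracts the PCP and DSCP, and picks the access category. The UP-to-AC table is the one in the IEEE 802.11 standard; taking the top three DSCP bits as the user priority is the common WMM convention, and the EF-to-UP-6 override follows the RFC 8325 recommendation. Both are assumptions of this example, as are the sample MAC/IP addresses.

```python
"""Map wired QoS markings (802.1p PCP in the VLAN tag, DSCP in the IP TOS byte) to
the four 802.11e EDCA access categories. Added illustration, not vendor code.
Assumptions: UP -> AC per IEEE 802.11 (WMM); DSCP -> UP via the top three DSCP
bits, with EF (46) raised to UP 6 as RFC 8325 recommends; constructed frames."""
import struct
from enum import Enum
from typing import Optional, Tuple

class AccessCategory(Enum):
    AC_BK = "background"
    AC_BE = "best effort"
    AC_VI = "video"
    AC_VO = "voice"

# IEEE 802.11 user priority (UP, 0-7) to EDCA access category
UP_TO_AC = {1: AccessCategory.AC_BK, 2: AccessCategory.AC_BK,
            0: AccessCategory.AC_BE, 3: AccessCategory.AC_BE,
            4: AccessCategory.AC_VI, 5: AccessCategory.AC_VI,
            6: AccessCategory.AC_VO, 7: AccessCategory.AC_VO}

# EF (46) >> 3 would yield UP 5, i.e. the video queue; RFC 8325 recommends UP 6 (voice).
DSCP_TO_UP = {46: 6}

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

def parse_markings(frame: bytes) -> Tuple[Optional[int], Optional[int]]:
    """Return (pcp, dscp) from an Ethernet frame; None for a marking that is absent."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pcp, offset = None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # top 3 bits of the TCI are the 802.1p priority code point
        offset = 18
    dscp = None
    if ethertype == ETH_P_IP:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        dscp = frame[offset + 1] >> 2   # DSCP is the six high bits of the TOS byte
    return pcp, dscp

def classify_frame(frame: bytes, service_up: Optional[int] = None):
    """Pick the 802.11 user priority and EDCA access category for a frame.
    Precedence: 802.1p PCP, then DSCP, then the service profile's default UP for
    devices that do not mark (the slide's Service-Aware QoS), then best effort."""
    pcp, dscp = parse_markings(frame)
    if pcp is not None:
        up = pcp
    elif dscp:                                  # non-zero DSCP present
        up = DSCP_TO_UP.get(dscp, dscp >> 3)
    elif service_up is not None:
        up = service_up
    else:
        up = 0
    return up, UP_TO_AC[up]

def build_frame(pcp: Optional[int] = None, dscp: int = 0) -> bytes:
    """Constructed Ethernet/IPv4 header with the requested markings (payload omitted)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst, src MAC
    if pcp is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, (pcp << 13) | 100, ETH_P_IP)  # VLAN 100
    else:
        hdr += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([10, 1, 1, 5]), bytes([10, 20, 0, 7]))
    return hdr + ip

if __name__ == "__main__":
    for label, fr in (("PCP 6", build_frame(pcp=6)), ("EF", build_frame(dscp=46)),
                      ("AF41", build_frame(dscp=34)), ("unmarked", build_frame())):
        print(label, classify_frame(fr, service_up=5))
```

The worked case to notice is EF: a plain three-bit truncation of DSCP 46 lands voice in the video access category, which is exactly the kind of wired-to-wireless mapping mismatch that shows up as voice jitter once the video queue is busy.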
Mobile Business Applications
• Configurable security policy: MAC authentication and IP filters provide strong security for weak client devices
• Separate SSID/BSSID per service: ensures compatibility with 3rd party devices; configurable Power Save signaling
• Configurable QoS policy: enables applications to be prioritized; per-AP flexibility enables tuning per RF footprint
Specialized Client Devices: barcode scanners, asset tracking, tablet computers
Any client device, user category, application type
Public/Guest Internet Access
• “Zero configuration” user interface: adapts to client PC configuration (IP add., web proxy, etc.); web redirect and authentication simplifies login; Adaptive NAT™ ensures user access to VPN applications
• Flexible AAA support: interoperates with 3rd party billing services; supports a variety of business models (scratch card, credit card, etc.); usage or elapsed time session accounting
• Rich access control features: captive portal support enables private content delivery; web proxy redirect and black list support controls user destinations; configurable bandwidth management limits access to Internet bandwidth per user, or per service
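The guest-access slide lists a captive portal with web redirect, a destination black list, per-user bandwidth management, and session accounting by usage or elapsed time. The Python below is an added example (not the vendor's implementation) showing how those pieces fit into one gateway: unauthenticated web requests are redirected, a token bucket polices each user's data rate, and a session ends when its byte or time quota is reached. The portal URL, plan values and injectable clock are this example's assumptions.

```python
"""Guest-access gate illustrating three mechanisms named on the slide: a captive
portal that redirects unauthenticated web requests (and enforces a destination
black list), a per-user token-bucket bandwidth limit, and session accounting by
usage (bytes) or elapsed time. Added illustration; the portal URL, plan values
and clock handling are this example's assumptions, not the vendor's design."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

PORTAL_URL = "https://portal.example.invalid/login"   # constructed placeholder

@dataclass
class Session:
    mac: str
    authenticated: bool
    started: float
    bytes_used: int
    byte_quota: Optional[int]      # usage-based plan, None if unlimited
    time_quota: Optional[float]    # elapsed-time plan in seconds, None if unlimited
    rate_bps: float                # token-bucket refill rate (bits/s)
    burst: float                   # bucket depth in bytes
    tokens: float
    last_fill: float

class GuestGateway:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                      # injectable for deterministic tests
        self.sessions: Dict[str, Session] = {}
        self.blacklist: Set[str] = set()

    def handle_http(self, mac: str, host: str) -> Tuple[str, str]:
        """Web request decision: redirect to the portal, deny a black-listed host, or allow."""
        s = self.sessions.get(mac)
        if s is None or not s.authenticated:
            return ("redirect", PORTAL_URL)
        if host in self.blacklist:
            return ("deny", host)
        return ("allow", host)

    def login(self, mac, rate_bps, burst, byte_quota=None, time_quota=None):
        """Called once the portal/AAA exchange succeeded; starts accounting with a full bucket."""
        now = self.clock()
        self.sessions[mac] = Session(mac, True, now, 0, byte_quota, time_quota,
                                     rate_bps, burst, burst, now)

    def _expired(self, s: Session, now: float) -> bool:
        if s.time_quota is not None and now - s.started >= s.time_quota:
            return True
        return s.byte_quota is not None and s.bytes_used >= s.byte_quota

    def forward(self, mac: str, nbytes: int) -> str:
        """Police one data packet: 'forward', 'drop' (rate exceeded), 'expired' or 'unauthenticated'."""
        s = self.sessions.get(mac)
        if s is None or not s.authenticated:
            return "unauthenticated"
        now = self.clock()
        if self._expired(s, now):
            s.authenticated = False          # back to the portal on the next web request
            return "expired"
        # refill the bucket in bytes, capped at the burst size
        s.tokens = min(s.burst, s.tokens + (now - s.last_fill) * s.rate_bps / 8)
        s.last_fill = now
        if s.tokens < nbytes:
            return "drop"
        s.tokens -= nbytes
        s.bytes_used += nbytes
        return "forward"

if __name__ == "__main__":
    gw = GuestGateway()
    print(gw.handle_http("aa:bb:cc:00:00:01", "news.example"))   # redirect before login
    gw.login("aa:bb:cc:00:00:01", rate_bps=8000, burst=1000, byte_quota=2500)
    print(gw.handle_http("aa:bb:cc:00:00:01", "news.example"))   # allow after login
    print([gw.forward("aa:bb:cc:00:00:01", 800) for _ in range(3)])
```

Usage and elapsed-time plans share one accounting path, so the billing model the slide mentions (scratch card, credit card) only changes which quota is set at login; the rate limit is independent of the quota and is what keeps a single guest from monopolising the Internet uplink.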
Centralized WLAN System Management
Optimizes total cost of ownership
• Centrally managed WLAN device and security policies
• Auto discovery, configuration and firmware management
• Group policies simplify network operation
• Scalable to manage 1000’s of devices and users
• Must work with distributed campus and branch topologies
• 3rd party NMS integration
• Centralized WLAN Monitoring: comprehensive Rogue AP detection; performance and troubleshooting tools
• Multi-vendor AP management: ease of migration from legacy to next generation
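The monitoring item above names rogue AP detection without saying how it is done. The Python below is an added example of one common realisation (not the vendor's method): managed APs report every BSSID they hear, each unknown BSSID is compared with the managed-AP inventory and an acknowledged-neighbour list, and the result is classed as an SSID spoof (an unmanaged radio advertising one of our SSIDs), a rogue on the wire (also present in a switch MAC table), or an unknown neighbour, keeping the reporting AP with the strongest signal so operators know where to look. The inventory, SSIDs, MAC addresses, scan records and report format are constructed for this example.

```python
"""Rogue AP detection over air-scan reports, as one realisation of the
"Comprehensive Rogue AP detection" item above. Added illustration; inventory,
SSIDs, MAC addresses and scan records are constructed, and the report format is
this example's own, not the vendor's."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

@dataclass(frozen=True)
class Observation:
    reporter: str        # managed AP that heard the beacon
    bssid: str
    ssid: str
    channel: int
    rssi: int            # dBm as seen by the reporter
    seen_on_wire: bool   # the radio's MAC also shows up in our switches' MAC tables

SEVERITY = {"rogue-on-wire": "high", "ssid-spoof": "high", "unknown-neighbor": "info"}

def normalize(mac: str) -> str:
    return mac.lower().replace("-", ":")

def classify_scan(obs: Iterable[Observation], managed_bssids: Set[str],
                  managed_ssids: Set[str], known_neighbors: Set[str]) -> Dict[str, dict]:
    """Return one finding per unknown BSSID, keeping the reporter with the best RSSI
    so operators know which managed AP is closest to the suspect radio."""
    managed = {normalize(m) for m in managed_bssids}
    neighbors = {normalize(m) for m in known_neighbors}
    findings: Dict[str, dict] = {}
    for o in obs:
        b = normalize(o.bssid)
        if b in managed:
            continue                                  # one of our own radios
        if o.ssid in managed_ssids:
            verdict = "ssid-spoof"                    # unmanaged radio using our SSID
        elif o.seen_on_wire:
            verdict = "rogue-on-wire"                 # unmanaged AP plugged into our LAN
        elif b in neighbors:
            continue                                  # acknowledged neighbouring network
        else:
            verdict = "unknown-neighbor"
        cur = findings.get(b)
        if cur is None or o.rssi > cur["rssi"]:
            findings[b] = {"verdict": verdict, "severity": SEVERITY[verdict],
                           "ssid": o.ssid, "channel": o.channel,
                           "rssi": o.rssi, "nearest_reporter": o.reporter}
    return findings

def sample_scan():
    # Constructed scan records from two managed APs (ap-1, ap-2).
    return [
        Observation("ap-1", "00:11:22:aa:bb:01", "CORP", 6, -40, False),    # managed AP
        Observation("ap-1", "de:ad:be:ef:00:01", "CORP", 11, -62, False),   # spoofs our SSID
        Observation("ap-2", "de:ad:be:ef:00:01", "CORP", 11, -55, False),   # same radio, closer
        Observation("ap-2", "00:aa:bb:cc:dd:02", "Linksys", 1, -70, True),  # on our wire
        Observation("ap-1", "00:cc:dd:ee:ff:03", "CoffeeShop", 1, -80, False),
        Observation("ap-2", "00:99:88:77:66:04", "Neighbor-Corp", 36, -75, False),
    ]

if __name__ == "__main__":
    report = classify_scan(sample_scan(), {"00:11:22:AA:BB:01"}, {"CORP"},
                           {"00:99:88:77:66:04"})
    for bssid, f in sorted(report.items(), key=lambda kv: kv[1]["severity"]):
        print(bssid, f)
```

The neighbour list is what keeps the report actionable: without it every coffee-shop AP in range becomes a finding, and operators stop reading the list before they reach the unmanaged radio that is actually plugged into their switch.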
Management Tools Reduce TCO
Ease of Deployment Tools
• Automatic channel selection
• Auto Power
• Ongoing RF optimization to ensure consistent client performance
Strong Network Operations Tools
• Packet capture: remote debug tool to work with standard protocol analyzers
• Client data rate matrix: quickly identify client performance problems and optimize RF coverage
• Client authentication trace: identifies complex association and authentication problems with plain English messages
• Syslog: provides real-time information to network operators
• SNMP: standards-based Fault Management, Configuration, Accounting, Provisioning, Security
Next Gen WLAN Requirements
• Scalability – single architecture fits centralized and distributed organizations, large and small facilities
• High performance – >100 Mbps client bandwidth with QoS for multimedia applications: 802.11n (MIMO), VoWLAN QoS
• Reduced cost – TCO competitive with wired Ethernet: installation, operation and equipment costs
• Rich services – business mobility applications, plus access to wired network services: NAC, location-based applications, RFID
“WLAN adoption will accelerate over the next two years, with more than 50% of organizations deploying WLAN by 2006” … Meta Group
Current WLAN Architectures
Advantages
• Layer 2 security – strong access control and privacy
• Seamless roaming with security
• Ease of deployment and operation – centralized management, automatic RF configuration
Challenges
• Scale – sq ft “sweet spot” doesn’t fit very small or large facilities
• Performance – 10 VoWLAN session limit; fork-lift upgrade for 802.11n
• Cost – $1.10 per sq ft
Fourth Generation Architecture
• Distributed intelligence increases performance and scalability: X more voice sessions, 10x larger networks, 50% better QoS (jitter and latency)
• Data processing at the WLAN edge reduces cost by ½ ($0.5 per sq ft)
• Separate WLAN control and management appliances provide a smooth upgrade to 802.11n
• Distributed processing increases service reliability
Diagram: three planes above the LAN. Data Plane – client packet forwarded; Control Plane – client access & QoS control, roaming; Management Plane – WLAN RF & system management. The planes are realised across the Access Points, Switch/Controller and NMS.
Summary
• Voice is one of many services being added to WLAN
• Unique requirements exist for WLAN voice, as well as other services
• WLAN leverages existing wired LAN QoS for end-to-end toll-quality voice
• Current architectures provide benefits, add challenges
• Fourth Generation approach answers the challenges