How to Build an Easy-to-Deploy, Efficient, Low-Cost, Large-Scale Secure Enterprise Wireless Network --- Aruba China Technical Director 王跃霖 (Wang Yuelin)

Speaker notes: The purpose of this module is to give you the basics about Aruba and a foundation to prepare for other modules. It is not a customer sales pitch; it is base-level information that you must know to successfully position and sell Aruba technology. The Introduction to Aruba Sales module is the first of many: it is the basic material you need to master before moving on. We are not trying to make you fluent in everything Aruba offers in this module, but we do want you to be able to recognize when there is an opportunity to sell Aruba and when you should position another solution or walk away from a potential deal.
Aruba's complete product line
- Aruba 6000: mobility controller supporting 2048 APs
- Aruba 800: mobility controller supporting 16 APs
- Aruba 3000: mobility controller supporting 8-128 APs
- Aruba 200: mobility controller supporting 6 APs
- Aruba 2400: mobility controller supporting 48 APs
- ArubaOS: mobility application software
- AirWave Management: network management, RF management, service creation
- Aruba Access Points: single-band, dual-band, tri-band, mesh and outdoor AP models
Aruba secure enterprise wireless network architecture
Diagram labels: data center, Aruba mobility controller, wired network, Aruba access points, wireless clients.
Multi-function controller:
- ASIC-based architecture with line-rate forwarding
- L2-7 stateful firewall
- Tunneling: the existing network architecture is left unchanged
- Client-to-core encryption
Multi-function wireless access point:
- WLAN access, Air Monitor, Remote Access, Mesh Point
- 802.11a/b/g/n
- Plug and play; connects to existing switches
Aruba's unique centralized wireless mobility solution
Diagram labels: AP, wireless controller, software modules; WiFi environment, WiFi intrusion detection system, WiFi access control, network access control; site survey, packet capture, AP radio monitoring, WLAN detection, PoE switch, wireless switch/module, multi-service delivery, LAN integration, Captive Portal, wireless controller, VPN gateway, LAN firewall, routing/QoS devices, software modules, network management, multi-tier management system.
Aruba wireless mobility network deployment: no upgrade of the existing IP network required
Diagram labels: data center, LAN / WAN / INTERNET, headquarters, mobile environment, branch office, home wireless network.
Enterprise headquarters wireless deployment: the existing IP backbone needs no upgrade
Diagram labels: FLOOR 1, FLOOR 2, AP, BUILDING/CAMPUS CORE, BACKBONE, Mobility Controller.
Speaker notes: The Aruba mobility controller is deployed in the core of a campus network at critical traffic exchange points such as a building basement or data center. Traffic to the mobility controller is directed from access points connected at the edge of the network. Access points are transparently tunneled over the existing network infrastructure to the mobility controller, requiring no physical or logical upgrades to the network.
Easy to scale: extend the wireless network anytime, anywhere
- The industry's most powerful wireless controller: a single unit supports 80G line-rate forwarding and manages 2048 wireless APs (chassis labels: Fan Tray, Up to 4 M3 Mark I, Redundant PSUs, 40x 1000Base-X (SFP), 8x 10GBase-X (XFP))
- Extend from indoor to outdoor
- Extend to the wider Internet: branch office / company headquarters, Internet services, guest Internet access; diagram labels: DMZ, INTERNET, GUEST, CORP, VOICE, DSL router, VLAN, split tunnel (a split tunnel carries the Internet traffic), user-centric built-in firewall, firewall/NAT
Aruba secure mobility network features: rapid deployment
- Mesh access points (MAP) and WLAN mesh technology
- A unified indoor/outdoor mesh solution
- Mesh Cluster high-availability protection
- Existing controllers and APs support mesh through a software license; no dedicated hardware is required
Enterprise branch office wireless deployment
Key features: centralized wireless LAN control, policy enforcement firewall, site-to-site VPN, Layer 2 Ethernet switching, Layer 3 IP routing. Diagram labels: branch office (wired devices, wireless), company headquarters, site-to-site VPN connection between Aruba controllers, Internet / Enterprise WAN.
Speaker notes:
- Centralized configuration and management: no need to send an IT person to deploy or maintain the site. Everything is done centrally through the master mobility controller or through the dedicated MMS.
- Centralized wireless LAN control.
- L2 Ethernet switching: the Aruba mobility controller can serve most requirements for a basic enterprise L2 switch.
- L3 IP routing: the Aruba mobility controller can serve most requirements for a basic enterprise L3 router. Basic features such as DHCP client and auto-NAT policy let a remote user plug the controller into a DSL router and have it just work; you don't need to send out an IT person to get the remote site up and running.
- Policy enforcement firewall: if the controller is going to face the Internet, it needs a firewall.
- Site-to-site VPN: provides the secure connection back to the corporate site through a VPN between two controllers.
- Serial and Power over Ethernet: APs can be connected directly to the controller, simplifying remote deployment.
The mobility controller provides wired switching, wireless LAN, NAT, VPN and firewall, with a centralized management option.
Aruba's Virtual Branch Network solution
1. Controllers: VPN concentrator PLUS centralized remote network functions PLUS virtualized remote network operations
2. Remote Access Points (RAPs): VPN LAN extension PLUS local LAN connectivity PLUS local policy enforcement
3. AirWave management platform: architecture setup management PLUS operations management
Diagram labels: Datacenters, Data Center.
Speaker notes: BNV works by placing a low-cost Remote Access Point (RAP) at each site. The RAP is responsible for virtualizing network services from your corporate datacenter into each branch location. These RAPs can operate anywhere a network connection is available: public Internet, leased line, DSL, cable, or cellular. This flexibility makes remote network setup a plug-and-play event. Virtualize the branch into the data center and extend the network out: easier to deploy and manage at a lower cost, simpler to operate, and more scalable in smaller sites without functionality compromises.
Aruba controller
Diagram labels: PEF Distributed Policy Enforcement Firewall Engine, Remote Wireless LAN Control, Remote Wired Security Control, VPN Server To Branch, RADIUS/LDAP/AD, APIs/Integration, Management Hooks.
A centralized, comprehensive real-time control solution for remote access.
Aruba remote access point
Diagram labels: To Datacenters, Client VPN WAN, Plug-Play, Client Enterprise Secure Wi-Fi, LAN Local Connectivity Wired, PEF Distributed Policy Enforcement Firewall Engine, LAN/WAN/Internet.
Access, forwarding and priority: per user/device/session dynamic policies via the controller.
AirWave management system: a comprehensive operations management solution
- Reporting & analytics (Executive Management): usage and trend reports, triggers & alerts, APIs for 3rd-party integration
- Provisioning & configuration (Network Engineering): system provisioning, centralized settings & change control, system diagnostics
- Compliance, network management & security (Security & Audit Team): automated audit & reporting, wireless & wired intrusion detection
- Monitoring & visualization (L1/L2 Help Desk): full insight into every remote client and device, remote diagnostics and troubleshooting
Wired and wireless are unified under role-based access control.
Full functionality
- Secure enterprise wireless: enterprise WLAN, guest connectivity, intrusion prevention
- PEF enforcement policies: dynamic per user/device/session; Local Forwarding, Split
- IP voice & video: extended PBX, local PBX
- Reliable enterprise wired: NAS & servers, printers, network devices, wired clients
Speaker notes: Aruba's BNV lets you leverage existing investments in network and security infrastructure rather than repurchasing and rebuilding those services at every site. The BNV provides a secure LAN extension that gives full data center connectivity, including voice, video and data applications, anywhere your users are working. Applications just work because the remote user experience is the same as the HQ experience.
User-facing, with real-time visibility and real-time control.
Easy to deploy: end user installable, no truck rolls!
1. Connect the RAP to any network
2. Enter the controller address (my.controller.com)
3. Establish a secure connection
4. The controller automatically updates and provisions the RAP
5. The secure remote network connection completes automatically
Diagram labels: Secure Corp Network, PEF.
Transport-independent
- LAN challenge solved: user connectivity, security policy, traffic policy
- Management solved: real-time visibility, real-time control
- Transport is a "cloud": any WAN/LAN; buy transport from the most convenient supplier; the RAP drops traffic to it or tunnels through it
Diagram label: Secure Corp Branch Network.
Easy to manage
- Traditional: image management, config management, IP management, firmware, monitoring, changes, troubleshooting, each x "N"
- Aruba: the same functions x 1, plus end-user help-desk "assist" tools
Keys to virtualization & centralization: many management functions in one device; real-time remote visibility and control at user level and packet level, with instant changes.
Speaker notes: We have controllers, which define and run the virtual branch. We have RAPs, lower-cost remote access points that provide user services. We have secure overlay tunnels: no VPNs for users to use, nothing new for them to learn. Aruba RAPs can work anywhere an Ethernet/IP connection or USB 3G connection is available. Select the connection that is available and meets your needs, and deploy the simplest device possible to connect to that cloud.
ONE NETWORK: all branches, one solution
- Many users: Employees, Contractors, Partners, Suppliers, Guests
- Many devices: PCs, Printers, Phones, Cameras, Machines
- Many policies
Speaker notes: Today each scenario you need to support ends up with a different technology due to scale, user type, etc. Aruba is simpler to deploy and manage because we know who is on the connection. Advantages: centralized operations, control and management vs. distributed costs, risks and complexity; zero-touch provisioning and end-user installation vs. hand configuration and onsite engineers; a policy-driven, user-adaptive system vs. multiple disparate static configurations based on ports, VLANs, subnets and interfaces.
Rapid wireless deployment for small enterprise branches
Diagram labels: small branch office, Remote AP, enterprise-ssid, Remote AP mesh for extended, instant coverage, Internet.
Rapid deployment for mobile and temporary office environments
Diagram labels: home office, temporary office (hotel), Remote AP, Internet, enterprise-ssid.
Rapidly build and extend remote wireless networks
Diagram labels: 3G link, 3G USB modem, carrier 3G network, enterprise headquarters: Aruba controller, Internet.
Rapid deployment for temporary enterprise office environments
A unified managed network
Diagram labels: data center, LAN, VBN, indoor, outdoor, WAN/3G, Internet.
- Master Aruba 6000: local WLAN traffic, central security policy, central management for remote APs, for rapid deployment and for remote controller failover
- Aruba AirWave: for multi-vendor and multi-controller management
- Redundant Aruba 6000 (optional): backs up the master controller and shares the AP load
Unified centralized wireless policy management with automatic optimization: an intelligent network that needs no manual intervention
Challenge: a dynamic RF environment (physical location, time of day, available channels). Within a given coverage area the usable channels are not fixed; they depend on interference in the environment, user density and traffic load.
Adaptive Radio Management (ARM) continuously optimizes the WLAN based on the available spectrum:
- Real-time spectrum scanning and monitoring
- Automatic selection of the best channel and power to reduce collisions and interference, with automatic coverage of the gap when an AP fails
- Co-channel interference mitigation
- Load balancing based on users and traffic
- Band steering for dual-band clients
- Fair access for fast and slow clients
- Load-aware RF scanning
- Application-aware RF scanning
Diagram labels: lobby, study room, meeting room, office/workstations.
Aruba's next-generation intelligent RF control technology (ARM 2.0): leading wireless connection performance and reliability
Without ARM 2.0: unstable performance, real-time Wi-Fi applications affected, wireless clients drop frequently.
With ARM 2.0: >20% fairer distribution of network performance, >40% reduction in the impact of interference, >30% improvement in overall network performance, >100 users for ultra-high-density access.
Axes: network performance vs. network complexity (wireless user density, complex wireless applications, diverse devices, different operating systems).
Security policy of a traditional wired network: fixed security checkpoints
Diagram labels: network attack, router, WWW, Internet, firewall/VPN, access switch, aggregation switch, core switch; users: executives, employees, contractors, guests.
Security policy of a traditional wired network: fixed security checkpoints
Open questions:
1) Security control on the inside of the firewall?
2) Security control for branch offices?
3) Rapid rollout of small offices?
4) How are user identities recognized across the whole network?
5) How do guests get access?
6) How are new services rolled out?
Diagram labels: router, WWW, Internet, firewall/VPN, access switch, aggregation switch, core switch; users: executives, employees, contractors, guests.
User-role-based security policy
Diagram labels: Aruba mobility controller (Rights, QoS, VLAN), Aruba AP with SSIDs UNIV, GUEST and VOICE, enterprise wired IP network, core switch, router, Internet, WWW, AAA services (RADIUS, LDAP, AD), web page authentication; users: executives, employees, guests, contractors, voice terminals.
Differentiating users and applications
- A single physical network infrastructure
- Different levels of access control
- Distinguishes users, devices and applications
- Network policy driven, with enforced policy
Role-to-service mapping in the diagram: guests to the Internet access service, voice to the VoIP service, partners to the partner subnet, employees to the employee subnet, executives to the executive subnet.
Security of traditional APs
Key issues: malicious insiders can spoof valid clients; the external firewall cannot tell the difference; no identity is maintained end-to-end.
Diagram labels: WLAN, Wired LAN, Firewall, Internal corporate LAN, data encryption, Malicious Insider, Employee, Identification, Authentication, Authorization, Encrypted traffic, Decrypted traffic, Disconnect.
Speaker notes: Before we talk about how Aruba does security, let's take a step back and examine how security has traditionally been implemented in legacy wireless LANs. In this type of topology, we have a firewall between the wireless LAN and the internal corporate LAN. Attached to the wireless network are fat APs. The firewall protects the internal network from anyone who might compromise the wireless LAN, and the wireless network is protected from wireless attackers by encrypting and authenticating all packets transmitted over the air.

At first glance, this seems like a good model for security. Firewalls are an excellent way of protecting trusted networks from untrusted users; virtually every network attached to the Internet employs a DMZ for this exact purpose. Likewise the wireless network itself uses encryption, so an attack that tries to spoof a valid user would be detected through encryption failure.

However, in a traditional wireless LAN such as this, encryption is done at the AP. This means the only verifiable point of authentication is the AP itself rather than anywhere else in the network. Once user traffic is transmitted past the AP, the decrypted traffic of all wireless users intermingles: one packet looks much like another, so a malicious attacker could spoof a user from the wired side of the network instead. And if the attacker is a guest or an internal user on the wireless network, protection through encryption is lost. MAC addresses are typically not encrypted by most wireless encryption protocols and are easily spoofed.

At this point, the only way for traffic to get off the wireless network is through the firewall. The firewall is the last point between the wireless and internal wired network where authorization is enforced and complex security inspection is done; if any device is going to detect the attacker, it will have to be the firewall. However, the firewall has no concept of identification or authentication of users. It also cannot distinguish between a packet that originated on the wireless 802.11 LAN and one that originated on the wired 802.3 side of the network: by the time these packets arrive at the firewall they are all 802.3 packets. The firewall therefore has no context that would let it effectively enforce role-based or identity-based access control. It cannot tell a wired packet from a wireless one, and it was not part of the authentication process. In other words, there is a fundamental disconnect between the authentication state in the AP and the authorization state in the firewall, and this leaves the entire network vulnerable.
End-to-end security
Advantages: authentication and firewall together; firewall policies based on identity, not MAC or IP; end-to-end encryption; spoofing attacks defeated.
Diagram labels: WLAN, Wired LAN, Aruba Mobility Controller, Employee (Data Center), Malicious Insider, data encryption, Identification, Authentication, Authorization, Encrypted traffic, Decrypted traffic, Internal corporate LAN.
Speaker notes: This diagram shows how Aruba addresses these issues. The topology is similar to the previous traditional wireless network, but it is implemented with Aruba technology instead of the traditional model, and there are key differences. Like the previous model, APs are attached to the wired network, but in this case they are thin APs that tunnel all of their traffic back to the Aruba mobility controller. The mobility controller is placed between the wireless and wired network and serves several purposes: it is the point of encryption and decryption for all wireless traffic; it provides authentication and authorization, including firewall functionality; and it manages the thin APs. These changes make the model fundamentally different from the previous one, so let's explore the differences in more detail.

Earlier we mentioned that, in a traditional model, once the wireless traffic is placed on the wired network the packets intermingle and the firewall cannot tell the difference between them other than by IP address and MAC. In fact, the firewall does not even know which packets originated on the wireless network and which on the wired network. This is not true in the Aruba model. By terminating wireless traffic on the mobility controller, we know exactly which traffic originated on the wireless network: no other traffic is placed into the tunnel, so all tunneled traffic came from a wireless device and all other traffic is from a wired device. Since all wireless traffic comes to the Aruba mobility controller, it is subject to stateful inspection. This applies even to traffic between two wireless users on the same AP.

Even this traffic could be subject to a malicious attacker on the wireless network spoofing another wireless user. This is prevented by two things. First, all traffic is encrypted and decrypted at the mobility controller rather than the AP, so no user traffic is transmitted in the clear or can be intercepted by a malicious user. Second, the authentication and authorization of the user is also performed on the Aruba mobility controller. This has several implications. No traffic can leave the firewall without being associated with a user identity, rather than with the source IP or MAC that a typical firewall would use: unlike our previous example, where the AP was the final source of user identity, an Aruba mobility controller knows exactly who generated the traffic and whether that traffic may be passed on to the internal corporate LAN. And because the controller knows which data originated from the wireless network, it knows which users are wireless and which are wired, so it can do things that no simple firewall can do, such as blacklist a wireless user based on that user's violation of a firewall policy. Together, these features create a truly trustworthy mobility infrastructure that provides end-to-end security equal to, if not better than, most wired networks.
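The contrast drawn in the two sets of notes above, as an added example that is not from the slides or from Aruba's own code: a toy Python model in which the legacy firewall can only key decisions on the source MAC/IP it sees in 802.3 frames, while the controller attributes traffic to the authenticated session of the AP tunnel it arrived through, enforces a per-role policy, and blacklists the user (not an address) on a violation. Role names, tunnel ids and addresses are constructed for the example.

```python
from collections import namedtuple

# dst_net is "internal", "internet" or "voip"; arrived_via is "wired" or the AP tunnel id.
Packet = namedtuple("Packet", "src_mac src_ip dst_net arrived_via")

# Constructed role policy, mirroring the employee / guest / voice roles on the slides.
ROLE_POLICY = {"employee": {"internal", "internet", "voip"},
               "guest": {"internet"}, "voice": {"voip"}}

class LegacyFirewall:
    """Behind a fat AP the firewall only sees 802.3 frames, so it can only key on IP/MAC."""
    def __init__(self, allowed_addrs):
        self.allowed = set(allowed_addrs)  # {(mac, ip), ...}

    def decide(self, pkt):
        return "allow" if (pkt.src_mac, pkt.src_ip) in self.allowed else "deny"

class MobilityController:
    """Traffic is attributed to a user only via the AP tunnel in which that user authenticated."""
    def __init__(self):
        self.sessions = {}      # tunnel id -> (user, role)
        self.blacklist = set()  # users that violated policy

    def authenticate(self, tunnel, user, role):
        self.sessions[tunnel] = (user, role)

    def decide(self, pkt):
        if pkt.arrived_via not in self.sessions:
            return "deny"  # wired or unknown origin: no authenticated identity behind it
        user, role = self.sessions[pkt.arrived_via]
        if user in self.blacklist:
            return "deny"
        if pkt.dst_net in ROLE_POLICY[role]:
            return "allow"
        self.blacklist.add(user)  # policy violation blacklists the user, not an address
        return "deny"

def run_scenario():
    """Constructed traffic under both models; returns {label: (legacy, controller)}."""
    emp, guest = ("aa:bb:cc:00:00:01", "10.0.1.5"), ("aa:bb:cc:00:00:02", "10.0.9.7")
    fw = LegacyFirewall(allowed_addrs=[emp])
    mc = MobilityController()
    mc.authenticate("ap-tunnel-7", "alice", "employee")
    mc.authenticate("ap-tunnel-9", "visitor", "guest")
    packets = {
        "employee to internal": Packet(*emp, "internal", "ap-tunnel-7"),
        "wired host reusing employee addresses": Packet(*emp, "internal", "wired"),
        "guest to internet": Packet(*guest, "internet", "ap-tunnel-9"),
        "guest to internal": Packet(*guest, "internal", "ap-tunnel-9"),
        "guest to internet after violation": Packet(*guest, "internet", "ap-tunnel-9"),
    }
    # Order matters: the guest's violation is recorded before the last packet is judged.
    return {label: (fw.decide(p), mc.decide(p)) for label, p in packets.items()}

if __name__ == "__main__":
    for label, (legacy, ctrl) in run_scenario().items():
        print(f"{label:40s} legacy={legacy:5s} controller={ctrl}")
```

The second case is the one the notes describe: the legacy firewall admits the wired-side packet because its addresses match an allowed client, while the controller denies it because nothing outside an authenticated tunnel carries an identity.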
AP classification
Environment in which Aruba WIP is deployed: neighboring wireless hotspots, parking lot. Classes: Valid, Interfering, Known Interfering, Rogue. Diagram labels: mobility controller, core switch.
Multi-function access points with an integrated wireless sensor
Key features:
- Integrated with the WLAN infrastructure: no need to buy expensive dedicated wireless sensors and analysis software
- Detects, locates and contains rogue access points, eliminating the risk of network intrusion from the air
- Denial-of-service attack detection, with an API for user-defined attack types
- Locates wireless devices, clients and RFID tags, with an API for third-party location services
Diagram labels: rogue AP, rogue user.
Speaker notes:
- Integration with WLAN infrastructure: this is the biggest advantage. You don't need a separate WIDS system; it's built into the mobility controller and APs. Many enterprises start out using Aruba for WIDS and very easily and inexpensively move on to providing access.
- Rogue AP detection, classification and location: Aruba classifies a detected rogue to determine whether it is a threat, that is, whether the AP is on the corporate network or on a neighbor's network.
- Automatic rogue AP containment: if a rogue is found and classified as a threat, automatic action can be taken to shut it down.
- Client bridging detection: is a laptop misconfigured to bridge wired and wireless together? This is a signature the Aruba system can detect.
- 3rd-party AP monitoring: we can be deployed alongside a 3rd-party WLAN, such as Cisco, for use as a WIDS deployment.
- Denial-of-service attack detection.
The perfect combination of mobility and security
- Authenticate the user
- Classify the traffic
- Control access per user
- Optimize the air
- Follow the user
Diagram labels: students, teachers, phones and printers, network access, multi-service mobility controller, enterprise network resources, 80Gbps line-rate forwarding, per-user policy firewall.
Speaker notes: Aruba's approach to network security is modeled after the best security practices widely used in the defense and intelligence-gathering sectors. Every user is treated as an untrusted entity until they prove themselves trustworthy, and after that each user's activities are monitored and usage rights are constantly enforced. This capability is achieved through a combination of centralized encryption and the built-in firewall in the Aruba controller. A user's identity is not based on just their username or MAC address; it is validated through 802.1X authentication and other contextual information such as the device type, location and application. This identity is then used to apply access control to the user. This is the opposite of a model in which networks assumed that because you are plugged into a particular port you must be user "A". In the new world, users are mobile and can plug in anywhere in the building or even at another location; this is why we need to ensure access based on identity and not on the physical LAN port.
Thank you! www.arubanetworks.com