How to Build an Easily Deployed, Efficient, Low-Cost, Large-Scale Secure Enterprise Wireless Network --- Wang Yuelin (王跃霖), Technical Director, Aruba China

Title slide: How to Build an Easily Deployed, Efficient, Low-Cost, Large-Scale Secure Enterprise Wireless Network --- Wang Yuelin (王跃霖), Technical Director, Aruba China
Notes: The purpose of this module is to give you the basics about Aruba, and to give you a foundation to prepare for other modules. It is not a customer sales pitch; it is base-level information that you must know to successfully position and sell Aruba technology. The introduction to Aruba sales module is the first of many; it is the basic material that you need to master before moving on. We are not trying to make you fluent in everything Aruba offers in this module, but we do want you to be able to know when there is an opportunity to sell Aruba and when you should position another solution or walk away from a potential deal.

Aruba's complete product line
- Aruba 6000: mobility controller supporting 2048 APs
- Aruba 800: mobility controller supporting 16 APs
- Aruba 3000: mobility controller supporting 8-128 APs
- Aruba 200: mobility controller supporting 6 APs
- Aruba 2400: mobility controller supporting 48 APs
- ArubaOS: mobility application software
- AirWave Management: network management, RF management, service creation
- Aruba Access Points: single-band, dual-band, tri-band, mesh and outdoor AP types

Aruba secure enterprise wireless network architecture
Diagram: data center - Aruba mobility controller - wired network - Aruba access points - wireless clients
Multi-function controller:
- ASIC-based architecture with line-rate forwarding
- L2-7 stateful firewall
- Tunneling: the existing network architecture is left unchanged
- Secure encryption from the client to the core
Multi-function wireless access point:
- WLAN access, Air Monitor, Remote Access, Mesh Point
- 802.11a/b/g/n
- Plug and play; connects to existing switches

Aruba's unique centralized wireless mobility solution
Diagram layers (AP, wireless controller, software modules):
- Wi-Fi environment: Wi-Fi intrusion detection system, Wi-Fi access control, network access control, site survey, packet capture
- AP: radio monitoring, WLAN detection
- PoE switch
- Wireless switch/module: network access control, multi-service delivery, LAN integration, captive portal
- Wireless controller: VPN gateway, LAN firewall, routing/QoS device
- Software modules: network management, multi-layer management system

Aruba wireless mobility network deployment: no upgrade of the existing IP network required
Diagram: data center, LAN / WAN / Internet, headquarters, mobile environments, branches, home wireless networks

Enterprise headquarters wireless deployment: the existing IP backbone needs no upgrade
Diagram: Floor 1, Floor 2, building/campus core, backbone, APs, mobility controller
Notes: The Aruba mobility controller is deployed in the core of a campus network at critical traffic exchange points such as a building basement or data center. Traffic to the mobility controller is directed from access points that are connected at the edge of the network. Access points are transparently tunneled over the existing network infrastructure to the mobility controller, requiring no physical or logical upgrades to the network.

Easy to scale: extend the wireless network anytime, anywhere
- The industry's most powerful wireless controller: 80 Gbps line-rate forwarding per unit, 2048 wireless APs managed per unit
- Chassis: fan tray, up to 4 M3 Mark I, redundant PSUs, 40x 1000Base-X (SFP), 8x 10GBase-X (XFP)
- Scale from indoors to outdoors
- Scale out to the wider Internet: branch offices connect to corporate headquarters; Internet services and guest Internet access; DMZ, INTERNET, GUEST, CORP and VOICE VLANs; DSL router; split tunnel carrying Internet traffic; user-centric built-in firewall/NAT

Aruba secure mobility network features: rapid deployment
- Mesh access points (MAP) and WLAN mesh technology
- Integrated indoor/outdoor mesh solution
- Mesh cluster high-availability protection
- Supported on existing controllers and APs through a software license; no dedicated hardware needed

Enterprise branch office wireless deployment
Key features (branch office and corporate headquarters, wired devices and wireless):
- Centralized wireless LAN control
- Policy enforcement firewall
- Site-to-site VPN between Aruba controllers over the Internet / enterprise WAN
- Layer 2 Ethernet switching
- Layer 3 IP routing
Notes: Centralized Configuration and Management – no need to deploy an IT person to deploy or maintain. Everything is done centrally through the master mobility controller or through the dedicated MMS. Centralized Wireless LAN control. L2 Ethernet Switching – the Aruba Mobility Controller can serve most requirements for a basic enterprise L2 switch. L3 IP Routing – the Aruba Mobility Controller can serve most requirements for a basic enterprise L3 router. There are basic features such as DHCP client and auto-NAT policy that allow a remote user to plug the controller into a DSL router and it will just work. You don't need to send out an IT person to get the remote site up and running. Policy Enforcement Firewall – if this is going to face the Internet, it needs a firewall. Site to Site VPN – this provides the secure connection back to the corporate site by providing a VPN connection between two controllers. Serial and Power over Ethernet – APs can be connected directly to the controller, simplifying remote deployment.
The mobility controller provides wired switching, wireless LAN, NAT, VPN and firewall, with centralized management options.

Aruba's Virtual Branch Network solution
1. Controllers (data centers): VPN concentrator PLUS centralized remote network functions PLUS virtualized remote network operation
2. Remote Access Points (RAPs): VPN LAN extension PLUS local LAN connectivity PLUS local policy enforcement
3. AirWave management platform: infrastructure configuration management PLUS operations management
Notes: BNV works by placing a low-cost Remote Access Point (RAP) at each site. The RAP is responsible for virtualizing network services from your corporate datacenter into each branch location. These RAPs can operate anywhere a network connection is available: public Internet, leased line, DSL, cable, or cellular. This flexibility makes remote network setup a plug-and-play event. Virtualize the branch into the data center and extend the network out. Easier to deploy and manage at a lower cost. Simpler to operate. More scalable in smaller sites without functionality compromises.

Aruba controller
Diagram: PEF (distributed Policy Enforcement Firewall engine), remote wireless LAN control, remote wired security control, RADIUS/LDAP/AD, APIs/integration, management hooks, VPN server to the branch
A centralized, comprehensive, real-time control solution for remote access

Aruba remote access point
Diagram: client; enterprise secure Wi-Fi LAN; local wired connectivity; PEF (distributed Policy Enforcement Firewall engine); plug-and-play client VPN across the WAN to the data centers; LAN/WAN/Internet
- Access, forwarding and priority: per user/device/session dynamic policies via the controller

AirWave management system: a comprehensive service management solution
- Reporting & analysis (executive management, network engineering): usage & trend reports, triggers & alerts, APIs for 3rd-party integration
- Provisioning & configuration: system provisioning, centralized setup & change control, system diagnostics
- Compliance, network management & security (security & audit team): automated audit & reporting, wireless & wired intrusion detection
- Monitoring & visualization (L1/L2 help desk): full visibility of every remote client and device, remote diagnostics and troubleshooting
- Unify wired and wireless under role-based access control

Comprehensive functionality
- Secure enterprise wireless: PEF policy enforcement, dynamic per user/device/session, intrusion prevention, enterprise WLAN, guest access
- IP voice & video: local forwarding, split, extended PBX, local PBX
- Reliable enterprise wired: PEF, NAS & servers, printers, network devices, wired clients
Notes: Aruba's BNV lets you leverage existing investments in network and security infrastructure rather than repurchasing and rebuilding those services at every site. The BNV provides a secure LAN extension that gives full data center connectivity, including voice, video, and data applications, anywhere your users are working. Applications just work because the remote user experience is the same as the HQ experience.
User-oriented: real-time visibility, real-time control

Easy to deploy: end-user installable, no truck rolls!
1. Connect the RAP to any network
2. Enter the controller address (my.controller.com)
3. A secure connection is established
4. The controller automatically updates and provisions the RAP
5. The secure remote network connection completes automatically
Diagram: secure corporate network with PEF

Transport-independent
- LAN challenge solved: user connectivity, security policy, traffic policy
- Management solved: real-time visibility, real-time control
- Transport is a "cloud": a secure corporate branch network over any WAN/LAN; buy transport from the most convenient supplier; the RAP drops traffic to it or tunnels through it

Easy to manage
- Traditional: image management, config management, IP management, firmware, monitoring, changes, troubleshooting, all multiplied by "N" sites
- Aruba: the same functions done once (x 1), plus end-user help-desk "assist" tools
- The key to virtualization & centralization: one device combining multiple management functions; real-time remote visibility and control (user level, packet level, instant changes)
Notes: We have Controllers – define and run the virtual branch. We have RAPs – lower-cost remote access points that provide user services. We have secure overlay tunnels – no VPNs for users to use, nothing new for them to learn how to use. Aruba RAPs can work anywhere an Ethernet/IP connection or USB 3G connection is available. Select the connection that is available and meets your needs, and deploy the simplest device possible to connect to that cloud.

ONE NETWORK: all branches, one solution
- Multiple users: employees, contractors, partners, suppliers, guests
- Multiple devices: PCs, printers, phones, cameras, machines
- Multiple policies
Notes: Today each scenario you need to support ends up with a different technology due to scale, user, etc. Aruba is simpler to deploy and manage because we know who is on the connection. Advantage: centralized operations, control and management vs. distributed costs, risks and complexity; zero-touch provisioning, end-user installable vs. hand-configured and onsite engineers; policy-driven, user-adaptive system vs. multiple disparate static configurations based on ports, VLANs, subnets, and interfaces.

Rapid wireless deployment for small enterprise branches
Diagram: small branch offices with Remote APs broadcasting enterprise-ssid; Remote AP mesh for extended, instant coverage; Internet

Rapid deployment for enterprise mobile/temporary offices
Diagram: home office, temporary office (hotel), Remote AP, Internet, enterprise-ssid

Rapidly build and extend remote wireless networks
Diagram: 3G link via a 3G USB modem, carrier 3G network, Internet, enterprise headquarters: Aruba controller

Rapid deployment for enterprise temporary offices

A unified managed network
- Master Aruba 6000 (data center): local WLAN traffic, central security policy, central management for remote APs, for rapid deployment, for remote controller failover
- Aruba AirWave: for multi-vendor and multi-controller management
- Redundant Aruba 6000 (optional): backs up the master controller, shares the AP load
Diagram: data center, WAN/3G/Internet, LAN, VBN, indoor, outdoor

Unified wireless policy with centralized management and automatic optimization: an intelligent network that needs no manual intervention
Challenge – a dynamic RF environment (physical location, time, available channels): within a given coverage area, the usable working channels are not fixed; they depend on the interference present, user density, traffic load and so on.
Adaptive Radio Management™ (ARM) continuously optimizes the WLAN based on the available spectrum:
- Real-time spectrum scanning and monitoring
- Automatic selection of the best channel and power level, reducing contention and interference, with automatic coverage of holes when an AP fails
- Co-channel interference suppression
- Load balancing based on users and traffic
- Band steering for dual-band clients
- Airtime fairness between fast and slow clients
- Load-aware RF scanning
- Application-aware RF scanning
Diagram: lobby, study rooms, meeting rooms, offices/workstations
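The channel-selection step described above, as an added example written for this page rather than Aruba's ARM implementation: an AP scores each candidate 2.4 GHz channel by the power of the neighbours it overlaps with, picks the quietest one, and only moves after a rescan when the gain clears a hysteresis margin so the radio does not flap. The overlap model, the margin and the sample scans are constructed for the example.

```python
# Added example (not Aruba's ARM code): least-interfered channel selection
# from over-the-air scan results, with hysteresis on re-selection.
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    bssid: str
    channel: int
    rssi_dbm: int


def overlap(c1, c2):
    """Fraction of spectral overlap between two 2.4 GHz channels: 20 MHz-wide
    channels on a 5 MHz raster stop overlapping at a separation of 5 channels."""
    return max(0.0, 1.0 - abs(c1 - c2) / 5.0)


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def interference_score(channel, neighbors):
    """Neighbour power in mW weighted by overlap with the candidate channel.
    Summing in mW (not dBm) means one strong neighbour outweighs many weak ones."""
    return sum(overlap(channel, n.channel) * dbm_to_mw(n.rssi_dbm) for n in neighbors)


def best_channel(neighbors, candidates=range(1, 12)):
    # Tie-break on the lower channel number so the choice is deterministic.
    return min(candidates, key=lambda c: (interference_score(c, neighbors), c))


def next_channel(current, neighbors, margin=2.0):
    """Hysteresis: change channel only if the best candidate is at least
    `margin` times quieter than the current one (constructed threshold)."""
    cand = best_channel(neighbors)
    if cand == current:
        return current
    if interference_score(current, neighbors) > margin * interference_score(cand, neighbors):
        return cand
    return current


def scenario():
    """Constructed scans: pick a channel, then see a strong and a weak newcomer."""
    scan1 = [Neighbor("02:00:00:00:00:01", 1, -40),
             Neighbor("02:00:00:00:00:02", 6, -60),
             Neighbor("02:00:00:00:00:03", 11, -75)]
    first = best_channel(scan1)                       # quietest: channel 11
    scan2 = scan1 + [Neighbor("02:00:00:00:00:04", 11, -45)]  # strong AP lands on our channel
    second = next_channel(first, scan2)               # move to channel 6
    scan3 = scan1 + [Neighbor("02:00:00:00:00:05", 11, -90)]  # weak newcomer: no move
    third = next_channel(first, scan3)
    return first, second, third


if __name__ == "__main__":
    print(scenario())
```

The dBm-to-mW conversion is what makes the score behave like real contention: a single -45 dBm neighbour contributes a thousand times more than one at -75 dBm, so partial overlap with a strong signal is still worse than full overlap with a weak one.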

Aruba's next-generation intelligent RF control technology (ARM 2.0): leading wireless connection performance and reliability
- Without ARM 2.0: unstable performance, real-time Wi-Fi applications affected, wireless clients frequently dropped
- With ARM 2.0: >20% fairer distribution of network performance, >40% reduction in the impact of interference, >30% improvement in overall network performance, >100 ultra-high-density users connected
Chart axes: network performance vs. network complexity (wireless user density, complex wireless applications, a wide variety of devices, different operating systems)

Traditional wired network security policy
Diagram: a fixed security checkpoint (firewall/VPN at the router facing the Internet, where network attacks arrive); WWW; executives, staff, contractors and guests behind access, aggregation and core switches

Traditional wired network security policy: the open questions
Diagram: the same fixed security checkpoint (firewall/VPN at the router); executives, staff, contractors and guests on access, aggregation and core switches
Questions:
1) How is security controlled inside the firewall?
2) How is security controlled at branch offices?
3) How are small offices rolled out quickly?
4) How are user identities recognized across the whole network?
5) How do guests connect?
6) How are new services deployed?

User-role-based security policy
Diagram: Aruba mobility controller; Aruba APs with SSIDs UNIV, GUEST and VOICE; executives, staff, guests, contractors and voice terminals; enterprise wired IP network, core switch, router, Internet, WWW
- Web-page authentication
- AAA services: RADIUS, LDAP, AD
- The Aruba mobility controller assigns rights, QoS and VLAN

Distinguishing different users and applications
- A single physical network infrastructure
- Different levels of access control
- Differentiate users, devices and applications
- Network policy driven; enforced policy
Diagram: executives to the executive subnet; staff to the staff subnet; partners to the partner subnet; voice to the VoIP service; guests to the Internet access service

Traditional AP security
Key issues:
- Malicious insiders can spoof valid clients
- The external firewall cannot tell the difference
- No identity is maintained end-to-end
Diagram: WLAN with data encryption and authentication at the AP; wired LAN; firewall (authorization); encrypted traffic over the air, decrypted traffic between the AP and the firewall; malicious insider, employee, internal corporate LAN; a disconnect between identification at the AP and authorization at the firewall
Notes: Before we talk about how Aruba does security, let's take a step back and examine how security has traditionally been implemented in legacy wireless LANs. In this type of topology, we have a firewall between the wireless LAN and the internal corporate LAN. Attached to the wireless network are the fat APs. The firewall protects the internal network from anyone who might compromise the wireless LAN. The wireless network is protected from wireless attackers by encrypting and authenticating all packets transmitted over the air. At first glance, this seems like a good model for security. Firewalls are an excellent way of protecting trusted networks from untrusted users. Virtually every network attached to the Internet employs a DMZ for this exact purpose. Likewise the wireless network itself uses encryption, thus an attack that tries to spoof a valid user would be detected through encryption failure. However, in a traditional wireless LAN such as this, encryption is done at the AP. This means the only verifiable point of authentication is at the AP itself rather than anywhere else in the network. Once user traffic is transmitted past the AP, the decrypted traffic for all wireless users intermingles. One packet looks much like another. So a malicious attacker could spoof a user from the wired side of the network instead. Of course, if the attacker is a guest or an internal user on the wireless network, then protection through encryption is lost. MACs are typically not encrypted with most wireless encryption protocols and are easily spoofed. At this point, the only way for traffic to get off of the wireless network is to go through the firewall.
The firewall is the last point between the wireless and internal wired network where authorization is enforced and complex security inspection is done. If any device is going to detect the attacker, it will have to be the firewall. However, the firewall has no concept of identification or authentication of users. It also cannot distinguish between a packet that originated on the wireless 802.11 LAN and one that originated on the wired 802.3 side of the network. By the time these packets arrive at the firewall they are all 802.3 packets. At this point, the firewall has no context to allow it to effectively enforce role-based or identity-based access control. It cannot distinguish between a wired or wireless packet, nor was it part of the authentication process. In other words, there is a fundamental disconnect between the authentication state in the AP and the authorization state in the firewall. This leaves the entire network vulnerable.

End-to-end security
Advantages:
- Authentication & firewall together
- Firewall policies based on identity, not MAC or IP
- End-to-end encryption
- Spoofing attacks defeated
Diagram: WLAN; wired LAN; Aruba mobility controller (data center) performing identification, authentication and authorization, with data encryption; encrypted traffic from the client all the way to the controller, decrypted traffic only beyond it; malicious insider, employee, internal corporate LAN
Notes: This diagram shows how Aruba addresses these issues. Here we have a similar topology to the previous network of a traditional wireless network. This one is implemented with Aruba technology instead of the traditional model. However, there are key differences. Like the previous model, APs are attached to the wired network. But in this case they are thin APs that tunnel all of their traffic back to the Aruba mobility controller. The mobility controller is placed between the wireless and wired network and serves several purposes: to serve as the point of encryption and decryption for all wireless traffic; to provide authentication and authorization, including firewall functionality; to manage the thin APs. These changes are fundamentally different from the previous model. Let's explore these differences in more detail. Earlier we mentioned that, in a traditional model, once the wireless traffic is placed on the wired network the packets intermingle and the firewall cannot tell the difference between these packets, other than by IP address and MAC. As a matter of fact, the firewall does not even know which packets originated on the wireless network versus the wired network. This is not true in the Aruba model. By terminating wireless traffic on the mobility controller, we know exactly which traffic originated on the wireless network. No other traffic will be placed into the tunnel. Therefore, all tunneled traffic came from a wireless device and all other traffic is from a wired device. Since all wireless traffic comes to the Aruba mobility controller, it is subject to stateful inspection.
This applies even to traffic between two wireless users on the same AP. But even this traffic could be subject to a malicious attacker on the wireless network spoofing another wireless user. This is prevented by two things. First, all traffic is encrypted and decrypted at the mobility controller, rather than the AP. This means no user traffic is transmitted in the clear or can be intercepted by a malicious user. Second, the authentication and authorization of the user is also performed on the Aruba mobility controller. This has several implications. First, no traffic can leave the firewall without associating that data with a user identity rather than the source IP or MAC that a typical firewall would use. Unlike our previous example where the AP was the final source of user identity, an Aruba mobility controller knows exactly who generated the traffic and whether that traffic may be passed on to the internal corporate LAN. Second, because the controller is aware of which data originated from the wireless network, it has an awareness of which users are wireless and which are wired. This means the Aruba mobility controller can do things that no other simple firewall can do, such as blacklist a wireless user based on that user's violation of a firewall policy. Together, these features create a truly trustworthy mobility infrastructure that provides end-to-end security that is the equal of, if not better than, most wired networks.

AP classification
Diagram: an environment with Aruba WIP deployed, with neighbouring wireless hotspots and the parking lot around it; mobility controller and core switch
Classes: Valid, Interfering, Known Interfering, Rogue

Multi-function access point with an integrated wireless sensor
Key features:
- Integrated with the WLAN infrastructure; no need to buy expensive separate wireless sensors and analysis software
- Detects, locates and contains rogue access points, eliminating the risk of intrusion from the air
- Denial-of-service attack detection, with an API for user-defined attack types
- Locates wireless devices, clients and RFID tags, with an API for third-party location services
Diagram: rogue AP, unauthorized user
Notes: Integration with WLAN Infrastructure – this is the biggest advantage. You don't need a separate WIDS system. It's built into the mobility controller and APs. Many enterprises start out using Aruba for WIDS and very easily and inexpensively move on to providing access. Rogue AP Detection, Classification, and Location – Aruba provides classification to determine if a detected rogue is a threat: is the AP on the corporate network or a neighbor's network? Automatic Rogue AP Containment – if a rogue is found and classified as a threat, automatic action can be taken to shut it down. Client Bridging Detection – is a laptop misconfigured to bridge wired and wireless together? This is a signature that can be detected using the Aruba system. 3rd-party AP Monitoring – we can be deployed alongside a 3rd-party WLAN network such as Cisco for use as a WIDS deployment. Denial of Service Attack Detection.
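The classification the two slides above describe (Valid, Known Interfering, Interfering, Rogue, where the deciding question is whether a detected radio is on the corporate network or a neighbour's), as an added example written for this page and not Aruba's WIP implementation. Air observations, the managed and known-interfering lists and the wired MAC table are constructed inputs; the "same OUI, last octet within a small delta" rule that ties a BSSID to a wired MAC is a constructed heuristic, stated as such in the code.

```python
# Added example (not Aruba's WIP code): classify over-the-air APs into
# valid / known-interfering / rogue / interfering using the wired MAC table.
from dataclasses import dataclass


@dataclass(frozen=True)
class AirObservation:
    bssid: str      # MAC the AP uses on the air
    ssid: str
    channel: int
    rssi_dbm: int


def _oui(mac):
    return mac.lower()[:8]


def _last_octet(mac):
    return int(mac.split(":")[-1], 16)


def seen_on_wire(bssid, wired_macs, delta=1):
    """True if the radio appears to be plugged into our LAN: its BSSID, or a
    same-OUI MAC whose last octet is within `delta` of it, is in the wired MAC
    table. The +/-delta rule is a constructed heuristic for APs that derive
    BSSIDs from their Ethernet MAC; tune it per vendor and treat it as a lead."""
    b_oui, b_last = _oui(bssid), _last_octet(bssid)
    return any(_oui(m) == b_oui and abs(_last_octet(m) - b_last) <= delta
               for m in wired_macs)


def classify(obs, managed_bssids, wired_macs, known_interfering):
    """Order matters: our own radios first, then administrator-reviewed
    neighbours, then anything that reaches the wire, then the rest."""
    b = obs.bssid.lower()
    if b in managed_bssids:
        return "valid"
    if b in known_interfering:
        return "known-interfering"
    if seen_on_wire(b, wired_macs):
        return "rogue"            # unauthorised radio bridged onto our LAN
    return "interfering"          # a neighbour: affects RF, not our security boundary


def classify_scan(observations, managed_bssids, wired_macs, known_interfering):
    return {o.bssid.lower(): classify(o, managed_bssids, wired_macs, known_interfering)
            for o in observations}


def run_demo():
    """Constructed sample data; MACs and SSIDs are made up."""
    managed = {"00:1a:1e:00:10:01"}                    # BSSID of our own AP
    known_interfering = {"d4:5c:7a:00:00:01"}          # cafe next door, reviewed by admin
    wired = {"00:1a:1e:00:10:00",                      # our AP's Ethernet MAC
             "f0:9f:c2:aa:bb:01",                      # consumer AP's Ethernet MAC on our LAN
             "00:50:56:12:34:56"}                      # an ordinary wired host
    scan = [
        AirObservation("00:1a:1e:00:10:01", "corp", 6, -45),
        AirObservation("d4:5c:7a:00:00:01", "cafe-free", 1, -70),
        AirObservation("f0:9f:c2:aa:bb:02", "linksys", 11, -55),   # BSSID = Ethernet MAC + 1
        AirObservation("8c:85:90:11:22:33", "neighbour", 1, -80),
    ]
    result = classify_scan(scan, managed, wired, known_interfering)
    rogues = sorted(b for b, c in result.items() if c == "rogue")
    return result, rogues


if __name__ == "__main__":
    result, rogues = run_demo()
    for bssid, cls in result.items():
        print(f"{bssid}  {cls}")
    print("queue for investigation/containment:", rogues)
```

Only the "rogue" class is a security event; "interfering" radios belong to someone else's network and are an RF planning concern, which is why the wired-table correlation, and not signal strength or SSID, is the deciding test.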

The perfect combination of mobility and security
- Authenticate the user
- Classify the traffic
- Control access per user
- Optimize the air
- Follow the user
Diagram: students, teachers, phones and printers connect through the access network to the multi-service mobility controller (80 Gbps line-rate forwarding, per-user policy firewall) and on to enterprise network resources
Notes: Aruba's approach to network security is modeled after the best security practices widely used in the defense and intelligence-gathering sectors. Every user is treated as an untrusted entity until they prove themselves to be trustworthy, and after that each user's activities are monitored and usage rights are constantly enforced. This capability is achieved through a combination of centralized encryption and the built-in firewall in the Aruba controller. Each user's identity is not based on just their username or MAC address; a user's identity is validated through 802.1X authentication and other contextual information such as the device type, location and application. This identity is then used to apply access control to the user. This is the opposite of a model where networks assumed that because you are plugged into a particular port you must be user "A". In the new world, users are mobile and can plug in anywhere in the building or even at another location; this is the reason why we need to ensure access based on identity and not on the physical LAN port.

Thank you! www.arubanetworks.com