CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
JOIN: community.arubanetworks.com
FOLLOW: @arubanetworks
DISCUSS: #airheadsconf
MOBILE DEVICE FUNDAMENTALS
Keith Mataranglo
Aruba Networks Germany
May 21st, 2012
TODAY’S NETWORK
MOBILE DEVICE TYPES
• Stationary Devices
• Somewhat Mobile Devices (SMD)
• Highly Mobile Devices (HMD)
(Chart: device characteristics plotted against wireless scale; laptop shown as an example)
Mobile Device Fundamentals Topics
Device Characteristics / WLAN Requirements
• Portability
• Applications
• 802.11 support
• Management
• Roaming
• QoS and Access Control
• Speed and capabilities
• Security
Aruba Design Pillars
• Device Configuration
• Airtime Optimization
• Roaming Optimization
• IP Mobility Configuration
• IP Multicast Optimization
• Interference Resistance
Principles of Optimizing the WLAN
1. Device Configuration
• Some device changes require corresponding changes to the WLAN infrastructure, e.g., basic rate support and DTIM.
2. Airtime Optimization
• Roaming devices are sensitive to RF congestion and inefficiencies. Improve performance using load balancing across APs and channels.
3. Roaming Optimization
• Roaming decisions can be influenced by optimizing data rates, output power and retry thresholds, and by using the Handoff Assist feature.
4. IP Mobility Configuration
• Good IP mobility design is critical to these environments. Selection of layer-2 (L2) or layer-3 (L3) roaming requires careful planning.
5. IP Multicast Optimization
• Reducing and optimizing multicast traffic over the air and on the wire is vital.
6. Interference Resistance
• Devices are likely to encounter and be impacted by adverse RF conditions.
Principle #1 – Device Configuration
– Optimal device settings
– Shared or dedicated SSIDs
– Enable 802.11h (DFS/TPC)
– Maximize battery life
– End-to-End QoS for voice devices
– Push-to-talk (PTT)
– Security and encryption
– Mobile device management (MDM)
Mobile Device RF components
(Figure: internal antenna, radio and WLAN NIC)
Don’t do this!!
Mounting APs for coverage
Ceiling
Wall
Principle #2 – Airtime Optimization
– RF Optimizations
• Band steering
• Spectrum load balancing
• Airtime fairness
• Mode-aware ARM
• Voice/Video-aware ARM
• Load-aware ARM
• PS-aware ARM
– Reducing broadcasts and multicasts
– Limiting “chatty” protocols
– AP capacity planning (voice devices)
Principle #3 – Roaming Optimization
• Ensuring complete Wi-Fi coverage
• VLAN pooling
• Fast roaming (802.11r & OKC)
• Device-specific roaming settings:
– ARM power adjustments (match client and AP power)
– Retry and failure settings (voice devices)
• PMK Caching results in 4x faster roaming speeds than non-PMK Caching.
Principle #4 – IP Mobility Configuration
• Layer 2 mobility
– Client maintains its IP address as it roams and is assigned an address from the same IP subnet
• Layer 3 mobility
– User roams from AP-Subnet A to AP-Subnet B
– Layer 3 network address must change to maintain L3 connectivity on Subnet B
– Aruba L3 Mobility allows the roaming client to maintain the same IP address
(Figures: L2 Mobility design; L3 Mobility design)
Principle #5 – IP Multicast Optimization
• Effects of multicast: reduce multicast traffic over the air and the wire to improve channel efficiency
• IGMP snooping/proxy to eliminate unnecessary data replication and controller processing
• Multicast rate optimization to increase the lowest base rate
• Dynamic multicast optimization (DMO) to convert multicast frames to frames with unicast headers
• Use of ToS/QoS on the controller and wired infrastructure, port-based or user-based session ACL
• Block mDNS (if not required) with user roles
• Use bandwidth contracts to protect unicast traffic
Principle #6 – Interference Resistance
• FHSS and non-802.11 interference
• Noise immunity
• Fixed frequency interference
• 802.11 co-channel (CCI) and adjacent channel interference (ACI)
• RX sensitivity channel reuse
• Aruba Spectrum Monitor
TOPIC OVERVIEW
Management Tools
Device Profiling
Policy Enforcement
MANAGED VS. UNMANAGED DEVICES
Overview
(Figure: any network, any user; devices and users shown: VPN, iOS, Android, Ultrabooks; security that is reliable & intuitive; simplified management)
MANAGED DEVICES
Overview
• Primarily Windows laptops
• Managed using Windows Active Directory policies
• Client 802.1x supplicant is configured by IT staff to connect securely
• Applications can be limited by user
• Machine authentication can be enforced
• WLAN policies or VPN software can be configured by IT staff
UNMANAGED DEVICES
Overview
(Figure: WLAN, Network Management, Mobility Access Management, WLAN Controller, Policy Management)
Network services are needed for unmanaged devices to access the WLAN securely.
TOPIC OVERVIEW
Policy Enforcement
Management Tools
Overview
DEVICE PROFILING AND ROLE
Device Profiling
Based on AOS 6.0.1 or 6.1.1
Type of device allowed on the WLAN; the role determines access:
• Firewall policy
• Bandwidth constraints
• VLAN
• QoS
OS FINGERPRINTING PURPOSE
• OS fingerprinting allows the Aruba Controller to classify device type and assign a role
– iOS
– Blackberry
– etc.
• Two methods
– DHCP: monitor dhcp-option (User Class Option) included in the client’s request
– Browser HTTP user-agent string identification: watches HTTP traffic from the station looking for the user-agent string
FINGERPRINTING PROCESS
• Identify the device value of the DHCP option
• Create a firewall role
• Write and apply a user derivation rule
IDENTIFYING THE DEVICE SIGNATURE
Enable DHCP debugging:
# configure terminal
# logging level debugging network subcat dhcp
View debug output:
# show log network all | include Option
Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
CREATE FIREWALL DERIVATION RULE
• Inspection and role assignment enabled through User Derived Rules
– New UDR condition “dhcp-option”
• Note that 37 0103060F77FC means dhcp option 55 (hex 37) and the value is 010306…
aaa derivation-rules user abc
set role condition dhcp-option equals 370103060F77FC set role ios
set role condition dhcp-option starts-with 0c616E64726F69645F set role android
set role condition dhcp-option equals 3C426C61636B4265727279 set role blackberry
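The three rules above compare a hex string made of the DHCP option number followed by the option value against what the client sent. As an added example that is not Aruba's code, the Python below parses dhcpdwrap debug lines in the format shown on the previous slide, extracts each option as an option-number/value pair, evaluates the same three rules in CLI order, and decodes the hostname option (0x0c) for visibility. It assumes first-match-wins rule evaluation and a hypothetical fallback role named "unclassified"; all sample log lines except the slide's own are constructed.

```python
"""Classify DHCP clients the way an ArubaOS dhcp-option user derivation rule does.

Added example, not Aruba code. Assumptions: the dhcpdwrap debug line format shown
on the slide, first matching rule wins, and a hypothetical fallback role "unclassified".
"""
import re
from dataclasses import dataclass

# Tail of a "|dhcpdwrap| |dhcp|" debug line: "<MSG> <MAC> ... Options <code>:<hex> ..."
LINE_RE = re.compile(
    r"(?P<msg>[A-Z]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?Options (?P<opts>.*)$"
)
# One "code:value" pair; the code is the DHCP option number as two hex digits (0x37 = option 55)
OPTION_RE = re.compile(r"([0-9a-fA-F]{2}):([0-9a-fA-F]+)")


@dataclass(frozen=True)
class Rule:
    operator: str  # "equals" or "starts-with", as in the CLI
    value: str     # option number in hex followed by the option value in hex
    role: str


# The three rules from the slide, in the order they were entered.
RULES = (
    Rule("equals", "370103060F77FC", "ios"),                # option 55 parameter request list
    Rule("starts-with", "0c616E64726F69645F", "android"),   # option 12 hostname starts "android_"
    Rule("equals", "3C426C61636B4265727279", "blackberry"), # option 60 vendor class "BlackBerry"
)

DEFAULT_ROLE = "unclassified"  # hypothetical fallback role; not on the slide


def parse_options(line):
    """Return (mac, message type, {option_hex: value_hex}) or None for lines without options."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    options = {code.lower(): value.lower() for code, value in OPTION_RE.findall(m.group("opts"))}
    return m.group("mac"), m.group("msg"), options


def option_text(options, code):
    """Decode a printable option (hostname 0x0c, vendor class 0x3c) from hex to text."""
    value = options.get(code.lower())
    if value is None:
        return None
    return bytes.fromhex(value).decode("ascii", errors="replace")


def derive_role(options, rules=RULES, default=DEFAULT_ROLE):
    """Evaluate rules top to bottom against every option the client sent; first match wins."""
    for rule in rules:
        target = rule.value.lower()
        for code, value in options.items():
            candidate = code + value  # same "<option><value>" hex form the CLI condition uses
            if rule.operator == "equals" and candidate == target:
                return rule.role
            if rule.operator == "starts-with" and candidate.startswith(target):
                return rule.role
    return default


def classify_log(lines, rules=RULES):
    """Map each parsable debug line to (mac, role); lines without an Options field are skipped."""
    results = []
    for line in lines:
        parsed = parse_options(line)
        if parsed is None:
            continue
        mac, _, options = parsed
        results.append((mac, derive_role(options, rules)))
    return results


# Constructed sample: the first line is the slide's own; the rest are invented, one per rule.
SAMPLE_LOG = [
    "Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936",
    "Apr 23 07:02:10 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:11:22:33:44:55 reqIP=192.168.1.50 Options 36:c0a80103 37:0103060f77fc 0c:6950686f6e65",
    "Apr 23 07:02:31 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:11:22:33:44:66 Options 37:01030c 0c:616e64726f69645f61316232",
    "Apr 23 07:02:45 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:11:22:33:44:77 reqIP=192.168.1.51 Options 3c:426c61636b4265727279 37:0103060f",
    "Apr 23 07:03:00 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: ACK 00:11:22:33:44:77 reqIP=192.168.1.51",  # no Options field
]

if __name__ == "__main__":
    for mac, role in classify_log(SAMPLE_LOG):
        print(f"{mac} -> {role}")
```

The slide's own line carries option 55 as 0103060f0c and a hostname of NP-K0A0DX026796, so none of the three rules match it and it lands in the fallback role; that is the case to check first when a device unexpectedly gets the wrong policy. DHCP options are supplied by the client, so a derived role is a convenience for policy selection and should bound what the device may reach rather than stand in for authentication.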
CONFIGURATION IN WEB UI
TOPIC OVERVIEW
Policy Enforcement
Overview
Device Profiling
MOBILE DEVICE ACCESS CONTROL
Management Tools
(Figure)
• 802.11n Wi-Fi: device fingerprinting, role-based access; security & bandwidth policies by device, multimedia grade
• Web Login Server: self-service device configuration portal, device authorization
• Management Server: device and OS visibility, troubleshooting & capacity planning
DEVICE MANAGEMENT VS ACCESS CONTROL
Management Tools
Access Control
• Protect the network
• Restrict usage and bandwidth
• Device-level visibility
• Configure net/sec settings
Mobile Device Management (MDM)
• Remote wipe & remote control
• Manage applications and firmware
WHEN TO USE MDAC & MDM
Management Tools
(Figure: applications range from Email and Intranet to business-specific apps; devices range from Employee Liable to Corporate Liable)
Use MDAC Only
• Remotely configure network access
• Protect network
• Device visibility
• Cost-effective
Use MDAC + MDM
• Remotely configure net access AND applications
• Protect network AND device data
• Device troubleshooting
IT POLICY
Management Tools
Tolerated (Employee Liable)
• Employee owned (BYOD)
• Partially secured and controlled
• Limited to safe interactions
Trusted (Corporate Liable)
• Corporate issued
• Fully controlled and secured
• Unrestricted
MOBILE DEVICE PROVISIONING
Management Tools
Bring Your iPad to Work
(Figure: Active Directory, Amigopod, Mobility Controller, 802.11n AP)
1. User fingerprinting
2. Device fingerprinting
3. iPad self registration
4. Context aware access control
✔ Zero IT touch, context aware access
✔ Auto-identification of user, device, application
✔ Monitoring, reporting per user and per device
TOPIC OVERVIEW
Management Tools
Overview
Device Profiling
SECURE NETWORK ACCESS FOR MOBILE DEVICES
Policy Enforcement
1. Provision device
2. Invoke a policy
3. Enforce policy
AUTOMATE DEVICE CONFIGURATION
Policy Enforcement
(Figure: device, Access Network, VPN, Policy Manager Server; the Policy Manager configures 802.1x, VPN & e-mail and provisions device credentials)
1. Connects to web portal
2. VPN
3. Access network
Application installer (*Windows only at launch)
CONTROL COMPROMISED DEVICES
Policy Enforcement
(Figure: Access Network, Policy Manager)
Detect unsecure devices:
• Block access to network resources across wired, wireless & remote
• Auto-remediate the device
• Minimal risk to network
AUTOMATE ACCESS
Policy Enforcement
(Figure: New Visitor, Access Network, Policy Manager, Sponsor)
1. Collect visitor information
2. Sponsor prompted to confirm that guest is valid
3. Account enabled, visitor notified via screen, SMS, or email
ACCESS POLICY
Policy Enforcement
(Figure: Policy, VPN)
• BYOD Policy: allow personal devices into a limited access zone (LAZ)
• Executive Class Policy: deliver executive traffic with higher priority
• Multimedia Policy: optimize delivery of Lync traffic over the air
• Unauthorized Use Policy: disable rogue AP, blacklist user
• Device Revocation Policy: disable device access, not user access, if stolen/lost
• Device Quarantine Policy: quarantine unhealthy devices for remediation
New Certification!
Aruba Certifications
• Become one of the few experts on secure mobility.
• Make a good move for your career, get certified.
Product Training
• Mobility and Mesh certifications
End-to-End, Solutions Based
• Aruba Certified Solutions Professional (ACSP) Certification
• Open to all IT engineers
• Practical training on RF, secure network access and mobile devices
(Figure: ACMA, ACMP, ACSP, CCxx, MCxx, CWxx, ACMX, ACDX)
ACSP Training Classes
Part 1 (April, 2012)
• Module 1: 802.11 RF Fundamentals
• Module 2: Wi-Fi Authentication & Encryption
• Module 3: Mobile Device Wi-Fi Best Practices
Part 2 (August, 2012)
• Module 4: RF Design in Challenging Environments
• Module 5: Centralized WLAN Design
• Module 6: Mobile Device Management & Security
Part 3 (January, 2013)
• Module 7: Advanced Topics in Wi-Fi Design
• Module 8: WLAN Security for Compliance
• Module 9: Multimedia and UC Services over Wi-Fi