Copyright 2005
Handout Page-1
Objectives
Upon completion of this seminar, you will:
- Know some of the customer requirements to ask about when conducting a WLAN design
- Know how to improve the quality of your WLAN designs
- Understand various common WLAN design models, their pros and cons
- Understand Cisco technical capabilities, their pros and cons
- Understand gotchas, interactions between features
- Understand a flowchart for determining WLAN customer requirements
Rationale
- WLAN designs and installations are not all the same; different designs fit different needs
- Not just picking up a bunch of Linksys WAPs at Best Buy and scattering them around
- Costly to build a WLAN and then have to redo it to support new or changed requirements
Starting Assumptions
- Not going to discuss site survey; going to focus on higher-level features and topology
- Good to avoid large Spanning Tree Protocol (STP) domains and large-scale L2 approaches
- Standard routing gives traffic a chance to breach isolation, requiring extensive ACLs or other measures for security
- WLAN security level and authentication should match the WIRED network
- This represents my opinions, not specifically approved or endorsed by Cisco!
CD1: Discussion
Pro
- Secure, in the sense of isolating WAPs and mobile users
- Does allow ACL controls at point of attachment to WIRED network
Con
- Does not in itself secure WLAN authentication or provide confidentiality
- Cost: separate wiring infrastructure (cost), more equipment to manage (cost)
- Secure management of WLAN switches?
- Overkill?
- Coax connects in-building antennas to building aggregation box
- WAPs connect to coax via aggregation box
- Does allow centralization of WAP chassis
CD1B: Discussion
Pro
- If you're doing this sort of thing for cell phones, leveraging it for WAPs may make sense
Con
- Cost high
- Divergent wiring infrastructure (opposite of convergence?)
- The products don't seem to use IP or even normal networking on the coax and fiber (troubleshooting?)
- You're doing something non-standard: risk
- Still leaves data-side connectivity of WAPs up in the air (so to speak); really more about antennas
CD2A: Discussion
This used to be a very common approach for those who knew of WEP's vulnerabilities
Pro
- Simple
- Can work well for Internet access for guests, mobile users
- Allows IDS monitoring of WLAN user traffic
- Can work reasonably well for collapsed core campuses
- Can use one isolation VLAN per floor for smaller STP domains
Con
- Tempting to create large STP domains for roaming, which we've seen cause instability
- Connecting to the firewall is problematic in routed core campuses (see below)
CD2B: Discussion
This is the form in which isolation VLANs are usually used
The graphic shows use of several isolation VLANs
Con
- The VPN Concentrator can be a bottleneck
- PDAs, phones & IPsec???
- Contractor, consultant support (internal/external; VPN client?)
CD2C: Discussion
Notes
- Some WLAN switches provide for a remote switch, e.g. in data center
- Find out if they use tunneling (L2, GRE, IPsec, other) between WAP and WLAN switch. Configured how? How secure?
Pro
Web authentication and per-user/group access controls are simple, can leverage SSH for secure authentication
Con
- Wireless-side confidentiality?
- Some need one box per L2 domain: they assume a flat world model, with one WLAN VLAN site-wide; a multiple WAP VLAN approach requires more boxes
- Cost; management complexity: more total boxes to manage, plus more vendors
- Potential bottleneck (failover, behavior under DDoS, etc.?)
- Cisco BBSM
- Blue Socket
- Vernier
- Bradford Software device (see below, it does a bit more)
- Airespace* (?) [Docs not visible online, yet]
- WLSM, below, is a clean alternative but can act as a large-scale choke point
CD3: Discussion
- Can do separate WLAN VLANs, but they're for STP reasons, not isolation (protect wired STP stability)
- As of WPA and 802.11i, WAP authentication / crypto are now quite acceptable (at most sites): non-snooped / cracked login & password; confidentiality of data on wireless link
Pro
- Best throughput
- Avoids MTU and other IPsec issues
Con
- Driver support for older PCs, NICs, etc.
- Device support while PDAs, phones catch up
- Should some WLAN technology security issue show up (how likely?), there's no easy way to quickly apply ACLs, IDS, etc. for monitoring, control, or cutoff of wireless user traffic
CD4A: Discussion
Cisco technology insights:
- Can use different VLANs and SSIDs to support devices with different authentication and encryption capabilities
- Can then apply different ACLs to control traffic based on VLAN / subnet, restricting less-trusted devices' traffic
Pro
- Flexible accommodation of devices with different capabilities
- More critical as 802.1x & NAC added to WPA, 802.11i
- More secure than "one SSID/VLAN fits all"
Con
- More complex
- Does lead to IP subnet multiplication; see also Clever Addressing Schemes, at http://www.netcraftsmen.net/welcher/papers/addressing.html
- If the distribution / core is routed, potential for ACL proliferation (cf. WLSM below, however)
CD4B: Discussion
- This is similar to static SSIDs/VLANs, except that the VLANs are assigned dynamically based on 802.1x login (user/group info), based on RADIUS server
- Can do this for both WIRED and WLAN networks; WIRED does require 3550, 3750, 4500, 6500
Pro
- Very powerful for heavily mobile user base and flexibility
- No client-side SSID reconfiguration if group VLAN mapping changes
- Can combine with MS login
Con
- Adds one more thing to troubleshoot
- Routed links present the same issue in larger networks
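Dynamic VLAN assignment works by the RADIUS server returning RFC 3580 tunnel attributes in its Access-Accept; the Python below is an added example, not part of the seminar material, that builds such a reply and then parses it the way a switch or WAP would, refusing replies whose Response Authenticator does not verify under the shared secret. The VLAN id, shared secret and request authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # values used by RFC 3580

def _tagged_int(attr, value, tag=1):
    # RFC 2868 tagged integer: Tag byte followed by a 3-byte big-endian value
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def _tagged_str(attr, text, tag=1):
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr, 2 + len(data)) + data

def build_vlan_accept(identifier, request_auth, secret, vlan_id):
    """Server side: Access-Accept that places the authenticated user in vlan_id."""
    attrs = (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
             + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def vlan_from_accept(packet, request_auth, secret):
    """Switch/WAP side: verify the reply and return the VLAN id, or None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if code != ACCESS_ACCEPT or length != len(packet) or packet[4:20] != expected:
        return None  # forged reply or wrong shared secret: assign no VLAN
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 3 or pos + alen > len(attrs):
            return None  # malformed attribute
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte above 0x1F is not a tag but part of the string (RFC 2868 3.6)
            found[atype] = value[1:] if value[0] <= 0x1F else value
    if (found.get(TUNNEL_TYPE), found.get(TUNNEL_MEDIUM_TYPE)) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    return int(group) if group.isdigit() else None
```

Real Cisco gear also accepts a VLAN name in Tunnel-Private-Group-ID; this example handles numeric ids only.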
What is Bradford?
- www.bradford-sw.com
- Combines NetReg functionality with dynamic VLAN assignment across vendors (switches, WAPs)
- Colleges adopted Bradford heavily this past Fall; reviews mixed
- You do need to do your homework: rapid development led to some bugs; Bradford swamped by new customers; may have scaling issues (5000+?)
Uses SNMP traps to the box to trigger port VLAN assignment (via CLI or RADIUS)
- Does DHCP into walled garden VLAN for pre-scan (virus, vulnerabilities, etc.), then re-assigns VLAN and re-DHCPs
- Registers MACs for permanent dynamic VLAN assignment and subsequent connections
CD4C: Discussion
Pro
- Solves several problems for colleges: forced pre-admission virus / worm scan; forced patch application; lack of client-side drivers supporting 802.1x etc.
Con
- Complex
- They did some smart things to scale but are counting on reliably receiving SNMP traps as PCs connect; that may not be a good foundation, especially at high-volume times
- Supports L3 core (mostly) but started out in the VLAN-spans-the-campus (students, faculty, admin) world
- L2 work-arounds can get ugly (plumbing)
- Can try PBR for this; it gets as ugly or uglier
Topics
Previous and Current Common WLAN Designs
WLSM!
Cisco Networkers 2004 slides about WLSM. Sources:
- http://www.networkers04.com/published/ACC2011/ACC-2011.pdf
- http://www.networkers04.com/published/RST2506/RST-2506.zip
References: WLSM
WLSM links can seem well-hidden
- Some are under switch services modules, some under WAP 1200
- Alternative: use Search to find them
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Start
Get Wired
Collect information about any existing or planned WIRED infrastructure:
- L3 to access? How far?
- Security: match WIRED 802.1x or NAC? IPsec in use for remote access? CS/ACS in place?
- PoE: match WIRED
Does the WIRED design use a L3 core?
A successful design must consider requirements for the next 2 or more years to minimize the risk and costs of substantial infrastructure changes
Layer 3 core & distribution switches: consider WLSM in light of other requirements.
WAP power alternatives:
1) All switch blades: IPT deployment
2) Add a PoE blade to support WAPs
3) Add power injectors at closet
4) Add power circuits to point of WAP deployment (time, cost)
It usually makes sense to have WAP authentication and admission control match the wired network.
To Page-2
Roaming, Authentication
- Gather info about any near-term roaming, mobility requirements
- Ask about sources of potential wireless authentication issues (PDA, phone, etc.)
- Listen to whether desktop drivers may be an issue
From Page-1
Consider VoIP over WLAN, wireless PDA, etc. Determine L2 vs. L3 mobility needs. Consider WLSM. VoWLAN also increases site survey complexity and costs, and equipment costs.
Consider PDAs, phones, bar code scanners, WLAN smoke detectors, etc. May need multiple SSIDs, VLANs. Determine capabilities and needs.
Colleges, etc. may not want to deal with desktop drivers for 802.1x, etc.
To Page-3
Security
- Listen to management concerning wireless security fears, needs, requirements
- Look at existing security policy, if available
- Examine potential risks (snooping, adverse publicity, etc.)
- Find out if multiple static or dynamic VLANs match site security needs
- Listen for any other security needs that might interact with the WLAN
- Document requirements, cycle with customer
From Page-2
To Page-4
Security
- Really need to understand customer security requirements and plans, on the WIRED as well as the WLAN side
- Web login? 802.1x & NAC? Dynamic VLANs? (Which form of them?)
- Needs regarding secure WLAN authentication
- Needs concerning WLAN confidentiality
- Risks and needs and policies concerning guest & contractor access
- Risks and fears concerning WLAN, liability
Do you trust WLAN authentication to be at least as secure as your wired port authentication technique?
Have you thought about conference rooms and unused wall ports lately? Visitor controls?
Do you want to isolate the WLANs in case future security issues turn up?
Do you have WLAN guest users?
Consider personal firewall for WLAN users (home or away)!!!
Need secure way to manage WLAN infrastructure switches and WAPs:
- Cisco WLAN Solution Engine (WLSE)
- Separate management VLAN
- ACLs restricting traffic to/from mgmt VLAN
- SSH instead of telnet
- TFTP: no authentication, but must be enabled to launch image transfer
Design
After determining requirements and other factors, build a design:
- First make the big choice (WLSM or not)
- Then lay out topology
- Then fill in high-level features to be used
- Site survey: there are choices on this
- Document design and rationale, and cycle with customer
From Page-3
SSIDs, VLANs, dynamic VLANs, addressing, authentication, encryption, roaming support, etc.
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Wired replacement with WLAN means you have a lot of VPN clients and throughput
- Stresses VPN Concentrators
- Need more VPN Concentrators ($$$$)
- Encrypted traffic & QoS?
Alternative
Infrastructure plus VLANs, WLSM?
Gotcha #2: Not All Devices Are Created Equal
What else might you want on your WLAN?
- Wireless phones
- 802.11-capable cell phone of the near future
- PDA with 802.11
- Sensors with PoE and 802.11 (HVAC, smoke, door, etc.)
Potential issue: authentication and encryption! This is where the flexibility of multiple SSIDs and VLANs provides future-proofing
Suggestions:
- Don't get overly uptight about WLAN security and overlook WIRED security
- Do consider using similar authentication for both, e.g. 802.1x
- WLAN does need encryption on wireless transmissions for confidentiality
Minor
- Needed with WLSE for assisted walkabout, client-side rogue detection, etc.
- See http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html for vendor support
- Should be fairly well supported
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other: WLSE
Management of WAPs
- Configuration archival
- Templates to send out configlets to WAPs
- WAP Fault Management
- WAP Performance Exception Management
- RF management, assisted walk-through, rogue WAP tracking
http://whatever:1741
VPN Concentrator
Consider VPN Service Module for 6500
IDS
Consider IDS Services Module for 6500
Firewall
Consider Firewall Services Module for 6500
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Cisco Press
- Cisco Wireless LAN Security, by Krishna Sankar, Sri Sundaralingam, Darrin Miller, Andrew Balinsky: http://www.amazon.com/exec/obidos/tg/detail//1587051540/qid=1105022925
- 802.11 Wireless Network Site Surveying and Installation, by Bruce Alexander: http://www.amazon.com/exec/obidos/tg/detail//1587051648/qid=1105022925/
- Wireless Local-Area Network Fundamentals, by Pejman Roshan, Jonathan Leary: http://www.amazon.com/exec/obidos/tg/detail//1587050773/qid=1105023211/
Summary
Having completed this seminar, you should now:
- Know some of the customer requirements to ask about when conducting a WLAN design
- Know how to improve the quality of your WLAN designs
- Understand various common WLAN design models, their pros and cons
- Understand Cisco technical capabilities, their pros and cons
- Understand gotchas, interactions between features
- Understand a flowchart for determining WLAN customer requirements
Thanks for coming!
Any Questions?
For a presentation copy, please email pjw@netcraftsmen.net
Chesapeake Netcraftsmen Can Provide:
- Network design review: how to make what you have work better
- Periodic strategic advice: what's the next step for your network or staff
- Network management tools & procedures advice: what's right for you
- Implementation guidance (your staff does the details) or full implementation