
HiPath Wireless Technical Presentation HWCSv4 HWMv2

Date post: 14-Nov-2014
Page 1: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Copyright © Siemens AG 2006. All rights reserved.

HiPath Wireless Market Introduction Version 4.0 Update for Consulting and Engineering

August 2006

Page 2: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless: Driving Value with Open Mobility Solutions

Presentation Contents

Introduction

Architectural Features

Operational Control Features

Solutions Enablement Features

Conclusion

Page 3: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Flexible Architecture

Operational Control

Converged Mobile

Enterprise

Solutions Enablement

HiPath Wireless: Driving Value with Converged Mobility Solutions

HiPath Wireless drives value through superior Converged Mobility Solutions while maintaining control over network operations and costs

Flexible Architecture

Product Foundation

Converged Mobility Solutions

Page 4: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Key Differentiators

HiPath Wireless' unique differentiators lie in three key areas:

Flexible, Open Architecture

• A highly flexible architecture that can accommodate many different application solutions on a single architecture

• Minimal changes needed to the physical network

Unequaled Operational Control

• Industry-leading integrated WLAN security

• Most TCO-effective, efficient management

Exceptional Solutions Enablement

• Open partner ecosystem that offers existing high-value Converged Mobility Solutions and fast integration of new ones

• A complete voice portfolio and robust multimedia features to accelerate the integration of voice & data

Page 5: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless: Converged Mobility Solutions Portfolio

• Converged Clients & Devices
• HiPath Wireless APs and Sensors
• HiPath Wireless Controllers
• HiPath Wireless Management Suite
• Converged Mobility Applications

Page 6: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Access Point

AP 2610 & AP 2620
• “Fit AP” model that efficiently shares processing load with Controller
• Dual radio 802.11a + b/g
• External and Internal Antenna versions

RF Features
• Wi-Fi Certified
• Multi-SSID (16 per AP) with individual suppression
• Load balancing and auto-failover

Plug and Play installation
• Auto discovery of Controller
• Centralized configuration deployment

Enterprise Class Access Point
• 10/100bT with PoE (802.3af)
• Wall, ceiling, and plenum (UL 2043) mounting

Page 7: HiPath Wireless Technical Presentation HWCSv4 HWMv2

SCALANCE W788-2RR: True Industrial-grade WLAN

Expands enterprise WLAN functionality to harsh industrial and outdoor environments

• Dual-radio 802.11 a + b/g access point
• Runs HiPath Wireless Access Point software for complete device management integration in mixed carpeted/concrete environments
• I-Safe compliant
• Industrial certification for: ATEX (ex area), EMC, UL, FM

Rugged housing:
• IP65 protection against dust and water
• Chemically resistant and flame-retardant
• Halogen and Silicon-free
• Safe operating temperature range: -20 to 60°C

Page 8: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Controller

Each Controller Model runs consistent HiPath Wireless Convergence SW
• Integrated HiPath Wireless Assistant web-based management interface
• Full Layer 3 Routing: Static, OSPF
• Mobile User Services: AAA Services, DHCP Services, Mobility Management (Client-independent), Roaming

Multiple Hardware Platforms

C1000 Controller
• 75-200 APs
• 4096 Users
• 2x Gig Ethernet Ports
• Redundant PSU

C100 Controller
• 31-75 APs
• 2048 Users
• 4x Fast Ethernet Ports
• Redundant PSU

C10 Controller
• 30 or fewer APs
• 512 Users
• 4x Fast Ethernet Ports

Page 9: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Management Suite

HiPath Wireless Assistant
Controller-based integrated web management:
• Access Point deployment & configuration
• VNS user segmentation and policy
• Network Statistics

HiPath Wireless Manager
Multiple Controller network management:
• Reporting, monitoring, and statistics
• Graphical network topology

HiPath Wireless Manager Advanced Services

HiGuard Module
• Sophisticated wireless intrusion prevention
• Graphical location-based services
• Intuitive management dashboard & reports

HiGuard Reporting Module
• Assesses network compliance with industry or regulatory specifications
• Intuitive reports facilitate conformance

[Diagram labels: AP Management, Controller Management, Sensor Management]

Page 10: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Manager

Centralized multi-Controller management platform for large wireless networks:
• Comprehensive global network view provided by hierarchical map
• Charts, statistics, and reports for network trend analysis
• Detailed event logs and alerts make it easy to zoom in and troubleshoot issues

Advanced Services modules available to enhance WLAN capabilities:
• HiGuard – Wireless IPS and location
• HiGuard Reporting – Compliance tool

Open APIs provide opportunity for further solution integration

Page 11: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Manager: HiGuard and HiGuard Reporting

Resolves unique “open air” challenges of managing wireless LANs

HiPath Wireless Manager HiGuard provides the following advanced services:
• State-of-the-art wireless intrusion detection and prevention capabilities
• Visual mapping and location capabilities
• Performance optimization
• Comprehensive dashboard leading to advanced charts, reports, and statistics

HiGuard Reporting delivers automated compliance assessments:
• Pre-defined regulatory reports (Sarbanes-Oxley, HIPAA, etc.)
• Ability to create customized reports

Page 12: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Client Portfolio

Wireless Telephones and Softphones

• optiClient130
• optiPoint WL2 professional
• optiPoint WL1 professional
• optiPocket

optiPoint WL2 professional WiFi Phone Features:
• 802.11b / g, SIP and CorNet IP Protocol Support
• Color Display (128 x 128), USB Port
• LDAP Dialing, Voice Recognition Dialing and Built-In Headset Jack and Speakerphone
• Embedded Linux Operating System
• Open Standards Based: WPA2/802.11i, WPA, WEP (64 / 128 bit), VPN, CCX, LEAP

Page 13: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Managed Services

Lifecycle Services

Professional Services

Network management

Security management

Multi-Vendor Support

Asset management

Service/Help Desk

24/7 Remote Monitoring

802.11 RF site survey

Network assessment

Applications assessment

Systems integration/design

Security planning

Remote monitoring, diagnostics, reporting

Hardware/software installation, maintenance, fixes, spare parts

Moves, Adds, Changes (MACs)

Training

Manage, Educate, Support, Build, Design, Consult

HiPath Wireless Services – Making WLAN even easier!

Page 14: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless: Architectural Features

Operational Control &

Effectiveness

Converged Mobile

Enterprise

Solutions Enablement

Operational Control

Flexible Architecture

Page 15: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Network Topology

HiPath Wireless Controller and Convergence Software
• Routes IP Traffic to and from Mobile Users
• Comprehensive Policy Management and User Segmentation via VNS
• Centralization of Moves/Adds/Changes

HiPath Wireless Access Points
• Plug & Play anywhere on an IP Network
• Communicates to WLAN Controller via IP

Mobile Units
• IP Addresses are from virtual IP subnet defined in the Controller
• Includes VoWLAN phones and soft clients
• Fast Secure Roaming

HiPath Wireless Manager
• Multi-controller full network management
• Intuitive dashboard plus detailed trend analysis and problem diagnosis
• Sophisticated wireless intrusion prevention
• Graphical location services

[Diagram labels: IP Network, WAN, Segment A (Real Time Data), Segment B (Factory), Segment C (Guest Access), Segment D (Voice), RADIUS Server, VoIP Platform]

Page 16: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Architecture: Enabling WLAN Mobile Convergence

Access Points
• Intelligence at edge
• Layer 2 bridge

Wireless LAN Switch
• Centralizes intelligence 100m from the edge
• Provides Layer 2 services

VLAN-based WLAN Appliance
• Centralizes intelligence with pre-configured VLANs
• Provides Layer 2 services

Mobile Session Management
• Full Layer 3 solution
• Centralizes intelligence anywhere in the network
• Converged voice & data

[Diagram labels: VLAN Network, IP Network]

Page 17: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Architecture: Split MAC versus HiPath Fit AP

Fit AP
• Decentralizes dynamic decision making (encryption, QoS, RF management)
• Centralizes management and control

Split MAC
• Splits MAC function with controller (encryption, QoS, RF management)
• Not scalable to medium-large networks

[Diagram label: IP Network]

Page 18: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless: Flexible, Non-disruptive Network Integration

Independent Wireless Domain

Best solutions for unique wireless challenges

Integrated Wired Network Services

Seamless handoff when wireless client touches wired network (or vice versa) for services and management

Intelligent Traffic Management

Optimal use of RF spectrum for peak performance, intelligent routing and switching in wireline network

Application Migration

Page 19: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless: IEEE Standard Tracking

802.11a/b/g: certified

802.11i (WPA): certified

802.11i (WPA2): certified

802.11e (WMM): certified

802.11d: certified

802.11h: supported in V4

802.11j (extensions for Japan): supported

802.11k: pre-standard work done, but full implementation not ready until standard ratification

802.11m: planned

802.11n: planned

802.11r (Fast Roaming): planned

802.11s (Mesh Networking): WDS with ST planned

802.11v/u (Radio Management enhancements): planned

Page 20: HiPath Wireless Technical Presentation HWCSv4 HWMv2

CAPWAP Tunneling Protocol (CTP)

Traffic is tunneled from Access Points to the Controller via CTP

Enables centralized WLAN management to stretch anywhere via IP

Ability to encapsulate and forward management traffic and/or user traffic

HiPath Wireless Controller (HWC)

Access Point

Page 21: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Architecture: Multiple Modes for Maximum Deployment Flexibility

Building – Coordinated Mode
• Central Management
• Central Traffic Management
• 100s APs

Small Office – Standalone Mode
• Local Management
• Local Traffic Management
• Few APs

Public Access – Any Mode
• Central Management
• Central and Local Traffic Management
• Outdoor AP

Campus – Coordinated Mode
• Central Management
• Central Traffic Forwarding
• Full Redundancy
• 1000s of APs
• DRM

Remote Office – Branch Mode
• Central Management
• Local Traffic Forwarding
• Few APs

VNS Groups: Guest, Employee, Voice, Consultant, Branch

[Diagram labels: WAN, Internet, Network, L2, L3, L2 or L3]

Page 22: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Deployment Scenarios: HQ & Campus

Med-Large Building/Campus

Characteristics
• Typical Controllers: C100 – 1536 users, C1000 – 4096 users
• Multiple Controllers can be combined to serve thousands of users
• HWCs load balance with high availability
• Controllers can be deployed centralized or distributed
• Works with multiple router hops

[Diagram labels: WAN Network, Router, VoIP Call Server, HWC, Existing L2 switch]

Page 23: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Deployment Scenarios: SME

Small Office/Department

Characteristics
• Typically HWC: C10
• WAN router optional
• Controller at small office does not need an HQ Controller unless seamless inter-site roaming required

[Diagram labels: WAN Network, WAN Router, VoIP Call Server, Existing L2 switches]

Page 24: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Deployment Scenarios: One VPN Solution, One Logical Network!

Single logical network
• No VLANs required (no leakage or configuration issues)
• Separate physical networks

Single VPN Gateway
• Remote User & Wireless Clients
• No Client Issues
• Same PKI infrastructure

WLAN Wireless Security as required
• WPA2 can be used on wireless link

[Diagram labels: Controllers, VPN Gateway, Access Points, DMZ, VPN for Remote Users, Internet]

Page 25: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Deployment Scenarios: 3rd Party AP Integration

• 3rd Party APs must reside on separate LAN segments with the Controller as the default gateway
• Controller implements policy on user traffic that traverses through it
• 3rd Party AP segment is defined as a special “VNS” with its own IP address space

[Diagram labels: 3rd Party APs, LAN Segments, RADIUS, IP Network]

Page 26: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Branch Support: Limitations in Large Distributed Environments

Second Generation WLAN (Fat AP)
• Introduced management server to handle some distributed functionality
• However, customers seeking full 3G functionality require separate WLANs

Third Generation WLAN (Thin AP)
• Introduced “branch controllers” to keep WLAN traffic local
• However, this adds management complexity and is costly

[Diagram labels, Fat AP: Internet, Headquarters Office, Branch Office 1, Branch Office 2, Software-based Management Appliance, Management Traffic]

[Diagram labels, Thin AP: Internet, Headquarters Office, Branch Office 1, Branch Office 2, Controller, Mini-Controller]

Page 27: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Branch Support: Traffic Segmentation for Peak Performance

• HiPath Wireless Access Points can dynamically decide if traffic should remain local or be routed to the Controller
• Traffic segmentation policy defined at the Controller
• Sensitive real-time applications enjoy optimal performance

[Diagram labels: Internet, Headquarters, Branch Location, Local, Central]

Page 28: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless: Operational Control Features

Operational Control &

Effectiveness

Converged Mobile

Enterprise

Solutions Enablement

Operational Control

Flexible Architecture

Page 29: HiPath Wireless Technical Presentation HWCSv4 HWMv2

HiPath Wireless Meets Your Operational Needs

Maintenance & Configuration
• Centralized management
• User segmentation and policy management
• User adds/changes/deletes
• Software upgrades

Monitoring
• Visual network map and location services
• Support for standard management protocols
• Verbose charts, statistics, and reports
• Troubleshooting tools

Deployment
• Site Planning
• Easy device installation

Availability
• Controller & AP redundancy
• Dynamic RF management

Scalability
• Controller Capacity

Security
• Encryption & authentication support
• Wireless IDS/IPS

Performance
• Ability to define & optimize traffic flow
• Support for multi-site deployments
• Visual RF coverage mapping
• Voice optimization and QoS

Interoperability
• Standards support & certification

However, above all else:

“Customers have moved from asking if the technology works and interoperates to asking how wireless LAN can benefit their company and how it can be deployed and managed in a secure and cost-effective fashion.”

Source: US WLAN Equipment 2005-2009 Forecast by Vertical Market, IDC 2005

Page 30: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: HiPath Wireless Assistant

Web-based centralized management interface that resides on the Controller and administers all associated Access Points

Primary configuration interface for HiPath Wireless networks

Access Point deployment

Virtual Network Services (VNS) segmentation

Dynamic RF Management

Accounting, reports, alerts, and statistics

Page 31: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: Virtual Network Services (VNS)

VNS groups can segment users, devices, or applications
• Each VNS tied to an SSID
• Each Controller supports up to 50 VNS groups

Logical layer 3 segmentation eliminates complicated configuration of VLANs

Network privacy maintained
• Each VNS has a discrete IP address space
• Network filters ensure that VNS groups are kept separate
• Users can only see authorized resources (e.g. Guest web access)

[Diagram: VNS Segmentation. Labels: Internal Network, Internet, Secure Network, Guests, VoIP Server, Voice Users, Captive Portal, Staff, Data]

Page 32: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: VNS Management – Unique & Discrete Policy Control

Each VNS is configured with distinct settings:
• IP networking parameters
• Session timeout values
• Network resource Access
• Security policy
• QoS Settings
• Multicast settings
• Local or centralized traffic forwarding
• 802.11 RF settings
  • Assign SSID and suppression
  • Applicable APs and radios

Page 33: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: VNS Management – Flexible Traffic Forwarding

Each VNS can be configured to bridge traffic locally at the AP instead of through the Controller (default)

Management information (statistics, logs, etc.) and authentication traffic are still forwarded centrally

Page 34: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: VNS Management – Security Settings

Separate security options can be defined for each VNS group:

Authentication
• Captive Portal
• Internal or external server
• MAC-based Authentication
• RADIUS, 802.1X
• Tested interoperability with leading RADIUS vendors (Funk, Microsoft)

Privacy (Encryption)
• 64, 104 & 128 bit WEP
• WPA-PSK with AES
• WPA with TKIP
• WPA2 with AES (802.11i)

Page 35: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: VNS Management – QoS Prioritization

• QoS can be enabled or disabled on a per-VNS basis
• Six QoS options available:

1. Best Effort
2. WMM priority
3. Pre-WMM priority
4. Pre-WMM and WMM priority
5. Voice VNS without WMM
6. Voice VNS with WMM

• QoS policy is enforced by VNS
• Ensures high-priority user groups and/or real-time applications get the performance they need

Page 36: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: VNS Management - Filtering

• VNS groups can only see specified resources
• VNS groups are logically discrete and not viewable by other VNS groups

Filter characteristics:
• 2048 filters per HWC
• Default filters for pre and post authenticated sessions
• Users can be assigned to individual filters based on authorization response

Page 37: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: Access Point Software Upgrades

Centralized distribution of AP software updates minimizes ongoing maintenance costs
• Retrieve AP images
• Manage up to 10 different AP image versions
• Upgrade behavior defined for each AP:
  • Controlled Upgrades push a specific software version to a single AP or group of APs
  • Default AP image is loaded each time the AP boots

Page 38: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Maintenance & Configuration: Client (Mobile Unit) Management

Individual users can be identified to allow administrators to take immediate action:

Disconnect at AP
• Effective to force re-authentication

Blacklist
• MAC Addresses not allowed to associate with any AP
• Import and export functions
• Up to 768 blacklist members per Controller

Page 39: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Monitoring: HiPath Wireless Assistant Reports

Page 40: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Monitoring: Management Logging

AP and Controller information is gathered into log files
• 5 different configurable priority levels

Log information can be directed to multiple locations:
• Local Controller log file
• External Syslog server
• Up to 3 Syslog Reporting servers simultaneously

Traces can be set up for troubleshooting

Page 41: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Monitoring: RADIUS Accounting

Either stored locally on Controller or externally to up to 3 RADIUS Accounting servers

Accounting Data

User Information
• Userid
• MAC Address
• VSAs

Usage Information
• Session Time
• Bytes/Packets Exchanged
• Terminate reason

Accounting information configured per VNS and sent as Call Detail Records (CDRs) or RADIUS Accounting

Page 42: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Deployment: Plug & Play AP Installation

AP Discovery
• Acquire IP address
• Acquire Controller IP address(es)
• Provision via Controller configuration

Then

AP Registration
• Authenticate
• Get Configuration
• Be Managed
• Provide WLAN user service

[Diagram labels: DHCP, DNS]

Plug & Play installation via automatic Controller discovery makes WLAN deployment faster and easier

Page 43: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Deployment: Plug & Play AP Installation – Discovery Options

Dynamic Discovery
• Enables more than one way for APs to discover HWC
• Enterprise can leverage infrastructure or apply preference

1. SLP – for highest reliability
2. DNS – for simplest automated discovery
3. SLP Multicast – for L2 only network

• All discovery mechanisms enabled
• Continuously attempts all mechanisms until connected to a Controller

AP Discovery Order:
1. Static
2. SLP
3. DNS
4. SLP Multicast

Static Discovery
• APs can be manually configured with an IP address and Controller IP address(es) to expedite discovery and registration
• Remaining deployment information pushed from the Controller upon boot

Page 44: HiPath Wireless Technical Presentation HWCSv4 HWMv2

High Availability: End-to-End WLAN Resiliency

Session continuity
• Survival through Access Point and network outages

Redundant Controllers
• Ensure against controller outage
• Redundant power supplies
• Run in load sharing mode

Survives network failures
• Multiple interface support on controller
• Full functioning router

Page 45: HiPath Wireless Technical Presentation HWCSv4 HWMv2

High Availability: Load Sharing Controller Failover

• Controllers are paired for redundancy, and each must continually provide Access Point information to its paired Controller
• Each Controller monitors for Controller and/or network failure
• Once failure is detected, Controller will accept AP connections from its availability partner
  • AP capacity limit can be doubled in this circumstance
• APs are re-associated with primary Controller via management interface once functionality is restored

Advantages over N+1 redundancy configurations:
• Unlike N+1 redundancy configurations, both primary and backup Controllers are always actively servicing users
• Requires the minimum amount of hardware (less than or equal to N+1)

Page 46: HiPath Wireless Technical Presentation HWCSv4 HWMv2

High Availability: Load Sharing Controller Failover – The AP’s Role

• Access Points learn address of failover Controller during discovery
• Keep alive mechanism to detect failure is built in to AP-Controller communications (CTP):
  • Polling times are configurable
  • Re-discovers to “secondary” Controller after failure
  • AP is assigned to a VNS pre-configured by administrator

[Diagram labels: HWC 1 - Primary, HWC 2 - Secondary, AP1, AP2, AP 3, AP4, VNS A, VNS B, VNS C, VNS A’, VNS B’]

Page 47: HiPath Wireless Technical Presentation HWCSv4 HWMv2

High Availability: Dynamic Radio Management (DRM)

• Dynamic optimization of RF power and channel selection performed cooperatively by Access Points
• Centralized Controller-based configuration
• Managed RF signal co-existence with friendly neighbouring networks

High availability and performance through automatic Access Point fault tolerance and client load-balancing

Page 48: HiPath Wireless Technical Presentation HWCSv4 HWMv2

High Availability: DRM Coverage Types

[Diagram: Management Power and Data Power, shown with Shaped Coverage OFF and Shaped Coverage ON]

Page 49: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Security: Comprehensive Integrated WLAN Security

HiPath Wireless lets enterprises achieve the benefits of WLAN without the security risks:
• 802.11i / WPA2 standard support for Authentication and Data Confidentiality
• Proactive Intrusion Detection and Prevention via HiPath Wireless Manager HiGuard
• Captive Portal and Guest Services
• Seamless integration with wired network VPN and authentication infrastructure

[Diagram labels: RF Level Security (Wireless IPS); Frame Level Security (802.11i/WPA2); Session Level Security (802.1X); Data Confidentiality and Integrity; Authentication and Access Control; Intrusion Detection and Prevention]

Page 50: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Security: HiPath Wireless Full Range of Security Options

RF-Level Options
• Multi-tasking APs scan network & provide access
• “Dedicated IDS” Rogue Detection APs
• HWM HiGuard Sensors
  • Threat Auto-classification
  • Continuous Scanning
  • Simultaneous attack prevention & detection
  • Visual location and mapping

Frame-Level Options
• WEP: CRC-32 (RC4) Encryption, Pre-shared Key Authentication
• WPA: TKIP (RC4) Encryption, 802.1X Authentication
• WPA2 (802.11i): CCMP (AES) Encryption, 802.1X Authentication

[Diagram axis label: Degree of Security]

HiPath Wireless features an array of security features to meet your company’s specific needs

Page 51: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Security: 802.1x and EAP Authentication

• 802.1x security protocols are tunneled to the Controller
• 802.1x defines Extensible Authentication Protocol over LAN (EAPoL)
• The Controller terminates EAPoL and forwards EAP messages in RADIUS messages
• Clients exchange EAP messages directly with the RADIUS server

[Diagram labels: Access Point, HiPath Controller, RADIUS; EAPoL, RADIUS; EAP (TLS, TTLS, PEAP, SIM, FAST)]
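
The relay step on this slide (EAPoL terminated at the Controller, EAP carried onward in RADIUS), sketched as an added example that is not part of the presentation and not Siemens code. It assumes the standard RFC 3579 encapsulation (EAP-Message attributes protected by a Message-Authenticator HMAC), which the slide does not spell out; the function names, shared secret and identity are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constants from IEEE 802.1X, RFC 3748 (EAP) and RFC 2865/3579 (RADIUS).
EAPOL_EAP_PACKET = 0
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_VALUE = 253  # a RADIUS attribute carries at most 253 value bytes


def eap_from_eapol(frame: bytes) -> bytes:
    """Authenticator side: strip the 4-byte EAPoL header, return the EAP packet."""
    if len(frame) < 8:
        raise ValueError("truncated EAPoL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPoL frame does not carry an EAP packet")
    body = frame[4:4 + body_len]
    eap_len = struct.unpack("!H", body[2:4])[0]  # EAP length covers its own header
    if len(body) != body_len or not 4 <= eap_len <= body_len:
        raise ValueError("EAPoL/EAP length mismatch")
    return body[:eap_len]


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(eap: bytes, secret: bytes, identifier: int,
                         user_name: bytes) -> bytes:
    """Wrap an EAP packet, unmodified, in a RADIUS Access-Request."""
    attrs = _attr(USER_NAME, user_name)
    # EAP packets longer than 253 bytes are split across consecutive attributes.
    for i in range(0, len(eap), MAX_VALUE):
        attrs += _attr(EAP_MESSAGE, eap[i:i + MAX_VALUE])
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while hashing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    # HMAC-MD5 over the whole packet; the attribute is last, so fill the tail.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def iter_attrs(packet: bytes):
    """Yield (type, value_offset, value) for each attribute after the header."""
    pos, end = 20, len(packet)
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed RADIUS attribute")
        length = packet[pos + 1]
        yield packet[pos], pos + 2, packet[pos + 2:pos + length]
        pos += length


def check_and_extract_eap(packet: bytes, secret: bytes) -> bytes:
    """RADIUS-server side: verify Message-Authenticator, reassemble the EAP packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    zeroed, received, eap = bytearray(packet), None, b""
    for attr_type, offset, value in iter_attrs(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            received = value
            zeroed[offset:offset + 16] = bytes(16)
        elif attr_type == EAP_MESSAGE:
            eap += value
    if received is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch")
    return eap


def sample_eapol_identity(identity: bytes, eap_id: int = 7) -> bytes:
    """Constructed EAPoL frame carrying an EAP-Response/Identity."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity),
                      EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    eap = eap_from_eapol(sample_eapol_identity(b"alice@example.org"))
    request = build_access_request(eap, secret, 42, b"alice@example.org")
    print(len(request), check_and_extract_eap(request, secret) == eap)
```

The relay never interprets the EAP method itself, which is why the client and the RADIUS server can run TLS, TTLS or PEAP end to end; a receiver that drops requests failing the Message-Authenticator check rejects EAP payloads altered between Controller and server.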

Page 52: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Security: Importance of Wireless IDS/IPS

• Most enterprise WLAN vendors have standardized on 802.11i (WPA2) WLAN security
• However, industry standards focus on securing packets and validating users, but ignore securing the air
• No industry standard exists for securing the RF level
• Wireless Intrusion Detection and Prevention (IDS/IPS) complements frame-level mechanisms for complete WLAN security

Exploits & Attacks
• Unauthorized Access
• Denial of Service (DoS)
• Man in the Middle
• IP Spoofing
• Hijacking

[Diagram labels: Enterprise Network, Neighboring Network, Ad Hoc, Denial of Service Attack, Rogue AP, Mis-Configured AP, Unauthorized Association, Mis-association, Honeypot, AP MAC Spoofing]

Page 53: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Security: Integrated AP Rogue Detection

Scan Task
• Selected HiPath Wireless APs scan the RF space at pre-defined intervals for Rogue APs and Ad Hoc networks

RFDC
• Collects the raw scanned information from each scanning HiPath AP
• Forwards it to the Analysis Engine

Analysis engine
• Analyzes all information centrally
• Reports and events can be viewed from HiPath Wireless Assistant
• SNMP alerts and traps can be sent

[Diagram labels: Scan Task, RFDC, Analysis Engine, SNMP Server (Unicenter, Tivoli, Openview), HiPath Wireless Assistant]

Page 54: HiPath Wireless Technical Presentation HWCSv4 HWMv2

Security: Integrated AP Rogue Detection - Mitigator

Rogue AP detection information found in the Mitigator section of HiPath Wireless Assistant

Scan Groups define rogue detection parameters
• Designate scanning APs and intervals
• Configure channels and dwell time

Reports provide:
• Summary threat page
• Detailed information on each threat
  • Detecting APs
  • Type of threat

Friendly AP incorporation
• Detected APs can be added to the Friendly list
• Ability to manually add friendly APs
• 3rd Party APs automatically added


Security: WebJail Quarantine

Security
• Ability to quarantine and redirect
• Dynamic policy management

Partner Ecosystem API
• Provides dynamic feedback on WLAN and user states for customized user redirection

Actions:
• Blacklist an IP address
• Change VNS (to/from quarantine VNS)
• Controller disassociates and automatically moves user to quarantine VNS
• Dynamic traffic filtering

[Diagram: Internet, Approved, Approved Group B, Secure Network, Network, Quarantined]

Remedial Server:
• Check Point Zone Labs
• Bradford
• Tipping Point
• API link for customization


Scalability: Multi-Controller Mobility

In a multi-Controller environment, Controllers are defined as either a “VN Manager” or a “VN Agent”

VN Manager is responsible for managing the distribution of client session information to all VN Agents

VN Agents associate with a VN Manager, creating a “Mobility Domain”
• VN Agents only communicate with the VN Manager
• If a VN Agent fails, VN Manager will clean up the session information

[Diagram: VN Manager, two VN Agents, VN Management Messages]


HiPath Wireless Manager: Centralized Multi-Controller Management

Comprehensive global network view provided by hierarchical map

Network auto-detection:
• Installed Controllers and associated APs
• Mobility zones
• Availability pairs

Click on a Controller to automatically launch HiPath Wireless Assistant for configuration changes


HiPath Wireless Manager: Comprehensive Monitoring Tools

Consolidated charts, statistics, and reports for network trend analysis

Detailed information kept on every associated user and device for easy problem isolation

Alerts can be set for:
• Specific events (e.g. device failures)
• Surpassed thresholds

[Chart labels: Associated Clients, Aggregate Bandwidth (%, Mbps), Tunnel Traffic (bytes), Busiest Devices, RADIUS Requests/Failures]


HiPath Wireless Manager HiGuard: Architecture

HiPath Wireless Manager HiGuard:

1. Builds a model of the network

2. Directs real-time sensing of the network

3. Analyzes sensing results via heuristics

4. Forwards results to core RF management services:

Intrusion Prevention (IPS)

Location Services

Performance Optimization

Network Monitoring and Control

[Diagram: Real-time Monitoring, HWMA Analysis Engine, Network Monitoring and Control, Policy Manager, Intrusion Prevention, Performance Optimization, Location Services, Modeling Interface, HiPath Wireless Controllers, 3rd Party Management Tools, 3rd Party Planning Tools]


HiPath Wireless Manager HiGuard: Superior Wireless Intrusion Prevention (IPS)

HWM HiGuard deploys sensors to continually scan the RF space to detect and defend against threats the standards (e.g. 802.11i) don’t touch

HiPath Wireless Manager HiGuard automatically:
• Identifies and classifies potential threats, enabling administrators to find and remove them from the network
• Identifies friendly neighboring devices and users to allow co-existence without compromising network resources

Proven best in class performance among both standalone and integrated IDS/IPS solutions
• 100% success vs 65%-75% from competitors (Tolly Group, 2006)

Visual representations of the RF coverage area and wireless devices make threat removal especially easy

NOTE: Defending the air space surrounding the network should be a requirement even if there is no wireless LAN support


HiPath Wireless Manager HiGuard: Location Services

Locate any device on the network (3m accuracy):

By distance from sensors or by visual map

Temporarily activate additional APs as sensors for greater accuracy

Use for security, asset tracking, etc. or open interface into 3rd party apps


HiPath Wireless Manager HiGuard: Visualized Performance Optimization

Multiple views available:
• Coverage view by radio and AP
• Link Speed view
• Sensor IPS and IDS coverage

Real-time visualization enables optimal device placement to maximize performance and protection


HiPath Wireless Manager HiGuard: Monitoring and Reporting

Intuitive management dashboard provides summary evaluations at a glance

All views and reports can be launched from here (charts, graphs, logs, reports, etc.)

Automated compliance reporting (with HiGuard Reporting module)


HiPath Wireless Manager HiGuard Reporting: Automated Compliance Reports

Audits conducted at defined intervals based on event history and compared with regulatory compliance specifications

Available pre-defined reports:
• DoD Directive 8100.2
• Gramm-Leach-Bliley
• Sarbanes-Oxley
• HIPAA

Custom report tool enables definition of test criteria specific to your own company or industry


HiPath Wireless: Solutions Enablement Features

[Diagram: Converged Mobile Enterprise; Flexible Architecture, Operational Control, Solutions Enablement]


HiPath Wireless Meets Your Solutions Needs

“Operational and security discussions will be augmented by the emergence of new applications and product functions that increase the value and ease the steps required to take advantage of network portability and mobility in the enterprise.”

Source: US WLAN Equipment 2005-2009 Forecast by Vertical Market, IDC 2005

Voice-over-WLAN and Multimedia
• H.323 and SIP support
• VoWLAN client interoperability
• Optimized voice performance and power-saving
• 802.11e/WMM support
• Multicast support

Location-based Services
• Location accuracy
• Network Visualization
• Coordination with LBS applications
• Support for active RFID technology
• Visual network map and location services

Guest Networking
• Ability to segregate guest users
• Transparent, secure authentication
• Accounting and billing

Solution Integration
• Partner solutions portfolio
• Integration APIs
• Certification program


Enabling Mobility Solutions

HiPath Wireless makes it faster and easier to deliver complete converged mobility solutions that enhance your business processes

Converged Mobility Solutions deliver optimal performance & functionality through:
• A portfolio of existing partner solutions
• A solution certification program for customers and system integrators
• Open APIs for custom development:
  • Location coordinates
  • Presence information
  • Call control information

HiPath Wireless Partners:


Voice-over-WLAN (VoWLAN): Secure Fast Roaming

HiPath Wireless method: Pre-Authentication with Key Caching
• Highest security
• Fast secure L3 roaming (< 40ms controller to controller)

| Description | Pro | Con |
|---|---|---|
| WPA2 pre-authentication and Key Caching (HiPath Secure Fast Roaming) | Eliminates the latency contribution of 802.1x authentication; maintains a high level of voice security | Requires handset support for WPA2; extra authentication overhead due to pre-authentication |
| Key Sharing | Eliminates the latency contribution of 802.1x authentication | Reduces the overall security by sharing PMKs across the network |


Voice-over-WLAN (VoWLAN): Secure Fast Roaming

WPA2 client simultaneously establishes Pairwise Master Key (PMK) with primary AP and pre-establishes PMKs with neighboring APs
• This forces the client to re-authenticate prior to roaming
• The Controller allows WPA2 to pre-authenticate

When roaming, the WLAN client is already pre-authenticated by controller and is allowed to roam seamlessly

[Diagram: WPAv2 client; PMK established with primary AP; PMK established with neighboring AP]


Voice-over-WLAN (VoWLAN): Quality of Service: 802.11e / WMM

Enabled per VNS/SSID

4 priority queues per radio

Recommended when voice and data traffic share same SSID

Prioritizes voice traffic

Adaptive (end-to-end) QoS:

CTP IP packet automatically configured to DSCP matching WMM marking

The HiPath Wireless Portfolio is Wi-Fi Multimedia (WMM) certified

| WMM Priority Marking | Priority (3=highest) | Description |
|---|---|---|
| AC_VO | 3 | Voice |
| AC_VI | 2 | Video |
| AC_PR | 1 | Prioritized non-RT Data |
| AC_DA | 0 | Data |


Voice-over-WLAN (VoWLAN): Quality of Service: Adaptive QoS

HiPath Wireless maintains IP QoS prioritization between the wired and wireless networks
• IP TOS field (DiffServ/Precedence) copied to CTP header
• Entire 8 bits are copied
• Client IP QoS maintained within CTP

Adapts seamlessly to existing wired QoS policies

[Diagram: Subnets A, B, C, x, y; VNS; Voice Gateway; IP TOS field, bits 0 to 7]


Voice-over-WLAN (VoWLAN): End-to-end Voice Quality of Service (QoS)

High Quality Voice
• R-value >78 for 12 concurrent calls
• Turbo Voice queue

Legacy QoS
• SpectraLink SVP (VIEW certified)
• Prioritization by SSID

Battery Life
• optiPoint WL2 power optimization
• UAPSD

End to end QoS
• 802.11e / WMM
• DiffServ
• Adaptive QoS

Call Admission Control
• TSPEC (client and AP)

Load Balancing
• QBSS Load, Neighbor reports

[Diagram: WMM; IP TOS/Prec/DSCP; Subnets A, B, C, x, y; VoIP Gateway; LAN QoS Traffic Shaper]


Voice-over-WLAN (VoWLAN): Enhanced Roaming with QBSS Load IE

Beacon & Probe Request (SSID, …, QBSS load)

| QBSS LOAD | 2.4G available bandwidth | 5G available bandwidth |
|---|---|---|
| AP 1 | 3 MBps | 20 MBps |
| AP 2 | 8 MBps | 12 MBps |
| AP 3 | 4 MBps | 15 MBps |
| AP 4 | 2 MBps | 7 MBps |

[Diagram labels: Associated, Least Busy]


Voice-over-WLAN (VoWLAN): AP Channel Report

Siemens proprietary IE provides details of all configured channels per radio/SSID for the entire wireless network

As a result, the client has fewer channels to scan
• Reduces roaming time
• Increases battery life

Beacon & Probe Request (SSID, …, AP channel report 1,6,11)

VNS-SSID Voice: Channels 1,6,11


Voice-over-WLAN (VoWLAN): Call Admission Control (CAC)

Client device requests a TSPEC (ADDTS) from the Access Point

AP responds with success or failure (accept or deny)

AP responds based on CAC rules:
• If Util < MAXNew: Accept
• If MAXNew < Util < MAXRoam: Accept only established calls that are roaming
• If Util > MAXRoam: Deny

If denied, client attempts association with the next best AP based on QBSS Load IE

[Diagram: ADDTS against a Utilization (Util) scale from 0% to 100%: Allow New Calls, 60% = MAXNew, Allow Roaming, 80% = MAXRoam, Deny]
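The CAC rules above as an added example (not from the original presentation or any Siemens code): the AP side applies the MAXNew and MAXRoam thresholds to an ADDTS request, and the client side falls back to the next best AP when denied. The per-AP utilization figures, the 4% cost per admitted call, ranking candidates by lowest utilization as a stand-in for the QBSS Load IE, and the treatment of values exactly on a threshold are all assumptions.

```python
from dataclasses import dataclass

MAX_NEW = 60.0    # "60% = MAXNew" on the slide
MAX_ROAM = 80.0   # "80% = MAXRoam" on the slide


@dataclass
class AccessPoint:
    name: str
    util: float   # current utilization in percent (constructed sample value)

    def handle_addts(self, roaming: bool, cost: float) -> bool:
        """AP side: answer a TSPEC (ADDTS) request, True = accept, False = deny.

        Assumption: a value exactly on a threshold falls into the stricter band,
        because the slide only defines the strict inequalities.
        """
        if self.util < MAX_NEW:
            accepted = True            # new and roaming calls are both admitted
        elif self.util < MAX_ROAM:
            accepted = roaming         # only established calls that are roaming
        else:
            accepted = False           # deny everything
        if accepted:
            self.util += cost          # the admitted stream consumes capacity
        return accepted


def place_call(aps, first_choice, roaming, cost=4.0):
    """Client side: try first_choice, then the other APs from least to most loaded.

    Returns (name of the admitting AP or None, [(ap name, accepted), ...]).
    """
    by_name = {ap.name: ap for ap in aps}
    fallbacks = sorted((ap for ap in aps if ap.name != first_choice),
                       key=lambda ap: ap.util)
    attempts = []
    for ap in [by_name[first_choice]] + fallbacks:
        accepted = ap.handle_addts(roaming, cost)
        attempts.append((ap.name, accepted))
        if accepted:
            return ap.name, attempts
    return None, attempts


def sample_network():
    """Constructed utilization values for four APs."""
    return [AccessPoint("AP1", 72.0), AccessPoint("AP2", 55.0),
            AccessPoint("AP3", 83.0), AccessPoint("AP4", 64.0)]


if __name__ == "__main__":
    aps = sample_network()
    for first, roaming in [("AP1", False), ("AP1", False), ("AP1", False),
                           ("AP3", True), ("AP1", True)]:
        kind = "roaming" if roaming else "new"
        print(kind, "call via", first, "->", place_call(aps, first, roaming))
```

Running the sequence shows the two thresholds doing different jobs: AP2 stops taking new calls once it crosses 60%, yet still admits a call roaming away from the overloaded AP3.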


Voice-over-WLAN (VoWLAN): Balancing WLAN Security & Voice Performance

[Diagram columns: Security, High-Performance Voice]

Some suggest compromise:

Voice and data segregated by VLANs to maintain data WLAN security
This does not work because:
• Voice network is still vulnerable
• Limited application convergence

Use of less robust but more efficient security (e.g. WEP) ensures high quality voice
This does not work because:
• The security problem is not solved

To achieve Secure WLAN & VoWLAN today:

• Encryption: WPA2 & WPA2-PSK
• Authentication: 802.1x or PSK
• Roaming: 802.1x w/ pre-auth
• WIDS/WIPS: prevent credential compromises

• QoS: 802.11e (WMM)
• AP reports for better roaming and load balancing decisions (e.g. QBSS load IE)
• Optimized end-to-end VoIP network with minimal packet loss and jitter

Further enhancements coming:

• 802.11r – next generation secure fast roaming
• CAC: WMM TSPEC
• Power save: U-APSD
• 802.11k: better roaming decisions
• 802.11u: advanced CAC (e.g. e911)


Dual-mode VoWLAN – Public Network Roaming

Consistent feature set & UI

ONE mailbox & ONE directory

ONE number service

[Diagram: Enterprise IP Network, HiPath 8000 softswitch, Mobility Appliance, HiPath Wireless Network, LAN, Public Mobile Network, Hand-over Control, Cellular communication, Enterprise on-site, Mobile on-/off-site]


Voice-over-WLAN (VoWLAN): HiPath WLAN Controller & HiPath Integration

[Diagram: Large Enterprise / Campus, Small Enterprise / Building and Branch Office sites, with PSTN and Corporate WAN. Labels: HiPath 3-8K Communication Platforms (incl. GWs), HiPath 3000, HiPath WLAN Controller, optional, HiPath Access Points, HiPath WLAN Handset, optiClient, All-in-One Solution (HiPath 1/3K, Access Router, LAN-Switch, WLAN Controller)]


HiPath Wireless Guest Networking Solutions

Providing WLAN access to guests gives businesses:

An additional revenue stream

Increased customer satisfaction

Higher competitiveness and productivity for visiting employees or partners

Guest services over HiPath Wireless leverage existing infrastructure while maintaining corporate network security and performance

VNS defining unique security, performance, and network access

Partnership with Garderos delivers a complete Guest Services solution, including:
• User registration
• Authentication
• Accounting
• Billing


HiPath Wireless Location Service Solutions

Location-based Services (LBS) let companies:
• Track staff across campuses
• Find key equipment or inventory
• Efficiently deploy mobile resources

LBS boosts resource productivity and availability, and minimizes the costs of theft or loss

HiPath Wireless Manager HiGuard can locate any device on the network to within 3 meters, and represent it on a floor plan

Partnerships help to deliver real-time location services and can use RFID tags to track anything

“A new class of enterprise application that… use[s] the mobile and ubiquitous nature of the WLAN to support business processes in ways a wired network cannot.

In essence, the network becomes a source of business data instead of a mere conduit.”

Source: US WLAN Equipment 2005-2009 Forecast Update, IDC 2005

Location Partners:


HiPath Wireless Healthcare Solutions: One infrastructure for all solutions

Mobile Data Access

Mobile Monitoring

Monitor Alerting

VoWLAN and Nurse Call

Hotspot for Patients and Visitors

RFID Services

Key HiPath Wireless Features:
• Excellent QoS and fast secure roaming
• Ability to segregate voice traffic from mission-critical data via VNS
Siemens Solution Components:
• HiPath IP Communications Platforms
• optiPoint WL2 professional phone and optiClient soft phone
Partners:
• Vocera
• SpectraLink
Benefits:
• Always reachable and able to communicate
• Fast emergency response

Key HiPath Wireless Features:
• HiPath Wireless CAC to ensure that alerts receive uninterrupted priority access
Siemens Solution Components:
• DACS Alerting Server
• optiPoint WL2 professional phone
• HiPath IP Communications Platforms
Benefits:
• Staff receive alerts immediately
• Fast emergency response

Key HiPath Wireless Features:
• Segregation of medical staff from patients and visitors via VNS
• Strict WPA2 (802.11i) authentication and encryption comply with industry regulations
Partners:
• Draeger WinView
Benefits:
• Secure real-time access to centralized patient data for medical staff everywhere in the hospital and in branches
• Elimination of paper files and separate, error-prone data transfer into IT system

Key HiPath Wireless Features:
• VNS-segregated patient services and guest networking from medical staff and resources
• Captive Portal – All guest traffic is directed to a login page (internal or external)
VoWLAN Solution Components:
• HiMed
Partners:
• Garderos
Benefits:
• Additional revenue stream
• Improved patient service

Key HiPath Wireless Features:
• VNS segregation of high-priority vital sign traffic with QoS
• Access Points bridge monitoring traffic locally for highest performance & reliability, while forwarding other traffic centrally
Siemens Solution Components:
• HiPath QoS 2000
Partners:
• Draeger Infinity One Net
Benefits:
• Centralized monitoring and remote control from Draeger MultiView WorkStations
• Fast emergency response


Multimedia: Real-time Application Optimization

Challenges:

Monitoring and alerting must be responsive and resilient

End-to-end QoS is needed

Atypical network applications

HiPath Wireless Ensures:

WLAN multicast support for real-time monitoring via Dräger Infinity OneNet, etc.

Fit APs can locally bridge specific applications for dedicated high performance

Interoperability with HiPath QoS 2000 for end-to-end QoS

HiPath Wireless is the industry’s only Dräger-certified WLAN, and delivers the most optimized solution for real-time healthcare applications with unique multicast and traffic bridging support

[Diagram: Dräger Real-time Optimization. Hospital WLAN, Hospital LAN, Segregated Dräger Network, VoIP Server, Voice Users, Staff, Data, Dräger Infinity OneNet, Dräger Monitor. Local traffic bridging and multicast support enabled; centralized management]


RFID Application Scenarios in Healthcare

HiPath Wireless Manager HiGuard can locate any device on the network to within 3 meters, and represent it on a floor plan

Tight integration with RFID-based vendors provides hospitals with complete real-time location services

• RFID wristbands identify patients
• Tracking and identification of pharmaceutical inventories
• Access and inventory of pharmaceutical cabinets and Medical Records
• Real-time patient location systems
• Accurate identification of medications for safety check
• Asset & equipment tracking
• Access to parking areas
• Tissue sample and other medical product identification

Location Partners:


HiPath Wireless Manufacturing Solutions: One infrastructure for all solutions

VoWLAN

Data Entry

Bar Coding and Inventory

Location Services

Mobility for Outdoor & Harsh Environments


HiPath Wireless Manufacturing Solutions: Network Topology

[Diagram: Office Space and Shop Floor Industrial WLAN. Labels: HiPath 3-8K, HiPath Wireless Controllers, HiPath Wireless Access Points, optiClient, PSTN, Company WAN, HiPath QoS 2000, W788-1PRO, W744-1PRO, ET200S PN, IE/PB Link PN IO, ET200X, PROFIBUS, IO-Devices, Industrial Ethernet]


HiPath Wireless Manufacturing Differentiators: SCALANCE W Industrial-grade WLAN Integration

[Diagram labels: Corporate Office, Plant Floor]

Challenges:

Overcome harsh climate and interference issues

Centralized management of dispersed infrastructure

Unified WLAN across carpeted office and plant floor

Use of enterprise applications

SCALANCE W Delivers:

Highly rugged housing and industry certifications

Full management and feature integration with centralized HiPath Wireless Portfolio

Integration of the SCALANCE W Access Point extends WLAN access and the unique Converged Mobility Solutions to harsh manufacturing environments

[Diagram: SCALANCE W Integration. Centralized management of all Access Points; users can seamlessly move between the office and the plant floor]


Conclusion


Driving Value with Converged Mobility Solutions

HiPath Wireless drives value through superior Converged Mobility Solutions while maintaining control over network operations and costs

A strong foundation for the Converged Mobile Enterprise:

Flexible, open architecture

Highly secure and easy to manage

A suite of network-aware converged applications supported by a robust partner program

Converged mobility solutions are able to build on the initial WLAN foundation to continually drive value as enterprise needs evolve

HiPath Wireless can help your organization develop into a more competitive, adaptive, and flexible Converged Mobile Enterprise


Why Choose HiPath Wireless?

Complete Enterprise Communications Solutions
• Global leader in converged IP voice communications
• Platforms, client devices, applications, professional services
• Long-standing leadership in wireless and radio communications

Investment Protection
• Scalable, ‘future proof’ design based on industry standards
• Architected and ready for voice/data convergence
• Vendor commitment and viability

Trusted Provider
• Proven leadership in innovation
• Worldwide enterprise communications revenue of over $3.5 billion
• Global presence


BACKUP


What’s so Different? Technology

[Diagram labels: Split MAC AP, Fit AP, Fat AP, Coordinated Mode, Stand-Alone Mode]

| | Fit AP (coordinated) | Fit AP (branch) | Split MAC | Fat AP |
|---|---|---|---|---|
| Termination of PHY | AP | AP | AP | AP |
| Termination of MAC | AP | AP | Controller | AP |
| Termination of management protocols | Controller | Controller | Controller | AP |
| Optimal Deployment | Overlay | Branch | Wiring Closet | Branch |


What’s so Different? Technology

| Function | Fit AP | Split MAC | Fat AP |
|---|---|---|---|
| 802.11 management protocol (RADIUS, 802.1x, SNMP, etc.) | Controller | Controller | AP |
| Probe, Authentication and Association Messages | AP | Controller | AP |
| Frame Translation (802.11 to 802.3) | AP | Controller | AP |
| Encryption | AP | Controller | AP |
| Dynamic RF Management Operation (DRM) | AP | Controller | External SW |
| QoS (802.11) | AP | AP | AP |
| QoS (802.3/IP reassignment) | AP | Controller | AP |
| Bridging | AP (branch mode); Controller (coordinated) | Controller | AP |
| L2 Roaming | AP (branch); Controller (coordinated) | Controller | AP |
| L3 Roaming | Controller | Controller | External SW |


AP Discovery in Detail

Multiple Discovery Approaches
• First try Static config
• If fail – then try DHCP Option 78 & SLP
• If fail – then try Domain Name Service
• If fail – then try Layer 2 Multicast (SLP)
• If all fail, then repeat process indefinitely.

Method that is successful is remembered upon next reboot/restart

Failure = unsuccessful after N retries and M seconds between retries. N and M are configurable from GUI

[Diagram labels: DHCP, DNS, Multicast]


Distinct Roles for VoWLAN and DECT

| | Mobile Voice | Mobile Voice & Data | Mobile Data |
|---|---|---|---|
| DECT | HiPath Cordless. Preferred Solution for voice only: Cost effective; High quality; Mature, proven technology | DECT does not provide wireless data; DECT and WLAN parallel to be considered for substantial existing DECT installations | DECT does not provide wireless data |
| WLAN | Deploy WLAN if later expansion to wireless data is planned | HiPath Wireless. Converged WLAN for voice and data: Fast secure roaming; Premium voice quality (QoS); WLAN phones and soft clients | HiPath Wireless. Leading-edge WLAN solution for enterprise-wide deployment: Security; Scalability; Manageability; Virtual WLANs, Hosting |


Quality of Service: SVP Support (WL1)

End-to-End QoS w/ SVP support (SpectraLink Voice Priority)

• SVP “Backoff”

• SVP PDU prioritized

Works with any other VoWLAN solution

Adaptive QoS on wired LAN

Prioritized SSID required, unless WMM client

[Diagram: Voice Gateway; VNS #1; Subnets A, B, C, x, y. VNS = “Enterprise VoWLAN”, SSID = “VoWLAN”, SVP = enabled. VNS = “Enterprise Data”, SSID = “Employee”, SVP = disabled]


VoWLAN Solution with optiPoint WL1 professional

Deployment Model

All devices must sit on the same LAN segment
• Phones cannot roam across subnets without dropping calls
• Gateways and Servers cannot support a set IP address change during call

Multicast required for registration and “Push-to-Talk”
• Requires infrastructure enabled with multicast

Support over a single segment


HiPath Wireless Proposition with a WL1 Solution

Deployment Model

APs can be deployed across router hops
• Solution can now scale to support a larger network with APs on multiple subnets
• Phones don’t have to exist on a single subnet
• Phones don’t need to support subnet roaming

Works without multicast being enabled on the infrastructure

[Diagram label: Intranet]


WL1 Solution

SpectraLink Radio Protocol (SRP)

• SpectraLink’s proprietary IP protocol for providing communication between their voice sets and their gateway products
• Phone and Gateway do IGMP version 1 – Group Membership Report
• UDP & IP multicast to SPECTRALINK.MCAST.NET group (IP group address 224.0.1.116) for discovery and registration
• SRP Unicast (IP port 119) for voice (like RTP) and other signaling

HiPath Controller Support

• SpectraLink’s multicast was designed not to work over router hops (i.e. TTL set to 1)
• HiPath Controller treats this as a special case and will forward these packets to ensure delivery to devices and gateways

[Diagram labels: SpectraLink NetLink e340/i640, HiPath Wireless Controller, Access Points, SpectraLink NetLink Gateway]
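An added example, not part of the original presentation: a Python classifier for the SpectraLink traffic types listed above, flagging multicast that cannot cross a router hop on its own (TTL 1) and the WMM queue the SVP slide assigns to SRP. It assumes SRP is carried as IP protocol number 119 (the slide says "IP port 119"); `classify`, `sample_packet` and the sample packets are constructed for illustration.

```python
import socket
import struct

SPECTRALINK_GROUP = "224.0.1.116"  # SPECTRALINK.MCAST.NET, as given on the slide
PROTO_IGMP, PROTO_UDP = 2, 17
PROTO_SRP = 119                    # assumption: SRP as IP protocol number 119
IGMP_V1_REPORT = 0x12              # version 1, type 2: Group Membership Report


def classify(packet: bytes) -> dict:
    """Classify one raw IPv4 packet against the SpectraLink traffic types."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if not 20 <= ihl <= len(packet) or packet[0] >> 4 != 4:
        raise ValueError("not a well-formed IPv4 packet")
    ttl, proto = packet[8], packet[9]
    dst = socket.inet_ntoa(packet[16:20])
    payload = packet[ihl:]
    kind = "other"
    if proto == PROTO_SRP:
        kind = "srp-unicast"
    elif proto == PROTO_UDP and dst == SPECTRALINK_GROUP:
        kind = "discovery-multicast"
    elif (proto == PROTO_IGMP and len(payload) >= 8
          and payload[0] == IGMP_V1_REPORT
          and socket.inet_ntoa(payload[4:8]) == SPECTRALINK_GROUP):
        kind = "igmp-v1-report"
    multicast = kind in ("discovery-multicast", "igmp-v1-report")
    return {
        "kind": kind,
        "ttl": ttl,
        # TTL 1 multicast does not cross a router hop on its own; it reaches
        # another subnet only if a device deliberately relays it.
        "segment_local": multicast and ttl <= 1,
        # Per the SVP slide, SRP packets go to the high-priority WMM queue.
        "wmm_queue": "AC3" if kind == "srp-unicast" else None,
    }


def sample_packet(proto: int, dst: str, ttl: int, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet for the demo (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, socket.inet_aton("10.0.0.5"),
                       socket.inet_aton(dst)) + payload


if __name__ == "__main__":
    report = bytes([IGMP_V1_REPORT, 0, 0, 0]) + socket.inet_aton(SPECTRALINK_GROUP)
    for args in ((PROTO_UDP, SPECTRALINK_GROUP, 1, b"\x00" * 8),
                 (PROTO_IGMP, SPECTRALINK_GROUP, 1, report), (PROTO_SRP, "10.0.1.9", 64)):
        print(classify(sample_packet(*args)))
```

Run over a capture taken on the wired side of the controller, the same logic shows which SpectraLink flows depend on the controller's special-case forwarding and would therefore need matching ACL entries.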

Page 99: HiPath Wireless Technical Presentation HWCSv4 HWMv2


WL1 Solution

SpectraLink Voice Priority (SVP) is the de facto standard for offering QoS for voice services on 802.11 today

• SVP was defined in the absence of any 802.11 QoS mechanisms
• It is defined as a specific mechanism to allow prioritization of packets from an AP to a SpectraLink device
• It requires SRP packets to be queued in front of all other packets
• Sets the 802.11 contention backoff period to 0 for those packets

Access Point Support of SVP

• Based on our implementation of WMM (WiFi Multimedia)
• SRP packets are placed in the high priority queue (AC3) according to WMM rules
• AC3 defines specific backoff mechanisms to support high quality voice

Page 100: HiPath Wireless Technical Presentation HWCSv4 HWMv2


Glossary of Terms

3PAP Third Party AP

AAA Authentication, Authorization, Accounting

AES Advanced Encryption Standard

AP Access Point

BSSID Basic Service Set Identifier

CAPWAP Control and Provisioning of Wireless Access Points

CCX Cisco Compatible Extensions

CDR Call Detail Record

CLI Command Line Interface

CTP CAPWAP Tunnelling Protocol

DECT Digital Enhanced Cordless Telecommunications

DHCP Dynamic Host Configuration Protocol

DRM Dynamic RF Management

DSCP Differentiated Services Code Point

EAP Extensible Authentication Protocol


HWC HiPath Wireless Controller

ICMP Internet Control Message Protocol (Ping, etc.)

IGMP Internet Group Management Protocol (Multicast)

IPSec IP Security (VPN)

LEAP Lightweight EAP

MAC Media Access Control (Layer 2)

MOS Mean Opinion Score (Voice quality standard)

MU Mobile User

NAPT Network Address Port Translation

OSPF Open Shortest Path First (Dynamic routing protocol)

PBX Private Branch Exchange

PKI Public Key Infrastructure (Digital Certificates)

PMK Pairwise Master Key

PoE Power over Ethernet

PSK Pre-shared Key


PSTN Public Switched Telephone Network

PSU Power Supply Unit

QoS Quality of Service

RADIUS Remote Authentication Dial In User Service

RF Radio Frequency

RU Replaceable Unit

SIP Session Initiation Protocol

SLP Service Location Protocol

SNMP Simple Network Management Protocol

SRP SpectraLink Radio Protocol

SSID Service Set Identifier (Wireless Network Name)

SVP SpectraLink Voice Priority

TKIP Temporal Key Integrity Protocol

TOS Type of Service

VLAN Virtual LAN


VNS Virtual Network Services

VoIP Voice over IP

VoWLAN Voice over Wireless LAN

VPN Virtual Private Network

VSA Vendor Specific Attribute

WEP Wired Equivalent Privacy

WMM Wi-Fi Multimedia

WPA/WPA2 Wi-Fi Protected Access

