Wireless Network Architecture (II)
  • Title: Wireless Roaming - Encryption
    Animation: None
    Discussion: The IEEE 802.11 standard does provide a way to ensure that even if the data is "sniffed" over the airwaves it is still protected. This is done with the Wired Equivalent Privacy (WEP) technology: the normally clear-text data between the client and the Access Point is scrambled with WEP-40 or WEP-128, both defined in the 802.11 specification and based on the RC4 encryption algorithm. Customers shouldn't blindly invoke this level of security with every wireless vendor, since encryption can be resource intensive and hurt system performance. Cisco has taken this into consideration and added hardware acceleration to the wireless hardware (NIC and Access Points) so that users can enjoy robust security without sacrificing performance.
    (Click to the next slide)
  • Transcript

    • 1. © 2000, Cisco Systems, Inc. Wireless LAN Roadmap: Performance and Hardware Features
    • 2. Cisco Aironet 340 Series Wireless LAN Solution
      – PC Card/PCI Client Adapters
      – Access Points
      – Line-of-Sight Bridge Products
      – Antennas & Accessories
      The Cisco Aironet 340 Series of 802.11b compliant high speed wireless solutions offers the best performance, manageability, scalability and security for both in-building and building to building wireless applications.
      Editors' Choice: Wireless LANs (PC Magazine, March 2000); "Cisco Aironet Beats Rivals--With Ease" (Network Computing, Editors' Choice July 2000)
    • 3. WLAN Vision: Client Options
      – Workgroup Bridges: plug and play wireless for single or multiple clients
      – USB: easy to install NIC alternative
      – Multi-function and embedded client devices: in partnership with Xircom
      – Client Drivers/Services: Macintosh/Linux drivers; automated country radio localization; improved diagnostics tools
    • 4. WLAN Vision: Performance
      (Chart: radio network speed by year, 1999-2002: 11 Mbps 2.4 GHz 802.11b standard; 22 Mbps .11b extension, 900 MHz; 6-54 Mbps 5 GHz .11a standard; 100 Mbps superset. IEEE 802.11a/b ratified.)
      – Small, Medium and Large Enterprises: high power and performance
      – Telecommuter: cost and manageability
    • 5. WLAN Vision: Infrastructure Options
      (Diagram: W/C, Cisco Access Point 925, in-line power capable switch)
      – Office applications: simplify and reduce installation costs; in-line power
      – Warehouse (extreme applications): extended temperature
    • 6. Telecommuter Base Station
      – 802.11 compliant
      – Fully managed
      – Simplified configuration
      – Embedded Modem and Ethernet
      Designed for the WLAN Telecommuter
    • 7. © 2000, Cisco Systems, Inc. Wireless LANs Services Directions
    • 8. Cisco's Services Vision
      – Security: centralized device authentication; future flexible user authentication services
      – Management: enhanced auto-configuration and enforcement for client/infrastructure
      – Policy: enhanced PCF services for enterprise quality QoS
      – Mobility: scale L2/L3 roaming services
      (Diagram: Cisco Access Point 925)
    • 9. Security Services
      – Current capabilities: no encryption; 40-bit encryption; 128-bit encryption; hardware based encryption (negligible performance impact, <3%); MAC-based exclusion filtering
      – Encryption choices (defined at Access Point): no encryption; allow client to specify (optional); forced (required)
    • 10. Security Directions Summary
      – Utilize HW-based 802.11 encryption: best price/performance; minimizes impact on client and network
      – 1st phase (Committed): device authentication; cell phone security analogy; supports all client device types
      – 2nd phase: user authentication (in development); universal user authentication through 802.1x Extensible Authentication Protocols (EAP)
    • 11. Security Directions Summary (cont.)
      – Centralized Authentication
        Phase 1: enhanced RADIUS servers; CiscoSecure Authentication Server; directory services integration through LDAP/X.500
        Phase 2: EAP support; Kerberos & PKI support
      – Dynamic Key Generation/Distribution: unique 128 bit key per user per session; roaming pre-authentication
    • 12. Centralized User-Based Authentication
      (Diagram: Supplicant – EAP over Wireless/LAN (EAPOW/EAPOL) – Authenticator (e.g. Access Point, Catalyst Switch) at the Semi-Public Network / Enterprise Edge – EAP over RADIUS – Authentication Server such as ACS2000 v2.6 in the Enterprise Intranet; Extended Enterprise (Branch Office, Home, etc.))
    • 13. Dynamic WEP Key Management
      (Diagram: laptop computer – 802.11/EAPOW – access point – RADIUS over Fast Ethernet)
      – Client associates at the 802.11 layer; access blocked
      – Client → AP: EAPOL-Start
      – AP → Client: EAP-Request/Identity
      – Client → AP: EAP-Response/Identity; AP → RADIUS: Radius-Access-Request
      – RADIUS → AP: Radius-Access-Challenge; AP → Client: EAP-Request
      – Client → AP: EAP-Response (credential); AP → RADIUS: Radius-Access-Request
      – RADIUS → AP: Radius-Access-Accept; AP → Client: EAP-Success
      – AP → Client: EAPW-Key (WEP); access allowed
    • 14. Services in Development
      – Rogue AP detection requirement: only IT installed/configured devices deliver infrastructure access; authenticated clients learn trusted APs in area; untrusted APs are detected, reported and, if possible, isolated and shut down
      – Investigating best way to control non-Cisco APs
      (Diagram: AP Authentication)
    • 15. Wireless QoS Vision
      – SpectraLink Voice Prioritization (SVP): prioritizes IP voice traffic in AP queue; user configurable beacon period helps determine voice quality
      Committed Services
    • 16. Wireless QoS Vision (cont.)
      – Extend existing 802.11 QoS services: utilize and enhance Point Coordination Function (PCF); standards-based; backwards compatibility, investment protection; time-to-market
      – Integration with existing IETF & IEEE standards: Integrated Services over Specific Link Layers (ISSLL); 802.1(p) priorities
      Services in Process
    • 17. Proposal for Enhanced Wireless QoS
      – Better to approach it as an integrated system
      – Address queue management in the infrastructure devices: a contention-free period can only be sustained if the queues on the access point or stations are adequately managed
      – Address medium access limitations to ensure access: chicken-and-egg problem; polling to manage medium access; potential contention to get on the polling list
      – Address unlicensed band regulations: some regulatory domains do not allow constant occupancy by one device
      – Maximize investment protection, while also acknowledging that some legacy devices may require an enhanced DCF
      – Systems always spend some time in the DCF
    • 18. Wireless QoS Summary
      – Simple but efficient: easy to implement; good support for legacy stations; in line with what is standardized by other workgroups and standardization bodies
      – Simulations will prove concept
      – Some 'loose ends' need to be worked out
    • 19. Additional Network Services: Load Balancing
      – APs configured for load sharing use different RF channels in coverage area
      – Policy based on number of users, bit error rate, or signal strength
      (Diagram: Channel 1, Channel 6)
    • 20. Additional Network Services: Hot Standby
      – APs co-located for hot standby use the SAME RF channel in coverage area
      – Standby AP acts as probe for monitoring and management
      (Diagram: Active, Standby; Channel X, Channel X)
    • 21. Summary: Vision for Mobile Connectivity
      (Diagram: Channels, Products, Solutions, Partners)
      – Offer key services to accommodate wireless data, voice and video that are secure, manageable, scalable and deliver improved price/performance
      – Preserve customers' investment in existing WLAN infrastructure
      – Partner to enhance wireless hardware and software solutions for customers
    • 22. 802.1X Security Architecture
      (Diagram: User – Client/Supplicant – Authentication Client/Control Point – Authentication Server. Controlled port: data traffic. Open port: authentication traffic.)
      Pieces of the system.
    • 23. EAP Architecture
      – Method Layer: EAP TLS, IKE, GSS_API
      – EAP Layer: EAP APIs
      – Media Layer: NDIS APIs; PPP, 802.3, 802.5, 802.11
    • 24. 802.1X Security Services
      – Supplicant: Cisco/Microsoft; mini-certificate (MD5/PAP-CHAP); future 802.11 supplicant for Win2K/WinCE 3.0 (user authentication options)
      – Authentication client/control point: Cisco device; non-IP communications until device authenticated
      – Authentication Server: Cisco/Microsoft, etc.; Radius server available from Cisco; future enhanced servers available from others
    • 25. Authentication Process
      (Diagram: wireless laptop – Access Point – Radius Server; normal data, authentication traffic, Radius traffic)
      – Wireless client associates at the 802.11 layer. Data blocked by AP.
      – Access Point blocks everything except authentication traffic. The authentication traffic is allowed to flow. The Access Point relays authentication traffic.
    • 26. Authentication Process (cont.)
      (Diagram: wireless laptop – Access Point – Radius Server; normal data, authentication traffic, Radius traffic)
      – Wireless client mutually authenticates with Radius Server.
      – Radius server authenticates client and creates a WEP key. AP receives grant and key. Key is installed in database and normal data is forwarded to client.
      – Client receives grant and WEP key. Client stack is initiated. DHCP request and subsequent traffic is encrypted with session key.
    • 27. Authentication Process (cont.)
      (Diagram: wireless laptop – Access Point – Enterprise Intranet; normal data, authentication traffic, 802.11 traffic, IP traffic)
      – Wireless client and AP use WEP key. AP allows traffic to flow. AP pre-authenticates client for intra-subnet roaming.
      – Secure traffic. No performance impact.
    • 28. Future User Authentication for non-EAP/802.1x Clients
      – Options under consideration: device level authentication with passwords; create APIs to pass username and password to LEAP
      – For generic support, statically assign username and password into card. This becomes device security.
    • 29. Pre-Authentication for Roaming
      – APs multicast keys of authenticated clients as part of Inter Access Point Protocol (IAPP)
      – Pre-authentication multicasts are encrypted
      – APs cache pre-authenticated clients (1000s of entries)
    • 30. Pre-Authentication and Roaming
      (Diagram: roam from AP1 to AP2; disassociation; pre-auth)
      – When a roam occurs, AP1 sends a disassociation notice.
      – AP2 associates the client using the cached key and retrieves queued data from AP1.
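The 802.1X exchange on slides 13 and 25-27, modelled as an added example (this is not code from the deck or from Cisco): the access point relays EAP to a stand-in RADIUS server, keeps its controlled port closed until Radius-Access-Accept, and only then installs a per-session key. The user database, the credential and the key value are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the RADIUS server's user database (not from the deck).
RADIUS_USERS = {"alice": "correct-horse"}

def radius_server(identity, credential=None):
    """Stand-in RADIUS server: challenge on first contact, then accept or reject."""
    if credential is None:
        return "Radius-Access-Challenge", None
    if RADIUS_USERS.get(identity) == credential:
        # Slide 11: unique 128-bit key per user per session (constructed value).
        return "Radius-Access-Accept", secrets.token_bytes(16)
    return "Radius-Access-Reject", None

@dataclass
class AccessPoint:
    """Authenticator: open port passes only EAPOL; controlled port opens after success."""
    controlled_port_open: bool = False
    session_key: Optional[bytes] = None
    log: list = field(default_factory=list)

    def forward(self, frame_type):
        """Slide 25: everything except authentication traffic is blocked."""
        if frame_type == "EAPOL":
            return True
        return self.controlled_port_open

    def authenticate(self, identity, credential):
        """Slide 13 sequence; returns True when the controlled port opens."""
        self.log += ["EAPOL-Start", "EAP-Request/Identity", "EAP-Response/Identity"]
        reply, _ = radius_server(identity)                # relayed as Radius-Access-Request
        self.log += ["Radius-Access-Request", reply, "EAP-Request"]
        reply, key = radius_server(identity, credential)  # EAP-Response (credential)
        self.log += ["EAP-Response (credential)", "Radius-Access-Request", reply]
        if reply == "Radius-Access-Accept":
            self.session_key = key            # key installed only after the grant (slide 26)
            self.controlled_port_open = True
            self.log += ["EAP-Success", "EAPW-Key (WEP)"]
        else:
            self.log.append("EAP-Failure")    # port stays closed; data still dropped
        return self.controlled_port_open
```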