6. Network Management
[Figure: network management diagram. Labels: Admin; 802.1x; 1000BASE-T; RADIUS; Port-based VLAN; AP Controller; L3 Switch; Management VLAN; HTTPS Web GUI management, SSH, telnet, SNMP; PoE]
7. References
How to configure VLANs with 802.1X for WLAN authorization. (2009, June). TechTarget. Retrieved from http://searchsecurity.techtarget.com/feature/How-to-configure-VLANs-with-8021X-for-WLAN-authorization
Javvin Company. (n.d.). IEEE 802.1p: LAN Layer 2 QoS/CoS Protocol for Traffic Prioritization. Retrieved from http://www.javvin.com/protocol8021P.html
Netgear. (2009). WNDAP350 User Manual. Retrieved from http://support.netgear.com/app/products/model/a_id/12823
Netgear. (2010). ProSafe Quad WAN Gigabit SSL VPN Firewall SRX5308. Retrieved from http://ftp://downloads.netgear.com/files/SRX5308_DS_12Mar10.pdf
Netgear. (2012). ProSafe 24-Port 10/100/1000 Smart PoE Switch GS724TP. Retrieved from http://www.netgear.com/business/products/switches/smart-switches/gs724tp.aspx
Netgear. (2012). ProSafe 48-Port Gigabit L3 Managed Stackable Switch GSM7352S-200. Retrieved from http://www.netgear.com/service-provider/products/switches/fully-managed-switches/gsm7352s-200.aspx#two
Netgear. (2012). ProSafe 20-AP Wireless Controller WC7520. Retrieved from http://www.netgear.com/business/products/access-points-wireless-controllers/wireless-management/WC7520.aspx#two
Editor's Notes
The access points can broadcast up to eight SSIDs per radio, and each SSID can be configured with different security controls (Netgear, 2009). When a guest associates with an access point's guest SSID, the access point applies 802.1Q tagging to the guest's packets. As mentioned in "How to configure VLANs with 802.1X for WLAN authorization" (2009), access points can tag wireless traffic in order to segregate it as it moves through the wired LAN. All LAN equipment supports 802.1Q tagging and funnels guest traffic to the internet. By tagging the guest packets, 802.1Q segregates guest traffic from the internal network traffic. 802.1x authentication prevents unauthorized users from accessing network resources.
The access points support 802.11e QoS, giving voice and video traffic higher priority than data transfers such as FTP. Low-priority data such as FTP receives best-effort or background priority, while high-priority traffic such as voice sees minimal latency. Each access point applies an 802.1Q tag to packets in order to indicate the priority level. The switches, controller, and firewall are connected over 1000BASE-T Ethernet cable and support 802.1p Class of Service (CoS). 802.1p allows switches to prioritize tagged traffic (Javvin Company, n.d.).
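The two preceding notes both rest on the 802.1Q tag: its 12-bit VID carries the guest/internal VLAN separation and its 3-bit PCP carries the 802.1p priority. The following example is added here to show how a CoS-aware switch reads those fields and acts on them; it is not code from the original document or from Netgear. The VLAN numbers, MAC addresses, and the PCP-to-queue mapping are constructed for the example, and the rule that guest-VLAN frames may only reach the internet gateway and are always re-marked to best effort (because priority marks from the guest SSID are untrusted) is a design assumption, not something the cited equipment is stated to do.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed VLAN plan and addresses for this example (assumptions, not from the document)
GUEST_VLAN = 20
INTERNET_GATEWAY_MAC = bytes.fromhex("02000000ff01")  # constructed MAC of the firewall's LAN port

# Assumed 802.1p priority -> egress queue mapping (0 = best effort, 1 = background, 4 = video, 5 = voice)
PCP_TO_QUEUE = {0: "best-effort", 1: "background", 2: "best-effort", 3: "best-effort",
                4: "video", 5: "voice", 6: "voice", 7: "network-control"}


def build_frame(dst, src, ethertype, payload, pcp=None, vid=None):
    """Build an Ethernet frame; when a VID is given, insert an 802.1Q tag carrying PCP and VID."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp or 0) << 13) | (vid & 0x0FFF)  # Tag Control Information: PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the header fields of a frame; pcp and vid are None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "pcp": None, "vid": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13        # 3-bit 802.1p priority
        info["vid"] = tci & 0x0FFF     # 12-bit VLAN ID
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def forwarding_decision(frame):
    """Model a CoS-aware switch port: choose the egress queue from the PCP and confine the guest VLAN."""
    info = parse_frame(frame)
    queue = PCP_TO_QUEUE.get(info["pcp"], "best-effort")  # untagged frames get best effort
    if info["vid"] == GUEST_VLAN:
        # Guest SSID marks are not trusted: re-mark to best effort so guests cannot
        # claim the voice queue, and only let guest traffic reach the internet gateway.
        queue = "best-effort"
        if info["dst"] != INTERNET_GATEWAY_MAC:
            return {"queue": queue, "forward": False,
                    "reason": "guest VLAN may only reach the internet gateway"}
    return {"queue": queue, "forward": True, "reason": "ok"}


if __name__ == "__main__":
    phone = bytes.fromhex("020000000a01")   # constructed MAC of an IP phone on VLAN 30
    guest = bytes.fromhex("020000001402")   # constructed MAC of a guest laptop on VLAN 20
    server = bytes.fromhex("020000001e05")  # constructed MAC of an internal server
    voice = build_frame(server, phone, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, pcp=5, vid=30)
    leak = build_frame(server, guest, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, pcp=5, vid=GUEST_VLAN)
    print("voice frame:", forwarding_decision(voice))
    print("guest -> internal server:", forwarding_decision(leak))
```

Running the block shows the voice frame landing in the voice queue while the guest frame is dropped and re-marked to best effort despite carrying PCP 5; the same parser can be pointed at a pcap's raw frames to audit whether tags actually arrive on the wired side as the design expects.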
Remote clients can access the corporate network over SSL VPN from anywhere with internet access. The firewall supports simultaneous SSL VPN tunnels and user authentication through a RADIUS server: VPN users are first authenticated by the RADIUS server before accessing the corporate network. VPN user traffic is protected in transit by SSL with 128-bit AES encryption.
The admin PC is connected to the network over 1000BASE-T Ethernet using a port-based static VLAN. The PC has personal firewall and antivirus software installed. The admin PC must first be authenticated as the administrator through the RADIUS server over 802.1x, which helps prevent unauthorized users from gaining administrator privileges. The Layer 3 switch is managed by web GUI over HTTPS (SSL), SSH telnet, a command-line interface (CLI) over SSH, or SNMP (Netgear, 2012). The access controller can be managed over a VLAN connection through the HTTPS web GUI, telnet with SSH, and SNMP (Netgear, 2012). The PoE switch can be maintained through the SSL web GUI or SNMP, and it also offers port-based security through MAC filtering (Netgear, 2012). The access point can be configured through the HTTPS web GUI, SSH telnet, CLI over SSH, and SNMP (Netgear, 2009). The firewall can be managed through the HTTPS web GUI, SSH telnet, or SNMP (Netgear, 2010).
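Both the guest-SSID note and the admin-PC note rely on the same mechanism: the switch or access point authenticates the user over 802.1x, and the RADIUS server's Access-Accept tells it which VLAN to place the port in (the dynamic VLAN assignment described in the cited TechTarget article, carried in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of RFC 3580). The example below is added here to show that exchange from the authenticator's side; it is not code from the original document or from any vendor. It builds a minimal Access-Accept and then parses it the way a careful switch should: verifying the Response Authenticator against the shared secret before honouring the VLAN, rejecting malformed attribute lengths, and refusing VLAN IDs outside 1-4094. The shared secret, request authenticator, user name and VLAN number are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 header and TLV layout; RFC 2868/3580 tunnel attributes)
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type value for IEEE 802


def _attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (length covers the two header bytes)."""
    return bytes([atype, len(value) + 2]) + value


def build_access_accept(ident, request_auth, secret, username, vlan_id):
    """Build an Access-Accept that assigns vlan_id. The leading 0x00 byte on each tunnel
    attribute is the optional Tag field (tag 0 = no grouping)."""
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    attrs += _attr(ATTR_TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    attrs += _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def _strip_tag(value):
    """RFC 2868: a first byte in 0x00..0x1F is a Tag and is not part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(packet, ident, request_auth, secret):
    """Return the VLAN ID the switch should apply, or None if the reply must not be honoured."""
    if len(packet) < 20:
        return None
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or pkt_id != ident or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret, forged or tampered reply: never apply its VLAN
    found = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return None  # dangling byte instead of a TLV header
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed length: could loop forever or read past the buffer
        found[atype] = _strip_tag(attrs[pos + 2:pos + alen])
        pos += alen
    try:
        if int.from_bytes(found[ATTR_TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            return None
        if int.from_bytes(found[ATTR_TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE802:
            return None
        vlan = int(found[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    except (KeyError, ValueError):
        return None  # no VLAN assignment present, or a non-numeric group id
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; a real deployment uses a long random secret
    request_auth = bytes(range(16))         # constructed; the switch generates 16 random bytes per request
    reply = build_access_accept(7, request_auth, secret, "guest01", 20)
    print("assigned VLAN:", vlan_from_access_accept(reply, 7, request_auth, secret))
    print("with wrong secret:", vlan_from_access_accept(reply, 7, request_auth, b"other"))
```

The check order matters for the admin-PC case in particular: the VLAN is read only after the authenticator has been verified, so a reply that was not produced with the shared secret can never move a port into the administrative VLAN, and a reply whose packet id does not match the outstanding request is ignored as a replay.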