Wireless in the data centre has long been considered inappropriate because of possible security breaches and interruption to critical IT facilities. This is no longer the case, however, as this presentation demonstrates: modern wireless technologies are as secure as, if not more secure than, a hard-wired equivalent.
5. Enterprise Class Wi-Fi (Aerohive Networks)
Cloud-managed Mobile Networking Company
– Cloud (Public & Private), Controller-less Wi-Fi, Routing, VPN, Switching
– Visionary Vendor - Gartner MQ for Wired & Wireless LAN 2013
22/07/2014
Copyright 2014, All rights reserved 5
[Diagram: Cloud Services Platform (Public, Partner, Private on-premise) serving Branch & Teleworker Routers, Enterprise Wi-Fi and Access Switches]
6. Firewall (L2 – L7)
– UTM level integration
– Application control
– Deep packet inspection
– 712 application signatures
User Profile
– Identity based networking
– Granular separation of users and devices
– Separate by device classification
Security
7. Wireless Intrusion Prevention
– Wireless DoS detection and prevention
– Rogue detection (AP and client)
– Countermeasures
– Compliance monitoring
Security
8. Authentication
– 802.1X with RADIUS, Active Directory, OpenLDAP
• Aerohive APs can act as RADIUS server(s) or RADIUS proxy
– Captive Web Portal (CWP) authentication
Private Pre-Shared Key (PPSK)
– Dedicated key per user
– People already know how PSKs work
– Secure (AES encryption)
– Flexibility of PSK with enterprise security of 802.1X
Security
9. Trusted vs Untrusted
Trusted Devices
– White list
• Corporate Laptops
• 802.1X
• Directory Services Integration
Untrusted Devices
– Black list
• Non corporate guests
Everything in between
– Shades of grey
• BYOD
• Staff owned
• Corporate Owned personal
• Corporate Owned shared
10. BYOD/ CYOD
Corporate Owned Devices
– Choose Your Own Device
– Tablets
– Smartphones
– Corporate owned data
– Remote wipe
Staff Owned Devices
– Bring Your Own Device
– Corporate Data
– Ring fenced
– Containerised apps
Staff Owned Devices (2)
– No corporate data
– Guest Access
11. Mobile Device Management (MDM)
Mobile Device Onboarding
– Configuration profiles
• Wi-Fi configuration/ keys/ certs
• Mail/ VPN
Mobile Content Management
– Secure content access
• Data Loss Prevention
Mobile Application Management
– App store front/ redirection
– Authentication enforcement
13. Guest Access
Aerohive ID Manager
– Cloud Enabled Guest Management
– Private PSKs more secure than traditional “Starbucks” style CWP
– Key delivery options (Mail, SMS, Printed Voucher, Twitter!)
– Kiosk Mode
14. Secure Guest Access in Data Centres
Key management
– Temporary PPSKs
– Role based key drops into specific user profile/ VLAN
– Different user profiles for different customers
– Key dies as soon as customer leaves building
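The temporary per-visitor PPSK life cycle described on slides 8 and 14, as an added Python example that is not code from the presentation or from Aerohive: the role table, the key length and the plaintext key lookup (a stand-in for the WPA2 handshake) are assumptions made to keep the example self-contained.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed role table (an assumption for this example): each customer role
# maps to the user profile and VLAN its keys should drop visitors into.
ROLE_PROFILES = {
    "customer-a": ("guest-customer-a", 210),
    "customer-b": ("guest-customer-b", 220),
}


@dataclass
class TempPPSK:
    role: str
    expires_at: int      # epoch seconds
    revoked: bool = False


class PPSKStore:
    """One private key per visitor, bound to a profile/VLAN and to a lifetime."""

    def __init__(self):
        self._keys = {}

    def issue(self, role, now, ttl_seconds=8 * 3600):
        """Create a fresh random key for a visitor of the given role."""
        if role not in ROLE_PROFILES:
            raise ValueError("unknown role: %s" % role)
        alphabet = string.ascii_letters + string.digits
        key = "".join(secrets.choice(alphabet) for _ in range(16))  # WPA2 PSK: 8-63 chars
        self._keys[key] = TempPPSK(role, now + ttl_seconds)
        return key

    def revoke(self, key):
        """Visitor has left the building: the key dies immediately."""
        if key in self._keys:
            self._keys[key].revoked = True

    def authenticate(self, key, now):
        """Return (profile, vlan) for a live key, or None so the AP rejects the client.
        A real AP matches the key through the WPA2 4-way handshake rather than a
        plaintext lookup; the lookup here stands in for that step."""
        entry = self._keys.get(key)
        if entry is None or entry.revoked or now >= entry.expires_at:
            return None
        return ROLE_PROFILES[entry.role]
```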
15. Secure Separation of Guest Networks
[Diagram: Guest Network separation using tunneling – Access Points, Edge Switch, Core Switch, Corporate Gateway, DMZ, Internet; labels: GRE Tunnel, Normal Traffic]
16. Secure Separation of Guest Networks
[Diagram: Guest Network separation using physical separation – Access Points with Dual Ports, Edge Switch, Core Switch, Edge DMZ, DMZ, Corporate Gateway, Internet; labels: Normal Traffic, Guest Traffic]
17. Independent Monitoring Network
[Diagram: Monitoring Network, can be separate to Corporate Network – Access Points with Dual Ports, Edge Switch, Core Switch, Edge DMZ, DMZ, Corporate Gateway, Internet; labels: Traffic via DMZ, Not under your control]
20. iPDU Adoption Life Cycle – varies by region
21. Wired Monitoring Connectivity
IP Address per device
– 5 per cabinet
– 350 cabinets = 1750 IP addresses
Proprietary Solution
– Single point of failure
– 350 cabinets = 200+ IP addresses
[Diagram: rack with sensors T1, T2, T3 sharing IP 1 (proprietary solution) versus a rack needing IP 1 to IP 5 (IP address per device)]
23. Wireless iPDUs now available
Easy deployment of best practice monitoring of each rack
– Temperature - top, middle & bottom
– Humidity
Saves Ethernet ports
– hundreds of PDUs per access point
Can be an ‘isolated’ Wi-Fi network
– This one has its own ‘SSID’
Typical Wi-Fi Dongle shown
24. PX-IOS App PDView
Tablet based PDU management
Features:
– View PDU configuration
– See kW, VA, pF, kWh etc
– Switch outlets on and off
25. PDView – Per Outlet View
[Screenshot: per outlet view with On/Off control and Per Outlet Power]
27. Health Map of Demo Data Centre
28. Tabular Reports - Bill Back Report per Customer
29. Tabular Reports - Load per IT Device
30. Tabular Reports - Rack kW per cabinet
31. Secure Cabinet Access Authentication System
What is SCAAS?
– Door locking application for Cabinets and Containment
Example
– French Bank
– 3 Containments, 84 Cabinets, 174 Doors, 6 Card Readers, 72 iPDUs
32. Secure Cabinet Access Authentication System
[Diagram: SCAAS VA software, Door Control Sensor, EMKA door handle]
Benefits
– Connects into PX iPDUs
– Can be wireless
33. SCAAS Features (1)
Collective Door Access Control
– Containment Doors, Cabinet Doors (front and back)
– A single ID-card reader controls a collection of doors according to privileges of card-owner
Centralized Management of
– Operation (unlock/lock, history-log)
– Access Administration (cards, card-owners, privileges)
– Site Setup (Containment, Cabinets, Doors, etc.)
34. SCAAS Features (2)
Access Log
– All activity is logged: presented card, user, unlocked/locked doors, opened/closed doors, alarms.
– Length of log is configurable
Audible Alarms
– Unlocked doors by timeout or inside containment
– Make use of iPDU buzzer
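An added example of the checks a defender would run over the SCAAS access log described above (not code from the presentation or from the SCAAS product): the log format, field names, door identifiers and the five-minute timeout are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of the log SCAAS describes: presented card, user, door and
# the lock/open action. Timestamps and identifiers are made up for this example.
SAMPLE_LOG = """\
2014-07-22T10:00:00 card=0041 user=alice door=C12-front event=unlock
2014-07-22T10:00:05 card=0041 user=alice door=C12-front event=open
2014-07-22T10:02:10 card=0041 user=alice door=C12-front event=close
2014-07-22T10:02:12 card=0041 user=alice door=C12-front event=lock
2014-07-22T10:10:00 card=0041 user=alice door=C13-rear event=unlock
2014-07-22T10:10:03 card=0041 user=alice door=C13-rear event=open
2014-07-22T10:30:00 card=- user=- door=C07-front event=open
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_alarms(log_text, now=None, unlock_timeout=timedelta(minutes=5)):
    """Return (time, door, reason) for doors left unlocked past the timeout and
    for doors opened while the system believes them to be locked."""
    alarms = []
    unlocked_since = {}  # door -> time of the unlock that is still outstanding

    def sweep(at):
        for door, since in list(unlocked_since.items()):
            if at - since > unlock_timeout:
                alarms.append((since + unlock_timeout, door, "unlocked beyond timeout"))
                del unlocked_since[door]  # raise once per unlock

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        door, ev, ts = rec["door"], rec["event"], rec["ts"]
        sweep(ts)  # check timeouts before handling the new event
        if ev == "unlock":
            unlocked_since[door] = ts
        elif ev == "lock":
            unlocked_since.pop(door, None)
        elif ev == "open" and door not in unlocked_since:
            alarms.append((ts, door, "opened while locked"))
    if now is not None:
        sweep(now)  # doors still unlocked when the log ends
    return alarms
```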
35. Connectivity Summary
The following functionality could potentially use 5 switch ports per rack:
– 2 x iPDU
– 3 x temperature/humidity
– 1 x access control
– 1 x web cam
This would be 300 switch ports in a 60 rack data centre compared to 5 (or less) if wireless enabled
– Multi-use, non-proprietary, open standards
– Easily scalable
36. Summary
Speed of deployment
Reduced cost of deployment
No dead patch panel ports to worry about
No delays while IT services team provision a switch port for each iPDU or environmental management appliance
Non proprietary solution – all product is based on open standard
Up to 6,400 sensors and 2,000 metered outlets on a single AP!
Cost of a Wi-Fi dongle circa £25
39. Real Time Tracking of Assets within the DC
RTLS - Real Time Location Solution
Uses the same wireless infrastructure – not ZigBee or 433.92 MHz
Tracking where people go (security/alerting)
Lone-worker safety (man down)
Asset Tracking & Sensors (locating equipment)
[Images: Asset tags, Wearable tags, Staff badge/pager, Temp/RH sensors]
40. Tracking Personnel in the DC
A complete Wi-Fi-based Real Time Location System for tracking the location and status of assets, inventory and people.
[Diagram: Ekahau Applications, Ekahau RTLS Controller, Ekahau Wi-Fi Tags, Ekahau Site Survey]
[Images: Asset tags, Wearable tags, Staff badge/pager, Temp/RH sensors, Location beacons]
41. Staff Safety and Alarm Escalation
Escalation flow: SOS key or Man-down → SOS → Alert with detailed location → Send email, screen popup → Send alerts to local staff, remotely open doors, reposition video cameras etc.
42. Patented RSSI Modeling Approach for Indoor Positioning
1. Patented, probabilistic multi-hypothesis tracking algorithms enable the industry’s leading location accuracy and reliability
2. RF characteristics such as multi-path reflections are recorded during the site calibration.
3. Calibration data is stored in the location server
4. Based on the calibration data and the information received from the tag/client, the server software calculates the real-time location
Ekahau RTLS - Technology
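The calibration-then-locate flow of steps 2 to 4 above, as an added Python example that is not Ekahau's patented algorithm or code from the presentation: the calibration fingerprints, the Gaussian RSSI model and the simple stay/move prior used in place of the real multi-hypothesis tracker are assumptions.

```python
import math

# Constructed calibration fingerprints, standing in for the survey data recorded
# at site calibration: location -> {AP name: mean RSSI in dBm seen there}.
CALIBRATION = {
    "row-A-rack-01": {"ap1": -45, "ap2": -70, "ap3": -80},
    "row-A-rack-10": {"ap1": -60, "ap2": -55, "ap3": -75},
    "row-B-rack-01": {"ap1": -70, "ap2": -80, "ap3": -50},
    "row-B-rack-10": {"ap1": -78, "ap2": -62, "ap3": -58},
}
SIGMA_DB = 5.0  # assumed RSSI spread per AP (multipath, body shadowing, tag orientation)


def location_posterior(observed, calibration=CALIBRATION, sigma=SIGMA_DB):
    """Probability of each calibrated location given one RSSI vector from a tag.
    Each location is a hypothesis; the reading is scored with a Gaussian model
    around the fingerprint and the scores are normalised (log domain for stability)."""
    log_like = {}
    for loc, fingerprint in calibration.items():
        ll = 0.0
        for ap, rssi in observed.items():
            if ap in fingerprint:  # APs unseen during calibration carry no evidence
                ll -= (rssi - fingerprint[ap]) ** 2 / (2 * sigma ** 2)
        log_like[loc] = ll
    top = max(log_like.values())
    weights = {loc: math.exp(ll - top) for loc, ll in log_like.items()}
    total = sum(weights.values())
    return {loc: w / total for loc, w in weights.items()}


def locate(observed, prev=None, stay=0.7):
    """Multi-hypothesis tracking step: fold the previous posterior into the new one,
    keeping weight 'stay' on the old position and spreading the rest uniformly so a
    tag that moved is not trapped at its old location. Returns (best location, posterior)."""
    post = location_posterior(observed)
    if prev:
        n = len(post)
        post = {loc: p * (stay * prev.get(loc, 0.0) + (1 - stay) / n) for loc, p in post.items()}
        total = sum(post.values())
        post = {loc: p / total for loc, p in post.items()}
    best = max(post, key=post.get)
    return best, post
```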
43. WLAN Best Practice
• Physical design of the WLAN and placement of access points plays a critical role in RTLS accuracy
• RTLS accuracy relies on ‘Location Coverage’, a combination of access point density and placement, signal quality, and signal differentiation.
• Triangulation is important
• Access points (green circles), placed every 50 to 75 feet around the edge, as well as centre of building
46. Mobile Devices & DCIM software
WLAN enables tablets, laptops and mobiles installed with DCIM apps to update at the rack
47. Mobile Devices & DCIM software
Speeding up the auditing and importing of data
Manage change control by issuing work orders directly to mobile devices
Making it easier to maintain accurate records including photographs
48. WORKSMART
Summary
Contact – www.ait-pg.co.uk
tel: 0845 293 2790
email: customer.services@ait-pg.co.uk
49. How Enterprise WLAN enables Best Practice!
Reduce the cost, and speed up the time, of deploying iPDUs, sensors, access control, asset tracking and DCIM software.
Use 90% fewer switch ports than wired networks, saving costs and reducing dependency on corporate IT teams
An open 802.11 infrastructure will support mobile computing, as well as monitoring and management applications, which means you no longer have to depend on multiple proprietary point solutions.
AIT have the expertise to convince your IT teams that security is no longer a valid objection to implementing a WLAN in a data centre.