Security Policy
Security Policy
Authentication and Encryption
    ◦ IEEE 802.11i
    ◦ WPA2-Enterprise 802.1x RADIUS authentication with EAP-TLS.
    ◦ AES 128-bit encryption.
    ◦ Broadcast SSIDs, up to eight per radio, each with unique security controls (guest VLAN, 802.1Q, 802.11e, employee network).

Access Point and RF Management
    ◦ Plenum-rated APs, ceiling-mounted.
    ◦ Limit RF power levels to coverage area.
Guest VLAN

[Diagram; labels: Guest, Guest SSID, 802.1x, 802.1Q tagging, PoE, L3 Switch, RADIUS, Database]
Traffic Prioritizing

[Diagram; labels: High Priority, Voice/Video (802.11e), Low Priority, FTP/Applications, 802.1p, 802.1Q tagging, PoE, L3 Switch, AP Controller (supports 802.11e), Database]
VPN Access

[Diagram; labels: Mobile Broadband, ISP, VPN Tunnel, SSL VPN, RADIUS, 802.1x, Corporate Network]
Network Management

[Diagram; labels: Admin, 1000BASE-T, Port-based VLAN, 802.1x, RADIUS, AP Controller, L3 Switch, Management VLAN, PoE; both the AP Controller and the L3 Switch are labelled "HTTPS Web GUI management, SSH telnet, SNMP."]
References

How to configure VLANs with 802.1X for WLAN authorization. (2009, June). TechTarget. Retrieved from http://searchsecurity.techtarget.com/feature/How-to-configure-VLANs-with-8021X-for-WLAN-authorization

Javvin Company. (n.d.). IEEE 802.1p: LAN Layer 2 QoS/CoS Protocol for Traffic Prioritization. Retrieved from http://www.javvin.com/protocol8021P.html

Netgear. (2009). WNDAP350 User Manual. Retrieved from http://support.netgear.com/app/products/model/a_id/12823

Netgear. (2010). ProSafe Quad WAN Gigabit SSL VPN Firewall SRX5308. Retrieved from ftp://downloads.netgear.com/files/SRX5308_DS_12Mar10.pdf

Netgear. (2012). ProSafe 24-Port 10/100/1000 Smart PoE Switch GS724TP. Retrieved from http://www.netgear.com/business/products/switches/smart-switches/gs724tp.aspx

Netgear. (2012). ProSafe 48-Port Gigabit L3 Managed Stackable Switch GSM7352S-200. Retrieved from http://www.netgear.com/service-provider/products/switches/fully-managed-switches/gsm7352s-200.aspx#two

Netgear. (2012). ProSafe 20-AP Wireless Controller WC7520. Retrieved from http://www.netgear.com/business/products/access-points-wireless-controllers/wireless-management/WC7520.aspx#two

Wireless Security Policy

Editor's Notes

  • #4 The access points can broadcast up to eight SSIDs per radio, and each SSID can be configured with different security controls, according to Netgear (2009). When a guest associates with an access point's guest SSID, the access point applies an 802.1Q tag to the guest's packets. As described in “How to configure VLANs with 802.1X for WLAN authorization” (2009), access points can tag wireless traffic so that it stays segregated as it moves through the wired LAN. All LAN equipment supports 802.1Q tagging and funnels guest traffic to the internet. By tagging the guest packets, 802.1Q keeps guest traffic separate from internal network traffic, and 802.1x authentication prevents guest users from accessing internal network resources.
  • #5 The access points support 802.11e QoS, giving voice and video traffic higher priority than data transfers such as FTP and application traffic. Low-priority data such as FTP receives best-effort or background priority, while high-priority traffic such as voice sees minimal latency. Each access point applies an 802.1Q tag to packets, whose 802.1p priority field indicates the priority level. The switches, controller, and firewall are connected over 1000BASE-T Ethernet cable and support 802.1p Class of Service (CoS), which allows the switches to prioritize traffic, according to Javvin Company (n.d.).
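Notes #4 and #5 both rest on the same mechanism: the access point puts an 802.1Q tag on each wired frame, and the switches act on two fields of that tag, the 12-bit VLAN ID (guest versus employee segregation) and the 3-bit 802.1p priority (voice/video versus FTP). The following added example, which is not part of the slide deck or of any Netgear documentation, parses a tagged Ethernet frame, pulls out both fields, and applies the policy the notes describe. The VLAN IDs (guest 100, employee 10), the MAC addresses, and the sample payloads are assumptions constructed for the example; the traffic-class names for each priority value follow IEEE 802.1D-2004 Annex G.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100

# Traffic classes for the 3-bit 802.1p PCP field, per IEEE 802.1D-2004 Annex G.
PCP_CLASS = {
    0: "best effort", 1: "background", 2: "excellent effort",
    3: "critical applications", 4: "video", 5: "voice",
    6: "internetwork control", 7: "network control",
}

# Assumed VLAN plan for this example; the slides name the VLAN roles but not the IDs.
GUEST_VID = 100
EMPLOYEE_VID = 10


@dataclass
class TaggedFrame:
    dst: str
    src: str
    pcp: int        # 802.1p priority (3 bits)
    dei: int        # drop eligible indicator (1 bit)
    vid: int        # VLAN identifier (12 bits)
    ethertype: int
    payload: bytes


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, pcp: int, vid: int,
                ethertype: int = 0x0800, payload: bytes = b"", dei: int = 0) -> bytes:
    """Build an Ethernet II frame carrying one 802.1Q tag, as the AP emits on its wired port."""
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return struct.pack("!6s6sHHH", _mac_bytes(dst), _mac_bytes(src),
                       TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> TaggedFrame:
    """Parse a single-tagged 802.1Q frame; reject untagged or truncated frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for a tagged Ethernet header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError(f"not 802.1Q tagged (TPID 0x{tpid:04x})")
    vid = tci & 0x0FFF
    if vid == 0xFFF:
        raise ValueError("VID 0xFFF is reserved")
    return TaggedFrame(dst.hex(":"), src.hex(":"), (tci >> 13) & 0x7,
                       (tci >> 12) & 0x1, vid, ethertype, frame[18:])


def classify(frame: bytes) -> dict:
    """Apply the slides' policy: guest VLAN reaches the internet uplink only, employee VLAN
    reaches the corporate network, anything else is dropped; PCP selects the CoS queue."""
    f = parse_frame(frame)
    if f.vid == GUEST_VID:
        egress = "internet-uplink"
    elif f.vid == EMPLOYEE_VID:
        egress = "corporate"
    else:
        egress = "drop"          # VID 0 (priority-tagged only) or a VLAN not in the plan
    return {"vid": f.vid, "egress": egress, "pcp": f.pcp, "cos": PCP_CLASS[f.pcp]}


# Constructed sample frames (MAC addresses and payloads are made up for this example).
AP_MAC = "00:11:22:33:44:55"
SAMPLE_FRAMES = {
    "guest web":      build_frame("aa:bb:cc:00:00:01", AP_MAC, pcp=0, vid=GUEST_VID, payload=b"GET /"),
    "employee voice": build_frame("aa:bb:cc:00:00:02", AP_MAC, pcp=5, vid=EMPLOYEE_VID, payload=b"RTP"),
    "employee ftp":   build_frame("aa:bb:cc:00:00:03", AP_MAC, pcp=1, vid=EMPLOYEE_VID, payload=b"RETR"),
    "stray vlan":     build_frame("aa:bb:cc:00:00:04", AP_MAC, pcp=0, vid=200),
}


def sample_decisions() -> dict:
    """Classify every constructed frame; returns {name: decision}."""
    return {name: classify(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:15s} vid={d['vid']:<4d} pcp={d['pcp']} cos={d['cos']:<12s} egress={d['egress']}")
```

The parser rejects untagged frames rather than guessing a VLAN, which mirrors what a switch port in the guest design should do: a frame with no tag from the AP's uplink has no business on either VLAN, and a VLAN ID outside the plan is dropped instead of being bridged to the corporate side.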
  • #6 Remote clients can access the corporate network over SSL VPN from anywhere with internet access. The firewall supports simultaneous SSL VPN tunnels and user authentication through a RADIUS server: VPN users are authenticated by the RADIUS server before they can reach the corporate network. VPN user traffic is protected over the air by SSL with AES 128-bit encryption.
  • #7 The admin PC is connected to the network over 1000BASE-T Ethernet using a port-based static VLAN. The PC has personal firewall and antivirus software installed. The admin PC must first be authenticated as the administrator through the RADIUS server over 802.1x, which helps prevent unauthorized users from gaining administrator privileges. The Layer 3 switch is managed by web GUI with SSL HTTPS encryption, SSH telnet, command line interface (CLI) with SSH, or SNMP (Netgear, 2012). The access controller can be managed over the management VLAN through the HTTPS web GUI, telnet with SSH, and SNMP (Netgear, 2012). The PoE switch can be maintained through SSL web GUI or SNMP, and also offers port-based security through MAC filtering (Netgear, 2012). The access point can be configured through HTTPS web GUI, SSH telnet, CLI with SSH, and SNMP (Netgear, 2009). The firewall can be managed through HTTPS web GUI, SSH telnet, or SNMP (Netgear, 2010).