
Post on 28-Dec-2015

QoS and Security Decisions in WiFi Telephony

Jonathan Zarkower
Director – Product Management

The Intelligent Wireless Networking Choice

Agenda

• Setting a Framework
• Next Generation Requirements/Architectures
• Summary
• Q&A

Setting a Framework

WLAN Adoption Trends

Early Adopters, 1998-2000
• Limited client availability
• Standards emerging; proprietary implementations
• Technology push vs. business pull
• Trials, pilots, “islands” of limited deployment
• Interoperability and scalability not proven out

Large-Scale Adoption, 2001-2004
• Pervasive clients
• Strong, standards based foundation; adequate security broadly available
• Business cases established
• Management model and tools exist
• Large-scale deployment successes
• Interoperability enforced (WiFi)

MultiService Generation, 2005+
• Multi-purposed “smart” clients
• Next Gen Standards; .11n, .11k, TR-59, etc.
• WLAN-based Triple Play; QoS enabled
• Wholesaling, client Auto-provisioning, Managed WLAN Services
• “WiFi Everywhere”

Over the next two years, WLANs will represent the emerging point of convergence for other leading technology sectors including Security, VoIP and RFID.

Fourth Generation WLANs

Typical Multi-Service WLAN System

• Access devices integrate with wireline network and deliver core WLAN services
• Controller/Switch enables enhanced WLAN services
• Centralized management system provides scalability

[Diagram: Central Site/Campus with WLAN Management, VLAN Switch/Router, Controller/Switch, Access Points, and AAA, VPN, DHCP Servers; LAN/WAN Backbone; Remote Sites with Secure WLAN Gateway]

A View of Current WLAN Services

[Diagram: Multi-Service Operating System. WLAN Services: Public & Guest Access, Secure Data, Voice, Multi-Media, Mobile Business Apps. Networking Functions: Multi-Layer Security, WLAN RF, Wireline/Wireless Integration, Network QoS. End-To-End Management.]

• Multi-Service OS can deliver multiple WLAN services per network
• Separate SSID/BSSID per service ensures client interoperability
• Each service tunable for optimum application performance
• Multiple instances of any service provide flexibility

Key System Service Features

Secure Data
• Layer 2 (802.1x, WPA, WEP, MAC auth)
• Layer 3 (complete VPN security, IP filtering)
• Integrates with corporate AAA database

Voice
• Flexible handset support
• Service-Aware soft-phone support (SIP, H.323)
• Fast hand-off/roaming, extended battery life

Multimedia
• 802.11e EDCA and Service-Aware QoS
• Wireline QoS integration (802.1p, TOS/DiffServ)

Mobile Business Apps
• Configurable QoS and security policies for specialized client devices

Public and Guest Access
• “Zero-config” client ease-of-use
• Multiple security and QoS profiles
• Support for major back-end billing services

Secure Data Services

Layer 3
• IP address filtering limits destination addresses
• VPN termination, aggregation, or filtering
• Stateful Firewall provides session-aware security

Layer 2
• Traffic segregation and VLAN mapping per SSID
• 802.1x authentication leverages existing AAA db
• Layer 2 Isolation provides security at the client level

[Diagram: client on SSID=Employee, Security=VPN; LAN/WAN; WLAN Gateway; Data Center with AAA and VPN Server]

Toll-Quality Voice

• Broad QoS support for VoWLAN handsets
  • SpectraLink, 802.11e, Vocera, SIP and H.323 soft phones
• Transparent client subnet roaming support
• Traffic segregation and IP filters reinforce security
• Support for 3rd party power-save modes

[Diagram: Seamless Subnet Roaming. Handset on SSID=VOICE, Security=WEP, IP Filter=VoIP G/W, QoS=P1; Subnet “A” and Subnet “B”; Router; Data Center with Employee Server and VoIP Gateway]

Multimedia

• 802.11e EDCA QoS protocol support
  • Four classes of service enable rich multimedia applications
• Service-Aware QoS for non-protocol client devices
  • Enables legacy devices to access QoS
• Mapping to wired network QoS policies
  • 802.1p and TOS/DiffServ integration

[Diagram: Switch/Router; Video Server; SSID=VIDEO, Security=Open, Filter=Video server, QoS=P2; SSID=Multimedia, Security=WPA, QoS=802.11e; Surveillance; Video Conference; Internet]

Mobile Business Applications

• Configurable security policy
  • MAC authentication and IP filters provide strong security for weak client devices
• Separate SSID/BSSID per service
  • Ensures compatibility with 3rd party devices
  • Configurable Power Save signaling
• Configurable QoS policy
  • Enables applications to be prioritized
  • Per AP flexibility enables tuning per RF footprint

[Diagram: Specialized Client Devices: Barcode scanners, Asset Tracking, Tablet Computer]

Any client device, user category, application type

Public/Guest Internet Access

• “Zero configuration” user interface
  • Adapt to client PC configuration (IP add., web proxy, etc.)
  • Web redirect and authentication simplifies login
  • Adaptive NAT™ ensures user access to VPN applications
• Flexible AAA support
  • Interoperates with 3rd party billing services
  • Supports variety of business models (scratch card, credit card, etc.)
  • Usage or elapsed time session accounting
• Rich access control features
  • Captive portal support enables private content delivery
  • Web proxy redirect and black list support controls user destinations
  • Configurable bandwidth management limits access to Internet bandwidth per user, or per service

Centralized WLAN System Management

• Optimizes total cost of ownership
  • Centrally managed WLAN device and security policies
  • Auto discovery, configuration and firmware management
  • Group policies simplify network operation
• Scalable to manage 1000’s of devices and users
  • Must work with distributed campus and branch topologies
  • 3rd party NMS integration
• Centralized WLAN Monitoring
  • Comprehensive Rogue AP detection
  • Performance and troubleshooting tools
• Multi-vendor AP management
  • Ease of migration from legacy to next generation

Management Tools Reduce TCO

Ease of Deployment Tools
• Automatic channel selection
• Auto Power
• Ongoing RF optimization to ensure consistent client performance

Strong Network Operations Tools
• Packet capture
  • Remote debug tool to work with standard protocol analyzers
• Client data rate matrix
  • Quickly identify client performance problems and optimize RF coverage
• Client authentication trace
  • Identifies complex association and authentication problems with plain English messages
• Syslog
  • Provides real-time information to network operators
• SNMP
  • Standards-based Fault Management, Configuration, Accounting, Provisioning, Security

Next Generation Requirements/Architecture

Next Gen WLAN Requirements

• Scalability – Single architecture fits centralized and distributed organizations, large and small facilities
  • “WLAN adoption will accelerate over the next two years, with more than 50% of organizations deploying WLAN by 2006”… Meta Group
• High performance – >100 Mbps client bandwidth with QoS for multimedia applications
  • 802.11n (MIMO), VoWLAN QoS
• Reduced cost – TCO competitive with wired Ethernet
  • Installation, operation and equipment costs
• Rich services – Business mobility applications, plus access to wired network services
  • NAC, location-based applications, RFID

Current WLAN Architectures

Advantages
• Layer 2 security
  • Strong access control and privacy
  • Seamless roaming with security
• Ease of deployment and operation
  • Centralized management
  • Automatic RF configuration

Challenges
• Scale
  • Sq ft “sweet spot” doesn’t fit very small or large facilities
• Performance
  • 10 VoWLAN session limit
  • Fork-lift upgrade for 802.11n
• Cost
  • $1.10 per sq ft.

Fourth Generation Architecture

• Distributed intelligence increases performance and scalability
  • X more voice sessions
  • 10x larger networks
  • 50% better QoS (jitter and latency)
• Data processing at WLAN edge reduces cost by ½
  • $0.5 per sq ft
• Separate WLAN control and management appliances provide smooth upgrade to 802.11n
• Distributed processing increases service reliability

[Diagram: LAN with three planes. Data Plane: client packet forwarded. Control Plane: client access & QoS control, roaming. Management Plane: WLAN RF & system mgt. Devices shown: Switch/Controller, NMS, Access Points]

Summary

• Voice is one of many services being added to WLAN
• Unique requirements exist for WLAN voice, as well as other services
• WLAN leverages existing wired LAN QoS for end to end toll quality voice
• Current architectures provide benefits, add challenges
• Fourth Generation approach answers the challenges

Thank You!

Questions?