
JOIN: community.arubanetworks.com
FOLLOW: @arubanetworks
DISCUSS: #airheadsconf

CONFIDENTIAL
Copyright 2012. Aruba Networks, Inc.
All rights reserved
Keith Mataranglo
Aruba Networks
Germany
May 21st, 2012

MOBILE DEVICE FUNDAMENTALS

TODAY'S NETWORK

MOBILE DEVICE TYPES

Figure: device types by mobility: Highly Mobile Devices (HMD), Somewhat Mobile Devices (SMD) and Stationary Devices; examples range from a wireless scale to a laptop.


Mobile Device Fundamentals Topics

Device Characteristics: Portability, Applications, 802.11 support, Management

WLAN Requirements: Roaming, QoS and Access Control, Speed and capabilities, Security

Aruba Design Pillars: Device Configuration, Airtime Optimization, Roaming Optimization, IP Mobility Configuration, IP Multicast Optimization, Interference Resistance

Principles of Optimizing the WLAN
1. Device Configuration
Some device changes require corresponding changes to the WLAN infrastructure, e.g., basic rate support and DTIM.
2. Airtime Optimization
Roaming devices are sensitive to RF congestion and inefficiencies. Improve performance using load balancing across APs and channels.
3. Roaming Optimization
Roaming decisions can be influenced by optimizing data rates, output power and retry thresholds, and by using the Handoff Assist feature.
4. IP Mobility Configuration
Good IP mobility design is critical. Selection of layer-2 (L2) or layer-3 (L3) roaming requires careful planning.
5. IP Multicast Optimization
Reducing and optimizing multicast traffic over the air and on the wire is vital.
6. Interference Resistance
Devices are likely to encounter and be impacted by adverse RF conditions.

Principle #1: Device Configuration

Optimal device settings:
Shared or dedicated SSIDs
Enable 802.11h (DFS/TPC)
Maximize battery life
End-to-end QoS for voice devices
Push-to-talk (PTT)
Security and encryption
Mobile device management (MDM)

Mobile Device RF Components

Figure: internal radio and WLAN NIC with antenna.

Don't do this!!

Mounting APs for Coverage

Figure: ceiling-mounted vs. wall-mounted AP.

Principle #2: Airtime Optimization

RF Optimizations:
Band steering
Spectrum load balancing
Airtime fairness
Mode-aware ARM
Voice/Video-aware ARM
Load-aware ARM
PS-aware ARM
Reducing broadcasts and multicasts
Limiting chatty protocols
AP capacity planning (voice devices)

Principle #3: Roaming Optimization

Ensuring complete Wi-Fi coverage
VLAN pooling
Fast roaming (802.11r and OKC)
Device-specific roaming settings:
ARM power adjustments (match client and AP power)
Retry and failure settings (voice devices)
PMK caching results in 4x faster roaming speeds than non-PMK caching.

Principle #4: IP Mobility Configuration

Layer 2 mobility (L2 mobility design): the client maintains its IP address as it roams and is assigned an address from the same IP subnet.

Layer 3 mobility (L3 mobility design): the user roams from AP subnet A to AP subnet B, so the layer 3 network address must change to maintain L3 connectivity on subnet B. Aruba L3 Mobility allows the roaming client to maintain the same IP address.

Principle #5: IP Multicast Optimization

Effects of multicast: reduce multicast traffic over the air and the wire to improve channel efficiency
IGMP snooping/proxy to eliminate unnecessary data replication and controller processing
Multicast rate optimization to increase the lowest base rate
Dynamic multicast optimization (DMO) to send multicast frames with unicast headers
Use of ToS/QoS on controller and wired infrastructure, user- or port-based session ACL
Block mDNS (if not required) with user roles
Use bandwidth contracts to protect unicast traffic

Principle #6: Interference Resistance

FHSS and non-802.11 interference
Noise immunity
Fixed frequency interference
802.11 co-channel (CCI) and adjacent channel interference (ACI)
RX sensitivity-based channel reuse
Aruba Spectrum Monitor

TOPIC OVERVIEW

Device Profiling

Management Tools

Policy Enforcement

Overview

MANAGED VS. UNMANAGED DEVICES

Figure: any user, any device (iOS, Android, Ultrabooks), any network (WLAN, VPN); goals: security, reliable and intuitive access, simplified management.

Overview

MANAGED DEVICES

Primarily Windows laptops
Managed using Windows Active Directory policies
Client 802.1X supplicant is configured by IT staff to connect securely
Applications can be limited by user
Machine authentication can be enforced
WLAN policies or VPN software can be configured by IT staff

Overview

UNMANAGED DEVICES

Network services are needed for unmanaged devices to access the WLAN securely

Figure: service areas: Management (network management, controller management), Mobility (WLAN), Access (WLAN policy).

TOPIC OVERVIEW

Overview

Management Tools

Policy Enforcement

Device Profiling

DEVICE PROFILING AND ROLE

Type of device allowed on the WLAN
Role determines access: firewall policy, bandwidth constraints, VLAN, QoS

Based on AOS 6.0.1 or 6.1.1

OS FINGERPRINTING PURPOSE

OS fingerprinting allows the Aruba controller to classify the device type (iOS, BlackBerry, etc.) and assign a role.

Two methods:
Monitor the dhcp-option (User Class Option) included in the client's request
Browser HTTP user-agent string identification: watches HTTP traffic from the station looking for the user-agent string

FINGERPRINTING PROCESS

Identify the device value of the DHCP option
Create a firewall role
Write and apply a user derivation rule

IDENTIFYING THE DEVICE SIGNATURE

Enable DHCP debugging:

# configure terminal
# logging level debugging network subcat dhcp

View debug output:

# show log network all | include Option

Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936


CREATE FIREWALL DERIVATION RULE

Inspection and role assignment enabled through User Derived Rules (UDR)
New UDR condition: dhcp-option

aaa derivation-rules user abc
set role condition dhcp-option equals 370103060F77FC set role ios
set role condition dhcp-option starts-with 0c616E64726F69645F set role android
set role condition dhcp-option equals 3C426C61636B4265727279 set role blackberry

Note that 370103060F77FC means DHCP option 55 (hex 37) and the value is 0103060F77FC.
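The following is an added example, not code from the slides or from ArubaOS: it parses the Options field of the DHCP debug line shown earlier and evaluates dhcp-option derivation rules of the equals / starts-with form above, in order, to derive a role. The rule hex strings and the first log line come from the slides; the two extra log lines, the helper names and the default role "guest" are assumptions.

```python
import re

# Constructed samples. The first is the slide's debug line joined onto one line;
# the other two are made up to exercise the iOS and Android rules.
SAMPLE_LOG = ("Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: "
              "REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 "
              "37:0103060f0c 0c:4e502d4b3041304458303236373936")
SAMPLE_IOS = ("<DBUG> |dhcp| Datapath vlan1: REQUEST 00:11:22:33:44:55 "
              "reqIP=192.168.1.50 Options 36:c0a80103 37:0103060f77fc")
SAMPLE_ANDROID = ("<DBUG> |dhcp| Datapath vlan1: REQUEST 66:77:88:99:aa:bb "
                  "reqIP=192.168.1.51 Options 36:c0a80103 37:0103060f1c333a3b "
                  "0c:616e64726f69645f6162633132")

# Rules in the order shown on the slide; first match wins. Each pattern is the
# option number as one hex byte followed by the option value in hex.
RULES = [
    ("equals", "370103060F77FC", "ios"),                 # option 55 parameter list
    ("starts-with", "0c616E64726F69645F", "android"),    # option 12 hostname "android_"
    ("equals", "3C426C61636B4265727279", "blackberry"),  # option 60 vendor class
]

def parse_options(line):
    """Return {option_number: value_hex} from the Options field of a debug line.
    Option numbers in the log are hex (36 -> 54, 37 -> 55, 0c -> 12)."""
    m = re.search(r"Options\s+(.*)$", line)
    if not m:
        return {}
    opts = {}
    for tok in m.group(1).split():
        num, _, val = tok.partition(":")
        opts[int(num, 16)] = val.lower()
    return opts

def match_rule(options, op, pattern):
    """Apply one dhcp-option condition ('equals' or 'starts-with')."""
    num, want = int(pattern[:2], 16), pattern[2:].lower()
    have = options.get(num)
    if have is None:
        return False
    return have == want if op == "equals" else have.startswith(want)

def derive_role(line, rules=RULES, default="guest"):
    """Assumed default role 'guest' stands in for the WLAN's initial role."""
    options = parse_options(line)
    for op, pattern, role in rules:
        if match_rule(options, op, pattern):
            return role
    return default

def decode_ascii(hexval):
    """Show a text-valued option (hostname, vendor class) as ASCII."""
    return bytes.fromhex(hexval).decode("ascii", errors="replace")

if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_IOS, SAMPLE_ANDROID):
        print(derive_role(sample), decode_ascii(parse_options(sample).get(12, "")))
```

The slide's own log line matches none of the three rules (its option 55 value is 0103060f0c and its hostname is NP-K0A0DX026796), so it falls through to the default role; since every option value is supplied by the client, treat the derived role as a classification hint for policy, not as proof of device identity.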

CONFIGURATION IN WEB UI

TOPIC OVERVIEW

Overview

Device Profiling

Policy Enforcement

Management Tools

MOBILE DEVICE ACCESS CONTROL

Figure: three components:
802.11n Wi-Fi: device fingerprinting, security and bandwidth policies by device, role based access, multimedia grade
Web Login Server: self-service device configuration portal, device authorization
Management Server: device and OS visibility, troubleshooting and capacity planning

Management Tools

DEVICE MANAGEMENT VS ACCESS CONTROL

Access Control: protect the network; restrict usage and bandwidth; device-level visibility

Mobile Device Management (MDM): configure net/sec settings; remote wipe and remote control; manage applications and firmware
Management Tools

WHEN TO USE MDAC & MDM

Spectrum from Employee Liable to Corporate Liable (business-specific email, intranet, apps)

Employee Liable, use MDAC only: remotely configure network access; protect network; device visibility; cost-effective

Corporate Liable, use MDAC + MDM: remotely configure network access AND applications; protect network AND device data; device troubleshooting

Management Tools

IT POLICY

Tolerated (Employee Liable), Employee Owned (BYOD): partially secured and controlled; limited to safe interactions

Trusted (Corporate Liable), Corporate Issued: fully controlled and secured; unrestricted

Management Tools

MOBILE DEVICE PROVISIONING

Bring Your iPad to Work

Figure: 802.11n AP, Mobility Controller, Amigopod and Active Directory; steps: 1. User fingerprinting, 2. Device fingerprinting, 3. iPad self registration, 4. Context aware access control.

Zero IT touch, context aware access
Auto-identification of user, device, application
Monitoring, reporting per user and per device
TOPIC OVERVIEW

Overview

Device Profiling

Management Tools

Policy Enforcement

SECURE NETWORK ACCESS FOR MOBILE DEVICES

1. Provision device
2. Invoke a policy
3. Enforce policy

Policy Enforcement

AUTOMATE DEVICE CONFIGURATION

Figure: device, Access Network, Policy Manager Server, VPN.

1. Connects to web portal
2. Configures 802.1X, VPN and e-mail and provisions device credentials
3. Application installer (*Windows only at launch)

Policy Enforcement

CONTROL COMPROMISED DEVICES

Figure: Access Network, Policy Manager.

Detect unsecure devices
Minimal risk to network
Block access to network resources across wired, wireless and remote
Auto-remediate the device
Policy Enforcement

AUTOMATE ACCESS

Figure: New Visitor, Policy Manager, Access Network, Sponsor.

1. Collect visitor information
2. Sponsor prompted to confirm that guest is valid
3. Account enabled, visitor notified via screen, SMS, or email
Policy Enforcement

ACCESS POLICY

BYOD Policy: allow personal devices into a limited access zone (LAZ)
Executive Class Policy: deliver executive traffic with higher priority
Multimedia Policy: optimize delivery of Lync traffic over the air
Unauthorized Use Policy: disable rogue AP, blacklist user
Device Revocation Policy: disable device access, not user access, if stolen/lost
Device Quarantine Policy: quarantine unhealthy devices for remediation
New Certification!

Aruba Certifications

Figure: product training certifications (ACMA, ACMP, ACMX, ACDX; mobility and mesh) and CCxx, MCxx, CWxx alongside the new ACSP.

Aruba Certified Solutions Professional (ACSP) Certification:
End-to-end, solutions based
Open to all IT engineers
Practical training on RF, secure network access and mobile devices
Become one of the few experts on secure mobility. Make a good move for your career, get certified.

ACSP Training Classes

Part 1 (April, 2012): Module 1: 802.11 RF Fundamentals; Module 2: Wi-Fi Authentication & Encryption; Module 3: Mobile Device Wi-Fi Best Practices

Part 2 (August, 2012): Module 4: RF Design in Challenging Environments; Module 5: Centralized WLAN Design; Module 6: Mobile Device Management & Security

Part 3 (January, 2013): Module 7: Advanced Topics in Wi-Fi Design; Module 8: WLAN Security for Compliance; Module 9: Multimedia and UC Services over Wi-Fi
