Figure 1: The Role of the Bluesocket Wireless Gateway in a WLAN

Transcription

1 Bluesocket Overview Bluesocket manufactures a family of Wireless Gateways that provides security, management, and mobility for Wireless LANs (WLANs). The Bluesocket Wireless Gateway (WG) is typically deployed on the trust boundary between the WLAN access points and the wired LAN, and aggregates all wireless traffic before it reaches the secured, corporate network. This deployment model requires no changes to the existing wired network or user client software (as shown in Figure 1). Figure 1: The Role of the Bluesocket Wireless Gateway in a WLAN The WG mediates access between the wireless or un-trusted network (i.e., the managed side of the WG) and the wired or trusted network (i.e., the protected side of the WG). Two WGs may be coupled to provide fault-tolerant operation, and multiple WGs may be installed for large sites with higher data density requirements. User Authentication By default, the Bluesocket Wireless Gateway blocks all traffic. To verify the identity of a user, the WG provides several alternatives for authentication. Once the user submits a username and password (or other credentials) from his or her wireless device, the WG first checks its internal user database (for stand-alone use) and then an external RADIUS, LDAP, Active Directory, or Kerberos authentication server in turn for a valid match. If a match is found, the WG grants the user access to the network. If the WG cannot authenticate the user, the user is denied access. If 802.1x Transparent or NTLM/Transparent Windows authentication is available on the network, the WG passively monitors the connection and then transparently authenticates the user into a role without the need for the user to separately log into the WLAN. Role-based Authorization After the user is authenticated, the WG uses role-based authorization to define which network resources and destinations in the enterprise the user may access, the Revision: 2.5 Page 1

2 bandwidth he or she may use, and whether a secure tunneling protocol such as IPSec or PPTP is required for the user connection. Figure 2 illustrates how a Role is configured on the Bluesocket WG using the WG s HTML-based administrator interface. Figure 2: Configuring a Role on the WG Bluesocket s unique role-based approach provides convenient management of privileges for different categories of users. Bluesocket Wireless Gateways match user permissions to your organizational structure. IT Administrators can define destinations (such as a finance server, router or IP address subnet), services (such as HTTP, FTP, or POP3), user locations, time/date schedules, and available bandwidth to control which users have access to each resource. Multiple service and destination groups simplify policy creation, and reduce the complexity and cost of administration of large-scale networks. Figure 3: Sample Roles Configured on the WG Revision: 2.5 Page 2

3 Secure Mobility In addition to providing comprehensive security and policy management, the Bluesocket Wireless Gateway provides Secure Mobility. Secure Mobility, or subnet roaming, is the ability for mobile users to cross subnet boundaries without losing network connectivity or having to re-authenticate or re-establish a VPN connection. This feature does not require any client software or configuration of the client. The Bluesocket Wireless Gateway makes the network infrastructure smart enough to provide this functionality without having to touch the wireless client. Compatibility and Interoperability Figure 4: The Bluesocket Secure Mobility Matrix Bluesocket Wireless Gateways support any Wireless Access Point/NIC manufacturer, technology, or standard. As a gateway, the Bluesocket solution requires only IP traffic over Ethernet. Use of the Bluesocket Wireless Gateway allows a single consistent approach to securing and managing WLANs in any environment, today and in the future. The gateway approach allows for the rapid adoption of new wireless technologies and vendors without having to re-invent security and policy management or having to secure and manage different users/devices/networks in different ways. The Bluesocket Wireless Gateway can also be used to secure wired connections. Many Bluesocket customers run conference room (or other public access) Ethernet ports through the same WG. Many educational institutions have deployed WGs to secure and manage their ResNet deployments for wired and wireless ports. Revision: 2.5 Page 3

4 How Bluesocket Secures Your Network The un-trusted wireless traffic is isolated and directed to the Bluesocket Wireless Gateway(s) through VLANs or dedicated hubs/switches. The Bluesocket Wireless Gateway can support one or multiple VLANs on both the Managed (wireless) and Protected (wired) sides of the gateway. A user/device that connects to the wireless network is given an IP address and then forced to authenticate through the Bluesocket Wireless Gateway. The Bluesocket Wireless Gateway can act as a DHCP Server or forward a DHCP request through DHCP Relay to an existing DHCP Server. If the Bluesocket Wireless Gateway functions as the DHCP Server, Network Address Translation (NAT) between the Managed and Protected interfaces is an option. Authentication Methods There are many different methods of authentication supported in the Bluesocket Wireless Gateway. Any combination of authentication methods can be configured simultaneously. This is important because not all devices and operating systems have the same authentication capabilities, and it is possible that not all users exist on the same authentication servers. You can configure the Bluesocket Wireless Gateway to support one or more of the following authentication methods simultaneously: Microsoft NTLM/Active Directory RADIUS LDAP 802.1x/WPA Local WG Database MAC Address Digital Certificate Cisco 802.1x EAP-FAST Kerberos Cosign Pubcookie Central Authentication Server (CAS) Based on how a user or device is authenticated, or who the user or device is defined as on an authentication server (by an attribute in LDAP for example), the WG places the user into a Role. As described earlier, Roles determine user bandwidth, encryption, and access. Intrusion Detection and Worm Protection Unlike signature based tools or OS-specific scanners, Bluesocket has implemented realtime monitoring of Wi-Fi users' data to detect malicious traffic based on the users' actual behavior without requiring any client-side software. This enables administrators to automatically block network access to hackers or worm infected users even for zeroday attacks well before traditional signature-based tools have updates available. Revision: 2.5 Page 4

5 VPN Tunneling Protocols The Bluesocket Wireless Gateway terminates IPSec and PPTP tunnels. By using the Bluesocket Wireless Gateway Role-based architecture, the network manager has the capability to determine whose data traffic must be encrypted. Bluesocket supports many different IPSec clients including: Native Windows 2000/XP IPSec clients (including L2TP/IPSec) Safenet SSH Funk AdmitOne Certicom Movian PGPNet FreeSWan MAC OS 10.2 Bluesocket also terminates any standard 40-bit and 128-bit PPTP client. Different types and strengths of encryption can enforced for different users and devices with the WG s Role-based architecture. This is very important because not all devices, operating systems or VPN clients have the same encryption capabilities. In addition different types and strengths of encryption may be required based on the sensitivity of what certain users are given access to in their Roles, the horsepower of the device or based on ease-of-use considerations. Data Encryption The Bluesocket Wireless Gateway supports all levels of DES and AES encryption and the use of pre-shared keys/passwords or x.509 certificates for VPN tunnel authentication. Bluesocket Wireless Gateways ship with Bluesocket Certificates/ Certificate Authority as well as the ability to use third-party certificates such as Verisign, Entrust, or any x.509 certificates. Bluesocket does not require any proprietary software to be placed on the client. If encryption is required, the client will have to have some encryption client or capability available (such as the IPSec client built into Windows XP). Firewall Services The Bluesocket Wireless Gateway is also a stateful firewall. This enables the network manager to control what traffic (port/protocol numbers) is allowed in which directions (wired to wireless, wireless to wired, or both) to what destinations (servers, networks). Bluesocket s Role-based architecture allows you to give the appropriate level of access to disparate users and devices. As a stateful firewall, the Bluesocket Wireless Gateway provides very granular control of how the WLAN can be used and by whom. Bandwidth Control Bandwidth control is very important because a WLAN is a shared and limited resource. The ability to limit bandwidth by user/device or group of users allows the protection of business critical applications and users. Applications such as VoIP need to be protected from other users, devices, and applications. Revision: 2.5 Page 5

6 The Bluesocket End-user Experience As with the introduction of any new technology it is very important to understand the effects on the end-user population. The end-user experience of the Bluesocket Wireless Gateway largely depends on the authentication method(s) enabled. As mentioned earlier, the Bluesocket Wireless Gateway can support any combination of authentication methods simultaneously. Transparent Authentication With some authentication methods the Bluesocket Wireless Gateway is transparent to the user. These methods include NTLM/Active Directory Domain Authentication, 802.1x and straight MAC-based authentication (MAC authentication can also be combined with another user authentication method). A transparent Domain Authentication means that the user connection process is no different than that on a wired connection. The Bluesocket Wireless Gateway is intelligent and identifies users who are trying to log into the Domain and dynamically communicates with the defined Domain Controllers in the Bluesocket configuration. If successful, the user is not only logged into the Domain but is also placed into a Role in the Bluesocket Wireless Gateway based on which Domain Controller the user authenticated against, or some user attribute returned by Active Directory. Web-based User Logins When leveraging Bluesocket s native authentication directory or an external RADIUS or LDAP server, a user typically authenticates via an SSL login screen returned to the user when he or she launches a web browser as shown in Figure 5. Figure 5: The Default User Login Page Revision: 2.5 Page 6

7 Customizing the User Login Page The WG login screen can be customized using standard HTML to create the look, feel or branding desired. Many customers also include instructions, usage/policy statements and tech support information on this login screen. On this login screen there is a username and password box for Registered Users and possibly a Guest Login box. Bluesocket provides default user login prompts in six languages: English, Spanish, French, Italian, Swedish, and Portuguese. You can also supply your own login prompt translations in other languages. You can create multiple custom user login pages to display for each possible user location (i.e., physical interface, VLAN, or remote subnet) in your network. The Un-Registered Role To enable use of this web-based login, there is a default Un-Registered Role in the Bluesocket Wireless Gateway. The Un-Registered Role is where users/devices are placed after they get their IP address. The Un-Registered Role only allows DNS outgoing (from the wireless-to-wired direction in the stateful firewall). DNS is allowed so that the user can launch their browser. The Bluesocket Wireless Gateway intercepts this web page request and returns the customized login page. Until a user logs in, he or she will not be granted any access to the network. Once the user authenticates, he or she is placed into a Role as described previously. Guest or Visitor Access Many Bluesocket customers require the ability to allow guests or visitors at their locations to be able to access the Internet or other resources on their network. Guest access may be required for customers, partners, or consultants who visit the customer s site. These customers need to provide this access but only in a controlled, secure manner. There is an optional Guest Role which can be enabled in the Bluesocket Wireless Gateway that satisfies this need. If enabled, a Guest Login box will appear on the customized login screen describe earlier. To login as a guest, a user only needs to provide their address. The Guest Role is a Role like any other, so it determines bandwidth, encryption and access for the user. But the Guest Role is unique in that the user need not exist as a user on any authentication server. Most Guest Roles allocate only a small amount of bandwidth. This prevents guests from adversely affecting the level of service for those whom the WLAN is primarily intended the employees and operations of the company. In addition, the Guest Role does not require encryption, blocks access to the private corporate network, and only allows access to the Internet, so the guest can surf the web, check , or VPN back into his or her own corporate network. Providing for Scalability, Management, and Mobility There are currently three models in the Bluesocket Wireless Gateway product family. All have the same features/functionality and run the same system software. None of the models restrict the number of wireless access points that can be on the Managed (wireless) side of the gateway. Revision: 2.5 Page 7

8 Bluesocket Wireless Gateway Product Family Bluesocket offers a range of scalable Wireless Gateways to support enterprise WLAN deployments from the network edge to the core. The Bluesocket WG-1100 SOE (Small Office Edition) supports small offices and workgroups of 15 concurrent users; while the WG-1100 can support entire office floors of up to 100 users (at 30 Mbps encrypted/100 Mbps unencrypted); for medium to large enterprises, the WG-2100 offers hardwarebased encryption acceleration, delivering encrypted-data performance up to 150 Mbps, and up to 400 Mbps for clear, unencrypted traffic. For larger enterprises requiring higher throughput, and centralized WLAN management and control, the WG-5000 provides a core infrastructure platform supporting up to 1000 users with two Gigabit copper or fiber ports, delivering industry leading 400 Mbps performance for IPSec traffic, and 1 Gbps for clear traffic. Remote Management Capabilities Bluesocket Wireless Gateways are simple to manage and maintain. The primary means of management is through the SSL Web-based Graphical User Interface (GUI). This GUI, referred to as the administrator interface, is highly intuitive and well designed with a tab/menu-driven layout as shown in Figure 6. It is possible to create as many different levels of Administrator access as required to fit a given environment. Each Administrator account requires its own password and dictates what changes can be made to what components of the system. Figure 6: The Bluesocket HTML-based Administrator Interface The ability to create multiple levels of Administrator accounts is very important when you have different levels of network administrators supporting and trouble-shooting a large network, such as a help desk worker, network admin, network manager, and network architect. In addition to creating different Administrative users, it is also possible to control where the WG can be managed from (defined by IP address/es or subnet/s). Bluesocket Wireless Gateways can be managed using SNMP as well. The Bluesocket Wireless Gateways support V2c and V3 SNMP Agents and MIB II. In addition to MIB II support, Bluesocket also provides its own private MIB for SNMP. Using this private MIB, it is possible to manage the gateways through network management platforms such as HP OpenView or Tivoli. Revision: 2.5 Page 8

9 Multiple-gateway Deployments Depending on the scale of the WLAN deployment or the network design there may be one or multiple Bluesocket Wireless Gateways deployed at any given location. If multiple Bluesocket Wireless Gateways exist in a network infrastructure, whether at one or multiple sites, they can be managed centrally through the establishment of one of the WGs as a Master. If the same policy (Roles, Authentication Servers, etc.) is to be enforced in all locations, the establishment of the Master WG eliminates the need to manage each Gateway individually. Configuration and policy changes are only required on the Master. Once changes are committed to the Master, all other WGs are updated as well. This creates a meshed network architecture, providing consistent policy management across the enterprise regardless of where the user or device is located. It is important to understand that each Bluesocket Wireless Gateway is an integrated network appliance that can operates in stand-alone mode as a complete system. There are other wireless gateways and switches on the market that require multiple pieces, an edge device and a central controller. With these solutions, if the central controller goes down or becomes unavailable due to WAN link failures, each edge device becomes useless. Load Sharing The WG provides a load sharing feature for use in environments where many wireless clients log onto the network simultaneously via a limited number of access points. The load sharing feature should be used when the collective traffic load from a group of wireless and wired clients exceeds the throughput or CPU utilization limits of a single WG. Bluesocket WGs that share user traffic are members of a load sharing group (LSG).An administrator must first configure the replication feature for all WGs that are to have membership in an LSG. All WGs in the local replication setup are eligible for membership in a load sharing group, however a given load sharing group may have a maximum of six members. Logging and Monitoring Capabilities As with any network device detailed logging and monitoring is very important. The Bluesocket Wireless Gateway supports local logging (Figure 7) as well as Syslog. As for monitoring WLAN usage, the GUI can provide active user connection information. This active connection table displays username, IP address, MAC address, Role assigned, start time, authentication type/server and current and average bandwidth for each user. Revision: 2.5 Page 9

10 Figure 7: A Sample Bluesocket Wireless Gateway Event Log There are also snapshots (Figure 8) available that display how many total users are connected to the WLAN, how many have logged into the Bluesocket Wireless Gateway, how many have not logged into the Gateway, how many users are encrypted and the total bandwidth traversing the Gateway. Figure 8: A Sample Graphical Monitor Display Revision: 2.5 Page 10

11 Bluesocket Feature Summary This section summarizes the features provided by the Bluesocket Wireless Gateway. Interfaces The WG has three (3) Ethernet network interfaces as described below. Managed Interface The managed interface is either logically or physically connected to the wireless access points (untrusted network), where wireless users may authenticate receive network services. The purpose of the interface is to provide network connectivity between the WG and wireless clients. The interface is 10/100/1000 Mbps Ethernet with a RJ-45 connector (optional 1000Base-SX Fiber Interface available), except on the WG-1100 which only has 10/100 ports. Protected Interface The protected interface is either logically or physically connected to the corporate LAN (trusted network). The purpose of the interface is to provide network connectivity between the WG and the corporate or trusted network. The interface is 10/100/1000 Mbps Ethernet with a RJ-45 connector (optional 1000Base-SX Fiber Interface available), except on the WG-1100 which only has 10/100 ports. Failover Interface The failover interface can be connected via a cross-over cable to a second WG in order to provide redundant/backup capabilities. The interface is 10/100 Mbps Ethernet with a RJ-45 connector, except on the WG-5000 which offers a Gigabit failover port. Interface IP Addressing The administrator configures the protected interface with either a fixed IP Address or to receive an IP Address via DHCP with the following information to achieve network connectivity: DHCP Assigned (Enter the IP Address of your DHCP Server) Fixed IP (Enter the IP Address, Netmask, Gateway, Primary & Secondary DNS, Optional Default Domain, Hostname) The administrator configures the managed interface with either a fixed IP Address or to receive an IP Address via DHCP with the following information to achieve network connectivity: DHCP Assigned (Enter the IP Address of your DHCP Server) Fixed IP (Enter the IP Address, Netmask) The failover interface automatically becomes active when a redundant/backup WG is connected and no IP Addressing configuration is required. Interface Connection Settings The Bluesocket Wireless Gateway supports the following Ethernet Interface connection settings on both the managed and protected interfaces: Revision: 2.5 Page 11

12 Auto-Negotiate Speed and Duplex Fixed (10Mbps, 100Mbps, 1000Mbps) Half Duplex Full Duplex Multicast Support The WG supports Multicast Traffic (DVMRP) on both the managed and protected interfaces. Proxy ARP Support The WG supports proxy ARP on both the managed and protected interfaces. Client IP Addressing In order to gain network connectivity, clients on the managed side (i.e. wireless clients) must utilize an IP address. The WG supports the following IP addressing methods: DHCP Server The WG can provide DHCP Server services and allocate administrator configurable IP Address information (IP, Netmask, Gateway, and DNS) to wireless clients. Administrators can configure advanced WG DHCP Server options (vendor-classidentifier, dhcp-message-type, etc.) or their own custom DHCP Server option. DHCP Relay The WG can act as a relay to an existing DHCP server located on the protected network. The existing DHCP server will then serve IP Address information to wireless clients. Fixed IP Addresses The WG can be configured to recognize Wireless Clients utilizing fixed IP addresses. NAT Support The WG can provide Network Address Translation (NAT) services, to clients on its managed side (i.e. wireless clients). DNS Proxy The WG can act as a DNS Proxy, thus responding to all DNS requests from managed side clients (i.e. wireless clients), and proxy those requests to a administrator configurable DNS server located on the protected network. VLAN Support The WG supports IEEE 802.1q VLANs on both the managed and protected interfaces. Cryptographic Services You can define virtual private networks (VPNs) to secure a wireless user s connection to the WG and your network. The WG supports use of the following tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) Revision: 2.5 Page 12

13 IPSec (DES, 3DES, AES) Layer 2 Tunneling Protocol over IPSec (L2TP/IPSec) In addition to the above protocols, you can define and enable your own IPSec configurations and subnet VPNs. The WG implements the following FIPS-approved cryptographic algorithms to protect user data: SHA-1 (Certificate #169) per FIPS PUB Triple-DES (Certificate #187) per FIPS PUB 46-3 DES (Certificate #223) per FIPS PUB 46-3 AES (Certificate #76) per FIPS PUB 197 SNMP Support The WG supports SNMP V2c and/or V3 MIB-II for monitoring fault and performance characteristics. Logging The WG provides an administrator configurable level of local logging, which can be displayed on the administrator interface. Additionally, logs can be sent to an external syslog server, using a configurable syslog facility. Intrusion Detection System The WG provides an administrator-configurable Intrusion Detection System (IDS) to defend itself and the network it is protecting from intruders, worms, and other targeted attacks. The WG IDS detects and protects your network against many forms of intrusion, including: a flood of packets on one or more ports using one or more IP addresses sniffing, network mapping, ping flooding, port scanning, tcp-session oriented attacks noise generators users infected with Internet worms that scan or flood the network, and impact network performance negatively Configuration Backup-Restore Administrators can back up the running configuration on the WG either manually through the interface or by scheduling automatic backups at a predetermined interval. A backup configuration can be restored to the running configuration via the WG administrator interface. Revision: 2.5 Page 13

14 RADIUS Accounting The WG provides RADIUS Accounting messages, if enabled by the administrator, and will send the RADIUS Accounting attributes listed in Table 1. Table 1: RADIUS Accounting Attributes Sent by the WG Attribute Acct-Status-Type Description The client device's current accounting status. Possible statuses include ACCT_START and ACCT_STOP. The WG sends an ACCT_START frame to the accounting server when a client successfully authenticates through any supported external authentication server that has been configured to send accounting statistics to this RADIUS accounting server. When using a RADIUS or LDAP/Active Directory server for authentication, the WG sends an ACCT_STOP frame to the accounting server when a client logs out of the WG. When using a Transparent NTLM Windows server for authentication, ACCT_STOP messages are only sent when the user shuts off their computer. Simply logging out of the domain does not send an ACCT_STOP message. Calling-Station-Id Framed-IP-Address Acct-Session-ID MAC address of the client device. IP address of the client device. A unique account identifier to expedite matching of accounting records. The account identifier maps to the connection ID that is stored in the WG connection table. Note: This identifier is only unique to a specific NAS-Identifier (see the NAS-Identifier attribute below). User-Name Acct-Authentic NAS-Identifier NAS-IP-Address Acct-Session-Time Acct-Input-Octets User name that the WG uses to authenticate the user. The method by which the user is authenticated: 1 = RADIUS 2 = Local 3 = Remote (all other external authentication methods) Host name of the WG protected interface. IP address of the WG protected interface. The elapsed time in seconds that the client is logged in to the WG. The WG sends this attribute only with the ACCT_STOP status type. The number of octets received by the client over the wireless network since the client logged into the WG. This attribute is only present in Accounting-Request records of the ACCT_STOP status type. Revision: 2.5 Page 14

15 Attribute Acct-Output-Octets Acct-Input-Packets Acct-Output-Packets Description The number of octets sent by the client over the wireless network since the client logged into the WG. This attribute is only present in Accounting-Request records of the ACCT_STOP status type. The number of packets received by the client over the wireless network since the client logged into the WG. This attribute is only present in Accounting-Request records of the ACCT_STOP status type. The number of packets sent by the client over the wireless network since the client logged into the WG. This attribute is only present in Accounting-Request records of the ACCT_STOP status type. Time & Date The WG supports manual time and date entries or automatic updates via the Network Time Protocol (NTP). SMTP Redirection In certain circumstances, wireless users sending via SMTP may not have access to their home SMTP server due to ISP blocking for SPAM prevention. The WG supports redirection of SMTP traffic to an administrator-configurable SMTP server to allow wireless users forwarding capabilities regardless of their ISP s mail server configuration. Reporting The WG provides the capability to create and export Reports based on any logged attribute. Reports can be viewed via the administrative interface or can be exported in Text, CSV or XML format via FTP or . Diagnostics The WG provides advanced diagnostic and troubleshooting capabilities via the administrative interface including the following functions: Ping Trace Route Netstat ARP Show Running Processes Capture Traffic (Packet Capture Tool) Software Upgrades The WG software image can be upgraded by selecting the appropriate software image and uploading it to the WG via the administrator interface. Revision: 2.5 Page 15

16 Software Patches In certain circumstances, Bluesocket may issue a software patch instead of a complete image upgrade. The WG software can be patched by selecting the appropriate patch and uploading it to the WG via the administrator interface. The WG software image can be upgraded by selecting the appropriate software image and uploading it to the WG via the administrator interface. Switch Software Images The WG maintains two separate partitions, housing two separate software images. Administrators can switch between these images via the administrator interface. Replication When multiple WGs are installed in a network, they can operate as a mesh, where one WG, called the Replication Master, can replicate its configuration to other WGs in the mesh (called Replication Nodes). This greatly eases overall configuration maintenance, allowing the administrator to make changes on the master WG and have those changes propagate out to all other WGs in the mesh. Secure Mobility Secure Mobility, or subnet roaming, allows wireless users to move from access point to access point, including those connected on different subnets, without losing their connection or requiring them to reboot/re-authenticate. Load Sharing The WG provides a load-sharing feature to distribute user traffic on demand to support greater numbers of wireless users. An administrator may configure up to six to share user traffic loads in a WG load sharing group. Customized Login Page Administrators can create their own custom login page, logout pop-up and thank you pages for users to view by uploading HTML via the administrator interface. Bluesocket provides default user login prompts in six languages: English, Spanish, French, Italian, Swedish, and Portuguese. Administrators can also supply your own translations in other languages. Administrators can create multiple custom user login pages to display for each possible user location (i.e., physical interface, VLAN, or remote subnet) in your network. Schedules The WG supports the creation of schedules, to be used in setting user-based policies. A schedule can be based on time, date, day, week, month or various combinations. For example, a schedule called Work-Day can be configured as Monday through Friday, 9AM to 5PM and user policies can be enforced only during that period. Locations The WG supports the creation of locations, to be used in setting user-based policies. A location is represented as a VLAN on the managed side of the WG (i.e. wireless side). Revision: 2.5 Page 16

17 For example, a location called lobby could be linked to access points on VLAN#5 and user policies can be enforced only when a user is on VLAN#5 (i.e. in the lobby location). QoS The WG can apply the following QoS functions to wireless user traffic to ensure that no one user hogs all of the available bandwidth and that specific types of traffic are processed according to their priority. Bandwidth Management The WG can limit the maximum amount of bandwidth a user or group of users can send. For example, a guest can be limited to 128Kbps, while an executive can have a limit of 5Mbps. Prioritization The WG can be configured to prioritize traffic (high, medium or low) based on what role a particular user is in or what type of traffic the user is sending (i.e. FTP, HTTP, etc ) Differentiated Services The WG supports Differentiated Services (DiffServ) Code Marking, to mark packets based on what role a particular user is in or what type of traffic the user is sending (i.e. FTP, HTTP, etc ). This allows characterization and marking of traffic at the wireless edge to seamlessly fit into the organization existing Differentiated Services QoS Policy. HP OpenView Integration Bluesocket integrates custom device icons and diagnostic tools within HP OpenView Network Node Manager (NNM) for customers who want to manage their enterprise and WLAN access networks using a single management platform. Bluesocket s integration with HP OpenView provides: auto-discovery of Bluesocket devices custom device icons for Bluesocket Wireless Gateways (WGs) ability to monitor individual WG network links access to the Bluesocket WG administrator interface GUI for device configuration, management, and status ability to manage Bluesocket WGs from a Microsoft Windows 2000 or Sun Solaris workstation VoIP Firewall Support Bluesocket provides for stateful monitoring of TFTP and H323 protocols commonly used in VoIP deployments. Bulk Data File Upload/Download Administrators can export and import local user database files, MAC device authentication database files and fixed IP address authentication files. Importing local user information, fixed IP addresses, or device MAC addresses can simplify and speed up the WG configuration process. Revision: 2.5 Page 17

18 ipass Client Support ipass, Inc. has created a virtual network of thousands of Wi-Fi hotspots deployed in airports, hotels, coffee shops and other public locations. Users who wish to access an ipass hotspot must run ipass client software on their wireless device. The Bluesocket WG is ipass-client aware. ipass clients may attempt to log into any WG. The WG will attempt to authenticate an ipass client against an external RADIUS server that has been configured on the WG with the word ipass in its Name. Enhanced Integration for Cisco Networks The WG provides features for enhanced integration into Cisco AP-based networks including the capability to: support of Cisco 802.1x EAP-FAST (in combination with LEAP, PEAP, TLS, and TTLS) monitor Cisco APs and identify users associated to the APs and the bandwidth they use display the model and firmware revisions on Cisco APs pass Cisco Discovery Protocol through the WG Revision: 2.5 Page 18