Deploying secure wireless network services
The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.




WHITE PAPER

Table of Contents
Section 1: Executive summary
Section 2: The challenge
Section 3: WLAN security and the 802.1X standard
Section 4: The solution
Section 5: Security
Section 6: Encrypted wireless tunnel
Section 7: Scalability
Section 8: Consistent access
Section 9: Dynamic network provisioning
Section 10: Conclusion

Section 1: Executive summary

Deploying a secure, authenticated wireless network is a business challenge that has to balance user flexibility with security. The Avaya Identity Engines portfolio of network identity management products controls access and helps ensure the appropriate level of auditability for enterprise wireless LAN (WLAN) deployments.

Wireless technology offers users portability and flexibility and allows organizations to increase productivity while lowering network installation costs. By using these technologies to handle applications in settings as diverse as retail, manufacturing shop floors and first-responder networks, organizations can realize dramatic cost savings. WLANs are becoming ubiquitous at home, in the local coffee shop and in the enterprise.

WLANs offer convenient access to network services but have security risks that must be considered prior to any corporate or institutional deployment. Because wireless signals go through walls and into public spaces, where they are easily intercepted using readily available tools, most organizations no longer deploy open, unencrypted WLANs. However, unsecured data is but one of the risks. Employees may connect virus-infected laptops or access the network in ways that are inconsistent with company usage policies, and outsiders may use valuable bandwidth.

For certain types of organizations, the wireless security challenge is even more complex. Universities with many types of network access points have conflicting demands for security and open access. Like many other organizations, universities are required to secure personal information in order to keep it private and meet a host of compliance regulations that require access control and reporting.

avaya.com

This paper describes the challenges associated with deploying a secure, authenticated wireless network and shows how the Avaya Identity Engines portfolio can manage access and help ensure the appropriate level of security for WLAN deployments. The portfolio's unique architecture is built around the Identity Engines Ignition Server, a policy engine, which connects to corporate directories for identity data and to network systems for access enforcement. The Ignition Server lets the administrator write a centralized set of identity-based policies that controls access to the entire network, including WLAN, wired Ethernet, VPN and dialup connections.

Section 2: The challenge

Wireless systems, although convenient, introduce some very real security issues to an organization, some of which are similar to those of wired networks. The underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot. Unauthorized users can gain access to enterprise systems and information, corrupt corporate data, consume network bandwidth, degrade network performance, launch DoS attacks or use corporate network resources to launch attacks on other networks. The very nature of a wireless network means that access extends beyond the physical boundaries of the office or building. Anyone equipped with a laptop computer in close proximity to a wireless access point has the potential to use the enterprise network. Simply applying security settings to each access point is not only cumbersome, but also ineffective, because employees can deploy rogue access points without the network administrator's knowledge.
Figure 1. The Avaya Identity Engines architecture (diagram labels: Management infrastructure; High availability; Monitoring and logging; Wired, Wireless, VPN and Firewall access points; Directory Services Layer; Policy Engine; Protocol Engine with RADIUS, 802.1X, VSAs and Device profiles; Avaya Guest Manager for Provisioning; Virtualization; Routing; Identity Stores: LDAP, RSA SecurID, Database Engine, Active Directory)

These and other security concerns are forcing network administrators to design a security solution before deploying WLAN networks. Organizations in industries where protecting corporate data is crucial, such as financial services and healthcare, have to balance business needs with secure access to the network. The type and level of security must be applied appropriately, based on the sensitivity of the information transmitted over the network, the cost and the users' needs. Designing for security is not a simple task, as current network technologies offer many alternatives to control access.

Section 3: WLAN security and the 802.1X standard

Data encryption protocols for WLAN, such as WPA (Wi-Fi Protected Access) and TKIP (Temporal Key Integrity Protocol), allow all traffic on the network to be encrypted and are essential to any secure wireless deployment. In recent years, protocols such as 802.1X and EAP have been deployed to require user authentication before allowing network access at any level. These protocols offer strong user authentication capabilities and can be deployed in manageable and cost-effective ways. Deployment has become easier as many popular operating systems and network equipment manufacturers now include support for 802.1X in their products, allowing port-based access control technology to be part of any network infrastructure upgrade or new installation.

Widespread deployment of port-based access control on both wired and wireless networks has emerged as the preferred approach for enforcing network access security and ensuring that users can only use the network in ways appropriate to their roles and needs. Flexible authorization and provisioning policies that enable network administrators to configure different access types for employees, contractors and guests are essential if the organization is to efficiently maintain a secure WLAN network.

In order to incorporate network authorization and provisioning infrastructures, many enterprises are turning to the 802.1X authentication framework, an IEEE standard for providing port-based access control. This standard is gaining acceptance because, with the right tools, it is easy to deploy and can scale well as the number of users and access points increases. Networks with 802.1X-based authentication require the RADIUS protocol to handle user credential verification, but most existing RADIUS solutions are inadequate to meet the challenges of the current enterprise environment. Many products come from the service provider market and lack the essential features needed to deploy enterprise-class network identity management. Legacy systems cannot flexibly configure network access policies according to an organization's rules, nor can they apply these policies consistently across all types of network access. Many network equipment vendors provide extensions and enhancements beyond basic RADIUS capabilities, but to deploy these advanced features, network administrators must have a deep understanding of 802.1X, EAP and the RADIUS protocol. The Avaya Identity Engines portfolio delivers a network identity management solution that allows network administrators to address these issues and deploy user authentication simply and cost-effectively as part of their enterprise WLAN solution.

Section 4: The solution

Avaya offers an end-to-end solution including identity- and policy-based network access control (NAC) as well as the WLAN infrastructure itself. The Ignition Server provides centralized control over diverse network access points including wireless, wired, VPN and dialup. It applies policies based on network location, connection security and access type, dynamically assigning the user to a specific VLAN, setting QoS and assigning ACLs. The Ignition Server also combines network parameters with user and group information in order to make the appropriate access control decision.

Though Identity Engines supports WLAN infrastructures from all major vendors, the Avaya WLAN 8100 series is a leading-edge WLAN solution that enables enterprises to achieve new levels of workforce productivity and operational efficiency. It offers extensive wireless capacity, performance and coverage through 802.11n and helps lower Total Cost of Ownership through a simplified unified wired/wireless network infrastructure. The WLAN 8100 series addresses security in a number of ways:

Authentication and Encryption: WLAN 8100 series supports today's strongest security standards (802.11i, WPA/WPA2, 802.1X, WEP, Proactive Key Caching), helping preserve user privacy and data confidentiality.
Wireless Intrusion Detection: WLAN 8100 series provides basic and advanced WIDS capabilities, providing RF surveillance to detect rogue network activity and malicious attacks.
Secure Network Access: WLAN 8100 series integrates with Avaya's Identity Engines portfolio, helping ensure network access control is enforced and providing protection from infected clients.

Section 5: Security

The key to deploying a secure WLAN solution is end-to-end security with validation at every step of the process. End-user devices require an 802.1X-enabled client called a supplicant. When a device attempts to connect to the network through a wireless access point, the supplicant negotiates a secure communication tunnel with the authentication server and uses that tunnel to send the user's credentials to the server. During this process, the wireless access point is responsible for forwarding packets between the supplicant and the authentication server. The authentication server performs the necessary authentication, including user credential verification, and sends a message to the wireless access point to permit or deny access. The access point complies with the request and generates a RADIUS accounting message describing the event. A record of the user's access request is stored in the logging system in order to provide auditing and report generation capabilities.

As a further level of protection, all wireless access points must be configured to submit authentication requests to the Avaya Identity Engines Ignition Server. Likewise, the Ignition Server only responds to requests from wireless access points it knows. Having one system handle authentication and authorization for the entire network provides a unified, real-time view of who is using the network.

Section 6: Encrypted wireless tunnel

If the authentication and authorization policy decisions indicate the user is permitted to access the network, the Identity Engines Ignition Server generates an encryption key and sends the key to the wireless access point. This key establishes a secure, encrypted session between the user's client machine and the access point.

Section 7: Scalability

As wireless network usage grows, more wireless access points may be added to the network. Because policy decisions are made by the Avaya Identity Engines Ignition Server for all access points, the network administrator can easily deploy additional access points, knowing policy decisions will be made consistently across the enterprise. Configuring user access policies individually on each access point can lead to poor scalability and cause security vulnerabilities when users need to be de-provisioned from the network. With the Ignition Server, access policies are set centrally, helping ensure the network remains secure as it grows.

Section 8: Consistent access

Deploying port-based access control using 802.1X allows users to obtain consistent network access, since access depends on a user's identity and not on location, port or some other proxy of user identity. For example, when a user accesses the network from an access point in a conference room, she would have the same level of network access as she would receive at her desk.

Section 9: Dynamic network provisioning

The Identity Engines Ignition Server makes it easy to grant users network access and to provision different types of users to different VLANs based on users' records in back-end directory stores and on information about authenticators and transactions. The screenshot in Figure 2 shows a typical configuration where users are assigned to a specific VLAN based on their group membership.
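The exchange described in Section 5 (the access point forwards the request, the server verifies credentials, answers only authenticators it knows, permits or denies, and an audit record is kept) and the group-to-VLAN provisioning of Section 9, as an added example that is not Avaya's code and not part of the original paper. It is a toy RADIUS policy engine in Python using the RFC 2865 packet format and the RFC 2868 Tunnel attributes that carry a VLAN assignment to an access point. The known-NAS table and shared secrets, the identity store with PBKDF2 password hashes (standing in for LDAP or Active Directory), the group-to-VLAN map and all function names are constructed assumptions; the EAP tunnel is not modelled, so the credential is passed in directly to represent what would arrive through it.

```python
# Added example (not Avaya's code): a toy RADIUS policy engine modelling the
# Section 5 exchange (known-NAS check, credential verification, Access-Accept/
# Reject with a verifiable Response Authenticator, audit record) and the
# Section 9 group-to-VLAN provisioning.  All data below is constructed.
import hashlib
import hmac
import os
import struct

# Known authenticators (access points) and their per-NAS shared secrets (constructed).
# Requests from any other source are silently discarded, as RFC 2865 requires.
KNOWN_NAS = {"10.0.0.10": b"ap-conf-room-secret", "10.0.0.11": b"ap-floor2-secret"}


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Identity store standing in for LDAP / Active Directory: user -> (group, salt, hash).
_SALT = b"constructed-salt"
IDENTITY_STORE = {
    "alice": ("staff", _SALT, _pbkdf2("alice-pass", _SALT)),
    "bob": ("contractor", _SALT, _pbkdf2("bob-pass", _SALT)),
}

# Provisioning policy of the kind Figure 2 shows: group membership -> VLAN (constructed).
GROUP_VLAN = {"staff": 100, "contractor": 200}

# RADIUS codes and attribute numbers from RFC 2865 / RFC 2868.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS = 1, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(user, nas_ip, authenticator=None):
    """What the access point forwards on the supplicant's behalf.  The credential
    itself travels inside the EAP tunnel, which this toy does not model."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + authenticator + body


def _response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response_authenticator(response, request_auth, secret):
    """Access-point side: was this reply produced by a server holding our secret?"""
    head, got, body = response[:4], response[4:20], response[20:]
    want = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(got, want)


def handle_access_request(raw, src_ip, presented_password):
    """Policy-engine side.  Returns (response_bytes or None, audit_record); the
    audit record is what the logging system keeps for auditing and reporting."""
    secret = KNOWN_NAS.get(src_ip)
    if secret is None:
        return None, {"nas": src_ip, "decision": "dropped-unknown-nas"}
    if len(raw) < 20:
        return None, {"nas": src_ip, "decision": "dropped-malformed"}
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code != ACCESS_REQUEST or length != len(raw):
        return None, {"nas": src_ip, "decision": "dropped-malformed"}
    request_auth, attrs = raw[4:20], dict(decode_attrs(raw[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    record = IDENTITY_STORE.get(user)
    audit = {"nas": src_ip, "user": user, "decision": "reject", "vlan": None}
    if record and hmac.compare_digest(_pbkdf2(presented_password, record[1]), record[2]):
        vlan = GROUP_VLAN[record[0]]
        audit.update(decision="accept", vlan=vlan)
        tag = b"\x00"  # untagged Tunnel-* attributes (RFC 2868)
        reply = [(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                 (TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
                 (TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode())]
        return _response(ACCESS_ACCEPT, ident, request_auth, reply, secret), audit
    return _response(ACCESS_REJECT, ident, request_auth, [], secret), audit


if __name__ == "__main__":
    req_auth = os.urandom(16)
    req = build_access_request("alice", "10.0.0.10", req_auth)
    resp, audit = handle_access_request(req, "10.0.0.10", "alice-pass")
    print(audit, verify_response_authenticator(resp, req_auth, KNOWN_NAS["10.0.0.10"]))
```

Three points of the design map onto the paper's text. Dropping, rather than rejecting, a request from an address not in KNOWN_NAS is the RFC 2865 behaviour behind "only responds to requests from wireless access points it knows", and it means an unknown device learns nothing about which users exist. The Response Authenticator is what lets the access point check that a permit or deny came from a server holding its shared secret, so the per-NAS secret must be unique and long. The Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes in the Access-Accept are the standard way to tell the access point which VLAN to place the session in, which is what Figure 2's group-to-VLAN rules produce. The key delivery of Section 6 is not modelled here; in real deployments it rides in the same Access-Accept as vendor-specific MS-MPPE key attributes.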

Section 10: Conclusion

As enterprises continue to deploy wireless networking for increasing portions of their network infrastructure, network administrators must address the security issues that accompany this technology. With the emergence of 802.1X, most network equipment now offers the basic tools to address network access control needs. Without an enterprise-wide strategy and tools to manage these controls, security administration becomes expensive, time-consuming and potentially unreliable. The Avaya Identity Engines portfolio addresses this problem by offering a solution that lets organizations harness the 802.1X controls built into their network equipment to provide scalable, cost-effective user authentication.

Figure 2. Setting provisioning policies in the Avaya Identity Engines Ignition Server

To learn more about the Avaya Identity Engines solution, contact your Avaya Account Manager or Avaya Authorized Partner. Or, visit us online at avaya.com.

About Avaya

Avaya is a global provider of business collaboration and communications solutions, providing unified communications, contact centers, data solutions and related services to companies of all sizes around the world. For more information please visit www.avaya.com.

2011 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, ™ or SM are registered marks, trademarks and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. Avaya may also have trademark rights in other terms used herein. References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, 2009.
06/11 DN5244-01 avaya.com