
avaya.com

Deploying secure wireless network services

The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Table of Contents

Section 1: Executive summary
Section 2: The challenge
Section 3: WLAN security and the 802.1X standard
Section 4: The solution
Section 5: Security
Section 6: Encrypted wireless tunnel
Section 7: Scalability
Section 8: Consistent access
Section 9: Dynamic network provisioning
Section 10: Conclusion

Section 1: Executive summary

Deploying a secure, authenticated wireless network is a business challenge that has to balance user flexibility with security. The Avaya Identity Engines portfolio of network identity management products controls access and helps ensure the appropriate level of auditability for enterprise wireless LAN (WLAN) deployments.

Wireless technology offers users portability and flexibility and allows organizations to increase productivity while lowering network installation costs. By using these technologies to handle applications in settings as diverse as retail, manufacturing shop floors and first-responder networks, organizations can realize dramatic cost savings.

WLANs are becoming ubiquitous at home, in the local coffee shop and in the enterprise. WLANs offer convenient access to network services but have security risks that must be considered prior to any corporate or institutional deployment. Because wireless signals go through walls and into public spaces, where they are easily intercepted using readily available tools, most organizations no longer deploy open, unencrypted WLANs.

However, unsecured data is but one of the risks. Employees may connect virus-infected laptops or access the network in ways that are inconsistent with company usage policies, and outsiders may use valuable bandwidth.

For certain types of organizations, the wireless security challenge is even more complex. Universities with many types of network access points have conflicting demands for security and open access. Like many other organizations, universities are required to secure personal information in order to keep it private and meet a host of compliance regulations that require access control and reporting.

WHITE PAPER

This paper describes the challenges associated with deploying a secure, authenticated wireless network and shows
how the Avaya Identity Engines portfolio can manage access and help ensure the appropriate level of security for
WLAN deployments.

The portfolio’s unique architecture is built around the Identity Engines Ignition Server, a policy engine, which
connects to corporate directories for identity, data and network systems for access enforcement. The Ignition
Server lets the administrator write a centralized set of identity-based policies that controls access to the entire
network, including WLAN, wired Ethernet, VPN and dialup connections.

Section 2: The challenge


Wireless systems, although convenient, introduce some very real security issues to an organization, some of which
are similar to those of wired networks. The underlying communications medium, the airwave, is open to intruders,
making it the logical equivalent of an Ethernet port in the parking lot. Unauthorized users can gain access to
enterprise systems and information, corrupt the corporate data, consume network bandwidth, degrade network
performance, launch DoS attacks or use corporate network resources to launch attacks on other networks.

The very nature of a wireless network means that access extends beyond the physical boundaries of the office or
building. Anyone equipped with a laptop computer in close proximity to a wireless access point has the potential
to use the enterprise network. Simply applying security settings to each access point is not only cumbersome, but
also ineffective, because employees can deploy rogue access points without the network administrators’ knowledge.

[Figure 1 is an architecture diagram that did not survive extraction. Recoverable labels: management infrastructure (high availability, monitoring and logging); access types feeding the portfolio (wired, wireless, VPN, firewall); the Avaya Identity Engines portfolio itself, made up of a Policy Engine, a Protocol Engine (RADIUS, device profiles, 802.1X, VSAs), a Directory Services Layer (virtualization, routing) and Avaya Guest Manager provisioning; and the identity stores behind it (LDAP, RSA SecurID, database, Active Directory).]

Figure 1. The Avaya Identity Engines architecture


These and other security concerns are forcing network administrators to design a security solution before deploying WLAN networks. Organizations in industries where protecting corporate data is crucial, such as financial services and healthcare, have to balance business needs with secure access to the network. The type and level of security must be applied appropriately, based on the sensitivity of the information transmitted over the network, the cost and the users' needs. Designing for security is not a simple task, as current network technologies offer many alternatives for controlling access.

Section 3: WLAN security and the 802.1X standard


Data encryption protocols for WLAN, such as WPA (Wi-Fi Protected Access) and TKIP (Temporal Key Integrity
Protocol), allow all traffic on the network to be encrypted and are essential to any secure wireless deployment. In
recent years, protocols such as 802.1X and EAP have been deployed to require user authentication before allowing
network access at any level. These protocols offer strong user authentication capabilities and can be deployed
in manageable and cost-effective ways. Deployment has become easier as many popular operating systems and
network equipment manufacturers now include support for 802.1X in their products, allowing port-based access
control technology to be part of any network infrastructure upgrade or new installation.

Widespread deployment of port-based access control on both wired and wireless networks has emerged as the
preferred approach for enforcing network access security and ensuring that users can only use the network in
ways appropriate to their roles and needs. Flexible authorization and provisioning policies that enable network
administrators to configure different access types for employees, contractors and guests are essential if the
organization is to efficiently maintain a secure WLAN network.

In order to incorporate network authorization and provisioning infrastructures, many enterprises are turning to
the 802.1X authentication framework, an IEEE standard for providing port-based access control. This standard is
gaining acceptance because, with the right tools, it is easy to deploy and can scale well as the number of users
and access points increases.

Networks with 802.1X-based authentication require the RADIUS protocol to handle user credential verification,
but most existing RADIUS solutions are inadequate to meet the challenges of the current enterprise environment.
Many products come from the service provider market and lack the essential features needed to deploy enterprise-
class network identity management. Legacy systems cannot flexibly configure network access policies according to
an organization’s rules, nor can they apply these policies consistently across all types of network access.

Many network equipment vendors provide extensions and enhancements beyond basic RADIUS capabilities, but to
deploy these advanced features, network administrators must have a deep understanding of 802.1X, EAP and the
RADIUS protocol.

The Avaya Identity Engines portfolio delivers a network identity management solution that allows network
administrators to address these issues and deploy user authentication simply and cost-effectively as part of their
enterprise WLAN solution.


Section 4: The solution


Avaya offers an end-to-end solution including identity- and policy-based network access control (NAC) as well as
the WLAN infrastructure itself. The Ignition Server provides centralized control over diverse network access points
including wireless, wired, VPN and dialup. It applies policies based on network location, connection security and
access type, dynamically assigning the user to a specific VLAN, setting QoS and assigning ACLs. The Ignition
Server also combines network parameters with user and group information in order to make the appropriate access
control decision.

Though Identity Engines supports WLAN infrastructures from all major vendors, the Avaya WLAN 8100 series
is a leading-edge WLAN solution that enables enterprises to achieve new levels of workforce productivity and
operational efficiency. It offers extensive wireless capacity, performance, and coverage through 802.11n and helps
lower Total Cost of Ownership through a simplified unified wired/wireless network infrastructure. The WLAN 8100
series addresses security in a number of ways:

• Authentication and Encryption: WLAN 8100 series supports today’s strongest security standards (802.11i,
WPA/WPA2, 802.1X, WEP, Proactive Key Caching) helping preserve user privacy and data confidentiality.

• Wireless Intrusion Detection: WLAN 8100 series provides basic and advanced WIDS capabilities, providing RF
surveillance to detect rogue network activity and malicious attacks.

• Secure Network Access: WLAN 8100 series integrates with Avaya’s Identity Engines portfolio helping ensure
network access control is enforced and providing protection from infected clients.

Section 5: Security
The key to deploying a secure WLAN solution is end-to-end security with validation at every step of the process.
End-user devices require an 802.1X-enabled client called a supplicant. When a device attempts to connect to
the network through a wireless access point, the supplicant negotiates a secure communication tunnel with the
authentication server and uses that tunnel to send the user’s credentials to the server. During this process, the
wireless access point is responsible for forwarding packets between the supplicant and the authentication server.

The authentication server performs the necessary authentication, including user credential verification, and sends
a message to the wireless access point to permit or deny access. The access point complies with the request and
generates a RADIUS accounting message describing the event. A record of the user’s access request is stored in
the logging system in order to provide auditing and report generation capabilities.

As a further level of protection, all wireless access points must be configured to submit authentication requests to
the Avaya Identity Engines Ignition Server. Likewise, the Ignition Server only responds to requests from wireless
access points it knows. Having one system handle authentication and authorization for the entire network provides
a unified, real-time view of who is using the network.


Section 6: Encrypted wireless tunnel


If the authentication and authorization policy decisions indicate the user is permitted to access the network, the
Identity Engines Ignition Server generates an encryption key and sends the key to the wireless access point. This
key establishes a secure, encrypted session between the user’s client machine and the access point.
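Sections 5 and 6 describe two checks that happen on the path between the access point and the authentication server: the access point only trusts replies from the server it knows, and the session key travels to the access point inside a RADIUS Access-Accept. The Python below is an added illustration written for this page, not code from Avaya or from the Ignition Server. It models the standard RADIUS mechanisms behind both steps: the Response Authenticator of RFC 2865 (an MD5 over the packet and the shared secret, which lets the AP reject replies from anyone who does not hold the secret) and the RFC 2548 MS-MPPE-Recv-Key/Send-Key wrapping that hides the key under the same secret. The shared secret, request authenticator, identifier and key bytes are all constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for this example. The real shared secret is configured on
# the access point and on the RADIUS server and never crosses the wire.
SHARED_SECRET = b"example-shared-secret"

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311        # RFC 2548 vendor id
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def mppe_wrap_key(key, secret, request_auth, salt):
    """RFC 2548 section 2.4: hide a session key under the shared secret."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # pad to a multiple of 16 octets
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()     # b1 = MD5(S+R+A), bn = MD5(S+c(n-1))
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        prev = c
    return salt + out


def mppe_unwrap_key(blob, secret, request_auth):
    """Inverse of mppe_wrap_key, run on the access point."""
    salt, cipher = blob[:2], blob[2:]
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        c = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return plain[1:1 + plain[0]]


def build_access_accept(ident, request_auth, pmk, secret,
                        salt_recv=b"\x80\x01", salt_send=b"\x80\x02"):
    """Server side: an Access-Accept carrying the session key for the AP (Section 6)."""
    attrs = vsa(VENDOR_MICROSOFT, MS_MPPE_RECV_KEY,
                mppe_wrap_key(pmk, secret, request_auth, salt_recv))
    attrs += vsa(VENDOR_MICROSOFT, MS_MPPE_SEND_KEY,
                 mppe_wrap_key(pmk, secret, request_auth, salt_send))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def ap_handle_accept(packet, request_auth, secret):
    """AP side: verify the reply came from the known server, then recover the key.

    Returns the Recv-Key bytes, or None when the packet must be dropped.
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                                  # wrong secret or tampered: ignore
    pos = 0
    while pos + 2 <= len(attrs):                     # walk the TLV attribute list
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None
        value = attrs[pos + 2:pos + a_len]
        if a_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == VENDOR_MICROSOFT and value[4] == MS_MPPE_RECV_KEY:
                return mppe_unwrap_key(value[6:6 + value[5] - 2], secret, request_auth)
        pos += a_len
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))                      # constructed Request Authenticator
    pmk = bytes(range(32))                           # constructed 256-bit session key
    pkt = build_access_accept(9, req_auth, pmk, SHARED_SECRET)
    print("key recovered:", ap_handle_accept(pkt, req_auth, SHARED_SECRET) == pmk)
    print("wrong secret :", ap_handle_accept(pkt, req_auth, b"other") is None)
```

The defensive point is the order of operations in `ap_handle_accept`: the Response Authenticator is checked before any attribute is parsed, so a reply from a server that does not hold the access point's secret never reaches the key-unwrapping step. MD5 here is mandated by the RADIUS RFCs rather than chosen; the protection it gives rests entirely on keeping the shared secret long, unique per authenticator and off the wire.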

Section 7: Scalability
As wireless network usage grows, more wireless access points may be added to the network. Because policy
decisions are made by the Avaya Identity Engines Ignition Server for all access points, the network administrator
can easily deploy additional access points, knowing policy decisions will be made consistently across the
enterprise.

Configuring user access policies individually on each access point can lead to poor scalability and cause security
vulnerabilities when users need to be de-provisioned from the network. With the Ignition Server, access policies are
set centrally, helping ensure the network remains secure as it grows.

Section 8: Consistent access


Deploying port-based access control using 802.1X allows users to obtain consistent network access since access is
dependent on a user’s identity and not on location, port or some other proxy of user identity. For example, when a
user accesses the network from an access point in a conference room, she would be able to have the same level of
network access as she would receive at her desk.

Section 9: Dynamic network provisioning


The Identity Engines Ignition Server makes it easy to grant users network access, and provision different types
of users to different VLANs based on users’ records in back-end directory stores and on information about
authenticators and transactions. The screenshot in Figure 2 shows a typical configuration where users are assigned
to a specific VLAN based on their group membership.
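The policy described in Section 9 (and the consistent, location-independent access of Section 8 and the central de-provisioning of Section 7) can be modelled as an ordered rule set evaluated once, centrally, for every authenticator. The Python below is an added example written for this page and is not Avaya code; it does not reproduce the Ignition Server's policy language. The directory records, authenticator inventory, group names and VLAN numbers are all constructed. The attributes it returns on success are the standard ones for dynamic VLAN assignment (RFC 3580: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = the VLAN), which the access point applies to the user's session.

```python
# Constructed directory records; a real policy engine reads these from
# LDAP / Active Directory and its own authenticator table.
DIRECTORY = {
    "alice":  {"groups": ["Employees", "Finance"], "enabled": True},
    "bob":    {"groups": ["Contractors"],          "enabled": True},
    "carol":  {"groups": ["Employees"],            "enabled": False},  # de-provisioned
    "guest1": {"groups": ["Guests"],               "enabled": True},
}

# Constructed inventory of known authenticators, keyed by NAS IP address.
AUTHENTICATORS = {
    "10.0.1.10": {"name": "ap-floor2-conf", "type": "wireless", "site": "HQ"},
    "10.0.1.11": {"name": "ap-floor2-desk", "type": "wireless", "site": "HQ"},
    "10.0.9.1":  {"name": "vpn-gw",         "type": "vpn",      "site": "HQ"},
}

# RFC 3580 values for VLAN assignment via RADIUS tunnel attributes.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Ordered policy: the first matching rule wins; no match means Access-Reject.
# Rules key on group membership plus the access type of the authenticator,
# never on which individual access point the user happens to be near.
POLICY = [
    {"name": "finance-wlan",   "group": "Finance",     "access": {"wireless"},               "vlan": 20},
    {"name": "employee-any",   "group": "Employees",   "access": {"wireless", "wired", "vpn"}, "vlan": 10},
    {"name": "contractor-vpn", "group": "Contractors", "access": {"vpn"},                    "vlan": 30},
    {"name": "guest-wlan",     "group": "Guests",      "access": {"wireless"},               "vlan": 99},
]


def vlan_attributes(vlan_id):
    """RADIUS attributes that place the session into the given VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(username, nas_ip, credential_ok):
    """Central access decision for one request.

    Returns (decision, attributes, reason):
      ("Drop", None, ...)            request from an unknown authenticator, ignored
      ("Access-Reject", None, ...)   authentication failed or no policy matched
      ("Access-Accept", attrs, rule) accepted, with the VLAN attributes to apply
    """
    nas = AUTHENTICATORS.get(nas_ip)
    if nas is None:
        return ("Drop", None, "unknown authenticator")
    user = DIRECTORY.get(username)
    # Disabled accounts are rejected everywhere at once, which is the
    # de-provisioning property of a central policy point.
    if user is None or not user["enabled"] or not credential_ok:
        return ("Access-Reject", None, "authentication failed")
    for rule in POLICY:
        if rule["group"] in user["groups"] and nas["type"] in rule["access"]:
            return ("Access-Accept", vlan_attributes(rule["vlan"]), rule["name"])
    return ("Access-Reject", None, "no policy matched")


if __name__ == "__main__":
    for user, nas in [("alice", "10.0.1.10"), ("alice", "10.0.1.11"),
                      ("alice", "10.0.9.1"), ("bob", "10.0.1.10"),
                      ("carol", "10.0.1.11"), ("guest1", "10.0.1.10")]:
        print(user, nas, authorize(user, nas, True))
```

Because the decision depends on the directory record and the authenticator's type rather than its identity, `alice` receives the same Finance VLAN from the conference-room access point as from the one at her desk, while the same account arriving over VPN falls through to the general employee rule. Disabling `carol` in the directory takes effect at every access point on her next authentication, with nothing to change on the access points themselves.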

Figure 2. Setting provisioning policies in the Avaya Identity Engines Ignition Server

Section 10: Conclusion

As enterprises continue to deploy wireless networking for increasing portions of their network infrastructure, network administrators must address the security issues that accompany this technology. With the emergence of 802.1X, most network equipment now offers the basic tools to address network access control needs. Without an enterprise-wide strategy and tools to manage these controls, security administration becomes expensive, time-consuming, and potentially unreliable. The Avaya Identity Engines portfolio addresses this problem by offering a solution that lets organizations harness the 802.1X controls built into their network equipment to provide scalable, cost-effective user authentication.

To learn more about the Avaya Identity Engines solution, contact your Avaya Account Manager or Avaya Authorized
Partner. Or, visit us online at avaya.com.

About Avaya
Avaya is a global leader in enterprise communications systems. The company
provides unified communications, contact centers, and related services directly
and through its channel partners to leading businesses and organizations
around the world. Enterprises of all sizes depend on Avaya for state-of-the-art
communications that improve efficiency, collaboration, customer service and
competitiveness. For more information please visit www.avaya.com.

© 2010 Avaya Inc. All Rights Reserved.


Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries.
All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc.
All other trademarks are the property of their respective owners. Avaya may also have trademark rights in other terms used herein.
References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, 2009.
06/10 • DN5244
