Section 5: Security
Section 6: Encrypted wireless tunnel
Section 7: Scalability
Section 8: Consistent access
Section 9: Dynamic network provisioning
Section 10: Conclusion
Wireless technology offers users portability and flexibility and allows organizations to increase productivity
while lowering network installation costs. By using these technologies to handle applications in settings as diverse
as retail, manufacturing shop floors and first-responder networks, organizations can realize dramatic cost savings.
WLANs are becoming ubiquitous at home, in the local coffee shop and in the enterprise. WLANs offer convenient
access to network services but have security risks that must be considered prior to any corporate or institutional
deployment.
Because wireless signals go through walls and into public spaces, where they are easily intercepted using readily
available tools, most organizations no longer deploy open, unencrypted WLANs.
However, unsecured data is but one of the risks. Employees may connect
virus-infected laptops or access the network in ways that are inconsistent with
company usage policies, and outsiders may use valuable bandwidth.
For certain types of organizations, the wireless security challenge is even more
complex. Universities with many types of network access points have conflicting
demands for security and open access. Like many other organizations,
universities are required to secure personal information in order to keep it
private and meet a host of compliance regulations that require access control
and reporting.
WHITE PAPER
avaya.com
This paper describes the challenges associated with deploying a secure, authenticated wireless network and shows
how the Avaya Identity Engines portfolio can manage access and help ensure the appropriate level of security for
WLAN deployments.
The portfolio’s unique architecture is built around the Identity Engines Ignition Server, a policy engine, which
connects to corporate directories for identity data and to network systems for access enforcement. The Ignition
Server lets the administrator write a centralized set of identity-based policies that controls access to the entire
network, including WLAN, wired Ethernet, VPN and dialup connections.
The very nature of a wireless network means that access extends beyond the physical boundaries of the office or
building. Anyone equipped with a laptop computer in close proximity to a wireless access point has the potential
to use the enterprise network. Simply applying security settings to each access point is not only cumbersome, but
also ineffective, because employees can deploy rogue access points without the network administrators’ knowledge.
Figure (architecture diagram): the Avaya Identity Engines portfolio. Access types (wired, wireless, VPN, firewall)
connect through the Ignition Server policy engine (protocol engine: RADIUS, 802.1X, device profiles, VSAs; policy
engine; virtualization and routing layer) to identity stores (LDAP, Active Directory, RSA SecurID, database), with
a management infrastructure providing high availability, monitoring and logging, and Guest Manager provisioning.
These and other security concerns are forcing network administrators to design a security solution before deploying
WLAN networks. Organizations in industries where protection of corporate data is crucial, such as financial services
and healthcare, have to balance business needs with secure access to the network. The type and level of security
must be appropriately applied, based on the sensitivity of the information transmitted over the network, the cost
and the users’ needs. Designing for security is not a simple task, as current network technologies offer many
alternatives to control access.
Widespread deployment of port-based access control on both wired and wireless networks has emerged as the
preferred approach for enforcing network access security and ensuring that users can only use the network in
ways appropriate to their roles and needs. Flexible authorization and provisioning policies that enable network
administrators to configure different access types for employees, contractors and guests are essential if the
organization is to efficiently maintain a secure WLAN network.
In order to incorporate network authorization and provisioning infrastructures, many enterprises are turning to
the 802.1X authentication framework, an IEEE standard for providing port-based access control. This standard is
gaining acceptance because, with the right tools, it is easy to deploy and can scale well as the number of users
and access points increases.
Networks with 802.1X-based authentication require the RADIUS protocol to handle user credential verification,
but most existing RADIUS solutions are inadequate to meet the challenges of the current enterprise environment.
Many products come from the service provider market and lack the essential features needed to deploy
enterprise-class network identity management. Legacy systems cannot flexibly configure network access policies
according to an organization’s rules, nor can they apply these policies consistently across all types of network access.
Many network equipment vendors provide extensions and enhancements beyond basic RADIUS capabilities, but to
deploy these advanced features, network administrators must have a deep understanding of 802.1X, EAP and the
RADIUS protocol.
The Avaya Identity Engines portfolio delivers a network identity management solution that allows network
administrators to address these issues and deploy user authentication simply and cost-effectively as part of their
enterprise WLAN solution.
Though Identity Engines supports WLAN infrastructures from all major vendors, the Avaya WLAN 8100 series
is a leading-edge WLAN solution that enables enterprises to achieve new levels of workforce productivity and
operational efficiency. It offers extensive wireless capacity, performance, and coverage through 802.11n and helps
lower Total Cost of Ownership through a simplified unified wired/wireless network infrastructure. The WLAN 8100
series addresses security in a number of ways:
• Authentication and Encryption: WLAN 8100 series supports today’s strongest security standards (802.11i,
WPA/WPA2, 802.1X, WEP, Proactive Key Caching), helping preserve user privacy and data confidentiality.
• Wireless Intrusion Detection: WLAN 8100 series provides basic and advanced WIDS capabilities, providing RF
surveillance to detect rogue network activity and malicious attacks.
• Secure Network Access: WLAN 8100 series integrates with Avaya’s Identity Engines portfolio helping ensure
network access control is enforced and providing protection from infected clients.
Section 5: Security
The key to deploying a secure WLAN solution is end-to-end security with validation at every step of the process.
End-user devices require an 802.1X-enabled client called a supplicant. When a device attempts to connect to
the network through a wireless access point, the supplicant negotiates a secure communication tunnel with the
authentication server and uses that tunnel to send the user’s credentials to the server. During this process, the
wireless access point is responsible for forwarding packets between the supplicant and the authentication server.
The authentication server performs the necessary authentication, including user credential verification, and sends
a message to the wireless access point to permit or deny access. The access point complies with the request and
generates a RADIUS accounting message describing the event. A record of the user’s access request is stored in
the logging system in order to provide auditing and report generation capabilities.
As a further level of protection, all wireless access points must be configured to submit authentication requests to
the Avaya Identity Engines Ignition Server. Likewise, the Ignition Server only responds to requests from wireless
access points it knows. Having one system handle authentication and authorization for the entire network provides
a unified, real-time view of who is using the network.
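The flow just described (supplicant, access point as forwarder, authentication server as decision maker, accounting record for audit) and the rule that the server answers only access points it knows can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not Avaya code and not the Ignition Server’s implementation: EAP, the TLS tunnel and the RADIUS packet format are abstracted away, the credential blob is opaque to the access point, the RADIUS shared secret is modelled as an HMAC-SHA256 over the forwarded payload, and all access point names, secrets and user accounts are constructed values.

```python
"""
Constructed model of the 802.1X / RADIUS flow in Section 5 (not Avaya code).
EAP, the TLS tunnel and the RADIUS wire format are abstracted: the credential
blob is opaque to the access point, and the shared secret between access point
and server is modelled as an HMAC-SHA256 over the forwarded payload.
"""
import hashlib
import hmac
import json
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Identity store keeps a salted PBKDF2 hash, never the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def supplicant(identity: str, password: str) -> tuple[str, bytes]:
    """Supplicant side: an outer identity plus a credential blob that, in a real
    EAP-PEAP/EAP-TTLS exchange, travels inside a TLS tunnel to the server."""
    blob = json.dumps({"user": identity, "password": password}).encode()
    return identity, blob


class AuthenticationServer:
    """Policy engine: verifies credentials, answers only access points it knows,
    and records every decision (including discarded requests) for auditing."""

    def __init__(self, known_nas: dict[str, bytes], users: dict[str, str]):
        self.known_nas = known_nas          # access point id -> shared secret (constructed)
        self.users = {}                     # identity -> (salt, pbkdf2 hash)
        for name, pw in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, _hash_password(pw, salt))
        self.audit_log: list[dict] = []

    def _authentic(self, nas_id: str, payload: bytes, authenticator: bytes) -> bool:
        secret = self.known_nas.get(nas_id)
        if secret is None:
            # Unknown access point: send nothing back, but leave a trace for detection.
            self.audit_log.append({"event": "dropped", "nas": nas_id, "reason": "unknown NAS"})
            return False
        expected = hmac.new(secret, payload, "sha256").digest()
        if not hmac.compare_digest(expected, authenticator):
            self.audit_log.append({"event": "dropped", "nas": nas_id, "reason": "bad authenticator"})
            return False
        return True

    def access_request(self, nas_id: str, identity: str, blob: bytes, authenticator: bytes):
        """Returns 'Access-Accept', 'Access-Reject', or None when the request is discarded."""
        if not self._authentic(nas_id, blob, authenticator):
            return None
        creds = json.loads(blob)
        rec = self.users.get(creds["user"])
        ok = rec is not None and hmac.compare_digest(_hash_password(creds["password"], rec[0]), rec[1])
        decision = "Access-Accept" if ok else "Access-Reject"
        self.audit_log.append({"event": "auth", "nas": nas_id, "user": identity, "decision": decision})
        return decision

    def accounting_request(self, nas_id: str, record: bytes, authenticator: bytes) -> None:
        # Accounting is accepted from known access points only, like authentication.
        if self._authentic(nas_id, record, authenticator):
            self.audit_log.append({"event": "acct", "nas": nas_id, **json.loads(record)})


class AccessPoint:
    """Authenticator: forwards the opaque blob, opens the port only on Accept,
    then reports the session start in an accounting message."""

    def __init__(self, nas_id: str, secret: bytes, server: AuthenticationServer):
        self.nas_id, self.secret, self.server = nas_id, secret, server

    def _sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, "sha256").digest()

    def connect(self, identity: str, blob: bytes) -> bool:
        decision = self.server.access_request(self.nas_id, identity, blob, self._sign(blob))
        if decision != "Access-Accept":
            return False                    # no answer or Reject: the port stays closed
        record = json.dumps({"user": identity, "status": "Start"}).encode()
        self.server.accounting_request(self.nas_id, record, self._sign(record))
        return True


def run_scenario():
    """Constructed scenario: one registered access point, one unregistered one, four attempts."""
    server = AuthenticationServer(
        known_nas={"ap-lobby": b"constructed-shared-secret-1"},
        users={"alice": "correct horse battery staple"},
    )
    ap = AccessPoint("ap-lobby", b"constructed-shared-secret-1", server)
    unregistered = AccessPoint("ap-unregistered", b"some-other-secret", server)
    results = {
        "alice_ok": ap.connect(*supplicant("alice", "correct horse battery staple")),
        "alice_bad_pw": ap.connect(*supplicant("alice", "wrong")),
        "unknown_user": ap.connect(*supplicant("mallory", "whatever")),
        "via_unregistered_ap": unregistered.connect(*supplicant("alice", "correct horse battery staple")),
    }
    return results, server.audit_log


if __name__ == "__main__":
    res, log = run_scenario()
    print(res)
    for entry in log:
        print(entry)
```

Running the scenario produces one Accept with its accounting record, two Rejects, and one discarded request from the unregistered access point. The last case is the point of the “known access points” rule: the server gives the unregistered device no answer at all, yet still writes a log entry, which is what a monitoring system would alert on when a rogue access point appears.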
Section 7: Scalability
As wireless network usage grows, more wireless access points may be added to the network. Because policy
decisions are made by the Avaya Identity Engines Ignition Server for all access points, the network administrator
can easily deploy additional access points, knowing policy decisions will be made consistently across the
enterprise.
Configuring user access policies individually on each access point can lead to poor scalability and cause security
vulnerabilities when users need to be de-provisioned from the network. With the Ignition Server, access policies are
set centrally, helping ensure the network remains secure as it grows.
Section 10: Conclusion
As enterprises continue to deploy wireless networking for increasing portions of their network infrastructure,
network administrators must address the security issues that accompany this technology. With the emergence of
802.1X, most network equipment now offers the basic tools to address network access control needs. Without
an enterprise-wide strategy and tools to manage these controls, security administration becomes expensive,
time-consuming, and potentially unreliable. The Avaya Identity Engines portfolio addresses this problem by offering a
solution that lets organizations harness the 802.1X controls built into their network equipment to provide scalable,
cost-effective user authentication.
Figure 2. Setting provisioning policies in the Avaya Identity Engines Ignition Server
To learn more about the Avaya Identity Engines solution, contact your Avaya Account Manager or Avaya Authorized
Partner. Or, visit us online at avaya.com.
About Avaya
Avaya is a global leader in enterprise communications systems. The company
provides unified communications, contact centers, and related services directly
and through its channel partners to leading businesses and organizations
around the world. Enterprises of all sizes depend on Avaya for state-of-the-art
communications that improve efficiency, collaboration, customer service and
competitiveness. For more information please visit www.avaya.com.