Wireless Unlike traditional wired networks, wireless networks, all data transmission, to avoid interference in the air, network management, security, borders and access way compared to a wired network environment is more difficult to control, which is the financial enterprise IT management brought new challenges, how controllable protect corporate strategy to promote new business and security risks to strike a balance between the two areas? IT managers exploring WLAN access technology faces the following challenges:

1, how to make wireless networks as secure as wired networks and controllable management visualization?

2, how to improve the internal and external user experience?

3, WLAN products and solutions dazzled, we can be like wired networks to deploying our WLAN access network?

4, after the deployment of WLAN, whether it can achieve the expected return on investment? WLAN access networks, will fall into the situation looks beautiful?

 

        A branch / office WLAN access network architecture using a wireless controller AC -AP access centralized networking mode. AC in the primary branches / company; primary branches / companies, two branches / branched companies, network deployment between AP, AP, AC through CAPWAP (Controlling and Provisioning of Wireless Access Point Wireless Access Point control and supply) tunnel communication, used between the terminal and the AC AES128-bit encryption algorithm to ensure the secure transmission of data, authentication server, centralized management platform unified deployment level branches / company access to the whole network terminal unified certification, AC, AP and centralized monitoring configuration and monitoring.

 

 Security Design

1.1 SSID Hiding

Way to reduce the use of hidden SSID SSID broadcasting potential safety risks;

1.2 user equipment identification legitimacy

1) identity compliance checks

That the use of 802.1X user authentication is required when accessing the user can use security certificates, one-time password (OTP), AD domain user data docking, or fixed set of user name as a password to access the network credentials to perform access authentication through the user allowed to access the network without authentication of the client is denied access.

WLAN networks and major product lines have been unified authentication platform are completed docking and comprehensive support for industry-all WLAN security access.

2) terminal compliance check

MAC address authentication platform can be used, the user name and SSID binding way, good access to ensure the legitimacy of the user equipment, to ensure that legitimate people use a fixed terminal access specific scenes.

3) AP device compliance checks

AC wireless controller end, the AP uses the whitelist management mode, to access the AP unified management, the subsequent expansion of the AP, you should first add a new terminal at AC AP's MAC address. AP prevent noncompliant random access corporate networks.

1.3 link encryption

Use WPA2 + AES data encryption manner to ensure confidentiality of data. WPA2 key length of 128 bits encryption algorithm to solve the traditional problem of the key length is too short, and in WPA2, RADIUS servers to solve the authentication process of a single password mechanism. That is the user prior to access a wireless network, you first need to provide proof of identity, the identity of the database with the user authentication information for comparison checks to determine whether the client has permission to dynamically distribute key used to encrypt data.

Network is also a member of the WAPI alliance, according to the perfection of the universality of the terminal support WAPI case and user authentication backend of the underlying platform, WAPI encryption methods can be used to further protect the confidentiality and integrity of data.

1.4 Terminal isolation

Wireless access in the financial environment, if you do not use the terminal isolation technology, there will be cases of mutual influence, on the one hand transfer large files AP serious loss of resources between the terminal, on the other hand may cause any visits malicious data theft, send virus files, etc., will be a serious threat to network security.