WS2000 Wireless Switch
Integrated Wired and Wireless Networking for Branch Office and Small/Medium Enterprises
The WS2000 Wireless Switch from Symbol Technologies is an integrated wired and wireless networking solution, priced and designed to meet the needs of organizations ranging from healthcare clinics, schools and colleges to warehouses, branch offices of government agencies, retail stores, manufacturing plants and more. Built on the same centralized packet switching architecture as Symbol's award-winning WS 5000 Wireless Switch, the WS2000 offers enterprise class security (802.11i, site-to-site IPSec VPN), public/private network segmentation and 802.11abg standards support and provides:
- Extensive wireless LAN functionality and high performance
- Power and simplicity of centralized remote management
- Ability to scale to support future growth
- Investment protection and network simplicity.
All-in-One Integrated Wired and Wireless Networking
The need to purchase and manage additional network equipment is eliminated with the elegant all-in-one design of the WS2000. Support for multiple wireless LAN protocols (Wi-Fi® IEEE 802.11b, 802.11a, 802.11g), as well as integrated Ethernet switching (6 LAN ports), routing (RIP, Static Routes), Gateway and Power-over-Ethernet (PoE) simplifies network deployment and management, and reduces capital expense. Functionality includes an integrated Stateful Packet Inspection Firewall, Network Address Translation (NAT), DHCP server (on multiple subnets), and WAN connectivity support for flexible low cost installation.
Second-Generation Wireless LAN: the Power of Centralized Intelligence
The WS2000 offers the power and cost-efficiencies of second-generation wireless networking. Intelligence previously distributed and duplicated throughout first-generation access point-based wireless LANs is centralized and aggregated in the WS2000 Wireless Switch, delivering unprecedented power and control, and reduced deployment and management costs. Instead of traditional access points, the WS2000 works in conjunction with low-cost Access Ports, which are essentially 'zero configuration' devices, operational right out of the box, and can be mounted almost anywhere—even inside ceiling tiles.
End-to-end layered security
The WS2000 supports a comprehensive suite of security mechanisms—including access control, IPSec VPN (site-to-site), 802.1X based authentication, and strong encryption. In addition, the WS2000 also integrates a Stateful Packet Inspection Firewall for protection against various types of Denial-of-Service attacks and for filtering network traffic within the Local Area Network (LAN) and between the LAN and the Wide Area Network (WAN). The result is a layered security model that delivers robust end-to-end security. The WS2000 supports the best-in-class wireless security standards of today (including 802.11i), and is easily upgradeable to tomorrow's standards.
The WS2000 simplifies day-to-day operations with unified management of hardware, software configuration, and network policies. Centralized management also enables the automatic distribution of configurations to all Access Ports—eliminating the need and the associated costs to configure and manage each access point. The WS2000 also simplifies wireless network deployment across multiple locations (for example, multiple retail stores, restaurants or branch offices), delivering network design consistency and simplicity, as well as the ability to centrally manage from a regional Network Operations Center (NOC) or a data center.
Scalable and easy to upgrade
The WS2000 Wireless Switch System is designed to grow and adapt to changing network and organizational needs. Adding capacity and new functionality is easier and less expensive than with an access point-based wireless LAN. Each WS2000 supports up to six Access Ports and four wireless LANs, each with its own security and network policies. The plug-and-play Access Ports are ready to install right out of the box. Just attach them directly to the WS2000 or to your layer 2 LAN with Power-over-Ethernet and the network is immediately operational—LAN network integration is transparent. And upgrading to support newer standards in the future is fast and easy.
Lower total cost of ownership—outstanding investment protection
The WS2000 removes the overhead and complexity of first-generation access point-based wireless LANs, delivering a wireless network that is less expensive to implement and manage. The extensive functionality, expandability, and centralized management eliminate the time and management costs associated with access point-based solutions, providing a lower total cost of ownership. And the flexibility to support the standards of today and tomorrow, as well as the legacy wireless networks of yesterday, protects this valuable investment.
Extensive WLAN Functionality
The comprehensive feature set of the WS2000 provides full control over wireless LAN traffic for peak performance. Extensive wireless LAN functionality enables you to maximize bandwidth and throughput, secure network traffic, prioritize voice traffic, conserve power on mobile devices, and provide dependable connection speeds for users in challenging wireless environments.
Scalable Radio Architecture
Each WS2000 supports up to six single or dual-band Access Port radios (802.11b and 802.11abg) in the 2.4 and 5 GHz frequencies—offering the broadest radio technology support in the industry. The WS2000 supports a total of four wireless LANs.
Access Ports: Next-Generation Wireless Access Devices
Access Ports bring a new level of simplicity to wireless network implementation and management, as well as an unprecedented upgrade capability. Access Ports are easily upgraded with new features and functionality via the WS2000, providing excellent investment protection. A wide range of 802.11a, 802.11b and 802.11g external antenna options enables the design of coverage patterns for the most challenging environments. Each Access Port/radio supports up to four wireless LANs.
The Access Port AP300 supports simultaneous 802.11bg and 802.11a operation and aids high bandwidth applications. Support for Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) is included with the AP300 for regulatory compliance and radar detection and avoidance. Both the 802.11bg and 802.11a radios support four BSSIDs (which are mapped to four ESSIDs).
The WS2000 provides voice prioritization capabilities for devices such as VoIP phones, guaranteeing priority for voice traffic during periods of network congestion.
Power Saving for Client Devices
The Power Save Protocol (PSP) polling feature enables devices to maximize battery life and maintain application performance. The implementation allows devices to conserve power between wireless transmissions and also ensures that packets are stored and reliably delivered when the device awakens.
Virtual AP Enables True Virtual Wireless LANs
Virtual AP enables the wireless LAN to be segmented into true multiple broadcast domains—the wireless equivalent of Ethernet VLANs—providing the ability to map multiple ESSIDs (Extended Service Set Identifiers) to multiple BSSIDs (Basic Service Set Identifiers).
Virtual AP provides complete control over broadcast traffic. Control of broadcast traffic, including network level messages, is extremely important because of its potential negative effect on performance. Intelligent control of broadcast forwarding through proxy ARP and other mechanisms ensures that only the intended recipients receive broadcast traffic. The resulting reduction in traffic maximizes bandwidth and network throughput; device battery life and overall performance are improved with the elimination of the processing of messages intended for other recipients; and the possible compromise in confidentiality and security of messages is eliminated since broadcast messages can no longer reach the wrong recipients.
Load Balancing and Pre-emptive Roaming
Normal roaming does not occur until the device connection has reached a minimum connection speed of 1 Mbps—normally well beyond the boundaries of a cell and approximately halfway through an adjacent cell. Two features, client load balancing and pre-emptive roaming, work hand-in-hand to ensure that devices roam before the connection quality erodes, providing users with more consistent connection speeds for smooth application performance. The WS2000 provides the information needed for roaming decisions, ensuring that critical wireless connections—such as real-time voice and data connections—are maintained.
Transmit Power Control
Transmit Power Control minimizes radio interference for sites that require a very dense population of radios (Access Ports) to support bandwidth requirements. The transmit power along with antenna gain can be set on all supported Access Ports.
Multicast support enables multicast traffic to be sent to intended clients without any queuing, providing essential support for push-to-talk and other multimedia applications.
Proxy ARP enables the WS2000 to respond to ARP requests on behalf of a mobile client, acting as the client's agent or proxy. No longer burdened with the processing of ARP requests, the mobile client can temporarily suspend the WLAN adapter. The result is substantial savings of battery power on the client device, while preserving the integrity of the IP connection.
Storage of Software Update Packages for Client Devices
With the WS2000 and AirBEAM® Smart, managing and updating software on Symbol mobile devices is fast, easy—and automatic. The WS2000 acts as an FTP server, storing software updates on a CompactFlash™ card. AirBEAM Smart, Symbol's software management program resident on Symbol mobile devices, accesses the WS2000 to automatically download and install everything from new or updated wireless applications and drivers to operating systems on boot up.
End-to-End Layered Security
There is no element of networking—wired or wireless—more important than security. The WS2000 offers an integrated firewall as well as a complete end-to-end layered security model that supports all of today's wireless security standards, and is easily upgradeable to support the standards of tomorrow. Users can configure security policies that specify the correct level of control for users, applications, and devices within those groups.
Network Access Control
Layer 2 Access Control Lists provide filtering for advanced network traffic control, enabling administrators to forward or drop packets based on protocol type or MAC addresses.
Stateful Packet Inspection Firewall
Firewalls prevent unauthorized access to and from a private network by inspecting data packets that leave and enter the network, blocking data packets that do not meet certain criteria. In addition, firewalls prevent various types of Denial-of-Service attacks initiated both internally and externally.
The integrated firewall in the WS2000 is always enabled on the WAN interface by default, providing instant protection against intruders and a wide variety of attacks. The Stateful Packet Inspection Firewall offers advanced packet inspection and filtering—much stronger protection than standard simple packet inspection engines. "Stateful inspection" keeps track of information in the packet header, such as sequence numbers, source/destination IP address, source/destination port numbers, as well as the state of all TCP sessions passing through the firewall. The firewall checks for compatibility between the header of the responding packets (TCP ACKs) and the associated session information in the inspection table. If the information does not match, the packet is dropped.
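The inspection-table behaviour described above, as an added illustration that is not the WS2000's own code: a toy stateful firewall that opens a table entry for each outbound LAN connection, admits WAN-side packets only when their addresses, ports, sequence and acknowledgment numbers agree with that entry, and drops unsolicited inbound traffic. Packet fields, the `WINDOW` tolerance and the sample exchange are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

WINDOW = 65535   # constructed: how far a sequence number may run ahead of expectation
MOD = 1 << 32    # TCP sequence numbers wrap at 2^32
# iface: interface the packet arrives on ("LAN" private side or "WAN"); flags: set of TCP flag names
Packet = namedtuple("Packet", "iface src_ip dst_ip src_port dst_port flags seq ack length",
                    defaults=(0, 0))

@dataclass
class Session:
    state: str                  # "SYN_SENT" or "ESTABLISHED"
    client_next: int            # next sequence number expected from the LAN client
    server_next: Optional[int]  # next sequence number expected from the WAN peer

def _in_window(seq, expected):
    return (seq - expected) % MOD <= WINDOW

class StatefulFirewall:
    def __init__(self):
        self.table = {}         # (lan_ip, lan_port, wan_ip, wan_port) -> Session

    def inspect(self, p):
        return self._from_lan(p) if p.iface == "LAN" else self._from_wan(p)

    def _from_lan(self, p):
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        sess = self.table.get(key)
        if sess is None:
            if p.flags == {"SYN"}:          # new outbound connection opens a table entry
                self.table[key] = Session("SYN_SENT", p.seq + 1, None)
                return "ALLOW"
            return "DROP"                   # no session and not a SYN: stray packet
        if not _in_window(p.seq, sess.client_next):
            return "DROP"
        sess.client_next = p.seq + p.length + ("FIN" in p.flags)
        return "ALLOW"

    def _from_wan(self, p):
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        sess = self.table.get(key)
        if sess is None:
            return "DROP"                   # unsolicited inbound: nothing in the table
        if sess.state == "SYN_SENT":        # only a SYN-ACK acknowledging our SYN fits
            if p.flags == {"SYN", "ACK"} and p.ack == sess.client_next:
                sess.state, sess.server_next = "ESTABLISHED", p.seq + 1
                return "ALLOW"
            return "DROP"
        # established: the peer may only acknowledge bytes the client actually sent
        if "ACK" in p.flags and (sess.client_next - p.ack) % MOD > WINDOW:
            return "DROP"
        if not _in_window(p.seq, sess.server_next):
            return "DROP"
        sess.server_next = p.seq + p.length + ("FIN" in p.flags)
        return "ALLOW"

def run_demo():
    # constructed exchange: a LAN client talks to 203.0.113.5:443, then three bad packets arrive
    fw, lan, srv = StatefulFirewall(), "192.168.1.10", "203.0.113.5"
    pkts = [
        Packet("LAN", lan, srv, 40000, 443, {"SYN"}, seq=1000),
        Packet("WAN", srv, lan, 443, 40000, {"SYN", "ACK"}, seq=5000, ack=1001),
        Packet("LAN", lan, srv, 40000, 443, {"ACK"}, seq=1001, ack=5001, length=120),
        Packet("WAN", srv, lan, 443, 40000, {"ACK"}, seq=5001, ack=1121, length=300),
        Packet("WAN", "198.51.100.9", lan, 443, 40000, {"ACK"}, seq=1, ack=1),  # no session
        Packet("WAN", srv, lan, 443, 40000, {"ACK"}, seq=5301, ack=90000),      # acks unsent bytes
        Packet("WAN", "198.51.100.9", lan, 50000, 22, {"SYN"}, seq=7),          # unsolicited SYN
    ]
    return [fw.inspect(p) for p in pkts]
```

The first four packets are the legitimate handshake and data exchange and pass; the last three fail the table match and are dropped.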
The default Firewall settings also protect against the following types of attacks:
- IP Spoofing
- Ping of Death
- Land Attacks
- IP Reassembly attacks
Configurable filters guard against other types of attacks including SYN Flooding, Source Routing, WinNuke, FTP Bounce, Sequence Number Prediction, IP Unaligned Timestamp, and MIME Flood attacks. Defense against a total of more than 50 types of attacks is provided by the WS2000.
Between each of the available subnets, the WS2000 also provides filtering capabilities based on protocol, port and IP source and destination addresses.
802.1X/Extensible Authentication Protocol (EAP)
802.1X and Extensible Authentication Protocol (EAP) work hand-in-hand, providing the infrastructure for robust authentication and dynamic key rotation and distribution. EAP provides a means for mutual authentication. Authorized users identify themselves to the wireless network, and the wireless network identifies itself to the user—ensuring that unauthorized users cannot access your network, and authorized users do not inadvertently join a rogue network. A wide variety of authentication types can be used—from user name and password to voice signatures, public keys, and biometrics, with the ability to upgrade to support future authentication types. And dynamic key rotation and distribution provides a new encryption key per user per session, greatly increasing the strength of the chosen encryption algorithm (WEP, AES or TKIP) used to encode data. The WS2000 supports a variety of EAP methods, including TLS, TTLS, PEAP and SIM.
The industry-standard Kerberos protocol meets all of the requirements for scalable, effective security in a mobile environment. Kerberos features mutual authentication and end-to-end encryption. All traffic is encrypted and security keys are generated on a per-client basis; keys are never shared or reused, and are automatically distributed in a secure manner. The WS2000 requires an external Key Distribution Center (KDC), such as a Windows 2000 server.
Encryption ensures that data privacy is maintained while in transmission. As a common rule, the stronger the encryption, the more complex and expensive it is to implement and manage. The WS2000 supports a range of encryption options (including AES and 3DES that support wireless networking, SNMP access and site-to-site VPN) that provide basic to strong encryption techniques, providing the flexibility to select the right level for your data.
Wired Equivalent Privacy (WEP)
The 802.11 Wired Equivalent Privacy (WEP) provides static key encryption—a single key is distributed to all users for encryption and decryption of data. WEP generates either a 40- or 128-bit key using the widely used RC4 encryption algorithm. WEP allows full interoperability with legacy clients and provides basic over-the-air security in less-critical environments, such as an open public-access application.
WPA—Temporal Key Integrity Protocol (TKIP)
WPA-TKIP addresses well-known vulnerabilities in WEP encryption. TKIP provides key rotation on a per-packet basis along with the Michael message integrity check (MIC), which determines if data has been tampered with or corrupted while in transit. This robust method of encryption provides a higher level of protection for your data and protects your network from a variety of types of attacks.
WPA relies on RC4 and TKIP. In order to completely eliminate the WEP related flaws, IEEE recently ratified a new security standard, 802.11i (termed WPA2 by the Wi-Fi Alliance). WPA2 specifies the use of stronger cipher systems such as AES (Advanced Encryption Standard) and a security protocol called CCMP (Counter Mode CBC-MAC Protocol). CCMP uses AES for encryption and a well-proven method called CBC-MAC (Cipher Block Chaining Message Authentication Code) to compute the message integrity check (MIC) used for data integrity checks. CCMP is in a sense the equivalent of TKIP used in the original WPA, but much stronger.
As part of the WPA2 implementation, support for PMK (Pairwise Master Key) Caching, Pre-Authentication, and "Opportunistic" PMK Caching is available, enabling fast roaming of mobile clients between Access Ports. These mechanisms basically act by foregoing either the 802.1X part of the authentication or the 4-way handshake associated with CCMP message exchanges between the client and the Access Port.
Similar to WECA's version of TKIP, KeyGuard provides a different key for every packet of data, but uses a different version of message integrity check (MIC) to determine if data has been tampered with or corrupted during transmission. KeyGuard was developed by Symbol prior to WPA. It is supported on Symbol mobile clients and, due to its small footprint, has the advantage of being supported even in older DOS based devices.
IPSec VPN (Site-to-Site)
Virtual Private Networking (VPN) provides a cost-effective, secure solution for businesses to take advantage of the public Internet instead of dedicated leased WAN links to transmit information between remote branch offices (Intranet) or with external customers/partners (Extranet).
The WS2000 supports IPSec (Internet Protocol Security) based VPN for securing communication between a WS2000 in a branch location and another VPN Gateway at the main office. The implementation in the WS2000 includes a complete IPSec engine, IKE engine, DES/3DES/AES encryption and NAT Traversal support.
Wired Networking Services
In addition to wireless network connectivity, data switching capabilities are also provided for wired devices (such as store servers, wired Point-of-Sale systems, wired printers, etc.) that are connected to any of the six Ethernet ports on the WS2000.
Up to four independent subnets (broadcast domains) can be configured in the WS2000. The six physical ports and four wireless LANs are each mapped to one of the four subnets. Separate IP addressing and outbound network policies (filtering traffic based on protocol type and port ranges, IP source and destination addresses, or completely blocking traffic between subnets and the WAN) can be applied on a per subnet basis. This provides a great deal of flexibility in segmenting and securing the network.
The WS2000 supports Layer 3 services. It supports Routing Information Protocol (RIP) v1 and v2. The primary benefits of RIP are ease of configuration and suitability for small networks (less than 15 hops). If RIP is enabled on any of the four private interfaces, RIP broadcasts are periodically sent over that interface, and the routing table is also updated based on the broadcasts received on that interface from other connected routers. Static routes can be configured for each IP interface on the private side as well.
The WS2000 integrates gateway functionality for ease of provisioning network services—Network Address Translation (NAT), DHCP Server, Firewall—for SMBs.
DHCP Client and Server
The WS2000 offers integrated DHCP services for all four of its subnets. The need to purchase, manage and maintain additional network equipment to obtain this functionality is eliminated, saving capital as well as operational expenses.
Each of the four private interfaces (Subnets 1-4) can be configured with a static IP address or as either a DHCP (Dynamic Host Configuration Protocol) client or a DHCP server. The WAN interface can have a static IP address or be configured to be a DHCP client.
If the interface is configured to be a DHCP client, the IP address is obtained from an external DHCP server. If the interface is configured to be a DHCP server, the WS2000 serves (leases) IP addresses to connected clients (wired or wireless). The scope of IP addresses (the range) is configurable per subnet. The clients also receive DNS configuration and default route information from the DHCP server on the WS2000.
The advanced DHCP configuration allows for specification of lease time, WINS Server and static IP mappings (mapping individual MAC addresses to specific IP addresses).
Network Address Translation (NAT) with Application Layer Gateway (ALG)
With NAT, the IP addresses of client devices in the internal network are invisible to the external world. Identity is protected, while the client devices connect to the Internet through the WS2000 as if directly on the Internet. The WS2000 supports three different NAT configurations:
- One-to-One—A pool of available public IP addresses can be used to map to individual (internal) client IP addresses. One-to-one NAT translates the IP address on behalf of the client.
- Many-to-One—The IP addresses for a group of mobile clients in the internal network can be mapped to a group with a single public IP address. The WS2000 allows the range of IP addresses in each of the three subnets to be mapped to the same (or different) public IP address.
- Port Forwarding—This inbound network policy allows communication from the public network to a computer on the internal network via a specified port. Essentially, this allows the creation of a tunnel through the firewall, between the computer on the LAN and the Internet. This is useful, for example, to run a Web Server (Port 80) or FTP Server (Port 23) using a single IP address. The WS2000 also allows the port translation and forwarding of all unspecified ports to a specific IP address on the internal network.
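The three NAT configurations listed above, as an added illustration that is not the WS2000's own code: a small translator that applies one-to-one mappings (address swapped, port kept), many-to-one translation (a shared public address with a freshly allocated port per internal flow), and port forwarding for explicitly published services, while dropping inbound packets that match neither a known session nor a forward. The addresses, the `Nat` class and the demo topology are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Outbound and inbound translation for one-to-one, many-to-one and port forwarding."""

    def __init__(self, public_ip: str, one_to_one: Dict[str, str],
                 port_forwards: Dict[int, Tuple[str, int]]):
        self.public_ip = public_ip            # many-to-one: address shared by the subnet
        self.one_to_one = one_to_one          # internal IP -> dedicated public IP
        self.port_forwards = port_forwards    # public port -> (internal IP, internal port)
        self.out_map: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (int ip, port) -> (pub ip, port)
        self.in_map: Dict[Tuple[str, int], Tuple[str, int]] = {}    # reverse of out_map
        self.next_port = 1024                 # constructed: first port handed out for many-to-one

    def translate_outbound(self, f: Flow) -> Flow:
        """LAN -> WAN: rewrite the private source to a public address/port and remember it."""
        key = (f.src_ip, f.src_port)
        if key not in self.out_map:
            if f.src_ip in self.one_to_one:
                public = (self.one_to_one[f.src_ip], f.src_port)   # address only; port kept
            else:
                while self.next_port in self.port_forwards:          # never hand out a forwarded port
                    self.next_port += 1
                public = (self.public_ip, self.next_port)
                self.next_port += 1
            self.out_map[key], self.in_map[public] = public, key
        pub_ip, pub_port = self.out_map[key]
        return Flow(pub_ip, pub_port, f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """WAN -> LAN: deliver replies to known sessions and configured forwards; drop the rest."""
        key = (f.dst_ip, f.dst_port)
        if key in self.in_map:                                   # reply to an outbound session
            int_ip, int_port = self.in_map[key]
        elif f.dst_ip == self.public_ip and f.dst_port in self.port_forwards:
            int_ip, int_port = self.port_forwards[f.dst_port]    # explicit inbound policy
        else:
            return None                                          # internal hosts stay invisible
        return Flow(f.src_ip, f.src_port, int_ip, int_port)

def run_demo() -> dict:
    # constructed topology: a shared public address, one host with its own public address,
    # and a web server published on port 80
    nat = Nat("203.0.113.1", one_to_one={"192.168.1.50": "203.0.113.2"},
              port_forwards={80: ("192.168.1.20", 80)})
    remote = "198.51.100.7"
    out_a = nat.translate_outbound(Flow("192.168.1.10", 51000, remote, 443))
    out_b = nat.translate_outbound(Flow("192.168.1.11", 51000, remote, 443))  # same port, new public port
    out_c = nat.translate_outbound(Flow("192.168.1.50", 51000, remote, 443))  # one-to-one host
    return {
        "many_to_one_a": out_a, "many_to_one_b": out_b, "one_to_one": out_c,
        "reply_to_a": nat.translate_inbound(Flow(remote, 443, out_a.src_ip, out_a.src_port)),
        "forwarded_web": nat.translate_inbound(Flow(remote, 33000, "203.0.113.1", 80)),
        "unsolicited_ssh": nat.translate_inbound(Flow(remote, 33000, "203.0.113.1", 22)),
    }
```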
Application Layer Gateways (ALGs) enable applications that embed addressing information in the payload (such as FTP, QuickTime, Real Networks, Net2Phone and NetMeeting), and protocols (such as PPTP, L2TP, IKE and IPSec) to work when NAT is enabled. ALGs for over 40 different applications and protocols are supported.
The integrated uplink 10/100 Ethernet Port enables the WS2000 to connect to a WAN access device (such as a DSL or Cable modem, or Frame Relay Access Device), enabling client devices to share Internet connectivity.
In addition, the WS2000 provides support for the industry-standard PPP (Point-to-Point Protocol) and PPPoE (PPP over Ethernet) protocols. The PPPoE protocol enables multiple LAN users to connect to the Internet through a single DSL modem.
Ease of Management
The WS2000 is easy to configure, and even easier to manage. The configuration of any WS2000 can be easily replicated for fast and simple deployment of additional WS2000 Wireless Switches. The configuration file can be exported to a text file and directly imported into the WS2000, or published to a remote FTP or TFTP server that is accessible to your WS2000 Wireless Switches. Firmware can be easily updated as well, either via FTP or TFTP servers.
Support for different interfaces is provided to ensure maximum flexibility in configuring and managing the WS2000:
- Command Line Interface (CLI)—Designed with well-known industry semantics, the CLI provides complete baseline management through the Telnet or serial interfaces.
- Web-based Management—Provides anytime-anywhere management with an intuitive, web-based (Java) GUI that supports step-by-step, easy configuration of all the system features.
- Simple Network Management Protocol (SNMP)—The SNMP implementation in the WS2000 provides support for commands for updating configuration and firmware files and allows for remote monitoring of system health and key RF parameters. Supported MIBs include:
- MIB II (RFC 1213)
- Ping and Traceroute MIB (RFC 2925)
- Symbol MIB (802.11 related)
The WS2000 provides several key RF statistics that help in real-time monitoring of the network health. These statistics (such as throughput, percentage of retries, average signal strength and SNR on a per MU, Access Port, and Switch basis) are updated frequently and available via all supported interfaces (CLI, Web, SNMP). Key system traps are also supported. Traps can be configured when any of the key system performance parameters fall outside the user configured bounds. The traps can be forwarded to any enterprise management system and provide early notification of network problems related to Access Port adoption, Mobile Unit association and system resets.