WS2000 Wireless Switch
Integrated Wired and Wireless Networking for Branch Office and
Small/Medium Enterprises
The WS2000 Wireless Switch from Symbol Technologies is an
integrated wired and wireless networking solution, priced and
designed to meet the needs of healthcare clinics, schools and
colleges to warehouses, branch offices of government agencies,
retail stores, manufacturing plants and more. Built on the same
centralized packet switching architecture as Symbol's award-winning
WS 5000 Wireless Switch, the WS2000 offers enterprise class security
(802.11i, site-to-site IPSec VPN), public/private network
segmentation and 802.11abg standards support and provides:
- Extensive wireless LAN functionality and high performance
- Power and simplicity of centralized remote management
- Ability to scale to support future growth
…Investment protection and network simplicity.
All-in-One Integrated Wired and Wireless Networking
The need to purchase and manage additional network equipment is
eliminated with the elegant all-in-one design of the WS2000. Support
for multiple wireless LAN protocols (Wi-Fi® IEEE 802.11b,
802.11a, 802.11g), as well as integrated Ethernet switching (6 LAN
ports), routing (RIP, Static Routes), Gateway and
Power-over-Ethernet (PoE) simplifies network deployment and
management, and reduces capital expense. Functionality includes an
integrated Stateful Packet Inspection Firewall, Network Address
Translation (NAT), DHCP server (on multiple subnets), and WAN
connectivity support for flexible low cost installation.
Second-Generation Wireless LAN: the Power of Centralized
Intelligence
The WS2000 offers the power and cost-efficiencies of
second-generation wireless networking. Intelligence previously
distributed and duplicated throughout first-generation access
point-based wireless LANs is centralized and aggregated in the
WS2000 Wireless Switch, delivering unprecedented power and control,
and reduced deployment and management costs. Instead of traditional
access points, the WS2000 works in conjunction with low-cost Access
Ports, which are essentially 'zero configuration' devices,
operational right out of the box, and can be mounted almost
anywhere—even inside ceiling tiles.
End-to-end layered security
The WS2000 supports a comprehensive suite of security
mechanisms—including access-control, IPSec VPN (site-to-site),
802.1X based authentication, and strong encryption. In addition, the
WS2000 also integrates a Stateful Packet Inspection Firewall for
protection against various types of Denial-of-Service attacks and
filtering network traffic within the Local Area Network (LAN) and
between the LAN and the Wide Area Network (WAN). The result is a
layered security model that delivers robust end-to-end security. The
WS2000 supports the best-in-class wireless security standards of
today (including 802.11i), and is easily upgradeable to tomorrow's
standards.
Centralized management
The WS2000 simplifies day-to-day operations with unified
management of hardware, software configuration, and network
policies. Centralized management also enables the automatic
distribution of configurations to all Access Ports—eliminating the
need and the associated costs to configure and manage each access
point. The WS2000 also simplifies wireless network deployment across
multiple locations (for example, multiple retail stores, restaurants
or branch offices), delivering network design consistency and
simplicity, as well as the ability to centrally manage from a
regional Network Operations Center (NOC) or a data center.
Scaleable and easy to upgrade
The WS2000 Wireless Switch System is designed to grow and adapt
to changing network and organizational needs. Adding capacity and
new functionality is easier and less expensive than an access
point-based wireless LAN. Each WS2000 supports up to six Access
Ports and four wireless LANs, each with its own security and network
policies. The plug-and-play Access Ports are ready to install right
out of the box. Just attach directly to the WS2000 or to your layer
2 LAN with Power-over-Ethernet and the network is immediately
operational—LAN network integration is transparent. And upgrading to
support newer standards in the future is fast and easy.
Lower total cost of ownership—outstanding investment
protection
The WS2000 removes the overhead and complexity of first
generation access point-based wireless LANs, delivering a wireless
network that is less expensive to implement and manage. The
extensive functionality, expandability, and centralized management
eliminate the time and management costs associated with access
point-based solutions, providing a lower total cost of ownership.
And the flexibility to support the standards of today and tomorrow,
as well as the legacy wireless networks of yesterday, protects this
valuable investment.
Extensive WLAN Functionality
The comprehensive feature set of the WS2000 provides full control
over wireless LAN traffic to provide peak performance. Extensive
wireless LAN functionality enables you to maximize bandwidth and
throughput, secure network traffic, prioritize voice traffic,
conserve power on mobile devices, and provide dependable connection
speeds for users in challenging wireless environments.
Scalable Radio Architecture
Each WS2000 supports up to six single or dual-band Access Port
radios (802.11b and 802.11abg) in the 2.4 and 5 GHz
frequencies—offering the broadest radio technology support in the
industry. The WS2000 supports a total of four wireless LANs.
Access Ports: Next-Generation Wireless Access Devices
Access Ports bring a new level of simplicity to wireless
network implementation and management, as well as an unprecedented
upgrade capability. Access Ports are easily upgraded with new
features and functionality via the WS2000, providing excellent
investment protection. A wide range of 802.11a, 802.11b and 802.11g
external antenna options enables the design of coverage patterns for
the most challenging environments. Each Access Port/radio supports
up to four wireless LANs.
The Access Port AP300 supports simultaneous 802.11bg and 802.11a
operations and aids in high bandwidth applications. Support for
Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
is included with the AP300 for regulatory compliance and radar
detection and avoidance. Both the 802.11bg and 802.11a radios
support four BSSIDs (which are mapped to four ESSIDs).
Voice Prioritization
The WS2000 provides voice prioritization capabilities for
devices such as VoIP phones, guaranteeing priority for voice traffic
during periods of network congestion.
Power Saving for Client Devices
The Power Save Protocol (PSP) polling feature enables devices to
maximize battery life and maintain application performance. The
implementation allows devices to conserve power between wireless
transmissions and also ensures that packets are stored and reliably
delivered when the device awakens.
Virtual AP Enables True Virtual Wireless LANS
Virtual AP enables the wireless LAN to be segmented into true
multiple broadcast domains—the wireless equivalent of Ethernet
VLANs—providing the ability to map multiple ESSIDs (Extended Service
Set Identifiers) to multiple BSSIDs (Basic Service Set
Identifiers).
Virtual AP provides complete control over broadcast traffic.
Control of broadcast traffic, including network level messages, is
extremely important because of its potential negative effect on
performance. Intelligent control of broadcast forwarding through
proxy ARP and other mechanisms ensures that only the intended
recipients receive broadcast traffic. The resulting reduction in
traffic maximizes bandwidth and network throughput; device battery
life and overall performance are improved with the elimination of
the processing of messages intended for other recipients; and the
possible compromise in confidentiality and security of messages is
eliminated since broadcast messages can no longer reach the wrong
recipients.
Load Balancing and Pre-emptive Roaming
Normal roaming does not occur until the device connection has
reached a minimum connection speed of 1 Mbps—normally well beyond
the boundaries of a cell and approximately halfway through an
adjacent cell. Two features, client load balancing and pre-emptive
roaming, work hand-in-hand to ensure that devices roam before the
connection quality erodes, providing users with more consistent
connection speeds for smooth application performance. The WS2000
provides the information needed for roaming decisions, ensuring that
critical wireless connections—such as real-time voice and data
connections—are maintained.
Transmit Power Control
Transmit Power Control minimizes radio interference for sites
that require a very dense population of radios (Access Ports) to
support bandwidth requirements. The transmit power along with
antenna gain can be set on all supported Access Ports.
Multicast Masking
This feature enables multicast traffic to be sent to intended
clients without any queuing, providing essential support for
push-to-talk and other multimedia applications.
Proxy ARP
Proxy ARP enables the WS2000 to respond to ARP requests on behalf
of a mobile client, acting as the client's agent or Proxy. No
longer burdened with the processing of ARP requests, the mobile
client can temporarily suspend the WLAN adapter. The result is
substantial savings of battery power on the client device, while
preserving the integrity of the IP connection.
Storage of Software Update Packages for Client Devices
With the WS2000 and AirBEAM® Smart, managing and
updating software on Symbol mobile devices is fast, easy—and
automatic. The WS2000 acts as an FTP server, storing
software updates via a CompactFlash™ card. AirBEAM Smart, Symbol's
software management program resident on Symbol mobile devices,
accesses the WS2000 to automatically download and install
everything from new or updated wireless applications and drivers to
operating systems on bootup.
End-to-End Layered Security
There is no element of networking—wired or wireless—more
important than security. The WS2000 offers an integrated firewall as
well as a complete end-to-end layered security model that supports
all of today's wireless security standards, and is easily
upgradeable to support the standards of tomorrow. Users can
configure security policies that specify the correct level of
control for users, applications, and devices within those
groups.
Network Access Control
Layer 2 Access Control Lists provide filtering for advanced
network traffic control, enabling administrators to forward or drop
packets based on protocol type or MAC Addresses.
Stateful Packet Inspection Firewall
Firewalls prevent unauthorized access to and from a private
network by inspecting data packets that leave and enter the network,
blocking data packets that do not meet certain criteria. In
addition, firewalls prevent various types of Denial-of-Service
attacks initiated both internally and externally.
The integrated firewall in the WS2000 is always enabled on the
WAN interface by default, providing instant protection against
intruders and a wide variety of attacks. The Stateful Packet
Inspection Firewall offers advanced packet inspection and
filtering—much stronger protection than standard simple packet
inspection engines. "Stateful inspection" keeps track of information
in the packet header, such as Sequence numbers, source/destination
IP address, source/destination port numbers, as well as the state of
all TCP sessions passing through the firewall. The firewall checks
for compatibility between the header of the responding packets (TCP
Acks) and the associated session information in the inspection
table. If the information does not match, the packet is dropped.
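The header-versus-table check described above, as an added Python example (not Symbol's implementation or code from this page). The class and field names, the WINDOW constant and all addresses are assumptions made for illustration; sequence wraparound, retransmission, teardown and timeouts are not modelled.

```python
from dataclasses import dataclass
SYN, ACK, FIN = 0x02, 0x10, 0x01
WINDOW = 65535  # constructed acceptance window for inbound sequence numbers

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    length: int = 0  # TCP payload bytes

@dataclass
class Session:
    state: str             # "SYN_SENT" or "ESTABLISHED"
    inside_next: int       # next sequence number the inside host will use
    outside_next: int = 0  # next sequence number expected from outside

def _consumed(p):
    return p.length + (1 if p.flags & (SYN | FIN) else 0)  # SYN/FIN use one

class InspectionTable:
    def __init__(self):
        self.sessions = {}

    def outbound(self, p):
        """LAN to WAN: a SYN opens a session, later packets update it."""
        key = (p.src, p.sport, p.dst, p.dport)
        s = self.sessions.get(key)
        if s is None:
            if p.flags & SYN and not p.flags & ACK:
                self.sessions[key] = Session("SYN_SENT", p.seq + _consumed(p))
                return "accept"
            return "drop"
        s.inside_next = max(s.inside_next, p.seq + _consumed(p))
        return "accept"

    def inbound(self, p):
        """WAN to LAN: accept only replies that match tracked state."""
        key = (p.dst, p.dport, p.src, p.sport)
        s = self.sessions.get(key)
        if s is None:
            return "drop"  # unsolicited: no session for this 4-tuple
        if not p.flags & ACK or p.ack > s.inside_next:
            return "drop"  # acknowledges data the inside host never sent
        if s.state == "SYN_SENT":
            if not p.flags & SYN or p.ack != s.inside_next:
                return "drop"
            s.state, s.outside_next = "ESTABLISHED", p.seq + 1
            return "accept"
        if not 0 <= p.seq - s.outside_next < WINDOW:
            return "drop"  # sequence number outside the expected window
        s.outside_next = p.seq + _consumed(p)
        return "accept"

def demo():
    """Constructed exchange: handshake, data, forged ACK, unsolicited SYN."""
    fw = InspectionTable()
    lan, wan = ("192.168.0.10", 40000), ("203.0.113.5", 80)
    return [
        fw.outbound(Packet(*lan, *wan, SYN, seq=1000)),
        fw.inbound(Packet(*wan, *lan, SYN | ACK, seq=5000, ack=1001)),
        fw.inbound(Packet(*wan, *lan, ACK, seq=5001, ack=1001, length=10)),
        fw.inbound(Packet(*wan, *lan, ACK, seq=5011, ack=9999)),  # forged ACK
        fw.inbound(Packet("198.51.100.7", 80, *lan, SYN, seq=1)),
    ]
```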
The default Firewall settings also protect against the following
types of attacks:
- IP Spoofing
- Ping of Death
- Land Attacks
- IP Reassembly attacks
Configurable filters guard against other types of attacks
including Syn Flooding, Source Routing, Winnuke, FTP Bounce,
Sequence Number Prediction, IP Unaligned Timestamp, and Mime Flood
Attack. Defense against a total of more than 50 types of attacks is
provided by WS2000.
Between each of the available subnets, the WS2000 also provides
filtering capabilities based on protocol, port and IP source and
destination addresses.
802.1x/Extensible Authentication Protocol (EAP)
802.1x and Extensible Authentication Protocol (EAP) work
hand-in-hand, providing the infrastructure for robust authentication
and dynamic key rotation and distribution. EAP provides a means for
mutual authentication. Authorized users identify themselves to the
wireless network, and the wireless network identifies itself to
the user—ensuring that unauthorized users cannot access your
network, and authorized users do not inadvertently join a rogue
network. A wide variety of authentication types can be used—from
user name and password to voice signatures, public keys, and
biometrics, with the ability to upgrade to support future
authentication types. And dynamic key rotation and
distribution provides a new encryption key per user per session,
greatly increasing the strength of the chosen encryption algorithm
(WEP, AES or TKIP) used to encode data. The WS2000 supports a
variety of EAP methods, including TLS, TTLS, PEAP and SIM.
Kerberos
The industry-standard Kerberos protocol meets all of the
requirements for scalable, effective security in a mobile
environment. Kerberos features mutual authentication and end-to-end
encryption. All traffic is encrypted and security keys are generated
on a per-client basis, keys are never shared or reused, and are
automatically distributed in a secure manner. WS2000 requires an
external Key Distribution Center (KDC), such as a Windows 2000
server.
Encryption
Encryption ensures that data privacy is maintained while in
transmission. As a common rule, the stronger the encryption, the
more complex and expensive it is to implement and manage. The WS2000
supports a range of encryption options (including AES and 3DES that
support wireless networking, SNMP access and site-to-site VPN) that
provide basic to strong encryption techniques, providing the
flexibility to select the right level for your data.
Wired Equivalent Privacy (WEP)
The 802.11 Wired Equivalent Privacy (WEP) provides static key
encryption—a single key is distributed to all users for encryption
and decryption of data. WEP generates either a 40- or 128-bit key
using the widely used RC-4 encryption algorithm. WEP allows full
interoperability with legacy clients and provides basic over-the-air
security in less-critical environments, such as an open
public-access application.
WPA—Temporal Key Integrity Protocol (TKIP)
WPA-TKIP addresses well-known vulnerabilities in WEP encryption.
TKIP provides key rotation on a per-packet basis along with Michael
message integrity check (MIC), which determines if data has been
tampered with or corrupted while in transit. This robust method of
encryption provides a higher level of protection for your data and
protects your network from a variety of types of attacks.
WPA2 (AES/CCMP)
WPA relies on RC4 and TKIP. In order to completely eliminate the
WEP-related flaws, IEEE recently ratified a new security standard,
802.11i (termed WPA2 by the Wi-Fi Alliance). WPA2 specifies the use
of stronger cipher systems such as AES (Advanced Encryption
Standard) and a security protocol called CCMP (Counter Mode CBC MAC
Protocol). CCMP uses AES for encryption and a well-proven method
called CBC-MAC (Cipher Block Chaining Message Authentication Code)
to compute the message integrity check (MIC) (for data integrity
checks). CCMP in a sense is the equivalent of TKIP used in the
original WPA but much stronger.
As part of the WPA2 implementation, support for PMK (Pairwise
Master Key) Caching, Pre-Authentication, and "Opportunistic" PMK
Caching is available, enabling fast roaming of mobile clients
between Access Ports. These mechanisms basically act by forgoing
either the 802.1X part of the authentication or the 4-way handshake
associated with CCMP message exchanges between the client and the
Access Port.
KeyGuard™—MCM
Similar to WECA's version of TKIP, KeyGuard provides a different
key for every packet of data, but uses a different version of
message integrity check (MIC) to determine if data has been tampered
with or corrupted during transmission. KeyGuard was developed by Symbol
prior to WPA. It is supported on Symbol mobile clients and due to
its small footprint, has the advantage of being supported even in
older DOS based devices.
IPSec VPN (Site-to-Site)
Virtual Private Networking (VPN) provides a cost-effective,
secure solution for businesses to take advantage of the public
Internet instead of dedicated leased WAN links to transmit
information between remote branch offices (Intranet) or with
external customers/partners (Extranet).
The WS2000 supports IPSec (Internet Protocol Security) based VPN
for securing communication between a WS2000 in a branch location and
another VPN Gateway at the main office. The implementation in WS2000
includes a complete IPSec engine, IKE engine, DES/3DES/AES
encryption and NAT Traversal support.
Wired Networking Services
In addition to wireless network connectivity, data switching
capabilities are also provided for wired devices (such as Store
Servers, wired Point-of-Sales Systems, wired printers, etc.) that
are connected to any of the six Ethernet ports on the WS2000.
Virtual LANs
Up to four independent subnets (broadcast domains) can be
configured in the WS2000. The six physical ports and four wireless
LANs are mapped to one of the four subnets. Separate IP addressing
and outbound network policies (filtering traffic based on Protocol
type and Port ranges, IP Source and Destination addresses or
completely blocking traffic between subnets and the WAN) can be
applied on a per subnet basis. This provides a great deal of
flexibility in segmenting and securing the network.
Routing
The WS2000 supports Layer 3 services. It supports Routing
Information Protocol (RIP) v1 and v2. The primary benefits of RIP
are ease of configuration and suitability for small networks (less
than 15 hops). If RIP is enabled on any of the four private
interfaces, RIP broadcasts are periodically sent over that
interface, and the routing table is also updated based on the
broadcast received on that interface from other connected routers.
Static routes can be configured for each IP interface on the private
side as well.
Integrated Gateway
The WS2000 integrates gateway functionality for ease of
provisioning network services—Network Address Translation (NAT),
DHCP Server, Firewall—for SMBs.
DHCP Client and Server
The WS2000 offers integrated DHCP services for all four of its
subnets. The need to purchase, manage and maintain additional
network equipment to obtain this functionality is eliminated–saving
capital as well as operational expenses.
Each of the four private interfaces (Subnets 1-4) can be
configured with a static IP address, or as either a DHCP (Dynamic Host
Configuration Protocol) client or a DHCP server. The WAN interface
can have a static IP address or be configured to be a DHCP
client.
If the interface is configured to be a DHCP client, the IP
address is obtained from an external DHCP server. If the interface
is configured to be a DHCP server, the WS2000 serves (leases) IP
addresses to connected clients (wired or wireless). The scope of IP
addresses (the range) is configurable per subnet. The clients also
receive DNS configuration and default route information from the
DHCP server on the WS2000.
The advanced DHCP configuration allows for specification of lease
time, WINS Server and static IP mappings (mapping individual MAC
addresses to specific IP addresses).
Network Address Translation (NAT) with Application Layer
Gateway (ALG)
With NAT, the IP addresses of client devices in the internal
network are invisible to the external world. Identity is protected,
while the client devices connect to the Internet through the WS2000
as if directly on the Internet. The WS2000 supports three different
NAT configurations:
- One-to-One—A pool of available public IP addresses can be used
to map to an individual (internal) client IP address. One-to-one NAT
translates the IP address on behalf of the client.
- Many-to-One—The IP addresses for a group of mobile
clients in the internal network can be mapped to a group with a
single public IP address. The WS2000 allows the range of IP
addresses in each of the three subnets to be mapped to the same (or
different) public IP address.
- Port Forwarding—This inbound network policy
allows communication from the public network to a computer on the
internal network via a specified port. Essentially, this allows the
creation of a tunnel through the firewall, between the computer on
the LAN and the Internet. This is useful, for example, to run a Web
Server (Port 80) or FTP Server (Port 23) using a single IP address.
The WS2000 also allows the port translation and forwarding of all
unspecified ports to a specific IP address on the internal
network.
Application Layer Gateways (ALGs) enable applications that embed
addressing information in the payload (such as FTP, Quicktime, Real
Networks, Net2Phone and Netmeeting), and protocols (such as PPTP,
L2TP, IKE and IPSec) to work when NAT is enabled. ALGs for over 40
different applications and protocols are supported.
WAN Connectivity
The integrated uplink 10/100 Ethernet Port enables the WS2000 to
connect to a WAN access device (such as a DSL or Cable modem, or
Frame Relay Access Device), enabling client devices to share
Internet connectivity.
In addition, the WS2000 provides support for industry-standard
PPP (Point-to-point) and PPPoE (PPP over Ethernet) protocols. The
PPPoE protocol enables multiple LAN users to connect to the Internet
through a single DSL modem.
Ease of Management
The WS2000 is easy to configure, and even easier to manage. The
configuration of any WS2000 can be easily replicated for fast and
simple deployment of additional WS2000 Wireless Switches. The
configuration file can be exported to a text file and directly
imported into the WS2000, or published to a remote FTP or TFTP
server that is accessible to your WS2000 Wireless Switches.
Firmware can be easily updated as well, either via FTP or TFTP
servers.
Support for different interfaces is provided to ensure maximum
flexibility in configuring and managing the WS2000:
- Command Line Interface (CLI)—Designed with well-known industry
semantics and provides complete baseline management through the
Telnet or Serial interfaces.
- Web-based Management—Provides anytime-anywhere
management with an intuitive, web-based (Java) GUI that supports
step-by-step, easy configuration of all the system features.
- Simple Network Management Protocol (SNMP)—The
SNMP implementation in the WS2000 provides support for commands
for updating configuration and firmware files and allows for
remote monitoring of system health and key RF parameters. Supported
MIBs include:
  - MIB II (RFC 1213)
  - Ping and Traceroute MIB (RFC 2925)
  - Symbol MIB (802.11 related)
The WS2000 provides several key RF statistics that help in
real-time monitoring of the network health. These statistics (such
as throughput, percentage of retries, average signal strength and
SNRs on a per MU, Access Port, and Switch basis) are updated
frequently and available via all supported interfaces (CLI, Web,
SNMP). Key system traps are also supported. Traps can be configured
when any of the key system performance parameters falls outside the
user configured bounds. The traps can be forwarded to any enterprise
management system and provide early notification of network problems
related to Access Port adoption, Mobile Unit association and system
resets.