Spec Sheet

Wired Equivalent Privacy (WEP)
The 802.11 Wired Equivalent Privacy (WEP) standard provides
static-key encryption: a single key is distributed to all
users for encryption and decryption of data. WEP
generates either a 40- or 128-bit key using the widely
used RC4 encryption algorithm. WEP allows full
interoperability with legacy clients and provides basic
over-the-air security in less critical environments, such
as an open public-access application.
WPA—Temporal Key Integrity Protocol (TKIP)
WPA-TKIP addresses well-known vulnerabilities in WEP
encryption. TKIP provides key rotation on a per-packet basis
along with the Michael message integrity check (MIC), which
determines whether data has been tampered with or corrupted while
in transit. This more robust method of encryption provides a higher
level of protection for your data and protects your network
from a variety of attacks.
WPA2 (AES/CCMP)
WPA relies on RC4 and TKIP. In order to completely
eliminate the WEP-related flaws, the IEEE recently ratified a new
security standard, 802.11i (termed WPA2 by the Wi-Fi
Alliance). WPA2 specifies the use of stronger cipher systems,
namely AES (Advanced Encryption Standard) and a security
protocol called CCMP (Counter Mode with CBC-MAC Protocol).
CCMP uses AES for encryption and a well-proven method
called CBC-MAC (Cipher Block Chaining Message
Authentication Code) to compute the message integrity check
(MIC) used for data integrity checks. CCMP is in a sense the
equivalent of the TKIP used in the original WPA, but much stronger.
Configurable filters guard against other types of attacks, including
SYN Flooding, Source Routing, WinNuke, FTP Bounce, Sequence
Number Prediction, IP Unaligned Timestamp, and MIME
Flood attacks. In total, the WS 2000 provides defense against more
than 50 types of attacks.
Between each of the available subnets, the WS 2000 also provides
filtering capabilities based on protocol, port and IP source and
destination addresses.
802.1x/Extensible Authentication Protocol (EAP)
802.1x and the Extensible Authentication Protocol (EAP) work
hand in hand, providing the infrastructure for robust
authentication and for dynamic key rotation and distribution.
EAP provides a means for mutual authentication: authorized
users identify themselves to the wireless network, and the
wireless network identifies itself to the user, ensuring that
unauthorized users cannot access your network and that authorized
users do not inadvertently join a rogue network. A wide variety
of authentication types can be used, from user name and
password to voice signatures, public keys, and biometrics, with
the ability to upgrade to support future authentication types.
Dynamic key rotation and distribution provides a new
encryption key per user per session, greatly increasing the
strength of the chosen encryption algorithm (WEP, AES or
TKIP) used to encode data. The WS 2000 supports a variety of
EAP methods, including TLS, TTLS, PEAP and SIM.
Kerberos
The industry-standard Kerberos protocol meets all of the
requirements for scalable, effective security in a mobile
environment. Kerberos features mutual authentication and
end-to-end encryption. All traffic is encrypted; security
keys are generated on a per-client basis, are never shared
or reused, and are automatically distributed in a secure
manner. The WS 2000 requires an external Key Distribution
Center (KDC), such as a Windows® 2000 server.
Encryption
Encryption ensures that data privacy is maintained while in
transmission. As a common rule, the stronger the encryption,
the more complex and expensive it is to implement and
manage. The WS 2000 supports a range of encryption options
(including AES and 3DES, covering wireless networking,
SNMP access and site-to-site VPN) from basic to strong
encryption techniques, providing the flexibility to select the
right level for your data.
End-to-End Layered Security
There is no element of networking, wired or wireless, more
important than security. The WS 2000 offers an integrated
firewall as well as a complete end-to-end layered security model
that supports all of today's wireless security standards and is
easily upgradeable to support the standards of tomorrow. Users
can configure security policies that specify the correct level of
control for the users, applications, and devices within each group.
Network Access Control
Access Control Lists (ACLs)
Layer 2 Access Control Lists provide filtering for advanced
network traffic control, enabling administrators to forward or
drop packets based on protocol type or MAC addresses.
Stateful Packet Inspection Firewall
Firewalls prevent unauthorized access to and from a private
network by inspecting data packets that leave and enter the
network and blocking those that do not meet certain criteria.
In addition, firewalls prevent various types of Denial-of-Service
attacks initiated both internally and externally.
The integrated firewall in the WS 2000 is always enabled on
the WAN interface by default, providing instant protection
against intruders and a wide variety of attacks. The Stateful
Packet Inspection Firewall offers advanced packet inspection
and filtering, much stronger protection than simple
packet inspection engines. "Stateful inspection" keeps track of
information in the packet header, such as sequence numbers,
source/destination IP addresses and source/destination port numbers,
as well as the state of all TCP sessions passing through the firewall.
The firewall checks for compatibility between the header of the
responding packets (TCP ACKs) and the associated session
information in the inspection table. If the information does not
match, the packet is dropped.
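The following is an added illustration of the inspection-table behaviour described above; it is example code, not WS 2000 firmware. It tracks outbound TCP sessions from a LAN prefix (assumed "10.0.0." here) and forwards inbound packets only when their 4-tuple matches a tracked session and their ACK number is consistent with what the LAN host has actually sent; the packets are constructed header tuples, not parsed frames.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed TCP header fields used by the inspection table (no real parsing)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    seq: int
    ack: int = 0
    payload: int = 0  # payload length in bytes

@dataclass
class Session:
    state: str        # "SYN_SENT" or "ESTABLISHED"
    client_isn: int   # LAN host's initial sequence number
    client_next: int  # next sequence number the LAN host will send
    server_next: int = 0

class StatefulFirewall:
    """Inspection table keyed by (lan_ip, lan_port, wan_ip, wan_port): the LAN
    side may open sessions, the WAN side may only answer ones that exist."""
    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix   # assumed LAN address prefix, e.g. "10.0.0."
        self.table = {}                # (lan_ip, lan_port, wan_ip, wan_port) -> Session

    def inspect(self, p: Packet) -> bool:
        """Return True to forward the packet, False to drop it."""
        if p.src.startswith(self.lan_prefix):               # outbound from the LAN
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                              # new session: record it
                self.table[key] = Session("SYN_SENT", p.seq, p.seq + 1)
                return True
            s = self.table.get(key)
            if s is None:
                return False                                # no tracked session
            if s.state == "SYN_SENT" and "A" in p.flags and p.ack == s.server_next:
                s.state = "ESTABLISHED"                     # handshake completed
            s.client_next = max(s.client_next, p.seq + p.payload)
            return True
        key = (p.dst, p.dport, p.src, p.sport)              # inbound: reverse the tuple
        s = self.table.get(key)
        if s is None:
            return False                                    # unsolicited (e.g. inbound SYN)
        if not (s.client_isn < p.ack <= s.client_next):
            return False                                    # ACK does not fit the session
        if s.state == "SYN_SENT" and p.flags == "SA":
            s.server_next = p.seq + 1
        return True
```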
The default Firewall settings also protect against the following
types of attacks:
IP Spoofing
Ping of Death
Land Attacks
IP Reassembly attacks
As part of the WPA2 implementation, support for PMK
(Pairwise Master Key) Caching, Pre-Authentication, and
"Opportunistic" PMK Caching is available, enabling fast
roaming of mobile clients between Access Ports. These
mechanisms work by forgoing either the 802.1X part of
the authentication or the 4-way handshake associated with CCMP
message exchanges between the client and the Access Port.
KeyGuard—MCM
Similar to WECA's version of TKIP, KeyGuard provides a
different key for every packet of data, but uses a different
version of the message integrity check (MIC) to determine whether
data has been tampered with or corrupted during transmission.
KeyGuard was developed by Symbol prior to WPA. It is
supported on Symbol mobile clients and, due to its small
footprint, has the advantage of being supported even in older
DOS-based devices.
IPSec VPN (Site-to-Site)
Virtual Private Networking (VPN) provides a cost-effective,
secure solution for businesses to take advantage of the public
Internet instead of dedicated leased WAN links to transmit
information between remote branch offices (Intranet) or with
external customers/partners (Extranet).
The WS 2000 supports IPSec (Internet Protocol Security)-based
VPN for securing communication between a WS 2000
in a branch location and another VPN gateway at the main
office. The implementation in the WS 2000 includes a complete
IPSec engine, an IKE engine, DES/3DES/AES encryption and
NAT Traversal support.
Site-to-Site VPN Diagram: an IPSec VPN server at the Corporate Office is linked over the Internet by IPSec VPN tunnels to a WS 2000 with IPSec VPN client (Branch Office VPN Router) at each of Branch Office 1, Branch Office 2, ... Branch Office n.