In Controller Mode(see figure 3)the EAs manages the APs and controls access to the wireless network but is not involved in the transfer of user data. in this mode the wireless network can be separated from the wired network with an additional firewall or fully integrated into the enterprise wired network access and manages Access Points Enterprise Switched or routed Access serve Firewall and/or VPN server Bluetooth 802.11 Access Point Access Point Figure 3: Enterprise Access Server in Controller Mode 5 Madge Wireless Security Model The Madge wireless LAN architecture supports a comprehensive and extensible security model based on industry-standards as shown in figure 4. Each element within the model is configurable allowing twork administrators to balance usability and security appropriate to their needs VPN wireless client connectivity(IPSec) Firewall Packet filtering/port blocking to protect enterprise networks from wireless intruders Mutual authentication between client Authentication devices, users and the network (802.1x EAP-TLS using certificates) Encryption Encrypting data to prevent eavesdropping Dynamic WEP, 802.1x EAP-TLS and 3DES) Device Authorization Authorizing network access to wireless devices(MAC address access control) Figure 4: Wireless security model Device Authorisation: wireless clients can be excluded from the network according to their hardware address(e.g. MAC address). The EAs maintains a database of authorised wireless clients and individual APs either pass or block traffic accordingly Encryption: the Madge WLAN family of products support the WEP, 3DES and TLs standards that use encryption to prevent eavesdropping. WEP keys can be generated on a per-user, per session basis WWP-001 Copyright@ 2002-2003 Madge Limited. All rights reserved Page 3In Controller Mode (see figure 3) the EAS manages the APs and controls access to the wireless network but is not involved in the transfer of user data. In this mode the wireless network can be separated from the wired network with an additional firewall or fully integrated into the enterprise wired network. Wired-side Wireless-side Switched or Routed Network Corporate Intranet Firewall and/or VPN server (optional) Bluetooth Access Point 802.11 Access Point Enterprise Access Server Controls access and manages Access Points Figure 3: Enterprise Access Server in Controller Mode 5 Madge Wireless Security Model The Madge wireless LAN architecture supports a comprehensive and extensible security model based on industry-standards as shown in figure 4. Each element within the model is configurable allowing network administrators to balance usability and security appropriate to their needs. Device Authorization Encryption Authentication Firewall VPN Packet filtering/port blocking to protect enterprise networks from wireless intruders Encrypting data to prevent eavesdropping (Dynamic WEP, 802.1x EAP-TLS and 3DES) Device Authorization Encryption Authentication Firewall VPN Packet filtering/port blocking to protect enterprise networks from wireless intruders Encrypting data to prevent eavesdropping (Dynamic WEP, 802.1x EAP-TLS and 3DES) VPN wireless client connectivity (IPSec) Mutual authentication between client devices, users and the network (802.1x EAP-TLS using certificates) Authorizing network access to wireless devices (MAC address access control) VPN wireless client connectivity (IPSec) Mutual authentication between client devices, users and the network (802.1x EAP-TLS using certificates) Authorizing network access to wireless devices (MAC address access control) Figure 4: Wireless security model Device Authorisation: wireless clients can be excluded from the network according to their hardware address (e.g. MAC address). The EAS maintains a database of authorised wireless clients and individual APs either pass or block traffic accordingly. Encryption: the Madge WLAN family of products support the WEP, 3DES and TLS standards that use encryption to prevent eavesdropping. WEP keys can be generated on a per-user, per session basis. WWP-001 Copyright © 2002-2003 Madge Limited. All rights reserved. Page 3