Wireless Security and Monitoring via the Cisco Aironet 3600 Expansion Module
A recent highway project in Orlando had proposed that an off-ramp be built for a future neighborhood and development center. Because the area was planned for future development, this caused some debate within the community. Some argued that that there was no point to spending money on something that might not be possible in the future. Others argued that it was good idea to build the off-ramp and spend the money now so when the neighborhood and development center was ready, a cost savings would occur since building it now would save money in the future. Both sides have good arguments and after some healthy debate, the off-ramp was built for the future neighborhood and development center, which both are now thriving.
Well, what does this have to do with Cisco and wireless technology? This is a good example of how the 3600 Access Point was designed. Even with the pressures of time to market and cost management, the development team took the extra time to add the option for future modular expansion. The same debates in the Orlando community took place here between development engineering and product management. “It will cost too much and delay the release of the product (especially in an industry where time to market is essential)” versus “Let’s have modularity so we can address whatever future technology is available so our customers can take advantage of it without having to rip & replace their APs”. We like to say we’re “future proofing” the AP.
Well, the future proofing argument won, and the 3600 was released last January with an expansion module for additional features and emerging technology. Already in May we announced the 802.11ac Radio Module that will support the emerging standard.
Now, we have another addition to this expansion: the Security and Monitor Module.This module, much like the 802.11ac module, will simply plug into your existing 3600 Access Point. The Security & Monitor Module will provide for the RF excellent features such as CleanAir for interference mitigation. It will also provide customers the ability to monitor the spectrum for security threats such as Denial of Service attacks, rogue APs etc. In summary, the new Security & Monitor Module features:
- A field upgradeable self-contained 2.4 and 5 GHz XOR radio, with integrated antennas
- Always-on, zero configuration required, complete spectrum visibility for security and interference scanning – of all channels in both bands
- Offloads all monitoring and security services from the data serving radios to the security monitor module:
- CleanAir Technology
- Rogue Detection
- Location-Context Aware
- Radio Resource Management
A separate Security Monitor Module provides a new option to deploying a monitoring and security systems. Previous to this, there were two methods to deploying a security system. The first deployment is called Enhanced Local Mode (ELM) where an AP will serve the data clients as well as monitor the network. In this mode, the monitoring capabilities are primarily focused on the active data channels, going off channel to monitor when able and the active data channels are idle. If clients were occupying some channels for data connectivity, these channels were skipped by the security monitor.
The other called Monitor Mode (MM) where a separate set of APs are installed throughout the network and each are used exclusively for wireless spectrum monitoring and security scanning. This is more efficient in terms of being able to monitor more channels, versus ELM. However, it is more costly since these access points are a separate physical overlay to the data serving access points, and require their own Ethernet cabling, upstream Ethernet switch port and potentially separate power source if they are not leveraging Power over Ethernet (PoE). Also this adds to the number of devices monitored and managed, so adding to both the capex and opex costs of the wireless network.
With the Security Monitor Module, the new security model allows for each AP to provide data access, and always–on full-spectrum monitoring and security scanning over a single Ethernet cable and Ethernet switch port —with no compromise in data performance, CleanAir based monitoring or wIPS based security scanning. The Shared Monitor Mode provides:
- Always-on CleanAir based spectrum monitoring
- 24×7 dual band wIPS security scanning
- Does not require a dedicated AP and the cost of the separate Ethernet infrastructure
- Complete scanning on all channels for both 2.4 and 5 GHz bands
If you want to hear more on the Security Monitor Module, we recorded a webinar on August 16th that covers the Security Monitor Module in more detail. To watch the webinar, follow this link: http://www.cisco.com/go/semreg/urls/95949/2/000043840