Second Generation Wireless Networking
The WS 5000 Wireless Switch from Symbol Technologies redefines the standard for enterprise-class wireless networks, delivering extensive functionality, security, scalability and management at a much lower total cost of ownership than first-generation access point-based networks. By centralizing intelligence that was previously distributed throughout a wireless network via access points, this second-generation wireless switch architecture delivers an unparalleled level of wireless LAN control, performance and management simplicity.
Combined with Symbol's Access Ports, the WS 5000 forms the heart of Symbol's Wireless Switch System. The WS 5000 moves beyond access point wireless networking by utilizing an extensible, expandable, media-independent Access Port architecture that supports 802.11a, 802.11b, and 802.11g, as well as legacy access points. Symbol Access Ports represent the evolution of the access point from a network node that is difficult to scale to a simple RF media access device for the wireless switch. True plug-and-play with 'zero configuration', Access Ports are operational right out of the box and can be mounted almost anywhere—even inside ceiling tiles. The power of the WS 5000, combined with the flexibility of Access Ports, results in a wireless LAN—Symbol's Wireless Switch System—with unsurpassed functionality.
End-to-end layered security
Our
comprehensive suite of security mechanisms—including access-control,
authentication, and encryption—can be deployed at various locations in
the enterprise network: the perimeter, the network, the servers, and
client devices. The result is a layered security model that delivers
robust end-to-end security. With support for the wireless security
standards of today, and the ability to easily upgrade to tomorrow's
standards, the WS 5000 is the wireless gatekeeper for your enterprise
network.
Centralized management
The
WS 5000 simplifies day-to-day operations with unified management of
hardware, software configuration, and network policies. Centralized
management also enables the automatic distribution of configurations to
all Access Ports—eliminating the need and the associated costs to
configure and manage each access point.
Scales and grows easily
Adding
capacity and new functionality is easier and less expensive than an
access point-based wireless LAN. The WS 5000 enables your wireless
network to scale easily as your company grows, with a slim 1RU form
factor that fits easily into any standard network equipment rack. Each
WS 5000 supports up to 30 Access Ports and 32 WLANs.
Lower Total Cost of Ownership—Outstanding Investment Protection
The
WS 5000 removes the overhead and complexity of first-generation access
point-based wireless LANs, delivering a wireless network that is less
expensive to implement and manage. The extensive functionality,
expandability, and centralized management eliminate the time and
management costs associated with access point-based solutions,
providing a lower total cost of ownership. And with the flexibility to
support the standards of today and tomorrow, as well as the legacy
wireless networks of yesterday, the WS 5000 provides outstanding
investment protection.
Extensive WLAN Functionality
The comprehensive feature set of the WS 5000 provides full control over wireless LAN traffic to provide peak performance. Extensive wireless LAN functionality enables you to maximize bandwidth and throughput, prioritize critical traffic, conserve power on mobile devices, and provide dependable connection speeds for users in challenging wireless environments.
Scalable Radio Architecture
Each
WS 5000 supports up to 30 single or dual-band Access Port radios,
easily accommodates new coverage, radio types, channels, and
spectrum—offering the broadest radio technology support in the
industry. The WS 5000 provides support across the 900 MHz, 2.4 GHz and
5 GHz frequencies with frequency hopping, direct sequence, and OFDM
encoding techniques, as well as 802.11a/b/g, FH, and DS radio
operations.
Access Ports: Next-Generation Access Points
Access
Ports bring a new level of simplicity to wireless network
implementation and management, as well as an unprecedented upgrade
capability. The innovative design removes duplicate computing
components and management requirements associated with using access
points throughout a wireless LAN. Access Ports are easily upgraded with
new features and functionality via the WS 5000, providing excellent
investment protection. A wide range of 802.11a and 802.11b external
antenna options enables the design of coverage patterns for the most
challenging environments.
Per Device QoS with Bandwidth-Weighted Fair Queuing
The WS 5000 controls Quality of Service (QoS) for each mobile device by
guaranteeing bandwidth for specific traffic classes during periods of
network congestion. With support for layer 2/3/4 classification,
DiffServ, and 802.1p, packets are assigned into a bandwidth-weighted
fair queuing scheduler that allocates a percentage of available
bandwidth to each class queue. In addition, the Power Save Protocol
(PSP) provides per device sleep-stage queues that maintain application
performance for devices in sleep mode.
Power Saving for Client Devices
The
Power Save Protocol (PSP) polling feature provides two modes (doze and
sleep) that enable devices to maximize battery life and maintain
application performance. Doze mode enables devices to conserve power
between wireless transmissions, while sleep mode ensures that packets
are stored and reliably delivered when the device awakens.
Virtual AP Enables True Virtual LANs (VLANs)
Virtual
AP enables the wireless LAN to be segmented into true multiple
broadcast domains—the wireless equivalent of Ethernet VLANs—providing
the ability to map multiple ESSIDs (Extended Service Set Identifiers)
to multiple BSSIDs (Basic Service Set Identifiers). Wireless traffic
engineering capabilities control client-to-client visibility,
broadcast/multicast/unicast packet forwarding behavior, and security
policies.
Virtual AP provides complete control over broadcast traffic, which is associated with a BSSID. Control of broadcast traffic, including network level messages, is extremely important because of its potential negative effect on performance. Intelligent control of broadcast forwarding through proxy ARP and other mechanisms ensures that broadcast traffic is received only by the intended recipients. The resulting reduction in traffic maximizes bandwidth and network throughput; device battery life and overall performance are improved with the elimination of the processing of messages intended for other recipients; and the possible compromise in confidentiality and security of messages is eliminated since broadcast messages can no longer reach the wrong recipients.
Load Balancing and Pre-emptive Roaming
Normal
roaming does not occur until the device connection has reached a
minimum connection speed of 1 Mbps—normally well beyond the boundaries
of a cell and approximately halfway through an adjacent cell. Two
features, client load balancing and pre-emptive roaming, work
hand-in-hand to ensure that devices roam before the connection quality
erodes, providing users with more consistent connection speeds for
smooth application performance.
Automatic Channel Selection
The
degradation of RF performance due to environmental factors is
eliminated with Automatic Channel Select (ACS). ACS optimizes radio
channel planning and installation, scanning and selecting the best
channel for each Access Port based on noise and signal properties. A
complete set of configuration controls provides time, mode of operation
and Access Port exclusion lists.
Transmit Power Control
Transmit
Power Control minimizes radio interference for sites that require a
very dense population of radios (Access Ports) to support bandwidth
requirements. Configured from within the WS 5000, this can also be part
of a group policy.
End-to-End Layered Security
There is no element of networking—wired or wireless—more important than security. As a pioneer and leader in wireless LANs, Symbol has implemented a complete end-to-end layered security model that includes support for all of today's wireless security standards, and is easily upgradeable to support the standards of tomorrow. Policy-based classes enable the organization of security requirements in groups—public, low, medium, and high. Policies are then configured to specify the correct level of control for users, applications, and devices within those groups.
Network Access Control
Access Control Lists (ACLs)
Layer 2/3/4 Access Control Lists provide filtering for advanced network traffic control, enabling administrators to forward, drop or redirect packets based on application type, protocol, IP Address, MAC Address and more.
Authentication
Authentication
ensures that only authorized users and devices can access your network.
The WS 5000 provides a comprehensive set of authentication mechanisms
to support a variety of security requirements:
Pre-shared keys
Simple shared authentication through non-wireless distribution of authentication keys ensures secure key management.
802.1x/Extensible Authentication Protocol (EAP)
802.1X
and Extensible Authentication Protocol (EAP) work hand-in-hand,
providing the infrastructure for robust authentication and dynamic key
rotation and distribution. EAP provides a means for mutual
authentication. Authorized users identify themselves to the wireless
network, and the wireless network identifies itself to the
user—ensuring that unauthorized users cannot access your network, and
authorized users do not inadvertently join a rogue network. A wide
variety of authentication types can be used—from user name and password
to voice signatures, public keys, biometrics, with the ability to
upgrade to support future authentication types. And dynamic key
rotation and distribution provides a new encryption key per user per
session, greatly increasing the strength of the chosen encryption
algorithm (WEP or TKIP) used to encode data. The WS 5000 supports a
variety of EAP methods, including Microsoft®—TLS, Funk Software®—TTLS, and WPA—PEAP.
Kerberos
The
industry-standard Kerberos v5 protocol meets all of the requirements
for scalable, effective security in a mobile environment. Kerberos
features mutual authentication and end-to-end encryption. All traffic
is encrypted and security keys are generated on a per-client basis,
keys are never shared or reused, and are automatically distributed in a
secure manner. The Kerberos ticket-based security mechanism enables
fast roaming, even with the highest levels of security.
Certificate Based Public Key Infrastructure (PKI)
PKI,
used in conjunction with the AES-based VPN transport, uses secure
digital certificates to provide robust authentication capabilities
including verification of identity as well as integrity of data
(ensuring that tampering or corruption has not occurred), and
authorization for network access.
Layered Security Architecture
Encryption
Encryption
ensures that data privacy is maintained while in transmission. As a
rule of thumb, the stronger the encryption, the more complex and
expensive it is to implement and manage. The WS 5000 supports a range of
encryption options that provide basic to strong encryption techniques,
providing the flexibility to select the right level for your data.
Wired Equivalent Privacy (WEP)
The
802.11 Wired Equivalent Privacy (WEP) provides static key encryption—a
single key is distributed to all users for encryption and decryption of
data. WEP generates either a 40- or 128-bit key using the widely used
RC4 encryption algorithm. WEP allows full interoperability with legacy
clients and provides basic over-the-air security in less-critical
environments, such as an open public-access application.
WPA—Temporal Key Integrity Protocol (TKIP)
WPA-TKIP
addresses well-known vulnerabilities in WEP encryption. TKIP provides
key rotation on a per-packet basis along with Michael message integrity
check (MIC), which determines if data has been tampered with or corrupted
while in transit. This robust method of encryption provides a higher
level of protection for your data and protects your network from a
variety of types of attacks. Released by the WECA industry consortium,
WPA-TKIP is an early version of the forthcoming IEEE 802.11i security
standards.
KeyGuard™—MCM
This
implementation of TKIP is based on the IEEE 802.11i draft security
standards. Like WECA's version of TKIP, KeyGuard provides a different
key for every packet of data, but uses a different version of message
integrity check (MIC) to determine if data has been tampered with or
corrupted during transmission.
WTLS Advanced Encryption Standard (AES) Virtual Private Networking (VPN)
Symbol's AirBEAM®
Safe VPN server provides a complete end-to-end VPN, ensuring the
privacy, integrity and authentication of your wireless communications.
The AES encryption algorithm (the standard encryption used by the U.S.
government) provides a very high level of security between clients and
the VPN server. Support for session persistence and resume ensures
continuous communications, protecting against interrupted transactions
and preventing the need for repeated logins. Extensive client support
for DOS, WIN CE, Pocket PC/Windows Mobile 2003 and Windows PC platforms
provides integration and security for all of your mobile devices.
Security Elements | Security Mechanism
Management is intuitive and secure, and can be accessed via our command line interfaces (telnet, serial), embedded web-based Java applet, and standard Simple Network Management Protocol (SNMP).
Policy-Based Management
Policy-based
management enables the creation of user, application, and device groups
with specific resource and network access configurations, including
physical layer attributes, WLAN topologies, forwarding rules, and
security components. A wide variety of parameters can be configured for
each group for up to 32 WLANs, either manually or via easy-to-use
wizards, such as radio settings, service definitions, Quality of
Service (QoS), virtual LANs, ESS/BSSID domains, Layer 2/3 filtering,
DHCP, NAT, and more.
Management Interfaces
Four interfaces provide flexibility for managing the WS 5000:
Automatic Access Port Management
The
WS 5000 automatically provides the latest firmware to Access Ports upon
installation, ensuring all components in the wireless LAN are always
up-to-date. Management is simplified because there is no longer a need
to configure and load firmware on each access point.