Enterprise WLAN Test Plan
Enterprise Wireless LAN Evaluation Test Plan
1.0 INTRODUCTION
2.0 ADMINISTRATION AND MANAGEMENT
  2.1 Controller and Access Point Installation
  2.2 Managing Multiple Controller and Access Points
  2.3 RF Planning and Location Tracking Services
  2.4 Controller Redundancy Configuration
  2.5 Troubleshooting and Debugging Functions
3.0 RF MANAGEMENT AND QUALITY OF SERVICE
  3.1 Radio Management
  3.2 Adaptive RF Scanning and Dynamic RF
  3.3 Co-channel Interference Mitigation
  3.4 Channel Re-Use Management
  3.5 Mixed Mode Client Support
  3.6 Spectrum Load Balancing
  3.7 VoWLAN Scalability
  3.8 Voice Aware 802.1x and Inter Controller Mobility
  3.9 VoWLAN End-to-End QoS
  3.10 Multicast Video Distribution over WLAN
  3.11 Enterprise 802.11n Mesh
4.0 NETWORK AND WIRELESS SECURITY
  4.1 Security Architecture
  4.2 Access Rule and Policy Definitions
  4.3 User Authentication
  4.4 Guest User Access
  4.5 Wireless Intrusion Detection Services (WIDS)
  4.6 Blacklisting
5.0 L2 L3 FUNCTIONS AND REMOTE OFFICE SOLUTIONS
  5.1 L2 L3 Functions
  5.2 Remote Office Solutions
1.0 Introduction
This document outlines the test plan to evaluate an enterprise WLAN solution. It is prepared to cover the different sets of network infrastructure deployment, management, RF performance, quality of service and security requirements. The results of the tests conducted as part of the evaluation provide the evaluator with the data required to compare different WLAN solutions and make an educated choice of the right solution. The different parameters that should be considered by an evaluator before choosing the solution are:

Section   Test
2.0       ADMINISTRATION and MANAGEMENT
3.0       RF MANAGEMENT and QUALITY OF SERVICE
4.0       NETWORK and WIRELESS SECURITY
5.0       L2-L3 FUNCTIONS and REMOTE OFFICE SOLUTIONS
This test plan has been divided into different sections for the different areas that need to be tested and compared when evaluating a wireless LAN solution. While some of the test cases are designed to see if the WLAN solution under test can support a particular feature, some are explained in detail and require deployment of a WLAN testbed and (possibly repeated) execution of the test item.

The WLAN solution under test should interoperate with wireless clients from different vendors at the same level without causing performance degradation. It is advised that performance and mobility tests are executed against different types of clients to get the best performance metrics from different WLAN equipment vendor solutions.

Each section has a set of test cases. Each of the test cases has been presented in the following format:
  Test case
  Description for different items to test
  Results
2.0 Administration and Management
This section includes the test cases that validate support for the required set of administrative and management functions for an enterprise WLAN solution.
2.1 Controller and Access Point Installation
Test Case
Verify that the WLAN solution offers an easy way to install WLAN controllers and access points within the WLAN infrastructure.
Test Items
1. Verify that the WLAN controller can easily be configured with multiple IP interfaces and that the management IP address can be any of the ones configured. Verify that specific access rules (e.g. source subnet) can be assigned for management access to the WLAN controller.
2. Verify that the WLAN controller can be set up through the web user interface during initial installation or through the setup dialog using the serial console.
3. Verify that AP installation, SSID configuration, AAA configuration and access rule definitions can be configured through the use of setup wizards – instead of requiring navigation through different sets of configuration windows.
4. Verify that both external antenna and integrated antenna versions of 802.11n access points can be fully functional with 802.3af PoE – external power injectors or high power switches should not be required.
5. Verify that the communication path to the authentication server (e.g. RADIUS) can be tested successfully from within the controller, without requiring an external wireless client.
6. Verify that the WLAN controller offers copper Gigabit Ethernet, SFP Fiber Gigabit Ethernet, 10Gbps Ethernet and Ethernet Port Channel connectivity options to the existing wired network infrastructure in order to enable ease of deployment.
7. Verify that the WLAN controller can be installed in a “bump in the wire” configuration with one or more of the Ethernet ports ‘serving’ access points and other Ethernet ports ‘serving’ the applications and networked users.
8. Verify that the WLAN controller comes with a defined set of network access rules (e.g. guest, voice, etc.) and network services definitions (e.g. HTTP, FTP) in order to reduce the setup time for user policy management.
Results
1– 2– 3– 4– 5– 6– 7– 8–
2.2 Managing Multiple Controller and Access Points
Test Case
Verify that the WLAN solution offers a reliable and efficient way to manage a multi-controller, multiple-AP network. Note down the extra operational requirements if the WLAN solution requires the use of a Network Management System (NMS) to execute the related set of functions.
Test Items
1. Verify the support for fast and reliable upgrade for controllers and APs – record the expected time of upgrade for a controller supporting 200 APs.
2. Verify the support for “no-touch” pre-configuration (access points not active and connected to the controllers) of AP SSID, radio configuration, enc-type, rate, mode of operation, VLAN, rf-mgmt, etc. properties.
3. Verify the support for online or offline provisioning of “groups” of APs from within the WLAN controller.
4. Verify the support for central management (configuration, monitoring, updates, etc.) of AAA Services, Wireless Intrusion Detection Services (WIDS), access control, mobility, RF management services within the multi-controller network – configuration on one of the controllers should be automatically synchronized to the other controller within the WLAN.
Results
1– 2– 3– 4–
2.3 RF Planning and Location Tracking Services
Test Case
Verify that the WLAN solution offers built-in RF planning and location tracking services for multiple client devices. Note down the extra operational requirements if the WLAN solution requires the use of an NMS solution to execute the related set of functions. Note if the solution requires ‘RF fingerprinting’ (manual measurement of signal strength) in order to enable accurate location tracking information.
Test Items
1. Verify the support for a central RF planning management within a multiple controller WLAN with multiple “building”, “floor” definitions.
2. Verify the support for “sensor” planning, as well as the AP planning, as part of the capacity and coverage planning.
3. Verify the support for live RF heatmap visualization based on SNR, RSSI, coverage rate, etc. after the access points are deployed.
4. Verify the support for real-time location tracking of multiple client devices, interfering APs, etc. Note down the number of appliances (WLAN controller, NMS, location tracking appliance, etc.) to enable accurate tracking of clients.
5. Verify the support for re-optimization of RF plan data after manual changes to the coverage / capacity / AP placement information. After access point placement is changed, location tracking information should be updated by the infrastructure automatically (another round of RF fingerprinting data should not be required).
Results
1– 2– 3– 4– 5–
2.4 Controller Redundancy Configuration
Test Case
Verify that the WLAN solution offers an easy-to-manage redundancy architecture and fast recovery for critical pieces of the WLAN solution.
Test Items
1. Verify that the APs and Sensors can be deployed to support active-active and active-standby N to 1 redundancy scenarios. Test and note down the recovery time for the real client data traffic.
2. Verify that the WLAN solution offers offline design and deployment of the redundancy architecture without requiring the APs to be online and without storing the active / standby controller information on the access points, in order to ease network deployment during moves, adds and changes.
3. Verify that the WLAN solution offers controller redundancy for “centralized” mobility, AAA, RF management, WIPS Services as part of a WLAN.
Results
1– 2– 3–
2.5 Troubleshooting and Debugging Functions
Test Case
Verify that the WLAN solution offers several ways to debug and troubleshoot client, AP, controller, mobility, authentication related problems.
Test Items
1. Verify that the WLAN solution offers “real-time” (without disrupting active clients on the radios) packet capture on the APs.
2. Verify that the WLAN solution provides support for Ethereal / Wireshark, Omnipeek or any other enterprise analyzer tools for real-time packet capture.
3. Verify that the real-time packet capture can be configured with filters based on src/dst 802.11 MAC, packet type, etc.
4. Verify that the WLAN controller supports port mirroring on the Ethernet ports present on the controller.
5. Verify that the WLAN controller supports packet capture on the control path, in order to quickly resolve any authentication or encryption related issues.
6. Verify that the individual L3-L7 “sessions” for a client device can be monitored for debugging, authentication and health monitoring.
7. Verify the ability to perform controller log search, define logging levels, and generate / view / download tech-support logs directly from the WLAN controller webUI and/or network management system.
8. Verify the ability to monitor the internal voltage readings, temperature state, fan status, and similar hardware readings on the WLAN controllers.
Results
1– 2– 3– 4– 5– 6– 7– 8–
3.0 RF Management and Quality of Service
This section includes the test cases that aim to validate the enterprise grade voice over Wi-Fi service support for the WLAN solution.
3.1 Radio Management
Test Case
Verify that the WLAN solution can offer high performance RF connectivity to 802.11abgn wireless clients and provides RF and traffic management capabilities that offer reliable throughput for end user applications.
Test Items
1. Intel 4965agn, Intel 5300agn, Broadcom 4321agn and Atheros agn, 11n capable, internal WLAN NICs should be made part of the test plan and the client mix – as they are the most widely available client types in the market today.
2. Ensure that the system under test can perform RF scanning (a) for wireless security purposes (b) to monitor the availability (error rates, retry rates, noise floor, etc.) of other 802.11 channels.
3. As the RF scanning continues, ensure that the system under test is able to select the best channel of operation and power level automatically for each of the APs deployed – without requiring manual intervention. This is required in order to move away from neighbor interference and noise, act as a good neighbor, and maximize per AP and overall network performance.
4. Channel and power changes on the AP should not cause AP reboots and extended periods of service outages.
5. Verify that all APs within a WLAN discover their neighbors and that channel selection decisions are performed as a system, instead of on a per AP basis.
6. With multiple APs, ensure that the system under test is able to automatically create channel blankets by assigning different channels to different APs dynamically without requiring network admin involvement for static channel assignments per AP – hence improving the total available network capacity at any given location within the WLAN.
Results
1– 2– 3– 4– 5– 6–
3.2 Adaptive RF Scanning and Dynamic RF
Test Case
As the RF scanning is performed within the WLAN, system under test should make sure that high load of client traffic and delay sensitive applications are not adversely affected. Verify that the WLAN solution can offer mechanisms to adapt to presence of different applications and high load on the radio as it decides to perform RF scanning and channel/power change functions.
Test Items
1. During a voice call test, the system under test should be capable of understanding whether the call is in place or not, and delaying RF scanning activities accordingly. Turning off RF scanning completely should not be an acceptable solution. Delaying RF scanning due to presence of traffic on the voice queue should not be accepted either, since this approach is prone to errors.
2. During high load 11n performance tests, the system under test should be capable of delaying RF scanning activities in order to prevent high data loss. The threshold at which this protection takes place should be configurable by the network administrator.
3. The system under test should also support a mechanism to define different sets of delay sensitive applications where RF scanning delay would be required – hence should be scalable for future applications.
Results
1– 2– 3–
3.3 Co-channel Interference Mitigation
Test Case
As the WLANs are pervasively deployed with multiple APs in a single floor, co-channel interference (where multiple APs operate in the same channel) management becomes important. This is especially true in 2.4GHz (where there are only 3x 20MHz channels for client devices to work with), multi-story buildings (as inter-floor co-channel interference increases) and voice deployments (as most voice clients require 2.4GHz operation).
Test Items
1. With multiple APs operating in close proximity and on the same 2.4GHz channel, associate multiple 11n 20MHz clients (at least one per AP), and run data throughput test across all clients. Make sure that the total throughput of the channel is around the same as one would get with a single AP and single client. This is to ensure that the performance of the system under test does not degrade as more APs and clients are made part of the same channel.
2. Repeat the test with 11bg 20MHz clients.
3. Repeat the test in 5GHz band with 11n 40MHz clients.
4. Repeat the test in 5GHz band with 11a 20MHz clients.
Results
1– 2– 3– 4–
3.4 Channel Re-Use Management
Test Case
As multiple APs are deployed as part of a WLAN, the 802.11 channels available for use by the access point radios (3x 20MHz channels in 2.4GHz, and 8x (22x if DFS capable) 20MHz 5GHz channels) are limited in number. Hence the “reuse” of these channels at as short a distance as possible is desirable for increased performance of the WLAN.
Test Items
1. With two APs operating at 100ft away from each other on the same 2.4GHz channel (say channel 6), associate 11n 20MHz clients (at least one per AP) nearby to the APs, and run data throughput test across all clients. Make sure that the total throughput of the channel is higher than the total of the channel capacity measured – the increase is due to the re-use of the channel by the APs under test.
2. Repeat the test in 40MHz 5GHz band in channel 36+.
Results
1– 2–
3.5 Mixed Mode Client Support
Test Case
Different types and speeds of client devices should be supported within a WLAN infrastructure. The system under test should provide methods that offer preferred access to faster clients over slow clients – in order to prevent old legacy clients from adversely affecting overall network performance. This method of preferred access should be adaptive to the number of clients in each category and should not require any static bandwidth contracts assigned to different client types.
Test Items
1. Associate an 802.11b and an 802.11g client to a 2.4GHz radio. Run simultaneous throughput tests against each client, and make sure that the 802.11g client gets its fair share of the channel and achieves higher throughput compared to the 802.11b client.
2. Repeat the same test with 802.11b, 802.11g and 802.11n clients.
3. Repeat the same test with 802.11a and 802.11n clients.
4. Repeat the same test with two 802.11g clients – one of them near the AP and the other one 20-30m away from the AP.
5. Repeat the same test with two 5GHz 40MHz 802.11n clients – one of them near the AP and the other one 20-30m away from the AP.
Results
1– 2– 3– 4– 5–
3.6 Spectrum Load Balancing
Test Case
Verify that the WLAN solution offers a method to load balance different types of wireless clients across different radios with different channels. One of the key features required in an enterprise WLAN is the capability to load balance wireless clients across different APs and radios in order to maximize the available bandwidth for each client, and increase the overall network performance. Since the bottleneck in terms of WLAN performance is measured by 802.11 channels available, system under test should offer a method to load balance clients across different 802.11 channels – considering noise, interference, traffic load, client load as the criteria during load balancing of wireless clients.
Test Items
1. Enable multiple data clients (preferably more than 10) across three different APs operating in 5GHz band. Make sure that different channels of operation are assigned to the different APs, and all clients are load-balanced properly across these three different channels based on the criteria mentioned above.
2. Repeat the same test with all the APs configured with 2.4GHz band only.
Results
1– 2–
3.7 VoWLAN Scalability
Test Case
Verify that the WLAN solution offers several methods and features to implement a scalable and secure VoWLAN infrastructure
Test Items
1. Verify the support for data and voice services on a single SSID & VLAN, while providing separate access rules & access policies for different types of users for security & end-to-end QoS purposes. It is critical to support “converged” devices & platforms for scalable VoWLAN implementations.
2. Verify that the WLAN infrastructure can automatically classify a VoWLAN session even if the QoS settings are not programmed. This should apply to widely used protocols such as SIP.
3. Verify the support for client-agnostic battery life enhancements such as broadcast / multicast traffic to unicast conversion, large DTIM-value configuration for power-save clients, proxy ARP, VRRP / HSRP traffic filtering.
4. Verify that the APs support active load balancing (call-admission-control (CAC)) functions for voice in order to prevent “starvation” for the data clients on the access points in the presence of high load of voice traffic.
5. Verify that the CAC functions can preemptively move inactive clients between APs to accommodate better “multi-tier” load balancing.
6. Verify that the CAC functions can be configured separately for different sets of VoWLAN protocols (SIP, SVP, etc.).
7. Verify the support for “Push-to-Talk” function as part of the VoWLAN solution.
Results
1– 2– 3– 4– 5– 6– 7–
3.8 Voice Aware 802.1x and Inter Controller Mobility
Test Case
Verify that the WLAN solution offers methods to protect QoS assignments to different traffic flows as clients are enabled with 802.1x and as they roam across WLAN controllers
Test Items
1. Verify the support for end-to-end QoS after clients roam from one WLAN controller to the other; confirm that the mobility tunnel between foreign and home agent controllers carries the appropriate DSCP/802.1p tags across for end-to-end QoS.
2. Verify the availability of an option to dynamically change the home agent of a voice client after it has roamed to a new controller and after the voice call has ended, in an effort to reduce the infrastructure delays within mobility tunnels across different controllers.
3. Verify that 802.1x unicast and multicast re-keying does not take place in the middle of a voice call and the WLAN controller has the intelligence to delay the re-keying until the end of a voice call.
Results
1– 2– 3–
3.9 VoWLAN End-to-End QoS
Test Case
Verify that the WLAN solution offers the required set of features to provide end-to-end QoS for voice deployments
Test Items
1. Verify that the system under test can mark particular “sessions” of VoWLAN traffic with desired DSCP & CoS values, in case they are not marked outside of the system under test. Verify that such DSCP mappings can be customized to be mapped against AP radio WMM (802.11e) queues for ease of deployment.
2. Verify that the stateful VoWLAN protocols (e.g. SIP) are provided the same level of QoS service when they are using dynamic ports.
3. Verify that the QoS configuration changes do not require the WLAN SSIDs to be put out of service.
4. Verify that the infrastructure provides real time stats and call status monitoring for the voice handsets within the WLAN.
Results
1– 2– 3– 4–
3.10 Multicast Video Distribution over WLAN
Test Case
Verify that the WLAN solution will provide an efficient method to transfer multicast video from wired servers to wireless clients, without overloading the wireless network and without adversely affecting the quality of the video services.
Test Items
1. The system under test should perform intelligent forwarding of multicast on the wire by utilizing IGMP proxy within the WLAN controller, which would eliminate the need to deploy a multicast router.
2. IGMP proxy will also control which APs would receive the multicast data; the ones that do not have any clients subscribed to multicast data should not receive traffic, saving wired bandwidth.
3. The system under test should perform intelligent forwarding of multicast on wireless by making sure that multicast traffic is transmitted from the APs towards the clients with a unicast 802.11 header. This would allow higher bandwidth within the WLAN for data (since it will allow unicast 802.11 rates to be utilized), provide quality of service over data traffic and improve video quality by enabling 802.11 acknowledgements between the AP and the wireless client.
4. Dynamic RF scanning and automatic channel assignment functions should adapt to the presence of video traffic on the air – the WLAN controller should provide the option for APs not to perform RF scanning and change channels in order to prevent disruptions in video quality.
Results
1– 2– 3–
3.11 Enterprise 802.11n Mesh
Test Case
Verify that the 802.11n access points within the WLAN solution provide enterprise mesh functionality for high performance wireless backhaul – in order to enable RF coverage for locations that are hard to reach with Ethernet cabling.
Test Items
1. Verify that access points can be configured as mesh portals and mesh points without any additional license required on the APs or the WLAN controller.
2. Verify that mesh functionality can be enabled on any 802.11n access point radio without disrupting client access – mesh backhaul and WLAN access can be enabled simultaneously on the same radio.
3. Verify that wireless mesh across multiple access points offers self healing and auto recovery of the mesh tree in case of failures within the mesh links.
4. Verify that wired Ethernet (e.g. secure video cameras) traffic backhaul can be enabled across the mesh links. Also verify that user traffic can be locally bridged on the mesh access point without traveling to the WLAN controller.
Results
1– 2– 3– 4–
4.0 Network and Wireless Security
This section includes the test cases that aim to validate the enterprise grade security services support for the WLAN solution.
4.1 Security Architecture
Test Case
Verify that the WLAN solution offers an enhanced architecture in order to meet the scalability and performance requirements of a secure WLAN solution
Test Items
1. Verify the support for session and application aware security through the use of a built-in stateful firewall that is capable of detecting and preventing L3 and higher level attacks. Note down whether it is ICSA Labs Corporate Firewall certified or not.
2. Verify that the WLAN controllers contain a dedicated “crypto” processor for centralized encryption and decryption besides the network processor. Note down the performance in Gbps of this processor. Verify that all encryption and decryption processes take place on the WLAN controller.
3. Verify that the WLAN gear under test is FIPS certified for user data encryption and decryption functions, and ICSA Labs WLAN Security and Common Criteria certified for wireless IDS functions.
4. Verify that the WLAN controller detects and prevents ping, session, TCP SYN, TCP RST attacks from the internal users accessing the network.
5. Verify that the WLAN solution offers a syslog parser and XML API for 3rd party wired IDS integration (e.g. Fortinet), content filtering services (e.g. Snort, FireEye) to provide blacklisting or quarantine of wireless users in order to protect the network against internal threats.
Results
1– 2– 3– 4– 5–
4.2 Access Rule and Policy Definitions
Test Case
Verify that the WLAN solution offers a wide variety of options to configure access rules and easy administration of security policies for different groups of users.
Test Items
1. Verify the support for src / dst IP, src / dst port (TCP and UDP), src / dst net configuration options within access rule definitions.
2. Verify the support for “logging”, “reject” options for the access rules that will provide easy client activity monitoring and troubleshooting (Note: “reject” should provide ICMP unreachable message back to sender).
3. Verify the support for “ToS / CoS” assignments within the access rule definition that will help to provide end-to-end QoS for high-quality applications.
4. Verify the support for “time-of-day” option within the definitions of the access rules that will provide restricted access management capabilities.
5. Verify the support for “blacklist” option for the access rules that will provide deep-level of security against internal threats (e.g. Voice SSID being used to access other network resources in a WLAN).
6. Verify the support for “destination NAT and source NAT” options for the access rules and/or access policies that can drastically simplify WLAN implementation details and reduce deployment time.
Results
1– 2– 3– 4– 5– 6–
4.3 User Authentication
Test Case
Verify that the WLAN solution offers various ways to enhance the security architecture and performance of the WLAN network by providing enhanced authentication functions
Test Items
1. Verify that the access rules and access policies can be driven based on several administrator defined criteria, such as client SSID, BSSID, encryption type, location, authentication method used (user and server derivation rules).
2. Verify that the WLAN solution is able to apply different sets of access policies to different sets of users within the same VLAN and SSID, providing better scalability and security for the WLAN.
3. Verify the support for “wired” authentication for client devices that will enable the same set of security and AAA rules / policies for the client devices whether they are using the wireless network or the wired network. This is crucial in supporting “wired” and “wireless” integration by providing a single authentication and authorization medium for the same client within the enterprise.
4. Verify the support for “two-tier” authentication for increased security – e.g. 802.1x with Captive Portal, MAC-auth with VPN etc.
Results
1– 2– 3– 4–
4.4 Guest User Access
Test Case
Verify that the WLAN solution offers an extensive set of capabilities in terms of guest user account management and guest WLAN security.
Test Items
1. Verify that WLAN controllers under test support multiple captive portal instances, each assigned to a different type or location of guest users.
2. Verify that guest users can be limited to a certain amount of ‘air time’ on 802.11 Wi-Fi in order not to waste available ‘air time’ and prevent access to resources by the employee / staff.
3. Verify that guest users can be limited to a certain upstream and downstream packet per second data rate on the wire in order not to waste available LAN and WAN resources.
4. Verify that guest user accounts can be created through a customizable user interface on the controller where company information, visitor's name, email address and other personal information can be entered.
5. Verify that the WLAN controller implements an integrated SMTP client so that guest user information can be emailed to the guest – in order to prevent requiring interaction with a receptionist and to verify the validity of the email address provided during the account creation.
6. Verify that within the same SSID, different types of guests can be serviced with different network access rules, bandwidth definitions, etc.
7. Verify that the guest network SSID can be disabled during certain times of day – for instance after 5pm through 8am next day.
Results
1– 2– 3– 4– 5– 6– 7–
4.5 Wireless Intrusion Detection Services (WIDS)
Test Case
Verify that the WLAN solution offers extensive WIDS support for increased enterprise-level WiFi security.
Test Items
1. Verify the support for “rogue AP aware” dynamic RF management, where the APs change channel to attack an unsecure rogue AP
2. Verify the support for “auto-classification” of unsecure and interfering rogue APs and clients
3. Verify the support for “auto-containment” of unsecure rogue APs and clients (wired ARP poisoning, wired switch shutdown and/or wireless deauth)
4. Verify the support for “auto-containment” of ad hoc networks, honeypot APs, and misconfigured APs (based on SSID, enc-type, channel, AP MAC OUIs, etc.)
5. Verify the support for Auth, Assoc, Probe, Disassoc, Deauth frame rate analysis per channel and / or per device MAC with threshold configuration
6. Verify the built-in support to detect well-known WiFi attack signatures. Verify the ability to add new signatures based on BSSID, src-dst MAC, frameType, payload, seq numbers, etc.
7. Verify the support to auto-detect spoofed disassociation, deauthentication, broadcast deauth, fakeAP based on SSID/BSSID, the use of weak IVs for WEP encryption, sequence number anomalies and EAP handshake anomalies
8. Verify the support to prevent “valid enterprise clients” from roaming to interfering neighbor access points
9. Verify the support for preventing Man-in-the-Middle (MITM) attacks by disabling disassoc / deauth processing on the access points
Results
1– 2– 3– 4– 5– 6– 7– 8– 9–
4.6 Blacklisting
Test Case
Verify that the WLAN solution offers several ways to prevent external and internal threats to the WLAN network clients, infrastructure and data.
Test Items
1. Verify the support to “blacklist” a client after crossing a configurable threshold of authentication failures. Note down if the functionality is supported for all authentication methods: 802.1x, Captive Portal, VPN, MAC, MachineAuth
2. Verify that a client that is under attack by an impersonation AP (another form of MITM attack) can be blacklisted for a pre-defined period of time
3. Verify that, as a result of frame rate analysis, clients that cross the pre-defined thresholds can be blacklisted
4. Verify that clients can be blacklisted on demand
5. Verify that clients can be blacklisted for a pre-defined configurable period of time or indefinitely
6. Verify that access rule and access policy definitions can blacklist a client as a result of an attempt to access other data resources within the network (e.g. client device trying to access data resources while within voice access policy)
Results
1– 2– 3– 4– 5– 6–
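A reference model for the frame rate analysis in item 5 of section 4.5 and the threshold-driven, timed or indefinite blacklisting in items 3 and 5 of section 4.6, useful for predicting what the controller under test should report. It is an added example, not any vendor's implementation; the window, thresholds, subtype names and MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000                                      # assumed sliding window
THRESHOLDS = {"deauth": 5, "auth": 10, "probe": 30}   # assumed max frames per window per MAC

class Blacklist:
    """Maps MAC -> expiry time in ms; None means blacklisted indefinitely."""
    def __init__(self):
        self.entries = {}

    def add(self, mac, now_ms, duration_ms=None):
        self.entries[mac] = None if duration_ms is None else now_ms + duration_ms

    def is_blocked(self, mac, now_ms):
        if mac not in self.entries:
            return False
        expiry = self.entries[mac]
        if expiry is None or now_ms < expiry:
            return True
        del self.entries[mac]                         # timed entry has expired
        return False

def analyse(frames, blacklist, duration_ms):
    """frames: (time_ms, channel, source MAC, subtype). Returns the alerts raised."""
    recent = defaultdict(deque)                       # (mac, subtype) -> times inside window
    alerts = []
    for ts, channel, mac, subtype in sorted(frames):
        limit = THRESHOLDS.get(subtype)
        if limit is None or blacklist.is_blocked(mac, ts):
            continue                                  # unmonitored subtype or already dropped
        times = recent[(mac, subtype)]
        times.append(ts)
        while ts - times[0] >= WINDOW_MS:             # forget frames outside the window
            times.popleft()
        if len(times) > limit:
            alerts.append((ts, channel, mac, subtype, len(times)))
            blacklist.add(mac, ts, duration_ms)
            times.clear()
    return alerts

def demo():
    flooder, client = "02:00:00:00:00:aa", "02:00:00:00:00:bb"   # constructed MACs
    frames = [(10000 + 100 * i, 6, flooder, "deauth") for i in range(8)]
    frames += [(10000 + 400 * i, 6, client, "auth") for i in range(3)]
    frames.append((80000, 6, flooder, "deauth"))      # sent after the blacklist timer ran out
    blacklist = Blacklist()
    return analyse(frames, blacklist, duration_ms=60000), blacklist

if __name__ == "__main__":
    for alert in demo()[0]:
        print(alert)
```

The model keys on the source MAC as seen on the air, so a spoofed flood would blacklist the impersonated address; that is the case item 7 of section 4.5 asks the WIDS to detect separately.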
5.0 L2 L3 Functions and Remote Office Solutions
This section includes the test cases that aim to verify the WLAN solution's support for L2-L3 switching / routing features that significantly reduce the complexity and duration of a WLAN deployment, while enabling an additional set of services / solutions as part of the WLAN infrastructure.
5.1 L2 L3 Functions
Test Case
Verify that the WLAN solution offers an enhanced set of switching and routing functionalities to provide ease of integration to today’s wired networks as an “overlay”.
Test Items
1. Verify that the WLAN controller supports 802.1q tagging, STP protocol, policy enforcement and L2 Ethernet bridging on its interfaces
2. Verify that the WLAN controller supports static IP routing and OSPF routing in order to ease controller deployment
3. Verify that the WLAN controllers also support L2 and L3 GRE tunnel configuration (interoperable with 3rd party routers and switches) to enable improved security and increased flexibility during deployment
4. Verify that the WLAN controllers can support bandwidth contracts on a per VLAN basis
Results
1– 2– 3– 4–
5.2 Remote Office Solutions
Test Case
Verify that the WLAN solution offers an enhanced set of features to enable the same level of mobility, AAA and security functions at SOHO deployments, branch offices and regional offices
Test Items
1. Verify that WLAN controllers support site-to-site VPN functionality in order to easily “extend” the reach of a WLAN across different sites without requiring external VPN firewall appliance installations
2. Verify the support for an IPSec and NAT traversal enabled remote AP that will act as an enterprise AP in a remote location but be managed centrally
3. Verify the support for local traffic termination as part of the remote AP functionality; verify that local traffic and centralized traffic flows can be enabled on the same SSID on the remote AP with the use of split tunneling
4. Verify that policy enforcement on the remote AP is performed on a per-user basis with a stateful firewall
5. Verify that the WLAN controller Ethernet ports can be configured to terminate PPPoE and dynamically assign IP addresses to VLANs through DHCP
6. Verify that the access points support a second Ethernet port for wired user authentication (e.g. 802.1x) or wired VoIP phone support
Results
1– 2– 3– 4–