In 2019, consulting company Miercom conducted an independent technology assessment of the Cisco Catalyst 6 Series Wi-Fi 9800 Controllers. For this study, a test bench was assembled from Cisco Wi-Fi 6 controllers and access points, and the technical solution was evaluated in the following categories:
- Availability;
- Security;
- Automation.
The results of the study are shown below. Since 2019, the functionality of the Cisco Catalyst 9800 series controllers has been significantly improved - these points are also reflected in this article.
You can read about other benefits of Wi-Fi 6 technology, examples of implementation and applications.
Solution overview
Wi-Fi 6 Cisco Catalyst 9800 Series Controllers
The Cisco Catalyst 9800 Series Wireless Controllers based on the IOS-XE operating system (which is also used for Cisco switches and routers) are offered in a variety of flavors.
The older 9800-80 controller model supports wireless network bandwidth up to 80 Gbps. One 9800-80 controller supports up to 6000 access points and up to 64 wireless clients.
The mid-range model, the 9800-40 controller, supports up to 40 Gbps throughput, up to 2000 access points, and up to 32 wireless clients.
In addition to these models, the 9800-CL wireless controller (CL stands for Cloud) was also included in the competitive analysis. Model 9800-CL runs in virtual environments on VMWare ESXI and KVM hypervisors, and its performance depends on dedicated hardware resources for the controller virtual machine. In the maximum configuration, the Cisco 9800-CL controller, like the older model 9800-80, supports scalability up to 6000 access points and up to 64 wireless clients.
When conducting a study with controllers, Cisco Aironet AP 4800 series access points were used, which support operation at frequencies of 2,4 and 5 GHz with the ability to dynamically switch to dual 5-GHz mode.
Test stand
As part of the testing, a stand was assembled from two Cisco Catalyst 9800-CL wireless controllers operating in a cluster and Cisco Aironet AP 4800 series access points.
Dell and Apple laptops, as well as an Apple iPhone smartphone were used as client devices.
Accessibility Testing
Accessibility is defined as the ability of users to access and use a system or service. High availability refers to continuous access to a system or service, independent of events.
High availability has been tested in four scenarios, the first three scenarios are predictable or scheduled events that can take place during business hours or non-business hours. The fifth scenario is the classic failure, which is an unpredictable event.
Description of scenarios:
- Bug fixing is a micro-update of the system (bugfix or security patch), which allows you to fix a particular error or vulnerability without a complete update of the system software;
- Functional update - adding or expanding the current functionality of the system by installing functional updates;
- Full update - updating the controller software image;
- Adding an access point - adding a new model of access point to the wireless network without the need to reconfigure or update the software of the wireless controller;
- Fault - failure of the wireless controller.
Fixing bugs and vulnerabilities
In many competitive solutions, patching often requires a complete update of the wireless controller system software, which can lead to unplanned downtime. In the case of a solution from Cisco, patching is performed without stopping the product. Patches can be installed on any of the components while the wireless infrastructure continues to run.
The procedure itself is quite simple. The patch file is copied to the bootstrap folder on one of the Cisco wireless controllers, and then the operation is confirmed through the GUI or command line. In addition, you can also undo and remove the patch via the GUI or command line, again without interrupting the system.
Functional update
Functional software updates are applied to enable new features. One such improvement is the update of the application signature database. This package was installed on Cisco controllers as a test. Just as with hotfixes, a feature update is applied, installed, or removed without downtime or interruption to the system.
Full update
At the moment, a full update of the controller software image is performed in the same way as a functional one, that is, without downtime. However, this feature is only available in a cluster configuration where there is more than one controller. A full update is performed sequentially: first on one controller, then on the second.
Adding a New Access Point Model
Connecting new access points that have not previously been used with the controller software image used to connect to a wireless network is a fairly common operation, especially in large networks (airports, hotels, factories). Quite often, in competitor solutions, this operation requires updating the system software or rebooting the controllers.
When connecting new Wi-Fi 6 access points to a cluster of Cisco Catalyst 9800 series controllers, there are no such problems. The connection of new points to the controller is carried out without updates to the controller software, and this process does not require a reboot, thus without affecting the wireless network in any way.
Controller failure
The test environment uses two controllers (Active / StandBy) Wi-Fi 6 and the access point has a direct connection to both controllers.
One wireless controller is active, and the other, respectively, is a standby. If the active controller fails, the standby controller takes control and changes its status to active. This procedure occurs without interruption for the access point and Wi-Fi for clients.
Security
This section discusses aspects of security, which is an extremely urgent task in wireless networks. The security of the solution is evaluated according to the following characteristics:
- Application recognition;
- Tracking the flow of traffic (Flow tracking);
- Analysis of encrypted traffic;
- Intrusion detection and prevention;
- Means of authentication;
- Security tools for client devices.
Application recognition
Among the diverse products in the enterprise and industrial Wi-Fi market, there are differences in how well the products identify application traffic. Products from different manufacturers may identify a different number of applications. At the same time, many of the applications that are indicated by competitive solutions as possible for identification are, in fact, websites, and not unique applications.
There is another interesting feature of application recognition: solutions vary greatly in identification accuracy.
Taking into account all the tests carried out, we can responsibly state that the Cisco Wi-Fi-6 solution performs application recognition very accurately: Jabber, Netflix, Dropbox, YouTube and other popular applications, as well as web services, were accurately detected. Cisco solutions can also dive deeper into data packets using DPI (Deep Packet Inspection).
Tracking traffic flows
Another test was run to see if the system could accurately track and report on data flows (such as large file movements). To test this, a 6,5 megabyte file was sent over the network using File Transfer Protocol (FTP).
The Cisco solution did the job perfectly and was able to track this traffic thanks to NetFlow and its hardware capabilities. Traffic was detected and identified immediately with the exact amount of data transferred.
Analysis of encrypted traffic
User data traffic is increasingly encrypted. This is done in order to protect it from being tracked or intercepted by intruders. But at the same time, hackers are increasingly using encryption to hide their malware and carry out other dubious operations, such as Man-in-the-Middle (MiTM) or, for example, keylogging attacks.
Most enterprises inspect some of the encrypted traffic by first decrypting it using firewalls or intrusion prevention systems. But this process takes a lot of time and does not benefit the performance of the network as a whole. In addition, once decrypted, this data becomes vulnerable to prying eyes.
Cisco Catalyst 9800 series controllers successfully solve the problem of encrypted traffic analysis by other means. The solution is called Encrypted Traffic Analytics (ETA). ETA is a technology currently unmatched by competitors that detects malware in encrypted traffic without the need to decrypt it. ETA is a core IOS-XE feature that includes Enhanced NetFlow and uses advanced behavioral algorithms to detect malicious traffic patterns lurking in encrypted traffic.
ETA does not decrypt messages, but collects metadata profiles of encrypted traffic flows - packet size, time intervals between packets, and much more. The metadata is then exported in NetFlow v9 records to Cisco Stealthwatch.
The key function of Stealthwatch is to constantly monitor traffic, as well as create a baseline of regular network activity. With the help of the encrypted stream metadata sent to it by ETA, Stealthwatch uses multi-layer machine learning to identify behavioral traffic anomalies that may indicate suspicious events.
Last year, Cisco engaged Miercom to independently evaluate the Cisco Encrypted Traffic Analytics solution. During this assessment, Miercom separately sent known and unknown threats (viruses, trojans, ransomware) in encrypted and unencrypted traffic across large ETA and non-ETA networks to identify threats.
For testing, malicious code was run on both networks. In both cases, suspicious activity gradually came to light. In the ETA network, threats were detected 36% faster at the initial stage than in the non-ETA network. At the same time, in the course of work, the detection productivity in the ETA network began to increase. As a result, after several hours of work in the ETA network, two-thirds of active threats were successfully detected, which is twice as much as in the non-ETA network.
The ETA functionality is well integrated with Stealthwatch. Threats are ranked by severity, displayed with detailed information, and remediation options once confirmed. Conclusion - ETA works!
Intrusion detection and prevention
Cisco now has another effective security tool, the Cisco Advanced Wireless Intrusion Prevention System (aWIPS): a mechanism for detecting and preventing threats to wireless networks. aWIPS operates at the controller, access point, and Cisco DNA Center management software levels. Threat detection, alert, and prevention combines network traffic analysis, network device and network topology information, signature-based methods, and anomaly detection to achieve high accuracy and wireless threat prevention.
Full integration of aWIPS into the network infrastructure allows you to continuously monitor wireless traffic on both wired and wireless networks and use it to automatically analyze potential attacks from many sources in order to identify and prevent possible attacks as comprehensively as possible.
Means of authentication
At the moment, in addition to the classic means of authentication, WPA9800 support is available in the Cisco Catalyst 3 series solutions. WPA3 is the latest version of WPA and is a set of protocols and technologies that provide authentication and encryption for Wi-Fi networks.
WPA3 uses Simultaneous Authentication of Equals (SAE) to provide the most secure user protection against password guessing attempts by third parties. When a client connects to an access point, it performs an SAE exchange. If successful, each of them will create a cryptographically strong key, from which the session key will be derived, and then they will enter the confirmation state. After that, the client and the access point can go into confirmation states each time a session key needs to be generated. The method uses forward secrecy, where an attacker can crack one key, but not all other keys.
That is, SAE is designed in such a way that an attacker intercepting traffic has only one attempt to guess the password before the intercepted data becomes useless. To organize a long-term password guessing, you will need physical access to the access point.
Client Device Security
Cisco Catalyst 9800 Series Wireless Solutions currently use Cisco Umbrella WLAN, a cloud-based network security service that operates at the DNS level with automatic detection of both known and new threats, as the primary means of protecting clients in the Cisco Catalyst XNUMX Series Wireless Solutions.
Cisco Umbrella WLAN provides client devices with a secure connection to the Internet. This is achieved through content filtering, that is, by blocking access to resources on the Internet in accordance with the policy of the enterprise. Thus, client devices on the Internet are protected from malware, ransomware, and phishing. Policy enforcement is based on 60 continuously updated content categories.
Automation
Modern wireless networks are much more flexible and complex, so traditional ways to configure and extract information from wireless controllers are not enough. Network administrators and security professionals require tools for automation and analytics, which is driving wireless network vendors to offer such tools.
To solve these problems, the Cisco Catalyst 9800 series wireless controllers, along with the traditional API, support the RESTCONF / NETCONF network configuration protocol with the YANG (Yet Another Next Generation) data modeling language.
NETCONF is an XML-based protocol that applications can use to query and change the configuration of network devices such as wireless controllers.
In addition to these methods, the Cisco Catalyst 9800 Series Controllers provide the ability to acquire, sample, and analyze flow data using the NetFlow and sFlow protocols.
For security and for traffic modeling, the ability to track specific flows is a valuable tool. To solve this problem, the sFlow protocol was implemented, which allows you to capture two packets out of every hundred. However, sometimes this may not be enough for analysis and adequate study and evaluation of the flow. Therefore, an alternative is NetFlow, implemented by Cisco, which allows you to 100% collect and export all packets in a specified stream for further analysis.
Another feature, however, available only in the hardware implementation of the controllers, which allows you to automate the operation of the wireless network in the Cisco Catalyst 9800 series controllers, is the built-in support for the Python language as an add-on for using scripts directly on the wireless controller itself.
Finally, the Cisco Catalyst 9800 Series Controllers support the time-honored SNMP protocol versions 1, 2, and 3 for monitoring and management operations.
Thus, in terms of automation, the Cisco Catalyst 9800 Series solutions fully meet today's business requirements, offering both new and unique, and time-tested tools for automated operations and analytics in wireless networks of any size and complexity.
Conclusion
In solutions based on Cisco Catalyst 9800 Series controllers, Cisco has demonstrated excellent results in the categories: high availability, security and automation.
The solution fully satisfies all high availability requirements such as sub-second failover during unplanned events and zero downtime for scheduled events.
The Cisco Catalyst 9800 Series Controllers provide end-to-end security that provides deep packet inspection for application discovery and management, complete visibility into data flows, identification of threats hidden in encrypted traffic, and advanced client device authentication and protection.
For operations and analytics automation, the Cisco Catalyst 9800 Series solutions are powerful using popular standard models: YANG, NETCONF, RESTCONF, traditional APIs, and native Python scripting.
Thus, Cisco once again confirms its status as the world's leading manufacturer of network solutions, keeping up with the times and taking into account all the challenges of modern business.
For more information about the Catalyst Switch Family, visit cisco.
Source: habr.com