An Exploration of End-to-End Network Segmentation—Part I: Hyper-Segmentation

More than 90% of businesses say they have some sort of cybersecurity framework in place, but here’s the truth: a network security strategy will never be effective if a company’s underlying architecture isn’t what it needs to be. Traditional, hierarchical, client-server architecture is simply not built to support today’s next-generation network, or protect against the increased risk of exposure inherent in it (this is something I recently blogged about for the Huffington Post). This is like riding a horse and buggy down the freeway and expecting life-saving crash protection.

Cue the thousands of solution providers vying for market share, all selling the concept of failsafe network security. But let’s be honest: any provider that claims to offer foolproof security is only fooling you. Given today’s rapid pace of innovation, we’ll hopefully see that day soon. Until then, not even the best provider can absolutely guarantee network security 24×7.

There are, however, a few ways to safeguard your organization with a (near) impenetrable network that significantly minimizes security risks and reduces exposure. It all comes down to the technology you use and from whom you get that technology. At Avaya, we believe companies need to take a foundational approach to network security by implementing an end-to-end segmentation solution that inherently protects from the inside out. This approach consists of three core capabilities:

  • Hyper-Segmentation: The ability to create stealth segments that span the entire network.

  • Native Stealth: The characteristic of a hyper-segment that’s invisible to hackers.

  • Automated Elasticity: Extending and retracting hyper-segment access automatically.

As we see it (and many cybersecurity experts agree), end-to-end segmentation is the holy grail of network security today. This critical level of protection should be as simple as safety is for a driver getting behind the wheel. All companies need to do is buckle up and enjoy the ride.

At Avaya, our goal is always the same: equip business leaders with the necessary skills, knowledge and know-how to do what’s ultimately best for their organizations. For IT leaders contemplating a better way to protect their networks, I’ve put together a three-part series that pulls back the veil on our all-new end-to-end segmentation solution and its core capabilities of hyper-segmentation, stealth and elasticity.

Ready to join me? If so, let’s kick things off by exploring the incredible concept of hyper-segmentation.

Out with the Old

A classic segmentation method, in which virtual local area networks (VLANs) are created, is one that companies have been using for 20+ years. This method involves isolating segments in order to maximize quality of service, ensuring one type of traffic doesn’t impact the other. In this case, each segment carries different traffic types that require different characteristics to deliver the desired quality of experience.

For example, one segment may carry real-time voice traffic while another would carry best-effort data traffic such as web browsing. This approach sounds simple, but there’s one big problem: as organizations grow, so too must their segments. This creates high levels of complexity and increases the risk of failure, as VLANs are prone to loops introduced by human error and must be made aware of each node that physically joins the virtual network.

So, these segments must inevitably grow in order to meet evolving network and application needs. As they do, they become increasingly difficult to troubleshoot and manage, leading to greater network strain and performance issues. At this point, a company’s only resolution is to create more, smaller segments, which simply introduces more complexity into their already intricate network environments.

All the while, these network segments aren’t truly isolated from one another; rather, they’re communicating extensively when IP services are enabled. These are known as Layer 2 virtualized networks. To make matters worse, Layer 3 virtualization is also typically required when IP services need to be isolated from one another. Think of two departments or two tenants wanting to share a common networking infrastructure. At that point, the concept of VRF (Virtual Routing and Forwarding) needs to be introduced. Once again, each node participating in this Layer 3 virtualized network must be configured.

Hence, end-to-end segmentation is achieved by performing complex nodal configuration. Not very scalable when you think about it, yet it does work! Add to this other services such as multicast and you now have a fragile house of cards to deal with, as all these layers are interdependent. Because of this interdependency, the stack can (and will) collapse if just one layer is affected (think of how easy it is to knock down a house of cards with just a flick of the finger). Each layer depends on the others to keep the stack running and secure. For businesses relying on legacy architecture, this setup of multiple interdependent protocol layers can lead to tragic outcomes if even just one segment is affected.

This is exactly what happened with the infamous 2013 Target breach. An HVAC vendor, external to Target, had authorized access to service the HVAC system. As the network was statically configured using VLANs, hackers were able to get into that HVAC virtual segment. But rather than being contained there (we’ll get to that shortly), they broke out of the HVAC segment and into the segment that hosts credit card data. So you see, in this environment, the inherent lack of security at layer 2 (e.g., the HVAC segment) negatively impacted other layers — including the mission-critical apps that resided in them. Safe to say this is not the business outcome you want.

The goal, then, is to greatly simplify the way segmentation can be achieved. I guess you could say, let’s manage less and, in doing so, better converge, sustain and control the network. Right? Well, sort of. This “less is more” approach can also lead to network complexities. Hear me out: fewer segments to manage means greater risk in terms of network performance and outages. Without a certain level of segment isolation, one misbehaving device, human error or system glitch can destabilize the entire network. In other words, you should be cautious about putting all of your eggs in one basket (one huge virtual segment).

Are there any other options? Well, MPLS has been designed to deliver what many considered “true” end-to-end virtualization. However, does it really deliver what companies need? It’s true that MPLS does offer end-to-end virtualization, but it’s still based on a restrictive nodal labeling methodology with even more layers of protocols. Obviously, end-users don’t notice this, as this complexity is expertly masked by providers or IT using highly sophisticated provisioning tools. These tools allow them to quickly deploy an end-to-end virtualized network while hiding all backend complexity. It’s a powerful and scalable solution, yet in the end built on a similar and unfortunately more complex foundation.

In with the New

Now I want to clarify that there’s nothing necessarily wrong with MPLS. Many large organizations still run on an MPLS model they deployed long ago. This is fine if you have the skill set and have made the investment in provisioning tools. What businesses are beginning to realize, however, is that they need to better support the dynamic changes happening not just within the data center, but where all data is consumed by mobile users and other devices. Nothing is static anymore. They must be able to add new services on the fly, make changes to existing services within minutes and build new network segments on demand across the entire enterprise. Remember, end users and IoT devices don’t sit in the data center!

You simply can’t deny that today’s business environment looks drastically different than it did 20+ years ago. So, why would we still rely on legacy segmentation methods from that period? The only way to flexibly and securely meet today’s network needs is to deploy a solution that eliminates nodal configuration and yet achieves true segmentation. Hyper-segmentation does just this by using the concept of end-to-end Virtual Services Networks (VSNs). This enables businesses to provision their networks only at specific points of service. In other words, where the service is offered and where the service is being consumed by end users or device(s). That’s it! The core becomes an automated and intelligent virtualized transport.

By eliminating nodal configuration, companies are able to drastically reduce complexity and create hundreds—even thousands—of agile and secure virtual segments that are completely isolated from one another (meaning no communication by default). This allows companies to decide if they want to establish communication between segments, versus having to prevent it. With hyper-segmentation, segments can be quickly created (and easily provisioned) without the need for time-consuming or error-prone network nodal configurations.

This result is achieved because of the technology’s ability to isolate segments by default on one secure, converged network. This transforms network protection by allowing security tools to focus on performing the specific functions they’re implemented for, versus having to serve as a barrier between segments to prevent chatter. In this way, hyper-segmentation allows companies to gain maximum transparency into how their networks are behaving in order to quickly prevent, identify and mitigate security incidents.

Remember Target? With hyper-segmentation, the hackers would have been contained to the HVAC segment (in other words, isolated there). All other segments would have been invisible (natively stealth) to them. It doesn’t matter how skilled a hacker they are. You can’t hack what you can’t see.

In this new world, multilayer protocols exist only because we must maintain backward interoperability with the legacy model, but new virtualized services can be delivered with just one protocol. No more house of cards, unless you absolutely need it!

Now if your company depends on MPLS, you may be thinking, “Where does this leave me?” Here’s my advice: leave your MPLS network environment as static as possible so you can embrace the dynamic configuration of hyper-segmentation and leverage its strength of provisioning at the point of service only. In doing so, you’ll benefit from some of the next-generation segmentation technology without having to forklift your current investment, as hyper-segments can now traverse any IP WAN solution, including IP MPLS or SD-WAN solutions from vendors such as FatPipe. In the end, it’s now up to you to decide how you want to implement end-to-end hyper-segmentation. No more dependency on the service provider to configure and extend a service (VLAN, VRF, DC interconnect, etc.) across the WAN … you now control your own destiny!

Now on to the next question: what role does native stealth play in end-to-end segmentation? Learn more in Part II next week.


Related Articles:

Time for a New Network Engine: Start Running on a Software-Defined Network

I grew up on a wheat farm in the 70s. I spent much of my teens and early 20s working on farm machinery, before starting my career in software and computer technology. I learned distributor caps, points, carburetors, plugs, etc. to be able to tune up an engine to get it to run well. I still have a timing light and dwell meter to be able to work on my old Studebaker. However, I don’t work on my modern vehicles—I have a trustworthy mechanic with the tools to interact with the onboard computer systems.

Engines have progressed a long way since the 70s. I had a 1979 Hurst/Olds Cutlass, one of the top factory muscle cars of the late 70s. The engine was rated at 170 HP and got 12 MPG on a good day. A 2014 Mustang GT500 has 662 HP and gets 24 MPG, or almost four times the HP and twice the mileage. Aerodynamics has some effect, but the big difference is engine technology (plus modern transmissions, but bear with my analogy for a few more paragraphs).

OEM (original equipment manufacturer) and aftermarket parts companies proposed many components to try to improve the good old 70s V8 engines. Distributors and points were replaced by electronic ignition systems, providing more accurate spark and reduced component deterioration. Carburetors were replaced by throttle body fuel injectors that eliminated the bowls and floats and provided better fuel delivery. These components helped but weren’t capable of delivering the order-of-magnitude improvement required to deliver horsepower to a mileage-conscious consumer (or government agencies).

Modern engines are a marvel of computer technology. The fundamentals of the internal combustion engine haven’t changed: compress a mixture of air and fuel, introduce a spark, convert the explosion to mechanical energy, exhaust the spent fuel, and repeat. Now, computers do a better job of tuning the engine than I could ever dream of and tuning is performed constantly, adjusting the engine for atmospherics, load, fuel quality, terrain, driver style, etc. to maximize efficiency.

The networking industry is at a similar place today as engine designers were in the 80s. We’re trying to modernize the 90s network technology by adding Software-Defined Network (SDN) controllers. As requirements for network services evolved, network manufacturers created protocols (some open, some proprietary) to deliver the services. The result is a stack of network protocols that present a very complex management challenge.

I read a book in my teens (Danny Dunn and the Homework Machine, Abrashkin and Williams, 1958) about a student who programmed a NASA computer to do his math homework. The student’s math teacher found out about the program. The student assumed he was going to fail the class because he didn’t do his own homework. However, the teacher said the student had to understand more about how to solve the math problems to program the computer than was required to do the problems. This story has stuck with me for 40+ years because of the underlying truth: You have to understand a problem very well to be able to automate a solution.

I don’t claim to be a network admin, but I know several. They tell me managing the full network stack is as much art as it is science. Put a half-dozen network experts around a table with an endless supply of beer, and the beer will run out before they come to a consensus on how to best architect and operate a complex network. If they can’t agree how to manage a network, how can there be an agreement on the best way to automate it?

If auto manufacturers had tried to computerize a carburetor and dynamically adjust timing by putting a step motor on the distributor, we’d still be driving sub-200 HP performance cars with poor reliability and complex service requirements. To significantly improve the network, we need to start by simplifying the network. This doesn’t mean that we need an entirely new network paradigm. Engine designers maintained the core hardware design with pistons, valves, camshafts and crankshafts (though some people did play with a rotary engine concept). The basic network is fine—cabling, switches, Ethernet, TCP/IP, etc. However, the delivery of upper level services needs to be greatly simplified to achieve the promise of a significantly improved network.

But what’s meant by “improved network”? Engine designers were driven to improve the engine efficiency to get more power from a unit of fuel. But I’m sure there were other secondary goals, such as improved reliability that allowed vehicle manufacturers to offer much longer product warranties. So what are the goals of an improved network?

  • Security: Data security is top of mind (and front of newspapers) today. Complexity is an antagonist of safety. Complex environments provide too many attack surfaces and make it very easy for well-intentioned maintenance to accidentally open a back door to your data.

  • Flexibility: Complex environments are hard to change. It used to be that provisioning a server took weeks and configuring the network took minutes. With virtualization, a server can be provisioned in minutes, but a VLAN takes weeks to create (safely).

  • Resiliency: In the 7×24 connected world, taking minutes to hours to recover from a network component failure isn’t acceptable.

  • Manageability: This is somewhat a self-fulfilling statement. Less complex environments are simpler to understand and simpler to manage effectively.

Avaya’s SDN Fx™ Architecture, based on SPB or Shortest Path Bridging (802.1aq), provides an alternative to the traditional network protocol stack for L2/L3 unicast and multicast network services. SPB has several attributes that make it a much better engine to drive the requirements of modern networks.

  • Provisioned at the edge: Network services are defined on the access switches, turning the core of the network into a vehicle for data transfer, which is never touched. (See point No. 3 in Top 10 things you need to know about Avaya Fabric Connect.)

  • Hyper-segmentation: SPB supports 16 million virtual networks, so every service can have its own virtual network segment, a key to providing network level data security. (For more information, see Avaya Chief Technologist of SDA Jean Turgeon’s three-part blog on network segmentation. Read about hyper-segmentation, native stealth and elasticity.)

  • Very fast re-convergence: SPB identifies all possible paths through the network and selects the best path. If a path disappears, the next best path is already determined and chosen in a couple of hundred milliseconds or less. (See point No. 7 in Top 10 things you need to know about Avaya Fabric Connect.)

  • Internet of Things (IoT) support: SPB works equally well connecting racks of virtualized compute infrastructure as connecting Wireless Access Points (WAPs), CCTV cameras, sensors, controls, phones, etc. See the blog Security and the IoT: Where to Start, How to Solve for more information.

One benefit that engine designers had that network engineers don’t have is the new model year. Consumers don’t expect to take their old car into the dealer and get an engine upgrade. They take their car in to get an entirely new car. Network engineers are expected to upgrade the network by replacing parts, usually while the network is still running. Avaya’s Fabric Extend allows SPB to be deployed by simply replacing the edge switches and utilizing your existing core network. Spanning the core of the network doesn’t provide all of the benefits of a full fabric deployment, but does provide a means to execute a rolling fabric conversion, kind of like upgrading the carburetor while the car is running.

Security and the IoT: Where to Start, How to Solve

I recently attended the 2016 North America IoT Tech Expo in Santa Clara, California. This event highlights how the most innovative advancements in technology are affecting the Internet of Things (IoT). Visitors can listen to case studies and tracks covering the IoT ecosystem including: smart cities, connected living, wearables, developing and IoT technologies, connected industry, connected services, and data and security. To that end, I was counting on leaving there with a stronger sense of direction, clarity, and future vision around the IoT. Hey, I’m a total tech nerd. I’ve spent my career in the telecom, networking, computer, and storage industries. So as you can imagine, I couldn’t wait to geek out with all the cool futurist gadgets and things. In my mind, that’s what the IoT is all about. Not so fast.

I visited with sponsors and passed through many trade show booths, finding a mix of home-based automation systems and devices, as well as a series of industrial sensor companies (most of whom were names you wouldn’t expect to see at this show). Interesting technologies were on display for sure, but definitely not what I expected. Where were the automation, virtual reality, and artificial intelligence integrations? You know, all the cool things you see in a George Lucas film that make you wonder, “Is that really possible?”

As I attended the many breakout sessions, I quickly picked up that the IoT is less about integrating the super cool, and more about integrating the practical, or the basic things that many of us need but take for granted. And top of mind for every business today is how to solve challenges around the IoT and security, and the proactive measures we can take to adopt IoT innovations while also protecting our enterprises from cyber-attacks. Not particularly sexy but very necessary.

IoT: The Basics

So let’s look at the fundamentals. The IoT is a huge topic (which is why it’s often referred to as the “Internet of Overwhelming Things”). It’s transformative. It’s practical. It had its big push from home automation. Today, it spans across multiple industries and governments from smart cities (which includes transportation, public safety, water works, citizen services, waste management, et al) to smart industries like manufacturing, healthcare, and consumers, to name a few.

Everyone deploying an IoT model or strategy is faced with similar challenges, but perhaps none as great as security. In fact, Gartner predicts by 2020, more than 25% of identified attacks in enterprises will involve the IoT, although the IoT will account for less than 10% of IT security budgets. That’s an unbelievable disconnect. Further, Gartner suggests that vendors will focus too much on spotting vulnerabilities and exploits, rather than segmentation and other long-term means that better protect the IoT.

The key word in that last sentence is “segmentation” and it’s where our “securing the everywhere perimeter” comes in. (Recently, Avaya Chief Technologist of SDA Jean Turgeon explored Avaya’s #EverywherePerimeter in a three-part blog series that tackled the three core pillars of this groundbreaking fabric networking solution: hyper-segmentation, native stealth and elasticity.)

A Proactive Solution for Cyber-Attacks

Leveraging core network technologies like Avaya Fabric Connect simplifies the most complex part of any network deployment. It’s tremendously scalable, as we’ve proven time and again with large global 100 and global 50 customers. And it provides a secure networking infrastructure, or as we like to call it: stealth networking. Stealth networking can significantly reduce exposure and risks associated with cyber-attacks. Avoiding many of the conventional hooks and typical tools that hackers seek to exploit, businesses can reduce their exposure and more tightly focus their security efforts. Because Avaya Fabric doesn’t need or use IP in the core, there isn’t anything to see or hack using IP-based hacking tools or methods. We’ve proven this time and time again at hackathons around the world. In the simplest terms, you can’t hack what you can’t see!

Hyper-segmentation allows you to span beyond the data center, building or campus. We call it a “single global network fabric.” With hyper-segmentation, organizations can establish borders to defend against unauthorized lateral movement, reduce their attack profile, deliver highly effective breach isolation, improve the effectiveness of anomaly scanning and greatly improve the value of specialist security appliances. Virtual LANs (VLANs) have traditionally been used to create segmentation, but this creates high levels of complexity and increases the risk of failure, as VLANs are prone to loops introduced by human error and must be made aware of each node that physically joins the virtual network.

We’re using industry standard technologies, leveraging IEEE Shortest Path Bridging (SPB) in the core. Once the core is established, making changes and adding capacity or remote sites is quick and simple, unlike traditional networking where you need to be a VLAN or MPLS expert. With Avaya Fabric, you can now extend these same services to the edge or closer to the IoT devices. Then using technologies like Fabric Attach, you can have automated and secure connections created between the core and the edge switches and/or the WAP (Wireless Access Points). The edge now becomes more plug and play.

At this point, all that’s left to do is decide where you want your IoT devices connected and whether you want to have devices segmented or grouped together without the need for cumbersome things like Access Control Lists.

Finally, you can start connecting devices to the network. Well, sort of. You see, traditional IT admins keep the network jacks you see in buildings disabled until a request is made to turn them back on. Then they enable the network jack you want to connect your device to, providing you wired access or granting that device access to the wireless network (in a closed environment), thereby creating that secure end-to-end connection all the way to the device. So far so good, right? Here’s the thing: often we find these “enabled” jacks left exposed and in plain sight after the user has disconnected from the network and left the building. This provides hackers with a secure connection into your environment.

With Automatic Elasticity (the third pillar of our #EverywherePerimeter solution), businesses can stretch their network services (contained in hyper-segments) to the edge of the network, only as required and only for the duration of a specific application session. As applications terminate (or end-point devices close down or disconnect), those networking services retract from the edge. It’s as simple as that. This makes your network safe and less vulnerable to intrusions.

This Avaya Network Fabric technology can be used in all the IoT environments I cited up top: cities, buildings, retail, manufacturing, etc. We’ve been delivering these solutions to customers of all sizes, from the Sochi 2014 Winter Olympics to the tallest building in the world, the Burj Khalifa in Dubai.

How Wi-Fi Location-Based Services Can Step Up Your Public Safety Game

My first job out of college was working on Sonar Systems for the U.S. Navy. Modern sonar systems passively listen in the ocean to identify targets by the sounds they make. To the Sonar System everything is a target. Targets are classified as unknown, hostile or friendly. Target classification is determined by noise signatures, behavior, heuristics, etc.

Wi-Fi location-based solutions provide similar capabilities as a sonar system. As part of normal operations, a mobile device will probe the network looking for Wireless Access Points (WAPs). Probing helps the device identify and acquire service from the WLAN. When the device is connected to the network, it continues to probe, enabling the device to effectively roam between WAPs. Essentially Wi-Fi enabled devices are projecting energy into the air similar to a ship projecting sound into the ocean.

WAPs listen and respond to the probe messages as part of service delivery. Listening also provides a mechanism to track these devices. A Wi-Fi device probe message includes the Media Access Control (MAC) address of the device, a globally unique identifier. Since most devices probe the network several times a minute, it’s possible to identify the location of a device every few seconds. Therefore, a Wi-Fi location-based solution can identify the location of every wireless device in range of the WLAN.

Wi-Fi location-based services are usually discussed in the realm of suppliers trying to improve customer engagement. However, as Avaya Chief Technologist of SDA Jean Turgeon points out in his recent blog on public safety, there’s an epidemic of man-created tragedies, where people are targeted for harm by other people. Providing safety for the public when a member of the public wants to harm other members of the public is a tough task. Finding a potential antagonist in the crowd is similar to finding the potentially hostile ship in the ocean of ships. Wi-Fi Location-Based Services (WLBS) offer an additional data set that can be used to help identify potential hostiles, and help first responders identify where the friendlies are located.

WLBS uses the signals received by multiple WAPs to triangulate the location of the probing device. In the Avaya solution, performing WLBS is as simple as telling the WAPs to send distance information to an Avaya Breeze™ snap-in that performs the calculation.

Wi-Fi Location-Based Services

The triangulation process provides the ability to identify all of the targets in the WLAN ocean. The next step is to sort the targets. However, rather than classifying as friendly or hostile, the first objective is to sort out known from unknown device owners. Device ownership can be determined in a number of ways, for instance:

  • Connections to the corporate network: Employees, contractors, etc. who provide credentials to access the corporate network will have device ownership uniquely identified. Though a single employee may have multiple devices (laptop, phone, tablet) identified to their persona at one time, a device will have a single owner.

  • Device resident apps, such as loyalty apps: Apps that provide coupons, track transaction points, etc. can be set up to identify the owner when the app connects to the network.

  • Uniquely identifiable splash page logins: Gaining access to a guest network often requires acknowledging appropriate usage parameters on a splash page. The splash page can be set up to require uniquely identifiable information, such as an email address, to gain access.

Therefore, it’s possible to have uniquely identifiable information about the owner of every device that’s connected to your WLAN. Devices that aren’t connected to the network would have unknown owners. However, if the solution maintains an historical database, it may be possible to classify a device if the MAC address has ever been associated to an owner. The current owner may not be the same as the historical, but it’s a starting point.

Now that a mechanism to identify device owners has been established, rules for addressing unknown devices can be generated. The easiest to visualize is the guest-out-of-bounds rule. Most public buildings (civil center, library, court house, school, etc.) consist of areas that are open to the public and areas that are restricted to certain personnel.

When a non-employee’s device is detected in a restricted area, WLBS raises an alert to be processed up-stream. For instance, the feed from the CCTV camera covering the area identified by WLBS could be directed to the security guard’s computer monitor. The security guard could find the closest member of the security team by looking at a dynamic floor plan display with indicators showing the location of all security personnel (based on their known devices). A message could be sent to the closest security person to go to the area and perform a credential check. As the non-employee moves through the area, his position would be updated by the WLBS solution to continue to track the individual. The CCTV and WLBS displays could be routed to the mobile security guard to provide current situational information.
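The locate, sort and alert steps described above (distance reports from several WAPs, the known/historical/unknown owner sort, and the guest-out-of-bounds rule), as an added example that is not Avaya’s Breeze snap-in or 9100 WLAN code; the WAP layout, restricted area, MAC addresses, owners and roles are constructed sample values, and the two owner tables stand in for the login, loyalty-app and splash-page bindings listed above. It also accepts more than three WAPs by solving the position in the least-squares sense.

```python
"""Guest-out-of-bounds rule over Wi-Fi location data.
Added example, not Avaya's Breeze snap-in or 9100 WLAN code. It walks the
steps the article describes: locate a probing device from per-WAP distance
reports, sort known from unknown owners, and alert on a non-employee in a
restricted area. WAP positions, areas, MACs, owners and roles are constructed.
"""
import math
from typing import Dict, Optional, Tuple

Point = Tuple[float, float]

# Constructed floor plan in metres: WAP positions and restricted rectangles
# given as (x_min, y_min, x_max, y_max).
WAPS: Dict[str, Point] = {"wap-1": (0.0, 0.0), "wap-2": (20.0, 0.0),
                          "wap-3": (0.0, 15.0), "wap-4": (20.0, 15.0)}
RESTRICTED = {"records-office": (10.0, 5.0, 20.0, 15.0)}

# Constructed ownership tables, MAC -> (owner, role). CURRENT holds bindings
# from this session's corporate logins, loyalty-app check-ins and splash-page
# logins; HISTORY holds bindings seen only in earlier sessions. Like the
# article, the example assumes the probing MAC is stable per device.
CURRENT = {"aa:bb:cc:00:00:01": ("alice", "employee"),
           "aa:bb:cc:00:00:02": ("bob", "contractor"),
           "aa:bb:cc:00:00:03": ("visitor@example.com", "guest")}
HISTORY = {"aa:bb:cc:00:00:04": ("carol", "employee")}
ALLOWED_ROLES = {"employee", "contractor"}


def locate(distances: Dict[str, float]) -> Point:
    """Least-squares position from {WAP id: distance} reports (the article
    calls this triangulation). Subtracting WAP 0's circle equation from each
    other WAP's circle gives a linear row 2(xi-x0)x + 2(yi-y0)y = d0^2 - di^2
    - |p0|^2 + |pi|^2; the 2x2 normal equations are solved by Cramer's rule,
    so any three or more non-collinear WAPs work."""
    ids = [w for w in distances if w in WAPS]
    if len(ids) < 3:
        raise ValueError("need distance reports from at least three WAPs")
    (x0, y0), d0 = WAPS[ids[0]], distances[ids[0]]
    sxx = sxy = syy = sxb = syb = 0.0  # accumulated A^T A and A^T b entries
    for w in ids[1:]:
        (xi, yi), di = WAPS[w], distances[w]
        ax, ay = 2 * (xi - x0), 2 * (yi - y0)
        b = d0 ** 2 - di ** 2 - x0 ** 2 - y0 ** 2 + xi ** 2 + yi ** 2
        sxx += ax * ax
        sxy += ax * ay
        syy += ay * ay
        sxb += ax * b
        syb += ay * b
    det = sxx * syy - sxy * sxy
    if abs(det) < 1e-9:
        raise ValueError("reporting WAPs are collinear; position is ambiguous")
    return ((sxb * syy - sxy * syb) / det, (sxx * syb - sxy * sxb) / det)


def probe_report(true_pos: Point) -> Dict[str, float]:
    """Constructed per-WAP distance report for a device at true_pos (real
    WAPs estimate distance from signal strength, with some error)."""
    return {w: math.hypot(true_pos[0] - x, true_pos[1] - y)
            for w, (x, y) in WAPS.items()}


def classify_owner(mac: str) -> Tuple[str, Optional[str], Optional[str]]:
    """(status, owner, role): 'known' from a current binding, 'historical'
    from an earlier one (a hint only, as the article notes), else 'unknown'."""
    if mac in CURRENT:
        return ("known",) + CURRENT[mac]
    if mac in HISTORY:
        return ("historical",) + HISTORY[mac]
    return ("unknown", None, None)


def restricted_area_at(pos: Point) -> Optional[str]:
    """Name of the restricted rectangle containing pos, or None."""
    for name, (x0, y0, x1, y1) in RESTRICTED.items():
        if x0 <= pos[0] <= x1 and y0 <= pos[1] <= y1:
            return name
    return None


def guest_out_of_bounds(mac: str, distances: Dict[str, float]) -> Optional[dict]:
    """The article's rule: alert when a device not currently bound to an
    employee or contractor is located inside a restricted area. Returns None
    when nothing is needed, else a record for upstream handling (routing the
    area's CCTV feed, dispatching the nearest guard)."""
    pos = locate(distances)
    area = restricted_area_at(pos)
    if area is None:
        return None
    status, owner, role = classify_owner(mac)
    if status == "known" and role in ALLOWED_ROLES:
        return None
    return {"mac": mac, "area": area, "position": pos, "owner_status": status,
            "owner_hint": owner,
            "confidence": "high" if status == "known" else "low"}


if __name__ == "__main__":
    for mac, where in [("aa:bb:cc:00:00:01", (15.0, 10.0)),  # employee: quiet
                       ("aa:bb:cc:00:00:03", (15.0, 10.0)),  # guest: alert
                       ("de:ad:be:ef:00:99", (3.0, 3.0))]:   # public area
        print(mac, guest_out_of_bounds(mac, probe_report(where)))
```

A historical-only binding still produces an alert, but flagged low confidence, since the current holder of that MAC may not be the past owner.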

WLBS is dependent on the person of interest having a device with an active Wi-Fi antenna. If the non-employee above is simply lost, they won’t bother to turn off their device. On the other hand, if the person intends harm, they may go to airplane mode. In this case, the security system is relying on more traditional detection methods.

WLBS also has value when looking at people at a macro level. One of the man-created tragedies is the active shooter scenario. In many disaster scenarios, the best course of action is to flee. However, in the active shooter scenario, the best course of action is often to hide. Take a school or shopping mall: people are going to hide all over the place. One of the tasks of first responders is to find where all of the friendlies are hiding without causing the friendlies to expose themselves unnecessarily. WLBS would show where all of the devices are, which provides a good indicator of where people are hiding. So as the first responders are pursuing the hostiles, they would have data to help them understand if the hostiles are heading towards friendlies. Perhaps the friendlies can be evacuated before a hostile reaches them, or the hostiles can be driven to a safer location.

WLBS provides a stealthy way to identify where people are. It isn’t a fool-proof solution. Unlike a ship in the ocean, a person can decide to be silent and thus untraceable. However, in many situations, WLBS will provide valuable information about the location and movement of people. Even if the hostile defeats Wi-Fi tracking, WLBS still provides information about the friendlies. In this case, tracking hostiles may require other technology such as CCTV. (Satellites are used to track ships also.)

The best part of a WLBS solution is that it runs on the WLAN that organizations must deploy to participate in the 21st century. Location data is available on enterprise class WAPs—it’s simply a matter of collecting and acting on the data. With Avaya’s 9100 WLAN, data analysis and workflow development is a Breeze.