Aerohive Networks - Aerohive unleashes the potential of enterprise Wi-Fi

Aerohive HiveOS
HiveOS Network Operating System


HiveOS Wi-Fi Features:

Aerohive HiveOS is the network operating system that powers all Aerohive devices. HiveOS Wi-Fi delivers non-stop, high-performance wireless service, application-aware enterprise firewall security, and mobile device management to every Wi-Fi device.

All Aerohive devices support the feature-rich HiveOS Cooperative Control architecture. HiveOS enables Aerohive devices to organize into groups, or “hives”, which allows functionality like fast roaming, user-based access control and fully stateful application-aware firewall policies, as well as additional security and RF networking features—all without the need for a centralized or dedicated controller. This architecture has lower deployment and ownership costs with higher performance, reliability and scalability than any of the networking competitors in the market today.

Key Features and Benefits

Application Visibility and Control
HiveOS enables Aerohive Wi-Fi devices to have full context-based visibility and control of nearly 1000 layer 7 applications, including custom applications that may be in use on the network. By using the granular controls built into HiveOS, administrators can identify and prioritize applications important to specific users without having to create additional SSIDs or affect the entire network.

SLA Compliance Monitoring and Response
The SLA compliance solution brings determinism and visibility to the wireless network by enabling IT administrators to establish, monitor, and deliver reliable service to client devices. The SLA feature not only lets administrators set a performance threshold for connected clients, but also includes auto-remediation capabilities that re-allocate airtime to connected clients who do not meet the established SLA, without any administrator intervention.

Increased Network Capacity with Airtime Management
Aerohive’s Dynamic Airtime Scheduling enables faster clients, like 802.11n laptops, to get equal access to the airtime rather than allowing it to be monopolized by legacy or slow clients. In addition, Dynamic Airtime Scheduling can also track retries and manage upstream traffic to protect the network from misbehaving clients or users. Overall, Dynamic Airtime Scheduling can increase network capacity by up to ten times, just by keeping slow or legacy clients from dominating airtime.

Built-in Aerohive Spectrum Analysis
Spectrum Analysis is a critical tool for detecting interference from non-Wi-Fi radio devices such as Bluetooth, microwave ovens and cordless phones. In fact, detecting interference is so important to WLAN performance that Aerohive includes this capability with every access point shipped, with no additional hardware or licenses required. HiveOS uses spectrum analysis information to feed the Aerohive Channel Selection Protocol (ACSP) and boosts performance by avoiding interference from non-802.11 devices.

Product Features


Cooperative Control

  • Cooperative fast L2/L3 roaming
  • Cooperative RF control
  • Aerohive Mobility Routing Protocol (AMRP) for mesh routing
  • Tunnel load balancing for L3 roaming

Wireless VPN

  • Remote office IPSec-based VPN solution
  • IPsec hardware acceleration supported
  • Profile-based split tunneling with NAT support
  • Supported across mesh
  • RADIUS, DHCP, NTLM, LDAP and NTP can selectively go to local or remote network

SLA Compliance

  • Client and AP Health – Monitor connection quality and automatically trigger and report on actions to improve quality
  • Airtime Boost – Automatically increase airtime allocation to clients best able to use it to meet performance targets
  • Load balancing – Direct clients to APs for improved connection quality

Security

  • Trusted Platform Module (TPM)—Hardware-based key storage and encryption
  • Wireless privacy and authentication: Wi-Fi CERTIFIED™ WPA™ and WPA2™, 802.11i, WEP, 802.1X, PSK
  • Dual-band, single-radio scanning
  • Granular user profile-based management defines VLANs, QoS, mobility policies, and security policies for each user that enters the network
  • Dynamic profile assignment based on device attributes
  • Encryption: AES-CCMP, TKIP, and RC4 (WEP only)
  • Time-of-day and day-of-week access control and SSID enablement
  • On-board application-aware deep inspection firewall policy enforcement with session state sync with neighbors
  • ALG support for SIP, DNS, TFTP, and FTP
  • Destination-based MAC firewall support
  • Up to 16 SSIDs per radio for network segmentation
  • Tunneled guest networks
  • Hive-wide client isolation
  • WPA-TKIP vulnerability protection
  • 802.11w management frame protection

Captive Web Portal

  • Built-in customizable captive web portal on APs for guest access
  • Automatic multi-language support based on user browser
  • External captive web portal support and walled garden allows for easy integration with 3rd party Captive Web Portal solutions
  • RADIUS support for captive web portal
  • Microsoft Active Directory authentication for captive web portal

Cooperative RF Management

  • Cooperative channel selection, with DFS2 support
  • Real-time display and analysis of received RF signals with signature-based detection of non-Wi-Fi devices
  • Station (client) load balancing based on client count
  • Cooperative transmit power level control

Location and Asset Tracking

  • Built-in client location tracking with topology and heat maps
  • Partnership with AeroScout to act as a sensor
  • Partnership with Ekahau for location and asset tracking
  • Tracks laptops and asset tags

Authentication

  • 802.1X authentication for WEP, WPA, and WPA2
  • Private PSK authentication allows for unique preshared keys (PSK) for each user within a single SSID
  • Self-registration portal for dynamic PPSK creation and assignment
  • RADIUS support with PEAP, EAP-TLS, TTLS, LEAP, and EAP-FAST
  • LDAP authentication to directory servers, including OpenLDAP, Novell eDirectory, and Apple OpenDirectory
  • Authentication to Microsoft® Active Directory™ with local credentials caching, also supports Global Catalog and multiple forests
  • Multiple RADIUS server support (per AP, per SSID)
  • RADIUS server with local database or proxy
  • Standard Interchange Protocol, version 2 (SIP2) support for validation of users against a Library Information System (LIS)
  • Support for Operator-Name RADIUS attribute
  • MAC-based RADIUS authentication
  • Dynamic Change of Authorization (RFC3576)
  • User profile assignment based on any RADIUS attribute
  • 100 associated clients per radio

QoS for Voice, Video and Data at the Radio

  • Powerful QoS features usually only found on high-end systems
  • Stateful VoIP roaming and failover
  • User profile-based queuing, scheduling and policing
  • Application prioritization and control for nearly 1000 layer 7 applications including custom applications
  • QoS assignment per VLAN, user profile, service, and MAC address
  • Protocol decoding and dynamic port detection for SIP calls
  • Full queuing support with 8 queues – strict and weighted round robin queuing mechanisms
  • Per VLAN, per user profile, per user, per service rate limiting
  • VoIP call admission control (CAC) with 802.11e traffic specification (TSPEC)
  • 802.11r fast roaming support with 802.11k radio measurement and 802.11v roaming management
  • Marking and policing – WMM® (802.11e) for wireless, 802.1p and/or DiffServ
  • Wi-Fi CERTIFIED WMM
  • WMM power save (U-APSD)
  • Support for Spectralink SVP protocol

Management

  • Central management
    • Management via HiveManager
    • Management via HiveManager Online
  • Device Configuration
    • CLI via Telnet, SSHv2, or console
    • Virtual Console automatically sets up an SSID with CLI access allowing configuration of new APs without the need for serial or Ethernet cables
  • Monitoring
    • SNMP v1, v2c, and syslog

Wireless IDS & IDP

  • Built-in in-network rogue AP detection
  • Integration with AirTight IDS & IDP solution
  • Rogue AP mitigation
  • Rogue client detection including ad hoc clients
  • 2.4GHz and 5GHz scanning on single-radio devices
  • Wireless compliance checking
  • Sophisticated L2/L3 DoS protection with a wide range of L2/L3 attack signatures
  • Port scan, IP spoofing, and IP address sweep protection provides added security, particularly for quarantine and guest networks
  • Wide array of security actions including logging, blocking, disassociation and banning to enable the network to automatically respond to threats

Mesh

  • Flexible radio configuration allows for simultaneous operation of mesh networking and client access functions
  • Ethernet bridging support across mesh connections for a single device or workgroup
  • Automatic neighbor detection and route determination
  • Mesh traffic encrypted with AES
  • L2 routing rather than Spanning Tree used for greater performance and less overhead
  • Self-healing enabled by dynamic path selection

High Availability

  • Full client session synchronization across APs
  • Stateful failover of any AP even in the event of a wire failure
  • AAA caching of credentials for remote office survivability
  • Mesh failover in the event of wire or switch failure
  • Dynamic mesh failover automatically changes access radio to backhaul radio in the event of a wire or switch failure
  • Wireless virtual access console
  • Track IP or Gateway automatically initiates failover or troubleshooting tools in the event of a failure

Services

  • DHCP server and DHCP relay
  • Client operating system detection by DHCP and HTTP User-Agent for policy assignment
  • Bonjour Gateway to enable network-wide advertisement of Bonjour services
  • Mobile Device Management enrollment support: require client device registration to receive network access

HiveOS Routing Features:

Aerohive HiveOS is the operating system that powers all Aerohive devices. HiveOS Routing delivers non-stop networking, routing with VPNs, and enterprise firewall security to remote and branch offices.

All Aerohive devices support the feature-rich HiveOS Cooperative Control architecture. HiveOS enables Aerohive devices to organize into groups, or “hives,” which allows functionality like fast roaming, user-based access control and fully stateful firewall policies, as well as additional security and RF networking features—all without the need for a centralized or dedicated controller. This architecture has lower deployment and ownership costs with higher performance, reliability and scalability than any of the networking competitors in the market today.

Secure Auto-configuration

Aerohive’s industry-leading secure auto-configuration avoids truck rolls. Secure auto-configuration prevents unauthorized users from gaining access to the home device. The administrator can enable an option that requires users to enter a device registration code when deploying routers remotely before HiveManager will be allowed to manage them. Doing so prevents unauthorized users from intercepting routers and using the auto-provisioning feature to gain access to the corporate network.

Layer 3 IPSec VPN

With device-based IPSec VPN, HiveOS Routing enables remote users to get access to corporate resources via any authenticated device without having to worry about installing or maintaining software on their equipment. Combined with the local intelligence, cloud security services, and mobile device management capabilities of the Aerohive solution, every remote user experiences headquarters-like security and productivity, regardless of their location.

Cloud Proxy

Cloud-based security services ensure that branch office communications are “clean” without burdening IT with operating additional security appliances at each site, and without having to worry about configuring web proxy information on every end user device. Since most of the traffic generated at branch or remote locations is destined for the Internet, Aerohive’s patent-pending Cloud Proxy automatically diverts that traffic through a cloud-based web security service. This diversion vastly reduces bandwidth costs by eliminating the need to route branch, remote office or mobile-user traffic back to a central location for filtering.

Network Flow-based Stateful Firewall

HiveOS Routing uses an advanced Network Flow-based Firewall that enforces policy at the network level, allowing the Aerohive device to manage traffic via a combination of user identity and very granular mobile device management. A user is granted access to network resources based on both who they are and on the type of device that they are using. This provides an invaluable extra layer of differentiated security that can change as your users change devices.

Product Features


Cooperative Control

  • Cooperative fast L2 roaming
  • Cooperative RF control
  • Aerohive Mobility Routing Protocol (AMRP) for mesh routing to Aerohive APs

Support for 3G/4G USB-based WAN connectivity on BR platforms

Layer 3 IPSec VPN

  • Remote office IPSec-based VPN solution
  • IPSec hardware acceleration supported
  • Profile-based split tunneling with NAT support

SLA Compliance

  • Client and AP Health—Monitors connection quality and automatically triggers and reports on actions to improve quality

Security

  • Patent-pending Cloud Proxy functionality to provide content filtering services to branch locations
  • Wireless privacy and authentication: Wi-Fi CERTIFIED™ WPA™ and WPA2™, 802.11i, WEP, 802.1X, PSK
  • Granular user profile-based management defines VLANs, QoS, mobility policies and security policies for each user that enters the network
  • Time-of-day and day-of-week access control
  • On-board stateful inspection firewall policy enforcement with session state sync with neighbors
  • ALG support for SIP, DNS, TFTP, and FTP
  • Destination-based MAC firewall support
  • Trusted Platform Module (TPM) - Hardware-based key storage and encryption
  • Encryption: AES-CCMP, TKIP, and RC4 (WEP only)
  • Up to 16 SSIDs and networks for client segmentation
  • Industry-leading secure auto-configuration that avoids truck rolls

Flexible Route-based Load Balancing and WAN Redundancy

  • Active-Active USB 3G/4G and Eth0 WAN
  • Policy-based routes with failover
  • Flexible failover tunneling configuration

Authentication

  • 802.1X authentication for WEP, WPA and WPA2
  • Private PSK authentication allows for unique preshared keys (PSK) for each user within a single SSID
  • Self-registration portal for dynamic PPSK creation and assignment
  • RADIUS support with PEAP, EAP-TLS, TTLS, LEAP, and EAP-FAST
  • LDAP authentication to directory servers, including OpenLDAP, Novell eDirectory, and Apple OpenDirectory
  • Authentication to Microsoft® Active Directory™ with local credentials caching, also supports Global Catalog and multiple forests
  • Multiple RADIUS server support
  • RADIUS server with local database or RADIUS proxy
  • Standard Interchange Protocol, version 2 (SIP2) support for validation of users against a Library Information System (LIS)
  • MAC-based RADIUS authentication
  • Dynamic Change of Authorization (RFC3576)
  • Up to 100 associated clients per radio

Captive Web Portal

  • Built-in customizable captive web portal for securing wired port access
  • RADIUS support for captive web portal
  • Microsoft Active Directory authentication for captive web portal

QoS for Voice, Video and Data at the Radio

  • Powerful QoS features usually only found on high-end routers
  • Stateful VoIP roaming and failover
  • User profile-based queuing, scheduling and policing
  • QoS assignment per VLAN, user profile, service, and MAC address
  • Protocol decoding and dynamic port detection for SIP calls
  • Full queuing support with 8 queues – strict and weighted round robin queuing mechanisms
  • Per VLAN, per user profile, per user, per service rate limiting
  • VoIP call admission control (CAC)
  • Marking and policing – WMM® (802.11e) for wireless, 802.1p and/or DiffServ
  • Wi-Fi CERTIFIED WMM

Wireless IDS & IDP

  • Built-in in-network rogue AP detection
  • Integration with AirTight IDS & IDP solution
  • Rogue AP mitigation
  • Rogue client detection including ad hoc clients
  • Wireless compliance checking
  • Sophisticated L2/L3 DoS protection with a wide range of L2/L3 attack signatures
  • Port scan, IP spoofing, and IP address sweep protection provides added security, particularly for quarantine and guest networks
  • Wide array of security actions including logging, blocking, disassociation and banning to enable the network to automatically respond to threats

Management

  • Central Management
    • Management via HiveManager NMS
    • Management via HiveManager Online NMS
  • Device Configuration
    • CLI via Telnet, SSHv2, or console
  • Monitoring
    • SNMP v1, v2c, and syslog

Services

  • DHCP Server
  • DNS Proxy
  • Cloud Proxy

High Availability

  • Full client session synchronization
  • AAA caching of credentials for remote office survivability
  • Wireless virtual access console
  • Track IP or Gateway automatically initiates failover to USB or Ethernet

Warranty and Support

Every Aerohive Networks device is backed by a limited lifetime hardware warranty. Extended product and technical support may be purchased separately and can include next day advanced replacement, 24x7 or 8x5 technical support, web and email support access, and software updates. For complete support terms go to www.aerohive.com/support.

HiveOS Switching Features:

Aerohive HiveOS is the operating system that powers all Aerohive devices. HiveOS Switching delivers enterprise-class switching functionality combined with security features like 802.1X, and contextual policy enforcement.

All Aerohive devices support the feature-rich HiveOS Cooperative Control architecture. HiveOS enables Aerohive devices to organize into groups, or “hives,” which allows functionality like fast roaming, user-based access control, as well as additional security and networking features—all without the need for a centralized or dedicated controller. This architecture has lower deployment and ownership costs with higher performance, reliability, and scalability than any of the networking competitors in the market today.

Key Features and Benefits

Unified Control and Policy
Revolutionary user interfaces make it easy and intuitive to create and deploy unified wired and wireless access policies across the entire network. Users will be granted the same permissions to the network based on identity and device type, regardless of how or where they attach to the network. HiveOS Cooperative Control protocols ensure all devices securely share policy information across the entire network, including 802.1X security policies.

Zero-Touch Provisioning
Aerohive’s zero-touch provisioning feature avoids the need for pre-configuration and costly truck rolls. Devices can be shipped to the install site, and once powered up and connected to the Internet, will automatically use the Aerohive Cloud Services Platform Redirector service to securely locate their HiveManager - whether that HiveManager is in the Aerohive public cloud or in a customer private cloud. Once connected to HiveManager, the switches will automatically download updated firmware and policy configuration information and immediately provide service to connected devices, without any need for administrator intervention.

Enterprise-Class Cloud-Enabled Switching
HiveOS supports advanced switching functionality like user-based QoS, storm control, and 802.1X multiple authentication for voice and data coexistence, along with traditional switch features such as LLDP, Spanning Tree, Jumbo Frames, and IGMP snooping. Combining these capabilities with cloud-based services such as on-demand provisioning, hands-free configuration and updates, and unified wired and wireless policies allows Aerohive HiveOS and Cooperative Control to provide a seamless, high-quality enterprise-class experience for all connected users.

Integrated Branch Routing (For SR2024P Switch Only)
HiveOS also supports integrated branch routing, including features such as stateful firewall, IPsec VPN, identity-based routing, and Cloud Proxy. Aerohive devices can manage traffic via a combination of user identity and very granular mobile device management, which when combined with the local intelligence, cloud security services, and mobile device management capabilities of the Aerohive solution, gives every remote user headquarters-like security and productivity, regardless of their location.

Product Features


Unified Control and Policy

  • Create and Deploy Unified LAN/WLAN policies across the entire network
  • Granular user-profile-based management defines VLANs, QoS, access, and security policies for each user and device

Security

  • Advanced 802.1X support
  • Time-of-day and day-of-week access control
  • Dual-authentication for MAC auth and 802.1X
  • Trusted Platform Module (TPM) - Hardware-based key storage and encryption
  • Industry-leading auto-configuration that avoids truck rolls

Authentication

  • 802.1X authentication with MAC-based authentication fallback for legacy devices
  • RADIUS support with PEAP, EAP-TLS, TTLS, LEAP, and EAP-FAST
  • LDAP authentication to directory servers, including OpenLDAP, Novell eDirectory, and Apple OpenDirectory
  • Authentication to Microsoft® Active Directory™ with local credentials caching, also supports Global Catalog and multiple forests
  • Multiple RADIUS server support
  • RADIUS server with local database or RADIUS proxy
  • Standard Interchange Protocol, version 2 (SIP2) support for validation of users against a Library Information System (LIS)
  • MAC-based RADIUS authentication
  • Dynamic Change of Authorization (RFC3576)

PoE Management

  • Allocate, prioritize, and control your PoE budget to make sure critical devices stay powered

QoS for Voice and Data

  • Powerful QoS features usually only found on high-end switches
  • User profile-based queuing, scheduling and policing
  • QoS assignment per VLAN, user profile, service, and MAC address
  • Hardware-assisted DSCP and 802.1p classification and marking

Topology Protection

  • STP/RSTP to create loop-free, resilient topologies
  • MSTP to allow multiple VLANs to be managed by a single STP instance
  • Hardware-assisted storm and flood control

Management

  • Central management
    • Management via HiveManager
    • Management via HiveManager Online
  • Device Configuration
    • CLI via SSHv2 or console
  • Monitoring
    • SNMP v1, v2c, and syslog

Services

  • DHCP Server
  • RADIUS Server
  • PPSK Server

Warranty and Support

Every Aerohive Networks device is backed by a limited lifetime hardware warranty. Extended product and technical support may be purchased separately and can include next day advanced replacement, 24x7 or 8x5 technical support, web and email support access, and software updates. For complete support terms go to www.aerohive.com/support.