VFM: Security with Aruba Wireless


  1. Security with Aruba Wireless. VFM Systems & Services (P) Ltd.
  2. Enterprises Around the World Depend on Aruba Networks: High Tech, Internet, Finance, Media & Ent., Education, Government, Healthcare, Retail, Hospitality, Public Transit, Public Venues, Services, Oil and Gas, Manufacturing, Logistics, Telecom
  3. Is this how you think about Wireless? (Unlikely.) "Wireless is more secure than wired." It is true ... if you do it right.
  4. Wired Network Security Questions. On your wired network:
     • Do you authenticate your users?
     • Do you encrypt all traffic?
     • Do you control access to network resources based on user identity?
     Aruba Wireless lets you do all this by design.
  5. The Pillars of Aruba Wireless Security
     • Authentication before admission into the network
     • All wireless traffic encrypted from client to controller
     • Stateful firewall to monitor all wireless packets and admit/deny passage
     • Intrusion prevention for identifying and thwarting intruders
  6. All at one place
     • Authentication: know the user identity
     • Encryption: no eavesdropping
     • Intrusion Prevention: detect and contain rogues
     • Authorization: clear set of allows and denies
  7. Aruba Unified Access Architecture: centralized controller enables distributed networks. [Diagram labels: Access Points; Network Services; Aruba Mobility Controller; End-to-end Multi-vendor AirWave Network Management]
  8. The Mobility Controller connects to the network backbone at the DC / core switch through standard CAT 5 cable. Access Points are placed at appropriate locations in the offices (walls / false roofs) and connect to the wired backbone through standard CAT 5 cable.
  9. Authentication: 802.1x / Captive Portal / VPN. Authentication with 802.1x:
     • Authenticate users before granting access to L2 media
     • Makes use of EAP (all forms of EAP supported)
     • On successful authentication, an IP address is assigned
  10. Encryption of Wireless Traffic
     • Traffic is encrypted as it leaves a wireless client and is decrypted only at the controller (and not at the AP), as only the controller has the decryption keys.
     • Someone tapping into the airwaves sees only encrypted traffic
     • Someone tapping into the Access Point sees only encrypted traffic
     • Someone tapping into the wire between the AP and the controller sees only encrypted traffic
     • Risk of loss of corporate information through man-in-the-middle eavesdropping is completely ruled out
     • This architecture is superior to decryption at the AP, as then:
        • The AP is a vulnerable point for hacking and gaining decryption credentials to eavesdrop
        • The wire connecting the AP and the controller can be tapped to listen in on wireless traffic
        • Risk of man-in-the-middle eavesdropping is very high
     • Encryption protocols supported:
        • WPA/TKIP
        • WPA2/AES
  11. Wireless Users Access Restrictions. Once admitted into the wireless network after stringent authentication, what a wireless user can do is subject to policies defined in the Stateful Inspection Firewall in the controller.
     • Every wireless packet is decrypted and, based on the identity of the user, passed through the policies defined for that user
     • Unauthorized access to network resources is denied
     • The firewall is ICSA certified, stateful, and provides a much higher level of security compared to stateless ACLs
  12. What does the Firewall do?
  13. The Stateful Firewall in the Aruba Controller
     • Because the firewall is in the controller, integrated with the point of authentication and the point of decryption, it is able to provide "user-centric" network access policies by:
        • User name / user groups provided by AD
        • The source IP information of the data
        • The destination IP information of the data
        • The application data streams the client is generating
        • The network protocol in use
        • The required Quality of Service needs for that data stream
        • Time of the day ... and so on.
     • Thus the stateful firewall prevents unauthorized access by users of the wireless network
  14. User-Centric Networks Enable Mobility. [Diagram labels: Role-Based Access Control; SSID-Based Access Control; AAA FastConnect; RADIUS, LDAP, AD; Access Rights; Virtual AP 1 (SSID: Corp); Virtual AP 2 (SSID: GUEST); Staff; Executive; Finance; Legal; HR; Contractors; Guest; Corporate Services; Voice; Video; Captive Portal; Secure Tunnel To DMZ; DMZ]
  15. The Wireless Intrusion Prevention System: "Protect the Air"
     • Contain uncontrolled wireless devices
        • Rogue APs
        • Laptops acting as bridges
        • Ad-hoc networks
     • Attacks against WLAN infrastructure
        • Denial of Service / flooding
        • Forged deauthenticate/disassociate
        • Man-in-the-middle
        • WEP cracking / WPA-PSK cracking
  16. Wireless Intrusion Prevention Work Cycle
     • Discover (Complete 802.11 Spectrum Monitoring): continuous RF monitoring of wireless devices, activity and configuration across all 802.11 RF channels
     • Classify (Policy-Based Threat Prioritization): automatic classification of threats and non-threats is critical to security
     • Alert and Audit (Automated Compliance Reporting): automated logging and report distribution ensures compliance with wireless security policies and regulations
     • Contain (Automated Threat Mitigation): automated containment to block any rogue or intruder
  17. Controlling Rogue APs
     1. AP Detection: see all APs
     2. AP Classification: are they neighbors? Are they rogues?
     3. Rogue Containment: stop users from accessing rogues, over wire and wireless. Leave neighbors alone.
     4. Locate rogue: find where it is and disconnect.
  18. Intrusion Detection & Protection
  19. Wireless Intrusion Prevention Features
     • Air monitor (2.4 and 5GHz)
     • Wireless rogue scanning and identification
     • Wired rogue containment
     • Wireless rogue containment via de-authorization
     • Wi-Fi interference detection
     • Spectrum analysis
     • Wi-Fi interference classification
     • Wi-Fi interference visualization
     • Wireless intrusion detection system attack signatures
     • Security threat management visualization
     • Wireless intrusion configuration wizard
     • Total Watch enhanced air monitoring
     • Air monitoring of all bands (2.4, 4.9 and 5GHz)
     • Dynamic channel dwell times
     • In-between channels rogue scanning
     • Automated rule-based rogue classification
     • Advanced wireless rogue containment via tarpitting
     • Detect and contain Windows Bridge
     • Security events correlation
  20. The Pillars of Aruba Wireless Security
     • Authentication before admission into the network
        • Certificate + AD credentials granted Corporate SSID
        • Guest users with credentials granted Guest SSID
        • Others not granted access
     • All wireless traffic encrypted from client to controller
        • No loss of information to eavesdropping
        • No risk of man-in-the-middle attacks
        • Leaves APs free to monitor RF space
     • Stateful firewall to monitor all wireless packets and admit/deny passage
        • All wireless traffic subject to firewall policies
        • Restrict SSIDs by time of day
        • Restrict users by time of day, by destination IP, by protocol
     • Intrusion prevention for identifying and thwarting intruders
        • Continuous monitoring of RF space to identify intruders (rogue APs, unauthorized employee APs, hackers) and block them
  21. For your attention and time. Questions? Write to: solutions@vfmindia.biz. Response Guaranteed.
