The document discusses the security features of Aruba wireless networks. It states that wireless can be made more secure than wired networks if implemented properly. It describes Aruba's approach which includes: 1) authenticating users before allowing network access, 2) encrypting all wireless traffic between clients and controllers, and 3) using a stateful firewall to monitor wireless packets and enforce access policies based on user identity. This architecture is said to prevent eavesdropping, unauthorized access, and intrusions while allowing centralized management of distributed wireless networks.
2. Enterprises Around the World Depend on Aruba Networks
High Tech, Internet, Finance, Media & Ent., Education, Government, Healthcare, Retail, Hospitality, Public Transit, Public Venues, Services, Oil and Gas, Manufacturing, Logistics, Telecom
3. Is this how you think about Wireless? (Unlikely..)
Wireless is more secure than wired
It is true ….. If you do it right
4. Wired Network Security Questions
On your wired Network
Do you authenticate your users?
Do you encrypt all traffic?
Do you control access to Network resources based on user identity?
Aruba Wireless lets you do all this by design.
5. The Pillars of Aruba Wireless Security
Authentication before Admission into Network
All wireless traffic encrypted from client to controller
Stateful Firewall to monitor all wireless packets and admit/deny passage
Intrusion Prevention for identifying and thwarting intruders
6. All at one place
• Know the User: Identity, Authentication, Authorization
• No eavesdropping: Encryption
• Detect and Contain rogues: Intrusion Prevention
• Clear set of Allows and Denys
8. Mobility Controller
Connects to Network Backbone at the DC / Core Switch through standard CAT 5 cable
Access Points are placed at appropriate locations in the offices (walls / false roofs) and connect to the wired backbone through standard CAT 5 cable
9. Authentication
802.1X / Captive Portal / VPN
Authentication with 802.1X
Authenticate users before granting access to L2 media
Makes use of EAP (all forms of EAP supported)
On successful authentication an IP address is assigned
10. Encryption of Wireless Traffic
Traffic is encrypted as it leaves a Wireless Client and is decrypted only at the Controller (and not at the AP), as only the controller has the decryption keys.
Someone tapping into the airwaves sees only encrypted traffic
Someone tapping into the Access Point sees only encrypted traffic
Someone tapping into the wire between the AP and the controller sees only encrypted traffic
Risk of loss of corporate information through man-in-the-middle eavesdropping is completely ruled out
This architecture is superior to decryption at the AP, where:
The AP is a vulnerable point for hacking and gaining decryption credentials to eavesdrop
The wire connecting the AP and the controller can be tapped to listen in to wireless traffic
The risk of man-in-the-middle eavesdropping is very high
Encryption Protocols Supported
WPA/TKIP
WPA2/AES
11. Wireless Users Access Restrictions
Once admitted into the wireless network after stringent authentication, what a wireless user can do is subject to policies defined in the Stateful Inspection Firewall in the Controller
Every wireless packet is decrypted and, based on the identity of the user, passed through the policies defined for that user
Unauthorized access to network resources is denied
The firewall is ICSA certified, stateful and provides a much higher level of security compared to stateless ACLs
13. The Stateful Firewall in the Aruba Controller
Because the firewall in the controller is integrated with both the point of authentication and the point of decryption, it is able to provide "User-centric" Network access policies by:
User name / User Groups provided by AD
The source IP information of the data
The destination IP information of the data
The application data streams the client is generating
The network protocol in use
The required Quality of Service needs for that data stream
Time of the Day ….. And so on.
Thus the stateful firewall prevents unauthorized access by users of the wireless network
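The policy dimensions listed above (identity from an AD group, source and destination IP, protocol, time of day) and the stateful/stateless distinction drawn on the previous slide can be made concrete with a small model. The following is an added example written for this page, not Aruba code; every role, AD group, address, rule and session below is constructed for illustration. Identity is bound to a client IP when authentication succeeds (as slide 9 describes), rules are matched first-hit against the role of the sending client, and return traffic is admitted only for a flow the firewall has already allowed, which is exactly what a stateless ACL cannot express.

```python
"""User-centric stateful firewall policy check (added example, not Aruba code).

Models the policy dimensions the slide lists: role derived from an AD group,
source/destination IP, protocol and time of day, plus a session table so that
return traffic is admitted only for flows the firewall has already allowed.
All groups, roles, networks, addresses and rules here are constructed.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed mapping from AD group to firewall role
AD_GROUP_TO_ROLE = {"Finance": "finance", "Staff": "staff", "Guests": "guest"}


@dataclass(frozen=True)
class Rule:
    role: str
    dst: str                 # destination network in CIDR notation
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # destination port, None means any port
    action: str              # "allow" or "deny"
    start: time = time(0, 0)     # time-of-day window, inclusive
    end: time = time(23, 59)

    def matches(self, role, dst, proto, dport, at):
        return (self.role == role
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport)
                and self.start <= at <= self.end)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    at: time                 # time of day the packet was seen


# Constructed policy: first match wins, implicit deny at the end
POLICY = [
    Rule("finance", "10.10.0.0/16", "tcp", 443, "allow", time(8, 0), time(18, 0)),
    Rule("finance", "10.10.0.0/16", "tcp", 443, "deny"),      # outside office hours
    Rule("staff", "10.20.0.0/16", "any", None, "allow"),
    Rule("staff", "10.10.0.0/16", "any", None, "deny"),       # staff kept off finance servers
    Rule("guest", "10.0.0.0/8", "any", None, "deny"),         # guests never reach the LAN
    Rule("guest", "0.0.0.0/0", "tcp", 80, "allow"),
    Rule("guest", "0.0.0.0/0", "tcp", 443, "allow"),
]


class UserCentricFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.role_of_ip = {}    # client IP -> role, filled in at authentication time
        self.sessions = set()   # 5-tuples of flows this firewall has admitted

    def on_authenticated(self, client_ip, ad_group):
        """Bind the role to the IP assigned after 802.1X / captive portal succeeds."""
        self.role_of_ip[client_ip] = AD_GROUP_TO_ROLE.get(ad_group, "unknown")

    def inspect(self, pkt):
        # Reply direction of a flow that was already allowed: stateful admission
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            return "allow-established"
        role = self.role_of_ip.get(pkt.src)
        if role is None:
            return "deny"   # unauthenticated source, or unsolicited inbound traffic
        for rule in self.policy:
            if rule.matches(role, pkt.dst, pkt.proto, pkt.dport, pkt.at):
                if rule.action == "allow":
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action
        return "deny"       # no rule matched: implicit deny


def demo():
    """Run constructed packets through the policy and return the decisions."""
    fw = UserCentricFirewall(POLICY)
    fw.on_authenticated("10.50.0.7", "Finance")
    fw.on_authenticated("10.50.0.8", "Guests")
    fw.on_authenticated("10.50.0.9", "Staff")
    r = {}
    # Finance user to a finance server over HTTPS during office hours
    r["finance_https_day"] = fw.inspect(Packet("10.50.0.7", 51000, "10.10.5.20", 443, "tcp", time(10, 30)))
    # The server's reply on that same flow: admitted by the session table
    r["finance_https_return"] = fw.inspect(Packet("10.10.5.20", 443, "10.50.0.7", 51000, "tcp", time(10, 30)))
    # Same user and server at night: the time-of-day rule denies it
    r["finance_https_night"] = fw.inspect(Packet("10.50.0.7", 51001, "10.10.5.20", 443, "tcp", time(23, 0)))
    # Server-initiated packet on a flow the client never opened: no session, deny
    r["unsolicited_inbound"] = fw.inspect(Packet("10.10.5.20", 443, "10.50.0.7", 51002, "tcp", time(10, 30)))
    # Guest to an internal server is denied; guest to the Internet over HTTPS is allowed
    r["guest_internal"] = fw.inspect(Packet("10.50.0.8", 40000, "10.10.5.20", 443, "tcp", time(12, 0)))
    r["guest_internet"] = fw.inspect(Packet("10.50.0.8", 40001, "203.0.113.10", 443, "tcp", time(12, 0)))
    # Staff trying a finance server: denied by role
    r["staff_to_finance"] = fw.inspect(Packet("10.50.0.9", 40002, "10.10.5.20", 22, "tcp", time(12, 0)))
    # An IP that never authenticated has no role bound, so it gets nothing
    r["unauthenticated"] = fw.inspect(Packet("10.50.0.99", 40003, "203.0.113.10", 443, "tcp", time(12, 0)))
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The session table is what turns "allow tcp/443 to the finance subnet" into a per-flow decision: the reply for flow 51000 is admitted, while a server-originated packet to port 51002 on the same client is dropped because no client ever opened that flow. A stateless ACL would have to permit all traffic from port 443 to make the legitimate reply work, and would let the unsolicited packet through with it.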
14. User-Centric Networks Enable Mobility
[Diagram: Role-Based Access Control, AAA FastConnect, SSID-Based Access Control and Access Rights. User roles: Staff, Executive, Contractors, Guest. AAA servers: RADIUS, LDAP, AD. Virtual AP 1, SSID: Corp, serving Finance, Corporate Services, Legal, HR, Voice and Video. Virtual AP 2, SSID: GUEST, serving Guest users through a Captive Portal and a Secure Tunnel to the Guest DMZ.]
15. The Wireless Intrusion Prevention System
Contain uncontrolled Wireless devices
Rogue APs
Laptops acting as bridges
Ad-hoc networks
Attacks against WLAN infrastructure
Denial of Service/Flooding
Forged deauthenticate/disassociate
Man-in-the-middle
WEP Cracking/ WPA-PSK cracking
“Protect the Air”
16. Wireless Intrusion Prevention Work Cycle
Discover: Complete 802.11 Spectrum Monitoring. Continuous RF monitoring of wireless devices, activity and configuration across all 802.11 channels
Classify: Policy-Based Threat Prioritization. Automatic classification of threats and non-threats is critical to RF security
Alert and Audit: Automated Compliance Reporting. Automated logging and report distribution ensures compliance with wireless security policies and regulations
Contain: Automated Threat Mitigation. Automated containment to block any rogue or intruder
17. Controlling Rogue APs
1. AP Detection: See all APs
2. AP Classification: Are they neighbors? Are they rogues?
3. Rogue Containment: Stop users from accessing Rogues, over wire and wireless. Leave neighbors alone
4. Locate rogue: Find where it is and disconnect.
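The Discover, Classify and Contain stages of the work cycle on slide 16 and the four steps on slide 17 come down to one decision per observed BSSID: is this radio ours, a neighbor to be left alone, or a rogue to contain and locate? The following is an added example written for this page, not Aruba code. It classifies constructed air-monitor observations against an authorized-AP list and a MAC table learned from the wired switches; the "radio MAC within a few addresses of a MAC seen on our wire" heuristic is a common way of inferring that an unknown AP is plugged into the corporate LAN and is used here as an assumption, not as a description of Aruba's own classifier. Every BSSID, SSID and MAC in the block is constructed. Containment itself is left as an action label handed to the WIPS; the example only makes the decision.

```python
"""Rogue AP discover / classify / contain decision logic (added example, not Aruba code).

Each observation from an air monitor is classified as "valid" (an AP the
controller manages), "rogue" (an unknown radio either advertising our SSID or
apparently attached to our wired LAN) or "neighbor" (someone else's network).
Only rogues get a containment action; neighbors are logged and left alone.
All BSSIDs, SSIDs and MAC tables below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str        # radio MAC address seen over the air
    ssid: str
    channel: int
    band: str         # "2.4" or "5"
    signal_dbm: int   # strength at the monitor, useful later for locating the device


# Constructed inventory: radios belonging to APs this controller manages
AUTHORIZED_BSSIDS = {"00:1a:1e:aa:00:01", "00:1a:1e:aa:00:02"}
# SSIDs only our own APs may advertise
CORPORATE_SSIDS = {"Corp", "GUEST"}
# Constructed MAC table learned from the wired edge switches (FDB/ARP)
WIRED_MACS = {"00:1a:1e:aa:00:01", "f0:9f:c2:11:22:30", "a4:5e:60:55:66:77"}


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def wired_neighbour_match(bssid, wired_macs, window=8):
    """Assumed heuristic: many APs derive radio BSSIDs from their wired MAC by a
    small offset, so a BSSID within `window` of a MAC seen on our switches
    suggests the radio is plugged into our LAN."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= window for m in wired_macs)


def classify(obs, authorized=AUTHORIZED_BSSIDS, corp_ssids=CORPORATE_SSIDS, wired=WIRED_MACS):
    if obs.bssid in authorized:
        return "valid"
    if obs.ssid in corp_ssids:
        return "rogue"       # unknown radio impersonating a corporate SSID
    if wired_neighbour_match(obs.bssid, wired):
        return "rogue"       # unknown radio that appears to sit on our wire
    return "neighbor"        # a foreign network; policy says leave it alone


def decide(observations):
    """Return (bssid, classification, action) per observation, in input order."""
    decisions = []
    for obs in observations:
        cls = classify(obs)
        action = "contain" if cls == "rogue" else "log"
        decisions.append((obs.bssid, cls, action))
    return decisions


# Constructed scan results from one air monitor pass
SCAN = [
    Observation("00:1a:1e:aa:00:01", "Corp", 36, "5", -45),         # our own AP
    Observation("f0:9f:c2:11:22:34", "Corp", 6, "2.4", -60),        # unknown radio advertising "Corp"
    Observation("a4:5e:60:55:66:7a", "HomeNet-Bob", 1, "2.4", -70),  # employee AP on our wire
    Observation("3c:84:6a:00:00:99", "CoffeeShop", 11, "2.4", -80),  # the cafe next door
]


if __name__ == "__main__":
    for bssid, cls, action in decide(SCAN):
        print(f"{bssid}  {cls:8s}  {action}")
```

The order of the checks matters: an unknown radio carrying a corporate SSID is treated as rogue regardless of where it is plugged in, because it can harvest credentials from clients that auto-join by SSID, whereas the wired-MAC match catches the quieter case of an employee's home router on a spare port. Anything that fails both checks is a neighbor and, per the slide, is not contained.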
19. Wireless Intrusion Prevention Features
Feature
Air monitor (2.4 and 5GHz)
Wireless rogue scanning and identification
Wired rogue containment
Wireless rogue containment via de-authorization
Wi-Fi interference detection
Spectrum analysis
Wi-Fi interference classification
Wi-Fi interference visualization
Wireless intrusion detection system attack signatures
Security threat management visualization
Wireless intrusion configuration wizard
Total Watch enhanced air monitoring
Air monitoring of all bands (2.4, 4.9 and 5GHz)
Dynamic channel dwell times
In-between channels rogue scanning
Automated rule-based rogue classification
Advanced wireless rogue containment via tarpitting
Detect and contain Windows Bridge
Security events correlation
20. The Pillars of Aruba Wireless Security
Authentication before Admission into Network
• Certificate + AD credentials granted Corporate SSID
• Guest users with Credentials granted Guest SSID
• Others not granted access
All wireless traffic encrypted from client to controller
• No loss of information to eavesdropping
• No risk to man in the middle attacks
• Leaves APs free to monitor RF space
Stateful Firewall to monitor all wireless packets and admit/deny passage
• All wireless traffic subject to Firewall policies
• Restrict SSIDs by time of Day
• Restrict Users by time of day, by destination IP, by Protocol
Intrusion Prevention for identifying and thwarting intruders
• Continuous monitoring of RF space to identify intruders – rogue APs, unauthorized employee APs, Hackers – and block them.
21. For your attention and time.
Questions?
Write to : solutions@vfmindia.biz
Response Guaranteed