The document discusses the security features of Aruba wireless networks. It states that wireless can be made more secure than wired networks if implemented properly. It describes Aruba's approach which includes: 1) authenticating users before allowing network access, 2) encrypting all wireless traffic between clients and controllers, and 3) using a stateful firewall to monitor wireless packets and enforce access policies based on user identity. This architecture is said to prevent eavesdropping, unauthorized access, and intrusions while allowing centralized management of distributed wireless networks.

1. Security with Aruba Wireless
VFM Systems & Services (P) Ltd.

2. Enterprises Around the World
Depend on Aruba Networks
High Tech Internet Finance Media & Ent.
Education Government Healthcare Retail
Hospitality Public Transit Public Venues Services
Oil and Gas Manufacturing Logistics Telecom

3. Is this how you think about Wireless? (Unlikely..)
Wireless is
more secure
than wired
It is true …..
If you do it
right

4. Wired Network Security Questions
On your wired Network
 Do you authenticate your users?
 Do you encrypt all traffic?
 Do you control access to Network resources
based on user identity?
Aruba Wireless lets you do all this by
design.

5. The Pillars of Aruba Wireless Security
Stateful Firewall
Intrusion
Authentication All wireless to monitor all
Prevention for
before traffic encrypted wireless
identifying and
Admission into from client to packets and
thwarting
Network controller admit/deny
intruders
passage

6. All at one place
• Know the User • No
Identity eavesdropping
Authentication Encryption
Intrusion
Authorization
Prevention
• Detect and • Clear set of
Contain Allows and
rogues Denys

7. Aruba Unified Access Architecture
Centralized controller enables distributed networks
Access Points Network Services
Aruba Mobility
Controller
End-to-end Multi-vendor AirWave Network Management

8. Mobility Controller
Connects to Network
Backbone at the DC / Core
Switch through standard
CAT 5 cable
Access Points are placed at appropriate
locations in the offices (walls / false roofs)
and connect to the wired backbone
through standard CAT 5 cable

9. Authentication
802.1x / Captive Portal / VPN
Authentication with 802.1x
 Authenticate users before granting access to
L2 media
 Makes use of EAP (All forms of EAP
supported)
 On successful authentication IP address is
assigned

10. Encryption of Wireless Traffic
 Traffic is encrypted as it leaves a Wireless Client and is decrypted only at
the Controller (and not at the AP),as only the controller has the decryption
keys.
 Someone tapping to the airwaves sees only encrypted traffic
 Someone tapping into the Access Point sees only encrypted traffic
 Someone tapping into the wire between the AP and the controller sees only
encrypted traffic
 Risk of Loss of corporate information through man-in-the-middle eavesdropping
is completely ruled out
 This architecture is superior to decryption at the AP as then
 The AP is a vulnerable point for hacking and gaining decryption credentials to
eavesdrop
 The wire connecting the AP and the controller can be tapped to listen into
wireless traffic
 Risks of Man-in-the middle eavesdropping is very high
 Encryption Protocols Supported
 WPA/TKIP
 WPA2/AES

11. Wireless Users Access Restrictions
Once admitted into the wireless network after
stringent authentication, what a wireless user
can do is subject to policies defined in the
Stateful Inspection Firewall in the Controller
 Every wireless packet is decrypted and based on the
identity of the user – passed through the policies
defined for the user
 Unauthorized access of network resources is denied
 The firewall is ICSA certified, stateful and provides for
much higher level of security compared to stateless
ACLs

12. What does the Firewall do?

13. The Stateful Firewall in the Aruba Controller
 The firewall being in the controller is integrated to the
point of authentication and the point of decryption is able
to provide “User-centric” Network access policies by
 User name / User Groups provided by AD
 The source IP information of the data
 The destination IP information of the data
 The application data streams the client is generating
 The network protocol in use
 The required Quality of Service needs for that data stream
 Time of the Day ….. And so on.
 Thus the stateful firewall prevents unauthorized access
by users of the wireless network

14. User-Centric Networks Enable Mobility
Role-Based AAA
Access Control FastConnect
Access Rights
SSID-Based
Staff Access Control Executive RADIUS
LDAP
AD
Virtual AP 1
SSID: Corp Finance
Contractors Corporate
Services
Legal
Voice
Virtual AP 2 HR
Video SSID: GUEST
Secure Tunnel
Guest To DMZ
Captive Portal
Guest DMZ

15. The Wireless Intrusion Prevention System
 Contain uncontrolled Wireless devices
 Rogue Aps
 Laptops acting as bridges
 Ad-hoc networks
 Attacks against WLAN infrastructure
 Denial of Service/Flooding
 Forged deauthenticate/disassociate
 Man-in-the-middle
 WEP Cracking/ WPA-PSK cracking
“Protect the Air”

16. Wireless Intrusion Prevention Work Cycle
Discover Classify
Complete 802.11 Spectrum Monitoring
Policy-Based Threat Prioritization
Continuous RF monitoring of
wireless devices, activity and Automatic classification of threats
configuration across all 802.11 and non-threats is critical to RF
channels security
Alert and Audit Contain
Automated Compliance Reporting
Automated Threat Mitigation
Automated logging and report Automated containment to block any
distribution ensures compliance with rogue or intruder
wireless security policies and
regulations

17. Controlling Rogue APs
1. AP Detection
1. See all Aps
2. AP Classification
Are they
neighbors?
Are they rogues?
3. Rogue Containment
Stop users from
accessing Rogues
Over wire and
wireless
Leave neighbors
alone
4. Locate rogue.
Find where it is
and disconnect.

18. Intrusion Detection & Protection

19. Wireless Intrusion Prevention Features
Feature
Air monitor (2.4 and 5GHz) 
Wireless rogue scanning and identification 
Wired rogue containment 
Wireless rogue containment via de-authorization 
Wi-Fi interference detection 
Spectrum analysis 
Wi-Fi interference classification 
Wi-Fi interference visualization 
Wireless intrusion detection system attack signatures 
Security threat management visualization 
Wireless intrusion configuration wizard 
Total Watch enhanced air monitoring 
Air monitoring of all bands (2.4, 4.9 and 5GHz) 
Dynamic channel dwell times 
In-between channels rogue scanning 
Automated rule-based rogue classification 
Advanced wireless rogue containment via tarpitting 
Detect and contain Windows Bridge 
Security events correlation 

20. The Pillars of Aruba Wireless Security
Authentication All wireless Stateful Firewall Intrusion
before traffic encrypted to monitor all Prevention for
Admission into from client to wireless packets identifying and
Network controller and admit/deny thwarting
• Certificate + AD • No loss of passage intruders
credentials granted information to • All wireless traffic • Continuous
Corporate SSID eavesdropping subject to Firewall monitoring of RF
• Guest users with • No risk to man in policies space to identify
Credentials granted the middle attacks • Restrict SSIDs by intruders – rouge
Guest SSID • Leaves APs free to time of Day APs, unauthorized
• Others not granted monitor RF space • Restrict Users by employee APs,
access time of day, by Hackers – and
destination IP, by block them.
Protocol

21. For your attention and time.
Questions?
Write to : solutions@vfmindia.biz
Response Guaranteed