Getting the most out of the Aruba Policy Enforcement Firewall

#ATM15 |
Policy Enforcement Firewall
Balajee Krishnamurthy, PLM
Giridhar Shankar, PLM
Amish Shah, TME
@ArubaNetworks

CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved2#ATM15 |
Agenda
• Trends and Challenges
• Aruba’s Policy Enforcement Firewall
• Demo
@ArubaNetworks

The New Normal

Creating a New Network Imperative
Mobility in Office
space, Dorms, Public
Venues, Outdoor, etc
Device Proliferation &
Bring your own device
Heavy multimedia use
Seamless Access Across
from Campus to Remote
Predominately Data
Traffic
IT Sanctioned
Devices
Mobility in Common
Areas Only
Disparate Networks

Creating a New Network Imperative
Mobility in Classrooms,
Dorms, Public Venues,
Outdoor, etc
Device Proliferation &
Bring your own device
Heavy multimedia use
Seamless Access Across
from Campus to Remote
Predominately Data
Traffic
IT Sanctioned
Devices
Mobility in Common
Areas Only
Disparate Networks
Extend Mobility securely
with Existing Resources
Secure Access based on
context
High quality of experience
for real time apps
Maintain Consistent
Security & User
Experience

Existing Networks Not Suited For Mobility
• Disparate networks
• Siloed services
• Built-for client-
server
• No single view of
users or devices
• No context
awareness
Manager
1
Manager
2
Manager
3
Manager
4
Manager
5
VLAN
100
VLAN
200
VLAN
300
VLAN
400
VLAN
500
WIRELESS WIRED VPN
REMOTE
OFFICE
OUTDOOR

7#ATM15 |
Aruba Policy Enforcement
Firewall

PEF
VLAN
Pool
EmployeeSSID
AAA Server
Role A
(200 Users)
Role B
(300 Users)
Multi-Service Mobility Controller
User
Applications
Role A
Role B
Aruba WLAN Architecture with PEF

Aruba Firewall
• Identity-based Stateful firewall
– Role/identity based
– Application Aware
– Stateful policies versus “access control lists”
• Bi-directional
• Session aware; more difficult to spoof
• Dynamic
• Extended features
– Countermeasures (blacklisting)
– QOS
– Valid user access list

Rules, Policies, Roles and Users
Rule 1
Rule 2
Rule 3
Rule n
Rule 1
Rule 2
Rule 1 Rule 1
Rule 2
Rule 3
Rule 4
Rule 1
Rule 2
Rule 3
Rule 4
Policy 1 Policy 2 Policy 3 Policy 4 Policy 5
Role 1
Policy 1
Policy 2
Role 2
Policy 1
Policy 3
Policy 4
Role 3
Policy 4
Policy 5
Role 4
Policy 4
User1 User2 User3 User4 User5 User6 …………UserN
Role Derivation: 1) Locally Derived
2) Server Assigned
3) Default Role
Assigns users
to a role
Methods:
PoliciesRolesDerivation

Policies Overview
• Policies are group of firewall rules
• Evaluated top down
– First rule matched is applied; more specific items at top of list
– All other rules are ignored
– Implicit “deny all” rule at the end of the firewall policy
<source> <destination> <service> <action> <extended action>
Addresses HTTP
FTP
DNS
Application
Etc
Deny
Permit
Nat
Log
Queue
802.1p assignment
TOS
Time Range

Aliases
• Represent one
or more
networks, host
addresses or
services
• Types of
aliases
– Destination
– Network
services

Aruba Firewall Actions
• Basic actions: Permit, Drop, Reject
• NAT’ing actions: : Src-nat, dst-nat, dual-nat
• Re-direct actions: Redirect to tunnel (group), Redirect to
ESI group (External Services Interface
• Routing Actions: Route (src-nat), route dst-nat

Advanced Policy Actions
• Log - generate a log message if rule gets applied
• Mirror – mirrors traffic to another destination
• Queue - assign priority queue of the flow (high/low)
• Time-Range - for time-based policies
• Pause ARM Scanning – delays ARM scanning for real time sessions
• Black list – deny access AND blacklist a client matching this rule
• TOS - set DSCP bits in IP header
• 802.1p-priority - assign 802.1p priority
• Classify Media – monitor all untagged UDP flows to classify them as
media and tag accordingly

Roles
• Every user in an Aruba Mobility Controller is
assigned a role
• Roles
– Each role has one or more firewall policies applied
• Role Derivation
– User-derived
– Server-derived
– Default based on access method (802.1X, VPN etc.)

Role Derivation (in sequence)
• Initial Role
– Pre-authenticated Role
– Always assigned
• User-Derived Roles
– Assigned using device specific attributes
– Executed before client authentication
P
R
E
-
A
U
T
H
E
N
T
I
C
A
T
E
D

Role Derivation
• VSA-Derived Roles (Vendor Specific Attributes)
– Provide features not supported in standard RADIUS attributes
– Can derive user role and VLAN for RADIUS authenticated clients
• Server Derived Roles
– Different access privileges based on security policy
– Can use single SSID for all users/devices
– Role assignment based on attributes from authentication server
• Default Roles
– Configurable by authentication method (AAA Profile)
• Captive Portal
• 802.1X
• VPN
• MAC
P
O
S
T
-
A
U
T
H
E
N
T
I
C
A
T
E
D

Role Assignment Workflow
User associates
to an SSID
User placed in the initial role
(logon by default)
Check for user derived rule
If present user gets new
role
User authentication
Check for Server derived rules ,
if present assign role
No server derived rules present ,
then assign Default Role

Controller Server communication
Radius Request
+ attributes
Guests
Employees
Mobile Devices
Radius Reply
+ Radius attributes
Or
+ Aruba VSA
Derivation Based on
User
BSSID
Location
Authentication type
Device type
Time of day
Depending on
type of server

Aruba Controller and Clearpass
Authentication
Aggregated device info:
- Profiling
- Posture
- Onboarding
- Guests
- AD Attributes
Enforcement Action
Role, VLAN, Bandwidth limits
Redirect to Web page
Download ACL,
(Aruba VSA)
Guests
Employees
Mobile Devices
Accounting
Change of Authorization
Post-authentication
Tracking
- Data caps
- Session limits
- MDM
- Posture
Radius Attributes, Aruba VSA

ClearPass Downloadable Roles
Aggregated device info:
- Profiling
- Posture
- Onboarding
- Guests
- AD Attributes
Enforcement Action
Role Finance, VLAN, Bandwidth limits
Redirect to Web page
Download ACL,
(Aruba VSA)
Radius Attributes, Aruba VSA

Varying the Role according to the AP Group

Bandwidth Contracts
To configure global bandwidth contracts IN CLI:
(host)(config) #dpi global-bandwidth-contract[app|appcategory]
<name>[downstream|upstream][kbits|mbits]<256..2000000>
Configuration
aaa bandwidth-contract "Internet access" mbits 10
dpi global-bandwidth-contract app youtube downstream kbits 500
dpi global-bandwidth-contract app youtube upstream kbits 500

Apply BW-Contract To The Role

OS Fingerprinting on Aruba Controllers
• OS Fingerprinting allows the Aruba Controller to
classify device type and assign a role
– DHCP
• Monitor dhcp-option (User Class Option) included in client’s request
– Browser HTTP
• Watches HTTP traffic from the station looking for user-agent string

Blacklisting
• What is blacklisting
– De-authenticate client from the network
– Block association to APs
– Blocked from other SSIDs
• Methods of blacklisting supported
– Manually blacklist
• Administratively blacklisting a user: Monitoring>Controller> Clients
– Firewall policy
• Any firewall rule can be configured with the blacklist parameter
– Authenticate Failures
• Blacklist client based on (configurable) number of authentication failures
– IDS Attack
• The detection of a denial of service or man in the middle (MITM) attack in the network.

Global Firewall Settings

PEF for Wired Access Control
• The Aruba solution provides the ability to control
– wireless access
– wired side access
• Policies may be applied to individual Port and/or VLAN
– No authentication
• Authentication on the wired side can be handled by
– 802.1X
– Captive Portal authentication
• No Authentication, initial Role assignment
• Wired access control is available on
– APs with more than one Ethernet jack,
– All ports on APs as Mesh Points
– Mobility Controllers

Secure Wired Access on Aruba Products
• Trusted Ports (default)
- Acts like an L2 switch
- Policy may be added
• Non-Trusted Ports or VLANs
- Wired access AAA Profile
- Assign Initial role
- Initiate Authentication
• APs
– The second Ethernet port on an AP with Dual Ethernet ports
– Single or Dual port APs as Mesh Points
93H

Wired AAA Profiles

Captive Portal Process
Core
Network
Internet
Aruba
DNS
AP
Client
Client Associates to CP enabled SSID
Client placed in initial role, gets IP address.
Client requests web page and performs DNS lookup.
Client starts TCP 3-way handshake with web server,
Aruba controller watches for HTTP SYN and
performs Destination NAT to the CP page.
Client authenticates and controller sends HTTP redirect
to client.

VLAN
13 (guest-vlan)
DHCP pool
192.168.1.0/24
Access Control
Authentication
AAA-Profile
guest –aaa
Initial role = guest logon
Server Group
guest- SG = Internal DB
L3 Auth-Profile -> CP Auth
profile
guest –cp
Default role = AuthGuest role
Server group= guest-SG
AP Configuration
Group- Master
WLAN
VAP- guest – vap
VLAN = guest-vlan
AAA = guest -aaa
SSID – guest - vap
User Roles
Guest Logon Role
DHCP, DNS, Captive Portal
Captive portal profile = guest-cp
AuthGuest Role
Block corporate network
DHCP, DNS, Internet
Network
Captive Portal Configuration Sequence

33#ATM15 |
QoS for Voice and Video
33

pkt L3 ToS L2 CoS L3
ToS
L2
Cos
Tagging - Downstream
CASE 1 : No ACLs configuring ToS, CoS
Pkt L3 ToS L2 CoS Pkt L3 ToS L2 CoS
CASE 2 : Session ACLs on the MC configured to modify ToS or CoS
Pkt L3 ToS L2 CoS pkt L3 ToS L2 CoS L3
ToS
L2
Cos Pkt L3 ToS L2 CoS
The ToS or CoS bits for specific traffic
streams can be modified by setting the new
CoS / ToS values to the session ACLs
matching the upstream traffic flow
The new ToS and CoS settings on the packet and
GRE encapsulation header will reflect the values
configured using the Access Policies. If none
configured then the original ToS and CoS settings
will be used as in Case 1.
Direction of Traffic Flow

L3
ToS
L2
Cos
Tagging - Upstream
PktL3 ToSL2 CoS PktL3 ToSL2 CoS
L3
ToS
L2
Cos
PktL3 ToSL2 CoS
PktL3 ToSL2 CoSPktL3 ToSL2 CoSPktL3 ToSL2 CoS
The AP does not set the CoS bits

Automatic Prioritization on the Aruba System
Prioritization in the Downstream Direction
SIP Voice traffic
Data Traffic
Session ACLS
SIP traffic CoS = 7 Tos = 45 Queue = High
Data Traffic Cos = 1 Queue Low
ToS 45 CoS 7
CoS 1
ToS 45 CoS 7
Default CoS and
ToS settings
Voice traffic uses high priority queue
All other traffic uses low priority queue
Session ACLS
SIP traffic CoS = 7 Tos = 45 Queue = High
Data Traffic Cos = 1 Queue Low
Prioritization in the Upstream Direction
The AP remembers the ToS CoS tags used for the
downstream SIP traffic to the voice client and tags
the upstream SIP traffic from the voice client with
the same values.

Voice/UC Aware Firewall
• SIP and SCCP
• H323
• Vocera
• NoE
• Lync Heuristics
• Lync SDN API (Skype for Enterprise)
• Wi-Fi calling

DPI/AppRF
Simple Control
• Select by:
• app group
• app,
• role
• address
• Apply policy (block,
throttle, prioritize)
• Eliminates complexity of
configuration

How does classification work?
• Website URL information identifies popular
websites
• Signatures are used for “easy to identify”
applications
• Uses protocol grammar analysis to understand
complex applications and their current state
• Uses advanced heuristics when required
• Detects encrypted applications via certificate
common names

Application Categories

Applications per Category

Encrypted Applications
• Primary method of classification for encrypted
flows is use of the unencrypted certificate
information
– Primarily Common Name
• Certificate is exchanged as part of the initial
application startup
• Only allows granularity reflected in the cert
name
– All of facebook, for example, uses a cert with “Facebook”
as the CN
• Extraction of metadata or any deeper analysis
isn’t possible
44

AppRF 2.0 Platform Support
• Support on 70xx, 72xx
• Solution will support mixed 72x0/older controller networks
– App level rules can be configured on non-70xx/72xx masters
– App rules will be pushed to local controllers, but won’t be written into
configuration
• On non-master 72x0, filter dashboard works but the “action” buttons
are greyed out
• On older platforms, “users” replace App Categories, and Apps use old
AppRF
45

New Policy Containers
• To simplify security rules, we have created a “Global Policy” and a
“Role-Specific” policy
• These are the first two Policies in every Role
– Global policy is applied first
– Role-Specific policy is applied second
– All other configured policies are applied in turn afterwards
• Use of these is optional – if left empty, nothing changes about how
the configuration is applied and the rules enforced
46

Global ACL
• To simplify security rules, we have created a “Global Policy” and a
“Role-Specific” policy
• These are the first two Policies in every Role
– Global policy is always on 1st position and applied to all user roles
– Role-Specific policy always on 2nd position and applied to specific user role
– All other configured policies are applied in turn afterwards
• Use of these is optional – if left empty, nothing changes about how the
configuration is applied and the rules enforced

Two configuration models for AppRF
• “Traditional” Role-Based Workflow
– Configuration>Access Control>Role>Policy>ACL
– Traditional CLI commands with extensions for apps/categories
• “Simplified” Dashboard-Based Workflow
– Leverages new policy containers “Global Policy” and “Role Policy”
48

Configuration Knobs
• There are 3 configuration knobs related to AppRF
• “Firewall Visibility” global knob – turns on/off dashboard display
• Default is “on”
• “DPI” global knob – turns on DPI and detection of the 1500
applications
• If performance overhead becomes a problem
• For privacy reasons
• Default is “on”
• Per-role DPI knob
• Privacy reasons
• Performance reasons – only inspect the traffic you want to inspect
49

ALGs vs. DPI
• AOS ALGs are used to classify, monitor, and QoS certain types of
traffic, especially UCC protocols
• Sessions can only be classified by one method
• Old-school Aruba ALGs or DPI
• ALGs take precedence
• No ALG traffic can be blocked, QoS, or BW limited via DPI
• Will show in Dashboard
• If an ACL is written using an ALG app, it will be ignored
50

Application Bandwidth Contracts
• Bandwidth contracts for applications or application groups will be
supported at FCS
• Only Role-Based Bandwidth contracts will be supported
– Not User or AP Group
• Application-based and “generic bandwidth based” contracts will
co-exist but not cooperate in this first release
• “Traditional” and “Dashboard” methods can be used to configure
bandwidth contracts
• Global and Role-Based BW contracts are supported
51

52#ATM15 |
Web Content Classification

Web Content Classification
Simple Control
• Select by:
• Web category
• URL
• Role
• Apply policy (block,
throttle, prioritize)
• Web reputation scores

High Level Feature set
• New dashboard for URL classification and reputation classification
• Classifies web browsing history by categories and risks
• 82 web categories and 5 web reputation groups
• Web traffic can be blocked, QoS, mirrored etc. based on ACLs created.
• Works in the cloud with a local cache file
• Supported on both controller and Instant product lines
• Database includes five security categories that identify malware,
phishing, botnet, and other malicious sites
• Full AMON logging of web site information to AirWave for a future
dashboard
• Very simple web notification to users who violate policy

Web Policy database includes 82 categories

Web Reputation Scores
• Provides a reputation
score for each website
• Score based on risk of
malware, phishing, etc –
NOT on morality
• Recent malware
infections, age of site,
linking to bad sites are
major influencers of the
score

Web Content security categories
Blocking these categories will help protect end users against malware

Differences between AppRF applications and Web
Content categories
• Application Categories
• Functional – Enterprise Apps, Network Protocols
• Actionable – Peer-to-Peer, Streaming Media, Social Media
• Static – contain set number of defined applications
• 1-1 – a given App or website is in only one category
• Web Categories
• Totally content based
• Completely dynamic – changed/added to continuously
• Indeterminate – can’t ask the cloud for a complete list of category
members
• 1-Many – Each website can be a member of up to 5 categories

Feature Details
• Global knob to enable/disable content analysis
• Configuration>Advanced>Stateful Firewall>General
• “firewall web-cc”
• Role-based control for enable/disable content analysis
• Global knob to control default behavior for a cache miss
• Permit or block – default to permit
• Platform Support – New controllers only
• 72x0, 70xx

Controller Licenses for AppRF and Webcontent Filter
• PEF license is required per AP for AppRF
• Additional per AP subscription is required for WebContent
Filtering.
– Subscription will be free during an early preview period till AOS 6.4.3

Important – Requires DNS Configuration!
• Feature requires DNS client functionality be enabled so that the
controller can find the cloud resources
• On the CLI, “ip name-server <ip address>”
• In the GUI, “Configuration>IP > Routes & DNS”

Frequently Asked Questions
• What if I want to block a category, but there is a website in it I
don’t want to block
– Simply create a “net destination” ACL for the website by hostname and put
it before the web category ACL in the policy list
• How do I know what category a web site is a member of? Or
why the reputation score is so high/low?
• Look up the URL here - http://www.brightcloud.com/tools/url-ip-lookup.php
• What if I disagree with a categorization and want to have it
changed?
– Use BrightCloud’s help form here -
http://www.brightcloud.com/tools/change-request-url-categorization.php

FAQ Continued
• Should I use “application categories” or “web categories” to
block content like streaming media?
– Easiest, most comprehensive way to do this is to use the Web Content
feature whenever there is an overlap between app category and web
category
– Exception would be if the administrator wants to know exactly what they
are blocking, and the application category includes the applications they
are interested in

AppRF comparison on controller and Instant AP
Features Controllers Instant
Global ACL
 
Create ACL from dashboard
 
Detailed Web Content Filtering view on dashboard Top 6 or Top 9 category view
along with web reputation and
URL destination information
Classifies web reputations but
no detail information about URL
destinations
Dashboard visibility Centralized view of all the user
data flowing through the controller
With Instant OS 4.1.1 onwards,
we have aggregate data for
SSID
Dashboard Refresh period Refreshes data every 2 mins Option to view either 1 min or 15
min data
Web URL Cache 1 million URL cached locally Very small cache on IAP
WAN dependency for Web Content filtering Less. Only if URL does not match
the locally cached database of 1
million URLs
High

THANK YOU
65#ATM15 | @ArubaNetworks

Getting the most out of the Aruba Policy Enforcement Firewall

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Getting the most out of the Aruba Policy Enforcement Firewall

Similar to Getting the most out of the Aruba Policy Enforcement Firewall (20)

More from Aruba, a Hewlett Packard Enterprise company

More from Aruba, a Hewlett Packard Enterprise company (20)

Recently uploaded

Recently uploaded (20)

Getting the most out of the Aruba Policy Enforcement Firewall