Security with Aruba Wireless VFM Systems & Services (P) Ltd.
Enterprises Around the World Depend on Aruba Networks
High Tech, Internet, Finance, Media & Entertainment, Education, Government, Healthcare, Retail, Hospitality, Public Transit, Public Venues, Services, Oil and Gas, Manufacturing, Logistics, Telecom
Is this how you think about Wireless? (Unlikely..)
Wireless is more secure than wired. It is true ..... if you do it right.
Wired Network Security Questions
On your wired network:
• Do you authenticate your users?
• Do you encrypt all traffic?
• Do you control access to network resources based on user identity?
Aruba Wireless lets you do all this by design.
The Pillars of Aruba Wireless Security
• Authentication before admission into the network
• All wireless traffic encrypted from client to controller
• Stateful Firewall to monitor all wireless packets and admit/deny passage
• Intrusion Prevention for identifying and thwarting intruders
All at one place
• Authentication: know the user (identity)
• Encryption: no eavesdropping
• Authorization: clear set of allows and denys
• Intrusion Prevention: detect and contain rogues
The Mobility Controller connects to the network backbone at the DC / core switch through standard CAT 5 cable. Access Points are placed at appropriate locations in the offices (walls / false roofs) and connect to the wired backbone through standard CAT 5 cable.
Authentication: 802.1X / Captive Portal / VPN
Authentication with 802.1X
• Authenticate users before granting access to L2 media
• Makes use of EAP (all forms of EAP supported)
• On successful authentication an IP address is assigned
Encryption of Wireless Traffic
Traffic is encrypted as it leaves a wireless client and is decrypted only at the Controller (and not at the AP), as only the controller has the decryption keys.
• Someone tapping the airwaves sees only encrypted traffic
• Someone tapping into the Access Point sees only encrypted traffic
• Someone tapping into the wire between the AP and the controller sees only encrypted traffic
The risk of loss of corporate information through eavesdropping or man-in-the-middle interception on the air, at the AP, or on the AP-to-controller wire is removed; traffic is in the clear only beyond the controller, where the wired network's own controls apply.
This architecture is superior to decryption at the AP, because then:
• The AP is a vulnerable point for hacking and gaining decryption credentials to eavesdrop
• The wire connecting the AP and the controller can be tapped to listen in on wireless traffic
• The risk of man-in-the-middle eavesdropping is very high
Encryption protocols supported: WPA/TKIP, WPA2/AES. (TKIP is kept only for legacy clients; WPA2/AES should be used wherever clients support it.)
Wireless Users Access Restrictions
Once admitted into the wireless network after stringent authentication, what a wireless user can do is subject to the policies defined in the Stateful Inspection Firewall in the Controller.
• Every wireless packet is decrypted and, based on the identity of the user, passed through the policies defined for that user
• Unauthorized access to network resources is denied
• The firewall is ICSA certified and stateful, and provides a much higher level of security than stateless ACLs
The Stateful Firewall in the Aruba Controller
Because the firewall is in the controller, it is integrated with both the point of authentication and the point of decryption, and so can provide "user-centric" network access policies based on:
• User name / user groups provided by AD
• The source IP of the data
• The destination IP of the data
• The application data streams the client is generating
• The network protocol in use
• The required Quality of Service for that data stream
• Time of day ..... and so on.
Thus the stateful firewall prevents unauthorized access by users of the wireless network.
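The decision logic the two slides above describe, as an added example in Python (not Aruba's code): each user role gets an ordered rule list with destination-network, protocol, port and time-of-day conditions, first match wins, and a session table admits the return traffic of a permitted flow without a reverse rule, which is what makes the firewall stateful rather than a stateless ACL. The role names, networks, ports and packets are constructed for illustration.

```python
"""Role-based, stateful policy evaluation for a wireless controller firewall.

Added example, not Aruba code. Role names, networks, ports and the sample
packets below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    at: time            # time of day the packet was seen


@dataclass(frozen=True)
class Rule:
    dst_net: str                                # destination CIDR
    proto: str                                  # "tcp", "udp", "icmp" or "any"
    dports: Tuple[int, ...]                     # empty tuple = any port
    action: str                                 # "permit" or "deny"
    hours: Optional[Tuple[time, time]] = None   # [start, end) window, None = always

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.hours and not (self.hours[0] <= pkt.at < self.hours[1]):
            return False
        return True


# Hypothetical per-role policies, evaluated top-down, first match wins.
ROLE_POLICIES = {
    "employee": [
        Rule("10.0.0.0/8", "any", (), "permit"),
        Rule("0.0.0.0/0", "tcp", (80, 443), "permit"),
        Rule("0.0.0.0/0", "any", (), "deny"),
    ],
    "contractor": [
        # Only HTTPS to one internal subnet, and only during office hours.
        Rule("10.20.0.0/16", "tcp", (443,), "permit", (time(8, 0), time(18, 0))),
        Rule("0.0.0.0/0", "any", (), "deny"),
    ],
    "guest": [
        Rule("10.0.0.0/8", "any", (), "deny"),      # never into the corporate network
        Rule("0.0.0.0/0", "tcp", (80, 443), "permit"),
        Rule("0.0.0.0/0", "udp", (53,), "permit"),
        Rule("0.0.0.0/0", "any", (), "deny"),
    ],
}


class StatefulFirewall:
    def __init__(self, role_policies=ROLE_POLICIES):
        self.policies = role_policies
        self.sessions = set()   # (client_ip, sport, server_ip, dport, proto)

    def check(self, role: str, pkt: Packet) -> str:
        # 1. Return traffic of an established session is permitted without
        #    consulting the policy: this is what "stateful" buys over an ACL.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "permit"
        # 2. Otherwise evaluate the user's role rules in order; first match wins.
        for rule in self.policies.get(role, []):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action
        return "deny"   # implicit deny: no rule matched or the role is unknown


def demo() -> Dict[str, str]:
    """Constructed packets run through one firewall instance; returns verdicts."""
    fw = StatefulFirewall()
    at = time(9, 30)
    out = Packet("10.50.1.7", 51000, "10.20.3.9", 443, "tcp", at)
    back = Packet("10.20.3.9", 443, "10.50.1.7", 51000, "tcp", at)
    return {
        "contractor_https_in_hours": fw.check("contractor", out),
        "contractor_return_traffic": fw.check("contractor", back),
        "contractor_https_after_hours": fw.check(
            "contractor", Packet("10.50.1.7", 51001, "10.20.3.9", 443, "tcp", time(21, 0))),
        "guest_to_internal": fw.check(
            "guest", Packet("10.60.0.5", 40000, "10.20.3.9", 443, "tcp", at)),
        "guest_to_internet": fw.check(
            "guest", Packet("10.60.0.5", 40001, "203.0.113.10", 443, "tcp", at)),
        # No session for port 40002, so this inbound packet hits the role policy.
        "unsolicited_inbound_to_guest": fw.check(
            "guest", Packet("203.0.113.10", 443, "10.60.0.5", 40002, "tcp", at)),
        "unknown_role": fw.check(
            "visitor", Packet("10.70.0.1", 1, "10.70.0.2", 80, "tcp", at)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The same destination (10.20.3.9:443) is permitted for the contractor in hours, denied for the same contractor after hours and denied for a guest, which is the point of keying policy on identity rather than on the SSID or the client's IP; the unsolicited inbound packet shows why a session table matters, since an ACL that allowed return traffic by port alone would have let it through.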
User-Centric Networks Enable Mobility (diagram)
Role-based AAA access control (RADIUS / LDAP / AD, FastConnect) assigns access rights per user role rather than per SSID alone.
• Virtual AP 1, SSID: Corp: roles Staff, Executive, Finance, Contractors, Corporate Services, Legal, HR, Voice, Video
• Virtual AP 2, SSID: GUEST: Guest role via Captive Portal, carried over a secure tunnel to the Guest DMZ
The Wireless Intrusion Prevention System: "Protect the Air"
Contain uncontrolled wireless devices:
• Rogue APs
• Laptops acting as bridges
• Ad-hoc networks
Attacks against WLAN infrastructure:
• Denial of Service / flooding
• Forged deauthenticate / disassociate frames
• Man-in-the-middle
• WEP cracking / WPA-PSK cracking
Wireless Intrusion Prevention Work Cycle
• Discover: Complete 802.11 spectrum monitoring. Continuous RF monitoring of wireless devices, activity and configuration across all 802.11 RF channels.
• Classify: Policy-based threat prioritization. Automatic classification of threats and non-threats is critical to security.
• Alert and Audit: Automated compliance reporting. Automated logging and report distribution ensures compliance with wireless security policies and regulations.
• Contain: Automated threat mitigation. Automated containment to block any rogue or intruder.
Controlling Rogue APs
1. AP Detection: see all APs
2. AP Classification: are they neighbors? Are they rogues?
3. Rogue Containment: stop users from accessing rogues, over wire and wireless; leave neighbors alone
4. Locate the rogue: find where it is and disconnect it
Wireless Intrusion Prevention Features
• Air monitor (2.4 and 5 GHz)
• Wireless rogue scanning and identification
• Wired rogue containment
• Wireless rogue containment via de-authentication
• Wi-Fi interference detection
• Spectrum analysis
• Wi-Fi interference classification
• Wi-Fi interference visualization
• Wireless intrusion detection system attack signatures
• Security threat management visualization
• Wireless intrusion configuration wizard
• Total Watch enhanced air monitoring
• Air monitoring of all bands (2.4, 4.9 and 5 GHz)
• Dynamic channel dwell times
• In-between channels rogue scanning
• Automated rule-based rogue classification
• Advanced wireless rogue containment via tarpitting
• Detect and contain Windows Bridge
• Security events correlation
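The discover / classify / contain cycle and the four rogue-AP steps above, as an added example in Python (not Aruba's classifier): an unknown BSSID is a rogue when its MAC is also seen on the wired network (the AP is plugged into our LAN) or when it advertises one of our SSIDs (an evil twin); anything else unknown is a neighbor and gets no containment. The scan records, the wired MAC table, the corporate SSID list, the authorized BSSIDs and the "same OUI, last bytes within 8" wired-match rule are constructed assumptions.

```python
"""Rule-based rogue AP classification and containment planning for a WIPS loop.

Added example, not Aruba's classifier. The scan records, the wired MAC table,
the SSID list, the authorized BSSIDs and the "same OUI, low bits within 8"
wired-match rule are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SeenAP:
    bssid: str                 # radio MAC as seen by the air monitor
    ssid: str
    channel: int
    clients: Tuple[str, ...]   # station MACs seen associated to this BSSID


# Assumed: BSSIDs of the APs this controller manages.
AUTHORIZED_BSSIDS: Set[str] = {"02:1a:2b:00:00:01", "02:1a:2b:00:00:02"}
# Assumed: SSIDs this enterprise broadcasts; anyone else using them is spoofing.
CORP_SSIDS: Set[str] = {"Corp", "GUEST"}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def same_device(bssid: str, wired_mac: str, window: int = 8) -> bool:
    """Assumption used here: a consumer AP derives its radio BSSIDs from its
    wired MAC, so the two share an OUI and differ only in the low bits."""
    a, b = mac_to_int(bssid), mac_to_int(wired_mac)
    return (a >> 24) == (b >> 24) and abs(a - b) <= window


def classify(ap: SeenAP, wired_macs: Set[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'valid', 'rogue' or 'neighbor'."""
    bssid = ap.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return "valid", "managed by this controller"
    wired = sorted(m for m in wired_macs if same_device(bssid, m))
    if wired:
        # Unknown AP whose MAC also shows up in our bridge tables: on our LAN.
        return "rogue", f"bridges our wire via {wired[0]}"
    if ap.ssid in CORP_SSIDS:
        # Not on our wire, but advertising our SSID: honeypot / evil twin.
        return "rogue", f"spoofs corporate SSID {ap.ssid!r}"
    return "neighbor", "not on our wire, foreign SSID"


def plan_containment(ap: SeenAP, verdict: str, wired_macs: Set[str]) -> List[str]:
    """Containment only for rogues; neighbors are left alone so that our own
    deauthentication frames do not become a denial of service against them."""
    actions: List[str] = []
    if verdict != "rogue":
        return actions
    for m in sorted(wired_macs):
        if same_device(ap.bssid, m):
            actions.append(f"wired: block {m} at the access switch")
    for c in ap.clients:
        actions.append(f"wireless: deauthenticate {c} from {ap.bssid}")
    return actions


def run_cycle(scan: List[SeenAP], wired_macs: Set[str]) -> Dict[str, dict]:
    """Discover -> classify -> contain for one scan; returns the audit record."""
    report: Dict[str, dict] = {}
    for ap in scan:
        verdict, reason = classify(ap, wired_macs)
        report[ap.bssid] = {
            "ssid": ap.ssid, "channel": ap.channel,
            "verdict": verdict, "reason": reason,
            "actions": plan_containment(ap, verdict, wired_macs),
        }
    return report


def demo() -> Dict[str, dict]:
    # Constructed air-monitor scan and wired MAC table (a bridge-table dump).
    scan = [
        SeenAP("02:1a:2b:00:00:01", "Corp", 36, ()),
        SeenAP("00:11:22:33:44:45", "linksys", 6, ("de:ad:be:ef:00:01",)),
        SeenAP("66:77:88:99:aa:bb", "Corp", 11, ("de:ad:be:ef:00:02",)),
        SeenAP("12:34:56:78:9a:bc", "CafeWifi", 1, ("de:ad:be:ef:00:03",)),
    ]
    wired_macs = {"00:11:22:33:44:40", "3c:52:82:aa:bb:cc"}
    return run_cycle(scan, wired_macs)


if __name__ == "__main__":
    for bssid, rec in demo().items():
        print(bssid, rec["verdict"], "-", rec["reason"], rec["actions"])
```

Two things a practitioner should take from the split between `classify` and `plan_containment`: the wired correlation is what separates "rogue on my LAN" from "neighbor on their own uplink", and the deauthentication used for containment is the same forged-deauth technique the WIPS lists as an attack, so a misclassified neighbor turns containment into an attack on a third party. The audit record returned by `run_cycle` is the "alert and audit" step: keep it, since it is the evidence for the "locate and disconnect" step that follows.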
The Pillars of Aruba Wireless Security (summary)
Authentication before admission into the network
• Certificate + AD credentials: granted the Corporate SSID
• Guest users with credentials: granted the Guest SSID
• Others: not granted access
All wireless traffic encrypted from client to controller
• No loss of information to eavesdropping
• No risk of man-in-the-middle attacks on the air or the AP-to-controller wire
• Leaves APs free to monitor the RF space
Stateful Firewall to monitor all wireless packets and admit/deny passage
• All wireless traffic subject to firewall policies
• Restrict SSIDs by time of day
• Restrict users by time of day, by destination IP, by protocol
Intrusion Prevention for identifying and thwarting intruders
• Continuous monitoring of the RF space to identify intruders: rogue APs, unauthorized employee APs, hackers
• Block them
For your attention and time. Questions? Write to: firstname.lastname@example.org. Response guaranteed.