Posted on 17-Jul-2015
Aruba Networks CONFIDENTIAL. © 2010 All Rights Reserved.
Aruba PEF Overview
Jon Green Product Manager jgreen@arubanetworks.com
User Mobility
Wireless LANs
Mobile Devices
Remote Access
Enterprise Security
Access Control
Data Protection
Regulatory Mandates
The Modern CIO Agenda
Balancing Mobility and Security
What does PEF do?
Guests, Students
Phones, Printers
80Gbps Wire-Speed Policy Enforcement Firewall (PEF)
Enterprise Resources Access Networks
Employees, Contractors
Mobility Controller
Identify the User
Control Access per User
Prioritize Applications
Optimize Performance
Follow the User
Traditional Security Limits User Mobility
Data Center
Enterprise VPN Firewall
Enterprise Perimeter
Hackers
Visitors
Remote
Employee
VPN
Consultants
Employees
Mobility and Wireless Dissolve Perimeters
Data Center
Dissolving Enterprise Perimeter
Hackers Visitors
Consultants
Employees
Branch Partner Site
Hotel Home
PEF Takes Policy to the User
Data Center
Consultants
Employees
The Mobile Enterprise
Branch Partner Site
Hotel Home
Hackers Visitors
Only at the network edge is user identity known!
PEF Basics
Rules
• Match a specific flow (source IP, dest IP, protocol, source port, dest port)
• Apply an action (permit, deny, redirect, change TOS, queue, etc.)
Policies
• Made up of one or more rules (in priority order)
• Some policies are not rule-based (e.g. bandwidth contracts)
Roles
• A classification into which users are placed when connected to an Aruba system
• Assigned role may change throughout a session (e.g. moving from pre-authentication role to post-authentication role)
• Incorporate one or more policies (in priority order)
• Controls other parameters (IP address pools, VLAN, bandwidth contract, VIA profile, etc.)
PEF Architecture
Corporate Services
Guest
Finance
Legal
HR
Executive
Virtual AP 1 SSID: Corp
Virtual AP 2 SSID: GUEST
DMZ
RADIUS LDAP AD
Captive Portal
Role-Based Access Control
Access Rights
Secure Tunnel To DMZ
SSID-Based Access Control Staff
Contractors
Voice
Video
Guest
Role Derivation
Default Roles
• Configurable by authentication method
• SSID
User Rules
• Device-specific attributes
• Encryption type
• AP used (by name or BSSID)
Server Derived Roles
• Role assignment based on attributes from authentication server
• Different access privileges based on security policy
• Can use single SSID for all users/devices
User access authenticated through enterprise directory services (AD, LDAP, RADIUS, etc.)
Group membership information from directory used to derive user role
User role controls policy
Role Derivation
RADIUS
Domain Controller
PERMIT AD Group = Marketing
PERMIT FilterID = Marketing
User = Jon
Role = Marketing
Policy = permit_facebook
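The rule, policy and role ordering from PEF Basics and the Filter-ID based server-derived role shown above, modelled as an added Python example (not Aruba's code or configuration syntax): the first matching rule in priority order decides, an unmatched flow falls to an implicit deny (a modelling assumption), and a Filter-Id that names no configured role falls back to the default role. The role names other than Marketing, the policy contents and the 203.0.113.0/24 address range are constructed for the example.

```python
"""Added toy model of PEF evaluation: a flow is checked against the rules of
each policy attached to a role, in priority order; the first match decides."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"
Flow = namedtuple("Flow", "src dst proto dport")   # the tuple PEF rules match on

@dataclass
class Rule:
    action: str                   # permit, deny, redirect, set-tos, queue, ...
    src: str = ANY                # CIDR or "any"
    dst: str = ANY
    proto: str = ANY
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        def in_net(net: str, addr: str) -> bool:
            return net == ANY or ip_address(addr) in ip_network(net)
        return (in_net(self.src, f.src) and in_net(self.dst, f.dst)
                and self.proto in (ANY, f.proto) and self.dport in (None, f.dport))

Policy = List[Rule]               # rules in priority order
Role = List[Policy]               # policies in priority order

def evaluate(role: Role, f: Flow) -> str:
    """Walk policies, then their rules, in priority order; first matching rule decides."""
    for policy in role:
        for rule in policy:
            if rule.matches(f):
                return rule.action
    return "deny"                 # implicit deny when nothing matches (modelling assumption)

def derive_role(radius_attrs: dict, roles: dict, default: str) -> str:
    """Server-derived role: a RADIUS Filter-Id naming a configured role wins, else default."""
    name = radius_attrs.get("Filter-Id")
    return name if name in roles else default

# Constructed sample configuration; 203.0.113.0/24 (RFC 5737) stands in for a social site.
CAPTIVE_PORTAL: Policy = [Rule("permit", proto="udp", dport=53),    # DNS
                          Rule("permit", proto="udp", dport=67),    # DHCP
                          Rule("redirect", proto="tcp", dport=80)]  # HTTP to captive portal
PERMIT_FACEBOOK: Policy = [Rule("permit", dst="203.0.113.0/24", proto="tcp", dport=443)]
CORP_APPS: Policy = [Rule("permit", dst="10.0.0.0/8")]
ROLES = {"logon": [CAPTIVE_PORTAL],                  # pre-authentication role
         "authenticated": [CORP_APPS],               # default post-authentication role
         "Marketing": [PERMIT_FACEBOOK, CORP_APPS]}  # server-derived role
```

The same client keeps the logon role until authentication completes, then lands in Marketing or authenticated depending only on what the RADIUS server returned, so a single SSID serves both.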
Security without PEF
Firewall
Employee
Authentication Authorization Identification
Encryption
Malicious Insider
Disconnect
Security with PEF + Centralized Crypto
Employee
Authentication Authorization Identification
Encryption
Malicious Insider
Why Worry About Authorization?
Where is the “network perimeter” today?
Mobility brings us:
• Disappearance of physical security
• New mobile users and devices appearing every day
• Increased exposure to malware
Assuming that “the bad guys are outside the firewall, the good guys are inside” is a recipe for disaster
Integration with NAC
• Works with any 3rd party AAA and PDP
• Policy Enforcement Point cluster shares user state & policy information
• Correlates many policy inputs for continuous threat mitigation
Managed Clients (Employees)
Unmanageable Devices
Unmanaged Clients (Guests, students)
CNAC
Pre-Admission
Post-Admission
IDS/IPS,
A/V scanning,
Etc.
Access
Requester (AR)
Policy Decision
Point (PDP)
Policy Enforcement
Point (PEP) Cluster
Application Aware QoS
SIP Server
SIP Flow = High Priority
HTTP Flow = Low Priority
Device gets role regardless of traffic type. Only voice flow gets priority.
VLAN 1 = High Priority
Device gets high priority regardless of traffic type. Others using web browser can reduce call quality.
SIP Server
Without PEF
With PEF
Voice Flow Classification (VFC)
• Deep packet inspection of each traffic flow through centralized mobility controller
• Based on Aruba’s role-based stateful firewall
• Uniquely identifies, classifies and prioritizes voice traffic
• Pre-configured support for major voice protocols: SpectraLink SVP, Vocera, Cisco SCCP, Session Initiation Protocol (SIP)
DATA
VOICE
Wireless Networking's Silent Killers
Multicast/Broadcast
Chatty Protocols
Power Users Stealing B/W
Malicious or Misconfigured Clients
Lack of Policy Impacts Network Reliability & Performance
• What are Multicast and Broadcast currently being used for?
• What problems am I creating by using large VLANs to solve mobility issues?
• What non-critical applications are consuming bandwidth?
• Should users be connecting to 3rd party WLANs?
• Should users be setting up their own WLANs?
• Should users be connected to wireless while wired?
• How are “Power” Users affecting others?
• How are unauthorized users affecting network availability?
Solution: Policy For Performance
mDNS
LLMNR
IPv6
Layer 3 Mobility
• PEF policies follow mobile users as they roam in the network
• User/firewall state anchored in one controller (home agent)
• When client roams to another controller (foreign agent), FA establishes a tunnel back to the HA
L3 Network
Mobile IP Tunnel
Roaming Client
Home Agent
Foreign Agent