#ATM16
Policy Enforcement Firewall
Amish Shah, PLM @ArubaNetworks

Agenda
– Trends and Challenges
– Aruba's Policy Enforcement Firewall
– AppRF
– WebCC
– IP Rep
– Geo Location
– Demo
Growing demands for the Digital Workplace
– BYOD: 68% of employee-owned (BYOD) devices access business apps [1]
– Video: >50% of mobile traffic in the next 5 years will be from video [3]
– Applications: 269B application downloads by 2017 [4]
– IoT: 24B IoT devices by 2020 [1]
– User experience: connectivity, video quality, download speed

Sources: [1] IDC: Enhancing Business Value with HP Wireless Networking Solutions (October 2013); [2] Internet of Things 2015, Statista.com; [3] Mobile Data and Video Traffic, 2012, Gartner, August 2012; [4] Gartner press release, January 22, 2014
Policy Enforcement Firewall
Figure: Aruba WLAN Architecture with PEF. Users on the Employee SSID are authenticated against the AAA server; the Multi-Service Mobility Controller places each user in a role (Role A, 200 users; Role B, 300 users) drawn from a PEF VLAN pool, and PEF enforces what each role may reach on the application side.
Aruba Firewall Advantages
– Identity-based stateful firewall
– Role/identity based
– Application aware
– Stateful policies versus "access control lists"
– Bi-directional
– Session aware; more difficult to spoof
– Dynamic
Rules, Policies, Roles and Users
Figure: rules are grouped into policies (Policy 1 = Rule 1..n, Policy 2 = Rule 1..2, Policy 3 = Rule 1, Policy 4 = Rule 1..4, Policy 5 = Rule 1..4); each role is a set of policies (Role 1: Policy 1, Policy 2; Role 2: Policy 1, Policy 3, Policy 4; Role 3: Policy 4, Policy 5; Role 4: Policy 4); and users (User1 .. UserN) are assigned to a role by role derivation.
Role derivation methods: 1) locally derived, 2) server assigned, 3) default role.
Policy Implementation Overview
– Policies are a group of firewall rules
– Evaluated top down
– The first rule matched is applied; put more specific items at the top of the list
– All other rules are ignored
– Implicit "deny all" rule at the end of the firewall policy

Rule format: <source> <destination> <service> <action> <extended action>
– source / destination: addresses
– service: HTTP, FTP, DNS, application, etc.
– action: deny, permit, NAT
– extended action: log, queue, 802.1p assignment, TOS, time range
Aliases
– Represent one or more networks, host addresses or services
– Types of aliases: destination (networks/hosts) and network services
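The two slides above (top-down first-match evaluation with an implicit deny, and aliases standing for sets of networks or services) as a worked example. This is added illustration code, not Aruba's implementation: the alias names, role policies and addresses are constructed, and the `shadowed_rules` check is an editor's addition that mechanically tests the "more specific items at top of list" advice by finding rules an earlier, broader rule already covers.

```python
"""
Added example (not Aruba code): first-match evaluation of a role's ordered
policies, alias expansion, the implicit deny-all, and a shadowed-rule check.
All aliases, rules and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service alias -> (protocol, port) pairs; network alias -> CIDR list.
SERVICE_ALIASES: Dict[str, List[Tuple[str, int]]] = {
    "svc-http": [("tcp", 80), ("tcp", 443)],
    "svc-dns": [("udp", 53), ("tcp", 53)],
    "svc-ftp": [("tcp", 21)],
}
NET_ALIASES: Dict[str, List[str]] = {
    "any": ["0.0.0.0/0"],
    "corp-servers": ["10.10.0.0/16"],
    "finance-db": ["10.10.5.0/24"],
}

@dataclass(frozen=True)
class Rule:
    src: str        # network alias
    dst: str        # network alias
    service: str    # service alias or "any"
    action: str     # "permit" | "deny"
    log: bool = False

@dataclass
class Policy:
    name: str
    rules: List[Rule]

def _in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in NET_ALIASES[alias])

def _svc_match(proto: str, port: int, alias: str) -> bool:
    return alias == "any" or (proto, port) in SERVICE_ALIASES[alias]

def rule_matches(r: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (_in_alias(src, r.src) and _in_alias(dst, r.dst)
            and _svc_match(proto, port, r.service))

def evaluate(role_policies: List[Policy], src: str, dst: str,
             proto: str, port: int) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (action, policy_name, rule_index). Policies are walked in the
    order they are attached to the role and rules top-down; the first match
    wins and everything after it is ignored. No match => implicit deny."""
    for pol in role_policies:
        for i, r in enumerate(pol.rules):
            if rule_matches(r, src, dst, proto, port):
                return r.action, pol.name, i
    return "deny", None, None   # implicit deny-all at the end

def _covers(a: str, b: str) -> bool:
    """True if every network in alias b lies inside some network in alias a."""
    nets_a = [ipaddress.ip_network(c) for c in NET_ALIASES[a]]
    return all(any(n.version == ipaddress.ip_network(c).version
                   and ipaddress.ip_network(c).subnet_of(n) for n in nets_a)
               for c in NET_ALIASES[b])

def _svc_covers(a: str, b: str) -> bool:
    if a == "any":
        return True
    if b == "any":
        return False
    return set(SERVICE_ALIASES[b]) <= set(SERVICE_ALIASES[a])

def shadowed_rules(pol: Policy) -> List[int]:
    """Indices of rules that can never fire because an earlier rule in the
    same policy already matches every packet they would match."""
    out = []
    for j, later in enumerate(pol.rules):
        for earlier in pol.rules[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _svc_covers(earlier.service, later.service)):
                out.append(j)
                break
    return out

# Constructed employee role: the broad permit to corp-servers sits above the
# narrower deny for finance-db, so the deny is shadowed and never applies.
EMPLOYEE = [
    Policy("global", [Rule("any", "any", "svc-dns", "permit")]),
    Policy("employee-web", [
        Rule("any", "corp-servers", "svc-http", "permit"),
        Rule("any", "finance-db", "svc-http", "deny", log=True),   # shadowed
    ]),
]

if __name__ == "__main__":
    print(evaluate(EMPLOYEE, "192.168.1.20", "10.10.5.7", "tcp", 443))
    print(evaluate(EMPLOYEE, "192.168.1.20", "10.10.5.7", "tcp", 21))
    print(shadowed_rules(EMPLOYEE[1]))
```

Swapping the two `employee-web` rules makes the deny fire for finance-db while corp-servers stays reachable; that reordering is exactly what the "more specific items at top" guidance asks for, and the shadow check is how you catch the mistake before a packet does.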
Aruba Firewall Actions
– Basic actions: permit, drop, reject
– NAT actions: src-nat, dst-nat, dual-nat
– Redirect actions: redirect to tunnel (group)
Advanced Policy Actions
– Log: generate a message if the rule is applied
– Mirror: traffic is mirrored to another destination
– Time-Range: apply the rule only during a configured time range
– Pause ARM Scanning: delays ARM scanning for real-time sessions
– Blacklist: deny access AND blacklist the client matching this rule
– TOS: set the DSCP bits in the IP header
– 802.1p-priority: assign CoS (Class of Service) priority
– Classify Media: monitor all untagged UDP flows to classify them as media and tag accordingly
Roles
– Every user in an Aruba Mobility Controller is assigned a role
– Each role has one or more firewall policies applied
– Role derivation: user-derived, server-derived, or default based on access method (802.1X, VPN etc.)
Role Assignment Workflow
1. User associates to an SSID
2. User is placed in the initial role (logon by default)
3. Check for a user-derived rule; if one matches, the user gets the new role
4. User authentication
5. Check for server-derived rules; if present, assign that role
6. If no server-derived rule is present, assign the default role
Role Derivation (in sequence)
PRE-AUTHENTICATED
– Initial role: the pre-authenticated role; always assigned
– User-derived roles: assigned using device-specific attributes; executed before client authentication
POST-AUTHENTICATED
– VSA-derived roles (Vendor Specific Attributes): provide features not supported in standard RADIUS attributes; can derive user role and VLAN for RADIUS-authenticated clients
– Server-derived roles: different access privileges based on security policy; a single SSID can serve all users/devices; role assignment based on attributes returned by the authentication server
– Default roles: configurable per authentication method (AAA profile): captive portal, 802.1X, VPN, MAC
Controller - AAA Server communication
Figure: the controller (7220) sends a RADIUS request with attributes to the AAA server on behalf of guests, employees and mobile devices; the server returns a RADIUS reply carrying standard RADIUS attributes or the Aruba VSA. Depending on the type of server, derivation can be based on user, BSSID, location, authentication type, device type, or time of day.
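The role-assignment workflow and the pre-/post-authentication derivation slides above, walked step by step as an added example (not Aruba code). The AAA profile, device attributes and RADIUS replies are constructed; `Aruba-User-Role` is the Aruba RADIUS VSA that carries a role name, and checking it ahead of the server-derivation rules is an ordering assumed here for illustration, since the slides list both under post-authenticated derivation without ranking them.

```python
"""
Added example (not Aruba code): the role-assignment sequence from the slides.
Initial role, then user-derived rules on device attributes before
authentication, then the RADIUS reply after authentication (Aruba VSA or
server-derivation rules on standard attributes), then the default role for
the authentication method. Profile, clients and replies are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Client:
    mac: str
    essid: str
    attrs: Dict[str, str] = field(default_factory=dict)   # e.g. device profiling data

Predicate = Callable[[Client], bool]

@dataclass
class AAAProfile:
    initial_role: str = "logon"
    default_roles: Dict[str, str] = field(default_factory=dict)        # auth method -> role
    user_rules: List[Tuple[Predicate, str]] = field(default_factory=list)
    server_rules: List[Tuple[str, str, str]] = field(default_factory=list)  # (attr, value, role)

def derive_role(profile: AAAProfile, client: Client, auth_method: str,
                radius_reply: Optional[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return the (stage, role) trail the client passes through.
    radius_reply is the attribute set returned by the AAA server, or None if
    authentication failed or has not happened yet."""
    trail = [("initial", profile.initial_role)]
    # Pre-authentication: user-derived rules on device attributes, first match wins.
    for predicate, role in profile.user_rules:
        if predicate(client):
            trail.append(("user-derived", role))
            break
    if radius_reply is None:
        return trail          # unauthenticated: keeps the pre-authenticated role
    # Post-authentication: a VSA naming the role (assumption: checked first).
    if "Aruba-User-Role" in radius_reply:
        trail.append(("vsa-derived", radius_reply["Aruba-User-Role"]))
        return trail
    # Server-derivation rules on standard RADIUS attributes, first match wins.
    for attr, value, role in profile.server_rules:
        if radius_reply.get(attr) == value:
            trail.append(("server-derived", role))
            return trail
    # Nothing usable from the server: default role for this auth method.
    trail.append(("default", profile.default_roles[auth_method]))
    return trail

def final_role(trail: List[Tuple[str, str]]) -> str:
    return trail[-1][1]

# Constructed AAA profile: printers are recognised pre-auth from a profiling
# attribute and parked in a "printer" role; 802.1X users default to
# "employee" unless the server returns Filter-Id=finance or a VSA;
# captive-portal users default to "guest".
PROFILE = AAAProfile(
    initial_role="logon",
    default_roles={"dot1x": "employee", "captive-portal": "guest"},
    user_rules=[(lambda c: c.attrs.get("device-type") == "printer", "printer")],
    server_rules=[("Filter-Id", "finance", "finance")],
)

PRINTER = Client("00:11:22:33:44:55", "corp", {"device-type": "printer"})
LAPTOP = Client("66:77:88:99:aa:bb", "corp")

if __name__ == "__main__":
    print(derive_role(PROFILE, PRINTER, "dot1x", None))
    print(derive_role(PROFILE, LAPTOP, "dot1x", {"Filter-Id": "finance"}))
    print(derive_role(PROFILE, LAPTOP, "dot1x", {"Aruba-User-Role": "contractor"}))
    print(derive_role(PROFILE, LAPTOP, "dot1x", {}))
```

Two points the trail makes visible: a user-derived role is only a pre-authentication placement and is replaced by whatever post-authentication derivation yields (including the default role), and a client that never authenticates stays in the initial or user-derived role, so that role's policies are the only thing standing between an unauthenticated device and the network.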
ClearPass Downloadable Roles
Figure: ClearPass aggregates device information (profiling, posture, onboarding, guests, AD attributes) and returns an enforcement action to the controller (7220) as RADIUS attributes or Aruba VSAs: a role (e.g. Finance), VLAN, bandwidth limits, redirect to a web page, or a downloaded ACL (Aruba VSA).
PEF for Wired Access Control
– The Aruba solution controls both wired-side and wireless access
– Policies may be applied to individual ports and/or VLANs, with or without authentication
– Authentication on the wired side can be handled by 802.1X or captive portal; with no authentication, the initial role is assigned
– Wired access control is available on APs with more than one Ethernet jack, all ports on APs acting as mesh points, and mobility controllers
Secure Wired Access on Aruba Products
– Trusted ports (default): act like an L2 switch; a policy may be added
– Non-trusted ports or VLANs: a wired-access AAA profile assigns the initial role and initiates authentication
– APs: the second Ethernet port on an AP with dual Ethernet ports; single- or dual-port APs as mesh points
AppRF
DPI/AppRF
Simple control:
– Select by app group, app, role or address
– Apply policy (block, throttle, prioritize)
– Eliminates configuration complexity
How does classification work?
– Website URL information identifies popular websites
– Signatures are used for "easy to identify" applications
– Protocol grammar analysis is used to understand complex applications and their current state
– Advanced heuristics are used when required
– Encrypted applications are detected via certificate common names
Application Categories
– Antivirus, Gaming, Streaming, etc.
New Policy Containers
– To simplify security rules, a "Global" policy and a "Role-Specific" policy have been created; these are the first two policies in every role
– The Global policy is applied first, the Role-Specific policy second, and all other configured policies in turn afterwards
– Use of these is optional; if left empty, nothing changes about how the configuration is applied and the rules enforced
Application Bandwidth Contracts
– Bandwidth contracts for applications or application groups
– Only role-based bandwidth contracts are supported (not user or AP group)
– "Traditional" and "Dashboard" methods can be used to configure bandwidth contracts
– Global and role-based bandwidth contracts are supported
Web Content Classification
Simple control:
– Select by web category, URL or role
– Apply policy (block, throttle, prioritize)
– Web reputation scores
High Level Feature Set
– New dashboard for URL classification and reputation classification
– Classifies web browsing history by categories and risks
– 82 web categories and 5 web reputation groups
– Web traffic can be blocked, QoS-marked, mirrored etc. based on the ACLs created
– Works with the cloud service and a local cache file
– Supported on both Controller and Instant product lines
– Database includes five security categories that identify malware, phishing, botnet and other malicious sites
– Very simple web notification to users who violate policy
Web Policy database includes 82 categories
Web Reputation Scores
– Provides a reputation score for each website
– Score is based on risk of malware, phishing, etc., NOT on morality
– Recent malware infections, age of site and links to bad sites are the major influences on the score
Web Content Security Categories
Blocking these categories will help protect end users against malware
AOS 6.5.0: WebCC Enhancements
– Redirect WebCC-blocked sessions to an external web server
– Ability to work in the presence of a web proxy

Figure: a WebCC policy blocks the "adult" category and redirects the user to a customizable splash page hosted on an external web server (example destination www.adult.com). For a URL the WebCC cache on the controller does not know (www.urlx.com), the controller queries the Webroot cloud; this also works when the client reaches the web through a proxy server.
Blocked Session Dashboard
AOS 6.5.0: Blocked Session Enhancements
• Visualize blocked sessions with info like user, role, destination/app, reason, policy rule etc.
IP Reputation
IP Reputation (Webroot)
– Ability to detect threats associated with an IP address
– Leverages Webroot's cloud-based service, which has visibility into 4.3 billion IP addresses
– Both IPv4 and IPv6
– IP threat types detected: Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxies, and Mobile Threats
– Controller has a cache of 12 million IP addresses (12 million IP database)
– Periodic and real-time updates: real-time checks every 30 min, database update every 24 hours
– PEF can be leveraged to apply policies
– NEW dashboards on controller and AirWave*
AOS 6.5.0: Firewall Enhancements: IP Reputation
• Visualize threats & other associated metadata on a NEW dashboard
• Associate threats with the origin
Geo-Location Filtering
Geo-location Filtering (Webroot)
– Ability to associate source/destination IP addresses with a location
– Leverages Webroot's cloud-based geo-location database
– IP ranges are tied to countries
– Controller has a cache of half a million IP addresses (500k IP database), updated every 24 hours
– PEF can be leveraged to apply policies that permit/drop inbound/outbound communication with certain countries
– NEW dashboards on controller and AirWave*
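The IP Reputation and Geo-location Filtering slides both describe the same pattern: a local cache filled from the Webroot cloud, consulted per flow, with PEF applying permit/drop based on the result. The block below is an added example of that decision logic, not Aruba or Webroot code. The cache contents are constructed from documentation address ranges and user-assigned country codes (XA, XB, XC); the threat-type names are the ones listed on the IP Reputation slide. The handling of a reputation cache miss (permit and flag, rather than treat as clean) is a design choice made here for illustration, not documented controller behaviour.

```python
"""
Added example (not Aruba or Webroot code): PEF-style permit/drop decisions
driven by an IP-reputation cache (address -> threat types) and a geo cache
(IP range -> country, longest prefix wins). All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed reputation cache, keyed by canonical address text.
REPUTATION_CACHE: Dict[str, Set[str]] = {
    "203.0.113.50": {"Botnets"},
    "198.51.100.9": {"Spam Sources", "Proxies"},
    "2001:db8:bad::1": {"Phishing", "Web Attacks"},
}

# Constructed geo cache. Ranges may overlap; the longest prefix wins.
GEO_CACHE: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "XA"),
    ("203.0.113.0/28", "XC"),
    ("198.51.100.0/24", "XB"),
    ("192.0.2.0/24", "XC"),
    ("2001:db8::/32", "XB"),
]

def lookup_threats(ip: str) -> Optional[Set[str]]:
    """Threat types for ip, or None on a cache miss (unknown, not clean).
    ip_address() canonicalises the text so IPv6 spellings match the key."""
    return REPUTATION_CACHE.get(str(ipaddress.ip_address(ip)))

def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the geo cache, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, country in GEO_CACHE:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, country)
    return best[1] if best else None

@dataclass(frozen=True)
class ThreatGeoPolicy:
    # Threat types that drop the flow outright.
    drop_threats: FrozenSet[str] = frozenset(
        {"Botnets", "Phishing", "Web Attacks", "Windows Exploits"})
    # Countries blocked per direction (peer is source inbound, destination outbound).
    drop_inbound_from: FrozenSet[str] = frozenset()
    drop_outbound_to: FrozenSet[str] = frozenset()

def decide(policy: ThreatGeoPolicy, direction: str, peer_ip: str) -> Tuple[str, str]:
    """Return (action, reason) for a flow whose remote end is peer_ip.
    Reputation is checked before geo so the logged reason names the more
    specific cause when both would drop the flow."""
    threats = lookup_threats(peer_ip)
    if threats:
        hits = sorted(threats & policy.drop_threats)
        if hits:
            return "drop", "ip-reputation:" + ",".join(hits)
    country = lookup_country(peer_ip)
    blocked = policy.drop_inbound_from if direction == "inbound" else policy.drop_outbound_to
    if country is not None and country in blocked:
        return "drop", f"geo:{country}"
    if threats is None:
        # Fail-open on a reputation cache miss but flag it, so the miss is
        # visible (a controller would resolve such addresses via the cloud).
        return "permit", "reputation-cache-miss"
    if threats:
        # Known threat types that the policy does not drop: permit and log them.
        return "permit", "reputation-logged:" + ",".join(sorted(threats))
    return "permit", "clean"

# Constructed policy: drop the default threat set everywhere and refuse
# outbound connections to country XB.
POLICY = ThreatGeoPolicy(drop_outbound_to=frozenset({"XB"}))

if __name__ == "__main__":
    for direction, ip in [("outbound", "203.0.113.50"), ("outbound", "198.51.100.9"),
                          ("inbound", "198.51.100.9"), ("outbound", "192.0.2.77"),
                          ("inbound", "2001:db8:bad::1"), ("outbound", "2001:db8::1")]:
        print(direction, ip, decide(POLICY, direction, ip))
```

The reason string is what a blocked-session dashboard would need: which lookup fired (reputation or geo) and on what value. Whether a cache miss fails open or closed is the policy question to settle before relying on either feature for enforcement rather than visibility.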
Geo-location Filtering
• Visualize the in-bound and out-bound flow of traffic on a NEW dashboard
Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.
Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
@ArubaNetworks
THANK YOU