Getting the most out of the Aruba Policy Enforcement Firewall

#ATM15 | Policy Enforcement Firewall

Balajee Krishnamurthy, PLM

Giridhar Shankar, PLM

Amish Shah, TME

@ArubaNetworks



CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved2#ATM15 |

Agenda

• Trends and Challenges

• Aruba’s Policy Enforcement Firewall

• Demo



Creating a New Network Imperative

• Mobility in Office space, Dorms, Public Venues, Outdoor, etc.

• Device Proliferation & Bring your own device

• Heavy multimedia use

• Seamless Access Across from Campus to Remote

Compared with:

• Predominately Data Traffic

• IT Sanctioned Devices

• Mobility in Common Areas Only

• Disparate Networks


Creating a New Network Imperative

• Mobility in Classrooms, Dorms, Public Venues, Outdoor, etc.

• Device Proliferation & Bring your own device

• Heavy multimedia use

• Seamless Access Across from Campus to Remote

Compared with:

• Predominately Data Traffic

• IT Sanctioned Devices

• Mobility in Common Areas Only

• Disparate Networks

What the network must now deliver:

• Extend Mobility securely with Existing Resources

• Secure Access based on context

• High quality of experience for real time apps

Maintain Consistent Security & User Experience


Existing Networks Not Suited For Mobility

• Disparate networks

• Siloed services

• Built-for client-server

• No single view of users or devices

• No context awareness

(Diagram: Manager 1 through Manager 5 and VLAN 100 through VLAN 500, spanning wireless, wired, VPN, remote office and outdoor access.)


Aruba Policy Enforcement Firewall


Aruba WLAN Architecture with PEF

(Diagram: an Employee SSID, a VLAN Pool and an AAA Server feed the Multi-Service Mobility Controller, where PEF places users in Role A (200 Users) or Role B (300 Users); User Applications are reached according to the role assigned.)


Aruba Firewall

• Identity-based Stateful firewall

– Role/identity based

– Application Aware

– Stateful policies versus “access control lists”

• Bi-directional

• Session aware; more difficult to spoof

• Dynamic

• Extended features

– Countermeasures (blacklisting)

– QOS

– Valid user access list


Rules, Policies, Roles and Users

(Diagram: rules are grouped into policies, policies are attached to roles, and users are assigned to roles.)

Policies: Policy 1 through Policy 5, each an ordered list of rules (Rule 1, Rule 2, … Rule n)

Roles and the policies applied to each:

Role 1: Policy 1, Policy 2

Role 2: Policy 1, Policy 3, Policy 4

Role 3: Policy 4, Policy 5

Role 4: Policy 4

Users: User1 User2 User3 User4 User5 User6 ………… UserN

Role Derivation assigns users to a role. Methods: 1) Locally Derived 2) Server Assigned 3) Default Role


Policies Overview

• Policies are groups of firewall rules

• Evaluated top down

– The first rule matched is applied; put more specific rules at the top of the list

– All other rules are ignored

– Implicit “deny all” rule at the end of the firewall policy

Rule format: <source> <destination> <service> <action> <extended action>

source / destination: Addresses

service: HTTP, FTP, DNS, Application, etc.

action: Deny, Permit, NAT

extended action: Log, Queue, 802.1p assignment, TOS, Time Range
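As an added illustration (this is not Aruba code), the Python below models the evaluation described above: a role's policies and their rules are walked top down, the first match decides, and anything unmatched falls to the implicit deny. The guest-role policies, prefixes and service names are constructed for the example, and it also shows how a broad permit placed above a specific deny shadows it.

```python
# Added example, not Aruba code: a small model of PEF policy evaluation.
# A role carries an ordered list of policies, each an ordered list of rules;
# the first matching rule wins and anything unmatched hits the implicit deny.
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    service: str       # "proto/port" such as "tcp/443", or "any"
    action: str        # "permit" or "deny"
    log: bool = False  # extended action: log when the rule is applied


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_addr_match(rule.source, flow.src)
            and _addr_match(rule.destination, flow.dst)
            and rule.service in ("any", flow.service))


def evaluate(policies: Iterable[Policy], flow: Flow) -> Tuple[str, str, int, bool]:
    """Walk the role's policies top down and stop at the first matching rule.

    Returns (action, policy name, rule index, logged). With no match the
    implicit "deny all" at the end of the policy list applies.
    """
    for policy in policies:
        for index, rule in enumerate(policy.rules):
            if rule_matches(rule, flow):
                return rule.action, policy.name, index, rule.log
    return "deny", "<implicit deny>", -1, False


# Constructed guest-role policies (names and prefixes are illustrative)
CORP_NET = "10.0.0.0/8"
ALLOW_DHCP_DNS = Policy("allow-dhcp-dns", [
    Rule("any", "any", "udp/67", "permit"),
    Rule("any", "any", "udp/53", "permit"),
])
BLOCK_CORP = Policy("block-corp-network", [
    Rule("any", CORP_NET, "any", "deny", log=True),
])
ALLOW_INTERNET = Policy("allow-internet", [
    Rule("any", "any", "any", "permit"),
])


def guest_role_correct() -> List[Policy]:
    """Specific deny for the corporate network sits above the broad permit."""
    return [ALLOW_DHCP_DNS, BLOCK_CORP, ALLOW_INTERNET]


def guest_role_misordered() -> List[Policy]:
    """The broad permit now precedes the specific deny and shadows it."""
    return [ALLOW_DHCP_DNS, ALLOW_INTERNET, BLOCK_CORP]


if __name__ == "__main__":
    flow = Flow("192.168.1.10", "10.1.2.3", "tcp/443")
    print("correct order:", evaluate(guest_role_correct(), flow))
    print("misordered:   ", evaluate(guest_role_misordered(), flow))
```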


Aliases

• Represent one or more networks, host addresses or services

• Types of aliases

– Destination

– Network services


Aruba Firewall Actions

• Basic actions: Permit, Drop, Reject

• NAT’ing actions: src-nat, dst-nat, dual-nat

• Re-direct actions: Redirect to tunnel (group), Redirect to ESI group (External Services Interface)

• Routing actions: Route (src-nat), route dst-nat


Advanced Policy Actions

• Log – generate a log message if the rule gets applied

• Mirror – mirrors traffic to another destination

• Queue – assign priority queue of the flow (high/low)

• Time-Range – for time-based policies

• Pause ARM Scanning – delays ARM scanning for real time sessions

• Black list – deny access AND blacklist a client matching this rule

• TOS – set DSCP bits in IP header

• 802.1p-priority – assign 802.1p priority

• Classify Media – monitor all untagged UDP flows to classify them as media and tag accordingly


Roles

• Every user in an Aruba Mobility Controller is assigned a role

• Roles

– Each role has one or more firewall policies applied

• Role Derivation

– User-derived

– Server-derived

– Default based on access method (802.1X, VPN etc.)


Role Derivation (in sequence)

Pre-authenticated:

• Initial Role

– Pre-authenticated Role

– Always assigned

• User-Derived Roles

– Assigned using device specific attributes

– Executed before client authentication


Role Derivation

Post-authenticated:

• VSA-Derived Roles (Vendor Specific Attributes)

– Provide features not supported in standard RADIUS attributes

– Can derive user role and VLAN for RADIUS authenticated clients

• Server Derived Roles

– Different access privileges based on security policy

– Can use a single SSID for all users/devices

– Role assignment based on attributes from the authentication server

• Default Roles

– Configurable by authentication method (AAA Profile): Captive Portal, 802.1X, VPN, MAC


Role Assignment Workflow

1) User associates to an SSID

2) User placed in the initial role (logon by default)

3) Check for user derived rule; if present, user gets new role

4) User authentication

5) Check for server derived rules; if present, assign role. If no server derived rules are present, then assign the Default Role
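The workflow above as an added Python model (not Aruba's implementation): the client enters the initial role, a user-derived rule may replace it before authentication, and after authentication the first matching server-derived rule assigns the role or the AAA profile default applies. Rule tables, attribute names such as memberOf and the role names are constructed; treating a bare Aruba-User-Role value as the role name is how the VSA case is modelled here, not a statement of ArubaOS precedence.

```python
# Added example, not Aruba code: the role assignment workflow modelled as the
# sequence of derivation stages the slides give. Rule tables, attribute names
# and role names are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Client:
    mac: str
    device_type: Optional[str] = None      # e.g. from OS fingerprinting
    authenticated: bool = False
    auth_method: Optional[str] = None      # "802.1X", "captive-portal", "vpn", "mac"
    server_attrs: Dict[str, str] = field(default_factory=dict)  # RADIUS attrs / Aruba VSA
    history: List[Tuple[str, str]] = field(default_factory=list)


INITIAL_ROLE = "logon"

# User-derived rules: (client attribute, value, role), evaluated before authentication
USER_DERIVED_RULES = [
    ("device_type", "printer", "printer-preauth"),
]

# Server-derived rules: (attribute from the auth server, value, role). A value of
# None matches any value; a role of None means "use the attribute value as the
# role name", which is how an Aruba-User-Role VSA is modelled here (assumption).
SERVER_DERIVED_RULES = [
    ("Aruba-User-Role", None, None),
    ("memberOf", "Finance", "finance"),
    ("memberOf", "Staff", "employee"),
]

# Default role per authentication method (the AAA profile setting)
DEFAULT_ROLES = {
    "802.1X": "authenticated",
    "captive-portal": "guest",
    "vpn": "vpn-user",
    "mac": "mac-auth",
}


def derive_role(client: Client) -> str:
    """Return the client's role, recording each stage in client.history."""
    # 1-2) association puts the client in the initial (logon) role
    role = INITIAL_ROLE
    client.history.append(("initial", role))

    # 3) a matching user-derived rule replaces the initial role before auth
    for attr, value, new_role in USER_DERIVED_RULES:
        if getattr(client, attr, None) == value:
            role = new_role
            client.history.append(("user-derived", role))
            break

    # 4) an unauthenticated client stays in the pre-authentication role
    if not client.authenticated:
        return role

    # 5a) server-derived rules in order; the first match assigns the role
    for attr, value, new_role in SERVER_DERIVED_RULES:
        got = client.server_attrs.get(attr)
        if got is None or (value is not None and got != value):
            continue
        role = new_role if new_role is not None else got
        client.history.append(("server-derived", role))
        return role

    # 5b) no server-derived rule present: default role for the auth method
    role = DEFAULT_ROLES[client.auth_method]
    client.history.append(("default", role))
    return role


if __name__ == "__main__":
    c = Client("00:11:22:33:44:55", authenticated=True, auth_method="802.1X",
               server_attrs={"memberOf": "Finance"})
    print(derive_role(c), c.history)
```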


Controller Server communication

(Diagram: for Guests, Employees and Mobile Devices the controller sends a Radius Request + attributes; the server returns a Radius Reply + Radius attributes or + Aruba VSA, depending on the type of server.)

Derivation based on: User, BSSID, Location, Authentication type, Device type, Time of day


Aruba Controller and Clearpass

Authentication (Guests, Employees, Mobile Devices)

Aggregated device info:

- Profiling

- Posture

- Onboarding

- Guests

- AD Attributes

Enforcement Action (Radius Attributes, Aruba VSA):

- Role, VLAN, Bandwidth limits

- Redirect to Web page

- Download ACL (Aruba VSA)

Accounting / Change of Authorization

Post-authentication Tracking:

- Data caps

- Session limits

- MDM

- Posture


ClearPass Downloadable Roles

Aggregated device info:

- Profiling

- Posture

- Onboarding

- Guests

- AD Attributes

Enforcement Action (Radius Attributes, Aruba VSA):

- Role Finance, VLAN, Bandwidth limits

- Redirect to Web page

- Download ACL (Aruba VSA)


Varying the Role according to the AP Group


Bandwidth Contracts

To configure global bandwidth contracts in the CLI:

(host)(config) #dpi global-bandwidth-contract [app|appcategory] <name> [downstream|upstream] [kbits|mbits] <256..2000000>

Configuration:

aaa bandwidth-contract "Internet access" mbits 10

dpi global-bandwidth-contract app youtube downstream kbits 500

dpi global-bandwidth-contract app youtube upstream kbits 500


Apply BW-Contract To The Role


OS Fingerprinting on Aruba Controllers

• OS Fingerprinting allows the Aruba Controller to classify device type and assign a role

– DHCP

• Monitor dhcp-option (User Class Option) included in client’s request

– Browser HTTP

• Watches HTTP traffic from the station looking for user-agent string
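As an added example (not Aruba code), this Python parser shows what the DHCP side of fingerprinting works on: it decodes the client's option TLVs, pulls out the User Class (option 77) and Vendor Class (option 60) values, and maps them through a constructed fingerprint table to a device type and pre-authentication role. The sample packet and the table entries are constructed.

```python
# Added example, not Aruba code: parse the DHCP options a client sends and use
# the User Class option (77) or Vendor Class option (60) to guess the device
# type and pick a pre-authentication role. Option encoding follows RFC 2132:
# a magic cookie, then (code, length, data) TLVs, padded with 0, ended by 255.
from typing import Dict, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_VENDOR_CLASS, OPT_USER_CLASS = 12, 60, 77


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option code: data} for the TLVs following the magic cookie."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        # a long option may be split over several TLVs (RFC 3396): concatenate
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


# Constructed fingerprint table: (option, substring) -> (device type, role).
# The values a client puts in these options are self-reported, so a role
# derived here is only a pre-authentication placement, never a trust decision.
FINGERPRINTS = [
    (OPT_USER_CLASS, b"corp-laptop", ("corporate laptop", "employee-preauth")),
    (OPT_VENDOR_CLASS, b"MSFT 5.0", ("windows", "logon")),
    (OPT_VENDOR_CLASS, b"android-dhcp", ("android", "byod-logon")),
]
UNKNOWN = ("unknown", "logon")


def classify(opts: Dict[int, bytes]) -> Tuple[str, str]:
    """First fingerprint whose substring appears in the option data wins."""
    for code, needle, verdict in FINGERPRINTS:
        if needle in opts.get(code, b""):
            return verdict
    return UNKNOWN


def build_options(*tlvs: Tuple[int, bytes]) -> bytes:
    """Helper to construct a sample options field for testing."""
    out = bytearray(DHCP_MAGIC)
    for code, data in tlvs:
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


# Constructed sample: a Windows client whose User Class names a corporate build
SAMPLE = build_options(
    (OPT_HOSTNAME, b"lab-pc"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"),
    (OPT_USER_CLASS, b"corp-laptop"),
)

if __name__ == "__main__":
    print(classify(parse_dhcp_options(SAMPLE)))
```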


Blacklisting

• What is blacklisting

– De-authenticate client from the network

– Block association to APs

– Blocked from other SSIDs

• Methods of blacklisting supported

– Manually blacklist

• Administratively blacklisting a user: Monitoring > Controller > Clients

– Firewall policy

• Any firewall rule can be configured with the blacklist parameter

– Authentication failures

• Blacklist client based on a (configurable) number of authentication failures

– IDS attack

• The detection of a denial of service or man in the middle (MITM) attack in the network


Global Firewall Settings


PEF for Wired Access Control

• The Aruba solution provides the ability to control

– wireless access

– wired side access

• Policies may be applied to individual Port and/or VLAN

– No authentication

• Authentication on the wired side can be handled by

– 802.1X

– Captive Portal authentication

• No Authentication, initial Role assignment

• Wired access control is available on

– APs with more than one Ethernet jack

– All ports on APs as Mesh Points

– Mobility Controllers


Secure Wired Access on Aruba Products

• Trusted Ports (default)

– Acts like an L2 switch

– Policy may be added

• Non-Trusted Ports or VLANs

– Wired access AAA Profile

– Assign Initial role

– Initiate Authentication

• APs

– The second Ethernet port on an AP with Dual Ethernet ports

– Single or Dual port APs as Mesh Points


Wired AAA Profiles


Captive Portal Process

(Diagram: Client, AP, Aruba controller, DNS, Core Network, Internet)

1) Client associates to CP enabled SSID

2) Client placed in initial role, gets IP address

3) Client requests web page and performs DNS lookup

4) Client starts TCP 3-way handshake with web server; Aruba controller watches for HTTP SYN and performs Destination NAT to the CP page

5) Client authenticates and controller sends HTTP redirect to client


Captive Portal Configuration Sequence

Network

- VLAN 13 (guest-vlan), DHCP pool 192.168.1.0/24

Access Control / Authentication

- AAA Profile: guest-aaa, Initial role = guest logon

- Server Group: guest-SG = Internal DB

- L3 Auth-Profile -> CP Auth profile: guest-cp, Default role = AuthGuest role, Server group = guest-SG

AP Configuration

- Group: MasterWLAN

- VAP: guest-vap, VLAN = guest-vlan, AAA = guest-aaa, SSID = guest-vap

User Roles

- Guest Logon Role: DHCP, DNS, Captive Portal; Captive portal profile = guest-cp

- AuthGuest Role: Block corporate network; DHCP, DNS, Internet


QoS for Voice and Video


Tagging - Downstream

(Diagram: a packet with its L3 ToS and L2 CoS fields shown at each hop in the direction of traffic flow.)

CASE 1: No ACLs configuring ToS, CoS

The packet keeps its original L3 ToS and L2 CoS values end to end.

CASE 2: Session ACLs on the MC configured to modify ToS or CoS

The ToS or CoS bits for specific traffic streams can be modified by setting the new CoS / ToS values on the session ACLs matching the upstream traffic flow.

The new ToS and CoS settings on the packet and GRE encapsulation header will reflect the values configured using the Access Policies. If none are configured then the original ToS and CoS settings will be used as in Case 1.


Tagging - Upstream

(Diagram: a packet with its L3 ToS and L2 CoS fields shown at each hop in the direction of traffic flow.)

CASE 1: No ACLs configuring ToS, CoS

The packet keeps its original L3 ToS and L2 CoS values end to end.

CASE 2: Session ACLs on the MC configured to modify ToS or CoS

The ToS or CoS bits for specific traffic streams can be modified by setting the new CoS / ToS values on the session ACLs matching the upstream traffic flow.

The new ToS and CoS settings on the packet and GRE encapsulation header will reflect the values configured using the Access Policies. If none are configured then the original ToS and CoS settings will be used as in Case 1.

The AP does not set the CoS bits.


Automatic Prioritization on the Aruba System

Prioritization in the Downstream Direction

Session ACLs:

- SIP traffic: CoS = 7, ToS = 45, Queue = High

- Data traffic: CoS = 1, Queue = Low

(Diagram: SIP voice traffic tagged ToS 45 / CoS 7, data traffic tagged CoS 1, default CoS and ToS settings otherwise.)

Voice traffic uses the high priority queue; all other traffic uses the low priority queue.

Prioritization in the Upstream Direction

The AP remembers the ToS and CoS tags used for the downstream SIP traffic to the voice client and tags the upstream SIP traffic from the voice client with the same values.


Voice/UC Aware Firewall

• SIP and SCCP

• H323

• Vocera

• NoE

• Lync Heuristics

• Lync SDN API (Skype for Enterprise)

• Wi-Fi calling


AppRF


DPI/AppRF

Simple Control

• Select by:

– app group

– app

– role

– address

• Apply policy (block, throttle, prioritize)

• Eliminates complexity of configuration


How does classification work?

• Website URL information identifies popular websites

• Signatures are used for “easy to identify” applications

• Uses protocol grammar analysis to understand complex applications and their current state

• Uses advanced heuristics when required

• Detects encrypted applications via certificate common names


Application Categories


Applications per Category


Encrypted Applications

• Primary method of classification for encrypted flows is use of the unencrypted certificate information

– Primarily Common Name

• Certificate is exchanged as part of the initial application startup

• Only allows granularity reflected in the cert name

– All of facebook, for example, uses a cert with “Facebook” as the CN

• Extraction of metadata or any deeper analysis isn’t possible


AppRF 2.0 Platform Support

• Support on 70xx, 72xx

• Solution will support mixed 72x0/older controller networks

– App level rules can be configured on non-70xx/72xx masters

– App rules will be pushed to local controllers, but won’t be written into configuration

• On non-master 72x0, filter dashboard works but the “action” buttons are greyed out

• On older platforms, “users” replace App Categories, and Apps use old AppRF


New Policy Containers

• To simplify security rules, we have created a “Global Policy” and a “Role-Specific” policy

• These are the first two Policies in every Role

– Global policy is applied first

– Role-Specific policy is applied second

– All other configured policies are applied in turn afterwards

• Use of these is optional – if left empty, nothing changes about how the configuration is applied and the rules enforced


Global ACL

• To simplify security rules, we have created a “Global Policy” and a “Role-Specific” policy

• These are the first two Policies in every Role

– Global policy is always in 1st position and applied to all user roles

– Role-Specific policy is always in 2nd position and applied to the specific user role

– All other configured policies are applied in turn afterwards

• Use of these is optional – if left empty, nothing changes about how the configuration is applied and the rules enforced


Two configuration models for AppRF

• “Traditional” Role-Based Workflow

– Configuration > Access Control > Role > Policy > ACL

– Traditional CLI commands with extensions for apps/categories

• “Simplified” Dashboard-Based Workflow

– Leverages new policy containers “Global Policy” and “Role Policy”


Configuration Knobs

• There are 3 configuration knobs related to AppRF

• “Firewall Visibility” global knob – turns on/off dashboard display

– Default is “on”

• “DPI” global knob – turns on DPI and detection of the 1500 applications

– If performance overhead becomes a problem

– For privacy reasons

– Default is “on”

• Per-role DPI knob

– Privacy reasons

– Performance reasons – only inspect the traffic you want to inspect


ALGs vs. DPI

• AOS ALGs are used to classify, monitor, and QoS certain types of traffic, especially UCC protocols

• Sessions can only be classified by one method

– Old-school Aruba ALGs or DPI

– ALGs take precedence

• No ALG traffic can be blocked, QoS’d, or BW limited via DPI

– Will show in Dashboard

– If an ACL is written using an ALG app, it will be ignored


Application Bandwidth Contracts

• Bandwidth contracts for applications or application groups will be supported at FCS

• Only Role-Based Bandwidth contracts will be supported

– Not User or AP Group

• Application-based and “generic bandwidth based” contracts will co-exist but not cooperate in this first release

• “Traditional” and “Dashboard” methods can be used to configure bandwidth contracts

• Global and Role-Based BW contracts are supported


Web Content Classification


Web Content Classification

Simple Control

• Select by:

– Web category

– URL

– Role

• Apply policy (block, throttle, prioritize)

• Web reputation scores


High Level Feature set

• New dashboard for URL classification and reputation classification

• Classifies web browsing history by categories and risks

• 82 web categories and 5 web reputation groups

• Web traffic can be blocked, QoS, mirrored etc. based on ACLs created.

• Works in the cloud with a local cache file

• Supported on both controller and Instant product lines

• Database includes five security categories that identify malware, phishing, botnet, and other malicious sites

• Full AMON logging of web site information to AirWave for a future dashboard

• Very simple web notification to users who violate policy


Web Policy database includes 82 categories


Web Reputation Scores

• Provides a reputation score for each website

• Score based on risk of malware, phishing, etc. – NOT on morality

• Recent malware infections, age of site, linking to bad sites are major influencers of the score


Web Content security categories

Blocking these categories will help protect end users against malware


Differences between AppRF applications and Web Content categories

• Application Categories

– Functional – Enterprise Apps, Network Protocols

– Actionable – Peer-to-Peer, Streaming Media, Social Media

– Static – contain a set number of defined applications

– 1-1 – a given App or website is in only one category

• Web Categories

– Totally content based

– Completely dynamic – changed/added to continuously

– Indeterminate – can’t ask the cloud for a complete list of category members

– 1-Many – Each website can be a member of up to 5 categories


Feature Details

• Global knob to enable/disable content analysis

– Configuration > Advanced > Stateful Firewall > General

– CLI: “firewall web-cc”

• Role-based control to enable/disable content analysis

• Global knob to control the default behavior for a cache miss

– Permit or block – defaults to permit

• Platform Support – New controllers only

– 72x0, 70xx


Controller Licenses for AppRF and Webcontent Filter

• PEF license is required per AP for AppRF

• Additional per AP subscription is required for WebContentFiltering.

– Subscription will be free during an early preview period until AOS 6.4.3


Important – Requires DNS Configuration!

• Feature requires DNS client functionality be enabled so that the controller can find the cloud resources

• On the CLI, “ip name-server <ip address>”

• In the GUI, “Configuration>IP > Routes & DNS”


Frequently Asked Questions

• What if I want to block a category, but there is a website in it I don’t want to block?

– Simply create a “net destination” ACL for the website by hostname and put it before the web category ACL in the policy list

• How do I know what category a web site is a member of? Or why the reputation score is so high/low?

– Look up the URL here - http://www.brightcloud.com/tools/url-ip-lookup.php

• What if I disagree with a categorization and want to have it changed?

– Use BrightCloud’s help form here - http://www.brightcloud.com/tools/change-request-url-categorization.php
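An added Python model (not Aruba's implementation) of the web content decision path covered by the Feature Details slide and the first FAQ item above: local cache first, the cloud on a miss, the cache-miss default when neither answers, then a blocked category or a low reputation score, with a net-destination exception checked before any category rule. Hostnames, category names, scores, and the assumption that a higher reputation score means a safer site are all constructed for the example.

```python
# Added example, not Aruba code: web content classification decision path.
# Look the hostname up in the local cache, fall back to the cloud, apply the
# cache-miss default when neither answers, then block on a matched web category
# or a low reputation score. A site carries at most five categories, and a
# net-destination exception is checked before any category rule so that one
# host can be carved out of an otherwise blocked category.
from typing import Callable, Dict, List, Optional, Tuple

MAX_CATEGORIES = 5
Entry = Tuple[List[str], int]                 # (categories, reputation score)
CloudLookup = Callable[[str], Optional[Entry]]


class WebContentFilter:
    # Assumption for this model: reputation is 0..100 and higher means safer.
    def __init__(self, cache: Dict[str, Entry], blocked_categories, min_reputation: int,
                 cache_miss_action: str = "permit", allow_hosts=()):
        if cache_miss_action not in ("permit", "block"):
            raise ValueError("cache-miss default must be permit or block")
        self.cache = dict(cache)
        self.blocked = set(blocked_categories)
        self.min_reputation = min_reputation
        self.cache_miss_action = cache_miss_action
        self.allow_hosts = set(allow_hosts)

    def classify(self, host: str, cloud: Optional[CloudLookup] = None):
        """Return (categories, reputation, source); source is cache, cloud or miss."""
        if host in self.cache:
            cats, rep = self.cache[host]
            return cats, rep, "cache"
        if cloud is not None:
            answer = cloud(host)
            if answer is not None:
                cats, rep = answer
                if len(cats) > MAX_CATEGORIES:
                    raise ValueError("a site carries at most five categories")
                self.cache[host] = (cats, rep)  # warm the local cache
                return cats, rep, "cloud"
        return [], None, "miss"

    def decide(self, host: str, cloud: Optional[CloudLookup] = None) -> Tuple[str, str]:
        """Return (action, reason) for a web request to host."""
        if host in self.allow_hosts:
            return "permit", "net-destination exception"
        cats, rep, source = self.classify(host, cloud)
        if source == "miss":
            return self.cache_miss_action, "cache miss default"
        hits = [c for c in cats if c in self.blocked]
        if hits:
            return "block", "web category " + hits[0]
        if rep < self.min_reputation:
            return "block", "reputation %d below %d" % (rep, self.min_reputation)
        return "permit", "no category or reputation rule matched"


# Constructed local cache and cloud answers (category names are illustrative)
LOCAL_CACHE = {
    "video.example.com": (["streaming media", "entertainment"], 90),
    "tv.example.com": (["streaming media"], 80),
    "dropper.example.net": (["malware sites", "phishing"], 4),
    "shop.example.org": (["shopping"], 30),
}
CLOUD_ANSWERS = {"news.example.com": (["news"], 88)}


def cloud_lookup(host: str) -> Optional[Entry]:
    return CLOUD_ANSWERS.get(host)


def demo_filter(miss_action: str = "permit") -> WebContentFilter:
    """Block streaming plus the security categories, except one training host."""
    return WebContentFilter(LOCAL_CACHE,
                            {"malware sites", "phishing", "botnets", "streaming media"},
                            min_reputation=40, cache_miss_action=miss_action,
                            allow_hosts={"video.example.com"})


if __name__ == "__main__":
    f = demo_filter()
    for h in ("video.example.com", "tv.example.com", "unknown.example.com"):
        print(h, f.decide(h, cloud_lookup))
```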


FAQ Continued

• Should I use “application categories” or “web categories” to block content like streaming media?

– Easiest, most comprehensive way to do this is to use the Web Content feature whenever there is an overlap between app category and web category

– Exception would be if the administrator wants to know exactly what they are blocking, and the application category includes the applications they are interested in


AppRF comparison on controller and Instant AP

Feature | Controllers | Instant

Global ACL and Create ACL from dashboard | (per-platform marks not recoverable from the slide) | (per-platform marks not recoverable from the slide)

Detailed Web Content Filtering view on dashboard | Top 6 or Top 9 category view along with web reputation and URL destination information | Classifies web reputations but no detail information about URL destinations

Dashboard visibility | Centralized view of all the user data flowing through the controller | With Instant OS 4.1.1 onwards, we have aggregate data for SSID

Dashboard refresh period | Refreshes data every 2 mins | Option to view either 1 min or 15 min data

Web URL cache | 1 million URLs cached locally | Very small cache on IAP

WAN dependency for Web Content filtering | Less. Only if the URL does not match the locally cached database of 1 million URLs | High


THANK YOU
