Policy Enforcement Firewall
Balajee Krishnamurthy, PLM
Giridhar Shankar, PLM
Amish Shah, TME
@ArubaNetworks
CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved. #ATM15
Agenda
• Trends and Challenges
• Aruba’s Policy Enforcement Firewall
• Demo
The New Normal
Creating a New Network Imperative
• Mobility in Office space, Dorms, Public Venues, Outdoor, etc
• Device Proliferation & Bring your own device
• Heavy multimedia use
• Seamless Access Across from Campus to Remote
• Predominately Data Traffic
• IT Sanctioned Devices
• Mobility in Common Areas Only
• Disparate Networks
Creating a New Network Imperative
• Mobility in Classrooms, Dorms, Public Venues, Outdoor, etc
• Device Proliferation & Bring your own device
• Heavy multimedia use
• Seamless Access Across from Campus to Remote
• Predominately Data Traffic
• IT Sanctioned Devices
• Mobility in Common Areas Only
• Disparate Networks
• Extend Mobility securely with Existing Resources
• Secure Access based on context
• High quality of experience for real time apps
• Maintain Consistent Security & User Experience
Existing Networks Not Suited For Mobility
• Disparate networks
• Siloed services
• Built for client-server
• No single view of users or devices
• No context awareness
[Figure labels: Manager 1 to Manager 5; VLAN 100, 200, 300, 400, 500; Wireless, Wired, VPN, Remote Office, Outdoor]
Aruba Policy Enforcement Firewall
Aruba WLAN Architecture with PEF
[Figure labels: Employee SSID; AAA Server; VLAN Pool; Multi-Service Mobility Controller with PEF; User; Applications; Role A (200 Users); Role B (300 Users)]
Aruba Firewall
• Identity-based Stateful firewall
– Role/identity based
– Application Aware
– Stateful policies versus “access control lists”
• Bi-directional
• Session aware; more difficult to spoof
• Dynamic
• Extended features
– Countermeasures (blacklisting)
– QOS
– Valid user access list
Rules, Policies, Roles and Users
[Figure: rules are grouped into policies, policies are attached to roles, and role derivation assigns users to a role]
Policies
• Policy 1: Rule 1, Rule 2, Rule 3 … Rule n
• Policy 2: Rule 1, Rule 2
• Policy 3: Rule 1
• Policy 4: Rule 1, Rule 2, Rule 3, Rule 4
• Policy 5: Rule 1, Rule 2, Rule 3, Rule 4
Roles
• Role 1: Policy 1, Policy 2
• Role 2: Policy 1, Policy 3, Policy 4
• Role 3: Policy 4, Policy 5
• Role 4: Policy 4
Users
• User1, User2, User3, User4, User5, User6 … UserN
Role Derivation: assigns users to a role
Methods:
1) Locally Derived
2) Server Assigned
3) Default Role
Policies Overview
• Policies are groups of firewall rules
• Evaluated top down
– First rule matched is applied; more specific items at top of list
– All other rules are ignored
– Implicit “deny all” rule at the end of the firewall policy
<source> <destination> <service> <action> <extended action>
– source, destination: Addresses
– service: HTTP, FTP, DNS, Application, etc.
– action: Deny, Permit, Nat
– extended action: Log, Queue, 802.1p assignment, TOS, Time Range
Aliases
• Represent one or more networks, host addresses or services
• Types of aliases
– Destination
– Network services
Aruba Firewall Actions
• Basic actions: Permit, Drop, Reject
• NAT’ing actions: Src-nat, dst-nat, dual-nat
• Re-direct actions: Redirect to tunnel (group), Redirect to ESI group (External Services Interface)
• Routing Actions: Route (src-nat), route dst-nat
Advanced Policy Actions
• Log - generate a log message if rule gets applied
• Mirror – mirrors traffic to another destination
• Queue - assign priority queue of the flow (high/low)
• Time-Range - for time-based policies
• Pause ARM Scanning – delays ARM scanning for real time sessions
• Black list – deny access AND blacklist a client matching this rule
• TOS - set DSCP bits in IP header
• 802.1p-priority - assign 802.1p priority
• Classify Media – monitor all untagged UDP flows to classify them as media and tag accordingly
Roles
• Every user in an Aruba Mobility Controller is assigned a role
• Roles
– Each role has one or more firewall policies applied
• Role Derivation
– User-derived
– Server-derived
– Default based on access method (802.1X, VPN etc.)
Role Derivation (in sequence)
• Initial Role
– Pre-authenticated Role
– Always assigned
• User-Derived Roles
– Assigned using device specific attributes
– Executed before client authentication
[Slide label: PRE-AUTHENTICATED]
Role Derivation
• VSA-Derived Roles (Vendor Specific Attributes)
– Provide features not supported in standard RADIUS attributes
– Can derive user role and VLAN for RADIUS authenticated clients
• Server Derived Roles
– Different access privileges based on security policy
– Can use single SSID for all users/devices
– Role assignment based on attributes from authentication server
• Default Roles
– Configurable by authentication method (AAA Profile)
• Captive Portal
• 802.1X
• VPN
• MAC
[Slide label: POST-AUTHENTICATED]
Role Assignment Workflow
1) User associates to an SSID
2) User placed in the initial role (logon by default)
3) Check for user derived rule; if present, user gets new role
4) User authentication
5) Check for Server derived rules; if present, assign role
6) No server derived rules present, then assign Default Role
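The workflow above as a small Python model (an added example, not ArubaOS code). The rule format, the role names other than logon, the sample MAC prefix and the use of the Filter-Id and Aruba-User-Role attributes are assumptions for illustration; a failed authentication is assumed to leave the client in its pre-authenticated role.

```python
def first_match(rules, attrs):
    """Return the role of the first rule whose condition holds, else None."""
    ops = {
        "equals": lambda actual, value: actual == value,
        "contains": lambda actual, value: value in actual,
        "starts-with": lambda actual, value: actual.startswith(value),
    }
    for attr, op, value, role in rules:
        actual = attrs.get(attr)
        if actual is not None and ops[op](actual, value):
            return role
    return None


def derive_role(profile, device_attrs, auth=None):
    """Walk the derivation sequence and return (role, trace of assignments)."""
    role = profile["initial_role"]              # always assigned on association
    trace = [("initial", role)]

    derived = first_match(profile["user_rules"], device_attrs)
    if derived:                                 # user-derived, before authentication
        role = derived
        trace.append(("user-derived", role))

    if auth is None or not auth["accepted"]:
        return role, trace                      # assumption: stays pre-authenticated

    derived = first_match(profile["server_rules"], auth["attributes"])
    if derived:                                 # server-derived from the RADIUS reply
        role = derived
        trace.append(("server-derived", role))
    else:                                       # default role of the auth method
        role = profile["default_roles"][auth["method"]]
        trace.append(("default", role))
    return role, trace


# Constructed sample profile; every name except "logon" is hypothetical.
PROFILE = {
    "initial_role": "logon",
    "user_rules": [("mac", "starts-with", "00:00:5e:00:53", "voice-preauth")],
    "server_rules": [
        ("Aruba-User-Role", "equals", "contractor", "contractor"),
        ("Filter-Id", "contains", "finance", "finance"),
    ],
    "default_roles": {"802.1X": "authenticated", "captive-portal": "guest"},
}

LAPTOP = {"mac": "aa:bb:cc:00:00:01"}           # constructed device attributes
PHONE = {"mac": "00:00:5e:00:53:07"}

if __name__ == "__main__":
    reply = {"accepted": True, "method": "802.1X",
             "attributes": {"Filter-Id": "grp-finance"}}
    print(derive_role(PROFILE, LAPTOP))
    print(derive_role(PROFILE, LAPTOP, reply))
    print(derive_role(PROFILE, PHONE, {"accepted": False, "method": "802.1X",
                                       "attributes": {}}))
```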
Controller Server communication
[Figure labels: Guests, Employees, Mobile Devices; controller; authentication server]
• Radius Request + attributes
• Radius Reply + Radius attributes or + Aruba VSA, depending on type of server
• Derivation based on: User, BSSID, Location, Authentication type, Device type, Time of day
Aruba Controller and Clearpass
[Figure labels: Guests, Employees, Mobile Devices]
• Authentication
• Aggregated device info: Profiling, Posture, Onboarding, Guests, AD Attributes
• Enforcement Action: Role, VLAN, Bandwidth limits; Redirect to Web page; Download ACL (Aruba VSA)
• Accounting
• Change of Authorization
• Post-authentication Tracking: Data caps, Session limits, MDM, Posture
• Radius Attributes, Aruba VSA
ClearPass Downloadable Roles
• Aggregated device info: Profiling, Posture, Onboarding, Guests, AD Attributes
• Enforcement Action: Role Finance, VLAN, Bandwidth limits; Redirect to Web page; Download ACL (Aruba VSA)
• Radius Attributes, Aruba VSA
Varying the Role according to the AP Group
Bandwidth Contracts
To configure global bandwidth contracts in the CLI:
(host)(config) #dpi global-bandwidth-contract [app|appcategory] <name> [downstream|upstream] [kbits|mbits] <256..2000000>
Configuration
aaa bandwidth-contract "Internet access" mbits 10
dpi global-bandwidth-contract app youtube downstream kbits 500
dpi global-bandwidth-contract app youtube upstream kbits 500
Apply BW-Contract To The Role
OS Fingerprinting on Aruba Controllers
• OS Fingerprinting allows the Aruba Controller to classify device type and assign a role
– DHCP
• Monitor dhcp-option (User Class Option) included in client’s request
– Browser HTTP
• Watches HTTP traffic from the station looking for user-agent string
Blacklisting
• What is blacklisting
– De-authenticate client from the network
– Block association to APs
– Blocked from other SSIDs
• Methods of blacklisting supported
– Manually blacklist
• Administratively blacklisting a user: Monitoring>Controller>Clients
– Firewall policy
• Any firewall rule can be configured with the blacklist parameter
– Authentication Failures
• Blacklist client based on (configurable) number of authentication failures
– IDS Attack
• The detection of a denial of service or man in the middle (MITM) attack in the network.
Global Firewall Settings
PEF for Wired Access Control
• The Aruba solution provides the ability to control
– wireless access
– wired side access
• Policies may be applied to individual Port and/or VLAN
– No authentication
• Authentication on the wired side can be handled by
– 802.1X
– Captive Portal authentication
• No Authentication, initial Role assignment
• Wired access control is available on
– APs with more than one Ethernet jack
– All ports on APs as Mesh Points
– Mobility Controllers
Secure Wired Access on Aruba Products
• Trusted Ports (default)
– Acts like an L2 switch
– Policy may be added
• Non-Trusted Ports or VLANs
– Wired access AAA Profile
– Assign Initial role
– Initiate Authentication
• APs
– The second Ethernet port on an AP with Dual Ethernet ports
– Single or Dual port APs as Mesh Points
Wired AAA Profiles
Captive Portal Process
[Figure labels: Client, AP, Aruba, DNS, Core Network, Internet]
1) Client associates to CP enabled SSID.
2) Client placed in initial role, gets IP address.
3) Client requests web page and performs DNS lookup.
4) Client starts TCP 3-way handshake with web server; Aruba controller watches for HTTP SYN and performs Destination NAT to the CP page.
5) Client authenticates and controller sends HTTP redirect to client.
Captive Portal Configuration Sequence
Network
• VLAN13 (guest-vlan)
• DHCP pool 192.168.1.0/24
Access Control
• User Roles
– Guest Logon Role: DHCP, DNS, Captive Portal; Captive portal profile = guest-cp
– AuthGuest Role: Block corporate network; DHCP, DNS, Internet
Authentication
• AAA-Profile guest-aaa: Initial role = guest logon
• Server Group guest-SG = Internal DB
• L3 Auth-Profile -> CP Auth profile guest-cp: Default role = AuthGuest role; Server group = guest-SG
AP Configuration
• Group - Master
• WLAN: VAP - guest-vap; VLAN = guest-vlan; AAA = guest-aaa; SSID - guest-vap
QoS for Voice and Video
Tagging - Downstream
[Figure: packets shown with their L3 ToS and L2 CoS fields along the direction of traffic flow]
CASE 1: No ACLs configuring ToS, CoS
CASE 2: Session ACLs on the MC configured to modify ToS or CoS
• The ToS or CoS bits for specific traffic streams can be modified by setting the new CoS / ToS values to the session ACLs matching the upstream traffic flow
• The new ToS and CoS settings on the packet and GRE encapsulation header will reflect the values configured using the Access Policies. If none configured then the original ToS and CoS settings will be used as in Case 1.
Tagging - Upstream
[Figure: packets shown with their L3 ToS and L2 CoS fields along the direction of traffic flow]
CASE 1: No ACLs configuring ToS, CoS
CASE 2: Session ACLs on the MC configured to modify ToS or CoS
• The ToS or CoS bits for specific traffic streams can be modified by setting the new CoS / ToS values to the session ACLs matching the upstream traffic flow
• The new ToS and CoS settings on the packet and GRE encapsulation header will reflect the values configured using the Access Policies. If none configured then the original ToS and CoS settings will be used as in Case 1.
• The AP does not set the CoS bits
Automatic Prioritization on the Aruba System
Prioritization in the Downstream Direction
[Figure labels: SIP Voice traffic tagged ToS 45 / CoS 7; Data Traffic tagged CoS 1; default CoS and ToS settings]
• Session ACLs
– SIP traffic: CoS = 7, ToS = 45, Queue = High
– Data Traffic: CoS = 1, Queue = Low
• Voice traffic uses high priority queue
• All other traffic uses low priority queue
Prioritization in the Upstream Direction
• Session ACLs
– SIP traffic: CoS = 7, ToS = 45, Queue = High
– Data Traffic: CoS = 1, Queue = Low
• The AP remembers the ToS CoS tags used for the downstream SIP traffic to the voice client and tags the upstream SIP traffic from the voice client with the same values.
Voice/UC Aware Firewall
• SIP and SCCP
• H323
• Vocera
• NoE
• Lync Heuristics
• Lync SDN API (Skype for Enterprise)
• Wi-Fi calling
AppRF
DPI/AppRF
Simple Control
• Select by:
– app group
– app
– role
– address
• Apply policy (block, throttle, prioritize)
• Eliminates complexity of configuration
How does classification work?
• Website URL information identifies popular websites
• Signatures are used for “easy to identify” applications
• Uses protocol grammar analysis to understand complex applications and their current state
• Uses advanced heuristics when required
• Detects encrypted applications via certificate common names
Application Categories
Applications per Category
Encrypted Applications
• Primary method of classification for encrypted flows is use of the unencrypted certificate information
– Primarily Common Name
• Certificate is exchanged as part of the initial application startup
• Only allows granularity reflected in the cert name
– All of Facebook, for example, uses a cert with “Facebook” as the CN
• Extraction of metadata or any deeper analysis isn’t possible
AppRF 2.0 Platform Support
• Support on 70xx, 72xx
• Solution will support mixed 72x0/older controller networks
– App level rules can be configured on non-70xx/72xx masters
– App rules will be pushed to local controllers, but won’t be written into configuration
• On non-master 72x0, filter dashboard works but the “action” buttons are greyed out
• On older platforms, “users” replace App Categories, and Apps use old AppRF
New Policy Containers
• To simplify security rules, we have created a “Global Policy” and a “Role-Specific” policy
• These are the first two Policies in every Role
– Global policy is applied first
– Role-Specific policy is applied second
– All other configured policies are applied in turn afterwards
• Use of these is optional – if left empty, nothing changes about how the configuration is applied and the rules enforced
Global ACL
• To simplify security rules, we have created a “Global Policy” and a “Role-Specific” policy
• These are the first two Policies in every Role
– Global policy is always on 1st position and applied to all user roles
– Role-Specific policy always on 2nd position and applied to specific user role
– All other configured policies are applied in turn afterwards
• Use of these is optional – if left empty, nothing changes about how the configuration is applied and the rules enforced
Two configuration models for AppRF
• “Traditional” Role-Based Workflow
– Configuration>Access Control>Role>Policy>ACL
– Traditional CLI commands with extensions for apps/categories
• “Simplified” Dashboard-Based Workflow
– Leverages new policy containers “Global Policy” and “Role Policy”
Configuration Knobs
• There are 3 configuration knobs related to AppRF
• “Firewall Visibility” global knob – turns on/off dashboard display
• Default is “on”
• “DPI” global knob – turns on DPI and detection of the 1500 applications
• If performance overhead becomes a problem
• For privacy reasons
• Default is “on”
• Per-role DPI knob
• Privacy reasons
• Performance reasons – only inspect the traffic you want to inspect
ALGs vs. DPI
• AOS ALGs are used to classify, monitor, and QoS certain types of traffic, especially UCC protocols
• Sessions can only be classified by one method
• Old-school Aruba ALGs or DPI
• ALGs take precedence
• No ALG traffic can be blocked, QoS, or BW limited via DPI
• Will show in Dashboard
• If an ACL is written using an ALG app, it will be ignored
Application Bandwidth Contracts
• Bandwidth contracts for applications or application groups will be supported at FCS
• Only Role-Based Bandwidth contracts will be supported
– Not User or AP Group
• Application-based and “generic bandwidth based” contracts will co-exist but not cooperate in this first release
• “Traditional” and “Dashboard” methods can be used to configure bandwidth contracts
• Global and Role-Based BW contracts are supported
Web Content Classification
Web Content Classification
Simple Control
• Select by:
– Web category
– URL
– Role
• Apply policy (block, throttle, prioritize)
• Web reputation scores
High Level Feature set
• New dashboard for URL classification and reputation classification
• Classifies web browsing history by categories and risks
• 82 web categories and 5 web reputation groups
• Web traffic can be blocked, QoS, mirrored etc. based on ACLs created.
• Works in the cloud with a local cache file
• Supported on both controller and Instant product lines
• Database includes five security categories that identify malware, phishing, botnet, and other malicious sites
• Full AMON logging of web site information to AirWave for a future dashboard
• Very simple web notification to users who violate policy
Web Policy database includes 82 categories
Web Reputation Scores
• Provides a reputation score for each website
• Score based on risk of malware, phishing, etc – NOT on morality
• Recent malware infections, age of site, linking to bad sites are major influencers of the score
Web Content security categories
Blocking these categories will help protect end users against malware
Differences between AppRF applications and Web Content categories
• Application Categories
• Functional – Enterprise Apps, Network Protocols
• Actionable – Peer-to-Peer, Streaming Media, Social Media
• Static – contain set number of defined applications
• 1-1 – a given App or website is in only one category
• Web Categories
• Totally content based
• Completely dynamic – changed/added to continuously
• Indeterminate – can’t ask the cloud for a complete list of category members
• 1-Many – Each website can be a member of up to 5 categories
Feature Details
• Global knob to enable/disable content analysis
• Configuration>Advanced>Stateful Firewall>General
• “firewall web-cc”
• Role-based control for enable/disable content analysis
• Global knob to control default behavior for a cache miss
• Permit or block – default to permit
• Platform Support – New controllers only
• 72x0, 70xx
Controller Licenses for AppRF and Webcontent Filter
• PEF license is required per AP for AppRF
• Additional per AP subscription is required for WebContentFiltering.
– Subscription will be free during an early preview period till AOS 6.4.3
Important – Requires DNS Configuration!
• Feature requires DNS client functionality be enabled so that the controller can find the cloud resources
• On the CLI, “ip name-server <ip address>”
• In the GUI, “Configuration>IP > Routes & DNS”
Frequently Asked Questions
• What if I want to block a category, but there is a website in it I don’t want to block?
– Simply create a “net destination” ACL for the website by hostname and put it before the web category ACL in the policy list
• How do I know what category a web site is a member of? Or why the reputation score is so high/low?
– Look up the URL here - http://www.brightcloud.com/tools/url-ip-lookup.php
• What if I disagree with a categorization and want to have it changed?
– Use BrightCloud’s help form here - http://www.brightcloud.com/tools/change-request-url-categorization.php
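The top-down, first-match evaluation from the Policies Overview slide, the policy order from the Global ACL slide and the FAQ advice above about placing a hostname exception before a web category rule, worked through in Python. This is an added example, not Aruba code or configuration; the Rule/Flow model, the hostnames and the category labels are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dest: str      # "any", an exact hostname, or "webcat:<category>"
    service: str   # "any" or a service name such as "http"
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    host: str
    service: str
    categories: frozenset = frozenset()  # web categories of the host (constructed)


def rule_matches(rule, flow):
    if rule.service not in ("any", flow.service):
        return False
    if rule.dest == "any":
        return True
    if rule.dest.startswith("webcat:"):
        return rule.dest.split(":", 1)[1] in flow.categories
    return rule.dest == flow.host


def build_role(global_policy, role_policy, other_policies):
    """Policy order inside a role: Global, Role-Specific, then the rest in turn."""
    return [("global", global_policy), ("role-specific", role_policy), *other_policies]


def evaluate(role, flow):
    """Return (action, policy name, 1-based rule position) of the deciding rule."""
    for policy_name, rules in role:
        for position, rule in enumerate(rules, start=1):
            if rule_matches(rule, flow):
                return rule.action, policy_name, position  # first match wins
    return "deny", "implicit-deny", 0  # nothing matched: implicit "deny all"


def unreached_rules(role, flows):
    """Rules that decide none of the sample flows: candidates for reordering."""
    hit = {evaluate(role, flow)[1:] for flow in flows}
    return [(name, pos) for name, rules in role
            for pos, _ in enumerate(rules, start=1) if (name, pos) not in hit]


# Constructed sample data: hostnames and category labels are placeholders.
TRAINING = Flow("video.training.example", "http", frozenset({"streaming-media"}))
CLIPS = Flow("clips.example", "http", frozenset({"streaming-media"}))
NEWS = Flow("news.example", "http", frozenset({"news"}))
BAD = Flow("dropper.example", "http", frozenset({"malware"}))
SSH = Flow("git.example", "ssh")
FLOWS = [TRAINING, CLIPS, NEWS, BAD, SSH]

BLOCK_MALWARE = Rule("webcat:malware", "any", "deny")
BLOCK_STREAMING = Rule("webcat:streaming-media", "any", "deny")
ALLOW_TRAINING = Rule("video.training.example", "any", "permit")
ALLOW_HTTP = Rule("any", "http", "permit")

# Hostname exception after the category block: the block always decides first.
WRONG = build_role([BLOCK_MALWARE], [],
                   [("web", [BLOCK_STREAMING, ALLOW_TRAINING, ALLOW_HTTP])])
# Hostname exception before the category block, as the FAQ advises.
RIGHT = build_role([BLOCK_MALWARE], [],
                   [("web", [ALLOW_TRAINING, BLOCK_STREAMING, ALLOW_HTTP])])

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow.host, evaluate(WRONG, flow), evaluate(RIGHT, flow))
    print("unreached in WRONG:", unreached_rules(WRONG, FLOWS))
```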
FAQ Continued
• Should I use “application categories” or “web categories” to block content like streaming media?
– Easiest, most comprehensive way to do this is to use the Web Content feature whenever there is an overlap between app category and web category
– Exception would be if the administrator wants to know exactly what they are blocking, and the application category includes the applications they are interested in
AppRF comparison on controller and Instant AP
Features (Controllers vs. Instant)
• Global ACL
• Create ACL from dashboard
• Detailed Web Content Filtering view on dashboard
– Controllers: Top 6 or Top 9 category view along with web reputation and URL destination information
– Instant: Classifies web reputations but no detail information about URL destinations
• Dashboard visibility
– Controllers: Centralized view of all the user data flowing through the controller
– Instant: With Instant OS 4.1.1 onwards, we have aggregate data for SSID
• Dashboard Refresh period
– Controllers: Refreshes data every 2 mins
– Instant: Option to view either 1 min or 15 min data
• Web URL Cache
– Controllers: 1 million URL cached locally
– Instant: Very small cache on IAP
• WAN dependency for Web Content filtering
– Controllers: Less. Only if URL does not match the locally cached database of 1 million URLs
– Instant: High
THANK YOU