Aruba PEF Overview - Airheads...

Jon Green, Product Manager, [email protected]


Aruba Networks CONFIDENTIAL. © 2010 All Rights Reserved.


The Modern CIO Agenda: Balancing Mobility and Security

User Mobility: Wireless LANs, Mobile Devices, Remote Access

Enterprise Security: Access Control, Data Protection, Regulatory Mandates


What does PEF do?

[Diagram: an 80Gbps Wire-Speed Policy Enforcement Firewall (PEF) on the Mobility Controller sits between the Access Networks (Guests, Students; Phones, Printers; Employees, Contractors) and Enterprise Resources.]

• Identify the User
• Control Access per User
• Prioritize Applications
• Optimize Performance
• Follow the User


Traditional Security Limits User Mobility

[Diagram: the Data Center sits behind an Enterprise VPN Firewall at the Enterprise Perimeter; Employees and Consultants are inside, a Remote Employee reaches in over VPN, and Hackers and Visitors are outside.]


Mobility and Wireless Dissolve Perimeters

[Diagram: the same Data Center with a Dissolving Enterprise Perimeter; Employees, Consultants, Visitors and Hackers now connect from Branch, Partner Site, Hotel and Home.]


PEF Takes Policy to the User

[Diagram: The Mobile Enterprise; Employees, Consultants, Visitors and Hackers reach the Data Center from Branch, Partner Site, Hotel and Home.]

Only at the network edge is user identity known!


PEF Basics

Rules
• Match a specific flow (source IP, dest IP, protocol, source port, dest port)
• Apply an action (permit, deny, redirect, change TOS, queue, etc.)

Policies
• Made up of one or more rules (in priority order)
• Some policies are not rule-based (e.g. bandwidth contracts)

Roles
• A classification into which users are placed when connected to an Aruba system
• Assigned role may change throughout a session (e.g. moving from pre-authentication role to post-authentication role)
• Incorporate one or more policies (in priority order)
• Control other parameters (IP address pools, VLAN, bandwidth contract, VIA profile, etc.)


PEF Architecture

[Diagram: Corporate Services (Guest, Finance, Legal, HR, Executive) behind the controller; Virtual AP 1 (SSID: Corp) and Virtual AP 2 (SSID: GUEST); a DMZ reached over a Secure Tunnel To DMZ; RADIUS, LDAP and AD plus a Captive Portal for authentication. Role-Based Access Control assigns Access Rights per role (Staff, Contractors, Voice, Video, Guest), in contrast to SSID-Based Access Control.]


PEF Identifies the User


Role Derivation

Default Roles
• Configurable by authentication method
• SSID

User Rules
• Device-specific attributes
• Encryption type
• AP used (by name or BSSID)

Server Derived Roles
• Role assignment based on attributes from authentication server
• Different access privileges based on security policy
• Can use single SSID for all users/devices


Role Derivation

• User access authenticated through enterprise directory services (AD, LDAP, RADIUS, etc.)
• Group membership information from directory used to derive user role
• User role controls policy

[Diagram: the Domain Controller returns AD Group = Marketing; RADIUS returns FilterID = Marketing (PERMIT); the controller maps User = Jon to Role = Marketing, which applies Policy = permit_facebook.]
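The two slides above (PEF Basics and Role Derivation) describe a hierarchy: a rule matches a flow 5-tuple and carries an action, a policy is an ordered list of rules, a role is an ordered list of policies plus other parameters such as VLAN and bandwidth contract, and the role itself is chosen by derivation from the authentication method, client attributes and authentication-server attributes such as a RADIUS Filter-Id. The following is an added example, not Aruba's code or configuration syntax: a Python model of that hierarchy with first-match evaluation. It also carries a queue action on the SIP flow (the point of the Application Aware QoS slide further down) and deny rules for mDNS and LLMNR (the Silent Killers slide). Every name, address, policy, the precedence order server-derived > user rule > default role, and the implicit deny at the end of a role are assumptions made for illustration.

```python
# Added example, not Aruba code: a model of the Rule / Policy / Role hierarchy
# and of role derivation from the slides above. All names, addresses, the
# derivation precedence and the implicit deny are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """The 5-tuple a PEF rule matches on."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # permit, deny, redirect, queue-high, ...
    proto: str = "any"
    dst: str = "any"                 # CIDR (a netdestination) or "any"
    dports: Optional[tuple] = None   # (low, high) inclusive; None = any port

    def matches(self, f: Flow) -> bool:
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.dst != "any" and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.dports and not (self.dports[0] <= f.dport <= self.dports[1]):
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple      # priority order; first match wins


@dataclass(frozen=True)
class Role:
    name: str
    policies: tuple   # priority order
    vlan: int         # one of the "other parameters" a role controls
    bw_contract_kbps: Optional[int] = None


def evaluate(role: Role, flow: Flow) -> str:
    """First matching rule across the role's policies decides the action.
    Assumed: a flow that matches nothing hits an implicit deny."""
    for policy in role.policies:
        for rule in policy.rules:
            if rule.matches(flow):
                return rule.action
    return "deny"


# Constructed policies; 203.0.113.0/24 stands in for a "facebook" netdestination.
INFRA = Policy("allow-infra", (Rule("permit", "udp", dports=(67, 68)),      # DHCP
                               Rule("permit", "udp", dports=(53, 53))))     # DNS
QUIET = Policy("block-chatty", (Rule("deny", "udp", dports=(5353, 5353)),   # mDNS
                                Rule("deny", "udp", dports=(5355, 5355))))  # LLMNR
VOICE = Policy("voice-priority", (Rule("queue-high", "udp", dports=(5060, 5060)),))  # SIP flow only
FACEBOOK = Policy("permit_facebook", (Rule("permit", "tcp", "203.0.113.0/24", (443, 443)),))

ROLES = {
    "logon": Role("logon", (INFRA,), vlan=10),                       # pre-authentication role
    "authenticated": Role("authenticated", (INFRA, QUIET), vlan=20),
    "marketing": Role("marketing", (INFRA, QUIET, VOICE, FACEBOOK), vlan=30, bw_contract_kbps=5000),
}
DEFAULT_ROLE = {"initial": "logon", "802.1x": "authenticated"}     # default role per auth method
USER_RULES = [(("encryption", "open"), "logon")]                    # (client attribute, value) -> role
SERVER_RULES = [(("Filter-Id", "Marketing"), "marketing")]          # (RADIUS attribute, value) -> role


def derive_role(auth_method: str, client_attrs: dict, radius_attrs: dict) -> str:
    """Default role, then user rules, then server-derived rules; each later
    stage overrides the earlier one (assumed precedence)."""
    role = DEFAULT_ROLE[auth_method]
    for (attr, value), name in USER_RULES:
        if client_attrs.get(attr) == value:
            role = name
            break
    for (attr, value), name in SERVER_RULES:
        if radius_attrs.get(attr) == value:
            role = name
            break
    return role


if __name__ == "__main__":
    # Constructed session: Jon authenticates with 802.1X; RADIUS returns Filter-Id = Marketing.
    role = ROLES[derive_role("802.1x", {"encryption": "wpa2-aes"}, {"Filter-Id": "Marketing"})]
    for flow in (Flow("10.1.30.7", "203.0.113.10", "tcp", 51000, 443),
                 Flow("10.1.30.7", "224.0.0.251", "udp", 5353, 5353),
                 Flow("10.1.30.7", "198.51.100.9", "tcp", 51001, 22)):
        print(role.name, flow.dst, flow.proto, flow.dport, "->", evaluate(role, flow))
```

The point the model makes explicit is that priority attaches to the matching flow, not to the device: the marketing role carries a queue-high action only for SIP, while an HTTPS flow from the same client is merely permitted and an SSH flow falls through to the implicit deny. The same evaluation code serves the pre-authentication logon role, which only lets DHCP and DNS through until derivation moves the client to its post-authentication role.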


PEF Enforces Security Policy


Security without PEF

[Diagram: Employee and Malicious Insider both pass Identification, Authentication, Authorization and Encryption at the network edge, while the Firewall sits elsewhere; the slide labels the gap between the two "Disconnect".]


Security with PEF + Centralized Crypto

[Diagram: the same Employee and Malicious Insider, but Identification, Authentication, Authorization and Encryption all terminate on the controller's PEF, so firewall policy is applied at the point where the user is known.]


Why Worry About Authorization?

Where is the “network perimeter” today?

Mobility brings us:
• Disappearance of physical security
• New mobile users and devices appearing every day
• Increased exposure to malware

Assuming that “the bad guys are outside the firewall, the good guys are inside” is a recipe for disaster.

[Cartoon caption: We meet again, 007!]


Integration with NAC

• Works with any 3rd party AAA and PDP
• Policy Enforcement Point cluster shares user state & policy information
• Correlates many policy inputs for continuous threat mitigation

[Diagram: Access Requesters (AR), namely Managed Clients (Employees), Unmanageable Devices and Unmanaged Clients (Guests, students), are admitted by a Policy Decision Point (PDP) such as CNAC through Pre-Admission and Post-Admission checks (IDS/IPS, A/V scanning, etc.); the Policy Enforcement Point (PEP) Cluster enforces the decision.]


PEF Enforces QoS Policy


Application Aware QoS

Without PEF: VLAN 1 = High Priority. The device gets high priority regardless of traffic type, so others using a web browser can reduce call quality.

With PEF: SIP Flow = High Priority, HTTP Flow = Low Priority. The device gets a role regardless of traffic type, and only the voice flow to the SIP Server gets priority.


Voice Flow Classification (VFC)

• Deep packet inspection of each traffic flow through centralized mobility controller
• Based on Aruba’s role-based stateful firewall
• Uniquely identifies, classifies and prioritizes voice traffic
• Pre-configured support for major voice protocols: SpectraLink SVP, Vocera, Cisco SCCP, Session Initiation Protocol (SIP)

[Diagram: DATA and VOICE flows separated by the controller.]


PEF Enforces Performance Policy


Wireless Networking's Silent Killers

Lack of Policy Impacts Network Reliability & Performance: Multicast/Broadcast, Chatty Protocols, Power Users Stealing B/W, Malicious or Misconfigured Clients

• What are Multicast and Broadcast currently being used for?
• What problems am I creating by using large VLANs to solve mobility issues?
• What non-critical applications are consuming bandwidth?
• Should users be connecting to 3rd party WLANs?
• Should users be setting up their own WLANs?
• Should users be connected to wireless while wired?
• How are “Power” Users affecting others?
• How are unauthorized users affecting network availability?

[Cartoon caption: Bonjour!]


Solution: Policy For Performance

[Diagram: the chatty protocols to police with policy: mDNS, LLMNR, IPv6 (?).]


PEF Follows the User


Layer 3 Mobility

• PEF policies follow mobile users as they roam in the network
• User/firewall state anchored in one controller (home agent)
• When client roams to another controller (foreign agent), FA establishes a tunnel back to the HA

[Diagram: a Roaming Client moves across an L3 Network from the Home Agent to the Foreign Agent; a Mobile IP Tunnel carries its traffic back to the Home Agent.]
