In this day and age, it's probably a good idea to get your WLAN ready for voice and video. And it's also a good idea to classify and prioritize web applications based on policies you set. Protecting your mobile devices and network infrastructure against outside or inside attacks needs to be part of the plan, too. Join to us to learn more about these and other functions of Aruba's policy enforcement firewall integrated to its access points, switches, and controllers.

1. #ATM16
Policy
Enforcement
Firewall
Amish Shah, PLM @ArubaNetworks |

2. 2#ATM16
Agenda
– Trends and Challenges
– Aruba’s Policy Enforcement Firewall
– AppRF
– WebCC
– IP Rep
– Geo Location
– Demo
@ArubaNetworks |

3. 3#ATM16
Growing demands for the Digital Workplace
BYOD Video
68%
employee owned
(BYOD) devices
access business
apps 1
>50%
of mobile traffic in
the next 5 years
will be from video 3
269B
application
downloads by
20174
1 IDC: Enhancing Business Value with HP Wireless Networking
Solutions (October 2013)
2Sources: Internet of Things 2015, Statista.com
3 Mobile Data and Video Traffic, 2012, Gartner, August 2012
4 Gartner press release January 22, 2014
Applications
User experience Connectivity Video quality Download speed
24B
IoT devices by
2020 1
IoT

4. 7
Policy Enforcement Firewall

5. 8#ATM16
PEF
VLAN
Pool
EmployeeSSID
AAA Server
Role A
(200 Users)
Role B
(300 Users)
Multi-Service Mobility Controller
User
Applications
Role A
Role B
Aruba WLAN Architecture with PEF

6. 9#ATM16
Aruba Firewall Advantages
– Identity-based Stateful firewall
– Role/identity based
– Application Aware
– Stateful policies versus “access control lists”
– Bi-directional
– Session aware; more difficult to spoof
– Dynamic

7. 10#ATM16
Rules, Policies, Roles and Users
Rule 1
Rule 2
Rule 3
Rule n
Rule 1
Rule 2
Rule 1 Rule 1
Rule 2
Rule 3
Rule 4
Rule 1
Rule 2
Rule 3
Rule 4
Policy 1 Policy 2 Policy 3 Policy 4 Policy 5
Role 1
Policy 1
Policy 2
Role 2
Policy 1
Policy 3
Policy 4
Role 3
Policy 4
Policy 5
Role 4
Policy 4
User1 User2 User3 User4 User5 User6 …………UserN
Role Derivation: 1) Locally Derived
2) Server Assigned
3) Default Role
Assigns users
to a role
Methods:
PoliciesRolesDerivation

8. 11#ATM16
Policy Implementation Overview
– Policies are a group of firewall rules
– Evaluated top down
– First rule matched is applied; more specific items at top of list
– All other rules are ignored
– Implicit “deny all” rule at the end of the firewall policy
<source> <destination> <service> <action> <extended action>
Addresses HTTP
FTP
DNS
Application
Etc
Deny
Permit
Nat
Log
Queue
802.1p assignment
TOS
Time Range

9. 13#ATM16
Aliases
– Represent one or
more networks,
host addresses or
services
– Types of aliases
– Destination
– Network services

10. 14#ATM16
Aruba Firewall Actions
– Basic actions: Permit, Drop, Reject
– NAT’ing actions: Src-nat, dst-nat, dual-nat
– Re-direct actions: Redirect to tunnel (group)

11. 15#ATM16
Advanced Policy Actions
– Log: generate a message if rule gets applied
– Mirror: traffic is mirrored to another destination
– Time-Range: create policies based on time
– Pause ARM Scanning: delays ARM scanning for real time sessions
– Black list: deny access AND blacklist a client matching this rule
– TOS: set DSCP bits in IP header
– 802.1p-priority: assign CoS (Class of Service) priority
– Classify Media: monitor all untagged UDP flows to classify them as media and tag
accordingly

12. 16#ATM16
Roles
– Every user in an Aruba Mobility Controller is assigned a role
– Roles
– Each role has one or more firewall policies applied
– Role Derivation
– User-derived
– Server-derived
– Default based on access method (802.1X, VPN etc.)

13. 17#ATM16
Role Assignment Workflow
User associates
to an SSID
User placed in the initial role
(logon by default)
Check for user derived rule If
present user gets new role
User Authentication
Check for Server derived rules,
if present assign role
No server derived rules present,
then assign Default Role

14. 18#ATM16
Role Derivation (in sequence)
– Initial Role
– Pre-authenticated Role
– Always assigned
– User-Derived Roles
– Assigned using device specific attributes
– Executed before client authentication
P
R
E
-
A
U
T
H
E
N
T
I
C
A
T
E
D

15. 19#ATM16
Role Derivation
–VSA-Derived Roles (Vendor Specific Attributes)
–Provide features not supported in standard RADIUS attributes
–Can derive user role and VLAN for RADIUS authenticated clients
–Server Derived Roles
–Different access privileges based on security policy
–Can use single SSID for all users/devices
–Role assignment based on attributes from authentication server
–Default Roles
–Configurable by authentication method (AAA Profile)
–Captive Portal
–802.1X
–VPN
–MAC
P
O
S
T
-
A
U
T
H
E
N
T
I
C
A
T
E
D

16. 20#ATM16
Controller - AAA Server communication
Radius Request
+ attributes
• Guests
• Employees
• Mobile Devices
Radius Reply
+ Radius attributes
Or
+ Aruba VSA
Derivation Based on
User
BSSID
Location
Authentication type
Device type
Time of day
Depending on
type of server
7220

17. 22#ATM16
ClearPass Downloadable Roles
Aggregated device info:
- Profiling
- Posture
- Onboarding
- Guests
- AD Attributes
Enforcement Action
Role Finance, VLAN, Bandwidth limits
Redirect to Web page
Download ACL,
(Aruba VSA)
Radius Attributes, Aruba VSA
7220

18. 29#ATM16
PEF for Wired Access Control
– The Aruba solution provides the ability to control
– Wired side access
– And Wireless access
– Policies may be applied to individual Port and/or VLAN
– No authentication
– Authentication on the wired side can be handled by
– 802.1X
– Captive Portal authentication
– No Authentication, initial Role assignment
– Wired access control is available on
– APs with more than one Ethernet jack,
– All ports on APs as Mesh Points
– Mobility Controllers

19. 30#ATM16
Secure Wired Access on Aruba Products
– Trusted Ports (default)
- Acts like an L2 switch
- Policy may be added
– Non-Trusted Ports or VLANs
- Wired access AAA Profile
- Assign Initial role
- Initiate Authentication
– APs
–The second Ethernet port on an AP with Dual Ethernet ports
–Single or Dual port APs as Mesh Points

20. 35
AppRF
35

21. 36#ATM16
DPI/AppRF
Simple Control
• Select by:
• app group
• app,
• role
• address
• Apply policy (block,
throttle, prioritize)
• Eliminates complexity of
configuration

22. 37#ATM16
How does classification work?
– Website URL information identifies popular websites
– Signatures are used for “easy to identify” applications
– Uses protocol grammar analysis to understand complex
applications and their current state
– Uses advanced heuristics when required
– Detects encrypted applications via certificate common
names

23. 38#ATM16
Application Categories
• Antivirus
• Gaming
• Streaming
• Etc.

24. 42#ATM16
New Policy Containers
• To simplify security rules, we have created a “Global Policy” and a “Role-Specific” policy
• These are the first two Policies in every Role
– Global policy is applied first
– Role-Specific policy is applied second
– All other configured policies are applied in turn afterwards
• Use of these is optional – if left empty, nothing changes about how the configuration is
applied and the rules enforced

25. 46#ATM16
Application Bandwidth Contracts
• Bandwidth contracts for applications or application groups
• Only Role-Based Bandwidth contracts will be supported
–Not User or AP Group
• “Traditional” and “Dashboard” methods can be used to configure bandwidth
contracts
• Global and Role-Based BW contracts are supported
46

26. 47
Web Content Classification

27. 48#ATM16
Web Content Classification
Simple Control
• Select by:
• Web category
• URL
• Role
• Apply policy (block,
throttle, prioritize)
• Web reputation scores

28. 49#ATM16
High Level Feature set
• New dashboard for URL classification and reputation classification
• Classifies web browsing history by categories and risks
• 82 web categories and 5 web reputation groups
• Web traffic can be blocked, QoS, mirrored etc. based on ACLs created.
• Works in the cloud with a local cache file
• Supported on both controller and Instant product lines
• Database includes five security categories that identify malware,
phishing, botnet, and other malicious sites
• Very simple web notification to users who violate policy

29. 51#ATM16
Web Policy database includes 82 categories

30. 52#ATM16
Web Reputation Scores
• Provides a reputation score for
each website
• Score based on risk of malware,
phishing, etc – NOT on morality
• Recent malware infections, age
of site, linking to bad sites are
major influencers of the score

31. 53#ATM16
Web Content Security Categories
Blocking these categories will help protect end users against malware

32. 58#ATM16
• Re-direct WebCC blocked sessions to an external web server
• Ability to work in the presence of a web proxy
AOS 6.5.0 : WebCC Enhancements
WebCC Policy: Block “adult” category
Re-direct user to splash page
www.adult.com External web server hosting a customizable splash page
WEBROOT
CLOUD
www.urlx.com
WebCC cache on controller
does not know about urlx.com
Proxy Server
Controller
Controller

33. 59
Blocked Session Dashboard

34. 60#ATM16
AOS 6.5.0: Blocked Session Enhancements
• Visualize blocked sessions with info like user, role, destination/app, reason, policy rule etc.

35. 61
IP Reputation

36. 62#ATM16
IP Reputation
WEBROOT
• Ability to detect threats associated with an IP
address
• Leverages Webroot's cloud based service that
has visibility into 4.3 billion IP addresses
• Both IPv4 and IPv6
• IP threat types detected: Spam Sources,
Windows Exploits, Web Attacks, Botnets,
Scanners, Denial of Service, Reputation,
Phishing, Proxies, and Mobile Threats
• Controller has a cache of 12 million IP addresses
• Periodic and real time updates
• PEF can be leveraged to apply policies
• NEW dashboards on controller and AirWave*
12 million IP database
Real time
checks
every 30
min
Database
update every
24 hours

37. 63#ATM16
AOS 6.5.0: Firewall Enhancements: IP Reputation
• Visualize threats &
other associated
metadata on a NEW
dashboard
• Associate threats
with the origin

38. 66
Geo-Location Filtering

39. 67#ATM16
Geo-location Filtering
WEBROOT
• Ability to associate source/destination IP addresses
with location
• Leverages Webroot's cloud based service that has
geo-location database
• IP ranges can be tied with countries
• Controller has a cache of half a million IP addresses
• Periodic updates
• PEF can be leveraged to apply policies to
permit/drop inbound/outbound communication with
certain countries
• NEW dashboards on controller and AirWave*
500k IP database
Database
update
every 24
hours

40. 68#ATM16
Geo-location Filtering
• Visualize the
in-bound and
out-bound flow of
traffic on a NEW
dashboard

41. 69#ATM16
Join Aruba’s Titans of Tomorrow
force in the fight against network
mayhem. Find out what your
IT superpower is.
Share your results with friends
and receive a free superpower
t-shirt.
www.arubatitans.com

42. @ArubaNetworks
THANK YOU