ArubaOS and Controllers

New Contributor
Posts: 3
Registered: 08-15-2011

Best Practice - Local AP(LAP)/Remote AP(RAP)

Hi, I was wondering if there is a Best Practice Documentation that discusses in great detail what policies/rules/ACLs/roles we should implement prior to and during the authentication process for both workstations or mobile devices and users, through either a Local AP (LAP) and/or a Remote AP (RAP)?

Please consider the following:
--------------------------------------
For End-Devices:
Granted, we have to give some form of initial access for the end devices (computers, mobile devices, etc.) to reach the controller through the LAP or RAP for the following services:

- DHCP: to get an initial IP address so it can communicate with the controller
- DNS: not sure if required, but assuming we are using the hostname, not the IP address
- DC: for Windows AD device and user authentication
- RADIUS: for 802.1X authentication
- CERT: certificate server for AD device and user authentication
- Other: perhaps some server so client devices can access/update their AV files, Windows Update files, etc.

All the above servers are in the enterprise network and of course need to be protected.

Users:
- After the device AAA, the user has to be authenticated. For this to happen, the device/workstation/computer where the end user resides has to have access to the above servers, doesn't it?
- There are 2 possibilities:
a) if the user authentication fails, fall back to e.g. internet access only, where the only access he/she has to the enterprise network is the DNS server, port 53
b) if user auth is successful, depending on where the device/user is located, put them in a specified role(s).

In addition, given that we have both local and remote workstations/devices and users, how do we secure our inside network from malicious remote devices and remote users, considering that they are outside the corporate physical boundary, whereas traditional local devices and local users, once authenticated, have virtually full access to the enterprise? Although one can argue that there should be no difference, local devices and local users can be tracked (it could be as simple as tracing down their location through what switch/port or SSID they are connected to), whereas remote devices and remote users are not.

With all those considerations:
1) should we have different policies for local/remote users/workstations? Consider also that we do not want to tax the local workstation/user experience in terms of speed and accessibility. How?
2) what is the best practice to protect our inside network: by means of centralization (all access controlled by the controller) or distributed (where the LAP/RAP will have some policing to do to weed out bad devices and bad users)? How?

What it comes down to is: what are the "minimum requirements" to have secure access to our protected resources (inside network) prior, during, and after?

Thank you.
Guru Elite
Posts: 20,586
Registered: 03-29-2007

Re: Best Practice - Local AP(LAP)/Remote AP(RAP)

Without quoting any whitepapers, these are what questions you should ask:

1 - What devices do I want connected to my network?
2 - What applications do I want to support on these devices and what protocols are necessary for them to work reliably?
3 - Do I want to support different applications depending on if these devices are remote as opposed to locally connected?
4 - Do my users today have different requirements for remote access as opposed to local access?
5 - What database do I use to authenticate users on those devices (Active Directory, LDAP)?
6 - Are there existing security requirements that will allow the desired applications to be run on those devices no matter where I need them to?

The applications that can be run on wireless devices today are almost limitless, so you will not find a great deal of detail about how all applications can be secured specifically, but if you start with an "allowall" policy and model what protocols are needed for your list of applications in #2, you can then whittle the necessary protocols down as you pilot your application deployment on your devices. Each WLAN typically is different. What matters is the users, applications and devices that you want to run those applications on.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: 08-15-2011

Re: Best Practice - Local AP(LAP)/Remote AP(RAP)

Colin, thank you for taking time to read my post especially on the weekend where you can enjoy the nice weather outside.

> 1 - What devices do I want connected to my network?
Mainly workstations/laptops running Windows XP, PDAs such as Blackberry, iPhone/iPad, and Windows Mobile, and handheld scanners.

> 2 - What applications do I want to support on these devices and what protocols are necessary for them to work reliably?
Email, web browsing to the internet/intranet, and some fat applications, for which I understand that we have to define what ports they need for access to e.g. database servers, file servers, perhaps LDAP servers.

> 3 - Do I want to support different applications depending on if these devices are remote as opposed to locally connected?
Yes, this is actually one of my concerns. What does the Best Practice say: should we differentiate between locally connected applications as opposed to remotely connected applications? How do we create an extra layer of security for remotely connected devices, since they are not within the building's physical boundary and therefore it is not easy to track whether malicious devices/users are (or try) accessing our protected resources? Perhaps the answer is that the best we can do is to make sure that AAA is implemented uniformly, both on wired/wireless and on locally/remotely connected devices? Is it doable without sacrificing application performance and usability?

> 4 - Do my users today have different requirements for remote access as opposed to local access?
Assuming that they are accessing the same applications, to be secure, should we create different requirements for locally and remotely accessed applications?
The idea, on the client side, is to make them have the same experience remotely as they have locally, whereas on the admin/server side we sacrifice neither security nor performance.

> 5 - What database do I use to authenticate users on those devices (Active Directory, LDAP)?
We have both; which one is preferable? Or can they co-exist without reducing our security level? Currently we are using AD through the RADIUS servers.

> 6 - Are there existing security requirements that will allow the desired applications to be run on those devices no matter where I need them to?
Not really! We have some requirements, such as: the AV has to be updated, Windows Update should be as current as possible, and the laptop/workstation should be a member of the domain. But this is for locally (within the building) connected devices/users. With the nice features of the Aruba RAP, now we can easily extend our corporate boundary beyond our physical buildings.

I am not sure if this is just my paranoia, but does anyone have any concern at all about extending your network beyond the physical boundary of the enterprise (buildings), both wired and wireless?

I do agree with you that depending on the application, there are different sets of requirements for what protocol(s)/port(s) to allow or deny; and this will not be easy either. Some ill-behaved applications require more protocols/ports than they need (and some of those ports are actively used by hackers to gain access to protected resources), but I guess this is where management should come into play and decide which to sacrifice: accessibility/functionality vs. security (unfortunately, they are inversely related). Perhaps this could be another thread, but for now I'd like to know what type of security we should implement so that at least "we can guarantee" the AAA (Authentication: they are who/what they say they are; Authorization: give them the access they are entitled to; and Accounting: extensive logs as to who/what accesses what, where, when, whom, and how, so we can always backtrack to the device/user), which again, if this is remote access, will present a problem.

Thanks again for your thoughts.
Guru Elite
Posts: 20,586
Registered: 03-29-2007

Re: Best Practice - Local AP(LAP)/Remote AP(RAP)

Please see >> Inline.


Colin, thank you for taking time to read my post especially on the weekend where you can enjoy the nice weather outside.

> 1 - What devices do I want connected to my network?
Mainly workstations/laptops running Windows XP, PDAs such as Blackberry, iPhone/iPad, and Windows Mobile, and handheld scanners.

> 2 - What applications do I want to support on these devices and what protocols are necessary for them to work reliably?
Email, web browsing to the internet/intranet, and some fat applications, for which I understand that we have to define what ports they need for access to e.g. database servers, file servers, perhaps LDAP servers.
>>Most users ask for a username and password and if that is validated, they just allow all traffic to all resources that a regular user would need (allowall), but then deny them specific ip addresses and ports (no SSH to the management subnet for example), and take it from there. You do not need to get specific about ports and destinations to allow. You can allow everything, except what you explicitly do not want, which is easier.

> 3 - Do I want to support different applications depending on if these devices are remote as opposed to locally connected?
Yes, this is actually one of my concerns. What does the Best Practice say: should we differentiate between locally connected applications as opposed to remotely connected applications? How do we create an extra layer of security for remotely connected devices, since they are not within the building's physical boundary and therefore it is not easy to track whether malicious devices/users are (or try) accessing our protected resources? Perhaps the answer is that the best we can do is to make sure that AAA is implemented uniformly, both on wired/wireless and on locally/remotely connected devices? Is it doable without sacrificing application performance and usability?

>>You can put remote access points in a different AP-group, which, upon authentication will put users in a different role which would have a subset of what regular users onsite would get. Alternatively, if you are doing something like screensavers that lock after 15 minutes of inactivity, there is no real reason why you cannot give remote users the same amount of access, provided that they authenticate successfully.

> 4 - Do my users today have different requirements for remote access as opposed to local access?
Assuming that they are accessing the same applications, to be secure, should we create different requirements for locally and remotely accessed applications?
The idea, on the client side, is to make them have the same experience remotely as they have locally, whereas on the admin/server side we sacrifice neither security nor performance.

>>Well, then do a pilot where they receive the same rights, and get feedback on the user, as well as the administration and security side. The idea is to make remote users just as productive as when they are at work.

> 5 - What database do I use to authenticate users on those devices (Active Directory, LDAP)?
We have both; which one is preferable? Or can they co-exist without reducing our security level? Currently we are using AD through the RADIUS servers.

>>If you have AD with RADIUS already configured, that is all that you will need to do what you want.

> 6 - Are there existing security requirements that will allow the desired applications to be run on those devices no matter where I need them to?
Not really! We have some requirements, such as: the AV has to be updated, Windows Update should be as current as possible, and the laptop/workstation should be a member of the domain. But this is for locally (within the building) connected devices/users. With the nice features of the Aruba RAP, now we can easily extend our corporate boundary beyond our physical buildings.

I am not sure if this is just my paranoia, but does anyone have any concern at all about extending your network beyond the physical boundary of the enterprise (buildings), both wired and wireless?

I do agree with you that depending on the application, there are different sets of requirements for what protocol(s)/port(s) to allow or deny; and this will not be easy either. Some ill-behaved applications require more protocols/ports than they need (and some of those ports are actively used by hackers to gain access to protected resources), but I guess this is where management should come into play and decide which to sacrifice: accessibility/functionality vs. security (unfortunately, they are inversely related). Perhaps this could be another thread, but for now I'd like to know what type of security we should implement so that at least "we can guarantee" the AAA (Authentication: they are who/what they say they are; Authorization: give them the access they are entitled to; and Accounting: extensive logs as to who/what accesses what, where, when, whom, and how, so we can always backtrack to the device/user), which again, if this is remote access, will present a problem.

Thanks again for your thoughts.




>> In the end, if you make it too hard to connect, your users will not use what you are putting out. Do a pilot where your remote environment is the same as your existing one, take notes, and take it from there. There is no need to restrict users' access unless the device that they connect with is NOT secure. If a user is connecting with an already secure device (one of your domain devices) and they provide valid credentials with said device, that could be considered two factors, and you could arguably allow a domain user on a secure device the rights to do what they need. Pilot, take feedback, make changes.


Colin Joseph
Aruba Customer Engineering
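The two pieces of advice in Colin's replies (start from an "allowall" policy and carve out explicit denies; put RAPs in their own AP-group so authenticated remote users land in a narrower role) map onto a small set of ArubaOS objects: a session ACL, a user-role that references it, an AAA profile whose `dot1x-default-role` is that role, and a virtual AP that binds the AAA profile to an AP-group. The configuration below is an added illustration written for this thread, not something posted by Colin or shipped by Aruba; it assumes ArubaOS 6.x-style CLI syntax, and every name, VLAN and address in it (`corp-servers`, `10.10.0.0/16`, `corp-nps`, `onsite-employee`, `remote-employee`, and so on) is a constructed placeholder. It also answers the original question about pre-authentication access: with 802.1X the client's EAP exchange is carried in EAPOL frames and relayed by the controller to RADIUS, so the client itself needs no ACL entry for the RADIUS server and does not obtain an IP address until authentication succeeds; AD, certificate and update servers are reached afterwards, under whichever role the controller assigned.

```text
! --- Destinations the policies refer to (constructed placeholder addresses) ---
netdestination corp-servers
  network 10.10.0.0 255.255.0.0
!
netdestination mgmt-subnet
  network 10.10.99.0 255.255.255.0
!
! --- Onsite policy: "allowall" minus explicit denies (rules match first-hit, top to bottom) ---
ip access-list session onsite-employee-acl
  user alias mgmt-subnet any deny
  user alias corp-servers svc-ssh deny
  user any any permit
!
! --- Remote (RAP) policy: same shape, but ends in deny and lists what remote users need ---
ip access-list session remote-employee-acl
  user alias mgmt-subnet any deny
  user alias corp-servers svc-ssh deny
  user alias corp-servers tcp 445 deny
  user any svc-dhcp permit
  user any svc-dns permit
  user alias corp-servers svc-http permit
  user alias corp-servers svc-https permit
  user alias corp-servers tcp 389 permit
  user alias corp-servers tcp 636 permit
  user any svc-http permit
  user any svc-https permit
  user any any deny
!
! --- Roles: one per policy; the role, not the AP, is what the controller enforces ---
user-role onsite-employee
  access-list session onsite-employee-acl
!
user-role remote-employee
  access-list session remote-employee-acl
!
! --- 802.1X backend: the controller is the RADIUS client, fronting AD (NPS or similar) ---
aaa authentication-server radius corp-nps
  host 10.10.5.10
  key <radius-shared-secret>
!
aaa server-group corp-radius
  auth-server corp-nps
!
! --- Two AAA profiles that differ only in the role granted after a successful 802.1X auth ---
aaa profile corp-dot1x-onsite
  authentication-dot1x default
  dot1x-default-role onsite-employee
  dot1x-server-group corp-radius
!
aaa profile corp-dot1x-remote
  authentication-dot1x default
  dot1x-default-role remote-employee
  dot1x-server-group corp-radius
!
! --- Same SSID everywhere; the virtual AP decides which AAA profile (and thus role) applies ---
wlan ssid-profile corp-ssid
  essid CorpWLAN
  opmode wpa2-aes
!
wlan virtual-ap corp-vap-onsite
  ssid-profile corp-ssid
  aaa-profile corp-dot1x-onsite
  vlan 100
!
wlan virtual-ap corp-vap-remote
  ssid-profile corp-ssid
  aaa-profile corp-dot1x-remote
  vlan 200
!
! --- AP-groups: campus APs and RAPs get different virtual APs, hence different post-auth roles ---
ap-group campus-aps
  virtual-ap corp-vap-onsite
!
ap-group remote-aps
  virtual-ap corp-vap-remote
```

Two design points worth checking in a pilot. First, session ACLs are evaluated first match wins, so the management-subnet deny must sit above the broad permit; reordering those lines silently reopens the management network. Second, the virtual APs above use the default tunnel forwarding mode, which keeps every RAP client's traffic under the controller's policy, the "centralized" option the original question raises; if a remote virtual AP is switched to split-tunnel forwarding, the ACL must also carry the routing (src-nat) rules for locally bridged traffic, and the policy is no longer purely central. Whether the remote role is ever tightened further, or simply made identical to the onsite role, is the decision Colin suggests settling by piloting rather than by design up front.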

New Contributor
Posts: 3
Registered: 08-15-2011

Re: Best Practice - Local AP(LAP)/Remote AP(RAP)

Colin,
Thanks again for your thoughts. You rock!