ArubaOS and Controllers

Occasional Contributor I
Posts: 8
Registered: ‎05-02-2009

IPS + Controller

Apologies for this lengthy thread – but I had to

We want to introduce a new SSID for personal handheld devices, laptops, etc. to increase Aruba utilization, since the only existing SSID is based on EAP-TLS.

This new SSID will use captive portal for authentication and no encryption. Only HTTP and HTTPS ports will be allowed. This SSID went through a risk assessment and was considered a High Risk to the LAN network.

----My question for Security Experts, do you really think the introduction of this SSID should be rated at high risk? Here is the official answer I received from our security group:

The personal devices which will be used to connect to our network may not have up-to-date antivirus protection, or their operating system may not be patched. Consequently, our network can be infected by a virus or malware. The risk is considered High.
The user's personal device may be infected by spyware. In this case, the username and password could be compromised, since the spyware has the ability to steal the password. The risk is High.
Only port 80 and port 443 will be opened for the traffic. However, there is malware that can use these two ports. Some malware has the ability to hide itself and pass the firewall through ports 80 and 443. Since there is no control and we cannot guarantee the security of the personal device, the risk is considered Medium.
And here is the recommendation:

It is recommended to monitor all the users' traffic which is broadcast from the new wireless SSID network. An IPS device should be deployed to detect malicious packets and block the traffic before it does any damage.
----My other question: what defense capabilities might Aruba have to help with this issue? It is hard to go and install an IPS for each controller we have (a total of 30 controllers).
Help!
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

IPS for each controller
Ghubari,

Aruba's Endpoint Compliance System http://www.arubanetworks.com/products/endpoint_compliance.php does not require that you install a separate appliance for each controller. Depending on the number of simultaneous users on this wireless network and your connectivity, you could only require hardware in a single location. ECS can do policy checking, to make sure antivirus and anti-spyware are installed and up to date before a user connects to your network, dealing with a whole slew of problems. In addition, you can leverage the power of the Policy Enforcement module like here: https://airheads.arubanetworks.com/article/using-policy-control-performance You can block traffic to other wireless devices to ensure that nothing spreads within your environment.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: IPS + Controller

We have 2 SSIDs. One is WPA2 802.1X with PEAP, which we use a NAC appliance with, the same software/hardware as what Colin stated, but from the manufacturer. We don't run compliance checking on our OPEN SSID though. The reason being that it is mainly used for those systems that can't use endpoint compliance software or don't have WPA2 capabilities.

With Aruba though, you can do a few things to help with "high risk" behavior. First, deny any connection to internal network computers, and that means ports 80 and 443 even. Deny inter-user bridging, which will deny spoofing on the same controller. Deny user-to-user communications. Separate your VLANs out so you have 1 or more strictly for the open network. Tell users on the captive portal page that their connection is not secure and they need to use either VPN or not connect to websites that don't use SSL for secure logins.

But if they are still considering the network at high risk at this point, the best thing to do is buy the ECS device. It does take some getting used to, and quite a bit of programming/maintenance, but it will make sure everyone is using anti-spyware/anti-virus programs. You can also check out www.packetfence.com for a less robust NAC system.
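As an added illustration (not the poster's or Aruba's own configuration), here is how the controller-side policy described in this reply could be expressed on an ArubaOS controller: a netdestination for the internal address space, a session ACL that allows only DHCP, DNS, HTTP and HTTPS while denying internal and user-to-user traffic, bound to the role clients land in after captive portal login, plus the global inter-user bridging switch. The names `internal-nets`, `byod-open-acl` and `byod-open` and the RFC 1918 ranges are assumptions; verify the syntax against your ArubaOS release.

```text
! Added example, not from the thread. Names are placeholders; check syntax for your ArubaOS version.
! Internal address space the open SSID must never reach (RFC 1918 assumed; substitute your own prefixes)
netdestination internal-nets
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
! Session ACL for the open/BYOD role. Rules are matched top down, first match wins,
! so DHCP and DNS are permitted before the blanket deny to internal ranges.
ip access-list session byod-open-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user alias internal-nets any deny log
  user user any deny log
  user any svc-http permit
  user any svc-https permit
  any any any deny log
!
! Role assigned after successful captive portal authentication
user-role byod-open
  access-list session byod-open-acl
!
! Global setting: stop non-IP frames being bridged between clients on the same controller
firewall deny-inter-user-bridging
```

The `user user any deny` rule is what blocks client-to-client traffic at the role level, and the `log` keyword on the deny rules gives you the per-controller visibility the security group asked for without a separate IPS.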