03-24-2008 09:37 AM
This is one of those situations that ends up going into the long term "War Story" file, you know...?
I am, no kidding, the FOURTH back-fill contractor in my slot here at a state government agency in Ohio. The LAST guy simply failed to show up for work one day and has, for all practical purposes, never been heard from again. Wit-less protection maybe? Regardless, when he left, he took all of his knowledge of how he had set things up WITH him.
So I'm his replacement, which makes me the "Wireless Guy" here. Ironically, I am not allowed to log into the Aruba 6000 MC that we have in the NOC unless a supervisor is with me. There seem to be some trust issues that the last guy created.
Anyway, there have apparently been multiple WLAN implementations here. TWO implementations ago it was a Cisco setup that may or may not have been done correctly and nobody really knows.
The most recent and still current setup is Aruba, which I am trying to learn. (My background is Cisco Networking)
Our current setup is a small network of 15 AP-61's that have just been set on top of filing cabinets and plugged into RJ-45 ports that were apparently intended for Nortel VoIP phones. These connections return to neither an Aruba MC nor even a Nortel box, but rather to a Cisco 3750 PoE switch. We do HAVE an Aruba 6000, as I previously mentioned, but as I also mentioned, the WAPs do not return directly to that box. Instead, it's filled with two Supervisor cards, two 2-port Gigabit line cards with one GBIC in each card, and two 200 W power supplies. (Which means that with a 196 W current load, there is no redundant safety margin; but that's another story.)
Which brings me to the issue I am facing:
The intention of the WLAN here was to create internet access for visiting contractors and such. Naturally though, the various employees who happen to have wireless access (More than you might think.) are using it to do things with the internet that they shouldn't. I will leave THAT to your imagination.
So the boss comes to me and says, "Hey, we have to stop this problem." (Meaning of course that -> I <- have to stop it.)
At the moment, I am diligently searching the archives here at The Edge to see if I can find the post from the last guy who had this problem. Unfortunately, I haven't found it yet. And naturally, I am still learning the equipment.
So two questions, the first one being easy:
1) What is the default username/password on the console port? (The serial port right next to the OOB management Ethernet port.)
2) What are the WISE choices for preventing WLAN users from going to individual sites? Please keep in mind that the WAPs are, unfortunately, NOT connected directly to the 6000MC, so if that has an effect on any ideas...
And to anticipate what I would imagine the first response will be, because it's the first thing that occurred to ME: "Why aren't we already using whatever we are doing for the wired side?"...
I don't know. I am still trying to find out how the packets are routed internally before they head to the edge.
What I am looking for HERE is solutions that allow me to leverage the Aruba equipment to its maximum benefit.
Finally, as if this post isn't already ridiculously long, please keep in mind that the people who are abusing the WLAN are not regular end users. This is the MIS department. So, I have to assume that they know the usual tricks for getting around things, which is of course how I ended up in this mess to begin with.
And thank you VERY much, in advance, for any ideas you may have.
I am now going to go see if I can get a supervisor to log into the web interface for me so that I can get acquainted with it and perhaps even scare up a laptop so I can console in.
07-10-2009 02:00 PM
One good solution for blocking sites is using a free solution called OpenDNS. This solution has worked great for me in many cases for blocking websites. As for the default password, this is set up by whoever configured the controller.
Hope this helps...
07-10-2009 03:45 PM
I think you hit the nail on the head when you mentioned looking into what is currently being done for wired access. That said, here's a few bits of info that may help you out and clarify some issues you may be worried about.
* No need to worry about the APs not being directly connected to the controller. All traffic still goes through the controller.
* The built-in policy enforcement firewall can be used to restrict the types of traffic the contractors can use. For example, you could restrict them to just HTTP and HTTPS. This would at least narrow the need for filtering to having a web proxy set up.
* You can also use the PEF to restrict the destination. So, in the case of an HTTP proxy you could force them through the proxy and deny all other traffic.
Similar ideas can be used for other protocols.
Depending on the capabilities of your target users you can expect them to do the following:
* Route common clients (IM, BitTorrent, etc.) over HTTP
* Set their own DNS entries to known-good values.
* Attempt to use IP over HTTP proxies
* Use web anonymizers, personal proxies, or redirectors.
* Use SSH over port 443 (https) and SOCKS for a generic services proxy. (i.e. ssh -D)
As you explore secure web proxies you should keep these in mind.
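To make the "force them through the proxy and deny all other traffic" suggestion above concrete, here is an added ArubaOS CLI example for the 6000 MC. It is not taken from this thread or from any Aruba documentation; the proxy address 10.10.20.5:3128, the netdestination name web-proxy and the role name guest-proxy-only are constructed placeholders, and the exact keywords should be checked against the ArubaOS version running on the controller.

```arubaos
! Added example, not from this thread. Assumes ArubaOS CLI on the 6000 MC.
! 10.10.20.5:3128 (proxy), "web-proxy" and "guest-proxy-only" are placeholders.

! Name the proxy host once so the rules below stay readable.
netdestination web-proxy
  host 10.10.20.5
!
! Session ACL. Rules are evaluated top-down; the last rule denies and logs
! everything not explicitly permitted. Only DHCP, DNS and TCP 3128 to the
! proxy are allowed, so there is no generic "https to anywhere" rule for
! SSH-over-443 or a personal proxy to ride on.
ip access-list session guest-proxy-only
  user any svc-dhcp permit
  user any svc-dns permit
  user alias web-proxy tcp 3128 permit
  any any any deny log
!
! Bind the ACL to the role that contractor/guest clients are placed in.
user-role guest-proxy-only
  session-acl guest-proxy-only
!
```

The role still has to be assigned to the guest SSID through its AAA profile (as the initial or post-authentication role), otherwise the ACL is never applied. Two caveats follow directly from the evasion list above: the svc-dns rule as written permits DNS to any server, so if site blocking is done with OpenDNS as the first reply suggests, replace its destination with a netdestination holding only the approved resolvers, or a user who sets their own DNS entries walks around it; and the deny-with-log rule is what gives you evidence of who is trying what, so watch the firewall logs for repeated hits from the same user.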