Security, WIDS/WIPS and Aruba ECS

Contributor II
Posts: 58
Registered: 05-12-2009

Home Office Security

I have been experimenting with a RAP2 as a potential home office solution. The users will have an IP phone connected to the wired port and connect to the wireless via 802.1x. My concern is when I am connected to my secure SSID and now on the corporate network I can hardwire to the linksys router and obtain an IP address and that connection takes priority. I also notice the home wireless being detected as a rogue AP.
Are others running into this concern? If so have you completely replaced the home router with a RAP? I see in the design guide they recommend a home SSID that is split tunnel. I just see it difficult to replace the home router with a rap2. Any input would be appreciated.
Guru Elite
Posts: 20,559
Registered: 03-29-2007

VBN VRD

You could eliminate the wired Linksys issue by doing split-tunneling on the RAP for your employee network, so that your corporate laptop can reach local resources such as an IP printer, or a NAS device, but still reach corporate resources. Most users HATE to plug in their laptop to access anything, so making it so that they don't have to plug in, means that they are less likely to do that.

In the IDS profile, in the Unauthorized Device Profile of the AP-Group of those Remote APs, you can uncheck Rogue AP classification so that those APs are not reported. In the VBN VRD here: http://www.arubanetworks.com/pdf/technology/VBN_VRD.pdf the chart on page 32 says to make the "Family" SSID a BRIDGED SSID, NOT a split-tunneled SSID. That SSID will dump all the traffic locally via a WPA/WPA2 PSK wireless network.


Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 455
Registered: 04-02-2007

Re: Home Office Security




This is pretty common, your laptop is preferring the fastest connection. Colin has the right idea, enable split tunnel.

-awl

Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Contributor II
Posts: 58
Registered: 05-12-2009

Re: Home Office Security

Thanks for the input. I will check out the VBN VRD for sure. Our corporate policy for VPN is full tunnel. I guess I was concerned less from a convenience standpoint and more from a security stance. I could filter by source on the controller firewall only allowing IPs in the secure SSID subnet to pass.
Aruba Employee
Posts: 509
Registered: 07-03-2008

Re: Home Office Security

Our policy is full tunnel as well. Basically, by policy, our Corporate laptops are not allowed to access the Internet unless it's through our Corporate network (direct connect or VPN). Additionally, our laptops may not connect to any foreign network without immediately connecting to our VPN service. So, access to local network printers, etc. is out. Yeah, it's strict, but that's the reality when you're in a very highly regulated industry. That said, split-tunnel is out for us.

We do use Juniper OAC as our wireless client and enforce no-wireless when wired, so we're protected, from a bridging perspective, in the case of a user connecting to the RAP's SSID and simultaneously connecting to a Linksys router. I've kicked around providing a "family" SSID, but I think the reality of that is it's not enforceable and can't be considered a catch-all solution. You're also then on the hook to support a user's home network. When little Johnny can't get online to play Call of Duty with his 6th grade buddies, that's now your issue to resolve. The reality is that users will still have the Linksys, the Actiontech from Verizon FiOS, etc.

If you're ok with split-tunneling, one thing to watch out for is what networks do you split? Most home networks are something like 192.168.1.x, which a lot of companies use as well. So if there's an overlap, you have some decisions to make. Basically you can specify all your Corporate/EDU networks to tunnel and split everything else. However, that means Internet access will be split and if there's an overlap with a home/Corporate subnet, the user will only get access to that subnet on the Corporate/EDU side (since you would have specified that as a tunneled subnet). If you take the other approach of tunneling everything and selecting networks you split, you could still run into an overlap situation and the user won't be able to access that particular subnet on the Corporate/EDU side, but will on the local side. You also need knowledge of every user's home network and build roles specific for that.

Hopefully Colin and Andy will sanity check my thoughts and comments here...
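To make the overlap caveat above concrete, here is an added Python example (not from this thread or from Aruba) that models the two split-tunnel policies Mike describes and flags a home subnet that collides with a tunneled corporate prefix; the corporate prefixes and addresses are constructed for illustration.

```python
import ipaddress

# Constructed example policy (not from the thread): prefixes the RAP tunnels to the controller.
CORP_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.1.0/24")]


def _in_any(dst, prefixes):
    """True if destination address dst falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr in p for p in prefixes)


def route_tunnel_listed(dst, corp=CORP_PREFIXES):
    """Policy 1: only the listed corporate prefixes tunnel; everything else,
    Internet traffic included, exits via the home router."""
    return "tunnel" if _in_any(dst, corp) else "local"


def route_split_listed(dst, local_prefixes):
    """Policy 2: everything tunnels except the prefixes explicitly split to the home LAN."""
    return "local" if _in_any(dst, local_prefixes) else "tunnel"


def overlap_report(home_cidr, corp=CORP_PREFIXES):
    """Flag corporate prefixes that collide with the user's home subnet.
    Any collision means one side of that subnet becomes unreachable:
    under policy 1 the home devices on it, under policy 2 the corporate hosts."""
    home = ipaddress.ip_network(home_cidr)
    clash = [str(p) for p in corp if p.overlaps(home)]
    return {
        "home_subnet": str(home),
        "overlapping_corporate_prefixes": clash,
        "policy1_home_devices_reachable": not clash,
        "policy2_corporate_subnet_reachable": not clash,
    }


if __name__ == "__main__":
    # 192.168.0.0/24 and 192.168.1.0/24 are the consumer-router defaults mentioned in the thread.
    for home in ("192.168.0.0/24", "192.168.1.0/24"):
        print(overlap_report(home))
```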
Aruba Employee
Posts: 455
Registered: 04-02-2007

Re: Home Office Security

Good job Mike :)

I haven't seen the issue of overlapping IP space, most folks are running 10. in their corporate networks, so we don't run into that collision in general, I'm sure it's happened to someone. If you are using 192 in the corporate office you will have some split tunnel issues in general, I've run into 192.168.0 and 192.168.1 most commonly on consumer routers.

I personally run a RAP and an additional AP in my house and have never had a problem with either of them, the RAP simply works around my home AP setup. Having split tunnel on is a real advantage for me when I need to access local print and network storage resources, but unlike Mike my industry isn't quite as regulated.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
Posts: 19
Registered: 04-27-2009

Adaptor priority

Another area you can investigate is forcing the laptops to prefer wireless over wired. On an individual laptop basis (XP) you access the Advanced Settings under Network Connections. The list of adaptors can be reordered. Windows will use the first connected adaptor in the list as the default route. So, if you move Wireless to the top and you connect both wired and wireless then the wireless will get all of the Internet and corporate traffic while the wired will only get local subnet traffic.
Knowing Microsoft you probably have control over this in the GPO for the domain.