Roughly, what is the difference in encryption key management between controller-based and controllerless networks? When I say controller-based solution I refer to tunnel mode. I understand that in a controller-based solution in tunnel mode all the keys are managed and stored in the controller, whereas in a controllerless or Instant solution the keys are stored in each IAP; is that right? I have heard that for that reason the controller-based solution is more secure than the Instant solution; is that right?
I don't think that is the case (that it is necessarily more secure). Since you cannot recover the configuration from an Instant AP, you cannot recover the keys. Controller-based is more secure than other "fat" APs, where you can recover the configuration.
Please let me know who you heard that from.
You might have seen that in the Aruba Networks Government Solutions Guide, more specifically Requirement 3:
"In an Aruba (added: controller) network, sensitive information such as user encryption keys remains inside the data center in the Controller. In our opinion, AP-based crypto does not provide end-to-end encryption, as mandated by DoD Directive 8100.2 – because encryption ends at the AP, not the core of the network. This mandate has forced some organizations to deploy “overlay cryptography” solutions to ensure FIPS, UC-APL and/or DoD Directives compliance, which in turn increase complexity, and causes significant design challenges and awkward end-device behavior."
What I personally like about centralized encryption is that, because there is no user traffic crypto processing in the AP and thus none of the keys needed for it, you can consider the AP and the whole network between the AP and the controller out of scope for your security evaluation of the wireless. That means you can place APs even in untrusted environments while keeping the wireless traffic itself secured. With encryption in the AP you can probably get to an acceptable security level on most deployments if you take the AP itself, and the port it is connected to, in scope and evaluate the overall security. Instant APs can even run in FIPS mode to get validated crypto operations.
There is some good reading in the article mentioned above.
Indeed, it makes a lot of sense. With a tunnel-mode controller-based solution the security remains through the switched network up to the data center/core where the controller is. With decrypt-tunnel mode or an Instant solution the traffic travels unencrypted through the switched network. I will have a look at that document. Many thanks.