Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to set up deny all rules for Guest Captive portal

  • 1.  How to set up deny all rules for Guest Captive portal

    Posted Apr 03, 2019 07:09 PM

    I am setting up an Aruba Wireless system along with a guest captive portal and it is working; however, I have been told I need to redo the security rules.

     

    The background on the Wireless setup is shown here: https://community.arubanetworks.com/t5/Wireless-Access/How-to-setup-a-guest-SSID-to-distribute-DHCP-from-the-local/td-p/485213

     

    I currently have a pre-authentication role with specific policies to allow services from these IP addresses but deny access to other networks (subnets), and a post-authentication role with specific policies that are set up the same way.

     

    The local controller IP addresses are allowed for DNS, HTTP, HTTPS (priority 1) and deny access policies below for corporate networks (subnets). I was told that I should design it the opposite way: to deny all communication and only allow access to the controllers and to the bare minimum for guest access. When I tried adding a deny all rule to the policy, the captive portal did not work.

     

    My company has another location that has an Aruba Instant wireless setup, and there is a deny all rule in that setup, so it sounds as if it can be done.

     

    How can I structure the guest access by denying everything and then only allowing what is necessary?



  • 2.  RE: How to set up deny all rules for Guest Captive portal

    Posted Apr 03, 2019 08:11 PM

    You cannot deny everything and then allow the desired traffic. In Aruba (or almost all ACL structures), as soon as you hit the first match, the rest of the statements are not evaluated. So, if you have deny any any at the top, the conditions below it will never be evaluated.

     

    The proper way is to allow the resources you want the user to access (DHCP, DNS, captive portal and so on) and then deny everything.



  • 3.  RE: How to set up deny all rules for Guest Captive portal

    Posted Apr 03, 2019 08:47 PM

    What if you have hundreds of different types of networks? Are you supposed to create an individual rule for every subnet, or is there a better way?



  • 4.  RE: How to set up deny all rules for Guest Captive portal

    Posted Apr 03, 2019 08:50 PM

    That's the beauty of Aruba! You won't create it for an individual network, rather for a user role. If a role type is guest, you can apply your policies to the role and assign it to as many SSIDs as you want.

     

    I don't see a use case where you will need 100 different types of user roles.



  • 5.  RE: How to set up deny all rules for Guest Captive portal

    Posted Apr 04, 2019 02:27 AM

    How can I create a role that has policies and rules to:

     

    1.  Deny all

    2.  Allow what is necessary?

     

    According to my manager it can be done; but I do not know how with the Aruba technology. Should I put in a rule that allows DNS from any source and make that rule a priority, just like the controller IP address rules are a priority?

     

    Then create a rule that allows DHCP from the controllers, just like how I currently allow http, https, DNS from the controllers.

     

    Then put in a deny all rule below that (not a priority rule); this way the priority rules for the controllers and DNS everywhere will take precedence over the deny all rule?

     

    I have created a Pre-Auth Role and Post-Auth Role for guest portal access; but currently those roles are allowing access, and I am specifically blocking specific networks.



  • 6.  RE: How to set up deny all rules for Guest Captive portal

    Posted Apr 04, 2019 05:58 AM

    So what your manager is saying is technically achievable, but it is always the other way around, i.e. allow desired traffic and then deny everything. If you are denying everything, any allow statement after that will never be evaluated. Statements are always evaluated top to bottom.

     

    You need to create a firewall policy to allow/deny desired traffic. You can visit the following link to understand how firewall policies work:

    https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Firewall_Roles/Policies.htm

     

    After that you will create a user role and associate firewall policy(ies) to it. The following link will help you to create a user role:

    https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Firewall_Roles/User_Roles.htm#firewall_roles_981653125_1044482



  • 7.  RE: How to set up deny all rules for Guest Captive portal

    Posted Apr 04, 2019 05:09 PM

    Ok, this is what I have done.

     

    1.  I have set up the pre-authentication rule with an 'any-source', 'any-destination', 'any-service' deny rule.

     

    2.  I got it to work by adding other IPv4 rules that were in the policies below (within the same pre-auth role) that were automatically created and named

         a. logon-control

         b. Captive portal

     

    Then it worked!! And it works quite well. The problem is with the post-authentication role.

     

    I was told by Aruba Support, and it is true, that for post-authentication policies one will need a permit any, any, any rule at the bottom of the policy (in the post-auth role). That permit rule is required because if I remove it then no internet or anything (SSH, apps on the phone) will work at all.

     

    I even added a few any-source, any-destination, service-http (& https) permit rules in place of the any permit rule and that did not help. The captive portal needed the any, any, any permit rule. Is there anything else I can try?

     

    What I did before was add a couple of 'network deny' rules above the any, any, any permit rule. But that was before I found out that we have hundreds of different network subnets. Is there a better way to protect our network in the post-authenticated role?

     

    There are no other policies below the policy that I created for post-authentication in the captive portal post-auth role. Any suggestions?
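To make the first-match point from reply 2 and the post-authentication layout asked about in reply 7 concrete, here is an added Python model of ArubaOS-style role policies; it is not Aruba code or this thread's configuration, and the controller address, guest client address and corporate aggregates are constructed assumptions. It shows why a deny-all on top breaks the captive portal, and how a few summary deny rules above the final permit-any can cover many subnets at once.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample values (assumptions, not from the thread).
CONTROLLER = "10.0.0.1"          # controller hosting the captive portal
GUEST = "198.51.100.20"          # a guest client

# A rule is (src, dst, proto, dport, action); "any" matches everything.
Rule = Tuple[str, str, str, Optional[int], str]


def _match(field: str, addr: str) -> bool:
    """A field is 'any' or a CIDR/host that must contain the address."""
    return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation: the first matching rule decides and later rules
    are never consulted. No match falls through to an implicit deny (assumed)."""
    for r_src, r_dst, r_proto, r_port, action in policy:
        if (_match(r_src, src) and _match(r_dst, dst)
                and r_proto in ("any", proto) and r_port in (None, dport)):
            return action
    return "deny"


# Pre-auth (captive portal) role: permit the minimum, deny everything last.
PRE_AUTH_OK: List[Rule] = [
    ("any", "any", "udp", 67, "permit"),                # DHCP
    ("any", "any", "udp", 53, "permit"),                # DNS
    ("any", CONTROLLER + "/32", "tcp", 80, "permit"),   # captive portal redirect
    ("any", CONTROLLER + "/32", "tcp", 443, "permit"),  # captive portal login
    ("any", "any", "any", None, "deny"),
]

# Same rules with deny-all moved to the top: the permits below are unreachable.
PRE_AUTH_BROKEN: List[Rule] = [PRE_AUTH_OK[-1]] + PRE_AUTH_OK[:-1]

# Post-auth role: summary denies for the corporate address space (instead of
# one rule per subnet), with the controller exception placed before them.
POST_AUTH: List[Rule] = [
    ("any", CONTROLLER + "/32", "udp", 53, "permit"),   # DNS via controller stays allowed
    ("any", "10.0.0.0/8", "any", None, "deny"),         # one rule covers every 10.x.y.0/24
    ("any", "172.16.0.0/12", "any", None, "deny"),
    ("any", "192.168.0.0/16", "any", None, "deny"),
    ("any", "any", "any", None, "permit"),              # internet access for guests
]
```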