Aruba vs. Cisco WLAN Infrastructure Security
02-23-2018 03:07 AM - last edited on 02-23-2018 06:50 AM by cappalli
Confidentiality, Integrity and Availability
Or just CIA: these are the basic elements of security. How secure is your WLAN infrastructure? Can you clone an AP (compromising the AP's integrity)? Can you sniff encrypted WLAN traffic (compromising client traffic confidentiality)? Do you need a maintenance window to upgrade, or a failover time in case of a controller failure (reducing WLAN availability)? Let's find out why the Aruba WLAN infrastructure is more secure than Cisco's.
Access Point integrity
Every Aruba device, whether controller or access point, has a TPM (Trusted Platform Module). A TPM provides several advantages for an access point. One of them is ensuring AP integrity, so that no one can clone or tamper with the AP.
Every AP is equipped with a factory-installed X.509 certificate. The common name (CN) of this certificate is the LAN MAC address and serial number of the AP. The private key of this certificate is held in the TPM, and the TPM prevents the private key from being extracted. Vendors without a TPM, like Cisco, install the private key along with the factory certificate in flash memory.
Why is having a TPM important?
The controller needs to identify the AP as a legitimate one before pushing the configuration onto it. Aruba does this by whitelisting the AP's MAC address on the controller. The controller can be sure that the AP with MAC address X is what it claims to be, because the CN of its certificate is that MAC address. Session keys are then exchanged and a secure control-plane channel between AP and controller is established. Only then is the configuration pushed.
However, the story looks a bit different for Cisco, which stores the certificate's private key in flash. The key can be extracted by anyone with physical access to the AP (APs are usually placed in unsecured areas), which has also been demonstrated. A malicious user can then obtain the configuration, which contains information such as RADIUS shared secrets, PSK passphrases and more, as we will see later.
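To make the controller-side check concrete, here is an added example, not Aruba's code: the CN layout "<LAN MAC>_<serial>", the ECDSA keys, the stand-in factory CA, and the sample MACs and serial numbers are all assumptions. It issues an AP certificate from the constructed factory CA and then has a controller admit the AP only if the certificate chains to that CA, the CN matches the claimed and whitelisted MAC, and the AP can sign a fresh nonce with the certified key. That last check is what a TPM-held key makes meaningful: a clone that copied the certificate out of flash but could not copy the key fails it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert generates a key pair and a certificate for it; parent == nil means self-signed (the constructed
// factory CA). On a TPM-equipped AP the key is generated inside the TPM and is never readable; here it is an
// ordinary in-memory key so that the example can run.
func issueCert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: usage,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

type Controller struct {
	Whitelist map[string]bool // LAN MACs of the APs allowed to join
	Roots     *x509.CertPool  // the factory CA this controller trusts
}

// AdmitAP is the controller-side check before any configuration is pushed: the certificate chains to the
// factory CA, its CN (assumed layout "<LAN MAC>_<serial>") names the MAC the AP claims, that MAC is
// whitelisted, and the AP proves it holds the certified private key by signing a fresh controller nonce.
func (c *Controller) AdmitAP(claimedMAC string, cert *x509.Certificate, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: c.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by the factory CA: %w", err)
	}
	cnMAC := strings.SplitN(cert.Subject.CommonName, "_", 2)[0]
	if cnMAC != strings.ToLower(claimedMAC) {
		return fmt.Errorf("claimed MAC %s does not match certificate CN %q", claimedMAC, cert.Subject.CommonName)
	}
	if !c.Whitelist[cnMAC] {
		return fmt.Errorf("AP MAC %s is not whitelisted", cnMAC)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("proof of private-key possession failed")
	}
	return nil
}

// signNonce is the AP side of the exchange; with a TPM this signature is produced on-chip.
func signNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// Scenario runs three join attempts and returns each outcome (nil means the AP was admitted).
func Scenario() (genuine, cloneWithoutKey, notWhitelisted error) {
	caCert, caKey := issueCert("Constructed Factory CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	const mac = "00:0b:86:aa:bb:cc" // constructed sample LAN MAC
	ctl := &Controller{Whitelist: map[string]bool{mac: true}, Roots: roots}
	cert, key := issueCert(mac+"_CNX0000001", false, caCert, caKey) // constructed serial number
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	must(err)
	genuine = ctl.AdmitAP(mac, cert, nonce, signNonce(key, nonce))
	otherCert, otherKey := issueCert("00:0b:86:dd:ee:ff_CNX0000002", false, caCert, caKey) // genuine AP, never whitelisted
	notWhitelisted = ctl.AdmitAP("00:0b:86:dd:ee:ff", otherCert, nonce, signNonce(otherKey, nonce))
	cloneWithoutKey = ctl.AdmitAP(mac, cert, nonce, signNonce(otherKey, nonce)) // copied the cert from flash, not the TPM key
	return
}
```

Run Scenario and the genuine AP is admitted, the unknown AP fails the whitelist, and the clone fails proof of possession. The certificate alone proves nothing, since it is public; the whitelist binds the identity to the controller's policy, and the signature binds the identity to a key that, with a TPM, never leaves the device.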
Client Traffic Security
With Aruba, client WLAN traffic is encrypted and decrypted on the controller. At no point does the AP come into contact with clear-text client traffic. Exposing the AP to clear-text client traffic adds risk by opening the door to man-in-the-middle attacks. Aruba provides end-to-end traffic encryption.
Cisco encrypts and decrypts WLAN traffic on the AP. The client traffic is then encrypted again with a proprietary protocol before it is sent to the controller, so the AP does come into contact with clear-text client traffic. Worse, if a malicious user compromises AP integrity (by cloning the AP, for instance) as described above, the security of the whole WLAN is jeopardized. When Fast Roaming is configured, the PMK (Pairwise Master Key, the key from which the WPA2 session keys are derived) is pre-placed on the APs. If one can clone an AP that is authorized for a given network, one can then passively collect the WPA2 keys for the entire network.
In some scenarios the managed AP has to broadcast an SSID whose traffic must be completely isolated from all other traffic. Two use cases:
Use Case 1: Guest traffic needs to terminate on a controller in a DMZ and must not come into contact with the controller or any other device in the internal network.
Use Case 2: An external organization (or internal division) needs to broadcast its SSID on my own APs. The traffic from this SSID should terminate directly on their controller.
Aruba introduced a feature called MultiZone. It allows IT organizations to run multiple separate, secure networks on the same access point. With MultiZone enabled, one AP can terminate on up to 5 different controllers, or zones (under different management domains). The controller managing the AP is called the Primary Zone; controllers on which the AP only terminates client traffic are called Data Zones. The data is encrypted from the client to the controller and remains encrypted while it flows through the AP. This means the networks are completely separate and secure even though the traffic runs through the same AP.
For the use cases above:
Use Case 1: A separate controller is placed in the DMZ (Data Zone). The guest SSID broadcast by the AP is tunneled back to this controller and not to the Primary Zone controller.
Use Case 2: The administrator allows the external organization to broadcast their SSID on his own AP. They act as a Data Zone, and the traffic from their SSID is terminated directly on their controller.
Cisco does not have a feature similar to MultiZone.
Compared to Cisco, Aruba enhances WLAN availability by providing true clustering, Live Upgrades and Loadable Service Modules.
Aruba provides true clustering. Controllers in a cluster (up to 12 controllers) keep clients' high-value sessions synchronized among them. High-value sessions are, for example, FTP, SSH and VoIP; HTTP sessions, on the other hand, are not high-value, since re-establishing an HTTP session has almost no impact. In case of a controller failure, clients that were managed by the failed controller are moved to another controller, and because their session table is already synced, the client applications will not notice. In other words, if a client is on a VoIP call over WLAN and the controller on which the client traffic was terminated fails, the client traffic is terminated on another cluster member. The VoIP call continues and the client notices no interruption.
Usually, when updating controller firmware, a maintenance window has to be found, and the WLAN is unavailable (or has limited functionality) during this time.
Aruba can upgrade clusters without the need for a maintenance window. This is done as follows:
One cluster member is freed of APs; these APs are moved to other cluster members.
This controller is upgraded to the newest firmware.
A few APs at a time are freed of clients. These clients are moved to adjacent APs without affecting their sessions.
The freed APs are upgraded and moved to the already upgraded cluster member(s).
This process is repeated until all APs and controllers are upgraded.
During the upgrade process, clients see minimal RF impact and disruption.
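The live-upgrade procedure above, as an added simulation that is not Aruba's code: the controller and AP names, the firmware labels "old" and "new", and the per-controller AP capacity are all constructed assumptions. It runs the drain, upgrade and re-home steps on a small cluster model and checks after every step that each AP terminates on a controller running its own firmware and that no controller exceeds its capacity. It also makes the precondition of step one visible: draining a member only works when the remaining members have spare capacity, so a cluster with no headroom fails before anything is touched.

```go
package main

import "fmt"

// Cluster is a constructed model: firmware per controller, the controller each AP terminates on,
// firmware per AP, and the assumed maximum number of APs one controller can serve.
type Cluster struct {
	CtlVersion, APHome, APVersion map[string]string
	Capacity                      int
	Violations                    []string // invariant violations observed during the run
}

func (c *Cluster) load(ctl string) (n int) {
	for _, home := range c.APHome {
		if home == ctl {
			n++
		}
	}
	return n
}

// check records the invariants every step must keep: an AP always terminates on a controller
// running its own firmware, and no controller serves more APs than its capacity.
func (c *Cluster) check(step string) {
	for ap, home := range c.APHome {
		if c.CtlVersion[home] != c.APVersion[ap] {
			c.Violations = append(c.Violations, step+": "+ap+" is on a controller with other firmware")
		}
	}
	for ctl := range c.CtlVersion {
		if c.load(ctl) > c.Capacity {
			c.Violations = append(c.Violations, step+": "+ctl+" is over capacity")
		}
	}
}

// rehome moves one AP to a controller other than avoid that runs version and still has room.
func (c *Cluster) rehome(ap, version, avoid string) error {
	for ctl, v := range c.CtlVersion {
		if ctl != avoid && v == version && c.load(ctl) < c.Capacity {
			c.APHome[ap] = ctl
			return nil
		}
	}
	return fmt.Errorf("no controller running %s has room for %s", version, ap)
}

// LiveUpgrade follows the steps in the post: free one member of its APs, upgrade it, then upgrade APs
// a batch at a time and move them to upgraded members, repeating until everything runs target.
// A drain that finds no room fails the run: that is the spare-capacity requirement behind step one.
func (c *Cluster) LiveUpgrade(target string, batch int) error {
	if batch < 1 {
		batch = 1
	}
	for ctl, v := range c.CtlVersion {
		if v == target {
			continue
		}
		// Step 1: move this member's APs to members still running the same firmware.
		for ap, home := range c.APHome {
			if home == ctl {
				if err := c.rehome(ap, c.APVersion[ap], ctl); err != nil {
					return fmt.Errorf("cannot drain %s: %w", ctl, err)
				}
			}
		}
		c.CtlVersion[ctl] = target // Step 2: upgrade the emptied member.
		c.check("upgraded " + ctl)
		// Steps 3-4: take batch APs at a time off the air (their clients shift to neighbouring APs),
		// upgrade them and rehome them on an upgraded member; stop once no upgraded member has room.
		for moved := batch; moved == batch; {
			moved = 0
			for ap, ver := range c.APVersion {
				if ver == target {
					continue
				}
				if moved == batch || c.rehome(ap, target, "") != nil {
					break
				}
				c.APVersion[ap] = target
				moved++
			}
			c.check(fmt.Sprintf("upgraded %d APs after %s", moved, ctl))
		}
	}
	return nil
}

// NewDemoCluster builds a constructed three-member cluster with two APs per member, all on "old".
func NewDemoCluster(capacity int) *Cluster {
	c := &Cluster{CtlVersion: map[string]string{}, APHome: map[string]string{}, APVersion: map[string]string{}, Capacity: capacity}
	for i := 1; i <= 6; i++ { // ap1,ap2 on ctl1; ap3,ap4 on ctl2; ap5,ap6 on ctl3
		ap, ctl := fmt.Sprintf("ap%d", i), fmt.Sprintf("ctl%d", (i+1)/2)
		c.CtlVersion[ctl], c.APHome[ap], c.APVersion[ap] = "old", ctl, "old"
	}
	return c
}
```

With a capacity of four APs per controller the demo cluster upgrades to "new" with no violations; with a capacity of two, the very first drain fails because the two other members are already full, which is the headroom a live upgrade needs.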
Loadable Service Modules
The LSM feature allows customers to upgrade supported applications/service modules individually at run time, without requiring an upgrade of the whole system or a reboot. Services that can be upgraded at run time include:
AppRF: for application detection
AirMatch: the process that assigns the best channel, power and channel width to each AP
WebCC: Web Categorization, the process of categorizing web pages.
Last word: Security Certification
Aruba and Cisco are equivalent from a WLAN security certification standpoint. However, the Aruba controller is a Common Criteria accredited firewall and VPN gateway, which Cisco's controller is not. That is a key reason why, in high-security networks, Aruba is approved to support guest and internal Wi-Fi access on the same equipment: it has an accredited firewall that keeps those two networks separate. Cisco has to rely on VLAN separation with an external firewall, which is not as secure.