Wired Intelligent Edge


Securing GRE tunnels in tunnelled mode?

  • 1.  Securing GRE tunnels in tunnelled mode?

    Posted Dec 19, 2019 01:13 AM
    Hi all,

    I’m looking to get some 7210 controllers and then use tunnelled mode from ports on my 3810 switches.

    I understand by default these create GRE tunnels back to the controller. My question is, how can I secure these GRE tunnels? Can I add MACSEC to them or something similar?

    The traffic I tunnel from these ports; I want to encrypt to protect the traffic from other users on the switch.

    Thanks


  • 2.  RE: Securing GRE tunnels in tunnelled mode?

    MVP GURU
    Posted Dec 19, 2019 01:58 PM

    Hi,


    Why encrypt? Because other users on the switch don't see the traffic...



  • 3.  RE: Securing GRE tunnels in tunnelled mode?

    Posted Dec 19, 2019 02:23 PM
    I’d like to offer assurance that these networks are in separate encryption domains.

    Ideally I’d like users in different departments to authenticate with dot1x using certs ... then Clearpass looks at their AD group membership and gives them a role / ACL based on that. Each switch port uses an encrypted tunnel back to the controller much like you find on wireless.

    On wireless you get your own encrypted tunnel back to the controller then a role. I would like the same for wired if possible?

    Thanks


  • 4.  RE: Securing GRE tunnels in tunnelled mode?

    EMPLOYEE
    Posted Dec 19, 2019 04:16 PM

    @redford1980 wrote:

    > I’d like to offer assurance that these networks are in separate encryption domains.

    Tunneled Node operates over GRE, so it tunnels. It does not encrypt traffic.

    > Ideally I’d like users in different departments to authenticate with dot1x using certs ... then Clearpass looks at their AD group membership and gives them a role / ACL based on that.

    You can definitely do that on a switchport. That is separate from tunneled node.

    > Each switch port uses an encrypted tunnel back to the controller much like you find on wireless.

    Tunneled node is GRE so it does not provide that. It is a transport that extends your wired network out further.

    > On wireless you get your own encrypted tunnel back to the controller then a role. I would like the same for wired if possible?

    On wireless, encryption is provided by the client. Most client application traffic nowadays is encrypted, so encrypting it further would add overhead and complexity. Even clients in the same VLAN would only be able to see broadcast/multicast traffic from other clients, anyways...similar to a wired network. If someone was tapping into your wired network and looking at your traffic, that would mean that you do not have the uplinks on your switch infrastructure physically secured. Again..most applications nowadays are encrypted.

    Thanks



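The point made in the reply above (Tunneled Node transports the client's frame inside GRE and adds no confidentiality) as an added worked example. This is not code from the thread or from HPE Aruba: it is a small RFC 2784/2890 GRE encapsulator and parser written for this page. It assumes the standard "Transparent Ethernet Bridging" protocol type 0x6558 for a bridged Ethernet frame; the exact Tunneled Node framing is not documented in the thread. The MAC addresses and the application request are constructed sample data, and the inner IP/TCP headers are omitted to keep the frame short.

```python
import struct
from typing import Optional

# GRE protocol type for a bridged Ethernet frame ("Transparent Ethernet
# Bridging"). Assumption: the thread does not document the real Tunneled
# Node encapsulation, so plain RFC 2784/2890 GRE is modelled here.
GRE_PROTO_TEB = 0x6558

GRE_FLAG_C = 0x8000  # checksum present (RFC 2784)
GRE_FLAG_K = 0x2000  # key present (RFC 2890)
GRE_FLAG_S = 0x1000  # sequence number present (RFC 2890)


def build_gre(payload: bytes, proto: int = GRE_PROTO_TEB,
              key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Prepend a GRE header (optional key/sequence, no checksum) to payload."""
    flags = 0
    opt = b""
    if key is not None:
        flags |= GRE_FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opt += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + opt + payload


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header; the payload is returned exactly as it was sent."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x7:  # low three bits carry the GRE version, must be 0
        raise ValueError("unsupported GRE version")
    need = 4 + sum(4 for f in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags_ver & f)
    if len(packet) < need:
        raise ValueError("truncated GRE options")
    off = 4
    hdr = {"proto": proto, "checksum": None, "key": None, "seq": None}
    if flags_ver & GRE_FLAG_C:  # checksum (2 bytes) + reserved1 (2 bytes)
        hdr["checksum"] = struct.unpack("!H", packet[off:off + 2])[0]
        off += 4
    if flags_ver & GRE_FLAG_K:
        hdr["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags_ver & GRE_FLAG_S:
        hdr["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    hdr["payload"] = packet[off:]
    return hdr


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into dst/src MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def tunnelled_frame_is_readable(packet: bytes, marker: bytes) -> bool:
    """True when `marker` is readable by anyone who sees the GRE packet in
    transit between switch and controller: GRE adds a header, not secrecy."""
    inner = parse_ethernet(parse_gre(packet)["payload"])
    return marker in inner["payload"]


def demo() -> dict:
    """Tunnel a constructed client frame and inspect it off the wire."""
    # Constructed sample data: one client frame carrying a cleartext request.
    client_mac = bytes.fromhex("0a1b2c3d4e5f")
    upstream_mac = bytes.fromhex("0a1b2c3d4e60")
    app_request = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    # Ethernet II: dst, src, EtherType (IPv4); IP/TCP headers omitted for brevity.
    inner = upstream_mac + client_mac + struct.pack("!H", 0x0800) + app_request
    wire = build_gre(inner, key=0x2A, seq=1)  # what the switch puts on the uplink
    hdr = parse_gre(wire)                     # what an observer on the path sees
    eth = parse_ethernet(hdr["payload"])
    return {"gre_key": hdr["key"], "gre_seq": hdr["seq"],
            "inner_src": eth["src"], "inner_dst": eth["dst"],
            "cleartext_visible": tunnelled_frame_is_readable(wire, b"/payroll")}


if __name__ == "__main__":
    print(demo())
```

The GRE key only identifies the tunnel; it is a plaintext field, not a secret, so `cleartext_visible` comes back `True` for anyone positioned on the switch-to-controller path. That is why the reply points at client-side encryption (TLS in the applications, or the VIA client discussed later in the thread) rather than at the tunnel itself for confidentiality.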

  • 5.  RE: Securing GRE tunnels in tunnelled mode?

    Posted Dec 19, 2019 04:32 PM
    Thanks - appreciate the detailed response.

    How about this:

    1. wireless - make one SSID and segregate out lots of individual access with roles tied to an AD security group. So we can connect up lots of departments on one SSID, but individually they have their own role / ACL

    2. On wired; give these laptops the VIA client, they tunnel through the LAN with this encryption back to a controller with the same role derivation. Essentially VPN with their own encryption to the controller.

    Would these work? Can I use the same controllers (2x7240’s) for both wireless and vpn concentrator?

    Thanks


  • 6.  RE: Securing GRE tunnels in tunnelled mode?
    Best Answer

    EMPLOYEE
    Posted Dec 19, 2019 04:40 PM

    You certainly can do that.