ARUBA MULTIZONE DATA SHEET

Similar documents
With Aruba Central, you get anywhere-anytime access to ensure that your network is up and performing efficiently.

QuickSpecs. Aruba ClearPass Guest Software. Overview. Aruba ClearPass Guest Software A ClearPass Policy Manager Application.

WI-FI: SECURE ENOUGH FOR FEDERAL GOVERNMENT?

White paper. Combatant command (COCOM) next-generation security architecture

Aruba Instant. Validated Reference Design. Chapter 2 Branch Connectivity. Version Roopesh Pavithran Andrew Tanguay

This solution is fully reproducible and has been deployed in live environments.

FEDERAL SECURED WIRELESS BRIEF - CSFC

TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

ARUBA COMPETITIVE WLAN TRADE-IN PROMOTION

CLEARPASS GUEST. A ClearPass Policy Manager Application DATA SHEET KEY FEATURES THE CLEARPASS ADVANTAGES

Document Information:

WLAN high availability

QuickSpecs. Aruba Airwave Usage Licenses. Overview. Aruba Airwave Usage Licenses. Product overview. Features and Benefits

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Aruba ACMP. Aruba Certified Mobility Professional

HP ProCurve MultiService Controller Series

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

HPE Aruba Airwave Installation and Startup Service

QuickSpecs. Aruba ClearPass OnGuard Software. Overview. Product overview. Key Features

PowerConnect W-Series...Mobility Controllers. Validated Reference Design Version 8

Latest IT Exam Questions & Answers

AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS AN ARUBA AIRGROUP SOLUTION GUIDE

HP0-Y27: DEPLOYING HP ENTERPRISE WIRELESS NETWORKS

Free4Dump. Free demo and valid vce dump for certification exam prep

FIPS Validated i WLAN

Technology Solution Guide

The Aruba Mobile Virtual Enterprise for Government. The Next Generation Network Access Architecture for Mobile Technology

HPE Knowledge Article

HPE FlexNetwork MSR Router Series

Aruba Central. Tech Webinar, October 6 th Christian Dupont, Britto Jagadesh & Barath Srinivasan

HPE FlexNetwork MSR Router Series

WIDS Technology White Paper

ARUBA AIRWAVE. Management and monitoring for multi-vendor campus networks DATA SHEET CONNECTIVITY ANALYTICS REAL-TIME MONITORING AND VISIBILITY RAPIDS

HP0-Y33: IMPLEMENTING HP WIRELESS NETWORKS

Aerohive Private PSK. solution brief

Models HP ProCurve M110 Access Point WW

Secure Access Configuration Guide For Wireless Clients

Vendor: Aruba. Exam Code: ACMP_6.1. Exam Name: Aruba Certified Mobility Professional 6.1. Version: Demo

Aerohive and IntelliGO End-to-End Security for devices on your network

Aruba ridefinisce il futuro del Mobile, Cloud e IoT

VPN Routers DSR-150/250/500/1000AC. Product Highlights. Features. Overview. Comprehensive Management Capabilities. Web Authentication Capabilities

ARUBA AIRWAVE. Visibility and management for multi-vendor access networks DATA SHEET REAL-TIME MONITORING AND VISIBILITY

The Aruba S3500 Mobility Access Switch

Additional License Authorizations

ARUBA, A HEWLETT PACKARD ENTERPRISE COMPANY, IS REDEFINING THE INTELLIGENT EDGE WITH MOBILITY AND IOT SOLUTIONS FOR ORGANIZATIONS

Additional License Authorizations

Tunneling Configuration Guide for Enterprise

MSP Solutions Guide. Version 1.0

Standard For IIUM Wireless Networking

Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients

QuickSpecs. Key Features and Benefits. HP C-Series MDS 9000 Storage Media Encryption (SME) Software. Overview. Retired

PRODUCT LINE MATRIX: Mobility Controllers

WHITE PAPER AX WAIT, DID WE JUST BUILD A WIRELESS SWITCH?

Exam Questions CWSP-205

HP D6000 Disk Enclosure Direct Connect Cabling Guide

HP ProCurve Mobility Access Point Series

About the HP MSR Router Series

QuickSpecs HP ProCurve Manager Plus 3.1

Business Guest WiFi Access the Easy Way

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

BYOD: BRING YOUR OWN DEVICE.

QuickSpecs. HPE OfficeConnect M n Access Point Series. Overview. HPE OfficeConnect M n Access Point Series

Cisco Aironet 1815T (Teleworker) Access Point Deployment Guide

TECHNICAL DIVE INTO ARUBA OS 8.X

Your wireless network

Secure wired and wireless networks with smart access control

Network Deployment Guide

OmniAccess Stellar Enterprise SE Remote Demo Script

Unified Services Routers

New Windows build with WLAN access

ARUBA CLEARPASS POLICY MANAGER

Technology Solution Guide. Deploying Entuity s Eye of the Storm with Aruba Networks Secure Mobility Solution

HPE ilo mobile app for ios

HP ProCurve Manager Plus 3.0

WHITE PAPER ARUBA SD-BRANCH OVERVIEW

HPE Security ArcSight Connectors

HP E-PCM Plus Network Management Software Series Overview

HPE ConvergedSystem 700 for Hyper-V Deployment Accelerator Service

Securing BYOD with Cisco TrustSec Security Group Firewalling

ArubaOS Remote Networking Version 3.1

HPE Enhanced Network Installation and Startup Service for HPE BladeSystem

QuickSpecs. HP Mobile Hotspot. Model. HP Mobile Hotspot. Overview. Back View. Front View. Top View. 1. Wireless signal strength. 4.

QuickSpecs. Models. Features and benefits Application highlights. HP 7500 SSL VPN Module with 500-user License Overview

HP0-Y36: DEPLOYING HP ENTERPRISE NETWORKS

HP IMC Smart Connect Virtual Appliance Software

Ruckus ZoneDirector 1106 WLAN Controller (up to 6 ZoneFlex Access Points)

Additional License Authorizations. For Cloud Center and Helion Cloud Suite software products

Aruba Instant

Exam Questions SY0-401

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Wireless LAN Solutions

Ruckus ZoneDirector 3450 WLAN Controller (up to 500 ZoneFlex Access Points)

Simplifying the Branch Network

Testkings.ACMP_ QA

Testkings.ACMP_ questions. Aruba ACMP_6.3. Aruba Certified Mobility Professional 6.3

HPE 3PAR Remote Copy Extension Software Suite Implementation Service

Cloud Security Best Practices

ArubaOS RNG. Release Notes. What s New in this Release. Termination of IAP VPN tunnels. Termination of IAP GRE tunnels

About the Configuration Guides for HP Unified

Enterprise Guest Access

Transcription:

Aruba s centralized architecture provides a more secure Wi-Fi environment that is different from any other Wi-Fi vendor on the market today. Among the key security advantages of this architecture are: Client to core controller encryption, where thin s do not perform encryption and perform a pass-through by tunneling encrypted Wi-Fi traffic between itself and the controller across the wired infrastructure. Role-based authentication and access to users and devices, centrally within the controller. Integrated policy enforcement firewall capability based on assigned roles of users and devices. Enhanced security in that there are no encryption keys present on any Aruba (unlike most other vendor solution). With Aruba s centralized architecture, there are no encryption session keys or certificates present on the that are used for user data transmissions. Because traffic is tunneled between the and controller, all configuration and security mechanisms are implemented centrally on the controller. Up to this point, the has authenticated to the controller and establishes a GRE tunnel with that controller. s only communicate to that single controller. However, environments exist that need additional separation due to security requirements. Aruba s centralized architecture makes it possible to provide additional separation and security by designing and creating separate zones for each separation instance. Examples of this kind of separation are: Federal unclassified networks vs classified networks Separate operating networks (unclassified or classified) within a single environment Department/Contractor/Visitor/Guest access Multi-tenant facilities END-TO-END CRYPTO BOUNDARY PER-USER VIRTUAL CONNECTION Command CLEARPASS AAA RADIUS LD AD PKI Virtual 1 SSID: Corp Virtual 2 SSID: Visitor Staff Partner Guest Enterprise Network IS UNTRUSTED CENTRALIZED CRYPTO SESSIONS Flow/Application Classification Role-based Firewalls ROLE-BASED ACCESS CONTROL SECURITY BOUNDARY Figure 1: Aruba s Centralized Architecture

Aruba s MultiZone feature is the key to providing the additional separation that is required in the above examples. With Aruba MultiZone, all current s authenticate against a defined Primary Zone controller to start. Additional zones are defined and configured on the Primary Zone controller. Once authenticated, these s receive a configuration from the Primary Zone controller, which direct the to authenticate to additional Data Zone controllers to receive another configuration for that particular zone. Up to 4 Data Zone controllers may be defined from the Primary Zone controller. The establishes a per SSID GRE tunnel against multiple controllers. This provides several advantages. Among them are: Each zone controller may be configured and managed by separate entities, providing more control for each separate entity. Partitioned zone traffic is directed away from a single centralized controller and is forwarded to a separate zone controller for processing. Individual role-based access and policy enforcement rules can be implemented on each zone controller, tailored to the security requirements of that zone. A single RF infrastructure of s can be utilized, even though there are different WLAN controllers implemented for each zone. Let s take some use case examples from above to demonstrate the advantages of Aruba s overall architecture and how including MultiZone can provide ease of deployment. COMMERCIAL SOLUTIONS FOR CLASSIFIED CAMPUS WLAN CABILITY PACKAGE 2. The NSA s CSfC program provides a way to implement secure solutions that protect classified information. By following the guidelines within their Capability Packages, these solutions may be implemented using Commercial Off The Shelf products that meet all the requirements within the capability package. If we take a look at the Campus WLAN Capability Package, page 14, Figure 2, it depicts the following: The Black/Gray boundary can be at the (s) or Controller, depending on the vendor. GRAY NETWORK END USER DEVICE WLAN Controller Black Network Gray Firewall Red Network Figure 2: CSfC Campus WLAN Security Boundary

With any non-aruba solution, the is the black/gray security boundary because it is performing crypto functions. With an Aruba solution, the security black/gray boundary is at the controller, not at the. Since Aruba s do not perform crypto functions on user traffic, they are considered to be part of the black network, thus not part of the security boundary. We will see that this is significant when considering the ability to do multiple data classifications, which is introduced in version 2.0 of the Capability Package. Figure 3 below shows this (as in the Campus WLAN Capability Package on page 10). This figure shows that while multiple classifications are allowed, it also shows that a VPN solution needs to be implemented for the unclassified (NIPR) portion of the overall solution. This is because with this figure, unclassified traffic potentially traverses the gray network. That gray network requires one tunnel of encrypted data. Taking this a step further, the amount of design and implementation effort to provide VPN capabilities to potentially thousands of unclassified EUDs can be a huge undertaking. Because the security boundary on an Aruba CSfC solution is at the controller (not the ), we can offer an alternative to implementing VPN capabilities on the unclassified data classification. This alternative is called MultiZone. With the Aruba MultiZone feature, additional zones can be implemented (for example, an unclassified network) where a VPN solution will NOT be required. The reason is that unclassified traffic will be directed away from the CSfC controller towards a Data Zone unclassified controller. This is a key advantage versus competitor solutions. Figure 4 depicts this scenario. As an added value, the non-classified networks don t require a CSfC registration package and follow already well-established federal and DoD wireless access requirements. TS Network END USER DEVICE Gray Data Network TS Services WLAN Access System Black Network Wireless Authentication Server Gray Network Gray Firewall Gray Services S Services S Network U Network U Services Figure 3: Overview of Campus WLAN CP

Email Database CA/Authentication SIPR Network Services Voice/Video File Servers SSID: CSfC Outer Tunnel Black Network (Unclass) Gray Network Client VPN: VPN Inner Tunnel SSID: NIPR Email Database CA/Authentication NIPR Network Services Voice/Video File Servers Figure 4: Aruba MultiZone to separate data classifications SEPARATE GOVERNMENT NETWORKS In this use case, we ll consider two different government networks that operate at the same government building or facility. An example of this is two different MAJCOMs operating at the same facility. Each MAJCOM uses a different network, from authentication and access to operation and management. Configuring the MultiZone capability, one controller is configured as the primary zone controller. This Primary Zone controller will manage the s and RF for the environment. A configuration is implemented on the primary zone controller to provide EUDs the ability to authenticate using CAC certificates with E-TLS and (AES-CCM) as the data payload encryption algorithm. Also, the Primary Zone controller has a configuration telling the s to authenticate to a Data Zone controller. The s are whitelisted to the Data Zone controller just like on the Primary Zone controller. The Data Zone controller has a different configuration in place that supports the same authentication/access capabilities, but the controller connects to a completely separate network. A different network operations/management team provides its services to its own network and controller that is connected to that network. SSID: GovNet1 Primary Zone GovNet1 SSID: GovNet2 Data Zone GovNet2 Figure 5: Aruba MultiZone to separate two different Government networks

GUEST/VISITOR ACCESS Aruba had an initial Guest access capability which was called Tunneled Internet Gateway. The solution covering this use case was accomplished by placing guest access users/devices into its own dedicated VLAN after captive portal based authentication. Guest traffic was tunneled (using IPsec encryption and GRE tunnel) to another network device (i.e. typically an Internet gateway that resided in a DMZ) and provided Internet-only access. At the time, we had the appropriate DISA approvals because the solution met the definition of logical separation. The following figures show an example of a Tunneled Internet Gateway network topology and logical topology. Aruba Mobility Controller CLEARPASS ACCESS MANAGEMENT Internet Facility Core Router Boundary Router Inside Firewall Outside Firewall Distribution Switches Restricted Secure Laptop User Connects to SSID: Restricted SSID: Restricted Aruba Access Point SSID: Internet Gateway Commercial Mobile Device User Connects to SSID: Internet Gateway Figure 6: Tunneled Internet Gateway Network Topology WPA2 Encryption Wire Restricted Network Transport Secure Laptop SSID: Restricted SSID: Internet Gateway Outer Tunnel: IPSec Controller to Gateway WPA2 Encryption NAT Inner Tunnel: L3 GRE Controller to Gateway Commercial Mobile Device Internet Gateway Figure 7: Tunneled Internet Gateway Logical Topology

MultiZone changes the design from the tunneled Internet Gateway solution by configuring a Data Zone controller to have the s forward authenticated guest traffic to a dedicated guest controller (still typically residing in a DMZ). This guest traffic will no longer be terminated at a single controller that resides in the core of the production network. Also, the establishment of an IPsec tunnel over a Layer 3 GRE tunnel between the production controller and Internet Gateway is no longer a requirement since the guest traffic will not touch the production Primary Zone controller. The network topology of Guest Access using MultiZone is shown below. MULTI-TENANCY With this use case, we will consider the scenario where the Government, contractors, and vendors require Wi-Fi access to their respective network resources. This can be provided in the way of a small enclave on the backside of their respective controllers or simply providing Internet access to establish VPN connectivity to their home base. SSID: NIPR Primary Zone GovNet1 SSID: Guest Open Data Zone DMZ Internet CLEARPASS ACCESS MANAGEMENT Figure 8: Guest Access MultiZone Network Topology

In the example listed in Figure 9, the Primary Zone controller is implemented to allow the Government facility to provide Data Zone controllers, along with having management control of the s and RF. The tenants would purchase their own Data Zone controller to be implemented (perhaps a DMZ). The contractor and vendor will have configuration control of their respective Data Zone controller. Note that the Primary Zone controller shows an example of a three-node controller cluster for expansion and redundancy, along with the use of a Mobility Master virtual machine to configure the cluster. IN SUMMARY When discussing WLAN designs with prospective and existing customers, it s key to stress the importance of their selection of an overall Wi-Fi architecture design upfront. They should consider not only their current Wi-Fi requirements, but also future requirements that may need additional separation for security reasons. This is why Aruba s architecture is superior from both a security and ease of deployment perspective. Aruba s solution, which includes MultiZone, provides a way to easily expand the overall Wi-Fi solution to provide data separation where it makes sense and is required. When it comes to security separation, this cannot be done with any competitor solution. PRIMARY ZONE Mobility Master/Standby Virtual Virtual Appliance Appliance Contractor1 ESSID CONTRACTOR Standalone Govt ESSID Vendor1 ESSID VENDOR Standalone Standalone Standalone 3-node Cluster Standalone Figure 9: Multi-Tenancy Example MultiZone Configuration www.arubanetworks.com 3333 SCOTT BLVD SANTA CLARA, CA 95054 1.844.473.2782 T: 1.408.227.4500 FAX: 1.408.227.4550 INFO@ARUBANETWORKS.COM Copyright 2018 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. DS_ArubaMultiZone_070218

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback