The Aruba Security Software Bundle includes Policy Enforcement Firewall (PEF) and Wireless Intrusion Protection (WIP).
Aruba's Policy Enforcement Firewall (PEF) module for ArubaOS provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using PEF, organizations can enforce network access policies that specify who may access the network, which areas of the network they may access, and the performance thresholds of various applications. Administrators can build a unified, integrated system for network policy enforcement by leveraging PEF's open interfaces to external services such as content security appliances, NAC policy engines, performance monitors, and authentication/authorization servers. For organizations adopting emerging applications such as Voice over Wi-Fi, the PEF module provides advanced voice management capabilities with enhanced visibility and control into voice sessions. Features such as SIP protocol decoding, phone number tracking, dial plan mapping, SIP-based authentication, and fine-grained queue management make large-scale enterprise voice deployments a reality.
Aruba's Wireless Intrusion Protection (WIP) module protects the mobile edge of the network against wireless threats to network security. By integrating wireless intrusion protection into the mobile edge infrastructure, the need for a separate system of RF sensors and security appliances is eliminated. The WIP module provides extraordinary capabilities to Aruba's enterprise mobility system, giving administrators visibility into the network, along with the power to thwart malicious wireless attacks, impersonations and unauthorized intrusions.
ARUBA'S POLICY ENFORCEMENT FIREWALL (PEF) MODULE FEATURES:
Identity-based policy controls
PEF provides user-level awareness of all traffic across the network. Enterprises today need to support a broad variety of users, devices, and applications - all of which want mobility. Traditional network architectures mandate that parallel networks be constructed to address the different needs of each constituent - for example, one network for employees and full-time contractors, another for guests, and a third for voice. Even when these networks can be constructed using the same physical hardware, there is an associated complexity and resulting high cost.
Stateful firewalls for every user
PEF implements a full stateful firewall instance around every user, tightly controlling what the user is permitted to do and providing separation between user classes. The VLAN-based security used in traditional network designs is both cumbersome to configure and deficient in security. External firewalls are limited because they understand only ports and IP subnets. To provide a high level of security, a firewall requires knowledge of user identity when making access control decisions.
Application-aware Quality of Service controls
Once application flows have been identified, standard firewall security actions such as permit, drop, log, or reject can be applied. However, PEF is capable of more than just robust security. Rule actions can also tag packets with an 802.1p or DSCP marking, prioritize the traffic into multiple queues, or even redirect specific protocols to different destinations. Advanced awareness of voice and video protocols permits appropriate QoS to be applied to both the control protocol and the call sessions automatically.
Dynamic traffic management
PEF provides controls to optimize wireless network bandwidth usage, which can be a limited resource in many networks. Role-based policies can limit the maximum amount of bandwidth consumption for a particular user or class of users, preventing "power users" from monopolizing network resources. At the same time, traffic management policies also guarantee a minimum amount of bandwidth to ensure that devices are not starved.
High-performance traffic processing
With PEF, policy enforcement does not come at the expense of performance. All Aruba controllers are purpose-built for high-speed processing of network traffic with dedicated hardware for control processing, network traffic processing, and encryption. The result is high-speed low-latency policy enforcement that scales up to thousands of users and hundreds of thousands of active sessions.
External authentication and authorization interfaces
Extended authorization control allows fine-grained control of users from authorization and authentication servers. Controls such as automatic disconnection from the network, role re-assignment, and dynamic updates of firewall policies can be enabled. This functionality is enabled by two Application Programming Interfaces (APIs): the IETF standard RFC 3576, and a simple, yet flexible, XML-based API. Both APIs allow external systems to exert user and policy control over an Aruba controller.
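The RFC 3576 mechanism referred to above, as an added illustration that is not Aruba's code: an authorization server builds a Disconnect-Request (to drop a user) or a CoA-Request (to change the user's policy) and checks the controller's ACK/NAK authenticator before trusting it. Only standard RADIUS attribute types are used; the shared secret, user name, session id and role name are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes defined in RFC 3576
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard attribute types (RFC 2865/2866) used to identify the session and the new policy
USER_NAME, FILTER_ID, ACCT_SESSION_ID = 1, 11, 44

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs; length includes the 2-byte header."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def build_response(code, request, secret, attrs=()):
    """What the controller answers; Response Authenticator covers the Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body

def response_is_valid(response, request, secret):
    """Accept an ACK/NAK only if identifier, length and Response Authenticator all check out."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or code not in (41, 42, 44, 45):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a deployment value
    disc = build_request(DISCONNECT_REQUEST, 1, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"A1B2C3")], secret)
    coa = build_request(COA_REQUEST, 2, [(USER_NAME, b"alice"), (FILTER_ID, b"guest")], secret)
    print(disc.hex(), coa.hex())
```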
Ease network security deployments
The External Services Interface (ESI) allows a wide array of network service appliances to be co-located with an Aruba controller to provide their services to clients on the network. Appliances providing services such as virus protection, content inspection and filtering, intrusion detection and prevention, content transformation, protocol-based bandwidth shaping and more are all enabled centrally.
Comprehensive voice management and control
PEF adds extensive voice management functionality for networks using SIP, providing detailed reporting and troubleshooting capabilities. To ensure sufficient voice capacity in the Wi-Fi network, Voice Call Admission Control (CAC) prevents any single AP from becoming congested with too many voice calls. This is accomplished by limiting the number of active voice calls allowed on a radio or by setting voice bandwidth thresholds.
ARUBA'S WIRELESS INTRUSION PROTECTION (WIP) MODULE FEATURES:
Unique station and user classification
Aruba's classification system automatically identifies and classifies all APs and stations connected to the network. The system works by comparing traffic seen in the air with traffic seen on the wire. When a match is found, it is known with certainty that the device belongs to the local network rather than a neighboring network. This avoids false alarms for the administrator, because only true rogue devices are classified as such.
Detecting and disabling rogue APs
Aruba's classification algorithms allow the system to accurately determine who is a threat and who is not. Once classified as rogue, these APs can be automatically disabled. Administrators are also notified of the presence of rogue devices, along with their precise physical location on a floorplan, so that they may be removed from the network.
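The air-versus-wire correlation described under "Unique station and user classification", as an added illustration that is not Aruba's algorithm: an AP the controller does not manage is reported as rogue only when its own MAC or one of its associated stations is also learned on a local switch port; otherwise it is a neighbor, which avoids the false alarm. The MAC feeds and addresses are constructed; the wired-MAC source is a hypothetical switch table export.

```python
from dataclasses import dataclass, field

VALID, ROGUE, NEIGHBOR = "valid", "rogue", "neighbor"

@dataclass
class AirObservation:
    """One AP heard over the air: its BSSID, SSID and the station MACs associated to it."""
    bssid: str
    ssid: str
    clients: set = field(default_factory=set)

def classify_aps(air, wired_macs, authorized_bssids):
    """Return {bssid: (classification, evidence)}.

    air: AirObservation list from the radios; wired_macs: MACs learned on local
    switch ports (hypothetical feed); authorized_bssids: APs this controller manages.
    An unmanaged AP is rogue only when its own MAC or one of its clients is also
    seen on the wire, i.e. it is bridging wireless traffic onto the local LAN.
    """
    wired = {m.lower() for m in wired_macs}
    authorized = {b.lower() for b in authorized_bssids}
    result = {}
    for obs in air:
        bssid = obs.bssid.lower()
        if bssid in authorized:
            result[bssid] = (VALID, "managed by the local controller")
            continue
        candidates = {bssid, *(c.lower() for c in obs.clients)}
        on_wire = sorted(m for m in candidates if m in wired)
        if on_wire:
            result[bssid] = (ROGUE, "also seen on wire: " + ", ".join(on_wire))
        else:
            result[bssid] = (NEIGHBOR, "no wired correlation")
    return result

# Constructed sample data (locally administered MACs, not real devices)
AIR = [
    AirObservation("02:aa:00:00:00:01", "corp-wlan", {"02:cc:00:00:00:10"}),
    AirObservation("02:bb:00:00:00:02", "linksys", {"02:cc:00:00:00:20", "02:cc:00:00:00:21"}),
    AirObservation("02:bb:00:00:00:03", "cafe-guest", {"02:cc:00:00:00:30"}),
]
WIRED_MACS = {"02:cc:00:00:00:10", "02:CC:00:00:00:21", "02:dd:00:00:00:99"}
AUTHORIZED_BSSIDS = {"02:aa:00:00:00:01"}

if __name__ == "__main__":
    for bssid, (cls, why) in classify_aps(AIR, WIRED_MACS, AUTHORIZED_BSSIDS).items():
        print(f"{bssid}  {cls:8}  {why}")
```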
Denial of service and impersonation protection
Wireless networks, by their nature, make an attractive target for denial of service attacks. Such attacks include software that floods the network with association requests, attacks that make a laptop look like thousands of APs, and de-authentication floods. Aruba mobility controllers equipped with the ArubaOS WIP module maintain signatures of many different wireless attacks and are able to block them so service is not disrupted.
One of the common attacks possible in wireless networks is the "man-in-the-middle" attack. During a man-in-the-middle attack, a hacker masquerades as a legitimate AP. Then, acting as a relay point, this man-in-the-middle fools users and other APs into sending data through the unauthorized device. An attacker can then modify or corrupt data or conduct password-cracking routines.
Policy definition and enforcement
The ArubaOS WIP module provides a number of policies that can be configured to take automatic action when a policy is violated. Examples of wireless policies include weak WEP implementation detection, AP misconfiguration protection, ad-hoc network detection and protection, unauthorized NIC type detection, wireless bridge detection and more.
Using wireless to protect your wired network
Even if wireless LANs are not sanctioned at this time, no security-conscious company can afford to do nothing. Aruba's WIP will keep wireless traffic from working its way into the wired network through rogue APs unknowingly attached to a network port. With Aruba's mobility system equipped with WIP, the enterprise network is protected against wireless security holes.
Using wireless to protect your existing wireless network
Aruba's mobility system with WIP delivers the detection and protection necessary to keep your existing wireless network safe from undesirable wireless access. ArubaOS WIP complements and enhances any existing WLAN deployment, including Cisco deployments, by providing advanced RF security and control features not found in first-generation wireless products.