HPE6-A78 Protect and Defend

Detailed list of HPE6-A78 knowledge points

Protect and Defend Detailed Explanation

The Protect and Defend section is all about securing Aruba wireless networks. The goal here is to understand how to protect these networks from unauthorized access and potential threats. This involves setting up methods to verify who is accessing the network, defining what devices can do once they’re connected, encrypting data to keep it safe, and using systems to detect and block any suspicious activities.

1.1 Authentication and Access Control

Authentication and Access Control help us decide who can connect to the network and what they are allowed to do. This section covers a few major points: the AAA Framework, 802.1X Authentication, EAP Types, and PSK.

AAA Framework

AAA stands for Authentication, Authorization, and Accounting:

  • Authentication: This is the process of verifying the identity of a user or device trying to access the network. It answers the question, “Are you who you say you are?”
  • Authorization: This determines what the authenticated user or device is allowed to do on the network. For example, an employee may have more access than a guest.
  • Accounting: This logs user activities on the network, recording details like connection time, data usage, and actions performed.

In Aruba networks, AAA is often managed using two types of servers:

  • RADIUS (Remote Authentication Dial-In User Service)
  • TACACS+ (Terminal Access Controller Access Control System Plus)

These servers enforce AAA on behalf of the Aruba devices that act as their clients: the controller, switch, or AP forwards the credentials, the server verifies them, and its reply carries the authorization result (for example a user role or VLAN) that the device then applies. In practice RADIUS handles network access (802.1X, MAC authentication, captive portal), while TACACS+ is typically used for device-administration AAA because it can authorize individual commands. For the exam, you need to know how to point Aruba devices at these servers so that authentication and authorization are handled dynamically for various users and devices.

802.1X Authentication

802.1X is the IEEE standard for port-based network access control. It authenticates a user or device before the port (a wired switch port or a wireless association) is allowed to carry anything other than authentication traffic, and it is commonly paired with a RADIUS server.

The 802.1X Authentication Process involves three main parts:

  • Supplicant: This is the user or device trying to access the network. For example, your laptop is the supplicant when you connect to Wi-Fi.
  • Authenticator: This is typically the Aruba network device, like a wireless access point (AP), that acts as the "gatekeeper."
  • Authentication Server: Usually, this is a RADIUS server that stores user credentials and verifies users trying to access the network.

The supplicant never talks to the server directly. It exchanges EAP messages with the authenticator over EAPOL; the authenticator relays them to the authentication server inside RADIUS EAP-Message attributes, and the port stays blocked for everything except EAPOL until the server answers. On success the server returns an Access-Accept carrying the authorization result (for example a user role or VLAN) and the keying material from which the per-session wireless keys are derived; on failure the port stays closed.
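The authenticator-to-server leg of that exchange is what a practitioner most often has to debug, so here is the RADIUS packet authentication it relies on, as an added example written for this page (it is not Aruba's or any RADIUS implementation's code). It builds an Access-Request the way an AP or switch would for MAC authentication (User-Password hidden per RFC 2865) and for an 802.1X Identity response (EAP-Message plus the Message-Authenticator that RFC 3579 makes mandatory), then checks both the request and the server's Access-Accept. The shared secret, identities and packet contents are constructed values.

```python
"""RADIUS packet authentication between an authenticator (AP/switch) and the
authentication server, per RFC 2865 (Request/Response Authenticator, User-Password
hiding) and RFC 3579 (Message-Authenticator for EAP). Added example, not Aruba's
or any RADIUS implementation's code; the shared secret, identities and packets
are constructed. Standard library only."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80
SECRET = b"constructed-shared-secret"   # assumption: the NAS/server shared secret


def attr(atype, value):
    """Type-Length-Value encoding of one attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR block i with MD5(secret + previous block),
    the Request Authenticator seeding the first block. Used by PAP and MAC auth."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same scheme (any sniffer holding the secret can do this too)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, attrs, request_auth=None):
    """Assemble an Access-Request. When an EAP-Message is carried, RFC 3579 makes a
    Message-Authenticator (HMAC-MD5 over the packet with that value zeroed) mandatory."""
    request_auth = request_auth or os.urandom(16)
    carries_eap = any(a[0] == EAP_MESSAGE for a in attrs)
    body = b"".join(attrs)
    if carries_eap:
        body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    if carries_eap:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def verify_message_authenticator(pkt, secret):
    """Server check: recompute HMAC-MD5 with the received value zeroed; any change
    to User-Name or the EAP payload in transit makes this fail."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + alen])
        pos += alen
    return False


def build_response(code, request_pkt, secret, attrs=b""):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(resp_pkt, request_pkt, secret):
    """Authenticator check: a forged Access-Accept from a host without the secret
    (or one replayed against a different request) is rejected here."""
    header, resp_auth, attrs = resp_pkt[:4], resp_pkt[4:20], resp_pkt[20:]
    expected = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return resp_pkt[1] == request_pkt[1] and hmac.compare_digest(expected, resp_auth)


def run_exchange():
    """Two constructed requests: MAC authentication (PAP) and an 802.1X Identity response."""
    results = {}
    ra = os.urandom(16)
    mac = b"aabbccddeeff"                      # MAC auth sends the MAC as both name and password
    hidden = hide_password(mac, SECRET, ra)
    results["mac_auth_password_roundtrip"] = reveal_password(hidden, SECRET, ra) == mac

    # EAP Response/Identity (Code 2, Id 1, Length 15, Type 1) relayed verbatim by the AP.
    eap_identity = struct.pack("!BBH", 2, 1, 15) + b"\x01" + b"alice@corp"
    req = build_access_request(8, SECRET, [attr(USER_NAME, b"alice@corp"), attr(EAP_MESSAGE, eap_identity)])
    results["eap_request_valid"] = verify_message_authenticator(req, SECRET)
    results["tampered_request_valid"] = verify_message_authenticator(req.replace(b"alice", b"mallo"), SECRET)

    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    results["accept_valid"] = verify_response(accept, req, SECRET)
    results["forged_accept_valid"] = verify_response(build_response(ACCESS_ACCEPT, req, b"wrong-secret"), req, SECRET)
    return results


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

Everything here hangs on the shared secret and on MD5/HMAC-MD5, which is why a strong, per-device secret matters and why running RADIUS over TLS (RadSec) or IPsec between the Aruba devices and ClearPass is the recommended deployment rather than trusting plain UDP RADIUS across the network.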

EAP Types

EAP (Extensible Authentication Protocol) is the method that 802.1X uses for authentication. There are several types of EAP, each with its own method for validating identities. Here are the common ones:

  • EAP-TLS (Transport Layer Security): A certificate-based method in which both sides authenticate: the server presents its certificate and the client presents a user or device certificate, so there is no password to phish or brute-force. Because it requires a PKI and certificate lifecycle management, EAP-TLS is most often used in enterprises, and it is the strongest of the common methods.

  • PEAP (Protected EAP): PEAP first builds a TLS tunnel authenticated by the server's certificate, then runs an inner method (usually EAP-MSCHAPv2 with a username and password) inside it. It is simpler to deploy than EAP-TLS because only the server needs a certificate, but its protection depends on clients actually validating that certificate: a supplicant configured to trust any server certificate will hand its MSCHAPv2 exchange to an impersonating AP.

  • EAP-TTLS (Tunneled Transport Layer Security): Like PEAP, it uses a server-authenticated TLS tunnel, but the inner authentication can be PAP, CHAP, MS-CHAPv2 or another EAP method, which makes it flexible for back ends that cannot verify MSCHAPv2 (for example an LDAP directory that only supports password binds). The same server-certificate validation caveat applies.

PSK (Pre-Shared Key)

PSK stands for Pre-Shared Key. It’s a simpler way of securing a network using a password, often called a “Wi-Fi password.” Everyone connecting uses the same key. It’s commonly used for:

  • Small networks
  • Guest networks, where users don’t need extensive access

However, because everyone uses the same key, PSK is weaker than 802.1X in three ways: the key cannot be revoked for one user without changing it for everyone; any holder of the key who captures another client's 4-way handshake can derive that client's session key and read its traffic; and with WPA2-PSK a captured handshake allows an offline dictionary attack against the passphrase. PSK is therefore limited to networks where per-user accountability is not required. For IoT devices that cannot do 802.1X, Aruba's MPSK, which gives each device its own key and role, is the better option.

1.2 ClearPass Security Policies

ClearPass is Aruba’s specialized tool for managing network access policies. It dynamically adjusts access based on things like the user’s role, the type of device, and their location.

ClearPass Policy Manager

ClearPass Policy Manager is the brain behind Aruba’s security policies. It allows the network administrator to create different rules and policies that control network access. For example:

  • An employee might be given full access to internal resources.
  • A guest might only have access to the internet.
  • ClearPass can identify devices, apply different rules for phones versus laptops, and adjust access depending on the device type.

ClearPass helps ensure that only authorized users and devices get access to the network and that they only get the appropriate level of access based on defined roles.

Role Management and Policy Configuration

In ClearPass, administrators can set up User Roles and Access Control Policies:

  • User Roles: Different roles are created based on the type of user or job. For instance:

    • Employees might have a role that gives them access to sensitive resources.
    • Guests might have a limited-access role.
    • Administrators have more permissions to manage the network.
  • Access Control Policies: These policies set rules about what each user role is allowed to do. For example:

    • Time-based access can be set so that guests can only connect during working hours.
    • Location-based access could restrict access for certain users when they are outside a certain area.

Device Profiling

ClearPass can identify different device types, such as smartphones, tablets, or laptops. This is called Device Profiling. Based on the type of device, ClearPass can enforce different policies, like limiting a smartphone’s access to only basic services. This provides flexibility, making it easy to set policies that suit different device types and security needs.

1.3 Encryption and Data Protection

Encryption is about making sure that the data traveling through the network is protected. Aruba networks support several encryption protocols.

WPA2 and WPA3

WPA2 is the long-established standard for wireless security and uses AES in CCMP mode for encryption and integrity. WPA3 is its successor, with added security features like:

  • SAE (Simultaneous Authentication of Equals): This replaces the WPA2-PSK handshake, in which every client starts from the same static key, with a password-authenticated key exchange. A captured SAE exchange cannot be used for an offline dictionary attack on the passphrase; each guess requires a live exchange with the AP, which can be rate-limited.
  • Individualized Data Encryption: SAE derives a fresh PMK for each client session, so clients that share the same passphrase cannot decrypt each other's traffic, and earlier sessions stay protected if the passphrase later leaks (forward secrecy). WPA3 also makes Protected Management Frames (802.11w) mandatory, which defeats spoofed deauthentication, and WPA3-Enterprise offers an optional 192-bit mode using GCMP-256.

Dynamic Encryption Key Management

Dynamic Encryption Key Management improves security by making sure that every client's traffic is protected by its own session key:

  • PMK (Pairwise Master Key): The top of the 802.11 key hierarchy. With 802.1X it is derived from the EAP exchange, so every client session gets a different PMK; with WPA2-PSK it is computed from the passphrase and SSID, so every client on the SSID shares it.
  • PTK (Pairwise Transient Key): Derived from the PMK together with both MAC addresses and the nonces exchanged in the 4-way handshake, so it is unique per association even when the PMK is shared. It contains the temporal key that actually encrypts a client's unicast traffic.
  • GTK (Group Temporal Key): Used for broadcast and multicast frames, the GTK is shared by all clients on the AP. It is delivered to each client encrypted under that client's PTK and is rotated periodically so that a client that has left cannot keep decrypting group traffic.

By using unique keys for each session, Aruba networks reduce the risk of data interception. With 802.1X this holds even against other users of the same network; with a shared PSK it holds only against outsiders who do not know the passphrase.
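The key hierarchy above, and the reason SAE was needed, can be shown concretely. The following is an added example written for this page, not Aruba's code: it derives the WPA2-PSK PMK and a per-association PTK with the standard 802.11i functions, computes the handshake MIC a client sends in message 2, and then runs the offline dictionary attack that a captured 4-way handshake permits. The SSID, passphrase, MAC addresses, nonces and EAPOL-Key bytes are constructed values standing in for a capture.

```python
"""WPA2-PSK key hierarchy (IEEE 802.11i) and the offline dictionary attack a
captured 4-way handshake enables, which is what WPA3's SAE removes. Added example,
not Aruba's code; SSID, passphrase, MAC addresses, nonces and the EAPOL-Key frame
are constructed. Standard library only."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    With PSK every client on the SSID shares this single PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) concatenated, truncated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (48 bytes): KCK(16) | KEK(16) | TK(16). Both MACs and both nonces
    go in, so the PTK differs per association even when the PMK is shared."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 key descriptor v2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed stand-in for a packet capture of one client's association.
SSID = "corp-psk"
TRUE_PASSPHRASE = "summer2024!"
AA = bytes.fromhex("001122334455")        # AP BSSID
SPA = bytes.fromhex("66778899aabb")       # client MAC
ANONCE = hashlib.sha256(b"constructed-anonce").digest()
SNONCE = hashlib.sha256(b"constructed-snonce").digest()
# EAPOL-Key message 2: header, key info 0x010a (CCMP/HMAC-SHA1, pairwise, MIC set),
# replay counter 1, SNonce, then IV/RSC/ID/MIC zeroed and an empty key-data length.
M2_MIC_ZEROED = (bytes.fromhex("0203005f02010a00000000000000000001")
                 + SNONCE + b"\x00" * 48 + b"\x00\x00")


def sniffed_m2_mic():
    """The MIC a real client would put in message 2; it travels in the clear."""
    kck, _, _ = derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(kck, M2_MIC_ZEROED)


def crack_passphrase(wordlist, captured_mic):
    """Offline attack: one PBKDF2 run per candidate and no further contact with the
    network. Returns the matching passphrase or None."""
    for candidate in wordlist:
        kck, _, _ = derive_ptk(pmk_from_passphrase(candidate, SSID), AA, SPA, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, M2_MIC_ZEROED), captured_mic):
            return candidate
    return None


def per_association_keys_differ():
    """Two clients with the same PMK end up with different TKs (the 'unique key per
    session' the text describes). The caveat: anyone holding the PMK who sniffed a
    peer's nonces can recompute that peer's TK, which SAE's per-client PMK prevents."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    peer_spa = bytes.fromhex("ccddeeff0011")
    peer_snonce = hashlib.sha256(b"constructed-peer-snonce").digest()
    _, _, tk_self = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    _, _, tk_peer = derive_ptk(pmk, AA, peer_spa, ANONCE, peer_snonce)
    return tk_self != tk_peer


if __name__ == "__main__":
    wordlist = ["password", "welcome1", "corpwifi", "summer2024!", "Winter2023"]
    print("recovered passphrase:", crack_passphrase(wordlist, sniffed_m2_mic()))
    print("per-association keys differ:", per_association_keys_differ())
```

The attack needs nothing but the SSID, the two MACs, the two nonces and the MIC, all of which are visible in messages 1 and 2, and it scales with how many PBKDF2 guesses the attacker can afford. SAE removes the offline step entirely because the passphrase never enters a deterministic derivation the attacker can replay; 802.1X removes it because there is no passphrase at all.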

1.4 Threat Prevention and Intrusion Detection

Even with strong authentication and encryption, threats can still attempt to access the network. This section covers tools that monitor the network for suspicious activities and block unauthorized access.

IDS and IPS

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) detect and prevent attacks:

  • IDS watches for threats and alerts the network administrator when something unusual is detected.
  • IPS goes one step further, automatically blocking any detected threats, like rogue APs (unauthorized access points), man-in-the-middle (MITM) attacks, or DoS (Denial of Service) attacks.

WIPS (Wireless Intrusion Prevention System)

WIPS is a system designed specifically for wireless networks to prevent unauthorized devices and malicious traffic. WIPS continuously scans the network for unusual activity and can take immediate action to stop devices that try to connect without permission.

For the exam, candidates should know how to configure WIPS to prevent unauthorized devices from joining the network, ensuring a secure wireless environment.

Summary

To review, Protect and Defend focuses on ensuring that:

  1. Only trusted users and devices can access the network through AAA, 802.1X, and EAP.
  2. ClearPass enforces access policies that match user roles, device types, and locations.
  3. Encryption protocols like WPA2/WPA3 keep data secure as it travels across the network.
  4. Intrusion detection and prevention systems (IDS/IPS and WIPS) keep unauthorized devices out and alert network administrators to suspicious activities.

Each of these steps ensures that the network remains secure and that only authorized users can access resources.

Protect and Defend (Additional Content)

1. Enhancing ClearPass Capabilities: ClearPass Guest & ClearPass OnGuard

ClearPass Guest: Managing Guest Network Access

Aruba ClearPass Guest is designed to securely manage guest access to enterprise networks. It provides temporary network access for visitors, contractors, and customers while ensuring proper authentication and authorization.

Features of ClearPass Guest
  • Self-registration portal: Guests can register themselves using a captive portal.
  • Sponsorship model: An internal employee (sponsor) approves guest access.
  • Multi-method authentication:
    • SMS or email verification for credential delivery.
    • Social login integration (Google, Facebook, LinkedIn).
    • Pre-created guest accounts (conference or corporate visitors).
  • Guest VLAN assignment: Assigns guests to isolated VLANs to prevent unauthorized access to internal resources.
  • Time-based access policies: Guest access can be limited to specific time periods.
How to Configure ClearPass Guest
  1. Create a Guest SSID on the Aruba Mobility Controller or Instant AP.
  2. Enable captive portal authentication: Redirect guest users to the ClearPass Guest portal.
  3. Configure self-registration settings: Set up user authentication methods (email, SMS, sponsor validation).
  4. Define access policies: Assign VLANs and enforce role-based access (e.g., allow internet access but block internal servers).
  5. Monitor guest sessions: Use ClearPass Insight for logging and auditing guest access activity.

ClearPass OnGuard: Endpoint Health Check & Compliance Enforcement

ClearPass OnGuard ensures that only healthy and compliant devices can access the network. It scans endpoint security posture before granting network access.

What OnGuard Can Check
  • Antivirus status: Whether a recognized antivirus program is installed and up-to-date.
  • OS Patch level: Ensures the device has the latest security updates.
  • Firewall status: Checks if the endpoint firewall is enabled.
  • Registry and process validation: Validates running processes to prevent malware-infected devices from connecting.
  • Device type and ownership: Determines if the device belongs to an employee or a guest.
How to Configure OnGuard
  1. Deploy the ClearPass OnGuard Agent (persistent or dissolvable) to client devices.
  2. Define compliance policies: Specify required security configurations (antivirus, OS patches, etc.).
  3. Configure enforcement actions:
    • Grant full access to compliant devices.
    • Redirect non-compliant devices to a remediation VLAN for updates.
    • Completely deny access to high-risk devices.
  4. Monitor and report violations: Use ClearPass Insight to track and analyze non-compliant endpoints.

By integrating ClearPass Guest and ClearPass OnGuard, organizations can enforce strong security controls while providing flexibility in network access.

2. Expanding Threat Prevention: Protecting the Network from Cyber Threats

Rogue AP Detection

A Rogue AP is an unauthorized access point that is connected to the enterprise network, potentially posing security risks. Aruba Wireless Intrusion Prevention System (WIPS) continuously scans for:

  • Unauthorized APs: APs physically connected to the network but not managed by IT.
  • Neighboring APs: External APs that might interfere with enterprise networks.
  • Impersonating APs: APs mimicking enterprise SSIDs to steal credentials.
How to Mitigate Rogue APs
  1. Enable Aruba's WIPS to detect unauthorized APs and classify them; an AP is treated as a rogue, rather than merely interfering, when it is also seen on the wired network.
  2. Require 802.1X or MAC authentication with device profiling on wired switch ports, so that an unmanaged AP plugged into an office jack gets no network access. Plain MAC address filtering is a weak substitute, because the wired MAC of a rogue AP can be set to match an allowed device.
  3. Conduct site surveys to ensure no unauthorized APs exist within enterprise premises.

Wireless Containment: Blocking Unauthorized APs

When a rogue AP is detected, Aruba solutions provide containment measures to prevent unauthorized access:

  • De-authentication (wireless containment): The WIPS sends deauthentication frames to the rogue AP's clients to disconnect them. Two caveats: clients using Protected Management Frames (802.11w, mandatory with WPA3) ignore unauthenticated deauthentication frames, so this only works against unprotected links; and containing APs that belong to a neighbour rather than to your own wired network is unlawful in many jurisdictions (the U.S. FCC has fined operators for it), so limit automatic containment to APs classified as rogue on your own wire.
  • Blacklisting rogue devices: Prevents rogue AP and client MAC addresses from associating with the managed network.
  • Wired 802.1X authentication: Ensures that only authorized APs and clients get access through switch ports.

Evil Twin Attack Prevention

An Evil Twin Attack occurs when an attacker sets up an AP with the same SSID as a legitimate network to trick users into connecting, typically with a stronger signal and often with weaker security (an open SSID, or WPA2-PSK where the real network is WPA3 or 802.1X). Aruba WIPS and the network's security configuration defend against this by:

  • Detecting SSID spoofing: Comparing every beaconed SSID against the inventory of managed BSSIDs; an unknown BSSID advertising a managed SSID is classified as impersonating.
  • Using WPA3/SAE (Simultaneous Authentication of Equals): SAE is mutual, so an AP that does not know the passphrase cannot complete the handshake, and a captured exchange does not allow an offline dictionary attack on it.
  • Implementing mutual authentication for 802.1X: Configuring supplicants to validate the RADIUS server certificate (and preferably using EAP-TLS), so that a rogue RADIUS server behind the evil twin cannot harvest credentials.

DoS Attack Mitigation

A Denial of Service (DoS) attack aims to overwhelm network resources, making them unavailable. Aruba’s security tools help defend against:

  • De-authentication flood attacks: Attackers send fake de-auth packets to disconnect clients.
  • Beacon and probe request floods: Attackers generate excessive beacon/probe traffic to overload APs.
  • RF jamming: External signals disrupt Wi-Fi communication.
How to Prevent DoS Attacks
  1. Enable Protected Management Frames (802.11w) on the SSID; it is mandatory with WPA3 and makes clients discard spoofed deauthentication and disassociation frames, which removes the most common Wi-Fi DoS outright.
  2. Enable Aruba's Adaptive Radio Management (ARM) so that APs move away from jammed or congested channels.
  3. Use the WIPS rate-based detections for deauthentication, disassociation, probe and association floods, and ClearPass Policy Enforcement to limit excessive connection attempts.
  4. Monitor the RF environment using Aruba AirWave/Spectrum Analyzer to detect unusual RF activity.
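The IDS/IPS and WIPS sections above describe two detections in words; the following added example (written for this page, not Aruba's WIPS implementation) shows the logic behind them running over constructed observations: classifying beaconed APs as authorized, impersonating, or neighbor by comparing SSID and BSSID against a managed-AP inventory, and flagging a deauthentication flood from per-BSSID frame rates. The inventory, beacons and frame timestamps are all constructed.

```python
"""Two wireless IDS detections from the text, run over constructed observations:
evil-twin / SSID impersonation classification from beacons, and deauthentication
flood detection from management-frame timestamps. Added example; it is not Aruba's
WIPS implementation. The authorized-AP inventory, beacons and frames are constructed."""
from collections import defaultdict

# Constructed inventory of the APs IT manages: BSSID -> (SSID, security type)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("corp-secure", "WPA3-Enterprise"),
    "00:11:22:33:44:02": ("corp-secure", "WPA3-Enterprise"),
    "00:11:22:33:44:03": ("corp-guest", "Open"),
}
MANAGED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}


def classify_beacon(bssid, ssid, security):
    """authorized: BSSID is ours. impersonating: our SSID from a BSSID we do not manage
    (the evil-twin signature); suffixed '-downgrade' when it also offers weaker security
    than the real SSID, which is how credential-harvesting twins usually look.
    neighbor: a foreign SSID, interference at most."""
    if bssid in AUTHORIZED_APS:
        return "authorized"
    if ssid in MANAGED_SSIDS:
        legitimate = {sec for s, sec in AUTHORIZED_APS.values() if s == ssid}
        return "impersonating" if security in legitimate else "impersonating-downgrade"
    return "neighbor"


def detect_deauth_flood(frames, window_s=1.0, threshold=20):
    """frames: (timestamp_s, frame_type, transmitter_bssid). Counts deauth/disassoc per
    BSSID in a sliding window; roaming produces a trickle, a flood produces a burst.
    Returns {bssid: peak_frames_in_window} for BSSIDs at or over the threshold."""
    stamps = defaultdict(list)
    for ts, ftype, bssid in frames:
        if ftype in ("deauth", "disassoc"):
            stamps[bssid].append(ts)
    alerts = {}
    for bssid, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


# Constructed beacon observations: (bssid, ssid, security)
BEACONS = [
    ("00:11:22:33:44:01", "corp-secure", "WPA3-Enterprise"),
    ("de:ad:be:ef:00:01", "corp-secure", "Open"),             # evil twin, open
    ("de:ad:be:ef:00:02", "corp-secure", "WPA3-Enterprise"),  # impersonating, same security
    ("aa:bb:cc:dd:ee:ff", "CoffeeShop-Free", "WPA2-PSK"),     # neighbor
]


def constructed_frames():
    """A roaming trickle on one AP and, 30 s in, 40 spoofed deauths within 0.5 s on another."""
    frames = [(t, "deauth", "00:11:22:33:44:02") for t in (0.0, 7.5, 15.0)]
    frames += [(30.0 + i * 0.0125, "deauth", "00:11:22:33:44:01") for i in range(40)]
    frames += [(float(t), "beacon", "00:11:22:33:44:01") for t in range(0, 40)]
    return frames


def run_detection():
    verdicts = {bssid: classify_beacon(bssid, ssid, sec) for bssid, ssid, sec in BEACONS}
    return verdicts, detect_deauth_flood(constructed_frames())


if __name__ == "__main__":
    verdicts, floods = run_detection()
    for bssid, verdict in verdicts.items():
        print(f"{bssid} {verdict}")
    print("deauth floods:", floods)
```

Spoofed deauthentication frames carry the victim AP's BSSID as transmitter, which is why the flood is counted per BSSID rather than per attacker; the detection is evidence, but the fix is Protected Management Frames, after which clients simply discard such frames. The beacon classifier is deliberately strict: an unknown BSSID on a managed SSID is suspicious even with matching security, and a downgrade on top of that is the case to act on first.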

3. MACsec (Media Access Control Security, IEEE 802.1AE): Layer 2 Encryption

While WPA2/WPA3 secures wireless communication, MACsec (IEEE 802.1AE) provides encryption for wired Ethernet links at Layer 2.

MACsec Features

  • Encrypts Ethernet frames hop by hop between directly connected devices (switch-to-switch uplinks, or switch to AP or endpoint), leaving only the MAC addresses and the MACsec tag in the clear.
  • Prevents eavesdropping, tampering and replay on the wired link: each frame carries a packet number and an integrity check value, so a device inserted on the link cannot modify or replay traffic, which blocks Layer 2 man-in-the-middle attacks there.
  • Uses AES-GCM (GCM-AES-128 is mandatory; GCM-AES-256 is also defined), giving confidentiality and integrity in one pass.
  • Operates independently of higher-layer encryption (like TLS or IPsec).

Key Components

  • CAK (Connectivity Association Key): The long-term key the two link partners share, either configured as a pre-shared key or derived from the MSK of an 802.1X/EAP authentication. Note that PMK and GTK are 802.11 wireless terms; MACsec has its own key hierarchy.
  • SAK (Secure Association Key): The short-lived key that actually encrypts frames. The elected key server generates it and distributes it to the peer, protected by keys derived from the CAK, using the MACsec Key Agreement (MKA) protocol from IEEE 802.1X-2010, and it is rotated before the packet number can wrap.
How to Configure MACsec
  1. Enable MACsec on the switch ports at both ends of the link; both sides must support it, and a mismatch leaves the link either down or unencrypted depending on the configured policy.
  2. Use 802.1X authentication, or a configured CAK, so that MKA authenticates the peer before any SAK is exchanged.
  3. Remember that MACsec protects one link at a time: for end-to-end protection across hops you do not control, combine it with higher-layer encryption such as TLS or IPsec.

4. Zero Trust Security Model in Aruba Networks

What is Zero Trust?

Zero Trust assumes that no user, device, or application should be trusted by default, even inside the enterprise network.

Zero Trust in Aruba ClearPass

  • Role-Based Access Control (RBAC): Limits access based on user identity, device type, and location.
  • Continuous User Behavior Monitoring:
    • Monitors abnormal login locations or devices.
    • Uses AI-driven anomaly detection to flag suspicious activity.
  • Dynamic Access Enforcement:
    • Adjusts network privileges in real-time based on risk assessment.
    • Example: If a user's device suddenly logs in from another country, their access is reduced or revoked.

How to Implement Zero Trust in Aruba Networks

  1. Deploy Aruba ClearPass to enforce role-based authentication.
  2. Use dynamic segmentation to isolate devices based on risk level.
  3. Enable multi-factor authentication (MFA) for accessing critical resources.
  4. Monitor traffic continuously using Aruba Central AI Insights.

Final Thoughts

By implementing ClearPass Guest, OnGuard, MACSec, WIPS, and Zero Trust, Aruba networks significantly enhance security. These additional topics provide a comprehensive protection strategy against modern threats and ensure only trusted users and devices can access network resources.

Frequently Asked Questions

Why might a machine-authenticated role not appear in Access Tracker even when the device successfully authenticates?

Answer:

The device may only be completing user authentication instead of machine authentication.

Explanation:

In environments using ClearPass with 802.1X, both machine authentication and user authentication may be configured. Machine authentication occurs during system startup before the user logs in, using the computer’s credentials in Active Directory. If the workstation does not authenticate during the machine phase (for example, if the computer certificate or AD machine account is missing or misconfigured), only the user authentication event appears in Access Tracker.

Another common cause is policy configuration. If the enforcement policy only checks user credentials and does not include conditions for machine authentication, the machine role will not be applied. Engineers typically verify the authentication method, EAP configuration, and enforcement rules inside ClearPass to ensure both authentication stages are evaluated.

Why would an Aruba CX switch apply the default role instead of the role returned by ClearPass?

Answer:

The ClearPass service may be operating in monitor mode or enforcement rules are not being applied.

Explanation:

When ClearPass is configured in monitor mode, it evaluates authentication requests but does not enforce policy decisions such as downloadable user roles. As a result, the switch receives authentication results but continues to apply its local default role.

Another possibility is a mismatch between the enforcement profile and the switch configuration. If the role returned by ClearPass does not exist on the switch or downloadable roles are not enabled, the switch falls back to the default role.

Troubleshooting typically involves verifying the RADIUS responses, checking the switch logs (for example show events -r on AOS-CX), and confirming that the ClearPass service is enforcing rather than in monitor mode and that its enforcement profiles return a role the switch knows or is allowed to download.

What is the difference between a threat and a vulnerability in network security?

Answer:

A threat is a potential attacker or harmful event, while a vulnerability is a weakness that the threat can exploit.

Explanation:

A vulnerability exists when a system has a flaw such as weak authentication, outdated software, or misconfigured network policies. This weakness does not cause damage by itself but creates an opportunity for compromise.

A threat is the actor or event capable of exploiting that weakness. Examples include attackers performing spoofing, malware infections, or denial-of-service attacks.

For example, an outdated management protocol like Telnet is a vulnerability because it sends credentials in plaintext. An attacker capturing the credentials on the network would be the threat exploiting that vulnerability.

Security design focuses on reducing vulnerabilities through patching, encryption, and access controls to minimize the risk posed by threats.

Why are protocols like Telnet and HTTP considered insecure management protocols?

Answer:

They transmit data in plaintext without encryption.

Explanation:

Telnet and HTTP do not provide confidentiality for transmitted data. Credentials, configuration commands, and session information are sent as readable text across the network. Any attacker performing packet capture or man-in-the-middle interception can easily extract sensitive information.

Secure alternatives such as SSH and HTTPS protect management traffic by encrypting communication using cryptographic protocols. Encryption ensures that intercepted traffic cannot be interpreted without the proper keys.

Modern network security best practices therefore recommend disabling Telnet and HTTP management access on controllers, switches, and access points and enabling secure protocols like SSH, HTTPS, and authenticated NTP instead.

How does MPSK help secure IoT or headless devices on a wireless network?

Answer:

MPSK allows each device to use a unique pre-shared key and user role instead of sharing a single password.

Explanation:

Traditional WPA2-PSK networks use one shared password for all devices. If that password becomes compromised, every device on the network is affected.

Multi-Pre-Shared Key (MPSK) solves this problem by assigning unique credentials to each device. Each IoT device receives its own PSK and can be mapped to a specific user role through ClearPass. That role determines the device’s allowed network access, such as restricting an IoT camera to only its management server.

This approach improves security by isolating devices, limiting lateral movement, and simplifying credential revocation when devices are removed from the network.

Why might machine and user authentication together fail in an 802.1X wireless deployment?

Answer:

The authentication order or policy conditions may not correctly handle both authentication stages.

Explanation:

In many enterprise environments, devices first authenticate using machine credentials and later authenticate using user credentials when someone logs in. If ClearPass policies are not configured to handle both authentication types, one stage may overwrite the other or fail completely.

Common configuration problems include missing machine authentication rules, incorrect EAP methods, or endpoint profiling issues. If the policy only checks user identity attributes, the machine authentication result is ignored.

Correct configuration requires policies that evaluate both machine and user identities and then apply a combined enforcement rule that determines the final user role.
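The role-assignment behaviour described in section 1.2 (user roles, time- and location-based conditions) and in the three ClearPass answers above (a machine role missing from Access Tracker, monitor mode yielding the switch's default role, and machine plus user authentication needing a combined policy) can be modelled in a few dozen lines. The following is an added example written for this page; it is a simplified model, not ClearPass's policy engine, and the roles, groups, rules and requests are constructed.

```python
"""Simplified model of how a NAC policy engine like ClearPass assigns a role:
ordered rules with authentication-stage, group, device, time and location
conditions, a per-endpoint record of a successful machine authentication, and a
monitor-mode switch. Added example; this is not ClearPass's engine, and the
roles, groups, rules and requests are constructed."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    mac: str
    auth_stage: str                      # "machine" (pre-logon) or "user"
    identity: str
    ad_groups: set = field(default_factory=set)
    device_category: str = "Computer"
    location: str = "HQ"
    now: time = time(10, 0)


@dataclass
class Rule:
    name: str
    role: str
    stage: str = None                    # None matches either stage
    groups: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    hours: tuple = None                  # (start, end) inclusive window
    locations: set = field(default_factory=set)
    require_machine_auth: bool = False

    def matches(self, req, machine_authenticated):
        if self.stage and req.auth_stage != self.stage:
            return False
        if self.groups and not (self.groups & req.ad_groups):
            return False
        if self.categories and req.device_category not in self.categories:
            return False
        if self.hours and not (self.hours[0] <= req.now <= self.hours[1]):
            return False
        if self.locations and req.location not in self.locations:
            return False
        if self.require_machine_auth and not machine_authenticated:
            return False
        return True


class PolicyEngine:
    def __init__(self, rules, default_role="denyall", monitor_mode=False):
        self.rules = rules
        self.default_role = default_role
        self.monitor_mode = monitor_mode
        self.machine_authenticated = set()   # endpoint cache keyed by MAC
        self.log = []                        # what an Access Tracker view would show

    def evaluate(self, req):
        """First matching rule wins; a successful machine stage is remembered for the
        MAC so the later user stage can require it. In monitor mode the decision is
        logged but not enforced, so the NAS keeps its local default role."""
        role = next((r.role for r in self.rules
                     if r.matches(req, req.mac in self.machine_authenticated)), self.default_role)
        if req.auth_stage == "machine" and role != self.default_role:
            self.machine_authenticated.add(req.mac)
        self.log.append((req.identity, req.auth_stage, role))
        return self.default_role if self.monitor_mode else role


WORK_HOURS = (time(8, 0), time(18, 0))
RULES_USER_ONLY = [   # the misconfiguration from the FAQ: nothing evaluates the machine stage
    Rule("employees", "employee", stage="user", groups={"Domain Users"}),
    Rule("guests", "guest", groups={"Guests"}, hours=WORK_HOURS),
]
RULES_COMBINED = [
    Rule("domain-computer", "machine-auth", stage="machine"),
    Rule("employee-corp-device", "employee", stage="user", groups={"Domain Users"}, require_machine_auth=True),
    Rule("employee-byod", "employee-restricted", stage="user", groups={"Domain Users"}),
    Rule("guests", "guest", groups={"Guests"}, categories={"Smartphone", "Tablet"}, hours=WORK_HOURS, locations={"HQ-lobby"}),
]
PC, BYOD, PHONE = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"


def run_scenarios():
    out = {}
    out["user_only_policy_machine_stage"] = PolicyEngine(RULES_USER_ONLY).evaluate(Request(PC, "machine", "host/WS01$"))
    eng = PolicyEngine(RULES_COMBINED)
    out["combined_machine_stage"] = eng.evaluate(Request(PC, "machine", "host/WS01$"))
    out["corp_pc_then_user"] = eng.evaluate(Request(PC, "user", "alice", {"Domain Users"}))
    out["same_user_on_byod"] = eng.evaluate(Request(BYOD, "user", "alice", {"Domain Users"}))
    out["guest_after_hours"] = eng.evaluate(Request(PHONE, "user", "visitor", {"Guests"}, "Smartphone", "HQ-lobby", time(21, 0)))
    out["guest_in_hours"] = eng.evaluate(Request(PHONE, "user", "visitor", {"Guests"}, "Smartphone", "HQ-lobby", time(9, 30)))
    mon = PolicyEngine(RULES_COMBINED, monitor_mode=True)
    out["monitor_mode_applied"] = mon.evaluate(Request(PHONE, "user", "visitor", {"Guests"}, "Smartphone", "HQ-lobby", time(9, 30)))
    out["monitor_mode_logged"] = mon.log[-1][2]
    return out


if __name__ == "__main__":
    for name, role in run_scenarios().items():
        print(f"{name}: {role}")
```

The user-only rule set reproduces the first FAQ symptom: the machine stage matches nothing, so only the user event carries a meaningful role. The combined set shows why the two stages have to be evaluated together: the same user gets the full employee role on a domain-joined PC that machine-authenticated earlier and a restricted role on a device that did not. The monitor-mode engine logs "guest" but returns the default role, which is exactly the mismatch between the Access Tracker view and what the switch applies in the second FAQ.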
