Aruba Networks is now in Russia. Part 1 - Getting Acquainted

    Greetings to all!
    I wanted to tell the public about a relatively recent player in the Russian market for corporate wireless network equipment - Aruba Networks, which pays great attention to wireless security. This post is primarily descriptive, meant to give a first glimpse of Aruba, so some things are intentionally simplified.

    Yes, abroad Aruba Networks is very well known, and is even among the leaders according to the June edition of the Gartner report, along with Cisco and HP Networking:

    What is Aruba Networks? First of all, these are solutions designed to build a secure wireless local area network in offices, in geographically distributed corporations connected over public networks, and in relatively small open areas (stadiums, etc.). The solution described below is not suitable for building MAN-class wireless networks; for that you need either Aruba Networks Mesh or Motorola solutions.
    The main difference from Cisco products is the lower cost of the final solution (about 1.5 times) and the smaller amount of equipment (for example, in most cases no additional network management software is required - the software built into the controller fully covers the needs of the enterprise, although there are exceptions, which can be discussed later).
    In addition, the manufacturer offers some features that other manufacturers do not provide for this kind of money.
    What can Aruba do, apart from actually building a centrally controlled Wi-Fi network? The list of features is quite long. Below we will try to mention them all.


    Solutions range from controllers for small offices (branch offices, in Aruba Networks terminology) that support 8 access points connected directly to them via LAN, or up to 64 remote access points (I don't remember exactly right now - there are no specifications at hand), up to modular ones on a single chassis, where each module can support up to 2048 LAN-connected access points.

    A small digression - why do I write “LAN-connected points” and “remote access points”? From the controller's point of view, these are different kinds of connections:
    Via LAN: the access points are located within the organization's network, and the controller has a certain internal static address. Communication with the points takes place over the GRE protocol.
    Remote access points. In Aruba Networks terminology this is called a “remote access point” (and here there is some confusion - more on that below). It means that the access point (hereinafter referred to as the AP) connects to the controller via the public network (Internet) using a VPN (IPsec by default, but you can choose another one). This is good for organizing wireless networks in small remote branches, where, on the one hand, installing a controller is expensive and makes no sense, but, on the other hand, you must provide network access with corporate security policies. In this case the controller, of course, must have an IP address visible from the outside, i.e. it must either be located in the DMZ, or forwarding of packets from the DMZ to the controller must be configured.

    A little digression. I plan to describe the specific features of the implementation for each option in future articles, but for now I'll just say that in the case of “remote APs” it is possible to configure routing so that the user's Internet requests go directly to the Internet through a local provider, while at the same time the AP's service requests to the controller and all user requests bound for the head office (access to the internal network, for example) go through the VPN.

    A nice feature when building a network: APs do not need a direct (physical) connection to the LAN - service information can reach them “over the air”, using Mesh technology. In this case you only need to physically connect 1 AP, because the controller does not have a built-in Wi-Fi module.
    The junior series controllers (600 series) also have USB ports, to which you can connect an external USB 3G/4G modem (Yota, for example, works), or use them to set up a NAS or a shared network printer, or simply plug a USB flash drive into the device, making it accessible to network users (in accordance with access policies, if configured).
    In addition, all controllers support the creation of a guest portal with the ability to create individual guest accounts with a limited validity period and various authentication schemes (LDAP, RADIUS, internal database, certificates, etc.); they have a built-in firewall that works at layers 2 through 7 of the OSI model, wireless intrusion prevention (WIPS - Wireless Intrusion Prevention), the ability to suppress “foreign” access points (in fact, what is suppressed is the connection of client devices to foreign networks within the APs' coverage area), and the ability to encrypt traffic according to the Suite B standards.
    Yes, there is a protocol for discovering equipment on the local network - Aruba Discovery Protocol. I.e., having stuck an access point somewhere in the steel hull of a giant plant, we get all the necessary settings and policies on it without much hassle - provided, of course, it can find its way to the controller. ARM technology is also built in - adaptive radio management, which monitors the band and puts the client on the least loaded channel, increasing the transmitter power in one place and lowering it in another... Moreover, APs are combined into groups, and each group has its own settings and security policies, so different policies can be implemented in different branches without any problems. QoS for guaranteed channel bandwidth is also present; besides,

    Well, a few words about appearance. Mid-level controllers (3000 series) look, in general, like the ordinary switches probably familiar to everyone, and can be put in a standard rack. The top-end, modular one is a three-unit chassis that supports up to 4 modules. The youngest series - 600 - is designed to be installed on any horizontal surface, and some attempt was even made to refine its design:

    A pot with a cactus is begging to be placed on top, to soothe the workers by neutralizing the harmful radiation.

    All controllers have Fast Ethernet (10/100) and Gigabit Ethernet (10/100/1000) ports. Yes, some of the controller ports have PoE. Some models also have SFP ports. There is also always an RJ-45 console port (RS-232). You can connect to the controller via HTTPS, or via SSH/Telnet to work with the CLI. And it should be noted that some operations are easier to perform in the CLI than in the web UI.
    Controllers support almost all common traffic encryption algorithms and security protocols.
    Controllers can also determine the location of “rogue” APs and client devices and track their movement. You need at least 3 APs, because positioning is implemented on the principles of triangulation. True, there are peculiarities here as well, but we can talk about them later, if there is interest.

    Access points

    Aruba Networks offers many access points - from simple devices that do what they should (provide a Wi-Fi network) to monsters for working in harsh conditions: in dusty workshops, outdoors, etc.
    All access points can operate in the temperature range from 0 to 50 °C (for a model designed for outdoor use - from -30, if memory serves, to +55 °C), at a relative humidity of 0-95% without condensation (again, excluding access points intended for outdoor use). Next, we'll talk about access points designed for indoor use.
    Most models, except the most budget ones, are able to operate simultaneously in the 2.4 and 5 GHz bands (802.11a/b/g/n) and use MIMO technology to increase the data transfer rate. Some models can only work in one selected band (2.4 or 5 GHz); the transmitter power of the point is regulated by the controller. The maximum usually reaches 21-23 dBm (excluding units supplied for China - there it is 30). Data transfer rates range from 150 to 300 Mbps, again depending on the model. Additional features - such as a spectrum analyzer - are supported starting from the mid-price models.
    Common to all points: the same model is, as a rule, available in versions with internal or external antennas. In turn, some of the models come with external antennas “on board”, and some with connectors for external antennas. All points support power from either PoE or a power adapter.
    The interfaces on the AP are Fast/Gigabit Ethernet and an RJ-45 console port. Among the additional features, it can be noted that APs can function in 2 modes: either under the control of a controller, or autonomously. In the latter case the AP is able to act as a virtual controller for several other points connected to it. Or just be an expensive compact router. But there are limitations: at “home” (when it works in virtual controller mode), the AP must receive a DHCP address, otherwise the Wi-Fi radios will not come up, despite the cheerful LEDs. This is due to some idiocy of the AP architecture which, it seems, the manufacturer introduced consciously, because there are RAP-class APs (see below) to which this restriction does not apply.
    When you power off the AP, no information about the network, policies, and so on remains on it, i.e. on power-up the AP will request its settings from the controller. This is the reason for the relatively long start time of the AP - from 5 to 7 minutes.
    I propose to admire middle-class APs, so to speak:

    Moreover, all APs support the creation of 8 to 16 virtual access points. I.e., one AP broadcasts several networks, each with its own BSSID, each mapped to its own VLAN.

    A separate type of AP - RAP

    Here we come close to the confusion in terminology. “rap” (remote AP) is a type of connection for “ordinary” APs, while RAP is a special class of APs that resemble ordinary household wireless routers in functionality and appearance, but are able to work under the control of a controller and receive policies from it, have a larger number of Ethernet ports suitable for connecting, say, a network printer, and can also connect a USB modem. The main differences from conventional APs are that there is no spectrum analyzer, and that these APs can store information about networks, policies, etc. They can also work as a standalone router - and for that they do not require a DHCP address at all, unlike ordinary APs. But this class lacks the following capabilities of ordinary APs:
    1. It cannot work inside the LAN via GRE - only via a VPN connection. This is important, because the license for the number of connected APs also limits the number of points connected in each way.
    2. It cannot work in Mesh (although it can itself be a Mesh portal for ordinary APs), depending on the model.
    RAP points come in several types; they differ in size, number of ports and some other features. Most models have an integrated TPM chip (Trusted Platform Module).

    It may look like the image below:

    Roughly speaking, it is a kind of advanced router.
    This device is intended for organizing wireless networks in some remote backwater, where the Internet is available half a kilometer away, but you still need to provide a network, and preferably with security policies. In general, the advantage of this solution is huge: you can set up this box and hand it to the office manager with the words “Masha, when you get there, plug the cable into this socket and the other end into the network.” That's it - the piece of hardware will do the rest itself.

    WEB interface

    And finally, let's see how the web interface is implemented. The screenshots below are taken from the administrator account, but it is possible to create an observer role - only the pages for monitoring clients or the system will be available, without the ability to change the controller settings. On login we land on the main page, where we can find out the number of connected clients, network performance and other useful information:

    We can also get detailed information on the client:

    Also on this tab there is a network security section, which shows the number of suppressed (rogue) networks, neighbor (interfering) networks and other networks, including service ones. Naturally, for each network you can see the clients connected to it, get some information about bandwidth, self-diagnostics, etc.:

    Well, finally (I think everyone has already understood what the Aruba interface is like), I'll give a screenshot of the RF environment analysis:

    A bit about implementation

    Just a few words. Since the solution is self-sufficient, in most cases everything goes quite simply: you need to find a free port on the switch and plug the controller into it, decide how the APs will operate - using Mesh technology (in this case it is enough to provide them with 220 V power only) or via LAN - and configure the controller. In most cases no additional servers need to be set up; if necessary, the controller can also be used as a router for some wired network segment. But it should be borne in mind that the controller can detect devices connecting to this segment and mark them as unauthorized, after which they will not work (yes, unauthorized connections to the wired network segment can be detected).
    In most cases there is no need to install additional servers and software; additional servers are needed if you want to implement functionality such as a full-fledged RTLS (real-time location system), centralized management of network equipment from various vendors (you can, by the way, combine RTLS and the management system), transparent BYOD, etc.
    For RTLS, Aruba Networks integrates seamlessly with Ekahau or Aeroscout.

    In conclusion

    Here I tried to give an overview of Aruba Networks, but, unfortunately, the topic of security is clearly not fully covered, although it is, in general, the key feature of the product. Therefore, as time permits, I will write a more “technical” post on the security of Aruba Networks, and also try to cover the other Aruba features - such as BYOD, for which you do not need to install any software on client devices, the AirWave multi-vendor management system, VIA secure access to the corporate LAN, one-time password functionality, etc. - but the latter only if there is interest in the topic, probably.
    It should be noted that, in contrast to the equipment of other vendors, the functionality here is already offered implemented in hardware, and enabling it only requires the purchase of the appropriate solutions.

    And, if anyone is interested - there are integrators in Moscow who can build solutions based on Aruba Networks, but, so as not to spread advertising, please ask about this via Habr private messages.

    Thank you all for your attention!
