
Celebrating Aruba Control Plane Security

By Chris Grundemann, Blog Contributor

Since its announcement in January of this year and its launch in June, WPA3 has been dominating the Wi-Fi network security headlines. This is well deserved, as it represents a major step forward in several key areas of Wi-Fi security. Today, however, I want to celebrate an often-overlooked security feature offered by Aruba: Control Plane Security (CPSec).

To Secure Users, First Secure the Network

While WPA3 provides many new security protections, including individualized data encryption, none can help users who mistakenly connect to a compromised or rogue AP. To ensure your users’ security, you must first secure your network. That’s where CPSec comes in.

CPSec does two things. First, it uses IPSec to provide a secure, encrypted communication channel between authorized APs and mobility controllers. Second, it allows you to define the allowlist of authorized APs.

IPSec

Perhaps the most obvious benefit of enabling CPSec is that it encrypts all control plane communication between authorized APs and their controllers. This encryption is handled by the industry-standard, public-key, certificate-based IPSec protocol suite. Two types of certificates can be used to certify APs and encrypt their control plane messages:

  • Self-signed certificates – When using self-signed certificates, the Conductor controller generates the certificates and then sends them to local controllers, which use them to certify the APs terminating on that controller. If there are no local controllers, the Conductor sends its certificates directly to the APs that it terminates.
  • Factory-installed certificates – Newer AP models are equipped with a TPM (Trusted Platform Module) chip, which stores a unique certificate. These APs (models from AP-105 & AP-12** and above) do not need a certificate downloaded from the Conductor controller.

In both cases, the certificates enable IPSec encryption for all control/management plane communication. Since the Conductor controller is the trust anchor, APs can failover between local controllers without issue.

Campus AP Allowlist

While the benefits of encrypting traffic, especially the traffic that controls your Wi-Fi network, may be obvious, another benefit of enabling (and properly managing) CPSec is perhaps just as important: AP allowlisting.

You may have noticed that I used the term "authorized APs" above. When using CPSec, only authorized APs are allowed to communicate with the controller. You authorize an AP by adding its MAC address (and an optional description) to the Campus AP allowlist. This gives you specific and direct control over which APs are allowed to join your Wi-Fi network. No more rogue APs!

CPSec Fun Facts

While configuring CPSec is very simple, I have seen many colleagues trip over some of the details. To help combat this, here are some fun facts, things to watch for, potential pitfalls to avoid, and other notes:

  • CPSec is enabled by default for new deployments. This is ideal, since it makes a best practice the default, and turning it on later can cause several minutes of downtime as APs reboot to establish secure communication.
  • The Campus AP allowlist can be created manually (the default) or automatically. Automatic essentially authorizes any AP that contacts the controller, so this method should only be used when you are sure there are no rogue APs present. You can limit the automatic authorization with an IP range. I strongly recommend that even when you use automatic (auto-cert) provisioning, you disable it after initial setup to prevent unwanted APs.
  • Once an AP is authorized, you can revoke its certificate or simply delete it from the allowlist. This is great if you find a rogue AP or need to replace an AP.
  • The Campus AP allowlist is synchronized between all Conductor and Member controllers. This is great in day-to-day operations but can be troublesome if you move a mobility controller to a new campus. Be sure to always purge the allowlist before redeploying a controller.
  • When using CPSec, user traffic is unaffected. It is still sent via GRE tunnel.
  • CPSec cannot be used with Remote APs (RAP). Since RAPs already encrypt all traffic (user and control) with IPSec, adding CPSec to double-encrypt control plane traffic would add too much overhead and is not an option. Also, when using RAP and CPSec, there are two allowlists, one for Campus APs and one for Remote APs.
  • Currently, CPSec only supports IPv4. This is a major bummer, but for now, if your controller terminates any IPv6 APs, do not enable CPSec.
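To make the allowlist behaviour from the "Campus AP Allowlist" section and the notes above concrete, here is an added example that models the controller's decision in Python. It is not Aruba's code or CLI: the class, the start/end representation of the auto-cert IP range, the revoke/purge operations and the result strings are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

def normalize_mac(mac: str) -> str:
    """Canonicalize 00:1A:1E..., 00-1a-1e..., 001a.1e..., 001a1e... to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class CampusApAllowlist:
    entries: Dict[str, str] = field(default_factory=dict)  # MAC -> optional description
    revoked: Set[str] = field(default_factory=set)         # MACs whose certificate was revoked
    # Hypothetical: auto-cert provisioning limited to an inclusive IPv4 start/end range; None = manual only
    auto_cert_range: Optional[Tuple[str, str]] = None

    def add(self, mac: str, description: str = "") -> None:
        self.entries[normalize_mac(mac)] = description

    def revoke(self, mac: str) -> None:
        self.revoked.add(normalize_mac(mac))   # stays listed, but can no longer join

    def purge(self) -> None:
        """Empty the allowlist, e.g. before redeploying a controller to a new campus."""
        self.entries.clear()
        self.revoked.clear()

    def _in_auto_cert_range(self, ip: ipaddress.IPv4Address) -> bool:
        if self.auto_cert_range is None:
            return False
        lo, hi = (ipaddress.IPv4Address(a) for a in self.auto_cert_range)
        return lo <= ip <= hi

    def decide(self, mac: str, ip: str) -> str:
        """Return the controller's decision for an AP that contacts it."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return "reject: CPSec only supports IPv4 APs"
        m = normalize_mac(mac)
        if m in self.revoked:
            return "reject: certificate revoked"
        if m in self.entries:
            return "authorized"
        if self._in_auto_cert_range(addr):
            self.add(m, "auto-cert")    # automatic provisioning silently adds the AP
            return "authorized (auto-cert)"
        return "reject: not in allowlist"
```

Note how an AP admitted by auto-cert ends up in the allowlist with no operator review, which is why the post recommends disabling automatic provisioning after initial setup.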

Tl;dr:

While WPA3 is all the rage these days, don’t forget basic security hygiene. Aruba’s CPSec is a valuable tool that is both simple and powerful. To learn more, check out the “Control Plane Security” chapter in your ArubaOS User Guide.

Follow Chris Grundemann on Twitter @ChrisGrundemann.
