Cluster Security

This chapter describes cluster security and the procedure for configuring cluster security DTLS for secure communication. It includes the following topics:

Overview

Enabling Cluster Security

ZTP with Cluster Security

Low Assurance Devices

Cluster Security Debugging Logs

Verifying the Configuration

Overview

Cluster security is a communication protocol that secures control plane messages between Instant access points. Control plane messages such as configuration, cluster join, and other messages distributed between the devices in a cluster are secured using this protocol. Cluster security operates on UDP port 4434 and uses the DTLS protocol to secure messages.

Cluster Security Using DTLS

Cluster security provides secure communication using DTLS. A DTLS connection is established between the Instant APs communicating with each other in the cluster.

The following are some of the advantages of using DTLS for cluster security:

Mutual authentication is performed between the Instant APs in a cluster using device certificates.

Peer MAC address validation against the AP whitelist can be enabled in the configuration.

Control plane messages between cluster members are transmitted securely over the established DTLS connection.

If auto-join is enabled, backward compatibility and recovery of Instant APs is allowed on ARUBA UDP port 8211. Only the messages required for image synchronization and cluster security DTLS state synchronization are allowed on this port.

If auto-join is disabled, the MAC address of a peer Instant AP is verified against the AP whitelist during device certificate validation.

Locked Mode Slave Instant AP

A slave Instant AP with a non-factory-default configuration that has DTLS enabled is considered to be in locked mode of operation. These slave Instant APs cannot join an existing non-DTLS cluster, because backward compatibility and recovery are not allowed in locked mode. This restriction exists for security reasons.

To recover the slave Instant APs in locked mode:

Execute the disable-cluster-security-dtls action command on the slave Instant AP, or

Factory reset the slave Instant AP.

Enabling Cluster Security

You can enable cluster security using the WebUI or the CLI. Ensure that the following prerequisites are satisfied:

Prerequisites

1. An NTP server must be reachable. If the internet is reachable, pool.ntp.org is used by default; otherwise a static NTP server must be configured.

2. UDP port 4434 must be permitted.

In the Old WebUI

To enable cluster security:

1. Navigate to System > General.

2. Select Enabled from the Cluster security drop-down list.

3. Click OK.

In the New WebUI

To enable cluster security:

1. Navigate to Configuration > System > General.

2. Toggle the Cluster security switch to enable.

3. Click Save.

Reboot all the Instant APs in the swarm for the configuration to take effect.

In the CLI:

To enable cluster security:

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# dtls

To disable cluster security DTLS:

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# no dtls

To change the per-module logging level of cluster security:

(Instant AP)# cluster-security logging module <module_name> log-level <level>

To set an individual log level for each module:

(Instant AP)# cluster-security logging module <module_name> log-level-individual <level>

After enabling or disabling the cluster security option, ensure that the Config Sync Status is TRUE in the output of the show summary command before rebooting the cluster.

Cluster security is not supported for L3 mobility.

ZTP with Cluster Security

In earlier versions of Aruba Instant, DTLS had to be disabled on a cluster before provisioning Instant APs through ZTP. The user then had to enable DTLS on the cluster again after ZTP was complete, which was a cumbersome process. In addition, a slave Instant AP running an image that does not support DTLS could not join the cluster through ZTP. Starting from Aruba Instant 8.4.0.0, enhancements allow a DTLS-disabled slave Instant AP to join a DTLS-enabled cluster through ZTP.

Adding Slave Instant APs to DTLS Enabled Clusters

For ZTP to succeed when auto-join is disabled, the Instant AP must be added to the AP whitelist by Central or AirWave before it joins the cluster.

You can allow slaves to join a DTLS-enabled cluster by using the Instant AP WebUI or CLI:

In the Old WebUI:

1. Navigate to System > General.

2. Select Allow from the Non-DTLS Slaves drop-down list.

3. Click OK.

In the New WebUI:

1. Navigate to Configuration > System > General.

2. Click Show advanced options.

3. Select Allow from the Non-DTLS Slaves drop-down list.

4. Click Save.

In the CLI:

The following command allows a slave Instant AP to join a DTLS-enabled cluster:

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# no disallow-non-dtls-slaves

To prevent a DTLS-disabled slave Instant AP from joining a DTLS-enabled cluster:

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# disallow-non-dtls-slaves

To check whether non-DTLS slave Instant APs are allowed to join a DTLS-enabled cluster:

(Instant AP)# show cluster-security

Low Assurance Devices

Most Aruba devices contain a TPM chip that securely stores keys and performs cryptographic operations. However, some devices do not have a TPM chip, so the unique private keys for those devices are stored in flash, which reduces the level of protection for the device.

To overcome this challenge, Instant has introduced a new PKI that issues device certificates to non-TPM devices. These device certificates carry a policy OID indicating that they were issued by this PKI. Non-TPM devices are classed as low assurance devices.

The following new features are introduced in the new PKI:

SHA-256 is supported.

Non-TPM devices can be listed in the policy server.

Policies of new non-TPM Instant APs can be updated.

A 256-bit random number generated by the non-TPM device is used to encrypt the private key that is unique to each device. The key is encrypted using AES. Non-TPM devices compress and store the encrypted private key file and the certificate files in flash. The private key is maintained in an encrypted format, and APIs are provided to applications that need to use the private key.
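The key protection scheme described above, shown as an added Go illustration. This is not Aruba's implementation: the page says only that a 256-bit random number and AES are used, so AES-256-GCM is an assumption chosen so that a tampered blob is rejected on unwrap, and the compression step is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte wrapping key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey models the low-assurance scheme described above: a fresh 256-bit
// random number serves as the AES wrapping key and the DER-encoded device
// private key is sealed with AES-256-GCM (an assumption; the page says only
// "AES"), so a modified blob is rejected on unwrap. The wrapping key is
// returned separately; on a non-TPM device it too must be stored in flash,
// which is what makes such devices "low assurance" compared with TPM-held keys.
func WrapKey(derKey []byte) (wrappingKey, blob []byte, err error) {
	wrappingKey = make([]byte, 32) // the 256-bit random number
	if _, err = rand.Read(wrappingKey); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(wrappingKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag.
	return wrappingKey, gcm.Seal(nonce, nonce, derKey, nil), nil
}

// UnwrapKey reverses WrapKey: authenticate, then decrypt. A signing API
// exposed to applications would call this internally so that callers never
// handle the stored key file directly.
func UnwrapKey(wrappingKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(wrappingKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored key blob too short")
	}
	nonce, body := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil) // fails if blob or key was altered
}
```

Because the wrapping key sits beside the blob in flash, this scheme protects against casual disclosure and tampering of the stored file, not against an attacker who can read the whole flash; that is the gap a TPM closes.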

You can allow low assurance devices by using the WebUI or the CLI:

In the Old WebUI

To allow low assurance devices to a cluster:

1. Navigate to System > General.

2. Click Show advanced options.

3. Select Enabled from the Cluster security drop-down list.

4. Select Allow from the Low assurance PKI drop-down list.

5. Click OK.

In the New WebUI

To allow low assurance devices to a cluster:

1. Navigate to Configuration > System > General.

2. Click Show advanced options.

3. Toggle the Cluster security switch to enable.

4. Select Allow from the Low assurance PKI drop-down list.

5. Click Save.

In the Instant CLI

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# allow-low-assurance-devices

When a DTLS connection is denied to low assurance Instant APs, the connection is not allowed even if the Instant AP is in the Instant AP whitelist.

If a mixed mode cluster (a combination of non-TPM Instant APs and regular Instant APs) is required, set the low assurance devices parameter to allow.

Zeroization of TPM Keys

Zeroization is a process that involves the erasing of sensitive parameters (electronically stored data, cryptographic keys, and critical security parameters) to prevent their disclosure when a device is compromised.

Instant 8.4.0.0 introduces zeroization of TPM keys in FIPS-based Instant APs under circumstances that present a threat to their integrity, such as unauthorized removal of FIPS-based Instant APs, evidence of tampering, and so on.

You can zeroize TPM keys by using the Instant CLI:

In the CLI

(Instant AP)# zeroize-tpm-keys

Cluster Security Debugging Logs

Cluster security logging is organized into modules based on functionality. The following core modules are the most useful for debugging:

peer—The peer module is used to log connection initiation, renegotiation, collision and active connection updates. The log-level should be set to debug level while debugging any issues.

conn—The connection module is used to log connection creation, establishment, data transfer and maintenance updates. The log-level should be set to debug level for debugging DTLS connection issues.

mcap—The module capture module is used to log messages sent and received to the socket. Set log-level to debug to log only control messages. Set log-level to debug1 to log control and data messages.

The following command can be used to set the per-module logging level:

(Instant AP)# cluster-security logging module <module_name> log-level <level>

Once the log-level is set, logs can be viewed using:

(Instant AP)# show log papi-handler

Verifying the Configuration

The following show commands can be used to view the cluster security configuration:

To view the current cluster security configuration and running state:

(Instant AP)# show cluster-security

To view the cluster security statistics:

(Instant AP)# show cluster-security stats

To view the cluster security connection table:

(Instant AP)# show cluster-security connections

To view the cluster security peers:

(Instant AP)# show cluster-security peers

To view the message handler process logs:

(Instant AP)# show log papi-handler <count>