07-Mar-24

Setting Security Policy

The following procedure covers role identification and the configuration of security zones and network segments. Combining the three segmentation methods summarised below allows for flexible segmentation.

Security Policy    Segmentation type     Description
User Roles         Micro Segmentation    Device-level policy that abstracts IP and can be applied within the same subnet or outside of it
Security Zones     Mezzo Segmentation    Subnet-level policy that applies to a subnet or group of subnets, allowing or denying connectivity between groups of subnets
Segments           Macro Segmentation    Network-level policy that separates entire segments of the network from the rest of the network (VRF)

Roles should be identified before anything else is configured. The following roles will be used by the Access Point, the switch and the SD-WAN Gateway.

Role Name        VLAN
EMPLOYEE         101
CAMERA           102
BADGE_ACC        103
MEETING_KIOSK    103
THERMOSTAT       103
GUEST            104
REJECT           105
CRITICAL_AUTH    106
QUARENTINE       107

Caution: The role name is case sensitive; ensure it is identical on all devices, including ClearPass.

Configuring Security Zones

The following section demonstrates how to configure Security Zones, which define the type and direction of traffic that is allowed to flow between zones.

Step 1 Select the Configuration tab in the top left hand side.

Step 2 In the Overlay & Security column select Firewall Zones.

Step 3 Click Add Zone and, in the input box, enter: LAN

Step 4 Click Add Zone and, in the input box, enter: WAN

Step 5 Click Add Zone and, in the input box, enter: IOT

Step 6 Click Save.


Configuring Network Segments

By default, network segments are completely isolated and traffic is only routed within the same segment. Network segments will be used to segment the Guest and Quarantine traffic.

Step 1 Select the Configuration tab in the top left hand side.

Step 2 In the Networking column select Routing Segmentation (VRF).

Step 3 Click + Add Segment, enter: Guest

Step 4 Click + Add Segment, enter: Quarantine


Configure Segment Policy

The Overlay Breakout policy will be used to restrict Guest and Quarantine devices from using the higher-priority BIOs (Business Intent Overlays).

Step 1 Open the Routing Segmentation (VRF) page.

Step 2 Navigate to the Overlay & Breakout Policies column.

Step 3 Click +Add for any segment.

Step 4 For the quarantine and guest segments, click the include button.


Configure Firewall Zone Policy

The following section of the guide demonstrates how to configure a Firewall Zone Policy rule. The same process is then used to configure the Firewall Zone Policy for each segment.

Configure Default Segment

Using the following steps, the policy table shown below will be configured.

[Figure: Default segment zone policy]

Step 1 In Firewall Zone Policy column click +Add.

Step 2 Click the Default to WAN box.

Step 3 Click Add Rule

Step 4 In the ruleset table Delete the Match Everything rule.

Step 5 In the Action column, change the Deny rule to Allow.

Step 6 Click OK.

Step 7 Repeat Steps 1-6 to configure the remaining allow-all policies using the table below.

[Figure: allow-all zone policy table]

Step 8 Select the LAN to IOT box

Step 9 Click Add Rule.

Step 10 Select the Match Criteria column.

Step 11 Check the User Role box, and check the SRC:Dest box.

Step 12 Enter the Source role as EMPLOYEE and the Destination role as THERMOSTAT.

Step 13 Click OK.

Step 14 Repeat the rule set with the source and destination roles swapped for the IOT to LAN box.

Step 15 Click Save.

Step 16 (Optional) Enter a comment, then click Save.

Step 17 Hit the X in the top right.


Configure Address Groups

Step 1 Click Configuration and, in the Templates & Policies column, click Address Groups.

Step 2 On the Address Groups page click Add Group.

Step 3 Enter the following.

  • Name: RFC1918
  • IP Space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Step 4 Click Add.


Step 5 On the Address Groups page click Add Group.

Step 6 Enter the following.

  • Name: DHCP_DNS
  • IP Space: 10.2.120.99, 10.2.120.98

Step 7 Click Add.


Step 8 On the Address Groups page click Add Group.

Step 9 Enter the following.

  • Name: Clearpass
  • IP Space: 10.2.120.94, 10.2.120.95

Step 10 Click Add.


Configure Quarantine Segment Firewall Policy

The quarantine segment needs to be able to access the WAN and the HoneyPot services over the WAN. The following section demonstrates how to configure the inter-segment security policy for it.

Step 1 In Firewall Zone Policy column click +Add.

Step 2 Click the Default to WAN box.

Step 3 Click Add Rule.

Step 4 In the ruleset table Delete the Match Everything rule.

Step 5 In the Action column, change the Deny rule to Allow.

Step 6 Click OK.

Service         Action    Destination
DHCP            Allow     DHCP_DNS (Address Group)
DNS             Allow     DHCP_DNS (Address Group)
All services    Allow     10.13.120.0/26
All services    Deny      All Destinations


Configure Guest Segment Firewall Policy

The Guest segment needs to reach the internal DNS, DHCP and ClearPass servers. This section demonstrates how to configure the inter-segment security policy that allows the guest network to reach these services.

Step 1 In Firewall Zone Policy column click +Add.

Step 2 Click the Default to WAN box.

Step 3 Click Add Rule.

Step 4 In the ruleset table Delete the Match Everything rule.

Step 5 In the Action column, change the Deny rule to Allow.

Step 6 Click OK.

Service         Action    Destination
DHCP            Allow     DHCP_DNS (Address Group)
DNS             Allow     DHCP_DNS (Address Group)
HTTPS/HTTP      Allow     ClearPass (Address Group)
All services    Deny      RFC1918 (Address Group)
All services    Allow     All Destinations


Configure Inter-Segment Routing and DNAT

In the previous section, security policies between segments were configured. However, the firewall policy alone does not allow inter-segment communication; it only enforces security on the traffic within a segment.

To allow full inter-segment communication, Inter-segment Routing and DNAT must be configured.

Each segment is configured with the subnets that are routed to and from it. Use the following steps to configure inter-segment routing.

Step 1 Go to the Routing Segmentation (VRF) page. In the Default Segment row and the Inter-Segment Routing & DNAT column, click +Add.

Step 2 At the top right, click the +Add Rule button.

Step 3 Enter the Match condition as: 10.14.52.0/24

Step 4 Set the Send to Segment to: Guest

Step 5 In the comment enter: BOIBR-GUEST

Step 6 Repeat steps 2 to 5 swapping each input for the items shown in the table below.

Source Segment    Destination Segment    Match Condition    Comment
Default           Guest                  10.14.52.0/24      BOIBR-GUEST
Default           Quarantine             10.14.55.0/24      BOIBR-QUAR
Default           Guest                  10.14.44.0/24      PORBR-GUEST
Default           Quarantine             10.14.47.0/24      PORBR-QUAR
Default           Guest                  10.14.36.0/24      CHIBR-GUEST
Default           Quarantine             10.14.39.0/24      CHIBR-QUAR

Step 7 Click Save.


Step 8 In the Quarantine segment row of the Inter-Segment Routing & DNAT column, click +Add.

Step 9 At the top right, click the +Add Rule button. Use the table below to configure the rules.

Step 10 Repeat steps 8 to 9 for the guest segment, using the table below.

Source Segment      Destination Segment    Match Condition    Comment
Quarantine/Guest    Default                10.2.120.98/31     DHCP/DNS
Quarantine/Guest    Default                10.2.120.94/31     ClearPass
Quarantine          Default                10.13.120.0/26     Honeypot

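The Guest and Quarantine zone-policy tables are evaluated top-down, so their ordering decides the result (the ClearPass allow must sit above the RFC1918 deny), and the /31 return routes in the last table must cover every member of the DHCP_DNS and ClearPass address groups. The following Python is an added example, not part of this guide and not Orchestrator's own policy engine: it models those tables as a first-match ruleset and checks the return-route coverage, using constructed test destinations.

```python
# Added example (not from the Aruba guide): the Guest and Quarantine zone-policy
# tables as a first-match ruleset, plus a check that the /31 return routes cover each address group.
import ipaddress
from dataclasses import dataclass

ADDRESS_GROUPS = {  # as defined under "Configure Address Groups"
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "DHCP_DNS": ["10.2.120.99", "10.2.120.98"],
    "ClearPass": ["10.2.120.94", "10.2.120.95"],
}

@dataclass
class Rule:
    services: set      # service names; {"*"} means "All services"
    action: str        # "Allow" or "Deny"
    destination: str   # address-group name, CIDR, or "*" (All Destinations)

# The two rule tables from the page, in the order they are listed.
GUEST_RULES = [
    Rule({"DHCP"}, "Allow", "DHCP_DNS"),
    Rule({"DNS"}, "Allow", "DHCP_DNS"),
    Rule({"HTTPS", "HTTP"}, "Allow", "ClearPass"),
    Rule({"*"}, "Deny", "RFC1918"),     # must come after the ClearPass allow
    Rule({"*"}, "Allow", "*"),
]
QUARANTINE_RULES = [
    Rule({"DHCP"}, "Allow", "DHCP_DNS"),
    Rule({"DNS"}, "Allow", "DHCP_DNS"),
    Rule({"*"}, "Allow", "10.13.120.0/26"),
    Rule({"*"}, "Deny", "*"),
]

def _dest_matches(destination, ip):
    if destination == "*":
        return True
    nets = ADDRESS_GROUPS.get(destination, [destination])
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def evaluate(rules, service, dst):
    """Action of the first rule matching (service, dst); implicit deny otherwise."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if ("*" in r.services or service in r.services) and _dest_matches(r.destination, ip):
            return r.action
    return "Deny"

def return_routes_cover(match_conditions, group):
    """True if every member of an address group lies inside one of the
    inter-segment return-route match conditions (the /31s in the last table)."""
    nets = [ipaddress.ip_network(m) for m in match_conditions]
    return all(any(ipaddress.ip_address(h) in n for n in nets) for h in ADDRESS_GROUPS[group])
```

Swapping the order of the RFC1918 deny and the ClearPass allow in GUEST_RULES makes evaluate() return "Deny" for HTTPS to 10.2.120.94, which is the misconfiguration this check catches.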



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.