ARUBAOS XSEC MODULE

xSec is a highly secure data link layer (Layer 2) protocol that provides a
unified framework for securing all wired and wireless connections using strong
encryption and authentication. xSec is a Federal Information Processing
Standard (FIPS)-compliant mechanism to provide identity-based security to
government agencies and commercial entities that need to transmit extremely
sensitive information. xSec provides greater security than other Layer 2
encryption technologies through the use of longer keys, FIPS-validated
encryption algorithms (AES-CBC-256 with HMAC-SHA1), and the encryption
of Layer 2 header information including MAC addresses. xSec was jointly
developed by Aruba Networks and Juniper Networks.

UNIFIED SECURITY FRAMEWORK
• Universal authentication and encryption for wired and wireless
users, regardless of network access method

FIPS VALIDATED
• FIPS 140-2 compliant and certified

LEGACY INVESTMENT PROTECTION
• Software-based client solution means legacy wireless access
points and NIC cards do not need to be replaced

DESIGNED FOR COMPATIBILITY
• Based on IEEE 802.1X framework with support for all secure
EAP methods

ROGUE AP PREVENTION
• Rogue AP detection, classification, location and automatic
containment

THE NEED FOR LAYER 2 ENCRYPTION
Traditionally, encryption has been performed at Layer 3 (Network Layer)
in the form of IPsec. IPsec uses 3DES or AES encryption and can
encrypt the IP packet including the source and destination IP addresses
in the header. IPsec provides a commonly accepted, secure method of
communication over untrusted networks since the only information left
unencrypted is the packet headers and pure Layer 2 traffic such as ARP
(Address Resolution Protocol) and DHCP (Dynamic Host Configuration
Protocol) packets.

While the confidentiality of IPsec-encrypted data is not in question, the
possibility exists that an attacker with direct link-layer access to other
devices on a network could carry out attacks against those devices. For
example, a wireless network secured with WEP and IPsec could put
client devices at risk if an attacker obtains the WEP key and gains Layer 2
access to the network. In addition, there is concern among many security
groups that exposure of any packet header information could be used as
the basis of an attack.

For this reason, many government agencies and commercial entities
mandate that strong Layer 2 encryption technologies be deployed to
ensure absolute data privacy. Many defense agencies require that commercial
wireless devices provide Layer 2 encryption for all data transmissions.
Cryptographic engines used for all sensitive U.S. government
communications must be validated as meeting FIPS 140-2 requirements,
and xSec has been designed to address this requirement plus provide a
number of additional benefits.
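
The exposure described in this section, as an added example that is not part of the original datasheet: a Python sketch that parses constructed Ethernet frames and reports what a passive Layer 2 observer can still read when IPsec is the only protection. The frame bytes, addresses and helper names are constructed for illustration; it does not implement xSec, whose frame format this page does not give.

```python
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800      # EtherType values
PROTO_UDP, PROTO_ESP = 17, 50           # IP protocol numbers

def cleartext_view(frame: bytes) -> dict:
    """What a passive link-layer observer can read from one Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # MAC addresses are always readable: IPsec starts above the Ethernet header.
    view = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "kind": "other", "payload_readable": True}
    ip = frame[14:]
    if ethertype == ETH_ARP:
        view["kind"] = "arp"                      # pure Layer 2, never covered by IPsec
    elif ethertype == ETH_IPV4 and len(ip) >= 20:
        ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
        view["src_ip"] = ".".join(map(str, ip[12:16]))
        view["dst_ip"] = ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if ip[9] == PROTO_ESP and len(l4) >= 8:
            # ESP hides the payload, but the outer IP header and SPI stay visible.
            view.update(kind="ipsec-esp", payload_readable=False,
                        spi=struct.unpack("!I", l4[:4])[0])
        elif ip[9] == PROTO_UDP and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            view["kind"] = "dhcp" if {sport, dport} == {67, 68} else "udp"
    return view

# --- constructed sample frames (checksums left at zero, payloads zero-filled) ---
def _eth(dst, src, ethertype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + l4

CLIENT, GATEWAY, BCAST = "020000000001", "020000000002", "ffffffffffff"
SAMPLES = [
    _eth(BCAST, CLIENT, ETH_ARP, bytes(28)),                               # ARP request
    _eth(BCAST, CLIENT, ETH_IPV4, _ipv4(PROTO_UDP, (0, 0, 0, 0), (255,) * 4,
                                        struct.pack("!HHHH", 68, 67, 8, 0))),  # DHCP
    _eth(GATEWAY, CLIENT, ETH_IPV4, _ipv4(PROTO_ESP, (192, 0, 2, 10), (192, 0, 2, 1),
                                          struct.pack("!II", 0x1001, 1) + bytes(16))),
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(cleartext_view(f))
```

In every sample the client MAC address is readable, and only the ESP frame hides its payload, which is the gap Layer 2 encryption is meant to close.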

UNIFIED SECURITY FRAMEWORK
xSec enables universal authentication and encryption regardless of access
method. Every client that connects to the network, wireless or wired,
can authenticate to an Aruba Mobility Controller using an xSec client.
Authentication inside the xSec protocol is accomplished using standard
802.1X EAP (Extensible Authentication Protocol) and a standard RADIUS
server to validate credentials. xSec supports authentication using
passwords, certificates, smart cards, token cards, and other credentials
supported by the chosen EAP type.