New HPE Aruba Networking Central device discovery and profiling leverages AI and network data to automate access policies for users and devices
- More than ever, networking teams need to be working hand-in-hand with security teams.
- Networks can be both a security sensor and a security enforcement tool – it’s built into the infrastructure itself. We have new capabilities in both areas within the past six months.
- AI/machine learning provides a powerful means of answering “What’s on my network?” in a way that was difficult to do in the past with signature-based approaches.
Given current events, ransomware is on everyone’s mind and the focus is how to plug the security gaps that allow attackers access. Last week’s cybersecurity executive order from President Joe Biden made this a top priority with a focus on the well-established Zero Trust security framework.
Vulnerabilities come in many forms and we have known for a long time that the onslaught of IoT devices onto corporate networks is largely unprotected. It’s little wonder that when the Ponemon Institute surveyed 4,000 security professionals and asked why breaches still happen, the top answer was the increasing attack surface. As a networking vendor, connecting people and things is part of our core mission. But that’s not good enough anymore – we and our customers can’t continue down the “networks connect everything; the security team will install firewalls to block the things they don’t want” path. That is why we have increasingly focused not just on connecting and managing users and devices, but also building security into our networks with support for frameworks like Zero Trust and SASE, forging an essential partnership between networking and security.
Built-in security has been our hallmark since day one. Starting life as we did in 2002, as a Wi-Fi company with the breaking of WEP encryption fresh in our minds, we heavily invested in security to assure our enterprise customers that Wi-Fi could be done securely. Today, our evolving security architecture allows us to offer customers a very prescriptive Zero Trust Security foundation in five key areas:
- Visibility: It’s hard to protect something when you don’t know it’s there. We answer the fundamental question, “What’s on my network?”
- Authentication: Employing a variety of technologies to clearly identify who and what is trying to obtain access.
- Role-based Access Control: Just because a device is connected to an Ethernet port or a Wi-Fi network doesn’t mean it gets unfettered access to the entire network. We apply business-driven access policies, based on identity and mapped to a role, enforced with a built-in L4-7 Policy Enforcement Firewall.
- Continuous Monitoring: Looking for changes in security status that can indicate a compromise.
- Attack Response: Changing network access privileges in response to a breach.
(For the Cybersecurity Framework fans out there, you might recognize the above as covering four of the five: Identify, Protect, Detect, and Respond.)
For years HPE Aruba Networking customers have been using our built-in Policy Enforcement Firewall, a Layer 7 stateful firewall, combined with ClearPass Policy Manager to deliver these five capabilities. But, as I mentioned, we’ve put a lot of focus on the IoT problem over the last several years as the influx of these devices into the enterprise world has accelerated.
From vending machines to building controls to a professor’s Raspberry Pi-based experiments, “things” are flooding onto the network at an exponentially increasing rate. They are driving much of the new customer experiences and business models that make up digital transformation, and aside from the general IoT management issues, these devices come with little or no security controls or protection. In that same Ponemon survey, over 75% percent said they had little or no confidence in protecting IoT devices. Our customers tell us that they can’t see up to 50% of what is connected to their network.
That is why we introduced ClearPass Device Insight (CDPI) in 2019. CPDI uses network traffic analysis to spot everything connected to the network, and machine learning to automatically determine what the device is. This answers the question, “What’s on my network?” in a much more definitive way than was previously possible.
When CPDI launched, packet-level visibility was provided by a “collector” – a virtual or physical appliance connected to a SPAN port or a network packet broker. Such a collector is typical in the security industry – but we wanted to do better. From the beginning, we wanted this sort of telemetry to come directly from the network infrastructure itself.
So now our network is a security sensor. Can we use it for security enforcement as well? Absolutely. As CPDI collects data about network activity, it develops a detailed view of what each connected device is doing: protocols, ports, and behavior patterns. That information flows to ClearPass Policy Manager, which uses it to decide the appropriate role and access privileges, and to the Policy Enforcement Firewall to enforce access rights and traffic segmentation. No more blind spots. No more security cameras with free access the ERP system.
All of this is managed and delivered via HPE Aruba Networking ESP (Edge Services Platform) and our cloud-native network management solution, HPE Aruba Networking Central. A practical example of the power of role-based access control is the recently introduced Aruba IoT Transport for Azure. This Aruba Central service allows IoT devices connected to Aruba access points (APs) to securely and bi-directionally communicate with the Azure IoT Hub.
We suspect you’ll be hearing a lot about IoT security, network data and ML. That’s a good thing. In our interconnected world, networks without built-in security controls leave us all more vulnerable. We’re proud to lead the pack in bringing Zero Trust principles to enterprise networks, and as the need grows stronger, we’ll continue to lead.
Ready to learn more?
To learn more about the state of Zero Trust, SD-WAN, and SASE architectures, view the infographic.
For more information about HPE Aruba Networking security solutions, visit www.arubanetworks.com/security.
