Close

HPE Aruba Networking Blogs

Beyond the Hype: A Real Step Toward Zero Trust Network Security

By Jennifer Minella, VP of Engineering and Security, Carolina Advanced Digital


Most readers know that I've worked very deeply in network security for more than 15 years, and throughout that time have been constantly frustrated with the egregious gap between marketing hype and practical function of many network security products. With that background in mind, it may be alarming to you that I'm sharing what may be the first solution set offering real, tangible Zero Trust networking.

Just a few years ago, Aruba debuted the “colorless port” and leveraged its wireless controller architecture for a very limited port segmentation feature. Limited in that it wasn't scalable to manage all, or even most, ports on even small networks. “Cute,” I thought at the time. I, like many of you, desperately yearned for a world without complex VLAN and ACLs configurations to achieve security (and auditable) segmentation. Even with our best NAC products, the infrastructure still had to be configured to support segmentation at layers 2 and/or 3—there's just no way around it. The colorless ports and port tunnel in essence gave granular port-level control from a central control plane (the controller). It was magical fairy dust, but you only got a few grains of it.

As I watched the Aruba Atmosphere Digital event this summer, I didn't expect much beyond the presentations of products and roadmaps we already knew about (as part of the Aruba’s worldwide partner ambassador program and as a top tier partner, we already access to a lot of product info). But as I clicked through the demos in the Innovation Zone, and as I watched the Airheads track presentations on Zero Trust, the pieces started coming together. I realized Aruba's “cute” little port tunnel mode had grown up. Aruba married some of its UEBA and AI technology, and they had a Zero Trust love child. Or, maybe I should say it's a micro-segmentation love child that will grow up to be Zero Trust. Oh, to be at that graduation.

I know, I know. Buzzword bingo. Let's break it down into real talk. Here's what I saw that excited me:

  • Scalable enterprise-grade dynamic segmentation that's like having a firewall on every switch/Wi-Fi port
  • Infrastructure that can block inter-device traffic even on the same subnet (no VLANs or ACLs required)
  • Advanced profiling technology with AI/ML and UEBA
  • Endpoint security with cross-referenced CVEs against discovered and profiled platforms for meaningful and targeted risk management
  • Full visibility without span and tap ports through switches, gateways, and APs with built-in traffic collectors and analyzers
  • Behavioral data (from traffic analysis) overlaid for troubleshooting, AIOps, profiling, and security

Diving into the dynamic segmentation and inter-device blocking, if you're familiar with the concept of roles in Aruba's Wi-Fi portfolio, you already have the gist of this. Imagine extending that control to every switch port or edge gateway device. If the role concept is new to you, it allows you to profile and/or label endpoints and resources, and then put access policies in place based on those labels. A network could have contractors and employees on the same SSID and even the same VLAN (or same switch, same VLAN). The rule may say contractors can't access internal resources except for printers. In a traditional segmentation model, the best you could do would be a downloadable dynamic ACL (not fun) but with this model, even if they're on the same subnet, the infrastructure will block the restricted traffic and allow what you specified in the policy. It's that simple and it's truly that granular.

The advanced profiling with Aruba ClearPass Device Insight may be one of the biggest advancements in profiling technology of late. We talk about visibility and discovery on the network, but the truth is accurate and thorough device profiling (how we figure out *what* something really is) is difficult. It's the most time-consuming part of NAC and visibility projects and it's very labor-intensive. Aruba's integration with AI/ML and UEBA technology, coupled with the ability of the infrastructure to act as traffic collectors is huge. The system will not only use traditional profiling mechanisms (like DHCP fingerprinting, port scans, WMI polls, etc.) but also watches all the traffic going to/from the endpoints to make intelligent decisions around what that thing really is. It automates the most tedious tasks we face in endpoint profiling today. And, your security policies and segmentation policies are only as good as your profiling.

To get all this juicy Zero Trust goodness, there's not a magic button or single product to buy. It's more of an orchestration of various Aruba components throughout the infrastructure. But you don't have to have Aruba from end-to-end to use it. Most of these features are realized with partial Aruba deployments, although it sometimes requires additional configuration.

As always, time will tell if the whole ecosystem works as seamlessly as Aruba promises. But, having seen and touched several components of the new Aruba Edge Services Platform, I remain, as always, cautiously optimistic!

Go Deeper

Watch ATM Digital sessions on AIOps, Unified Infrastructure, and Zero Trust Security. 

See more highlights from this year's ATM Digital.