Is Managing Network Access Policy Spiraling Out of Control?

By Dave Chen, Senior Product Marketing Manager
Share Post

This blog is the first in a series that explores how organizations can use Dynamic Segmentation.

Sam just finished a huge project helping the facilities team install a new building access control system and expand the use of surveillance cameras. Sam, who is an IT generalist, worked with Tri, who’s also on the IT staff, on the installation. Together, they spent hours and hours creating network access policies, planning out VLANs and configuring switches. It was tedious, repetitive and time-consuming but absolutely necessary.

Put an End to VLAN Changes
VLANs have long been at the heart of secure mobility in enterprises, college campuses and retail stores alike, providing a way to ensure that users always have access to their appropriate resources regardless of their location. VLANs exploded with the rise of BYOD and mobile devices, and few IT staff look forward to maintaining a complex VLAN architecture.

VLANs are a familiar pain, but the rise of IoT devices is going to intensify that pain. We’ve all read the news stories, and we all know that IoT devices must be regarded as suspect. As organizations embrace smart connected devices for environmental controls, physical security, lighting and many other functions, network managers will need to expand the use of network segmentation to ensure seamless connectivity while isolating IoT devices from the rest of the business traffic.

The problem for most organizations is that IT requirements are growing but IT resources are stagnant.

Use Dynamic Segmentation on the Network Instead
Aruba’s Dynamic Segmentation solution is a modern way to get control over the rising complexity of managing and enforcing network access policies. Dynamic Segmentation extends unified control over the wired and wireless access networks to simplify and secure the entire network infrastructure.

With Dynamic Segmentation, rich, role-based policies define user and device access, and those policies are automatically enforced by the network through per-user firewalling, Layer 7 application visibility and automated device profiling.

There’s simply no need to configure VLANs, ACLs, subnets or port-based controls anymore to create and enforce policies manually. Dynamic Segmentation puts an end to VLAN sprawl and vastly simplifies network management.

The moves, adds and changes that are a constant reality for IT staff like Sam and Tri are drastically reduced. If you don’t have Dynamic Segmentation, a single change in policy could mandate changes for SSIDs, ACLs and subnets at every point in the enterprise network.

Now, when the organization wants to automate meeting room reservations or offer wayfinding for the campus, Sam or Tri can simply create the new policies using Aruba ClearPass. They can leverage user and device roles to dynamically assign rules or privileges for sensors, control systems, users and administrators, regardless of the SSID, port or location. Privileges follow users and devices wherever they go. Building security and office managers can access their applications, but the sensors can only communicate with their cloud service—and nowhere else. The IoT devices are automatically segmented from business applications, minimizing the chance that a compromised sensor or system can wreak havoc.

Getting Started with Dynamic Segmentation
Dynamic Segmentation can be used on traditional enterprise campuses and branch offices without disruption. It’s a flexible solution that allows IT managers to create an overlay for their existing network. There’s no forklift upgrade to get better security and to simplify management. Most Aruba customers will have most of the building blocks of Dynamic Segmentation already.

Aruba ClearPass is your single point of policy definition. ClearPass Policy Manager provides centralized policy management and automatically profiles devices. Dynamic segmentation works across the ecosystem of Aruba APs, Mobility Controllers, and switches for the enterprise campus. To extend dynamic segmentation to branch offices, just plug in the Aruba Branch Gateway to enable segmentation.

You can take Dynamic Segmentation to the next level with ClearPass Device Insight, which provides complete visibility into all connected devices—even ones that aren’t in your IT asset databases. Device Insight provides full visibility into device type, vendor, hardware version and behavior including applications and resources accessed. Device Insight overcomes the challenge that many IoT devices are difficult or impossible to identify with any level of useful detail.

Go Deeper
Read our other blogs about Dynamic Segmentation. 

Watch Dynamic Segmentation in action.