Starting May 2, 2024, find new blogs on HPE Community. Questions? Contact us

Go to new blog site

HPE Aruba Networking Blogs

Zero Trust, UTM, and Best-of-Breed SASE – Without Compromise!

By Karan Singh Dagar, Product Marketing Manager, Aruba

In today’s cloud-first world, the WAN and network security are more intertwined than ever before. To realize the full promise of digital transformation, work from anywhere, and the Secure Access Service Edge (SASE) model, enterprises must transform both their WAN and security architectures to support business applications hosted and accessed from anywhere, by anyone authorized to access them, and from any device.

Zero Trust: Securing the Edge by Application, User/Device Identity, and Role-Based Context

With the increase in cloud applications, mobile devices, remote workers, and IoT-connected devices, enterprises must align their security policies based on business intent while also striving for consistency. Aruba ClearPass integration with the Aruba EdgeConnect SD-WAN edge platform augments application intelligence with the user and device identity and role information. The additional identity-based context enables fine-grained segmentation and consistent security policy enforcement that can be enforced network-wide, from the edge to the cloud, while also accelerating troubleshooting and problem resolution.

IoT is a use case for Zero Trust segmentation since these devices don't allow third-party VPN or ZTNA software clients to run on them. Because of this, a SASE architecture doesn't fully address the security challenges posed by the IoT devices in the enterprise network. With the combination of Aruba ClearPass and EdgeConnect, customers can segment IoT device traffic at the network edge and isolate it from other traffic in the network. This new layer of context enables fine-grained segmentation without the complexity of managing multiple VLANs. For instance, a fine-grained segmentation policy can prevent IoT security cameras from accessing credit card transactions or HVAC systems. Zero trust segmentation helps enterprises isolate potential security threats by device type, role, and application while helping them meet industry compliance requirements such as PCI, HIPAA, and SOX.

Comprehensive Edge-to-Cloud Security

Today, SASE is becoming the de-facto model that describes the convergence of networking and security services. SASE is a cloud-first framework that outlines both the network and security capabilities for managing distributed enterprise networks.

WAN Edge Network Functions: This includes advanced SD-WAN, routing, branch firewall, segmentation, network and application visibility, WAN Optimization.

Cloud Security Functions: This includes cloud-delivered security services such as FWaaS, CASB, ZTNA, SWG, browser isolation, DLP, sandboxing, DNS security and more.

When customers look towards deploying a SASE architecture, it comes down to whether a single vendor or a multi-vendor solution will meet the requirements of the business. A multi-vendor SASE utilizes a best-of-breed strategy to offer customers both freedom and flexibility not just for today but many years to come. Working with a single vendor may provide more functionality under the same roof, but it also means higher long-term costs as you have committed to a single vendor and their roadmap.

The Aruba EdgeConnect SD-WAN edge platform enables enterprises to break out cloud-destined traffic intelligently and securely locally from branch sites over the internet. Plus, it supports micro-segmentation capabilities and granular security policy enforcement, enabling enterprises to secure their WAN, adhere to compliance mandates, and defend against security breaches.

Automated Orchestration for Seamless Multi-vendor SASE Deployments

Automated orchestration of an industry-leading, cloud-delivered security service with the application and identity-aware Aruba EdgeConnect provides a powerful SASE solution without compromising network functionality or security capabilities. Implementing a SASE architecture that combines cloud security with an advanced SD-WAN eliminates both the cost and complexity of managing multiple on-prem next-generation firewalls.

The EdgeConnect zone-based stateful firewall with unified threat management (IDPS) protects branch sites from any incoming malicious threats. The integration of Aruba Threat Defense with the Aruba EdgeConnect SD-WAN edge platform extends advanced intrusion detection and prevention (IDPS) capabilities to the SD-WAN fabric. Both physical and virtual instances of EdgeConnect leverage Aruba threat infrastructure and threat feeds from Aruba Central, enabling enterprises to deliver east-west lateral security and secure internet breakout from branch office locations. Threat logging provides network and security analytics back to Aruba Central or a third-party SIEM such as Splunk to deliver comprehensive edge-to-cloud UTM capabilities.

As the threat landscape continues to evolve, enterprises must retain the ability to be agile when adopting new security solutions quickly and cost-effectively. They should evaluate platforms that avoid vendor lock in and offer the freedom of choice to integrate best-of-breed cloud security services now and in the future.

The Aruba EdgeConnect SD-WAN edge platform is a crucial foundational pillar of a best-of-breed SASE architecture that not only avoids being locked into proprietary single-vendor solutions or settling for basic SD-WAN features and capabilities but also supports essential branch security functions such as Zero Trust segmentation with ClearPass, unified threat management with built-in IDPS, and consistent end-to-end security policy enforcement spanning the LAN, WAN, data center, and the cloud.

For more details, please read the Aruba EdgeConnect Segmentation Solution Brief.

Related Resources