Securing the Distributed Enterprise 

Security is a critical component of an SD-Branch solution for both the WAN and the LAN. Customers using SD-WAN and SD-Branch (a superset of SD-WAN that includes the branch LAN) need to know that their network and services are well protected.

The goal of zero trust, according to NIST, is to provide “network security paradigms that narrow defenses from wide network perimeters to individuals or small groups of resources.” This is in response to the ever-heightening emphasis on cloud-based assets and remote users, as opposed to enterprise-controlled network boundaries.

One of the key tenets of zero trust is the assumption that any entity on the internal network may be untrusted or, at worst, malicious. For instance, SD-Branch inspects communications between internal devices and users and Internet resources. Within the branch, intrusion detection and prevention functionality (IDS/IPS) inspects inter- and intra-branch traffic for attacks on the network, preventing malware (and other compromised traffic) from communicating with a home base of attack such as a command-and-control server.

Security Layers
The security of the Aruba SD-Branch solution is built in layers, from the hardening of the operating system to the integration with best-of-breed security partners (see Figure 1 below).

Figure 1. Security Layers in the Aruba SD-Branch Solution

Aruba’s SD-Branch portfolio provides a comprehensive solution across all aspects of WAN and LAN performance and branch security. With Aruba SD-Branch, built-in integrated security provides stateful firewall, intrusion detection and prevention, deep packet inspection (DPI), web content filtering, and other policy-based security, privacy, and compliance controls, all managed from Aruba Central.

Furthermore, the solution implements and mandates very robust hardening policies, which is critical since branches are directly exposed to the Internet. Finally, Aruba-based branch networks benefit from “best-of-breed” security.

Aruba branch gateways include rich firewall functionality that can be hardened to further ensure a secure branch.

Solution Components
Zero-trust security in Aruba branch and headend gateways begins with ArubaOS: a tightly hardened operating system. The functionality of ArubaOS includes:

  • Secure boot: Heavily restricting communications until the gateway has received its configuration from Aruba Central. Only trusted systems can boot the device.
  • IPsec VPN: Aruba branch gateways and headend gateways support high-performance IPsec VPN for secure overlay networking across the Internet or other untrusted networks. Aruba uses AES-256 encryption (using trusted key exchanges) for all branch-to-hub tunnels. Notably, Aruba branch gateways and headend gateways support VPN termination from client endpoints directly. In a branch, this enables employees or contractors to access internal systems, such as security cameras or Internet of Things (IoT) sensors, based on their allowed role.
  • Role-based stateful firewall: The Aruba Policy Enforcement Firewall (PEF) is a full, stateful firewall able to tightly control what users and devices are permitted to do, enabling application-layer security and providing separation between user roles. Roles are trusted or not based on their profiles. This gives network administrators insight into the applications running on the network and who is using them.
  • Deep Packet Inspection (DPI) module: Includes the capacity to identify close to 3,200 known and/or trusted applications via application fingerprinting.
  • Intrusion detection and prevention (IDS/IPS): This is part of an advanced threat defense, which will be detailed further in an upcoming blog. It prevents communications from untrusted systems.
  • Web content and reputation filtering: The Aruba branch gateway uses Webroot cloud-based machine learning classification technology. Websites are classified for content-based filtering. The reputation of all public IP address space is monitored to detect and block threats such as spam, exploits, botnets, phishing, proxies, and mobile threats. Geolocation information allows you to block IP ranges based on country. Only safe or trusted domains and locations are permitted.
  • Cloud security integration: This allows organizations that use cloud security services from third parties to have the same policy applied to user groups in the branch or at headquarters. Aruba delegates control to our third-party partners for trust authorization.
  • Dynamic segmentation: Connections on Aruba wired switch ports can be tunneled to the branch gateway, and consistent policy applied to the user or device in the same way policy is applied to wireless users. Trust is based upon user and device roles.

The Aruba SD-Branch solution integrates with Aruba ClearPass (or other AAA servers) to form a zero-trust, policy-driven branch. This model dynamically assigns policies based on users and devices, as opposed to the traditional way of assigning these policies manually based on ports, VLANs, and IP addresses.
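The following is an added illustration of the policy model just described, showing why a role derived from the authenticated identity and device posture gives different (and safer) answers than a policy keyed on the port, VLAN or IP address. It is a constructed toy written for this post, not Aruba PEF, ClearPass or ArubaOS code; every identity, role, VLAN number and rule in it is made up for the example, and the "compliant/noncompliant" posture value stands in for whatever an AAA server would actually return.

```python
"""Role-based, identity-driven policy versus legacy port/VLAN/IP policy.

Added illustration of the zero-trust model described in the post; it is a
constructed toy, not Aruba PEF, ClearPass or ArubaOS code. All identities,
roles, VLANs and rules below are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One authenticated network session as a gateway might see it."""
    identity: str   # user or device identity returned by AAA (constructed)
    posture: str    # "compliant" or "noncompliant" from a posture check
    vlan: int       # VLAN the access port is in
    ip: str         # address assigned on that VLAN


# Constructed AAA answer: which role each known identity gets.
IDENTITY_ROLES = {
    "alice@corp.example": "employee",
    "bob@vendor.example": "contractor",
    "cam-lobby-01": "iot-camera",
}

# Constructed per-role rules as (application, destination zone, action).
# First matching rule wins; anything unmatched is denied (default deny).
ROLE_POLICIES = {
    "employee":   [("any", "internal", "allow"), ("web", "internet", "allow")],
    "contractor": [("web", "internet", "allow")],
    "iot-camera": [("rtsp", "internal", "allow")],
    "quarantine": [("web", "remediation", "allow")],
}

# Legacy model: the VLAN alone decides which policy applies.
LEGACY_VLAN_ROLES = {10: "employee", 20: "contractor", 30: "iot-camera"}


def assign_role(session: Session) -> str:
    """Zero-trust role assignment: the role follows the identity and its
    posture, never the port or VLAN. Unknown or non-compliant -> quarantine."""
    if session.posture != "compliant":
        return "quarantine"
    return IDENTITY_ROLES.get(session.identity, "quarantine")


def match_policy(role: str, app: str, dest_zone: str) -> str:
    """Walk the role's ordered rules; default deny when nothing matches."""
    for rule_app, rule_zone, action in ROLE_POLICIES.get(role, []):
        if rule_app in ("any", app) and rule_zone == dest_zone:
            return action
    return "deny"


def evaluate(session: Session, app: str, dest_zone: str) -> tuple:
    """Role-based decision: returns (role, action)."""
    role = assign_role(session)
    return role, match_policy(role, app, dest_zone)


def legacy_evaluate(session: Session, app: str, dest_zone: str) -> tuple:
    """Port/VLAN-based decision for comparison: whoever lands on the VLAN
    inherits its policy, regardless of identity or posture."""
    role = LEGACY_VLAN_ROLES.get(session.vlan, "quarantine")
    return role, match_policy(role, app, dest_zone)


def audit_flows(flows):
    """Evaluate a batch of (session, app, zone) under both models and return
    audit records flagging where the two disagree."""
    records = []
    for session, app, zone in flows:
        rb_role, rb_action = evaluate(session, app, zone)
        lg_role, lg_action = legacy_evaluate(session, app, zone)
        records.append({
            "identity": session.identity, "vlan": session.vlan, "app": app,
            "zone": zone, "role_based": (rb_role, rb_action),
            "legacy": (lg_role, lg_action), "mismatch": rb_action != lg_action,
        })
    return records


if __name__ == "__main__":
    # Constructed sessions: a camera plugged into an employee-VLAN port, and
    # an employee laptop that failed its posture check.
    camera_on_vlan10 = Session("cam-lobby-01", "compliant", 10, "10.0.10.9")
    alice_noncompliant = Session("alice@corp.example", "noncompliant", 10, "10.0.10.5")
    for rec in audit_flows([(camera_on_vlan10, "rdp", "internal"),
                            (alice_noncompliant, "rdp", "internal")]):
        print(rec)
```

The two constructed cases are the ones that matter in practice: a camera that ends up on an employee port inherits full employee access under the VLAN model but stays confined to its camera role under identity-based assignment, and an employee device that fails its posture check is quarantined even though its VLAN and IP look normal. Default deny for anything unmatched (including unknown identities) is what makes the model "zero trust" rather than "trust the VLAN".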

Finally, the Aruba SD-Branch solution can integrate with best-of-breed third-party security infrastructure partners in the Aruba 360 Security Exchange Program. With these integrations, the Aruba SD-Branch architecture seeks to offer enterprise-grade advanced threat protection in a scalable manner.

For more information on Aruba’s zero-trust security approach for SD-WAN and SD-Branch, follow the links in the article and check with your Aruba representative (account manager or systems engineer).