Segmentation and Visibility Simplify Network Management and Security

By Richard McIntosh, Blog Contributor
Share Post

With Aruba’s Dynamic Segmentation and ClearPass Device Insight, network engineers can provide secure access without having to manually configure new VLANs, ACLs, interface configurations or any other manual tasks that take time away from more important ones.

Simpler, Secure Configuration
With Dynamic Segmentation, administrators can configure every switch across the organization with a similar basic configuration. When a device or user connects, we can use that authentication plus other context such as date and time, location or type of device to dynamically apply a policy from ClearPass Policy Manager.

Let’s say a teammate connects her personal laptop to the docking station behind her VoIP phone. First, the phone is identified and the switch port is assigned a policy to keep the traffic local; no need to tunnel this traffic. Then, her laptop is identified as a guest device and should be tunneled to a mobility controller using user-based tunnels, segmented from all other devices with access only to the internet. Since the policy is centrally managed in ClearPass Policy Manager, and we have configured guest devices, and policies are enforced at the mobility controller. When that laptop moves to wireless or to another switch in the organization, it receives the same policy and segmentation.

How Well Is Your Network Segmented?
During Episode 3, When Security and Networking Join Forces, of the Aruba Unplugged podcast, Jon Green, chief security technologist at Aruba, brought up a surprising fact about the Target credit card breach of 2013. Jon explained how HVAC systems controllers were used as a jumping point to compromise the point-of-sale devices. Immediately, we start to ask why didn’t they have ACLs in place or other protection mechanisms in place? Well, the answer may not always be that straightforward.

In this case, it was a lack of defined manual, segmentation. But in your own network, do you know if your HVAC system isn’t talking to a database server in your data center? Is that expected behavior? Are you even aware of the HVAC controller connected to that switch in the basement IDF?

We can now have these questions answered by ClearPass Device Insight. ClearPass Device Insight is a cloud application that talks to a collector within your network to gather information about the devices through deep packet inspection, active and passive discovery techniques.

In our example with the HVAC controller, a typical NAC solution may be able to identify this IoT device based on its MAC address or the operating system that is running. Unfortunately, this can cause misidentification of devices. The controller may be a Windows 10 device, but it won’t be performing the same duties as a Windows 10 laptop and both will need different policies.

With ClearPass Device Insight, the traffic flows can be baselined. Machine learning is used to find similarities between this device and others like it, and information is crowdsourced from other ClearPass Device Insight customers that have already identified this device. Now, we know what the device is, what it’s supposed to be doing, and more importantly, what it’s not supposed to do.

If we bring ClearPass Device Insight into our Dynamic Segmentation deployment, we are able to provide additional context and automation to our actions. This HVAC controller is automatically segmented and only allowed to speak with other HVAC controllers. If it attempts to go outside those boundaries or starts to show indicators of compromise, we can quarantine the device, send an alert to the security analyst, and sleep peacefully through the night–since all these actions were performed automatically.

Learn More 
Are You Leaving the Network Door Wide Open?

Lock Down Your Wired Network to Mitigate Insider Threat

Video: Take a deep technical dive into dynamic segmentation.