Arriba Aruba! — Intelligent secure network infrastructure

Kerstin Stief
8 min read · Jun 2, 2021


This article is about network security, higher resilience and modern network infrastructure. The size of the enterprise doesn’t matter.

Dynamic infrastructure for a connected world

Protection no longer happens at the perimeter. Networks must be protected from within, and preferably as transparently to the user and as automatically as possible. data://disrupted® editor-in-chief Kerstin was a delegate at the 25th Network Field Day. One of the presenting partners, Aruba Networks, combined network management with IT security.

Aruba Edge Services Platform ESP

Every industry faces its own challenges when it comes to IT security. However, a few measures apply globally to all:

  • Analyse and secure services, applications, users, devices and protocols.
  • Make complex network and IT infrastructures more transparent.
  • Digitise corporate policies and regulatory requirements.
  • Automate administrative tasks such as network segmentation.

Aruba can do all this with the Aruba Edge Services Platform (ESP). The company also supports the 6E advanced Wi-Fi standard for its access points.

What the E?!

Wi-Fi 6 (IEEE 802.11ax standard) is limited to radio spectrum in the 2.4 GHz and 5 GHz bands. Overlapping channels used by you, your neighbours and other aliens must share the theoretically possible bandwidth of 4.8 Gbit/s per client.

The frequency range between 5.925 and 6.425 GHz (in the U.S. even up to 7.125 GHz) is exclusively available for Wi-Fi 6E, which should allow up to six additional 80 MHz and up to three additional 160 MHz channels (in the U.S. 14 and 7 additional channels respectively) for WLAN. What does this mean?

Channels and frequencies in the Wi-Fi 6 standard and in Wi-Fi 6E

Even when many devices are connected, the 6 GHz band of Wi-Fi 6E enables:

  • higher data rates
  • greater bandwidth
  • lower latency (less than one millisecond).

You’re poison, but I need to break these chains

What applies to sprinters also applies to the wavelengths used in the 6 GHz spectrum: fast, but only over a short distance. And please, no hurdles! It doesn’t like long distances; walls and ceilings — unavoidable in most buildings — make its life even more difficult.

So in addition to Wi-Fi 6E-compatible devices, you don’t just need new access points — you need more of them, too. The new devices are also a bit hungrier: Power over Ethernet (PoE) should deliver more than 30 W. And that is still not enough: 1 Gbps Ethernet is no longer sufficient to enjoy the full bandwidth.

Is this really necessary? Yes! At the same time don’t hesitate to scrap your antiquated security concept and make it better. Seriously.

Aruba Networks itself already brings a level of security to the network that makes some traditional security products obsolete. The acquisition of Silver Peak also brings one of the three market leaders for WAN, SD-WAN and hybrid networks in-house. Aruba EdgeConnect does not just replace traditional branch routers: it combines SD-WAN, firewall, segmentation, routing, WAN optimisation, application visibility and control into a single appliance.

The unified Edge Services Platform (ESP) orchestrates, provisions, analyses, and manages networks and devices across datacenter, production sites (IoT, iIoT), campuses, cloud locations, branch offices and work-from-anywhere places in an automated and AI-powered manner. Zero-trust, UTM capabilities, continuous monitoring and policy enforcement protect users, data and infrastructure.

With ESP, Aruba unifies network management across platforms.

They haven’t yet taken the final step to a single-pass engine and true NG technology — but we’re convinced it’s only a matter of time.

Aruba Networks is not the only company following this path. We’re seeing integrated IT security in more and more network solutions. What’s interesting about Aruba is the unification of infrastructure from wireless to wired networks, software-defined wide area networks (SD-WAN), 5G to IoT. Not everyone can do that yet. Either they don’t support Wi-Fi, or if they do, they don’t yet do 6E, or there is no 5G integration. Why is all this so important?

Livin’ on the edge!

More and more devices that want to communicate with each other faster and faster don’t just pose an increased security risk. In an increasingly connected world with ever more complex communication structures, administrative tasks must take care of themselves — fully automated and autonomous. Anything else is a security risk and can no longer be solved error-free by any human.

In addition, silos are crumbling and network boundaries are becoming increasingly nebulous. Data is increasingly being processed in real time in the network periphery. Work from Anywhere (fka Work from Home fka Consumerisation fka BYOD) distributes workstations across hotels and campgrounds around the world. In addition, more and more devices are communicating with each other: Fridges, cars, industrial plants, traffic lights, people (respectively their communication devices) and entire companies (aka supply chains).

No one can control everything and end-to-end anymore. This requires things like automation, artificial intelligence (AI) and machine learning (ML).

Ready or not, here I come, you can’t hide.

Transparency is one of the things that is essential for comprehensive security of your infrastructure. The firewall of the future and other security mechanisms become part of the fabric of the network itself and invisible to it — with no perceptible impact on throughput or latency.

With the Edge Services Platform (ESP), Aruba Networks, owned by Hewlett Packard Enterprise (HPE) since 2015, offers an AI-powered solution for automation-driven networks. ESP is cloud-native, making it suitable for small and midsize businesses.

The platform pursues three approaches:

  • Unified Infrastructure
  • Zero Trust Security
  • AIOps (Artificial Intelligence for IT Operations)

Unified management and more security for network infrastructure

The Aruba ESP approach

Artificial Intelligence (AI), Machine Learning (ML) and Big Data automate, monitor and optimise IT services and operations. To do this, ESP keeps the network topology as flat as possible without adding an extra layer of complexity to the communications system. The entire network is considered, not just the interfaces of individual network segments. Security is added as an overlay network.

Dynamic segmentation of network objects at Aruba

All network objects are dynamically discovered and handled. ClearPass Device Insight is a feature of the platform that classifies and dynamically embeds every device on the network. Machine learning (ML) is used to analyse device behaviour and attributes. This allows network objects to be assigned and grouped automatically and more easily. This is supported by a range of active (Nmap, WMI, SNMP, SSH) and passive discovery methods (SPAN, DHCP, NetFlow/sFlow/IPFIX).

Together with Aruba ClearPass Policy Manager, ClearPass Device Insight enables closed-loop end-to-end access control. A set of rules automatically enforces policies and dynamically adjusts rules, for example when a user’s or device’s behaviour changes. This amounts to the security level of a network segmented down to each individual device. In this way, the granularity of security instructions is increased.

Matrix of communication relationships in the network

Continuous monitoring tracks communication activity between devices on the network, regardless of location or segment. Inappropriate behaviour can be quickly located and contained, such as when a device has been compromised by malware or a user suddenly starts acting strangely. Unifying the network infrastructure and a software defined approach help: only those who can see and have access to all devices in a network can capture and analyse the connection between individual devices.

For Aruba ESP, events are analysed in real time across network flows. Historical events are also taken into account during correlation. This means that patterns and connections between seemingly unrelated events can also be detected. This is a major advantage over traditional SIEM approaches. SIEM (Security Incident & Event Management) systems correlate based on logs provided by potentially already infected devices. Such logs can no longer be trusted. Better is a SOAR (Security Orchestration, Automation & Response) approach, which solutions like Aruba’s take.

I, I can be your painkiller?

Many organisations implement additional security by segmenting their networks into smaller parts, typically based on classification of information (need-to-know principle). Classically, the network is then divided into VLANs (virtual layers in the LAN, the local area network). VLANs are anything but flexible. In the age of agility, dev(sec)ops and work-from-anywhere models, they are no longer state of the art.

Segmentation is also very rarely used as a strategic defence. In most cases, segmentation is established once and then forgotten. The increasing number of security breaches makes it more important than ever to not only implement network segmentation, but to carefully maintain it. Segmentation intelligence and automation help to dynamically adjust segmentation based on agile processes.

Logical segmentation with context-aware access control in a distributed network

Applying firewall rules to traffic at additional points increases security: instead of only once, at a central point, all traffic is permanently checked for vulnerabilities or rule violations.

The correlation of events makes it possible to react quickly to changed or undesired behaviour for individual devices or a specific data flow. The trust level of a device, user or communication relationship changes automatically. The device, user, application or connection can be isolated or dynamically adjusted. Network segmentation remains.
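To make the closed loop described in the monitoring and segmentation sections above concrete, here is an added example (not Aruba’s code; all device addresses, roles, ports and flow records are constructed) that checks NetFlow-style flow records against an allowed communication matrix, lowers a device’s trust level on every violation, and isolates the device once its trust falls below a threshold while its correctly behaving peers keep their access.

```python
"""Toy closed-loop segmentation engine (added example, not Aruba's code)."""
from collections import defaultdict

# Constructed inventory: device address -> role assigned by classification.
DEVICES = {
    "10.0.1.10": "camera",
    "10.0.1.11": "camera",
    "10.0.2.20": "nvr",           # video recorder the cameras may talk to
    "10.0.3.30": "workstation",
    "10.0.4.40": "file-server",
}

# Allowed communication matrix: (source role, destination role, dst port).
ALLOWED = {
    ("camera", "nvr", 554),
    ("workstation", "file-server", 445),
    ("workstation", "nvr", 443),
}

MAX_TRUST, ISOLATE_BELOW, PENALTY = 100, 50, 30  # constructed policy values


class SegmentationEngine:
    def __init__(self):
        self.trust = defaultdict(lambda: MAX_TRUST)  # every device starts fully trusted
        self.isolated = set()
        self.findings = []

    def is_allowed(self, src, dst, port):
        return (DEVICES.get(src, "unknown"), DEVICES.get(dst, "unknown"), port) in ALLOWED

    def observe(self, flow):
        src, dst, port = flow["src"], flow["dst"], flow["dport"]
        if src in self.isolated:                     # quarantined devices stay cut off
            self.findings.append(f"drop {src}->{dst}:{port} (isolated)")
            return
        if self.is_allowed(src, dst, port):
            return
        self.trust[src] -= PENALTY                   # history accumulates across events
        self.findings.append(f"violation {src}->{dst}:{port} trust={self.trust[src]}")
        if self.trust[src] < ISOLATE_BELOW:
            self.isolated.add(src)
            self.findings.append(f"isolate {src}")


# Constructed flow records: a camera that starts behaving like a workstation.
FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 554},   # allowed
    {"src": "10.0.3.30", "dst": "10.0.4.40", "dport": 445},   # allowed
    {"src": "10.0.1.10", "dst": "10.0.4.40", "dport": 445},   # violation, trust 70
    {"src": "10.0.1.10", "dst": "10.0.3.30", "dport": 22},    # violation, trust 40 -> isolate
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 554},   # now dropped
    {"src": "10.0.1.11", "dst": "10.0.2.20", "dport": 554},   # sibling camera unaffected
]


def run(flows=FLOWS):
    engine = SegmentationEngine()
    for flow in flows:
        engine.observe(flow)
    return engine
```

Running `run()` isolates only the misbehaving camera; the second camera keeps full trust and its path to the recorder, which is the per-device granularity the article describes.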

Let me entertain you!

Aruba ESP is designed as a cloud-native service. The centralised management platform, Aruba Central, is delivered by Aruba as Software as a Service (SaaS). Aruba Central is multi-tenant and available as a cloud service or as an on-premises version. As a cloud service, Aruba Central runs in AWS datacenters. For the EU and Germany, Aruba operates the service at the Frankfurt/M. location.

Managed service providers can operate the service for their clients. This benefits in particular small and medium-sized enterprises that do not have their own IT department. With Network as a Service (NaaS), SMEs receive a modern and secure infrastructure without having to maintain the knowledge or resources themselves. OPEX models are also a financial advantage for companies and give them planning certainty.

So what’s the bad news? With all the automation and AI support, you still need to understand your business and have a plan.

Recording of Aruba Networks’ talk at #NFD25:

https://vimeo.com/548678739

Our Editor-in-Chief thanks the Fugees, Judas Priest, Alice Cooper, Robbie Williams and Aerosmith for the headlines. The article was originally published in German here: https://data-disrupted.de/arriba-aruba-intelligente-netzwerk-infrastruktur/
