Content Security Service
Aruba Networks Content Security Service (CSS) provides cloud-based security for branch offices and teleworkers.
CSS is a key component of the Aruba Virtual Branch Networking solution and seamlessly integrates with the Remote Access Point (RAP) and Branch Office Controller (BOC) product families to provide high-throughput, low-latency content security with centralized reporting and management. Leveraging data centers around the world, CSS provides complete protection including advanced URL filtering, P2P control, Anti-Virus/Anti-Malware, botnet detection, and data loss prevention. High-speed web logs in CSS provide a flexible and powerful way to view both broad trends and per-user drill downs of internet activity.
Cloud-based, Multi-Tenant Architecture
Unlike traditional hosted, single-tenant architectures that require all traffic to pass through a single appliance in a specific data center, Aruba's Content Security Service (CSS) uses the closest policy enforcement point to the user. Each user is routed to the geographically closest data center, eliminating unnecessary latency from the backhauling of traffic experienced with traditional threat management appliances, while maintaining consistent policy no matter where the user travels. CSS works with any Aruba remote access point (RAP) or branch office controller (BOC); there are no additional appliances to deploy on site and there are no client dependencies or software needed.
Comprehensive Threat Detection and Prevention
- URL filtering with dynamic classification and enforcement - Traditional URL blacklisting is no longer sufficient now that content is dynamic and user-generated. Dynamic scanning of content allows for rapid, automatic classification and policy enforcement. Safe search technology filters search material for web, image, and video searches. Enforcement levels include allow, deny, and user warnings.
- Anti-Virus & Anti-Spyware - CSS provides multi-tier scanning for malicious content with a two-pronged approach to detection. First, CSS leverages internal research to detect threats using a combination of data mining, offline scans, pattern matching, and malicious content examination. The second source comes from partnerships with leading AV/AS companies for data feeds and advanced threat information.
- Detection of botnets, phishing attempts, and embedded malicious content - CSS monitors for suspicious activity such as botnet control traffic and key loggers, as well as malicious content from suspicious URLs, then uses both data feeds and page characteristics to prevent phishing. Controlling or eliminating P2P traffic can not only save bandwidth but also prevent accidental leakage of sensitive data or sharing of confidential corporate information.
- Control over browser type, version, and plug-ins - Ensure that only secure, up-to-date browsers are being used in the organization. CSS allows policy to be configured on acceptable browser software, required patch levels, allowed plug-ins/extensions, and allowed browser-based applications. Organizations can even schedule weekly scans with warnings to the user if the browser is vulnerable, all without any client-side software.
- Limit access to social media sites, streaming media, and blogs - CSS allows the organization to set limits on when or if social media can be used, and can differentiate this access by group. As an example, teams such as marketing may be allowed to use the tools while other users may be limited to occasional use on break times or not at all.
- Monitor IM sessions and web-based email applications - Internet-based instant messenger services and web-based email allow users to bypass the logging and control of corporate security systems. This can not only be a source of data leakage for the organization but also affect employee productivity. CSS allows organizations to set policy, control access, and secure these systems to the same standard as internal corporate networks.
- Control user bandwidth by application - CSS gives the organization the ability to limit traffic to particular applications, and can even lift those restrictions during specific times of day. This system could be used to limit traffic to video sharing sites during work hours, while allowing streaming of web conferencing tools to pass through unaffected. This granularity of control can even be extended to lift limits on video sharing sites after hours or at break time.
- Advanced data loss prevention (DLP) tools - When confidential information leaks outside of the organization it can not only harm the reputation of the organization but may have financial, regulatory, and legal repercussions. CSS uses proprietary tools to detect and prevent data loss. Sophisticated algorithms detect the leakage of credit card and Social Security numbers without false positives. Advanced self-learning algorithms create dictionaries for the leakage of source code, financial statements, and Protected Health Information (PHI). Pattern matching engines evaluate data based on the weighted scores of various phrases. All of this combines to help the organization meet legal and regulatory requirements, and protect both sensitive customer data and the intellectual property of the organization.
Centralized Management and Reporting
- Web-based interface provides intuitive control over policy
- Dashboard provides a real-time view of the network and user traffic
- Customizable reporting across the entire distributed enterprise from a single interface
- Full data mining and forensic capabilities to meet legal and regulatory requirements
Service Options to Meet Deployment Needs
- Flexible policy engine allows access to be based on any combination of application, time of day, location, and user group
- Incremental user licensing model scales to meet any deployment size
- Feature bundles are matched to the security needs of the organization
- Available in one and three year subscriptions
Solutions Overview
- Remote Access Point (RAP): A lightweight, low-cost network access device that is installed in branch offices and teleworker homes. RAPs provide network access through traditional wired Ethernet connections or through secure wireless LAN, and are centrally controlled and managed by Aruba Mobility Controllers. The RAP automatically diverts internet destined content to the CSS cloud-based enforcement point.
- Aruba Mobility Controller: Network infrastructure hardware in the enterprise datacenter or network core that is responsible for control, configuration, and management of all Aruba RAPs. All communication between RAPs and the Mobility Controller is secured through IPsec tunnels.
- Content Security Service: A network of cloud-based policy enforcement points that provide scanning of Internet bound traffic. Each user logs into the service the first time, and their organization's individual policy is applied. Acting as an invisible proxy, the CSS enforcement points scan requests and returned content for appropriateness, returning either clean traffic or a denial message to the user.
Content Security Service
Specifications
| Services | URL filtering, anti-malware/anti-virus, web security, browser access control, web-2.0 sites, bandwidth control, and data loss prevention |
| Management | Web-based console |
| Reporting | Web console, email, PDF |
| Alerts | Built-in and user-definable, with push notification |
Minimum Solution Requirements
- All Aruba Mobility Controllers
- ArubaOS Software 5.0 or higher
- Any Aruba access points operating in RAP mode