Dynamic Segmentation Explained
Dynamic Segmentation uses policy-based access control across wired, wireless, and WAN infrastructure so that users and devices can communicate only with the destinations their access permissions allow. It is foundational for Zero Trust and SASE frameworks.
What is Dynamic Segmentation?
Dynamic Segmentation establishes least-privilege access to IT resources by segmenting traffic according to roles and the access permissions attached to them. This is a fundamental concept of both Zero Trust and SASE frameworks, where trust is based on identity and policy rather than on where or how a user or device connects.
A role is a logical grouping of permissions. Permissions can include which applications and services may be accessed, which users and devices may be reached, and even the days of the week on which a particular user may connect to the network.
Because roles and policies define access and segmentation, Dynamic Segmentation removes the need to hand-configure per-segment SSIDs, ACLs, subnets, and port-based controls. This reduces complex network segmentation, sprawling VLANs, and costly administrative work. The policy itself still has to be written and reviewed; the difference is that it is expressed once per role and applied wherever that role appears, rather than re-encoded on every VLAN, SSID, and switch port.
How does Dynamic Segmentation work?
Aruba ESP supports two models of Dynamic Segmentation based on an organization’s overall network architecture and choice of overlay: centralized and distributed.
In the centralized model, traffic is kept separate by carrying it in GRE tunnels from access points to Aruba Gateways. Role and access definitions are managed by Cloud Auth (cloud-native network access control, NAC), ClearPass, or the Aruba Central NetConductor policy manager. The gateways act as the ingress policy enforcement points using the Aruba ESP Layer 7 Policy Enforcement Firewall (PEF), so access traffic reaches a gateway before any policy is applied to it.
In the distributed model, an EVPN/VXLAN overlay carries the traffic, cloud-native NAC assigns roles, and Central NetConductor cloud-native services provide a fabric wizard for network configuration and a policy manager for policy propagation. Policy is enforced inline by Aruba Gateways and fabric-capable switches, which read the access control information carried in the standards-based global policy identifier (GPID) that travels with the traffic.
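The two passages above (roles as groupings of permissions, and inline enforcement keyed on a policy identifier carried with the traffic) can be made concrete with a small policy evaluator. The following is an added illustration written for this page, not Aruba code: the role names, GPID values, rule list and the ordered first-match, default-deny evaluation are all assumptions. The point it shows is that the enforcement point decides from the identifiers on the wire and the role's own constraints, never from the VLAN, port or address the packet arrived on.

```python
"""Toy role-based segmentation policy, evaluated the way an inline
enforcement point would: by the policy identifier carried with the
traffic, not by the source IP, VLAN or access port.

Constructed illustration only. Role names, GPID values and rules are
assumptions for this example and do not come from any Aruba product.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


@dataclass(frozen=True)
class Role:
    name: str
    gpid: int                           # identifier carried in the overlay header
    days: frozenset = frozenset(DAYS)   # days of the week the role may connect


@dataclass(frozen=True)
class Rule:
    src: str                  # source role name or "*"
    dst: str                  # destination role name or "*"
    dst_port: Optional[int]   # None means any destination port
    action: str               # "permit" or "deny"


# Assumed roles. In a deployment these come from NAC (802.1X / MAC auth and
# device profiling); here they are constructed inline for the example.
ROLES = {
    "employee":   Role("employee", 10),
    "contractor": Role("contractor", 20, frozenset({"mon", "tue", "wed", "thu", "fri"})),
    "printer":    Role("printer", 30),
    "ip-camera":  Role("ip-camera", 40),
    "nvr":        Role("nvr", 41),
    "quarantine": Role("quarantine", 99),
}
BY_GPID = {r.gpid: r for r in ROLES.values()}

# Ordered rule list: first match wins, anything unmatched is denied.
# Rules describe the initiating direction; return traffic is assumed to be
# handled statefully by the enforcement point.
POLICY = [
    Rule("employee",   "printer",   9100, "permit"),
    Rule("contractor", "printer",   9100, "permit"),
    Rule("ip-camera",  "nvr",       554,  "permit"),   # RTSP to the recorder only
    Rule("ip-camera",  "*",         None, "deny"),     # cameras reach nothing else
    Rule("*",          "ip-camera", None, "deny"),     # and nothing reaches them
    Rule("quarantine", "*",         None, "deny"),
    Rule("employee",   "employee",  None, "permit"),
]


def matches(rule: Rule, src: Role, dst: Role, port: int) -> bool:
    return (rule.src in ("*", src.name)
            and rule.dst in ("*", dst.name)
            and rule.dst_port in (None, port))


def authorize(src_gpid: int, dst_gpid: int, dst_port: int, day: str) -> tuple:
    """Return (decision, reason) for a flow identified by the GPIDs on the wire.

    `day` is a DAYS entry; the caller derives it from the current time.
    """
    src, dst = BY_GPID.get(src_gpid), BY_GPID.get(dst_gpid)
    if src is None or dst is None:
        return "deny", "unknown policy identifier"    # untagged or unknown traffic
    if day not in src.days:
        return "deny", f"{src.name} may not connect on {day}"
    for rule in POLICY:
        if matches(rule, src, dst, dst_port):
            return rule.action, f"rule {rule.src}->{rule.dst}:{rule.dst_port or 'any'}"
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    today = DAYS[datetime.now().weekday()]
    # Constructed sample flows: (src gpid, dst gpid, dst port, day)
    for flow in [(10, 30, 9100, today), (20, 30, 9100, "sat"),
                 (40, 41, 554, today), (40, 30, 9100, today),
                 (10, 40, 80, today), (10, 41, 554, today), (77, 10, 80, today)]:
        print(flow, "->", authorize(*flow))
```

Note that the same employee device is evaluated identically whether it arrived over Wi-Fi, a wired port or the WAN, because nothing in `authorize` looks at the access path; that is the property the role-and-GPID model is meant to give. The explicit deny rules around `ip-camera` are worth copying in practice: a default-deny tail protects against missing rules, but an explicit deny also documents intent and survives someone later appending a broad permit.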
With Central NetConductor, Dynamic Segmentation roles and policies are managed from the cloud, so organizations can configure network infrastructure automatically and enforce granular access control policies consistently at global scale. Decoupling business intent from the physical construction of the network reduces the time and resources required to operate it.
Why use Dynamic Segmentation?
Businesses are accelerating their digital transformation initiatives to deliver new user experiences, support hybrid work, implement new business models, and achieve greater IT efficiency. This gives rise to increasingly complex, globally distributed networks with unique visibility and security challenges that are driving adoption of Zero Trust and SASE network security frameworks. Organizations need to segment traffic more efficiently, control access to sensitive applications, and ensure data privacy.
In addition, IT needs more visibility into and control over the endpoint clients on its network. Most IT managers are not aware of every device connected to the network, and with the growing adoption of IoT and hybrid work this problem will only get worse. IT needs to know which clients are on the network in order to segment traffic and control access effectively in real time.
Aruba Dynamic Segmentation is a single solution that simplifies the adoption of Zero Trust and SASE architectures at global scale, regardless of the size and complexity of the network.
Benefits of Dynamic Segmentation
Enhanced endpoint visibility
Discovering, profiling, and monitoring devices on the network is a critical component of Dynamic Segmentation. AI-powered Client Insights on Aruba Central is agentless and uses native infrastructure telemetry from access points, switches, and gateways to identify and profile a wide variety of clients with ML-based classification models.
Cloud-based management and automation of authorization and access control
Use intent-based workflows in Central NetConductor for policy definition and network configuration. Push-button automation, automatic updates, and continuously enforced policy ease security operations and simplify the creation of overlays.
Global policy enforcement without performance compromise
Global policy identifiers (GPIDs) let the network carry access control information with the traffic itself, so fabric-capable switches and gateways can enforce policy inline. Because the identifier travels with the packet, the enforcement point does not have to map addresses or VLANs back to a user or device, which keeps security and performance together.
Flexibility of adoption
Organizations currently using a centralized enforcement approach for Dynamic Segmentation can keep it and move over time to a distributed approach, in which enforcement is done by the access devices, without ripping and replacing existing infrastructure.