Zero Trust Overview
Zero Trust is a security model in which no device, user, or network segment is inherently trustworthy; each must be treated as a potential threat.
To enhance security in modern enterprises, where users and devices are remote and threats bypass traditional perimeter defenses, it is critical to adopt a rigorous security model that performs checks on a continuous basis. Before accessing the network, all devices and users should be identified and authenticated and given the least amount of access required, and then be continuously monitored.
Benefits of Zero Trust
Zero Trust helps ensure network security for today’s era of mobility, IoT, and work from home environments. Key benefits of Zero Trust include:
- Limits exposure to security risks related to vulnerable IoT devices.
- Helps reduce the risk of advanced threats that bypass traditional perimeter security controls.
- Limits damage related to lateral movement by attackers and infected devices.
- Takes a more holistic approach to security regardless of who or what is connecting and from where.
- Applies best practices such as micro-segmentation for a “Least Access” approach.
Requirements of Zero Trust
Aruba views the following three items as requirements for achieving Zero Trust in the network. These items will be discussed in more detail throughout this policy guide:
Authentication and Authorization: Active and passive discovery of all users and devices on the network.
Least access micro-segmentation and control: Access control policies grant access only to resources that are absolutely necessary for a device or user and segment them from other resources that are not required.
Continuous monitoring and enforcement: Ongoing monitoring of users and devices on the network greatly reduces risks related to threats and malware.
Aruba Zero Trust Architecture
The Aruba Edge Services Platform (ESP) architecture provides flexible and highly reliable designs to ensure efficient access to applications and data for all authorized users, while simplifying operations and accelerating service delivery. Innovations in high availability combined with enhanced simplicity and programmability provide a best-in-class industry network solution for modern organizations.
Aruba ESP is an evolution of Aruba’s end-to-end architecture, providing a Unified Infrastructure with centralized management that leverages Artificial Intelligence Operations (AIOps) for an improved operational experience with a Zero Trust Security policy. Aruba ESP is the industry’s first platform that is built specifically for the new requirements of the Intelligent Edge.
Aruba ESP offers a breadth of services, including onboarding, provisioning, orchestration, security, analytics, location tracking, and management. AI Insights reveal issues before they impact users. Intuitive, workflow-centric navigation enables the organization to accomplish tasks quickly and easily using views that present multiple dimensions of correlated data. Policies are created centrally, and features such as Dynamic Segmentation enable the network administrator to implement them over an existing infrastructure. The Aruba ESP architecture is built in distinct layers, as shown in the figure below.
Aruba ESP Policy Layer
The policy layer for the Aruba ESP campus is implemented using overlay technologies and traffic filtering mechanisms to isolate user and application traffic. Data traffic can be tunneled back to a gateway cluster for centralized enforcement or handled within a switch fabric that provides policy enforcement at every node in the network.
ClearPass Policy Manager is typically used to provide network authentication (i.e., RADIUS) to a user database (i.e., LDAP) and to define user roles with associated policies enforced within the network. Device Insights ensure that the endpoint security posture is determined from information gathered from the network.
Aruba ESP’s powerful policy management is derived by separating policy from the network’s IP design. Traffic tunneled to a gateway cluster is tagged at ingress with a user role that determines how the gateway treats the traffic during forwarding. Traffic in a distributed fabric is tagged using the VXLAN-Group Based Policy (GBP) feature to assign a role ID to every frame in the fabric, ensuring consistent policy enforcement across LAN, WLAN, and WAN.
Aruba Central NetConductor
Aruba Central NetConductor is a collection of edge-to-cloud networking and security services designed to achieve a consistent Zero Trust network. Central NetConductor reduces the complexity of addressing connectivity and security challenges by automating deployment, operations, and security policy of the network in a cloud-native service.
The sections below describe the creation of roles and policy, applying roles to users, and the enforcement of policies based on roles within the NetConductor Framework.
Policy Definition
Roles
A role is simply a way to represent a grouping of users or devices. A role is assigned when a new user or device is brought onto the network. Aruba uses various methods to assign roles, and there are multiple ways a role can impact policies.
Historically, roles and their accompanying policies were defined separately for each platform in the network in various places. Going forward, roles are defined in Aruba Central Global Policy Manager or Aruba Central, and this centralized configuration is applied consistently across all network infrastructure.
Roles are assigned to users and devices using a network access control (NAC) solution such as ClearPass or Cloud Auth.
Global Policy Manager
Aruba Central Global Policy Manager configures roles and role-to-role policies. To make these roles more powerful and consistent with the ESP architecture, they can be managed globally from Aruba Central. For example, if you have five roles in your network, a role-to-role policy is created by defining permissions from one role to another. By configuring this only once in Central, it is applied to all relevant network devices: from a Microbranch or Bridge Mode AP, to a Mobility Gateway, to a switch. There is no need to build three different formats of security policy.
Authentication and Authorization
ClearPass
ClearPass Policy Manager is a full-featured RADIUS, TACACS, guest lifecycle management, and captive portal platform. In a Zero Trust architecture, ClearPass can be responsible for Authentication and Authorization, providing initial onboarding for the network and assigning the Role or other attributes that are used in enforcement. ClearPass also provides continuous monitoring and enforcement, changing the access level of any device on the network based on monitored changes or events.
ClearPass can access user and device authentication information stored within a local database, a user database connected to the local network, or a cloud-hosted user database. ClearPass has the ability to query most sources for user information using a variety of authentication methods.
ClearPass Policy Manager provides secure role- and device-based network access control for Internet of Things (IoT), bring your own device (BYOD), and corporate devices as well as for employees, contractors, and visitors across wired, wireless, and VPN infrastructure. With a built-in, context-based policy engine, RADIUS, TACACS+, non-RADIUS enforcement using OnConnect, device profiling, posture assessment, onboarding, and visitor access options, ClearPass is unrivaled as a foundation for network security for organizations of any size.
ClearPass also supports secure self-service capabilities, making it easier to access the network. Users can securely configure their own devices for enterprise use or Internet access based on administrative policy controls. Aruba wireless customers get unique integration capabilities, such as AirGroup, as well as ClearPass Auto Sign-On (ASO). ASO passes users’ network authentication automatically to their enterprise mobile apps, so they can get right to work.
ClearPass Policy Manager Key Features
- Role-based, unified network access enforcement across multi-vendor networks
- Intuitive policy configuration templates and visibility troubleshooting tools
- Support for multiple authentication/authorization sources (AD, LDAP, SQL)
- Self-service device onboarding with built-in certificate authority (CA) for BYOD
- Visitor access with extensive customization, branding, and sponsor-based approvals
- Integration with key UEM solutions for in-depth device assessments
- Comprehensive integration with the Aruba 360 Security Exchange Program.
ClearPass is the only policy platform that centrally enforces all aspects of enterprise-grade NAC for any industry. Granular policy enforcement is based on a user’s role, device type and role, authentication method, unified endpoint management (UEM) attributes, device health, traffic patterns, location, and time of day. The scalable deployment supports tens of thousands of devices and authentications, surpassing the capabilities of legacy AAA solutions. Options are available for small to large organizations with centralized or distributed environments.
Cloud Auth
Cloud Auth on Aruba Central provides a seamless, cloud-based onboarding and NAC solution. Small and medium-sized organizations with limited IT personnel benefit from simplified workflows and secure role-based policies administered through Aruba Central to ensure that users and devices have appropriate network access.
In a Zero Trust architecture, Cloud Auth can be responsible for Authentication and Authorization, providing initial onboarding for the network, and assigning the Role or other attributes that are used in enforcement. Cloud Auth also provides continuous monitoring and enforcement, changing the access level of any device on the network based on monitored changes or events.
Enforcement
Central NetConductor gives network and security teams a shared toolbox to ensure optimal connectivity and the appropriate level of protection. It extends the capabilities of Aruba’s market-leading Dynamic Segmentation across multiple network overlays, making it easy to adopt comprehensive Zero Trust and SASE security.
NetConductor supports two deployment models, Centralized and Distributed.
Centralized
In a centralized policy model, wireless and/or wired data traffic is tunneled back to a gateway cluster for security enforcement and traffic-shaping.
In the example below, a user from the finance department authenticates to the campus network. Another user is logged into a guest kiosk computer directly connected to a UBT-enabled switch. Both the AP and the switch forward traffic via GRE tunnels to the Gateway. The Gateways decapsulate and analyze the traffic, apply security policy based on user roles and other attributes, then forward the traffic to their authorized destinations. In this case, all enforcement is performed at the Gateways.
Distributed
Distributed policy enforcement uses VXLAN tunnels to create virtual networks between switches. Aruba CX switches are able to enforce policy locally with many of the same capabilities found on gateways. This is particularly powerful when securing east-west traffic within a campus. These capabilities are described as the Aruba ESP NetConductor solution.
NetConductor pairs VXLAN with an MP-BGP EVPN control plane to ensure endpoint reachability across geographically diverse subnets and broadcast domains.
In the example below, a wired user from the finance department authenticates to the campus network. A different user is logged into a guest kiosk computer. The switches analyze the traffic locally, apply security policy based on user roles and other attributes, then forward the traffic to their authorized destinations. Using the native firewall capabilities of the switches, policy enforcement can be performed at the edge, allowing the traffic to take a more direct path to its destination. This strategy results in greater flexibility and scalability than the centralized model.
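The role-to-role policy described under Global Policy Manager and the per-frame role tagging used by distributed enforcement can be modelled together. The following is an added, self-contained illustration (not Aruba code, and not the Central or switch configuration format): it parses the VXLAN Group Based Policy header to recover the role ID carried with each frame, maps it to a role name, and applies an explicit allow list with a default-deny fallback. The role names, role IDs, VNI, and the GBP bit layout used here are taken from the VXLAN-GBP draft header format and constructed sample values.

```python
import struct

# Constructed role IDs and names for this example only (not Aruba identifiers).
ROLE_IDS = {100: "finance", 200: "guest", 300: "finance-servers", 400: "internet"}

# Role-to-role policy as an explicit allow list: (source role, destination role).
# Anything not listed is denied, which is the "least access" default.
ALLOW = {
    ("finance", "finance-servers"),
    ("finance", "internet"),
    ("guest", "internet"),
}

VXLAN_FLAG_G = 0x80  # first byte: Group Based Policy extension present
VXLAN_FLAG_I = 0x08  # first byte: VNI field is valid
GBP_FLAG_A = 0x08    # second byte: "policy applied" by an upstream node


def parse_vxlan_gbp(header: bytes):
    """Return (vni, group_policy_id, policy_applied) from an 8-byte VXLAN-GBP header."""
    if len(header) < 8:
        raise ValueError("short VXLAN header")
    flags, gbp_flags, gpid, vni_reserved = struct.unpack("!BBHI", header[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI not marked valid")
    if not flags & VXLAN_FLAG_G:
        raise ValueError("no GBP extension: frame carries no role tag")
    return vni_reserved >> 8, gpid, bool(gbp_flags & GBP_FLAG_A)


def build_vxlan_gbp(vni: int, gpid: int, applied: bool = False) -> bytes:
    """Build a VXLAN-GBP header (used here only to construct sample frames)."""
    gbp_flags = GBP_FLAG_A if applied else 0
    return struct.pack("!BBHI", VXLAN_FLAG_G | VXLAN_FLAG_I, gbp_flags, gpid, vni << 8)


def decide(header: bytes, dst_role: str) -> str:
    """Egress-switch decision: derive the source role from the frame's GPID, then apply ALLOW."""
    _vni, gpid, applied = parse_vxlan_gbp(header)
    src_role = ROLE_IDS.get(gpid)
    if src_role is None:
        return "deny"      # unknown role ID: fail closed rather than guess
    if applied:
        return "permit"    # ingress node already enforced; the A bit avoids double enforcement
    return "permit" if (src_role, dst_role) in ALLOW else "deny"
```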
WAN Propagation
For a role-based Zero Trust model to be effective, the role must travel with data packets across the WAN environment. Both of Aruba’s SD-WAN solutions, EdgeConnect SD-Branch and EdgeConnect SD-WAN, support this capability.
Summary
The table below summarizes the Aruba product that helps achieve various facets of Zero Trust.
Requirement | Zero Trust Architecture | Aruba ESP Solution |
---|---|---|
Know what is on the network | An organization protects resources by defining what resources it has | Aruba Central Client Insights; ClearPass Policy Manager; Cloud Auth |
Authenticate all users and devices | Create, store, and manage enterprise user accounts and identity records | ClearPass Policy Manager; Cloud Auth |
Ensure that asset configuration and compliance guidelines are followed | Gather information about the enterprise asset’s current state and apply updates to configuration and software components | ClearPass OnGuard |
Assign and enforce access policies in the network | All resource authentication and authorization are dynamic and strictly enforced before access is allowed by coordinating a policy engine and a policy enforcement point | Aruba Roles (see the Policy Enforcement page, which discusses how Zero Trust policies are enforced throughout the network) |
Communicate bi-directionally with the security ecosystem and respond to attacks | Provide real-time (or near real-time) feedback on the security posture of enterprise information systems; integrate with security information and event management systems | ClearPass Policy Manager; Aruba 360 Security Exchange |