Policy Definition
Policy definition is more a business-oriented discussion than a technical one. It requires categorizing users and devices by their connectivity needs and specifying the access permissions for each group. This is accomplished by defining Aruba Roles and then associating those roles with a policy in Global Policy Manager.
Roles
An Aruba role is a label that represents a group of users or devices; it is assigned to a client when the client connects to the network. Aruba ESP can assign a role to any connected client in the network and enforce policy based on that role.
IT administrators define a role for every type of user or device that attempts to gain access. All traffic from a client assigned a role is subject to the policy associated with that role throughout the network.
During authentication and authorization, Aruba devices can evaluate a long list of built-in and customizable attributes to decide which role a client receives. These attributes give administrators additional classifications on which to allow or deny network access.
Available attributes include:
- Hostname
- IP address
- Location of a gateway
- MDM membership status
- Firewall traffic classification
- Client OS version
- Time of day
- Profiled device type
Precise assignment of a role is an important foundation for enforcing Zero Trust policy in an organization.
Users and devices that share a common set of security requirements should share a role. Keep the number of roles as small as possible while still achieving the desired security policy: the fewer roles in use, the easier the policy is to understand and maintain.
Policies
A policy and its assigned roles must be defined carefully so that together they provide appropriate, uninterrupted access for all trusted network devices while securing the network from threats.
A policy is a set of rules governing client behavior on the network. Each policy rule defines the traffic permitted or denied between a source role and a destination role. Roles are often assigned dynamically during authentication, and all traffic from the associated user or device is marked with that role's ID for the duration of the access session.
Because traffic carries a unique role ID, the policy can be enforced on any Aruba device, which ensures a consistent security posture across all areas of the network.
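The two ideas above, attribute-driven role assignment and a default-deny role-to-role rule table, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Aruba code and does not use any Aruba API. The role names, the attribute names on `Client`, the first-match rule order and the `PERMITTED` table are all constructed for illustration. It also shows why the role count matters: the policy matrix has one cell per (source role, destination role) pair.

```python
"""Role assignment from client attributes, then role-to-role policy lookup.

Added illustration of the model described above, not Aruba code. Role names,
attribute names, rule order and the permit table are constructed examples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Client:
    """Attributes of the kind listed above; all values here are constructed."""
    hostname: str
    ip: str
    device_type: str    # output of device profiling
    os_version: str
    mdm_enrolled: bool  # MDM membership status
    auth_hour: int      # hour of day (0-23) at which the client authenticated


# Role assignment rules, evaluated first-match. The most specific and most
# trusted conditions come first; a client that matches nothing is quarantined.
ROLE_RULES: List[Tuple[str, Callable[[Client], bool]]] = [
    ("corp-managed",   lambda c: c.device_type == "laptop" and c.mdm_enrolled),
    ("printer",        lambda c: c.device_type == "printer"),
    ("iot-camera",     lambda c: c.device_type == "camera"),
    ("video-recorder", lambda c: c.device_type == "nvr"),
    # Unmanaged laptops and phones get a restricted role, and only during
    # business hours; outside that window they fall through to the default.
    ("byod",           lambda c: c.device_type in ("laptop", "phone")
                                 and not c.mdm_enrolled
                                 and 7 <= c.auth_hour < 19),
]
DEFAULT_ROLE = "quarantine"


def assign_role(client: Client) -> str:
    """Return the first role whose predicate matches, else DEFAULT_ROLE."""
    for role, predicate in ROLE_RULES:
        if predicate(client):
            return role
    return DEFAULT_ROLE


# Role-to-role policy: only (source role, destination role) pairs listed here
# are permitted. Every other pair is denied, so the table is default-deny.
PERMITTED: Dict[Tuple[str, str], str] = {
    ("corp-managed", "corp-managed"): "permit",
    ("corp-managed", "printer"): "permit",
    ("corp-managed", "video-recorder"): "permit",
    ("byod", "printer"): "permit",
    ("iot-camera", "video-recorder"): "permit",
}


def policy_decision(src_role: str, dst_role: str) -> str:
    """The decision depends only on the two role IDs, never on IP or location."""
    return PERMITTED.get((src_role, dst_role), "deny")


def decide(src: Client, dst: Client) -> str:
    """Assign a role to each endpoint, then look up the role-to-role rule."""
    return policy_decision(assign_role(src), assign_role(dst))


def policy_matrix(roles: List[str]) -> Dict[str, Dict[str, str]]:
    """Full source-by-destination matrix. It has len(roles) ** 2 cells, which
    is why the text recommends keeping the number of roles small."""
    return {s: {d: policy_decision(s, d) for d in roles} for s in roles}


if __name__ == "__main__":
    laptop = Client("lt-0042", "10.1.20.7", "laptop", "14.4", True, 9)
    phone = Client("ph-0311", "10.1.21.3", "phone", "17.5", False, 22)
    printer = Client("prn-lobby", "10.9.0.12", "printer", "fw-3.1", False, 6)
    for src in (laptop, phone):
        print(f"{src.hostname} as {assign_role(src)} -> {assign_role(printer)}:"
              f" {decide(src, printer)}")
    roles = sorted({r for r, _ in ROLE_RULES} | {DEFAULT_ROLE})
    for src, row in policy_matrix(roles).items():
        print(f"{src:15}", " ".join("P" if v == "permit" else "." for v in row.values()))
```

Two properties are worth noticing. The lookup in `policy_decision` never sees an IP address, so moving a client to another subnet or site changes nothing as long as it is assigned the same role. And because unmatched pairs are denied, adding a role adds a whole row and column of implicit denies that someone has to reason about, which is the practical cost behind the advice to keep roles few.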
Global Policy Manager
The Aruba Central cloud platform hosts applications to manage policy across the ESP architecture. Central provides an interface identified as Global Policy Manager (GPM). Within GPM, an operator defines the roles and role-to-role policies. These elements are then pushed to relevant networking infrastructure for enforcement.
An example of GPM in use today is a NetConductor fabric. The switches and gateways in a NetConductor fabric use a policy ID (Aruba Role) marked in the VXLAN header of every packet in the overlay to enable policy enforcement anywhere in the network. Policies are configured through the Client Roles interface in the gateway Security configuration section on Central.
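The page states that the policy ID travels in the VXLAN header of every overlay packet but does not give the encoding. The example below, added here and not Aruba or NetConductor code, assumes the VXLAN Group-Based Policy extension format (draft-smith-vxlan-group-policy), in which the G flag in byte 0 marks a 16-bit Group Policy ID in bytes 2-3 ahead of the 24-bit VNI; whether NetConductor uses exactly this layout is an assumption of the example. The numeric role IDs and the permit set are constructed. It shows what an egress enforcement point actually does with the mark: take the source role from the header, the destination role from its own endpoint binding, and apply the same rule regardless of where in the fabric the packet exits.

```python
"""Encode and decode a VXLAN header carrying a group policy (role) ID.

Added illustration, not Aruba code. ASSUMPTION: the VXLAN-GBP layout from
draft-smith-vxlan-group-policy (G flag, 16-bit Group Policy ID in bytes 2-3,
VNI in bytes 4-6). Role IDs and the permit set are constructed.
"""
import struct
from typing import Dict, NamedTuple, Set, Tuple

# Byte 0 flags (bit 0 is the most significant bit, as in the draft's diagram).
FLAG_G = 0x80  # Group Policy ID field in bytes 2-3 is valid
FLAG_I = 0x08  # VNI field is valid (RFC 7348)
# Byte 1 flag
FLAG_A = 0x08  # policy already applied by an upstream hop; do not apply again


class VxlanGbp(NamedTuple):
    vni: int
    policy_id: int
    policy_applied: bool


def encode(vni: int, policy_id: int, policy_applied: bool = False) -> bytes:
    """Build the 8-byte VXLAN header with the GBP fields set."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= policy_id < (1 << 16):
        raise ValueError("policy ID must fit in 16 bits")
    byte1 = FLAG_A if policy_applied else 0
    # Layout: flags(1) | flags(1) | policy id (2) | VNI (3) | reserved (1).
    return struct.pack(">BBHI", FLAG_G | FLAG_I, byte1, policy_id, vni << 8)


def carries_policy_id(hdr: bytes) -> bool:
    """True only if the G flag says the policy field is meaningful."""
    return len(hdr) >= 8 and bool(hdr[0] & FLAG_G)


def decode(hdr: bytes) -> VxlanGbp:
    """Parse the header, refusing packets that carry no valid policy ID."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    byte0, byte1, policy_id, tail = struct.unpack(">BBHI", hdr[:8])
    if not byte0 & FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    if not carries_policy_id(hdr):
        # Without G the field is just reserved bits; never trust it as a role.
        raise ValueError("G flag clear: header carries no policy ID")
    return VxlanGbp(vni=tail >> 8, policy_id=policy_id,
                    policy_applied=bool(byte1 & FLAG_A))


# Constructed role IDs and role-to-role permits for the example.
ROLE_IDS: Dict[str, int] = {"corp-managed": 10, "byod": 11, "printer": 20,
                            "iot-camera": 30, "video-recorder": 31}
PERMITTED: Set[Tuple[int, int]] = {(10, 10), (10, 20), (10, 31), (11, 20), (30, 31)}


def enforce(hdr: bytes, dst_policy_id: int) -> str:
    """Egress-side enforcement: source role from the header, destination role
    from the local endpoint binding; the rule is the same at every exit point."""
    pkt = decode(hdr)
    if pkt.policy_applied:
        return "permit"  # an upstream hop already enforced the rule (A bit)
    return "permit" if (pkt.policy_id, dst_policy_id) in PERMITTED else "deny"


if __name__ == "__main__":
    hdr = encode(vni=5000, policy_id=ROLE_IDS["corp-managed"])
    print(hdr.hex(), decode(hdr))
    print("corp-managed -> printer:", enforce(hdr, ROLE_IDS["printer"]))
    print("corp-managed -> byod:   ", enforce(hdr, ROLE_IDS["byod"]))
```

The G-flag check matters in practice: a plain RFC 7348 VXLAN packet has zeros in bytes 2-3, and an enforcement point that read those bytes as a role without checking the flag would silently classify such traffic as whatever role ID 0 means in its table.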
Additional Policy Managers
Global Policy Manager is the future for unified policy definition at Aruba. Policy definition within GPM will continue to be enhanced to support more Aruba products. Today, policy is also managed in the following additional products:
- Campus policy on AOS-10 Gateways
- Data center policy with Pensando Policy Manager
- SD-WAN policy on AOS-10 Gateways
- SD-WAN policy on EdgeConnect SD-WAN gateways