Aruba SD-Branch and Microbranch integration with Zscaler Internet Access
The SD-Branch and Microbranch solutions are part of Aruba’s Edge Services Platform (ESP), a key evolution of end-to-end network architecture, especially when it comes to edge-to-cloud security. ESP provides a unified infrastructure with centralized management that leverages artificial intelligence (AI) for improved operational experience. This helps customers enable a Zero Trust security policy on their existing infrastructure.
Security is an integral part of the Aruba ESP solution. First, because the solution is built from the ground up to be completely policy-driven (or, in Aruba terms, role-based). Secondly, because of the fact that in most cases branches will be directly exposed to the Internet, which will require very robust hardening policies. And lastly, due to the firm belief that “best-of-breed” layered security should also be built around branch networks.
This Zero Trust approach to security complements with Zscaler in building a fully orchestrated SASE Architecture.
Security Layers
The security in Aruba SD-Branch is built in layers, from the hardening of the operating system to the integration with best-of-breed security partners. ArubaOS, running on gateways and microbranch, is a tightly hardened platform. This includes:
- Secure boot; TPM signed software image. Heavily restricting communications until the Gateway has received its configuration from Aruba Central.
- Secure Zero Touch Provisioning; Leveraging the TPM loaded in the Aruba Gateways to secure communications with Aruba Central.
- AES 256 encryption for SD-WAN Overlay tunnels.
- Aruba Role-based Stateful firewall; With support for scalable configuration using firewall aliases, ALGs, and role-based policies.
- Deep Packet Inspection, using Qosmos’s application engine and signatures, with capacity to identify close to 3500 applications.
- Web content, reputation and geo-location filtering; using WebRoot’s machine learning technology to classify content, reputation, and geolocation for billions of URLs.
- Aruba Threat Defense; Powered by ProofPoint’s Threat Intelligence, Aruba 9000 Series gateways can perform IDS/IPS functions for all branch traffic.
Secondly, the Aruba ESP solution can integrate with ClearPass (or any other AAA server) to form a true policy-driven branch. This model dynamically assigns policies based on users, devices and applications, as opposed to the traditional way of assigning these policies manually based on ports, VLANs and IP addresses. This policy-driven branch can be enhanced by leveraging integrations with 140+ partners in the ClearPass Exchange program. This is further enhanced by the AI/ML driven Client Insights that are part of Aruba ESP.
Lastly, Aruba ESP is built to be integrated with best-of-breed third-party security infrastructure partners. With these integrations, the ESP architecture seeks to offer enterprise-grade advanced threat protection in a scalable manner. The integration with Zscaler’s Security as a Service offering, provides an extremely simple and scalable solution for advanced threat protection in branch networks.