Zero Trust Framework
Network Access Control
To provide secure access to the network infrastructure, a critical component is implementing a Network Access Control (NAC) solution, with an authentication, authorization, accounting, and device profiling feature-set to ensure that only known and authorized clients are connected and dynamically placed in the appropriate network segment.
HPE Aruba Networking offers two Network Access Control (NAC) options that are compatible with the NetConductor solution. ClearPass Policy Manager, the gold standard for NAC, offers the most complete and flexible feature set available and integrates with AI-powered Client Insights for device profiling, automated segmentation, and enforcement. Aruba Central includes Aruba CloudAuth, which provides a core set of features and is currently limited to cloud-based authentication sources such as Microsoft Entra ID, Google Auth, or Okta. A third-party NAC solution can also be used for secure onboarding, as long as it can be defined as an authentication server and returns the Aruba-User-Role RADIUS Vendor-Specific Attribute (VSA) in its authorization policy.
Aruba CX switches, access points, and gateways support colorless ports and role-based micro-segmentation. Colorless ports allow every authenticating port to carry the same configuration, so clients can connect to any switch port across the enterprise. Based on the configured AAA authentication and authorization profile and the assigned Aruba-User-Role, the client is automatically placed in the right segment, which provides role-based micro-segmentation.
Monitoring and Visibility
Aruba Central includes AI-powered Client Insights to provide visibility and granular profiling. Client Insights uses native infrastructure telemetry from Aruba’s access points, switches, gateways, and controlled crowd-sourced Machine Learning to validate fingerprints and provide precision classification capabilities. Client/Endpoint classification enables organizations to label devices and assign the Aruba-User-Role from ClearPass Policy Manager as they connect to the network.
Client Insights enables continuous monitoring of clients and, when paired with Aruba ClearPass Policy Manager, provides closed-loop, end-to-end access control with automated policy enforcement. If a client has been compromised or behaves suspiciously, it can be quarantined by issuing a dynamic change of authorization (CoA) that disconnects it or changes its User-Role to one with limited access for testing, repair, or replacement.
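The following Python example is added here and is not HPE Aruba Networking documentation or product code. It shows how the Aruba-User-Role VSA from the Network Access Control section is carried on the wire and how the change-of-authorization described above reuses it: it encodes the attribute as a third-party NAC server would in an Access-Accept, parses it back with length checks, falls back to a restricted role when the returned name is not one the network defines, and builds and verifies the CoA-Request that moves a client to a quarantine role. Aruba's IANA enterprise number (14823) and the vendor type of Aruba-User-Role (1) are taken from the standard RADIUS dictionary for Aruba; the role names, MAC address and shared secret are constructed sample values.

```python
"""Aruba-User-Role RADIUS VSA: encode, parse, validate, and carry in a CoA-Request.

Vendor-Specific attribute wire format (RFC 2865 section 5.26):
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value
CoA-Request packet format and authenticator (RFC 5176):
  Code=43 | Identifier | Length | Request Authenticator (16) | attributes
  Request Authenticator = MD5(Code + Id + Length + 16 zero bytes + attributes + secret)
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Set, Tuple

VENDOR_SPECIFIC = 26        # RADIUS attribute type "Vendor-Specific"
CALLING_STATION_ID = 31     # RADIUS attribute carrying the client MAC
COA_REQUEST = 43            # RFC 5176 CoA-Request code
ARUBA_VENDOR_ID = 14823     # Aruba IANA enterprise number (standard RADIUS dictionary)
ARUBA_USER_ROLE = 1         # Aruba-User-Role vendor type (standard RADIUS dictionary)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one plain RADIUS attribute (Type, Length, Value)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_user_role_vsa(role: str) -> bytes:
    """Encode Aruba-User-Role=<role> as a Vendor-Specific attribute."""
    value = role.encode("utf-8")
    vendor_len = 2 + len(value)          # Vendor-Type + Vendor-Length + value
    total_len = 2 + 4 + vendor_len       # Type + Length + Vendor-Id + vendor part
    if total_len > 255:
        raise ValueError("role name too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len,
                       ARUBA_VENDOR_ID, ARUBA_USER_ROLE, vendor_len) + value


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list; rejects truncated or inconsistent lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def is_well_formed(blob: bytes) -> bool:
    try:
        decode_attributes(blob)
        return True
    except ValueError:
        return False


def extract_user_role(blob: bytes) -> Optional[str]:
    """Return the Aruba-User-Role value from an attribute list, or None if absent."""
    for atype, value in decode_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue                      # some other vendor's VSA
        vtype, vlen = value[4], value[5]
        if vtype == ARUBA_USER_ROLE and vlen >= 2 and 4 + vlen <= len(value):
            return value[6:4 + vlen].decode("utf-8", errors="replace")
    return None


def select_role(reply_attrs: bytes, known_roles: Set[str], fallback: str) -> str:
    """Only a role the network actually defines is honoured; anything else gets the fallback role."""
    role = extract_user_role(reply_attrs)
    return role if role in known_roles else fallback


def build_coa_quarantine(identifier: int, client_mac: str, role: str, secret: bytes) -> bytes:
    """Build a CoA-Request that re-assigns the session identified by client_mac to `role`."""
    attrs = attr(CALLING_STATION_ID, client_mac.encode()) + encode_user_role_vsa(role)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the enforcement point does before acting on a CoA: check length and authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    # Constructed sample values: an Access-Accept reply and a quarantine CoA for one client.
    reply = encode_user_role_vsa("employee")
    print("assigned role:", select_role(reply, {"employee", "printer"}, "quarantine"))
    coa = build_coa_quarantine(7, "aa-bb-cc-dd-ee-ff", "quarantine", b"constructed-secret")
    print("CoA verified:", verify_coa_request(coa, b"constructed-secret"),
          "role:", extract_user_role(coa[20:]))
```

The fallback in `select_role` matters operationally: a NAC server that returns a role name the switch or gateway does not know leaves the client in whatever the platform's default is, so validating the name against the defined role set keeps a typo in an authorization policy from becoming an unintended grant.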
Macro vs. Micro Segmentation (VRF and/or Subnet vs. User Role)
Traditionally, macro segmentation placed an end user or device in a subnet with similar users or devices and then used ACLs to permit or deny traffic based on source and destination IP addresses, port numbers, and so on. Aruba NetConductor can replace subnet-based segmentation with User Roles and role-based policies, which are easier to manage. In both cases, it is appropriate to use multiple VRFs to isolate large blocks of users or devices that never have reason to connect directly with one another. Usage varies, but typical examples include guest networks, data center management networks, and production plant or lab equipment that relies on older, less secure operating systems.
User Role and Policy Design
A user role is simply a way to represent a grouping of users or devices that share a common set of access policies. A role is assigned when a new user or device is brought onto the network. Aruba uses various methods to assign roles, and a role can impact policies in multiple ways.
Historically, roles and their accompanying policies were defined separately for each platform in the network in various places. Going forward, user roles are defined in Aruba Central Global Policy Manager, and the centralized configuration is applied consistently across all network infrastructure.
User Roles are assigned to users and devices using a network access control (NAC) solution such as ClearPass, CloudAuth, or a third-party solution.
Aruba Central Global Policy Manager configures User Roles and role-to-role policies. To make these roles more powerful and consistent with the ESP architecture, they can be managed globally from Aruba Central. For example, if you have five roles in your network, a role-to-role policy is created by defining permissions from one role to another. By configuring this only once in Central, it is applied to all relevant network devices: from a Microbranch or Bridge Mode AP, to a Mobility Gateway, to a switch. There is no need to build three different formats of security policy.
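The following Python model is an added example, not HPE Aruba Networking code and not a representation of how Global Policy Manager stores policy. It illustrates the two layers from the segmentation section and this one: VRFs provide macro segmentation (no path between VRFs in this model, since route leaking is not modelled), and a single role-to-role policy table provides micro segmentation inside a VRF, authored once and exported as the same device-neutral rule list for every enforcement point. The five roles, VRF names and port numbers are constructed sample values.

```python
"""Role-to-role micro-segmentation on top of VRF macro-segmentation (added model)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

Port = Tuple[str, int]          # e.g. ("tcp", 9100)


@dataclass(frozen=True)
class Endpoint:
    role: str                   # Aruba-User-Role assigned at authentication time
    vrf: str                    # VRF the endpoint's segment belongs to


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    ports: Optional[FrozenSet[Port]]   # None means any protocol/port
    action: str                        # "permit" or "deny"


class RolePolicy:
    """One ordered role-to-role table; first matching rule wins, implicit deny at the end."""

    def __init__(self, roles: Iterable[str]) -> None:
        self.roles = set(roles)
        self.rules: List[Rule] = []

    def _check(self, *names: str) -> None:
        for name in names:
            if name not in self.roles:
                raise KeyError(f"unknown role {name!r}: roles must be defined before policy references them")

    def permit(self, src: str, dst: str, ports: Optional[Iterable[Port]] = None) -> None:
        self._check(src, dst)
        self.rules.append(Rule(src, dst, None if ports is None else frozenset(ports), "permit"))

    def deny(self, src: str, dst: str, ports: Optional[Iterable[Port]] = None) -> None:
        self._check(src, dst)
        self.rules.append(Rule(src, dst, None if ports is None else frozenset(ports), "deny"))

    def evaluate(self, src: Endpoint, dst: Endpoint, proto: str, port: int) -> str:
        """Decide one flow from src to dst. Direction matters: a permit is not symmetric."""
        if src.vrf != dst.vrf:
            return "deny (vrf isolation)"          # macro segmentation: no inter-VRF path
        for rule in self.rules:                     # micro segmentation inside the VRF
            if rule.src_role == src.role and rule.dst_role == dst.role \
                    and (rule.ports is None or (proto, port) in rule.ports):
                return rule.action
        return "deny (implicit)"                    # nothing matched: zero-trust default

    def export(self) -> List[str]:
        """Flatten the table into the same device-neutral lines for AP, gateway and switch."""
        lines = []
        for r in self.rules:
            ports = "any" if r.ports is None else ",".join(f"{p}/{n}" for p, n in sorted(r.ports))
            lines.append(f"{r.src_role} -> {r.dst_role} {ports} {r.action}")
        return lines


def build_sample_policy() -> RolePolicy:
    """Constructed five-role example: what each role may initiate toward each other role."""
    policy = RolePolicy(["employee", "contractor", "printer", "iot-camera", "guest"])
    policy.permit("employee", "employee")                                   # any port
    policy.permit("employee", "printer", [("tcp", 9100), ("tcp", 631)])     # print protocols only
    policy.permit("contractor", "printer", [("tcp", 9100)])
    policy.deny("contractor", "iot-camera")                                 # explicit deny, listed first
    policy.permit("employee", "iot-camera", [("tcp", 554)])                 # RTSP from employees only
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for line in policy.export():
        print(line)
    print(policy.evaluate(Endpoint("printer", "corp"), Endpoint("employee", "corp"), "tcp", 445))
```

Two points the model makes visible: the printer-to-employee flow is denied even though employee-to-printer is permitted, because role-to-role permissions are directional, and a guest in the guest VRF never reaches the role table at all, because VRF isolation is decided first.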
Detailed architecture and design information for NetConductor Global Policy Manager is available in the Policy Design Validated Solution Guide.