Integrating SD-Branch and Microbranch Devices with SSE Partners

Listed below are the high-level working principles of Security Service Edge (SSE) partner integration with Aruba SD-Branch and Microbranch devices:

IPsec Tunnel Establishment

The first step in cloud security integration is to establish IPsec tunnels between the Gateways or Microbranch devices and the nearest SSE remote endpoints. Tunnelling preserves data privacy, uses IKEv2 (RFC 4306) for authentication, and adds flexibility because the tunnels can traverse NAT or PAT boundaries and source traffic from dynamically assigned IP addresses.

Policy Based Routing

Once the IPSec tunnels are established, the next step is to ensure that traffic is sent through these tunnels. SD-Branch Gateways and Microbranch APs use policy-based routing to determine which traffic flows are to be sent through the SSE partner. Listed below are the parameters that should be taken into consideration while determining the traffic types to be sent through the SSE partner:

Table 1: PBR Parameters

Parameter                          | Description
-----------------------------------|-----------------------------------------------------------------------------
VLAN/User Role                     | PBR policies can be applied to roles or VLANs.
Stateful Firewall attributes       | Protocol, source/destination address, and source/destination port.
FQDN (Fully Qualified Domain Name) | ArubaOS supports creating netservices based on FQDN, which can be used to build PBR policies.
Application/Application Group      | With caching capabilities in the DPI engine, gateways support the first-packet classification needed to route traffic based on applications or application groups.
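To make the parameters in Table 1 concrete, the following added example (not Aruba code, and not ArubaOS policy syntax) evaluates a flow against an ordered list of PBR rules built from the same attributes: role or VLAN, stateful-firewall 5-tuple fields, FQDN, and DPI application or application group. The rule names, next-hop labels, sample flows and the `trusted-saas.example` domain are constructed for the illustration. First match wins, and the default next hop is the SSE tunnel so that an unclassified flow is never quietly routed around inspection.

```python
"""Added example: a minimal policy-based-routing classifier over the
parameters in Table 1. Rules, flows and next-hop labels are constructed;
this is not ArubaOS configuration syntax or Aruba's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    vlan: int
    role: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    fqdn: Optional[str] = None       # destination name, if resolved/snooped
    app: Optional[str] = None        # first-packet DPI classification, if known
    app_group: Optional[str] = None  # DPI application group, if known


@dataclass
class Rule:
    name: str
    next_hop: str                        # e.g. "sse-tunnel", "direct", "mpls"
    roles: set = field(default_factory=set)
    vlans: set = field(default_factory=set)
    proto: Optional[str] = None
    dst_nets: list = field(default_factory=list)  # ip_network objects
    dports: set = field(default_factory=set)
    fqdn_suffixes: tuple = ()            # ("example.com",) matches host or subdomain
    apps: set = field(default_factory=set)
    app_groups: set = field(default_factory=set)

    def matches(self, f: Flow) -> bool:
        """Every attribute the rule sets must match; unset attributes match any flow."""
        if self.roles and f.role not in self.roles:
            return False
        if self.vlans and f.vlan not in self.vlans:
            return False
        if self.proto and f.proto != self.proto:
            return False
        if self.dst_nets and not any(ip_address(f.dst) in n for n in self.dst_nets):
            return False
        if self.dports and f.dport not in self.dports:
            return False
        if self.fqdn_suffixes:
            if f.fqdn is None:
                return False
            host = f.fqdn.lower().rstrip(".")
            # Match on a label boundary: "evil-trusted-saas.example" must NOT
            # match the suffix "trusted-saas.example".
            if not any(host == s or host.endswith("." + s) for s in self.fqdn_suffixes):
                return False
        if self.apps and f.app not in self.apps:
            return False
        if self.app_groups and f.app_group not in self.app_groups:
            return False
        return True


def select_next_hop(flow: Flow, rules: list, default: str = "sse-tunnel"):
    """Ordered evaluation: the first matching rule decides the next hop.
    Unmatched traffic goes to the SSE tunnel (inspect by default)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.next_hop
    return "default", default


# Constructed sample policy, ordered most-specific first.
SAMPLE_RULES = [
    Rule(name="voice-to-mpls", next_hop="mpls", app_groups={"VoIP"}),
    Rule(name="employee-saas-direct", next_hop="direct",
         roles={"employee"}, proto="tcp", dports={443},
         fqdn_suffixes=("trusted-saas.example",)),
    Rule(name="iot-vlan-to-sse", next_hop="sse-tunnel", vlans={300}),
    Rule(name="corp-dc-direct", next_hop="mpls",
         dst_nets=[ip_network("10.0.0.0/8")]),
]


if __name__ == "__main__":
    f = Flow(vlan=100, role="employee", proto="tcp", src="10.1.100.20",
             dst="203.0.113.10", sport=51000, dport=443,
             fqdn="mail.trusted-saas.example")
    print(select_next_hop(f, SAMPLE_RULES))
```

A guest on the same VLAN reaching the same FQDN falls through to the default because the SaaS rule also requires the employee role, which is how role and FQDN combine in one policy.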

Uplink Load-balancing and Dynamic Path Steering on Branch Gateways

Aruba Branch Gateways (BGWs) support uplink load-balancing. The Branch Gateway establishes a tunnel from every WAN interface to each SSE partner's remote endpoint. To ensure traffic symmetry, all traffic that enters an SSE partner endpoint through a tunnel should return (egress) through the same tunnel.

Aruba Branch Gateways can select the WAN circuit to be used by each traffic flow based on policies such as the ones built for PBR. The routing engine (global routing table or PBR) provides a set of next-hops, and the DPS engine selects the optimal path. Also, Branch Gateways can monitor different WAN circuits to steer traffic to the optimal path based on SLAs set for each application. For monitoring, Branch Gateways can send synthetic probes to the tunnel monitoring IP addresses provided by SSE partners to measure loss, latency, and jitter over the tunnels.

If the measured performance of the INET tunnel drops below the SLA, the gateway steers the traffic to an active tunnel that meets the SLA. If none of the circuits meet the SLA, the system chooses the one that deviates the least from the configured SLA.
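The following added example (not Aruba's DPS implementation) shows the steering logic described above in working form: loss, latency and jitter are derived from a window of synthetic probe results per tunnel, an SLA is checked against each active tunnel, and the selector keeps the current tunnel while it is compliant, otherwise moves to a compliant tunnel, and only when none is compliant picks the one deviating least from the SLA. The probe samples, SLA thresholds and tunnel names are constructed; the relative-overshoot deviation score, the lowest-latency tie-break and the jitter formula are assumptions of this example rather than Aruba's definitions.

```python
"""Added example: SLA-based path selection over probe-derived tunnel stats.
Samples, thresholds and the deviation metric are constructed assumptions,
not Aruba's Dynamic Path Steering algorithm."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sla:
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass
class TunnelStats:
    name: str
    up: bool
    loss_pct: float
    latency_ms: float
    jitter_ms: float


def stats_from_probes(name: str, rtts_ms: List[Optional[float]]) -> TunnelStats:
    """Summarise a window of probe RTTs; None marks a probe that got no reply.
    Jitter is the mean absolute change between consecutive answered probes
    (a simplification, assumed for this example)."""
    answered = [r for r in rtts_ms if r is not None]
    if not answered:
        # No reply at all: treat the tunnel as down.
        return TunnelStats(name, False, 100.0, float("inf"), float("inf"))
    loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    latency = sum(answered) / len(answered)
    diffs = [abs(a - b) for a, b in zip(answered, answered[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0
    return TunnelStats(name, True, loss, latency, jitter)


def meets_sla(t: TunnelStats, sla: Sla) -> bool:
    return (t.loss_pct <= sla.max_loss_pct
            and t.latency_ms <= sla.max_latency_ms
            and t.jitter_ms <= sla.max_jitter_ms)


def sla_deviation(t: TunnelStats, sla: Sla) -> float:
    """Sum of each metric's relative overshoot beyond its threshold (0 when compliant)."""
    def over(value: float, limit: float) -> float:
        excess = value - limit
        if excess <= 0:
            return 0.0
        return excess / limit if limit > 0 else excess
    return (over(t.loss_pct, sla.max_loss_pct)
            + over(t.latency_ms, sla.max_latency_ms)
            + over(t.jitter_ms, sla.max_jitter_ms))


def select_path(tunnels: List[TunnelStats], sla: Sla,
                current: Optional[str] = None) -> Optional[str]:
    """Return the tunnel to use, or None when no tunnel is up.
    1. stay on the current tunnel while it is up and compliant (no flapping)
    2. otherwise prefer a compliant tunnel, lowest latency first (assumed tie-break)
    3. otherwise take the active tunnel that deviates least from the SLA"""
    active = [t for t in tunnels if t.up]
    if not active:
        return None
    if current is not None:
        cur = next((t for t in active if t.name == current), None)
        if cur is not None and meets_sla(cur, sla):
            return cur.name
    compliant = [t for t in active if meets_sla(t, sla)]
    if compliant:
        return min(compliant, key=lambda t: t.latency_ms).name
    return min(active, key=lambda t: sla_deviation(t, sla)).name


# Constructed SLA and probe windows (10 probes per tunnel, None = lost).
VOICE_SLA = Sla(max_loss_pct=1.0, max_latency_ms=100.0, max_jitter_ms=20.0)
INET_PROBES = [30, 32, 31, 33, 30, 32, 31, 33, 30, 32]
LTE_PROBES = [80, None, 90, 85, None, 88, 82, 86, 84, 87]

if __name__ == "__main__":
    inet = stats_from_probes("inet", INET_PROBES)
    lte = stats_from_probes("lte", LTE_PROBES)
    print(inet, lte, select_path([inet, lte], VOICE_SLA, current="inet"))
```

Keeping the current tunnel while it is compliant matters for the symmetry requirement above: every switch moves a flow to a different SSE endpoint tunnel, so the selector only moves when the SLA is actually violated.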

Automating IPsec tunnel establishment through Custom Cloud Connect Service

The Custom Cloud Connect service provides network administrators with a mechanism to efficiently orchestrate connectivity between Aruba SD-Branch Gateways or Microbranch APs and the cloud enforcement points of leading SSE providers such as Aruba SSE, Netskope, CheckPoint, McAfee, Palo Alto, Symantec, iBoss, and so on. Integrating Aruba SD-Branch Gateways and Microbranch APs with SSE vendors allows network administrators to deploy a secure SD-WAN network, in addition to providing the following benefits:

  • Unified security management for campus and branch networks

  • Intelligent routing of traffic based on user roles and application

  • Security event logging and monitoring

To start using the Custom Cloud Connect service, you must first define a custom SSE partner in Cloud Connect by configuring the tunnel settings and populating all the remote endpoints. For deployment, you select the device groups to connect with one or two remote endpoints; this connection is considered one deployment. The Cloud Connect service uses the tunnel orchestrator to send tunnel definitions to SD-Branch and Microbranch devices. The devices connect to the SSE partners using the default IKE and IPsec policies recommended for each service provider. After deployment, you can download the VPN configuration in JSON or CSV format to upload to the SSE management console.

Points to Remember

  • Cloud Connect will orchestrate IPsec tunnels from uplinks labeled as INET or LTE.

  • When you add a new uplink to a Gateway in a group configured to connect to a remote endpoint, Cloud Connect automatically sends the tunnel configuration to the Gateway for that uplink.

  • When you add a new device to a group or move a device from one group to another, Cloud Connect automatically sends or updates tunnel configurations to the device based on the group configuration. For example, consider a scenario where Group A has Cloud Connect to Netskope and Group B has Cloud Connect to Palo Alto. If a device is moved from Group A to Group B, then Cloud Connect will push the tunnel configurations of Palo Alto (and remove the Netskope configuration) to the moved device.

  • If you add or delete a device from a group, Cloud Connect will update the corresponding tunnel configurations. After the update, the CSV or JSON export file is changed, so you can download it again and push it to the SSE management console.

The following figure illustrates the integration of SD-Branch and Microbranch Gateways with a custom SSE provider network:

Figure 1   Integration of SD-Branch and Microbranch Gateways with a Custom SSE Provider

To integrate SD-Branch and Mobility devices with SSE vendors through the Custom Cloud Connect service, complete the following steps:

  1. Integrating a Custom SSE Partner in Cloud Connect

  2. Deploying Groups to Custom Partner Account through Cloud Connect Service

  3. Downloading Partner Configuration