Integration with Prisma Access

A common network architecture today is to tunnel traffic between an organization's headquarters and its branches over either MPLS (Multiprotocol Label Switching) or dedicated encrypted VPN (Virtual Private Network) links. As more services move to a cloud-based architecture, breaking out traffic locally from the branches allows faster delivery and more efficient use of bandwidth than tunneling traffic back to an aggregation point before routing it to its final destination. However, allowing branch devices to connect directly to the Internet may introduce security issues.

The integration between the Aruba Branch Gateways and Prisma Access secures the connection between the branch networks and one or several cloud-hosted enforcement points. Prisma Access is a cloud-based infrastructure that provides security to branch networks by allowing organizations to set up regional cloud-based firewalls. The Aruba Branch Gateways can be configured to bring up secure tunnels to the Prisma Access firewall and redirect selected traffic flows through Prisma Access to provide advanced threat protection in an efficient and scalable way.

The integration between ClearPass and Prisma Access also enables sharing the user context with the firewall and facilitates the creation of role-centric security policies.

The combined solution can offer the following benefits:

  • Unified security management for campus and branch networks.
  • Context-aware security policies driven by ClearPass.
  • Intelligent routing of traffic based on user-role and application.

Deployment Scenarios

The SD-Branch and Prisma Access integration supports the following deployment scenarios:

Branch Gateways to Prisma Access

Aruba Branch Gateways can establish tunnels to one or several Prisma Access nodes (in different regions, as shown in the following figure) to secure user traffic going to public cloud services or to the Internet, thus providing high availability. The solution allows for active-active cloud firewalls.

Figure 1  Branch Gateways to Prisma Access

Regional Hub to Prisma Access

In certain deployments, the branch traffic is aggregated at a local hub and then routed to the Internet or to other corporate resources. In such scenarios, Aruba VPNCs can set up tunnels to the nearest Prisma Access firewall so that branch traffic goes through the distributed security service, as shown in the following figure:

Figure 2  Regional Hub to Prisma Access

Supported IKE and IPSec Cryptographic Profiles

The tunnel configuration recommended for this integration is described in the following table:

Table 1: Tunnel Encryption

Parameters              | Phase 1           | Phase 2
------------------------|-------------------|------------------
Confidentiality         | AES-256           | AES-256
Integrity               | SHA256            | SHA1
Authentication          | Username/password | N/A
Key Exchange Method     | Diffie-Hellman    | Diffie-Hellman
Diffie-Hellman Group    | 14                | 14
NAT-Traversal           | Enabled           | N/A
Dead Peer Detection     | Enabled           |
Perfect Forward Secrecy | N/A               | Yes
VPN Type                | N/A               | Policy-based VPN
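As an added example (not code from the Aruba or Prisma Access documentation), the following Python checker compares a proposed tunnel profile with the Table 1 recommendations and reports every field that is missing or differs; the profile field names and the two sample profiles are assumptions constructed for illustration, not an Aruba or Prisma Access API.

```python
"""Compare a proposed IKE/IPsec profile with the Table 1 recommendations.

Added example: the field names and sample profiles below are assumptions
made for illustration, not an Aruba or Prisma Access API.
"""

# Recommended values from Table 1 (Phase 1 = IKE, Phase 2 = IPsec).
RECOMMENDED = {
    "phase1": {"confidentiality": "AES-256", "integrity": "SHA256",
               "dh_group": 14, "nat_traversal": True, "dead_peer_detection": True},
    "phase2": {"confidentiality": "AES-256", "integrity": "SHA1",
               "dh_group": 14, "pfs": True, "vpn_type": "Policy-based VPN"},
}


def _norm(value):
    """Normalize strings so 'aes256', 'AES-256' and 'aes_256' compare equal."""
    if isinstance(value, str):
        return "".join(ch for ch in value.lower() if ch.isalnum())
    return value


def check_profile(profile):
    """Return one finding per field that is missing or differs from Table 1.

    An empty list means the proposed profile matches the recommendation.
    """
    findings = []
    for phase, expected in RECOMMENDED.items():
        actual = profile.get(phase, {})
        for field, want in expected.items():
            if field not in actual:
                findings.append(f"{phase}: {field} not set (recommended {want!r})")
            elif _norm(actual[field]) != _norm(want):
                findings.append(
                    f"{phase}: {field}={actual[field]!r}, recommended {want!r}")
    return findings


# Constructed samples: a compliant profile, and one with DH group 2, DPD off and PFS off.
COMPLIANT_PROFILE = {
    "phase1": {"confidentiality": "aes-256", "integrity": "sha256", "dh_group": 14,
               "nat_traversal": True, "dead_peer_detection": True},
    "phase2": {"confidentiality": "AES256", "integrity": "SHA1", "dh_group": 14,
               "pfs": True, "vpn_type": "policy-based vpn"},
}
WEAK_PROFILE = {
    "phase1": {"confidentiality": "AES-256", "integrity": "SHA256", "dh_group": 2,
               "nat_traversal": True, "dead_peer_detection": False},
    "phase2": {"confidentiality": "AES-256", "integrity": "SHA1", "dh_group": 2,
               "pfs": False, "vpn_type": "Policy-based VPN"},
}

if __name__ == "__main__":
    for name, prof in (("compliant", COMPLIANT_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, check_profile(prof) or "matches Table 1")
```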

To configure Prisma Access for integration with Aruba SD-Branch, see Configuring Prisma Access for Aruba SD-Branch Integration.

To configure Aruba Branch Gateways for Prisma Access integration, see Configuring Aruba Branch Gateways for Prisma Access Integration.