Integration with Prisma Access
A common network architecture today is to tunnel traffic between the headquarters of an organization and its branches over either MPLS (Multiprotocol Label Switching) or dedicated encrypted VPN (Virtual Private Network) links. As more services move to a cloud-based architecture, breaking out traffic locally from the branches allows faster delivery and more efficient use of bandwidth than tunneling traffic back to an aggregation point before routing it to its final destination. However, allowing branch devices to connect directly to the Internet may introduce security issues.
The integration between the Aruba Branch Gateways and Prisma Access secures the connection between the branch networks and one or several cloud-hosted enforcement points. Prisma Access is a cloud-based infrastructure that provides security to branch networks by allowing organizations to set up regional cloud-based firewalls. The Aruba Branch Gateways can be configured to bring up secure tunnels to the Prisma Access firewall and redirect selected traffic flows through Prisma Access to provide advanced threat protection in an efficient and scalable way.
The integration between ClearPass and Prisma Access also enables sharing the user context with the firewall and facilitates the creation of role-centric security policies.
The combined solution can offer the following benefits:
- Unified security management for campus and branch networks.
- Context-aware security policies driven by ClearPass.
- Intelligent routing of traffic based on user-role and application.
Deployment Scenarios
The SD-Branch and Prisma Access integration supports the following deployment scenarios:
Branch Gateways to Prisma Access
Aruba Branch Gateways can establish tunnels to one or several Prisma Access nodes (in different regions, as shown in the following figure) to secure user traffic going to public cloud services or to the Internet, thus providing high availability. The solution allows for active-active cloud firewalls.
Figure 1 Branch Gateways to Prisma Access
Regional Hub to Prisma Access
In certain deployments, the branch traffic is aggregated at a local hub and then routed to the Internet or to other corporate resources. In such scenarios, Aruba VPNCs can set up tunnels to the nearest Prisma Access firewall to allow branch traffic to go through the distributed security service, as shown in the following figure:
Figure 2 Regional Hub to Prisma Access
Supported IKE and IPSec Cryptographic Profiles
The tunnel configuration recommended for this integration is described in the following table:

Parameters | Phase 1 | Phase 2
---|---|---
Confidentiality | AES-256 | 
Integrity | SHA256 | SHA1
Authentication | Username/password | N/A
Key Exchange Method | Diffie-Hellman | Diffie-Hellman
Diffie-Hellman Group | 14 | 14
Enabled | N/A | 
Dead Peer Detection | Enabled | 
Perfect Forward Secrecy | N/A | Yes
VPN Type | N/A | Policy-based VPN
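As an added example that is not part of this page and not Aruba or Palo Alto Networks code, the following Python script checks a proposed IKE/IPsec tunnel profile against the values recommended in the table above and flags settings that fall below them. The dictionary layout (`phase1`/`phase2` keys and field names) and the two sample profiles are constructed for the illustration; the recommended values themselves are the ones the table lists, and cells the table leaves blank are not enforced.

```python
"""Check a proposed IKE/IPsec profile against the recommended Prisma Access profile.

Added example, not vendor code. The field names and the sample profiles below
are constructed for this illustration; the recommended values come from the
table on the page (blank table cells are intentionally not enforced).
"""
from dataclasses import dataclass

# Recommended values from the table (constructed key names, page values).
RECOMMENDED = {
    "phase1": {"encryption": "AES-256", "integrity": "SHA256",
               "dh_group": 14, "dpd": True},
    "phase2": {"integrity": "SHA1", "dh_group": 14, "pfs": True,
               "vpn_type": "policy-based"},
}

# Algorithms that should be rejected outright, whatever the peer proposes.
WEAK_ENCRYPTION = {"DES", "3DES", "NULL"}
WEAK_INTEGRITY = {"MD5"}
MIN_DH_GROUP = 14  # groups below 14 use MODP smaller than 2048 bits


@dataclass
class Finding:
    phase: str
    setting: str
    expected: object
    actual: object
    severity: str  # "error" = weak or disabled protection, "warn" = deviation


def _severity(setting: str, actual: object) -> str:
    """Classify a deviation: weak algorithm / disabled protection is an error."""
    if setting == "encryption" and str(actual).upper() in WEAK_ENCRYPTION:
        return "error"
    if setting == "integrity" and str(actual).upper() in WEAK_INTEGRITY:
        return "error"
    if setting == "dh_group" and isinstance(actual, int) and actual < MIN_DH_GROUP:
        return "error"
    if setting in ("pfs", "dpd") and actual is False:
        return "error"
    return "warn"


def check_profile(profile: dict) -> list:
    """Return findings for every setting that differs from RECOMMENDED.

    A missing setting counts as a deviation (actual=None) so that an
    incomplete export is not silently accepted as compliant.
    """
    findings = []
    for phase, expected_settings in RECOMMENDED.items():
        actual_settings = profile.get(phase, {})
        for setting, expected in expected_settings.items():
            actual = actual_settings.get(setting)
            if actual == expected:
                continue
            findings.append(Finding(phase, setting, expected, actual,
                                    _severity(setting, actual)))
    return findings


# Constructed sample profiles: one matching the table, one with weak settings.
COMPLIANT_PROFILE = {
    "phase1": {"encryption": "AES-256", "integrity": "SHA256",
               "dh_group": 14, "dpd": True},
    "phase2": {"integrity": "SHA1", "dh_group": 14, "pfs": True,
               "vpn_type": "policy-based"},
}
WEAK_PROFILE = {
    "phase1": {"encryption": "3DES", "integrity": "MD5",
               "dh_group": 2, "dpd": False},
    "phase2": {"integrity": "SHA1", "dh_group": 14, "pfs": False,
               "vpn_type": "route-based"},
}


def summarize(profile: dict) -> dict:
    """Count findings by severity; {'error': 0, 'warn': 0} means compliant."""
    counts = {"error": 0, "warn": 0}
    for f in check_profile(profile):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for name, profile in (("compliant", COMPLIANT_PROFILE), ("weak", WEAK_PROFILE)):
        print(f"{name}: {summarize(profile)}")
        for f in check_profile(profile):
            print(f"  [{f.severity}] {f.phase}.{f.setting}: "
                  f"expected {f.expected!r}, got {f.actual!r}")
```

The split between "error" and "warn" matters in practice: a Phase 2 proposal that is route-based rather than policy-based is a deviation worth reviewing, whereas a Phase 1 proposal with 3DES, MD5 or DH group 2 should never be accepted even if the tunnel would come up.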
To configure Prisma Access for integration with Aruba SD-Branch, see Configuring Prisma Access for Aruba SD-Branch Integration.
To configure Aruba Branch Gateways for Prisma Access integration, see Configuring Aruba Branch Gateways for Prisma Access Integration.