Dynamic Segmentation: Together is Better
IoT is everywhere and changing everything. From smart lighting to Internet-connected equipment such as magnetic resonance imaging (MRI) machines, heating, ventilation and air conditioning (HVAC) systems, security cameras and badge readers, operational technology (OT) is increasingly merging with information technology (IT) to make business operations more efficient.
About 50% of IoT devices are wired, and compared with mobile devices such as laptops and phones they span a far wider range of hardware, operating systems and vendors. Many, if not most, ship without security reinforcements such as antivirus software, and they are not subjected to the same level of scrutiny. As more Internet-connected devices come online, identifying them and authenticating their roles becomes critically important.
Let’s take an airport analogy. The moment you get to an airport, you’re asked to identify yourself using a passport, another form of identity or an iris scan. After this, your luggage is screened. Then you get access to the area near the gate. All the while, you are monitored via cameras and sometimes armed guards. When something strange happens, you may even be questioned or asked to move to a restricted area.
Unified Policy and Management to Secure IoT Networks
As organizations integrate IT and OT networks, unifying authentication and authorization for wired, wireless and IoT devices with existing IT usage models makes sense. Additionally, IT staff need tools that automate the tasks of assigning policy and enforcing rules. Aruba’s Better Together story for wired, wireless and IoT centers on “Unified Policy, One Network Management System (NMS).”
ClearPass, Aruba’s unified policy manager, centrally manages and enforces access policy. It uses standards-based technologies to automate and secure wired, wireless and IoT networks. Its primary functions are device profiling, authentication and authorization. In addition, ClearPass detects changes in device posture or device behavior.
Aruba IntroSpect, a User and Entity Behavior Analytics (UEBA) solution, monitors how users and entities behave while on the network and as users roam between locations. IntroSpect assigns each entity a risk score, similar to a credit score. As in the airport scenario, when strange behavior is noticed, IntroSpect can request that ClearPass take action to quarantine or even blacklist the device.
Aruba’s wired and wireless products can be managed by Aruba AirWave or Aruba Central network management systems (NMS). This not only provides a single NMS to manage both wired and wireless, but also offers organizations a unified option for on-premises (AirWave) or cloud-based (Central) management.
The Aruba Mobility Controller is a crucial part of the solution, as it acts as the policy enforcer for wired, wireless and IoT traffic. All firewall policies, bandwidth contracts and other traffic restrictions are enforced by the controller.
Automatically Enforce Policy with Dynamic Segmentation
The overall solution comprising Aruba switches, Mobility Controllers, ClearPass Policy Manager and AirWave or Central is called Dynamic Segmentation. Together, these components segment the network automatically based on device profiles and divert traffic from selected devices to the controller for further inspection and policy enforcement.
Two features crucial to delivering Dynamic Segmentation are Downloadable User Roles and Tunnel Node. Downloadable User Roles enables ClearPass to act as a centralized policy definition point. It gives ClearPass the ability to tell an Aruba switch whether a device’s traffic should be processed locally or tunneled to a Mobility Controller for further inspection. It allows switches to automatically load policy to identify, profile and authenticate devices connected to it.
Aruba’s access switches implement Tunnel Node, a feature that allows wired traffic entering a switch port to be sent to an Aruba Mobility Controller in a GRE-encapsulated tunnel. In conjunction with Downloadable User Roles, Tunnel Node is the mechanism by which selected device traffic is automatically segmented and redirected to the controller. This enables stateful firewall processing of redirected traffic and advanced application control at the controller when necessary. Integration with IntroSpect adds behavioral analysis of that traffic, so anomalies from these devices can be identified and acted on before unauthorized activity spreads.
The cost and time savings of automatically managing policy and user roles as users or IoT devices connect to an enterprise campus network are substantial. Manual configuration is time-consuming and error-prone, and Dynamic Segmentation eliminates this costly exercise.
How Dynamic Segmentation is Used
Businesses are deploying PoE-connected LED lighting, holographic workstations and 3D printers to create a digital workplace that inspires creativity and innovation. Hospitals are turning to connected medical devices to improve patient care and installing connected MRI machines to make maintenance more efficient. Schools are using smart TVs and augmented reality/virtual reality to engage students more deeply in learning.
The time to physically connect these wired or wireless IoT devices may be the same, but configuring policies on every switch by hand is painstaking work. The security risks are very real: IoT devices are usually built for specialized tasks and optimized for cost and easy maintenance. They are not built with enterprise-class encryption or authentication. They depend on the network to provide security.
With Aruba, Dynamic Segmentation can provide that security and control.
ClearPass acts as a central repository of policies from which user roles can be pushed out to the entire network, wired and wireless. Wired switches apply these roles, authenticate devices using 802.1X or MAC authentication, and place unauthorized devices in a quarantine role behind a captive portal.
This capability is especially useful when adding wired IoT devices such as security cameras, badge readers or 3D printers. Traffic from badge readers or PoE LED lights can be redirected to the Mobility Controller where policy is enforced, so no unauthorized or spurious connectivity is allowed. For example, if a PoE LED light tries to set up 1,000 TCP sessions, it will be quarantined. A connected HVAC will not be allowed to access the company’s ERP system.
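As an added illustration (not Aruba's code, and not taken from this post), here is a toy policy evaluator in Python that models the sequence described above and in the Downloadable User Roles and Tunnel Node section: the authentication result and profiling fingerprint select a role, the role decides whether traffic is handled locally on the switch or tunneled to the controller, the controller permits only the destinations listed for that role, and a device that opens an abnormal number of new TCP sessions is moved to quarantine. The role names, addresses, thresholds and sample flows are all constructed for the example.

```python
"""Toy model of role-based policy enforcement for wired IoT devices.

Added illustration only; it is not ClearPass or switch code. It models the
behavior the post describes: profile + auth -> role, role -> local or tunneled
handling, per-role destination rules, and quarantine on a session-count anomaly.
All roles, addresses, thresholds and flows below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Role:
    """A user role as a switch or controller would receive it from the policy server."""
    name: str
    tunnel_to_controller: bool                       # redirect to controller, or switch locally
    allowed: Tuple[Tuple[str, Optional[int]], ...]   # (destination network, port or None=any)
    max_new_sessions: int                            # new TCP sessions tolerated per window


# Constructed roles; names, subnets and limits are assumptions for the example.
ROLES: Dict[str, Role] = {
    "poe-light":    Role("poe-light",    True,  (("10.0.50.0/24", 443),), 20),
    "hvac":         Role("hvac",         True,  (("10.0.60.0/24", None),), 50),
    "badge-reader": Role("badge-reader", True,  (("10.0.70.10/32", 8443),), 50),
    "employee":     Role("employee",     False, (("0.0.0.0/0", None),), 5000),
    "quarantine":   Role("quarantine",   True,  (), 0),
}

# Constructed mapping from (authentication method, profiled device class) to role.
PROFILE_TO_ROLE = {
    ("802.1x",  "workstation"):    "employee",
    ("macauth", "led-controller"): "poe-light",
    ("macauth", "hvac"):           "hvac",
    ("macauth", "badge-reader"):   "badge-reader",
}


def assign_role(auth_method: str, device_class: str) -> Role:
    """Map an authentication result plus profiling fingerprint to a role.
    Anything unrecognised lands in quarantine, never in a permissive default."""
    return ROLES[PROFILE_TO_ROLE.get((auth_method, device_class), "quarantine")]


def flow_permitted(role: Role, dst_ip: str, dst_port: int) -> bool:
    """Firewall-style check: permit only destinations listed for the role."""
    dst = ip_address(dst_ip)
    return any(dst in ip_network(net) and (port is None or port == dst_port)
               for net, port in role.allowed)


def enforce(auth_method: str, device_class: str,
            flows: List[Tuple[str, int, str]]) -> dict:
    """Run one device's flows through its role.

    Each flow is (dst_ip, dst_port, tcp_flags); a bare "S" flag is a new session
    attempt. Returns the decisions a controller would make, including whether
    the device exceeded its session budget and was moved to quarantine.
    """
    role = assign_role(auth_method, device_class)
    verdicts: Dict[str, str] = {}
    new_sessions = 0
    for dst_ip, dst_port, flags in flows:
        if flags == "S":
            new_sessions += 1
        verdict = "permit" if flow_permitted(role, dst_ip, dst_port) else "deny"
        verdicts[f"{dst_ip}:{dst_port}"] = verdict
    quarantined = new_sessions > role.max_new_sessions
    return {
        "assigned_role": role.name,
        "tunneled": role.tunnel_to_controller,
        "verdicts": verdicts,
        "new_sessions": new_sessions,
        "final_role": "quarantine" if quarantined else role.name,
    }


if __name__ == "__main__":
    # Constructed traffic: a PoE light that suddenly opens 1,000 sessions, and an
    # HVAC unit that talks to its own subnet and then tries the ERP database.
    light = enforce("macauth", "led-controller", [("10.0.50.9", 443, "S")] * 1000)
    hvac = enforce("macauth", "hvac", [("10.0.60.7", 502, "S"), ("10.0.80.5", 1433, "S")])
    print("light:", light["final_role"], light["new_sessions"])
    print("hvac:", hvac["verdicts"])
```

The two design points worth carrying into a real deployment are the default: an unknown device gets the quarantine role, not the employee role, and the separation between the static rule (which destinations a role may reach) and the behavioral rule (how many new sessions a role may open), since the first catches the HVAC unit probing ERP and only the second catches the light that is suddenly scanning.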
Let’s quantify the benefits with an example where we install an additional security camera.
That is a total of 10 minutes for each IoT device. Considering the explosion of IoT devices, a manual process can be extremely time-consuming and prone to careless mistakes, and a single error can double, triple or quadruple the time it takes to bring a device online. Dynamic Segmentation secures your IoT network and eliminates these repetitive configuration tasks, reducing the expensive risk of human error.
Deploy IoT with Confidence
IoT promises to deliver new efficiencies and user experiences, but it’s critical for organizations to have tight controls over the broad variety of new devices connecting to the network. Identifying connected devices and authenticating their roles before they connect to the wired or wireless network is critical to ensure smooth operations and mitigate security risks.
Aruba’s Better Together approach helps ensure this security, and Dynamic Segmentation leverages innovation and technology in a unified operations model. It seamlessly unifies NMS, policy management and enforcement functions for wired, wireless and IoT devices, enabling organizations to advance their IoT initiatives with confidence.
PG Menon is senior director of product and solutions marketing at Aruba.