Simple zero trust networking (part 2)

By sperez posted Jan 21, 2025 01:39 AM


In the first part of this blog series we focused on how HPE Aruba Networking Central NAC can help you identify every user and device and build simple policies to assign each to the desired user-role. That’s a great first step in your zero trust journey! In this second post, we’re going to look at how to build on top of that with segmentation policies that will give every user and device access to what they need… And only to what they need!

Least-privilege access

Ok, so you’re now at a point where you have reasonably good control over who or what is connecting to the network. It’s time to talk about least-privilege access or, as we like to call it, “Role Based Access”. To put this into practice, I believe there’s no simpler way than Dynamic Segmentation [1]. With this technology, the AOS-10 Gateway will play the role of “Policy Enforcement Point” described in the Zero Trust Architecture [2] document published by NIST (US National Institute of Standards and Technology).

With the combination of User Based Tunnels and WLAN networks tunneled to a set of “Segmentation Gateways” (or SD-Branch Gateways if you also want them to be WAN-Facing) you effectively connect client devices directly into the Segmentation Gateway. This means that all traffic gets inspected, including intra-VLAN lateral movement. Here’s a short video that expands a little more on this.

Tunneled WLAN

For your WLAN to tunnel all traffic to an AOS-10 Gateway (your Policy Enforcement Point), configure your access points to “tunnel” traffic to the gateway cluster in the same site. Central will take care of automatically establishing tunnels to the gateways in the same site and setting up that gateway cluster as RADIUS proxy to facilitate authentications and keep track of user roles.

The outcome, as mentioned before, will be that client devices will be virtually "connected" to your UTM.

This should really be all you need to do. If you want to learn all the details about how the technology works behind the covers, feel free to go through the AOS-10 design fundamentals guide [3].

User-based tunnels

Tunneled WLANs solve part of the problem (no lateral movement for wireless clients). For the other part (wired access) you can make use of UBT (User Based Tunnels). With this technology, HPE Aruba Networking switches can tunnel all client traffic to the same AOS-10 gateways being used to centralize traffic from WLAN clients. Set up your switches to authenticate against Cloud Auth and configure the different user-roles to tunnel traffic to the gateways.

You can of course find many more details in the AOS-CX security guide [5], but that summarizes the gist of it!

Continuous monitoring

HPE Aruba Networking Central and Gateways are monitoring all user and device activity for potential security threats. Don’t forget that you have everything directly plugged into a UTM (Unified Threat Management) [5]. Any suspicious lateral movement will be immediately detected, and the necessary actions (block risky traffic, quarantine device, etc.) will be taken. All this is of course reported by Central and can be further streamed to your SIEM to trigger remediation actions. It can also be integrated with HPE Zerto to automate ransomware recovery, as explained in this short video.

To set this up, simply enable IDS/IPS in your gateway group, select a traffic inspection policy (you can optionally use selective inspection to bypass certain roles) and your gateway will be inspecting all traffic flows going through it. Once again, you can find full details in the IDPS Feature guide [6].

In addition to that, New Central brings new AI-driven Network Detection & Response capabilities to your cloud management, alerting you whenever any IoT devices are behaving irregularly. HPE Aruba Networking AI-powered IoT-device behavioral baselining gives security teams a view of anomalies that could be a signal of compromise or attack.

It also helps network and security administrators build tighter security policies around IoT devices by observing the traffic flows over time and recommending which flows should be allowed in your policy, blocking everything else as per your zero trust strategy.

Conclusion

As part of this journey, we’ve covered a lot of concepts: Network Access Control, Dynamic Segmentation, IDS/IPS, ransomware recovery and even AI-Powered NDR! The good news is that most of these capabilities come delivered as a service and are included in your HPE Aruba Networking Central subscription. You just need to start using them!

In other words, the zero trust journey may not be as challenging or as expensive as you were initially fearing… On top of that, you don’t need to do it all at once. You can take iterative steps to secure the different “protect surfaces” connected to your network: perhaps start with IoT, or even with a subset of it, and build from there. One great thing about adopting a zero trust strategy is that every step you take will most likely be a step in the right direction.

If you want to learn more about how to easily implement a zero trust approach to your network, please watch this webinar where we cover this journey through live examples.



Reference documents

[1] HPE Aruba Networking Dynamic Segmentation: https://www.hpe.com/psnow/doc/a00058593enw
