Security

Our company is looking into Clearpass and Axis as tools to replace existing solutions for network access control, private access, and improve our internal and external threat exposure. We have a few questions relating to this.

We looked into both products and noticed that, when it comes to supported posture conditions, Clearpass seems to have more options available than Axis. With that in mind can we use Clearpass posturing as part of Axis SSE privilege level determination? 

In addition to this question, can Axis be used to provide client access instead of an 802.1X based solution in the campus?

Does Axis also fit into a micro-segmentation solution, for example one based on based on VXLAN-GBP?

Martijn,

How I see it, Axis and NAC/ClearPass/micro-segmentation complement each other by different approaches and multiple layers.

Axis is an overlay technology that granularly controls the access to applications and the outside world for clients that have users behind them or can run an Axis agent and can be inside or outside the network (via the internet). Axis delivers that access from/through the cloud, so connectivity is available from both inside your networks and outside, from the internet. It can do application scanning, web scanning, data-leakage protection, CASB authorization/control for web applications, so it's more application traffic.

NAC/ClearPass/Colorless ports/UBT/micro-segmentation controls access and segments the (LAN) network and in that way works for any device, even those that can't run agents. Control and enforcement happens on the network level and by controlling who/what can communicate with who/what allows to define what devices are allowed on the network and what they are allowed to communicate to.

For example, if you have IoT devices, printers, etc, those typically can't run an Axis agent, but also don't need to be outside your network. For those, with network segmentation you can prevent them from accessing servers/services in (or outside) your network, which is a big thing when someone with bad intentions is inside your network (or tries to get access to your network). This prevents someone from plugging into the network and starting to attack other devices on the same network.

Both technologies allow posture checking, to allow traffic/applications only based on the device posture (updated, security tools running, etc.). As of today I don't think you can use the ClearPass OnGuard agent for use with Axis. 

VXLAN-GPB is one technology for segmentation where the enforcement is distributed and can happen inside your network switches and prevent undesired network flows to protect the network, clients and services on the network. Axis can run on top of that, using the network as transport, but will also work on other networks as carrier for the applications.

Your Aruba partner or local Aruba sales team can probably schedule a demo for you to see both products in action.

Our company is looking into Clearpass and Axis as tools to replace existing solutions for network access control, private access, and improve our internal and external threat exposure. We have a few questions relating to this.

We looked into both products and noticed that, when it comes to supported posture conditions, Clearpass seems to have more options available than Axis. With that in mind can we use Clearpass posturing as part of Axis SSE privilege level determination? 

In addition to this question, can Axis be used to provide client access instead of an 802.1X based solution in the campus?

Does Axis also fit into a micro-segmentation solution, for example one based on based on VXLAN-GBP?

Thanks for your answer Herman, so to summarize:

• Users that use the Axis client can be inside of the corporate network or outside of the corporate network to control access to applications, it works at the application level
• Although clientless control is available for Axis, the most granular control is achieved through the client.
• NAC/Clearpass/Microsegmentation/etcetera supports all connected users, it does not require client software.
• Posture is supported on both but onguard does not support Axis

This leaves me with one question left about Axis, does the enforcement (what to allow an deny) always happen in the cloud, or can you also do enforcement for corporate users (in the office) in the datacenter?

Thank you

Martijn,

How I see it, Axis and NAC/ClearPass/micro-segmentation complement each other by different approaches and multiple layers.

Axis is an overlay technology that granularly controls the access to applications and the outside world for clients that have users behind them or can run an Axis agent and can be inside or outside the network (via the internet). Axis delivers that access from/through the cloud, so connectivity is available from both inside your networks and outside, from the internet. It can do application scanning, web scanning, data-leakage protection, CASB authorization/control for web applications, so it's more application traffic.

NAC/ClearPass/Colorless ports/UBT/micro-segmentation controls access and segments the (LAN) network and in that way works for any device, even those that can't run agents. Control and enforcement happens on the network level and by controlling who/what can communicate with who/what allows to define what devices are allowed on the network and what they are allowed to communicate to.

For example, if you have IoT devices, printers, etc, those typically can't run an Axis agent, but also don't need to be outside your network. For those, with network segmentation you can prevent them from accessing servers/services in (or outside) your network, which is a big thing when someone with bad intentions is inside your network (or tries to get access to your network). This prevents someone from plugging into the network and starting to attack other devices on the same network.

Both technologies allow posture checking, to allow traffic/applications only based on the device posture (updated, security tools running, etc.). As of today I don't think you can use the ClearPass OnGuard agent for use with Axis. 

VXLAN-GPB is one technology for segmentation where the enforcement is distributed and can happen inside your network switches and prevent undesired network flows to protect the network, clients and services on the network. Axis can run on top of that, using the network as transport, but will also work on other networks as carrier for the applications.

Your Aruba partner or local Aruba sales team can probably schedule a demo for you to see both products in action.

Our company is looking into Clearpass and Axis as tools to replace existing solutions for network access control, private access, and improve our internal and external threat exposure. We have a few questions relating to this.

We looked into both products and noticed that, when it comes to supported posture conditions, Clearpass seems to have more options available than Axis. With that in mind can we use Clearpass posturing as part of Axis SSE privilege level determination? 

In addition to this question, can Axis be used to provide client access instead of an 802.1X based solution in the campus?

Does Axis also fit into a micro-segmentation solution, for example one based on based on VXLAN-GBP?