Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Axis and Clearpass

  • 1.  Axis and Clearpass

    Posted Feb 12, 2024 05:12 PM

    Our company is looking into Clearpass and Axis as tools to replace existing solutions for network access control, private access, and improve our internal and external threat exposure. We have a few questions relating to this.

    We looked into both products and noticed that, when it comes to supported posture conditions, Clearpass seems to have more options available than Axis. With that in mind can we use Clearpass posturing as part of Axis SSE privilege level determination? 

    In addition to this question, can Axis be used to provide client access instead of an 802.1X based solution in the campus?

    Does Axis also fit into a micro-segmentation solution, for example one based on VXLAN-GBP?



  • 2.  RE: Axis and Clearpass

    EMPLOYEE
    Posted Feb 16, 2024 06:26 AM

    Martijn,

    How I see it, Axis and NAC/ClearPass/micro-segmentation complement each other by different approaches and multiple layers.

    Axis is an overlay technology that granularly controls the access to applications and the outside world for clients that have users behind them or can run an Axis agent and can be inside or outside the network (via the internet). Axis delivers that access from/through the cloud, so connectivity is available from both inside your networks and outside, from the internet. It can do application scanning, web scanning, data-leakage protection, CASB authorization/control for web applications, so it's more application traffic.

    NAC/ClearPass/Colorless ports/UBT/micro-segmentation controls access and segments the (LAN) network and in that way works for any device, even those that can't run agents. Control and enforcement happen on the network level and, by controlling who/what can communicate with who/what, allow you to define what devices are allowed on the network and what they are allowed to communicate to.

    For example, if you have IoT devices, printers, etc, those typically can't run an Axis agent, but also don't need to be outside your network. For those, with network segmentation you can prevent them from accessing servers/services in (or outside) your network, which is a big thing when someone with bad intentions is inside your network (or tries to get access to your network). This prevents someone from plugging into the network and starting to attack other devices on the same network.

    Both technologies allow posture checking, to allow traffic/applications only based on the device posture (updated, security tools running, etc.). As of today I don't think you can use the ClearPass OnGuard agent for use with Axis. 

    VXLAN-GBP is one technology for segmentation where the enforcement is distributed and can happen inside your network switches and prevent undesired network flows to protect the network, clients and services on the network. Axis can run on top of that, using the network as transport, but will also work on other networks as carrier for the applications.

    Your Aruba partner or local Aruba sales team can probably schedule a demo for you to see both products in action.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Axis and Clearpass

    Posted Feb 16, 2024 09:10 AM

    Thanks for your answer Herman, so to summarize:

    • Users that use the Axis client can be inside of the corporate network or outside of the corporate network to control access to applications, it works at the application level
    • Although clientless control is available for Axis, the most granular control is achieved through the client.
    • NAC/Clearpass/Microsegmentation/etcetera supports all connected users, it does not require client software.
    • Posture is supported on both, but OnGuard does not support Axis.

    This leaves me with one question left about Axis: does the enforcement (what to allow and deny) always happen in the cloud, or can you also do enforcement for corporate users (in the office) in the datacenter?

    Thank you




  • 4.  RE: Axis and Clearpass

    EMPLOYEE
    Posted Feb 16, 2024 10:30 AM

    No, Axis does not always require a client, there is clientless access as well, which is great for example for contractors. They can access internal applications from the outside through just a web browser, and based on policy you can just allow access to that application, optionally even only in a specific time window. But there is an actual user behind it that logs in and interacts with the application (web, SSH, remote desktop, and more), and the communication runs through the Axis cloud. This replaces VPNs where the problem generally is that when you have access to the VPN, you typically have more access than needed and logging is very limited. The policy decision is made in the Axis cloud.

    With an Axis agent installed, it's more transparent for the user as they can just use applications as if they are on the local network, so no need to go through the portal. It's not that one or the other is more granular. With the agent you can also do more posture as the agent has access to the client where it's running on.

    Enforcement indeed happens in the cloud. For example, if you provide access to a server in your datacenter, there is no further control over what you can access from there. That means network segmentation is still needed there. But with more and more applications running in the public cloud, for Axis it doesn't really matter if the applications are inside your own datacenter or running on the internet.



    ------------------------------
    Herman Robers
    ------------------------------
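The two layers Herman describes in replies 2 and 4 (network-level segmentation that needs no agent and covers IoT, plus application-level access that considers user identity and device posture) can be modelled as two independent policy decisions. The Python below is an added illustration written for this thread; it is not code from Aruba, ClearPass or Axis. The role names, the role-to-role flow table, the user groups, the posture attributes and the sample observed flows are all constructed for the example.

```python
"""Toy model of two complementary enforcement layers.

Layer 1 (network / NAC): a device is placed in a role at the port (802.1X or
profiling) and a role-to-role table says which roles may talk. No agent is
involved, so printers and IoT devices are covered, and a device that tries to
leave its segment is both blocked and visible.

Layer 2 (application / SSE): a user on a managed client requests an
application; the decision considers group membership and device posture,
which only an agent on the client can report.

All roles, flows, groups and posture checks below are constructed examples.
"""
from dataclasses import dataclass

# ---- Layer 1: role-based network segmentation (default deny) ----
# Constructed allow list: (source role, destination role) pairs that may talk.
NETWORK_FLOWS = {
    ("printer", "print-server"),
    ("employee-device", "print-server"),
    ("employee-device", "app-server"),
    ("iot-sensor", "iot-collector"),
}


def network_allows(src_role: str, dst_role: str) -> bool:
    """Only explicitly listed role pairs may communicate on the LAN."""
    return (src_role, dst_role) in NETWORK_FLOWS


# Constructed sample of observed flows: (source role, destination role, port).
OBSERVED_FLOWS = [
    ("printer", "print-server", 9100),
    ("printer", "app-server", 22),          # a printer reaching SSH on an app server
    ("iot-sensor", "iot-collector", 8883),
    ("iot-sensor", "employee-device", 445), # a sensor reaching SMB on a user device
]


def audit_flows(flows):
    """Return the observed flows the segmentation policy blocks.

    These are the flows worth alerting on: a device in an IoT or printer role
    trying to reach a segment it has no business in is the 'plugged in and
    started probing other devices' case from the thread.
    """
    return [f for f in flows if not network_allows(f[0], f[1])]


# ---- Layer 2: application access with identity and posture ----
@dataclass
class Posture:
    os_patched: bool
    edr_running: bool
    disk_encrypted: bool


@dataclass
class AppRule:
    allowed_groups: set
    required_posture: list  # Posture attribute names that must be True


# Constructed application policy.
APP_POLICY = {
    "hr-portal": AppRule({"hr", "it-admin"}, ["os_patched", "edr_running"]),
    "git": AppRule({"engineering", "it-admin"},
                   ["os_patched", "edr_running", "disk_encrypted"]),
}


def app_allows(app: str, user_groups, posture: Posture):
    """Decide application access; returns (allowed, reason).

    Identity is checked before posture so a failed posture never reveals
    whether the user would otherwise have been entitled to the application.
    """
    rule = APP_POLICY.get(app)
    if rule is None:
        return False, "unknown application"
    if not (set(user_groups) & rule.allowed_groups):
        return False, "user not in an allowed group"
    failed = [c for c in rule.required_posture if not getattr(posture, c)]
    if failed:
        return False, "posture failed: " + ", ".join(failed)
    return True, "allowed"


if __name__ == "__main__":
    for flow in audit_flows(OBSERVED_FLOWS):
        print("blocked on the network:", flow)
    laptop = Posture(os_patched=True, edr_running=True, disk_encrypted=False)
    print("git:", app_allows("git", ["engineering"], laptop))
```

Note that the application decision never consults the flow table and vice versa, which is the point of the thread: a laptop that passes the network check can still be refused an application on posture, and a printer that has no agent at all is still confined by the network layer.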