Aruba has taken steps to bolster the security and manageability of its branch-office networking package for customers with lots of branch sites.
The HPE company enhanced its SD-Branch software with identity-based attack detection and intrusion prevention, and improvements to its SD-WAN Orchestrator to make it easier to deploy security features on a large scale.
Aruba’s SD-Branch software runs on its branch gateways and includes a variety of integrated features like a firewall that support LAN, WAN, Wi-Fi networks, and segmentation as well integration with the company’s ClearPass policy-management software and its cloud-based package Aruba Central. The package can integrate its data with partner security platforms such as Check Point, Palo Alto Networks, and Z-Scaler.
Aruba has added role-based intrusion detection/intrusion prevention (IDS/IPS) features that let customers watch over and set security policies on individual or role-based access to branch endpoints, according to Kishore Seshadri, Aruba’s vice-president and general manager of SD-WAN Solutions.
Controlling the access each user has to resources is a component of zero-trust security, which is the direction Aruba has been heading, Seshadri said.
A recent Network World article defined the idea of zero-trust networks as simply: “trust no one. Verify everyone. Enforce strict access-control and identity-management policies that restrict employee access to the resources they need to do their job and nothing more.” According to a recent 451 Group survey, only around 13% of enterprises have started down the zero-trust path.
The new support lets customers monitor individual endpoints and block traffic when necessary, all based on policies set locally in ClearPass, Seshadri said.
The new package also supports threat visibility and trend analysis as well as the ability to correlate security events with sites, clients, applications and network infrastructure to help customers support larger branch implementations, the company said.
These capabilities allow enterprises to quickly detect and prevent unwanted traffic from entering or exiting their networks, said Brandon Butler, a senior research analyst with IDC. “The IDS and IPS systems allow users to set levels such as lenient, moderate, strict for traffic controls, and there are available integrations with messaging systems for alerting,” Butler said. “These features are atop what Aruba already has for security, including dynamic segmentation of traffic based on users, devices and apps, firewall capabilities and integration with cloud-based security solutions such as Zscaler.”
For its cloud-based network management, Aruba Central, the company bolstered the Orchestrator feature with the ability to deploy secure overlay topologies in a large-scale edge-computing infrastructure. The idea is to securely connect thousands of remote locations to applications in data centers and the cloud, Aruba said.
“We continue to see customers move away from traditional on-premises data centers and move more toward the cloud, and the Orchestrator can now help customers secure those environments,” Seshadri said.
Being able to extend security coverage will be important for Aruba and other networking companies as they link to cloud resources. For example, Aruba announced support for Amazon Web Services AWS Transit Gateway, which lets customers connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. The idea is to simplify and enhance the performance of SD-WAN integration with AWS cloud resources.
Cisco, Versa and others have also announced support for the Transit Gateway. Aruba has an SD-WAN tie-in to Microsoft Azure and Google as well.
The final component of Aruba’s branch-connectivity upgrade was adding support for cellular backup, particularly LTE, to its branch-office gateways.
Built-in cellular access in Aruba 9004 Series Gateways gives customers the option to use the connection as a primary, secondary uplink or backup in a load-shared active-active mode with other broadband links, Seshadri said.
“IT staff are able tune and optimize connectivity by defining SLA policies across a combination of MPLS, internet and cellular links enforced with dynamic path steering in real-time with the ability to select the preferred cellular link,” Aruba stated. “The cellular link can also be used for remote locations or to accelerate the deployment of a new store until the dedicated MPLS or internet links are installed.”
This overall announcement is evidence of a broader shift in the market, said IDC’s Butler. “As deployments of SD-WAN scale up, enterprises are thinking more holistically about what network and security functions are needed at the edge of their networks, and enhanced security functionality is a key,” he said. “When enterprises deploy multiple network and security functions at the edge of their networks (such as SD-WAN with firewall, IPS/IDS, network analytics or WAN Op) we call this SD-Branch. We expect most SD-WAN vendors will increase their security and network-function capabilities that are packaged with SD-WAN, creating a new SD-Branch market.”
SD-WAN continues to be one of the fastest-growing segments of the network infrastructure market, Butler added. In the first half of 2019, the market doubled in size compared to the year earlier: $1.1B for SD-WAN infrastructure (hardware + software, but not services) revenues in the first half of 2019, versus $1.4B for the full year 2018, he said.