
This blog is part of a continuing series on Aruba’s Dynamic Segmentation solution. Check back for more insights.
What do you think of when you hear the term “micro-segmentation”? For me, the first thing that comes to mind is the data center, where micro-segmentation is used to securely separate cloud and data center workloads based on policies. But segmentation doesn’t just end at the data center—increasingly we’re seeing practical applications at the edge as well.
Driven by the growing number of Wi-Fi users, the rising IT investment in public cloud infrastructure and the ballooning number of mobile and IoT devices in the workplace, we’re seeing a fundamental shift in the role of campus and branch networks that is wreaking havoc on traditional edge architecture—but it’s also offering IT a chance to combine the best networking technologies from the campus and data center to manage this complexity.
I see three key changes at the edge:
- Traffic is shifting from east-west (client to client) to north-south (client to Internet).
- Applications are now hosted in public cloud infrastructure (IaaS and SaaS).
- A growing number of business decisions are now being made at the edge.
The first two are fairly simple, but the third is more difficult to manage. The business is converging on the network even as it’s rapidly expanding technology use cases beyond the realms of IT—IoT itself generates a massive amount of data.
The underlying network fabric has become a veritable melting pot of activity where every new device or every new application can mean countless configuration changes that impact SSIDs, ACLs, VLANs and subnets at every hop in the network – as well as looming threats to network security and visibility.
So let’s take a look at how Aruba is addressing these challenges.
What is Dynamic Segmentation?
Aruba’s Dynamic Segmentation is a solution that simplifies and secures the network by unifying policy enforcement across the wired and wireless access layer. With a unique user firewall, Layer 7 application visibility, and automated profiling, Aruba’s unified policy enforcement engine can apply rich, role-based access control to automatically shape traffic behavior.
Since policy defines access and segmentation, there’s no need to configure VLANs, ACLs, subnets or port-based controls anymore. This eliminates complex network segmentation, sprawling VLANs and costly administrative functions.
The graphic below shows a left-to-right flow for how traffic can be segmented across the network based on the applications being used by users and devices. With Dynamic Segmentation, traffic flows simply adapt to the assigned user and device roles.

As you can see, ClearPass and the Mobility Controller are instrumental in Dynamic Segmentation. All wired and wireless traffic is encapsulated in GRE tunnels back to a Mobility Controller for inspection by the built-in Policy Enforcement Firewall (PEF). This is where the user firewall and Layer 7 application visibility reside. ClearPass is used to create contextual policies for different user or device groups based on identity, device type and location. ClearPass provides centralized policy definition and integrated device profiling.
Three Reasons to Use Dynamic Segmentation
The need for policy-centric networking is growing. Organizations are increasingly converging multiple systems onto the same infrastructure, and they need to segment that traffic more efficiently and securely. They may need to protect sensitive applications and ensure data privacy in a more highly controlled way. They may be rolling out IoT systems, such as video surveillance, building access control or smart lighting, and want to ensure that any IoT device vulnerabilities don’t spread across the organization.
At the same time, IT needs more visibility and control of devices that are on their network. The reality is that most IT managers simply aren’t aware of all of the connected devices—and with the embrace of IoT and smart workplaces, this problem is only going to get worse. IT needs visibility into what devices are on their network as well as a way to control network access and the quality of experience for those devices in real-time.
Dynamic Segmentation can:
- Automate policy to reduce the IT workload - Dynamic Segmentation reduces the burden of manual configuration. It saves the time and effort that would otherwise go into managing access policies for mobile, IoT and other devices, as well as any ongoing moves, adds and changes (MACs). Automated policy also minimizes the errors that creep in when configuration is done by hand. Strong, consistent control of wired and wireless access is necessary to maintain integrity and prevent breaches.
- Segment policy to enhance security - With Dynamic Segmentation, users and devices are granted access to the appropriate network routes based on their role, location and time-of-day factors. Dynamic Segmentation is ideal for IoT. IoT deployments such as automated lighting, security cameras and secure access doors bring many benefits, but they also create security risk if those devices sit on the same network routes as sensitive or business-critical data. IoT devices are notoriously insecure and are often located in unsecured public areas. But now a security camera can be given permissions that restrict its traffic to a designated server and nowhere else.
- Centralize policy to ensure enterprise-wide consistency - Administrators can define rules that leverage user, device, application and location data, all from one place. With centralized policy there is no variation based on the location or working style of the network administrator. Policy changes don’t have to be attempted repeatedly for each individual network element. Policy is everywhere in the enterprise and up to date. And policy is enforced in a broader context.
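To make the role-based model concrete, here is an added example (not Aruba code, and not how ClearPass or the PEF are implemented) that models the three points above: a profiling step that maps a device's attributes to a role, per-role ordered rule lists that replace VLAN/ACL plumbing, and an evaluator that applies role, destination, location and time-of-day context with default deny. The device inventory, addresses, locations and role names are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the enforcement point."""
    device_id: str
    dst_ip: str
    dst_port: int
    location: str   # where the device connected, e.g. "lobby" (constructed)
    hour: int       # local hour of day, 0-23


@dataclass(frozen=True)
class Rule:
    """A single contextual rule; unset fields match anything."""
    action: str                          # "allow" or "deny"
    dst_net: str = "0.0.0.0/0"           # default: any destination
    ports: frozenset = frozenset()       # empty: any port
    locations: frozenset = frozenset()   # empty: any location
    hours: Optional[range] = None        # None: any time of day

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.dst_ip) in ip_network(self.dst_net)
                and (not self.ports or flow.dst_port in self.ports)
                and (not self.locations or flow.location in self.locations)
                and (self.hours is None or flow.hour in self.hours))


INTERNAL = "10.0.0.0/8"         # constructed: all internal subnets
VMS_SERVER = "10.20.0.10/32"    # constructed: the video management server

# Per-role rule lists, evaluated first-match; a role with no match is denied.
ROLE_POLICY: Dict[str, List[Rule]] = {
    # A camera may reach its VMS server over HTTPS and nothing else.
    "security-camera": [Rule("allow", VMS_SERVER, frozenset({443}))],
    # Employees reach internal subnets and the Internet.
    "employee": [Rule("allow", INTERNAL), Rule("allow")],
    # Contractors reach internal subnets only on site during business hours,
    # and the Internet at any time.
    "contractor": [
        Rule("allow", INTERNAL, locations=frozenset({"hq-floor3"}), hours=range(8, 18)),
        Rule("deny", INTERNAL),
        Rule("allow"),
    ],
    # Guests get the Internet and nothing internal.
    "guest": [Rule("deny", INTERNAL), Rule("allow")],
}

# Constructed inventory standing in for profiling data (802.1X identity,
# DHCP vendor class, captive-portal registration).
DEVICES = {
    "cam-lobby-1":  {"dhcp_vendor_class": "AXIS", "dot1x_user": None},
    "laptop-alice": {"dhcp_vendor_class": "MSFT", "dot1x_user": "alice@corp.example"},
    "laptop-bob":   {"dhcp_vendor_class": "MSFT", "dot1x_user": "bob@contractor.example"},
    "phone-guest":  {"dhcp_vendor_class": "android", "dot1x_user": None, "portal_guest": True},
}


def role_for(device_id: str) -> str:
    """Derive a role from profiling attributes; anything unrecognized is 'unknown'."""
    attrs = DEVICES.get(device_id)
    if attrs is None:
        return "unknown"
    user = attrs.get("dot1x_user")
    if user and user.endswith("@corp.example"):
        return "employee"
    if user and user.endswith("@contractor.example"):
        return "contractor"
    if attrs.get("dhcp_vendor_class") == "AXIS":
        return "security-camera"
    if attrs.get("portal_guest"):
        return "guest"
    return "unknown"


def evaluate(flow: Flow) -> str:
    """Apply the role's rules in order; no match (or no role) means deny."""
    for rule in ROLE_POLICY.get(role_for(flow.device_id), []):
        if rule.matches(flow):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for flow in (Flow("cam-lobby-1", "10.20.0.10", 443, "lobby", 3),
                 Flow("cam-lobby-1", "10.30.0.5", 445, "lobby", 3),
                 Flow("laptop-bob", "10.30.0.5", 445, "hq-floor3", 20)):
        print(flow.device_id, role_for(flow.device_id), flow.dst_ip, evaluate(flow))
```

Note what the policy never mentions: which VLAN or switch port the camera is on. Moving the camera to another building changes nothing, because the rule set follows the role rather than the network position, and a device the profiler cannot place lands in "unknown" with no rules and is denied by default.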
Dynamic Segmentation, leveraging ClearPass and Aruba wired and wireless networks, can simplify network operations and improve visibility and control over all kinds of devices, including IoT.
My next blog will dive into the key building blocks for Dynamic Segmentation as well as two ways you can take it to the next level.
Related Content
See a demo from last year’s technical keynote and read the Dynamic Segmentation solution brief.
Learn more about how Dynamic Segmentation supports IoT in my colleague Sue Gibbs’ blog.