Dynamic Segmentation Explained
Driven by the ballooning number of mobile and IoT devices connecting to the network, we’re seeing a fundamental shift in the complexity of campus and branch networks.
Dynamic Segmentation simplifies and secures the network by unifying policy enforcement across the wired, wireless, and VPN infrastructure.
What is Dynamic Segmentation?
Aruba的设备分割简化并通过统一有线,无线和VPN基础架构统一策略实施来保护网络。通过策略执行防火墙(PEF),第7层应用程序可见性和自动分析,Aruba的统一性Policy Enforcement Firewall可以应用Rich,基于角色的访问控制来自动形状流量行为。
由于策略定义访问和分段,因此无需再配置VLAN,ACL,子网或基于端口的控件。这消除了复杂的网络分段,滚动VLAN和昂贵的管理功能。
The graphic below shows a left-to-right flow for how traffic can be segmented across the network based on the applications being used by users and devices. With Device Segmentation, traffic flows simply adapt to the assigned user and device roles.
Aruba ClearPass and the Mobility Controller are instrumental in Device Segmentation. All wired and wireless traffic is encapsulated in GRE tunnels back to a Mobility Controller for inspection by the built-in Policy Enforcement Firewall (PEF). This is where the user firewall and Layer 7 application visibility reside. Aruba ClearPass creates contextual policies based on identities, device type, and location for different groups of users or devices. Aruba ClearPass provides centralized policy definitions and integrated device profiling capabilities.
Why use Dynamic Segmentation?
The need for policy-centric networking is growing. Organizations are increasingly converging multiple systems onto the same infrastructure, and they need to segment that traffic more efficiently and securely. They may need to protect sensitive applications and ensure data privacy in a more highly controlled way. They may be rolling out IoT systems, such as video surveillance, building access control or smart lighting, and want to ensure that any IoT device vulnerabilities don’t spread across the organization.
此外,它需要更多的可见性和控制网络上的设备。现实是,大多数IT经理只是不了解所有连接的设备 - 以及越来越多的IOT和智能工作场所,这个问题只是变得更糟。它需要可见性的设备在其网络上以及实时控制网络访问和这些设备的经验质量。
Benefits of Dynamic Segmentation
Automate connectivity to reduce the IT workload
设备分割reduces the burden of manual configuration. It saves time and energy that IT would otherwise spend configuring managing access policies for mobile, IoT and other devices. Automated policy also minimizes the errors that creep in when configurations are done individually. Strong, consistent controls across both wired and wireless access are imperative to maintaining integrity and preventing breaches.
分段用户和设备以增强安全性
使用设备分割,用户和设备基于其基于其角色,位置,时间和其他因素来访问适当的网络路由。动态分割是IOT设备的理想选择,这些设备非常不安全,通常位于无担保的公共区域。但是,现在,例如,可以使用将流量限制为指定服务器的权限,并且无处其他。
Centralize policy to ensure enterprise-wide consistency
Administrators can define rules that leverage user, device, application, and location data—all from one place. With centralized policies, there are no variations based on the location or the style of the network administrator. Policy changes don’t need to be made multiple times for each individual network element. Policies are consistent and up-to-date everywhere in the enterprise and enforced within a broader context.
Related resources
