Edgeconnect and SASE Presentation

Uploaded by

hari rz

Delivering Zero Trust Network Access Security with Aruba SASE

Iman Manarul Arifin
November 2023

Confidential | Authorized
COMPLETE CAMPUS LEADER: 17x WIRED/WIRELESS AND 6x SD-WAN CONSECUTIVE GARTNER LEADER
HPE (Aruba) is positioned as a Leader in the Gartner Magic Quadrant for SD-WAN. This is the sixth year in a row that HPE (Aruba) has been positioned in the Leaders Quadrant.
ARUBA SECURE EDGE PORTFOLIO
[Diagram: SSE services (ZTNA, SWG, CASB, DEM) in front of Internet, SaaS, public cloud and data center destinations. EdgeConnect Lite and Atmos ZTNA serve mobile devices and end users; EdgeConnect Micro Branch, EdgeConnect SD-Branch and EdgeConnect SD-WAN serve branch, campus, cloud and data center.]


Everybody talks about the cost efficiency and performance of Internet broadband circuits for SD-WAN, but does the Internet on its own really improve application SLAs?
USER TESTING* COMPARISON SUMMARY FOR OFFICE 365 SHAREPOINT APPS
Result of user testing*: file transfer from site to hub (SharePoint cloud app) over a single Internet link. Test 1: 4 MB file with additional packet loss injected, traditional breakout versus through an Aruba EdgeConnect tunnel.

Packet loss          | Traditional/breakout response time (mm:ss.ss) | Through Aruba EdgeConnect tunnel response time (mm:ss.ss)
Inherited INET loss  | 00:26.32 | 00:15.67
Additional 1%        | 01:17.21 | 00:15.93
Additional 2%        | 02:12.98 | 00:18.84
Additional 3%        | 02:46.65 | 00:20.31
Additional 4%        | 03:05.25 | 00:24.55

*A single-sample test on one link; the absolute numbers depend on the baseline loss, RTT and file size of the path under test, so repeat the test on your own circuit before using them in an SLA argument.


INSPECTING AND MITIGATING PACKET DROPS WITH ARUBA
[Screenshots: path-quality view with Aruba EdgeConnect versus without Aruba EdgeConnect.]


HOW ARUBA DOES IT: TRUE LINK BONDING SD-WAN
[Diagram: an application overlay bonded across an Internet underlay (individual 5 Mbps) and an MPLS underlay (individual 5 Mbps), giving a combined 10 Mbps; maximum entire-WAN utilization with true link bonding.]
Predictable, non-disruptive application performance even during transport brownouts or outages.
• True tunnel bonding
• Path conditioning
• Per-packet load sharing

[Diagram: packets 1-8 of one flow sent per-packet across both underlays (MPLS carries 8, 5, 4, 2; Internet carries 7, 6, 3, 1) and reassembled in order 1-8 at the far end. Silver Peak Live View monitors network underlay and application overlay performance in real time.]

Transport            | Availability | Downtime per year
MPLS                 | 99.5%        | 44 hours
Internet             | 98.0%        | 175 hours
EdgeConnect (bonded) | 99.99%       | 52.56 minutes

Tunnel bonding with sub-second failover improves application availability significantly.

New statistical availability calculation:
1 - (1 - 0.995) x (1 - 0.98) = 1 - 0.005 x 0.02 = 0.9999
= 99.99% availability, 52.56 minutes of downtime per year

This is the usual formula for two redundant paths and assumes the two transports fail independently; where the MPLS and Internet circuits share a last-mile conduit, an upstream provider or the same appliance, the real combined availability is lower than this figure.
HOW IT'S DONE: MITIGATING THE LOSSY WAN

Forward Error Correction (proven, working and custom)
Parity is calculated for each block of packets on transmit (1 2 3 3P 4). Packets lost in transit across the WAN (e.g. packet 3) are rebuilt from the parity packet on receipt (1 2 3 4).

Packet Order Correction
Packet order is marked on transmit (1 2 3). Packets sent over different routes arrive out of order across the WAN (2 3 1) and are reordered on receipt into the correct sequence (1 2 3).
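The three mechanisms on these two slides (per-packet load sharing over two underlays, parity-based forward error correction, and sequence-number reordering) fit in one small simulation. The block below is an added example and is not Aruba or Silver Peak code; the packet format, the 4:1 data-to-parity ratio, and the path delays are assumptions chosen so that the reorder and the single-loss recovery are visible on a constructed eight-packet flow.

```python
"""Toy model of true tunnel bonding: per-packet load sharing across two
transports, XOR parity forward error correction and packet order correction.
Added example, not Aruba/Silver Peak code; packet format, 4:1 parity ratio
and the path delays are assumptions for illustration."""
import random
from dataclasses import dataclass

BLOCK = 4  # data packets per FEC block; one parity packet per block (assumed ratio)

# Assumed underlays: name -> one-way delay in ms (loss is injected explicitly below)
PATHS = {"mpls": 20.0, "internet": 60.0}


@dataclass
class Packet:
    seq: int        # sequence number marked on transmit (-1 for parity packets)
    block: int      # FEC block the packet belongs to
    payload: bytes
    parity: bool = False


def xor_bytes(chunks):
    """XOR equal-length payloads together; used both to build and to recover parity."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def transmit(payloads):
    """Sender side: number every packet and append one XOR parity packet per block."""
    assert len({len(p) for p in payloads}) == 1, "toy model uses fixed-size payloads"
    pkts = []
    for start in range(0, len(payloads), BLOCK):
        blk = payloads[start:start + BLOCK]
        blk_id = start // BLOCK
        pkts += [Packet(start + i, blk_id, p) for i, p in enumerate(blk)]
        pkts.append(Packet(-1, blk_id, xor_bytes(blk), parity=True))
    return pkts


def wan(pkts, drop_seqs, rng):
    """Per-packet load sharing: packets alternate over the underlays. Each path adds
    its delay plus jitter, so arrival order differs from send order; packets whose
    seq is in drop_seqs are lost in transit. Returns packets in arrival order."""
    arrivals = []
    for i, p in enumerate(pkts):
        if p.seq in drop_seqs:
            continue
        delay = list(PATHS.values())[i % len(PATHS)] + rng.uniform(0, 5)
        arrivals.append((delay, i, p))
    return [p for _, _, p in sorted(arrivals)]


def receive(arrived, n_payloads):
    """Receiver side: rebuild at most one lost data packet per block from parity,
    then deliver in sequence. None marks a hole FEC could not repair."""
    blocks = {}
    for p in arrived:
        entry = blocks.setdefault(p.block, {"data": {}, "parity": None})
        if p.parity:
            entry["parity"] = p.payload
        else:
            entry["data"][p.seq] = p.payload
    delivered = {}
    for blk_id, entry in blocks.items():
        lo = blk_id * BLOCK
        missing = [s for s in range(lo, min(lo + BLOCK, n_payloads)) if s not in entry["data"]]
        if len(missing) == 1 and entry["parity"] is not None:
            # parity XOR the surviving packets equals the single lost packet
            entry["data"][missing[0]] = xor_bytes([entry["parity"]] + list(entry["data"].values()))
        delivered.update(entry["data"])
    return [delivered.get(s) for s in range(n_payloads)]


def simulate(payloads, drop_seqs, seed=1):
    """Run one flow end to end; returns (arrival seq order, delivered payloads)."""
    rng = random.Random(seed)
    arrived = wan(transmit(payloads), set(drop_seqs), rng)
    return [p.seq for p in arrived], receive(arrived, len(payloads))


if __name__ == "__main__":
    data = [bytes([i]) * 8 for i in range(8)]  # constructed 8-packet flow
    order, out = simulate(data, drop_seqs={2, 6})
    print("arrival order:", order)          # out of order: the two paths have different delays
    print("recovered all:", out == data)    # one loss per block is rebuilt from parity
    order, out = simulate(data, drop_seqs={1, 2})
    print("holes:", [s for s, p in enumerate(out) if p is None])  # two losses in one block exceed parity
```

The second run shows the limit of single-parity FEC: two losses inside the same block leave two holes, which is why the ratio of data to parity packets is tuned to the measured loss rate of the path rather than fixed.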
UNIFIED NGFW BRANCH SECURITY
ICSA Secure SD-WAN Certified

• App-aware firewall, stateful firewall, DPI, anti-DoS, logging, security policy enforcement (ICSA certified)
• Deep packet inspection
• Web content/URL filtering and IP reputation with first-packet inspection
• App/domain classification and control
• Cloud security integrations

Threat visibility
• Threat trending over time
• Overlay with app/user launch and network direction
• Threat source and impact

Correlate to manage incidents
• External events streamed to SOC
• Alerts and notifications based on business impact
• Stream events to REST endpoints

Dynamic segmentation / identity-based policy
SD-WAN MICROSEGMENTATION VISIBILITY AND IDENTITY POLICY
Role-based down to device-based user visibility and control

Policy engine inputs
Application-driven policy: application name, DNS/URL, addresses, ports, ...
Context-driven policy (from ClearPass): role, device type, username, security posture, ...

Business intent outputs
• Quality of service
• Availability and SLA objective
• Segmentation
• Breakout vs. backhaul
• Security policy
• Routing policy
• Optimization policy
• WAN policy
• To SASE

The SD-WAN solution with detailed user/device identity and role visibility/policy

[Screenshot: flow table showing identity and role per flow, e.g. jhendricks (Dev), camera2209 (Camera), camera2247 (Camera), spingkerton (Dev), fnowitzki (Dev); detail pane for user/device jhendricks: Role Dev, Group ENGINEERING, Domain SPEAK, MAC 00:00:00:a1:2b:cc, OS Windows10, Posture HEALTHY.]

• Detailed identity information for every single flow, shown in real time and historically
• Enables new reports based on identity, role and security posture
• Proactive monitoring and troubleshooting before problems arise
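The policy-engine slide above describes a decision that takes application attributes plus identity context and returns business intent. As an added example (not Aruba code), the block below implements that decision as a first-match rule list with an explicit default deny, using the identities from the flow table (jhendricks/Dev, camera2209/Camera). The attribute names, the rules, the hostnames and the posture values are constructed for illustration; the point it shows is that the same destination gets a different segment, path and QoS depending on who or what is talking and whether the endpoint is healthy.

```python
"""Context-driven flow policy: application attributes plus ClearPass-style identity
context (role, device type, username, posture) are turned into business intent
(segment, path, QoS). Added example, not Aruba code; attribute names, rules,
hostnames and the sample identities are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Context:
    """Identity context as the NAC (ClearPass on the slide) would supply it."""
    username: str
    role: str         # Dev, Camera, ...
    device_type: str  # Windows10, IP-Camera, ...
    posture: str      # HEALTHY / UNHEALTHY / UNKNOWN


@dataclass(frozen=True)
class Flow:
    ctx: Context
    app: str          # application classification, e.g. SharePoint, RTSP
    dst: str          # DNS name or address
    dport: int


@dataclass(frozen=True)
class Intent:
    """What the policy engine hands to the SD-WAN data plane for this flow."""
    action: str       # allow / deny
    segment: str      # zone the flow is placed in
    path: str         # breakout / backhaul / none
    qos: str          # best-effort / business / realtime / none
    reason: str


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Flow], bool]
    intent: Intent


# First match wins. Posture is checked before anything else, IoT is pinned to its own
# segment and path, and the last rule denies every flow nothing above has authorised.
RULES = (
    Rule("quarantine unhealthy endpoints",
         lambda f: f.ctx.posture != "HEALTHY",
         Intent("allow", "quarantine", "backhaul", "best-effort",
                "posture not HEALTHY: remediation services only")),
    Rule("cameras stream only to the NVR",
         lambda f: f.ctx.role == "Camera" and f.app == "RTSP"
         and f.dst == "nvr.corp.example" and f.dport == 554,
         Intent("allow", "iot", "backhaul", "realtime",
                "IoT segment, kept on the private overlay")),
    Rule("developers to sanctioned SaaS",
         lambda f: f.ctx.role == "Dev" and f.app in {"SharePoint", "GitHub"} and f.dport == 443,
         Intent("allow", "corp", "breakout", "business",
                "sanctioned SaaS: local Internet breakout with SLA objective")),
    Rule("developers to data-center apps",
         lambda f: f.ctx.role == "Dev" and f.dst.endswith(".corp.example"),
         Intent("allow", "corp", "backhaul", "business", "internal app over the overlay")),
    Rule("default deny",
         lambda f: True,
         Intent("deny", "none", "none", "none", "no rule matched: least privilege")),
)


def evaluate(flow: Flow):
    """Return (matching rule name, intent) for a flow."""
    for rule in RULES:
        if rule.match(flow):
            return rule.name, rule.intent
    raise AssertionError("unreachable: the default-deny rule matches everything")


# Constructed identities echoing the slide's flow table
JHENDRICKS = Context("jhendricks", "Dev", "Windows10", "HEALTHY")
JHENDRICKS_UNHEALTHY = Context("jhendricks", "Dev", "Windows10", "UNHEALTHY")
CAMERA2209 = Context("camera2209", "Camera", "IP-Camera", "HEALTHY")

SAMPLE_FLOWS = (
    Flow(JHENDRICKS, "SharePoint", "tenant.sharepoint.com", 443),
    Flow(CAMERA2209, "RTSP", "nvr.corp.example", 554),
    Flow(CAMERA2209, "SharePoint", "tenant.sharepoint.com", 443),  # a camera reaching for SaaS
    Flow(JHENDRICKS_UNHEALTHY, "SharePoint", "tenant.sharepoint.com", 443),
)

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        name, i = evaluate(f)
        print(f"{f.ctx.username:<12} {f.ctx.role:<7} {f.app:<10} {f.dst}:{f.dport:<5} "
              f"-> {i.action:<5} seg={i.segment:<10} path={i.path:<8} qos={i.qos:<11} [{name}]")
```

Rule order is the security-relevant part: posture is evaluated first so a compromised developer laptop cannot reach the SaaS breakout rule, and the camera's role-specific rule is the only way a Camera flow can be allowed, which is what stops camera2209 from talking to SharePoint.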
EDGE SECURITY: ANATOMY OF A VPN-BASED RANSOMWARE ATTACK
97% of security leaders know VPNs are exploited.

1. Threat actor scans the Internet for unpatched VPN servers
2. Remote access to the network is achieved
3. Attackers view logs and cached passwords
4. Domain admin access is gained
5. Lateral movement takes place across the network
6. MFA and endpoint security are disabled
7. Malware (e.g. Sodinokibi, Cring) is pushed to the network
8. Company data is held for ransom


VPN ARCHITECTURES CREATE SECURITY RISKS
[Diagram: users on the Internet terminate on a VPN concentrator in the DMZ, behind firewall ACLs, DDoS defense, NAC+ADC, SSL decryption, IPS, IDS+PAM and a VDI jump server, and from there reach cloud apps and app servers.]

VPNs expose IPs: VPNs are like beacons, looking to be found. Consequently, IPs are exposed, creating an attack surface to be exploited.
VPNs extend network access: unknown users from unknown devices are extended network access, increasing the attack surface.
VPNs give over-privileged access: once on the network, users can move laterally. In the event of a breach, cybercriminals can do a lot of damage due to lack of segmentation.


AXIS DELIVERS ZERO TRUST NETWORK ACCESS FOR ALL
[Diagram: the DMZ stack from the previous slide (VPN concentrator, DDoS defense, NAC+ADC, SSL decryption, IPS, IDS+PAM, VDI jump server) is no longer in the path; users connect through the Axis cloud to individual apps in the data center and public cloud.]

The invisible network: inside-out connections make apps completely invisible and never exposed to the Internet.
Application access, never network access: remote users only receive access to authorized applications, without placing the user or device on the corporate network.
Granular least-privilege access: app-to-user connections provide built-in app segmentation without complex network segmentation. One-to-one connections make lateral movement impossible for unauthorized users.


DELIVERING HIGHER CLOUD APPS PERFORMANCE
• Over 60% of orgs have 3-6 VPN gateways globally
• Traffic is backhauled for miles, causing slow connection speeds, especially for resources hosted in the cloud
• Users deal with repeated logins and network reconnects
[Diagram: latency comparison of the two paths, 326 ms versus 52 ms.]


ARUBA AXIS IN MOTION
1. User requests access
2. Identity + MFA verified (identity provider)
3. Policy is evaluated for access
4. Cloud brokers the connection
5. Cloud continuously inspects, adapts and protects data

[Diagram: users on the Internet reach the data center, public cloud and SaaS through the Atmos cloud (Atmos SWG, Atmos ZTNA, Atmos CASB) with policy and identity-provider integration; use cases shown are employee access to resources, branch user and server access, and third-party access.]

Benefits
• Visibility into all user traffic
• Flexible policy assignment
• Simple for admins and users
• SaaS application control
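The five steps above, together with the "inside-out connections" and "one-to-one connections" claims from the Axis ZTNA slide, describe a brokered access model. The block below is an added example and not Axis or Atmos code: a toy broker in which connectors register apps outbound, the user proves identity plus a second factor, policy is evaluated per app, and the session handed back is bound to exactly one app and re-authorised on every use. The HMAC one-time code stands in for a real IdP/MFA check, and the users, apps, connector names and policy table are constructed.

```python
"""Brokered zero-trust access: connectors dial out and register apps, the user
proves identity plus a second factor, policy is evaluated per app, and the broker
hands back a session bound to exactly one app that is re-authorised on every use.
Added example, not Axis/Atmos code; the HMAC one-time code is a stand-in for a real
IdP/MFA check, and users, apps, connectors and the policy table are constructed."""
import hmac
import secrets
from dataclasses import dataclass


def mfa_code(secret: bytes, user: str, now: float) -> str:
    """Stand-in authenticator: HMAC over the user and a 30 s window (not RFC 6238 TOTP)."""
    msg = f"{user}:{int(now) // 30}".encode()
    return hmac.new(secret, msg, "sha256").hexdigest()[:6]


@dataclass
class Session:
    user: str
    app: str          # the single app this session may reach
    issued_at: float
    revoked: bool = False


class Broker:
    def __init__(self, idp_secret: bytes, policy: dict, ttl: float = 3600):
        self.idp_secret = idp_secret
        self.policy = policy      # user -> set of app names the user may see
        self.ttl = ttl
        self.apps = {}            # app name -> connector that registered it (never an IP)
        self.sessions = {}        # token -> Session
        self.audit = []           # server-side log carrying the real reason for each decision

    def register(self, connector: str, app: str) -> None:
        """Connector side: an outbound, inside-out registration; the app has no
        Internet-facing listener and the broker records only the connector name."""
        self.apps[app] = connector

    def _deny(self, user: str, app: str, reason: str):
        self.audit.append((user, app, reason))
        return None, "denied"   # one external answer for every failure: nothing to enumerate

    def request_access(self, user: str, otp: str, app: str, posture: str, now: float):
        """Steps 1-4 on the slide: verify identity + MFA, check posture, evaluate
        policy, broker a one-to-one session."""
        if not hmac.compare_digest(mfa_code(self.idp_secret, user, now), otp):
            return self._deny(user, app, "identity/MFA failed")
        if posture != "HEALTHY":
            return self._deny(user, app, "device posture failed")
        if app not in self.policy.get(user, set()):
            return self._deny(user, app, "policy does not grant app")
        if app not in self.apps:
            return self._deny(user, app, "no connector online for app")
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, app, now)
        self.audit.append((user, app, "brokered"))
        return token, f"brokered via {self.apps[app]}"

    def relay(self, token: str, app: str, now: float) -> str:
        """Step 5: each use is re-authorised. The session is bound to one app, so it
        cannot be pointed at another app the way a VPN's network route could."""
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return "denied: no valid session"
        if now - s.issued_at > self.ttl:
            s.revoked = True
            return "denied: session expired"
        if app != s.app:
            return "denied: session bound to a different app"
        return f"ok: {s.user} -> {app} via {self.apps[app]}"

    def posture_changed(self, user: str, posture: str) -> None:
        """Continuous adaptation: an endpoint that turns unhealthy loses its sessions."""
        if posture != "HEALTHY":
            for s in self.sessions.values():
                if s.user == user:
                    s.revoked = True


def demo(now: float = 1_700_000_000.0):
    """Constructed walk-through; returns the sequence of outcomes."""
    secret = b"idp-shared-secret-demo"
    broker = Broker(secret, policy={"jhendricks": {"hr-portal"}})
    broker.register("dc-connector-1", "hr-portal")
    broker.register("dc-connector-1", "finance-db")
    code = mfa_code(secret, "jhendricks", now)
    token, status = broker.request_access("jhendricks", code, "hr-portal", "HEALTHY", now)
    results = [status,
               broker.relay(token, "hr-portal", now),
               broker.relay(token, "finance-db", now),          # lateral move over an existing session
               broker.request_access("jhendricks", code, "finance-db", "HEALTHY", now)[1],
               broker.request_access("jhendricks", "not-a-code", "hr-portal", "HEALTHY", now)[1]]
    broker.posture_changed("jhendricks", "UNHEALTHY")
    results.append(broker.relay(token, "hr-portal", now + 1))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two details carry the security argument: the broker stores a connector name rather than an application address, so a successful login still reveals no reachable IP, and `relay` re-checks the binding on every request, so revoking posture or letting the TTL lapse cuts access without touching any network route.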
BUILT ON A THREE-TIER CLOUD ARCHITECTURE
Tier 1: major cloud providers (main cluster)
Tier 2: cloud providers and local hosting services (local PoPs, caching)
Tier 3: peered to local ISPs across the world (350 edge locations, traffic acceleration)
Atmos Agent on the user side, Atmos Connector on the application side.

• Traffic is never backhauled because of the Atmos cloud architecture (350+ edges)
• Atmos automatically chooses the best connectivity path with smart routing capabilities
• Users receive continuous access even if networks change


UNIFIED SASE POLICY WITH ARUBA AXIS
• Block access from risky destinations
• Define access to internal and external apps in a single policy
• Leverage rich device posture for context
• Use app tags to simplify management
• Securely enable developer workflows


DELIVERING MORE SECURE AND ADVANCED ZTNA

Criteria                                                | ZTNA 1.0 | Atmos ZTNA
Keep users off the network                              | yes      | yes
Reduce attack surface of infrastructure                 | yes      | yes
DDoS-proof private apps                                 | yes      | yes
App discovery                                           | yes      | yes
Agentless web, SSH, RDP, Git, DB access                 | no       | yes
Deep inspection / continuous authorization / visibility | no       | yes
Per-app segments, granular control                      | no       | yes
Any port / protocol (P2P / VoIP, etc.)                  | no       | yes
Server-initiated flows / push patching                  | no       | yes
1+ Gbps speeds and low latency                          | no       | yes


AXIS SSE KEY CAPABILITIES (Atmos SSE Platform)

ZTNA (Zero Trust Network Access)
• Secure access to applications hosted in private cloud/DC
• Least-privilege access
• Agent or agentless
• VPN replacement

CASB (Cloud Access Security Broker)
• Access private SaaS applications
• Data loss prevention
• Monitor and block upload/download from SaaS

SWG (Secure Web Gateway)
• Protect against malicious web traffic
• Provide URL and DNS filtering for all traffic

DEM (Digital Experience Monitoring)
• Monitor user performance
• Troubleshoot user access issues
ONE POLICY TO EASILY CONTROL ACCESS TO ALL APPS
• Block access from risky destinations
• Define access to internal and external apps in a single policy
• Leverage rich device posture for context
GET CONTROL FOR INTERNET AND SAAS TRAFFIC
• Full SSL inspection (managed endpoints must trust the inspecting CA, and certificate-pinned applications need explicit bypass rules or they will fail to connect)
• Proactive malware scanning: send uploaded files to be scanned; send downloaded files to be scanned
• In-line CASB tracks activity for 10,000+ SaaS apps
PREVENTING DATA LOSS/BREACH WITH AXIS DLP
Easily control the flow of your data with DLP functionality across SWG, CASB and ZTNA traffic.

• File content control: control data transfer within files based on patterns; allow only specific file types to be uploaded/downloaded
• File metadata control: control file transfer based on metadata attributes (name, type, size)
• Regex support with OCR: searches a string of characters (text, and .gif, .png and .jpeg images via OCR) for patterns and applies controls
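The three DLP controls on this slide are concrete enough to show in code. The block below is an added example and not Axis DLP code: it applies metadata control (declared type, size, and whether the declared type matches the file's leading bytes), content control (patterns with a validator to cut false positives), and plain regex matching to a handful of constructed transfers. The allowed types, size limit, patterns and sample files are assumptions; image content is only flagged for OCR rather than scanned, since OCR needs an engine this example does not include.

```python
"""DLP checks for a file transfer: metadata control (declared type, size, and the
declared type versus what the bytes actually are), content control (patterns with
a validator to cut false positives) and regex matching. Added example, not Axis DLP
code; the allowed types, size limit, patterns and sample files are assumptions, and
image content is only flagged for OCR rather than scanned here."""
import os
import re
from dataclasses import dataclass, field

ALLOWED_EXT = {".pdf", ".docx", ".xlsx", ".txt", ".png"}   # assumed policy
MAX_BYTES = 25 * 1024 * 1024
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}
EXPECTED_KIND = {".png": "png", ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits with optional separators
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")     # AWS access key id shape
PROJECT_RE = re.compile(r"\bPROJ-\d{4}\b")           # constructed internal code word


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; turns 'looks like a card number' into 'is a valid card number'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sniff(content: bytes):
    """Identify the real content type from leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if content.startswith(sig):
            return kind
    return None


@dataclass
class Transfer:
    direction: str    # upload / download
    filename: str
    content: bytes


@dataclass
class Verdict:
    action: str                       # allow / block / ocr-pending
    reasons: list = field(default_factory=list)


def find_sensitive(text: str):
    """Content control: regex hits, validated where a checksum exists."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("payment card number", m.group()))
    hits += [("AWS access key id", m.group()) for m in AWS_KEY_RE.finditer(text)]
    hits += [("internal project code", m.group()) for m in PROJECT_RE.finditer(text)]
    return hits


def inspect(t: Transfer) -> Verdict:
    reasons = []
    ext = os.path.splitext(t.filename.lower())[1]
    kind = sniff(t.content)
    # file metadata control
    if ext not in ALLOWED_EXT:
        reasons.append(f"type {ext or '(none)'} not allowed for {t.direction}")
    if len(t.content) > MAX_BYTES:
        reasons.append("exceeds size limit")
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        reasons.append(f"declared {ext} but content looks like {kind or 'unknown'}")
    if kind == "exe":
        reasons.append("executable content")
    # file content control
    if kind == "png":
        if not reasons:
            return Verdict("ocr-pending", ["image: hand to OCR before release"])
    else:
        text = t.content.decode("utf-8", errors="ignore")
        reasons += [f"{label}: {match}" for label, match in find_sensitive(text)]
    return Verdict("block" if reasons else "allow", reasons)


SAMPLES = (  # constructed transfers
    Transfer("upload", "notes.txt", b"card 4111 1111 1111 1111 expires 12/27"),
    Transfer("upload", "notes.txt", b"ticket 4111 1111 1111 1112"),           # fails Luhn
    Transfer("upload", "keys.txt", b"export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP"),
    Transfer("download", "setup.png", b"MZ\x90\x00" + b"\x00" * 60),         # exe renamed .png
    Transfer("upload", "report.pdf", b"%PDF-1.7 status PROJ-0042 attached"),
    Transfer("upload", "photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
)

if __name__ == "__main__":
    for s in SAMPLES:
        v = inspect(s)
        print(f"{s.direction:<8} {s.filename:<12} {v.action:<11} {'; '.join(v.reasons)}")
```

The two notes.txt samples make the false-positive point: both contain a 16-digit run that the regex matches, but only the one that passes the Luhn check is blocked. The renamed executable shows why type control has to look at the bytes rather than the extension.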
AND ENSURE A GREAT USER EXPERIENCE TOO
• Dynamic monitoring of user experience issues
• Endpoint telemetry, i.e. CPU, resource consumption, memory use
• Unified application health monitoring
• Hop-by-hop network path metrics between users and business apps
MORE SSE USE CASES

Connect and secure hybrid workforce
• Enable work from anywhere with least-privileged access
• Replace legacy VPN
• Provide endpoint control and visibility

Secure third-party access
• Employ least-privileged access for external users
• Secure access without an agent on the device
• Gain visibility on what third parties are accessing

Secure access to cloud and web
• Monitor, inspect and filter all web traffic, incl. URL and content filtering
• Ensure sensitive data remains protected and prevent data leakage
CUSTOMER REFERENCE

Reference 1
Problem: apps hosted in IaaS, DC and SaaS; 30K+ users accessing via a mix of EVP, VPN and VDI connections.
Impact: Axis agentless ZTNA third-party access solution reduced cost 5-10x per user while accelerating the time to provision access.

Reference 2
Problem: unable to provide secure access for contractors to build business-critical applications; challenge brokering access between networks due to M&A of hotel properties.
Impact: Axis was able to set up remote access for their HR application in less than 30 minutes; during Covid, ZTNA agent and agentless access was rolled out to 10K+ employees/contractors.

Reference 3 (NVIDIA)
Problem: NVIDIA has very sensitive lab environments with highly P&C research facilities; lacked visibility into unmanaged users and devices, user behaviour and access control.
Impact: Axis agentless ZTNA improved user experience for third parties; accelerated access to private apps across a geographically distributed network; looking at full VPN replacement in phase 2.
THANK YOU