
HPE7-A02 Secure the WAN


Detailed list of HPE7-A02 knowledge points

Secure the WAN Detailed Explanation

1. SD-Branch Architecture

What is SD-Branch?
SD-Branch (Software-Defined Branch) is Aruba’s approach to simplify and secure the connectivity and operations of distributed branch offices. It combines branch gateways, cloud-based management, and intelligent traffic routing.

Branch Gateways (BGWs)
  • BGWs are hardware devices placed at each branch site.

  • They automatically register with Aruba Central (cloud management platform) as soon as they come online.

  • Once registered, BGWs build secure IPsec tunnels back to central data centers or cloud services.

Security of the tunnels:

  • Uses IKEv2 (Internet Key Exchange Version 2) to authenticate the two gateways and negotiate the session keys.

  • Encrypts traffic with AES-256-GCM, an authenticated-encryption mode drawn from the NSA Suite B set (since superseded by CNSA, which keeps AES-256), so each packet is both encrypted and integrity-protected.

Dynamic Path Selection
  • Aruba SD-Branch can connect to multiple WAN uplinks like:

    • MPLS (Multi-Protocol Label Switching) — reliable but expensive.

    • Internet broadband — high bandwidth, low cost.

    • LTE/5G — backup or remote area access.

Dynamic Path Selection evaluates:

  • Jitter: variation in packet arrival time

  • Latency: delay in packet delivery

  • Loss: packet drops

It uses these real-time metrics to choose the best available link for each application.

Example:

  • Voice traffic may prefer MPLS for stability.

  • YouTube traffic may use broadband to save MPLS bandwidth.

Cloud-Managed Policies
  • All traffic rules, segmentations, and failover logic are defined centrally in Aruba Central.

  • Policies can be pushed to all branch gateways from the cloud—no need to manually configure every site.

  • Central also enforces:

    • VLAN and segment mapping

    • Firewall and application control rules

    • Failover priorities and thresholds

2. WAN Security Features

IPsec Encryption
  • IPsec (Internet Protocol Security) encrypts traffic between two endpoints—like branch gateways and a headend gateway.

  • Aruba implements the Suite B cipher set:

    • ECDSA (Elliptic Curve Digital Signature Algorithm) with X.509 certificates for peer authentication.

    • ECDH (Elliptic Curve Diffie-Hellman, IKEv2 groups 19/20, i.e. the P-256/P-384 curves) for key exchange.

    • AES-256-GCM for data encryption and integrity.

Why it matters:
Even if an attacker intercepts the data traveling over the internet, they can't read it, and any modification is detected by the GCM authentication tag, so the altered packet is dropped. The ESP anti-replay window also rejects captured packets that are replayed later.

Role-Based Access at the WAN Edge
  • Aruba uses user roles to define what devices can and cannot access—even across the WAN.

  • These roles are persistent, meaning they travel with the user/device from site to site.

Example:

  • A guest device always gets internet-only access, even if it connects from a different branch.

  • A corporate device keeps its full access role no matter the location.

Traffic inspection happens at the headend gateway (central data center or security point). This ensures policies are centrally enforced and consistent.

WAN Health Probing
  • Aruba branch gateways constantly monitor link health:

    • Send probes to test packet delivery, delay, and jitter.

  • If a link performs poorly, Aruba can:

    • Reroute traffic

    • Adjust application flows

    • Log alerts in Aruba Central

This keeps business-critical applications (like Zoom or Microsoft Teams) on the most reliable path currently available.

3. Remote User Access

Not all users are inside the office. Aruba offers secure access options for users working remotely or from personal devices.

Aruba VIA (Virtual Intranet Access)
  • VIA is Aruba’s VPN client software.

  • Available for:

    • Windows

    • macOS

    • iOS

    • Android

How it works:

  • User launches the VPN client.

  • VIA authenticates with ClearPass using:

    • EAP-TLS (certificate-based)

    • SAML (single sign-on with cloud identity like Azure AD)

  • Before connecting, VIA can also check:

    • Antivirus status

    • Disk encryption

    • Firewall enablement

This is called posture checking—only healthy, secure devices are allowed to connect.

Clientless ZTNA (Zero Trust Network Access)
  • Some Aruba customers integrate Aruba ClearPass with third-party ZTNA platforms (e.g., Zscaler, Palo Alto).

  • These platforms allow users to access apps via a browser, without installing a VPN client.

  • Identity federation lets ClearPass share user roles and device posture with the ZTNA provider.

Microsegmentation enforcement ensures:

  • Each user/device gets access only to what they need, not the full network.

  • Sensitive apps are isolated from guests or unknown devices.
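The role and posture logic described in this section, as an added Python example that is not part of the original page and is not Aruba or ClearPass code. The role table, the posture checks, the endpoint records and the segment names are all constructed for illustration; the point it demonstrates is that the enforced role is derived from authentication method and posture only, so the connecting site never changes the answer, and that a failed posture check overrides the role ClearPass assigned.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role table: each persistent role maps to the segments it may reach.
# Anything not listed is denied (default deny).
ROLE_SEGMENTS: Dict[str, Set[str]] = {
    "corporate":  {"internet", "corp-apps", "file-servers"},
    "guest":      {"internet"},
    "quarantine": {"remediation"},
}

# Posture checks the VPN client reports; every one must hold for the device to count as healthy.
REQUIRED_POSTURE = {"antivirus_running": True, "disk_encrypted": True, "firewall_enabled": True}
STRONG_AUTH = {"EAP-TLS", "SAML"}


@dataclass
class Endpoint:
    name: str
    auth_method: str            # "EAP-TLS", "SAML", or "none" (open guest portal)
    assigned_role: str          # role ClearPass returned on authentication
    posture: Dict[str, bool]
    site: str                   # where the device connected today


def failed_posture_checks(posture: Dict[str, bool]) -> List[str]:
    return [check for check, wanted in REQUIRED_POSTURE.items() if posture.get(check) != wanted]


def effective_role(ep: Endpoint) -> str:
    """Derive the enforced role. ep.site is deliberately never consulted:
    the role travels with the user/device, so the answer is the same at every branch."""
    if ep.auth_method not in STRONG_AUTH:
        return "guest"
    if failed_posture_checks(ep.posture):
        return "quarantine"      # authenticated but unhealthy: remediation segment only
    return ep.assigned_role


def flow_allowed(ep: Endpoint, destination_segment: str) -> bool:
    # Unknown roles fall through to an empty allow-set, i.e. default deny.
    return destination_segment in ROLE_SEGMENTS.get(effective_role(ep), set())


def decisions(ep: Endpoint, destinations: List[str]) -> Dict[str, bool]:
    return {d: flow_allowed(ep, d) for d in destinations}


HEALTHY = {"antivirus_running": True, "disk_encrypted": True, "firewall_enabled": True}

# Constructed endpoints (hypothetical names)
GUEST_AT_BRANCH_B = Endpoint("visitor-phone", "none", "guest", {}, site="branch-b")
CORP_AT_HOME      = Endpoint("alice-laptop", "EAP-TLS", "corporate", HEALTHY, site="home")
CORP_UNENCRYPTED  = Endpoint("bob-laptop", "EAP-TLS", "corporate",
                             {**HEALTHY, "disk_encrypted": False}, site="branch-a")

if __name__ == "__main__":
    for ep in (GUEST_AT_BRANCH_B, CORP_AT_HOME, CORP_UNENCRYPTED):
        print(ep.name, effective_role(ep), decisions(ep, ["internet", "file-servers", "remediation"]))
```

Running it shows the guest device getting internet only at branch-b, the healthy corporate laptop keeping full access from home, and the corporate laptop with disk encryption off being dropped to the quarantine role regardless of where it connected.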

Secure the WAN (Additional Content)

1. Aruba VIA: Auto-Connect and Failover Resilience

VIA (Virtual Intranet Access) is Aruba’s VPN client for remote users, providing secure connectivity back to the enterprise network.

Auto-Connect (Seamless User Experience)

  • VIA can be preconfigured to auto-connect when the device:

    • Is outside the corporate network

    • Detects untrusted Wi-Fi

  • Configuration is delivered via:

    • Aruba Central

    • Microsoft GPO or MDM (for enterprise deployment)

Key Options:

  • Trusted Network Detection: Avoid VPN use on known safe networks (e.g., office SSID)

  • Always-On VPN: Force tunnel even if local Wi-Fi is “safe”

  • Auto-Failover: If the primary VPN gateway is unreachable, VIA retries backup gateways from a prioritized list

Resilience Benefits:

  • Ensures always-available access

  • Enables policy continuity even during home Wi-Fi or mobile transitions

  • Minimizes user intervention and support calls

2. ZTNA Visibility in Aruba Central

Zero Trust Network Access (ZTNA) aims to verify every user and device continuously, even post-authentication.

Aruba Central as ZTNA Visibility Hub

While ZTNA enforcement might be handled by third-party platforms (e.g., Zscaler, Palo Alto), Aruba Central plays a key observability and orchestration role.

Key ZTNA Functions in Central:

  • Identity Federation Logs:

    • Central receives user/device context from ClearPass or external IdPs (via SAML, RADIUS)

  • Microsegmentation Insight:

    • Visualizes who has access to what (based on user roles, posture, location)

  • Event Correlation:

    • Matches login events, access attempts, and posture results with:

      • Threat alerts

      • Gateway decisions

      • Enforcement outcomes

  • Log Streaming:

    • Central can forward logs and telemetry to:

      • SIEM (e.g., Splunk, ArcSight)

      • SOAR for response automation

      • Third-party ZTNA dashboards
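The event-correlation and log-streaming functions listed above, as an added Python example that is not part of the original page and does not use Aruba Central's real schema or API. The three event streams (authentication, posture, gateway enforcement) are constructed for illustration and the field names are assumptions; the correlation joins them on a session id and raises a finding when a gateway allowed access that the identity or posture context does not justify, then serialises the findings as JSON lines of the kind a log-streaming integration would forward to a SIEM.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed telemetry for one reporting window. Field names are illustrative,
# not Aruba Central's actual schema.
AUTH_EVENTS = [
    {"session": "s1", "user": "alice",    "device": "lap-01",  "method": "EAP-TLS", "role": "corporate"},
    {"session": "s2", "user": "guest-77", "device": "phone-9", "method": "portal",  "role": "guest"},
    {"session": "s3", "user": "bob",      "device": "lap-02",  "method": "EAP-TLS", "role": "corporate"},
]
POSTURE_EVENTS = [
    {"session": "s1", "result": "HEALTHY"},
    {"session": "s3", "result": "UNHEALTHY", "failed": ["disk_encrypted"]},
]
ENFORCEMENT_EVENTS = [
    {"session": "s1", "action": "ALLOW", "segment": "file-servers", "gateway": "bgw-branch-a"},
    {"session": "s2", "action": "ALLOW", "segment": "internet",     "gateway": "bgw-branch-b"},
    {"session": "s3", "action": "ALLOW", "segment": "file-servers", "gateway": "bgw-branch-a"},
    {"session": "s9", "action": "ALLOW", "segment": "corp-apps",    "gateway": "bgw-branch-c"},
]
SENSITIVE_SEGMENTS = {"file-servers", "corp-apps"}


def correlate(auth: List[dict], posture: List[dict], enforcement: List[dict]) -> List[dict]:
    """Join the three streams on session id and flag enforcement outcomes that
    contradict the identity/posture context held for that session.
    Later posture events for the same session replace earlier ones."""
    context: Dict[str, dict] = defaultdict(dict)
    for e in auth:
        context[e["session"]]["auth"] = e
    for e in posture:
        context[e["session"]]["posture"] = e

    findings = []
    for e in enforcement:
        if e["action"] != "ALLOW":
            continue
        ctx = context.get(e["session"], {})
        if "auth" not in ctx:
            # A gateway allowed a session no authentication event was ever recorded for.
            findings.append({"rule": "allow_without_auth_record", "session": e["session"],
                             "segment": e["segment"], "gateway": e["gateway"]})
            continue
        posture_result = ctx.get("posture", {}).get("result", "MISSING")
        if e["segment"] in SENSITIVE_SEGMENTS and posture_result != "HEALTHY":
            # Sensitive segment reached by a device that failed, or never completed, posture.
            findings.append({"rule": "sensitive_segment_without_healthy_posture",
                             "session": e["session"], "user": ctx["auth"]["user"],
                             "device": ctx["auth"]["device"], "segment": e["segment"],
                             "posture": posture_result, "gateway": e["gateway"]})
    return findings


def to_siem_lines(findings: List[dict]) -> List[str]:
    """One JSON object per line, the shape a log-streaming integration would forward."""
    return [json.dumps({"source": "central-ztna-correlation", **f}, sort_keys=True) for f in findings]


if __name__ == "__main__":
    for line in to_siem_lines(correlate(AUTH_EVENTS, POSTURE_EVENTS, ENFORCEMENT_EVENTS)):
        print(line)
```

On the constructed data this produces two findings: session s3 reached file-servers while its posture was UNHEALTHY, and session s9 was allowed onto corp-apps with no authentication record at all. Session s1 (healthy, corporate) and s2 (guest to internet) produce nothing, which is the expected quiet case.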

Why It Matters:

ZTNA isn’t only about blocking access—it’s about continuous monitoring and decision logic, and Aruba Central is central to that real-time coordination.

3. Dynamic Path Selection: Thresholds and Application-Aware Routing

Dynamic Path Selection enables branch gateways to intelligently route traffic over the best WAN uplink based on real-time link quality.

Key Metrics Monitored:

  • Latency (ms)

  • Jitter (variation in latency)

  • Packet loss (%)

  • Link state and availability

Customizable Thresholds

Administrators can define thresholds to trigger path failover or traffic shifting, e.g.:

Jitter > 30ms for 3 consecutive intervals → fail to secondary WAN
Loss > 2% over 5 seconds → shift voice traffic to MPLS

Application-Aware Policy Binding

  • Aruba SD-WAN supports Deep Packet Inspection (DPI) to classify applications.

  • Admins can bind apps to specific WAN paths:

    • Voice and video → MPLS (for guaranteed low latency)

    • Office 365, YouTube → Broadband

    • IoT telemetry → LTE backup

Sample Application Policy (Conceptual)

Application Category: Real-Time Collaboration
Matching Apps: Zoom, Microsoft Teams
Preferred Path: MPLS
Failover Trigger: Jitter > 25ms OR Loss > 1%
Fallback Path: Internet broadband

Result:

  • Critical apps always take the best possible path

  • Non-critical traffic offloads to lower-cost links

  • Ensures optimal user experience and cost control
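The probing, threshold and application-binding logic described in section 1 (Dynamic Path Selection), section 2 (WAN Health Probing) and this section, brought together as one added Python example. It is not part of the original page and is not Aruba gateway code; the probe samples, link names, thresholds and the "three consecutive intervals" hysteresis are constructed for illustration. It reduces one interval of probe replies to latency, jitter and loss, applies a per-application policy (preferred path, fallback path, SLA thresholds), fails over only after the breach has persisted for the configured number of intervals, and fails over immediately when the preferred link is down.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Constructed per-interval probe results (one-way delay in ms to the headend,
# None = probe lost). Made up for this example; a gateway would measure them.
GOOD_MPLS    = [20, 21, 20, 22, 21, 20, 21, 20, 22, 21]
JITTERY_MPLS = [20, 60, 20, 70, 25, 65, 20, 60, 22, 68]
BROADBAND    = [35, 40, 33, 45, 38, 42, 36, 44, 39, 41]
DEAD_LINK    = [None] * 10


@dataclass
class LinkMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool


def compute_metrics(samples: List[Optional[float]]) -> LinkMetrics:
    """Reduce one probe interval to the three metrics path selection evaluates.
    latency = mean delay of received probes; jitter = mean absolute change between
    consecutive received probes (a simplified RFC 3550-style estimator);
    loss = lost / sent. A link with no replies at all is reported as down."""
    received = [s for s in samples if s is not None]
    if not received:
        return LinkMetrics(float("inf"), float("inf"), 100.0, False)
    loss = 100.0 * (len(samples) - len(received)) / len(samples)
    diffs = [abs(b - a) for a, b in zip(received, received[1:])]
    return LinkMetrics(mean(received), mean(diffs) if diffs else 0.0, loss, True)


@dataclass
class AppPolicy:
    name: str
    preferred: str
    fallback: str
    max_jitter_ms: float
    max_loss_pct: float
    max_latency_ms: float = 150.0
    consecutive_intervals: int = 3   # breach must persist this long before failover


@dataclass
class PathSelector:
    policy: AppPolicy
    breaches: int = 0                 # consecutive intervals the preferred link missed its SLA

    def evaluate(self, metrics: Dict[str, LinkMetrics]) -> str:
        """Return the uplink to use for this application during this interval."""
        p = self.policy
        pref = metrics[p.preferred]
        if not pref.up:
            self.breaches = p.consecutive_intervals   # hard failure: skip the hysteresis window
        elif (pref.jitter_ms > p.max_jitter_ms or pref.loss_pct > p.max_loss_pct
              or pref.latency_ms > p.max_latency_ms):
            self.breaches += 1
        else:
            self.breaches = 0         # SLA met again: return to the preferred path
        chosen = p.fallback if self.breaches >= p.consecutive_intervals else p.preferred
        if not metrics[chosen].up:    # never steer onto a dead link
            up_links = [name for name, m in metrics.items() if m.up]
            chosen = up_links[0] if up_links else chosen
        return chosen


def run_timeline(policy: AppPolicy, timeline: List[Dict[str, List[Optional[float]]]]) -> List[str]:
    """Feed successive probe intervals through one selector; return the chosen path per interval."""
    selector = PathSelector(policy)
    return [selector.evaluate({link: compute_metrics(s) for link, s in interval.items()})
            for interval in timeline]


VOICE = AppPolicy("Real-Time Collaboration", preferred="mpls", fallback="broadband",
                  max_jitter_ms=25.0, max_loss_pct=1.0)

# Seven intervals: MPLS healthy, then jittery for four intervals, then healthy again.
TIMELINE = (
    [{"mpls": GOOD_MPLS, "broadband": BROADBAND}] * 2
    + [{"mpls": JITTERY_MPLS, "broadband": BROADBAND}] * 4
    + [{"mpls": GOOD_MPLS, "broadband": BROADBAND}]
)

if __name__ == "__main__":
    for i, path in enumerate(run_timeline(VOICE, TIMELINE), 1):
        print(f"interval {i}: {VOICE.name} -> {path}")
```

With the jitter threshold at 25 ms and three consecutive intervals required, the timeline above stays on MPLS for the first two jittery intervals, moves voice to broadband on the third and fourth, and returns to MPLS as soon as the link is clean again; the consecutive-interval counter is what stops a single bad probe window from flapping the path. A timeline in which every MPLS probe is lost fails over in the first interval.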

Summary

Topic                              | Benefit                                                         | Aruba Implementation
-----------------------------------|-----------------------------------------------------------------|---------------------------------------------------
VIA Auto-Connect & Failover        | Improves user experience and connection resilience              | VIA client profile + gateway redundancy
ZTNA Visibility in Central         | Centralized control and monitoring of identity, posture, access | Federation logs + event correlation + telemetry
Dynamic Path Selection (Advanced)  | Fine-grained routing based on jitter/loss per application       | Application-aware routing + failover thresholds

Frequently Asked Questions

What is the primary purpose of using IPsec in WAN security?

Answer:

IPsec encrypts network traffic between sites to protect data from interception.

Explanation:

IPsec is commonly used to secure communications across untrusted networks such as the internet. It provides confidentiality through encryption, integrity through a keyed authentication check (an HMAC, or the authentication tag of an AEAD cipher such as AES-GCM), and mutual authentication of the communicating devices during IKE. In campus networking deployments, IPsec tunnels are frequently used to connect branch offices, remote networks, or cloud services to the main campus infrastructure. By encrypting packets before transmission, IPsec prevents attackers from reading sensitive information even if they intercept the traffic.

Demand Score: 75

Exam Relevance Score: 90

Why must both sides of an IPsec tunnel agree on encryption parameters?

Answer:

Because mismatched encryption settings prevent the tunnel from being established.

Explanation:

During IKE negotiation the initiator offers one or more proposals, each naming an encryption algorithm, a pseudo-random function and integrity algorithm, a Diffie-Hellman group and an authentication method, and the responder must find one it also allows. If none of the offered proposals matches the responder's policy, it answers with a NO_PROPOSAL_CHOSEN notification and the tunnel never comes up, because the two sides cannot agree on how traffic should be encrypted and verified. Many VPN troubleshooting cases come down to exactly this: one transform (often the DH group or the integrity algorithm) differs on one side.
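The proposal-matching step described above, as an added Python example that is not part of the original page and not Aruba or any IKE implementation's code. It models the responder side of IKEv2 SA negotiation (RFC 7296): the initiator's proposals are tried in order of preference, the first one the responder's policy also allows is chosen, and otherwise the result is NO_PROPOSAL_CHOSEN. The transform names and the headend policy are illustrative, not vendor CLI syntax. It also goes a step beyond the text with a troubleshooting helper that reports, for each rejected proposal, which transform differs from the closest responder proposal, which is the question an administrator actually has to answer when a tunnel will not come up.

```python
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ("encr", "prf", "integ", "dh")   # IKEv2 transform types (RFC 7296 section 3.3.2)


@dataclass(frozen=True)
class Proposal:
    encr: str
    prf: str
    integ: Optional[str]   # None for AEAD ciphers (AES-GCM), which carry their own integrity
    dh: str


# Illustrative proposal names, not Aruba CLI syntax.
SUITE_B_256 = Proposal("AES_GCM_16/256", "PRF_HMAC_SHA2_384", None, "ECP_384")
SUITE_B_128 = Proposal("AES_GCM_16/128", "PRF_HMAC_SHA2_256", None, "ECP_256")
LEGACY      = Proposal("AES_CBC/256", "PRF_HMAC_SHA1", "HMAC_SHA1_96", "MODP_2048")
# A constructed branch misconfiguration: right cipher and PRF, wrong DH group for the 256-bit suite.
BRANCH_TYPO = Proposal("AES_GCM_16/256", "PRF_HMAC_SHA2_384", None, "ECP_256")


def select_proposal(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Responder side of SA negotiation (RFC 7296 section 2.7): the initiator lists
    its proposals in order of preference; the responder returns the first one it
    also allows, or None, in which case it would send a NO_PROPOSAL_CHOSEN notify."""
    allowed = set(responder)
    for p in initiator:
        if p in allowed:
            return p
    return None


def differing(a: Proposal, b: Proposal) -> List[str]:
    """Transform types on which two proposals disagree."""
    return [f for f in FIELDS if getattr(a, f) != getattr(b, f)]


def explain_mismatch(initiator: List[Proposal], responder: List[Proposal]) -> dict:
    """Troubleshooting aid: for each initiator proposal, name the transform(s) that
    differ from the closest responder proposal, so the admin knows what to fix."""
    report = {}
    for i, p in enumerate(initiator, 1):
        closest = min(responder, key=lambda r: len(differing(p, r)))
        report[f"proposal_{i}"] = differing(p, closest)
    return report


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> dict:
    chosen = select_proposal(initiator, responder)
    if chosen is None:
        return {"status": "NO_PROPOSAL_CHOSEN", "mismatch": explain_mismatch(initiator, responder)}
    return {"status": "OK", "chosen": chosen}


HEADEND_POLICY = [SUITE_B_256, SUITE_B_128]   # headend accepts only the two GCM suites

if __name__ == "__main__":
    print(negotiate([SUITE_B_256, LEGACY], HEADEND_POLICY))   # tunnel comes up on Suite B 256
    print(negotiate([LEGACY], HEADEND_POLICY))                # legacy-only branch is refused
    print(negotiate([BRANCH_TYPO], HEADEND_POLICY))           # refused; report points at "dh"
```

A branch that offers the Suite B 256-bit proposal first (with a legacy proposal as a second choice) gets the Suite B proposal, since the headend ignores anything it does not allow. A branch that offers only the legacy proposal is refused on every transform, and the branch with the wrong DH group is refused with a report that names only "dh", which is the single setting to correct.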

Demand Score: 71

Exam Relevance Score: 88

What security advantage does encrypting WAN traffic provide?

Answer:

It prevents attackers from reading sensitive data transmitted across public networks.

Explanation:

When organizations transmit data across the internet, the traffic may pass through multiple untrusted networks. Without encryption, attackers could capture packets and analyze their contents. Encryption ensures that intercepted packets cannot be understood without the correct decryption keys. This protects sensitive information such as login credentials, internal communications, and business data. WAN encryption is therefore a critical part of securing communications between distributed network locations.

Demand Score: 70

Exam Relevance Score: 86
