The Aruba SD-Branch solution enables companies to reduce CAPEX and fix many problems that they are encountering today in their branch sites. The Aruba SD-WAN branch gateway solution offers multiple functions such as firewall, router, DPI engine, and WAN optimization in a single device, thus reducing the number of devices to deploy, manage, and maintain.
SD-WAN as a service offers economical WAN connection types and transport independence. With the Aruba SD-WAN solution we can combine traditional WAN links with Internet links in an active-active setup. The solution offers excellent load-balancing and traffic steering based on RBAC, device type, application, and path quality across a variety of WAN links.
There is no longer any dependence on a physical security model. A role-based model enables many benefits for branch operations and. An administrator can easily configure policies that are access- and location-agnostic, delivering a single policy framework for wired, wireless, and WAN. Wired switches can act as “wired APs”, tunneling all user traffic to the branch gateway so that a single consistent policy can be applied. Organizations get end-to-end segmentation of traffic, enforced at the branch and maintained across the entire network.
The Aruba SD-Branch solution consists of the following four main components:
- Cloud Management — Aruba Central, a cloud-based management service that offers single-pane-of-glass management and control for all devices (Aruba APs, switches, branch and headend gateways). Aruba Central can automatically configure the SD-WAN overlay VPN and provides detailed topology views of the network. Aruba Central also compares different sets of network information in order to provide insights.
- Branch Gateway — The branch gateway is the appliance at the branch that connects to WAN uplinks and participates as an end-point in the SD-WAN overlay fabric. The branch gateway handles policy enforcement for wired, wireless, security, and WAN including routing. The gateway functions include stateful firewall, web content classification, hybrid WAN connectivity, IPsec VPN, QoS, and WAN path monitoring and selection. The Aruba 7000 series appliances run the branch gateway as a software function.
- Branch WLAN/LAN — Aruba LAN networking devices such as switches and APs offer wired/wireless connectivity for users at branch sites. Access to the branch network is controlled by the Aruba network infrastructure, using role-based policies centralized in the headend or data center, thus allowing any device to connect via wired or wireless and authenticate to the network.
- Headend Gateway — The Aruba headend gateway plays the role of a VPN concentrator at the headend site in a hub-and-spoke topology. It is responsible for terminating IPsec VPN tunnels and participating in the DC and campus routing. The headend gateway also takes part in the SD-WAN fabric overlay topology. The Aruba 7200 series appliances run the headend gateway as a software function.
Key Features
- Cloud management — Aruba Central is the cloud-based management, monitoring, and troubleshooting portal for Aruba gateways, instant access points, and wired switches. It can be seamlessly integrated with third-party, cloud-based security providers. Broad use of templates allows for simple branch provisioning and onboarding. Aruba Central replaces on-site network management.
- Real-time health monitoring — Cape can deploy cloud-managed sensors at each branch site to monitor application performance from a centralized location, 24/7/365.
- Zero-touch provisioning — All of the Aruba branch devices can be configured with ZTP, including the gateway, APs, and switches. In order to learn the address of Aruba Mobility Master and self-provision without operator intervention, Aruba devices use DHCP or DNS to connect with Aruba Activate. The devices have TPM crypto-processors embedded in hardware in order to allow for secure, mutual authentication.
- Automatic VPN setup — The Aruba solution takes away the complexity of setting up secure VPN tunnels by automatically establishing the overlay topology and advertising routes available over the overlay.
Security
- IPsec VPN — Aruba branch gateways and headend gateways support high-performance IPsec VPN for secure overlay networking across the Internet or other untrusted networks.
- Client VPN — Aruba branch gateways and headend gateways support VPN termination from client endpoints directly. This enables employees or contractors in a branch to access internal systems, such as security cameras or IoT sensors, based on their permitted role.
- Dynamic segmentation — The ports on the Aruba switches can be tunneled to the branch gateway, so the same user policy that we apply to wireless users can be applied to wired users.
- Stateful firewall — The Aruba Policy Enforcement Firewall is a complete, stateful firewall able to strictly control what users and devices are permitted to do, enabling application-layer security and providing separation between user roles. This gives network administrators insight into the applications running on the network and who is using them.
- Web content classification & reputation — The classification technology used by the Aruba branch gateway is Webroot cloud-based machine learning. Web site classification is used for content filtering. The reputation of all public IP address space is examined to detect and block threats such as spam, exploits, botnets, phishing, proxies, and mobile threats. Geo-location information can be used to block IP ranges based on country.
- Cloud security integration — Select traffic that is bound for the Internet can be redirected to cloud security services such as Zscaler or Palo Alto Networks GlobalProtect. This will allow companies that use cloud-security services to have the same policy applied to user groups in the branch or at headquarters.