Aruba Networks News
The University of Cambridge has been around for just a little while. With over eight hundred years of teaching, research and worldwide collaboration, we can say, as one of the oldest universities, that we have made a real positive difference to the world.
Providing services to such a prestigious institution is a real privilege but can also be daunting. At Cambridge, the whole City is the campus, as University Departments and Colleges span the City. Networking on such a distributed scale is a challenge; we have to take both the narrow and wider view at the same time. 25 years ago, the University had the foresight to begin deploying a pan-city fibre optic network, the Granta Backbone Network, to connect the hundreds of University buildings together. Today this encompasses 60 km of multicore fibre over which we run a core and distribution router network. Therefore, as all our buildings are networked together, you would think that deploying Wi-Fi on the back of that must be easy. That could not be further from the truth; as hinted at already, Cambridge is far from simple.
The most basic thing you do for a wireless deployment is a Wi-Fi survey. Here at Cambridge, we have a myriad of buildings of all shapes, sizes and types. For example, we have buildings that are eight hundred years old right through to modern structures. The construction of these buildings is amazingly diverse, from metre-thick stone walls to concrete monoliths right through to simple buildings made up of modern partition walls. The latter sounds simple until you come across that surprise hefty wall with four layers of unexpected insulation or a signal-killing chimney hidden in the wall. We also have constructions as varied as residential buildings (which can also act as hotels out of term), office blocks, state-of-the-art laboratories, lecture theatres and seminar rooms, libraries and warehouses. This means that the University Wireless Team have their work cut out surveying each of these unique environments while trying to get ubiquitous Wi-Fi into all areas. We estimate that if we surveyed each building end to end, it would take more than five years.
So, presuming we can survey the building and find an acceptable deployment (for example, imagine finding cable routes and dealing with the aesthetics in an 800-year-old building), how do we manage the system itself? In the University, we are approaching 5000 indoor and outdoor Aruba access points installed across the City. With such a large deployment, we need a solution that just works and we need a solution that is easy to monitor and manage centrally. Aruba AirWave allows us to have visibility of the status and statistics of every access point from our office in West Cambridge and that avoids the need for time-consuming site visits. The level of information it provides is staggering; we just would not be able to manage such a large and widespread deployment without it.
Wireless connectivity has become essential to University business and for many people, it is the default connection method. If we are to stay ahead in student experience, teaching, research and other areas, we need to continue investing in mobility. To do this we are periodically reviewing our wireless deployment and undertaking continual technology refresh. Right now, we are upgrading to a 2N resiliency model for the central infrastructure, investigating new authentication technologies, including Aruba ClearPass, and introducing the new 802.11ac Wave 2 access points while making a large investment in phasing out some of the oldest models. We are expanding outdoor coverage to provide mobility in between University buildings and are working in collaboration with the local authorities to provide public Wi-Fi in the public parks and streets. Lastly, we hope to build on all this hard work to add extra depth to wireless network access. One example would be geolocation technology such as the Aruba Meridian and beacon platform.
This is clearly a lot of hard work and demonstrates we cannot stand still; we have to continue to be responsive. Growth in wireless usage on the University network is going through the roof and reacting to this is a continual challenge. By keeping up with the technology curve, and responding to the demand in network growth and digital transformation we are continuing to ensure that University Wireless is fit for tomorrow’s evolving needs.
If fellow Airheads members have questions around the deployment, feel free to reach out to me @Alexander.
The need for increased business agility is pushing every enterprise towards digital transformation. As a result, enterprise networks must demonstrate improved flexibility and hardiness, increased operational visibility and programmable automation. Following the recent announcement of Aruba 8400 chassis-based core switch, the new 8320 fixed-form factor device expands the switching product portfolio and extends Aruba’s intelligent edge architecture into the enterprise aggregation and core.
The intelligent edge invariably consists of both wireless and wired devices. It could be legacy workstations, medical devices, industrial machines or IoT. Aruba’s Mobile First Architecture hence encompasses both wired and wireless edge devices. But digital transformation cannot be limited to the edge and must be pervasive across enterprise networks. The aggregation and core must also evolve to drive business transformation. While hardware speeds and feeds are important, it is the software that is instrumental in effecting change.
The Aruba 8320 and 8400 wired switches run Aruba’s new OS-CX network operating system that is built from the ground up to drive agility and enable transformation in the digital enterprise. This is achieved by three key tenets of ArubaOS-CX—its micro-services style software architecture, programmable REST APIs and the built-in Network Analytics Engine.
ArubaOS-CX, a modern network operating system
The modular, micro-services style architecture in ArubaOS-CX is usually seen only in high-priced data center switches, not in enterprise-optimized campus switches. Micro-services style, database-driven software development is a key innovation that replaces monolithic network operating system code. It simplifies many critical and complex network tasks, enables independent monitoring and restart of software modules, and improves system availability and fault tolerance by allowing individual modules to be upgraded independently.
REST APIs for programmable network operations
The state information in the database is accessible to internal network functions and to external management and automation software through REST APIs for operational automation.
By implementing programmable REST APIs, Aruba switches may be integrated with Aruba AirWave and ClearPass for policy-based management. Furthermore, rather than manually driven mechanisms that are less agile and more error-prone, configuration and management can be tackled by higher-level software languages such as Python.
Network Analytics Engine
Faster troubleshooting and debugging are crucial to network assurance in an agile network. Today, network devices produce vast quantities of data to offer visibility into network operations. In conjunction with a built-in time-series database and programmable REST APIs, the onboard Network Analytics Engine (NAE) framework in ArubaOS-CX gives customers a means to analyze the switch’s operational state. By using the REST APIs, a network operator can rewind and play back network behavior, or request additional information from the switch as a means to quickly and efficiently troubleshoot problems, avoid performance bottlenecks and predict security problems.
The age of digital transformation is upon us, driven by the large-scale deployment of mobile devices, sensors and IoT. ArubaOS-CX and the 8320 will help transform the campus network and drive innovation in your enterprise.
Read Tom Black’s blog “ArubaOS-CX: A Modern, Programmable Network for the Mobile and IoT Age.”
Read Michael Dickman’s blog “Three Reasons Campus Networking Needs a New Approach.”
I recently visited a hospital to discuss their requirements for an asset tracking solution. The primary use case is to locate medical equipment when it is due for its annual maintenance. They went into detail on the magnitude of the task for the operations and maintenance team, and how much time is lost. They needed a solution that was simple to set up and easy to use.
They said it is not uncommon for a $25,000 specialty bed to end up in the wrong department, and then for it to accidentally get placed into a storage closet and not seen for months. Neither the hospital staff nor someone responsible for maintaining the bed would know where it was.
That situation led to the secondary use case, which was to ensure that all equipment was actively in use. They went on to explain a scenario I have heard many times. When staff is routinely unhappy that they can’t find a piece of equipment when they need it, the facility team rents or purchases more. They must not have enough, right? Of course, this practice meant that the amount of equipment that needs service grows. A vicious cycle of inefficiency ensues…
They talked more specifically about the $25,000 beds and $10,000 stretchers that were purchased—and then found in a storage area after being unused for months. The same for bariatric beds, which were rented for more than $2,000 per month. At this point, we weren’t even talking about other types of expensive equipment, such as infusion pumps, portable ultrasound machines, and wheelchairs.
Business Value of Asset Tracking
The statistics I have commonly seen on lost equipment at hospitals are staggering. On average, 10% to 20% of a group of medical assets are lost over their lifetime. Doing some simple back-of-the-envelope calculations, if this facility could place asset tags on 500 beds in the hospital, and prevent just 5% of the beds (half the typical loss rate) from going missing, it would save $625,000 in replacement cost!
5% of 500 beds = 25 beds; 25 beds * $25,000 per bed = $625,000 lost value
That is easily a saving of approximately three to four times the cost of a full Bluetooth-based asset tracking solution deployment! And remember this is just the replacement cost of beds! Other cost savings to consider:
- Lost time that maintenance and healthcare staff spends searching for assets
- Out-of-maintenance devices posing a health risk and potential lawsuits
- The cost of buying or renting more equipment than is really needed
- The cost of not meeting compliance requirements
It was clear to me—and this customer—that there is a huge cost to NOT investing in an asset tracking solution. The ROI argument is clear, and the payback is delivered in an incredibly short amount of time. By leveraging their Aruba Wi-Fi infrastructure and standard mobile devices, they could have the solution working in days, not weeks or months.
As I left and headed back to my car, I walked past the same seemingly abandoned wheelchair near the parking lot that I saw on my way in. I wondered if anyone knew if this wheelchair was just sitting here, and how many people were waiting upstairs for a wheelchair to go home.
People’s high expectations for speed and mobility have put pressure on IT to deliver better services, including back-end operations and customer experience in stores and branch locations. Supporting the exploding number of mobile and IoT devices that bring value to the overall store experience requires an intensive amount of backend IT work. Most critical is equipping the branch with the right WAN technology to handle customers’ mobile-first mindset. After all, without the bandwidth and intelligence to seamlessly direct network traffic and support the digital transformation in retail, new mobile and IoT devices can do more harm than good to the customer experience.
For retailers and other businesses that have hundreds or thousands of branch locations managed by a limited number of IT staff, rapid growth in mobility has left IT with big challenges to solve around WAN bandwidth and visibility. The network is experiencing more pressure from the spike in users, but IT has limited resources and control over traffic, leaving them with the following questions:
- How can IT increase bandwidth without increasing costs?
- How can IT visualize and prioritize network traffic to maximize branch efficiency?
Maximize Bandwidth, Minimize Cost
Business leaders are often forced to make the decision to upgrade after their legacy networks are unable to handle the rise in network traffic. Increasing bandwidth traditionally involves increasing expensive MPLS uplinks, which adds pressure on IT to find a more cost-effective way to meet the organization’s bandwidth needs.
To mitigate costs, branches are utilizing Internet uplinks to supplement their more secure and reliable MPLS uplinks. Enterprises across the board are reacting to changing WAN requirements by implementing hybrid WANs. Network Computing reports that “by 2020, more than 60% of enterprises will have deployed direct internet access in their branch offices.” By adding cost-effective Internet links, branches can reduce WAN costs and improve connectivity for guests by alleviating pressure on the legacy MPLS uplinks. Legacy MPLS links are freed up for business-critical applications such as real-time video surveillance or point-of-sale (POS) transactions.
Regain Lost Visibility and Control
Having more than one uplink relieves pressure on the network, but given that there are different levels of priority for network activity, it is crucial for IT to manage uplinks intelligently. A hybrid WAN can help. Critical business operations should be prioritized by utilizing reliable, SLA-quality MPLS uplinks, and less critical activity sent over raw Internet to segment bandwidth use. For example, in retail, a customer’s POS transaction should be prioritized and sent over MPLS while in-store video streaming should be directed to the Internet. However, with traditional WAN technology, IT lacks visibility and control over network traffic, preventing maximum branch efficiency.
New software-defined WAN (SD-WAN) technology mitigates these issues by providing features such as dynamic routing (and others) for private or public traffic so IT can regain control of the network. As the network is flooded with new users, devices, and applications, IT can leverage application awareness to properly segment and prioritize network activity. With SD-WAN, IT can route traffic over the best-performing hybrid WAN uplinks using application awareness.
It is critical that branches are equipped with the correct WAN technology to maintain reliable connectivity as the success of a business’ digital transformation leans heavily on IT’s ability to prevent and mitigate bandwidth issues. Technology implemented in retail stores meant to improve customer experience and streamline store operations cannot fulfill its role without a properly managed WAN to support IT’s back-end responsibilities.
Get a deeper understanding of security. Read the blog “Secure the last mile: From access to the WAN.”
As patient care increasingly relies on access to mobile clinical applications, and as smart medical devices and sensors become widespread, Wi-Fi becomes more critical than ever. But hospitals are some of the toughest environments for wireless LANs.
- Hospitals are 24 X 7 operations – with no time to take down a network for maintenance.
Fortunately, my family and I are pretty healthy, and I don’t spend a lot of time in a hospital outside of customer visits. Unfortunately, when I do go to a hospital, it is usually the emergency room, outside of business hours. The network has to work at all hours. You can’t turn off the Wi-Fi on Tuesday from 3 am to 5 am because you will probably be providing care to critically injured patients. Even when a network piece has to be replaced, if it is in a patient room (like an access point), IT will have to wait for the room to be open (with no current patient assigned), and after installation, the room has to be sanitized – especially if the ceiling tiles were moved.
- Clinicians use a combination of hospital-provided and personal devices to provide care.
Next time you go to a hospital, pay attention to the devices caregivers use to record data and manage your visit. Laptops, tablets, smartphones, and other communication devices are all commonly connected. These devices run a wide variety of software. Windows, iOS, and Android are all prevalent, and individual devices have different network connectivity capabilities. Devices, especially personal ones, are upgraded frequently and need to be on-boarded quickly so care workflow is not interrupted.
- Hospitals employ a huge variety of medical devices, which are all important to care.
A colleague in Australia told me a horror story about upgrading the wireless network in a hospital. During the initial tune-up, the connectivity for a single type of device was terrible. After hours of troubleshooting, he discovered all of the devices of that type had the same MAC address! No wonder it didn’t work in a modern network. The point is there are a wide variety of devices that are important to patient care and they need to be on the network. Proper planning and understanding of the vast number of devices on a hospital network is a daunting task.
- Hospitals are a very challenging RF environment.
There are two main issues in planning networking for a hospital. Many hospital campuses have grown over time, adding wings and wards as expansion requires. This creates a maze of connections and hallways and building materials, all of which affect RF propagation. Also, some areas are shielded for RF, such as Radiology, which makes extending a wireless signal problematic. Proper planning and understanding of all the networking use cases, and using the best method for providing reliable connectivity, is critical to success.
- Hospitals often have a hodgepodge of networking gear.
Most Aruba customers embrace a best-of-breed, multivendor approach, and healthcare is no exception. Due to the growth in health systems and their acquisitions of smaller hospitals and systems, health IT staff is faced with integrating all kinds of different network vendors, and switches, routers, access points, and even network management software can be from many different vendors. The staff has to figure out how they can coexist and must know how to troubleshoot each brand. Combine the mix of gear with a lack of available downtime for maintenance (See Number 1 above), and it is difficult to keep healthcare networks up-to-date.
As the world moves towards a full digital healthcare experience, the challenges present in health IT need to be overcome. Fortunately, Aruba’s mobile-first, open platform works toward making many of these challenges easier to conquer. Aruba Mobility Master and Live Upgrade help eliminate maintenance windows. Aruba ClearPass and IntroSpect manage the onboarding and security of users and things. AirWave manages wired and wireless networks, as well as providing network health information, for all major network vendors.
Regardless of what challenges you might face, Aruba is there for you. Customer First, Customer Last.
h/t for advice and sanity checking
What’s your experience deploying wireless in healthcare? Tell us your story in the comments below.
We tend to think of cyberattacks in medieval terms: attackers swarm the walls that protect the castle, hammering away with zombie servers strung together like a battering ram of old to execute a distributed denial-of-service (DDoS) attack or ransomware.
This still happens. The difference is that it is not just desktop and laptop devices that are vulnerable. There are also thermostats, dishwashers, fire alarms, and even light bulbs — the group of simple devices that, when networked together, comprise what we call the Internet of Things (IoT). Too many of these devices aren’t protected. Aruba recently surveyed the market and found 84 percent had experienced a breach in their IoT implementations.
What to do?
Rethink security. Instead of building bigger walls, companies need to take a cue from leading security thinkers and implement Active Cyber Defense (ACD), a four-step architecture that emphasizes continuous monitoring to detect and then deal with compromised or malicious users and devices before they do damage.
On the Network, Time Heals No Wounds
Today’s targeted attacks are designed to stay “under the radar” by moving in small, circumspect steps over long periods of time — often with legitimate credentials coopted from a compromised user.
“It’s no longer a matter of if you’ll get breached. It’s a matter of when,” said my colleague, Art Wong, senior vice president and global general manager of enterprise security services for Hewlett Packard Enterprise. IT experts have introduced ACD with this more complex and dangerous threat landscape in mind.
The goal with ACD is to move from being reactive to proactive in dealing with cyber threats while delivering more comprehensive coverage of a constantly changing IT ecosystem. At its core, ACD defines a four-stage pipeline consisting of sensing, sense making, decision making, and action. The overarching goal is to accelerate the progression through the pipeline and automate the stages as much as possible. The better the intelligence in sensing, sense making, and decision making, the more confident and timely the resulting action can be.
ACD at Work: 4 Steps to Building Intelligent, Real-Time Threat Response
ACD is a systematic, 360-degree approach to providing security for the digital workplace that aims to close open loops and make the entire networked ecosystem more secure. Here’s how it works at each stage:
- Sensing. If properly monitored, the network can act as a massive sensor. Packets, flows, logs, and more provide raw material that good analytics systems (see below) use to detect anomalies. The more insight into the network that analytics have, the more precise and predictive the response architecture can be.
- Sense-making. This is where giant strides in cybersecurity technology are being made. A new technology called user and entity behavior analytics (UEBA) uses a combination of supervised and unsupervised machine learning models to find and alert on attacks that have evaded real-time defenses. It is only by seeing, aggregating, and interpreting small changes in behavior that these sorts of low-profile attacks get detected before they do damage.
- Decision-making. With innovative, AI-based analytics raising precision alerts, it is now possible to codify a set of policies that make changes in user and device access to IT infrastructure based on the type of alert and entity affected. This can be as simple as a re-authorization or as aggressive as a quarantine or block. Even modest responses buy time for security analysts, who can then use the integrated incident investigation to further diagnose the situation and take further steps.
- Action. Automated, policy-driven action creates the conditions for closed-loop security. The key is integrating the sense-making UEBA analytics platforms with programmable systems that implement policy automatically and responsibly. When done right, it is the perfect setup for organizations that most need intelligent, proportional, real-time threat response.
The key to Active Cyber Defense is having the right components in position to execute on all four of the stages and this usually entails stringing together many different solutions. The promise has rarely, if ever, been delivered by one vendor in a seamlessly integrated solution.
With Aruba IntroSpect, an advanced machine-learning-based UEBA solution, combined with Aruba’s market-leading ClearPass family of admission control, profiling and policy management solutions, the visibility, intelligence and proactive security that ACD envisions are now delivered in an integrated solution.
Every CSO needs to vigilantly guard against the growth and sophistication of external cyber-threats, but the biggest cyber-risk may be what is lurking within their own network. Negligent employees, malicious insiders, and compromised users and hosts often have the benefit of legitimate credentials to exploit weaknesses in traditional security infrastructure.
Traditional perimeter defenses give free rein to those credentials. But to determine if those “users” are part of an attack, enterprises really need to focus security on the behavior of who or what is using authorized credentials.
In a recent discussion on Verizon’s 2017 Data Breach Investigation Report, the company’s senior security specialist and RISK Team leader, John Grim, told Computer Business Review that “[in] 81% of the data breaches that we looked at this year in terms of data sets, the threat actors are leveraging those default passwords, those weak passwords, or those passwords that have been stolen.”
One in five employees in a recent survey indicates they keep passwords in plain sight. Another survey finds that 23% of workers would share sensitive, confidential, or regulated company information if they believed the risk was low and the potential benefit high.
Other risks come from authorized guests. Guest networks may not be necessarily well-protected, allowing those guests to move into places they shouldn’t be allowed to go and to access data that should be restricted.
Trusted partners represent yet another threat vector. As CSO pointed out recently, “The use of third-party providers is widespread, as are breaches associated with them.”
The breach of Target’s point-of-sale systems in 2013 was traced to a heating and air conditioning vendor whose legitimate credentials had been stolen, according to KrebsOnSecurity.
A bad actor with legitimate credentials, whether an insider or outsider, can probe for weaknesses once on the network. In that type of situation, the only way to defend the enterprise is by finding the changes in the actor’s behavior that would indicate an attack is under way.
With the benefit of machine learning, user and entity behavior analytics (UEBA) can detect anomalous actions that may indicate unauthorized activity and attacks. Aruba IntroSpect utilizes supervised and unsupervised machine learning models to ensure that the system is self-learning, continually adapting, and accurately identifying anomalies and confirming malicious activity before attacks inflict damage.
Bad behaviors on the network can be detected if you know what to look for and have the capabilities to do so. For example, when users access systems, how long do they stay on an application? What amount of data do they access? From where and with what devices are they doing so?
All those activities can be used to build baselines, or profiles, of what is normal behavior; anomalies can then be detected individually and correlated over time, alerting security professionals to take appropriate action when certain threshold conditions are met. With UEBA, baselines can also be built around the activities of peer groups, so that if, for example, a member of the finance group is behaving differently from his or her peers, it can be quickly detected.
Knowing what is going on in your network is as important as knowing who is on it.
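The baseline-and-correlate idea above, as an added illustration that is not IntroSpect code: per-user and peer-group baselines for session length and data volume plus the devices and locations each user was seen with, daily anomaly signals scored against those baselines, and an alert only when one user's signals recur across a window of days. All users, groups and activity records are constructed.

```python
"""Peer-group behavioural baselining over constructed daily access summaries.

Added illustration only (not Aruba IntroSpect code): learn baselines from
days 1-10, score later days against the user's own history and the peer
group's, then correlate per-user anomalous days before raising an alert.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Record = namedtuple("Record", "user group day minutes mbytes device location")

LEARN_DAYS = 10         # days 1-10 train the baselines, later days are scored
Z_THRESHOLD = 3.0       # per-metric z-score that counts as an anomaly signal
MIN_ANOMALOUS_DAYS = 2  # distinct anomalous days per user needed for an alert
WINDOW = 3              # ...within this many days


def build_records():
    """Constructed data: three finance users with steady habits for ten days,
    then carol pulls far more data from an unknown device over VPN on two
    consecutive days, while bob has a single one-off volume spike."""
    recs = []
    for day in range(1, LEARN_DAYS + 1):
        for i, user in enumerate(("alice", "bob", "carol")):
            minutes = 55 + ((day + i) % 3) * 5     # 55, 60 or 65 minutes
            mbytes = 18 + ((day * 2 + i) % 5)      # 18 .. 22 MB per day
            recs.append(Record(user, "finance", day, minutes, mbytes,
                               f"laptop-{user}", "HQ"))
    recs.append(Record("carol", "finance", 11, 62, 350, "tablet-unknown", "remote-vpn"))
    recs.append(Record("carol", "finance", 12, 70, 410, "tablet-unknown", "remote-vpn"))
    recs.append(Record("bob", "finance", 11, 60, 60, "laptop-bob", "HQ"))
    return recs


def build_baselines(records):
    """Mean/stdev per metric for each user and each peer group, plus the
    devices and locations each user was seen with in the learning period."""
    samples = defaultdict(lambda: defaultdict(list))
    seen = defaultdict(lambda: {"device": set(), "location": set()})
    for r in records:
        if r.day > LEARN_DAYS:
            continue
        for key in (("user", r.user), ("group", r.group)):
            samples[key]["minutes"].append(r.minutes)
            samples[key]["mbytes"].append(r.mbytes)
        seen[r.user]["device"].add(r.device)
        seen[r.user]["location"].add(r.location)
    stats = {key: {m: (mean(v), pstdev(v)) for m, v in metrics.items()}
             for key, metrics in samples.items()}
    return stats, seen


def zscore(value, stat):
    mu, sigma = stat
    # zero spread means history explains no deviation at all, so any change
    # is treated as far outside the baseline instead of dividing by zero
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(records):
    """Return (individual anomaly signals, correlated per-user alerts)."""
    stats, seen = build_baselines(records)
    signals = []
    for r in records:
        if r.day <= LEARN_DAYS:
            continue
        for metric in ("minutes", "mbytes"):
            # compare against the user's own baseline and the peer group's;
            # either one exceeding the threshold is a signal
            zs = [abs(zscore(getattr(r, metric), stats[k][metric]))
                  for k in (("user", r.user), ("group", r.group)) if k in stats]
            if any(z > Z_THRESHOLD for z in zs):
                signals.append((r.user, r.day, metric))
        if r.device not in seen[r.user]["device"]:
            signals.append((r.user, r.day, "new_device"))
        if r.location not in seen[r.user]["location"]:
            signals.append((r.user, r.day, "new_location"))
    # correlate over time: alert only when a user's anomalous days recur
    days_by_user = defaultdict(set)
    for user, day, _ in signals:
        days_by_user[user].add(day)
    alerts = []
    for user, days in days_by_user.items():
        ordered = sorted(days)
        for i, start in enumerate(ordered):
            in_window = [d for d in ordered[i:] if d - start < WINDOW]
            if len(in_window) >= MIN_ANOMALOUS_DAYS:
                alerts.append((user, in_window[0], in_window[-1]))
                break
    return signals, alerts


if __name__ == "__main__":
    print(*detect(build_records()), sep="\n")
```

bob's single spike shows up as an individual signal but never becomes an alert, which is the distinction between detecting anomalies and correlating them that the text draws.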
It’s hardly a secret that the increasing use of mobile devices has vastly complicated the lives of IT and security leaders. It’s bad enough that the traditionally defined security perimeter is leaky as a sieve, but CSOs must now contend with growing numbers of devices that reside outside that perimeter and can connect to the enterprise network or cloud at will.
Enterprises have invested in cyber-defense tools such as antivirus, firewalls, and more. It’s not enough. What enterprises need are a combination of visibility, intelligence, and proactive security in a seamless, integrated architecture.
A recent study from Dimensional Research indicates that almost two-thirds of enterprise security professionals doubt their organizations could prevent a mobile cyber-attack. A stunning 94% of those surveyed expect mobile attacks to increase, and 79% say it is growing more difficult to protect mobile devices.
Many enterprises are now in a mobile-first world, heavily dependent on the mobile devices in use by their employees, while accessing assets hosted by third parties such as Salesforce.
But it’s not just the growing numbers of smartphones, tablets, and laptops that enterprises must confront. As SearchCIO points out in a recent report, “Protecting the mobile enterprise today means dealing with augmented reality and virtual reality devices and wearables, from smart watches to industry-specific technologies (i.e., connected medical monitors used in healthcare and smart glasses used in utilities).” And that is just the tip of the Internet of Things (IoT) iceberg of an increasingly connected enterprise.
With that many moving parts, it’s virtually certain that enterprises are going to get hacked. Not only were traditional tools constructed to protect a physical perimeter that in the main no longer exists, but it turns out those tools aren’t designed for the planned, targeted attacks that are making today’s headlines.
“Threats are getting more advanced, more insidious, and more expensive, and they will doubtlessly continue to do so—in order to combat this, businesses really do have to be secure from the edge, to the core, and up into the cloud,” technology analyst Patrick Moorhead writes in Forbes.
Rising to the Challenge
Many enterprises are operating under the assumption that security information and event management (SIEM) solutions provide the last line of defense through the constant monitoring and analysis of the alerts produced by network devices and security software. But these solutions don’t scale very well in a world of mobile and cloud and can produce “alarm fatigue” as staff respond to non-threatening incidental events.
Don’t lose hope, though. Help is on the way.
“We are in the midst of an artificial intelligence security revolution,” says Dimitrios Pavlakis, industry analyst at ABI Research. According to ABI, “User and Entity Behavioral Analytics (UEBA) along with Deep Learning algorithm designs are emerging as the two most prominent technologies in cybersecurity offerings.”
UEBA, writes Gartner’s Anton Chuvakin, “offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning).”
UEBA complements SIEM’s ability to monitor what is going on by adding context and insight into the who, how, and why of that activity. It is the realization of the Active Cyber Defense (ACD) goals of “sensing, sense making, decision making, and action” that are crucial for an effective security architecture in a mobile-first world.
Watch the video to learn how the Aruba IntroSpect behavioral analytics solution accelerates the exposure of cyber threats and efficiently prioritizes and investigates those that really matter, so you can proactively respond before the damage is done.