Aruba EdgeConnect (SD-WAN) - 1st to attain ICSA Labs Secure SD-WAN Certification!
ICSA Labs Certified Secured SD-WAN Solution??
Wait a minute, an ICSA Labs certified Secure SD-WAN solution? ICSA Labs is a certification lab that certifies security solutions like firewalls, anti-malware protection, etc. What does its certification mean for an SD-WAN solution? Today’s article is all about unfolding these two questions. So let’s start.
ICSA Labs is authorized by the US Federal Government to validate the strength and performance of diverse cybersecurity solutions in meeting organizations’ complex and critical requirements. The idea here is for customers to buy a credible solution.
Fig 1.1 - Aruba EdgeConnect SD-WAN
ICSA Labs has 30 years of experience in certifying solutions based on security-related test cases. In 2019, ICSA Labs started testing services for SD-WAN and branded them “ICSA Labs Secure SD-WAN Certification Testing”.
An ICSA-certified solution is referred to as a “Secured SD-WAN Solution” and has the following capabilities:
- The SD-WAN solution's product components are secured
- All SD-WAN communications (control plane and data plane) are secure
- Security policy enforcement for WAN and firewall features
- Additional security coverage natively or through integration into an external security stack (anti-malware, IPS/IDS, etc.)
The security testing performed against the SD-WAN solution also covers the core SD-WAN functions. Can we understand the process or use cases that ICSA evaluates while certifying an SD-WAN solution through a real example?
Recently, the Aruba EdgeConnect solution was certified as a “Secure SD-WAN Solution” by ICSA Labs. In this article, we are going to explore what it means for a customer to have an ICSA-certified SD-WAN solution. To be certified as secure, an SD-WAN solution is evaluated against predefined test cases that fall into two categories:
Figure 1- ICSA SD-WAN Tests Categories
- SD-WAN Core Functions Tests – SD-WAN core functionality testing ensures the SD-WAN solution is truly software-defined. It includes tests that cover transport independence, dynamic path selection, ZTP, etc.
- Secure SD-WAN Tests – These go beyond a basic SD-WAN functionality test. They test the appliance (SD-WAN device) from the firewall perspective and confirm it has the same level of protection as a firewall. This testing is the same as that done for any corporate enterprise-level firewall.
SD-WAN Core Function Test: Dynamic Path Selection
This tests the capability of the SD-WAN solution to select an alternate path when one of the primary links is degraded and, once the link condition improves, to restore traffic to the initial premium path.
SD-WAN Core Function Test: Zero Touch Provisioning
This tests the capability of the SD-WAN solution to reduce the time and cost of bringing up a new appliance in the network. It confirms the new appliance is securely configured into the network.
SD-WAN Core Function Test: WAN Path
This test confirms the capability of the SD-WAN solution to establish a secure communication channel between sites using any feasible media. The Aruba EdgeConnect solution uses IKE-less IPsec tunnels.
In addition to the above, the solution also ensures commodity links are treated as untrusted and use a stateful firewalling configuration for all outbound connections. This means any communication initiated from the public domain to the inside is blocked; only the responses to internal-to-external communications are allowed.
SD-WAN Core Function Test: Centralized Monitoring & Reporting Capabilities
The solution provides a single-pane-of-glass interface for all configuration tasks related to WAN, applications, cloud, and security features. This management plane provides visibility into all event logs and analytics details in real time.
Secure SD-WAN Test: Security logs
The solution is tested for its capability to securely log both allowed and denied traffic. Along with the generic logs, the solution can record DDoS profile hits, which include hits for out-of-state ICMP packets, invalid TCP connections, etc.
As already explained, when the WAN interface is configured with
Stateful NAT settings, arriving and is directed to the WAN interface from the external
network.
Secure SD-WAN Test: Policy Enforcement
In this test, the SD-WAN appliance is tested against trivial DoS attacks, confirming that the appliance is stateful and invulnerable to known attacks through configured security policies. The Firewall Protection Profile feature of the Aruba EdgeConnect solution lets you configure settings such as Enforce strict 3-way TCP, Discard non-syn TCP, Enforce IP Spoof Check, and Enforce DPI validation, along with granular DoS protection settings with various thresholds.
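The stateful behavior described in the WAN Path, Security logs and Policy Enforcement tests can be modeled in a few lines. The following is an added conceptual example, not Aruba's implementation or code from the original article; the class name, state names, reason strings and sample traffic are all hypothetical and constructed for illustration.

```python
from collections import namedtuple

# direction: "out" = LAN->WAN, "in" = WAN->LAN; flags: set of TCP flag names
Packet = namedtuple("Packet", "direction src sport dst dport flags")

class StatefulWanFilter:
    """Conceptual model only; sequence checks, timeouts and teardown omitted."""
    def __init__(self):
        self.flows = {}  # (inside ip, port, outside ip, port) -> handshake state
        self.log = []    # (verdict, reason, packet) for allowed AND denied traffic

    def handle(self, p):
        out = p.direction == "out"
        key = (p.src, p.sport, p.dst, p.dport) if out else (p.dst, p.dport, p.src, p.sport)
        state, verdict, nxt = self.flows.get(key), "deny", None
        if state is None:
            if out and p.flags == {"SYN"}:
                verdict, reason, nxt = "allow", "new outbound connection", "SYN_SENT"
            elif not out and p.flags == {"SYN"}:
                reason = "inbound-initiated connection on untrusted link"
            else:
                reason = "non-SYN TCP without state"
        elif state == "SYN_SENT" and not out and p.flags == {"SYN", "ACK"}:
            verdict, reason, nxt = "allow", "handshake reply", "SYN_RCVD"
        elif state == "SYN_RCVD" and out and p.flags == {"ACK"}:
            verdict, reason, nxt = "allow", "handshake complete", "ESTABLISHED"
        elif state == "ESTABLISHED":
            verdict, reason = "allow", "established flow"
        else:
            reason = "strict 3-way handshake violated"
        if nxt:
            self.flows[key] = nxt
        self.log.append((verdict, reason, p))  # every decision is logged
        return verdict

def run_sample():
    """Constructed sample traffic; public addresses are documentation ranges."""
    fw = StatefulWanFilter()
    lan, web = ("10.0.0.5", 40000), ("203.0.113.10", 443)
    pkts = [
        Packet("out", *lan, *web, {"SYN"}),            # inside host opens a flow
        Packet("in", *web, *lan, {"SYN", "ACK"}),      # reply to that flow
        Packet("out", *lan, *web, {"ACK"}),            # handshake completes
        Packet("in", *web, *lan, {"ACK", "PSH"}),      # data on established flow
        Packet("in", "198.51.100.7", 51000, "10.0.0.5", 22, {"SYN"}),  # unsolicited
        Packet("in", "198.51.100.7", 51001, "10.0.0.5", 80, {"ACK"}),  # stray ACK
    ]
    return [fw.handle(p) for p in pkts], fw.log
```

Calling `run_sample()` returns the per-packet verdicts and the full decision log, where the two packets arriving from the external network without matching state are denied and recorded with their reason.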
Secure SD-WAN Test: Cryptographic protection
It confirms that all management, control, and data plane traffic is secured through a strong encryption algorithm. Also, in any environment, additional security features may be required that are not native to Aruba, e.g., anti-malware, SWG, etc. For Aruba, additional security functionality is provided by service chaining with ecosystem partners Zscaler or Netskope. Aruba uses native automated workflows to orchestrate the connectivity to these service providers.
As the Aruba EdgeConnect appliance may replace traditional routers, WAN optimization, and firewalls, it is critical for these appliances to provide the same level of security that network security devices such as firewalls provide. Thus the Aruba SD-WAN solution was tested by ICSA Labs and certified as a “Secured SD-WAN Solution” that is invulnerable to attacks and provides encrypted communications for all traffic with industry-standard algorithms.
After successfully passing all functional and security test cases, Aruba EdgeConnect acquired the “ICSA Secured SD-WAN Solution” certification. As of the date of writing, the Aruba EdgeConnect SD-WAN solution is the first secured SD-WAN solution certified by ICSA Labs.