
Aruba EdgeConnect (SD-WAN) - 1st to attain ICSA Labs Secure SD-WAN Certification!

 


ICSA Labs Certified Secured SD-WAN Solution??

Wait a minute: an ICSA Labs certified secure SD-WAN solution? ICSA Labs is a certification lab that certifies security solutions such as firewalls and anti-malware protection, so what does its certification mean for an SD-WAN solution? Today’s article answers these two questions. So let’s start.

ICSA Labs is authorized by the US Federal Government to validate the strength and performance of diverse cybersecurity solutions in meeting organizations’ complex and critical requirements. The idea is for customers to be able to buy a credible solution.

ICSA Labs has 30 years of experience in certifying solutions based on security-related test cases. In 2019, ICSA Labs started testing services for SD-WAN and branded them “ICSA Labs Secure SD-WAN Certification Testing”.

An ICSA-certified solution is referred to as a “Secured SD-WAN Solution” and has the following capabilities:

a. SD-WAN solution product components are secured

b. All SD-WAN communications (control plane and data plane) are secure

c. Security policy enforcement for WAN and firewall features

d. Additional security coverage, natively or through integration with an external security stack (anti-malware, IPS/IDS, etc.)

The security testing of an SD-WAN solution also covers the core SD-WAN functions. Can we understand the process and use cases that ICSA evaluates when certifying an SD-WAN solution through a real example?

Recently, the Aruba EdgeConnect solution was certified as a “Secure SD-WAN Solution” by ICSA Labs. In this article, we explore what an ICSA-certified SD-WAN solution means for a customer. An SD-WAN solution seeking the secure certification is evaluated against predefined test cases grouped into two categories:


 

Figure 1 - ICSA SD-WAN Test Categories

  1. SD-WAN Core Functions Tests – SD-WAN core functionality testing ensures the SD-WAN solution is truly software-defined. It includes tests that cover transport independence, dynamic path selection, ZTP, etc.
  2. Secure SD-WAN Tests – these go beyond a basic SD-WAN functionality test. They test the appliance (SD-WAN device) from the firewall perspective and confirm that it has the same level of protection as a firewall. This testing is the same as that done for any corporate enterprise-level firewall.

SD-WAN Core Function Test: Dynamic Path Selection

This tests the capability of the SD-WAN solution to select an alternate path when one of the primary links is degraded and, once the link condition improves, to restore traffic to the initial premium path.
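The failover-and-restore behaviour this test exercises can be modelled in a few lines. The following is an added example, not Aruba's or ICSA Labs' code; the path names, SLA thresholds, and the three-probe hold-down before failing back are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed SLA thresholds and hold-down (assumptions, not Aruba defaults).
MAX_LOSS_PCT = 2.0
MAX_LATENCY_MS = 150.0
RESTORE_AFTER = 3  # consecutive healthy probes required before failing back


@dataclass
class Probe:
    loss_pct: float
    latency_ms: float

    def healthy(self) -> bool:
        return self.loss_pct <= MAX_LOSS_PCT and self.latency_ms <= MAX_LATENCY_MS


class PathSelector:
    def __init__(self, primary: str, alternate: str):
        self.primary, self.alternate = primary, alternate
        self.active = primary
        self.good_streak = 0  # healthy primary probes seen while failed over

    def update(self, probes: dict) -> str:
        """Feed one probe interval (path name -> Probe); return the active path."""
        primary_ok = probes[self.primary].healthy()
        if self.active == self.primary:
            # Fail over only if the alternate is itself within SLA.
            if not primary_ok and probes[self.alternate].healthy():
                self.active, self.good_streak = self.alternate, 0
        else:
            # Count consecutive good probes; any bad probe resets the streak.
            self.good_streak = self.good_streak + 1 if primary_ok else 0
            if self.good_streak >= RESTORE_AFTER:
                self.active, self.good_streak = self.primary, 0
        return self.active


def run_path_sample() -> list:
    # Constructed (loss %, latency ms) probes for the primary; alternate stays healthy.
    primary = [(0, 40), (5, 40), (0, 40), (4, 40), (0, 45), (0, 42), (0, 41)]
    selector = PathSelector("mpls", "internet")
    good_alt = Probe(0.5, 80)
    return [selector.update({"mpls": Probe(loss, ms), "internet": good_alt})
            for loss, ms in primary]


if __name__ == "__main__":
    print(run_path_sample())
```

The hold-down keeps a flapping primary link from pulling traffic back after a single good probe.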

SD-WAN Core Function Test: Zero Touch Provisioning

This tests the capability of the SD-WAN solution to reduce the time and cost of bringing up a new appliance in the network. It confirms that the new appliance is securely configured into the network.

SD-WAN Core Function Test: WAN Path

This test confirms the capability of the SD-WAN solution to establish a secure communication channel between sites using any feasible media. The Aruba EdgeConnect solution uses IKE-less IPsec tunnels.

In addition, the solution ensures that commodity links are treated as untrusted and use a stateful firewalling configuration for all outbound connections. This means any communication initiated from the public domain to the inside is blocked; only responses to internal-to-external communications are allowed.
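The stateful rule described above, sketched as a small connection tracker that also records every allow and deny decision. This is an added example, not the EdgeConnect implementation; the idle timeout, the interface labels, and the sample packets are assumptions, and address translation is left out.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60  # seconds before an idle flow is forgotten (assumed value)

@dataclass(frozen=True)
class Packet:
    ts: float
    in_iface: str  # "lan" or "wan": interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulWanFilter:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.flows = {}  # outbound 5-tuple -> time last seen
        self.log = []    # (ts, verdict, reason): both allows and denies

    def handle(self, p: Packet) -> str:
        # Forget flows that have been idle longer than the timeout.
        self.flows = {k: t for k, t in self.flows.items()
                      if p.ts - t <= self.idle_timeout}
        if p.in_iface == "lan":
            # Inside-initiated traffic creates (or refreshes) state.
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
            verdict, reason = "ALLOW", "outbound"
        else:
            # WAN traffic must be the mirror image of a tracked outbound flow.
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            if key in self.flows:
                self.flows[key] = p.ts
                verdict, reason = "ALLOW", "reply"
            else:
                verdict, reason = "DENY", "unsolicited-inbound"
        self.log.append((p.ts, verdict, reason))
        return verdict

def run_firewall_sample() -> list:
    fw = StatefulWanFilter()
    pkts = [  # constructed packets using documentation address ranges
        Packet(0, "lan", "tcp", "10.0.0.5", 40000, "198.51.100.10", 443),
        Packet(1, "wan", "tcp", "198.51.100.10", 443, "10.0.0.5", 40000),
        Packet(2, "wan", "tcp", "203.0.113.7", 5555, "10.0.0.5", 22),
        Packet(120, "wan", "tcp", "198.51.100.10", 443, "10.0.0.5", 40000),
    ]
    return [fw.handle(p) for p in pkts]
```

The last packet is denied even though it mirrors the original flow, because the tracked state expired after the idle timeout.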

SD-WAN Core Function Test: Centralized Monitoring & Reporting Capabilities

The solution provides a single-pane-of-glass interface for all configuration tasks related to WAN, application, cloud, and security features. This management plane provides real-time visibility into all event logs and analytics details.

Secure SD-WAN Test: Security logs

The solution is tested for its capability to securely log both allowed and denied traffic. Along with the generic logs, the solution can record DDoS profile hits, including hits for out-of-state ICMP packets, invalid TCP connections, etc.

As already explained, when the WAN interface is configured with Stateful NAT settings, arriving and is directed to the WAN interface from the external network.  

Secure SD-WAN Test: Policy Enforcement

In this test, the SD-WAN appliance is tested against trivial DoS attacks, confirming that the appliance is stateful and invulnerable to known attacks through configured security policies. The Firewall Protection Profile feature of the Aruba EdgeConnect solution allows configuring settings such as Enforce strict 3-way TCP, Discard non-syn TCP, Enforce IP Spoof Check, and Enforce DPI validation, along with granular DoS protection settings with various thresholds.

Secure SD-WAN Test: Cryptographic protection

It confirms that all management, control, and data plane traffic is secured through a strong encryption algorithm. In any environment, additional security features may also be required that are not native to Aruba, e.g., anti-malware, SWG, etc. For Aruba, this additional security functionality is provided by service chaining with ecosystem partners Zscaler or Netskope. Aruba uses native automated workflows to orchestrate the connectivity to these service providers.

As the Aruba EdgeConnect appliance may replace traditional routers, WAN optimization, and firewalls, it is critical for these appliances to provide the same level of security as network security devices such as firewalls. Thus the Aruba SD-WAN solution was tested by ICSA Labs and certified as a “Secured SD-WAN Solution” that is invulnerable to attacks and provides encrypted communications for all traffic with industry-standard algorithms.

After successfully passing all functional and security test cases, Aruba EdgeConnect acquired the “ICSA Secured SD-WAN Solution” certification. As of the date of writing, the Aruba EdgeConnect SD-WAN solution is the first secured SD-WAN solution certified by ICSA Labs.

 
