Insights from Aruba Atmosphere 2022

“Why is David Holmes, a security analyst, at a networking conference?” You could be forgiven for asking yourself that question. The answer will crystalize halfway through this post, with some private insights about a possible future for network security. But before we get there, let’s quickly cover off the headline news from Aruba Atmosphere 2022.

This year’s Atmosphere was many a wireless engineer’s return to an in-person conference, as the last one they had attended prior to the pandemic was, in fact, Atmosphere 2020. Unlike AWS re:Invent, hosted in the same center in December, this conference did not require (nor discourage) masks, but asked for a digitized vaccine passport in advance (expect to see this for a while).

The 3500 attendees gathered at the Las Vegas Venetian/Palazzo conference center were treated to:

  • The debut of the new Aruba exec team, headed by Brits Phil Mottram and Dave Hughes. Mr. Mottram themed his keynote on Aruba being 20 years old now, and a 20-year-old is supposed to take risks.
  • Heavy hitters Antonio Neri, CEO of parent tech conglomerate HPE, and his friend John Chambers as keynote speakers. John still “has it”, by the way; he can capture an audience in seconds and hold them.
  • The public debut of “Aruba Central NetConductor”. Central NetConductor, besides being a mouthful, is a centralized platform sitting above a data lake generated by 2m Aruba devices from 120,000 customers. One customer I talked to about it understood its value proposition but was waiting for full feature parity with the on-premises equivalent.
  • A game show keynote. Dave Hughes’ keynote on the second day stole the show with a charming (and I do mean that) game show format featuring 20-year Aruba veteran and CSO Jon Green playing the straight man to the antics of Aruba funnyman “Dan” from Foggy Bridge (he’s actually a regular employee who just happens to be really good at this stuff). Through it they gave some great demos that resonated with the audience. I LOLed several times, and later told Mr. Mottram to give Dan a bonus.
  • Self-locating APs. Speaking of demos, this one got the biggest audience applause, as all the Aruba APs in the conference registered themselves on a map. Yes, GPS is involved but the math was beyond this poor security analyst.

But why was David Holmes there, you’re asking yourself again.

The answer was Zero Trust. Zero Trust on a local network should enforce least privilege access between physical hosts. Expressed as a technology, we call this ‘microsegmentation,’ which I consider the original marquee ZT technology. Some solutions achieve maximum granularity in segmentation by installing an endpoint agent on each server, but doing so is not always possible (think IoT or OT devices) nor desirable (agent fatigue is real). Others achieve the segmentation by building security into the network infrastructure. Aruba’s Dynamic Segmentation is among the latter group, but they do it with an interesting twist that I didn’t understand fully until I came to Atmosphere 2022. Aruba’s access points and switches wrap the layer 2 connections with VXLAN (remember VXLAN?) into which they also encode metadata allowing a policy engine to make real-time decisions about what traffic needs to go where, and what traffic should be disallowed.

I asked Jon Green later if the metadata was signed for maximum security. It’s not, and that’s understandable because of the usual key distribution headaches you’d instantly inherit, and besides, no one wants to re-invent IPsec tunnels.
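To make the mechanism concrete, here is an added example (not Aruba's code, and not from the original post) of a default-deny policy decision driven by a tag carried in the VXLAN header. It assumes the metadata is a 16-bit group ID laid out as in the VXLAN Group Policy extension draft, which the post does not specify; the role IDs, role names, tunnel endpoint addresses and policy table are constructed. Because the tag is unsigned, the sketch only honors it when the frame arrives from an allowlisted tunnel endpoint.

```python
import struct

# Assumed encoding: VXLAN Group Policy extension (draft-smith-vxlan-group-policy).
FLAG_G = 0x80  # byte 0: Group Policy ID field is valid
FLAG_I = 0x08  # byte 0: VNI field is valid (RFC 7348)
FLAG_A = 0x08  # byte 1: policy already applied upstream

# Constructed sample data: trusted tunnel endpoints, role IDs, allowed flows.
TRUSTED_VTEPS = {"10.0.0.11", "10.0.0.12"}
ROLES = {100: "employee", 200: "iot-camera", 300: "video-recorder"}
ALLOW = {("iot-camera", "video-recorder"), ("employee", "video-recorder")}

def parse_vxlan_gbp(header: bytes) -> dict:
    """Decode the 8-byte VXLAN header, including the group policy ID."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, group_id, vni_word = struct.unpack("!BBHI", header[:8])
    if not flags0 & FLAG_I:
        raise ValueError("VNI flag not set")
    return {
        "vni": vni_word >> 8,  # top 24 bits; the low byte is reserved
        "group_id": group_id if flags0 & FLAG_G else None,
        "policy_applied": bool(flags1 & FLAG_A),
    }

def decide(src_vtep: str, header: bytes, dst_role: str) -> str:
    """Default-deny decision for one encapsulated frame."""
    if src_vtep not in TRUSTED_VTEPS:
        # The tag is unsigned, so it is trusted only from known endpoints.
        return "drop: untrusted tunnel endpoint"
    try:
        meta = parse_vxlan_gbp(header)
    except ValueError as exc:
        return f"drop: {exc}"
    src_role = ROLES.get(meta["group_id"])
    if src_role is None:
        return "drop: missing or unknown role tag"
    if (src_role, dst_role) in ALLOW:
        return "forward"
    return f"drop: {src_role} -> {dst_role} not permitted"

def make_header(group_id: int, vni: int) -> bytes:
    """Build a constructed sample header for the demo."""
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, group_id, vni << 8)

if __name__ == "__main__":
    print(decide("10.0.0.11", make_header(200, 5000), "video-recorder"))
    print(decide("10.0.0.11", make_header(200, 5000), "employee"))
    print(decide("192.0.2.50", make_header(100, 5000), "video-recorder"))
```
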

Aruba, broadly known for trying to be infrastructure agnostic and compatible with their customers’ environments, should be commended for using VXLAN here. Most of the time you see VXLAN in the cloud, where it solves scalability problems, but it’s widely supported among switch fabrics for local networks, too. Clever use of VXLAN could increase network security, as Aruba shows.

Dynamic Segmentation relying on VXLAN tunnels in the switching fabric is actually a pretty cool use of VXLAN


I snuck into a breakout and sat next to someone who had actually implemented a couple of Dynamic Segmentation projects as an integrator. “You end up having to go HA for the policy enforcers unless you want a SPOF, but other than that it’s pretty awesome,” he said. 

I gently challenged him, “Yeah, but wouldn’t an environment have to be both Aruba for wireless AND wired for this to work to maximum effect?”

“The customer was doing an infrastructure refresh anyway, and they selected Aruba for wired, too, so yeah it was a teardown and rebuild but they were going to do that anyway. It’s been running great for 2 months afterward.”

Now, aside from that story being a neat little homily, it also brings up an interesting point. Anecdotally, while Aruba is known for its wireless, they are clearly displacing the wired switching of a vendor formerly associated with one of the guest speakers. Aruba seemed to go out of their way to not talk about wired displacements during Atmosphere, but one has to wonder if that’s the real near-term future for the company: eating the lunch of the Silicon Valley behemoth whose infrastructure business is shrinking every year.

Zakeer A Hussain

SaaS Demand "Automation & Scale" | Strategic Initiatives | Solution Engineering |

2y

You most definitely created a safe and secure environment didn't you David :D
