In the modern enterprise, wireless network access is increasingly becoming the preferred form of connectivity, which is good news for Wi-Fi vendor Aruba Networks. Aruba today announced its new Mobility Defined Networking vision, which expands on its existing software capabilities without introducing new hardware.
Among the new features that Aruba is highlighting as part of its Mobility Defined Networking approach is a mobility firewall technology. Robert Fenstermacher, director of Product and Solutions Marketing at Aruba, explained to Enterprise Networking Planet that Aruba’s mobility firewall is a Deep Packet Inspection (DPI) statefull firewall.
Fenstermacher said that the firewall also provides visibility into over 1,500 apps as well as categories of apps.
“It also provides extensive application policy controls where you can have the network automatically apply QoS, block, limit bandwidth or redirect traffic,” Fenstermacher said. “This can be done per app or for groups of apps. And it can be done globally for the entire organization, per user group or per user.”
Fenstermacher explained that the firewall capability resides in the mobility controller when APs are configured for “campus” mode in a controller-based deployment. When APs are put in “Instant” mode in a controller-less deployment, the Next Generation Mobility Firewall resides in the AP. While the mobility firewall technology is a key feature in Aruba’s Mobility Defined Networking effort, it is not technology that Aruba developed itself.
“The Next-Generation Mobility Firewall is sourced from another vendor and fully integrated with the Aruba infrastructure,” Fenstermacher said. “We are not disclosing where this technology comes from.”
The fact that Aruba is now integrating firewall technology into its’ own technology doesn’t mean that enterprises’ existing firewall technologies are not useful. Fenstermacher noted that Aruba’s mobility firewall is complementary to Internet-facing next-generation application firewalls. That said, Fenstermacher noted that Aruba’s Next-Generation Mobility Firewall is directed at the access network with the intent of providing additional security and efficiency for the Wi-Fi experience.
“Aruba’s Next-Generation Mobility Firewall can apply advanced application policy controls on the network, ensuring the best use of shared Wi-Fi resources,” Fenstermacher said. “It can also apply stateful firewall rules to enforce network policies at the access layer that are more flexible and secure than VLAN-based enforcement mechanisms.”
Aruba is also enhancing its BYOD efforts with the launch of the ClearPass Exchange API. ClearPass is a BYOD system that Aruba has been talking about since 2012. ClearPass leverages the open-source FreeRADIUS access control solution as a way to enforce Network Access Control (NAC) policies.
ClearPass Exchange now allows for integration with other access control solutions, including Mobile Device Management (MDM) solutions. Fenstermacher said that MDM is just one piece of a solution for securing an enterprise for mobile devices.
“MDM has extensive visibility and control over the device, but no visibility or control in the network,” Fenstermacher said. “Similarly, NAC and AAA systems have extensive visibility and control of the network but limited visibility of the device.”
Fenstermacher noted that, for instance, MDM may discover device-specific policy violations, such as jailbroken OSes or blacklisted apps installed on the device. By making ClearPass aware of this policy violation, the device can be quarantined on the network, ensuring complete access control.
“Also, if a network policy is violated, it’s useful to make the MDM system aware of this policy violation to enforce device-level controls or send a message to the device using the MDM agent,” Fenstermacher said.
The ClearPass system has built-in integration with most of the major MDM vendors to gather information on the device and implement policy controls bi-directionally.
“ClearPass Exchange is a set of open REST-based APIs that we publish for our partners and customers to write integration on their own to other MDM and security solutions that they are using,” Fenstermacher explained.
Sean Michael Kerner is a senior editor at Enterprise Networking Planet and InternetNews.com. Follow him on Twitter @TechJournalist