WLANs break the enterprise security model

The former Chairman of Aruba, and now its recently appointed CEO, says enterprise wireless LANs are about to get much less interesting.

That's because, says Dominic Orr, the increasing commoditization of WLAN gear, along with the advent of the 100+Mbps 802.11n standard will make wireless connectivity a routine part of the enterprise net infrastructure.

But what won't be routine is the challenge WLANs pose to the traditional conventions and architectures for network authentication and security.

"The security architecture for wired nets, based on using physical port-based conventions, won't work," he says. "You need specific, user-oriented identification, content and location data [to secure the net]."

This is where the emerging enterprise battleground lies, according to Orr.

"'WLAN' is, if not dead, then uninteresting," he says. "Once it's 'spec-able' by the IEEE, most of the profit goes to the silicon makers. Eighteen months after 802.11n is standardized, the WLAN is no longer an interesting business. It's a very small window, and it's quickly being commoditized."

But it creates a huge hole in the traditional enterprise security model, which assumes that whoever is at the far end of a wire attached to a specific switch port is the person who is supposed to be sitting at that desk.

What's needed is 'secure mobility' as a logical add-on to the enterprise net, he says.

This will become increasingly obvious and increasingly urgent as more enterprise workers become mobile. "Today, only about 5 percent of workers are mobile, but that will rise to over 20 percent in two or three years," says Orr.

The analogy he uses is the shift from landline phones, one device tethered to a wire inside the home, to cell phones, which can be used anywhere. "With a cell phone, you're calling another cell phone user, who can be in New York City or Singapore," Orr says. "The phones work with the [carrier's] network to figure out where he is and complete the call."

In order for enterprise nets to do a similar kind of thing, there need to be new functions and new information higher up in the network stack. Most WLAN innovation so far has been at layers 1-3, focusing simply on wireless Ethernet connectivity, according to Orr. Aruba is now specifically focusing on Layers 4-7 in its line of WLAN controllers and companion thin access points.

"Our goal is mobile access control: who is this person [on the wireless link], what is his role in the organization, what device is he using, what applications?"

He points to large-scale wireless deployments in higher education. These institutions have highly mobile populations that move en masse hourly, in specific subgroups such as law students and medical students. Regardless of where on campus they connect wirelessly, law students want to access their own applications, data, and services. Students and faculty, including visiting faculty and medical center doctors, may have different rights to the physical net at different times of day, even in different locations.
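The "mobile access control" Orr describes (who the user is, what role they hold, what device they are on, where and when they connect, and which application they want) amounts to a policy evaluated per session rather than per switch port. The following is an added example written for this page, not Aruba's code or anything shown in the interview: a small default-deny policy evaluator whose roles, services, locations and time windows are constructed to mirror the campus scenario above, including the point that the same role can have different rights at different times and places.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple

# Constructed example: an access request carries the attributes the edge is
# supposed to recognise (user, role, device, location, time, application)
# instead of a switch-port number. All names below are hypothetical.


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device: str        # e.g. "managed-laptop", "guest-laptop", "phone"
    location: str      # e.g. "hospital-ward", "main-quad"
    at: time           # local time of the request
    service: str       # destination application or service


@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]
    services: FrozenSet[str]
    locations: Optional[FrozenSet[str]] = None   # None = any location
    devices: Optional[FrozenSet[str]] = None     # None = any device
    window: Optional[Tuple[time, time]] = None   # None = any time of day
    note: str = ""

    def matches(self, req: AccessRequest) -> bool:
        if req.role not in self.roles or req.service not in self.services:
            return False
        if self.locations is not None and req.location not in self.locations:
            return False
        if self.devices is not None and req.device not in self.devices:
            return False
        if self.window is not None:
            start, end = self.window
            if start <= end:                      # same-day window, e.g. 06:00-22:00
                return start <= req.at <= end
            return req.at >= start or req.at <= end   # crosses midnight, e.g. 22:00-06:00
        return True


def evaluate(policy: List[Rule], req: AccessRequest) -> Tuple[bool, str]:
    """Default deny: the first matching allow rule wins, otherwise the request is refused."""
    for rule in policy:
        if rule.matches(req):
            return True, rule.note
    return False, "no rule matches; default deny"


# Constructed campus policy (hypothetical roles, services and buildings).
POLICY: List[Rule] = [
    Rule(roles=frozenset({"law-student"}),
         services=frozenset({"law-library-db", "internet"}),
         note="law students reach their own services from anywhere on campus"),
    Rule(roles=frozenset({"medical-student", "doctor"}),
         services=frozenset({"ehr"}),
         locations=frozenset({"hospital-ward", "medical-school"}),
         devices=frozenset({"managed-laptop"}),
         window=(time(6, 0), time(22, 0)),
         note="clinical records: managed device, clinical building, daytime only"),
    Rule(roles=frozenset({"doctor"}),
         services=frozenset({"ehr"}),
         locations=frozenset({"hospital-ward"}),
         devices=frozenset({"managed-laptop"}),
         window=(time(22, 0), time(6, 0)),
         note="on-call doctors keep EHR access overnight, but only on the ward"),
    Rule(roles=frozenset({"visiting-faculty", "guest"}),
         services=frozenset({"internet"}),
         note="visitors get Internet access only"),
]


if __name__ == "__main__":
    # Constructed sample sessions; nothing here is a real user or device.
    for req in [
        AccessRequest("lee", "law-student", "guest-laptop", "main-quad", time(23, 30), "law-library-db"),
        AccessRequest("kim", "medical-student", "managed-laptop", "hospital-ward", time(23, 0), "ehr"),
        AccessRequest("ray", "doctor", "managed-laptop", "hospital-ward", time(23, 0), "ehr"),
        AccessRequest("ray", "doctor", "phone", "hospital-ward", time(10, 0), "ehr"),
        AccessRequest("vis", "guest", "guest-laptop", "law-library", time(10, 0), "law-library-db"),
    ]:
        allowed, why = evaluate(POLICY, req)
        print(f"{req.user:4} {req.role:16} {req.service:15} -> {'ALLOW' if allowed else 'DENY '} ({why})")
```

The point of the contrast with the wired model is that nothing in the evaluator looks at where the packet physically entered the network: a guest plugged into a law library jack gets the guest verdict, and a doctor on an unmanaged phone is refused even from inside the ward. A real edge controller would take the role from an authentication source (RADIUS, a directory) and the device posture from an inspection step; here those attributes are simply supplied with the request.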

Aruba's software on its WLAN controllers is designed to deal with this flexible, constantly shifting enterprise mobility, regardless of whether any wireless links actually exist.

One Aruba customer, whom Orr wouldn't name, is a large consulting company that has spent over US$1 million on Aruba products. But the customer has no wireless connectivity. Instead, it uses Aruba controllers on the wired net to create and manage secure, authenticated, managed connectivity for visiting staff and clients, including a VPN link back to the client's home network.

"We create a 'mobile edge' to the network," Orr says, citing one of Aruba's marketing terms. "We are front-ending the network for network access control, security, authentication, user privileges. You want the network infrastructure to recognize the user, his role, and profile, and then treat him accordingly."

What's more, he says, Aruba does this simply and easily: there is no network reconfiguration needed at Layers 1 and 2, and Aruba can work with whatever network access control scheme, for example from Cisco or Microsoft, that the enterprise decides to adopt. "Whatever security policy you adopt, Aruba will enforce it at our edge controllers," says Orr.

One result, he insists, is a radically simplified way to make moves/adds/changes/deletes related to users. "We do this centrally at one location and then apply this throughout the net," says Orr.

Aruba executives say they're not worried that network vendors like Cisco and security vendors like Check Point are all attacking this same issue, albeit in different ways.

Orr, who's competed fiercely with Cisco for years based on his many switch start-ups and his stint at Nortel, is almost dismissive of the network giant.

Cisco's WLAN focus is on connectivity. "They're all Layer 1 and 2 networking devices," he says. "Cisco has initiatives in security, content networking, and connectivity technologies. We just don't see how this will all come together."

But the really critical constraint is that Cisco needs to grow total revenue by US$4 billion a year in incremental business to maintain a stock price roughly in the area of US$20 per share, Orr says. "Gigabit Ethernet to the desktop, whether you need it or not, and VOIP... these are the kinds of big network upgrades that are being pushed by Cisco," he says.

The network security vendors are indeed addressing user-oriented security issues, acknowledges Aruba vice president of marketing and co-founder Keerti Melkote. But they remain focused on fixed clients, meaning wired desktops, he says. Most of these solutions require placing a small agent program on each client, something most enterprises will find unacceptable, because it adds management and monitoring overhead and because installing an agent on a foreign device, such as one carried by a visiting business partner, supplier or customer, is simply not possible.

To exploit this opportunity, privately held Aruba is taking the first steps toward an initial public offering. According to Orr, that means putting its finances and regulatory compliance in order over the next two months or so, and then timing the offering. The company is in talks with several investment banking firms to handle the details.

Aruba currently has an "annual run rate" of just over US$100 million, Orr says. It is sometimes profitable, depending on how much of that income the company decides to reinvest in different areas of the business.
