
Aruba secures remote wireless access with new software


Aruba Networks is an innovative wireless LAN developer known for quality equipment and for its concern about wireless security, so much so that Microsoft has contracted Aruba to replace all existing wireless devices on their networks with Aruba equipment.

Aruba is taking a different approach to remote access, one which by design removes all of the responsibility for creating the secure VPN tunnel from the remote worker and places it on a specialized remote access point (RAP). Remote AP Module is the new software application that makes any existing Aruba access point special. To quote Aruba:

Remote AP software module enables any Aruba access point to be securely and easily connected from a remote location to an Aruba mobility controller across the Internet. Ideally suited for small remote offices, home offices, telecommuters and mobile executives. Aruba's Remote AP software module extends the mobile edge to any remote location by enabling seamless corporate wireless data and voice wherever a user finds an Internet-connected Ethernet port.

Many people would say no big deal, just use a VPN client application on the computer. That may be true, but just ask any experienced business traveler or remote worker what they really think of having to use a remote access client. It's painful, too slow, and can cause a host of other frustrations.

Many see Aruba's approach as a win-win situation. The remote worker's only concerns quite simply become where to plug in the RAP and how to log on correctly. Most network administrators will be beside themselves, as this design employs centralized management and security, leaving little to chance or fate, depending on your viewpoint.

To summarize the benefits:

  1. Authentication can be handled through a variety of options such as Captive Portal, 802.1X, MAC-based, RADIUS, LDAP and SecurID.
  2. Mobile user security is derived from identity-based, per-user security policies that stay with the user.
  3. Key and security information is centrally located and not stored on the remote access point.
  4. Wireless encryption in all of the latest versions, such as 802.11i and WPA2, is supported.
  5. Almost no intervention is required from the remote worker to gain access to the company network.

There are a couple of drawbacks to Aruba's approach to consider as well. First, the central office or VPN location is required to have an Aruba wireless network deployed, or at least to add an Aruba controller on the network's Internet perimeter. Also, all remote workers will require a RAP, and that includes business travelers. The AP 41 access point is the logical choice, and it weighs about a pound. Still, many would groan at the thought of having to lug one more thing with them.

It isn't hard to see that this new technology will elicit many opinions from both sides of the aisle. I would be very interested to hear any comments from both business travelers and network administrators.


5 comments
jogr66

I don't know if I'm too jr in doing business this way and missing something, but haven't we (admins, VARs, remote workers) been doing this for some time now? An example: one of my main office locations uses a mid-level Watchguard Firewall, and the remote office and the person who travels use a wireless Firebox Edge. The Edge is set up with Dynamic DNS, so where that box travels so does the VPN tunnel. The VPN tunnel is done through the firewall appliances, as is any other VPN branch office connecting to the main office, for a single source of admin. The issues with this are also the same: the remote traveler has to lug around one more box of hardware, and you have to plug it in via a wired connection. A difference that I see: I can use "most" any other brand of firewall or appliance to do this and have a central and secure control point of my choosing and flavor. I didn't think this was a bad choice in using a firewall company that has a focus on security. So is this Aruba equipment really a better way of doing business and extending the edge? Is it more secure? Or is it just another brand trying to do what some of us are already doing but with new branded equipment? What I'm using works and with the next upgrade in the planning stages, I don't see any reason to change to Aruba.

Michael Kassner

I would like to hear opinions from network admins as well as remote workers, especially business travelers as to if this is a good idea or not?

Holelattanuttin

The difference is that Aruba provides both wired and wireless access, including wireless IDS using a box that is 7 inches by 7 inches by 1 inch. No software is loaded on the box--all policy is created at home base and pushed to the endpoint where wireless or wired 802.1x, 802.1q tagging, WPA, WPA2 or web authentication takes place. After that, all traffic back to home base is tunneled via IPSec. In addition, troubleshooting functions like packet capture can be done on the clients that connect to the device, as well. Does this make it more clear?

Michael Kassner

I think the main difference as I see it is that the Aruba RAP is self sufficient and does not need to be initially configured or re-configured if changes are made. It only requires that the Remote AP Module software be installed. The device then receives all of the required information upon linking with the central office controller. That way the remote user is not involved in setup or configuration.

Holelattanuttin

Michael, The Remote AP is just a software key that is entered in the controller to unlock the functionality. True that the AP does not have to be reconfigured and policies can be changed on the fly without rebooting the SOHO device. Devices like scanners and VOIP phones can be profiled so that they can only pass VOIP or scanner traffic to the hosts that they are supposed to. At my company, they connect a Cisco wired VOIP phone with a computer connected to the back of that to an Aruba remote AP, and that is their SOHO solution. The phone is connected to the AP, which is a trunk. Phone traffic ends up on one VLAN back at home base and the PC at the back of the phone ends up on another VLAN at home base, with the Cisco phone doing the trunking. We use this solution for business continuity, where certain employees cannot get to work.
