There is no one simple answer here. At some point, maybe in 5 years, the time to invest will be “NOW!” But when we talk about investment in 802.11ac, we like to take a slow and progressive approach.
The news is out. 802.11ac is worlds faster than 802.11n. Or is it?
Written by: Jeremy Rouse
Want to save money on your next wireless network rollout by not spending big bucks on underutilized controllers, and still have high availability? Check out Aruba Instant Access Points:
Large enterprises typically deploy wireless local area networks (WLAN) with access points managed by a central controller. But not every company needs the horsepower or features of a physical controller-based WLAN. Considering the costs associated with a central controller, an additional controller for high availability (HA), plus licenses, the price tag can be substantial. Controller-based WLAN certainly has its benefits, and is appropriate in certain environments. In this article, we will focus on the benefits of a controller-less architecture.
Aruba Instant Access Point (IAP) is a controller-less architecture for WLAN, enabling companies to rapidly deploy wireless networks. In an IAP deployment, the primary IAP is configured and the rest of the IAPs inherit their configurations from the primary.
The system includes a virtual controller embedded into the access point, providing administrators with features that are available on physical hardware controllers. Central management, reporting, role-based access and adaptive radio management are all supported with Aruba Instant.
Like Aruba's controller-based access points, IAPs leverage patented ClientMatch technology to ensure that devices are connected to the best AP, which prevents the Wi-Fi network from slowing down as people move throughout your campus.
Aruba’s integrated next-generation mobility firewall leverages deep packet inspection. It classifies traffic by application or application groups so that you can apply prioritization and policies based on your business needs. Additionally, Aruba access points support RFProtect, which provides integrated IPS and spectrum analysis capabilities.
Aruba Instant employs a fully distributed architecture and is resilient to failure. The primary virtual controller serves as both an Aruba access point and a fully functioning "controller". If an Aruba IAP functioning as the primary virtual controller fails, another IAP automatically inherits the role of the primary virtual controller with no service disruption.
I recently had a customer who wanted to upgrade their existing wireless network. Due to the high costs of the controllers and HA requirements, they decided not to move forward even though their legacy WLAN was problematic and out of compliance. When we introduced them to Aruba Instant, they discovered that deploying Aruba IAPs provided all the controller features, security and high availability they required. In addition, they were able to leverage the latest 802.11ac standard without expensive controllers. Our wireless team put together a complete solution that included professional services to migrate off of their existing infrastructure and tuning to maximize coverage. They have rolled out IAPs to multiple sites and are very pleased with the performance.
If you would like to learn more about Aruba's controller-less wireless architecture, please contact your local Bird Rock Systems representative or visit our contact page.
In coming articles, I will discuss how Aruba Instant access points integrate with Aruba’s cloud solution (Aruba Central) and with AAA solutions like ClearPass, and discuss AirWave for administering and monitoring multiple IAP networks.
Written By: Larry Hoehn
In my last post, I discussed combining technologies to provide secure BYOD access. Before we jump into the specifics, let’s pick apart the technology components – starting with the wireless technology.
Modern wireless solutions provide awareness of all traffic across the network to support a variety of users, devices, and applications. Old-school network architectures mandate that parallel networks be constructed to address different needs: for example, one VLAN for employees, a second for full-time contractors, and a third for guests. In other cases, multiple SSIDs were required. Today’s design methods support multiple user categories on a single network.
How It Works
During the network sign-on process, the identity and role of each user or device is learned. Employees and other authorized users may be treated as a single class, or divided according to a series of administrator-defined policies. These policies follow the user throughout the network, and are applied uniformly across wireless, wired, and remote access connections.
This entire premise is made possible by using a firewall instance around every user: tightly controlling what the user is permitted to do and providing separation between user classes. To provide the highest level of security, the solution requires knowledge of user identity when making access control decisions. Our wireless and next-generation firewall solutions enable us to deliver this level of security.
The wireless technologies we work with provide us an important point of authentication and policy enforcement. Policy control is tied to user identity rather than port, IP address, or MAC address. This makes it impossible for a user to bypass security controls, except in the case of breached credentials. (Protect your passwords! We will talk about that in a future post.)
A use case for this is a guest user on the guest network who attempts to bypass the guest network by configuring a laptop with the MAC address and IP address of an employee (also known as spoofing an address). With the proper policies in place, that malicious guest user will be denied access to the employee network because of his guest privileges, regardless of the MAC address or IP address of the device.
Role Based Policy, Granular Control & API Integration
Taking this a step further, role-based policies can limit maximum and guarantee minimum amounts of bandwidth for a particular user or class of users. This allows IT to provision a specified amount of service to bandwidth-hungry applications. In addition, granular control of users is available, such as automatic disconnect from the network, role re-assignment, and dynamic updates of firewall policies.
Behind the scenes, additional functionality is enabled by powerful API integration between various IT solutions from different manufacturers. The APIs can enable captive portal authentication systems, or query external databases to control advanced behavior. This includes integration with solutions that provide services such as virus protection, content inspection and filtering, intrusion detection and prevention, and content transformation.
An example of this could be a posture assessment. A check can be performed to make sure anti-virus scans have been run within the past week, and different network access can be provided depending on the result of this test.
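The guest-spoofing case and the posture check described above, worked through as an added example (this is not Aruba's or the author's code). User names, addresses, zone names and the "quarantine" role are assumptions made for illustration, as is applying the posture check only to employees.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data; every name and address here is hypothetical.
ROLE_BY_USER = {"alice": "employee", "visitor7": "guest"}
ALLOWED_ZONES = {
    "employee": {"internet", "corp"},
    "guest": {"internet"},
    "quarantine": {"remediation"},   # assumed role for failed posture
}
LEGACY_MAC_ACL = {"aa:bb:cc:00:00:01": {"internet", "corp"}}  # alice's laptop
MAX_SCAN_AGE = timedelta(days=7)     # "within the past week"

@dataclass
class Session:
    user: str   # identity proven at sign-on (e.g. 802.1X or captive portal)
    mac: str    # asserted by the client, so it can be changed at will
    ip: str     # asserted by the client, so it can be changed at will
    last_av_scan: Optional[datetime] = None

def legacy_allows(s: Session, zone: str) -> bool:
    """Address-keyed control: trusts whatever MAC the client presents."""
    return zone in LEGACY_MAC_ACL.get(s.mac, {"internet"})

def effective_role(s: Session, now: datetime) -> str:
    """Role comes from the authenticated identity; posture can downgrade it."""
    role = ROLE_BY_USER.get(s.user, "guest")  # unknown users fall back to guest
    if role == "employee":
        stale = s.last_av_scan is None or now - s.last_av_scan > MAX_SCAN_AGE
        if stale:
            return "quarantine"
    return role

def identity_allows(s: Session, zone: str, now: datetime) -> bool:
    """Identity-keyed control: MAC and IP play no part in the decision."""
    return zone in ALLOWED_ZONES[effective_role(s, now)]

NOW = datetime(2024, 1, 15, 9, 0)
EMP_MAC, EMP_IP = "aa:bb:cc:00:00:01", "10.1.0.20"
spoofing_guest = Session("visitor7", EMP_MAC, EMP_IP)
healthy_employee = Session("alice", EMP_MAC, EMP_IP, NOW - timedelta(days=2))
stale_employee = Session("alice", EMP_MAC, EMP_IP, NOW - timedelta(days=10))

if __name__ == "__main__":
    for s in (spoofing_guest, healthy_employee, stale_employee):
        print(s.user, effective_role(s, NOW),
              "legacy:", legacy_allows(s, "corp"),
              "identity:", identity_allows(s, "corp", NOW))
```

The address-keyed check admits the guest who presents the employee's MAC, while the identity-keyed check does not, and the same employee account loses access to `corp` once its last scan is older than a week.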
We Can Help!
As you can see, there is a lot of flexibility, control and added security that can be delivered with the proper solutions, policy and controls in place when it comes to BYOD. For more information, please contact your local Bird Rock Systems Account Manager or send us a message on our Contact page.
In my next post, I will do a deeper dive on the next-generation firewall part of the equation. Then I’ll wrap the wireless and firewall technologies together. Stay tuned!
Photo credit: John.Karakatsanis / Foter / Creative Commons Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0)