As wireless networking continues to edge wired Ethernet towards the margins, the same worries that once prevailed on the wire have migrated to the WLAN. Among these concerns is Network Access Control (NAC). Traditionally, NAC has been a stand-alone service that you "point" a given VLAN or set of users at. Interactions between the NAC system and network switches provide on-ramps to the network, or quarantine users when their computers don't pass muster based on requirements for antivirus, operating system patches, user credentials or other parameters. The entire process has tended to be external to WLAN hardware, even when wireless clients are being controlled. A newly announced partnership between Aruba Networks and Impulse Point puts a fresh spin on the NAC process, and leverages the best of both companies' feature sets.
As an Impulse Point customer, I am quite familiar with the company's Safe Connect NAC system. In my environment, Safe Connect operates as a managed service that interacts with our Cisco 6500 switches to write and update dynamic access rules for wireless clients on our Cisco WLAN, based on client status as reported by the system's lightweight agent. If a client is healthy and has the agent, it's allowed on the network in accordance with granular policies that map to specific Active Directory groups for our clients. If the agent isn't present or the client fails to meet an access requirement, the client is shunted off for remediation and eventual reinstatement. Because Safe Connect works directly with our core network boxes, the complexities of VLAN steering and manipulation that other NAC solutions rely on are not a factor. However, there is no totally free lunch: under heavy loads we do see occasional, and significant, increases in resource utilization on our 6500s, where Safe Connect works its per-client magic writing ever-changing access lists.
Aruba Networks is not the biggest fish in the WLAN pond, but the company is gaining market share and plays in the same customer and distribution spaces as Impulse Point. Aruba's role-based control for wireless clients is popular with customers who rely on the integrated Policy Enforcement Firewall (PEF) in the company's mobility controllers to keep the wireless client mixture sorted and in compliance with operational policy.
By now, you may have guessed where this is going. Impulse Point and Aruba now communicate thanks to the latest version of code for each product. Wireless clients with the Safe Connect agent on the Aruba WLAN still report to the NAC appliance, which can dynamically manipulate Aruba's PEF directly. This makes for a tighter system integration and leaves core boxes alone to route and switch. I spoke with Dennis Muley, president of Impulse Point, about the partnership. He sees Aruba's PEF as a natural fit for control by the Safe Connect NAC system that enforces full-time, real-time usage control via the firewall. Rather than have users placed in a quarantine VLAN where they can still see each other, the firewall approach means users get just enough access to reach remediation servers.
The integration between Impulse and Aruba isn't exclusive. Muley has his sights on other wireless providers. "The Aruba firewall for us is just another aggregation and control point. We're hoping to expand on this sort of integration and work with other wireless systems directly for NAC in the near future," says Muley. Sounds good to me.