The Early Focus on Security

By Keerti Melkote, Blog Contributor

Series Introduction

Sometimes you have to look to the past to figure out the right strategy for the future. As I work with my team to define the network solutions of the future, I have been pondering the history of our industry and trying to analyze our architectural choices and those of our competitors. I have found this exercise to be really useful in our efforts towards generating our next generation products. As I chat with customers about our next generation architectures and products, I find that framing the conversation with the historical context in mind to be a powerful way to show our path. This is the first blog in a series, so check back for more.

When I started Aruba in 2002, there were two key challenges enterprises were trying to solve. One was related to security and the second was related to management of enterprise-scale WLANs. I want to focus this post on security since the security model we originally built for mobility in WLANs has translated well into today’s wired LAN requirements. I also see the increasing need for a robust enterprise IoT security architecture and similarities between those requirements and the capabilities we built early on in Aruba’s life.

When building our WLAN security architecture the first thing we solved for was authentication. The challenge with radio waves is that they are not necessarily contained within the walls of a building; they can be ‘heard’ from areas that cannot be controlled by physical access restrictions such as the parking lot or next door. Since the nature of RF allowed for users not controlled by physical access to connect to the network, the architecture required some kind of admission control to understand who was trying to connect and whether they had the right to connect. This step is called Authentication and allowed us to ensure that only authorized users and devices were connecting to the network.

The next thing we had to solve for was encryption. By solving for authentication, we eliminated the risk of unauthorized users connecting to the network, but they could still snoop on data transmissions from physically inside and outside the organization. We looked to some of the strongest cryptography suites on the market at the time to solve this problem. The combination of authentication and encryption led to the creation of the 802.11i standard which is now more popularly known as WPA or WPA2. Most vendors stopped here since this is what was required to be standards compliant.

At Aruba, we took it one step further and asked the question, “What are these users and devices allowed to do once they are authenticated and encrypted?”. This is commonly called Authorization and is a critical step in ensuring security. At the time, if you were implementing your wireless LAN as an extension of your wired LAN, then typically existing authorization policies such as ACLs were simply extended from the wired to the wireless LAN. However, if you think in a mobile-first manner, then the wired LAN becomes infrastructure to support wireless users and access control policies are tied to users and not the wired LAN to which they connect. This was the key insight behind how we built our authorization framework.

We determined that we should build a system that tied a policy to a user and that the policy must follow the user wherever they roam on the network. This is how our tagline “People Move. Networks Must Follow.” came to be. Next, we defined the types of policies that network administrators would need to secure (and control) their network. This led to the crucial decision of building a stateful firewall to enforce the kind of advanced policies we wanted to deliver to our customers. The challenge we put upon ourselves was that this needed to be a firewall that could control traffic down to the per-user level rather than what a network firewall could accomplish at the per-interface or per-VLAN level.

Per-user firewalls became a central point of differentiation for Aruba. To this day they remain a core aspect of our differentiation. We have been building upon their capabilities as we saw the need within our customers’ networks, moving from a stateful firewall to an application-aware firewall, and finally to a firewall that leverages reputation to protect endpoints. Our customers will continue to see innovations in this space as we see it as a pivotal part of the security architecture.

We started our journey on wireless, but when I looked at the requirements for wired networks, they were nearly the same: network administrators need the ability to identify the user or endpoint connecting to the network, the ability to safely transmit its data across the network, and the ability to enforce a policy on that traffic to ensure security. That is the reason why we simply extended our architecture to the wired LAN rather than re-inventing the wheel. As we look forward at the requirements for secure IoT networks, a lot of the capabilities that we already built for user networks translate extremely well into the world of IoT. One such example is our Client Isolation feature and its ability to disallow traffic between IoT endpoints to thwart the spread of malware. I am proud of the security architecture we defined early on at Aruba, as it has stood the test of time.

An interesting trend I have noticed lately is many of our competitors talking about a need for policy, and the ability for policy to follow users around the network, as “New Capabilities”; they are touting that they have revolutionized campus security by building policy enforcement engines into their network offerings. My peers in blue have been very vocal about this lately with “DNA” and “SD-Access”. I believe in the notion “imitation is the sincerest form of flattery”, but they have made some “interesting” design choices in how they got there. More on this in a future post.

At Aruba, we like to think of ourselves as a security company hiding in the body of a networking company and I feel that is due to our deep roots and continued focus on helping our customers build the most secure networks in the world. In my next post, I want to talk about the evolution and Aruba’s general thoughts on segmentation.