Tunneled Internet Gateway: Wi-Fi Access for Mobile Devices in High Security Environments

By Jon Green, Chief Security Officer

In government buildings, you can always spot people heading to a meeting.  They are the ones carrying a bundle of laptops, wireless mice, and power cords, and usually coffee.  In this post-PC era, you'd think people would take more portable devices, such as smartphones or tablets, to stay connected in other parts of the building without having to relocate their entire desk.

One reason may be the regulations concerning which devices are permitted to connect to restricted wireless networks.  Maybe there is a WLAN at your agency, but it could be restricted to those with "approved" equipment, such as laptops.  These "mobile" devices are under IT control as part of the agency domain and may have been equipped with security features such as CAC readers, monitoring software, or encrypted storage.  But what about truly portable devices like tablets or smartphones?  An unmodified iPad, just like all other stock commercial tablets and smartphones, is not compliant with federal data security guidelines for connecting to restricted networks.  And frankly, you often don't need to connect it to restricted networks – but simple Internet access would greatly increase your productivity by enabling numerous "cloud" applications.

One obvious possibility is to deploy a physical WLAN dedicated to Internet-only access - but that means running an extra set of APs, cables, controllers, and so on.  Or you could turn on a second SSID on your existing WLAN, but then you have to convince IA people that this isn't a security policy violation.  Aruba has created a solution (approved by DISA, for the DoD readers out there) that will allow you to connect your commercial mobile device to a WLAN, with traffic passing THROUGH a restricted network on its way to the Internet, without breaking federal data security regulations.  The solution is called Tunneled Internet Gateway, and as the name suggests, it creates an encrypted data session between the mobile device and the Aruba Mobility Controller.  Traffic is then forwarded to an Internet gateway in the DMZ, or other location, through another secure encrypted tunnel.  This encrypted tunnel allows Internet access while preventing (through cryptographically strong separation) any mixing of Internet data and restricted data, as well as blocking access to restricted network resources by unapproved devices or users.

It's also incredibly useful if you need to visit colleagues at other branches or agencies.  Since Tunneled Internet Gateway can be configured on any new or existing Aruba Networks controller-based WLAN, you can access an Internet gateway while working at a branch office across town or across the country.  You no longer need to rely on a decent 4G signal to remain connected.  You can use your mobile device, connect to an Internet gateway, and that 10 lb. laptop can stay where it belongs - on your desk.
