Aruba is now a Mobility company not just a WLAN company

I’ve watched with interest over several years how Aruba Networks seems to have an uncanny ability to bring to market, or acquire, technologies needed to stay at the forefront of the WLAN market. They seem to keep a close eye on competitors and move the focus of their company when needed with as much agility as a small startup does. Wireless is evolving at a very fast pace and this sort of focus is the difference, I believe, between has-been companies and companies that really get what their customers and market space are about.

In addition to this observation I think that there is a more fundamental shift going on in wireless right now. I would call it the shift from the story being about how to build wireless networks to how to enable users and businesses to work/live/play while mobile. The following is a dictionary definition of mobility:

Mobility

  1. The ability to move or be moved freely and easily.
  2. The ability to move between different levels in society or employment.

In the enterprise we tend to focus on the first meaning and I would argue that Aruba is now well on its way to redefining itself as being a Mobility company and not just a WLAN company. This is indeed where the heat and customer angst is with mobile devices in the enterprise and focuses squarely on a problem that is in need of multi-faceted solutions. In my own workplace this is widely recognized by both the technical and non-technical folks as being a top concern for our customers. They are really looking for help with enabling their employees to use mobile devices. As an amusing (to me) aside, this is partially being driven by executives looking to be able to do their jobs while out of the office.

A few months ago I attended the Aruba Airheads conference in Las Vegas. One of the keynote speakers there was Paul DeBeasi from Gartner, who talked about the above shifts and Gartner’s research on it. It was very interesting to me to hear Paul speak and that he was confirming many of the conclusions I had come to myself. The following diagram from Gartner illustrates how a mobile architecture looks and what pieces need to be considered:

Mobile Architecture Requirements

If you consider Aruba to just be a wireless infrastructure company, then only one of the above circles applies. I would argue, however, that Aruba is steadily developing a portfolio of solutions to mobility needs in the enterprise. An example would be ClearPass Policy Manager. This fits clearly into the identity and security circle. The recently announced acquisition of Meridian Apps also fits clearly into the application architecture circle.

The WLAN market is clearly changing. This is a good thing as we are moving beyond simply how to get things to work (which is of course still important) to enabling people to be more flexible and satisfied at work. This survey on BYOD and Mobile Security (slide 2) puts the number one benefit of BYOD as being greater employee satisfaction and productivity. I would encourage others to shift their focus as well to looking at the bigger picture of what we are doing in this business. We are transforming the way people work, live and play in giving them the tools to be mobile and always connected.

Finding the lazy bees – Aerohive’s application visibility and control

This week Aerohive announced their new switch line along with an upgrade to the Hivemanager and HiveOS to version 6.0. There are other reviews that went into this announcement quite well, including Lee H. Badman over at Network Computing and fellow blogger Tom Hollingsworth. What I would like to comment on in this blog is how I believe the addition of application visibility and control is actually a bigger deal than the announcement of new hardware, important though that is for the mobile enterprise.

As more and more businesses discover that their employees are bringing shiny new mobile devices to work (often it happens to be executives that are the primary people doing this), the IT department discovers they have a problem, namely they can’t easily tell the difference between devices connected to their WLAN and, more importantly, what those devices are doing. Many enterprises are set up to monitor and filter wired traffic from workstations with web filters, IDS, IPS and the like, but it is common for guest WLANs not to have such strict monitoring. Top of the list of questions I get asked when talking about the issues around BYOD and mobile devices is what can we do to have more insight into what mobile devices are doing on our network. Add in that the apps used on mobile devices many times simply use standard http/s and it becomes very difficult to use the simple approach of filtering just on ports, protocols and IP addresses.

Deep packet inspection

In order to help their customers solve this issue Aerohive has added into their OS the ability to inspect packets to discover where each packet is destined and what type of data is flowing across a connection. This type of functionality is commonly referred to as deep packet inspection, but Aerohive, in keeping with their company mantra to Simpli-fi the WLAN, calls it Application Visibility and Control. This perhaps more accurately describes what is gained by their customers in having this great feature added to their Aerohive devices. As I covered in a previous post, I believe that this functionality will eventually make WIPS irrelevant, so I am glad to see that more WLAN vendors are adding it.

If you look from a much higher level at how much mobile devices and cloud connectivity are changing enterprise IT security, this is really a first major step beyond simply authenticating users towards control at an individual device level of the data being accessed by users. Many a CIO or CSO is concerned by the collapse of their controlled perimeter and they know that the only way they can begin to understand what is happening to the different types of data inside their network is to have visibility at an application level as to how mobile devices access that data. If you consider that today many employees access that data via the WLAN, Aerohive is providing them with the tools they need to see what is being accessed, by whom and with what types of devices. The next step of being able to control what happens to their data is built into this release and pushes the control to the edge, exactly where it’s needed.
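To make the point about port-based filtering versus application visibility concrete, here is an added example (my own illustration, not Aerohive code and not how HiveOS implements the feature): it names a flow’s application from the HTTP Host header or the TLS SNI field in the first payload bytes, which is exactly the information a port/IP rule never sees when every app rides on http/s. The signature table, the policy table and the sample payloads are constructed for the example; the ClientHello builder exists only to produce realistic sample input.

```python
"""Added example (not Aerohive code): application visibility from a flow's
first payload bytes (HTTP Host or TLS SNI) rather than from port numbers."""
import struct

# Constructed signature table: hostname suffix -> application label (hypothetical).
APP_SIGNATURES = {
    "dropbox.com": "dropbox",
    "salesforce.com": "salesforce",
    "youtube.com": "youtube",
}
# Constructed per-application policy, the "control" half of the feature (hypothetical).
APP_POLICY = {"dropbox": "block", "youtube": "rate-limit"}


def classify_by_port(dst_port):
    """The traditional rule: everything on 80/443 is just 'web'."""
    return {80: "web", 443: "web-ssl"}.get(dst_port, "unknown")


def http_host(payload):
    """Return the Host header of an HTTP/1.x request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if b" HTTP/" not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def tls_sni(payload):
    """Return the server_name from a TLS ClientHello (SNI extension), or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                    # session id
        p += 2 + struct.unpack_from("!H", payload, p)[0]   # cipher suites
        p += 1 + payload[p]                    # compression methods
        ext_len = struct.unpack_from("!H", payload, p)[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            p += 4
            if etype == 0:                     # server_name extension
                name_len = struct.unpack_from("!H", payload, p + 3)[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def classify_flow(dst_port, payload):
    """Name the application by what the payload says, whatever port it uses."""
    host = http_host(payload) or tls_sni(payload)
    if host is None:
        return "unknown"
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return "web-other"


def policy_action(app):
    """Look up the enforcement action for a named application (default allow)."""
    return APP_POLICY.get(app, "allow")


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                     # version + random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    flows = [(443, build_client_hello("www.dropbox.com")),
             (8080, b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n")]
    for port, payload in flows:
        app = classify_flow(port, payload)
        print(port, classify_by_port(port), "->", app, policy_action(app))
```

Both sample flows come out as plain “web” under the port rule; the payload-based classifier names the application and can hand that name to a per-app policy at the access point, which is the visibility-then-control sequence the post describes. A real product also has to cope with encrypted SNI, QUIC and apps that deliberately hide behind generic CDN hostnames, which is why vendors keep signature databases rather than a three-entry table.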

Application Visibility and Control

Managing mobile security

I call this new functionality that is migrating into the WLAN the next generation of WLAN security, as it’s pushing functionality that has been centralized on IT perimeter firewalls out to the edge of the network, to where devices are accessing the network. I recognize, however, that more needs to happen than simply adding this in. Security is a many-layered thing and starts with a thorough mobile device access policy that gives employees clear lines of responsibility for what they do with their devices when they access the WLAN. There also needs to be a solid authentication architecture, which can differentiate authorization of what can be accessed based on user, device and location. Aerohive’s Application Visibility and Control gives you the ability to enforce those policies and gain a much greater insight into what is happening on your WLAN than previously. I’m sure that many IT departments will thank Aerohive for giving them better tools to address management concerns about mobile devices.

My take on wireless has always been from a security point of view and I for one am glad that Aerohive is implementing functionality into their platform to help solve the security problems brought on by the explosion of mobile devices. Aerohive is quite rightly recognized as a lead innovator in the WLAN market and they are taking steps to maintain that lead and solve their customers’ problems in an innovative way. I look forward to seeing what else they have up their sleeves. It’s a great time to be in wireless.

Building Meraki’s cloud controller architecture

Meraki is an interesting company. They took a very different approach to the Wi-Fi market. Instead of concentrating on speeds and feeds, like many other companies, their major innovation and idea was to build a cloud controller for their products and make the refinement of that interface the focus of their efforts. This has resulted in a highly customer-focused company. I admit I’ve taken a while to warm up to their offering, but I do see its value for customers and I admire what they have built. Meraki has participated in three Wireless Field Days. They chose this time to give us an in-depth look at how they designed their distributed cloud-based infrastructure. It was fascinating on several levels for me. First, it was really a ballsy move to open up and show the world what they had built. Next, it answered directly some lingering criticisms that I have heard about their company using customer data in nefarious ways. It also showed exactly what the value proposition was that made Cisco spend $1.2 billion on this company, and indeed from the brilliance displayed here I can see it was worth that price. Last, but not least, the technical details that went into building their platform and how they solved the various problems they encountered are simply a spellbinding story.

As I don’t believe I could do a better job at telling the story than the presenter, Sean Rhea, I will instead give you the video below of his presentation and then end with my thoughts on it. He managed to hold an entire room of wireless geeks spellbound and even mentioned storage, to the delight of Stephen Foskett, who is the driving force behind the Tech Field Days.

Meraki Cloud Architecture Deep Dive with Sean Rhea

Here are a few observations that I have taken from the video:

  • Customers are allocated to a partition called a shard, which is on a physical server in their datacenter and is also replicated to another site for redundancy.
  • When you log in, it’s to a master shard which then redirects you to the shard that hosts your data.
  • They have the ability to keep functioning even if they completely lose a datacenter, due to the way the tunnel is designed from the Meraki APs and devices.
  • Each shard has thousands of Meraki devices, hundreds of thousands of clients per day and gathers 300GB of statistics going back over a year. The shards get new data every 45 seconds from their devices or every second if you are logged in and monitoring a device.

That is a huge amount of data and a massive amount of servers to monitor and look after. The way Sean described it though, they have put a lot of thought into making the system as efficient and redundant as possible.

  • In order to access the Meraki devices behind NAT and corporate firewalls they developed an IPsec-like tunnel mechanism called mtunnel. It uses AES encryption and certificates that are shipped with every device.
  • Mtunnel has redundancy for the connection back to the datacenter and if a shard isn’t accessible can reroute to the backup shard.

This says to me there is a massive amount of cryptographic processing going on here with each device tunnelling back. I’ve worked large VPN projects before and in order to get this right you have to put a lot of thought into making sure your components can handle that.

  • Meraki developed their own mechanism for getting all the useful stats from their devices and shipping it back for use by the dashboard called Poder.
  • The RPC engine used by it has reduced the data being sent by 80-90%, uses UDP and can talk to 10,000 devices in 20 seconds.
  • It uses a modular approach and is written in a Java-like language called Scala. Each module is small (200-400 lines) and single threaded.

That achieves two very important things for such a massive undertaking, speed and low bandwidth use. The other problem that cropped up is what to do once you’ve got the data.

  • Standard OLTP databases are not good at hot clustering and, unless their data set fits into RAM, can take many seeks to grab the data off disk. They also often load too much of the wrong type of data, noise that you are not interested in, into RAM, which wastes RAM on that other data.
  • Meraki wrote a custom database called Little Table to solve these problems. It uses in-memory ordered trees which are sorted by network_ID and MAC address. It also has a method to retrieve the data needed from disk with a single seek if needed.
  • It is a very high performance database compared to commercial ones, with 8MB/s inserts and 40MB/s queries.
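The three database points above (ordering by network_ID and MAC, single-seek retrieval, not dragging unrelated rows into RAM) are easier to see in code than in bullets, so here is an added toy illustration of the idea. It is my own sketch, not Meraki’s Little Table and not based on their source: an in-memory table of per-client stats keyed by (network_id, mac), flushed to a single sorted on-disk segment with an in-memory offset index. Because the segment is sorted by network first, all clients of one network are contiguous, so a per-network query is one seek plus one sequential read, and a point lookup is exactly one seek. The sample rows are constructed; `build_sample_table` exists only to give the reader something to run.

```python
"""Added example (not Meraki code): a toy ordered store in the spirit of the
Little Table description, keyed by (network_id, mac). Hypothetical throughout."""
import bisect
import json
import os
import tempfile


class ClientStatsTable:
    def __init__(self, path):
        self.path = path
        self.mem = {}          # memtable: (network_id, mac) -> stats dict
        self.disk_keys = []    # sorted keys of records in the on-disk segment
        self.disk_pos = []     # parallel list of (offset, length) for each key
        self.seeks = 0         # counts disk seeks so the single-seek claim is visible

    @staticmethod
    def _key(network_id, mac):
        return (network_id, mac.lower())

    def insert(self, network_id, mac, stats):
        """Writes land in memory; they reach disk on the next flush."""
        self.mem[self._key(network_id, mac)] = stats

    def flush(self):
        """Merge memtable with the current segment and rewrite it in key order."""
        merged = {}
        if self.disk_keys:
            with open(self.path, "rb") as f:
                for key, (off, ln) in zip(self.disk_keys, self.disk_pos):
                    f.seek(off)
                    merged[key] = json.loads(f.read(ln))
        merged.update(self.mem)
        self.disk_keys, self.disk_pos = [], []
        with open(self.path, "wb") as f:
            for key in sorted(merged):          # (network_id, mac) order on disk
                rec = json.dumps(merged[key]).encode()
                self.disk_keys.append(key)
                self.disk_pos.append((f.tell(), len(rec)))
                f.write(rec)
        self.mem.clear()

    def _read(self, offset, length):
        """One seek, one contiguous read: nothing outside [offset, offset+length) is touched."""
        with open(self.path, "rb") as f:
            f.seek(offset)
            self.seeks += 1
            return f.read(length)

    def get(self, network_id, mac):
        """Point lookup: memtable first, then the index tells us the exact byte range."""
        key = self._key(network_id, mac)
        if key in self.mem:
            return self.mem[key]
        i = bisect.bisect_left(self.disk_keys, key)
        if i < len(self.disk_keys) and self.disk_keys[i] == key:
            off, ln = self.disk_pos[i]
            return json.loads(self._read(off, ln))
        return None

    def network_clients(self, network_id):
        """All clients of one network; they are adjacent on disk, so a single seek suffices."""
        lo = bisect.bisect_left(self.disk_keys, (network_id, ""))
        hi = bisect.bisect_left(self.disk_keys, (network_id + 1, ""))
        out = {}
        if lo < hi:
            start = self.disk_pos[lo][0]
            last_off, last_len = self.disk_pos[hi - 1]
            blob = self._read(start, last_off + last_len - start)
            for key, (off, ln) in zip(self.disk_keys[lo:hi], self.disk_pos[lo:hi]):
                out[key[1]] = json.loads(blob[off - start:off - start + ln])
        for key, stats in self.mem.items():     # unflushed rows overlay the segment
            if key[0] == network_id:
                out[key[1]] = stats
        return out


def build_sample_table():
    """Construct a table with a few made-up rows (sample data, not real clients)."""
    path = os.path.join(tempfile.mkdtemp(), "clients.tbl")
    t = ClientStatsTable(path)
    t.insert(7, "AA:BB:CC:00:00:01", {"rx_bytes": 10})
    t.insert(3, "aa:bb:cc:00:00:02", {"rx_bytes": 5})
    t.insert(7, "aa:bb:cc:00:00:03", {"rx_bytes": 8})
    t.flush()
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print(t.get(7, "aa:bb:cc:00:00:01"), "seeks:", t.seeks)
    print(sorted(t.network_clients(7)), "seeks:", t.seeks)
```

The `seeks` counter is the whole point: a point lookup costs one seek and a per-network scan costs one seek regardless of how many clients the network has, whereas a table ordered by insertion time would scatter one network’s rows across the file. The real system described in the talk obviously does far more (replication to a backup shard, a year of history, concurrent writers), but the key-ordering decision is what makes those cheap reads possible.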

In the last part of the video, which is a bit muffled as Sanjit Biswas was away from the mic, we talked about the pains that Meraki takes to maintain customer privacy. They do regular audits and have SAS 70 certification. This was comforting to hear.

I would say that Meraki has set the bar pretty high on how to make a customer-driven management and monitoring solution for the enterprise. Their feedback feature, where customers can ask for a change or new feature to their platform, and the speed at which they add those requested features into their interface show they are constantly listening to their customers’ needs. This is actually quite a challenge for Cisco, who is pretty slow to respond to customer complaints and tends often to beta test new code with their customers, or so it seems. It will be interesting to see if Meraki is able to retain their agility as they are absorbed into Cisco’s ways of doing things.

I know this post has been fairly short on wireless specifics, but I have always been of the mind that there is much more to the WLAN than simply how a wireless AP is designed or what a controller can do. The interesting bits I see are how the wireless devices fit into an overall solution that solves a customer’s needs. There is a balancing act in solving those customer problems while at the same time making sure you cover things like security, performance and just basic expectations like making sure it works consistently for people. I’m sure most people out there maintaining a WLAN want their system to be able to keep their users in a happy place of being connected while pleasing their bosses’ needs for protecting their business from risks. Making a system that solves those problems in a way that makes an administrator’s job easier is no mean feat, so kudos to Meraki for concentrating on a cloud solution that focused on an easy-to-use, customer-driven interface.