Airheads get ClearPass
I attended both the Aruba partner summit and Airheads conference this week. This to me was interesting on several levels. Victoria Poncini gave a fascinating talk at the Airheads conference on the history of wireless at Microsoft and what she called the ‘Bill G’ initiative which was wireless connectivity everywhere, long before most companies thought that was important. The subject of this post, however, is Aruba’s new ClearPass solution.
Aruba has developed and broadened their portfolio of products. When I first started to learn about their products, back in 2007, it was pretty much all about the controller and AP: how fast it was, what speeds were supported, and how we could design a deployment to give great coverage as well as good connectivity for clients. For me as a consultant this was great, as I could develop a set of skills and solutions related to integrating the Aruba deployment into my customers’ networks. Things were simpler as we really only had to worry about one class of device, Windows laptops (yes, voice was out there, we just seldom had to deploy it), and two classes of users, employees and guests. So we set about developing standard methodologies surrounding how to securely deploy wireless access for those scenarios.
Fast forward to 2012: we now not only have several classes of possible devices, from tablets to smartphones to various flavors of laptops, but we also have several shades of gray when it comes to user classes. The whole BYOD phenomenon has highlighted several flaws in the traditional thinking around controlling the enterprise, in that it shows that corporate IT is too inflexible to handle the different ways employees want to use these new types of devices to stay connected and do their jobs. Aruba showed at the conferences this week that it clearly gets this and that it is thinking about how to enable corporate IT to meet users’ needs yet still have control of the data flowing across the network.
Aruba’s latest addition to its portfolio of products is one that specifically attacks the BYOD problem of how to give users secure access to the corporate network from whatever device they want to use. Not only this, but it provides that access easily, without needing the user to call corporate IT to get on. This, in my security-focused mind, is way more important than simply bumping your APs to 4 antennas to support 450 Mbps. I believe most users have sufficient speeds on wireless networks these days no matter which manufacturer you are using. I also think that spectrum analysis, while useful, is really only a small and, in the long term, not so important piece of functionality. Aruba’s ClearPass, however, helps to solve a broad and difficult problem. This problem, incidentally, is one that colleges and educational institutions have been dealing with for years, namely how to deal with a large influx of new devices you have little to no control over and get them securely onto the network to access the resources they need.
ClearPass is focused on managing and securing network access across wired, wireless and VPNs.
It has 4 primary modules. The first, Guest, is the module that manages guest access and was formerly known as Amigopod. The next, Onboard, is probably the most powerful part in that it enables automatic configuration of any device connecting to the network. Just think of the situation where you are managing 2000 new devices all coming onto your network because of a conference, new semester, etc. With Onboard, you don’t have to touch any of them to do that securely. This is massive for IT helpdesk staff. Next up we have Profile. This module gives corporate IT the ability to gather information, through profiling, about exactly what kind of endpoint is connecting to the network. It uses a 5 tier system to identify the device, instead of relying simply on MAC addresses or DHCP fingerprinting. This means that you can set different security roles for Joe connecting on his home iPad vs his corporate iPhone vs his corporate laptop. Last we have OnGuard. This module provides NAC/NAP capabilities and can either use an agent (dissolvable or installed) to do in-depth posture assessments or use built-in functionality such as Microsoft’s NAP.
These modules are all built on top of the ClearPass Policy Manager, which supports RADIUS and TACACS+ and enables enterprises to have fully redundant and highly available authentication services. This is critical, as having a system that controls all user access to both the wired and wireless network means the system has to be able to handle a lot of connections (I overheard it’s been tested up to 2 million sessions) without falling to its knees and bringing down a barrage of complaints with it.
Aruba has in my mind introduced a platform with ClearPass that solves a large IT problem and finally makes me believe that apart from in very simple deployments the traditional Microsoft RADIUS server is no longer enough to secure network access. I think that this product will give MDM (Mobile Device Management) and NAC (Network Access Control) vendors a scare too in that it gives corporate IT a way of controlling the explosion of devices on their network and at the same time reducing the number of support staff needed to manage those devices. This broadening of Aruba’s vision to encompass not only Wi-Fi but also the supporting technologies surrounding it makes total sense. I applaud Aruba for recognizing that there is more to wireless than simply access and seeing a way to simplify a difficult problem that many corporate IT departments have, giving users access from any device they have.