Mobile endpoint security: What enterprise infosec pros must know now
There are more than 900,000 apps available in Apple's App Store, and you couldn't blame Gregg Chottiner for thinking that at some point, users on his wireless network were trying to access every last one of them.
Chottiner, vice president of information technology and chief information officer at the Fashion Institute of Technology (FIT), manages a network that serves more than 10,000 students, as well as thousands of other users at FIT's Manhattan campus.
"My goal is simple," Chottiner said. "To provide an enterprise-class experience to students, faculty and visitors."
Until earlier this year, however, FIT's Wi-Fi service was far more Wal-Mart than haute couture. Students, faculty and visitors alike complained about slow connectivity speeds and spotty service that was exacerbated by the school's urban location. Groups renting out FIT facilities for events were equally frustrated because the school didn't have the capacity or management capabilities to easily provision Wi-Fi connectivity as needed.
That all changed when FIT commissioned a new WLAN infrastructure from Aruba Networks Inc. The deployment -- encompassing the supplier's 7240 wireless controller, ClearPass access, AirWave management and more than 700 AP-135 access points across FIT's nine-building campus -- erased the limitations Chottiner faced with the old system. But equally as important to Chottiner, the new network gave him application control he never had before -- control he intends to exploit as the new school year begins.
"It let us reassess our program," he said of the upgrade, which includes management modules that permit much deeper application visibility and more discrete oversight. The management controls not only allow Chottiner to fine-tune how and where apps can be delivered but set the stage for the delivery of new apps, including Google's collaborative Apps for Education.
"The nice thing [about the Aruba platform] is that it can detect where a dense population of users might be, so I can make adjustments for these kinds of things," Chottiner said. In the meantime, throughput has dramatically improved, with wireless access speeds in many cases mirroring FIT's wired infrastructure. "We are getting lots of positive feedback," he said.
Application visibility and control brings traffic optimization to wireless
FIT is among a growing number of organizations that have upgraded their wireless networks to include application visibility and control, or AVC. The platform offers IT administrators tools they can use to better understand traffic across their WLAN infrastructures, as well as optimize how that traffic is delivered.
The challenges associated with managing multiple apps and multiple devices are accelerating as both the number of applications and gadgets grow, said Philip Clarke, senior research analyst at Nemertes Research. "The goal of these systems is to accelerate your business apps and give a lower Quality of Service to your consumer apps. And that is particularly important as companies roll out more [802.11]n and [802.11]ac routers. They want to know why they are making these investments in upgrading their wireless infrastructure and how these investments are paying off."
While AVC is a familiar tool in the wired realm, it's now being offered to WLAN administrators as a resource, particularly as more traffic is being funneled to mobile users and higher-speed wireless connectivity gains traction. AVC also helps fill in the gap between wired and wireless network oversight, helping to meet the goal of unified management, Clarke said. Vendors including Aruba, Aerohive Networks and Cisco are among suppliers that have engineered additional AVC into their wireless controllers in the past 12 months.
Ballooning apps, devices make application control more critical
Aruba, for example, added beefed-up AVC to its 7200 Mobility Controller late last year, said Andy Logan, Aruba's director of campus solutions. "It's not just ballooning devices, but ballooning apps. [Managing traffic and ensuring adequate throughput] is not that big a deal when it's just me, but when it's thousands of users, it can be incredibly disruptive, and we need to put the control over the app itself."
The upgraded appliance also features greater scale. "Wireless was nice to have in the past," Logan said. "Now it's the primary access point." To that end, the controller can manage up to 2,000 apps. "From a network management standpoint, it's nice to have one place to look at performance."
Assuring high Wi-Fi performance is challenging, particularly with complex apps that incorporate elements including voice, data and file sharing. At FIT, for example, the school is constructing wireless labs, and those classrooms will have widely disparate requirements, said Chottiner. "In some of those labs, we will want to maximize video because some of these classes need access to Netflix. So we will be able to manage that more efficiently."
More granular oversight is particularly useful in an era where bare-bones mobile apps may share consumption with higher-bandwidth enterprise-class software like Adobe Photoshop and product lifecycle management applications. At the same time, mobile users are now armed with a plethora of personal devices, all of which represent specific management and delivery challenges as they access software from places ranging from secure offices to public plazas.
Wireless network performance identified
At the Madeira School, a 321-student boarding school in McLean, Va., AVC has provided Director of Technology Jeff Dayton with monitoring capabilities he never had before. The school added AVC earlier this year as part of a 6.0 software upgrade from vendor Aerohive Networks. "It's invaluable," he said. "I was able to get a vague picture [of wireless traffic before] by looking at the firewall, but now I have a daily report that shows me exactly what traffic is going into my network."
Except for BitTorrent, Madeira doesn't restrict students' access to applications, Dayton said. "[Aerohive] is the first app I've seen that can block BitTorrent at the edge; I was constantly getting cease and desist letters from ISPs [for illegal downloading], and fighting access to it was very difficult. With the block control, I haven't received a single letter." That said, Dayton retains the flexibility to control bandwidth usage or limit what users can do by time of day or by their location. The network has 51 access points, each of which can be individually programmed.
For now, Dayton said he doesn't need to optimize traffic; the school's 1 Gigabit Internet connection is more than adequate for Madeira's needs. "But the big test will [come this fall]. The highest use of our network comes in September, when the kids have more spare time."
Abby Strong, Aerohive's senior product marketing manager, said the AVC capabilities in the most recent version of the Aerohive OS were a result of "customers struggling with the number of apps" across the network.
"We have seen an explosion of devices in the network, and it's become even more apparent," with device-per-individual rates doubling as tablet penetration continues to grow and smartphones become more affordable.
"On the app side, customers wanted to not only see app usage, but devices by policy, [for example] all the devices in a conference room to let them see the usage on any device," she said. "The point is to give IT administrators discrete and fine control of the apps traveling through their network."
Strong said Aerohive plans to fortify AVC in future releases with features like limiting how long a user can access a certain app, for example.
"We're looking at flexible assignments of policy to help networks work better for connected clients; that is something we will be focusing on," she said.
Extending application visibility and control across wired and wireless
Cisco, which in December extended its router-based network-based application recognition (NBAR) engine to its WLAN portfolio, will add bolstered app and device visibility to Cisco Prime 2.0 this fall. The December upgrade encompassed the use of deep packet inspection to identify apps. Chris Spain, Cisco's vice president of product management, enterprise networking group, said the vendor has signatures for approximately 1,500 apps with more on the way. With Prime 2.0, WLAN administrators will get a snapshot view of user, type of device and apps the user is authorized to access.
This information, in concert with Wi-Fi locational services and Cisco's Mobility Services Engine, can provide a deep well of contextual intelligence, Spain said. "If you think of this as a big data pie, I know who it is, I know the device, I know the apps they are running, so if we leverage that with [geo-location capabilities], we can locate the Wi-Fi device and monitor its movement across the network. All of that comes together to optimize [performance and access], and that is really going to be the game changer here."
These types of capabilities also dovetail with network security concerns, said Nemertes' Clarke. "It's not just unifying wired and wireless access but also being able to unify security. No matter where you are, who you are, if you are part of the organization, you will have policies applied to you, with the caveat that they are context-aware. So if you are on a cell network, you won't get virtual desktop infrastructure; you'll get HTML5. If you are connecting over a public access point, you'll receive a different security policy. The key takeaway is that they will apply to everyone."
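As an added illustration, not code from Aruba, Aerohive or Cisco, here is a small Python policy evaluator that encodes the kinds of rules described above: blocking BitTorrent at the edge for everyone, shaping consumer video by location and time of day, capping non-campus access points, and delivering a virtual desktop as HTML5 rather than VDI on a cell network. The app names, roles, locations and rate limits are constructed for the example, and a real controller would populate the app classes from its DPI signatures.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed app classes; a real WLAN controller fills these from its DPI signatures.
BUSINESS_APPS = {"virtual_desktop", "email", "lms"}
CONSUMER_APPS = {"netflix", "youtube", "bittorrent"}

@dataclass(frozen=True)
class Context:
    role: str        # "student", "faculty" or "visitor"; every role gets a policy
    app: str         # application name as identified by the AVC/DPI engine
    access: str      # "campus_ap", "public_ap" or "cellular"
    location: str    # where the client associated, e.g. "dorm", "lab", "plaza"
    hour: int        # local hour (0-23) at which the flow was seen

@dataclass(frozen=True)
class Decision:
    allow: bool
    rate_limit_kbps: Optional[int] = None   # None means no per-app cap
    delivery: Optional[str] = None          # "vdi" or "html5" for desktop access
    reason: str = ""

def decide(ctx: Context) -> Decision:
    """Return the policy for one flow; hard blocks first, then context-aware shaping."""
    # 1. Peer-to-peer is blocked at the edge regardless of role or location.
    if ctx.app == "bittorrent":
        return Decision(False, reason="p2p blocked at the edge")
    # 2. A public access point gets a stricter policy: business apps only.
    if ctx.access == "public_ap" and ctx.app not in BUSINESS_APPS:
        return Decision(False, reason="non-business app on public AP")

    # 3. Context-aware delivery: cellular clients get HTML5 instead of full VDI.
    delivery = None
    if ctx.app == "virtual_desktop":
        delivery = "html5" if ctx.access == "cellular" else "vdi"

    # 4. Shaping rather than blocking: public APs are capped, and evening
    #    consumer video in dorms is given lower QoS via a bandwidth cap.
    cap = None
    if ctx.access == "public_ap":
        cap = 2000
    elif ctx.location == "dorm" and ctx.app in CONSUMER_APPS and ctx.hour >= 20:
        cap = 1500

    reason = f"allow {ctx.app} for {ctx.role} via {ctx.access}"
    return Decision(True, rate_limit_kbps=cap, delivery=delivery, reason=reason)
```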
About the author:
Chuck Moozakis is the site editor for SearchNetworking.com. Moozakis has covered networking, telecommunications, new media and newspaper and magazine production technologies for more than 25 years. Prior to joining TechTarget, he was editor-in-chief at News & Tech and also served as senior editor for InternetWeek.