Aruba Networks has responded to the consumerization of IT -- the buzz phrase for employees demanding to use personal devices on the enterprise network from any location -- with a new architecture that delivers unified network management and context-aware network access control across wired and wireless networks.
Aruba's Mobile Virtual Enterprise (MOVE) architecture tries to address growing user demand for network access via their own mobile devices by delivering a context-aware network that can grant access by identity and mobile device fingerprinting -- a departure from traditional port- and VLAN-centric network architectures.
"Right now if you go to most vendors that have wired and wireless solutions, they have a wireless management solution with their wireless products and a wired management solution with their wired products," said Paul DeBeasi, vice president and research director for Gartner Inc.
"If you want unified policy, unified authentication and a unified ability to have certain policy enforcement for data forwarding, you have to provision all that stuff in two management systems. [With Aruba's MOVE architecture], you can provision all of that in one management system and have it applied across wired and wireless networks."
Consumerization of IT: User expectations are high
The consumerization of IT may be a hot buzz phrase among analysts and vendors, but it makes network engineers nervous. If CIOs give a green light to employee-owned tablets, smartphones and laptops connecting to corporate networks, engineers will face exponential growth in network complexity and security risks.
"One CIO [told us] he's seen more radical shifts around user expectations and the device landscape in the last six months than he's seen in the last five years," said Ben Gibson, chief marketing officer for Aruba Networks. "A lot of that shift is around the sharp increase in the number of mobile devices coming into the workplace. Unless the access network shifts and changes to get ahead of the mobility wave coming into the workplace, it's going to be both cost and service prohibitive [for IT organizations] to provide that user experience and service expectation."
Countless vendors are offering ways to solve the consumerization of IT conundrum. Cisco Systems has rolled out its vast Borderless Networks architecture, a broad portfolio of wired and wireless network hardware, security products, and network services and software that promises to give users access to corporate resources regardless of what device and access network they use.
Smaller vendors are trying to solve pieces of the IT consumerization problem, too. Network access control (NAC) vendor ForeScout this week announced a new version of its CounterAct NAC product that uses device fingerprinting to provide real-time visibility and control over the mobile devices that employees bring into a network.
"Some enterprises are not going to allow any of these [consumer] devices to access the network," said Gord Boyce, CEO of ForeScout. "That's not going to work."
All of these strategies seek to move away from the common practice used today of assigning devices on the network to specific ports and VLANs within a wiring closet. Aruba argues that this approach doesn't scale for the consumerization of IT. When end users start bringing in their own mobile devices, network engineers need to provide access by policy rather than port, via technologies like user authentication and device fingerprinting, Gibson said.
Aruba's unified network management architecture spelled out
To provide this kind of access across both wired and wireless connections, Aruba has introduced its first series of Ethernet switches, the S3500 Mobility Access Switch. The stackable switch is available in both 24 and 48 Gigabit port configurations and pulls its configuration and firmware from a wireless LAN controller, much like a wireless access point does. An enterprise can deploy the S3500 switches as an overlay to a campus LAN or as a replacement for existing access-layer switches in a campus LAN.
The switches work in tandem with Aruba's ArubaOS 6.1, which now features device fingerprinting for mobile devices. The company has also integrated the access management software from its recent Amigopod acquisition in order to provide access management for guests, as well as employee-owned devices.
With MOVE, Aruba hardware sits at both the wired and wireless edge, so network managers can apply the same policy-based network access through both wired and wireless connections.
"We see this as a significant potential cost reduction from a support point of view," said Pat Wren, managing director of operations at ATB Financial, a $26.5 billion financial institution based in Edmonton, Alberta. ATB is an Aruba wireless customer that is testing the S3500 switch for use in its network.
"In our branches we have tellers that have unique machines that can only plug into certain ports in our Cisco environment because we have to set them up by port control," Wren said.
With Aruba's S3500 switches in Wren's network, those bank tellers could plug their devices into any port, and the Aruba wireless LAN controller would allow or deny access based on policy rather than port.
"This allows us to fully use our switch for any user in the branch, and we see that as a reduction in the cost of management and set-up time. We define the teller's workstation. The device connects into a port, then it's recognized as what it is, and it applies the appropriate security settings or control settings that are necessary to manage that teller's connection," Wren said.
Considering network engineers have been relying on VLANs and port-based control for network access for nearly 20 years, some network engineers might balk at a policy-based approach like Aruba's, according to Paula Musich, senior analyst with Current Analysis. However, they also may realize that they have no choice but to adapt to a new networking world.
"It's not like IT is being handed this brand new section of their budget and being told, 'OK, here's all this money to manage all these new endpoints that are getting onto the network,'" she said.
Integrated networks can also offer network consolidation
While Aruba isn't trying to compete head-to-head with Cisco and HP Networking in the market for wiring closet switches, Aruba customers may find themselves needing fewer switches in their wiring closets. At ATB Financial, 3,000 of the company's 5,500 users are using a wireless connection continuously. That translates into fewer ports in wiring closets and more access points.
"We are in the process of doing a significant consolidation of our switches and routers, eliminating two or three switches in each of our branch locations or multiples of that in our corporate offices," Wren said. "We see the S3500 as becoming one of the switches we would deploy as part of a technology refresh."
Let us know what you think about the story; email Shamus McGillicuddy, News Editor.