October 20, 2003

ARUBA WIRELESS NETWORKS BREAKS NEW GROUND WITH WIRELESS IDS AND SECURE TRAFFIC ENGINEERING CAPABILITIES

New Version of AirOS Adds WLAN Intrusion Detection, Crypto-VLANs, Automatic VLAN Membership, Bandwidth Contracts and Traffic Prioritization

SAN JOSE, CA - October 20, 2003 - Aruba Wireless Networks today made available a new version of its award-winning AirOS Wi-Fi switching software that brings together a collection of advanced 802.11 wireless intrusion detection (IDS) and traffic engineering capabilities never before available on a single system.

With Aruba's AirOS 2.0 software, corporations have new power over wireless attacks as well as sophisticated 802.11 tools that let them shape and control wireless traffic flows throughout the enterprise with unprecedented ease and security.

Protecting Against Wireless Intruders

With Aruba's AirOS 2.0, corporations can now protect themselves against innocuous and malicious wireless attacks that compromise both the wired and wireless environments. Wireless attacks typically involve an intruder trying to gain unauthorized access to corporate resources or disrupt the network through denial of service (DoS) attacks.

AirOS 2.0 DoS protection allows corporations to automatically detect and actively protect against common WLAN man-in-the-middle attacks, such as ASLEAP, deauthentication floods, and void11. These attacks attempt to disrupt wireless LAN traffic or decrypt NT passwords by impersonating stations or access points.

With AirOS 2.0, Aruba access points analyze and classify traffic patterns as well as examine common 802.11-specific attributes like RF signal strength (RSSI) and sequence numbers to identify and block illegal activity.
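An added example, not Aruba's code or part of the original release: a minimal sketch of how sequence-number continuity and RSSI consistency can expose frames sent under an impersonated source address, alongside a simple deauthentication-flood counter. The thresholds, frame tuples and MAC addresses are constructed assumptions.

```python
from collections import defaultdict, deque

SEQ_MOD = 4096                       # 802.11 sequence numbers are 12 bits wide
MAX_SEQ_GAP = 64                     # assumed tolerance for frames the sensor missed
MAX_RSSI_JUMP = 20                   # assumed dB change allowed between frames
FLOOD_COUNT, FLOOD_WINDOW = 5, 1.0   # assumed: 5 deauths within 1 second

def analyze(frames):
    """frames: iterable of (time_s, src_mac, subtype, seq, rssi_dbm).
    Returns a list of (time_s, src_mac, alert_name)."""
    last = {}                        # src_mac -> (seq, rssi) of previous frame
    deauths = defaultdict(deque)     # src_mac -> recent deauth timestamps
    alerts = []
    for t, src, subtype, seq, rssi in frames:
        if src in last:
            prev_seq, prev_rssi = last[src]
            gap = (seq - prev_seq) % SEQ_MOD   # modular, so 4095 -> 0 is gap 1
            # gap 0 is a retransmission; a small gap is a few missed frames.
            if gap > MAX_SEQ_GAP:
                alerts.append((t, src, "seq-discontinuity"))
            if abs(rssi - prev_rssi) > MAX_RSSI_JUMP:
                alerts.append((t, src, "rssi-jump"))
        last[src] = (seq, rssi)
        if subtype == "deauth":
            q = deauths[src]
            q.append(t)
            while q and t - q[0] > FLOOD_WINDOW:
                q.popleft()
            if len(q) == FLOOD_COUNT:          # window has reached the threshold
                alerts.append((t, src, "deauth-flood"))
    return alerts

# Constructed sample: a second transmitter sends deauths under the AP's address.
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    (0.00, AP, "beacon", 4094, -48), (0.10, AP, "beacon", 4095, -47),
    (0.20, AP, "beacon", 0, -48),    (0.25, STA, "data", 310, -60),
    (0.30, AP, "deauth", 1800, -81), (0.32, AP, "deauth", 1801, -80),
    (0.34, AP, "deauth", 1802, -82), (0.36, AP, "deauth", 1803, -81),
    (0.38, AP, "deauth", 1804, -80), (0.40, AP, "beacon", 1, -48),
    (0.45, STA, "data", 311, -61),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Both the first impersonated frame and the next genuine beacon raise alerts, because each breaks continuity with the frame before it.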

AirOS 2.0 WLAN IDS capabilities also include detecting common network penetration tools such as NetStumbler, DStumbler and Wellenreiter using signature analysis on each Aruba access point. New signatures can be configured to extend IDS capabilities to detect future network penetration tools without code upgrades. This obviates the need for corporations to deploy an overlay wireless LAN IDS infrastructure in order to combat unauthorized wireless access.

Secure Traffic Engineering for Adding New Standards and Applications

AirOS 2.0 adds advanced traffic engineering features that now give network administrators:

  • Crypto-VLANs created through multiple ESSIDs on a single AP
  • Role-based VLAN membership to automatically segment users into the correct VLANs already established on the wired network
  • Per user bandwidth contracts to enforce user limits and provide preferential user treatment
  • Wireless quality and class of service for delay-sensitive traffic flows

Centralized Crypto-VLANs prevent VLAN Explosion in the Wiring Closet

With new standardized encryption schemes such as WPA emerging, the enterprise is one step closer to implementing a secure WLAN network. However, if the point of integration of such new capabilities continues to be at the access point, the result is a VLAN explosion in the wiring closet that forces the network administrator to reconfigure the wired networks.

Aruba's AirOS 2.0 now offers the ability to create crypto-VLANs in the air. Crypto-VLANs are created through discrete ESSIDs emanating from a single AP, each of which has a unique encryption profile and VLAN association. Each Aruba AP simultaneously supports up to 16 different ESSIDs.

"WPA and WEP do not and should not be mixed," said Merv Andrade, Chief Technology Officer of Aruba. "If you do, you run the risk of compromising secure WPA users due to the weaknesses of WEP. These 2 encryption schemes must be isolated on their own VLANs. To avoid a VLAN explosion in the network, the ideal place for such a function to occur is in a centralized switch."

Crypto-VLANs allow non-WPA devices, for instance, to use the wireless network while WPA-capable devices, using the same AP, make use of the latest security protocols. Different ESSIDs can be assigned to different VLANs so guest access to the Internet can be provided over one ESSID while secure employee traffic traverses a separate ESSID.

Putting Wireless Users in their Place with Role-Based VLAN Association

Aruba's role-based VLAN association automatically derives the correct VLAN membership through 802.1X. Role-based VLAN derivation tied with Crypto-VLANs is attractive because it provides logical segmentation of workgroup traffic automatically. This enables seamless integration with VLANs and associated user policies already configured on wired networks.

Create and Enforce User Bandwidth Contracts to Limit Low Priority Users

With AirOS 2.0, administrators can now create bandwidth contracts to enforce rate limits. These contracts, defined on a per user or per group basis, set a ceiling on the amount of bandwidth consumed through the Wi-Fi switching system. In turn, administrators can ensure specific users or user groups are guaranteed a pre-determined level of bandwidth according to their application requirements.

Traffic Prioritization Brings Predictability to Wireless Networks

Aruba Wi-Fi switches now support both quality and class of service (QoS/CoS) capabilities through the addition of stateful application classification. Applications that require stateful following, such as FTP, RTSP, or voice over IP (VOIP), can have QoS and firewall policies automatically applied. Wireless traffic streams can be classified on both application type and user role simultaneously.

Queues within Aruba's APs are used to prioritize isochronous traffic, such as VOIP, that has stringent latency and jitter requirements. As traffic enters the wireless environment it is tagged by the Aruba switch and queued for delivery at each Aruba AP.

-30-