In a truly mobile environment, an organization's policies must apply whether a client is connected wirelessly or via a wire. This seems like such a common-sense phrase, but it has proven to be easier said than done.
More often than not, it seems that organizations place security requirements on wireless clients and do nothing on the wire. The common thinking here is that someone would have to get past security before they could plug a cable in, so the risk of unauthorized access is lower. Or, even worse, they tried a wired solution but it was too complicated and didn't work. This just doesn't fly.
In a BYOD world, it is highly likely that your own employees will be bringing in non-corporate devices and wanting them to have connectivity. While most of these devices will be wireless, it is still possible for some wired devices to come along for the ride. Factor in visitors, consultants, and malicious rogues and you've got a very compelling reason to extend your wireless policies out to the wired access layer. Yes, that's right, I actually said extend your wireless policy out to the wired access layer. Wired companies had their shot. It's time for the wireless companies to step up and show them how it's done.
It seems that wireless companies have a major advantage over traditional wired companies in this arena. Let's face it, they've been playing this game since the beginning so they are in a perfect position to grow into the wired access world. Take a look at the major wireless players and you'll likely see wired solutions creeping onto their line sheets.
I took the liberty of recording a demonstration of the Aruba Networks solution as one example of how you might extend wireless policies to the wired access layer:
Utilizing a tunneled-node configuration between an S3500 Mobility Access Switch and 620 Mobility Controller, I was able to extend my wireless AAA policies, firewall policies, and bandwidth contracts out to the wired access layer. That means one location for policy configuration, one location for enforcement, and one location for auditing. Pretty sweet.
By extending my wireless policies out to the wired access layer I can now be comfortable knowing that corporate devices will get access to what they need, and guests/contractors will get only what they need without the ability to take up the entire pipe.
As I stated earlier, having policies enforced at both the wireless and wired access layers is something that we should have been doing all along. I'm not saying that this is anything new. What I am saying is that I think it makes more sense to have wireless AAA profiles pushed to the wire rather than the other way around. My past experiences with wired AAA profiles usually involved building policies from scratch because there were no pre-existing wired policies in place already. If you follow this method, you would have to then retrofit your existing wireless LAN to match the newly created wired policies or suffer different policies on the LAN and WLAN; what a pain in the you know what! It is far more efficient to take what you already have and just extend it. This is especially true since WLAN access is rapidly becoming the primary access medium for a lot of people.
Agree or disagree, I'm just glad that wireless companies have stepped up to the plate to create solutions that make this a viable and manageable possibility. Before you know it, they'll start becoming champions of the branch office. Oh wait, they already have!
While I only showed the Aruba Networks solution, I am aware that many other wireless companies have competing solutions. I've only had limited exposure to some of the other solutions out there and would be interested in hearing your thoughts on the subject. If you've got a solution you really believe in then please leave a comment below. Also, be sure to share this post with anyone you think might benefit from reading it.