By Lisa Phifer, Core Competence Inc.
Must traffic flow through a single policy enforcement point to assert centrally-defined security policies? Of course the answer is “no” – as demonstrated by many distributed security systems, from desktop anti-virus to wireless IPS.
But this flawed assumption may have led to controller-hosted security functions such as captive portals, RADIUS servers, and packet inspection engines. While it can sometimes be convenient to control access or packets at a single “choke point”, it is certainly not necessary to do so.
In fact, many WLAN products that took this centralized approach at first are now pushing security enforcement out to the network edge for scalability and survivability. As per-client throughput pushes beyond gigabit rates, funneling all traffic into a single policy enforcement engine creates a bottleneck. No matter how much acceleration you throw into a single platform, it is easier to increase speed and expand capacity by adding nodes to an already-distributed system.
Furthermore, hub-and-spoke architectures just don’t cut it for distributed systems that require non-stop service. If remote branches are to rely on Wi-Fi for primary access, external dependencies simply must be eliminated.
Meanwhile, security policy management is moving in the other direction – migrating from physical controller to virtual or cloud managers. These days, it seems that everyone is jumping aboard the cloud bandwagon. When it comes to management, cloud benefits are clear-cut and compelling; to read more about why, see my Information Week report on Cloud-Managed WLANs. That’s why Aerohive introduced HiveManager as an online cloud service years ago. It’s taken some vendors a lot longer to reach this conclusion (witness Cisco’s recent Meraki acquisition). But whether you prefer public or private cloud, it’s getting harder and harder to make a case for physical controller-based management.
So: When security policy enforcement migrates into APs and switches, and security policy management migrates into the cloud, what crucial role(s) are left for WLAN controllers to play in security? Well, none. Go ahead … name one security function that can’t be enforced more efficiently at the network edge or managed more cost-effectively in the cloud. When it comes to WLAN security, eliminating the “middle man” just makes sense. Dollars and cents.
Lisa is president of Core Competence Inc. and has been involved in the design, implementation, and evaluation of networking, security, and management products for 30 years. Since joining Core Competence in 1995, she has advised companies large and small regarding network and security infrastructure needs, best practices, and business use of emerging technologies. Projects include industry research, RFP development, product testing, and vulnerability assessment. Lisa teaches about wireless and mobile security at events such as Interop and InfoSec World and has published hundreds of articles on these and other topics. Lisa holds an MS in Computer Science from Villanova University.