Aruba's Policy Enforcement Firewall (PEF) module for ArubaOS provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using PEF, organizations can enforce network access policies that specify who may access the network, which areas of the network they may access, and the performance thresholds of various applications. Administrators can build a unified, integrated system for network policy enforcement by leveraging PEF's open interfaces to external services such as content security appliances, NAC policy engines, performance monitors, and authentication/authorization servers.
For organizations adopting emerging applications such as voice over Wi-Fi, the PEF module provides advanced voice management capabilities with enhanced visibility and control into voice sessions. Features such as SIP protocol decoding, phone number tracking, dial plan mapping, SIP-based authentication, and fine-grained queue management make large-scale enterprise voice deployments a reality.
Identity-based policy controls
PEF provides user-level awareness of all traffic across the network. Enterprises today need to support a broad variety of users, devices, and applications - all of which want mobility. Traditional network architectures mandate that parallel networks be constructed to address the different needs of each constituent - for example, one network for employees and full-time contractors, another for guests, and a third for voice. Even when these networks can be constructed using the same physical hardware, there is an associated complexity and resulting high cost.
Stateful firewalls for every user
PEF implements a full stateful firewall instance around every user, tightly controlling what the user is permitted to do and providing separation between user classes. The VLAN-based security used in traditional network designs is both cumbersome to configure and deficient in security. External firewalls are limited because they understand only ports and IP subnets. To provide the highest level of security, a firewall requires knowledge of user identity when making access control decisions.
Application-aware quality of service controls
Once application flows have been identified, standard firewall security actions such as permit, drop, log, or reject can be applied. However, PEF is capable of more than just robust security. Rule actions can also tag packets with an 802.1p or DSCP marking, prioritize the traffic into multiple queues, or even redirect specific protocols to different destinations. Advanced awareness of voice and video protocols permits appropriate QoS to be applied to both the control protocol and the call sessions automatically. Knowledge of call status enables smarter wireless radio supervision; functions such as RF management and load balancing will not impact call quality while a voice call is active, instead waiting until voice handsets are on-hook to perform RF optimization.
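The two sections above describe a per-user stateful firewall whose rules are selected by the user's role and whose actions go beyond permit/drop to include logging, DSCP marking and queue assignment. The following is an added illustration of that model in Python; it is not Aruba code and the roles, rules, addresses and DSCP values in it are constructed for the example. It shows two things the prose states: the same flow gets a different verdict depending on the user's role, and reply traffic is permitted from session state rather than from a port-based rule, which is what a subnet/port-only firewall cannot do.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed example policy: ordered rules per role, implicit deny at the end.
# Constructed DSCP/queue values: SIP signalling marked CS3 (24) into a voice queue.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Rule:
    proto: str = "any"
    dport: Optional[int] = None
    dst_net: str = "0.0.0.0/0"
    action: str = "permit"          # permit | drop | reject
    dscp: Optional[int] = None      # optional marking applied on permit
    queue: Optional[str] = None     # optional queue assignment on permit
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))

@dataclass
class Verdict:
    action: str
    dscp: Optional[int] = None
    queue: Optional[str] = None
    from_state: bool = False        # True when permitted by an existing session

POLICY = {
    "employee": [
        Rule("udp", 5060, action="permit", dscp=24, queue="voice"),
        Rule("tcp", 443, action="permit"),
        Rule("any", dst_net="10.0.0.0/8", action="permit", log=True),
    ],
    "guest": [
        Rule("any", dst_net="10.0.0.0/8", action="drop", log=True),  # no internal access
        Rule("tcp", 443, action="permit"),
        Rule("tcp", 80, action="permit"),
    ],
}

class UserFirewall:
    """One stateful firewall instance per authenticated user, bound to that user's role."""

    def __init__(self, user: str, role: str, policy: dict):
        self.user, self.role = user, role
        self.rules: List[Rule] = policy[role]
        self.sessions: set = set()          # 5-tuples of flows permitted by a rule
        self.log: List[str] = []

    def evaluate(self, p: Packet) -> Verdict:
        # Reply direction of an established session is permitted by state alone.
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if reverse in self.sessions:
            return Verdict("permit", from_state=True)
        # Otherwise walk the role's rules in order; first match wins.
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{self.user}/{self.role} {r.action} "
                                    f"{p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
                if r.action == "permit":
                    self.sessions.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return Verdict(r.action, r.dscp, r.queue)
        return Verdict("drop")  # implicit deny when no rule matches

if __name__ == "__main__":
    alice = UserFirewall("alice", "employee", POLICY)
    bob = UserFirewall("bob", "guest", POLICY)
    flow = Packet("172.16.5.9", "10.1.2.3", "tcp", 51000, 443)
    print("employee ->", alice.evaluate(flow))
    print("employee reply ->", alice.evaluate(Packet("10.1.2.3", "172.16.5.9", "tcp", 443, 51000)))
    print("guest ->", bob.evaluate(Packet("172.16.5.10", "10.1.2.3", "tcp", 51000, 443)))
    print(bob.log)
```

Note that a guest's packet to the internal network and an employee's identical packet differ only in the firewall instance they pass through; the return packet from the server is accepted for the employee because a session exists, and dropped for the guest because none was created.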
Dynamic traffic management
PEF provides controls to optimize wireless network bandwidth usage, which can be a limited resource in many networks. Role-based policies can limit the maximum amount of bandwidth consumption for a particular user or class of users, preventing "power users" from monopolizing network resources. At the same time, traffic management policies also guarantee a minimum amount of bandwidth to ensure that devices are not starved. On Wi-Fi networks, PEF optimizes performance-robbing broadcast and multicast traffic to improve application performance. Other bandwidth-hungry protocols such as mDNS, ARP, and NetBIOS broadcasts can be filtered completely and confined only to specific portions of the network.
High-performance traffic processing
With PEF, policy enforcement does not come at the expense of performance. All Aruba controllers are purpose-built for high-speed processing of network traffic with dedicated hardware for control processing, network traffic processing, and encryption. The result is high-speed, low-latency policy enforcement that scales up to thousands of users and hundreds of thousands of active sessions.
External authentication and authorization interfaces
Extended authorization control allows fine-grained control of users from authorization and authentication servers. Controls such as automatic disconnection from the network, role reassignment, and dynamic updates of firewall policies can be enabled. This functionality is enabled by two Application Programming Interfaces (APIs): the IETF standard RFC 3576 (RADIUS Dynamic Authorization Extensions, which defines Disconnect and Change-of-Authorization messages), and a simple, yet flexible, XML-based API. These APIs both allow external systems to exert user and policy control over an Aruba controller.
Ease network security deployments
The External Services Interface (ESI) allows a wide array of network service appliances to be co-located with an Aruba controller to provide their services to clients on the network. Appliances providing services such as virus protection, content inspection and filtering, intrusion detection and prevention, content transformation, protocol-based bandwidth shaping and more are all enabled centrally. Until now, deploying such services in the interior of the network required placement of network service devices in every wiring closet, where they were placed in-line with all network traffic. ESI permits a centralized approach, enabling scalable and manageable deployments that minimize both capital and operational costs.