Wi-Fi's Traffic Cops
Keerti Melkote and Pankaj Manglik had only worked for Intel's IT department a couple of years when, in February 1994, a strange protocol suddenly appeared on the chip-making giant's corporate network. Melkote and Manglik weren't hawking security software or developing IT products at Intel. They were in the trenches of Intel's network nerve center, fighting off the electronic antics of one of the most computer-savvy work forces in the country.
So when this unauthorized protocol with the odd name “HTTP” began traversing their networks — and employees began downloading a strange browsing program called Mosaic — Melkote and Manglik knew exactly what to do.
“It was sucking up fifty percent of our network capacity, and as far as we could tell, it had absolutely no value whatsoever,” Melkote said. “We told each other, ‘We should shut this down.’”
So Melkote and Manglik pulled the plug on the then-infant World Wide Web — or at least Intel's access to it. It may seem draconian, but keep in mind the Internet of the early 1990s wasn't the all-encompassing business and productivity tool it is today. Melkote and Manglik instead saw a bunch of Intel employees nosing into something they shouldn't have been. And with characteristic IT zeal, they put a stop to it. “We weren't the most popular guys at Intel that day,” Melkote chuckled.
Making the network run smoothly has been the duo's goal ever since — even if it means ruining everyone else's fun. In fact, they decided to base a new company on the idea of spoiling the fun. In October 2001, Melkote and Manglik got the idea to develop an intelligent wireless switch imbued with the same hard-nosed dedication to network security the two shared at Intel. Four months later, they founded Aruba Wireless Networks.
In title, Manglik is Aruba's CEO and Melkote its vice president of product management. But those monikers are essentially meaningless. The two men make all decisions together, and even finish each other's sentences. At meetings, they drive their staff crazy by communicating with one another with an intricate lexicon of facial expressions no one else can comprehend.
“It's weird — they seem to speak in one voice,” an Aruba spokesman said. “When one of them is drinking a glass of water, the other one isn't talking.”
Despite the quirkiness of its founders, Aruba has managed to execute their vision precisely. In less than a year, Aruba got its switch out of development and into trials. The handy little gizmo's primary function is to make the wireless network act as an extension of the LAN. But Aruba's Wi-Fi switch is also designed to clamp down on the biggest security problems plaguing wireless LANs today: rogue access points, unfettered guest access to the network, and — most threatening of all — hacking.
The reason? Wi-Fi's proliferation has turned once-secure wireline networks into wireless free-for-alls, which Manglik and Melkote cannot abide.
“The IT department is starting to lose control of the network,” Melkote said. “Some forty-five percent of all laptops are now wirelessly-enabled. Soon it'll be ninety percent, and all of those laptop users will expect to get on the network wirelessly. They're going into Best Buy and buying cheap access points that they plug into their Ethernet ports at the office. Employees are starting to take the network into their own hands — and it's starting to scare the hell out of IT people.”
Melkote's arguments aren't the paranoid rants of a network manager. Rogue access points are a growing problem among enterprise networks — even a single, freely broadcasting radio compromises the security of the entire network. And with the general availability of plug-and-play Wi-Fi equipment, it doesn't take an engineer to break a secure Ethernet network wide open. It only takes some joker with a wireless LAN card and malevolent intentions, and an enterprise network can be in serious trouble.
What's more, the growing popularity of Wi-Fi has made it hard to distinguish between networks, and access points are casting pools of coverage from office to office. For instance, an employee at a law firm may inadvertently log onto the network of the bank downstairs. Consequently, Aruba's switch incorporates all of the network's intelligence into a single location and communicates directly with the corporate LAN's servers. And while it may emulate a standard Ethernet network, the Aruba system has quite a few buffed-up features designed specifically for the peculiarities of a radio network.
First of all, Aruba's access points are capable of monitoring the frequency traffic in their vicinity. But these air monitors don't just listen — they act. If they detect an unauthorized data stream zipping through the airwaves — whether to an internal or external access point — they “spoof” the offending WLAN card, sending signals forcing it to shut down. Aruba's air monitor also detects when its client computers are wandering and reins them back in. The access points essentially act as guard dogs, keeping authorized computers on the network's turf and keeping unauthorized computers off.
Melkote and Manglik call the process “locking the airspace,” and once implemented, they claim the wireless LAN might as well be situated in an underground bunker. Their network doesn't exist entirely in a vacuum, though — even the most hardened IT manager has to allow for exceptions. Though the Aruba switch permits authorized guests onto the network for Internet access, it keeps them outside the network firewall, which allows for roaming between access points but keeps them from poking around on the corporate servers.
For good measure, Aruba has beefed up the switch's authentication and security software in the event that anyone tries to exploit these openings as a weakness. And to prevent its air monitors from going ape on a neighboring Wi-Fi network, Aruba has built in verification protocols that allow the access points to distinguish another network from its own. For every questionable wireless data stream it detects, the switch verifies whether there is a corresponding data stream running through the wired network; if it doesn't find one, it leaves the WLAN card in peace, thus preventing it from shutting down every Wi-Fi network in the building.
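The wired-side check described above can be sketched as follows. This is an added example, not Aruba's code and not part of the original article; every MAC address, the verdict labels and the adjacent-MAC heuristic for access points that hide their clients behind NAT are assumptions of the sketch, and the heuristic goes beyond what the article describes.

```python
# Added example: decide whether an access point heard over the air is a
# rogue on our LAN or just a neighbor. All addresses are constructed.
from collections import defaultdict

MANAGED_BSSIDS = {"00:0b:86:00:00:10"}  # access points we operate

# (bssid, client_mac) pairs reported by the air monitors (constructed)
AIR_OBSERVATIONS = [
    ("00:0b:86:00:00:10", "00:11:22:33:44:01"),  # our AP, employee laptop
    ("00:40:96:aa:bb:01", "00:11:22:33:44:02"),  # unknown AP bridged to LAN
    ("00:40:96:aa:bb:01", "00:11:22:33:44:03"),
    ("00:0f:66:cc:dd:05", "00:11:22:33:44:04"),  # unknown AP doing NAT
    ("00:06:25:ee:ff:09", "00:11:22:33:44:05"),  # the bank downstairs
]

# Source MACs learned on the wired switch ports (constructed)
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02",
              "00:11:22:33:44:03", "00:0f:66:cc:dd:04"}

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def adjacent_on_wire(bssid, wired, window=1):
    """Assumed heuristic: a NAT router's Ethernet MAC often sits next to
    its radio MAC, so a near-match on the wire ties the AP to our LAN."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= window for m in wired)

def classify(observations, wired, managed):
    clients = defaultdict(set)
    for bssid, client in observations:
        clients[bssid].add(client)
    verdicts = {}
    for bssid, seen in clients.items():
        if bssid in managed:
            verdicts[bssid] = "managed"
        elif seen & wired:
            # Wireless clients of this AP also appear on our wire.
            verdicts[bssid] = "rogue-bridged"
        elif adjacent_on_wire(bssid, wired):
            verdicts[bssid] = "rogue-nat-suspect"
        else:
            # No matching wired traffic: someone else's network.
            verdicts[bssid] = "neighbor"
    return verdicts

if __name__ == "__main__":
    for bssid, verdict in classify(AIR_OBSERVATIONS, WIRED_MACS,
                                   MANAGED_BSSIDS).items():
        print(bssid, verdict)
```

Only the two rogue verdicts would warrant a response; the `neighbor` result is the case the article describes as leaving the WLAN card in peace.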
“Access points, for all of their sophistication, are not social animals,” Melkote said. “They're not aware they are part of a larger network. We're teaching them to function in a larger society.”
But is the enterprise world ready for a socially aware access point? According to Meta Senior Research Analyst Chris Kozup, it is. Any network that can intelligently manage the sprawling wireless needs of large enterprises is just what the sector is screaming for, Kozup said.
“The biggest problem in this industry is how to make wireless LANs big enough and robust enough to be deployed by enterprises,” Kozup said. “No one seems to have the answer.”
Although intelligent Wi-Fi networks are nothing new, approaches vary. A few giants dominate the market, the most gargantuan of them all being Cisco Systems, which has adopted a decentralized approach that puts the network intelligence into the access points. While that sort of architecture may work for smaller businesses, the hundreds of access points required by enterprises send costs skyward. Wireless networking developer Proxim was the first out of the gate with a centralized intelligent architecture, but Aruba bypasses the complexity of Proxim's systems by merging all network elements into a single switch, Kozup said.
Superior technology, however, doesn't necessarily guarantee success. Wi-Fi is primarily a business technology, and businesses are accustomed to buying their equipment from the same people who sold them their fixed LAN technology, Kozup said. Aruba has designed its equipment to work with most of the major vendors' access points, but unless Aruba strikes a deal — either an OEM agreement or acquisition by a major vendor — it will find it impossible to compete in this market, Kozup said.
Acquisitions seem to be far from Melkote's and Manglik's minds, at least for the time being. Melkote pointed out that the company is barely a year old, receiving its first funding only in January 2002. Aruba's first priority is instead to get a commercial product on the market. And while battles with companies like Cisco, Proxim and Symbol may be some distance down the road, there are now several other ventures, including Trapeze Networks, AirFlow Networks and Blackstorm Networks, that are developing wireless switch technology and looming in Aruba's rearview mirror. The technologies they are using vary, as do their feature sets. But because the Wi-Fi market is expanding so rapidly, the first out of the gate will gain a tremendous advantage.
In the meantime, Melkote and Manglik already have plans for their next-generation switch. Ironically, they plan to make their networks more accessible and integrated with public networks, going against the IT manager's “keep off the grass” creed. Aruba's switch is already compatible with all Wi-Fi technologies, whether 802.11a, b or c, but Melkote said Aruba plans to extend that connectivity to wireless mobile networks and hot spots, carrying the network's mobile firewall and security features along with it.
“It's the new groundswell technology,” Melkote said. “Public and private networks are integrating, and the security issues for those networks are even greater.”
Just think: Once Aruba's second-generation switch hits the market, an employee's network access could feasibly be shut down even if he's half a continent away.
That has to make the IT managers in Melkote and Manglik very, very happy.
© 2012 Penton Media Inc.







