
The Mobile Edge

Aruba Networks | www.arubanetworks.com


Network managers today are faced with three major IT trends that they must address: mobility, security, and convergence. Mobility is heavily driven by the users through technologies such as wireless LANs, cellular phones and VPNs to conduct business in the office, on the road and at home. Network security has become increasingly important in the age of Internet worms, viruses, and spyware. Data security—protecting information assets against unauthorized disclosure, alteration, or destruction—has taken on increased importance with the introduction of new government regulations related to privacy, confidentiality, and integrity of financial results. Finally, converged networks that support both data and voice offer financial benefits and support richer enterprise communications than separate voice and data networks.

The Mobility Challenge
The mobility, security and convergence trends intersect at the edge of the network – the point where users connect to enterprise services. The edge of the enterprise network today, built on the past decade of networking technology, is a fixed edge; that is, it’s wired. It was designed for a time when users and devices were not mobile, and when wireless was a point product used only in the warehouse and factory. The edge of today’s network is highly reliable and extremely simple. When users connect to a port, the network is there to provide them with instant high-speed access. But this simplicity does not lend itself to security – the network does not differentiate between authorized and unauthorized users, and it cannot make decisions about which people get which type of access. Traditional enterprise networks were built for best-effort data delivery. They were built before Power over Ethernet existed to supply power to desktop phones, and before application-aware quality of service (QoS) policies were needed to ensure high voice quality.

A traditional fixed network can be upgraded to address mobility, security, and convergence. The upgrade is a massive one, involving every closet switch, branch office router, core router, and even the physical cable plant.

However, there is an alternative to the disruption and expense that a massive network-wide upgrade would entail – the mobile edge – a non-disruptive overlay that solves security problems, enables ubiquitous mobility, and delivers new applications.

The Mobile Edge Solution
The mobile edge is a new architecture designed to meet the current and future requirements of a mobile workforce utilizing a distributed enterprise network. The mobile edge allows users and devices to connect over the air and across any network—including the LAN, WAN, and Internet—to securely gain access to enterprise data and voice resources. It is a new layer in the network that logically sits on top of existing fixed networks and fulfills the requirements of security, mobility and convergence without requiring major upgrades to the existing network. The mobile edge is architected to securely work over existing IP network facilities, and extends across both private enterprise networks as well as the public Internet. (See Figure 1)

Figure 1: The mobile edge is created as an overlay on top of the existing fixed network infrastructure, and securely extends the reach of the enterprise network across the campus, to regional and branch offices, retail locations, home offices, hotel rooms and hotspots.


The mobile edge supports true mobility where users can seamlessly and securely roam across multiple locations. In addition, it delivers voice convergence through multimedia mobile devices and Voice over Wireless LAN (VoWLAN) handsets with high quality and reliability. This eliminates the significant expense of adding powered VoIP ports to the fixed edge.

Further, the mobile edge is built on the notion of identity-based security. Mobile users and devices, by definition, do not connect to the network through a fixed port. For this reason, the network must identify every user and device that joins the network. Once this identity is known, custom security policies may be applied to the network so that only access appropriate to the business needs of the user or device is provided. This drastically improves network security by eliminating excess privilege on the network while providing identity-based auditing. (See sidebar, “Wireless Security – Protecting a Moving Target”)

The mobile edge not only solves today’s challenges around mobility, security and convergence, but provides a roadmap to reduce overall costs for network infrastructure. The natural long-term evolution of the enterprise network edge is to become predominantly wireless. When this happens, a radical transformation of enterprise network economics will be realized when the costs of cabling infrastructure and the operational expense of moves, adds and changes are eliminated.

A mobile edge can be implemented with an integrated WLAN system consisting of three components:

  1. System software which provides all the intelligence for the mobile edge
  2. Mobility controllers which are centralized service delivery platforms for the mobile edge
  3. Controlled access points (APs) which tunnel wired and wireless user traffic to mobility controllers over the LAN, WAN and the Internet

Using a robust and sophisticated suite of system software to power the mobile edge, all mobile edge operations can be coordinated with advanced capabilities that include seamless mobility, identity-based security, non-disruptive integration into existing networks, mobile VoIP capabilities, adaptive radio management, enterprise-class resiliency, open APIs, end-to-end QoS and centralized management.

With fully integrated software running on all mobility controllers and controlled access points, a mobile edge system can work seamlessly in delivering services to users in all locations. A base feature set for each mobility controller should include sophisticated authentication and encryption, seamless mobility with fast roaming, RF management and analysis tools, centralized configuration, and location tracking.

A centralized management platform gives administrators a single point of control from which to locate and shut down rogue APs, identify and thwart malicious attacks and impersonations, load-balance traffic, detect coverage holes and interference, and create stateful role-based security policies that follow individuals as they move across the mobile edge.

Mobility controllers are high-performance networking platforms purpose-built to run centralized software functions such as controlled access point management, 802.11 station management, 802.1X authentication and encryption, site-to-site and client VPNs using IPSec/3DES encryption, stateful policy enforcement firewalls, L1-L7 intrusion protection, endpoint integrity checking, and seamless user roaming between access points and across mobility controllers.

In a mobile edge deployment, wired and wireless APs serve as distributed traffic collectors tunneling wired and wireless traffic to mobility controllers over IP networks. Wireless APs provide radio coverage and user connectivity services while simultaneously serving as surveillance devices that constantly monitor the air for radio-based security threats. They also perform intrusion protection functions when wireless threats are detected. Wireless APs can also run distributed software functions such as adaptive radio management, distributed encryption for local forwarding of wireless LAN traffic, wireless intrusion detection and protection, rogue AP detection and containment among others. Wired APs simply serve as traffic collectors and tunnel wired user traffic across a LAN or a WAN to a centralized mobility controller. All of these devices work as part of an integrated system with mobility controllers and mobility software to provide a high-performance, secure mobile edge.

Mobile Edge Technology
In order to deliver ubiquitous mobility and voice services securely, a mobile edge system should incorporate an integrated suite of security, multimedia and quality of service technologies.

A mobile edge system uses wireless LAN (WLAN) technology to create mobile connections for end users at the network edge. The mobile edge transcends the enterprise network perimeter and spans the LAN, WAN and the public Internet to create a single, secure system that follows the user, appearing wherever the user needs access to corporate network services.

Key enabling technologies include:

  • Site-to-site VPN services, integrated into the mobile edge system, can be used to easily and economically interconnect multiple locations over the public Internet, creating a single mobility overlay at any location with Internet access.
  • 802.11i secures wireless LANs in a mobile edge deployment. No extra client software is required for 802.11i which makes it very easy to deploy widely. 802.11i uses the 802.1X framework for user authentication. Authentication protocols include PEAP, EAP-TLS, EAP-TTLS, LEAP, and EAP-FAST for identifying and authenticating users when they request access to the wireless LAN.
  • Remote AP system software can be deployed with a remote access point at small branch office locations and employee homes to securely extend the mobile edge to remote workers and telecommuters. A remote AP establishes a secure encrypted IPSec tunnel – even through NAT routers – to a central mobility controller, downloads all security policy and configuration directly from the mobility controllers, and brings up all the enterprise wireless services, including full encryption and authentication.
  • Role-based access control allows enterprises to segment network access based on the organizational role of the user. Mobility controllers can dynamically derive a user’s access control policy by receiving their role membership information from an existing LDAP, RADIUS or Microsoft Active Directory server. The access control policy for a given role is configured at the central mobility controller to simplify the provisioning and deployment of fine-grained policies throughout the mobile edge.
  • Using a built-in stateful firewall, a mobile edge system can marry identity networking with application-aware security. The resulting identity-based security system is an advanced solution for applying application-aware firewall policies to end users. This identity-based security follows the user and applies the same set of policies to the end user irrespective of the wired LAN port or wireless access point that they connect into.
  • The mobile edge integrates wireless intrusion prevention and is able to detect policy violations at Layers 1 through 7 in the TCP/IP protocol stack. Therefore, when an offending user or a rogue device is detected, they can be easily isolated and disconnected from the corporate network. A mobile edge system has many advanced features enabling detection, identification, location and suppression of rogue APs, both in the air and on the wired network.
  • For voice over wireless, the mobile edge supports end-to-end QoS for multi-service applications, checking the legitimacy of client priority requests by following the voice signaling stream and respecting relevant L2 and L3 QoS tags. Other features for voice include call admission control based on the number of active calls on an AP, bandwidth control to limit the amount of bandwidth lower priority devices can use, and voice-aware RF management to prevent loss of voice quality by temporarily preventing APs supporting active voice calls from time-slicing to monitor other channels. The identity-based stateful firewall enables the mobile edge to deliver advanced features such as separating voice and data flows from a dual-mode client, giving each the requisite QoS treatment.

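The role-based access control, identity-based stateful firewall and voice QoS bullets above describe one policy engine: derive a role from directory membership at login, apply that role's rules to the user wherever they connect, and honour voice priority only for media the signaling stream actually set up. The toy model below is an added illustration, not Aruba code; the directory entries, group-to-role mapping, addresses, SIP fragment and policy rules are all constructed assumptions.

```python
"""Toy identity-based policy engine: role derived from directory groups, per-role
stateful rules that follow the user across APs, voice priority tied to SIP/SDP."""
import re
from dataclasses import dataclass, field

# Stand-in for the LDAP/RADIUS/AD lookup: group membership keyed by user (constructed).
DIRECTORY = {
    "alice": ["Domain Users", "Engineering"],
    "bob": ["Domain Users", "Voice-Handsets"],
}
GROUP_TO_ROLE = [("Voice-Handsets", "voice"), ("Engineering", "employee")]  # first match wins

# Per-role rules (action, proto, destination prefix, port), evaluated in order; default deny.
# Port "rtp" means a UDP port learned from that user's own SIP/SDP signaling.
ROLE_POLICY = {
    "employee": [("allow", "tcp", "10.", None), ("allow", "udp", "10.0.0.53", 53)],
    "voice": [("allow", "udp", "10.0.5.1", 5060), ("allow", "udp", "10.", "rtp")],
    "guest": [("deny", "any", "10.", None), ("allow", "tcp", "", 80), ("allow", "tcp", "", 443)],
}
DSCP_EF = 46  # Expedited Forwarding, the priority a voice client asks for

@dataclass
class Session:
    """Per-user state that follows the user: identity, role and learned media ports."""
    user: str
    role: str
    rtp_ports: set = field(default_factory=set)

def authenticate(user: str) -> Session:
    """Derive the role from directory groups; users with no mapped group land in guest."""
    groups = DIRECTORY.get(user, [])
    role = next((r for g, r in GROUP_TO_ROLE if g in groups), "guest")
    return Session(user, role)

def observe_sip(session: Session, sip_message: str) -> None:
    """Follow the signaling stream: remember RTP ports announced in SDP 'm=audio' lines."""
    for port in re.findall(r"^m=audio (\d+) RTP/AVP", sip_message, re.MULTILINE):
        session.rtp_ports.add(int(port))

def evaluate(session: Session, proto: str, dst: str, dport: int, dscp: int = 0) -> tuple:
    """Return (action, dscp) for one flow; the AP or port the user is on plays no part."""
    for action, rule_proto, prefix, rule_port in ROLE_POLICY[session.role]:
        if rule_proto not in ("any", proto) or not dst.startswith(prefix):
            continue
        if rule_port == "rtp":
            if dport not in session.rtp_ports:
                continue
        elif rule_port not in (None, dport):
            continue
        # Priority is kept only on media the signaling set up; anything else is re-marked.
        legit_voice = session.role == "voice" and dport in session.rtp_ports
        return action, (DSCP_EF if dscp == DSCP_EF and legit_voice else 0)
    return "deny", 0
```

The same user object is evaluated at every AP, so a roaming handset keeps its voice rules and a guest never reaches the internal range, which is the "follows the user" property the bullets describe.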
Mobile Edge Applications
The mobile edge is an enabling technology for new applications that can deliver increased productivity, cost savings, security improvements, and faster access to information. The mobile edge enables several major applications in the areas of mobility, security, and convergence.

For mobility, mobile edge deployments include extension of the enterprise, hotspots, and guest access. With a portable, personal remote access point a user can extend the mobile edge anywhere they travel including home and hotels. With any Internet connection, an identical, secure version of the corporate wireless network appears. Mobile edge technology also enables the deployment of both public and private hotspots that can be centrally managed and provisioned. Guest access is enabled for both wired and wireless authorized visitors, while keeping the internal network secure.

The mobile edge improves network security with centrally administered security applications. Identity-based security protects resources by identifying the business role of the user and then allowing only network access appropriate to that role. WLAN intrusion prevention prevents security breaches by identifying threats to the network from attackers and uncontrolled wireless devices. With endpoint integrity, a defined level of client security—such as anti-virus, anti-spyware, personal firewall software—is confirmed before network access is granted.

Finally, the mobile edge enables convergence solutions that combine voice and data on a single WLAN infrastructure. Voice over WLAN provides the cost advantages of Voice over IP with the mobility benefits of cellular voice. Converged mobile devices utilize quality of service and access control to deliver unified communications on a single device that integrates multi-media services such as voice, data, email, and fax. In the future, fixed-mobile convergence solutions will unify public and private voice networks by providing seamless handoffs between networks for dual-mode cellular/Wi-Fi voice devices.

Wireless Security – Protecting a Moving Target
New wireless security standards, such as 802.11i, make it possible for a properly implemented wireless network to be more secure than a wired network. However, an improperly implemented and secured wireless network will expose the enterprise to a multitude of threats. Examples of these threats include:

  • Rogue Access Points – Whether a network is wireless-enabled or not, rogue APs are one of the greatest threats to network security today. One employee with a consumer-grade AP can single-handedly open the entire security perimeter, bypassing firewalls and other security systems.
  • Uncontrolled Clients – Many end-user devices, such as laptops, PDAs and mobile phones, come equipped with wireless capabilities. When these devices are misconfigured or improperly secured, they can become a security risk, allowing for intrusion or loss of confidential information.
  • Active Attacks – Active attacks range from simple RF jamming to sophisticated “man in the middle” attacks where an attacker is inserted into the communication path and is able to add, delete, or modify data in transit.

Securing a mobile network requires a completely different approach than the static security policies used for wired networks. In addition to comprehensive wireless intrusion protection, the system must be identity-based, with a granular understanding of user characteristics, such as role, location and application usage. Additionally, the wireless and security architecture must be centralized to ensure that consistent security policies and access privileges are maintained as users roam. This can only be accomplished if authentication, encryption and access control are executed within the same network device.

  • Authentication provides identity information and ensures that only valid, authorized users have access to the network. Authentication is absolutely critical for wireless networks because radio waves inevitably travel outside their desired coverage area. Centralizing authentication has widespread benefits because all information regarding authentication, encryption and mobility are stored in a single device.
  • Encryption provides confidentiality and integrity of data. However, implementing strong encryption standards, such as 802.11i, has architectural considerations. A primary safety concern with encryption involves the passing of keys. A centralized architecture bypasses these risks by performing all encryption and decryption in a controller, which is typically located in a physically secure data center. With encryption keys never leaving the data center, there is no risk of interception.
  • Access control determines who is allowed on a network and what resources they are allowed to access. In a mobile network, access control requires more than simply extending port-based security conventions. To support mobile access control, more detailed criteria must be considered such as user identification, role, device, application, content, and location.

When authentication, encryption and access control functions are aware of each other, identification is determinative and true identity-based security can be achieved.

Maintaining strong security in mobile networks requires a centralized architecture and layered approach including wireless intrusion protection, authentication, encryption and access control. Doing so will provide stronger security protection than current wired networks, along with the economic benefits brought about by mobility.

