
What does the Aruba Policy Enforcement Firewall module do?

Product and Software: This article applies to all Aruba mobility controllers and ArubaOS 3.x.

The Aruba Policy Enforcement Firewall module provides identity-based security, Quality of Service (QoS) control, and traffic-management capabilities to a user-centric network. Identity-based security is essential because mobile users can enter a network at any point, wired or wireless.


The Aruba ICSA-certified stateful firewall enables user classification on the basis of user identity, device type, location, and time of day, and it provides differentiated access for different classes of users.


Identity-based Stateful Firewalls


Firewall rules are aware of the user, not just IP addresses, which leads to greater visibility and more complete control.


ICSA Certification


Industry-standard verification of firewall quality and security provides assurance that complete independent testing has been performed.


Policy-based Access Control


Policy-based access control translates the written corporate security policy into rules the controller enforces at the point of access. Compliance with the policy becomes mandatory and enforced rather than something that is only monitored after the fact.


QoS Control


Stateful flow classification enables identification of application flows for special treatment, such as providing enhanced QoS for voice.


Role-based Access Control


Roles let one set of policies be applied as a template to every user who shares a group membership, which simplifies administration.


High-Performance Security


· Hardware-accelerated encryption/decryption and firewall rule processing eliminates bottlenecks.


· Separation of control and data plane allows for scalability.


Wireless networks lack the physical access control that a wired port provides, so mobile users need to be treated with greater scrutiny than traditional fixed users. Firewalls are a mandatory part of an enterprise's layered security strategy for the mobile network, and Aruba's identity-based stateful firewall lets enterprises define access controls for any user or group of users on the network.


Identity-based Stateful Firewalls


Aruba mobility controllers provide a single point of encryption/decryption, authentication, and firewall enforcement. Because the controller terminates the user's encrypted session and binds the authenticated identity to that session, its firewall rules apply to the user rather than to whatever source address a packet happens to carry. This makes it far more resistant to IP spoofing than a traditional network-based firewall, which filters on IP address alone and cannot tell a legitimate host from one that has forged its address.

Complete Policy-based Access Control


Most organizations have written IT security policies that dictate which network access, protocols, and applications are permitted or denied, and which levels of service are provided. In most enterprises, compliance is monitored to varying degrees, but violations are discovered and dealt with after the fact. Aruba lets policies be actively enforced, even in a mobile environment, with policies following users as they roam across the edge of the network.


Figure: the firewall policy configuration page in the controller's GUI (screenshot not reproduced here).


QoS Service Control


After application flows have been identified by the firewall, standard firewall actions, such as permit, drop, log, or reject, can be applied. However, the Aruba stateful firewall capability enables more than just robust security. Rule actions can also tag packets with an 802.1p or DSCP marking, prioritize the traffic into multiple queues, or even redirect specific protocols to different destinations. Flow classification is stateful for many popular protocols, such as SIP, which permits appropriate QoS to be applied to both the control protocol and the call sessions.
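The stateful, identity-based evaluation described in this section and the preceding ones, as a small added model written for this article. It is not ArubaOS code and not from the original page; the roles, rules, addresses, and the Packet/Rule/Verdict shapes are assumptions made here. It shows how a flow is classified once against the role's ordered rule list, how the reply direction is then admitted from the session table without a rule of its own, how a permit rule carries a DSCP marking, and why a station that borrows another user's IP address does not inherit that user's role.

```python
"""Toy model of an identity-based stateful session firewall (added example,
not ArubaOS code). Roles, rules, addresses and data shapes are invented."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str        # station address, fixed at 802.11 association
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    dst_prefix: Optional[str]   # destination prefix such as "10.1."; None = any
    service: Optional[tuple]    # (proto, dst_port); None = any service
    action: str                 # "permit" or "deny"
    dscp: Optional[int] = None  # QoS marking carried by a permit rule


@dataclass(frozen=True)
class Verdict:
    action: str
    dscp: Optional[int] = None
    reason: str = ""


class RoleFirewall:
    def __init__(self, policies):
        self.policies = policies   # role -> ordered rules, first match wins
        self.user_table = {}       # station MAC -> (bound IP, role)
        self.sessions = {}         # 5-tuple of a permitted flow -> Verdict

    def authenticate(self, mac, ip, role):
        """Bind a role to the station once 802.1X or captive portal succeeds."""
        self.user_table[mac] = (ip, role)

    def _first_match(self, role, p):
        for r in self.policies.get(role, []):
            if r.dst_prefix is not None and not p.dst_ip.startswith(r.dst_prefix):
                continue
            if r.service is not None and r.service != (p.proto, p.dst_port):
                continue
            return Verdict(r.action, r.dscp, "matched %s rule of role %s" % (r.action, role))
        return Verdict("deny", None, "implicit deny at end of ACL")

    def from_station(self, p):
        """Packet arriving over the station's wireless link."""
        entry = self.user_table.get(p.src_mac)
        if entry is None:
            return Verdict("deny", None, "unauthenticated station")
        bound_ip, role = entry
        if bound_ip != p.src_ip:
            # Identity is keyed by the station, so a borrowed IP buys no other role.
            return Verdict("deny", None, "source IP not bound to this station")
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        if key in self.sessions:
            return self.sessions[key]          # already classified, no rule walk
        verdict = self._first_match(role, p)
        if verdict.action == "permit":
            self.sessions[key] = verdict       # only permitted flows get a session
        return verdict

    def from_wire(self, p):
        """Packet from the wired side heading to a station: needs an existing session."""
        fwd = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        verdict = self.sessions.get(fwd)
        if verdict is None:
            return Verdict("deny", None, "no session for unsolicited inbound packet")
        return Verdict("permit", verdict.dscp, "reverse direction of an existing session")


def demo():
    """Constructed scenario; returns every verdict so it can be checked."""
    employee = [Rule("10.1.", ("tcp", 443), "permit"),        # HTTPS to intranet
                Rule("10.1.", None, "deny"),                   # nothing else there
                Rule(None, ("udp", 5060), "permit", dscp=46),  # SIP marked EF
                Rule(None, None, "permit")]                    # everything else
    guest = [Rule("10.", None, "deny"),                        # never the intranet
             Rule(None, ("tcp", 80), "permit"),
             Rule(None, ("tcp", 443), "permit")]               # implicit deny after
    fw = RoleFirewall({"employee": employee, "guest": guest})
    alice, bob = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    fw.authenticate(alice, "192.168.10.5", "employee")
    fw.authenticate(bob, "192.168.10.6", "guest")
    return {
        "employee_https_intranet": fw.from_station(Packet(alice, "192.168.10.5", 51000, "10.1.2.3", 443, "tcp")),
        "employee_ssh_intranet": fw.from_station(Packet(alice, "192.168.10.5", 51001, "10.1.2.3", 22, "tcp")),
        "employee_sip": fw.from_station(Packet(alice, "192.168.10.5", 5060, "10.2.0.10", 5060, "udp")),
        "guest_https_intranet": fw.from_station(Packet(bob, "192.168.10.6", 52000, "10.1.2.3", 443, "tcp")),
        "guest_https_internet": fw.from_station(Packet(bob, "192.168.10.6", 52001, "203.0.113.7", 443, "tcp")),
        "guest_using_employee_ip": fw.from_station(Packet(bob, "192.168.10.5", 52002, "10.1.2.3", 443, "tcp")),
        "reply_to_employee": fw.from_wire(Packet("00:00:00:00:00:00", "10.1.2.3", 443, "192.168.10.5", 51000, "tcp")),
        "unsolicited_inbound": fw.from_wire(Packet("00:00:00:00:00:00", "10.1.2.3", 443, "192.168.10.6", 40000, "tcp")),
    }
```

Calling `demo()` returns the verdict for each constructed packet. Two points are worth noticing in the output: the server's reply to the employee's HTTPS session is permitted although no rule anywhere allows traffic from the server, because the session table carries the forward decision (and its DSCP) to the reverse direction; and the guest station presenting the employee's IP address is denied before any rule is consulted, because the role is looked up by station, not by source address. A real controller does more than this model (port ranges, ALGs for protocols such as SIP, session ageing), but the ordering and binding semantics are the ones the text describes.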


Role-based Access Control


The Aruba stateful Policy Enforcement Firewall enables access to network resources based on the role of the user. This role is assigned or derived through a variety of different mechanisms, such as external authentication databases, ESSID, or physical location. After the role has been assigned to a user, differentiated policies can be applied.
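The role, policy, QoS and derivation pieces described in the last three sections, as an added ArubaOS 3.x configuration example written for this article; it is not a configuration from the original page or from Aruba. The netdestination, netservice, ACL, role, ESSID and RADIUS names and addresses are invented, and the RADIUS key is a placeholder. It goes slightly beyond the paragraphs by also showing a time-of-day condition (mentioned earlier under user classification) and logging on every deny.

```text
netdestination corp-servers
  network 10.1.0.0 255.255.0.0
!
netdestination voice-servers
  host 10.2.0.10
!
netservice svc-intranet-app tcp 8443
netservice svc-rtp-range udp 16384 32767
!
time-range working-hours periodic weekday 08:00 to 18:00
!
ip access-list session employee-acl
  user alias corp-servers svc-intranet-app permit time-range working-hours
  user alias corp-servers svc-intranet-app deny log
  user alias corp-servers any permit
  user alias voice-servers svc-sip-udp permit queue high dscp 46
  any any svc-rtp-range permit queue high dot1p-priority 6 dscp 46
  user any any permit
!
ip access-list session voice-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user alias voice-servers svc-sip-udp permit queue high dscp 46
  any any svc-rtp-range permit queue high dot1p-priority 6 dscp 46
  user any any deny log
!
ip access-list session guest-acl
  user alias corp-servers any deny log
  user any svc-dhcp permit
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
  user any any deny log
!
user-role employee
  session-acl employee-acl
!
user-role voice
  session-acl voice-acl
!
user-role guest
  session-acl guest-acl
!
aaa authentication-server radius corp-radius1
  host 10.1.0.20
  key ChangeMe-NotARealSecret
!
aaa server-group corp-radius
  auth-server corp-radius1
  set role condition Class equals Employee set-value employee
!
aaa derivation-rules user corp-ud-rules
  set role condition essid equals Corp-Voice set-value voice
!
aaa profile corp-aaa
  initial-role guest
  dot1x-default-role employee
  user-derivation-rules corp-ud-rules
  authentication-dot1x default
  dot1x-server-group corp-radius
```

Reading it top to bottom: named destinations and a custom service keep the rules legible; the time range makes the intranet application reachable only on weekdays between 08:00 and 18:00, with the next rule logging attempts outside that window. Session ACL rules are evaluated in order and the first match wins, so each ACL ends with an explicit catch-all (`user any any permit` for employees, `user any any deny log` for guests and phones). `user` as the source means the station the role is applied to; the SIP and RTP rules use `any` as the source so that inbound calls can reach a phone. The employee ACL marks SIP and RTP with DSCP 46 and 802.1p priority 6 and places them in the high-priority queue, which is the QoS action the text describes. Roles are then assigned three ways: the AAA profile starts every station in `guest`, a successful 802.1X authentication lands in `employee`, a RADIUS `Class=Employee` attribute selects `employee` explicitly, and a station associating to the `Corp-Voice` ESSID is derived into the restricted `voice` role by the user derivation rule before any credentials are seen. `show rights employee` prints the effective policy of a role, `show user-table` shows which role each station currently holds, and `show datapath session table` shows the sessions the firewall has classified.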


High-Performance Wireless Security

Until now, enterprises have been forced to quarantine wireless users in a DMZ, where they were authenticated and firewalled as if they were coming in from the Internet. That mechanism works from a security standpoint, but the performance offered to the wireless user suffers badly because of the limitations of DMZ-based VPN gateways and firewalls. Aruba lets corporate users be authenticated, encrypted, and firewalled inside the corporate intranet with a high degree of both security and performance, with the mobility controller serving as the connecting point between mobile users and the wired network.


Version History
Revision #: 1 of 1
Last update: 07-09-2014 03:09 PM