Companies struggle to control what goes in and comes out of corporate networks. The Web exacerbates that challenge because it can be a source for malware, productivity-killing sites and other problems. A variety of tools are available to help companies sort wanted from unwanted, and now a wireless provider is getting in on the act.
Today Xirrus announced Application Control, a new capability for its XR Series wireless arrays. The company says Application Control will identify applications on the wireless network and let administrators set a variety of policies, including blocking applications outright, prioritizing bandwidth for specific applications and limiting bandwidth for other applications.
This isn't a new idea, at least in the DMZ, where traffic-shaping products and next-generation firewalls from vendors such as Palo Alto Networks can perform the same functions.
However, Xirrus said it's the first vendor to bring this technology into wireless arrays. Competitors including Meraki and Aerohive market similar functionality in their wireless offerings. When pressed on this point, Xirrus explained the competitive differences in its approach.
While access points from other vendors may do some degree of application classification and control, Xirrus says its latest arrays are purpose-built with between two and six processor cores for deep packet inspection (DPI). The company claims that this provides capabilities that go far beyond what can be achieved with single-processor APs. It has licensed a DPI engine from a third party, though Xirrus declined to reveal the provider. The company says the DPI engine allows its arrays to precisely identify applications, which will give administrators very granular control, such as the ability to block the use of Farmville within Facebook while still allowing users to access the social networking site.
I don't buy Xirrus' claim of "first to market" for distributed traffic control after having used competitors' products, but I will reserve judgment on whether Xirrus is better at application classification and control than other WLAN vendors until I have a chance to try for myself or see a valid comparative review.
That said, there is merit to Xirrus' approach. Regardless of whose logo is on the access point or array, the distributed nature of wireless networking offers new paradigms for the likes of traffic shaping and control. As a past or current customer of Packeteer, Allot and Palo Alto Networks, I've seen my share of issues with bringing an enterprise's worth of data to a central resource to pick it apart and enforce policy on it. When the central magic fails, the effect is embarrassing and disruptive. But if that same detailed classification can be distributed, things get interesting.
In my own environment, I have more than 3,500 access points. Though my APs can't do DPI, I can envision the power of the enforcement construct if they could. Instead of traffic from 15,000 wireless client devices needing to come back to the core to be analyzed, each AP would share the duty, resulting in far less traffic getting deeper into the network as unwanted applications are discarded or throttled.
The loss of any one AP would really not degrade my overall traffic control strategy by much, as AP topology includes robust self-healing. And as long as the classification and control functions were as centrally manageable as a core-located appliance, I would really favor the distributed model.
I can't say whether Xirrus' Application Control feature will entice new customers, but the premise behind it is a good idea that will no doubt gain traction in the WLAN space. Xirrus says Application Control will be available in December.
Lee is a Network Engineer and Wireless Technical Lead for a large private university. He also teaches classes on networking, wireless network administration, and wireless security. Lee's technical background includes 10 years in the US Air Force as an Electronic Warfare ...