iPolicy Blocks Worms, Viruses Across 802.11 Nets

Network World Newsletter, Sept. 6, 2004
By Joanie Wexler

Much progress has been made to protect the traditional "WAN edge" from
Internet-bred worms and viruses that laptops and other mobile devices
might pick up and pass to a corporate network via remote connections.
But what about when infected portable devices link directly to the
corporate LAN?

Consider the case where users have had their Internet-attached laptops
with them on the road, then bring them into the office and connect to
the corporate network via an 802.11-based WLAN or plug directly into an
Ethernet port. In such cases, they will bypass the traditional firewall,
intrusion detection system, anti-virus check and so forth.
This can be an unfortunate situation. Once infected, internal computers
will generate increasing volumes of "bad" traffic, possibly creating
denial-of-service attacks.

WLAN switch vendors such as Aruba Wireless Networks have built stateful
firewalls into their products, which helps. These tend to support access
control lists only, however, filtering on IP source address or user
identity, but not checking for malicious signatures.
Intrusion prevention firewall maker iPolicy Networks bundles not only
access control but also a number of other security capabilities and
supports up to 4G bit/sec LAN connections in its equipment. So internal
LAN traffic can be secured in addition to traditional WAN-edge perimeter
traffic by an iPolicy device before being bounced through the LAN switch
and back out to other LAN devices, explains Antoine Gaessler, iPolicy
vice president of marketing.

In other words, WLAN client traffic could be put through the various
security paces that your enterprise runs in an iPolicy firewall -
intrusion detection/prevention, anti-virus updates, spam and URL
filters, and access control lists - before being granted access to LAN
resources.

The company, which has a reference-sell relationship with WLAN
switch-maker Meru Networks, last week added a bunch of new models to its
product suite, mixing and matching price/performance to the size and
throughput requirements of the enterprise site at hand. Considerations
are aggregate throughput, number of concurrent sessions and number of
new sessions-per-second supported. Lower-end products (the iPolicy 2000
series), with about 100M bit/sec throughput, start at about $5,000;
higher-end, multi-gigabit-speed products (the current iPolicy 6000
series) range in price from $50,000 to $200,000.
IPolicy touts its single-pass inspection engine, which allows its
devices to inspect a given packet just once against multiple rules. The
company says this improves performance compared with competing products
that inspect packets multiple times when running multiple security
applications