The ArubaOS Policy Enforcement Firewall (PEF) module Once the role of the user or device is determined, policies are
provides identity-based controls to enforce application-layer applied based on a series of administrator-defined templates.
security and prioritization. These policies follow the user throughout the network and are
applied uniformly across wireless, wired and VPN connections.
With PEF, IT can enforce network access policies that specify
who may access the network, with which mobile devices and Intelligent application identification
which areas of the network they may access.
Deep insight into Layer 4-7 traffic and intelligent analysis allows
The Aruba AppRF technology integrated with PEF delivers mobile Aruba AppRF technology to identify many new types of applications:
application traffic visibility through a simple dashboard that shows Mobile applications: Aruba AppRF technology distinguishes
the applications in use by user and device. corporate applications like Box from personal applications like Apple
FaceTime, even when they are running on the same mobile device.
Working with Aruba Adaptive Radio Management (ARM)
Network services like Apple AirPrint and AirPlay: Aruba
technology, which optimizes Wi-Fi client behavior and makes sure
optimizes IP multicast video traffic and automatically prioritizes
that APs stay clear of RF interference, PEF makes intelligent services, and adds policy controls.
decisions over the air based on its knowledge of mobile apps Web-based applications: Many web-based applications use
and devices. the same port to communicate with clients and appear as HTTP
traffic. Aruba AppRF technology resolves the destination address to
Identity-based policy controls identify unique applications like Facebook, Twitter, Box, WebEx and
PEF with AppRF technology provides user-level awareness of all hundreds of others.
traffic across the network. Aruba Mobility Controllers support Encrypted applications: For encrypted traffic, Aruba AppRF
multiple user categories on a single network, spanning wired, technology uses heuristics to look for traffic patterns and establishes
wireless and VPNs. a unique fingerprint to identify those applications.
During the network sign-on process, the identity and role of each Application dashboard
user or device is learned. Employees and other authorized internal
For the first time, Aruba gives IT a simple, powerful view of mobile
users can be treated as a single class or further subdivided
app usage and performance on the WLAN. Mobility Controllers
according to information found in a directory server.
display clickable charts with overview information on applications in
use, which are sortable by user ID, application, role and other criteria.
PEF features controls that optimize WLAN bandwidth utilization. Phone number association SIP-enabled devices can be tracked
Role-based policies can limit the maximum amount of bandwidth and displayed by their phone number.
consumption for a particular user or class of users, and prevents Call quality tracking Automatically calculate, display and track
power users from monopolizing network resources. the R-value for each SIP call being processed through a
Mobility Controller.
At the same time, traffic management policies can guarantee SIP authentication tracking Track the registration of SIP devices to
minimum amounts of bandwidth for devices to ensure that an IP PBX to determine if they are authenticated.
users stay productive. On WLANs, PEF optimizes Call detail records (CDRs) Display calls made to and from Wi-Fi
performance-robbing broadcast and multicast traffic to improve clients, including originator, terminator, termination reason, rejected
application performance. and failed calls, duration, and call quality.
Real-time call admission control (CAC) information Quickly
Other bandwidth-hungry protocols such as mDNS, ARP and determine call density, CAC state and active calls for load balancing.
NetBIOS broadcasts can be completely filtered and confined only
to specific portions of the network. High-performance traffic processing
With PEF, policy enforcement does not come at the expense of
Application-aware quality of performance or require additional external hardware.
service controls
After mobile apps are identified and visualized, access controls Aruba Mobility Controllers are purpose-built for high-speed
and policies can be applied to prioritize the performance of processing of network traffic with dedicated hardware for control
enterprise applications over personal ones. As mobile devices processing, network traffic processing and encryption.
contend for Wi-Fi bandwidth, AppRF technology protects the apps
The result is high-speed, low-latency policy enforcement that
you care most about.
scales up to many thousands of users and hundreds of thousands
Network services like Apple AirPrint and AirPlay are optimized, IP of active sessions.
multicast video traffic is automatically prioritized, and proprietary
Stateful firewalls for every user
Apple FaceTime traffic and encrypted voice and video sessions
like Microsoft Lync are automatically identified and prioritized. PEF implements a full stateful firewall instance around every user,
tightly controlling what the user is permitted to do and providing
In addition, common web services like Pandora, Netflix, Google separation between user classes.
Drive, Citrix GoToMeeting, Salesforce.com and Dropbox can be
prioritized over Wi-Fi based on user, device and location. For the highest level of network security, Mobility Controllers
support client-to-data center encryption, whether providing Wi-Fi
PEF can apply a number of firewall security actions to traffic, services or VPN tunneling. PEF provides a unified point for
including permit, drop, log or reject. Packets can also be tagged authentication, encryption and policy enforcement.
with 802.1p or DSCP markings, prioritized into multiple queues
and redirected to different destinations based on protocols. External authentication and
authorization interfaces
Advanced awareness of voice and video protocols permits
PEF extends fine-grained control over of users from authorization
appropriate QoS to be applied to both the control protocol and the
and authentication servers. Controls such as automatic
call sessions automatically.
disconnection from the network, role reassignment, and dynamic
PEF ensures that the appropriate priority level is mapped to the updates of firewall policies can be enabled.
associated protocol. For instance, if traffic to or from a user is
This functionality is enabled by two application programming
inconsistent with the associated QoS setting for voice, then that
interfaces (APIs) IETF standard RFC 3576 and a simple yet
traffic is reclassified to the appropriate priority.
flexible XML-based API. Both APIs allow external systems to exert
Most powerfully, knowledge of call status enables smarter user and policy control over Mobility Controllers.
voice-over-IP management across the air. Capabilities like RF
A third integration interface, a syslog processor, accepts syslog
management and load balancing do not affect voice quality during
messages from outside systems, processes them according to
a call. Instead, PEF waits until voice handsets are on-hook to
a regular-expression rule language, and then provides
perform RF optimization.
configurable actions such as changing a user role or placing a
user on a blacklist.
Aruba Policy Enforcement Firewall with Aruba AppRF Technology Aruba Data Sheet
Ordering Information
Part Number Description
Policy Enforcement Firewall module (## AP license) Applies to user traffic entering the Mobility Controller through an Aruba AP
LIC-PEFNG-##
or through a Mobility Controller wired port.
Policy Enforcement Firewall module for xx Mobility Controller model Applies to user traffic entering the Mobility Controller
LIC-PEFV-xx
through a VPN tunnel.
www.arubanetworks.com
2012 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility
Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective
owners. DS_PEF_112112