* IPolicy's LAN-side firewalls can thwart 802.11-borne infections

Much progress has been made to protect the traditional “WAN edge” from Internet-bred worms and viruses that laptops and other mobile devices might pick up and pass to a corporate network via remote connections. But what about when infected portable devices link directly to the corporate LAN?

Consider the case where users have had their Internet-attached laptops with them on the road, then bring them into the office and connect to the corporate network via an 802.11-based WLAN or plug directly into an Ethernet port. In such cases, they will bypass the traditional firewall, intrusion detection system, anti-virus check and so forth.

This can be an unfortunate situation. Once infected, internal computers will generate increasing volumes of “bad” traffic, possibly creating denial-of-service attacks.

WLAN switch vendors such as Aruba Wireless Networks have built stateful firewalls into their products, which helps. These tend to support access control lists only, however, filtering on IP source address or user identity, but not checking for malicious signatures.

Intrusion prevention firewall maker iPolicy Networks bundles not only access control but also a number of other security capabilities and supports up to 4G bit/sec LAN connections in its equipment. So internal LAN traffic can be secured in addition to traditional WAN-edge perimeter traffic by an iPolicy device before being bounced through the LAN switch and back out to other LAN devices, explains Antoine Gaessler, iPolicy vice president of marketing.

In other words, WLAN client traffic could be put through the various security paces that your enterprise runs in an iPolicy firewall – intrusion detection/prevention, anti-virus updates, spam and URL filters, and access control lists – before being granted access to LAN resources.

The company, which has a reference-sell relationship with WLAN switch-maker Meru Networks, last week added a bunch of new models to its product suite, mixing and matching price/performance to the size and throughput requirements of the enterprise site at hand. Considerations are aggregate throughput, number of concurrent sessions and number of new sessions-per-second supported. Lower-end products (the iPolicy 2000 series), with about 100M bit/sec throughput, start at about $5,000; higher-end, multi-gigabit-speed products (the current iPolicy 6000 series) range in price from $50,000 to $200,000.

IPolicy touts its single-pass inspection engine, which allows its devices to inspect a given packet just once against multiple rules. The company says this improves performance compared with competing products that inspect packets multiple times when running multiple security applications.