New security software from Aruba will restrict the resources available to foreign wireless clients as they connect to a corporate network.
The Client Integrity Module software, designed with Sygate, lets sysadmins control access by unmanaged WLAN clients, such as a notebook or PDA brought on-site by a supplier, contractor, salesperson or other visitor. If these foreign devices pass inspection, they can be given controlled access to specific resources. If they fail, they can be blocked or shunted to a quarantine site to get the needed anti-virus upgrades or security patches.
Aruba worked with Sygate to incorporate the Sygate On-Demand Agent into the Aruba switch operating system, linking the agent with Aruba's built-in stateful firewall. When the switch detects an unmanaged client, it can activate the client's Web browser and download the Sygate agent, which is about 500KB.
The agent scans the client based on one or more policies created by an administrator. It can check for up-to-date anti-virus software from vendors such as McAfee, Norton and Trend Micro, for personal firewalls, for Windows XP patches and software updates, for specific system registry values, and even for specific files. The results of the scan are sent back to the switch. The switch can then adjust the firewall settings to control what the client can access, and can download additional modules, such as a Sygate program that cleans browser and file caches.
Sysadmins set up the system using a Sygate PC program, called On-Demand Manager, selecting the detailed information the agent is to check for, such as the McAfee anti-virus software. The result is compiled into an XML file, which is then loaded on each Aruba switch in the WLAN. Separately, the administrator works on the designated Aruba master switch to set up the corresponding firewall policies. This process involves creating rules, such as "if the anti-virus check fails, redirect the client to the following location to get the latest anti-virus update".
The switch, using 802.1x authentication and Microsoft Group Policy Objects, can distinguish between a managed client, such as a corporate notebook configured for the network, and an unmanaged client, such as an employee's personal notebook or PDA, according to Merwyn Andrade, Aruba's CTO.
The key, he says, is that the unmanaged devices will lack a digital certificate, and will be unknown to the network. Once the Aruba switch gains that information, it can start the process of downloading the Sygate agent.
The Sygate modules that are now part of Release 2.5 of the agent, and are included in the Aruba offering, include one for blocking malicious code execution, one for detecting keystroke loggers, and a secure virtual desktop.
The virtual desktop creates a temporary space on the client for working with specific confidential data. The desktop encrypts and decrypts data, limits which applications can be used with it, and controls whether and how the data can be saved.
This is Sygate's first such deal with a WLAN switch vendor. Aruba seems to be the first WLAN vendor to incorporate third-party client scanning software in an effort to control access by unmanaged clients.
The Client Integrity Module has a starting price of $500 per switch, for the entry-level Aruba 800-4 four-port device.