Tag Archives: wireless

The Rule of 10s and 3s

A while back I wrote a blog post explaining how an antenna works when it is connected to a wireless access point. Today I’m going to add to that lesson by explaining The Rule of 10s and 3s. Essentially, you can use this rule to figure out what your transmit power is going to be when you add various connectors, cables, and external antennas to your access points. Without further ado:

Please remember that using The Rule of 10s and 3s does not give you exact figures. It should only be used to perform rough calculations. Also, this video is not intended to be a technical deep-dive into the field of RF mathematics. Instead, my goal is to explain the basics of a complex topic so that almost anyone can understand it. (I’ve assumed knowledge of milliwatts and decibels though).

Dan C.

Bonus marks if you can explain why having this knowledge is important for anyone working with WLANs. Leave your answer in the comments section and share this video with anyone you think might benefit from knowing this rule.
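As an added example (not part of the original post or video), the sketch below applies the rule as it is commonly stated: every 3 dB step roughly doubles or halves the power in milliwatts, and every 10 dB step multiplies or divides it by exactly 10. It compares the estimate with the exact decibel conversion; the radio output and component gains and losses are constructed values.

```python
# Added example (not from the original post): Rule of 10s and 3s on a
# constructed link budget, compared with the exact decibel conversion.

def decompose(db):
    """Express an integer dB change as 10*a + 3*b using the fewest steps."""
    best = None
    for b in range(-10, 11):          # some b in this range always works
        rest = db - 3 * b
        if rest % 10 == 0:
            a = rest // 10
            if best is None or abs(a) + abs(b) < abs(best[0]) + abs(best[1]):
                best = (a, b)
    return best

def rule_estimate(mw, db):
    """Each 10 dB step multiplies/divides by 10, each 3 dB step by 2."""
    a, b = decompose(db)
    return mw * 10.0 ** a * 2.0 ** b

def exact(mw, db):
    """Exact conversion: a change of db decibels scales power by 10^(db/10)."""
    return mw * 10 ** (db / 10)

# Constructed values: radio output and the gain/loss of each component.
RADIO_MW = 100
CHAIN = [("connectors", -1), ("cable run", -3), ("external antenna", +10)]

def radiated_power(mw, chain):
    """Sum the chain's gains and losses, then estimate the resulting power."""
    net_db = sum(db for _, db in chain)
    est, ref = rule_estimate(mw, net_db), exact(mw, net_db)
    return {
        "net_db": net_db,
        "steps": decompose(net_db),   # (number of 10s, number of 3s)
        "estimate_mw": est,
        "exact_mw": ref,
        "error_pct": 100 * (est - ref) / ref,
    }

if __name__ == "__main__":
    result = radiated_power(RADIO_MW, CHAIN)
    print("net change: %+d dB, steps (10s, 3s): %s"
          % (result["net_db"], result["steps"]))
    print("rule estimate: %.1f mW, exact: %.1f mW, error: %.2f%%"
          % (result["estimate_mw"], result["exact_mw"], result["error_pct"]))
```

The small error between the two figures is why the rule is only suitable for rough calculations.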

Security Challenges and Strategies with the Use of Mobile Devices

Recently, I have been reading about the security challenges many organizations are facing with regard to the use of mobile devices in their networks, and the various security strategies they can implement.

Use of mobile devices for business is growing at an exponential rate. This also increases the need for wirelessly-accessible peripherals, and exposure to new mobile applications. This is forcing IT departments to reassess their entire mobile security strategy and architecture. 

As more mobile devices access the corporate network, the risk of data loss, leakage of valuable intellectual property, and exposure to vulnerabilities (viruses/malware) increases significantly.

So how do you plan a successful mobile security strategy?  Below are some points to consider:

  1. Determine your mobility requirements. Who are the mobile employees and what IT resources do they need access to when they are mobile (e.g. corporate emails, calendars/contacts, corporate applications, etc.)?
  2. Establish corporate rules to give appropriate employees access to the necessary data and resources on their devices (crucial for productivity), and at the same time to ensure that this data is restricted on the device and can be wiped when required (crucial for security).
  3. With the constant influx of new mobile devices and platforms in the market, it is very important to decide on what devices and operating systems should be supported based on the security capabilities of these platforms.
  4. Decide whether these devices will be owned by the company or if employees will pay for their own devices (BYOD), while taking privacy and legal implications into account.
  5. Define acceptable use policies and identify security control requirements (e.g. password complexity, encryption, application control).
  6. Identify additional technology requirements to enforce these security policies (e.g. MDM, DLP, encryption, authentication).
  7. Create a training & awareness program for the employees, and ensure your support staff is prepared.

If you have any questions or require assistance in planning and designing your mobile security strategy, please contact your NCI rep today.

Ravish Shah

Using Aruba’s Tunneled-Node to Extend Wireless AAA Policies to the Wire

I recently recorded a 10 minute video demonstration of how you can use an Aruba Networks Mobility Access Switch to extend your existing wireless AAA and QoS policies out to the wired access layer.

Now that you’ve watched the video, here is a quick recap of some of the benefits and use cases for tunneled-node.

Benefits (In no specific order):

  • Management – AAA profiles for wired and wireless users are created in a single location.
  • Efficiency – Ideally, you already have strong AAA and QoS policies on the WLAN. Tunneled-Node means you don’t have to reinvent the wheel. Instead, just reuse the same policies and apply them to wired ports.
  • Security – This is the main driver now isn’t it? Clearly, having users/devices authenticate to receive derived roles matching their requirements is a much better way to go compared to wide open wired access for all.

Limitations:

  • Tunnels – The name kind of spells out the first limitation. Given that all traffic is tunneled to your mobility controller from the switch, you will need to make sure your controller is sized to handle the increased load.
  • Closed Architecture – Currently, this solution requires you to have both an Aruba mobility controller and mobility access switch. Both products function just fine without each other, but tunneled-node functionality requires both.

When is this solution a good fit?

In my opinion, the solution fits well in the following scenarios:

  • Board rooms and public spaces – A single switch could easily increase security in areas that host both employees and guests/contractors/students. Employees get internal access in boardrooms while guests get internet-only access even when plugging into the same port.
  • New WLAN deployments – If your organization is just deploying a new Aruba WLAN, then a mobility access switch could be of great benefit. You’ll need something to provide PoE power to the access points anyway.

I really don’t want this to come across as an Aruba advertisement. There are certainly other solutions on the market today but I think tunneled-node should be given serious consideration for any organization with an already deployed Aruba WLAN.

Daniel

Please feel free to contact us, or leave a comment, if you have questions about how this solution works. Also, the lab I used in the demo was built completely self-contained and portable. So, if you’d like to have a live demo, in-person, we can arrange that as well.

It’s More Than Just a Partner Conference

I’m happy to announce that I will be attending the 2012 Aruba Partner Summit from March 19th to March 21st in Las Vegas. I’ve never attended an Aruba partner conference before, but the impression I get is that this will be more than just another partner conference.

When I think of a typical partner conference, I envision a few speeches from CEOs and founders, maybe a hand-off demo or two, and possibly some whiz-bang-hey-look-how-awesome-we-are case study reviews. Boring. This will not be the case at the Aruba Partner Summit; just take a look at the agenda. The summit will have quite a few sales and technical information sessions to help get people exposed to the entire solution line-up.

Personally, I’m looking forward to the following two sessions:

  • Designing Wi-Fi Networks for High Density Environments
  • Overcoming Challenges in Outdoor Wireless

While these are the two sessions I’m looking forward to the most, I will be attending all of the technical sessions. I’ll try to post some updates during and after the summit to share what I can. Be sure to check back in a few weeks to get my thoughts on the summit and the future of wireless networking as Aruba sees it.

Daniel

If you’re interested in discussing any of the agenda items after the summit, please feel free to contact me. I’m always excited to sit and talk wireless with anyone who is interested in the technology.

Wireless UI Walkthroughs

Recently I created two wireless vendor UI walkthroughs and thought they would be worth sharing with the NCI crowd.

The first walkthrough is of the Meraki Systems Manager. This feature is built-in to the Meraki Enterprise Cloud Controller and offers a fairly extensive set of MDM features to Meraki customers at no extra cost.

The second walkthrough is of the Aruba Instant Virtual Controller UI. The Instant architecture does away with hardware controllers, feature licensing, and even simplifies the administrative experience.

I hope you find the videos interesting. As always, if you have any questions, or would like a live demonstration please do not hesitate to contact us.

Daniel

Bonus Marks: Did you spot the hidden surprise in one of the videos?

NCI’s @SimplyWifi Attending Wireless Field Day 2

The time has come. Today, one of NCI’s own will head to San Jose to attend the Wi-Fi Mobility Symposium and then be a delegate at Wireless Field Day 2!

This promises to be an amazing event and we are thrilled to have one of our own attending. Just look at the schedule:

Wednesday, January 25 – Wi-Fi Mobility Symposium

This event will cover important topics such as: Mobile Devices & BYOD, Gigabit Wi-Fi, and Hotspot 2.0.

Thursday, January 26 to Friday, January 27 – Wireless Field Day 2

Two days of in-depth, technical presentations and discussions with many of the wireless industry’s most exciting vendors (in order of presentations): Aerohive, MetaGeek, Ekahau, Meraki, Aruba Networks, HP, and Ruckus Wireless.

This event will also be streamed live (see display below):

NCI looks forward to sharing all that we learn from this event with our current and future clients. Wireless networking is set to really explode in 2012 and we are proud to be right in the middle of it!

The NCI Blogging Robot

WPS Brute Force follow-up information

On January 1st we posted a little bit of information regarding the Wi-Fi Protected Setup (WPS) brute force vulnerability. As a follow-up, I have performed a bit more research and analysis on the vulnerability and the attack tools. Here is a list of resources you might want to check out for more information: 

No Strings Attached Podcast 

I was privileged enough to participate in the @NSAShow’s episode 2 podcast: Wi-Fi Protected Setup, Battered or Broken? I highly recommend giving the podcast a listen as it contains a lot of good information. I’d also like to thank the host @revolutionwifi and the other guest @matthewsgast for a fun and insightful 45 minutes. 

Simply Wi-Fi 

We’ve already shared my video demonstration of how a WPS brute force attack works. Since then, I’ve created another video, seen below, demonstrating the use of a tool that identifies vulnerable wireless routers. I’ve also taken some frame captures of an attack and provided an explanation of the frames at different stages of the attack. Sample frames have also been made available for anyone who wants to take a closer look in Wireshark.

United States Computer Response Team (US-CERT)

Here is the original vulnerability note created on December 27, 2011. It details the basic purpose of WPS and describes the vulnerability. 

Dan C.

If you are aware of any additional resources, please share them in the comments section below.

Wireless Field Day 2

I was originally going to post this in January, but I just couldn’t wait any longer. From January 25th to 27th, I will be a delegate at Wireless Field Day 2 (WFD2) in San Jose, CA.

My day job focuses primarily on Aruba Networks and Meraki, but I have always made an effort to keep up-to-speed with what everyone else is doing in the wireless industry. WFD2 will be a tremendous opportunity to do so. Sponsoring vendors include:

If the opportunity to get all these vendors in the same room and have a pointed, no-BS discussion about wireless technology wasn’t enough, there’s more! Along with the vendors, there will also be a list of delegates that is nothing short of amazing! So far, delegates include:

That’s a lot of wireless knowledge to cram into a single room. Seriously, my Wi-Q will increase just by hanging out with these people for a few days – awesome!

I’ll be tweeting and blogging during the entire event to help make sure that everyone gets to benefit from this amazing event. If you’re interested, you can also check out the official WFD2 channels.

Dan C.

Be sure to check back for more news on WFD2 as we get closer to the event date.

Falsely Accused: The Wireless Controller Story

Every day, innocent wireless controllers are framed for crimes they didn’t commit. This is the story of how one WLAN controller was falsely accused of connection murder…

The Crime Scene – WLAN Connection Murder

Testimony: A user is having difficulty connecting his brand new laptop to the lab WLAN using WPA2-PSK. He has been able to connect to the corporate WLAN, but all attempts at connecting to the lab have failed. Also, the user has been able to connect to other WPA2-PSK protected networks in the past.

Prime Suspect: Bystanders report seeing a WLAN Controller fleeing the scene.

Investigation performed by Detective @SimplyWifi

Are other clients having a similar issue? – No.

Are there comments in the controller’s release notes regarding this issue? – No.

Had client submit to a connectivity test and sent logs to the lab for analysis. Lab results below:

Deauth from sta: 24:77:03:xx:yy:zz: AP xxx.yyy.yyy.zzz-00:24:6c:aa:bb:cc-NameChanged-AP Reason Unspecified Failure

Offender Profile

Based on the debug results from the lab, it was determined that the wireless client was connecting successfully. However, it would immediately disconnect itself with the reason ‘Unspecified Failure’. The important takeaway was that the controller was not initiating the disconnect; the client was deciding to disconnect. This information allowed the detective to provide the following offender profile:

Age: Less than 1 month old.

Height: ~1 ft.

Build: Standard corporate image.

Behavioural Patterns: The offender is highly mobile but tends to spend a lot of time resting on a docking station on a desk. When connected to the docking station, the offender will likely be physically connected to the wired network via an Ethernet cable.

The Takedown

The offender was located and, as predicted, it was found connected to a docking station. Upon removal from the docking station, the client was able to successfully connect to all corporate and lab WLANs. Detective @SimplyWifi told reporters: “This is another tragic case of the victim turning out to be our perp. Once we started looking at the evidence, it was clear that the WLAN controller was being falsely accused. After that, it was a simple matter of following the evidence back to the victim.”

Final Comments:

In this case, it turned out that an application on the client was blocking the ability to connect to both a wired and wireless network at the same time. As is usually the case, the issue was client-side and required no controller changes to resolve. It serves as a great reminder of the importance of performing detailed victimology in any wireless investigation.

Dan C.

Do you have a story about spending time troubleshooting the WLAN controller only to eventually determine that the issue was with the client? If so, we’d love to hear it in the comments section. Also, if you are having troubles resolving issues on your own WLAN, please contact us and we’d be happy to assist.
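As an added example (not part of the original post and not the vendor's own tooling), the sketch below automates the check the investigation relied on: reading the direction of each deauth entry to see whether the client or the infrastructure ended the session. The `Deauth from sta` shape follows the log line quoted above; the `Deauth to sta` counterpart, the MAC addresses, AP names and the "Inactivity Timeout" reason are constructed assumptions.

```python
# Added example: classify who initiated each deauthentication in a log.
import re
from collections import defaultdict

# Shape taken from the line quoted in the post; "to sta" is an assumed
# counterpart for disconnects initiated by the AP/controller.
LINE = re.compile(
    r"Deauth (?P<dir>from|to) sta: (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}): "
    r"AP (?P<ap>\S+) Reason (?P<reason>.+)$", re.IGNORECASE)

# Constructed sample log (not real capture data).
SAMPLE_LOG = """\
Deauth from sta: 02:00:00:00:00:01: AP 192.0.2.10-02:00:00:aa:bb:01-lab-ap1 Reason Unspecified Failure
Deauth from sta: 02:00:00:00:00:01: AP 192.0.2.10-02:00:00:aa:bb:01-lab-ap1 Reason Unspecified Failure
Deauth to sta: 02:00:00:00:00:02: AP 192.0.2.11-02:00:00:aa:bb:02-lab-ap2 Reason Inactivity Timeout
Assoc success: 02:00:00:00:00:03: AP 192.0.2.10-02:00:00:aa:bb:01-lab-ap1
Deauth from sta: 02:00:00:00:00:04: AP 192.0.2.11-02:00:00:aa:bb:02-lab-ap2 Reason Unspecified Failure
Deauth to sta: 02:00:00:00:00:04: AP 192.0.2.11-02:00:00:aa:bb:02-lab-ap2 Reason Inactivity Timeout
"""

def triage(log_text):
    """Return, per client MAC, deauth counts by initiator and a verdict."""
    stats = defaultdict(lambda: {"client": 0, "infra": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue                      # not a deauth entry
        entry = stats[m.group("sta").lower()]
        # "from sta" means the client sent the deauth frame itself.
        side = "client" if m.group("dir").lower() == "from" else "infra"
        entry[side] += 1
        entry["reasons"].add(m.group("reason").strip())
    for entry in stats.values():
        if entry["client"] and not entry["infra"]:
            entry["verdict"] = "client-side"          # start with the client
        elif entry["infra"] and not entry["client"]:
            entry["verdict"] = "infrastructure-side"  # start with AP/controller
        else:
            entry["verdict"] = "mixed"
    return dict(stats)

if __name__ == "__main__":
    for sta, entry in sorted(triage(SAMPLE_LOG).items()):
        print(sta, entry["verdict"], entry["client"], entry["infra"],
              sorted(entry["reasons"]))
```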

Designing by Dollars in a Wireless World

I’ve said it before and I’ll say it again, the worst thing that can happen to the wireless industry is commoditization. Specifically, when I say commoditization, I am referring to the thinking that all WLANs are the same so we should just put out an RFQ and go with the lowest offer. Or, even worse, the quality of the WLAN can be determined by the price tag so we should just buy the most expensive solution we can afford. I’ve seen this happening more and more in the information security industry and I refuse to let it happen to the wireless industry without a fight. After all, look at all the good that commoditization has done for the state of security today.

Take a look at any industry and you will see examples of good products and bad products, feature-rich solutions and feature-poor solutions, feature-focused and unfocused solutions. There will always be a broad spectrum of craftsmanship to choose from but that doesn’t mean you can predict how well the solution will perform just by looking at the price tag. For example, give me a brand new Steinway & Sons Concert Grand Model D and I will play you a horrible rendition of Three Blind Mice. Take that same piano and give it to someone like Norah Jones and she’d play something that is much more worthy of such a fine instrument. When it comes to music, you can’t buy talent. Either you can play the piano well or you can’t and no amount of money is going to fix that.

The same holds true for WLANs. Either you, or your consultant, can design a WLAN properly or not. Give a skilled WLAN professional a low-cost WLAN solution and he/she will still be able to give you a functional and somewhat efficient WLAN. Conversely, give the top-line WLAN solution to an unskilled person and they will give you the type of WLAN disaster that will be used as a cautionary tale to others for years to come. How is this possible? The answer is quite simple, really. I’ve broken it down into three parts below:

  1. A skilled WLAN professional has a deep understanding of the underlying technology. Instead of just learning which checkboxes to select, a WLAN professional makes a point of knowing what happens under-the-hood when any given checkbox is selected.
  2. A skilled WLAN professional probably has more experience deploying WLAN solutions. Remember the old saying: Practice makes perfect.
  3. Lastly, and this is probably the most important reason, a skilled WLAN professional designs a WLAN with the intention of fulfilling specific business needs instead of just to implement the latest and greatest technology. Start a WLAN deployment by focusing on why it is being deployed instead of on what is being deployed and your chances of a successful deployment will increase dramatically.

We owe it to ourselves not to let commoditization get the best of our wireless networks. Maybe you have the budget for the Concert Grand Model D of WLANs and maybe you don’t. Focus on your business needs and you may find that a regular run-of-the-mill upright piano is all you really needed to make beautiful music.

Dan C. @simplywifi

Are you currently stuck in the piano store staring wide-eyed at all of the choices? You’re not alone. Leave a comment or send us a message and we would be happy to discuss your business needs and get you started down the road to wireless success.