Tag Archives: WLAN

Thoughts After Passing the CWSP PW0-204 Exam

After putting it off until the very last moment, I finally wrote and passed the Certified Wireless Security Professional (CWSP) PW0-204 exam. This was important since it had been almost 3 years since I passed the CWSP (PW0-200) exam and my credentials were set to expire on the 25th of June. Crisis averted! With the exam out of the way, I thought it would be worthwhile to share some thoughts on my experiences while preparing for it.

In no specific order, here are a few things I found very interesting about my time studying for PW0-204: 

  1. Wireless security was much less complicated 3 years ago. When I took the PW0-200 exam, I didn’t have to know anything about 802.11n, 802.11k, 802.11w, or 802.11r. All of these, now ratified, IEEE standard amendments come with their own set of additional security settings and concerns that must be taken into consideration when securing a WLAN. Continuing to educate yourself and staying on top of the latest industry developments is the easiest way to ensure that a certification’s body of knowledge doesn’t leave you behind.
  2. Experience in the field helps immensely with this exam. When I first wrote the PW0-200 exam, 3 years ago, I had a great interest in the subject but very little real-world WLAN experience. This time around, after living and breathing WLANs for 3 years, I found I was able to quickly skim or review a lot of the CWSP Study Guide since I deal with 802.1X/EAP, PKI, and WIDS/WIPS solutions quite frequently in my role as a security consultant. In my opinion, the CWSP certification is a great example of an exam that goes beyond ‘textbook studying’ and really tries to incorporate lessons that can only truly be learned through hands-on experience. Certifications like that rock because they signify practical/useful knowledge instead of just the ability to memorize answers for a test.
Next Step

Keeping my existing CWNA and CWSP credentials was just stop number one on this journey. With that out of the way, I’m now beginning my assault on the Certified Wireless Network Expert (CWNE) designation. Last time I check there were less than 100 CWNEs globally so it’s definitely going to be a challenge. I have to pass both the CWDP and CWAP exams first. Wish me luck and I look forward to posting my thoughts and insights on my next exam this summer.

Dan C.

 

The Rule of 10s and 3s

A while back I wrote a blog post explaining how an antenna works when it is connected to a wireless access point. Today I’m going to add to that lesson by explaining The Rule of 10s and 3s. Essentially, you can use this rule to figure out what your transmit power is going to be when you add various connectors, cables, and external antennas to your access points. Without further ado:

Please remember that using The Rule of 10s and 3s does not give you exact figures. It should only be used to perform rough calculations. Also, this video is not intended to be a technical deep-dive into the field of RF mathematics. Instead, my goal is to explain the basics of a complex topic so that almost anyone can understand it. (I’ve assumed knowledge of milliwatts and decibels though).

Dan C.

Bonus marks if you can explain why having this knowledge is important for anyone working with WLANs. Leave your answer in the comments section and share this video with anyone you think might benefit from knowing this rule.

Wireless UI Walkthroughs

Recently I created two wireless vendor UI walkthroughs and thought they would be worth sharing with the NCI crowd.

The first walkthrough is of the Meraki Systems Manager. This feature is built-in to the Meraki Enterprise Cloud Controller and offers a fairly extensive set of MDM features to Meraki customers at no extra cost.

 

The second walkthrough is of the Aruba Instant Virtual Controller UI. The Instant architecture does away with hardware controllers, feature licensing, and even simplifies the administrative experience.

 

I hope you find the videos interesting. As always, if you have any questions, or would like a live demonstration please do not hesitate to contact us.

Daniel

Bonus Marks: Did you spot the hidden surprise in one of the videos?

Wireless Field Day 2

I was originally going to post this in January, but I just couldn’t wait any longer. From January 25th to 27th, I will be a delegate at Wireless Field Day 2 (WFD2) in San Jose, CA.

My day job focuses primarily on Aruba Networks and Meraki, but I have always made an effort to keep up-to-speed with what everyone else is doing in the wireless industry. WFD2 will be a tremendous opportunity to do so. Sponsoring vendors include:

If the opportunity to get all these vendors in the same room and have a pointed, no-BS discussion about wireless technology wasn’t enough, there’s more! Along with the vendors, there will also be a list of delegates that is nothing short amazing! So far, delegates include:

That’s a lot of wireless knowledge to cram into a single room. Seriously, my Wi-Q will increase just by hanging out with these people for a few days – awesome!

I’ll be tweeting and blogging during the entire event to help make sure that everyone gets to benefit from this amazing event. If you’re interested, you can also check out the official WFD2 channels.

Dan C.

Be sure to check back for more news on WFD2 as we get closer to the event date.

Amigopod and PAN User-ID Integration

Question: What happens when two vendors work together with the common goal of making your life easier?

Answer: Your life gets easier.

Here is a quick ~5 minute video showing the integration capabilities between Aruba Networks’ Amigopod and Palo Alto Networks’ User-ID Agent. Aruba and PAN have allowed their systems to share user-ID information between each other; the benefit to you is that users can receive the same user-based firewall policy whether they are connected via wire or wirelessly. Watch the video, you’ll see what I mean.

 

Pretty neat stuff, no? Tight integration between wired and wireless solutions is going to be very important as we move into 2012. It’s good to see that some vendors are not only working on expanding their own offerings, but also taking the time to ensure that they play nicely with others.

Dan C.

We’d love to hear what you think of the video. Please leave a comment or contact us with your thoughts, comments, or questions.

Falsely Accused: The Wireless Controller Story

Every day, innocent wireless controllers are framed for crimes they didn’t commit. This is the story of how one WLAN controller was falsely accused of connection murder…

The Crime Scene – WLAN Connection Murder

Testimony: A user is having difficulty connecting his brand new laptop to the lab WLAN using WPA2-PSK. He has been able to connect to the corporate WLAN but all attempts at the connecting to the lab have failed. Also, the user has been able to connect to other WPA2-PSK protected networks in the past.

Prime Suspect: Bystanders report seeing a WLAN Controller fleeing the scene.

Investigation performed by Detective @SimplyWifi

Are other clients having a similar issue? – No.

Are there comments in the controller’s release notes regarding this issue? – No.

Had client submit to a connectivity test and sent logs to the lab for analysis. Lab results below:

Deauth from sta: 24:77:03:xx:yy:zz: AP xxx.yyy.yyy.zzz-00:24:6c:aa:bb:cc-NameChanged-AP Reason Unspecified Failure

Offender Profile

Based on the resulting debug lab results, it was determined that the wireless client was successfully connecting. However, it would immediately disconnect itself due to an: ‘Unspecified Failure’. The important take-away was, the controller was not initiating the disconnect; it was the client deciding to disconnect. This information allowed the detective to provide the following offender profile:

Age: Less than 1 month old.

Height: ~1 ft.

Build: Standard corporate image.

Behavioural Patterns: The offender is highly mobile but tends to spend a lot of time resting on a docking station on a desk. When connected to the docking station, the offender will likely be physically connected to the wired network via an Ethernet cable.

The Takedown

The offender was located and, as predicted, it was found connected to a docking station. Upon removal from the docking station, the client was able to successfully connect to all corporate and lab WLANs. Detective @SimplyWifi told reporters: “This is another tragic case of the victim turning out to be our perp. Once we started looking at the evidence, it was clear that the WLAN controller was being falsely accused. After that, it was a simple matter of following the evidence back to the victim.”

Final Comments:

In this case, it turned out that an application on the client was blocking the ability to connect to both a wired and wireless network at the same time. As is usually the case, the issue was a client-side issue and required no controller changes to resolve the issue. It serves as a great reminder of the importance of performing detailed victimology in any wireless investigation.

Dan C.

Do you have a story about spending time troubleshooting the WLAN controller only to eventually determine that the issue was with the client? If so, we’d love to hear it in the comments section. Also, if you are having troubles resolving issues on your own WLAN, please contact us and we’d be happy to assist.

DHCP Fingerprinting with ArubaOS

If you’ve read any of my previous blog posts, you have probably noticed that I make an effort to confine my posts to vendor-neutral topics. However, every now and then I come across vendor-specific technology implementations that are so cool that I just have to say something about them. In this case, it is DHCP fingerprinting by Aruba Networks.

Without getting into too much technical detail, this technology watches the DHCP requests of wireless clients and identifies the operating system based on the way each device asks for an address. This feature is really cool because it means you can allow a user to connect to the same ESSID (read: wireless network), using the same username/password, with a variety of different devices, and get different levels of access depending on the specific device type. For example, if the user connects to the WLAN with a company issued laptop then they get access to the internal network. However, if they connect using an iPad they get Internet access only. Didn’t I say this was cool?

Enough typing, I recorded a little demonstration of DHCP fingerprinting for your viewing enjoyment:

As BYOD becomes more prevalent, I think we are going to start seeing technologies like this popping up all over the place. This is a good thing since it gives administrators the ability to allow BYODs onto the network without having to give up on security and control.

Dan C.

How do you deal with BYODs in your environment? If you have thoughts or comments regarding the proper way of dealing with BYODs please share them in the comments section. Also, as usual, please share this post with others if you found it useful or interesting.

A Universal Wifi User Experience Index (UWUX Index)

Back in August I posted my thoughts on some different ways to measure the success of a WLAN deployment. My main argument was that we needed to start finding ways to measure the overall user experience (UX) in addition to all the speeds and feeds. To my delight, my thoughts were generally well received in the wireless industry and the overall consensus was that UX should be one of the primary concerns when designing a WLAN. With that in mind, I think it is time to take this to the next level and try to come up with a standard way of measuring and communicating the UX of a WLAN; I call it the Universal Wireless User Experience Index (UWUX).

To highlight the potential value of this type of index, begin by asking yourself the following two questions. If you answer yes to either of them, then having a UWUX could have helped you.

  1. Consultants: Have you ever tried to talk a client out of certain WLAN UX design choices but failed because you couldn’t find a way to communicate just how user-unfriendly their WLAN was going to turn out?
  2. Administrators: Have you ever been forced to go back and redesign the way your end users register, sign-in, authenticate, and gain authorization to your WLAN after it has already been deployed? Was it, by chance, because the users complained that the WLAN was just too hard or complicated to use?

As I stated above, having a standard way of scoring the UX of WLAN and showing how it compares to other networks could be a very valuable tool when it comes to design and deploying an end product that will live or die by the opinions and comments of the end users. Imagine being able to demonstrate how requiring proxy settings changes on an uncontrolled guest WLAN will lower the UWUX score below a certain threshold; resulting in a dramatic increase in helpdesk requests. The results could be shown in a numerical format and a graphical scale formatso that anyone could understand regardless of technical knowledge.

The benefits of the UWUX Index increase dramatically as more people adopt it. It’s a lot like IQ scoring since no single score has any real meaning. Only when we compare a score to the rest of the scores in the index are we able to start deriving meaning. It’s because of this that I’ve decided to share my plans with the community in the hopes that there will be others who want to help design a universal index that can be used by all WLAN professionals and administrators regardless of company affiliation.

Will it be a challenge to come up with repeatable measurements? Yes.

Will it be hard to create an index that serves everyone’s needs? Yes, but the goal is to have an index that serves most common needs instead of all needs.

Will the end result be incredibly useful? Time will tell but I think the answer is yes. In my opinion, if the end result is that we all focus more on designing for user and business needs, then it is well worth it.

More to come…

Dan C. (@SimplyWifi)

If you would like to contribute ideas on what the UWUX Index should include please feel free to leave a comment below, DM me, or contact me through our website. I already have some ideas but am in the very early brainstorming stages so all ideas will be considered. Also, if you think this could fly, please retweet or share the post with WLAN, UX designers, or end-users so that we can gather ideas from as many different viewpoints as possible.

Designing by Dollars in a Wireless World

I’ve said it before and I’ll say it again, the worst thing that can happen to the wireless industry is commoditization. Specifically, when I say commoditization, I am referring to the thinking that all WLANs are the same so we should just put out an RFQ and go with the lowest offer. Or, even worse, the quality of the WLAN can be determined by the price tag so we should just buy the most expensive solution we can afford. I’ve seen this happening more and more in the information security industry and I refuse to let it happen to the wireless industry without a fight. After all, look at all the good that commoditization has done for the state of security today.

Take a look at any industry and you will see examples of good products and bad products, feature-rich solutions and feature-poor solutions, feature-focused and unfocused solutions. There will always be a broad spectrum of craftsmanship to choose from but that doesn’t mean you can predict how well the solution will perform just by looking at the price tag. For example, give me a brand new Steinway & Sons Concert Grand Model D and I will play you a horrible rendition of Three Blind Mice. Take that same piano and give it to someone like Nora Jones and she’d play something that is much more worthy of such a fine instrument. When it comes to music, you can’t buy talent. Either you can play the piano well or you can’t and no amount of money is going to fix that.

The same holds true for WLANs. Either you, or your consultant, can design a WLAN properly or not. Give a skilled WLAN professional a low-cost WLAN solution and he/she will still be able to give you a functional and somewhat efficient WLAN. Conversely, give the top-line WLAN solution to an unskilled person and they will give you the type of WLAN disaster that will be used as a cautionary tale to others for years to come. How is this possible? The answer is quite simple, really. I’ve broken it down into three parts below:

  1. A skilled WLAN professional has a deep understand of the underlying technology. Instead of just learning which checkboxes to select, a WLAN professional makes a point of knowing what happens under-the-hood when any given checkbox is selected.
  2. A skilled WLAN professional probably has more experience deploying WLAN solutions. Remember the old saying: Practice makes perfect.
  3. Lastly, and this is probably the most important reason, a skilled WLAN professional designs a WLAN with the intention of fulfilling specific business needs instead of just to implement the latest and greatest technology. Start a WLAN deployment by focusing on why it is being deployed instead of on what is being deployed and your chances of a successful deployment will increase dramatically.

We owe it to ourselves not to let commoditization get the best of our wireless networks. Maybe you have the budget for the Concert Grand Model D of WLANs and maybe you don’t. Focus on your business needs and you may find that a regular run-of-the-mill up-right piano is all you really needed to make beautiful music.

Dan C. @simplywifi

Are you currently stuck in the piano store staring, wide-eyed at all of the choices? You’re not alone. Leave a comment or send us a message and we would be happy to discuss your business needs and get you started down the road to wireless success.

A letter to my potential wireless friend

Dear Potential Friend,

I really want to be your friend. In fact, I want to be the kind of friend you can count on to tell you the truth no matter what the consequences. It’s with this thought in mind that I am forced to tell you that, and this may sting a little, you have completely lost your mind by deciding to deploy fifty home wireless routers in an attempt to become a wireless enterprise. There, I said it. For a few moments I thought about allowing you to experience this life lesson for yourself, but then I remembered what my grampa always used to say: “There’s two things friends should never do. First, friends don’t let friends use home wireless gear to perform enterprise deployments. The other thing friends never do is talk while I’m trying to watch TV. Won’t you be my friend?”.

It’s the first thing that grampa mentioned that forced me to write you this letter. I couldn’t, in good conscience, let you go through with this terrible mistake. Here’s why (I’ve enclosed a picture of grampa. If it helps soften the blow you can pretend he’s the one talking):

  1. Hardware Quality – Home wireless routers are made to be affordable for personal use under average personal circumstances. The hardware used is not as well tested as enterprise gear, is generally not as sensitive, and is not as rugged. Also, home gear is usually designed to sit on a desk and not to be mounted on walls or ceilings. As such, home gear is probably not plenum rated like a lot of enterprise gear.
  2. Management Interface – Home gear usually has a nice web interface you can use to configure your network. This works great for a single access point, but you are going to waste an entire day logging in to all fifty access points just to make a single configuration change. Enterprise gear is designed to allow easy configuration from a single console for all access points. Log in once, make the change once, and log out. Simple.
  3. Channel and Power Management – Wireless networks operate over a shared-medium. Your access point’s signal is transmitting through the same physical space as your neighbours signal. This means there is bound to be some signal interference. Home routers have very poor capabilities for handling interference. Usually the only control you have is channel selection and maybe, if you’re lucky, transmit power. Do you really want to log in to every access point and manually adjust these settings on an hourly basis as your environment experiences different levels of interference? Enterprise wireless gear does this stuff for you. It’s designed to tune itself so that you only need to get involved in the really tricky situations.
  4. Power – Enterprise access points can be powered via the ethernet cable (PoE). You can do this by using PoE-capable switches or mid-span PoE injectors. Either way, you don’t need to worry about how you’re going to run an extension cable from the access point’s location in the middle of the ceiling to the wall outlet behind a desk.
  5. Features – Home access points are great for getting home users on the Internet because home users usually have very basic requirements: get me on the Internet, and keep me on the Internet. My friend (can I call you that yet?), I could tell you wonderous stories of the features I have seen on enterprise-grade solutions. These solutions can give you different levels of access based on who you are, where you are, which device you are using, and what time it is. These solutions can drop your traffic directly onto the local network or even send it through an encrypted tunnel to a completely different location without you even noticing. Deploying a wireless network in an enterprise is not the same as deploying one for your home. Considerations must be made for each different user, device, and circumstance and I just don’t think you’ll be able to keep up with your home access points. There are so many more feature I could write about but I think you get the point.
  6. Security – How long does it take you to change the WPA2 pre-shared key (PSK) on your home access point? Now take that time and multiply it by the number of access points you have. That is the level of pain you are going to experience each time a contractor, guest, or employee leaves your company. Not to mention routine PSK changes as a matter of policy. (If you’re doing the math, that’s a lot of passphrase changes). So, you can either hire a co-op student to constantly change the PSK and notify every employee, or you can use an enterprise-grade solution that allows you to do away with pre-shared keys. That’s right, imagine having users connect to the network using the same usernames and passwords they use to log into their computers. Imagine being able to provision individual logon credentials for guests, contractors, and employees who bring in personal devices and want to get online. Again, I don’t think you’ll be able to keep up with those home access points.

I know home wireless gear is the ‘right price’. I get it, but good wireless networks are not commodity items that can just be picked up off the shelf and plugged in. Every wireless network is different and you are going to need to invest in a proper solution that meets and adapts to your specific needs. Sure you can save a few upfront dollars by sourcing home access points, but I think you’ll find the additional cost, in dollars and time, of tearing down that deployment because it doesn’t work and is too hard to manage, is not going to make you too happy. My potential friend, I urge you to heed my advice by not trying to design by dollars. Leave home (commodity) gear in the home and use the enterpise gear for your business.

Yours Truly,

 

Dan C. (My friends call me @SimplyWifi)

P.S. If, after reading this letter you feel that we can still be friends, I’d love to hear back from you. Please send me a letter, or leave a note in the comments section below with any thoughts or questions. Also, please subscribe / follow us and share this with others so you can save them from making the same terrible mistake.