After putting it off until the very last moment, I finally wrote and passed the Certified Wireless Security Professional (CWSP) PW0-204 exam. This was important since it had been almost 3 years since I passed the CWSP (PW0-200) exam and my credentials were set to expire on the 25th of June. Crisis averted! With the exam out of the way, I thought it would be worthwhile to share some thoughts on my experiences while preparing for it.
In no specific order, here are a few things I found very interesting about my time studying for PW0-204:
Wireless security was much less complicated 3 years ago. When I took the PW0-200 exam, I didn’t have to know anything about 802.11n, 802.11k, 802.11w, or 802.11r. All of these now-ratified IEEE standard amendments come with their own set of additional security settings and concerns that must be taken into consideration when securing a WLAN. Continuing to educate yourself and staying on top of the latest industry developments is the easiest way to ensure that a certification’s body of knowledge doesn’t leave you behind.
Experience in the field helps immensely with this exam. When I first wrote the PW0-200 exam, 3 years ago, I had a great interest in the subject but very little real-world WLAN experience. This time around, after living and breathing WLANs for 3 years, I found I was able to quickly skim or review a lot of the CWSP Study Guide since I deal with 802.1X/EAP, PKI, and WIDS/WIPS solutions quite frequently in my role as a security consultant. In my opinion, the CWSP certification is a great example of an exam that goes beyond ‘textbook studying’ and really tries to incorporate lessons that can only truly be learned through hands-on experience. Certifications like that rock because they signify practical/useful knowledge instead of just the ability to memorize answers for a test.
Keeping my existing CWNA and CWSP credentials was just stop number one on this journey. With that out of the way, I’m now beginning my assault on the Certified Wireless Network Expert (CWNE) designation. Last time I checked there were fewer than 100 CWNEs globally, so it’s definitely going to be a challenge. I have to pass both the CWDP and CWAP exams first. Wish me luck, and I look forward to posting my thoughts and insights on my next exam this summer.
Back in August I posted my thoughts on some different ways to measure the success of a WLAN deployment. My main argument was that we needed to start finding ways to measure the overall user experience (UX) in addition to all the speeds and feeds. To my delight, my thoughts were generally well received in the wireless industry and the overall consensus was that UX should be one of the primary concerns when designing a WLAN. With that in mind, I think it is time to take this to the next level and try to come up with a standard way of measuring and communicating the UX of a WLAN; I call it the Universal Wireless User Experience Index (UWUX).
To highlight the potential value of this type of index, begin by asking yourself the following two questions. If you answer yes to either of them, then having a UWUX could have helped you.
Consultants: Have you ever tried to talk a client out of certain WLAN UX design choices but failed because you couldn’t find a way to communicate just how user-unfriendly their WLAN was going to turn out?
Administrators: Have you ever been forced to go back and redesign the way your end users register, sign-in, authenticate, and gain authorization to your WLAN after it has already been deployed? Was it, by chance, because the users complained that the WLAN was just too hard or complicated to use?
As I stated above, having a standard way of scoring the UX of a WLAN and showing how it compares to other networks could be a very valuable tool when it comes to designing and deploying an end product that will live or die by the opinions and comments of the end users. Imagine being able to demonstrate how requiring proxy settings changes on an uncontrolled guest WLAN will lower the UWUX score below a certain threshold, resulting in a dramatic increase in helpdesk requests. The results could be shown in a numerical format and a graphical scale format so that anyone could understand them regardless of technical knowledge.
The benefits of the UWUX Index increase dramatically as more people adopt it. It’s a lot like IQ scoring since no single score has any real meaning. Only when we compare a score to the rest of the scores in the index are we able to start deriving meaning. It’s because of this that I’ve decided to share my plans with the community in the hopes that there will be others who want to help design a universal index that can be used by all WLAN professionals and administrators regardless of company affiliation.
Will it be a challenge to come up with repeatable measurements? Yes.
Will it be hard to create an index that serves everyone’s needs? Yes, but the goal is to have an index that serves most common needs instead of all needs.
Will the end result be incredibly useful? Time will tell but I think the answer is yes. In my opinion, if the end result is that we all focus more on designing for user and business needs, then it is well worth it.
If you would like to contribute ideas on what the UWUX Index should include please feel free to leave a comment below, DM me, or contact me through our website. I already have some ideas but am in the very early brainstorming stages so all ideas will be considered. Also, if you think this could fly, please retweet or share the post with WLAN, UX designers, or end-users so that we can gather ideas from as many different viewpoints as possible.
I’ve said it before and I’ll say it again, the worst thing that can happen to the wireless industry is commoditization. Specifically, when I say commoditization, I am referring to the thinking that all WLANs are the same so we should just put out an RFQ and go with the lowest offer. Or, even worse, the quality of the WLAN can be determined by the price tag so we should just buy the most expensive solution we can afford. I’ve seen this happening more and more in the information security industry and I refuse to let it happen to the wireless industry without a fight. After all, look at all the good that commoditization has done for the state of security today.
Take a look at any industry and you will see examples of good products and bad products, feature-rich solutions and feature-poor solutions, feature-focused and unfocused solutions. There will always be a broad spectrum of craftsmanship to choose from, but that doesn’t mean you can predict how well the solution will perform just by looking at the price tag. For example, give me a brand new Steinway & Sons Concert Grand Model D and I will play you a horrible rendition of Three Blind Mice. Take that same piano and give it to someone like Norah Jones and she’d play something that is much more worthy of such a fine instrument. When it comes to music, you can’t buy talent. Either you can play the piano well or you can’t, and no amount of money is going to fix that.
The same holds true for WLANs. Either you, or your consultant, can design a WLAN properly or not. Give a skilled WLAN professional a low-cost WLAN solution and he/she will still be able to give you a functional and somewhat efficient WLAN. Conversely, give the top-line WLAN solution to an unskilled person and they will give you the type of WLAN disaster that will be used as a cautionary tale to others for years to come. How is this possible? The answer is quite simple, really. I’ve broken it down into three parts below:
A skilled WLAN professional has a deep understanding of the underlying technology. Instead of just learning which checkboxes to select, a WLAN professional makes a point of knowing what happens under the hood when any given checkbox is selected.
A skilled WLAN professional probably has more experience deploying WLAN solutions. Remember the old saying: Practice makes perfect.
Lastly, and this is probably the most important reason, a skilled WLAN professional designs a WLAN with the intention of fulfilling specific business needs instead of just to implement the latest and greatest technology. Start a WLAN deployment by focusing on why it is being deployed instead of on what is being deployed and your chances of a successful deployment will increase dramatically.
We owe it to ourselves not to let commoditization get the best of our wireless networks. Maybe you have the budget for the Concert Grand Model D of WLANs and maybe you don’t. Focus on your business needs and you may find that a regular run-of-the-mill upright piano is all you really needed to make beautiful music.
Are you currently stuck in the piano store staring, wide-eyed at all of the choices? You’re not alone. Leave a comment or send us a message and we would be happy to discuss your business needs and get you started down the road to wireless success.
I really want to be your friend. In fact, I want to be the kind of friend you can count on to tell you the truth no matter what the consequences. It’s with this thought in mind that I am forced to tell you that, and this may sting a little, you have completely lost your mind by deciding to deploy fifty home wireless routers in an attempt to become a wireless enterprise. There, I said it. For a few moments I thought about allowing you to experience this life lesson for yourself, but then I remembered what my grampa always used to say: “There’s two things friends should never do. First, friends don’t let friends use home wireless gear to perform enterprise deployments. The other thing friends never do is talk while I’m trying to watch TV. Won’t you be my friend?”.
It’s the first thing that grampa mentioned that forced me to write you this letter. I couldn’t, in good conscience, let you go through with this terrible mistake. Here’s why (I’ve enclosed a picture of grampa. If it helps soften the blow you can pretend he’s the one talking):
Hardware Quality – Home wireless routers are made to be affordable for personal use under average personal circumstances. The hardware used is not as well tested as enterprise gear, is generally not as sensitive, and is not as rugged. Also, home gear is usually designed to sit on a desk and not to be mounted on walls or ceilings. As such, home gear is probably not plenum rated like a lot of enterprise gear.
Management Interface – Home gear usually has a nice web interface you can use to configure your network. This works great for a single access point, but you are going to waste an entire day logging in to all fifty access points just to make a single configuration change. Enterprise gear is designed to allow easy configuration from a single console for all access points. Log in once, make the change once, and log out. Simple.
Channel and Power Management – Wireless networks operate over a shared medium. Your access point’s signal is transmitting through the same physical space as your neighbours’ signals. This means there is bound to be some signal interference. Home routers have very poor capabilities for handling interference. Usually the only control you have is channel selection and maybe, if you’re lucky, transmit power. Do you really want to log in to every access point and manually adjust these settings on an hourly basis as your environment experiences different levels of interference? Enterprise wireless gear does this stuff for you. It’s designed to tune itself so that you only need to get involved in the really tricky situations.
Power – Enterprise access points can be powered via the Ethernet cable (PoE). You can do this by using PoE-capable switches or mid-span PoE injectors. Either way, you don’t need to worry about how you’re going to run an extension cable from the access point’s location in the middle of the ceiling to the wall outlet behind a desk.
Features – Home access points are great for getting home users on the Internet because home users usually have very basic requirements: get me on the Internet, and keep me on the Internet. My friend (can I call you that yet?), I could tell you wondrous stories of the features I have seen on enterprise-grade solutions. These solutions can give you different levels of access based on who you are, where you are, which device you are using, and what time it is. These solutions can drop your traffic directly onto the local network or even send it through an encrypted tunnel to a completely different location without you even noticing. Deploying a wireless network in an enterprise is not the same as deploying one for your home. Considerations must be made for each different user, device, and circumstance, and I just don’t think you’ll be able to keep up with your home access points. There are so many more features I could write about, but I think you get the point.
Security – How long does it take you to change the WPA2 pre-shared key (PSK) on your home access point? Now take that time and multiply it by the number of access points you have. That is the level of pain you are going to experience each time a contractor, guest, or employee leaves your company. Not to mention routine PSK changes as a matter of policy. (If you’re doing the math, that’s a lot of passphrase changes). So, you can either hire a co-op student to constantly change the PSK and notify every employee, or you can use an enterprise-grade solution that allows you to do away with pre-shared keys. That’s right, imagine having users connect to the network using the same usernames and passwords they use to log into their computers. Imagine being able to provision individual logon credentials for guests, contractors, and employees who bring in personal devices and want to get online. Again, I don’t think you’ll be able to keep up with those home access points.
I know home wireless gear is the ‘right price’. I get it, but good wireless networks are not commodity items that can just be picked up off the shelf and plugged in. Every wireless network is different and you are going to need to invest in a proper solution that meets and adapts to your specific needs. Sure, you can save a few upfront dollars by sourcing home access points, but I think you’ll find the additional cost, in dollars and time, of tearing down that deployment because it doesn’t work and is too hard to manage is not going to make you too happy. My potential friend, I urge you to heed my advice by not trying to design by dollars. Leave home (commodity) gear in the home and use enterprise gear for your business.
P.S. If, after reading this letter you feel that we can still be friends, I’d love to hear back from you. Please send me a letter, or leave a note in the comments section below with any thoughts or questions. Also, please subscribe / follow us and share this with others so you can save them from making the same terrible mistake.
I’ve recently come to the sad realization that most technical experts are using the wrong measurements to determine the success of a WLAN deployment. Don’t get me wrong; measuring things like throughput, SNR, retry rate, and authentication/re-authentication times is very important. What I’m saying is: these are all measurements used to determine if the hardware and software components are playing nicely together. Am I the only one who finds it disturbing that we claim to design networks for people to use but we don’t have a good set of measurements to determine if the ‘people component’ plays well with the hardware and software components?
It would seem to me that the success, or potential for success, of a WLAN deployment is largely determined by the end-users. If the people components don’t jive with the infrastructure components, then your WLAN deployment will fail. After all, what is the use of having a fancy WLAN if nobody uses it? Let’s look at a few of the current measurements available to us:
Throughput – Using an application like iPerf, we can get some very accurate figures on just how much data we can cram through our wireless pipe. Higher Mbps values mean faster upload and download speeds.
Retry Percentages – This measurement is important because a high percentage of retry frames means something is not right. There could be a major source of interference, hidden nodes, LAN-side cabling issues, or any number of problems forcing your wireless clients to constantly repeat themselves. The goal is to have a very low retry percentage.
Latency – Just how long does it take your data frames to get from point A to point B? If latency is too high you’ll notice some applications start to act a bit flaky. A good example of this is VoIP: high latency leads to jitter and dropped calls. When it comes to latency you don’t want to shoot for the stars because they are far too high. Instead, shoot for the floor since it is nice and low.
I could go on, but giving a summary of all performance measurements is not really the purpose of this post. All I am trying to show is that the current measurements are only designed to give us very technical details about the infrastructure and not about the end-users. If we truly want to determine how successful our WLAN deployment is going to be, I propose a few more measurements:
User Awareness Level – Are the users even aware that your WLAN exists? Are they aware of where it exists? Who to contact if they have issues or questions? Add 1 point each time you answer no and aim for a score of zero.
Barriers to Entry – How difficult is it to get started? Which credentials are required and how do users go about obtaining and configuring them? Does the WLAN work with native wireless supplicants or will users need to install additional software? If your sign-up process requires a lot of technical knowledge or technical staff intervention, then you’ve got a very high score. Hint: High scores are evil.
Number of User Interactions – From the moment the user decides to connect, to the moment they open their first website, how many user inputs were required? Lowering the number of items that users have to click or enter each time they connect will dramatically improve user satisfaction and adoption.
While infrastructure-focused measurements are very important, we should not allow ourselves to believe that they provide any real insights into the success of a WLAN initiative. The majority of WLANs being deployed are supposed to be making it easier for people to live a mobile lifestyle. Taking some time to think of the users, before and after the technical work begins, should be a mandatory step in any WLAN initiative. Applications and infrastructure care about Mbps, retries, EAP types, and other technical mumbo-jumbo. Users care about the experience. Get it right by measuring both and I predict a successful WLAN deployment in your future.
Do you have any thoughts on what should be measured regarding a WLAN’s performance, effectiveness, and success? I’d really like to hear what you have to say on this topic. Leave a note in the comments section or share this post with your colleagues if you feel this is worth further discussion.
A quick look at the June and July usage statistics from the Milton Public Library guest wireless network reveals some interesting statistics regarding device usage versus data usage. Based on the past two months, iDevices (iPhones, iPods, and iPads) tend to have a much smaller data usage footprint than standard laptops.
First let’s look at the number of unique devices that connected to the guest WLAN in the month of July. Not surprisingly, iDevices accounted for 45% of all devices using the guest network. This can be attributed to the portability of these devices compared to standard laptops.
When we look at the total data usage by device type we see that iDevices only accounted for 19% of the total while laptops accounted for a disproportionate 80% of all data usage in July. This indicates that, while more popular and abundant, iDevices are not putting as much load on the guest WLAN infrastructure and data pipe as standard laptops.
Why the discrepancy?
There are several reasons why iDevices currently use far less data than their laptop counterparts:
Mobile versions of videos and other web-content are generally smaller than the full-sized, HD versions being consumed by laptops.
Application updates on laptops are generally much larger than on iDevices.
OS updates can occur wirelessly on laptops and not on iDevices (this will be changing very shortly in iOS 5).
People tend to use laptops and desktops as their primary file-sharing platforms rather than iDevices due to functionality and storage limitations. That being said, peer-to-peer networking did not make the top 10 list of apps used on the MPL guest WLAN thanks to some well-defined traffic shaping rules.
Apple’s iCloud service might take iDevices from ‘low data consumption’ status to ‘high data consumption’ status in the next few months. There is potential for a huge increase in data usage for these devices as more and more people take advantage of iCloud’s music syncing service. The month of June saw iTunes-related traffic account for 3.3% of all guest WLAN usage. This grew to 8.2% in the month of July. It will be interesting to see just how much higher this percentage will climb in the near future. If the climb does occur, iDevices may be shifted from the ‘best friend’ category to the ‘worst enemy’ category rather quickly.
I would like to thank the Milton Public Library for allowing me to reference their WLAN statistics. Without their assistance, this post would not have been possible. If you have any questions or thoughts on this post please leave a comment.
A few days ago I was given the opportunity to sit down with the CEO of Aruba Networks, Dominic Orr, and a few members of his Canadian team. While the swordfish was great, I thought the conversation was even better. Listening to and discussing thoughts on the future of mobility with a team of like-minded individuals is an amazing way to spend an evening.
Here are some quick points and discussion summaries from the evening:
Wireless networking and mobility are growing at an incredible rate (no surprise there). With the ever-growing number of devices that are ‘wireless only’, it is more important than ever to start planning your mobility strategy. That means immediately. Not tomorrow, not next week, immediately. You don’t want to be caught in a reactive stance when your environment gets hit by the tidal wave of BYODs.
It’s great to see that one of the top players in the wireless/mobility space is making a conscious effort not to leave smaller clients behind during this period of enormous market growth. Solutions like Aruba Instant allow SMBs to take advantage of enterprise-level features without going over budget. Mobility is primed to be a game-changer for everyone; not just the richest companies.
Starting now, or in the very near future, context will be king. It is no longer good enough to only plan for coverage, capacity, or even secure access. To take full advantage of mobility, you will need to start providing coverage, capacity, and security based on the context of the individual users and devices connecting to your network. Using identity, device type, time, location, and application usage as the context in which you create your policies will allow for optimal, secure, and efficient use of wireless networks and mobility in the workplace.
Overall, I left that dinner feeling energized and excited about the future of mobility. Am I ready to cut all of my cables right now? No. However, as more and more device manufacturers take the option of a wired connection away, it is comforting to know that networks are set to adapt and offer a far more customized level of service than ever before.
What are your thoughts on the future of mobility? Do you need help developing your strategy? Leave a comment or contact us directly and let’s start the discussion.
Full Disclosure: NCI is a partner/reseller of Aruba Networks.
Day 2 of the Implementing Aruba WLANs course has come to a close and we have managed to make a nice mess of the room. It’s amazing how quickly 6 people can fill a room with controllers, access points, cables, laptops, and courseware!
Much like the first day of the course, the second day was very educational. Focusing mainly on authentication, access control, and roles, I’d say this day represented the meat of the course. Here are my thoughts after day 2:
To securely deploy a wireless network you had better brush up on your 802.1X, RADIUS, and PKI knowledge. Home WLANs are not the same thing as enterprise WLANs; pre-shared keys (PSK) are not a scalable or manageable solution in most enterprise deployments. All SMB and enterprise WLAN vendors support robust authentication when it comes to wireless networks, so take advantage of these features.
Role derivation is awesome! Having the ability to assign specific access policies and VLAN assignments to clients based on device type or group membership is a great way to avoid excessive SSID creation and provide granular control that matches the capabilities and requirements of each user/device. Regardless of the WLAN vendor you are using, I would highly recommend looking into this feature the next time you are thinking about creating a new SSID for a new business requirement. You just might save yourself some configuration effort and eliminate needless wireless beacons at the same time.
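To make the role derivation idea concrete, and the context-based policy idea from the Aruba dinner notes above (identity, device type, time, and location as policy inputs), here is an added, vendor-neutral example that is not from the course or from any vendor’s configuration. The rule table, group names, VLAN numbers and client contexts are all constructed placeholders; the point is that one 802.1X SSID can hand out different roles and VLANs per client, with an ordered first-match rule table and a restrictive default when nothing matches.

```python
"""Context-aware role derivation for a single 802.1X SSID (constructed example)."""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple, FrozenSet, List


@dataclass(frozen=True)
class ClientContext:
    """What the WLAN knows about a client at association time."""
    username: Optional[str]          # None for a portal/guest user with no AAA identity
    groups: FrozenSet[str]           # directory groups returned by the AAA/RADIUS server
    device_type: str                 # e.g. "corporate-laptop", "byod-phone", "guest-laptop"
    location: str                    # AP group / site name the client associated at
    now: time                        # local time of the association


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int
    allowed_services: Tuple[str, ...]   # constructed service labels, not a real ACL syntax


@dataclass(frozen=True)
class Rule:
    """A rule matches only if every non-empty condition is satisfied (AND semantics)."""
    role: Role
    groups_any: FrozenSet[str] = frozenset()   # client must be in at least one of these
    device_types: FrozenSet[str] = frozenset()
    locations: FrozenSet[str] = frozenset()
    hours: Optional[Tuple[time, time]] = None  # inclusive same-day window

    def matches(self, c: ClientContext) -> bool:
        if self.groups_any and not (self.groups_any & c.groups):
            return False
        if self.device_types and c.device_type not in self.device_types:
            return False
        if self.locations and c.location not in self.locations:
            return False
        if self.hours and not (self.hours[0] <= c.now <= self.hours[1]):
            return False
        return True


# Constructed roles: VLAN numbers and service labels are placeholders.
EMPLOYEE = Role("employee", 10, ("internet", "email", "file-servers", "printers"))
EMPLOYEE_BYOD = Role("employee-byod", 20, ("internet", "email"))
CONTRACTOR = Role("contractor", 30, ("internet", "ticketing-system"))
GUEST = Role("guest", 99, ("internet",))   # default: Internet only, no LAN access

# Ordered rule table: first match wins, so put the most specific rules first.
RULES: List[Rule] = [
    Rule(EMPLOYEE, groups_any=frozenset({"staff"}),
         device_types=frozenset({"corporate-laptop"})),
    Rule(EMPLOYEE_BYOD, groups_any=frozenset({"staff"}),
         device_types=frozenset({"byod-phone", "byod-tablet"})),
    Rule(CONTRACTOR, groups_any=frozenset({"contractor"}),
         locations=frozenset({"HQ"}), hours=(time(8, 0), time(18, 0))),
]


def derive_role(ctx: ClientContext, rules: List[Rule] = RULES,
                default: Role = GUEST) -> Role:
    """Return the first matching role; fall back to the restrictive default."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.role
    return default


if __name__ == "__main__":
    staff_laptop = ClientContext("alice", frozenset({"staff"}),
                                 "corporate-laptop", "HQ", time(9, 30))
    print(derive_role(staff_laptop).name, derive_role(staff_laptop).vlan)
```

A contractor associating outside the allowed window or at another site falls through every rule and lands in the guest role, which is the behaviour you want from a default.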
Overall I’d say day 2 was a success. WLAN security is incredibly important so I was very happy to see that we spent the entire day exploring the various options available to us.
If you have thoughts, comments, or questions about WLAN security, please leave a note in the comments section.
I firmly believe that the only way to stay on top of the wireless networking industry is to fully embrace the idea of lifelong learning. To me, this doesn’t just mean learning new skills and products, but also taking the time to revisit and refresh the things you think you already know. That’s why I jumped at the chance to sit in on a three-day Implementing Aruba WLANs course being held at my office. True, I do already have my ACMA, but I attained this back when controllers were running ArubaOS 3.x. Now that ArubaOS 6.x is out, I figured it couldn’t hurt to revisit the course and make sure I’m still up to date. Here are a few observations after completing the first day:
Regardless of how simple a WLAN controller is to configure, anyone involved in designing, securing, or administering a WLAN must still understand the underlying 802.11 technology. Fancy wizards and snazzy interfaces are great when things are working fine, but don’t expect your WLAN to run as efficiently, securely, or resiliently if you don’t know what all those knobs and dials are actually doing. That being said, Aruba Networks has done a great job improving and enhancing their configuration wizards. These wizards do such a good job of simplifying the basics of configuring your controller(s) that someone could technically get a secure WLAN up and running with very little wireless knowledge or experience. Unfortunately, there is no WLAN Administration Wizard. Until that day arrives, hit the books and start learning the underlying technology. A good place to look for vendor-neutral wireless certification is the CWNP organization.
Wireless networks are at a critical, and potentially dangerous, juncture in their relatively short lives. If we spend the time to properly plan, design, and secure wireless networks they have the potential to dramatically affect the way we work and play in a very positive and reliable way. However, if we rely too heavily on the perceived simplicity of deploying wireless networks without doing our homework first, then we are setting mobile computing up for failure or, at the very least, an existence that falls very short of the true potential of wireless networking.
Overall, day one was very informative and a lot of fun. It’s always great to see people putting in the time and effort required to properly implement a wireless network. So far the Deploying Aruba WLANs course has delivered what was promised and I am looking forward to sharing my thoughts on the next two days.
Most of the people I have spoken to lately have had a minor misunderstanding about how their wireless antennas actually work. Everyone gets the part about “extending the range of the signal” correct, but it is usually incorrectly attributed to active gain instead of passive gain. In the picture below, you can see a flashlight bulb and a flashlight. These two items can serve as pretty decent analogies for how your standard omni-directional and directional antennas work.