Inequality between friends

Wi-Fi can be thought of as two-way traffic down a one-lane street.  The two-way communication is your device on one side and the local Wi-Fi network the other.

Your device is only one-half of the story. Almost always, both sides of the Wi-Fi link have different capabilities.  The local Wi-Fi system usually has serious grunt behind it and can push signals quite far.  Your smartphone on the other hand…Not so much.

A good analogy is a concert.  You can be quite some distance from the stage where powerful speakers push the sound quite far.  Even if there were no other people at the concert, if you were a fair way back, the stage would hardly hear your voice and maybe not at all.

Say there are a couple of walls between your smartphone and the Wi-Fi network.  Your phone says it sees a clear, strong signal, right?  But the performance is not as you’d expect it to be.  Why is that?

Your phone cannot push signals as far, or through walls as well, as our friend on the other side of the link.  For an Access Point trying to receive your phone’s weaker data transmissions, it can be a challenge for it to receive everything being sent.  There can be data loss or corruption and time-consuming retries.  Essentially, there are unequal capabilities between the Wi-Fi network device and your personal device and this impacts efficient throughput of data.

There are simple ways to balance this relationship.  One way is to tune the power of your network Wi-Fi to match that of smartphones or tablets – which can be done with enterprise-grade equipment.

To sum up, similar qualities are needed for both parties to communicate well.  A one-sided relationship doesn’t last long.

Analogies galore spring to mind with that one.

A simple BYOD definition

We all know what it stands for but what is it really?

BYOD is a company defined set of policies, applied to the network infrastructure.

Together these policies or framework, control access to different areas of your company network depending on the who/what/where scenario: who’s asking, what device they’re using and the location they’re using the device at.

For example, a corporate-issued laptop accessing the network from within the office.  Usually, full access to company resources.  Personal smartphone over a public Wi-Fi hotspot?  This may have some restrictions.

For organisations, their decision to introduce a BYOD framework comes down to a balance of improved productivity vs cost of implementation/integration and the higher risk of loss of sensitive data.

 

Coverage, Capacity, Density.

Last year at a seminar, wireless coverage inside the convention centre was excellent.  The numbers of people (density) jumping on the service however, affected the capacity of the centre’s network. While accessibility was excellent, the use of the application on the service was really slow.

Enterprise wireless coverage is more than just reach. It usually has to support x numbers of users seamlessly roaming between business areas without dropping connectivity and support a connection quality to complete business activities in an expedient manner.

Wi-Fi should invisibly and reliably, work in the background.  A slow network or a blackspot area quickly becomes noticed – internal social media is often the place where problems are ‘discussed’. Plugging these gaps usually has a cost involved but the value gained from increased productivity and job satisfaction, often outweighs this.

In the wired world, coverage means both ends of the link are connected.  With wireless, the strongest device has the better coverage. The power and ability of antennas (and therefore the reach and signal quality) on a tablet or smartphone will not match that of a laptop or the wireless infrastructure.  Both ends of a Wi-Fi link should therefore be aligned in order that the quality of coverage expectations are consistent.

So what are the factors that determine our Wi-Fi service experience? Fundamentally, it is a combination of coverage, capacity, type of business activity (e.g multimedia), numbers of users and the types of devices being used. Client device selection has a measurable impact in a wireless environment; since Wi-Fi is a shared resource, too many ‘slow’ devices will lower performance for everyone.

To sum up, coverage and capacity define the infrastructure needed to deliver a certain level of service, to an expected density of user devices.  Get it right and you won’t notice the network at all.

Cease and desist

A rogue, according to the Oxford dictionary, is a person who is dishonest and unprincipled.

In the wireless industry Rogue Access Points (APs) are unauthorised wireless devices that are either connected to your internal network infrastructure (this is the part where you go white) or are performing some malicious activity against your network.

Since a rogue is a security threat to the business, how do we find them?  And if we find them, how do we stop them?

Enter the Wireless Intrusion Detection System (WIDS) or Intrusion Prevention System (WIPS).  A WIDS/WIPS takes time to setup and burn in but done right it can be a valuable asset to minimise the threat of Rogue APs.

WIDS and WIPS are easy to explain.  WIDS is a monitor, detect-only system; basically it will discover a problem and alert you to it.  WIPS will go a step further and depending on how it is configured, either begin an automated or a manual action to contain the threat.

Most enterprise wireless security offerings these days provide a combined WIDS/WIPS solution.  These commercial solutions provide reporting and an audit trail than can be useful for management and if required, legal purposes.

It is worth considering installing dedicated sensors in your network. Sensor Access Points are normal APs, but configured as ‘listen-only’ or ‘monitor-mode’.  This way they can spend 100% of their time scanning for threats (or mitigating them) and they do not interfere with the production wireless network.

Sensor APs provide a great service to the production WiFi system in two areas: they offload the task of scanning and they offload the task of containment/mitigation.  Relieving your primary, production wireless system of these tasks means it can be left alone to fulfil its primary purpose in life: service the user community.

One other useful advantage to sensor APs is that if they are of the same model as the production APs; they can be rapidly converted to production use should a production Access Point fail.

To finish up, which would you believe to be the most common Rogue AP threat to businesses out of:
a) Hackers
b) Internal staff
c) Contractors

The answer is, overwhelmingly, internal staff.  Who have no malicious intent and are probably trying to be more productive when they connect a personal AP to the internal network.

But when this happens, out the window goes the company security policies and you are left with another entry/exit point to your internal network. One that for potentially months at a time, no-one will be any the wiser.

802.11ac – Is it worth the investment? Part 2 of 2.

A brief recap:  in Part 1, I talked about what 802.11ac can provide and left it asking whether we should invest in 11ac.

If you are in a greenfield (new) situation, I would recommend 802.11ac.  Even if you do not need the technology at this stage, newer devices will have support for it and will be able to take advantage of it if it is there.  The population of client devices in your organisation supporting 11ac will only increase.  This is a natural progression, as newer standards become the norm.

If at present there are only a few laptops that support 11ac, for a small percentage of the user base, a costly redesign and upgrade exercise may not make an adequate return on investment.

I touched on caveats in Part 1.  One of these is that in order to reach the highest speeds, your environment may require that you deploy larger numbers of Wireless Access Points than what you have now.  The reason for this is that the particular speed increases that look so attractive require no obstructions (e.g. walls) between client and Access Point.  More Access Points may be required to service the same number of users today.

As each business environment is unique and by that I mean not the organisation as a whole but each location or operations within that business may have different technology in use and operate in different environments.  For example a warehouse vs an office vs on-board a train or a ship, etc.  Should a particular environment not lend itself to the performance enhancements that 11ac offers, then it may be a difficult sell to push for an upgrade.

One option is to wait for Wave 2 before any significant investment is to be made.  Wave 2 promises something Wi-Fi has not yet been able to do: deliver data to more than one client simultaneously.  It may seem that it does that already, with a group of you sharing the Wi-Fi in your office.  But what the wireless service is actually doing is slicing up the airtime at a very fast rate (in microseconds) and sharing it between you, so that it appears as if you are downloading at the same time.  With 11ac Wave 2, you actually will be.

802.11ac – Is it worth the investment? Part 1 of 2.

Why would you invest in 802.11ac technology?

It’s a good question, and a common one.  For most businesses to invest in 11ac (IEEE 802.11ac), the business value of the technology needs to be measured.  This can be hard.  To assist us, it is worthwhile to set a baseline. Before we look at that however, just what is 802.11ac?

In a nutshell, it is the latest technology advancement in the IEEE standard for Wi-Fi performance or speed. Before this, there was [IEEE 802.11] a,b,g and n.  Each amendment progressively supplies faster, more efficient service to Wi-Fi clients and consequently better performance for all over a wireless medium.  From a business standpoint, you may ask how faster Wi-Fi helps your productivity?  I will attempt to answer that below.

Back to the baseline.  The baseline can be measured in two parts.

  • First, we can look at which stage of evolution your business Wi-Fi is at.
  • Second, we note which benefits 11ac can bring to an organisation’s network and what it promises in the future.

With the first part, your business may be one of three places right now:

  1. There is no existing wireless solution but there is a new business need that requires it.
  2. The business has an existing Wi-Fi installation that is over three years old and due for an upgrade. Or it is opening a new site with no Wi-Fi and is considering deploying the latest Wireless Access Points there.
  3. The business needs cutting edge technology.  It has a relatively recent installation of 802.11n and is looking to take advantage of the latest Wi-Fi enhancements in 11ac.

The second part of the baseline is understanding that 11ac technology is essentially coming in two waves.  Wave 1, the 11ac that we can buy today, provides at least a 30% speed increase over 802.11n, sometimes even 150% – but this comes with lots of caveats – more on that later. Wave 2, where the promise of the real spectacular is (at least to Wi-Fi professionals like myself), are anticipated to be released by some enterprise wireless manufacturers sometime in 2015.

Why is the speed increase important?  More throughput usually equals higher productivity.  Users can do their work faster if they are not waiting to “use” the network.  Unlike the dedicated network cable connected to your laptop with all that bandwidth just for you, wireless is a shared medium; where only one device can talk at one time and where all devices connected to the same Wi-Fi Access Point queue up, to send and receive traffic on it.  The speed increase means that devices with faster technology use the shared medium for less time to send the same amount of data.  Basically, you’re on and off faster which means a quicker performance for everyone.

So faster speed = better productivity.  But to a business, it must examine the material benefit: if my Wi-Fi transfers data say, 50% faster than before, does that provide any real value?  If I sit at my desk sending emails, preparing documents and browsing the web, is this network performance increase going to equate to markedly improved productivity on my part?  Perhaps not.  If the Wi-Fi is doing a lot of file transfers, video/voice or other downloads, then yes. I believe it is something that only each organisation can calculate for themselves.

It all ties back to the “Should I invest” question: the answer is entirely dependent upon where your business is at in the adoption of wireless.  I will talk about this in Part 2.

 

 

Are you using protection?

I don’t think anybody wants an infection.  The consequences are hard to clean up, it may be expensive to fix and public knowledge of the fact will damage your image.

Remember when the only protection you needed (in the network) was a firewall because the only access to your internal network was the cabled connection from outside the building? Those were the days.

Wi-Fi has brought us welcome flexibility at work.  However, wireless signals from your network can extend outside the walls of your building meaning your network is outside the building.  If that data is important, we should protect it. An attacker can intercept and capture these wireless signals for analysis and have specialised software run attacks against the data looking for weaknesses in order to gain network access or decrypt the data.

What are the business risks?

  1. Data Theft/Loss/Corruption due to hackers accessing internal data.
  2. Denial of Service, where the ability to work over Wi-Fi is compromised.
  3. External brand damage – following public knowledge of data theft.
  4. Reputational Risk – amongst business partners, suppliers…

What is weak security?

Well, WEP has been around the longest and it is basically an open gate so please don’t use that.  WPA-Personal and WPA2-Personal are what most of us use at home these days and it consists of using the one shared Wi-Fi password for the network.  Utilised by everyone.  If used in business, this poses opportunities for a determined hacker who can try to reverse-engineer or gain the static password through social engineering.  Once the password is obtained, the business risks identified above are all possible.

What is strong security?

Strong network security relies on protocols that secure your data using authorised, authenticated network access and dynamic (not static) encryption of your data over the network.  These protocols are an industry standard and are likely built into the devices already present on your network.  Leverage this built-in security.  Its Wi-Fi Alliance name is ‘WPA2-Enterprise’ and it is often more secure than your wired LAN.

The first step to securing your data is…

Maintain the paranoia.  Worry enough about the consequences of a security breach and a plan for remedial action usually follows.

An audit is a good start.  A focused security review of your networks by internal or external specialists.  It may also uncover unknown (and undesired) equipment or operations.

In addition, the creation of a living corporate policy document that outlines the security policy of the company is recommended.  One that is updated as technology changes and new threats are identified.  A clear document that protects a company from it’s own staff making errors of judgement and one that defines procedures for dealing with “events”.

We know that installing security measures after the fact is common, but often its too late to repair the damage or to keep your reputation i.e. your brand, intact.  Let’s encourage prevention.  Check your WiFi now and stay safe.