Archive for 2012

Forbes – “stores are finally turning to WiFi” but is security lacking

December 14th, 2012

Really interesting article in Forbes by Verne Kopytoff on the reasons retailers have recognized the value of Wi-Fi for their customers and business processes. He notes that after years of resistance, stores have conceded that the shoppers have won the war. They want Wi-Fi and they will use their smartphones to check out deals.

There is no doubt that Wi-Fi has many positive effects on the shopping experience and, I would suggest, those effects outweigh the negatives of comparison shopping online in a store. There is also the obvious benefit of making sales associates more efficient and able to serve more customers faster.  Anyone who has ever gone into an Apple store near Christmas – and really who has not – has experienced just how fast one can get in and out even in a crowd.

However, since retail stores have been late to this party, they need to think about the security implications of adding Wi-Fi and continuing to comply with the PCI DSS wireless scanning requirements. Kopytoff points out that several large retailers added Wi-Fi capabilities just before the holiday season, which is unusual in and of itself since retailers rarely want to disrupt their systems too close to the holidays. In haste, they may have overlooked adding true Wi-Fi security processes to protect credit card data. It will be interesting to see if any problems arise during this season of manic shopping.

by Della Lowe

Retail

Wireless IDS/IPS horror stories from the field

December 12th, 2012

These are some recent stories of IT organizations that brought in wireless intrusion prevention systems (WIPS) to secure their network environments against Wi-Fi vulnerabilities and attacks, only to encounter an incessant flow of security alerts that they could not keep up with. That is because the systems constantly crunched signatures and thresholds from wireless traffic to generate a volume of alerts for the security admins to consume. From product previews done in tiny lab setups and from the marketing material they saw (hey look, we have a gazillion attack signatures, configuration settings, and thresholds in here!), admins could not grasp the enormity of the problems they would face in production deployments. Learn from their experiences, and avoid the destiny they faced by asking the right questions and making the right technology choices early on. AirTight Networks to date has helped thousands of customers avoid such misery by helping them with the strongest WIPS protection without the overhead of ongoing system management. Read more…

Wireless security

Cisco’s recent acquisition shows exciting times ahead for the lead players in the cloud Wi-Fi space

November 28th, 2012

Barely two weeks after I posted my last blog discussing the benefits of true cloud Wi-Fi over the controller over WAN architecture, using Cisco FlexConnect as the example for the latter, news of Cisco acquiring Meraki broke. I got a kick out of it since it showed that my inferences on Cisco FlexConnect and other controller centric offerings were spot on: they can never become real cloud Wi-Fi through incremental touchups and jargon experimentation. I also got a kick out of its timing: a 1.2B acquisition barely 2 weeks after I wrote that post! There are several takeaways for the future of cloud Wi-Fi from this big event. The first and most obvious is that the cloud Wi-Fi market is expanding rapidly. Another takeaway is that for vendors already committed to the controller centric WLAN architecture, migration to a cloud architecture is not incremental but disruptive. Cisco could not do the migration in-house even after trying for a few years with incremental changes like REAP, H-REAP, ELM, and FlexConnect. As I said in my last blog, cloud Wi-Fi is not about throwing the controller over the WAN; it needs to be architected differently from the bottom up. Finally, it also shows that with the standardization of access point platforms, differentiation in mainstream enterprise Wi-Fi will come from innovations in the application space such as network management, security, and integration with other services.

AirTight envisioned the value of cloud managed Wi-Fi solutions way back in 2008, when it was the first to launch wireless intrusion prevention (WIPS) and wireless PCI compliance solutions from the cloud (cloud used to be called SaaS at that time). It saw wholehearted acceptance from customers for Wi-Fi security and compliance applications. Having seen the benefits of the cloud Wi-Fi security offering, those same customers then wanted Wi-Fi access bundled with security in the AirTight cloud offering, and AirTight answered their call in 2010. AirTight’s cloud managed Wi-Fi access with built-in PCI compliance saw tremendous success in the market. Riding on this second wave of success in the cloud strategy, AirTight then launched cloud managed enterprise grade Wi-Fi access with its highly acclaimed, absolute best-in-class WIPS built into it.

Due to their strong security posture, extreme scalability, and unique management capabilities, AirTight Cloud Services™ are not just for the midmarket, but also fit very well at scales many times as big. No wonder organizations with as many as multiple 10,000s of distributed locations have selected AirTight cloud Wi-Fi over all competing Wi-Fi solutions! I am excited to see the cloud Wi-Fi market ignited by Cisco right at the time when AirTight has reached a great level of maturity in its cloud Wi-Fi offerings over all these years.

Cloud computing

Is your cloud Wi-Fi genuine, or is it controller over WAN imitation?

November 7th, 2012

With the rising popularity of cloud Wi-Fi in distributed Wi-Fi deployments, there is also an attempt to pass off legacy controller technology as cloud Wi-Fi by deploying conventional controllers over the WAN. Realizing that it is infeasible to deploy many smaller controllers in distributed Wi-Fi deployments such as retail, remote offices, etc., the controller over WAN architecture deploys bigger controllers at the HQ and calls it cloud Wi-Fi. However, controller over WAN Wi-Fi does not measure up to true cloud Wi-Fi, for the many reasons outlined below. We will use the example of Cisco’s controller over WAN architecture to illustrate these differences. Earlier, Cisco called it H-REAP and ELM; now it calls it FlexConnect. But does changing terminology get controllers to measure up to the true cloud? Let us find out. Read more…

Cloud computing

3 things to consider in selecting 3×3:3 MIMO Wi-Fi access points

October 18th, 2012

Currently, the market is inundated with announcements from vendors on 3-stream MIMO APs. Sure enough, AirTight, being at the forefront of Wi-Fi technology, has also launched one. But what sticks out in some of those announcements is the lopsided mention of high speed wireless connectivity, even to the extent of a misleading claim of 900 Mbps for dual radio 3-stream APs, albeit with a sneaky “up to” before the number. While connectivity speed is an important consideration (actually now a commodity available out of 3-stream Wi-Fi chipsets), that consideration alone does not help to come up with a good game plan for deploying 3-stream Wi-Fi. More holistic thinking that takes into account real world performance, security, and next generation Wi-Fi architecture is required when selecting 3-stream MIMO APs. Read more…

WLAN planning

Why retailers embrace cloud for Wi-Fi access, PCI and wireless security

June 26th, 2012

Retailers are increasingly looking to deploy Wi-Fi in their stores. They want to provide guest Wi-Fi to their patrons and also want to deploy in-store applications such as wireless POS and printers, wireless kiosks, wireless digital signage, and HQ network access over Wi-Fi. Coupled with these business drivers there is also a wireless PCI compliance requirement to protect credit card transactions. Retailers however face some unique challenges which were hitherto not met by traditional autonomous or controller Wi-Fi solutions. Now cloud managed Wi-Fi has made it quite feasible for them to achieve these goals.
Read more…

PCI, Retail, WiFi Access, Wireless security

Securing your network from bring-your-own-device (BYOD)

June 12th, 2012

What makes network administrators and security professionals tear their hair out – the “cool” employee who is carrying 2 or 3 or more devices, only one of which is actually issued by the company. I admit, I am one of them, but not sure how “cool”, just a gadget junkie. There is a lot of advice around these days about how to manage this deluge of personal smart devices entering the enterprise, but I found much of the advice given by Software Advice and CRM Market Analyst, Ashley Furness, very solid in her recent post, “Strategies to Secure Your Enterprise in the New World of BYOD”. Some of it may seem obvious, but often the obvious is overlooked for just that reason. We all know folks who do not change their password from “admin”. Ashley’s article is a good addition to the body of work out there about the challenges of BYOD in the enterprise. One area which is not mentioned, however, is wireless intrusion prevention (WIPS), which is the natural ally of MDM. With MDM, employees have to have an incentive to get the agent on their devices. WIPS solves that problem. AirTight WIPS, as an example, protects the network from being accessed by unauthorized devices – those which have credentials but are not an authorized device – by allowing administrators to set up rules which will automatically block unauthorized devices (not just rogue APs) from connecting to the network.

AirTight recently concluded a study of IT professionals to understand their attitudes, challenges and methods of dealing with BYOD and it became obvious that there is a lot of concern around this subject. As the BYOD tide rises, organizations will need to embrace various smartphones and tablets for the enterprise applications, while at the same time tackling the security challenges from consumerization. On one hand, it is necessary to ensure that the IT assigned authorized smart mobile devices are free of malware and that these devices and the data on them can be centrally managed and monitored by IT. On the other hand, IT will be required to deal with unmanaged personal mobile devices attempting to access the corporate IT assets, since such personal mobile devices may not be within IT’s device management reach.

Additionally, increased consumerization of smart mobile devices may also heighten the risk of rogue Wi-Fi connections on the enterprise premises. As a result, an all-encompassing approach to BYOD security will entail protecting IT assigned devices, gatekeeping unmanaged mobile devices, and blocking rogue Wi-Fi connections. Security systems are available today which address different parts of the BYOD security problem. (See the tables below) The right combination of these security systems can be useful for comprehensive BYOD security.


BYOD, Wireless security

Smart Mobile Devices — “Stress Test” for the WIPS of the Future

March 22nd, 2012

Traditionally, when talking of wireless security in enterprises, we talked about embedded Centrino Wi-Fi, Linksys rogue APs, open source DoS tools, and compliance requirements (PCI, DoD, HIPAA). While these topics continue to be important today, the upcoming proliferation of smart mobile devices is the new frontier for enterprise wireless security to address. The inundation of smart mobile devices will result in new monitoring requirements not hitherto discussed. These requirements would amount to a “stress test” for the WIPS, and only the best of breed can hold up. While the new monitoring requirements will be many and varied, ranging from unauthorized BYOD to heightened rogue AP risk, in this post I wish to discuss some interesting and unique scenarios (numerous soft mobile hotspots, Nintendo chat blocking, wireless geo-fencing) I have already encountered this year working with customers.

Read more…

Wireless gadgets

Don’t let BYOD turn into “BYOR” in your network

February 27th, 2012

BYOD (Bring Your Own Device) seems to be the dominant theme for 2012 in the Wi-Fi infrastructure and security space. As people increasingly bring in personal smartphone devices on the enterprise premises, the network/security administrators are grappling with the security implications. Given how engaging the new smartphone and tablet apps are, conflict arises between the users’ desire and the network/security administrators’ intentions. You need to ensure that this conflict does not turn BYOD into BYOR (Bring Your Own Rogue AP)! Read more…

BYOD

BYOD and WPA2 – not made for each other

February 21st, 2012

As the BYOD (Bring Your Own Device) tide rises, network and security admins wonder if their existing Wi-Fi infrastructure security will hold up. In particular, will WPA2 with PEAP, which is pretty much the norm for Wi-Fi infrastructure security in enterprise networks today, continue to be adequate? WPA2 with PEAP is simple enough, still strong enough, and has served enterprise Wi-Fi security needs very well in the past several years. The forthcoming BYOD revolution, however, poses a new challenge for WPA2 and will require additional thinking on the part of network and security admins about how to complement PEAP to address some of the BYOD security issues. This new challenge comes from the ease with which people can bring personal mobile devices onto the enterprise premises and connect them to the WPA2 enterprise Wi-Fi network without administrator knowledge or help.

Read more…

Wireless security