
BOM Math for Secure Wi-Fi Deployments

May 1st, 2013

By Hemant Chaskar

Building the bill of materials (BOM) is an important part of a Wi-Fi project plan. The cost of APs and the cost of the other components in the Wi-Fi architecture together make up the overall BOM. There are two types of large Wi-Fi deployments that we often see: distributed and dense. Examples of distributed deployments are clinics, insurance offices, bank branches, retail stores, hospitality providers, etc. The number of sites in a distributed Wi-Fi deployment can run into the 100’s, 1000’s, or, as in the case of some of our retail customers, even 10,000’s. Dense deployments are typical of campus environments in which there are a few campuses, each with a large number of APs. There could be 100’s or 1000’s of APs required to cover a few campuses.

To compare and contrast the BOM for different types of AP platforms in large distributed or dense deployments, we can think of these deployments in units of sections. For a distributed deployment with a number of sites and a few APs per site, the section can be a site such as an insurance office, bank branch, retail store, etc. For a dense AP deployment, the section can be a floor of a multi-storied facility, part of a floor (e.g., East, West, North, South sections of the floor plan), etc. For each such section, one can compute the number of APs that can be deployed in that section while staying within the overall Wi-Fi budget (the budget also has to account for the cost of the Ethernet drops required for the APs). For an apples-to-apples comparison, let us say that the customer can negotiate the same street price for the different types of APs. The tables below show how much functionality can be achieved with a given number of APs per section for each type of AP. Conversely, one can also read them as how many APs per section are required to achieve a certain functionality within each section.

 

1) Dual radio APs without support for dedicated scanning radios (where only background scanning is supported)

 

Dual Radio APs per Section | Traffic Radios | WIPS Radios for Dual-band Scanning | Limitations
--- | --- | --- | ---
1 | 2 | 0 | Minimal security with background scanning only. Unable to detect and contain many types of vulnerabilities and attacks. VoIP radios cannot use background scanning, so if you operate VoIP in, say, 5 GHz, even the minimal security protection is not obtained in the 5 GHz band.
2 | 4 | 0 | Same limitations as above.
3 | 6 | 0 | Same limitations as above.

2) Band-locked dual radio APs which can be either AP on both radios or WIPS sensor on both radios

Dual Radio APs per Section | Traffic Radios | WIPS Radios for Dual-band Scanning | Limitations
--- | --- | --- | ---
1 | 2 | 0 | Insecure
2 | 2 | 2 | Full 2-radio device dedicated to WIPS is BOM inefficient.
3 | 4 | 2 | Full 2-radio device dedicated to WIPS is BOM inefficient.

3) Band-unlocked dual radio APs with per-radio AP or per-radio dual band WIPS sensor configuration option

Dual Radio APs per Section | Traffic Radios | WIPS Radios for Dual-band Scanning | Functionality Benefits over 2) | Functionality Benefits over 1)
--- | --- | --- | --- | ---
1 | 1 | 1 | Secure | VoIP + Full WIPS security
2 | 3 | 1 | 50% more traffic capacity + full WIPS | VoIP + Full WIPS security
3 | 5 | 1 | 25% more traffic capacity + full WIPS | VoIP + Full WIPS security


Clearly, for secure Wi-Fi deployments, the dual radio AP platform with each radio independently software configurable as an AP or as a dual-band WIPS sensor gives the maximum value for a given BOM in terms of both traffic capacity and security. This mode of operation is only possible with specialized AP platforms that have band-unlocked radios. Let me elaborate below on what it means for the radios to be band-locked versus band-unlocked.

 

Dual radio APs with band-locked radios: Most dual radio enterprise APs are dual band and dual concurrent, but have band-locked radios. What this means is that one radio is configured for 2.4 GHz operation and the other for 5 GHz operation at boot time. So, once one of the radios is configured as an AP in one band (say the 2.4 GHz band), the other radio cannot scan channels in the 2.4 GHz band for WIPS functionality. The other radio can only scan 5 GHz channels, as it is band-locked to 5 GHz. As a result, these AP platforms cannot support the most efficient option 3) described above, and it then becomes necessary to dedicate one full dual radio device to WIPS, with one radio scanning 2.4 GHz channels and the other scanning 5 GHz channels for security monitoring (i.e., degrading to the BOM inefficient option 2) described above).

Dual radio APs with band-unlocked radios: Some differentiated dual radio AP platforms, such as AirTight APs, allow each radio to be independently software configurable as an AP or as a dual-band WIPS sensor. So when one radio is configured as an AP in one band (say the 2.4 GHz band), the other radio can still scan both the 2.4 GHz and 5 GHz bands. It takes RF expertise to design such APs. Such APs can support all three of the deployment options above and, in particular, uniquely support the most efficient option 3).
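The three tables above are instances of a simple per-section model. The following is an added example (not code from the original post or from AirTight) that generalises that model to any number of dual-radio APs per section and answers the inverse question the post raises: how many APs a section needs to reach a given functionality. It assumes every AP has exactly two radios, that "full WIPS" means at least one radio dedicated to dual-band scanning, and that traffic capacity scales with the number of traffic radios; none of these assumptions is spelled out on the page.

```python
"""Per-section BOM model for the three dual-radio AP platform options.

Added example, not from the original post. Assumptions (not stated on the
page): two radios per AP, "full WIPS" = at least one dedicated dual-band
scanning radio, traffic capacity proportional to traffic radio count.
"""
from dataclasses import dataclass
from typing import Callable, Optional

RADIOS_PER_AP = 2


@dataclass(frozen=True)
class SectionBom:
    aps: int             # dual-radio APs deployed in the section
    traffic_radios: int  # radios serving client traffic
    wips_radios: int     # radios dedicated to dual-band WIPS scanning
    full_wips: bool      # dedicated scanning in both bands available?


def option1_background_scanning(aps: int) -> SectionBom:
    """Option 1: every radio carries traffic; only background scanning, no dedicated WIPS."""
    return SectionBom(aps, RADIOS_PER_AP * aps, 0, False)


def option2_band_locked(aps: int) -> SectionBom:
    """Option 2: band-locked radios, so a whole AP must be given up to scan both bands.
    With a single AP there is no WIPS at all (the 'Insecure' row of table 2)."""
    if aps < 2:
        return SectionBom(aps, RADIOS_PER_AP * aps, 0, False)
    return SectionBom(aps, RADIOS_PER_AP * (aps - 1), RADIOS_PER_AP, True)


def option3_band_unlocked(aps: int) -> SectionBom:
    """Option 3: one band-unlocked radio scans both bands; all other radios carry traffic."""
    return SectionBom(aps, RADIOS_PER_AP * aps - 1, 1, True)


def capacity_gain_pct(better: SectionBom, baseline: SectionBom) -> Optional[float]:
    """Traffic-capacity gain of `better` over `baseline` in percent (the '50%' / '25%'
    figures of table 3). None when the baseline has no traffic radios."""
    if baseline.traffic_radios == 0:
        return None
    return 100.0 * (better.traffic_radios - baseline.traffic_radios) / baseline.traffic_radios


def min_aps_for(option: Callable[[int], SectionBom], traffic_radios_needed: int,
                need_full_wips: bool, max_aps: int = 64) -> Optional[int]:
    """Inverse question: smallest AP count per section meeting the target.
    Returns None if the option can never meet it within max_aps
    (option 1 never reaches full WIPS, whatever the AP count)."""
    for n in range(1, max_aps + 1):
        bom = option(n)
        if bom.traffic_radios >= traffic_radios_needed and (bom.full_wips or not need_full_wips):
            return n
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        o2, o3 = option2_band_locked(n), option3_band_unlocked(n)
        print(n, option1_background_scanning(n), o2, o3, capacity_gain_pct(o3, o2))
```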


In addition to the AP platform, there are further Wi-Fi architectural factors that also affect the total cost of the solution:


a) Controller vs controller-less architecture: This is particularly important in distributed deployments. Controller architectures, originally designed for campus deployments, require per-site controllers to achieve the full functionality of the AP. Deploying centralized controllers at headquarters that talk to APs over WAN links does not offer robust functionality in distributed environments. See my earlier blog post: Is your cloud Wi-Fi genuine, or is it controller over WAN imitation? The per-site controller requirement increases the total BOM, particularly when the number of APs per site is small (can you imagine 100 controllers for a 100-site deployment with 3 APs per site!). On the other hand, controller-less Wi-Fi with smart edge APs does not incur this additional cost.

b) Centralized control as add-on versus built into the solution: Large deployments require a centralized console for configuration, management and reporting. Wi-Fi architectures with controllers embedded in APs, originally designed for small localized deployments, are not adequate for large deployments. These AP-embedded controller solutions require additional on-site management server assets for centralized control and may even require appliance controllers to fill the functionality gap between AP-embedded controllers and appliance controllers. These additional on-site server components add to the overall cost. On the other hand, cloud managed Wi-Fi does not incur additional cost for centralized management. I have discussed the differences between true cloud managed Wi-Fi and Wi-Fi solutions that merely have the word cloud in their name in one of my earlier posts: Different shades of cloud Wi-Fi: Rebranded, Activated, Managed.

c) Security as add-on versus integrated into the architecture: Some AP vendors offer WIPS as an add-on to the Wi-Fi infrastructure. These architectures require additional WIPS appliances and licenses to enable WIPS, which drives the BOM up. On the other hand, if WIPS is built into the solution, it does not require additional appliances and licenses.


As we saw, there are several factors, such as AP capabilities and the overall Wi-Fi architecture, that can cause the BOM for large Wi-Fi deployments to vary over a range of as much as 2X. By making the right choices on each of the above fronts, the BOM can be significantly reduced while obtaining the maximum value from the deployed Wi-Fi infrastructure. AirTight secure Wi-Fi can help to meet these goals: band-unlocked dual radio APs, a smart edge controller-less Wi-Fi architecture, an HTML5 based central management console in the cloud, and the only top rated WIPS built into the solution.

 

802.11ac, 802.11n, Best practices, mobile device management, WLAN networks, WLAN planning

Why Casinos Fear 802.11ac

April 14th, 2013

 

Why Casinos Fear 802.11ac: Real-life Ocean’s Eleven

By Hemant Chaskar

The expression “if it’s too good to be true … then it probably is” befits a recent Ocean’s Eleven type caper. In March, the Crown Casino in Melbourne, Australia was the victim of a skimming scheme. Mark Butler of the Herald Sun reported that “a gambler has been able to get into the security system remotely and, … advise the player about what other cards the other players are holding, and he’s cleaned up to the tune of 32 million.” Amazing, isn’t it? But anything is possible for that kind of “ROI”!


Did you know that Wi-Fi can also be used for skimming a casino?


Last year, we worked with a customer in Macau (the Las Vegas of the East) who described a casino skimming sequence over Wi-Fi which is no less amazing than the Crown Casino story. In this sequence, the player has a Wi-Fi enabled camera or smartphone tucked on him. It takes video of the wheel of fortune being spun, the roulette wheel being turned, or cards being shuffled. The video is sent to the cloud in real time over Wi-Fi. Neighborhood Wi-Fi APs around the casino floor, which for this customer were mainly in the shops and restaurants around the gaming zone that had all installed Wi-Fi for guests, are used to send the video to the cloud. Cloud computers crunch the video frames to arrive at a high-probability estimate of the winning bet. The estimate is communicated to the player, who places the bets accordingly.


Higher speeds with 802.11ac mean Wi-Fi skimming is all the more feasible


With 802.11ac, Wi-Fi link speeds will go up several times. That makes sending video to the cloud faster and at higher resolution, which makes the skimming scenario above even more likely to succeed. So, even though it is a boon for enterprises and consumers, 802.11ac is something for casinos to worry about.


AirTight WIPS as an antidote to skimming casinos over Wi-Fi


We offered AirTight WIPS to the Macau casino as an antidote to protect against skimming over Wi-Fi. With location based policy enforcement, AirTight WIPS identifies when clients are in sensitive gaming areas and then does not allow their Wi-Fi radios to connect to any neighborhood APs. When clients are outside the sensitive gaming areas, such as in the lobby, restaurants or stores, WIPS automatically releases them from containment so they can connect to Wi-Fi again. We call it geo-fencing!

Another way WIPS helps casinos, which we have seen in the US, is to enforce the gaming regulation that online gambling provided by the casino, such as raffles and bingo, is not allowed outside the casino facility. WIPS can detect when clients cross the boundary of the legal gambling facility and then prevent them from connecting to the casino APs, thereby ensuring that online gambling can only be done from the casino floors.

These are examples of applications of the technology that one cannot envisage while building it. It is very satisfying to watch how much diverse value deep technology can provide.

When we worked with the Macau casino a few years ago, AirTight WIPS was overlaid on the Cisco WLC infrastructure that the casino had deployed for its own wireless applications. Now, AirTight offers its own state of the art enterprise WLAN access product line with controller-less, cloud managed, smart edge APs, and AirTight WIPS built in at no extra cost. So whatever the threat scenario may be (rogue APs, honeypots, PCI compliance, BYOD, CIPA compliance, gaming regulation or exotic casino skimming), with the AirTight Wi-Fi access solution you never have to worry about Wi-Fi security.


Additional Information:

Crown casino hi-tech scam nets $32 million via Herald Sun


802.11ac, 802.11n, mobile device management, WiFi Access, Wireless scanning, Wireless security

Different Shades of Cloud Wi-Fi: Rebranded, Activated, Managed

February 10th, 2013

Did you know that all cloud Wi-Fi’s aren’t created equal?


The race is on to put cloud in Wi-Fi

Currently, the cloud managed Wi-Fi space is expanding rapidly. Naturally, Wi-Fi vendors, traditional and emerging, want to be in the cloud Wi-Fi game. Nobody wants to be without a “cloud” solution! Controller-less Wi-Fi vendors have explicitly built cloud managed Wi-Fi from the ground up, while controller Wi-Fi incumbents have repositioned their traditional offerings in the direction of cloud Wi-Fi.

The word “cloud” in the name doesn’t tell the whole story; one has to dig deeper. Here’s why.

When vendors associate the word cloud with their Wi-Fi solutions, they can be referring to completely different things. This is quite apparent in light of some recent developments.

Controllers over WAN REBRANDED as Cloud

Cloud computing, WiFi Access, Wireless security, WLAN networks

Third time’s NOT the charm for Cisco’s adaptive WIPS (aWIPS)

January 26th, 2013
Can you believe it? Yet another alert came out about a vulnerability in Cisco’s WIPS (adaptive Wireless Intrusion Prevention System, or aWIPS as Cisco likes to call it):

 

Particularly interesting are Cisco’s proposed workarounds, which state:

Cisco Wireless LAN Controllers Wireless Intrusion Prevention System Denial of Service Vulnerability

Proposed workarounds for vulnerabilities in Cisco wireless LAN Controllers

Read more…

802.11n, Wireless security, WLAN networks

How AirTight’s new network+security console tames distributed Wi-Fi

January 14th, 2013

As Wi-Fi deployments extend into large distributed environments, management of these Wi-Fi networks poses unique challenges. It could be the clinic-wide deployment for a medical facility running into 100’s of sites, the branch-wide deployment for a bank running into 1000’s of sites, or the store-wide deployment for a fast food restaurant chain running into 10,000’s of sites. The network and security management needs of such deployments are very different from those of traditional campus Wi-Fi. Accordingly, the network management console has to deliver on a number of fronts. Read more…

Cloud computing, WiFi Access, Wireless security, WLAN networks

Wireless IDS/IPS horror stories from the field

December 12th, 2012

These are some recent stories of IT organizations that brought in wireless intrusion prevention systems (WIPS) to secure their network environments against Wi-Fi vulnerabilities and attacks, and what they encountered was an incessant flow of security alerts that they could not keep up with. That is because the systems constantly crunched signatures and thresholds from wireless traffic to generate a volume of alerts for the security admins to consume. Admins could not grasp the enormity of the problems they would face in production deployments based on the product previews done in tiny lab setups and on the marketing material they saw (hey look, we have a Gazillion attack signatures, configuration settings, and thresholds in here!). Learn from their experiences, and avoid the fate they faced by asking the right questions and making the right technology choices early on. AirTight Networks has to date helped thousands of customers avoid such misery by providing them with the strongest WIPS protection without the overhead of ongoing system management. Read more…

Wireless security

Cisco’s recent acquisition shows exciting times ahead for the lead players in the cloud Wi-Fi space

November 28th, 2012

Barely two weeks after I posted my last blog discussing the benefits of true cloud Wi-Fi over the controller over WAN architecture, using Cisco FlexConnect as an example of the latter, news of Cisco acquiring Meraki broke. I got a kick out of it since it showed that my inferences about Cisco FlexConnect and other controller centric offerings were spot on: they can never become real cloud Wi-Fi through incremental touchups and jargon experimentation. I also got a kick out of its timing: a 1.2B acquisition barely 2 weeks after I wrote that post! There are several takeaways for the future of cloud Wi-Fi from this big event. First and most obvious is that the cloud Wi-Fi market is expanding rapidly. Another takeaway is that for vendors already committed to the controller centric WLAN architecture, migration to a cloud architecture is not incremental but disruptive. Cisco could not do the migration in-house even after trying for a few years with incremental changes like REAP, H-REAP, ELM, and FlexConnect. As I said in my last blog, cloud Wi-Fi is not about throwing a controller over the WAN; it needs to be architected differently from the bottom up. Finally, it also shows that with the standardization of access point platforms, differentiation in mainstream enterprise Wi-Fi will come from innovations in the application space such as network management, security, and integration with other services.

AirTight envisioned the value of cloud managed Wi-Fi solutions back in 2008, when it was the first to launch wireless intrusion prevention (WIPS) and wireless PCI compliance solutions from the cloud (the cloud used to be called SaaS at that time). It saw wholehearted acceptance from customers for Wi-Fi security and compliance applications. Having seen the benefits of the cloud Wi-Fi security offering, those same customers then wanted Wi-Fi access bundled with security in the AirTight cloud offering, and AirTight answered their call in 2010. AirTight’s cloud managed Wi-Fi access with built-in PCI compliance saw tremendous success in the market. Riding on this second wave of success in its cloud strategy, AirTight then launched cloud managed enterprise grade Wi-Fi access with its highly acclaimed, absolute best-in-class WIPS built into it.

Due to their strong security posture, extreme scalability, and unique management capabilities, AirTight Cloud Services™ are not just for the midmarket, but also fit very well at scales many times as big. No wonder organizations even as large as multiple 10,000’s of distributed locations have selected AirTight cloud Wi-Fi over all competing Wi-Fi solutions! I am excited to see the cloud Wi-Fi market ignited by Cisco right at the time when AirTight has reached a great level of maturity in its cloud Wi-Fi offerings over all these years.

Cloud computing, PCI, WiFi Access, Wireless security

Is your cloud Wi-Fi genuine, or is it controller over WAN imitation?

November 7th, 2012

With the rising popularity of cloud Wi-Fi in distributed Wi-Fi deployments, there is also an attempt to pass off legacy controller technology as cloud Wi-Fi by deploying conventional controllers over the WAN. Realizing that it is infeasible to deploy many smaller controllers in distributed Wi-Fi deployments such as retail, remote offices, etc., the controller over WAN architecture deploys bigger controllers at the HQ and calls it cloud Wi-Fi. However, controller over WAN Wi-Fi does not measure up to true cloud Wi-Fi for many reasons, as outlined below. We will use the example of Cisco’s controller over WAN architecture to illustrate these differences. Earlier, Cisco called it H-REAP and ELM; now it calls it FlexConnect. But does changing terminology get controllers to measure up to the true cloud? Let us find out. Read more…

802.11n, Cloud computing, WiFi Access

3 things to consider in selecting 3×3:3 MIMO Wi-Fi access points

October 18th, 2012

Currently, the market is inundated with announcements from vendors on 3-stream MIMO APs. Sure enough, AirTight, being at the forefront of Wi-Fi technology, has also launched one. But what sticks out in some of those announcements is the lopsided mention of high speed wireless connectivity, even to the extent of the misleading claim of 900 Mbps for dual radio 3-stream APs, albeit with the sneaky word “upto” before the number. While connectivity speed is an important consideration (actually now a commodity available out of 3-stream Wi-Fi chipsets), that consideration alone does not produce a good game plan for deploying 3-stream Wi-Fi. More holistic thinking that takes into account real world performance, security, and next generation Wi-Fi architecture is required when selecting 3-stream MIMO APs. Read more…

Cloud computing, WiFi Access, Wireless security

Why retailers embrace cloud for Wi-Fi access, PCI and wireless security

June 26th, 2012

Retailers are increasingly looking to deploy Wi-Fi in their stores. They want to provide guest Wi-Fi to their patrons and also want to deploy in-store applications such as wireless POS and printers, wireless kiosks, wireless digital signage, and HQ network access over Wi-Fi. Coupled with these business drivers, there is also a wireless PCI compliance requirement to protect credit card transactions. Retailers, however, face some unique challenges that were hitherto not met by traditional autonomous or controller Wi-Fi solutions. Now cloud managed Wi-Fi has made it quite feasible for them to achieve these goals. Read more…

802.11n, Cloud computing, PCI, WiFi Access, Wireless scanning, Wireless security, WLAN networks