Archive for the ‘Best practices’ Category

The Growing Prevalence of Wi-Fi Extension with Mesh

April 21st, 2014

Industry professionals have tended to view mesh networking from a “realist” point of view as a niche solution to be avoided if possible, and have never considered the technology the most popular of Wi-Fi capabilities. This pragmatism is rooted in the typical negative performance implications of mesh networks. Just a few years ago mesh capability was limited to a few highly targeted products that served niche markets for large-scale outdoor deployments or service provider environments. These solutions typically relied on multi-radio mesh units, which provide frequency separation between uplink and downlink traffic paths as well as between upstream and downstream hops, in an attempt to reduce the negative performance impact on high-bandwidth backhaul links.


However, there exists a growing market for mesh networking that utilizes single-radio mesh units to provide an extension of network access across a limited number of mesh hops for hard-to-wire locations. This is evidenced by the prevalence of single-radio mesh within enterprise wireless manufacturer equipment. Mesh extension capabilities are found in almost every enterprise wireless manufacturer product line and are targeted at a much broader audience ranging from SMB, mid-market and distributed enterprise to large enterprise. While single-radio mesh units cannot provide the same high-bandwidth performance across multiple hops for backhaul traffic links that multi-radio mesh units can achieve, these products excel for networking deployments with mesh extension. They do so by offering integrated mesh capabilities from the same manufacturer, and often on the same AP hardware platforms, that customers use for their more prevalent Wi-Fi access networks. This allows for unified product procurement, network management, hardware re-use, and vendor support. Single-radio mesh also excels due to lower product cost compared to multi-radio mesh, and is targeted at situations where the focus is on network access and service extension for lower-bandwidth use-cases.

Let’s take a look at a few of these use-cases:

Quick service restaurants (QSR) are leveraging mesh to extend Wi-Fi coverage from the back-office areas into the public areas. Mesh networking allows central IT teams to deploy new services quickly to the public-facing areas of a large number of distributed locations or franchises without incurring large deployment costs, by eliminating the requirement for a truck-roll; store employees are able to simply and easily deploy the AP without pulling additional cabling. This allows QSRs to take advantage of new guest Wi-Fi services for Internet access, promotional offers, brand loyalty sign-up, and analytics quickly and without hassle. Some QSRs are also leveraging mesh for outdoor drive-up lanes to increase the efficiency of sales transactions and increase order throughput during peak times.

Grocery and supermarket stores are another interesting use-case with seasonal “pop-up” garden centers. The temporary nature of these retail spaces, often located in parking lot space, makes deployment of point-of-sale, inventory tracking, and guest services difficult and costly to deploy. Mesh extension is a simple and cost-effective solution that can enable employees to work more productively, eliminating the time-consuming process of walking inside to perform various tasks or to communicate with indoor personnel. Through the use of handheld barcode scanners, mobile point of sale (mPOS), and even mobile VoIP or push-to-talk devices, employees can use the same processes they use inside the main store outside as well while maintaining a highly secure environment and PCI compliance.

Hotels, casinos, resorts and other hospitality facilities can deploy mesh networks to extend services to outdoor seating and entertainment areas, such as patios, swimming pools, and outdoor bars. This enables availability to a wide range of guest services, such as tourism research, room service, food and beverage ordering, and concierge services.

AirTight introduced single-radio mesh networking capability with release 6.8. Simple to configure, yet secure, mesh mode operation supports automatic routing and re-routing, automatic load distribution, multiple VLAN support and multiple overlapping mesh networks. Customers can cost-effectively and easily deploy Wi-Fi access, security, and services to new locations to extend coverage for employees and guests. Configuration and deployment are quick for one or numerous locations with our hierarchical and location-aware management console; simply add a mesh SSID into an existing or new device template. The template can be the default template for APs at one or more folders in the location tree, or you can assign the template to only a subset of APs that should have mesh networking enabled.

Mesh networking is proving to be more prevalent than you might expect, and a pragmatic approach in more use-cases than ever before. Its performance will never rival that of a wired Ethernet AP, but ultimate throughput and performance are not always the main objectives. But for those instances where cabling or cost become an issue, it’s nice to have integrated mesh capabilities in your arsenal from the same manufacturer you’re already doing business with. Your Procurement or Accounts Payable team will thank you.

Best practices, WiFi Access, Wireless mesh

Management System Diversity: “Manage WLANs from Anywhere Using Anything!”

April 2nd, 2014

So much competitive marketing noise has been made over the last half dozen years about managing WLANs that vendors are now trying to manage WLANs from anywhere using everything. It wouldn’t surprise me in the least to hear a vendor say that they can now manage a branch WLAN in France from the comfort of their kitchen’s refrigerator’s management widget. It has gotten downright silly. I thought I would recap just how diverse the WLAN management scene has become: first for a good laugh, and second as a reference for those newcomers to the Wi-Fi industry.

You may be thinking, “why are there so many ways to manage a Wi-Fi system?” There’s a variety of answers to that question, such as:

  • Cost
  • Differing use cases
  • Partner eco-system
  • User preference

Not every vendor provides each of the management methods described below, but rest assured that every vendor will tell you that you don’t need anything other than what they sell. Can I get an amen? Below, I have offered a visual reference of the seven prevalent methods of managing a Wi-Fi infrastructure. It’s important to note that I will not address Wi-Fi client management methodologies in this post.


WNMS in a Virtual Machine (VM)

One of the most popular methods of deploying a true WNMS today is as a VM. It’s a low-cost, flexible, scalable option that is profitable, easily updated, and easily distributed for vendors (since it’s only software). Customers love it because almost every organization has a VM infrastructure these days. Those who don’t typically use…you guessed it…the cloud. VM-based WNMS systems are classified as true WNMS because they can manage multiple elements across multiple locations, and they usually handle policy-based management, compliance/reporting, location services, configuration/monitoring, planning, and much more.

WNMS in an Appliance

A WNMS in an Appliance is simply WNMS software that has been installed onto an appropriately-chosen hardware platform by the vendor. A set of recommended specifications is then documented by the vendor that informs users about the maximum number of devices that should/can be managed with the platform. Sometimes the vendor security-hardens the platform as a value-add.

Wireless Network Management System (WNMS) in the Cloud

Cloud management is all the rage. In fact, if you’re a vendor and don’t offer it, I dare say that you’ve fallen dreadfully behind the times. Cloud management is especially appropriate for users with distributed environments, remote or home-based workers, and those who prefer an OPEX-based (subscription-based) payment strategy.

Do not confuse putting a hardware or software controller (or set of controllers) in a data center with cloud management. A cloud management system is a multi-tenant system whereby system resources can be allocated and provisioned to various customers leveraging economies of scale. A cloud system is flexible enough to grow when/where needed and is essentially unlimited in scale. Vendor marketing departments love to cause confusion around cloud offerings when their company does not offer cloud management as an option, so be sure to ask your vendor to explain what their cloud is and how it works.

The term Public Cloud means pretty much the same thing across all vendors who use the term, but the term Private Cloud has varying meanings across vendors. It’s for that reason that I wanted to clarify the two prevailing definitions for Private Cloud:

  • Definition #1: WNMS (Appliance or VM) in a private data center
  • Definition #2: Dedicated (versus the normal shared) server space within a cloud infrastructure

Customers should ask their vendors to clarify what they mean when they use the term Private Cloud.

Application-based Management

Some vendors have chosen to put their configuration interface into an application, and these applications are now beginning to show up on mobile platforms (e.g. iPad). Application-based management software for mobile platforms is often a subset of the desktop version or controller-based management interface and is meant to offer the user an exceptionally good experience. Mobile applications are renowned for their simplicity, beauty, and flexibility. These applications are heavily focused on configuration, and are likely to have very little in the way of monitoring, reporting, location services, planning, etc.

Such management applications tend to be element managers rather than policy-based management systems, and are often not sophisticated. Their benefit lies in their simplicity and flexibility.

Controller-based Management

The reason that I don’t give controller-based management the moniker of WNMS is that controllers were never designed for full-scale management. You can think of the CLI or GUI within a controller as being designed in the original likeness of an autonomous AP. Autonomous APs had (and still have) an integrated GUI (and some had a CLI) designed primarily for configuration. While configuration is part of management, autonomous AP GUIs/CLIs had few monitoring, reporting, planning, mapping, or other management functions within the interface. Likewise, when the industry moved to controllers and controller-based APs, the controller became the original point of configuration.

While a reasonable amount of monitoring sophistication has been added to controllers over the years, controller-based management is still element-based (meaning that it only monitors itself) and contains almost none of the common enterprise-class, large-scale WNMS features.

Controller-in-Software Management

Yes, vendors actually do this. They make a software controller and run it as an application or within a VM. Either way, it acts exactly like a controller appliance and has all of the management shortcomings thereof. However, it may be offered to customers at no charge, which is a strong benefit. You still have to consider the cost of the hardware that the software must be installed onto, but that could well be a sunk cost already or minimal because it’s a set of shared commodity hardware within your data center. A saving grace of this approach is that with it being a pure software play, it’s possible for such platforms to morph more quickly into a true WNMS.

Master Access Point (AP) based Management

We have seen systems come and go over the years that sported this feature. Some vendors have installed the feature and then taken it back out again because they felt like it took away from their ability to sell other types of management (e.g. cloud). Managing a set of APs via a single Master AP can be very simple, free, and yet is always scale-limited by design. Depending on the vendor, this choice can be feature-rich or feature-poor, but it’s often great for small mid-market customers who have a single location or have a qualified administrator at each location.

Like Controller-based Management, the interface found in Master APs is usually highly geared toward configuration. There may be some modest amount of monitoring capability, but it’s not comparable to a WNMS. Further, other WNMS important features such as reporting, location services, and planning are missing. It’s for these reasons that I do not call this form of management a WNMS.


There are just so many… take your pick(s). Some are free. Some are crazy-expensive. Some are CAPEX-based, and some are OPEX-based. Most vendors offer at least two methods of managing their Wi-Fi infrastructure, and some vendors purposefully don’t offer specific types of management interfaces out of fear that it will cannibalize certain others that they sell. Some vendors go all-out and provide everything with the hope that their flexibility will win out in the end. There’s probably no best approach, so you should decide for yourself.

When you get into today’s frequently-overheard conversation about unified wired/wireless management (among the large campus enterprise vendors) the proper choice of WNMS becomes even more important. Should you go with a single-vendor or multi-vendor system? Some vendors have used multi-vendor WNMSs to woo customers away from their competitors over the years, and the strategy has worked remarkably well in some cases.

I could go on and on about management systems, but I think that gives you a good primer. What are your thoughts? Want to share any insights?

Best practices, Cloud computing, WiFi Access, WLAN planning

Restaurant Wi-Fi Primer – On-demand Webinar from Hospitality Technology Magazine

March 3rd, 2014

Last week we participated in the Restaurant Wi-Fi Primer webinar with Hospitality Technology Magazine, Boston Market and Spartan Computer Services.

Kevin McCauley presented on best practices in retail Wi-Fi analytics and social media integration. To view the webinar on demand, go to Hospitality Technology (free registration required).

You can also view AirTight’s slides on SlideShare.

HT’s latest research indicates that restaurants are planning to increase their IT budgets in 2014, and investments in networks and telecom are one category that’s steadily on the rise. A well-designed Wi-Fi network, such as the one Boston Market is currently deploying, can allow restaurants to roll out a variety of enterprise applications, ranging from mobile POS to networked kitchen tools, and can also draw in customer traffic.

View the webinar to learn about:

  • Leveraging the network for analytics and social engagement
  • Network design tips and considerations
  • Common installation pitfalls to avoid
  • Controlling customer traffic
  • Measuring ROI for your install

Best practices, PCI, Retail, WLAN networks

Corner Cases

February 26th, 2014

Most Wi-Fi manufacturers’ marketing departments would have you believe that 99% of all deployments are what I’d call “corner cases.” I call B.S. (as usual).

Here are the high-density/high-throughput (HDHT) corner cases that so many manufacturers would have you believe are so prevalent:

  • Large K-12 and University libraries, cafeterias, lecture halls, and auditoriums
  • Stadium or gymnasium bowls
  • Large entertainment venues (e.g. music and theater halls, night clubs)
  • Trade shows
  • Urban hotspots
  • Airports

Combined, these use cases comprise less than 1% of all Wi-Fi installations. In other words, the opposite of what many marketing departments would have you believe. Let’s look at this from another angle. Here’s a list of use cases that do NOT fall into the category of HDHT, but may have other technical challenges or requirements, yet these same marketing departments want customers to believe they are HDHT environments.

  • K-12 classrooms*
  • Malls
  • Majority of airports

* Note: Some folks believe that one AP per classroom (or even one AP per two classrooms) is a bad idea due to adjacent channel interference (ACI) or co-channel interference (CCI), but that’s a design matter based on a long list of design criteria that can include wall construction materials, AP output power, client device type, client device output power, and MUCH more. I assert that one AP per one (or two) classrooms is a good network design in many K-12 environments, and this usually means less than 35 devices per classroom, worst case. 35-70 devices per AP (2 radios) does not constitute high-density, but may necessitate good L1, L2 QoS, and L7 handling.

Consider all of the common deployments that constitute the majority of WLAN environments:

  • Office environments
  • Warehouses
  • Manufacturing
  • Hospitals
  • Distributed healthcare facilities
  • Cafes
  • Bookstores
  • Hotels

So if HDHT handling isn’t a big deal in 99% of the use cases, what is important? If you ask that question to those same vendor’s marketing departments, they would say Performance! Once again, I call B.S.

After speaking with a variety of network administrators and managers, I’ve found it very difficult to find anyone who can produce statistics showing an AP sustaining more than 10Mbps over the course of an 8-hour business day. Even the peak throughput on the busiest APs isn’t all that high (a couple of hundred Mbps sustained only for a couple of minutes while large files are being transferred). It’s been my experience that busy branch offices, with a single AP serving 50-60 people, are where you find the most sustained WLAN traffic over a single AP.

If 10Mbps is considered “a very busy AP”, and decent 2×2:2 802.11n APs can sustain 200+Mbps of throughput across two radios given the right RF and client environment, then why is everyone talking about performance? I hear vendors bragging about their 3×3:3 11ac APs being capable of 900+Mbps of throughput under optimal conditions. While that kind of throughput is sexy to IT geeks who think that “too much is never enough”, most customers just want it to work. At 200-400 Mbps of throughput for 802.11n APs, why do we care so much about buying premium-priced 11ac APs again?

What do we get out of those 11ac APs anyway? 256QAM is useful only at short range and only for 11ac clients. TxBF is only good at mid-range, and only for those clients that support it, which is basically none. Rate-over-range is better for uplink transmissions, but if you’re designing for capacity, voice, or RTLS, then this is of no consequence. There may be slightly fewer retransmissions due to better radio quality, but that’s mostly “who cares” also. Bottom line: don’t upgrade your 11n infrastructure for the purpose of speed. If speed (e.g. rate-over-range and raw throughput) is your goal, spend your budget on refreshing your 11ac clients first.

Customers who rush out to buy the latest, greatest, fastest AP end up paying a big price premium for a performance gain that they’ll never, ever, ever, ever use. It’s just silly. They get duped by the marketing message that HDHT handling and ultra high-performance matter in 99% of use cases, when in fact it matters in <1% of the real world use cases. Wi-Fi infrastructure technology is progressing quickly, and the PHY/MAC layers are so far ahead of typical use cases that customers should be focused on correct Layer-2 design and receiving value above Layer-2:

  • Robust, global, cloud management and services option
  • Strong security, compliance and reporting
  • Device tracking / location services
  • Social media integration (i.e. Facebook, LinkedIn, Twitter)
  • Guest and retail analytics
  • Managed services enablement

If you’re going to buy (or upgrade to) an 11ac infrastructure, there’s a very important reason to do it that is unrelated to the speed at which you move frames across the air: intelligence. Some APs don’t have the horsepower to do any significant local processing, and that leaves three options related to infrastructure intelligence:

1) don’t have any
2) send everything to the cloud
3) send everything to a controller

I prefer that APs have enough oomph to get the job done if that’s the optimal place to do the work. There are times when using the cloud makes sense (distributed, analytics), there are times when using the AP makes sense (application visibility/control), and there are times when using a controller makes sense (2008-2009). #CouldntResist

I’ll summarize all of this by asking that prospective customers of Wi-Fi infrastructure remember that they will likely never use even a small fraction of the throughput capabilities of an AP. What will have a significant impact is Wi-Fi system cost, Wi-Fi system architecture, and network design. Don’t get duped by the loud, obnoxious marketing hype around the speed/throughput. Think twice, buy once.


802.11ac, 802.11n, Best practices, WLAN planning

Will Target Breach Prompt Retailers to Raise the Security Bar?

January 8th, 2014

Did 2013 have to end with the somber news of a big credit card security breach? But it did! It is reported that 40 million credit cards were compromised in the security breach in stores of the major U.S. retailer Target. This is only a shade second to the earlier TJX breach in which 45 million credit cards were compromised. (After this blog was published, it was reported that the number of affected accounts in the Target breach is as high as 110 million, which would make it more than double the TJX breach!)

After any breach, and surely after the breach of such dimension, discussion on the data security issues at the retailers escalates. Earlier, the TJX breach resulted in stricter wireless PCI (Payment Card Industry) compliance requirements. The current Target breach can also trigger tightening of the compliance requirements. This breach may also prompt IT, security and compliance managers at major retailers to take a hard look at the information security aspects of the various technologies that they have deployed. Add to it the fact that retailers are aggressively deploying mobile and wireless technologies like POS, kiosks and tablets in stores. What are some of the core issues they should be looking at?

Don’t be content with “compliance”, demand “security”!

Retailers in these types of breaches often pass security audits like PCI with flying colors. That exposes the harsh reality that security is distinct from compliance. 2014 is the year of the World Cup in soccer (football), so let us use a soccer analogy to understand this distinction.

When you are defending a free kick in soccer, you make a wall and your goalkeeper is on alert to block the ball that could go through or around the wall. No soccer team would be comfortable with sole reliance on the wall and allowing the goalkeeper a break during the free kick. The wall is like “compliance”: it’s one line of defense.

Retailers work hard to get check marks from auditors on their PCI compliance. Vendor marketing does a good job of selling features that help get those coveted check marks. Compliance does help improve the security posture, but is it adequate? Every now and then, this line of defense is breached and if the goalkeeper isn’t standing behind the wall, you are toast! However, if you demand security in addition to the compliance check marks, you can build that inner line of defense.

How will you know if you have the inner line of defense or not?

That is a hard question. One way to answer it: whether you have the inner line of defense or not depends on the compliance solution you have chosen. If you are using a solution which has compliance reporting bolted on to meet the compliance standard in letter, you probably lack the inner line of defense. On the other hand, if your solution offers PCI compliance as a natural outcome of strong security fundamentals, you automatically get the inner line of defense.

I can testify to this dichotomy from my experiences with the wireless PCI compliance standard and solutions that are touted to facilitate meeting that standard. Many Wi-Fi vendors have come up with bolt-on WIPS (Wireless Intrusion Prevention System) features with check mark PCI reporting. The real question to ask is: While these systems generate PCI reports in letter and may please your auditor, will they pass the security scrutiny in spirit? So, what are some of the questions you should be asking when scrutinizing the wireless PCI solution to ensure that you are getting the security in addition to the compliance?

  • How much of the security information that the PCI report contains is based on actual scanning of the environment? I have seen many PCI reports based mostly or even entirely on Q&A-type documentation, or on PASS/FAIL check marks based merely on which feature configuration is enabled in the system. That is a fail on security.
  • Is threat scanning 24×7 or is it only occasional spot scanning? PCI does not require 24×7 scanning. It only requires quarterly scanning, but didn’t we just say that we are not interested in mere PCI check marks? We want security. Notably, the entire Target breach occurred over only about 3 weeks, a much shorter period than a quarter!
  • Does the scan merely throw raw data at you, or does it filter out genuine threats so you can actually act to mitigate them? All too often, I have seen wireless PCI reports simply document all APs seen across all locations to satisfy the so-called rogue AP scanning requirement. So, if the report shows 10,000 APs found in the scan of 100 remote retail locations, or 100,000 APs found across 1,000 remote retail locations, how in the world are you going to distinguish threat-posing APs from this list? If you can’t, this report will meet the PCI clause in letter, but fail miserably on improving the security posture.
  • Is the solution capable of detecting all types of vulnerabilities? For example, can it identify various types of rogue APs? If it can only identify a few types of rogues (such as rogues with a correlation between their wired and wireless MAC addresses, so-called MAC adjacency), how can you trust that report, since there could be unidentified rogue APs connected to your CDE (Cardholder Data Environment) among the large number of APs detected during the scan?
  • Is the solution capable of automatically containing the identified vulnerabilities? Although automatic mitigation is not a PCI requirement, in large nationwide deployments automatic containment is a requirement for security. Automatic containment reduces the window of vulnerability. Moreover, automatic containment has to occur without false alarms, which can disrupt your own and your neighbors’ legitimate operations.
  • Is the solution certified against security standards other than PCI? Again, this is not a PCI requirement, but it meets the litmus test of strong security fundamentals of the solution.
  • Is the solution capable of full security operation at the store level without critical dependence on WAN links?
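To make the third and fourth questions above concrete (turning a raw multi-store AP list into something actionable, and the limits of the MAC-adjacency test), here is a small triage script. It is an added example written for this post, not AirTight’s product code; the AP inventory, the wired MAC tables and the scan results are all constructed, and the adjacency window of 8 addresses is an assumed tolerance.

```python
"""Triage a raw multi-store wireless scan into authorized / rogue / unclassified.

Added example, not AirTight's code. All inventory, switch tables and scan
results below are constructed for illustration. The "MAC adjacency" test is
the heuristic named in the post: many APs derive their BSSIDs from the MAC of
their wired port, so a BSSID a few addresses away from a MAC seen on a store
switch suggests that AP is plugged into that switch.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class SeenAP:
    store: str   # location whose sensor heard the AP
    bssid: str
    ssid: str
    rssi: int    # dBm


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_adjacent(bssid: str, wired_macs: Set[str], window: int = 8) -> bool:
    """True if bssid shares an OUI with, and sits within `window` addresses of,
    any MAC seen on the wired side. `window` is an assumed tolerance."""
    b = mac_to_int(bssid)
    for wired in wired_macs:
        w = mac_to_int(wired)
        if (b >> 24) == (w >> 24) and abs(b - w) <= window:
            return True
    return False


AUTHORIZED = "authorized"
ROGUE_ADJ = "rogue on wire (MAC adjacency)"
UNCLASSIFIED = "unclassified (neighbor, or a rogue this heuristic cannot see)"


def classify(ap: SeenAP, authorized: Set[str], wired_by_store: Dict[str, Set[str]]) -> str:
    if ap.bssid.lower() in authorized:
        return AUTHORIZED
    if mac_adjacent(ap.bssid, wired_by_store.get(ap.store, set())):
        return ROGUE_ADJ
    return UNCLASSIFIED


def triage(scan: List[SeenAP], authorized: Set[str],
           wired_by_store: Dict[str, Set[str]]) -> Dict[str, List[SeenAP]]:
    buckets: Dict[str, List[SeenAP]] = {AUTHORIZED: [], ROGUE_ADJ: [], UNCLASSIFIED: []}
    for ap in scan:
        buckets[classify(ap, authorized, wired_by_store)].append(ap)
    return buckets


# --- constructed data ---------------------------------------------------------
AUTHORIZED_BSSIDS = {"00:11:74:aa:bb:c0", "00:11:74:aa:cc:10"}

# MACs learned on CDE switch ports at each store (constructed)
WIRED_MACS: Dict[str, Set[str]] = {
    "store-0042": {
        "00:11:74:aa:bb:be",  # wired side of the authorized AP
        "d4:ca:6d:99:88:77",  # POS terminal
        "f8:1a:67:12:34:50",  # consumer router someone plugged in
        "00:1e:c2:55:66:77",  # USB NIC of a laptop bridging a hotspot onto the LAN
    },
    "store-0043": {"00:11:74:aa:cc:0e"},
}

SCAN: List[SeenAP] = [
    SeenAP("store-0042", "00:11:74:aa:bb:c0", "STORE-CORP", -45),
    SeenAP("store-0042", "f8:1a:67:12:34:52", "linksys", -52),       # BSSID = wired MAC + 2
    SeenAP("store-0042", "c0:ff:ee:00:00:01", "NEIGHBOR-CAFE", -78),
    SeenAP("store-0042", "0a:1b:2c:3d:4e:5f", "FreeWiFi", -60),      # on the wire via the 00:1e:c2 NIC, not adjacent
    SeenAP("store-0043", "00:11:74:aa:cc:10", "STORE-CORP", -41),
    SeenAP("store-0043", "ba:dc:0f:fe:e0:01", "xfinitywifi", -83),
]

if __name__ == "__main__":
    for bucket, aps in triage(SCAN, AUTHORIZED_BSSIDS, WIRED_MACS).items():
        print(f"{bucket}: {len(aps)}")
        for ap in aps:
            print(f"  {ap.store} {ap.bssid} {ap.ssid!r} {ap.rssi} dBm")
```

Six raw entries collapse to one confirmed on-wire rogue, two authorized APs and three “unclassified” APs, which is the shape of report a security team can act on. The catch sits in that last bucket: the constructed “FreeWiFi” AP is bridged onto the CDE through a laptop NIC whose MAC has nothing in common with the BSSID, so MAC adjacency alone files it next to the neighbor cafe and the cable company hotspot. That is exactly why the post asks whether a solution detects rogue types beyond MAC adjacency; a report that only ran this heuristic would still satisfy the rogue-scanning clause in letter.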

Does security have to cost more than compliance?

Again, the answer depends on the compliance solution you have chosen. If the solution has PCI compliance reporting bolted on to check against clauses in the standard, you will probably have to add security on top of it, paying considerably more from a total cost of ownership perspective or continue to carry the risk of a breach. On the other hand, if the solution offers PCI compliance as a natural outcome of the strong security fundamentals, you can get security without the extra effort or cost.

With Airtight, there isn’t a chasm between compliance and security

AirTight provides a wireless PCI compliance solution that also meets the critical security criteria. Central to AirTight’s solution is its best in class wireless intrusion prevention engine, the only one today to earn the highest industry ranking. It excels both in the depth of security and the ease of use at the same time – due to core innovations and patented technology. So with this PCI solution, retailers can enjoy the same level of security that financials, governments and defense organizations demand without the additional complexity and cost.

In order to simplify deployment and management across hundreds or hundreds of thousands of locations, AirTight provides a cloud-managed PCI solution with plug & play APs/scanners in stores and a centralized management console in the cloud. In fact, it was the first to launch such a solution when wireless scanning was added to the PCI standard after the TJX breach.

24×7 wireless PCI scanning and WIPS are an intrinsic part of AirTight’s Secure Wi-Fi offering and are provided at no extra licensing cost. AirTight also offers a pure OPEX pricing model for its solution to further alleviate the cost burden. Moreover, retailers can also leverage AirTight’s social Wi-Fi and business analytics built into its retail Wi-Fi offering to increase brand following, recruit into brand loyalty programs and offer secure guest Wi-Fi services in stores. It can’t get better than that!

Wishing you a happy and SECURE 2014!

Upcoming events

Meet AirTight at NRF14 on Jan 13-14 and at ACTS event on Jan 15.

Tune in to AirTight’s technology sessions at WFD6.


Best practices, Compliance, PCI, Retail, Wireless security

MU-MIMO: What might the path from standardization to implementation look like?

September 26th, 2013

In earlier blog posts on 802.11ac practical considerations, we reviewed 80 MHz channels, 256 QAM and 5 GHz migration. Continuing the 802.11ac insights series, in this post we will look at some practical aspects of MU-MIMO, which is the star attraction of the impending Wave-2 of 802.11ac.


MU-MIMO mechanics and 802.11ac standard


Illustration of 802.11ac MU-MIMO


At a high level, MU-MIMO allows an AP with multiple antennas to concurrently transmit frames to multiple clients, when each of those clients has fewer antennas than the AP. For example, an AP with 4 antennas can use a 2-stream transmission to a client which has 2 antennas and a 1-stream transmission to a client which has 1 antenna, simultaneously. An implicit requirement for such concurrent transmission is beamforming, which has to ensure that the bits of the first client coherently combine at its location, while the bits of the second client do the same at the second client’s location. It is equally important to ensure that the bits of the first client form a null at the location of the second client and vice versa.


What does the 802.11ac standard offer for implementing MU-MIMO?

  • The standard provides a Group ID Management procedure to form client groups. Clients in a given group can be considered together for co-scheduling of transmissions using MU-MIMO beamforming.
  • To be able to perform the peak/null adjustments in MU-MIMO beamforming described above, the AP needs to know the channel matrix from its Tx antennas to the Rx antennas of each client in the group. For this, the standard provides a well-defined process for channel learning wherein the AP transmits a sounding packet called an NDP (Null Data Packet), to which clients respond with channel feedback frames (this is called the explicit feedback mechanism).


What the standard does not specify


There is more to a MU-MIMO implementation that lies outside the scope of the standard. The true promise of MU-MIMO also depends on these additional implementation factors:

  •  The AP has to identify clients that can be co-scheduled in a group. How to form these groups is implementation specific and depends on the prevailing channel conditions to the different clients (clients whose channels are nearly parallel cannot be separated cleanly). The AP has to make smart decisions on group formation.
  •  The AP has to keep track of channel conditions for the clients in each group by sending regular sounding packets and receiving explicit feedback from the clients. Implementations may differ in how often channel learning is required. Frequent learning increases channel overhead (the feedback frames consume airtime), but yields cleaner (non-interfering) MU-MIMO beams. Slow learning can leave the AP with stale channel information, so the nulls drift off the other clients and the concurrent transmissions interfere with each other.
  •  When channel conditions change, re-grouping of clients is required. Implementations can differ in their re-grouping triggers and in the method of re-grouping.
  •  Implementations can also differ in how the AP's antennas are used for beamforming within a given group.
  •  The performance of MU-MIMO also depends to some degree on the client-side implementation. To demodulate the MU-MIMO signal, clients can implement additional techniques such as interference cancellation to suppress residual inter-beam interference.
  •  The formation of MU-MIMO groups at the PHY/MAC layer also has to coincide with the traffic and QoS requirements of the clients at the higher protocol layers; a group is only useful if its members have data pending at the same time.
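As an added example (mine, not code from the original post and not any vendor's implementation), the following Python models the peak/null requirement from the mechanics section with zero-forcing precoding, the textbook way of satisfying it, and then shows what happens to the nulls when the channel feedback is stale, the failure mode named in the list above. The channel values and the drift are constructed, and the model is simplified: two single-antenna clients, a 4-antenna AP, no power normalization, and a hand-written matrix inverse so that nothing beyond the standard library is needed.

```python
"""Added example, not from the original post: zero-forcing MU-MIMO precoding
for a 4-antenna AP serving two single-antenna clients, with fresh and with
stale channel feedback. All channel values are constructed for illustration."""
import math
from typing import List

Matrix = List[List[complex]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def hermitian(a: Matrix) -> Matrix:
    """Conjugate transpose."""
    return [[a[i][j].conjugate() for i in range(len(a))]
            for j in range(len(a[0]))]


def inverse(a: Matrix) -> Matrix:
    """Gauss-Jordan inverse of a small square complex matrix (partial pivoting)."""
    n = len(a)
    aug = [list(row) + [(1 + 0j) if i == j else 0j for j in range(n)]
           for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        if abs(p) < 1e-12:
            # Clients whose channel vectors are (nearly) parallel cannot be
            # separated by beamforming; a real AP would not group them.
            raise ValueError("channel matrix is singular; clients cannot be co-scheduled")
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def zero_forcing_precoder(h_fed_back: Matrix) -> Matrix:
    """W = H^H (H H^H)^-1 computed from the channel the clients reported.

    H is K x N (K co-scheduled clients, N AP antennas) and W is N x K.
    By construction H W = I_K: each client gets its own stream with unit
    gain and a null on every other client's stream.
    """
    hh = hermitian(h_fed_back)
    return matmul(hh, inverse(matmul(h_fed_back, hh)))


def effective_channel(h_actual: Matrix, w: Matrix) -> Matrix:
    """K x K matrix seen over the air: diagonal = wanted signal,
    off-diagonal = leakage from the other clients' beams."""
    return matmul(h_actual, w)


def leakage_power(h_actual: Matrix, w: Matrix) -> List[float]:
    """Inter-beam interference power landing on each client."""
    eff = effective_channel(h_actual, w)
    k = len(eff)
    return [sum(abs(eff[i][j]) ** 2 for j in range(k) if j != i) for i in range(k)]


def sinr_db(h_actual: Matrix, w: Matrix, noise_power: float = 0.01) -> List[float]:
    eff = effective_channel(h_actual, w)
    intf = leakage_power(h_actual, w)
    return [10 * math.log10(abs(eff[i][i]) ** 2 / (intf[i] + noise_power))
            for i in range(len(eff))]


# Constructed channel as reported in the clients' beamforming feedback
# (2 clients x 4 AP antennas); hypothetical values.
H_SOUNDED: Matrix = [
    [1.0 + 0.0j, 0.5 - 0.2j, -0.3 + 0.4j, 0.2 + 0.1j],
    [0.4 + 0.3j, -0.8 + 0.1j, 0.0 + 0.6j, -0.5 - 0.2j],
]
# Constructed drift since the last sounding (movement, fading): the channel
# the AP actually transmits into once the feedback has gone stale.
DRIFT: Matrix = [
    [0.0 + 0.1j, -0.1 + 0.0j, 0.05 + 0.05j, 0.0 + 0.0j],
    [0.0 + 0.0j, 0.0 + 0.1j, -0.1 + 0.0j, 0.05 + 0.0j],
]
H_STALE: Matrix = [[h + d for h, d in zip(hr, dr)] for hr, dr in zip(H_SOUNDED, DRIFT)]

if __name__ == "__main__":
    w = zero_forcing_precoder(H_SOUNDED)
    print("fresh feedback: leakage", leakage_power(H_SOUNDED, w), "SINR dB", sinr_db(H_SOUNDED, w))
    print("stale feedback: leakage", leakage_power(H_STALE, w), "SINR dB", sinr_db(H_STALE, w))
```

With fresh feedback the effective channel is the identity: each client sees its own stream at unit gain and zero leakage, so the SINR is set by noise alone. Applying the same precoder to the drifted channel leaves non-zero off-diagonal terms, which is the inter-beam interference the sounding interval is supposed to keep small; the overhead of sounding more often is the price of keeping those terms near zero.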

Practical impact

The above considerations are at the practical implementation level. Many of them are in the domain of chip design, and how well different chip vendors address them could differentiate them from one another in the MU-MIMO era.

They can also change the Wi-Fi chip design paradigm, which traditionally used similar designs for AP and client radios. With MU-MIMO, the bulk of the work (grouping, sounding, precoding) is performed at the AP, resulting in significant design differences between AP-side and client-side chipsets.

Because of all the nuances of implementation and the sensitivity to channel conditions, comparing different MU-MIMO implementations in a practical network is a difficult task. Notwithstanding, I can imagine MU-MIMO becoming table stakes in RFPs after Wave-2 arrives, with everyone answering “yes” without heed to the exact implementation details. :-)

One radical thought

Given the cost and complexity of the chip-level tasks required for MU-MIMO, could some chip family simply use all the antennas on the AP to form a beam to a single client at a time, that is, sequential SU-MIMO (beamformed single-user transmissions back to back) instead of parallel MU-MIMO? What would the pros and cons be? Will MU-MIMO be only incrementally or significantly better than sequential SU-MIMO? Time will tell.

The devil is in the details!



11 Commandments of Wi-Fi Decision Making

September 4th, 2013


Are you considering a new Wi-Fi deployment or an upgrade of a legacy system? Then be prepared to navigate a maze of decision factors, given that Wi-Fi bake-offs increasingly require multi-faceted evaluation.


Follow these 11 “C”ommandments to navigate the Wi-Fi decision tree:


  1. Cost

  2. Complexity

  3. Coverage

  4. Capacity

  5. Capabilities

  6. Channels

  7. Clients

  8. Cloud

  9. Controller

  10. 11aC, and last but not least …

  11. seCurity!




1) Cost:


Cost considerations entail both “price and pricing” nuances. Price is the size of the dent in the budget, and everyone likes it to be as small as possible. Pricing is the manner in which that dent is made: painful or less painful (I don’t think it can ever be painless!). One aspect of pricing is the CAPEX/OPEX angle. Other aspects such as licensing, front-loaded versus back-loaded payment, maintenance fees etc. have been around for a long time, so I won’t drill into the details of those other than to say that they exist and need to be considered. Enough said on cost.


2) Complexity:


Complexity considerations span deployment, configuration and ongoing maintenance. One pitfall to avoid is to “like complexity in the lab and then repent it in production”. Too many knobs to turn and tune, excessive configuration flexibility and exotic features are some of the things that add to complexity. That said, complexity considerations cannot swing to the point of being simplistic. Rather, the balanced approach is to look for solutions that have mastered complexity to extract simplicity for your needs (borrowing Don Norman’s terminology here).


3) Coverage:


When you hear terms like neg 55, neg 60, neg 65 (that is, -55, -60 or -65 dBm received signal strength targets at the cell edge), you know people are reconciling coverage expectations with the number of access points. No explanation is needed for how important coverage is for your wireless network; the important point is that the coverage target determines the number of access points needed to cover the physical area, and a stricter target (say -55 dBm instead of -65 dBm) means more APs. At the planning stage, RF predictive planning comes in handy to estimate the coverage BOM (a site survey can complement it for sample areas during the evaluation stage).


4) Capacity:


While coverage determines how far, capacity determines how many or how much. Capacity determines how small or large the cells can be: the more clients and traffic per area, the smaller the cells. Using practical models for Wi-Fi usage, capacity objectives can be set and the network design evaluated against them. Capacity also determines the number of access points needed to serve the physical area, and in dense environments that number, not coverage, is the binding constraint. RF predictive planning tools can be invaluable during the evaluation phase for capacity estimation.


5) Capabilities:


By capabilities, I mean the feature set. This is one of the most important aspects because this is where you ask the question: “Will the Wi-Fi serve the needs of the business?” This is very industry specific. Some features are extremely critical for one vertical but won’t even be noticed in others. So it is important to identify both the features you care about and those you don’t. Once identified, move on to thoroughly evaluate the ones you care about.


6) Channels:


One aspect of channels is deciding how the RF network will be provisioned across 2.4 GHz and 5 GHz operation. There are advantages to 5 GHz operation (more non-overlapping channels, less interference), but 2.4 GHz is not EOL yet. How applications are split between the two bands determines the number and type of radios required in the design. The tools and techniques needed to plan, monitor and adapt to the dynamic RF environment are also an important consideration.


7) Clients:


Much of what is achievable in a Wi-Fi network depends upon the capabilities of the client devices that will access it. One set of considerations concerns the radio capabilities of clients, such as 2.4 GHz/5 GHz operation, number of spatial streams, and support for newer standards. Another set revolves around the applications they run and the traffic profile those applications generate. Yet another set centers on the level of client mobility. BYOD is another consideration that has become important in the client arena.


8) Cloud or 9) Controller:


Today, we see pure cloud architectures, pure controller architectures and also architectures that blur the two concepts. While vendors and experts spar over which is the right architecture for today’s and tomorrow’s Wi-Fi, evaluators should focus on comparing them based on their derived value. It is also important to understand what cloud and controller actually mean from the data, control and management plane perspective (which plane lives where), because cloud and controller are distinct ways of organizing overall Wi-Fi solution functionality.


10) 11aC:


Making a judicious decision on “what to deploy today, or whether to upgrade now” is tricky. There are many views around it. One reason is the way the features of 802.11ac are split between Wave-1 and Wave-2. It is also important to note that the immediate 802.11ac benefits are application and vertical specific. Several practical network engineering considerations exist beyond the casual description of the new 802.11ac speeds that are often marketed. So, listen to vendors, listen to business needs, listen to experts, analyze for yourself, and in the end do what is best for your environment and situation. Speed is nice IF it can be leveraged in practice!


11) SeCurity:


Any information system without security is worse than worthless, especially today. That said, the level of security required by the wireless environment depends on factors such as the value of the information at risk, compliance requirements and enterprise security policies. The desired security level determines the right mix of inline data security (encryption and authentication on the WLAN itself) and protection from unmanaged devices (WIPS). Talking of WIPS, the biggest red flags to watch for are trigger-happy solutions that generate false alarms, boast a long list of “popcorn” alerts and require excessive manual involvement in the security process.


My hope is that these “C”ommandments will serve as guidelines in your Wi-Fi decision-making process. You can follow them in any order you like to ensure a holistic evaluation of the options before you. Every vendor, big or small, has sweet spots on some dimensions and not-so-sweet spots on others. So, despite what they tell you, nobody scores all A’s on all C’s. Hence one has to work on the evaluation criteria until a palatable scorecard is achieved, consistent with requirements and budget.



The WIPS Detective

August 13th, 2013


With the ever-increasing importance of Wi-Fi as the de facto access technology, WIPS plays a key role in overall enterprise network infrastructure security.


The U.S. Department of Defense (DoD) recently created a separate category for wireless intrusion detection/prevention in its approved product listing for deployments in defense agencies.

Gartner now recommends including WIPS as a critical requirement in all new RFPs for wireless technologies.

Drivers for WIPS such as PCI compliance for retailers and BYOD for enterprises are compelling.

Secure Wi-Fi is also seen as a medium to increase the efficiency of government and public services. UK courts recently announced a program to install secure Wi-Fi in 500 court rooms. WIPS is required to make such Wi-Fi secure against unmanaged and rogue devices.


Evaluating any information security solution has always been difficult because of the comprehensive test coverage required to fully validate it. Though there is no substitute for thorough testing, there are some obvious clues that indicate the level of security and operational feasibility of a particular WIPS solution, as long as you know where to look. The WIPS Detective reviews some of the tell-tale signs, starting with Rogue AP protection. Other signs are addressed in subsequent posts.


Rogue AP Protection


Rogue AP protection – protection from unmanaged APs connected to the enterprise network – is one of the most critical features of WIPS.

If you are deploying WIPS, then solid Rogue AP protection is the first thing you want out of it. Rogue AP protection is also one of the most important requirements for wireless PCI DSS compliance. While certain types of Rogue APs are trivial to detect, others are extremely difficult to detect (for example one whose radio MAC bears no relationship to its wired MAC). There are also many caveats to the workflow for Rogue AP protection in large enterprise networks.

Depending on how far these aspects are addressed by different solutions, there is a wide spectrum from checkmark to genuine value. Below are some simple clues that help gauge the level of rogue protection obtained from a specific WIPS solution.


Clue #1: Automatic Rogue Containment


Some WIPS systems show a legal warning when you attempt to activate automatic rogue containment.


Cisco WLC-Fluke aWIPS version 7.4


This means that “rogue on wire” detection is prone to false alarms. In other words, the system can incorrectly tag a friendly neighborhood AP as a rogue on the wire (a “false positive”). With that possibility, it is impossible to automate rogue containment, since the user would otherwise be taking on the liability of disrupting a neighbor’s network. Seriously, how many users would feel comfortable proceeding after reading this legal disclaimer?

Accordingly: any possibility of a false positive (there is no leeway here) = automatic containment is not practical, due to the liability of neighbor disruption.


Clue #2: Rogue Detection via Wired / Wireless MAC Relation


The most primitive rogue connectivity detection is to look for a numerical relationship between an AP’s wired and wireless MAC addresses (many consumer APs derive the BSSID from the wired MAC by a small offset; a numerical neighborhood of 2 or 64 is a common check). In fact, many run-of-the-mill WIPS do exactly that to get their rogue detection checkmark with the least amount of depth.

Rogue detection via wired / wireless MAC relation


Saying that a WIPS detects rogues on the wire using MAC relations is the same as saying that it fails to detect rogue APs whose wired and wireless MAC addresses have no relationship (a radio from a different vendor than the Ethernet port, or a BSSID that has simply been changed). When it is known that some configurations of rogue APs are outside the system’s scope for network connectivity detection, the entire neighbor AP list is suspect.

It is like the classic game of Minesweeper, where every unturned tile is a suspect. Playing Minesweeper is fun, but manually examining thousands of APs to make sure there is no undetected rogue among them is not!

In short: partial “rogue on wire” detection (missed rogues are “false negatives”) = a mountain of manual work to ensure there is no undetected rogue, and a high risk of lapses.
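To make Clue #1 and Clue #2 concrete, here is an added example (mine, not code from the post or from any WIPS product) of the MAC-relation check run over a constructed wired MAC table and a constructed list of BSSIDs heard over the air. The addresses, the scenario and the neighborhood size of 64 are all assumptions made for illustration. The same check produces one false positive (a neighbor's AP that happens to sit near one of our printers in MAC space, exactly the case that makes automatic containment a liability) and one false negative (a rogue whose radio MAC bears no relation to its wired MAC).

```python
"""Added example, not from the original post: a "rogue on wire" check that
relies only on a numerical relationship between an AP's wireless MAC (BSSID)
and a MAC address learned on the wired switches, and the two ways it goes wrong.
MAC addresses, the scenario and the neighborhood size are constructed."""
from typing import Dict, List, Set, Tuple


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", "").lower(), 16)


def rogue_by_mac_relation(bssids_heard: List[str], wired_macs: List[str],
                          neighborhood: int = 64) -> Dict[str, str]:
    """Flag a BSSID as 'on our wire' if it lies within `neighborhood` of any
    MAC address seen in the wired switch tables. Returns {bssid: wired_mac}."""
    wired = [(mac_to_int(m), m) for m in wired_macs]
    flagged: Dict[str, str] = {}
    for bssid in bssids_heard:
        b = mac_to_int(bssid)
        for w_int, w_mac in wired:
            if abs(b - w_int) <= neighborhood:
                flagged[bssid] = w_mac
                break
    return flagged


def score(flagged: Dict[str, str], truly_on_wire: Set[str]) -> Tuple[List[str], List[str]]:
    """(false positives, false negatives) against ground truth."""
    false_positives = sorted(b for b in flagged if b not in truly_on_wire)
    false_negatives = sorted(b for b in truly_on_wire if b not in flagged)
    return false_positives, false_negatives


# Constructed wired MAC table (what a WIPS would pull from the switches).
WIRED_MACS = [
    "00:11:22:33:44:50",  # Ethernet port of a consumer AP an employee plugged in
    "00:11:22:33:44:60",  # Ethernet port of a second rogue AP
    "00:11:22:33:44:a8",  # a printer from the same vendor batch, nothing wireless
]
# Constructed BSSIDs heard over the air by the WIPS sensors.
BSSIDS_HEARD = [
    "00:11:22:33:44:51",  # rogue #1: BSSID = wired MAC + 1, the classic pattern
    "a4:5e:60:00:12:34",  # rogue #2: radio from another vendor, unrelated to its wired MAC
    "00:11:22:33:44:b0",  # neighbor's AP across the street, not on our network at all
    "d8:9e:f3:10:20:30",  # another neighbor, numerically far from everything
]
# Ground truth: which heard BSSIDs really are on our wire.
TRULY_ON_WIRE = {"00:11:22:33:44:51", "a4:5e:60:00:12:34"}

if __name__ == "__main__":
    flagged = rogue_by_mac_relation(BSSIDS_HEARD, WIRED_MACS)
    fps, fns = score(flagged, TRULY_ON_WIRE)
    print("flagged:", flagged)
    print("false positives (a neighbor that auto-containment would knock off the air):", fps)
    print("false negatives (a rogue you must now hunt for by hand):", fns)
```

Tightening the neighborhood shrinks the false positive list but widens the false negative list, and no value of it catches rogue #2. That is why a WIPS that only does this cannot safely automate containment (Clue #1) and cannot give you a trustworthy neighbor list (Clue #2); genuine rogue-on-wire detection has to correlate wired and wireless traffic rather than address arithmetic.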


The two clues outlined above show that the writing is on the wall, and they reflect the robustness of the underlying security platform, in particular for a WIPS solution. I will cover many more of these tell-tale clues in this rolling blog series. Stay tuned.



Retail Survival: Enabling the Consumer

July 30th, 2013

The age of the empowered consumer is upon us. According to a recent Harvard Business Review article called Mobile Shopping’s Data Goldmine, “some 44% of shoppers use their smartphones while they’re shopping; more than a third of them are comparing prices. The impact of mobile research can be profound, affecting the buying behavior of nearly 90% of mobile shoppers.”


HBR Blog Network: Mobile Shopping's Data Goldmine


Customer empowerment is extending beyond mobile as consumers become comfortable interacting with retail companies through any channel available, including ecommerce, online, kiosk, voice, webchat, and more. The question is how aggressively retailers are moving to enable this new reality for the customer.


As the following short (and funny) video shows, shoppers want to take a lot more into their own hands.


she's in your stuff


How to Respond?


The video shows a future that is frightening to many retailers, but it needn’t be. Leading retailers are taking a number of steps now to get in front of this approaching tidal wave.


1) Optimize in-store shopping 


Accenture Seamless Retail Study

Rather than fear consumer empowerment, retailers should embrace it. In a survey of 6,000 consumers polled across eight countries (US, UK, Germany, Sweden, France, Brazil, China and Japan), Accenture found that the majority of respondents believe that integrating in-store, online and mobile is the number one thing that retailers can do to improve the shopping experience. An IBM study found that, contrary to expected concerns about loss of privacy, “the majority of shoppers were willing to contribute 20 minutes on average to help a retailer better understand their desires in order to provide them with more meaningful offers based on their past purchases.”

By encouraging in-store customers to use their own devices to join a social Wi-Fi portal, retailers can further bridge the gap between the physical and online space.  They can raise awareness about their mobile app and loyalty program.  Stores can deliver personalized offers tailored to specific interests or particular profiles, allow for social sharing and feedback, as well as collect profile information and user analytics (ideally after opt-in).


2) Create a “Wow” Store Experience


As consumers increasingly use technology to find the products and services they want at the price they want, what’s the value of the store? Certainly not for inventory lookup and ordering when shoppers can do this themselves. And no longer for immediate gratification as Amazon and other ecommerce sites neutralize this physical store advantage by partnering with same-day delivery services.

The purpose of the store will evolve to provide an exciting, rich physical experience. Consider a new flagship AT&T store in NY where the “experience” of shopping for mobile or network technologies is being transformed and includes:

    • 130 digital screens
    • The Explorer Lounge to play and learn about apps that interest them.
    • The App Bar where “app-tenders” serve up one-on-one or group demos, which are also displayed on multiple video monitors on the Apps Wall.
    • An 18-foot-high Connect Wall that shows interactive content and product information visible to the entire store and passers-by.
    • Products, apps and accessories organized by needs in the Lifestyle Boutiques, including Get Fit, Be Productive, Share Your Life and Chicagoland.


3) Empower Frontline Sales


You don’t want your sales associates to have less power or knowledge than your customers. Yet in many stores customers are equipped with the latest mobile devices, while the sales staff has no electronic equipment beyond the register. If equipped with smartphones, tablets and targeted apps, however, sales associates can demonstrate how products work or immerse customers in interactive mobile environments. The approach can be as simple as training staff to guide customers through existing tools.

At Burberry, some 20% of total sales are made on iPads, and half of those are on staff iPads in store, according to the Harvard Business Review article mentioned earlier. The article also noted that “by engaging in activities like these, salespeople shift into the role of helping customers rather than simply selling to them.”

AT&T is also having success at its New York City store by arming its salespeople. The retailer rolled out a mobile POS system that has changed AT&T’s concept of retail, expanding the store’s capacity during busy times. Using tablets added efficiency and promoted interaction, creating transparent, friendly, knowledgeable experiences. As Paul Roth, president of AT&T retail sales and service, put it:


“They just like us more when we use a tablet. This changed the way we do business.”


Additional Information:

Evaluating a Wi-Fi Solutions Provider? Make Sure They Talk SMAC

Mobile Shopping’s Data Goldmine via Harvard Business Review

Accenture Seamless Retail Study

IBM Retail Study

Sometimes you gotta talk some SMAC!   by Geoffrey Moore @geoffreymoore

AirTight Social Solution Brief


Another Controller-less Wi-Fi Solution by Matthew Norwood @matthewnorwood

The ‘New’ Enterprise WLAN Vendor by Lee H Badman @WiredNot

Product Review: AirTight Networks Wi-Fi by Craig Mathias via @NetworkWorld


AirTight Networks expands cloud-Wi-Fi product line


Catch @AirTight at Wireless Field Day 5, August 8th from 8 to 10 am PT (live) or via #WFD5 video archive



Controller Wi-Fi, controller-less Wi-Fi, cloud Wi-Fi: What does it mean to the end user?

July 17th, 2013

A New Twist on Wi-Fi

Wi-Fi architectures today come in three main flavors: controller, controller-less and cloud. While vendors spar over which is the right architecture for today’s and tomorrow’s Wi-Fi, customers are mostly interested in comparing them on their derived value.

In this blog post, we examine the economics, manageability and ease of deployment of these three architecture flavors. On these fronts, I have often seen the following eight points to be the most relevant to customers making an architecture choice for their Wi-Fi project.

In the following discussion, I use the term controller for an architecture that uses a tunneled or locally switched data plane but whose control plane is driven wholly or partially from the controller. Controller-less is a smart-edge architecture where the control plane resides at the edge, in the APs. Cloud is controller-less and, in addition, provides manageability from a console hosted in the cloud (only the management plane moves off premises; user traffic is still switched locally at the edge).


1)      Equipment required on customer premises


APs always need to be deployed onsite.

In a controller architecture (with or without local switching), controller appliances must also be deployed on the customer premises. In addition, for central manageability of large networks, a manager appliance overseeing the controllers has to be deployed on the customer premises.

In a controller-less architecture (without a cloud option), the APs are either smart-edge or include partial controller functionality. However, for central manageability, a manager appliance is still required on the customer premises. Even when the manager is provided as a virtual server, it still consumes server farm resources on the customer premises.

In contrast to the other two, a true cloud architecture is not only controller-less but also provides the manager in the cloud. It thus requires the least equipment on the customer premises (only the APs need to be onsite).


2)      Operational overheads for customer


Any equipment customers have to deploy on their premises and in their networks adds operational overhead: ensuring redundancy (which also means buying the equipment twice), backup processes, patch and upgrade management, and rack space management. By delegating as many functions to the cloud as possible, such operational overheads are eliminated from the customer’s side.


3)      Suitability for distributed networks


The controller architecture model was designed with localized campus deployments in mind. For distributed networks such as retail and branch office networks, it is not practical to deploy a controller at each site. It is also not efficient to operate a controller over a WAN link, even with local switching, because the control plane going back to the controller is subject to WAN link performance, which in turn impacts services at the edge.

Distributed architectures also require comprehensive centralized monitoring, so controller-less alone is not adequate. Cloud architectures are best suited for distributed networks because they are controller-less and also provide a comprehensive management console in the cloud.

True cloud Wi-Fi solutions, such as the one provided by AirTight, are consciously designed to decouple services at the edge from dependency on the manager, so that services at the edge run uninterrupted even if the cloud manager is not reachable from the APs. This is the property to verify in an evaluation: cut the WAN link and confirm that client authentication, local switching and security enforcement continue at the AP.


4)      Configuration and management paradigm


The overall configuration and management workflow of controller Wi-Fi is traditionally tied to boxes and appliances, whereas cloud Wi-Fi lets you manage your network along logical and business lines. Cloud can also take advantage of web technologies such as HTML5 for advanced configuration and management interfaces.


5)      Pricing


Controller architectures are priced on traditional models involving upfront capital expenses plus licensing and maintenance costs. Even some controller-less products follow similar pricing models. Cloud offerings, on the other hand, offer more flexibility and economy in the overall solution cost because capital expense and cloud subscription can be traded off against each other. Customers often find cloud pricing models more affordable.


6)      Network growth


Controller Wi-Fi requires either planning ahead for network expansion or purchasing additional controller equipment and licenses as the network grows. This is great for the vendor but not so much for the end user. Some controller-less offerings may likewise require planning for central manager capacity up front, or purchasing additional capacity in discrete increments as the network grows.

Cloud, on the other hand, does not require any manager-side capacity pre-planning, and you can grow organically without incurring the inefficiencies of unused capacity. True cloud Wi-Fi consoles such as AirTight’s are also designed to be horizontally scalable, allowing a virtually unlimited number of devices to be managed from a single pane of glass.


7)      Multi-tenancy


Cloud Wi-Fi can leverage multi-tenancy for compute, memory and disk resources at the data center. This provides the economies and efficiencies of resource sharing at the data center, making the overall offering more attractively priced. The flip side is that tenant isolation in the provider’s data center becomes part of your security evaluation of the offering.


8)      Value added services


Cloud Wi-Fi enables the deployment of value-added services on Wi-Fi that are also hosted in the cloud. Examples are social channel integration, integration with analytics applications, advanced guest managers, etc. The value-added services can be vendor provided or provided by third parties.



Additional Information:

A New Twist on Wi-Fi

Secure Cloud Wi-Fi for the Distributed Enterprise


Catch AirTight at Wireless Field Day 5 | August 7-9 2013

