Archive

Archive for the ‘mobile device management’ Category

BOM Math for Secure Wi-Fi Deployments

May 1st, 2013

By Hemant Chaskar

Building the bill of materials (BOM) is an important part of any Wi-Fi project plan. The cost of the APs and the cost of the other components in the Wi-Fi architecture together make up the overall BOM. We often see two types of large Wi-Fi deployments: distributed and dense. Examples of distributed deployments are clinics, insurance offices, bank branches, retail stores, hospitality providers, etc. The number of sites in a distributed Wi-Fi deployment can run into the hundreds, the thousands, or, as with some of our retail customers, even the tens of thousands. Dense deployments are typical of campus environments, in which there are a few campuses, each with a large number of APs; hundreds or thousands of APs may be required to cover a few campuses.

To compare and contrast the BOM for different types of AP platforms in large distributed or dense deployments, we can think of these deployments in units of sections. For a distributed deployment with many sites and a few APs per site, the section can be a site such as an insurance office, bank branch, or retail store. For a dense AP deployment, the section can be a floor of a multi-storey facility, or part of a floor (e.g., the East, West, North, and South sections of the floor plan). For each such section, one can compute the number of APs that can be deployed while staying within the overall Wi-Fi budget (the budget also has to account for the cost of the Ethernet drops required for the APs). For an apples-to-apples comparison, let us say that the customer can negotiate the same street price for the different types of APs. The tables below show how much functionality can be achieved in each section with a given number of APs, for each type of AP. Conversely, one can read them as how many APs per section are required to achieve certain functionality within each section.


1) Dual radio APs without support for dedicated scanning radios (where only background scanning is supported)


Dual Radio APs per Section | Traffic Radios | WIPS Radios for Dual-band Scanning | Limitations
1 | 2 | 0 | Minimal security with background scanning only. Unable to detect and contain many types of vulnerabilities and attacks. VoIP radios cannot use background scanning, so if you operate VoIP in, say, 5 GHz, even the minimal security protection is not obtained in the 5 GHz band.
2 | 4 | 0 | Same limitations as above.
3 | 6 | 0 | Same limitations as above.


2) Band-locked dual radio APs which can be either AP on both radios or WIPS sensor on both radios


Dual Radio APs per Section | Traffic Radios | WIPS Radios for Dual-band Scanning | Limitations
1 | 2 | 0 | Insecure.
2 | 2 | 2 | A full 2-radio device dedicated to WIPS is BOM inefficient.
3 | 4 | 2 | A full 2-radio device dedicated to WIPS is BOM inefficient.

3) Band-unlocked dual radio APs with per-radio AP or per-radio dual band WIPS sensor configuration option


Dual Radio APs per Section | Traffic Radios | WIPS Radios for Dual-band Scanning | Functionality Benefits over 2) | Functionality Benefits over 1)
1 | 1 | 1 | Secure | VoIP + full WIPS security
2 | 3 | 1 | 50% more traffic capacity + full WIPS | VoIP + full WIPS security
3 | 5 | 1 | 25% more traffic capacity + full WIPS | VoIP + full WIPS security


Clearly, for secure Wi-Fi deployments, the dual radio AP platform in which each radio is independently software configurable as an AP or as a dual-band WIPS sensor gives the maximum value for a given BOM, in terms of both traffic capacity and security. This mode of operation is only possible with specialized AP platforms that have band-unlocked radios. Let me elaborate below on what it means for the radios to be band-locked versus band-unlocked.


Dual radio APs with band-locked radios: Most dual radio enterprise APs are dual band and dual concurrent, but their radios are band-locked: one radio is configured for 2.4 GHz operation and the other for 5 GHz operation at boot time. So, once one radio is configured as an AP in one band (say the 2.4 GHz band), the other radio cannot scan channels in the 2.4 GHz band for WIPS functionality; it can only scan 5 GHz channels, because it is band-locked to 5 GHz. As a result, these AP platforms cannot support the most efficient option 3) described above, and a full dual radio device must instead be dedicated to WIPS, with one radio scanning 2.4 GHz channels and the other scanning 5 GHz channels for security monitoring (i.e., they degrade to the BOM-inefficient option 2) described above).

Dual radio APs with band-unlocked radios: Some differentiated dual radio AP platforms, such as AirTight APs, allow each radio to be independently software configurable as an AP or as a dual-band WIPS sensor. So when one radio is configured as an AP in one band (say the 2.4 GHz band), the other radio can still scan both the 2.4 GHz and 5 GHz bands. It takes RF expertise to design such APs. Such APs can support all three of the deployment options above and, in particular, are the only ones that support the most efficient option 3).
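The three tables and the band-locking constraint can be written down as a small model. The following is an added example, not AirTight's code: it encodes options 1), 2) and 3) as platforms, reproduces the table rows for any number of APs per section, and totals the BOM (APs plus one Ethernet drop each) across many sections. The per-AP street price and the Ethernet-drop cost are constructed placeholder values.

```python
"""BOM math for the three dual-radio AP platform types compared in the tables.

Added example (not AirTight's code). It generalizes the three tables to any
number of APs per section and any number of sections; the per-AP street
price and Ethernet-drop cost used in the demo are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Platform:
    name: str
    dedicated_scanning: bool   # can any radio be dedicated to WIPS scanning?
    per_radio_sensor: bool     # can one radio be a dual-band sensor while its
                               # sibling radio keeps serving traffic?


OPTION_1 = Platform("dual radio, background scanning only", False, False)
OPTION_2 = Platform("band-locked dual radio, whole device is AP or sensor", True, False)
OPTION_3 = Platform("band-unlocked dual radio, per-radio AP or sensor", True, True)


def radios(platform: Platform, aps: int) -> Tuple[int, int, bool]:
    """Return (traffic radios, dedicated dual-band WIPS radios, full WIPS?)
    for `aps` dual-radio devices of this platform in one section."""
    if aps < 1:
        raise ValueError("a section needs at least one AP")
    if not platform.dedicated_scanning:
        # Option 1: every radio carries traffic; background scanning only.
        return 2 * aps, 0, False
    if platform.per_radio_sensor:
        # Option 3: one band-unlocked radio scans both bands; every other
        # radio, including the sensor's sibling radio, serves traffic.
        return 2 * aps - 1, 1, True
    # Option 2: band-locked radios, so a whole device (2.4 GHz radio plus
    # 5 GHz radio) must be given up to obtain dual-band scanning.
    if aps == 1:
        return 2, 0, False          # the only device is needed for traffic
    return 2 * (aps - 1), 2, True


def min_aps(platform: Platform, traffic_needed: int, limit: int = 64) -> Optional[int]:
    """Smallest number of APs per section that gives full WIPS plus the
    required traffic radios, or None if the platform never gives full WIPS."""
    for aps in range(1, limit + 1):
        traffic, _, full_wips = radios(platform, aps)
        if full_wips and traffic >= traffic_needed:
            return aps
    return None


def traffic_gain_pct(aps: int) -> int:
    """Extra traffic capacity of option 3 over option 2 at the same AP count."""
    t3, _, _ = radios(OPTION_3, aps)
    t2, _, _ = radios(OPTION_2, aps)
    return round(100 * (t3 - t2) / t2)


def deployment_bom(platform: Platform, traffic_needed: int, sections: int,
                   ap_price: float, drop_cost: float) -> Optional[float]:
    """Total BOM (APs plus one Ethernet drop per AP) for `sections` sections,
    each needing full WIPS and at least `traffic_needed` traffic radios."""
    aps = min_aps(platform, traffic_needed)
    if aps is None:
        return None
    return aps * sections * (ap_price + drop_cost)


if __name__ == "__main__":
    for n in (1, 2, 3):   # reproduces the three table rows
        print(n, radios(OPTION_1, n), radios(OPTION_2, n), radios(OPTION_3, n))
    # Constructed prices: the same street price per AP for every platform.
    for p in (OPTION_2, OPTION_3):
        print(p.name, deployment_bom(p, traffic_needed=3, sections=100,
                                     ap_price=500.0, drop_cost=200.0))
```

With 100 sites each needing three traffic radios and full WIPS, the demo shows option 2) costing 1.5 times as much as option 3), because each band-locked site needs a third device just to host the sensor.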


In addition to AP platform consideration, there are additional Wi-Fi architectural factors which also affect total cost of solution:


a) Controller vs. controller-less architecture: This is particularly important in distributed deployments. Controller architectures, originally designed for campus deployments, require per-site controllers to achieve the full functionality of the AP. Deploying centralized controllers at headquarters that talk to APs over WAN links does not offer robust functionality in distributed environments. See my earlier blog post: Is your cloud Wi-Fi genuine, or is it controller over WAN imitation? The per-site controller requirement increases the total BOM, particularly when the number of APs per site is small (imagine 100 controllers for a 100-site deployment with 3 APs per site!). Controller-less Wi-Fi with smart edge APs, on the other hand, does not incur this additional cost.

b) Centralized control as add-on versus built into the solution: Large deployments require a centralized console for configuration, management and reporting. Wi-Fi architectures with controllers embedded in APs, originally designed for small localized deployments, are not adequate for large deployments. These AP-embedded controller solutions require additional on-site management server assets for centralized control, and may even require appliance controllers to fill the functionality gap between AP-embedded controllers and appliance controllers. These additional on-site server components add to the overall cost. Cloud managed Wi-Fi, on the other hand, does not incur additional cost for centralized management. I have discussed the differences between true cloud managed Wi-Fi and Wi-Fi solutions that merely have the word cloud in them in one of my earlier posts: Different shades of cloud Wi-Fi: Rebranded, Activated, Managed.

c) Security as add-on versus integrated into the architecture: Some AP vendors offer WIPS as an add-on to the Wi-Fi infrastructure. These architectures require additional WIPS appliances and licenses to enable WIPS, which drives the BOM up. If WIPS is built into the solution, on the other hand, no additional appliances or licenses are required.


As we saw, there are several factors, such as AP capabilities and the overall Wi-Fi architecture, which can cause the BOM for large Wi-Fi deployments to vary over a range of as much as 2X. By making the right choices on each of the above fronts, the BOM can be significantly reduced while obtaining the maximum value from the deployed Wi-Fi infrastructure. AirTight secure Wi-Fi can help meet these goals: band-unlocked dual radio APs, a smart edge controller-less Wi-Fi architecture, an HTML5 based central management console in the cloud, and the only top rated WIPS built into the solution.


802.11ac, 802.11n, Best practices, mobile device management, WLAN networks, WLAN planning

Why Casinos Fear 802.11ac

April 14th, 2013


Why Casinos Fear 802.11ac: Real-life Ocean's Eleven

By Hemant Chaskar

The expression "it's too good to be true … then it probably is" fits a recent Ocean's Eleven type caper. In March, the Crown Casino in Melbourne, Australia was the victim of a skimming scheme. Mark Butler of the Herald Sun reported that "a gambler has been able to get into the security system remotely and, … advise the player about what other cards the other players are holding, and he's cleaned up to the tune of 32 million." Amazing, isn't it? But anything is possible for that kind of "ROI"!


Did you know that Wi-Fi can also be used for skimming a casino?


Last year, we worked with a customer in Macau (the Las Vegas of the East) who described a casino skimming sequence over Wi-Fi, which is no less amazing than the Crown Casino story. In this sequence, the player has a Wi-Fi enabled camera or smartphone tucked on him. It takes video of the wheel of fortune being spun, the roulette wheel being turned, or cards being shuffled. The video is sent to the cloud in real time over Wi-Fi, using the neighborhood Wi-Fi APs around the casino floor; for this customer these were mainly in the shops and restaurants around the gaming zone, all of which had installed Wi-Fi for their guests. Cloud computers crunch the video frames to arrive at a high-probability estimate of the winning bet. The estimate is communicated to the player, who places his bets accordingly.


Higher speeds with 802.11ac make Wi-Fi skimming all the more feasible


With 802.11ac, Wi-Fi link speeds will go up several times. Video can then be sent to the cloud faster and at higher resolution, which makes the skimming scenario above even more effective. So, although 802.11ac is a boon for enterprises and consumers, it is something for casinos to worry about.


AirTight WIPS as antidote to skimming casinos over Wi-Fi


We offered AirTight WIPS to the Macau casino as an antidote to skimming over Wi-Fi. With location based policy enforcement, AirTight WIPS identifies when clients are in sensitive gaming areas and then does not allow their Wi-Fi radios to connect to any neighborhood APs. When clients are outside of the sensitive gaming areas, such as in the lobby, restaurants or stores, WIPS automatically releases them from containment so that they can connect to Wi-Fi again. We call it geo-fencing!

Another way WIPS helps casinos, which we have seen in the US, is to enforce the gaming regulation that online gambling provided by the casino, such as raffles and bingo, is not allowed outside of the casino facility. WIPS can detect when clients cross the boundary of the legal gambling facility and then prevent them from connecting to the casino APs, thereby ensuring that online gambling can only be done from the casino floors.

These are examples of applications of a technology that one cannot envisage while building it. Watching how much diverse value deep technology can provide is very satisfying.

When we worked with the Macau casino a few years ago, AirTight WIPS was overlaid on the Cisco WLC infrastructure that the casino had deployed for its own wireless applications. Now, AirTight offers its own state of the art enterprise WLAN access product line with controller-less, cloud managed, smart edge APs, and AirTight WIPS built in at no extra cost. So whatever the threat scenario may be (rogue APs, honeypots, PCI compliance, BYOD, CIPA compliance, gaming regulation or exotic casino skimming), with the AirTight Wi-Fi access solution you never have to worry about Wi-Fi security.


Additional Information:

Crown casino hi-tech scam nets $32 million via Herald Sun


802.11ac, 802.11n, mobile device management, WiFi Access, Wireless scanning, Wireless security

The Future of Enterprise WLAN in 2013 and Beyond

April 9th, 2013

By Kaustubh Phanse – AirTight Chief Evangelist

If predictions from leading technology analyst firms are to be believed, the worldwide Wi-Fi market will continue to grow.

Dell’Oro estimates the Wi-Fi market to grow to $9.9 billion by 2016 of which the enterprise WLAN segment alone is estimated to be over $5 billion in revenues.

Gartner anticipates an even faster growth for the enterprise WLAN segment, with spending expected to reach $7.9 billion in 2016.

Here are a few trends (some of which are already happening!), which will go hand-in-hand with this next wave of massive growth in the enterprise WLAN market.


Distributed Wi-Fi, Centrally Managed


A growing number of enterprises will want to extend their Wi-Fi rollout across remote locations, e.g., branch offices, retail stores, distribution centers, restaurants, and the list could go on. The key challenge then would be to have centralized visibility and management of the entire deployment—ideally from a single console.

This trend will make the traditional controller-based architecture outdated sooner rather than later, because it was not designed to manage Wi-Fi networks across geographically distributed sites. It's too complex, too costly, and does not scale. The changing of the guard is evidenced by the number of recent announcements from controller-based WLAN vendors. Some are hiding the controller in the cloud, some are hiding it in arrays, some are saying that they are giving customers a "choice" to turn it off (without telling them which functions will stop working without it!), while some are simply giving their marketing a "controller-less" spin. Unfortunately, you can't turn a fork into a spoon overnight to eat soup instead of spaghetti! Or maybe you can! ;-)


Naturally, an increasing number of enterprises are looking for an alternative that:

Linearly scales to tens, hundreds or thousands of distributed locations, but can be managed centrally from a single console;

Enables literally plug-and-play installation and true zero-touch configuration of access points (APs) at remote sites without IT staff;

Is fault-tolerant by design so the full wireless network and security functionality continues to work without depending on access to a central management server;

Supports a new paradigm of network and security management and role-based administration of distributed locations in the context of locations and not in the context of “SSIDs” alone.


WLAN as a Managed Service


That brings me to my next trend, which will redefine how enterprise Wi-Fi networks are managed: the cloud! Enterprises have adopted cloud technologies in recent years to replace software applications that they once ran on their own networks. In 2013 and beyond, an increasing number of companies will look to the cloud to manage their distributed Wi-Fi networks and related services such as wireless security and compliance. In many cases, they will outsource their network and security management to managed service providers (MSPs). In fact, we have seen significant growth in our partnerships with MSPs wanting to host cloud-managed WLAN services. But not all clouds are made equal, so providers looking for cloud partnerships should carefully assess how cloudy the cloud really is before making the leap. Only a true multi-tenant cloud solution will allow them to manage hundreds of customers in a cost-effective way, i.e., without having to host a server (appliance or VM instance) for every customer!


Bring Your Own Device (BYOD)


The BYOD trend, with employees using personal smartphones and tablets at work, has significantly driven Wi-Fi adoption and evolution over the last couple of years. It has also led to a growing number of other unauthorized Wi-Fi devices, e.g., rogue APs, soft rogue APs and mobile Wi-Fi hotspots, on enterprise networks. While mobile device management (MDM) and NAC vendors have tried to market themselves as the silver bullet for managing BYOD, neither has complete visibility into the Wi-Fi activity of these personal devices, and hence neither can provide comprehensive access control for BYOD. Naturally, questions are being raised on whether MDM is really needed, or whether it is dead.

A growing number of enterprises are opting for a reliable wireless intrusion prevention system (WIPS) – either as an overlay on top of existing WLAN solutions or as a built-in feature with their WLAN solution – to provide them with 24/7 wireless monitoring and policy enforcement, including BYOD. Automatic and accurate classification of Wi-Fi devices detected in the enterprise airspace, automatic fingerprinting and onboarding of smartphones and tablets onto the enterprise network, and the ability to reliably block any unauthorized devices or those violating security policies will be crucial to minimize security exposure and ensure compliance with regulatory requirements, while avoiding excessive burden on the IT security staff.


A New Standard, Higher Speeds!


Last, but not least, 2013 is also expected to see the ratification of a new Wi-Fi standard in the form of IEEE 802.11ac, nicknamed Gigabit Wi-Fi! 802.11ac uses wider channels (80 MHz and 160 MHz) than 802.11n (20 MHz and 40 MHz) in the relatively clean 5 GHz frequency band and enables data rates of up to 1.3 Gbps. Some pre-standard 802.11ac products are already on the market, with approval of the standard expected in late 2013. As was the case with 802.11n, the early 802.11ac rollouts will be mainly access points. This year has already seen some rumors and some announcements of 802.11ac support in mobile devices. However, widespread adoption of 802.11ac is expected only by 2014-2015, when the majority of Wi-Fi clients will support the standard. Until then, enterprises are likely to postpone investment in an 802.11ac upgrade of their WLAN infrastructure to maximize their ROI.


Listen to the ebook


Additional Information:

802.11n, BYOD, mobile device management, WiFi Access, Wireless security, WLAN networks

Securing your network from bring-your-own-device (BYOD)

June 12th, 2012

What makes network administrators and security professionals tear their hair out? The "cool" employee who is carrying 2 or 3 or more devices, only one of which is actually issued by the company. I admit, I am one of them, but not sure how "cool", just a gadget junkie. There is a lot of advice around these days about how to manage this deluge of personal smart devices entering the enterprise, but I found much of the advice given by Software Advice and CRM Market Analyst Ashley Furness very solid in her recent post, "Strategies to Secure Your Enterprise in the New World of BYOD". Some of it may seem obvious, but often the obvious is overlooked for just that reason. We all know folks who do not change their password from "admin". Ashley's article is a good addition to the body of work out there about the challenges of BYOD in the enterprise. One area which is not mentioned, however, is wireless intrusion prevention (WIPS), which is the natural ally of MDM. With MDM, employees have to have an incentive to get the agent onto their devices. WIPS solves that problem. AirTight WIPS, as an example, protects the network from being accessed by unauthorized devices (those which have credentials but are not an authorized device) by allowing administrators to set up rules which will automatically block unauthorized devices (not just rogue APs) from connecting to the network.

AirTight recently concluded a study of IT professionals to understand their attitudes, challenges and methods of dealing with BYOD, and it became obvious that there is a lot of concern around this subject. As the BYOD tide rises, organizations will need to embrace various smartphones and tablets for enterprise applications, while at the same time tackling the security challenges of consumerization. On one hand, it is necessary to ensure that the IT-assigned, authorized smart mobile devices are free of malware and that these devices and the data on them can be centrally managed and monitored by IT. On the other hand, IT will be required to deal with unmanaged personal mobile devices attempting to access corporate IT assets, since such personal mobile devices may not be within IT's device management reach.

Additionally, increased consumerization of smart mobile devices may also heighten the risk of rogue Wi-Fi connections on the enterprise premises. As a result, an all-encompassing approach to BYOD security will entail protecting IT-assigned devices, gatekeeping the unmanaged mobile devices, and blocking rogue Wi-Fi connections. Security systems are available today which address different parts of the BYOD security problem. (See the tables below.) The right combination of these security systems can provide comprehensive BYOD security.

BYOD, mobile device management, smartphones, Wireless security

WIPS complements MDM security by blocking personal smart devices

May 27th, 2011

With the explosive growth of smart devices in the enterprise, Mobile Device Management (MDM) is a hot topic among IT departments these days. In order to secure the network and protect sensitive data on mobile endpoints, many organizations are deploying tools to secure, monitor, and manage smart devices accessing their networks. Installing an MDM agent on mobile assets gives the IT department the ability to enforce VPNs, remotely wipe data off stolen or lost devices, and ensure that devices under management by the IT staff are running the most current and secure applications.

But is this really enough to protect you?

No. In today's "BYOD" (bring your own device) culture, the reality is that personal smart devices will continue to attach to your network. These devices may not have your favorite MDM agent running on them, thus exposing your network and data to security threats again. Enterprises need a "gatekeeper" control to ensure that only approved devices with an installed MDM agent can attach to the corporate network. By adding a strong WIPS solution to your enterprise security portfolio, you will have the ability to enforce such control and complete your mobile security strategy.

A robust wireless IPS (WIPS) solution will detect, identify and locate unauthorized smart devices connecting to the network and generate a real-time alert, or, even better, block those unmanaged devices from connecting in the first place. Better yet, a good WIPS will allow you to define your security policy by device type, VLAN, and location. For example, iPhones could be allowed to connect to the guest network for Internet access, but could still be blocked from accessing the internal network.

Watch this technical webinar for more information.
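The policy logic described in this post (a gatekeeper that admits only MDM-managed devices to the corporate network, with device-type rules on top) and the location rules from the casino post above (geo-fencing of neighborhood APs inside sensitive gaming areas, and blocking the casino's gaming network outside the facility boundary) can be expressed as one rule evaluator. This is an added example, not AirTight's code or its WIPS policy engine; the zone names, device records and rule ordering are constructed assumptions.

```python
"""WIPS connection-policy evaluator: device type, network and location rules.

Added example (not AirTight's code). Models the gatekeeper rule from this post
and the geo-fence / facility-boundary rules from the casino post. Zones,
device records and rule order are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Client:
    mac: str
    device_type: str    # e.g. "iphone", "android", "laptop"
    mdm_managed: bool   # MDM agent enrolled and reporting
    zone: str           # location estimated by the WIPS sensors


@dataclass(frozen=True)
class Attempt:
    client: Client
    ap_class: str       # "authorized" (our AP) or "neighborhood" (not ours)
    network: str        # "corporate", "guest", "gaming" or "external"


# Constructed zone model: where the sensitive gaming areas are, and which
# zones lie inside the legal gambling facility at all.
SENSITIVE_ZONES = {"gaming-floor"}
INSIDE_FACILITY = {"gaming-floor", "lobby", "restaurant", "shops", "office"}

# Constructed device-type policy: which of our networks each type may use.
ALLOWED_NETWORKS = {
    "iphone": {"guest", "gaming"},
    "android": {"guest", "gaming"},
    "laptop": {"guest", "corporate"},
}


def evaluate(a: Attempt) -> Tuple[str, str]:
    """Return ("allow" | "block", reason). The first matching rule wins."""
    c = a.client
    # Rule 1, geo-fence: inside a sensitive gaming area no client may use a
    # neighborhood AP (closes the video-to-cloud path). Released elsewhere.
    if c.zone in SENSITIVE_ZONES and a.ap_class == "neighborhood":
        return "block", "geo-fence: neighborhood AP from sensitive zone"
    # Rule 2, gaming regulation: the casino gaming network is only reachable
    # from inside the facility boundary.
    if a.network == "gaming" and c.zone not in INSIDE_FACILITY:
        return "block", "gaming network outside facility boundary"
    # Neighborhood APs outside sensitive zones are not ours to police.
    if a.ap_class == "neighborhood":
        return "allow", "neighborhood AP outside sensitive zone"
    # Rule 3, gatekeeper: the corporate network requires an MDM-managed device,
    # even if the device holds valid credentials.
    if a.network == "corporate" and not c.mdm_managed:
        return "block", "unmanaged device on corporate network"
    # Rule 4, device-type policy: e.g. iPhones get guest but not corporate.
    if a.network not in ALLOWED_NETWORKS.get(c.device_type, {"guest"}):
        return "block", f"{c.device_type} not permitted on {a.network}"
    return "allow", "policy satisfied"


def evaluate_all(attempts: List[Attempt]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch and return (mac, action, reason) per attempt."""
    return [(a.client.mac, *evaluate(a)) for a in attempts]


if __name__ == "__main__":
    # Constructed sample: one player on the floor, one laptop in the office.
    player = Client("00:11:22:33:44:55", "iphone", False, "gaming-floor")
    laptop = Client("66:77:88:99:aa:bb", "laptop", False, "office")
    for mac, action, reason in evaluate_all([
        Attempt(player, "neighborhood", "external"),
        Attempt(laptop, "authorized", "corporate"),
    ]):
        print(mac, action, reason)
```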

Best practices, mobile device management, smartphones, WiFi Access, Wireless security, WLAN networks

Aberdeen Wireless LAN Report Tracks Impact of Smart Devices

May 20th, 2011

A special Aberdeen Group report titled "Wireless LAN 2011: Readying the Invisible Network for the Smart Revolution" is the first industry study to track the impact of the rapid rise of smart devices on the WLAN.

The proliferation of embedded WiFi devices – smartphones, tablets, and Machine-to-Machine sensors (M2M) – and the explosion of wireless activity in and around the enterprise make maintaining a good security posture and meeting regulatory compliance requirements more challenging than ever.

According to Andrew Borg, senior research analyst, Wireless & Mobility for Aberdeen, and the report’s author, “A network is suboptimal unless network performance and security are both addressed. It isn’t enterprise class if it isn’t secure. As a consequence top-performing organizations are consistent in considering network security a high priority.”

This report is available immediately at no cost, courtesy of AirTight Networks.

Best practices, Compliance, mobile device management, smartphones, Wireless scanning, Wireless security, WLAN networks

Are Smartphones the New Platform for “Mobile Hacktivism”

May 9th, 2011

There's been a lot of news in recent weeks surrounding the Sony PlayStation Network breaches. One of the questions that I have received multiple times since this started is whether or not this was a wireless breach, or whether wireless was in any way part of the Sony vulnerability.

From what we understand, no. It sounds like web servers were compromised. But could these types of attacks happen over Wi-Fi? You bet.

"Hacktivists" essentially volunteer to participate in these coordinated attacks. The tools used are often easy to use and freely available. They just need people willing to join the cause to create the distributed denial of service. Firewalls are supposed to keep the "bad guys" out, but there is nothing stopping anyone from putting these same tools on a smartphone and carrying out the same attacks from INSIDE an organization, not just remotely from the Internet.

The same techniques used against Sony, MasterCard, and Visa, as well as the type of attack that breached TJX, can now be launched from personal smart devices (iPhones, iPads, Androids, etc.) inside your network. In fact, Gopinath K.N., Director of Engineering at AirTight Networks, has demonstrated just this type of scenario at various security conferences and in online presentations. See his demo here.

Additionally, smartphone malware can be distributed in the form of an application easily downloaded from the Internet (think of all the gaming and social media apps available for iPhones and Androids). It's really no different from how PCs become infected with worms, viruses and malware by visiting untrusted sites and downloading insecure applications.

Once the malware is installed, if that compromised smart device attaches to the corporate network, the malware can be used to launch a stealthy attack from inside the corporate network, with or without the knowledge or consent of the smart device's owner. Sensitive data could even be sent off-site via the device's own Wi-Fi or 3G radio.

Considering that smart devices and tablets now outnumber PCs in new sales, this may not be so far-fetched. A major difference between PC security and smart device security is that the tools to detect and defend PCs against these vulnerabilities are significantly more mature and more widely deployed than smartphone security is in practice today. Organizations need to determine whether or not unauthorized smartphones are allowed to attach to their Wi-Fi networks (guest and corporate), and how they will enforce wireless security policies to keep themselves secure.

Best practices, Compliance, mobile device management, PCI, smartphones, Wireless security

Are smartphones outsmarting your network security?

April 1st, 2011

If you are concerned about the proliferation of smart devices (iPhones, Droids, tablets) and the impact on your network security, then this is a "can't miss" webinar. The inability to detect and block unauthorized personal devices from attaching to your network puts your business at risk. AirTight CTO and Founder Pravin Bhagwat discusses the challenges of mobile device management and the limitations of existing wireless network security measures.

Listen to the recorded webinar here.

802.11n, Best practices, Compliance, mobile device management, smartphones, Wireless scanning, Wireless security, WLAN networks