Archive for the ‘BYOD’ Category

Away from Corner Cases: High Density, Low Throughput Wi-Fi

March 19th, 2014

In my blog called Corner Cases, I mentioned that high density, high throughput (HDHT) cases are in the extreme minority (<1%). In this blog, I would like to discuss High Density, Low Throughput (HDLT), which I believe will be the situation that over half of the installed Wi-Fi infrastructures of the world will face at some point over the next 5-7 years. I want to clarify that when I use the term “high density”, I’m referring to client density (lots of clients in a physical area), not AP density (lots of APs in a physical area).

Unless you’ve been camping out under a rock, you may have heard the term “Internet of Things” or IoT for short. This moniker refers to the movement toward connecting previously-unconnected devices onto the Internet. To clarify, things are being connected to the Internet, thus we get Internet of Things. So how many of these things are we talking about? Oh… a few I suppose. Gartner is saying there will be 26 billion IoT devices and an additional 7.3 billion smartphones/tablets/PCs by 2020. The vast majority of these devices will connect wirelessly, so we’re about to see a crazy explosion in device density. Obviously it doesn’t all grind to a stop in the year 2020, which is truly just around the corner.

The important point to make here is how device density affects: 1) network design, and 2) the type of equipment you purchase to appropriately support your customers (over the lifecycle of your next infrastructure upgrade/refresh). Most vendor marketing departments like to tightly bind high-density and high-throughput requirements together, but they are completely separate topics. You can have the following scenarios:

  • Low Density, Low Throughput (LDLT)
  • Low Density, High Throughput (LDHT)
  • High Density, Low Throughput (HDLT)
  • High Density, High Throughput (HDHT)

HDLT: the de facto standard

I don’t think that comes as a surprise to anyone. In the Corner Cases blog, I specifically addressed HDHT networks and pointed out that they are in the extreme minority today. HDLT networks are reasonably common today, but usually not to any extreme. When IoT bears its full weight on the market (which will be far sooner than you might realize), HDLT networks will be the de facto standard. In a nutshell, this means that APs will need to associate (connect) lots of devices (I foresee 100+ devices per radio becoming common fairly soon), but the traffic to/from each of those connected devices may often be sparse. APs will likely need good QoS, a good understanding of client behavior and needs, and of course security will be all-the-more important with the breadth of devices connecting to the network.

Let’s consider a specific scenario, the average branch office (perhaps real estate or insurance) with 20 employees, to make my point. Today, the branch could possibly have the following devices connected to the Wi-Fi infrastructure:

  • Laptops
  • Tablets
  • Smartphones
  • Printers (let’s hope not, but you never know)

Let’s fast-forward to the year 2020 and consider how that same branch office might look from a technology standpoint. What items within the office could feasibly be Internet-connected in addition to what they have today?

  • Security cameras
  • Printers (they definitely will)
  • Digital signage
  • Digital picture frames at workers’ desks
  • Appliances (e.g. refrigerator, water cooler, coffee maker)
  • Cars that are within range of the in-building (or outdoor) Wi-Fi
  • Wearable technology (watch computers, eyeglass computers, etc.)
  • Building controls (thermostats, security systems, fire systems, etc.)

I’m sure I could go on and on, but for the sake of time, I’ll stop listing things. I’m sure you got my point. It’ll be a ton of things for sure. Some will want some bandwidth (e.g. picture frames sucking down 3MB photos from a file share on a server at a pace of 1 new photo every 5 minutes times 10 picture frames in the office), and some will want very little (e.g. your digital watch updating you on the temperature outside). All-in-all, the bandwidth requirements will be modest at best, but the number of devices will be ridiculous.

Remember how BYOD started? Companies tried to stop it by creating company policies. Yeah, that worked out… NOT. It will be the same way for IoT. It will progress like this:

Users: We want our things on the Wi-Fi.
Admin: No.
Users: Yes, because if you don’t, _________.
Admin: OK, you win, but your devices will be firewalled, rate-limited, and highly controlled.
Users: I don’t care so long as they work properly. Hey wait, why doesn’t my picture frame work properly? It probably needs more bandwidth. Fix it.
Admin: No.
Users: We’ll tell.
Admin: Ugh! OK, it’s fixed, now leave me alone.

BYOD stands for Bring Your Own Device, and trust me, they will, but not just smartphones, tablets, and laptops. They’re going to bring Internet-enabled pens, shoes, and heart monitors. You, Mr. Admin, will be powerless to stop it. You thought all of this BYOD stuff had just about fizzled and was limited to just a few vertical markets, didn’t you? Ha. It’s barely even begun, and you haven’t seen complexity yet… just wait. How will you manage those Internet-enabled pens again? No, I don’t mean just at Layer-2… that’s the first step. I mean at Layer-7 also. Sorry I had to break that news to you. Bumpy ride ahead.

There are companies today who are building cloud infrastructures that are specifically designed to manage all kinds of IoT devices for the manufacturers who make them. That’s good thinking. Not every company in the world wants to build a cloud to keep their Internet-enabled devices up-to-date and to push content to them.

In closing, I will reiterate that it will soon be the number of devices, not high throughput, that will become the more significant issue across a large section of the Wi-Fi market as a whole. Make a note, it’s coming.

BYOD, mobile device management, smartphones, WiFi Access, WLAN planning

How to implement BYOD with Wi-Fi / WIPS assist

June 18th, 2013

Wi-Fi has become the de facto access medium for smart mobile devices in enterprise networks. Sitting at the edge of the network, Wi-Fi can assist greatly in implementing secure and disciplined BYOD in these networks.

There is no one-size-fits-all when it comes to BYOD management in the enterprise. However, from my experiences working with Wi-Fi and WIPS deployments, I have seen certain features that are particularly useful for organizations in implementing BYOD. This blog post explores some of these in greater detail.

1) Monitor new devices entering Wi-Fi

Monitoring for new smart devices entering the network is a first and important step in the implementation of disciplined BYOD. Wireless clients connecting to Wi-Fi are fingerprinted using packet level and protocol level characteristics to identify smart mobile devices.

WPA2 alone is not sufficient to stop personal devices from entering the protected Wi-Fi network.

2) Enforce pre-configured policies on new devices entering Wi-Fi

Once a new smart mobile device is detected in the Wi-Fi network, different types of pre-configured policies can be automatically implemented. For example, one policy would be to block or limit access to new smart devices pending authorization. The Wi-Fi/WIPS solution can facilitate such policy enforcement by blocking new devices from accessing the secure network or providing them only limited access (e.g., access to only the Guest SSID) until they are approved by the IT administrator.

3) Automated approval/onboarding of new devices on secure Wi-Fi

Using mobile apps provided by Wi-Fi/WIPS vendor: With the rising volume of new devices entering the network, manual approval and inventory may prove to be cumbersome. Using onboarding apps provided by the Wi-Fi/WIPS vendor, this process can be automated. New smart mobile devices are redirected to a portal and upon installation of the onboarding app, devices are allowed to enter the protected Wi-Fi. The onboarding app facilitates automated inventory and tracking for smart devices after they are admitted into the secure network. This app can also automatically configure secure WPA2 settings on the device without administrator intervention.

Using third party MDM agents: Many organizations deploy specialized MDM (Mobile Device Management) systems to manage smart mobile devices accessing corporate assets. Several MDM system choices are available in the market, so a BYOD onboarding workflow in a Wi-Fi solution that facilitates device onboarding with third party MDM agents is useful. With this workflow, new devices attempting to connect to the network without hosting the MDM agent prescribed by IT are detected and redirected to install the MDM agent. Upon installing the MDM agent, they are allowed to enter the protected Wi-Fi. A point to note here is that MDM alone does not complete the BYOD story; a combination of MDM and Wi-Fi gatekeeping is what is required. This is because MDM can control only managed devices, but Wi-Fi/WIPS gatekeeping detects unmanaged devices and helps bring them under MDM control. AirTight Wi-Fi provides an API to implement this workflow using third party MDM agents.

4) Wireless security for the admitted devices

Once admitted into the network, the mobile devices need to be afforded strong protection from vulnerable wireless connections and wireless attacks including rogue APs, tethering, personal hotspots, Wi-Phishing, client connections to neighborhood APs, ad hoc connections, etc. With BYOD, the sheer volume of wireless endpoints seen in the wireless environment is expected to triple or quadruple over the next 2-3 years. As a result, a fully automated, strong WIPS, free from false alarms and not requiring excessive configuration and signature maintenance, needs to be part of the Wi-Fi solution in order to implement truly secure BYOD.

As we can see, enterprises can take advantage of many Wi-Fi and WIPS features to implement secure and disciplined BYOD in their networks. These features range from identifying new smart devices entering the network, to assisting in smooth onboarding of the new devices, to securing the new devices once they are admitted into the secure Wi-Fi networks. So don’t get stressed by BYOD; there are Wi-Fi and WIPS to assist you.

802.11ac, 802.11n, Best practices, BYOD, mobile device management, smartphones, WiFi Access, WLAN networks, WLAN planning

The Future of Enterprise WLAN in 2013 and Beyond

April 9th, 2013

By Kaustubh Phanse – AirTight Chief Evangelist

If predictions from leading technology analyst firms are to be believed, the worldwide Wi-Fi market will continue to grow.

Dell’Oro estimates the Wi-Fi market to grow to $9.9 billion by 2016 of which the enterprise WLAN segment alone is estimated to be over $5 billion in revenues.

Gartner anticipates an even faster growth for the enterprise WLAN segment, with spending expected to reach $7.9 billion in 2016.

Here are a few trends (some of which are already happening!), which will go hand-in-hand with this next wave of massive growth in the enterprise WLAN market.

 

Distributed Wi-Fi, Centrally Managed

A growing number of enterprises will want to extend their Wi-Fi rollout across remote locations, e.g., branch offices, retail stores, distribution centers, restaurants, and the list could go on. The key challenge then would be to have centralized visibility and management of the entire deployment—ideally from a single console.

This trend will make the traditional controller-based architecture outdated sooner rather than later because it was not designed to manage Wi-Fi networks across geographically distributed sites. It’s too complex, costly, and does not scale. The changing of the guard is evidenced in the number of recent announcements by controller-based WLAN vendors. Some are hiding the controller in the cloud, some are hiding them in arrays, some are saying that they are giving customers a “choice” to turn it off (without telling them what functions will stop working without it!), while some are simply giving their marketing a “controller-less” spin. Unfortunately, you can’t turn a fork into a spoon overnight to eat soup instead of spaghetti! Or maybe you can! ;-)

Naturally, an increasing number of enterprises are looking for an alternative that:

  • Linearly scales to tens, hundreds or thousands of distributed locations, but can be managed centrally from a single console;
  • Enables literally plug-and-play installation and true zero-touch configuration of access points (APs) at remote sites without IT staff;
  • Is fault-tolerant by design so the full wireless network and security functionality continues to work without depending on access to a central management server;
  • Supports a new paradigm of network and security management and role-based administration of distributed locations in the context of locations and not in the context of “SSIDs” alone.

WLAN as a Managed Service

That brings me to my next trend, which will redefine how enterprise Wi-Fi networks are managed: Cloud! Enterprises have adopted cloud technologies in recent years to replace software applications that they once ran on their own network. But in 2013 and beyond, an increasing number of companies will look to the cloud to manage their distributed Wi-Fi networks and related services such as wireless security and compliance. And in many cases, they will outsource their network and security management to managed service providers (MSPs). In fact, we have seen a significant growth in our partnerships with MSPs wanting to host cloud-managed WLAN services. But, not all clouds are made equal. So providers looking for cloud partnerships should carefully assess how cloudy the cloud is before making the leap. Only a true multi-tenant cloud solution will allow them to manage hundreds of customers in a cost-effective way, i.e., without having to host a server (appliance or VM instance) for every customer!

Bring Your Own Device (BYOD)

The BYOD trend, with employees using personal smartphones and tablets at work, has significantly driven Wi-Fi adoption and evolution over the last couple of years. It has also led to a growing trend of other unauthorized Wi-Fi devices, e.g., Rogue APs, Soft Rogue APs and mobile Wi-Fi hotspots, on enterprise networks. While mobile device management (MDM) and NAC vendors have tried to market themselves as the silver bullet for managing BYOD, neither of them has complete visibility into the Wi-Fi activity of these personal devices and hence cannot provide comprehensive access control for BYOD. Naturally, questions are being raised on whether MDM is really needed or whether it is dead.

A growing number of enterprises are opting for a reliable wireless intrusion prevention system (WIPS) – either as an overlay on top of existing WLAN solutions or as a built-in feature with their WLAN solution – to provide them with 24/7 wireless monitoring and policy enforcement, including BYOD. Automatic and accurate classification of Wi-Fi devices detected in the enterprise airspace, automatic fingerprinting and onboarding of smartphones and tablets onto the enterprise network, and the ability to reliably block any unauthorized devices or those violating security policies will be crucial to minimize security exposure and ensure compliance with regulatory requirements, while avoiding excessive burden on the IT security staff.

 

A New Standard, Higher Speeds!

Last but not least, 2013 is also expected to see the ratification of a new Wi-Fi standard in the form of IEEE 802.11ac, nicknamed Gigabit Wi-Fi! 802.11ac uses wider channels (80 MHz and 160 MHz) as compared to 802.11n (20 MHz and 40 MHz) in the relatively clean 5 GHz frequency band and enables data rates up to 1.3 Gbps. Some pre-standard 802.11ac products are already in the market, with the approval of the standard expected in late 2013. As was the case with 802.11n, the early 802.11ac rollouts will be mainly access points. This year has already seen some rumors and some announcements of 802.11ac support in mobile devices. However, widespread adoption of 802.11ac is expected only by 2014-2015, when the majority of Wi-Fi clients will support the standard. Till then, enterprises are likely to postpone the investment in an 802.11ac upgrade of their WLAN infrastructure to maximize the ROI.

 

802.11n, BYOD, mobile device management, WiFi Access, Wireless security, WLAN networks

Securing your network from bring-your-own-device (BYOD)

June 12th, 2012

What makes network administrators and security professionals tear their hair out? The “cool” employee who is carrying 2 or 3 or more devices and only one of them is actually issued by the company. I admit, I am one of them but not sure how “cool”, just a gadget junkie. There is a lot of advice around these days about how to manage this deluge of personal smart devices entering the enterprise, but I found much of the advice given by Software Advice and CRM Market Analyst, Ashley Furness, very solid in her recent post, “Strategies to Secure Your Enterprise in the New World of BYOD”. Some of it may seem obvious, but often the obvious is overlooked for just that reason. We all know folks who do not change their password from “admin”. Ashley’s article is a good addition to the body of work out there about the challenges of BYOD in the enterprise. One area which is not mentioned, however, is wireless intrusion prevention (WIPS), which is the natural ally of MDM. With MDM, employees have to have an incentive to get the agent on their devices. WIPS solves that problem. AirTight WIPS, as an example, protects the network from being accessed by unauthorized devices – those which have credentials but are not an authorized device – by allowing administrators to set up rules which will automatically block unauthorized devices (not just rogue APs) from connecting to the network.

AirTight recently concluded a study of IT professionals to understand their attitudes, challenges and methods of dealing with BYOD and it became obvious that there is a lot of concern around this subject. As the BYOD tide rises, organizations will need to embrace various smartphones and tablets for the enterprise applications, while at the same time tackling the security challenges from consumerization. On one hand, it is necessary to ensure that the IT assigned authorized smart mobile devices are free of malware and that these devices and the data on them can be centrally managed and monitored by IT. On the other hand, IT will be required to deal with unmanaged personal mobile devices attempting to access the corporate IT assets, since such personal mobile devices may not be within IT’s device management reach.

Additionally, increased consumerization of the smart mobile devices may also heighten the risk of rogue Wi-Fi connections on the enterprise premises. As a result, an all-encompassing approach to BYOD security will entail protection of IT assigned devices, gatekeeping the unmanaged mobile devices, and blocking rogue Wi-Fi connections. Security systems are available today which address different parts of the BYOD security problem. (See the tables below.) The right combination of these security systems can be useful for comprehensive BYOD security.


BYOD, mobile device management, smartphones, Wireless security

Smart Mobile Devices — “Stress Test” for the WIPS of the Future

March 22nd, 2012

Traditionally, when talking of wireless security in the enterprise, we talked about embedded Centrino Wi-Fi, Linksys rogue APs, open source DoS tools, and compliance requirements (PCI, DoD, HIPAA). While these topics continue to be important today, the upcoming proliferation of smart mobile devices is the new frontier for enterprise wireless security to address. The inundation of smart mobile devices will result in new monitoring requirements, not hitherto discussed. These requirements would amount to a “stress test” for the WIPS, and only the best of breed can hold up. While the new monitoring requirements will be many and varied, ranging from unauthorized BYOD to heightened rogue AP risk, in this post I wish to discuss some interesting and unique scenarios (numerous soft mobile hotspots, Nintendo chat blocking, wireless geo-fencing) I have already encountered this year working with customers.

BYOD, smartphones, Windows 7, Wireless gadgets, Wireless security

1 Minute Survey: BYOD – Love it/Hate it?

March 16th, 2012

Take the BYOD survey and enter to win an 8GB iPod Touch.

The BYOD trend is causing new security concerns for enterprise network and data security. Corporate users (e.g. employees, contractors) are accessing the enterprise network and data, and bypassing corporate security controls, using their personal Wi-Fi devices. This uncontrolled access can open wireless backdoors into the enterprise network and lead to malicious activity, leakage of sensitive data, and exposure to malware.

Click the link to take the BYOD survey and enter to win an 8GB iPod Touch.

https://www.surveymonkey.com/s/ATNBYODsurvey2012

 

Phones are increasingly becoming portals to the outside world, with their own networks that can bridge WiFi security and provide an unauthorized laptop with access. AirTight would like a minute of your time to understand how pervasive these devices are in your organization and if they have affected the way you address network security.

As a thank you for helping AirTight with this short survey, two names will be drawn at random to win an 8GB iPod Touch. To be entered in the drawing please submit your contact information at the end of this survey.

BYOD, Wireless security