En Garde!

Based on what I have learned over the last few years regarding mobility and security, I propose some foundational guidelines for protecting any enterprise mobility environment.
Hidden SSID
In an age where a hidden SSID can be easily discovered, this step is merely meant to limit visibility and deter the accidental threat. The accidental threat is someone who never intended to connect to a wireless network. However, when this person sees the revealed SSID, he attempts to access the network multiple times with various passphrases. Depending on the alerting settings, this harmless user will trigger false alarms.
MAC Authentication
Once again, we are in an age where there is a countermeasure to this level of protection. Similar to the hidden SSID, MAC authentication deters the accidental and harmless threat. This person will connect to the network, realize that there is essentially no access to the network, and disconnect.
WPA2/PSK Encryption
As of March 2014, it has been documented that this method of security also has vulnerabilities. With those vulnerabilities, WPA2/PSK becomes another deterrent for an accidental and rather pedestrian threat.
Now that pedestrian intruders have been weeded out, you as an administrator know that any unknown device that is connected to a hidden SSID, bypassed MAC authentication, and decrypted WPA2/PSK has access to the network and is a legitimate threat. For intruders like the one just mentioned, at minimum, this next level of protection is required.
Wireless Intrusion Detection
With WIDS enabled, the network will detect anomalies within the network. That includes rogue access points, unauthorized devices, MAC spoofing, and various attacks at the disposal of a malicious intruder. In the event that the deployed network is the only wireless network within the area, an administrator could configure the system to automatically take action (WIPS) without human intervention.
Access Point Power Settings
Keeping the signal within the coverage area [as best as possible] reduces coverage bleed and can help keep unwanted users off the network. This requires network intruders to come into the coverage area to attempt to threaten the network. With security cameras properly deployed in the area and/or an observant store manager, an administrator may be able to physically identify the network intruder and possibly match a device to a person.
Probe Response Threshold
Setting the probe response threshold establishes a minimum signal strength for network connectivity, and its purpose is similar to adjusting the power settings. Although this functionality does not reduce coverage bleed, it requires network intruders to come closer, ideally inside the coverage area. When coupled with some additional vigilance, an administrator can put a face to a device.
Time-Based Access Restrictions
Without the proper access restrictions the previous two protection methods may not provide the desired results. A network intruder could wait until closing hours or the weekend to attempt malicious attacks. In the event that some minimum coverage bleed exists, closing hours gives him all the time in the world to find the coverage leak, gain access to the network and wreak havoc.
Temporary “Self-Destruct” Accounts
In many mobility deployments of enterprise networks, installers that are not employees install and configure the network. Using various automation tools administrators can push parameters to all network equipment and protect access credentials. When network verification is required, this becomes a challenge. Many environments have employees that are not qualified to properly verify mobility services within the environment. When coupled with installers that are not employees, proper verification is a challenge. This can be resolved with temporary accounts that provide installers with just enough access and time to verify that the network has been properly configured and performs according to specifications.
Security Appliance
Now that the wireless portion of the network has been protected, turn your attention to the wired portion of the network. Although this may be a small percentage of the network, it is just as important. I recommend employing as many of the same security measures on the wired network that have been employed on the wireless network. This protects
For some this may appear to be over the top. But when protecting a wireless network from unwanted users, think of this network as a home in a tough part of town. What tools would a resident use to protect his family and/or himself from unwanted intruders?
  1. Shut and Close all Windows and Curtains (Hidden SSID)
  2. Keys for Residents Only (MAC Authentication)
  3. Locked Doors (WPA2/PSK Encryption)
  4. Few Items of Interest (Access Point Power Settings/Probe Response Threshold)
  5. Minimal Visitors (Time-Based Access Restrictions)
  6. Security Cameras/Alarm System (WIDS)
  7. Contact Authorities/Take Immediate Action (WIPS)
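The layers above can be checked mechanically. The following is an added example, not code from the original post: a small policy evaluator that applies a MAC allow-list, the time-based access window, an alert on repeated failed passphrase attempts (the "accidental threat" described earlier), and a simple MAC-spoofing heuristic to constructed association-log events. The MAC addresses, AP names, business hours and thresholds are all assumptions for illustration.

```python
"""Added example (not from the original post): evaluate constructed
wireless association events against the protection layers discussed above."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample policy: allow-listed client MACs and store hours.
ALLOWED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
OPEN, CLOSE = time(8, 0), time(21, 0)   # time-based access window (assumed)
FAILED_AUTH_ALERT = 3                    # alert once this many failures occur
SPOOF_WINDOW_SECONDS = 30                # same MAC on two APs this close: suspicious

# Constructed events: (timestamp, client MAC, AP id, event type).
# "auth_fail" = wrong passphrase, "assoc_ok" = successful association.
SAMPLE_EVENTS = [
    ("2014-03-10 09:15:00", "aa:bb:cc:00:00:01", "ap-1", "assoc_ok"),
    ("2014-03-10 09:16:00", "de:ad:be:ef:00:01", "ap-1", "auth_fail"),
    ("2014-03-10 09:16:30", "de:ad:be:ef:00:01", "ap-1", "auth_fail"),
    ("2014-03-10 09:17:00", "de:ad:be:ef:00:01", "ap-1", "auth_fail"),
    ("2014-03-10 09:20:00", "aa:bb:cc:00:00:02", "ap-2", "assoc_ok"),
    ("2014-03-10 09:20:05", "aa:bb:cc:00:00:02", "ap-3", "assoc_ok"),
    ("2014-03-10 10:00:00", "de:ad:be:ef:00:02", "ap-2", "assoc_ok"),
    ("2014-03-10 23:30:00", "aa:bb:cc:00:00:01", "ap-1", "assoc_ok"),
]


def parse_ts(raw: str) -> datetime:
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")


def in_business_hours(ts: datetime) -> bool:
    """Time-based access restriction: only allow associations while open."""
    return OPEN <= ts.time() < CLOSE


def evaluate(events):
    """Return a list of (alert_kind, mac, detail) tuples, in event order."""
    alerts = []
    failures = defaultdict(int)   # MAC -> count of failed passphrase attempts
    last_ok = {}                  # MAC -> (timestamp, ap) of last good association

    for raw_ts, mac, ap, kind in events:
        ts = parse_ts(raw_ts)

        if kind == "auth_fail":
            failures[mac] += 1
            # Alert exactly once when the threshold is reached, so a harmless
            # user guessing passphrases does not generate a flood of alarms.
            if failures[mac] == FAILED_AUTH_ALERT:
                alerts.append(("repeated_auth_failures", mac,
                               f"{failures[mac]} failed attempts on {ap}"))
            continue

        if kind != "assoc_ok":
            continue

        # A device that is not allow-listed but still associated has passed
        # every deterrent layer; the post treats this as a legitimate threat.
        if mac not in ALLOWED_MACS:
            alerts.append(("unknown_mac_associated", mac, ap))

        if not in_business_hours(ts):
            alerts.append(("after_hours_association", mac, raw_ts))

        # Heuristic: one MAC appearing on two different APs within a short
        # window may be spoofing (fast roaming can also cause this; tune the
        # window per deployment).
        prev = last_ok.get(mac)
        if prev and prev[1] != ap and (ts - prev[0]).total_seconds() < SPOOF_WINDOW_SECONDS:
            alerts.append(("possible_mac_spoofing", mac,
                           f"seen on {prev[1]} and {ap} within {SPOOF_WINDOW_SECONDS}s"))
        last_ok[mac] = (ts, ap)

    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```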

A Tool’s Got To Know Its Limitations


One of the wonderful things about mobility and its related technologies is that, from the simple to the complex, you can learn something new every day. In this post, I will address something that is relatively simple…
…virtual site surveys
For simple environments an engineer can get away with a virtual site survey. In some instances, a site inspection can be conducted as well. Many customers like virtual site surveys because they are low-cost and require a small financial commitment (normally a couple hundred dollars). However, many buildings, especially older constructions, require a more detailed assessment with some type of physical site survey. A physical site survey can be expensive. Before understanding the price and before deciding to deploy a mobility solution, many customers reject the idea of spending upwards of a few thousand dollars just to determine the price of deployment. In sticky situations like these a virtual site survey can bring the customer and you together. Remember, a virtual site survey is low-cost and, if done properly, can provide a relatively accurate access point count. Based on a general access point count, the customer may decide to move forward. If so, the larger investment of a physical site survey will dictate where access points should be installed.
Before using a site planning tool to conduct a virtual site survey, realize that the results generated from this tool are no substitute for an active site survey. Within complex environments the purposes of a virtual site survey are the following:
  • sets customer expectations
  • helps customer understand the required budget
  • helps customer understand the installation scope
  • helps customer save money
The virtual site survey also provides comparative data to the physical site survey. This becomes important for customers with hundreds of locations that require a mobility solution. The customer may be willing to pay for only ten to twenty physical site surveys and have an aggressive deployment deadline. Results from the comparative data may provide information that allows the engineer to successfully install the remaining sites with only a virtual site survey and an inspection. In order to do that, one must gather accurate information. That information must consist of the following:
Floor Plan Drawn to Scale
Think of the floor plan as the canvas and the results of the site survey as the painting. Without a floor plan drawn to scale you are working on a horrible canvas. And when you start with a horrible canvas, you get a horrible painting. In other words, a solid floor plan is a requirement and non-negotiable.
Coverage Area, Ceiling Height, and Dimensions
The customer must determine whether the entire property requires coverage or just an area that is critical to business (i.e. back-office, showroom, food court, etc.). The dimensions and ceiling height inform you of your horizontal and vertical boundaries. Together, this information helps predict how many access points may be required to cover an area at a certain signal strength.
Age of Structure
The age of a structure can provide insight into the signal propagation of each access point deployed. Newer structures tend to use newer materials that allow a signal to better propagate throughout a building. Similar to the usage of lead paint before 1977, older structures tend to have materials with higher attenuation values. As a result, when conducting a virtual site survey, I use standard attenuation values for more recent buildings. For older buildings that use concrete interior walls, I tend to adjust the attenuation value toward the higher end of the range.
Overall WLAN Purpose
This information helps determine the access point that will be used to conduct the virtual site survey (and for that matter, the active site survey). Purposes such as general Internet access, line busting, VoWi-Fi, and Unified Communications will dictate whether an access point that supports 802.11g/n, 802.11a/n, or 802.11ac is included within the survey results.
Device Type, Version, Age, Density
Often overlooked, this device information is just as important as coverage area, ceiling height, and dimensions. It is not enough to focus on the access points sending the signal. With so many devices on a network, it is important to plan based on the lowest common denominator. For example, a customer may deploy an open Internet network and a back office that is primarily used for inventory. Most likely, there will be few laptops. However, there will be a range of old and new tablets, smart phones, and most importantly, scanners. Generally, scanners are sensitive to signal propagation. In areas furthest from an access point, other mobile devices may connect with ease. But scanners may not see the network at all. In such a situation, it is important to know the model of scanner being used and understand its signal threshold.
The overall device density may dictate that a different access point be used in a particular area. For example, access points that support more devices may be deployed in the banquet hall of a hotel, but access points that support a standard number of devices may be deployed throughout the remainder of the building. In addition, a mixture of mobile and stationary wireless devices may dictate final survey results.
With this information a relatively accurate virtual site survey can be conducted. But when conducting a virtual site survey, my final piece of advice is to use…
Regions with a Dash of Walls
When I initially began conducting virtual site surveys I would spend an hour or more attempting to account for every wall, door and window within a floor plan. But within site planning tools, the region functionality creates a coverage area with the desired environment and wall type. Based on my assessment, using the region functionality has been more accurate than manually drawing the walls, doors, and windows.
As you can see, the information required to conduct a successful virtual site survey is similar to the information required for a successful physical site survey. In one instance, we must rely on the property manager or owner. In the other, we rely on the engineer to gather the information. Although a virtual site survey is not always appropriate, it can help mobility professionals deploy both complex and simple structures.

The Technology Is Right… Are You Right For the Technology?

When I began writing the outline for this post, I thought that I would discuss the roles and responsibilities within an organization’s mobility team. I wanted to further describe how, when done properly, an organization gets mobility right. Then I realized that the roles and responsibilities that I have defined may not be within other organizations and, for the purpose of this post, are irrelevant. As a result, I decided to blog about what an organization must do to get mobility right. Given the audience I imagine that we all know how to properly deploy a wireless network. So, in addition to designing, deploying, and supporting the right wireless network, getting mobility right requires that you perform the following:

Get Educated On Mobility Services, Not Just Wireless Networking.
More and more businesses require that the service do more than just provide Internet access. With every service that is provided, businesses are trying to find ways to attract more people, connect the customer with the brand, create and control the experience, and develop customer loyalty. These steps can, in turn, generate more revenue. By itself, the right mobility solution cannot accomplish this. However, the right mobility solution can be a key component to achieving success. Your knowledge of the mobility component of the overall plan is where you add your value.
Get Educated On WAN Technologies. (“My wireless is slow.”)
Mobility services and WAN services work hand-in-hand. Today it is rare that a customer wants a closed wireless network. Most customers want secure, not closed, access. That secure access allows them to safely utilize the Internet as an extended resource. That secure access is only viable if users can access those Internet resources within a reasonable amount of time. Given the overall requirements and [potential] mobile device count, build a network, wireless and wide-area, that meets the customer’s needs. Furthermore, many customers do not distinguish between the access point’s device density, the wireless LAN, and the wide-area network. Have you noticed that when connected to a wired network people are likely to state that the computer OR the network is slow? However, when connected to a wireless network almost all complaints regarding performance relate solely to the speed of the wireless network. Our customers associate the WAN with the wireless network. So should you.
Understand The Short-, Long-Term Benefits of a Mobility Deployment.
Many customers see mobility as an added expense with no added value. It is important that you educate customers on what seems obvious to us. For example, mobility deployments and upgrades are less expensive than comparable wired deployments. For the purpose of servicing patrons, wireless networks are more scalable than wired networks. Wireless networks provide access to information and additional mobility services from anywhere coverage is provided. This access empowers both the patron (limitless information) and the customer (visibility and control).
Recognize Mobility Opportunities.
Recognize and understand a customer’s cues as they relate to mobility. A customer may not know that a mobility solution is best suited to solve the problem. All a customer may do is present you with his end-game and give you the responsibility to help him meet that goal. That is your cue to step in and propose a mobility solution that is right for that opportunity. For example, if a customer states that he wants patrons to have access throughout the building, strategically placed wireless kiosks may solve the immediate problem. But what if this initiative is very successful? The kiosk solution will not scale. Present the customer with the idea of turning every patron’s smart phone and tablet into a mobile kiosk. This way he will never run out of kiosks and the solution will scale more easily. The next phase of the service may only consist of a WAN upgrade and not finding space for more kiosks.
Understand Your Customer.
Without understanding what your customer does, the problem that has been identified, how much they are willing to spend, etc. you cannot attempt to offer any type of solution. You are wasting your time. I will give you an example.
Last year I had the opportunity to provide a wireless network to a customer that wanted to generate more revenue. The customer thought that a wireless network with Internet access would get people into the stores. Once in the stores, patrons would comparison shop and realize that this store offered the best price. In turn, patrons would buy more products. I thought that this was the perfect customer. He knew what he wanted and knew that it would work. I never thought to inquire about the validity of the customer’s game plan or end game. I thought that my job started and stopped with the wireless deployment.
In hindsight, it is obvious that I was wrong. The customer did not properly market the availability of the service. When you couple that with the fact that the company’s website did not have a shopping component to it, patrons had no reason to use the Internet access as a tool to comparison shop. Patrons used the network to browse the Internet, read e-mail, and update mobile apps. Had I taken some time to ask the right questions, I would have been able to tell the customer that in order to achieve the success he wants, a mobility strategy is required. This is not the Field of Dreams. If you make it, they will not necessarily come.
Know The Tools At Your Disposal.
Similar to wireless and wide-area networks, knowing your offerings goes hand-in-hand with understanding your customer. You must first understand whether the solution you offer meets the needs of the market. Otherwise, you are wasting everyone’s time. Based on my experience, the last thing you want to do is provide the wrong solution to any customer. Providing the wrong solution is like buying a car that is classified as a lemon. No matter how many times you put it in the shop, it will never run in the intended manner. Your best option is to get rid of it and start anew.
As you perform the above you may realize that you must shut the door on many opportunities or shut the doors entirely. But acting on the answer may open doors to not just new opportunities, but new “real” business and “real” deployments. However, in order to maximize your time and resources, a tough decision must be made.

Enterprise Mobility Redefined??

A couple of weeks ago I submitted a post regarding what I feel is a forgotten strategy of security and compliance of enterprise networks. The post was based on an article that I read. Although my comments within the post focused on security and compliance during the deployment (installation, configuration, verification) of a network, I did pose a question regarding the real-time security and compliance of a wireless network. The response I received addressed real-time protection in the form of deep packet inspection within a wireless environment. The contributor’s response (Thanks Nik!) also pointed out that the current methods (hidden SSID, WPA2/PSK, MAC authentication) used to protect a wireless enterprise network all have known vulnerabilities (hyperlinks to supporting articles below). I was aware that someone could get around hiding the SSID and MAC authentication. But I was not aware that deciphering the WPA2 passphrase was well known. The response post and the supporting articles caused me to consider that spectrum analysis and WIDS, at the very least, must be a standard feature to any enterprise network. This may not be news to others in the forum, but to me this is major.
If WIDS becomes a standard for enterprise networks, the baseline feature set for wireless equipment changes. Autonomous access points and mobility controllers will have to offer WIDS, WIPS, and stateful firewall functionality. Deep packet inspection would no longer be a key differentiator. In the event that a security breach occurs and a customer decided not to sign up for WIDS, at the very least, service contracts will have to contain language that excludes the MSP from responsibility. This new information has caused me to pose the following questions:

Within enterprise networks, should WIDS functionality be a new requirement?
If WIDS (and possibly WIPS) functionality is enabled, is there a need to ensure that installers have restricted access to the network during deployment?
Should WIPS functionality be a new requirement as well? If so, what features could be enabled that minimize the probability of lawsuits?
What are some of the best tools to certify WIDS/WIPS functionality?
In deploying a wireless network, do the increased resources required to enable WIDS/WIPS become a factor?
Despite the vulnerabilities of a hidden SSID, WPA2, and MAC authentication, should these still be used in conjunction with WIDS, WIPS, and a stateful firewall?


Customers Are Just Like Infants…

…when it comes to mobility. This time last year I was in the process of preparing for the installation of ten customer test sites with the potential for many more. The customer’s intention was to determine if adding a guest Wi-Fi network added any value to his business. Although the customer had simple requirements, we left no stone unturned. Thankfully all network deployments went well and the customer had no complaints – except one. With the deployment of a guest Wi-Fi network the customer did not see any increase in sales and did not want to pursue an enterprise-wide deployment. Our team put in a great deal of work and had very little to show for the effort. I was disgusted, but I later learned that I should have seen this coming. Now fast forward to the fall of last year. I am a first-time father with a steep learning curve. Up until this point I was scared to hold another parent’s baby. Now my wife and I had one of our own. There is no training for waking up in the middle of the night to the screams of a newborn. You cannot predict how you will react when your baby poops in your hand. (My child literally pooped in my hand.) And for the first couple of months reading our child’s cues seemed impossible. But like most parents, my wife and I want the best for our child and are determined to figure it out. Somewhere during this early stage of fatherhood it hit me. When it comes to mobility, customers are just like infants. Infants are new to this world and are learning along the way. Many of our customers are new to mobility and have no idea what they really want. Many of our customers surprise us with requirements and requests that seem harmless to them. But to us, it is the equivalent of pooping in our hands. Many customers are not going to just tell us that they want a mobility solution either. We have to read their cues (i.e. “I want a tablet in the hands of all of my employees.”).
During most customer discussions, making sense of the seemingly harmless statements and reading the cues are what shape a customer’s mobility needs. If you are determined to deploy not just the right wireless network but the right mobility service, you put yourself in the position to provide your customer with the right solution. That is not what I did a year ago. Because I did not read the cues, our customer did not achieve their goal (generate more sales). The point of this post is not to insult customers in any way. Because just as there are parallels between infants and mobility customers, there are parallels between parents and mobility professionals. This post attempts to illustrate how we as mobility professionals should approach customer engagements. Although we do not have to love our customers as if they were our children, we must have a passion to get mobility right. That even includes telling a customer that, based on what you want to accomplish, a wireless solution is not right for your enterprise (as in the example above). You, Mr. Customer, require a mobility solution. From that passion to get mobility right should come the patience required to listen to customer requirements, read their cues, calmly guide them through all viable options, and develop a cohesive solution that is right for them. If mobility professionals take this approach with customers, I am confident that there will be fewer disappointed customers and fewer disgusted mobility professionals.


A Forgotten Strategy of Security and Compliance

A few days ago I read an article regarding security and compliance in retail. As we are well aware, a retail space can consist of both guest and enterprise environments. Of course, the article rightfully focused on the protection of enterprise systems (i.e. POS, back office, inventory, etc.) within an enterprise environment. The strategies presented were accurate and consisted of such topics as detection throughout a transactional process, multi-level protection, and security education. As a wireless and (aspiring) security professional I immediately realized that, although accurate, the strategies presented did not account for a wireless environment. More specifically, the article did not account for the installation and verification (or sign-off) of an enterprise wireless environment. Before applying any post-deployment strategies, a network architect must ensure that the environment is, at the very least, initially pristine.

Many retail organizations handle the wireless deployment (installation, configuration, verification) in-house. For organizations that adopt that model, hiding the SSID, changing the passphrase to the SSID after every deployment, MAC authentication, and the proper ACLs may be enough. But what if the retail organization is a nationwide enterprise with 500+ locations and has employed the services of an MSP? One can still hide the SSID, but now the SSID and passphrase are known by someone outside of the retail organization – namely, the installer. In fact, the “hidden” SSID and passphrase can be potentially known by 500+ WLAN installers (non-employees). In such an environment, changing the passphrase and/or SSID after every deployment is no longer scalable.

Part of ensuring that the environment is pristine consists of ensuring that only those that require network credentials to the enterprise environment actually have the credentials to the environment. Without a viable, comprehensive solution to this potential catastrophe, not only is the network in danger, but so are the installers. If there is a security breach during the deployment of this large nationwide network, the integrity of the installers, along with anyone else that has knowledge of the network SSID and its credentials, comes into question. So my questions to the community are the following:

  1. How do we better protect the networks?
  2. How do we better protect the installers?