Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.
Wi-Fi will expand to include new authentication methods, more enterprise support: The Wi-Fi Alliance, responsible for the brand name Wi-Fi and the certification and testing that stand behind it, will add two new authentication methods to the suite supported as part of WPA2: EAP-FAST and EAP-AKA. EAP (Extensible Authentication Protocol) is a generic method of sending messages between parties.
EAP-FAST (Flexible Authentication through Secure Tunneling) is a Cisco replacement for the long-deprecated LEAP (Lightweight EAP), which was broken back in 2004. Unlike PEAP and EAP-TTLS, popular ways of validating a WPA2 Enterprise session with server certificates and tunneling credentials, FAST uses certificates only as an option. (EAP-FAST is itself vulnerable, although those vulnerabilities can be avoided in a deployment.)
EAP-AKA (Authentication and Key Agreement) is the more critical of the two, an authentication system designed for use on 3G networks--both GSM- and CDMA-evolved systems--with a lot of flexibility about the kind of credential that's used to authenticate a device to a network.
The alliance has long included testing of five other EAP methods, including TLS (per-device certificate), TTLS, PEAPv0 and PEAPv1, and SIM. EAP-SIM is used with 2G GSM devices.
Edgar Figueroa, the executive director of the Wi-Fi Alliance, said in an interview that EAP-AKA testing and certification goes along with the group's interest in Wi-Fi in handsets. "It's very much in alignment with our intent to continue to support convergence," he said.
Handsets need to be more capable of easily logging into Wi-Fi networks because of the constant increase in the scale of data being sent to handheld devices, coupled with the cost and limits of 3G data to subscribers. "Users may be cognizant they are paying for that data traffic really quickly if they don't get on that Wi-Fi network," Figueroa said.
I asked Figueroa about a related issue: the coming deluge of single-stream 802.11n devices which are aimed at handsets as a replacement for 802.11g. Single-stream N will use single antennas and a single radio chain, which means that the encoding speed could be much faster than 802.11g, but can't approach the 100 to 150 Mbps top rates possible with two-radio, wide-channel multi-stream 802.11n devices in laptops and base stations. (You can read more background about this in my article, "Does the iPhone Need 802.11n?", 26 March 2009.)
The potential for consumer confusion could be high, with two bands, multiple streams, and other options. "Simpler is better," he said. The alliance is discussing "how information is needed, and how much may be superfluous, and how much do we want to complicate our brand."
One item in the group's favor is that all the 802.11n devices I'm aware of that support the 5 GHz band also support 2.4 GHz. This could make 2.4 GHz the default mode for compatibility. An increasing number of consumer base stations are simultaneous dual band, too, which alleviates issues on the client side. (There may be some specialized enterprise gear that's 5 GHz 802.11a or 802.11n only.)
Unrelated to today's announcement, a minor security update is planned in the future for WPA2 to add 802.11w, which provides integrity for management frames. These specialized frames carry no user data; they are used to exchange signaling messages, such as association and status information, between an access point and a client.
But, most critically, disassociation and deauthentication frames are sent in this fashion without any protection. A network attacker can disrupt a network by forging these requests, which aren't checked for validity. 802.11w applies cryptographic protection to these frames so that forged requests are rejected rather than acted upon.
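As an added example (not code from the original post), here is the check a passive monitoring station would make for the forged disassociation and deauthentication frames described above: it decodes the 802.11 frame control field, skips unicast frames that carry the 802.11w Protected Frame bit, and flags any BSSID that emits a burst of unprotected deauth/disassoc frames in one second. The frames and timestamps are constructed sample data, the 10-per-second threshold is an assumed tuning value, and validating BIP-protected broadcast frames (which carry an MMIE rather than the Protected bit) is out of scope.

```python
import struct
from collections import defaultdict

# Management frame subtypes from the IEEE 802.11 frame control field
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
FLAG_PROTECTED = 0x40           # "Protected Frame" bit in the flags byte of frame control
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes):
    """Decode the 24-byte 802.11 MAC header. Returns None for anything but a management frame."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]   # frame control is little-endian
    version = fc & 0x3
    ftype = (fc >> 2) & 0x3                      # 0 = management, 1 = control, 2 = data
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    if version != 0 or ftype != 0:
        return None
    info = {
        "subtype": subtype,
        "protected": bool(flags & FLAG_PROTECTED),
        "dst": mac_str(frame[4:10]),      # addr1: receiver
        "src": mac_str(frame[10:16]),     # addr2: claimed transmitter (trivially spoofable)
        "bssid": mac_str(frame[16:22]),   # addr3
        "reason": None,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # 2-byte reason code
    return info


def build_mgmt_frame(subtype, dst, src, bssid, reason=None, protected=False):
    """Build a minimal management frame as constructed sample data (no capture involved)."""
    fc = (subtype << 4) | ((FLAG_PROTECTED << 8) if protected else 0)
    hdr = struct.pack("<HH", fc, 0)                       # frame control, duration
    for mac in (dst, src, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    hdr += struct.pack("<H", 0)                           # sequence control
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


def detect_deauth_floods(captures, threshold=10):
    """captures: list of (timestamp_seconds, raw_frame).
    Returns one alert per (bssid, second) with >= threshold unprotected deauth/disassoc frames."""
    buckets = defaultdict(int)
    broadcast_keys = set()
    for ts, raw in captures:
        info = parse_80211_header(raw)
        if info is None or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        if info["protected"]:
            continue   # 802.11w-protected unicast frame; the receiver verifies its MIC
        key = (info["bssid"], int(ts))
        buckets[key] += 1
        if info["dst"] == BROADCAST:
            broadcast_keys.add(key)   # one forged broadcast deauth kicks every client at once
    alerts = []
    for (bssid, second), count in sorted(buckets.items()):
        if count >= threshold:
            alerts.append({"bssid": bssid, "second": second, "count": count,
                           "broadcast": (bssid, second) in broadcast_keys})
    return alerts


# Constructed sample capture: a 12-frame burst of spoofed broadcast deauths from AP_A,
# one 802.11w-protected deauth, one legitimate single deauth from AP_B, and a data frame.
AP_A = "00:11:22:33:44:55"
AP_B = "00:11:22:33:44:66"
CLIENT = "66:77:88:99:aa:bb"
DATA_FRAME = bytes([0x08, 0x00]) + b"\x00" * 22   # type 2 (data), ignored by the parser


def sample_capture():
    frames = [(i * 0.05, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP_A, AP_A, reason=7))
              for i in range(12)]
    frames.append((0.9, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP_A, AP_A, reason=7, protected=True)))
    frames.append((5.0, build_mgmt_frame(SUBTYPE_DISASSOC, CLIENT, AP_B, AP_B, reason=8)))
    frames.append((5.1, DATA_FRAME))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(sample_capture()):
        print("deauth flood:", alert)
```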
The minor flaw in the TKIP encryption method discovered last year won't have any impact on the security protocols or tests by the alliance, Figueroa said. "We have consistently advocated WPA2 as the protocol that people should be using"--a message echoed by all sensible security consultants, writers, and researchers.
On the enterprise side, Figueroa said the Wi-Fi Alliance had a few enterprise-oriented projects in the works with a timetable of about two years for reaching fruition.
One is WMM-Admission Control, which enhances the WMM (Wireless Multimedia) quality of service provisioning protocol (from 802.11e) with resource availability. WMM by itself allows data to be assigned one of several priority queues to ensure, for instance, that voice packets make it through.
The admission control addition would let a set of managed devices restrict a device from joining a given base station channel if the resources to support an additional call or stream weren't available. "If you allow that to happen otherwise, you end up having a non-elegant degradation for all who are using the network," Figueroa noted.
The ultimate protocol might include a form of "advice," in which a device was told a different channel to join that had resources free for what the device was intending to do.
A related future improvement is Voice-Enterprise, which will provide more robust testing of VoIP over Wi-Fi at the scale used in large networks. Currently VoIP testing by the alliance simulates a loaded network with four calls being placed; the enterprise flavor will test in a simulation of dozens of calls along with many access points in use and fast roaming among them.
Finally, Wireless Network Management will one day extend detailed network status information that's required for network monitoring and troubleshooting to network administrators. While Wi-Fi access points can report a fair amount of information today--and that varies by vendor and network design--the testing program would establish a baseline and interoperability parameters.
John Cox has an interesting rundown on large installations picking 802.11n for client use instead of upgrading or adding more Ethernet: Cox, in a Network World story, starts with the observation that some companies and many colleges are finding huge numbers of unused Ethernet ports, which means they're paying depreciation and operating expenses on gear they're not using.
One school he speaks to has 80 to 90 percent of its Ethernet switch capacity unused. The CalState system performed careful analysis of current use and opted to cut 2,500 switches, which will save $30m in hardware-related spending, exclusive of HVAC/electricity savings.
At colleges, this is a simpler matter, because campuses can simply eliminate new spending for Ethernet in dorms and elsewhere and pull switch plates and switches, or reduce the number of jacks by a large number without impairing functions. While some students might have desktop computers, surveys keep finding that most arrive at campus with laptops or purchase them on arrival. Businesses may still need to have Ethernet active because of their heavier desktop use.
For instance, in a 2008 survey of incoming students at the University of Virginia, which reached 95 percent of the class, only a single person of the 3,071 asked did not own a computer. That number was as high as 26 percent (634 of 2,437) in 1997, but has dropped to a negligible amount since 2003 (30, 10, 18, 4, and 4 in successive years had no computer).
Now out of those 3,070 computer owners in 2008, only 36 had desktops. That's a lot of spending on Ethernet for 1 percent of students. And those desktop systems might have had Wi-Fi built in if they were Macs (Mac Pros are the only model that requires an add-on build-to-order Wi-Fi adapter) and most student/entry-level oriented Wintel systems.
802.11n found its way into colleges quite early, but enterprises now have a wide range of affordable options from major and minor vendors alike that are proving more cost effective than 802.11g or a/g was because of the greater capacity and range of 802.11n. Everything I hear from companies and read in reports shows that dual-band 802.11n overcomes almost all of the gating factors that made 802.11g useful but not strictly a wired replacement for clients.
Most clients don't need anything like the 100 to 150 Mbps throughput that 802.11n can offer in ideal cases. Rather, each client may need from 1 to 10 Mbps in a more or less reliable and guaranteed fashion, and with a multi-channel switched WLAN, enterprises can easily deliver that.
College campuses have lower requirements, seemingly, with Cox noting that 1 Mbps is a reasonable threshold for common activities. In those cases, you need networks that can support massive concurrent users in relatively small areas, like classrooms or quadrangles, a very different requirement from the business network.
No one's suggesting Ethernet will be pulled out. It's still the only way to run critical services, and you need quite a lot of it to backhaul all the WLAN systems that are being put in. But there's a growing divide between client Ethernet and server/backhaul Ethernet that can let companies and colleges trim their IT budgets without reducing utility for their users.
Novatel Wireless has introduced a sleek mobile 3G router that's seemingly far more than its competition: The MiFi is a cellular router due out in the first quarter of 2009, with pricing not yet disclosed. While there are several competitors on the market, notably from Junxion, a firm acquired by Sierra Wireless earlier this year, Novatel claims some unique qualities. The MiFi will have an internal battery that can offer 3G to Wi-Fi bridging for up to 4 hours of use and 40 hours of standby.
The slim unit appears to be designed around an integral card that's not removable, which is a departure from most similar designs, which allow interchangeable cards supplied by an integrator or an end-user. Novatel hasn't yet said what technology will be inside, but it's easy to envision both EVDO Rev. A and HSPA versions, with a slot for inserting the necessary authentication card.
Novatel also says it will differentiate the MiFi by allowing third-party applications to run on the system, and supporting external storage with a microSD slot that can handle formats up to 8 GB. That means that the MiFi could act as a caching Web server, a store-and-forward mail server, a VPN end point, and other purposes as well.
Apple adds enterprise features to the iPhone, including 802.1X, and opens it to developers: Today's announcement from Steve Jobs was full of surprises, including the fact that Apple licensed Microsoft's ActiveSync for full Exchange support, and the level at which developers will have access to iPhone hardware and information.
The 2.0 software, free to all current owners of iPhone, will be available in June, which kind of tips the hand as to when we'll see a 3G iPhone, too, I imagine. iPod touch owners will pay a "nominal" upgrade fee, as Apple books iPhone revenue over 24 months and iPod revenue as units are sold.
Apple will pile in all the stuff that enterprises demanded from Research in Motion in the Blackberry platform--and that RIM built in--including support for 802.1X (including WPA2 Enterprise) for authenticated Wi-Fi login, two-factor authentication, certificates, and additional VPN types. They're also adding "remote bricking," a critical feature that allows a stolen or misused phone to be remotely and securely wiped.
On the developer side, Apple is opening up the whole puppy in a way that I didn't expect. I assumed the firm would put limits on whether the cell data connection could be used by apps, but not restrict the Wi-Fi side. The announcement puts nothing off limits except VoIP over cell data, although there's a list of characteristics that software can't contain, such as being malicious or a bandwidth hog. All software is distributed and installed via App Store, available on an iPhone or in iTunes for synchronization. This includes free software. Apple will therefore vet, and ostensibly be able to halt use of programs that exhibit behavior they deem bad. Jobs said, "We can turn off the spigot if we need to." Every app will be signed by a developer certificate.
Developers can have access to location information provided by Google (cell towers) and Skyhook (Wi-Fi) for use in their programs. No mention was made of privacy settings for such. Skyhook's Loki toolbar requires that you grant permission to Web sites that want to obtain your location details; I expect a system-wide approach to that, too.
No mention was made today of a few particular problems with iPhone security, such as the ability to tunnel and traverse a VPN across multiple network media, such as using an iPhone for a secure connection while you travel from work, across the EDGE network, and to hotspots. This likely could be built on top of the enterprise features. You'd also need policy management, such as disallowing certain kinds of connections without a VPN being active or over non-trusted Wi-Fi networks.
Certainly, this is a big step forward for corporate users, mobile applications, and consumer ease on the iPhone platform. The beta is available today to developers; you can become a developer for $99. Amazingly, Apple's developer site crashed and is still unavailable two hours after the press conference ended.
Cisco releases full details on problem at Duke: While widely reported that one or two Apple iPhones out of about 150 used on Duke University's Wi-Fi network were bringing down groups of a dozen to 30 access points at one time, it turns out it was a Cisco fault all along that the iPhone triggered. A Duke assistant IT director initially blamed the iPhone for the problem. He later posted a note on his blog that he "regret[ted]" sounding quite so sure it was the iPhones' fault.
Cisco's security advisory, "Wireless ARP [Address Resolution Protocol] Storm Vulnerabilities," explains how in a very particular set of circumstances, a mobile device moving between access points and retaining certain information could cause Cisco network controllers to produce a storm of ARP requests. When I first heard about this problem in email from Miller--I declined to write about this because I thought it was too speculative at the time--the 18,000 ARP requests being made per second seemed like far too high a number to be produced over a wireless connection by a single mobile device.
While the advisory doesn't cite the Duke situation, the company confirmed that the Duke situation was what triggered this advisory and update, according to Network World.
The iPhone is now in the clear as the culprit, just the trigger. It's likely we'll see more vulnerabilities and bugs show up, however, because of the extreme mobility and promiscuity of the iPhone. It's willing to connect to any network it knows whenever it sees it, and to hop off onto EDGE whenever the network performance drops too low.
Network World reports that Bluesocket will release MIMO access point: Bluesocket has an enterprise-scale wireless LAN system that specializes in policy-based management and access control. The new AP will cost $795 when it's available in July, twice the price of its predecessor, but MIMO's increased coverage area could reduce the amount of equipment necessary by more than 50 percent. Less equipment reduces per-AP expenses for management, too.
Hotspot and access point aggregated management software company Sputnik expands, updates its product line: The company specializes in providing a centralized console that allows management and reporting across a network of Wi-Fi access points, whether for academia, hotspot networks, hotzones, or companies.
Sputnik Server 110 is a 1U rack-mounted server pre-loaded with 10 AP licenses and the Control Center software for $2,699; additional licenses can be purchased. The company's new AP 210 ($279) has a 285 milliwatt transceiver and the 260 ($399) has two such radios. They're designed for extended coverage, and can handle, the company says, point-to-point links of up to two miles. They have the nice feature of keeping traffic isolated, so that users on the network can't turn on promiscuous mode to examine other users' data.
They also released a Linksys WRT54GL firmware image which allows the new Linux-based model (an old model renumbered and sold at a higher price) to run the Sputnik Agent software. The firmware works on older WRT54Gs and all models of WRT54GS. They'll sell you preflashed WRT54GLs for $99 and WRT54GSs for $109.
The WLAN management tool company adds radio features, site planning: I've spoken to a number of IT managers, largely but not exclusively in academia, who turned to AirWave as a way to better manage often heterogeneous wireless LANs that are comprised of equipment from many vendors. Some prefer AirWave to vendors' own management tools, too.
The latest version of their software includes site planning with visualization overlays--which, boiled down, means they can show RF patterns on a drawing. The planning tool doesn't offer simulation of signal propagation, which is part of other vendor-specific tools.
This version also adds rogue access point detection using the wired LAN as a primary tool to ferret out commodity APs without requiring constant network scanning. (This assumes undisguised APs, of course.) The company has extended the makers and brands of access points and switches they support, as well.
This new version ships this month.
Software aggregates up to 1,000 nodes; 4.9 GHz gear for public safety and first responders: Any time you start assembling networks with many identical pieces, these pieces need aggregated management. It happened by 2002 in the WLAN space, with several companies offering (and still offering) tools to configure up to thousands of WLAN APs at once.
Firetide now offers their HotView Pro mesh management software for up to 1,000 of their nodes. The software coordinates tasks, like load balancing across different routes, and can treat multiple meshes as a seamless entity for managing data flows.
The 4.9 GHz space in the U.S. has become very active lately, with many companies deciding that the public safety sector interest in wireless needs to be acted upon using existing equipment rejiggered to handle the licensed spectrum. Firetide's HotPort 4.9 GHz equipment will be part of the enormous Rio Rancho, N.M., deployment.
Using the 4.9 GHz public safety band ensures that first responders and public safety officers and workers will have access to unfettered bandwidth--no worries about local Wi-Fi networks or hotzone congestion.
The press release avoids the word "hack," but Sputnik isn't working with Linksys, just its routers: The Linksys WRT54G is one of the bestselling routers in the world, and its firmware uses software that comes with a variety of open-source and free software licensing requirements for publishing changes. Thus, there are many projects which hack the Linksys, turning its inexpensive hardware into powerful components of larger systems, like mesh networks. (Switched WLAN is more difficult, as Linksys uses Broadcom chips whose drivers are distributed only in binary form, not as open source.)
By using a commodity AP, which has always been Sputnik's plan, they allow powerful centralized network management and monitoring through their applications, and that's where they insert value and extract revenue. The AP cost becomes so low that it's efficient to deploy more of them, since management time and expense doesn't grow per AP.
Sputnik's Agent software works on the Linksys WRT54G and WRT54GS. Read the press release.
iPass now supports 3G: The Sierra Wireless AirCard 580 can be supported using iPassConnect, the front-end software that iPass sells to corporate customers for their roaming employees to have access to tens of thousands of hotspots and hundreds of thousands of dial-up numbers worldwide. Adding 1xRTT and EVDO in the U.S. means that one more component of mobile data is now swept under a centrally managed and metered plan.
You have nothing to lose but your cubicles and your sense of day-to-day security: Companies are starting to look big-time into allowing flexible work environments that don't lock people into a single cubicle or office. This allows them to use office space more densely but flexibly and lets people work more to their liking. Of course, some people like a cubicle, don't they?
One of the drivers for increased mobility is that thin APs require less management--a claim long made by thin AP makers and confirmed when Cisco bought Airespace--and greater flexibility. It's clear Microsoft chose Aruba not just because they were thin, but because their approach is commodity-driven with enterprise-class management: that is, magic in the APs is less important than magic in the central console. (Microsoft may also have chosen Aruba because of its remote AP option in which APs can be added using IPsec security over any remote Internet network.)
The other driver is, of course, 802.11i and its integration into branded standards as WPA2. With WPA2 Enterprise, companies finally feel like they have the strongest possible security at their disposal.
The companies discussed in this excellent article have found big cost savings across the board, but those also come with more worker satisfaction and increased productivity.
I'll be curious over the long term whether workers who spend most of their time in an office, but have no reliable place to hang their hat every day, feel less tied to a company. In a classic Dilbert, after offices are deassigned, Wally moves his stuff around in a grocery cart and engages in office graffiti.
Aruba beats out Cisco (Airespace), Trapeze: The Microsoft campus and worldwide offices will be upgraded from its current Cisco infrastructure to use 5,000 Aruba access points, part of a WLAN switched network. The Wall Street Journal reports the deal covers 281 buildings in 83 countries to support 25,000 simultaneous Wi-Fi sessions. One of Aruba's bits of magic is IPsec tunneled remote APs that can use a centralized switch located over a WAN.
This is an enormous win for Aruba, which has been accumulating customers, but it seemed that the safe money was on Cisco because of the Airespace acquisition.
The first fruits of the Airespace acquisition produce a tracking device: The Wireless Location Appliance 2700 allows network managers to track anything with a Wi-Fi adapter in it, whether the adapter is part of a Wi-Fi-based RFID tracking system for high-priced assets (like hospital equipment), a laptop, or an employee with a Wi-Fi VoIP phone.
In a briefing earlier this week, Cisco managers explained that assets and individuals can be tracked both over time and in real-time with thousands of devices trackable per location appliance. This would, for instance, allow a company to pinpoint when a device had moved out of a building and disappeared--allowing them to check that date and time with various security cameras.
The appliance works at relatively high protocol layers and has an API that will allow it to be integrated into other systems that already handle the front end of asset management, such as PanGo Locator offered by PanGo Networks. With companies already tracking assets by number in these systems, tying them into a real-time display can allow hospitals--an early and obvious market--to know precisely where equipment is before it's needed.
Cisco acquired Airespace mere weeks ago and this is the first fruit of collaborative labor between existing Cisco product teams and the upstarts with their fancy lightweight access points.
iPass says they have 20,092 hotspots in 51 countries: The enterprise mobile worker connectivity firm has been aggressively courting operators around the world to amass this portfolio, which includes 55 networks. Sprint PCS now claims over 19,000 hotspots in their fixed-fee network, and it would be interesting to do a side-by-side comparison--but also quite difficult.
iPass uses metered rates for hotspot, dial-up, ISDN, and wired access for its customers which allow corporations to use a single network login both within their enterprise and with the iPass Connect client software. Instead of each user paying a fee for unlimited access on a number of networks, iPass aggregates not just networks but usage. So a worker who is on the road a few days a month may average out the usage of a worker who is constantly on the road. From a cost containment standpoint, this approach appears to be one that enterprises like. But it requires scale of locations especially for international companies or those with international sales.
Sprint PCS aggregates locations from SBC, Boingo, AirPath, Wayport, STSN, and others, but the majority of their locations are domestic. They offer unlimited usage plans for businesses on a per-user basis that can include metered rates for dial-up. They also offer a client. Sprint PCS works extensively with enterprises, too, in some cases building their networks through a managed services division.
I would not have thought a few weeks ago that the battle for corporate hotspot pocketbooks would be fought between iPass and Sprint PCS. But here we are. Sprint PCS is in the middle of a large transition as a carrier with its Nextel merger in the works; iPass is a publicly traded firm that once had a stock price five times higher than today and market cap of well over a billion dollars.
Moving into competition with Sprint PCS may not be a bad thing for iPass at all; it's good company.
It's not clear whether "open-source" means boot our code in this scenario: Aruba has released its bootloader, a method by which an access point with the right hardware can load Aruba's AP code when detected by its central WLAN switch on a network. That's all well and good, but it doesn't bring much to the table--yet. Aruba promises more. In this article at Linux Pipeline, I examine the promise of open source for Aruba and the industry, and get a little into the issue of the latest proposal for WLAN switch AP interoperability.
We called him crazy, but he just kept coming at us: Peter Judge writes about Extricom, the company that produced a barrage of what appeared to be overblown throughput claims last November, but now offers enough details to evaluate their technology. Their claims of huge throughput weren't across the entire system--that is, 1 Gbps everywhere--but rather aggregated throughput from multiple cells on the same network using the same channels.
The system promotes channel reuse by leveraging the collision detection that's at the heart of 802.11 and Ethernet systems to better use the empty spaces that are wasted in routine Wi-Fi communication. Each Extricom switch has multiple thin APs on the same channel. The switch decides which AP handles which client without switching channels, and thus the client doesn't change its connection (which means handoff latency is reduced far below any conventional system) and the switch maximizes the use of the RF space.
APs are coordinated at the switch level to avoid interference, but the 802.11 specification can handle co-channel interference as well. Between those two parts, the amount of interference is dramatically reduced. The goal is to allow many simultaneous voice conversations by bringing each client's available bandwidth as close as possible to the maximum throughput for its particular standard.
The only complaint from a test site seems to be the current eight-AP limit on their first switch model. That model will ship in May for $8,000 to $14,000 based on quantity and options like Power over Ethernet, according to the Techworld report. A 32-port switch will follow in the fall.
It's ingenious, and I've confirmed that this could work (if implemented properly) with a Wi-Fi expert. It's too bad they didn't explain this more clearly six months ago.
Sprint now claims 19,000 hotspots in its aggregated network: The company announced that it will gain another 6,000 locations from Quiconnect, 3,800 from Fiberlink, and several hundred from Pronto, Opti-Fi, and Nomadix. (The Fiberlink locations are actually resold from Boingo's aggregation platform, although that fact isn't mentioned anywhere.)
Sprint previously had arranged deals with SBC, Wayport, Airpath, STSN, and Concourse, as well as limited bilateral roaming with AT&T Wireless (now Cingular) for airport access. Those locations must have totaled 10,000, although I'm having a little difficulty adding up all of the component networks.
One of the key elements Sprint is pushing is its Extended Workplace, a way of having a single user interface for connecting across all kinds of communications methods, including dial-up, Wi-Fi, cell data, and Ethernet. Extended Workplace provides companies with a way of enforcing end-user policies, like VPN usage or anti-virus protection--just as with software from remote-access providers like iPass.
Pricing for Extended Workplace is $120 per month per user for unlimited Wi-Fi and Sprint PCS Vision (its brand name for 1xRTT data service) with additional metered fees for dial-up and other connection services.
The article bizarrely quotes a Sprint business development manager stating that Sprint started building airport Wi-Fi service in 2000 and now has seven airports. Now I've been writing about and researching airport Wi-Fi since 2000, and I can state categorically that Sprint didn't start getting into the business as a provider until 2003. If they were providing the back-end outsourced services, then they were handling it for Nokia and other companies without revealing their brand at the time. Nokia, Wayport, and MobileStar unwired the first airports in North America that I'm aware of all before 2001.
Microsoft and VeriSign have their own flavor of how to protect networks from infected computers: This new architecture will be based on Microsoft's Network Access Protection (NAP) and VeriSign's Unified Authentication platforms. It's supposed to protect networks by checking that a laptop trying to connect over Wi-Fi has been issued a clean bill of health with the latest patches and virus definitions, among other factors.
But this announcement doesn't mention yesterday's press release from the Trusted Computing Group stating that its Trusted Network Connect specification will also work with NAP. The TNC spec allows computers that connect to a network through any medium to be validated for security before being allowed access. It ties nicely into 802.1X port-based authentication. If a computer fails validation, it's segregated on a protected VLAN that only offers access to patches and updates, but can't reach the rest of the network.
Trapeze has added support for several Cisco APs: With a command-line change, a Cisco AiroNet 350, 1100, or 1200 can be part of a Trapeze-managed WLAN switched network. This should make it an easier sell for Trapeze VARs walking into Cisco-oriented enterprises, especially with Cisco VARs and direct sales folk trying to push new Airespace equipment into existing installations. This announcement ranks up there with AirWave's recent 3.1 version bump that allows AirWave's software management tool for WLANs to handle Cisco Airespace devices, too.