Showing posts with label Wireless Network. Show all posts

November 24, 2010

Final Ratification for LTE-Advanced

4G Americas, a wireless industry trade association representing the 3GPP family of technologies, today applauded the final ratification of LTE-Advanced as an official 4G standard by the International Telecommunication Union (ITU).

Both LTE Advanced and WirelessMAN-Advanced (802.16m) are the real deal — ITU sanctioned 4G standards. Both will deliver up to 100 Mbps (mobile) and up to 1 Gbps (fixed). In order to deliver those speeds, however, both need 20 MHz wide channels and up to 4×4 MIMO antennas on both the receiver and base station.

In its October meeting, ITU’s Radiocommunication Sector (ITU-R) completed the assessment of six candidate submissions and reached a milestone by deciding on LTE-Advanced and WirelessMAN-Advanced for the first release of IMT-Advanced, their package of official 4G standards.

Final ratification of the full IMT-Advanced technology family took place at the ITU-R Study Group meeting on November 22 and 23, 2010 in Geneva, Switzerland.

The standards will now move into the final stage of the IMT-Advanced process, which provides for the development in early 2012 of an ITU-R Recommendation specifying the in-depth technical standards for these radio technologies.

“This day is a milestone to remember for mobile broadband connectivity,” said Chris Pearson, President of 4G Americas. “The future for mobile broadband technologies has never been brighter to help progress societies in the Americas and throughout the world.”

November 6, 2010

Streamlining Campus Wireless Management

Handling the many wireless devices that must access a campus WiFi network at once is a common challenge in higher education, where the increasing proliferation of wireless devices can raise capacity issues. A related problem is IP address exhaustion, brought on by the tendency of devices such as smart phones to tie up and then fail to relinquish available IP addresses. Many campus wireless networks also need to maintain complex tracking records on who is accessing the wireless network, for budgetary and funding reasons.

To address those issues, and to make network access both easier and more secure for users, the University of California, Berkeley's Electrical Engineering & Computer Science (EECS) department moved late last year to new security appliances from Avenda Systems that help differentiate user access and better manage IP addresses and security. The department is the largest on campus and includes more than 2,400 undergraduates, 400 graduate students, and more than 100 faculty members.


The complex wireless environment within the department supports a variety of connection methods, including an internal wireless network specifically for the department, several portals that require user authentication, and the campuswide wireless network. The networks, all of which are open to users and running the wireless standard 802.11n, which supports devices using the a, b, g and n wireless standards, did not offer any sort of encryption for security purposes.

Security was one of the main reasons for the change to 802.1x, an authentication standard that can be used in either wired or wireless networking. The 802.1x standard provides better security because it uses the stronger WPA2 (WiFi Protected Access) encryption standard rather than the older WPA. The WPA2 standard is part of the 802.11n standard, but must be properly configured on a network in order to work. And WPA2 must use 802.1x for authentication, leading to the move to 802.1x.

The EECS department decided to make the move to the new appliances in order to address some additional complex challenges in managing its wireless network, according to Computing Infrastructure expert Mr. Fred Archibald. In a setup that is not uncommon on college campuses, Archibald was using two directory management systems, LDAP and Active Directory, to manage user authentication and authorization on the wireless network.

The dual-directory design is intended to help with user tracking needs related to budgeting, but it introduced complexities because the wireless network system must support two types of directory management schemes. Under the department's funding model, different members of the department are granted different types of access, Archibald explained, so users need to be first authenticated against Active Directory, then authorized against LDAP. That required a product that could easily handle both types of directories--a capability that Avenda offered.

Adding to the complexity was an IP address exhaustion issue. With the previous authentication scheme on the department's 802.11 network, powered-up mobile devices within reach of the wireless network, even those that weren't in use, could claim and then retain an IP address, eventually leading to address exhaustion. Use of the 802.1x standard helps rectify the IP address exhaustion issue, since 802.1x does not assign an IP address until both authentication and authorization take place. Thus, wireless devices that are within wireless network range, and able to achieve authentication but not authorization, do not tie up an IP address.

In addressing the wireless issues, Archibald specifically wanted a solution in appliance form, he said, to replace the current appliance, and in order to have a single vendor providing both hardware and software. "We have limited IT staff, and they all wear a lot of hats, so we wanted to get [a vendor] in place who was really good," Archibald said. In choosing appliances from Avenda, he said, he hoped to obtain a solution that could be dropped into place relatively quickly. And with limited IT staff, he specifically wanted a vendor that could be relied upon for support as needed, with responsiveness a key factor.

Testing the new system began 15 months ago, and the appliances went into production a year ago. The department supports about 150 access points--Berkeley overall has close to 10 times that number of APs--using two Avenda appliances in a high-availability configuration should one unit fail.

If there is a downside to the new network, Archibald said it has to do with increased support. "When it works, it generally works well and is more convenient for users," Archibald said. With 802.1x, users have to authenticate much less--credentials are usually cached after the first use and so authentication can occur transparently.

However, getting clients configured at the start of a school year results in more help desk calls initially, Archibald said. "The initial setup sometimes can be a bit of a roadblock because of all the different clients," he said. "Once you get it to work, however, it works really well."

November 5, 2010

Alcatel Lucent forecasts more opportunity after deals in U.S. and China

BERLIN — Alcatel Lucent, which has struggled in the wake of its 2006 merger, said last Thursday that it had reached a “turning point” after clinching $5.7 billion in deals to build high-speed wireless networks and supply other gear for the biggest mobile operators in the United States and China.

The company, based in Paris, announced the contracts at the same time it reported its first profitable quarter of the year, posting €25 million, or $35.3 million, in earnings compared to a €182 million loss in the third quarter a year earlier. Sales rose 10.5 percent to €4.1 billion. The results missed forecasts of analysts surveyed by Reuters and Bloomberg News and shares were down more than 3 percent in Paris at midday, however.



Ben Verwaayen, the Alcatel Lucent chief executive, described the agreements with Verizon Wireless, the largest U.S. mobile operator, and the three biggest mobile carriers in China as “massive” for the company, which had struggled to reorganize and streamline in a weak global market following the merger of the French company Alcatel with Lucent Technologies, which was formerly part of AT&T, the U.S. phone giant.

Although the quarterly profit was attributed primarily to tax benefits associated with ongoing adjustments from the merger, Mr. Verwaayen said he did not think it would be “a one-time event.” Mr. Verwaayen mentioned that he thinks this is a significant turning point in the transformation of the company. They are experiencing good demand for their products.

Without one-time items, the company reported an operating loss of €11 million for the quarter, compared with a €76 million loss a year earlier. But Jouni Forsman, an analyst at Gartner in Nice, France, said that Alcatel Lucent had repositioned itself to become more competitive in the fastest-growing segments of the wireless equipment industry, where demand for network software upgrades, services and applications is strong among mobile operators.

According to Mr. Forsman, the company is executing on the turnaround story. They are in a much better position than they were a couple of years ago. They are controlling costs and executing in a difficult market.

The agreement with Verizon Wireless will generate $4 billion in sales over four years, Alcatel Lucent said. Under the pact, Alcatel Lucent will upgrade the operator’s third-generation wireless network and build a faster network based on a technology called Long Term Evolution. LTE networks, which can download wireless data at speeds much more rapidly than existing systems, are helping operators meet the surge in data traffic from streaming video and social networking services.

Alcatel Lucent said it planned on Friday to sign agreements worth a total €1.18 billion with China Mobile, China Telecom and China Unicom during a visit to France by the Chinese president, Hu Jintao.
Mr. Verwaayen, the Alcatel Lucent chief executive, said “a large chunk” of the sales to the Chinese carriers was new business, with the rest being a reaffirmation of existing sales arrangements. The Verizon sales, Mr. Verwaayen said, were all new business for his company.

Verizon Wireless, a joint venture of Verizon and Vodafone, the British global mobile operator, is upgrading its 3G networks to LTE through 2013 as it sells more data-intensive smartphones and other devices. Some analysts expect Verizon later this year to announce that it will become the second U.S. operator to sell the iPhone, which has only been sold by AT&T.

October 24, 2010

Purdue University Deploying 4G Network as Part of Wireless Rollout

Purdue University will be one of the early recipients of Verizon Wireless' rollout of a 4G network starting this year. This fourth generation data network, which is using Long-Term Evolution (LTE) technology, is expected to provide four to 10 times the transmission speeds currently available in 3G networks.

The institution was chosen to participate in the deployment based on its track record with using mobile technology to enhance learning, according to Lowell McAdam, president and chief operating officer of Verizon. Recent technologies developed at Purdue include Mixable, an academic integration with Facebook; a student discussion tool, HotSeat, which allows students to interact with classmates and faculty with Twitter and text messages; and eStadium, to deliver athletic game services to spectators.


The university also contracted with Verizon Business to implement a campuswide 802.11n wireless network, which will encompass 6,000 access points in 256 buildings. That project is expected to be completed in the 2010-2011 academic year.

Verizon said the broader rollout of 4G will include 38 metropolitan areas and 60 commercial airports, including Indianapolis International Airport, located within 90 minutes of the West Lafayette-based university. The company is currently installing LTE equipment at existing cell sites and switching centers around the United States.

According to Mr. McAdam, the partnership with Purdue will explore the next phase of how 4G technology can improve education across our nation. Verizon Wireless said it expects 4G LTE average data rates to be 5 Mbps to 12 Mbps on the downlink and 2 Mbps to 5 Mbps on the uplink in real-world, loaded network environments.

"At Purdue, the advancement of mobile technology is critically important--both to students and faculty. The addition of Verizon's 4G network will contribute in a noticeable way to their success," said Gerry McCartney, Purdue's CIO and vice president for IT.

July 9, 2010

How to Buy a Wireless Router


It's hard to imagine a modern home or business network without a wireless router, but that doesn't mean it's easy to pick the right router. Our guide can help you pick the best one for your network.
Routers are an essential element of the modern business network, and they're an indispensable tool in the home, too. A wireless router lets your computer connect to the Web so that you can read favorite Web sites, check e-mail, IM friends, or teleconference with colleagues. If you want to do this without cluttering your setup with Ethernet cables, a wireless router is a must. And, if it's your first time going wireless, don't worry about giving up wired speed. All wireless routers offer at least some degree of wired connectivity, allowing you to get the best of both worlds.
The wireless router market offers many different types of routers that are tailored to tackle specific needs. Vendors offer everything from very basic single-band routers designed to simply get your computer online to advanced dual-band routers that contain bonus features (such as a built-in digital photo frame). With numerous models, options, and offerings available, purchasing a wireless router is no simple affair. You may need to research the features and wade through the marketing hype to determine which router is best for your home or home office. Our Wireless router buyer's guide will help you do just that.
Determine Your Usage
A single home user who just wants to Web surf doesn't require the same type of router as a heavy-duty gamer or small business. A single-band router like the $149 Cisco Valet Plus is a basic, decent performer that would suit the needs of anyone looking for simple Wi-Fi connectivity and easy setup. By contrast, the $359 D-Link Xtreme N Duo Media Router has power-user features such as Traffic Prioritizing, Virtual Servers and UPnP support. The Xtreme N is likely to be of more value to gamers, multimedia enthusiasts or anyone with advanced networking needs. A good rule of thumb: The more expensive the router, the more features it will contain. Higher price, however, doesn't necessarily mean better performance; in our testing, the Cisco Valet Plus performed just as well as pricier, more feature-rich routers.
Single Band vs. Dual Band
While researching routers, you will inevitably stumble across the term "bands". The 2.4- and 5- GHz bands are the frequencies in which wireless communications operate. 802.11 B and G standard devices use the 2.4 GHz band, while 802.11N can use either the 2.4 GHz or 5 GHz band. A single-band, 2.4-GHz router, like the $65 Asus RT-N11 EZ Wireless-N Router is geared toward simple wireless networks. On the other hand, a dual-band router like the $119 Cisco Linksys E2000 Advanced Wireless-N supports both 2.4- and 5-GHz frequencies. The 5-GHz band is better equipped for throughput-intensive work within your home network such as gaming and file streaming. In fact, as mentioned in our "Setup and Small Home or Business Network" article, you will also get better internal network performance.
Know Your Standards
Knowing which standard the majority of devices on a network support is important in deciding which router is best for your setup. For example, if you want to connect two slightly dated laptops which house 802.11b/g wireless cards to the Internet, and you have no need or plans to upgrade your client devices anytime soon, you could get away with a cheaper, single-band 2.4 GHz 802.11N router. Why? You can run the router in "Mixed Mode" setting, which will let the router connect to B and G clients. Secondly, only N routers can connect at the 5 GHz band, so you only need a 2.4 GHz router for B and G clients. A decent option would be a router like the Cisco Linksys E1000 Wireless-N Router, which is available for under $60 (if you can swing the extra $70, however, the Valet Plus is the better option).
If you have a mix of B, G and N devices (as most of us do), your best bet is to go with a simultaneous dual-band router like the $169 D-Link DIR-825 Xtreme N Dual Band Gigabit. This model excels at automatically connecting devices to the appropriate band, without user intervention. There are other dual-band routers that are good choices as well, like the $119 Linksys by Cisco Dual Band Wireless N Gigabit Router. This model requires the user to be savvy enough to know how to configure settings so that all devices (be they B, G or N) can connect to the correct 2.4-GHz or 5-GHz band.
PC vs. Mac
We have tested numerous wireless routers from a variety of vendors, and have determined that the make or model makes little difference on a Windows network. There's some anecdotal evidence from readers and the blogosphere that a network consisting of all Apple products works best with an Apple router. Many chimed in on an article about iPad Wi-Fi connectivity. Several readers stated they had none of the connectivity problems with their iPad when connecting it to an Apple AirPort.
Routers should theoretically work across the board for Windows, Apple and Linux clients. If you have an all-Apple or predominately Apple environment, save yourself any potential hassle and go with a router from Apple.
Coverage Area/Antennas
Router antennas can either be external or internal, with the former seemingly delivering stronger signals. One of the fastest Wi-Fi routers we have tested is the $79.99 D-Link DIR-825 Xtreme N Dual Band Gigabit, which has two external antennas. In some cases, it's possible to purchase signal amplifiers or upgrade the antenna to one that's more high-powered. The one drawback with external antennas is that they can be more problematic to discreetly situate in a home than a router with internal antennas such as the Linksys Ultra RangePlus Wireless-N Router, which is built with Linksys/Cisco's familiar sleek design. Also, it's true that anything that sticks out can be broken off.
Accordingly, don't discredit routers with internal antennas. For most home purposes, new routers like the $179 Cisco Linksys's E3000 High Performance Wireless N Router have an almost unheard of 6 internal antennas with 2x3 transmit/receive. We have not tested the router yet (look for the test soon) but the E2000, which is the mid-router in the E series, was a decent performer that only has 3 internal antennas.
Keep in mind, despite whatever the antenna design is, large areas may sometimes need more than one wireless router for coverage. The average range for wireless coverage is 180 feet max indoors and 1,500 feet max in an open space—that's devoid of concrete walls or any other interference!
Feature Set
Most wireless routers have some basic functionality; port forwarding, DHCP, firewall and NAT are a few of the features inherent in just about every router within the last three years. There are routers with lots of extra features for advanced users, like the $129 Belkin Wireless PlayMax Router. The PlayMax has features like Guest Access, Channel Bonding (to boost wireless signal), Access Control and a Bit Torrent client. While we can't recommend the PlayMax at this time because of underwhelming performance (further testing on it is to follow), the feature set is truly impressive and is one that should appeal to avid gamers, torrent users, or even small businesses.
Some routers, such as the D-Link Xtreme N Storage Router, have USB ports for connecting a printer or storage device. Not only does it have USB ports, but it has a slot for a 2.5-inch SATA drive and doubles as a digital photo frame. This may not be a router option for everyone, but if you have additional networking needs and may be low on space on ports to connect extra devices, a fancy router like the Xtreme N Storage may be a good bet. Prepare to shell out some cash as this router listed for $300.00 at shipping.
Security
Most routers currently support standard WEP security as well as the more secure WPA and WPA2. If you want to control what users can access when they are connected to the router, you are going to want one that offers decent Access Controls. Cisco's Valet Plus has very effective Access Control settings plus Parental Controls that allow limiting internet use based on time of day. Guest Access and an ability to create multiple SSIDs are also important security measures if you are using the router for a small business. Together, these two features let you, for example, segment your network into separate areas for guests and trusted users.
Wired Connectivity
Most wireless routers have Ethernet ports for hard-wiring devices so that they can take advantage of the greater transmission speeds that wired Ethernet has over a wireless connection. For faster transmission rates, invest in a router that has Gigabit Ethernet ports like the Netgear RangeMax Wireless-N Gigabit Router. Use the Gigabit Ethernet ports to wire gaming consoles, NAS drives, or any other type of multimedia server that has a Gigabit Ethernet adapter to take advantage of the faster performance.

June 15, 2010

Microsoft dumps Cisco wireless for Aruba

Microsoft has ditched Cisco in favour of WLAN start-up Aruba, as it upgrades one of the world's largest wireless LAN (WLAN) installations from old-fashioned fat access points.

Microsoft is taking out around 5,000 Cisco Aironet access points, and upgrading to an Aruba wireless switch system which will use five thousand thin access points to support 25,000 simultaneous WLAN users, in 277 buildings round the world.

The announcement will be a disappointment to Cisco, as its purchase of Aruba's rival Airespace was supposed to offer an upgrade path for customers like Microsoft who needed a centrally-managed wireless LAN system.


"This will surprise many spectators - including myself," said Richard Webb, wireless analyst at Infonetics Research. "People said that WLAN was a done deal, and large customers would automatically go to Cisco. They'll have to view Aruba in a new light, and some people will be raising eyebrows at the money Cisco paid for Airespace."

In fact, Cisco's efforts to integrate Airespace and provide an upgrade path have been lacklustre, while Aruba and its other main rival, Trapeze, have continued to innovate.

Although Aruba probably offered a very competitive price (no price has been revealed for the deal), Webb said that the deal must have been based on technical merits. "Microsoft isn't buying on price," he said. "The company is not short of money, so if Aruba weren't on the table in terms of technology, no amount of discount would have got the deal."

Security features such as Aruba's firewall and IDS may have been big factors, he said. Indeed, as we reported here a year ago, Microsoft has already been using Aruba for security. Aruba and Microsoft are also stressing support for voice on Wi-Fi, as well as guest networks that let the office WLAN double as a hotspot for visitors.

Microsoft had extensive tests carried out by wireless test house Iometrix, and the University of New Hampshire's inter-operability lab, which covered security, scalability and performance - the results of which Aruba has promised to put on its site.

Microsoft plans to make some offices "wireless only", and will integrate the WLAN with its Network Access Protection Architecture that protects the network from infected clients. The WLAN will also support a guest access system which will allow visitors to Microsoft buildings to use the Internet.

Aruba is also keen to suggest that, as a result of this contract, it will have close links into Microsoft's future products. "Aruba plans to work with Microsoft to develop and test future software products to ensure they operate simply and easily over wireless networks," says its release. "Consequently, Aruba customers can be assured the best possible interaction and unprecedented interoperability between Microsoft products and Aruba mobility systems."

Original Source: Techworld.Com

June 23, 2009

Technical Comparison: iPhone 3GS vs. 3G vs Palm Pre


Following the announcement of the iPhone 3GS and the hardware specs of the 3GS, here we outline the single-chip CPU/GPU SoC as follows:

| | iPhone 3G (ARM11) | iPhone 3GS (ARM Cortex A8) |
|---|---|---|
| Manufacturing Process | 90nm | 65nm |
| Architecture | In-Order | In-Order |
| Issue Width | 1-issue | 2-issue |
| Pipeline Depth | 8-stage | 13-stage |
| Clock Speed | 412MHz | 600MHz |
| L1 Cache Size | 16KB I-Cache + 16KB D-Cache | 32KB I-Cache + 32KB D-Cache |
| L2 Cache Size | N/A | 256KB |

The iPhone 3GS uses an ARM Cortex A8 processor running at 600MHz, much like the Palm Pre. Many weren’t confident that the 3GS used the new ARM A8 core instead of a higher clocked ARM11.

| WiFi | Apple iPhone 3G | Apple iPhone 3GS | Palm Pre | T-Mobile G1 |
|---|---|---|---|---|
| anandtech.com | 16.3 s | 7.8 s | 8.2 s | 17.2 s |
| arstechnica.com | 17.7 s | 6.3 s | 7.8 s | 17.8 s |
| hothardware.com | 35.2 s | 14.7 s | 11.2 s | 24.4 s |
| pcper.com | 33.3 s | 15.0 s | 18.0 s | 34.0 s |
| digg.com | 34.3 s | 15.0 s | 22.1 s | 40.0 s |
| techreport.com | 24.1 s | 9.6 s | 9.0 s | 20.5 s |
| tomshardware.com | 21.4 s | 16.4 s | 13.8 s | 26.0 s |
| slashdot.org | 26.0 s | 10.0 s | 20.9 s | 46.0 s |
| facebook.com | 31.7 s | 13.5 s | 19.6 s | 37.7 s |

iPhone 3GS Advantage over Palm Pre: 21%
iPhone 3GS Advantage over iPhone 3G: 122%

The new 3GS renders web pages 128% faster, on average, than the old iPhone 3G. The 45% clock speed boost alone isn’t enough to generate such a large performance increase, this is a new microarchitecture. Also, note that the 3GS’ performance mimics that of the Palm Pre - another Cortex A8 based phone.

Not too surprising given the just-released nature of the Pre’s webOS, the 3GS is actually able to render webpages slightly faster than the Pre in some cases. The overall performance advantage ends up being 22.6% in favor of the 3GS over the Pre.
Application launch time has also improved:

| Application Launch Time in Seconds | Web Browser | Dialer | Google Maps | Camera | Email |
|---|---|---|---|---|---|
| Apple iPhone 3GS | 0.7 s | 0.7 s | 2.7 s | 2.8 s | 0.8 s |
| Apple iPhone 3G | 0.8 s | 1.2 s | 3.3 s | 3.9 s | 1.2 s |
| Palm Pre | 3.0 s | 1.5 s | 8.6 s | 4.4 s | 3.3 s |
| T-Mobile G1 | 5.4 s | 2.0 s | 4.4 s | 4.9 s | 2.0 s |
| iPhone 3GS vs. 3G Performance Advantage | 14% | 71.5% | 22.2% | 39.4% | 50% |

While the old iPhone 3G was no slouch, the 3GS is anywhere from 14 - 72% faster in basic application load times. It’s the magic of a brand new CPU architecture.

Source: ERM Blog
This is the gadget that I would recommend for IIUM wireless users to get connected through SSID iium-gadget. In addition, Blackberry also has almost similar performance to the iPhone. You can feel the real performance of the IIUM campus-wide infrastructure. So far, Windows Mobile based phones are still not recommended because they will drop the backward compatibility of the default WiFi 802.11g technology. Standard handphones run on WiFi 802.11b and will change the nearby channel to 11b instead of 11g. ITD will not tolerate opening access to any gadget that is able to downgrade the nearby performance. If you own an iPhone or Blackberry, you are welcome to register for iium-gadget access.
For Symbian and Windows Mobile users, wait for new developments. So far, even the T-Mobile G1 takes 5.4 s to launch a web browser. Next time, before you purchase your handphone… carefully check the hardware spec for clock speed, processor and cache size.

May 4, 2009

802.11n throughput testing for Aruba AP 125

This morning we did some testing with a high-throughput WLAN (see profile at the bottom of the page) using the Aruba 125. We set up the VennLab HT SSID for testing locally using 802.11n on the 5 GHz channels exclusively. We also enabled the 40 MHz wide channel in order to maximize throughput. Our testing yielded very good results as you can see below.

Our test setup consists of two MacBook Pros, each running the iperf network utility (via MacPorts) with manually configured IP addresses. To establish a baseline, we first connected to RLAB, a network that is already established on our Aruba infrastructure. This is an 802.11g only isolated WLAN that also allows client to client connectivity.


Connected to "RLAB" to get a baseline, the airport sees an RSSI of –49 which is typical of a very good connection and shows a transmit rate of 54 as would be expected. Here are the iperf stats using the default settings:

Macintosh-214:~ donwright$ iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 256 KByte (default)
------------------------------------------------------------
Tested first with RLAB (802.11g standard wlan)

[ 4] local 10.10.10.4 port 5001 connected with 10.10.10.3 port 49335
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.1 sec 8.45 MBytes 7.04 Mbits/sec

This seems low, but maybe that’s an iperf thing, which is kind of confusing since they use the capital M for megabits. If I take this at face value and move on, the increase with 802.11n does show up.

Connecting to my 802.11n "VennLab" shows a similar RSSI of 50, but with a Transmit Rate of 300, a 6X increase. This increase seems to be validated in the iperf tests below which average about a 6X jump to 50 Mbits/sec.

[ 4] local 10.10.10.4 port 5001 connected with 10.10.10.3 port 49336
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 57.5 MBytes 48.2 Mbits/sec
[ 4] local 10.10.10.4 port 5001 connected with 10.10.10.3 port 49337
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 56.1 MBytes 47.0 Mbits/sec
[ 4] local 10.10.10.4 port 5001 connected with 10.10.10.3 port 49338
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 64.4 MBytes 53.9 Mbits/sec
[ 4] local 10.10.10.4 port 5001 connected with 10.10.10.3 port 49339
[ ID] Interval Transfer Bandwidth


[Figure: Benchmarking of Aruba throughput 802.11n]
Previously, when we did the same test with an equivalent Cisco AP, we didn't get readings that good. Cisco wireless is still far behind Aruba technology. For me, Aruba Networks is still the best in wireless infrastructure. That is why they have conquered campus wireless networking solutions worldwide. The security features offered by Aruba comply with US military requirements (implemented for the US Air Force). Major telco companies also choose Aruba solutions. They are still the best in the market.
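The unit question raised about the iperf figures can be settled from the numbers in the output itself. The following is an added example, not part of the original post: it parses the summary rows shown above, recomputes bandwidth from Transfer and Interval under both byte conventions, and compares the results with the transmit rates quoted in the post.

```python
import re

# Rows copied from the iperf server output above (RLAB = 802.11g, VennLab = 802.11n).
RLAB_OUTPUT = "[ 4] 0.0-10.1 sec 8.45 MBytes 7.04 Mbits/sec"
VENNLAB_OUTPUT = """\
[ 4] 0.0-10.0 sec 57.5 MBytes 48.2 Mbits/sec
[ 4] 0.0-10.0 sec 56.1 MBytes 47.0 Mbits/sec
[ 4] 0.0-10.0 sec 64.4 MBytes 53.9 Mbits/sec
"""
# Transmit rates the post reports for each WLAN, in Mbit/s.
RLAB_TX_RATE = 54
VENNLAB_TX_RATE = 300

ROW = re.compile(
    r"\[\s*\d+\]\s+([\d.]+)-\s*([\d.]+)\s+sec\s+"
    r"([\d.]+)\s+([KMG])Bytes\s+([\d.]+)\s+([KMG])bits/sec"
)
PREFIX_POWER = {"K": 1, "M": 2, "G": 3}


def parse_rows(text):
    """Return one dict per iperf summary row found in text."""
    rows = []
    for m in ROW.finditer(text):
        start, end, transfer, byte_unit, rate, bit_unit = m.groups()
        rows.append({
            "seconds": float(end) - float(start),
            "transfer": float(transfer),
            "byte_power": PREFIX_POWER[byte_unit],
            # Bit rates are decimal: 1 Mbit/s = 10**6 bit/s.
            "reported_mbps": float(rate) * 1000 ** PREFIX_POWER[bit_unit] / 1e6,
        })
    return rows


def recomputed_mbps(row, byte_base):
    """Throughput in Mbit/s derived from the Transfer and Interval columns."""
    nbytes = row["transfer"] * byte_base ** row["byte_power"]
    return nbytes * 8 / row["seconds"] / 1e6


def worst_error(rows, byte_base):
    """Largest relative gap between recomputed and reported bandwidth."""
    return max(
        abs(recomputed_mbps(r, byte_base) - r["reported_mbps"]) / r["reported_mbps"]
        for r in rows
    )


def mean_mbps(rows):
    """Average of the reported Bandwidth column."""
    return sum(r["reported_mbps"] for r in rows) / len(rows)


def summarize():
    g, n = parse_rows(RLAB_OUTPUT), parse_rows(VENNLAB_OUTPUT)
    return {
        # MBytes read as 1024*1024 bytes reproduces the Bandwidth column.
        "error_base_1024": worst_error(g + n, 1024),
        # MBytes read as 10**6 bytes does not.
        "error_base_1000": worst_error(g + n, 1000),
        "speedup": mean_mbps(n) / mean_mbps(g),
        "g_share_of_tx_rate": mean_mbps(g) / RLAB_TX_RATE,
        "n_share_of_tx_rate": mean_mbps(n) / VENNLAB_TX_RATE,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value:.3f}")
```

The Transfer column only matches the Bandwidth column when MBytes is read as 1024 × 1024 bytes and Mbits as 10^6 bits, so the reported figures are megabits per second of TCP payload.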

April 20, 2009

Securing Wireless Network

A wireless local area network (WLAN) solution is better secured with Wi-Fi Protected Access (WPA) WLAN protection than with Wired Equivalent Privacy (WEP).

Currently, ITD has to admit that IIUM users face some potential difficulties in using WPA, which include:

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 2 and later. PDA and Smart Phone operating systen running on Windows Mobile and Symbion does not support WPA yet. The only operating system that really support secured wireless environment is MacOS for iPhone and iPod. For those who want to get connected through SSID iium-gadgetmust comply with WPA requirement.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates. Again, this is a common problem with low-end Microsoft products.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure…, otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list. 

5. Click the Settings… button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. 

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA. 

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.

Configuring Pocket PC 2003/PDA/Smart Phone for WPA
WPA was not supported natively in Pocket PC 2003 using Windows Mobile and Symbian at the time of writing; however, this may be implemented in the future. Support for WPA on other types of Pocket PC available from other vendors such as Mac OS (iPhone and iPod),

Original Post : ERM Blog

August 17, 2008

Define Wireless Network Security Policies

With a wireless network, you must consider security policies that will protect resources from unauthorized people. Let’s take a look at what you should include in a wireless network security policy for an enterprise. Consider the following recommendations:

Activate 802.11 encryption to make data unintelligible to unauthorized users. WEP has weaknesses, making it inadequate for protecting networks containing information extremely valuable to others. There are some good hackers out there who can crack into a WEP-protected network using freely-available tools. The problem is that 802.11 doesn’t support the dynamic exchange of WEP keys, leaving the same key in use for weeks, months, and years. For encryption on enterprise networks, aim higher and choose WPA, which is now part of the 802.11i standard. Just keep in mind that WPA (and WEP) only encrypts data traversing the wireless link between the client device and the access point. That may be good enough if your wired network is physically secured from hackers. If not, such as when users are accessing important information from Wi-Fi hotspots, you’ll need more protection.

Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security. If users need access to sensitive applications from Wi-Fi hotspots, definitely utilize a VPN system to provide sufficient end-to-end encryption and access control. Some companies require VPNs for all wireless client devices, even when they’re connecting from inside the secured walls of the enterprise. A “full-throttle” VPN solution such as this offers good security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to the need for VPN servers). As a result, consider implementing 802.11 encryption when users are operating inside the enterprise and VPNs for the likely fewer users who need access from hotspots.

Utilize 802.1x-based authentication to control access to your network. There are several flavors of 802.1x port-based authentication systems. Choose one that meets the security requirements for your company. For example, EAP-TLS may be a wise choice if you have Microsoft servers.

Establish the wireless network on a separate VLAN. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy access to corporate servers located on different, more secured VLANs (i.e., not accessible from the wireless network). In this manner, the wireless network is similar to a public network, except you can apply encryption and authentication mechanisms to the wireless users.


Ensure firmware is up-to-date in client cards and access points. Vendors often implement patches to firmware that fix security issues. On an ongoing basis, make it a habit to check that all wireless devices have the most recent firmware releases.

Ensure only authorized people can reset the access points. Some access points will revert back to factory default settings (i.e., no security at all) when someone pushes the reset button on the access point. We’ve done this when performing penetration testing during security assessments to prove that this makes the access point a fragile entry point for a hacker to extend their reach into the network. As a result, provide adequate physical security for the access point hardware. For example, don’t place an access point within easy reach. Instead, mount the access points out of view above ceiling tiles. Some access points don’t have reset buttons and allow you to reset the access point via an RS-232 cable through a console connection. To minimize risks of someone resetting the access point in this manner, be sure to disable the console port when initially configuring the access point.

Disable access points during non-usage periods. If possible, shut down the access points when users don’t need them. This limits the window of opportunity for a hacker to use an access point to their advantage as a weak interface to the rest of the network. To accomplish this, you can simply pull the power plug on each access point; however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical manner via centralized operational support tools.

Assign “strong” passwords to access points. Don’t use default passwords for access points because they are also well known, making it easy for someone to change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodically. Ensure passwords are encrypted before being sent over the network.

Don’t broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn’t a foolproof method of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast mechanism will limit access.

Reduce propagation of radio waves outside the facility. Through the use of directional antennas and RF shielding, you can direct the propagation of radio waves inside the facility and reduce the “spillage” outside the perimeter. This not only optimizes coverage, it also minimizes the ability for a hacker located outside the controlled portion of the company to eavesdrop on user signal transmissions and interface with the corporate network through an access point. This also reduces the ability for someone to jam the wireless LAN - a form of denial-of-service attack - from outside the perimeter of the facility. In addition, consider setting access points near the edge of the building to lower transmit power to reduce range outside the facility. This testing should be part of the wireless site survey.

Implement personal firewalls. If a hacker is able to associate with an access point, which is extremely probable if there is no encryption or authentication configured, the hacker can easily access (via the Windows operating system) files on other users’ devices that are associated with an access point on the same wireless network. As a result, it’s crucial that all users disable file sharing for all folders and utilize personal firewalls. These firewalls are part of various operating systems, such as Windows XP and Vista, and 3rd party applications as well.

Control the deployment of wireless LANs. Ensure that all employees and organizations within the company coordinate the installation of wireless LANs with the appropriate information systems group. Forbid the use of unauthorized access points. Mandate the use of approved vendor products whose security safeguards you’ve had a chance to verify. Maintain a list of authorized radio NIC and access point MAC addresses that you can use as the basis for identifying rogue access points.

With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider actual security needs.
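One way to put the authorized-MAC list and the encryption recommendation to work is to audit site-survey results against the inventory. The following is an added example, not part of the original post; the record layout, finding names, SSIDs and MAC addresses are all constructed for illustration.

```python
from dataclasses import dataclass

WEAK_ENCRYPTION = {"open", "wep"}  # the policy above asks for WPA or better


@dataclass(frozen=True)
class ApRecord:
    """How an authorized access point is supposed to be configured."""
    ssid: str
    encryption: str  # "open", "wep", "wpa" or "wpa2"


def normalize_mac(mac):
    """Return lower-case colon-separated form so list entries compare equal."""
    raw = mac.strip().lower()
    for sep in ":-.":
        raw = raw.replace(sep, "")
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def audit_survey(observations, inventory):
    """Compare what a site survey saw on air with the authorized inventory.

    observations: iterable of (bssid, ssid, encryption); ssid is "" when the
                  access point does not broadcast it.
    inventory:    dict mapping authorized BSSID -> ApRecord.
    Returns a sorted list of (bssid, finding) tuples.
    """
    known = {normalize_mac(m): rec for m, rec in inventory.items()}
    corporate_ssids = {rec.ssid for rec in known.values()}
    findings, seen = set(), set()
    for bssid, ssid, encryption in observations:
        bssid = normalize_mac(bssid)
        encryption = encryption.lower()
        record = known.get(bssid)
        if record is None:
            # Only a lead: a neighbour's AP is unlisted too. An unlisted radio
            # that advertises a corporate SSID deserves attention first.
            kind = ("unlisted-bssid-using-corporate-ssid"
                    if ssid in corporate_ssids else "unlisted-bssid")
            findings.add((bssid, kind))
            continue
        seen.add(bssid)
        if encryption in WEAK_ENCRYPTION:
            findings.add((bssid, "weak-or-no-encryption"))
        # A listed AP that no longer matches its record may have been reset to
        # factory defaults, or something else is using its address.
        if encryption != record.encryption or (ssid and ssid != record.ssid):
            findings.add((bssid, "differs-from-inventory"))
    for bssid in known.keys() - seen:
        findings.add((bssid, "authorized-ap-not-seen"))
    return sorted(findings)


# Constructed inventory and survey data (locally administered MAC addresses).
SAMPLE_INVENTORY = {
    "02-00-00-00-00-01": ApRecord("corp-wlan", "wpa"),
    "02:00:00:00:00:02": ApRecord("corp-wlan", "wpa"),
    "02:00:00:00:00:03": ApRecord("corp-wlan", "wpa"),
}
SAMPLE_SURVEY = [
    ("02:00:00:00:00:01", "corp-wlan", "wpa"),     # matches its record
    ("02:00:00:00:00:02", "default", "open"),      # looks like a factory reset
    ("02:00:00:00:00:AA", "corp-wlan", "open"),    # unlisted, corporate SSID
    ("02:00:00:00:00:BB", "coffee-shop", "wpa2"),  # unlisted, likely a neighbour
]

if __name__ == "__main__":
    for bssid, finding in audit_survey(SAMPLE_SURVEY, SAMPLE_INVENTORY):
        print(f"{bssid}  {finding}")
```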

February 18, 2008

The Theory of Vehicular Ad-Hoc Network

With the Internet becoming an increasingly significant part of our lives, the dream of a WiFi-enabled city is becoming closer and closer to reality. One of the hindrances to that dream, however, is the high router requirement; for wireless internet to blanket a city, thousands of wireless routers must be strategically placed to ensure constant coverage. Since this is a process that can become quite complicated and costly, researchers at UCLA began looking for an existing technology to which routers could be attached or involved. Since Los Angeles is a city already plagued with traffic problems, the UCLA Vehicular Network Lab was established to study the possibility of wirelessly connected automobiles.
The Vehicular Ad-Hoc Network, or VANET, is a technology that uses moving cars as nodes to create a mobile network. VANET turns every participating car into a wireless router or node, allowing cars within approximately 100 to 300 metres of each other to connect and, in turn, create a network with a wide range. As cars fall out of the signal range and drop out of the network, other cars can join in, connecting vehicles to one another so that a mobile Internet is created. It is estimated that the first systems that will integrate this technology are police and fire vehicles to communicate with each other for safety purposes.
Some related video links (could not be embedded due to copyright reasons):
http://www.vehicularlab.org/video/BigBro.wmv 
An emulation of a terrorist detection system using VANET. Police cars, provided with threat-detection sensors (e.g. for threats such as chemicals, radiation, etc.) can communicate and collaborate to neutralize the situation.
http://www.vehicularlab.org/video/Mobility_Comparison.mov 
A computer simulation of communication protocols and algorithms based on very accurate vehicular traffic mobility traces. It comes from the UCLA labs, so it is quite technical.

ORGANIZATIONAL USES: THE PROS 
VANET offers countless benefits to organizations of any size. Automobile high speed Internet access would transform the vehicle’s on-board computer from a nifty gadget to an essential productivity tool, making virtually any web technology available in the car. While such a network does pose certain safety concerns (for example, one cannot safely type an email while driving), this does not limit VANET’s potential as a productivity tool. It allows for “dead time”—time that is being wasted while waiting for something—to be transformed into “live time”—time that is being used to accomplish tasks. A commuter can turn a traffic jam into productive work time by having his email downloaded and read to him by the on-board computer, or if traffic slows to a halt, read it himself. While waiting in the car to pick up a friend or relative, one can surf the Internet. Even GPS systems can benefit, as they can be integrated with traffic reports to provide the fastest route to work. Lastly, it would allow for free VoIP services such as GoogleTalk or Skype between employees, lowering telecommunications costs.

ORGANIZATIONAL USES: THE CONS 
While the Internet can be a useful productivity tool, it can also prove to be quite distracting, raising safety concerns and actually wasting time. Like cellular phones, the Internet can be tempting and can distract users from the road. Checking emails, surfing the web or even watching YouTube videos can engross drivers and lead to accidents.
Similarly, while drivers may have the opportunity to do work while on the road, they may also use this opportunity for leisure activities, such as VoIP calls with family, watching news highlights or listening to podcasts.

THE FINAL WORD 
While still years away, VANET is a technology that could significantly increase productivity during times that are usually unproductive. However, to achieve this, VANET users must first overcome the leisurely temptations and distractions that the Internet provides.


May 23, 2006

The Hidden Downside of Wireless Networking

Wi-Fi can cause big trouble--and you may not even know it. Here's how to keep the hackers at bay.

Going wireless offers a panoply of attractive benefits to school districts. Because you don't have to run cables to every classroom, it's cheaper to deploy a wireless network than an old-fashioned wired network. Wireless makes it more convenient for administrators, teachers and students to connect.

But there's a perilous downside: A wireless network is easier for hackers to break into. Without the proper security measures, going wireless means opening a gaping hole in your computer systems' defenses.

Worse, you may already have a wireless security problem--even if your technology staff hasn't deployed a single wireless access point. At many school districts, parents and teachers have installed unofficial Wi-Fi hotspots that connect to the school's existing wired network. (Wi-Fi, short for "wireless fidelity," is the trade name for a family of wireless networking standards.) In so doing, they may have inadvertently compromised the school's network, and your district's IT staff may be none the wiser.

Rogue Hotspots
Charlie Garten, the former chief information officer for the Poway Unified School District in southern California, says his district's struggles with Wi-Fi security began as early as 2002. "We weren't surprised that there were ways to jump over our firewall using wireless," says Garten, who retired in 2005. "We were caught a little bit by surprise by the number of rogue access points that had been plugged in." In some cases, his staff would receive complaints about network slowdowns at a school; on investigating, they would find as many as 10 Wi-Fi hotspots that had been installed without the IT department's knowledge. "Well-meaning people wanted to get more access for the kids, but they didn't understand all the consequences of just throwing in a bunch of wireless access points," adds Garten.

In the Palo Alto (Calif.) Unified School District, the security holes introduced by rogue hotspots had a much more public and embarrassing effect. Located in the heart of tech-savvy Silicon Valley, Palo Alto's parent community includes many people who work for companies that supply Wi-Fi equipment. As a result, these parents brought wireless networking into their children's schools at a very early stage.

"We had open networks. When they were first installed, folks could sit in the parking lot if they wanted to get some access," says Marie Scigliano, the director of technology for the district. Scigliano's staff was aware of the security problem but hadn't been able to address it completely when, in the summer of 2003, a local reporter found that she could access the district office's network through an unsecured Wi-Fi connection. Worse, the reporter was able to log on to the student information system and download students' grades, phone numbers, home addresses, medical information, psychological evaluations and even full-color photos.

The district quickly took the network offline and began correcting the problem, according to Scigliano. "We came back up with secure networks, logons, authentication and so forth," she says. However, the story received wide national coverage--thanks in part to the severity of the breach--causing a significant public relations problem for the school.

While the reporter didn't publish or alter student records, press reports noted that it would have been easy for her to do so, if she had been a more malicious hacker. That in turn would have exposed the district to serious liability problems and could possibly have put its students in danger.

Steps for Safer Wi-Fi
Wireless doesn't have to be a security nightmare. Here are some tips from Brian Hernacki, an architect with Symantec Research Labs, on how you can keep your Wi-Fi network safe and sound:

Turn on encryption. Set your network to use Wired Equivalent Privacy or even stronger Wi-Fi Protected Access encryption, which encodes every transmission on the network, making it harder for hackers to "sniff" the data as it goes by. Neither form of encryption will keep hackers out entirely, but they set the bar a lot higher. If you use WEP, make sure you use a 128-bit key, which requires a 26-character pass phrase. WPA is harder to crack and uses easier-to-remember passwords for access, so it's a better choice if your equipment supports it.

Limit access. Wi-Fi networks can be configured to accept connections only from certain computers, using those computers' Media Access Control addresses, a unique number that's attached to the network adapter in every piece of networked equipment. MAC addresses are difficult to spoof, so limiting access to certain MAC addresses helps you ensure that you control who's on your network. On the down side, you need to maintain an up-to-date list of permitted machines.

Require usernames and passwords. Configure your network so that users can gain access only with the proper username and password. If you issue unique usernames to each student, teacher and administrator, you'll be able to track any misuse of the system. Because people may share passwords with each other, be sure to change these every month or every quarter.

Keep the network inside. By carefully locating Wi-Fi routers and using directional antennas (which focus the signal in a particular direction), you may be able to limit the accessibility of your network outside school grounds. This will make it harder for hackers to do their dirty work unobserved.

Turn it off at night. Turning off the Wi-Fi network after-hours means that hackers will need to make their intrusion attempts during the day, when they're more likely to be noticed by staff or students.

Educate your staff. Make sure teachers and administrators are aware of the security risks of using Wi-Fi. For the maximum security, permit access to student information systems (such as grades databases) via wired networks only, and ensure that computers connecting to these systems do not also have Wi-Fi capability.


January 7, 2006

University research aims at more secure wireless network

Researchers at Carleton University, Ottawa, Canada, have reported positive results for a novel means of securing Wi-Fi and other wireless networks from hackers and other unauthorized intrusion.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.

Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.

Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.


The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.

As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.

The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.

With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
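The check described above, a probabilistic neural network that compares a transient fingerprint with enrolled profiles and ties the result to the claimed MAC address, can be sketched as follows. This is an added example and not the Carleton researchers' code; the three-value feature vectors, the kernel width `sigma`, the `min_score` threshold and the MAC addresses are constructed assumptions.

```python
import math


def class_score(x, samples, sigma):
    """Pattern and summation layers of a PNN for one enrolled transceiver:
    one Gaussian kernel per stored fingerprint, averaged over the class."""
    total = 0.0
    for s in samples:
        dist_sq = sum((a - b) ** 2 for a, b in zip(x, s))
        total += math.exp(-dist_sq / (2.0 * sigma ** 2))
    return total / len(samples)


def classify(x, profiles, sigma):
    """Decision layer: the enrolled transceiver with the highest score."""
    scores = {mac: class_score(x, samples, sigma)
              for mac, samples in profiles.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


def verify_claim(claimed_mac, fingerprint, profiles, sigma=0.05, min_score=0.2):
    """Combine the MAC control list with the fingerprint check.

    Returns "accept", "mac-not-on-control-list", "fingerprint-unknown"
    (resembles no enrolled radio) or "fingerprint-mismatch" (resembles a
    different enrolled radio than the one the MAC address claims to be).
    """
    if claimed_mac not in profiles:
        return "mac-not-on-control-list"
    best, score = classify(fingerprint, profiles, sigma)
    if score < min_score:
        return "fingerprint-unknown"
    if best != claimed_mac:
        return "fingerprint-mismatch"
    return "accept"


# Constructed enrolment data: three normalised transient features per capture,
# verified by the administrator as belonging to each MAC address.
PROFILES = {
    "02:00:00:00:00:01": [(0.20, 0.50, 0.80), (0.22, 0.48, 0.79), (0.19, 0.52, 0.81)],
    "02:00:00:00:00:02": [(0.60, 0.30, 0.40), (0.62, 0.31, 0.38), (0.59, 0.29, 0.41)],
}

if __name__ == "__main__":
    claimed = "02:00:00:00:00:01"
    captures = {
        "genuine radio": (0.21, 0.50, 0.80),
        "other enrolled radio claiming this MAC": (0.61, 0.30, 0.40),
        "unenrolled radio claiming this MAC": (0.90, 0.90, 0.10),
    }
    for label, capture in captures.items():
        print(f"{label}: {verify_claim(claimed, capture, PROFILES)}")
```

Storing every verified capture, as this sketch does, is what makes the storage and speed concerns mentioned in the article relevant as the number of enrolled transceivers grows.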

Hall's research still has several hurdles to clear before it can appear as a commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.