Posts

Wireless authentication with usernames and 802.1x

If you’re at all interested in keeping your network and data secure, it’s necessary to implement 802.1x. This authentication standard has a few significant benefits over the single shared wireless network password used by many companies.

  1. It lets wireless clients verify they are logging into _your_ wireless network. It’s very easy for an attacker to create a wireless network with the same name as yours and have clients connect to it and unknowingly send sensitive data over it.
  2. Authentication is specific to the user: each person logs in with their own credentials rather than a password shared by everyone. When someone leaves and their account is disabled, their wireless access ends immediately.

All enterprise network hardware supports 802.1x and NetCal can implement it to keep your network flexible, fast and secure.

Network Management: Is SNMP here forever?

The first SNMP release came out in 1988. 28 years later, SNMP is still around, a go-to Network Management tool … Will this still be the case 10 years from now? Difficult to say, but the odds are lower these days. Why are we predicting SNMP could go away?

If you’re already savvy about SNMP, check out this post for insight into current SNMP limitations and why we are making this prediction.

SNMP was designed to make it simple for the NMS to request and consume data.  But those same data models and operations make it difficult for routers to scale to the needs of today’s networks. To understand this, you first need to understand the fundamentals of SNMP.

SNMP stands for Simple Network Management Protocol. It was introduced to meet the growing need for managing IP devices in a standard way. SNMP provides its users with a “simple” set of operations that allows these devices to be managed remotely.

For example, you can use SNMP to shut down an interface on your router or check the speed at which your Ethernet interface is operating. SNMP can even monitor the temperature on your router and warn you when it is getting too high.

The overall architecture is rather simple: there are essentially 2 main components (see Figure 1):

  • A centralized NMS system
  • Distributed agents (a small piece of software running on each managed network device)

The NMS is responsible for polling agents in the network and receiving traps from them:

  • Polling a network device is the act of querying an agent for some piece of information.
  • A trap is a way for the agent to alert the NMS that something wrong has happened. Traps are sent asynchronously, not in response to queries from the NMS.

How is information actually structured on network devices? A Management Information Base (MIB) is present on every network device. This can be thought of as a database of the objects that the agent tracks. Any piece of information that can be accessed by the NMS is defined in a MIB.

Managed objects are stored in a tree-like hierarchy, as described in Figure 2:

The directory branch is actually not used. The management branch (mgmt) defines a standard set of objects that every network device needs to support. The experimental branch is for research purposes only and finally the private branch is for vendors to define objects specific to their devices.

Each managed object is uniquely identified by a name, its OID (Object Identifier). An OID consists of a series of integers, one per node on the path down the tree, separated by dots (.).

Under the mgmt branch, one can find MIB-II, an important MIB for TCP/IP networks. It is defined in RFC 1213 and you can see an extract in Figure 3.

With that in mind, the OID for accessing information related to interfaces is 1.3.6.1.2.1.2, and for information related to the system it is 1.3.6.1.2.1.1.

Finally, there are 2 main SNMP request types to retrieve information.

GET request – requests a single value by its Object Identifier (see Figure 4)

GET-NEXT request – requests the single value that comes next in lexical order after the requested Object Identifier (see Figure 5)
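To make the OID tree, lexical ordering and the two request types concrete, here is a small added example (not code from the original post) that models an agent’s MIB as a sorted table of instance OIDs and answers GET and GET-NEXT against it, then walks the interfaces subtree the way a management station does. The object names and OIDs under system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2) are the standard MIB-II ones; the instance values are constructed sample data.

```python
"""Toy SNMP agent data model: OID parsing, lexical ordering, GET and GET-NEXT.

Added example, not code from the original post. The MIB-II object names and
OIDs are standard (RFC 1213); the instance values are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """Convert dotted notation ('1.3.6.1.2.1.1.1.0') into a tuple of integers.

    Tuples compare element by element, which is the lexical order SNMP uses.
    Comparing the dotted *strings* instead would sort '...2.10' before '...2.2'
    and break GET-NEXT walks over tables with more than nine rows.
    """
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid: OID) -> str:
    return ".".join(str(n) for n in oid)


# Constructed agent MIB: instance OID -> value.
# sysDescr.0 and sysUpTime.0 live under system, ifNumber.0 and ifDescr.<ifIndex>
# under interfaces.
SAMPLE_MIB: Dict[OID, object] = {
    parse_oid("1.3.6.1.2.1.1.1.0"): "Constructed router OS v1.0",  # sysDescr.0
    parse_oid("1.3.6.1.2.1.1.3.0"): 123456,                        # sysUpTime.0 (timeticks)
    parse_oid("1.3.6.1.2.1.2.1.0"): 3,                             # ifNumber.0
    parse_oid("1.3.6.1.2.1.2.2.1.2.1"): "GigabitEthernet0/0",       # ifDescr.1
    parse_oid("1.3.6.1.2.1.2.2.1.2.2"): "GigabitEthernet0/1",       # ifDescr.2
    parse_oid("1.3.6.1.2.1.2.2.1.2.10"): "Loopback0",               # ifDescr.10
}


def snmp_get(mib: Dict[OID, object], oid_text: str) -> Optional[object]:
    """GET: exact match on an instance OID. None stands in for noSuchInstance."""
    return mib.get(parse_oid(oid_text))


def snmp_get_next(mib: Dict[OID, object], oid_text: str) -> Optional[Tuple[str, object]]:
    """GET-NEXT: the first instance strictly after the requested OID in lexical order.

    Returns (oid_text, value), or None once the end of the MIB view is reached.
    The requested OID need not exist: asking for a table's base OID returns its
    first row, which is what makes subtree walks possible.
    """
    requested = parse_oid(oid_text)
    for oid in sorted(mib):
        if oid > requested:
            return format_oid(oid), mib[oid]
    return None


def snmp_walk(mib: Dict[OID, object], subtree_text: str) -> List[Tuple[str, object]]:
    """Walk a subtree with repeated GET-NEXT, stopping when results leave it.

    This is how a tool such as snmpwalk enumerates a table like ifDescr.
    """
    subtree = parse_oid(subtree_text)
    results: List[Tuple[str, object]] = []
    current = subtree_text
    while True:
        nxt = snmp_get_next(mib, current)
        if nxt is None or parse_oid(nxt[0])[: len(subtree)] != subtree:
            return results
        results.append(nxt)
        current = nxt[0]


if __name__ == "__main__":
    print("sysDescr.0 =", snmp_get(SAMPLE_MIB, "1.3.6.1.2.1.1.1.0"))
    for oid, value in snmp_walk(SAMPLE_MIB, "1.3.6.1.2.1.2"):
        print(oid, "=", value)
```

Note that the walk of 1.3.6.1.2.1.2 yields ifDescr.10 after ifDescr.2 only because OIDs are compared as integer tuples; a string comparison would visit the rows out of order and a walker that stops at the first "backwards" OID would silently miss interfaces.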

This is a repost of a blog by one of our service partners, Cisco.

Understanding what NetFlow can do for your network

Traffic on the network can provide valuable insight into many areas of business and technology that would generally go unnoticed unless reported on or analyzed. NetFlow is one very simple technology that can be used to see what is really on your network.

NetFlow can be used to analyze many things such as:

  • Email trend and spam analysis
  • Employee Internet usage
  • Suspicious network activity
  • Legal claims
  • Virus, worm, and spyware detection

…but that is not all. Essentially anything you can express as a query over the fields NetFlow records can be analyzed.

At NetCal, we primarily use this for things like tracking who is over-using an Internet connection, where someone was going on the Internet at a particular time, or looking up what we think might be suspicious network activity.
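As an added example (not NetCal’s own tooling), here are the three analyses just listed written against a handful of constructed flow records in a simplified NetFlow v5-like layout: who is consuming the most bandwidth, where a host was going during a time window, and a simple heuristic for suspicious activity (one host touching many distinct ports on one destination). A real collector such as nfdump or an exporter would supply the same fields, possibly under different names.

```python
"""Answering the three NetFlow questions from the post over constructed records.

Added example, not code from the original post. The flows below are constructed
sample data using documentation (203.0.113.0/24, 198.51.100.0/24) and private
addresses; field names follow NetFlow v5 loosely and are an assumption.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    start: datetime   # first-packet timestamp of the flow
    src: str          # source address
    dst: str          # destination address
    dst_port: int     # destination port
    proto: str        # "tcp" or "udp"
    octets: int       # bytes carried by the flow


def _f(t: str, src: str, dst: str, port: int, proto: str, octets: int) -> Flow:
    return Flow(datetime.fromisoformat(t), src, dst, port, proto, octets)


# Constructed sample: one heavy downloader, one ordinary user, one host probing
# ten ports on an internal server with tiny flows.
SAMPLE_FLOWS: List[Flow] = [
    _f("2016-05-02T09:00:00", "10.0.0.5", "203.0.113.10", 443, "tcp", 850_000_000),
    _f("2016-05-02T09:05:00", "10.0.0.5", "203.0.113.10", 443, "tcp", 920_000_000),
    _f("2016-05-02T09:10:00", "10.0.0.7", "198.51.100.25", 443, "tcp", 2_000_000),
    _f("2016-05-02T09:12:00", "10.0.0.7", "198.51.100.30", 80, "tcp", 450_000),
    _f("2016-05-02T09:15:00", "10.0.0.7", "203.0.113.53", 53, "udp", 3_000),
] + [
    _f(f"2016-05-02T09:20:{i:02d}", "10.0.0.9", "10.0.0.20", port, "tcp", 60)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])
]


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Who is over-using the Internet connection: total bytes per source address."""
    usage: Counter = Counter()
    for flow in flows:
        usage[flow.src] += flow.octets
    return usage.most_common(n)


def destinations_of(flows: List[Flow], host: str, start_iso: str, end_iso: str) -> List[Tuple[str, int]]:
    """Where a host was going during a time window: distinct (dst, dst_port) pairs."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = {(f.dst, f.dst_port) for f in flows if f.src == host and start <= f.start <= end}
    return sorted(hits)


def port_scan_suspects(flows: List[Flow], min_ports: int = 8) -> Dict[str, Tuple[str, int]]:
    """Suspicious activity heuristic: a source hitting many distinct ports on one destination.

    Returns {src: (dst, distinct_port_count)} for pairs at or above the threshold.
    The threshold is an assumption for this sample; tune it to your network.
    """
    ports_seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for flow in flows:
        ports_seen[(flow.src, flow.dst)].add(flow.dst_port)
    suspects: Dict[str, Tuple[str, int]] = {}
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= min_ports and len(ports) > suspects.get(src, ("", 0))[1]:
            suspects[src] = (dst, len(ports))
    return suspects


if __name__ == "__main__":
    print("Top talkers:", top_talkers(SAMPLE_FLOWS))
    print("10.0.0.7 between 09:10 and 09:13:",
          destinations_of(SAMPLE_FLOWS, "10.0.0.7", "2016-05-02T09:10:00", "2016-05-02T09:13:00"))
    print("Port-scan suspects:", port_scan_suspects(SAMPLE_FLOWS))
```

The scan heuristic deliberately ignores byte counts and timing; in production you would bound it by a time window and whitelist known scanners (vulnerability management, monitoring) so the report stays actionable.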

802.11AC Wave2

When 802.11AC was introduced, we found it to be the most amazing thing since sliced bread.  It was dramatically faster than 802.11N, backwards compatible, and mostly interference free.  Today, we will discuss what 802.11AC-Wave2 brings to the table and how we feel about it.

802.11AC-Wave2 – Features and Enhancements

  • Supports speeds up to 2.34 Gbps (more spatial streams) 

Pros: Compared to 802.11AC-Wave1, which has a capacity of 1.3 Gbps, the new standard has much higher throughput capacity. This is due to an increase in spatial streams: 802.11AC-Wave2 moves from 3 spatial streams to 4, which translates to a 33% increase in throughput.

Cons: As with 802.11AC-Wave1, most client devices implement only one or two spatial streams to save power and the space required for additional antennas. Additionally, upgrades to the current network switching infrastructure are required to take full advantage of the ~2 Gbps throughput. A high signal-to-noise ratio and line of sight are usually also required.

  • Supports multiuser multiple input, multiple output (MU-MIMO)

Pros: First, we must understand that with each additional spatial stream, we gain additional throughput. Unfortunately, 802.11AC-Wave1 spatial streams are transmitted over multiple antennas to only ONE client at a time. Let’s imagine a freeway with multiple lanes, which can accommodate all sorts of cars, even the “wide load” ones that carry mobile homes and big construction equipment. Now, imagine only 1 car can move at a time on this freeway. Most cars (tablets, phones, etc.) only require the use of a single lane, yet they have all the lanes available to them. As you can see, this isn’t very efficient because the other lanes essentially go to waste. MU-MIMO fixes this. It allows each stream (lane) to be directed to a different one-stream client simultaneously. So potentially, three clients get serviced in the time it previously took to service one. Qualcomm claims a 2x-2.5x performance improvement.

Cons: Unfortunately, this feature is only available downstream. Using the car analogy, imagine the efficient freeway is only available northbound, not southbound. This is also a fairly complex and new technology; stability in a real-world environment has not been verified yet.

  • Offers the option of using 160-MHz-wide channels for greater performance

Pros: Channel bonding is the single biggest performance multiplier, and it is the foundation for vendors’ claims of 1.3 Gbps speeds for Wave 1, and from 2.3 Gbps for Wave 2 up to 6.7 Gbps. To accomplish this, 802.11AC-Wave1 allows FOUR 20 MHz channels to be bonded into a single 80 MHz channel. 802.11AC-Wave2 builds on this to provide up to 160 MHz (contiguous channels, or a non-contiguous 80 + 80 configuration).

Cons: With only a SINGLE contiguous 160 MHz channel available, this capability is more useful in a point-to-point configuration than in a corporate wireless network. Corporate networks require a dense configuration, which would cause performance-degrading co-channel interference. In practice, this means that when a nearby cell is using the channel, the channel is busy for other nearby cells on the same channel. Additionally, “nearby” does not only mean neighboring cells: due to the nature of the Wi-Fi channel access method, CSMA/CA, cells at a 1-3 cell distance may also keep the channel reserved.

So, with everything said and done, what is NetCal’s stance on 802.11AC-Wave2? To keep things simple again, we recommend upgrading to 802.11AC-Wave1 90% of the time to save money on client device, equipment and infrastructure upgrade costs. As you can guess from the above information, the improvements can only be seen in very limited circumstances (backhauling, standalone, close range, line of sight, mesh nodes, point-to-point/point-to-multipoint bridges).

Wireless Myths

Myth #1: “The only interference problems are from other 802.11 networks.”

Summary: The unlicensed band is an experiment by the FCC in unregulated spectrum sharing. The experiment has been a great success so far, but there are significant challenges posed by RF interference that need to be given proper attention.

 

Myth #2: “My network seems to be working, so interference must not be a problem.”

Summary: Interference is out there. It’s just a silent killer thus far.

 

Myth #3: “I did an RF sweep before deployment. So I found all the interference sources.”

Summary: You can’t sweep away the interference problem. Microwave ovens, cordless phones, Bluetooth devices, wireless video cameras, outdoor microwave links, wireless game controllers, Zigbee devices, fluorescent lights, WiMAX devices, and even bad electrical connections: all of these can cause broad RF spectrum emissions. These non-802.11 sources of interference typically don’t work cooperatively with 802.11 devices.

 

Myth #4: “My infrastructure equipment automatically detects interference.”

Summary: Simple, automated-response-to-interference products are helpful, but they aren’t a substitute for understanding the underlying problem.

 

Myth #5: “I can overcome interference by having a high density of access points.”

Summary: It’s reasonable to over-design your network for capacity, but a high density of access points is no panacea for interference.

 

Myth #6: “I can analyze interference problems with my packet sniffer.”

Summary: You need the right tool for analyzing interference. In the end, it’s critical that you be able to analyze the source of interference in order to determine the best course of action to handle the interference. In many cases, the best action will be removing the device from the premises.

 

Myth #7: “I have a wireless policy that doesn’t allow interfering devices into the premises.”

Summary: You have to expect that interfering devices will sneak onto your premises.

 

Myth #8: “There is no interference at 5 GHz.”

Summary: You can run, but you can’t hide.

 

Myth #9: “I’ll hire a consultant to solve any interference problems I run into.”

Summary: You can’t afford to rely on a third party to debug your network.

 

Myth #10: “I give up. RF is impossible to understand.”

Summary: The cavalry is here!

 

Myth #11: “Wi-Fi interference doesn’t happen very often.”

Summary: There’s no point burying your head in the sand: Wi-Fi interference happens.

 

Myth #12: “I should look for interference only after ruling out other problem sources.”

Summary: Avoid wasting your time. Fix your RF physical layer first.

 

Myth #13: “There’s nothing I can do about interference if I find it.”

Summary: There’s always a cure for interference, but you need to know what’s ailing you.

 

Myth #14: “There are just a few easy-to-find devices that can interfere with my Wi-Fi.”

Summary: You need the right tool to find interference fast, and it’s not a magnifying glass.

 

Myth #15: “When interference occurs, the impact on data is typically minor.”

Summary: Interference can really take the zip out of your Wi-Fi data throughput.

 

Myth #16: “Voice data rates are low, so the impact of interference on voice over Wi-Fi should be minimal.”

Summary: Can you hear me now? Voice over Wi-Fi and interference don’t mix.

 

Myth #17: “Interference is a performance problem, but not a security risk.”

Summary: RF security doesn’t stop with Wi-Fi. Do you know who is using your spectrum?

 

Myth #18: “802.11n and antenna systems will work around any interference issues.”

Summary: Antennas are a pain reliever, but far from a cure.

 

Myth #19: “My site survey tool can be used to find interference problems.”

Summary: Site survey tools measure coverage, but don’t solve your RF needs.