Archive for March, 2018

You Don’t Know What You’re Missing on Your Network

Tuesday, March 27th, 2018

Today’s cyber threats hide in plain sight amidst your network traffic, making them nearly impossible to defend against. These advanced threats use applications as their infiltration vector, exhibit application-like evasion tactics, and leverage commonly used network applications for exfiltration.

Legacy point products are blind to much of what goes on in the network. Hackers exploit this.

Net-Ctrl and Palo Alto Networks are offering an assessment that reveals the Unknown in your network.

Here is some of what you will see:

  • Malware and spyware on your network
  • Unauthorised applications
  • Violations of your security policies
  • Malicious websites employees are accessing
  • Non-work-related applications and activity
  • Shadow IT

How it works: We put the Palo Alto Networks® Next-Generation Security Platform on your network to passively monitor traffic for just one week.

We deliver to you the Security Lifecycle Review (SLR). The SLR reveals under-the-radar activity on your network and the risks to your business. We meet with you to explain the findings, answer your questions, and offer practical recommendations. The SLR is cost-free, risk-free and obligation-free.

To schedule or learn more about the SLR, please complete our Contact Form and we will schedule a call with one of our engineers.

Secure Wi-Fi Access Using Dynamic Pre-Shared Keys

Wednesday, March 7th, 2018

You’ve heard us talk a lot about digital certificates as a way to deliver secure onboarding and network authentication in support of Bring Your Own Device (BYOD) initiatives. Digital certificates provide a much higher level of security than conventional pre-shared keys, which are typically the default method of providing Wi-Fi network access for internal BYOD users. You may remember Ruckus’ previous blog about the security problems associated with conventional PSKs and MAC authentication.

Certificates ensure that every session is secure because data in transit is encrypted using WPA2-Enterprise, as well as providing a variety of other security measures. Certificate-based authentication also improves end-user and IT experience because as long as the certificate remains valid, users don’t have to enter login credentials again after initial onboarding.

Digital certs are often not appropriate for guest users though—in which case a technology called a dynamic pre-shared key (DPSK) can help optimise both security and usability.

Why Not Just Use Digital Certificates for Guest Wi-Fi Access?

Certificates work great for internal BYOD users, who need network access on an ongoing basis. However, they require the user to download and install the certificate on their device as part of the onboarding process. You could take this approach for guest users too—the up-front investment of time for the user is not onerous. But it probably does not make sense from a usability perspective for someone who will only be in your environment for an hour or a day. And yet you don’t want to revert to default measures such as conventional PSKs and MAC authentication due to the security issues mentioned previously. Ideally, you want to employ an alternative method that provides similar security benefits while not asking the guest user to download a certificate.

Why Dynamic Pre-Shared Keys Are the Answer for Guest Wi-Fi Access

Dynamic pre-shared keys are a Ruckus-patented technology found in Cloudpath Enrollment System, our software/SaaS platform for delivering secure network access for BYOD, guest users, and IT-owned devices (including IoT devices). DPSKs fit the guest access use case perfectly. With DPSKs, each user gets a unique access code for Wi-Fi access, which the Cloudpath system provides by SMS, email, or even printed voucher.

Organisations usually let guest users access only the internet—not internal network servers—over the wired/wireless connection. You still want to associate every device with a user, perform an up-front posture check during onboarding, and apply relevant policies. It’s also important to be able to revoke access at any time for specific users and devices. (Imagine if you became aware that a visitor was using that network connection to do something malicious such as sending spam emails linking to a phishing site. You’d want to revoke their access in a hurry. Now, we’re sure your guests would not do that, but better safe than sorry.) Encryption for data in transit may not be as critical for guest users, but it’s not a bad idea either.

The DPSK method for network authentication, in the context of Cloudpath Enrollment System, lets you do all of these things. Since it does not require the user to install a certificate, you increase security while also optimising usability for your visitors.

The “D” in DPSK Makes All the Difference for Secure Wi-Fi

DPSK and PSK can’t be that different, right, since only a “D” separates them? Quite the opposite! Most of the security measures referenced above simply don’t exist with a conventional PSK. That’s why we are so careful to use the term “conventional” or “traditional” when we refer to the garden-variety PSK. Sure, it encrypts data between the device and the access point. But that’s where the similarity ends. Using conventional PSKs, you could potentially direct guests to a separate SSID with only internet access, supplying them with the relevant PSK. But they could share that PSK with anyone or use it past the time of their visit.

Remember, with traditional PSKs everyone accessing a given SSID uses the same key. With DPSKs, each guest user gets his or her own access key. That “D” in front of PSK makes all the difference because it provides much greater security for users, devices, and the network. Think of the DPSK as a precision surgical scalpel in comparison to the blunt instrument that is the PSK. Organisations often also use MAC authentication via captive portal for providing guest access—which also fails to provide adequate levels of protection. (Once more, refer to our previous blog to understand the shortcomings of the default methods, which the patented DPSK technology in Cloudpath software addresses.)

Digital Certificates and DPSKs—Secure Network Access for BYOD, Guest and Even IoT Devices

In summary, digital certificates and DPSKs are a great tandem. Cloudpath Enrollment System uses both technologies for streamlined secure onboarding and network authentication. It supports both internal users (with digital certificates) and guest users (typically with DPSKs). Cloudpath software also supports IT-owned devices. As IoT devices become more common in enterprise environments, schools, and institutions of higher education, certificates and DPSKs are also a great way to securely support those devices. DPSKs will be especially important for consumer IoT devices that make their way into enterprise environments because many of those devices are not equipped to accept certificates. But that’s a topic for another blog.

View the original post at The Ruckus Room.

Ruckus: Get Wired for Success!

Monday, March 5th, 2018

You’ve just bought a brand new sports car, one that can do zero to 60 in under four seconds and you are excited to try it out. But all you have to drive it on is a gnarly, rutted, steep and rocky dirt road. Good luck taking advantage of all that horsepower.

That’s the analogy Department of Health and Services CIO Beth Killoran used to describe the current challenge facing federal IT modernization initiatives. New technologies, from cloud computing and mobility to big data and the Internet of Things, promise increases in efficiency and in mission success, but some organisations still lack the basic infrastructure investment to make full use of them. The old infrastructure put in place just wasn’t designed to handle today’s IT environment.

Wired Isn’t Dead

Increasingly, users are connected to networks via exclusively wireless means, whether from mobile phones, tablets or laptops. Yet, while fewer devices will be relying on a direct wired connection to the network, they are still out there: desktops, VoIP devices, even many IoT devices and network-connected operational technology. All of these devices remain central to agency missions and crucial to end-user satisfaction.

Wireless affords increased mobility, which enables increased efficiency and worker satisfaction. But behind every strong wireless deployment, there must be an equally strong wired network. It is the part that connects your wireless end-points to your datacenter and the outside world, and many devices will continue to connect directly to it for some time. This means that as part of your network modernisation strategy, wired has to remain an important part of the mix.

The Benefits of Ruckus ICX Switches

In buildings with potentially thousands of active users and high density, networks must be able to scale to the increasing per capita bandwidth demand. Often that means squeezing more throughput into smaller spaces.

The Ruckus ICX line of campus switches combines small form factors with high throughput, giving networking capabilities that can grow to agency scale without hassle. They are small and low profile, and stack easily as network demands increase.

Most importantly, ICX switches allow organisations to manage their wired and wireless infrastructure using the same management tools, minimising software complexity and spending overhead.

Wireless Networks Are the Future. But So Are Wired.

Wireless is undoubtedly the future of IT, but the very convenience and ease with which wireless devices connect to the network is a threat if the wired infrastructure that supports it does not also keep pace.

With new waves of IT modernisation, organisations need to ensure their wireless and wired infrastructure are keeping pace. Otherwise, what’s the point of that nice car?

For more information on Ruckus ICX Switches and how they can allow you to scale your networks, please visit https://www.ruckuswireless.com/products/campus-network-switches/ruckus-icx-family-switches