Archive for September, 2018

Ruckus. 802.11ax fundamentals: Target Wake Time (TWT)

Friday, September 28th, 2018

The Wi-Fi industry experiences a seismic change approximately every five years – and 802.11ax is the latest generation of Wi-Fi that bridges the performance gap towards 10-gigabit speeds. The new Wi-Fi standard will deliver faster network performance, connect more devices simultaneously and transition Wi-Fi from a ‘best-effort’ endeavour to a deterministic wireless technology that is now the de-facto medium for internet connectivity.

With an expected four-fold capacity increase over its 802.11ac Wave 2 predecessor, 802.11ax deployed in dense device environments will support higher service-level agreements (SLAs) to more concurrently connected users and devices with more diverse usage profiles. This is made possible by a range of technologies that optimize spectral efficiency, increase throughput and reduce power consumption. These include Target Wake Time (TWT), OFDMA and MU-MIMO, Uplink MU-MIMO, sub-carrier spacing and MAC/PHY enhancements.

In this article, we’ll be taking a closer look at Target Wake Time and how 802.11ax wireless access points (APs) can utilize this mechanism to extend the battery life of client devices and optimize spectrum utilization.

TWT: From IEEE 802.11ah to 802.11ax

Target Wake Time enables devices to determine when and how frequently they will wake up to send or receive data. Essentially, this allows 802.11ax access points (Ruckus R730) to effectively increase device sleep time and significantly conserve battery life, a feature that is particularly important for the IoT. In addition to saving power on the client device side, Target Wake Time enables wireless access points and devices to negotiate and define specific times to access the medium. This helps optimize spectral efficiency by reducing contention and overlap between users.

The Target Wake Time mechanism first appeared in the IEEE 802.11ah “Wi-Fi HaLow” standard. Published in 2017, the low-power standard is specifically designed to support the large-scale deployment of IoT infrastructure – such as stations and sensors – that intelligently coordinate signal sharing. The TWT feature further evolved with the IEEE 802.11ax standard, as stations and sensors are now only required to wake and communicate with the specific Beacon(s) transmitting instructions for the TWT Broadcast sessions they belong to. This allows the wireless IEEE 802.11ax standard to optimize power saving for many devices, with more reliable, deterministic and LTE-like performance.

As Maddalena Nurchis and Boris Bellalta of the Universitat Pompeu Fabra in Barcelona noted in a recent paper, TWT also “opens the door” to fully maximizing new MU capabilities in 802.11ax by supporting the scheduling of both MU-DL and MU-UL transmissions. In addition, TWT can be used to collect information from stations, such as channel sounding and buffer occupancy, in pre-defined periods. Last, but certainly not least, TWT can potentially help multiple WLANs in dense deployment scenarios reach consensus on non-overlapping schedules to further improve Overlapping Basic Service Set (OBSS) co-existence.

Conclusion

Designed for high-density connectivity, the new IEEE 802.11ax standard offers up to a four-fold capacity increase over its 802.11ac Wave 2 predecessor. With 802.11ax, multiple APs deployed in dense device environments can collectively deliver required quality-of-service (QoS) to more clients with more diverse usage profiles.

This is made possible by a range of technologies – such as Target Wake Time (TWT) – that reduce power consumption and improve spectral efficiency. TWT is clearly an important part of both the new 802.11ah and 802.11ax standards. From our perspective, TWT will play a critical role in helping Wi-Fi evolve into a collision-free, deterministic wireless technology as the IEEE looks to integrate future iterations of the mechanism into new wireless standards to support the IoT and beyond.

View the original article by Dennis Huang at theruckusroom.com.

Three ways to use network access policies beyond IT security

Friday, September 28th, 2018

If you have been following Ruckus Networks for a while, you have probably heard us frequently mention “security” and “policy” in the same breath. In many cases, the two do go hand in hand, and that’s certainly the case when it comes to network access policies.

IT policies that govern network access enhance security by limiting access to network resources to only those users whose role merits access to those resources. The HR and payroll departments get access to a server that houses confidential payroll data, but the call centre and marketing department do not.

Even with many applications moving to the cloud, lots of sensitive data still resides within the network. Organizations can use network access policies as an important tool for implementing sound data governance practices. Who gets access to what resources is an important element of this. Network access policies can be defined and managed centrally for enforcement within the wired and wireless network infrastructure itself. (The Ruckus SaaS/software product that lets you define and manage policies for secure network access is Cloudpath Enrollment System).

While this policy capability is a powerful way to enhance IT security as part of a layered defence, the uses of network access policies also extend beyond the security realm. Let’s examine a few ways that you might use this type of policy that doesn’t explicitly have to do with IT security.

Network bandwidth management—sometimes not all network traffic is created equal

IT teams might want to favour one user, application or device over another, and network access policies can help do that. There are many examples of this, but one mission-critical one that comes to mind is in a hospital setting. If you are an IT admin in a hospital, you probably want network traffic generated by doctors accessing clinical applications to get priority over, say, someone visiting a sick relative accessing streaming video for entertainment purposes. A policy-based approach is one way to make sure that your network prioritizes the traffic that’s most important to your organization’s success.

Tiered service levels—monetizing network infrastructure based on willingness to pay

In some scenarios, the IT team might want to provide different levels of service to different users in proportion to their willingness to pay. This is where tiered service levels come into play. Imagine an airport setting where the facility wants to give some basic level of internet access for airline patrons for free—say speeds fast enough for checking email on their laptops. It might also want to provide faster service for someone willing to pay for it—say speeds fast enough to watch streaming video. This scenario also might present itself in a hospitality setting. Tiered service levels are another use case where the ability to centrally define and manage network access policies, and map those to users and devices, can really come in handy.

Separate VLANs for a personalized user experience

Certain settings call for not one large network, but rather something that looks like a lot of smaller networks—each of which is accessible only by a single user or small group of users. One example that springs to mind is in higher education—specifically in a college dormitory. The right policy implementation can give students a personalized experience so that they only see their own network resources or those that they have been granted access to. If a printer is in someone else’s dorm room down the hall, there is no need for a student to even see that resource. Why not put each student on their own VLAN? The right tools for a policy-based approach make it possible. The same scenario applies in an MDU (multi-dwelling unit) setting, such as a senior living centre, or for any communal living situation.

Cloudpath Enrollment System for centralized network access policy management

You’ve probably heard us here at Ruckus talk more about the security aspects of network access policy than these other scenarios. The security element is front and centre when it comes to describing the policy capabilities of Cloudpath Enrollment System, our SaaS/software platform for secure network onboarding. But as we have seen in this blog, the benefits of centrally managed policies for network access extend beyond enhancing IT security. As you might have guessed by now, Cloudpath software can help you address the scenarios mentioned above.

You don’t have to switch out your existing wired/wireless infrastructure to use Cloudpath software, either. It works with any vendor’s network infrastructure. If this sounds interesting, you can learn more on the Cloudpath product page. You can even request a live online demo there when you’re ready.

View the original article at theruckusroom.com.

Managing multiple Unleashed networks

Monday, September 17th, 2018

In this Unleashed blog post, we’ll take a closer look at the Ruckus Unleashed Multi-Site Manager (UMM), which offers SMBs more advanced options for managing multiple Unleashed networks deployed in various geographic locations.

Unleashed Multi-Site Manager (UMM): Key Features

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or a total of 10,000 APs – is designed to provide a ‘single pane of glass’ view to manage Unleashed networks deployed across multiple locations. It provides intuitive and customizable dashboards that display near real-time insights about connected access points and clients, along with detailed geographic (map) views of network activity.

The Ruckus Unleashed Multi-Site Manager also enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a simple click of the mouse. SMBs can also create custom device groups and perform administrative tasks for/on a specific group. In addition, UMM enables users to build a database backup file with relevant site configuration data – and easily replicate the network at another site with a ‘cookie-cutter’ backup file.

Let’s take a closer look at some of our key UMM features below:

Dashboard – Provides SMBs with a near real-time view of connected APs and clients, along with the distribution of client operating systems. UMM customizable dashboards display comprehensive Google Map views of all Unleashed networks, as well as a detailed and pinpointed list of recent events. All information is colour coded, enabling SMBs to quickly gain a holistic view of connectivity status, signal quality, client throughput data, the number of networks, as well as connected APs and clients.

Reports – Creates detailed and customizable reports about APs, WLANs, client connectivity trends, rogue APs or mesh changes within a specified date range. These can include customized graphs that display bandwidth utilization per application or per user, AP airtime utilization and APs with the most associated clients. UMM also generates service-centric agreement graphs and reports that list percentage uptime for AP groups and specific clients, backhaul uptime and client potential throughput. Additional reports include connection and association, user action audits and system logs.

Single Sign-On – Lets administrators drill down into individual Unleashed networks after signing into Unleashed Multi-Site Manager only once, without having to know the assigned credentials for each network. It should be noted that UMM also supports multi-tiered management access (RBAC) and secure access with remote SSL.

Network Upgrade – Schedules an upgrade of all devices across multiple locations. Allows SMBs to conveniently create groups of devices and plan upgrades of groups.

NAT Traversal – Lets UMM reach all the Unleashed networks as a central management system even when the APs sit behind NAT. More specifically, SSH tunnels are established between UMM and the APs behind the NAT server.

Conclusion

SMBs are demanding fast, reliable and always-on connectivity for dozens or even hundreds of connected devices. However, small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be installed and up and running in five minutes or less. Unleashed also enables anyone to manage their network from an intuitive mobile app or website browser, while the Unleashed Multi-Site Manager (UMM) supports up to 1,000 Unleashed networks or 10,000 APs for SMBs that manage multiple networks in disparate geographic locations.

Essentially, the Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or a total of 10,000 APs – is designed to provide a ‘single pane of glass’ view to manage Unleashed networks deployed across multiple locations. It provides customizable dashboards that display near real-time insights about connected access-points (APs) and clients, along with map views of networks and recent activity. Moreover, the Ruckus Unleashed Multi-Site Manager enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a click of the mouse.

Interested in learning more about Ruckus Unleashed for SMBs? You can visit the Ruckus Unleashed product page here, download our Unleashed data sheet here and access our Multi-Site Manager data sheet here.

View the original article at The Ruckus Room.

Three ways unsecured Wi-Fi can contribute to a data breach

Monday, September 17th, 2018

This blog entry connects unsecured network access to increased risk for data compromise—commonly called a data breach—in a concrete way. We’re talking specifically about BYOD and guest devices, and failure to properly secure the way in which they connect to the network. When people discuss BYOD security, often they focus only on encryption for wireless data over the air. As we will see, that’s an important element, but it’s not the whole story.

Before we get started, please note that this is far from an exhaustive list of ways that improper security measures around network access can imperil sensitive data. And although our blog title references unsecured Wi-Fi, the first two points below are also relevant to devices that access the network over a wired connection.

Lack of role-based network access for BYOD and guest users leaves the door open for data breaches

Secure network access means access on a need-to-know basis. Not every breach is the stuff of hoody-wearing cybercriminals hiding in the shadows. Many data breaches come from unintended disclosure. Well-meaning stakeholders sometimes make mistakes and disclose data improperly. The more people that have access to a given set of data, the more likely someone will make that kind of mistake. As much as we don’t like to think about it, stakeholders can also disclose sensitive data intentionally.

A sound data governance strategy requires that users should be able to access only those network resources appropriate to their role in the organization. Policy-based controls are a cornerstone of such a strategy, and if you don’t enable these controls, it leaves the door open to data compromise. If you don’t have the means to define and manage policies to restrict access, the chance of a breach is greater.

Even within the organization, when someone not authorized to view certain data does so, that’s a breach. To pick a very specific example, call center employees should not have access to the server containing an Excel file with employee payroll data. Role-based policy capability for network access is essential, and lack of differentiated network access risks data compromise.

Failure to perform a security posture check for BYOD and guest users can lead to trouble, too

Most of us would agree that BYOD programs increase employee productivity. And visitors to most environments expect easy connectivity for their devices, just as employees do—whether the location is an office, government agency worksite, public venue, school, college or most anywhere. That’s a lot of unmanaged devices accessing the network—either over wireless or via a wired connection. IT teams don’t control those devices the way they can for IT-owned devices, and if not managed properly this can also leave the door open to a data breach.

Failure to perform an up-front security posture check before BYOD and guest devices connect is a risk area as well. Malware is one of the leading causes of data breaches—for example, keyloggers that capture every character typed into the keyboard of an infected device. You don’t want malware like that spreading into your environment. If you let an employee connect their BYOD laptop without checking that anti-malware has been installed, that’s a security hole that needs to be plugged. More than that, the malware signatures for that software need to be up to date. A security posture check during network onboarding can make sure that BYOD and guest devices employ basic security measures.

Most tech-savvy users of mobile devices have a PIN enabled in their phone or tablet. But imagine what would happen if an employee connects their BYOD phone to the network, which thereby gains access to network resources housing confidential data. Suppose it’s a new phone and they don’t have a PIN enabled yet. Then someone steals the phone.

The network does not know the thief isn’t the employee, and the device can still access those same network resources. This is where lack of a security posture check leaves the door open to data compromise. A proper security posture check would have included remediation for that device—just require that employees have a PIN enabled before they can connect.
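The role-based access and posture-check controls described above (and the VLAN and service-tier mapping from the network access policies post earlier on this page) as an added Python example; this is illustrative code, not Cloudpath or any Ruckus product logic, and the role table, VLAN numbers, quarantine VLAN and the seven-day signature-age limit are constructed assumptions.

```python
"""Onboarding decision: role-based resource access plus a device posture check.

Added example (not product code). The policy table and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy: role -> VLAN, resources the role may reach, service tier.
# Mirrors the page's example: HR/payroll may reach the payroll server, call centre may not.
ROLE_POLICY = {
    "hr":          {"vlan": 20, "resources": {"payroll-server", "intranet"}, "tier": "priority"},
    "call-centre": {"vlan": 30, "resources": {"crm", "intranet"},            "tier": "standard"},
    "guest":       {"vlan": 99, "resources": {"internet"},                   "tier": "basic"},
}

QUARANTINE_VLAN = 666          # assumed remediation VLAN with no access to internal resources
MAX_SIGNATURE_AGE_DAYS = 7     # assumed limit for "signatures are up to date"


@dataclass
class Posture:
    """What the onboarding agent reports about a BYOD or guest device."""
    screen_lock_enabled: bool        # PIN/passcode set, so a stolen phone is not an open door
    anti_malware_installed: bool
    signature_age_days: int          # days since the anti-malware signatures were last updated


@dataclass
class Decision:
    action: str                      # "allow", "remediate" or "deny"
    vlan: Optional[int] = None
    tier: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def posture_failures(p: Posture) -> List[str]:
    """Return the remediation steps the device must complete before it may connect."""
    failures = []
    if not p.screen_lock_enabled:
        failures.append("enable a PIN or screen lock")
    if not p.anti_malware_installed:
        failures.append("install anti-malware")
    elif p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("update malware signatures (older than %d days)" % MAX_SIGNATURE_AGE_DAYS)
    return failures


def onboard(role: str, posture: Posture) -> Decision:
    """Decide what network the device lands on when it connects.

    Unknown roles are denied; devices failing the posture check are parked on the
    quarantine VLAN with the list of fixes; healthy devices get their role's VLAN and tier.
    """
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return Decision("deny", reasons=["unknown role"])
    failures = posture_failures(posture)
    if failures:
        return Decision("remediate", vlan=QUARANTINE_VLAN, reasons=failures)
    return Decision("allow", vlan=policy["vlan"], tier=policy["tier"])


def may_access(role: str, resource: str) -> bool:
    """Need-to-know check: is this resource in the role's allowed set?"""
    return resource in ROLE_POLICY.get(role, {}).get("resources", set())


if __name__ == "__main__":
    # Constructed sample: a new phone without a PIN is sent to remediation first.
    print(onboard("hr", Posture(screen_lock_enabled=False, anti_malware_installed=True, signature_age_days=1)))
    print(onboard("hr", Posture(True, True, 1)))
    print("call centre -> payroll:", may_access("call-centre", "payroll-server"))
```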

Unencrypted wireless data traffic is another IT security hole

This section discusses a security hole that applies only to wireless access. Unless you encrypt data traffic in transit between wireless access points and devices, prying eyes can view it using commercially available network analysis tools. (The same way anyone can spy on what you do over an open public Wi-Fi connection at the local coffee shop).

Of course, many websites are themselves encrypted these days. But often not all page components are encrypted, and users have no way of knowing which components those are. Mobile applications may or may not encrypt their data traffic. App developers have an incentive not to encrypt data traffic, because encryption imposes overhead on the back-end systems that support their apps.

In an enterprise environment, you might think anyone would be crazy not to encrypt wireless traffic over the air. But MAC authentication—one of the default methods for connecting devices—does not encrypt wireless data traffic. (Read more about the security flaws in default methods for network onboarding and authentication.) It’s also not unheard of for IT to provide one or more open SSIDs in some environments—if only for guest users—especially when the organization lacks a system for secure network onboarding. Whatever the circumstances, unencrypted data traffic is a risk area.

One way to plug these (and other) network security holes

Fortunately, you can easily plug these and other security holes that result from unsecured network access mechanisms. Just deploy a system for secure onboarding and network authentication. Here at Ruckus, we believe that our own Cloudpath Enrollment System offers the industry’s best combination of ease of deployment and powerful security features. If the security risks discussed in this blog concern you, now’s a great time to explore this offering—start with our new product overview video. Then dig deeper on the product page, where you can even request a live online demo when you’re ready.

To view the original post by Vernon Shure, Sr. Product Marketing Manager, Security at Ruckus Networks, click here.

Three common Wi-Fi myths about capacity, interference and roaming

Monday, September 3rd, 2018

It’s time to clear the air about Wi-Fi. Once you sort out some common misconceptions, a lot of the fogginess around Wi-Fi dissipates. Let’s look at three common Wi-Fi myths about capacity, interference and roaming.

The same laws of physics (specifically electromagnetism) that govern radio and cell phones also govern Wi-Fi. Which means that certain things about Wi-Fi behavior are predictable.

Wi-Myths about capacity: Higher capacity means an AP talks to more devices at the same time

How many devices can an AP talk to at one time? The answer is always the same: one.

So how does an AP appear to be talking to many devices concurrently? And how do Ruckus APs support greater capacity than other APs?

You know what it’s like to talk to people at a noisy party? You can’t make out what everyone is saying when they’re talking at the same time. If APs liked to party (and who’s to say they don’t?), they’d appear to be talking to everyone (everyone being devices) simultaneously. What they’re actually doing is listening or talking to each device in turn, but doing it at superhuman speed.

That’s not all there is to this super-cool party skill. The AP-device conversations are also based on assumptions that each “conversation” will be brief. A request to connect. Done. Request to download. Done. Request to upload. Done. In other words, devices aren’t talking to the AP continuously. It’s just a constant, super-fast series of interactions.

So how does a Ruckus AP achieve superior capacity? (Independent analyst testing shows Ruckus beats competitors in video QoS and data throughput.) That’s where we depart from the norm. Not the laws of physics (those still hold for everyone, thankfully). But Ruckus invests in the development of sophisticated RF software where other companies may use off-the-shelf firmware.

We optimize the processing capabilities of our APs. Our APs are, in essence, faster or more efficient (depending on how you look at it) at handling concurrent connections. We also use algorithms to factor in how much capacity is required for things like buffering streaming video.

BeamFlex+, which is our Adaptive Antenna Technology, also plays a role in capacity. The AP’s antenna, working in an omnidirectional mode, can detect a client trying to connect from, say, the edge of a room. It can then adapt the antenna to a directional mode to get a stronger signal to that device.

Wi-Myths about Interference: Add more APs to get more capacity

Here’s why it’s important to understand this law of physics—because you don’t want a Wi-Fi designer to tell you that putting two APs close to each other will necessarily increase capacity. Remember that devices have to wait their turn to talk to an AP. If two APs share the same channel, they’re going to create interference, not extra capacity. It doesn’t matter if there are two APs or two dozen: if they share the same channel, only one will transmit at any given moment. The others are just hanging out (literally).

Wi-Myths about Roaming: It’s not about APs dropping the ball (or signal)

Have you ever lost a call on your cell phone when moving between cell towers? Roaming is a wonderful feature, but usually not during that handoff period. It’s a common misconception that the APs are in charge of roaming—that they call out to devices, “Hey, disconnect from that AP and connect to me now!” That would make APs great air traffic controllers, but that’s not in their job description, or in those pesky laws of physics.

It’s actually the devices that look for connections to the closest AP. But devices don’t have the connection smarts that APs have. As a result, they can be really clumsy about disconnecting from one AP and connecting with another. Sorry devices, but those dead spots and garbled channels are on you.

Ruckus does apply a couple of proprietary AP technologies that make roaming more seamless. One of these clever techniques is SmartRoam+: as a device begins to move away (roam) from an AP, the signal weakens. The device should look for a stronger signal, right? But often a device will hold on until the signal has gotten really bad. Before it reaches that point, however, the SmartRoam+ technology will sing out to the device “Let it go!” and disconnect it from the fading AP. The client will search for—and find—a closer AP with the stronger signal.

It’s good to dispel the myths about Wi-Fi. It can help you avoid mistakes in design. It can also help you appreciate how smart design—without messing with the laws of physics—can give you better Wi-Fi.