sales@net-ctrl.com
01473 281 211

Net-Ctrl Blog

Managing multiple Unleashed networks

September 17th, 2018

In this Unleashed blog post, we’ll take a closer look at the Ruckus Unleashed Multi-Site Manager (UMM), which offers SMBs more advanced options for managing multiple Unleashed networks deployed in various geographic locations.

Unleashed Multi-Site Manager (UMM): Key Features

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or a total of 10,000 APs – is designed to provide a ‘single pane of glass’ view for managing Unleashed networks deployed across multiple locations. It provides intuitive and customizable dashboards that display near real-time insights about connected access points and clients, along with detailed geographic (map) views of network activity.

The Ruckus Unleashed Multi-Site Manager also enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a simple click of the mouse. SMBs can also create custom device groups and perform administrative tasks for/on a specific group. In addition, UMM enables users to build a database backup file with relevant site configuration data – and easily replicate the network at another site with a ‘cookie-cutter’ backup file.

Let’s take a closer look at some of our key UMM features below:

Dashboard – Provides SMBs with a near real-time view of connected APs and clients, along with the distribution of client operating systems. UMM customizable dashboards display comprehensive Google Maps views of all Unleashed networks, as well as a detailed and pinpointed list of recent events. All information is colour coded, enabling SMBs to quickly gain a holistic view of connectivity status, signal quality, client throughput data, the number of networks, as well as connected APs and clients.

Reports – Creates detailed and customizable reports about APs, WLANs, client connectivity trends, rogue APs or mesh changes within a specified date range. These can include customized graphs that display bandwidth utilization per application or per user, AP airtime utilization and APs with the most associated clients. UMM also generates service-level agreement (SLA) graphs and reports that list percentage uptime for AP groups and specific clients, backhaul uptime and client potential throughput. Additional reports include connection and association, user action audits and system logs.

Single Sign-On – Drills down into individual Unleashed networks, meaning SMBs only need to sign into Unleashed Multi-Site Manager once, without having to know the assigned credentials for each network. It should be noted that UMM also supports multi-tiered management access (role-based access control, RBAC) and SSL/TLS-protected remote access. Because a single UMM login reaches every managed network, UMM accounts should be scoped as tightly as RBAC allows and treated as the most sensitive credentials in the deployment.

Network Upgrade – Schedules an upgrade of all devices across multiple locations. Allows SMBs to conveniently create groups of devices and plan upgrades of groups.

NAT Traversal – Lets UMM reach all the Unleashed networks as a central management system even when the sites sit behind NAT. More specifically, SSH tunnels are established between UMM and the APs behind the NAT device; since NAT does not admit unsolicited inbound connections, the tunnel has to originate from the AP side, so each site needs only outbound access to UMM rather than inbound firewall rules.

Conclusion

SMBs are demanding fast, reliable and always-on connectivity for dozens or even hundreds of connected devices, yet small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be installed and up and running in five minutes or less, and anyone can manage the network from an intuitive mobile app or web browser.

For SMBs that manage multiple networks in disparate geographic locations, the Unleashed Multi-Site Manager (UMM) adds a ‘single pane of glass’ across up to 1,000 Unleashed networks or 10,000 APs: customizable dashboards with near real-time insights about connected APs and clients, map views of networks and recent activity, customized reports and alerts, and key administrative tasks such as role-based access and SSL certificate management with a click of the mouse.

Interested in learning more about Ruckus Unleashed for SMBs? You can visit the Ruckus Unleashed product page here, download our Unleashed data sheet here and access our Multi-Site Manager data sheet here.

View the original article at The Ruckus Room.

Three ways unsecured Wi-Fi can contribute to a data breach

September 17th, 2018

This blog entry connects unsecured network access to increased risk for data compromise—commonly called a data breach—in a concrete way. We’re talking specifically about BYOD and guest devices, and failure to properly secure the way in which they connect to the network. When people discuss BYOD security, often they focus only on encryption for wireless data over the air. As we will see, that’s an important element, but it’s not the whole story.

Before we get started, please note that this is far from an exhaustive list of ways that improper security measures around network access can imperil sensitive data. And although our blog title references unsecured Wi-Fi, the first two points below are also relevant to devices that access the network over a wired connection.

Lack of role-based network access for BYOD and guest users leaves the door open for data breaches

Secure network access means access on a need-to-know basis. Not every breach is the stuff of hoody-wearing cybercriminals hiding in the shadows. Many data breaches come from unintended disclosure. Well-meaning stakeholders sometimes make mistakes and disclose data improperly. The more people that have access to a given set of data, the more likely someone will make that kind of mistake. As much as we don’t like to think about it, stakeholders can also disclose sensitive data intentionally.

A sound data governance strategy requires that users should be able to access only those network resources appropriate to their role in the organization. Policy-based controls are a cornerstone of such a strategy, and if you don’t enable these controls, it leaves the door open to data compromise. If you don’t have the means to define and manage policies to restrict access, the chance of a breach is greater.

Even within the organization, when someone not authorized to view certain data does so, that’s a breach. To pick a very specific example, call center employees should not have access to the server containing an Excel file with employee payroll data. Role-based policy capability for network access is essential, and lack of differentiated network access risks data compromise.

Failure to perform a security posture check for BYOD and guest users can lead to trouble, too

Most of us would agree that BYOD programs increase employee productivity. And visitors to most environments expect easy connectivity for their devices, just as employees do—whether the location is an office, government agency worksite, public venue, school, college or most anywhere. That’s a lot of unmanaged devices accessing the network—either over wireless or via a wired connection. IT teams don’t control those devices the way they can for IT-owned devices, and if not managed properly this can also leave the door open to a data breach.

Failure to perform an up-front security posture check before BYOD and guest devices connect is a risk area as well. Malware is one of the leading causes of data breaches—for example, keyloggers that capture every character typed into the keyboard of an infected device. You don’t want malware like that spreading into your environment. If you let an employee connect their BYOD laptop without checking that anti-malware has been installed, that’s a security hole that needs to be plugged. More than that, the malware signatures for that software need to be up to date. A security posture check during network onboarding can make sure that BYOD and guest devices employ basic security measures. Bear in mind that a posture check reports what the device says about itself: it raises the hygiene baseline for honest but neglected devices rather than proving that a deliberately compromised one is clean, so it complements, and does not replace, the network-side controls discussed in this post.

Most tech-savvy users of mobile devices have a PIN enabled in their phone or tablet. But imagine what would happen if an employee connects their BYOD phone to the network, which thereby gains access to network resources housing confidential data. Suppose it’s a new phone and they don’t have a PIN enabled yet. Then someone steals the phone.

The network does not know the thief isn’t the employee, and the device can still access those same network resources. This is where lack of a security posture check leaves the door open to data compromise. A proper security posture check would have included remediation for that device—just require that employees have a PIN enabled before they can connect.
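To make the two points above concrete (role-based segmentation, and a posture check that fails closed when a device cannot show it meets the baseline), here is an added example that is not code from Ruckus or Cloudpath; it is a stand-alone policy decision written for this page. The roles, VLAN numbers, ACL names, attribute names and the seven-day signature threshold are assumptions chosen for illustration, and the sample devices are constructed.

```python
"""Added example (not Ruckus or Cloudpath code): an onboarding decision that
combines role-based network access with a device posture check.
Roles, VLANs, ACL names, attribute names and thresholds are assumed values."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed role policy: which segment each role is entitled to. No entry means no access.
ROLE_POLICY = {
    "finance":     {"vlan": 20, "acl": "allow-payroll"},
    "call-center": {"vlan": 30, "acl": "crm-only"},
    "guest":       {"vlan": 99, "acl": "internet-only"},
}

MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed threshold for anti-malware signatures
TODAY = date(2018, 9, 17)               # fixed "today" so the example is deterministic


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


@dataclass
class Device:
    user: str
    role: str
    kind: str                                     # "laptop" or "phone"
    antimalware_installed: Optional[bool] = None  # None = the device did not report it
    signature_date: Optional[date] = None
    pin_enabled: Optional[bool] = None


@dataclass
class Decision:
    allowed: bool
    vlan: Optional[int] = None
    acl: Optional[str] = None
    remediation: list = field(default_factory=list)


def posture_failures(dev: Device, today: date = TODAY) -> list:
    """List what the device must fix before it is admitted. An attribute the
    device did not report counts as a failure: a missing answer is not a pass."""
    problems = []
    if dev.kind == "laptop":
        if dev.antimalware_installed is not True:
            problems.append("install anti-malware")
        elif dev.signature_date is None or today - dev.signature_date > MAX_SIGNATURE_AGE:
            problems.append("update anti-malware signatures")
    elif dev.kind == "phone":
        if dev.pin_enabled is not True:
            problems.append("enable a screen-lock PIN")
    else:
        problems.append(f"unsupported device type: {dev.kind}")
    return problems


def decide(dev: Device, today: date = TODAY) -> Decision:
    """Role first, then posture. Only a device that passes both lands on the
    segment its role is entitled to; everything else gets a remediation list."""
    policy = ROLE_POLICY.get(dev.role)
    if policy is None:
        return Decision(False, remediation=[f"no network policy for role {dev.role!r}"])
    problems = posture_failures(dev, today)
    if problems:
        return Decision(False, remediation=problems)
    return Decision(True, vlan=policy["vlan"], acl=policy["acl"])


def can_reach_payroll(d: Decision) -> bool:
    """The payroll share is only reachable through the finance ACL."""
    return d.allowed and d.acl == "allow-payroll"


if __name__ == "__main__":
    samples = [                                   # constructed sample devices
        Device("alice", "finance", "laptop", True, days_ago(2)),
        Device("bob", "call-center", "laptop", True, days_ago(2)),
        Device("carol", "finance", "laptop", True, days_ago(30)),
        Device("dave", "finance", "phone"),       # new phone, PIN not reported
        Device("eve", "contractor", "laptop", True, days_ago(1)),
    ]
    for dev in samples:
        print(dev.user, decide(dev))
```

The call-centre laptop passes posture but still cannot reach the payroll share, the finance laptop with month-old signatures is held for remediation, and the new phone that never reported a PIN is refused rather than waved through: unknown posture is treated as failed posture.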

Unencrypted wireless data traffic is another IT security hole

This section discusses a security hole that applies only to wireless access. Unless you encrypt data traffic in transit between wireless access points and devices, prying eyes can view it using commercially available network analysis tools. (The same way anyone can spy on what you do over an open public Wi-Fi connection at the local coffee shop).

Of course, most websites use HTTPS these days. But the web page is not the only traffic a device sends: mobile applications may or may not encrypt their traffic (platform defaults have been tightening, but older apps and embedded devices still send cleartext), and even for HTTPS connections the DNS lookups and the server names in the TLS handshake are normally visible to anyone listening on an open network. The user has no way of telling which of their apps are exposed.

In an enterprise environment, you might think anyone would be crazy not to encrypt wireless traffic over the air. But MAC authentication—one of the default methods for connecting devices—does not by itself encrypt wireless data traffic: it is typically used on an open SSID and identifies a device by its MAC address, which is sent in the clear in every frame and is easy to change, so it neither encrypts nor reliably authenticates. (Read more about the security flaws in default methods for network onboarding and authentication.) It’s also not unheard of for IT to provide one or more open SSIDs in some environments—if only for guest users—especially when the organization lacks a system for secure network onboarding. Whatever the circumstances, unencrypted data traffic is a risk area.

One way to plug these (and other) network security holes

Fortunately, you can easily plug these and other security holes that result from unsecured network access mechanisms. Just deploy a system for secure onboarding and network authentication. Here at Ruckus, we believe that our own Cloudpath Enrollment System offers the industry’s best combination of ease of deployment and powerful security features. If the security risks discussed in this blog concern you, now’s a great time to explore this offering—start with our new product overview video. Then dig deeper on the product page, where you can even request a live online demo when you’re ready.

To view the original post by Vernon Shure, SR. Product Marketing Manager, Security at Ruckus Networks, click here.

Three common Wi-Fi myths about capacity, interference and roaming

September 3rd, 2018

It’s time to clear the air about Wi-Fi. Once you sort out some common misconceptions, a lot of the fogginess around Wi-Fi dissipates. Let’s look at three common Wi-Fi myths about capacity, interference and roaming.

The same laws of physics (specifically electromagnetism) that govern radio and cell phones also govern Wi-Fi. Which means that certain things about Wi-Fi behavior are predictable.

Wi-Myths about capacity: Higher capacity means an AP talks to more devices at the same time

How many devices can an AP talk to at one time? The answer is always the same: one. (Strictly, one per radio on a given channel at any instant; multi-user techniques such as MU-MIMO change how the airtime is carved up, but the medium is still shared and the turn-taking described below still applies.)

So how does an AP appear to be talking to many devices concurrently? And how do Ruckus APs support greater capacity than other APs?

You know what it’s like to talk to people at a noisy party? You can’t make out what everyone is saying when they’re talking at the same time. If APs liked to party (and who’s to say they don’t?), they’d appear to be talking to everyone (everyone being devices) simultaneously. What they’re actually doing is listening or talking to each device in turn, but doing it at superhuman speed.

That’s not all there is to this super-cool party skill. The AP-device conversations are also based on assumptions that each “conversation” will be brief. A request to connect. Done. Request to download. Done. Request to upload. Done. In other words, devices aren’t talking to the AP continuously. It’s just a constant, super-fast series of interactions.

So how does a Ruckus AP achieve superior capacity? (Independent analyst testing shows Ruckus beats competitors in video QoS and data throughput.) That’s where we depart from the norm. Not the laws of physics (those still hold for everyone, thankfully). But Ruckus invests in the development of sophisticated RF software where other companies may use off-the-shelf firmware.

We optimize the processing capabilities of our APs. Our APs are, in essence, faster or more efficient (depending on how you look at it) at handling concurrent connections. We also use algorithms to factor in how much capacity is required for things like buffering streaming video.

BeamFlex+, which is our Adaptive Antenna Technology, also plays a role in capacity. The AP’s antenna, working in an omnidirectional mode, can detect a client trying to connect from, say, the edge of a room. It can then adapt the antenna to a directional mode to get a stronger signal to that device.

Wi-Myths about Interference: Add more APs to get more capacity

Here’s why it’s important to understand this law of physics—because you don’t want a Wi-Fi designer to tell you that putting two APs close to each other will necessarily increase capacity. Remember that devices have to wait their turn to talk to an AP. If two APs share the same channel, they’re going to create interference, not extra capacity. It doesn’t matter if there are two APs or two dozen: if they share the same channel, only one will transmit at any given moment. The others are just hanging out (literally). Extra capacity comes from putting nearby APs on different, non-overlapping channels, so that each one has airtime of its own.

Wi-Myths about Roaming: It’s not about APs dropping the ball (or signal)

Have you ever lost a call on your cell phone when moving between cell towers? Roaming is a wonderful feature; it’s the handoff itself that tends to go wrong. It’s a common misconception that the APs are in charge of roaming—that they call out to devices, “Hey, disconnect from that AP and connect to me now!” That would make APs great air traffic controllers, but that’s not their job description. Or in those pesky laws of physics.

It’s actually the devices that decide which AP to connect to, normally whichever one they hear with the strongest signal. But devices don’t have the connection smarts that APs have. As a result, they can be really clumsy about disconnecting from one AP and connecting with another. Sorry devices, but those dead spots and garbled channels are on you.

Ruckus does apply a couple of proprietary AP technologies that make roaming more seamless. One of these clever techniques is SmartRoam+: as a device begins to move away (roam) from an AP, the signal weakens. The device should look for a stronger signal, right? But often a device will hold on until the signal has gotten really bad. Before it reaches that point, however, the SmartRoam+ technology will sing out to the device “Let it go!” and disconnect it from the fading AP. The client will search for—and find— a closer AP with the stronger signal.

It’s good to dispel the myths about Wi-Fi. It can help you avoid mistakes in design. It can also help you appreciate how smart design—without messing with the laws of physics—can give you better Wi-Fi.

Johnson Controls announces Net-Ctrl winner of CEM Systems Business Partner of the Year Awards 2018

August 23rd, 2018

Johnson Controls has announced the winners of the CEM Systems Business Partner of the Year Awards, EMEA, 2018. Winners were honoured at CEM Systems’ annual security conference, held 23—24 May at the Galgorm Resort & Spa, Northern Ireland. Net-Ctrl received the Business Partner of the Year Award for the UK and Ireland South region.

“Johnson Controls is very fortunate to be involved in many exciting and often iconic access control projects around the world and 2018 is no exception,” said Philip Verner, regional sales director, Building Technologies & Solutions, Johnson Controls. “Through customer endorsements and the support of our committed Approved Reseller channel, we have successfully opened up CEM Systems’ innovative access solutions to many new sectors and territories throughout Europe, Middle East and Africa (EMEA). The 2018 Business Partner of the Year Awards are not only given to our top EMEA business partners for high levels of sales, but are given in recognition for their ongoing commitment to accredited CEM Systems training, joint marketing initiatives and their tireless endeavour to go above and beyond when delivering successful customer projects within their respective regions.”

For the UK & Ireland, South region, Net-Ctrl received the Business Partner of the Year award in recognition of their success within the education sector. As a relatively new channel partner, Net-Ctrl has promoted CEM Systems products at various education events this year and has successfully won a number of prominent UK school security projects including Bradfield College.

Unleashing Wi-Fi for SMBs

August 23rd, 2018

With over 30 billion connected “things” expected by 2020, it has become quite clear that consumer-grade Wi-Fi routers are simply no longer capable of meeting the needs of small and medium businesses (SMBs). These days, even smaller businesses are demanding fast, reliable, always-on connectivity for dozens or hundreds of connected devices. However, small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments.

This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in five minutes or less. In addition, Unleashed enables anyone to manage their network from an intuitive Unleashed mobile app or website browser. Let’s take a closer look at the Ruckus Unleashed solution below, starting with our access points.

Ruckus Unleashed Access Points (APs)

Our Unleashed access points leverage a range of advanced Ruckus technologies to deliver higher speeds, optimized coverage and more reliable connections for SMBs. Examples include BeamFlex+, which helps APs provide optimal performance for every device – every time – by adaptively re-configuring antenna patterns.

In addition, ChannelFly utilizes advanced machine learning to select the least congested channels, while SmartMesh wireless meshing technology dynamically creates self-forming and self-healing mesh networks. Unleashed APs are also packed with a range of enterprise-class features that are simple for just about anyone to manage. These include WPA/WPA2 encryption and Dynamic PSK (DPSK) security, which gives each device its own pre-shared key so that one leaked or revoked key does not affect the others; guest connectivity services via a self-service portal or through social media; in-depth monitoring of network usage patterns (deep packet inspection); application-specific access rules; and network resiliency.

As we discussed above, Ruckus Unleashed access points are designed for small and midsize businesses, such as law firms, health clinics and insurance agencies. They can be deployed in small and midsize retail outlets, including stores, restaurants and coffee shops. Ruckus Unleashed APs are also the perfect choice for multi-dwelling units (MDUs) like large homes, small apartments and housing structures that require uninterrupted, pervasive coverage. In addition, Ruckus Unleashed APs can benefit smaller primary school classrooms that require higher-bandwidth and uninterrupted Wi-Fi coverage for digital learning. Ruckus Unleashed access points support single or multiple location installation options, with up to 25 APs and/or 512 concurrently connected clients per deployment.

The Ruckus Unleashed Mobile App

A Ruckus Unleashed network can be installed in under five minutes by simply configuring a single Ruckus master access point. The master AP settings are automatically replicated and subsequently pushed to all network APs via our Unleashed Zero-Touch Mesh feature. Put simply, we make installation, configuration and basic network management easy for even non-technical users with the Ruckus Unleashed mobile app for iOS and Android.

Indeed, SMBs can use the Ruckus Unleashed mobile app to monitor and manage their networks from anywhere in the world. More specifically, the mobile app enables SMBs to see how many clients and APs are connected, monitor ongoing network traffic, observe which applications are using the most data on the network, view important alerts at a glance and create rules to deny access to any website.

In addition, SMBs can quickly create a new wireless LAN or edit an existing network, run SpeedFlex to test Wi-Fi speeds, conduct basic troubleshooting using ping test or trace route, reboot APs and block misbehaving clients. The Ruckus Unleashed Mobile App, which is built around an intuitive user interface (UI), also features detailed dashboards, graphs and charts. These allow SMBs to drill down and view in-depth data, such as how much (uplink/downlink) traffic has been flowing through specific APs, for example.

Ruckus Unleashed Multi-Site Manager

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or 10,000 APs – offers SMBs more advanced options for managing multiple Unleashed networks deployed across various geographic locations. Designed to provide a ‘single pane of glass’ view with intuitive and customizable dashboards, the Ruckus Unleashed Multi-Site Manager displays near real-time insights about connected access points (APs) and clients, along with map views of networks and recent activity.

In addition, the Ruckus Unleashed Multi-Site Manager enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a click of the mouse. SMBs can also use the Multi-Site Manager to build a database backup file with relevant site configuration data, replicate the network at a different site with the ‘cookie-cutter’ backup file and quickly restore a site in case of disruption.

Conclusion

The proliferation of connected devices has made it almost impossible for consumer-grade Wi-Fi routers to continue meeting the needs of small and medium businesses. However, SMBs often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. That is why we are making Wi-Fi easy with Ruckus Unleashed.

Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in just five minutes using the Ruckus Unleashed mobile app for Android or Apple iOS.

Interested in learning more about Ruckus Unleashed for SMBs? You can visit our Unleashed product page here and download our Unleashed data sheet here.

View the original post by Ruckus Networks.

Are All Your Critical Network Management Processes Automated?

August 20th, 2018

There are several network management processes that should be performed on a regular basis to ensure the network is running optimally with minimum downtime. However, these tasks are often tedious and repetitive to perform manually so they are commonly delayed or not completed, leaving the network potentially vulnerable and in a less than optimal state.

For example:

Compliance Processes: Do all switch and access point configurations comply with the organisation’s policies? The security settings of the routers, switches and access points, and the network management settings, need to be checked on a regular basis against network policies. Are all network devices configured to send syslog to the correct repository?

Network Utilisation: Are there unused switch ports, and could connections be consolidated and perhaps some switches be re-deployed to other network locations? Or is the network getting close to full capacity and should new switches and access points be deployed to handle more traffic and users?

Network Resiliency: Does the network offer sufficient L2 and L3 redundancy? For example, are first hop redundancy protocols (like VRRP) configured and operating correctly?

Backing up configuration files: Are all the configuration files saved to non-volatile storage on the device and to backup storage?

Many network management platforms (NMS) offer tools to enable network administrators to perform these tasks interactively but having IT personnel run these tasks manually is time-consuming, error-prone and expensive. These tasks should be automated to ensure that the network is running optimally.
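As an added illustration of the compliance process listed above (this is example code written for this page, not a SmartZone or Ruckus tool), the following Python check parses a set of device configurations and reports every deviation from a stated policy: syslog destination, NTP source, default or read-write SNMP communities, and cleartext management. The configuration syntax, policy values and device names are constructed for the example; a real run would pull the configs from the NMS or from the devices themselves and feed them to the same audit function.

```python
"""Added example (not Ruckus or SmartZone code): an automated compliance check
over switch/AP configurations. Config syntax, policy values and device names
are constructed for illustration."""
import re

# Assumed organisational policy.
POLICY = {
    "syslog_host": "10.10.0.5",
    "ntp_server": "10.10.0.6",
    "forbidden_snmp_communities": {"public", "private"},
}

# Constructed configs in a simplified, ICX/Cisco-like line syntax (not real device output).
CONFIGS = {
    "sw-core-1": """
hostname sw-core-1
logging host 10.10.0.5
ntp server 10.10.0.6
snmp-server community Xk7pQ2 ro
no telnet server
ip ssh
""",
    "sw-branch-7": """
hostname sw-branch-7
logging host 192.168.1.20
snmp-server community public ro
snmp-server community private rw
telnet server
""",
}

LINE_RULES = [
    (re.compile(r"logging host (\S+)$"), "syslog_hosts"),
    (re.compile(r"ntp server (\S+)$"), "ntp_servers"),
]
SNMP_RE = re.compile(r"snmp-server community (\S+) (ro|rw)$")


def parse(config: str) -> dict:
    """Extract only the settings the policy cares about."""
    s = {"syslog_hosts": [], "ntp_servers": [], "snmp_communities": {},
         "telnet": False, "ssh": False}
    for raw in config.splitlines():
        line = raw.strip()
        for rx, key in LINE_RULES:
            m = rx.match(line)
            if m:
                s[key].append(m.group(1))
        m = SNMP_RE.match(line)
        if m:
            s["snmp_communities"][m.group(1)] = m.group(2)
        if line == "telnet server":
            s["telnet"] = True
        elif line == "no telnet server":
            s["telnet"] = False
        elif line == "ip ssh":
            s["ssh"] = True
    return s


def check(config: str, policy: dict = POLICY) -> list:
    """Return the list of policy violations for one device (empty = compliant)."""
    s = parse(config)
    findings = []
    if policy["syslog_host"] not in s["syslog_hosts"]:
        findings.append(f"syslog not sent to {policy['syslog_host']} "
                        f"(found {s['syslog_hosts'] or 'none'})")
    if policy["ntp_server"] not in s["ntp_servers"]:
        findings.append("approved NTP server missing (log timestamps will not correlate)")
    for community, mode in s["snmp_communities"].items():
        if community in policy["forbidden_snmp_communities"]:
            findings.append(f"default SNMP community {community!r} ({mode})")
        elif mode == "rw":
            findings.append(f"read-write SNMP community {community!r}")
    if s["telnet"]:
        findings.append("telnet enabled (cleartext management)")
    if not s["ssh"]:
        findings.append("ssh not enabled")
    return findings


def audit(configs: dict = CONFIGS, policy: dict = POLICY) -> dict:
    """Run the check across every device; each device maps to its findings."""
    return {name: check(cfg, policy) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print("  -", f)
```

The core switch comes back clean; the branch switch yields six findings, including syslog going to the wrong host, both default SNMP communities and telnet left on. Run on a schedule, this kind of check is what turns the "are they all still compliant?" question from a chore into a report.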

Many NMS are designed without automation in mind, so traditional network automation approaches bypass the NMS to monitor and control network devices directly through SNMP, SSH, or other standard or proprietary protocols.

Limitations of the traditional approach:

The device discovery and registration process and the intelligence provided by the NMS cannot be accessed programmatically, and the same applies to historical data aggregation and correlation.

Data polling is inefficient and resource intensive.

Compliance can suffer because company-specific compliance processes are too hard to automate.

SmartZoneOS 5 offers a comprehensive library of well-documented REST APIs that enables applications to programmatically invoke just about any network management function offered by the SmartZoneOS graphical user interface (GUI) or command line interface (CLI).

IT managers and third-party applications can automate network processes by accessing the SmartZoneOS functions from within their own management and automation platforms and issuing direct commands without creating error-prone proprietary scripts. Ruckus itself makes use of these APIs within its own products. Note that an API credential able to invoke any management function is as powerful as an administrator login: issue one per integration, grant it only the role the task needs, and keep it out of scripts checked into shared repositories.

A full set of near real-time MQTT/protocol buffer data streams enable 3rd party applications to ingest all network data, statistics, and alarms (from: client, AP, switch, WLAN, controller, cluster) with little delay, no fidelity loss, and no need to create a firewall pinhole. These data streams enable the recreation of SmartZone dashboard elements or custom dashboards for internal and external consumption. Ruckus itself makes use of this capability to enable its own network analytics and reporting software.

Each SmartZone network controller supports access to a complete set of network machine-level metrics, enabling it to plug directly into existing automated backend systems and provide a ‘headless’ interface for the network infrastructure.

View the original post by Ruckus Networks.

What Is Secure Onboarding, and Why Is It Such a Challenge?

August 20th, 2018

At Ruckus Networks, we have a lot of discussions with customers and prospective customers around secure onboarding, and we’ve come to realise that it’s a term that is not universally understood. The thing it describes certainly exists, but people don’t always use that term for it. We need to do some work to familiarise the IT world with the term in a networking context. So what exactly do we mean when we say “secure onboarding”?

Let’s Start by Defining “Onboarding”

You have probably heard the term onboarding used to refer to a human resources process that’s about getting new employees integrated into an organisation. When someone starts a new job, they fill out some paperwork (or these days, online forms), go through an orientation, get a tour of their new office building and so on. That’s not the kind of onboarding we’re talking about in the context of network infrastructure and connectivity, which might be a source of confusion.

Actually, though, it’s tangentially related because when new employees arrive, one of their first questions is likely to be “How do I connect to the Wi-Fi with my tablet?” Or their phone or their personal laptop. The same thing happens on move-in day at college campuses, where the range of devices that need to connect is often much broader. It also occurs in primary and secondary schools where students are allowed to connect with personal devices.

Precision matters here, and what we are really talking about is network onboarding. Simply stated, in a networking context, onboarding means the process by which a BYOD or guest user gains access to the network for the first time with a device (or an IT-owned device connects to the network, for that matter). Every environment is different, but users in a variety of organisations often struggle with this process. This can lead to user frustration and excess trouble tickets for the IT team.

User Expectations Are Set by Experiences with the Carrier Network and Home Wi-Fi

What creates this frustration with network onboarding? Why do organisations find this process such a challenge? It originates in the gap between user expectations and user experience. When someone activates a new mobile phone, the service desk at the carrier retail outlet plugs in a SIM and they’re good to go. It’s a set-it-and-forget-it experience.

The user experience with home Wi-Fi is also simple. Users look for the name of their Wi-Fi source and enter the password, or pre-shared key (PSK). They don’t roam between different sources of connectivity within the home, always connecting to the same home router. The device always seems to connect without problems when they return after going out. Users control their own Wi-Fi password—when it changes, and whether it changes at all. Or their roommate or spouse can easily give them a heads up when that person changes the PSK, so no big deal. Between their experience with the carrier network and home Wi-Fi, users are conditioned to expect easy connectivity without having to think much about it.

Things get much more complicated in an enterprise office environment, and in schools and colleges. But those expectations for a set-it-and-forget-it experience remain. We’ve blogged before about the user experience issues with default methods of network onboarding and authentication. Historically, organisations have often relied on default methods of network onboarding, but more and more they are adopting systems to streamline this process.

Secure Network Onboarding Plugs Wireless Security Holes

There’s one aspect of the secure onboarding challenge that we haven’t addressed yet, and that’s the security piece. Secure network access is an often-overlooked area within the IT security domain. It’s a challenge because too many IT organisations rely on the default methods for network onboarding and authentication that are built into their networking infrastructure.

The risks inherent in unsecured Wi-Fi don’t get as much attention as some other threats, but they are very real. Prying eyes can spy on unencrypted data traffic, and undifferentiated access can leave sensitive data exposed to unauthorised users. The latter is an issue even over a wired connection. Insecure devices can bring malware, ransomware and other bad things into your environment. For more detail on these and other potential security holes related to network access, please refer to our previous blog on this topic.

Network onboarding alone isn’t enough—secure network onboarding is essential to plug these security holes. Adding on to our previous definition, secure network onboarding means the process by which a BYOD or guest user securely gains access to the network for the first time with a device. And those security holes must stay plugged on subsequent connections, too.

Often there are trade-offs between user experience and security. We’d all be a lot safer if we just unplugged our computers from the internet—but no one could get any work done that way. Or users and devices would be safer if IT locked down every computer so that no new software could be installed. That’s at best impractical (for IT-owned devices) and at worst impossible (for unmanaged BYOD devices).

Secure network onboarding is that rare product category where the usual trade-offs between user experience and security do not apply. You can have your cake and eat it too—better user experience and increased security for users, devices, data and the network. If this sounds intriguing, now is a great time to consider Cloudpath Enrollment System, the Ruckus Networks offering in this corner of the security taxonomy. Our new product overview video encapsulates the value it provides in less than two and a half minutes.

View the original post by Ruckus Networks.

Gemalto Boosts Cloud Security with a Scalable Virtual Key Management Solution

August 14th, 2018

Gemalto announced a next-generation key management solution, SafeNet Virtual KeySecure, for simpler and stronger cloud security. Companies can extend their data protection policies to private and public clouds and centralize encryption and key management operations across multiple cloud environments.

SafeNet Virtual KeySecure integrates with leading cloud service providers and virtual platforms such as AWS, Microsoft Azure, Google Cloud Platform, IBM Cloud, VMware, Microsoft Hyper-V and OpenStack, to provide companies with a single key management solution spanning multiple private or public cloud environments.

As a result of the ongoing digital transformation within many organizations, data now resides across a growing number of cloud environments and web applications. Security teams are finding it ever more challenging to manage data protection policies, and solutions are often time-consuming and manual. Data protection operations can be simplified by using SafeNet Virtual KeySecure to uniformly view, control, and administer cryptographic policies and keys for sensitive data.

Companies can improve key security and simplify the audit preparation process by retaining ownership and control of encryption keys.

“Businesses need options when it comes to cloud security and shouldn’t be limited to working in just one environment. With SafeNet Virtual KeySecure, organizations are able to move more workloads to the cloud and easily monitor the access and movement of their encrypted data,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “We are seeing a lot of customers who are interested in taking advantage of the business continuity offered by cloud environments, without compromising the security of their most critical asset, data. Current KeySecure customers would also be able to benefit from this new platform and we will be sharing details of a clear migration path with them in the near future.”

SafeNet Virtual KeySecure offers customers:

  • Centralized Key Management: Centralized, efficient auditing of key management offers simplified compliance for cloud environments and consolidates key security policies across multiple, disparate encryption systems, protecting current investments.
  • Flexibility: Customers can easily deploy flexible, high-availability configurations, built on current industry standards including containers and microservices, across geographically dispersed data centers or cloud service providers.
  • Compatibility: Compatibility with the OASIS Key Management Interoperability Protocol (KMIP) standard provides support for a large and growing partner ecosystem, including the SafeNet Data Protection portfolio, which lets customers cover a broad spectrum of use cases. SafeNet Virtual KeySecure also supports key storage in on-premises hardware security modules (HSMs).

According to Sudesh Kumar, Founder and CEO of Kapalya, Californian-based start-up: “As businesses connect to more devices and cloud platforms, they need solutions that offer security without limiting their potential for innovation. With SafeNet Virtual KeySecure, we’re now able to offer the ability to protect data in a seamless and cost-effective way across endpoints, public clouds and private clouds. Businesses should no longer be held back in making full use of the cloud while retaining control of some of their most important assets.”

Reddit Breach Takeaways: MFA and Access Management

August 14th, 2018

For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection. Industry trends are taking MFA to new levels by incorporating it into Access Management Solutions. This shift is being driven by concerns around an evolving IT perimeter where traditional solutions are being exploited and organizations are falling victim to cyber-attacks.

The recent news about a breach from Reddit validates the momentum in the cybersecurity world towards access management solutions. The social media platform, considered the 5th top rated website in the U.S., shared that a few of their employees’ administrative accounts were hacked. While they did in fact have their sensitive resources protected with two-factor authentication (2FA), they were surprised to learn that SMS-based authentication was not as secure as they had hoped.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” – Reddit

 

The weakness of SMS as a second factor was already being discussed in 2016, when the public draft of NIST Special Publication 800-63B (U.S. National Institute of Standards and Technology) flagged SMS-based two-factor authentication as risky and deprecated its use as an out-of-band authenticator. We also wrote about this in August 2016 in our blog, encouraging the use of software tokens that use push authentication, such as the SafeNet MobilePASS+ token.

SAML-based Access Management mitigates risks

Since the problems with SMS were already known, why didn’t Reddit use software- or hardware-based tokens? As a general practice, they did. In a separate thread, Reddit CTO Chris Slowe said that the company, as a rule, required staff with data access to use two-factor authentication based on a time-based one-time password (TOTP). However, he added, “there are situations where we couldn’t fully enforce this on some of our providers since there are additional “SMS reset” channels that we can’t opt out of via account policy.” Had those provider logins been federated to a SAML-based access management solution, authentication would have been delegated to the identity provider, taking the providers’ own SMS reset channel out of the login path (assuming the provider allows the account to be locked to SSO only) and mitigating the risk this option carried. The fact remains that SMS-based authentication left them exposed, but how did that happen?

Chris Slowe said he knew the target’s phone had not been hacked. But compromising the handset is only one of the ways SMS authentication can be hijacked: a phone can be cloned, or an attacker can persuade the carrier to move the victim’s number onto a SIM they control (a SIM swap), or to forward the victim’s calls and texts to another number.

The intrinsic problem with SMS tokens is that delivery depends on the telephone network and its signalling protocol, SS7 (Signaling System No. 7). SS7 is used by more than 800 telecommunication operators worldwide for subscriber lookups, cross-carrier billing and roaming, to name a few functions, and it was designed for a closed network of mutually trusting operators. A number of tools and services exist that abuse SS7 access to intercept SMS messages.

How then did Reddit find themselves exposed? Given enough money and determination, cyber criminals can find ways around many of the safeguards in place today. SMS intercept only defeats the second factor; the most likely explanation for the first is that the targeted users fell victim to phishing or other social engineering attacks that yielded their passwords.
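To make the contrast between an SMS-delivered code and a token-based factor concrete, here is an added example, not code from the Gemalto post or from any SafeNet product, implementing the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that authenticator tokens use. The code is derived locally from a shared seed and the clock, so nothing travels over the carrier network. The seed `RFC_SEED` is the published RFC test seed, and the validity window, replay guard and base32 helper are this example's own choices.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) generation and verification.

Illustration written for this post, not vendor code. The seed below is the
RFC test seed (ASCII "12345678901234567890"), used so the outputs can be
checked against the RFC appendices.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SEED = b"12345678901234567890"  # RFC 4226 / RFC 6238 test seed


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1,
                algo=hashlib.sha1) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is not acceptable.

    - accepts `window` steps either side of now to tolerate clock drift;
    - compares in constant time so timing does not leak digits;
    - refuses any counter <= last_used_counter, so a code captured in transit
      cannot be replayed inside its validity window. The caller persists the
      returned counter as the new last_used_counter.
    """
    if at is None:
        at = time.time()
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the seed as (often unpadded) base32 in otpauth:// URIs."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print(hotp(RFC_SEED, 0))                                   # 755224 (RFC 4226 Appendix D)
    print(totp(RFC_SEED, at=59, digits=8))                     # 94287082 (RFC 6238 Appendix B)
    print(verify_totp(RFC_SEED, "94287082", at=89, digits=8))  # 1: previous step still accepted
    print(verify_totp(RFC_SEED, "94287082", at=89, digits=8, last_used_counter=1))  # None: replay
```

The replay guard matters as much as the window: an attacker who phishes a TOTP code still has up to a minute to use it, so a server should record the highest counter it has accepted per user and reject anything at or below it.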

Taking Identity and Access Management Solutions to New Levels

These forms of attack are ultimately what is prompting many security professionals to take their digital security practices to new levels, combining technologies to implement zero trust networks. The importance of a strong authentication solution from a trusted vendor cannot be overstated; organizations simply cannot rely on static passwords any longer.

While Reddit laments after the fact that SMS-based authentication wasn’t as strong as they thought, that is not the only lesson to be learned from their exposure. What they truly lacked was a complete solution that not only enforced multi-factor authentication but also let them implement access management controls.

Effective Identity Management Integration

Consider for a moment that Reddit had implemented an access management solution alongside their 2FA (even with the SMS tokens). A strong access management solution would let them create policies around their applications and groups of users: they could keep their chosen 2FA method while adding another layer of security in the form of context-based authentication, which could have prevented this breach from occurring.

Some examples of beneficial policies: given that Reddit’s primary offices are in the US and Ireland, an access policy could deny access from any other country. Or, for the group of administrative users who found the multi-factor token cumbersome, a policy could accept their Kerberos ticket when they are in the office and prompt for an OTP only when they work remotely, balancing user experience and security while protecting the environment from outside attackers.

(Figures in the original post: “Forbidden Workers Access Policy” and “Access Policy with Integrated Windows Authentication (Kerberos)”.)

By integrating their systems with an access management solution that supports multiple authentication methods, they could even have kept the SMS option while adding an access policy that requires a new, unique OTP each time a resource is accessed, or that requires both an OTP and the password for an extra layer of authentication. An SMS-delivered OTP remains interceptable, though, so the stronger fix is still to move the factor off SMS.
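The two policy examples above (deny outside the US and Ireland; Kerberos in the office, password plus OTP when remote, password plus OTP for everyone else) can be expressed as an ordered rule list evaluated against the context of each access attempt. The following is an added illustration written for this post, not SafeNet Trusted Access code or its policy language; the group name `admins`, the factor names and the country list are assumptions chosen to match the scenario.

```python
"""Context-based access policy evaluation (illustration, not vendor code).

Each access attempt carries a context: who, from where, over which network, to
which app, and which factors have already been verified in this transaction.
Rules are evaluated in order; the first applicable rule decides.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

# Assumption from the post's scenario: offices in the US and Ireland.
ALLOWED_COUNTRIES = frozenset({"US", "IE"})


@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: FrozenSet[str]
    country: str               # from source-IP geolocation: coarse, and evadable via proxies
    on_corp_network: bool      # e.g. source address inside the office ranges
    app: str
    presented: FrozenSet[str]  # factors already verified in this transaction


@dataclass(frozen=True)
class Decision:
    action: str                # "allow" | "deny" | "step_up"
    rule: str
    missing: FrozenSet[str] = frozenset()   # factors still required on step_up


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[AccessContext], bool]
    required: FrozenSet[str] = frozenset()  # every listed factor must have been presented
    deny: bool = False                      # hard deny regardless of factors


def evaluate(ctx: AccessContext, rules: List[Rule]) -> Decision:
    """First applicable rule wins; hard denies short-circuit; no match means deny."""
    for rule in rules:
        if not rule.applies(ctx):
            continue
        if rule.deny:
            return Decision("deny", rule.name)
        missing = rule.required - ctx.presented
        if missing:
            return Decision("step_up", rule.name, missing)
        return Decision("allow", rule.name)
    return Decision("deny", "default-deny")


def is_admin(ctx: AccessContext) -> bool:
    return "admins" in ctx.groups


# Order matters: the geographic deny sits first, so a valid (or intercepted) OTP
# presented from a forbidden country never reaches the factor checks.
POLICY: List[Rule] = [
    Rule("forbidden-countries", lambda c: c.country not in ALLOWED_COUNTRIES, deny=True),
    # Admins in the office ride their Kerberos ticket (Integrated Windows Authentication).
    Rule("admins-in-office", lambda c: is_admin(c) and c.on_corp_network,
         required=frozenset({"kerberos"})),
    # Admins anywhere else must present password plus OTP.
    Rule("admins-remote", is_admin, required=frozenset({"password", "otp"})),
    # Everyone else: password plus OTP, wherever they are.
    Rule("staff", lambda c: True, required=frozenset({"password", "otp"})),
]


def decide(ctx: AccessContext) -> Decision:
    return evaluate(ctx, POLICY)


if __name__ == "__main__":
    admin_abroad = AccessContext("alice", frozenset({"admins"}), "RU", False, "git",
                                 frozenset({"password", "otp"}))
    print(decide(admin_abroad))   # deny, forbidden-countries, even with a correct OTP
    admin_office = AccessContext("alice", frozenset({"admins"}), "US", True, "git",
                                 frozenset({"kerberos"}))
    print(decide(admin_office))   # allow, admins-in-office
```

Because `presented` covers only the current transaction, a "fresh OTP per resource" policy falls out naturally: if the OTP factor is not carried over from the previous resource, the `admins-remote` rule returns a step-up for it. Geolocation is a coarse signal that a determined attacker can route around with a proxy in an allowed country, so it belongs alongside the factor checks, not in place of them.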

Identity Access Management solutions: Access controls adds protection

With a strong access management solution they would also have logs and reporting, which would let them isolate and track exactly which users accessed which applications at a given time. If the users had been using a software token like MobilePASS+, they would have received a notification when an access attempt was made with their user ID, and could have denied the attempt or reported it immediately to the security desk.

The problem in this case wasn’t only that a weak authentication method was in use, though that certainly didn’t help: the real issue was that the organization lacked the appropriate access controls. With effective cloud access management, including multi-factor authentication, organizations can protect their employees’ identities and the applications that hold sensitive data, and prevent customers’ data from being exposed.

Want to prevent breaches and strengthen your Access Management strategy? Read about SafeNet Trusted Access here or join a Gemalto 30-minute live demo webinar.

View the original post at Gemalto.com.

How Ruckus Can Deliver More Consistent Performance

July 24th, 2018

In today’s hyper-connected world, Wi-Fi networks form a critical part of the IT infrastructure for all types of businesses and educational institutions.

Without a reliable Wi-Fi network capable of delivering good and consistent connectivity, productivity suffers. For retail businesses, this poor experience can lead to customer frustration and potential loss of revenue. Additionally, as organizations become increasingly digital-focused, reliable Wi-Fi will play an even more integral role in back-end operations.

When it comes to wireless access point (AP) deployment in real-world situations, interference, competing clients, and even building construction material all have an effect on the performance of the wireless network. The future will bring more users, more bandwidth-intensive applications, and a more diverse range of devices such as wearable tech, VR, and IoT. This will inevitably increase demand for Wi-Fi access and place additional pressure on your radio frequency (RF) environment.

Preparing for this exponential growth without exceeding your budget presents a number of challenges. You need a solution that can manage unpredictable and fluctuating Wi-Fi demands now and can easily accommodate future needs.

Better Airtime Efficiency = Greater Capacity

It’s important to note that a higher AP count does not automatically equate to greater capacity. The usable capacity of a single AP is better thought of as the amount of data its clients can successfully transmit over a period of time, and that depends on how much airtime each client consumes.

Why is client data rate important? Wi-Fi is a shared medium and only one station can transmit at a time, so a client connected at a low data rate occupies the air for longer per byte sent, and every other device must wait. If fewer devices get an opportunity to transmit in a given interval, overall capacity is reduced.

To support more clients in high-density situations, simply installing additional APs will not resolve capacity issues. That’s because there is a finite number of available channels. When channel reuse occurs, any performance improvement can be diminished due to noise, co-channel and adjacent channel interference. Network deployments with multiple APs that use overlapping channels with wider channel bandwidth have a higher probability of problematic co-channel interference.

So, not only does installing more APs drive up costs significantly, this expensive approach is unlikely to result in the better experience users expect.

Ruckus addresses this by improving airtime efficiency: each client spends less time on air for a given amount of data, so more clients get their turn in a given interval and overall throughput and availability improve. This allows a given Ruckus AP to accommodate more clients than competing vendors’ equivalent APs.

When it comes to capacity, it’s not just about the overall capacity of an AP. What’s important is ‘usable capacity’ for each client on that AP. You want each connected user to receive the required Quality of Service (QoS). A client that is connected at very slow speeds or continually times-out is not being adequately served by the network.

Ruckus’ patented BeamFlex® and ChannelFly technologies have been extensively tested in real-world deployments in which interference, noise, and physical barriers impact usable capacity.

ChannelFly is a newer approach to RF channel selection: it measures the capacity achieved on every channel over time, and its algorithms pick the channel with the best historical (average) capacity.

BeamFlex selects antenna patterns that focus RF energy away from the direction of interference, reducing the noise seen at the receiving station. This yields significant improvements in signal gain and capacity, and lets Ruckus support more devices in high-density situations while covering a larger area than competitors’ APs.

Here we delve deeper into how BeamFlex’s innovative technology is able to increase airtime efficiency for clients connecting to your wireless network.

BeamFlex® Adaptive Antenna Technology

BeamFlex technology encompasses a combination of patented software algorithms and multiple high-gain horizontally and vertically polarized antenna elements. This adaptive antenna system creates optimal antenna patterns for each device with which it communicates, resulting in significantly increased stability, performance and range.

Unlike omnidirectional antennas that radiate signals in all directions, BeamFlex technology focuses the antenna pattern on each client. Unlike fixed-position, directional antennas, BeamFlex technology dynamically configures and re-configures antenna patterns to optimize signal quality at the client. And unlike any other approaches, BeamFlex technology reconfigures the antenna pattern on a packet-by-packet basis, so it’s always being optimized for each client.

And because BeamFlex technology focuses RF energy where it’s needed, it reduces interference between APs and clients, increasing available capacity and enabling higher average throughput per client.

The net result: each AP delivers more capacity over a larger area than competing vendors’ APs, so fewer APs are needed to deliver the required capacity and coverage. That means more reliable client connectivity and an enhanced Wi-Fi experience at considerably lower cost than the alternatives.

No Client Left Behind

Increased adoption of video communications is driving worldwide growth in business IP traffic. Yet, delivering high quality video over wireless is still challenging. Video and voice are examples of applications in which latency and jitter, in addition to inadequate bandwidth, can negatively impact end-user Quality of Experience (QoE). That’s why Wi-Fi performance testing should also include tests of video-streaming capability.

Ruckus commissioned an independent third party to test the performance of a mid-range Ruckus AP against those of competitors. The tests consisted of 60 Chromebooks running video and two Mac Mini clients running data only. The number of successful simultaneous video streams supported by the AP before and after a data load was introduced was measured. The number of clients with stall-free video was recorded along with the aggregate data throughput associated with the data-only clients.

Results

The test showed that Ruckus APs delivered perfect video quality of experience in a challenging, high-density environment. Ruckus APs were able to stream high-resolution video to 60 video clients without a single stalled video while simultaneously supporting 150Mbps data throughput associated with the data clients.

Most vendor APs couldn’t deliver stall-free video to all sixty clients, even with no other traffic on the network. And no vendor except Ruckus could deliver stall-free video to sixty clients while under simultaneous data loading. These results demonstrate that Ruckus can deliver on its capacity promise.

The ever-growing number of users and devices dictates that demand for Wi-Fi bandwidth will continue its remarkable growth trajectory. But that doesn’t automatically mean that IT departments will get more budget to meet the demand. Organizations can use fewer Ruckus APs to support a given number of clients, yielding a more cost-efficient infrastructure.

Conclusion

Wi-Fi usage will continue to grow and demand for an accessible, reliable and fast network will continue to be a priority. It makes sound economic sense to choose high performance, high density-capable APs that lower your total cost of ownership, now and in the long-term.

Ruckus APs have been proven to support 30-50% more clients and to provide up to 30% better coverage than competitors’ products – without a performance penalty. More usable capacity per AP saves on capital outlay for additional APs, associated subscription fees, installation costs and other related overhead.

Patented RF technologies combat the signal degradation, noise and interference that disrupt service and make users unhappy. The result is fast and reliable Wi-Fi for everyone without the need to overprovision APs. With Ruckus, you also have the flexibility of being able to migrate from one management architecture—virtual controller, appliance-based controller, controller-less, or cloud—to another (or a hybrid deployment) without throwing away your AP investment.

If you would like to find out more about Ruckus and what they can bring to your organisation, call Net-Ctrl on 01473 281 211, or complete our Contact Form.

Managing multiple Unleashed networks

September 17th, 2018

Single Sign-On – Drills down into individual Unleashed networks, meaning SMBs sign in to Unleashed Multi-Site Manager once and need not know the credentials assigned to each network. UMM also supports multi-tiered management access (role-based access control) and SSL-secured remote access.

Network Upgrade – Schedules upgrades of all devices across multiple locations. SMBs can group devices and plan upgrades per group.

NAT Traversal – Lets UMM act as the central management system for Unleashed networks that sit behind NAT: SSH tunnels are established between UMM and the APs behind the NAT device.

Conclusion

SMBs demand fast, reliable and always-on connectivity for dozens or even hundreds of connected devices, yet small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be installed and up and running in five minutes or less. Unleashed also lets anyone manage their network from an intuitive mobile app or web browser, while the Unleashed Multi-Site Manager (UMM) supports up to 1,000 Unleashed networks or 10,000 APs for SMBs that manage networks in disparate geographic locations.

In short, UMM provides a ‘single pane of glass’ for Unleashed networks deployed across multiple locations: customizable dashboards with near real-time insight into connected APs and clients, map views of networks and recent activity, customized reports and alerts, and key administrative tasks such as creating role-based access and managing SSL certificates with a click of the mouse.

Interested in learning more about Ruckus Unleashed for SMBs? You can visit the Ruckus Unleashed product page here, download our Unleashed data sheet here and access our Multi-Site Manager data sheet here.

View the original article at The Ruckus Room.

Three ways unsecured Wi-Fi can contribute to a data breach

September 17th, 2018

This blog entry connects unsecured network access to increased risk for data compromise—commonly called a data breach—in a concrete way. We’re talking specifically about BYOD and guest devices, and failure to properly secure the way in which they connect to the network. When people discuss BYOD security, often they focus only on encryption for wireless data over the air. As we will see, that’s an important element, but it’s not the whole story.

Before we get started, please note that this is far from an exhaustive list of ways that improper security measures around network access can imperil sensitive data. And although our blog title references unsecured Wi-Fi, the first two points below are also relevant to devices that access the network over a wired connection.

Lack of role-based network access for BYOD and guest users leaves the door open for data breaches

Secure network access means access on a need-to-know basis. Not every breach is the work of hoodie-wearing cybercriminals hiding in the shadows. Many data breaches come from unintended disclosure: well-meaning stakeholders sometimes make mistakes and disclose data improperly, and the more people who have access to a given set of data, the more likely someone will make that kind of mistake. As much as we don’t like to think about it, stakeholders can also disclose sensitive data intentionally.

A sound data governance strategy requires that users should be able to access only those network resources appropriate to their role in the organization. Policy-based controls are a cornerstone of such a strategy, and if you don’t enable these controls, it leaves the door open to data compromise. If you don’t have the means to define and manage policies to restrict access, the chance of a breach is greater.

Even within the organization, when someone not authorized to view certain data does so, that’s a breach. To pick a very specific example, call center employees should not have access to the server containing an Excel file with employee payroll data. Role-based policy capability for network access is essential, and lack of differentiated network access risks data compromise.

Failure to perform a security posture check for BYOD and guest users can lead to trouble, too

Most of us would agree that BYOD programs increase employee productivity. And visitors to most environments expect easy connectivity for their devices, just as employees do—whether the location is an office, government agency worksite, public venue, school, college or most anywhere. That’s a lot of unmanaged devices accessing the network—either over wireless or via a wired connection. IT teams don’t control those devices the way they can for IT-owned devices, and if not managed properly this can also leave the door open to a data breach.

Failure to perform an up-front security posture check before BYOD and guest devices connect is a risk area as well. Malware is one of the leading causes of data breaches—for example, keyloggers that capture every character typed into the keyboard of an infected device. You don’t want malware like that spreading into your environment. If you let an employee connect their BYOD laptop without checking that anti-malware has been installed, that’s a security hole that needs to be plugged. More than that, the malware signatures for that software need to be up to date. A security posture check during network onboarding can make sure that BYOD and guest devices employ basic security measures.

Most tech-savvy users of mobile devices have a PIN enabled on their phone or tablet. But imagine an employee connecting a BYOD phone that thereby gains access to network resources housing confidential data. Suppose it’s a new phone on which they haven’t enabled a PIN yet. Then someone steals the phone.

The network does not know the thief isn’t the employee, and the device can still access those same network resources. This is where lack of a security posture check leaves the door open to data compromise. A proper security posture check would have included remediation for that device—just require that employees have a PIN enabled before they can connect.
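The two controls discussed so far, role-based network access and an onboarding posture check with remediation, fit together as one authorization step: the device is admitted only if it passes the checks, and what it is then allowed to reach is determined by the user's role rather than by the fact of being connected. The following is an added illustration written for this post, not Cloudpath code; the role table, VLAN numbers, the 10.20.30.0/24 "payroll" network, the signature-age threshold and the remediation wording are all assumptions constructed for the example.

```python
"""Onboarding posture check plus role-based network authorization.

Illustration for this post, not Cloudpath or any vendor's code. A real NAC
would return the result as RADIUS attributes (VLAN via Tunnel-Private-Group-ID,
a named filter via Filter-Id); here it is a plain Python value.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SIGNATURE_AGE_DAYS = 7   # assumption: how stale anti-malware signatures may be


@dataclass(frozen=True)
class Device:
    owner: str
    kind: str                                # "laptop" | "desktop" | "phone" | "tablet"
    screen_lock: bool                        # PIN / passcode enabled
    antimalware_installed: bool = False
    signature_age_days: Optional[int] = None


@dataclass(frozen=True)
class NetworkRole:
    vlan: int
    allow: Tuple[str, ...]                   # destination prefixes this role may reach
    deny: Tuple[str, ...] = ()               # prefixes explicitly withheld (checked first)


# Constructed role table. The call-centre role is carved out of the payroll network,
# the guest role gets internet only (all RFC 1918 space withheld).
PAYROLL_NET = "10.20.30.0/24"
ROLES: Dict[str, NetworkRole] = {
    "hr":          NetworkRole(vlan=10, allow=("10.0.0.0/8",)),
    "call_center": NetworkRole(vlan=20, allow=("10.0.0.0/8",), deny=(PAYROLL_NET,)),
    "guest":       NetworkRole(vlan=30, allow=("0.0.0.0/0",),
                               deny=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
}


def posture_failures(d: Device) -> List[str]:
    """Return one remediation instruction per failed check (empty list means compliant)."""
    failures: List[str] = []
    if not d.screen_lock:
        failures.append("Enable a PIN or screen lock before connecting.")
    if d.kind in ("laptop", "desktop"):
        if not d.antimalware_installed:
            failures.append("Install anti-malware software.")
        elif d.signature_age_days is None or d.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
            failures.append(
                f"Update anti-malware signatures (must be at most {MAX_SIGNATURE_AGE_DAYS} days old).")
    return failures


def authorize(d: Device, role: str) -> Tuple[str, object]:
    """('accept', {'role':..,'vlan':..}) when compliant, else ('reject', [remediation, ...])."""
    failures = posture_failures(d)
    if failures:
        return "reject", failures
    if role not in ROLES:
        return "reject", ["Unknown role; no network access granted."]
    return "accept", {"role": role, "vlan": ROLES[role].vlan}


def is_permitted(role: str, dst_ip: str) -> bool:
    """Deny list wins over allow list; a destination matching neither is denied."""
    r = ROLES[role]
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in ipaddress.ip_network(n) for n in r.deny):
        return False
    return any(ip in ipaddress.ip_network(n) for n in r.allow)


if __name__ == "__main__":
    # Constructed sample devices.
    laptop = Device("bob", "laptop", screen_lock=True, antimalware_installed=True, signature_age_days=2)
    new_phone = Device("carol", "phone", screen_lock=False)
    print(authorize(laptop, "call_center"))        # ('accept', {'role': 'call_center', 'vlan': 20})
    print(authorize(new_phone, "hr"))              # ('reject', ['Enable a PIN or screen lock ...'])
    print(is_permitted("call_center", "10.20.30.5"))  # False: payroll server withheld from this role
    print(is_permitted("hr", "10.20.30.5"))           # True
```

The posture check is a point-in-time self-report from the device, so it raises the bar against careless connections rather than against a hostile one; the role-based reachability rules are what limit the damage if a compliant-looking device turns out to be in the wrong hands.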

Unencrypted wireless data traffic is another IT security hole

This section discusses a security hole that applies only to wireless access. Unless you encrypt data traffic in transit between wireless access points and devices, prying eyes can view it using commercially available network analysis tools. (The same way anyone can spy on what you do over an open public Wi-Fi connection at the local coffee shop).

Of course, many websites are themselves encrypted these days. But often not all page components are encrypted, and users have no way of knowing which components those are. Mobile applications may or may not encrypt their data traffic. App developers have an incentive not to encrypt data traffic, because encryption imposes overhead on the back-end systems that support their apps.

In an enterprise environment, you might think anyone would be crazy not to encrypt wireless traffic over the air. But MAC authentication on an otherwise open SSID, one of the default methods for connecting devices, provides no over-the-air encryption at all: the AP merely checks the client’s MAC address, which is trivially spoofed. (Read more about the security flaws in default methods for network onboarding and authentication.) It’s also not unheard of for IT to provide one or more open SSIDs in some environments, if only for guest users, especially when the organization lacks a system for secure network onboarding. Whatever the circumstances, unencrypted data traffic is a risk area.

One way to plug these (and other) network security holes

Fortunately, you can easily plug these and other security holes that result from unsecured network access mechanisms. Just deploy a system for secure onboarding and network authentication. Here at Ruckus, we believe that our own Cloudpath Enrollment System offers the industry’s best combination of ease of deployment and powerful security features. If the security risks discussed in this blog concern you, now’s a great time to explore this offering—start with our new product overview video. Then dig deeper on the product page, where you can even request a live online demo when you’re ready.

To view the original post by Vernon Shure, SR. Product Marketing Manager, Security at Ruckus Networks, click here.

Three common Wi-Fi myths about capacity, interference and roaming

September 3rd, 2018

It’s time to clear the air about Wi-Fi. Once you sort out some common misconceptions, a lot of the fogginess around Wi-Fi dissipates. Let’s look at three common Wi-Fi myths about capacity, interference and roaming.

The same laws of physics (specifically electromagnetism) that govern radio and cell phones also govern Wi-Fi. Which means that certain things about Wi-Fi behavior are predictable.

Wi-Myths about capacity: Higher capacity means an AP talks to more devices at the same time

How many devices can an AP talk to at one time? The answer is always the same: one.

So how does an AP appear to be talking to many devices concurrently? And how do Ruckus APs support greater capacity than other APs?

You know what it’s like to talk to people at a noisy party? You can’t make out what everyone is saying when they’re talking at the same time. If APs liked to party (and who’s to say they don’t?), they’d appear to be talking to everyone (everyone being devices) simultaneously. What they’re actually doing is listening or talking to each device in turn, but doing it at superhuman speed.

That’s not all there is to this super-cool party skill. The AP-device conversations are also based on assumptions that each “conversation” will be brief. A request to connect. Done. Request to download. Done. Request to upload. Done. In other words, devices aren’t talking to the AP continuously. It’s just a constant, super-fast series of interactions.

So how does a Ruckus AP achieve superior capacity? (Independent analyst testing shows Ruckus beats competitors in video QoS and data throughput.) That’s where we depart from the norm. Not the laws of physics (those still hold for everyone, thankfully). But Ruckus invests in the development of sophisticated RF software where other companies may use off-the-shelf firmware.

We optimize the processing capabilities of our APs. Our APs are, in essence, faster or more efficient (depending on how you look at it) at handling concurrent connections. We also use algorithms to factor in how much capacity is required for things like buffering streaming video.

BeamFlex+, which is our Adaptive Antenna Technology, also plays a role in capacity. The AP’s antenna, working in an omnidirectional mode, can detect a client trying to connect from, say, the edge of a room. It can then adapt the antenna to a directional mode to get a stronger signal to that device.

Wi-Myths about Interference: Add more APs to get more capacity

Here’s why it’s important to understand this law of physics—because you don’t want a Wi-Fi designer to tell you that putting two APs close to each other will necessarily increase capacity. Remember that devices have to wait their turn to talk to an AP. If two APs share the same channel, they’re going to create interference, not extra capacity. It doesn’t matter if there are two APs or two dozen: if they share the same channel, only one will transmit at any given moment. The others are just hanging out (literally).

Wi-Myths about Roaming: It’s not about APs dropping the ball (or signal)

Have you ever lost a call on your cell phone when moving between cell towers? Roaming is a wonderful feature, but usually not during that handoff period. It’s a common misconception that the APs are in charge of roaming—that they call out to devices, “Hey, disconnect from that AP and connect to me now!” That would make APs great air traffic controllers, but that’s not their job description. Or in those pesky laws of physics.

It’s actually the devices that look for connections to the closest AP. But devices don’t have the connection smarts that APs have. As a result, they can be really clumsy about disconnecting from one AP and connecting with another. Sorry devices, but those dead spots and garbled channels are on you.

Ruckus does apply a couple of proprietary AP technologies that make roaming more seamless. One of these clever techniques is SmartRoam+: as a device begins to move away (roam) from an AP, the signal weakens. The device should look for a stronger signal, right? But often a device will hold on until the signal has gotten really bad. Before it reaches that point, however, the SmartRoam+ technology will sing out to the device “Let it go!” and disconnect it from the fading AP. The client will search for—and find—a closer AP with the stronger signal.

It’s good to dispel the myths about Wi-Fi. It can help you avoid mistakes in design. It can also help you appreciate how smart design—without messing with the laws of physics—can give you better Wi-Fi.

Johnson Controls announces Net-Ctrl winner of CEM Systems Business Partner of the Year Awards 2018

August 23rd, 2018

Johnson Controls has announced the winners of the CEM Systems Business Partner of the Year Awards, EMEA, 2018. Winners were honoured at CEM Systems’ annual security conference, held 23–24 May at the Galgorm Resort & Spa, Northern Ireland. Net-Ctrl received the Business Partner of the Year Award for the UK and Ireland South region.

“Johnson Controls is very fortunate to be involved in many exciting and often iconic access control projects around the world and 2018 is no exception,” said Philip Verner, regional sales director, Building Technologies & Solutions, Johnson Controls. “Through customer endorsements and the support of our committed Approved Reseller channel, we have successfully opened up CEM Systems’ innovative access solutions to many new sectors and territories throughout Europe, Middle East and Africa (EMEA). The 2018 Business Partner of the Year Awards are not only given to our top EMEA business partners for high levels of sales, but are given in recognition for their ongoing commitment to accredited CEM Systems training, joint marketing initiatives and their tireless endeavour to go above and beyond when delivering successful customer projects within their respective regions.”

For the UK & Ireland, South region, Net-Ctrl received the Business Partner of the Year award in recognition of their success within the education sector. As a relatively new channel partner, Net-Ctrl has promoted CEM Systems products at various education events this year and has successfully won a number of prominent UK school security projects including Bradfield College.

Unleashing Wi-Fi for SMBs

August 23rd, 2018

With over 30 billion connected “things” expected by 2020, it has become quite clear that consumer-grade Wi-Fi routers are simply no longer capable of meeting the needs of small and medium businesses (SMBs). These days, even smaller businesses are demanding fast, reliable, always-on connectivity for dozens or hundreds of connected devices. However, small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments.

This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in five minutes or less. In addition, Unleashed enables anyone to manage their network from an intuitive Unleashed mobile app or website browser. Let’s take a closer look at the Ruckus Unleashed solution below, starting with our access points.

Ruckus Unleashed Access Points (APs)

Our Unleashed access points leverage a range of advanced Ruckus technologies to deliver higher speeds, optimized coverage and more reliable connections for SMBs. Examples include BeamFlex+, which helps APs provide optimal performance for every device – every time – by adaptively re-configuring antenna patterns.

In addition, ChannelFly utilizes advanced machine learning to select the least congested channels, while SmartMesh wireless meshing technology dynamically creates self-forming and self-healing mesh networks. Unleashed APs are also packed with a range of enterprise-class features that are simple for just about anyone to manage. These include WPA encryption and DPSK security, guest connectivity services via a self-service portal or through social media, in-depth monitoring of network usage patterns (deep packet inspection), application-specific access rules and network resiliency.

As we discussed above, Ruckus Unleashed access points are designed for small and midsize businesses, such as law firms, health clinics and insurance agencies. They can be deployed in small and midsize retail outlets, including stores, restaurants and coffee shops. Ruckus Unleashed APs are also the perfect choice for multi-dwelling units (MDUs) like large homes, small apartments and housing structures that require uninterrupted, pervasive coverage. In addition, Ruckus Unleashed APs can benefit smaller primary school classrooms that require higher-bandwidth and uninterrupted Wi-Fi coverage for digital learning. Ruckus Unleashed access points support single or multiple location installation options, with up to 25 APs and/or 512 concurrently connected clients per deployment.

The Ruckus Unleashed Mobile App

A Ruckus Unleashed network can be installed in under five minutes by simply configuring a single Ruckus master access point. The master AP settings are automatically replicated and subsequently pushed to all network APs via our Unleashed Zero-Touch Mesh feature. Put simply, we make installation, configuration and basic network management easy for even non-technical users with the Ruckus Unleashed mobile app for iOS and Android.

Indeed, SMBs can use the Ruckus Unleashed mobile app to monitor and manage their networks from anywhere in the world. More specifically, the mobile app enables SMBs to see how many clients and APs are connected, monitor ongoing network traffic, observe which applications are using the most data on the network, view important alerts at a glance and create rules to deny access to any website.

In addition, SMBs can quickly create a new wireless LAN or edit an existing network, run SpeedFlex to test Wi-Fi speeds, conduct basic troubleshooting using ping or traceroute, reboot APs and block misbehaving clients. The Ruckus Unleashed Mobile App, which is built around an intuitive user interface (UI), also features detailed dashboards, graphs and charts. These allow SMBs to drill down and view in-depth data, such as how much (uplink/downlink) traffic has been flowing through specific APs.

Ruckus Unleashed Multi-Site Manager

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or 10,000 APs – offers SMBs more advanced options for managing multiple Unleashed networks deployed across various geographic locations. Designed to provide a ‘single pane of glass’ view with intuitive and customizable dashboards, the Ruckus Unleashed Multi-Site Manager displays near real-time insights about connected access points (APs) and clients, along with map views of networks and recent activity.

In addition, the Ruckus Unleashed Multi-Site Manager enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a click of the mouse. SMBs can also use the Multi-Site Manager to build a database backup file with relevant site configuration data, replicate the network at a different site with the ‘cookie-cutter’ backup file and quickly restore a site in case of disruption.

Conclusion

The proliferation of connected devices has made it almost impossible for consumer-grade Wi-Fi routers to continue meeting the needs of small and medium businesses. However, SMBs often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. That is why we are making Wi-Fi easy with Ruckus Unleashed.

Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in just five minutes using the Ruckus Unleashed mobile app for Android or Apple iOS.

Interested in learning more about Ruckus Unleashed for SMBs? You can visit our Unleashed product page here or download our Unleashed data sheet here.

View the original post by Ruckus Networks.

Are All Your Critical Network Management Processes Automated?

August 20th, 2018

There are several network management processes that should be performed on a regular basis to ensure the network is running optimally with minimum downtime. However, these tasks are often tedious and repetitive to perform manually so they are commonly delayed or not completed, leaving the network potentially vulnerable and in a less than optimal state.

For example:

Compliance Processes: Do all switch and access point configurations comply with the organisation’s policies? The security settings of the routers, switches and access points, and the network management settings, need to be checked on a regular basis against network policies. Are all network devices configured to send syslog to the correct repository?

Network Utilisation: Are there unused switch ports, and could connections be consolidated and perhaps some switches be re-deployed to other network locations? Or is the network getting close to full capacity and should new switches and access points be deployed to handle more traffic and users?

Network Resiliency: Does the network offer sufficient L2 and L3 redundancy? For example, are first hop redundancy protocols (like VRRP) configured and operating correctly?

Backing up configuration files: Are all the configuration files saved to non-volatile storage on the device and to backup storage?
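The unencrypted-SSID risk raised in the earlier post (open and MAC-authenticated WLANs carry no over-the-air encryption) and the compliance, utilisation and backup questions listed above are all checks that can be scripted rather than eyeballed. What follows is an added Python example, not Ruckus or Net-Ctrl code: the device inventory, field names and policy values (syslog repository address, the one guest SSID allowed to be open, port-utilisation watermarks) are constructed assumptions, and a real run would populate the records from the NMS or the device APIs instead of the inline sample.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy values are constructed for this example (hypothetical, not vendor defaults)
POLICY = {
    "syslog_server": "10.0.0.50",            # the one repository every device must log to
    "encrypted_modes": {"wpa2-psk", "wpa2-enterprise", "wpa3"},
    "open_ssid_allowlist": {"Guest"},        # open/MAC-auth SSIDs tolerated only under this name
    "port_high_watermark": 0.90,             # at or above: plan additional switches
    "port_low_watermark": 0.25,              # at or below: consolidation / redeployment candidate
}


@dataclass
class Wlan:
    ssid: str
    security: str            # "open", "mac-auth", "wpa2-psk", "wpa2-enterprise" or "wpa3"


@dataclass
class Device:
    name: str
    kind: str                # "switch" or "ap"
    syslog_server: Optional[str]
    config_saved: bool = True          # running config written to non-volatile storage
    ports_total: int = 0
    ports_in_use: int = 0
    wlans: List[Wlan] = field(default_factory=list)


Finding = Tuple[str, str, str]       # (severity, device name, message)


def audit_device(dev: Device, policy: dict = POLICY) -> List[Finding]:
    """Run every policy check against one device record and return its findings."""
    findings: List[Finding] = []

    # Compliance: syslog must go to the repository named in the policy
    if dev.syslog_server != policy["syslog_server"]:
        findings.append(("high", dev.name,
                         f"syslog destination {dev.syslog_server!r}, expected {policy['syslog_server']!r}"))

    # Backup: an unsaved running config is lost on the next reboot
    if not dev.config_saved:
        findings.append(("medium", dev.name, "running config not saved to non-volatile storage"))

    # Wireless: open and MAC-authenticated WLANs carry no over-the-air encryption
    for w in dev.wlans:
        if w.security in ("open", "mac-auth"):
            severity = "low" if w.ssid in policy["open_ssid_allowlist"] else "high"
            findings.append((severity, dev.name, f"WLAN {w.ssid!r} ({w.security}) is unencrypted"))
        elif w.security not in policy["encrypted_modes"]:
            findings.append(("medium", dev.name, f"WLAN {w.ssid!r} uses unknown mode {w.security!r}"))

    # Utilisation: flag switches that are nearly full or mostly empty
    if dev.kind == "switch" and dev.ports_total:
        util = dev.ports_in_use / dev.ports_total
        if util >= policy["port_high_watermark"]:
            findings.append(("info", dev.name, f"port utilisation {util:.0%}: near capacity"))
        elif util <= policy["port_low_watermark"]:
            findings.append(("info", dev.name, f"port utilisation {util:.0%}: consolidation candidate"))
    return findings


def audit_inventory(devices: List[Device]) -> List[Finding]:
    return [f for dev in devices for f in audit_device(dev)]


# Constructed sample inventory (names and addresses are made up)
SAMPLE_INVENTORY = [
    Device("sw-core-1", "switch", "10.0.0.50", ports_total=48, ports_in_use=46),
    Device("sw-edge-3", "switch", "10.0.0.51", config_saved=False, ports_total=24, ports_in_use=4),
    Device("ap-lobby", "ap", "10.0.0.50",
           wlans=[Wlan("Corp", "wpa2-enterprise"), Wlan("Guest", "open")]),
    Device("ap-lab", "ap", None, wlans=[Wlan("Printers", "mac-auth")]),
]

if __name__ == "__main__":
    for severity, name, message in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{severity:6}] {name}: {message}")
```

Severity is deliberate: a guest SSID that policy allows to be open is still reported (as "low") so the exposure stays visible in the report, while a MAC-authenticated SSID outside the allowlist is "high" because MAC authentication alone gives no confidentiality for the traffic it admits.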

Many network management systems (NMS) offer tools that let network administrators perform these tasks interactively, but having IT personnel run them manually is time-consuming, error-prone and expensive. These tasks should be automated to ensure that the network is running optimally.

Many NMS are designed without automation in mind, so traditional network automation approaches bypass the NMS and monitor and control network devices directly through SNMP, SSH or other standard or proprietary protocols.

Limitations of the traditional approach:

  • The device discovery and registration process and the intelligence provided by the NMS cannot be accessed programmatically.
  • The same applies to historical data aggregation and correlation.
  • Data polling is inefficient and resource-intensive.
  • Compliance can suffer because company-specific compliance processes are too hard to automate.

SmartZoneOS 5 offers a comprehensive library of well-documented REST APIs that enable any application to programmatically invoke just about any network management function offered by the SmartZoneOS graphical user interface (GUI) or command line interface (CLI).

IT managers and third-party applications can automate network processes by accessing the SmartZoneOS functions from within their own management and automation platforms and issue direct commands without creating error-prone proprietary scripts. Ruckus itself makes use of these APIs within its own products.

A full set of near real-time MQTT/protocol buffer data streams enables third-party applications to ingest all network data, statistics and alarms (client, AP, switch, WLAN, controller and cluster) with little delay, no fidelity loss and no need to open a firewall pinhole. These data streams enable the recreation of SmartZone dashboard elements, or custom dashboards, for internal and external consumption. Ruckus itself uses this capability for its own network analytics and reporting software.

Each SmartZone network controller supports access to a complete set of network machine-level metrics, enabling it to plug directly into existing automated backend systems and provide a ‘headless’ interface for the network infrastructure.

View the original post by Ruckus Networks.

What Is Secure Onboarding, and Why Is It Such a Challenge?

August 20th, 2018

At Ruckus Networks, we have a lot of discussions with customers and prospective customers around secure onboarding. We’ve come to realise that it’s a term that is not universally understood. The thing that it describes is a thing, but people don’t always use that term to describe it. We need to do some work to familiarise the IT world with the term in a networking context. So what exactly do we mean when we say “secure onboarding”?

Let’s Start by Defining “Onboarding”

You have probably heard the term onboarding used to refer to a human resources process that’s about getting new employees integrated into an organisation. When someone starts a new job, they fill out some paperwork (or these days, online forms), go through an orientation, get a tour of their new office building and so on. That’s not the kind of onboarding we’re talking about in the context of network infrastructure and connectivity, which might be a source of confusion.

Actually, though, it’s tangentially related because when new employees arrive, one of their first questions is likely to be “How do I connect to the Wi-Fi with my tablet?” Or their phone or their personal laptop. The same thing happens on move-in day at college campuses, where the range of devices that need to connect is often much broader. It also occurs in primary and secondary schools where students are allowed to connect with personal devices.

Precision matters here, and what we are really talking about is network onboarding. Simply stated, in a networking context, onboarding means the process by which a BYOD or guest user gains access to the network for the first time with a device (or an IT-owned device connects to the network, for that matter). Every environment is different, but users in a variety of organisations often struggle with this process. This can lead to user frustration and excess trouble tickets for the IT team.

User Expectations Are Set by Experiences with the Carrier Network and Home Wi-Fi

What creates this frustration with network onboarding? Why do organisations find this process such a challenge? It originates in the gap between user expectations and user experience. When someone activates a new mobile phone, the service desk at the carrier retail outlet plugs in a SIM and they’re good to go. It’s a set-it-and-forget-it experience.

Users’ experience with their home Wi-Fi network is also simple. They look for the name of their Wi-Fi source and enter the password, or pre-shared key (PSK). They don’t roam between different sources of connectivity within the home, always connecting to the same home router. The device always seems to connect without problems when they return after going out. Users control their own Wi-Fi password: when it changes, and whether it changes at all. Or their roommate or spouse can easily give them a heads-up when that person changes the PSK, so no big deal. Between their experience with the carrier network and home Wi-Fi, users are conditioned to expect easy connectivity without having to think much about it.

Things get much more complicated in an enterprise office environment, and in schools and colleges. But those expectations for a set-it-and-forget-it experience remain. We’ve blogged before about the user experience issues with default methods of network onboarding and authentication. Historically, organisations have often relied on default methods of network onboarding, but more and more they are adopting systems to streamline this process.

Secure Network Onboarding Plugs Wireless Security Holes

There’s one aspect of the secure onboarding challenge that we haven’t addressed yet, and that’s the security piece. Secure network access is an often-overlooked area within the IT security domain. It’s a challenge because too many IT organisations rely on the default methods for network onboarding and authentication that are built into their networking infrastructure.

The risks inherent in unsecured Wi-Fi don’t get as much attention as some other threats, but they are very real. Prying eyes can spy on unencrypted data traffic, and undifferentiated access can leave sensitive data exposed to unauthorised users. The latter is an issue even over a wired connection. Insecure devices can bring malware, ransomware and other bad things into your environment. For more detail on these and other potential security holes related to network access, please refer to our previous blog on this topic.

Network onboarding alone isn’t enough—secure network onboarding is essential to plug these security holes. Adding to our previous definition, secure network onboarding means the process by which a BYOD or guest user securely gains access to the network for the first time with a device. And those security holes must stay plugged on subsequent connections, too.

Often there are trade-offs between user experience and security. We’d all be a lot safer if we just unplugged our computers from the internet—but no one could get any work done that way. Or users and devices would be safer if IT locked down every computer so that no new software could be installed. That’s at best impractical (for IT-owned devices) and at worst impossible (for unmanaged BYOD devices).

Secure network onboarding is that rare product category where the usual trade-offs between user experience and security do not apply. You can have your cake and eat it too—better user experience and increased security for users, devices, data and the network. If this sounds intriguing, now is a great time to consider Cloudpath Enrollment System, the Ruckus Networks offering in this corner of the security taxonomy. Our new product overview video encapsulates the value it provides in less than two and a half minutes.

View the original post by Ruckus Networks.

Gemalto Boosts Cloud Security with a Scalable Virtual Key Management Solution

August 14th, 2018

Gemalto announced a next-generation key management solution, SafeNet Virtual KeySecure, for simpler and stronger cloud security. Companies can extend their data protection policies to private and public clouds and centralize encryption and key management operations across multiple cloud environments.

SafeNet Virtual KeySecure integrates with leading cloud service providers and virtual platforms such as AWS, Microsoft Azure, Google Cloud Platform, IBM Cloud, VMware, Microsoft Hyper-V and OpenStack, to provide companies with a single key management solution spanning multiple private or public cloud environments.

As a result of the ongoing digital transformation within many organizations, data now resides across a growing number of cloud environments and web applications. Security teams are finding it ever more challenging to manage data protection policies, and solutions are often time-consuming and manual. Data protection operations can be simplified by using SafeNet Virtual KeySecure to uniformly view, control, and administer cryptographic policies and keys for sensitive data.

Companies can improve key security and simplify the audit preparation process by retaining ownership and control of encryption keys.

“Businesses need options when it comes to cloud security and shouldn’t be limited to working in just one environment. With SafeNet Virtual KeySecure, organizations are able to move more workloads to the cloud and easily monitor the access and movement of their encrypted data,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “We are seeing a lot of customers who are interested in taking advantage of the business continuity offered by cloud environments, without compromising the security of their most critical asset, data. Current KeySecure customers would also be able to benefit from this new platform and we will be sharing details of a clear migration path with them in the near future.”

SafeNet Virtual KeySecure offers customers:

  • Centralized Key Management: Centralized, efficient auditing of key management offers simplified compliance for cloud environments and consolidates key security policies across multiple, disparate encryption systems, protecting current investments.
  • Flexibility: Customers can easily deploy flexible, high-availability configurations which are built on the latest industry standards, including containers and microservices, across geographically dispersed data centers or cloud service providers.
  • Compatibility: Compatibility with the OASIS Key Management Interoperability Protocol (KMIP) standard provides support for a large, growing partner ecosystem, including the SafeNet Data Protection portfolio which provides customers with a broad spectrum of use cases that can be supported. SafeNet Virtual KeySecure also supports key storage in on-premise hardware security modules (HSMs).

According to Sudesh Kumar, founder and CEO of Kapalya, a California-based start-up: “As businesses connect to more devices and cloud platforms, they need solutions that offer security without limiting their potential for innovation. With SafeNet Virtual KeySecure, we’re now able to offer the ability to protect data in a seamless and cost-effective way across endpoints, public clouds and private clouds. Businesses should no longer be held back in making full use of the cloud while retaining control of some of their most important assets.”

Reddit Breach Takeaways: MFA and Access Management

August 14th, 2018

For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection. Industry trends are taking MFA to new levels by incorporating it into Access Management Solutions. This shift is being driven by concerns around an evolving IT perimeter where traditional solutions are being exploited and organizations are falling victim to cyber-attacks.

The recent news about a breach from Reddit validates the momentum in the cybersecurity world towards access management solutions. The social media platform, considered the 5th top rated website in the U.S., shared that a few of their employees’ administrative accounts were hacked. While they did in fact have their sensitive resources protected with two-factor authentication (2FA), they were surprised to learn that SMS-based authentication was not as secure as they had hoped.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” – Reddit

The weakness of SMS tokens was discussed in 2016: the draft guideline of the U.S. National Institute of Standards and Technology (NIST) stated that SMS-based two-factor authentication is risky. We also wrote about this in August 2016 in our blog, encouraging the use of software tokens that leverage push authentication, like the SafeNet MobilePASS+ token.

SAML-based Access Management mitigates risks

Since the issues with SMS have been exposed, why didn’t Reddit implement strong multi-factor authentication using software- or hardware-based tokens? It turns out they do, as a general practice. In a separate thread, Reddit CTO Chris Slowe said that the company, as a rule, had required staff with data access to use a two-factor authentication solution that included a time-based one-time password (TOTP). However, he added, “there are situations where we couldn’t fully enforce this on some of our providers since there are additional “SMS reset” channels that we can’t opt out of via account policy.” Had they protected their resources with a SAML-based access management solution, that reset channel would have been overridden, immediately mitigating the risk it carries. The fact remains that they were exposed through SMS-based authentication, but how did that happen?

Chris Slowe said he knew the target’s phone had not been hacked. However, hacking the phone itself is only one of the avenues by which SMS authentication can be hijacked. We’ve seen examples in movies where a phone is cloned, or where enterprising hackers call the cellphone company to request that the SIM be redirected to a new phone (i.e. call-forwarding).

The intrinsic problem with SMS tokens is that they rely on SS7 (Signalling System No. 7). SS7 is a telephony signalling protocol used by more than 800 telecommunications operators worldwide for information exchange, cross-carrier billing and roaming, to name a few uses. A number of tools exist that can intercept SS7 traffic.

How then did Reddit find themselves exposed? The fact is that, given enough money and determination, cybercriminals can find ways around many of the safeguards in place today. The most likely scenario is that the affected users fell victim to phishing or some other social engineering attack.

Taking Identity and Access Management Solutions to New Levels

These forms of attack are ultimately what is prompting many security professionals to take their digital security practices to new levels, combining technologies to implement zero-trust networks. The importance of a strong authentication solution from a trusted vendor cannot be overstated; organizations simply cannot rely on static passwords any longer.

While Reddit laments after the fact that SMS-based authentication wasn’t as strong as they thought, this is not the only lesson to be learned from their exposure. What they were truly lacking was a complete solution that not only enforced multi-factor authentication but also allowed access management controls to be implemented.

Effective Identity Management Integration

Consider for a moment that Reddit had implemented an access management solution alongside their use of 2FA (even with SMS tokens). A strong access management solution would let them create policies around their applications and groups of users. They could have kept their chosen 2FA method while adding a further layer of security in the form of context-based authentication, which could have prevented this breach from occurring.

Some examples of beneficial access management policies: since Reddit’s primary offices are in the US and Ireland, they could have set up an access policy denying access from any country outside those two. Or, for the group of administrative users who found the multi-factor token cumbersome, they could have set a policy that relies on the user’s Kerberos ticket while in the office and prompts for an OTP only when working remotely, balancing user experience with security and protecting their environment from outsider attacks.

Forbidden Workers Access Policy

Access Policy with Integrated Windows Authentication (Kerberos)

By integrating their systems with an access management solution that supports multiple different authentication methods they could still use the preferred SMS authentication option, but add an access policy which requires them to provide a new unique OTP any time a resource is accessed, or requires the user to input both an OTP as well as their password for an extra layer of authentication security.
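The policies sketched above (a geographic deny, Kerberos in the office with an OTP prompt only when remote, a fresh token OTP for sensitive resources) and the log-and-report point that follows are easier to reason about as an explicit, ordered rule set. The following is an added Python example, not SafeNet Trusted Access or any vendor’s policy engine: the countries, application names, group names, the decision labels and the rule ordering are constructed assumptions, and the requests fed to it are made up.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed policy inputs (assumptions for this example, not Reddit's or any vendor's configuration)
ALLOWED_COUNTRIES = {"US", "IE"}                       # offices in the US and Ireland
SENSITIVE_APPS = {"source-control", "cloud-console"}
STRONG_PAIR = {"password", "otp"}                      # token OTP; "sms" deliberately does not qualify


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str                       # "admins" or "staff"
    application: str
    country: str                     # geolocated source country, ISO 3166 code
    on_corporate_network: bool
    kerberos_ticket: bool            # Integrated Windows Authentication succeeded
    factors: FrozenSet[str]          # factors presented for this request: "password", "otp", "sms"


class PolicyEngine:
    """Evaluates context-based rules in order and records every decision for later reporting."""

    def __init__(self) -> None:
        self.audit_log: List[Dict[str, str]] = []

    def evaluate(self, req: AccessRequest) -> str:
        """Return 'deny', 'allow' or 'step-up:otp' (prompt for a fresh token OTP before continuing)."""
        # 1. Geographic deny: requests from outside the operating countries never proceed
        if req.country not in ALLOWED_COUNTRIES:
            return "deny"
        # 2. Admins ride on their Kerberos ticket in the office; remote admins are prompted for a token OTP
        if req.group == "admins":
            if req.on_corporate_network and req.kerberos_ticket:
                return "allow"
            return "allow" if STRONG_PAIR <= req.factors else "step-up:otp"
        # 3. Sensitive applications need password plus token OTP from everyone; SMS does not count
        if req.application in SENSITIVE_APPS:
            return "allow" if STRONG_PAIR <= req.factors else "step-up:otp"
        # 4. Everything else: password plus any second factor
        if "password" in req.factors and req.factors & {"otp", "sms"}:
            return "allow"
        return "step-up:otp"

    def decide(self, req: AccessRequest, timestamp: str) -> str:
        """Evaluate and write an audit record (who, which app, from where, outcome)."""
        decision = self.evaluate(req)
        self.audit_log.append({"time": timestamp, "user": req.user, "app": req.application,
                               "country": req.country, "decision": decision})
        return decision

    def accesses_by(self, user: str) -> List[Dict[str, str]]:
        """Which applications a given user touched, and when: the report the post asks for."""
        return [e for e in self.audit_log if e["user"] == user]


if __name__ == "__main__":
    engine = PolicyEngine()
    sample = [  # constructed requests
        AccessRequest("alice", "admins", "source-control", "RU", False, False, frozenset({"password", "otp"})),
        AccessRequest("alice", "admins", "source-control", "US", True, True, frozenset()),
        AccessRequest("alice", "admins", "source-control", "US", False, False, frozenset({"password", "sms"})),
        AccessRequest("bob", "staff", "wiki", "IE", False, False, frozenset({"password", "sms"})),
    ]
    for i, req in enumerate(sample):
        stamp = f"2018-06-15T10:0{i}:00Z"
        print(req.user, req.application, req.country, "->", engine.decide(req, stamp))
```

Note how the SMS factor still counts for low-value applications (rule 4) but never for administrators or sensitive applications (rules 2 and 3): that is the "keep the chosen 2FA method, add a policy on top" arrangement the post describes, and the audit log is what lets the security desk see which user reached which application at a given time.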

Identity Access Management solutions: Access controls add protection

With a strong access management solution, they would also have access to logs and reporting. This would enable them to isolate and track exactly which users were accessing applications at a given time. If the users were leveraging a software token like MobilePASS+, they would have received a notification when an access attempt was being made by their userID and subsequently had the opportunity to deny the attempt or report it immediately to their security desk.

The problem in this case wasn’t that they were using a weak authentication method, though that certainly didn’t help. The real issue was that the organization lacked the appropriate access controls. With effective Cloud Access Management, including multi-factor authentication, organizations can protect their employees’ identities and the applications holding sensitive data, and prevent customers’ data from being exposed.

Want to prevent breaches and strengthen your Access Management strategy? Read about SafeNet Trusted Access here or join a Gemalto 30-minute live demo webinar.

View the original Press Release at Gemalto.com.

How Ruckus Can Deliver More Consistent Performance

July 24th, 2018

In today’s hyper-connected world, Wi-Fi networks form a critical part of the IT infrastructure for all types of businesses and educational institutions.

Without a reliable Wi-Fi network capable of delivering good and consistent connectivity, productivity suffers. For retail businesses, this poor experience can lead to customer frustration and potential loss of revenue. Additionally, as organizations become increasingly digital-focused, reliable Wi-Fi will play an even more integral role in back-end operations.

When it comes to wireless access point (AP) deployment in real-world situations, interference, competing clients, and even building construction material all have an effect on the performance of the wireless network. The future will bring more users, more bandwidth-intensive applications, and a more diverse range of devices such as wearable tech, VR, and IoT. This will inevitably increase demand for Wi-Fi access and place additional pressure on your radio frequency (RF) environment.

Preparing for this exponential growth without exceeding your budget presents a number of challenges. You need a solution that can manage unpredictable and fluctuating Wi-Fi demands now and can easily accommodate future needs.

Better Airtime Efficiency = Greater Capacity

It’s important to note that a higher AP count does not automatically equate to greater capacity. The capacity of a single AP is the number of clients (i.e., devices) that can successfully transmit within a given period of time, and that depends on how much airtime each client’s transmissions consume, which in turn depends on the client’s data rate.

Why is client data rate important? Wi-Fi is a shared medium, so the longer a client spends on air transmitting, the longer other devices must wait before they can transmit. If fewer devices are given an opportunity to transmit in any given timeslot, overall capacity is reduced.

To support more clients in high-density situations, simply installing additional APs will not resolve capacity issues. That’s because there is a finite number of available channels. When channel reuse occurs, any performance improvement can be diminished due to noise, co-channel and adjacent channel interference. Network deployments with multiple APs that use overlapping channels with wider channel bandwidth have a higher probability of problematic co-channel interference.

So, not only does installing more APs drive up costs significantly, this expensive approach is unlikely to result in the better experience users expect.

Ruckus addresses this problem by improving airtime efficiency: when each client’s transmissions occupy the channel for less time, more clients get a turn in the same period, which raises overall throughput and availability. This allows a given Ruckus AP to accommodate more clients than the equivalent competing vendor’s APs.

When it comes to capacity, it’s not just about the overall capacity of an AP. What’s important is ‘usable capacity’ for each client on that AP. You want each connected user to receive the required Quality of Service (QoS). A client that is connected at very slow speeds or continually times-out is not being adequately served by the network.
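A worked airtime model, added here and not drawn from Ruckus’ own testing, makes the shared-medium argument of the preceding paragraphs concrete. The payload sizes and PHY rates are constructed, contention and preamble overheads are ignored, and “airtime-fair” scheduling is used as a generic stand-in for the airtime-efficiency techniques the post refers to:

```python
from typing import Dict, List


def airtime_seconds(payload_bytes: int, rate_mbps: float) -> float:
    """Time one client occupies the channel to send payload_bytes at rate_mbps.
    Preamble, ACKs and contention overhead are ignored to keep the model small."""
    return payload_bytes * 8 / (rate_mbps * 1e6)


def aggregate_throughput_mbps(rates_mbps: List[float], payload_bytes: int = 1_000_000) -> float:
    """Aggregate throughput of ONE shared channel when every client sends one
    equal-size payload per round (frame-fair scheduling). Because everyone waits
    while a slow client transmits, one straggler lowers the total for all."""
    total_air = sum(airtime_seconds(payload_bytes, r) for r in rates_mbps)
    return len(rates_mbps) * payload_bytes * 8 / total_air / 1e6


def per_client_mbps(rates_mbps: List[float], payload_bytes: int = 1_000_000) -> float:
    """Under frame-fair scheduling every client ends up with the same throughput."""
    return aggregate_throughput_mbps(rates_mbps, payload_bytes) / len(rates_mbps)


def airtime_fair_aggregate_mbps(rates_mbps: List[float]) -> float:
    """Aggregate throughput when each client gets an equal slice of AIRTIME
    rather than an equal number of frames: fast clients are no longer held
    back by slow ones, so the channel carries more data in the same period."""
    n = len(rates_mbps)
    return sum(r / n for r in rates_mbps)


def network_capacity_mbps(channel_plan: Dict[int, List[List[float]]],
                          payload_bytes: int = 1_000_000) -> float:
    """channel_plan maps a channel number to the APs on it; each AP is a list
    of its clients' PHY rates. APs sharing a channel contend for one medium
    (their clients are pooled), while separate channels add capacity."""
    total = 0.0
    for aps in channel_plan.values():
        shared = [r for ap in aps for r in ap]
        if shared:
            total += aggregate_throughput_mbps(shared, payload_bytes)
    return total


if __name__ == "__main__":
    fast = [54, 54, 54, 54]
    mixed = [54, 54, 54, 6]
    print(aggregate_throughput_mbps(fast))          # 54.0 Mbps
    print(aggregate_throughput_mbps(mixed))         # 18.0 Mbps: one slow client drags everyone
    print(per_client_mbps(mixed))                   # 4.5 Mbps each
    print(airtime_fair_aggregate_mbps(mixed))       # 42.0 Mbps with equal airtime slices
    print(network_capacity_mbps({36: [fast, fast]}))          # 54.0: two APs, same channel
    print(network_capacity_mbps({36: [fast], 40: [fast]}))    # 108.0: two APs, separate channels
```

With four clients at 54 Mbps the channel delivers 54 Mbps aggregate; swap one client for a 6 Mbps straggler and frame-fair scheduling drops everyone to 4.5 Mbps (18 Mbps aggregate), because the slow client holds the medium nine times longer per frame. Giving each client an equal airtime slice instead brings the aggregate back to 42 Mbps. A second AP on the same channel adds nothing, while a second AP on a different channel doubles capacity, which is the channel-reuse point made above.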

Ruckus’ patented BeamFlex® and ChannelFly technologies have been extensively tested in real-world deployments in which interference, noise, and physical barriers impact usable capacity.

ChannelFly is a new approach to optimizing RF channel selection based on capacity averages across all channels. Specialized algorithms select the best channel based on historical values.

BeamFlex is able to select antenna patterns that focus RF energy away from the direction of interference, thereby attenuating noise to the receiving station. This enables significant improvements in signal gain, increased capacity and enables Ruckus to support more devices in high-density situations, covering a larger area than competitors’ APs.

Here we delve deeper into how BeamFlex’s innovative technology is able to increase airtime efficiency for clients connecting to your wireless network.

BeamFlex® Adaptive Antenna Technology

BeamFlex technology encompasses a combination of patented software algorithms and multiple high-gain horizontally and vertically polarized antenna elements. This adaptive antenna system creates optimal antenna patterns for each device with which it communicates, resulting in significantly increased stability, performance and range.

Unlike omnidirectional antennas that radiate signals in all directions, BeamFlex technology focuses the antenna pattern on each client. Unlike fixed-position, directional antennas, BeamFlex technology dynamically configures and re-configures antenna patterns to optimize signal quality at the client. And unlike any other approaches, BeamFlex technology reconfigures the antenna pattern on a packet-by-packet basis, so it’s always being optimized for each client.

And because BeamFlex technology focuses RF energy where it’s needed, it reduces interference between APs and clients, increasing available capacity and enabling higher average throughput per client.

The net result: each AP delivers more capacity over a larger area as compared to competitive vendor APs and, thus, fewer APs are needed to deliver the capacity and coverage required. That means more reliable client connectivity and an enhanced Wi-Fi experience at considerably lower cost than alternatives.

No Client Left Behind

Increased adoption of video communications is driving worldwide growth in business IP traffic. Yet, delivering high quality video over wireless is still challenging. Video and voice are examples of applications in which latency and jitter, in addition to inadequate bandwidth, can negatively impact end-user Quality of Experience (QoE). That’s why Wi-Fi performance testing should also include tests of video-streaming capability.

Ruckus commissioned an independent third party to test the performance of a mid-range Ruckus AP against those of competitors. The tests consisted of 60 Chromebooks running video and two Mac Mini clients running data only. The number of successful simultaneous video streams supported by the AP before and after a data load was introduced was measured. The number of clients with stall-free video was recorded along with the aggregate data throughput associated with the data-only clients.

Results

The test showed that Ruckus APs delivered perfect video quality of experience in a challenging, high-density environment. Ruckus APs were able to stream high-resolution video to 60 video clients without a single stalled video while simultaneously supporting 150Mbps data throughput associated with the data clients.

Most vendor APs couldn’t deliver stall-free video to all sixty clients, even with no other traffic on the network. And no vendor except Ruckus could deliver stall-free video to sixty clients while under simultaneous data loading. These results demonstrate that Ruckus can deliver on its capacity promise.

The ever-growing number of users and devices dictates that demand for Wi-Fi bandwidth will continue its remarkable growth trajectory. But that doesn’t automatically mean that IT departments will get more budget to meet the demand. Organizations can use fewer Ruckus APs to support a given number of clients, yielding a more cost-efficient infrastructure.

Conclusion

Wi-Fi usage will continue to grow and demand for an accessible, reliable and fast network will continue to be a priority. It makes sound economic sense to choose high performance, high density-capable APs that lower your total cost of ownership, now and in the long-term.

Ruckus APs have been proven to support 30-50% more clients and to provide up to 30% better coverage than competitors’ products – without a performance penalty. More usable capacity per AP saves on capital outlay for additional APs, associated subscription fees, installation costs and other related overhead.

Patented RF technologies combat the signal degradation, noise and interference that disrupt service and make users unhappy. The result is fast and reliable Wi-Fi for everyone without the need to overprovision APs. With Ruckus, you also have the flexibility of being able to migrate from one management architecture—virtual controller, appliance-based controller, controller-less, or cloud—to another (or a hybrid deployment) without throwing away your AP investment.

If you would like to find out more about Ruckus and what they can bring to your organisation, call Net-Ctrl on 01473 281 211, or complete our Contact Form.

Managing multiple Unleashed networks

September 17th, 2018

In this Unleashed blog post, we’ll take a closer look at the Ruckus Unleashed Multi-Site Manager (UMM), which offers SMBs more advanced options for managing multiple Unleashed networks deployed in various geographic locations.

Unleashed Multi-Site Manager (UMM): Key Features

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or a total of 10,000 APs – is designed to provide a ‘single pane of glass’ view to manage Unleashed networks deployed across multiple locations. It provides intuitive and customizable dashboards that display near real-time insights about connected access-points and clients, along with detailed geographic (map) views of network activity.

The Ruckus Unleashed Multi-Site Manager also enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a simple click of the mouse. SMBs can also create custom device groups and perform administrative tasks for/on a specific group. In addition, UMM enables users to build a database backup file with relevant site configuration data – and easily replicate the network at another site with a ‘cookie-cutter’ backup file.

Let’s take a closer look at some of our key UMM features below:

Dashboard – Provides SMBs with a near real-time view of connected APs and clients, along with the distribution of client operating systems. UMM customizable dashboards display comprehensive Google Map views of all Unleashed networks, as well as a detailed and pinpointed list of recent events. All information is colour coded, enabling SMBs to quickly gain a holistic view of connectivity status, signal quality, client throughput data, the number of networks, as well as connected APs and clients.

Reports – Creates detailed and customizable reports about APs, WLANs, client connectivity trends, rogue APs or mesh changes within a specified date range. These can include customized graphs that display bandwidth utilization per application or per user, AP airtime utilization and APs with the most associated clients. UMM also generates service-centric agreement graphs and reports that list percentage uptime for AP groups and specific clients, backhaul uptime and client potential throughput. Additional reports include connection and association, user action audits and system logs.

Single Sign-On – Drills down into individual Unleashed networks, meaning SMBs only need to sign into Unleashed Multi-Site Manager once, without having to know the credentials assigned to each network. UMM also supports multi-tiered management access (RBAC) and remote management access over SSL/TLS. Because one UMM login reaches every managed network, that login deserves the strictest role and credential controls of any account in the estate.

Network Upgrade – Schedules an upgrade of all devices across multiple locations. Allows SMBs to conveniently create groups of devices and plan upgrades of groups.

NAT Traversal – Lets UMM reach every Unleashed network as a central management system even when the APs sit behind NAT. More specifically, SSH tunnels are established between UMM and the APs behind the NAT device.

Conclusion

SMBs are demanding fast, reliable and always-on connectivity for dozens or even hundreds of connected devices. However, small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be installed and up and running in five minutes or less. Unleashed also enables anyone to manage their network from an intuitive mobile app or website browser, while the Unleashed Multi-Site Manager (UMM) supports up to 1,000 Unleashed networks or 10,000 APs for SMBs that manage multiple networks in disparate geographic locations.


Essentially, the Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or a total of 10,000 APs – is designed to provide a ‘single pane of glass’ view to manage Unleashed networks deployed across multiple locations. It provides customizable dashboards that display near real-time insights about connected access-points (APs) and clients, along with map views of networks and recent activity. Moreover, the Ruckus Unleashed Multi-Site Manager enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a click of the mouse.

Interested in learning more about Ruckus Unleashed for SMBs? You can visit the Ruckus Unleashed product page here, download our Unleashed data sheet here and access our Multi-Site Manager data sheet here.

View the original article at The Ruckus Room.

Three ways unsecured Wi-Fi can contribute to a data breach

September 17th, 2018

This blog entry connects unsecured network access to increased risk for data compromise—commonly called a data breach—in a concrete way. We’re talking specifically about BYOD and guest devices, and failure to properly secure the way in which they connect to the network. When people discuss BYOD security, often they focus only on encryption for wireless data over the air. As we will see, that’s an important element, but it’s not the whole story.

Before we get started, please note that this is far from an exhaustive list of ways that improper security measures around network access can imperil sensitive data. And although our blog title references unsecured Wi-Fi, the first two points below are also relevant to devices that access the network over a wired connection.

Lack of role-based network access for BYOD and guest users leaves the door open for data breaches

Secure network access means access on a need-to-know basis. Not every breach is the stuff of hoody-wearing cybercriminals hiding in the shadows. Many data breaches come from unintended disclosure. Well-meaning stakeholders sometimes make mistakes and disclose data improperly. The more people that have access to a given set of data, the more likely someone will make that kind of mistake. As much as we don’t like to think about it, stakeholders can also disclose sensitive data intentionally.

A sound data governance strategy requires that users should be able to access only those network resources appropriate to their role in the organization. Policy-based controls are a cornerstone of such a strategy, and if you don’t enable these controls, it leaves the door open to data compromise. If you don’t have the means to define and manage policies to restrict access, the chance of a breach is greater.

Even within the organization, when someone not authorized to view certain data does so, that’s a breach. To pick a very specific example, call center employees should not have access to the server containing an Excel file with employee payroll data. Role-based policy capability for network access is essential, and lack of differentiated network access risks data compromise.
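One way to enforce this at the network layer, as an added illustration that is not Cloudpath or Ruckus configuration: a FreeRADIUS `users` file that returns the RFC 3580 tunnel attributes so the switch or AP places each authenticated user in the VLAN for their role. The group names, VLAN IDs and ACL name are assumptions, and the assignment only helps if the VLAN holding the payroll server actually filters traffic from the call-centre VLAN.

```text
# Illustrative FreeRADIUS "users" entries (added example, not Ruckus or
# Cloudpath configuration). Assumes the user has already authenticated (for
# example via EAP) and that rlm_ldap has populated Ldap-Group. The first
# matching entry wins; there is no Fall-Through, so a user in "finance" never
# also receives the call-centre attributes.

DEFAULT  Ldap-Group == "finance"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"

DEFAULT  Ldap-Group == "callcenter"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "30",
         Filter-Id = "callcenter-acl"

# Anyone who matched no role above lands in the restricted guest VLAN rather
# than the default VLAN of the port or SSID.
DEFAULT
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "99"
```

The last entry is the one to check: without a catch-all, an account that fits no role is accepted with no VLAN attributes at all, and the port or SSID default applies, which is usually more permissive than intended.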

Failure to perform a security posture check for BYOD and guest users can lead to trouble, too

Most of us would agree that BYOD programs increase employee productivity. And visitors to most environments expect easy connectivity for their devices, just as employees do—whether the location is an office, government agency worksite, public venue, school, college or most anywhere. That’s a lot of unmanaged devices accessing the network—either over wireless or via a wired connection. IT teams don’t control those devices the way they can for IT-owned devices, and if not managed properly this can also leave the door open to a data breach.

Failure to perform an up-front security posture check before BYOD and guest devices connect is a risk area as well. Malware is one of the leading causes of data breaches—for example, keyloggers that capture every character typed into the keyboard of an infected device. You don’t want malware like that spreading into your environment. If you let an employee connect their BYOD laptop without checking that anti-malware has been installed, that’s a security hole that needs to be plugged. More than that, the malware signatures for that software need to be up to date. A security posture check during network onboarding can make sure that BYOD and guest devices employ basic security measures.

Most tech-savvy users of mobile devices have a PIN enabled in their phone or tablet. But imagine what would happen if an employee connects their BYOD phone to the network, which thereby gains access to network resources housing confidential data. Suppose it’s a new phone and they don’t have a PIN enabled yet. Then someone steals the phone.

The network does not know the thief isn’t the employee, and the device can still access those same network resources. This is where lack of a security posture check leaves the door open to data compromise. A proper security posture check would have included remediation for that device—just require that employees have a PIN enabled before they can connect.

Unencrypted wireless data traffic is another IT security hole

This section discusses a security hole that applies only to wireless access. Unless you encrypt data traffic in transit between wireless access points and devices, prying eyes can view it using commercially available network analysis tools. (The same way anyone can spy on what you do over an open public Wi-Fi connection at the local coffee shop).

Of course, many websites are themselves encrypted these days. But often not all page components are encrypted, and users have no way of knowing which components those are. Mobile applications may or may not encrypt their data traffic. App developers have an incentive not to encrypt data traffic, because encryption imposes overhead on the back-end systems that support their apps.

In an enterprise environment, you might think anyone would be crazy not to encrypt wireless traffic over the air. But MAC authentication, one of the default methods for connecting devices, is an access check only: on its own it does nothing to encrypt wireless data traffic. (Read more about the security flaws in default methods for network onboarding and authentication.) It’s also not unheard of for IT to provide one or more open SSIDs in some environments, if only for guest users, especially when the organization lacks a system for secure network onboarding. Whatever the circumstances, unencrypted data traffic is a risk area.
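A quick way to check whether a given SSID is actually protecting data frames, as an added example that is not from the original post: parse the Frame Control field of captured 802.11 frames and count data frames whose Protected Frame bit is clear. The sample frames below are constructed for this example (MAC header only, no radiotap header), and EAPOL handshake frames, which are legitimately sent in the clear even on WPA2 networks, are counted separately so they do not produce false positives.

```python
import struct
from typing import Dict, List

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
# LLC/SNAP header carrying EtherType 0x888E (EAPOL). The WPA/WPA2 4-way
# handshake travels in data frames with the Protected bit clear, so these are
# the one kind of clear-text data frame expected on an encrypted SSID.
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"


def parse_frame_control(frame: bytes) -> Dict[str, object]:
    """Decode the 2-byte little-endian Frame Control field of an 802.11 MAC
    header (capture-side headers such as radiotap are assumed already stripped)."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {
        "version": fc & 0x3,
        "type": FRAME_TYPES[(fc >> 2) & 0x3],
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),   # bit 14: frame body is encrypted
    }


def mac_header_len(fc: Dict[str, object]) -> int:
    """MAC header length: 24 bytes, +6 for a fourth address (ToDS and FromDS),
    +2 for QoS Control on QoS data subtypes. HT Control (Order bit) is not
    modelled in this example."""
    n = 24
    if fc["to_ds"] and fc["from_ds"]:
        n += 6
    if fc["type"] == "data" and fc["subtype"] & 0x8:
        n += 2
    return n


def audit_capture(frames: List[bytes]) -> Dict[str, int]:
    """Classify each frame. Any 'data_clear' hit on a production SSID means the
    payload is readable by anyone within radio range."""
    counts = {"data_clear": 0, "data_protected": 0, "eapol": 0, "non_data": 0}
    for frame in frames:
        fc = parse_frame_control(frame)
        if fc["type"] != "data":
            counts["non_data"] += 1      # management/control frames are never encrypted
            continue
        if fc["protected"]:
            counts["data_protected"] += 1
            continue
        body = frame[mac_header_len(fc):]
        if body.startswith(LLC_SNAP_EAPOL):
            counts["eapol"] += 1         # expected clear text: key handshake
        else:
            counts["data_clear"] += 1
    return counts


def _frame(fc0: int, fc1: int, body: bytes) -> bytes:
    """Build a constructed frame: Frame Control, Duration, three addresses,
    Sequence Control, QoS Control for QoS data subtypes, then the body."""
    header = bytes([fc0, fc1]) + b"\x00\x00"
    header += b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x03"
    header += b"\x10\x00"
    if (fc0 >> 2) & 0x3 == 2 and (fc0 >> 4) & 0x8:
        header += b"\x00\x00"
    return header + body


# Constructed sample frames for this example, not taken from any real capture.
SAMPLE_FRAMES = [
    _frame(0x08, 0x01, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x45\x00\x00\x1c"),  # data, ToDS, IPv4 in the clear
    _frame(0x08, 0x41, b"\x00\x20\x00\x20\x00\x00\x00\x00" + b"\x13\x37"),          # data, ToDS, protected
    _frame(0x88, 0x42, b"\x01\x20\x00\x20\x00\x00\x00\x00" + b"\xca\xfe"),          # QoS data, FromDS, protected
    _frame(0x80, 0x00, b"\x00" * 12),                                                 # beacon (management)
    _frame(0x08, 0x02, LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f"),                         # EAPOL-Key, clear by design
]

if __name__ == "__main__":
    print(audit_capture(SAMPLE_FRAMES))
    # {'data_clear': 1, 'data_protected': 2, 'eapol': 1, 'non_data': 1}
```

Run the same classification over a monitor-mode capture of each SSID: an open or MAC-authenticated SSID shows every data frame under `data_clear`, while a correctly configured WPA2 SSID shows only the handshake under `eapol` and everything else under `data_protected`.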

One way to plug these (and other) network security holes

Fortunately, you can easily plug these and other security holes that result from unsecured network access mechanisms. Just deploy a system for secure onboarding and network authentication. Here at Ruckus, we believe that our own Cloudpath Enrollment System offers the industry’s best combination of ease of deployment and powerful security features. If the security risks discussed in this blog concern you, now’s a great time to explore this offering—start with our new product overview video. Then dig deeper on the product page, where you can even request a live online demo when you’re ready.

To view the original post by Vernon Shure, SR. Product Marketing Manager, Security at Ruckus Networks, click here.

Three common Wi-Fi myths about capacity, interference and roaming

September 3rd, 2018

It’s time to clear the air about Wi-Fi. Once you sort out some common misconceptions, a lot of the fogginess around Wi-Fi dissipates. Let’s look at three common Wi-Fi myths about capacity, interference and roaming.

The same laws of physics (specifically electromagnetism) that govern radio and cell phones also govern Wi-Fi. Which means that certain things about Wi-Fi behavior are predictable.

Wi-Myths about capacity: Higher capacity means an AP talks to more devices at the same time

How many devices can an AP talk to at one time? For a single transmission the answer is the same as it has always been: one. (Multi-user techniques such as MU-MIMO in 802.11ac Wave 2 let an AP send to a few clients at once under specific conditions, but the shared-medium rule below still governs the general case.)

So how does an AP appear to be talking to many devices concurrently? And how do Ruckus APs support greater capacity than other APs?

You know what it’s like to talk to people at a noisy party? You can’t make out what everyone is saying when they’re talking at the same time. If APs liked to party (and who’s to say they don’t?), they’d appear to be talking to everyone (everyone being devices) simultaneously. What they’re actually doing is listening or talking to each device in turn, but doing it at superhuman speed.

That’s not all there is to this super-cool party skill. The AP-device conversations are also based on assumptions that each “conversation” will be brief. A request to connect. Done. Request to download. Done. Request to upload. Done. In other words, devices aren’t talking to the AP continuously. It’s just a constant, super-fast series of interactions.

So how does a Ruckus AP achieve superior capacity? (Independent analyst testing shows Ruckus beats competitors in video QoS and data throughput.) That’s where we depart from the norm. Not the laws of physics (those still hold for everyone, thankfully). But Ruckus invests in the development of sophisticated RF software where other companies may use off-the-shelf firmware.

We optimize the processing capabilities of our APs. Our APs are, in essence, faster or more efficient (depending on how you look at it) at handling concurrent connections. We also use algorithms to factor in how much capacity is required for things like buffering streaming video.

BeamFlex+, which is our Adaptive Antenna Technology, also plays a role in capacity. The AP’s antenna, working in an omnidirectional mode, can detect a client trying to connect from, say, the edge of a room. It can then adapt the antenna to a directional mode to get a stronger signal to that device.

Wi-Myths about Interference: Add more APs to get more capacity

Here’s why it’s important to understand this law of physics—because you don’t want a Wi-Fi designer to tell you that putting two APs close to each other will necessarily increase capacity. Remember that devices have to wait their turn to talk to an AP. If two APs share the same channel, they’re going to create interference, not extra capacity. It doesn’t matter if there are two APs or two dozen: if they share the same channel, only one will transmit at any given moment. The others are just hanging out (literally).

Wi-Myths about Roaming: It’s not about APs dropping the ball (or signal)

Have you ever lost a call on your cell phone when moving between cell towers? Roaming is a wonderful feature, except during that handoff period. It’s a common misconception that the APs are in charge of roaming, that they call out to devices, “Hey, disconnect from that AP and connect to me now!” That would make APs great air traffic controllers, but it’s not their job description, nor is it in those pesky laws of physics.

It’s actually the devices that look for connections to the closest AP. But devices don’t have the connection smarts that APs have. As a result, they can be really clumsy about disconnecting from one AP and connecting with another. Sorry devices, but those dead spots and garbled channels are on you.

Ruckus does apply a couple of proprietary AP technologies that make roaming more seamless. One of these clever techniques is SmartRoam+: as a device begins to move away (roam) from an AP, the signal weakens. The device should look for a stronger signal, right? But often a device will hold on until the signal has gotten really bad. Before it reaches that point, however, the SmartRoam+ technology will sing out to the device “Let it go!” and disconnect it from the fading AP. The client will search for—and find— a closer AP with the stronger signal.

It’s good to dispel the myths about Wi-Fi. It can help you avoid mistakes in design. It can also help you appreciate how smart design—without messing with the laws of physics—can give you better Wi-Fi.

Johnson Controls announces Net-Ctrl winner of CEM Systems Business Partner of the Year Awards 2018

August 23rd, 2018

Johnson Controls has announced the winners of the CEM Systems Business Partner of the Year Awards, EMEA, 2018. Winners were honoured at CEM Systems’ annual security conference, held 23—24 May at the Galgorm Resort & Spa, Northern Ireland. Net-Ctrl received the Business Partner of the Year Award for the UK and Ireland South region.

“Johnson Controls is very fortunate to be involved in many exciting and often iconic access control projects around the world and 2018 is no exception,” said Philip Verner, regional sales director, Building Technologies & Solutions, Johnson Controls. “Through customer endorsements and the support of our committed Approved Reseller channel, we have successfully opened up CEM Systems’ innovative access solutions to many new sectors and territories throughout Europe, Middle East and Africa (EMEA). The 2018 Business Partner of the Year Awards are not only given to our top EMEA business partners for high levels of sales, but are given in recognition of their ongoing commitment to accredited CEM Systems training, joint marketing initiatives and their tireless endeavour to go above and beyond when delivering successful customer projects within their respective regions.”

For the UK & Ireland, South region, Net-Ctrl received the Business Partner of the Year award in recognition of their success within the education sector. As a relatively new channel partner, Net-Ctrl has promoted CEM Systems products at various education events this year and has successfully won a number of prominent UK school security projects including Bradfield College.

Unleashing Wi-Fi for SMBs

August 23rd, 2018

With over 30 billion connected “things” expected by 2020, it has become quite clear that consumer-grade Wi-Fi routers are simply no longer capable of meeting the needs of small and medium businesses (SMBs). These days, even smaller businesses are demanding fast, reliable, always-on connectivity for dozens or hundreds of connected devices. However, small and medium businesses often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments.

This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in five minutes or less. In addition, Unleashed enables anyone to manage their network from an intuitive Unleashed mobile app or website browser. Let’s take a closer look at the Ruckus Unleashed solution below, starting with our access points.

Ruckus Unleashed Access Points (APs)

Our Unleashed access points leverage a range of advanced Ruckus technologies to deliver higher speeds, optimized coverage and more reliable connections for SMBs. Examples include BeamFlex+, which helps APs provide optimal performance for every device – every time – by adaptively re-configuring antenna patterns.

In addition, ChannelFly utilizes advanced machine learning to select the least congested channels, while SmartMesh wireless meshing technology dynamically creates self-forming and self-healing mesh networks. In addition, Unleashed APs are packed with a range of enterprise-class features that are simple for just about anyone to manage. These include WPA encryption and DPSK security, guest connectivity services via a self-service portal or through social media, in-depth monitoring of network usage patterns (deep packet inspection), application-specific access rules and network resiliency.

As we discussed above, Ruckus Unleashed access points are designed for small and midsize businesses, such as law firms, health clinics and insurance agencies. They can be deployed in small and midsize retail outlets, including stores, restaurants and coffee shops. Ruckus Unleashed APs are also the perfect choice for multi-dwelling units (MDUs) like large homes, small apartments and housing structures that require uninterrupted, pervasive coverage. In addition, Ruckus Unleashed APs can benefit smaller primary school classrooms that require higher-bandwidth and uninterrupted Wi-Fi coverage for digital learning. Ruckus Unleashed access points support single or multiple location installation options, with up to 25 APs and/or 512 concurrently connected clients per deployment.

The Ruckus Unleashed Mobile App

A Ruckus Unleashed network can be installed in under five minutes by simply configuring a single Ruckus master access point. The master AP settings are automatically replicated and subsequently pushed to all network APs via our Unleashed Zero-Touch Mesh feature. Put simply, we make installation, configuration and basic network management easy for even non-technical users with the Ruckus Unleashed mobile app for iOS and Android.

Indeed, SMBs can use the Ruckus Unleashed mobile app to monitor and manage their networks from anywhere in the world. More specifically, the mobile app enables SMBs to see how many clients and APs are connected, monitor ongoing network traffic, observe which applications are using the most data on the network, view important alerts at a glance and create rules to deny access to any website.

In addition, SMBs can quickly create a new wireless LAN or edit an existing network, run SpeedFlex to test Wi-Fi speeds, conduct basic troubleshooting using ping test or trace route, reboot APs and block misbehaving clients. The Ruckus Unleashed Mobile App, which is built around an intuitive user interface (UI), also features detailed dashboards, graphs and charts. These allow SMBs to drill down and view in-depth data, such as how much (uplink/downlink) traffic has been flowing through specific APs, for example.

Ruckus Unleashed Multi-Site Manager

The Ruckus Unleashed Multi-Site Manager (UMM) – which supports up to 1,000 Unleashed networks or 10,000 APs – offers SMBs more advanced options for managing multiple Unleashed networks deployed across various geographic locations. Designed to provide ‘single pane of glass’ view with intuitive and customizable dashboards, the Ruckus Unleashed Multi-Site Manager displays near real-time insights about connected access-points (APs) and clients, along with map views of networks and recent activity.

In addition, the Ruckus Unleashed Multi-Site Manager enables SMBs to create customized reports and alerts, as well as easily perform key administrative tasks such as the creation of role-based access and management of SSL certificates with a click of the mouse. SMBs can also use the Multi-Site Manager to build a database backup file with relevant site configuration data, replicate the network at a different site with the ‘cookie-cutter’ backup file and quickly restore a site in case of disruption.

Conclusion

The proliferation of connected devices has made it almost impossible for consumer-grade Wi-Fi routers to continue meeting the needs of small and medium businesses. However, SMBs often lack the budget, time and in-house resources to install and manage complex Wi-Fi deployments. That is why we are making Wi-Fi easy with Ruckus Unleashed.

Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in just five minutes using the Ruckus Unleashed mobile app for Android or Apple iOS.

Interested in learning more about Ruckus Unleashed for SMBs? Visit our Unleashed product page or download our Unleashed data sheet.

View the original post by Ruckus Networks.

Are All Your Critical Network Management Processes Automated?

August 20th, 2018

There are several network management processes that should be performed on a regular basis to ensure the network is running optimally with minimum downtime. However, these tasks are often tedious and repetitive to perform manually so they are commonly delayed or not completed, leaving the network potentially vulnerable and in a less than optimal state.

For example:

Compliance Processes: Do all switch and access point configurations comply with the organisation’s policies? The security settings of the routers, switches and access points, and the network management settings, need to be checked on a regular basis against network policies. Are all network devices configured to send syslog to the correct repository?

Network Utilisation: Are there unused switch ports, and could connections be consolidated and perhaps some switches be re-deployed to other network locations? Or is the network getting close to full capacity and should new switches and access points be deployed to handle more traffic and users?

Network Resiliency: Does the network offer sufficient L2 and L3 redundancy? For example, are first hop redundancy protocols (like VRRP) configured and operating correctly?

Backing up configuration files: Are all the configuration files saved to non-volatile storage on the device and to backup storage?

Many network management platforms (NMS) offer tools to enable network administrators to perform these tasks interactively but having IT personnel run these tasks manually is time-consuming, error-prone and expensive. These tasks should be automated to ensure that the network is running optimally.

Many NMS platforms are designed without automation in mind, so traditional network automation approaches bypass the NMS and monitor and control network devices directly through SNMP, SSH, or other standard or proprietary protocols.

Limitations of the traditional approach:

The device discovery and registration process and the intelligence provided by the NMS cannot be accessed programmatically. The same applies to historical data aggregation and correlation. Data polling is inefficient and resource intensive. Compliance can suffer because company-specific compliance processes are too hard to automate.

SmartZoneOS 5 offers a comprehensive library of well-documented REST APIs that enables applications to programmatically invoke just about any network management function offered by the SmartZoneOS graphical user interface (GUI) or command line interface (CLI).

IT managers and third-party applications can automate network processes by accessing the SmartZoneOS functions from within their own management and automation platforms and issue direct commands without creating error-prone proprietary scripts. Ruckus itself makes use of these APIs within its own products.

A full set of near real-time MQTT/protocol buffer data streams enables third-party applications to ingest all network data, statistics and alarms (from clients, APs, switches, WLANs, controllers and clusters) with little delay, no fidelity loss, and no need to create a firewall pinhole. These data streams enable the recreation of SmartZone dashboard elements or custom dashboards for internal and external consumption. Ruckus itself makes use of this capability to enable its own network analytics and reporting software.

Each SmartZone network controller supports access to a complete set of network machine-level metrics, enabling it to plug directly into existing automated backend systems and provide a ‘headless’ interface for the network infrastructure.
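As an added illustration (not Ruckus code, and not the SmartZone API itself), the following Python script turns the compliance, backup and utilisation questions listed above into automated checks over a device inventory. The inventory records, the policy values and the reference time are constructed; the step that would fetch the records from a controller's REST API is assumed and not shown.

```python
"""Policy checks over an exported device inventory.

Added example, not Ruckus code. The records below are constructed to stand in
for what an NMS/controller REST API would return for switches and APs; the
fetch step is assumed and not shown. The checks mirror the questions in the
post: syslog destination, management security settings, configuration backup
state and switch port utilisation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Organisation policy (constructed values).
POLICY = {
    "syslog_server": "10.0.0.50",
    "allowed_mgmt": {"https", "ssh"},
    "max_backup_age_days": 7,
    "unused_port_ratio_warn": 0.5,   # more than half the ports down -> consolidation candidate
}

NOW = datetime(2018, 8, 20, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Finding:
    device: str
    check: str
    severity: str
    detail: str


def check_syslog(dev):
    """Every device must log to the organisation's syslog repository."""
    if dev.get("syslog_server") != POLICY["syslog_server"]:
        yield Finding(dev["name"], "syslog", "high",
                      f"syslog target {dev.get('syslog_server')!r} != {POLICY['syslog_server']!r}")


def check_mgmt(dev):
    """Only encrypted management services are allowed by policy."""
    bad = set(dev.get("mgmt_services", [])) - POLICY["allowed_mgmt"]
    if bad:
        yield Finding(dev["name"], "management", "high",
                      f"insecure management services enabled: {sorted(bad)}")


def check_backup(dev):
    """Running config saved to non-volatile storage and backed up recently."""
    if not dev.get("config_saved"):
        yield Finding(dev["name"], "backup", "high", "running config not saved to non-volatile storage")
    last = dev.get("last_backup")
    if last is None:
        yield Finding(dev["name"], "backup", "high", "no configuration backup on record")
    elif NOW - last > timedelta(days=POLICY["max_backup_age_days"]):
        yield Finding(dev["name"], "backup", "medium", f"last backup {(NOW - last).days} days old")


def check_ports(dev):
    """Flag switches with a large share of unused ports (APs have no port table)."""
    ports = dev.get("ports")
    if not ports:
        return
    down = sum(1 for p in ports if p["status"] == "down")
    if down / len(ports) > POLICY["unused_port_ratio_warn"]:
        yield Finding(dev["name"], "utilisation", "low",
                      f"{down}/{len(ports)} ports unused; consolidation candidate")


CHECKS = (check_syslog, check_mgmt, check_backup, check_ports)


def evaluate(inventory):
    """Run every check over every device; return findings sorted by severity, then device."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for dev in inventory for chk in CHECKS for f in chk(dev)]
    return sorted(findings, key=lambda f: (order[f.severity], f.device))


# Constructed inventory, shaped like the records an API fetch would return.
INVENTORY = [
    {"name": "sw-core-1", "type": "switch", "syslog_server": "10.0.0.50",
     "mgmt_services": ["https", "ssh"], "config_saved": True,
     "last_backup": NOW - timedelta(days=2),
     "ports": [{"id": i, "status": "up"} for i in range(1, 45)]
              + [{"id": i, "status": "down"} for i in range(45, 49)]},
    {"name": "sw-floor-3", "type": "switch", "syslog_server": "192.168.1.1",
     "mgmt_services": ["http", "telnet", "ssh"], "config_saved": False,
     "last_backup": NOW - timedelta(days=30),
     "ports": [{"id": i, "status": "down"} for i in range(1, 20)]
              + [{"id": i, "status": "up"} for i in range(20, 25)]},
    {"name": "ap-lobby", "type": "ap", "syslog_server": "10.0.0.50",
     "mgmt_services": ["https"], "config_saved": True, "last_backup": None},
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity:6}] {f.device:12} {f.check:12} {f.detail}")
```

Run on a schedule, the same checks replace the interactive review the post describes; the findings list is what an operator would page on or feed into a ticketing system.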

View the original post by Ruckus Networks.

What Is Secure Onboarding, and Why Is It Such a Challenge?

August 20th, 2018

At Ruckus Networks, we have a lot of discussions with customers and prospective customers around secure onboarding. We’ve come to realise that it’s a term that is not universally understood. The concept it describes is real, but people don’t always use that term to describe it. We need to do some work to familiarise the IT world with the term in a networking context. So what exactly do we mean when we say “secure onboarding”?

Let’s Start by Defining “Onboarding”

You have probably heard the term onboarding used to refer to a human resources process that’s about getting new employees integrated into an organisation. When someone starts a new job, they fill out some paperwork (or these days, online forms), go through an orientation, get a tour of their new office building and so on. That’s not the kind of onboarding we’re talking about in the context of network infrastructure and connectivity, which might be a source of confusion.

Actually, though, it’s tangentially related because when new employees arrive, one of their first questions is likely to be “How do I connect to the Wi-Fi with my tablet?” Or their phone or their personal laptop. The same thing happens on move-in day at college campuses, where the range of devices that need to connect is often much broader. It also occurs in primary and secondary schools where students are allowed to connect with personal devices.

Precision matters here, and what we are really talking about is network onboarding. Simply stated, in a networking context, onboarding means the process by which a BYOD or guest user gains access to the network for the first time with a device (or an IT-owned device connects to the network, for that matter). Every environment is different, but users in a variety of organisations often struggle with this process. This can lead to user frustration and excess trouble tickets for the IT team.

User Expectations Are Set by Experiences with the Carrier Network and Home Wi-Fi

What creates this frustration with network onboarding? Why do organisations find this process such a challenge? It originates in the gap between user expectations and user experience. When someone activates a new mobile phone, the service desk at the carrier retail outlet plugs in a SIM and you’re good to go. It’s a set-it-and-forget-it experience.

The user experience with home Wi-Fi is also simple. Users look for the name of their Wi-Fi network and enter the password, or pre-shared key (PSK). They don’t roam between different sources of connectivity within the home; they always connect to the same home router. The device always seems to connect without problems when they return after going out. Users control their own Wi-Fi password—when it changes, and whether it changes at all. Or their roommate or spouse can easily give them a heads-up when that person changes the PSK, so it’s no big deal. Between their experience with the carrier network and home Wi-Fi, users are conditioned to expect easy connectivity without having to think much about it.

Things get much more complicated in an enterprise office environment, and in schools and colleges. But those expectations for a set-it-and-forget-it experience remain. We’ve blogged before about the user experience issues with default methods of network onboarding and authentication. Historically, organisations have often relied on default methods of network onboarding, but more and more they are adopting systems to streamline this process.

Secure Network Onboarding Plugs Wireless Security Holes

There’s one aspect of the secure onboarding challenge that we haven’t addressed yet, and that’s the security piece. Secure network access is an often-overlooked area within the IT security domain. It’s a challenge because too many IT organisations rely on the default methods for network onboarding and authentication that are built into their networking infrastructure.

The risks inherent in unsecured Wi-Fi don’t get as much attention as some other threats, but they are very real. Prying eyes can spy on unencrypted data traffic, and undifferentiated access can leave sensitive data exposed to unauthorised users. The latter is an issue even over a wired connection. Insecure devices can bring malware, ransomware and other bad things into your environment. For more detail on these and other potential security holes related to network access, please refer to our previous blog on this topic.

Network onboarding alone isn’t enough—secure network onboarding is essential to plug these security holes. Adding to our previous definition, secure network onboarding means the process by which a BYOD or guest user securely gains access to the network for the first time with a device. And those security holes must stay plugged on subsequent connections, too.

Often there are trade-offs between user experience and security. We’d all be a lot safer if we just unplugged our computers from the internet—but no one could get any work done that way. Or users and devices would be safer if IT locked down every computer so that no new software could be installed. That’s at best impractical (for IT-owned devices) and at worst impossible (for unmanaged BYOD devices).

Secure network onboarding is that rare product category where the usual trade-offs between user experience and security do not apply. You can have your cake and eat it too—better user experience and increased security for users, devices, data and the network. If this sounds intriguing, now is a great time to consider Cloudpath Enrollment System, the Ruckus Networks offering in this corner of the security taxonomy. Our new product overview video encapsulates the value it provides in less than two and a half minutes.

View the original post by Ruckus Networks.

Gemalto Boosts Cloud Security with a Scalable Virtual Key Management Solution

August 14th, 2018

Gemalto announced a next-generation key management solution, SafeNet Virtual KeySecure, for simpler and stronger cloud security. Companies can extend their data protection policies to private and public clouds and centralize encryption and key management operations across multiple cloud environments.

SafeNet Virtual KeySecure integrates with leading cloud service providers and virtual platforms such as AWS, Microsoft Azure, Google Cloud Platform, IBM Cloud, VMware, Microsoft Hyper-V and OpenStack, to provide companies with a single key management solution spanning multiple private or public cloud environments.

As a result of the ongoing digital transformation within many organizations, data now resides across a growing number of cloud environments and web applications. Security teams are finding it ever more challenging to manage data protection policies, and solutions are often time-consuming and manual. Data protection operations can be simplified by using SafeNet Virtual KeySecure to uniformly view, control, and administer cryptographic policies and keys for sensitive data.

Companies can improve key security and simplify the audit preparation process by retaining ownership and control of encryption keys.

“Businesses need options when it comes to cloud security and shouldn’t be limited to working in just one environment. With SafeNet Virtual KeySecure, organizations are able to move more workloads to the cloud and easily monitor the access and movement of their encrypted data,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “We are seeing a lot of customers who are interested in taking advantage of the business continuity offered by cloud environments, without compromising the security of their most critical asset, data. Current KeySecure customers would also be able to benefit from this new platform and we will be sharing details of a clear migration path with them in the near future.”

SafeNet Virtual KeySecure offers customers:

  • Centralized Key Management: Centralized, efficient auditing of key management offers simplified compliance for cloud environments and consolidates key security policies across multiple, disparate encryption systems, protecting current investments.
  • Flexibility: Customers can easily deploy flexible, high-availability configurations which are built on the latest industry standards, including containers and microservices, across geographically dispersed data centers or cloud service providers.
  • Compatibility: Compatibility with the OASIS Key Management Interoperability Protocol (KMIP) standard provides support for a large, growing partner ecosystem, including the SafeNet Data Protection portfolio, which gives customers a broad spectrum of supported use cases. SafeNet Virtual KeySecure also supports key storage in on-premises hardware security modules (HSMs).

According to Sudesh Kumar, Founder and CEO of Kapalya, a California-based start-up: “As businesses connect to more devices and cloud platforms, they need solutions that offer security without limiting their potential for innovation. With SafeNet Virtual KeySecure, we’re now able to offer the ability to protect data in a seamless and cost-effective way across endpoints, public clouds and private clouds. Businesses should no longer be held back in making full use of the cloud while retaining control of some of their most important assets.”

Reddit Breach Takeaways: MFA and Access Management

August 14th, 2018

For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection. Industry trends are taking MFA to new levels by incorporating it into Access Management Solutions. This shift is being driven by concerns around an evolving IT perimeter where traditional solutions are being exploited and organizations are falling victim to cyber-attacks.

The recent news about a breach from Reddit validates the momentum in the cybersecurity world towards access management solutions. The social media platform, considered the 5th top rated website in the U.S., shared that a few of their employees’ administrative accounts were hacked. While they did in fact have their sensitive resources protected with two-factor authentication (2FA), they were surprised to learn that SMS-based authentication was not as secure as they had hoped.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” – Reddit

The weakness of SMS tokens was already discussed in 2016, when the draft guideline of the U.S. National Institute of Standards and Technology (NIST) stated that SMS-based two-factor authentication is risky. We also wrote about this in August 2016 in our blog, encouraging the use of software tokens which leverage push authentication, like the SafeNet MobilePASS+ token.

SAML-based Access Management mitigates risks

Since the issues with SMS had already been exposed, why didn’t Reddit implement strong multi-factor authentication using software- or hardware-based tokens? It turns out that, as a general practice, they do. In a separate thread, Reddit CTO Chris Slowe said that the company, as a rule, had required staff with data access to use a two-factor authentication solution that included a time-based one-time password (TOTP). However, he added, “there are situations where we couldn’t fully enforce this on some of our providers since there are additional “SMS reset” channels that we can’t opt out of via account policy.” Had they protected their resources with a SAML-based access management solution, that reset channel would have been overridden, immediately mitigating the risk it introduced. The fact remains that they were exposed through SMS-based authentication – but how did that happen?

Chris Slowe stated that he knew the target’s phone had not been hacked. However, it is important to understand that hacking the phone is only one of the avenues by which SMS authentication can be hijacked. We’ve seen examples in movies where a phone is cloned, or where enterprising attackers call the mobile carrier to request that the SIM be redirected to a new phone (i.e. call-forwarding).

The intrinsic problem with SMS tokens is that they rely on SS7, or Signaling System No. 7. SS7 is a telephony signaling protocol used by more than 800 telecommunication operators worldwide for exchanging information, cross-carrier billing and enabling roaming, to name a few uses. There are a number of tools available that can intercept SS7 traffic.

How then did Reddit find themselves exposed? The fact is given enough money and determination, cyber criminals can find ways around many of the safeguards that are put in place today. The most likely scenario is that the hacked users fell victim to phishing or various other social engineering attacks.

Taking Identity and Access Management Solutions to New Levels

These forms of attack are ultimately what is prompting many security professionals to take their digital security practices to new levels, combining technologies to implement zero-trust networks. The importance of implementing a strong authentication solution from a trusted vendor cannot be overstated; organizations simply cannot rely on static passwords any longer.

While Reddit laments, after the fact, that SMS-based authentication wasn’t as strong as they thought, this is not the only lesson that can be learned from their exposure. What they were truly lacking was a complete solution which not only enforced multi-factor authentication but also enabled access management controls to be implemented.

Effective Identity Management Integration

Consider for a moment that Reddit had implemented an access management solution alongside their use of 2FA (even with the SMS tokens). A strong access management solution would enable them to create policies around their applications and groups of users, which would have enabled them to continue using their choice 2FA method, but would have added an additional layer of security in the form of context-based authentication, which could have prevented this breach from occurring.

Some examples of beneficial policies for an access management solution: given that Reddit’s primary offices are located in the US and Ireland, they could have set up an access policy that denies access from any country outside those locations. Or they could set a policy for the group of administrative users who found the multi-factor token cumbersome, letting them leverage their Kerberos ticket when in the office and prompting for an OTP only when working remotely, thus balancing user experience and security while protecting their environment from outsider attacks.

Forbidden Workers Access Policy

Access Policy with Integrated Windows Authentication (Kerberos)

By integrating their systems with an access management solution that supports multiple different authentication methods they could still use the preferred SMS authentication option, but add an access policy which requires them to provide a new unique OTP any time a resource is accessed, or requires the user to input both an OTP as well as their password for an extra layer of authentication security.
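To make the policies above concrete, here is an added Python example (not Gemalto or SafeNet code) that evaluates an access request against a country allow-list, an office-network-plus-Kerberos rule for administrators, and the fresh-OTP-per-resource rule. The office networks, group names, resource names and the geo-IP result attached to each request are constructed assumptions.

```python
"""Context-based access policy evaluation.

Added example, not Gemalto/SafeNet code. Models the policies described in the
post: a country allow-list for a US/Ireland company, Kerberos sufficing inside
the office while remote administrators must present an OTP, and a fresh OTP
required for every access to a sensitive resource. All networks, users and
request data are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_OTP = "require_otp"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    country: str           # result of a geo-IP lookup, assumed already performed
    src_ip: str
    kerberos_ticket: bool  # valid Integrated Windows Authentication ticket presented
    otp_verified: bool     # an OTP was verified for *this* resource access
    resource: str


ALLOWED_COUNTRIES = {"US", "IE"}                    # company offices (constructed policy)
OFFICE_NETWORKS = [ip_network("10.10.0.0/16"),      # constructed office ranges
                   ip_network("10.20.0.0/16")]
SENSITIVE_RESOURCES = {"source-control", "cloud-console"}


def in_office(src_ip):
    """True when the request originates from an office network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def evaluate(req):
    """Return (Decision, reason) for one access request."""
    # 1. Geo allow-list applies to everyone and is evaluated first, so a
    #    session from outside the allowed countries never reaches the MFA step.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision.DENY, "country not in allow-list"
    # 2. Administrators: Kerberos suffices inside the office; OTP required remotely
    #    (or from an office device that cannot present a ticket).
    if "admins" in req.groups:
        if in_office(req.src_ip) and req.kerberos_ticket:
            return Decision.ALLOW, "office network + Kerberos ticket"
        if not req.otp_verified:
            return Decision.STEP_UP_OTP, "admin access without Kerberos needs OTP"
        return Decision.ALLOW, "admin with OTP"
    # 3. Everyone else: sensitive resources need a fresh OTP on every access.
    if req.resource in SENSITIVE_RESOURCES and not req.otp_verified:
        return Decision.STEP_UP_OTP, "sensitive resource needs fresh OTP"
    return Decision.ALLOW, "default allow"


# Constructed requests covering each branch of the policy.
SAMPLE = [
    Request("alice", frozenset({"admins"}), "RU", "203.0.113.5", False, True, "cloud-console"),
    Request("alice", frozenset({"admins"}), "US", "10.10.4.7", True, False, "cloud-console"),
    Request("alice", frozenset({"admins"}), "US", "198.51.100.9", False, False, "cloud-console"),
    Request("alice", frozenset({"admins"}), "IE", "198.51.100.9", False, True, "cloud-console"),
    Request("bob", frozenset({"staff"}), "US", "198.51.100.9", False, False, "wiki"),
    Request("bob", frozenset({"staff"}), "US", "198.51.100.9", False, False, "source-control"),
]


def decide_all(requests=SAMPLE):
    """Evaluate a list of requests; returns [(user, resource, Decision, reason)]."""
    return [(r.user, r.resource, *evaluate(r)) for r in requests]


if __name__ == "__main__":
    for user, resource, decision, reason in decide_all():
        print(f"{user:6} {resource:15} {decision.value:12} {reason}")
```

The first sample shows the point of the post: a session presenting a valid OTP but arriving from a disallowed country is denied before the authentication method is even considered.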

Identity Access Management solutions: Access controls adds protection

With a strong access management solution, they would also have access to logs and reporting. This would enable them to isolate and track exactly which users were accessing applications at a given time. If the users were leveraging a software token like MobilePASS+, they would have received a notification when an access attempt was being made by their userID and subsequently had the opportunity to deny the attempt or report it immediately to their security desk.

The problem in this case wasn’t that they were using a weak authentication method, though that certainly didn’t help. The real issue was that the organization lacked the appropriate access controls. With effective cloud access management, including multi-factor authentication, organizations can sufficiently protect their employees’ user identities and their applications containing sensitive data, and prevent customers’ data from being exposed.

Want to prevent breaches and strengthen your Access Management strategy? Read about SafeNet Trusted Access here or join a Gemalto 30-minute live demo webinar.

View the original Press Release at Gemalto.com.

How Ruckus Can Deliver More Consistent Performance

July 24th, 2018

In today’s hyper-connected world, Wi-Fi networks form a critical part of the IT infrastructure for all types of businesses and educational institutions.

Without a reliable Wi-Fi network capable of delivering good and consistent connectivity, productivity suffers. For retail businesses, this poor experience can lead to customer frustration and potential loss of revenue. Additionally, as organizations become increasingly digital-focused, reliable Wi-Fi will play an even more integral role in back-end operations.

When it comes to wireless access point (AP) deployment in real-world situations, interference, competing clients, and even building construction material all have an effect on the performance of the wireless network. The future will bring more users, more bandwidth-intensive applications, and a more diverse range of devices such as wearable tech, VR, and IoT. This will inevitably increase demand for Wi-Fi access and place additional pressure on your radio frequency (RF) environment.

Preparing for this exponential growth without exceeding your budget presents a number of challenges. You need a solution that can manage unpredictable and fluctuating Wi-Fi demands now and can easily accommodate future needs.

Better Airtime Efficiency = Greater Capacity

It’s important to note that a higher AP count does not automatically equate to greater capacity. The capacity of a single AP is equal to the number of clients (i.e., devices) that can successfully transmit over a period of time.

Why is client data rate important? Wi-Fi is a shared medium, so the longer a client spends on air transmitting, the longer other devices must wait before they can transmit. If fewer devices are given an opportunity to transmit in any given timeslot, overall capacity is reduced.

To support more clients in high-density situations, simply installing additional APs will not resolve capacity issues. That’s because there is a finite number of available channels. When channel reuse occurs, any performance improvement can be diminished due to noise, co-channel and adjacent channel interference. Network deployments with multiple APs that use overlapping channels with wider channel bandwidth have a higher probability of problematic co-channel interference.

So, not only does installing more APs drive up costs significantly, this expensive approach is unlikely to result in the better experience users expect.
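The shared-medium argument above can be quantified. The following added Python model (illustrative, not Ruckus’s own figures or algorithm) puts one slow client in a cell with nine fast ones and compares two ways of sharing the air: one frame per client per round, and an equal airtime budget per client. The equal-airtime comparison goes beyond what the post states and is included to show what ‘usable capacity’ per client means; frame size, PHY rates and the fixed per-frame overhead are constructed constants.

```python
"""Why one slow client costs everyone on a shared medium.

Added example, not Ruckus material. Models an AP cell as a shared medium in
which each frame occupies the air for payload_bits / phy_rate plus a fixed
per-frame overhead. Compares per-frame fairness (each client sends one frame
per round) with airtime fairness (each client gets an equal air budget per
round). Constants are illustrative, not measurements.
"""
from dataclasses import dataclass

FRAME_BITS = 1500 * 8     # one 1500-byte frame
OVERHEAD_US = 50.0        # constructed fixed per-frame cost (preamble, IFS, ACK)


@dataclass
class Client:
    name: str
    phy_mbps: float       # negotiated PHY data rate


def frame_airtime_us(c):
    """Microseconds one frame from client c occupies the channel."""
    # bits / (Mbit/s) comes out directly in microseconds.
    return FRAME_BITS / c.phy_mbps + OVERHEAD_US


def frame_fair(clients):
    """One frame per client per round. Returns (aggregate_mbps, {name: mbps})."""
    round_us = sum(frame_airtime_us(c) for c in clients)
    # Every client moves FRAME_BITS per round, so all get the same throughput,
    # and that throughput is dictated by the slowest client's airtime.
    per = {c.name: FRAME_BITS / round_us for c in clients}
    return sum(per.values()), per


def airtime_fair(clients, budget_us=2000.0):
    """Each client gets budget_us of air per round (whole frames, at least one).

    Returns (aggregate_mbps, {name: mbps}).
    """
    bits, round_us = {}, 0.0
    for c in clients:
        t = frame_airtime_us(c)
        frames = max(1, int(budget_us // t))   # never starve a client completely
        bits[c.name] = frames * FRAME_BITS
        round_us += frames * t
    per = {n: b / round_us for n, b in bits.items()}
    return sum(per.values()), per


def scenario():
    """Nine 300 Mbps clients plus one 6 Mbps client; returns both schedules."""
    fast = [Client(f"c{i}", 300) for i in range(9)]
    slow = Client("slow", 6)
    return frame_fair(fast + [slow]), airtime_fair(fast + [slow])


if __name__ == "__main__":
    (agg_ff, per_ff), (agg_af, per_af) = scenario()
    print(f"frame-fair : aggregate {agg_ff:6.1f} Mbps, fast client {per_ff['c0']:5.2f}, slow {per_ff['slow']:5.2f}")
    print(f"airtime-fair: aggregate {agg_af:6.1f} Mbps, fast client {per_af['c0']:5.2f}, slow {per_af['slow']:5.2f}")
```

With ten fast clients the same cell carries about 133 Mbps; swapping one of them for a 6 Mbps client drops the frame-fair aggregate to about 42 Mbps, while an equal-airtime schedule keeps it near 120 Mbps at the expense of the slow client.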

Ruckus resolves this problem by enhancing airtime efficiency so that all clients can simultaneously transmit to multiple devices, thereby drastically improving overall throughput and availability. This allows a given Ruckus AP to accommodate more clients than the equivalent competing vendor’s APs.

When it comes to capacity, it’s not just about the overall capacity of an AP. What’s important is ‘usable capacity’ for each client on that AP. You want each connected user to receive the required Quality of Service (QoS). A client that is connected at very slow speeds or continually times-out is not being adequately served by the network.

Ruckus’ patented BeamFlex® and ChannelFly technologies have been extensively tested in real-world deployments in which interference, noise, and physical barriers impact usable capacity.

ChannelFly is a new approach to optimizing RF channel selection based on capacity averages across all channels. Specialized algorithms select the best channel based on historical values.

BeamFlex is able to select antenna patterns that focus RF energy away from the direction of interference, thereby attenuating noise to the receiving station. This enables significant improvements in signal gain, increased capacity and enables Ruckus to support more devices in high-density situations, covering a larger area than competitors’ APs.

Here we delve deeper into how BeamFlex’s innovative technology is able to increase airtime efficiency for clients connecting to your wireless network.

BeamFlex® Adaptive Antenna Technology

BeamFlex technology encompasses a combination of patented software algorithms and multiple high-gain horizontally and vertically polarized antenna elements. This adaptive antenna system creates optimal antenna patterns for each device with which it communicates, resulting in significantly increased stability, performance and range.

Unlike omnidirectional antennas that radiate signals in all directions, BeamFlex technology focuses the antenna pattern on each client. Unlike fixed-position, directional antennas, BeamFlex technology dynamically configures and re-configures antenna patterns to optimize signal quality at the client. And unlike any other approaches, BeamFlex technology reconfigures the antenna pattern on a packet-by-packet basis, so it’s always being optimized for each client.

And because BeamFlex technology focuses RF energy where it’s needed, it reduces interference between APs and clients, increasing available capacity and enabling higher average throughput per client.

The net result: each AP delivers more capacity over a larger area as compared to competitive vendor APs and, thus, fewer APs are needed to deliver the capacity and coverage required. That means more reliable client connectivity and an enhanced Wi-Fi experience at considerably lower cost than alternatives.

No Client Left Behind

Increased adoption of video communications is driving worldwide growth in business IP traffic. Yet, delivering high quality video over wireless is still challenging. Video and voice are examples of applications in which latency and jitter, in addition to inadequate bandwidth, can negatively impact end-user Quality of Experience (QoE). That’s why Wi-Fi performance testing should also include tests of video-streaming capability.

Ruckus commissioned an independent third party to test the performance of a mid-range Ruckus AP against those of competitors. The tests consisted of 60 Chromebooks running video and two Mac Mini clients running data only. The number of successful simultaneous video streams supported by the AP before and after a data load was introduced was measured. The number of clients with stall-free video was recorded along with the aggregate data throughput associated with the data-only clients.

Results

The test showed that Ruckus APs delivered perfect video quality of experience in a challenging, high-density environment. Ruckus APs were able to stream high-resolution video to 60 video clients without a single stalled video while simultaneously supporting 150Mbps data throughput associated with the data clients.

Most vendor APs couldn’t deliver stall-free video to all sixty clients, even with no other traffic on the network. And no vendor except Ruckus could deliver stall-free video to sixty clients while under simultaneous data loading. These results demonstrate that Ruckus can deliver on its capacity promise.

The ever-growing number of users and devices dictates that demand for Wi-Fi bandwidth will continue its remarkable growth trajectory. But that doesn’t automatically mean that IT departments will get more budget to meet the demand. Organizations can use fewer Ruckus APs to support a given number of clients, yielding a more cost-efficient infrastructure.

Conclusion

Wi-Fi usage will continue to grow and demand for an accessible, reliable and fast network will continue to be a priority. It makes sound economic sense to choose high performance, high density-capable APs that lower your total cost of ownership, now and in the long-term.

Ruckus APs have been proven to support 30-50% more clients and to provide up to 30% better coverage than competitors’ products – without a performance penalty. More usable capacity per AP saves on capital outlay for additional APs, associated subscription fees, installation costs and other related overhead.

Patented RF technologies combat the signal degradation, noise and interference that disrupt service and make users unhappy. The result is fast and reliable Wi-Fi for everyone without the need to overprovision APs. With Ruckus, you also have the flexibility of being able to migrate from one management architecture—virtual controller, appliance-based controller, controller-less, or cloud—to another (or a hybrid deployment) without throwing away your AP investment.

If you would like to find out more about Ruckus and what they can bring to your organisation, call Net-Ctrl on 01473 281 211, or complete our Contact Form.