Network Management Archive

WPA3-Personal security – What does this mean for your Wi-Fi network?

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Expect the next-generation Wi-Fi network to have WPA3 security

What is WPA3? And some gotchas to watch out for in this Wi-Fi security upgrade | Network World

My Comments

Over the next few years, Wi-Fi routers, access points and client devices like computers and smartphones will be supporting WPA3 as a media-specific network security protocol.

At the moment, I will be focusing on the WPA3-Personal variant which is relevant to small networks like the typical home or small-business network. This kind of network security is also implemented in an increasing number of venue-based public-access networks in order to allow the venue owner to protect and authenticate the network and preserve its role as an amenity for the venue’s customers.

The WPA3-Personal network security protocol operates in the same way as WPA2-Personal from the user's point of view: a single “Wi-Fi password” is known to all access points and client devices that use the network segment.

But WPA3-Personal authenticates with this “Wi-Fi password” using Simultaneous Authentication of Equals (SAE) rather than the Pre-Shared Key (PSK) handshake used in previous WPA-Personal implementations. This also changes how the “Wi-Fi password” is represented and protected over the air, so that a captured handshake can't be used for an offline brute-force cracking attempt.

As well, each connection between the client device and the access point is encrypted in a manner unique to that connection.

The initial onboarding process will typically still be based on the traditional password-entry method. But devices will also implement Wi-Fi Easy Connect, which uses a QR code or a WPS-based push-button setup.

The WPA3 security protocol may take years to mature while a secure, reliable codebase for client-side and access-point-side implementations is worked out. The initial codebase was found to have software weaknesses in the early Personal-mode implementation, and these are being fixed now.

A question that will be raised is whether an upgrade to WPA3 security will require new hardware for either the client device or the access point or if this can be performed using revised firmware that has the necessary software code. This may depend on whether the hardware uses a purely software-defined approach for managing its functionality.

There will be mixed situations involving existing WPA2 equipment and WPA3-capable equipment. A WPA3 client like a smartphone can work with an existing WPA2-compliant Wi-Fi network segment, but without the full benefits. Similarly, a WPA3-capable Wi-Fi network segment will need to be operated in a “transition mode” to allow existing WPA2-compliant client devices to connect. Again, this doesn't provide all the benefits of a Wi-Fi network segment secured to WPA3 standards.

You can also work around this limitation by implementing two Wi-Fi network segments with separate ESSIDs. One of these could be configured to work with the current WPA2-Personal standard while the other is set up purely for WPA3-Personal. This practice may come into its own if you run one Wi-Fi network using the latest standards while you maintain another using tried-and-trusted standards.


Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices connected to the same router irrespective of what media they use to connect to this network like Ethernet or Wi-Fi wireless. It is represented at Layer 3 (Network Layer) on the OSI network model stack and is represented by IP (Internet Protocol) whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network. This is thanks to IP-based isolation functionality that the router that serves the hotspot offers.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the one-time code that confirms what we have along with what we know. But in a lot of situations, the smartphone and the computer we want to use to access the resources are on the same network. This may be our home or business network, a public-access hotspot, or a laptop tethered to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other. It is more so if the devices are communicating to each other behind the same Wi-Fi access point or Ethernet switch. This concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup if you are thinking of two devices that are able to connect to a network via Wi-Fi. This is more so where the issue of phishing of multi-factor authentication setups involving the transcription of a one-time passcode has been raised.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet / logical network behind the same gateway device (router) could be a way to attest that both devices are in the same premises. A similar test can be performed using the Layer 3 “hop count”, which counts the routers, and therefore the logical networks, traversed between the two devices.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi Wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the use of the BSSID, which identifies the particular access point the devices are connecting through, or the ESSID, which is the network's “call sign”. The BSSID could be used for a public hotspot network, including a “hotzone” network run by a local government or ISP, or a large network that uses many access points, while the ESSID approach could be used simply for a small network with a few access points.
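The subnet, ESSID and BSSID tests described in the two passages above can be combined into a graded proximity check. The following is an added example written for this page, not code from the article or from any product it mentions; the `DeviceNetInfo` structure, the sample devices and the numeric proximity levels are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceNetInfo:
    """What can be observed about one device's network attachment (constructed sample data)."""
    name: str
    ip: str                        # interface address with prefix length, e.g. "192.168.1.20/24"
    gateway: str                   # default gateway (router) address
    essid: Optional[str] = None    # Wi-Fi network name; None for a wired connection
    bssid: Optional[str] = None    # MAC of the access point in use; None for a wired connection


# Graded levels: a higher number is stronger evidence of physical proximity.
PROXIMITY_NONE = 0          # different logical networks, no claim possible
PROXIMITY_SAME_SUBNET = 1   # same subnet behind the same gateway: same premises
PROXIMITY_SAME_ESSID = 2    # same Wi-Fi network: small network with a few access points
PROXIMITY_SAME_BSSID = 3    # same access point: likely the same room in a large setup


def same_logical_network(a: DeviceNetInfo, b: DeviceNetInfo) -> bool:
    """Both addresses fall in the same subnet and both use the same gateway."""
    net_a = ipaddress.ip_interface(a.ip).network   # works for IPv4 and IPv6
    net_b = ipaddress.ip_interface(b.ip).network
    return net_a == net_b and ipaddress.ip_address(a.gateway) == ipaddress.ip_address(b.gateway)


def proximity_level(a: DeviceNetInfo, b: DeviceNetInfo) -> int:
    """Return the strongest proximity claim the observed attachment data supports."""
    if not same_logical_network(a, b):
        return PROXIMITY_NONE
    level = PROXIMITY_SAME_SUBNET
    if a.essid and a.essid == b.essid:
        level = PROXIMITY_SAME_ESSID
        # BSSIDs are MAC addresses; compare case-insensitively and only when both are known
        if a.bssid and b.bssid and a.bssid.lower() == b.bssid.lower():
            level = PROXIMITY_SAME_BSSID
    return level


# Constructed sample devices on a hypothetical home network
PHONE = DeviceNetInfo("phone", "192.168.1.20/24", "192.168.1.1", "HomeNet", "AA:BB:CC:DD:EE:01")
LAPTOP_WIFI = DeviceNetInfo("laptop", "192.168.1.21/24", "192.168.1.1", "HomeNet", "aa:bb:cc:dd:ee:01")
LAPTOP_ETH = DeviceNetInfo("desktop", "192.168.1.30/24", "192.168.1.1")          # wired, no Wi-Fi data
OTHER_AP = DeviceNetInfo("tablet", "192.168.1.40/24", "192.168.1.1", "HomeNet", "AA:BB:CC:DD:EE:02")
GUEST_TABLET = DeviceNetInfo("guest", "192.168.2.20/24", "192.168.2.1", "HomeNet-Guest", "AA:BB:CC:DD:EE:01")


def demo() -> dict:
    return {
        "phone-laptop": proximity_level(PHONE, LAPTOP_WIFI),
        "phone-desktop": proximity_level(PHONE, LAPTOP_ETH),
        "phone-tablet": proximity_level(PHONE, OTHER_AP),
        "phone-guest": proximity_level(PHONE, GUEST_TABLET),
    }


if __name__ == "__main__":
    for pair, level in demo().items():
        print(pair, level)
```

The check only has value if the attachment data comes from something the verifier trusts, such as the router or a Wi-Fi controller, rather than being self-reported by the client: a device can claim any address, ESSID or BSSID it likes. It also shows the limitation raised above, since the wired desktop on the same subnet can only ever reach the "same premises" level.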

Trusted networks with authentication certificates

On the other hand, there could be the concept of creating “trusted networks” where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. It could be used to work against man-in-the-middle attacks as well as a stronger approach to attesting trust between the client device and the network it proposes to access.

The initial appeal for this concept could be to attest the authenticity of a business’s network especially in the face of business partners or customers who want to use that network as a gateway to the Internet or use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide simple yet secure public-access Wi-Fi networks.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. Then this data could be created by the ISP as a “known trusted network” with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service especially to cater for “proof-of-presence” applications.

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, this can be a surefire way of assessing device proximity to other devices. But the use of certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.


NETGEAR to offer one of the first Wi-Fi 6 distributed-wireless setups

Article

NETGEAR Orbi with Wi-Fi 6 press picture courtesy of NETGEAR

Netgear takes its Orbi mesh Wi-Fi system to the next level with Wi-Fi 6 | PC World

From the horse’s mouth

NETGEAR

LEADING A NEW ERA OF WI-FI, NETGEAR ANNOUNCES ORBI MESH WI-FI SYSTEM USING WI-FI 6 SPECIFICALLY DESIGNED FOR THE GIGABIT INTERNET HOME (Press Release)

Product Page

My Comments

As Wi-Fi 6 (802.11ax) wireless networking comes to the fore, there will be a desire to see distributed-wireless-network systems that support this technology. Here it’s about being able to support many Wi-Fi client devices like laptops, tablets and smartphones along with devices that are designed “Wi-Fi first” including smart-home devices.

NETGEAR have started to refresh the Orbi distributed Wi-Fi system by making a new version that supports this new technology as part of the product lineup they are premiering in Las Vegas at this year's Consumer Electronics Show. It uses the separate radio backhaul that their Orbi system is known for, thus avoiding the dent in performance that can occur with systems that use the main “fronthaul” Wi-Fi segment for their backbone data transfer.

It uses four data streams across the dedicated Wi-Fi 6 backhaul to allow high-speed, high-capacity data transfer. This is in addition to four concurrent data streams on the 2.4GHz band and four concurrent data streams on the 5GHz band for the client devices to use. The system is powered by Qualcomm networking system-on-chip silicon that allows for the higher data throughput.

It is expected to appear during the second half of 2019, primarily as an updated take on the RBK50 wide-coverage devices. A question that will perplex those of us who have an Orbi distributed-Wi-Fi setup is whether the existing Orbi equipment will work with the newer Wi-Fi 6 Orbi devices.

This is more so where smaller or specialised Orbi satellite modules like the RBS50 Orbi Outdoor Satellite unit or the Orbi Voice which is a combination of a satellite unit and Amazon-Alexa-driven smart speaker are part of your Orbi setup. Or you like the idea of “pushing down” existing equipment to secondary purposes so you get more value out of the equipment you own.

What is being highlighted is the idea of using Wi-Fi 6 as a future-proof approach for wireless local networking, including distributed-Wi-Fi setups.


Staff panic buttons to drive networks to handle the Internet of Things

Article

Ekahau Wi-Fi Pager Tag panic button

Emergency-alert buttons like this Ekahau Wi-Fi name-tag panic-button setup will be influencing network architecture for the Internet Of Things

The Hotel Panic Button Could Redefine Hospitality Networking | IoT World Today

My Comments

In some workplaces where staff work alone at night or other times where they are in danger, portable emergency-call buttons are often used. Initially they were the same size as an older garage-door opener but they are becoming the size of a pendant, badge or fob. As well, rather than these devices lighting up a separate alert panel, they light up a message or “throw up” a map with an indicator on a regular computer running building-security software to show where the danger is.

Initially, they were being positioned for very-high-risk workplaces like psychiatric care or the justice and allied settings. But other workplaces where staff work alone are seeing these devices as an important safety measure, usually due to various occupational health-and-safety requirements.

For example, hotels in the USA are moving towards having Housekeeping staff use these devices in response to workplace agreements, industry safe-work safe-premises initiatives or city-based legal requirements. But these systems are being required to work in conjunction with the Wi-Fi networks used by staff and guests for business and personal data transfer.

A device of the kind that I had covered previously on HomeNetworking01.info was the Ekahau Real Time Location System. This was a pendant-style “panic-button” device, known as the T301BD Pager Tag, which had an integrated display and call button. It was also set up so that if the tag was pulled at the neckstrap, it would initiate an emergency response. I also wrote an article about these Ekahau devices being deployed in a psychiatric hospital as a staff emergency-alert setup, in order to describe Wi-Fi serving a security/safety use case relevant to the home network.

This application is being seen as a driver for other “Internet-of-Things” and smart-building technologies in this usage case, such as online access-control systems, energy management or custom experiences for guests. As I have said before when talking about what the smart lock will offer, the hotel may be seen as a place where most of us may deal with or experience one or more of the smart-building technologies. Also I see these places existing as a proving ground for these technologies in front of many householders or small-business owners who will be managing their own IT setups.

One of the issues being drummed up in this article is quality-of-service for the Internet Of Things, where the device must be able to send a signal from anywhere on the premises and the receiving endpoints must receive this signal without delay. It will become an issue as packet-driven technologies like the Internet replace traditional circuit-based technologies like telephone or 2-way radio for signalling or machine-to-machine communication.

The hotel application is based around the use of multiple access points, typically to provide consistent Wi-Fi service for staff and guests. Such a setup is about making sure that staff and guests aren't out of range of the property's Wi-Fi network and that the quality of service for all network and Internet use cases is consistent throughout the building. Here, concepts like mesh-driven Wi-Fi, adaptive-antenna approaches, load-balancing and smart smooth roaming are effectively rolled into the design of these networks.

Wi-Fi access points in the smart-building network will also be expected to serve as bridges between IP-based networks and non-IP “Internet-of-Things” networks like Bluetooth Low Energy (Bluetooth Smart), Zigbee, Z-Wave or DECT-ULE. These latter networks are pushed towards this application class due to the fact that they are designed to support very long battery runtimes on commodity batteries like AA Duracells or coin-style watch batteries. There will be an emphasis on localised bridging and the IP-network-as-backbone to provide better localisation and efficient operation.

These systems are being driven towards single-screen property-specific dashboards where you can see the information regarding the premises “at a glance”. I would reckon that operating-system-native applications and, perhaps, Progressive Web App versions will also be required to use operating-system-specific features like notification-panels to improve their utility factor in this context.

As far as the home network is concerned, I do see most of these technological concepts being rolled out to the smart home with an expectation to provide a similar service for householders and small businesses. This is more important as ISPs in competitive markets see the “Internet of Things” and improved Wi-Fi as a product differentiator.

The use of multiple Wi-Fi access points to cover an average home is being made real for the home network thanks to HomePlug wireless access points, Wi-Fi range extenders and distributed-Wi-Fi systems that will bring this kind of localised Wi-Fi to the smart home. Typically this is to rectify Wi-Fi coverage shortcomings that crop up in particular architectural scenarios like multi-storey / split-level premises and the use of building materials and furniture that limit RF throughput. It is also brought about by the use of higher-frequency wavebands like 5GHz as Wi-Fi network wavebands.

There will be an industry expectation to require access points and similar devices to provide this kind of “open-bridging” for Internet-of-Things networks. This is more so where battery-operated sensor or controller devices like thermostatic radiator valves and smart locks will rely on “low-power” approaches including the use of Zigbee, Z-Wave or similar network technology.

It will also be driven typically by carrier-supplied routers that have home-automation controller functionality which would work with the carrier’s or ISP’s home-automation and security services.

To the same extent, it may require “smart-home / building-automation” networks to support the use of IP-based transports like Wi-Fi, HomePlug and Ethernet as an alternative backhaul, in addition to the meshing or similar approaches these technologies offer to extend their coverage.

In some cases, it may be about Zigbee / Z-Wave setups with very few devices located at each end of the house, or with devices that can't always be “in the mesh” because they enter a “sleep mode” due to inactivity. There could also be the usual RF difficulties that plague Wi-Fi networks affecting these technologies.

DECT-ULE, which is based on DECT cordless-phone technology and is being championed by some European technology names, doesn't support meshing at all, so IP-based bridging and backhauls could work as a way to extend its coverage.

Such situations may be rectified by access points that use a wired backbone like Ethernet or HomePlug powerline.

In the context of the staff panic button use-case, it will roll out to the home network as part of a variety of applications. The common application that will come about will be to allow the elderly, disabled people, convalescents and the like who need continual medical care to live at home independently or with support from people assuming a carer role.

This will be driven by the “ageing at home” principle and similar agendas that are being driven by the fact that people born during the post-war baby boom are becoming older as well as the rise of increased personal lifespans.

Similarly, this application may also be underscored as a security measure for those of us who are concerned about our loved ones being home alone in a high-risk environment. This is more so in neighbourhoods where the risk of a violent crime being committed is very strong.

But I would see this concept work beyond these use cases. For example, a UK / European central-heating system that is set up with each radiator equipped with a “smart” thermostatic radiator valve that is tied in with the smart-home system. Or the use of many different control surfaces to manage lighting, comfort and home-entertainment through the connected home. This is something that will rise up as most of us take on the concept of the smart home as the technology standardises and becomes more affordable.

What is being highlighted is the requirement for high quality-of-service when it comes to sending “Internet-of-Things” signalling or control data as our networks become more congested with more gadgets. Similarly, it is about being able to use IP-based network technology as a backhaul for non-IP network data that is part of the Internet-of-Things but providing the right kind of routing to assure proper coverage and quality-of-service.


5G mobile broadband and Wi-Fi can complement each other

Article

Netgear Nighthawk 5G Mobile Hotspot press image courtesy of NETGEAR USA

Netgear Nighthawk 5G Mobile Hotspot – first retail 5G device

Why You’ll Still Need Wifi When 5G Is Everywhere, According To The Wi-Fi Alliance | Gizmodo

Wi-Fi Alliance: Wi-Fi, 5G will be complementary | FierceWireless

My Comments

There is some hype being driven by organisations defending the 5G mobile broadband and Wi-Fi wireless LAN technologies about their technology being the only one for our connected lives.

Some existing devices use 5G mobile-broadband technology but connect to endpoint devices like mobile phones using Wi-Fi. Initially these are routers being deployed by mobile carriers as a proof of concept or for network trials, while AT&T were offering a “Mi-Fi” for retail sale in the USA that implements 5G technology. At the moment, 5G hasn't appeared in the form of a smartphone or a mobile-broadband modem that is integrated in, or connected by USB to, a host computer.

Both Wi-Fi 5 (802.11ac and prior technologies) and 4G LTE mobile broadband have seen widespread deployment with each technology being seen by mobile users as offering a complementary role. Networks and equipment running the newer technologies (5G and Wi-Fi 6) will be backward compatible and offer a best-case approach to this compatibility. That is if both the network and end-user equipment run the same technology, the user gains the most benefit from what the new technology offers.

It has been identified that both technologies at their latest specification can complement each other. Here, 5G will earn its keep outdoors and in a mobile context while the Wi-Fi 6 (802.11ax) technology will earn its keep indoors. This is even though public-access Wi-Fi networks will be seen by mobile carriers as a cost-effective data-offload tool.

Wi-Fi also has supporting technologies like WiGig and Wi-Fi HaLow. The former will match 5G for speed but has a short range equivalent to an ordinary room in the house, while the latter benefits from long range and power efficiency but doesn't have the speed. Wi-Fi HaLow will then end up in the smart-home, smart-building, connected-car and smart-city application spaces where data throughput isn't all that necessary, while WiGig will end up with virtual reality, augmented reality, 4K video and other bandwidth-intensive applications.

Then there is also the kind of spectrum available for each technology. Wi-Fi technologies primarily rely on unlicensed radio spectrum, which makes them popular for households and businesses to deploy. This is in contrast to 5G which, like other cellular mobile telecommunications technologies, relies on licensed radio spectrum for which the mobile carrier has to arrange and purchase a licence from the national radiocommunications authority.

There is also a trend regarding wireless-network equipment design where there is a software-defined approach towards the media-level components. This is facilitated with small-footprint high-capability computing power and can allow the same piece of equipment to honour newer standards.

Another factor that is never raised is the concept of the local network where data can be transferred between co-located devices at the same premises. 5G is really positioned as a wireless “last mile” setup for providing telecommunications and Internet service to the end-user. This is while Wi-Fi is intended primarily to work as a local network but is used to distribute a single broadband service to multiple endpoint devices.

What really is now seen is that the new 5G mobile broadband and Wi-Fi 6 (802.11ax) LAN technologies can complement each other in a horses-for-courses manner.


Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

It is being identified that network connectivity devices and devices that are part of the Internet-Of-Things are considered the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored into the device's design, along with improper software quality assurance when it comes to the devices' firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network video-surveillance cameras. Recently, in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport. There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software, and the routers crashed.

Now the BSI, who are Germany's federal information-security government department, have taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker situation and the local-network-based attacker situation, such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.
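A password-strength check along the lines described above (at least eight characters, with at least two each of uppercase, lowercase, digit and special characters), reported as a traffic-light rating, could look like the following. This is an added example written for this page; it is not code from the BSI guideline or from any router firmware, and the three-colour banding (green when every requirement is met, amber when the length is fine but one character class is short, red otherwise) is an assumption made here for illustration.

```python
MIN_LENGTH = 8       # minimum password length as described in the article
MIN_PER_CLASS = 2    # minimum count of each character class as described in the article


def count_classes(password: str) -> dict:
    """Count characters per class. Whitespace is deliberately counted in no class."""
    return {
        "uppercase": sum(1 for c in password if c.isupper()),
        "lowercase": sum(1 for c in password if c.islower()),
        "digit": sum(1 for c in password if c.isdigit()),
        "special": sum(1 for c in password if not c.isalnum() and not c.isspace()),
    }


def unmet_requirements(password: str) -> list:
    """List every rule the password fails, in plain language for the management UI."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"needs at least {MIN_LENGTH} characters, has {len(password)}")
    for name, n in count_classes(password).items():
        if n < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name} characters, has {n}")
    return problems


def rate_password(password: str) -> tuple:
    """Return (traffic-light colour, list of unmet requirements).

    Banding (an assumption of this example):
      green  - every requirement met
      amber  - long enough, exactly one character class short
      red    - too short, or two or more classes short
    """
    problems = unmet_requirements(password)
    if not problems:
        return "green", problems
    if len(password) >= MIN_LENGTH and len(problems) == 1:
        return "amber", problems
    return "red", problems


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ["Ab12!!cdEF", "abcdEF12!", "password", "Ab1!"]:
        colour, why = rate_password(candidate)
        print(f"{candidate!r}: {colour} {why}")
```

The rating is advisory in the user interface, but the same `unmet_requirements` list can also be used to refuse a new Wi-Fi passphrase or management password outright, which is the stronger position for a device that sits on the Internet edge.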

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.
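The logging, lockout delay and session timeout described above can be modelled in a small guard object. The following is an added example written for this page, not code from the BSI guideline or from any router; the doubling delay schedule, the ten-second base delay and the ten-minute session timeout are assumptions chosen for illustration, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import secrets
import time


class LoginGuard:
    """Tracks management-login attempts, applies a growing lockout after failures,
    and expires idle management sessions."""

    def __init__(self, base_delay=10.0, max_delay=3600.0, session_timeout=600.0,
                 clock=time.monotonic):
        self.base_delay = base_delay            # delay after the first failure (seconds)
        self.max_delay = max_delay              # cap on the doubling delay
        self.session_timeout = session_timeout  # idle time before a session is dropped
        self.clock = clock                      # injectable for tests
        self.failures = 0                       # consecutive failures since last success
        self.locked_until = 0.0
        self.log = []                           # (time, source, outcome); persisted on a real device
        self.sessions = {}                      # token -> last activity time

    def attempt(self, source: str, password_ok: bool):
        """Return (accepted, seconds_until_next_attempt_allowed)."""
        now = self.clock()
        if now < self.locked_until:
            # Locked out: rejected regardless of whether the password is right,
            # like a code-protected car radio that keeps counting down.
            self.log.append((now, source, "rejected-locked"))
            return False, self.locked_until - now
        if password_ok:
            self.failures = 0
            self.log.append((now, source, "success"))
            return True, 0.0
        self.failures += 1
        delay = min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)
        self.locked_until = now + delay
        self.log.append((now, source, f"failure-{self.failures}"))
        return False, delay

    def open_session(self) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = self.clock()
        return token

    def session_active(self, token: str) -> bool:
        """True if the session exists and has been used within the timeout; expired
        sessions are removed so the token cannot be revived later."""
        last = self.sessions.get(token)
        if last is None:
            return False
        if self.clock() - last > self.session_timeout:
            del self.sessions[token]
            return False
        self.sessions[token] = self.clock()   # any activity refreshes the timer
        return True


class FakeClock:
    """Deterministic clock for demonstrations and tests (constructed helper)."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    for _ in range(3):
        print(guard.attempt("192.0.2.10", password_ok=False))   # constructed source address
        clock.advance(1)
    print(guard.attempt("192.0.2.10", password_ok=True))        # still locked
    clock.advance(60)
    print(guard.attempt("192.0.2.10", password_ok=True))        # lock expired
    for entry in guard.log:
        print(entry)
```

Note that the lockout is per device rather than per source address: a brute-force attempt from many addresses on the LAN (a compromised computer running malware, as the article mentions) would otherwise bypass a per-address counter.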

Other requirements for device management include that the device-management Web page be accessible only from the main home network, represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can't be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

The BSI TR-03148 Secure Broadband Router guidelines also address that sore point associated with router firmware. They address the issue of updating your router with the latest firmware, whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can leave the end-user high and dry, especially if weaknesses are discovered in the firmware after the manufacturer ceases to provide that software support.

The standard also calls for an “anti-bricking” arrangement where the prior firmware is kept in redundant on-device storage. This is to prevent the router from “bricking”, or failing irreversibly, if downloaded firmware arrives with software or file errors.
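An added example, not part of the article or of any vendor's code, showing the signed-firmware check and the anti-bricking dual-slot arrangement described above together: the image layout, the Ed25519 vendor key and the CRC field are constructed for this illustration, and a user opting into unsigned firmware gets a warning rather than a refusal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed image layout, not any vendor's real format:
// magic(4) | version(4, big-endian) | crc32(payload)(4) | payload | optional ed25519 signature(64)
// The signature covers everything before it.
const magic = "FWIM"

var (
	ErrFormat   = errors.New("firmware: malformed or corrupt image")
	ErrUnsigned = errors.New("firmware: not signed by the vendor key")
)

// BuildImage assembles an image. Signing happens at the vendor, never on the
// router; pass priv == nil to produce an unsigned (third-party style) image.
func BuildImage(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	hdr := make([]byte, 12)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], crc32.ChecksumIEEE(payload))
	img := append(hdr, payload...)
	if priv != nil {
		img = append(img, ed25519.Sign(priv, img)...)
	}
	return img
}

// Device models the redundant on-device storage: two firmware slots, one active.
type Device struct {
	VendorKey ed25519.PublicKey
	Slots     [2][]byte
	Active    int
}

// parse checks structure and CRC and reports whether a trailing signature
// verifies under the vendor key. A CRC mismatch is reported as ErrFormat.
func (d *Device) parse(img []byte) (version uint32, signed bool, err error) {
	if len(img) < 12 || string(img[:4]) != magic {
		return 0, false, ErrFormat
	}
	version = binary.BigEndian.Uint32(img[4:8])
	want := binary.BigEndian.Uint32(img[8:12])
	body := img[12:]
	// Signed split first: payload followed by 64 signature bytes.
	if n := len(body) - ed25519.SignatureSize; n >= 0 && crc32.ChecksumIEEE(body[:n]) == want {
		return version, ed25519.Verify(d.VendorKey, img[:12+n], body[n:]), nil
	}
	if crc32.ChecksumIEEE(body) == want {
		return version, false, nil // structurally sound but carries no signature
	}
	return 0, false, ErrFormat
}

// Install validates the image, writes it to the inactive slot and only then
// flips the active pointer, so the previous firmware stays available.
// allowUnsigned is the user's explicit opt-in for non-vendor firmware.
func (d *Device) Install(img []byte, allowUnsigned bool) (warning string, err error) {
	version, signed, err := d.parse(img)
	if err != nil {
		return "", err
	}
	if !signed {
		if !allowUnsigned {
			return "", ErrUnsigned
		}
		warning = fmt.Sprintf("firmware v%d is not vendor-signed; vendor support and updates may no longer apply", version)
	}
	spare := 1 - d.Active
	d.Slots[spare] = append([]byte(nil), img...) // copy, so the caller's buffer cannot change it later
	d.Active = spare
	return warning, nil
}

// Boot re-validates the active slot at power-on and falls back to the other
// slot if it is corrupt, instead of leaving the router unbootable.
func (d *Device) Boot() (slot int, err error) {
	for _, s := range []int{d.Active, 1 - d.Active} {
		if _, _, err := d.parse(d.Slots[s]); err == nil {
			d.Active = s
			return s, nil
		}
	}
	return -1, errors.New("firmware: no valid image in either slot")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	d := &Device{VendorKey: pub}
	d.Slots[0] = BuildImage(1, []byte("factory image"), priv)
	fmt.Println(d.Install(BuildImage(2, []byte("update"), priv), false))
	d.Slots[d.Active][12] ^= 0xff // simulate a download that was corrupted after validation
	fmt.Println(d.Boot())        // falls back to slot 0
}
```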

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This matters because of risks like us purchasing equipment that has just been superseded, typically to take advantage of lower prices, or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries, when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold into the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things, to harden these devices and prevent them from being roped into the next Mirai-style botnet.


New nomenclature for Wi-Fi wireless networks

Article

ASUS RT-AC5300 router press picture courtesy of ASUS

802.11ac? 802.11n? Wi-Fi Alliance stops with the jargon, goes with Wi-Fi 6 | Android Authority

Wi-Fi Alliance Simplifies Things With Version Numbers | Tom’s Hardware

From the horse’s mouth

Wi-Fi Alliance

Wi-Fi Alliance® introduces Wi-Fi 6 (The Beacon blog)

My Comments

The Wi-Fi Alliance has decided to adopt a new nomenclature for the main standards that Wi-Fi networks support. This is in stark contrast to referring to each standard by its IEEE reference, which can sound confusing.

It will be used in product marketing material and specifications sheets to refer to the effective “generation” that the router / access point or client device will support so one can know what is the expected “best” capability offered by that device.

The device’s operating system or firmware will also be able to indicate, on devices with some sort of dynamic visual user interface, the “generation number” that the current network connection supports. On client devices like computers or smartphones, this indicates the “best available” network expectation for the current connection.

Similarly, people and companies who provide a public-access Wi-Fi network can reference the kind of performance expected out of this network by using the “generation number” indicating what technology it supports. It could be used as a means to gauge the network’s suitability for handling peak loads such as, for example, a transit station during peak hours or a fully-occupied hotel.

IEEE standard   Wi-Fi generation   Note
802.11b         Wi-Fi 1
802.11a         Wi-Fi 2
802.11g         Wi-Fi 3
802.11n         Wi-Fi 4            Determined by Wi-Fi Alliance
802.11ac        Wi-Fi 5            Determined by Wi-Fi Alliance
802.11ax        Wi-Fi 6            Determined by Wi-Fi Alliance

A question that will come up is how the device will indicate whether it is a simultaneous multi-band device, or how many MIMO streams it runs concurrently. This will be of importance with Wi-Fi 4 / 5 / 6 (802.11n/ac/ax) devices that can work on two or more bands and have MIMO abilities but at differing levels of capability and performance.

Classic examples of this could be some low-cost access points and Wi-Fi extenders capable of working to dual-stream 802.11n on the 2.4GHz band known as N300 devices or mobile devices working on single-stream or dual-stream MIMO chipsets as part of battery conservation.

On this site going forward, I will be using the new “Wi-Fi generation number” along with the IEEE standard reference for describing the Wi-Fi network technology offered by a network device. It will also apply to describing minimum Wi-Fi standards particular to a networking situation that I write about.

For example, I may describe the Dell XPS 13’s Wi-Fi abilities as Wi-Fi 5 (802.11ac) dual-stream to reflect the effective Wi-Fi generation supported by that Ultrabook.

At least this new nomenclature will be a barometer to indicate whether a Wi-Fi network is running new technology that allows it to perform properly.


NETGEAR implements a multi-tiered approach to Power-Over-Ethernet

Articles – From the horse’s mouth

NETGEAR GS108PP ProSafe Gigabit Unmanaged 8-port Switch with Power-Over-Ethernet Plus press picture courtesy of NETGEAR

The NETGEAR GS108PP switch is able to run with different power supplies to offer different Power-Over-Ethernet power budgets

NETGEAR

NETGEAR LAUNCHES INDUSTRY’S FIRST UNMANAGED SWITCH WITH FLEXIBLE POWER OVER ETHERNET OPTIONS (Press Release)

Flexible PoE Switch with Power Upgrade Options (Blog Post)

Product Page

Previous Coverage

NETGEAR offers an affordable 8-port Gigabit unmanaged switch with Power Over Ethernet Plus on all ports

My Comments

I had previously written up about the NETGEAR GS108PP 8-port Gigabit Ethernet switch with Power Over Ethernet Plus available on all ports as an example of this company offering an Ethernet switch with desirable features at a price that would be seen to be reasonable for small-network applications. Here, it was about each of the eight ports being “powered” to the Power-Over-Ethernet-Plus (802.3at) standard rather than half of the ports, something that was happening with affordable “few port” Power-Over-Ethernet gear that was fit for small networks.

At the time of the previous article, MWAVE, an independent online computer-parts reseller, offered this device to the Australian market for AUD$169 tax inclusive before shipping, but now this price has dropped to AUD$155 tax inclusive.

It is part of a family of 8-port and 16-port Gigabit Ethernet switches with Power Over Ethernet Plus on all ports, where NETGEAR has taken an interesting approach to the overall power budget these devices can offer.

Here, they offer different power budgets for the GS108LP / GS108PP (8 port) and GS116LP / GS116PP (16 ports) by packaging different power supplies with the different units so these have a different power budget depending on what you buy. They also offer a range of power adaptors with the same voltage (54VDC) but with different current outputs that are available through the aftermarket.

NETGEAR has established this arrangement to allow a network installer to buy an Ethernet switch with a Power-Over-Ethernet power budget that is “right-sized” for the user’s current needs. Then, if those needs change, they can upgrade the power supply to meet them.

Power-Over-Ethernet power budget by power supply and model (bold text in the original table marks the in-box option)

Power supply            GS108LP   GS108PP   GS116LP   GS116PP
54VDC 1.25A (67.5W)     60W       60W       -         -
54VDC 1.66A (90W)       83W       83W       76W       76W
54VDC 2.4A (130W)       123W      123W      115W      115W
54VDC 3.7A (200W)       -         -         183W      183W

This could suit a reality with installations where you are running one or two Power-Over-Ethernet devices to see how you go with this new idea. It may include you upgrading an older device powered by its own “wall-wart” to a simplified Power-Over-Ethernet setup thanks to an active splitter box. Then you decide to add on more Power-Over-Ethernet devices or upgrade extant devices to those with better capabilities while giving them the same kind of treatment as a typical fridge or TV – “bumping” the older unit down to a secondary role in the installation.

Here, you simply switch out the not-so-powerful power supply with one that is more powerful when you are wanting to add more power to the installation rather than junking a perfectly-good Power-Over-Ethernet switch and replacing it with something more powerful. The NETGEAR Ethernet switch can exist in your network for a longer time, serving the higher power load, until newer needs come about such as to head towards a managed switch or something better. Typically this is a plug-and-play upgrade but you may have to flick a slider on the NETGEAR switch to allow it to work with the different power load.

Network installers who sell these switches can also find it useful to keep more of the power supplies as well as these switches so that they can “right-size” their installations through the installation’s life. It can also allow for the ability for them to retain the lower-output power supplies from an “upsized” installation to use on another lower-power-demand installation if the original power supply at that installation burnt out.

What I like about this approach that NETGEAR took with these unmanaged Power-Over-Ethernet switches is the idea of providing an upgrade path for people who own an existing unit but have different needs. It also avoids the need to throw away perfectly-working equipment just because you have a different power requirement.

As well, the NETGEAR GS108LP Power-Over-Ethernet switch could be offered at a two-figure price for people and businesses who want to get their feet wet with a Power-Over-Ethernet setup. This is especially if they are seeing the idea of using active splitters to power existing devices like access points or 5-port Ethernet switches “down the line” before going “full steam” with new devices.


An ideal home network for an apartment

Apartment block

Increasingly, as the cities become more dense, most of us will be either living in an apartment or looking towards doing so. In some cases, some of you may be living in a larger house in a rural or peri-urban area but maintain an apartment as a city-based “family house” if you or your family are making frequent trips downtown.

There will be issues that will impact how you set up your personal IT and home network in these apartments in order to make sure that it can coexist with your neighbours’ networks. Let’s not forget that those of you who are active in your building’s management committee may face discussions and questions about building-wide IT including the Internet Of Things. Here, I will be regularly publishing articles that may be of relevance to you and your situation.

When you are thinking of “downsizing” towards that small apartment, you may find that your needs change as far as your home network is concerned. As well, you may have to set things up so that your network coexists properly with your neighbours’ home networks especially as far as data privacy / security and network performance is concerned.

In most cases, setting up your home network and Internet connection at your apartment may be a simple task with you just installing a wireless router to use with your portable devices and, in most cases, a HomePlug AV500 powerline network segment for desktop computers and home-entertainment equipment.

But not all apartments may come across as a simple setup. For example, you may come across places with internal walls or plenums that are constructed of dense materials like double-brick, cinderblock or reinforced concrete or use metal as part of their construction, which can impede reliable Wi-Fi wireless signal reception.

As well, you need to be sure with HomePlug powerline or Wi-Fi wireless technologies that your operation of these technologies doesn’t impede on your neighbours’ use of them. This includes being sure that your data on your network stays private while theirs also stays private.

Equipment

Wireless Router

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Most recent-spec Wi-Fi routers may serve you well for apartment-based networks

You can get by with most Internet routers, whether you buy them yourself or have them supplied as part of your Internet service. This may be true for a studio, one-bedroom or small two-bedroom location but you may have to consider something with improved Wi-Fi wireless performance for larger two-bedroom or three-bedroom spaces.

It is more so if your apartment follows the typical path of having the Internet connection like the telephone socket installed at one end of the dwelling which is opposite to another end where a lot of your living takes place.

Wireless connectivity

But you need to be sure that the Wi-Fi wireless functionality is of current specification. You may not need to worry about whether the router uses external high-gain antennas because of the smaller area that it is expected to cover. But I would make sure that this functionality works across two bands simultaneously, especially as the 5GHz band is still seen as “new territory” for network coverage and can facilitate high throughput. Such a router will be described as 802.11a/b/g/n simultaneous dual-band; routers that have 802.11ac functionality will be simultaneous dual-band devices anyway.

Internet (WAN) connectivity for next-generation services

If your building is provisioned with next-generation broadband Internet service, find out whether the equipment supplied in your apartment includes router functionality or is simply a modem or optical-network terminator. In the latter situation, you would just need to use a broadband router with an Ethernet WAN (Internet) connection. It is also worth noting that a lot of FTTB (fibre-to-the-building / fibre-to-the-basement) setups will implement VDSL2 for the copper path to your apartment so you would need to use a modem router that supports this technology on the WAN side. This is a feature that is becoming available with newer mid-range and high-end DSL modem routers and is slowly trickling to economy equipment as this technology becomes more common.

In some cases, you may be lucky enough to have an FTTB setup which implements Cat5 Ethernet wiring to all of the apartments like with Spirit Telecom in Australia. The same would hold true for an FTTP (fibre-to-the-premises) setup which simply uses an optical-network terminator. Such setups would simply use a broadband router with an Ethernet WAN connection.

It is also worth noting that a lot of premium DSL modem routers including some equipment offered by carriers are offering a “dual-WAN” or “multiple-WAN” functionality where they have two different paths for connection to the Internet. This is typically an Ethernet and a DSL connection with the ability for you to select between these connection types using the configuration Web interface that they provide. Some of these modem routers have one of the Ethernet ports able to be switched between a LAN (home network) connection or a WAN (Internet) connection rather than a dedicated WAN Ethernet port and you would have to make sure you select the right type of connection for the purpose in mind.

When you move in to a new building as part of your downsizing efforts, you may need to find out from whoever is in charge of the building such as the owners corporation whether it has been provisioned for a fibre-based next-generation broadband service. Here, you would need to know what technology is being used along with whoever is providing the Internet service. This is so you can be sure you have the right equipment for the service.

That headline Wi-Fi Internet service offered by your building

Android main interactive lock screen

Those headline Wi-Fi Internet services offered by the apartment building will work well with smartphones, tablets and computers only and are best used for casual Internet use

Avoid the temptation to use for your main Internet service that free Wi-Fi service that your building offers as a headline amenity. The kind of developments that typically offer this kind of service are “resort” apartment developments, retirement villages or so-called “residence” apartments let out on a similar business model to a hotel. It also includes hotels that have rooms and apartments available to let for long-term residence but in the same “inn-style” business context with rent; light, heat and power; telecommunications, food and similar living expenses as one payment to that hotel.

This is because of the fact that most of these networks aren’t secure, typically being set up as open wireless networks with a Web-based login experience and intended for casual login. If these networks are properly set up as a public-access network, they will be set up with client isolation so that client devices cannot discover each other across the network.

Therefore, they don’t play well with anything other than a regular (desktop or laptop) or mobile (smartphone or tablet) computing device. I encountered this problem through an online conversation with someone who bought the Sony CMT-MX750Ni network-capable micro music system that I reviewed and couldn’t run its integrated Internet radio and online content functionality. Further correspondence that I had with the commenter revealed that this stereo was installed in a “resort” apartment which had this kind of free Wi-Fi Internet access. They ended up having to use it with an iOS device connected to the Wi-Fi network and running a content app for online content.

There is still the security risk of having all the network traffic associated with everyone in the building using that network being “sniffed out” especially in an improperly-configured network, along with the risk of a commonly-known password that is rarely changed.

These Wi-Fi internet services are best used when you want to use Internet-based services from your laptop, tablet or smartphone while in a common space. But you won’t be able to use your home network’s resources from a device connected to one of these Wi-Fi Internet services.

Your home network

Wired-network segment

NETGEAR GS108PP ProSafe Gigabit Unmanaged 8-port Switch with Power-Over-Ethernet Plus press picture courtesy of NETGEAR

It may be worth having your apartment wired for Ethernet if you are buying “off the plan”

It is important to consider establishing a wired-network segment alongside your Wi-Fi wireless network segment. This is more important with the arrival of Smart TVs and network-connected video peripherals so you can be sure that they work properly and provide enjoyable viewing. In some cases, if you are locating a desktop computer or network-capable printer away from the router, you may find that a wired network segment may do the job.

If your apartment is being newly built such as when you buy one “off the plan”, it may be worth considering having an Ethernet connection installed if you can afford it. Here, you could have it set up to link to the main living area, the bedrooms and / or study / office space. Here, this is important for larger spaces like two-bedroom or larger apartments, dual-level maisonettes and the like. In this context, the areas you will need to cover are where the router will be and where you will be watching TV or using games consoles or similar equipment.

HomePlug AV adaptor

HomePlug networks can work well with apartment setups as a “wired no-new-wires” network

On the other hand, you can set up a HomePlug AV500 or better powerline network segment to cover your apartment. This is more important if you are on a tight budget or are dealing with a small apartment, and would earn its keep with existing developments.

Some of you may think that you could use a HomePlug powerline network segment to temporarily extend your home network from your apartment out to a common area or your neighbour’s apartment. You wouldn’t see reliable operation if you are doing this in a larger building, due to the way the building is wired for many households or the fact that the building’s electrical subsystem is also serving various pieces of “big-time” electrical equipment like lifts or building-wide heating / air-conditioning equipment which can yield electrical interference.

Wireless access point

You may find that your home network’s Wi-Fi wireless segment can cover your apartment easily, but there are some situations where these places can yield patchy coverage, especially for smartphones and tablets.

For example, your apartment may have one or more interior walls made of a dense material like double-brick or concrete and these could impede the Wi-Fi coverage. This can also include where a building uses metal ducts or plenums running from floor to ceiling in the apartment for central heating and air-conditioning, garbage disposal or other purposes. It also includes where you are dealing with pre-1960s buildings where fireplaces used to exist or still exist but in a cosmetic manner. Similarly, you may be living in a “maisonette” or similar-styled apartment where your apartment is across two levels and your network’s coverage may not span both levels properly.

Devolo dLAN 550 WiFi HomePlug AV500 access point press picture courtesy of Devolo AG

The compact Devolo dLAN 550 WiFi HomePlug wireless access point – fills in the Wi-Fi gaps

Here, you may have to consider implementing an extension wireless access point to improve your network’s reception in those patchy areas. Typically the HomePlug wireless access points that use your apartment’s AC wiring as the backbone can answer this need very easily, providing just the right amount of coverage to fill in that dead-spot. Similarly, some wireless range extenders that can be set up to become access points for a wired backbone can provide that same level of coverage. At the most, you will typically end up with using two wireless access points in your setup – one that is part of the router as well as one extension access point.

How do I set this up?

The Wi-Fi wireless network

NETGEAR Orbi distributed WiFi system press image courtesy of NETGEAR

Distributed Wi-Fi setups like this NETGEAR Orbi can assure coverage across that large apartment, penthouse or two-level maisonette

In this area, you may have to identify a vacant operating frequency for the network using a Wi-Fi finder app, available for most regular-computer platforms and Android mobile platforms. Here, the channel you use would be the one showing the lowest signal strength from neighbouring networks, because no nearby network is using that channel.

But you may find that some wireless routers, access points or distributed-Wi-Fi systems may offer this functionality as part of their setup procedure or may even automatically tune themselves as part of an “easy-setup” routine.

Then you determine a unique SSID (wireless network name) and passphrase for your network and configure your router and other wireless-network equipment to work to these specifications. Some of the routers, especially those offered by ISPs, may have a unique pre-defined SSID and passphrase, but it may be worth changing the SSID on these devices or, if you are comfortable with it, connecting your client devices to this new SSID configuration.

Shared-Internet-access setups

Some of you may use FON, Telstra Air or similar “shared Internet access” setups which require your home network router to be part of a wireless public-access network. Such services have you offer bandwidth to other users who aren’t part of your household, and in return you are able to get bandwidth for free from others who do the same.

This is achieved by the router maintaining Wi-Fi access for your home network alongside a separate Wi-Fi local network for the public-access service, typically by having two SSIDs on the same frequency – one for the public-access network and the other for your home network.

You may find that other people in the street can’t use the public-access network as expected because your router is located high up and away from street level. This can manifest with the remote device used by the person on the street acting as though it is in a fringe area and exhibiting patchy reception. It is something I have experienced in Docklands where it was a hit-and-miss affair to use the Telstra Air service offered by an apartment dweller living in one of the buildings that was facing a public walkway from my smartphone outside the building.

On the other hand, the only people who would benefit are others who are walking up and down the corridor outside your apartment.

The HomePlug powerline network

Western Digital LiveWire HomePlug AV Ethernet switch

You may have to use the SYNC or SimpleConnect buttons on your home network devices like this WD LiveWire HomePlug AV switch to assure reliable secure connectivity in your apartment-based HomePlug setup

Here, this network may be a simpler affair where you just use the SimpleConnect buttons on the HomePlug adaptors to create a new network segment with its own encryption. This is a procedure that I had described in this IT assistance article where I was instructing my former pastor over the phone about how to set up a HomePlug segment for his desktop computer when he moved to a new location. But it is imperative to perform this process when you are setting up a HomePlug segment for the first time so as to avoid your data “creeping on” to your neighbour’s HomePlug segment or vice versa.

If you are adding other HomePlug devices, you need to follow the routine for using SimpleConnect buttons to add these devices – press the button on the new device then on the existing device while watching for the lights to flicker in a certain way.

When it comes to connecting a cluster of co-located network-capable equipment together, like a home-entertainment system, you can either purchase a HomePlug-Ethernet switch that has multiple Ethernet connections, or simply get by with a desktop Ethernet switch connected to a HomePlug adaptor to bring all the equipment in that cluster online – most desktop five-port Gigabit Ethernet switches cost very little to purchase.

Devolo dLAN 1200+ HomePlug AV2 MIMO adaptor press picture courtesy of Devolo

HomePlug AV2 like what is offered by this Devolo dLAN 1200+ adaptor may provide more stable operation when competing with large motors in the building (European setup)

Most apartment setups may be able to get by with the HomePlug AV500 powerline networks but you may find that HomePlug AV2 1200 MIMO-based technology may suit your needs better. This may be of relevance for those of you who may benefit from the extra bandwidth or who find that the highly-robust technology may cope with the high concentration of heavy-duty motors used in these buildings for things like air-conditioning or lifts better.

Other notes

If you are using a network-attached storage device or something similar, it may be preferable to connect it directly to the router rather than via a Wi-Fi or HomePlug network, because this assures a more reliable connection when it comes to making sure files arrive at the NAS complete.

Conclusion

An apartment can come across as a simple place to set up a home network within but there are some issues to work out so that you have a reliable secure home network that coexists with your neighbours’ home networks easily.


What could be done to simplify your router upgrade

Telstra Gateway Frontier modem router press picture courtesy of Telstra

There needs to be a standard filetype to simplify the process of upgrading your home network router without reconfiguring your home network

An issue that will crop up through the life of a home network is to upgrade the router. This will be brought on with replacement of carrier-supplied equipment with retail equipment, replacing that half-dead router that you are always powering off and on many times a week, or upgrading to higher-performance equipment.

But you will end up having to transcribe out configuration data from your old equipment so you can enter it in to your new equipment especially if you want to avoid having to reconfigure other network equipment on your same home network.

Most routers offer a way for users to back up the current configuration details. This is typically to allow a user to do things like perform a factory reset or test a configuration without losing a prior known-to-work state.

The process typically requires the user to download a configuration file to the computer they are configuring the router from in a similar manner to downloading a resource from the Web. But there isn’t a consistent file schema for storing this data in a manner for transferring to devices supplied by different vendors. In some cases, you may not be able to transfer the configuration data to newer equipment from the same vendor such as to install a newer router model.

AVM has taken steps in the right direction by allowing users to save a configuration from an older Fritz!Box router and upload it to a newer Fritz!Box router running a newer version of the Fritz!OS firmware. This also caters for the router carrying your configuration forward when its own firmware is updated to a newer version.

But what can be done to make this work better would be to use a standard file format, preferably an XML-based schema which could be used for storing a router configuration. This would have to be agreed upon by all of the vendors to provide true vendor interoperability.

There would also be issues about providing multiple methods of storing this data. It could be about maintaining the traditional HTTP download / upload approach with Web clients on the same local network. Or it could also be about transferring the data between a USB Mass Storage device and the router such as to facilitate an out-of-box install.

Such a setup could allow for a range of scenarios like simplifying the upgrade path or to make it easier for support staff to keep information about different configurations they are responsible for.

The configuration data would have to cater for WAN (Internet) and LAN details including details regarding Wi-Fi wireless network segments, advanced network setups like VLAN and VPN setups, VoIP endpoint setups as well as general and security-related data.

Of course an issue that will crop up would be assuring the user of proper network security and sovereignty, something that could be assured through not persisting the management password to a new router. Also you won’t be able to keep Wi-Fi channel data especially if you deal with self-optimising equipment, because you may have to face an evolving Wi-Fi spectrum landscape.
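As an added example of the kind of interchange file proposed here, and not code from any router vendor, an export/import pair in which the management password is never written out and the Wi-Fi channel data is dropped, as the previous paragraph suggests. The element names and the sample values are assumptions of this example, not an agreed standard.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// WiFiSegment is one SSID. Channel is blanked on export (see Export). The
// passphrase does travel in the file, so the file itself needs protecting.
type WiFiSegment struct {
	SSID       string `xml:"ssid"`
	Passphrase string `xml:"passphrase"`
	Band       string `xml:"band,attr"`
	Guest      bool   `xml:"guest,attr"`
	Channel    int    `xml:"channel,omitempty"`
}

type VLAN struct {
	ID   int    `xml:"id,attr"`
	Name string `xml:"name"`
}

// RouterConfig is the constructed vendor-neutral schema; the element names
// are assumptions of this example, not an agreed standard.
type RouterConfig struct {
	XMLName   xml.Name      `xml:"routerConfig"`
	Schema    int           `xml:"schema,attr"`
	WANType   string        `xml:"wan>type"` // e.g. "vdsl2" or "ethernet"
	WANUser   string        `xml:"wan>username,omitempty"`
	LANSubnet string        `xml:"lan>subnet"`
	WiFi      []WiFiSegment `xml:"wifi>segment"`
	VLANs     []VLAN        `xml:"vlans>vlan,omitempty"`
	// Deliberately not serialisable: the new router gets a freshly chosen
	// management password rather than inheriting the old one.
	AdminPassword string `xml:"-"`
}

const schemaVersion = 1

// Export writes the interchange file, dropping Wi-Fi channel numbers so a
// self-optimising router re-surveys the spectrum instead of inheriting them.
func Export(c RouterConfig) ([]byte, error) {
	out := c
	out.Schema = schemaVersion
	out.WiFi = append([]WiFiSegment(nil), c.WiFi...) // copy; leave the live config alone
	for i := range out.WiFi {
		out.WiFi[i].Channel = 0 // omitempty then leaves the element out
	}
	return xml.MarshalIndent(out, "", "  ")
}

// Import parses the file, checks the schema version, and refuses any file that
// carries a management password rather than silently ignoring it.
func Import(data []byte) (RouterConfig, error) {
	var probe struct {
		AdminPassword *string `xml:"adminPassword"`
	}
	if err := xml.Unmarshal(data, &probe); err != nil {
		return RouterConfig{}, err
	}
	if probe.AdminPassword != nil {
		return RouterConfig{}, errors.New("config: file carries a management password; refusing to import")
	}
	var c RouterConfig
	if err := xml.Unmarshal(data, &c); err != nil {
		return c, err
	}
	if c.Schema != schemaVersion {
		return c, fmt.Errorf("config: unsupported schema version %d", c.Schema)
	}
	return c, nil
}

func main() {
	// Constructed sample configuration.
	cfg := RouterConfig{WANType: "vdsl2", LANSubnet: "192.168.1.0/24", AdminPassword: "not-exported",
		WiFi: []WiFiSegment{{SSID: "Flat12", Passphrase: "example-passphrase", Band: "5GHz", Channel: 36}}}
	data, err := Export(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
}
```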

What will need to happen is to provide methods to allow seamless upgrading of devices that serve as your network-Internet “edge” so you can simplify this upgrade process and get the most out of the new equipment.
