Network Management Archive

6GHz Wi-Fi technology moving towards room-by-room Gigabit Wi-Fi

Article

NETGEAR Orbi distributed WiFi system press image courtesy of NETGEAR

Distributed Wi-Fi setups like this NETGEAR Orbi will be heading towards the Gigabit Wi-Fi goal on the 6GHz waveband

ARRIS: How 6 GHz Wi-Fi will revolutionise the connected home | Wi-Fi Now

My Comments

ARRIS, who make home-network equipment for the American market, are pushing the idea that the 6 GHz Wi-Fi network is a major evolution for the home network.

This is coming about because the national government departments that oversee radiocommunications use within their jurisdictions are working on regulatory instruments to open up unlicensed low-power indoor use of the 6 GHz radio waveband. Such regulation is expected to be passed by the FCC in the US by mid-year 2020 and OFCOM in the UK by 2021, with other jurisdictions to follow suit over the next few years.

It will open up seven new 160MHz channels for the Wi-Fi 6 technology with the feasibility to open up a Gigabit Wi-Fi network. This is expected to lead to the evolution of the self-configuring distributed Wi-Fi setup with a Gigabit Wi-Fi backbone plus each access point offering a 160MHz Wi-Fi 6 channel alongside support for low-power narrower-bandwidth 2.4GHz and 5GHz channels for legacy equipment.

There will be the implementation of the Wi-Fi EasyMesh and Wi-Fi EasyConnect standards to permit secure setup and an open-frame heterogeneous distributed-wireless network.

One limitation I do see confronting this ideal that Arris put forward is the short-wavelength Wi-Fi backbone which can be a hindrance with certain building materials and construction approaches like double-brick walls. There will also be the requirement to run many access points to make sure the average home is covered properly. Here, the wired backbone whether “new wires” like Ethernet or “no new wires” like HomePlug AV2 powerline or MoCA TV-antenna coaxial still has to be considered for a multiple-access-point network.

ARRIS was even positioning for the evolution of the distributed Wi-Fi network to have each room with its own access-point node capable of yielding Gigabit bandwidth. They also put forward ideas like having these access points mounted on the ceiling. But I would also prefer the idea of a normally-sessile endpoint device like a network printer, Amazon-Echo-style smart speaker or a smart TV being its own access point that is part of the distributed Wi-Fi network. It then avoids the need to equip a room with an extra access point if you are intending to have this kind of device in that room.

The use of Wi-Fi 6 technologies will also be about working with environments that are congested as far as Wi-Fi wireless networking is concerned. These environments like multiple-premises buildings, airports or hotels are likely to have many Wi-Fi devices operating on many Wi-Fi networks which, with prior technologies, leads to poor performance especially on the throughput and latency side.

It may take a few years for the Wi-Fi wireless network to hit the Gigabit throughput mark as the 6 GHz band opens up and more access-point and client devices come on the market.


20 Years of Wi-Fi wireless

From the horse’s mouth

Wi-Fi Alliance 20th anniversary logo courtesy of Wi-Fi Alliance

20 Years of Wi-Fi (Press Release)

My Comments

“Hey, what’s the Wi-Fi password here?” This is a very common question around the home as guests want to come on to your home network during their long-term visit to your home. Or one asks the barista or waiter at the cafe “Do you have Wi-Fi here?” with a view to some free Internet use in mind.

“What’s the Wi-Fi password?”

It is brought about by Wi-Fi wireless-network technology that has become a major lifestyle changer over the last 20 years. This was propelled in the early 2000s by Intel advancing their Centrino Wi-Fi network-interface chipset, which put forward the idea of highly-portable computing.

Dell XPS 13 9380 lifestyle press picture courtesy of Dell Corporation

The laptop like this Dell XPS 13 – part of the Wi-Fi lifestyle

The laptop computer, mobile-platform tablet and smartphone benefited from Wi-Fi due to their inherently-portable nature. This effectively allowed for an “anywhere anytime” online work and play lifestyle, including using that iPad or smartphone as a second screen while watching TV. Let’s not forget the use of Internet radios, network-based multiroom audio setups and those smart speakers answering you when you speak to them.

“Do you have free Wi-Fi here?”

Over the years there have been incremental improvements in bandwidth, security and quality-of-service for Wi-Fi networks both in the home and the office. Just lately, we are seeing home networks equipped with distributed Wi-Fi setups where there are multiple access-point devices working with a wired or wireless backhaul. This is to assure full coverage of our homes with Wi-Fi wireless signals, especially as we face different floorplans and building-material types that may not assure this kind of coverage.

But from this year onwards, the new Wi-Fi network will be based on Wi-Fi 6 (802.11ax) technology and implement WPA3-grade security. There will also be the idea of opening up the 6GHz wavebands around the world to Wi-Fi wireless-network traffic, along with having support for Internet-of-Things applications.

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The Wi-Fi router – part of every household

The public-access Wi-Fi networks will be more about simple but secure login and usage experiences thanks to Wi-Fi Passpoint. This will include simplified roaming between multiple Wi-Fi public-access hotspot networks, whether this is based on business relationships or not. It will also lead to telcos using Wi-Fi networks as a method to facilitate complementary coverage for their mobile-broadband networks whether they use current technology or the new 5G technology.

What needs to happen for Wi-Fi is to see work take place regarding high-efficiency chipsets for Internet-of-Things applications where such devices will be required to run on a small number of commodity batteries for a long time. One requirement I would like to see for public-access Wi-Fi is the ability to create user-defined “secure device clusters” that allow devices in that cluster to discover each other across the same public-access network but other devices outside of the cluster can’t discover them.

So happy 20th Anniversary to the network technology that has effectively changed our online lifestyle – the Wi-Fi wireless network.


WPA3-Personal security–What does this mean for your Wi-Fi network

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Expect the next-generation Wi-Fi network to have WPA3 security

What is WPA3? And some gotchas to watch out for in this Wi-Fi security upgrade | Network World

My Comments

Over the next few years, Wi-Fi routers, access points and client devices like computers and smartphones will be supporting WPA3 as a media-specific network security protocol.

At the moment, I will be focusing on the WPA3-Personal variant which is relevant to small networks like the typical home or small-business network. This kind of network security is also implemented in an increasing number of venue-based public-access networks in order to allow the venue owner to protect and authenticate the network and preserve its role as an amenity for the venue’s customers.

The WPA3-Personal network security protocol has the same method of operation as a WPA2-Personal network: a “Wi-Fi password” known in common to all access points and client devices that use the network segment.

But it handles this “Wi-Fi password” using Simultaneous Authentication of Equals (SAE) rather than the Pre-Shared Key (PSK) method used in earlier WPA-Personal implementations. This changes how the “Wi-Fi password” is represented and used in the authentication exchange, so as to protect it against an offline brute-force cracking attempt.

As well, each connection between the client device and the access point is encrypted in a manner unique to that connection.

The initial onboarding process will be typically based on the traditional password-entry method. But it will also implement Wi-Fi EasyConnect which uses a QR code or WPS-based push-button setup.

The Wi-Fi WPA3 security protocol may take years to become mature while a secure, surefire codebase for client-side and access-point-side implementations is worked out. Early WPA3-Personal implementations were found to have software weaknesses and these are being fixed now.

A question that will be raised is whether an upgrade to WPA3 security will require new hardware for either the client device or the access point or if this can be performed using revised firmware that has the necessary software code. This may depend on whether the hardware uses a purely software-defined approach for managing its functionality.

There will be situations where existing equipment and WPA3-capable equipment have to work together. Here, a WPA3 client like a smartphone can work with an existing WPA2-compliant Wi-Fi network segment but will not have the full benefits. Similarly, a WPA3-capable Wi-Fi network segment will need to be operated in a “transition mode” to allow existing WPA2-compliant client devices to connect. Again, this doesn’t provide all the benefits of a Wi-Fi network segment secured to WPA3 standards.

You can also work around this limitation by implementing two Wi-Fi network segments that have separate ESSIDs. One of these could be configured to work with the current WPA2-Personal standard while the other is set up purely for WPA3-Personal. This practice may come into its own if you have a Wi-Fi network using the latest standards while you maintain another using tried-and-trusted standards.
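The WPA2-only, transition-mode and WPA3-only cases above can be told apart from what an access point actually advertises, because the AKM suites (PSK versus SAE) and the Protected Management Frames flags live in the RSN information element of every beacon. The following Python is an added worked example, not code from the Network World article or from this blog; it decodes that element and reports what a network owner would want checked. The three beacon elements at the bottom are constructed by hand, not captured from real equipment.

```python
"""Decode the RSN information element an access point advertises in its
beacons and say whether the segment is WPA2-Personal only, WPA3-Personal
transition mode or WPA3-Personal only.  Added example, not code from the
Network World article or this blog; the three elements at the bottom are
constructed by hand, not captured from real equipment."""
import struct

RSN_ELEMENT_ID = 0x30
OUI_IEEE = b"\x00\x0f\xac"  # suite selectors assigned by IEEE 802.11
AKM_NAMES = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7  # RSN capabilities: PMF required / PMF capable


def _suite_name(selector, table):
    if len(selector) != 4:
        raise ValueError("truncated suite selector")
    if selector[:3] != OUI_IEEE:
        return "vendor:" + selector.hex()
    return table.get(selector[3], f"unknown-{selector[3]}")


def _suite_list(body, pos, table):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    names = [_suite_name(body[pos + 4 * i:pos + 4 * i + 4], table) for i in range(count)]
    return names, pos + 4 * count


def parse_rsn_ie(ie):
    """Return the group cipher, pairwise ciphers, AKM suites and PMF flags."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite_name(body[2:6], CIPHER_NAMES)
    pairwise, pos = _suite_list(body, 6, CIPHER_NAMES)
    akm, pos = _suite_list(body, pos, AKM_NAMES)
    # RSN capabilities are optional; treat a missing field as all-zero.
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}


def classify(ie):
    """Name the WPA-Personal mode implied by the advertised AKM suites."""
    akm = set(parse_rsn_ie(ie)["akm"])
    if "SAE" in akm and akm & {"PSK", "PSK-SHA256"}:
        return "WPA3-Personal transition mode"
    if "SAE" in akm:
        return "WPA3-Personal only"
    if akm & {"PSK", "PSK-SHA256"}:
        return "WPA2-Personal only"
    return "other: " + ", ".join(sorted(akm))


def audit(ie):
    """Findings a network owner would act on, given what the AP advertises."""
    info, mode, findings = parse_rsn_ie(ie), classify(ie), []
    if "SAE" in info["akm"] and not info["mfpc"]:
        findings.append("SAE offered without Protected Management Frames capability")
    if mode == "WPA3-Personal only" and not info["mfpr"]:
        findings.append("WPA3-only segment should require Protected Management Frames")
    if mode == "WPA3-Personal transition mode":
        findings.append("transition mode: WPA2 clients still join with PSK, so the segment is not WPA3-grade")
    if "TKIP" in info["pairwise"] or info["group"] == "TKIP":
        findings.append("TKIP cipher still enabled")
    return findings


# Constructed beacon elements (element id 0x30, length, body), CCMP-128 throughout.
WPA2_ONLY_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
TRANSITION_IE = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
WPA3_ONLY_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")

if __name__ == "__main__":
    for label, ie in [("WPA2-only", WPA2_ONLY_IE), ("transition", TRANSITION_IE), ("WPA3-only", WPA3_ONLY_IE)]:
        print(label, "->", classify(ie), audit(ie))
```

Feed it the RSN element from any beacon your own Wi-Fi scanner exposes and the result tells you which of the three modes a segment is really in, independent of what the router’s web page claims; the two-SSID arrangement above shows up as one element with PSK only and another with SAE and PMF required.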


Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices connected to the same router irrespective of what media they use to connect to this network like Ethernet or Wi-Fi wireless. It is represented at Layer 3 (Network Layer) on the OSI network model stack and is represented by IP (Internet Protocol) whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network. This is thanks to IP-based isolation functionality that the router that serves the hotspot offers.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the one-time code that confirms what we have along with what we know. But in a lot of situations, we have the smartphone and the computer we want to use to gain access to the resources existing on the same network. This may be our home or business network, a public-access hotspot, or tethering our laptop to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other. It is more so if the devices are communicating to each other behind the same Wi-Fi access point or Ethernet switch. This concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup if you are thinking of two devices that are able to connect to a network via Wi-Fi. This is more so where the issue of phishing of multi-factor authentication setups involving the transcription of a one-time passcode has been raised.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet / logical network behind the same gateway device (router) could be a way to attest that both devices are in the same premises. The same test can be performed by the use of a “hop count” at Layer 3 of the OSI model, which also indicates the number of logical networks passed through.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor, such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the use of the BSSID, which identifies the same access point that the devices are connecting through, or the ESSID, which is the network’s “call sign”. The BSSID could be used for a public hotspot network, including a “hotzone” network run by a local government or ISP, or a large network that uses many access points, while the ESSID approach could be used simply for a small network with a few access points.
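The same-subnet, hop-count and BSSID/ESSID checks just described, applied to the enhanced two-factor use case earlier, as an added worked example in Python. This is not this blog’s own method: the attestation levels, the Device fields and the sample addresses and MAC addresses are assumptions constructed for the example, and the hop count is derived from a received packet’s TTL against the sender’s assumed initial value.

```python
"""Attest how close two devices are from the logical-network attributes each
can see about itself.  Added example, not this blog's own method: the levels,
the Device fields and the sample records are assumptions made here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Weakest to strongest attestation the attributes can support.
LEVELS = ["none", "same-network", "same-subnet", "same-access-point"]


@dataclass
class Device:
    name: str
    ip: str                      # interface address, e.g. "192.168.1.23"
    prefix: int                  # subnet prefix length, e.g. 24
    gateway: str                 # default gateway (router) address
    essid: Optional[str] = None  # Wi-Fi network name; None on Ethernet/HomePlug
    bssid: Optional[str] = None  # MAC of the access point in use; None when wired
    venue: Optional[str] = None  # Passpoint / Hotspot 2.0 venue name, if advertised


def same_subnet(a, b):
    """Same logical network: same IP subnet behind the same gateway address."""
    net_a = ipaddress.ip_interface(f"{a.ip}/{a.prefix}").network
    net_b = ipaddress.ip_interface(f"{b.ip}/{b.prefix}").network
    return net_a == net_b and ipaddress.ip_address(a.gateway) == ipaddress.ip_address(b.gateway)


def same_access_point(a, b):
    """Only meaningful when both sides are on Wi-Fi and report a BSSID."""
    return bool(a.bssid and b.bssid and a.bssid.lower() == b.bssid.lower())


def same_named_network(a, b):
    """Weaker signal: same ESSID or same Passpoint venue, possibly another AP or subnet."""
    return bool((a.essid and a.essid == b.essid) or (a.venue and a.venue == b.venue))


def proximity_level(a, b):
    """Strongest level the visible attributes support, falling back as media differ."""
    if same_access_point(a, b) and same_subnet(a, b):
        return "same-access-point"
    if same_subnet(a, b):           # covers a wired device with no BSSID to compare
        return "same-subnet"
    if same_named_network(a, b):    # same call sign, but another subnet or AP
        return "same-network"
    return "none"


def hops_from_ttl(observed_ttl, initial_ttl=64):
    """Layer-3 hop count from a received packet's TTL; 0 means no router in between."""
    if not 0 < observed_ttl <= initial_ttl:
        raise ValueError("TTL outside the sender's initial range")
    return initial_ttl - observed_ttl


def mfa_proximity_ok(a, b, required="same-subnet"):
    """Policy gate for a second factor held on another device (the 2FA use case)."""
    return LEVELS.index(proximity_level(a, b)) >= LEVELS.index(required)


# Constructed sample records: a home network with two access points and a guest segment.
PHONE = Device("phone", "192.168.1.23", 24, "192.168.1.1", essid="HomeNet", bssid="aa:bb:cc:dd:ee:01")
LAPTOP = Device("laptop", "192.168.1.40", 24, "192.168.1.1", essid="HomeNet", bssid="AA:BB:CC:DD:EE:01")
TABLET = Device("tablet", "192.168.1.60", 24, "192.168.1.1", essid="HomeNet", bssid="aa:bb:cc:dd:ee:02")
DESKTOP = Device("desktop", "192.168.1.50", 24, "192.168.1.1")  # Ethernet, so no BSSID
GUEST = Device("visitor", "192.168.2.5", 24, "192.168.2.1", essid="HomeNet-Guest", bssid="aa:bb:cc:dd:ee:11")

if __name__ == "__main__":
    for other in (LAPTOP, TABLET, DESKTOP, GUEST):
        print(PHONE.name, "vs", other.name, "->", proximity_level(PHONE, other), mfa_proximity_ok(PHONE, other))
```

The ordering of the checks matters: a same-BSSID match is only trusted when the subnet also matches, so a guest segment served by the same radio does not pass as “same room”, and a wired desktop that can never report a BSSID still attests at the same-subnet level rather than failing outright. The caveats in the text remain: a hotspot with client isolation hides the other device entirely, and a “Mi-Fi” subnet says nothing about premises.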

Trusted networks with authentication certificates

On the other hand, there could be the concept of creating “trusted networks” where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. This could be used to work against man-in-the-middle attacks as well as providing a stronger approach to attesting trust between the client device and the network it proposes to access.

The initial appeal for this concept could be to attest the authenticity of a business’s network especially in the face of business partners or customers who want to use that network as a gateway to the Internet or use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide for the simple yet secure public-access Wi-Fi network.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. Then this data could be created by the ISP as a “known trusted network” with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service especially to cater for “proof-of-presence” applications.

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, this can be a surefire way of assessing device proximity to other devices. But use of certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.


NETGEAR to offer one of the first Wi-Fi 6 distributed-wireless setups

Article

NETGEAR Orbi with Wi-Fi 6 press picture courtesy of NETGEAR

Netgear takes its Orbi mesh Wi-Fi system to the next level with Wi-Fi 6 | PC World

From the horse’s mouth

NETGEAR

LEADING A NEW ERA OF WI-FI, NETGEAR ANNOUNCES ORBI MESH WI-FI SYSTEM USING WI-FI 6 SPECIFICALLY DESIGNED FOR THE GIGABIT INTERNET HOME (Press Release)

Product Page

My Comments

As Wi-Fi 6 (802.11ax) wireless networking comes to the fore, there will be a desire to see distributed-wireless-network systems that support this technology. Here it’s about being able to support many Wi-Fi client devices like laptops, tablets and smartphones along with devices that are designed “Wi-Fi first” including smart-home devices.

NETGEAR have started to refresh the Orbi distributed Wi-Fi system by making a new version that supports this new technology as part of the product lineup they are premiering in Las Vegas at this year’s Consumer Electronics Show. It uses the separate radio backhaul that their Orbi system is known for, thus avoiding the dent in performance that can be brought about with systems that use the main “fronthaul” Wi-Fi segment for their backbone data transfer.

It uses four data streams across the dedicated Wi-Fi 6 backhaul to allow high-speed high-capacity data transfer. This is in addition to four concurrent data streams on the 2.4GHz band and four concurrent data streams on the 5GHz band for the client devices to use. The system is powered by Qualcomm networking system-on-chip silicon that allows for the higher data throughput.

It is expected to appear during the second half of 2019, primarily as an updated take on the RBK50 wide-coverage devices. A question that will perplex those of us who have an Orbi distributed-Wi-Fi setup is whether the existing Orbi equipment will work with the newer Wi-Fi 6 Orbi devices.

This is more so where smaller or specialised Orbi satellite modules like the RBS50 Orbi Outdoor Satellite unit or the Orbi Voice, which is a combination of a satellite unit and Amazon-Alexa-driven smart speaker, are part of your Orbi setup. Or where you like the idea of “pushing down” existing equipment to secondary purposes so you get more value out of the equipment you own.

What is being highlighted is the idea of using Wi-Fi 6 as a future-proof approach for wireless local networking, including distributed-Wi-Fi setups.


Staff panic buttons to drive networks to handle the Internet of Things

Article

Ekahau Wi-Fi Pager Tag panic button

Emergency-alert buttons like this Ekahau Wi-Fi name-tag panic-button setup will be influencing network architecture for the Internet Of Things

The Hotel Panic Button Could Redefine Hospitality Networking | IoT World Today

My Comments

In some workplaces where staff work alone at night or at other times when they are in danger, portable emergency-call buttons are often used. Initially they were the same size as an older garage-door opener but they are becoming the size of a pendant, badge or fob. As well, rather than these devices lighting up a separate alert panel, they light up a message or “throw up” a map with an indicator on a regular computer running building-security software to show where the danger is.

Initially, they were being positioned for very-high-risk workplaces like psychiatric care or the justice and allied settings. But other workplaces where staff work alone are seeing these devices as an important safety measure, usually due to various occupational health-and-safety requirements.

For example, hotels in the USA are moving towards having housekeeping staff use these devices in response to workplace agreements, industry safe-work safe-premises initiatives or city-based legal requirements. But these systems are being required to work in conjunction with the Wi-Fi networks used by staff and guests for business and personal data transfer.

A device of the kind that I had covered previously on HomeNetworking01.info was the Ekahau Real Time Location System. This was a pendant-style “panic-button” device, known as the T301BD Pager Tag, which had an integrated display and call button. It was also set up so that if the tag was pulled from its neckstrap, it would initiate an emergency response. I also wrote an article about these Ekahau devices being deployed in a psychiatric hospital as a staff emergency-alert setup in order to describe Wi-Fi serving a security/safety use case with the home network.

This application is being seen as a driver for other “Internet-of-Things” and smart-building technologies in this usage case, such as online access-control systems, energy management or custom experiences for guests. As I have said before when talking about what the smart lock will offer, the hotel may be seen as a place where most of us may deal with or experience one or more of the smart-building technologies. Also I see these places existing as a proving ground for these technologies in front of many householders or small-business owners who will be managing their own IT setups.

One of the issues being drummed up in this article is quality-of-service for the Internet Of Things, where the device must be able to send a signal from anywhere on the premises and the receiving endpoints must receive this signal with no delay. It will become an issue as packet-driven technologies like the Internet replace traditional circuit-based technologies like telephone or 2-way radio for signalling or machine-to-machine communication.

The hotel application is based around the use of multiple access points, typically to provide consistent Wi-Fi service for staff and guests. Such a setup is about making sure that staff and guests aren’t out of range of the property’s Wi-Fi network and that the same quality of service for all network and Internet use cases is consistent throughout the building. Here, concepts like mesh-driven Wi-Fi, adaptive-antenna approaches, load-balancing and smart smooth roaming are effectively rolled into the design of these networks.

Wi-Fi access points in the smart-building network will also be expected to serve as bridges between IP-based networks and non-IP “Internet-of-Things” networks like Bluetooth Low Energy (Bluetooth Smart), Zigbee, Z-Wave or DECT-ULE. These latter networks are pushed towards this application class due to the fact that they are designed to support very long battery runtimes on commodity batteries like AA Duracells or coin-style watch batteries. There will be an emphasis on localised bridging and the IP-network-as-backbone to provide better localisation and efficient operation.

These systems are being driven towards single-screen property-specific dashboards where you can see the information regarding the premises “at a glance”. I would reckon that operating-system-native applications and, perhaps, Progressive Web App versions will also be required to use operating-system-specific features like notification-panels to improve their utility factor in this context.

As far as the home network is concerned, I do see most of these technological concepts being rolled out to the smart home with an expectation to provide a similar service for householders and small businesses. This is more important as ISPs in competitive markets see the “Internet of Things” and improved Wi-Fi as a product differentiator.

The use of multiple Wi-Fi access points to cover an average home is being made real for a home network thanks to HomePlug wireless access points, Wi-Fi range extenders and distributed-Wi-Fi systems that will bring this kind of localised Wi-Fi to the smart home. Typically this is to rectify Wi-Fi coverage shortcomings that crop up in particular architecture scenarios like multi-storey / split-level premises and the use of building materials and furniture that limit RF throughput. It is also brought about thanks to the use of higher-frequency wavebands like 5GHz as Wi-Fi network wavebands.

There will be an industry expectation to require access points and similar devices to provide this kind of “open-bridging” for Internet-of-Things networks. This is more so where battery-operated sensor or controller devices like thermostatic radiator valves and smart locks will rely on “low-power” approaches including the use of Zigbee, Z-Wave or similar network technology.

It will also be driven typically by carrier-supplied routers that have home-automation controller functionality which would work with the carrier’s or ISP’s home-automation and security services.

To the same extent, it may require “smart-home / building-automation” networks to support the use of IP-based transports like Wi-Fi, HomePlug and Ethernet as an alternative backhaul, in addition to the meshing or similar approaches these technologies offer to extend their coverage.

In some cases, it may be about Zigbee / Z-Wave setups with very few devices located at each end of the house, or with devices that can’t always be “in the mesh” for these systems because they enter a “sleep mode” due to inactivity, or the usual RF difficulties that can plague Wi-Fi networks may also affect these technologies.

DECT-ULE, which is based on the DECT cordless-phone technology and is being championed by some European technology names, doesn’t support meshing at all, so IP-based bridging and backhauls could work as a way to extend its coverage.

Such a situation may be rectified by access points that use a wired backbone like Ethernet or HomePlug powerline.

In the context of the staff panic button use-case, it will roll out to the home network as part of a variety of applications. The common application that will come about will be to allow the elderly, disabled people, convalescents and the like who need continual medical care to live at home independently or with support from people assuming a carer role.

This will be driven by the “ageing at home” principle and similar agendas that are being driven by the fact that people born during the post-war baby boom are becoming older as well as the rise of increased personal lifespans.

Similarly, this application may also be underscored as a security measure for those of us who are concerned about our loved ones being home alone in a high-risk environment. This is more so in neighbourhoods where the risk of a violent crime being committed is very strong.

But I would see this concept work beyond these use cases. For example, a UK / European central-heating system that is set up with each radiator equipped with a “smart” thermostatic radiator valve that is tied in with the smart-home system. Or the use of many different control surfaces to manage lighting, comfort and home-entertainment through the connected home. This is something that will rise up as most of us take on the concept of the smart home as the technology standardises and becomes more affordable.

What is being highlighted is the requirement for high quality-of-service when it comes to sending “Internet-of-Things” signalling or control data as our networks become more congested with more gadgets. Similarly, it is about being able to use IP-based network technology as a backhaul for non-IP network data that is part of the Internet-of-Things but providing the right kind of routing to assure proper coverage and quality-of-service.


5G mobile broadband and Wi-Fi can complement each other

Article

Netgear Nighthawk 5G Mobile Hotspot press image courtesy of NETGEAR USA

Netgear Nighthawk 5G Mobile Hotspot – first retail 5G device

Why You’ll Still Need Wifi When 5G Is Everywhere, According To The Wi-Fi Alliance | Gizmodo

Wi-Fi Alliance: Wi-Fi, 5G will be complementary | FierceWireless

My Comments

There is some hype being driven by organisations defending the 5G mobile broadband and Wi-Fi wireless LAN technologies about their technology being the only one for our connected lives.

Some existing devices use 5G mobile-broadband technology but connect to endpoint devices like mobile phones using Wi-Fi. Initially they are routers being deployed by mobile carriers as a proof of concept or for network trials while AT&T were offering a “Mi-Fi” for retail sale in the USA that implements 5G technology. At the moment, 5G hasn’t been rolled out in the form of a smartphone or a mobile-broadband modem that is integrated in or connected by USB to a host computer.

Both Wi-Fi 5 (802.11ac and prior technologies) and 4G LTE mobile broadband have seen widespread deployment, with each technology being seen by mobile users as offering a complementary role. Networks and equipment running the newer technologies (5G and Wi-Fi 6) will be backward compatible and offer a best-case approach to this compatibility. That is, if both the network and end-user equipment run the same technology, the user gains the most benefit from what the new technology offers.

It has been identified that both technologies at their latest specification can complement each other. Here, 5G will earn its keep in the outdoors and in a mobile context while the Wi-Fi 6 (802.11ax) technology will earn its keep indoors. This is although public-access Wi-Fi networks will be seen by mobile carriers as a cost-effective data-offload tool.

Wi-Fi also has supporting technologies like WiGig and Wi-Fi HaLow. The former one will match 5G for speed but uses a short range equivalent to an ordinary room in the house, while the latter benefits from long range and power efficiency but doesn’t have the speed. Wi-Fi HaLow will then end up in the smart-home, smart-building, connected-car and smart-city application spaces where data throughput isn’t all that necessary. This is while WiGig will end up with virtual reality, augmented reality, 4G video and other bandwidth-intensive applications.

Then there is also the kind of spectrum available for each technology. Wi-Fi technologies primarily rely on unlicensed radio spectrum which makes them popular for households and businesses to deploy. It is in contrast to 5G which, like other cellular mobile telecommunications technologies, relies on licensed radio spectrum which the mobile carrier has to deal with the national radiocommunications authority organise and purchase a license to use.

There is also a trend regarding wireless-network equipment design where there is a software-defined approach towards the media-level components. This is facilitated with small-footprint high-capability computing power and can allow the same piece of equipment to honour newer standards.

Another factor that is never raised is the concept of the local network where data can be transferred between co-located devices at the same premises. 5G is really positioned as a wireless “last mile” setup for providing telecommunications and Internet service to the end-user. This is while Wi-Fi is intended primarily to work as a local network but is used to distribute a single broadband service to multiple endpoint devices.

What really is now seen is that the new 5G mobile broadband and Wi-Fi 6 (802.11ax) LAN technologies can complement each other in a horses-for-courses manner.


Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

Network connectivity devices and Internet-of-Things devices are now being identified as the weakest point of the Internet ecosystem. This is because security is not factored into the device’s design and because the quality assurance applied to the device’s firmware is poor.

The first major incident that brought this issue to the fore was the 2016 Mirai botnet attack on a number of Websites and on the Dyn dynamic-DNS service. Mirai did not need to tamper with firmware: it logged in to network videosurveillance cameras and digital video recorders over Telnet using their factory-default credentials. Late in 2016 a similar Mirai-style attempt by the “BestBuy” hacker targeted the Speedport-branded home-network routers (built by manufacturers including Zyxel) that Deutsche Telekom supplied as standard customer-premises equipment in Germany, probing their TR-064 remote-management port (TCP 7547) from the Internet. There was a large installed base of these routers, but the attempt failed because the exploit code was buggy: the routers crashed rather than being infected, knocking their owners offline.

Now the BSI, Germany’s federal information-security agency, has taken steps towards a baseline set of guidelines for security-by-design in these home-network routers. It addresses both the Internet-based attacker and the attacker already on the local network, such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments these devices create. They have to use WPA2 or a newer standard as the default security standard, and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t be derived from the router itself, such as its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as logical networks distinct from the private LAN, “fenced off” from it and from each other. They still have access to the WAN interface, which is the Internet service. The standard doesn’t address whether these networks should implement client-device isolation, because some setups require client software to discover printers or multimedia devices on them.

Router management

The passwords for the management account and the Wi-Fi passphrases have to be tested against a password-strength algorithm whenever a user defines a new one, and the result shown to the user, perhaps as a traffic-light indicator. The minimum for a strong password is at least eight characters with at least two each of uppercase letters, lowercase letters, digits and special characters.

For the management account there has to be a log of all login attempts, along with a lockout-type algorithm to deter brute-force password attacks, much like a code-protected car radio that imposes a growing time delay after each wrong passcode. Session-level protection is also expected, such as a timeout that ends the session if you don’t interact with the management page for a certain amount of time.
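As an added example (it is not code from the BSI document, the page, or any router vendor), the following Go code implements two of the management-account rules above the way a router’s admin interface might: a password-strength check that applies the stated minimum of eight characters with at least two each of uppercase, lowercase, digits and special characters and reports a traffic-light rating, and a login gate that logs every attempt and refuses further attempts for a delay that doubles after each failure. The traffic-light thresholds (Red below the minimum, Amber at it, Green from 16 characters), the one-second initial delay and the 15-minute cap are my assumptions for the example; the page gives no figures for them.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Rating is the traffic-light result shown when a new password is set.
type Rating int

const (
	Red   Rating = iota // below the stated minimum: reject
	Amber               // meets the minimum
	Green               // assumed threshold: meets the minimum and is 16+ characters
)

func (r Rating) String() string { return []string{"red", "amber", "green"}[r] }

// RatePassword applies the minimum quoted above: at least eight characters with at least
// two each of uppercase, lowercase, digits and special characters (any other rune).
func RatePassword(pw string) Rating {
	var upper, lower, digit, special, length int
	for _, r := range pw {
		length++
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digit++
		default:
			special++
		}
	}
	if length < 8 || upper < 2 || lower < 2 || digit < 2 || special < 2 {
		return Red
	}
	if length >= 16 {
		return Green
	}
	return Amber
}

// LoginGuard logs every management-login attempt and, like the code-protected car radio,
// refuses further attempts for a delay that doubles per failure (assumed: 1 s start, 15 min
// cap). A correct password during the lockout is rejected too, so the delay cannot be
// sidestepped by guessing faster.
type LoginGuard struct {
	Now      func() time.Time // injectable clock
	Failures int
	Until    time.Time // attempts before this instant are rejected unseen
	Log      []string
}

func (g *LoginGuard) record(t time.Time, user, result string) {
	g.Log = append(g.Log, fmt.Sprintf("%s user=%s result=%s", t.Format(time.RFC3339), user, result))
}

// Attempt returns whether the login was accepted and, if not, how long until the next try.
func (g *LoginGuard) Attempt(user string, passwordCorrect bool) (accepted bool, wait time.Duration) {
	t := g.Now()
	if t.Before(g.Until) {
		g.record(t, user, "locked-out")
		return false, g.Until.Sub(t)
	}
	if passwordCorrect {
		g.record(t, user, "success")
		g.Failures = 0
		return true, 0
	}
	g.Failures++
	wait = time.Second
	for i := 1; i < g.Failures && wait < 15*time.Minute; i++ {
		wait *= 2
	}
	if wait > 15*time.Minute {
		wait = 15 * time.Minute
	}
	g.Until = t.Add(wait)
	g.record(t, user, "failed lockout="+wait.String())
	return false, wait
}

func main() {
	fmt.Println(RatePassword("Ab1!Ab1!"), RatePassword("password"), RatePassword("Aa1!Bb2?Cc3#Dd4$"))
	g := &LoginGuard{Now: time.Now}
	for i := 0; i < 3; i++ { // one wrong password, then two tries during the lockout
		_, wait := g.Attempt("admin", false)
		fmt.Println("next attempt allowed in", wait)
	}
	fmt.Println(strings.Join(g.Log, "\n"))
}
```

A correct password submitted during the lockout window is rejected and logged like any other attempt, which is what makes the delay effective against an attacker guessing in parallel. A real device would also keep the failure counter in non-volatile storage so that power-cycling the router does not reset the lockout.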

Other requirements for device management include that the management Web page be accessible only from the main home network, that is the primary private Wi-Fi segment or the Ethernet segment, and not from the WAN side or the guest segments. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

The BSI TR-03148 Secure Broadband Router guidelines also address the sore point of router firmware. They cover updating the router with the latest firmware, whether through an online update or through a file you download to your regular computer and upload to the router.

Automatic online installation is the preferred approach for security-related updates, and this will most likely extend to other “point releases” that address software quality or device performance. The end user will still need to manually apply major firmware versions, usually where new functionality or major user-interface changes are introduced.

The router manufacturer will be required to rectify newly-discovered high-severity security vulnerabilities without undue delay once notified, and end users will be told about these updates through the manufacturer’s own public-facing Website or the router’s management page.

As with most regular-computer and mobile operating systems, software signatures will be required to authenticate new and updated firmware. Users can still install unsigned firmware such as the highly-functional open-source OpenWrt, but they must be warned about deploying unsigned firmware as part of the installation process. Retaining the ability to load unsigned firmware was an issue raised by the “computer geek” community who like to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can leave the end user high and dry if weaknesses are discovered in the firmware after support has ended.

The standard also calls for an “anti-bricking” arrangement, with redundant on-device storage of the prior firmware. This avoids the router “bricking”, or failing irreversibly, if the downloaded firmware arrives with file errors or software errors.
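As an added example (not from BSI, the page, OpenWrt or any vendor’s updater), the following Go code shows how the signed-update and anti-bricking requirements above fit together in one updater: it verifies an Ed25519 signature made with the vendor’s key, refuses an unsigned image unless the user has explicitly acknowledged the warning, writes only to the inactive one of two firmware slots, and at boot falls back to the previous firmware if the new image no longer matches its recorded digest or has booted repeatedly without confirming itself. The image layout, the two-slot scheme and the three-attempt limit are assumptions for the example; TR-03148 as described here requires signatures and redundant storage but does not prescribe a format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is an update as received (assumed layout); Signature is empty for third-party builds.
type Image struct {
	Payload   []byte
	Signature []byte // Ed25519 signature over Payload, made with the vendor's private key
}

type Slot struct {
	Payload   []byte
	Digest    [32]byte // recorded at write time, re-checked at every boot
	Confirmed bool     // set by a firmware that has come up healthy
	Tries     int      // unconfirmed boot attempts so far
}

const maxTries = 3 // assumed: a new image gets three boots to confirm itself

var (
	ErrUnsigned = errors.New("firmware is not signed with the vendor key")
	ErrBadSig   = errors.New("firmware signature does not verify: forged or corrupted")
)

type Updater struct {
	VendorKey ed25519.PublicKey
	Slots     [2]Slot
	Active    int // slot armed for the next boot
}

func NewUpdater(key ed25519.PublicKey, factory []byte) *Updater {
	u := &Updater{VendorKey: key}
	u.Slots[0] = Slot{Payload: factory, Digest: sha256.Sum256(factory), Confirmed: true}
	return u
}

// Verify separates "unsigned" (a user may knowingly accept it after the warning) from
// "bad signature" (never acceptable: the image is not what it claims to be).
func (u *Updater) Verify(img Image) error {
	if len(img.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(u.VendorKey, img.Payload, img.Signature) {
		return ErrBadSig
	}
	return nil
}

// Install writes only to the inactive slot, so the running firmware survives whatever
// happens to the new one, then arms the new slot for the next boot.
func (u *Updater) Install(img Image, userAcceptedUnsignedWarning bool) error {
	if err := u.Verify(img); err != nil && !(errors.Is(err, ErrUnsigned) && userAcceptedUnsignedWarning) {
		return err
	}
	target := 1 - u.Active
	payload := append([]byte(nil), img.Payload...)
	u.Slots[target] = Slot{Payload: payload, Digest: sha256.Sum256(payload)}
	u.Active = target
	return nil
}

// Boot picks the slot to run: the armed one if its payload still matches its digest and it has
// not used up its tries, otherwise the previous firmware. This is the anti-bricking fallback.
func (u *Updater) Boot() (int, error) {
	for _, s := range []int{u.Active, 1 - u.Active} {
		slot := &u.Slots[s]
		if len(slot.Payload) == 0 || sha256.Sum256(slot.Payload) != slot.Digest {
			continue // empty or corrupted: a file error
		}
		if !slot.Confirmed {
			if slot.Tries >= maxTries {
				continue // keeps booting without confirming: a software error
			}
			slot.Tries++
		}
		u.Active = s
		return s, nil
	}
	return -1, errors.New("no bootable firmware in either slot")
}

// Confirm is called by the running firmware once it is healthy, e.g. when the WAN link is up.
func (u *Updater) Confirm() { u.Slots[u.Active].Confirmed = true }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := NewUpdater(pub, []byte("factory firmware v1"))
	img := Image{Payload: []byte("vendor firmware v2")}
	img.Signature = ed25519.Sign(priv, img.Payload)
	fmt.Println("signed install:", u.Install(img, false))
	u.Slots[u.Active].Payload[0] ^= 0xff // simulate a bad flash write after the update
	fmt.Println(u.Boot())                // falls back to the factory firmware in slot 0
}
```

Falling back to the previous slot is a deliberate downgrade, so an updater built this way also needs an anti-rollback rule for vendor-signed images (for example, refusing a signed image whose version is below the running one) if an attacker is not to reinstall an older release with known weaknesses; that check is not shown here.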

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One is whether there should be a minimum length of time for a manufacturer to keep providing security and software-quality firmware updates for a router model or series after it is superseded. The risk arises when we buy equipment that has just been superseded, typically to take advantage of lower prices, or keep a router in service for as long as possible. It is of particular concern when a whole new generation of equipment is released, rather than a model that was simply given a software-compatible hardware refresh.

Solutions could include open-sourcing the firmware, as was done with the Linksys WRT54G, or establishing a known-good baseline firmware source for these devices while continuing to rectify vulnerabilities discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, and not just the German-speaking countries, when it comes to a home network that is “secure by design”. Although the European Union has taken some action on the Internet of Things and a secure-by-design approach, it could have the power to make these guidelines a market requirement for equipment sold into the European, Middle Eastern and African markets.

It could also be seen by other IT bodies as the expected minimum for proper router design for home, SOHO and SME routers. ISPs and telcos may even see it as an obligation to their customers to apply this standard when specifying the customer-premises equipment they supply.

At least the issue of “secure by design” keeps being raised regarding home-network infrastructure and the Internet of Things, so as to harden these devices and prevent them from being roped into the next Mirai-style botnet.


New nomenclature for Wi-Fi wireless networks

Article

ASUS RT-AC5300 router press picture courtesy of ASUS

802.11ac? 802.11n? Wi-Fi Alliance stops with the jargon, goes with Wi-Fi 6 | Android Authority

Wi-Fi Alliance Simplifies Things With Version Numbers | Tom’s Hardware

From the horse’s mouth

Wi-Fi Alliance

Wi-Fi Alliance® introduces Wi-Fi 6 (The Beacon blog)

My Comments

The Wi-Fi Alliance has decided to adopt a new nomenclature for the main standards that Wi-Fi networks support. This is in stark contrast to referring to each standard by its IEEE reference, which can sound confusing.

It will be used in product marketing material and specification sheets to refer to the effective “generation” that a router, access point or client device supports, so one can know the expected “best” capability offered by that device.

The device’s operating system or firmware will also be able to show, on devices with some sort of dynamic visual user interface, the “generation number” the current network connection supports. For client devices like computers or smartphones this indicates the “best available” expectation for the current connection.

Similarly, people and companies who provide a public-access Wi-Fi network can reference the kind of performance expected of it by using the “generation number” for the technology it supports. It could be used as a means to gauge the network’s suitability for handling peak loads, for example a transit station during peak hours or a fully-occupied hotel.

IEEE standard   Generation name   Designation
802.11b         Wi-Fi 1           informal; not designated by the Wi-Fi Alliance
802.11a         Wi-Fi 2           informal; not designated by the Wi-Fi Alliance
802.11g         Wi-Fi 3           informal; not designated by the Wi-Fi Alliance
802.11n         Wi-Fi 4           determined by the Wi-Fi Alliance
802.11ac        Wi-Fi 5           determined by the Wi-Fi Alliance
802.11ax        Wi-Fi 6           determined by the Wi-Fi Alliance

A question that will come up is how a device will indicate whether it is a simultaneous multi-band device, or how many MIMO streams it runs concurrently. This matters with Wi-Fi 4 / 5 / 6 (802.11n/ac/ax) devices that can work on two or more bands and have MIMO abilities, but at differing levels of capability and performance.

Classic examples are low-cost access points and Wi-Fi extenders that only work to dual-stream 802.11n on the 2.4GHz band, known as N300 devices, or mobile devices using single-stream or dual-stream MIMO chipsets to conserve battery.

On this site going forward, I will use the new “Wi-Fi generation number” along with the IEEE standard reference when describing the Wi-Fi technology offered by a network device. It will also apply to the minimum Wi-Fi standards I describe for particular networking situations.

For example, I may describe the Dell XPS 13’s Wi-Fi abilities as Wi-Fi 5 (802.11ac) dual-stream to reflect the effective Wi-Fi generation supported by that Ultrabook.

At least this new nomenclature will be a barometer of whether a Wi-Fi network is running technology new enough to perform properly.


NETGEAR implements a multi-tiered approach to Power-Over-Ethernet

Articles – From the horse’s mouth

NETGEAR GS108PP ProSafe Gigabit Unmanaged 8-port Switch with Power-Over-Ethernet Plus press picture courtesy of NETGEAR

The NETGEAR GS108PP switch is able to run with different power supplies to offer different Power-Over-Ethernet power budgets

NETGEAR

NETGEAR LAUNCHES INDUSTRY’S FIRST UNMANAGED SWITCH WITH FLEXIBLE POWER OVER ETHERNET OPTIONS (Press Release)

Flexible PoE Switch with Power Upgrade Options (Blog Post)

Product Page

Previous Coverage

NETGEAR offers an affordable 8-port Gigabit unmanaged switch with Power Over Ethernet Plus on all ports

My Comments

I previously wrote up the NETGEAR GS108PP 8-port Gigabit Ethernet switch, which has Power Over Ethernet Plus on all ports, as an example of this company offering a switch with desirable features at a price that is reasonable for small-network applications. The point was that each of the eight ports is “powered” to the Power-Over-Ethernet-Plus (802.3at) standard rather than only half of them, which is what affordable “few-port” Power-Over-Ethernet gear for small networks usually offered.

At the time of the previous article, MWAVE, an independent online computer-parts reseller, offered this device to the Australian market for AUD$169 tax inclusive before shipping, but now this price has dropped to AUD$155 tax inclusive.

It is part of a family of 8-port and 16-port Gigabit Ethernet switches with Power Over Ethernet Plus power-supply on all ports that NETGEAR has taken an interesting approach with the overall power budget that these devices could offer.

Here, they offer different power budgets for the GS108LP / GS108PP (8 port) and GS116LP / GS116PP (16 ports) by packaging different power supplies with the different units so these have a different power budget depending on what you buy. They also offer a range of power adaptors with the same voltage (54VDC) but with different current outputs that are available through the aftermarket.

NETGEAR has established this arrangement to allow a network installer to buy an Ethernet switch with a Power-Over-Ethernet power budget that is “right-sized” for the user’s current needs. Then if these need change, they can upgrade the power supply to answer these newer needs.

Power-Over-Ethernet power budget by power supply (the in-box option for each model is marked *)

Power supply            GS108LP   GS108PP   GS116LP   GS116PP
54VDC 1.25A (67.5W)     60W*      60W       –         –
54VDC 1.66A (90W)       83W       83W       76W*      76W
54VDC 2.4A (130W)       123W      123W*     115W      115W
54VDC 3.7A (200W)       –         –         183W      183W*

This suits installations where you start by running one or two Power-Over-Ethernet devices to see how you go with the idea. It may include upgrading an older device powered by its own “wall-wart” to a simpler Power-Over-Ethernet setup via an active splitter box. Then you add more Power-Over-Ethernet devices, or upgrade existing ones to more capable models while giving the older units the same treatment as a typical fridge or TV, “bumping” them down to a secondary role in the installation.

Here you simply swap the less powerful power supply for a more powerful one when you need more power, rather than junking a perfectly good Power-Over-Ethernet switch and replacing it with something bigger. The NETGEAR switch can stay in your network longer, serving the higher power load, until new needs arise such as moving to a managed switch or something better. Typically this is a plug-and-play upgrade, but you may have to flick a slider on the NETGEAR switch so it works with the different power supply.

Network installers who sell these switches can also keep a stock of the power supplies as well as the switches so they can “right-size” installations through their life. They can also keep the lower-output power supplies from an “upsized” installation to use on another lower-demand installation whose original power supply has burnt out.

What I like about this approach that NETGEAR took with these unmanaged Power-Over-Ethernet switches is the idea of providing an upgrade path for people who own an existing unit but have different needs. It also avoids the need to throw away perfectly-working equipment just because you have a different power requirement.

As well, the NETGEAR GS108LP Power-Over-Ethernet switch could be offered at a two-figure price for people and businesses who want to get their feet wet with Power-Over-Ethernet, especially if they see active splitters as a way to power existing devices like access points or 5-port Ethernet switches “down the line” before going “full steam” with new devices.
