Network Management Archive

Make VPN, VLAN and VoIP applications easy to set up in your network

Draytek Vigor 2860N VDSL2 business VPN-endpoint router press image courtesy of Draytek UK

Routers like the Draytek Vigor 2600N which support VPN endpoint and IP-PBX functionality could benefit from simplified configuration processes for these functions

Increasingly, the virtual private network, virtual local-area network and IP-based voice and video telephony setups are becoming more common as part of ordinary computing.

The VPN is being seen as a tool to protect our personal privacy or to avoid content-blocking regimes imposed by nations or other entities. Some people even use this as a way to gain access to video content available in other territories that wouldn’t be normally available in their home territory. But VPNs are also seen by business users and advanced computer users as a way to achieve a tie-line between two or more networks.

The VLAN is becoming of interest to householders as they sign up to multiple-play Internet services with at least TV, telephony and Internet service. Some of the telcos and ISPs are using the VLAN as a way to assure end-users of high quality-of-service for voice or video-based calls and TV content made available through these services.

AVM FRITZ!Box 3490 - Press photo courtesy AVM

… as could the AVM Fritz!Box routers with DECT base station functionality

It may also have some appeal with some multiple-premises developments as a tool to provide the premises occupiers access to development-wide network resources through the occupiers’ own networks. It will also appeal to public-access-network applications which share the same physical infrastructure as private networks such as FON-type community networks including what Telstra and BT are running.

VoIP and similar IP-based telecommunications technologies will become very common for home and small-business applications. This is driven by incumbent and competing telecommunications providers moving towards IP-based setups thanks to factors like IP-driven infrastructure or a very low cost-of-entry. It also includes the desire to integrate entryphone systems that are part of multi-premises buildings in to IP-based telecommunications setups including the voice-driven home assistants or IP-PBX business-telephony setups.

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

A device like the Amazon Echo could be made in to a VoIP telephone through an easy-to-configure Alexa Skill

In the same context, an operating-system or other software developer may want to design a “softphone” for IP-based telephony in order to have it run on a common computing platform.

What is frustrating these technologies?

One key point that makes these technologies awkward to implement is the configuration interface associated with the various devices that benefit from these technologies like VPN endpoint routers or IP-based telephony equipment. The same situation also applies if you intend to implement the setup with multiple devices especially where different platforms or user interfaces are involved.

This kind of configuration also increases the chance of user error taking place during the process which then leads to the setup failing with the user wasting time on troubleshooting procedures to get it to work. It also makes the setup process very daunting for people who don’t have much in the way of IT skills.

For example, you have to complete many steps to enrol the typical VPN endpoint router with a consumer-facing privacy-focused VPN in order to assure network-wide access to these VPNs. This involves transcribing configuration details for one of these VPNs to the router’s Web-based management interface. The same thing also applies if you want to create a VPN-based data tie-line between networks installed at two different premises.

Similarly, IP-based telephony is very difficult to configure with customers opting for pre-configured IP telephone equipment. Then it frustrates the idea of allowing a customer to purchase equipment or software from different resellers thanks to the difficult configuration process. Even small businesses face this same difficult whether it is to add, move or remove extensions, create inter-premises tie-lines or add extra trunk lines to increase call capacity or provide “local-number” access.

This limits various forms of innovation in this space such as integrating a building’s entryphone system into one’s own telephone setup or allowing Skype, Facebook Messenger, WhatsApp or Viber to permit a business to have a virtual telephone link to their IP-telephony platforms.

It also limits the wide availability to consumers and small businesses of “open” network hardware that can answer these functions. This is more so with VPN-endpoint routers or routers that have IP-based telecommunications functionality which would benefit from this kind of simplified configuration process.

What can be done?

A core requirement to enable simplified provisioning of these technologies is to make use of an XML-based standard configuration file that contains all of the necessary configuration information.

It can be transferred through a download from a known URL link or a file that is uploaded from your computing device’s local file system. The latter approach can also apply to using removable storage to transfer the file between devices if they have an SD-card slot or USB port.

Where security is important or the application depends on encryption for its operation, the necessary binary public-key files and certificates could be in a standard form with the ability to have them available through a URL link or local file transfer. It also extends to using technologies based around these public keys to protect and authenticate the configuration data in transit or apply a digital signature or watermark on the configuration files to assert their provenance.

I would also see as being important that this XML-based configuration file approach work with polished provisioning interfaces. These graphically-rich user interfaces, typically associated with consumer-facing service providers, implement subscription and provisioning through the one workflow and are designed to he user-friendly. It also applies to achieving a “plug-and-play” onboarding routine for new devices where there is a requirement for very little user interaction during the configuration and provisioning phase.

This can be facilitated through the use of device-discovery and management protocols like UPnP or WSD with the ability to facilitate the upload of configuration files to the correct devices. Or it could allow the creation and storage of the necessary XML files on the user’s computer’s local storage for the user to upload to the devices they want to configure.

Another factor is to identify how a device should react under certain situations like a VPN endpoint router being configured for two or more VPNs that are expected to run concurrently. It also includes allowing a device to support special functions, something common in the IP-based telecommunications space where it is desirable to map particular buttons, keypad shortcodes or voice commands to dial particular numbers or activate particular functions like door-release or emergency hotline access.

Similarly, the use of “friendly” naming as part of the setup process for VLANs, VPNs and devices or lines in an IP-telephony system could make the setup and configuration easier. This is important when it comes to revising a configuration to suit newer needs or simply understanding the setup you are implementing.

Conclusion

Using XML-based standard provisioning files and common data-transfer procedures for setup of VLAN, VPN and IP-based-telecommunications setups can allow for a simplified setup and onboarding experience. It can also allow users to easily maintain their setups such as to bring new equipment on board or factor in changes to their service.

Send to Kindle

Wi-Fi 6 is here for certain

Articles

TP-Link Archer AX6000 Wi-Fi 6 broadband router product picture courtesy of TP-Link USA

TP-Link Archer AX6000 Wi-Fi 6 broadband router – an example of a Wi-Fi 6 router

Wi-Fi 6: Better, faster internet is coming — here’s what you need to know | CNet

Should You Upgrade to Wi-Fi 6? | PC Mag

Previous Coverage

New nonenclature for Wi-Fi wireless networks

What will 802.11ax Wi-Fi wireless networking be about?

From the horse’s mouth

Wi-Fi Alliance

Wi-Fi CERTIFIED 6™ delivers new Wi-Fi® era (Prress Release)

Wi-Fi CERTIFIED 6™ delivers new Wi-Fi® era {Product Page)

My Comments

The Wi-Fi Alliance have started this week to certify devices as to whether they are compliant to the new Wi-Fi 6 (802.11ax) wireless-network standard. This effectively means that this technology will be ready for prime time.

But what will it offer?

NETGEAR Orbi with Wi-Fi 6 press picture courtesy of NETGEAR

NETGEAR Orbi Wi-Fi 6 – the first distributed Wi-Fi setup with Wi-Fi 6 technology

Wi-Fi 6 will offer a theoretical data throughput of 10Gbps which is 30% faster than Wi-Fi 5 setups. There will also be the ability for one access point or route to support many Wi-Fi client devices at once thus preventing that device from being “oversubscribed” and underperforming when many devices come on board. It answers a common situation where a small network that is typically served by one Wi-Fi router ends up having to support multiple Wi-Fi client devices like laptops, smartphones, smart speakers of the Amazon Echo kind, and set-top devices for streaming video. It is facilitated through the use of a higher-capacity MU-MIMO technology.

In addition, the Wi-Fi 6 routers and access points implement OFDMA technology to share channels and use them efficiently. It will mean that multiple Wi-Fi 6 networks can coexist without underperforming which will be of benefit for apartment dwellers or trade shows and conferences where multiple Wi-Fi networks are expected to coexist.

There is also the targeted wake time feature to “schedule” use of a Wi-Fi 6 network by battery-operated devices. This will allow them to know when to send data updates to the network especially if they don’t change status often, which will benefit “Internet-of-Things” devices where there is the desire to run them for a long time on commodity batteries.

A requirement that will be placed on Wi-Fi 6 devices is to support WPA3 security for their network security standard. It is to improve the expectation upon these devices for a secure Wi-Fi network.

At the moment, routers and access points based on Wi-Fi 6 will be positioned at the premium end of the market and be typically targeted towards “be first with the latest” early adopters. But over the next year or two, the market will settle out with devices at more affordable price points.

Premium smartphones, tablets and laptops that are being redesigned from the ground up with new silicon will end up with Wi-Fi 6 network interface chipsets. This will apply to the Samsung Galaxy S10 family, computers based on Intel Ice Lake CPUs and the Apple iPhone 11 family. As well, some network-hardware vendors are offering add-on Wi-Fi 6 network adaptors that plug in to your laptop computer’s USB port to enable it for the new technology.

At the moment, if you are running a network with a Wi-Fi 5 access point or router that is serving devices based on Wi-Fi 4 (802.11n) and Wi-Fi 5 (802.11ac) technology, you don’t need to upgrade the access point or router yet.

But if you have to replace that device due to the existing unit dying or you intend to set up a new Wi-Fi network, it may be worth investigating the purchase of network infrastructure equipment based on Wi-Fi 6.

You will also find that each device will be provided with “best case” performance based on its technology. This means that if you install a Wi-Fi 6 access point or router on your network then subsequently sign a subsidised-equipment post-paid service contract for a smartphone with Wi-Fi 6 technology built in, the smartphone will work to Wi-Fi 6 levels while your laptop that supports Wi-Fi 5 technology works to that prior technology without impeding your smartphone’s Wi-Fi 6 functionality.

If you bought one of the earlier Wi-Fi 6 routers or distributed Wi-Fi setups which works to pre-certification standards, check your manufacturer’s site for any new firmware that will have the device working to the current specifications and upload it to your device.

Wi-Fi 6 wireless networks will become a major boon for evolving local-area networks towards higher capacity and faster throughput on wireless segments.

Send to Kindle

6GHz Wi-Fi technology moving towards room-by-room Gigabit Wi-Fi

Article

NETGEAR Orbi distributed WiFi system press image courtesy of NETGEAR

Distributed Wi-Fi setups like this NETGEAR Orbi will be heading towards the Gigabit Wi-Fi goal on the 6GHz waveband

ARRIS: How 6 GHz Wi-Fi will revolutionise the connected home | Wi-Fi Now

My Comments

ARRIS who make home-network equipment for the American market, are pushing the idea that the 6 GHz Wi-Fi network is a major evolution for the home network.

This is coming about due to various national government departments who have oversight over radiocommunications use within their jurisdiction working on regulatory instruments to open up unlicensed low-power indoor use of the 6 GHz radio waveband. Such regulation is expected to be passed by the FCC in the US by mid-year 2020 and OFCOM in the UK by 2021 with other jurisdictions to follow suit over the next few years.

It will open up seven new 160MHz channels for the Wi-Fi 6 technology with the feasibility to open up a Gigabit Wi-Fi network. This is expected to lead to the evolution of the self-configuring distributed Wi-Fi setup with a Gigabit Wi-Fi backbone plus each access point offering a 160MHz Wi-Fi 6 channel alongside support for low-power narrower-bandwidth 2.4GHz and 5GHz channels for legacy equipment.

There will be the implementation of Wi-Fi EasyMesh and Wi-Fi EasyConnect standards to permit secure setup and an open-frame heterogenous distributed-wireless network.

One limitation I do see confronting this ideal that Arris put forward is the short-wavelength Wi-Fi backbone which can be a hindrance with certain building materials and construction approaches like double-brick walls. There will also be the requirement to run many access points to make sure the average home is covered properly. Here, the wired backbone whether “new wires”  like Ethernet or “no new wires” like HomePlug AV2 powerline or MoCA TV-antenna coaxial still has toe be considered for a multiple-access-point network.

ARRIS was even positioning for the evolution of the distributed Wi-Fi network to have each room with its own access-point node capable of yielding Gigabit bandwidth. They also put forward ideas like having these access points mounted on the ceiling. But I would also prefer the idea of a normally-sessile endpoint device like a network printer, Amazon-Echo-style smart speaker or a smart TV being its own access point that is part of the distributed Wi-Fi network. It then avoids the need to equip a room with an extra access point if you are intending to have this kind of device in that room.

The use of Wi-Fi 6 technologies will also be about working with environments that are congested as far as Wi-Fi wireless networking is concerned. These environments like multiple-premises buildings, airports or hotels are likely to have many Wi-Fi devices operating on many Wi-Fi networks which with prior technologies leads to poor performance especially on the throughput and latency side.

It may have to take a few years for the Wi-Fi wireless network to hit the Gigabit throughput mark as the 6 GHz band opens up and more access-point and client devices come on the market.

Send to Kindle

20 Years of Wi-Fi wireless

From the horse’s mouth

Wi-Fi Alliance Wi-Fi Alliance 20th anniversary logo courtesy of Wi-Fi Alliance

20 Years of Wi-Fi (Press Release)

My Comments

“Hey, what’s the Wi-Fi password here?”. This is a very common question around the home as guests want to come on to your home network during their long-term visit to your home. Or one asks the barista or waiter at the cafe “Do you have Wi-Fi here?” with a view to some free Internet use in mind.

“What’s the Wi-Fi password?”

It is brought about by Wi-Fi wireless-network technology that has become a major lifestyle changer over the last 20 years. This has been propelled in the early 2000s with Intel advancing their Centrino Wi-Fi network-interface chipset which put forward the idea of highly-portable computing.

Dell XPS 13 9380 lifestyle press picture courtesy of Dell Corporation

The laptop like this Dell XPS 13 – part of the Wi-Fi lifestyle

The laptop computer, mobile-platform tablet and smartphone benefited from Wi-Fi due to their inherently-portable nature. This effectively allowed for “anywhere anytime” online work and play lifestyle including using that iPad or smartphone as a second screen while watching TV. Let’s not forget the use of Internet radios, network-based multiroom audio setups and those smart speakers answering you when you speak to them.

“Do you have free Wi-Fi here?”

Over the years there has been incremental improvements in bandwidth, security and quality-of-service for Wi-Fi networks both in the home and the office. Just lately, we are seeing home networks equipped with distributed Wi-Fi setups where there are multiple access-point devices working with a wired or wireless backhaul. This is to assure full coverage of our homes with Wi-Fi wireless signals, especially as we face different floorplans and building-material types that may not assure this kind of coverage.

But from this year onwards, the new Wi-Fi network will be based on WI-Fi 6 (802.11ax) technology and implement WPA3-grade security. There will also be the idea of opening up the 6GHz wavebands around the world to Wi-Fi wireless-network traffic, along with having support for Internet-of-Things applications.

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The Wi-Fi router – part of every household

The public-access Wi-Fi networks will be more about simple but secure login and usage experiences thanks to Wi-Fi Passpoint. This will include simplified roaming between multiple Wi-Fi public-access hotspot networks, whether this is based on business relationships or not. It will also lead to telcos using Wi-Fi networks as a method to facilitate complementary coverage for their mobile-broadband networks whether they use current technology or the new 5G technology.

What needs to happen for Wi-Fi is to see work take place regarding high-efficiency chipsets for Internet-of-Things applications where such devices will be required to run on a small number of commodity batteries for a long time. One requirement I would like to see for public-access Wi-Fi is the ability to create user-defined “secure device clusters” that allow devices in that cluster to discover each other across the same public-access network but other devices outside of the cluster can’t discover them.

So happy 20th Anniversary to the network technology that has effectively changed our online lifestyle – the Wi-Fi wireless network.

Send to Kindle

WPA3-Personal security–What does this mean for your Wi-Fi network

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Expect the next-generation Wi-Fi network to have WPA3 security

What is WPA3? And some gotchas to watch out for in this Wi-Fi security upgrade | Network World

My Comments

Over the next few years, Wi-Fi routers, access points and client devices like computers and smartphones will be supporting WPA3 as a media-specific network security protocol.

At the moment, I will be focusing on the WPA3-Personal variant which is relevant to small networks like the typical home or small-business network. This kind of network security is also implemented in an increasing number of venue-based public-access networks in order to allow the venue owner to protect and authenticate the network and preserve its role as an amenity for the venue’s customers.

The WPA3-Personal network security protocol has the same method of operation as for a WPA2-Personal network. This is using a “Wi-Fi password” commonly known across all access points and client devices that use the network segment.

But it describes this “Wi-Fi password” as Simultaneous Authentication Of Equals rather than the previous Pre-Shared Key used in previous WPA-Personal implementations. It also affects how this “Wi-Fi password” is represented and encrypted in order to protect it against an off-site brute-force cracking attempt.

As well, each connection between the client device and the access point is encrypted in a manner unique to that connection.

The initial onboarding process will be typically based on the traditional password-entry method. But it will also implement Wi-Fi EasyConnect which uses a QR code or WPS-based push-button setup.

The Wi-Fi WPA3 security protocol may take years to become mature while a secure surefire codebase for client-side and access-point-side implementations is worked out. The initial codebase was found to have software weaknesses in the early Personal-setup implementation and is being debugged now.

A question that will be raised is whether an upgrade to WPA3 security will require new hardware for either the client device or the access point or if this can be performed using revised firmware that has the necessary software code. This may depend on whether the hardware uses a purely software-defined approach for managing its functionality.

There will be situations that will take place regarding existing equipment and WPA3-capable equipment. Here, a WPA3 client like a smartphone can work with an existing WPA2-compliant Wi-Fi network segment but not have the full benefits. Similarly, a WPA3-capable Wi-Fi network segment will need to be operated in a “transition mode” to allow existing WPA2-compliant client devices to connect. Again, this doesn’t provide all the benefits of a Wi-Fi network segment secure to WPA3 standards.

You can also work around this limitation by implementing two Wi-Fi network segments that have separate ESSIDs. One of these could be configured to work the current WPA2-Personal standard while the other is set up purely for WPA3-Personal. This practice may come in to its own if you have a Wi-Fi network using the latest standards while you maintain another using tried-and-trusted standards.

Send to Kindle

Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices connected to the same router irrespective of what media they use to connect to this network like Ethernet or Wi-Fi wireless. It is represented at Layer 3 (Network Layer) on the OSI network model stack and is represented by IP (Internet Protocol) whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network. This is thanks to IP-based isolation functionality that the router that serves the hotspot offers.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the random key number that confirms what we have along with what we know. But in a lot of situations, we have the smartphone and the computer we want to use to gain access to the resources existing on the same network. This may be our home or business network, a public-access hotspot or tethering our laptop to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other. It is more so if the devices are communicating to each other behind the same Wi-Fi access point or Ethernet switch. This concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup if you are thinking of two devices that are able to connect to a network via Wi-Fi. This is more so where the issue of phishing of multi-factor authentication setups involving the transcription of a one-time passcode has been raised.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet / logical network behind the same gateway device (router) could be a way to attest that both devices are in the same premises. The same test can be performed by the use of a “hop count” on Layer 3 of the OSI network-layer tree, which also determines the number of logical networks passed.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi Wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the use of the BSSID which identifies the same access point that the devices are connecting through or the ESSID which is the network’s “call sign”. The BSSID could be used for a public hotspot network including a “hotzone” network ran by a local government or ISP,or a large network that uses many access points while the ESSID approach could be used simply for a small network with a few access points.

Trusted networks with authentication certificates

On the other hand, there could be the concept of creating “trusted networks” where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. It could be used to work against man-in-the-middle attacks as well as a stronger approach to attesting trust between the client device and the network it proposes to access.

The initial appeal for this concept could be to attest the authenticity of a business’s network especially in the face of business partners or customers who want to use that network as a gateway to the Internet or use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide for the simple yet secure public-access Wi-Fi network.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. Then this data could be created by the ISP as a “known trusted network” with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service especially to cater for “proof-of-presence” applications.

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, this can be a surefire way of assessing device proximity.to other devices. But use of certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.

Send to Kindle

NETGEAR to offer one of the first Wi-Fi 6 distributed-wireless setups

Article NETGEAR Orbi with Wi-Fi 6 press picture courtesy of NETGEAR

Netgear takes its Orbi mesh Wi-Fi system to the next level with Wi-Fi 6 | PC World

From the horse’s mouth

NETGEAR

LEADING A NEW ERA OF WI-FI, NETGEAR ANNOUNCES ORBI MESH WI-FI SYSTEM USING WI-FI 6 SPECIFICALLY DESIGNED FOR THE GIGABIT INTERNET HOME (Press Release)

Product Page

My Comments

As Wi-Fi 6 (802.11ax) wireless networking comes to the fore, there will be a desire to see distributed-wireless-network systems that support this technology. Here it’s about being able to support many Wi-Fi client devices like laptops, tablets and smartphones along with devices that are designed “Wi-Fi first” including smart-home devices.

NETGEAR have started to refresh the Orbi distributed Wi-Fi system by making a new version that supports this new technology as part of the product lineup they are premiering in Las Vegas at this year’s Consumer Electronics Show. It uses the separate radio backhaul that their Orbi system is know for, thus avoiding a dent in performance that can be brought about with systems that use the main “fronthaul” Wi-Fi segment for their backbone data transfer.

But it uses four data streams across the dedicated Wi-Fi 6 backhaul to allow high-speed high-capacity data transfer. It is in addition to four concurrent data streams on the 2.4GHz band and four concurrent data streams on the 5GHZ band for the client devices to use. The system is powered by Qualcomn networking system-on-chip silicon that allows for the higher data throughput.

It is expected to appear during the second half of 2019, primarily as an updated take of the RBK50 wide-coverage devices. A question that will perplex those of us who have an Orbi distributed-Wi-Fi setup is whether the existing Orbi equipment will work with the newer Wi-Fi 6 Orbi devices.

This is more so where smaller or specialised Orbi satellite modules like the RBS50 Orbi Outdoor Satellite unit or the Orbi Voice which is a combination of a satellite unit and Amazon-Alexa-driven smart speaker are part of your Orbi setup. Or you like the idea of “pushing down” existing equipment to secondary purposes so you get more value out of the equipment you own.

What is being highlighted is the idea of using Wi-Fi 6 as a future-proof approach for wireless local networking, including distributed- Wi-FI setups.

Send to Kindle

Staff panic buttons to drive networks to handle the Internet of Things

Article

Ekahau Wi-Fi Pager Tag panic button

Emergency-alert buttons like this Ekahau Wi-Fi name-tag panic-button setup will be influencing network architecture for the Internet Of Things

The Hotel Panic Button Could Redefine Hospitality Networking | IoT World Today

My Comments

In some workplaces where staff work alone at night or other times where they are in danger, portable emergency-call buttons are often used. Initially they were the same size as an older garage-door opener but they are becoming the size of a pendant, badge or fob. As well, rather than these devices lighting up a separate alert panel, they light up a message or “throw up” a map with an indicator on a regular computer running building-security software to show where the danger is.

Initially, they were being positioned for very-high-risk workplaces like psychiatric care or the justice and allied settings. But other workplaces where staff work alone are seeing these devices as an important safety measure, usually due to various occupational health-and-safety requirements.

For example, hotels in the USA are moving towards having Housekeeping staff use these devices in response to workplace agreements, industry safe-work safe-premises initiatives or city-based legal requirements. But these systems are being required to work in conjunction with the Wi-Fi networks used by staff and guests for business and personal data transfer.

A device of the kind that I had covered previously on HomeNetworking01.info was the Ekahau Real Time Location System. This was a pendant-style “panic-button” device, known as the T301BD Pager Tag which had an integrated display and call button. It also had a setup that if the tag was pulled at the nexkstrap, it would initiate an emergency response.  I also wrote an article about these Ekahau devices being deployed in a psychiatric hospital as a staff emergency-alert setup in order to describe Wi-Fi serving a security/safety use case with the home network.

This application is being seen as a driver for other “Internet-of-Things” and smart-building technologies in this usage case, such as online access-control systems, energy management or custom experiences for guests. As I have said before when talking about what the smart lock will offer, the hotel may be seen as a place where most of us may deal with or experience one or more of the smart-building technologies. Also I see these places existing as a proving ground for these technologies in front of many householders or small-business owners who will be managing their own IT setups.

One of the issues being drummed up in this article is quality-of-service for the Internet Of Things whereupon the device must be able to send a signal from anywhere on the premises with receiving endpoints receiving this signal with no delay. It will become an issue as the packet-driven technologies like the Internet replace traditional circuit-based technologies like telephone or 2-way radio for signalling or machine-to-machine communication.

The hotel application is based around the use of multiple access points, typically to provide consistent Wi-Fi service for staff and guests. Such a setup is about making sure that staff and guests aren’t out of range of the property’s Wi-Fi network and the same quality of service for all network and Internet use cases is consistent throughout the building. Here, concepts like mesh-driven Wi-Fi, adaptive-antenna approaches, load-balancing and smart smooth roaming are effectively rolled in to the design of these networks.

Wi-Fi access points in the smart-building network will also be expected to serve as bridges between IP-based networks and non-IP “Internet-of-Things” networks like Bluetooth Low Energy (Bluetooth Smart), Zigbee, Z-Wave or DECT-ULE. These latter networks are pushed towards this application class due to the fact that they are designed to support very long battery runtimes on commodity batteries like AA Duracells or coin-style watch batteries. There will be an emphasis on localised bridging and the IP-network-as-backbone to provide better localisation and efficient operation.

These systems are being driven towards single-screen property-specific dashboards where you can see the information regarding the premises “at a glance”. I would reckon that operating-system-native applications and, perhaps, Progressive Web App versions will also be required to use operating-system-specific features like notification-panels to improve their utility factor in this context.

As far as the home network is concerned, I do see most of these technological concepts being rolled out to the smart home with an expectation to provide a similar service for householders and small businesses. This is more important as ISPs in competitive markets see the “Internet of Things” and improved Wi-Fi as a product differentiator.

The use of multiple Wi-Fi access points to cover an average home being made real for a home network thanks to HomePlug wireless access points, Wi-Fi range extenders and distributed-Wi-Fi systems that will bring this kind of localised Wi-Fi to the smart home. Typically this is to rectify Wi-Fi coverage shortcomings that crop up in particular architecture scenarios like multi-storey / split-level premises and use of building materials and furniture that limit RF throughput. It is also brought about thanks to the use of higher-frequency wavebands like 5GHz as Wi-Fi network wavebands.

There will be an industry expectation to require access points and similar devices to provide this kind of “open-bridging” for Internet-of-Things networks. This is more so where battery-operated sensor or controller devices like thermostatic radiator valves and smart locks will rely on “low-power” approaches including the use of Zigbee, Z-Wave or similar network technology.

It will also be driven typically by carrier-supplied routers that have home-automation controller functionality which would work with the carrier’s or ISP’s home-automation and security services.

To the same extent, it may require “smart-home / building-automation” networks to support the use of IP-based transports like Wi-Fi, HomePlug and Ethernet as an alternative backhaul in addition to their meshing or similar approaches these technologies offer to extend their coverage.

In some cases, it may be about Zigbee / Z-Wave setups with very few devices located at each end of the house or with devices that can’t always be “in the mesh” for these systems due to them entering a “sleep mode” due to inactivity, or there could be the usual RF difficulties that can plague Wi-Fi networks affecting these technologies.

DECT-ULE, based on the DECT cordless-phone technology and is being championed by some European technology names, doesn’t support meshing at all and IP-based bridging and backhauls could work as a way to extend its coverage.

Such situation may be rectified by access points that use a wired backbone like Ethernet or HomePlug powerline.

In the context of the staff panic button use-case, it will roll out to the home network as part of a variety of applications. The common application that will come about will be to allow the elderly, disabled people, convalescents and the like who need continual medical care to live at home independently or with support from people assuming a carer role.

This will be driven by the “ageing at home” principle and similar agendas that are being driven by the fact that people born during the post-war baby boom are becoming older as well as the rise of increased personal lifespans.

Similarly, this application may also be underscored as a security measure for those of us who are concerned about our loved ones being home alone in a high-risk environment. This is more so in neighbourhoods where the risk of a violent crime being committed is very strong.

But I would see this concept work beyond these use cases. For example, a UK / European central-heating system that is set up with each radiator equipped with a “smart” thermostatic radiator valve that is tied in with the smart-home system. Or the use of many different control surfaces to manage lighting, comfort and home-entertainment through the connected home. This is something that will rise up as most of us take on the concept of the smart home as the technology standardises and becomes more affordable.

What is being highlighted is the requirement for high quality-of-service when it comes to sending “Internet-of-Things” signalling or control data as our networks become more congested with more gadgets. Similarly, it is about being able to use IP-based network technology as a backhaul for non-IP network data that is part of the Internet-of-Things but providing the right kind of routing to assure proper coverage and quality-of-service.

Send to Kindle

5G mobile broadband and Wi-Fi can complement each other

Article

Netgear Nighthawk 5G Mobile Hotspot press image courtesy of NETGEAR USA

Netgear Nighthawk 5G Mobile Hotspot – first retail 5G device

Why You’ll Still Need Wifi When 5G Is Everywhere, According To The Wi-Fi Alliance | Gizmodo

Wi-Fi Alliance: Wi-Fi, 5G will be complementary | FierceWireless

My Comments

There is some hype being driven by organisations defending the 5G mobile broadband and Wi-Fi wireless LAN technologies about their technology being the only one for our connected lives.

Some existing devices use 5G mobile-broadband technology but connect to endpoint devices like mobile phones using Wi-Fi. Initially they are routers being deployed by mobile carriers as a proof of concept or for network trials while AT&T were offering a “Mi-Fi” for retail sale in the USA that implements 5G technology. At the moment, 5G hasn’t been rolled out in the form of a smartphone or a mobile-broadband modem that is integrated in or connected by USB to a host computer.

Both Wi-Fi 5 (802.11ac and prior technologies) and 4G LTE mobile broadband have seen widespread deployment with each technology being seen by mobile users as offering a complementary role. Networks and equipment running the newer technologies (5G and Wi-Fi 6) will be backward compatible and offer a best-case approach to this compatibility. That is if both the network and end-user equipment run the same technology, the user gains the most benefit from what the new technology offers.

It has been identified that both technologies at their latest specification can complement each other. Here, 5G will earn its keep in the outdoors and in a mobile context while the Wi-Fi 6 (802.11ax) technology will earn its keep indoors. This is although public-access Wi-Fi networks will be seen by mobile carriers as a cost-effective data-offload tool.

Wi-Fi also has supporting technologies like WiGig and Wi-Fi HaLow. The former one will match 5G for speed but uses a short range equivalent to an ordinary room in the house, while the latter benefits from long range and power efficiency but doesn’t have the speed. Wi-Fi HaLow will then end up in the smart-home, smart-building, connected-car and smart-city application spaces where data throughput isn’t all that necessary. This is while WiGig will end up with virtual reality, augmented reality, 4G video and other bandwidth-intensive applications.

Then there is also the kind of spectrum available for each technology. Wi-Fi technologies primarily rely on unlicensed radio spectrum which makes them popular for households and businesses to deploy. It is in contrast to 5G which, like other cellular mobile telecommunications technologies, relies on licensed radio spectrum which the mobile carrier has to deal with the national radiocommunications authority organise and purchase a license to use.

There is also a trend regarding wireless-network equipment design where there is a software-defined approach towards the media-level components. This is facilitated with small-footprint high-capability computing power and can allow the same piece of equipment to honour newer standards.

Another factor that is never raised is the concept of the local network where data can be transferred between co-located devices at the same premises. 5G is really positioned as a wireless “last mile” setup for providing telecommunications and Internet service to the end-user. This is while Wi-Fi is intended primarily to work as a local network but is used to distribute a single broadband service to multiple endpoint devices.

What really is now seen is that the new 5G mobile broadband and Wi-Fi 6 (802.11ax) LAN technologies can complement each other in a horses-for-courses manner.

Send to Kindle

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

It is being identified that network connectivity devices and devices that are part of the Internet-Of-Things are being considered the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored in to the device’s design along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network videosurveillance cameras. Recently in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport.There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software and the routers crashed.

Now the BSI who are Germany’s federal information-security government department have taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker sithation and the local-network-based attacker situation such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also addresses that sore point associated with router firmware. They address the issue of updating your router with the latest firmware whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can hang the end-user high and dry especially if there are newly-discovered weaknesses in the firmware after the manufacturer ceases to provide that software support.

The standard also places support for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to avoid the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This is because of risks like us purchasing equipment that has just been superseded typically to take advantage of lower prices,  or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

Send to Kindle