Tag: network infrastructure

The UK to mandate security standards for home network routers and smart devices

Articles

UK mulls security warnings for smart home devices | Engadget

New UK Laws to Make Broadband Routers and IoT Kit More Secure | ISP Review

From the horse’s mouth

UK Government – Department for Digital, Culture, Media and Sport

Plans announced to introduce new laws for internet connected devices (Press Release)

My Comments

A common issue continually raised in IT security circles is the poor security of network-infrastructure devices and dedicated-function devices, more so for devices targeted at households or small businesses.

Typical issues include simple default user credentials that are rarely changed by the end user once the device is commissioned, and the ease with which malware can be slipped on to this class of device. This led to situations like the Mirai botnet used for distributed denial-of-service attacks, along with a recent Russia-sponsored malware attack involving home-network routers.

Various government bodies aren’t leaving industry to handle this issue by itself and are using secondary legislation or mandated standards to enforce the availability of devices that are “secure by design”. This is in addition to technology standards bodies like the Z-Wave Alliance, who stand behind logo-driven certification and use their clout to enforce a secure-by-design approach.

Netgear DG834G ADSL2 wireless router

Home-network routers will soon be required to have a cybersecurity-compliance label to be sold in the UK

The German federal government took a step towards having home-network routers “secure by design” by having the BSI, the country’s federal office for information security, define the TR-03148 secure-design standard for this class of device. This addresses minimum standards for the Wi-Fi network segments, the device-management account and user experience, along with software quality control for the device’s firmware.

Similarly, the European Union has started on the legal framework for a “secure-by-design” certification approach, which the press have likened to the “traffic-light” labelling on food and drink packaging that indicates nutritional value. It sits alongside their GDPR data-security and user-privacy efforts, and both the German and European efforts underscore the European concern about data security and user privacy, a concern that stems from the existence of police states within Europe through the 20th century.

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

… as will smart-home devices like the Amazon Echo

But the UK government has taken its own steps towards mandating that home-network devices be designed for security. It will use consumer-protection and trading-standards law to put a security-rating label on these devices, with a long-term view of making these labels mandatory. It is in a similar vein to the product-labelling requirements for other consumer goods that denote factors like energy or water consumption or functional capabilities.

Here, the device will have to meet requirements like proper management of user and administrative credentials; proper software quality and integrity control, including update and end-of-support policies; simplified setup and maintenance procedures; and the ability to remove personal data from the device or reset it to a known state, such as when the customer relinquishes the device.

Other countries may use their trading-standards laws in this same vein to enforce a secure-by-design approach for dedicated-function devices sold to consumers and small businesses. It may also be part of various data-security and user-privacy remits that various jurisdictions will be pursuing.

The emphasis on proper software quality and integrity requirements as part of a secure-by-design approach for modem routers, smart TVs and “smart-home” devices is something I value, because a bug in the device’s firmware can be the entry point for a security exploit. It will also encourage manufacturers to ship these devices with highly-optimised firmware and to implement newer requirements effectively.

At least more countries are taking a step towards proper cybersecurity requirements for devices sold to households and small businesses by using labels and trading-standards requirements for this purpose.

20 Years of Wi-Fi wireless

From the horse’s mouth

Wi-Fi Alliance Wi-Fi Alliance 20th anniversary logo courtesy of Wi-Fi Alliance

20 Years of Wi-Fi (Press Release)

My Comments

“Hey, what’s the Wi-Fi password here?” This is a very common question around the home as guests want to come on to your home network during their visit. Or one asks the barista or waiter at the cafe “Do you have Wi-Fi here?” with some free Internet use in mind.

“What’s the Wi-Fi password?”

It is brought about by Wi-Fi wireless-network technology, which has become a major lifestyle changer over the last 20 years. This was propelled in the early 2000s when Intel advanced the Centrino platform with its integrated Wi-Fi network interface, which put forward the idea of highly-portable computing.

Dell XPS 13 9380 lifestyle press picture courtesy of Dell Corporation

The laptop like this Dell XPS 13 – part of the Wi-Fi lifestyle

The laptop computer, mobile-platform tablet and smartphone benefited from Wi-Fi due to their inherently-portable nature. This effectively allowed for “anywhere anytime” online work and play lifestyle including using that iPad or smartphone as a second screen while watching TV. Let’s not forget the use of Internet radios, network-based multiroom audio setups and those smart speakers answering you when you speak to them.

“Do you have free Wi-Fi here?”

Over the years there has been incremental improvements in bandwidth, security and quality-of-service for Wi-Fi networks both in the home and the office. Just lately, we are seeing home networks equipped with distributed Wi-Fi setups where there are multiple access-point devices working with a wired or wireless backhaul. This is to assure full coverage of our homes with Wi-Fi wireless signals, especially as we face different floorplans and building-material types that may not assure this kind of coverage.

But from this year onwards, new Wi-Fi networks will be based on Wi-Fi 6 (802.11ax) technology and implement WPA3-grade security. There is also the move to open up the 6GHz band around the world to Wi-Fi wireless-network traffic, along with support for Internet-of-Things applications.

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The Wi-Fi router – part of every household

The public-access Wi-Fi networks will be more about simple but secure login and usage experiences thanks to Wi-Fi Passpoint. This will include simplified roaming between multiple Wi-Fi public-access hotspot networks, whether this is based on business relationships or not. It will also lead to telcos using Wi-Fi networks as a method to facilitate complementary coverage for their mobile-broadband networks whether they use current technology or the new 5G technology.

What needs to happen for Wi-Fi is to see work take place regarding high-efficiency chipsets for Internet-of-Things applications where such devices will be required to run on a small number of commodity batteries for a long time. One requirement I would like to see for public-access Wi-Fi is the ability to create user-defined “secure device clusters” that allow devices in that cluster to discover each other across the same public-access network but other devices outside of the cluster can’t discover them.

So happy 20th Anniversary to the network technology that has effectively changed our online lifestyle – the Wi-Fi wireless network.

Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices that share one IP address range behind the same router, irrespective of the media they use to connect to that network, like Ethernet or Wi-Fi wireless. It exists at Layer 3 (Network Layer) of the OSI model and is expressed as an IP (Internet Protocol) address prefix, whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network, thanks to the client-isolation functionality that the router or access points serving the hotspot offer. Being on the same logical network therefore doesn’t guarantee that two devices can reach each other.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the one-time code that confirms what we have along with what we know. But in a lot of situations, the smartphone and the computer we want to use to gain access to the resources exist on the same network. This may be our home or business network, a public-access hotspot, or our laptop tethered to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other, more so if the devices are communicating behind the same Wi-Fi access point or Ethernet switch. The concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup, if you are thinking of two devices that are both able to connect to a network via Wi-Fi. This is more so now that the phishing of one-time passcodes that the user transcribes from one device to another has been raised as an issue.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet / logical network behind the same gateway device (router) could be a way to attest that both devices are in the same premises. The same test can also use the Layer 3 “hop count”, derived from the TTL field that each router decrements as it forwards a packet, which indicates how many logical networks lie between the two devices.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi Wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the BSSID, which identifies the particular access point the devices are connecting through, or the ESSID, which is the network’s “call sign”. The BSSID could be used for a public hotspot network including a “hotzone” network run by a local government or ISP, or a large network that uses many access points, while the ESSID approach could be used simply for a small network with a few access points.
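To make the “same network”, “same access point” and hop-count tests concrete, here is an added example in Python. It is my own illustration, not code from any product or standard mentioned on this page. It assumes that an app on each device can read its own IP address with prefix length, its default gateway and, on Wi-Fi, the BSSID of the access point it is associated with; the field names and the sample addresses are constructed for the example. The hop count is estimated from the TTL of a packet received from the other device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attachment:
    """What an app can learn about its own device's network attachment.
    Field names are this example's own; sample values used with it are constructed."""
    address: str                  # own IP with prefix length, e.g. "192.168.1.20/24"
    gateway: str                  # default gateway the device is using
    bssid: Optional[str] = None   # MAC of the Wi-Fi access point it is associated with
    essid: Optional[str] = None   # Wi-Fi network name


def hops_from_ttl(observed_ttl: int) -> int:
    """Estimate how many routers a packet from the peer crossed, from its TTL.
    Hosts start at 64, 128 or 255 and every router decrements by one, so take
    the smallest common starting value that is not below what was observed."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range")


def same_logical_network(a: Attachment, b: Attachment) -> bool:
    """Both addresses inside one IP prefix *and* behind the same gateway.
    The gateway check matters: private ranges such as 192.168.1.0/24 are reused
    in millions of homes, so a matching prefix on its own proves nothing."""
    net_a = ipaddress.ip_interface(a.address).network
    net_b = ipaddress.ip_interface(b.address).network
    if net_a.version != net_b.version or net_a != net_b:
        return False
    return ipaddress.ip_address(a.gateway) == ipaddress.ip_address(b.gateway)


def _norm_mac(mac: str) -> str:
    # Accept "aa:bb:cc:dd:ee:01", "AA-BB-CC-DD-EE-01" and similar spellings.
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def proximity_level(a: Attachment, b: Attachment, peer_ttl: Optional[int] = None) -> str:
    """Strongest claim the attributes support: 'remote' < 'same_network' < 'same_access_point'.
    peer_ttl is the TTL seen on a packet from the other device, if one was received.
    On a guest or hotspot network with client isolation no such packet will ever
    arrive, so treat 'same_network' as a hint rather than a proof."""
    if peer_ttl is not None and hops_from_ttl(peer_ttl) > 0:
        return "remote"                    # routed: at least one logical network in between
    if not same_logical_network(a, b):
        return "remote"
    if a.bssid and b.bssid and _norm_mac(a.bssid) == _norm_mac(b.bssid):
        return "same_access_point"         # same radio, so plausibly the same room
    return "same_network"                  # same premises network, e.g. Ethernet plus Wi-Fi
```

The gateway comparison is the part most home-grown implementations forget: two flats that both use 192.168.1.0/24 would otherwise test as “same premises”.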

Trusted networks with authentication certificates

On the other hand, there could be the concept of creating “trusted networks” where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. It could be used to work against man-in-the-middle attacks as well as a stronger approach to attesting trust between the client device and the network it proposes to access.

The initial appeal for this concept could be to attest the authenticity of a business’s network especially in the face of business partners or customers who want to use that network as a gateway to the Internet or use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide for the simple yet secure public-access Wi-Fi network: the client authenticates using 802.1X / EAP and validates the certificate that the hotspot’s authentication server presents, so it knows it is talking to the genuine network.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. Then this data could be created by the ISP as a “known trusted network” with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service especially to cater for “proof-of-presence” applications.

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, it is a practical way of assessing a device’s proximity to other devices, although it is a hint rather than a proof, because private IP ranges are reused everywhere and a VPN or a bridged network can make remote devices look local. But the use of certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

Network-connectivity devices and devices that are part of the Internet of Things are being identified as the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored in to the device’s design, along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack in 2016 on some Websites and a major DNS provider, carried out through network video-surveillance cameras and recorders that had been compromised via their unchanged default credentials. Shortly afterwards, in late 2016, a Mirai-style attack was launched by the “BestBuy” hacker against home-network routers, including the Speedport models built by Zyxel and others that Deutsche Telekom provided as standard customer-premises equipment in Germany, hence the large installed base. But the attempt failed due to buggy malware, and the routers crashed instead.

Now the BSI, Germany’s federal information-security government department, has taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker situation and the local-network-based attacker situation, such as a computer on the home network running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.
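Here is an added example in Python of the two checks above applied to a router’s factory defaults: that the ESSID and passphrase don’t embed the make, model or a MAC address, and that a passphrase meets the stated minimum of eight characters with at least two from each class. This is my own illustration, not code from the BSI or any router vendor. The “amber” intermediate rating, the finding strings and the sample vendor, model and MAC values are assumptions constructed for the example; the 8 to 63 printable-ASCII range is the WPA2 passphrase limit.

```python
import re
import string
from typing import Dict, List

SPECIALS = frozenset(string.punctuation)


def _alnum(value: str) -> str:
    return re.sub(r"[^a-z0-9]", "", value.lower())


def derived_from_device(value: str, vendor: str, model: str, macs: List[str]) -> bool:
    """True when an SSID or passphrase embeds the router's make, model, or any
    interface MAC address (whole, or its last three octets, which vendors like
    to use as a default SSID suffix). Matching ignores case and punctuation."""
    needles = [_alnum(vendor), _alnum(model)]
    for mac in macs:
        hexmac = re.sub(r"[^0-9a-f]", "", mac.lower())
        needles += [hexmac, hexmac[-6:]]
    haystack = _alnum(value)
    return any(n and n in haystack for n in needles)


def character_classes(pw: str) -> Dict[str, int]:
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in SPECIALS for c in pw),
    }


def rate_password(pw: str) -> str:
    """Traffic-light rating. 'green' is the minimum quoted above (8+ characters,
    at least two from each of the four classes). 'amber' (8+ characters with
    three classes present) is this example's own intermediate step."""
    counts = character_classes(pw)
    if len(pw) >= 8 and all(n >= 2 for n in counts.values()):
        return "green"
    if len(pw) >= 8 and sum(n > 0 for n in counts.values()) >= 3:
        return "amber"
    return "red"


def audit_wifi_defaults(ssid: str, passphrase: str, vendor: str, model: str,
                        macs: List[str]) -> List[str]:
    """Findings a factory-defaults check would raise; an empty list means clean."""
    findings = []
    if derived_from_device(ssid, vendor, model, macs):
        findings.append("ssid derived from device identity")
    if derived_from_device(passphrase, vendor, model, macs):
        findings.append("passphrase derived from device identity")
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        findings.append("passphrase outside the WPA2 8-63 printable-ASCII range")
    rating = rate_password(passphrase)
    if rating != "green":
        findings.append(f"passphrase strength {rating}")
    return findings
```

Running the same audit on a user-chosen passphrase gives the traffic-light feedback the standard asks for; running it on the factory values is the check a reviewer would perform before certifying a model.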

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.
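As an added example of the management-account requirements just described (an attempt log, a growing lockout delay against brute force, and management access limited to the primary LAN), here is a small gatekeeper in Python. It is my own illustration, not code from the BSI guideline or any router firmware. The threshold of three failures, the 10-second base delay that doubles with each further failure, the LAN prefix and the sample passwords and source addresses are all assumptions constructed for the example.

```python
import hmac
import ipaddress
import time
from typing import Callable, List, Tuple


def make_checker(expected: str) -> Callable[[str], bool]:
    """Constant-time comparison, so response timing leaks nothing about the password."""
    return lambda candidate: hmac.compare_digest(candidate.encode(), expected.encode())


class ManagementLogin:
    """Gatekeeper for the router's management account. Records every attempt,
    refuses requests that do not come from the primary LAN, and after
    `threshold` consecutive failures imposes a delay that doubles with each
    further failure (the code-protected car radio behaviour described above),
    capped at `max_delay`. The clock is injectable so tests need not sleep."""

    def __init__(self, check_password: Callable[[str], bool], lan: str = "192.168.1.0/24", *,
                 threshold: int = 3, base_delay: float = 10.0, max_delay: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._check = check_password
        self.lan = ipaddress.ip_network(lan)
        self.threshold, self.base_delay, self.max_delay = threshold, base_delay, max_delay
        self._clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.log: List[Tuple[float, str, str]] = []   # (time, source, outcome)

    def _delay_after(self, failures: int) -> float:
        return min(self.base_delay * 2 ** (failures - self.threshold), self.max_delay)

    def attempt(self, source: str, password: str) -> str:
        now = self._clock()
        if ipaddress.ip_address(source) not in self.lan:
            outcome = "rejected-not-lan"          # management page is LAN-only
        elif now < self.locked_until:
            outcome = "locked"                    # do not even evaluate the password
        elif self._check(password):
            self.failures = 0
            outcome = "ok"
        else:
            self.failures += 1
            outcome = "failed"
            if self.failures >= self.threshold:
                self.locked_until = now + self._delay_after(self.failures)
                outcome = "failed-locked"
        self.log.append((now, source, outcome))
        return outcome


class FakeClock:
    """Manual clock for the demo below; advance it with .t += seconds."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> List[str]:
    """Drive the gatekeeper through a brute-force burst and return the outcomes."""
    clock = FakeClock()
    login = ManagementLogin(make_checker("Kv7!mN2#pQ9$"), clock=clock)
    out = [login.attempt("203.0.113.7", "Kv7!mN2#pQ9$")]       # WAN side, right password: refused
    for guess in ("admin", "password", "12345678"):            # three failures -> 10 s lockout
        out.append(login.attempt("192.168.1.50", guess))
    out.append(login.attempt("192.168.1.50", "Kv7!mN2#pQ9$"))  # right password, still locked
    clock.t += 10.0                                            # lockout expires
    out.append(login.attempt("192.168.1.50", "letmein"))       # 4th failure -> 20 s lockout
    clock.t += 20.0
    out.append(login.attempt("192.168.1.50", "Kv7!mN2#pQ9$"))  # lockout expired: success
    return out
```

Note that a correct password presented during the lockout window is still refused and logged; otherwise an attacker could interleave guesses with the lockout and learn nothing from the delay. A session timeout would sit on top of this, expiring the session token rather than the login gate.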

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also address that sore point associated with router firmware: updating your router with the latest firmware, whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the highly-functional open-source firmware of the OpenWrt kind, but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who like to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can leave the end user high and dry, especially if weaknesses are discovered in the firmware after the manufacturer ceases to provide that software support.

The standard also places support for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to avoid the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.
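To show how signed-firmware checking and the anti-bricking arrangement fit together, here is an added example in Python. It is my own illustration, not the BSI’s or any vendor’s update mechanism. The image container (a magic string, version, length, payload and a 32-byte tag) is constructed for the example, and HMAC-SHA256 stands in for the vendor’s signature so the code needs nothing outside the standard library; a real router would hold only a public key and verify an asymmetric signature (RSA or ECDSA), whereas here the verifying key would have to stay secret on the device. The two-slot flash layout shows why a corrupt download can’t take the router down: the running slot is never written to.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")   # magic, version, payload length (constructed format)
TAG_LEN = 32


class FirmwareError(Exception):
    pass


def build_image(version: int, payload: bytes, signing_key: Optional[bytes] = None) -> bytes:
    """Vendor side: header + payload, plus an authentication tag if a key is given.
    Stand-in note: HMAC-SHA256 replaces the asymmetric signature a vendor would use."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(signing_key, header + payload, hashlib.sha256).digest() if signing_key else b""
    return header + payload + tag


def parse_image(blob: bytes, verify_key: bytes) -> Tuple[int, bytes, bool]:
    """Router side. Returns (version, payload, signed). 'signed' is False only for
    an image carrying no tag at all; a tag that is present but wrong is an error,
    as is any truncation or corruption of the container."""
    if len(blob) < HEADER.size:
        raise FirmwareError("truncated header")
    magic, version, length = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise FirmwareError("not a firmware image")
    body_end = HEADER.size + length
    if len(blob) < body_end:
        raise FirmwareError("truncated payload")
    tag = bytes(blob[body_end:])
    if not tag:
        return version, bytes(blob[HEADER.size:body_end]), False
    if len(tag) != TAG_LEN:
        raise FirmwareError("malformed signature")
    expected = hmac.new(verify_key, bytes(blob[:body_end]), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise FirmwareError("signature mismatch")
    return version, bytes(blob[HEADER.size:body_end]), True


class Flash:
    """Two firmware slots. An update is verified and written into the spare slot
    and only then becomes active, so a bad download never touches the running
    image (the anti-bricking arrangement)."""

    def __init__(self, factory_image: bytes, verify_key: bytes) -> None:
        self.slots: List[Optional[bytes]] = [factory_image, None]
        self.active = 0
        self.verify_key = verify_key
        self.warnings: List[str] = []

    def current_version(self) -> int:
        return parse_image(self.slots[self.active], self.verify_key)[0]

    def apply_update(self, blob: bytes, allow_unsigned: bool = False) -> int:
        version, _, signed = parse_image(blob, self.verify_key)   # raises before anything is written
        if not signed:
            if not allow_unsigned:
                raise FirmwareError("unsigned image refused")
            self.warnings.append(f"installing unsigned firmware v{version}")   # the user warning
        spare = 1 - self.active
        self.slots[spare] = bytes(blob)
        self.active = spare           # flip only after verification succeeded
        return version


def update_rejected(flash: Flash, blob: bytes, **kwargs) -> bool:
    """True if the update was refused and the running slot was left untouched."""
    before = (flash.active, flash.slots[flash.active])
    try:
        flash.apply_update(blob, **kwargs)
        return False
    except FirmwareError:
        return (flash.active, flash.slots[flash.active]) == before
```

The ordering inside `apply_update` is the whole point: verification happens on the downloaded bytes first, the spare slot is written second, and the active-slot pointer is changed last, so a power cut or a bad file at any step still leaves a bootable image in place.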

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This matters because of risks like us purchasing equipment that has just been superseded, typically to take advantage of lower prices, or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware, like what was done with the Linksys WRT54G, or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout throughout Europe, or at least the German-speaking countries, when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, the EU could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

Consumer Electronics Show 2017–Accessories and the Home Network

In this article about the Consumer Electronics Show 2017 that occurred in Las Vegas, Nevada, I will be covering the trends affecting computer peripherals and accessories and the home network.

1: Computer Trends

2: Accessories And The Home Network

Peripherals and Accessories

A very dominant usage case being highlighted for laptops and 2-in-1 computers is the creation of a fully-fledged workstation at your main workspace or game-playing space. This involves connecting the portable computer to at least one larger-sized screen along with a desktop-grade full-size keyboard and mouse. Such workstations may even be the place where you connect extra non-portable storage devices like USB hard disks or optical drives or connect to your network via a blue Ethernet cable rather than the Wi-Fi wireless connection for improved reliability.

Lenovo ThinkPad X1 Carbon USB-C Thunderbolt-3 detail image - press picture courtesy of Lenovo USA

USB Type-C or Thunderbolt 3 ports will be seen as the way to connect expansion docks, peripherals and the like to your laptop

The USB-C connector and its higher-speed variant, the Thunderbolt 3 connector have been valued as a way to provide a single-cable connection option between your laptop and the normally-sessile peripherals once you used an expansion module, commonly known as a docking station or dock. Here, you would connect all the peripherals to this expansion module then connect your laptop computer to that same device via USB-C or Thunderbolt. This is also underscored by a significant number of these devices being equipped with USB Power Delivery to power the portable computer from that same device, underscoring that “one cable to connect” goal.

Let’s not forget that some manufacturers are integrating this “dock” functionality in to some of their display monitors so that these screens are where you can connect your keyboard, mouse and external hard disk.

Lenovo had pitched the ThinkVision P24h and P27h monitors which have a QHD (2560×1440) display resolution and a high colour gamut covering sRGB “out of the box”. These monitors, with the super-narrow bezel, implement a USB-C connection to the host computer facilitating a DisplayPort 1.2 connection, the data connection, and a Power Delivery connection with a power budget of 45W, along with a four-port self-powered USB hub.

LG's 32" 4K monitor with HDR10 - press picture courtesy of LG USA

LG’s 32″ 4K monitor with HDR10

LG had teased a 32” 4K monitor which has the narrow bezel and can handle HDR10 video but also offer this similar USB-C connectivity and USB hub. They also tweaked the monitor’s integral speakers for that bit of extra “kick” from the bass. They also are pleasing the gamer clans by offering the UltraFine 34” 5K and 4K UHD gaming monitors with features like AMD’s FreeSync technology and 1ms motion-blur reduction.

Dell had advanced a range of monitors including the UltraSharp 32” 8K UHD model and the 27” Ultrathin monitor which has its electronics housed in its base. This monitor implements USB-C connectivity to the host along with a QHD display.

Dell UP3218K 8K 32" monitor press image courtesy of Dell

It’s not 4K resolution in this Dell 32″ monitor, it is 8K resolution

They even advanced the 24” Touch monitor with an integral 10-point touchscreen along with the 24” Video Conferencing Monitor which has an integral Full-HD IR Webcam that has a privacy shutter. This monitor’s camera also adds on support for facial-recognition login under Windows Hello while the sound is catered for with a pair of 5-watt speakers and a noise-cancelling microphone built in.

Dell S2718D 27" slimline monitor press image courtesy of Dell

Dell’s slimline 27″ monitor with its electronics in its base

Even households aren’t left out with a range of monitors from Dell that are designed with aesthetics and high-grade on-screen experiences. For example, the Dell 24 and 27 monitors (S2418HX / S2718HX) implement the ultra-narrow-bezel design being implemented in most of Dell’s laptops and all-in-ones plus the ability to support HDR along with Waves.Maxx sound tuning.

For those of us who have a screen that currently “ticks the boxes” for our computing experience at our desks, most of the manufacturers are offering highly-capable Thunderbolt 3 and USB-C docks. Remember that you can daisy-chain 6 Thunderbolt-3 peripherals from the same Thunderbolt-3 bus, which can open up a range of possibilities.

For example, Lenovo and Dell are offering these expansion modules as part of their official accessory lineups. Lenovo’s contribution is in the form of the ThinkPad Thunderbolt 3 dock (US$279) with video connectivity in the form of 2 DisplayPort, HDMI and VGA ports; 5 USB 3.0 ports; an audio jack for those speakers; a Gigabit Ethernet port; and USB Power Delivery for the host computer with a power budget of 60 watts. There is a USB-C variant that offers similar functionality for computers not equipped with Thunderbolt 3 connectivity. Belkin have previewed the Thunderbolt 3 version of their original Thunderbolt 2 Express Dock, which will have 3 USB-3 connections, 2 Thunderbolt 3 / USB-C connections, two audio connections, a DisplayPort video connection and a Gigabit Ethernet connection. This device can supply a USB Power Delivery power budget of 85 watts, again reducing the need for extra power supplies for your computer.

In the last post I wrote about CES 2017, I had cited Zotac’s external “card-cage” graphics module which uses Thunderbolt 3 connectivity as a way to enhance their “midget PC” product. This isn’t the only product of its kind to appear at this show. MSI also premiered the GUS (Graphics Upgrade System) “card-cage” external GPU system. This is styled for gaming and is a refresh of their original GUS external graphics module that they launched in 2012, but implementing the Thunderbolt 3 standard. It has a 500W power supply and USB 3.0 Type-C and Type-A connections.

Beyond the docking stations or, should I say, expansion modules, there have been a few other computer accessories, with one of note being a Kingston 2TB USB thumb drive.

The home network

A key trend affecting the home network this year at the CES 2017 is the concept of distributed Wi-Fi wireless systems. This consists of kits that use multiple devices to spread the Wi-Fi network’s coverage over a large area. They have appeared because most householders have run in to issues with their home network’s Wi-Fi wireless segment not providing reliable wireless coverage everywhere in their house.

They are typically based on a single chipset and most of them implement a dedicated wireless backhaul between the slave devices and the master access point. A significant number of these devices implement a “mesh” topology where there is a “root” node that works as a router along with multiple access point “nodes” that connect with each other and the “root” node to provide Wi-Fi coverage, using multiple backhaul connections for load-balancing, fail-safe operation and increased bandwidth. Other systems implement the traditional router and range-extender method with a single upstream connection but have a simplified setup method and properly simple roaming between the access points.

The problem with these systems is that you have to use equipment offered by the same manufacturer as part of that same system. This means there is no interoperability between vendors, which, at the moment, is stifling innovation.

Qualcomm launched their Wi-Fi mesh chipsets which also implement Bluetooth, CSRMesh and Zigbee to support the “Internet Of Things”. The software is also based around a dedicated software framework and cloud services. These systems also support wired backhauls and multiple-hop mesh setups.

D-Link Covr router and wireless extender package press image courtesy of D-Link

D-Link Covr router and wireless extender package

D-Link had premiered the Covr distributed Wi-Fi system which consists of a router and a wireless extender that implements the automatic setup and simplified roaming. For those of us with existing home networks, they also offered a Covr HomePlug system consisting of two wireless access points linked by a HomePlug AV2 powerline backbone. Another example that purely uses a Wi-Fi backbone is the NETGEAR Orbi which implements a router and a satellite extender device.

On the other hand, Linksys provided a true-mesh setup in the form of the Velop Wi-Fi system that implements multiple nodes. The Velop system is even able to work with Amazon’s Alexa voice assistant, such as controlling the guest Wi-Fi network or asking Alexa to quote your network’s credentials. If you can’t see the embedded video below, click or tap on this link to see a Linksys YouTube video which explains what Velop is about.

As well, Linksys have launched the WRT32X Gaming Router which implements the Rivet Networks Killer Wi-Fi chipset similar to what is implemented in the Dell XPS 13 Kaby Lake Ultrabook. Here, it is optimised to work with client devices that implement the Rivet Networks Killer chipsets but is a 3×3 802.11ac MU-MIMO system that supports 160kHz bandwidth. There is also the EA8300 Max-Stream AC2200 Tri-band MU-MIMO Gigabit Router which is a more affordable device based on a 2×2 802.11ac three-radio design. Both these routers are equipped with Gigabit Ethernet for LAN and WAN (Internet) connections.

Linksys even offered a WUSB400M dual-band MU-MIMO 802.11ac USB wireless network adaptor as a way to retrofit your existing laptop or desktop computer for the new-spec Wi-Fi segments. This network adaptor connects to the host computer via USB 3.0 and can work at a 2×2 AC1200 setup.

What Linksys have been offering is representative of another trend affecting the home network’s Wi-Fi segment, where Wi-Fi network infrastructure hardware is working on a simultaneous three-band approach, operating on the 2.4GHz, 5.0GHz and 5.8GHz wavebands at the same time. As well, Wi-Fi repeaters are even being set up to use the 5GHz bands as the preferred backhaul. Amped Wireless is another company offering three-band Wi-Fi network-infrastructure equipment in the form of a router and an extender.

NETGEAR Nighthawk S8000 Gaming And Media Switch press picture courtesy of NETGEAR

NETGEAR Nighthawk S8000 Gaming And Media Switch – for the home network or home entertainment unit

NETGEAR’s not silent here with the Nighthawk S8000 Media Switch which is a media-optimised Ethernet switch implementing some of the quality-of-service technologies in their managed switches but optimised for household use. As well, this house-friendly switch can support functions like link-aggregation for increased throughput on supported devices like desktop computers and NAS units with two Gigabit Ethernet connections supporting this mode.

This is also intended to complement the Nighthawk X10 gaming and media router which has an integrated Plex Media Server for USB Mass-Storage devices connected to this router’s USB ports. It is also one of the first few home routers to offer 802.11ad WiGig (60GHz) same-room wireless network LAN segment capable of a throughput three times that of the fastest 802.11ac Wi-Fi network; along with the 802.11ac 4×4 MU-MIMO three-band Wi-Fi wireless LAN segment.

As well, there are 8 Gigabit Ethernet ports which can also support port-trunking for failover or high-throughput operation like the Nighthawk S8000 switch, along with the WAN (Internet) side being looked after by a Gigabit Ethernet connection. The processing horsepower in this performance router is provided by a 1.7GHz four-core CPU and it can support VLAN setups of the port-based or 802.1Q tagged variety.

Both these devices are pitched at “core” online and VR gaming enthusiasts with those hotted-up gaming rigs, along with people who are into streaming 4K ultra-high-definition TV content. But they can also earn their keep with those of us who run our businesses from home and want “big-business-grade” connectivity for IP-based communications or cloud computing.

Another trend that is surfacing is security-optimised broadband routers for the home network. These offer the “unified threat management” abilities associated with business-grade Internet setups but in a manner that appeals to the ordinary household. The latest from this class of network-Internet “edge” device is the Norton Core router. This device implements content-filtering and security software that is also focused towards the Internet-of-Things devices in your household due to the increased awareness of security risks and poor software maintenance practices associated with these devices.

The self-updating router works with Symantec’s DNS service to prevent DNS hijacks, as well as implementing deep-packet inspection on unencrypted traffic to screen for malware and network intrusions. As for encrypted traffic, the Norton Core router will inspect the packet headers and connection metadata of this traffic class. It also comes with Norton Core Security Plus endpoint-protection software, which is a variant of the business-grade Security Premium endpoint software and can be run on 20 devices running either Windows, MacOS, iOS or Android, but the router is dependent on this endpoint software for the full protection.
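The DNS-hijack side of what such a router watches for, as an added example rather than Norton’s or Symantec’s code: the router answers DNS for the LAN itself, so any LAN host sending port-53 traffic to some other resolver is a candidate for a hijacked or malware-altered DNS setting. The addresses, hostnames and flow-record format are constructed for the example.

```python
"""Added example, not Norton's or Symantec's code: flag LAN hosts whose
DNS queries go anywhere other than the home router, which is how a
hijacked resolver setting on an IoT device shows up at the network edge.
Addresses, hostnames and the flow-record format are all constructed."""
import ipaddress
from collections import defaultdict

# Constructed: the router answers DNS for the LAN itself, so legitimate
# port-53 traffic from LAN hosts should only ever be addressed to it.
ROUTER_DNS = ipaddress.ip_address("192.168.1.1")
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample flow records: "src dst dport proto qname".
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 53 udp time.example.com
192.168.1.31 192.168.1.1 53 udp firmware.example-cam.test
192.168.1.31 203.0.113.9 53 udp firmware.example-cam.test
192.168.1.31 203.0.113.9 53 udp update.example-cam.test
192.168.1.44 192.168.1.1 53 udp www.example.org
192.168.1.44 198.51.100.7 53 tcp www.example.org
192.168.1.44 93.184.216.34 443 tcp -
"""


def parse_flows(text):
    """Turn the constructed flow text into records with typed addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        src, dst, dport, proto, qname = parts
        records.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "qname": qname,
        })
    return records


def find_dns_bypass(records, router_dns=ROUTER_DNS, lan=LAN):
    """Map each LAN host that sends DNS past the router to the foreign
    resolvers it used and the names it looked up there."""
    findings = defaultdict(lambda: {"resolvers": set(), "names": set()})
    for r in records:
        if r["dport"] != 53 or r["src"] not in lan:
            continue  # not DNS, or not one of our LAN hosts
        if r["dst"] == router_dns:
            continue  # expected path: client asks the router
        host = findings[str(r["src"])]
        host["resolvers"].add(str(r["dst"]))
        host["names"].add(r["qname"])
    return {
        host: {"resolvers": sorted(v["resolvers"]), "names": sorted(v["names"])}
        for host, v in findings.items()
    }


if __name__ == "__main__":
    for host, detail in find_dns_bypass(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", detail["resolvers"], detail["names"])
```

A host that also queries the router (as 192.168.1.31 does) is still flagged, since a hijacked device often keeps the legitimate resolver as a fallback.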

Lenovo Smart Storage home NAS press picture courtesy of Lenovo USA

Lenovo Smart Storage home NAS

Most of the network-attached-storage units were focused on the “personal cloud” trend with the device being the centre of your data-storage universe while software and services work to locate these devices from afar. Similarly, some of them are using rich media servers which can do things like obtain further data about your media content. One of these devices is one that Lenovo launched called the Smart Storage 6Tb NAS which implements facial image recognition along with event-driven recognition to make it easier to identify and organise pictures of people just like what Facebook and Windows Photo Gallery were about. This unit has 802.11ac 2×2 Wi-Fi for portable use but can be connected to your home network via an Ethernet cable.

The next article about the 2017 CES will be highlighting the trends affecting home entertainment including the new smart TVs that will be showing up.

How to effectively establish that Wi-Fi-based mobile network

Brother PocketJet PJ-773 Wireless Mobile Thermal Printer

Brother PocketJet PJ-773 Wi-Fi mobile printer – one of the mobile peripheral devices pitched to smartphone and tablet users

A major trend that has become strong over the last few years is the arrival of mobile network devices that connect to each other and to client computer devices via Wi-Fi wireless networking technology.

These are represented in the form of:

  • mobile network-attached-storage devices
  • mobile printers
  • wireless speakers, and
  • mobile broadcast-LAN tuners that work with terrestrial or satellite broadcast systems.

Network setup for mobile NAS and smartphone

Network setup for Wi-Fi-based mobile peripheral devices

What is common about all of these devices, and is treated as a key marketing feature by their vendors, is that they can be set up to be their own access point with their own DHCP server as well as being client devices to existing wireless networks. Some of these devices like most mobile NAS devices are able to work effectively as bridges or routers between an existing wireless network and the network that they create.

This may work well if you are just using the one mobile peripheral device with your mobile client devices but may not work well when you intend to run two or more mobile peripheral devices. Here, you will end up switching between different wireless networks just to benefit from the different mobile peripheral devices.

Mobile NAS as bridge setup

Wireless NAS as a bridge between mobile client devices and another Internet-providing network

But you may want to run one or more of these wireless mobile devices together to serve multiple laptops, tablets or smartphones. Situations that may come about that will call for these setups would be where you are using a mobile NAS and, perhaps, a camera that has Wi-Fi functionality or one of the new Wi-Fi-capable mobile printers. This will call for you to create a proper mobile wireless network for all of these devices.

Use a router-class device as the main device

Here, you would have to run one wireless network device as a DHCP server and “master” access point and this function can be best served by a router-class device.

"Mi-Fi" portable wireless router

A typical “Mi-Fi” portable wireless router for a mobile-broadband service

The most common examples of devices of this class that apply to “on-the-road” use are the “Mi-Fi” mobile routers that work with a mobile broadband service, or one of the travel routers pitched to work with a hotel’s wired Internet service. Some mobile NAS devices may also do this wireless-bridging functionality in an adept manner and could be the hub of your “travel network”. Similarly, one of the mobile-broadband wireless routers being integrated into some new cars by the likes of BMW and Chrysler may also answer these needs.

You may think of using your smartphone’s Wi-Fi mobile-broadband-router functionality but this may encumber your smartphone for what you want to really use it for.

Some highly-sophisticated “Mi-Fi” and travel-router devices may also expose an Ethernet connection for LAN use, perhaps through an optional extended-functionality dock. This can come in handy if you want to increase your coverage area with another wireless access point or want to use devices like games consoles with your mobile network.

You may find that you don’t need to run the Internet connection on the Mi-Fi or travel router if you are simply establishing a link between multiple mobile peripheral devices and client devices and aren’t reliant on Internet functionality for their operation. Similarly, by having your mobile devices working this way, you avoid the need to authenticate with a Wi-Fi hotspot that implements Web-based authentication to do something like gain access to your mobile NAS’s data from your iPad.

Set up known wireless network parameters

Mobile network with "Mi-Fi" router and 2 Wi-Fi-capable mobile peripheral devices

Mobile wireless network for two or more mobile devices and mobile client devices – uses a router-class device like a “Mi-Fi” router

When you set up your “Mi-Fi” or travel router, you make this device the hub of your mobile network and have every device “point” to this device’s local-network by associating with its SSID (wireless network name) and security parameters.

Most of the mobile network devices that work on an “open-frame” approach can be quickly associated to this “mobile hub” thanks to WPS-based push-button setup. For devices that don’t support this quick setup mode like most Apple devices, you will need to note down the “mobile hub’s” SSID and security passphrase. Some “Mi-Fi” devices that have a display may be able to show these details on their display, perhaps at the request of the user.

For that matter, a good practice would be to assign a unique SSID for your “mobile hub” device i.e. your Mi-Fi or travel router. This is important when you use these setups in campgrounds, caravan parks or hotels where many of these devices will be used at once.

All wireless devices to link with router-class device

It will also mean that the mobile NAS, mobile printer or other similar device has to work as a client device rather than as its own access point. This also applies to your computing devices like laptops, tablets and smartphones which also associate with the “mobile hub” device.

When positioning your mobile-network devices, make sure that they are in the range of your “mobile network hub” device i.e. the Mi-Fi or the travel router. All the wireless traffic that goes between these devices will pass through the “mobile network hub” device rather than between the devices themselves.

You may find that if you want to avoid draining your “Mi-Fi” router’s battery too quickly, it may be a good idea to have it run from a USB charger that runs from house current or your vehicle’s cigar-lighter socket. Similarly, a high-capacity USB power-pack can also earn its keep with these devices if you are away from power.

What I stand for when reviewing or researching mobile devices

When I review any device for this Website that is capable of being its own wireless network such as a mobile NAS or mobile printer, I test the device with my home network’s Wi-Fi wireless segment as if it is a client device. This is so I am sure they can work in this kind of setup as well as the highly-promoted “own access point” setup. As well, as part of researching a mobile device that uses Wi-Fi wireless technology as part of its link with client computer devices, I verify that it can work as part of an existing wireless-network segment as well as being its own segment.

Similarly, when I research a mobile router-class device like a Mi-Fi or travel router, I would expect the device to support WPS single-push connectivity along with other essential Wi-Fi connectivity and security standards. Similarly, such a device would have to be easy to configure, including setting up the SSID and passphrase. As well, the Mi-Fi device can’t be very thirsty with its battery if the goal is to have it as a “hub” device.

Conclusion

Once you are able to set up a mobile multi-device network, you can then be able to use it to store or print data while you are “on the road” without needing to constantly switch networks for each different task.

A clear reality surfaces with the Internet Of Things

Article

Linksys EA8500 broadband router press picture courtesy of Linksys USA

A tight, healthy operating-software update cycle can keep routers and other devices from being part of botnets

Hacked Shopping Mall CCTV Cameras Are Launching DDoS Attacks | Tripwire – The State Of Security

My Comments

What is being highlighted now is that devices that are normally dedicated-purpose devices are becoming more sophisticated in a way that they are effectively computers in their own right. This was highlighted with some network video-surveillance cameras used as part of a shopping mall’s security armour.

What had happened was that these cameras were found to be compromised and loaded with malware so that they were also part of a botnet, like what commonly happened in the 2000s where multiple computers loaded with malware were used as part of zombie attacks on one or more targets. In a similar way to a poorly-maintained computer, they were found to run with default passwords of the “admin – admin” kind and were subject to brute-force dictionary attacks.

AVM FRITZ!Box 3490 - Press photo courtesy AVM

AVM FRITZ!Box – self-updating firmware = secure network infrastructure

The article’s author highlighted that there needs to be work done concerning dedicated-purpose devices, whether they are network-infrastructure devices like routers or devices that are part of the “Internet Of Everything”.

Here, the devices need to run constantly-updated software, which is something that is considered necessary if the device is expected to have a long service life. The best example would be some of the routers offered to the European market like the Freebox Révolution or the AVM Fritz!Box where they receive constantly-updated firmware that at least can be downloaded at the click of an option button or, preferably, automatically updated like what happens with Windows and OS X and what is done with recent iterations of the AVM Fritz!Box firmware.

As well, a device’s setup routine should require the user to create secure credentials for the management interface. In some cases, if a device is part of a system, the system-wide management console could exchange system-specific access credentials with the member devices.
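What the setup routine and login path of such a device could enforce, as an added example (not any router or camera vendor’s code): the first-run step refuses factory-default and dictionary credentials, and the login path locks the account after repeated failures so that the “admin – admin” guessing described above cannot run unopposed. The default-credential list and the short word list are constructed stand-ins.

```python
"""Added example, not any router or camera vendor's code: a first-run
credential policy for a dedicated-purpose device's management account,
plus a failed-login lockout against dictionary guessing. The
default-credential list and the word list are constructed samples."""
import hashlib
import hmac
import os
import time

# Constructed: credential pairs this hypothetical firmware family shipped with.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", ""), ("root", "12345"),
                    ("admin", "password"), ("admin", "1234")}
# Constructed stand-in for a real dictionary wordlist.
COMMON_PASSWORDS = {"password", "admin", "letmein", "123456", "qwerty"}
MIN_LENGTH = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300
PBKDF2_ROUNDS = 100_000


def check_credentials(username, password):
    """Return the policy violations for a proposed pair; [] means accepted."""
    problems = []
    if (username, password) in FACTORY_DEFAULTS:
        problems.append("factory default credentials")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is a common dictionary entry")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


class ManagementAccount:
    """The single admin account of a device; unusable until provisioned."""

    def __init__(self):
        self.provisioned = False
        self.failures = 0
        self.locked_until = 0.0

    def provision(self, username, password):
        """Setup-routine step: refuse to finish until the policy passes."""
        problems = check_credentials(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.username = username
        self.provisioned = True

    def login(self, username, password, now=None):
        """True only for the provisioned credentials while not locked out."""
        now = time.time() if now is None else now
        if not self.provisioned or now < self.locked_until:
            return False  # no default login exists; locked accounts reject everything
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        if username == self.username and hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False
```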

What has commonly been said is that the Internet of Things needs to face a severe security incident as a “wake-up call” for such devices to be “designed for security”. This is similar to how incidents involving desktop computing, the Internet and mobile computing have served the same purpose, such as the way Windows has implemented privilege escalation on an as-needed basis since Windows Vista.

Assistance Journal–Linking a desktop computer to a home network

HomePlug AV adaptor

The HomePlug powerline adaptor – a no-new-wires network best for that desktop computer

This last Saturday, my church’s pastor opened up to me that he was running into difficulties with connecting his desktop computer to his home network. This happened after he moved to a new location due to a new ministry placement.

In his previous location he ran an integrated Wi-Fi setup because the router for his home network was located in the lounge area, next to his home office and this wasn’t causing any problems for him. But the new location required the computer and router to be further away from each other.

A follow-up call led me to find that he had bought a wireless range extender with the intent to use it as a wireless-Ethernet bridge but found that this device was difficult to configure. Here I suggested something better in the form of a HomePlug AV500 powerline network segment which is something I have always advocated on this site as a “no new wires” solution for situations involving desktop computers and similar devices. He was confused about how these network segments worked because he was used to either a “new-cables” Ethernet setup or a wireless setup as a network setup and thought this technology wasn’t going to work in his situation.

After the church service, we went out to lunch at a local shopping centre and afterwards, he and I went to a local JB Hi-Fi store in the shopping centre and he bought a HomePlug AV500 kit upon my recommendation. I had him have a look at the concept diagrams that were on the boxes of some of the other HomePlug devices stocked nearby this kit to understand what these devices were about and how they work.

Later on, my pastor rang me for assistance in setting up the HomePlug AV500 network and I helped him over the phone through the setup process where you have to press the SimpleConnect pairing buttons to pair the adaptors over the AC wiring and establish the connection. This involved holding down the SimpleConnect button on one device for 10 seconds then pressing the SimpleConnect button on the other device for 2 seconds but watching for the lights to flicker in a certain way. I also suggested that this procedure is done on power outlets that are located close to each other before finally connecting them to the desktop computer and the router.

I also stressed that these adaptors had to be plugged directly into the wall or into an ordinary powerboard or double adaptor that doesn’t have surge-protecting or line-conditioning features. A few minutes later, I received a text-message of success that he had established the HomePlug AV500 powerline segment and set this up with the desktop computer and router.

Here, this support situation illustrated the fact that Wi-Fi wireless networking doesn’t suit all network needs and situations; and that a HomePlug AV500 powerline network can provide a better “no-new-wires” solution for sessile devices like desktop computers or home entertainment equipment.

Pay-TV providers are pushing for integrating access-point functionality in to consumer-electronics devices

Article

Time for Pay TV industry to get serious about Wi-Fi | VideoNet

My Comments

LG's 4K OLED curved TV press picture courtesy of LG America

Could a smart TV like one of these be an access point for your lounge area?

Previously I have raised the idea of having integrated Wi-Fi access point functionality in consumer electronics devices as a way to provide infill coverage for your wireless network. This is due to an increasing number of network-capable consumer-electronics devices like printers, set-top boxes, smart TVs and the like having network functionality in the form of both an Ethernet socket and integrated Wi-Fi wireless networking.

Some of these devices actually repurpose the Wi-Fi network functionality as an access point during their setup routine so you can supply your home network’s Wi-Fi credentials from a smartphone or tablet for subsequent wireless-network operation. But I was drawing attention to situations like a Wi-Fi-capable smart TV installed in the secondary lounge down the back of the house where there isn’t good Wi-Fi coverage and this TV is connected to the home network via a HomePlug AV500 powerline segment, or a premium desktop printer with Wi-Fi and Ethernet used in the garage that serves as the home office and, again, is linked to the home network via a HomePlug AV2 powerline segment.

There was some attention in the TV-technology scene when AirTies put forward their Air 4920 802.11ac concurrent-dual-band wireless-network repeater which was considered capable of pushing out 4K UHDTV data streams reliably. It led to the device winning the Connected TV Award for the Best Consumer Device. This was due to it also supporting Wi-Fi Mesh functionality which uses a mesh setup in a Wi-Fi network.

But TV Connect also showed interest in a 4K set-top box which implemented the Wi-Fi Mesh technology for receiving the data while having an integrated wireless access point. It was also targeted from the point of view of a broadband provider who provides a multi-play service that includes pay-TV being able to troubleshoot and service the Wi-Fi connectivity if the connection is below par.

Of course, wired backbones are used by pay-TV providers to link set-top boxes to the home network, typically to provide IPTV services, download video-on-demand content or stream content from a DVR to another set-top device servicing the bedroom TV. Typically this is facilitated using a “no-new-wires” technology like HomePlug AV powerline or MoCA coaxial-cable which links back to the home network’s router. Why hasn’t the integrated access point functionality been investigated in these setups?

The concept can be easily implemented in most of these devices using WPS-assisted “network-clone” functionality and automatic tuning for a simplified setup experience. As well, the ability to detect a wired-backbone connection can be used to determine whether to set up the integrated Wi-Fi functionality as an access point, as a standalone Wi-Fi network like a guest network, or not to run it at all.

At least those in the pay-TV scene are waking up to the idea that an access point which is part of Wi-Fi network infrastructure doesn’t have to be part of a dedicated network-infrastructure device. Instead it can be part of a device that makes use of the network.

Linksys LRT-224 VPN router–the first of its class with an easy-to-provision VPN

Article

Linksys LRT-224 Product Review (Page 3) | SmallNetBuilder

Previous Coverage

VPNs and remote access in the home and small-business space – a lot of unanswered questions

From the horse’s mouth

Linksys

Product Page (LRT-224)

My Comments

I was skimming through a SmallNetBuilder review of the Linksys LRT-224 VPN endpoint router and came across a feature that could appeal to those of us who are creating “box-to-box” VPNs between networks.

This feature is called “Easylink VPN”. It requires an account username and password to be created on the destination router; the user then supplies the origin router with the destination router’s outside (WAN) IP address, account username and password to establish a “box-to-box” VPN.

I do see some limitations with this concept as it is applied nowadays. One is that it is set up to work only with VPNs that have the Linksys LRT-2×4 series VPN routers at each end, which doesn’t bode well for the goal of an interoperable easy-to-set-up VPN.

Similarly, there isn’t a way of identifying whether an IP-address conflict could occur once the VPN is established. As well, there isn’t support for dynamic-DNS setups, which would make things easier for the many residential and small-business Internet services that are “DHCP-only” rather than offering a static IP address.
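The conflict check that is missing, as an added example rather than Linksys’s EasyLink code: before a box-to-box VPN is brought up, compare the LAN prefixes at both sites, report any that overlap (two routers both shipping with 192.168.1.0/24 is the usual case) and propose a free private /24 for the site that has to renumber. The site prefixes and the list of common router defaults are constructed for the example.

```python
"""Added example, not Linksys's EasyLink code: pre-flight address-conflict
check for a box-to-box VPN between two small sites. Overlapping LAN
prefixes cannot be routed across the tunnel, so they are reported and a
free private prefix is proposed. All prefixes here are constructed."""
import ipaddress

# Constructed: the /24s consumer routers most often ship with, which are
# exactly the ones two homes or shops are likely to share by default.
COMMON_DEFAULT_LANS = {"192.168.0.0/24", "192.168.1.0/24",
                       "192.168.2.0/24", "10.0.0.0/24"}
RFC1918_POOLS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


def find_conflicts(origin_lans, destination_lans):
    """Return every (origin, destination) prefix pair that overlaps."""
    origin = [ipaddress.ip_network(p, strict=False) for p in origin_lans]
    dest = [ipaddress.ip_network(p, strict=False) for p in destination_lans]
    return [(str(a), str(b)) for a in origin for b in dest if a.overlaps(b)]


def suggest_free_prefix(used_lans, prefixlen=24):
    """First private prefix of the given length that overlaps nothing in
    use at either site and is not a well-known router default."""
    used = [ipaddress.ip_network(p, strict=False) for p in used_lans]
    for pool in RFC1918_POOLS:
        for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
            if str(candidate) in COMMON_DEFAULT_LANS:
                continue  # a future default-config router might collide with it
            if any(candidate.overlaps(u) for u in used):
                continue
            return str(candidate)
    return None


def plan_vpn(origin_lans, destination_lans):
    """Summarise whether the tunnel can be routed and what to change."""
    conflicts = find_conflicts(origin_lans, destination_lans)
    plan = {"routable": not conflicts, "conflicts": conflicts, "suggested": None}
    if conflicts:
        plan["suggested"] = suggest_free_prefix(
            list(origin_lans) + list(destination_lans))
    return plan


if __name__ == "__main__":
    # Constructed: a home office and a shopfront that both kept the router default.
    print(plan_vpn(["192.168.1.0/24", "10.10.0.0/16"],
                   ["192.168.1.0/24", "10.10.5.0/24", "172.16.4.0/22"]))
```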

But what I see of this is an attempt to allow home-office-plus-shopfront business operators and similar users to create a “box-to-box” VPN between locations without creating extra room for mistakes during the setup and provisioning phase. It could also work well with the UPnP RemoteAccess and ContentSync profiles as part of the goal of a multiple-device personal “cloud”.