February 08, 2016

Spectrum 101


A tremendous amount of ink has been ‘shed’ over the last 3+ years debating the various technical proposals for LTE operation in unlicensed spectrum (Ruckus has certainly weighed in when we’ve had something worthwhile to say). But maybe it’s time to back up and reexamine why these proposals are so contentious in the first place. And that will take us up to a 100,000-foot view of spectrum – how it is managed and how it is utilized.

Spectrum is managed and allocated by policymakers and/or regulators, with different countries and regions having their own unique approaches. For the sake of illustration, let’s look at the US. In the US, responsibility for spectrum management is given to the National Telecommunications and Information Administration (NTIA) and to the FCC, with the NTIA overseeing federal spectrum usage (for DoD, NASA, etc.) and the FCC overseeing commercial and other non-federal usage. Spectrum allocated by the FCC for commercial uses can further be broken down into licensed and unlicensed categories.

So, this leaves us with a US spectrum management and allocation structure roughly like this:

NTIA

  • Federal Spectrum Uses

FCC

  • Commercial Licensed Uses
  • Commercial Unlicensed Uses
  • Public Safety, Health, Education Uses (non-Federal)

Not surprisingly, the services that have been developed to use these different types of spectrum have been tightly aligned with a specific category. For instance, over-the-air TV, broadcast radio, cellular and commercial satellite services have made use of dedicated licensed spectrum; while cordless telephones, garage door openers, Bluetooth and Wi-Fi have made use of shared unlicensed spectrum.

This is one reason that proposals to link unlicensed usage with a licensed spectrum holding are hard for some to accept, because, ‘it’s never been done that way before’. But perhaps these proposals are also highlighting one of the limitations such a strict spectrum management regime imposes. And the need to identify additional spectrum for commercial uses is drawing attention to another issue with the current paradigm—some previously allocated bands (especially some allocated for federal use) are very lightly used, or not used at all in many locations.

Which will set us up nicely for a follow on introduction to coordinated shared spectrum (CSS) regimes. These new spectrum management proposals will provide regulators with an option to allocate bands for flexible use, spanning the entire range of needs from federal to commercial (both licensed and unlicensed).

AUTHOR: Dave Wright, Advanced Technologist

February 04, 2016

College students need food, sleep… and Wi-Fi. [VIDEO]


How important is Wi-Fi to education? When it comes to earning a college degree, reliable Wi-Fi is essential. Students want to be connected anywhere, any time in classrooms, dorm rooms, student centers, stadiums, or just walking across the quad.

Reliable Wi-Fi is not only fundamental in promoting consistent learning, but it is also a major factor when students are selecting a school. Why? Because Wi-Fi is almost considered a utility—as essential as water or electricity. Now, students carry more than just a cell phone; they have tablets and laptops in their bags and a smart watch or fitness tracker on their wrist, all seeking a connection at the same time. With the fast-growing capabilities we are all witnessing in smart devices, the lines between using technology for education and for recreation have blurred, and students expect higher education institutions to support this growing trend.

 

As students spend more time on their devices, teachers have noticed. They have taken steps to modernize their teaching, integrating smart devices into everyday classroom activities and curriculum delivery. Now, the classroom includes online testing platforms, in-class research, distance learning, polling and more. To make this all possible, reliable Wi-Fi is key—a wireless network that can support waves of high density connections both inside and outside the classroom.

Until recently, Evangel University had been struggling to meet the need for reliable Wi-Fi. With an outdated Wi-Fi network, students and teachers were complaining almost daily about the poor Wi-Fi experience throughout the campus. Within the past year, the university made a change. Working with Ruckus Wireless, Evangel upgraded its entire WLAN infrastructure, leveraging the ZoneFlex R710 indoor access point (AP), the world’s first enterprise-class Wave 2 11ac AP. And the benefits were instantaneous. To learn more, check out the case study.

 

Author: Diana Shtil, Product Marketing Manager


February 02, 2016

What is the Wi-Fi password?


This is one of the most common questions heard in small and mid-sized businesses (SMBs) today. With the shift in technology and consumer expectations of connectivity, SMBs do more than just provide products and services to their customers—they provide Wi-Fi.

But providing Wi-Fi can be a challenge to SMBs who have financial constraints and limited expertise in wireless networking. The options for SMBs are:

  • A low-cost, consumer-grade Wi-Fi router. This comes with a drawback: the SMB that goes this route will likely deal with connectivity issues, poor performance and the inability to support high-density environments.
  • A feature-rich, expensive WLAN infrastructure. In this scenario, the business will need to have the IT knowledge or staff to deploy and maintain the complex infrastructure, something SMBs typically do not have.
  • A fully functioning, high-performance controller-less Wi-Fi network. With this option, SMBs will benefit from a network that is easy to set up and manage while supporting the connectivity needs of the SMB’s customers while they are on-site.

In a traditional Wi-Fi network, the controller provides consolidated management for the entire Wi-Fi network in one place. These devices can be physical or virtual, and communicate with all APs in the network at the same time. But setting up a Wi-Fi network with a controller can take time, costs money and often needs IT expertise.

This is where Ruckus Unleashed comes into play. With Unleashed, the functionality of the Ruckus ZoneDirector platform is embedded directly into the Unleashed APs. Any Unleashed AP can act as the master, or controller. Unleashed is designed for a single site deployment of up to 25 APs or 512 concurrent consumer device connections. (For larger deployments or to support branch offices, ZoneDirector or SmartZone platforms are better options.) Unleashed features advanced RF performance, redundancy and resiliency all in a cost-effective package.

To learn more about Ruckus Unleashed, check out the solution brief, brochure or learn how to buy.

 

Author: Diana Shtil, Product Marketing Manager


January 21, 2016

Sacramento Kings choose Ruckus to put extra bounce in their arena Wi-Fi


By Kash Shaikh, vice president of marketing

Out with the old, in with the new. It’s a familiar phrase that still holds true. Civilization around the globe has drastically changed due to one thing: Wi-Fi. Something we lived without for so long, people can’t seem to be without for even a moment. Many companies, even those you wouldn’t expect (such as sports stadiums), now see Wi-Fi as table-stakes, and the services available through Wi-Fi as a competitive advantage.

As recently as a decade ago, nobody would have thought access to the Internet would be a competitive imperative at a basketball game. And a few years ago, Dallas Mavericks owner Mark Cuban said he wanted fans off their phones to focus on the game. That mindset has since changed. Stadiums are in a race to digitize. Pro sports teams are taking notice of the changing demographics of fans. Millennials and younger have the need to stay connected. It’s come to an age where fans are leaving college games during half time because they can’t connect to the Internet or upload pictures to social media. The younger generation expects to be connected anywhere at any time. Therefore, stadiums are on a mission to bring in the new: a future-proof infrastructure.

To keep fans connected, Ruckus Wireless and a number of other technology companies are teaming up to provision Sacramento, California’s Golden 1 Center, the new home of the Sacramento Kings, as the most connected indoor sports and entertainment venue in the world. Slated to open in time for the 2016/17 basketball season, this venue will feature a state-of-the-art indoor/outdoor Smart Wi-Fi system based on the newest 802.11ac Wave 2 standard. The network will enable the Kings to deliver a variety of new value-added and location-aware services, including multicast replays from exclusive arena camera angles, seat upgrades, real-time statistics, enhanced fan engagement and wayfinding services – all at exceptional speeds.

Ruckus Wireless will be deploying next-generation Wi-Fi access points, placed to maximize efficiency and connectivity throughout the arena, public plaza and surrounding mixed-use development. Providing unprecedented Wi-Fi coverage with the highest density of access points per fan, this venue will have a strong and reliable connection no matter how many people are using the Internet. So let the games begin! With Wi-Fi, that is.

December 15, 2015

Big Dog Predictions: Let’s Fetch Our Crystal Ball

It’s that time of year again. Time for every media outlet, analyst firm, technology pundit and prognosticator to make predictions about the year ahead. Why? Just to commemorate a change in the calendar year? So be it. We don’t want to be left out of the prediction parade, so we asked several Ruckus technology experts to share their perspective for the wireless industry in 2016 and beyond:

What’s your number one prediction for the wireless industry in 2016?

Greg Beach (Vice President of Product Management): We’ll see an insurgence of MU-MIMO capable clients and resulting capacity benefits in high client density environments.

Sundar Sankaran (Chief Wireless Architect): New business models will evolve to monetize “free” Wi-Fi.

Dave Wright (Advanced Technologist): I’ll give you two for the price of one. First, I predict that web-scale content companies (social media, search, hosted services, etc.) will launch some very-large-scale Public Access Wi-Fi projects in developing markets. Second, I expect we’ll see an acquisition or merger between a Tier 1 MSO and a Tier 1 MNO.

How will the “wireless experience” change in the next 2-3 years?

Greg: The end-user experience related to accessing Wi-Fi hotspots and BYOD-enabled enterprise networks will be easier and more secure through the use of Hotspot 2.0 and certificate-based device onboarding solutions.

Sundar: Whole home coverage will become a reality, and people will “show off” their home network at dinner parties using a smartphone app.

Dave: Hotspot 2.0 will become the de facto standard for public access and hospitality Wi-Fi. Now that we have Hotspot 2.0 support in all major mobile and laptop operating systems, Hotspot 2.0 deployments will accelerate by service providers and hotel brands. Carrier Wi-Fi calling will be one driver for this.  

Where do you expect to see the most technology innovation in the next 2-3 years?

Greg: The biggest innovation will be Wi-Fi + cellular cross-pollination and convergence (802.11ax, LAA, LWA). Other possibilities include:

  • Mainstream use of analytics to drive user experience, business process optimization and monetization;
  • Cloud interconnections and service chaining of networking services to seamlessly tie together best-of-breed technologies;
  • Secure, manageable and scalable IoT platforms that leverage multiple sensor types and wireless protocols to provide business intelligence for enterprises and cities; and
  • Continued virtualization of networking services to enable service providers to more efficiently scale and more quickly roll out new services.

Sundar: We’ll see Wi-Fi spectral efficiency and network capacity improvements through multi-user techniques such as MU-MIMO and OFDMA, along with clever scheduling schemes that steer Wi-Fi away from CSMA/CA.

Dave: Many of the traditional distinctions in the wireless industry will be “blurred” due to technology, regulatory and business advances. Blurring will happen between: licensed and unlicensed; service provider and enterprise; and, public versus private. Specific advances that will affect these include: unlicensed LTE, 802.11ax, Wi-Fi calling, enterprise IMS and WebRTC, CBRS, private LTE and Hotspot 2.0.

That’s it for now. We’ll share more insights, ideas and perspective on these trends via the Ruckus Room over the next year. And we can predict with confidence that we’ll be back next December with a new slate of predictions.

December 08, 2015

Mythbuster: Christmas and Wi-Fi Are Indeed Compatible

AUTHOR: Sundar Sankaran, Chief Wireless Architect – Wi-Fi
 
Just in time for the holidays, we can confirm it’s safe to put up your Christmas lights – without degrading your Wi-Fi connection. Yes, we actually tested it. And unless you’re Clark Griswold, you’ll be safe.
 
The back story: British regulators at Ofcom published an in-depth report last Tuesday on the UK telecoms and wireless networks. Ofcom also unveiled a Wi-Fi Checker app that people could use in their homes to test wireless and broadband signals – and the news release said home Wi-Fi can be hampered by “interference from other electronic devices, such as a microwave oven, baby monitor, a lamp - or even Christmas fairy lights.”
 
The Guardian quickly picked up on the “festive angle” with a breaking story under the headline: “Warning that Christmas fairy lights can slow your Wi-Fi.” And thus a global news meme was born, sparking a range of commentary, speculation, advice and hundreds of mostly cheeky comments about “first world problems.” While some of the discussion was thoughtful and even offered a reality check, we didn’t see any new data to counter Ofcom’s non-data.
 
So…three of us spent an afternoon last week in the Faraday cage, a “clean room” approach to testing equipment while blocking electrostatic and electromagnetic influences.
 
Here’s what we did to test the latest meme (see visual evidence below): We went to a local Target and bought four of the craziest LED “fairy lights” we could find. We took them into the Faraday cage and used a powerful spectrum analyzer ($50K+) to determine if the lights were emitting any energy that would interfere with Wi-Fi. We plugged in each strand one by one, and then all at once. We then did a second test, setting up a Wi-Fi network with an access point and client devices to do a “lights on” and “lights off” test to see if there was any degradation of Wi-Fi performance.
 
 
The result? Nada. Zip. Zilch. LED Christmas lights emitted no detectable interference in the first test, and had zero effect on Wi-Fi performance in the second. Suffice it to say that LED lights are not the scrooge of Wi-Fi-mas.
 
So go ahead and plug in your Christmas lights. While doing so, consider these pointers:

  • Speed-testing apps and sites are a very limited way to test wireless and broadband interference; they’re okay for spot-checks, but many variables can change the results depending on when and where you run them.
  • “Interference” and “obstruction” differ. Interference is caused by other devices that use radio frequencies – it’s unpredictable yet can be turned on or off. Obstruction is caused by walls, floors and physical barriers – the degradation of Wi-Fi signals is constant and predictable based on location and material.
  • Wi-Fi interference can be caused by microwave ovens, baby monitors, wireless security cameras, older cordless phones and some other wireless electronic devices – typically higher-powered ones that emit more radio energy.
  • The broadband “pipe” coming into your home often provides less bandwidth than your Wi-Fi network, and thus can be the culprit in overall performance.

P.S. Let us know if you find a set of Christmas lights that purportedly degrades your home or office Wi-Fi performance. We’re happy to go back in the Faraday cage…
   

November 05, 2015

Living in a virtualized world …

Gamers are used to living in a virtualized world, battling imaginary villains and taking castle towers. However, this is not the only virtualized world that exists today. Our computer-addicted world is going virtual too, in virtual machines. As with any new technology shift, a new vocabulary emerges to describe the entities that "live in this world". With the advent of companies like VMware, applications are now created and run on "virtual" computers, which allows the business world to leverage its investment in VM software and minimize the expense of real computer hardware systems.

With the virtual solutions becoming entrenched in businesses, other concepts of how to use this technology have emerged. One important evolutionary step with virtual technologies is: Network Functions Virtualization (NFV). NFV takes the basic virtual computer concept one-step further, adding design flexibility by decoupling major network application functions and allowing them to operate in independent VM contexts.


This "application body" disassociation results in a network deployment flexibility that has never before been possible. VM solutions freed businesses from physical hardware restrictions. NFV can compound that by freeing businesses from physical location restrictions. Depending upon the application and specific customer requirements, decoupled VM-NFV elements can be deployed either distributed or centralized and still be viewed as a cohesive service used to meet user needs. Additionally, the flexibility of NFV also enables better scaling of network components across a network and can have a direct impact on lowering CAPEX and TCO. There are a plethora of examples of how NFV can impact your virtual world. When taken into consideration at design time, applications can be developed to fit a segmented deployment model across multiple VM systems. If a VM system maxes out its current resources, expansion only requires deploying additional NFV-VM resources as a business or network grows. The whole solution may be co-resident in the same facility or be distributed but can be expanded seamlessly.

One obvious example where NFV can play a vital role in optimizing a network is in managing user data flows. There are two major classes of data streams in all computer networks:

  1. Control - the information used to configure, provision, monitor, and troubleshoot the operation of the network itself. It has nothing to do with the applications that are used on the network.
  2. Data - network traffic received or transmitted by network nodes in support of applications.

Often user data becomes the predominant traffic on the network and, whether distributed or centralized, such data may require special handling with respect to security and QoS. Traditionally, this was achieved by managing flows as VLANs and provisioning switches and routers to direct the flows to the correct target. This approach works but can be tedious for IT team members and limited in the classes of service that can be implemented and sustained. Client nodes and switches/routers have to be configured, which becomes increasingly cumbersome with network growth. One concept to simplify this problem is to create an NFV service that eliminates the complexity of configuring VLANs for clients and network infrastructure. Such a virtual service can aggregate user data based on SSIDs, apply encryption and policies to the data, and route that stream to the designated receivers. One natural example of this in a business context would be to collect and securely route all "guest" traffic to the Internet with a minimum of management overhead. The NFV approach requires only that special SSIDs be created at the APs; clients are no longer VLAN tagged. Aggregation happens at the access point, and the aggregated stream is then transmitted to the NFV service provider for ultimate forwarding.

An NFV approach can amplify deployment options, lower costs through proper resource scaling and amplify performance within a network. Ruckus sees real value in such an approach and has begun implementing unique NFV solutions in our virtualized SmartZone product portfolio.

 

October 29, 2015

Wi-Fi’s Whipping Boy Complex

If you’ve ever attended a large conference or exhibition, chances are everyone whined about the Wi-Fi. But the truth is, a lot of the time, it’s not Wi-Fi’s fault at all.

While there is a litany of Wi-Fi-specific deployment options that can cause problems in increasingly crowded Wi-Fi networks, such as: too many or too few APs, improper channel planning, haphazard AP placement, or too many SSIDs – even when all of these are handled perfectly, Wi-Fi still tends to get the blame when anything goes haywire.

While not an exhaustive list of every possible networking problem, here are some of the more common culprits that cause Wi-Fi to be everyone’s whipping boy, especially in highly dense wireless conditions.

 
More Broadband Please!

The most frequent and obvious problem for which Wi-Fi is castigated is lousy or slow broadband connectivity. The purpose of almost all Wi-Fi networks is to provide local connectivity for clients to get to the Internet. Even the fastest Wi-Fi networks on the planet, which can now deliver local connection speeds of hundreds of megabits per second to clients, slow to a crawl if there isn’t enough backhaul to the Internet. Even a 100 Mbps Internet connection is too slow when you have thousands of clients served by dozens of APs capable of near-gigabit speeds. This makes Wi-Fi appear slow or unreliable.

Another major problem, not directly related to Wi-Fi, is simply poor wired network design. Switching, routing and higher-layer functions such as DHCP and DNS that are not configured to support the explosion of Wi-Fi network connections can wreak havoc on the network, yet it still appears to be a Wi-Fi problem.


Addressing Users

There are a number of ways that setting up DHCP improperly will cause problems that will look to most people like Wi-Fi is broken. The Dynamic Host Configuration Protocol (DHCP) is a method for automatically configuring TCP/IP network settings on computers, printers, and other network devices.

With DHCP, a common problem is a DHCP lease that is too long. The lease is the amount of time that a device is allowed to retain an IP address. In a standard network configuration, this period of time can be hours, or even days. Active devices will ask the DHCP server to renew their lease when the lease is half up. An inactive device will simply let its lease expire, at which point the address is released and available to be assigned to another device.

Over a long period of time in a high-density network it is possible to run out of IP addresses. It’s sort of like a train station where people come and go all day long. When the lease is too long, the DHCP server can run out of assignable addresses, again giving the impression that Wi-Fi is broken. Shorter leases generate a small amount of additional renewal traffic, but that is a worthwhile tradeoff versus depleting the available IP addresses.
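To make the lease-length tradeoff concrete, here is an added example (not code from the original post) that models a DHCP scope minute by minute under a steady stream of short-lived visitors, such as a conference floor. The scope size, arrival rate, dwell time and the two lease values are all constructed numbers; the renew-at-half-lease behaviour follows the description above.

```python
# Added example (not from the original post): a minute-by-minute model of a
# DHCP scope under a steady stream of short-lived clients, showing how the
# lease length alone decides whether the pool runs dry. All numbers are
# constructed for illustration.


def simulate_dhcp(pool_size, lease_minutes, arrival_interval, dwell_minutes, sim_minutes):
    """Simulate a DHCP scope for `sim_minutes`.

    A new client requests an address every `arrival_interval` minutes and stays
    active for `dwell_minutes`. Active clients renew when half the lease has
    elapsed; inactive clients keep their address bound until the lease expires.
    Returns failed requests (pool empty), the peak number of bound addresses,
    and the number of renewal exchanges generated.
    """
    free = pool_size
    leases = []  # each lease: {"expires", "renew_at", "leaves"} in minutes
    failed = renewals = peak = 0
    for t in range(sim_minutes):
        kept = []
        for lease in leases:
            if t >= lease["expires"]:
                free += 1  # lease ran out: the address returns to the pool
                continue
            if t < lease["leaves"] and t >= lease["renew_at"]:
                renewals += 1  # client still active: renew at the half-lease mark
                lease["expires"] = t + lease_minutes
                lease["renew_at"] = t + lease_minutes // 2
            kept.append(lease)
        leases = kept
        if t % arrival_interval == 0:  # a new client arrives
            if free > 0:
                free -= 1
                leases.append({"expires": t + lease_minutes,
                               "renew_at": t + lease_minutes // 2,
                               "leaves": t + dwell_minutes})
            else:
                failed += 1  # DHCPDISCOVER with nothing left to offer
        peak = max(peak, pool_size - free)
    return {"failed_requests": failed, "peak_bound": peak, "renewals": renewals}


if __name__ == "__main__":
    # Constructed scenario: 100 usable addresses, one new visitor per minute,
    # each staying 45 minutes, over an 8-hour event day.
    for lease in (1440, 60):
        print(f"lease {lease:>4} min:", simulate_dhcp(100, lease, 1, 45, 480))
```

With a 24-hour lease every visitor who has ever connected keeps an address for the whole day, so the scope is exhausted after the first 100 arrivals and every later client fails; with a 60-minute lease, addresses cycle back after at most 90 minutes and the pool never empties, at the cost of one renewal per visitor.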


Lost in Translation

The Domain Name System (DNS) is a vital part of any network. Whenever a device needs to know what address to use when passing traffic, the DNS server provides a translation from a name (such as the hostname in a URL) to an actual IP address.

If a DNS server is underpowered, in a busy or dense Wi-Fi environment it can fall way behind by trying to provide name resolution for more devices than it has the processing power to serve. And if a DNS server crashes or clients can’t reach it, the users are effectively dead in the water. This causes devices to be able to pass traffic only sporadically and gives the impression of a Wi-Fi network that is overloaded, even though every client is properly connected.

DNS redundancy is a helpful fix in this case, especially in highly dense Wi-Fi conditions. A properly devised network has redundancy built in, providing multiple DNS servers to support large numbers of users.


The Big MAC Attack

Every device has a unique media access control (MAC) address used by network switches to move traffic around. Different types of switches have different limits on the number of MAC addresses they can keep track of.

A core switch typically has a large MAC table that lets it track a lot of devices, while an edge switch has a more limited MAC table. When that limit is reached, the switch loses the ability to properly pass traffic where it needs to go and ends up flooding all ports in an attempt to find the correct path. By the time this happens there is already quite a large amount of traffic being passed, resulting in dropped packets – a lot of them.

If a large number of devices are attempting to access the network at the same time, DHCP requests and ARPs become affected and we once again see a problem that looks like the Wi-Fi is broken, even though the problem has nothing to do with Wi-Fi.

A more devious limitation than the number of MAC addresses a switch can handle is the number that it can handle on any one VLAN or subnet. Edge switches are often limited to a smaller number of MAC addresses per VLAN than they are for the switch as a whole. At an event with a very large number of people attending, the guest WLAN is generally configured for a single VLAN, so every edge switch ends up seeing the MAC address of every guest connected to the network, possibly exceeding the limit of those switches for a single VLAN. Correctly sizing the edge switches, controlling broadcast domains, using multiple VLANs where possible, or tunneling traffic to beefier core switches will help avoid this problem.
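The per-VLAN table limit is easiest to see with a toy learning switch. The following is an added example, not code from the original post: a switch model that learns source MACs per VLAN up to a configurable limit and floods any frame whose destination it has not learned, driven by a constructed guest population that first talks to a gateway and then receives a unicast reply. The gateway MAC comes from the IANA documentation range and the guest MACs are locally administered, both constructed for the example.

```python
# Added example (not from the original post): a learning switch with a
# per-VLAN MAC table limit, used to count how many gateway-to-guest replies
# end up flooded when all guests share one VLAN versus two.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent bridge: learn source MAC per VLAN, forward to the learned
    port, flood everything else. Once a VLAN's table is full, new sources are
    simply not learned (the switch keeps working, but keeps flooding)."""

    def __init__(self, num_ports, max_entries_per_vlan):
        self.num_ports = num_ports
        self.limit = max_entries_per_vlan
        self.table = {}  # vlan -> {mac: port}
        self.flooded = 0
        self.forwarded = 0

    def forward(self, vlan, src, dst, in_port):
        entries = self.table.setdefault(vlan, {})
        if src in entries:
            entries[src] = in_port  # refresh an existing entry
        elif len(entries) < self.limit:
            entries[src] = in_port  # learn a new station while there is room
        out = entries.get(dst)
        if dst == BROADCAST or out is None:
            self.flooded += 1
            return [p for p in range(self.num_ports) if p != in_port]
        self.forwarded += 1
        return [out]


def guest_reply_floods(num_hosts, num_vlans, num_ports=24, limit=64):
    """Spread `num_hosts` guests round-robin over `num_vlans` VLANs and the
    access ports, have each one send a frame to the gateway on port 0, then
    count how many of the gateway's unicast replies the switch has to flood."""
    sw = LearningSwitch(num_ports, limit)
    gateway = "00:00:5e:00:53:01"  # constructed: IANA documentation MAC range
    hosts = [(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",  # constructed guest MAC
              1 + i % (num_ports - 1),                        # access port 1..23
              i % num_vlans)                                  # VLAN assignment
             for i in range(num_hosts)]
    for vlan in range(num_vlans):
        sw.forward(vlan, gateway, BROADCAST, 0)  # gateway ARP seeds its entry
    for mac, port, vlan in hosts:
        sw.forward(vlan, mac, gateway, port)     # guest -> gateway (learned if room)
    floods_before = sw.flooded
    for mac, port, vlan in hosts:
        sw.forward(vlan, gateway, mac, 0)        # gateway -> guest unicast reply
    return sw.flooded - floods_before


if __name__ == "__main__":
    print("100 guests, one VLAN, 64 entries/VLAN:", guest_reply_floods(100, 1))
    print("100 guests, two VLANs, 64 entries/VLAN:", guest_reply_floods(100, 2))
```

With 100 guests on a single VLAN and a 64-entry per-VLAN limit, only 63 guests (plus the gateway) fit in the table, so 37 of the replies are flooded out of every access port; splitting the same guests across two VLANs keeps each table at 51 entries and nothing is flooded. Real switch limits differ by model, which is why the text says to size the edge switches correctly.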


Now Broadcasting

When broadcast packets (typically UDP) are sent by a device over Wi-Fi, they are sent at much lower speeds than unicast packets addressed directly to the receiving device (web server, VPN, etc.). Broadcast traffic has no expectation of an acknowledgement, so the device never knows whether the packet was received. For this reason, broadcast packets are typically sent multiple times.

The effect is that broadcasts take up a lot more airtime than unicast traffic. Because Wi-Fi is a shared medium where users contend for access and wait for the network to be available before they can transmit or receive traffic, too many broadcasts will bring a network to its knees. But certain types of broadcast, such as DHCP requests and ARPs (the Address Resolution Protocol, used to get the MAC addresses of devices on the network based on their IP addresses), are necessary. Simply turning off broadcast traffic is not an option.

Good network design always accommodates broadcasts but limits them as much as possible. A large, flat, Layer 2 network, such as is typical for an event like a trade show or football game, is a perfect opportunity for broadcasts to kill the network. Every device sees every other device’s broadcasts – whether it needs to or not. Worse yet, while a broadcast is on the air, no other device can send real data.

Too many broadcasts within a wired network will be just as deadly as too many broadcasts over the air. The result looks like the Wi-Fi network is overloaded when that is not the case at all. Packets will be dropped at the switches when a packets-per-second limit is reached.

On the Wi-Fi side, client isolation can help to reduce the effect and also provides security for the wireless devices. It’s also necessary to control broadcasts on the switched side of the network, using VLANs to reduce broadcast domains. Switches that allow VLANs to be dynamically assigned to a single device or a group of devices help solve this problem.
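How much more airtime a broadcast costs is a matter of arithmetic on the PHY rates, so here is an added example (not code from the original post) that computes per-frame airtime from the 802.11a/g OFDM and 802.11b DSSS PLCP formats and turns a broadcast rate into a share of the channel. The frame sizes, the 1 Mbps lowest basic rate and the 100 ARPs per second figure are constructed inputs; 802.11n/ac rates have different overheads and are not modelled.

```python
# Added example (not from the original post): airtime of broadcast versus
# unicast frames on a 2.4 GHz 802.11g network. Broadcasts go out at the
# lowest basic rate (assumed here to be 1 Mbps DSSS); unicasts use the
# negotiated OFDM rate.
import math

# 802.11a/g OFDM: data bits carried per 4 us symbol, per rate in Mbps
OFDM_NDBPS = {6: 24, 9: 36, 12: 48, 18: 72, 24: 96, 36: 144, 48: 192, 54: 216}


def ofdm_airtime_us(frame_bytes, rate_mbps):
    """Airtime of one OFDM frame: 16 us preamble + 4 us SIGNAL, then 4 us
    symbols carrying 16 SERVICE bits, the PSDU and 6 tail bits (the ceiling
    accounts for pad bits)."""
    symbols = math.ceil((16 + 8 * frame_bytes + 6) / OFDM_NDBPS[rate_mbps])
    return 20 + 4 * symbols


def dsss_airtime_us(frame_bytes, rate_mbps, long_preamble=True):
    """Airtime of one DSSS/CCK frame: long preamble + PLCP header take 192 us
    (96 us with the short preamble), then the PSDU at the data rate."""
    plcp_us = 192 if long_preamble else 96
    return plcp_us + 8 * frame_bytes / rate_mbps


def airtime_share(frames_per_second, airtime_us):
    """Fraction of each second of channel time consumed by that many frames."""
    return frames_per_second * airtime_us / 1_000_000


if __name__ == "__main__":
    # Constructed comparison: a 1500-byte frame as a 54 Mbps unicast versus
    # as a 1 Mbps broadcast, and the channel share of 100 ARP broadcasts/s
    # (about 64 bytes each over 802.11, constructed size).
    unicast = ofdm_airtime_us(1500, 54)
    broadcast = dsss_airtime_us(1500, 1)
    print(f"1500-byte unicast @54 Mbps: {unicast} us")
    print(f"1500-byte broadcast @1 Mbps: {broadcast:.0f} us "
          f"({broadcast / unicast:.0f}x the airtime)")
    arp = dsss_airtime_us(64, 1)
    print(f"100 ARP broadcasts/s: {airtime_share(100, arp):.1%} of the channel")
```

The same 1500-byte frame occupies about fifty times the airtime as a 1 Mbps broadcast than as a 54 Mbps unicast, and a few hundred small ARP broadcasts per second, each under a millisecond, already take a double-digit share of the channel before any real data moves. Raising the lowest basic rate (or moving clients to 5 GHz, where the floor is 6 Mbps OFDM) shrinks that cost, which is the wireless-side counterpart of shrinking broadcast domains with VLANs.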

Got Perspective?

Ultimately, Wi-Fi often gets a bad rap when it is completely undeserved.  Yes, Wi-Fi is not perfect, but at the end of the day, Wi-Fi is also dependent on the wired network that connects everything together and can never exceed its capabilities. Although only touching the surface of the many challenges that impact Wi-Fi that are not Wi-Fi-related, hopefully these common wired pitfalls will give Wi-Fi whiners some much needed perspective.

The Path for Cloudpath = Multi-Vendor Wi-Fi Security

Author: Greg Beach, Ruckus VP, Product Management

Looks like we created a Ruckus last week with our Cloudpath acquisition.

Many customers and partners jumped on board to praise the deal, which we believe will simplify Wi-Fi onboarding and security for the industry. Cloudpath customer and blogger Lee Badman called it a “force multiplier for Wi-Fi support” – reducing support tickets and expediting users onto secure WLANs. Ruckus channel partner Gary Berzack (CTO of eTribeca) said the deal gives Ruckus “a stake in making a whole onboarding solution” and “is going to help us sell into the mid-market more easily”.

Not surprisingly, our competitors weren’t so generous in their commentary. Some jumped in to scare customers and partners with assertions that Ruckus Cloudpath will stop supporting networks that use competitive WLAN equipment. While this is a predictable competitive response, it couldn’t be farther from the truth.  

Let me make it clear that Ruckus intends to continue multi-vendor support in Cloudpath. We know it’s one of the reasons Cloudpath customers love this solution, which delivers secure and user-friendly policy management for both BYOD and IT devices. Our customers likewise rely on Wi-Fi for their business, and they want to make it easier and more pervasive – exactly what Cloudpath has been doing for nine years.

Why does this help Ruckus? Well, simply put, our goal is to deliver the best wireless experience in the industry. It’s not all about access points and controllers. It is all about the wireless experience – and that experience requires more performance, great reliability, easier onboarding and better security. That’s who we are – #SimplyBetterWireless.

It’s worth noting that Cloudpath is built entirely on standards-based protocols including 802.1X (an IEEE security framework), RADIUS (an IETF standard AAA protocol), EAP-TLS (an IETF authentication protocol utilizing certificates) and X.509 certificates (a standard for public key infrastructure).


Competitive products are RADIUS-centric, though Cloudpath is designed to be smarter – using the standard functions present in all RADIUS servers while leaving the choice of RADIUS server to the customer. New customers can use the RADIUS server that comes with Cloudpath, or if they have an existing RADIUS server, we can extend their investment to deliver certificate-based security across their infrastructure. This contrasts with our competitors, whose solutions revolve around their RADIUS server and are priced accordingly—even if “their” RADIUS server is actually the open-source FreeRADIUS.

Cloudpath software can actually act as a single point of policy control across all wired, wireless and remote infrastructure. Cloudpath also offers a cloud-hosted solution for customers who prefer to abstract away the complexity of an on-premise solution – an offering our competitors lack. Cloudpath founder and CEO Kevin Koster – who continues to lead the Cloudpath team within Ruckus – says it best: “Our core architectural principle is to avoid dictating a security architecture to our customers. This is what enables us to provide increased security using certificates, without increasing cost and complexity.”

Finally, we’re well aware that Ruckus’ position as the #1 pure-play wireless infrastructure company is due in part to our open standards commitment. This commitment enables us to continue expanding our ecosystem of hardware, services and software partners across the enterprise, carriers, education, hospitality and other verticals.

The bottom line: We bought Cloudpath because we believe the Wi-Fi authentication market is ripe for disruption – and Cloudpath has the easiest-to-use and most secure software in the market. Cloudpath’s architectural approach provides interesting ways for access points, controllers, devices and applications to become even smarter about how they use certificates. Ruckus is committed to leading the way in certificate-based Wi-Fi security – building new features and capabilities into our Wi-Fi infrastructure that take advantage of Cloudpath capabilities, while helping our customers improve the wireless experience regardless of what badge is on the access point.

# # #

September 16, 2015

Securing the World's Most Hostile Wi-Fi Network

Wi-Fi security recently took on the ultimate challenge at the infamous Black Hat USA 2015 security conference, held this year at Mandalay Bay in Las Vegas.

One of the world’s premier hacking events, Black Hat attracts some 10,000 security super geeks who like to break stuff.

Wi-Fi has always been a prime security target at Black Hat, which describes its own network as “the most hostile Wi-Fi network in the world.” This year was no different, so Black Hat wanted to do something unique, something better.

So we took the challenge, teaming with RG Nets, a little-known but highly sophisticated Wi-Fi application gateway innovator, to create a virtually unhackable network.

The Black Hat Wi-Fi network is infamous as a playground for attendees to try out the latest hacking tools against not only the greater Internet, but each other. Black Hat faced two fundamental challenges:

  1. providing high-speed, high density Wi-Fi connectivity to delegates while
  2. ensuring bullet-proof Wi-Fi security that could prevent attendees from using the Wi-Fi to compromise the entire network and each other.

Historically, Black Hat used a WPA2 pre-shared key (PSK), so that Wi-Fi data was at least encrypted with AES on the airlink. But that just wasn’t enough for this crowd: the PSK is shared by every attendee, and anyone who holds it and captures another client’s four-way handshake can derive that client’s pairwise key and decrypt its traffic.

When the bad guys already know the PSK, simply having an encrypted SSID is not good enough. Devices on the network are still able to communicate with each other, creating a ripe environment for ARP spoofing attacks, broadcast storms, DoS, and exploit scanning, not to mention visibility of unsecured services such as file shares and remote desktops.

Wireless client isolation somewhat mitigates this problem, but only among clients of a single access point. Traditional network segmentation techniques such as implementing a handful of VLANs fail to create enough isolation between clients. Even “modern” VLAN pooling systems often fail to sufficiently minimize the number of devices that can talk to each other in high-density environments, due to lazy assignment algorithms and a limited number of supported VLANs (the 802.1Q tag allows at most 4,094 usable VLAN IDs in any case). The ideal solution for maximum security between users is to tag each device’s traffic with its own unique VLAN ID, which effectively places each user in his or her own “sandbox” network. This per-device VLAN strategy prevents a would-be attacker from harming the network infrastructure and other users, by making ARP spoofing, IP address conflicts, rogue DHCP servers, network scans, and other attacks and exploits irrelevant against anyone but themselves.


So Ruckus teamed up with RG Nets to create a safer and more reliable high-density Wi-Fi network by utilizing a fancy dynamic VLAN assignment and routing engine to provide thousands of isolated networks for Black Hat attendees.

The real goal was not only to provide secure, high-speed Wi-Fi, but also to automate an 802.1X-style framework: WPA2 AES encryption on the airlink, RADIUS authentication of every device, and dynamic assignment of each device or group of devices to a discrete VLAN.

This would require close interworking between a cluster of Ruckus WLAN controllers, Ruckus SCGs in this case, and the RG Nets rXg Wireless Application Gateway system.

RG Nets configured its system to act as a firewall in between the Ruckus SCG and rXg clusters. The wired network to which the Ruckus APs were connected was completely locked down, and the MAC address OUIs of the Ruckus APs were programmed into the rXg system as an allow-list. An OUI only proves a vendor prefix, which is why the per-AP monitoring described below mattered as well.

RG Nets rXg Dashboard

This ensured that only the authorized Ruckus APs could use the wired network and talk to the rXg’s RADIUS server. Routing out to the Internet was completely disabled on the wired network. This was particularly important at Black Hat because it was very easy to sit on the floor of the Mandalay Bay conference area, unplug an AP, and plug a laptop into the same wired fabric via Ethernet instead. Disconnected APs were actively monitored throughout the event, and any “missing” AP MAC address was blacklisted so that nobody could spoof the MAC address of an unplugged AP and gain access to the management network.


HOW IT ALL WORKED

When a Black Hat user associated with the Ruckus Wi-Fi network, the Ruckus controller sent a RADIUS Access-Request to the in-line rXg system, which then dynamically assigned that user, or a small group of users, to a unique VLAN that followed them wherever they roamed.

The rXg is able, among a myriad of sophisticated packet processing chores, to support thousands of dynamic VLAN assignments, allowing each user, if needed, to have their own logical network, while keeping track of each user and their VLAN assignment.

With MAC authentication configured on the Ruckus WLAN controllers (the same RADIUS exchange an 802.1X deployment uses, but keyed on the client’s MAC address rather than on user credentials), a client joining the WPA2 network with the pre-shared key triggered a RADIUS Access-Request from the WLAN cluster to the rXg system.

That Access-Request carries the client’s MAC address and some other attributes the rXg uses to choose a VLAN. The rXg then answered the Ruckus controllers with a RADIUS Access-Accept carrying the VLAN ID for that client or group of clients, which is typically conveyed in the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes.

Ruckus SCG Dashboard

Using this information from the rXg, the Ruckus WLAN controllers accepted the connection from the client and each AP would then tag client traffic with the assigned VLAN ID.
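As an added example (not Ruckus or RG Nets code, and not the rXg’s actual implementation), the following Python models that exchange end to end: the controller side builds a MAC-authentication Access-Request (Service-Type Call-Check, the MAC in User-Name and Calling-Station-Id), the server side allocates one VLAN per MAC and returns it in Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID as RFC 3580 specifies, and the controller verifies the Response Authenticator before acting on the VLAN. The shared secret, MAC addresses, AP names and VLAN range are constructed for the example.

```python
# Added example (not Ruckus or RG Nets code): MAC-auth RADIUS exchange with a
# per-device VLAN returned via RFC 3580 tunnel attributes. Constructed data.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                       # RFC 2865 codes
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 6, 31, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_CALL_CHECK = 10                  # Service-Type used by MAC-auth requests
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6                # RFC 3580 values
SECRET = b"constructed-shared-secret"                      # example only

def attr(atype: int, value: bytes) -> bytes:
    # Type | Length | Value; Length includes the 2-byte header
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(atype: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag byte 0x00 (unused) + 3-byte value."""
    return attr(atype, b"\x00" + value.to_bytes(3, "big"))

def parse_attrs(body: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        out[atype] = body[i + 2:i + alen]
        i += alen
    return out

class VlanAllocator:
    """One VLAN per client MAC; the same VLAN comes back when it roams."""
    def __init__(self, first: int, last: int):
        self.free, self.by_mac = list(range(first, last + 1)), {}

    def vlan_for(self, mac: str) -> int:
        mac = mac.lower()
        if mac not in self.by_mac:
            if not self.free:
                raise RuntimeError("VLAN pool exhausted")
            self.by_mac[mac] = self.free.pop(0)
        return self.by_mac[mac]

def build_access_request(ident: int, mac: str, nas_id: str) -> Tuple[bytes, bytes]:
    """NAS side: MAC auth sends the MAC as User-Name and Calling-Station-Id."""
    req_auth = os.urandom(16)                 # random Request Authenticator
    attrs = (attr(USER_NAME, mac.encode())
             + attr(SERVICE_TYPE, SERVICE_CALL_CHECK.to_bytes(4, "big"))
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth

def handle_access_request(pkt: bytes, allocator: VlanAllocator) -> bytes:
    """Server side: allocate a VLAN for the MAC and answer with Access-Accept."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("malformed request")
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    vlan = allocator.vlan_for(attrs[CALLING_STATION_ID].decode())
    reply_attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                   + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
                   + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(head + req_auth + reply_attrs + SECRET).digest()
    return head + resp_auth + reply_attrs

def nas_accept_vlan(reply: bytes, req_auth: bytes) -> Optional[int]:
    """NAS side: return the VLAN only if the reply is authentic and complete."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    head, resp_auth, body = reply[:4], reply[4:20], reply[20:length]
    expected = hashlib.md5(head + req_auth + body + SECRET).digest()
    if not hmac.compare_digest(resp_auth, expected) or code != ACCESS_ACCEPT:
        return None                           # forged, replayed or rejected
    a = parse_attrs(body)
    if (int.from_bytes(a.get(TUNNEL_TYPE, b"")[1:], "big") != TUNNEL_TYPE_VLAN or
            int.from_bytes(a.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big") != TUNNEL_MEDIUM_802):
        return None
    gid = a.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if gid and gid[0] <= 0x1F:                # strip the tag byte if present
        gid = gid[1:]
    return int(gid.decode()) if gid.isdigit() else None

def simulate(associations: List[Tuple[str, str]]) -> List[Optional[int]]:
    """Run the exchange for (client MAC, AP) events; returns the VLAN per event."""
    allocator, vlans = VlanAllocator(100, 4094), []
    for ident, (mac, ap) in enumerate(associations):
        req, req_auth = build_access_request(ident & 0xFF, mac, ap)
        vlans.append(nas_accept_vlan(handle_access_request(req, allocator), req_auth))
    return vlans

def tampered_reply_rejected() -> bool:
    """A reply altered in transit (VLAN digit flipped) fails the authenticator."""
    req, req_auth = build_access_request(7, "de:ad:be:ef:00:01", "ap-1")
    reply = bytearray(handle_access_request(req, VlanAllocator(10, 20)))
    reply[-1] ^= 0x01
    return nas_accept_vlan(bytes(reply), req_auth) is None
```

The roaming case is the interesting one: `simulate([("aa:bb:cc:00:00:01", "ap-1"), ("aa:bb:cc:00:00:02", "ap-2"), ("AA:BB:CC:00:00:01", "ap-7")])` returns `[100, 101, 100]`, because the allocator keys on the (normalized) MAC, which is how a VLAN “follows” a client from AP to AP. The authenticator check is what keeps the VLAN assignment trustworthy: an Access-Accept that the NAS did not verify against its own Request Authenticator and the shared secret could be spoofed to drop a client into another user’s VLAN. The pool-exhaustion error is where a real deployment with more than roughly 4,000 concurrent clients would have to fall back to grouping a few devices per VLAN, as the article says the rXg did.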

With all the traffic trunked to the Ruckus WLAN cluster and rXg system, the architecture proved to be extremely secure and successful, drastically reducing the attack “surface area” at Black Hat.

If compromised, a hacker would be able to “see” users and services only within a particular VLAN and not the entire network. So each user or user group effectively had their own virtual network that could follow them around coupled with AES encryption on the airlink. Wow.

And to ensure consistent, high-speed connectivity and fair use of the available wired and wireless bandwidth available, the rXg was also configured to provide per-device bandwidth queuing of 20Mbps down and 10Mbps up.

What’s more, the rXg cluster also provided DHCP to Black Hat attendees from a pool of public IPs, while controlling the routing of traffic to the Internet and preventing delegates from attacking the Ruckus controllers or APs.

A double SSH tunnel (effectively a VPN) through the rXg cluster was used to reach the RG Nets and Ruckus management consoles securely over the Wi-Fi network. SSH was otherwise blocked on the network except from specific laptops, and SSH and HTTPS anomaly detection was enabled on the rXg just to be safe.

BLOCKING THE BAD BOYS

Ultimately, the rXg detected hundreds of malicious network scans and malware proliferation attempts, and blocked a variety of malicious events, chiefly DoS, ARP spoofing and traffic storms, that would otherwise have turned into larger problems for network stability.

Behavioral connection IPS, using fancy heuristics, was used to block all sorts of malicious activity. The rXg’s DPI engine was configured with emerging-threat signatures to detect intrusion attempts, malware and the like. Before the event was over, nearly 1,000 threat-signature hits had been recorded on the network, far more than in other conference environments.

 
SECURE HIGH DENSITY WI-FI DELIVERED

The AP network, consisting of some 80 Ruckus 802.11ac Smart Wi-Fi access points managed by a cluster of Ruckus SCG controllers, was never compromised, and no notable attacks or exploits were reported between Wi-Fi end-users due to the implementation of VLAN client isolation.

Data use at Black Hat was higher than average for a typical conference. Over 3 terabytes of traffic was routed over the Ruckus Wi-Fi network during the event. SSL traffic made up over half of all data usage, as many of the delegates who were brave enough to connect to the Wi-Fi encrypted their connections through an external VPN.

During the conference, the network operations team saw concurrent Wi-Fi client connections peak to over 2300 with some APs able to take on 300 simultaneous users with no performance compromises.

So yes, we’ve been asked back next year.