
June 28, 2009

Our CEO and Her Shoes...

If you ever have the chance to meet our CEO, Selina Lo, don't look her in the eyes, look her in the feet.

She's the proud owner of hundreds of pairs of shoes that are quietly kept in their own living space. That's right.  People think it's just something we conjured up to make her sound eccentric.  It's not. 

So when I recently got access to her house, I thought I'd document it for all to see.  The video doesn't really do this justice but will give you some idea of the depth and breadth of this fetish.

She goes on shoe binges whenever she's in Milan, Hong Kong, or well, let's be honest, anywhere. I've had first-hand experience of one of these binges before - watching her drop thousands of dollars like a drunken sailor on two or three pairs of shoes in about 10 minutes.

She typically has two or three shoe salesmen running around Lane Crawford, Nordstrom's or Jimmy Choo's, getting her this and that. Her favorite shoes are the skull and crossbone boots pictured in the video. What a surprise.

All her shoes are kept in a custom room with layers of floor-to-ceiling shoe shelves on rollers. Behind the shelves are MORE shoes, handbags, scarves, etc. It's a walk-in shoe closet essentially. Can you say ISSUES? (She had just bought a new pair of tennis shoes that day to play tennis in.)

June 22, 2009

Aerohiving in Public

Ever heard one vendor praising a competitor in public? Well, here it comes.

Not only did Aerohive recently give us a great new CFO, but they also recently announced a very familiar (and well-loved) wireless security feature they call "Private PSK."

It's almost identical (but not) to our own Dynamic PSK (so we were very flattered). But they've added some very cool knobs.

Like our Dynamic PSK technology, Private PSK fills a gap between WPA-PSK (pre-shared key) technology and WPA Enterprise mode (802.1X).

You're probably familiar with WPA-PSK already: practically every consumer-grade wireless AP lets you set up WPA-PSK encryption, where you define a key on the AP. Any wireless device that tries to connect to that network will need to type in the same key to connect. This technology has been widely implemented because it is easy to deploy and understand.

While WPA-PSK works fine in a small environment, when you have multiple people sharing the same key, in a company for example, you start to have problems keeping the key a secret. What's more, if the key is ever compromised, the only way to re-secure your network is to change the key on the AP (easy enough). But then you’ll have to update the key on every client device manually (major suckage).

WPA Enterprise (another way to really say 802.1X) solves this problem by requiring that clients authenticate against a RADIUS server first before they are allowed onto the network. Every user has a different username and password on the RADIUS server somewhere. So if a user needs to be revoked, the administrator can delete their entry. All of the other users would remain unaffected by the change.

In the real world, this can be exceedingly complex to deploy and manage. Many companies don't have RADIUS servers, so one will have to be set up and maintained. Furthermore, the setup on the client side is very complex. Instead of typing in a single key like you would with a WPA-PSK secured network, multiple configuration adjustments need to be made (e.g. the client computer must also have a certificate installed that is used to check against the certificate listed in the server).

In a typical 802.1X configuration this can easily add up to ten separate steps. This frustrates users and puts an increased burden on systems administrators who will need to assist each user in configuring their device. And devices that don't support WPA Enterprise remain unsecured with this approach.

Our Dynamic PSK (as well as Aerohive's Private PSK) takes the "best of both worlds" approach to solve this security dilemma. See the (fairly fair) comparison chart.

Administrators can choose to enable Dynamic PSK and have the system automatically generate a unique key for each user. Our approach actually downloads and installs the PSK automatically on the client along with the requisite SSID - and we bind the Dynamic PSK to the MAC address of a given device.

Aerohive's approach lets you manually generate keys or groups of keys that can be emailed, and there's no need to log in - but users still must install the key (also note that Aerohive's Private PSK requires the HiveManager appliance and the Guest Manager application to fully function, which is kinda weird given their religious bent toward a "controller-less architecture"...but whatever, we have our own problems).

Each user can then use their own unique key to connect to the wireless network, just like a traditional WPA-PSK network. This is especially convenient for devices without a WebUI. If a key is compromised, administrators can choose to selectively revoke that single key and generate a new one to replace it.

All other keys remain valid, so other users do not need to take any action in this case. Another advantage of this approach is on devices (such as mobile phones) where WPA Enterprise security is either very complex to set up or missing entirely. With Aerohive's implementation, a Private PSK can be used on multiple devices at the same time, and each of these devices is shown as a different session when looking at their HiveManager management system.

With these new approaches users need only enter their unique key into the device and they are ready to go.

But with Aerohive's Private PSK, administrators can choose to go a step further. They can assign user-based policies based on their key. In this way, different users, even if they are connecting to the same SSID, can have different VLAN, QoS or firewall settings depending on what key they use to log in. That's cool.

So whether it's theirs or ours, ultimately the simplicity that these technologies bring to wireless LAN security is truly game changing. Administrators will be able to maintain user-level control of encryption keys without the cost and complexity of deploying a full 802.1X RADIUS authentication system.

June 03, 2009

LDAP This!

When schools install Wi-Fi they often come across a nasty surprise: securely authenticating users isn't so easy (sorry in advance for the following book, but it's worth the read... especially if you're a school).

It's pretty simple: schools want a wireless LAN that's easy to set up, works with any device and is supported natively by the client's operating system. They also want to implement an open SSID using a captive portal function for authentication, but also want a secure SSID for faculty as well as students.

The problem is that many schools (K-12 and higher ed) use an LDAP (Lightweight Directory Access Protocol) directory server, such as Apple Open Directory, OpenLDAP, or MS-Active Directory to authenticate users. 

Today's "best practice" is to encrypt all over-the-air traffic and to authenticate each device and user. 802.11i (WPA2) with AES is the choice du jour for authenticating users against the existing directory server, since that's where the information sits.

But WPA2 doesn't offer full support for LDAP. WPA2 includes 802.1X and EAP-PEAP (Extensible Authentication Protocol) support for authenticating users with a backend server (such as RADIUS). However, WPA2 with PEAP requires a RADIUS server, and few schools have one (especially K-12) - or WANT one.

Truth be told, RADIUS servers CAN talk to an LDAP domain server using PEAP, but only if that LDAP server uses Microsoft's Active Directory (you see, PEAP only hashes passwords in a format that only MS AD understands). Well, that just plain sucks.

Once impregnated with some (other vendor's) Wi-Fi system, schools figure out (cuz these vendors don't tell them) that they now must find and use some RADIUS server.

Luckily for schools, this problem has been solved with new technology called Dynamic PSK.  Dynamic PSK gives schools an ultra-easy way to encrypt traffic while requiring user authentication via Captive Portal talking to an LDAP server. Here's how it works:

First, the user connects to the network (wired or wireless) and points their browser to an activation or authentication Web page. The user is prompted to enter his/her credentials, which are checked against the LDAP directory server.

If successful, the user is sent to a new Web page that lists the wireless LANs they may connect to, the security type (e.g. WPA or WPA2) and a unique PSK (Pre-Shared Key) that is bound to the user's specific device once they connect to the WLAN.

If the device is a Windows machine, they can choose to download a script that will automatically configure their wireless card for them (it installs the unique PSK and the requisite SSID). Or they can simply cut and paste the information.

This unique key is stored in a central database (the Ruckus ZoneDirector internal database). Each key will only work for the device it was issued to and can include an expiration date after which the key will no longer work. Keys are easily managed or revoked on an individual basis. This is quite different from a normal PSK network in which each device shares the same encryption key.
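The flow above, and the Dynamic PSK / Private PSK discussion in the June 22 post, both come down to the same small piece of machinery: a directory check at issue time, one random key per authenticated device, a server-side table that the AP consults by station MAC, and per-entry expiry and revocation so that pulling one key never touches the others. The Python below is an added example written for this page; it is not ZoneDirector, HiveManager or any other vendor's code. It assumes a constructed in-memory dictionary standing in for the LDAP bind, derives the 256-bit PSK from the issued passphrase with the standard WPA passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), and renders valid entries as "MAC PSK" lines in the layout hostapd's wpa_psk_file uses. The per-key VLAN field is there to show the per-key policy the June 22 post describes; wiring it into a real AP is outside what this example claims.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the school's LDAP directory (user -> password).
# A real captive portal would do an LDAP bind instead; this is sample data only.
DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 passphrase-to-PSK mapping (IEEE 802.11i): PBKDF2-HMAC-SHA1,
    salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-..' and '00:11:..' match."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class KeyRecord:
    user: str
    mac: str
    psk_hex: str        # PMK as 64 hex digits, the form an AP's PSK table accepts
    vlan: int           # per-key policy (assumed field, mirrors the Private PSK post)
    expires_at: float   # Unix time after which the key stops working
    revoked: bool = False


class DynamicPSKStore:
    """Per-device PSK database: one key per authenticated user/device, each
    individually revocable and expiring, unlike a single shared WPA-PSK."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self.records: Dict[str, KeyRecord] = {}

    def authenticate(self, user: str, password: str) -> bool:
        # Stand-in for the captive portal's LDAP credential check.
        return DIRECTORY.get(user) == password

    def issue(self, user: str, password: str, mac: str, vlan: int = 10,
              ttl_seconds: int = 30 * 86400, now: Optional[float] = None):
        """Portal side: check credentials, mint a fresh key bound to this MAC.
        Returns (passphrase for the user/script, server-side record)."""
        now = time.time() if now is None else now
        if not self.authenticate(user, password):
            raise PermissionError("directory rejected credentials")
        mac = norm_mac(mac)
        passphrase = secrets.token_urlsafe(24)   # unique, random, never reused
        rec = KeyRecord(user, mac, derive_pmk(passphrase, self.ssid).hex(),
                        vlan, now + ttl_seconds)
        self.records[mac] = rec                  # re-issuing replaces the old key
        return passphrase, rec

    def lookup(self, mac: str, now: Optional[float] = None) -> Optional[KeyRecord]:
        """AP side: the key for this station, or None if unknown/revoked/expired."""
        now = time.time() if now is None else now
        rec = self.records.get(norm_mac(mac))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec

    def revoke(self, mac: str) -> bool:
        """Kill one device's key; every other record is untouched."""
        rec = self.records.get(norm_mac(mac))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def psk_file(self, now: Optional[float] = None) -> str:
        """Render currently valid keys as 'MAC PSK' lines (hostapd wpa_psk_file
        layout); revoked and expired entries simply drop out of the file."""
        now = time.time() if now is None else now
        return "\n".join(f"{r.mac} {r.psk_hex}" for r in self.records.values()
                         if self.lookup(r.mac, now) is not None)


if __name__ == "__main__":
    store = DynamicPSKStore("school-secure")
    pw, rec = store.issue("alice", "correct horse", "00:11:22:33:44:55", vlan=20)
    print("hand to the user (or the config script):", pw)
    print(store.psk_file())
```

The AP never sees the passphrase, only the derived PSK keyed by MAC, which is why a single revoke() (or an expiry) removes exactly one device from the table while the rest of the school keeps working.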

Schools dig this.