Why is WiFi Hard?

As an engineer for a wireless manufacturer, I get a lot of questions about wireless design. For those of you who have done this, you know there is more than one answer to every question. The question of why it is so hard is best explained with a story and a picture. Down the road from my house is a new hotel being built. Hotels are nightmares for wireless, with all the rooms, long hallways, multiple floors, gadgets to interfere, etc. Most interior walls are Sheetrock and the floors are pretty thick, so this should not be that bad. Do a heat map and you are good, right? The heat map is done and still you have issues. Why? Maybe this hidden gem will help.

All the walls are filled with steel studs. This is a reflection nightmare, and it is all hidden behind the Sheetrock. Unless you saw it getting built, you would never know the studs were steel. This is why it is hard. RF energy obeys plenty of rules, if only you know all the variables. News flash!!! You will never know all the variables. The moral of the story is you plan, design, pray, and hope for the best. Under sell and over deliver. Always do heat maps with worst-case scenarios, and the real world will never be that bad. No heat map will replace an onsite RF survey, but it is a start. Just my thoughts when I saw the above picture.

David Ellis
Systems Engineer
Ruckus Networks

Some Security is Free and Easy, and We Still Don’t Use it!

The biggest concern in Information Technology today is the security posture of your systems. Servers, switches, routers, clients, and a whole host of devices are under constant attack. We have to secure the network and the systems on it, but it costs too much and it is too difficult. That is partially true. The first thing to remember is that we do not have to build Fort Knox. We need to make it difficult for attackers to get in. What an attacker gets has to be worth the time it takes them to get it. So, you do not have to make it impossible to get, just not worth their time.

The most important thing you can do is patch your systems. Most exploits target vulnerabilities in an unpatched OS or unpatched third-party software. Microsoft has a free tool called WSUS (Windows Server Update Services). It is free if you own the OS, and most of you do. This server pushes OS updates to the systems it controls. It is easy to manage and set up in an AD environment. If you have a small business, make sure Windows Update is enabled and that it actually is doing updates once a week. Most third-party software has an auto-update feature, and all you need to do is turn it on. If you want to manage this installation, you can use a tool like SCCM (System Center Configuration Manager). This is a Microsoft tool that does patching, software, and configuration deployment. It is a bit difficult to build the packages, but it is a necessity in large environments.

Now on to my favorite place, the network. There are several things we can do to secure the network that are free and easy. First is get rid of Telnet. If you are still running Telnet, you are wrong. Set up SSH, test it, and then cut off Telnet. Too easy! Now we can move on to things like DHCP Snooping, BPDU Guard, and Port Security. DHCP Snooping helps stop rogue DHCP servers from handing out bogus IP addresses on your network, which effectively causes a DoS attack. BPDU Guard looks for BPDUs on a port. If it sees a BPDU from another switch, it can put the port in an error-disabled state. Port Security stops unknown devices from gaining access to your network. It does this by locking down a port to a specific MAC address and only allowing a specific number of new addresses to be added. For example, if port 1 is set to allow one MAC address, the first device that connects has its address added to the database. Any other device that tries to connect to that port is denied access. I know you can spoof a MAC address, but remember it is not about stopping them, it is about making it hard for them. The last thing is Access Lists (ACLs). These can be difficult at times, but they are free. If you start simple and work your way up, it will be easier. Start by restricting who can access the management of the devices over SSH and SNMP. Then move to securing guest access and critical networks. Then move on to ports and protocols. This is easily done with a firewall, but those cost money.
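To make that checklist concrete, here is an added example (mine, not from the post) that audits a switch configuration for the items above: Telnet turned off on the VTY lines, a management ACL on them, DHCP Snooping, BPDU Guard, and port security on every access port. The config text is a constructed IOS-style sample; the command spellings are an assumption about Cisco-like syntax and will differ on other vendors' gear.

```python
# Constructed, IOS-style sample (not from the article); other vendors spell
# these commands differently, so adjust the patterns for your gear.
SAMPLE_CONFIG = """\
ip dhcp snooping
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
line vty 0 15
 transport input telnet ssh
"""


def parse_config(text):
    # Group indented child lines under their top-level parent line.
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def audit(text):
    """Return one verdict per item of the article's network checklist."""
    s = parse_config(text)
    vty = [c for hdr, kids in s.items() if hdr.startswith("line vty") for c in kids]
    transport = [c for c in vty if c.startswith("transport input")]
    access = {hdr.split()[1]: kids for hdr, kids in s.items()
              if hdr.startswith("interface ")
              and any(k.startswith("switchport access vlan") for k in kids)}
    return {
        # Telnet counts as off only when transport is restricted explicitly and excludes it.
        "telnet_disabled": bool(transport) and not any("telnet" in c for c in transport),
        # A management ACL on the VTY lines limits who may even attempt SSH.
        "vty_access_class": any(c.startswith("access-class") for c in vty),
        "dhcp_snooping": "ip dhcp snooping" in s,
        "bpdu_guard_default": "spanning-tree portfast bpduguard default" in s,
        "access_ports_without_port_security": [
            name for name, kids in access.items()
            if not any(k.startswith("switchport port-security") for k in kids)],
    }
```

Run `audit(SAMPLE_CONFIG)` and the sample fails two checks (Telnet still allowed, no management ACL) and lists GigabitEthernet1/0/2 as an access port without port security.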

For wireless security, it is usually either free and hard or easy and costs money. The first and most important thing I will say about wireless is do not have an open SSID. You might as well let them come in, plug into the network, and be left alone. I know that WEP and WPA can be broken, but it is about their time, and this is a good speed bump. These things may not stop some script kiddie from trying to break your keys, but they are usually not stealing information or doing damage. If you have an AD network, you can easily secure access with a version of EAP. EAP can be done with certificates (harder) or passwords (easier) to secure the wireless network while keeping access easy.

In conclusion, there are a lot of things you can do to put speed bumps in the road for attackers. I will say that antivirus and anti-malware are also necessary, but they are not free and usually not easy to keep up to date. Host firewalls like Windows Firewall are a free speed bump as well. Security does not have to be an impossible task. Take it one piece at a time. Something is always better than nothing.

David Ellis
Systems Engineer
Ruckus Networks/Brocade

You really do have Multicast in your network.

I hear people say all the time that they do not have any multicast devices in their network, so they do not need to configure it. This is absolutely incorrect! Apple devices use all kinds of multicast to make life easier for users. AirPlay, Apple TV, and others were created to reach out on a single VLAN and connect to other like devices. Since it was designed for home use, it works great there, but in the enterprise this is a different story. Well, I do not have any Apple devices, you say. Do you have Windows devices? They use UPnP, or Universal Plug and Play, which uses multicast under the covers to do the same thing as Apple: make life easier. For everyone but you!

OK, how do I fix this? Can you cut it off? The short answer is yes, but you may not want to. This is all useful technology; it just needs to be handled correctly. The first thing you need to do is see if IGMP Snooping is configured on your Layer 2 switching and wireless infrastructure. There will be some show command to verify whether it is on or not. If it is not on, enable it. IGMP Snooping controls multicast traffic at Layer 2 by stopping the switch from flooding it to all ports in a broadcast domain. Traffic is only sent to ports that have joined a valid multicast group. You can see how this can significantly reduce the traffic on your network. If you need to route multicast across Layer 3 boundaries, you will need to look at a Bonjour gateway and/or PIM.

The purpose of this article is not to teach you to configure these things, but to let you know that assuming something (multicast) doesn't exist in your network is killing it. I have seen CPU utilization on a switch go from a constant 20% to 1% just by turning on IGMP Snooping. We all need to know our environment. Download Wireshark and run it on your network for a few minutes. It will show you all the things going on in your network, even the things you do not want to see or didn't know were there. Once again, my goal is to help every admin become the “Maytag Man” (if you are too young to know the reference, Google it). I want us all to be drinking coffee and letting everyone think we are magicians behind the curtain as the whole thing runs like a well-oiled machine.
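As an added example (not part of the post), here is how the multicast chatter that Wireshark shows you can be summarized once you export it, tying together the IGMP Snooping paragraph and the Wireshark advice above. The packet rows are constructed, and the script also flags the caveat that 224.0.0.0/24 groups such as mDNS are flooded to every port regardless of IGMP Snooping, so enabling it only tames groups outside that range.

```python
import ipaddress
from collections import Counter

# Groups the article alludes to; anything else shows up as "unknown group".
KNOWN_GROUPS = {
    "224.0.0.251": "mDNS/Bonjour (AirPlay, Apple TV)",
    "239.255.255.250": "SSDP/UPnP (Windows discovery)",
}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")

# Constructed sample rows in the shape of a Wireshark CSV export:
# (source, destination, protocol, destination port, frame length)
SAMPLE_PACKETS = [
    ("10.1.10.21", "224.0.0.251", "UDP", 5353, 120),
    ("10.1.10.21", "224.0.0.251", "UDP", 5353, 98),
    ("10.1.10.33", "224.0.0.251", "UDP", 5353, 110),
    ("10.1.10.40", "239.255.255.250", "UDP", 1900, 300),
    ("10.1.10.40", "239.255.255.250", "UDP", 1900, 300),
    ("10.1.10.50", "10.1.10.255", "UDP", 137, 92),  # broadcast, not multicast
    ("10.1.10.50", "10.1.10.7", "TCP", 445, 1500),  # unicast
]


def summarize(packets):
    """Aggregate multicast traffic per group and say whether snooping will tame it."""
    groups = {}
    for src, dst, _proto, _port, length in packets:
        if ipaddress.ip_address(dst) not in MULTICAST:
            continue
        g = groups.setdefault(dst, {"packets": 0, "bytes": 0, "senders": Counter()})
        g["packets"] += 1
        g["bytes"] += length
        g["senders"][src] += 1
    for dst, g in groups.items():
        g["label"] = KNOWN_GROUPS.get(dst, "unknown group")
        # Switches flood 224.0.0.0/24 to every port regardless of IGMP membership
        # (RFC 4541), so snooping only cuts traffic for groups outside that range.
        g["snoopable"] = ipaddress.ip_address(dst) not in LINK_LOCAL
    return groups


def top_talkers(packets, n=3):
    """Senders ranked by multicast bytes, the view to compare with Wireshark."""
    by_src = Counter()
    for src, dst, _proto, _port, length in packets:
        if ipaddress.ip_address(dst) in MULTICAST:
            by_src[src] += length
    return by_src.most_common(n)
```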

David Ellis
Systems Engineer
Ruckus Networks/Brocade

Do you know your Spanning-tree?

I have customers tell me all the time that spanning-tree is broken or worthless and they want to cut it off. The problem is not spanning-tree; it is the fact that you do not know it. Most people open a switch box, install a few lines of configuration (VLANs, IP addresses, username, and password), and send it on its way. Since 802.1D spanning-tree is on by default, they never look. This is where the problem begins. By default, the priority is 32768, so the lowest MAC address wins the root bridge election. You say, “I only have one path in the network, so the root bridge does not matter.” Well, that is mostly true. First, do you want the oldest switch in your network making topology change decisions for a protocol that takes 50 seconds to converge? Second, do you want to run your network or let it run you?

As a Network Administrator, you need to know your network or you cannot effectively maintain it. You have to dictate what is going on in the network. It is up to you to stop the Gremlins in the network by setting up the network to fit your organization.

Configure the root bridge priority on the core switch at the top of the Layer 2 network with a priority lower than 32768. This will make it the root bridge for the spanning-tree topology. I use 8192 as my priority to keep it low but still allow room for growth in the network. You can use 0, but that is the lowest you can go, and it leaves no room to grow.
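An added example (mine, not the post's) that walks through the root bridge election described above: with every switch left at 32768 the lowest MAC wins, and dropping the core to 8192 makes it the root. The switch names and MACs are made up, and the priority check goes slightly beyond the post by enforcing the 802.1t multiples-of-4096 rule that RSTP and per-VLAN STP implementations use.

```python
from dataclasses import dataclass, replace

DEFAULT_PRIORITY = 32768  # 802.1D default the article mentions


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str  # colon-separated 48-bit MAC
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> int:
        # The bridge ID is a 64-bit number: 16-bit priority followed by the
        # 48-bit MAC. Lowest value wins, so priority decides first and the
        # MAC only breaks ties, which is why the oldest switch wins by default.
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)


def elect_root(bridges):
    """Return the bridge every other switch will accept as root."""
    return min(bridges, key=Bridge.bridge_id)


def validate_priority(priority: int) -> int:
    # With the 802.1t extended system ID used by RSTP and per-VLAN STP, the
    # low 12 bits of the priority field carry the VLAN ID, so only multiples
    # of 4096 in 0..61440 are configurable (8192 and 0 from the article qualify).
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError(f"priority {priority} must be a multiple of 4096 in 0..61440")
    return priority


# Constructed sample topology: the old access switch happens to have the lowest MAC.
CORE = Bridge("core", "00:1a:2b:00:00:10")
OLD_ACCESS = Bridge("old-access", "00:00:0c:11:22:33")
NEW_ACCESS = Bridge("access-2", "00:1a:2b:ff:00:20")
NETWORK = [CORE, OLD_ACCESS, NEW_ACCESS]


def root_with_defaults() -> str:
    # Nobody configured a priority, so the election comes down to MAC addresses.
    return elect_root(NETWORK).name


def root_with_core_priority(priority: int = 8192) -> str:
    # Only the core gets the lower priority; everyone else stays at 32768.
    tuned = [replace(b, priority=validate_priority(priority)) if b is CORE else b
             for b in NETWORK]
    return elect_root(tuned).name
```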

Configure rapid spanning-tree on your network. Rapid spanning-tree is based on the 802.1w standard and converges faster than 802.1D spanning-tree (around 5 seconds). This is a suggestion and not a rule. You have to know your network before you make this change. Even though it is a standard, not all vendors play nice together. I have tested Ruckus/Brocade, Cisco, HP, Adtran, and Nortel/Avaya for interoperability. All but Avaya/Nortel play well together with a bit of tweaking. Avaya/Nortel needs to be in a single-instance configuration to be compatible. You can look on the NetAdmin site for interoperability documents.

Lastly, just run the show spanning-tree command (or something close to it) to see how your spanning-tree is configured. Those show commands, a piece of paper and a pencil, and a few minutes of your time will make your network stronger and you a more capable admin. My goal is to help every admin become the “Maytag Man” (if you are too young to know the reference, Google it). I want us all to be drinking coffee and letting everyone think we are magicians behind the curtain as the whole thing runs like a well-oiled machine.

David Ellis
Systems Engineer
Ruckus Networks/Brocade

Welcome!

Welcome to the NetAdmin Blog. I hope this blog adds to the overall content of the site and provides a wealth of information.