Monday 8 June 2015

Multi-user MIMO (MU-MIMO)

MU-MIMO is supported in 802.11ac Wave 2 to enable simultaneous data transmission to Wave 2 capable clients, greatly improving overall use of network capacity. In extremely high device-density environments, multiple streams will reach multiple clients at the same time, reducing the data transmission time and opening up more bandwidth for more device connections. It is critical for live video streaming that demands higher bandwidth and lower latency, ensuring a better experience for end users.

4 spatial streams
The 320 series adds a 4th spatial stream that can boost single-client performance by 33%. However, we don’t realistically expect to see this boost until 4-stream client devices enter the market, which likely won’t be until 2016. The majority of clients will likely have a maximum of 1, 2 or 3 streams. With support for 4x4:3 streams for MU-MIMO, the 320 series will maximize the data throughput of those 1- or 2-stream clients in concert with MU-MIMO, delivering a switch-like experience to the wireless network.


How secure is your EAP-PEAP v0 deployment?

PEAP stands for Protected Extensible Authentication Protocol. PEAP is one of many types of EAP available. EAP types are like different flavors of ice cream: you can have simple vanilla or a complex rocky road type of EAP. The different types of EAP provide different levels of administration and security. Some EAPs are considered weak, like LEAP, which can be breached with Asleap.

Commonly referenced EAPs used on WiFi networks:

EAP-PEAP
EAP-LEAP
EAP-TLS
EAP-TTLS
EAP-FAST

EAP-PEAP is the most common and widely deployed EAP used on wireless networks worldwide. It is also very secure, if configured and deployed properly. EAP-PEAP has a few different versions. These versions identify what type of internal authentication is conducted AFTER the outer TLS tunnel is created. This inner tunnel is where credentials are passed. The most commonly used EAP-PEAP type is EAP-PEAP v0, based on MsChapV2.

EAP-PEAP v0 - MsChapV2
EAP-PEAP v1 - GTC
EAP-PEAP v2 - TLS

The intent of this blog post is to keep the understanding and configuration of EAP-PEAP client side simple and easy to understand.

The reason PEAPv0 is widely adopted is that Microsoft was part of PEAP development. Microsoft uses its own protocol, MsChapV2, inside the tunnel to pass credentials. The Windows wireless supplicant natively supports PEAP v0. This resulted in wide adoption.

How you configure EAP-PEAPv0 is very important. If not properly configured, you can expose yourself and your network to a man in the middle attack. To understand this process we need to understand some of the mechanics of PEAP.

SERVER SIDE CERTIFICATE

PEAPv0 uses a server side certificate. The certificate is installed on the radius server. This server side certificate is used to create the outer TLS tunnel between the client and the radius server. This prevents prying eyes from sniffing frames to expose the user ID and password.

When a WiFi client connects to a WLAN configured with EAP, the radius server sends the server side certificate to the client. The client then uses this server side certificate to hash his/her network credentials and passes them back to the radius server. The radius server has the private key for that server side certificate. You may recall that when you created the CSR (certificate signing request), a private key was created in that process. The private key resides on the radius server. Think of the private key as a secret decoder ring. After the radius server decodes the client hash, it can send the user ID and password to AD for user authentication.


MAN IN THE MIDDLE

While there are other documented PEAP attacks, the most realistic, real world attack is the man in the middle attack. We just discussed how the server side certificate is used to securely pass user IDs and passwords.

What if we compromised the user's connection by presenting our own server side certificate via a rogue access point broadcasting your WLAN, thereby collecting the user ID and password?

Imagine for a moment…

You work for Acme Company. Your Acme computer is configured for a WLAN called ACME-WIRELESS-NETWORK. You connect each and every day without fail. One day you connect and get a certificate validation popup. You, like almost everyone else, click accept without reading the content of the popup. What you just did was accept a server side certificate from a rogue radius server, and you passed it your user ID and password.

This article is not intended to share all the specifics on how to set up a man in the middle attack. You’re one google search and a FREE RADIUS setup away!

VALIDATING SERVER SIDE CERTIFICATE

It is important that we validate the server side certificate on the wireless client that connects to our enterprise wireless network. In other words, we trust only specific certificates from our own radius server(s). All other requests get ignored and are not displayed to the user as a popup to override. This is critical to prevent a man in the middle attack.

From an enterprise perspective this isn't a simple check box on the infrastructure that makes the problem go away. Rather, it's standardizing the client side configuration and ensuring this configuration is deployed on every wireless device connecting to your network. The other problem is that wireless supplicants aren't created equal. On iOS and OS X you need to push a profile that validates the certificate, as you would on Windows. Some supplicants may or may not allow you to validate certificates.

HUMAN FACTOR

You need to remove the human decision making process from this security equation. You don't want to give a user the ability to choose what certificate they should and should not validate when connecting to your enterprise network.

WINDOWS 7 / 8.1 - APPLE iOS and OSX

Windows 7, 8.1 and Apple devices require the user to validate a wireless network when presented with a certificate for wireless authentication, if a wireless profile is not set up for that WLAN. Once accepted, the certificate trust is remembered in the WLAN profile. If you delete the WLAN profile, these certificate trusts also get deleted. By manual configuration or by pushing a profile you can negate the certificate trust popup.

CONFIGURE VALIDATING SERVER SIDE CERTIFICATE DETAIL


Method 1: Limit the trusted root CAs that are available to the user
Overall, the best way to reduce these potential risks is to limit the trusted root CAs that are permitted for PEAPv0. To do this, click to clear the check boxes for all non-applicable CAs in the Trusted Root Certification Authorities list. This prevents the user from trusting new root CAs, because the user is presented with an explicit list of permitted authentication servers.

Method 2: Prevent the user from being prompted for certificate validation
PEAPv0 configuration includes an option that prevents the user from being prompted for certificate validation. This is the Do not prompt user to authorize new servers or trusted root certification authorities option. By default, this option is disabled. If you enable this option, the user is not presented with the UI that may be difficult for the user to understand. Therefore, the user cannot select an unapproved root certification authority.

To enable this option, follow these steps:
1 In the Protected EAP Properties dialog box, click to select the Validate server certificate check box.

2 Click to select the Do not prompt user to authorize new server or trusted certification authorities check box.

3 Install the root certificate of the server in the NTAuth store, or click to select the root certificate in Trusted Root Certificate Authorities list.

If you cannot use this method, you can educate users to make sure that they reject the request to authorize any new servers or certification authority.

Method 3: Limit authentication servers
PEAPv0 configuration lets you limit the servers that can be trusted for an authentication. The Connect to these servers option uses a list of server names, each separated by a semicolon, to explicitly define the servers against which the client may authenticate. When you enable this option and use the strict list of accepted servers, this man-in-the-middle attack is much more difficult to execute. Or, this attack may be impossible to execute, depending on the specific PKI structure that your organization uses.

To enable the Connect to these servers option, follow these steps:

1 In the Protected EAP Properties dialog box, click to select the Validate server certificate check box.

2 Click to select the Connect to these servers check box.

3 In the Connect to these servers box, type a list of all back-end authentication servers. Separate each server name with a semicolon. For example, type the following for the domain acme.com and for authentication servers auth1 and auth2: auth1.contoso.com;auth2.contoso.com

Overview
1 - Validate Server Certificate
- Select the CA that signed your server side certificate

2 - Enter the CN of the server side certificate(s). If more than one CN is used (multiple radius servers), separate the CNs with a “;” and make sure there are spaces between them.

3 - Check the Do not prompt user… box. This is an extra fail-safe so that a user won’t get the popup.

4 - Enable identity privacy and enter a value in this field. This value is presented in clear text during the EAP-PEAP process, so make sure it's not a user ID. :)
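To make the effect of the three settings concrete, here is a small model of the supplicant's decision, written for this post as an added example (it is not the blog's code and not any vendor's supplicant). Certificates are constructed stand-ins (subject CN, issuer CN, fake DER bytes), not real X.509; the thumbprint is the SHA-1 of those bytes, which is how Windows derives the thumbprint shown in its Trusted Root CA list. The rogue chain reuses the legitimate names, as a rogue radius server would, but cannot reuse the legitimate bytes.

```python
"""Supplicant-side PEAPv0 server validation, modelled as a policy check.

Added example, not code from the blog post or from any vendor supplicant.
Certificates are constructed stand-ins; thumbprint = SHA-1 of the stand-in DER.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    issuer_cn: str
    der: bytes  # constructed stand-in for the encoded certificate

    def thumbprint(self) -> str:
        return hashlib.sha1(self.der).hexdigest().upper()


@dataclass(frozen=True)
class PeapPolicy:
    validate_server_cert: bool           # "Validate server certificate"
    trusted_root_thumbprints: frozenset  # Method 1: the CAs left ticked
    connect_to_these_servers: str        # Method 3: "auth1.contoso.com;auth2.contoso.com"
    disable_user_prompt: bool            # Method 2: "Do not prompt user ..."


def parse_server_names(value: str) -> set:
    """Split the semicolon-separated 'Connect to these servers' list."""
    return {n.strip().lower() for n in value.split(";") if n.strip()}


def evaluate(policy: PeapPolicy, chain: list) -> tuple:
    """Decide what the supplicant does with the radius server's chain.

    chain is ordered server certificate first, root CA last.
    Returns ("accept" | "reject" | "prompt", reason); "prompt" is the
    human-factor outcome: the user gets the popup and decides.
    """
    if not policy.validate_server_cert:
        return "accept", "server certificate not validated; any radius server accepted"

    # Walk the chain: each certificate must be issued by the next one up.
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer_cn != upper.subject_cn:
            return "reject", f"broken chain: {lower.subject_cn} not issued by {upper.subject_cn}"
    root = chain[-1]
    if root.issuer_cn != root.subject_cn:
        return "reject", "chain does not end in a self-signed root"

    problems = []
    # Method 1: trust is by thumbprint, so a rogue CA with the same name fails.
    if root.thumbprint() not in policy.trusted_root_thumbprints:
        problems.append(f"root CA '{root.subject_cn}' not in trusted list")
    # Method 3: the server's CN must be one of the configured names.
    allowed = parse_server_names(policy.connect_to_these_servers)
    if allowed and chain[0].subject_cn.lower() not in allowed:
        problems.append(f"server name '{chain[0].subject_cn}' not in list")

    if not problems:
        return "accept", "trusted root and expected server name"
    # Method 2: with prompting disabled, unknown servers/CAs are silently rejected.
    if policy.disable_user_prompt:
        return "reject", "; ".join(problems)
    return "prompt", "; ".join(problems) + " (user asked to authorize)"


# Constructed scenario: the real Acme radius chain and a rogue copy that
# reuses the same names but, necessarily, different keys and bytes.
ACME_ROOT = Cert("Acme Root CA", "Acme Root CA", b"constructed acme root ca der")
ACME_AUTH1 = Cert("auth1.contoso.com", "Acme Root CA", b"constructed auth1 der")
ROGUE_ROOT = Cert("Acme Root CA", "Acme Root CA", b"constructed rogue ca der")
ROGUE_AUTH1 = Cert("auth1.contoso.com", "Acme Root CA", b"constructed rogue auth1 der")

SERVERS = "auth1.contoso.com;auth2.contoso.com"
HARDENED = PeapPolicy(True, frozenset({ACME_ROOT.thumbprint()}), SERVERS, True)
PROMPTING = PeapPolicy(True, frozenset({ACME_ROOT.thumbprint()}), SERVERS, False)
UNVALIDATED = PeapPolicy(False, frozenset(), "", False)

if __name__ == "__main__":
    for name, policy in [("hardened", HARDENED), ("prompting", PROMPTING), ("unvalidated", UNVALIDATED)]:
        print(name, "legit:", evaluate(policy, [ACME_AUTH1, ACME_ROOT]))
        print(name, "rogue:", evaluate(policy, [ROGUE_AUTH1, ROGUE_ROOT]))
```

Only the hardened policy rejects the rogue chain outright; the prompting policy hands the decision back to the user, and the unvalidated policy never notices.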


[Image: aruba.eappeap.png]

Wednesday 21 January 2015

Guide to SSL Certificates

SSL stands for “Secure Socket Layer.” It is a technology that establishes a secure session link between the visitor’s web browser and your website so that all communications transmitted through this link are encrypted and are, therefore, secure. SSL is also used for transmitting secure email, secure files, and other forms of information.

SSL creates a safe and private channel for you to communicate.

What Is an SSL Certificate? 

An SSL certificate is a digital computer file (or small piece of code) that has two specific functions:

1. Authentication and Verification: The SSL certificate has information about the authenticity of certain details regarding the identity of a person, business or website, which it will display to visitors on your website when they click on the browser’s padlock symbol or trust mark (e.g., the Norton™ Secured Seal). The vetting criteria used by Certificate Authorities to determine if an SSL certificate should be issued are most stringent with an Extended Validation (EV) SSL certificate, making it the most trusted SSL certificate available.

2. Data encryption: The SSL certificate also enables encryption, which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient.

In the same way that an identity document or passport may only be issued by the country’s government officials, an SSL certificate is most reliable when issued by a trusted Certificate Authority (CA). The CA has to follow very strict rules and policies about who may or may not receive an SSL certificate. When you have a valid SSL certificate from a trusted CA, there is a higher degree of trust by your customers, clients or partners.


How Does SSL Encryption Work?

In the same way that you lock and unlock doors using a key, encryption makes use of keys to lock and unlock your information. Unless you have the right key, you will not be able to “open” the information.

Each SSL session consists of two keys:
The public key is used to encrypt (scramble) the information.
The private key is used to decrypt (un-scramble) the information and restore it to its original format so that it can be read.

The Process: Every SSL certificate that is issued for a CA-verified entity is issued for a specific server and website domain (website address). When a person uses their browser to navigate to the address of a website with an SSL certificate, an SSL handshake (greeting) occurs between the browser and server. Information is requested from the server, which is then made visible to the person in their browser window. You will notice changes to indicate that a secure session has been initiated; for example, a trust mark will appear. If you click on the trust mark, you will see additional information such as the validity period of the SSL certificate, the domain secured, the type of SSL certificate, and the issuing CA. All of this means that a secure link is established for that session, with a unique session key, and secure communications can begin.

How Do I Know that a Site Has a Valid SSL Certificate?

1. A standard website without SSL security displays “http://” before the website address in the browser address bar. This moniker stands for “Hypertext Transfer Protocol,” and is the conventional way to transmit information over the Internet.
2. However, a website that is secured with an SSL certificate will display “https://” before the address. This stands for “Secure HTTP.”

Where Would I Use an SSL Certificate?  

The short answer to this question is that you would use an SSL certificate anywhere that you wish to transmit information securely. Here are some examples:

Securing communication between your website and your customer’s Internet browser.
Securing internal communications on your corporate intranet.
Securing email communications sent to and from your network (or private email address).
Securing information between servers (both internal and external).
Securing information sent and received via mobile devices.

Different types of SSL Certificates 

There are a number of different SSL certificates on the market today.

The first type of SSL certificate is a self-signed certificate. As the name implies, this is a certificate that is generated for internal purposes and is not issued by a CA. Since the website owner generates their own certificate, it does not hold the same weight as a fully authenticated and verified SSL certificate issued by a CA.

A Domain Validated certificate is considered an entry-level SSL certificate and can be issued quickly. The only verification check performed is to ensure that the applicant owns the domain (website address) where they plan to use the certificate. No additional checks are done to ensure that the owner of the domain is a valid business entity.

A fully authenticated SSL certificate is the first step to true online security and confidence building. Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate.

Tips

A domain name is often used with a number of different host suffixes. For this reason, you may employ a Wildcard certificate that allows you to provide full SSL security to any host of your domain, for example host.your_domain.com (where “host” varies but the domain name stays constant).

Similar to a Wildcard certificate, but a little more versatile, the SAN (Subject Alternative Name) SSL certificate allows for more than one domain to be added to a single SSL certificate.

Code signing certificates are specifically designed to ensure that the software you have downloaded was not tampered with while en route. There are many cybercriminals who tamper with software available on the Internet. They may attach a virus or other malicious software to an innocent package as it is being downloaded. These certificates make sure that this doesn’t happen.

Extended Validation (EV) SSL certificates offer the highest industry standard for authentication and provide the best level of customer trust available. When consumers visit a website secured with an EV SSL certificate, the address bar turns green (in high-security browsers) and a special field appears with the name of the legitimate website owner along with the name of the security provider that issued the EV SSL certificate. It also displays the name of the certificate holder and issuing CA in the address bar. This visual reassurance has helped increase consumer confidence in e-commerce.
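The Wildcard and SAN entries above only protect a site if the browser matches the requested hostname against them correctly. The following added example (not part of the guide) implements that matching as modern browsers do: a wildcard replaces exactly one whole leftmost label, so `*.your_domain.com` covers `host.your_domain.com` but not `your_domain.com` itself nor `a.b.your_domain.com`. The certificate is a constructed list of SAN dNSName entries, not a real X.509 object.

```python
"""Hostname matching against a certificate's SAN list (plain and wildcard names).

Added example, not code from the guide. Follows the browser rule derived from
RFC 6125: case-insensitive, trailing dots ignored, and a wildcard may only stand
for one entire leftmost label of a name with at least three labels.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(p_labels) or not all(h_labels):
        return False  # empty label, e.g. "a..b"
    if "*" in pattern:
        # Wildcard must be the whole leftmost label and nothing else may contain '*'.
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False  # refuse "*.com"-style patterns (CA policy, adopted by browsers)
        # Same label count: the wildcard never spans a dot, and never matches the bare domain.
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return p_labels == h_labels


def cert_covers(san_dns_names: list, hostname: str):
    """Return the first SAN entry that covers hostname, or None."""
    for name in san_dns_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed SAN list for a single certificate (wildcard + second domain).
SAN = ["www.acme-example.com", "*.acme-example.com", "acme-example.net"]

if __name__ == "__main__":
    for host in ["host.acme-example.com", "acme-example.com",
                 "a.b.acme-example.com", "ACME-EXAMPLE.NET", "acme-example.org"]:
        print(f"{host:28} -> {cert_covers(SAN, host)}")
```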

Monday 12 January 2015

CCNA CCNP Special Offers Promotion

CISCO Special Offers


CCNA Promotion:

Receive a 20% discount on your CCNA Composite (#200-120) exam by using the promo code “CCNA20%India”, when you register for your exam with Pearson VUE. Please note that the number of available promotion codes for this promotion is limited and the discount will be provided on a first-come, first-served basis. This offer cannot be combined with any other promotion or discount. The exam promotion code must be redeemed by July 31, 2015, and only through Pearson VUE test centers in India.

Learn about how to apply the discount on your exam.


CCNP Promotion:

Receive an auto 20% discount on one or multiple CCNP certification exams of your choice: CCNP ROUTE (642-902), CCNP SWITCH (642-813) or CCNP TSHOOT (642-832), when you register for your exam with Pearson VUE. The promotion is only valid from Oct 7, 2014- Jan 29, 2015, and only through Pearson VUE testing centers in India.

Learn about how to apply the discount on your exam.

For more info: https://learningnetwork.cisco.com/docs/DOC-25504


Friday 9 January 2015

10 Requirements for Optimizing Your Network for Mobility



  • Design Around the User, Not the Network
  • Unify Wired and Wireless Management for Seamless Workflows and Optimized Application Performance
  • Connect Users Properly To Begin Optimizing Around Them
  • Implement Proper Authentication and Access even for Guest and BYO devices
  • Ensure Security and Enforcement Is At The Edge And User-centric
  • Optimize Wireless (Radio Frequency) Connectivity
  • Ensure the Network can handle the density that comes in with a Mobile-First Enterprise
  • Provide Zero-Configuration Services To Users to keep them productive
  • Simplify Wireless Problem Remediation to ease IT’s burden
  • Provide The Same Access Everywhere Without Remote Hands




Monday 5 January 2015

Bluetooth Smart Technology: Powering the Internet of Things

It is ultra-low powered, trusted, and most importantly, everywhere—especially in devices already in the hands of consumers, e.g. the Nexus 7 running Android 4.3.


With all major operating systems now providing native Smart Ready support, it is easy for handset, tablet, TV and PC OEMs to make it available to consumers and use the premium Smart Ready brand.

This allows Bluetooth Smart OEMs, first-, and third-party app developers to bring virtually “anything” into the connected world with Bluetooth.

From the novel to the life saving and everything in between, Bluetooth Smart is at the heart of this wireless revolution, making everyday objects “smarter” through apps and the cloud.

No other wireless technology operates at the scale that Bluetooth does, with 2.5 billion Bluetooth-enabled devices expected to ship this year—and that figure expected to double within the next 4 years.

Ease, scale, and ubiquity are big reasons it is the trusted and preferred wireless technology for consumers, developers, OEMs and suppliers. It’s why Apple, Microsoft, BlackBerry, and now Google have gone “all in” for Bluetooth Smart Ready.


Tech Video on Youtube

Friday 2 January 2015

Advantages of 802.11ac beamforming

802.11ac Beamforming

Devices that support beamforming focus their signals toward each client, concentrating the data transmission so that more data reaches the targeted device instead of radiating out into the atmosphere.


If the Wi-Fi client also supports beamforming, the router and client can exchange information about their respective locations in order to determine the optimal signal path. Any device that beamforms its signals is called a beamformer, and any device that receives beamformed signals is called a beamformee.  


Mathematically, the ability to steer energy is represented by the steering matrix, which is given the letter Q in 802.11ac.


However, in 802.11ac Wave 2, beamforming will be a standard feature on the chips and all vendors will offer it as table stakes. In reality, Broadcom has already implemented single-user beamforming in its silicon, giving all the Broadcom-based Wi-Fi vendors that capability today. Wave 2 is when multi-user beamforming becomes a standard that will close the gap even more.

Multi-User (MU) Beamforming

MU-MIMO features prominently in the later update of the 802.11ac wireless specification (802.11ac Wave 2).


By simplifying beamforming to use one method of channel sounding, 802.11ac will enable wider use of standards-based beamforming. More significant, however, is the inclusion of multi-user (MU) MIMO beamforming in 802.11ac. Prior to the introduction of multi-user beamforming, all 802.11 devices could send a transmission to only one device at a time. Just as Ethernet switches reduced the scope for collisions from a large network down to a single port, multi-user MIMO reduces the spatial collision domain. By using MU-MIMO, an AP may transmit to multiple receiving stations simultaneously.


Due to the need for sophisticated antenna systems and signal processing, MU-MIMO in 802.11ac can be used only in the downstream direction, from an AP to multiple client devices.


One important capability that MU-MIMO brings to 802.11ac is its support of single-stream devices. Prior to 802.11ac, beamforming worked to increase the signal-to-noise ratio of a link to a single device, but the devices on the network often limited its benefits. Many small battery-powered devices are capable of only a single spatial stream, and thus receive only limited benefits from single-user MIMO. With 802.11ac’s multi-user MIMO, a single transmission time can be used to send frames to multiple single-stream receivers. The 802.11ac standard allows up to four different receiver groups within one MU-MIMO transmission.


Multi-user MIMO can transmit simultaneously to multiple single-stream devices, which enables the network to more efficiently serve increasingly common battery-powered devices such as phones and tablets.

If one device (such as the router) supports beamforming, but the other (such as the Wi-Fi adapter in your router) doesn’t, they’ll still work together. They just won’t take advantage of the technology.

Top 10 IT Technology Trends for 2015




Gartner: Top 10 Technology Trends for 2015 IT can’t ignore

Rise of smart machines, ubiquitous access and software-defined architectures will reshape IT, Gartner says
Gartner defines its Strategic Technology Trends as those technologies that have the most potential to drive great change in the enterprise IT arena in the next three years.
Indeed this year’s crop has that potential as trends like software-defined networks and 3D printing take center stage in Gartner’s list.
 “You need to be looking at linking to customers in new and unique ways; what technologies set the foundation to enable these moves,” said Gartner vice president David Cearley. IT will be dealing with everything from virtual technologies to intelligent machines and analytics data everywhere, he said. “And in the end all things run through a completely secure environment.”
So Gartner’s Top 10 Strategic Technology Trends for 2015 list looks like this:
1. Computing everywhere: Cearley says the trend is not just about applications but rather wearable systems, intelligent screens on walls and the like. Microsoft, Google and Apple will fight over multiple aspects of this technology. You will see more and more sensors that will generate even more data and IT will have to know how to exploit this—think new ways to track users and their interactions with your company—in an effective, positive way.
2. The Internet of things: Yes this one is getting old it seems, but there’s more to it than the hype. Here IT will have to manage all of these devices and develop effective business models to take advantage of them. Cearley said IT needs to get new projects going and to embrace the “maker culture” so people in their organizations can come up with new solutions to problems.
3. 3D Printing: Another item that has been on the Gartner list for a couple of years. But things are changing rapidly in this environment. Cearley says 3D printing has hit a tipping point in terms of the materials that can be used and the price points of machines. It enables cost reduction in many cases. IT needs to look at 3D printing and think about how it can make your company more agile. Can 3D printing drive innovation?
4. Advanced, Pervasive and Invisible Analytics: Security analytics are the heart of next generation security models. Cearley said IT needs to look at building data reservoirs that can tie together multiple repositories which can let IT see all manner of new information – such as data usage patterns and what he called “meaningful anomalies” it can act on quickly.
5. Context-Rich Systems: This one has been a Gartner favorite for a long time – and with good reason. The use of systems that utilize “situational and environmental information about people, places and things” in order to provide a service, is definitely on the rise. IT needs to look at creating ever more intelligent user interfaces linking lots of different apps and data.
6. Smart Machines: This one is happening rapidly. Cearley pointed to IBM’s Watson, which is “learning” to fight cancer, and a mining company, Rio Tinto, which is using automated trucks in its mines. Virtual sages, digital assistants and other special service software agents will abound in this world, he said.
7. Cloud/Client Computing: This trend was on last year’s list as well but Gartner says the need to develop native apps in the cloud versus migrating existing apps is the current issue.
8. Software-Defined Applications and Infrastructure: In order to get the agility new environments demand, we cannot have hard-coded and predefined networks, Cearley said. IT needs to be able to construct dynamic relationships. Software-defined technologies help on that scale.
9. Web-Scale IT: This trend remains pretty much the same as last year. Gartner says Web-scale IT is a pattern of global-class computing technologies that deliver the capabilities of large cloud service providers. The likes of Amazon, Google and others are re-inventing the way IT services can be delivered. It still requires a cultural IT shift to be successful.
10. Risk-Based Security and Self-protection: Cearley said all roads to the digital future success lead through security. Trends here include building applications that are self-protecting.