WPA is not encrypting your customer traffic

There was a Facebook discussion that popped up tonight about how a WISP answers the question “Is your network secure?” There were many good answers and the notion of WEP vs WPA was brought up.

In today’s society, you need end-to-end encryption for data to be secure. An ISP has no control over where the customer traffic is going. Thus, by default, the ISP has no control over whether customer traffic is secure. “But Justin, I run WPA on all my APs and backhauls, so my network is secure.” Again, think about end-to-end connectivity. Every one of your access points can be encrypted, and every one of your backhauls can be encrypted, but what happens when an attacker breaks into your wiring closet and installs a sniffer on a router or switch port? What most people forget is that WPA encryption is only going on between the router/AP and the user device. “But I lock down all my ports,” you say. Okay, what about your upstream? Who is to say your upstream provider doesn’t have a port mirror running that dumps all your customer traffic somewhere? “Okay, I will just run encrypted tunnels across my entire network! Ha! Let’s see you tear down that argument!” Again, what happens when it leaves your network? The encryption stops at the endpoint, which is the edge of your network.

Another thing everyone hears about is hotspots. Every so often the news runs a fear piece on unsecured hotspots. This is the same concept. If you connect to an unsecured hotspot, it is not much different from connecting to a hotspot where the WPA2 key is on a sign behind the cashier at the local coffee shop. The only difference is the “hacker” has an easier time grabbing any unsecured traffic you are sending. Notice I said unsecured. If you are using SSL to connect to a bank site, that session is encrypted. No sniffing going on there. If you have an encrypted VPN, the possibility of traffic being sniffed is next to none. I say next to none because certain types of VPNs are more secure than others. Does that mean the ISP providing the Internet to feed that hotspot is insecure? There is no feasible way for the ISP to provide end-to-end security of user traffic on the open Internet.

These arguments are why things like SSL and VPNs exist. Google Chrome now expects all websites to be SSL enabled to be marked as secure. VPNs can ensure end-to-end security, but only between two points. Eventually, you will have to leave the safety and venture out into the wild west of the Internet. Things like intranets exist so users can have access to information but still be protected. Even most of that is over encrypted SSL these days so someone can’t install a sniffer in the basement.
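To make the “what a sniffer on the wire actually sees” point concrete, here is an added Python example (not from the original post) that classifies the first bytes of TCP flows the way a port mirror would see them and reports what share of bytes is protected end to end (TLS or SSH) versus sent in the clear. The flows, addresses and payloads are constructed samples, not a real capture.

```python
# Constructed sample flows as a port mirror would see them:
# (client, server, dst_port, first bytes the client sent, total bytes in the flow).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.20", 443, TLS_CLIENT_HELLO, 5200),
    ("192.0.2.10", "198.51.100.30", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n", 800),
    ("192.0.2.11", "198.51.100.40", 22, b"SSH-2.0-OpenSSH_8.9\r\n", 3000),
    ("192.0.2.12", "198.51.100.50", 143, b"a001 LOGIN someone secret\r\n", 400),
    ("192.0.2.13", "198.51.100.60", 8080, b"\x00\x01\x02\x03", 100),
]

# Labels whose payload a sniffer on the wire cannot read.
ENCRYPTED = {"tls", "ssh"}
# Fallback for protocols that are cleartext by default on their well-known port.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}
HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS")


def classify(port, payload):
    """Label a flow from the first bytes the client sent, falling back to the port."""
    # TLS record header: content type 22 (handshake), version 3.x, then handshake type 1 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return CLEARTEXT_PORTS.get(port, "unknown")


def exposure_report(flows):
    """Per-label flow and byte counts plus the share of bytes protected end to end.

    Unknown traffic is counted as unprotected, which is the conservative assumption."""
    report = {}
    for _client, _server, port, payload, nbytes in flows:
        entry = report.setdefault(classify(port, payload), {"flows": 0, "bytes": 0})
        entry["flows"] += 1
        entry["bytes"] += nbytes
    total = sum(e["bytes"] for e in report.values())
    protected = sum(e["bytes"] for label, e in report.items() if label in ENCRYPTED)
    return report, (protected / total if total else 0.0)


if __name__ == "__main__":
    report, share = exposure_report(SAMPLE_FLOWS)
    for label, entry in sorted(report.items()):
        print("%-8s flows=%d bytes=%d" % (label, entry["flows"], entry["bytes"]))
    print("protected end to end: %.1f%% of bytes" % (100 * share))
```

Everything that is not TLS or SSH here is readable by anyone with a mirror port, regardless of how the Wi-Fi hop was encrypted.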

So what is a WISP supposed to say about security? The WISP is no more secure than any other ISP, nor is it any less secure. The real security comes from the customer: things like making sure their devices are up-to-date on security patches. This includes the often forgotten router. Things like secure passwords, paying attention to browser warnings, e-mail awareness, and so on are where the real user security lies. VPN connections to work. Using SSL ports on e-mail. Using SSH and secure RDP for network admins. Firewalls can help, but they don’t encrypt the traffic. Does all traffic need to be encrypted? No.

Everything you wanted to know about NTP

Network Time Protocol (NTP) is a service that can be used to synchronize time on network-connected devices. Before we dive into what NTP is, we need to understand why we need accurate time.

The obvious thing is that network devices need an accurate clock. Things like log files with the proper time stamp are important in troubleshooting. Accurate timing also helps with security measures. Some attacks exploit weaknesses in time stamps to add in bad payloads or manipulate data. Some companies also require accurate time stamps on files and transactions for compliance purposes.

So what are these Stratum levels I hear about?
NTP has several levels, divided into strata. The stratum is the distance from the reference clock source. A clock which relays UTC (Coordinated Universal Time) with little to no delay (we are talking nanoseconds) is a Stratum-0 device. These are not used on the network. These are usually atomic and GPS clocks. A Stratum-0 clock is connected to time servers, or Stratum-1 servers, via GPS or a national time and frequency transmission. A Stratum-1 device is a very accurate device and is not connected to a Stratum-0 clock over a network. A Stratum-2 clock receives NTP packets from a Stratum-1 server, a Stratum-3 receives packets from a Stratum-2 server, and so on. It’s all relative to where the NTP server sits in relation to the Stratum-1 servers.

Why are there levels?
The further you get away from Stratum-0, the more delay there is. Things like jitter and network delays affect accuracy. Most of us network engineers are concerned with milliseconds (ms) of latency. Time servers are concerned with nanoseconds (ns). Even a server directly connected to a Stratum-0 reference will add 8-10 nanoseconds to UTC time.

My Mikrotik has an NTP server built in? Is that good enough?
This depends on what level of accuracy you want. Do you just need to make sure all of your routers have the same time? Then synchronizing with an upstream time server is probably good enough. Having 5000 devices with the same time, AND not having to manually set them or keep them in sync manually, is a huge deal.

If you run a VoIP switch, need to be compliant when it comes to transactions on servers, or need to meet requirements such as SOX compliance, you may need a more accurate time source.
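To make the stratum and delay discussion concrete, here is an added Python example (not from the original post) that builds an NTPv4 client request, decodes a reply’s stratum, reference ID and root delay, derives the clock offset and round-trip delay from the four timestamps per RFC 5905, and applies the sanity checks a client should run before trusting a server (the same things you would check on a Mikrotik’s upstream). The reply bytes are constructed, not a real capture, and the upstream address 10.0.0.5 is a placeholder.

```python
import struct

NTP_FMT = "!BBbb11I"   # LI/VN/Mode, stratum, poll, precision, then eleven 32-bit words

def _to_ntp_ts(secs):  # float seconds since 1900-01-01 -> NTP 32.32 fixed-point pair
    hi = int(secs)
    return hi, int((secs - hi) * 2**32)

def _from_ntp_ts(hi, lo):
    return hi + lo / 2**32

def describe_stratum(stratum):
    """Name the stratum byte using RFC 5905 semantics (the levels described above)."""
    if stratum == 0:
        return "unspecified or kiss-o'-death (code carried in the reference ID)"
    if stratum == 1:
        return "primary: directly attached reference clock such as GPS"
    if stratum < 16:
        return "secondary: %d hop(s) below a primary" % (stratum - 1)
    return "unsynchronized" if stratum == 16 else "reserved / invalid"

def build_client_request(t1):
    """48-byte NTPv4 client packet (LI=0, VN=4, Mode=3) carrying only our transmit time."""
    return struct.pack(NTP_FMT, 0x23, 0, 0, 0, *([0] * 9), *_to_ntp_ts(t1))

def parse_reply(data, t1, t4):
    """Decode a server reply; t1/t4 are our send and receive times in seconds since 1900."""
    if len(data) < 48:
        raise ValueError("NTP packet too short")
    f = struct.unpack(NTP_FMT, data[:48])
    t2 = _from_ntp_ts(f[11], f[12])   # server receive timestamp
    t3 = _from_ntp_ts(f[13], f[14])   # server transmit timestamp
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "stratum_desc": describe_stratum(f[1]),
        "root_delay": f[4] / 2**16,          # 16.16 fixed point, seconds
        "root_dispersion": f[5] / 2**16,
        "ref_id": f[6].to_bytes(4, "big"),   # upstream IPv4 address for stratum >= 2
        "offset": ((t2 - t1) + (t3 - t4)) / 2,   # RFC 5905 clock offset
        "delay": (t4 - t1) - (t3 - t2),          # round-trip delay
    }

def is_usable(reply):
    """Checks a client applies before trusting a reply: server-mode packet from a synced clock."""
    return reply["mode"] == 4 and reply["version"] in (3, 4) and reply["leap"] != 3 and 1 <= reply["stratum"] <= 15

# Constructed sample (not a real capture): we sent at T1 and got the answer at T4;
# a Stratum-2 server synced to 10.0.0.5 received it 10 ms after T1 and answered 1 ms later.
T1, T4 = 3900000000.0, 3900000000.022

def constructed_reply():
    ref_id = int.from_bytes(bytes([10, 0, 0, 5]), "big")
    return struct.pack(NTP_FMT, 0x24, 2, 6, -20, 0x0100, 0x0080, ref_id, 0, 0,
                       *_to_ntp_ts(T1), *_to_ntp_ts(3900000000.010), *_to_ntp_ts(3900000000.011))

if __name__ == "__main__":
    info = parse_reply(constructed_reply(), T1, T4)
    print(info["stratum_desc"], "offset=%.6f s delay=%.6f s" % (info["offset"], info["delay"]))
```

Sending `build_client_request()` over UDP port 123 to your own router and feeding the answer to `parse_reply()` tells you what stratum it is really advertising and how far off it is from the upstream.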

What can I do for more accurate time?
Usually, a dedicated appliance is what many networks use. These are purpose-built hardware that receives a signal from GPS. The more accurate you need the time, the more expensive it will become. Devices that need to be accurate to the nanosecond are usually more expensive than ones accurate to a microsecond.

If you Google “NTP appliance” you will get a bunch of results. If you want to step up from what you are doing currently, you can look into these links:

http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

How to Build a Stratum 1 NTP Server Using A Raspberry Pi

Building a Stratum 1 NTP Server with a Raspberry Pi

5.8 Cambium Elevated Devices & Max EIRP

Lately, we have had a few clients run into signals becoming worse when they elevated clients to ePMP. This is not a result of the software being bad, but of it enforcing the max EIRP on the units. This boils down to older devices being compliant with original FCC grants which allowed unlimited EIRP. Cambium Elevate recognizes the latest grant for the devices. This grant allows for a max of 41 dBm on 5/10/20 MHz channels and 38 dBm on 40 MHz.

So if you have elevated some older devices from UBNT, your signals may have dropped. This is due to compliance with the latest rules for the device. As our industry matures, becoming compliant will become more and more important. On the UBNT units, newer firmware from UBNT also does this.

Cambium has a forum post on this. http://community.cambiumnetworks.com/t5/ePMP-Elevate/5-8-GHz-Elevated-Devices-Maximum-EIRP-in-the-United-States/m-p/73141#M475

We have some tricks of the trade we can do. Contact MTIN for how we can help.

The Importance of cable support in LTE deployments

As the number of WISP LTE deployments increases, there are many things WISPs will need to be mindful of. One such item is properly supporting antenna cables. LTE systems are more sensitive to cable issues. In a previous blog post, I talked about PIM and low-PIM cables. One of the things that can cause low PIM is improperly mated cables. If cables are not supported they can become loose over time. Vibration from equipment or even the wind can loosen connections.

How do we support cables?
We can take a cue from the cellular industry. The following are some examples of proper cable support.  Thanks to Joshua Powell for these pics.

Where can you get these?
A good place to start is sites like sitepro1 or Tessco, which have a selection.

So the next time you are planning your LTE deployment think about cable support.

Learning, certifications and the xISP

One of the most asked questions which comes up in the xISP world is “How do I learn this stuff?” Depending on who you ask, this could be a lengthy answer or a simple one-sentence answer. Before we answer the question, let’s dive into why the answer is complicated.

In many enterprise environments, there is usually a pretty standard deployment of networking hardware. Typically this is from a single vendor. There are many factors involved in why this is. The first is Total Cost of Ownership (TCO). It almost always costs less to support one product than to support multiples. Things like staff training are usually a big factor. If you are running Cisco, it’s cheaper to train and keep updated on just Cisco rather than Cisco and another vendor.

Another factor involved is economies of scale. Buying all your gear from a certain vendor allows you to leverage buying power: quantity discounts, in other words. You can commit to buying product over time or all at once.

So, to answer this question in simple terms: if your network runs Mikrotik, go to a Mikrotik training course. If you run Ubiquiti, go to a Ubiquiti training class.

Now that the simple question has been answered, let’s move on to the complicated, and typically the real-world, answer and scenario. Many of our xISP clients have gear from several vendors deployed. They may have several different kinds of wireless systems, a switch solution, a router solution, and different pieces in between. So where does a person start?

We recommend the following path. You can tweak this a little based on your learning style, skill level, and the gear you want to learn.

1. Start with the Cisco Certified Network Associate (CCNA) certification in Routing and Switching (R&S). There are a ton of ways to study for this certification. There are bootcamps (not a huge fan of these for learning), iPhone and Android apps (again, these are more focused on getting the cert), online courses, books, and even YouTube videos. Through the process of studying for this certification, you will learn many things which will carry over to any vendor. Things like subnetting, differences between broadcast and collision domains, and even some IPv6 in the newest tracks. During the course of studying you will learn, and then reinforce that through practice tests and such. Don’t necessarily focus on the goal of passing the test; focus on the content of the material. I used to work with a guy who went into every test with the goal of passing at 100%. This meant he had to know the material. CompTIA is a side path to the Cisco CCNA. For reasons explained later, CompTIA Network+ doesn’t necessarily work into my plan, especially when it comes to #3. I would recommend CompTIA if you have never taken a certification test before.

2. Once you have the CCNA under your belt, take a course in the vendor you will be working with the most. At the end of this article, I am going to add links to some of the popular vendor certifications and to 3rd-party folks who teach classes. One of the advantages of a 3rd-party teacher is they are able to apply this to your real-world needs. If you are running Mikrotik, take a class in that. Let the certification be a by-product of that class.

3. Once you have #1 and #2 under your belt, go back to Cisco for their Cisco Certified Design Associate (CCDA). This is a very crucial step that those on a learning path overlook. Think of your networking knowledge as if your end goal is to be able to build a house. Steps one and two have given you general knowledge; you can now use tools and do some basic configuration. But you can’t build a house without knowing what is involved in designing foundations, what materials you need to use, how to compact the soil, etc. Network design is no different. These are not things you can read in a manual on how to use the tool. They also are not tool specific. Some of the things in the Cisco CCDA will be specific to Cisco, but overall it is a general learning track. Just follow my philosophy from #1: focus on the material.

Once you have all of this under your belt, look into pulling in pieces of other knowledge. Understanding what is going on is key to your success. If you understand what goes on with an IP packet, learning tools like Wireshark will be easier. As you progress, let things grow organically from this point. Adding equipment from a new vendor? Update your knowledge or press the new vendor for training options. Branch out into some other areas, such as security, to add to your overall understanding.

Never stop learning! Visit our online store for links to recommended books and products.

WISP Based Training Folks
These companies and individuals provide WISP-based training. Some of it is vendor focused, some is not. My advice is to ask questions. See if they are a fit for what your goals are.
Connectivity Engineer
Butch Evans
Dennis Burgess
Rickey Frey
Steve Discher
Baltic Networks

Vendor Certification Pages
Ubiquiti
Mikrotik
Cisco
Juniper
CWNA
CompTIA

If you provide training let me know and I will add you to this list.

LigoWave APC Button First view

LigoWave has recently launched a small form factor 802.11n radio. This is one of a growing number of devices designed for SOHO and small and medium enterprise installs. You can read the full data sheet here: https://www.ligowave.com/public/downloads/APC%20button.pdf

One of the first things I do with a unit like this is log in and look at the existing firmware. My unit came with version 5.95 and the latest available was 7.02. Since this is a new platform for me, I can’t speak to the changes in the firmware, other than what I saw on the surface.

I noticed some cool things about this unit which some other vendors are lacking at the moment.

Spectrum Analyzer
The spectrum analyzer under tools loaded very quickly.  No complicated Java or slow load times.  The following is a screenshot from it sitting on my desk.

Site Survey
Just like the spectrum scan the site survey was quick and trouble-free. It picked up everything I expected it to see. It is very handy to just pop into a unit and see what it sees.

SNMP and SMTP traps
Something that is very handy for the small office or small deployment was under Services … System alerts. You can have the device send an e-mail or SNMP trap based upon some things most folks would really like to know about. For example, if the noise floor gets greater than a certain dB it will let you know. Pretty cool.

These have a street price in the $40-50 range. This has just been a quick overview. I hope to get into some real-world uses of these in the near future for a follow-up to this.

Why every ISP should be deploying hAP Lite to customers

So Mikrotik has a very cheap hAP Lite coming out. This is a 4-port, 2.4 GHz b/g/n router/access point which retails for $21.95. Baltic Networks has pre-orders for $18.95.

Why should you deploy this little gem, and how? We have found over the years that routers account for more than half of the support issues. In some networks this number is closer to 80-90%, whether it be a substandard router, one with out-of-date firmware, or poor placement by the customer.

Deployment of the hAP lite can be approached in one of two ways. Both ways accomplish the same goal for the ISP: to have a device to test from that closely duplicates what the customer would see. Sure, you can run tests from most modern wireless CPE, but it’s not the same as running tests from the customer side of the POE.

Many ISPs are offering a managed router service to their customers. Some charge a nominal monthly fee, while others include it in the service. This is a pretty straightforward thing. The customer demarc becomes the wireless router. The ISP sets it up, does firmware updates, and generally takes care of it should there be issues. The managed router can be an additional revenue stream in addition to providing a better customer experience. Having a solid router that has been professionally set up by the ISP is a huge benefit to both the provider and the customer. We will get into this a little later.

The second option lends itself better to a product such as the hAP lite. With its relatively cheap cost, you can install one as a “modem” if the customer chooses their own router. The actual method of setup can vary depending on your network philosophy. You can simply bridge all the ports together and pass the data through like a switch. The only difference is you add a “management IP” on your network to the bridge interface. This way you can reach it. Another popular method, especially if you are running PPPoE or other RADIUS methods, is to make the “modem” the PPPoE client. This moves some of the burden from the wireless CPE onto something a little more powerful. There are definite design considerations and cons for this setup. We will go into those in a future article. But for now let’s just assume the hAP is just a managed switch you can access.

So what are the benefits of adding one of these cheap devices?
-You can run pings and traceroutes from the device. This is helpful if a customer says they can’t reach a certain website.
-Capacity is becoming a larger and larger issue in the connected home. iPads, gaming consoles, TVs, and even appliances are all sharing bandwidth. If you are managing the customer router you can see the number of connected devices and do things like Torch to see what they are doing. If a customer calls and says it’s slow, being able to tell them that little Billy is downloading 4 megs a second on a device called “Billy’s xbox” can help a customer. It could also lead to an upsell.
-Wireless issues are another huge benefit. If the customer bought their own router and stuck it in the basement and now their Internet is slow, you have a couple of tricks to troubleshoot without a truck roll. If the hAP is in bridge mode, simply enable the wireless, set up an SSID for the customer to test with, and away you go. This could uncover issues in the house, issues with their router, or it might even point to a problem on your side.
-Physical issues and ID10T errors can be quickly diagnosed. If you can’t reach your device it’s either off or a cabling issue. If you can reach the hAP and the port has errors it could be cabling or POE.

These are just a few benefits you can glean from sticking a $20 Mikrotik device on your customer-side network. It becomes a troubleshooting tool, which makes its money back if it saves you a single truck roll. The implementation is not as important as having a tool closer to the customer. There are several vendors you can order the hAP lite from. Baltic Networks is close to me so they are my go-to. http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html

This isn’t practical for business and Enterprise customers, but you should already be deploying a router which has these features anyway right? 🙂