The Converging Network

If you were doubting whether WiMAX/802.16 would materialize as a broadband wireless access service, Cisco put their $330m where their acquisition machine is by gobbling up WiMAX antenna and base station maker Navini Networks. The prevailing argument (including from Cisco) is that WiMAX eats into existing WiFi's products' revenues, but it's inevitable that carriers offer a wireless broadband network with much broader coverage over longer ranges. Carriers aren't going to leave broadband's wireless "last mile" revenues just to cell phone networks. Cable modems and DSL need a healthy wireless competitor and WiMAX is best equipped to bring it on.

Predictions are that WiMAX will make most of its inroads in developing countries where there's much less wired and fiber infrastructure. Maybe so but there's no reason WiMAX can't make big inroads in North America where we all depend on intermittent low-WiFi 802.11 hot spots and cell phone networks for Internet access on PDA phones and tethered PDAs and laptops.

I tether my PDA phone and laptop all the time but would much prefer to ditch the "last 2 feet" of wire between my laptop and PDA phone, for a WiMAX standard in my laptop that could ride on broadband wireless offered by multiple carriers. Bring it on, Cisco. We want WiMAX.

Rumors are that Skype is introducing their own cell phone in the UK, Hong Kong, Italy and Australia the end of this month. No news yet on a US offering. Calls will cost the same as calls from the Skypes PC client to outside lines but calls to Skype IDs will be free. The phone uses the iskoot software which basically acts like a Skype client on your phone. iskoot supports a number of popular existing cell phones and pdas. See who's online, chat with them, make and receive calls on the "Skype network". Hmm... Now things are getting interesting.

While the Apple iPhone is disruptive because of Apple's product design excellence in making a multimedia phone accessible and easy to use by the masses, the Skype phone is disruptive because of it's free calling between Skype users. How well the rest of the phone hardware and software will be put together is yet to be seen.

Most importantly, what this validates is the trend for non-traditional players to enter the wireless cell phone game. Apple, the Google phone, and now Skype. Should any one of them really catch on it could be very disruptive. My bet is on Google, who could really tailor web 2.0 content and applications and be a real game changer in the wireless industry. Things are heating up and I have a feeling we're seeing just the beginning of fundamental changes to how we view our cell phones.

Do you really think turning off broadcasting the SSID of a wireless 802.11 access point increases security?

It may hide it from your non-technical neighbor who might want to dine-n-dash on your broadband connection but it certainly wouldn't stop a minimally competent hacker who'd just sniff traffic and watch the SSID fly by as devices associate and authenticate to a wireless access point. PC magazine blog agrees. It's no better than hiding your house key under the front door welcome mat.

Your best bet - secure it with a good password using WPA or WPA2. For a bit (just a bit) more complicated solution, put the WAP on you firewall DMZ port and only allow authenticated users past the firewall into the network.

Don't both messing with turning off SSID broadcasting or MAC address filtering lists. Those are "feel good" security features that only take your precious time to set up and don't help keep real intruders out.

Jamey Heary of the Network World Cisco Subnet blog discusses the benefits of the Cisco IPS' ability to request wireless access points disconnect offenders when malicious traffic is detected. Is this something many people use? Or is this a "feature" masking the need for better IPS capabilities needed in WAPs compared to the Layer 2 IPS built into most wireless access points? Seems like a poor substitute for designing an IPS implementation that addresses coverage of wireless traffic.

Unless it's very finely tuned, this is likely to generate lots of calls to the help desk line. Kicking users off the network completely, wireless or not, when an IPS finds some offending traffic is likely to create more cry wolf events than thwarting real attacks. Blocking packets and stateful sessions is much more the norm. Seems like one of those features you'd try out and then very quickly turn off after a few false alarms.

Blocking offending packets or quarantining users with limited access is likely the better solution. But maybe I'm wrong and am missing something here. I would be very interested to hear if any Cisco IPS and WAP customers use this feature and what their experiences have been.

Please email me with your experiences if you would. Thanks.

Aruba's purchase of NetChem's wireless IPS technology is not a surprising move but actually one I think has been long in the coming. It's a natural fit for the wireless gateway management products to extend their product lines into wireless intrusion prevention.

The question is will Aruba start to embed more of NetChem's IPS technology into their existing product line over time to further differentiate them in market, or continue with a parallel product line of wireless IPS products. Integration makes sense but selling separate boxes for gateway and w-IPS needs could be a hassle for customers who want fewer boxes (but could be more profitable). This could signal a buy of other w-IPS vendors AirDefense, AirMagnet and AirTight (but I'm not so sure of that yet.) Either way, this is a good move and we'll wait to see what Aruba does.

Martin started a series on the Cobia blog discussing various network configurations using Cobia. Most of them are oriented towards use in an SMB and his first post is about configuring Cobia with your wireless access points in wireless DMZ. I've included a diagram below to give you an idea.

While only a basic scenario (we call these use cases internal at my company) it shows some of the versatility of Cobia. I'm sure other up coming scenarios Martin will be adding will do that as well. Head on over to the Cobia blog if you would like more information.

We've hit 40 on our podcast count. Pretty amazing and it's been a lot of fun getting here so for. Lets hope the next 40 are just as fun or more so.

This week it's Alan and me talking about the happenings at Las Vegas Interop (at least most of the happenings), giving you our unique perspective on what the show was about, who announced what, and the things that stood out to us as important.

I always enjoy having guests on our show but it is nice once in a while to give it a rest and kick back and listen to ourselves talk, lol. We do have a long list of exciting guests that we lined up while at Interop, including a podcast with Microsoft and TCG, so keep your podcast ear buds close to the ground for an announcement coming up about that.

In this week's The Converging Minute I talk about the ecosystem (that seems to be the word these days) developing around the unified network platform, Cobia, and how ISVs, hardware manufactures, OEMs and VARs are finding new avenues for revenue through this convergence platform.

During our special edition of This Week In Security, Las Vegas Interop Style Alan and I discuss the Microsoft/TCG announcement, Google's acquisition of Green Border (Is Google a security play now?), the move to 10G and gigabit IPSs, the prevalence of SMG and wireless at Interop, and a few other tasty morsels.

This week we have a new feature. Our friends from South Africa, Sensepost have a special offer for those who would like to attend their hacking classes at Black Hat this year.  Anyone who signs up for this offer can also pick up a StillSecure T-shirt by coming by our booth at Black Hat with proof of signing up for the course.  Please have a listen to this message and visit their site.

We really enjoy hearing from you, especially your questions and topic ideas so please email us at podcast@stillseccure.com.  Thanks for listening!

mp3 file

Earlier this month, Cisco announced the bundling of multiple Cisco products aimed at the SMB market, specifically businesses with 8-16 employees (i.e. that's how many phone sets are supported.) Dubbed the Smart Business Communications System, it consists of a bundle of of Cisco VoIP, switch, router, firewall, wireless access point, VPN and management software.

Cisco announced this at their partner summit, clearly indicating who would be the channel for delivering, and more importantly installing, these services for customers. Businesses that small rely on a service provider or integrator to sell and install voice and network services unless someone in the business has a pre-existing "geek chromosome".

Rather than a "business network in a box", this is a bundling of multiple Cisco products: hardware - UC 500 router/IP PBX/firewall/VPN, CE500-8PC power-over-Ethernet switch, 7931 IP phone, Wireless Express Access Point (pre-configured for security), and software - Smart Assistant remote configuration and troubleshooting software, Configuration Assistant (to configure all SBCS elements), and Monitor Manager and Manage Director.

Everyone has wondered what Cisco would do in SMB after its investment in the retail market through Linksys, and SBCS represents a clear move into the lower end of the SMB market. Cisco is treading into a part of the SMB market many have feared and question how to make money in. Key to this working of course will be showing the channel they can make more money with Cisco gear rather than other providers. The cost to the customer has got to be very competitive as opposed to other alternatives. This is yet to be seen so we'll have to watch the uptake on Cisco SBCS by the channel.

In addition to hardware/software cost, a very important part of this profit equation is largely going to be the ease of installation and operation of Cisco's SMB equipment. (Garrett Smith of Smith on VoIP commented on this as well.) Installers are going to insist that installation be quick and easy so they can either focus on other differentiated services or (more likely) quickly move on to the next customer installation. Ease of use has never been a Cisco strength. Even recent attempts through the Express product line and it's GUI-like configuration software haven't changed the minds of many about Cisco's ease of use.

When it comes down to it, in this part of the market hardware is hardware - the customers don't much care. If the last Linksys broadband router failed, then lets try Netgear this time. It's about cost to the customer and cost incurred by the channel to deliver.  A  law office with a staff of 8 isn't going to care if it is Cicso, Netgear or XYZ gear. They just want it to get installed quick, and never have to call the service provider back because of problems. The secret to solving the problem here is enabling the channel to deliver services cost effectively and make good money at the same time.

Ever use a consumer networking product but expect to be able to get support at a knowledgeable level? I’ve pretty much given up on expecting anything resembling knowledgeable support for low end networking gear such as routers, broadband routers, and wireless units. Even doing a basic firmware upgrade can be a risky proposition – I learned my lesson on that one the hard way; make sure Best Buy is open or have a plan B option ready before you upgrade. If it’s under $200 and you can’t figure it out yourself, time to throw it away and get something better.

Jack Wallen blogged about his experience just trying to get Linksys to answer a simple question about whether his Linksys router was blocking his traceroute. A simple question turned in to protracted discussion about his use of Linux and that Linux isn't supported with his Linksys router. (Funny, given that the Linksys device ran Linux as it’s OS.)

Remember that consumer products and their support are a matched set. A knowledgeable engineer on the phone with tech support many times is like an impedance mismatch. How many times have you been told to reboot your machine just to get it to request a DHCP address, or something similarly simple.

Most tech support doesn’t try to assess your knowledge level and then ratchet up the conversation to where you operate. How my mom would talk to a Linksys or similar support person (let’s hope she doesn’t call them anytime soon, or I'll be fixing her network again) would be very different than if I or another network engineer would call to discuss a problem. Actually, the problem we would call about would be much different too.

So for anything other than an RMA, I don’t call tech support much for consumer devices. It’s usually not worth the time or the mental anguish.

Today, StillSecure is announcing our open source UNP product, Cobia(tm). The press release is available here. Visit the Cobia site to learn more and download the Cobia software at http://cobia.stillsecure.com.

The following is the product description of Cobia:

Cobia™ Unified Network Platform™ is a modular, open source software platform for networking and security in SMB and enterprise remote office networks. Overcoming the limitations and upgrade hassles of traditional fixed-appliances, Cobia offers greater flexibility through its plug-n-play software modules, operates on off-the-shelf Intel/AMD hardware, and brings virtualization capabilities to networking and security. The Cobia software is comprised of a base software platform with routing, firewall, DHCP and other modules that are installed when and where needed within the network. Cobia runs as a dedicated device or as a VMware virtual appliance on Intel/AMD servers, computers and hardware appliances.

Cobia is a next generation open source product, offered under a dual-use license structure. The community license includes Cobia source code and allows organizations to use Cobia for free as part of their business or personal network infrastructure. Commercial licensing is available for those who bundle Cobia with hardware, integrate Cobia as part of their product or service, or create products utilizing Cobia. StillSecure will be offering commercial support (email, phone and 24x7) and commercial paid-for Cobia modules and products in the near future. Cobia partner and channel programs are available for resellers, integrators, hardware providers and ISVs. Currently in beta, Cobia software download, forum-based support, source code and licensing information are available at http://cobia.stillsecure.com.