Thursday 30 May 2013

Planning a wireless network?

Having worked in IT for a number of years, I remember planning wired networks, where we could easily work out how many points were needed: two network points per desk, for the computer and the telephone, plus the odd point for printers and fax machines around the office.

Fast forward to the current day, and as well as the wired network, we have to consider what the wireless requirement is.  We are all aware of bad wireless deployments, where laptops revert to using a cable.  Some of the challenges were discussed in a previous blog post, "They even have wireless internet now!"

There are a number of considerations, challenges and questions that need to be addressed prior to tackling a wireless network project.

You need to understand what sort of access is required, and working out your policy and strategy can begin with the following questions:
  • What devices are you allowing to access the wireless network?
  • Will these devices be part of a BYOD (Bring Your Own Device) initiative, corporate devices supplied by the organisation or a mixture of the two?
  • Which parts of the network will these devices access, the corporate network or a guest network?
  • Will the devices be segmented according to whether they meet policy criteria, such as OS version, AV status, etc, using a NAC (Network Access Control) solution?
Understand the devices that will be accessing your network and determine whether they have a 5GHz 802.11a/n wireless card or a 2.4GHz 802.11b/g/n wireless card.  Understand how many devices will be in use, as some people carry three or four wireless-enabled devices!

Knowing the number of devices and which frequency band each can work in means that channel conflicts can be dealt with at the planning stage, rather than fixed after installation.

This sounds straightforward, but you'll also need to know which areas will require wireless coverage.

Will your users need to roam with their devices?  Some wireless solutions handle roaming better than others, so this should be a consideration when looking at the different vendor offerings.

Wireless networks can go beyond the confines of your building or coverage area.  With correct access point placement or signal manipulation, the wireless footprint can be made to fit the building, reducing the likelihood of access from outside the area of coverage.

Once you know which areas need wireless coverage, you'll need to understand the density requirements.  For example, a lecture theatre may have a requirement for up to 500 wireless devices connected at once, while the office down the hallway may have a requirement for one wireless device.  By understanding density, we can tackle how many radios are required in each area.

Another consideration is bandwidth: what do these devices need to do once they have access to the wireless network?  Basic web access, streaming video, video conferencing and voice over Wi-Fi all place different demands on bandwidth, so it is essential the bandwidth requirements are met to give a good user experience.

It is shocking to see there are still a large number of unencrypted or open wireless networks out there.  We all know we should encrypt our networks, but depending on the solution this can add a large overhead, especially with the traditional controller-based architecture using thin access points, where packets have to be tunnelled back to the controller for decryption.  Open networks run quicker, but that doesn't mean we should configure them that way!  Protect that network, especially if it's offering corporate network access and your footprint exceeds the building.

Is there provision to deal with the threat of rogue access points, which effectively extend your wired network via a wireless access point you are not aware of?  There is normally web filtering within an organisation, but what's to stop your corporate devices joining a neighbouring wireless network and getting unfiltered internet access (and the associated threats and malware) onto devices on your network?  And how do you stop a device from becoming a wireless hotspot, even after it meets the policy laid down by your NAC solution?

Wireless planning is mostly about access, and security tends to come a poor second.  Ensure that there is a level of intrusion detection and prevention on your wireless network if you want to secure it properly.

(Can you spot the rogue access point here?)
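The checks above (an unknown radio advertising your SSID, an open twin of it, open neighbours that clients could wander onto, personal hotspots) can be reduced to a few rules over a scan. The following is an added example, not code from the original post or from any vendor's product: it takes a constructed scan (BSSID, SSID, channel, signal, security) and a constructed inventory of the access points we own, and labels anything that needs attention. The SSID, BSSIDs and the hotspot name hints are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed inventory for the example: the corporate SSID and the BSSIDs
# (radio MAC addresses) of the access points we actually own, with the
# channel each is configured on. In practice this comes from the controller.
CORPORATE_SSID = "CorpWiFi"
AUTHORISED = {
    "00:11:22:aa:bb:01": {"name": "AP-Floor1", "channel": 1},
    "00:11:22:aa:bb:02": {"name": "AP-Floor2", "channel": 6},
}
# Crude heuristic for phones sharing their connection (an assumption, not a standard).
HOTSPOT_HINTS = ("iphone", "android", "hotspot", "galaxy")


@dataclass(frozen=True)
class Beacon:
    """One network seen by a scanning sensor (one row of an inSSIDer-style scan)."""
    bssid: str
    ssid: str
    channel: int
    rssi: int        # signal strength in dBm
    security: str    # "WPA2", "WPA", "WEP" or "OPEN"


# Constructed scan results. Nothing here is a real network.
SCAN = [
    Beacon("00:11:22:aa:bb:01", "CorpWiFi", 1, -45, "WPA2"),      # our AP, as expected
    Beacon("00:11:22:aa:bb:02", "CorpWiFi", 6, -58, "WPA2"),      # our AP, as expected
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 11, -40, "WPA2"),     # our SSID from a BSSID we don't own
    Beacon("de:ad:be:ef:00:02", "CorpWiFi", 11, -62, "OPEN"),     # our SSID, unencrypted
    Beacon("aa:bb:cc:dd:ee:01", "NextDoorCafe", 6, -70, "OPEN"),  # neighbouring open network
    Beacon("aa:bb:cc:dd:ee:02", "Bob's iPhone", 1, -50, "WPA2"),  # personal hotspot
    Beacon("aa:bb:cc:dd:ee:03", "NeighbourCo", 11, -75, "WPA2"),  # neighbouring secured network
]


def classify(beacon):
    """Return a finding label for one beacon, or None if it is expected."""
    ours = beacon.ssid == CORPORATE_SSID
    entry = AUTHORISED.get(beacon.bssid.lower())
    if ours and beacon.security == "OPEN":
        # Our SSID with no encryption: an evil twin that clients will happily join.
        return "evil-twin-open"
    if ours and entry is None:
        # Our SSID advertised by a radio that is not in the inventory.
        return "rogue-ap"
    if entry is not None and not ours:
        # One of our radios is broadcasting something we did not configure.
        return "ap-misconfigured"
    if entry is not None and beacon.channel != entry["channel"]:
        return "channel-drift"
    if beacon.security == "OPEN":
        # Not ours, but corporate clients could join it and bypass web filtering.
        return "open-neighbour"
    if any(hint in beacon.ssid.lower() for hint in HOTSPOT_HINTS):
        return "personal-hotspot"
    return None


def audit(scan):
    """Map every BSSID that needs attention to its finding."""
    findings = {}
    for beacon in scan:
        label = classify(beacon)
        if label is not None:
            findings[beacon.bssid] = label
    return findings


if __name__ == "__main__":
    for bssid, label in sorted(audit(SCAN).items(), key=lambda kv: kv[1]):
        print(f"{label:18} {bssid}")
```

Two caveats a practitioner would add: a scan only sees what is beaconing near the sensor, so a rogue AP that is plugged into a floor port is confirmed by correlating its wired MAC against the switch MAC address tables, and the hotspot rule is only a hint, since a phone can be named anything.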

To what end?
With a greater understanding of the various areas touched upon above, you can ensure a successful wireless deployment that is secure, requires little administration and exceeds the expectations of the user.

Thursday 23 May 2013

"They even have wireless internet now!"

The title is something a friend told me, about five years ago.  I tried to explain I'd had it for the previous three years, but it was lost on my non-technical friend!

Working in IT, I'm often asked if I can help with computer issues and more recently issues with wireless.  Fortunately wireless is something I have some understanding of, and have used it in a domestic environment for over eight years.

Without getting into too much detail, there are two frequency bands that wireless devices run on: the very common 2.4GHz and the less common 5GHz.

Congested airwaves?

2.4GHz is commonly used within the domestic environment, so as well as Wi-Fi you have cordless telephones, wireless video senders, alarm system PIR sensors, wireless mice/keyboards, baby monitors, etc. on this band.  As you would expect, this can cause conflict and make your wireless network run slowly. 

How many times have you struggled with a poor wireless connection, but when you connect to the wired network it's fast?  You may have looked on your wireless router and seen that there are channels 1 to 11 or 1 to 13, but changing them may make little difference.

Here is a diagram, I've borrowed from Xirrus:

As this diagram explains, there are only three non-overlapping channels in the 2.4GHz band: channels 1, 6 and 11.  As you can see, if you use channel 2 it will overlap with both channel 1 and channel 6, causing issues for all three.  Imagine a number of radio stations broadcasting on similar or nearby frequencies, and the interference that would cause.

As you can also see from the diagram, you'd ideally use the 5GHz band, which has 24 non-overlapping channels, rather than 2.4GHz with its 3.

So 5GHz is the answer?

This brings other challenges: not all hardware supports 5GHz.  Unless you have an iPad 2 or newer, an iPhone 5 or newer, one of the newer Android phones, a newer laptop or a MacBook, you probably don't have a client device that supports it.  Your wireless access point or wireless router will also need a 5GHz radio (which is rarer), and these normally come at a premium over the 2.4GHz equivalent.

What frequency do your client devices support?

If, like me, you have a number of legacy devices, such as a Nintendo Wii, a PS3 or an older laptop/tablet/phone, then you will have 2.4GHz-only client devices on your network.  You probably also only have a 2.4GHz access point/wireless router, so unless you are investing in new hardware you need to optimise what you have.

I know my channel, what about my neighbours?

One of the biggest issues is knowing which wireless channels your neighbours are running on.  There are a number of tools available, and one of the best free ones I've seen is inSSIDer; you can download the computer software here or the app for your Android phone from Google Play.

Here is a capture I got when I was on a train to York from my Nexus 4:


You can see that the majority of the networks are on channels 1, 6 and 11, but there are also a couple that sit between them and will conflict with both.
Which channel to choose?
I would normally pick the channel with the weakest signals on it, but also balance the number of networks on that channel.  Remember to walk around your environment to check the signal strength in all the locations where you would normally use the wireless network.
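The two criteria above (weakest signals first, then fewest networks) and the point about off-grid channels overlapping two of the good ones can be turned into a small channel picker. The following is an added example, not code from the original post or from inSSIDer: it scores channels 1, 6 and 11 against a constructed neighbour scan using the simple model that an 802.11b/g channel is about 22 MHz wide on a 5 MHz grid, so channels fewer than five apart interfere. The SSIDs, channels and signal levels are made up for the example; summing received power in milliwatts is a rough model, not a substitute for a spectrum analyser.

```python
# 2.4GHz channels are spaced 5 MHz apart and an 802.11b/g channel is about
# 22 MHz wide, so two channels only stay clear of each other when they are
# five or more apart. Hence the well-known non-overlapping set 1, 6 and 11.
NON_OVERLAPPING = (1, 6, 11)

# Constructed scan of the neighbours: (SSID, channel, signal in dBm).
# Stronger (less negative) means closer and more disruptive.
NEIGHBOURS = [
    ("BTHub-1234", 1, -55),
    ("SKY-ABCD", 1, -72),
    ("VirginMedia", 6, -48),
    ("TALKTALK-99", 6, -80),
    ("PlusnetWifi", 11, -66),
    ("NETGEAR-3", 3, -70),   # off the 1/6/11 grid: overlaps both 1 and 6
]


def overlaps(channel_a, channel_b):
    """True when two 2.4GHz channels share spectrum."""
    return abs(channel_a - channel_b) < 5


def dbm_to_mw(dbm):
    """Convert a signal in dBm to milliwatts so that signals can be added linearly."""
    return 10 ** (dbm / 10)


def channel_load(channel, neighbours=NEIGHBOURS):
    """Return (number of overlapping networks, their summed power in mW)."""
    count = 0
    power = 0.0
    for _ssid, ch, rssi in neighbours:
        if overlaps(channel, ch):
            count += 1
            power += dbm_to_mw(rssi)
    return count, power


def recommend_channel(neighbours=NEIGHBOURS, candidates=NON_OVERLAPPING):
    """Pick the candidate with the least interfering power, then the fewest networks."""
    loads = {ch: channel_load(ch, neighbours) for ch in candidates}
    return min(candidates, key=lambda ch: (loads[ch][1], loads[ch][0]))


def off_grid_networks(neighbours=NEIGHBOURS):
    """Neighbours sitting between 1, 6 and 11, which interfere with two channels at once."""
    return [ssid for ssid, ch, _rssi in neighbours if ch not in NON_OVERLAPPING]


if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        count, power = channel_load(ch)
        print(f"channel {ch:2}: {count} overlapping networks, {power:.2e} mW")
    print("off-grid neighbours:", off_grid_networks())
    print("recommended channel:", recommend_channel())
```

Run it once per location you walk to, feeding in that location's scan, and pick the channel that wins in the places you actually use; a channel that looks empty at the desk may be the busiest one in the kitchen.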
What about the other devices that can cause congestion?
I always use baby monitors as the example, as when my daughter was born she, or rather her baby monitor, broke my wireless network.
I bought a Wi-Spy to see what was going on in the air.  Unlike the software above, which only shows Wi-Fi networks, the Wi-Spy is a spectrum analyser and shows the interference from any other device transmitting on the 2.4GHz band.
What else?
Test it to make sure it works, but more importantly secure your wireless network... but we'll discuss that another time!

Saturday 18 May 2013

Publishing Citrix XenApp 6.5 on UAG 2010

I'm not a fan of publishing XenApp on UAG.  Although there is a wizard, it only works with older versions of XenApp, so you end up having to make a number of modifications to UAG, whether code or registry changes, which may break when you update to a new version of XenApp or apply UAG service packs.

Last week I had to publish Citrix XenApp 6.5, but on testing, the main screen just looped.  Fortunately, Ben Ari came to my rescue via this blog post:

Another issue that pops-up with Citrix often, and has been reported to occur with Citrix 5.4 is a looping behavior, where trying to launch the application triggers the browser to loop through the login page repeatedly, ad infinitum. This is caused by a change to the way Citrix handles cookies. To fix it, one needs to configure UAG to treat the cookies a little differently, and that is done via a custom SRA and AppWrap configuration.

To resolve this, you will need to create two XML files on your server, and populate them with the content that I will include ahead. Be careful when copying the content, to preserve a good structure. If any of the XML tags gets broken, it causes UAG to produce a 500 error, so be prepared to back-out any changes if you run into issues. You may also contact me directly via the contact-me form to obtain the files directly from me. The 2nd file there is the more sensitive one, as it has a very long line of text that must be kept intact.

Here are the steps:

1. Copy the content of the first box below into a text file, and save it as “WhlFiltSecureRemote_HTTPS.XML” on your UAG server, under the folder <UAG Path>\Von\Conf\Websites\<Your Trunk>\Conf\CustomUpdate
2. Look at the path settings (highlighted below in green). Your actual path for the Citrix installation may differ (a common variation is /Citrix/XenApp/auth/). If so, change it in the file you create.
3. Copy the content of the second box below into a text file, and save it as “WhlFiltAppWrap_HTTPS.XML” on your UAG server, under the same folder
4. If there are files by those names in there already, STOP! The files CAN be combined, but it could be tricky to do, and I recommend opening a support case with Microsoft CSS to work-through that process.
5. Activate your UAG configuration
The code for the XML files is available from Ben's blog post.

I did encounter an issue though.  This works perfectly on UAG 2010 SP2, but as soon as I applied UAG 2010 SP3 it no longer worked.  Instead of taking you seamlessly into the XenApp application, it presented a Windows 2008 R2 login screen.  If you enter your details it works, but if you try to start another application it prompts for a login again.  It seems that the SP3 update no longer passes the credentials for the XenApp SSO to work.  I'll update this post if I can find out why.

Publishing Microsoft Lync 2010 using Microsoft UAG 2010

I've been working with Microsoft UAG since it became available.  I had a head start, as I had been using and deploying IAG and Whale previously, its two predecessors.

I've published a few different applications, but the majority of solutions include Microsoft Exchange (whether OWA, full Outlook and/or ActiveSync), RDP connections (usually for administrators to access servers, or to Terminal Servers), and some sort of intranet or SharePoint site.  On rarer occasions I've been asked to give terminal access to AS/400 solutions, publish VMware View, deliver the Neocoretech VDI solution using HTML 5 clients on iPads, etc, etc.

So when I was asked to deploy Lync 2010, I was pretty confident it would be straightforward.  I did some research to ensure I was following best practice, but ended up using a few documents to achieve a fully working solution.  Please note I wasn't doing this blind, as I had deployed Lync in our office, but could make it work with UAG without real certificates (as is highlighted in the following instructions).

I was deploying an SSL-VPN portal as well as creating a Lync connection for the computers, which meant I modified some of the configurations given.

The first document I used was this one:

Ensure you have all the domain names for the various Lync components, but I used a different document for this.

As ever, I was deploying a Celestix WSA solution, which was straightforward.  I followed Georg Thomas' instructions, but did not follow the section on the "Additional Trunk Configuration" as this would impact my SSL-VPN portal.  I did create the registry key as described, but also followed Erez Ben Ari's blog here for the additional registry key:

I would typically use wildcard certificates, but as these do not work with Lync on UAG, we had to use a SAN (Subject Alternative Name) certificate.  As I had never done this before, I followed these comprehensive instructions:  The request of the certificate from the provider is the same as for a "normal" or wildcard certificate, as is the installation.

Thanks to the well-written documents above, the publishing of Lync 2010 was straightforward.

Friday 3 May 2013

Backups, a necessary evil?

It may be unfair of me to compare backups to car insurance, but here goes!
  • We all know we need it, but not everyone has it. 
  • We buy it, hoping to never have to use it.
  • We never know how effective it is until we have to use it.
  • We ignore the extra offerings, believing we can get it cheaper elsewhere.
  • Most people will buy on price, rather than looking at what it covers.
With most backup solutions there is a limitation on the platform the backup solution runs on.  Some are software only, some are appliance only, some only have agents that push to the internet, some only run in a virtual environment, and many vendors offer only one or two of these choices.

Looking at agent and application support, some specialise in virtualised environments, some only support Windows servers, and some have limited integration agents and therefore struggle to back up vital servers within your network.

Some can create bare metal backups in case of a disaster, but these can only be restored to similar hardware.  Most people will struggle to find similar hardware once it's over a year old, as manufacturers keep releasing new models.

Then there's the media it will back up to: tape, disk, SAN, NAS, removable media, the internet (cloud) or a private network/cloud, but again some products give only limited choices.

We at e92plus, currently work with Unitrends, who can offer the following:
  • Choice of platform, supporting either a backup appliance or a virtual appliance for either Microsoft Hyper-V or VMware vSphere.
  • Backup of a variety of operating systems, including Microsoft Windows, Linux, Apple Mac OS X, AIX and Solaris.
  • Integrates with Microsoft Hyper-V and VMware virtualisation environments, including instant recovery for VMware.
  • The ability to archive to disk, tape, NAS and SAN.
  • The ability to replicate to another appliance, to another virtual appliance, to the Unitrends Cloud, or to a private cloud (hosted by either you or a trusted partner/supplier).
  • Utilising compression and de-duplication technologies to the reduce the size of the backups.
  • The ability to create bare metal backups, and restore to dissimilar hardware.
Unitrends sounds too good to be true, but a number of organisations (have a look on Spiceworks), myself included, are currently using the solution and are very happy with it.

The pricing is very competitive as well, but you probably won't believe it until you try it, so have a look here to download your Free Edition, which will allow you to protect four virtual machines, forever, for free!

Wednesday 1 May 2013

Shoulder Surfing...

Working in IT security, I understand and advocate the importance of PINs and passwords, as well as explaining why they shouldn't be shared.  My 8 year old and 6 year old have computer lessons at school from which they understand the importance of keeping passwords secret. 

On our home PC, I've created profiles for them where they insisted on having passwords, and even I as the administrator/father don't know their passwords.  It makes me proud that when I try to trick the password out of them, they won't tell me.

Imagine my surprise when my wife recounts her day, where my 2 year old son was happily playing on the iPad and listening to iTunes.  I tell my wife that my iPad is PIN protected!  I've been "shoulder surfed" by my two year old son!

Not a major problem as I don't keep important information on it, but he can play Angry Birds whenever he wants (and pretty much does)...

What if this had happened in a work environment?  It would not be acceptable; in fact, I suspect someone would get either a verbal or written warning for such a security lapse.  Maybe I have a certain amount of paranoia, but I don't check my email on my mobile when there are people close enough to shoulder surf me.  Not that I have anything that private or personal, but I don't know what's in an email until I open it.
The facts around visual security are pretty much as you expect:
  • 80% chance that you've already become a victim of others reading over your shoulder
  • £1.9 million is the average cost to businesses per incident of physical data theft
  • 96% of data breaches in 2010 were avoidable
  • 52% of laptop users in the UK are ignoring visual security issues
  • 67% of working professionals surveyed in the US had worked on some type of sensitive data outside of the office.
Visual security of on-screen data can be a key part of the implementation of ISO 27001.  So if you excuse the reflection, you can see both my laptop and desktop screen when looking at them head on.
Here is my screen from an angle and slightly above to give the view of a shoulder surfer, you can see my 3M privacy filters working their magic.

When the view angle exceeds 30 degrees, the screen is protected.  You can also see a notch in the top right allowing these to be removed to give the normal visibility back.
e92plus have started distributing the 3M privacy filters and free samples can be requested from here: