Thursday, April 7, 2016

Security in Passwords

I spoke with a network administrator at a school district a few days ago, and he was having trouble getting the staff to choose passwords that were strong enough. He had no good way to show them how to make passwords that were hard to crack, so he asked me for help in conveying the message and in coming up with a better way for them to build their passwords.

I created this alphabet for him, and I thought I'd share the idea so everyone can get an idea of how to avoid having their passwords cracked.

Security Alphabet
A = @
B = B
C = (
D = D
E = 3
F = F
G = &
H = #
i = !
J = ]
K = {
L = 1
M = M
N = N
O = 0(zero)
P = ?
Q = %
R = R
S = $
T = +
U = U
V = ^
W = W
X = *
Y = Y
Z = >

For passwords to be secure, you want something you can remember but also something that cannot be looked up in a dictionary.
Create a phrase you can remember, such as “Pigs are good”, then rewrite the phrase using the security alphabet.
Then you know it can’t be cracked by a dictionary attack.

If you need a longer phrase, then create one:
His socks are smelly
Or break it up and modify it:


I hope this helps you to develop your own password strategy, and remember: you should change it often.

Brett Hill, CWNE#147

Friday, March 4, 2016

Converting a Light weight AP to an Autonomous AP Using TFTP

     Occasionally, one might need to convert an access point in order to use it as a survey tool, or convert a survey AP back to a lightweight AP. The problem is this: we don't do this often, and it becomes very easy to forget the steps needed to do it successfully.

I recently had my Cisco 2602e loaned out to someone performing RF testing on it in a lab, so I had to convert a new AP in order to re-survey an industrial area where a lot of modifications had been made since the last survey.

Lucky for me, I have plenty of people I can reach out to who can jog my memory for such things, as many of us do different tasks, and some much more than others. I reached out to Sam Clements, an old friend who is always willing to lend a hand when I need him.

Here are the steps for performing the conversion. I will add the big deal breaker here that I had to get from Sam (a Mac user): the TFTP server that comes on the Mac doesn't work for this, so I used my Mac to console in with my AIR CONSOLE (love it) and set up my Dell laptop as the TFTP server, using 3CDaemon (a free download) as the TFTP server program.

Console into the AP using the AIR CONSOLE Bluetooth connection from the Mac
(You can replace this step with simply using the Cisco console cable if you have a serial port on your PC).

Press the MODE button on the access point and hold it down, then power up the AP with the button still held down.

As you see the AP boot up, the screen will show "Button Pressed. Waiting for release" and you can release the button at this time and the AP will boot into ROMMON mode.

Your first step will be to format the flash by simply typing this command:
format flash:

Next, you want to set up the network with these commands:

Of course you can modify the network addressing if you wish, but you have to be sure the PC acting as the TFTP server is on the same subnet.

Next, you have to initialize the flash, the Ethernet port on the AP, and the TFTP capability using these commands:

These three steps have to be performed.

Next you will use the xtract function and load your new image to the AP by using the following command string:
tar -xtract tftp:// flash:

*Note: the IP address in the string is the IP address of your PC acting as the TFTP server.

*Also note that the file in the directory your TFTP server points to has to show the ".tar" extension. Type in the AP image name exactly as it appears in that directory, or you will not succeed.

You will see the file transfer begin, and it will take a little time to do but you are well on your way.

Once the file loads, you will need to reboot the AP and it will boot with the new image.

When you get to the prompt use Cisco for the username and Cisco for the password to log in and begin configuring the AP.

Here are your steps again in order:

format flash:
tar -xtract tftp:// flash:

Hang onto this command string for future use. You'll need it.
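As an added pre-flight check for the TFTP side of this procedure (my own example, not Cisco's or the post's code): the server must sit in the subnet the AP was given, and the image name must match a directory entry exactly, with its .tar extension. The addresses and file name below are constructed placeholders, and expanding the post's abbreviated command string to the tftp://<server-ip>/<file> form is my assumption.

```python
import ipaddress

# Constructed values: the address given to the AP in ROMMON, its netmask,
# the laptop running the TFTP server, and a placeholder image name
# (not a real Cisco image file name).
AP_IP = "10.0.0.10"
AP_NETMASK = "255.255.255.0"
TFTP_SERVER_IP = "10.0.0.20"
IMAGE_NAME = "example-autonomous-image.tar"


def same_subnet(ap_ip, netmask, server_ip):
    """True when the TFTP server sits inside the subnet the AP was configured with."""
    net = ipaddress.IPv4Network(f"{ap_ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(server_ip) in net


def image_name_ok(entries, name):
    """ROMMON asks for the file by its literal name: it must match a directory
    entry exactly (case included) and carry the .tar extension."""
    return name.endswith(".tar") and name in entries


def extract_command(server_ip, name):
    """The post's command string with the server IP and image name filled in.
    The tftp://<ip>/<file> form is assumed here, not copied from the post."""
    return f"tar -xtract tftp://{server_ip}/{name} flash:"


def preflight(ap_ip, netmask, server_ip, entries, name):
    """Collects every reason the transfer would fail before you type the command.
    `entries` is the TFTP root listing, e.g. from os.listdir(tftp_root)."""
    problems = []
    if not same_subnet(ap_ip, netmask, server_ip):
        problems.append(f"TFTP server {server_ip} is not in the AP's subnet")
    if not name.endswith(".tar"):
        problems.append(f"{name} does not end in .tar")
    elif name not in entries:
        close = [e for e in entries if e.lower() == name.lower()]
        hint = f" (did you mean {close[0]}?)" if close else ""
        problems.append(f"{name} is not in the TFTP directory{hint}")
    return problems
```

A listing with the wrong case (the usual 3CDaemon slip) is reported with the name that would have matched.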

Brett Hill, CWNE #147

Monday, February 15, 2016

Coverage Hole Detection

I was asked last week about planning for coverage hole detection in a wireless network. The gentleman said he had a really good survey (design) and the guys that did the design really did a great job with their Air Magnet software and the heat maps proved it.

His problem wasn't the overlap of cells, co-channel interference, or anything like that... His main problem was that the survey was performed at the max power level of his VoIP devices (802.11 wireless phones). In doing so, in the event a coverage hole issue was triggered, the controller was turning the nearby access points up 3dB higher than the max power of the VoIP phones and issues were arising because of it.

The solution is to really go back and re-survey at a lower power level so that when a coverage hole detection is triggered and the controller has to turn the power up on a couple of access points, the power level will not be raised above the max power of the VoIP phones.

In his case, since the installation was complete and moving the access points would have been really costly, we set his VoIP phones to the "G only" setting and allowed lower data rates on the network (nothing at 11 Mbps and below).

The spectrum analysis showed a clean environment for 2.4GHz and the phones were the only devices using the 2.4GHz band so it worked out great and he had no more issues with his phones.

Another lesson to remember when starting a new design (survey). Always know the devices you are going to have on your wireless network before designing it, and survey at power levels below the max power level of the weakest device you are going to deploy. This prepares you for a coverage hole detection without compromising the integrity of your wireless network.

Brett Hill, CWNE #147

Wednesday, January 27, 2016

dB to mW Conversion Table

Always remember that 3dB is a factor of two in power in either direction (+3dB doubles it, -3dB halves it), and that the measurements are "relative".

View the chart below and notice that there is a second factor of ten (highlighted in red on the original chart). This chart will help you understand the back-and-forth conversions. Some access points show power settings in mW and some show them in dB, so it is helpful to memorize the two (2) patterns.


Left column: factors of ten, then 3 dB halving.   Right column: 3 dB doubling from 1 mW.

    10 W    = 40 dBm = 10,000 mW
     8 W    = 39 dBm =  8,000 mW
     4 W    = 36 dBm =  4,000 mW
     2 W    = 33 dBm =  2,000 mW
     1 W    = 30 dBm =  1,000 mW
   800 mW   = 29 dBm                    27 dBm = 512 mW
   400 mW   = 26 dBm                    24 dBm = 256 mW
   200 mW   = 23 dBm                    21 dBm = 128 mW
   100 mW   = 20 dBm                    20 dBm = 100 mW
    50 mW   = 17 dBm                    18 dBm =  64 mW
    25 mW   = 14 dBm                    15 dBm =  32 mW
  12.5 mW   = 11 dBm                    12 dBm =  16 mW
    10 mW   = 10 dBm                    10 dBm =  10 mW
  6.25 mW   =  8 dBm                     9 dBm =   8 mW
 3.125 mW   =  5 dBm                     6 dBm =   4 mW
  1.56 mW   =  2 dBm                     3 dBm =   2 mW
     1 mW   =  0 dBm                     0 dBm =   1 mW
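The chart's two patterns worked in code, as an added example of my own (not from the post): `walk()` rebuilds any row using only the chart's 10 dB and 3 dB moves from 0 dBm = 1 mW, and `chart_error_pct()` shows how far the "3 dB = double" shortcut drifts from the exact conversion. The doubling column embedded below is copied from the chart above.

```python
import math


def dbm_to_mw(dbm):
    """Exact conversion: P(mW) = 10 ** (dBm / 10)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """Exact conversion: dBm = 10 * log10(P in mW)."""
    return 10 * math.log10(mw)


def apply_move(mw, move):
    """One move from the chart: 10 dB is a factor of ten, 3 dB is (about) a factor of two."""
    if move == 10:
        return mw * 10
    if move == -10:
        return mw / 10
    if move == 3:
        return mw * 2
    if move == -3:
        return mw / 2
    raise ValueError("only +/-10 and +/-3 dB moves are allowed")


def walk(moves, start_dbm=0, start_mw=1.0):
    """Mental-math conversion the way the chart is built: start at 0 dBm = 1 mW
    and apply only 3 dB and 10 dB moves. Returns the (dBm, mW) point reached."""
    dbm, mw = start_dbm, start_mw
    for move in moves:
        dbm += move
        mw = apply_move(mw, move)
    return dbm, mw


def chart_error_pct(dbm, chart_mw):
    """Percent by which a chart value overshoots (+) or undershoots (-) the exact value."""
    exact = dbm_to_mw(dbm)
    return (chart_mw - exact) / exact * 100


# The chart's right-hand column (pure 3 dB doubling from 1 mW), copied from the post.
DOUBLING_COLUMN = {0: 1, 3: 2, 6: 4, 9: 8, 10: 10, 12: 16, 15: 32,
                   18: 64, 20: 100, 21: 128, 24: 256, 27: 512}


def worst_chart_row():
    """The dBm row whose doubled value drifts furthest from the exact conversion."""
    return max(DOUBLING_COLUMN, key=lambda d: abs(chart_error_pct(d, DOUBLING_COLUMN[d])))
```

The drift is small (about 2% at the 27 dBm = 512 mW row, where 10^2.7 is 501 mW), which is why the shortcut is safe for survey work.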

Brett Hill, CWNE #147 

Saturday, January 23, 2016

Understanding Milliwatt to dB conversion in the Wireless Survey

     Decibel to milliwatt conversion is important in nearly every aspect of 802.11 wireless. We use it for antennas, cable loss, signal amplifiers, radio transmitters, etc.

     One place that we do not always apply this knowledge and understanding is in the design stages of the wireless network. Particularly in the survey.

     Depending on the data rate you want to provide to all of the devices on the network, you will survey accordingly. We have to understand that every three (3) dB gained or lost in our RF signal means our power has doubled or been cut in half.

     For example: a transmitter set to 20dB power output is transmitting 100mW of power. If we transmit at 17dB, then our power output is cut in half to 50mW. That is a drastic difference for several applications and devices in 802.11 wireless, depending on the circumstance.

     If you are using the Air Magnet or Ekahau survey tool to design your wireless network, you have to pay close attention to your measurement tools provided:

RSSI - Received Signal Strength Indicator - The signal from your transmitter.

Noise Floor - Other devices in the area causing a signal to be detected on the frequency you are surveying with.

SNR - Signal-to-Noise Ratio - The difference between the signal level your transmitter is transmitting and the signal received from the noise floor created by other devices.

     The SNR is your usable signal and it is read in a positive decibel number compared to milliwatts. The RSSI and the noise floor are both read in a negative decibel number compared to milliwatts.

     If you have an RSSI level of -70 and a noise floor of -92, then your SNR is the difference between the two numbers, 22, and it is read in decibels compared to milliwatts (22dBm).

     Where the understanding of the conversions comes into play is when your RSSI or the noise floor changes: with an RSSI of -67 and a noise floor of -89, you still have 22dBm as your SNR. If the RSSI reads -64 on the meter, you naturally think you have better signal strength, but if the noise floor has changed, you have to factor in that change before believing you have a good signal for your design.

     Remember, the SNR is the signal that really matters, and a 3dB difference in it changes your power by half. Sure, the industry standard for voice over wireless is a -67dB RSSI at the edge, but that assumes a noise floor of -92dB or better. That's a minimum SNR of 25dBm.

     If the Noise Floor goes from a -92dB to a -89dB then you have lost half of your power and that can have serious effects on certain applications in your network.

     If your noise floor rises by 1dB, then you should raise your RSSI target by 1dB to compensate. This is why most survey engineers go ahead and survey for an RSSI of -65dB in case the noise floor fluctuates. It gives you a safety margin for your SNR, because that is the number that really matters.

     This is why a spectrum analysis is imperative before starting your survey. You have to identify the noise floor you will be dealing with before you can produce a good design.

     3dB changes your transmit and/or receive power by half. This can lead to one-way audio at times, and it can lead to a downshift in data rates on transmit, receive, or both. Keep your mind on the math as you survey.
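The SNR arithmetic above, with the survey-power rule from the coverage hole detection post folded in, as an added example of my own (not the author's): the survey samples are constructed, the 25 dB voice target is the post's -67 dBm edge over a -92 dBm noise floor, and the 3 dB coverage-hole boost is the figure from the earlier post. Because SNR is the difference of two dBm levels, the code reports it in dB.

```python
# Constructed survey samples: (survey point, RSSI in dBm, noise floor in dBm).
SAMPLES = [("A", -67, -92), ("B", -67, -89), ("C", -64, -86), ("D", -70, -92)]
VOICE_MIN_SNR_DB = 25   # -67 dBm edge over a -92 dBm noise floor, per the post
CHD_BOOST_DB = 3        # how far the controller raised AP power on a coverage hole


def snr_db(rssi_dbm, noise_dbm):
    """SNR is RSSI minus noise floor; a difference of two dBm values is in dB."""
    return rssi_dbm - noise_dbm


def power_ratio(db):
    """Linear factor for a dB change: +3 dB is about x2, -3 dB about x0.5."""
    return 10 ** (db / 10)


def required_rssi(noise_dbm, min_snr_db=VOICE_MIN_SNR_DB):
    """Edge RSSI the survey must meet once the measured noise floor is known."""
    return noise_dbm + min_snr_db


def evaluate(samples=SAMPLES, min_snr_db=VOICE_MIN_SNR_DB):
    """Per point: (SNR in dB, dB of RSSI still missing, fraction of target power left)."""
    out = {}
    for name, rssi, noise in samples:
        s = snr_db(rssi, noise)
        shortfall = max(0, min_snr_db - s)
        out[name] = (s, shortfall, round(power_ratio(-shortfall), 2))
    return out


def survey_power_ceiling(client_max_dbm, boost_db=CHD_BOOST_DB):
    """Highest AP power to survey at so a coverage-hole boost stays within the
    weakest client's maximum power (the fix described in the coverage hole post)."""
    return client_max_dbm - boost_db
```

Point C reads a better RSSI than point A yet has the same 3 dB shortfall as B, which is the trap the text describes.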

Tuesday, January 19, 2016

Time Difference of Arrival

     How does TDoA work?

     The best way to describe TDoA is by reference to yourself and the way you hear things. The human ear is remarkable by nature, because the body uses it to turn the head and eyes toward a sound that is heard. The really cool thing is that both ears hear the sound and process it over and over as they hear it (if it repeats or sustains). The reason we are able to turn and look at what caused the noise is TDoA.

     Time difference of arrival is a set of calculations on the sound heard by both ears that determines which ear is closer to the source, which direction the noise is coming from, and how far away the noise is.

     When both ears hear the noise and the left ear heard it 5 microseconds before the right ear, the math directs the eyes to the left, because TDoA determined that the noise reached the left ear sooner than the right.

     The TDoA calculations in 802.11 wireless location services work in the same manner. The signal from one transmitting device is picked up by multiple access points and/or antennas, and the calculations determine which access point the device is closest to as well as the direction of the device from each access point, which yields the location of the device.

   There are several more cool factors in location services, but hopefully you now have an idea of what TDoA is and how it works.
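A worked version of the idea above, as an added example of my own and not part of the post: three constructed AP positions, the TDoAs a client at a known spot would produce at them, and a grid search that recovers the spot from those TDoAs alone. `path_difference()` puts the 5 microsecond ear example into metres for sound and for RF.

```python
import math

SPEED_OF_LIGHT = 299_792_458.0   # m/s, what an RF signal travels at between client and AP
SPEED_OF_SOUND = 343.0           # m/s in air, for the ear analogy

# Constructed example: three access points at known positions (metres) on one floor.
APS = {"ap1": (0.0, 0.0), "ap2": (40.0, 0.0), "ap3": (0.0, 30.0)}


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def path_difference(delta_t, speed):
    """Extra distance the later arrival travelled. The ear's 5 us head start in
    air is about 1.7 mm; the same 5 us in RF is about 1.5 km."""
    return delta_t * speed


def tdoa_at_aps(client, aps=APS, ref="ap1"):
    """Forward model: arrival time at each AP minus arrival time at the reference AP."""
    t_ref = distance(client, aps[ref]) / SPEED_OF_LIGHT
    return {n: distance(client, p) / SPEED_OF_LIGHT - t_ref
            for n, p in aps.items() if n != ref}


def locate(observed, aps=APS, ref="ap1", xmax=40.0, ymax=30.0, step=0.5):
    """Each AP pair's TDoA confines the client to a hyperbola; with three APs the
    curves cross at one point. Grid search for the point whose predicted TDoAs
    best match the observed ones (least squares)."""
    best, best_err = None, float("inf")
    for i in range(int(xmax / step) + 1):
        for j in range(int(ymax / step) + 1):
            cand = (i * step, j * step)
            pred = tdoa_at_aps(cand, aps, ref)
            err = sum((pred[n] - observed[n]) ** 2 for n in observed)
            if err < best_err:
                best, best_err = cand, err
    return best


if __name__ == "__main__":
    true_pos = (12.0, 8.0)
    print("TDoAs seen at the APs:", tdoa_at_aps(true_pos))
    print("Located at:", locate(tdoa_at_aps(true_pos)))
```

With only two APs the hyperbola never collapses to a point, which is why real location services want several receivers hearing the same transmission.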

Wednesday, January 13, 2016

Deploying Cisco WIPS - Overlay vs Integrated

When making choices about security for your wireless network, there are some ups and downs about everything you are going to have as options.

     When deploying a Wireless Intrusion Prevention System, you should look into the abilities of both types of deployments to see which one is going to work for your environment.

     Overlay WIPS - an overlay deployment is specifically a whole different set of access points designated for intrusion prevention only. In other words, after you have surveyed and designed the wireless coverage for client devices to access your network, you will go back to your floor plans and design a WIPS network that consists of a totally different set of access points deployed within the same area as the wireless network.

     These WIPS access points will be deployed in monitor mode, then you will check the enhanced WIPS engine check box and choose WIPS in monitor mode optimization. You will then click save and you will be prompted to reboot the access point.

     ***Take note that you will have to disable the radio and admin status of the radio before configuring these settings. After you are done and the access point comes back up, you will need to enable both the radio and admin status.

     The overlay deployment places the WIPS access points in a full-time spectrum scan so that all channels can be scanned on a continuous basis.

     The integrated option only scans part time, and only in between transmissions of data. If the access point is in use, the WIPS scan is not running and the network has a level of vulnerability. Also, when the access point is scanning in between transmissions, it doesn't always have a chance to scan all channels. It will only get through a few channels before it comes back to serving client data again.

     ***Note: Integrated is also often used to refer to a WIPS deployment that controls its WIPS access points and its infrastructure access points on the same controller. Many WIPS deployments (especially those for a large campus) will have separate controllers for each deployment: one for the infrastructure and one for the WIPS deployment. This is the most expensive option, but it is also the best approach to utilizing WIPS.

I've provided a Cisco link to the configuration of WIPS below: