After continuously monitoring my application status, finally on the blessed day of 14th April 2020 I was able to see my application status as approved, Alhumdulillah. This is exactly a day after my birthday and 4 days short of my baby turning 1 month 🙂
From the date of submitting the application, the review process took over 14 days. The application was submitted on 1st April and I was able to get the update by 14th April.
It has been 40 days since the approval, and only today have I got the chance to write about my delight at achieving my dream certification. I had been heavily engaged in network migrations and newly attained parenthood, and finally got the chance to write this post on my first Eid holiday 🙂
For all those who are planning to take the CWNE certification path: from personal experience, I have found the journey as worthy as achieving the CWNE number itself.
It is always best to start the journey as soon as possible and not to hurry through the certifications in quick succession. Appear for an exam only once you are completely through with the subject, since it is the exam preparation that serves the ‘PURPOSE’ of compelling a student to learn the intricacies of the subject. Always try to correlate every day-to-day wireless networking task at work with the knowledge gained from the certification studies; this adds value to the work and refines the knowledge.
The journey may look difficult at first, but when started with sincere intentions and pursued with consistent effort it will surely see one through it one day.
Summarizing the ongoing journey in Wireless Networking as follows:
One of the most wished-for certifications for me in the networking domain is CWNE. I started my career in the Wireless domain back in the year 2010 in Cisco’s Wireless Networking Business Unit in Bangalore. Straight out of college, I was very enthusiastic about my job and excited to embrace a career in Wireless.
While all other networking domains (Routing & Switching, Security, VoIP, ...) had enough literature for a reader to increase the depth and breadth of their knowledge, the vendor-specific literature available at that time was not sufficient for one to truly qualify as a Wireless Engineer.
Unlike other networking domains, Wireless is much more about standards and protocols and far less about proprietary technologies. While the vendor-specific literature available helped me gain the procedural knowledge to operate a specific vendor’s product line, deep inside I was very disturbed at failing to correlate the procedures with adequate logic. This is when I started exploring alternatives, and on a blessed day I found the CWNA book on the shelves of a book store. It was 2011 when I finally started to give proper direction to my studies on Wireless.
Certification was not the real goal for me at that time, and I specifically struggled a lot to grasp the concepts in CWAP. Though CWNP remained my primary source of knowledge, I finally made up my mind in 2015 to achieve the certifications. Having spent enough time grasping the concepts from the CWNP books, I finally gathered all the courage to appear for my first CWNP exam in 2017. I kept enough of a gap between my exams to ensure that I had absorbed enough from the literature before appearing for each exam. Finally, on 1st April 2020, the day arrived when I completed all the prerequisites for CWNE certification and submitted my application.
The beauty of the CWNE certification is in the way the programme is developed. Unlike other certifications, which test a candidate against parameters defined by the certification authority, the CWNE programme tests candidates against their own potential.
Alhumdulillah, I was blessed with my first child on 18th March 2020. Being blessed with the long-awaited certification in this same time frame will add no limits to my happiness.
With the application currently in the queue to be reviewed by the CWNE board, I am eagerly awaiting the results. I will have a separate post shortly after my application status is updated.
One of the most overlooked configurations in a Wireless LAN is the Wireless Access Point hostname. Some network administrators leave the hostnames at their factory-shipped defaults, while others use all the characters permissible (for instance 32 characters in Cisco) to make the name self-illustrative.
Both approaches have their own disadvantages, and the recommended limit is only 15 characters, as illustrated in the sections below.
Disadvantages of Leaving the Wireless Access Point Hostnames at their defaults
By default, Wireless Access Points come with their MAC address as the hostname, typically combined with the characters “AP”. This is a rather careless approach: once we see Wireless Access Point(s) going down on the Wireless LAN Controller / Network Management Solution, it is difficult to determine at which specific location an Access Point has gone down.
On the contrary, a meaningful AP hostname that depicts the location of the Access Point makes it a lot easier to determine the affected area and to take appropriate action. These actions could include verifying the PoE status on the AP’s switchport, rectifying patch-cord-related issues, or identifying similar issues and addressing them for the specific AP identified through its descriptive hostname.
Disadvantages of Using the Wireless Access Point Hostnames to their full permissible limits
Vendors like Cisco allow AP hostnames of up to 32 characters. This has a major drawback during troubleshooting, when we are required to take Over the Air packet captures: the information element that carries the AP name is restricted to only 15 characters in length.
The snippets below show the configured AP hostname characters and those reflected in the IE of the Wireshark packet capture.
Configured AP Hostname
Reflected AP Hostname
Recommended Wireless Access Point Hostnames
It is thus recommended to use Wireless Access Point hostnames that are self-descriptive and at the same time well within the 15-character limit, since any hostname beyond 15 characters will not get reflected in full in the OTA packet captures.
To meet this requirement, it is recommended to develop a naming convention document for your project/site wherein shorter codes are used to signify the campus, building and floor name or number. Based on your site (indoor/outdoor) you will have to innovate accordingly so as to keep the name well within 15 characters. The table below is one such example.
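As an added example (my own code, not part of the original post or any vendor tool), the helper below composes AP hostnames from short campus/building/floor codes and checks them against the two limits discussed above: the 32-character configurable limit quoted for Cisco, and the 15 characters that the OTA capture reflects. The `<campus>-<building>-F<floor>-<seq>` layout and the conservative letters/digits/hyphen character set are assumptions of this example, not a requirement from the post.

```python
"""Wireless AP hostname convention helper (added example, not from the post).

Assumes a naming convention of <campus>-<building>-F<floor>-<seq> built from
short codes, and the two limits stated in the post: 32 configurable characters
(Cisco) and 15 characters reflected in the OTA capture's AP-name IE.
"""
import re

VENDOR_MAX = 32   # Cisco's configurable AP hostname limit (from the post)
OTA_MAX = 15      # characters reflected in the OTA capture IE (from the post)

# Conservative hostname character set (letters, digits, hyphen): an assumption
# of this example, chosen so names stay portable across tools that parse them.
_VALID = re.compile(r"^[A-Za-z0-9-]+$")


def build_ap_name(campus: str, building: str, floor: int, seq: int) -> str:
    """Compose an AP hostname from short codes, e.g. HQ-B1-F03-07.

    The codes are assumed to be pre-agreed in the site's naming convention
    document; zero-padding keeps names sortable in the WLC/NMS AP list."""
    return f"{campus.upper()}-{building.upper()}-F{floor:02d}-{seq:02d}"


def ota_visible(name: str) -> str:
    """The portion of the hostname an over-the-air capture would reflect."""
    return name[:OTA_MAX]


def check_ap_name(name: str) -> list[str]:
    """Return the list of problems with a hostname (an empty list means OK)."""
    problems = []
    if not name:
        problems.append("empty name")
        return problems
    if not _VALID.match(name):
        problems.append("contains characters outside [A-Za-z0-9-]")
    if len(name) > VENDOR_MAX:
        problems.append(f"exceeds vendor limit of {VENDOR_MAX} characters")
    if len(name) > OTA_MAX:
        problems.append(
            f"exceeds {OTA_MAX} characters: OTA captures would only show "
            f"'{ota_visible(name)}'"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample names: a factory-style default, a convention-based
    # name, and a fully descriptive 32-character name.
    for n in ("APf4db.e6aa.1234",
              build_ap_name("hq", "b1", 3, 7),
              "HeadOffice-Building1-Floor3-AP07"):
        print(f"{n:34} OTA shows: {ota_visible(n):16} {check_ap_name(n) or 'OK'}")
```

Run it as a script to see how the 32-character name is cut to `HeadOffice-Buil` in a capture while the 12-character convention name survives intact; the same `check_ap_name` call can be run over an exported AP list before a deployment is signed off.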
Step 1: Evaluate the image that you wish to put on the WLC
Look for the Cisco suggested image
For deployments that are not particular about availing the most recent features, it is always a safer approach to look for the Cisco-suggested image. This is generally depicted by a “star” beside the image on the CCO page.
Step 2: Evaluate the WLC code compatibility matrix
The WLAN infrastructure traditionally comprises the Cisco WLC, Prime, CMX and MSE (wIPS). Thus, while planning to upgrade the WLC code, it is quite essential to evaluate the code compatibility matrix, as you may be required to consider upgrading these components as well.
Whenever we are trying to upgrade the WLC image to the latest available code, identifying the upgrade path is quite essential. If the WLC is running very old code, it may be required to proceed with a step upgrade by moving to an intermediate image first and then to the image of interest.
The current Cisco WLC code available at the time of writing is 8.8.x, and the minimum code the WLC should be running in order to upgrade to it is 8.5.x.
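To make the step-upgrade reasoning concrete, here is an added example (my own code, not a Cisco tool or anything from the original post) that plans the sequence of trains to install from a compatibility table of “target release requires at least this running release”. The only entry in the table is the one stated above (8.8.x needs 8.5.x); in practice the table is filled from the release notes of each target image, and the starting release `8.3.x` in the demo is a constructed example of “older code”.

```python
"""Upgrade-path planner for WLC code (added example, not from the post).

MIN_RUNNING maps a target train to the minimum train the WLC must already be
running. The single entry comes from the post; further entries are filled
from the vendor's release notes for each target image.
"""
from typing import Dict, List, Tuple

MIN_RUNNING: Dict[str, str] = {
    "8.8": "8.5",   # from the post: to reach 8.8.x the WLC must run 8.5.x
}


def parse(version: str) -> Tuple[int, ...]:
    """'8.5.135.0' -> (8, 5, 135, 0); non-numeric parts such as 'x' are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def train(version: str) -> str:
    """Major.minor train of a release, e.g. '8.5.135.0' -> '8.5'."""
    return ".".join(version.split(".")[:2])


def plan_upgrade(running: str, target: str,
                 matrix: Dict[str, str] = MIN_RUNNING) -> List[str]:
    """Return the ordered list of trains to install to reach `target`.

    Each hop checks whether the currently running train meets the minimum
    for the next image; if not, that minimum train is inserted as an
    intermediate (step) upgrade. An empty list means no upgrade is needed."""
    if parse(running) >= parse(target):
        return []
    steps: List[str] = []
    cur = train(running)
    todo = [train(target)]          # stack of trains still to install
    while todo:
        nxt = todo[-1]
        minimum = matrix.get(nxt)
        if minimum and parse(cur) < parse(minimum):
            if minimum in todo:     # contradictory matrix: refuse to loop
                raise ValueError(f"no upgrade path from {running} to {target}")
            todo.append(minimum)    # must go through the intermediate first
            continue
        todo.pop()
        steps.append(nxt)
        cur = nxt
    return steps


if __name__ == "__main__":
    print(plan_upgrade("8.3.x", "8.8.x"))   # ['8.5', '8.8']  step upgrade
    print(plan_upgrade("8.5.x", "8.8.x"))   # ['8.8']         direct
    print(plan_upgrade("8.8.x", "8.8.x"))   # []              nothing to do
```

The planner deliberately raises rather than guessing when the table contradicts itself, so a typo in the matrix shows up before a maintenance window rather than as a failed reload.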
Step 4: Preliminary tasks before the schedule of code upgrade
a. Make sure no firewall policies have changed.
Evaluate whether there have been any changes to the firewall policies. When a network is being deployed, people generally prefer allowing open communication between infrastructure devices. Once the network matures, deployments generally introduce stringent firewall rules allowing communication only between specific devices and on specific ports.
The unique part is that these firewall policies do not immediately take effect for TCP sessions already established between the network devices. The moment those TCP sessions are reset (in our case by the reload of the WLC resulting from the code upgrade), the existing sessions go down and the firewall rules allowing only specific communication kick in. If the firewall rules miss any required communication between the networking equipment, those devices will no longer be able to communicate.
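Since the reload is what exposes a stale firewall rule, the check a practitioner wants before the maintenance window is a reachability test of every peer the WLC must talk to, run from the WLC's own network segment. The following is an added example of such a pre-check (my own code, not from the original post or from Cisco); the hosts and ports in `TARGETS` are placeholders to be replaced from your firewall rule set and the vendor's port documentation, and the `__main__` demo uses a local listener so it runs offline.

```python
"""Pre-upgrade TCP reachability check (added example, not from the post).

Before reloading a WLC, confirm that each peer the integration depends on
is reachable on the required TCP ports, because the reload drops the
established sessions that were masking any tightened firewall rules.
"""
import socket
from typing import Callable, Dict, List, Tuple

Target = Tuple[str, str, int]   # (description, host, tcp port)

# Placeholder targets: hosts (RFC 5737 documentation range) and ports are
# illustrative only, NOT Cisco's documented port list.
TARGETS: List[Target] = [
    ("Prime Infrastructure (placeholder)", "192.0.2.10", 443),
    ("MSE / CMX (placeholder)", "192.0.2.20", 443),
]


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout) or unreachable
        return False


def precheck(targets: List[Target],
             probe: Callable[[str, int], bool] = check_tcp) -> Dict[str, bool]:
    """Probe every target; returns {description: reachable}."""
    return {desc: probe(host, port) for desc, host, port in targets}


def blocked(results: Dict[str, bool]) -> List[str]:
    """Descriptions of peers that are NOT reachable; empty list means go."""
    return [desc for desc, ok in results.items() if not ok]


def open_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening TCP socket on 127.0.0.1 (demo/test helper only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    demo = [("local listener", "127.0.0.1", port),
            ("closed local port", "127.0.0.1", 1)]   # port 1 assumed closed
    results = precheck(demo)
    srv.close()
    for desc, ok in results.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {desc}")
    print("Safe to proceed" if not blocked(results) else "Fix firewall rules first")
```

Replace `demo` with `TARGETS` filled from your own rule set and run it from a host on the WLC's management VLAN; any `BLOCKED` line is a rule to fix before, not after, the reload.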
While the WLCs are operating in box-to-box HA, the code on them cannot be upgraded separately.
The code has to be uploaded first on the primary, from where it automatically gets pushed to the standby. Once the active WLC is successfully upgraded, it executes all the upgrade scripts and transfers the entire image to the standby WLC using the Redundancy Port.
The standby WLC starts executing the upgrade scripts upon receiving the entire image from the active WLC.
Verification of WLC image pre-download
Once the WLC has been uploaded with the desired image, cross-check from the
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
2. PCI Compliance applicability
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.
An organization is required to be PCI compliant in either of the two situations below:
All businesses that store, process or transmit payment cardholder data
All businesses that even just process or transmit payment cardholder data
A vulnerability scan involves an automated tool that checks a merchant’s or service provider’s systems for vulnerabilities. The tool conducts a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by attackers to target the company’s private network. As provided by Approved Scanning Vendors (ASVs) such as ControlScan, the scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are performed.
3.1 Approved Scanning Vendors (ASVs)
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
As a company, ControlScan revalidates with the PCI Security Standards Council every year, and our ASV employees requalify annually, too. This means that we’re up to date on the very latest vulnerabilities. We’re also experts in scanning your Internet-facing environment and working with you to resolve any issues and achieve PCI compliance.
3.2 Frequency of validations for PCI Compliance
PCI compliance requires businesses to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV) such as ControlScan for each of their locations.
4 Significance of SSL Certificate in PCI compliance
4.1 SSL
SSL (Secure Sockets Layer) is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing eavesdroppers from reading and manipulating any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and a browser) or server to server (for example, an application with personally identifiable information or with payroll information). SSL uses encryption algorithms to scramble data in transit, preventing attackers from reading it as it is sent over the connection.
4.2 TLS
TLS is more efficient and secure than SSL, as it has stronger message authentication, key-material generation and other encryption algorithms. For example, TLS supports pre-shared keys, secure remote passwords, elliptic-curve keys and Kerberos, whereas SSL does not. TLS and SSL are not interoperable, but TLS does offer backward compatibility for older devices still using SSL.
The TLS protocol specification defines two layers. The TLS record protocol provides connection security, and the TLS handshake protocol enables the client and server to authenticate each other and to negotiate security keys before any data is transmitted.
The TLS handshake is a multi-step process. A basic TLS handshake involves the client and server sending “hello” messages, the exchange of keys, a cipher message and a finished message. The multi-step process is what makes TLS flexible enough to use in different applications, because the format and order of the exchange can be modified.
4.3 SSL Certificate
To create this secure connection, an SSL certificate (also referred to as a “digital certificate”) is installed on a web server and serves two functions:
It authenticates the identity of the website (this guarantees visitors that they’re not on a bogus site)
It encrypts the data that’s being transmitted
SSL certificates are issued by Certificate Authorities (CAs), organizations that are trusted to verify the identity and legitimacy of any entity requesting a certificate.
The CA’s role is to accept certificate applications, authenticate applicants, issue certificates, and maintain status information on the certificates issued.
Even though an SSL certificate is used for TLS connections, while buying one you will notice that it is still referred to as an SSL certificate. This is primarily because SSL is the more commonly used term.
4.4 HTTPS
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol in the browser bar.
4.5 Compliance to PCI while using the SSL certificate
A system cannot be considered PCI compliant merely for using SSL certificates, as the use of an SSL certificate alone does not guarantee that a web server is secured against malicious attacks or intrusions.
SSL and early TLS should not be used as a security control to meet the PCI requirement.
High-assurance SSL certificates provide the first tier of customer security and reassurance, such as the below, but there are other steps to achieve PCI compliance:
A secure connection between the customer’s browser and the web server
Validation that the website operators are a legitimate, legally accountable organization
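The rule that SSL and early TLS are not an acceptable control only helps if the server actually refuses those versions. As an added example (my own code, not part of the original article), the snippet below encodes that policy with Python's standard `ssl` module: a server context that will not negotiate anything below TLS 1.2, a client context that keeps certificate and hostname verification on, and a small classifier for the version string `SSLSocket.version()` reports. Treating everything below TLS 1.2 as “early TLS” is an assumption of this example.

```python
"""Minimum TLS version policy for a cardholder-data web front end
(added example, not from the article).

Encodes "SSL and early TLS are not acceptable" as ssl.SSLContext settings
and a classifier for negotiated protocol names. 'Early TLS' is taken here
to mean anything below TLS 1.2.
"""
import ssl

_REJECTED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # SSL and early TLS
_ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def protocol_acceptable(negotiated: str) -> bool:
    """Classify the name ssl reports for a connection, e.g. sock.version()."""
    if negotiated in _ACCEPTED:
        return True
    if negotiated in _REJECTED:
        return False
    raise ValueError(f"unknown protocol name: {negotiated}")


def server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context that refuses SSL and early TLS handshakes.

    certfile/keyfile are the server's own certificate chain and private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3/TLS1.0/1.1 refused
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context() -> ssl.SSLContext:
    """Client-side context: CA verification and hostname checking stay on
    (create_default_context's defaults) and TLS < 1.2 is refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """The settings an auditor would ask about, as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(policy_summary(client_context()))
    for name in ("TLSv1", "TLSv1.2", "TLSv1.3"):
        print(name, "acceptable" if protocol_acceptable(name) else "REJECTED")
```

The client side matters as much as the server side here: a payment application calling an upstream API should also refuse to fall back to TLS 1.0, which is why `client_context()` keeps `create_default_context()`'s verification and only tightens the minimum version.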
Mobility Express capability is exhibited only by Wave 2 Access Points from Cisco. These are primarily called COS APs.
The predecessors of the COS APs were the IOS APs, which support only the Autonomous AP capability. Though both Autonomous and ME APs require neither an AP license nor a controller, ME APs are more advantageous in the sense that an ME AP takes on the role of a controller (referred to as the master AP) and can terminate up to 100 APs (referred to as subordinate APs), while the autonomous AP just acts as a single independent AP with no possibility of coordination with other APs in the network.
(A similar concept exists in Aruba for APs exhibiting controller capability, which they refer to as IAP. Every model of Aruba AP comes in two forms, either Aruba AP or Aruba Instant AP. When ordered as an Aruba Instant AP it can be converted back to a normal AP, but when ordered as an Aruba AP it cannot be converted to an Aruba Instant AP. Thus care should be taken while placing the order.)
Pre-requisites
Cisco Wave 2 Access Point
Laptop / PC with Ethernet interface
Configuring the Windows Network Adapter to connect to the ME AP
Go to Network & Internet Settings
Click on “Change adapter options”
Click on the “Ethernet adapter” which is connected to the Access Point’s Ethernet port (in my case it is the 5G port of the 4800 Access Point)
Assign an IPv4 address to your PC / Laptop
Determining the Com Port In use by Console Cable
Connect the console to the AP and determine the corresponding COM port
devmgmt.msc → Ports (COM & LPT) will list the USB serial port in use
Configuring the AP for Conversion to Mobility Express
(Optional) If the AP has a previously existing configuration, delete it (capwap ap erase all)
Login into the AP and assign a static IP address
Syntax: capwap ap ip <ap ip> <mask> <gateway>
capwap ap ip 192.168.1.11 255.255.255.0 192.168.1.10
In this example we are assigning the AP an IP of 192.168.1.11
Verify that the AP’s wired0 interface has taken up the configured IP address
Since the AP has two Ethernet interfaces, two wired interfaces will be listed, viz. wired0 and wired1
Open the TFTP application and give the ME image path
Enter the command in the AP CLI to download the ME image
Syntax: ap-type mobility-express tftp://<tftp IP address>/<ME AP image>.tar
Once the AP comes up after the manual reload, wait for a couple of minutes
After a couple of minutes it will go through a second reload on its own and come up as the ME Controller
Configure the AP via the installation wizard
The ME Controller comes up after reloading with the initial configuration
Configuring the internal DHCP for the ME
The internal AP inside the ME will not come up until:
The ME is connected to a switch and obtains a DHCP IP from it
Or an internal DHCP server is configured.
Since in RF coverage testing scenarios (AP on a stick) we will not have the AP connected to a switch, let us first connect the ME to a switch to let it obtain a DHCP address and have its internal AP up and running.
Often we are required to get Over the Air captures in order to understand and troubleshoot Wi-Fi behaviour. The generally assumed easiest choices for getting a wireless sniffer trace / OTA capture are either a Mac laptop or a Wireless Access Point in sniffer mode. These options have the limitation that they cannot obtain OTA captures on all channels, specifically the UNII-3 channels.
For instances like these, Kali Linux along with a Proxim wireless adaptor comes in handy. The reason I specifically point to the Proxim adaptor is its ready availability to Wireless Network Engineers: most of them will be running their AirMagnet / Ekahau application license mapped against a Proxim adaptor. A Proxim adaptor may not be able to simulate an AP on all channels, but when it comes to sniffing it is able to sniff on all channels. For instance, in my case the Proxim adaptor is not able to simulate an AP on the UNII-3 channels, yet it can still be set to monitor mode on the UNII-3 channels.
Prerequisites:
Wi-Fi adaptor which supports monitor mode (I am using a Proxim 8494-WD)
Kali Linux
Steps:
Connect the Wi-Fi adaptor and open the Kali Linux application.
Obtain the name of the wireless interface. Issuing “iwconfig” will fetch the wireless interface name. In our case it is found to be “wlan0”.
Verify whether the Wi-Fi adaptor is capable of supporting “monitor” mode. Issuing “iw list” will list all wireless devices and their capabilities. Under “Supported interface modes” you should be able to see monitor.
Stop the network managers, then kill any interfering processes left. Issue the command “airmon-ng check kill”. It is very important to kill the network managers before putting a card in monitor mode!
Create a monitor-mode Wi-Fi interface by issuing the command “airmon-ng start wlan0”.
Verify that the interface has been set to “Monitor” mode and note its operating channel. Note that the frequency is shown in GHz; you will have to determine its corresponding channel number.
Configure monitoring on the appropriate channel of choice.
Start Wireshark by issuing the command “wireshark”.
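The step that asks you to turn the GHz frequency into a channel number is the one most often done by guesswork, so here is an added example (my own code, not from the original post) that parses the `Frequency:` field from iwconfig-style output and applies the IEEE 802.11 channel numbering rules for 2.4 GHz (channels 1-13 at 5 MHz spacing from 2412 MHz, channel 14 at 2484 MHz) and 5 GHz (channel = (f - 5000) / 5), labelling the 5 GHz sub-band so UNII-3 channels like 149-165 are easy to recognise. The sample iwconfig text is constructed for the example, not a real capture.

```python
"""Frequency -> Wi-Fi channel helper for monitor-mode captures
(added example, not from the post).

iwconfig reports the operating frequency in GHz; this converts it to the
channel number and the 5 GHz sub-band (UNII-1/2A/2C/3) using the IEEE
802.11 channel numbering rules. SAMPLE_IWCONFIG is constructed sample text.
"""
import re
from typing import Optional, Tuple

# Constructed sample shaped like iwconfig output for a monitor-mode interface.
SAMPLE_IWCONFIG = """wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:5.765 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
"""


def parse_frequency_mhz(iwconfig_text: str) -> Optional[int]:
    """Extract 'Frequency:X.XXX GHz' from iwconfig output and return MHz."""
    m = re.search(r"Frequency:(\d+(?:\.\d+)?)\s*GHz", iwconfig_text)
    return round(float(m.group(1)) * 1000) if m else None


def unii_band(channel: int) -> str:
    """5 GHz sub-band names; UNII-3 (149-165) is the one the post calls out."""
    if 36 <= channel <= 48:
        return "5 GHz UNII-1"
    if 52 <= channel <= 64:
        return "5 GHz UNII-2A"
    if 100 <= channel <= 144:
        return "5 GHz UNII-2C"
    if 149 <= channel <= 165:
        return "5 GHz UNII-3"
    return "5 GHz (other)"


def freq_to_channel(freq_mhz: int) -> Tuple[int, str]:
    """Map a centre frequency in MHz to (channel, band label).

    2.4 GHz: channel n (1-13) sits at 2412 + 5*(n-1) MHz; channel 14 at 2484.
    5 GHz:   channel = (freq - 5000) / 5 across 5150-5895 MHz."""
    if freq_mhz == 2484:
        return 14, "2.4 GHz"
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2412) % 5 == 0:
        return (freq_mhz - 2412) // 5 + 1, "2.4 GHz"
    if 5150 <= freq_mhz <= 5895 and (freq_mhz - 5000) % 5 == 0:
        ch = (freq_mhz - 5000) // 5
        return ch, unii_band(ch)
    raise ValueError(f"{freq_mhz} MHz is not a 2.4/5 GHz Wi-Fi channel centre")


if __name__ == "__main__":
    mhz = parse_frequency_mhz(SAMPLE_IWCONFIG)
    print(mhz, freq_to_channel(mhz))    # 5765 (153, '5 GHz UNII-3')
```

Pipe the real `iwconfig wlan0mon` output into `parse_frequency_mhz` to confirm the interface landed on the channel you intended before starting the capture; a wrong band here silently yields an empty trace.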
Project planning in wireless deployments is often broken down into the following phases, which are illustrated in the sections below:
Identifying the customer requirement
Identifying the customer requirement, either by directly obtaining the information from the customer or by self-assessment, is the most important part of any successful Wi-Fi deployment. The requirements of two different business types will not necessarily be the same, and even the requirements of the same business type can be unique across projects.
Following is a comprehensive list of commonly found business types, and the ones that I have personally dealt with:
Schools
Universities
Shopping Malls
Airports
Sea Ports
Bus Stations / Metro Stations
Casinos
Hotels
Service Apartments
Stadiums
Exhibitions
Determining the deployment model that suits the customer requirement
High-Density Specific Wi-Fi Deployment Model:
High-density Wi-Fi deployments are generally warranted when we anticipate a large number of Wi-Fi devices operating in a relatively small area. The high-density specific Wi-Fi deployment model requires us to take the following into consideration:
Maximum expected user density in any given area.
Identifying the devices and applications that will be used.
Delay sensitivity the applications can withstand while using the WLAN services.
Location-specific Wi-Fi deployments are generally warranted when the customer is more interested in tracking the movement of visitors in their venue. They are also required to facilitate indoor navigation for people, wherein the Wi-Fi deployment is integrated with indoor navigation SDKs.
Though indoor navigation has the additional requirement of installing an app on visitors’ devices, it comes with the unique advantage of working indoors, where GPS fails miserably.
The Location Specific Wi-Fi Deployment Model requires us to take the following into consideration:
a. Area of interest wherein we expect greater location accuracy to be obtained. This area should have the wireless access points deployed in a convex hull fashion.
b. Wireless Access Points that support Hyperlocation. Certain Cisco Access Points have integrated antennas to support Hyperlocation, for example the 4800 series Access Point. Modular access points with the option of a Hyperlocation module could also be considered.
c. Mounting height of the Wireless Access Points. Generally it is recommended that for location-specific deployments the wireless access points are mounted no higher than 4.5 meters.
Application Specific / Wireless VoIP Wi-Fi Deployment Model.
When considering the application-specific deployment model, the wireless VoIP deployment model is the one most often thought of, since a wireless VoIP deployment warrants strict design considerations. These include:
Preference for a 5 GHz-only SSID.
A smaller number of SSIDs in the venue to enhance airtime fairness.
Design to guarantee at least -65 dBm signal strength and an SNR better than 20 dB.
Disabling of lower data rates.
Sufficient coverage overlap between cells to facilitate smooth roaming.
Enabling call admission control on the SSIDs.
Quality of Service chosen as Platinum.
Understanding the applications and services the customer intends to use is a lot more vital to the successful deployment of Wi-Fi.
Some customers will be technically competent enough to understand their requirements in their entirety and develop a “Specification Document”, thus mandating the integrators to fulfil all their project requirements.
However, there are also customers who may not be in a position to completely understand their current requirements and/or forecast their future requirements. For such customers, it should be the moral responsibility of the integrator to help them understand their current and future requirements in full and to develop a “Specification Document”.
Developing the Specification Document
The specification document generally helps us capture the customer requirements, covering their current and future needs, and the obligations of the integrator in meeting those requirements.
In most cases the Specification Document is developed by the customer or a customer-appointed consultant. However, in scenarios where the specification document is not available from the customer, the integrator should go ahead and prepare one for the customer. This helps to agree and set the right expectations, which need to be validated during project closure.
The Specification Document should at least include the following:
Scope of Work
Minimum qualifications of the Managers, Engineers and Technicians working on the project.
Submittals that have to be developed and shared with the customer during the course of project execution. This includes:
List of Design Documents and Drawings.
Material Approval Requests
Material Samples
Datasheets of products.
Supplier and Manufacturer Details
Method Statements detailing the installation process of each individual component
Design documents and drawings at different stages of the project for the customer’s review and approval.
Generally no design is completed in one go, and for large projects it is always advisable to break the design into different phases as follows:
Stage 1: 30 % Design Documents and Drawings.
Stage 2: 60 % Design Documents and Drawings.
Stage 3: 90 % Design Documents and Drawings.
Stage 4: 100 % Design Document and Drawings
Once the design reaches Stage 4 and has been completely reviewed by the customer or the customer-appointed consultant, the physical installation of the equipment can begin.
Predictive Site Survey Design Documents.
A predictive site survey shall be performed, that is, modelling the facilities and RF environment in order to predict the WLAN requirements (access point types, locations, channel utilization, signal-to-noise ratios, channel interference, etc.).
On-Site Site Survey Design Documents
Predictive site surveys, being simulator based, aid only in developing the initial BOQ. They are in no way a substitute for an actual on-site survey with the actual model of Wireless Access Point. On-site surveys are all about mounting the specific models of Wireless Access Points with specific antennas at typical locations and then studying the resulting coverage pattern while tweaking the Tx power, in order to develop the optimal AP placement with the right model of Access Point / antenna.
Post deployment site survey documents and drawings
A final site survey shall be performed after the WLAN system is online to compare the design and specification requirements with the actual performance values. This holds the integrator responsible for rectifying any issues of non-compliance with the requirements.
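The post-deployment comparison described here, and the wireless VoIP design targets listed earlier (signal strength of at least -65 dBm, SNR better than 20 dB, 5 GHz-only SSID), are the same check seen from two ends, so here is one added example serving both (my own code, not from the original post). It evaluates survey measurement points against those targets and produces the list of non-compliant locations the integrator must rectify. The survey points are constructed sample data, and the strict “better than 20 dB” reading of the SNR target is an assumption of this example.

```python
"""Post-deployment survey check against the VoIP design targets
(added example, not from the post).

Targets come from the VoIP deployment model in the post: RSSI of at least
-65 dBm, SNR better than 20 dB, and a 5 GHz-only SSID. SAMPLE is
constructed data, not a real survey.
"""
from dataclasses import dataclass
from typing import Dict, List

MIN_RSSI_DBM = -65   # "at least -65 dBm" (from the post)
MIN_SNR_DB = 20      # "SNR better than 20 dB" (from the post)
VOIP_BAND_GHZ = 5.0  # "5 GHz only SSID" (from the post)


@dataclass
class SurveyPoint:
    location: str
    rssi_dbm: int
    snr_db: int
    band_ghz: float   # 2.4 or 5.0


# Constructed survey points: one good, one weak signal, one noisy, one wrong band.
SAMPLE: List[SurveyPoint] = [
    SurveyPoint("B1-F03 lobby", -58, 32, 5.0),
    SurveyPoint("B1-F03 corridor east", -67, 24, 5.0),
    SurveyPoint("B1-F03 meeting room", -62, 18, 5.0),
    SurveyPoint("B1-F03 stairwell", -60, 29, 2.4),
]


def failures(point: SurveyPoint) -> List[str]:
    """Reasons a point fails the VoIP design targets (empty list = pass)."""
    reasons = []
    if point.rssi_dbm < MIN_RSSI_DBM:
        reasons.append(f"RSSI {point.rssi_dbm} dBm below {MIN_RSSI_DBM} dBm")
    if point.snr_db <= MIN_SNR_DB:
        reasons.append(f"SNR {point.snr_db} dB not better than {MIN_SNR_DB} dB")
    if point.band_ghz != VOIP_BAND_GHZ:
        reasons.append(f"client on {point.band_ghz} GHz; VoIP SSID is 5 GHz only")
    return reasons


def compliance_report(points: List[SurveyPoint]) -> Dict[str, object]:
    """Pass rate plus the non-compliant points, keyed by location."""
    failed = {p.location: failures(p) for p in points}
    failed = {loc: why for loc, why in failed.items() if why}
    passed = len(points) - len(failed)
    return {
        "total": len(points),
        "passed": passed,
        "pass_rate": round(100 * passed / len(points), 1) if points else 0.0,
        "failed": failed,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE)
    print(f"{report['passed']}/{report['total']} points pass ({report['pass_rate']}%)")
    for loc, why in report["failed"].items():
        print(f"  {loc}: {'; '.join(why)}")
```

Feed it the exported measurement points from the survey tool instead of `SAMPLE`, and the `failed` map is the punch list to attach to the closure report.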
Interface Control Documents
In large-scale deployments, wireless does not operate as a standalone system and needs to be integrated with different systems and subsystems. ICDs in such cases help us determine the parameters to validate in order to conclude that the integration is successful.
Installation, Operation and Maintenance manuals.
Operation and Maintenance Manuals help the customer maintain the deployment once the project is handed over.
Developing the compliance matrix document
The compliance matrix summarizes compliance or non-compliance with each specification component.