Monday, January 31, 2011

Dynamic VLAN Assignment

In my previous post, Wireless Network Segmentation Options, I described the need to minimize wireless SSIDs and provided 3 options for practical network segmentation within complex networks.

As a follow-up, I would like to briefly show administrators how to implement the second option, dynamic VLAN assignment. This allows a single SSID to serve multiple user roles tied to separate back-end network VLANs (as long as the same wireless authentication, key management, and encryption ciphers are used).

To prevent client devices from associating to the access point using an unauthorized VLAN, you can assign the user or group to a VLAN on your RADIUS authentication server.

The VLAN-mapping process consists of these steps:

  1. A client device associates to the access point using any SSID configured on the access point.
  2. The client begins RADIUS authentication.
  3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.

The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.

  • 64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  • 65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  • 81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).

Cisco Autonomous Environment Notes
Unicast and multicast cipher suites advertised in WPA information element (and negotiated during 802.11 association) may potentially mismatch with the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the previously negotiated cipher suite, there is no way for the access point and client to switch back to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

Cisco Unified Environment Notes
The Allow AAA Override option of a WLAN allows you to configure the WLAN for identity networking. It allows you to apply VLAN tagging, QoS, and ACLs to individual clients based on the returned RADIUS attributes from the AAA server.

Cisco wireless LAN controllers also support Airespace vendor specific attributes that can allow an administrator to define a WLC Interface-Name, QoS-Level, or Access Control List (ACL) to be applied to the user or group being authenticated.

Radius attribute 26 (Vendor Specific Attribute) should be used to configure the Airespace values. The Airespace Vendor ID is 14179.
  • Aire-Interface-Name (Type 5) should be a string matching the name of the WLC interface to map the user into
  • Aire-QoS-Level (Type 2) should be a value (0-3) mapping to the following QoS levels:
    • 0 = Bronze (Background)
    • 1 = Silver (Best Effort)
    • 2 = Gold (Video)
    • 3 = Platinum (Voice)
  • Aire-ACL-Name (Type 6) should be a string matching the name of the ACL to apply to the user session

Also, ensure that the RADIUS server is using a NAS type of "Cisco-Airespace" when returning Airespace VSAs, otherwise the attributes will not be returned to the controller. If not using Airespace VSAs, a NAS type of "Cisco-Aironet" will work.
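As an added example (not code from the original post, from Cisco, or from any RADIUS server product), the following Python builds the reply attributes described above, the IETF 64/65/81 triple from RFC 2868 and the Airespace VSAs carried in attribute 26, and models the receiving side's decision from step 3 of the mapping process: use the RADIUS-assigned VLAN only when a consistent triple is present, otherwise fall back to the VLAN mapped locally to the SSID. The attribute numbers, the VLAN (13) and 802 (6) values, the vendor ID 14179 and the Airespace sub-attribute types are the ones given in the post; the sample values (VLAN 20, interface name "staff", ACL name "STAFF-ACL") are constructed for the example, and the parser is a minimal one written for it, not a library API.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type = 802
AIRESPACE_VENDOR_ID = 14179
AIRE_QOS_LEVEL, AIRE_INTERFACE_NAME, AIRE_ACL_NAME = 2, 5, 6
QOS_NAMES = {0: "Bronze", 1: "Silver", 2: "Gold", 3: "Platinum"}

def radius_attr(attr_type, value):
    """Generic RADIUS TLV: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag byte (0 = untagged) + 3-byte value."""
    return radius_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_str(attr_type, tag, text):
    """RFC 2868 tagged string: tag byte + string."""
    return radius_attr(attr_type, bytes([tag]) + text.encode("ascii"))

def airespace_vsa(vendor_type, value):
    """Attribute 26 carrying one Airespace sub-attribute (Vendor-Id 14179)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return radius_attr(VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + sub)

def encode_vlan_assignment(vlan, tag=1):
    """The 64/65/81 triple that places a client in `vlan` (ID, or IOS VLAN name)."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def encode_airespace(interface_name=None, qos_level=None, acl_name=None):
    """Airespace VSAs a WLC applies when the WLAN has Allow AAA Override enabled."""
    out = b""
    if interface_name is not None:
        out += airespace_vsa(AIRE_INTERFACE_NAME, interface_name.encode("ascii"))
    if qos_level is not None:
        if qos_level not in QOS_NAMES:
            raise ValueError("Aire-QoS-Level must be 0-3")
        out += airespace_vsa(AIRE_QOS_LEVEL, struct.pack("!I", qos_level))
    if acl_name is not None:
        out += airespace_vsa(AIRE_ACL_NAME, acl_name.encode("ascii"))
    return out

def parse_attributes(blob):
    """Split an attribute list into (type, value) pairs; reject bad lengths."""
    pairs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, length = blob[i], blob[i + 1]
        pairs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return pairs

def strip_tag(value):
    """RFC 2868: a leading byte of 0x00-0x1F is a tag; larger bytes are string data."""
    return value[1:] if value and value[0] <= 0x1F else value

def assigned_vlan(blob, ssid_vlan):
    """Receiver's decision (step 3): the RADIUS VLAN if 64=13, 65=6 and 81 are all
    present, otherwise the VLAN mapped locally to the SSID."""
    found = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = strip_tag(value).decode("ascii")
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
            and TUNNEL_PRIVATE_GROUP_ID in found):
        return found[TUNNEL_PRIVATE_GROUP_ID]
    return str(ssid_vlan)

def airespace_overrides(blob):
    """Collect Airespace sub-attributes from attribute 26; other vendors are ignored."""
    result = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue
        sub_type, sub_len = value[4], value[5]
        sub_value = value[6:4 + sub_len]
        if sub_type == AIRE_INTERFACE_NAME:
            result["interface"] = sub_value.decode("ascii")
        elif sub_type == AIRE_ACL_NAME:
            result["acl"] = sub_value.decode("ascii")
        elif sub_type == AIRE_QOS_LEVEL and len(sub_value) == 4:
            result["qos"] = QOS_NAMES.get(struct.unpack("!I", sub_value)[0], "unknown")
    return result

if __name__ == "__main__":
    # Constructed sample reply: VLAN 20 plus WLC interface, QoS and ACL overrides.
    reply = encode_vlan_assignment(20) + encode_airespace("staff", 3, "STAFF-ACL")
    print("VLAN:", assigned_vlan(reply, ssid_vlan=10))
    print("Overrides:", airespace_overrides(reply))
```

Two points worth checking against your own server's output with this: a reply that carries attribute 81 without a matching Tunnel-Type of VLAN and Tunnel-Medium-Type of 802 falls through to the SSID's local VLAN, which is the silent failure mode behind most "my dynamic VLAN isn't applied" tickets, and attribute 81 is a string, so a VLAN name and a VLAN number are returned the same way and it is the receiving device (IOS versus Aironet or WLC, as noted above) that decides whether a name is acceptable. The decoder strips the RFC 2868 tag byte but does not require the three attributes to share one tag value, which matches the lenient behaviour of most access points.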


Shamrockin' the Wireless Industry

The first ever Wireless Tech Field Day will be held over St. Patrick's Day in San Jose, CA on March 17-18th, 2011. This event follows in the footsteps of 5 previous Tech Field Days, but is specifically focused on wireless LAN technology.

Delegates are typically chosen from independently-minded thought leaders in the field. They are knowledgeable, well-spoken, experienced individuals who are able to identify key trends and advancements in the industry, engage vendors with unique perspectives, are excited to learn, and are willing to challenge vendors to excellence.

Innovative product vendors will be brought in to present their visions and roadmaps for the future. No formal announcements have been made as of yet. However, the wireless industry is seeing a boom of innovation in the recent several years. Startups from 3-5 years ago are finding their voices (and markets) quite well, with innovation at every turn. I doubt there will be a shortage of qualified presenters with engaging material to keep us on our toes, asking questions, and challenging new solutions.

Delegates for the first-ever Wireless Tech Field Day include:
Marcus Burton - CWNP - @MarcusBurton
Samuel Clements - Sam's wireless - @Samuel_Clements
Rocky Gregory - Intensified - @BionicRocky
Jennifer Huber - Wireless CCIE, Here I Come! - @JenniferLucille
Chris Lyttle - WiFi Kiwi's Blog - @WiFiKiwi
Keith Parsons - Wireless LAN Professionals - @KeithRParsons
George Stefanick - my80211 - @WirelesssGuru
Andrew vonNagy - Revolution Wi-Fi - @RevolutionWiFi
Steve Williams - WiFi Edge - @SteveWilliams_

Whoa, what a list! I am honored to be selected along with such a great group of experienced wireless LAN professionals.

Throughout the two-day event, I plan on blogging, tweeting, and sharing photos with the larger community. The value of knowledge compounds when shared, and I plan on keeping you all in the loop! However, some NDA material may be presented by sponsors that will definitely be omitted.

Disclosure - All travel, lodging, and meals are being paid for by the event sponsors. However, I am under no obligation to write positive reviews of participating sponsors, and am encouraged to provide my honest opinion of what is discussed during the events.

Personally, I am excited to have the opportunity to preview vendor roadmaps for the future, network with peers, question vendor strategy, learn from some very smart individuals, provide relevant insight and feedback from my personal experiences, and discuss everything and anything related to wireless technology in a collaborative and social setting.

To my fellow delegates, vendors, presenters, and hosts - let's rock the wireless industry St. Patty style and make the first wireless tech field day a successful one!


Pictures courtesy of and Gestalt IT.

Saturday, January 29, 2011

Article Round-Up: 01/28/2011

Here is a collection of articles from the past week that I have found useful, interesting, or enlightening. As always, for a complete list of articles check out my shared article feed from Google Reader.

General Wi-Fi Articles

First, President Obama pledged to make wireless Internet available to 98% of all Americans. Of course the freed up TV White-Space frequencies and "Super Wi-Fi" will be a large component of that vision.

"Within the next five years, we'll make it possible for businesses to deploy the next generation of high-speed wireless coverage to 98 percent of all Americans. This isn't just about faster Internet or fewer dropped calls. It's about connecting every part of America to the digital age."

"President Barack Obama on Tuesday called for expanding high-speed wireless services for consumers and businesses, during his State of the Union Speech."

"The proposal by President Barack Obama to bring wireless broadband to 80 percent of the United States is a fine idea that’s already mired in the Federal Communication Commission’s net neutrality mess."

"The Federal Communications Commission on Wednesday conditionally granted nine companies the opportunity to manage databases that will serve to coordinate the usage of 'white spaces' -- underutilized frequencies of the broadcast spectrum -- for high-speed wireless broadband networking."

Also this week, security and cloud management articles dominated the news. It will be interesting to see how cloud management reduces feature disparity between consumer / SMB wireless equipment and Enterprise equipment. I expect new markets for cloud-managed service providers to spring up for SMBs looking to outsource this task.

"Traditionally, wireless network segmentation has been accomplished by creating separate Extended Service Set Identifiers (ESSID / SSID), and mapping each to a different network VLAN with access restrictions performed by some upstream device such as a firewall or router. However, that approach is increasingly ill-suited for today's complex wireless networks"

"enterprises are beginning to seek wireless IPS products that will look beyond the Wi-Fi spectrum for wireless security threats from cellular activity and other wireless devices."

Disclosure - I provided a brief interview and contributed to this article.

"Cisco has enhanced its Adaptive Wireless Intrusion Prevention System (wIPS) so that its Wi-Fi access points can both forward traffic and scan for security anomalies. The company contends that the move should make it more affordable for enterprises to add the wireless intrusion prevention capabilities required to better protect their airwaves. The new Enhanced Local Mode (ELM) is available as a free software download to Cisco 802.11n APs."

"3) Smartphones Trigger Data Breaches - Consumers will bring their 2010 holiday toys to work. Of course, when those 'toys' include devices that can connect to the enterprise network and store sensitive information, organizations must take steps to either block or secure such devices."

"Deloitte claims businesses will account for 25 percent of total tablets purchased in 2011 despite the fact that the market Apple's iPad forged is so young and immature."

"The cloud isn't just the most important trend in IT - it's also essential to the future of mobility. We're already seeing a lot of activity here, with 2011 perhaps becoming the pivot point in the market's overall thinking from 3G/4G to WLAN management."

"With this acquisition, Wi-Fi vendor Aerohive will integrate Pareto’s routing, VPN and cloud services technology into Aerohive’s operating system (HiveOS) and Cloud Services Platform (HiveManager Online). New features and platforms will begin to be delivered in Q2 2011."

"Enables Wireless Access Points and Routers to be Managed Via the Cloud, Simplifies Networking for Small and Medium Enterprises"

"This will fill the product gap between non-scalable, consumer-grade Wi-Fi products and complex, expensive enterprise platforms within the SMB market."

"On Wednesday O2 announced that it would be rolling out a free Wi-Fi network, paid for by venues hosting it and backed by advertising model that deserves a little more attention."

"The Wi-Fi covers 12 indoor and outdoor venues and be offered as a free service to festival patrons... The entire Wi-Fi network across all venues includes 20 Ruckus ZoneFlex 7962 802.11n dual-band access points, 20 ZoneFlex 7762 802.11n outdoor dual-band APs, and two long-range 802.11n point-to-point bridges (for backhaul)."

"Ford believes intelligent vehicles that talk to each other through advanced Wi-Fi are the next frontier of collision avoidance innovations that could revolutionize the driving experience and hold the potential of helping reduce many crashes"

"Wi-Fi has cornered the connected home market thanks to the ubiquity of cable operators' in-home Wi-Fi routers and the economies of scale offered by the technology"

"There’s no question that wireless carriers are cozying up to Wi-Fi more than ever... The broad support, in turn, will help advance Wi-Fi beyond basic connectivity to a smoother overall user experience, says networking giant Cisco."

Cisco advances the need for seamless roaming between cellular and Wi-Fi networks in this Forbes article.

"within 2 to 3 years, I expect 25 to 35 percent of business users to employ a mobile smart phone device exclusively and abandon use of a fixed line desk phone. The impact to businesses will be significant as they embrace this mobile enabled mindset."

Be prepared to support Voice over Wi-Fi, personal devices, and hybrids over your Wi-Fi network soon!

Retail Wi-Fi / Mobility Articles

Mashops anyone? Get to know this term.

"What’s a Mashop, you ask? It’s a shopping experience that combines the best of the physical and virtual worlds in one"

"Interesting article today from Stores Magazine about Mashop - the retail version of the Mashup.  The basic premise is that shoppers now want all of the information that they get from the web at the same time they are physically shopping for an item.  I think this is a great name for something that is drastically changing human behavior; the way we shop."

"why are online retailers growing so fast, and conventional stores so slowly? The answer, many retailers are starting to realize, is that the experience is better online than in stores."

"The report concludes by noting that applications and websites tailored to mobile shoppers are a must-have for retailers. As smartphone use increases, more customers will turn to the mobile channel to find price and product information before making a purchase."

"Any retailer not actively working to develop, measure and refine its mobile experience is leaving money on the table for competitors."

Hey, Target made this list (along with most other top 2010 mobile retailer lists too)!

1. Globalization is rebalancing and returning to historical patterns.
2. The millennial “Sunday night/Monday morning” effect.”
3. Cloud plus social networks plus broadband plus mobility equals a new computing model.
4. Pace of Innovation will accelerate.
5. The mobile channel is transforming retailing.
6. Take the store to the shopper.
7. Mobile POS signals death of traditional POS.
8. All-channel synchronization changes zero-sum game to win-win.
9. Death of the task worker.
10. Engagement-centric retailing takes hold.

"The availability of free Wi-Fi service has a direct impact on whether people select to go to certain venues, according to a new report from In-Stat."

"For an IT leader, mobile is a game-changer. Unlike many other emerging technologies where an immediate strategy is not a concern, mobile is front and center now to your users and customers."

"In order to make payments via NFC, an entire ecosystem of players must cooperate. That includes network operators, handset makers, banks, credit card companies, application developers, and so on. (We’d be kidding ourselves to think that they don’t all want a piece of the mobile payment pie.)"

"Apple plans to introduce “Near-Field Communication,” services, reports Bloomberg, that would let customers use its iPhone and iPad computer to make purchases."

Miscellaneous Articles

This week, I'm highlighting a few articles that focus on soft skills rather than technical skills. As engineers it's easy for us to learn, know, and embrace the technology. But oftentimes the communication of technology benefits, solutions, or alternatives lacks persuasive punch and is not correctly adjusted to reach its intended audience. I cannot stress the importance of soft skills and communication skills enough for engineers of all types. If you want to be truly effective in your position, know how to effectively communicate messages to management and other parties.

"One of the hardest lessons I’ve ever learned is that PERCEPTION IS REALITY. That is, whatever a person sees of a problem, and the way that THEY see it, is the only REALITY that they know... Therefore, as an engineer, you need to understand how to hack other peoples brain such that they perceive correctly."

"One tip for building successful presentations was to spend time thinking about and *really* getting to know and understand your audience. Seems like kind of an obvious one, but think about it…"

"the purpose of this post is to identify, in my opinion the process every network engineer should be following, irrespective of the change management processes in place in the organisation where the change is being made."

"Working for larger companies, and adding expertise and skills seem to be the two most effective ways of boosting salary. Location also matters."

"Businesses are better off deploying multivendor networks, no matter what Cisco and other large network vendors may tell you, according to a recent report from Gartner."

I have seen dramatic expense reduction first-hand within a large enterprise by introducing a second competitor into the network infrastructure. Gartner's findings seem to be spot-on in my estimation.

Comic for the Week!
Upside-Down-Ternet (with reference to XKCD)

Cheers (and happy reading),

Tuesday, January 25, 2011

Wireless Network Segmentation Options

Wireless Network Segmentation Requirements
Wireless networks often have as one of their many goals the secure segmentation of different user roles. This is typically due to various reasons including distinct device capabilities (or lack thereof), varying network/application/data access rights among user classes, support for guest or partner Wi-Fi networks, or separation of user classes from one another.

Traditionally, wireless network segmentation has been accomplished by creating separate Extended Service Set Identifiers (ESSID / SSID), and mapping each to a different network VLAN with access restrictions performed by some upstream device such as a firewall or router.

However, that approach is increasingly ill-suited for today's complex wireless networks, which are tasked with supporting multiple user roles, device classes, and information security distinctions over the same network infrastructure equipment. Creating separate SSIDs for each security scenario can quickly tailspin a Wi-Fi network into sluggish performance due to the overhead created to support each virtual BSS.  For an overview of this issue, see "Limit SSIDs and Data Rates to Maintain Network Performance." And the need for segmentation is only growing with the expanding Consumerization of Enterprise Wi-Fi and IT in general. If your organization hasn't seen an influx of smartphones, tablets, and personal computing devices, it will soon.

Couldn't we just use a single SSID to support all these various user roles, you may ask? The good news is that you can. A single SSID can be used for all similarly capable device classes, such as all devices that support 802.1x / EAP authentication with WPA2, but user role distinctions do not necessarily need different SSIDs (a few SSIDs may still be required to advertise and support varying authentication and encryption security methods, but in general many similarly capable devices can be collapsed into the same SSID). Centralized RADIUS can be used to distinguish user-roles based on group mappings and return security attributes to the wireless network for enforcement. This is called Identity Based Networking, and it has traditionally involved RADIUS servers returning a dynamic VLAN assignment for the authenticated user to the network.

The downside to this method is that multiple back-end VLANs, IP subnets, and security enforcement points are still required on the wired network. This causes increased administrative management and support, wasted IP addressing space, difficulty in appropriately sizing various network segments (especially considering the tremendous growth and fluctuation of wireless endpoint requirements), and leaving a disconnect between policy assignment (at the wireless AP) and policy enforcement (at an upstream firewall / router).

Private VLAN Concepts
Private VLANs are one method to provide network segmentation between hosts without wasting IP addressing space. This is accomplished by creating one large Layer 3 subnet and using special (Cisco proprietary) Layer 2 VLAN segmentation at the port-level to create security boundaries between hosts, rather than rely on a static one-to-one mapping of VLAN to IP subnet as is traditionally done.

Essentially, one 'Parent' VLAN is mapped to the IP subnet for all hosts, then secondary 'Child' VLANs are used to segment traffic between different security domains. These child VLANs can be either 'Isolated' or 'Community'. Isolated child VLANs allow the host(s) on assigned ports to only communicate with the default gateway. Community child VLANs allow the host(s) on assigned ports to communicate with the default gateway as well as other hosts in the same community child VLAN. For a good primer on Private VLANs see Jeremy Stretch's article on Basic Private VLAN Configuration over at

Private VLANs and Wi-Fi Networks
Using Identity Based Network integrated with Private VLANs would seem to be a logical extension of identity based networks for wireless networks. First, since wireless networks involve user mobility, using a single large client VLAN is appealing to reduce Layer 3 roaming requirements between subnets. As clients move throughout the wireless environment they need to retain the same IP address to maintain application sessions and provide a good user experience. Second, the large growth of wireless endpoints on corporate networks makes reducing IP address and VLAN ID waste attractive. Third, the requirement to support various external user roles on the same network is growing as more organizations need to support various business partners and vendors on the corporate wireless infrastructure. In essence, private organizations are leveraging their wireless infrastructure like a managed service provider, facilitating business processes that involve external entities. All of these external entities may need similar network access such as Internet, VPN, and on-site collaboration capability within their group, yet should be segmented from other external entities also at the customer / partner site.

However, using Private VLANs for wireless users is not possible due to capability limitations of Cisco wireless equipment. As Jeremy Stretch pointed out in Private VLANs on Trunks and SVIs, when PVLAN information is tagged across 802.1q trunk links the Parent VLAN ID is used for traffic sourced from promiscuous ports, and the Child VLAN ID is used for traffic sourced from child ports. This incongruity in VLAN tagging breaks down on trunk ports to wireless access points.

Let's use the following illustration to demonstrate:

Here we can see that the Private VLANs are setup with VLAN 100 as the Parent, and VLANs 101 and 102 as Child Community VLANs. The goal is to have clients be able to communicate with other hosts in their child VLAN, but not hosts in other child VLANs. However, we see that wireless integration with PVLANs breaks down because wireless equipment does not understand the PVLAN concept of parent and child VLAN associations, as wired switches do. In order for communication to function correctly across trunk links, both ends must understand the child to parent relationship, since only the source VLAN is tagged across the trunk link.

In this example, the client in VLAN 102 associates to the AP and issues a DHCP Request. This frame transits the trunk link using a tag of 102. The wired switch understands the parent and child VLAN association and is able to forward the frame out of the promiscuous port to the router (default gateway) without any tag since this is an access port in VLAN 100. The router responds with a DHCP Offer frame, which transits the trunk link using a tag of 100 (the parent VLAN). The AP receives this frame and drops it because no SSID is associated with VLAN 100. Creating another SSID tied to VLAN 100 also won't help because the client will still be associated to the VLAN 102 SSID. And moving the client into an SSID tied to VLAN 100 causes the client to be considered "promiscuous" and defeats the entire purpose of private VLAN segmentation.

Therefore, we end up with one-way communication. Ultimately, the lack of wireless equipment's ability to understand private VLAN concepts prevents the association of parent and child VLANs. This prevents the use of private VLANs with Cisco Autonomous, Lightweight (local mode), and Lightweight (H-REAP) wireless networks.

Note - Routers do not understand private VLAN concepts either, which requires them to be connected to the switch using an access port rather than a trunk port.

Wireless Network Segmentation Options
The options left for wireless network segmentation include:
  1. Multiple SSIDs mapped to separate VLANs and IP subnets (the traditional solution)
    Benefits - secure segmentation between user roles; straight-forward network administration and support.
    Drawbacks - increased wireless network overhead and reduced performance; wasted VLAN IDs and IP address space; static policy definitions are not flexible to address changing needs.

  2. Single SSID integrated with identity based networking concepts, RADIUS dynamic VLAN assignment, separate VLANs and IP subnets, and upstream firewall or router policy enforcement.
    Benefits - secure segmentation between user roles; reduced wireless network overhead and improved performance.
    Drawbacks - wasted VLAN IDs and IP address space; complex network administration and support; disconnect between policy assignment and policy enforcement implemented in different equipment.

  3. Single SSID integrated with identity based networking concepts, RADIUS policy definition, and edge firewall policy enforcement capabilities in the access points, and a single wired VLAN and IP subnet for wireless clients.
    Benefits - secure segmentation between user roles; reduced wireless network overhead and improved performance; preservation of VLAN IDs and IP address space; straight-forward network administration and support; integrated policy assignment and enforcement in the same equipment.
    Drawbacks - limited wireless vendor support for integrated firewall capability in access points; may require more powerful access point hardware to maintain performance.

Option 1 is clearly the traditional and most well-understood of the three options. However, it suffers from lack of scalability and fairly rigid user classifications and policy enforcement that is not easily changed without major effort. This option has broad market support in almost every enterprise-class Wi-Fi product.

Option 2 improves the situation by reducing wireless network overhead, but adds complexity by requiring correct centralized policy assignment through RADIUS attributes in order for security access to be controlled correctly. It also fails to address the back-end wired network complexity and similarly suffers from lack of scalability and rigid policy enforcement. However, this option also has broad market support.

Option 3 is clearly the best of all options, as it combines improved wireless network performance, easily scalable growth, simplifies back-end wired network complexity by reducing VLAN IDs and preserving IP addressing space, centralizes policy management, and integrates policy assignment and enforcement in the same equipment. However, this option may require more powerful access points to process user traffic, inspect and apply appropriate security controls, and maintain throughput and low-latency performance. This option also has limited market support, with only a handful of vendors supporting integrated firewall capability in access points.

Any of these three options will provide adequate network security when designed properly.


Saturday, January 22, 2011

Article Round-Up: 01/21/2011

Here is a collection of articles from the past week that I have found useful, interesting, or enlightening. As always, for a complete list of articles check out my shared article feed from Google Reader.

General Wi-Fi Related Articles
Aruba Networks and SOTI Partner to Enable Advanced Mobile Device Management (MDM)
"SOTI MobiControl will be integrated with Aruba’s AirWave Wireless Management Suite for mobile device management."
This strategic partnership by Aruba Networks underscores the growing importance of proper management of your corporate mobile device fleet, as well as the need for IT departments to wrap their arms around supporting and securing personal / consumer class devices like tablets and smartphones.

Troubleshooting Checklist for 802.1X on Your WLAN
"Though 802.1X isn't the easiest protocol to implement, it should be a must for all organizations with more than a couple of employees using the wireless network. In this tutorial, we'll discuss how to troubleshoot 802.1X client issues."
Surveying with a 3502 (followup post)
"Cisco 3502i Access Points have different radios in them than then 1142 Access Point making the 1142 an unsuitable substitute for a site survey... "
WLC: Generate Third Party Web Authentication Certificate for a WLC
"This is a step by step “how to” creating a CSR (Certificate Signing Request) with OPENSSL, processing a third-party certificate that is CHAINED and download it to the Cisco WLC."
Efficient enterprise Wi-Fi coverage requires hybrid approach
"The growing need for enterprise Wi-Fi coverage will prompt other new hybrid approaches to emerge, combining aspects of DAS, femtocell and FMC... By making your indoor network infrastructure investments do more, you may well be able to improve indoor coverage for many wireless services at a reduced total cost."
Organizations are increasingly looking to leverage a common infrastructure for both cellular and Wi-Fi solutions. However, converging these networks is not a simple task and market solutions need more time to mature.

Cloudy, With A Chance Of Networking - Network Computing
"Wireless providers are venturing into wired networking, a major acquisition has taken place, and one vendor makes commodity-class hardware compete with enterprise-grade components... The cloud is heating up, and the lines between wireless and wired networking are blurring."
Wi-Fi and wireline technologies continue to merge as evidenced by these three announcements. Aerohive expands into wired networking with its acquisition of Pareto Networks as a strategic play for cloud network management, Meraki does the same with their new MX series routers with cloud control and management, and PowerCloud Systems turns commodity D-Link consumer routers into cloud-enabled enterprise devices.

Wi-Fi Direct Still Finding Its Stride - PCWorld
"About 20 products have been approved, but there were few new Wi-Fi Direct gadgets at the recent International Consumer Electronics Show... 'One of the challenges for Wi-Fi Direct was launching in October,' Broadcom's Brown said. 'It's really not timed very well for the fall selling season.'"
The poorly timed release of Wi-Fi Direct is a plausible conclusion. Given product development cycles, I would have expected product announcements to lag behind the feature certification availability. At this point, I wouldn't read too much into the lack of Wi-Fi Direct capable devices; they will come.

Videoconferencing to hit critical mass on mobile
"One of the most exciting areas in videoconferencing today is the integration of mobile devices and video, especially as end users grow increasingly comfortable with the form factor of smart phones and tablets"
Wi-Fi will be required for video for a while until 4G networks are built that can handle the traffic load. Even then, Wi-Fi will be the preferred delivery method to carry most of the load. Prepare your networks for video now!

Retail Wi-Fi / Mobile Articles
I posted two articles on the new PCI DSS v2.0 standard and what it means for Wi-Fi network administrators, Cisco announced the results of a recent PCI survey, and also announced a new PCI security solution for retail:

Best Practices to Achieve PCI Compliance for Wireless Networks - CWNP
"The recent release of PCI DSS version 2.0 provides a good opportunity to review these “minimum” industry guidelines for wireless networks and provide advice for retail organizations to achieve a successful audit."
Wireless PCI Compliance Resources - Revolution Wi-Fi
"it's important to understand the capabilities, limitations, and design choices available in your own environment. This can vary depending on the infrastructure vendor chosen."
Cisco Issues PCI Compliance Pulse Survey Findings – Results Reveal Changing Views on Data Security Compliance - Cisco News
"This survey demonstrates that the PCI Council is being successful in communicating and getting the active participation and increased adoption of the PCI standards among stakeholders. The findings also suggest that organizations are increasingly aware of the benefits of compliance."

"Cisco is announcing significant improvements to its wireless network solutions that allow retailers to secure their wireless networks from attacks and improve security where point-of-sale data is transmitted wirelessly... new 'Enhanced Local Mode' (ELM) feature"
Cisco brings an integrated wireless intrusion prevention system (WIPS) to market to improve retail security, reduce CAPEX and OPEX, and maintain market share leadership in the retail industry. If their solution proves capable enough to compete with overlay WIPS vendors, they'll have a compelling offering that cannot be ignored. This comes on the heels of Aruba Networks' ArubaOS 6.0 release, which enabled similar security functionality.

New mobile blueprint provides fresh insights
"retailers don’t want to share the space," says David Dorf, Director of Technology for Oracle. "Retailers want to control their customer experience and they want to brand it to themselves."
It's important to understand the hows and whys of retail mobile use cases in order to build effective mobile commerce and marketing solutions. Simply web-enabling current applications and consumer-facing services will lead to a poor user experience. Watch for retailers to innovate in mobile service delivery over the next year in order to differentiate themselves from the crowd.

Surveys Highlight Sales Clerks' Problems
"Two surveys conducted for Motorola Solutions Inc. in December indicate that shoppers are becoming more informed than sales clerks, and sales clerks are sometimes frustrated by a dearth of store information."
A key component of retail e-commerce and m-commerce initiatives will be to outfit the sales clerks and customer representatives with enough information to enhance the customer experience in-store, driving greater foot traffic, providing a positive customer experience, and preventing customers from using brick-and-mortar stores as showroom floors for subsequent Internet purchases.

The Web's Chipping Away at Brick 'n' Mortar
"Shifting consumer buying patterns will drive changes in retail business models, fueling more e-commerce and hybrid approaches (order on the Web, pick up at your local store in an hour)."
I like the title of this article, as it does a pretty good job summing up the state of retail right now!

What will drive Mobile Marketing & Advertising in 2011?
"1. Relevance will be the key revenue driver for new mobile based services: With advanced trends such as Location-Based Services (LBS)... 
5. Rise of mobile based coupons, loyalty programs & deals..."
Starbucks Launches Mobile Barcode Payments
"Could this be the service that, finally, popularizes mobile payments and/or barcodes with mainstream US consumers?"
Mobile payments will come into their own in 2011, just as mobile coupons did in 2010. Look for both features to expand dramatically.

Expansion At Hand As M-Commerce Plans Gain
"M-commerce is also high on retailers' radar, with 69% of the executives surveyed saying mobile is an important strategic initiative -- up from 28% a year ago."
1% of shoppers say mobile is their primary online buying channel - Internet Retailer
"though mobile may not be most consumers’ primary buying channel, shoppers do turn to their web-enabled mobile devices to help them shop."
Evidence surfacing that mobile payments catching on in the U.S.
"communications service providers, financial institutions and retailers all seem to be ready to push ahead to allow consumers to make payments with mobile devices."
Christmas 2010 saw spike in mobile shopping: study - Mobile Commerce Daily - Research
"the spike in page views for Amazon on both Black Friday and Cyber Monday shows a clear trend towards consumers using the mobile Web as a tool for comparison-shopping or actual mobile commerce, or both."

Miscellaneous Articles
Top 10 Data Breaches of 2010 -
"Surprisingly few of these big breaches are associated with trendy new technologies. Instead, many can be attributed to either old fashioned hacks, basic omissions in security best practices, or errors in security policies and processes."
Although Wi-Fi security tends to grab headlines, Lisa Phifer explains that the real threats are more old-fashioned.

IPv6: Smartphones compromise users' privacy - The H Security: News and Features
"operating systems transfer an ID that discloses information about their users... The problem is currently only affecting a small number of users because IPv6 is not yet in widespread use. However, German Telekom and several other IPs plan to offer IPv6 in addition to the old IPv4 during this year."
As the Internet migration to IPv6 accelerates with IANA's now-complete exhaustion of its free pool of IPv4 addresses, IPv6 security gaps will be exposed with increasing regularity. The identifier in question is the interface ID that stateless address autoconfiguration derives from the device's MAC address (modified EUI-64): it stays the same on every network the device joins, so the device can be tracked across networks, and its OUI reveals the hardware vendor. RFC 4941 privacy extensions replace it with a periodically changing random value, so check that your client platforms enable them.

Phone Home - Your Fridge Just Tweeted
"The most surprising revelations at CES, however, came on the household appliance front. Manufacturers presented a world where the Internet of Things is gradually realized"
Simplicity to Stimulate Innovation - Freedom to Think and Dream Big
"The best ideas are the simplest ones, and after you hear them they’re totally obvious, yet they evade us for years and years and years. You don’t have to be Albert Einstein or Stephen Hawking to have great ideas. You just have to think and keep your eyes open." ~ Steve Levitt
Comic for the week!
Doghouse Diaries - To Fi or Not to Fi
I suppose you could always leave it unlocked but make the network name something like, I’M A HACKER AND I’LL SNIFF YOUR PACKETS.

Cheers (and happy reading),