Tuesday, August 30, 2011

Defined - Project Quicksand

Project Quicksand - the act of being engaged for a small portion of a project in a consultative role and subsequently being unable to extract yourself from the project. This is typically accompanied by poor project objective and scope definition by the organizer.

Project quicksand is a common affliction of highly skilled talent.

Ref: see "Scope Creep"


Tuesday, August 16, 2011

Focus Enterprise Mobility on Building Organizational Value

Mobile devices are here to stay. Period.

A recent IDC survey highlighted the growth of mobile device use within the enterprise, as well as the burgeoning immaturity of corporate IT departments to take advantage of this trend with innovative use-cases and application development. Indeed, every organization that I have spoken with seems to be struggling with the mobile device trend in one fashion or another. Decisions abound from which platforms to support for corporate access, corporate liable versus personal liable ownership (and control), requirements definition, provisioning and management capabilities, and in-house application development versus outsourced (or none at all). Whew, what a lot for an organization to think about!

Given all of this work to be completed, how can organizations successfully embrace the emergence of mobile devices?

Focus on Business Strategy and Adding Value with Mobility
Organizations must remain focused on adopting mobile platforms for the correct reasons, namely to add value to the organization and drive competitive advantage. Work to identify existing business processes that can be improved through the use of mobile technologies and drive innovation into new capabilities and experiences for both employees and customers that disrupt current market dynamics. This can only be accomplished through collaboration across the organization, involving forward-thinking leaders from both core business teams and IT departments.

The vision is to leverage the broad and powerful capabilities of feature-rich mobile devices through nimble and innovative application development (in-house, outsourced, or purchased) that empowers users to be more productive and gives them access to the full suite of business capabilities literally in the palm of their hands at all times, in an intuitive, integrated, and natural way. It's not simply enough to migrate existing processes into a mobile environment; organizations must re-invent core processes to take full advantage of mobile capabilities. The nirvana of this vision is to align business capabilities, ease-of-use, and mobility into one package, with the resulting synergy creating powerful market disruption and competitive advantage.

Organizations should develop a comprehensive business strategy to incorporate mobility by identifying core capabilities and processes that can benefit from mobile platforms. Building a parallel enterprise mobility strategy outside of the larger business context is the wrong approach and will ultimately result in misaligned capabilities that must be shoe-horned to fit business processes, deteriorating the value proposition.

It's also too easy to fall into the trap of adopting mobile platforms for the wrong reasons, such as consumer market trends, generic employee requests, or executive fashion. It's actually interesting how many corporate mobile device initiatives begin at the executive level. How times have changed, from corporate IT forcing change on an unwilling employee base to employees and executives demanding support for the latest cool consumer gadget!

Different Scenarios Require Different Approaches
Organizations will need to build a framework of business processes, capabilities, and tools to meet various objectives, and deploy solutions as dictated by user role and responsibilities, if they have not done so already. Varying user roles will require unique workflows, interactions, and content which leverage various mobile platforms and applications. Organizations must acknowledge and understand these variances, and be prepared to tailor solution requirements accordingly.

Here are a few examples:
  • Office users may require access to mobile email, calendaring, document collaboration, and eventually unified services such as voice and video collaboration.
  • Knowledge workers on the other hand may require more advanced capabilities to conduct in-depth research, prepare subject-matter design documents, view rich media content, and collaborate more broadly inside and outside the organization.
  • IT staff will benefit from access to networked systems for on-demand provisioning, maintenance and support, especially given the shortage of skilled IT workers within many enterprises. Allowing greater mobile and remote access will provide organizations flexibility to leverage workers with specialized skill sets more effectively.
  • Manual workers may require access to only a few, well designed applications that allow execution of well-defined tasks. For instance retail associates may require application functions to perform product lookup, inventory management (both in-store and online), transaction processing, and two-way radio communications.
  • Educational institutions may require unique workflows tailored to classroom use, allowing teachers and administrators to easily and intuitively control student mobile devices to enhance, rather than detract from, the learning experience. Immersive and rich digital content is best suited for tablets to engage students.
No "one-size fits all" strategy will exist, and organizations should develop a broad ecosystem of platforms, capabilities, and applications tailored to fit varying user roles and processes. Strategies surrounding native versus web apps and in-house development versus sourced packages will need to be determined to meet varying business purposes, but the fact remains that mobile platforms should enable an immersive experience that is intuitive to the user. This also means that many organizations will have to settle on a hybrid device adoption model, supporting both corporate-liable and personal-liable devices.

Additionally, capabilities and solutions will need to evolve to meet changing demands. This should be fluid throughout the organization, from business strategy, tactical planning, application development, provisioning, support, and troubleshooting. For instance, while office workers may be requesting simple email and calendar integration today, tomorrow will bring a new set of requirements. Are your organizational processes able to quickly adapt to support document collaboration, video conferencing, or voice on mobile devices? If not, how will you get there? Being able to deliver new capabilities quickly and efficiently will be required in this fast-paced environment and will be a point of differentiation.

Non-Functional Requirements
But many may be wondering, "what about security concerns to control data access and prevent information theft?" Let me go out on a limb here and say that while mobile device security is part of the overall consideration, it should not be the focus of enterprise mobility. Organizations should focus on incorporating enterprise mobility into the broader business strategy, identifying and prioritizing business areas where integration makes the most sense.

Don't Overreact About Mobile Device Security

A level-headed approach to determining non-functional requirements, including security, should be sought. Many organizations fear the unknown, and information security personnel are quick to point out the risks of supporting mobile devices. Although security is a key consideration for mobile device adoption, it should not overshadow the potential business value. Organizations that are quick to dismiss enterprise mobility due to security concerns will suffer a comparative disadvantage versus competitors, and will likely work just as hard to enforce draconian constraints. These efforts would be better utilized by identifying gaps and architecting a multi-layered security strategy to minimize risk.

The new challenge for IT and for enterprise application owners will not be around technology and standards -- setting limits and narrowing choice -- but around helping manage this new hybrid infrastructure and in providing guidance to the business on the optimal deployment models for application productivity. IT is truly moving from a custodian role of setting standards and constraints to a far more strategic, trusted advisory role helping to guide key technology, policy and business-related considerations.

- Nicholas Evans, ComputerWorld

Enterprise mobile environment management and controls have been discussed ad nauseam by various sources. Therefore, I will only outline the capabilities that should be considered and what functionality each provides.
  • Information Security Policies define data classifications and controls that form the framework that guides conduct and appropriate use of corporate information. These policies should be in place and updated to protect information based on context including data classification, user role, location, date/time, and device/platform.

  • Mobile Device Management enables corporate IT departments to effectively manage corporate-liable devices for provisioning and maintenance. This includes device inventory, settings, firmware updates, locking, and wiping. Many organizations confuse MDM with mobile security, but the two are distinctly separate. Although MDM may incorporate a subset of security capabilities, such as locking and wiping, its core function is ... get this ... management of those devices. Not device security or data security. The confusion stems from MDM vendors realizing the concerns over mobile device security and playing the tune to customers' ears. Overall, the MDM market is fairly robust, if not quite mature.

  • Mobile Application Management will provide methods for organizations to deploy and manage corporate and 3rd party applications on mobile devices. This includes both corporate-liable and personal-liable devices. Application management should form the tactical focus for IT, since this capability is core to enabling enterprise mobility. Enterprises should also pay close attention to how public application storefronts handle volume purchasing and distribution, since these processes today are immature and oftentimes prohibitive.

    Another core feature is application security and data security. Due to the dual-purpose nature of almost all mobile devices, separating personal data from corporate data on mobile devices is becoming a mounting concern. This topic has been covered by The Enterprise Mobility Forum in their article on Personal Clouds Vs. Remote Device Wiping, and Douglas Haider in his ComputerWorld articles on The App Internet and Mobile Environment Management.

    Enterprise mobile application management is definitely immature today; look for advancements over the next 3 years to provide solutions in this space.

  • Network Access Controls enable the organization to enforce information security policies through context-aware access enforcement throughout a corporate network. Solutions are emerging from network vendors that redefine network access control to enable dynamic policy enforcement that closely matches the written policy. Example solutions include Cisco ISE/TrustSec, Aruba MOVE, and the Aerohive Cooperative Control architecture. This goes beyond firewall and traditional NAC capabilities, to provide true user and device identification, profiling, centralized policy management, edge policy enforcement, and comprehensive visibility.

Overall, it's important to understand that no single vendor provides comprehensive device, application, and data segmentation capabilities. Organizations will have to research and analyze solutions to meet their needs.

Combined together with the right approach, these capabilities will enable comprehensive mobile environment management without detracting from the main objective of building organizational value through the strategic use of mobile technologies.

Revolution or Evolution? - Andrew's Take
Organizations are rushing to adopt mobile technologies, often without taking time to plan a strategic approach. Instead, organizations can build greater value by focusing these initiatives on strategically incorporating mobile capabilities into key business processes, tailoring the experience to the situation and the user, adopting a nimble and responsive application development and delivery framework, and taking a level-headed approach to meeting non-functional requirements.

Enterprise mobility is here to stay, spurred on by the advancements in mobile device platforms that are transforming our economy and culture. Mobile applications represent a disruptive shift in how consumers and users want to interact with the broader world.

Don't be left looking like grandpa!


Friday, August 12, 2011

Adopting Wireless Client Testing & Verification Procedures

As many professionals in the industry know, Wi-Fi clients cause the majority of issues on wireless networks. This is due to the ambiguity of implementation details for many features within the IEEE 802.11 specification. With the current 802.11-2007 standard clocking in at over 1,200 pages in length and the 802.11n amendment adding another 500+ pages, it's already tremendously complex. Yet it still does not define how some functions should be implemented in shipping product. This leads to varying interpretations of the standard, inconsistent behavior between different devices (and often between devices of the same model / part number), and at worst product incompatibilities. The Wi-Fi Alliance does an adequate job ensuring basic compatibility. However, inconsistencies between infrastructure and client devices still exist and can cause major headaches for corporate IT departments burdened with supporting the mobile device influx as well as standard corporate-owned devices.

Organizations should adopt internal testing and verification procedures that certify all changes to infrastructure and client devices in a lab prior to rollout in production environments. These procedures and testing ensure that most wireless connectivity and performance issues will be identified in a lab environment and corrected prior to rollout. This will greatly improve network stability and reduce downtime.

In addition, since Wi-Fi utilizes a shared medium, understanding the capabilities and limitations of your client device base will enable network engineers and architects to design a solid solution that meets ALL client requirements in their environment. Unfortunately, this also means that the wireless network typically must be designed to support the least common denominator as far as client devices are concerned. Knowing device limitations will enable an organization to identify, prioritize, and appropriately budget for device replacement as well as integrate new requirements into device sourcing events.

Consider including the following types of tests in your procedures:
  1. Client Basic Association Test - assess the ability of the client device to establish a connection to the network using the applicable authentication and encryption methods approved for use.
  2. Radio Coverage Association Test - assess the ability of the device to re-establish a network connection after moving outside of the AP coverage area then back into the coverage area.
  3. Radio Strength Test - assess the RF signal strength and signal quality of the client device.
  4. Radio Interference Test - verify the ability of a device to remain associated to an AP during periods of interference at varying levels.
  5. Radio Scan Test - assess the ability for the device to scan only a subset of channels to improve active scanning performance and reduce latency during association and roaming.
  6. Radio Poor Signal Test - assess the ability for the client device to establish a network connection in an area with poor coverage to determine effective receive sensitivity and coverage boundary.
  7. Radio Roaming Analysis - assess the performance of the device when roaming between multiple APs using the applicable authentication and encryption methods approved for use. Hint - break the roam down into several sections to determine where delays may be occurring (probing, association, EAP, EAPoL key). Also look for anomalies including deauthentications or disassociations.
  8. DHCP Roaming Analysis - assess the client DHCP behavior and performance during network roaming (including DHCP renewal behavior).
  9. Application Behavior Testing - verify the ability for the application to function correctly under the given scenario, sometimes also referred to as User Acceptance Testing (UAT). This can also identify performance problems due to incorrect application design or development (typically due to strict application timers designed to work over low-latency wired local area networks, not wireless networks).
  10. Network WAN Latency Test - assess the client and application performance given varying WAN latency (if the RADIUS or application server is remote across a WAN).
  11. Network WAN Load Test - assess the client and application performance given varying WAN load (if the RADIUS or application server is remote across a WAN).
  12. Network WLAN Load Test - assess the client and application performance with varying levels of WLAN clients on the same access point or channel.
  13. Network WLAN QoS Test - assess the client and application support for QoS traffic classification, marking, and prioritization over the air using 802.11e and IP DSCP.
  14. Battery Life Test - assess the battery life of mobile devices under various load conditions, usage frequency, and battery ages.
  15. Radio Power Save Operation - assess the interoperability and performance of the device with various power save modes of operation (PS Polling, U-APSD, PS Multi-Poll).
  16. Device Sleep / Hibernation / Screen Lock Behavior - assess the behavior of the device after being placed into a sleep, hibernate, or screen lock state and brought back awake.
Document each test scenario and include a detailed description of the test case, devices to be tested, test setup, test execution steps, results to be measured, measurement methods, expected outcomes (success criteria), and a logical diagram of the test environment and execution.

Also, document the procedures in a clear, concise, and detailed fashion to ensure process repeatability. This will allow the organization to establish consistent testing processes, establish network and device performance baselines, and allow comparison of new results to historical results. Repeatable and well-documented procedures will also allow process handover to new staff members as roles and responsibilities change, as well as aid in network troubleshooting should the procedure need to be executed by an untrained employee at a remote site in an emergency.

Upon execution of each test case, the following data points should be recorded, analyzed, and included in test reports (may vary between tests):
  • Infrastructure hardware models, software versions and configurations deployed (perhaps grouped into configuration "releases" similar to common software development practices)
  • Client device operating system version, supplicant used, software versions, and driver versions
  • Functional test scenario observation of results
  • Multi-Channel packet capture and analysis
  • Automated protocol analysis (includes high level wireless statistics, such as retransmissions, channel utilization, etc.)
  • Spectrum analysis
Execution and analysis of these tests will require investment in advanced professional-grade wireless LAN tools, specifically for packet capture, protocol analysis, and spectrum analysis.
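To show what the roaming breakdown from test 7 and the automated protocol analysis from the data points above look like in practice, here is an added example that is not code from the original post. It assumes the multi-channel capture has already been exported into simple (timestamp, channel, frame type, retry flag) records; the frame-type labels and the single roam timeline below are constructed by hand, and the EAP phase is deliberately made slow to mimic a RADIUS server reached across a WAN (test 10).

```python
"""Roaming phase breakdown and basic protocol statistics over constructed
802.11 frame records (added example; the export format is an assumption)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A roam is broken into the four sections named in the post. Each phase opens
# at the first frame of its start type and closes at the last frame of its
# end type seen before the next phase opens (or end of capture for the last).
PHASES = [
    ("probing", "probe_request", "probe_response"),
    ("association", "reassociation_request", "reassociation_response"),
    ("eap", "eap_start", "eap_success"),
    ("eapol_key", "eapol_key_1of4", "eapol_key_4of4"),
]
ANOMALY_TYPES = {"deauthentication", "disassociation"}


@dataclass
class Frame:
    ts: float        # capture timestamp in seconds (assumed export field)
    channel: int     # channel the capture adapter saw the frame on
    ftype: str       # simplified frame-type label (assumed export field)
    retry: bool = False  # 802.11 Retry bit


def _first(frames: List[Frame], ftype: str) -> Optional[float]:
    return next((f.ts for f in frames if f.ftype == ftype), None)


def phase_delays(frames: List[Frame]) -> Dict[str, Optional[float]]:
    """Duration of each roaming phase in milliseconds; None if incomplete."""
    frames = sorted(frames, key=lambda f: f.ts)
    starts = [_first(frames, start) for _, start, _ in PHASES]
    delays: Dict[str, Optional[float]] = {}
    for i, (name, _, end_type) in enumerate(PHASES):
        t0 = starts[i]
        if t0 is None:
            delays[name] = None
            continue
        limit = next((s for s in starts[i + 1:] if s is not None), float("inf"))
        ends = [f.ts for f in frames if f.ftype == end_type and t0 <= f.ts < limit]
        delays[name] = round((ends[-1] - t0) * 1000, 1) if ends else None
    return delays


def total_roam_ms(frames: List[Frame]) -> Optional[float]:
    """First probe request to last EAPoL key 4/4, in milliseconds."""
    frames = sorted(frames, key=lambda f: f.ts)
    t0 = _first(frames, PHASES[0][1])
    ends = [f.ts for f in frames if f.ftype == PHASES[-1][2]]
    return round((ends[-1] - t0) * 1000, 1) if t0 is not None and ends else None


def anomalies(frames: List[Frame]) -> List[Tuple[float, str]]:
    """Deauthentication / disassociation frames worth a closer look."""
    return [(f.ts, f.ftype) for f in sorted(frames, key=lambda f: f.ts)
            if f.ftype in ANOMALY_TYPES]


def retry_rate(frames: List[Frame]) -> float:
    """Percentage of data frames carrying the Retry bit."""
    data = [f for f in frames if f.ftype == "data"]
    return round(100.0 * sum(f.retry for f in data) / len(data), 1) if data else 0.0


def channels_probed(frames: List[Frame]) -> List[int]:
    """Channels the client actually probed (test 5 checks this is a subset)."""
    return sorted({f.channel for f in frames if f.ftype == "probe_request"})


# Constructed timeline of one roam from an AP on channel 1 to an AP on
# channel 6, with a full EAP exchange and a stray deauth from the old AP.
ROAM_CAPTURE = [
    Frame(10.000, 1, "data"),
    Frame(10.002, 1, "data", retry=True),
    Frame(10.004, 1, "data"),
    Frame(10.020, 1, "probe_request"),
    Frame(10.023, 1, "probe_response"),
    Frame(10.032, 6, "probe_request"),
    Frame(10.035, 6, "probe_response"),
    Frame(10.044, 11, "probe_request"),
    Frame(10.048, 11, "probe_response"),
    Frame(10.058, 1, "deauthentication"),
    Frame(10.060, 6, "reassociation_request"),
    Frame(10.063, 6, "reassociation_response"),
    Frame(10.070, 6, "eap_start"),
    Frame(10.310, 6, "eap_success"),      # slow: RADIUS across a WAN
    Frame(10.312, 6, "eapol_key_1of4"),
    Frame(10.315, 6, "eapol_key_2of4"),
    Frame(10.318, 6, "eapol_key_3of4"),
    Frame(10.320, 6, "eapol_key_4of4"),
    Frame(10.330, 6, "data"),
    Frame(10.333, 6, "data", retry=True),
]

if __name__ == "__main__":
    print("phase delays (ms):", phase_delays(ROAM_CAPTURE))
    print("total roam (ms):  ", total_roam_ms(ROAM_CAPTURE))
    print("anomalies:        ", anomalies(ROAM_CAPTURE))
    print("data retry rate:  ", retry_rate(ROAM_CAPTURE), "%")
    print("channels probed:  ", channels_probed(ROAM_CAPTURE))
```

On the constructed timeline the EAP phase accounts for 240 of the 300 ms roam, which points the investigation at the authentication server path rather than at the client radio; a phase reported as None means the capture never saw that section complete, which is also what a capture of a fast-roaming client that skips the full EAP exchange looks like, so record which roaming method was expected in the test case.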

Organizations should invoke these testing procedures in the following circumstances:
  • Wi-Fi infrastructure code upgrades
  • Wi-Fi infrastructure configuration changes
  • Device software upgrades (OS, driver, or supplicant)
  • New device deployments
  • New application deployments on wireless clients
A dedicated lab environment should be created to mimic the production environment as closely as possible. This will also allow testing to be performed in an isolated environment which cannot impact the production network.

Revolution or Evolution? - Andrew's Take
Defining, implementing, and regularly executing wireless network and device verification procedures can be time consuming but can drastically improve network uptime and performance. The initial cost of time, labor, and investment in professional tools will quickly be recouped through the elimination of support incidents, subsequent resource utilization and loss of business. As wireless networks continue to grow more complex and client diversity explodes with the "i-Everything" and BYOD trends, investing time up-front in client testing and verification will reap dividends with improved network stability and should reduce support expenses in the long-run. It will also make your network users (and management) happier!


Wednesday, August 10, 2011

Cisco Sunsets 1250 Series Wireless APs and the CSSC Supplicant

The Nasty Smell of a Cisco 1250 Series AP
Ah, the smell of dying product. It's quite distinct, as "once promising" products that were shiny and new not that long ago are quietly sent off into the sunset, never to ship again. It's a fond time to look back and remember all the marketing material and product hype that pre-sales teams attempted to sell to customers. While some products hold true to their hype and live a long healthy lifespan, others, well... just don't quite ever live up to the expectations and the benefits never quite materialize.

The end of sale / end of life announcements for the Cisco 1250 series APs (Aug. 1, 2011) and Cisco Secure Services Client (CSSC) (July 30, 2011) are examples of the latter; products that never quite fulfilled the vision they were sent out to market with.

The 1250 series APs were released in early 2008 prior to the official ratification of the IEEE 802.11n amendment. At that time, the Wi-Fi Alliance was already certifying 802.11n Draft 2.0 equipment but fear remained (to a certain extent) in the industry around compatibility with the final ratified standard. To that end, Cisco released the 1250 series as a modular dual-radio 11n AP that offered field-upgradability by customers should the final standard prove to be incompatible. Those fears were largely unfounded, as the final amendment was released in Sep. 2009 and proved to be fully backwards compatible.

While the 1250 series excelled as a rugged business-class 802.11n access point providing MIMO, high throughput data rates, better signal quality, and flexible antenna options, it failed spectacularly in product vision. The need for modular hardware never materialized, and Cisco never released upgraded radios as there was never a need to do so. Additionally, product design choices required additional investment by customers to realize the full capabilities of the device. First, higher power draw of 18.5W is required in order to support both radios operating with two spatial streams. Customers without a Cisco proprietary POE+ switch were forced to make a trade-off: power the APs using power injectors or a local power supply, or operate without full 11n MIMO capabilities. Second, the product weighed in at a very hefty 5.1 pounds which created a safety risk if not installed and mounted with proper strain relief. This further increased solution expense for customers requiring additional parts, time, and labor to properly install this husky AP.

The final nail in the coffin came with the removal of the 1250 series from the CCIE Wireless version 2.0 blueprints this past May.

The Cisco Secure Services Client (CSSC) was born out of the 2006 acquisition of security vendor Meetinghouse and their AAA software product line, which included the Aegis SecureConnect wireless supplicant. This was in direct response to Juniper's acquisition of Funk and their Odyssey client package, which was at the time the Cisco recommended solution for clients.

The CSSC client was late to market and wasn't formally unveiled until 2007, but by then the market had matured and customers had found adequate alternatives elsewhere. This was Cisco's first attempt at a unified software package to provide an 802.1X authentication framework for both wired and wireless networks, as well as VPN connectivity.

However, CSSC never took hold with customers and made minimal market impact. The software was burdened with poor end-user usability and difficult administration and maintenance, requiring administrators to use a separate management utility to pre-define configurations, create packages, and bundle license keys for enterprise deployments. In addition, 802.1X timer settings within the software often caused usability and support issues post deployment if administrators were not careful to modify default values. Common problems included premature failover to secondary or subsequent network profiles if authentication and DHCP did not complete within the strict default timer settings.

The CSSC Was Not Particularly "User-Friendly"

So, it's long past due that Cisco sunset these products, retire them to pasture, and move forward with alternative solutions. The emergence of the ruggedized Cisco 1260 series APs and the Cisco AnyConnect client have superseded the need for these products. The quality of native operating system supplicants within Windows 7 and Mac OS X also obviate the need for 3rd party supplicants to a large extent.

I bid adieu, willingly and gratefully!


Friday, August 5, 2011

Cisco Live Twitter Presence

I previously discussed the value of Cisco Live! as a professional networking tool to bring virtual communities together. Well, the compiled highlight video reflects the direct influence that social media had during the event.

A Few Members of our Twitter Group Give a Shout-Out for the Camera!
Includes left-to-right (@networkingnerd, @DougTrex600, @aconaway, @revolutionwifi, @okonovalov, @avalonhawk, @amyengineer, and @radzima)
You can see our Twitter group represented in the following highlight video at the 1:06-1:08 mark (un-official tweetup table outside registration, aka "Tom's Corner" @networkingnerd) and again at the 3:11-3:13 mark (customer appreciation event, reserved tweetup area).

A special thanks goes out to conference organizer and tweetup promoter @Kappadonna!

The power of social media!


Be sure to check out some of these other recaps from our Cisco Live! 2011 Twitter group:

Custom Wireless Access Point Mounts

Quite often the topic of access point mounting options comes up when discussing Wi-Fi solutions and exchanging best practices and experiences with professional peers.

It is not surprising that many professionals in the industry find the vendor supplied AP mounting brackets insufficient, and search for mounting solutions that can better meet their needs in a cost-effective manner. The standard access point mounting brackets bundled by many vendors are usually ineffective for common deployments. By common deployments I mean cubicles, offices, carpeted areas, or generally open and accessible spaces that require omni-directional RF coverage.

Standard Vendor Wall and Ceiling Mount Brackets - bleh!
Vendors typically provide either wall-plate or drop-ceiling frame brackets. Wall-plate brackets are easy to deploy, but having APs visible in the workplace is usually not very aesthetically pleasing (let's face it, most enterprise grade APs are ugly, but some have been getting better), and in many environments wall-mounted APs also cannot provide optimal RF coverage or capacity for the physical space (think of large open areas without interior walls and exterior walls too distant to effectively cover the center of the area). Drop-ceiling frame brackets also typically leave ugly APs exposed and can be a pain to install, having to cut holes in existing ceiling tiles to run Ethernet cables through to the APs. This may not be of big concern for a small company, but deployments of any significant size will quickly realize the inefficiencies involved when installing hundreds or thousands of access points in this manner. Additionally, standard vendor brackets are usually a pain to install with tegular ceiling tiles, where the tiles are not flush with the framing structure but reveal below the edge.

Hence the need for most wireless installers to seek alternative mounting options.

Off-the-Shelf Mounts
A quick search on the Internet will yield hundreds of solutions for off-the-shelf 3rd party mounts for most wireless manufacturers and AP models. Although much more aesthetically pleasing, these solutions are typically extremely expensive. Mounts that cost upwards of $200-$300 each are not uncommon and can significantly increase the solution cost. Considering that enterprise grade access points can be acquired for $300-$600 each (depending on vendor, list price, discount structure, customer contract details, etc.), those 3rd party mounts could very well increase a project budget by 30-70%. That's a significant additional expense for an organization without adding much value.

Note - certain exceptions do exist where specific access point mounting features are required and can drive value for the organization, such as NEMA enclosures for deployment in harsh environments or secured locking enclosures in high risk environments.

Sample 3rd Party Wireless AP Mount - Nice, but Expensive!
Custom Mounts - A Better Solution for Many Applications
Rather than use the vendor supplied mounts or expensive 3rd party mounts, consider creating or sourcing custom mounts that fit your specific needs. For instance, custom drop ceiling mounts can be sourced from a plastics manufacturer that look aesthetically pleasing, cost significantly less (especially when ordered in bulk), and can provide optimal coverage for common spaces requiring omni-directional access point antennas. Here is an example:

Cisco 3502i Custom CELTEC PVC Foam Drop-Ceiling Mount
You can see that the 2'x2' custom mount looks very similar to the 3rd party mount. However, instead of being manufactured out of powder-coated steel or aluminum, this is made with CELTEC PVC Foam. This plastic is highly durable and can easily support the weight and load of most wireless access points.

This mount was made specifically for a Cisco 3502i wireless access point. Partnership with a plastics company was quick and resulted in a fairly simple, yet elegant design. The mount itself is only 1/4" thick allowing for bulk packaging and shipment. The plastic has a custom machined hole that is beveled to match the contour of the front face of the access point. On the reverse side, a neoprene sleeve secures the access point in place to prevent shifting and eliminate risk of injury during installation and maintenance. The neoprene sleeve has a specially designed hole at the center for heat dissipation and stretches for AP installation. A second hole has been engineered to provide easy routing of cables to the access point.

Pricing for the custom mounts is much more reasonable, and can range from $25-$40 each depending on the volume ordered, and typically reduces related expense down to 4-13% of project budget.

Revolution or Evolution? - Andrew's Take
Custom access point mounts can fit a variety of needs in a cost-effective and aesthetically pleasing manner, and allow deployment flexibility to meet RF design requirements. Minimal up-front engineering effort is required when partnering with a plastics manufacturer. Prior to purchasing wireless access points, determine the mounting requirements and leave the mounting kit that most vendors supply out of the purchase. They're usually not worth it anyway. Avoid 3rd party mounts unless you can source them at a reasonable price, and don't get caught paying for extra features (such as swing doors and locking mechanisms) that are not required for your environment. CELTEC PVC Foam mounts provide durable, quality mounts for most deployments. Find a plastics manufacturer that can deliver on your design requirements and is responsive to customer needs.