June 2, 2008
Cisco’s Motion announcement on May 28th was huge for enterprise mobility. It defined some new terms which we will be hearing a lot: “Cisco Motion,” “Mobility Services Architecture” and “Mobility Services Engine.” Cisco Motion is the name of the “vision.” The Mobility Services Engine 3350 is a $20,000 appliance that embodies the Mobility Services Architecture, which is a part of Cisco’s Service Oriented Network Architecture.
Cisco has published a lot of useful information about these new products. A good place to start is the launch webinar, which includes an informative PowerPoint presentation. The Mobility Services Architecture is described in a white paper. There are two press releases: a conventional press release consisting of written words, and a “social media release” consisting of links to YouTube clips and podcasts.
What we’re doing here is abstracting the network control element of the architecture and the services and application integration piece. This reflects what we have been talking about for the last 2 plus years around the Services Oriented Network Architecture. It’s about how we can drive new capabilities into the network, that can be married up with a host of different applications and turned into a solution for our customers. It’s not just applications running over the network. Increasingly with this architecture, it is about applications running “with” the network.
Ben Gibson, Senior Director Mobility Solutions, Cisco Systems
Cisco describes the MSE as a “platform for partnering,” the idea being that it exposes network-level information through an open application programming interface (API) to applications delivered by independent software vendors (ISVs).
Adding wireless to the IP world generates network-layer information that is useful to applications, notably the location of known devices and the presence of unknown ones. The MSE collects that information from the access points and WLAN controllers, normalizes it, and presents it through the API.
Cisco Motion also addresses some downsides of mobility. Adding mobility to the IT world brings a lot of new headaches:
- There are multiple network types (currently cellular and Wi-Fi, later WiMAX)
- There is a profusion of new device types (currently smart phones) which must be managed and tracked
- There is a wave of innovation in consumer applications. Employees are demanding these applications in the enterprise environment.
- Mobility also complicates compliance with data confidentiality regulations like PCI DSS and HIPAA.
So far Cisco has identified four categories of application that can run on the MSE: Context-Aware applications, Wireless Intrusion Prevention Systems, Client Management and Intelligent Roaming.
Context Aware Applications
“Context Aware applications” seems to be Cisco’s term for applications that do asset tracking. Cisco is partnering with ISVs in both horizontal and vertical markets. These ISVs are OAT, Intellidot, Aeroscout, Pango/Innerwireless and Airetrak. The Context-Aware software is scheduled to ship in June 2008.
Adaptive Wireless Intrusion Prevention Systems
Overlay wireless intrusion prevention systems add dedicated sensors to monitor wireless traffic, looking for rogue access points and clients. The innovation here appears to be that the MSE exposes information from the existing access points and wireless controllers, which eliminates the need for those overlay sensors. Cisco says that IPS software running on the MSE can substitute for an overlay IPS while yielding equivalent depth of reporting and features; in practice this depends on how much time the access points can spend scanning channels they are not serving clients on, so coverage is not automatically identical to that of a dedicated sensor. A further benefit of running the IPS over the MSE API is that the same software will be able to handle future wireless networks in addition to Wi-Fi. The Adaptive WIPS software is scheduled to ship in the second half of 2008.
Mobile Intelligent Roaming
This is enterprise Fixed-Mobile Convergence. The MSE isn’t a mobility controller; it issues an event up through the API when it determines that the Wi-Fi network needs to hand the call off to the cellular network. This event is handled by mobility controller software from an ISV. Cisco’s launch partners for this are Nokia for phones, and Agito on the mobility controller side. The Mobile Intelligent Roaming software is scheduled to ship in the second half of 2008.
Secure Client Manager
This works with Cisco’s 802.1X and Cisco Compatible Extensions (CCX) products. Cisco estimates that 80% of IT’s wireless and mobility effort goes to client troubleshooting and security provisioning. The Secure Client Manager is meant to reduce that burden for the imminent wave of mobile devices. The Secure Client Manager is scheduled to ship in the first half of 2009.
Unified Wireless Network Software
Cisco Motion requires a new software load for the access points and WLAN controllers: the Cisco Unified Wireless Network Software Release 5.1, which shipped in May 2008.
March 7, 2008
Ken Dulaney, Gartner VP distinguished analyst and general mobile device guru, told the crowd at the Gartner Mobile & Wireless Summit today that he still can’t recommend businesses adopt the iPhone — even with an SDK. Dulaney said that he recently wrote Apple a letter in which he outlined several things Apple would need to do with the iPhone before Gartner could change its mind about it. The directives included:
- Permit the device to be wiped remotely if lost or stolen
- Require strong passwords
- Stop using iTunes for syncing with a computer
- Implement full over-the-air sync for calendar and PIM
Jason Hiner, TechRepublic March 5th, 2008
On the same day Dulaney said this in Chicago, Phil Schiller of Apple was holding a news conference in Santa Clara granting some of these wishes, and many more:
- Microsoft Exchange support with built-in ActiveSync.
- Push email
- Push calendar
- Push contacts
- Global address lists
- Additional VPN types, including Cisco IPsec VPN
- Two-factor authentication, certificates and identities
- Enterprise-class Wi-Fi, with WPA2/802.1X
- Tools to enforce security policies
- Tools to help configure thousands of iPhones and set them up automatically
- Remote device wiping
At the news conference Apple wheeled out several corporate endorsers: Genentech, Stanford University, Nike and Disney.
At first blush, the new enterprise-oriented capabilities of the iPhone appear to be an IT manager’s dream come true (though it will be a while before the dream is a reality). Even this contrarian post concedes that it will make the iPhone more competitive with the BlackBerry, while faulting Apple for not having a comprehensive enterprise strategy.
Apple is clearly serious about the enterprise smartphone market, and this strategy is sound. The business market supports price points that easily accommodate the iPhone, and this strategy spills over to the business PC market in two ways: today by acting as a door-opener for Mac sales, tomorrow by evolving the iPhone into a PC replacement for many users.
February 22, 2008
George Ou of ZDNet reports that the 802.1X authentication techniques used on some Wi-Fi handsets may be vulnerable. The problem is that these handsets may not validate the certificate presented by the authentication (RADIUS) server. With tunneled EAP methods such as PEAP or EAP-TTLS, that certificate is the only thing that tells the handset it is talking to the real server; if validation is skipped, an attacker running a rogue access point with his own RADIUS server can terminate the TLS tunnel himself and capture the inner credential exchange, which for MSCHAPv2 is crackable offline. Skipping validation speeds up roaming, but it means the handset could disclose user login credentials to a sophisticated, determined attacker. Ou suggests using WPA-PSK with a long passphrase instead of 802.1X with these handsets. The trade-off is that a pre-shared key is one secret shared by every handset, so a lost or stolen handset means rekeying all of them; where the handset can be configured to validate the server certificate and check its name, enabling that is the better fix.
Vocera’s documentation, which Ou references, has more depth on the performance trade-offs of various Wi-Fi security options.
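As an added example (not code from the original post, Ou’s article or Vocera’s documentation), the following script audits wpa_supplicant-style network blocks for exactly the weakness described above: an 802.1X/EAP network with no `ca_cert` and no server-name check. The three configuration blocks are constructed for illustration; the option names (`key_mgmt`, `eap`, `phase2`, `ca_cert`, `domain_suffix_match`, `subject_match`, `altsubject_match`) are real wpa_supplicant options, and the hostname `radius.corp.example` and certificate path are assumptions.

```python
"""Audit wpa_supplicant network blocks for EAP settings that skip RADIUS
server certificate validation (the handset weakness Ou describes).

Added example; the config text is constructed, not taken from any vendor.
"""
import re

# Constructed: a PEAP/MSCHAPv2 network that accepts any server certificate.
WEAK = """
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="handset-042"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: same network, pinned to the corporate CA and server name.
HARDENED = """
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="handset-042"
    password="s3cret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

# Constructed: Ou's fallback, WPA-PSK. No server cert to validate, but one
# secret shared by every handset.
PSK = """
network={
    ssid="corp-voice-psk"
    key_mgmt=WPA-PSK
    psk="one long passphrase shared by every handset on this SSID"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(text)]


def audit(net):
    """Return a list of findings for one network block (empty means OK)."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").upper().split():
        return findings  # not 802.1X, so there is no server cert to validate
    if "ca_cert" not in net:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name check: any cert from the CA is accepted")
    eap = net.get("eap", "").upper()
    if eap in ("PEAP", "TTLS") and findings:
        # The TLS tunnel is the only protection for the inner method.
        findings.append("%s inner %s credentials exposed to a rogue server"
                        % (eap, net.get("phase2", "?")))
    return findings


def audit_config(text):
    """Map each SSID in the config text to its findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED), ("psk", PSK)):
        for ssid, findings in audit_config(cfg).items():
            print(label, ssid, findings or "OK")
```

Run it on a real `wpa_supplicant.conf` by reading the file into `audit_config`; any EAP network that comes back with findings is one where a rogue access point in range can harvest credentials.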
September 14, 2007
QoS metrics are important, and several companies have products that measure packet loss, jitter, latency and so on. But you can have perfect QoS, and your VoIP system can still be defective for all sorts of reasons.
I spoke with Gurmeet Lamba, VP of Engineering, at Clarus Systems at the Internet Telephony Expo this week. He said that even if a VoIP system is perfectly configured on installation, it can decay over time to the point of unusability. Routers go down and are brought up again with minor misconfigurations; moves, adds and changes accumulate bad settings and policy violations.
VoIP systems are rarely configured perfectly even on installation. For example, IP phones have a built-in switch so you can plug your PC into your desk phone. That PC port is enabled by default. But some phones are installed in public areas like lobbies. It’s easy for installers to forget to disable the port on those phones, so anybody sitting in the lobby can plug a laptop into the LAN. There are numerous common errors of this kind. Clarus has an interesting product that actively and passively tests for them; it monitors policy compliance and triggers alarms on policy violations.
Clarus uses CTI (computer telephony integration) to do active testing of your VoIP system, looking for badly configured devices and network bottlenecks. Currently it works only on Cisco voice networks, but Clarus plans to support other manufacturers.
Clarus started out focusing on automated testing of latency, jitter and packet loss for IP phone systems. It went on to add help desk support with remote control of handsets, and the ability to roll back phone settings to known good configurations.
The next step was to add “Business Information,” certifying deployment configurations, and helping to manage ongoing operations with change management and vulnerability reports. Clarus’ most recent announcement added passive monitoring based on a policy-based rules engine.
Clarus claims to have tested over 350,000 endpoints to date. It has partners that offer network monitoring services.
June 19, 2007
In-Stat published a report today, predicting that corporate spending on wireless voice and data services will outstrip spending on wireline services by 2010. The report is pitched at service providers, pointing out that corporate users are more profitable. Of course some service providers, like Sotto, already pin their strategy on this. The report also encourages corporations to unify their wireless spending, rather than have employees get their service piecemeal and expense it. I wrote about this in an earlier posting.
As cell phones get smarter and as they get more tightly bound into corporate networks, security becomes a major concern. This is the subject of two stories in today’s Wall Street Journal. The first tells how the iPhone is precipitating a standoff between IT managers who don’t want it on their networks, and users who want to use it as a corporate email client. The second explains how iPods, iPhones and any device with storage and a USB connector constitute network security threats.
My May column in Internet Telephony Magazine is about the Jericho Forum, which proposes a radical solution to the security concerns of the wireless enterprise.
February 26, 2007
Ryan Naraine talks about exploits on Wi-Fi networks, and how easy they are: first with a tool called Silica, then with free software running on a Nokia N800.
Exploits of this type can be prevented by elementary network hygiene: the authentication and encryption of 802.11i (WPA2), with 802.1X for authentication where the client supports it.
A different kind of vulnerability has been described by “Johnny Cache.” This type of vulnerability is more insidious.
In lab tests it has been possible for a device masquerading as an access point to answer a client’s probe requests (management frames that must always be sent in the clear, before any authentication can take place) with a malformed probe response that causes a buffer overrun in the computer that is looking for a network. Because these buffer overruns are in the 802.11 driver, they can be designed to execute hostile code in kernel mode.
Of course this type of vulnerability is specific to particular Wi-Fi driver implementations, and all the reported ones have been patched. More reassuring, there is no reported case of this type of exploit actually being used in the wild. But the principle remains that a badly written network driver can compromise your security regardless of the higher-level measures you take, and because anyone in radio range can send management frames to a scanning client, wireless networks are more exposed to this class of bug than wired ones.
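The bug class above is a driver trusting the length byte of an information element (IE) in a probe response and copying it into a fixed 32-byte SSID buffer. As an added example (not code from the original post or from any vendor driver), here is a bounds-checked parser for a probe response body that rejects such frames instead of overrunning. The frame bytes are constructed by hand; the element IDs (0 for SSID, 1 for supported rates, 3 for DS parameter set) and the 32-octet SSID limit are from the 802.11 standard.

```python
"""Bounds-checked 802.11 probe response parser.

Added example; the frames below are constructed, not captured. The point
is the two length checks: a driver that skips them and memcpy()s the SSID
into a 32-byte buffer is the overrun the post describes.
"""
import struct

SSID_MAX = 32           # 802.11 caps the SSID at 32 octets
EID_SSID = 0
EID_SUPPORTED_RATES = 1
EID_DS_PARAMS = 3
FIXED_LEN = 12          # timestamp(8) + beacon interval(2) + capability(2)


class MalformedFrame(ValueError):
    """Raised instead of reading or writing past a buffer."""


def parse_probe_response(body):
    """Parse a probe response frame body (everything after the MAC header).

    Returns {'beacon_interval', 'capability', 'ssid', 'ies': {eid: bytes}}.
    """
    if len(body) < FIXED_LEN:
        raise MalformedFrame("fixed fields truncated")
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = {}
    off = FIXED_LEN
    while off < len(body):
        if off + 2 > len(body):
            raise MalformedFrame("IE header truncated at offset %d" % off)
        eid, length = body[off], body[off + 1]
        start, end = off + 2, off + 2 + length
        if end > len(body):
            # The length byte claims more data than the frame carries.
            raise MalformedFrame("IE %d length %d overruns frame" % (eid, length))
        if eid == EID_SSID and length > SSID_MAX:
            # The check the vulnerable drivers lacked: a 200-byte "SSID"
            # copied into char ssid[32] is a kernel stack/heap overrun.
            raise MalformedFrame("SSID length %d exceeds %d" % (length, SSID_MAX))
        ies[eid] = body[start:end]
        off = end
    ssid = ies.get(EID_SSID, b"").decode("utf-8", "replace")
    return {"beacon_interval": interval, "capability": cap,
            "ssid": ssid, "ies": ies}


def ie(eid, payload):
    """Encode one information element: id, length, payload."""
    return bytes([eid, len(payload)]) + payload


def is_malformed(body):
    """True if the parser rejects the frame (used by the demo below)."""
    try:
        parse_probe_response(body)
    except MalformedFrame:
        return True
    return False


# Constructed frames. Timestamp 0x1234, beacon interval 100 TU, capability
# bits ESS + privacy + short slot.
FIXED = struct.pack("<QHH", 0x1234, 100, 0x0411)

GOOD_FRAME = (FIXED
              + ie(EID_SSID, b"corp-wifi")
              + ie(EID_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
              + ie(EID_DS_PARAMS, bytes([6])))

# Rogue AP 1: SSID IE with a 200-byte payload, all of it present in the frame.
EVIL_LONG_SSID = FIXED + ie(EID_SSID, b"A" * 200)

# Rogue AP 2: SSID IE claims 255 bytes but only 40 follow (read overrun).
EVIL_TRUNCATED = FIXED + bytes([EID_SSID, 255]) + b"A" * 40

if __name__ == "__main__":
    print(parse_probe_response(GOOD_FRAME)["ssid"])
    for name, frame in (("long ssid", EVIL_LONG_SSID), ("truncated", EVIL_TRUNCATED)):
        print(name, "rejected" if is_malformed(frame) else "accepted")
```

The same two checks apply to every IE a driver parses before association, not only the SSID: the supported-rates, vendor-specific and RSN elements have all been overrun targets in the past, and each has its own maximum length that the length byte must be checked against.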
So, is Wi-Fi too insecure for corporate use? Neither of the two classes of vulnerability discussed here seem to be stoppers. The Naraine exploits are addressed by simple common sense; the known driver vulnerabilities were repaired before anybody exploited them in the wild. There are almost certainly more like that waiting to be found, but on the scale of risks, this has so far ranked low compared to the many widely publicized instances of physical theft of a laptop.