THE BLOG ★ Ramblings on WiFi & stuff.

So, You Wanna Start a Business?


I was referred to THIS post, written by Devin Akin on his first 6 months in business, by @80211Alan. Really good stuff. I’ve been wanting to write something about my experiences as well, and after reading Devin’s post it spurred me to write this one.

Actually, this started as a comment on his blog agreeing with his points, but then I realized it was getting long. So, I’m basically posting the response to his post here. So, here are things I’ve learned in my 5 years with CommunicaONE:

 

FOCUS

CommunicaONE is my 3rd attempt, and I’ve sucked at all of them except this last one. FINALLY realized that you can’t do EVERYTHING, business is NOT the same as engineering, and everyone is NOT your customer. Pick the things you CAN and WANT to do well, and then strive to be better than the rest at those SPECIFIC things.

I dropped voice, I dropped the server stuff, I dropped saying, “Sure, I’ll do that. How hard can it be?”, and FOCUSED on WLAN and networking. They complement each other and I can focus on learning to do them well. I’m not saying don’t learn about other things. I’m saying, as a SMALL business, focus your energies on what you can do quickly, efficiently, and well.

 

REACH OUT TO OTHERS

Devin hit the nail on the head here. No man’s an island. On this 3rd attempt I got a business consultant (who is now my partner). This was NIGHT and DAY different from my previous attempts. I had someone to hold me accountable, and help with areas I knew nothing about. Also, I got involved in the WLAN community and I can tell you that as the Good Book says, “Iron Sharpens Iron”.
 

PROVERBS 27:17
"As iron sharpens iron,
so one person sharpens another.”

 

One last thing on this point, I send work to other companies. It’s true. If a potential customer is not in my actual wheelhouse, or I don’t have the bandwidth to support them at that time, I will hook them up with a competitor. I’m crazy, I know, but I’ve built relationships with other people where we trust each other. I’m not stealing their clients, they’re not stealing ours, and we help each other out if one can’t do the project. Sometimes, it means referring a customer, other times it means we’ll sub each other out to fill in.

All I’m saying is, I’d rather have a good competitor that helps keep the skill-level up in our region than have a bunch of rinky-dink ones bringing everyone else down. 

 

BE EFFICIENT

DO NOT spend money where it’s not needed, but DO ABSOLUTELY spend money where it will do the most good. For example - DON’T waste money on fancy office furniture (or an office for that matter), especially if no one will ever see it! But, DO SPEND on say a quality office chair. You’ll be working there a lot and it makes a difference. Don’t spend on advertising, or Web designs, or for heaven’s sake don’t wrap your car in fancy graphics (“Kewl Kats Komputing - we’ll fix ANYTHING!”), but do pay for a Squarespace account (if like me, you’re no web designer), or another quality web host. You DO NOT want your Web site, or e-mail going down when you’re in the middle of a bid, or RFP. Post relevant content online, use social media, CALL PEOPLE. These are FREE.

Also, take this for what it’s worth, but if you need to learn (as I did/do) SPEND MONEY ON LEARNING! Not only do we need qualified WLAN pros out there, but word gets around. When you specialize, and put time/money/effort into becoming better at what you do - PEOPLE NOTICE.

Money cometh! Or, at least, opportunities will present themselves, because the people with the money (at least the customers you WANT) are looking for the best bang for their buck. Not the cheapest dude around (I ran 2 companies into the ground under that fallacy). But, in order to price yourself well you need to be worth it.

It’s important to understand, however, that you don’t make money by saving money. What I mean is - be frugal, but not stingy. I buy my team the most expensive MacBook I can afford. Not because we need fancy computers, but because they complement our workflow, are phenomenally stable, are UNIX/BSD based, and the battery lasts forever. I don’t have time to be my own SysAdmin. This saves time AND money. I know this from experience.

 

DON’T FEEL OBLIGATED TO LOOK LIKE OTHER COMPANIES

You’re not IBM. You’re not Accuvant. You’re not Presidio. Be yourself. Your success DOES NOT have to look like theirs. I don’t have 50, 60, 100 people on staff (I don’t ever want to), but I do have the people I WANT, who are easy to work with, and are passionate about what we do. Also, what works for them may not necessarily work for you. Think about what you want your business to look like.

Here’s the nitty-gritty - DECIDE who your customer is. I mean actually THINK about what that looks like. Are they retail? Are they big? Are they small? Do they have multiple locations? Local companies (you hate to travel), or national firms (you love to travel)? Are they companies with strong IT departments, or weak ones? If they’re weak maybe you can be their outsourced IT. If they’re strong you come in as the high-priced specialist.

What I’m saying is everyone DOES NOT have to be your customer. If they are not a fit say no. Just because you ran sound for the band in high school does not mean you should be installing A/V at a law firm. Focus your energies on finding customers that your company can best complement.

Believe me, money cannot make up for a horrible customer/vendor experience. It’ll suck for you because you’ll feel slighted and they may tell others not so pleasant things about you. It’ll suck for them because they will not have gotten their money’s worth and feel ripped-off.

Nobody wins.

 

FINANCES

I personally have no interest in doing my own finances. I’m not good at it and I’ve already ruined 2 companies trying to save money here. This is one place I absolutely put money in to. Good bookkeepers are not cheap, but if they are good, they’re fast, and will make sure you’re not screwing yourself.

ABSOLUTELY, get a payroll service. Even if you can’t pay yourself much, or at all in the beginning, this will make sure you are compliant with State, and Federal taxes. This is from painful experience. If you’re not up to the challenge of keeping tabs on this stuff use a payroll service.

Personally, I use Quickbooks Online because it downloads all my transactions automatically, and I can access everything (invoices, payroll, balances) anywhere, even on my smartphone. I don’t have to be on top of making sure my Quickbooks and bank show the same thing. Also, I use their payroll because it’s pretty inexpensive and it integrates with QBO. It’s a monthly expense I’m willing to make because it saves me time and money.

 

SAY NO

When you start out you’re gonna be desperate for work. You have a mortgage to pay, probably kids, a spouse, a car payment, etc. But, hear this: When you start a business alone, YOU are the sales team, YOU are the marketing team, YOU are the support team, YOU are Accounts Payable AND Receivable.

If you are spending all your time doing small projects that suck your time away how will you: Get new clients? Market your company? Support your existing clients? Invoice your customers and pay your vendors? Remember, each of these things takes TIME. If we learned anything from INTERSTELLAR it’s that TIME IS A RESOURCE.

When you start a business you’re going to need time for: Learning/Training, Research, Selling, Marketing, putting together SoWs, Invoicing, Collecting. And how about actually DOING THE WORK? 

The hardest part of starting new is getting work and getting paid. Which brings me to the next bit…

 

CHARGE A LOT

Ok, I’m being a bit facetious here. What I am saying is that your time, your knowledge, your skill, has VALUE. Even if you don’t think so, it does. DO NOT be the guy that’s gonna win the market because you’re cheaper than the incumbent. Be reasonable, but don’t sell yourself short.

Here’s a secret - the customers you want ARE NOT looking at price. At least, not as the primary, or deciding factor. They are looking to see if you can get the project done, on-time, on-budget, with the least friction as possible. I’ve gotten jobs where we were BY FAR the most expensive option they looked at, but they chose us because they believed we brought the skills and expertise they needed. Also, believe it, or not, a higher rate makes you stick out - as in, “why are they so much more than company A?”. They assume (and it’s your job to make it TRUE) that you cost more because you are better. Plain & simple.

 

OWNING A BUSINESS AIN’T NO VACATION

Despite what your friends/family/acquaintances say, you can’t just take time-off whenever you want because “you work for yourself”. I think it’s pretty insulting when people say how nice it must be to work for myself because I can do whatever I want. REALITY CHECK - if you want to be successful, if you want to make money, if you want people to take you seriously, you have to put TIME AND EFFORT into your business. I love what I do. I can’t imagine doing anything else, but I never for a minute forget I’m running a business.

You’ll be working a lot - especially in the beginning. More than a regular job. Why? Remember earlier, ” YOU are the sales team, YOU are the marketing team, YOU are the support team, YOU are Accounts Payable AND Receivable”? When do you think this stuff happens? If you’re working on projects who’s selling? Who’s invoicing? Who’s updating the Web site?

You are, my friend.

Be prepared to kiss your wife/husband, and kids goodnight after dinner so you can go through Quickbooks and make sure that your invoices are up to date, your sales taxes are paid, and that the SoW you promised your customer will be in their inbox in the morning - is in their inbox in the morning. That’s all you.

You may be on the couch with a Firefly (the greatest show evar.) marathon playing in the background on the TV, but it’s all you. Unless you’re starting with a crack staff on day one - you will be busy.

Eventually, as your business grows, and you maybe bring on some people, as you figure out the best workflows, you’ll be able to take that month vacation, buy that fancy new car, pay off your kid’s appendectomy. But, in the beginning, you’ll be wearing a lot of ill-fitting hats.

Now, with clear eyes, and full hearts, get out there and make some business!

Cellular Exploitation on a Global Scale

Wow, this is probably one of the worst security exploits in a series of recent massive security exploits. Matt Solnik at Accuvant Labs broke the news on this OTA exploit. This was a few months ago, but I’ve only really recently heard of it.

It’s possible to exploit bad carrier management client software and remotely compromise most smartphones on the planet. Seriously, scary stuff.

Here is the pdf of his slides


Listen to the Risky Business podcast where he talks about the exploit
(The interview starts at 29:15)

APs In Hallways - Don't Do It!

APs IN  HALLWAYS - DON’T DO IT!  -from Eddie Forero (@HeyEddie) on Vimeo.

*A caveat on the video:

These APs are using omni-directional antennas. This does not account for using some type of directional antenna, or putting real thought into the design. But, in reality, most hotel “designs” are just drop APs in hallways and crank up the volume.

Also, I recorded this in a coffee shop using a bluetooth headset, because when inspiration hits you move!

En Route to the 1St CWNP Conference 2014


I’m on my way to the CWNP Conference in Raleigh, North Carolina, and I’m currently stuck in Charlotte for two hours waiting for my connection. :-( But, it gives me a little time to make this blog post, so at least there’s that!   :-)

I’m really looking forward to this first of hopefully many CWNP conferences. The biggest thing I’m looking forward to is catching up with friends from WLPC and making new ones there in Raleigh. Putting faces to Twitter handles is becoming a new hobby!

One thing I’ve found is that the wireless community is very generous with their knowledge (and their opinions) :-). Most of the people I’ve met via Twitter, conferences, and various projects have been very supportive of me and my ignorance as I make my way through the labyrinth of 802.11. It’s been this support that has helped me grow in knowledge and confidence as I voyage through my chosen profession.

Of course I’m also looking forward to the sessions that will be going on - particularly the sessions on stadium design, healthcare, Zaib’s session on cloud Wi-Fi performance testing, and whatever GT Hill will be talking about!

I encourage anyone who’s involved in wireless - be it as a VAR, if you work for a vendor, or it’s part of your job responsibility - to not just look at the CWNP certification path, but also get involved in the community. Questions can be answered, ideas validated, methods questioned, and techniques shared. Whether it’s through social media, or conferences, I can only see it as a plus for anyone looking at a career in wireless.

See you at CWNP 2014!


* Posted on iPhone 6, Silver. ™ 😜

What’s been impossible on iOS, but easy on Android for years, has finally come (back) in iOS 8.

Wi-Fi scanning can now be performed. You can see SSIDs, even hidden ones, and view RSSI. For now, it’s only available via the Apple Airport Utility and it needs to be manually enabled in settings.

Sorry, no API access for 3rd party developers (yet), but at least WLAN aficionados can finally scan wi-fi on iOS devices!

Download Apple Airport Utility:

https://appsto.re/us/YJ7Dz.i

802.11ac Analysis Webinar from CWNP

Presented by Tom Carpenter.

In this webinar, CWNP offers suggestions and information on the hardware and software available in the fall of 2014 to perform analysis of 802.11ac WLANs. Hardware demonstrated includes the Linksys WRT1900ac, the Cisco WAP371, the Edimax EW-7822UAC, the NETGEAR A6200 and the Wi-Spy DBx. Software includes Omnipeek, Commview for WiFi, Airmagnet, and Wireshark.

Leverage DHCP Fingerprinting in ArubaOS


I was recently at a customer site upgrading an Aruba controller and doing some basic WLAN “best-practices”. During this I was asked by the customer if there was a way to keep mobile devices off the corporate network. Without something like Aruba’s ClearPass it’s not easy to identify and restrict these devices.

My initial thought was with their current solution (Microsoft NPS) they couldn’t easily keep 802.1X capable devices from connecting to the corporate WLAN if they had valid AD credentials. Then as I was working it occurred to me that Aruba mobility controllers use DHCP fingerprinting to profile devices. I could leverage that ability to help keep mobile devices off the corp WLAN. It’s not 100% accurate *(and should not be considered a complete security solution), and I let the customer know this, but it identifies iOS and Android devices pretty well.

Essentially, a DHCP fingerprint is an “almost” unique identifier for an OS or device type. The DHCP protocol (RFC 2132) allows information other than just IP requests and acknowledgments to be sent. These DHCP “options” include vendor-specific information, and the set of options a client asks for (and the order it asks for them in) differs enough between implementations that devices and even OS versions can be identified by that signature. Since ArubaOS supports matching on these options, we can create roles for the various devices and OSes and thus provide some level of management of them.

For example, we can create a rule that says if a device is an iPhone it will be placed in the “Mobile_Device” role. This role can then be restricted to Internet only with no access to internal resources, placed in another VLAN, or just sandboxed altogether. *Not the best overall solution, but it works well enough.

Step one is to identify the DHCP fingerprint for that specific device. There are several ways to do this and a simple Google search will give you plenty of options. You can also search for the specific fingerprint as well and hopefully someone will have posted it. In this post we’ll just focus on using ArubaOS to find the fingerprint. But here is a list I’ve compiled so far from various blog posts and from the Aruba Airheads community:

 

  • Android_device - (3C64686370636420342E302E3135)
  • Android 2.X - (3c6468637063642034)
  • Android 2.2 - (3701792103061c333a3b)
  • Android 2.3.X - (0c616E64726F69645F)
  • Android 4.0.X - (37012103060f1c333a3b)
  • Android 4.0.X(2) - (37012103061c333a3b)
  • Blackberry 2 - (3C426C61636B4265727279)
  • Blackberry(2) - (370103060F775ffc2c2e2f)
  • iOS Device - (370103060F77FC)
  • iPad - (37011c02030f06770c2c2f1a792a)
  • OS X 10.6 - (370103060f775ffc2c2e2f)
  • OS X 10.7 - (370103060f775ffc2c2e)
  • Win Mobile6 - (370103060f2c2e2f)

 

How To Find A DHCP Fingerprint

Step 1

Log in to the CLI of your Aruba controller and go to enable mode. Once there go to configure mode and enable logging level debug for DHCP by entering:

(config)# logging level debugging network

Step 2

Connect your device to the appropriate WLAN and then use the show command to view all the recent network entries. Search for the MAC address of the device and locate the DHCP option:

(config)#show log network all | include options

You should then see output like this (one log line per DHCP request):

Sep 7 12:54:43 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173e6 reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79
Sep 7 12:55:15 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:60:2e:xx:xx:xx Transaction ID:0x464bcafb reqIP=192.168.15.248 Options 3d:0100602e024a08 3c:756468637020302e392e392d707265 37:0103060c0f1c
Sep 7 12:57:20 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173ef reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79

You’re looking for the options ArubaOS can key on: the ones that start with 37, 0C, 3C, or 51. These are the hex values of DHCP options 55 (parameter request list), 12 (host name), 60 (vendor class identifier), and 81 (client FQDN). The other tags in the output are just the rest of the request: 39 is option 57 (max message size), 3D is option 61 (client identifier), and 33 is option 51 (lease time). In the above example the fingerprint for my device is 37:0103060f77fc, an iPhone (the 0C value on the same line is its host name in ASCII). So, what I would use is that value without the colon (:) - just 370103060f77fc. Now that we have found the DHCP fingerprint we can create our rules and start enforcing policy.
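To make the log-reading step concrete, here is an added Python example (my own, not code from this post or from Aruba) that parses lines in the format shown above, builds the option-55 value a user rule would match on, decodes the printable options 12 and 60 as a sanity check, and looks the fingerprint up against a few entries from the list earlier in the post. The log lines are constructed to match the format above with made-up MAC addresses, and the role names and the default role are assumptions.

```python
"""Decode the option dump ArubaOS writes to 'show log network' and work out
which user rule a DHCP fingerprint would hit (added example, not Aruba code)."""
import re
from typing import Dict, Optional

# RFC 2132 option tags (decimal) that show up in the log lines above and in a
# typical option-55 parameter request list.
OPTION_NAMES = {
    1: "subnet-mask", 3: "router", 6: "domain-name-server", 12: "host-name",
    15: "domain-name", 28: "broadcast-address", 33: "static-route",
    44: "netbios-name-server", 46: "netbios-node-type", 47: "netbios-scope",
    51: "lease-time", 55: "parameter-request-list", 57: "max-message-size",
    58: "renewal-time", 59: "rebinding-time", 60: "vendor-class-identifier",
    61: "client-identifier", 81: "client-fqdn", 95: "ldap",
    119: "domain-search", 252: "proxy-autodiscovery",
}

# Fingerprint -> (description, role). Fingerprints are from the list in this
# post (lower-cased); the role names are assumptions made for this example.
KNOWN_FINGERPRINTS = {
    "370103060f77fc": ("iOS Device", "Mobile_Device"),
    "37012103060f1c333a3b": ("Android 4.0.X", "Mobile_Device"),
    "37012103061c333a3b": ("Android 4.0.X(2)", "Mobile_Device"),
    "370103060f775ffc2c2e2f": ("OS X 10.6", "Corp_Laptop"),
    "370103060f775ffc2c2e": ("OS X 10.7", "Corp_Laptop"),
}
DEFAULT_ROLE = "authenticated"  # assumed: what the AAA profile gives everyone else

MAC_RE = re.compile(r"\bREQUEST\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_options(line: str) -> Dict[int, bytes]:
    """Return {tag: raw bytes} from the 'Options 37:... 39:...' tail of a log line."""
    _, found, tail = line.partition("Options")
    if not found:
        return {}
    opts: Dict[int, bytes] = {}
    for token in tail.split():
        tag, colon, value = token.partition(":")
        if not colon or len(tag) != 2:
            continue
        try:
            opts[int(tag, 16)] = bytes.fromhex(value)
        except ValueError:  # not hex, or odd length: skip rather than guess
            continue
    return opts


def fingerprint(options: Dict[int, bytes], tag: int = 55) -> Optional[str]:
    """The value an ArubaOS user rule matches: hex tag + hex value, no colon."""
    if tag not in options:
        return None
    return f"{tag:02x}{options[tag].hex()}"


def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one REQUEST line and report the role the user rule would assign."""
    mac = MAC_RE.search(line)
    options = parse_options(line)
    if not mac or not options:
        return None
    fp = fingerprint(options)
    device, role = KNOWN_FINGERPRINTS.get(fp, ("unknown", DEFAULT_ROLE))
    return {
        "mac": mac.group(1).lower(),
        "fingerprint": fp,
        "device": device,
        "role": role,
        # Options 12 and 60 are printable and help sanity-check a match, but
        # every option here is chosen by the client, so none of it is proof.
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),
        "requested": [OPTION_NAMES.get(b, str(b)) for b in options.get(55, b"")],
    }


# Constructed log lines in the format shown above; the MAC addresses are made up.
SAMPLE_LOG = [
    "Sep 7 12:54:43 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST "
    "b8:e8:56:f1:e0:9c Transaction ID:0xb78173e6 reqIP=192.168.15.6 "
    "Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79",
    "Sep 7 12:55:15 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST "
    "00:60:2e:02:4a:08 Transaction ID:0x464bcafb reqIP=192.168.15.248 "
    "Options 3d:0100602e024a08 3c:756468637020302e392e392d707265 37:0103060c0f1c",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

The first sample line resolves to the iOS fingerprint with host name “Firefly”; the second carries a udhcp vendor class and a parameter request list that is not in the table, so it falls through to the default role, which is exactly what happens on the controller when a device has no matching user rule.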

Create a User Role

A user role is just a set of policies for the user/device in that role. This role can simply be an “allow-all” policy that does not restrict access, or it can be very specific like only allowing DHCP, DNS, and http/https to the Internet. Or, as stated previously, placing the device in a different VLAN. It can even just be a role that denies access altogether. Regardless, the role needs to be created first so we can apply it in the User Rules for the devices later on. Since roles are pretty common usage in ArubaOS I’ll just say create the roles you want how you want. You can call it “iPhones”, or “MacBooks”, or “Android”, etc. If you don’t know how to create roles, page 265 in the Aruba OS User Guide walks you step-by-step.

Create A User Rule for the DHCP Fingerprints

  1. In the controller UI go to Security > Authentication > User Rules.
  2. Click on “Add” to create a new User Rule. Give it a name like “Mobile_devices.” You will be able to add multiple fingerprints in one rule so you don’t have to create multiples if you don’t need to.
  3. Now click on your newly created rule and then click “Add” to start adding your rules. Here’s an example of adding an iOS signature:
  • The “set-type” is Role since we want a specific role to be assigned to this device when it connects.
  • "Rule Type" says we’re looking at the DHCP options.
  • "Condition" is what condition is met to trigger this rule - so "equals" is what we want.
  • "Value" is what the condition of "equals" will match. This will be your DHCP fingerprint.
  • "Role" is the role you created earlier.
  • And lastly the description of this rule. (i.e. iOS Device, Android Phone, AppleTV, etc.)

Finally, click “add” and you’ve created your first rule!

Apply The New User Rule

So, now we have the User Role that will be assigned to devices matching the DHCP fingerprints we have added in the User Rule. So, to make the magic happen we need to apply the User Rule to the AAA profile assigned to the specific VAP (Virtual AP) that you want this rule to function on.

  1. In the controller UI navigate to Configuration > Security > Authentication > AAA Profiles.
  2. Click on the profile for the WLAN/SSID you want to apply the User Rules to.
  3. On the right you should see an option called "User derivation rules". From the drop-down select the User Rule you created. Click "Apply" to save your changes.

Now connect your fingerprinted device to the appropriate SSID. If your device was recently connected it may still have same role it had before. This is because it has not yet aged out of the database. To ensure that the device gets the correct role you should delete it from the database. The best way to do this is from the CLI. SSH into the controller, go to enable mode, and enter the following:

(Master-7010) #aaa user delete mac [device mac address]

Now you should reconnect and see that your device has been given the new mobile device role that you assigned in your User Rule for that specific device’s DHCP fingerprint. The controller matched the DHCP fingerprint of your device with the rule you created and assigned the appropriate User Role.

Now, as I said in the beginning, this isn’t 100% fool-proof, but it catches most modern devices. It’s already part of the OS and short of purchasing ClearPass this is a great way to manage devices on your WLAN.

*UPDATE: As one reader has already mentioned, this should not be considered a high-security solution. Every DHCP option is chosen by the client, so anyone who wants their phone in the corporate role only has to change the parameter request list it sends, and a device with a static address never sends the DHCP request there is to fingerprint. At best it lets you keep well-behaved devices off, or keep them from consuming DHCP address space, etc. For a more comprehensive way to secure and manage BYOD you should look at products such as Aruba’s ClearPass.

In any case, if all you have is an Aruba WLAN this is another useful tool to have in your tool bag.