PHAT APs
By CWNP On 05/18/2009 - 15 Comments
Dude. PPSK. 'nuff said.
Well, actually, I have lots more to say, but you get my point. My friends at Aerohive would have you believe that their new solution, 'Private PSK' (let's just call it PPSK), was designed to:
1. Increase security on enterprise-class devices that either don’t support 802.1X/EAP or don’t support it very well (e.g. no fast/secure roaming)
2. Offer secure hotspot services
While on both counts they are right on the money, the story doesn't end there. When combined with their Virtual HiveManager (vHM), this stuff becomes the coolest thing since...well, the last Aerohive solution I wrote about: HiveUI. See my blog article called ‘Collectonomous’ and another cool article from Lisa Phifer here: http://www.wi-fiplanet.com/reviews/article.php/3812366 . There are SO many things you can do with this type of ‘half way between 802.1X/EAP and PSK’ solution!
vHM is an online WNMS that manages their PHAT APs (my new term for describing the coolest, fastest, smartest APs I've ever seen). You just connect each AP, let it pull an IP (DHCP), SSH into it using the default un/pw, issue one command - 'hivemanager x.x.x.x' - and then 'save config'. Poof, you're off and running. Just log into vHM with your personal login, and you have control of your APs. SOOOOO simple. Now, where was I? Ah yes, PPSK...
The two setup modes, manual and automagic, make PPSK setup a snap for different uses, much like a sniper’s rifle and an A-bomb. If you want to make a personal login for your friend Mark Elliott, then you create a user for him within the manual PPSK feature, assign Mark to a group, generate (or manually enter) a PSK, and voila - you're done. If you want to create a thousand Private PSKs, then you create a PPSK group, give it a name and a prefix (e.g. 'User'), and voila, it'll create you a thousand unique users starting with User0001, each with their own passphrase. Here's a neat thing: you can enter an email address for each user (whether in manual or automagic mode) and have vHM email those PPSKs to those users with the push of a button. Holy cow that's cool. Perhaps you want to export 1, 5, 100, or 1000 of them to a .csv file. One button. You want to revoke a user because he left the company? No problem...one click. I think I'm in love. :-)
If you operate a hotspot and your guests want secure access, Aerohive has you covered. Captive portal solutions will no longer be necessary, but if you like the advertising aspects of them, then they will work fine in conjunction with PPSK. You can give your guests a quick printout with their passphrase, and off they go. The PPSK can be good forever, 15 minutes, or anything in between. It's like having 802.1X/EAP at your hotspot...without the 802.1X/EAP of course. Because of layer 2 encryption, cumbersome VPN solutions may not be needed for some users either. If you're a road warrior, you should suggest this solution to your favorite hotspot operators - especially hotels.
If you have legacy devices that support only PSK or have limited support of 802.1X/EAP, then PPSK is for you. Aerohive’s PPSK is also a graceful solution to the traditional problem of weak passphrases. For passphrase creation, you can use easy-to-remember passphrases (not recommended), long/hideous passphrases, or you can have the HM generate long/long/hideous passphrases for you - per device. Staples isn’t the only one with an “Easy” button. If you're worried about a protocol analyzer capturing and recording phone conversations, worry no more. You get all of PSK's fast/secure roaming advantages as well. Nice.
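The provisioning workflow described above (bulk users from a prefix, generated per-user passphrases, lifetimes, one-click revocation), sketched as an added example; it is not Aerohive's code and not from the original post. The function names, record layout and passphrase alphabet are assumptions; the PMK derivation is the standard WPA/WPA2-Personal PBKDF2 mapping.

```python
import hashlib
import secrets
import string
from datetime import datetime, timezone

# Assumed alphabet: letters and digits, all valid in a WPA passphrase.
ALPHABET = string.ascii_letters + string.digits

def wpa2_pmk(passphrase, ssid):
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def create_group(prefix, count, ssid, lifetime=None, length=32, now=None):
    """Bulk-create users <prefix>0001.. each with a unique random passphrase."""
    now = now or datetime.now(timezone.utc)
    users = {}
    for i in range(1, count + 1):
        passphrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
        users[f"{prefix}{i:04d}"] = {
            "passphrase": passphrase,
            "pmk": wpa2_pmk(passphrase, ssid),       # distinct key per user
            "expires": (now + lifetime) if lifetime else None,  # None = forever
            "revoked": False,
        }
    return users

def revoke(users, name):
    """Revoke one user; every other user's key is untouched."""
    users[name]["revoked"] = True

def valid_pmks(users, now=None):
    """PMKs an authenticator would still accept: not revoked, not expired."""
    now = now or datetime.now(timezone.utc)
    return {name: u["pmk"] for name, u in users.items()
            if not u["revoked"] and (u["expires"] is None or u["expires"] > now)}
```

Because each user has a distinct PMK, revoking or expiring one entry removes only that key from the accepted set, which is what a single shared PSK cannot do.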
I think it's important to contrast Aerohive's solution with Ruckus's Dynamic PSK (DPSK). At first glance, they look similar...but that's about where the two solutions part ways. Aerohive's PPSK is aimed at increasing legacy device security and increasing security at hotspots (public access networks). Ruckus's DPSK is aimed at replacing 802.1X/EAP (so says their documentation). Both are good at what they do, but Aerohive's is more flexible and powerful in that it can do all of what Ruckus's does plus more. Kudos to Ruckus for starting this trend. Kudos to Aerohive for picking up the ball and running with it...running like Forrest Gump in fact. I think that, contrary to Aerohive’s intended market, a big handful of folks will want to replace 802.1X/EAP with PPSK as well. But, that's just my opinion. It performs equally well in all three usage scenarios. Replacing 802.1X/EAP in branch/home offices and some smaller SMBs, to be honest, is a good thing for some organizations (like CWNP). ;-)
It's been a while since I blogged about Aerohive, so I'll just go ahead and throw a few more updates out there while I'm at it. Here are some of my latest findings with their system:
1) The AP upgrade process is intuitive, flawless, and even fun to watch. Their interface must use Flash or something because it's like watching an animation in progress. Very cool.
2) In only 1 hour of tinkering with HM (or vHM) you will have the hang of their interface. Not perfect, but very good nonetheless. It's extremely difficult to build intuitive and user-friendly interfaces when the system is this feature-rich. They pour as much time into making their interface easier to use as they do adding features. Big hug from CWNP! Feature fatigue due to a poor GUI is my #1 pet peeve.
3) System stability and speed are first rate. With most of the systems I test (which are most of them), throughput varies all over the place even during a single FTP download or Windows file transfer. Not these babies...these PHAT APs are stable as a rock. Uplink and downlink throughput, day-after-day-after-day, are exactly the same within about a 1 Mbps tolerance. That's just crazy. I have Dynamic Airtime Scheduling (DAS) enabled, so maybe that is contributing to this fact. I don't know for sure yet because I haven't put the DAS feature to the test just yet.
4) Their AP320 Access Points are gorgeous. I'd be willing to bet that if I covered the name with a piece of duct tape, then asked you to guess who made them, you'd say Apple. They look like a slightly larger--and even more beautiful--version of the Apple Airport Extreme. Their AP340 looks like a small Bradley fighting vehicle and is built just as tough. I'm partial to the AP320 because I like aesthetically pleasing things, but it’s certainly possible that those 6 spider-leg-looking antennas on the AP340 will provide better coverage.
If you've deployed or tested an Aerohive system, I'm interested to hear your take on their system or its features.
Follow me at www.twitter.com/DevinAkin