CradlePoint Blog

The Quest for Five 9s Making For Strange Bedfellows

Posted by Lindsay Notwell on August 27, 2014

Today I’d like to discuss three facts that are leading to a tectonic shift in cellular carrier business practices, and the implications of this shift:

Fact One: The world of cellular carriers is fiercely competitive.
(After having spent 17 years with one of the largest cellular carriers, I can assure you it’s true.)

Fact Two: Enterprises are embracing wireless as the primary access connection for mission critical applications.
A 2013 Computerworld article cited a Vanson Bourne survey of 4G adoption among British organizations with at least 500 employees. Sixty percent of the more than 200 IT decision-makers surveyed said they want to take advantage of 4G in the near future.

Fact Three: These same enterprises are often demanding 99.999% (“Five 9s”) reliability.
(And there is general agreement within the industry that no single connection—whether wired, wireless, or fiber—can achieve Five 9s alone. Some sort of failover connection is necessary.)


Put these three facts together and you can see why something strange is afoot in the cellular carrier industry: Carriers are now, in certain cases, buying each other’s data capacity wholesale and selling it as a failover solution along with their own primary connection solution. You got that right. These companies that normally fight against each other tooth and nail are behaving almost like “frenemies”—engaging in unheard of “coop-etition” to maintain account control of their customers.

Say, for example, that an enterprise with multiple branch locations purchases CradlePoint AER 2100 devices, each of which is equipped with two modems. A customer seeking Five 9s reliability could choose to subscribe to two carriers, assigning one modem to Carrier A as the primary connection, and the second to Carrier B as failover.

On the other hand, there’s that fierce competition thing. Carrier A sees this arrangement as tantamount to letting Carrier B get its foot inside the customer’s door. Carrier A avoids this by offering Carrier B’s services themselves. There are even times when Carrier A will engage a third party in order to facilitate the solution. At the end of the day, the customer gets the Five 9s they need and Carrier A protects its accounts.

The driving force behind this unheard-of coop-etition is Fact Two—enterprises dropping their DSL and cable services and going all-wireless. With the advent of 4G LTE, wireless is finally able to deliver the kind of bandwidth, security, flexibility, and reliability that enterprise-scale companies need, and it’s affordable too.

The bandwidth or the speed of a T1 connection is 1.5 Mbps.  A typical LTE connection delivers 5-12 Mbps downloads and 2-5 Mbps uploads.  That means wireless performance is now about triple that of a T1. And instead of paying $400-500 a month for a T1, enterprises are looking at average rates of maybe $100 a month for wireless. And what are already significant savings per location can quickly reach into the millions for companies with hundreds or even thousands of branch offices.

Having said that, I should note that not all companies are jumping to add a second modem and purchase one of these “strange bedfellow” packages. The fact that some companies use wireless without a failover solution is a testament to how far wireless has come in the past few years. Landlines get cut by backhoes. They get torn down in hurricanes and tornadoes. However, very few things stop cell signals. First, there simply are no wires to break. When bad weather hits, most carriers are prepared with mobile towers, backup generators, and batteries to maintain continuity. Can a single wireless connection consistently deliver Five 9s? No. But the reliability it does deliver is good enough for many applications and in many cases, better than the wire line alternative.

Of course, if you’re one of those enterprises that’s using wireless as your primary access connection for mission critical applications and absolutely must have Five 9s, most big cellular providers have a deal for you—no matter who they have to share a bed with to make it happen.

Specializing and Generalizing in the World of InfoSec

Posted by Kent Woodruff on August 19, 2014

As with most professions these days, information security specialists need to continually strike a balance between focusing on the issues most relevant to their jobs—while keeping at least an eye on what’s going on everywhere else. One of the more efficient ways to do this is to attend conferences, which help you learn a lot about a lot of things—in a short amount of time.

My favorite such events are the Security BSides events, DefCon, and Black Hat. Each conference has its own unique attitude, focus and cost. Some attendees come straight from corporate; others from the steam punk or maybe just punk scene. But no matter where their attendees come from or what their focus is, these events allow you to immerse yourself for a day or two in everything from Penetration Testing and Forensics to 802.1X, POS, and Lockpick Village.

BSidesLV is an Information/Security conference that takes place every year in… you guessed it… Las Vegas. BSides events take place all over the U.S. and the world (London, Warsaw, Singapore, and Canada just to name a few). Its organizers typically plan the shows to at least overlap with some of the bigger shows (including DefCon, Black Hat, and RSA).

While the bigger shows may cost thousands of dollars to attend, entry to BSides is free or a nominal charge. The presentations tend to be very technical, and are often attended less by corporate security department staff and more by people who are just really interested in security technology.

There is a bit of mystery around BSides events. They’re not usually well publicized, but they are always well attended. It helps to know someone who is a dedicated BSides attendee and knows all the ins and outs of getting into the best briefings.

In general, BSides events last two days, are attended by a lot of quirky people who like to dig into a wide range of quirky InfoSec issues—and who like to have crazy parties afterwards. BSides events also include lots of vendors and vendor booths.

DefCon
Billing itself as the world’s longest running and largest underground hacking conference, DefCon might also be tagged the “Disneyland of InfoSec conferences.” In addition to the chinos and button down shirts, you’ve also got your mohawks and beards; your blue hair and tattoos. Like BSides and Black Hat, DefCon is also serious business. It’s not uncommon for a well-received presentation first done at BSides to be picked up again at DefCon or Black Hat.

In addition to sessions about everything from digital civil liberties, microcontrollers, and how to build robots for world dominion, DefCon also features its famous “Capture the Flag” hacking events. Like BSides, DefCon hosts “Lockpick Village,” where attendees can learn how to pick real metal locks of all shapes and sizes. And it hosts “Wireless Village,” where attendees can learn to hack wireless networks. Fun!

Where BSides is free or close to it, DefCon usually costs about $200-$250 (and knowing perhaps better than any other event organizers the pitfalls of plastic, they take only cash). Again, vendors are welcome. In fact, DefCon is famous for vendors who will sell just about any kind of gear—new or old. (If you’re looking for an old Cisco device to complete your router collection, this might be the place to check.)

Black Hat
Black Hat (which might also be called “Black Tie” in terms of entry fee) is the most exclusive of the three events. Supported by large corporate sponsors, Black Hat can cost in the neighborhood of $2000+ for a two-day event. Attendees tend to be corporate security directors, CSOs, and higher.

But you’re not paying just for glitz (though there is plenty of that). Black Hat presentations are always compelling and often news-breaking. This year, presenters Karsten Nohl and Jakob Lell introduced a new form of malware that operates from controller chips inside USB devices (BadUSB: On Accessories that Turn Evil). Like many presentations at all of these events, Nohl and Lell explained the nature of the problem, showed how it works, then demonstrated how to solve it.

In upcoming blogs, I’d like to offer a more in-depth look at BSidesLV and Black Hat briefings I attended this August in Las Vegas.

In particular, I’d like to talk about the BSidesLV opening presentation “Beyond Good and Evil: Toward Effective Security” by Adam Shostack, and the Black Hat keynote, “Cybersecurity as Realpolitik” by Dan Geer.

Geer offers some very useful insight into the concept of trying to be a generalist in the change-at-the-speed-of-light world of InfoSec. Shostack amplifies and elaborates on a desperately needed change in the world of online security—something I too discussed last May on the Internet World blog (Let’s Take a Page from the Bad Actors’ Own Book on Network Security).

Mergers and Acquisitions: The Continuing Saga

Posted by David Rush on August 13, 2014

As I noted in a November 2013 blog post (Is LTE the Winner? Follow the Money), the wireless carrier industry continues to be “engaged in a kind of horse race to see who would be first to offer the best, broadest, and most powerful LTE network.”

The most recent twist in the race concerns the proposed merger of T-Mobile and Sprint. As of August 6th, 2014 Sprint announced they were calling it off and long-time CEO Dan Hesse has been replaced. In the realm of LTE giants, these two companies rank well below both Verizon and AT&T with respect to numbers of subscribers. (There are other measurement criteria, which I’ll discuss in a later post.) Combined, however, the new company would have been on more equal footing—with about 100 million subscribers versus the other two companies’ 110-120 million. With less than half the subscribers of either AT&T or Verizon, Sprint and T-Mobile lag their larger competitors in LTE network build-outs and the main rationale for the merger was to gain parity with their larger competitors.

Sprint cited FCC regulatory pressure as the primary reason they backed out. Some observers thought approval was a no-brainer: Instead of having two dominant players, there would now be three, which should improve competition and benefit end users. Others suggested (and it ended up being the case) that the FCC would oppose any attempt to further consolidate the market.

If you’ve been paying attention to the industry news, you will remember that AT&T tried—and failed—to buy T-Mobile back in 2011. One of the most vocal opponents back then was Sprint. (Because AT&T’s bid failed, it had to pay T-Mobile a tidy $4 Billion in cash and spectrum assets). Unsurprisingly, AT&T has been trying to stand in the way of the T-Mobile/Sprint play. As reported in June by the National Journal, AT&T Chairman and CEO Randall Stephenson said it was a "’stretch’ to see how [the merger] would get regulators' nod of approval, because it would reduce competition in the wireless industry from four major carriers to three.”

If the Sprint/T-Mobile merger had been approved, it would make the US wireless industry a three horse race, with MVNO TracFone as the next largest provider. (MetroPCS Communications would have moved up to the number 4 position, had T-Mobile not bought it last year for both its hardware and spectrum holdings. With MetroPCS out of the picture, TracFone is now nominally #5—but it isn’t really a carrier per se. TracFone’s main line of business consists of selling pre-paid cell cards from the major providers to low-income consumers.)

Since the Sprint/T-Mobile merger was called off, T-Mobile may be looking forward to another multi-billion-dollar payday, possibly receiving a $2 Billion break-up fee from its suitor. In the meantime French company Iliad has an outstanding bid to acquire 57% of T-Mobile for $15 billion which is reportedly too low for T-Mobile to consider. There are reports that they were looking to sweeten that offer by working with Dish Network, Cox Communications, and Charter Communications before the Sprint acquisition fell through.

Sprint is still in a good cash position. Last July, Tokyo-based SoftBank Corp. paid $21.6 Billion to acquire 72 percent of Sprint shares and later increased its stake to 80 percent. Sprint has used much of this cash infusion to beef up its LTE network but they need the subscribers on those towers to ROI on their investment. To be fair, the total $6 Billion T-Mobile stands to get (from AT&T and Sprint merger break-up fees) is not just a windfall. It represents disruptions in their business resulting from these failed merger attempts.

The number of subscribers is a key indicator of market strength for cellular providers, but it isn’t the only one. In my next post, I’ll talk about spectrum holdings.

How Do You Guarantee Network Performance and Security at the Edge?

Posted by Michael Rotchford on July 23, 2014

Let's face it. For distributed enterprises, establishing and maintaining fast and secure networks at the edge is no easy task, especially in a world where hackers are more sophisticated than ever, and greater demands are being placed on the network for high performance and bandwidth. Today's branch locations process highly sensitive data but don't have onsite IT to perform hands-on system monitoring to watch for attacks or connectivity outages. With customers, 3rd party vendors, cloud-based business solutions, and mission critical applications all requiring network access, the potential for a breach or network failure is higher than ever. So how can you increase network reliability and mitigate security threats?

Watch Gartner Vice President & Research Fellow Tim Zimmerman and CradlePoint CEO & Chairman of the Board George Mulhern, as they lay out key steps distributed enterprises should take to safeguard their networks at the edge while increasing performance to accommodate even the most challenging connectivity demands.

Constant Improvement; Constant Innovation

Posted by John McVey on July 15, 2014

I talked in an earlier post (Creating More and Better Customer Connectivity Options) about how CradlePoint works hard to give our customers numerous connectivity choices. We’re also making improvements to the physical router hardware to make sure our products deliver durable, business-class performance. These improvements include metal construction, shock and vibe ratings, extended temperature and humidity ranges and rack mount kits.

We’ve combined these improvements with the ability to centrally control our devices through Enterprise Cloud Manager. The result has been the ability of organizations like New York City’s Metropolitan Transit Authority and San Francisco’s Golden Gate Bridge, Highway and Transportation District to be able to provide wireless connectivity to millions of commuters.

We’re always working to make our product more robust in challenging installations like school buses and commercial coaches. We’ve written a whitepaper on best practices to help assure reliable operation.  We also realize that various circumstances may lead to non-optimal installations and we work to anticipate those situations and be as “fool proof” as possible.

You might wonder if CradlePoint is targeting these kinds of niche applications or specifically the transportation industry.  The fact is that as public and private transportation companies hear about what our solutions can do for them, they seek us out, do trial testing and then move forward with a roll-out. So we’re being pulled by force of gravity into more and more industry sectors.  Our robust and versatile products will continue to make inroads into new markets by virtue of our product design intent.

Regardless of what industry is using our products, we will continue to build solutions that operate beyond our specifications. The fact is that we tend to spec things conservatively: our products continue to operate beyond our specs—typically better than a competitor with a wider specification than ours.  We make sure we outperform our own specs because when we tell a customer that our product is going to work, we know it will exceed their expectations.

Enterprise Cloud Manager + Universal Modems Means Fewer Truck Rolls

Posted by John McVey on July 07, 2014

CradlePoint has led the industry by making it very easy for our customers to choose their cellular carrier by virtue of our routers supporting “plug-n-play” modem technology.  Customers can also change their modem (and carrier) to reduce their data costs or improve their connection or service level.  This flexibility allows companies to take advantage of the competitive swings in the cellular market and change carriers when necessary to obtain the best combination of price and signal strength for each of their office locations.

As easy as it’s been for CradlePoint customers to change their modem or carrier on our products, it was still challenging for locations without on-premise IT staff (and for many companies that means just about every remote location).  Remote offices without technical staff would require dispatch of a service truck to physically change their modem.  These “truck rolls” are costly, and difficult to schedule during the slow times (evenings and weekends) when they would be least impactful to ongoing business.

Now, with the introduction of our new MC400 universal modems, customers have even more flexibility in their choice of carriers and can future-proof their network solution—while avoiding those painful truck rolls.

Suppose, for example, that your company has been using Carrier X but then realizes it could lower data costs or get better connectivity by switching to Carrier Y.  With the MC400 modem, you won’t need to go out and buy another piece of hardware to accommodate the new carrier because the ability to handle multiple carriers is built right in!

In a sense, our new MC400 is analogous to the ability to unlock a cell phone so that it can be used with any carrier. The net effect is to give our customers more choice and lower their network operating expenses.

Companies that use cellular data services may have felt “locked in” to a given carrier after their initial equipment deployment.  That’s because they knew the cost of a service visit for each remote location would consume most of the savings of a carrier switch.  Now, the MC400 removes these roadblocks and enables remote selection of your distributed locations’ cellular carriers.

Our relationship with the carriers has been symbiotic.  CradlePoint was first to bring low-cost, reliable cellular data to mainstream businesses.  We work very closely with the carriers to get our products certified on their networks.  As a result, the carriers know how well our devices work.  One of the things we hear all the time from new customers is that they chose CradlePoint because their cellular carrier recommended our products.

By removing the “lock” on data services, our “universal” MC400 modem might be said to be an industry disruptor. We’re confident the net effect will be good for our customers and the carriers. Our solution will give our customers more flexibility, which can lead to lower costs that over time will enable more businesses to use cellular data.  This brings more customers to our carrier partners, enabling them to continue to grow their networks and drive the technology forward.  We really like these win-win solutions.

Creating More and Better Connectivity Options

Posted by John McVey on July 02, 2014

I work on CradlePoint’s hardware side and one of the trends we’re working on is to expand the number of ways our devices can provide customers with broader networking solutions. One example is the way we’ve improved our Wi-Fi performance. We now cover both spectrum bands (2.4GHz and 5GHz) with higher transmit power and “11ac” speeds.  We also do quite a bit of work to make sure our Wi-Fi and embedded 3G/4G capabilities perform well without interfering with each other.

We’re also using more powerful processors with additional memory so we can provide higher throughput and greater security.  While a lot of companies are moving to the Cloud, some continue to express concern about the availability and security of Cloud connections.  If, heaven forbid, their cloud service were unavailable, perhaps due to an attack, these companies still need secure networking to maintain their business.  Our strategy is to provide persistent Internet connectivity with a sufficient level of security built into our routers.  For example, they can use any combination of wired, cellular or even Wi-Fi as their WAN source.  And if their Wi-Fi is unsecured, their CradlePoint router will make it secure.  Customers can share bandwidth across these various WAN connections, or use just one and, if it is interrupted, automatically and quickly switch to another.  Customers can prioritize their connection choices to minimize their data costs and get much higher up time with much lower cost of service.

Things never sit still in the world of network technology. By constantly innovating and building strong relationships with our industry partners, vendors, and the carriers, CradlePoint enables our customers to solve problems now—and future proof their network connectivity.

4G Creates a Firm Foundation for a Secure and Agile Network

Posted by Lindsay Notwell on June 26, 2014

Originally on the Internet World Blog, 06-11-2014

Common among today’s business leaders is the topic of agility and the need to stay ahead of the competition.  But naturally, as the conversation moves from C-level executives to the ones responsible for implementing so called “agility” the conversation shifts.  It shifts from discussing the benefits that include cost savings, greater return on investment and greater efficiencies to the challenges of bringing those benefits to fruition.  Regardless of market sector, the challenges typically relate back to the foundational technology, its ability to adapt, and for today’s IT professional, a myriad of security concerns.

2014 will be recognized as the year of the Internet of Things (IoT).  The evolving concept and benefits of the IoT movement are the catalyst for much of this conversation and the angst of most IT professionals.  How do companies that service a vast clientele and collect personal information support the Internet of Things in a way that improves the customer experience in a secure manner?  Most companies want to gain the agility and benefits of a connected environment, however their legacy technology infrastructure can’t keep up with today’s hackers, making it tough to deploy a scalable network that is secure.

Continued reading here.

As Networking Demands Grow, So Must Your Network Agility: CradlePoint MC400

Posted by Michael Rotchford on June 19, 2014

Here at CradlePoint, we pride ourselves at being in close touch with our customers and in providing them with solutions that meet their evolving needs. Lately, customers have been telling us that they want solutions that provide high bandwidth and agility to meet growing consumer demand for the “connected retail experience.”

In early January 2014, we launched our AER 2100 cloud-managed solution to enable our customers to meet this demand. Moore’s Law states that processor speeds will double every two years. That’s a good thing, but it also means consumers will begin to use more and more data hungry apps, creating greater demands for bandwidth. That’s why this month we’ve introduced the new CradlePoint MC400.

The MC400 allows two enterprise grade modems to be embedded within the CradlePoint AER 2100. That means greater bandwidth for today’s data-intensive applications and WAN Diversity™ for 99.999% reliability.

It also gives enterprise organizations the capability to support up to four SIM cards within a single router, giving them the flexibility to use whatever carrier offers the best service at any given location.

Compared to consumer grade USB modems, the MC400 is enterprise tested for 24x7 use, includes high-gain external antennas, and comes with world-class support.

Are you ready to keep up with your end users? Learn more about how the CradlePoint MC400 lets you take full advantage of the speed and dependability of 4G LTE.

In the Wake of Heartbleed Part 3: How Enterprise Cloud Manager Gave Customers an Advantage over Heartbleed

Posted by Chris Rorris on May 22, 2014

As the old saying goes, when you’re being chased by a bear, you don’t have to run faster than the bear. You just have to run faster than the people you’re with. The same is true when it comes to data security.

With any malware or virus or bug, there are always exploits intruders can string together to defeat even the highest levels of security. But the fact of the matter is that if you erect decent security measures, intruders are typically going to move on in search of easier targets.

Hackers are out there scanning IP addresses for listening and responding ports, thereby potentially exposing weaknesses. CradlePoint uses and recommends Five Strategies to protect your servers and devices from intruders:

  • Strategy 1: Default Configuration. On each of our router devices is a configuration setting to enable or disable remote web-based administration. We disable that setting by default. It would have to be turned “On” for an intruder to be able to even attempt to log in and administer the device from the Internet.
  • Strategy 2: Access Control Lists. If a customer does enable web-based administration, the second strategy is an access control list. This list specifies what other systems and IP addresses should be granted access to do remote web-based administration. Both of these things would effectively prevent someone from using the Heartbleed vulnerability.
  • Strategy 3: Non-standard Web Ports. Our security strategy for Enterprise Cloud Manager is to not use standard web port 80 or 443. It uses different ports.
  • Strategy 4: Bypass Web-Based Admin. If you are using the Enterprise Cloud Manager, you don't need to have the remote web-based administration turned on or enabled to be able to remotely manage the device. Enterprise Cloud Manager provides an interface that looks almost exactly like what you would see if you were on one of our router’s web interfaces. All of the configurations you create are inside the Enterprise Cloud Manager environment and are then automatically pushed down to the actual router device when you hit apply.
  • Strategy 5: TLS. There are a number of different encryption and communication protocols in the background of Enterprise Cloud Manager that push configurations and pull data from the CradlePoint to the Enterprise Cloud Manager server. We use TLS (Transport Layer Security) for that encryption. The way Enterprise Cloud Manager works is that it only administers the CradlePoint, so none of the customer data that flows through the device is ever seen by Enterprise Cloud Manager.

I know from personal experience what it’s like trying to manage technology in thousands of locations at the same time. Without something like Enterprise Cloud Manager, you have to remotely go into each router through the web interface (assuming you have that turned on) or through a telnet/ssh session. In either scenario, you’d have to determine the correct firmware, download it, and only then execute the upgrade.

Needless to say, if you wanted to upload new firmware to neutralize Heartbleed—and if you have 100's or 1000's of devices to upgrade – that could take a significant amount of time and resources. With Enterprise Cloud Manager, devices are grouped together for configuration and firmware upgrades. You simply select the new firmware version from a drop-down box in the group configuration. Enterprise Cloud Manager then automatically pushes the firmware down to the group, without having to go into each device individually. It’s as simple as that.

Enterprise Cloud Manager also gives you status and reporting updates so you know what firmware version all your devices are on, and what devices may still need an upgrade. If a device was offline when you initiated the firmware upgrade, as soon as it comes back up, Enterprise Cloud Manager senses that device and automatically pushes down the firmware upgrade.

Finally, I just wanted to point out while Enterprise Cloud Manager is a paid service, we gave customers who don’t pay for this service the opportunity to get a 30-day Enterprise Cloud Manager account for no charge so they could use it to update their devices as quickly as possible. I guess you could call that Strategy #6.

In the Wake of Heartbleed Series:

Part 1: Three Observations
Part 2: All Hands on Deck
Part 3: How Enterprise Cloud Manager Gave Customers an Advantage Over Heartbleed
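
The Heartbleed post above describes three device-side checks (remote admin off by default, an access control list when it is on, a non-standard admin port) and fleet-wide firmware reporting. The following is an added example, not CradlePoint code or an Enterprise Cloud Manager export: it audits a constructed inventory for those settings and orders pending upgrades so that devices with an openly reachable admin interface go first. All field names, device names and version numbers are hypothetical placeholders.

```python
import ipaddress

# Placeholder for the first firmware release that carries the fix (not a real version).
MIN_FIXED_FIRMWARE = "2.0.0"
STANDARD_WEB_PORTS = {80, 443}

# Constructed inventory; field names are assumptions, not a vendor format.
FLEET = [
    {"name": "store-001", "remote_admin": False, "admin_acl": [],
     "admin_port": 443, "firmware": "2.0.0"},
    {"name": "store-002", "remote_admin": True, "admin_acl": ["203.0.113.0/28"],
     "admin_port": 8443, "firmware": "2.0.1"},
    {"name": "store-005", "remote_admin": False, "admin_acl": [],
     "admin_port": 443, "firmware": "1.9.9"},
    {"name": "store-003", "remote_admin": True, "admin_acl": [],
     "admin_port": 443, "firmware": "1.9.4"},
    {"name": "store-004", "remote_admin": True, "admin_acl": ["0.0.0.0/0"],
     "admin_port": 8443, "firmware": "1.10.0"},
]


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so 1.10.0 sorts above 1.9.4."""
    return tuple(int(part) for part in text.split("."))


def needs_upgrade(dev):
    return parse_version(dev["firmware"]) < parse_version(MIN_FIXED_FIRMWARE)


def acl_is_restrictive(acl):
    """An ACL counts only if it has entries and none of them matches every address."""
    if not acl:
        return False
    return all(ipaddress.ip_network(e, strict=False).prefixlen > 0 for e in acl)


def admin_openly_reachable(dev):
    """Remote admin is on and no restrictive ACL stands in front of it."""
    return dev["remote_admin"] and not acl_is_restrictive(dev["admin_acl"])


def audit_device(dev):
    """Return findings for one device; an empty list means nothing to fix."""
    findings = []
    if needs_upgrade(dev):
        findings.append("firmware-needs-upgrade")
    if admin_openly_reachable(dev):
        findings.append("admin-acl-open")
    if dev["remote_admin"] and dev["admin_port"] in STANDARD_WEB_PORTS:
        findings.append("admin-on-standard-port")
    return findings


def audit_fleet(fleet):
    """Map device name to findings, listing only devices that have any."""
    report = {}
    for dev in fleet:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report


def upgrade_queue(fleet):
    """Names of devices awaiting the fix, openly reachable admin interfaces first."""
    pending = [d for d in fleet if needs_upgrade(d)]
    pending.sort(key=lambda d: (not admin_openly_reachable(d), d["name"]))
    return [d["name"] for d in pending]


if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(f"{name}: {', '.join(findings)}")
    print("upgrade order:", " > ".join(upgrade_queue(FLEET)))
```

Versions are compared as integer tuples because a plain string comparison would rank "1.10.0" below "1.9.4" and misorder the report.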