Hi Matt,

I haven’t been thrilled with the Enterprise version of Open Mesh, but the basic Open Mesh units are still…functioning. In a situation where you really need mesh, I’d probably look at them again. Only for limited internet access though, not really for robust LAN networking. They fill a need, but anywhere I can I’m using Ubiquity’s UniFi APs instead of Open Mesh. They do have wireless uplinks that are OK (not true mesh, you control each uplink) but if you can wire all or more access points, they’re a much better solution that’s more flexible and powerful, and reliable. At around the same price; less if you consider they include their PoE (proprietary, not standard PoE) adapter and the Open Mesh adapters cost an extra $20. For a single building where I can get wires to switches and APs, I’d do UniFi all day long (I’ve done several small deployments plus one 8-AP and one 20-AP deployment of UniFi and they’re all working great).

There are also some other Ubiquity products such as the NanoStations and NanoBridges that can do directional point-to-point connections, and PicoStations that are omnidirectional but use the same software as the Nano devices instead of the centralized “Enterprise wifi” controller of the UniFi solution. It might cost a little more, but I’d actually prefer a solution using all Ubiquity gear over the Open Mesh stuff. For example, I’d have a central building with a PicoStation AP with each remote building using a NanoStation or NanoBridge directional unit pointed at the PicoStation and running a cable to a UniFi AP that would serve clients at each location. Preferably the central location would also be directional but if they’re close enough, a PicoStation (or possibly even a UniFi AP) placed centrally with directionals pointing in toward it would probably work well enough. If you can do all the backhaul on 5GHz (not possible with UniFi AP as central since it only does 2.4GHz but PicoStation comes in 5GHz flavors) and then use UniFi on 2.4GHz for clients you’ll be even better off, if you can get line-of-sight for 5GHz. Nice thing is for larger buildings you could still put a switch in and put multiple UniFi APs off of it around the building.

I’d need a lot more detail about the physical structures to make any more specific recommendations. However, I’m just “mostly satisfied” with Open Mesh and not really thrilled or excited about it. It still works where I put it in, but I probably wouldn’t do it that way again.

David

PLEASE contact me with your observations and thoughts.
Thank you.
Matt

That comment seems a bit jumbled, but yes I have found it frustrating when something is written for Internet Explorer and subsequent versions of IE don’t work. Switch firmware is not immune from this. Fortunately, better companies’ newer products seem to be coming with much more cross-browser compatibility (especially as the last several releases of browsers gain more dynamic features and are a little more standardized in how they are implemented) which also tends to fix the “new browser doesn’t work” issue as a nice little side-effect.

Doesn’t help the old stuff that’s still poorly-written of course. But eventually (and in some churches, eventually is a long time!) this gear will be obsolete and will be replaced. It is a slow cycle.

Check your Outlook Rules and Alerts settings. I had a customer recently who had this happening and they had a recently-created rule that sent everything sent “directly to me” to the Junk E-Mail folder (thus only getting stuff they were BCC’d on and such, but nothing with their email address in the To: field).

I mean all that HP strategy called “Fix problems” instead of “Go for the goal”. HP and Microsoft in technical terms are very alike, they both go for money fixing problems. Instead of getting money offering better designed and implemented products. As the result, for example, HP management software can’t run on Microsoft OS because HP did not expect Microsoft to fix new bugs in IE making HP Insight Manager incompatible.

It is bad solution when some problem created by messy network planning is “fixed” by the device that is not supposed to deal with such problems.

Anyway, thank you for the article, now we know what to do if some switch stops switching…

Some encryption programs use TPM to prevent attacks. Will TrueCrypt use it too?

No. Those programs use TPM to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer, and the attacker needs you to use the computer after such an access. However, if any of these conditions is met, it is actually impossible to secure the computer (see below) and, therefore, you must stop using it (instead of relying on TPM).

If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted TrueCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer).

If the attacker can physically access the computer hardware (and you use it after such an access), he can, for example, attach a malicious component to it (such as a hardware keystroke logger) that will capture the password, the content of RAM (containing master keys) or content of files stored on mounted TrueCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer again).

The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, “Trusted Platform Module”, is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware). Features like this are sometimes referred to as security theater [6].

~~~~~

For me, I can download and scrutinize the TC code (and I have done this, even compiling it and running it) so I would expect that if I can do this, many people smarter than me have done so and we’d know about any back-doors in TrueCrypt by now.

With respect to M$ backdoors; how would you trace through M$ source? Personally I don’t think M$ would have a back-door either, but you have to admit that you can be less sure about that, than for TrueCrypt.

As far as the hibernation issues go, it solved. Microsoft finally provided an API that Truecrypt employs. So no unencrypted keys floating around as some may still think. I still see comments that reference the infamous “coldboot” attack. For starters, I know bitlocker at least can force an overwrite of memory. Regardless, if you simply wait until the computer shuts off, they wait a minute longer. Unless you’re on the arctic tundra, you can be well assured the RAM is unrecoverable at this point. Key point though, remember that standby will, by definition, keep the RAM refreshed. Hibernation writes the contents of RAM to the disk that is encrypted, therefore no issues there.

Last point is regarding backdoors. No I didn’t trace line by line thru MS code, but I am quite sure there are no backdoors. Why am I so confident? 1.) MS gains nothing. 2.) They risk their credibility. 3.) Rememeber that whole anti-trust thing?? Yeah, somehow I doubt MS will be rushing anytime soon to help the gov’t. 4.) There has never been an mandate for encryption makers to add backdoors for govt access. This is the US afterall.

Good one Kyle; perfectly balanced opinion.

I’ve personally used both and both were easy enough to set up but over the years I have settled on TrueCrypt; it handles RAID0, RAID1, and is generally very robust.

Oh, and I use it on multiple Windows 7 systems without a single problem ever, so who knows what entalazar is on about.