Following is a list of the security modes available on the D-Link DWL-2210AP along
with a description of the key management, authentication, and encryption algorithms
used in each mode. We include some suggestions as to when one mode might be more
appropriate than another.
• When to Use Plain Text
• When to Use Static WEP
• When to Use IEEE 802.1x
• When to Use WPA with RADIUS
• When to Use WPA-PSK
When to Use Plain Text
Plain text mode by definition provides no security. In this mode, the data is not encrypted
but rather sent as “plain text” across the network. No key management, data encryption
or user authentication is used.
Recommendations
Plain text mode is not recommended for regular use on the Internal network because it
is not secure.
Plain text mode is the only mode in which you can run the Guest network, which is by
definition an unsecured LAN, always virtually or physically separated from any sensitive
information on the Internal LAN.
Therefore, use plain text mode on the Guest network, and on the Internal network for
initial setup, testing, or problem solving only.
See Also
For information on how to configure plain text mode, see “Plaintext” under “Configuring
Security Settings” in this manual.
When to Use Static WEP
Static Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless
networks. All wireless stations and access points on the network are configured with a
static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit
secret key + 24-bit IV) Shared Key for data encryption.
Configuring Security
Key Management: Static WEP uses a fixed key that is provided by the administrator. WEP
keys are indexed in different slots (up to four on the D-Link DWL-2210AP). The client
stations must have the same key indexed in the same slot to access data on the access
point.
Encryption Algorithm: An RC4 stream cipher is used to encrypt the frame body and cyclic
redundancy checking (CRC) of each 802.11 frame.
User Authentication: If you set the Authentication Algorithm to Shared Key, this protocol
provides a rudimentary form of user authentication. However, if the Authentication
Algorithm is set to “Open System”, no authentication is performed. If the algorithm is
set to “Both”, only WEP clients are authenticated.
Recommendations
Static WEP was designed to provide the security equivalent of sending unencrypted
data through an Ethernet connection; however, it has major flaws and does not provide
even this intended level of security.
Therefore, Static WEP is not recommended as a secure mode. The only time to use Static
WEP is when interoperability issues make it the only option available to you and you
are not concerned with the potential of exposing the data on your network.
See Also
For information on how to configure Static WEP security mode, see “Static WEP”
under “Configuring Security Settings” in this manual.
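The Static WEP frame handling described in this section, as an added example that is not part of the manual or of D-Link's firmware: the per-frame RC4 key is the 24-bit IV followed by the static secret, the frame body and its CRC are encrypted together, and the receiver must hold the same key in the same slot. The little-endian CRC-32 and the key slot carried in the top two bits of the fourth header byte follow common 802.11 WEP framing and are assumptions here, as are all function names and the sample key.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def crc(body: bytes) -> bytes:
    """CRC-32 of the frame body, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(body))

def wep_encapsulate(secret: bytes, iv: bytes, slot: int, body: bytes) -> bytes:
    """Return IV (clear) | key-slot byte (clear) | RC4(body | CRC)."""
    if len(secret) not in (5, 13):          # 40-bit or 104-bit secret key
        raise ValueError("secret key must be 40 or 104 bits")
    if len(iv) != 3 or slot not in range(4):
        raise ValueError("IV is 24 bits; key slots are 0-3")
    # Per-frame RC4 key = 24-bit IV + static secret = 64 or 128 bits.
    return iv + bytes([slot << 6]) + rc4(iv + secret, body + crc(body))

def wep_decapsulate(slots: dict, frame: bytes) -> bytes:
    """Decrypt with the key held in the slot the frame names; check the CRC."""
    iv, slot = frame[:3], frame[3] >> 6
    if slot not in slots:
        raise ValueError(f"no key configured in slot {slot}")
    plain = rc4(iv + slots[slot], frame[4:])
    body, icv = plain[:-4], plain[-4:]
    if crc(body) != icv:
        raise ValueError("CRC mismatch: wrong key or damaged frame")
    return body

if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")    # constructed 40-bit key
    frame = wep_encapsulate(secret, b"\x00\x00\x01", 0, b"constructed frame body")
    print(frame.hex())
    print(wep_decapsulate({0: secret}, frame))
```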
When to Use IEEE 802.1x
IEEE 802.1x is the standard for passing the Extensible Authentication Protocol (EAP)
over an 802.11 wireless network using a protocol called EAP Encapsulation Over
LANs (EAPOL). This is a newer, more secure standard than static WEP.
Key Management: IEEE 802.1x provides dynamically-generated keys that are periodically
refreshed. There are different Unicast keys for each station.
Encryption Algorithm: An RC4 stream cipher is used to encrypt the frame body and cyclic
redundancy checking (CRC) of each 802.11 frame.
User Authentication: IEEE 802.1x mode supports a variety of authentication methods, like
certificates, Kerberos, and public key authentication with a RADIUS server. You have a
choice of using the D-Link DWL-2210AP embedded RADIUS server or an external RADIUS
server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
Recommendations
IEEE 802.1x mode is a better choice than Static WEP because keys are dynamically
generated and changed periodically. However, the encryption algorithm used is the same
as that of Static WEP and is therefore not as reliable as the more advanced encryption
methods such as TKIP and CCMP (AES) used in Wi-Fi Protected Access (WPA).
Additionally, compatibility issues may be cumbersome because of the variety of
authentication methods supported and the lack of a standard implementation
method.
Therefore, IEEE 802.1x mode is not as secure a solution as Wi-Fi Protected Access
(WPA). If you cannot use WPA because some of your client stations do not have WPA,
then a better solution than using IEEE 802.1x mode is to use WPA with RADIUS mode
instead and check the “Allow non-WPA IEEE 802.1x clients” checkbox to allow non-WPA
clients. This way, you get the benefit of IEEE 802.1x key management for non-WPA
clients along with even better data protection of TKIP and CCMP (AES) key management
and encryption algorithms for your WPA clients.
See Also
For information on how to configure IEEE 802.1x security mode, see “IEEE 802.1x”
under “Configuring Security Settings” in this manual.
When to Use WPA with RADIUS
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS)
is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity
Protocol (TKIP), Counter mode/CBC-MAC Protocol (CCMP), and Advanced Encryption
Standard (AES) mechanisms. This mode requires the use of a RADIUS server to
authenticate users. WPA with RADIUS provides the best security available for wireless
networks.
Key Management: WPA with RADIUS provides dynamically generated keys that are
periodically refreshed. There are different Unicast keys for each station.
Encryption Algorithm: Temporal Key Integrity Protocol (TKIP), Counter mode/CBC-MAC
Protocol (CCMP), Advanced Encryption Standard (AES).
User Authentication: Remote Authentication Dial-In User Service (RADIUS). You have a
choice of using the D-Link DWL-2210AP embedded RADIUS server or an external RADIUS
server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
Recommendations
WPA with RADIUS mode is the recommended mode. The CCMP (AES) and TKIP encryption
algorithms used with WPA modes are far superior to the RC4 algorithm used for Static
WEP or IEEE 802.1x modes. Therefore, CCMP (AES) or TKIP should be used
whenever possible. All WPA modes allow you to use these encryption schemes, so WPA
security modes are recommended above the others when using WPA is an option.
Additionally, this mode (WPA with RADIUS) incorporates a RADIUS server for user
authentication which gives it an edge over WPA-PSK.
Use the following guidelines for choosing options within the WPA with RADIUS security
mode:
1. The best security you can have to date on a wireless network is WPA with RADIUS
   using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data
   encryption technique that works on multiple layers of the network. It is the most
   effective encryption system currently available for wireless networks. If all clients
   or other APs on the network are WPA/CCMP compatible, use this encryption algorithm.
2. The second best choice is WPA with RADIUS with the encryption algorithm set to
   “Both” (that is, both TKIP and CCMP). This lets WPA client stations without CCMP
   associate, uses TKIP for encrypting Multicast and Broadcast frames, and allows clients
   to select whether to use CCMP or TKIP for Unicast (AP-to-single-station) frames. This
   WPA configuration allows more interoperability, at the expense of some security. Client
   stations that support CCMP can use it for their Unicast frames. If you encounter
   AP-to-station interoperability problems with the “Both” encryption algorithm setting,
   then you will need to select TKIP instead.
3. The third best choice is WPA with RADIUS with the encryption algorithm set to TKIP.
   Some clients have interoperability issues with CCMP and TKIP enabled at the same
   time. If you encounter this problem, then choose TKIP as the encryption algorithm.
   This is the standard WPA mode, and the most interoperable mode with client wireless
   software security features. TKIP is the only encryption algorithm that is being tested
   in Wi-Fi WPA certification.
See Also
For information on how to configure WPA with RADIUS security mode, see “WPA with
RADIUS” under “Configuring Security Settings” in this manual.
When to Use WPA-PSK
Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset
of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Advanced
Encryption Standard (AES), and Counter mode/CBC-MAC Protocol (CCMP)
mechanisms. This mode offers the same encryption algorithms as WPA with RADIUS
but without the ability to integrate a RADIUS server for user authentication.
Key Management: WPA-PSK provides dynamically-generated keys that are periodically
refreshed. There are different Unicast keys for each station.
Encryption Algorithm: Temporal Key Integrity Protocol (TKIP), Counter mode/CBC-MAC
Protocol (CCMP), Advanced Encryption Standard (AES).
User Authentication: The use of a Pre-Shared Key (PSK) provides user authentication
similar to that of shared keys in WEP.
If there are older client stations on your network that do not support WPA, you can configure
WPA with RADIUS (with Both, CCMP, or TKIP) and check the “Allow non-WPA IEEE 802.1x
clients” checkbox to allow non-WPA clients. This way, you get the benefit of IEEE 802.1x
key management for non-WPA clients along with even better data protection of TKIP and
CCMP (AES) key management and encryption algorithms for your WPA clients.
A typical scenario is that one is upgrading a current 802.1x network to use WPA. You might
have a mix of clients; some new clients that support WPA and some older ones that do
not support WPA. You might even have other access points on the network that support
only 802.1x and some that support WPA with RADIUS. For as long as this mix persists,
use the “Allow non-WPA IEEE 802.1x clients” option.
When all the stations have been upgraded to use WPA, you should disable the “Allow
non-WPA IEEE 802.1x clients” option.
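The selection guidance in this chapter can be checked against a client inventory. The following is an added example, not D-Link code and not the access point's configuration format: the field names, mode names, finding codes and sample inventory are all hypothetical, and the advice strings paraphrase the manual.

```python
# Advice text paraphrases the manual; codes and field names are hypothetical.
ADVICE = {
    "GUEST_NOT_PLAIN_TEXT": "Guest network runs only in plain text mode",
    "INTERNAL_PLAIN_TEXT": "plain text on Internal: setup, testing or problem solving only",
    "STATIC_WEP": "Static WEP is not recommended as a secure mode",
    "PREFER_WPA_RADIUS": "use WPA with RADIUS and allow non-WPA IEEE 802.1x clients",
    "NO_RADIUS_AUTH": "WPA-PSK has no RADIUS user authentication",
    "PREFER_CCMP": "all clients are WPA/CCMP compatible; select CCMP (AES)",
    "DISABLE_ALLOW_NON_WPA": "no non-WPA clients remain; disable the allow option",
}

def audit(cfg, clients):
    """Return finding codes for one network profile.

    cfg: {"network", "mode", "cipher", "allow_non_wpa"}; clients: list of
    capability sets such as {"wpa", "ccmp", "tkip"} or {"8021x"}.
    """
    mode = cfg["mode"]
    if cfg["network"] == "guest":
        return [] if mode == "plain_text" else ["GUEST_NOT_PLAIN_TEXT"]
    if mode == "plain_text":
        return ["INTERNAL_PLAIN_TEXT"]
    if mode == "static_wep":
        return ["STATIC_WEP"]
    if mode == "ieee_8021x":
        return ["PREFER_WPA_RADIUS"]
    findings = []
    legacy = [c for c in clients if "wpa" not in c]
    if mode == "wpa_psk":
        findings.append("NO_RADIUS_AUTH")
    # CCMP alone is advised only when every client is WPA/CCMP compatible.
    if cfg.get("cipher") != "ccmp" and clients and all({"wpa", "ccmp"} <= c for c in clients):
        findings.append("PREFER_CCMP")
    # The transitional option should be switched off once the upgrade is done.
    if mode == "wpa_radius" and cfg.get("allow_non_wpa") and not legacy:
        findings.append("DISABLE_ALLOW_NON_WPA")
    return findings

# Constructed inventory: the upgrade to WPA has finished, but the access
# point still carries the transitional settings.
CLIENTS = [{"wpa", "ccmp", "tkip"}, {"wpa", "ccmp", "tkip"}]
BEFORE = {"network": "internal", "mode": "wpa_radius", "cipher": "both", "allow_non_wpa": True}
AFTER = {"network": "internal", "mode": "wpa_radius", "cipher": "ccmp", "allow_non_wpa": False}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, [ADVICE[c] for c in audit(cfg, CLIENTS)] or "no findings")
```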