Reference Manual for the Wireless Cable Modem Gateway CG814WG v2
Networks, Routing, and Firewall Basics
B-11
Stateful Packet Inspection
Unlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to
ensure secure firewall filtering to protect your network from attacks and intrusions. Since
user-level applications such as FTP and Web browsers can create complex patterns of network
traffic, it is necessary for the firewall to analyze groups of network connection “states.” Using
Stateful Packet Inspection, an incoming packet is intercepted at the network layer and then
analyzed for state-related information associated with all network connections. A central cache
within the firewall keeps track of the state information associated with all network connections.
All traffic passing through the firewall is analyzed against the state of these connections in order to
determine whether or not it will be allowed to pass through or rejected.
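The state table the paragraph describes, as an added Python illustration (this is not the CG814WG's firewall code; the packet fields, the `StatefulFirewall` class and the sample addresses are all constructed for the example). Only a LAN host may create an entry, and only with a proper SYN; inbound packets are admitted solely when they match existing state, which is what makes an unsolicited inbound connection attempt, or a stray ACK for a connection that was never opened, fall through to DROP:

```python
# Toy stateful packet inspection: a connection-state table that admits inbound
# traffic only when it belongs to a connection a LAN host opened.
# Added illustration, not the CG814WG firmware; packet fields and sample
# addresses are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    sport: int          # source TCP port
    dst: str            # destination IP address
    dport: int          # destination TCP port
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag
    fin: bool = False   # TCP FIN flag


# State-table key, always ordered (LAN ip, LAN port, remote ip, remote port)
# so that both directions of one connection map to the same entry.
ConnKey = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self) -> None:
        # The "central cache" of the text: one entry per tracked connection.
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return "ALLOW" or "DROP" for one packet and update the state table."""
        key = self._key(p)
        state: Optional[str] = self.table.get(key)

        if state is None:
            # Only a LAN host may create state, and only with a proper SYN.
            if p.direction == "out" and p.syn and not p.ack:
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            # Unsolicited inbound traffic (including connection attempts) and
            # stray outbound packets for unknown connections are rejected.
            return "DROP"

        if state == "SYN_SENT":
            # The only inbound packet expected now is the remote side's SYN-ACK.
            if p.direction == "in" and p.syn and p.ack:
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            if p.direction == "out" and p.syn:
                return "ALLOW"      # retransmitted SYN from the LAN host
            return "DROP"

        if state == "CLOSING":
            # Last packet of the teardown: forget the connection.  A real
            # firewall also ages entries out with timers.
            del self.table[key]
            return "ALLOW"

        # ESTABLISHED: either direction is allowed; a FIN starts the teardown.
        if p.fin:
            self.table[key] = "CLOSING"
        return "ALLOW"


def demo() -> List[str]:
    """Run a constructed packet sequence through the filter and return the decisions."""
    fw = StatefulFirewall()
    lan, web, outside = "192.168.0.10", "203.0.113.5", "198.51.100.9"
    packets = [
        Packet(lan, 40000, web, 80, "out", syn=True),            # LAN host opens a connection
        Packet(web, 80, lan, 40000, "in", syn=True, ack=True),    # server's SYN-ACK matches SYN_SENT
        Packet(lan, 40000, web, 80, "out", ack=True),             # handshake ACK and request
        Packet(web, 80, lan, 40000, "in", ack=True),              # response on the ESTABLISHED entry
        Packet(outside, 5555, lan, 22, "in", syn=True),           # unsolicited inbound SYN: no state
        Packet(outside, 80, lan, 40001, "in", ack=True),          # ACK for a connection never opened
        Packet(web, 80, lan, 40000, "in", fin=True, ack=True),    # server closes
        Packet(lan, 40000, web, 80, "out", ack=True),             # final ACK; entry removed
    ]
    return [fw.filter(p) for p in packets]
    # returns ['ALLOW', 'ALLOW', 'ALLOW', 'ALLOW', 'DROP', 'DROP', 'ALLOW', 'ALLOW']
```

The two DROP decisions are the point of the technique: the packets are syntactically valid TCP, and a stateless port filter would have to reason about flags alone, whereas the state table simply has no entry for them.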
Denial of Service Attack
A hacker may be able to prevent your network from operating or communicating by launching a
Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely
flooding your site with more requests than it can handle. A more sophisticated attack may attempt
to exploit some weakness in the operating system used by your router or gateway. Some operating
systems can be disrupted by simply sending a packet with incorrect length information.
Wireless Networking Overview
The CG814WG v2 Gateway conforms to the Institute of Electrical and Electronics Engineers (IEEE) 802.11b standard for wireless LANs (WLANs). On an 802.11b wireless link, data is encoded using direct-sequence spread-spectrum (DSSS) technology and is transmitted in the unlicensed radio spectrum at 2.5GHz. The maximum data rate for the wireless link is 11 Mbps, but it will automatically back down from 11 Mbps to 5.5, 2, and 1 Mbps when the radio signal is weak or when interference is detected.
The 802.11b standard is also called Wireless Ethernet or Wi-Fi by the Wireless Ethernet Compatibility Alliance (WECA, see ), an industry standard group promoting interoperability among 802.11b devices. The 802.11b standard offers two methods for configuring a wireless network: ad hoc and infrastructure.
Infrastructure Mode
With a wireless Access Point, you can operate the wireless LAN in the infrastructure mode. This
mode provides wireless connectivity to multiple wireless network devices within a fixed range or
area of coverage, interacting with wireless nodes via an antenna.
In the infrastructure mode, the wireless access point converts airwave data into wired Ethernet
data, acting as a bridge between the wired LAN and wireless clients. Connecting multiple Access
Points via a wired Ethernet backbone can further extend the wireless network coverage. As a
mobile computing device moves out of the range of one access point, it moves into the range of
another. As a result, wireless clients can freely roam from one Access Point domain to another and
still maintain seamless network connection.
Ad Hoc Mode (Peer-to-Peer Workgroup)
In an ad hoc network, computers are brought together as needed; thus, there is no structure or fixed
points to the network - each node can generally communicate with any other node. There is no
Access Point involved in this configuration. This mode enables you to quickly set up a small
wireless workgroup and allows workgroup members to exchange data or share printers as
supported by Microsoft networking in the various Windows operating systems. Some vendors also
refer to ad hoc networking as peer-to-peer group networking.
In this configuration, network packets are directly sent and received by the intended transmitting
and receiving stations. As long as the stations are within range of one another, this is the easiest
and least expensive way to set up a wireless network.
Network Name: Extended Service Set Identification (ESSID)
The Extended Service Set Identification (ESSID) is one of two types of Service Set Identification (SSID). In an ad hoc wireless network with no access points, the Basic Service Set Identification (BSSID) is used. In an infrastructure wireless network that includes an access point, the ESSID is used, but may still be referred to as SSID.
An SSID is a thirty-two character (maximum) alphanumeric key identifying the name of the
wireless local area network. Some vendors refer to the SSID as network name. For the wireless
devices in a network to communicate with each other, all devices must be configured with the
same SSID.
Authentication and WEP
The absence of a physical connection between nodes makes the wireless links vulnerable to
eavesdropping and information theft. To provide a certain level of security, the IEEE 802.11
standard has defined two types of authentication methods, Open System and Shared Key. With
Open System authentication, a wireless PC can join any network and receive any messages that are
not encrypted. With Shared Key authentication, only those PCs that possess the correct
authentication key can join the network. By default, IEEE 802.11 wireless devices operate in an
Open System network.
Wired Equivalent Privacy (WEP) data encryption is used when the wireless devices are configured to operate in Shared Key authentication mode. There are two shared key methods implemented in most commercially available products, 64-bit and 128-bit WEP data encryption.
802.11b Authentication
The 802.11b standard defines several services that govern how two 802.11b devices communicate.
The following events must occur before an 802.11b Station can communicate with an Ethernet
network through an access point such as the one built in to the CG814WG v2:
1. Turn on the wireless station.
2. The station listens for messages from any access points that are in range.
3. The station finds a message from an access point that has a matching SSID.
4. The station sends an authentication request to the access point.
5. The access point authenticates the station.
6. The station sends an association request to the access point.
7. The access point associates with the station.
8. The station can now communicate with the Ethernet network through the access point.
An access point must authenticate a station before the station can associate with the access point or
communicate with the network. The IEEE 802.11b standard defines two types of authentication:
Open System and Shared Key.
Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID. Alternatively, the device can use the “ANY” SSID option to associate with any available Access Point within range, regardless of its SSID.
Shared Key Authentication requires that the station and the access point have the same WEP Key to authenticate. These two authentication procedures are described below.
Open System Authentication
The following steps occur when two devices use Open System Authentication:
1. The station sends an authentication request to the access point.
2. The access point authenticates the station.
3. The station associates with the access point and joins the network.
This process is illustrated in Figure B-4 below.
Figure B-4: 802.11b open system authentication
Shared Key Authentication
The following steps occur when two devices use Shared Key Authentication:
1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP Key and the access point authenticates the station.
5. The station connects to the network.
[Figure B-4 content: client attempting to connect; FVM318 access point; cable or DSL modem. 802.11b Authentication, Open System Steps: 1) Authentication request sent to AP; 2) AP authenticates; 3) Client connects to network.]
If the decrypted text does not match the original challenge text (i.e., the access point and station do
not share the same WEP Key), then the access point will refuse to authenticate the station and the
station will be unable to communicate with either the 802.11b network or Ethernet network.
This process is illustrated in Figure B-5 below.
Figure B-5: 802.11b shared key authentication
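The authentication and association sequence described above (steps 4 through 7 of the 802.11b list, with both Open System and Shared Key authentication and the refused case where the keys do not match), as an added Python example; it is not code from the CG814WG or from NETGEAR. The `AccessPoint` and `station_join` names, the MAC strings and the keys are constructed for the example. The WEP framing (3-byte IV, RC4 keyed with the IV followed by the secret, CRC-32 integrity check value appended to the data) and the 128-octet challenge text follow the 802.11 standard; 64-bit WEP means a 5-byte secret plus the 3-byte IV. WEP and Shared Key authentication are obsolete; current networks use WPA2 or WPA3.

```python
# Simulation of 802.11 authentication and association (steps 4-7 of the text)
# with Open System and Shared Key authentication.  Added illustration, not
# NETGEAR code; names, MAC strings and keys are constructed for the example.
import os
import zlib
from typing import Dict, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher, the cipher WEP uses: XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV || secret, data || CRC-32(data))."""
    icv = zlib.crc32(data).to_bytes(4, "little")
    return iv + rc4(iv + secret, data + icv)


def wep_decrypt(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Return the data if the ICV verifies under this secret, otherwise None."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret, body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


class AccessPoint:
    def __init__(self, ssid: str, auth_mode: str, wep_key: Optional[bytes] = None) -> None:
        if auth_mode == "shared" and wep_key is None:
            raise ValueError("Shared Key authentication needs a WEP key")
        self.ssid = ssid
        self.auth_mode = auth_mode                       # "open" or "shared"
        self.wep_key = wep_key
        self.station_state: Dict[str, str] = {}          # MAC -> AUTHENTICATED / ASSOCIATED
        self.pending: Dict[str, bytes] = {}              # MAC -> outstanding challenge text

    def auth_request(self, mac: str) -> Tuple[str, Optional[bytes]]:
        """Steps 4/5: Open System succeeds at once; Shared Key answers with challenge text."""
        if self.auth_mode == "open":
            self.station_state[mac] = "AUTHENTICATED"
            return ("success", None)
        challenge = os.urandom(128)                      # 128-octet challenge text
        self.pending[mac] = challenge
        return ("challenge", challenge)

    def auth_response(self, mac: str, frame: bytes) -> str:
        """Shared Key: decrypt with our key and compare with the challenge we sent."""
        challenge = self.pending.pop(mac, None)
        if challenge is not None and wep_decrypt(self.wep_key, frame) == challenge:
            self.station_state[mac] = "AUTHENTICATED"
            return "success"
        return "refused"                                 # keys differ: no association possible

    def assoc_request(self, mac: str, ssid: str) -> str:
        """Steps 6/7: association needs prior authentication and a matching SSID ("ANY" accepted)."""
        if self.station_state.get(mac) != "AUTHENTICATED":
            return "refused"
        if ssid not in (self.ssid, "ANY"):
            return "refused"
        self.station_state[mac] = "ASSOCIATED"
        return "success"


def station_join(ap: AccessPoint, mac: str, ssid: str, wep_key: Optional[bytes] = None) -> str:
    """Station side of the exchange; returns "ASSOCIATED" or "REFUSED"."""
    kind, challenge = ap.auth_request(mac)
    if kind == "challenge":
        if wep_key is None:
            return "REFUSED"                             # no key configured on the station
        reply = wep_encrypt(wep_key, os.urandom(3), challenge)
        if ap.auth_response(mac, reply) != "success":
            return "REFUSED"
    return "ASSOCIATED" if ap.assoc_request(mac, ssid) == "success" else "REFUSED"
```

Running `station_join` against a Shared Key access point with the matching 5-byte key yields "ASSOCIATED"; with any other key the ICV check in `wep_decrypt` fails, the access point answers "refused", and the station never reaches association, which is the failure case the text describes. An association request from a station the access point has not authenticated is refused regardless of SSID.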
Overview of WEP Parameters
Before enabling WEP on an 802.11b network, you must first consider what type of encryption you
require and the key size you want to use. Typically, there are three WEP Encryption options
available for 802.11b products:
1. Do Not Use WEP: The 802.11b network does not encrypt data. For authentication purposes, the network uses Open System Authentication.
2. Use WEP for Encryption: A transmitting 802.11b device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving 802.11b device decrypts the data using the same WEP Key. For authentication purposes, the 802.11b network uses Open System Authentication.
3. Use WEP for Authentication and Encryption: A transmitting 802.11b device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving 802.11b device decrypts the data using the same WEP Key. For authentication purposes, the 802.11b network uses Shared Key Authentication.
[Figure B-5 content: client attempting to connect; FVM318 access point; cable or DSL modem. 802.11b Authentication, Shared Key Steps: 1) Authentication request sent to AP; 2) AP sends challenge text; 3) Client encrypts challenge text and sends it back to AP; 4) AP decrypts, and if correct, authenticates client; 5) Client connects to network.]