Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802

Wireless Networking Basics

B-7

202-10101-01, May 2005

WEP Configuration Options

The WEP settings must match on all 802.11 devices that are within the same wireless network as

identified by the SSID. In general, if your mobile clients will roam between access points, then all

of the 802.11 access points and all of the 802.11 client adapters on the network must have the same

WEP settings.

Note:

Whatever keys you enter for an AP, you must also enter the same keys for the client adapter

in the same order. In other words, WEP key 1 on the AP must match WEP key 1 on the client

adapter, WEP key 2 on the AP must match WEP key 2 on the client adapter, and so on.

Note:

The AP and the client adapters can have different default WEP Keys as long as the keys are

in the same order. In other words, the AP can use WEP key 2 as its default key to transmit while a

client adapter can use WEP key 3 as its default key to transmit. The two devices will communicate

as long as the AP’s WEP key 2 is the same as the client’s WEP key 2 and the AP’s WEP key 3 is

the same as the client’s WEP key 3.

Wireless Channels

The wireless frequencies used by 802.11b/g networks are discussed below.

IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the

ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz. Neighboring

channels are 5 MHz apart. However, due to spread spectrum effect of the signals, a node sending

signals using a particular channel will utilize frequency spectrum 12.5 MHz above and below the

center channel frequency. As a result, two separate wireless networks using neighboring channels

(for example, channel 1 and channel 2) in the same general vicinity will interfere with each other.

Applying two channels that allow the maximum channel separation will decrease the amount of

channel cross-talk, and provide a noticeable performance increase over networks with minimal

channel separation.

The radio frequency channels used in 802.11b/g networks are listed in

Table B-2

:

Table B-2:

802.11b/g Radio Frequency Channels

Channel

Center Frequency

Frequency Spread

1

2412 MHz

2399.5 MHz - 2424.5 MHz

2

2417 MHz

2404.5 MHz - 2429.5 MHz

3

2422 MHz

2409.5 MHz - 2434.5 MHz

Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802

B-8

Wireless Networking Basics

202-10101-01, May 2005

Note:

The available channels supported by the wireless products in various countries are different.

For example, Channels 1 to 11 are supported in the U.S. and Canada, and Channels 1 to 13 are

supported in Europe and Australia.

The preferred channel separation between the channels in neighboring wireless networks is 25

MHz (5 channels). This means that you can apply up to three different channels within your

wireless network. There are only 11 usable wireless channels in the United States. It is

recommended that you start using channel 1 and grow to use channel 6, and 11 when necessary, as

these three channels do not overlap.

WPA and WPA2 Wireless Security

Wi-Fi Protected Access (WPA and WPA2) is a specification of standards-based, interoperable

security enhancements that increase the level of data protection and access control for existing and

future wireless LAN systems.

The IEEE introduced the WEP as an optional security measure to secure 802.11b (Wi-Fi) WLANs,

but inherent weaknesses in the standard soon became obvious. In response to this situation, the

Wi-Fi Alliance announced a new security architecture in October 2002 that remedies the

shortcomings of WEP. This standard, formerly known as Safe Secure Network (SSN), is designed

to work with existing 802.11 products and offers forward compatibility with 802.11i, the new

wireless security architecture that has been defined by the IEEE.

4

2427 MHz

2414.5 MHz - 2439.5 MHz

5

2432 MHz

2419.5 MHz - 2444.5 MHz

6

2437 MHz

2424.5 MHz - 2449.5 MHz

7

2442 MHz

2429.5 MHz - 2454.5 MHz

8

2447 MHz

2434.5 MHz - 2459.5 MHz

9

2452 MHz

2439.5 MHz - 2464.5 MHz

10

2457 MHz

2444.5 MHz - 2469.5 MHz

11

2462 MHz

2449.5 MHz - 2474.5 MHz

12

2467 MHz

2454.5 MHz - 2479.5 MHz

13

2472 MHz

2459.5 MHz - 2484.5 MHz

Table B-2:

802.11b/g Radio Frequency Channels

Channel

Center Frequency

Frequency Spread

Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802

Wireless Networking Basics

B-9

202-10101-01, May 2005

WPA and WPA2 offer the following benefits:

•

Enhanced data privacy

•

Robust key management

•

Data origin authentication

•

Data integrity protection

The Wi-Fi Alliance is now performing interoperability certification testing on Wi-Fi Protected

Access products. Starting August of 2003, all new Wi-Fi certified products have to support WPA.

NETGEAR is implementing WPA and WPA2 on client and access point products. The 802.11i

standard was ratified in 2004.

How Does WPA Compare to WEP?

WEP is a data encryption method and is not intended as a user authentication mechanism. WPA

user authentication is implemented using 802.1x and the Extensible Authentication Protocol

(EAP). Support for 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x

authentication was optional. For details on EAP specifically, refer to IETF's RFC 2284.

With 802.11 WEP, all access points and client wireless adapters on a particular wireless LAN must

use the same encryption key. A major problem with the 802.11 standard is that the keys are

cumbersome to change. If you do not update the WEP keys often, an unauthorized person with a

sniffing tool can monitor your network for less than a day and decode the encrypted messages.

Products based on the 802.11 standard alone offer system administrators no effective method to

update the keys.

For 802.11, WEP encryption is optional. For WPA, encryption using Temporal Key Integrity

Protocol (TKIP) is required. TKIP replaces WEP with a new encryption algorithm that is stronger

than the WEP algorithm, but that uses the calculation facilities present on existing wireless devices

to perform encryption operations. TKIP provides important data encryption enhancements

including a per-packet key mixing function, a message integrity check (MIC) named Michael, an

extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through

these enhancements, TKIP addresses all of known WEP vulnerabilities.

Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802

B-10

Wireless Networking Basics

202-10101-01, May 2005

How Does WPA Compare to WPA2 (IEEE 802.11i)?

WPA is forward compatible with the WPA2 security specification. WPA is a subset of WPA2 and

used certain pieces of the early 802.11i draft, such as 802.1x and TKIP. The main pieces of WPA2

that are not included in WPA are secure IBSS (Ad-Hoc mode), secure fast handoff (for specialized

802.11 VoIP phones), as well as enhanced encryption protocols, such as AES-CCMP. These

features were either not yet ready for market or required hardware upgrades to implement.

What are the Key Features of WPA and WPA2 Security?

The following security features are included in the WPA and WPA2 standard:

•

WPA and WPA2 Authentication

•

WPA and WPA2 Encryption Key Management

–

Temporal Key Integrity Protocol (TKIP)

–

Michael message integrity code (MIC)

–

AES support (WPA2, requires hardware support)

•

Support for a mixture of WPA, WPA2, and WEP wireless clients to allow a migration strategy,

but mixing WEP and WPA/WPA2 is discouraged

These features are discussed below.

WPA/WPA2 addresses most of the known WEP vulnerabilities and is primarily intended for

wireless infrastructure networks as found in the enterprise. This infrastructure includes stations,

access points, and authentication servers (typically RADIUS servers). The RADIUS server holds

(or has access to) user credentials (for example, user names and passwords) and authenticates

wireless users before they gain access to the network.

The strength of WPA/WPA2 comes from an integrated sequence of operations that encompass

802.1X/EAP authentication and sophisticated key management and encryption techniques. Its

major operations include:

•

Network security capability determination. This occurs at the 802.11 level and is

communicated through WPA information elements in Beacon, Probe Response, and (Re)

Association Requests. Information in these elements includes the authentication method

(802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).

Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802

Wireless Networking Basics

B-11

202-10101-01, May 2005

The primary information conveyed in the Beacon frames is the authentication method and the

cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared

key is an authentication method that uses a statically configured pass phrase on both the

stations and the access point. This obviates the need for an authentication server, which in

many home and small office environments will not be available nor desirable. Possible cipher

suites include: WEP, TKIP, and AES (Advanced Encryption Standard). We talk more about

TKIP and AES when addressing data privacy below.

•

Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained

by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access

control prevents full access to the network until authentication completes. 802.1X

EAPOL-Key packets are used by WPA to distribute per-session keys to those stations

successfully authenticated.

The supplicant in the station uses the authentication and cipher suite information contained in

the information elements to decide which authentication method and cipher suite to use. For

example, if the access point is using the pre-shared key method then the supplicant need not

authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access

point that it is in possession of the pre-shared key. If the supplicant detects that the service set

does not contain a WPA information element then it knows it must use pre-WPA 802.1X

authentication and key management in order to access the network.

•

Key management. WPA/WPA2 features a robust key generation/management system that

integrates the authentication and data privacy functions. Keys are generated after successful

authentication and through a subsequent 4-way handshake between the station and Access

Point (AP).

•

Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in

sophisticated cryptographic and security techniques to overcome most of its weaknesses.

•

Data integrity. TKIP includes a message integrity code (MIC) at the end of each plaintext

message to ensure messages are not being spoofed.