Appendix D Wireless LANs
NBG-416N User’s Guide
201
If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.
Note: EAP-MD5 cannot be used with dynamic WEP key exchange, because it derives no keying material (see Table 67 below).
For added security, the certificate-based authentication methods (EAP-TLS, EAP-TTLS and PEAP) also use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment a simple user name and password pair is more practical. Table 67 compares the features of the authentication types.
WPA(2)
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2
(IEEE 802.11i) is a wireless security standard that defines stronger encryption,
authentication and key management than WPA.
Key differences between WPA(2) and WEP are improved data encryption and user
authentication.
Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity
Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to
TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode
with Cipher block chaining Message authentication code Protocol (CCMP) to offer
stronger encryption.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated from a master key distributed by the authentication server (or, with WPA-PSK, derived from the pre-shared key). It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
Table 67 Comparison of EAP Authentication Types

                            EAP-MD5   EAP-TLS   EAP-TTLS   PEAP       LEAP
Mutual Authentication       No        Yes       Yes        Yes        Yes
Certificate – Client        No        Yes       Optional   Optional   No
Certificate – Server        No        Yes       Yes        Yes        No
Dynamic Key Exchange        No        Yes       Yes        Yes        Yes
Credential Integrity        None      Strong    Strong     Strong     Moderate
Deployment Difficulty       Easy      Hard      Moderate   Moderate   Moderate
Client Identity Protection  No        No        Yes        Yes        No
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys for every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
WPA2 uses AES (Advanced Encryption Standard), a block cipher based on the Rijndael algorithm; CCMP runs AES with 128-bit keys on 128-bit blocks.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC is a keyed function that the transmitter and the receiver each compute over the packet and then compare. If the values do not match, the data is assumed to have been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by adding an integrity check (MIC), TKIP makes it much more difficult to decrypt data on a Wi-Fi network than WEP, and so much harder for an intruder to break into the network.
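The MIC check described above, as an added example that is not part of the NBG-416N guide or ZyXEL's firmware: a Python implementation of Michael, the TKIP MIC, together with the receiver-side recompute-and-compare step. The MIC key, MAC addresses and frame payload are constructed for the demonstration; in real TKIP the key is one of the two 64-bit MIC keys carried inside the PTK, and the input to Michael is DA || SA || priority || three zero bytes || MSDU data, which tkip_mic_input builds. The implementation reproduces the standard's test vectors (for example, the all-zero key over the empty message gives 82925c1ca1d130b8).

```python
"""Michael, the TKIP Message Integrity Check: the transmitter appends
Michael(key, data) to each MSDU; the receiver recomputes it and drops the
frame on mismatch. Added example; not code from the NBG-416N guide."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _xswap(x):
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(left, right):
    """The Michael block function b(L, R) from IEEE 802.11 (TKIP)."""
    right ^= _rol(left, 17)
    left = (left + right) & MASK
    right ^= _xswap(left)
    left = (left + right) & MASK
    right ^= _rol(left, 3)
    left = (left + right) & MASK
    right ^= _ror(left, 2)
    left = (left + right) & MASK
    return left, right


def michael(key, message):
    """8-byte MIC over message under a 64-bit key. Padding is 0x5a followed
    by 4 to 7 zero bytes so the padded length is a multiple of 4."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    left, right = struct.unpack("<II", key)           # little-endian words
    padded = message + b"\x5a" + bytes(4 + (-(len(message) + 5) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        left ^= word
        left, right = _block(left, right)
    return struct.pack("<II", left, right)


def tkip_mic_input(da, sa, priority, msdu):
    """What TKIP feeds to Michael: DA || SA || priority || 3 zero bytes || MSDU."""
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


def receiver_accepts(mic_key, da, sa, priority, msdu, received_mic):
    """Receiver side: recompute the MIC and compare in constant time.
    A mismatch means the frame is treated as tampered and dropped."""
    expected = michael(mic_key, tkip_mic_input(da, sa, priority, msdu))
    return hmac.compare_digest(expected, received_mic)


if __name__ == "__main__":
    key = bytes.fromhex("d55e100510128986")                       # constructed MIC key
    da, sa = bytes.fromhex("001349aabbcc"), bytes.fromhex("0016ea112233")  # constructed MACs
    msdu = b"GET /index.html HTTP/1.0\r\n\r\n"                    # constructed payload
    mic = michael(key, tkip_mic_input(da, sa, 0, msdu))
    tampered = msdu[:4] + bytes([msdu[4] ^ 0x01]) + msdu[5:]     # one flipped bit
    print("intact accepted:", receiver_accepts(key, da, sa, 0, msdu, mic))
    print("tampered accepted:", receiver_accepts(key, da, sa, 0, tampered, mic))
```

Flipping a single bit of the payload changes the MIC, so the receiver drops the frame; because Michael is keyed, an attacker who can modify ciphertext cannot recompute a valid MIC without the MIC key.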
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a single shared passphrase instead of user-specific credentials. Because every client uses the same passphrase, and because the handshake that proves possession of it can be captured and checked offline, WPA-PSK is susceptible to brute-force and dictionary password-guessing attacks if the passphrase is weak. It is still an improvement over WEP: the passphrase is only used to derive a master key, from which fresh per-session and per-packet keys are generated, rather than being used directly as the encryption key.
User Authentication
WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to
authenticate wireless clients using an external RADIUS database.
If both the AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, use WPA2-PSK (WPA2 Pre-Shared Key), which only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to the WLAN.
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK
depending on whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2.
WEP is less secure than WPA or WPA2.
21.0.2 WPA(2)-PSK Application Example
A WPA(2)-PSK application looks as follows.
1. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
2. The AP checks each wireless client's password and (only) allows it to join the network if the password matches. The password itself is never sent over the air; the AP verifies that the client derived the same key from it.
3. The AP derives and distributes keys to the wireless clients.
4. The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.
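The four steps above, and the password-guessing weakness noted earlier in this appendix, as an added example that is not part of the NBG-416N guide or ZyXEL's firmware: Python that derives the PMK from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), derives the PTK from the two handshake nonces, builds message 2 of the four-way handshake with its EAPOL-Key MIC, and performs the AP-side check of step 2. recover_passphrase then runs the same check per candidate against a captured message 2, which is exactly why a weak PSK can be recovered offline. The MAC addresses, nonces, SSID, passphrase and wordlist are constructed; the frame layout and key derivation follow IEEE 802.11i, and the PMK function reproduces the standard's test vector (passphrase "password", SSID "IEEE").

```python
"""WPA(2)-PSK: passphrase + SSID -> PMK on both sides, PTK from the handshake
nonces, and the EAPOL-Key MIC the AP checks in message 2. Added example;
not code from the NBG-416N guide."""
import hashlib
import hmac
import os
import struct

MIC_OFFSET = 81   # 4-byte 802.1X header + EAPOL-Key fields preceding the Key MIC


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Enforces the 8 to 63 ASCII character rule from step 1."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("PSK passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    Bytes 0-15 are the KCK (keys the EAPOL MIC), 16-31 the KEK, 32-47 the CCMP TK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_key_frame(key_info, replay_counter, nonce, mic=bytes(16), key_data=b""):
    """EAPOL-Key frame: 802.1X header, RSN descriptor type 2, key info, key
    length, replay counter, nonce, IV, RSC, reserved, MIC, key data."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay_counter) + nonce
    body += bytes(16) + bytes(8) + bytes(8) + mic + struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body


def eapol_mic(kck, frame, key_version):
    """Key MIC over the frame with its MIC field zeroed: HMAC-MD5 for TKIP
    (descriptor version 1), HMAC-SHA1 truncated to 16 bytes for CCMP (version 2)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def station_message2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, key_version=2):
    """Station side: after receiving ANonce (message 1), derive the PTK and send
    SNonce in message 2, authenticated with the KCK. The passphrase is never sent."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    key_info = 0x0108 | key_version            # Pairwise | MIC | descriptor version
    frame = eapol_key_frame(key_info, 1, snonce)
    return frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame, key_version) + frame[MIC_OFFSET + 16:]


def ap_accepts(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2, key_version=2):
    """AP side of step 2: derive the PTK from its own PMK and both nonces, then
    recompute the MIC. A client holding a different passphrase fails here."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], msg2, key_version), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def recover_passphrase(candidates, ssid, ap_mac, sta_mac, anonce, snonce, msg2, key_version=2):
    """Offline dictionary check against one captured handshake: everything the
    AP needs to verify the MIC is visible on the air except the passphrase."""
    for guess in candidates:
        if 8 <= len(guess) <= 63 and ap_accepts(guess, ssid, ap_mac, sta_mac, anonce, snonce, msg2, key_version):
            return guess
    return None


if __name__ == "__main__":
    ap, sta = bytes.fromhex("001349aabbcc"), bytes.fromhex("0016ea112233")   # constructed MACs
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg2 = station_message2("correct horse", "HomeNet", ap, sta, anonce, snonce)  # constructed PSK/SSID
    print("AP accepts:", ap_accepts("correct horse", "HomeNet", ap, sta, anonce, snonce, msg2))
    wordlist = ["letmein12", "password1", "correct horse"]                  # constructed wordlist
    print("recovered:", recover_passphrase(wordlist, "HomeNet", ap, sta, anonce, snonce, msg2))
```

The cost of the attack is one PBKDF2 run (4096 HMAC-SHA1 iterations) per guess, salted with the SSID, so a long random passphrase on a non-default SSID is what makes the offline check impractical; nothing in the protocol rate-limits it.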
Figure 133 WPA(2)-PSK Authentication

21.0.3 WPA(2) with RADIUS Application Example
You need the IP address of the RADIUS server, its port number (default is 1812),
and the RADIUS shared secret. A WPA(2) application example with an external
RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution
system.
1. The AP passes the wireless client's authentication request to the RADIUS server.
2. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3. The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys for every data packet that is wirelessly communicated between the AP and the wireless clients.
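The AP-to-RADIUS exchange behind these three steps, as an added example that is not part of the NBG-416N guide or ZyXEL's firmware: Python that builds the Access-Request the AP (the NAS) sends with the client's EAP response, protects it with Message-Authenticator (RFC 3579), and then has the server return an Access-Accept that carries the PMK to the AP in MS-MPPE-Recv-Key (RFC 2548), with the Response Authenticator and Message-Authenticator bound to the shared secret and the original Request Authenticator. The shared secret, user name, MAC address, EAP bytes and PMK are constructed; the intermediate Access-Challenge round-trips of the inner EAP method are omitted, only the final request/accept pair is shown.

```python
"""AP (NAS) <-> RADIUS server: Access-Request with EAP-Message and
Message-Authenticator, Access-Accept delivering the PMK in MS-MPPE-Recv-Key.
Added example; not code from the NBG-416N guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 26, 31, 79, 80
VENDOR_MICROSOFT, MS_MPPE_RECV_KEY = 311, 17


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def attributes(pkt):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def with_message_authenticator(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the attribute
    zeroed). Responses are computed over the Request Authenticator (RFC 3579)."""
    probe = packet(code, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return attrs + attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, probe, hashlib.md5).digest())


def message_authenticator_ok(pkt, request_auth, secret):
    zeroed, received = b"", None
    for atype, value in attributes(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        zeroed += attr(atype, value)
    if received is None:
        return False
    expected = hmac.new(secret, packet(pkt[0], pkt[1], request_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def mppe_wrap(key, secret, request_auth, salt):
    """RFC 2548 2.4.3: MD5 keystream from secret, Request Authenticator and salt;
    plaintext is length byte || key || zero padding to a multiple of 16."""
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)
    out, b = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(plain), 16):
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, b = out + c, hashlib.md5(secret + c).digest()
    return salt + out


def mppe_unwrap(value, secret, request_auth):
    salt, cipher, plain = value[:2], value[2:], b""
    b = hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain, b = plain + bytes(x ^ y for x, y in zip(c, b)), hashlib.md5(secret + c).digest()
    return plain[1:1 + plain[0]]


def nas_access_request(ident, username, sta_mac, eap_response, secret):
    """Step 1: the AP forwards the client's EAP response inside an Access-Request."""
    request_auth = os.urandom(16)                   # fresh random Request Authenticator
    attrs = attr(USER_NAME, username) + attr(CALLING_STATION_ID, sta_mac) + attr(EAP_MESSAGE, eap_response)
    attrs = with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_access_accept(request, secret, pmk, salt=b"\x80\x01"):
    """Steps 2-3: accept only a request whose Message-Authenticator matches the
    secret, then hand the PMK to the AP wrapped in MS-MPPE-Recv-Key (None if bad)."""
    request_auth, ident = request[4:20], request[1]
    if not message_authenticator_ok(request, request_auth, secret):
        return None
    vsa = struct.pack("!I", VENDOR_MICROSOFT) + attr(MS_MPPE_RECV_KEY, mppe_wrap(pmk, secret, request_auth, salt))
    attrs = attr(EAP_MESSAGE, bytes([3, ident, 0, 4])) + attr(VENDOR_SPECIFIC, vsa)   # EAP-Success + key
    attrs = with_message_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return packet(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret), attrs)


def nas_extract_pmk(request, response, secret):
    """AP side of step 3: verify both authenticators against the secret and the
    original Request Authenticator, then unwrap the PMK from the VSA."""
    request_auth, attrs = request[4:20], response[20:]
    expected = response_authenticator(response[0], response[1], request_auth, attrs, secret)
    if not hmac.compare_digest(response[4:20], expected) or not message_authenticator_ok(response, request_auth, secret):
        return None
    for atype, value in attributes(response):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT and value[4] == MS_MPPE_RECV_KEY:
            return mppe_unwrap(value[6:], secret, request_auth)
    return None
```

Everything that protects the PMK in transit hinges on the shared secret the guide asks you to enter: it keys the Message-Authenticator, the Response Authenticator and the MPPE key wrapping, all of them MD5-based, which is why the secret should be long and random and the AP-to-server path is normally a trusted wired segment (port 1812, UDP).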
Security Parameters Summary
Refer to this table to see what other security parameters you should configure for
each Authentication Method/ key management protocol type. MAC address filters
are not dependent on how you configure these security features.
Table 68 Wireless Security Relational Matrix

AUTHENTICATION METHOD/    ENCRYPTION   ENTER        IEEE 802.1X
KEY MANAGEMENT PROTOCOL   METHOD       MANUAL KEY
Open                      None         No           Disable
Open                      None         No           Enable without Dynamic WEP Key
Open                      WEP          No           Enable with Dynamic WEP Key
Open                      WEP          Yes          Enable without Dynamic WEP Key
Open                      WEP          Yes          Disable
Shared                    WEP          No           Enable with Dynamic WEP Key
Shared                    WEP          Yes          Enable without Dynamic WEP Key
Shared                    WEP          Yes          Disable
WPA                       TKIP         No           Enable
WPA-PSK                   TKIP         Yes          Enable
WPA2                      AES          No           Enable
WPA2-PSK                  AES          Yes          Enable
Appendix E Services
The following table lists some commonly-used services and their associated protocols and port numbers.

Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.

Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is User-Defined, the Port(s) value is the IP protocol number, not the port number.

Port(s): This value depends on the Protocol.
• If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
• If the Protocol is User-Defined, this is the IP protocol number.

Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.
Table 69 Examples of Services

NAME                PROTOCOL      PORT(S)       DESCRIPTION
AH (IPSEC_TUNNEL)   User-Defined  51            The IPSEC AH (Authentication Header) tunneling protocol uses this service.
AIM                 TCP           5190          AOL's Internet Messenger service.
AUTH                TCP           113           Authentication protocol used by some servers.
BGP                 TCP           179           Border Gateway Protocol.
BOOTP_CLIENT        UDP           68            DHCP Client.
BOOTP_SERVER        UDP           67            DHCP Server.
CU-SEEME            TCP/UDP       7648, 24032   A popular videoconferencing solution from White Pines Software.
DNS                 TCP/UDP       53            Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
ESP (IPSEC_TUNNEL)  User-Defined  50            The IPSEC ESP (Encapsulating Security Payload) tunneling protocol uses this service.
FINGER              TCP           79            Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.