Chapter 7 Wireless LAN
P-660HN-FxZ Series User’s Guide
These security standards vary in effectiveness. Some can be broken, such as the old Wired
Equivalent Protocol (WEP). Using WEP is better than using no security at all, but it will not
keep a determined attacker out. Other security standards are secure in themselves but can be
broken if a user does not use them properly. For example, the WPA-PSK security standard is
very secure if you use a long key which is difficult for an attacker’s software to guess - for
example, a twenty-letter long string of apparently random numbers and letters - but it is not
very secure if you use a short key which is very easy to guess - for example, a three-letter word
from the dictionary.
Because of the damage that can be done by a malicious attacker, it’s not just people who have
sensitive information on their network who should use security. Everybody who uses any
wireless network should ensure that effective security is in place.
A good way to come up with effective security keys, passwords and so on is to use obscure
information that you personally will easily remember, and to enter it in a way that appears
random and does not include real words. For example, if your mother owns a 1970 Dodge
Challenger and her favorite movie is Vanishing Point (which you know was made in 1971)
you could use “70dodchal71vanpoi” as your security key.
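The effect of key length and of the network name on a WPA-PSK key can be worked through in code. The following Python sketch is an added example, not part of the User’s Guide or the ZyXEL firmware: it derives the WPA/WPA2-PSK master key from a passphrase and SSID with the standard PBKDF2-HMAC-SHA1 construction (4096 iterations, SSID as salt) and gives a rough upper bound on guessing work. The SSIDs and the `search_space_bits` helper are constructed for illustration.

```python
import hashlib
import math
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def search_space_bits(passphrase: str) -> float:
    """Upper bound on guessing work in bits, assuming every character was
    picked at random from the character classes that appear. Real words or
    guessable personal facts make the true figure much lower."""
    if not passphrase:
        return 0.0
    alphabet = 0
    for group in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(ch in group for ch in passphrase):
            alphabet += len(group)
    if any(not ch.isalnum() for ch in passphrase):
        alphabet += 33  # remaining printable ASCII: 95 - 62
    return len(passphrase) * math.log2(alphabet)


if __name__ == "__main__":
    key = "70dodchal71vanpoi"                      # the page's example key
    print(f"{search_space_bits(key):.1f} bits upper bound")
    # Same passphrase, two constructed SSIDs: the derived keys differ, so
    # work precomputed against a factory-default SSID does not carry over.
    for ssid in ("ZyXEL", "attic-7f3a"):
        print(ssid, derive_pmk(key, ssid).hex())
    try:
        derive_pmk("cat", "ZyXEL")                 # three-letter dictionary word
    except ValueError as err:
        print("rejected:", err)
```

A three-letter word is not even a valid WPA passphrase (the minimum is eight characters), and the estimate is only an upper bound: a key assembled from facts other people can look up is weaker than its length suggests.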
The following sections introduce different types of wireless security you can set up in the
wireless network.
7.9.3.1 SSID
Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area.
You can hide the SSID instead, in which case the ZyXEL Device does not broadcast the SSID.
In addition, you should change the default SSID to something that is difficult to guess.
This type of security is fairly weak, however, because there are ways for unauthorized wireless
devices to get the SSID. In addition, unauthorized wireless devices can still see the
information that is sent in the wireless network.
7.9.3.2 MAC Address Filter
Every device that can use a wireless network has a unique identification number, called a
MAC address.[1] A MAC address is usually written using twelve hexadecimal characters[2]; for
example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each device in
the wireless network, see the device’s User’s Guide or other documentation.
You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or
not allowed to use the wireless network. If a device is allowed to use the wireless network, it
still has to have the correct information (SSID, channel, and security). If a device is not
allowed to use the wireless network, it does not matter if it has the correct information.
This type of security does not protect the information that is sent in the wireless network.
Furthermore, there are ways for unauthorized wireless devices to get the MAC address of an
authorized device. Then, they can use that MAC address to use the wireless network.
[1] Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks.
These kinds of wireless devices might not have MAC addresses.
[2] Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.
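The MAC address filter described above compares the address a device presents against a list, so the list has to treat both written notations as the same value. The following Python sketch is an added example, not code from the User’s Guide or the ZyXEL Device: it normalizes the notations and applies the allow/deny logic together with the separate check on SSID, channel and security settings. The class and function names, the hyphenated notation and the sample addresses other than 00A0C5000002 are assumptions made for illustration.

```python
import re

# Either twelve bare hex digits or six pairs joined by one consistent separator.
_MAC = re.compile(r"(?:[0-9A-F]{12}|[0-9A-F]{2}([:-])[0-9A-F]{2}(?:\1[0-9A-F]{2}){4})")


def normalize_mac(text: str) -> str:
    """Return the address as twelve upper-case hex digits, or raise ValueError."""
    candidate = text.strip().upper()
    if not _MAC.fullmatch(candidate):
        raise ValueError(f"not a MAC address: {text!r}")
    return candidate.replace(":", "").replace("-", "")


class MacFilter:
    """Allow-list or deny-list keyed on the address a device presents."""

    def __init__(self, action: str, entries):
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.action = action
        # A set of normalized values collapses one device entered in two notations.
        self.entries = {normalize_mac(e) for e in entries}

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.action == "allow" else not listed


def may_join(mac_filter: MacFilter, mac: str, credentials_ok: bool) -> bool:
    """The filter is one gate; SSID, channel and security settings are another."""
    return mac_filter.permits(mac) and credentials_ok


if __name__ == "__main__":
    # Constructed list: the first two entries are the same device.
    allow = MacFilter("allow", ["00A0C5000002", "00:a0:c5:00:00:02", "00-A0-C5-00-00-03"])
    print(sorted(allow.entries))                        # two devices, not three
    print(may_join(allow, "00:A0:C5:00:00:02", True))   # listed, right settings
    print(may_join(allow, "00:A0:C5:00:00:02", False))  # listed, wrong key
    print(may_join(allow, "00:A0:C5:00:00:99", True))   # not listed
```

The decision rests entirely on the address the device presents, which is why the filter should be combined with encryption rather than relied on alone.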
7.9.3.3 User Authentication
Authentication is the process of verifying whether a wireless device is allowed to use the
wireless network. You can make every user log in to the wireless network before using it.
However, every device in the wireless network has to support IEEE 802.1x to do this.
For wireless networks, you can store the user names and passwords for each user in a RADIUS
server. This is a server used in businesses more than in homes. If you do not have a RADIUS
server, you cannot set up user names and passwords for your users.
Unauthorized wireless devices can still see the information that is sent in the wireless network,
even if they cannot use the wireless network. Furthermore, there are ways for unauthorized
wireless users to get a valid user name and password. Then, they can use that user name and
password to use the wireless network.
7.9.3.4 Encryption
Wireless networks can use encryption to protect the information that is sent in the wireless
network. Encryption is like a secret code. If you do not know the secret code, you cannot
understand the message.
The types of encryption you can choose depend on the type of authentication. (See
Section 7.9.3.3 on page 127 for information about this.)
For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2.
If users do not log in to the wireless network, you can choose no encryption, Static WEP,
WPA-PSK, or WPA2-PSK.
Usually, you should set up the strongest encryption that every device in the wireless network
supports. For example, suppose you have a wireless network with the ZyXEL Device and you
do not have a RADIUS server. Therefore, there is no authentication. Suppose the wireless
network has two devices. Device A only supports WEP, and device B supports WEP and
WPA. Therefore, you should set up Static WEP in the wireless network.
Note: It is recommended that wireless networks use WPA-PSK, WPA, or stronger
encryption. The other types of encryption are better than none at all, but it is
still possible for unauthorized wireless devices to figure out the original
information pretty quickly.
When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option
(WPA compatible) to support WPA as well. In this case, if some of the devices support WPA
and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of
wireless network login) and select the WPA compatible option in the ZyXEL Device.
Table 43 Types of Encryption for Each Type of Authentication
            NO AUTHENTICATION   RADIUS SERVER
Weakest     No Security         WPA
            Static WEP
            WPA-PSK
Strongest   WPA2-PSK            WPA2
Many types of encryption use a key to protect the information in the wireless network. The
longer the key, the stronger the encryption. Every device in the wireless network must have
the same key.
7.9.4 Signal Problems
Because wireless networks are radio networks, their signals are subject to limitations of
distance, interference and absorption.
Problems with distance occur when the two radios are too far apart. Problems with
interference occur when other radio waves interrupt the data signal. Interference may come
from other radio transmissions, such as military or air traffic control communications, or from
machines that are coincidental emitters such as electric motors or microwaves. Problems with
absorption occur when physical objects (such as thick walls) are between the two radios,
muffling the signal.
7.9.5 BSS
A Basic Service Set (BSS) exists when all communications between wireless stations or
between a wireless station and a wired network client go through one access point (AP).
Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS traffic
blocking is disabled, wireless station A and B can access the wired network and communicate
with each other. When Intra-BSS traffic blocking is enabled, wireless station A and B can still
access the wired network but cannot communicate with each other.
Figure 63 Basic Service Set
7.9.6 MBSSID
Traditionally, you need to use different APs to configure different Basic Service Sets (BSSs).
As well as the cost of buying extra APs, there is also the possibility of channel interference.
The ZyXEL Device’s MBSSID (Multiple Basic Service Set IDentifier) function allows you to
use one access point to provide several BSSs simultaneously. You can then assign varying QoS
priorities and/or security modes to different SSIDs.
Wireless devices can use different BSSIDs to associate with the same AP.
7.9.6.1 Notes on Multiple BSSs
A maximum of eight BSSs are allowed on one AP simultaneously.
You must use different keys for different BSSs. If two wireless devices have different
BSSIDs (they are in different BSSs), but have the same keys, they may hear each other’s
communications (but not communicate with each other).
MBSSID should not replace but rather be used in conjunction with 802.1x security.
7.9.7 Wireless Distribution System (WDS)
The ZyXEL Device can act as a wireless network bridge and establish WDS (Wireless
Distribution System) links with other APs. You need to know the MAC addresses of the APs
you want to link to. Once the security settings of peer sides match one another, the connection
between devices is made.
At the time of writing, WDS security is compatible with other ZyXEL access points only.
Refer to your other access point’s documentation for details.
The following figure illustrates how a WDS link works between APs. Notebook computer A is a
wireless client connecting to access point AP 1. AP 1 has no wired Internet connection, but
can establish a WDS link with access point AP 2, which does. When AP 1 has a WDS link
with AP 2, the notebook computer can access the Internet through AP 2.
Figure 64 WDS Link Example
7.9.8 WiFi Protected Setup (WPS)
Your ZyXEL Device supports WiFi Protected Setup (WPS), which is an easy way to set up a
secure wireless network. WPS is an industry standard specification, defined by the WiFi
Alliance.
WPS allows you to quickly set up a wireless network with strong security, without having to
configure security settings manually. Each WPS connection works between two devices. Both
devices must support WPS (check each device’s documentation to make sure).
Depending on the devices you have, you can either press a button (on the device itself, or in its
configuration utility) or enter a PIN (a unique Personal Identification Number that allows one
device to authenticate the other) in each of the two devices. When WPS is activated on a
device, it has two minutes to find another device that also has WPS activated. Then, the two
devices connect and set up a secure network by themselves.
7.9.8.1 Push Button Configuration
WPS Push Button Configuration (PBC) is initiated by pressing a button on each WPS-enabled
device, and allowing them to connect automatically. You do not need to enter any information.
Not every WPS-enabled device has a physical WPS button. Some may have a WPS PBC
button in their configuration utilities instead of or in addition to the physical button.
Take the following steps to set up WPS using the button.
1. Ensure that the two devices you want to set up are within wireless range of one another.
2. Look for a WPS button on each device. If the device does not have one, log into its
configuration utility and locate the button (see the device’s User’s Guide for how to do
this - for the ZyXEL Device, see Section 7.5 on page 118).
3. Press the button on one of the devices (it doesn’t matter which). For the ZyXEL Device
you must press the WPS button for more than three seconds.
4. Within two minutes, press the button on the other device. The registrar sends the
network name (SSID) and security key through a secure connection to the enrollee.
If you need to make sure that WPS worked, check the list of associated wireless clients in the
AP’s configuration utility. If you see the wireless client in the list, WPS was successful.
7.9.8.2 PIN Configuration
Each WPS-enabled device has its own PIN (Personal Identification Number). This may either
be static (it cannot be changed) or dynamic (in some devices you can generate a new PIN by
clicking on a button in the configuration interface).
Use the PIN method instead of the push-button configuration (PBC) method if you want to
ensure that the connection is established between the devices you specify, not just the first two
devices to activate WPS in range of each other. However, you need to log into the
configuration interfaces of both devices to use the PIN method.
When you use the PIN method, you must enter the PIN from one device (usually the wireless
client) into the second device (usually the Access Point or wireless router). Then, when WPS
is activated on the first device, it presents its PIN to the second device. If the PIN matches, one
device sends the network and security information to the other, allowing it to join the network.
Take the following steps to set up a WPS connection between an access point or wireless
router (referred to here as the AP) and a client device using the PIN method.
1. Ensure WPS is enabled on both devices.
2. Access the WPS section of the AP’s configuration interface. See the device’s User’s
Guide for how to do this.
3. Look for the client’s WPS PIN; it will be displayed either on the device, or in the WPS
section of the client’s configuration interface (see the device’s User’s Guide for how to
find the WPS PIN - for the ZyXEL Device, see Section 7.4 on page 117).
4. Enter the client’s PIN in the AP’s configuration interface.
