Zyxel VFG6005N Router Manual PDF (Setup & Configuration Guide)

Page 146 / 162 Scroll up to view Page 141 - 145

137

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still

configure and store keys here, but they will not be used while Dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with dynamic WEP key exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data

encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and

password pair is more practical. The following table is a comparison of the features of authentication types.

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

No

Yes

Certificate

–

Client

No

Yes

Optional

No

Certificate

–

Server

No

Yes

No

Dynamic Key Exchange

No

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity Protection

No

Yes

No

WPA(2)

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security

standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA(2) and WEP are improved data encryption and user authentication.

Page 147 / 162

138

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check

(MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode

with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the

authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an

extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS

server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system,

using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly

communicated between the AP and the wireless clients. This all happens in the background automatically.

WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and

resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute

and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is

dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC),

TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break

into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that

WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach

makes WPA-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it

employs an easier-to-use, consistent, single, alphanumeric password.

User Authentication

WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an

external RADIUS database.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger

data encryption. If you don't have an external RADIUS server, you should use WPA2 -PSK (WPA2 -Pre-Shared Key) that

only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as

the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an

external RADIUS server or not.

Page 148 / 162

139

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or

WPA2.

34.1.2

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1

First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of

between 8 and 63 ASCII characters (including spaces and symbols).

2

The AP checks each wireless client's password and (only) allows it to join the network if the password

matches.

3

The AP derives and distributes keys to the wireless clients.

4

The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between

them.

Figure 174

WPA(2)-PSK Authentication

34.1.3

WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A

WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the

distribution system.

1

The AP passes the wireless client's authentication request to the RADIUS server.

2

The RADIUS server then checks the user's identification against its database and grants or denies network

access accordingly.

Page 149 / 162

140

3

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy

and management system, using the pair-wise key to dynamically generate unique data encryption keys to

encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/ key

management protocol type. MAC address filters are not dependent on how you configure these security features.

Wireless Security Relational Matrix

AUTHENTICATION

METHOD/ KEY

MANAGEMENT

PROTOCOL

ENCRYPTI

ON

METHOD

ENTER

MANUAL KEY

IEEE 802.1X

Open

None

No

Disable

Enable without Dynamic WEP

Key

Open

WEP

No

Enable with Dynamic WEP Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable

Shared

WEP

No

Enable with Dynamic WEP Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable

Page 150 / 162

141

WPA

TKIP

No

Enable

WPA-PSK

TKIP

Yes

Enable

WPA2

AES

No

Enable

WPA2-PSK

AES

Yes

Enable

Appendix E

Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a

comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number

Authority) web site.

•

Name

: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.

•

Protocol

: This is the type of IP protocol used by the service. If this is

TCP/UDP

, then the service uses the same port

number with TCP and UDP. If this is

USER-DEFINED

, the

Port(s

) is the IP protocol number, not the port number.

•

Port(s)

: This value depends on the

Protocol

. Please refer to RFC 1700 for further information about port numbers.

•

If the

Protocol

is

TCP

,

UDP

, or

TCP/UDP

, this is the IP port number.

•

If the

Protocol

is

USER

, this is the IP protocol number.

•

Description

: This is a brief explanation of the applications that use this service or the situations in which this service is

used.

Commonly Used Services

NAME

PROTOCOL

PORT(S)

DESCRIPTION

AH

(IPSEC_TUNNEL)

User-Defined

51

The IPSEC AH (Authentication Header)

tunneling protocol uses this service.

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share