Home » ZyXEL Manuals » Networking » ZyXEL NBG334W » Manual Viewer

ZyXEL NBG334W User Guide - Page 255

Encryption, User Authentication

Get ZyXEL NBG334W PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 255 highlights

Appendix E Wireless LANs Key differences between WPA(2) and WEP are improved data encryption and user authentication. Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption. Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network. The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs an easier-touse, consistent, single, alphanumeric password. User Authentication WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2 -PSK (WPA2 -Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. NBG334W User's Guide 255

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
List of Figures	19
List of Tables	23
Introduction	27
Getting to Know Your NBG334W	29
1.1 Overview	29
1.2 AP Mode	29
1.3 Router Mode	30
1.4 Router Features vs. AP Features	30
1.5 Ways to Manage the NBG334W	31
1.6 Good Habits for Managing the NBG334W	31
1.7 LEDs	31
Introducing the Web Configurator	33
2.1 Web Configurator Overview	33
2.2 Accessing the Web Configurator	33
2.3 Resetting the NBG334W	35
2.3.1 Procedure to Use the Reset Button	35
2.4 Navigating the Web Configurator	35
2.5 The Status Screen in Router Mode	35
2.5.1 Navigation Panel	38
2.5.2 Summary: Any IP Table	40
2.5.3 Summary: Bandwidth Management Monitor	40
2.5.4 Summary: DHCP Table	41
2.5.5 Summary: Packet Statistics	41
2.5.6 Summary: Wireless Station Status	42
Connection Wizard	45
3.1 Wizard Setup	45
3.2 Connection Wizard: STEP 1: System Information	46
3.2.1 System Name	46
3.2.2 Domain Name	47
3.3 Connection Wizard: STEP 2: Wireless LAN	47
3.3.1 Basic (WEP) Security	49
3.3.2 Extend (WPA-PSK or WPA2-PSK) Security	50
3.4 Connection Wizard: STEP 3: Internet Configuration	50
3.4.1 Ethernet Connection	51
3.4.2 PPPoE Connection	51
3.4.3 PPTP Connection	52
3.4.4 Your IP Address	54
3.4.5 WAN IP Address Assignment	54
3.4.6 IP Address and Subnet Mask	55
3.4.7 DNS Server Address Assignment	55
3.4.8 WAN IP and DNS Server Address Assignment	56
3.4.9 WAN MAC Address	57
3.5 Connection Wizard: STEP 4: Bandwidth management	58
3.6 Connection Wizard Complete	58
AP Mode	61
4.1 AP Mode Overview	61
4.2 Setting your NBG334W to AP Mode	61
4.3 The Status Screen in AP Mode	62
4.3.1 Navigation Panel	64
4.4 Configuring Your Settings	65
4.4.1 LAN Settings	65
4.4.2 WLAN and Maintenance Settings	66
4.5 Logging in to the Web Configurator in AP Mode	66
Network	67
Wireless LAN	69
5.1 Wireless Network Overview	69
5.2 Wireless Security Overview	71
5.2.1 SSID	71
5.2.2 MAC Address Filter	71
5.2.3 User Authentication	72
5.2.4 Encryption	72
5.3 Roaming	73
5.3.1 Requirements for Roaming	74
5.4 Quality of Service	74
5.4.1 WMM QoS	75
5.5 General Wireless LAN Screen	75
5.5.1 No Security	76
5.5.2 WEP Encryption	77
5.5.3 WPA-PSK/WPA2-PSK	79
5.5.4 WPA/WPA2	80
5.6 MAC Filter	82
5.7 Wireless LAN Advanced Screen	83
5.8 Quality of Service (QoS) Screen	84
5.8.1 Application Priority Configuration	86
Wireless Tutorial	89
6.1 How to Connect to the Internet from a Notebook	89
6.1.1 Example Parameters	89
6.2 Enable and Configure Wireless Security on your NBG334W	89
6.3 Configure Your Notebook	91
WAN	93
7.1 WAN Overview	93
7.2 WAN MAC Address	93
7.3 Multicast	93
7.4 Internet Connection	94
7.4.1 Ethernet Encapsulation	94
7.4.2 PPPoE Encapsulation	95
7.4.3 PPTP Encapsulation	98
7.5 Advanced WAN Screen	101
LAN	103
8.1 LAN Overview	103
8.1.1 IP Pool Setup	103
8.1.2 System DNS Servers	103
8.2 LAN TCP/IP	103
8.2.1 Factory LAN Defaults	103
8.2.2 IP Address and Subnet Mask	104
8.2.3 Multicast	104
8.2.4 Any IP	104
8.3 LAN IP Screen	106
8.4 LAN IP Alias	106
8.5 Advanced LAN Screen	107
DHCP	109
9.1 DHCP	109
9.2 DHCP Server General Screen	109
9.3 DHCP Server Advanced Screen	110
9.4 Client List Screen	111
Network Address Translation (NAT)	113
10.1 NAT Overview	113
10.2 Using NAT	113
10.2.1 Port Forwarding: Services and Port Numbers	113
10.2.2 Configuring Servers Behind Port Forwarding Example	114
10.3 General NAT Screen	114
10.4 NAT Application Screen	115
10.4.1 Game List Example	117
10.5 Trigger Port Forwarding	118
10.5.1 Trigger Port Forwarding Example	118
10.5.2 Two Points To Remember About Trigger Ports	119
10.6 NAT Advanced Screen	119
Dynamic DNS	123
11.1 Dynamic DNS Introduction	123
11.1.1 DynDNS Wildcard	123
11.2 Dynamic DNS Screen	123
Security	125
Firewall	127
12.1 Introduction to ZyXEL’s Firewall	127
12.1.1 What is a Firewall?	127
12.1.2 Stateful Inspection Firewall	127
12.1.3 About the NBG334W Firewall	127
12.1.4 Guidelines For Enhancing Security With Your Firewall	128
12.2 Triangle Routes	128
12.2.1 Triangle Routes and IP Alias	128
12.3 General Firewall Screen	129
12.4 Services Screen	130
Content Filtering	133
13.1 Introduction to Content Filtering	133
13.2 Restrict Web Features	133
13.3 Days and Times	133
13.4 Filter Screen	133
13.5 Schedule	135
13.6 Customizing Keyword Blocking URL Checking	136
13.6.1 Domain Name or IP Address URL Checking	136
13.6.2 Full Path URL Checking	136
13.6.3 File Name URL Checking	136
Management	137
Static Route Screens	139
14.1 Static Route Overview	139
14.2 IP Static Route Screen	139
14.2.1 Static Route Setup Screen	140
Bandwidth Management	143
15.1 Bandwidth Management Overview	143
15.2 Application-based Bandwidth Management	143
15.3 Subnet-based Bandwidth Management	143
15.4 Application and Subnet-based Bandwidth Management	144
15.5 Bandwidth Management Priorities	144
15.6 Predefined Bandwidth Management Services	145
15.6.1 Services and Port Numbers	146
15.7 Default Bandwidth Management Classes and Priorities	148
15.8 Bandwidth Management General Configuration	149
15.9 Bandwidth Management Advanced Configuration	149
15.9.1 Rule Configuration	151
15.10 Bandwidth Management Monitor	152
Remote Management	153
16.1 Remote Management Overview	153
16.1.1 Remote Management Limitations	153
16.1.2 Remote Management and NAT	154
16.1.3 System Timeout	154
16.2 WWW Screen	154
16.3 Telnet	155
16.4 Telnet Screen	155
16.5 FTP Screen	156
16.6 DNS Screen	157
Universal Plug-and-Play (UPnP)	159
17.1 Introducing Universal Plug and Play	159
17.1.1 How do I know if I'm using UPnP?	159
17.1.2 NAT Traversal	159
17.1.3 Cautions with UPnP	159
17.2 UPnP and ZyXEL	160
17.3 UPnP Screen	160
17.4 Installing UPnP in Windows Example	161
Maintenance and Troubleshooting	171
System	173
18.1 System Overview	173
18.2 System General Screen	173
18.3 Time Setting Screen	174
Logs	177
19.1 View Log	177
19.2 Log Settings	178
19.3 Log Descriptions	181
Tools	191
20.1 Firmware Upload Screen	191
20.2 Configuration Screen	192
20.2.1 Backup Configuration	193
20.2.2 Restore Configuration	193
20.2.3 Back to Factory Defaults	194
20.3 Restart Screen	194
Configuration Mode	197
Sys Op Mode	199
22.1 Overview	199
22.1.1 Router	199
22.1.2 AP	199
22.2 Selecting System Operation Mode	200
Troubleshooting	203
23.1 Power, Hardware Connections, and LEDs	203
23.2 NBG334W Access and Login	204
23.3 Internet Access	206
23.4 Resetting the NBG334W to Its Factory Defaults	207
23.5 Wireless Router/AP Troubleshooting	207
23.6 Advanced Features	208
Appendices and Index	209
Product Specifications and Wall- Mounting Instructions	211
Pop-up Windows, JavaScripts and Java Permissions	217
IP Addresses and Subnetting	223
Setting up Your Computer’s IP Address	231
23.6.1 Verifying Settings	246
Wireless LANs	247
23.6.2 WPA(2)-PSK Application Example	256
23.6.3 WPA(2) with RADIUS Application Example	256
Services	259
Legal Information	263

Match case Limit results 1 per page

Appendix E Wireless LANs

NBG334W User’s Guide

255

Key differences between WPA(2) and WEP are improved data encryption and user

authentication.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol

(TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also

uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining

Message authentication code Protocol (CCMP) to offer stronger encryption.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and

distributed by the authentication server. It includes a per-packet key mixing function, a

Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with

sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is

never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP

that then sets up a key hierarchy and management system, using the pair-wise key to

dynamically generate unique data encryption keys to encrypt every data packet that is

wirelessly communicated between the AP and the wireless clients. This all happens in the

background automatically.

WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit

mathematical algorithm called Rijndael.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data

packets, altering them and resending them. The MIC provides a strong mathematical function

in which the receiver and the transmitter each compute and then compare the MIC. If they do

not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity

checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi

network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference

between the two is that WPA-PSK uses a simple common password, instead of user-specific

credentials. The common-password approach makes WPA-PSK susceptible to brute-force

password-guessing attacks but it's still an improvement over WEP as it employs an easier-to-

use, consistent, single, alphanumeric password.

User Authentication

WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to

authenticate wireless clients using an external RADIUS database.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS

server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server,

you should use WPA2 -PSK (WPA2 -Pre-Shared Key) that only requires a single (identical)

password entered into each access point, wireless gateway and wireless client. As long as the

passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending

on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is

less secure than WPA or WPA2.