Home » ZyXEL Manuals » Networking » ZyXEL P-2802HWL-I1 » Manual Viewer

ZyXEL P-2802HWL-I1 User Guide - Page 371

Security Parameters Summary

Get ZyXEL P-2802HWL-I1 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 371 highlights

Appendix D Wireless LANs Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations. This all happens in the background automatically. AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decrypt data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network. The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs an easier-touse, consistent, single, alphanumeric password. Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 166 Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY ENABLE IEEE 802.1X Open None No No Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable P-2802H(W)(L)-I Series User's Guide 371

Section	Page
User's Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	21
List of Tables	27
Introduction	33
Introducing the ZyXEL Device	35
1.1 Overview	35
1.2 Ways to Manage the ZyXEL Device	36
1.3 Good Habits for Managing the ZyXEL Device	37
1.4 Applications for the ZyXEL Device	37
1.4.1 Secure Internet Access	37
1.4.2 Wireless LAN Application	38
1.4.3 Making Calls via Internet Telephony Service Provider	38
1.4.4 Making Peer-to-peer Calls	39
1.5 LEDs	40
1.6 The RESET Button	41
1.6.1 Using The Reset Button	41
Introducing the Web Configurator	43
2.1 Web Configurator Overview	43
2.1.1 Accessing the Web Configurator	43
2.2 Web Configurator Main Screen	46
2.2.1 Title Bar	46
2.2.2 Navigation Panel	47
2.2.3 Main Window	49
2.2.4 Status Bar	49
Wizard	51
Internet and Wireless Setup Wizard	53
3.1 Introduction	53
3.2 Internet Access Wizard Setup	53
3.3 Wireless Connection Wizard Setup	58
3.3.1 Manually Assign a WPA-PSK key	61
3.3.2 Manually Assign a WEP Key	61
VoIP Wizard And Example	65
4.1 Introduction	65
4.2 VoIP Wizard Setup	65
Advanced	71
Status Screens	73
5.1 Status Screen	73
5.2 Any IP Table	76
5.3 WLAN Status (“W” models only)	77
5.4 Packet Statistics	77
5.5 VoIP Statistics	79
WAN Setup	83
6.1 WAN Overview	83
6.1.1 PPP over Ethernet	83
6.1.2 IP Address Assignment	83
6.1.3 Nailed-Up Connection (PPP)	84
6.2 Internet Access Setup	84
6.2.1 Advanced Internet Access Setup	86
6.3 WAN Interface Setup	87
LAN Setup	89
7.1 LAN Overview	89
7.1.1 LANs, WANs and the ZyXEL Device	89
7.1.2 DHCP Setup	90
7.2 DNS Server Addresses	90
7.3 LAN TCP/IP	90
7.3.1 IP Address and Subnet Mask	91
7.3.2 RIP Setup	92
7.3.3 Multicast	92
7.3.4 Any IP	93
7.4 Configuring LAN IP	94
7.4.1 Configuring Advanced LAN Setup	95
7.5 DHCP Setup	96
7.6 LAN Client List	97
7.7 LAN IP Alias	99
Wireless LAN	101
8.1 Wireless Network Overview	101
8.2 Wireless Security Overview	102
8.2.1 SSID	102
8.2.2 MAC Address Filter	102
8.2.3 User Authentication	102
8.2.4 Encryption	103
8.2.5 One-Touch Intelligent Security Technology (OTIST)	104
8.3 Additional Wireless Terms	104
8.4 General WLAN Screen	104
8.4.1 No Security	105
8.4.2 WEP Encryption Screen	106
8.4.3 WPA(2)-PSK	107
8.4.4 WPA(2) Authentication Screen	109
8.4.5 Wireless LAN Advanced Setup	110
8.5 OTIST Screen	111
8.5.1 Notes on OTIST	113
8.6 MAC Filter	114
Network Address Translation (NAT) Screens	117
9.1 NAT General Overview	117
9.1.1 NAT Definitions	117
9.1.2 What NAT Does	118
9.1.3 How NAT Works	118
9.1.4 NAT Application	118
9.1.5 NAT Mapping Types	119
9.2 SUA (Single User Account) Versus NAT	120
9.3 NAT General Setup	120
9.4 Port Forwarding	121
9.4.1 Default Server IP Address	122
9.4.2 Port Forwarding: Services and Port Numbers	122
9.4.3 Configuring Servers Behind Port Forwarding (Example)	122
9.5 Configuring Port Forwarding	123
9.5.1 Port Forwarding Rule Edit	124
9.6 Address Mapping	125
9.6.1 Address Mapping Rule Edit	126
9.6.2 SIP ALG	128
Voice	129
10.1 Introduction to VoIP	129
10.2 SIP	129
10.2.1 SIP Identities	129
10.2.2 SIP Call Progression	130
10.2.3 SIP Servers	130
10.2.4 RTP	132
10.2.5 Pulse Code Modulation	132
10.2.6 Voice Coding	132
10.2.7 PSTN Call Setup Signaling	133
10.2.8 MWI (Message Waiting Indication)	133
10.2.9 Custom Tones (IVR)	133
10.3 Quality of Service (QoS)	134
10.3.1 Type of Service (ToS)	134
10.3.2 DiffServ	134
10.3.3 VLAN Tagging	135
10.4 SIP Settings Screen	135
10.5 Advanced SIP Setup Screen	137
10.6 SIP QoS Screen	141
10.7 Phone	141
10.7.1 Voice Activity Detection/Silence Suppression	141
10.7.2 Comfort Noise Generation	142
10.7.3 Echo Cancellation	142
10.8 Analog Phone Screen	142
10.9 Advanced Analog Phone Setup Screen	143
10.10 Common Phone Settings Screen	144
10.11 Phone Services Overview	145
10.11.1 The Flash Key	145
10.11.2 Europe Type Supplementary Phone Services	145
10.11.3 USA Type Supplementary Services	147
10.12 Phone Region Screen	148
10.13 Speed Dial	148
10.14 Incoming Call Policy Screen	150
10.15 PSTN Line (“L” models only)	152
10.16 PSTN Line Screen (“L” models only)	152
Firewalls	155
11.1 Firewall Overview	155
11.1.1 Stateful Inspection Firewall	155
11.1.2 About the ZyXEL Device Firewall	155
11.1.3 Guidelines For Enhancing Security With Your Firewall	156
11.2 General Firewall Policy Overview	156
11.3 Security Considerations	158
11.4 Triangle Route	158
11.4.1 The “Triangle Route” Problem	158
11.4.2 Solving the “Triangle Route” Problem	159
11.5 General Firewall Policy	160
11.6 Firewall Rules Summary	161
11.6.1 Configuring Firewall Rules	163
11.6.2 Customized Services	166
11.6.3 Configuring A Customized Service	166
11.7 Example Firewall Rule	167
11.8 Firewall Thresholds	171
11.8.1 Threshold Values	172
11.8.2 Configuring Firewall Thresholds	172
Content Filtering	175
12.1 Content Filtering Overview	175
12.2 Configuring Keyword Blocking	175
12.3 Configuring the Schedule	176
12.4 Configuring Trusted Computers	177
Introduction to IPSec	179
13.1 VPN Overview	179
13.1.1 IPSec	179
13.1.2 Security Association	179
13.1.3 Other Terminology	179
13.1.4 VPN Applications	180
13.2 IPSec Architecture	180
13.2.1 IPSec Algorithms	181
13.2.2 Key Management	181
13.3 Encapsulation	181
13.3.1 Transport Mode	182
13.3.2 Tunnel Mode	182
13.4 IPSec and NAT	182
VPN Screens	185
14.1 VPN/IPSec Overview	185
14.2 IPSec Algorithms	185
14.2.1 AH (Authentication Header) Protocol	185
14.2.2 ESP (Encapsulating Security Payload) Protocol	185
14.3 My IP Address	186
14.4 Secure Gateway Address	186
14.4.1 Dynamic Secure Gateway Address	187
14.5 VPN Setup Screen	187
14.6 Keep Alive	189
14.7 VPN, NAT, and NAT Traversal	189
14.8 Remote DNS Server	190
14.9 ID Type and Content	191
14.9.1 ID Type and Content Examples	192
14.10 Pre-Shared Key	193
14.11 Editing VPN Policies	193
14.12 IKE Phases	198
14.12.1 Negotiation Mode	199
14.12.2 Diffie-Hellman (DH) Key Groups	199
14.12.3 Perfect Forward Secrecy (PFS)	200
14.13 Configuring Advanced IKE Settings	200
14.14 Manual Key Setup	202
14.14.1 Security Parameter Index (SPI)	202
14.15 Configuring Manual Key	203
14.16 Viewing SA Monitor	205
14.17 Configuring Global Setting	207
14.18 Telecommuter VPN/IPSec Examples	207
14.18.1 Telecommuters Sharing One VPN Rule Example	207
14.18.2 Telecommuters Using Unique VPN Rules Example	208
14.19 VPN and Remote Management	210
Certificates	211
15.1 Certificates Overview	211
15.1.1 Advantages of Certificates	212
15.2 Self-signed Certificates	212
15.3 Configuration Summary	212
15.4 My Certificates	212
15.5 My Certificate Import	214
15.5.1 Certificate File Formats	215
15.6 My Certificate Create	216
15.7 My Certificate Details	218
15.8 Trusted CAs	221
15.9 Trusted CA Import	223
15.10 Trusted CA Details	224
15.11 Trusted Remote Hosts	226
15.12 Verifying a Trusted Remote Host’s Certificate	228
15.12.1 Trusted Remote Host Certificate Fingerprints	228
15.13 Trusted Remote Hosts Import	229
15.14 Trusted Remote Host Certificate Details	229
15.15 Directory Servers	232
15.16 Directory Server Add and Edit	233
Static Route	235
16.1 Static Route	235
16.2 Configuring Static Route	235
16.2.1 Static Route Edit	236
Quality of Service (QoS)	239
17.1 QoS Overview	239
17.1.1 IEEE 802.1Q Tag	239
17.1.2 IP Precedence	240
17.1.3 DiffServ	240
17.1.4 Automatical Priority Queue Assignment	241
17.2 Configuring QoS General Screen	241
17.3 Class Setup	242
17.3.1 Class Configuration	243
17.3.2 QoS Example	246
17.4 QoS Monitor	248
Dynamic DNS Setup	251
18.1 Dynamic DNS Overview	251
18.1.1 DYNDNS Wildcard	251
18.2 Configuring Dynamic DNS	251
Remote Management Configuration	255
19.1 Remote Management Overview	255
19.1.1 Remote Management Limitations	256
19.1.2 Remote Management and NAT	256
19.1.3 System Timeout	256
19.2 WWW (HTTP and HTTPS)	257
19.3 WWW	258
19.4 HTTPS Example	259
19.4.1 Internet Explorer Warning Messages	259
19.4.2 Netscape Navigator Warning Messages	260
19.4.3 Avoiding the Browser Warning Messages	260
19.4.4 Login Screen	261
19.5 Telnet	263
19.6 Configuring Telnet	263
19.7 Configuring FTP	264
19.8 SNMP	265
19.8.1 Supported MIBs	266
19.8.2 SNMP Traps	267
19.8.3 Configuring SNMP	267
19.9 Configuring DNS	268
19.10 Configuring ICMP	269
Universal Plug-and-Play (UPnP)	271
20.1 Introducing Universal Plug and Play	271
20.1.1 How do I know if I'm using UPnP?	271
20.1.2 NAT Traversal	271
20.1.3 Cautions with UPnP	271
20.2 UPnP and ZyXEL	272
20.2.1 Configuring UPnP	272
20.3 Installing UPnP in Windows Example	273
20.4 Using UPnP in Windows XP Example	276
Maintenance, Troubleshooting and Specifications	283
System	285
21.1 General Setup and System Name	285
21.1.1 General Setup	285
21.2 Time Setting	287
Logs	289
22.1 Logs Overview	289
22.1.1 Alerts and Logs	289
22.2 Viewing the Logs	289
22.3 Configuring Log Settings	290
22.4 SMTP Error Messages	292
22.4.1 Example E-mail Log	293
22.5 Log Descriptions	294
Tools	303
23.1 Introduction	303
23.2 Filename Conventions	303
23.3 File Maintenance Over WAN	304
23.4 Firmware Upgrade Screen	305
23.5 Backup and Restore	306
23.5.1 Backup Configuration	307
23.5.2 Restore Configuration	307
23.5.3 Reset to Factory Defaults	308
23.6 Restart	309
23.7 Using FTP or TFTP to Back Up Configuration	309
23.7.1 Using the FTP Commands to Back Up Configuration	309
23.7.2 FTP Command Configuration Backup Example	310
23.7.3 Configuration Backup Using GUI-based FTP Clients	310
23.7.4 Backup Configuration Using TFTP	310
23.7.5 TFTP Command Configuration Backup Example	311
23.7.6 Configuration Backup Using GUI-based TFTP Clients	311
23.8 Using FTP or TFTP to Restore Configuration	312
23.8.1 Restore Using FTP Session Example	312
23.9 FTP and TFTP Firmware and Configuration File Uploads	312
23.9.1 FTP File Upload Command from the DOS Prompt Example	313
23.9.2 FTP Session Example of Firmware File Upload	313
23.9.3 TFTP File Upload	313
23.9.4 TFTP Upload Command Example	314
Diagnostic	315
24.1 General Diagnostic	315
24.2 DSL Line Diagnostic	315
Troubleshooting	317
25.1 Power, Hardware Connections, and LEDs	317
25.2 ZyXEL Device Access and Login	318
25.3 Internet Access	320
25.4 Phone Calls and VoIP	321
25.5 Problems With Multiple SIP Accounts	322
25.5.1 Outgoing Calls	322
25.5.2 Incoming Calls	323
Product Specifications	325
Appendices and Index	335
Setting up Your Computer’s IP Address	337
Pop-up Windows, JavaScripts and Java Permissions	349
IP Addresses and Subnetting	355
Wireless LANs	363
Services	373
Internal SPTGEN	377
Legal Information	401
Customer Support	405

Match case Limit results 1 per page

Appendix D Wireless LANs

P-2802H(W)(L)-I Series User’s Guide

371

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or

Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication

server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named

Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is

never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up

a key hierarchy and management system, using the PMK to dynamically generate unique data

encryption keys to encrypt every data packet that is wirelessly communicated between the AP

and the wireless stations. This all happens in the background automatically.

AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES

applies a 128-bit key to 128-bit blocks of data.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data

packets, altering them and resending them. The MIC provides a strong mathematical function

in which the receiver and the transmitter each compute and then compare the MIC. If they do

not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity

checking mechanism (MIC), TKIP makes it much more difficult to decrypt data on a Wi-Fi

network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference

between the two is that WPA-PSK uses a simple common password, instead of user-specific

credentials. The common-password approach makes WPA-PSK susceptible to brute-force

password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-

use, consistent, single, alphanumeric password.

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each

Authentication Method/ key management protocol type. MAC address filters are not

dependent on how you configure these security features.

Table 166

Wireless Security Relational Matrix

AUTHENTICATION

METHOD/ KEY

MANAGEMENT PROTOCOL

ENCRYPTIO

N METHOD

ENTER

MANUAL KEY

ENABLE IEEE 802.1X

Open

None

Open

WEP

Enable with Dynamic WEP Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable