Home » ZyXEL Manuals » Networking » ZyXEL P-660HW-T1 v2 » Manual Viewer

ZyXEL P-660HW-T1 v2 User Guide - Page 329

Dynamic WEP Key Exchange, WPA and WPA2

Get ZyXEL P-660HW-T1 v2 PDF manuals and user guides

View all ZyXEL P-660HW-T1 v2 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 329 highlights

P-660HW-T v2 User's Guide Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled. Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 148 Comparison of EAP Authentication Types Mutual Authentication Certificate - Client Certificate - Server Dynamic Key Exchange Credential Integrity Deployment Difficulty Client Identity Protection EAP-MD5 No No No No None Easy No EAP-TLS Yes Yes Yes Yes Strong Hard No EAP-TTLS Yes Optional Yes Yes Strong Moderate Yes PEAP Yes Optional Yes Yes Strong Moderate Yes LEAP Yes No No Yes Moderate Moderate No WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Appendix K Wireless LANs 329

Section	Page
P-660HW-T v2	1
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	8
Customer Support	9
Table of Contents	11
List of Figures	21
List of Tables	27
Preface	31
Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.2.1 Wireless Features	36
1.3 Applications for the ZyXEL Device	37
1.3.1 Protected Internet Access	37
1.3.2 LAN to LAN Application	38
1.4 Front Panel LEDs	38
1.5 Hardware Connection	39
Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	43
2.3.1 Using the Reset Button	43
2.4 Navigating the Web Configurator	43
2.4.1 Navigation Panel	43
2.4.2 Status Screen	46
2.4.3 Status: Any IP Table	49
2.4.4 Status: WLAN Status	49
2.4.5 Status: Bandwidth Status	50
2.4.6 Status: Packet Statistics	51
2.4.7 Changing Login Password	52
Wizard Setup for Internet Access	55
3.1 Introduction	55
3.2 Internet Access Wizard Setup	55
3.2.1 Automatic Detection	57
3.2.2 Manual Configuration	57
3.3 Wireless Connection Wizard Setup	62
3.3.1 Manually assign a WPA-PSK key	65
3.3.2 Manually assign a WEP key	66
Bandwidth Management Wizard	69
4.1 Introduction	69
4.2 Predefined Media Bandwidth Management Services	69
4.3 Bandwidth Management Wizard Setup	70
WAN Setup	75
5.1 WAN Overview	75
5.1.1 Encapsulation	75
5.1.2 Multiplexing	76
5.1.3 Encapsulation and Multiplexing Scenarios	76
5.1.4 VPI and VCI	77
5.1.5 IP Address Assignment	77
5.1.6 Nailed-Up Connection (PPP)	78
5.1.7 NAT	78
5.2 Metric	78
5.3 Traffic Shaping	79
5.3.1 ATM Traffic Classes	80
5.4 Zero Configuration Internet Access	80
5.5 Internet Connection	81
5.5.1 Configuring Advanced Internet Connection Setup	83
5.6 Configuring More Connections	84
5.6.1 More Connections Edit	85
5.6.2 Configuring More Connections Advanced Setup	88
5.7 Traffic Redirect	89
5.8 Configuring WAN Backup	90
Wireless LAN	93
6.1 Wireless Network Overview	93
6.2 Wireless Security Overview	94
6.2.1 SSID	94
6.2.2 MAC Address Filter	94
6.2.3 User Authentication	95
6.2.4 Encryption	95
6.2.5 One-Touch Intelligent Security Technology (OTIST)	96
6.3 Wireless Performance Overview	96
6.4 General Wireless LAN Screen	96
6.4.1 No Security	98
6.4.2 WEP Encryption	98
6.4.3 WPA-PSK/WPA2-PSK	99
6.4.4 WPA/WPA2	101
6.4.5 Wireless LAN Advanced Setup	103
6.5 OTIST	105
6.5.1 Enabling OTIST	105
6.5.2 Starting OTIST	107
6.5.3 Notes on OTIST	108
6.6 MAC Filter	108
LAN Setup	111
7.1 LAN Overview	111
7.1.1 LANs, WANs and the ZyXEL Device	111
7.1.2 DHCP Setup	112
7.1.3 DNS Server Address	112
7.1.4 DNS Server Address Assignment	113
7.2 LAN TCP/IP	113
7.2.1 IP Address and Subnet Mask	113
7.2.2 RIP Setup	114
7.2.3 Multicast	115
7.2.4 Any IP	115
7.3 Configuring LAN IP	117
7.3.1 Configuring Advanced LAN Setup	117
7.4 DHCP Setup	119
7.5 LAN Client List	120
7.6 LAN IP Alias	121
Network Address Translation (NAT) Screens	125
8.1 NAT Overview	125
8.1.1 NAT Definitions	125
8.1.2 What NAT Does	126
8.1.3 How NAT Works	126
8.1.4 NAT Application	127
8.1.5 NAT Mapping Types	127
8.2 SUA (Single User Account) Versus NAT	128
8.3 NAT General Setup	128
8.4 Port Forwarding	129
8.4.1 Default Server IP Address	130
8.4.2 Port Forwarding: Services and Port Numbers	130
8.4.3 Configuring Servers Behind Port Forwarding (Example)	131
8.5 Configuring Port Forwarding	131
8.5.1 Port Forwarding Rule Edit	132
8.6 Address Mapping	133
8.6.1 Address Mapping Rule Edit	135
Firewalls	137
9.1 Firewall Overview	137
9.2 Types of Firewalls	137
9.2.1 Packet Filtering Firewalls	137
9.2.2 Application-level Firewalls	138
9.2.3 Stateful Inspection Firewalls	138
9.3 Introduction to ZyXEL’s Firewall	138
9.3.1 Denial of Service Attacks	139
9.4 Denial of Service	139
9.4.1 Basics	139
9.4.2 Types of DoS Attacks	140
9.5 Stateful Inspection	143
9.5.1 Stateful Inspection Process	144
9.5.2 Stateful Inspection and the ZyXEL Device	144
9.5.3 TCP Security	145
9.5.4 UDP/ICMP Security	145
9.5.5 Upper Layer Protocols	146
9.6 Guidelines for Enhancing Security with Your Firewall	146
9.6.1 Security In General	146
9.7 Packet Filtering Vs Firewall	147
9.7.1 Packet Filtering:	147
9.7.2 Firewall	148
Firewall Configuration	149
10.1 Access Methods	149
10.2 Firewall Policies Overview	149
10.3 Rule Logic Overview	150
10.3.1 Rule Checklist	150
10.3.2 Security Ramifications	150
10.3.3 Key Fields For Configuring Rules	151
10.4 Connection Direction	151
10.4.1 LAN to WAN Rules	152
10.4.2 Alerts	152
10.5 General Firewall Policy	152
10.6 Firewall Rules Summary	153
10.6.1 Configuring Firewall Rules	155
10.6.2 Customized Services	158
10.6.3 Configuring a Customized Service	159
10.7 Example Firewall Rule	159
10.8 Predefined Services	163
10.9 Anti-Probing	165
10.10 DoS Thresholds	166
10.10.1 Threshold Values	166
10.10.2 Half-Open Sessions	167
10.10.3 Configuring Firewall Thresholds	168
Content Filtering	171
11.1 Content Filtering Overview	171
11.2 Configuring Keyword Blocking	171
11.3 Configuring the Schedule	172
11.4 Configuring Trusted Computers	173
Static Route	175
12.1 Static Route	175
12.2 Configuring Static Route	175
12.2.1 Static Route Edit	176
Bandwidth Management	179
13.1 Bandwidth Management Overview	179
13.2 Application-based Bandwidth Management	179
13.3 Subnet-based Bandwidth Management	179
13.4 Application and Subnet-based Bandwidth Management	180
13.5 Scheduler	180
13.5.1 Priority-based Scheduler	180
13.5.2 Fairness-based Scheduler	181
13.6 Maximize Bandwidth Usage	181
13.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	181
13.6.2 Maximize Bandwidth Usage Example	182
13.6.3 Bandwidth Management Priorities	183
13.7 Over Allotment of Bandwidth	184
13.8 Configuring Summary	184
13.9 Bandwidth Management Rule Setup	185
13.9.1 Rule Configuration	187
13.10 Bandwidth Monitor	189
Dynamic DNS Setup	191
14.1 Dynamic DNS Overview	191
14.1.1 DYNDNS Wildcard	191
14.2 Configuring Dynamic DNS	191
Remote Management Configuration	195
15.1 Remote Management Overview	195
15.1.1 Remote Management Limitations	195
15.1.2 Remote Management and NAT	196
15.1.3 System Timeout	196
15.2 WWW	196
15.3 Telnet	197
15.4 Configuring Telnet	197
15.5 Configuring FTP	198
15.6 SNMP	199
15.6.1 Supported MIBs	200
15.6.2 SNMP Traps	201
15.6.3 Configuring SNMP	201
15.7 Configuring DNS	202
15.8 Configuring ICMP	203
15.9 TR-069	204
Universal Plug-and-Play (UPnP)	207
16.1 Introducing Universal Plug and Play	207
16.1.1 How do I know if I'm using UPnP?	207
16.1.2 NAT Traversal	207
16.1.3 Cautions with UPnP	208
16.2 UPnP and ZyXEL	208
16.2.1 Configuring UPnP	208
16.3 Installing UPnP in Windows Example	209
16.3.1 Installing UPnP in Windows Me	209
16.3.2 Installing UPnP in Windows XP	211
16.4 Using UPnP in Windows XP Example	212
16.4.1 Auto-discover Your UPnP-enabled Network Device	212
16.4.2 Web Configurator Easy Access	215
System	219
17.1 General Setup	219
17.1.1 General Setup and System Name	219
17.1.2 General Setup	219
17.2 Time Setting	221
Logs	225
18.1 Logs Overview	225
18.1.1 Alerts and Logs	225
18.2 Viewing the Logs	225
18.3 Configuring Log Settings	226
18.3.1 Example E-mail Log	228
18.4 Log Descriptions	229
Tools	245
19.1 Firmware Upgrade	245
19.2 Configuration Screen	247
19.2.1 Backup Configuration	247
19.2.2 Restore Configuration	248
19.2.3 Back to Factory Defaults	249
19.3 Restart	249
Diagnostic	251
20.1 General Diagnostic	251
20.2 DSL Line Diagnostic	252
Troubleshooting	253
21.1 Problems Starting Up the ZyXEL Device	253
21.2 Problems with the LAN	253
21.3 Problems with the WAN	254
21.4 Problems Accessing the ZyXEL Device	255
Product Specifications	257
About ADSL	261
Internal SPTGEN	263
Wall-mounting Instructions	279
Setting up Your Computer’s IP Address	281
IP Subnetting	297
Command Interpreter	305
Firewall Commands	309
NetBIOS Filter Commands	315
Splitters and Microfilters	317
Wireless LANs	321
Pop-up Windows, JavaScripts and Java Permissions	335
Triangle Route	343
Index	345
Numerics	345
A	345
B	345
C	345
D	346
E	346
F	347
G	347
H	347
I	347
L	348
M	348
N	348
O	348
P	348
Q	349
R	349
S	349
T	350
U	350
V	351
W	351

Match case Limit results 1 per page

P-660HW-T v2 User’s Guide

Appendix K Wireless LANs

329

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when

the wireless connection times out, disconnects or reauthentication times out. A new WEP key

is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the

Wireless screen. You may still configure and store keys here, but they will not be used while

Dynamic WEP is enabled.

Note:

EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use

dynamic keys for data encryption. They are often deployed in corporate environments, but for

public deployment, a simple user name and password pair is more practical. The following

table is a comparison of the features of authentication types.

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE

802.11i) is a wireless security standard that defines stronger encryption, authentication and

key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user

authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS

server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server,

you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical)

password entered into each access point, wireless gateway and wireless client. As long as the

passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending

on whether you have an external RADIUS server or not.

Table 148

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

Yes

Certificate – Client

Yes

Optional

Certificate – Server

Yes

Dynamic Key Exchange

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity Protection

Yes