Home » ZyXEL Manuals » Networking » ZyXEL P-662HW-61 » Manual Viewer

ZyXEL P-662HW-61 User Guide - Page 403

Dynamic WEP Key Exchange, WPA and WPA2

Get ZyXEL P-662HW-61 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 403 highlights

Appendix D Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. " EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 161 Comparison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate - Client No Yes Optional Optional No Certificate - Server No Yes Yes Yes No Dynamic Key Exchange No Yes Yes Yes Yes Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity Protection No No Yes Yes No WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. P-662H/HW-D Series User's Guide 403

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	23
List of Tables	31
Introduction and Wizards	37
Getting To Know Your ZyXEL Device	39
1.1 Introducing the ZyXEL Device	39
1.1.1 Applications of the ZyXEL Device	39
1.1.2 Firewall for Secure Broadband Internet Access	40
1.1.3 Front Panel LEDs	41
Introducing the Web Configurator	43
2.1 Web Configurator Overview	43
2.2 Accessing the Web Configurator	43
2.3 Resetting the ZyXEL Device	46
2.3.1 Using the Reset Button	46
2.4 Navigating the Web Configurator	47
2.4.1 Navigation Panel	47
2.4.2 Status Screen	50
2.4.3 Status: Any IP Table	53
2.4.4 Status: WLAN Status	53
2.4.5 Status: Bandwidth Status	54
2.4.6 Status: VPN Status	54
2.4.7 Status: Packet Statistics	55
2.4.8 Changing Login Password	57
Wizard Setup for Internet Access	59
3.1 Introduction	59
3.2 Internet Access Wizard Setup	59
3.2.1 Automatic Detection	61
3.2.2 Manual Configuration	61
3.3 Wireless Connection Wizard Setup	66
3.3.1 Automatically assign a WPA key	69
3.3.2 Manually assign a WPA-PSK key	69
3.3.3 Manually assign a WEP key	69
Bandwidth Management Wizard	73
4.1 Introduction	73
4.2 Predefined Media Bandwidth Management Services	73
4.3 Bandwidth Management Wizard Setup	74
Network	79
WAN Setup	81
5.1 WAN Overview	81
5.1.1 Encapsulation	81
5.1.2 Multiplexing	82
5.1.3 VPI and VCI	82
5.1.4 IP Address Assignment	82
5.1.5 Nailed-Up Connection (PPP)	83
5.1.6 NAT	83
5.2 Metric	83
5.3 Traffic Shaping	84
5.3.1 ATM Traffic Classes	85
5.4 Zero Configuration Internet Access	85
5.5 Internet Connection	86
5.5.1 Configuring Advanced Internet Connection	87
5.6 Configuring More Connections	89
5.6.1 More Connections Edit	90
5.6.2 Configuring More Connections Advanced Setup	92
5.7 Traffic Redirect	94
5.8 Configuring WAN Backup	94
5.9 WAN Backup Advanced Screen	96
5.10 Dial Backup Modem Setup	99
LAN Setup	101
6.1 LAN Overview	101
6.1.1 LANs, WANs and the ZyXEL Device	101
6.1.2 DHCP Setup	102
6.1.3 DNS Server Address	102
6.1.4 DNS Server Address Assignment	102
6.2 LAN TCP/IP	103
6.2.1 IP Address and Subnet Mask	103
6.2.2 RIP Setup	104
6.2.3 Multicast	104
6.2.4 Any IP	105
6.3 Configuring LAN IP	106
6.3.1 Configuring Advanced LAN Setup	107
6.4 DHCP Setup	108
6.5 LAN Client List	109
6.6 LAN IP Alias	110
Wireless LAN	113
7.1 Wireless Network Overview	113
7.2 Wireless Security Overview	114
7.2.1 SSID	114
7.2.2 MAC Address Filter	114
7.2.3 User Authentication	114
7.2.4 Encryption	115
7.2.5 One-Touch Intelligent Security Technology (OTIST)	116
7.3 Wireless Performance Overview	116
7.3.1 Quality of Service (QoS)	116
7.4 Additional Wireless Terms	116
7.5 General Wireless LAN Screen	117
7.5.1 No Security	118
7.5.2 WEP Encryption Screen	119
7.5.3 WPA(2)-PSK	120
7.5.4 WPA(2) Authentication Screen	122
7.5.5 Wireless LAN Advanced Setup	124
7.6 OTIST	125
7.6.1 Enabling OTIST	125
7.6.2 Starting OTIST	127
7.6.3 Notes on OTIST	128
7.7 MAC Filter	129
7.8 WMM QoS	130
7.8.1 WMM QoS Example	130
7.8.2 WMM QoS Priorities	130
7.8.3 Services	131
7.9 QoS Screen	131
7.9.1 ToS (Type of Service) and WMM QoS	131
7.9.2 Application Priority Configuration	132
7.10 Multiple SSID (P-662HW-D Models only)	133
7.10.1 Multiple SSID Commands	134
7.10.2 Multiple SSID Example	135
DMZ	137
8.1 Introduction	137
8.2 Configuring DMZ	137
8.3 DMZ Public IP Address Example	139
Network Address Translation (NAT) Screens	141
9.1 NAT Overview	141
9.1.1 NAT Definitions	141
9.1.2 What NAT Does	142
9.1.3 How NAT Works	142
9.1.4 NAT Application	142
9.1.5 NAT Mapping Types	143
9.2 SUA (Single User Account) Versus NAT	144
9.3 NAT General Setup	144
9.4 Port Forwarding	145
9.4.1 Default Server IP Address	146
9.4.2 Port Forwarding: Services and Port Numbers	146
9.4.3 Configuring Servers Behind Port Forwarding (Example)	146
9.5 Configuring Port Forwarding	147
9.5.1 Port Forwarding Rule Edit	148
9.6 Address Mapping	149
9.6.1 Address Mapping Rule Edit	150
9.7 Trigger Port	151
9.8 Edit Trigger Port	153
Security	155
Firewalls	157
10.1 Firewall Overview	157
10.2 Types of Firewalls	157
10.2.1 Packet Filtering Firewalls	157
10.2.2 Application-level Firewalls	158
10.2.3 Stateful Inspection Firewalls	158
10.3 Introduction to ZyXEL’s Firewall	158
10.3.1 Denial of Service Attacks	159
10.4 Denial of Service	159
10.4.1 Basics	159
10.4.2 Types of DoS Attacks	160
10.5 Stateful Inspection	162
10.5.1 Stateful Inspection Process	163
10.5.2 Stateful Inspection and the ZyXEL Device	164
10.5.3 TCP Security	164
10.5.4 UDP/ICMP Security	165
10.5.5 Upper Layer Protocols	165
10.6 Guidelines for Enhancing Security with Your Firewall	166
10.6.1 Security In General	166
10.7 Packet Filtering Vs Firewall	167
10.7.1 Packet Filtering:	167
10.7.2 Firewall	167
Firewall Configuration	169
11.1 Access Methods	169
11.2 Firewall Policies Overview	169
11.3 Rule Logic Overview	170
11.3.1 Security Ramifications	170
11.3.2 Key Fields For Configuring Rules	171
11.4 Connection Direction	171
11.4.1 LAN to WAN Rules	172
11.4.2 Alerts	172
11.5 General Firewall Policy	172
11.6 Firewall Rules Summary	173
11.6.1 Configuring Firewall Rules	175
11.6.2 Customized Services	178
11.6.3 Configuring A Customized Service	178
11.7 Example Firewall Rule	179
11.8 Predefined Services	183
11.9 Anti-Probing	185
11.10 DoS Thresholds	186
11.10.1 Threshold Values	186
11.10.2 Half-Open Sessions	187
11.10.3 Configuring Firewall Thresholds	187
Content Filtering	191
12.1 Content Filtering Overview	191
12.2 Configuring Keyword Blocking	191
12.3 Configuring the Schedule	192
12.4 Configuring Trusted Computers	193
Content Access Control	195
13.1 Content Access Control Overview	195
13.1.1 Content Access Control WLAN Application	195
13.1.2 Configuration Steps	195
13.2 Activating CAC and Creating User Groups	196
13.2.1 Configuring Time Schedule	197
13.2.2 Configuring Services	198
13.2.3 Configuring Web Site Filters	200
13.2.4 Testing Web Site Access Privileges	205
13.3 User Account Setup	206
13.4 User Online Status	207
13.5 Trusted Devices	208
13.6 Trusted-external Websites	208
13.7 Content Access Control Logins	209
13.7.1 User Login	209
13.7.2 Administrator Login	210
Register	211
14.1 myZyXEL.com overview	211
14.1.1 Subscription Services Available on the ZyXEL Device	211
14.2 Registration	212
14.3 Service	213
Introduction to IPSec	215
15.1 VPN Overview	215
15.1.1 IPSec	215
15.1.2 Security Association	215
15.1.3 Other Terminology	215
15.1.4 VPN Applications	216
15.2 IPSec Architecture	216
15.2.1 IPSec Algorithms	217
15.2.2 Key Management	217
15.3 Encapsulation	217
15.3.1 Transport Mode	218
15.3.2 Tunnel Mode	218
15.4 IPSec and NAT	218
VPN Screens	221
16.1 VPN/IPSec Overview	221
16.2 IPSec Algorithms	221
16.2.1 AH (Authentication Header) Protocol	221
16.2.2 ESP (Encapsulating Security Payload) Protocol	221
16.3 My IP Address	222
16.4 Secure Gateway Address	222
16.4.1 Dynamic Secure Gateway Address	223
16.5 VPN Setup Screen	223
16.6 Keep Alive	225
16.7 VPN, NAT, and NAT Traversal	225
16.8 Remote DNS Server	226
16.9 ID Type and Content	227
16.9.1 ID Type and Content Examples	228
16.10 Pre-Shared Key	229
16.11 Editing VPN Policies	229
16.12 IKE Phases	233
16.12.1 Negotiation Mode	234
16.12.2 Diffie-Hellman (DH) Key Groups	235
16.12.3 Perfect Forward Secrecy (PFS)	235
16.13 Configuring Advanced IKE Settings	235
16.14 Manual Key Setup	238
16.14.1 Security Parameter Index (SPI)	238
16.15 Configuring Manual Key	238
16.16 Viewing SA Monitor	241
16.17 Configuring Global Setting	242
16.18 Telecommuter VPN/IPSec Examples	243
16.18.1 Telecommuters Sharing One VPN Rule Example	243
16.18.2 Telecommuters Using Unique VPN Rules Example	244
16.19 VPN and Remote Management	245
Certificates	247
17.1 Certificates Overview	247
17.1.1 Advantages of Certificates	248
17.2 Self-signed Certificates	248
17.3 Configuration Summary	248
17.4 My Certificates	248
17.5 My Certificate Import	250
17.5.1 Certificate File Formats	251
17.6 My Certificate Create	252
17.7 My Certificate Details	254
17.8 Trusted CAs	257
17.9 Trusted CA Import	259
17.10 Trusted CA Details	260
17.11 Trusted Remote Hosts	262
17.12 Verifying a Trusted Remote Host’s Certificate	264
17.12.1 Trusted Remote Host Certificate Fingerprints	264
17.13 Trusted Remote Hosts Import	265
17.14 Trusted Remote Host Certificate Details	265
17.15 Directory Servers	268
17.16 Directory Server Add or Edit	269
Advanced	271
Static Route	273
18.1 Static Route Overview	273
18.2 Configuring Static Routes	274
18.2.1 Static Route Edit	275
Bandwidth Management	277
19.1 Bandwidth Management Overview	277
19.2 Application-based Bandwidth Management	277
19.3 Subnet-based Bandwidth Management	277
19.4 Application and Subnet-based Bandwidth Management	278
19.5 Scheduler	278
19.5.1 Priority-based Scheduler	278
19.5.2 Fairness-based Scheduler	279
19.6 Maximize Bandwidth Usage	279
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	279
19.6.2 Maximize Bandwidth Usage Example	279
19.6.3 Bandwidth Management Priorities	281
19.7 Configuring Summary	281
19.8 Bandwidth Management Rule Setup	282
19.8.1 Rule Configuration	283
19.9 Bandwidth Monitor	286
Dynamic DNS Setup	287
20.1 Dynamic DNS Overview	287
20.1.1 DYNDNS Wildcard	287
20.2 Configuring Dynamic DNS	287
Remote Management Configuration	291
21.1 Remote Management Overview	291
21.1.1 Remote Management Limitations	292
21.1.2 Remote Management and NAT	292
21.1.3 System Timeout	292
21.2 WWW	292
21.3 Telnet	294
21.4 Configuring Telnet	294
21.5 Configuring FTP	295
21.6 SNMP	296
21.6.1 Supported MIBs	297
21.6.2 SNMP Traps	297
21.6.3 Configuring SNMP	297
21.7 Configuring DNS	299
21.8 Configuring ICMP	299
21.9 TR-069	300
Universal Plug-and-Play (UPnP)	303
22.1 Introducing Universal Plug and Play	303
22.1.1 How do I know if I'm using UPnP?	303
22.1.2 NAT Traversal	303
22.1.3 Cautions with UPnP	303
22.2 UPnP and ZyXEL	304
22.2.1 Configuring UPnP	304
22.3 Installing UPnP in Windows Example	305
22.4 Using UPnP in Windows XP Example	308
Maintenance, Troubleshooting and Specifications	315
System	317
23.1 General Setup and System Name	317
23.1.1 System Configuration	317
23.2 Time Setting	319
Logs	323
24.1 Logs Overview	323
24.1.1 Alerts and Logs	323
24.2 Viewing the Logs	323
24.3 Configuring Log Settings	324
24.4 SMTP Error Messages	326
24.4.1 Example E-mail Log	327
Tools	329
25.1 Firmware Upgrade	329
25.2 Configuration Screen	331
25.2.1 Backup Configuration	331
25.2.2 Restore Configuration	332
25.2.3 Back to Factory Defaults	333
25.3 Restart	333
Diagnostic	335
26.1 General Diagnostic	335
26.2 DSL Line Diagnostic	336
Troubleshooting	337
27.1 Problems Starting Up the ZyXEL Device	337
27.2 Problems with the LAN	337
27.3 Problems with the WAN	338
27.4 Problems Accessing the ZyXEL Device	338
27.4.1 Pop-up Windows, JavaScripts and Java Permissions	339
27.4.2 ActiveX Controls in Internet Explorer	344
Product Specifications	347
28.1 General ZyXEL Device Specifications	347
28.2 Wall-mounting Instructions	351
Appendices and Index	353
Setting up Your Computer’s IP Address	355
Pop-up Windows, JavaScripts and Java Permissions	377
IP Addresses and Subnetting	385
Wireless LANs	395
Management with Wireless Zero Configuration	409
Common Services	423
Virtual Circuit Topology	427
Importing Certificates	429
NetBIOS Filter Commands	435
Command Interpreter	437
Internal SPTGEN	443
Log Descriptions	459
Legal Information	475
Customer Support	479

Match case Limit results 1 per page

Appendix D Wireless LANs

P-662H/HW-D Series User’s Guide

403

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when

the wireless connection times out, disconnects or reauthentication times out. A new WEP key

is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the

wireless security configuration screen. You may still configure and store keys, but they will

not be used while dynamic WEP is enabled.

EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use

dynamic keys for data encryption. They are often deployed in corporate environments, but for

public deployment, a simple user name and password pair is more practical. The following

table is a comparison of the features of authentication types.

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE

802.11i) is a wireless security standard that defines stronger encryption, authentication and

key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user

authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS

server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server,

you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical)

password entered into each access point, wireless gateway and wireless client. As long as the

passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending

on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is

less secure than WPA or WPA2.

Table 161

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

Yes

Certificate – Client

Yes

Optional

Certificate – Server

Yes

Dynamic Key Exchange

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity Protection

Yes