ZyXEL Communications P320W 802.11g Wireless Firewall Router User Manual ZyBook
ZyXEL Communications Corporation 802.11g Wireless Firewall Router ZyBook
Contents
- 1. Users Manual 1
- 2. Users Manual 2
- 3. Users Manual 3
- 4. Users Manual 4
- 5. Users Manual 5
Users Manual 5
| Download: |  |
| Mirror Download [FCC.gov] | |
| Document ID | 598767 |
| Application ID | J77H3mpKzl7SRIrtSERLYw== |
| Document Description | Users Manual 5 |
| Short Term Confidential | No |
| Permanent Confidential | No |
| Supercede | No |
| Document Type | User Manual |
| Display Format | Adobe Acrobat PDF - pdf |
| Filesize | 138.62kB (1732729 bits) |
| Date Submitted | 2005-11-03 00:00:00 |
| Date Available | 2005-11-03 00:00:00 |
| Creation Date | 2005-11-03 14:03:35 |
| Producing Software | Acrobat Distiller 5.0.5 (Windows) |
| Document Lastmod | 2005-11-03 15:38:09 |
| Document Title | ZyBook.book |
| Document Creator | FrameMaker 7.1 |
| Document Author: | 11947 |
P-320W User’s Guide Figure 119 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT). 11Turn on your Prestige and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt. 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Appendix C Setting up Your Computer’s IP Address 181 P-320W User’s Guide Figure 120 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 121 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 182 Appendix C Setting up Your Computer’s IP Address P-320W User’s Guide 4 For statically assigned settings, do the following: • • • • From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Prestige in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration. 7 Turn on your Prestige and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the TCP/IP Control Panel window. Macintosh OS X 1 Click the Apple menu, and click System Preferences to open the System Preferences window. Figure 122 Macintosh OS X: Apple Menu 2 Click Network in the icon bar. • • • Select Automatic from the Location list. Select Built-in Ethernet from the Show list. Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. Appendix C Setting up Your Computer’s IP Address 183 P-320W User’s Guide Figure 123 Macintosh OS X: Network 4 For statically assigned settings, do the following: • • • • From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Prestige in the Router address box. 5 Click Apply Now and close the window. 6 Turn on your Prestige and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version. 184 Appendix C Setting up Your Computer’s IP Address P-320W User’s Guide Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network. Figure 124 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 125 Red Hat 9.0: KDE: Ethernet Device: General Appendix C Setting up Your Computer’s IP Address 185 P-320W User’s Guide • • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields. 3 Click OK to save the changes and close the Ethernet Device General screen. 4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided. Figure 126 Red Hat 9.0: KDE: Network Configuration: DNS 5 Click the Devices tab. 6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens. Figure 127 Red Hat 9.0: KDE: Network Configuration: Activate 7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen. Using Configuration Files Follow the steps below to edit the network configuration files and set your computer IP address. 186 Appendix C Setting up Your Computer’s IP Address P-320W User’s Guide 1 Assuming that you have only one network card on the computer, locate the ifconfigeth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor. • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example. Figure 128 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0. Figure 129 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=static IPADDR=192.168.1.10 NETMASK=255.255.255.0 USERCTL=no PEERDNS=yes TYPE=Ethernet 2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified. Figure 130 Red Hat 9.0: DNS Settings in resolv.conf nameserver 172.23.5.1 nameserver 172.23.5.2 3 After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example. Appendix C Setting up Your Computer’s IP Address 187 P-320W User’s Guide Figure 131 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: Shutting down loopback interface: Setting network parameters: Bringing up loopback interface: Bringing up interface eth0: [OK] [OK] [OK] [OK] [OK] Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 132 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000 [root@localhost]# 188 Appendix C Setting up Your Computer’s IP Address P-320W User’s Guide APPENDIX D PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 133 on page 190). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP. Benefits of PPPoE PPPoE offers the following benefits: It provides you with a familiar dial-up networking (DUN) user interface. It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users. For GSTN (PSTN and ISDN), the switching fabric is already in place. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional Dial-up Scenario The following diagram depicts a typical hardware configuration where the computers use traditional dial-up networking. Appendix D PPPoE 189 P-320W User’s Guide Figure 133 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions. With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the computer and the ISP. ZyWALL as a PPPoE Client When using the ZyWALL as a PPPoE client, the computers on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual computers. Figure 134 ZyWALL as a PPPoE Client 190 Appendix D PPPoE P-320W User’s Guide APPENDIX E PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the computer and the modem over Ethernet. For the rest of the connection, the PPP frames are transported with PPP over AAL5 (RFC 2364) The PPP connection, however, is still between the computer and the ISP. The various connections in this setup are depicted in the following diagram. The drawback of this solution is that it requires one separate ATM VC per destination. Figure 135 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup, it appears as a computer to the ANT. In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created from Windows 95, 98 and NT clients to an NT server in a remote location. The pass-through feature allows users on the network to access a different remote server using the ZyWALL's Internet connection. In SUA/NAT mode, the ZyWALL is able to pass the PPTP packets to the internal PPTP server (i.e. NT server) behind the NAT. You need to configure port forwarding for port 1723 to have the ZyWALL forward PPTP packets to the server. In the case above as the remote PPTP Client initializes the PPTP connection, the user must configure the PPTP clients. The ZyWALL initializes the PPTP connection hence; there is no need to configure the remote PPTP clients. Appendix E PPTP 191 P-320W User’s Guide PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS. The PPTP user is not necessarily a PPP client (can be a PPP server too). Both the PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS. Figure 136 PPTP Protocol Overview Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the computer, and hence the ZyWALL, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server. Control & PPP Connections Each PPTP session has distinct control connection and PPP data connection. Call Connection The control connection runs over TCP. Similar to L2TP, a tunnel control connection is first established before call control messages can be exchanged. Please note that a tunnel control connection supports multiple call sessions. The following diagram depicts the message exchange of a successful call setup between a computer and an ANT. 192 Appendix E PPTP P-320W User’s Guide Figure 137 Example Message Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header. Appendix E PPTP 193 P-320W User’s Guide 194 Appendix E PPTP P-320W User’s Guide APPENDIX F Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an Ad-hoc wireless LAN. Figure 138 Peer-to-Peer Communication in an Ad-hoc Network BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled, wireless station A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless station A and B can still access the wired network but cannot communicate with each other. Appendix F Wireless LANs 195 P-320W User’s Guide Figure 139 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate. 196 Appendix F Wireless LANs P-320W User’s Guide Figure 140 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance. Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. RTS/CTS A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Appendix F Wireless LANs 197 P-320W User’s Guide Figure 141 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked. When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. 198 Appendix F Wireless LANs P-320W User’s Guide A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type A preamble is used to synchronize the transmission timing in your wireless network. There are two preamble modes: Long and Short. Short preamble takes less time to process and minimizes overhead, so it should be used in a good wireless network environment when all wireless stations support it. Select Long if you have a ‘noisy’ network or are unsure of what preamble mode your wireless stations support as all IEEE 802.11b compliant wireless adapters must support long preamble. However, not all wireless adapters support short preamble. Use long preamble if you are unsure what preamble mode the wireless adapters support, to ensure interpretability between the AP and the wireless stations and to provide more reliable communication in ‘noisy’ networks. Select Dynamic to have the AP automatically use short preamble when all wireless stations support it, otherwise the AP uses long preamble. Note: The AP and the wireless stations MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows: Table 85 IEEE802.11g DATA RATE (MBPS) MODULATION DBPSK (Differential Binary Phase Shift Keyed) DQPSK (Differential Quadrature Phase Shift Keying) 5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Appendix F Wireless LANs 199 P-320W User’s Guide IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: • User based identification that allows for roaming. • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless stations. RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users. • Authorization Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless station and the network RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: • Access-Request Sent by an access point requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. 200 Appendix F Wireless LANs P-320W User’s Guide • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another AccessRequest message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: • Accounting-Request Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. EAP Authentication EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server or the AP. The following figure shows an overview of authentication when you specify a RADIUS server on your access point. Figure 142 EAP Authentication The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix. 1 The wireless station sends a “start” message to the device. 2 The device sends a “request identity” message to the wireless station for identity information. Appendix F Wireless LANs 201 P-320W User’s Guide 3 The wireless station replies with identity information, including username and password. 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station. Types of Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAPTTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information. EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless station. The wireless station ‘proves’ that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless stations for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. 202 Appendix F Wireless LANs P-320W User’s Guide PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. WEP Encryption WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key. WEP Authentication Steps Three different methods can be used to authenticate wireless stations to the network: Open System, Shared Key, and Auto. The following figure illustrates the steps involved. Appendix F Wireless LANs 203 P-320W User’s Guide Figure 143 WEP Authentication Steps Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all as any station can gain access to the network. Shared key authentication involves a four-message procedure. A wireless station sends a shared key authentication request to the AP, which will then reply with a challenge text message. The wireless station must then use the AP’s default WEP key to encrypt the challenge text and return it to the AP, which attempts to decrypt the message using the AP’s default WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated. When your device authentication method is set to open system, it will only accept open system authentication requests. The same is true for shared key authentication. However, when it is set to auto authentication, the device will accept either type of authentication request and the device will fall back to use open authentication if the shared key does not match. Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled. 204 Appendix F Wireless LANs P-320W User’s Guide Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 86 Comparison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate – Client No Yes Optional Optional No Certificate – Server No Yes Yes Yes No Dynamic Key Exchange No Yes Yes Yes Yes Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity Protection No No Yes Yes No WPA User Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless stations using an external RADIUS database. Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations. This all happens in the background automatically. AES (Advanced Encryption Standard) also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. Appendix F Wireless LANs 205 P-320W User’s Guide The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decrypt data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network. The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-touse, consistent, single, alphanumeric password. Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 87 Wireless Security Relational Matrix AUTHENTICATION ENCRYPTION ENTER METHOD/ KEY METHOD MANUAL KEY MANAGEMENT PROTOCOL ENABLE IEEE 802.1X Open None No No Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable Shared WEP WPA WEP No Yes WPA TKIP No Yes WPA-PSK WEP Yes Yes WPA-PSK TKIP Yes Yes Roaming A wireless station is a device with an IEEE 802.11 mode compliant wireless adapter. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area. 206 Appendix F Wireless LANs P-320W User’s Guide In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors. The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 144. If the roaming feature is not enabled on the access points, information is not communicated between the access points when a wireless station moves between coverage areas. The wireless station may not be able to communicate with other wireless stations on the network and vice versa. Figure 144 Roaming Example The steps below describe the roaming process. 1 As wireless station Y moves from the coverage area of access point P1 to that of access point 2 P2, it scans and uses the signal of access point P2. 3 Access point P2 acknowledges the presence of wireless station Y and relays this information to access point P1 through the wired LAN. 4 Access point P1 updates the new position of wireless station. 5 Wireless station Y sends a request to access point P2 for re-authentication. Appendix F Wireless LANs 207 P-320W User’s Guide Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. 1 All the access points must be on the same subnet and configured with the same ESSID. 2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station. 3 The adjacent access points should use different radio channels when their coverage areas overlap. 4 All access points must use the same port number to relay roaming information. 5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment. 208 Appendix F Wireless LANs P-320W User’s Guide APPENDIX G Antenna Selection and Positioning Recommendation An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Choosing the right antennas and positioning them properly increases the range and coverage area of a wireless LAN. Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz (IEEE 802.11b) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN. Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage area. Antenna Gain Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides. Appendix G Antenna Selection and Positioning Recommendation 209 P-320W User’s Guide Types of Antennas For WLAN There are two types of antennas used for wireless LAN applications. • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. • Directional antennas concentrate the RF signal in a beam, like a flashlight. The angle of the beam width determines the direction of the coverage pattern; typically ranges from 20 degrees (less directional) to 90 degrees (very directional). The directional antennas are ideal for hallways and outdoor point-to-point applications. Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to –point application, position both transmitting and receiving antenna at the same height and in a direct line of sight to each other to attend the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. 210 Appendix G Antenna Selection and Positioning Recommendation P-320W User’s Guide Index Numerics 110V AC 6 230V AC 6 802.1x 70 Abnormal Working Conditions 7 AC 6 Accessories 6 Acts of God 7 Airflow 6 Alternative Subnet Mask Notation 167 American Wire Gauge 6 Antenna Directional 210 Omni-directional 210 Antenna gain 209 AP (access point) 197 Authentication 203 Authority 4 AWG 6 Certifications 5 Changes or Modifications 4 Channel 197 Interference 197 Channel ID 64 Charge 7 Circuit 4 Class B 4 Communications 4 Compliance, FCC 4 Components 7 Condition 7 Configuration 41, 95 Connecting Cables 6 Consequential Damages 7 Contact Information 8 Contacting Customer Support 8 Copyright 3 Correcting Interference 4 Corrosive Liquids 6 Covers 6 CTS (Clear to Send) 198 Customer Support 8 Backup 147 Basement 6 Basic wireless security 49 BSS 195 CA 202 Cables, Connecting 6 Certificate Authority 202 Damage 6 Dampness 6 Danger 6 Dealer 4 Default 148 Defective 7 Denmark, Contact Information 8 DHCP 41, 93, 95, 96, 136 DHCP Table Summary 41 DHCP_client list 97 Disclaimer 3 Discretion 7 Domain Name 102 Dust 6 211 P-320W User’s Guide Dynamic DNS 136 Dynamic WEP Key Exchange 204 DYNDNS Wildcard 136 EAP 61 EAP Authentication 201, 202 ECHO 102 Electric Shock 6 Electrical Pipes 6 Electrocution 6 Encryption 205 Equal Value 7 ESS 196 Ethernet 163 Ethernet Encapsulation 102 Europe 6 Exposure 6 Extended Service Set 196 Extended Service Set IDentification 64 Extended wireless security 50 Factory LAN Defaults 93 Failure 7 FCC 4 Compliance 4 Rules, Part 15 4 FCC Rules 4 Federal Communications Commission 4 Finger 102 Finland, Contact Information 8 Firewall 109, 110 Firmware File Maintenance 146 Fitness 7 Fragmentation Threshold 198 Fragmentation threshold 198 France, Contact Information 8 FTP 93, 102, 119, 136 FTP Restrictions 119 Functionally Equivalent 7 212 Gas Pipes 6 General Setup 135 General wireless LAN screen 63 Germany, Contact Information 8 Global 100 God, act of 7 Harmful Interference 4 Hidden node 197 High Voltage Points 6 Host 136 Host IDs 165 HTTP 102 IBSS 195 IEEE 802.11g 30, 199 IEEE 802.11i 30 Independent Basic Service Set 195 Indirect Damages 7 initialization vector (IV) 205 Inside 100 Inside Global Address 99 Inside Local Address 99 Install UPnP Windows XP 128 Insurance 7 Interference 4 Interference Correction Measures 4 Interference Statement 4 Internet Access Setup 152 IP Address 41, 94, 97, 101, 102, 104, 105 IP Addressing 165 IP Classes 165 IP Pool 96 IP Pool Setup 93 P-320W User’s Guide Labor 7 LAN Setup 81, 93 LAN TCP/IP 93 Legal Rights 7 Liability 3 License 3 Lightning 6 Liquids, Corrosive 6 Local 100 MAC Address Filter Action 77 MAC Address Filtering 76 MAC Filter 76 MAC filter 62 Management Information Base (MIB) 121 Materials 7 Merchantability 7 Message Integrity Check (MIC) 205 Metric 82, 117 Modifications 4 NAT 101, 102 Definitions 99 How NAT Works 100 Server Sets 102 What NAT does 100 Navigation Panel 39 Network Management 102 New 7 NNTP 102 North America 6 North America Contact Information 8 Norway, Contact Information 8 OTIST 72 OTIST Wizard 51 Out-dated Warranty 7 Outlet 4 Outside 100 Packet statistics 42 Pairwise Master Key (PMK) 205 Parts 7 Patent 3 Permission 3 Photocopying 3 Pipes 6 Point-to-Point Tunneling Protocol 87, 102 Pool 6 POP3 102 Port Numbers 102 Postage Prepaid. 7 Power Adaptor 6 Power Cord 6 Power Outlet 6 Power Supply 6 Power Supply, repair 6 PPPoE 189 PPTP 102 Preamble Mode 199 Product Model 8 Product Page 5 Product Serial Number 8 Products 7 Proof of Purchase 7 Proper Operating Condition 7 Purchase, Proof of 7 Purchaser 7 Qualified Service Personnel 6 Opening 6 Operating Condition 7 Radio Communications 4 213 P-320W User’s Guide Radio Frequency Energy 4 Radio Interference 4 Radio Reception 4 Radio Technician 4 RADIUS 200 Shared Secret Key 201 RADIUS Message Types 200 RADIUS Messages 200 Receiving Antenna 4 Registered 3 Registered Trademark 3 Regular Mail 8 Related Documentation 25 Relocate 4 Re-manufactured 7 Remote Management and NAT 119 Remote Management Limitations 119 Removing 6 Reorient 4 Repair 6, 7 Replace 7 Replacement 7 Reproduction 3 Restore 7, 147 Return Material Authorization (RMA) Number 7 Returned Products 7 Returns 7 RF (Radio Frequency) 30 Rights 3 Rights, Legal 7 Risk 6 Risks 6 RMA 7 Roaming 78, 206 Example 207 Requirements 208 RTS (Request To Send) 198 RTS Threshold 197, 198 Safety Warnings 6 Security Parameters 206 Separation Between Equipment and Receiver 4 Serial Number 8 Service 6, 7 Service Personnel 6 Service Set 64 214 Service Type 152 Services 102, 111 Shipping 7 Shock, Electric 6 SMTP 102 SNMP 102, 110, 121 Manager 121 MIBs 122 Spain, Contact Information 9 Stateful Inspection 109 Static DHCP 96 Static Route 115 SUA 102, 103 Subnet Mask 94 Subnet Masks 166 Subnetting 166 Supply Voltage 6 Support E-mail 8 Sweden, Contact Information 9 Swimming Pool 6 Syntax Conventions 25 System information 46 System Timeout 120 Tampering 7 TCP/IP 94 Telecommunication Line Cord. 6 Telephone 8 Television Interference 4 Television Reception 4 Temporal Key Integrity Protocol (TKIP) 205 TFTP Restrictions 119 Thunderstorm 6 Time Zone 137 Trademark 3 Trademark Owners 3 Trademarks 3 Traffic Redirect 90 Translation 3 Trigger Port Forwarding Process 106 TV Technician 4 P-320W User’s Guide Undesired Operations 4 Universal Plug and Play (UPnP) 125 User Authentication 205 User Name 137 Workmanship 7 Worldwide Contact Information 8 WPA 67 Written Permission 3 Value 7 Vendor 6 Ventilation Slots 6 Viewing Certifications 5 Voltage Supply 6 Voltage, High 6 VPN 87 ZyNOS 3 ZyXEL Communications Corporation 3 ZyXEL Home Page 5 ZyXEL Limited Warranty Note 7 ZyXEL Network Operating System 3 Wall Mount 6 WAN advanced 89 WAN MAC address 57 WAN Wizard 52 Warnings 6 Warranty 7 Warranty Information 8 Warranty Period 7 Water 6 Water Pipes 6 Web 120 Web Configurator 35, 37 Web Site 8 WEP (Wired Equivalent Privacy) 31 WEP Encryption 66, 68 WEP encryption 65, 203 Wet Basement 6 Wi-Fi Protected Access 67 Wi-Fi Protected Access (WPA) 30 Wireless association list summary 42 Wireless Client WPA Supplicants 69 Wireless LAN MAC Address Filtering 31 Wireless LAN Wizard 47 Wireless security 61 WLAN Interference 197 Security parameters 206 215
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Encryption : Standard V2.3 (128-bit) User Access : Print, Annotate, Fill forms, Extract, Print high-res Page Count : 35 XMP Toolkit : XMP toolkit 2.9.1-14, framework 1.6 About : uuid:46d82e61-13ba-42c4-889f-15263d068b6c Modify Date : 2005:11:03 15:38:09+08:00 Create Date : 2005:11:03 14:03:35+08:00 Metadata Date : 2005:11:03 15:38:09+08:00 Document ID : uuid:6cf2d010-812f-441e-9ac4-55bcdbeecbde Format : application/pdf Tagged PDF : Yes Title : ZyBook.book Creator : FrameMaker 7.1 Author : 11947 Producer : Acrobat Distiller 5.0.5 (Windows)EXIF Metadata provided by EXIF.tools