Professional Access Point

Administrator Guide

1. The best security you can have to date on a wireless network is WPA/WPA2 Enterprise (RADIUS) mode using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption technique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other APs on the network are WPA/CCMP compatible, use this encryption algorithm. If all clients are WPA2 compatible, choose to support only WPA2 clients.

2. The second best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to Both (that is, both TKIP and CCMP). This lets WPA clients without CCMP associate, uses TKIP for encrypting Multicast and Broadcast frames, and allows clients to select whether to use CCMP or TKIP for Unicast (access-point-to-single-station) frames. This WPA configuration allows more interoperability, at the expense of some security. Clients that support CCMP can use it for their Unicast frames. If you encounter access-point-to-station interoperability problems with the Both encryption algorithm setting, then you will need to select TKIP instead.

3. The third best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to TKIP. Some clients have interoperability issues with CCMP and TKIP enabled at the same time. If you encounter this problem, then choose TKIP as the encryption algorithm. This is the standard WPA mode, and the mode most interoperable with client wireless software security features. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.

SEE ALSO

For information on how to configure this security mode, see “WPA/WPA2 Enterprise (RADIUS)” on page 117 under “Configuring Security Settings”.
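The three-tier ranking above can be applied mechanically once you know what the clients on the network can negotiate. The following is an added example, not code from the guide or from USRobotics: a small decision routine that takes constructed client capability records (the Client fields are assumptions for illustration; the product only exposes the mode and encryption-algorithm settings) and returns the WPA version and encryption algorithm the guide recommends for that client population. It only models clients, so the guide's condition about other APs on the network still has to be checked by hand.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """Constructed record of what one wireless client can negotiate."""
    name: str
    wpa2: bool                  # supports WPA2 (RSN); False means WPA only
    ccmp: bool                  # supports the CCMP (AES) cipher
    handles_both: bool = True   # associates cleanly when Both (TKIP+CCMP) is offered


def recommend_mode(clients):
    """Return (wpa_versions, encryption_algorithm, reason) per the guide's ranking.

    Tier 1: every client supports CCMP -> CCMP only; if every client is also
            WPA2 capable, accept WPA2 clients only.
    Tier 2: some clients lack CCMP -> Both (TKIP for group frames, each client
            picks TKIP or CCMP for its unicast frames).
    Tier 3: some clients cannot associate when Both is offered -> TKIP only.
    """
    if not clients:
        raise ValueError("no clients given; cannot choose a mode")

    if all(c.ccmp for c in clients):
        versions = "WPA2" if all(c.wpa2 for c in clients) else "WPA/WPA2"
        return (versions, "CCMP", "all clients support CCMP")

    if all(c.handles_both for c in clients):
        laggards = sorted(c.name for c in clients if not c.ccmp)
        return ("WPA/WPA2", "Both", "no CCMP support on: " + ", ".join(laggards))

    problem = sorted(c.name for c in clients if not c.handles_both)
    return ("WPA/WPA2", "TKIP", "cannot associate with Both: " + ", ".join(problem))


if __name__ == "__main__":
    # Constructed client population: one modern laptop, one WPA-only handheld
    # that also misbehaves when both ciphers are advertised.
    fleet = [
        Client("laptop", wpa2=True, ccmp=True),
        Client("handheld", wpa2=False, ccmp=False, handles_both=False),
    ]
    print(recommend_mode(fleet))
```

The mode is chosen for the whole population, so a single legacy client drags the entire BSS down a tier; in practice that is the argument for putting such clients on a separate SSID rather than weakening the main one.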

Does Prohibiting the Broadcast of SSID Enhance Security?

You can prohibit the broadcast of the AP’s SSID to discourage stations from automatically discovering your access point. When the access point’s SSID broadcast is prohibited, the network name is not displayed in the List of Available Networks on a client device. Instead, the client must have the exact network name configured in the supplicant before the client will be able to connect.

Prohibiting the SSID broadcast is sufficient to prevent clients from accidentally connecting to your network, but it will not prevent even the simplest of attempts by a hacker to connect or to monitor insecure traffic.

This offers a minimum level of protection on an otherwise exposed network (such as a guest network) where the priority is making it easy for clients to get a connection and where no sensitive information is available.

How Does Station Isolation Protect the Network?

When Station Isolation is enabled, the access point blocks communication between wireless clients. The access point allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients.

The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See “Wireless Distribution System” on page 153 for more information about WDS.
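To make the forwarding rule concrete, here is an added example (not the access point's own code) that models the bridging decision the guide describes when Station Isolation is on: wireless-to-wired traffic passes, wireless-to-wireless traffic is dropped, and clients reached over a WDS link count as wireless. The Endpoint model, MAC addresses and frame list are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Constructed description of a device the access point can reach."""
    mac: str
    attach: str   # "wireless" (associated here), "wds" (behind a WDS link), or "wired"


def is_wireless(ep: Endpoint) -> bool:
    # Clients behind a WDS link are still wireless clients for isolation purposes.
    return ep.attach in ("wireless", "wds")


def forwards(src: Endpoint, dst: Endpoint, station_isolation: bool) -> bool:
    """Decide whether the AP bridges a unicast frame from src to dst."""
    if src.mac == dst.mac:
        return False
    if not station_isolation:
        return True
    # Isolation only blocks wireless-to-wireless paths; wired devices stay reachable.
    return not (is_wireless(src) and is_wireless(dst))


def audit(frames, endpoints, station_isolation=True):
    """Run constructed (src_mac, dst_mac) pairs through the policy and return
    the pairs that would be dropped, in input order."""
    by_mac = {e.mac: e for e in endpoints}
    dropped = []
    for src_mac, dst_mac in frames:
        if not forwards(by_mac[src_mac], by_mac[dst_mac], station_isolation):
            dropped.append((src_mac, dst_mac))
    return dropped


# Constructed sample: two laptops on this AP, a client behind a WDS link, a wired server.
ENDPOINTS = [
    Endpoint("02:00:00:00:00:01", "wireless"),
    Endpoint("02:00:00:00:00:02", "wireless"),
    Endpoint("02:00:00:00:00:03", "wds"),
    Endpoint("02:00:00:00:00:10", "wired"),
]
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", "02:00:00:00:00:10"),  # laptop -> wired server
    ("02:00:00:00:00:01", "02:00:00:00:00:02"),  # laptop -> laptop
    ("02:00:00:00:00:02", "02:00:00:00:00:03"),  # laptop -> client behind WDS
    ("02:00:00:00:00:10", "02:00:00:00:00:03"),  # wired server -> client behind WDS
]

if __name__ == "__main__":
    dropped = audit(SAMPLE_FRAMES, ENDPOINTS, station_isolation=True)
    for pair in SAMPLE_FRAMES:
        print(pair, "dropped" if pair in dropped else "forwarded")
```

Running it shows the two wireless-to-wireless pairs dropped and both paths involving the wired server forwarded; with isolation off, nothing is dropped. Note that isolation is enforced at the AP, so it says nothing about wireless clients reaching each other through some other path on the wired side.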

Security - 106

USRobotics Instant802 APSDK manual