ZyXEL Communications max208m 209

Appendix A WiMAX Security

•Authorization request and reply

The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS.

•Key request and reply

The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.

•Encrypted traffic

The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.

CCMP

All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm.

‘Counter mode’ refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.

‘Cipher Block Chaining Message Authentication’ (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of ‘chained’ blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.

Authentication

The WiMAX Device supports EAP-TTLS authentication.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server- side authentications to establish a secure connection (with EAP-TLS digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

	209
WiMAX Device Configuration User’s Guide	209

Contents

Copyright © ZyXEL Communications Corporation Page About This User's Guide Document Conventions Page Safety Warnings Contents Overview Page Table of Contents Part I: User’s Guide Chapter System Status WiMAX Network Setting The VoIP General Screens The VoIP Account Screens The VoIP Line Screens Maintenance Page Page Page Introduction to the Series 1.1 About Your WiMAX Device FEATURE FREQUENCY NUMBER OF Figure 1.2 Good Habits for Managing the WiMAX Device Introduction to the Web Configurator 2.1 Overview Table LABEL DESCRIPTION LABELDESCRIPTION 2.2 The Main Screen MENU Page Setup Wizard 3.1 Overview Page Page By Range Start Frequency Page Setup Wizard PHONE Page N mixed None WEP WPA Personal WEP Wizard Setup Tutorials 4.1 Overview 4.2WiMAX Connection Settings 4.3 Setting Up a Small Network for the LAN Network Setting > LAN > DHCP Server Network Setting > WAN Operation Mode 4.4 Making a Telephone Call Over the Internet 4Click VoIP > Account > SIP SIP Account VoIP > Account > Status Connect Register Status 4.5 Blocking Web Access from the WiMAX Device 4.6 Restricting Wireless Access to the WiMAX Device Network Setting Security Firewall MAC Filter Blacklist 4.7 Allowing Internet Users to use Internal Servers Port Forwarding 4.8 Access the WiMAX Device with a Domain Name http://www.dyndns.org UserName1 •Hostname: mywimax.dyndns.org •Service Type: Host with IP address 4.9Configuring Static Route for Routing to Another Network DEVICE / COMPUTER IP ADDRESS 4.10 Remotely Managing Your WiMAX Device 4.11Changing Certificate to Communicate with Other Networks 4.12Using Virtual Networks User Get IP Method WAN IP Address WAN IP Subnet Mask Gateway IP Address Link Type PVID Tag/Untag VID Ports Page LAN1 Page Page Page Page Page Name VID Ports Filter Setting LAN1 Page Page System Status 5.1 Overview 5.2 System Status Table 11 Status Scanning Disconnected Network Entry Normal Disabled Page WiMAX 6.1 Overview AAA Site Survey 6.2 Connection Settings WiMAX > Profile > Connection Settings By CINR 6.3 Frequency Settings WiMAX > Profile > Frequency Settings List By Range WiMAX > Wide Scan screen Setting 6.4 Authentication Settings Page EAP-TLS 6.5 Channel Plan Settings WiMAX > ND&S > Channel Plan Settings 6.6 CAPL Settings WiMAX > ND&S > CAPL Settings: Add 6.7 RAPL Settings 6.8 Home NSP Settings 6.9 Connect Table 20 Connect WiMAX > Profile > Frequency Settings WiMAX > Wide Scan WiMAX > Wide Scan Join Wide Scan Result 6.10 Wide Scan WiMAX > Wide Scan Table 21 Wide Scan 6.11 Link Status 6.12 Link Statistics 6.13 Connection Info 6.14 Service Flow Page Network Setting 7.1 Overview Primary Secondary DNS Server RIP Direction RX/TX RX Only Page 7.2 WAN Figure 43 WAN Screen Table 26 WAN Ethernet From ISP 7.3 PPPoE 7.4 GRE 7.5 EtherIP 7.6 IP 7.7 DHCP 7.8 WLAN Network Setting > WLAN Table 32 WLAN 802.11B/G mixed Auto Personal 7.9 WPS 7.10 MAC Address Filter 7.11 Static Route 7.12 Static Route Add 7.13 RIP Network Setting > Route > RIP Figure 54 RIP Screen Table 37 RIP 7.14 Port Forwarding 7.15 Port Trigger Network Setting > NAT > Port Trigger Page 7.16DMZ 7.17 ALG 7.18 QoS 7.19 UPnP Network Setting > UPnP Table 45 UPnP 1Click Start > Control Panel 2Double-click Network Connections Network Connections Start Control Panel Properties Internet Connection Properties Settings Page 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke 7.20 VLAN Network Setting > VLAN Table 46 VLAN Network Setting > WAN Access Trunk 7.21 DDNS Table 47 DDNS IP Update Policy 7.22 IGMP Proxy 7.23 Content Filter Page Security 8.1 Overview 8.2 IP Filter 8.3 MAC Filter 8.4 DDOS Security > Firewall > DDOS Table 52 DDOS 8.5 PPTP VPN Server 8.6 PPTP VPN Client 8.7 PPTP VPN Client: Add Security > PPTP VPN > PPTP Client > Add MPPE 40 MPPE 128 8.8 L2TP VPN Server Page 8.9 L2TP VPN Client 8.10 L2TP VPN Client: Add Security > L2TP VPN > L2TP Client > Add 8.11 IPSec VPN Page Security > IPSec VPN > Add Local ID Type Pre-Shared Key Content Endpoint DES 3DES AES128 AES192 Remote Endpoint Tunnel Transport Authentication Algorithm 8.12 Technical Reference ESP Outside header Inside header 8.12.3IKE Phases DH1 DH2 Negotiation Mode Main Mode Aggressive Mode Main Mode SECURITY PROTOCOL NAT Traversal LOCAL ID TYPE= CONTENT Local ID type Remote ID type E-mail WIMAX DEVICE A Page The VoIP General Screens 9.1 VoIP Overview Page 9.2 Media 9.3 QoS 9.4 SIP Settings 9.5 Speed Dial 9.6 Technical Reference The VoIP Account Screens 10.1 Overview Page Figure 91 STUN 10.2 Status 10.3 Server Registrar 10.4 SIP G.711 aLaw G.711 muLaw • G.729 NONE than the Min Session Timer 10.5 Feature 10.6 Dialing 10.7 FAX 10.8 Technical Reference Page Page Page The VoIP Line Screens 11.1 Overview 11.2 Phone 11.3 Voice 11.4 Region Page Maintenance 12.1 Overview Page Page TRAP # TRAP NAME Basic Access Authentication Digest Access Authentication Hash Message Authentication Code Operator MP3s 12.2 Password 12.3 HTTP 12.4 Telnet 12.5 SSH 12.6 SNMP 12.7 CWMP Maintenance > Remote MGMT > CWMP Figure 110 CWMP Screen Table 86 CWMP 12.8 OMA-DM Basic Server Auth Type Server Auth Type 12.9 Date/Time 12.10 Time Zone 12.11 Upgrade File 12.12 Upgrade Link 12.13 CWMP Upgrade 12.14 Backup/Restore 12.15 Restore 12.16 Factory Defaults 12.17 Log Setting 12.18 Log Display 12.19 Network Test 12.20 Traceroute 12.21 About 12.22 Reboot Page Troubleshooting 13.1Power, Hardware Connections, and LEDs 13.2 WiMAX Device Access and Login 13.3 Internet Access Strength Indicator 13.4 Wireless Internet Access (for Models with WiFi) 13.5Phone Calls and VoIP (for Models with Phone Ports) 13.6 Reset the WiMAX Device to Its Factory Defaults Product Specifications Page Page Page WiMAX Security Page Page Page Importing Certificates 2Click Continue to this website (not recommended) 3In the Address Bar, click Certificate Error > View certificates 4In the Certificate dialog box, click Install Certificate 5In the Certificate Import Wizard, click Next Select Certificate Store 9In the Completing the Certificate Import Wizard screen, click Finish Security Warning Website Identification Page 1Open Internet Explorer and click TOOLS > Internet Options 2In the Internet Options dialog box, click Content > Certificates Certificates Root Certificate Store 2Select Accept this certificate permanently and click OK Page Info > Security 1Open Firefox and click TOOLS > Options 2In the Options dialog box, click ADVANCED > Encryption > View Certificates Select File Page Certificate Manager Web Sites 4In the Delete Web Site Certificates dialog box, click OK Install Security information 1Open Opera and click TOOLS > Preferences 2In Preferences, click ADVANCED > Security > Manage certificates 3In the Certificates Manager, click Authorities > Import Import certificate Open 5In the Install authority certificate dialog box, click Install 2In Preferences, ADVANCED > Security > Manage certificates Certificates manager Authorities 2Click Continue Forever Figure KDE SSL Information 2In the Certificate Import Result - Kleopatra dialog box, click OK Kleopatra 1Open Konqueror and click Settings > Configure Konqueror Configure Crypto Peer SSL Certificates Remove Page Common Services Page Page Page Open Software Announcements Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Legal Information 注意 Page Regulatory Information European Union Page Page Page Page AAA68 CA 69 CCMP 207 70 68 67 Page STUN 158 TTLS 207 ALG 93