Owner manual
Chapter 10: Configuring Security
104
Understanding Security Issues on Wireless Networks 
Wireless mediums are inherently less secure than wired mediums. For 
example, an Ethernet NIC transmits its packets over a physical medium 
such as coaxial cable or twisted pair. A wireless NIC broadcasts radio 
signals, which allows a wireless LAN to be easily tapped without physical 
access or sophisticated equipment. A hacker equipped with a laptop, a 
wireless NIC, and a bit of knowledge can easily attempt to compromise 
your wireless network. One does not even need to be within normal range 
of the access point. By using a sophisticated antenna on the client, a 
hacker may be able to connect to the network from many miles away.
For a more detailed explanation of security concepts, including a 
comparison of the advantages and disadvantages of using different 
security modes and suggestions on which mode to use, see Appendix B, 
“Configuring Security on Wireless Clients” on page 215.
How Do I Know Which Security Mode to Use?
In general, Allied Telesis recommends that you use the most robust 
security mode that is feasible in your environment on your internal 
network. When you configure security on the access point, you must first 
choose the security mode, then (in some modes) an authentication 
algorithm, and finally whether to allow clients that are not using the 
specified security mode to associate.
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User 
Service (RADIUS) using the CCMP (AES) encryption algorithm provides 
the best data protection available and is clearly the best choice if all client 
stations are equipped with WPA supplicants. However, backward 
compatibility or interoperability issues with clients or even with other 
access points may require that you configure WPA with RADIUS with a 
different encryption algorithm or choose one of the other security modes.
Security may not be as much of a priority on some types of networks. If 
you are only providing Internet and printer access, as on a guest network, 
plain text mode (no security) may be the appropriate choice. To prevent 
clients from accidentally discovering and connecting to your network, you 
can disable the broadcast SSID so that your network name is not 
advertised. If the network is sufficiently isolated from access to sensitive 
information, this may offer enough protection in some situations. This level 
of protection is the only one offered for guest networks, and also may be 
the right trade-off for other scenarios where the priority is making it as 
easy as possible for clients to connect. (See “Does Prohibiting the 
Broadcast SSID Enhance Security?” on page 111.)
The following is a brief discussion of the factors that make one mode 
more secure than another, a description of each mode offered, and when 
to use each mode.










