User's Guide

USER SECURITY CONSIDERATIONS
The topic of security may be split into two categories: network-level security (inter-Network
Node) and user security (station/user device to Network Node). Network-level security is an
integral part of the Access/One Network and requires no external resources. User security may
require an external resource (such as a RADIUS server), specific hardware (an AES capable
NIC), or even a redundant security system (like a VPN client/server) depending on the level of
user security desired. Adherence to newer security standards (WiFi WPA and IEEE 802.11i) will
require a RADIUS server supporting EAP at a minimum. The following table summarizes the
levels of wireless security typically available in an 802.11 network:
                           Minimum               Better (WPA)             Best (Strix)
Authentication             Local MAC address     Remote 802.1x EAP        Remote 802.1x EAP
                           control list                                   (TLS or TTLS)
Encryption                 Static WEP            128-bit WEP with TKIP    Dynamic AES
                                                 (or Dynamic WEP)
Supplemental Requirements  None                  RADIUS server            RADIUS server,
                                                                          AES NICs
Achieving a secure network requires that the user authenticate to the Network Node to validate
that the user is allowed access to the network and the data must then be encrypted to prevent
other users from eavesdropping. Some definitions may help to clarify your security choices:
Cipher Types – The Access/One Network supports both the WEP and AES cipher suites. A
more detailed discussion regarding these can be found later in this user guide. In summary, the
older WEP cipher has been shown to have significant weaknesses. Since WEP is widely
deployed, the WiFi WPA specification is designed to address these weaknesses and should only
require a driver update to realize these benefits. The 802.11i specification (a superset of WPA)
also requires a newer cipher, AES, which has additional benefits but also an additional cost
(AES typically requires hardware acceleration which only newer NICs support).
Key Types – The previous table indicates that there are both static and dynamic cipher keys.
The distinction is how individualized the key is per user device/station. A static default key is
configured within the Access/One Network Node and the same key is used for each station
(unicast and multicast traffic). A unique static key provides additional protection by assigning a
specific, unique key to each station for unicast traffic based on MAC address. This is more
secure but not very scalable. A dynamic key is generated for each user by the network-based
RADIUS server when the user remotely authenticates. The key is dynamic because it is created
when the user authenticates and will change every time the session begins. This is more secure
because the key isn’t manually administered and changes frequently.
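The key-scoping behaviour described in the Key Types paragraph, as an added Python model (not Strix code or part of this guide): it shows which associated stations hold the key that protects a given frame under each key type, and whether a station's key survives a new session. It assumes multicast traffic always uses the shared default key, held by every station, and stands in random bytes for the RADIUS-derived key.

```python
# Added example, not from the Strix guide: a model of the three key types
# (static default, unique static per MAC, dynamic per session).
# Assumption: multicast frames use the shared default key held by every station.
import secrets

STATIC_DEFAULT, UNIQUE_STATIC, DYNAMIC = "static_default", "unique_static", "dynamic"


class NodeKeyTable:
    """Keys a Network Node holds for its associated stations under one key policy."""

    def __init__(self, policy):
        if policy not in (STATIC_DEFAULT, UNIQUE_STATIC, DYNAMIC):
            raise ValueError(f"unknown key policy: {policy}")
        self.policy = policy
        self.default_key = secrets.token_bytes(13)  # configured once on the Node (104-bit WEP size)
        self.unicast_keys = {}                      # MAC -> key protecting that station's unicast frames

    def associate(self, mac):
        """Install the unicast key for a station at (re)association time and return it."""
        if self.policy == STATIC_DEFAULT:
            self.unicast_keys[mac] = self.default_key             # same key for every station
        elif self.policy == UNIQUE_STATIC:
            # administrator-assigned per-MAC key: fixed across sessions, so keep it if present
            self.unicast_keys.setdefault(mac, secrets.token_bytes(13))
        else:
            # stand-in for the key the RADIUS server derives during EAP: fresh each session
            self.unicast_keys[mac] = secrets.token_bytes(16)
        return self.unicast_keys[mac]

    def frame_key(self, src_mac, multicast=False):
        return self.default_key if multicast else self.unicast_keys[src_mac]

    def stations_able_to_read(self, src_mac, multicast=False):
        """Set of associated stations holding the key that protects this frame."""
        if multicast:
            return set(self.unicast_keys)                         # everyone holds the default key
        key = self.frame_key(src_mac)
        return {mac for mac, k in self.unicast_keys.items() if k == key}


def eavesdrop_scope(policy):
    """Two constructed stations: who can read A's unicast, and does A's key change per session?"""
    table = NodeKeyTable(policy)
    first_key = table.associate("00:11:22:aa:aa:aa")
    table.associate("00:11:22:bb:bb:bb")
    readers = table.stations_able_to_read("00:11:22:aa:aa:aa")
    second_key = table.associate("00:11:22:aa:aa:aa")            # station A starts a new session
    return {"readers_of_A_unicast": readers, "key_changes_per_session": first_key != second_key}
```

Under the static default key, station B holds the key for A's unicast traffic; the unique static and dynamic policies narrow that to A alone, and only the dynamic policy changes the key on every new session.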