ZyXEL SBG3300 User Manual

SBG3300 Series
IPSec VPN and Multiple-WAN Small Business Gateway
(Green Product)
Support Notes
January 2013
Contents
Why use the SBG3300?
Key Application Scenario
Access Application Notes
  Web GUI
  ADSL 2+ WAN Mode
  IP Multicast Introduction
  NAT Introduction
  Data Service FTP Downloading Scenario
  Port Forwarding Configuration
  How to switch USB mode from storage to modem
Wireless Application Notes
  Wireless Introduction
  Wireless Configuration
Virtual Private Network Application Notes
  What is a Virtual Private Network?
  IPSec VPN configuration
  L2TP VPN configuration
  PPTP VPN Overview
  PPTP VPN Settings Configuration
WPS Application Notes
  What is WPS?
  WPS configuration
Maintenance Log
  Internal Maintenance
Maintenance Tools
  Maintenance Procedure
Product FAQ
  Will the device work with my Internet connection?
  Why do I need to use SBG3300?
  What is PPPoE?
  Does the device support PPPoE?
  How do I know I am using PPPoE?
  Why does my provider use PPPoE?
  Which Internet Applications can I use with the device?
  How can I configure the device?
  What can we do with the device?
  Does the device support dynamic IP addressing?
  What is the difference between the internal IP and the real IP from my ISP?
  What DHCP capability does the device support?
  How do I use the reset button, and what parameters will be reset by the reset button?
  What network interfaces does the new device series support?
  How does the device support TFTP?
  Can the device support TFTP over WAN?
  When do I need NAT?
  What is BOOTP/DHCP?
  What is DDNS?
  When do I need DDNS service?
Wireless FAQ
  What is a Wireless LAN?
  What are the advantages of Wireless LANs?
  What are the disadvantages of Wireless LANs?
  Where can you find wireless 802.11 networks?
  What is an Access Point?
  What is IEEE 802.11?
  What is 802.11b?
  How fast is 802.11b?
  What is 802.11a?
  What is 802.11g?
  What is 802.11n?
  Is it possible to use products from a variety of vendors?
  What is Wi-Fi?
  What types of devices use the 2.4 GHz Band?
  Does the 802.11 interfere with Bluetooth devices?
  Can radio signals pass through walls?
  What are potential factors that may cause interference for WLAN products?
  What's the difference between a WLAN and a WWAN?
  What is Ad Hoc mode?
  What is Infrastructure mode?
  How many Access Points are required in a given area?
  What is Direct-Sequence Spread Spectrum Technology (DSSS)?
  What is Frequency-hopping Spread Spectrum Technology (FHSS)?
  Do I need the same kind of antenna on both sides of a link?
  What is the 2.4 GHz Frequency range?
  What is Service Set ID (SSID)?
  What is an ESSID?
  How do I secure the data across an Access Point's radio link?
  What is WEP?
  What is the difference between 40-bit and 64-bit WEP?
  What is a WEP key?
  Can the SSID be encrypted?
  By turning off the broadcast of SSID, can someone still sniff the SSID?
  What are Insertion Attacks?
  What is a Wireless Sniffer?
  What is the difference between Open System and Shared Key of Authentication Type?
  What is 802.1x?
  What is the difference between No authentication required, No access allowed and Authentication required?
  What is AAA?
  What is RADIUS?
  What is WPA?
  What is WPA-PSK?
  What is WPA2?
Why use the SBG3300?
Key features of the SBG3300
The SBG3300 is a VDSL2 gateway providing high-speed Internet access for
triple-play applications. It offers VDSL2/ADSL2+ functionality and supports
VDSL2 profiles up to 17a. It is also equipped with four Gigabit Ethernet ports
for LAN connections, two USB host ports for file sharing or 3G WAN backup, and a
built-in 802.11n (2x2) WLAN that does away with much of the troublesome cabling.
VDSL2 high speed Internet access
The SBG3300 provides VDSL2 up to profile 17a, with data rates up to 100 Mbps
downstream and 45 Mbps upstream. VDSL2 can support the wide deployment of
triple-play services such as voice, video, data, high-definition television
(HDTV) and interactive gaming, and it lets operators and carriers upgrade their
existing xDSL infrastructure gradually, flexibly and cost-efficiently.
Dual mode VDSL2/ADSL2+ functionality
The SBG3300 series supports dual-mode operation, so a service provider can run
either ATM or PTM on the same device. It offers bi-directional high-speed VDSL2
connections of up to 100/45 Mbps in PTM mode, and ADSL2+, ADSL2 and ADSL
connections of up to 24/1 Mbps in ATM mode. This lets the service provider
support connections not only on the IP network but also on the legacy ATM
network without changing the CPE.
Internet Access through 3G Networks
The SBG3300's USB interface accepts 3G USB dongles, providing convenient
Internet access through 3G networks; this removes the restrictions of wired
networks and further extends last-mile connectivity. In Internet-challenged
environments, such as rural or mountain areas, 3G connectivity may be the only
viable option, and it can also provide temporary Internet access at places such
as exhibition booths. Furthermore, 3G access can be used as a WAN backup for
high-availability Internet connections in office environments.
802.11n wireless access
Built with 802.11n technology, the SBG3300 provides the ultimate solution for
speed and coverage. With data rates up to 300 Mbps, it provides stable and
reliable wireless connections for high-speed data and multimedia delivery. It
eliminates dead zones and extends coverage by using IEEE 802.11n technology,
and it remains backwards compatible with any IEEE 802.11b/g/n Wi-Fi certified
device.
Quality of Service (QoS)
The SBG3300 series comes equipped with both ATM and IP QoS features. The
service provider can base its QoS policy on the service plan to freely design
and prioritize mission-critical services such as IPTV. This increases network
efficiency and productivity, enabling the service provider to bring real
multi-play into residential users' lives.
TR-069 Remote Management
With the TR-069 management standard, the service provider is able to manage and
configure client devices remotely without the end user's manual intervention.
This feature not only offers the user a true "plug-and-play" experience but also
reduces the complexity of deployment, and therefore saves the service provider's
operating and maintenance costs.
PPP over Ethernet
Since PPPoE benefits both telcos and ISPs, the SBG3300 implements this feature
and has been tested thoroughly against PPPoE servers.
NAT
NAT provides system administrators with an easy solution to create a private
IP network for security and IP management. Powered by NAT technology, the
SBG3300 supports complete NAT mapping and most popular Internet
multimedia applications, such as NetMeeting, MSN Messenger, Skype, ICQ,
IPTV, QuickTime, Real Player (RSP/RTSP), etc.
Key Application Scenario
Multi-Service Application Scenario
The ZyXEL device provides shared Internet access when its DSL port is connected
to the DSL or Modem jack on a splitter, or to your telephone jack. The SBG3300
serves as a home gateway, providing high-speed Internet service and high-quality
IPTV service.
Internet Connection
A typical Internet access application of the SBG3300 is shown below. For a small
office, some components need to be checked before accessing the Internet.
Before we begin.
The device is shipped with the following factory defaults:
1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits).
2. DHCP server enabled with IP pool starting from 192.168.1.33.
3. Default user’s username/password = user/1234.
Setting up the PC (Windows OS)
1. Ethernet Connection
All PCs must have an Ethernet adapter card installed.
2. TCP/IP Installation
You must first install the TCP/IP software on each PC before you can use it for
Internet access. If you have already installed the TCP/IP protocol, go to the
next section to configure it; otherwise, follow these steps to install it:
- In the Control Panel/Network window, click the Add button.
- In the Select Network Component Type window, select Protocol and click Add.
- In the Select Network Protocol window, select Microsoft from the list of
manufacturers, then select TCP/IP from the Network Protocols and click OK.
3. TCP/IP Configuration
Follow these steps to configure Windows TCP/IP:
- In the Control Panel/Network window, click the TCP/IP entry to select it and
click the Properties button.
- In the TCP/IP Properties window, select "Obtain an IP address automatically".
Note: Do not assign an arbitrary IP address and subnet mask to your PCs;
otherwise, you will not be able to access the Internet.
- Click the WINS Configuration tab and select Disable WINS Resolution.
- Click the Gateway tab. Highlight any installed gateways and click the Remove
button until none are listed.
- Click the DNS Configuration tab and select Disable DNS.
- Click OK to save and close the TCP/IP Properties window.
- Click OK to close the Network window. You will be prompted to insert your
Windows CD or disk. When the drivers are updated, you will be asked whether you
want to restart the PC. Make sure that your device is powered on before
answering "Yes" to the prompt.
Repeat the steps above for each Windows PC on your network.
Access Application Notes
Web GUI
The following procedure describes the most typical way of operating the device:
through a browser. The device has an embedded Web server that lets you
configure it from a Web browser. Make sure there is no Telnet or console login
session open before configuring the router through a browser.
- Accessing the Prestige Web
Enter the LAN IP address of the Prestige router in the browser's URL field to
retrieve the web screen from the device. The default LAN IP of the device is
192.168.1.1. See the example below.
- Log into the SBG3300 via the Web GUI
1. Set up your PC/notebook to obtain its IP address as a DHCP client.
2. Connect to a LAN port of the SBG3300 with an RJ45 Ethernet cable and open
your Web browser.
3. The default IP of the SBG3300 is 192.168.1.1;
username/password = admin/1234.
3G Backup Connection
1. Go to Network Setting> Broadband > 3G WAN.
2. Card Description will show what dongle model is plugged into
SBG3300 Series.
3. If SBG3300 Series supports that dongle, 3G status will read Enable.
4. Fill in the PIN number.
5. Enter the APN string or number.
Application Scenario
The following example demonstrates a Triple Play service configuration running Data
and IPTV. The step by step guide beneath the following scenario illustration will take
you through the setup of the WAN Interface, NAT Port forwarding (using FTP service
to demonstrate Data service), Quality of Service and WLAN setting (to demonstrate
WPS setup).
The following figure is a simplified overall scenario diagram of WAN interface
configuration.
ADSL 2+ WAN Mode
In the ADSL WAN mode, we will set up two WAN interfaces: for data and IPTV
services. Based on the current implementation, the IPTV service will go through the
data WAN interface in routing mode.
1. Go to Network Setting > Broadband and select the Broadband tab.
2. Click the Add new WAN Interface button to create the data WAN interface.
3. In Add New Interface, give this interface a name (e.g. IPTV) and select the
ADSL over ATM interface type.
4. Set the interface Mode to Routing.
5. Choose the IPoE (IP over Ethernet) WAN service type.
6. Configure the PVC parameters (VPI/VCI). In this example, set 0/33.
7. Set Service Category to "UBR without PCR" for the Data and IPTV service
(medium priority).
8. Set IP Address to "Obtain an IP Address Automatically".
9. Enable all Routing Features: select NAT Enable, IGMP Proxy Enable and Apply
as Default Gateway.
10. For the DNS Server setting, choose "Obtain DNS info Automatically".
11. Click Apply.
After completion, you will see two new WAN interfaces as shown in the following
screenshot.
IP Multicast Introduction
What is the IP Multicast?
Traditionally, IP packets are delivered in two ways: unicast or broadcast.
Multicast is a third way, delivering IP packets to a group of hosts. Host groups
are identified by class D IP addresses, i.e. those with "1110" as their
high-order bits. In dotted decimal notation, host group addresses range from
224.0.0.0 to 239.255.255.255. Among them, 224.0.0.1 is assigned to the
permanent IP hosts group and 224.0.0.2 to the multicast routers group.
IGMP (Internet Group Management Protocol) is the protocol used to support
multicast groups. The latest version is version 2 (see RFC 2236). IP hosts use
IGMP to report their multicast group membership to any immediate-neighbour
multicast routers, so the multicast routers can decide whether a multicast
packet needs to be forwarded. At start-up, the Prestige queries all directly
connected networks to gather group membership.
After that, the CPE updates the information with periodic queries. The device's
IGMP implementation is also compatible with version 1. The multicast setting
can be turned on or off on the Ethernet and remote nodes.
NAT Introduction
What is NAT?
NAT (Network Address Translation, RFC 1631) is the translation of an Internet
Protocol address used within one network to a different IP address known within
another network. One network is designated as the inside network and the other
as the outside. Typically, a company maps its local inside network addresses to
one or more global outside IP addresses and "unmaps" the global IP addresses on
incoming packets back into local IP addresses. The IP addresses used for NAT can
be either fixed or dynamically assigned by the ISP. In addition, you can
designate servers, e.g. a Web server and a Telnet server, on your local network
and make them accessible to the outside world. If you do not define any servers,
NAT offers the additional benefit of firewall protection: all incoming
connections to your network are filtered out by the CPE, which prevents
intruders from probing your network.
For more information on IP address translation, please refer to RFC 1631, The IP
Network Address Translator (NAT).
How does NAT work?
In the following figure, we define the local IP addresses as the Inside Local
Addresses (ILA) and the global IP addresses as the Inside Global Addresses
(IGA). The term 'inside' refers to the set of networks that are subject to
translation. NAT operates by mapping the ILA to the IGA required for
communication with hosts on other networks. It replaces the original IP source
address (and the TCP or UDP source port number) and then forwards each packet to
the ISP, so the packets appear to come from the NAT system itself (e.g. the CPE
router). The CPE keeps track of the original addresses and port numbers, so the
incoming reply packets can have their original values restored.
Data Service FTP Downloading Scenario
Topology
NAT provides system administrators with an easy way to create a private IP
network for security and IP management. Powered by NAT, the SBG3300 supports
complete NAT mapping and most popular Internet multimedia applications. This
functionality is best demonstrated with the NAT port forwarding feature
implemented in the CPE. In the scenario shown in the diagram above, an FTP
server is installed behind the CPE with an IP address assigned by the local DHCP
server (192.168.1.33). How should the SBG3300 be configured so that the notebook
on the WAN side can access the FTP server? The following step-by-step guide
illustrates the setup procedure.
Note: Make sure that NAT is enabled on the WAN interface.
Port Forwarding Configuration
a. Create a port forwarding rule for the FTP server.
1. Go to Network Setting > NAT > Port Forwarding and click "Add new rule".
2. Enter the Service Name, e.g. "FTP".
3. Select the WAN Interface, e.g. "ETHWAN".
4. Enter the Server IP Address, e.g. "192.168.1.33".
5. Click Apply.
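The address and port translation described in the NAT introduction, together with the port-forwarding rule just configured, modelled as an added Python example (illustrative code written for these notes, not ZyXEL firmware or any real NAT implementation). The LAN side uses the defaults from the text (192.168.1.x, FTP server 192.168.1.33); the WAN address 203.0.113.5, the remote client 198.51.100.7 and the external port range starting at 40000 are assumptions chosen for the example.

```python
"""Minimal model of NAT (address + port translation) and port forwarding.

Added example for these notes, not ZyXEL code. Addresses on the WAN side
(203.0.113.5, 198.51.100.7) are documentation-range placeholders.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class NatGateway:
    """The CPE: rewrites outbound sources, restores inbound replies."""

    def __init__(self, wan_ip, lan_prefix="192.168.1."):
        self.wan_ip = wan_ip              # the Inside Global Address (IGA)
        self.lan_prefix = lan_prefix      # Inside Local Addresses (ILA) live here
        self.next_port = 40000            # first external port handed out (assumption)
        self.outbound = {}                # (proto, ila, ila port) -> external port
        self.inbound = {}                 # (proto, external port) -> (ila, ila port)
        self.forward_rules = {}           # (proto, wan port) -> (server ip, server port)

    def add_port_forward(self, proto, wan_port, server_ip, server_port=None):
        """The GUI rule: service port on the WAN interface -> internal server."""
        self.forward_rules[(proto, wan_port)] = (server_ip, server_port or wan_port)

    def is_local(self, ip):
        return ip.startswith(self.lan_prefix)

    def translate_outbound(self, pkt):
        """LAN -> WAN: replace source IP/port with the gateway's own.

        Returns None for packets that do not come from the inside network.
        """
        if not self.is_local(pkt.src_ip):
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:          # first packet of this flow
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.wan_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """WAN -> LAN: returns the rewritten packet, or None if the CPE drops it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        session = self.inbound.get((pkt.proto, pkt.dst_port))
        if session:                            # reply to a flow a LAN host opened
            return pkt._replace(dst_ip=session[0], dst_port=session[1])
        rule = self.forward_rules.get((pkt.proto, pkt.dst_port))
        if rule:                               # explicitly published server
            return pkt._replace(dst_ip=rule[0], dst_port=rule[1])
        return None                            # unsolicited: filtered out

    def session_table(self):
        """Current mappings, in the shape a NAT status page would show."""
        return sorted((p, ila, port, ext) for (p, ila, port), ext in self.outbound.items())


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")
    gw.add_port_forward("tcp", 21, "192.168.1.33")     # the FTP rule from the text
    print(gw.translate_outbound(Packet("tcp", "192.168.1.33", 51000, "198.51.100.7", 80)))
    print(gw.translate_inbound(Packet("tcp", "198.51.100.7", 4444, "203.0.113.5", 21)))
    print(gw.translate_inbound(Packet("tcp", "198.51.100.7", 4444, "203.0.113.5", 23)))
    print(gw.session_table())
```

Two things the model makes visible: an inbound packet that matches neither an existing session nor a forwarding rule is dropped, which is the "firewall protection" the introduction refers to, and a forwarding rule deliberately opens that protection for one port, so only services you intend to publish should get a rule. For FTP in particular, passive-mode data connections use additional server-side ports that also need rules (or an FTP ALG); the model covers the control port only.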
How to switch USB mode from storage to modem
To add a new 3G USB dongle, there are several items of information you need to
fill in: the Default VID, Default PID and Message Content.
To obtain this information, plug the 3G USB dongle into the USB port of the
SBG3300 and connect the console cable to the SBG3300.
After logging in to the command line, first enable the 3G WWAN debug mode with
the command "celld Debug" on the console.
After enabling debug mode, use the "sh" command to switch to the shell.
To get the DefaultVID, DefaultPID and Message Content, follow the steps below.
The first step is to mount the USB filesystem with the command "mount -t usbfs".
If you see "usbfs on /proc/bus/usb", this step succeeded; you can also run
"mount" to check.
The second step is to show the USB dongle information with the command "cat
/proc/bus/usb/devices".
Then find the 3G USB dongle's manufacturer in the output. For example, the 3G
USB dongle I used in this example is a Huawei. The DefaultVID is the value of
Vendor and the DefaultPID is the value of ProdID.
From the output shown above, the DefaultVID is 12d1 and the DefaultPID is 1446.
Next, find the message content. The message content depends on the DefaultVID
and DefaultPID; in this example they are 12d1 and 1446.
There is one more thing to check: if Driver=usb-storage, the 3G USB dongle is
still working as a storage device, not as a modem.
Open a web browser and go to the link below:
http://www.draisberghof.de/usb_modeswitch/device_reference.txt
At that link, find the message content by searching for DefaultVendor=0x12d1
and DefaultProduct=0x1446; the message content found is
55534243123456780000000000000011060000000000000000000000000000
Once you have all the information, open the web browser again and go to the
Broadband > Add New 3G Dongle page.
Click the Add New Entry button and fill in the related information.
Unplug the 3G USB dongle and plug it in again so that the changes take effect.
After plugging the 3G USB dongle in again, you can use the same command, "cat
/proc/bus/usb/devices", to show the device information as below.
The value of Driver has now changed to usbserial_generic. This means adding the
new 3G USB dongle is complete.
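The values the procedure above reads by eye from "cat /proc/bus/usb/devices" (Vendor, ProdID, and whether Driver is still usb-storage) can be pulled out by a small parser; the following is an added Python example written for these notes, not ZyXEL firmware code. The two listings are constructed samples in the real /proc/bus/usb/devices layout: Vendor 12d1 / ProdID 1446 are the Huawei values from the text, while the bus numbers, strings and the root-hub record are made up, and the "after" listing keeps ProdID 1446 because the text does not show what the dongle reports once switched.

```python
"""Parse /proc/bus/usb/devices and derive the Add New 3G Dongle fields.

Added example for these notes, not ZyXEL code. Both listings below are
constructed samples; only 12d1:1446 comes from the text.
"""
import re

BEFORE_MODESWITCH = """\
T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 2
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev= 2.06
S:  Manufacturer=Linux ehci_hcd
S:  Product=EHCI Host Controller
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=12d1 ProdID=1446 Rev= 0.00
S:  Manufacturer=HUAWEI Technology
S:  Product=HUAWEI Mobile
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
I:* If#= 1 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
"""

# Constructed: same dongle after the switch, now bound to the serial driver.
AFTER_MODESWITCH = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=12d1 ProdID=1446 Rev= 0.00
S:  Manufacturer=HUAWEI Technology
S:  Product=HUAWEI Mobile
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=usbserial_generic
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=usbserial_generic
"""

ROOT_HUB_VENDOR = "1d6b"    # Linux Foundation: root hubs, never a dongle
CBW_SIGNATURE = "55534243"  # ASCII "USBC", start of a mass-storage Command Block Wrapper
CBW_HEX_LEN = 62            # a CBW is 31 bytes, i.e. 62 hex digits


def parse_usb_devices(text):
    """Return one dict per device; records are separated by blank lines."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dev = {"vendor": None, "prodid": None, "manufacturer": None,
               "product": None, "drivers": []}
        for line in block.splitlines():
            if line.startswith("P:"):      # product line carries Vendor/ProdID
                m = re.search(r"Vendor=([0-9a-fA-F]{4})\s+ProdID=([0-9a-fA-F]{4})", line)
                if m:
                    dev["vendor"], dev["prodid"] = m.group(1).lower(), m.group(2).lower()
            elif line.startswith("S:"):    # string descriptors
                m = re.match(r"S:\s+(Manufacturer|Product)=(.*)$", line)
                if m:
                    dev[m.group(1).lower()] = m.group(2).strip()
            elif line.startswith("I:"):    # one line per interface, with its driver
                m = re.search(r"Driver=(\S+)", line)
                if m:
                    dev["drivers"].append(m.group(1))
        if dev["vendor"]:
            devices.append(dev)
    return devices


def find_dongle(devices):
    """First device that is not a hub; None if nothing is plugged in."""
    for dev in devices:
        if dev["vendor"] != ROOT_HUB_VENDOR and "hub" not in dev["drivers"]:
            return dev
    return None


def still_in_storage_mode(dev):
    """True when usb-storage is bound and no serial driver has claimed it."""
    serial = any(d.startswith("usbserial") for d in dev["drivers"])
    return "usb-storage" in dev["drivers"] and not serial


def check_message_content(hex_str):
    """Sanity-check a MessageContent value before typing it into the GUI."""
    if len(hex_str) != CBW_HEX_LEN:
        return False, "expected %d hex digits (31-byte CBW)" % CBW_HEX_LEN
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_str):
        return False, "not hexadecimal"
    if not hex_str.lower().startswith(CBW_SIGNATURE):
        return False, "does not start with the USBC signature"
    return True, "ok"


def dongle_entry(dev, message_content):
    """The three fields the Add New 3G Dongle page asks for."""
    ok, why = check_message_content(message_content)
    if not ok:
        raise ValueError("bad message content: " + why)
    return {"Default VID": dev["vendor"], "Default PID": dev["prodid"],
            "Message Content": message_content}


if __name__ == "__main__":
    dongle = find_dongle(parse_usb_devices(BEFORE_MODESWITCH))
    print(dongle["manufacturer"], "storage mode:", still_in_storage_mode(dongle))
    # the value quoted in the text for 12d1:1446
    print(dongle_entry(dongle, "55534243123456780000000000000011060000000000000000000000000000"))
```

The signature and length checks catch the common copy-and-paste mistakes (a truncated or doubled line from the device reference file) before a bad value is stored on the gateway; a message content that is not a well-formed 31-byte CBW will never switch the dongle, and the device simply stays in storage mode.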
File Sharing
This feature shares files on a USB memory stick or hard drive connected to the
SBG3300 with other users on the network. The topology shown below allows PCs A,
B and C to access files on the USB hard drive.
1. Plug a flash disk into the USB port.
2. Go to Network Setting > USB Service.
3. Select "Enable" for the File Sharing Services function.
4. Set the Workgroup name (e.g. Workgroup).
5. Select the folder for sharing.
6. Click "Apply".
7. When the File Sharing feature is enabled, the SBG3300 will find the attached
USB hard drive. By default, there are two user accounts. One is admin with
password "1234", in the Administrator group, with a writable root USB file
directory. The other is zyuser with password "1234", in the User group, with a
read-only root USB file directory.
8. Add a new user:
Click "Add new user" to add a new user.
- Enter a Password following the password format rules: at least one numeric
character, at least one alphabetic character, and the Password must NOT contain
the account User Name. The Password MUST have a minimum length of 6 characters.
This field can't be empty.
- The Retry Times field can't be more than 1 character.
- The Idle Timeout field can't be more than 2 characters.
- The Lock Period field can't be more than 2 characters.
- Enable or disable the file sharing service (SAMBA).
- File Share Name can't be empty when the file sharing service (SAMBA) is
enabled. It is used as the Windows directory name.
- File Share Directory can't be empty when the file sharing service (SAMBA) is
enabled. It is used as the home directory.
- Set File Share Writable to yes to allow files under the shared directory to be
written; set it to no to make all files under the shared directory read-only.
After clicking the "Apply" button, make sure the User Account List is correct.
9. Edit user:
Click the Edit button to edit a user.
- When changing the Password, you must follow the format rules: at least one
numeric character, at least one alphabetic character, and the password must NOT
contain the account User Name. The Password MUST have a minimum length of 6
characters. This field can't be empty.
- The Retry Times field can't be more than 1 character.
- The Idle Timeout field can't be more than 2 characters.
- The Lock Period field can't be more than 2 characters.
- Enable or disable the file sharing service (SAMBA).
- File Share Name can't be empty when the file sharing service (SAMBA) is
enabled. It is used as the Windows directory name.
- File Share Directory can't be empty when the file sharing service (SAMBA) is
enabled. It is used as the home directory.
- Set File Share Writable to yes to allow files under the shared directory to be
written; set it to no to make all files under the shared directory read-only.
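The account rules listed in steps 8 and 9 above, expressed as a validator so they can be checked before a form is submitted. This is an added Python example written for these notes, not ZyXEL code: the rules come from the text, the user-name check is done case-insensitively here (a slightly stricter reading of "must not contain the account User Name"), the assumption that Retry Times, Idle Timeout and Lock Period hold digits only is mine, and the sample accounts are constructed.

```python
"""Validator for the SBG3300 file-sharing user account form.

Added example for these notes, not ZyXEL code. Rules are from steps 8 and 9;
the digits-only assumption for the three numeric fields is an assumption.
"""
import re


def validate_password(user_name, password):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if not password:
        return ["password must not be empty"]
    if len(password) < 6:
        problems.append("minimum length is 6 characters")
    if not re.search(r"[0-9]", password):
        problems.append("at least one numeric character required")
    if not re.search(r"[A-Za-z]", password):
        problems.append("at least one alphabetic character required")
    # case-insensitive containment check (stricter than the text strictly requires)
    if user_name and user_name.lower() in password.lower():
        problems.append("must not contain the account user name")
    return problems


# (form field, maximum number of characters) as given in the text
LENGTH_LIMITS = (("retry_times", 1), ("idle_timeout", 2), ("lock_period", 2))


def validate_account(fields):
    """Validate a whole Add/Edit user form; returns the list of violations."""
    problems = validate_password(fields.get("user_name", ""),
                                 fields.get("password", ""))
    for name, max_len in LENGTH_LIMITS:
        value = str(fields.get(name, ""))
        if not value.isdigit():                 # assumption: numeric fields
            problems.append("%s must be a number" % name)
        elif len(value) > max_len:
            problems.append("%s can't be more than %d character(s)" % (name, max_len))
    if fields.get("samba_enabled"):
        if not fields.get("share_name"):
            problems.append("file share name can't be empty when SAMBA is enabled")
        if not fields.get("share_directory"):
            problems.append("file share directory can't be empty when SAMBA is enabled")
    return problems


if __name__ == "__main__":
    # constructed sample form
    form = {"user_name": "alice", "password": "s3cret9", "retry_times": "3",
            "idle_timeout": "30", "lock_period": "15", "samba_enabled": True,
            "share_name": "docs", "share_directory": "/mnt/usb1/docs"}
    print(validate_account(form))
    # the factory accounts from step 7 would not pass the same policy
    print(validate_password("admin", "1234"))
```

Worth noticing: the two factory accounts from step 7 (admin/1234 and zyuser/1234) would fail this very policy, since "1234" has no alphabetic character and is shorter than 6 characters, so changing both default passwords is the first thing to do after enabling file sharing.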
QoS Support
Introduction of QoS
Quality of Service (QoS) refers to both a network’s ability to deliver data with
minimum delay, and to the networking methods used to control the use of
bandwidth. QoS allows the ZyXEL device to group and prioritize application
traffic and fine-tune network performance.
Without QoS, all traffic data is equally likely to be dropped when the network is
congested. This can cause a reduction in network performance and make the
network unfit for time critical applications such as video-on-demand.
1. Click Network Setting > QoS > General; if you want to modify the QoS
configuration, you need to disable this feature first.
2. Click on "Queue Setup".
3. You can "Add new Queue" or "Edit" the queues displayed in the screenshot. The
Priority and Weight can be adjusted.
4. Click "Add new Queue" again, activate the new queue, name it "Data_IPTV", set
the priority to 5 and the weight to 8.
5. Click on the "Class Setup" tab to set up QoS classifiers.
6. Configure the first class rule for IPTV. Select "Data_IPTV" in "To Queue:"
and enter a name for it, e.g. "IPTV", as follows:
7. Enable From Interface and set it to "Local", and set the Ether Type criteria
accordingly.
8. Set the Destination IP address to the media server's IP address.
9. Click "Apply". The class rule for the IPTV service is now complete.
10. Click "Add new Classifier" to add the second class rule.
11. To make sure the class rules are correctly configured, go to Network
Setting > QoS > Monitor.
12. Select 5 sec as the refresh interval and monitor the ZyXEL device's QoS
packet statistics.
Wireless Application Notes
Wireless Introduction
WEP (Wired Equivalent Privacy) Introduction
The 802.11 standard describes the communication that occurs in wireless LANs.
The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless
communication from eavesdropping, because wireless transmissions are easier to
intercept than transmissions over wired networks, and wireless is a shared medium.
Everything that is transmitted or received over a wireless network can be
intercepted.
The WEP relies on a secret key that is shared between a mobile station (e.g. a
laptop with a wireless Ethernet card) and an access point (i.e. a base station). The
secret key is used to encrypt packets before they are transmitted, and an integrity
check is used to ensure that packets are not modified during the transmission. The
standard does not discuss how the shared key is established. In practice, most
installations use a single key that is shared between all mobile stations and access
points.
WEP uses the RC4 (Ron's Code 4) stream cipher as its pseudo-random number
generator (RC4 PRNG). The same key is used to encrypt and decrypt the data.
WEP has a defence against the playback attack. To avoid producing two
ciphertexts with the same key stream, an Initialization Vector (IV) is used to
augment the shared WEP key (secret key) and produce a different RC4 key for each
packet. The IV is also included in the packet. WEP keys (secret keys) come in
two sizes, 64-bit and 128-bit. Often you will see them referred to as 40-bit and
104-bit instead. The reason for this misnomer is that the WEP key (40/104 bits)
is concatenated with the initialization vector (24 bits), giving a 64/128-bit
total key size.
Setting up the Access Point
Most access points and clients can hold up to 4 WEP keys simultaneously. You
need to specify one of the 4 keys as the default key for data encryption. To
set up the Access Point, you will need to set one of the following parameters:
- 64-bit WEP key (secret key) with 5 characters.
- 64-bit WEP key (secret key) with 10 hexadecimal digits.
- 128-bit WEP key (secret key) with 13 characters.
- 128-bit WEP key (secret key) with 26 hexadecimal digits.
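The key arithmetic from the IV paragraph (40/104-bit secret plus 24-bit IV gives the marketed 64/128-bit size) and the four key entry forms listed above, as an added Python example written for these notes (not ZyXEL code and not a WEP implementation: it models only the key handling described, not the RC4 encryption itself). The IV values fed to the monitor at the bottom are constructed samples.

```python
"""WEP key entry forms, the per-packet RC4 key and IV-reuse detection.

Added example for these notes, not ZyXEL code. Models the key handling the
text describes; it does not implement RC4 or frame encryption.
"""
IV_BITS = 24                 # initialization vector sent in clear with each packet
IV_BYTES = IV_BITS // 8

# Entry forms the access point accepts: (entry length, is_hex) -> secret key bytes
ENTRY_FORMS = {
    (5, False): 5,           # 64-bit WEP:  5 ASCII characters   -> 40-bit secret
    (10, True): 5,           # 64-bit WEP:  10 hexadecimal digits -> 40-bit secret
    (13, False): 13,         # 128-bit WEP: 13 ASCII characters  -> 104-bit secret
    (26, True): 13,          # 128-bit WEP: 26 hexadecimal digits -> 104-bit secret
}


def parse_wep_key(entry, is_hex):
    """Normalize one of the four accepted entry forms to raw secret-key bytes."""
    expected_len = ENTRY_FORMS.get((len(entry), is_hex))
    if expected_len is None:
        raise ValueError("WEP key must be 5 or 13 characters, or 10 or 26 hex digits")
    key = bytes.fromhex(entry) if is_hex else entry.encode("ascii")
    if len(key) != expected_len:
        raise ValueError("unexpected key length")
    return key


def nominal_key_bits(secret):
    """The marketed size (64 or 128): secret bits plus the 24-bit IV."""
    return len(secret) * 8 + IV_BITS


def per_packet_key(secret, iv):
    """RC4 seed for one frame: the 3-byte IV followed by the secret key."""
    if len(iv) != IV_BYTES:
        raise ValueError("IV must be exactly 3 bytes")
    return iv + secret


def iv_space():
    """Number of distinct IVs available before one must repeat."""
    return 1 << IV_BITS


def select_default_key(keys, index):
    """Pick the transmit key from the 4 configured slots (index 0..3)."""
    if not 0 <= index < 4 or index >= len(keys):
        raise IndexError("default key index must name one of the 4 slots")
    return keys[index]


class IvMonitor:
    """Records the IVs seen under one secret key and flags any repeat.

    A repeated IV with the same secret key means the same RC4 key stream was
    used for two packets, which is exactly what the IV is meant to prevent.
    """

    def __init__(self):
        self.seen = set()
        self.repeats = 0

    def observe(self, iv):
        """Return True if this IV was already used with this key."""
        if iv in self.seen:
            self.repeats += 1
            return True
        self.seen.add(iv)
        return False


if __name__ == "__main__":
    secret = parse_wep_key("0123456789abcdef0123456789", is_hex=True)
    print(nominal_key_bits(secret), "bit WEP, IV space =", iv_space())
    print(per_packet_key(secret, b"\x00\x00\x01").hex())
    mon = IvMonitor()                       # constructed IV sequence
    for iv in (b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01"):
        print(iv.hex(), "repeat" if mon.observe(iv) else "fresh")
```

The monitor shows the limit of the IV defence: with only 2^24 IVs available, a busy access point cycles through the whole space in a matter of hours, after which the same key stream is reused regardless of how the key was entered. That is the reason the FAQ later in these notes points to WPA and WPA2 rather than WEP for new deployments.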
IEEE 802.1x Introduction
The IEEE 802.1x port-based authentication is designed to prevent unauthorized
devices (clients) from gaining access to the network. As LANs extend to hotels,
airports and corporate lobbies, insecure environments could be created. The 802.1x
port-based network access control makes use of the physical access characteristics
of IEEE 802 LAN infrastructures, such as the 802.3 Ethernet, 802.11 Wireless LAN
and ADSL LRE (Long Reach Ethernet), in order to provide a means of authenticating
and authorizing devices attached to a LAN port that has point-to-point connection
characteristics, and of preventing access to that port if the
authentication process fails.
IEEE 802.1x authentication is a client-server architecture that uses
EAPOL (Extensible Authentication Protocol over LAN). The authentication server
authenticates each client connected to an Access Point (for Wireless LAN) or switch
port (for Ethernet) before the client may access any services offered by the Wireless AP.
802.1x involves three major components:
1. Authenticator:
The device (e.g. Wireless AP) that facilitates the authentication of a supplicant
(Wireless client) attached to the Wireless network. The authenticator controls
physical access to the network based on the authentication status of the client. The
authenticator acts as an intermediary (proxy) between the client and the
authentication server (e.g. RADIUS server), requesting the identity information from
the client, verifying that information with the authentication server and relaying a
response to the client.
2. Supplicant:
The station (i.e. Wireless client) that is being authenticated by an authenticator
attached to the Wireless network. The supplicant requests access to the LAN services
and responds to the requests from the authenticator. The station must be running
802.1x-compliant client software, such as that offered in the Microsoft Windows XP
operating system, Meeting House AEGIS 802.1x client or Odyssey 802.1x client.
3. Authentication Server:
The device (i.e. RADIUS server) that provides an authentication service to an
authenticator. This service determines, from the credentials provided by the
supplicant, whether the supplicant is authorized to access the services provided by
the authenticator. The authentication server performs the actual authentication of
the client. It validates the identity of the supplicant. Because the authenticator acts
as a proxy, the authentication service is transparent to the supplicant.
Some Wireless APs (i.e. ZyXEL Wireless AP) have a built-in authentication server,
therefore an external RADIUS authentication server is not needed. In this case, the
Wireless AP acts as both authenticator and authentication server.
Authentication Port State and Authentication Control
The port state determines whether or not the supplicant (Wireless Client) is
granted access to the network behind the Wireless AP. There are two authentication
port states on the AP, authorized state and unauthorized state.
By default, the port starts in the unauthorized state. While in this state, the port
disallows all incoming and outgoing data traffic except 802.1x packets. When a
supplicant is successfully authenticated, the port transitions to the authorized state,
allowing all traffic for the client to flow normally. If a client that does not support
802.1x is connected to an unauthorized 802.1x port, the authenticator requests the
client's identity. In this situation, the client does not respond to the 802.1x request;
the port remains in the unauthorized state and the client is not granted access to the
network.
When 802.1x is enabled, the authenticator controls the port authorization state
by using the following control parameters. The following three authentication
control parameters are applied in the Wireless AP.
1. Force Authorized: Disables 802.1x and causes the port to transition to the
authorized state without any authentication exchange. The port transmits
and receives normal traffic without 802.1x-based authentication of the client.
This is the default port control setting. While the AP is set up as Force Authorized,
wireless clients (whether or not they support 802.1x) can always access
the network.
2. Force Unauthorized: Causes the port to remain in the unauthorized state, ignoring
all attempts by the client to authenticate. The authenticator cannot provide
authentication services to the supplicants through the port. While the AP is set up as
Force Unauthorized, wireless clients (whether or not they support 802.1x)
can never access the network.
3. Auto: Enables 802.1x and causes the port to begin in the unauthorized state,
allowing only EAPOL frames to be sent and received through the port. The
authentication process begins when the link state of the port transitions from down to
up or when an EAPOL-Start frame is received. The AP requests the identity of the
client and begins relaying authentication messages between the supplicant and the
authentication server. Each supplicant attempting to access the network is uniquely
identified by the authenticator by its MAC address. While the AP is
set up as Auto, only wireless clients that support 802.1x can access the
network.
Re-Authentication
The administrator can enable periodic 802.1x client re-authentication and specify
how often it occurs. When the re-authentication timer runs out, the authenticator
sends an EAP-Request/Identity to reinitiate the authentication process. In the
ZyXEL Wireless AP 802.1x implementation, if you do not specify a time period before
enabling re-authentication, the period between re-authentication attempts is
1,800 seconds (30 minutes).
EAPOL (Extensible Authentication Protocol over LAN)
The authenticators and supplicants communicate with one another by using the
Extensible Authentication Protocol (EAP, RFC 2284). EAP was originally
designed to run over PPP and to authenticate dial-in users, but 802.1x
defines an encapsulation method for passing EAP packets in Ethernet frames.
This method is referred to as EAP over LANs, or EAPOL. The Ethernet type of EAPOL
is 0x888E (two octets). The EAPOL encapsulations are defined for IEEE 802
compliant environments such as 802.3 Ethernet, 802.11 Wireless LAN and Token
Ring/FDDI.
The EAP protocol can support multiple authentication mechanisms, such as
MD5-Challenge, One-Time Passwords, Generic Token Card, TLS and TTLS.
Typically, the authenticator will send an initial Identity Request followed by one or
more Requests for authentication information. When the supplicant receives an
EAP request, it replies with the associated EAP response. So far, the ZyXEL
Wireless AP only supports the MD5-Challenge authentication mechanism, but will
support TLS and TTLS in the future.
EAPOL Exchange between 802.1x Authenticator and Supplicant
Either the authenticator or the supplicant can initiate the authentication. If you enable
802.1x authentication on the Wireless AP, the authenticator must initiate
authentication when it determines that the wireless link state transitions from down to
up. It then sends an EAP-Request/Identity frame to the 802.1x client to request its
identity. (Typically, the authenticator sends an initial EAP-Request/Identity frame
followed by one or more requests for authentication information.) Upon receipt
of the frame, the supplicant responds with an EAP-Response/Identity frame.
However, if during boot-up the supplicant does not receive an
EAP-Request/Identity frame from the Wireless AP, the client can initiate the
authentication by sending an EAPOL-Start frame, which prompts the authenticator to
request the supplicant's identity. In the case described here, the authenticator is co-located
with the authentication server. When the supplicant supplies its identity, the
authenticator exchanges EAPOL frames directly with the supplicant until the
authentication succeeds or fails. If the authentication succeeds, the port becomes
authorized. If the authentication fails, the port becomes unauthorized. When the
supplicant no longer needs wireless access, it sends an EAPOL-Logoff
packet to terminate its 802.1x session and the port state becomes unauthorized.
The following figure displays the EAPOL exchange ping-pong chart.
The EAPOL packet contains the following fields: protocol version, packet type,
packet body length, and packet body. Most of the fields are self-explanatory. The packet type
can have four different values, described as follows:
EAP-Packet: Both the supplicant and the authenticator send this packet while the
authentication is taking place. This is the packet that contains either the
MD5-Challenge or TLS information required for authentication.
EAPOL-Start: The supplicant sends this packet when it wants to initiate the
authentication process.
EAPOL-Logoff: The supplicant sends this packet when it wants to terminate its
802.1x session.
EAPOL-Key: This is used for the TLS authentication method. The Wireless AP
uses this packet to send the calculated WEP key to the supplicant after the
TLS negotiation has been completed between the supplicant and the RADIUS
server.
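The exchange described above, as an added example that is not ZyXEL code: an authenticator co-located with its authentication server (a local identity-to-password table stands in for RADIUS, an assumption made for the example) runs the EAP-Request/Identity and MD5-Challenge round over EAPOL, while the three port control modes and EAPOL-Logoff drive the authorized/unauthorized port state. The EAPOL and EAP header layouts follow IEEE 802.1X and RFC 2284/3748; user names and passwords in the test are constructed.

```python
"""EAPOL framing and 802.1x port control, added as an example (not ZyXEL code):
the authenticator is co-located with the authentication server, as in the text."""
import hashlib
import os
import struct
from enum import IntEnum

EAPOL_ETHERTYPE = 0x888E  # EAPOL Ethernet type, two octets
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4  # EAP method types (RFC 2284 / RFC 3748)

class EapolType(IntEnum):  # the four packet-type values listed in the text
    EAP_PACKET = 0
    START = 1
    LOGOFF = 2
    KEY = 3

class PortControl(IntEnum):  # the three port control parameters of the AP
    FORCE_AUTHORIZED = 0
    FORCE_UNAUTHORIZED = 1
    AUTO = 2

def build_eapol(ptype, body=b""):
    """EAPOL: protocol version (1) | packet type | body length | body."""
    return struct.pack("!BBH", 1, int(ptype), len(body)) + body

def parse_eapol(frame):
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    return version, EapolType(ptype), frame[4:4 + length]

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP: code | identifier | length | [type | type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def md5_challenge_response(ident, password, challenge):
    # RFC 3748 section 5.4: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class AuthenticatorPort:
    """One controlled port; `users` maps identity -> password (local server)."""
    def __init__(self, users, control=PortControl.AUTO, rng=os.urandom):
        self.users, self.control, self.rng = users, control, rng
        self.authorized = control == PortControl.FORCE_AUTHORIZED
        self.ident, self.identity, self.challenge = 0, None, None

    def allows(self, ethertype):  # an unauthorized port passes only EAPOL
        return self.authorized or ethertype == EAPOL_ETHERTYPE

    def _request(self, eap_type, data=b""):
        self.ident = (self.ident + 1) & 0xFF
        return build_eapol(EapolType.EAP_PACKET, build_eap(EAP_REQUEST, self.ident, eap_type, data))

    def receive(self, frame):
        """Handle one supplicant frame; return the frame to send back, if any."""
        if self.control != PortControl.AUTO:
            return None  # Force modes ignore all authentication attempts
        _, ptype, body = parse_eapol(frame)
        if ptype == EapolType.START:  # supplicant-initiated: ask for identity
            return self._request(EAP_TYPE_IDENTITY)
        if ptype == EapolType.LOGOFF:
            self.authorized = False  # session ended: back to unauthorized
        if ptype != EapolType.EAP_PACKET:
            return None
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None  # not the answer to the outstanding request
        if eap_type == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = data.decode("utf-8", "replace"), self.rng(16)
            return self._request(EAP_TYPE_MD5, bytes([16]) + self.challenge)
        if eap_type == EAP_TYPE_MD5 and self.challenge is not None:
            password = self.users.get(self.identity)
            value = data[1:1 + data[0]] if data else b""
            self.authorized = password is not None and value == \
                md5_challenge_response(ident, password, self.challenge)
            self.challenge = None
            result = EAP_SUCCESS if self.authorized else EAP_FAILURE
            return build_eapol(EapolType.EAP_PACKET, build_eap(result, ident))
        return None

def supplicant_answer(frame, identity, password):
    """Supplicant side: answer an EAP request with the matching EAP response."""
    code, ident, eap_type, data = parse_eap(parse_eapol(frame)[2])
    if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
        resp = build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    elif code == EAP_REQUEST and eap_type == EAP_TYPE_MD5:
        digest = md5_challenge_response(ident, password, data[1:1 + data[0]])
        resp = build_eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest)
    else:
        return None
    return build_eapol(EapolType.EAP_PACKET, resp)

def run_exchange(port, identity, password):
    """Supplicant sends EAPOL-Start, then the ping-pong runs to Success/Failure."""
    frame = port.receive(build_eapol(EapolType.START))
    while frame is not None and parse_eapol(frame)[2][0] not in (EAP_SUCCESS, EAP_FAILURE):
        frame = port.receive(supplicant_answer(frame, identity, password))
    return port.authorized
```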
Wi-Fi Protected Access Introduction
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security
specification draft. Key differences between WPA and WEP are user
authentication and improved data encryption. WPA applies the IEEE 802.1x
Extensible Authentication Protocol (EAP) to authenticate wireless clients using an
external RADIUS database. You cannot use the P-660HW-Tx v2's local user database
for WPA authentication purposes, since the local user database uses the MD5 EAP
method, which cannot generate keys.
WPA improves data encryption by using the Temporal Key Integrity Protocol
(TKIP), a Message Integrity Check and IEEE 802.1x. Temporal Key Integrity Protocol
uses 128-bit keys that are dynamically generated and distributed by the
authentication server. It includes a per-packet key mixing function, a Message
Integrity Check (MIC) named Michael, an extended initialization vector (IV) with
sequencing rules and a re-keying mechanism.
If you do not have an external RADIUS server, you should use WPA-PSK
(WPA Pre-Shared Key), which only requires a single (identical) password entered into
each access point, wireless gateway and wireless client. As long as the passwords
match, a client is granted access to the WLAN.
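The derivation behind that "passwords must match" rule, as an added example that is not from the manual: with WPA-PSK both the access point and each client turn the passphrase and the SSID into the same 256-bit pairwise master key with PBKDF2-HMAC-SHA1 (4096 iterations, as IEEE 802.11i specifies), so a mismatch in either value gives different keys and the handshake fails. The passphrase generator is a stand-in for the AP's own "Generate password automatically" and is an assumption about nothing more than its output alphabet.

```python
"""WPA-PSK key derivation, added as an example (not ZyXEL code).

With WPA-PSK there is no RADIUS server: the access point and every client
derive the same 256-bit Pairwise Master Key (PMK) from the shared passphrase
and the SSID with PBKDF2-HMAC-SHA1, 4096 iterations, as IEEE 802.11i
specifies.  A client whose passphrase or SSID differs derives a different PMK,
so the handshake fails: that is the "passwords must match" rule in the text.
"""
import hashlib
import secrets
import string

_HEX = set(string.hexdigits)
_PRINTABLE = {chr(c) for c in range(32, 127)}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase and SSID.

    IEEE 802.11i allows an 8..63 character printable-ASCII passphrase, or the
    raw 256-bit PSK entered directly as 64 hexadecimal digits.
    """
    if len(passphrase) == 64 and set(passphrase) <= _HEX:
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not set(passphrase) <= _PRINTABLE:
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def keys_match(ap_passphrase, ap_ssid, client_passphrase, client_ssid) -> bool:
    """What the 4-way handshake effectively verifies: both sides hold one PMK."""
    return wpa_psk(ap_passphrase, ap_ssid) == wpa_psk(client_passphrase, client_ssid)


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase, a stand-in for the AP's "Generate password automatically"."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```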
WPA2 in Brief
WPA2 (Wi-Fi Protected Access 2) is the Wi-Fi Alliance interoperable
implementation of the ratified IEEE 802.11i standard. WPA2 implements the National
Institute of Standards and Technology (NIST) recommendation, whose security is
higher than WPA's, as it introduces an AES-based algorithm, Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (CCMP), and offers stronger encryption than
WPA (TKIP). The WPA2 encryption keys used for each client on the network
are unique and specific to that client. As a result, each packet sent over the
air is encrypted with a unique key. Security is higher because every encryption key is
new and unique and no key is reused.
WPA & WPA2
Both WPA and WPA2 offer a high level of security for end users and administrators by
utilizing EAP (Extensible Authentication Protocol) for authentication; both WPA and
WPA2 also support Personal and Enterprise modes. Because WPA2 provides a
stronger encryption mechanism through AES (Advanced Encryption Standard),
WPA2 is required by some corporate and government
users.
Wireless Configuration
Activate the WLAN interface of the SBG3300 and connect the notebook
(802.11bg wireless NIC required) under the WPA-PSK security mode.
a. Wireless Setup.
1. Go to Network Setting > Wireless > General.
2. Check the Active Wireless LAN box.
3. Enter the Network Name (SSID), e.g. “Test_01”.
4. Select the Security Mode, e.g. “WPA-PSK”.
5. You can choose “Generate password automatically”.
6. Click Apply.
View all the available wireless networks on your notebook (802.11bg wireless NIC
required):
Enter the WPA-PSK pre-shared key.
We can see that the notebook is now connected to the WLAN interface of the
SBG3300.
b. Wireless Setup Hiding the SSID.
1. Go to Network Setting > Wireless LAN > General.
2. Check the Enable Wireless LAN box.
3. Enter the Wireless Network Name (SSID), e.g. “TEST_01”.
4. Check the Hide SSID box.
5. Select the Security Mode, e.g. “WPA2-PSK”.
6. Enter the Pre-Shared Key, e.g. “E3617BF1AC”.
7. Click Apply.
View all the available wireless networks on your notebook:
As we can see, we cannot find the SSID “TEST_01”.
To connect to “TEST_01”, we need to configure the “Wireless Network Connection
Properties” of the notebook WLAN interface:
Go to the “Connection” tab and check “Connect when this network is in range”
checkbox.
We can then see the notebook connects to the “TEST_01”, even though the SSID is
not displayed in the broadcast network list.
Virtual Private Network Application Notes
What is a Virtual Private Network?
VPN stands for ‘Virtual Private Network’. In the past, when we needed to
transmit data in a secure way, we would need to have a site-to-site leased line
between the sites. This incurred very high costs for installing the lines.
A VPN gives users a secure way to access corporate network resources over the
Internet or other public or private networks without the expense of leasing
site-to-site lines.
A secure VPN is a combination of tunneling, encryption, authentication, access
control and auditing technologies/services used to transport traffic over the Internet
or any insecure network that uses the TCP/IP protocol suite for communication.
L2TP/IPSec VPN Overview
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support
virtual private networks (VPNs). However, it does not provide any encryption or
confidentiality by itself; it relies on an encryption protocol that it passes within the
tunnel to provide privacy. For this reason, L2TP is often implemented along with
IPSec. This is referred to as L2TP/IPSec.
The IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it.
When the process is complete, L2TP packets between the endpoints are
encapsulated by IPSec.
Since the L2TP packets themselves are wrapped and hidden within the IPSec
packets, no information about the internal private network can be garnered from the
encrypted packets. Also, it is not necessary to open UDP port 1701 (used for L2TP) on
firewalls between the endpoints, since the inner packets are not acted upon until
after IPSec data has been decrypted and stripped, which only takes place at the
endpoints.
IPSec VPN configuration
This section describes the external interface of the IPSec VPN features.
Users can configure IPSec VPN using either the simple wizard or the web
configuration GUI. The simple IPSec VPN Wizard and management of the IPSec VPN
are described first, followed by the description of the web configuration GUI.
IPSec VPN setup:
1. Go to VPN > IPSec VPN > Modify.
2. Check the Enable box for IPSec VPN.
3. Select the scenario that best describes your intended VPN connection.
Site-to-site - Choose this if the remote IPSec router has a static IP address
or a domain name. This gateway can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has
a dynamic IP address. Only the remote IPSec router can initiate the VPN
tunnel.
Remote Access (Server Role) - Choose this to allow incoming connections
from IPSec VPN clients. The clients have dynamic IP addresses and are also
known as dial-in users. Only the clients can initiate the VPN tunnel.
4. In this case we choose the “Site-to-Site” Application Scenario.
5. Select the interface for My Address.
6. Fill in the Peer Gateway Address.
7. Click the Apply button.
8. Download the GreenBow VPN Client version 4.7 and install it on your PC.
Note: GreenBow VPN Client v5.0 will sometimes become unresponsive and
a reboot of the PC is required for the client to work again, so we
recommend using version 4.7.
a. Open the VPN client configuration.
b. Create a new Phase 1.
c. Set the Interface to "Any" and the Remote Gateway to the WAN IP address of the
SBG3300.
d. Pre-shared key, encryption, authentication and key group must be the
same for both VPN server and client.
e. Click Save & Apply.
f. Create a new Phase 2. Set the address type to "Subnet address", and set
the remote LAN address and subnet mask.
g. Encryption and authentication must be the same for both VPN server
and client.
h. Mode must be set to "Tunnel".
i. PFS must be unchecked.
j. Click Save & Apply.
k. Click Open Tunnel.
9. Click Monitor to check the VPN status.
L2TP VPN configuration
1. Go to VPN > L2TP VPN.
2. Check the Enable box for L2TP.
PPTP VPN Overview
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing VPNs.
It allows a user to create a secure VPN connection remotely to the local networks.
The intended use of this protocol is to provide similar levels of security and remote
access as typical VPN products.
PPTP VPN Settings Configuration
1. Go to VPN > PPTP VPN.
2. Check the Enable box for PPTP VPN.
3. Use the Windows 7 built-in PPTP VPN client.
a. Go to Start and click on Control Panel.
b. Click View network status.
c. The Network and Sharing Center window will appear; click
on Set up a new connection or network.
d. The Set up a Connection or Network window appears. Choose the Connect
to a workplace option and click Next.
e. Click on Use my Internet connection (VPN) (your
computer should be connected to the network).
f. Fill in the IP address or host name of the VPN server
that you plan to connect to and also name the connection.
Click Next.
g. Type your VPN user name and password, then click
on Create.
h. Click on Connect now to establish the VPN connection if you
are ready. If not, click Close and connect later.
i. If you click on the network icon (right hand corner of the taskbar), you
will notice that a new VPN connection item has been created; you
can click Connect to establish the VPN connection.
WPS Application Notes
What is WPS?
Wi-Fi Protected Setup (WPS) is a standard created by the Wi-Fi Alliance for easy
and secure establishment of a wireless home/office network. The goal of the WPS
protocol is to simplify the process of configuring the security of the wireless network,
and thus is called Wi-Fi Protected Setup.
There are several different methods defined in WPS to simplify the process of
configuration. SBG3300 supports two of those methods, which are the PIN Method
and the PBC Method.
PIN Method:
A PIN (Personal Identification Number) has to be read from either a sticker on the
new wireless client device or a display, and entered at either the wireless access
point (AP) or a Registrar on the network.
PBC Method:
A simple “push of a button” suffices to activate the security of
the wireless network and at the same time enroll the device in it.
WPS configuration
a. WPS Setup
1. Go to Network Setting > Wireless > WPS.
2. Check the Enable box for WPS.
3. Click Apply.
Note: You must press the other wireless device’s WPS button within 2 minutes of
pressing this button.
Maintenance Log
Internal Maintenance
The SBG3300 has the ability to record the events occurring in the CPE in a system log
(according to the severity) and maintain this log in itself.
a. Activate the Maintenance Log.
1. Go to Maintenance > Log setting.
2. Select “Enable” for Syslog Logging.
3. Insert the parameters, for example the syslog server address.
4. Select the logging conditions according to user’s needs.
5. Click Apply.
b. View the log in the Web GUI.
1. Go to System Monitor > Log.
Maintenance Tools
Maintenance Procedure
a. Upgrading Firmware.
1. Go to Maintenance > Firmware Upgrade.
2. Click Browse.
3. Select the Firmware to upload and click Open.
4. Click Upload.
b. Backing up the Configuration.
1. Go to Maintenance > Backup/Restore.
2. Click Backup.
3. Click Save.
4. Select the directory to save the configuration file and click Save.
c. Upload Configuration.
1. Go to Maintenance > Tools > Configuration.
2. Click Browse.
3. Select the configuration file to upload and click Open.
Product FAQ
Will the device work with my Internet connection?
SBG3300 is designed to be compatible with major ISPs that utilize ADSL as a
broadband service. SBG3300 offers Ethernet ports to connect to your computer so
the device is placed in the line between the computer and your ISP. If your ISP
supports PPPoE you can also use the device, because PPPoE is supported by the
device.
Why do I need to use SBG3300?
You need an ADSL modem/router to use an ADSL line, and the SBG3300 is an ideal device
for this application. The device has 4 Ethernet ports (LAN ports) and one ADSL WAN
port. You should connect your computer to a LAN port and connect the ADSL line
to the WAN port. If the ISP uses PPPoE, you need a user account and password to
access the Internet.
What is PPPoE?
PPPoE stands for Point-to-Point Protocol over Ethernet; it is an IETF draft standard
specifying how a computer interacts with a broadband modem (e.g. xDSL, cable,
wireless, etc.) to access high-speed data networks via a familiar PPP
dialer such as the 'Dial-Up Networking' user interface. PPPoE supports a broad range of
existing applications and services including authentication, accounting, secure access
and configuration management. There are many service providers running PPPoE
today. Before configuring PPPoE in the device, please make sure your ISP supports
PPPoE.
Does the device support PPPoE?
Yes. The device supports PPPoE.
How do I know I am using PPPoE?
PPPoE requires a user account to log in to the provider's server. If you need to
configure a user name and password on your computer to connect to the ISP you are
probably using PPPoE. If you are simply connected to the Internet when you turn on
your computer, you probably are not using PPPoE. You can also check with your ISP’s
hotline or check the information sheet provided by the ISP. Please choose PPPoE as
the encapsulation type in the device if the ISP uses PPPoE.
Why does my provider use PPPoE?
PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services
using their existing network configuration over the broadband connections. Besides,
PPPoE supports a broad range of existing applications and services including
authentication, accounting, secure access and configuration management.
Which Internet Applications can I use with the device?
Most common applications include mIRC, PPTP, ICQ, CU-SeeMe, NetMeeting, IP/TV,
RealPlayer, VDOLive, Quake, Quake II, Quake III, StarCraft and QuickTime.
How can I configure the device?
a. Telnet – Using the Telnet remote management user interface for easy
remote management.
b. Web browser – Using the embedded web server for easy configuration.
What can we do with the device?
Browse the World Wide Web (WWW), send and receive individual e-mail, and
download software. These are just a few of many benefits you can enjoy when you
put the whole office on-line with the device.
Does the device support dynamic IP addressing?
The device supports either a static or dynamic IP address from the ISP.
What is the difference between the internal IP and the
real IP from my ISP?
Internal IPs are sometimes referred to as virtual IPs. They are a group of up to 255
IPs that are used and recognized internally on the local area network. They are not
intended to be recognized on the Internet. The real IP from ISP, instead, can be
recognized or pinged by another real IP. The Device works like an intelligent router
that routes between the virtual IP and the real IP.
What DHCP capability does the device support?
The device supports DHCP client (Ethernet encapsulation) on the WAN port and
DHCP server on the LAN port. The device's DHCP client allows it to get the Internet IP
address from ISP automatically if your ISP uses DHCP as a method to assign IP
address. The device's internal DHCP server allows it to automatically assign IPs and
DNS addresses to the clients on the local LAN.
How do I use the reset button, and what parameters
will be reset by the reset button?
You can use a blunt pointed object (e.g. paperclip) and insert it into the little reset
button hole beside the power connector. Press down the reset button and hold
down for approx. 5 seconds, the unit will be reset. When the reset button is
pressed, all the device parameters will be reset back to factory defaults, including
password and IP address.
The default IP address is 192.168.1.1, default password is 1234.
What network interfaces does the new device series
support?
The new device series supports auto MDI/MDIX 10/100M Ethernet LAN port to
connect to the computer or Switch on LAN.
How does the device support TFTP?
In addition to the direct console port connection, the device supports uploading and
downloading of the firmware and configuration file using TFTP (Trivial File Transfer
Protocol) over the LAN.
Can the device support TFTP over WAN?
Although TFTP should work over WAN as well, it is not recommended because of the
potential data corruption problems.
When do I need NAT?
a. Make local server accessible from outside Internet
Page 65
When NAT is enabled the local computers are not accessible from outside. You can
use Multi-NAT to make an internal server accessible from outside.
b. Support Non-NAT Friendly Applications
Some servers providing Internet applications such as some IRC servers do not allow
users to login using the same IP address. Thus, users on the same network cannot
login to the same server simultaneously.
What is BOOTP/DHCP?
BOOTP stands for Bootstrap Protocol. DHCP stands for Dynamic Host Configuration
Protocol. Both are mechanisms to dynamically assign an IP address to a TCP/IP client
by the server. In this case, the device is a BOOTP/DHCP server. Win95 and WinNT
clients use DHCP to request an internal IP address, while WFW and WinSock clients
use BOOTP. TCP/IP clients may specify their own IP or utilize BOOTP/DHCP to
request an IP address.
What is DDNS?
The Dynamic DNS service allows you to alias a dynamic IP address to a static
hostname, allowing your computer to be more easily accessed from various
locations on the Internet. To use the service, you must first apply for an account
from one of several free DDNS providers such as www.dyndns.org.
Without DDNS, users will always need to use the WAN IP of the SBG3300 to
reach the internal server. It is inconvenient for the users if this IP is dynamic. With
DDNS supported by the device, you can apply for a DNS name (e.g.,
www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The
outside users can always access the web server using www.zyxel.com.tw
regardless of the WAN IP of the SBG3300.
When the ISP assigns the device (SBG3300) a new IP, the device updates this IP to
the DDNS server so that the server can update its IP-to-DNS entry. Once the
IP-to-DNS table in the DDNS server is updated, the DNS name for your web server
(i.e., www.zyxel.com.tw) remains usable.
When do I need DDNS service?
When you want your internal server to be accessed by using a DNS name rather than
the dynamic IP address, you can use the DDNS service. The DDNS server allows you
to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a
new IP, the device sends this IP to the DDNS server to update its records.
Wireless FAQ
What is a Wireless LAN?
Wireless LANs provide all the functionality of wired LANs, without the need for
physical connections (wires). Data is modulated onto a radio frequency carrier and
transmitted through the air. Typical bit-rates are 11 Mbps and 54 Mbps, although
in practice data throughput is half of this. Wireless LANs can be formed simply by
equipping PCs with wireless NICs. If connectivity to a wired LAN is required, an
Access Point (AP) is used as a bridging device. APs are typically located close to the
center of the wireless client population.
What are the advantages of Wireless LANs?
a. Mobility:
Wireless LAN systems can provide LAN users with access to real-time information
anywhere in their organization. This mobility supports productivity and service
opportunities not possible with wired networks.
b. Installation Speed and Simplicity:
Installing a wireless LAN system can be fast and easy and can eliminate the need to
pull cable through walls and ceilings.
c. Installation Flexibility:
Wireless technology allows the network to go where wires cannot go.
d. Reduced Cost-of-Ownership:
While the initial investment required for wireless LAN hardware can be higher than
the cost of wired LAN hardware, overall installation expenses and life-cycle costs can
be significantly lower. Long-term cost benefits are greatest in dynamic environments
requiring frequent moves and changes.
e. Scalability:
Wireless LAN systems can be configured in a variety of topologies to meet the needs
of specific applications and installations. Configurations are easily changed and range
from peer-to-peer networks suitable for a small number of users to full infrastructure
networks of thousands of users that enable roaming over a broad area.
What are the disadvantages of Wireless LANs?
The speed of Wireless LANs is still relatively slower than that of wired LANs. The most
popular wired LAN standard operates at 100 Mbps, which is more than 4 times
that of a Wireless LAN (effectively around 25 Mbps). A faster wired LAN standard (1000
Mbps), which is 40 times faster, is becoming popular as well. The setup cost of a
Wireless LAN is relatively higher because the equipment, which includes access
points and Wireless LAN cards, costs more than hubs and CAT 5 cables.
Where can you find wireless 802.11 networks?
Airports, hotels, and even coffee shops like Starbucks are deploying 802.11 networks
so that customers can wirelessly access the Internet with their laptops. As these
types of networks spread, this will create additional security risk for remote users if
not properly protected.
What is an Access Point?
The AP (access point also known as a base station) is a wireless server with an
antenna and a wired Ethernet connection that broadcasts information using radio
signals. An AP typically acts as a bridge for the clients. It can pass information to
wireless LAN cards that have been installed in computers or laptops allowing those
computers to connect to the campus network and the Internet without wires.
What is IEEE 802.11?
The IEEE 802.11 is a wireless LAN industry standard, and the objective of IEEE 802.11
is to make sure that different manufacturers' wireless LAN devices can communicate
with each other. 802.11 provides 1 or 2 Mbps transmission data rates in the 2.4 GHz
ISM band using either FHSS or DSSS modulation.
What is 802.11b?
802.11b is the first revision of the 802.11 standard, allowing data rates up to 11 Mbps in
the 2.4 GHz ISM band. It is also known as 802.11 High-Rate and Wi-Fi. 802.11b only
uses DSSS modulation, and the maximum speed of 11 Mbps falls back to 5.5, 2
and 1 Mbps.
How fast is 802.11b?
The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps).
However, depending on signal quality and how many other people are using the
wireless Ethernet through a particular Access Point, usable speed will be much lower
(on the order of 4 or 5 Mbps, which is still substantially faster than most dialup, cable
and DSL modems).
What is 802.11a?
802.11a is the second revision of 802.11 that operates in the unlicensed 5 GHz band
and allows transmission rates of up to 54 Mbps. 802.11a uses OFDM (orthogonal
frequency division multiplexing) modulation as opposed to FHSS or DSSS. Higher data
rates are possible by combining channels. Due to higher frequency, range is less than
lower frequency systems (i.e., 802.11b and 802.11g) and can increase the cost of the
overall solution because a greater number of access points may be required. 802.11a
is not directly compatible with 802.11b or 802.11g networks. In other words, a user
equipped with an 802.11b or 802.11g radio card will not be able to interface directly
with an 802.11a access point. Multi-mode NICs can solve this problem.
What is 802.11g?
802.11g is an extension of 802.11b. 802.11g increases 802.11b's data rates to 54
Mbps and still utilizes the 2.4 GHz ISM band. Modulation is based upon OFDM
(orthogonal frequency division multiplexing) technology. An 802.11b radio card will
interface directly with an 802.11g access point (and vice versa) at 11 Mbps or lower
depending on range. The range at 54 Mbps is less than for 802.11b operating at
11 Mbps.
What is 802.11n?
802.11n supports both the 2.4 GHz and 5 GHz radio bands, and its data
rate ranges from 54 Mbit/s up to 600 Mbit/s in theory. It uses the 802.11n Channel
Doubling technology, which doubles the channel bandwidth from 20 MHz to 40
MHz and so effectively doubles data rates and throughput. It adds the MIMO feature,
which uses multiple transmission and reception antennas to allow a higher raw data
rate and to resolve more information than is possible with a single-antenna
configuration. 802.11n also uses the "Alamouti coding" scheme to increase
transmission range.
Is it possible to use products from a variety of vendors?
Yes, as long as the products comply with the same IEEE 802.11 standard. The Wi-Fi
logo is used to define 802.11 compatible products.
What is Wi-Fi?
The Wi-Fi logo signifies that a product is interoperable with wireless networking
equipment from other vendors. A Wi-Fi logo product has been tested and certified by
the Wireless Ethernet Compatibility Alliance (WECA). If a Wireless LAN Card is Wi-Fi
certified, that means that it will work (interoperate) with any brand of Access Point
that is also Wi-Fi certified.
What types of devices use the 2.4 GHz Band?
Various spread spectrum radio communication applications use the 2.4 GHz band.
This includes WLAN systems (not necessarily of the type IEEE 802.11b), cordless
phones, wireless medical telemetry equipment and Bluetooth™ short-range wireless
applications, which includes connecting printers to computers and connecting
modems or hands-free kits to mobile phones.
Does the 802.11 interfere with Bluetooth devices?
Any time devices are operated in the same frequency band, there is a potential for
interference.
Both 802.11b and Bluetooth devices occupy the same 2.4 to 2.483 GHz
unlicensed frequency range, the same band. But a Bluetooth device would not
interfere with other 802.11 devices much more than another 802.11 device would.
While more collisions are possible with the introduction of a Bluetooth
device, they are also possible with the introduction of another 802.11 device, or a
new 2.4 GHz cordless phone for that matter. Bluetooth devices are usually
low-power, so the effects that a Bluetooth device may have on an 802.11 network, if
any, are not far-reaching.
Can radio signals pass through walls?
Transmitting through a wall is possible depending upon the material used in its
construction. In general, metals and substances with high water content do not allow
radio waves to pass through. Metals reflect radio waves and concrete attenuates
radio waves. The amount of attenuation suffered in passing through concrete will be
a function of its thickness and the amount of metal reinforcement used.
What are potential factors that may cause interference
for WLAN products?
Factors of interference:
1. Obstacles: walls, ceilings, furniture… etc.
2. Building Materials: metal doors, aluminum studs.
3. Electrical devices: microwaves, monitors, electric motors.
Solution:
1. Minimize the number of walls and ceilings between clients and APs.
2. Position Antennas for best reception.
3. Keep WLAN products away from electrical devices, e.g.: microwaves, monitors,
electric motors… etc.
4. Add additional APs if necessary.
What's the difference between a WLAN and a WWAN?
WLANs are generally privately owned, wireless systems that are deployed in a
corporation, warehouse, hospital, or educational campus setting. Data rates are high
and there are no per-packet charges for data transmission.
WWANs are generally publicly shared data networks designed to provide coverage in
metropolitan areas and along traffic corridors. WWANs are owned by a service
provider or carrier. Data rates are low and charges are based on usage. Specialized
applications are characteristically designed around short, burst messaging.
What is Ad Hoc mode?
In Ad Hoc mode, a wireless network consists of a number of stations without access
points or any connection to a wired network.
What is Infrastructure mode?
Infrastructure mode implies connectivity to a wired communications infrastructure. If
such connectivity is required, access points must be used to connect to the wired
LAN backbone. Wireless clients have their configurations set to "infrastructure
mode" in order to use access points for relaying data.
How many Access Points are required in a given area?
This depends on the surrounding terrain, the diameter of the client population, and
the number of clients. If an area is large with dispersed pockets of population, then
extension points can be used to extend coverage.
What is Direct-Sequence Spread Spectrum
Technology – (DSSS)?
DSSS spreads its signal continuously over a wide frequency band. DSSS maps the
information-bearing bit pattern at the sending station into a higher-rate bit
sequence using a "chipping" code. The chipping code (also known as processing gain)
introduces redundancy, which allows data recovery if certain bit errors occur during
transmission. The FCC rules that the minimum processing gain must be 10; typical
systems use processing gains of 20. IEEE 802.11b specifies the use of DSSS.
What is Frequency-hopping Spread Spectrum
Technology – (FHSS)?
FHSS uses a narrowband carrier which hops through a predefined sequence of
several frequencies at a specific rate. This avoids problems with fixed channel
narrowband noise and simple jamming. Both transmitter and receiver must have
their hopping sequences synchronized to create the effect of a single "logical
channel". To an unsynchronized receiver an FHSS transmission appears to be
short-duration impulse noise. 802.11 may use FHSS or DSSS.
Do I need the same kind of antenna on both sides of a
link?
No, provided that each antenna is designed for 2.4 GHz or 5 GHz operation.
WLAN NICs often include an internal antenna, which may provide sufficient reception.
What is the 2.4 GHz Frequency range?
This frequency range has been set aside by the FCC, and is generally labeled the ISM
band. A few years ago Apple and several other large corporations requested that the
FCC allow the development of wireless networks within this frequency range. What
we have today is a protocol and system that allows for unlicensed use of radios
within a prescribed power level. The ISM band is populated by Industrial, Scientific
and Medical devices that are all low power devices, but can interfere with each
other.
What is a Service Set ID (SSID)?
The SSID is a configurable identifier that allows clients to communicate with the
appropriate base station. With proper configuration, only clients that are configured
with the same SSID can communicate with base stations having that SSID. From a
security point of view, the SSID acts only as a simple single shared password between
base stations and clients.
What is an ESSID?
ESSID stands for Extended Service Set Identifier and identifies the wireless LAN. The
ESSID of the mobile device must match the ESSID of the AP to communicate with the
AP. The ESSID is an up to 32-character string and is case-sensitive.
How do I secure the data across an Access Point's radio
link?
Enable Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) to encrypt
the payload of packets sent across a radio link.
What is WEP?
Wired Equivalent Privacy. WEP is a security mechanism defined within the 802.11
standard and designed to make the security of the wireless medium equal to that of
a cable (wire). WEP data encryption was designed to prevent access to the network
by "intruders" and to prevent the capture of wireless LAN traffic through
eavesdropping. WEP allows the administrator to define a set of "Keys" for
each wireless network user, based on a "Key String" passed through the WEP
encryption algorithm. Access is denied to anyone who does not have an assigned key.
WEP comes in 40/64-bit and 128-bit encryption key lengths. Note that WEP was
shown to have fundamental flaws in its key generation processing.
What is the difference between 40-bit and 64-bit WEP?
40-bit WEP and 64-bit WEP are the same encryption level and can interoperate. The
lower level of WEP encryption uses a 40-bit (10 hex character) "secret key" (set by the
user) and a 24-bit "Initialization Vector" (not under user control) (40+24=64). Some
vendors refer to this level of WEP as 40-bit, others as 64-bit.
What is a WEP key?
A WEP key is a user defined string of characters used to encrypt and decrypt data.
Can the SSID be encrypted?
WEP, the encryption standard for 802.11, only encrypts the data packets, not the
802.11 management packets; however, the SSID is in the beacon and probe
management messages. The SSID is not encrypted if WEP is turned on. The SSID is
transmitted over the air in clear text. This makes obtaining the SSID easy by sniffing
802.11 wireless traffic.
By turning off the broadcast of SSID, can someone still
sniff the SSID?
Many APs by default have broadcasting the SSID turned on. Sniffers typically will find
the SSID in the broadcast beacon packets. Turning off the broadcast of SSID in the
beacon message (a common practice) does not prevent getting the SSID, since the
SSID is sent in the clear in the probe message when a client associates to an AP. A
sniffer just has to wait for a valid user to associate with the network to see the SSID.
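The two answers above, as an added example that is not part of the ZyXEL notes: a parser over constructed 802.11 management frames showing that a hidden SSID only blanks the beacon's SSID element, while the probe and association requests a joining client sends still carry it in the clear. The addresses, the "CorpNet" name and the frame contents are constructed sample data; the frame layout (24-octet MAC header, fixed fields, tag/length/value elements) follows the standard.

```python
import struct

# Frame-control first octet for a management frame (type 0); subtype in bits 4-7.
BEACON, PROBE_REQ, ASSOC_REQ = 0x80, 0x40, 0x00
# Length of the fixed fields that precede the information elements in each body.
FIXED_LEN = {BEACON: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
SSID_TAG, RATES_TAG = 0, 1                 # information element IDs
BROADCAST = b"\xff" * 6
AP_BSSID = bytes.fromhex("020000000001")   # constructed, locally administered
CLIENT = bytes.fromhex("020000000002")     # constructed

def element(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def mgmt_frame(subtype: int, src: bytes, dst: bytes, body: bytes) -> bytes:
    """Constructed sample frame: 24-octet MAC header (FC, duration, addr1-3, seq)."""
    header = struct.pack("<BBH", subtype, 0, 0) + dst + src + AP_BSSID + b"\x00\x00"
    return header + body

def parse_ssid(frame: bytes):
    """Return (subtype, ssid): ssid is '' for a zero-length (hidden) element and
    None when no SSID element is present. Nothing is decrypted here: management
    frames are transmitted in the clear whether or not WEP/WPA is enabled."""
    subtype = frame[0] & 0xF0
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if tag == SSID_TAG:
            return subtype, frame[pos + 2 : pos + 2 + length].decode(errors="replace")
        pos += 2 + length
    return subtype, None

def ssids_seen(frames) -> dict:
    """Map subtype -> SSID string, as a passive monitor on the channel would record."""
    return dict(parse_ssid(f) for f in frames)

# Constructed traffic: an AP with SSID broadcast turned off, then a client joining it.
HIDDEN_BEACON = mgmt_frame(BEACON, AP_BSSID, BROADCAST,
    struct.pack("<QHH", 0, 100, 0x0011) + element(SSID_TAG, b"") + element(RATES_TAG, b"\x82\x84"))
PROBE = mgmt_frame(PROBE_REQ, CLIENT, BROADCAST,
    element(SSID_TAG, b"CorpNet") + element(RATES_TAG, b"\x82\x84"))
ASSOC = mgmt_frame(ASSOC_REQ, CLIENT, AP_BSSID,
    struct.pack("<HH", 0x0011, 10) + element(SSID_TAG, b"CorpNet"))

if __name__ == "__main__":
    for subtype, ssid in ssids_seen([HIDDEN_BEACON, PROBE, ASSOC]).items():
        print(hex(subtype), "hidden" if ssid == "" else repr(ssid))
```

The practical conclusion is the one the notes draw: treat the SSID as public and rely on WPA/WPA2 for access control rather than on hiding the name.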
What are Insertion Attacks?
Insertion attacks are based on placing unauthorized devices on the wireless
network without going through a security process and review.
What is a Wireless Sniffer?
An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for
Ethernet are based on capturing the first part of the connection session, where the
data would typically include the username and password. An intruder can
masquerade as that user by using this captured information. An intruder who
monitors the wireless network can apply the same attack principle to the wireless LAN.
What is the difference between Open System and
Shared Key of Authentication Type?
Open System:
The default authentication service that simply announces the desire to associate with
another station or access point. A station can authenticate with any other station or
access point using open system authentication if the receiving station designates
open system authentication.
Shared Key:
The optional authentication that involves a more rigorous exchange of frames,
ensuring that the requesting station is authentic. For a station to use shared key
authentication, it must implement WEP.
What is 802.1x?
IEEE 802.1x Port-Based Network Access Control is an IEEE (Institute of Electrical and
Electronics Engineers) standard, which specifies a standard mechanism for
authenticating, at the link layer (Layer 2), users' access to IEEE 802 networks such as
Ethernet (IEEE 802.3) and Wireless LAN (IEEE 802.11). For IEEE 802.11 WLAN, IEEE
802.1x authentication can be based on username/password or digital certificate.
What is the difference between No authentication
required, No access allowed and Authentication
required?
No authentication required: disables 802.1X and causes the port to transition to the
authorized state without any authentication exchange required. The port transmits
and receives normal traffic without 802.1X-based authentication of the client.
No access allowed: causes the port to remain in the unauthorized state, ignoring all
attempts by the client to authenticate. The switch cannot provide authentication
services to the client through the interface.
Authentication required: enables 802.1X and causes the port to begin in the
unauthorized state, allowing only EAPOL frames to be sent and received through the
port. The authentication process begins when the link state of the port transitions
from down to up, or when an EAPOL-start frame is received. The switch requests the
identity of the client and begins relaying authentication messages between the client
and the authentication server. Each client attempting to access the network is
uniquely identified by the switch by using the client's MAC address.
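The three port-control modes described above, as an added example that is not part of the ZyXEL notes: a small model of an authenticator port that tracks clients by MAC address, forwards only EAPOL frames until a client is authorized, and ignores even EAPOL in the "No access allowed" mode. The credential store and MAC addresses are constructed; `auth_server` stands in for the RADIUS server the switch relays to.

```python
from enum import Enum

class PortControl(Enum):
    NO_AUTH_REQUIRED = "force-authorized"     # "No authentication required"
    NO_ACCESS_ALLOWED = "force-unauthorized"  # "No access allowed"
    AUTH_REQUIRED = "auto"                    # "Authentication required"

# Constructed credential store standing in for the RADIUS authentication server.
CREDENTIALS = {"alice": "correct horse battery"}

def auth_server(identity: str, password: str) -> bool:
    return CREDENTIALS.get(identity) == password

class Port:
    """Authenticator port. Clients are tracked by MAC address; only EAPOL frames
    are accepted from a MAC that is not yet in the authorized state."""
    def __init__(self, control: PortControl):
        self.control = control
        self.authorized = set()   # MACs that completed authentication
        self.pending = set()      # MACs that were sent EAP-Request/Identity
        self.events = []

    def link_up(self, mac: str) -> None:
        """Link (or association) coming up starts the exchange, like EAPOL-Start."""
        self.receive(mac, ("EAPOL-Start",))

    def receive(self, mac: str, frame: tuple) -> bool:
        """Return True if the frame is forwarded/processed, False if dropped."""
        kind = frame[0]
        if self.control is PortControl.NO_AUTH_REQUIRED:
            return True                           # authorized without any exchange
        if self.control is PortControl.NO_ACCESS_ALLOWED:
            self.events.append(f"{mac}: {kind} ignored")
            return False                          # stays unauthorized; EAPOL ignored too
        if kind == "EAPOL-Start":
            self.pending.add(mac)                 # switch requests the client's identity
            self.events.append(f"{mac}: EAP-Request/Identity")
            return True
        if kind == "EAP-Response" and mac in self.pending:
            self.pending.discard(mac)
            ok = auth_server(frame[1], frame[2])  # relayed to the authentication server
            if ok:
                self.authorized.add(mac)
            self.events.append(f"{mac}: EAP-{'Success' if ok else 'Failure'}")
            return ok
        return mac in self.authorized             # normal traffic only once authorized
```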
What is AAA?
AAA is the acronym for Authentication, Authorization, and Accounting and refers to
the idea of managing subscribers by controlling their access to the network, verifying
that they are who they say they are (via login name and password or MAC address)
and accounting for their network usage.
What is RADIUS?
RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a standard
that has been implemented into several software packages and networking devices.
It allows user information to be sent to a central database running on a RADIUS
server, where it is verified. RADIUS also provides a mechanism for accounting.
What is WPA?
WPA (Wi-Fi Protected Access) is a subset of the IEEE 802.11i security specification
draft. The key differences between WPA and WEP are user authentication and improved
data encryption.
What is WPA-PSK?
WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) can be used if users do not have a
RADIUS server but still want to benefit from WPA security, because WPA-PSK only
requires a single password to be entered on wireless AP/gateway and wireless client.
As long as the passwords match, a client will be granted access to the WLAN.
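How the "single password" above becomes a key, as an added example that is not part of the ZyXEL notes: both the gateway and the client map the passphrase and the SSID to a 256-bit PSK with PBKDF2-HMAC-SHA1 (4096 iterations), as IEEE 802.11i specifies, so the key is bound to the network name and the two sides only agree when their passphrases match. The sample passphrases and the "CorpNet" SSID are constructed; `client_admitted` is a simplification that compares the derived keys instead of running the 4-way handshake.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for passphrase-to-PSK mapping
PSK_LEN = 32               # the PSK is 256 bits and is used directly as the PMK

def check_inputs(passphrase: str, ssid: str) -> list:
    """Return the list of rule violations (empty if the inputs are acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        problems.append("passphrase must be 8 to 63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        problems.append("SSID must be 1 to 32 octets")
    return problems

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Salting with the SSID means the same passphrase yields a different key on
    every network name; AP and client run this independently and must agree."""
    problems = check_inputs(passphrase, ssid)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(),
                               PBKDF2_ITERATIONS, PSK_LEN)

def client_admitted(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """The real check is the 4-way handshake, which only completes when both sides
    hold the same PMK; comparing the derived keys directly models that outcome."""
    return wpa_psk(ap_passphrase, ssid) == wpa_psk(client_passphrase, ssid)

if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    print(client_admitted("correct horse battery", "correct horse battery", "CorpNet"))
```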
What is WPA2?
WPA2 (Wi-Fi Protected Access 2) offers a higher security level than WPA, because it
introduces an AES-based algorithm, CCMP, and so offers stronger encryption
than WPA (which uses TKIP). The WPA2 encryption keys used for each client on the
network are unique and specific to that client. In effect, each packet sent
over the air is encrypted with a unique key. Security is further enhanced by the
use of a new and unique encryption key for each client, because there is no key reuse.