Manual

Chapter 10: Configuring Security
Understanding Security Issues on Wireless Networks
Wireless media are inherently less secure than wired media. For
example, an Ethernet NIC transmits its packets over a physical medium
such as coaxial cable or twisted pair. A wireless NIC broadcasts radio
signals, which allows a wireless LAN to be tapped easily without physical
access or sophisticated equipment. A hacker equipped with a laptop, a
wireless NIC, and a bit of knowledge can easily attempt to compromise
your wireless network. The hacker does not even need to be within normal
range of the access point. By using a sophisticated antenna on the client,
a hacker may be able to connect to the network from many miles away.
For a more detailed explanation of security concepts, including a
comparison of the advantages and disadvantages of using different
security modes and suggestions on which mode to use, see Appendix B,
“Configuring Security on Wireless Clients” on page 217.
How Do I Know Which Security Mode to Use?
In general, Allied Telesyn recommends that you use the most robust
security mode that is feasible in your environment on your internal
network. When you configure security on the access point, you must first
choose the security mode, then (in some modes) an authentication
algorithm, and then whether to allow clients that are not using the
specified security mode to associate.
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User
Service (RADIUS) using the CCMP (AES) encryption algorithm provides
the best data protection available and is clearly the best choice if all client
stations are equipped with WPA supplicants. However, backward
compatibility or interoperability issues with clients or even with other
access points may require that you configure WPA with RADIUS with a
different encryption algorithm or choose one of the other security modes.
Security may not be as much of a priority on some types of networks. If
you are only providing Internet and printer access, as on a guest network,
plain text mode (no security) may be the appropriate choice. To prevent
clients from accidentally discovering and connecting to your network, you
can disable the broadcast SSID so that your network name is not
advertised. If the network is sufficiently isolated from access to sensitive
information, this may offer enough protection in some situations. This level
of protection is the only one offered for guest networks, and also may be
the right trade-off for other scenarios where the priority is making it as
easy as possible for clients to connect. (See “Does Prohibiting the
Broadcast SSID Enhance Security?” on page 113.)
The following sections briefly discuss the factors that make one mode
more secure than another, describe each mode offered, and explain when
to use each mode.