Home > Netgear > Router > Netgear Router WGT624 V3 User Manual

Netgear Router WGT624 V3 User Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Netgear Router WGT624 V3 User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 137 Netgear manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    Wireless Networking Basics D-5
    202-10090-01, April 2005
    This process is illustrated below.
    Figure 7-5:  Shared key authentication
    Overview of WEP Parameters
    Before enabling WEP on an 802.11 network, you must first consider what type of encryption you 
    require and the key size you want to use. Typically, there are three WEP Encryption options 
    available for 802.11 products:
    1. Do Not Use WEP: The 802.11 network does not encrypt data. For authentication purposes, the 
    network uses Open System Authentication.
    2. Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every 
    packet it sends using a configured WEP Key. The receiving device decrypts the data using the 
    same WEP Key. For authentication purposes, the network uses Open System Authentication.
    3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data 
    portion of every packet it sends using a configured WEP Key. The receiving device decrypts the 
    data using the same WEP Key. For authentication purposes, the wireless network uses Shared Key 
    Authentication.
    Note: Some 802.11 access points also support Use WEP for Authentication Only (Shared Key 
    Authentication without data encryption). 
    IN TER N ET LO CA LACT
    12 3 4 5 678 LNK
    LNK/ACT 10 0Cable/DSLProSafe Wireless VPN Security FirewallMODELFVM318PWR TESTWLANEnable
    Access Point 1) Authentication
    request sent to AP
    2) AP sends challenge text
    3) Client encrypts
    challenge text and
    sends it back to AP
    4) AP decrypts, and if correct,
    authenticates client
    5) Client connects to network
    Shared Key
    Authentication Steps
    Cable or
    DLS modem
    Client
    attempting
    to connect 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    D-6 Wireless Networking Basics
    202-10090-01, April 2005
    Key Size
    The IEEE 802.11 standard supports two types of WEP encryption: 40-bit and 128-bit.
    The 64-bit WEP data encryption method allows for a five-character (40-bit) input. Additionally, 24 
    factory-set bits are added to the forty-bit input to generate a 64-bit encryption key. The 24 
    factory-set bits are not user-configurable). This encryption key will be used to encrypt/decrypt all 
    data transmitted via the wireless interface. Some vendors refer to the 64-bit WEP data encryption 
    as 40-bit WEP data encryption since the user-configurable portion of the encryption key is 40 bits 
    wide.
    The 128-bit WEP data encryption method consists of 104 user-configurable bits. Similar to the 
    forty-bit WEP data encryption method, the remaining 24 bits are factory set and not user 
    configurable. Some vendors allow passphrases to be entered instead of the cryptic hexadecimal 
    characters to ease encryption key entry.
    128-bit encryption is stronger than 40-bit encryption, but 128-bit encryption may not be available 
    outside of the United States due to U.S. export regulations. 
    When configured for 40-bit encryption, 802.11 products typically support up to four WEP Keys. 
    Each 40-bit WEP Key is expressed as 5 sets of two hexadecimal digits (0-9 and A-F). For 
    example, “12 34 56 78 90” is a 40-bit WEP Key.
    When configured for 128-bit encryption, 802.11 products typically support four WEP Keys but 
    some manufacturers support only one 128-bit key. The 128-bit WEP Key is expressed as 13 sets of 
    two hexadecimal digits (0-9 and A-F). For example, “12 34 56 78 90 AB CD EF 12 34 56 78 90” 
    is a 128-bit WEP Key.
    Table D-1: Encryption Key Sizes
    Note: Typically, 802.11 access points can store up to four 128-bit WEP Keys but some 802.11 
    client adapters can only store one. Therefore, make sure that your 802.11 access and client 
    adapters’ configurations match.
    Encryption Key Size# of Hexadecimal DigitsExample of Hexadecimal Key Content
    64-bit (24+40) 10 4C72F08AE1
    128-bit (24+104) 26 4C72F08AE19D57A3FF6B260037 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    Wireless Networking Basics D-7
    202-10090-01, April 2005
    WEP Configuration Options
    The WEP settings must match on all 802.11 devices that are within the same wireless network as 
    identified by the SSID. In general, if your mobile clients will roam between access points, then all 
    of the 802.11 access points and all of the 802.11 client adapters on the network must have the same 
    WEP settings. 
    Note: Whatever keys you enter for an AP, you must also enter the same keys for the client adapter 
    in the same order. In other words, WEP key 1 on the AP must match WEP key 1 on the client 
    adapter, WEP key 2 on the AP must match WEP key 2 on the client adapter, and so on.
    Note: The AP and the client adapters can have different default WEP Keys as long as the keys are 
    in the same order. In other words, the AP can use WEP key 2 as its default key to transmit while a 
    client adapter can use WEP key 3 as its default key to transmit. The two devices will communicate 
    as long as the AP’s WEP key 2 is the same as the client’s WEP key 2 and the AP’s WEP key 3 is 
    the same as the client’s WEP key 3.
    Wireless Channels
    The wireless frequencies used by 802.11b/g networks are discussed below.
    IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the 
    ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz. Neighboring 
    channels are 5 MHz apart. However, due to spread spectrum effect of the signals, a node sending 
    signals using a particular channel will utilize frequency spectrum 12.5 MHz above and below the 
    center channel frequency. As a result, two separate wireless networks using neighboring channels 
    (for example, channel 1 and channel 2) in the same general vicinity will interfere with each other. 
    Applying two channels that allow the maximum channel separation will decrease the amount of 
    channel cross-talk, and provide a noticeable performance increase over networks with minimal 
    channel separation.
    The radio frequency channels used in 802.11b/g networks are listed in Ta b l e  D - 2:
    Table D-2: 802.11b/g Radio Frequency Channels
    ChannelCenter FrequencyFrequency Spread
    1 2412 MHz 2399.5 MHz - 2424.5 MHz
    2 2417 MHz 2404.5 MHz - 2429.5 MHz
    3 2422 MHz 2409.5 MHz - 2434.5 MHz 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    D-8 Wireless Networking Basics
    202-10090-01, April 2005
    Note: The available channels supported by the wireless products in various countries are different. 
    For example, Channels 1 to 11 are supported in the U.S. and Canada, and Channels 1 to 13 are 
    supported in Europe and Australia.
    The preferred channel separation between the channels in neighboring wireless networks is 25 
    MHz (5 channels). This means that you can apply up to three different channels within your 
    wireless network. There are only 11 usable wireless channels in the United States. It is 
    recommended that you start using channel 1 and grow to use channel 6, and 11 when necessary, as 
    these three channels do not overlap.
    WPA and WPA2 Wireless Security
    Wi-Fi Protected Access (WPA and WPA2) is a specification of standards-based, interoperable 
    security enhancements that increase the level of data protection and access control for existing and 
    future wireless LAN systems. 
    The IEEE introduced the WEP as an optional security measure to secure 802.11b (Wi-Fi) WLANs, 
    but inherent weaknesses in the standard soon became obvious. In response to this situation, the 
    Wi-Fi Alliance announced a new security architecture in October 2002 that remedies the 
    shortcomings of WEP. This standard, formerly known as Safe Secure Network (SSN), is designed 
    to work with existing 802.11 products and offers forward compatibility with 802.11i, the new 
    wireless security architecture that has been defined by the IEEE. 
    4 2427 MHz 2414.5 MHz - 2439.5 MHz
    5 2432 MHz 2419.5 MHz - 2444.5 MHz
    6 2437 MHz 2424.5 MHz - 2449.5 MHz
    7 2442 MHz 2429.5 MHz - 2454.5 MHz
    8 2447 MHz 2434.5 MHz - 2459.5 MHz
    9 2452 MHz 2439.5 MHz - 2464.5 MHz
    10 2457 MHz 2444.5 MHz - 2469.5 MHz
    11 2462 MHz 2449.5 MHz - 2474.5 MHz
    12 2467 MHz 2454.5 MHz - 2479.5 MHz
    13 2472 MHz 2459.5 MHz - 2484.5 MHz
    Table D-2: 802.11b/g Radio Frequency Channels
    ChannelCenter FrequencyFrequency Spread 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    Wireless Networking Basics D-9
    202-10090-01, April 2005
    WPA and WPA2 offer the following benefits: 
    • Enhanced data privacy
    • Robust key management
    • Data origin authentication
    • Data integrity protection 
    The Wi-Fi Alliance is now performing interoperability certification testing on Wi-Fi Protected 
    Access products. Starting August of 2003, all new Wi-Fi certified products have to support WPA. 
    NETGEAR is implementing WPA and WPA2 on client and access point products. The 802.11i 
    standard was ratified in 2004. 
    How Does WPA Compare to WEP?
    WEP is a data encryption method and is not intended as a user authentication mechanism. WPA 
    user authentication is implemented using 802.1x and the Extensible Authentication Protocol 
    (EAP). Support for 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x 
    authentication was optional. For details on EAP specifically, refer to IETFs RFC 2284. 
    With 802.11 WEP, all access points and client wireless adapters on a particular wireless LAN must 
    use the same encryption key. A major problem with the 802.11 standard is that the keys are 
    cumbersome to change. If you do not update the WEP keys often, an unauthorized person with a 
    sniffing tool can monitor your network for less than a day and decode the encrypted messages. 
    Products based on the 802.11 standard alone offer system administrators no effective method to 
    update the keys.
    For 802.11, WEP encryption is optional. For WPA, encryption using Temporal Key Integrity 
    Protocol (TKIP) is required. TKIP replaces WEP with a new encryption algorithm that is stronger 
    than the WEP algorithm, but that uses the calculation facilities present on existing wireless devices 
    to perform encryption operations. TKIP provides important data encryption enhancements 
    including a per-packet key mixing function, a message integrity check (MIC) named Michael, an 
    extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through 
    these enhancements, TKIP addresses all of known WEP vulnerabilities.  
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    D-10 Wireless Networking Basics
    202-10090-01, April 2005
    How Does WPA Compare to WPA2 (IEEE 802.11i)?
    WPA is forward compatible with the WPA2 security specification. WPA is a subset of WPA2 and 
    used certain pieces of the early 802.11i draft, such as 802.1x and TKIP. The main pieces of WPA2 
    that are not included in WPA are secure IBSS (Ad-Hoc mode), secure fast handoff (for specialized 
    802.11 VoIP phones), as well as enhanced encryption protocols, such as AES-CCMP. These 
    features were either not yet ready for market or required hardware upgrades to implement. 
    What are the Key Features of WPA and WPA2 Security?
    The following security features are included in the WPA and WPA2 standard: 
    • WPA and WPA2 Authentication
    • WPA and WPA2 Encryption Key Management
    – Temporal Key Integrity Protocol (TKIP)
    – Michael message integrity code (MIC)
    – AES support (WPA2, requires hardware support)
    • Support for a mixture of WPA, WPA2, and WEP wireless clients to allow a migration strategy, 
    but mixing WEP and WPA/WPA2 is discouraged
    These features are discussed below.
    WPA/WPA2 addresses most of the known WEP vulnerabilities and is primarily intended for 
    wireless infrastructure networks as found in the enterprise. This infrastructure includes stations, 
    access points, and authentication servers (typically RADIUS servers). The RADIUS server holds 
    (or has access to) user credentials (for example, user names and passwords) and authenticates 
    wireless users before they gain access to the network.
    The strength of WPA/WPA2 comes from an integrated sequence of operations that encompass 
    802.1X/EAP authentication and sophisticated key management and encryption techniques. Its 
    major operations include:
    • Network security capability determination. This occurs at the 802.11 level and is 
    communicated through WPA information elements in Beacon, Probe Response, and (Re) 
    Association Requests. Information in these elements includes the authentication method 
    (802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES). 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    Wireless Networking Basics D-11
    202-10090-01, April 2005
    The primary information conveyed in the Beacon frames is the authentication method and the 
    cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared 
    key is an authentication method that uses a statically configured pass phrase on both the 
    stations and the access point. This obviates the need for an authentication server, which in 
    many home and small office environments will not be available nor desirable. Possible cipher 
    suites include: WEP, TKIP, and AES (Advanced Encryption Standard). We talk more about 
    TKIP and AES when addressing data privacy below.
    • Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained 
    by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access 
    control prevents full access to the network until authentication completes. 802.1X 
    EAPOL-Key packets are used by WPA to distribute per-session keys to those stations 
    successfully authenticated.
    The supplicant in the station uses the authentication and cipher suite information contained in 
    the information elements to decide which authentication method and cipher suite to use. For 
    example, if the access point is using the pre-shared key method then the supplicant need not 
    authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access 
    point that it is in possession of the pre-shared key. If the supplicant detects that the service set 
    does not contain a WPA information element then it knows it must use pre-WPA 802.1X 
    authentication and key management in order to access the network.
    • Key management. WPA/WPA2 features a robust key generation/management system that 
    integrates the authentication and data privacy functions. Keys are generated after successful 
    authentication and through a subsequent 4-way handshake between the station and Access 
    Point (AP).
    • Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in 
    sophisticated cryptographic and security techniques to overcome most of its weaknesses.
    • Data integrity. TKIP includes a message integrity code (MIC) at the end of each plaintext 
    message to ensure messages are not being spoofed. 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    D-12 Wireless Networking Basics
    202-10090-01, April 2005
    WPA/WPA2 Authentication: Enterprise-level User  
    Authentication via 802.1x/EAP and RADIUS
    Figure 4-6:  WPA/WPA2 Overview
    IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a 
    protected network, as well as providing a vehicle for dynamically varying data encryption keys via 
    EAP from a RADIUS server, for example. This framework enables using a central authentication 
    server, which employs mutual authentication so that a rogue wireless user does not join the 
    network. 
    It is important to note that 802.1x does not provide the actual authentication mechanisms. When 
    using 802.1x, the EAP type, such as Transport Layer Security (EAP-TLS), or EAP Tunneled 
    Transport Layer Security (EAP-TTLS), defines how the authentication takes place. 
    Note: For environments with a Remote Authentication Dial-In User Service (RADIUS) 
    infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments 
    without a RADIUS infrastructure, WPA supports the use of a pre-shared key.
    Together, these technologies provide a framework for strong user authentication. 
    Windows XP implements 802.1x natively, and several NETGEAR switch and wireless access 
    point products support 802.1x. 
    Certificate 
    Authority 
    (for 
    example 
    Win Server,
    Ve r i S i g n )WPA/WPA2 
    enabled 
    wireless 
    client with 
    “supplicant”
    TCP/IP
    Ports Closed
    Until 
    Authenticated
    RADIUS Server
    Wired Network with Optional 
    802.1x Port Based Network 
    Access Control
    WPA/WPA2 
    enabled
    Access Point 
    using
    pre-shared key 
    or 802.1x
    TCP/IP
    Ports Opened
    After 
    Authenticated
    Wireless LAN 
    Login
    Authentication 
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    Wireless Networking Basics D-13
    202-10090-01, April 2005 Figure 4-7:  802.1x Authentication Sequence
    The AP sends Beacon Frames with WPA/WPA2 information element to the stations in the service 
    set. Information elements include the required authentication method (802.1x or Pre-shared key) 
    and the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to station) and 
    Association Requests (station to AP) also contain WPA information elements.
    1.Initial 802.1x communications begin with an unauthenticated supplicant (client device) 
    attempting to connect with an authenticator (802.11 access point). The client sends an 
    EAP-start message. This begins a series of message exchanges to authenticate the client. 
    2.The access point replies with an EAP-request identity message. 
    1
    2
    3
    4
    5 6
    7
    Client with a WPA/
    WPA2-enabled wireless  
    adapter and supplicant 
    (Win XP, Funk,  
    Meetinghouse) 
     
    For example, a  
    WPA/WPA2-enabled 
    AP  
     
     
    For example, a  
    RADIUS server  
    						
    							Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
    D-14 Wireless Networking Basics
    202-10090-01, April 2005
    3.The client sends an EAP-response packet containing the identity to the authentication server. 
    The access point responds by enabling a port for passing only EAP packets from the client to 
    an authentication server located on the wired side of the access point. The access point blocks 
    all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the 
    clients identity using an authentication server (for example, RADIUS). 
    4.The authentication server uses a specific authentication algorithm to verify the clients identity. 
    This could be through the use of digital certificates or some other EAP authentication type. 
    5.The authentication server will either send an accept or reject message to the access point. 
    6.The access point sends an EAP-success packet (or reject packet) to the client. 
    7.If the authentication server accepts the client, then the access point will transition the clients 
    port to an authorized state and forward additional traffic. 
    The important part to know at this point is that the software supporting the specific EAP type 
    resides on the authentication server and within the operating system or application “supplicant” 
    software on the client devices. The access point acts as a “pass through” for 802.1x messages, 
    which means that you can specify any EAP type without needing to upgrade an 802.1x-compliant 
    access point. As a result, you can update the EAP authentication type to such devices as token 
    cards (Smart Cards), Kerberos, one-time passwords, certificates, and public key authentication, or 
    as newer types become available and your requirements for security change. 
    WPA/WPA2 Data Encryption Key Management
    With 802.1x, the rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1x 
    provide no mechanism to change the global encryption key used for multicast and broadcast 
    traffic. With WPA/WPA2, rekeying of both unicast and global encryption keys is required. 
    For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for 
    every frame, and the change is synchronized between the wireless client and the wireless access 
    point (AP). For the global encryption key, WPA includes a facility (the Information Element) for 
    the wireless AP to advertise the changed key to the connected wireless clients.
    If configured to implement dynamic key exchange, the 802.1x authentication server can return 
    session keys to the access point along with the accept message. The access point uses the session 
    keys to build, sign and encrypt an EAP key message that is sent to the client immediately after 
    sending the success message. The client can then use contents of the key message to define 
    applicable encryption keys. In typical 802.1x implementations, the client can automatically change 
    encryption keys as often as necessary to minimize the possibility of eavesdroppers having enough 
    time to crack the key in current use.  
    						
    All Netgear manuals Comments (0)

    Related Manuals for Netgear Router WGT624 V3 User Manual