Gateway 7001 Series Network Card User Manual


 
80
www.gateway.com
Configuring network security
Understanding security issues on wireless networks
Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet
NIC transmits its packets over a physical medium such as coaxial cable or twisted pair. A
wireless NIC broadcasts radio signals over the air allowing a wireless LAN to be easily tapped
without physical access or sophisticated equipment. A hacker equipped with a laptop, a
wireless NIC, and a bit of knowledge can easily attempt to compromise your wireless
network. One does not even need to be within normal range of the access point. By using
a sophisticated antenna on the client, a hacker may be able to connect to the network
from many miles away.
The Gateway 7001 Series self-managed AP provides a number of authentication and
encryption schemes to make sure that your wireless infrastructure is accessed only by the
intended users. The details of each security mode are described in the following sections.
How do I know which security mode to use?
In general, we recommend that on your internal network you use the most robust security
mode that is feasible in your environment. When configuring security on the access point,
you first must choose the security mode, then in some modes an authentication algorithm,
and whether to allow clients not using the specified security mode to associate.
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS)
using the CCMP (AES) encryption algorithm provides the best data protection available
and is clearly the best choice if all client stations are equipped with WPA supplicants.
However, backward compatibility or interoperability issues with clients or even with other
access points may require that you configure WPA with RADIUS with a different encryption
algorithm or choose one of the other security modes.
That said, however, security may not be as much of a priority on some types of networks.
If you are simply providing internet and printer access, as on a guest network, plain text
mode (no security) may be the appropriate choice. To prevent clients from accidentally
discovering and connecting to your network, you can disable the broadcast SSID so that
your network name is not advertised. If the network is sufficiently isolated from access to
sensitive information, this may offer enough protection in some situations. This level of
protection is the only one offered for guest networks, and also may be the right
convenience trade-off for other scenarios where the priority is making it as easy as possible
for clients to connect. (See “Does Prohibiting the Broadcast SSID Enhance Security?” on
page 86.)
Following is a brief discussion of what factors make one mode more secure than another,
a description of each mode offered, and when to use each mode.