Wi-Fi is a connectivity technology for wireless local area networks (WLANs) based on the IEEE 802.11 standards.
Wi-Fi = Wireless Connectivity
There are many Wireless Products available.
This presentation focuses on
wireless router configuration, and
wireless network security.
Read the router manual before starting to configure it.
Using a web browser, enter IP address
http://192.168.1.1
This is factory default IP typically assigned to the router.
If your IP is different, refer to your wireless router manual.
The LAN IP address (the wired LAN IP) is a private IP on the network and cannot be seen from the internet.
It is typical to set the router to IP 192.168.1.1 with subnet mask 255.255.255.0.
The router can automatically detect, download, and install a new version of firmware if one is available on the Internet.
Note that this can be very time consuming and take hours to complete.
Consider running the Firmware Upgrade overnight.
Does Your Internet Connection Require A Login?
Depends on your ISP. Select Yes, if:
login needed every time you connect to the Internet
you have PPPoE account with your ISP
Note: if PPP is installed, such as WinPoET from Earthlink or Enternet from PacBell, then you have PPPoE -- no need to run PPP software to connect to the Internet.
Otherwise, select No.
Account Name, also known as Host Name, or System Name.
Most users use user/account name. For example, if main mail account is User123@ISP.com, enter User123 in this box.
If ISP has given a specific Host name, use that instead, for example, CCA7324-A.
For most users, Domain Name is left blank, unless required by the ISP.
Otherwise it can be a domain name of your ISP:
if mail server is mail.xxx.yyy.zzz, type xxx.yyy.zzz here.
Earthlink Cable may require a Host name of the home;
Comcast sometimes supplies its domain name.
If you have a cable modem, this is usually the Workgroup name.
Unless you use fixed (static) IP address, the router will use its own dynamic IP Address:
Router IP is used on the wired LAN.
Dynamic IP is obtained automatically by the router upon connecting to the wired LAN.
For most users -- select Get Dynamically From ISP.
For Static IP Address specify Subnet Mask and Gateway IP Address, for example:
IP Address: 24.218.156.183
Subnet Mask: 255.255.255.0
Gateway IP Address: 24.218.156.1
DNS Address specifies location of the Domain Name System (DNS) server.
DNS server resolves website IP addresses based on their domain names.
For most users, select Get Automatically From ISP.
If ISP provides one or two DNS addresses, select Use These DNS Servers and specify the primary and secondary addresses.
Note: If you get Address not found errors when navigating to a Web site, it is likely the DNS server set up is wrong.
Contact your ISP to get the DNS server addresses.
Router's MAC Address on the wired LAN port is visible to the ISP.
Each computer has a unique local address on the network, referred to as the Media Access Control, or MAC, address.
The format for the MAC address is XX:XX:XX:XX:XX:XX.
Most users select Use Default MAC Address.
If ISP requires MAC authentication, select either
Use Computer MAC address to disguise the Router's MAC address with the Computer's own MAC address, or
enter the desired MAC address manually.
The Service Set Identifier identifies the network.
Most access points have well-known defaults.
Best to change SSID from the default to something obscure.
However, obscure SSID alone is only a weak line of defense against first-grade hackers.
Even most obscure SSID is easy to get around.
Access point can regularly broadcast its SSID to allow wireless devices to detect the network and join in.
If possible, you should disable periodic broadcast of the SSID for a more secure network, BUT:
disabling SSID broadcast provides virtually no protection;
disabling SSID broadcast prevents only a casual unauthorized user from connecting to the network.
Your wireless clients must already know network's SSID to join the network. However,
SSID is easily discovered because it is present in other transmissions sent by the wireless router
Turning off SSID beaconing may impact mobility of some users, because their wireless devices may have a hard time moving freely from one wireless network to another.
Select one of 11 channels on which to broadcast
Cordless phones also operate on these channels, so they may interfere with Wi-Fi
For best security/performance, set your security option to WPA2-PSK!
The following options are available:
None -- no data encryption
WEP -- Wired Equivalent Privacy, using WEP 64- or 128-bit data encryption.
Note: Wi-Fi Protected Setup function is disabled when the security setting is WEP with Auto/Shared-Key authentication.
WPA-PSK [TKIP] -- Wi-Fi Protected Access with Pre-Shared Key using WPA-PSK standard encryption with TKIP encryption type.
TKIP (Temporal Key Integrity Protocol) uses a 128-bit per-packet key, dynamically generating a new key for each data packet.
WPA2-PSK [AES] -- Wi-Fi Protected Access version 2 with Pre-Shared Key using WPA2-PSK standard encryption with the AES encryption type.
WPA-PSK [TKIP] + WPA2-PSK [AES] -- allow clients to use either
WPA-PSK [TKIP], or
WPA2-PSK [AES].
See also WPA-PSK Step-by-Step Tutorial from wi-fiplanet.com.
WPA setup is a crucial step in wireless network configuration!
WPA (WPA Enterprise) -- requires a Radius server
WPA-PSK (WPA Personal) -- known as WPA-PSK
PSK stands for Pre-shared key mode.
Encryption mechanisms for WPA and WPA-PSK are almost the same:
In WPA-PSK authentication is reduced to a single common password.
In WPA Enterprise each wireless client has user-specific credentials.
Pre-shared key mode (PSK)
All transmissions are encrypted.
The encryption key is
generated from the pre-configured WPA/WPA2 passphrase.
renewed after the number of seconds specified by the Group Key Renewal parameter.
provides strong data protection by 128-bit encryption
utilizes encryption keys and dynamic session keys
strong access controls
user authentication.
Single password is entered into each Wireless LAN node which supports WPA security:
Client PCs -- Laptops -- Smart Phones -- etc.
Access Points
Wireless Routers
Bridges
Users provide the PSK password to verify access to the network.
If password matches, the client is granted access to the WLAN.
The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system.
Dictionary attacks against WPA-PSK are possible.
Another issue -- key management difficulties arise after a user is removed:
Once access has been granted, the key is shared among multiple users, therefore, the shared key must be changed/updated on every client.
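Added example, not part of the original presentation: how the WPA/WPA2-PSK key is generated from the passphrase (PBKDF2-HMAC-SHA1 with the SSID as salt), and a defender-side review of an SSID/passphrase pair. The function names, the sample lists and the 60-bit threshold are assumptions made for this illustration.

```python
import hashlib
import math

# Constructed sample lists for illustration; not taken from the page.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123"}
DEFAULT_SSIDS = {"linksys", "NETGEAR", "default"}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def passphrase_bits(passphrase: str) -> float:
    """Upper bound on entropy; only meaningful for randomly chosen characters."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    pool = sum(n for test, n in classes if any(test(c) for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def review_psk(passphrase: str, ssid: str, min_bits: float = 60.0) -> list:
    """Return defender-side findings for one SSID/passphrase pair."""
    findings = []
    if passphrase.lower() in COMMON_PASSPHRASES:
        findings.append("passphrase appears on a common-password list")
    if passphrase_bits(passphrase) < min_bits:  # threshold is an assumption
        findings.append("passphrase is too short or uses too few character types")
    if ssid in DEFAULT_SSIDS:
        findings.append("default SSID: the key-derivation salt is shared "
                        "with many other networks")
    return findings

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived key changes completely.
    for ssid in ("linksys", "HomeNet-7Q"):
        print(ssid, derive_pmk("password", ssid).hex())
    print(review_psk("password", "linksys"))
    print(review_psk("vK7#qPz2!mWx9@Lr4$Tn", "HomeNet-7Q"))
```

Because the SSID is the salt, changing it from the factory default matters for key derivation even though the SSID itself is not secret.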
Enable Wireless Router Radio: Wireless Access Point routing on this device can be enabled or disabled for wireless clients.
If enabled, wireless clients can access the Internet; otherwise they cannot.
If Enable SSID Broadcast is enabled, SSID will be broadcast to any wireless client.
Fragmentation Threshold, CTS/RTS Threshold, Preamble Mode -- these settings are reserved for wireless testing and advanced configuration only. Do not change these settings.
Wi-Fi Protected Setup (WPS) is a standard for easy and secure establishment of a wireless home network
Router's PIN -- the PIN number you use on a registrar (such as Network Explorer on a Windows Vista PC) to configure the router's wireless settings through WPS.
PIN is usually printed on your wireless device label.
Disable Router's PIN: most users disable Router's PIN.
If PIN is enabled, you can
configure the router's wireless settings through WPS
add a wireless client through WPS with the router's PIN number.
This function may be temporarily disabled if the router detects suspicious attempts to break into wireless settings through WPS.
Keep Existing Wireless Settings shows whether the router is in WPS Configured state:
Most users keep this checked.
If unchecked, adding a new wireless client will change router's wireless settings to an automatically generated random SSID and security key.
If checked, some external registrar (e.g. Network Explorer on Vista Windows) may not see this router.
By default, any wireless PC using correct SSID will be allowed access to the wireless network.
For increased security, access can be restricted to only allow specific MAC addresses.
Note: If Turn Access Control On is enabled and the Access Control List is blank, then none of the wireless clients will be able to connect to the wireless network.
Allow only known and approved devices
Prevent physical access to devices
Enable strong encryption
Change default settings
Choose SSIDs wisely to limit info leakage
Authenticate users
Use strong passphrases and passwords
Encrypt data transmission
Change keys frequently
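Added example, not part of the original presentation: a small audit that checks a router's wireless settings against the recommendations above (WPA2-PSK [AES], Router's PIN disabled, access control list populated with well-formed MAC addresses). The dictionary keys and both sample configurations are hypothetical and constructed for this illustration; they are not a real router's export format.

```python
import re

# MAC format stated on the page: XX:XX:XX:XX:XX:XX (hex digits).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
RECOMMENDED = "WPA2-PSK [AES]"

def audit_router(cfg: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mode = cfg.get("security_option", "None")
    if mode != RECOMMENDED:
        findings.append(f"security option is {mode!r}; set it to {RECOMMENDED!r}")
    if cfg.get("router_pin_enabled", True):
        findings.append("WPS Router's PIN is enabled; disable it unless a registrar needs it")
    acl = cfg.get("access_control_list", [])
    malformed = [m for m in acl if not MAC_RE.match(m)]
    if malformed:
        findings.append(f"malformed MAC address in access list: {malformed}")
    if cfg.get("access_control_on", False):
        if not acl:
            findings.append("access control is on with an empty list; "
                            "no wireless client can connect")
    else:
        findings.append("access control is off; any client with the SSID "
                        "and key is admitted")
    return findings

# Constructed sample configurations (hypothetical keys and values).
WEAK = {
    "security_option": "WEP",
    "router_pin_enabled": True,
    "access_control_on": True,
    "access_control_list": [],
}
HARDENED = {
    "security_option": "WPA2-PSK [AES]",
    "router_pin_enabled": False,
    "access_control_on": True,
    "access_control_list": ["00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_router(cfg))
```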
Example of LAN with two routers:
Essential for multi-router setup -- two routers are set to different IP addresses:
wired router -- 192.168.1.1
wireless router -- 192.168.2.1
Wireless router is connected to one of the wired router's LAN ports via a normal UTP patch cable
Wireless router's wired LAN IP is shown as 192.168.1.100, but it could be any IP address in the 192.168.1.X subnet of the wired router's dynamic IP range.
It is best to set wireless router to be a DHCP client, so it can obtain its IP on the wired LAN port automatically.