How does station isolation protect the network – USRobotics Instant802 APSDK User Manual


Professional Access Point

Administrator Guide

Security - 106

1. The best security you can have to date on a wireless network is WPA/WPA2 Enterprise (RADIUS) mode using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption technique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other APs on the network are WPA/CCMP compatible, use this encryption algorithm. If all clients are WPA2 compatible, choose to support only WPA2 clients.

2. The second best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to Both (that is, both TKIP and CCMP). This lets WPA clients without CCMP associate, uses TKIP for encrypting Multicast and Broadcast frames, and allows clients to select whether to use CCMP or TKIP for Unicast (access-point-to-single-station) frames. This WPA configuration allows more interoperability, at the expense of some security. Clients that support CCMP can use it for their Unicast frames. If you encounter access-point-to-station interoperability problems with the Both encryption algorithm setting, then you will need to select TKIP instead.

3. The third best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to TKIP. Some clients have interoperability issues with CCMP and TKIP enabled at the same time. If you encounter this problem, then choose TKIP as the encryption algorithm. This is the standard WPA mode, and the most interoperable mode with client wireless software security features. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.

SEE ALSO

For information on how to configure this security mode, see “WPA/WPA2 Enterprise (RADIUS)” on page 117 under “Configuring Security Settings”.
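As an added illustration (not code from the manual or the access point's firmware), the Python sketch below walks the three-way ranking above for a constructed set of clients and reports which cipher each frame type ends up using. The `Client` fields, the sample devices, and the assumption that a client picks CCMP for unicast whenever it can are hypothetical.

```python
from dataclasses import dataclass

RANKING = ("CCMP", "Both", "TKIP")  # best to third best, per the list above
OFFERED = {"CCMP": {"CCMP"}, "Both": {"TKIP", "CCMP"}, "TKIP": {"TKIP"}}

@dataclass(frozen=True)
class Client:  # hypothetical model of one station's capabilities
    name: str
    versions: frozenset        # subset of {"WPA", "WPA2"}
    ciphers: frozenset         # subset of {"TKIP", "CCMP"}
    mixed_ok: bool = True      # False: fails when TKIP and CCMP are both enabled

def frame_ciphers(setting, client):
    """Ciphers a client would use under an AP setting, or None if it cannot join."""
    # A CCMP-only AP uses CCMP for group frames; "Both" and "TKIP" use TKIP.
    group = "CCMP" if setting == "CCMP" else "TKIP"
    usable = OFFERED[setting] & client.ciphers
    if group not in client.ciphers or not usable:
        return None  # cannot decrypt multicast/broadcast, or no common unicast cipher
    if setting == "Both" and not client.mixed_ok:
        return None  # the interoperability problem described in item 3
    # Assumption: a client that supports CCMP selects it for unicast.
    unicast = "CCMP" if "CCMP" in usable else "TKIP"
    return {"group": group, "unicast": unicast}

def recommend(clients):
    """First setting in the ranking that every client can use, plus WPA versions."""
    for setting in RANKING:
        if all(frame_ciphers(setting, c) is not None for c in clients):
            wpa2_only = setting == "CCMP" and all("WPA2" in c.versions for c in clients)
            return setting, (("WPA2",) if wpa2_only else ("WPA", "WPA2"))
    return None  # no single setting serves this fleet

# Constructed sample clients, not real devices.
LAPTOP = Client("laptop", frozenset({"WPA", "WPA2"}), frozenset({"TKIP", "CCMP"}))
SCANNER = Client("scanner", frozenset({"WPA"}), frozenset({"TKIP"}))
PDA = Client("pda", frozenset({"WPA"}), frozenset({"TKIP", "CCMP"}), mixed_ok=False)

if __name__ == "__main__":
    for fleet in ([LAPTOP], [LAPTOP, SCANNER], [LAPTOP, SCANNER, PDA]):
        setting, versions = recommend(fleet)
        print([c.name for c in fleet], "->", setting, versions)
        for c in fleet:
            print("   ", c.name, frame_ciphers(setting, c))
```

A single TKIP-only station is enough to pull the whole fleet down to Both, and under Both every client's multicast and broadcast frames use TKIP even when its unicast frames use CCMP.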

Does Prohibiting the Broadcast of SSID Enhance Security?

You can prohibit the broadcast of the AP’s SSID to discourage stations from automatically discovering your access point. When the access point’s SSID broadcast is prohibited, the network name is not displayed in the List of Available Networks on a client device. Instead, the client must have the exact network name configured in the supplicant before the client will be able to connect.

Prohibiting the SSID broadcast is sufficient to prevent clients from accidentally connecting to your network,
but it will not prevent even the simplest of attempts by a hacker to connect or to monitor insecure traffic.

This offers a minimum level of protection on an otherwise exposed network (such as a guest network)
where the priority is making it easy for clients to get a connection and where no sensitive information is
available.

How Does Station Isolation Protect the Network?

When Station Isolation is enabled, the access point blocks communication between wireless clients. The access point allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients.

The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See “Wireless Distribution System” on page 153 for more information about WDS.
