What are the best wireless security settings for my router

I am using older SOHO router wl500gP (it is v1 but I think this is not important) with custom Oleg firmware which allows me to use one of the following "Authentication Method":

Authentication Method:
- Open System
- Shared Key
- WPA-Personal
- WPA2-Personal
- WPA-Auto-Personal
- WPA-Enterprise
- WPA2-Enterprise
- Radius with 802.1x

Below are further options available on my router. Availability of these options depends on which "Authentication Method" was chosen.

WPA Encryption:
- TKIP
- AES
- TKIP + AES


WPA Pre-Shared Key:

WEP Encryption:
- WEP 64-bits
- WEP 128-bits

Passphrase:

WEP Key 1 (10 or 26 hex digits):

WEP Key 2 (10 or 26 hex digits):

WEP Key 3 (10 or 26 hex digits):

WEP Key 4 (10 or 26 hex digits):

Key Index:

Network Key Rotation Interval:

This is my current configuration. I've set it some time ago and did not change it because it simply works:

Authentication Method:
- WPA-Personal

WPA Encryption:
- TKIP

WPA Pre-Shared Key:   # Here I fill my secret password

WEP Encryption:
- None

Now, after a long time, I want to explore what is the best security my router offers. I am just exploring the web interface of the router and I have noticed that the router allows me to use the "WEP Encryption" option no matter which "Authentication Method" I've chosen (it also works under "Open System"). In contrast, the "WPA Encryption" option is available only if one of the following "Authentication Methods" is chosen:

- WPA-Personal
- WPA2-Personal
- WPA-Auto-Personal
- WPA-Enterprise
- WPA2-Enterprise

  • How is it possible that I can also use both WEP and WPA together? Is this allowed by the wireless standard, or is it just a mistake by the router vendor?
  • What are the differences between the Personal and Enterprise authentication methods?
  • What do those options (TKIP, AES, TKIP + AES) under "WPA Encryption" mean? I was thinking that WPA differs from WEP and that this is the whole story. Now it seems that there are several WPA encryptions that can be used.
  • I have also noticed that under WPA there is no longer an option for choosing the key length in bits (64 or 128) as there was in WEP. Does this mean that WPA uses some unified key length?

I apologize for this type of question; I am not an expert in this area, and basically what I know is the order of encryptions from least secure to most secure (WEP < WPA < WPA2) and the fact that a longer key means a more secure key.

Wakan Tanka

Posted 2015-04-03T21:00:27.913

Reputation: 609

Answers

Super short answer:

If you want good security without a lot of hassles, use WPA2-Personal, with only the "AES" (also known as "AES-CCMP") cipher enabled.

Short answer:

For your encryption, use WPA2 (no WEP, no WPA) with AES-CCMP (no WEP, no TKIP).

For your authentication mechanism:

  • If you want everyone to share one passphrase, use PSK (a.k.a. Personal).
  • If you want to set up separate authentication credentials for each user (like usernames and passwords, or public key certificates), then use Enterprise.

Note, though, that most APs can't do Enterprise authentication themselves; you have to set up a separate RADIUS server on your network and point the AP at that server. If this sounds like too much hassle for you, you'll have to stick with PSK.

Don't mess with WEP or original WPA or TKIP unless you have really old 802.11 gear from 13+ years ago that can't do WPA2, and you don't mind weakening or destroying your security for the sake of getting your aging gear onto the network.

As for your key length question, AES, as used by WPA2, always uses 256-bit keys. Whatever passphrase you use gets hashed, and mixed with some other parameters, to generate a 256-bit session key.

Spiff

Posted 2015-04-03T21:00:27.913

Reputation: 84 656
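An added example, not part of Spiff's answer, illustrating its two points: a small checker that flags the weak settings from the question using the router's own UI labels, and the passphrase-to-key derivation behind the "256-bit key" remark (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, as specified in IEEE 802.11i; the "password"/"IEEE" pair is the standard's published test vector). The function names and the finding texts are my own.

```python
import hashlib

# Labels exactly as they appear in the router UI quoted in the question.
PRE_WPA2_AUTH = {"WPA-Personal", "WPA-Auto-Personal", "WPA-Enterprise"}
NO_WPA_AUTH = {"Open System", "Shared Key"}
TKIP_MODES = {"TKIP", "TKIP + AES"}


def audit_wifi_settings(auth_method, wpa_encryption=None, wep_encryption=None):
    """Return a list of findings for one router profile; an empty list means OK."""
    findings = []
    if auth_method in NO_WPA_AUTH:
        findings.append(f"{auth_method}: no WPA at all, traffic is protected by WEP or nothing")
    elif auth_method in PRE_WPA2_AUTH:
        findings.append(f"{auth_method}: permits original WPA; use the WPA2 variant")
    if wpa_encryption in TKIP_MODES:
        # "TKIP + AES" still lets a client negotiate TKIP, so it is flagged too.
        findings.append(f"WPA Encryption {wpa_encryption}: TKIP is deprecated; use AES (CCMP) only")
    if wep_encryption and wep_encryption != "None":
        findings.append(f"WEP Encryption {wep_encryption}: WEP is broken; disable it")
    return findings


def wpa2_psk_from_passphrase(passphrase, ssid):
    """Derive the 256-bit PSK/PMK from a passphrase (IEEE 802.11i, Annex H.4).

    Per-session keys (the PTK) are later derived from this value together with
    the two nonces and both MAC addresses exchanged in the 4-way handshake.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # The configuration the question describes versus the recommended one.
    print(audit_wifi_settings("WPA-Personal", "TKIP", "None"))
    print(audit_wifi_settings("WPA2-Personal", "AES", "None"))
    psk = wpa2_psk_from_passphrase("password", "IEEE")  # 802.11i test vector
    print(len(psk) * 8, "bits:", psk.hex())
```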

Thank you for the reply. I am not sure if I have WPA2 only (I have Personal and Enterprise); also, I did not find AES-CCMP anywhere. Can you please also explain the following: can WEP and WPA be set together? TKIP vs AES vs TKIP + AES? Does WPA use some unified key length? Thank you very much – Wakan Tanka – 2015-04-03T21:18:55.933

If the UI just says "AES", it implies "AES-CCMP". You don't want to enable any kind of WEP, original WPA (as opposed to WPA2), or TKIP, because they are weak by today's standards, and you probably don't have any ancient Wi-Fi gear that can't do WPA2. – Spiff – 2015-04-03T21:21:56.137

Thank you very much, this is the most complete answer regarding wireless security I've found on the whole Internet. – Wakan Tanka – 2015-04-03T21:33:04.557