Sun Sep 12, 2010 12:25 am
Thank you.
So I have a choice of:
A. Using WPA2 security profiles to both protect the routers from unauthorised access and encrypt all traffic across the network to prevent it being intercepted and read, or
B. Trying to secure the routers with Access Lists and only encrypt users' traffic with end-to-end tunnels? This opens the further possibility of only encrypting 'sensitive' traffic like mail, and http for the paranoid. I assume VoIP, YouTube and streaming TV work better without encryption, and why should you want to encrypt that anyway?
The first is clearly more secure, but with three hops across the network from CPE to gateway all the traffic would presumably have to be decrypted and re-encrypted at every router it passes through - which surely imposes a load on the hardware.
The second would seem to be faster, with encryption only occurring at the CPE and the gateway which has the motor to handle it, but how secure is the Access List system?
I see there is provision in the AP's Access List for a private key to be defined, but the Connect List only calls on a Security Profile. However, a Security Profile can define a static key.
Can I take it, then, that a static key defined in an Access List and a station's Security Profile simply authenticates and encrypts traffic between the two? Once the connection is authorised, 'normal' traffic is not encrypted?