This article is also available as a TechRepublic download.
Wireless networks are a two-edged sword. WLANs empower employees and guests, but they also introduce security risks.
While a wide variety of wireless strategies and devices are implemented, one very common solution involves deploying SonicWALL wireless-equipped firewalls. Here's what you need to know to configure SonicWALL wireless equipment. In these examples, we'll use a SonicWALL TZ 170 SP Wireless model, one of the most frequently encountered wireless routers in the field, although the steps will also work on other SonicWALL TZ wireless devices.
SonicWALL TZ wireless routers
SonicWALL's TZ wireless-equipped routers include several features not found on the non-wireless counterparts. In addition to protecting LANs with wireless intrusion detection services, which help monitor unauthorized access and the presence of rogue access points, a separate firewall exists for securing and separating wireless traffic from the wired LAN.
IPSec encryption and WPA team together to secure wireless communications between clients and the access point. Guest services can be configured, if desired, as can HotSpot messaging. Yet another feature SonicWALL wireless-equipped routers possess is distributed WLAN support for SonicPoint satellite access points.
SonicWALL wireless routers support both the 802.11b and 802.11g standards. In most installations the SonicWALL device serves as the access point for the network's wireless clients. A traditional UTP cable typically connects the router to the rest of the network.
To help prevent unauthorized network access, wireless clients must be authenticated by the SonicWALL's User Level Authentication. The devices also support a variety of security protocols, including WEP, WPA and WPA-EAP.
Selecting the access point location
Selecting a location for the wireless access point is the first step in configuring a wireless network. SonicWALL lists several recommendations for optimizing wireless performance:
- Place the wireless access point as close to the network's center as possible. Doing so helps reduce wireless signals from persisting beyond the intended location.
- Place the wireless access point in such a manner that minimizes the number of walls and ceilings the wireless communications must travel from the access point to intended client systems.
- Attempt to locate wireless devices within each unit's line of site.
- Wireless performance degrades whenever wireless access points are located near large solid obstructions such as walls, filing cabinets, elevator shafts, fire doors, large machinery and similar objects, so avoid place access points in locations where its wireless signals must penetrate such elements whenever possible. Even smaller metallic objects, such as PC and server cases, monitors and other equipment, can negatively impact wireless communications.
- If building or remodeling a site, remember that metal framing materials, UV window films, concrete and metallic-based paints all reduce the access point's effective operating range.
- Locate access points in higher locations (in which radio signals can avoid filing cabinets, desks, PCs and other low-lying equipment) to help improve wireless performance.
- Avoid placing access points and client systems near microwave ovens, television monitors, radios, and other electrical equipment that produces interference that degrades WLAN performance.
Once a proper location is selected, the next step is to configure the router's wireless settings.
Configuring wireless settings
As with other networking services, SonicWALL includes a wizard to simplify wireless network deployment. To configure a SonicWALL wireless router using the supplied wizard:
- Log on to the SonicWALL device as an administrator.
- Select the Wireless button from the left toolbar.
- Click the Wireless Wizard button that appears at the top right of the Wireless Status menu.
- The SonicWALL Wireless Configuration Wizard appears. Click Next to continue.
- The WLAN Network Settings configuration screen displays. Ensure the Enable WLAN box is checked to enable the wireless LAN. Enter the IP address you wish to use for the WLAN interface and supply the corresponding subnet mask. The default SonicWALL WLAN IP is 172.16.31.1. (Figure A)
|Ensure the Enable WLAN checkbox is selected and enter the IP address and subnet mask you wish for the access point to use.|
- Ensure the Enable Windows Networking Support between LAN and WLAN box is checked to provide wireless clients with access to LAN systems.
- The WLAN 802.11b/g Settings menu appears. Specify the SSID (the default is sonicwall), specify the radio mode (802.11g only is the default) and supply a country code and channel settings (defaults are US and AutoChannel). Then, click Next.
- The WLAN Security Settings menu appears. By default, SonicWALL's wizard will deploy WiFiSec VPN Security. Leave the option selected to implement a secure wireless connection that leverages IPSec to complete wireless connections using the SonicWALL Global VPN Client. Other options are WEP + Stealth Mode and simple unencrypted connectivity. To ensure a more secure connection, select WiFiSec VPN Security and click Next.
- With WiFiSec VPN selected, the next step prompts you to specify a user name and password for an account possessing Group VPN permission to join the network. Supply the user name and password and click Next.
- The Wireless Guest Services screen appears. If you wish to enable guest services, ensure the option is selected and enter the account name, password, account lifetime and session lifetime values, any comments and click Next.
- A configuration summary screen appears listing the settings that will be implemented. Review the configuration information carefully and, once you've confirmed all is proper, click the Apply button.
- The SonicWALL wizard will apply the changes. Upon finishing, the wizard will display a congratulatory screen. Click Finish to complete the wizard.
Editing the wireless configuration
Once the wizard completes, you can review the wireless settings by logging on to the router and clicking the Wireless button. The Status menu will display by default. It reveals whether the WLAN and WiFiSec security are enabled, displays channel information and critical IP address data, among other items. (Figure B)
|SonicWALL's Wireless Status menu displays critical WLAN configuration information.|
To edit or update the WLAN configuration:
- Log on to the SonicWALL device as an administrator.
- Click the Wireless button from the left navigation bar.
- Click Settings from the sub-navigation menu.
- Enter any required configuration changes. Among the options you can edit from the Wireless | Settings menu are the device's role, the SSID, the radio channels used, the WLAN IP address and more. Administrators also can disable the WLAN from this screen by removing the checkbox from the Enable WLAN box.
- Once edits and updates are complete, click the Apply button to save the changes.
The device's WEP/WPA configuration, meanwhile, is administered using the WEP/WPA Encryption menu. Select the menu from the left navigation bar to change the authentication type, WEP key mode and change the default key.
From the SonicWALL'sAdvanced menu, reached by clicking Advanced from the Wireless sub-navigation menu, administrators can disable SSID broadcasts, limit the number of maximum client associations the access point can possess and set the unit's transmission strength, among other options. The Restore Default Settings button, found at the bottom of this menu, supports returning the unit's wireless settings to factory presets.
Configuring MAC address filtering
To introduce additional security, many administrators enable MAC filtering. For SonicWALL TZ wireless devices you configure MAC filtering by:
- Logging on to the SonicWALL router as an administrator.
- Click the Wireless button.
- Click the MAC Filter List option from the left navigation bar.
- Ensure the Enable MAC Filter List checkbox is selected. (Figure C)
|Ensure the Enable MAC Filter List option is checked, and be sure to add authorized systems' MAC addresses using the provided Add button. Alternatively, you can also block specific MAC addresses using the Block radio button.|
- Click Add and supply the MAC address for the system you wish to provide with access to the WLAN. Once you add the MAC address, it'll appear within the MAC Filter List.
- Confirm the MAC addresses are properly set to Allow or Block those systems connecting to the wireless network.
- Click the Apply button to store any changes you make.
Once the WLAN is configured, administrators should leverage the SonicWALL's intrusion detection capabilities to monitor and protect the wireless network.
Configuring intrusion detection
Unlike lower-end devices, SonicWALL wireless-equipped routers can monitor intrusion attempts and even take steps to respond appropriately when unauthorized traffic is detected. To configure Wireless Intrusion Detection:
- Log on to the SonicWALL as an administrator.
- Click the Wireless button from the left navigation menu.
- Click IDS from the sub-menu.
- Ensure the Enable Client Null Probing Detection, Enable Association Flood Detection and Enable Rogue Access Point detection checkboxes are selected.
- Supply the MAC addresses for any other authorized access points using the provided Add button.
- Click the Apply button to save any changes you make. (Figure D)
|Wireless Intrusion Detection enables SonicWALL routers to identify, log and dynamically respond to unauthorized wireless traffic.|
The Enable Client Null Probing feature allows the SonicWALL device to detect and log Null Probes, such as those triggered by Netstumbler and other programs.
Associate Flood Detection, meanwhile, monitors for wireless denial of service attacks that attempt to overwhelm an access point with bogus traffic. Selecting the Block Station's MAC Address In Response To An Association Flood allows the SonicWALL to defend itself by logging such attacks and dynamically adding the MAC address of the offending system to its blocked list.
Rogue Access Point Detection works by scanning for other access points. If other access points are identified, they're considered rogue unless they're specifically added as authorized access points.
To enable detection logs, click Log | Categories and check the WLAN IDS box found within the Log Categories and Alerts section. The subsequent logs should then be reviewed periodically to ensure unauthorized access attempts are not succeeding.