How Do I… Configure wireless connectivity on a SonicWALL router?

This article is also available as a TechRepublic download.

Wireless
networks are a two-edged sword. WLANs empower employees
and guests, but they also introduce security risks.

While
a wide variety of wireless strategies and devices are implemented, one very
common solution involves deploying SonicWALL
wireless-equipped firewalls. Here’s what you need to know to configure SonicWALL wireless equipment. In
these examples, we’ll use a SonicWALL TZ 170 SP
Wireless model, one of the most frequently encountered
wireless routers in the field, although the steps will also work on other SonicWALL TZ wireless devices.

SonicWALL TZ wireless routers

SonicWALL’s TZ wireless-equipped routers include several features not
found on the non-wireless counterparts. In addition to protecting LANs with
wireless intrusion detection services, which help monitor unauthorized access
and the presence of rogue access points, a separate firewall exists for
securing and separating wireless traffic from the wired LAN.

IPSec encryption and WPA team together to secure wireless communications between
clients and the access point. Guest services can be configured, if desired, as
can HotSpot messaging. Yet another feature SonicWALL wireless-equipped routers possess is distributed
WLAN support for SonicPoint satellite access points.

SonicWALL wireless routers support both the 802.11b and 802.11g
standards. In most installations the SonicWALL device
serves as the access point for the network’s wireless clients. A traditional
UTP cable typically connects the router to the rest of the network.

To
help prevent unauthorized network access, wireless clients must be
authenticated by the SonicWALL’s User Level
Authentication. The devices also support a variety of security protocols,
including WEP, WPA and WPA-EAP.

Selecting the access point location

Selecting
a location for the wireless access point is the first step in configuring a
wireless network. SonicWALL lists several
recommendations for optimizing wireless performance:

1. Place the wireless access point as close to the
   network’s center as possible. Doing so helps reduce wireless signals from
   persisting beyond the intended location.
2. Place the wireless access point in such a manner that
   minimizes the number of walls and ceilings the wireless communications
   must travel from the access point to intended client systems.
3. Attempt to locate wireless devices within each unit’s
   line of site.
4. Wireless performance degrades whenever wireless access
   points are located near large solid obstructions such as walls, filing
   cabinets, elevator shafts, fire doors, large machinery and similar
   objects, so avoid place access points in locations where its wireless
   signals must penetrate such elements whenever possible. Even smaller
   metallic objects, such as PC and server cases, monitors and other
   equipment, can negatively impact wireless communications.
5. If building or remodeling a site, remember that metal
   framing materials, UV window films, concrete and metallic-based paints all
   reduce the access point’s effective operating range.
6. Locate access points in higher locations (in which
   radio signals can avoid filing cabinets, desks, PCs and other low-lying
   equipment) to help improve wireless performance.
7. Avoid placing access points and client systems near
   microwave ovens, television monitors, radios, and other electrical
   equipment that produces interference that degrades WLAN performance.

Once a
proper location is selected, the next step is to configure the router’s
wireless settings.

Configuring wireless settings

As
with other networking services, SonicWALL includes a
wizard to simplify wireless network deployment. To configure a SonicWALL wireless router using the supplied wizard:

1. Log on to the SonicWALL
   device as an administrator.
2. Select the Wireless button from the left toolbar.
3. Click the Wireless Wizard button that appears at the
   top right of the Wireless Status menu.
4. The SonicWALL Wireless
   Configuration Wizard appears. Click Next to continue.
5. The WLAN Network Settings configuration screen
   displays. Ensure the Enable WLAN box is checked to enable the wireless
   LAN. Enter the IP address you wish to use for the WLAN interface and
   supply the corresponding subnet mask. The default SonicWALL
   WLAN IP is 172.16.31.1. (Figure A)

Figure A

Ensure the Enable WLAN checkbox is selected and enter the IP address and subnet mask you wish for the access point to use.

6. Ensure the Enable Windows Networking Support between
   LAN and WLAN box is checked to provide wireless clients with access to LAN
   systems.
7. The WLAN 802.11b/g Settings menu appears. Specify the
   SSID (the default is sonicwall), specify the
   radio mode (802.11g only is the default) and supply a country code and
   channel settings (defaults are US and AutoChannel).
   Then, click Next.
8. The WLAN Security Settings menu appears. By default, SonicWALL’s wizard will deploy WiFiSec
   VPN Security. Leave the option selected to implement a secure wireless
   connection that leverages IPSec to complete wireless connections using the
   SonicWALL Global VPN Client. Other options are
   WEP + Stealth Mode and simple unencrypted connectivity. To ensure a more
   secure connection, select WiFiSec VPN Security
   and click Next.
9. With WiFiSec VPN selected,
   the next step prompts you to specify a user name and password for an
   account possessing Group VPN permission to join the network. Supply the
   user name and password and click Next.
10. The Wireless Guest Services screen appears. If you wish
    to enable guest services, ensure the option is selected and enter the
    account name, password, account lifetime and session lifetime values, any
    comments and click Next.
11. A configuration summary screen appears listing the
    settings that will be implemented. Review the configuration information
    carefully and, once you’ve confirmed all is proper, click the Apply
    button.
12. The SonicWALL wizard will
    apply the changes. Upon finishing, the wizard will display a
    congratulatory screen. Click Finish to complete the wizard.

Editing the wireless configuration

Once
the wizard completes, you can review the wireless settings by logging on to the
router and clicking the Wireless button. The Status menu will display by
default. It reveals whether the WLAN and WiFiSec
security are enabled, displays channel information and critical IP address
data, among other items. (Figure B)

Figure B

SonicWALL’s Wireless Status menu displays critical WLAN configuration information.

To
edit or update the WLAN configuration:

1. Log on to the SonicWALL
   device as an administrator.
2. Click the Wireless button from the left navigation bar.
3. Click Settings from the sub-navigation menu.
4. Enter any required configuration changes. Among the
   options you can edit from the Wireless | Settings menu are the device’s
   role, the SSID, the radio channels used, the WLAN IP address and more.
   Administrators also can disable the WLAN from this screen by removing the
   checkbox from the Enable WLAN box.
5. Once edits and updates are complete, click the Apply
   button to save the changes.

The
device’s WEP/WPA configuration, meanwhile, is administered using the WEP/WPA
Encryption menu. Select the menu from the left navigation bar to change the
authentication type, WEP key mode and change the default key.

From
the SonicWALL’sAdvanced
menu, reached by clicking Advanced from the Wireless sub-navigation menu,
administrators can disable SSID broadcasts, limit the number of maximum client
associations the access point can possess and set the unit’s transmission
strength, among other options. The Restore Default Settings button, found at
the bottom of this menu, supports returning the unit’s wireless settings to
factory presets.

Configuring MAC address filtering

To
introduce additional security, many administrators enable MAC filtering. For SonicWALL TZ
wireless devices you configure MAC filtering by:

1. Logging on to the SonicWALL
   router as an administrator.
2. Click the Wireless button.
3. Click the MAC Filter List option from the left
   navigation bar.
4. Ensure the Enable MAC Filter List checkbox is selected.
   (Figure C)

Figure C

Ensure the Enable MAC Filter List option is checked, and be sure to add authorized systems’ MAC addresses using the provided Add button. Alternatively, you can also block specific MAC addresses using the Block radio button.

5. Click Add and supply the MAC address for the system you
   wish to provide with access to the WLAN. Once you add the MAC address,
   it’ll appear within the MAC Filter List.
6. Confirm the MAC addresses are properly set to Allow or
   Block those systems connecting to the wireless network.
7. Click the Apply button to store any changes you make.

Once
the WLAN is configured, administrators should leverage the SonicWALL’s
intrusion detection capabilities to monitor and protect the wireless network.

Configuring intrusion detection

Unlike
lower-end devices, SonicWALL wireless-equipped
routers can monitor intrusion attempts and even take steps to respond
appropriately when unauthorized traffic is detected. To configure Wireless
Intrusion Detection:

1. Log on to the SonicWALL as an
   administrator.
2. Click the Wireless button from the left navigation
   menu.
3. Click IDS from the sub-menu.
4. Ensure the Enable Client Null Probing Detection, Enable
   Association Flood Detection and Enable Rogue Access Point detection
   checkboxes are selected.
5. Supply the MAC addresses for any other authorized
   access points using the provided Add button.
6. Click the Apply button to save any changes you make. (Figure D)

Figure D

Wireless Intrusion Detection enables SonicWALL routers to identify, log and dynamically respond to unauthorized wireless traffic.

The
Enable Client Null Probing feature allows the SonicWALL
device to detect and log Null Probes, such as those triggered by Netstumbler and other programs.

Associate
Flood Detection, meanwhile, monitors for wireless denial of service attacks
that attempt to overwhelm an access point with bogus traffic. Selecting the
Block Station’s MAC Address In Response To An
Association Flood allows the SonicWALL to defend
itself by logging such attacks and dynamically adding the MAC address of the
offending system to its blocked list.

Rogue
Access Point Detection works by scanning for other access points. If other
access points are identified, they’re considered rogue unless they’re
specifically added as authorized access points.

To
enable detection logs, click Log | Categories and check the WLAN IDS box found
within the Log Categories and Alerts section. The subsequent logs should then
be reviewed periodically to ensure unauthorized access attempts are not
succeeding.