Sonicwall 027 Users Manual

3 Configuring Wireless on the SOHO TZW
The SOHO TZW uses a wireless protocol called IEEE 802.11b, commonly known as Wi-Fi, and sends data via radio transmissions. Wi-Fi transmission speed is usually faster than broadband connection speed, but it is slower than Ethernet.
The SonicWALL SOHO TZW combines three networking components to offer a fully secure wireless firewall: an 802.11b Access Point, a secure wireless gateway, and a stateful firewall with flexible NAT and VPN termination and initiation capabilities. With this combination, the SOHO TZW offers the flexibility of wireless without compromising network security.
Typically, the SOHO TZW is the access point for your wireless LAN and serves as the central access point for computers on your LAN. In addition, it shares a single broadband connection with the computers on your network. Since the SOHO TZW also provides firewall protection, intruders from the Internet cannot access the computers or files on your network. This is especially important for an “always-on” connection such as a cable modem or T1 line that is shared by computers on a network.
However, wireless LANs are vulnerable to “eavesdropping” by other wireless networks, which means you should establish a wireless security policy for your wireless LAN. Wired Equivalent Privacy, WEP, should not be used as your only security policy.
On the SOHO TZW, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer, where the client is required to be authenticated via User Level Authentication. Access to Wireless Guest Services (WGS) and Access Control Lists (ACL) is managed by the SOHO TZW. It is also at this layer that the SOHO TZW has the capability of enforcing WiFiSec, an IPSec-based VPN overlay for wireless networking. As wireless network traffic successfully passes through these layers, it is then passed to the VPN-NAT-Stateful firewall layer, where WiFiSec termination, address translation, and access rules are applied. If all of the security criteria are met, wireless network traffic can then pass via one of the following Distribution Systems (DS):
• LAN
• WAN
• Wireless Client on the WLAN
• VPN tunnel
Page 24 SonicWALL Internet Security Appliance Administrator’s Guide
Considerations for Using Wireless Connections
Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
Convenience - wireless networks do not require cabling of individual computers or opening computer cases to install network cards.
Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
Range and Coverage - if your network environment contains numerous physical barriers or interference factors, wireless networking may not be suitable for your network.
Security - wireless networks have inherent security issues due to the unrestrictive nature of wireless transmissions. However, the SOHO TZW is a firewall and has NAT capabilities which provide security, and you can use WEP to secure data transmissions.
Recommendations for Optimal Wireless Performance
Place the SOHO TZW near the center of your intended network. This can also reduce the possibility of eavesdropping by neighboring wireless networks.
Minimize the number of walls or ceilings between the SOHO TZW and the receiving points such as PCs or laptops.
Try to place the TZW in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
Building construction can make a difference in wireless performance. Avoid placing the TZW near walls, fireplaces, or other large solid objects. Placing the TZW near metal objects such as computer cases, monitors, and appliances can affect performance of the unit.
Metal framing, UV window film, concrete or masonry walls, and metallic paint can reduce signal strength if the TZW is installed near these types of materials.
Installing the TZW in a high place can help avoid obstacles and improve performance for upper stories of a building.
Neighboring wireless networks and devices can affect signal strength, speed, and range of the SOHO TZW. Also, devices such as cordless phones, radios, microwave ovens, and televisions may cause interference on the TZW.
Adjusting the SOHO TZW Antennas
The antennas on the SOHO TZW can be adjusted for the best radio reception. Begin with the antennas pointing straight up, and then adjust as necessary. Note that certain areas, such as the area directly below the SOHO TZW, get relatively poor reception. Pointing the antenna directly at another wireless device does not improve reception. Do not place the antennas next to metal doors or walls as this can cause interference.
Wireless Guest Services (WGS)
With your SOHO TZW, you can provide wireless guest services to wireless-equipped users who are not part of your corporate network, for example, a consultant or a sales person. You can offer authenticated wireless users access to the Internet through your SOHO TZW while preventing them from accessing your corporate LAN, or allowing them access to specific resources on the LAN and unencrypted access to the Internet.
When WGS is active, wireless clients can authenticate and associate with the Access Layer of the SonicWALL. When a Web browser is launched, the wireless user is prompted to provide a user name and password to gain access to WGS. The browser is redirected to the HTTP (unencrypted) management address of the SOHO TZW, but the user name and password are not transmitted. Instead, a secure hash is transmitted, rendering the information useless to anyone “eavesdropping” on the network. After authentication, WGS is tracked and controlled by the client MAC address as well as Account and Session lifetimes.
In order to take advantage of Wireless Guest Services, you must provide a guest with a user name and password which they use to authenticate themselves using HTTP and a Web browser, creating a secure HTTP session. For more information on configuring Wireless Guest Services, see page X, Configuring Wireless Guest Services.
Easy ACL (Access Control Lists)
The 802.11 wireless networking protocol provides native MAC address filtering capabilities. When MAC address filtering occurs at the 802.11 layer, wireless clients are prevented from authenticating and associating with the wireless access point. Since data communications cannot occur without authentication and association, access to the network cannot be granted until the client has given the network administrator the MAC address of their wireless network card.
The SOHO TZW uses its WGS to overcome this limitation by moving MAC address filtering to the Secure Wireless Gateway layer. This allows wireless users to authenticate and associate with the Access Point layer of the SonicWALL, and be redirected to the WGS by the Secure Wireless Gateway where the user authenticates and obtains WLAN to WAN access.
Easy ACL is an extension of WGS that simplifies the administrative burden of manually adding MAC addresses to the ACL. Users can add themselves to the ACL by providing a user name and password assigned to them by the SonicWALL administrator. WGS must be enabled on the SOHO TZW before Easy ACL can be implemented.
WiFiSec Enforcement
Enabling WiFiSec Enforcement on the SonicWALL enforces the use of IPSec-based VPN for access from the WLAN to the LAN, and provides access from the WLAN to the WAN independent of WGS. Access from one wireless client to another is configured on the Wireless>Advanced page, where you can disable or enable access between wireless clients.
WiFiSec uses the easy provisioning capabilities of the SonicWALL Global VPN Client, making it easy for experienced and inexperienced administrators to implement on the network. The level of interaction between the Global VPN Client and the user depends on the WiFiSec options selected by the administrator. WiFiSec IPSec terminates on the WLAN/LAN port, and is configured using the Group VPN Security Policy, including noneditable parameters specifically for wireless access:
Apply NAT & Firewall Rules - On
Forward Packets to Remote VPNs - On
Default LAN Gateway - <management IP Address> if left unspecified
VPN Terminated at the LAN/WLAN - to differentiate between VPN Security Associations terminated at the WAN port.
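The following is a simplified model of the gateway-layer behaviour described in the WGS, Easy ACL and WiFiSec Enforcement sections, added here as an illustration and not SonicWALL code. The class and method names, the verdict strings and the lifetimes are assumptions, and the model assumes WGS and WiFiSec Enforcement are both enabled with guests given no LAN access.

```python
from dataclasses import dataclass

@dataclass
class GuestSession:
    account_expires: float  # end of the guest account lifetime (seconds)
    session_expires: float  # end of this login session's lifetime (seconds)

class SecureWirelessGateway:
    """Toy model of the gateway layer with WGS and WiFiSec Enforcement both on."""

    def __init__(self):
        self.guests = {}  # client MAC (lower case) -> GuestSession

    def guest_login(self, mac, now, account_ttl, session_ttl):
        # Runs after the browser login succeeds; from here on WGS tracks the
        # client by MAC address together with both lifetimes.
        self.guests[mac.lower()] = GuestSession(now + account_ttl, now + session_ttl)

    def guest_active(self, mac, now):
        s = self.guests.get(mac.lower())
        if s is None:
            return False
        if now >= s.account_expires or now >= s.session_expires:
            del self.guests[mac.lower()]  # expired: the guest must log in again
            return False
        return True

    def decide(self, mac, dest, now, ipsec_tunnel=False):
        """Gateway verdict for WLAN traffic headed to 'LAN' or 'WAN'."""
        if dest not in ("LAN", "WAN"):
            raise ValueError("dest must be 'LAN' or 'WAN'")
        if ipsec_tunnel:
            return "PASS"      # WiFiSec client: handed on to the firewall layer
        if dest == "LAN":
            return "DROP"      # enforcement: no IPSec tunnel, no LAN access
        if self.guest_active(mac, now):
            return "PASS"      # authenticated guest: WLAN to WAN only
        return "REDIRECT"      # send the browser to the WGS login page

def demo():
    gw = SecureWirelessGateway()
    mac = "00:11:22:33:44:55"  # constructed sample MAC address
    before = gw.decide(mac, "WAN", now=0)
    gw.guest_login(mac, now=0, account_ttl=86400, session_ttl=3600)
    return [before, gw.decide(mac, "WAN", now=60), gw.decide(mac, "LAN", now=60),
            gw.decide(mac, "LAN", now=60, ipsec_tunnel=True),
            gw.decide(mac, "WAN", now=3600)]

if __name__ == "__main__":
    print(demo())
```

In this model "PASS" only means the traffic reaches the VPN-NAT-Stateful firewall layer, where address translation and access rules still apply.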
Configuring Your Wireless Network
You can use the Wireless Wizard to quickly and easily set up your wireless network. Log into the SOHO TZW, and click Wireless on the menu bar. Click Wireless Wizard to launch the wizard and begin the configuration process.
Welcome to the SonicWALL Wireless Configuration Wizard
1. When the Wireless Wizard launches, the Welcome page is displayed. Click Next to continue configuration.
WLAN Network Settings
2. Select Enable WLAN to activate the wireless feature of the SOHO TZW. Use the default IP address for the WLAN or choose a different private IP address. The default value works for most networks. Click Next to continue.
Alert! You cannot use the same private IP address range as the LAN port of the SOHO TZW.
WLAN 802.11b Settings
3. Enter a unique identifier for the SOHO TZW in the SSID field. It can be up to 32 alphanumeric characters in length and is case-sensitive. The default value is the serial number of the appliance.
WLAN Security Settings
4. Select the desired security setting for the SOHO3 TZW. WiFiSec is the most secure and enforces IPSec over the wireless network. If you have an existing wireless network and want to use the SOHO TZW, select WEP + Stealth Mode.
WiFiSec - VPN Client User Authentication
5. Select Give all users VPN Client privileges if all wireless clients use the SonicWALL Global VPN Client software. Create a new user with VPN Client privileges by typing a user name and password in the User Name and Password fields.