Sonicwall 027 802.11b VPN Access point User Manual user2


SonicWALL Internet Security Appliance Administrator's Guide

3 Configuring Wireless on the SOHO TZW

The SOHO TZW uses the IEEE 802.11b wireless protocol, commonly known as Wi-Fi, and sends data via radio transmissions. Wi-Fi transmission speed is usually faster than a broadband connection but slower than Ethernet.

The SonicWALL SOHO TZW combines three networking components to offer a fully secure wireless firewall: an 802.11b Access Point, a Secure Wireless Gateway, and a stateful firewall with flexible NAT and VPN termination and initiation capabilities. With this combination, the SOHO TZW offers the flexibility of wireless without compromising network security.

Typically, the SOHO TZW is the access point for your wireless LAN and serves as the central access point for computers on your LAN. In addition, it shares a single broadband connection with the computers on your network. Since the SOHO TZW also provides firewall protection, intruders from the Internet cannot access the computers or files on your network. This is especially important for an "always-on" connection such as a cable modem or T1 line that is shared by computers on a network.

However, wireless LANs are vulnerable to "eavesdropping" by anyone within radio range, including neighboring wireless networks, so you should establish a wireless security policy for your wireless LAN. Wired Equivalent Privacy (WEP) should not be used as your only security measure.

On the SOHO TZW, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer, where the client is required to authenticate via User Level Authentication. Access to Wireless Guest Services (WGS) and Access Control Lists (ACL) is managed at this layer. It is also at this layer that the SOHO TZW can enforce WiFiSec, an IPSec-based VPN overlay for wireless networking.

As wireless network traffic successfully passes through these layers, it is passed to the VPN-NAT-Stateful firewall layer, where WiFiSec termination, address translation, and access rules are applied. If all of the security criteria are met, wireless network traffic can then pass via one of the following Distribution Systems (DS):
• LAN
• WAN
• Wireless client on the WLAN
• VPN tunnel
Considerations for Using Wireless Connections
• Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
• Convenience - wireless networks do not require cabling of individual computers or opening computer cases to install network cards.
• Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
• Range and Coverage - if your network environment contains numerous physical barriers or interference factors, wireless networking may not be suitable for your network.
• Security - wireless networks have inherent security issues because radio transmissions cannot be confined to your premises. The SOHO TZW is a firewall with NAT capabilities, which protects your wired network from wireless clients and from the Internet, and you can use WEP to encrypt data transmissions. WEP alone is weak (see Wireless>WEP Encryption); use WiFiSec to protect wireless traffic that matters.

Recommendations for Optimal Wireless Performance
• Place the SOHO TZW near the center of your intended network. This can also reduce the possibility of eavesdropping by neighboring wireless networks.
• Minimize the number of walls or ceilings between the SOHO TZW and the receiving points such as PCs or laptops.
• Try to place the TZW in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
• Building construction can make a difference to wireless performance. Avoid placing the TZW near walls, fireplaces, or other large solid objects. Placing the TZW near metal objects such as computer cases, monitors, and appliances can affect performance of the unit.
• Metal framing, UV window film, concrete or masonry walls, and metallic paint can reduce signal strength if the TZW is installed near these types of materials.
• Installing the TZW in a high place can help avoid obstacles and improve performance for upper stories of a building.
• Neighboring wireless networks and devices can affect signal strength, speed, and range of the SOHO TZW. Also, devices such as cordless phones, radios, microwave ovens, and televisions may cause interference on the TZW.

Adjusting the SOHO TZW Antennas
The antennas on the SOHO TZW can be adjusted for the best radio reception. Begin with the antennas pointing straight up, and then adjust as necessary. Note that certain areas, such as the area directly below the SOHO TZW, get relatively poor reception. Pointing the antenna directly at another wireless device does not improve reception. Do not place the antennas next to metal doors or walls, as this can cause interference.
Wireless Guest Services (WGS)
With your SOHO TZW, you can provide wireless guest services to wireless-equipped users who are not part of your corporate network, for example, a consultant or a sales person. You can offer authenticated wireless users access to the Internet through your SOHO TZW while preventing them from accessing your corporate LAN, or allow them access to specific resources on the LAN and unencrypted access to the Internet.

When WGS is active, wireless clients can authenticate and associate with the Access Point layer of the SonicWALL. When a Web browser is launched, the wireless user is prompted to provide a user name and password to gain access to WGS. The browser is redirected to the HTTP (unencrypted) management address of the SOHO TZW, but the user name and password are not transmitted in the clear. Instead, a secure hash is transmitted, rendering the captured value useless to anyone "eavesdropping" on the network. After authentication, WGS access is tracked and controlled by the client MAC address as well as by Account and Session lifetimes. Note that the MAC address is sent unencrypted in every 802.11 frame and can be changed by the client, so it identifies a wireless card rather than a person; keep Account Lifetime and Session Timeout short for guest accounts.

In order to take advantage of Wireless Guest Services, you must provide a guest with a user name and password, which they use to authenticate themselves using HTTP and a Web browser. For more information on configuring Wireless Guest Services, see page X, Configuring Wireless Guest Services.

Easy ACL (Access Control Lists)
The 802.11 wireless networking protocol provides native MAC address filtering capabilities. When MAC address filtering occurs at the 802.11 layer, unlisted wireless clients are prevented from authenticating and associating with the wireless access point. Since data communications cannot occur without authentication and association, access to the network cannot be granted until the client has given the network administrator the MAC address of their wireless network card.

The SOHO TZW uses its WGS to overcome this limitation by moving MAC address filtering to the Secure Wireless Gateway layer. This allows wireless users to authenticate and associate with the Access Point layer of the SonicWALL and be redirected to the WGS by the Secure Wireless Gateway, where the user authenticates and obtains WLAN to WAN access. Easy ACL is an extension of WGS that simplifies the administrative burden of manually adding MAC addresses to the ACL. Users can add themselves to the ACL by providing a user name and password assigned to them by the SonicWALL administrator. WGS must be enabled on the SOHO TZW before Easy ACL can be implemented.

WiFiSec Enforcement
Enabling WiFiSec Enforcement on the SonicWALL enforces the use of an IPSec-based VPN for access from the WLAN to the LAN, and provides access from the WLAN to the WAN independent of WGS. Access from one wireless client to another is configured on the Wireless>Advanced page, where you can disable or enable access between wireless clients. WiFiSec uses the easy provisioning capabilities of the SonicWALL Global VPN Client, making it easy for experienced and inexperienced administrators to implement on the network. The level of interaction between the Global VPN Client and the user depends on the WiFiSec options selected by the administrator.

WiFiSec IPSec terminates on the WLAN/LAN port and is configured using the Group VPN Security Policy, including the following non-editable parameters specifically for wireless access:
• Apply NAT & Firewall Rules - On
• Forward Packets to Remote VPNs - On
• Default LAN Gateway - <management IP address> if left unspecified
• VPN Terminated at the LAN/WLAN - to differentiate from VPN Security Associations terminated at the WAN port

Configuring Your Wireless Network
You can use the Wireless Wizard to quickly and easily set up your wireless network. Log into the SOHO TZW, and click Wireless on the menu bar. Click Wireless Wizard to launch the wizard and begin the configuration process.

Welcome to the SonicWALL Wireless Configuration Wizard
1. When the Wireless Wizard launches, the Welcome page is displayed. Click Next to continue configuration.
WLAN Network Settings
2. Select Enable WLAN to activate the wireless feature of the SOHO TZW. Use the default IP address for the WLAN or choose a different private IP address. The default value works for most networks. Click Next to continue.
Alert! You cannot use the same private IP address range as the LAN port of the SOHO TZW.

WLAN 802.11b Settings
3. Enter a unique identifier for the SOHO TZW in the SSID field. It can be up to 32 alphanumeric characters in length and is case-sensitive. The default value is the serial number of the appliance.

WLAN Security Settings
4. Select the desired security setting for the SOHO TZW. WiFiSec is the most secure and enforces IPSec over the wireless network. If you have an existing wireless network and want to use the SOHO TZW, select WEP + Stealth Mode.

WiFiSec - VPN Client User Authentication
5. Select Give all users VPN Client privileges if all wireless clients use the SonicWALL Global VPN Client software. To create a new user with VPN Client privileges, type a user name and password in the User Name and Password fields.

Wireless Guest Services
6. Enable Wireless Guest Services is selected by default. You can create guest wireless accounts that grant access to the WAN only. If you enable Wireless Guest Services, type a name for the account in the Account Name field and a password in the Account Password field. The Account Lifetime is set to one hour by default, but you can enter a value and then select Minutes, Hours, or Days to determine how long the guest account is active. Determine how long the connection can be inactive before disconnecting and enter the value in the Session Timeout field; select Minutes, Hours, or Days. Any comments about the connection can be entered in the Comment field.

Wireless Configuration Summary
7. Review your wireless settings for accuracy. If you want to make changes, click Back until the settings are displayed. Then click Next until you reach the Summary page.

Congratulations!
8. You have successfully configured the WLAN port on the SOHO TZW.
Configuring Additional Wireless Features
The SonicWALL SOHO TZW has the following features available:
• WiFiSec Enforcement - an IPSec-based VPN overlay for wireless networking.
• WEP Encryption - configure Wired Equivalent Privacy (WEP) encryption.
• Beaconing and SSID Controls - manage transmission of the wireless signal.
• Wireless Client Communications - configure wireless client settings.
• Advanced Radio Settings - tune transmit power, preamble length, fragmentation and RTS thresholds, DTIM interval, and authentication and association timeouts.
• MAC Filtering - use MAC addresses to allow or block access to the SOHO TZW.
• Wireless Guest Services - configure limited access accounts for non-employees.

To begin configuring advanced features on the SOHO TZW, log into the management interface, and click Wireless. The Status page is displayed and contains information relating to the WLAN connection.

Access Point Status
The WLAN Settings table shows the current value of each setting:
WLAN: Enabled or Disabled
WiFiSec: Enabled or Disabled
SSID: Network identification information
MAC Address: Serial number of the SOHO TZW
WLAN IP Address: IP address of the WLAN port
WLAN Subnet Mask: Subnet information
Channel: Channel number selected for transmitting the wireless signal
Link Status: Network speed in Mbps, full or half duplex
WEP Encryption: Enabled or Disabled
ACL: Enabled or Disabled
Wireless Guest Services: Enabled or Disabled
Wireless Firmware: Version of the wireless firmware
Associated Stations: Number of clients associated with the SOHO TZW

WLAN Statistics

Station Status
The Station Status table displays information about wireless connections associated with the SOHO TZW.
• Station - the name of the connection used by the MAC address
• MAC Address - the wireless network card MAC address
• Authenticated - status of 802.11b authentication
• Associated - status of 802.11b association
• Association ID - assigned by the SonicWALL
• Tx Rate - in Mbps
• Timeout - number of seconds left on the session
• Power Mgmt - if power management is enabled on your wireless network card, the setting is displayed here.
• Configure - delete the entry or add the entry to the MAC Filter List.
Wireless>Settings
On the Wireless>Settings page, you can enable or disable the WLAN port by selecting or clearing the Enable WLAN checkbox.

WiFiSec Enforcement
Select WiFiSec Enforcement to require an IPSec-based VPN for access from the WLAN to the LAN, and also to provide access from the WLAN to the WAN independent of Wireless Guest Services. When WiFiSec Enforcement is selected, a second checkbox, Require WiFiSec for VPN Tunnel Traversal, is selected by default. When Require WiFiSec for VPN Tunnel Traversal is selected, any wireless traffic destined for a remote network reachable over a VPN tunnel must itself be secured by WiFiSec. If WiFiSec Enforcement is not selected, you can select or clear the Require WiFiSec for VPN Tunnel Traversal checkbox independently.

Deployment Scenario for WiFiSec and VPN Tunnel Traversal
A site-to-site VPN tunnel is configured between Site 1 and Site 2, both sites using a SOHO TZW, and Site 1 has a wireless client on its WLAN. When the wireless client at Site 1 sends data to Site 2 over the VPN tunnel, the data is encrypted on every hop: by WiFiSec between the wireless client and the SOHO TZW at Site 1, and by the site-to-site tunnel over the Internet to Site 2. Without Require WiFiSec for VPN Tunnel Traversal, the wireless hop at Site 1 would be protected only by WEP, if WEP is enabled at all.

To configure the WLAN settings, log into the SonicWALL, and click Wireless, then Settings.
1. Select Enable WLAN to allow wireless communication over the WLAN port.
2. Select WiFiSec Enforcement to encrypt all traffic over the WLAN. If you choose not to enforce WiFiSec on your network, clear the checkbox. You can then select or clear the Require WiFiSec for VPN Tunnel Traversal checkbox.
3. Type the IP address of the WLAN in the WLAN IP Address field or use the default IP address. The default IP address is acceptable for most networks.
4. Type the subnet mask in the WLAN Subnet Mask field.
5. Type a name for the SSID in the SSID field or use the default value, which is SonicWALL.
6. Select a channel from the Channel list. The most frequently used channels are 1, 6, and 11, the three 802.11b channels that do not overlap with each other; channel 11 is the recommended default.
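The rules in the WiFiSec Enforcement section and the tunnel-traversal scenario above, together with the four Distribution Systems listed at the start of this chapter, can be written down as a single decision function. The following Python is an added example, not SonicWALL code: it models the behaviour the guide describes for one flow leaving the WLAN. It assumes default deny for anything the guide does not state (a non-WiFiSec client without a guest login gets no LAN access), and it does not model the access rules and NAT that the VPN-NAT-Stateful firewall layer applies afterwards.

```python
from dataclasses import dataclass
from enum import Enum


class Dest(Enum):
    """The four Distribution Systems the guide lists for wireless traffic."""
    LAN = "LAN"
    WAN = "WAN"
    WLAN = "wireless client on the WLAN"
    VPN = "remote network over a site-to-site VPN tunnel"


@dataclass(frozen=True)
class WlanSettings:
    """Checkboxes from Wireless>Settings and Wireless>Advanced."""
    wifisec_enforcement: bool
    require_wifisec_for_tunnel_traversal: bool
    wireless_guest_services: bool
    interclient_communications: bool


@dataclass(frozen=True)
class Station:
    """What the Secure Wireless Gateway knows about one associated client."""
    mac: str
    wifisec: bool            # traffic arrives inside a Global VPN Client SA terminated at the WLAN
    wgs_authenticated: bool  # logged in through the Wireless Guest Services page


def wlan_access(settings: WlanSettings, station: Station, dest: Dest) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow leaving the WLAN.

    Model of the rules stated in the guide; anything the guide does not
    explicitly permit is denied here (assumption of this example).
    """
    if dest is Dest.WLAN:
        # Interclient Communications on Wireless>Advanced gates client-to-client traffic.
        if settings.interclient_communications:
            return True, "interclient communications enabled"
        return False, "interclient communications disabled"

    if dest is Dest.VPN and settings.require_wifisec_for_tunnel_traversal:
        # Traffic headed into a site-to-site tunnel must be WiFiSec-secured
        # so the wireless hop is never the only unencrypted segment.
        if station.wifisec:
            return True, "WiFiSec client, forwarded to remote VPN"
        return False, "Require WiFiSec for VPN Tunnel Traversal"

    if dest in (Dest.LAN, Dest.VPN):
        if station.wifisec:
            return True, "WiFiSec client"
        if settings.wifisec_enforcement:
            return False, "WiFiSec Enforcement: LAN requires IPSec"
        # Without enforcement, guests still get WAN only (assumption: no
        # per-resource guest access rule has been configured).
        return False, "not a WiFiSec client; guests are limited to the WAN"

    # dest is Dest.WAN
    if station.wifisec:
        return True, "WiFiSec client, WAN access independent of WGS"
    if settings.wireless_guest_services and station.wgs_authenticated:
        return True, "authenticated Wireless Guest Services session"
    if settings.wireless_guest_services:
        return False, "guest must log in to Wireless Guest Services first"
    return False, "no WiFiSec and Wireless Guest Services disabled"


if __name__ == "__main__":
    settings = WlanSettings(wifisec_enforcement=True, require_wifisec_for_tunnel_traversal=True,
                            wireless_guest_services=True, interclient_communications=False)
    stations = [  # constructed sample clients
        Station("00-11-22-33-44-55", wifisec=True, wgs_authenticated=False),   # Global VPN Client user
        Station("00-11-22-33-44-66", wifisec=False, wgs_authenticated=True),   # guest logged in via WGS
        Station("00-11-22-33-44-77", wifisec=False, wgs_authenticated=False),  # associated, nothing else
    ]
    for st in stations:
        for dest in Dest:
            ok, why = wlan_access(settings, st, dest)
            print(f"{st.mac} -> {dest.name:<4} {'allow' if ok else 'deny':<5} ({why})")
```

Running the block prints one line per client and destination; the useful check is that the guest reaches the WAN but neither the LAN nor the remote site, while the client that only associated reaches nothing.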
Wireless>WEP Encryption
WEP (Wired Equivalent Privacy) can be used to protect data as it is transmitted over the wireless network, but it provides no protection past the SonicWALL. It is designed to provide a minimal level of protection for transmitted data and is not recommended for network deployments requiring a high degree of security: the RC4 key scheduling and the short 24-bit initialization vector that WEP uses let an attacker who captures enough traffic recover the key. Use WEP to keep casual listeners out, and WiFiSec for any traffic that matters.

WEP Encryption Settings
Open-system authentication is the only method required by 802.11b. In open-system authentication, the SonicWALL allows the wireless client access without verifying its identity. Shared-key authentication uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed. The SOHO TZW provides the option of using Open-system, Shared-key, or both when WEP is used to encrypt data. Note that the shared-key challenge/response exposes a plaintext/ciphertext pair to an eavesdropper, so it is not stronger than open-system authentication once WEP encryption is in use.

To configure WEP on the SonicWALL, log into the SonicWALL and click Wireless, then WEP Encryption.
1. Select the authentication type from the Authentication Type list. Both (Open System & Shared Key) is selected by default.
2. Select 64-bit or 128-bit from the WEP Key Mode list. 128-bit is considered more secure than 64-bit. This value is applied to all keys. The mode counts the 24-bit initialization vector that 802.11 adds to every frame, so the secret part of the key is 40 or 104 bits: 5 or 13 alphanumeric characters, or 10 or 26 hexadecimal digits.

WEP Encryption Keys
3. Select the key number, 1, 2, 3, or 4, from the Default Key menu.
4. Select the key type to be either Alphanumeric or Hexadecimal.
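The key-length rules in step 2 and the initialization-vector caveat above, as an added Python example (not SonicWALL code): normalize_wep_key validates a key as it would be typed into the WEP Encryption Keys fields and returns the hexadecimal form the radio loads, and frames_until_iv_collision shows how few frames it takes before a 24-bit IV, and therefore an RC4 keystream, repeats. The function names, the accepted separators, and the ASCII restriction on alphanumeric keys are assumptions of this example.

```python
import binascii
import math

# Secret key bytes per WEP Key Mode, as the guide states: the advertised size
# includes the 24-bit per-frame initialization vector, so "64-bit" carries a
# 40-bit secret and "128-bit" a 104-bit secret.
WEP_SECRET_BYTES = {64: 5, 128: 13}
IV_BITS = 24
_HEX = set("0123456789abcdefABCDEF")


def normalize_wep_key(key: str, mode: int, key_type: str) -> str:
    """Check a key as typed into the WEP Encryption Keys fields and return the
    hexadecimal form the radio loads (upper case, no separators).

    Raises ValueError for anything the appliance would reject: wrong mode,
    wrong length for the mode, or characters outside the chosen key type.
    """
    if mode not in WEP_SECRET_BYTES:
        raise ValueError(f"WEP Key Mode must be 64 or 128, not {mode}")
    secret_bytes = WEP_SECRET_BYTES[mode]

    if key_type == "Alphanumeric":
        try:
            raw = key.encode("ascii")  # assumption: the UI only accepts ASCII
        except UnicodeEncodeError:
            raise ValueError("alphanumeric WEP keys must be ASCII") from None
        if len(raw) != secret_bytes:
            raise ValueError(
                f"{mode}-bit alphanumeric key must be {secret_bytes} characters, got {len(raw)}"
            )
        return binascii.hexlify(raw).decode("ascii").upper()

    if key_type == "Hexadecimal":
        # Tolerate the separators people paste in; the radio wants bare digits.
        digits = key.replace(":", "").replace("-", "").replace(" ", "")
        if len(digits) != 2 * secret_bytes or not set(digits) <= _HEX:
            raise ValueError(
                f"{mode}-bit hexadecimal key must be {2 * secret_bytes} hex digits"
            )
        return digits.upper()

    raise ValueError(f"key type must be Alphanumeric or Hexadecimal, not {key_type!r}")


def frames_until_iv_collision(probability: float = 0.5) -> int:
    """Number of frames after which two share an IV with the given probability
    (birthday bound over the 2**24 IV space). A repeated IV means a repeated
    RC4 keystream, which is why 128-bit mode does not slow this down: the IV
    is 24 bits in both modes."""
    iv_space = 2 ** IV_BITS
    return math.ceil(math.sqrt(-2 * iv_space * math.log(1 - probability)))


if __name__ == "__main__":
    print(normalize_wep_key("abcde", 64, "Alphanumeric"))        # 6162636465
    print(normalize_wep_key("00-11-22-33-44", 64, "Hexadecimal"))  # 0011223344
    print("50% chance of an IV repeat after", frames_until_iv_collision(), "frames")
```

The collision figure is in the low thousands of frames, a few seconds of traffic on a busy WLAN, which is the practical reason the guide steers anything sensitive to WiFiSec rather than to the longer WEP key.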
Wireless>Advanced
To access Advanced configuration settings for the SOHO TZW, log into the SonicWALL, click Wireless, and then Advanced.

Beaconing & SSID Controls
1. Select Hide SSID in Beacon to omit the SSID from beacon frames.
2. Select Block Response to Unspecified SSID so the SOHO TZW does not answer probe requests that do not name its SSID. These two settings only hide the network from casual scanning; the SSID still travels in the clear in association frames and can be learned by anyone capturing wireless traffic.
3. Type a value in milliseconds for the Beacon Interval. Decreasing the interval makes passive scanning faster and more reliable, because Beacon frames announce the network to wireless clients more frequently.

Wireless Client Communications
1. Enter the maximum number of clients that may associate with the SOHO TZW in the Maximum Client Associations field.
2. If you do not want wireless clients communicating with each other, select Disabled from the Interclient Communications menu. If you want wireless clients communicating with each other, select Enabled.
3. Guests on the wireless network can download the SonicWALL Global VPN Client to install on their computer or laptop. Type the URL of the software in the VPN Client Download URL http:// field.

Advanced Radio Settings
1. Select High from the Transmit Power menu to send the strongest signal on the WLAN.
2. Select Short or Long from the Preamble Length menu. Short is recommended for efficiency and improved throughput on the wireless network.
3. The Fragmentation Threshold (bytes) is 2346 by default; frames larger than this are split into fragments. Increasing the value means that frames are delivered with less overhead, but a lost or damaged frame must be discarded and retransmitted in its entirety.
4. The RTS Threshold (bytes) is 2432 by default. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold so that the RTS/CTS handshake is used for more frames.
5. The default value for the DTIM Interval is 3. Increasing the DTIM Interval value allows clients to conserve power more effectively.
6. The Authentication process times out after 10 seconds by default. If your network is very busy, you can increase the timeout by increasing the number of seconds in the Authentication Timeout (seconds) field.
7. The Association Timeout (seconds) is 300 seconds by default. If your network is very busy, you can increase the timeout by increasing the number of seconds in the Association Timeout (seconds) field.
8. Broadcast Rate?
Wireless>MAC Filter List
Wireless networking provides native MAC filtering capabilities, which prevent unlisted wireless clients from authenticating and associating with the SOHO TZW. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. Keep in mind that a MAC address is transmitted in the clear and can be set by the client, so the filter list limits which cards may associate but does not by itself authenticate the user.

To set up your MAC Filter List, log into the SonicWALL, and click Wireless, then MAC Filter List.
1. Click Add to add a MAC address to the MAC Filter List.
2. Select Allow from the Action menu to allow access to the WLAN. To deny access, select Block.
3. Type the MAC address in the MAC Address field. The two-character groups should be separated by a hyphen, for example 00-11-22-33-44-55.
4. Type a name or comment in the Comment field. The Comment field can be used to identify the owner of the MAC address.
5. Click OK to add the MAC address.

Once the MAC address is added to the MAC Filter List, you can select Allow or Block next to the entry. For example, if the user with the wireless card is not always in the office, you can select Block to deny access during the times the user is offsite. Click on the Notepad icon under Configure to edit the entry. Click on the Trashcan icon to delete the entry. To delete all entries, click Delete All.

Wireless>Guest Services
Wireless Guest Services allow you to create access accounts for temporary use that allow wireless clients to connect from the WLAN to the WAN.

To configure Wireless Guest Services, log into the SonicWALL, and click Wireless, then Guest Services.
1. Select Enable Wireless Guest Services.
2. If your Guest Accounts are associated with the Users feature of the SonicWALL, you can select Bypass Filters for Guest Accounts. See the Users, page X, Chapter X, Objects, for information on configuring User Level Access.
TIP! You can have Wireless Guest Accounts without configuring User Level Access. Wireless Guest Accounts are considered more temporary than permanent.
3. Type the number of wireless clients that can use the same Guest Account in the Maximum Concurrent Guests field.
4. To add a Guest Account, click Add.
5. Enable Account is selected by default.
6. Enter a name for the Guest Account in the Account Name field. In the example above, it is "Joe User".
7. Enter a password in the Account Password field.
8. Configure the Account Lifetime by entering a value in the field, and then selecting Minutes, Hours, or Days.
9. Configure the Session Timeout by entering a value in the field, and then selecting Minutes, Hours, or Days.
10. Enter any comments in the Comment field, and click OK to add the Guest Account.

Guest Account information is displayed in the Guest Account table. To disable a Guest Account, clear the Enable checkbox in the Guest Account entry line. To edit an existing Guest Account, click on the Notepad icon under Configure. To delete a Guest Account, click the Trashcan icon under Configure. To delete all Guest Accounts, click Delete All.
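Both the MAC Filter List and Wireless Guest Services key on the client MAC address, and Easy ACL (described earlier in this chapter) ties them together: a successful guest login adds the client's MAC to the ACL, and the Account Lifetime and Session Timeout decide when it is removed again. The following Python is an added example, not SonicWALL code, modelling that interaction with constructed accounts and timestamps. Its assumptions are marked in comments: a MAC with no filter entry gets a default Block, the account lifetime starts at the first login, and Maximum Concurrent Guests counts the other MACs currently logged in to the same account.

```python
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 001122334455 or 00-11-22-33-44-55 and return
    the hyphen-separated, upper-case form the MAC Filter List page expects."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilterList:
    """Wireless>MAC Filter List: one Allow/Block action per MAC.
    Assumption: a MAC without an entry gets default_action."""

    def __init__(self, default_action: str = "Block"):
        self.default_action = default_action
        self.entries: dict[str, tuple[str, str]] = {}

    def add(self, mac: str, action: str, comment: str = "") -> None:
        if action not in ("Allow", "Block"):
            raise ValueError("action must be Allow or Block")
        self.entries[normalize_mac(mac)] = (action, comment)

    def remove(self, mac: str) -> None:
        self.entries.pop(normalize_mac(mac), None)

    def permits(self, mac: str) -> bool:
        action, _ = self.entries.get(normalize_mac(mac), (self.default_action, ""))
        return action == "Allow"


@dataclass
class GuestAccount:
    name: str
    password: str                 # constructed example; real storage is the appliance's concern
    account_lifetime: timedelta   # Account Lifetime: how long the account stays active
    session_timeout: timedelta    # Session Timeout: idle time before a client is disconnected
    enabled: bool = True
    activated_at: Optional[datetime] = None  # assumption: lifetime runs from first login


@dataclass
class GuestSession:
    mac: str
    account: str
    last_seen: datetime


class WirelessGuestServices:
    """Tracks guest sessions by client MAC and maintains their Easy ACL entries."""

    def __init__(self, acl: MacFilterList, max_concurrent_guests: int = 1):
        self.acl = acl
        self.max_concurrent_guests = max_concurrent_guests
        self.accounts: dict[str, GuestAccount] = {}
        self.sessions: dict[str, GuestSession] = {}

    def add_account(self, account: GuestAccount) -> None:
        self.accounts[account.name] = account

    @staticmethod
    def _lifetime_over(account: GuestAccount, now: datetime) -> bool:
        return account.activated_at is not None and now >= account.activated_at + account.account_lifetime

    def expire(self, now: datetime) -> None:
        """Drop sessions idle past Session Timeout, or whose account is disabled
        or past its lifetime, and revoke their Easy ACL entries."""
        for mac, sess in list(self.sessions.items()):
            acct = self.accounts[sess.account]
            if (now - sess.last_seen >= acct.session_timeout
                    or self._lifetime_over(acct, now) or not acct.enabled):
                del self.sessions[mac]
                self.acl.remove(mac)

    def login(self, mac: str, name: str, password: str, now: datetime) -> bool:
        """The guest portal login; on success the client's MAC is allowed (Easy ACL)."""
        mac = normalize_mac(mac)
        self.expire(now)
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled or not hmac.compare_digest(
                acct.password.encode("utf-8"), password.encode("utf-8")):
            return False
        if acct.activated_at is None:
            acct.activated_at = now
        if self._lifetime_over(acct, now):
            return False
        others = [s for s in self.sessions.values() if s.account == name and s.mac != mac]
        if len(others) >= self.max_concurrent_guests:
            return False  # Maximum Concurrent Guests reached for this account
        self.sessions[mac] = GuestSession(mac, name, now)
        self.acl.add(mac, "Allow", f"Easy ACL: {name}")
        return True

    def activity(self, mac: str, now: datetime) -> None:
        """Traffic from an active session resets its idle timer."""
        sess = self.sessions.get(normalize_mac(mac))
        if sess is not None:
            sess.last_seen = now

    def has_access(self, mac: str, now: datetime) -> bool:
        self.expire(now)
        mac = normalize_mac(mac)
        return mac in self.sessions and self.acl.permits(mac)
```

Because both the session table and the ACL are keyed on the MAC, a second card that copies an active guest's address is indistinguishable from the guest; the short lifetimes in the wizard defaults (one hour) are what bound that exposure.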
