Page 1 of 15
2/24/2014
For more information on SonicOS Secure Wireless features, refer to the SonicWALL Secure Wireless Integrated Solutions Guide.
What Is an SSID?
A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a network can use the same SSIDs. You can configure up to 8 unique SSIDs on SonicPoints and assign different configuration settings to each SSID. SonicPoints broadcast a beacon (announcements of availability of a wireless network) for every SSID configured. By default, the SSID is included within the beacon so that wireless clients can see the wireless networks. The option to suppress the SSID within the beacon is provided on a per SSID (e.g. per VAP or per AP) basis to help conceal the presence of a wireless network, while still allowing clients to connect by manually specifying the SSID. The following settings can be assigned to each VAP:
Authentication method
VLAN
Maximum number of client associations using the SSID
SSID Suppression
What Is a BSSID?
A BSSID (Basic Service Set IDentifier) is the wireless equivalent of a MAC (Media Access Control) address, or a unique hardware address of an AP or VAP for the purposes of identification. Continuing the example of the roaming wireless client from the ESSID section above, as the client on the "sonicwall" ESSID moves away from AP1 and toward AP2, the strength of the signal from the former will decrease while the latter increases. The client's wireless card and driver constantly monitor these levels, differentiating between the (V)APs by their BSSID. When the card/driver's criteria for roaming are met, the client will detach from the BSSID of AP1 and attach to the BSSID of AP2, all the while remaining connected to the "sonicwall" ESSID.
Benefits of Virtual APs
This section includes a list of benefits in using the Virtual AP feature.
Radio Channel Conservation: Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channel collision problems.
Channel conservation: Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs. However, in the US and Europe, 802.11b networks can only support three usable (non-overlapping) channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.
Optimize SonicPoint LAN Infrastructure: Share the same SonicPoint LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower the capital expenditure for installation and maintenance of your WLANs.
Benefits of VLANs
Although the implementation of VAPs does not require the use of VLANs, VLAN use does provide practical traffic differentiation benefits. When not using VLANs, the traffic from each VAP is handled by a common interface on the SonicWALL security appliance. This means that all traffic from each VAP will belong to the same zone and same subnet. (Footnote: a future version of SonicOS Enhanced will allow for traffic from different VAPs to exist on different subnets within the same zone, providing a measure of traffic differentiation even without VLAN tagging.) By tagging the traffic from each VAP with a unique VLAN ID, and by creating the corresponding subinterfaces on the SonicWALL security appliance, it is possible to have each VAP occupy a unique subnet, and to assign each subinterface to its own zone. This affords the following benefits:
Each VAP can have its own security services settings (e.g. GAV, IPS, CFS, etc.).
Traffic from each VAP can be easily controlled using Access Rules configured from the zone level.
Separate Wireless Guest Services (WGS) or Lightweight Hotspot Messaging (LHM) configurations can be applied to each, facilitating the presentation of multiple guest service providers with a common set of SonicPoint hardware.
Bandwidth management and other Access Rule-based controls can easily be applied.
Prerequisites
Each SonicWALL SonicPoint must be explicitly enabled for Virtual Access Point support by selecting the "Enable SonicPoint" checkbox on the SonicPoint > SonicPoints > General Settings tab in the SonicOS management interface and enabling either Radio A or G. SonicPoints must be linked to a WLAN zone on your SonicWALL UTM appliance in order for provisioning of APs to take place. When using VAPs with VLANs, you must ensure that the physical SonicPoint discovery and provisioning packets remain untagged (unless being terminated natively into a VLAN subinterface on the SonicWALL). You must also ensure that VAP packets that are VLAN tagged by the SonicPoint are delivered unaltered (neither un-encapsulated nor double-encapsulated) by any intermediate equipment, such as a VLAN capable switch, on the network.
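To verify the tagging prerequisite above on the switch path between SonicPoint and SonicWALL, here is an added example (not from the SonicWALL guide) in Python: it parses the 802.1Q tag stack of captured Ethernet frames and reports whether a provisioning frame arrived untagged and whether a VAP frame arrived with exactly one tag carrying the expected VLAN ID. The sample frames, MAC addresses and the guest VLAN 220 are constructed.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # IEEE 802.1ad service tag (outer tag of a double-encapsulated frame)
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst_mac, src_mac, ethertype, payload, vlans=()):
    """Assemble an Ethernet frame with zero or more 802.1Q tags (constructed test data).

    vlans lists VLAN IDs outermost first; each becomes a 4-byte tag whose TCI has
    priority 0 and DEI 0, so the TCI is just the VLAN ID.
    """
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    tags = b"".join(struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) for vid in vlans)
    return header + tags + struct.pack("!H", ethertype) + payload

def parse_vlan_tags(frame):
    """Walk the tag stack after the two MAC addresses; return (vlan_ids, inner_ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            return vids, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4

def check_vap_frame(frame, expected_vlan):
    """Classify a frame captured on the switch port facing the SonicWALL.

    expected_vlan=None means the frame must be untagged (SonicPoint discovery and
    provisioning traffic); otherwise it is a VAP frame that must carry exactly one
    tag with that VLAN ID, i.e. neither stripped nor double-encapsulated in transit.
    """
    vids, _ = parse_vlan_tags(frame)
    if expected_vlan is None:
        return "ok" if not vids else "tagged-discovery"
    if not vids:
        return "stripped"              # tag removed by an intermediate switch
    if len(vids) > 1:
        return "double-encapsulated"   # a second tag was pushed in transit
    if vids[0] != expected_vlan:
        return "wrong-vlan"
    return "ok"

# Constructed frames: an untagged provisioning packet and a frame from the
# "VAP-Guest" SSID carried on the assumed VLAN 220. MAC addresses are made up.
GUEST_VLAN = 220
provisioning = build_frame("ffffffffffff", "00aa11bb22cc", ETHERTYPE_IPV4, b"\x45\x00")
guest_frame = build_frame("00aa11bb22cd", "00aa11bb22cc", ETHERTYPE_IPV4, b"\x45\x00", vlans=(GUEST_VLAN,))
qinq_frame = build_frame("00aa11bb22cd", "00aa11bb22cc", ETHERTYPE_IPV4, b"\x45\x00", vlans=(1, GUEST_VLAN))

if __name__ == "__main__":
    for label, frame, want in (("provisioning", provisioning, None),
                               ("guest VAP", guest_frame, GUEST_VLAN),
                               ("guest VAP via QinQ switch", qinq_frame, GUEST_VLAN)):
        print(f"{label:26s} tags={parse_vlan_tags(frame)[0]} -> {check_vap_frame(frame, want)}")
```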
Deployment Restrictions
When configuring your VAP setup, be aware of the following deployment restrictions: Maximum SonicPoint restrictions apply and differ based on your SonicWALL security appliance. Review these restrictions in the "Custom VLAN Settings" section.
Network Zones
This section contains the following subsections: "The Wireless Zone" section; "Custom Wireless Zone Settings" section.
A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.
For detailed information on configuring zones, see Chapter 18, Network > Zones.
Although SonicWALL provides the pre-configured Wireless zone, administrators also have the ability to create their own custom wireless zones. When using VAPs, several custom zones can be applied to a single, or multiple SonicPoint access points. The following three sections describe settings for custom wireless zones: "General" section; "Wireless" section; "Guest Services" section.
General
Feature / Description
Name: Create a name for your custom zone.
Security Type: Select Wireless in order to enable and access wireless security options.
Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Wireless Guest Services (WGS).
Security services: Select the security services you wish to enforce on this zone. This allows you to extend your SonicWALL UTM security services to your SonicPoints.
Wireless
Feature / Description
Only allow traffic generated by a SonicPoint
SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic. Note: Wireless traffic that is tunneled through an SSL VPN will appear to originate from the SSL VPN rather than from the Wireless zone. SSL VPN Server - Select the Address Object representing the SSL VPN appliance to which you wish to redirect wireless traffic.
WiFiSec Enforcement: Requires all traffic be either IPsec or WPA. With this option checked, all non-guest connections must be IPsec enforced. WiFiSec Exception Service - Select the service(s) you wish to be exempt from WiFiSec Enforcement.
Require WiFiSec for Site-to-site VPN Tunnel Traversal: For use with WiFiSec enforcement, requires WiFiSec security on all site-to-site VPN connections through this zone.
Trust WPA/WPA2 traffic as WiFiSec: Allows WPA or WPA2 to be used as an alternative to WiFiSec.
SonicPoint Provisioning Profile: Select a predefined SonicPoint Provisioning Profile to be applied to all current and future SonicPoints on this zone.
Guest Services
The Enable Wireless Guest Services option allows the following guest services to be applied to a zone:
Feature / Description
Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests: Allows guest traffic to bypass Anti-Virus protection.
Enable Dynamic Address Translation (DAT): Dynamic Address Translation (DAT) allows the SonicPoint to support any IP addressing scheme for WGS users. If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint's network settings.
Enable External Guest Authentication: Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
Custom Authentication Page: Redirects users to a custom authentication page when they first connect to a SonicPoint in the Wireless zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page: Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
Bypass Guest Authentication: Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirect SMTP Traffic To: Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks: Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
Pass Networks: Automatically allows traffic through the Wireless zone from the networks you select.
Max Guests: Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.
VLAN Subinterfaces
A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X0, X1, etc...) into many virtual network connections, each carrying its own set of configurations. The VLAN solution allows each VAP to have its own separate subinterface on an actual physical interface. VLAN subinterfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, WAN assignability (static addressing only), GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN subinterfaces at this time are VPN policy binding, WAN dynamic client support, and multicast support. VLAN subinterfaces are configured from the Network > Interfaces page.
Feature / Description
Zone: Select a zone to inherit zone settings from a predefined or custom user-defined zone.
VLAN Tag: Specify the VLAN ID for this subinterface.
Parent Interface: Select a physical parent interface (X2, X3, etc...) for the VLAN.
IP Address / Subnet Mask: Create an IP address and Subnet Mask in accordance with your network configuration.
SonicPoint Limit: Select the maximum number of SonicPoints to be used on this interface. Below are the maximum number of SonicPoints per interface based on your SonicWALL UTM hardware:
Management: Select the protocols you wish to use when managing this interface.
User Login: Select the protocols you will make available to clients who access this subinterface.
Feature / Description
Name: Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs.
Type: Set to SonicPoint by default. Retain this default setting if using SonicPoints as VAPs (currently the only supported radio type).
Authentication Type: Below is a list of available authentication types with descriptive features and uses for each:
WEP: Lower security. For use with older legacy devices, PDAs, wireless printers.
WPA: Good security (uses TKIP). For use with trusted corporate wireless clients. Transparent authentication with Windows log-in. No client software needed in most cases.
WPA2: Best security (uses AES). For use with trusted corporate wireless clients. Transparent authentication with Windows log-in. Client software install may be necessary in some cases. Supports 802.11i "Fast Roaming" feature. No backend authentication needed after first log-in (allows for faster roaming).
WPA2-AUTO: Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection will default to WPA.
Unicast Cipher: The unicast cipher will be automatically chosen based on the authentication type.
Multicast Cipher: The multicast cipher will be automatically chosen based on the authentication type.
Maximum Clients: Choose the maximum number of concurrent client connections permissible for this virtual access point.
Feature / Description
Passphrase: The shared passphrase users will enter when connecting with PSK-based authentication.
Group Key Interval: The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.
Feature / Description
RADIUS Server 1: The name/location of your RADIUS authentication server.
RADIUS Server 1 Port: The port on which your RADIUS authentication server communicates with clients and network devices.
RADIUS Server 1 Secret: The secret passcode for your RADIUS authentication server.
RADIUS Server 2: The name/location of your backup RADIUS authentication server.
RADIUS Server 2 Port: The port on which your backup RADIUS authentication server communicates with clients and network devices.
RADIUS Server 2 Secret: The secret passcode for your backup RADIUS authentication server.
Group Key Interval: The time period (in seconds) during which the WPA/WPA2 group key is enforced to be updated.
Feature / Description
WEP Key: Select the key to use for WEP connections to this VAP. WEP encryption keys are configured in the SonicPoint > SonicPoints page under SonicPoint Provisioning Profiles.
Feature / Description
SSID: Create a friendly name for your VAP.
VLAN ID: When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with. Settings for this VAP will be inherited from the VLAN you select.
Enable Virtual Access Point: Enables this VAP.
SSID Suppression: Suppresses broadcasting of the SSID name and disables responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients.
802.11a Radio
Enable 802.11a Radio: Yes
SSID: SonicWALL
Radio Mode: 54Mbps / 802.11a
Channel: AutoChannel
ACL Enforcement: Disabled
Authentication Type: WEP / Both (Open System & Shared Key)
Schedule: Always on
IDS Scan: Disabled
Data Rate: Best
Antenna Diversity: Best
802.11g Radio
Enable 802.11g Radio: Yes
SSID: SonicWALL
Radio Mode: 2.4 GHz 54Mbps / 802.11g
Channel: AutoChannel
ACL Enforcement: Disabled
Authentication Type: WEP / Both (Open System & Shared Key)
Schedule: Always on
IDS Scan: Disabled
Data Rate: Best
Antenna Diversity: Best
The following is a sample VAP network configuration, describing five separate VAPs:
VAP #1, Corporate Wireless Users: A set of users who are commonly in the office, and who should be given full access to all network resources, providing that the connection is authenticated and secure. These users already belong to the network's Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS, Internet Authentication Services.
VAP #2, Legacy Wireless Devices: A collection of older wireless devices, such as printers, PDAs and handheld devices, that are only capable of WEP encryption.
VAP #3, Visiting Partners: Business partners, clients, and affiliates who frequently visit the office, and who need access to a limited set of trusted network resources, as well as the Internet. These users are not located in the company's Directory Services.
VAP #4, Guest Users: Visiting clients to whom you wish to provide access only to untrusted (e.g. Internet) network resources. Some guest users will be provided a simple, temporary username and password for access.
VAP #5, Frequent Guest Users: Same as Guest Users, however, these users will have more permanent guest accounts through a back-end database.
Examples / Solutions
Example: Corporate wireless, guest access, visiting partners, and wireless devices are all common user types, each requiring their own VAP.
Your Configurations: Plan out the number of different VAPs needed. Configure a zone and VLAN for each VAP needed.
Example: A corporate campus has :;; employees, all of whom have wireless capabilities. A corporate campus often has a few dozen wireless capable visitors.
Your Configurations: The DHCP scope for the visitor zone is set to provide at least :;; addresses. The DHCP scope for the visitor zone is set to provide at least 0< addresses. Configure WPA2-EAP.
Example: A corporate user who has access to corporate LAN resources. A guest user who is restricted to only Internet access. A legacy wireless printer on the corporate LAN.
Your Configurations: Enable WGS but configure no security settings. Configure WEP and enable MAC address filtering.
Example: A corporate user who needs access to the corporate LAN and all internal LAN resources, including other WLAN users. A wireless guest who needs to access the Internet and should not be allowed to communicate with other WLAN users.
Your Configurations: Enable Interface Trust on your corporate zone. Disable Interface Trust on your guest zone.
Example: Corporate users who you want protected by the full SonicWALL security suite. Guest users who you do not give a hoot about since they are not even on your LAN.
Your Configurations: Enable all SonicWALL security services. Disable all SonicWALL security services.
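As an added example that is not part of the SonicWALL document, the following Python checker encodes the design rules from the sample configurations and the tables above: at most 8 VAPs per SonicPoint, SSIDs of at most 32 bytes, a unique SSID, zone and VLAN per VAP, Interface Trust disabled on guest zones, MAC address filtering for WEP-only devices, a RADIUS server for WPA2-EAP, and security services enforced on non-guest zones. The plan itself (SSIDs, zone names, VLAN IDs, RADIUS address) is constructed.

```python
MAX_VAPS_PER_SONICPOINT = 8   # up to 8 unique SSIDs per SonicPoint (SSID section)
MAX_SSID_BYTES = 32           # an SSID is a text string of up to 32 bytes

# Constructed plan modelled on the document's sample VAPs. SSIDs, zone names,
# VLAN IDs and the RADIUS address are assumptions, not values from the document.
VAP_PLAN = [
    dict(name="Corporate Wireless Users", ssid="corp", vlan=110, zone="VAP-Corp",
         auth="WPA2-EAP", radius="192.0.2.10", guest=False, interface_trust=True,
         security_services=True, mac_filter=False),
    dict(name="Legacy Wireless Devices", ssid="legacy", vlan=120, zone="VAP-Legacy",
         auth="WEP", radius=None, guest=False, interface_trust=False,
         security_services=True, mac_filter=True),
    dict(name="Visiting Partners", ssid="partners", vlan=130, zone="VAP-Partners",
         auth="WPA2-PSK", radius=None, guest=False, interface_trust=False,
         security_services=True, mac_filter=False),
    dict(name="Guest Users", ssid="guest", vlan=140, zone="VAP-Guest",
         auth="WGS", radius=None, guest=True, interface_trust=False,
         security_services=False, mac_filter=False),
]

def validate_plan(plan):
    """Return the list of rule violations; an empty list means the plan is consistent."""
    problems = []
    if len(plan) > MAX_VAPS_PER_SONICPOINT:
        problems.append(f"{len(plan)} VAPs exceed the limit of "
                        f"{MAX_VAPS_PER_SONICPOINT} per SonicPoint")
    # Each VAP gets its own SSID, zone and VLAN (the "Solutions" column above).
    for key in ("ssid", "vlan", "zone"):
        values = [v[key] for v in plan]
        for dup in sorted({x for x in values if values.count(x) > 1}, key=str):
            problems.append(f"{key} {dup!r} is used by more than one VAP")
    for v in plan:
        who = v["name"]
        if not 1 <= v["vlan"] <= 4094:
            problems.append(f"{who}: VLAN {v['vlan']} is outside 1-4094")
        if len(v["ssid"].encode()) > MAX_SSID_BYTES:
            problems.append(f"{who}: SSID longer than {MAX_SSID_BYTES} bytes")
        if v["guest"] and v["interface_trust"]:
            problems.append(f"{who}: guest zone should have Interface Trust disabled")
        if v["auth"] == "WEP" and not v["mac_filter"]:
            problems.append(f"{who}: WEP-only devices need MAC address filtering")
        if v["auth"] == "WPA2-EAP" and not v["radius"]:
            problems.append(f"{who}: WPA2-EAP needs a RADIUS server in the VAP profile")
        if not v["guest"] and not v["security_services"]:
            problems.append(f"{who}: non-guest zone should enforce security services")
    return problems

if __name__ == "__main__":
    for line in validate_plan(VAP_PLAN) or ["plan is consistent"]:
        print(line)
```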
Configuring a Zone
In this section you will create and configure a new wireless zone with guest login capabilities.
Step 1: Log into the management interface of your SonicWALL UTM appliance.
Step 2: In the left-hand menu, navigate to the Network > Zones page.
Step 3: Click the Add... button to add a new zone.
In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the "Configuring a Zone" section.
Step 1: In the Network > Interfaces page, click the Add Interface button.
Step 2: In the Zone drop-down menu, select the zone you created in Configuring a Zone. In this case, we have chosen VAP-Guest.
Step 3: Enter a VLAN Tag for this interface. This number allows the SonicPoint(s) to identify which traffic belongs to the "VAP-Guest" VLAN. You should choose a number based on an organized scheme. In this case, we choose 2!! as our tag for the VAP-Guest VLAN.
Step 4: In the Parent Interface drop-down menu, select the interface that your SonicPoint(s) are physically connected to. In this case, we are using X2, which is our WLAN interface.
Step 5: Enter the desired IP Address for this subinterface.
Step 6: Select a limit for the number of SonicPoints from the SonicPoint Limit drop-down menu. This defines the total number of SonicPoints your VLAN will support.
Step 7: Optionally, you may add a comment about this subinterface in the Comment field.
Step 8: Click the OK button to add this subinterface. Your VLAN subinterface now appears in the Interface Settings list.