Chapter 8 - Configuring SonicWALL UTM Gateway Appliances

The foundation of the secure wireless network is the SonicWALL UTM appliance, functioning as both a gateway and a UTM firewall. This chapter introduces the SonicOS management interface and guides the reader through the process of configuring basic connectivity for the SonicWALL UTM appliance and then configuring security services that use SonicWALL's Deep Packet Inspection engine to protect the network. The SonicOS Web management interface provides an intuitive, easy-to-use graphical interface for configuring SonicWALL UTM appliances and SonicPoints. The SonicOS Setup Wizard quickly guides the user through the process of configuring basic network connectivity. Once the SonicWALL UTM appliance is online, but before deploying it to the production environment, one needs to license and configure the UTM security services to protect the network. SonicWALL security services can be customized for the different zones of the network to provide the appropriate level of protection for different types of network traffic. The SonicWALL UTM appliance provides UTM security services without the need for any modification to the existing network configuration. Two advanced configuration options that are available on SonicWALL NSA appliances, namely Layer 2 Bridge mode and High Availability, are introduced. Layer 2 Bridge mode allows the SonicWALL UTM appliance to be seamlessly integrated into an existing network. High Availability is an advanced feature that deploys a second SonicWALL NSA appliance as a backup that can perform stateful synchronization for seamless failover in case the primary appliance goes down. By the end of the chapter, users will have configured secure wired access to the network.

Chapter 12 - Configuring Virtual Access Points

This chapter discusses Virtual Access Points (VAPs), which are used to fine-tune wireless access for segmented user groups. It provides an overview of the steps involved, and then a more in-depth examination of the configuration needed for a multi-purpose VAP deployment. The chapter elaborates on how VAPs are implemented and used to create multiple unique SSIDs through a single access point. The features of a VAP are much like those of a wired VLAN. Installation procedures include configuring the proper security zones and VLANs, then configuring and pushing VAP changes out to one or more SonicPoints. VAPs provide a method for using a single wireless access point to provide multiple wireless network environments for different classes of users. Since VAPs work in conjunction with VLAN tagging, one can think of them as an extension of the wired VLAN into the wireless space. In the simplest terms, VAPs allow a single physical Access Point to present itself as multiple discrete Access Points, each with its own authentication methods and access rights. One can control network access by configuring different VAPs with different profiles, accessible by different user classes. A SonicPoint VAP deployment requires several steps to configure. Each VAP is configured on a separate virtual subinterface. VAP objects and VAP groups can be used to organize multiple VAPs and simplify the configuration and maintenance processes.

Chapter 1 - Introduction to Secure Wireless Networking

This chapter provides an introduction to wireless technology and communications. Wireless devices such as cell phones, PDAs, and laptop computers provide mobility to users and enable them to keep in constant contact with both their work and personal lives. Modern wireless network communication essentially began in 1997 with the original 802.11 standard. In 1999, Wired Equivalency Protection (WEP) was introduced as the first attempt at a secure algorithm for wireless networks. By 2001, serious security flaws were found in WEP. Wi-Fi Protected Access (WPA) was introduced in 2003 as a stopgap measure that superseded WEP, and was quickly followed by WPA2 in 2004, which fully implemented the 802.11i standard. Other wireless standards have been introduced for wireless bridging, Quality of Service, vehicular use, microwave access, and cellular access. Malware is an umbrella term for all forms of malicious software: viruses, worms, botnets, and other threats. Modern-day malware is a much more serious criminal threat to both wired and wireless networks. SonicWALL Unified Threat Management (UTM) provides content filtering, intrusion prevention, antivirus, and antispyware at the gateway. Wireless networks are susceptible to specialized threats that compromise access points, jam radio frequencies, and take advantage of the physical mobility of wireless devices. Although wireless security threats have multiplied with the phenomenal increase in Internet usage, network administrators demand the same level of security from a wireless network that they expect from a wired network. The WPA2 standard has eliminated any excuse for accepting inherent vulnerabilities in wireless networks.

Chapter 9 - Configuring User Segmentation

Configuring the appropriate user authentication method for one's environment is a critical part of securing the network. Networks with a relatively small number of users can authenticate users with the SonicWALL UTM appliance's local user database. Authenticating users and controlling their access to the network is a critical security measure. One has several choices of user authentication methods. For large networks, one can configure SonicOS to use an external LDAP or RADIUS server for user authentication. SSO is available with both local and LDAP authentication. SonicOS offers a number of features for segmenting users to provide customized access control for different classes of users: Dynamic Address Objects (DAOs), Application Firewall, and Virtual Access Points (VAPs) provide unique ways of managing users. The VAP feature enables a single SonicWALL UTM appliance to provide multiple wireless access points. One can use MAC DAOs to apply consistent firewall access rules to devices whose IP addresses are assigned by DHCP, and use FQDN DAOs in access rules that manage bandwidth to and from certain websites. Application Firewall provides granular control of network usage at the level of users, user groups, and email users. One can configure VAPs to provide customized wireless access for different classes of users. This chapter discusses the configuration tasks for implementing each of these features to achieve user segmentation.

Chapter 6 - Three Phases for a Secure Wireless Network

This chapter divides the implementation of a complete secure wireless network into three phases: Unified Threat Management (UTM) gateway and wireless access, secure remote access, and centralized management. Dividing the implementation into three phases gives a clear view of how the SonicWALL product line fits together to form a single, integrated network solution. The phased approach also helps a network designer determine which elements the network requires. This chapter explains all of the concepts necessary to understand the implementation sections that follow. Phase one covers the configuration of gateway devices with UTM security services and then the addition of wireless service. SonicWALL's UTM services use the deep packet inspection (DPI) engine to examine both the header and body of every packet that enters the network. Phase two covers VPN solutions that add secure remote access to the network. SonicWALL provides both client and clientless solutions, with several options for extra security such as two-factor authentication (2FA) and one-time passwords (OTPs). Phase three adds centralized management and monitoring for larger networks. SonicWALL Global Management System (GMS) allows a single network administrator to remotely configure an entire network consisting of multiple appliances located in multiple remote sites from a single local management interface.

Chapter 13 - Configuring RF Monitoring and Protection

Wireless networks face additional vulnerabilities that must be considered when designing a network security policy. The Radio Frequency (RF) technology used in today's 802.11-based wireless networking devices poses an attractive target for intruders. If left unmonitored, RF devices can leave both wireless and wired networks open to a variety of outside threats, from DoS or Man-in-the-Middle attacks to network security breaches. This chapter describes the SonicOS wireless intrusion detection and RF monitoring features that help protect one's wireless devices from these attacks. With wireless intrusion detection and RF monitoring enabled on the SonicPoints, one can detect RF threats without interrupting the operation of the network. These features let the users scan the airwaves around the network for access points, examine their settings, and authorize those that are valid while blocking those that are invalid. RF monitoring can detect the signatures of a number of RF attack types, and also helps locate unauthorized access points by indicating proximity and direction. The features of wireless intrusion detection and RF threat management can allow a network administrator to be notified of and deal with wireless threats as they arise. In addition to alerts, SonicWALL also offers signal strength feedback and unique management and identification features that allow one to physically pinpoint wireless threat locations.

Chapter 11 - Configuring Wireless Guest Services for Hotspots

The Wireless Guest Services (WGS) feature in SonicOS enables one to offer guest users wireless access to the Internet while ensuring that they cannot access the protected local network. This chapter describes how to implement WGS as part of a secure wireless solution. WGS can be used in a corporate environment to provide Internet access to visitors while still providing secure access to local resources for WiFiSec authenticated users. WGS access can be controlled by implementing user authentication for guests and by governing access rights using firewall access rules. One can safely allow guest users to access a wireless network by managing guest accounts with SonicWALL Wireless Guest Services. The users can also control guests' Internet access, view their statuses, and log them out. In its purest, unprotected open form, free wireless Internet access (Wi-Fi) does not require users to enter login credentials. One simply clicks to connect to an available, unsecured SSID and is ready to launch a browser or any other application. While WGS is very useful in wireless hotspot scenarios, the technology is often implemented in tandem with other security mechanisms, allowing both guest access and secured user access. For wireless hotspots that require either backend authentication or more robust interfaces for adding and provisioning wireless guests, SonicWALL offers the Lightweight Hotspot Messaging (LHM) protocol. This powerful yet simple solution allows for completely custom interfaces and procedures when guests log onto the wireless network, including options for secure payment processing, user tracking, and integration with any backend database.

Chapter 14 - Configuring Secure Remote Access Solutions

VPN technology is a key part of securing remote network access. Wireless security mechanisms such as WPA2 provide for secure wireless connections in a controlled setting such as one's corporate office or classroom. When remote users connect wirelessly in a hotspot, a VPN tunnel can be implemented to ensure that the connection is secure, regardless of whether the wireless access point is secure. SonicWALL offers a number of VPN features for both small and large deployments, including NetExtender, two-factor authentication (2FA), one-time passwords (OTPs), Connect Mobile, and Virtual Assist. For applications where client-side software installations and integration within a single UTM appliance are preferred, SonicWALL offers site-to-client VPN connections with the SonicWALL Global VPN Client. This chapter discusses the implementation of several SonicWALL VPN solutions, including SonicWALL SSL VPN, SonicWALL GVC, and SonicWALL/Aventail Connect Mobile. Although these authentication and encryption options are most often used in remote access situations, they can be successfully implemented into a wireless scenario to provide security equal to that of the traditional wired network. This is especially true when a wired network already has a VPN for remote workers. Implementation of a SonicWALL SSL VPN solution brings with it the advantages of Two-Factor Authentication, OTPs, and Virtual Assist for local and remote wireless users.

Chapter 3 - Creating and Defining a Network Security Policy

A network security policy defines who can get into the network and who can get out. It can limit what Internet content the internal users can access, and what kind of data can cross from local to public networks. The ideas behind wireless network security are not unlike those of traditional wired networks. In terms of infrastructure, wired and wireless networks are united by very similar themes that can be applied across a broad spectrum of applications. A sound network security policy is a critical factor in securing one's network. This chapter discusses the elements, both technological and conceptual, that make up a comprehensive security policy. These components include everything from hardware to user authentication methods to the human processes for dealing with wireless equipment. The concepts covered in this chapter give the user building blocks to design a wireless networking policy. The implementation of hardware components and their software counterparts plays an important role in a network security policy, but so does enhancement of employee habits and basic security knowledge through proper training. Events that a network administrator cannot prevent can still be planned for effectively. The concepts from this chapter provide the user with a solid start for fleshing out their own wireless network security policy.
