The TZW provides a very broad set of wireless controls, monitoring features (Figure 10), and of course, security!
Figure 10: Wireless Status
It takes a little doing to wrap your brain around all that's going on in the TZW's wireless section - especially the security features. There are so many layers and options for your wireless client to get through that I strongly recommend you use the built-in Wireless Wizard when setting up the first time. Read this description from the TZW's Administrator Guide and you'll see why.
On the SOHO TZW, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer where the client is required to be authenticated via User Level Authentication.
Access to Wireless Guest Services (WGS) and MAC Filter Lists are managed by the SOHO TZW. It is also at this layer that the SOHO TZW has the capability of enforcing WiFiSec, an IPSec-based VPN overlay for wireless networking.
As wireless network traffic successfully passes through these layers, it is then passed to the VPN-NAT-Stateful firewall layer where WiFiSec termination, address translation, and access rules are applied. If all of the security criteria are met, then wireless network traffic can then pass via one of the following Distribution Systems (DS):
• Wireless Client on the WLAN
• VPN tunnel
Got all that? A diagram would've helped a lot, but basically it means that there are three choices for letting wireless clients authenticate with the TZW's AP:
- Normal - Via the 802.11 ESSID authentication process.
- Guest Services - This is a "hotspot"-like function that lets clients associate, but blocks all traffic until the user fires up a web browser and logs in with a username and password.
- WiFiSec - This mode also allows a client to associate, but requires that the client authenticate and encrypt all traffic via IPsec before allowing data to pass.
Using WiFiSec requires installing a custom version of Sonicwall's Windows-based Global VPN client on your notebook. No, this doesn't mean that Sonicwall is now giving away their IPsec client, because although the version that comes on the TZW's CD will work for any number of wireless connections, it will support only one WAN-based wired tunnel. Although Sonicwall doesn't limit the number of WiFiSec connections via licensing, it recommends only a maximum of 20-25 simultaneous clients for satisfactory WLAN performance.
This is a very powerful feature set, and I especially like the ability to run both WiFiSec and Guest Service connections at the same time. Note that it's possible to have multiple clients using the same Guest Service account, so all you have to do is freely post the username and password if you want folks to have open access to the Internet via your TZW, while keeping them safely off your wired LAN. You won't be able to post this information on the login page, however, since the login message is not customizable. You can, however, set how long your "guests" can stay and how long guest accounts themselves are good for.
Although you can enable Guest Services and WiFiSec independently, turning either one of them on kills the ability to use only plain-vanilla 802.11 ESSID authentication. You can, however, enable 64 or 128 bit WEP in any of the three modes, although why you'd want to run it at all given the TZW's other security features is a reasonable question. But it's there if you really want it.
And while I'm on the subject of 802.11-based security, I'll note that neither 802.1x-based authentication nor WPA enhanced security is supported, nor are they likely to be. Sonicwall's position is that its IPsec-based security takes the place of all that and does it in a way compatible with the wide number of IPsec client and gateway products that have been around for years.
MAC address association control (MAC Filter) works in addition to the above authentication schemes. Once enabled, the MAC Filter list prevents all clients from even associating with the TZW's AP until their MAC address is entered into the list. Two negatives on this feature are that you can't load or save the Filter list and it doesn't present a pick-list of associated or in-range clients to ease the job of adding clients to the list.
The other thing to note about the MAC Filter list is that it's automatically brought into play when Guest Services are enabled and is used to control "guest" AP association. But Guest Services clients don't show up in the MAC Filter list and the MAC Filter isn't automatically disabled when you disable Guest Services. Since the MAC Filter defaults to blocking all stations that are not entered into its list, you'll need to remember to shut it off when disabling Guest Services - something that I forgot to do on more than one occasion during my testing!
Once authenticated, clients must then run the TZW's firewall gauntlet, which is default configured to allow only Internet access to wireless clients. You can set a firewall rule to allow traffic to pass between WLAN and LAN, but it will be ignored for traffic authenticated via Guest Services. The firewall also defaults to not allow wireless client-to-client communication, but this can be turned off.
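To make the layered admission path concrete, here is a small decision model of the behaviour the review describes for the three authentication modes, the MAC Filter, and the default firewall rules. It is an added illustration written for this page, not SonicWALL code, and every name in it (WirelessConfig, Client, admit, lint) is hypothetical. Two points are assumptions rather than statements from the review: that enabling Guest Services flips the MAC Filter flag on (which is how the "isn't automatically disabled" gotcha arises), and that while Guest Services is on, guest clients are admitted to association by the guest machinery even though they never appear in the visible filter list.

```python
"""Constructed model of the TZW wireless admission path described in the
review: association (MAC Filter) -> authentication mode -> firewall rules.
Not the product's code; all names are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class WirelessConfig:
    guest_services: bool = False
    wifisec: bool = False
    mac_filter: bool = False
    mac_allow_list: Set[str] = field(default_factory=set)
    wlan_to_lan_rule: bool = False   # explicit rule allowing WLAN -> LAN traffic
    client_to_client: bool = False   # review: blocked by default
    max_associations: int = 32       # review: default association limit


@dataclass
class Client:
    mac: str
    guest_logged_in: bool = False    # completed the Guest Services web login
    ipsec_up: bool = False           # WiFiSec (IPsec) tunnel established


def enable_guest_services(cfg: WirelessConfig) -> None:
    cfg.guest_services = True
    cfg.mac_filter = True            # assumption: filter is "brought into play"


def disable_guest_services(cfg: WirelessConfig) -> None:
    cfg.guest_services = False       # review: MAC Filter is NOT switched off here


def can_associate(cfg: WirelessConfig, client: Client, current: int) -> Tuple[bool, str]:
    if current >= cfg.max_associations:
        return False, "association limit reached"
    # Assumption: with Guest Services on, guests associate even though they
    # are not shown in the list; with it off, the list is enforced as-is.
    if cfg.mac_filter and not cfg.guest_services and client.mac not in cfg.mac_allow_list:
        return False, "MAC not in filter list"
    return True, "associated"


def data_allowed(cfg: WirelessConfig, client: Client) -> Tuple[bool, str]:
    # Plain ESSID authentication only applies when neither mode is enabled.
    if not cfg.guest_services and not cfg.wifisec:
        return True, "normal"
    if cfg.wifisec and client.ipsec_up:
        return True, "wifisec"
    if cfg.guest_services and client.guest_logged_in:
        return True, "guest"
    return False, "unauthenticated"


def firewall_allows(cfg: WirelessConfig, mode: str, dst: str) -> bool:
    if dst == "wan":                 # default: Internet access only
        return True
    if dst == "lan":                 # WLAN->LAN rule is ignored for guest traffic
        return cfg.wlan_to_lan_rule and mode != "guest"
    if dst == "wlan":                # client-to-client is off unless enabled
        return cfg.client_to_client
    return False


def admit(cfg: WirelessConfig, client: Client, dst: str, current: int = 0) -> str:
    ok, why = can_associate(cfg, client, current)
    if not ok:
        return "blocked at association: " + why
    ok, mode = data_allowed(cfg, client)
    if not ok:
        return "associated, traffic blocked: " + mode
    if firewall_allows(cfg, mode, dst):
        return f"allowed ({mode})"
    return f"associated as {mode}, dropped by firewall for {dst}"


def lint(cfg: WirelessConfig) -> List[str]:
    """Flag the configuration state the review warns about."""
    warnings = []
    if cfg.mac_filter and not cfg.guest_services and not cfg.mac_allow_list:
        warnings.append("MAC Filter on with an empty list and Guest Services off: "
                        "no client can associate")
    return warnings


if __name__ == "__main__":
    cfg = WirelessConfig()
    enable_guest_services(cfg)
    guest = Client("00:11:22:33:44:55")          # constructed sample MAC
    print(admit(cfg, guest, "wan"))             # blocked until web login
    guest.guest_logged_in = True
    print(admit(cfg, guest, "wan"))             # allowed (guest)
    disable_guest_services(cfg)
    print(admit(cfg, guest, "wan"))             # the forgotten-filter gotcha
    print(lint(cfg))
```

The `lint` check is the part worth keeping around: it catches the state the review describes (Guest Services turned off, MAC Filter still on, list empty), which silently blocks every station at association.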
Other wireless settings of interest are the ability to set transmit power, Beacon and DTIM intervals, and RTS and Fragmentation thresholds. You can also limit the number of client associations (default is 32), authentication timeout, length of association, and terminate an associated client. You can separately limit the number of clients using Guest Services and choose whether to apply the TZW's firewall filtering to their traffic. And happily, there's the strongest wireless security feature of all - the ability to shut off the AP entirely!