SonicWALL has designed their deep packet inspection firewall to detect Voice over IP traffic, simplifying firewall configurations to securely pass voice media. Recognized VoIP protocols include H.323 and SIP. You can also use MGCP and SCCP on your network, but you'll need to create custom rules, or limit use of those protocols to internal LAN communication. My network has an Asterisk VoIP server that utilizes SIP signaling with an external VoIP provider (www.broadvoice.com) for Long Distance calling.
I used the VoIP Server Address Object I created above to build an Access Rule that forwards SIP signaling from the WAN to my VoIP server's private IP address on the LAN.
The VoIP menu has a simple option, “Enable SIP Transformation,” which dynamically opens up the RTP/RTCP ports to pass the voice media in a SIP call. This is a more secure approach, as the RTP ports are opened per call instead of being permanently opened. The TZ 190 then monitors the status of all VoIP calls, allowing them to be logged and active calls to be displayed in the VoIP Call Status menu, as shown below.
Figure 16: VoIP Call Status menu
I found it interesting that SonicWALL has included Cisco Call Manager interoperability with the TZ 190. The TZ 190 DHCP server can be configured to send the IP addresses of up to three Cisco Call Manager servers to IP Phones.
The TZ 190 offers two levels of VPN functionality: Site-to-Site and Client to Gateway VPN, both using IPSec technology. You'd set up a Site-to-Site VPN tunnel to connect the routers at two different offices. Of course, SonicWALL has a Wizard to make it easy to set up a VPN tunnel between two SonicWALL routers, or you can set up an IPSec tunnel between a SonicWALL and another brand of router, as long as the options on both sides match.
Client to Gateway VPN functionality is also available for remote PCs to connect to the TZ 190. This requires each client PC to load the SonicWALL Global VPN client. Of note, SonicWALL's full release VPN client isn't ready for Vista. Most of SonicWALL's features and products are Vista ready; they have a matrix explaining release dates and compatibility here.
With a little hunting through SonicWALL's Web forum, I was able to locate, download, and install SonicWALL's Beta Global VPN Client for Vista on my laptop. The VPN Client software has a simple wizard (another wizard!) to input the home office IP address or domain, and select enable. From a remote location with a standard cable Internet connection, I was able to use the Vista VPN Client to connect to the TZ 190 and get an IP address from my LAN, which enabled me to access my servers and NAS devices securely and remotely.
I tested SonicWALL's Client VPN throughput using a free utility from Ixia called Qcheck between my laptop and a Windows server on my LAN. TCP throughput testing, using a 1000 KByte file size, showed relatively low numbers, averaging 1.572 Mbps from Client to Server and 1.149 Mbps from Server to Client. Note that this measurement was taken using 3DES encryption for both IKE and tunnel. I didn't test using the more secure and compute-intensive AES encryption.
As you can see from Table 1, performance was pretty consistent. While this VPN throughput is well matched to a T1 service, it’s on the low end of the range of what’s available from much less expensive products such as the NETGEAR FVS114.
| Direction | Average (Mbps) | Test 1 | Test 2 | Test 3 |
|---|---|---|---|---|
| Client to Server | 1.572 | 1.719 | 1.515 | 1.483 |
| Server to Client | 1.149 | 1.125 | 0.984 | 1.338 |

Table 1: VPN Client throughput (speeds in Mbps; the first column is the average of the three tests)
SonicWALL adds 802.11b/g Wi-Fi functionality in the TZ 190W, allowing it to function as either an Access Point or Wireless Bridge. Firing up the Access Point was a piece of cake, again using one of the SonicOS Wizards. I had no problem connecting Intel and Linksys wireless NICs, even a Nintendo DS, to the Access Point. The Wireless status menu indicates the TZ 190W will allow up to 32 simultaneous wireless connections. I got a kick out of using the WLAN and WWAN simultaneously. Talk about complete wireless nirvana; I was able to surf the Internet without wires from my PC to the router, and without wires from the router to the world!
The TZ 190W supports full wireless security, including WEP, WPA, WPA2 encryption, as well as MAC address filtering. As mentioned previously, the default Zone security settings disable WLAN client access to the wired LAN. In addition, the TZ 190W puts wireless clients on a separate subnet. The default configuration puts wired LAN clients on the 192.168.168.0/24 network, while WLAN clients are given addresses in the 172.16.31.0/24 network. This separation enables the firewall to more effectively control traffic between the inherently less secure WLAN and the sensitive devices on your LAN.
To further enhance security, a network administrator can configure the TZ 190W to enforce use of the VPN client software over the WLAN. This feature, referred to as WiFiSec, is an additional level of protection, and is recommended by SonicWALL if using WEP encryption.