Secure Wireless Networks




Version 2.2
INTEGRATED SOLUTIONS GUIDE
Secure Wireless Networks
Gateway Anti-Virus, Intrusion Prevention, Content Security Management, Secure Wireless, VoIP, Firewall/VPN

SonicWALL Secure Wireless Network Integrated Solutions Guide Version 2.2 SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale, CA 94089-1306 Phone: +1.408.745.9600 Fax: +1.408.745.9300 E-mail: info@sonicwall.com

Copyright Notice

© 2005 SonicWALL, Inc. All rights reserved.

Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format.

Specifications and descriptions subject to change without notice.

Trademarks

SonicWALL is a registered trademark of SonicWALL, Inc.

Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.

Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Limited Warranty

SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWALL's then-current Support Services policies.

This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL.

DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

Table of Contents

Wireless LAN Overview
  What is a WLAN?
  How Does a WLAN Work?
WLAN Design Considerations
  WLAN Design Top Ten Checklist
SonicWALL Secure Wireless Architecture
  SonicWALL Secure Wireless Architecture Components
SonicWALL Secure Wireless Network Deployment Solutions
  Solution #1: Securing WLANs with SonicWALL Security Services
  Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients
  Solution #3: Configuring Wireless Guest Services
  Solution #4: Configuring Wireless Intrusion Detection Services
  Solution #5: Configuring Microsoft IAS Server for WPA with PEAP
  Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP
  Solution #7: Configuring a Wireless Client for WPA with PEAP
  Solution #8: Configuring a Lightweight Hotspot Messaging Network
  Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions
  Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint
  Deploying SonicWALL GMS for a SonicWALL Secure Wireless Network
Device Characteristics
  SonicWALL Secure Wireless Solution Enablers Device Characteristics
  SonicWALL PRO Series Device Characteristics
  SonicWALL TZ Series Wireless Device Characteristics
Glossary
Related Documents
  Product Datasheets
  User Guides
  TechNotes
Contributors
Index

Document Scope

This solutions document describes how to plan, design, implement, and maintain a SonicWALL Secure Wireless network. The Secure Wireless Network solutions presented in this document are based on actual customer deployments and are SonicWALL-recommended deployment best practices. These solutions were tested and verified in a lab environment.

This document contains the following sections:

Wireless LAN Overview
WLAN Design Considerations
SonicWALL Secure Wireless Architecture
SonicWALL Secure Wireless Network Deployment Solutions
Solution #1: Securing WLANs with SonicWALL Security Services
Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients
Solution #3: Configuring Wireless Guest Services
Solution #4: Configuring Wireless Intrusion Detection Services
Solution #5: Configuring Microsoft IAS Server for WPA with PEAP
Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP
Solution #7: Configuring a Wireless Client for WPA with PEAP
Solution #8: Configuring a Lightweight Hotspot Messaging Network
Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions
Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint
Deploying SonicWALL GMS for a SonicWALL Secure Wireless Network

Wireless LAN Overview

This section provides an introduction to Wireless Local Area Networks (WLANs). This section contains the following subsections:

What is a WLAN?
How Does a WLAN Work?

After reading the Wireless LAN Overview section, you will be able to define the difference between a WLAN and a hard-wired LAN, obtain key design considerations for WLAN outdoor and indoor deployments, and learn the recent advancements in Wireless IPSec (WiFiSec) and WPA secure data transmission over traditional wireless deployments.

What is a WLAN?

A WLAN is a LAN that uses radio waves as the physical medium on which you are sending and receiving network data signals. In a conventional hard-wired LAN, client workstations are connected together with physical cables, ranging from shielded copper wire to fiber-optic cables. Hard-wired LANs are very expensive to implement due to the amount of effort required to install physical cabling. In addition to the high cost, you will face distance limitations depending on the type of cable you are using. Each type of physical cable has a length limitation or a maximum distance before the signal traveling on the wire deteriorates.

In addition to high cost and cabling distance limitations, hard-wired LANs limit laptop client mobility, since you are leashed to your connection: to a modem, wall jack, or networking device, such as a hub, switch or routing device. Each time you want to move your laptop client from one conference room to another, you are required to disconnect and then reconnect once you have moved locations.

How Does a WLAN Work?

The standards used for WLAN communications are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 series of standards. The IEEE 802.11 standards help to define and regulate the Physical and Media Access Control (MAC) layers of operation in a WLAN. For example, the IEEE 802.11b standard defines the use of the 2.4 Gigahertz (GHz) band in radio frequency (RF) for high-speed data communications; 802.11b supports data rates of 2 Mbps up to 11 Mbps. The IEEE 802.11g standard supports data rates up to 54 Mbps while also using the 2.4 GHz frequency band.

WLAN Design Considerations

Designing wireless networks opens up the door to an unbelievable array of connectivity options and benefits, anywhere from a shop owner wishing to provide free wireless Internet access to customers, to a large company wishing to free thousands of employees from their hard-wired workstations. Unfortunately, the current state of wireless networking is far less secure than it needs to be, and improper installation of wireless networking equipment can lead to unforeseen security risks. WPA is an interim standard that will be replaced. SonicWALL security appliances provide a wide array of active and passive security features that can be enabled to deter attempts to gain unauthorized wireless access to your protected networks. The following is a top-ten checklist of SonicWALL-recommended deployment design considerations for your WLAN.

WLAN Design Top Ten Checklist

This section provides a top-ten checklist for securing your distributed wireless network with SonicWALL's Secure Wireless Solutions. Traditional "Wireless Security Tips" lists recommend such actions as Disabling SSID Broadcasts, Enabling MAC Filter, and Disabling DHCP Services for the sake of obscuring the wireless network. While this will likely minimize the chances of wireless network trespassing, it will certainly make your wireless network more difficult to use for your authorized wireless users. SonicWALL recommends better methods of network defense than security through obscurity, and goes to great efforts to ensure not only a secure network, but a secure network that is effortless and uncomplicated to use. Although the three aforementioned tactics are possible with SonicWALL wireless equipment, SonicWALL instead recommends the following checklist for securing your wireless network:

1. Install a SonicWALL security appliance at your network gateway, and secure your network with Wireless IPSec (WiFiSec). Enabling WiFiSec causes the SonicWALL security appliance to pass only IPSec packets to and from its wireless interface. Enforcing WiFiSec ensures that wireless users are authenticated and that their wireless traffic is fully encrypted. On appliances running SonicOS 2.5 software and higher, WiFiSec is enabled by default to provide your network with end-to-end wireless traffic encryption using standard IPSec security mechanisms. This method of deployment ensures that only authorized users are connecting to the SonicWALL security appliance, and that the wireless traffic of authorized users is truly secure against interception and decoding from undesired third parties.

2. Install the SonicWALL Global VPN Client on your wireless clients.

Note: This will require your wireless clients to connect to the SonicWALL security appliance using the SonicWALL Global VPN Client for remote access to policy-allowed LAN resources, policy-allowed WAN access, and to other wireless clients.

Enable Gateway Anti-Virus (GAV), Intrusion Prevention Service (IPS), Content Filtering Service (CFS) security services on your WLAN zones.

3. As an alternative to (or even in conjunction with) the use of the SonicWALL Global VPN client, use WPA (Wi-Fi Protected Access) in either the WPA-PSK or the WPA-EAP variety, both of which are supported by SonicWALL wireless products. WPA-PSK allows for the use of a pre-shared key or password for associating and authenticating with the wireless network, while WPA-EAP uses an extensible authentication protocol scheme, typically with a back-end user database such as RADIUS. Since WPA-EAP requires an external authentication server, it can be fairly complicated to configure, and is generally used infrequently by smaller networks. Also, using WPA requires that your wireless clients are WPA capable; this requires WPA compatible client cards (such as the SonicWALL Long-Range/Dual-Band wireless card) with current drivers, and a WPA supplicant or natively WPA-capable operating system.

4. Use the radio scheduling feature on your SonicWALL wireless equipment to disable the wireless radios when they are not in use. If your wireless network is only in use from 7am to 10pm, you can schedule the radio to disable itself entirely during off-hours, completely eliminating the possibility of unwanted or unauthorized detection or access without impeding regular use.

5. Enforce the use of Wireless Guest Services (WGS). By enabling this feature, all wireless clients must authenticate themselves to the SonicWALL security appliance using HTTP or HTTPS before they are allowed access to resources on the WAN. The user and password database can either be stored onboard the SonicWALL security appliance or the SonicWALL security appliance can authenticate users from external RADIUS servers. A recent online review of WGS said, "Instead of having visitors and conference room attendees locked out of Wi-Fi goodness, [WGS] shunts them to a different place, the Internet." Using WGS, network administrators can configure their SonicWALL security appliances to allow wireless guests access to the Internet, but with blocked access to your corporate network.

6. Activate the SonicWALL security appliance's Wireless Intrusion Detection Services (IDS) features. This will allow your SonicWALL security appliance to perform active and passive scans of the 802.11b wireless channels to detect rogue access points (wireless access points that were installed on your internal network without your corporate IT network administrator's approval). It also allows the SonicWALL security appliance to protect itself against association flood attacks and to detect possible disassociation attacks launched against your wireless clients using sequence number analysis.

7. If you are not using WiFiSec, WEP, or WPA, use applications that can be directly secured, such as HTTPS Web browser sessions, SSH, or SSL-enabled applications like SFTP. Make sure these applications are password-secured, use strong passwords, and have their passwords changed often.

8. Select an SSID that is recognizable by your authorized users, but which does not disclose any sensitive information.

9. Adjust the SonicWALL security appliance's wireless radio power settings and management frame settings. Tuning these settings properly can prevent your wireless signal from bleeding into unwanted areas (such as public areas with adjacent buildings occupied by other wireless users). Wardrivers often look for public spots into which a usable signal has leaked, so take this into account when adjusting your SonicWALL security appliance.

10. Do not advertise your wireless network unnecessarily. When possible, place your wireless radios away from the perimeters of your premises to avoid the radio signal bleeding beyond required boundaries. And finally, to reach the zenith of physical security for your wireless network, consider an elemental Faraday cage in a can: http://www.forcefieldwireless.com/products.html

Tip: Document a clearly defined network security policy. This will help you ensure your users have the information they need in order to connect using wireless clients. Make sure your users understand why these settings are required, and make sure that the security policy does not directly conflict with their network access needs.
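Checklist item 6 mentions detecting disassociation attacks through sequence number analysis. The following sketch is an added example, not SonicWALL's implementation: it tracks the 12-bit 802.11 sequence counter per transmitter and flags disassociation or deauthentication frames whose sequence number does not continue that counter. The frame records, MAC address, gap tolerance and the single-counter-per-transmitter model (no QoS per-TID counters) are assumptions made for illustration.

```python
from collections import namedtuple

SEQ_MODULO = 4096      # the 802.11 sequence number field is 12 bits wide
MAX_FORWARD_GAP = 64   # assumed tolerance for frames the sensor failed to capture
# 802.11 management subtypes 10 (disassociation) and 12 (deauthentication)
TEARDOWN_KINDS = {"disassociation", "deauthentication"}

# One captured frame as seen by a monitoring radio (hypothetical record layout).
Frame = namedtuple("Frame", "ts transmitter kind seq retry")


class SequenceMonitor:
    """Tracks the last plausible sequence number seen from each transmitter."""

    def __init__(self, max_gap=MAX_FORWARD_GAP):
        self.max_gap = max_gap
        self.last_seq = {}  # transmitter MAC -> last in-sequence number

    def observe(self, frame):
        """Return an alert dict for an out-of-sequence teardown frame, else None."""
        last = self.last_seq.get(frame.transmitter)
        if last is None:
            # First frame from this transmitter: nothing to compare against yet.
            self.last_seq[frame.transmitter] = frame.seq
            return None

        # Forward distance on the 12-bit ring, so 4095 -> 1 counts as a gap of 2.
        gap = (frame.seq - last) % SEQ_MODULO

        if gap == 0 and frame.retry:
            return None  # legitimate retransmission reuses the sequence number
        if 1 <= gap <= self.max_gap:
            self.last_seq[frame.transmitter] = frame.seq
            return None

        # Out of sequence: the frame does not continue this transmitter's counter,
        # which is what a frame injected under a borrowed MAC address looks like.
        # The baseline is left untouched so the genuine stream keeps validating.
        # A station that resets its counter (for example after a reboot) trips
        # this check too, so a real sensor would correlate with other signals.
        if frame.kind in TEARDOWN_KINDS:
            return {
                "ts": frame.ts,
                "transmitter": frame.transmitter,
                "kind": frame.kind,
                "seq": frame.seq,
                "expected_after": last,
                "gap": gap,
            }
        return None


def detect(frames, max_gap=MAX_FORWARD_GAP):
    """Run a capture through the monitor and return the list of alerts."""
    monitor = SequenceMonitor(max_gap)
    return [alert for alert in map(monitor.observe, frames) if alert is not None]


# Constructed sample capture (not real traffic). The MAC address is a
# locally administered placeholder standing in for an authorized access point.
AP = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    Frame(0.00, AP, "beacon", 4090, False),
    Frame(0.10, AP, "data", 4093, False),
    Frame(0.20, AP, "beacon", 4095, False),
    Frame(0.30, AP, "data", 1, False),                 # counter wraps past 4095
    Frame(0.31, AP, "disassociation", 2210, False),    # does not continue counter
    Frame(0.32, AP, "disassociation", 2211, False),    # does not continue counter
    Frame(0.40, AP, "data", 3, False),
    Frame(0.41, AP, "data", 3, True),                  # retransmission
    Frame(0.50, AP, "disassociation", 5, False),       # genuine, in sequence
    Frame(0.60, AP, "deauthentication", 3000, False),  # does not continue counter
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print("{ts:.2f}s {kind} from {transmitter}: seq {seq}, "
              "last in-sequence {expected_after}, gap {gap}".format(**alert))
```
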

SonicWALL Secure Wireless Architecture

SonicWALL's Secure Wireless solution provides a framework for the easy integration of all three IEEE 802.11 a/b/g standards for WLANs. At the center of the SonicWALL Secure Wireless network is a SonicWALL PRO Series (platform class) Internet security appliance that integrates IEEE 802.11a/b/g wireless management and security enforcement capabilities into an enterprise class firewall/VPN gateway. Figure 1 provides a network diagram of a SonicWALL Global Management System (GMS)-managed deployment of a SonicWALL Secure Wireless network.

Figure 1: SonicWALL Secure Wireless Architecture

SonicWALL Secure Wireless Architecture Components

SonicWALL's Secure Wireless Architecture incorporates the following product components that create the fully integrated wireless network and security infrastructure:

SonicWALL PRO Series Security Appliances
SonicWALL SonicPoints and SonicWALL PoE Injectors
SonicWALL Long Range Dual Band Wireless Cards and the SonicWALL Global VPN Client

SonicWALL PRO Series Security Appliances

In addition to being an integrated firewall and VPN security appliance, a SonicWALL PRO Series appliance functions as a secure wireless switch and controller that automatically detects and configures SonicPoints as they are added to the network. Through the SonicWALL Discovery Protocol (SDP), the SonicWALL PRO Series security appliance and the SonicPoint automatically locate each other on the network. After this discovery, SonicWALL Simple Provisioning Protocol (SSPP) auto-provisions the SonicPoints with a predefined configuration through an encrypted tunnel between the SonicWALL PRO Series security appliance and the SonicPoint.

Benefits

For a list of SonicWALL PRO Series deployment benefits and latest platform features, refer to the SonicWALL PRO Series product data sheets located in the Product Datasheets section.

SonicWALL PRO Series Security Appliance Platforms

The SonicWALL PRO Series security appliances running SonicOS Enhanced 2.5 or greater are the security appliances that provide central security management of both wired and wireless networks while also automatically detecting SonicPoint access points as they are added to the network. This section contains the following subsections:

SonicWALL PRO 2040
SonicWALL PRO 3060
SonicWALL PRO 4060
SonicWALL PRO 4100
SonicWALL PRO 5060

SonicWALL PRO 2040

The SonicWALL PRO 2040 utilizes a robust four-port architecture to deliver powerful firewall throughput and IPSec VPN in an affordable, rack-mounted appliance, making it an outstanding value for small to mid-sized networks. As a comprehensive network security, mobility and productivity solution targeting networks comprised of 200 or fewer nodes or 50 or fewer network locations, the SonicWALL PRO 2040 offers the configuration flexibility and redundancy features typically associated with more expensive appliances.

In addition to firewall performance up to 200 Mbps, the PRO 2040 features the ability to run SonicOS Enhanced, enabling optional upgrades such as ISP failover, WAN redundancy and load balancing, and object and policy-based management. With the upgrade to SonicOS Enhanced, the WAN and LAN ports stay static while the other two ports are fully customizable as a second LAN, a second WAN, a DMZ, another customized network zone, or a hardware failover port.

The SonicWALL PRO 2040 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 2040 deployment benefits and latest platform features, refer to the SonicWALL PRO 2040 product data sheet located in the Product Datasheets section.

Figure 2 displays the front and back panel of the SonicWALL PRO 2040.

Figure 2: SonicWALL PRO 2040

Supports up to 8 SonicPoints.
Recommended number of SonicPoints per WLAN interface: 4

SonicWALL PRO 3060

The SonicWALL PRO 3060 is a total security platform for complex networks featuring a deep packet inspection architecture and six fully configurable Ethernet ports that can be configured as multiple WANs, LANs, DMZs or user defined interfaces. This high performance ICSA-certified deep packet inspection firewall accommodates 128,000 simultaneous connections and comes standard with IPSec VPN, 25 concurrent VPN Client licenses and 1,000 site-to-site VPN policies.

The SonicWALL PRO 3060 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 3060 deployment benefits and latest platform features, refer to the SonicWALL PRO 3060/4060 product data sheet located in the Product Datasheets section.

Figure 3 displays the front and back panel of the SonicWALL PRO 3060.

Figure 3: SonicWALL PRO 3060

Supports up to 32 SonicPoints.
Recommended number of SonicPoints per WLAN interface: 8

SonicWALL PRO 4060

The SonicWALL PRO 4060 is a total security platform for complex networks, utilizing a deep packet inspection architecture and six fully configurable Ethernet ports that can be configured as multiple WANs, LANs, DMZs or user defined interfaces. This high performance ICSA-certified deep packet inspection firewall accommodates 500,000 simultaneous connections and comes standard with IPSec VPN, 1,000 concurrent VPN Client sessions, 3,000 site-to-site VPN policies, and Hardware Failover.

The SonicWALL PRO 4060 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 4060 deployment benefits and latest platform features, refer to the SonicWALL PRO 3060/4060 product data sheet located in the Product Datasheets section.

Figure 4 displays the front and back panel of the SonicWALL PRO 4060.

Figure 4: SonicWALL PRO 4060

Supports up to 64 SonicPoints.
Recommended number of SonicPoints per WLAN interface: 16

SonicWALL Secure Wireless Architecture SonicWALL PRO 4100 The SonicWALL PRO 4100 is a real-time unified threat management firewall appliance utilizing 10 gigabit interfaces to deliver internal and external network protection for corporate central sites, distributed environments and data centers. The PRO 4100 combines high-speed gateway anti-virus, anti-spyware, intrusion prevention and powerful deep packet inspection capabilities with an extensive array of advanced networking and configuration features in an affordable platform that is flexible to deploy and manage in a wide variety of environments. With 10 configurable gigabit Ethernet interfaces and built-in secure wireless LAN functionality, the PRO 4100 is an ideal solution for a host of wired and wireless applications requiring high-speed access and heavy workgroup segmentation. Using the innovative SonicWALL Clean VPN, the PRO 4100 ensures mobile user connections and branch office traffic are decontaminated to prevent vulnerabilities and malicious code from being propagated. Robust trusted network protection is achieved across all Ethernet ports, virtual LANs and connected wireless LANs to eliminate threats originating inside corporate networks, between networked departments or data center zones. To extend flexibility and performance throughout the network, the PRO 4100 also supports virtual local area networks (VLANs), enterprise class-routing and QoS features as standard offerings. The PRO 4100 s dynamic security platform incorporates real-time gateway anti-virus, anti-spyware, intrusion prevention and anti-spam technologies for application-level attack prevention against viruses, worms, Trojans, spyware, phishing schemes, spam and other malicious threats. The dynamically updatable architecture ensures around-the-clock security updates without any administrator intervention. 
In addition to security and performance optimizations, the PRO 4100 ships with powerful SonicWALL SonicOS Enhanced firmware, enabling business continuity and flexibility features including onboard Quality of Service (QoS) features, advanced routing services such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP), ISP failover, WAN redundancy, zone management and more. With SonicOS Enhanced, the ports are customizable as a second LAN, a second WAN, a DMZ, another customized network zone, or a hardware failover port for continuous network uptime. SonicOS Enhanced also features standards-based Voice over IP (VoIP) capabilities, enabling organizations to inexpensively transport audio and video media such as telephone calls and streaming video over wired and wireless IP-based networks.

The PRO 4100 integrates support for SonicWALL's portfolio of advanced security services and can be managed by the award-winning SonicWALL Global Management System. Bundled with 1,500 Global VPN Client licenses, the PRO 4100 allows easy network access from any location, using any Internet connection, over any IP network.

Every SonicWALL PRO 4100 comes standard with one year of Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service, 30 days of Content Filtering Service (Premium Edition), 30 days of 50-user McAfee gateway-enforced Network Anti-Virus, ViewPoint reporting software and 90-day email and telephone support. Extended 8x5 and 24x7 hardware replacement and software upgrade support contracts are available. (Note: 8x5 support available in US, Canada, Europe and Japan. 24x7 support available in the US, Canada and EMEA only.)

Benefits

For a list of SonicWALL PRO 4100 deployment benefits and latest platform features, refer to the SonicWALL PRO 4100 product data sheet located in the Product Datasheets section on page 189.

Figure 5 displays the front and back panel of the SonicWALL PRO 4100.

Figure 5 SonicWALL PRO 4100

Supports up to 128 SonicPoints. Recommended number of SonicPoints per WLAN interface: 32

SonicWALL PRO 5060

The SonicWALL PRO 5060 is a high-performance, multi-service gigabit security appliance designed for medium-to-large networks. The SonicWALL PRO 5060 integrates high-speed intrusion prevention, content filtering, enforced anti-virus, stateful firewall and IPSec VPN into a single solution that is easy to deploy and manage. Available in both 10/100/1000 copper and copper/fiber interface configurations, the SonicWALL PRO 5060 incorporates a wide array of networking and security features, making it an ideal solution for a multitude of applications.

In addition to gigabit stateful inspection performance, the SonicWALL PRO 5060 ships with SonicOS Enhanced, enabling business continuity and flexibility features such as ISP failover, WAN redundancy and load balancing, object and policy-based management and more. With SonicOS Enhanced, the ports are customizable as a second LAN, a second WAN, a DMZ, another customized network zone, or a Hardware Failover port. The SonicWALL PRO 5060 supports SonicWALL's advanced security services, including Intrusion Prevention Service, Gateway Anti-Virus, Network Anti-Virus, Content Filtering Service, and Global Security Client and can be managed by SonicWALL's award-winning Global Management System.

Benefits

For a list of SonicWALL PRO 5060 deployment benefits and latest platform features, refer to the SonicWALL PRO 5060 product data sheet located in the Product Datasheets section on page 189.

Figure 6 displays the front and back panel of the SonicWALL PRO 5060.

Figure 6 SonicWALL PRO 5060

Supports up to 128 SonicPoints. Recommended number of SonicPoints per WLAN interface: 32

SonicWALL SonicPoints and SonicWALL PoE Injectors

This section provides hardware and software specifications for the following SonicWALL Secure Wireless architecture components:

SonicPoint Access Points
SonicWALL PoE Injector

SonicPoint Access Points

The SonicWALL SonicPoint is a tri-mode, dual band, dual radio, IEEE 802.11a/b/g compliant, secure, satellite access point that is centrally managed and configured by any SonicWALL TZ 170 or SonicWALL PRO Series security appliance. As a SonicWALL Secure Wireless Solution Enabler, SonicPoints deliver a secure wireless solution that scales to meet the specific wireless needs of mid- to large-sized networks. Utilizing SonicPoints, SonicWALL Secure Wireless Solution delivers features such as Wireless Intrusion Detection Services, wireless firewalling, secure wireless roaming and Wireless Guest Services (WGS).

The SonicPoint G provides 802.11b/g (2.4 GHz radio band) wireless connections, and provides detachable antennas. The SonicPoint G can be managed by a SonicWALL security appliance running SonicOS Enhanced 3.1.0.6, or higher.

Figure 7 displays the front and back panel of the SonicPoint and SonicPoint G.

Figure 7 SonicPoint and SonicPoint G

Benefits

For a list of SonicPoint deployment benefits and latest SonicWALL Secure Wireless Solution Enabler features, refer to the SonicWALL Secure Wireless Solution product data sheet located in the Product Datasheets section on page 189.

SonicWALL PoE Injector

The SonicWALL PoE Injector is an IEEE 802.3af compliant power injector featuring an advanced auto-sensing algorithm that automatically detects the presence of PoE-compatible devices and injects the appropriate power into the data cable. A plug-and-play device, the PoE Injector fits easily into wireless Ethernet infrastructures and requires no configuration or management. When deployed into a wireless network, the PoE Injector reduces costs, lowers downtime, and provides easier maintenance and greater flexibility than traditional cabling.

Figure 8 displays the front panel of the SonicWALL PoE Injector.

Figure 8 SonicWALL PoE Injector

Benefits

For a list of SonicWALL PoE Injector deployment benefits and latest SonicWALL Secure Wireless Solution Enabler features, refer to the SonicWALL Secure Wireless Solution product data sheet located in the Product Datasheets section on page 189.

SonicWALL Long Range Dual Band Wireless Cards and the SonicWALL Global VPN Client

SonicWALL's Secure Wireless Architecture incorporates the following products to enable long range wireless VPN networking and security for WLAN clients:

SonicWALL Long Range Dual Band Wireless Card
SonicWALL Global VPN Client

SonicWALL Long Range Dual Band Wireless Card

The SonicWALL Long Range Dual Band Wireless Card is a tri-mode, dual band, IEEE 802.11a/b/g-compliant CardBus PC card that complements the high-power wireless capability of SonicWALL's Secure Wireless solutions. When combined with any SonicWALL secure wireless appliance, the SonicWALL Long Range Dual Band Wireless Card delivers superior throughput, range and bulletproof wireless IPSec security. Included with the SonicWALL Long Range Dual Band Wireless Card is SonicWALL's Global VPN Client software, creating a complete secure wireless solution.

Figure 9 displays the SonicWALL Long Range Dual Band Wireless Card.

Figure 9 SonicWALL Long Range Dual Band Wireless Card

Benefits

For a list of SonicWALL Long Range Dual Band Wireless Card deployment benefits and latest SonicWALL Secure Wireless Solution Enabler features, refer to the SonicWALL Secure Wireless Solution product data sheet located in the Product Datasheets section on page 189.

SonicWALL Global VPN Client

SonicWALL Global VPN Client (GVC) provides mobile users with secure, easy-to-use access to mission-critical network resources through broadband, wireless and dial-up connections. SonicWALL GVC software is supported on notebooks and desktop computers running Windows operating systems (Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000 Professional, Windows XP Professional, Windows XPE, and Windows XP Home Edition) and on handheld devices running Microsoft PocketPC 2003. SonicWALL GVC is not compatible with VPN gateways from other vendors.

Benefits

For a list of SonicWALL GVC deployment benefits and latest SonicWALL security upgrade software features, refer to the SonicWALL Global VPN Client product data sheet located in the Product Datasheets section on page 189.

SonicWALL Secure Wireless Network Deployment Solutions

This section provides multiple SonicWALL Secure Wireless network deployment solutions. For enterprise-class security for any size wireless network, the following are SonicWALL best-practice solutions that scale in network deployments from the small cafe hotspot to large enterprise and campus network deployments. The deployment solutions apply if you are adding WLANs to an existing network infrastructure or creating a new SonicWALL Secure Wireless network from the ground up.

SonicWALL recommended Secure Wireless network best practice solutions are described in the following subsections:

Solution #1: Securing WLANs with SonicWALL Security Services
Solution #2: Configuring a SonicWALL PRO Series Security Appliance to Manage a WLAN of SonicPoints and SonicWALL Long Range Wireless Clients
Solution #3: Configuring Wireless Guest Services
Solution #4: Configuring Wireless Intrusion Detection Services
Solution #5: Configuring Microsoft IAS Server for WPA with PEAP
Solution #6: Configuring Steel-Belted RADIUS Server for WPA with PEAP
Solution #7: Configuring a Wireless Client for WPA with PEAP
Solution #8: Configuring a Lightweight Hotspot Messaging Network
Solution #9: Integrating SonicWALL SSL-VPN and SonicWALL Secure Wireless Solutions
Solution #10: Configuring a Secure Wireless Bridge from a SonicWALL TZ 170 Wireless to a SonicPoint

Using the SonicOS Software Management Console Interface

The SonicOS Management Interface allows you to configure all aspects of the SonicWALL security appliance.

Figure 10 SonicOS Management Interface

The SonicOS Web Management Interface provides an intuitive, easy-to-use graphical interface for configuring your SonicWALL security appliances and SonicPoints. Perform SonicOS management functions through a Web browser. The left-navigation panel on the SonicOS Web Management Interface includes a hierarchy of console settings. The management console on the SonicOS Enhanced software includes the console settings described in Table 1.

Table 1 SonicOS Enhanced Management Console Settings

Console Setting: Functions

System: From the System > Administration page, set the administrative username and password.

Network: From the Network > Interfaces page, configure the LAN, WAN, and Wireless (WLAN) interfaces. From the Network > Zones page, select a SonicPoint Profile for all SonicPoints on the Wireless (WLAN) zone. From the Network > Zones page, enable or disable security services for each network zone. From the Network > DHCP Server page, configure the DHCP server ranges for each network zone.

Wireless: From the Wireless > SonicPoints page, configure and manage your SonicPoints. From the Wireless > Station Status page, obtain reports on wireless clients connected to each SonicPoint. From the Wireless > IDS page, obtain reports and block rogue access points and other wireless intrusions.

Firewall: Configure and manage access policies.

VPN: From the VPN > Settings page, configure and manage GroupVPN policies. GroupVPN is required on Wireless security zones for WiFiSec security.

Users: From the Users > Settings page, manage the user authentication with a RADIUS server or configure management of all users locally. From the Users > Local Users page, configure individual user access to resources with GroupVPN policies. From the Users > Local Groups page, configure user groups and group access to resources with GroupVPN policies.

Hardware Failover: Manage failover to a backup SonicWALL security appliance.

Security Services: Manage subscription-based security services.

Log: From the Log > View page, obtain log event message reports on network activity and user configuration on your SonicWALL security appliance.

Wizards: Launch SonicOS Wizards to guide you through initial Setup, VPN configuration, and adding Public Servers to your network.

Help: Access online help documentation on using the SonicOS management console interface.

Logout: Log out of the SonicOS management console interface.

Solution #1: Securing WLANs with SonicWALL Security Services

This section provides an introduction to SonicWALL Security Services that provide unified threat management against objectionable and inappropriate Web content, viruses, worms, Trojans, and malicious code for your wired and wireless networks. This section contains the following subsections:

SonicWALL Gateway Anti-Virus/Anti-Spyware/Intrusion Prevention Service
SonicWALL Content Filtering Service

After reading the Deploying SonicWALL Security Services section, you will understand how these security services protect your network, how to activate the service on your SonicWALL security appliance, and how to enable the service to provide layered security for your WLAN.

SonicWALL Gateway Anti-Virus/Anti-Spyware/Intrusion Prevention Service

SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware and Intrusion Prevention Service (IPS) is SonicWALL's unified threat management solution that integrates gateway anti-virus, anti-spyware and intrusion prevention to deliver intelligent, real-time network security protection against sophisticated application layer and content-based attacks. Utilizing a configurable, high-performance deep packet inspection architecture, SonicWALL GAV, Anti-Spyware and IPS secures the network from the core to the perimeter against a comprehensive array of dynamic threats including viruses, spyware, worms, Trojans, and software vulnerabilities such as buffer overflows, as well as peer-to-peer and instant messenger applications, backdoor exploits, and other malicious code. Because new threats emerge daily and are often unpredictable, the deep packet inspection architecture is constantly updated to deliver the highest protection possible against an ever-changing threat landscape.
This unique solution features a powerful deep packet inspection engine that delivers threat protection directly on the security gateway by matching downloaded, e-mailed and compressed files against an extensive signature database created by a combination of SonicWALL's SonicAlert Team and third-party sources. SonicWALL GAV, Anti-Spyware and IPS inspects traffic over e-mail, Web, file transfer and a multitude of stream-based protocols as well as instant messaging and peer-to-peer applications, providing comprehensive network threat prevention and control. As an added layer of security, SonicWALL GAV, Anti-Spyware and IPS provides application layer attack protection not only against external threats, but also against those originating inside the network.

Because files containing malicious code, viruses and worms can be compressed and therefore inaccessible to conventional solutions, SonicWALL GAV, Anti-Spyware and IPS integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis. Supported compression formats include ZIP, Deflate and GZIP. Unlike other threat management solutions, SonicWALL GAV, Anti-Spyware and IPS has the capacity to analyze files of any size in real-time without the need to add expensive hardware drives or extra memory.

SonicWALL GAV, Anti-Spyware and IPS includes a pro-active alerting mechanism that notifies network administrators when a new threat is discovered. Granular policy tools and an intuitive user interface enable administrators to configure a custom set of detection or prevention policies tailored to their specific network environment. Available as a subscription-based security service for SonicWALL TZ and PRO Series security appliances, GAV, Anti-Spyware and IPS is a fundamental requirement for ultimate security protection and a key component of SonicWALL's strategy of providing scalable, multi-layered security to networks of all sizes.

This section contains the following subsections:

SonicWALL IPS Protection for Your WLANs
SonicWALL GAV Protection for Your WLANs
SonicWALL Anti-Spyware Protection for Your WLANs
Activating SonicWALL GAV/Anti-Spyware/IPS
Enabling SonicWALL IPS
Enabling SonicWALL GAV
Enabling SonicWALL Anti-Spyware

Note: When you activate SonicWALL IPS, SonicWALL GAV and Anti-Spyware are also activated. SonicWALL GAV/Anti-Spyware/IPS security services are managed directly from the SonicWALL security appliance.

SonicWALL IPS Protection for Your WLANs

SonicWALL IPS delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services, and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, peer-to-peer, spyware, and back-door exploits. The extensible signature language used in SonicWALL's Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWALL's industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.

Alternatively, SonicWALL Global Management System provides global management capabilities that enable administrators to manage SonicWALL IPS across multiple SonicWALL security appliances from a central location.
SonicWALL GMS solutions allow administrators to create detailed reports based on attack source, destination and type of intrusion, such as Top Intrusions, Destinations Over Time, and Intrusions Over Time.

SonicWALL GAV Protection for Your WLANs

SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL's IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL's reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL's SonicAlert Team, third-party virus analysts, open source developers and other sources.

SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, peer-to-peer, instant messenger applications, and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis.

SonicWALL Anti-Spyware Protection for Your WLANs

The SonicWALL Anti-Spyware Service protects networks from intrusive spyware by cutting off spyware installations and delivery at the gateway and denying previously installed spyware from communicating collected information outbound. SonicWALL Anti-Spyware works with other anti-spyware programs, such as programs that remove existing spyware applications from hosts. You are encouraged to use or install host-based anti-spyware software as an added measure of defense against spyware.

SonicWALL Anti-Spyware analyzes inbound connections for the most common method of spyware delivery, ActiveX-based component installations. It also examines inbound setup executables and cabinet files crossing the gateway, and resets the connections that are streaming spyware setup files to the LAN. These file packages may be freeware bundled with adware, keyloggers, or other spyware. If spyware has been installed on a LAN workstation prior to the SonicWALL Anti-Spyware solution install, the service will examine outbound traffic for streams originating at spyware infected clients and reset those connections.
For example, when spyware has been profiling a user's browsing habits and attempts to send the profile information home, the SonicWALL security appliance identifies that traffic and resets the connection.

Activating SonicWALL GAV/Anti-Spyware/IPS

If you do not have a SonicWALL GAV/Anti-Spyware/IPS Activation Key, you must purchase a license from a SonicWALL reseller or through your mysonicwall.com account.

Note: Your SonicWALL security appliance must be registered at mysonicwall.com to activate any SonicWALL security service. You can create a mysonicwall.com account and register your SonicWALL security appliance via the management interface on the System > Status page. For more detailed instructions on registering a SonicWALL security appliance, refer to the SonicOS Enhanced Administrator's Guide located on the SonicWALL Web site: <http://www.sonicwall.com/support/documentation.html>.

You must activate the bundled SonicWALL GAV/Anti-Spyware/IPS license for SonicWALL IPS first. The Activation Key for SonicWALL IPS is a parent key for SonicWALL GAV. When you activate the SonicWALL IPS license, the SonicWALL GAV child key is automatically activated on the SonicWALL security appliance.

To activate SonicWALL GAV/Anti-Spyware/IPS with an Activation Key:

Step 1 Select the Security Services > Intrusion Prevention page in the SonicWALL security appliance management interface.

Step 2 Click the SonicWALL IPS Subscription link. The mysonicwall.com Login page is displayed.