Wireless/Status

The SonicWALL TZ 170 Wireless and TZ 170 SP Wireless support two wireless protocols called IEEE 802.11b and 802.11g, commonly known as Wi-Fi, and send data via radio transmissions. The SonicWALL TZ 170 Wireless combines three networking components to offer a fully secure wireless firewall: an Access Point, a secure wireless gateway, and a stateful firewall with flexible NAT and VPN termination and initiation capabilities. With this combination, the TZ 170 Wireless offers the flexibility of wireless without compromising network security.

Note: The information in this chapter refers to the wireless features of the TZ 170 Wireless and TZ 170 SP Wireless security appliances running SonicOS Enhanced. When the text in this chapter refers to the TZ 170 Wireless, the information applies to both security appliances.

Typically, the TZ 170 Wireless is the access point for your wireless LAN and serves as the central access point for computers on your LAN. In addition, it shares a single broadband connection with the computers on your network. Since the TZ 170 Wireless also provides firewall protection, intruders from the Internet cannot access the computers or files on your network. This is especially important for an "always-on" connection such as a DSL or T1 line that is shared by computers on a network.

However, wireless LANs are vulnerable to "eavesdropping" by other wireless networks which means you should establish a wireless security policy for your wireless LAN. On the TZ 170 Wireless, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer where the client is required to be authenticated via User Level Authentication. Wireless access to Guest Services and MAC Filter Lists are managed by the TZ 170 Wireless. It is also at this layer that the TZ 170 Wireless has the capability of enforcing WiFiSec, an IPsec-based VPN overlay for wireless networking. As wireless network traffic successfully passes through these layers, it is then passed to the VPN-NAT-Stateful firewall layer where WiFiSec termination, address translation, and access rules are applied. If all of the security criteria is met, then wireless network traffic can then pass via one of the following Distribution Systems (DS):

LAN
WAN
Wireless Client on the WLAN
DMZ or other zone on Opt port
VPN tunnel

Considerations for Using Wireless Connections

Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
Convenience - wireless networks do not require cabling of individual computers or
opening computer cases to install network cards.
Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
Range and Coverage - if your network environment contains numerous physical barriers or interference factors, wireless networking may not be suitable for your network.
Security - wireless networks have inherent security issues due to the unrestricted nature of the wireless transmissions. However, the TZ 170 Wireless is a firewall and has NAT
capabilities which provides security, and you can use WiFiSec to secure data
transmissions.

Recommendations for Optimal Wireless Performance

Place the TZ 170 Wireless near the center of your intended network. This can also reduce the possibility of eavesdropping by neighboring wireless networks.
Minimize the number of walls or ceilings between the TZ 170 Wireless and the receiving points such as PCs or laptops.
Try to place the TZ 170 Wireless in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
Building construction can make a difference on wireless performance. Avoid placing the TZ 170 Wireless near walls, fireplaces, or other large solid objects. Placing the TZ 170 Wireless near metal objects such as computer cases, monitors, and appliances can affect performance of the unit.
Metal framing, UV window film, concrete or masonry walls, and metallic paint can reduce signal strength if the TZ 170 Wireless is installed near these types of materials.
Installing the TZ 170 Wireless in a high place can help avoid obstacles and improve performance for upper stories of a building.
Neighboring wireless networks and devices can affect signal strength, speed, and range of the TZ 170 Wireless. Also, devices such as cordless phones, radios, microwave ovens, and televisions may cause interference on the TZ 170 Wireless.

Adjusting the Antennas

The antennas on the TZ 170 Wireless can be adjusted for the best radio reception. Begin with the antennas pointing straight up, and then adjust as necessary. Note that certain areas, such as the area directly below the TZ 170 Wireless, get relatively poor reception. Pointing the antenna directly at another wireless device does not improve reception. Do not place the antennas next to metal doors or walls as this can cause interference.

Wireless Node Count Enforcement

Users connecting to the WLAN or connecting through the SonicWALL GroupVPN are not counted towards the node enforcement on the SonicWALL. Only users on the LAN and non-Wireless zones on the Opt port are counted towards the node limit.

The Station Status table lists all the wireless nodes connected.

MAC Filter List

The SonicWALL TZ 170 Wireless networking protocol provides native MAC address filtering capabilities. When MAC address filtering is enabled, filtering occurs at the 802.11 layer, wireless clients are prevented from authenticating and associating with the wireless access point. Since data communications cannot occur without authentication and association, access to the network cannot be granted until the client has given the network administrator the MAC address of their wireless network card.

WiFiSec Enforcement

Enabling WiFiSec Enforcement on the TZ 170 Wireless enforces the use of IPsec-based VPN for access from the WLAN to the WAN or LAN, and provides access from the WLAN to the WAN independent of WGS. Access from one wireless client to another is configured on the Wireless > Advanced page where you can disable or enable access between wireless clients.

WiFiSec uses the easy provisioning capabilities of the SonicWALL Global VPN client making it easy for experienced and inexperienced administrators to implement on the network. The level of interaction between the Global VPN Client and the user depends on the WiFiSec options selected by the administrator. WiFiSec IPsec terminates on the WLAN/LAN port, and is configured using the Group VPN Security Policy including noneditable parameters specifically for wireless access.

Wireless > Status

The Wireless > Status page provides status information for wireless network, including WLAN Settings, WLAN Statistics, and Station Status.

The Wireless > Status page has three tables:

WLAN Settings
WLAN Statistics
Station Status

WLAN Settings

The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed in red. Click on a setting to go the page in the Management Interface where you can configure that setting.

WLAN Settings

WLAN Settings	Value
WLAN	Enabled or Disabled
WiFiSec Enforcement	Enabled or Disabled
SSID	Wireless network identification information
MAC Address (BSSID)	Serial Number of the TZ 170 Wireless
WLAN IP Address	IP address of the WLAN port
WLAN Subnet Mask	Subnet information
Regulatory Domain	FCC - North America for domestic appliances ETSI - Europe for international appliances
Channel	Channel Number selected for transmitting wireless signal
Radio Tx Rate	Network speed in Mbps
Radio Tx Power	Current power level of the radio signal transmission
Authentication Type	Encryption settings for the radio, or Disabled--see the Wireless > WEP/WPA Encryption page
MAC Filter List	Enabled or Disabled
Wireless Guest Services	Enabled or Disabled
Intrusion Detection	Enabled or Disabled
Wireless Firmware	Firmware version on the radio card
Associated Stations	Number of clients associated with the TZ 170 Wireless
Radio Mode	Current power level of the radio signal transmission

b

WLAN Statistics

WLAN Statistics: The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

Wireless Statistics	Rx/TX
Unicast Frames	Number of frames received and transmitted
Multicast Frames	Total number of frames received and transmitted as broadcast or multicast. Typically a lower number than Unicast frames.
Fragments	Total number of fragmented frames received and sent. This is a general indication of activity at this wireless device.
Total Packets	Total number of packets received and transmitted.
Total Bytes	Total number of bytes received and transmitted.
Errors	Number of times a transmission resulted in an error.
Signal Retry Frames	Number of messages retransmitted a single time being acknowledged by the receiving device. Retransmission is normal for 802.11b to quickly recover from lost messages.
Multiple Retry Frames	Number of messages retransmitted multiple times before acknowledgement by the receiving device. A relatively high value can indicate interference or a heavy wireless data load.
Retry Limit Exceeded	Number of messages undelivered after the maximum number of transmissions. Along with Discards, it can indicate a wireless network under heavy interference or excessive load of wireless data traffic.
Discards	Number of messages untransmitted due to congestion. Normally, the messages are temporarily stored in an internal buffer until transmitted. When the buffer is full, frames are discarded until the buffer is cleared. When the number is high, it may indicate a wireless network with a heavy load of traffic.
Discards: Bad WEP Key	Number of times a received message was discarded because it could not be decrypted. This could indicate mismatched keys or one device does not support encryption or does not have encryption enabled.
FCS Errors	Number of received frames or frame parts containing an erroneous checksum requiring deletion. Messages are recovered using ACK and retransmitted by the sending device.
Frames Received	Total number of frames received.
Frames Aborted	Total number of frames aborted while receiving
Frames Aborted Phy	Total number of frames aborted
Duplicate Frames	Number or duplicate frames received.

Station Status

The Station Status table displays information about wireless connections associated with the TZ 170 Wireless.

Station - the name of the connection used by the MAC address
MAC Address - the wireless network card MAC address
Authenticated - status of 802.11b authentication
Associated - status of 802.11b association
AID - Association ID, assigned by the security appliance
Signal - strength of the radio signal
Timeout - number of seconds left on the session
Configure
- configure power management on the wireless network card of this station, if enabled.
- block the station from the security appliance and add it to the Deny MAC Filter List.
- dissociate the station from the security appliance.

SonicWALL, Inc. http://www.sonicwall.com 1160 Bordeaux Drive Sunnyvale, CA 94089-1209