Publication
Featured research published by Hung Ha.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
Wireless networks face additional vulnerabilities that must be considered when designing a network security policy. The Radio Frequency (RF) technology used in today's 802.11-based wireless networking devices poses an attractive target for intruders. If left unmonitored, RF devices can leave both wireless and wired networks open to a variety of outside threats, from DoS or Man-in-the-Middle attacks to network security breaches. This chapter describes the SonicOS wireless intrusion detection and RF monitoring features that help protect one's wireless devices from these attacks. With wireless intrusion detection and RF monitoring enabled on the SonicPoints, one can detect RF threats without interrupting the operation of the network. These features let the users scan the airwaves around the network for access points, examine their settings, and authorize those that are valid while blocking those that are invalid. RF monitoring can detect the signatures of a number of RF attack types, and also helps locate unauthorized access points by indicating proximity and direction. The features of wireless intrusion detection and RF threat management can allow a network administrator to be notified of and deal with wireless threats as they arise. In addition to alerts, SonicWALL also offers signal strength feedback and unique management and identification features that allow one to physically pinpoint wireless threat locations.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
VPN technology is a key part of securing remote network access. Wireless security mechanisms such as WPA2 provide for secure wireless connections in a controlled setting such as one's corporate office or classroom. When remote users connect wirelessly in a hotspot, a VPN tunnel can be implemented to ensure that the connection is secure, regardless of whether the wireless access point is secure. SonicWALL offers a number of VPN features for both small and large deployments, including NetExtender, two-factor authentication (2FA), one-time passwords (OTPs), Connect Mobile, and Virtual Assist. For applications where client-side software installations and integration within a single UTM appliance are preferred, SonicWALL offers site-to-client VPN connections with the SonicWALL Global VPN Client. This chapter discusses the implementation of several SonicWALL VPN solutions, including SonicWALL SSL VPN, SonicWALL GVC, and SonicWALL/Aventail Connect Mobile. Although these authentication and encryption options are most often used in remote access situations, they can be successfully implemented into a wireless scenario to provide security equal to that of the traditional wired network. This is especially true when a wired network already has a VPN for remote workers. Implementation of a SonicWALL SSL VPN solution brings with it the advantages of Two-Factor Authentication, OTPs, and Virtual Assist for local and remote wireless users.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter provides an overview of SonicWALL's security products and services. These appliances provide network gateway functionality, UTM security services, secure remote access, and centralized management—all of which are configured through an intuitive, easy-to-use management interface. SonicWALL offers a range of products that scale from small to medium and large organizations to satisfy the key requirements of virtually any wired or wireless network deployment. This chapter allows users to see how each product line can be effectively used in the network deployment to provide secure wireless access. The SonicWALL Network Security Appliance (NSA) series of products offers the network administrator a complete security package in a single hardware platform. Along with the patented ability to provide fast, on-the-fly reassembly-free deep packet inspection (RF-DPI), the SonicWALL NSA series provides UTM protection services that are enforced at the gateway. SonicWALL's GMS solution provides a central point of management for both small and large SonicWALL distributed deployments. For deployments within a single site, SonicWALL GMS manages policies and compiles reports for all in-house SonicWALL appliances. In larger multiple-site deployments, SonicWALL GMS manages and monitors thousands of SonicWALL network nodes on a global level.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter provides an introduction to wireless technology and communications. Wireless devices such as cell phones, PDAs, and laptop computers provide mobility to users and enable them to keep in constant contact with both their work and personal lives. Modern wireless network communication essentially began in 1997 with the original 802.11 standard. In 1999, Wired Equivalency Protection (WEP) was introduced as the first attempt at a secure algorithm for wireless networks. By 2001, serious security flaws were found in WEP. Wi-Fi Protected Access (WPA) was introduced in 2003 as a stopgap measure that superseded WEP, and was quickly followed by WPA2 in 2004, which fully implemented the 802.11i standard. Other wireless standards have been introduced for wireless bridging, Quality of Service, vehicular use, microwave access, and cellular access. Malware is an umbrella term for all forms of malicious software—viruses, worms, botnets, and other threats. Modern-day malware is a much more serious criminal threat to both wired and wireless networks. SonicWALL Unified Threat Management (UTM) provides content filtering, intrusion prevention, antivirus, and antispyware at the gateway. Wireless networks are susceptible to specialized threats that compromise access points, jam radio frequencies, and take advantage of the physical mobility of wireless devices. Although wireless security threats have multiplied with the phenomenal increase in Internet usage, network administrators demand the same level of security from a wireless network that they expect from a wired network. The WPA2 standard has eliminated any excuse for accepting inherent vulnerabilities in wireless networks.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter divides the implementation of a complete secure wireless network into three phases: Unified Threat Management (UTM) gateway and wireless access, secure remote access, and centralized management. By dividing the implementation into three phases, a clear view of how the SonicWALL product line fits together to form a single, integrated network solution is achieved. The phased approach also helps a network designer determine which elements the network requires. This chapter explains all of the concepts necessary to understand the implementation sections that follow. Phase one covers the configuration of gateway devices with UTM security services and then the addition of wireless service. SonicWALL's UTM services use the deep packet inspection (DPI) engine to examine both the header and body of every packet that enters the network. Phase two covers VPN solutions that add secure remote access to the network. SonicWALL provides both client and clientless solutions, with several options for extra security such as two-factor authentication (2FA) and one-time passwords (OTPs). Phase three adds centralized management and monitoring for larger networks. SonicWALL Global Management System (GMS) allows a single network administrator to remotely configure an entire network consisting of multiple appliances located in multiple remote sites from a single local management interface.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter discusses the existing wireless standards in the 802.11x arena and how each standard is uniquely applicable to different wireless networking situations. The focus is on the wireless site survey and planning, including managed and unmanaged switches, preparation of the site, wired/wireless hardware decisions, and actual placement of the access points within one's deployment area. Wireless standards play as much of a role in planning a wireless deployment as the technological bits and pieces that make up one's wireless deployment. There are currently four widely adopted standards for 802.11 wireless network types: a, b, g, and n. Although 802.11n is the newest and highest capacity standard, each of the four standards has its own strengths and weaknesses. It is wise to consider the full range of 802.11 standards when determining the specific deployment needs. This chapter answers questions about implementation on a physical level. The wireless site survey section explores certain physical elements that affect the radio frequency (RF) waves, helps plan for these obstructions, and elaborates on how to design a secure wireless network. The steps to be taken before conducting a wireless site survey are listed. The findings will be invaluable to the functionality and security of the wireless network. The concepts covered in this chapter are critical for all deployments, especially for large-scale distributed deployments.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter discusses methods to design and configure a network to handle and benefit from different user classifications. The goal of network design is to determine how the network will be used—and how to maximize usability and convenience while maintaining security and reliability. This chapter also discusses the various authentication mechanisms, their features, and when to use them. SonicWALL uses zones to define logical network segments that are governed by access rules. Address objects are used to define IP addresses on the network segments. Dynamic address objects and address object groups can be used to configure similar groups of devices to dynamically react to flexible network environments. Bulletproof user authentication mechanisms are fundamental to the effectiveness of user classes. SonicWALL provides a number of methods for segmenting different classes of users. User segmentation allows one to provide appropriate levels of security and access for different users in different scenarios. Virtual Access Points provide the ability to configure multiple wireless access points with different authentication methods and access rights on a single physical interface. The Application Firewall feature can be used to control virtually any aspect of network traffic for various classes of users. It provides granular control over application layer traffic in the areas of Web browsing, file transfer, bandwidth management, and email.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter discusses Virtual Access Points (VAPs) to fine-tune wireless access for segmented user groups. It provides an overview of the steps involved, and then a more in-depth examination of the configuration needed for a multi-purpose VAP deployment. The process of how VAPs are implemented and used to create multiple unique SSIDs through a single access point is elaborated. The features of a VAP are much like those of the wired VLAN. Installation procedures include configuring the proper security zones and VLANs, then configuring and pushing VAP changes out to one or more SonicPoints. VAPs provide a method for using a single wireless access point to provide multiple wireless network environments for different classes of users. Since VAPs work in conjunction with VLAN tagging, one can think of them as an extension of the wired VLAN into the wireless space. In the simplest terms, VAPs allow a single physical Access Point to present itself as multiple discrete Access Points—each with its own authentication methods and access rights. One can control network access by configuring different VAPs with different profiles, accessible by different user classes. A SonicPoint VAP deployment requires several steps to configure. Each VAP is configured on a separate virtual subinterface. VAP objects and VAP groups can be used to organize multiple VAPs and simplify the configuration and maintenance processes.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
This chapter discusses SonicWALL GMS features that are useful for network maintenance. SonicWALL GMS contributes to the security of the network by monitoring network events such as threats, inappropriate Web use, and bandwidth usage to provide real-time alerts and detailed reports about this network activity. These comprehensive reports provide valuable information for use when setting network policies, adjusting content filtering settings, or managing bandwidth for the network. SonicWALL GMS also provides a capacity planning feature that allows users to monitor one's database and log files. Critical alerts for the entire network are provided by the SonicWALL GMS Granular Event Management feature. In addition to monitoring for the purpose of reporting and alerting, the SonicWALL GMS management interface provides real-time monitoring of SonicWALL appliances, VPN tunnels, network devices, and syslog information. Real-time monitoring of the network allows users to quickly locate failed devices and remedy trouble spots as soon as they occur. Network-wide reporting and alerting are valuable tools that can help one understand and control activities in the network. By using these real-time monitoring capabilities to expose the health of the network at the physical and media layers, one can better control and optimize their network.
SonicWALL Secure Wireless Network Integrated Solutions Guide | 2007
Joe Levy; Khai Tran; Patrick Lydon; Jeremy Pollock; Dave Parry; Susan Weigand; Zhong Chen; Hung Ha; John Everett Gmuender; Mike Massing
The foundation of the secure wireless network is the SonicWALL UTM appliance, functioning as both a gateway and a UTM firewall. This chapter introduces the SonicOS management interface and guides users through the process of configuring basic connectivity for the SonicWALL UTM appliance and then configuring security services that use SonicWALL's Deep Packet Inspection engine to protect the network. The SonicOS Web management interface provides an intuitive, easy-to-use graphical interface for configuring SonicWALL UTM appliances and SonicPoints. The SonicOS Setup Wizard quickly guides users through the process of configuring basic network connectivity. Once the SonicWALL UTM appliance is online, but before deploying it to the production environment, one needs to license and configure the UTM security services to protect the network. SonicWALL security services can be customized for the different zones of the network to provide the appropriate level of protection for different types of network traffic. The SonicWALL UTM appliance provides UTM security services without the need for any modification to the existing network configuration. Two advanced configuration options that are available on SonicWALL NSA appliances, namely, Layer 2 Bridge mode and High Availability, are introduced. Layer 2 Bridge mode allows the SonicWALL UTM appliance to be seamlessly integrated into an existing network. High Availability is an advanced feature that deploys a second SonicWALL NSA appliance as a backup that can perform stateful synchronization for seamless failover in case the primary appliance goes down. By the end of the chapter, the users will have configured secure wired access to the network.