WiFiSec Enforcement / WPA - SonicWALL SonicPoint Administrator's Manual

assigned at the User or Group level (such as to 'WLAN RemoteAccessNetworks', which is effectively
'0.0.0.0' or 'Any') for access to the Internet and trusted resources.
Access types not covered by the default levels of trust (such as WiFiSec to WiFiSec) require
custom Access Rules, and the default behaviors above can be made more or less restrictive by
modifying the default rules.

WiFiSec Enforcement / WPA

As introduced on the SonicWALL TZ 170 Wireless, WiFiSec Enforcement is the ability to require that
all traffic traversing the wireless network be IPSec (VPN) traffic. The Secure Wireless
Solutions/Architecture enforces the same level of security by providing WiFiSec Enforcement at the
Zone level: all non-guest wireless clients connected to SonicPoints attached to an interface
belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPSec.
The VPN connection terminates at the "WLAN GroupVPN", which can be configured independently of
"WAN GroupVPN" or other Zone GroupVPN instances.
Because WPA (Wi-Fi Protected Access) provides security rivaling that of WiFiSec, albeit in a more
complicated and less versatile fashion, administrators enabling WiFiSec Enforcement on a Wireless
Zone have the option to accept WPA as an allowable alternative to IPSec. Both WPA-PSK (pre-shared
key) and WPA-EAP (Extensible Authentication Protocol, using an external 802.1X/EAP-capable RADIUS
server) are supported on SonicPoints. Note that with WPA-PSK every client shares one passphrase,
and an attacker who captures a client's WPA handshake can run an offline dictionary attack against
it, so a WPA-PSK deployment that is trusted in place of IPSec needs a long, random passphrase.
Consider the example above, in which two SonicPoints are connected to the WLAN Zone, where
WiFiSec is enforced. SonicPoint1 does not have WPA enabled; on SonicPoint2, WPA is enabled and
is 'Trusted as WiFiSec' (meaning it has been allowed as an acceptable alternative to WiFiSec).
Non-guest clients connected to SonicPoint1 must use IPSec to communicate through the X2 interface
on the PRO, or their traffic is dropped at the interface. Guest clients can associate with
SonicPoint1 and use Guest Services. Because WPA is enabled on SonicPoint2, every client connecting
to SonicPoint2 must use WPA, since WPA is an all-or-nothing technology: guest clients must either
have WPA credentials or they cannot associate with SonicPoint2 at all. Once a client provides WPA
credentials and successfully associates with SonicPoint2, SonicPoint2 tags the packets it passes
to the X2 interface as having been transmitted using WPA. The X2 interface recognizes these tags
and accepts the traffic even though it is not IPSec.
The all-or-nothing restriction of WPA, along with the added complexity of having to maintain an
external EAP-capable directory service, is perhaps the greatest drawback of WPA compared with
WiFiSec. Take, for example, a wireless network that wishes to offer Guest Services to visiting
users and, at the same time, enforce encryption for access to trusted resources. SonicPoint1,
using WiFiSec, can easily provide this differentiated access, but guest users connecting to
SonicPoint2 would need the WPA pre-shared key or a previously created EAP account, effectively
defeating the extemporaneous and dynamic nature of Guest Services.
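The two-stage enforcement described in the preceding two paragraphs (association at the SonicPoint, then the IPSec-or-trusted-WPA check at the Zone interface) is modeled below as an added example. This is illustration code written for this page, not SonicOS or SonicPoint firmware: the `Zone`, `SonicPoint`, `Client` and `Frame` types, the `associate` and `forward` functions, and the way the WPA tag is derived from the SonicPoint's configuration are all assumptions. It also goes one step beyond the text by including a third SonicPoint (hypothetical) with WPA enabled but not 'Trusted as WiFiSec', to show that WPA alone does not satisfy enforcement unless the administrator has opted to accept it.

```python
"""Model of WiFiSec Enforcement on a wireless Zone (added example, not SonicOS code).

Assumed model: a client first associates with a SonicPoint, then each frame it
sends is judged at the Zone interface (X2 in the text). Every name here is an
assumption made for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    wifisec_enforced: bool          # non-guest traffic must be IPSec (or trusted WPA)


@dataclass(frozen=True)
class SonicPoint:
    name: str
    wpa_enabled: bool               # WPA is all-or-nothing on the SonicPoint
    wpa_trusted_as_wifisec: bool    # 'Trusted as WiFiSec': WPA accepted instead of IPSec


@dataclass(frozen=True)
class Client:
    guest: bool
    has_wpa_credentials: bool       # the PSK, or an EAP account on the RADIUS server


@dataclass(frozen=True)
class Frame:
    ipsec: bool                     # an IPSec/VPN packet destined for the WLAN GroupVPN


def associate(sp: SonicPoint, client: Client) -> bool:
    """Stage 1: can this client associate with this SonicPoint at all?"""
    if sp.wpa_enabled:
        # All-or-nothing: without WPA credentials nobody associates, guest or not.
        # This is exactly what defeats Guest Services on a WPA-enabled SonicPoint.
        return client.has_wpa_credentials
    return True


def forward(zone: Zone, sp: SonicPoint, client: Client, frame: Frame) -> str:
    """Stage 2: decision at the Zone interface for one frame from an associated client."""
    if not associate(sp, client):
        return "refused-association"
    if client.guest:
        # Guest clients are handed to Guest Services rather than trusted resources.
        return "guest-services"
    if not zone.wifisec_enforced or frame.ipsec:
        return "accept"
    # Non-guest, non-IPSec frame on an enforced Zone. Only the WPA tag that a
    # WPA-enabled SonicPoint applies to its frames can stand in for IPSec, and
    # only when that SonicPoint's WPA is 'Trusted as WiFiSec'.
    wpa_tagged = sp.wpa_enabled
    if wpa_tagged and sp.wpa_trusted_as_wifisec:
        return "accept"
    return "drop"


def example_decisions() -> dict:
    """Constructed scenario from the text plus one extra SonicPoint (assumption)."""
    wlan = Zone("WLAN", wifisec_enforced=True)
    sp1 = SonicPoint("SonicPoint1", wpa_enabled=False, wpa_trusted_as_wifisec=False)
    sp2 = SonicPoint("SonicPoint2", wpa_enabled=True, wpa_trusted_as_wifisec=True)
    sp3 = SonicPoint("SonicPoint3", wpa_enabled=True, wpa_trusted_as_wifisec=False)
    employee = Client(guest=False, has_wpa_credentials=True)
    visitor = Client(guest=True, has_wpa_credentials=False)
    plain, vpn = Frame(ipsec=False), Frame(ipsec=True)
    return {
        "sp1/employee/plain": forward(wlan, sp1, employee, plain),  # drop
        "sp1/employee/ipsec": forward(wlan, sp1, employee, vpn),    # accept
        "sp1/visitor/plain": forward(wlan, sp1, visitor, plain),    # guest-services
        "sp2/employee/plain": forward(wlan, sp2, employee, plain),  # accept (WPA tag)
        "sp2/visitor/plain": forward(wlan, sp2, visitor, plain),    # refused-association
        "sp3/employee/plain": forward(wlan, sp3, employee, plain),  # drop (WPA not trusted)
        "sp3/employee/ipsec": forward(wlan, sp3, employee, vpn),    # accept
    }


if __name__ == "__main__":
    for case, decision in example_decisions().items():
        print(f"{case:22s} -> {decision}")
```

The last two cases are the point a practitioner should check in a real deployment: enabling WPA on a SonicPoint does not by itself satisfy WiFiSec Enforcement; unless the administrator has also marked that SonicPoint's WPA as 'Trusted as WiFiSec', non-guest clients still need an IPSec tunnel to the WLAN GroupVPN.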
16 SonicWALL SonicPoint Administrator's Guide
