Configuring Wlan Firewall Support - Motorola Solutions WiNG 5.2.6 Reference Manual

6 - 26 WiNG 5.2.6 Access Point System Reference Guide
WEP 128 and Keyguard Deployment Considerations

WEP 128 and KeyGuard
Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to
ensure the configuration is optimally effective:
• Motorola Solutions Solutions recommends additional layers of security (beyond WEP) be enabled to minimize the
likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with
Firewall policies restricting access to hosts and suspicious network applications.
• WEP enabled WLANs should only be permitted access to resources required by legacy devices.
• KeyGuard is not supported on AP-6511 model access points.
• If WEP support is needed for WLAN legacy device support, 802.1X EAP authentication should be also configured
in order for the WLAN to provide authentication and dynamic key derivation and rotation.

6.1.3 Configuring WLAN Firewall Support


Wireless LANs
A Firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary
information within an access point managed WLAN. The means by which this is accomplished varies, but in principle,
a Firewall can be thought of as mechanisms both blocking and permitting data traffic. For a Firewall overview, see
Wireless Firewall on page
WLANs use Firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they
arrive, as opposed to filtering packets on Layer 2 ports. An ACL contains an ordered list of Access Control Entries
(ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order
of conditions in the list is critical because the wireless controller stops testing conditions after the first match.
IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders
assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a
MAC
A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a
typical allow, deny or mark designation to WLAN packet traffic.
Keep in mind IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC
ACL to the interface.
To review existing Firewall configurations, create a new Firewall configuration or edit the properties of a WLAN's
existing Firewall:
1. Select Configuration
WLANs.
2. Select the
WLAN.
3. Select Firewall
7-2.
> Wireless LANs
Add button to create a new WLAN or
from the WLAN options.
> Wireless LANs to display a high-level display of the existing
Edit to modify the properties of an existing wireless controller