Configuring Wlan Firewall Support - Motorola WiNG 5.4.2 System Reference Manual

WEP 128 and Keyguard Deployment Considerations
WEP 128 and KeyGuard
Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the
configuration is optimally effective:
• Motorola Solutions recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data
loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with Firewall policies restricting
access to hosts and suspicious network applications.
• WEP enabled WLANs should only be permitted access to resources required by legacy devices.
• KeyGuard is not supported on AP6511 model access points.
• If WEP support is needed for WLAN legacy device support, 802.1X EAP authentication should be also configured in order
for the WLAN to provide authentication and dynamic key derivation and rotation.

6.1.3 Configuring WLAN Firewall Support

Wireless LANs
A Firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary
information within an access point managed WLAN. The means by which this is accomplished varies, but in principle, a Firewall
is a mechanism that blocks and permits data traffic. For a Firewall overview, see
WLANs use Firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as
opposed to filtering packets on Layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE
specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is
critical because the wireless controller stops testing conditions after the first match.
IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders
assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC.
A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow,
deny or mark designation to WLAN packet traffic.
Keep in mind, IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to
the interface.
To review existing Firewall configurations, create a new Firewall configuration or edit the properties of a WLAN's existing
Firewall:
1. Select the Configuration
2. Select Wireless.
3. Select Wireless LANs
4. Select the Add button to create a new WLAN or
5. Select Firewall
tab from the Web UI.
to display a high level display of existing WLANs.
from the WLAN options.
Edit to modify the properties of an existing wireless controller WLAN.
Wireless Firewall on page 8-2.
6 - 23