How to manually configure WiFiSec Enforcement in SonicOS Enhanced (on SonicWall Pro & NSA series)
03/26/2020
Resolution
Overview:
WiFiSec Enforcement is the ability to require that all traffic that enters into the WLAN Zone interface be either IPSec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints (SonicWall Wireless Devices) attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPSec. The VPN connection inherent in WiFiSec terminates at the "WLAN GroupVPN", which you can configure independently of "WAN GroupVPN" or other Zone GroupVPN instances.
Enforcing WiFiSec ensures that wireless users are authenticated and that their wireless traffic is fully encrypted. This method of deployment ensures that only authorized users are attaching to the SonicWall, and that the wireless traffic of authorized users is truly secure against interception and decoding by undesired third parties. Activating this causes the SonicWall to pass only IPSec packets, WPA packets, or both to and from its WLAN Zone.
All wireless clients must connect to the SonicWall using the SonicWall Global VPN Client if they wish to access anything (policy-allowed LAN resources, policy-allowed WAN access, and other wireless clients). The encryption and authentication run transparently over any manufacturer's wireless card, so there is no need to patch or update the card's software driver to support it.
Scenario:
This scenario ensures that wireless users are authenticated and that their wireless traffic is fully encrypted:
- In this scenario, wireless computers must use WPA-PSK encryption to initially associate with the wireless network. (Other wireless encryption types may also be used.)
- Wireless traffic passing through the WLAN Zone is secured by IPSec.
- Managing the SonicWall Appliance via WLAN Zone is completely disabled.
- All Wireless users must authenticate and use SonicWall Global VPN Client (GVC) to access the network.
- Internet access is allowed only via the SonicWall Appliance. This ensures that the wireless traffic is also inspected by the SonicWall Security Services (Intrusion Prevention Service, Gateway Anti-Virus, Content Filtering Service, etc.).
The configuration procedure is divided into two parts:
PART ONE: Configuration on the SonicWall Appliance
Step 1: Assigning an available interface to the WLAN Zone (You must connect a SonicPoint to this Interface).
Step 2: Enabling WiFiSec Enforcement on the WLAN Zone to allow only IPSEC traffic.
Step 3: Configuring SonicPoint Profiles (Wireless settings enabling WPA-PSK encryption)
Step 4: Connecting the SonicPoint Device to the SonicWall Appliance
Step 5: Configuring the WLANGroupVPN policy (IPSEC Settings)
Step 6: Configuring DHCP over VPN to lease an IP Address to Wireless clients connecting via Global VPN Client (GVC)
Step 7: Configuring User Authentication to allow access only to authenticated wireless users.
PART TWO: Configuration on the Wireless client computer
Step 1: Connectivity using the Wireless card utility for initial association with the WLAN Zone.
Step 2: Connectivity using SonicWall Global VPN Client (GVC) to ensure that the wireless traffic is encrypted with IPSec.
Part One: Configuration on the SonicWall Appliance
Step 1: Assigning an available Interface to the WLAN Zone
A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWall SonicPoint secure access points.
1. Log into the SonicWall Management GUI, go to Network > Interfaces.
2. Click on the Configure icon in the Configure column for the Interface you want to modify. The Edit Interface window is displayed. You can configure X2 through X9, Opt, a VLAN sub-interface or a PortShield interface.
3. In the Zone list, select WLAN or a custom Wireless zone.
4. Enter the IP address (172.16.31.1) and subnet mask (255.255.255.0) of the Zone in the IP Address and Subnet Mask fields.
5. In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface. (You can accept the default value.)
6. Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
7. Uncheck all supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP. (In this scenario we are not allowing wireless clients to manage the SonicWall, to ensure complete security.)
8. Click OK.
Step 2: Enabling WiFiSec Enforcement on the WLAN Zone to allow only IPSEC traffic
1. Go to Network > Zones; Click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
2. In the General tab, uncheck Allow Interface Trust. Select any of the following settings to enable the SonicWall Security Services on the WLAN Zone.
Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
Enforce Client Anti-Virus Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones.
3. Click the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWall SonicPoints to enter the WLAN Zone interface. This allows maximum security of your WLAN.
Please Note: From SonicOS Enhanced firmware 5.1.3.2 onwards, the WiFiSec Enforcement settings are not available on the WLAN Zone > Wireless tab. These settings are hidden and have to be enabled from the diag.html page (e.g. 192.168.168.168/diag.html).
For complete instructions, refer to KBID 6496: UTM: Wireless WifiSec Enforcement settings not visible in the WLAN Zone > Wireless tab
4. Select WiFiSec Enforcement.
All wireless clients must connect to the SonicWall via the SonicWall Global VPN Client if they wish to access anything (policy-allowed LAN resources, policy-allowed WAN access, and other wireless clients).
5. When WiFiSec Enforcement is enabled, you can specify services that are allowed to bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then selecting the service you want to exempt from WiFiSec enforcement.
6. When WiFiSec Enforcement is enabled, you can select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.
7. Uncheck Trust WPA traffic as WiFiSec. (This will ensure all wireless clients must connect to the SonicWall via the SonicWall Global VPN Client if they wish to access the resources)
8. Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
9. Click the Guest Services tab. Uncheck Enable Wireless Guest Services. (In this scenario we will not be enabling Wireless Guest Users.)
10. Click OK to apply these settings to the WLAN zone.
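The practical effect of the Wireless tab settings in Step 2 is an admission rule for the WLAN zone: with WiFiSec Enforcement on and Trust WPA traffic as WiFiSec off, a wireless client can only get IKE and ESP through to the firewall (plus any WiFiSec Exception Service you check), and everything it sends in the clear is dropped before it reaches LAN or WAN. The following model of that rule is an added example written for this article; it is not SonicOS code, and the client address 172.16.31.50, the LAN server 192.168.168.10 and the WAN address 192.0.2.53 are constructed sample values (172.16.31.1 is the zone address from Step 1). It also shows why the article tells you to leave Trust WPA traffic as WiFiSec unchecked: with that box ticked, the same cleartext packets are admitted.

```python
"""Admission model for a WLAN zone under WiFiSec Enforcement (added example, not SonicOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# IP protocol numbers and the UDP ports the Global VPN Client uses for IKE / NAT-T.
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IKE_PORTS = {500, 4500}
PROTO_NAMES = {IP_PROTO_TCP: "tcp", IP_PROTO_UDP: "udp", IP_PROTO_ESP: "esp"}


@dataclass(frozen=True)
class Packet:
    """One packet arriving on the WLAN zone interface from a wireless client."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None      # ESP carries no port
    wpa_associated: bool = True      # client joined the SonicPoint SSID with WPA-PSK


@dataclass
class WlanZonePolicy:
    """The WLAN zone > Wireless tab switches that Step 2 configures."""
    wifisec_enforcement: bool = True
    trust_wpa_as_wifisec: bool = False                       # article: leave unchecked
    exception_services: Set[Tuple[str, int]] = field(default_factory=set)  # e.g. {("udp", 67)}

    def admits(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (admitted, reason) for a packet entering the zone."""
        if not self.wifisec_enforcement:
            return True, "WiFiSec Enforcement disabled"
        if pkt.proto == IP_PROTO_ESP:
            return True, "IPsec ESP"
        if pkt.proto == IP_PROTO_UDP and pkt.dport in IKE_PORTS:
            return True, "IKE negotiation"
        if (PROTO_NAMES.get(pkt.proto, "?"), pkt.dport) in self.exception_services:
            return True, "WiFiSec Exception Service"
        if self.trust_wpa_as_wifisec and pkt.wpa_associated:
            return True, "WPA association trusted as WiFiSec"
        return False, "non-IPsec traffic dropped"


def evaluate(policy: WlanZonePolicy, packets: List[Packet]) -> List[Tuple[Packet, bool, str]]:
    """Run every packet through the policy and keep the verdict next to it."""
    return [(p, *policy.admits(p)) for p in packets]


# Constructed sample traffic from one wireless client (hypothetical addresses).
SAMPLE_PACKETS = [
    Packet("172.16.31.50", "172.16.31.1", IP_PROTO_UDP, 500),      # IKE to the firewall
    Packet("172.16.31.50", "172.16.31.1", IP_PROTO_ESP),           # tunnelled traffic
    Packet("172.16.31.50", "192.168.168.10", IP_PROTO_TCP, 80),    # cleartext HTTP to LAN
    Packet("172.16.31.50", "192.0.2.53", IP_PROTO_UDP, 53),        # cleartext DNS to WAN
    Packet("172.16.31.50", "172.16.31.1", IP_PROTO_TCP, 443),      # management attempt
]


def admitted_count(policy: WlanZonePolicy, packets: List[Packet] = SAMPLE_PACKETS) -> int:
    """How many of the sample packets the zone lets in under this policy."""
    return sum(1 for _, ok, _ in evaluate(policy, packets) if ok)


if __name__ == "__main__":
    for label, policy in (("strict (article)", WlanZonePolicy()),
                          ("trust WPA", WlanZonePolicy(trust_wpa_as_wifisec=True))):
        print(f"--- {label}")
        for pkt, ok, why in evaluate(policy, SAMPLE_PACKETS):
            print(f"{'ALLOW' if ok else 'DROP ':5} {pkt.dst:16} proto={pkt.proto:<3} dport={pkt.dport!s:5} {why}")
```

Under the article's settings only the IKE and ESP packets pass; the HTTP, DNS and HTTPS-management packets are dropped even though the client is WPA-associated, which is exactly the property Step 7 of this section relies on. Adding ("udp", 67) to exception_services is the kind of thing the WiFiSec Exception Service checkbox is for, and turning wifisec_enforcement off admits everything.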
Step 3: Configuring SonicPoint Profiles (Wireless settings enabling WPA-PSK encryption)
SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID's, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone.
1. Go to SonicPoint > SonicPoints.
2. To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing.
3. In the General tab of the Add Profile window, specify:
Select Enable SonicPoint.
Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned it is given a name that consists of the name prefix and a unique number, for example: "SonicPoint 126008."
Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
4. In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
Select Enable 802.11g Radio
SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients' lists of available wireless connections. (For example: SonicLAB)
TIP: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with MAC address in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with MAC address in the group. The deny list is enforced before the Allow list.
Authentication Type: Select WPA PSK and enter a Passphrase (Min 8 - Max 63 characters)
5. In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For most 802.11g advanced options, the default settings give optimum performance.
The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the 802.11g Radio and 802.11g Advanced tabs.
Step 4: Connecting a SonicPoint Device to the SonicWall Appliance
1. Now physically connect the SonicPoint LAN port to the WLAN Interface port on the SonicWall Appliance.
TIP: If you had already connected the SonicPoint, unplug and plug in the cable at the port. This ensures that the SonicPoint provisioning profile is accurately synchronized.
Step 5: Configuring the WLANGroupVPN Policy (IPSec Settings)
1. Go to VPN > Settings; enable the WLAN GroupVPN checkbox and click the Edit icon to configure.
2. In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A Shared Secret is automatically generated by the SonicWall security appliance in the Shared Secret field, or you can generate your own shared secret. Shared Secrets must consist of a minimum of four characters. You cannot change the name of any GroupVPN policy.
3. Click the Proposals tab. (You can accept the default settings or change them to suit your requirements.)
Uncheck the Perfect Forward Secrecy option.
Note: Ensure that the IPsec (Phase 1 and Phase 2) proposal values are the same; otherwise, you will not be able to establish a successful GVC connection.
4. Click the Advanced tab.
Select Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows Network Neighborhood.
Uncheck the HTTP and HTTPS checkboxes in the Management via this SA.
Select Require Authentication of VPN Clients via XAUTH - Ensures that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted users group is selected by default (Select Everyone if you have configured Wireless Guest Services settings from the User Group for XAUTH users list.)
5. Click the Client tab.
Under Virtual Adapter Settings select DHCP Lease (The GVC Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configured on the VPN > DHCP over VPN page.)
Under Allow Connections to select All Secured Gateways (Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled).
Select Set Default Route as this Gateway - You can only configure one VPN policy to use this setting.
Select Use Default Key for Simple Client Provisioning (The GVC will fetch the Pre-shared Secret automatically; this allows administrators to change the Shared Secret key at any time without notifying the users).
6. Click OK.
Step 6: Configuring DHCP over VPN to lease an IP Address to Wireless clients connecting via GVC
1. Go to VPN > DHCP over VPN.
2. Select Central Gateway from the DHCP Relay Mode menu.
3. Click the Configure button. The DHCP over VPN Configuration window is displayed.
4. Select Use Internal DHCP Server to enable the SonicWall Global VPN Client, a remote firewall, or both to use an internal DHCP server to obtain IP addressing.