SonicWALL SonicPoint Administrator's Guide (page 22)
MAC Filtering Using MAC Address Objects
MAC filtering has long been used by wireless Access Points as a rudimentary form of security.
Although easily thwarted, MAC filters still provide a fair first layer of defense in the area of wireless
security. To make the application of MAC filters fit better within the framework of SonicOS Enhanced
and the Secure Wireless Solution/Architecture, MAC Address Objects and Groups will be introduced
in SonicOS Enhanced 2.5, allowing for MAC Addresses, or Groups of MAC Addresses to be defined
and applied to SonicPoints. MAC Filters can be applied in either an “Allow” or a “Deny” fashion,
wherein Allowed MAC Filters will define the list of MAC addresses that can connect (denying all
others), and Deny MAC Filters will define the list of MAC addresses that cannot connect (allowing all
others).
Changes to MAC Filter settings, or to the MAC Address Objects or Groups themselves, take effect
immediately on all affected SonicPoints.
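As an added illustration that is not part of the guide, the following Python model captures the Allow/Deny semantics just described, with individual MAC Address Objects collected into (nestable) Groups and every address canonicalised before comparison. The class names, object names and sample addresses are constructed for the example, not SonicOS identifiers.

```python
import re
from dataclasses import dataclass, field
from typing import Union

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', etc. to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[:\-.\s]", "", mac.lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class MacAddressObject:
    name: str
    address: str  # stored canonically so a different notation cannot slip past the filter
    def __post_init__(self):
        object.__setattr__(self, "address", normalize_mac(self.address))

@dataclass
class MacAddressGroup:
    name: str
    members: list = field(default_factory=list)  # MacAddressObjects and/or nested groups

def expand(member, seen=frozenset()) -> set:
    """Flatten an object or (nested) group into the set of canonical MACs it covers."""
    if isinstance(member, MacAddressObject):
        return {member.address}
    if member.name in seen:  # a group nested inside itself would otherwise recurse forever
        raise ValueError(f"group cycle at {member.name!r}")
    return set().union(*(expand(m, seen | {member.name}) for m in member.members))

@dataclass
class MacFilter:
    mode: str  # "allow": only listed MACs may associate; "deny": listed MACs may not
    members: list
    def permits(self, client_mac: str) -> bool:
        if self.mode not in ("allow", "deny"):
            raise ValueError(f"unknown filter mode {self.mode!r}")
        listed = normalize_mac(client_mac) in set().union(*(expand(m) for m in self.members))
        return listed if self.mode == "allow" else not listed

# Constructed sample inventory (hypothetical names and addresses)
PRINTER = MacAddressObject("lobby-printer", "00-11-22-33-44-55")
LAPTOP = MacAddressObject("it-laptop", "aabb.ccdd.eeff")
TRUSTED = MacAddressGroup("trusted", [PRINTER, MacAddressGroup("it-devices", [LAPTOP])])
ALLOW_FILTER = MacFilter("allow", [TRUSTED])  # everything outside TRUSTED is refused
DENY_FILTER = MacFilter("deny", [PRINTER])    # everything except the printer is admitted
```

Note that an Allow filter with an empty membership refuses every client, which is the lockout to check for before applying a profile to a Zone.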
SonicPoint Profiles
SonicPoint Profiles provide a scalable and highly automated method of configuring and provisioning
multiple SonicPoints across a Secure Wireless Solution/Architecture. SonicPoint Profile definitions
include all of the settings that can be configured on a SonicPoint, such as radio settings for the
2.4GHz and 5GHz radios, including SSIDs, encryption settings, MAC filters, channels of operation,
and so on. Once defined, profiles can be applied at the Zone level in a fully flexible fashion, meaning that one
Wireless Zone can use one profile, while a different Wireless Zone uses another.
Automatic Provisioning (SDP & SSPP)
The SonicWALL Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices
running SonicOS Enhanced 2.5 and higher. SDP is the foundation for the automatic provisioning of
SonicPoint units using the following messages:
• Advertisement: SonicPoint devices without a peer will periodically, and on startup, announce or
advertise themselves using a broadcast. The advertisement will include information that will be
used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS
device will then report the state of all peered SonicPoints, and will take configuration actions as
needed.
• Discovery: SonicOS devices will periodically send discovery request broadcasts to elicit responses
from L2 connected SonicPoint units.
• Configure Directive: A unicast message from a SonicOS device to a specific SonicPoint unit to
establish encryption keys for provisioning, and to set the parameters for and to engage
Configuration Mode.
• Configure Acknowledgement: A unicast message from a SonicPoint to its peered SonicOS device
acknowledging a Configure Directive.
• Keepalive: A unicast message from a SonicPoint to its peered SonicOS device used to validate the
state of the SonicPoint.
If, using the SDP exchange, the SonicOS device ascertains that the SonicPoint requires provisioning or
a configuration update (such as on detecting a checksum mismatch, or when a firmware update is
available), the Configure Directive will engage a 3DES-encrypted, reliable TCP-based SonicWALL
Simple Provisioning Protocol (SSPP) channel. The SonicOS device will then send the update to the
SonicPoint over this channel, and the SonicPoint will restart with the updated configuration. State
information will be provided by the SonicPoint, and will be viewable on the SonicOS security
appliance throughout the entire discovery and provisioning process.