Like competitive wireless switch products (see reviews of products from Aruba, Hewlett-Packard, Symbol, Trapeze and BlueSocket), SonicWall’s Distributed Wireless Solution (DWS) is designed to make large-scale wireless networking both secure and easy to manage.
However, instead of a central switch, DWS - announced earlier this year - is based on a SonicWall firewall/VPN appliance through which all wireless traffic is passed, with the appliance adding facilities to authenticate users, check for viruses, filter content and so on. Over-the-air traffic is also protected using SonicWall’s own IPSec-based VPN technology, and it’s possible to detect and isolate “rogue” wireless devices. A wireless guest service is another important feature, along with automatic, policy-based configuration for all wireless access points.
It’s all very impressive, but nonetheless a fairly complex solution which we found needed a fair amount of expertise and time to get right. That said, we did get it to work and the end result is a scalable wireless infrastructure that pretty much addresses most corporate security and management concerns.
Sum of the parts
As the name implies, the SonicWall Distributed Wireless Solution is made up of several components, starting with the central firewall/VPN appliance. This can be any of the big-business SonicWall Pro units, or the TZ 170 for SME/branch office deployment. The difference is capacity: the TZ 170 supports just two wireless access points, while 128 or more can be configured on the top-end Pro 5060.
Next you need SonicWall’s own SonicPoint wireless access points (£432 each). These support both 5GHz 802.11a and 2.4GHz 802.11b/g wireless networking and are connected to specially designated ports on the SonicWall appliance. Any non-wireless traffic is dropped from these ports so access points need a dedicated infrastructure of their own or a custom VLAN setup.
Independent power injectors (£60 each) are also available to squirt AC alongside data to the SonicPoints. Plus you can complete the solution with SonicWall’s own wireless PC cards (from £65) although other adapters supporting WEP, WPA or, shortly, 802.11i security can also be used.
Putting it together
We encountered several problems when setting up the SonicWall DWS, caused mainly by a lack of documentation which was only just being finalised during our evaluation. We would also have liked to see one manual for DWS as a whole – something the product manager has promised to look into.
On the plus side, you don’t have to buy a new SonicWall appliance to deploy DWS. Existing models can be used, but they have to be upgraded to the latest SonicOS 2.5 software, and this needs to be the enhanced version to get the wireless support: a chargeable upgrade costing £669 on the SonicWall Pro 2040 (base price £1335) we tested.
The SonicPoints are connected to the appliance, and one or more management profiles are defined using either the integrated Web interface or, on a larger network, SonicWall’s global management software. These profiles activate the wireless interfaces, set the SSID and channel, specify the type of encryption, the keys to use and so on, and are distributed automatically using proprietary discovery and provisioning protocols. This facility worked extremely well in our tests, making sure each SonicPoint was configured within seconds of being turned on.
One or more wireless zones then have to be configured, to be included in firewall/VPN rules and used to manage wireless traffic, check for viruses, and so on - just as for fixed LAN/WAN ports.
Lastly, it’s necessary to set up the IPSec VPN software both on the appliance and on each of the wireless clients. Alternatively, you can allow access to clients with matching WPA or WEP keys, although levels of security and manageability aren’t then as high.
Coming from a security vendor, anti-virus and content filtering are available, but as optional extras.
How it fared
We tested the DWS with both SonicWall adapters and a number of third-party cards. Somewhat surprisingly, we got better performance and range with the latter, with the Atheros-based SonicWall card performing best when using the 802.11a radio. Even then, signal strength fell off rapidly at around 20 metres. We also encountered problems matching shared WPA keys using a Windows XP client.
In its favour the SonicWall VPN software worked faultlessly. Plus we had no problems roaming between access points and various “rogue” devices which were plugged into the network were quickly detected. Another useful feature was the guest service which allowed unauthenticated users to connect to the Internet but not gain entry to LAN resources. On the downside, however, there are no built-in site survey facilities as on some wireless switch products and no automatic fine tuning of signal strength to maximise coverage and limit signal leakage.
Overall, we were impressed by what DWS has to offer, and it compares well on price against wireless switch products. The complexity of the solution could be an issue, although the wireless switch products can be just as baffling to set up. Most customers will have everything configured by a reseller - in which case the ability to get secure wireless networking from a respected security vendor is likely to outweigh the product's shortcomings.
SonicWall’s security credentials give the Distributed Wireless Solution an edge over many of the wireless switch products with which it competes. It also incorporates a corporate grade firewall/VPN appliance which can be used to protect more than just the wireless LAN: this could be a consideration for smaller companies without such protection already. In terms of price, too, it compares well although some care is required before buying as it is a rather complex product that needs to be deployed across the whole enterprise to be effective. It’s also a relative newcomer to the market (first shipped in June 2004) and resellers will need time to work through deployment issues.