Wireless client security options include WEP, WPA, WPA-2 and MAC address filtering. For much of my testing, I was connected to the TZ100W via the wireless interface, and I had no issues with dropped connections or poor performance.
The TZ100W has Wireless Intrusion Detection Services (IDS) which will detect other Access Points, a nice feature for network administrators trying to control internal users from enabling their own Access Points. As you can see in Figure 7, my test TZ100W detected five other Access Points nearby.
Figure 6: AP Discovery
To expand the physical range of a wireless network, SonicWall Access Points, called SonicPoints integrate directly with the TZ100W, allowing for expanded network coverage with centralized network management.
Wireless networks are a security risk. The TZ100W separates the wireless network into a different security zone than the wired networks. Security features can be enabled or disabled for the wireless clients, just as with the wired clients, they just need to be applied to the WLAN zone.
By default, the WLAN zone is considered Untrusted, which means wireless clients can't access devices on the LAN unless rules are created in the firewall to enable them. I'll cover firewall rules shortly.
The TZ100W is a Unified Threat Management (UTM) network device designed to provide an array of security functions at the core of a small network. In addition to a complex firewall, the TZ100W provides Anti-Spam, Real-time Black Listing, Content Filtering, Gateway Anti-Virus, Intrusion Prevention, and Anti-Spyware.
Detailed testing of these security functions require sophisticated tools. Subsequently, many UTM manufacturers submit their devices to third party organizations, such as AVTest.org. SonicWall is not one of those manufacturers, however. I did run some limited checks of the TZ100W's UTM features. But I think it would be good if Sonicwall submitted its product for independent Anti-Virus and malware effectiveness testing.
SonicWall's “Comprehensive” Anti-Spam feature is a server based tool, designed to work with an Exchange or other SMTP email server. To enable and configure the Anti-Spam tool, you have to enter the local IP address of your email server. Once configured, the Anti-Spam tool will filter email at the network level, giving you the option to Tag, Store, Reject, or Delete emails detected as Spam.
SonicWall’s Anti-Spam service uses the Global Response Intelligent Defense (GRID) Network, which it has expanded since its acquisition of MailFrontier in 2006. Essentially, when a user connected to the GRID network marks an email as Spam, the information about the email sender, its content, and associated links are uploaded to the GRID, enabling devices such as the TZ100W to block this newly identified source of spam.
If you don't have your own Email server, the TZ100W blocks spam through the use of Real-Time Black List (RBL) services. The RBL feature works by comparing the source IP address of an email to lists of known spammer IP addresses and dropping the matches. Connections to two well known RBL providers, spamhaus.org and sorbs.net, are enabled by default. Additional Black List services can be added. Note, however, that the TZ100W does not filter spam based on actual analysis of email content or via heuristics.
The value of blocking Spam at the mail serverl is improved network and PC performance. Blocking the spam before it enters your network improves bandwidth on the LAN, as well as frees up LAN PC processors from filtering Spam independently. The Anti-Spam features are managed directly through the Anti-Spam menu.
The rest of the TZ100W security features are enabled or disabled by network zones. As you can see in Figure 7, I've enabled Content Filtering on the LAN, WAN and WLAN zones. Further, I've enabled Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention on the LAN and WAN zones.
Figure 7: Zones
Content filtering on the TZ100W can be configured via policies to block up to 56 different categories of content leveraging a database of “millions of URLS, IP addresses and domains” maintained at worldwide SonicWALL facilities.
I can tell you this, if you create and apply a policy that blocks all 56 categories, you might as well turn off your computer. With the default policy blocking all 56 categories, I received the message shown in Figure 9 just surfing to Yahoo.com and couldn't find a web page I could access.
Figure 8: Content Filter block message
I found the last filtering category, “Not Rated” to be useful. If you're worried SonicWall's database isn't complete enough, filtering unrated websites will block all websites not found in the SonicWall database. Finally, in the event a blocked site should be permitted, the TZ100W has a custom list feature, allowing for adding allowed or blocked domains as well as keyword blocking.
Although the SonicWall Content Filtering was effective in blocking rated websites based on selected categories, like most other content filters I have tested, it wasn't difficult to defeat. With the category pornography selected for content filtering, the TZ100W blocked browsing to adult sites. However, simply typing “porn” in a search on Yahoo.com and clicking the images option presented adult images that should have been blocked.