This new access point is for businesses that want enterprise-grade wireless security without breaking the bank.
Small and mid-sized businesses that want plenty of network management choices and tight wireless security will love WatchGuard's AP420. It can be managed as a standalone access point, remotely via WatchGuard’s Firebox UTM appliances or online via WatchGuard’s Wi-Fi Cloud service.
This Wave 2 AC2500 dual-band access point may look pretty unassuming, but it has a great trick up its sleeve: it has not two, but three radios. Along with the 2.4GHz and 5GHz bands, the AP420 has a WIPS (wireless intrusion prevention system) radio designed to sniff out unauthorised wireless APs and quarantine them.
WIPS calms your concerns about wireless containment as the AP420 only takes an interest in APs that are physically wired into the same network. It has a very particular set of skills and if someone tries to sneak their own AP onto the network, it will find it, alert you to its presence and, if intrusion prevention is enabled, disable it.
Setting up and securing
WIPS requires a Wi-Fi Cloud account and we started deployment by using its Go portal to create wireless SSID profiles. All you do is provide a name, choose an encryption scheme, enter a key and you’re done.
We tested the AP420 along with the cheaper AP320 devices and, as soon as they were powered on and linked to our cloud account, they received the relevant default template and started advertising the secure SSIDs. Our next stop was the main Wi-Fi Cloud portal. This opens with a Launchpad providing quick access to sections for management, demographics analysis and an Engage app for creating marketing campaigns for guest user portals.
The management portal provides a customisable dashboard showing everything you need to know about wireless networks, clients and rogue APs. Templates provide full control over wireless networks and include settings for all four WatchGuard AP models, where you choose the SSIDs to be assigned to them.
SSIDs can have a captive portal, walled garden, rules-based traffic and application firewalls, traffic shaping and QoS for voice and video traffic. BYOD onboarding redirects smartphones and tablets to an authorization URL or walled garden. You can also enforce black and white MAC address lists and enable automatic packet capture for failed client connections.
WIPS works passively out of the box: it identified 47 APs in our vicinity and classed those with no physical network connection as external. We connected a ZyXEL dual-radio AP to the network, which popped up in the portal as a rogue. To test containment, we logged a Windows client onto the AP and enabled WIPS intrusion prevention.
It took two minutes for the change to propagate from the cloud portal but, when it did, our wireless client was kicked off the AP and kept from associating with it. WIPS defaults to disrupting rogue APs by firing ‘deauth’ (deauthentication) packets at up to two 11n and two 11ac channels, but you can change to blocking, interrupting or degrading levels depending on how many channels you want affected. You can also lock the list of authorised APs to stop more being added.
Performance and bottom line
The AP420 is a good performer as well, with real-world file copies using a 5GHz 11ac connection on a Windows 10 Pro desktop averaging 60MB/sec at close range, dropping to 56MB/sec at 10 metres. Coverage is good too, as the SweetSpots app on our iPad only registered a loss of signal after we got 45 metres down the main building corridor.
As wireless access points go, the AP420 isn’t cheap. It sells from around $1300 – and you can add another $200 if you want a one-year Wi-Fi Cloud subscription. However, for the enterprise-grade security and administration features on offer, it’s very good value. The cloud portal is one of the best we've yet seen, performance is great and WatchGuard's WIPS delivers smart wireless security.