CheckPoint Safe@Office continues to surprise
June 6, 2009
Back about 9 months ago I got a CheckPoint Safe@Office unit. These are very low-powered boxes suitable for protecting small office networks from attackers. It is essentially the same hardware as the ZoneAlarm Z100, but with a few more software features (I believe – not sure on this as I don’t have a Z100). I can say that if the Z100 is as full-featured as this one, I would highly recommend it to any home user.
Anyhow, I’ve posted before about how stoked I was to see the feature set of this puppy. It’s an amazing little box. It’s a firewall, access point, can be its own RADIUS server (for Enterprise Authentication), supports 802.1X on the internal ports, supports VLANs, etc.
Since I’m a security NUT, I set up Enterprise Authentication after the 8.0 firmware came out late last year (it was the version unleashing WPA Enterprise support without needing an external RADIUS server).
Anyhow, I started working seriously today toward enabling the USB Loader for my Wii. I won’t bore you with the details, but it’s a long process that ends up with my kids being able to play our Wii games without needing the game disks. (I decided to do this after my 5-year-old broke our Wii inserting a disk and it cost $85 to get it fixed!) Anyhow, the problem I ran into was that while I can get the Wii to access the USB drive, I can’t hit my wired network at the same time via my network USB adapter. I thought that the internal wireless NIC would probably not have this issue, but the Wii doesn’t support WPA Enterprise.
So, I figured I would take my spare Apple AirPort and bring it up as an additional AP, plug it into a port on the Safe@Office, VLAN it to that port and add firewall rules so it was only able to reach the Internet, and not any of my wired (or WPA Enterprise wireless) machines. I didn’t really want another wireless access point, especially when it would only serve one device, but figured it was necessary if I wanted to move forward with my Wii/USB project.
When I went into the Safe@Office to add this, I found myself on the “VLAN Network” page when I selected Add Network. The “Type” field defaulted to “Tag Based VLAN”. Thinking that “Port Based VLAN” would probably be my other option, I hit the pull-down menu, only to be surprised by two items (other than what I was looking for): “Wireless Distribution System” and “Virtual Access Point”.
Whoa! Virtual Access Point? Was this what I thought it was? I selected it, and a Wireless Settings section appeared near the bottom, where I could set a new SSID, along with its own security mechanism. After adding a rule to let devices on that network go to the Internet, but blocking all other destinations (my highly secured networks), I tested it out and it worked fine! My Wii could connect to this new SSID, running on the same hardware as another SSID with different security.
This little box is full of surprises!