AirDefense Operations Guide, Release 7.2, Issue 1.0, December, 2006 Copyright 2003, 2004, 2005, 2006 by AirDefense, Inc. All rights reserved worldwide. Printed in the United States of America
Proprietary Notices
AirDefense is licensed software and hardware. Its use is subject to the terms and conditions of a license agreement or nondisclosure agreement between AirDefense, Inc. and its customers. It is against the law to copy the software on any medium except as specifically allowed in the license or nondisclosure agreement. Information contained in this document is subject to change. No part of this manual and/or software may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than personal use by AirDefense, Inc. without the express written permission of AirDefense, Inc.
Trademarks
AirDefense is a trademark of AirDefense, Inc. in the U.S. and other countries. Air Termination, Active Defenses, Anywhere, Anytime, and Self-Managing are trademarks of AirDefense, Inc. All other trademarks are the property of their respective owners.
Table of Contents
Proprietary Notices ............................................................ 3
Trademarks .................................................................... 3
Call Center Support ........................................................... 3
Introduction
About this Guide .............................................................. 2
Product Overview .............................................................. 3
About the User Interfaces ..................................................... 4
AirDefense and Time ........................................................... 6
Chapter 13 Reporting
Using Web Reporting ......................................................... 180
Using the Report Builder .................................................... 182
Appendix A: ADDadmin Utilities .............................................. 191
Appendix B: Automated Data Retrieval ........................................ 195
Software License Agreement
Introduction
Welcome to AirDefense Enterprise, your key to achieving the ultimate rogue management, policy enforcement, intrusion protection, and health monitoring solution for your wireless LAN.
1.1 About this Guide
This guide describes operational information and some procedures for using the AirDefense Enterprise Wireless LAN protection and management system. This guide is organized by functional areas of the product, because while some functions may require you to use the Command Line Interface (ADDadmin), the majority can be accessed from the Graphical User Interface. Each chapter addresses logical functional areas, regardless of which interface they require. Some chapters include practical applications to help you get the most value out of AirDefense.
1.1.1 Scope
It is not the intent of this guide to give step-by-step instructions on how to install and set up the AirDefense Server or AirDefense Sensors. For these instructions, refer to the AirDefense Server Quick Start, Sensor Quick Start, and Web User Quick Start guides. If you do not have these guides, contact AirDefense, Inc. or download the documentation from the self-support site (search solutions at http://support.airdefense.net). You will find the contact numbers on the inside front cover of this guide. Additionally, it is not the intent of this guide to give you step-by-step instructions on how to use all aspects of the AirDefense GUI. For these instructions, use the Online Help on the Help menu in the AirDefense GUI.
1.1.3 Audience
The audience for this guide includes AirDefense customers and partners who want to use AirDefense and other AirDefense wireless LAN security solutions in their wireless LANs. Familiarity with wireless technology and networks is advisable.
Important!
In the interest of security, you must be a Web User with the role of Admin to use all functions in AirDefense. AirDefense enables you to assign Web User roles to individuals. Your ability to access AirDefense GUI programs depends on your Web User role. It is advisable that the AirDefense administrator have the necessary competency with regard to understanding the basic precepts of wireless networks. Additionally, since the role of Admin represents the highest level of security clearance, it is highly advisable that the administrator be a person who is at the appropriate clearance level to maintain and protect enterprise security.
1.2 Product Overview
AirDefense Enterprise is the ultimate rogue management, policy enforcement, intrusion protection, and health monitoring solution for your wireless LAN. It is the industry's first Self-Managing wireless intrusion protection system (IPS), providing automated protection against wireless threats and attacks. As a key layer of security, AirDefense Enterprise complements wireless VPNs, encryption, and authentication. AirDefense Enterprise is part of the AirDefense family of products that include AirDefense Mobile and AirDefense Personal, offering Anywhere, Anytime Protection for your wireless network.
1.3 About the User Interfaces
A basic AirDefense system consists of an AirDefense Server and one or more Sensors. You manage these components using a combination of interfaces. Each user interface has designated user names, passwords, and, in some cases, varying levels of privileges based on user roles. The table below describes the interfaces, the program area they manage, the functions within the program area, and the type of user required. The user interfaces are described in detail in Chapter 1. Users are described in detail in Chapter 2.
Interface: Enterprise Thin Client Web Interface
  Functionality: Web reporting, Installer downloads
  User: Web User account

Interface: Command Line Interface (ADDadmin)
  Functionality: Manage Dbase, Software, Config
  User: A Command Line User smxmgr account

Interface: AirDefense Graphical User Interface (GUI)
  Functionality: Dashboard, Rogue, Performance, Compliance, Forensic, Intrusion, Alarms, Reports, Config
  User: An AirDefense GUI Web User account with the role of Admin

Interface: Sensor User Interface (Sensor UI), manages the AirDefense Sensor
  Functionality: Sensor Configuration
  User: Sensor User

Interface: Sensor Console Interface (Sensor CI), only on Model 400, manages the AirDefense Sensor
  Functionality: Sensor Configuration
  User: Sensor User
You can find instructions on how to acquire these accounts in the AirDefense Server Quick Start Guide and in Chapter 2 of this guide, Managing Users.
1.4 AirDefense and Time
AirDefense reports alarms, device information, and traffic statistics every minute. To understand the data that appears in AirDefense, you must understand how AirDefense handles system time versus the local GUI time, particularly with regard to alarms. When an alarm occurs, AirDefense detects the alarm in system time and records this time in its database. You configure AirDefense system time by using the Command Line Interface, found in the Configuration program area. When reporting the alarm to your local GUI, however, AirDefense adjusts the report time to your local system time zone. It uses this time to report alarms to the Alarms panel, and it reports other statistical data in the same manner. The last updated time on each GUI program screen (indicated by the time stamp) corresponds to the local system where the browser is running. You configure the GUI time in your local system. Additionally, the AirDefense Server translates the date: the date drop-downs in the applicable programs of a GUI running in New York City, for example, turn over to the next day according to New York local time.
Exception
An exception to this is the Alarm Details panel in Alarms. This panel reports alarm details in system time. The Alarm Details time stamp corresponds to the AirDefense Server's system time. This is the same time stamp you use for SNMP and Email Notifications. You can use this as a point of reference if more than one Web User is viewing the GUI from different time zones.
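The distinction above (alarm times stored in server system time, shown in the viewer's local zone in the Alarms panel, but shown unadjusted in Alarm Details and in SNMP and Email notifications) matters whenever two Web Users in different time zones compare what they see, or when a notification has to be matched to a row in the GUI. The following Python model is an added example, not AirDefense code. It assumes the server's system time is kept in UTC and uses fixed UTC offsets for the two viewer zones (constructed for illustration; a real deployment would use IANA zones with DST rules).

```python
from datetime import datetime, timedelta, timezone

# Constructed fixed-offset zones for illustration only (no DST handling).
SERVER_TZ = timezone(timedelta(hours=0), "SERVER")   # assumed: server system time kept in UTC
NEW_YORK = timezone(timedelta(hours=-5), "NYC")      # constructed viewer zone
TOKYO = timezone(timedelta(hours=9), "TOKYO")        # constructed viewer zone


def record_alarm(detected_at: datetime) -> datetime:
    """Store the detection time in server system time, as the database does."""
    return detected_at.astimezone(SERVER_TZ)


def alarms_panel_time(stored: datetime, viewer_tz: timezone) -> datetime:
    """Alarms panel and statistics: the server adjusts to the viewer's local zone."""
    return stored.astimezone(viewer_tz)


def alarm_details_time(stored: datetime) -> datetime:
    """Alarm Details, SNMP traps and Email notifications: system time, unadjusted."""
    return stored


def gui_date(stored: datetime, viewer_tz: timezone):
    """Date as the viewer's date drop-down shows it; can differ from the server date."""
    return stored.astimezone(viewer_tz).date()


def to_server_time(local_time: datetime) -> datetime:
    """Convert what a Web User sees back to the common reference (system time)."""
    return local_time.astimezone(SERVER_TZ)


def same_alarm(seen_by_a: datetime, seen_by_b: datetime) -> bool:
    """Two aware datetimes refer to one alarm if they denote the same instant."""
    return to_server_time(seen_by_a) == to_server_time(seen_by_b)


def example_alarm() -> datetime:
    """Constructed alarm detected at 23:30 server time, late on 4 December."""
    return record_alarm(datetime(2006, 12, 4, 23, 30, tzinfo=SERVER_TZ))


if __name__ == "__main__":
    stored = example_alarm()
    for name, tz in (("New York", NEW_YORK), ("Tokyo", TOKYO)):
        print(name, "Alarms panel:", alarms_panel_time(stored, tz).isoformat(),
              "date drop-down:", gui_date(stored, tz))
    print("Alarm Details / SNMP / Email:", alarm_details_time(stored).isoformat())
```

The New York viewer sees the alarm at 18:30 on 4 December while the Tokyo viewer sees it at 08:30 on 5 December, so their date drop-downs disagree; converting both back to server time, or reading the Alarm Details time stamp, is what lets them agree they are looking at the same alarm.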
Chapter 1

AirDefense provides the following user interfaces:
Thin client web download and reporting interface
Command Line Interface
Graphical User Interface (GUI)
Sensor User Interface (Sensor UI)
Sensor Console Interface (Sensor CI)
https://<server_ip_address>:8543
https://<server_name>:8543
After you finish the GUI installation, you can log in remotely from a browser.
1.2 Command Line Interface
The Command Line Interface (CLI) contains a set of utilities, called ADDadmin utilities, which you use for initial configuration of the AirDefense Enterprise server. The Command Line Interface also lets you manage file storage and retrieval. You can access the Command Line Interface remotely via SSH, or directly. There are two types of Command Line Users: smxmgr and smxarchive. Each Command Line User requires a password. (For more information on smxarchive, see Appendix B.) The Command Line Interface has the following ADDadmin program areas, all of which appear on the ADDadmin main screen. Each program area contains ADDadmin utilities for performing AirDefense operations. The ADDadmin program areas are:
Local Access

Step 1: Turn on power to the AirDefense Server. As the AirDefense Server is booting up, a command-line login prompt appears on the monitor.
Step 2: At the login prompt, enter smxmgr as your Command Line User name, followed by your Command Line User password.
Step 3: After logging in, enter ADDadmin (case-sensitive!) to launch ADDadmin. The ADDadmin main screen appears.

AirDefense Enterprise Server 7.2 Operations Guide
Remote Access

Step 1: Launch your SSH client and connect to the AirDefense Server's IP address.
Note: You must have a client that supports SSH protocol 2 installed on the remote workstation from which you wish to connect to the AirDefense Server. If your client attempts to use SSH protocol 1, you will receive protocol error messages in syslog. Example:
6/4/2003 16:45:22 sshd(pam_unix) LOGGED: authentication failure, logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=tparkerpc.hitest.com user=root
Step 2: At the login prompt, enter smxmgr as your Command Line User name, followed by your Command Line User password.
Step 3: After logging in, enter ADDadmin (case-sensitive!) to launch ADDadmin. The ADDadmin main screen appears.
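The syslog line quoted in the note above is the pam_unix authentication-failure record that sshd writes, and an administrator reviewing the Server's syslog will want to tell a misconfigured protocol-1 client apart from repeated failed logins from a host that has no business connecting. The following Python parser is an added example, not part of the guide or of the ADDadmin utilities: it extracts the key=value fields from lines in the format shown (the same m/d/yyyy date prefix, with or without a PID suffix after sshd(pam_unix)), counts failures per remote host, and flags hosts over a threshold. The sample log is constructed; only its first line is the guide's own example. The parser does not itself know which SSH protocol version the client used, it only records the failures.

```python
import re
from collections import Counter

# Matches the pam_unix authentication-failure line as shown in the guide, plus the
# common variants with a "[pid]" suffix or a semicolon after "authentication failure".
AUTH_FAILURE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"sshd\(pam_unix\)(?:\[\d+\])?:?\s*(?:LOGGED:)?\s*"
    r"authentication failure[;,]\s*(?P<kv>.*)$"
)


def parse_auth_failure(line: str):
    """Return the fields of a pam_unix authentication-failure line, or None if it is not one."""
    m = AUTH_FAILURE_RE.match(line.strip())
    if not m:
        return None
    fields = {"date": m.group("date"), "time": m.group("time")}
    # key=value pairs; empty values (logname=, ruser=) are kept as empty strings
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("kv")):
        fields[key] = value
    return fields


def failures_by_rhost(lines):
    """Count authentication failures per remote host (rhost)."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_failure(line)
        if rec is not None:
            counts[rec.get("rhost", "")] += 1
    return counts


def hosts_over_threshold(lines, threshold):
    """Remote hosts with at least `threshold` failures, most frequent first."""
    return [host for host, n in failures_by_rhost(lines).most_common() if n >= threshold]


# Constructed sample log: the first line is the guide's own example, the rest are made up.
SAMPLE_LOG = [
    "6/4/2003 16:45:22 sshd(pam_unix) LOGGED: authentication failure, logname= uid=0 euid=0 "
    "tty=NODEVssh ruser= rhost=tparkerpc.hitest.com user=root",
    "6/4/2003 16:45:40 sshd(pam_unix) LOGGED: authentication failure, logname= uid=0 euid=0 "
    "tty=NODEVssh ruser= rhost=tparkerpc.hitest.com user=root",
    "6/4/2003 16:46:05 sshd(pam_unix)[2311]: authentication failure; logname= uid=0 euid=0 "
    "tty=NODEVssh ruser= rhost=tparkerpc.hitest.com user=smxmgr",
    "6/4/2003 16:47:10 sshd(pam_unix) LOGGED: authentication failure, logname= uid=0 euid=0 "
    "tty=NODEVssh ruser= rhost=10.0.0.9 user=smxmgr",
    "6/4/2003 16:47:30 sshd[2320]: Accepted password for smxmgr from 10.0.0.9 port 51234 ssh2",
]

if __name__ == "__main__":
    for host, n in failures_by_rhost(SAMPLE_LOG).most_common():
        print(f"{host}: {n} failure(s)")
    print("over threshold (3):", hosts_over_threshold(SAMPLE_LOG, 3))
```

Run over the constructed log, the three failures from tparkerpc.hitest.com are grouped together while the single failure from 10.0.0.9, followed by an accepted login, reads as an ordinary typo; the successful-login line is ignored because it is not a pam_unix failure record.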
1.3 Graphical User Interface (GUI)
The AirDefense Graphical User Interface (GUI) is the interface you use to do most of the daily operational and administrative tasks in AirDefense. Users of the GUI are called Web Users in some program areas.
Each User requires a User password. Users can be added to the system. Users can have varying levels of user privileges, based on roles. The roles are Admin, Manager, Guest, and Network Operator. For more information, see Chapter 2. Users can be assigned a Domain consisting of one or more locations. The view of data will be restricted to those Domains. For more information, refer to Domain Based Partitioning.

The GUI provides innovative hierarchical trees and advanced filtering for navigation in some program areas and in the Net Map. Hierarchical trees have color-coded icons that represent the components that comprise your wireless LAN. These are Locations, Groups, Sensors, Access Points, Stations and Switches. These icons appear in the trees and in information panels throughout the GUI. Icons represent the devices and their associations in the wireless LAN. Colors represent the state of each device in the wireless LAN.

The Net Map enables you to see a logical map of the devices in your wireless LAN.

You can determine how each Device Type appears throughout the GUI. This is called a Display Preference. For example, you can set Sensors to appear as a Name, an IP address, or a MAC address.

The GUI enables you to drill down into any device using the Forensic Analysis Wizard, which provides detailed Device, Traffic Association, and Forensic data for further analysis.

The GUI provides access to Analysis Wizards, such as Rogue Analysis, Performance Analysis, Compliance Analysis, and Intrusion Analysis, for a summary of all relevant events pertaining to the category selected.

The GUI enables you to see a Live View of each device in your wireless LAN. Live View displays a Summary, Details, and Decodes for any device you select and enables you to perform a packet capture.

The GUI enables you to terminate an unauthorized or rogue device, disabling the connection of the device from your wireless LAN. This is called Termination.
https://<server_ip_address>:8543
https://<server_name>:8543
After you finish the GUI installation, you can log in remotely from a browser. The GUI is not accessible directly from the AirDefense Server.
The GUI provides:
Nine navigation icons to access each GUI program area
Six command icons
Two status indicators
Dashboard

This program area enables you to see a complete overview of the device and alarm activity taking place in your wireless LAN since midnight. In the Dashboard program area, you can access four different views using the Select View drop-down list: Manager, Performance, Security and Vintage views. Graphs can be switched between total and daily trending views. All four Dashboard views provide:
A system activity panel that provides lists for the number of Sensors, Access Points, Stations and active Alarms on your wireless network.
Pie charts and bar charts displaying the top 5 items that are generating alarms in your wireless network, or the scope as selected in the tree panel.

Manager View: The Dashboard window's default Manager View provides information relevant to administrators based on a summary of both Performance and Security data, and includes analysis data for: Security Threat, Rogue Threat, Intrusion Threat, WLAN Health, WLAN Congestion, and WLAN Utilization.

Performance View: The Performance View provides information based on Performance data relevant to a network administrator. This view includes analysis data for: WLAN Health, WLAN Congestion, WLAN Utilization, WLAN Protocol Usage, WLAN Connection Speed, and Alarms.

Security View: The Security View provides information based on Security data relevant to the administrator. This view includes analysis data for: Security Threat Indications, Rogue Threat, Intrusion Threat, Enterprise Policy Compliance, Station Behavior Threat, and Alarms.

Vintage View: The Vintage View provides non-role-based device and alarm information in a table layout similar to the older Enterprise v4.0 Dashboard. This shows you all of the devices seen in the last 15 minutes on the system at a quick glance. The window displays information in the following layout:
Sensors, Access Points, Stations and Alarm count row
View Selection Row; Last update date-time-group
Recent Access Points table
Recent Stations table
Recent Alarms table

The hierarchical tree is also a navigation tool. The Dashboard Tree uses color-coded icons to display the identity and location of each System, Sensor Location, Sensor Group, and connected Sensor in your wireless LAN. The tree represents data that AirDefense has accumulated since the system began running. You can use filter selections to customize which types of Sensors appear in the tree. You can search for a specific device. The tree has a Search Dialog you can use to find any Sensor, AP or Station in your wireless LAN. The Dashboard displays data for any item or scope you select in the tree. Select the Refresh button to update the view.
Rogue

This program area provides a list of devices detected by AirDefense which pose the greatest risk to the security of your network, and how to manage them. Rogues can be viewed by Indicator to prioritize the threats, allowing you to scrutinize a device so that decisive action can be taken quickly. Using the Rogue Device Analysis window, you can view:
The name of the location and group where the devices have been seen.
The type of Rogue, SSID, last seen time, signal strength and channel of the device.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

Exploits

The Exploits view displays devices within the selected scope that are causing or experiencing intrusions/exploits in your WLAN. Exploits can come in the form of denial of service, identity theft, manipulation of frames and protocol, penetration attempts by malicious users and reconnaissance activities. Using the Exploits Analysis window, you can view:
The priority of the exploit threat by color-coded threat level, and group.
The name of the location and group where the devices have been seen.
The type of exploit, last seen time, signal strength and channel of the device.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

Vulnerability

This view displays devices within the selected scope, providing an analysis of device configuration and how susceptible to attack they are. Exploits are events in which a user is actively interacting with the wireless network or wireless medium. By exploiting wireless vulnerabilities, a malicious user could cause wireless network disruptions or use the wireless medium to gain access to corporate resources and confidential data. The vulnerabilities may exist due to network configuration, corporate policy, or an inherent flaw in the 802.11 protocol. Using the Vulnerability Analysis window you can view:
Policy

Policy Compliance events provide information about the observed operational configuration compared to the configuration set in the AirDefense policy manager. Using the Policy Analysis window, you can view:
The name of the Location and Group where the devices have been seen.
The type of policy violation alarm, SSID, last seen time, signal strength and channel of the device.
Select a policy violation and right-click on a device to edit policy configuration.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

Reconnaissance

The Reconnaissance window gives an overview of devices that are currently scanning and/or actively monitoring what is occurring on your network. Using the Reconnaissance Analysis window you can view:
The priority of the reconnaissance threat by color-coded threat level, and group.
The name of the location and group where the external devices have been seen.
The type of alarm, last seen time, signal strength and channel generated by the external device.

Performance

The Performance Analysis window is the view where you can assess at a glance the overall status and health of device activity on your network, identify potential problem areas and then escalate action against them. This window identifies problem areas by showing all performance-based alarms that appear in your environment. Using the Performance Analysis Wizard you can view:
The criticality of the device issue.
The name of the location and group where the devices have been seen.
The type of performance issue, device SSID, last seen time, signal strength, and channel.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.
Alarms

This program area enables you to view the alarms that are occurring in your wireless LAN, or in a selected scope, and to manage alarms and termination policies. Using the Alarms window, you can:
See which Sensors, Access Points, and Stations are generating alarms, when the alarms are being generated, and what conditions are triggering the alarms.
View Details and Summaries on any selected single alarm, and a suggested course of action. Expert Help is also available on specified alarms and provides more information on the alarm cause, effect and potential remedy.
Determine which alarms to display in the Alarms panel, and how to summarize the data for a particular alarm.
Use built-in (default) filters or design custom filters to determine the data content of information panels.
Group alarms into Alarm Priorities or other groupings.
Enable, re-enable, clear, or remove one or more alarms from AirDefense.
Enable or disable any specific alarm, either globally or by device.
Change the Alarm Priority of any alarm in AirDefense.
Edit device termination policies (Action Plans) for Policy-based Terminations.
Location

Go to the Location Tracking (Triangulation) window for location tracking configuration and device tracking. Using the Location Tracking sub-window, you can:
Upload multiple bitmap layouts of your Location.
Accurately measure distances using the Set Scale function.
Click and drag devices into your uploaded map.
Perform triangulation on a device with a minimum of 3 Sensors.
Review all of the basic stats of a detected rogue device.
Forensic Analysis Wizard

This window enables you to review specific device information and analyze what it is currently doing in AirDefense. It is a universally applicable function, which provides detailed Device, Traffic Association, and Forensic data for further analysis of a suspicious device (AP or Station). The window also allows users to analyze a device which may not have been listed as an offending device in any of the other analysis drill-downs. Using the Forensic Analysis Wizard window you can view:
Threat Analysis tab, which lists all alarms and displays the Threat Level of a particular device.
device status and traffic activity.
Device Forensics tab, which displays device traffic flow patterns to and from access points/stations, associations and additional data to ascertain device traffic and determine device activity.
Locate Device tab, where you can access Live View and/or locate devices using triangulation or signature. The Locate tab also shows a Behavior map and signal strength for sensors seeing the device.
Threat Mitigation tab, which enables you to take further action. The options are: configure device policy, terminate wirelessly, or look up the wired port.
Use the GUI's four drop-down menu bar options, located in the upper left corner, to access all of AirDefense's categories of functions and system information.
File: Log out of AirDefense Enterprise. Refresh the content of the program area currently displayed. Close and exit out of the AirDefense Server.
View: Access the Dashboard, Rogue, Exploits, Vulnerability, Policy, Reconnaissance, Performance, Alarms, Location, Terminations, and Port Suppression program areas.
Tools: Access the Tools-related program areas of AirDefense: Configuration, Forensics, Network Map, Reports and Reports Builder.
Help: Access all instructional, help and reference material: Online Help, Operations Guide (PDF), Icon Key (PDF), Glossary (PDF), as well as technical support information.
When the AirDefense Graphical User Interface (GUI) is properly connected to its data source, with all systems functioning normally and updates being received successfully, there is no visible indication on your AirDefense GUI. If your status disconnects, you must reload the browser and log in again.
Config > User Preferences

View and manage user preferences. Using the Config window's User Preferences, you can:
Change the display preferences.
Change the current user password.
Change the Dashboard refresh rate.

Config > Manage Alarms

View and manage Alarms and Alarm Priorities. Using the Config window's Manage Alarms, you can:
Enable or disable alarms.
Adjust the priorities of each Alarm.
Clean or purge the Alarms.

Config > Sensor Manager

View and configure the Sensors in your wireless LAN. Using the Config window's Sensor Manager, you can:
View the status and location of Sensors in your wireless LAN, organized in a hierarchical tree. The Sensor Tree shows the associations and behaviors of each Sensor, represented by a color-coded icon. Beside each icon is a letter designation (a,b,g), representing the protocol of the device. Icons and folders also display a number (nn), representing the number of devices that appear below them in the tree.
Build your AirDefense hierarchy of devices, consisting of Location, Group, and Sensor.
Identify Sensor Locations and Sensor Groups.
Configure the settings for Sensors.
Add managed switches for wired-side rogue detection and port lookup.
Config > Policy Manager

Define and manage policies for the devices in your wireless LAN, and add Access Points and Stations to your wireless LAN. Using the Config window's Policy Manager window, you can:
View the location of devices in your wireless LAN, organized in a hierarchical tree. The Policy Tree shows the associations and behaviors of each device, represented by a color-coded icon. Beside each icon is a letter designation (a,b,g), representing the protocol of the device. Icons and folders also display a number (nn), representing the number of devices that appear below them in the tree.
Create policies to apply to individual Sensors, Access Points, and Stations in your wireless LAN. This includes setting Access Point Configuration Policies to allow a VPN (Virtual Private Network).
Add Access Points and Stations to your wireless LAN.
Import Access Points and Stations into your wireless LAN.
Delete devices from your wireless LAN.
Manage Access Point policies.

Monitor the use of VLANs that are partitioned on the Access Point by an SSID, and alarm if they are not being used where required.

Config > Notification Manager

Specify how AirDefense delivers its alarm notifications and reports to designated recipients. Using the Config window's Notification Manager window, you can:
Set the default intervals for the notification system. You can toggle notifications on and off. You can enable or disable all Email, SNMP, and Syslog notifications, and configure the Email, SNMP, and Syslog intervals (in minutes) for each type of notification. This is the number of minutes that lapse between the Email, SNMP, and Syslog notifications (applies only to alarm notifications).
Configure Email Notifications. You can configure options for individuals who will receive alarm and report notifications by email and, if desired, configure daily or weekly management reports. There are standard settings and advanced settings, which include filters and utilities that enable you to customize email notifications. You can send email notifications immediately to selected recipients, using the Send Now feature.
Configure SNMP Notifications. AirDefense can send traps to your SNMP server. There are standard settings and advanced settings, which include filters and utilities that enable you to customize SNMP notifications.
Configure Syslog Alarm Notifications. AirDefense can send notifications to your Syslog server. There are standard settings and advanced settings, which include filters and utilities, that enable you to customize Syslog notifications.
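The per-channel interval described above trades notification volume against delivery latency: a long interval keeps an SNMP or Email recipient from being flooded during an alarm storm, but an alarm raised just after a notification went out can wait almost the whole interval. The following Python simulation is an added example, not AirDefense code, and its semantics are an assumption rather than a statement of how the Notification Manager is implemented: an idle channel sends an alarm at once, and alarms arriving before the interval has lapsed are held and sent together when it does. The alarm times are constructed.

```python
from datetime import datetime, timedelta


def plan_dispatches(alarm_times, interval_minutes):
    """Group alarm timestamps into notifications spaced at least one interval apart.

    Assumed semantics (not taken from the guide): a channel that is idle sends an
    alarm immediately; alarms arriving before the interval has lapsed are held
    and sent together once it has.  Returns a list of (send_time, [alarm_times]).
    """
    interval = timedelta(minutes=interval_minutes)
    pending = sorted(alarm_times)
    dispatches = []
    send_at = None
    while pending:
        if send_at is None or pending[0] >= send_at:
            send_at = pending[0]          # channel idle: send right away
        batch = [t for t in pending if t <= send_at]
        pending = pending[len(batch):]
        dispatches.append((send_at, batch))
        send_at += interval               # next notification no sooner than this
    return dispatches


def worst_case_delay(dispatches) -> timedelta:
    """Longest wait between an alarm and the notification that carried it."""
    return max(send_at - t for send_at, batch in dispatches for t in batch)


def constructed_alarms():
    """Constructed alarm times: a burst, a straggler, then a quiet period."""
    base = datetime(2006, 12, 4, 9, 0)
    return [base + timedelta(minutes=m) for m in (0, 1, 2, 4, 7, 20)]


if __name__ == "__main__":
    for minutes in (0, 5, 15):
        plan = plan_dispatches(constructed_alarms(), minutes)
        print(f"interval={minutes:2d} min: {len(plan)} notifications, "
              f"worst-case delay {worst_case_delay(plan)}")
```

With an interval of 0 every alarm goes out on its own (six notifications, no delay); at 5 minutes the same alarms collapse into four notifications with a worst-case delay of 4 minutes; at 15 minutes there are three notifications but one alarm waits 14 minutes. Whatever interval is chosen, the Alarm Details time stamp in the GUI still shows when the alarm was detected, not when it was delivered.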
Appliance Manager

Administer your AirDefense system. The programs you will be able to use depend on your Web User role. Using the Appliance Manager area, you can:
Configure User Display Preferences and Current User Information.
View and configure Web Users.
Export and back up data. Instead of backing up the entire database, you can back up just the user-supplied configurations, including policies and system configurations, without backing up the entire statistics and alarm databases.
Update AirDefense licenses.
View and create security certificates and perform other administrative tasks concerning requesting and installing certificates.
Use the User Edits panel to view and track edits to AirDefense.
Configure Location Tracking (Signature) settings, manage calibration settings, and manage tracking sessions for Location Tracking (Signature).
Synchronize device information between a third-party management server and the AirDefense Server.

Give your AirDefense system a name; set a system port for access to the AirDefense GUI; enable or disable Air Termination, Policy-based Termination, and Port Suppression for the system; adjust the Threat Level Sensitivity for the system.
System Setup Wizard

The System Setup Wizard guides the user through a basic list of system settings required for AirDefense system configuration. All eight configuration step categories are optional and can be finished at any point. Using the Configuration System Setup Wizard, you can:
Setup System Settings
Define Network Structure
Create User Accounts
Define Policies
Configure Alarms
Schedule Autoclassification
Enable Notifications
Import Devices
You can re-size the width of panel columns by dragging the column separators with your mouse. (Column size persists as pages are refreshed, but not if the screen reloads. In this case, the columns return to their default size.) You can sort the contents of the panel by clicking any column heading (see Column Sorting, below).
The cursor changes to a two-sided arrow when you drag over a column separator.
Column Sorting
In any column, you can click on the column header to sort the contents of the column. The black sorting arrow will only appear when the header is selected. Sorting can affect the data across the entire row. Sorting of numeric columns toggles the data from greatest to least (down arrow) or from least to greatest (up arrow). Sorting of alphanumeric columns toggles the data alphabetically, from A to Z (up arrow) or from Z to A (down arrow).
Using the Navigation Trees, you can access data based on a combination of the network topology and the type of information you are looking for. You can easily isolate the devices you want to receive data on, and customize the data that appears. The trees work in conjunction with the actual information panels. The Navigation Trees provide filters that enable you to determine the contents of the tree, effectively reducing the number of devices in the tree, making navigation easier. Using the Tree Filter, you can select from over 30 different criteria, depending on the device type. This includes isolating devices by a, b, and g protocols.
display Access Points observed (during the selected time range), followed by their SSID.
AP>Station: The hierarchical order changes to display Access Points observed (during the selected time range), followed by associated Stations.
SSID>AP>Station: The hierarchical order changes to display SSIDs observed (during the selected time range), followed by Access Points, then Stations under the SSID.
Station>AP>SSID: The hierarchical order changes to display Stations observed (during the selected time range), followed by their associated APs, then their SSIDs.
Switch: The hierarchical order changes to display device Switch IP addresses and Port Numbers.
Icons show the Sensor Location, Sensor Group, Sensor, Access Point, and Station associations in your network. In GUI programs where the tree appears, you can click on the individual network elements in the tree to access information and configuration screens that apply to the element.
Static icons represent network elements. Each network element in the AirDefense wireless LAN is represented by an icon. Static icons also represent logical associations, such as an SSID, a Location, or a Group. The AirDefense GUI Help contains full descriptions of AirDefense icons. You can also access the AirDefense Icon Key PDF file, found under the Help drop-down list.
Color: Red
Meaning:
Access Point: Unauthorized. All Access Points are unauthorized when they are first discovered by AirDefense. They remain unauthorized until a Web User with the role of Admin changes their state to authorized.
Station: Unauthorized on a given Access Point. Unauthorized indicates that the Station is not authorized for the Access Point it appears under. The same Station can appear as Red or Green, depending on whether or not it is authorized on the Access Point it is under. Stations have a W on Red if they are on the Watch List.
Sensor: Offline, which indicates that the Sensor has been observed by the Server, but is currently not communicating with the AirDefense Server. If you did not intentionally take a Sensor offline, reboot it (see Managing Sensors on page 105).

Color: Green
Meaning:
Station: The Station is authorized under the Access Point and has been observed as associated to that Access Point. Stations have a W on Green if they are on the user-configurable Watch List (for information on how to configure the Watch List, go to the Policy program area in the GUI and click on Quick Help from the Help Menu).
Access Point: The Access Point is authorized and has been observed by a Sensor.
Sensor: Online, which indicates that the Sensor is functioning normally and in communication with the AirDefense Server. To be in this state, the Sensor must be connected to the AirDefense Server.

Domain
Location
Group
Sensors seeing the device
Access Point that the device is connected to (in the case of a Station)
Frame Capture
Frame Capture lets you capture all frames transmitted over the air to or from a specific device. You can then export the captured data to an external analyzer such as Ethereal or AiroPeek.
1.4
The Sensor User Interface (Sensor UI) is an HTML-based interface that resides on the Sensor. Each Sensor actually contains a small web server. The Sensor UI enables you to initially configure Sensors and to perform some maintenance activities after the initial installation. There are two types of Sensor Web Users, admin and monitor. These roles have varying levels of user privileges. Each Sensor Web User requires a password.
From the Sensor UI you can, for example, change the password of a Sensor Web User (the Admin or Monitor user).
1.5
The Sensor Console Interface (Sensor CI) enables Sensor maintenance through direct access to the Sensor's serial (console) port; this section applies only to the Model 400 Sensor. The console is useful if the Sensor's IP address has been lost, or if the Sensor's default IP address is already in use by another device on the network. Without an IP address you cannot reach the Sensor UI to configure the Sensor.
2 Managing Users
AirDefense lets you create numerous users with role-based permissions that control which functionality each user can access. You can also limit each user's exposure to alarms to specific areas of the network, and customize the default navigation tree views for each user. Although the primary way to manage users on the AirDefense Enterprise server is through the GUI, you can use the CLI (ADDadmin) for some functions. AirDefense, Inc. recommends that you use the GUI. This chapter focuses primarily on managing users through the GUI.
2.1

The AirDefense Enterprise Server has four role types that you can assign to users. Each role has access privileges appropriate to the corresponding role in your organization. The role types are:

- Admin
- Manager
- Network Operator
- Guest
Admin
Users with the role of admin have read and write access to all areas of AirDefense server and sensor administration, including creation of other admin users. An individual with Admin privileges can change all configurations.
Important!
Because of the level of responsibility for configuring the AirDefense server and the implications for enterprise security, you should make sure that any users with the role of admin have a comprehensive understanding of networking, wireless devices, and security, as well as the appropriate network access and clearance to implement the system.
Manager
Manager represents the second level of security clearance. Users with the role of Manager have the same privileges as the Admin, with the exception that a Manager cannot manage users.
Network Operator
Network Operator represents the third level of security clearance. Users with the role of Network Operator have primarily read-only access, but they can acknowledge, clear, and purge alarms in the Alarms program area.
Guest
Guest

Guest represents the lowest level of security clearance. Users with the role of Guest have read-only access to the GUI program areas, except that they can:

- Set their own user preferences and passwords in the Admin program area
- Create and save alarm filters in Alarms
2.2 Managing Users

User Mgmt (Config > Appliance Manager > User Mgmt) opens the User Management tab. Use this panel to view and configure user configurations in AirDefense.
View: view user names, roles, full names, and descriptions for all users.

Configure:

- Add users
- Change user passwords
- Delete users
- Limit user views to devices and alarms for specific Locations and Groups
- Configure Local or External Authentication
Strong Passwords

The AirDefense Enterprise GUI requires strong passwords that meet all of the following criteria:

- Contain no spaces or tabs
- Are at least 5 characters long (34 characters maximum)
- Contain at least one digit
- Contain at least one uppercase character
- Contain at least one lowercase character
- Contain at least one of the following symbols: ~ ! @ # $ % ^ & * ( ) _ + - = ? < > { } [ ] | \ : ; , . /

Example: Admin!23
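The following Python script is an added example, not part of the AirDefense guide or product. It encodes the criteria above as a checker and pairs it with a generator that draws passwords from a cryptographically secure random source. The user-name check is an addition beyond the guide's list, so that the guide's own example, Admin!23, is rejected for the admin account; every other rule is the guide's.

```python
import secrets
import string

# Criteria from the guide's Strong Passwords list.
MIN_LEN, MAX_LEN = 5, 34
SYMBOLS = "~!@#$%^&*()_+-=?<>{}[]|\\:;,./"


def check_password(pw, username=None):
    """Return the criteria that pw fails; an empty list means the password is acceptable.

    The username check is an addition beyond the guide's list: it rejects passwords
    that contain the account name, which "Admin!23" would otherwise pass for the admin user.
    """
    failures = []
    if " " in pw or "\t" in pw:
        failures.append("contains a space or tab")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        failures.append("length must be %d to %d characters" % (MIN_LEN, MAX_LEN))
    if not any(c in string.digits for c in pw):
        failures.append("needs at least one digit")
    if not any(c in string.ascii_uppercase for c in pw):
        failures.append("needs at least one uppercase letter")
    if not any(c in string.ascii_lowercase for c in pw):
        failures.append("needs at least one lowercase letter")
    if not any(c in SYMBOLS for c in pw):
        failures.append("needs at least one symbol from " + SYMBOLS)
    if username and username.lower() in pw.lower():
        failures.append("contains the user name")
    return failures


def generate_password(length=16):
    """Return a random password that satisfies check_password().

    Draws from the CSPRNG behind the secrets module and rejection-samples until
    every required character class is present.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the %d-%d policy range" % (MIN_LEN, MAX_LEN))
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    print(check_password("Admin!23"))                   # [] : meets the guide's criteria
    print(check_password("Admin!23", username="admin"))  # rejected by the added user-name check
    print(generate_password())
```

The policy as written accepts dictionary-based passwords such as the example, and a floor of 5 characters is low; when you set the admin password, prefer the generator's default length of 16 and keep the user-name check enabled.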
Important!
Change the default admin account password at your first opportunity. Leaving the default password on the system poses a security risk.
Procedure

Step  Action
1     Log in to the AirDefense GUI.
2     Click Tools > Configuration to open the Configuration program area.
3     Click the Appliance Manager button.
4     Select the User Mgmt button to open the User Management window.
5     Select the name of the user whose password you want to change.
6     Click the Configure tab and type the new password.
7     Type the new Web User password in the Verify Password box.
8     Click Apply to save.
2.3 User Preferences

Every user can control some aspects of how the AirDefense Enterprise GUI displays information. Users can set these preferences themselves, or an admin user can set up user preferences for other users. Select Config > User Preferences to display the three tabs that control your user preferences. Among these settings is the default Dashboard data view, which can be one of the following:

- Manager (default): a combination of security and performance charts
- Performance: performance charts
- Security: security charts
- Vintage: data in list form, as in previous versions of the AirDefense Enterprise GUI

Regardless of which view you choose as your default, you can change the view at any time from the Data View drop-down on the Dashboard.
Domains let you limit which devices and alarms each user sees. Assign domains to users when:

- Different users have responsibility for different parts of the network
- Different users have responsibility for different customer accounts on the same appliance (such as managed security services)
- You want to limit the number of alarms a user is likely to see

Each domain can include multiple Locations and their corresponding Groups. Only users with Administrative privileges can assign domains. Instructions for defining domains and assigning them to users are in Chapter 10, Configuring Enterprise Features.
2.5 Authentication

The AirDefense server provides options for how it authenticates users. By default it uses Local Authentication. To authenticate users against passwords stored on a RADIUS or LDAP server, configure Authentication profiles and assign them to users. To open the Configuration window for External Authentication profiles, go to Tools > Configuration > Appliance Manager > External Auth. After you define Authentication Profiles, assign them to users as follows:

Step  Action
1     Select Tools > Configuration to open the System Configuration window.
2     Select the Appliance Manager button, then click the Users button.
3     If you are assigning a profile to an existing user, select the user on the View tab.
4     Select the Configure tab and click the Edit button.
5     Under Authentication, select one of the pre-defined profiles from the drop-down menu.
6     Click Apply to save.
2.6 Sensor UI Users

The Sensor UI lets you view and configure Sensor UI user names, roles, and passwords. Assign Sensor UI access according to the roles of individuals in your organization; the role determines which settings are available in the Sensor UI.

- Admin: has both read and write privileges and can change all Sensor settings. The Admin can add new Sensor UI Users and assign them a role, including Admin.
- Monitor: can only view settings.
2.7

Although you perform most user configuration in the Enterprise GUI, the ADDadmin utilities in the CLI let you:

- Add a Web User to AirDefense and assign the new Web User a role (Admin, Manager, Guest, or Network Operator)
- Delete a Web User from AirDefense
- Set or change the password of a Web User

Step  Action
1     Log in to the Command Line Interface. See Using the Interfaces on page 7 for instructions.
2     Type m, then press <Enter> at the command prompt. The Manage screen appears.
3     Type webu, then press <Enter>.
4     To add a user: type A and press <Enter>. Type the new user name. Assign a role by typing Admin, Manager, Guest, or Network Operator. Type the new Web User password, then confirm it by typing it again.
5     To delete a user: type d and press <Enter>. Type the name of the user to delete, press <Enter>, then type yes to confirm.
6     To change a user's password: select Change a Password. Type the name of the user whose password you want to change and press <Enter>. Type the current password and press <Enter>. Type the new password and press <Enter>, then type it again and press <Enter>. Type yes to confirm, then press <Enter>.

Command Line User passwords: if you are logged in as smxmgr, you can change the passwords for smxmgr and smxarchive. If you are logged in as smxarchive, you can change only the smxarchive password.

Step  Action
1     Log in to the Command Line Interface.
2     Type m, then press <Enter> at the command prompt. The Manage screen appears.
3     Type passwd, then press <Enter> at the prompt.
4     Type the line number of the user whose password you want to change (smxmgr or smxarchive) and press <Enter>. If you are smxmgr and pressed 1, AirDefense prompts for your current UNIX password; type it, and AirDefense then prompts for a new password. If you are smxarchive and pressed 2, AirDefense prompts directly for a new password.
5     Type the new password and press <Enter>. If the system accepts the format of the new password, it returns "Retype new password:".
6     Type the new password again and press <Enter>. If the system accepts the password, it returns "All authentication tokens updated successfully."
3 Managing Alarms
To manage alarms, you use both the AirDefense Enterprise GUI and the ADDadmin utilities in the Command Line Interface.

GUI: Using the Alarms program area in the AirDefense GUI, you can:

- Acknowledge alarms, or clear alarms from the Alarms counters.
- Clear or purge alarms from the AirDefense database.
- Change the priority of an entire alarm type.
- Enable or disable specific alarm types.
- Manage Policy-based Terminations.

ADDadmin: Using ADDadmin utilities in the Dbase program area, you can:

- Enable or disable AirDefense's automated alarm management feature.
- Change the maximum alarm count.
3.1 GUI

The GUI's Alarms program area has an Alarms panel with details about the alarms generated in your wireless LAN: which Sensors, APs, and Stations are generating alarms, when they are generated, and what conditions trigger them. In this panel you can:

- Acknowledge or clear an alarm or a group of alarms. When you acknowledge or clear an alarm here, AirDefense records your user name and the time, and the alarm remains active.
- Enable or disable types of alarms.
- Adjust alarm priorities for an entire alarm type: highlight an alarm in the table, right-click, and select Alarm Configuration. Each alarm type in AirDefense has one of five Criticalities: Severe, Critical, Major, Guarded/Minor, and Low/Safe. These priorities are system-wide and independent of the user.
- Clear all alarms from the display panels, remove all cleared alarms from the AirDefense database, or remove ALL alarms from the database. You can also remove cleared alarms, or ALL alarms, for a time range you specify. See the online help for more information.
You can disable the alarm for devices as specified by their MAC address in the Disabled for Devices field. The devices that appear in this list can only be specified and entered on the Alarm Manager window. Use the adjacent Remove button to remove them from the list.
3.2 ADDadmin

The ADDadmin Dbase program area has an ALARMS utility that you can use to:

- Enable AirDefense's automatic alarm management feature (the default)
- Disable AirDefense's automatic alarm management feature
- Change the maximum alarm count (default 15,000)

When automatic alarm management is enabled and the number of alarms exceeds the maximum alarm count you specify, AirDefense automatically deletes repetitious alarms, leaving, for each alarm type, one alarm per device type and day. Depending on the volume of incoming alarms, AirDefense deletes the oldest alarms first, at fifteen-minute intervals, then at intervals of one hour, twelve hours, one day, and thirty days, until the number of alarms is equal to or less than the configured count.

To use the ALARMS utility:

Step  Action
1     Access the Command Line Interface.
2     Type d, then press <Enter> at the command prompt. The Dbase screen appears.
3     Type alarms, then press <Enter>. The current alarm state appears at the top of the screen (for example, "Automatic Alarm Management currently enabled with maximum alarms set to 15000"), followed by these choices:
      (E) Enable Automatic Alarm MGMT: the default setting. It remains in effect until you select one of the other two options.
      (D) Disable Automatic Alarm MGMT: a message asks you to save the current alarm state, now disabled. Type yes to confirm that you want alarm management disabled, or no to return to the Dbase settings screen, leaving the database untouched.
      (C) Change max alarm count: press <Enter> to keep the existing count, or enter a new number. A message then reports that alarm management is enabled with the specified count and asks you to save that state. Type yes to confirm, or no to return to the Dbase settings screen, leaving the database untouched.
4     Type q, then press <Enter> to return to the main screen.
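As an added example (not the product's own code), the following Python models the pruning pass described above: alarms are grouped by device, alarm type and calendar day, the newest alarm in each group is kept, and older repeats are deleted oldest-first until the count drops to the maximum. The grouping key and the sample alarms are assumptions; the escalating 15-minute to 30-day run intervals are a scheduling cadence and are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

DEFAULT_MAX_ALARMS = 15000  # the guide's default maximum alarm count


@dataclass(frozen=True)
class Alarm:
    id: int
    device: str      # MAC of the AP, Station or Sensor the alarm is about
    type: str        # alarm type, e.g. "Rogue AP"
    time: datetime


def prune_repetitious(alarms, max_alarms=DEFAULT_MAX_ALARMS):
    """Delete repeated alarms, oldest first, until the count is at or below max_alarms.

    Alarms are grouped by (device, type, calendar day); the newest alarm in each group
    is never deleted, so one alarm per device, type and day always survives. If removing
    duplicates alone cannot bring the count down to max_alarms, the remaining unique
    alarms are kept. Returns (kept, deleted), each in the original order.
    """
    if len(alarms) <= max_alarms:
        return list(alarms), []
    groups = defaultdict(list)
    for a in alarms:
        groups[(a.device, a.type, a.time.date())].append(a)
    duplicates = []
    for group in groups.values():
        group.sort(key=lambda a: a.time)
        duplicates.extend(group[:-1])          # everything but the newest in the group
    duplicates.sort(key=lambda a: a.time)      # oldest first across all groups
    excess = len(alarms) - max_alarms
    doomed = {a.id for a in duplicates[:excess]}
    kept = [a for a in alarms if a.id not in doomed]
    deleted = [a for a in alarms if a.id in doomed]
    return kept, deleted


def sample_alarms():
    """Constructed sample: three repeats of one alarm on one day plus three unique alarms."""
    def t(day, hour, minute=0):
        return datetime(2006, 12, day, hour, minute)
    return [
        Alarm(1, "00:11:22:aa:bb:01", "Rogue AP", t(1, 9, 0)),
        Alarm(2, "00:11:22:aa:bb:01", "Rogue AP", t(1, 9, 15)),
        Alarm(3, "00:11:22:aa:bb:01", "Rogue AP", t(1, 9, 30)),
        Alarm(4, "00:11:22:aa:bb:02", "Ad-hoc Network", t(1, 10, 0)),
        Alarm(5, "00:11:22:aa:bb:01", "Rogue AP", t(2, 8, 0)),   # next day: a new group
        Alarm(6, "00:11:22:aa:bb:03", "WEP in use", t(1, 11, 0)),
    ]


def run(max_alarms):
    """Prune the sample set and return the surviving and deleted alarm ids."""
    kept, deleted = prune_repetitious(sample_alarms(), max_alarms)
    return [a.id for a in kept], [a.id for a in deleted]


if __name__ == "__main__":
    for limit in (10, 5, 4, 2):
        print(limit, run(limit))
```

With a limit of 4, the two older "Rogue AP" repeats from 1 December are removed and the 09:30 alarm survives; with a limit of 2 the count cannot reach the limit because only repeats are eligible, so four alarms remain. That is the behaviour to expect when the maximum alarm count is set below the number of distinct device/type/day combinations on a busy network.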
3.3 Practical Applications

The Email, SNMP, and Syslog alarm notifications you receive from AirDefense (see Managing Notifications on page 51) carry the priority of each alarm, so set alarm priorities to suit the notifications you want to receive.

Use the Auto Classification panel (Tools > Configuration > Policy Manager > Auto Classification) to apply a series of rules to the devices detected on your network at one time. These rules determine how the system automatically classifies each discovered device: Authorized, Unauthorized, Ignored, or marked for deletion. You can classify a large list of devices at once (authorize, unauthorize, or ignore them), bypassing the labor-intensive process of applying policy settings to individual devices.

Step  Action
1     Go to the Rule Sets tab to view the available Rule Sets or define a new Rule Set, and add Action Rules to your new Rule Set (at least one rule). The rules in a Rule Set are handled in sequence, top to bottom: the first rule and its action, then the second rule and its action, and so on.
2     Go to the On Demand tab, select a Rule Set, and click the Classify Devices button to run it with the selected Rule Set. Click Apply to confirm the selection.
The On Demand tab has the following controls: Scope, Apply Results, Max, and the scroll buttons.

Scroll Buttons: use the horizontal scroll buttons to move back and forth through multiple pages of classification results.
The Rule Sets tab provides the following controls for Action Rules:

- A button that deletes an existing Action Rule.
- A button that, with an existing Action Rule selected, copies that rule so you can modify it and create a new Action Rule.
- A drop-down list from which you choose an existing Action Rule to open.
- Name: when creating a new Action Rule, enter its name in this text box. Existing names can be edited here.
- A drop-down list that selects whether the rule applies to APs or Stations.
- The action taken if the Condition is met: Authorize, Delete, Ignore, or Unauthorize.
- Conditions: select whether the device must meet all, meet any, fail all, or fail any of the conditions.
Filter Parameters: select and highlight one or more parameters from the list and define filters for them:

- Vendor
- Channel
- SSID
- Signal Strength
- Protocol
- 802.1x Username
- Last Seen
- Connectivity
- Base Authentication
- Extended Authentication
- Key Generation
- Encryption

A parameter you have modified appears in bold. For example, an Action Rule might authorize APs that meet both the Vendor name filter and the SSID filter. Multiple parameters and filters can be selected; when you click Apply, the selections are saved for that Action Rule.
WARNING!

Use scheduled Auto Classification with caution. The system periodically re-classifies all devices that match a pre-defined Rule Set: based on the criteria you specify, it will automatically and periodically authorize, ignore, or delete devices it detects. A rule that is too broad can authorize a rogue device without anyone looking at it.

Enable scheduled Classification: select this checkbox first; scheduled classification cannot be added or enabled until it is selected.
Reclassify authorized and ignored devices: auto-classification normally considers only unauthorized devices; select this option to have it also consider authorized and ignored devices.

Function         Description
Scope            Select the scope for Auto Classification: the whole System, a Domain, a Location, or a Group.
Update Interval  Select the interval between updates, measured in Minutes, Hours, or Days.
Update Start     Enter the date on which re-classification begins, and in the adjacent drop-down list the time of day.
Rule Set         Select the Rule Set used for re-classification. The Rule Sets listed here must first be added on the Rule Sets tab.

After you click Apply, the selections are saved for that scheduled classification rule.
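The following Python is an added example, not AirDefense code, that models the Rule Set behaviour described above and in the Practical Applications section: Action Rules are applied in order to each device, each rule uses one of the four condition modes (meet all, meet any, fail all, fail any) over the filter parameters, and the Reclassify option decides whether Authorized and Ignored devices are re-evaluated. The rule names, vendors, SSIDs, user-name domain and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

# Classification states from the guide; "marked for deletion" is modelled as a state.
UNAUTHORIZED, AUTHORIZED, IGNORED, DELETED = "Unauthorized", "Authorized", "Ignored", "Deleted"
ACTION_TO_STATE = {"Authorize": AUTHORIZED, "Unauthorize": UNAUTHORIZED,
                   "Ignore": IGNORED, "Delete": DELETED}


@dataclass
class Device:
    mac: str
    kind: str                    # "AP" or "Station"
    state: str = UNAUTHORIZED    # every newly discovered device starts Unauthorized
    attrs: dict = field(default_factory=dict)   # filter parameters: Vendor, SSID, ...


@dataclass
class ActionRule:
    name: str
    applies_to: str   # "AP" or "Station"
    action: str       # Authorize, Unauthorize, Ignore or Delete
    mode: str         # "all", "any", "fail_all" or "fail_any"
    filters: dict     # parameter name -> set of acceptable values, or a predicate

    def matches(self, dev):
        if dev.kind != self.applies_to:
            return False
        results = []
        for param, allowed in self.filters.items():
            value = dev.attrs.get(param)
            results.append(bool(allowed(value)) if callable(allowed) else value in allowed)
        if self.mode == "all":
            return all(results)
        if self.mode == "any":
            return any(results)
        if self.mode == "fail_all":
            return not any(results)
        if self.mode == "fail_any":
            return not all(results)
        raise ValueError("unknown condition mode: " + self.mode)


def classify(devices, rule_set, reclassify=False):
    """Run the Rule Set top to bottom over each device; a later rule can override an earlier one.

    By default only Unauthorized devices are considered; reclassify=True also re-evaluates
    Authorized and Ignored devices, as the guide's Reclassify option does.
    Returns a change log of (mac, rule name, old state, new state).
    """
    changes = []
    for dev in devices:
        if not reclassify and dev.state != UNAUTHORIZED:
            continue
        for rule in rule_set:
            if rule.matches(dev):
                new_state = ACTION_TO_STATE[rule.action]
                if new_state != dev.state:
                    changes.append((dev.mac, rule.name, dev.state, new_state))
                    dev.state = new_state
    return changes


def build_rule_set():
    """Constructed example rules; the vendor, SSID and domain names are illustrative."""
    return [
        ActionRule("corporate-aps", "AP", "Authorize", "all",
                   {"Vendor": {"Cisco"}, "SSID": {"CORP-WLAN"}, "Encryption": {"WPA2"}}),
        # Ignore APs that neither broadcast our SSID nor are heard strongly: neighbours.
        ActionRule("neighbour-aps", "AP", "Ignore", "fail_all",
                   {"SSID": {"CORP-WLAN"}, "Signal Strength": lambda s: s is not None and s > -60}),
        ActionRule("corporate-stations", "Station", "Authorize", "all",
                   {"802.1x Username": lambda u: bool(u) and u.endswith("@corp.example")}),
    ]


def sample_devices():
    """Constructed devices; the MAC addresses are made up."""
    def ap(mac, vendor, ssid, enc, rssi, state=UNAUTHORIZED):
        return Device(mac, "AP", state,
                      {"Vendor": vendor, "SSID": ssid, "Encryption": enc, "Signal Strength": rssi})
    return [
        ap("00:11:22:aa:bb:01", "Cisco", "CORP-WLAN", "WPA2", -45),   # our own AP
        ap("00:11:22:aa:bb:02", "Linksys", "HOME", "WPA", -78),       # weak, foreign SSID
        ap("00:11:22:aa:bb:03", "Belkin", "CORP-WLAN", "Open", -40),  # spoofs our SSID
        ap("00:11:22:aa:bb:04", "Netgear", "HOME", "WPA2", -42),      # foreign but loud
        ap("00:11:22:aa:bb:05", "Linksys", "HOME", "WPA", -80, AUTHORIZED),  # authorized earlier
        Device("00:11:22:cc:dd:01", "Station", attrs={"802.1x Username": "alice@corp.example"}),
        Device("00:11:22:cc:dd:02", "Station"),                        # never authenticated
    ]


def run(reclassify=False):
    """Classify the sample devices; returns (final state per MAC, change log)."""
    devices = sample_devices()
    changes = classify(devices, build_rule_set(), reclassify)
    return {d.mac: d.state for d in devices}, changes


if __name__ == "__main__":
    states, log = run()
    for entry in log:
        print(entry)
```

Two things the run shows that are easy to get wrong when writing rules. The "fail all" mode only ignores the Linksys AP that both lacks the corporate SSID and is heard weakly; the loud Netgear AP with a foreign SSID fails only one condition, so it stays Unauthorized for someone to investigate, as does the Belkin AP spoofing the corporate SSID. And the previously authorized Linksys AP is untouched until Reclassify is enabled, at which point the same rule demotes it to Ignored.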
4 Managing Software
To manage AirDefense software and licenses, you use the ADDadmin utilities in the Command Line Interface. Perform all operations in the sequence prescribed in this chapter. This chapter covers:

- Adding Software Service Modules
- Updating AirDefense licenses
- Managing security certificates

ADDadmin: Using the utilities in the ADDadmin Software program area, you can:

- Install a service module into the AirDefense software
- Display the current AirDefense license
- Install a new AirDefense license
- Create a package of AirDefense system keys
4.1

Feature enhancements and improvements to the modules in your existing version of AirDefense software are available through the Support Center portal at http://support.airdefense.net or on CD-ROM from AirDefense. After you download the module bundle to your local server, connect and log in to AirDefense Enterprise via SSH, access the Command Line Interface, and use the ADDadmin SERVMOD utility (Software program area) to install the module. SERVMOD adds the module to your current AirDefense software version.

Step  Action
1     Access the Command Line Interface. See Accessing the ADDadmin utilities on page 9 for instructions.
2     Type s, then press <Enter> at the command prompt on the main screen. The Software screen appears.
3     Type servmod, then press <Enter>. The system asks you to enter the fully qualified directory path where the update bundle resides, or to type C if the bundle is on CD-ROM.
4     Type the fully qualified directory path, or type C for CD-ROM. If you type a directory path, the Server lists the service modules in that directory; select the module you want to install and follow the on-screen directions. AirDefense retrieves and installs the service module and returns you to the Software screen. If you type C, the system prompts you to insert the CD-ROM, and the installation proceeds once the CD-ROM is inserted.
5     Type q and press <Enter> to return to the main screen.
4.2 Managing Licenses

Managing licenses is a function of both the ADDadmin utilities in the Command Line Interface and the GUI.

4.2.1 ADDadmin

The ADDadmin Software program area provides three license utilities: display the current AirDefense license (CURRLIC), install a new AirDefense license (LICENSE), and create a package of AirDefense system keys that AirDefense support can use to repair corrupt licenses (KEYPKG).

4.2.2 CURRLIC

CURRLIC displays information on the current AirDefense license. To view the current license:

Step  Action
1     Access the Command Line Interface. See Using the Interfaces on page 7 for instructions.
2     Type s, then press <Enter> at the command prompt on the main screen. The Software screen appears.
3     Type currlic, then press <Enter>. Information on the current AirDefense license appears:
      - MAC address of the licensed system
      - License version number
      - Number of authorized Access Points allowed
      - Number of Sensors allowed
      - License expiration date
      - Maintenance expiration date
4.2.3 LICENSE

LICENSE installs a new AirDefense license or renews an expired one. AirDefense, Inc. supplies the license file.

Important!

If your license has expired and you wish to renew it, contact AirDefense, Inc. to obtain a replacement license file, then use the ADDadmin LICENSE utility to install it. Note: you can use the AirDefense GUI to update an existing (not expired) license.

To install a license:

Step  Action
1     Access the Command Line Interface. See Using the Interfaces on page 7 for instructions.
2     Type s, then press <Enter> at the command prompt on the main screen. The Software screen appears.
3     Type license, then press <Enter>. You are prompted for the fully qualified (complete) path name of the license file. AirDefense, Inc. supplies this file on CD or by email, and you load it onto your server beforehand. Alternatively, press <CR> to exit without changes.
4     Enter the file path and press <Enter>. This loads the license into AirDefense.
5     Type q and press <Enter> to return to the main screen.
4.2.4 KEYPKG

KEYPKG creates a package of AirDefense system keys. AirDefense, Inc. support personnel can use these keys to update your license or repair it if it becomes corrupted. Treat the package as sensitive material and pass it to AirDefense support only over a trusted channel.

To create system keys:

Step  Action
1     Access the Command Line Interface. See Using the Interfaces on page 7 for instructions.
2     Type s, then press <Enter> at the command prompt on the main screen. The Software screen appears.
3     Type keypkg, then press <Enter>. The system displays the key package and its location, for example /usr/local/tmp/WIPSKeys-0000D60991456-2005-03-29.16.17.tar.gz
4     Press <Enter> to return to the main screen.
4.3 GUI

The GUI Configuration program area provides a Software program that lets you update licenses to authorize more Access Points or Sensors for your wireless LAN, using the AirDefense License Management panel. You can:

- Update unexpired licenses to authorize more Access Points in your wireless LAN.
- Update unexpired licenses to authorize more Sensors in your wireless LAN.
- View the parameters of your current license.

For complete step-by-step instructions on the GUI's license management features, see the Online Help for Appliance Manager > Software.
4.4 Managing Certificates

Managing security certificates is a function of the GUI; you must be a Web User with the role of Admin to manage certificates. A certificate lets your browser verify the authenticity of the AirDefense Server: when the browser validates it, it can detect hijacking of the administrative session between your browser and the Server, and can even reveal physical replacement of the AirDefense Server. The certificate is installed on the AirDefense Server and presented to your browser session, enabling you to use AirDefense over a secure, TLS-encrypted HTTPS session. That protection exists only if the browser actually validates the certificate, which is why the Security Alerts described below should be resolved rather than clicked through.

Important!

AirDefense, Inc. recommends using a security certificate for every AirDefense Server in your network, and replacing the pre-installed AirDefense certificate with either a self-signed certificate or a root-signed certificate. For complete step-by-step instructions on the GUI's certificate features, see the Quick Help for Admin: Certificates.
4.4.1 GUI

The Configuration program area has a Certificates program that enables you to view and create security certificates and to perform other certificate-related administrative tasks, such as installing certificates. There are three types of certificate to choose from, each representing a different level of security:

- AirDefense certificate (minimal level of security)
- Self-signed certificate (intermediate level of security)
- Root-signed certificate (high level of security)

AirDefense Certificate

The AirDefense certificate represents a minimal level of security. AirDefense, Inc. ships the AirDefense Server with a pre-installed security certificate. It is a working certificate that provides TLS encryption, but it has not been verified and digitally signed by a root Certificate Authority (CA), and the host name in the certificate will not match the actual host name of your AirDefense Server. Because every appliance ships with the same certificate, it cannot tell you whether you are talking to your own Server. Unless the certificate meets all required criteria, you will receive one or more alert screens when you open a session with AirDefense (see Security Alerts on page 61).

Self-Signed Certificate

A self-signed certificate represents an intermediate level of security. A self-signed certificate (also called a Tomcat certificate) is one that you generate yourself, specifying the host name of the AirDefense Server in the certificate, but without having it verified and digitally signed by a root Certificate Authority. Unless the certificate meets all required criteria, you will receive one or more alert screens when you open a session with AirDefense (see Security Alerts on page 61); the alerts stop once you install the certificate into the trusted store of each workstation's browser, and you should confirm the certificate's fingerprint out of band before doing so.

Root-Signed Certificate

A root-signed certificate is a public certificate verified by a root Certificate Authority (CA). This digitally signed certificate ensures the authenticity of the AirDefense Server.
Security Alerts

During the initial Enterprise GUI login, Security Alert windows pop up to report the certificate's status. One Security Alert window and two Java Security Alert windows can appear.

The Security Alert window appears if the certificate fails any of the three criteria listed on the window. A yellow triangle marks a criterion the certificate does not meet; a green checked circle marks one it meets. Once all three criteria are met, this window no longer appears when you log in. Click View Certificate to view and install a certificate. The criteria are:

Criterion: The security certificate is from a trusted certifying authority.
Explanation: The AirDefense Server must have a certificate signed by a trusted Certificate Authority installed, and the certificate must be applied to the AirDefense GUI. Hint: for the installation to take effect, restart AirDefense with the ADDadmin RESTART utility.

Criterion: The security certificate has expired or is not yet valid.
Explanation: The range of valid dates generated for the certificate must include the current date on your workstation.

Criterion: The name on the security certificate is invalid or does not match the name of the site.
Explanation: The host name generated for the certificate must match the name of the AirDefense Server, that is, the name you use to reach it.
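The three criteria are the checks any TLS client performs on a server certificate. The following Python is an added example, not AirDefense code: it evaluates a certificate description against the criteria, including wildcard host-name matching in the style of RFC 6125, and shows why the shipped certificate raises two alerts, a correctly generated self-signed certificate raises one until you install it into the trusted store, and an expired root-signed certificate raises one. The certificate field values, host name and CA name are constructed.

```python
from datetime import datetime, timedelta, timezone


def hostname_matches(cert_names, hostname):
    """Match hostname against the certificate's names (subject CN plus any SAN entries).

    Case-insensitive. A single leading '*.' wildcard matches exactly one DNS label, so
    '*.example.com' matches 'wips.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            wild_labels = name.split(".")[1:]
            host_labels = host.split(".")
            if len(host_labels) == len(wild_labels) + 1 and host_labels[1:] == wild_labels:
                return True
    return False


def evaluate_certificate(cert, hostname, trusted_issuers, now):
    """Evaluate the three Security Alert criteria; True means the criterion is met.

    cert is a dict with 'subject_cn', 'issuer', 'san' (list), 'not_before', 'not_after'.
    A self-signed certificate has issuer == subject_cn, so it counts as trusted only
    once you have installed it, modelled here as adding its name to trusted_issuers.
    """
    names = [cert["subject_cn"]] + list(cert.get("san", []))
    return {
        "trusted_ca": cert["issuer"] in trusted_issuers,
        "dates_valid": cert["not_before"] <= now <= cert["not_after"],
        "name_matches": hostname_matches(names, hostname),
    }


def alerts_for(cert, hostname, trusted_issuers, now):
    """Return the criteria that would raise a Security Alert, in the order of the table."""
    results = evaluate_certificate(cert, hostname, trusted_issuers, now)
    return [criterion for criterion, ok in results.items() if not ok]


# Constructed sample data: none of these names or dates describe a real certificate.
NOW = datetime(2006, 12, 1, tzinfo=timezone.utc)
TRUSTED = {"Example Root CA"}          # the workstation's trusted CA names
SERVER = "wips.corp.example"           # the name typed into the browser

SHIPPED_CERT = {   # stands in for the pre-installed AirDefense certificate
    "subject_cn": "airdefense-appliance", "issuer": "airdefense-appliance", "san": [],
    "not_before": NOW - timedelta(days=365), "not_after": NOW + timedelta(days=365),
}
SELF_SIGNED = {    # generated on the appliance with the correct host name
    "subject_cn": SERVER, "issuer": SERVER, "san": [SERVER],
    "not_before": NOW - timedelta(days=1), "not_after": NOW + timedelta(days=365),
}
ROOT_SIGNED_EXPIRED = {
    "subject_cn": SERVER, "issuer": "Example Root CA", "san": [SERVER],
    "not_before": NOW - timedelta(days=730), "not_after": NOW - timedelta(days=10),
}

if __name__ == "__main__":
    print("shipped      ", alerts_for(SHIPPED_CERT, SERVER, TRUSTED, NOW))
    print("self-signed  ", alerts_for(SELF_SIGNED, SERVER, TRUSTED, NOW))
    print("installed    ", alerts_for(SELF_SIGNED, SERVER, TRUSTED | {SERVER}, NOW))
    print("root, expired", alerts_for(ROOT_SIGNED_EXPIRED, SERVER, TRUSTED, NOW))
```

The name check is the one most often misjudged: a certificate issued for the Server's short host name will not match when you browse to its fully qualified name or its IP address, so generate the self-signed certificate for exactly the name you intend to use.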
5 Managing Notifications
To manage notifications, you use both the ADDadmin utilities in the Command Line Interface and the AirDefense GUI.

ADDadmin: Using ADDadmin utilities in the Config program area, you can:

- Set the Hostname for the AirDefense Server.
- Set the Domain Name for the AirDefense Server.
- Configure the Mail Relay host for the AirDefense Server.

GUI: Using the Notification Manager program area in the AirDefense GUI, you can specify how AirDefense delivers its alarm notifications to designated recipients:

- Enable or disable notifications for the system.
- Set the default intervals for notifications.
- Configure a recipient to receive alarm notifications, or only to view configurations.
- Configure options for receiving Email, SNMP, and Syslog alarm notifications. There are standard options and advanced options that include filters for limiting alarm notifications and tools for customizing them.

Important! Notifications are suspended during some maintenance activities performed with the ADDadmin utilities, such as reboot (REBOOT), restart (RESTART), clear databases (CLRU, CLRALL), and recover databases (RCVRDB).
5.1 ADDadmin

The ADDadmin Config program area contains utilities that you can use to:

- Set the Hostname for the AirDefense Server (HNAME)
- Set the Domain Name for the AirDefense Server (DNAME)
- Configure the Mail Relay host for the AirDefense Server (MRELAY)

For complete steps on setting the Host Name, Domain Name, and Mail Relay Host, see Practical Applications on page 66.
5.2 GUI

The GUI's Notification Manager program area gives you the information and tools to specify how AirDefense delivers its alarm notifications to designated recipients and destinations. Alarm notifications list specific alarms that AirDefense generates. In the Notification Manager you can:

- Toggle notifications on and off and set the default interval. You can enable or disable all Email, SNMP, and Syslog notifications, and configure the Email, SNMP, and Syslog intervals (in minutes, or Instant) for each type of notification.
- Configure which individuals and email destinations receive alarm notifications.
- Configure standard options: selecting recipients, entering email addresses, filtering notifications by alarm priority or by Sensor, selecting a notification format, and selecting the interval at which notifications are sent.
- Configure advanced options: advanced filter expressions for specific alarm notifications (Boolean expressions that you build and edit), custom notification templates, filtering out repetitious alarms, and setting the queue size for optimum system performance.

For complete steps on configuring and managing Email, SNMP, and Syslog notifications, see the Online Quick Help for Notification Manager.
5.3 Practical Applications
GUI:
Clear the database except for user data, or clear the database of all data. Backup database configuration information. Recover database configuration information. Back up the database. Recover the database. Check the integrity of the databases. Update vendor MAC address information in database.
Using the Appliance Manager program area in the GUI, you can:
- Export report data from the database. Export report data now, or schedule an export of report data.
- Back up the database now, or schedule a backup of the database.
Chapter 6
6.1
You cannot use the GUI to clear the AirDefense database. To clear portions or all of the AirDefense database, you must use the ADDadmin utilities CLRU or CLRALL. These utilities enable you to clear the AirDefense database at varying degrees.
CLRU clears all data, except user data.
CLRALL clears all data.
6.1.1 ADDadmin
1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.
6.1.2 CLRU
This utility clears the database, except user data. Use this utility to delete and rebuild the AirDefense database, with the exception of user information.
Important! This utility deletes and rebuilds the AirDefense database, but saves your current user information. Use this utility, for example, when you move AirDefense to a new network and want to start fresh with new data and policies, but want to maintain your user information.
1. Type clru, then press <Enter> to clear databases, except user data. You are prompted to confirm by typing yes or no.
6.1.3 CLRALL
1. Type clrall, then press <Enter> to clear databases of all data. This deletes and rebuilds the AirDefense database: it deletes all data (including network statistics), user information, and policies. You are prompted to confirm by typing yes or no.
2. Type yes or no. No returns you to the Dbase settings screen, leaving the database untouched. Yes deletes and rebuilds the database (including deletion of all network statistics, policies, and user data) and returns you to the Dbase settings screen.
3. Type q, then press <Enter> to return to the main screen.
6.2
Exporting data is a function of the GUI. For complete step-by-step instructions on how to use the GUI's data export feature, see the Online Quick Help for Config > Appliance Manager > Data Mgmt. The GUI's Appliance Manager window provides a Data Mgmt program that enables you to export report data from the AirDefense Server into your local system. Using this program, you can:
6.3
Backing up the database is a function of the ADDadmin utilities and the GUI.
6.3.1 ADDadmin
The ADDadmin Dbase program area provides a BCKUPDB utility that enables you to back up the AirDefense database, and a BUDBCFG utility that enables you to back up only database configuration information.
To back up the database:
1. Type bckupdb, then press <Enter>. The database backs up to a specified directory. When complete, the Dbase screen appears.
2. Type q, then press <Enter> to return to the main screen.
To back up only the database configuration information:
1. Type budbcfg, then press <Enter>. The database configuration backs up to the specified directory /usr/local/smx/backups/ on the AirDefense Server. When complete, a prompt to press <Enter> to return to the previous menus appears.
2. Type q, then press <Enter> to return to the main screen.
6.3.2 GUI
The GUI's Config > Appliance Manager window provides a Data Mgmt program that enables you to back up the contents of the AirDefense Server database. For complete step-by-step instructions on how to use the GUI's data export feature, see the Online Quick Help for Config > Data Mgmt. Using this program, you can:
To copy the data backups to another server, log into the Command Line Interface as smxmgr. You can manually back up all data or just policy and configuration data, or schedule a backup of all data to the AirDefense Server. Files are backed up to a specific directory on the AirDefense Server (/usr/local/smx/backups). To recover the backups, you must use the ADDadmin utility RCVRDB. Note: For information on how to automate retrieval of files from the AirDefense Server, see Appendix B.
6.4
The ADDadmin Dbase program area provides the RCVRDB utility for database recovery, and the RCDBCFG utility to recover database configuration information. You cannot use the GUI to recover the database. Note: Due to database incompatibility between Enterprise versions, a database backup can only be recovered to a system of the same build number.
6.4.1 ADDadmin
To Recover the Database
Use the RCVRDB utility to recover the AirDefense database from backups.
1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.
3. Type rcvrdb, then press <Enter>. You are prompted to enter the directory in which database recovery files reside. Press <Enter>. The database restores from the directory you entered, or if you did not enter a directory, from the default directory. When complete, the Dbase screen appears.
4. Type q, then press <Enter> to return to the main screen.
To recover database configuration information, use the RCDBCFG utility. Steps 1 and 2 are the same as for RCVRDB; then:
3. Type rcdbcfg, then press <Enter>. You are prompted to enter the directory in which the backup config file resides. Enter the directory in which the backup config file resides. Press <Enter>. The database configuration information restores from the directory you entered, or if you did not enter a directory, from the default directory /usr/local/smx/backups/. When complete, the Dbase screen appears.
4. Type q, then press <Enter> to return to the main screen.
6.5
The file for importing Access Points should contain rows of data, one row for each Access Point being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. If the AP being imported is already in the system, the import overwrites the field values, based on the MAC address. The text field values are overwritten, regardless of letter case.
6.5.1 Guidelines
Use the following guidelines.
- Each row of data must consist of a comma-separated list of field values for each AP (as defined in the table below, for example: MAC address, alias, IP address, DNS name, description, authorize, bridge). You do not have to use all field values for the AP, but you must use the MAC address. Spell out null for any field value that you do not want to use, for example: 00:02:2d:01:23:04, null, null, null, null, yes, no.
- Do not leave any field values as empty spaces.
- Separate each row by a carriage return or new line character.
- Separate all field values with commas. These are the delimiters.
- You must use colons in MAC addresses.
- White space must exist between each column.

Field Name     Valid Values
mac address    Valid mac address
alias          Text string or null if not defined
ip Address     Valid ip address or null if not defined
dns name       Text string or null if not defined
description    Text string or null if not defined
authorize      yes or no
bridge         yes or no
Examples
aa:aa:aa:aa:aa:aa, My Access Point, 172.16.0.232, machine@xyz.com, this is my access point, yes, yes
bb:bb:bb:bb:bb:bb, AP B, 145.16.0.232, box2@xyz.com, null, no, no
6.5.3 Guidelines
Use the following guidelines.
- Each row of data must consist of a comma-separated list of field values for each Station (as defined in the table below, for example: MAC address, alias, DNS name, description, authorize, list of comma-separated APs). You do not have to use all field values for the Station, but you must use the MAC address. Spell out null for any field value that you do not want to use, for example: 00:02:2d:01:23:04, null, null, null, null, null, yes, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb.
- Do not leave any field values as empty spaces.
- Separate each row by a carriage return or new line character.
- Separate all field values with commas. These are the delimiters.
- White space must exist between each column.

Field Name     Valid Values
mac address    Valid mac address
alias          Text string or null if not defined
dns name       Text string or null if not defined
description    Text string or null if not defined
authorize      yes, no, or null. If yes or no is selected, the next field (aplist) should be defined, and this station will be either authorized (yes value) or unauthorized (no value) for every access point in the aplist.
aplist         all (for all access points), or a comma-separated list of access point mac addresses
Examples
cc:cc:cc:cc:cc:cc, Station C, machine1@xyz.com, this is my access point, yes, all
dd:dd:dd:dd:dd:dd, Station D, machine2@xyz.com, null, no, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb
ee:ee:ee:ee:ee:ee, Station E, machine3@xyz.com, this is station e, null
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, yes, aa:aa:aa:aa:aa:aa
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, no, bb:bb:bb:bb:bb:bb
Station C will be entered into the system, authorized on all access points.
Station D will be entered into the system, unauthorized on access points aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb.
Station E will be entered into the system with configuration information only.
Station EF will be entered into the system, authorized on access point aa:aa:aa:aa:aa:aa, unauthorized on bb:bb:bb:bb:bb:bb.
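As an added example (not AirDefense code), the following Python parser applies the import-file rules of 6.5.1 and 6.5.3 to the guide's own Station rows plus two constructed malformed rows, and merges repeated Station rows the way the Station EF example above describes. The dotted-quad shape check for IP addresses and the overwrite-by-MAC merge for APs are assumptions that go slightly beyond what the guide spells out.

```python
"""Parser and validator for the AirDefense AP and Station import file formats
of sections 6.5.1 and 6.5.3 (added example, not AirDefense code; it enforces
the guide's rules: colon MACs, no empty fields, null, yes/no, aplist)."""
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")   # colons required
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")                # shape only (assumed)

def _null(value):
    return None if value.lower() == "null" else value   # null means not defined

def _yes_no(value, allow_null):
    v = value.lower()
    if v in ("yes", "no"):
        return v == "yes"
    if allow_null and v == "null":
        return None
    raise ValueError(f"expected yes or no, got {value!r}")

def _split(line, minimum):
    # Checks common to both formats: field count, no empty field, colon MAC.
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < minimum:
        raise ValueError(f"expected at least {minimum} fields, got {len(fields)}")
    if "" in fields:
        raise ValueError("empty field; spell out null instead")
    if not MAC_RE.match(fields[0]):
        raise ValueError(f"invalid MAC address {fields[0]!r}")
    return fields

def parse_ap_row(line):
    """One AP row: mac, alias, ip, dns, description, authorize, bridge."""
    fields = _split(line, 7)
    if len(fields) != 7:
        raise ValueError(f"AP row must have 7 fields, got {len(fields)}")
    mac, alias, ip, dns, desc, authorize, bridge = fields
    if ip.lower() != "null" and not IPV4_RE.match(ip):
        raise ValueError(f"invalid IP address {ip!r}")
    return {"mac": mac.lower(), "alias": _null(alias), "ip": _null(ip),
            "dns": _null(dns), "description": _null(desc),
            "authorize": _yes_no(authorize, False),
            "bridge": _yes_no(bridge, False)}

def parse_station_row(line):
    """One Station row: mac, alias, dns, description, authorize[, aplist...].
    'authorizations' is {'all': bool} or {ap_mac: bool}; it is {} when
    authorize is null (the guide's 'configuration information only' case)."""
    fields = _split(line, 5)
    mac, alias, dns, desc, authorize = fields[:5]
    aplist = fields[5:]
    auth = _yes_no(authorize, True)
    if auth is None:
        if aplist:
            raise ValueError("aplist given but authorize is null")
        authorizations = {}
    elif not aplist:
        raise ValueError("authorize is yes/no but no aplist was given")
    elif len(aplist) == 1 and aplist[0].lower() == "all":
        authorizations = {"all": auth}
    else:
        bad = [ap for ap in aplist if not MAC_RE.match(ap)]
        if bad:
            raise ValueError(f"invalid AP MAC address(es) in aplist: {bad}")
        authorizations = {ap.lower(): auth for ap in aplist}
    return {"mac": mac.lower(), "alias": _null(alias), "dns": _null(dns),
            "description": _null(desc), "authorizations": authorizations}

def parse_import_file(text, kind):
    """Parse an AP ('ap') or Station ('station') file; rows are CR/LF separated.
    A later row with the same MAC overwrites earlier field values (the guide's
    overwrite-by-MAC rule); Station per-AP authorizations are merged instead,
    so the guide's two Station EF rows give yes for aa:... and no for bb:....
    Returns (records keyed by MAC, [(line number, error message), ...])."""
    parser = parse_ap_row if kind == "ap" else parse_station_row
    records, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = parser(raw)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if kind == "station" and rec["mac"] in records:
            merged = dict(records[rec["mac"]]["authorizations"])
            merged.update(rec["authorizations"])
            rec["authorizations"] = merged
        records[rec["mac"]] = rec
    return records, errors

# Constructed sample: the guide's Station examples plus two malformed rows
# (an empty field, and a MAC address written without colons).
SAMPLE_STATIONS = """\
cc:cc:cc:cc:cc:cc, Station C, machine1@xyz.com, this is my access point, yes, all
dd:dd:dd:dd:dd:dd, Station D, machine2@xyz.com, null, no, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb
ee:ee:ee:ee:ee:ee, Station E, machine3@xyz.com, this is station e, null
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, yes, aa:aa:aa:aa:aa:aa
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, no, bb:bb:bb:bb:bb:bb
11:11:11:11:11:11, Station Bad, , this row has an empty field, yes, all
222222222222, Station NoColons, machine4@xyz.com, null, yes, all
"""
```

Running parse_import_file(SAMPLE_STATIONS, "station") yields four Station records and rejects the last two rows with the reason and line number, which is the check to run on a file before handing it to the import.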
6.6
The ADDadmin Dbase program area provides an INTCK utility for checking the integrity of the AirDefense databases. You cannot use the GUI to perform this function.
Steps 1 and 2 (access the Command Line Interface, then type d to open the Dbase screen) are the same as for the other Dbase utilities.
3. Type intck, then press <Enter>. The system displays three choices for a database integrity check:
   Main Database (see step 4)
   Users Database (see step 5)
   All of the Above Databases (see step 6)
4. Type 1 <Enter> to check the Main Database. The system executes a limited examination. The result is either PASSED or FAILED. If the test fails, it is because it detected a database integrity problem in the Main Database (smx_main). The system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data. If the test passes, the system executes Test 2, which is a full data traversal. If Test 2 fails, the system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data.
5. Type 2 <Enter> to check the Users Database. The system executes a limited examination. The result is either PASSED or FAILED. If the test fails, it is because it detected a database integrity problem in the Users Database (smx_users). The system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data. If the test passes, the system executes Test 2, which is a full data traversal. If Test 2 fails, the system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data.
6. Type 3 <Enter> to check both the Main and Users databases simultaneously. The system executes a limited examination. The result is either PASSED or FAILED. If the test fails, it is because it detected a database integrity problem in the Main Database (smx_main), the Users Database (smx_users), or both. The system will prompt you to re-index the databases. Click y (yes) to fix the most common source of database corruption without deleting data. If the test passes, the system executes Test 2, which is a full data traversal. If Test 2 fails, the system will prompt you to re-index the databases. Click y (yes) to fix the most common source of database corruption without deleting data.
7. Type q and press <Enter> to return to the main screen.
6.7
The ADDadmin Dbase program area provides an OUI utility for updating vendor MAC address information in the AirDefense database. You cannot use the GUI to update vendor MAC address information. The OUI (organizationally unique identifier) utility adds new vendor MAC addresses to the AirDefense database.
1. Access the Command Line Interface.
2. Type d, then press <Enter> at the command prompt on the main screen. The Dbase screen displays.
3. Type OUI, then press <Enter>. The system asks you to enter the fully qualified directory path where the OUI update resides (use this if you downloaded the OUI table of vendor MAC addresses from the IEEE Server), or to type I if you wish to access the IEEE Server directly (via the internet) to download the new OUI table of vendor MAC addresses.
4. Type in the fully-qualified directory path, or type <I>. If you type the directory path: AirDefense retrieves and installs the update file directly from your local server. The system then returns you to the Dbase screen. If you type <I>: The system accesses the IEEE Server via the internet and automatically downloads the new OUI table into the AirDefense database.
5. Type q and press <Enter> to return to the main screen.
Chapter 7
7.1 ADDadmin
The ADDadmin Config program area provides the following utilities for configuring AirDefense:
IP: use this to change the IP address, subnet mask, and default gateway of the AirDefense Server
NETPORT: use this to change network interface settings, and to toggle Autonegotiation on and off
DNS: use this to add or delete a DNS nameserver (Domain Name Server)
ARP: use this to configure a permanent ARP table
HALLOW: use this to configure which systems are allowed to connect to the AirDefense Server
HDENY: use this to identify which computers are not allowed to connect to the AirDefense Server
PING: use this to enable/disable ping to the AirDefense Server
CAD: use this to enable/disable [Ctrl] [Alt] [Del] for system reboot
TIME: use this to configure the AirDefense Server's operating time and date
TZ: use this to configure the time zone in which the AirDefense Server operates
NTP: use this to configure a specific network time server, instead of setting TIME and TZ
UIPORT: use this to change the network port you are using for the GUI
To use ADDadmin utilities, you must access the Command Line Interface.
1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type c, then press <Enter> at the command prompt. The Config screen displays.
7.1.1 IP
1. Type ip, then press <Enter> at the prompt to change the IP address, subnet mask, and default gateway of the AirDefense Server you are logged onto. The IP configuration screen opens, displaying the current network configuration.
2. Type a new IP address at the prompt. Press <Enter>. You are prompted to enter a new subnet mask.
3. Type a new subnet mask. Press <Enter>. You are prompted to enter a new gateway.
4. Type a new gateway address. Press <Enter>. Your new values display in bold text.
5. Type yes or no at the prompt to commit the changes. This returns you to the previous network screen. AirDefense reboots on exit from the ADDadmin.
Important!
If you are logging in remotely using SSH, check these values carefully for accuracy before typing yes or no to commit the changes. Committing incorrect information will cause you to lose connectivity to the AirDefense Server.
7.1.2 NETPORT
Use NETPORT to configure the network interface link speed, duplex setting, and to toggle Autonegotiation on and off. The Autonegotiation feature enables the AirDefense Server to analyze the network and find the most efficient network interface available in some cases.
1. Type netport, then press <Enter> at the prompt to configure network link speed, duplex, and to turn Autonegotiation On and Off. The Netport configuration screen opens, displaying the current network interface configuration, and prompts you to enter on or off for Autonegotiation.
2. At the prompt, press <Enter> to keep Autonegotiation at its current status, or type in on or off to change the configuration. Press <Enter> again. The screen displays the link speed selections.
Note: The following steps appear only if the off option is selected.
3. At the prompt, press <Enter> to keep the current link speed, or type in the desired value. Choices are: 10, 100, or 1000 Mb/s. Press <Enter> again. The screen displays the duplex setting selections.
4. At the prompt, press <Enter> to keep the current duplex setting, or type in the desired setting. Choices are half (for half duplex) and full (for full duplex). Press <Enter> again. The screen displays the new network interface configuration.
5. At the prompt, type yes to commit the changes, or no to cancel the operation. Press <Enter>.
6. You are returned to the Config settings screen.
7.1.3 DNS
1. Type dns, then press <Enter> at the prompt to define DNS Servers. This adds or deletes a DNS nameserver (Domain Name Server). This is the name of the server you give to your DNS server. The NameServer screen opens, displaying your current DNS server's IP address in bold text.
2. At the prompt, type either a to add a new DNS server, or d to delete a server.
   To add an entry: type a at the prompt and type the IP address at the ensuing prompt. Press <Enter> to add the new DNS server to the list of nameservers.
   To delete an entry: type d at the prompt. At the next prompt, type in the number of the nameserver you want to delete. (If you delete a DNS server that is followed by other servers, all the ones with a lower preference will move up in priority.)
Important!
Multiple DNS servers process DNS requests in order. The first DNS server on the list (identified by the number 1) is the first to offer name resolution; the second DNS server on the list (identified by the number 2) is the second to process the request if the first is unable to do so. To change the order preference of multiple servers, you must delete them all, and re-enter them in the order you want them to process your DNS requests. The first DNS server you enter will become number 1, the first to process name resolution.
3. Type q, then press <Enter> to quit and return to the main screen. You are prompted to save your changes.
4. Type yes or no, then press <Enter>.
7.1.4 ARP
Use ARP to configure a permanent ARP table. ARP (Address Resolution Protocol) is a TCP/IP protocol used to obtain a node's physical address. A client station broadcasts an ARP request onto the network with the IP address of the target node it wishes to communicate with, and the node with that address responds by sending back its physical address so that packets can be transmitted. ARP returns the layer 2 address for a layer 3 address. ARP requests are broadcast onto the network, requiring every station in the subnet to process the request. Creating a permanent ARP table that contains ARP records for your gateway and other important machines protects connections between the AirDefense Server and remote administrators from being hijacked by man-in-the-middle ARP blasts (that redirect traffic for the AirDefense Server's IP address to an alternate MAC address).
1. Type arp, then press <Enter> at the prompt to configure a permanent ARP table. The ARP screen displays your current ARP records in bold text.
2. Type a to add an entry, or d to delete an entry.
   To add an entry: type a at the prompt and type the hardware (MAC) address of a device. Next, type the IP address associated with the MAC address. An invalid entry will cause an abort; unreachable IP addresses will display a warning message. Press <Enter> to add the device to the ARP table. Now, when opening a connection to that device, the AirDefense Server first looks in its own ARP table to discover how to connect to it, instead of relying on an ARP broadcast.
   To delete an entry: type d at the prompt. At the next prompt, type the number of the record in the ARP table you want to delete.
3. Type q, press <Enter> to return to the parent screen. You are prompted to save your changes.
4. Type yes or no, press <Enter>.
7.1.5 HALLOW
1. Type hallow, then press <Enter> at the prompt to configure which systems are allowed to connect to the AirDefense Server. You may specify which computers are allowed to connect to an AirDefense Server. Only computers whose IP address, subnet, fully qualified host name, or domain name matches an entry in this list are allowed to connect to an AirDefense Server to run ADDadmin. The Allow list screen displays your current list of allowed computers in bold text.
2. Type a to add an entry, or d to delete an entry.
   To add an entry: type a at the prompt. At the next prompt, type either a single host IP address (123.456.789.963); a class A, B, or C subnet (123., 123.456., 123.456.789.; note the trailing . in the subnets); a fully qualified host name (myhostname.mydomainname.com); or a domain name. Anyone within a specified subnet, or from a specified host or domain, may connect to an AirDefense Server. Repeat as desired.
   To delete an entry: type d at the prompt and, at the ensuing prompt, enter the number of the record in the allow table you want to delete.
3. Type q, then press <Enter> to return to the parent screen. You are prompted to save your changes.
4. Type yes or no, then press <Enter>.
7.1.6 HDENY
1. Type hdeny, then press <Enter> at the prompt to identify which devices are not allowed to connect to the AirDefense Server. Any device whose IP address, subnet, fully qualified host name, or domain name matches an entry in this list is not allowed to connect to an AirDefense Server to run ADDadmin. The Deny list screen displays your current list of denied systems in bold text.
Note: HALLOW takes precedence over HDENY. For example, if 123.456.789.963 is on the allow list, yet the subnet 123.456.789. is on the deny list, the individual system above is allowed to connect to the AirDefense Server.
Note: Do not unwittingly lock yourself out of the AirDefense Server by creating a deny policy that affects your wireless LAN. Ensure that you create an allow policy for yourself.
2. Type a to add an entry, or d to delete an entry.
   To add an entry: type a at the prompt and enter either a single host IP address (123.456.789.963); a class A, B, or C subnet (123., 123.456., 123.456.789.; note the trailing . in the subnets); a fully qualified host name (myhostname.mydomainname.com); or a domain name at the ensuing prompt. Anyone within a specified subnet, or from a specified host or domain, is not allowed to connect to the AirDefense Server. Repeat as desired.
   To delete an entry: type d at the prompt and, at the ensuing prompt, enter the number of the record in the deny table you want to delete.
3. Type q, then press <Enter> to return to the parent screen. You are prompted to save your changes.
4. Type yes or no, then press <Enter>.
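As an added illustration (not AirDefense code), this Python model implements the HALLOW/HDENY matching rules exactly as the guide states them (host IP, trailing-dot subnet, fully qualified host name, domain name; HALLOW takes precedence) and adds a pre-save check for the lock-out note above. The client's reverse-resolved host name, the tolerance for a leading dot on a domain entry, and the default of admitting a client that matches neither list are assumptions, not statements from the guide.

```python
"""Model of the ADDadmin HALLOW / HDENY admission rules from sections 7.1.5
and 7.1.6.  Added example, not AirDefense code: it implements only what the
guide states (entry forms, HALLOW precedence) plus the labelled assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    ip: str             # source IP address as a dotted string
    hostname: str = ""  # fully qualified name, if reverse lookup gave one (assumed)


def entry_matches(entry, client):
    """True when one allow/deny list entry covers the client.

    Entry forms from the guide: a single host IP (123.456.789.963), a class
    A/B/C subnet with a trailing dot (123., 123.456., 123.456.789.), a fully
    qualified host name, or a domain name.  A leading dot on a domain entry
    (.mydomainname.com) is tolerated here; that is an assumption."""
    e = entry.strip().lower()
    if not e:
        return False
    if e[0].isdigit():
        # Numeric entry: subnet prefix if it ends in a dot, else exact host IP.
        return client.ip.startswith(e) if e.endswith(".") else client.ip == e
    host = client.hostname.lower().rstrip(".")
    if not host:
        return False  # name entries cannot match an unresolved client
    e = e.lstrip(".")
    return host == e or host.endswith("." + e)


def is_allowed(client, allow, deny):
    """HALLOW takes precedence over HDENY (guide, 7.1.6): any allow match wins,
    then any deny match blocks.  A client on neither list is admitted; the
    guide does not state this default, so it is an assumption, consistent with
    its warning that a deny policy needs a matching allow entry for yourself."""
    if any(entry_matches(e, client) for e in allow):
        return True
    if any(entry_matches(e, client) for e in deny):
        return False
    return True


def locked_out(admin_clients, allow, deny):
    """Return the administrator clients that a proposed allow/deny pair would
    reject; run it before saving an HDENY change to honour the guide's
    'do not lock yourself out' note."""
    return [c for c in admin_clients if not is_allowed(c, allow, deny)]


# Constructed sample using the guide's own example values: the host
# 123.456.789.963 is on the allow list while its subnet 123.456.789. is denied.
ALLOW = ["123.456.789.963", "mydomainname.com"]
DENY = ["123.456.789.", "10."]
ADMINS = [Client("123.456.789.963"),
          Client("10.0.0.5", "myhostname.mydomainname.com"),
          Client("10.0.0.6")]  # no allow entry covers this one

if __name__ == "__main__":
    for c in ADMINS:
        print(c.ip, "allowed" if is_allowed(c, ALLOW, DENY) else "DENIED")
    print("would be locked out:", [c.ip for c in locked_out(ADMINS, ALLOW, DENY)])
```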
7.1.7 PING
Use PING to change the ping setting for the AirDefense Server. PING is enabled by default. PING makes it possible for you to ping the AirDefense Server from a remote location, and also allows outgoing pings from the AirDefense Server to other network nodes. The main purpose of a ping is to test a system on the Internet to see if it is working. Pinging an AirDefense Server can test the response time of the Server while connected to the Internet. This is helpful in finding Internet bottlenecks, so that data transfer paths can be re-routed the most efficient way.
1. Type ping, then press <Enter> at the prompt. A status line at the top of the screen indicates the current status.
2. Type E to enable ping, or D to disable ping.
   E: type E at the prompt, then press <Enter> to enable pinging (default). The status line reads: Pinging currently enabled.
   D: type D at the prompt, then press <Enter> to disable pinging. The status line reads: Pinging currently not enabled.
7.1.8 CAD
Use this to enable/disable [Ctrl] [Alt] [Del] for system reboot. CAD is enabled by default. CAD makes it possible for you to reboot AirDefense without having to access the Command Line Interface REBOOT utility.
1. Type CAD, then press <Enter> at the prompt. A status line at the top of the screen indicates the current status.
2. Type E to enable CAD, or D to disable CAD.
   E: type E at the prompt, then press <Enter> to enable CAD (default). The status line reads: CTRL-ALT-DEL currently enabled.
   D: type D at the prompt, then press <Enter> to disable CAD. The status line reads: CTRL-ALT-DEL currently disabled.
7.1.9 TIME
Important!
Changing the system time/date could affect the integrity of the database. Any change will cause a system reboot on exit from ADDadmin. Setting AirDefense time consists of setting the Time and Date (TIME) and the Timezone (TZ), or alternately, enabling an NTP server (NTP). You must set the correct time (time of day, timezone, and date) or alternately, enable an NTP server when you first set up AirDefense. Changing the time configurations after your AirDefense has accumulated data can have an adverse effect on the integral state, time, and event associations that are essential to accurate data reporting.
1. Type time, then press <Enter> at the prompt to change the AirDefense Server's operating time and date. The current date and time displays. You are prompted to enter a date in MMDDYYYY format. (Do not use colon, forward slash, or other delimiters.)
2. Press <Enter>. You are prompted to enter a time in 24-hour HHMM or HHMMSS format.
3. Press <Enter>. You are prompted to save your changes.
4. Type yes or no, then press <Enter>. You return to the Config settings screen.
7.1.10 TZ
Important!
Any change will cause a system reboot on exit from ADDadmin.
1. Type tz, then press <Enter> at the prompt to change the AirDefense Server's time zone. The Time zone screen displays a list of global, continental regions. AirDefense prompts you to choose a global area in which your AirDefense Server resides.
2. Enter the corresponding number (to the left of your region name). Press <Enter>. A list of nations appears.
3. Enter the abbreviation (to the left of the nation) of the nation in which the AirDefense Server resides. Press <Enter>. A list of regions within that nation appears.
4. Enter the number of the region within your nation in which the AirDefense Server resides. Press <Enter>. You are prompted to save your changes.
5. Type yes or no, press <Enter>. Typing yes or no reboots and clears the database on exit from ADDadmin.
7.1.11 NTP
Instead of setting the AirDefense Time (TIME) and Timezone (TZ), you can enable automatic time synchronization with an NTP server.
Example: If you change the AirDefense time, such as when you move the AirDefense Server's location from the east to the west coast of the United States, you must also locate a new network time server in the same time zone.
1. Type ntp at the command prompt to enable or disable a specific network time server (NTP). The NTP screen displays your current status in bold text, whether or not you are currently set to use NTP.
2. Type e to enable NTP. You are prompted to enter the IP address or fully qualified host name (hostname.domainname.com) of a network time server. Alternately, you can type d to disable NTP. No additional input is required; NTP is immediately disabled.
3. To save the network time server settings, type q to quit. You are prompted to save your settings.
Important!
Entering an invalid time server generates an error and logs you out of ADDadmin. Also, changing the time configurations after your AirDefense has accumulated data can have an adverse effect on the integral state, time, and event associations that are essential to accurate data reporting.
7.1.12 UIPORT
You can change the port the GUI is using.
1. Type UIPORT at the command prompt to change the port the GUI is currently using. The UIPORT screen displays the current UI port in use.
2. At the prompt, type yes to change the current port, or no to keep the current port. If you typed no, go to step 3. If you typed yes, go to step 4.
3. If you type no, the operation is canceled. Press <Enter> to return to the Config settings screen.
4. If you type yes, the system asks you to enter a new port. Enter a new port number and press <Enter>. AirDefense automatically accepts the change. Press <Enter> again. You are returned to the Config settings screen.
7.1.13 FALLOW/FDENY
The Advanced Forensic Analysis Engine is an add-on module to the Enterprise System that provides the user the ability to mine the vast amount of data stored in IntelliCenter. The console is a separate application that runs on a Windows PC and can be used to extract pertinent historical data from the server for forensic analysis. Use FALLOW to allow a specific client, which is an external PC with the Advanced Forensic application, to connect to the AirDefense server.
1. Type FALLOW at the prompt and press <Enter>. The system prompts you to enter the IP address of your PC running the Advanced Forensic Analysis application. FALLOW must be set for EACH PC running the Advanced Forensic Application. Use the exact address of the specific Forensic Client PC.
2. Press <Enter>. The system prompts you to save your changes.
3. Type yes or no, then press <Enter>. The system returns you to the ADDadmin main window.
4. Do not exit from ADDadmin; this will cause the system to reboot.
About FDENY
The ADDadmin utility FDENY is the direct opposite of FALLOW. Use this utility to deny a specific Forensic Client PC from connecting to the AirDefense Enterprise Server.
7.2 GUI
The Configuration program area of the AirDefense GUI provides the Appliance Manager window that enables you to name the AirDefense Server, set the system port for GUI access, enable (or disable) Air Termination, Policy-based Termination, and Port Suppression, as well as set Threat Levels (for the Dashboard) at the system level. For complete step-by-step instructions on how to use the GUI's System naming and port selection features, see the Online Help.
Air Termination: Where the Access Point connection is terminated and all Stations associated to the Access Point are de-authenticated, or the connection between a Station and an Access Point is terminated.
Port Suppression: When a network port through which a device is communicating is shut off.
For more information on Air Termination, see the Online Help.
Policy-based Termination is an automated version of Air Termination. This feature enables you to formulate an Action Plan to automatically terminate the connection between your wireless LAN and any associated authorized or unauthorized Access Point or Station, based on alarms. For more information on Policy-based Termination, see the Online Quick Help
Chapter 8
8.1
ADDadmin provides a Manage program area that has the following utilities for system statuses and logs:
STATUS: Displays the process and disk status of the system.
SYSLOG: Displays system log entries resulting from authentication and sendmail failures. There are three entries: Notice, Error, and Debug. You can either display the logs on screen, or write logs to a text file (syslogdata.txt).
CLRLOG: Clears rotated system logs if the /var partition is approaching 100% usage; clears an overly large postgresql log.
8.2
Restarting AirDefense
The ADDadmin Manage program area provides a RESTART utility to restart AirDefense processes. You can choose individual processes to restart or restart all processes (This is not a full reboot!).
1. Type restart, press <Enter>. The AirDefense Server automatically shuts down some processes and restarts. ADDadmin enables you to restart all processes (10), or to choose a specific process to restart. The choices are:
   (1) Notification Manager
   (2) Report Server
   (3) Integration Server
   (4) Location Tracking Interface
   (5) Network Behavior Engine
   (6) Protocol Analysis Engine
   (7) Database
   (8) Graphical User Interface
   (9) ALL OF THE ABOVE
2. Type the number of the process option you wish to use.
3. Type q, then press <Enter> to return to the main screen.
8.3
Rebooting AirDefense
The ADDadmin Manage program area provides a REBOOT utility to perform a soft reboot of AirDefense. Use this utility to reboot the AirDefense Server.
1. Type reboot, then press <Enter> to reboot the AirDefense Server. The AirDefense Server automatically shuts down and restarts.
8.4
Halting AirDefense
The ADDadmin Manage program area provides a HALT utility to halt AirDefense.
Step 1: Type halt, then press <Enter> to halt AirDefense. AirDefense immediately stops and runs its shutdown routine.
8.5
You can set AirDefense Sensors for Frame Capture. When you set the Sensor for Frame Capture ON, the Sensor captures raw data packets and sends them to the AirDefense Server. You can place a maximum of five Sensors in this mode. This feature is OFF by default. When off, the Sensor only sends information needed for analysis to the AirDefense Server. See Chapter 9, Managing Sensors, for information on setting the Sensor for Frame Capture Mode, and on setting the Frame Capture Filter. If you choose to capture files, you must use Command Line Interface utilities to export the captured files. The Frame Capture Filter limits the raw data packets that are transmitted. You can specify which packets AirDefense captures.
8.5.1 SAVECAP
The ADDadmin Manage program area provides a SAVECAP utility that enables you to export frame capture files into one of two file formats: a peek format, for viewing using AiroPeek NX, or a pcap format, for viewing using Ethereal or tcpdump. SAVECAP enables you to access captured packets (pcapture files) in the pcaptures directory of the AirDefense Server (/usr/local/smx/pcaptures), and save them as either a peek (AiroPeek) or a pcap (tcpdump) formatted file. The AirDefense Server archives frame captures into two files, one at a time. Each has a 300 Mb capacity. When the second file reaches 300 Mb, captured data moves to the first file and overwrites the existing data. Using SAVECAP, you can save one captured file at a time into the directory, in the format of your choice. You can then use a secure copy utility, for example WINScp, to copy the exported files from the AirDefense Server to your local server. Once on your local server, you can use AiroPeek, Ethereal, or tcpdump to view the data, depending on how you saved the files.
Important!
Because of space limitations, you can only save one captured file in the pcaptures directory at any one time. If you have a file of previously saved capture data, ADDadmin will prompt you to save it into /home/smxmgr. If you do not, AirDefense automatically deletes the file out of the pcaptures directory. AirDefense, Inc. recommends that you scp the files to another machine for archiving if you want to keep the data. You can also perform a Capture from the AirDefense GUI using Live View.
8.6
The ADDadmin Manage program area provides a CLRCAP utility that enables you to clear frame capture files from the AirDefense Server, freeing up space in the pcaptures directory (/usr/local/smx/pcaptures). Use this if you would like to completely delete all pcaptures from the AirDefense Server. The ADDadmin Manage program also provides a disk STATUS utility that displays the percentage of allowed disk space used in the /usr/local/smx/pcaptures directory (see System Displays in this Chapter). If this directory becomes full, it will impact the integrity of frame capture data.
9 Managing Sensors
9.0.1 Firmware Prerequisite
AirDefense Enterprise 7.2 supports sensors at firmware version 4.4.x or higher.
Sensor User Interface (Sensor UI): Typically, you use this web-based interface to configure Sensor settings for the first time.
Sensor Manager (Enterprise GUI): Typically, you use this window in the AirDefense GUI to administer Sensors after initial configuration for most settings.
Sensor Console Interface (Sensor CI): This interface is for special circumstances. It requires direct interface to the console port of the Sensor. This is only available on Model 400 Sensors.
Important! You must configure and physically install each Sensor on your network. For additional information on installation and deployment, see the AirDefense Sensor Quick Start that accompanied your AirDefense Server.
9.1
Sensor Overview
AirDefense, Inc. offers several Sensor models; most models function the same and are similar from an installation and configuration standpoint. The three most common Sensors deployed with AirDefense systems are:
Model 400: The AirDefense Model 400 Sensor, with firmware V.4.x, monitors 802.11a, 802.11b, and 802.11g traffic.
Model 510: The AirDefense Model 510 Sensor, with firmware V.4.2.x, monitors 802.11a, 802.11b, and 802.11g traffic. The Model 510 Sensor has internal antennas and external antenna capabilities and must be powered by 802.3af compliant Power-over-Ethernet. The Model 510 Sensor is also plenum rated.
Model 520: The AirDefense Model 520 Sensor, with firmware V.4.2.x, monitors 802.11a, 802.11b, and 802.11g traffic. The Model 520 Sensor comes with two external antennas (using RP-SMA connectors) and can be powered by a DC adapter or 802.3af compliant Power-over-Ethernet. The Model 520 Sensor is also plenum rated.
Trapeze Mobility Point MP-372 as a Sensor
AirDefense Enterprise r7.0.5-SM2 or later supports Trapeze Mobility Points (MP-372) that have been converted to a Sensor. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have Trapeze Mobility System version 5.0 and download the sensor conversion software called adconvert.bin. After copying the sensor conversion software to the Trapeze MX switch that manages the AP to be converted, the sensor software can be loaded into the AP. The sensor can be converted back to an MP-372 Access Point through the AirDefense Enterprise GUI or Sensor UI.
Symbol AP300 Access Port as a Sensor
AirDefense Enterprise r7.0.5 or later also supports Symbol AP300 Access Points that have been converted to Sensors. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have the sensor conversion software to convert an AP300 Access Point to a Sensor. This is a Windows-based application that is available from Symbol Technologies, Inc. The same application can convert an AP300 sensor back into an Access Point.
9.2
The Sensor UI is an HTML-based web server that resides on the Sensor. To access the web-based Sensor UI, you must log in remotely from a web browser. Use the Sensor UI for initial configuration during Sensor installation. After initial configuration, you can administer Sensors using the Sensor program area of the AirDefense GUI, in most cases. This includes adding another Sensor to your wireless LAN. However, you must use the Sensor UI to do the following:
Enable/disable remote maintenance mode (SSH) to the Sensor.
Change the password for the Sensor Web User (Admin user or Monitor user).
9.3
Follow the steps below to install Sensors, access the Sensor UI, and then configure the Sensor for use in AirDefense Enterprise.
One (minimum) AirDefense Enterprise Server running version 7.0.5-SM1 or higher.
Model 500 Series Sensor running firmware version 4.3.x.x or higher.
Power Source for the Sensor:
Model 510 sensor: The model 510 sensor must receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard (not included).
Model 520 sensor: The model 520 sensor can be powered by an AC to DC power adapter (supplied). The sensor does not have a power switch; it is powered on when connected to the power adapter, and the power adapter is connected to a power source (100-240 Volts at 50 or 60 Hz). The model 520 sensor may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard (not included). Note that if the sensor is connected to a PoE source device and also connected to a local power source through the AC power adapter, PoE will be disabled.
Important! The Model 510 and Model 520 Sensors are designed to receive power from an 802.3af-compliant source, an 802.3af compliant switch, or an AirDefense-approved power injector. Connecting a sensor to a Power-over-Ethernet device that is not approved by AirDefense can damage the equipment.
500 Series Sensors
Step 1: Directly connect the Sensor to your station using the supplied Ethernet cable:
Note: If an AirDefense PoE injector is used, connect your Station to Data In and connect your Sensor to Data and Power out.
Power up the Sensor with the AC/DC power adapter (Model 520 only) or power up the Sensor with your 802.3af compliant PoE source.
400 Sensors
Step 1: Directly connect the Sensor to your workstation or laptop using one of two methods:
Method One: Connect the Sensor and your workstation or laptop to a hub, using standard Ethernet cables. AirDefense, Inc. recommends this method, which eliminates some equipment incompatibilities.
Method Two: Connect the Sensor to your workstation or laptop using a crossover Ethernet cable (supplied). On the Sensor side, the Ethernet cable plugs into the LAN port on the back of the Model 400 Sensor.
Step 2: Connect the Sensor power cord and DC adapter between a standard AC receptacle and the DC input connector on the Sensor back panel.
Step 3: Power up the Sensor.
9.4
Sensor UI
All Sensor network settings can be modified from either the Sensor UI or from the Sensor program area in the AirDefense GUI. Correct network settings are necessary for proper Sensor configuration. The Sensor UI consists of a display area and three tabs:
MAC address
Software Version
Hardware Model
Sensor Up-time
Information about the connection
Enter a friendly user name for the Sensor. When you open AirDefense, this is the name the Sensors will have in the tree panel area.
Locate Sensor: This feature helps you physically locate and/or identify a Sensor. Select the Yes radio button to enable the Locate Sensor function. When you enable this button and then click Save, sensor LEDs begin blinking amber. Model 510: both LED1 and LED2 begin blinking. Model 520: LED1 and LED2 blink alternately with LED2 and LED3. WARNING! You must turn the Locate function off (select No) after you have completed your Sensor search.
Primary AirDefense Server IP Address
Secondary AirDefense Server IP Address
Use DHCP: Select the option of setting up your Sensor to use a DHCP Server. Choose Yes or No. If you choose No, type the servers: IP Address, Netmask, Gateway IP Address.
Automatically obtain DNS: Select the Yes or No radio button to indicate whether you want to automatically obtain DNS. If you select No, type the following: Primary DNS, Secondary DNS, Domain Name.
Syslog Host: Select the Yes or No radio button to indicate whether the Sensor data is routed to a Syslog host server. Enter the IP address of the Syslog Host server to which the Sensor data is routed.
Model 500 Sensor
Link Speed and MTU: Choose the link speed and Maximum Transmission Unit. Link Speed Control enables you to set the Ethernet interface to either auto-negotiate (default), or to fix the interface to 10Mbs or 100Mbs, Full or Half duplex.
New Admin Password / Verify Admin Password: To change the password for an admin user, type the new password, and then verify it by typing it again.
New Monitor Password / Verify Monitor Password: To change the password for a monitor user, type the new password, and then verify it by typing it again.
Extended Channel Scan: Select Yes or No to indicate whether you want this sensor to be able to perform extended channel scans.
FIPS Level Encryption: Select Yes or No to indicate whether you want to use FIPS level encryption. This setting controls the https encryption level between the sensor and the browser. When selected, the sensor will only allow AES encryption to the browser (sensor UI). Only browsers that support this type of encryption will be able to connect to the sensor UI (e.g. Firefox) once this setting is configured to 'yes'. If you are using IE, do not select this option. Communication between the sensor and the server is not affected by this setting, and is always negotiated for AES.
After entering or changing configuration information, use the buttons along the bottom of the screen to:
Restore to Factory Defaults: removes your changes and any other changes made in the past.
Reboot: reboots the sensor.
Cancel: discards changes.
Save: applies changes and saves them on the AirDefense server and Syslog server.
The following screen shows the confirmation you see after your changes are saved and the sensor is about to reboot.
To update the sensor software, type the URL in the text box, and then click the Update button. The file will be downloaded by the sensor via anonymous FTP from the FTP server and checked for validity. This includes checks for the following:
Check to see if the file was signed via MD5.
Check to see if the file was generated at AirDefense for the model 510 or model 520 sensors.
Check to see if the proper length file was transmitted (not cut short or expanded along the way).
Check to see if the whole file was transmitted without errors.
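As an added illustration (not AirDefense code and not the sensor's own update routine), the following Python applies the kind of checks listed above to a downloaded image before it is used: target model, byte length, and MD5 digest, with the cheap length comparison made before the whole file is hashed. The manifest layout, the model tag strings, and the sample image bytes are assumptions constructed for this example.

```python
"""Added example (not AirDefense code): validate a downloaded sensor firmware
image against a manifest before it is applied. The manifest layout and the
model tags ("M510", "M520") are assumptions made for this example."""
import hashlib
import hmac


def make_manifest(image: bytes, model: str) -> dict:
    """Describe a known-good image: byte length, MD5 digest, target model."""
    return {"length": len(image), "md5": hashlib.md5(image).hexdigest(), "model": model}


def verify_firmware(image: bytes, manifest: dict, sensor_model: str) -> tuple:
    """Return (ok, reason). Every check must pass before the image is accepted."""
    # Model check: an image built for another sensor model is rejected first.
    if manifest["model"] != sensor_model:
        return False, f"image built for {manifest['model']}, sensor is {sensor_model}"
    # Length check: catches a transfer cut short or padded in transit, and is
    # cheap, so it runs before the whole file is hashed.
    if len(image) != manifest["length"]:
        return False, f"length {len(image)} != expected {manifest['length']}"
    # Digest check: catches corruption anywhere in the file. MD5 detects
    # transmission errors; it is not proof of origin, so the manifest and the
    # download source must themselves come over a path you trust.
    if not hmac.compare_digest(hashlib.md5(image).hexdigest(), manifest["md5"]):
        return False, "MD5 digest mismatch"
    return True, "ok"


# Constructed sample: a fake 1024-byte image and the manifest that would accompany it.
SAMPLE_IMAGE = bytes(range(256)) * 4
SAMPLE_MANIFEST = make_manifest(SAMPLE_IMAGE, "M520")

if __name__ == "__main__":
    print(verify_firmware(SAMPLE_IMAGE, SAMPLE_MANIFEST, "M520"))        # (True, 'ok')
    print(verify_firmware(SAMPLE_IMAGE[:-1], SAMPLE_MANIFEST, "M520"))   # length failure
```

The order of the checks matters in practice: the model and length tests cost nothing and reject most bad downloads immediately, while the digest walks the whole file. The digest only tells you the bytes arrived intact, which is the purpose the page assigns to it; the URL you type and the manifest should come from a source you trust.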
Wired:
Ethernet IP Address
Netmask
Gateway
MTU
Wireless:
Transmit Mode status
2.4GHz information
5GHz information
The Sensor Syslog Window
You can click the View Syslog button at the bottom of the View Status tab to see syslog details. The Sensor Syslog window displays real-time data on the sensor's status and events. Use the following buttons to manage the data the syslog displays:
LED 1 (bottom left) = Radio Activity Indicator
LED 2 (center) = Power & Hardware Indicator
LED 3 (bottom right) = Network Connectivity Indicator
(LED state table for LED1, LED2, and LED3, with LED3 the Network Connectivity Indicator. States listed: Off; Solid AMBER; Blinking AMBER - slow; Blinking AMBER - fast; Blinking GREEN - slow; Solid GREEN; All LEDs GREEN for 1-2 seconds; All LEDs AMBER; Both blinking AMBER - fast.)
LED1: Power Indicator (Pwr)
LED2: Link Indicator (Link)
LED3: Network Connectivity Indicator (CON)
LED4: Radio Activity (a/b/g) Indicator (Radio)
(LED state table for LED1 through LED4. States listed: Blinking GREEN; LED1 off and LED2 Solid GREEN; LED1 solid AMBER, LED2 and LED3 solid GREEN; LED (1&2) alternate blinking as a pair with LED (3&4).)
9.6
The Sensor Console Interface (Sensor CI) enables Sensor maintenance via direct access of the Sensor through its serial (console) port. This feature is particularly useful in the event of a lost Sensor IP address, or if the default IP address of the Sensor already exists in another device on the network. Without an IP address, you cannot initially access the Sensor UI to configure the Sensor.
If the REBOOT option on the menu is not active, reboot the Sensor by manually powering down and powering up for the new settings to take effect. Once set, you can use the Sensor UI to further configure the Sensor.
9.7
Zero-Configuration Option
The Quick Start Guide describes the scenario for manual configuration of the IP address of the primary AirDefense appliance using the Sensor UI. After initial configuration, the user can administer Sensors by using the Sensor program area of the AirDefense Enterprise GUI. Alternatively, the network administrator can use the Zero-Configuration DHCP option, which allows you to issue vendor options from the DHCP server. On Linux DHCP servers the 043 vendor specific option will usually have to be added into a configuration file, for Microsoft DHCP servers it is chosen from the existing DHCP option 043 Vendor Specific Info. With option 043 configured, the sensors will be able to automatically request AirDefense primary server information from the DHCP server. This allows the user to add a sensor to the network with no preconfiguration.
Note: This generated string is in Binary and must be typed into the binary field; this cannot be cut and pasted into the ASCII field as the string will be treated as ASCII instead of binary. Important! At the time of this release, some versions of the Microsoft DHCP Server do not correctly implement predefined options under vendor class.
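As an added example (not AirDefense's own configuration or code), the following Python builds a DHCP option 43 value carrying the primary server address and makes the Note's binary-versus-ASCII point concrete. Option 43's contents are vendor-defined (RFC 2132); the sub-option layout used here (one-byte code, one-byte length, data) is the common encapsulated-options convention, and the sub-option code 1, the choice between packed and text forms, and the sample address 10.1.2.3 are placeholders assumed for this example, not values documented for AirDefense sensors.

```python
"""Added example (not AirDefense code): encode a DHCP option 43 value for the
primary AirDefense server address. Sub-option code 1 and the packed/text
payload forms are placeholders; the real vendor layout is not on the page."""
import ipaddress

SUBOPTION_SERVER_IP = 1  # placeholder sub-option code (vendor-defined in reality)


def encode_suboption(code: int, payload: bytes) -> bytes:
    """One encapsulated vendor sub-option: 1-byte code, 1-byte length, data."""
    if not 1 <= code <= 254:
        raise ValueError("sub-option code must be 1..254 (0 is pad, 255 is end)")
    if len(payload) > 255:
        raise ValueError("sub-option payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload


def option43_for_server(primary_ip: str, as_text: bool = False) -> bytes:
    """Encode the primary server address as 4 packed bytes or as ASCII text."""
    addr = ipaddress.IPv4Address(primary_ip)      # rejects malformed input
    payload = str(addr).encode("ascii") if as_text else addr.packed
    return encode_suboption(SUBOPTION_SERVER_IP, payload)


def isc_hex(blob: bytes) -> str:
    """Colon-separated octets, the form ISC dhcpd accepts for
    'option vendor-encapsulated-options' in dhcpd.conf."""
    return ":".join(f"{b:02x}" for b in blob)


def windows_hex(blob: bytes) -> str:
    """Plain hex digits, as typed into the Windows DHCP binary data field."""
    return blob.hex()


def pasted_into_ascii_field(hex_text: str) -> bytes:
    """What the server stores if the hex text is pasted into the ASCII field
    instead: the characters themselves, not the octets they spell."""
    return hex_text.encode("ascii")


if __name__ == "__main__":
    blob = option43_for_server("10.1.2.3")
    print(isc_hex(blob))                                   # 01:04:0a:01:02:03
    print(windows_hex(blob))                               # 01040a010203
    print(pasted_into_ascii_field(windows_hex(blob)) == blob)   # False
```

The `isc_hex` string is what goes into an ISC dhcpd.conf `option vendor-encapsulated-options` statement (ISC can also declare a named option space with typed sub-options instead of raw hex); `windows_hex` is what is typed into the Windows DHCP binary entry. The last function shows why the Note insists on the binary field: the text "01040a010203" pasted as ASCII stores twelve character bytes rather than the six octets 01 04 0a 01 02 03, so the sensor would parse the wrong data.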
9.8
In order to access the web-based Sensor UI, you must first log in remotely from a web browser. This requires you to first determine and obtain the Sensor's IP address. Use the Sensor UI for initial configuration during Sensor installation. After initial configuration, you can administer Sensors by using the Sensor program area of the AirDefense GUI, in most cases. There are two methods to determine the Sensor's IP address:
Method One: Observe the broadcast UDP packet on port 10999 during start-up (Model 510 and 520 Sensors only).
Method Two: Use the Enterprise GUI to view each Sensor's IP address.
Reboot the Sensor (by briefly removing the power connection), and monitor the messages.
Note: The user must be on the same subnet and you must temporarily turn off any personal firewalls.
Match the Sensor MAC address to find the appropriate IP address. Now access the Sensor UI by opening your Internet browser and typing: https://<sensor_IP_address>
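As an added example (not from the page or the product), the following Python parses the output of `tcpdump -e -n udp port 10999`, one way to observe the start-up broadcast described in Method One from a station on the same subnet, and matches each frame's source MAC address against the Sensor's MAC address so the IP address can be read off. The capture lines are constructed for this example; the page does not describe the broadcast's source port or payload, and the code does not depend on either.

```python
"""Added example (not AirDefense code): map a Sensor's MAC address to the IP
address it announces in its start-up broadcast, from 'tcpdump -e -n' lines.
The sample capture below is constructed for this example."""
import re

SENSOR_PORT = 10999  # destination port of the start-up broadcast (from the page)

# tcpdump -e -n prints, per datagram:
#   <time> <srcMAC> > <dstMAC>, ethertype IPv4 (0x0800), length N: <srcIP>.<sport> > <dstIP>.<dport>: UDP, length M
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+ethertype IPv4 \(0x0800\),\s+length \d+:\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+UDP",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Return the fields of one UDP capture line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["smac"], d["dmac"] = d["smac"].lower(), d["dmac"].lower()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def sensor_broadcasts(lines):
    """Yield (source MAC, source IP) for each broadcast datagram to the sensor port."""
    for line in lines:
        d = parse_line(line)
        if d and d["dport"] == SENSOR_PORT and d["dmac"] == "ff:ff:ff:ff:ff:ff":
            yield d["smac"], d["sip"]


def find_sensor_ip(lines, sensor_mac: str):
    """IP address announced by the Sensor whose label carries sensor_mac, else None."""
    wanted = sensor_mac.lower().replace("-", ":")   # accept Windows-style MACs too
    for mac, ip in sensor_broadcasts(lines):
        if mac == wanted:
            return ip
    return None


# Constructed sample capture: two sensors booting, plus an unrelated TCP line.
SAMPLE_CAPTURE = [
    "12:00:01.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: "
    "192.168.1.50.10999 > 255.255.255.255.10999: UDP, length 18",
    "12:00:01.500000 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: "
    "192.168.1.51.10999 > 255.255.255.255.10999: UDP, length 18",
    "12:00:02.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: "
    "192.168.1.50.22 > 192.168.1.10.51234: Flags [S.], seq 0, ack 1, win 5840, length 0",
]

if __name__ == "__main__":
    print(find_sensor_ip(SAMPLE_CAPTURE, "00:11:22:33:44:55"))   # 192.168.1.50
```

Only frames addressed to the broadcast MAC and the sensor port are considered, so ordinary unicast traffic from the same MAC (the third sample line) is ignored; this matters when several devices boot at once and you want exactly the address paired with the MAC printed on the Sensor's label.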
9.9
Once you have initially set up the Sensor, you can use the Sensor window in the AirDefense GUI to make subsequent settings to Sensors. You can also use the Sensor window to manage Locations, Groups, and individual Sensors in your wireless LAN, to update Sensors with the latest firmware, and to manage Terminations. (Also see Practical Applications on page 134.)
Add Sensor Locations to your wireless LAN.
Configure the settings for individual Sensors and Groups of Sensors in your wireless LAN. These include operation and network settings. Note: You must use the Sensor UI or the Sensor CI to make initial Sensor settings. Once complete, the configurations you are able to perform using Sensor are identical to the configurations you are able to perform using the Sensor UI or Sensor CI. Additionally, Sensor gives configuration information that is unique to the GUI.
Identify the Location of Sensors in your wireless LAN, including their Groups. You can search for any Location, Group, or individual Sensor in your wireless LAN.
View the status of a Sensor: whether or not it is active, and online with the AirDefense Server.
Begin building your AirDefense hierarchy of devices, consisting of Location, Group, and Sensor.
For complete step-by-step instructions on how to manage Sensors using the GUI, see the Online Quick Help for Sensor: Sensors.
9.10
Updates to Sensor firmware are available from AirDefense, Inc. You can use either the web-based AirDefense GUI or the web-based Sensor UI to update Sensor firmware. Hint: Upgrading a Sensor places the firmware update file into the AirDefense database. The only way to remove it from the database is to use the ADDadmin utility DELFU, which is in the ADDadmin Manage program area.
Example: If your current firmware version is 4.1.0.24, and the file in the current directory is SNfirmware-M4004-2.0.17, this indicates that a more current firmware version is available.
This opens the Select Sensor Update File sub-window where you select the Sensor Firmware Files (*.img).
Once you have selected the needed *.img file, select OK to return to the Sensor Upgrades window.
Part 2
Step 1: After entering the new Sensor firmware in the AirDefense Server and it appears in the Available Sensor Update scroll list, you can add Sensors to the Sensor Update List by clicking the Add button, which opens the Choose Sensor Set sub-window.
Click and highlight the Sensor you wish to add and click OK. This closes the sub-window and the Sensor then appears in the Sensor Update List.
After the new Sensors are entered in the Sensor Update List, highlight the Sensors you wish to update, and click on Update to begin the update process. Sensors will only update with the versions that are displayed in the Available Sensor Update scroll list. The Update Status column keeps you informed of the update, indicating whether it is in progress, new or completed. Close the Manage Sensors window once you have finished. The intended update can only take place if the firmware version that displays in the Sensor Update List matches the firmware version in the Available Sensor Update List, as in the example below.
To update a Sensor with a version of firmware other than the currently loaded version (the version that currently displays in the Available Sensor Update scroll list), you must first delete the Sensor off the Sensor Update List, load the new update into the AirDefense Server (so that it appears in the Available Sensor Update scroll list), then re-add the Sensor to the Sensor Update List. You can then proceed with the update.
The upgrade was interrupted on the Sensor end, for example, by a power outage. During the upload process, the Sensor receives the new firmware file, checks the data, and burns the data into its flash memory. If a power interruption takes place during this process, the Sensor will either reboot itself, or will have to be remotely rebooted. In this case, the Sensor reverts back to its factory-installed firmware version.
The Sensor you are upgrading is on a different subnet from the default subnet (sshd 172.16.0.). To correct this, add the Sensor's new subnet to the AirDefense hosts.allow file. To do this, you must use the ADDadmin Configuration utility Hallow to edit the hosts.allow file. For instructions on using Hallow, see Configuring the System on page 85.
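As an added example (not the ADDadmin Hallow utility and not AirDefense code), the following Python shows the edit the second cause calls for on a TCP Wrappers hosts.allow file: appending a second client pattern to the sshd entry, and then checking whether a given Sensor address would be admitted by the result. Pattern matching follows hosts_access(5) for trailing-dot prefixes such as `172.16.0.` and for net/mask pairs; the sample file content (a single `sshd: 172.16.0.` line modelled on the default the page mentions) and the second subnet `10.20.30.` are constructed for this example.

```python
"""Added example (not the ADDadmin Hallow utility): add a Sensor's subnet to
the sshd entry of a TCP Wrappers hosts.allow file and check which addresses
the entry then admits. Sample content and subnets are constructed."""
import ipaddress


def client_matches(pattern: str, ip: str) -> bool:
    """Does one hosts.allow client pattern admit this IPv4 address (hosts_access(5))?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # '172.16.0.' matches 172.16.0.*
        return ip.startswith(pattern)
    if "/" in pattern:                        # 'net/mask' form, e.g. 10.0.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(ip) in network
    return pattern == ip                      # exact host address


def sshd_clients(hosts_allow: str) -> list:
    """Client patterns on the sshd line (empty list if there is none)."""
    for line in hosts_allow.splitlines():
        daemon, sep, clients = line.partition(":")
        if sep and daemon.strip() == "sshd":
            return clients.replace(",", " ").split()
    return []


def add_sshd_subnet(hosts_allow: str, subnet: str) -> str:
    """Return the file text with `subnet` added to the sshd line; idempotent."""
    lines = hosts_allow.splitlines()
    for i, line in enumerate(lines):
        daemon, sep, clients = line.partition(":")
        if sep and daemon.strip() == "sshd":
            existing = clients.replace(",", " ").split()
            if subnet not in existing:        # never duplicate a pattern
                lines[i] = "sshd: " + " ".join(existing + [subnet])
            return "\n".join(lines) + "\n"
    lines.append(f"sshd: {subnet}")           # no sshd line yet: create one
    return "\n".join(lines) + "\n"


def sshd_allows(hosts_allow: str, ip: str) -> bool:
    """Would sshd (under TCP Wrappers) admit a connection from ip, per hosts.allow?"""
    return any(client_matches(p, ip) for p in sshd_clients(hosts_allow))


# Constructed sample modelled on the default subnet the page mentions.
SAMPLE_HOSTS_ALLOW = "# hosts.allow (constructed sample)\nsshd: 172.16.0.\n"

if __name__ == "__main__":
    updated = add_sshd_subnet(SAMPLE_HOSTS_ALLOW, "10.20.30.")
    print(updated, end="")                               # sshd: 172.16.0. 10.20.30.
    print(sshd_allows(updated, "10.20.30.7"))            # True
```

Keep the added pattern as narrow as the Sensor's actual subnet: a trailing-dot prefix admits every address that begins with it, so `10.20.30.` admits only 10.20.30.x, while `10.` would open sshd to the whole 10.0.0.0/8 range. The check function lets you confirm the effect on the specific Sensor address before the file is written back.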
9.11
Practical Applications
Important! You must match each Sensor with the wireless LAN environment and configure Sensors properly to ensure accurate data reporting.
You can use Quick Scan Mode alone, which enables the Sensor to do a one-second scan of all channels.
Use the Capture button to capture all frames sent to and from this device. This function basically acts as a "sniffer" of that device's real-time frames, and you can then export the data to external analyzer tools such as Ethereal or AiroPeek.
Step 1: Select the Capture button; a Save As sub-window appears.
Step 2: In the sub-window's provided text box, enter the name that you would like to save the file as. Select Save. The file is automatically saved in AiroPeek (.apc) format.
Step 3: The Frame Capture window appears, indicating that the function is now "sniffing" the device's data. This window provides the device number, the location on your local client where the file is being saved, and the number of frames captured. These are the actual packets of 802.11 protocol that have been observed by the AirDefense sensor for that given device. The longer you keep the Frame Capture up, the more frames will be captured.
Step 4: Select the Stop button to cease the frame capture. The sample is then saved as an .apc formatted file.
Limiting the bandwidth is especially useful if you are monitoring remote facilities with limited bandwidth, for example, sites that use 128 Kbps or 56 Kbps links. Sensors under bandwidth control use an adaptive algorithm to maintain monitoring fidelity while minimizing bandwidth consumption.
Minimum Bandwidth Mode
When you configure a Sensor for Minimum Bandwidth Mode On, the Sensor will use a minimum amount of bandwidth. This limits the amount of traffic that takes place on the wired side, between the Sensor and the AirDefense Server, regardless of how much traffic the Sensor is picking up in the air. If you also have Frame Capture Mode on for at least one Sensor radio, frame information may still be limited. When you configure a Sensor for Minimum Bandwidth Mode Off, the Sensor operates in its standard mode, i.e., sends logically compressed frames. (If Frame Capture Mode is On, the Sensor will use full frames.)
Many materials used in building construction may significantly impact the propagation of signals in the 2.4-GHz spectrum.
Concrete reinforcement bar
Elevator shafts
Electric motors (for example, blowers and generators)
Lighting fixtures
Cordless phones and headsets
Bluetooth devices
Consumer cordless devices (for example, surveillance cameras, baby monitors, and video transmission extenders)
802.11a, b, g Device Density
While a single AirDefense Sensor may be capable of monitoring a very large area, it is often useful to consider a distribution of Sensors that, when reporting on a device, will give a sense of location of that device relative to a Sensor. For example, if there is only one Sensor in a large building, that Sensor may be able to see devices in most parts of the building. However, the only information available to the Sensor that it can use to locate an Access Point is that the Access Point is in the building. It is possible to distribute Sensors in such a manner as to provide a better idea of where a device is operating, such as by floor or wing where, even though many Sensors may see activity from a device, it is observable which Sensor receives the strongest, most consistent signal from the device. This allows for a significant narrowing of the possible locations of the device.
Desired Monitoring and Intrusion Protection Functionality
Organizations have varying requirements for monitoring and controlling the wireless medium around them. These requirements can be divided into four categories.
within range of a Sensor sending termination signals.
Policy Enforcement: To ensure adherence to policies or to detect attacks against managed devices, Sensors must be able to receive a representative sampling of traffic sent by all devices they are monitoring.
Rogue Detection: Even sporadic emanations from wireless Stations and Access Points can reveal the presence of rogues. You need to place Sensors where transmissions from rogue devices can be detected in a timely fashion as soon as they enter the scanning area.
Assets to be Protected
Wireless-capable devices that contain sensitive data must be protected.
Wired networks: protecting the wire from wireless breach. This approach is key to making wireless monitoring deployment decisions in very large installations, such as military bases, airports, power plants, campuses, etc. A common perception is that wireless devices must be detected and monitored throughout a given property. This becomes impractical in many cases and an approach that protects the wired backbone allows for sane decisions about monitoring coverage.
(All numbers are in square feet.)
Location Tracking: 15000, 19000, 25000
Connection Termination: 17000, 22000, 30000
Policy Enforcement: 20000, 30000, 40000
Rogue Detection: 30000, 45000, 60000
Where a sanctioned wireless LAN deployment is being monitored (not just rogue), this typically equates to six to eight Access Points per Sensor. A solid working guidance based on the above represents approximately one Sensor per 20,000 sq/ft of area to be monitored. In areas where Sensors may be exposed to harsh environments, Sensors may be placed in accessory enclosures (NEMA-4) that protect the Sensor and provide code, regulatory compliance, or both.
Rapidly Design and Deploy More Efficient Networks: AirDefense Architect helps design quality wireless networks by helping to overcome the challenges of coverage holes, poor service areas and improper capacity and network resource allocation.
Avoid Costly Retrofits: AirDefense Architect minimizes design and deployment costs by helping the designer visualize the physical location and configuration of installed network equipment, automatically placing and configuring access points, and accurately predicting network coverage and capacity.
Simplify Complex Wireless Environments: Designers can quickly compare site-survey measurements to the expected network performance, enabling real-time and accurate design modifications. AirDefense Architect is intuitive and helps users rapidly operate and design in all phases of WLAN build-out and management.
Included: AirDefense Survey functionality, which provides real-time, in-field measurements for site surveys. Seamlessly integrated into AirDefense Architect, measurements from AirDefense Survey can be used to optimize and compare its predictions.
In addition to planning all your Access Points prior to deployment, Architect also offers a Sensor planning feature. You can use the same building maps to carefully plan sensor placement, ensuring maximum coverage and no dead spots.
Floor Plans
Existing Site Surveys
Wiring layouts
Regulatory rules and codes for wiring, construction, materials, etc., where applicable
During the survey, access to all areas to be monitored is required. Once Sensor placement recommendations are determined based on the above guidelines, the next step in the deployment is to assess the coverage being provided by the Sensors at the specified locations. Since Sensors are passive devices that do not have the capability to transmit data, the process of determining the Sensor coverage depends on a reverse site-survey process in which a signal is introduced in your Wireless LAN by a device, and the signal is tracked through the facility using the deployed Sensors.
Procedure: Following is a step-by-step process to accomplish this task.
Prepare a laptop that will run AirDefense Mobile r4.0 or later (or AirDefense Survey r1.1).
Prepare an 802.11a/g wireless device (Station or Access Point). The ideal output power for this device (around 40 mW) would be that of a retail quality Station card or Access Point, as these are likely rogue candidates. Note: A soft Access Point on a laptop is often an ideal target because it can be Locked On a channel and is battery powered through being hosted on a laptop.
Obtain Maps/Layouts of the facility and determine the traversal plan.
Start AirDefense Mobile.
Turn on the target device (Access Point, soft Access Point, or laptop/PDA with Station card). AirDefense Mobile should detect the target device.
Identify the target device in the AirDefense Mobile device tree and right-click it to display a list of options.
Use AirDefense Mobile Options to Lock On the channel on which the target device is discovered.
Right-click the device in the Dashboard tree and select LiveView.
Focus on Signal Strength in the Decode tab in LiveView.
Verify that the target device is being tracked by AirDefense Mobile. When a Station card is being used as a target, significant peaks and valleys are observable in Signal Strength as the Station card rotates through channels probing for an Access Point. The peaks are indicative of the effective signal strength relative to AirDefense Mobile.
Move the target device to the anticipated fringe where a neighboring Sensor would become primary.
At the fringe of coverage, signal strength should be no less than 25% to assure termination ability.
Move AirDefense Mobile to the anticipated location of the next Sensor and use the same procedure to ensure that its anticipated coverage area is valid.
If the above Sensor placement proves adequate from a coverage and cost of placement perspective, factors observed during this analysis may be extrapolated to other locations of like construction.
Chapter 10
10.1
Use Air Termination to terminate the connection between your wireless LAN and any associated authorized or unauthorized Access Point or Station. Devices must be associated. To use this feature, you must be a user with the role of Admin or Manager. You can use Air Termination to terminate the connection of any authorized or unauthorized Access Point or Station that appears either in the hierarchical trees or in information panels throughout AirDefense programs. This includes the Dashboard, Manage Alarms, Policy Manager, and Reports. Air Termination supports:
- Single Device Termination, in which the Access Point connection is terminated and all Stations associated to the Access Point are de-authenticated, or the connection between a Station and an Access Point is terminated.
- Multiple Device Termination, which allows security administrators to terminate connectivity for multiple stations and devices simultaneously.
10.2
Policy-based Termination is the automated form of AirDefense Air Termination. Using Policy-based Termination, you can formulate an action plan to automatically terminate the connection between your wireless LAN and any authorized or unauthorized Access Point or Station, based on alarms. Devices must be associated. To use this feature, you must be an AirDefense user with the role of Admin or Manager. You can use Policy-based Termination to automatically terminate the connection of any authorized or unauthorized Access Point or Station that receives any alarm you specify, and for any Sensor you specify. Because Policy-based Termination is based on alarm selection, you must use the Manage Alarms program area in the AirDefense GUI to manage Policy-based Termination Action Plans (also see Managing Alarms on page 43).
Use this editor to formulate an Action Plan that, based on alarms, automatically terminates the connection between your wireless LAN and any authorized or unauthorized Access Point or Station. You can do this for any single alarm and for any single Sensor.
For complete steps on how to use the GUI to activate Air Termination and Policy-based Termination in AirDefense, and how to formulate Action Plans for Policy-based Terminations, go to the Alarms program area in the GUI and click on Quick Help in the Help Menu.
10.3
AirDefense r7.2 Air Termination and Policy-based Termination have internal controls that prevent AirDefense users from indiscriminately terminating devices. AirDefense only allows targeted termination of the specific devices that fall into one of the following categories:
- Unauthorized APs detected as physically attached to your private wired network
- Unauthorized clients attacking (known signature) or improperly connecting to your authorized wireless network of APs
- Authorized clients and authorized APs, to handle internal policy or misuse scenarios, including cases where authorized clients are improperly attaching to unauthorized APs
10.4
Domain-Based Partitioning
Domain-Based Partitioning allows a user with Administrator privileges to partition the Locations by user and restrict the data each user can view to the domain defined for that user. Each domain can include multiple Locations and corresponding Groups. After you enable Domain Partitioning, users with admin permissions can define Domains, and then assign them to other users. This feature is particularly important to Managed Security Services Providers who offer a Managed Service and host multiple customers on the same appliance. Only users with Administrative privileges can assign the domain for a user. Note: The Domain Management window does not appear in the Appliance Manager list unless Domain Partitioning Enabled is first activated on the System window.
Click on the System icon button to open the System Settings window. A Domain consists of one or more Locations. You can edit, add or delete a domain under the General tab. Under the Locations tab, you can edit, add or delete a Location to a Domain.
Use the following buttons for both the General and Location tabs to complete an operation.
Button / Description:
- Add: Select to add a new profile record.
- Delete: Select to delete a profile on record.
Select the Apply button in order to activate the features on the Locations tab and use the arrow buttons to move Domains from the All Locations section to the Locations In This Domain section and vice versa.
10.5
About VLAN
AirDefense enables you to monitor the use of VLANs that are partitioned on the Access Point by an SSID. If the VLAN is not used correctly, AirDefense generates an alarm.
10.5.1 Policy
The Policy program area has full support for VLAN configuration. You can do the following in Policy:
- Indicate an AP is a VLAN.
- Authorize SSIDs.
- Configure the Configuration Policy for each SSID.
- Configure the Vendor Policy for each SSID.
- Authorize Stations per VLAN.
10.6
AirDefense Enterprise's Device Synchronization Configuration window allows you to configure devices automatically by extracting information from third party wireless management systems such as Cisco, WLSE, and AirWave. This window contains the following three tabs:
Note: Once you have added new device entries to the SSID List, you can go to the Action column and double-click on it, opening a drop down list with the same options to Authorize, Unauthorize or Ignore the device on the AirDefense system.
To remove SSID devices that have been added to the SSID List, highlight the device row and select the Remove SSID(s) button. The device is immediately removed from the list. To commit the device(s) that you have added to the SSID List to the AirDefense system, select the Apply button. The devices are then detectable by AirDefense and all options on the Common Settings tab are disabled.
If you are having difficulties synchronizing AirDefense with WLSE, select the Run button on the WLSE tab, which allows you to request a synchronization immediately. When the Run button is selected, an Import Status window appears, displaying devices imported into the system. The imported devices are represented by blue icons until the devices are actually detected by any of the sensors.
11 Managing Switches
This chapter is provided to help you properly configure the AirDefense enterprise and adapt it to optimally serve your diverse network needs. This chapter contains the following topics:
11.1
Adding/Configuring a Switch
The Add Switch and Import Switches buttons on the Sensor Manager window control the addition of switch devices to the AirDefense appliance so that devices (such as APs and stations) that are connected to that switch can be detected. When switches are added, they will appear as icons in the tree panel branching off the major Groups from the Enterprise system to which they are assigned. In networks, a switch is a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs. For more information on the icon designations of switches that are found in the tree-panel, refer to the online help topic for Icons, Switches.
- The switch needs to support SNMPv2c or SNMPv3. The switch's SNMP agent needs to be enabled and accepting SNMPv2 or SNMPv3 requests.
- The switch needs to 'correctly' and 'fully' implement RFC 1213, also known as MIB-II. This is a very common MIB that most network devices implement.
- The switch needs to 'correctly' and 'fully' implement RFC 1493, also known as BRIDGE-MIB. This is a MIB that most high-end ethernet managed switches support.
- If the SNMP agent of the switch supports security views, the community configured in AirDefense to communicate with the switch needs to have full read-access to all objects (variables and tables) of both MIBs, MIB-II and BRIDGE-MIB. If it is desired to use not only the port look-up feature but also the port suppression feature, read-write access to those MIBs will have to be provided as well. AirDefense will use the Read Community for read access and the Write Community for write access (shutting down the port).
- UDP connectivity between the AD server and the switch is necessary. The standard port for SNMP agents is 161 (configurable in AirDefense; some switches will also allow you to configure this). If there is a firewall in between, that port needs to be open.
Test Switch
Function / Description:
- Name: Enter the name of the Switch.
- IP Address: Enter the IP address of the Switch. Note: This entry is mandatory.
- SNMP Port: Enter the Simple Network Management Protocol port number for this Switch. This is normally 161, but it can be different.
- SNMP Version: In this drop down list choose between v2c or v3 as the SNMP version used.
- Read Community: Enter the Read Community string, which is used for the SNMP authentication.
- Write Community: Enter the Write Community string, which is used for the SNMP authentication.
- SNMP User: This is the name of the v3 user, which is configured on the switch for SNMP v3 access.
- Authentication Algorithm, Authentication Passphrase, Privacy Algorithm, Privacy Passphrase: These are all SNMP v3 parameters that have to match what is set on the switch.
- MIB Support: Choose the checkbox for which type of Management Information Base (MIB) support the switch has. Bridge MIB - When selected, designates the switch as a source of wired-side MACs. Trapeze MIB - When selected, designates the switch for importing Trapeze Access Points.
- Enabled Yes/No: Select the Yes or No radio buttons for the Switch to be enabled/disabled for MAC Address lookups in AirDefense. When the switch is enabled (Yes), the switch icon graphic in the tree panel will be green. When the switch is not enabled (No), the switch icon graphic in the tree panel will be red.
- Description: Add any miscellaneous information about the Switch in this text box.
- Online Status: The online status is determined by the server's communication with the switch, and cannot be accessed by an AirDefense user.
- Manufacturer: The manufacturer of the Switch is automatically added if the system is able to connect to the Switch.
- Model: The specific model of the Switch is automatically added if the system is able to connect to the Switch.
Note: Once you have added a few switches into AirDefense they will appear in the tree panel when you go to the Display Order drop down list (top one) and select Switch. The list will appear similar to the following:
- This read-only field indicates whether you have successfully or unsuccessfully imported a Switch file into AirDefense.
- This read-only field lists the number of Switches that have been imported.
- This read-only list displays columns for the Switch Name and the Host. Once you have successfully imported a Switch, these columns will appear as the following:
1. Switch Name
2. Switch IP Address
3. SNMP Port
4. SNMP Version
5. Read Community
6. Write Community
7. SNMP User
8. Authentication Algorithm
9. Authentication Passphrase
10. Private Algorithm
11. Private Passphrase
12. Bridge MIB Support (True or False)
13. Trapeze MIB Support (True or False)
14. Enabled (True or False)
15. Description
16. Group
17. Location
Important! If you are not going to use a field in a Switch file, or specify any detail in it, enter null for its value. If you import a Switch to a Location/Group that does not exist in the system, the system will import switches into the Default Location/Group.
Example 2:
myswitch_02,192.168.0.81,161,v2c,public,private,null,null,null,null,null,false,true,true,mydescription,Main Building[Group],New York[Location]
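As an added example (not AirDefense's own code), the following Python parses lines in the Switch file layout listed above: it treats null as an unused field, strips the [Group]/[Location] tags, converts the true/false flags, and flags vendor-default community strings, since the Write Community is what AirDefense uses to shut down ports. The second constructed line and its SNMPv3 algorithm names are placeholders, not values documented by the guide.

```python
"""Parse and sanity-check an AirDefense switch import file.

Added example, not AirDefense code. The 17-column order follows the import-file
layout listed in the guide; "null", the [Group]/[Location] suffixes and the
true/false flags are taken from Example 2. The weak-community warnings are this
example's own checks, not a documented AirDefense feature.
"""
import ipaddress

COLUMNS = [
    "name", "ip_address", "snmp_port", "snmp_version",
    "read_community", "write_community", "snmp_user",
    "auth_algorithm", "auth_passphrase", "priv_algorithm", "priv_passphrase",
    "bridge_mib", "trapeze_mib", "enabled", "description", "group", "location",
]
BOOL_COLUMNS = ("bridge_mib", "trapeze_mib", "enabled")
# Vendor-default community strings; the write community can shut down ports,
# so leaving these in place is worth a warning.
DEFAULT_COMMUNITIES = {"public", "private"}


def _field(raw):
    """'null' means the field is unused; anything else is kept verbatim."""
    raw = raw.strip()
    return None if raw == "null" else raw


def _tagged(raw, tag):
    """Strip a trailing [Group] or [Location] tag, e.g. 'New York[Location]'."""
    if raw is None:
        return None
    suffix = "[" + tag + "]"
    return raw[:-len(suffix)] if raw.endswith(suffix) else raw


def parse_switch_line(line):
    """Return (record, warnings) for one import line; ValueError on bad input."""
    parts = line.split(",")
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(parts)}")
    rec = {col: _field(val) for col, val in zip(COLUMNS, parts)}

    # The IP address is mandatory; the SNMP port is normally 161.
    if rec["ip_address"] is None:
        raise ValueError("IP address is mandatory")
    ipaddress.ip_address(rec["ip_address"])
    port = int(rec["snmp_port"] or 161)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad SNMP port {port}")
    rec["snmp_port"] = port

    for col in BOOL_COLUMNS:
        if rec[col] not in ("true", "false"):
            raise ValueError(f"{col} must be true or false")
        rec[col] = rec[col] == "true"

    rec["group"] = _tagged(rec["group"], "Group")
    rec["location"] = _tagged(rec["location"], "Location")

    warnings = []
    if rec["snmp_version"] == "v2c":
        if rec["read_community"] is None:
            raise ValueError("v2c requires a read community")
        for col in ("read_community", "write_community"):
            if rec[col] in DEFAULT_COMMUNITIES:
                warnings.append(f"{col} uses vendor default '{rec[col]}'")
    elif rec["snmp_version"] == "v3":
        if rec["snmp_user"] is None:
            raise ValueError("v3 requires an SNMP user")
        if rec["auth_algorithm"] is None or rec["priv_algorithm"] is None:
            warnings.append("v3 without both authentication and privacy")
    else:
        raise ValueError(f"unknown SNMP version {rec['snmp_version']!r}")
    return rec, warnings


def parse_switch_file(text):
    """Parse every non-empty line; returns a list of (record, warnings)."""
    return [parse_switch_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample: Example 2 from the guide plus a made-up SNMPv3 switch
# (the algorithm names are placeholders, not guide-documented values).
SAMPLE_FILE = """\
myswitch_02,192.168.0.81,161,v2c,public,private,null,null,null,null,null,false,true,true,mydescription,Main Building[Group],New York[Location]
myswitch_03,192.168.0.82,161,v3,null,null,admin,SHA,authpass1,AES,privpass1,true,false,true,null,null,null
"""

if __name__ == "__main__":
    for rec, warns in parse_switch_file(SAMPLE_FILE):
        print(rec["name"], rec["ip_address"], rec["snmp_version"], warns)
```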
11.2
This window, which is accessed from either the AirDefense tree panel or by right-clicking individual devices on window table lists, allows for a convenient method to quickly locate the physical port that an authorized/unauthorized device is using to connect to your network. The following table provides detail on the Port Lookup window's functions and features.
Function / Description:
- Device MAC Address: A read-only line that provides the device type icon (typically an Access Point) and its MAC Address.
- MAC Address List: Lists the MAC Addresses of devices that are connected to the device you are performing Port Lookup on.
- Add MACs In Range checkbox: Use this checkbox option to perform a range lookup of MAC addresses for devices in order to find a hacker/intruder or unauthorized device. Select the up/down arrows to add/remove additional ranges of device returns. For example, suppose you are performing Port Lookup for a device whose last 2 characters are 04; when you select 3 for Add MACs In Range, 3 tiers of MAC Addresses above and below the 04 address appear: 07, 06, 05 -- 04 -- 03, 02, 01. When this option is de-selected, nothing will appear in the MAC Address List. Note: Range default is 1, maximum is 10.
- Add Associated Stations checkbox: When this checkbox is selected, Port Lookup searches for any stations associated with the selected device and lists them with their MAC Addresses below the devices that it finds.
- Additional MACs, Add/Remove buttons: In the Additional MACs text box, enter the MAC Address of any additional devices whose port status you wish to look up.
- Start Lookup: Click this button to open the Port Status window. This window lists all devices that match the MAC Address List column and any additional MAC Addresses you entered manually. If any unauthorized devices are connected to the device's ports, they will appear here, with their address and the switch port number.
Once you have determined that you have an unauthorized device accessing your network through a port, you can then go to the Manage Sensors sub-window on the Sensor Management window, and access the Port Suppression features to disconnect the port.
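A worked illustration of the Port Lookup logic above, using the Bridge MIB that the switch prerequisites name as the source of wired-side MACs. This is an added example (not AirDefense code): it reads a constructed dump in the shape of an snmpwalk of the BRIDGE-MIB forwarding table and resolves a device MAC, its Add MACs In Range neighbours and any Additional MACs to a bridge port. That the range is clamped at 00 and FF rather than wrapping is this example's assumption.

```python
"""Resolve MAC addresses to switch ports from a BRIDGE-MIB forwarding table.

Added example, not AirDefense code. The input below is constructed text in the
shape of an `snmpwalk -On` dump of dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2,
RFC 1493), whose OID index is the learned MAC as six decimal octets and whose
value is the bridge port. The tiers logic follows the Port Lookup window's
Add MACs In Range description (default 1, maximum 10).
"""
import re

DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"
# One row per learned MAC: <prefix>.<o1>.<o2>.<o3>.<o4>.<o5>.<o6> = INTEGER: <port>
_ROW = re.compile(
    r"^\.?" + re.escape(DOT1D_TP_FDB_PORT) + r"((?:\.\d{1,3}){6}) = INTEGER: (\d+)$"
)


def fmt_mac(octets):
    """Canonical lower-case colon form, e.g. 00:1e:14:0a:00:04."""
    return ":".join(f"{o:02x}" for o in octets)


def norm_mac(mac):
    """Accept 00:1e:14:0a:00:04, 00-1E-14-0A-00-04 or 001e140a0004."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return fmt_mac(bytes.fromhex(hexstr))


def parse_fdb_walk(text):
    """Return {mac: bridge_port}; lines from other tables are ignored."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        octets = [int(x) for x in m.group(1).split(".")[1:]]
        if any(o > 255 for o in octets):
            continue  # malformed index: skip rather than mislabel a port
        table[fmt_mac(octets)] = int(m.group(2))
    return table


def expand_mac_range(mac, tiers=1):
    """MACs whose last octet lies within +/- tiers of the given MAC, listed high
    to low as in the window's 07,06,05 -- 04 -- 03,02,01 illustration (tiers=3).
    Values outside 00..FF are dropped (assumption: clamp, do not wrap)."""
    if not 1 <= tiers <= 10:
        raise ValueError("tiers must be between 1 and 10")
    base = bytes.fromhex(norm_mac(mac).replace(":", ""))
    out = []
    for delta in range(tiers, -tiers - 1, -1):
        last = base[5] + delta
        if 0 <= last <= 255:
            out.append(fmt_mac(base[:5] + bytes([last])))
    return out


def port_lookup(table, device_mac, tiers=None, additional_macs=()):
    """Mimic Start Lookup: {mac: port} for every candidate present in the
    forwarding table. Candidates are the device itself (or its range when
    tiers is set) plus any manually entered Additional MACs."""
    candidates = [norm_mac(device_mac)]
    if tiers:
        candidates = expand_mac_range(device_mac, tiers)
    candidates += [norm_mac(m) for m in additional_macs]
    return {m: table[m] for m in candidates if m in table}


# Constructed sample walk: four forwarding entries plus one dot1dTpFdbStatus
# row (OID ...17.4.3.1.3) that the parser must ignore.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.30.20.10.0.4 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.30.20.10.0.6 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.30.20.10.0.9 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.0.12.41.170.187.204 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.0.30.20.10.0.4 = INTEGER: 3
"""

if __name__ == "__main__":
    fdb = parse_fdb_walk(SAMPLE_WALK)
    # Device ...:04 with three tiers finds itself and ...:06 on port 7, not ...:09.
    print(port_lookup(fdb, "00:1e:14:0a:00:04", tiers=3))
```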
11.3
The Port Suppression feature enables you to suppress the communications port for any network device. The Port Suppression feature turns off the port on the network switch through which a device is communicating. You can suppress the communications port for any network device, effectively shutting down the communication port for the device. You must enable (or disable) Port Suppression using the GUI (Config>Appliance Manager>System). Then you must set up configuration for switches that manage the servers (Config>Sensor Manager>Add Switch).
12 Location Tracking
This chapter is provided to help you properly configure AirDefense Enterprise server and adapt it to optimally serve your diverse network needs.
12.1
Location tracking is a critical tool in wireless security management as it enables the network security administrator to locate and remove rogue devices. AirDefense offers two methods for location tracking: RF Triangulation and RF Fingerprinting (or Signature).
The RF Triangulation option is built into the Enterprise 7.0 product. It only requires the user to import location maps and place the sensors on the map. The RF Fingerprinting or Signature option is an add-on module that requires additional hardware and software. With the same number of sensors used, the RF Fingerprinting method will generally yield better results; however, accurate calibration of each floor plan is required.
12.1.1 RF Triangulation
The RF triangulation method uses the RSSI to estimate the distance between transmitter and receiver, based on a typical power loss curve. However, the actual direction is still unknown. To uniquely identify the source's location in a space (for example, the distance to receiver and the direction from where it originated), RSSI data points from at least three independent receivers at fixed locations are required. Therefore, the transmitting source needs to be in the coverage area of at least three independent sensors at any point within the building.
12.2
Location Tracking is a technology that enables you to locate and track rogue devices that may be threatening your wireless LAN. Location Tracking (Triangulation) uses the RSSI (Received Signal Strength Indications) of the device as seen by at least 3 sensors to triangulate a position relative to the sensor locations. To use this feature, the user must first import a building map and place at least 3 sensors on their corresponding location.
- One (minimum) AirDefense Enterprise Server (running r7.2 or later)
- Three (minimum) AirDefense Sensors (running r4.4.x or later) per map loaded
Importing Maps
To use the built-in Location Tracking (Triangulation) feature, you will need to import a map first and place the sensors at their specific locations. Note: Each map can be loaded by Location or Group. You may have to re-arrange the sensors in the Sensor Manager to accommodate a map for each Location or Group (go to Config > Sensor Manager). You will also need a minimum of three sensors per map.
Example: Location Atlanta HQ has 2 Floors with 3 Sensors on each floor:
Step / Action:
1. Click on the Binoculars button to open the Location Tracking (Triangulation) application.
2. Select the Group or Location where you want to add a map, right-click and hit Create Map. Note: Selecting the Create Map button will activate the windows, buttons and functions at the top of the window (Set Scale, Set Image and Advanced).
3. Click on the Set Image button (see Set Image function) to import a map.
4. Click on the Select Scale button (see Set Scale function) to set the scale of your map with a known distance.
5. Select at least three sensors from the same Location or Group and place these on the map. You can drag the sensor and place the sensor on the map corresponding to its exact location.
Select the Advanced button to modify the Loss Factor and Smoothing Factor (see Advanced function).
Refresh: Select the time interval for when the Location Tracking data is refreshed in its window, which can be 15 min, 5 min, 1 min, 30 seconds, 10 seconds or switched off.
Undo/Redo: Select the undo and redo buttons to apply to actions made in the Location Tracking map.
Tools: Use your mouse to click and drag devices from the AirDefense tree panel into the Location Tracking map.
Important! File sizes of imported maps cannot exceed 500kb per map.
Advanced Settings
Click the Advanced... button to open the Advanced Settings sub-window which contains the following two setting options:
Function / Description:
- Loss Factor: Loss Factor represents the density of the network environment which affects the power levels measured by the sensors. Use the slide button to compensate for loss factor values which are caused by environment, work area and other spatial factors.
- Smoothing: The smoothing value is the number of power measurements averaged together to get the final power level and is a global setting which applies to the entire location tracking system. Use the slide button to set a high smoothing value which creates a more accurate power level for a stationary device, or a low smoothing value which is more responsive to handle devices in motion.
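To make the RF Triangulation method of 12.1.1 and the Loss Factor and Smoothing settings above concrete, here is an added example (not AirDefense code) of the whole chain on constructed readings: RSSI from three sensors is smoothed, converted to a distance, and solved for a position. It assumes a log-distance path-loss curve whose exponent stands in for the Loss Factor, a moving average over the last N readings per sensor for Smoothing, and a least-squares solution of the sensor circles; none of these internals are documented by the guide.

```python
"""Toy RF triangulation: smoothed RSSI -> distance per sensor -> position.

Added example, not AirDefense code. Assumptions: distance follows the
log-distance path-loss curve rssi = ref_rssi - 10 * n * log10(d / d0) with
n playing the role of the Loss Factor; Smoothing is a moving average over the
last N readings per sensor; the position is the least-squares solution of the
sensor circles, which needs at least three non-collinear sensors.
"""
import math
from collections import deque


def rssi_to_distance(rssi, loss_factor, ref_rssi=-40.0, ref_distance=1.0):
    """Invert the path-loss curve; ref_rssi is the level at ref_distance."""
    return ref_distance * 10 ** ((ref_rssi - rssi) / (10.0 * loss_factor))


class RssiSmoother:
    """Keep the last `smoothing` readings per sensor and average them: a large
    window steadies a stationary device, a small one follows a moving one."""

    def __init__(self, smoothing):
        if smoothing < 1:
            raise ValueError("smoothing must be at least 1")
        self.smoothing = smoothing
        self._samples = {}

    def add(self, sensor, rssi):
        self._samples.setdefault(sensor, deque(maxlen=self.smoothing)).append(rssi)

    def level(self, sensor):
        window = self._samples[sensor]
        return sum(window) / len(window)

    def sensors(self):
        return list(self._samples)


def trilaterate(anchors):
    """anchors: list of ((x, y), distance). Subtracting the first circle from
    each other circle linearises the problem; the 2x2 normal equations then
    give the least-squares (x, y)."""
    if len(anchors) < 3:
        raise ValueError("need RSSI from at least three sensors")
    (x0, y0), d0 = anchors[0]
    rows = []
    for (xi, yi), di in anchors[1:]:
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


def locate(sensor_positions, smoother, loss_factor):
    """Turn each sensor's smoothed RSSI into a distance and triangulate."""
    anchors = [
        (sensor_positions[name], rssi_to_distance(smoother.level(name), loss_factor))
        for name in smoother.sensors()
    ]
    return trilaterate(anchors)


# Constructed sample: three sensors on a 30 m x 30 m floor, a device at (10, 10),
# loss factor 3.0, and three jittered readings per sensor that average out.
SENSORS = {"sensor-A": (0.0, 0.0), "sensor-B": (30.0, 0.0), "sensor-C": (0.0, 30.0)}
LOSS_FACTOR = 3.0
TRUE_POSITION = (10.0, 10.0)


def build_sample_smoother():
    smoother = RssiSmoother(smoothing=3)
    for name, (sx, sy) in SENSORS.items():
        d = math.hypot(TRUE_POSITION[0] - sx, TRUE_POSITION[1] - sy)
        true_rssi = -40.0 - 10.0 * LOSS_FACTOR * math.log10(d)
        for jitter in (-1.0, 1.0, 0.0):
            smoother.add(name, true_rssi + jitter)
    return smoother


if __name__ == "__main__":
    x, y = locate(SENSORS, build_sample_smoother(), LOSS_FACTOR)
    print(f"estimated position: ({x:.2f}, {y:.2f})")  # close to (10.00, 10.00)
```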
Feature / Description:
- Protocol: Lists one of the three protocols for 802.11 WLAN traffic: 802.11a, 802.11b, and 802.11g. Protocols can differ based on their frequency range, radio channels, and data rates.
- Last Seen: Lists the date/time group when the device was last seen in AirDefense.
- Sensors: This field area lists the name of the sensors that are detecting the device. There need to be at least 3 sensors in order for devices to be detected. If you have fewer than 3 sensors per map, you will not see any devices on the Location Tracking map.
- Stop Tracking: When this button is selected, it removes the device from your tracking window. Note: You can also right-click on a device in the map and cancel tracking from there.
Location Level and Group Level: At the Location and Group levels, you can...
- Create a new device locationing map
- Delete a map that is already stored in that group
- Load a new device locating map from a file external from the application
Sensor Level: At the Sensor level, you can...
- Add a sensor to the device locationing map
- Remove a sensor on the device locating map
Access Point and Station Levels: At the Access Point and Station levels...
- Add a Device to the device locationing map
- Remove a Device from the map
- Initiate device tracking
- Stop device tracking
12.3
Signature-based Location Tracking is a tracking technology available as an option to your AirDefense Enterprise system. It enables you to locate and track rogue devices that may be threatening your wireless LAN. AirDefense Location Tracking is a collaboration of two technologies: AirDefense Enterprise and the AirDefense Positioning Platform, which contains the ADLT Positioning Engine and the ADLT Manager. The combination of these technologies enables you to efficiently and accurately pinpoint the real-time location of rogue Stations and Access Points from a centralized location. Location Tracking (Signature) uses RF fingerprinting technology. Each map must first be calibrated to store the sample RSSI values for each location. Alternatively, you can use Location Tracking (Triangulation), which requires no calibration. The following instructions give a brief overview of the steps necessary to implement Location Tracking (Signature) in AirDefense.
communicates this information to the ADLT Positioning Engine. The AirDefense Server then receives exact location coordinates for the selected device back from the ADLT Positioning Engine, and displays the floor plan and device location in the AirDefense GUI.
- One (minimum) AirDefense Enterprise Server (running r6.2 or later)
- Three (minimum) AirDefense Model 400 Sensors (running r4.2.0.24 or later)
- One Windows XP machine, which will run the ADLT Positioning Engine. Recommendation: Since the Positioning Engine is a server application, AirDefense recommends that this machine be a desktop PC. Minimum requirements: 1 GHz, 256 Mb RAM, 500 Mb HD.
- One or more wireless laptop PCs, equipped with Windows XP or 2000 and an 802.11 a/b/g wireless network adapter. These laptops, which will each run the ADLT Manager, will serve as the approved, registered laptops that you will use to devise your positioning model (calibrated floor plan) for your tracking area. This process is called calibration. Minimum requirements: Pentium III, 256 Mb RAM, 500 Mb HD.
Software Prerequisites
AirDefense Location Tracking Installation CD-ROM and a set of license files (supplied by AirDefense, Inc.). The license files are:
- ADLT Positioning Engine license
- ADLT Manager license
- AirDefense JAVA SDK license
- AirDefense Enterprise r6.2 or later (on the AirDefense Server)
- AirDefense Sensor firmware r4.1.1-0 or later (installed on AirDefense Sensors)
- The ADLT Positioning Engine, r1.0 or later (to install on the Windows XP desktop)
- The ADLT Manager, r1.0 or later (to install on one or more wireless Windows XP or 2000 laptop PCs)
For complete step-by-step procedures on how to install and set up Location Tracking in AirDefense, see the standalone PDF document: AirDefense Location Tracking User Guide.
Locate (Signature) can be started in either of two ways:
- On the Forensic Analysis Wizard window's Locate Device tab, select Locate (Signature).
- Right-click on either an Access Point or Station in the AirDefense tree panel and select Locate (Signature).
Click OK. The AirDefense Server connects to the ADLT Positioning Engine and receives the x-y coordinates of the device. The Device Location View window appears, displaying a location dot on a floor plan, indicating the device location.
13 Reporting
AirDefense Enterprise's dual approach to reporting consists of a web interface for populating report templates with data, and a flexible interface for creating additional custom report templates. The Web Reporting interface makes it easy to choose report templates and define the scope of data you want to include, then view the resulting report in a selection of formats. You can also save reports, share them with others, and schedule reports to run automatically. The Report Builder application within the GUI lets more advanced users create report templates, either basing them on the templates delivered with AirDefense or designing them from scratch. Reports you create with the report builder become available as templates in the Web Reporting interface.
AirDefense Enterprise features a web-based reporting interface that lets you create reports from templates using data you specify. You can also save reports, share them with others, and schedule reports to run automatically. You access Web Reporting from the same page as the AirDefense Enterprise GUI application download.
13.1
Report types
The Report Types page is the default page; it lists standard and custom report templates by type. You can select a report, specify applicable settings, and then load the report with data.
Scheduled Reports
The Scheduled Reports page lists reports that have been scheduled to run automatically.
Saved Reports
The Saved Reports page lists the reports that you created and saved. You cannot view reports saved by other users unless the other users Share the reports (see below). You can delete a report by selecting its checkbox and clicking Delete. You can share a report by selecting its checkbox and clicking Share. You can view report data by clicking on the report's name.
Shared Reports
The Shared Reports page lists reports that you or other users created, saved, and then shared. If you do not share a report, only you can view it.
1. Select a report from the Report Type list. The Report Settings page for that report appears.
2. Complete the settings so that the data in the report reflects the format, scope, and time frame you want.
3. If you want to email the report to someone, type the email address in the Mail to box.
4. Click Preview to load the report with data. The report appears.
A control area on the left lets you:
- Create a printer-friendly version of the report
- Save the report on the server
- Schedule the report to run automatically later
- List the current report settings
- Change the settings and re-run the report
You can view additional information about devices listed in the report in one of two ways:
- When the cursor hovers over a device, a popup lists basic information including MAC address, IP address, vendor, channel, SSID, signal strength, and last seen time.
- If you select the Run Device Report link next to a device, a device-specific report is launched in a new window.
You can schedule reports to run automatically by clicking the Schedule link to the right of the report name on the Report Types page.
After running a report, you may decide to schedule it to run automatically again later.
1. When you are viewing the report, click Add to Scheduled. The scheduling page appears.
2. Type a Name for the report and choose the report format.
3. Choose one or both of the following destinations for the report: To save the report to a file, select Save to File. To email the report, type the email addresses of report recipients.
4. Select the Enable Report checkbox to make this schedule active. If you want to deactivate this schedule later, clear the checkbox.
5. Use the tree in the Display Settings area to make sure the scope of the report reflects the part of your network you want to include.
6. In the Scheduled Execution area, type the time of day you want the report to run and the number of days, hours, or minutes you want the report to cover.
7. Choose the frequency for the report: If you want the report to run weekly, select the Weekly radio button and then select the day of the week you want it to run. If you want the report to run monthly, select the Monthly radio button, and then select the day of the month you want it to run.
13.2
Report Builder lets you create, edit, and copy report templates.
Changing the order of items in the report
1. Open a report.
2. In the tree, select the item you want to move.
3. Use the up and down arrows at the top of the tree to move the item where you want it to appear in the report.
4. Click Save on the tool bar.
14.1
You can exit the wizard at any time and use it again later. As you make changes to the pages, the wizard displays blue asterisks next to the page names to help you track which pages you have worked on. When you are finished working in the wizard, click the Finish button in the top right corner.
14.2
Chapter 14
- Enable active termination: You can select the Active termination check box to enable users with admin privileges to disable the connection between wireless devices (Air Termination).
- Enable policy-based termination: You can select the Enable policy-based termination check box to allow users with admin privileges to create policies that automatically terminate wireless devices based on specific alarms or policy violations.
- Enable port suppression: You can select the Enable port suppression check box to allow users to suppress communication on the network switch port that a device is using to communicate with the network, if inappropriate activity is detected.
- Add a new Location.
- Add a new Group.
- Delete a Location, Group, or Sensor.
- Select a Location, Group, or Sensor, and move it up in the tree.
- Select a Location, Group, or Sensor, and move it down in the tree.
To add a name or description for a Location or Group in the tree, select the Location or Group, and then type the name or description. You can use the Sensor Manager to make additional changes to the network structure. Select Tools > Configuration > Sensor Manager
You can make additional changes to User Accounts by selecting Tools > Configuration > User Management
Define Policies
The privacy policy defines the security configurations you require for stations to be authorized in your wireless LAN. Settings you choose on this page update the default privacy policy. Alternative navigation: Tools > Configuration > Configuration Wizard > Define Policies Select or clear checkboxes in the following areas to define the privacy policy:
You can use the Policy Manager to create additional policies with alternative settings. Select Tools > Configuration > Policy Management
Configure Alarms
The Configure alarms page provides three pre-defined Security Sensitivity modes to let you quickly specify the alarms you want to enable. You can use the pre-defined policies as-is or customize them. Alternative navigation: Tools > Configuration > Configuration Wizard > Configure Alarms The Alarms you choose and their criticality may depend on your wireless environment. For example: an unauthorized station alarm would be considered critical and deserve immediate attention in a no-wireless zone, but it could be safely ignored in a public place in a congested area with many transient devices, such as a university campus. Select the pre-defined Security Sensitivity mode that best suits your organization, and then click Advanced if you want to customize it. Pre-defined modes include:
- Monitored WLAN: generally for networks where both performance and security are concerns
- Monitored WLAN Security Only: generally for networks where security is the top priority
- Monitored WLAN congested areas: generally for networks that are more tolerant of transient or neighboring devices
To customize the sensitivity level, select the checkboxes next to the alarms you want to enable and clear the checkboxes next to the alarms you want to disable. At that point, the Custom Sensitivity radio button automatically becomes selected to indicate that you have customized one of the pre-defined modes. You can make additional changes to the Alarm criticality by selecting Tools > Configuration > Alarm Manager.
caused by unauthorized devices. This page lets you define the rules that the system will use to automatically classify each device. It also lets you schedule auto classification to occur on a regular basis. Alternative navigation: Tools > Configuration > Configuration Wizard > Schedule Auto Classification
To schedule Auto Classification:
1. Select the Enable scheduled classification checkbox.
2. Select the Reclassify authorized and ignored devices checkbox if you want to enable that option.
3. Use the Scope drop-down to choose the part of the network for which you want to schedule auto classification.
4. Indicate the interval at which you want the classification to occur and the time and day you want to start.
5. Type the Rule Set Name of the rule set that contains the classification rules you want to use to classify devices.
You can make additional changes to Auto Classification by selecting Tools > Configuration > Policy Manager > Auto Classification.
Enable Notifications
Configure the notification engine to send E-Mail messages, SNMP traps, or Syslog messages when alarms occur.

Alternative navigation: Tools > Configuration > Configuration Wizard > Enable Notifications

To add a notification:

1. Click Add.
2. Choose the type of notification you want to add. Some of the controls on this page change to reflect the notification type you chose.
3. Type or choose the settings you want the notification to use.
4. Click OK.

To edit a notification, select the notification, and then click Edit. Make changes to the settings, and then click OK.

To delete a notification, select the notification, and then click Delete.

You can make additional changes to the notifications by selecting Tools > Configuration > Notification Manager.
Import Devices
You can import a list of access points or stations, including device information, from an external file.

Alternative navigation: Tools > Configuration > Configuration Wizard > Import Devices

1. To import a file, select Load AP File or Load Station File.
2. Browse to the file location, select the file, and then click Open. A status window appears, displaying the number of lines processed and any error messages. Click Close.

You can import additional devices by selecting Tools > Configuration > Policy Manager.
ADDadmin Utilities
A.0.1 Manage
ADDadmin Utility: Use this utility to...

STATUS: Display the process and disk status of the system.
SYSLOG: Display system log entries resulting from authentication and sendmail failures. You can either display the logs on screen, or write logs to a text file (syslogdata.txt).
CLRLOG: Clear rotated system logs if the /var partition is approaching 100% usage; clear an overly large postgresql log.
SAVECAP: Access captured packets (pcapture files) in the pcaptures directory of the AirDefense Server (/usr/local/smx/pcaptures) and save them as either a peek or a pcap formatted file.
CLRCAP: Clear frame capture files to free up space in the directory /usr/local/smx/pcaptures on the AirDefense Server.
DELFU: Delete a Sensor firmware update that you have loaded into the GUI (via Manage Sensor Updates).
PASSWD: Manage AirDefense GUI Web User names and passwords. Use this utility to:
  Add a Web User for the AirDefense GUI.
  Delete a Web User for the AirDefense GUI.
  Change a password for a Web User for the AirDefense GUI.
  Change the password of a Command Line User (smxmgr and smxarchive). (For more information on smxarchive, see Appendix B, Automated Data Retrieval.)
RESTART: Restart AirDefense processes (not a full reboot!).
REBOOT: Reboot AirDefense (full reboot).
HALT: Halt AirDefense (stop processes).
Appendix A
A.0.2 Dbase
ADDadmin Utility: Use this utility to...

ALARMS: Enable / disable automatic alarm management.
CLRU: Clear databases, except user data.
CLRALL: Clear databases of all data.
BUDBCFG: Back up database configuration information.
RCDBCFG: Recover database configuration information.
BCKUPDB: Back up databases.
RCVRDB: Recover databases.
INTCK: Check the integrity of databases.
OUI: Update vendor MAC address information in the database.
A.0.3 Software
ADDadmin Utility: Use this utility to...

CURRLIC: Display the current AirDefense license.
LICENSE: Install a new AirDefense license.
KEYPKG: Create a package of AirDefense system keys that can be used by AirDefense support to repair corrupt licenses.
SERVMOD: Update the current version of AirDefense software with feature enhancements or improvements.
RESCUE: Perform an AirDefense rescue of a troubled upgrade. Hint: All data will be lost in this process!
ADPKG: Install AirDefense supplemental packages.
A.0.4 Config
ADDadmin Utility: Use this utility to...

IP: Change the IP address, subnet mask, and default gateway of the AirDefense Server you are logged into.
NETPORT: Change the network interface connections, and toggle the Autonegotiation feature On or Off.
DNS: Add or delete a DNS nameserver (Domain Name Server).
HNAME: Change the name of the AirDefense Server.
DNAME: Change the domain to which the AirDefense Server belongs.
MRELAY: Configure the AirDefense Server to point to a Mail Relay Host.
ARP: Configure a permanent ARP table.
HALLOW: Configure which systems are allowed to connect to the AirDefense Server.
HDENY: Identify which laptops and workstations are not allowed to connect to the AirDefense Server.
PING: Change the ping setting for the AirDefense Server (ping enable, ping disable).
CAD: Enable or disable [Ctrl] [Alt] [Del] for reboot.
TIME: Change the AirDefense Server's operating time and date.
TZ: Change the time zone in which the AirDefense Server is operating.
NTP: Enable or disable a specific network time server (NTP).
UIPORT: Change the network port number over which the GUI is running.
FALLOW: Allow a specific client, which is an external PC with the Advanced Forensic application, to connect to the AirDefense Server on the Advanced Forensic Analysis Engine. See page 93 of Chapter 7 for more information.
FDENY: The direct opposite of FALLOW. Deny a specific Forensic Client PC from connecting to the AirDefense Enterprise Server. See page 93 of Chapter 7 for more information.
B.0.1 Introduction
To automatically retrieve archived data from the AirDefense Server, you must log in to the AirDefense Server from a local backup server. Additionally, the login must be secure, using SCP or SSH. For example, you may want to write a script that you run via Cron.
Export Data (reports)
Using the Data Mgmt program in Admin, you can export data on the AirDefense Server as report files. Files are exported in tab-delimited format to a .txt file and are placed in a specific directory on the AirDefense Server (/usr/local/smx/reports).
Backup Data (backups)
Using the Data Mgmt program in Admin, you can back up the database. Database backup files are written to a specific directory on the AirDefense Server (/usr/local/smx/backups).
Appendix B
ADServer = IP address or hostname of your AirDefense Server
LocalServer = IP address or hostname of the local server that will retrieve the files
LocalUser = the username used on LocalServer
1. On LocalServer, log in as LocalUser.
2. Run the following command to generate the keys for the LocalUser:
   /usr/bin/ssh-keygen -d -f $HOME/.ssh/id_dsa
   At the passphrase prompts, do not enter a passphrase. Hit Return. This action creates the keys for the LocalUser, id_dsa and id_dsa.pub, in the LocalUser's .ssh directory. These keys must keep these names while on this server.
3. Transfer the LocalUser's public key to your AirDefense Server. (It is a good idea to change the name of the key in the process, so it does not become confused with any other keys on the AirDefense Server.)
   /usr/bin/scp $HOME/.ssh/id_dsa.pub smxarchive@ADServer:LocalUser.pub
4. Log on to the AirDefense Server via SSH as smxarchive:
   /usr/bin/ssh smxarchive@ADServer
   Enter your password at the prompt.
5. Install the public key as an authorized entry. To do this, add the new public key to the authorized key file:
   /bin/cat $HOME/LocalUser.pub >> $HOME/.ssh/authorized_keys
   Ensure the permissions are correct on the key file by modifying the permissions on the authorized_keys file:
   /bin/chmod 600 $HOME/.ssh/authorized_keys
6. Exit the SSH session:
   exit
7. Verify that the logon works correctly. From LocalServer run:
   /usr/bin/ssh smxarchive@ADServer
8. LocalUser@LocalServer can now ssh and scp to and from smxarchive@ADServer. You should be able to log on without using a password, using only public key authentication. LocalUser@LocalServer now has all of the access privileges of smxarchive@ADServer.

Once automated retrieval is set up, you can use the scp UNIX utility to copy files from the AirDefense Server to your local server. AirDefense does not support FTP or telnet.
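A cron-ready retrieval script for the set-up above, written here as an added example (it is not from the guide): it refuses a private key that other local users can read, runs scp in batch mode so a stray prompt cannot hang the job, and pulls the reports and backups directories named in Appendix B. The server name, local destination and crontab path are placeholders, and the script assumes the passphrase-less key from step 2 and a known_hosts entry for ADServer left by step 7.

```shell
#!/bin/sh
# Added example, not part of the AirDefense guide: cron-driven retrieval
# over the key-based smxarchive access set up in the steps above.
# Assumed: the passphrase-less key from step 2 is $HOME/.ssh/id_dsa, the
# server name and destination below are placeholders, and ADServer's host
# key is already in known_hosts (the manual logon in step 7 records it).

ADSERVER="${ADSERVER:-adserver.example.internal}"   # placeholder hostname
ADUSER="smxarchive"                                  # Command Line User from Appendix B
KEY="${KEY:-$HOME/.ssh/id_dsa}"                      # key pair created in step 2
DEST="${DEST:-/var/backups/airdefense}"              # placeholder local directory
SCP_BIN="${SCP_BIN:-scp}"
# BatchMode: never prompt (a prompt would hang a cron job forever).
# IdentitiesOnly: offer only the retrieval key, not every key in an agent.
# StrictHostKeyChecking: refuse an unknown or changed server host key.
SCP_OPTS="-o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=30"

# The key grants full smxarchive access, so refuse to use it if any other
# local user can read it. Returns 0 only when the mode is exactly 0600.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || return 1
    # GNU stat first; fall back to the BSD/macOS form if -c is unsupported.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = "600" ]
}

# Print the exact scp command for one remote directory so the cron job's
# invocation can be reviewed (and tested) without contacting the server.
scp_cmdline() {
    printf '%s -i %s %s -rp %s@%s:%s %s\n' \
        "$SCP_BIN" "$KEY" "$SCP_OPTS" "$ADUSER" "$ADSERVER" "$1" "$2"
}

# Copy one remote directory tree into a local directory. $SCP_OPTS is
# intentionally unquoted so that it splits into separate arguments.
pull_one() {
    "$SCP_BIN" -i "$KEY" $SCP_OPTS -rp "$ADUSER@$ADSERVER:$1" "$2"
}

# Retrieve the report exports and database backups named in Appendix B.
# A non-zero exit makes cron report the failure instead of silently skipping it.
pull_archives() {
    check_key_perms "$KEY" || { echo "refusing: $KEY must be mode 600" >&2; return 1; }
    mkdir -p "$DEST" || return 1
    status=0
    for remote in /usr/local/smx/reports /usr/local/smx/backups; do
        pull_one "$remote" "$DEST" || status=1
    done
    return "$status"
}

# Transfers run only when invoked with "run", e.g. from a crontab line such as
#   15 2 * * * /usr/local/bin/pull_airdefense.sh run      (placeholder path)
if [ "${1:-}" = "run" ]; then
    pull_archives
fi
```

Because LocalUser inherits every privilege of smxarchive, the private key's file mode is what keeps other accounts on LocalServer out of the AirDefense archive, which is why the script checks it before each run.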
IMPORTANT - THIS MASTER LICENSE AGREEMENT (THIS "AGREEMENT") GOVERNS THE USE OF THE AIRDEFENSE SYSTEM. READ THIS MASTER LICENSE AGREEMENT CAREFULLY PRIOR TO USING THE AIRDEFENSE SYSTEM (OR ANY PORTION THERETO). IN ORDER TO USE THIS AIRDEFENSE SYSTEM (OR ANY PORTION THERETO), YOU MUST INDICATE YOUR ACCEPTANCE OF THIS AGREEMENT, AND THE ACCEPTANCE OF THE CORPORATE OR BUSINESS ENTITY WHICH PURCHASED THE AIRDEFENSE SYSTEM (the "Licensee"), TO THESE TERMS AND CONDITIONS BY CLICKING ON THE "Accept" BUTTON ON YOUR SCREEN. BY INDICATING YOUR AGREEMENT, YOU ALSO REPRESENT AND WARRANT THAT YOU ARE A DULY AUTHORIZED REPRESENTATIVE OF THE LICENSEE AND THAT YOU HAVE THE RIGHT AND AUTHORITY TO ENTER INTO THIS AGREEMENT ON ITS BEHALF. By using the AirDefense System, Licensee expressly agrees with AirDefense, Inc., a Georgia corporation ("AirDefense"), to be bound by all of the terms and conditions of this Agreement. If Licensee does not agree with any of the terms or conditions of this Agreement, Licensee is not authorized to use the AirDefense System (or any part thereto) for any purpose whatsoever; please immediately cease use and contact AirDefense immediately at airdefensemla@airdefense.net. Please print a copy of this Agreement for Licensee's records.
1. Definitions.
a) "Hardware" means AirDefense remote sensors or server appliances.
b) "Products" mean any Hardware, Software, or Third Party Vendor Items provided by AirDefense under this Agreement.
c) "Software" means computer programs in object code form or firmware which is owned or licensed by AirDefense, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
d) "Third Party Vendor Item" includes "Third Party Hardware" and "Third Party Software" and means any non-AirDefense hardware and/or software supplied or used by the Licensee under this Agreement.
2. General. AirDefense grants Licensee a non-exclusive, non-transferable, non-assignable license to use a copy of the Software in operating an approved configuration of the Products to the extent of the activation or authorized usage level. This Agreement also authorizes Licensee to use the related written materials and "online" or electronic documentation ("Documentation") solely in conjunction with Licensee's authorized use of the Products. AirDefense and its suppliers retain title to all copyright, trademarks, trade names and other intellectual property rights in the Software, Hardware, and Documentation. Licensee is not granted any right, title, or interest in the Software, Hardware, and Documentation, except the right to use them in accordance with this Agreement. Licensee may use the Products only to process Licensee's own data and may not rent or sell the Products or use thereof to any third party. Any other individual or company, including any of Licensee's parent, subsidiary, or affiliate entities, shall require a separate license to use the Products
(or any part thereof). Licensee may not transfer any part of the Products or any rights hereunder to any third party without the express written consent of AirDefense. Licensee further agrees that the terms contained in any AirDefense or third party "shrink wrap" or "click" licenses shall govern the use of such software.

3. Term. The License of the Products (and each part thereof) and Documentation is effective upon effectiveness of this Agreement and will continue in effect until terminated: (i) by Licensee at any time by notifying AirDefense in writing; (ii) automatically and immediately upon Licensee's breach of any material term or condition of this Agreement which is not corrected within ten (10) days following the breach; or (iii) automatically upon Licensee's failure to make any payment due to AirDefense under any agreement to do so within ten (10) days of receipt of written notice that the amount is past due. In the event of termination, Licensee must return the Products to AirDefense and destroy all copies of the Software and Documentation.

4. Copyright. The Software and Documentation are owned by AirDefense or its suppliers and are protected by United States and other applicable copyright and other laws. Therefore, Licensee may not copy (except as otherwise expressly permitted by this Agreement or by applicable copyright law) the Software or Documentation. Except as expressly permitted by this Agreement or required under applicable law, Licensee may not modify, adapt, translate, decompile, disassemble, or reverse engineer the Software in any manner; Licensee may not merge or embed the Software into any other computer program or work; Licensee may not create derivative works of the Software or the Documentation; and Licensee may not use the Software on any computer hardware except the AirDefense Hardware on which it is installed.

5. Specific Restrictions. Licensee may not remove or alter AirDefense's or its suppliers' copyright notices and other intellectual property rights notices included in the Products or Documentation.

6. Government Use. If any Software or Documentation is acquired by or on behalf of a unit or agency of the United States Government, such Software or Documentation is "commercial computer software" or "commercial computer software documentation" and, absent a written agreement to the contrary, the Government's rights with respect to such Software or Documentation are limited by the terms of this Agreement, pursuant to FAR 12.212(a) and its successor regulations and/or DFARS 227.7202-1(a) and its successor regulations, as applicable.

7. Limitation of Warranties. Licensee assumes responsibility for the selection of the Products to achieve Licensee's intended results and for the installation and use of, and the results obtained from, the Products. Neither AirDefense nor any of its suppliers warrants that the functions or features contained in the Products will meet Licensee's requirements or that the operation of the Products will be uninterrupted or error free.
EXCEPT AS PROVIDED HEREIN, THE PRODUCTS ARE BEING PROVIDED "AS IS" WITHOUT ANY WARRANTY OF ANY KIND. AIRDEFENSE AND ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT RELATED TO THE PRODUCTS PROVIDED HEREUNDER. THIS SECTION SHALL SURVIVE TERMINATION OR EXPIRATION OF THIS AGREEMENT.
8. Limitation Remedies and Damages. The remedies provided in this Agreement are the sole and exclusive remedies available to Licensee for any breach to which such remedy pertains. The aggregate liability of AirDefense to Licensee for any and all costs, liabilities, losses, and expenses (including, but not limited to, reasonable attorneys' fees) (each a "Loss" and collectively, "Losses") resulting from any claim, suit, action, or proceeding arising out of or related to this Agreement for all claims of every kind and nature that arise or accrue, regardless of the form of action that imposes liability, whether in contract, indemnity, equity, negligence, intended conduct, tort or otherwise, will be limited to and will not exceed, in the aggregate, the amount actually paid by Licensee for the Products purchased pursuant to a specific purchase order out of which the Loss arises. In any event AirDefense shall have no liability for any Loss arising (x) after the expiration of twelve (12) months from the date of the purchase order for the Products out of which the Loss arises or (y) upon termination of this Agreement or any support services agreement between AirDefense and Licensee.

IN NO EVENT SHALL AIRDEFENSE OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, CONSEQUENTIAL, OR EXEMPLARY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION ARISING OUT OF THE USE OF OR INABILITY TO USE ALL OR PART OF THE PRODUCTS OR THE PROVIDING OF OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF AIRDEFENSE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF LICENSEE'S PRODUCTS INCLUDES THE AIRTERMINATION FEATURE, AIRDEFENSE SHALL NOT BE LIABLE WITH RESPECT TO ANY FIRST- OR THIRD-PARTY CLAIMS, LOSSES AND EXPENSES WHATSOEVER RELATED THERETO AND LICENSEE SHALL INDEMNIFY AIRDEFENSE AND HOLD AIRDEFENSE HARMLESS FROM ALL SUCH CLAIMS, LOSSES AND EXPENSES RELATED THERETO. THIS SECTION SHALL SURVIVE TERMINATION OR EXPIRATION OF THIS AGREEMENT.

9. Taxes. Licensee agrees to be responsible for and to pay, or to reimburse AirDefense on written request if AirDefense is required to pay or collect, any sales, use, or other tax (excluding any tax that is based solely on AirDefense's net income), duty, or other charge of any kind or nature that is levied or imposed by any governmental authority on Licensee's purchase/license of the Products, this Agreement or Licensee's use of the Products or Documentation.

10. Export Restrictions. THIS AGREEMENT IS SUBJECT TO ALL LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS WHICH MAY BE IMPOSED FROM TIME TO TIME BY THE GOVERNMENT OF THE UNITED STATES OF AMERICA ON THE EXPORT OF THE PRODUCTS OR COMPONENTS THEREOF OR OF INFORMATION ABOUT THE AIRDEFENSE PRODUCTS. NOTWITHSTANDING ANYTHING CONTAINED IN THIS AGREEMENT TO THE CONTRARY, LICENSEE SHALL NOT EXPORT OR REEXPORT, DIRECTLY OR INDIRECTLY, THE PRODUCTS, THE SOFTWARE, OR THE DOCUMENTATION OR ANY AIRDEFENSE PRODUCT (OR COMPONENT THEREOF) OR PROPRIETARY INFORMATION PERTAINING THERETO TO ANY COUNTRY TO WHICH SUCH EXPORT OR RE-EXPORT IS RESTRICTED OR PROHIBITED, OR AS TO WHICH SUCH GOVERNMENT OR ANY AGENCY THEREOF REQUIRES AN EXPORT LICENSE OR OTHER GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT OR RE-EXPORT WITHOUT FIRST OBTAINING SUCH LICENSE OR APPROVAL. ADDITIONALLY, LICENSEE AGREES TO COMPLY WITH ALL LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS WHICH MAY BE IMPOSED BY ANY GOVERNMENTAL AUTHORITY WHICH HAS JURISDICTION OVER LICENSEE'S USE OF THE PRODUCTS, SOFTWARE OR DOCUMENTATION OR ANY AIRDEFENSE PRODUCT (OR COMPONENT THEREOF) OR PROPRIETARY INFORMATION PERTAINING THERETO.
11. Purchases from Resellers. LICENSEE UNDERSTANDS THAT IF LICENSEE PURCHASED THE PRODUCTS OR SERVICES FROM AN AUTHORIZED RESELLER OF AIRDEFENSE, THAT RESELLER IS NOT AIRDEFENSE'S AGENT AND IS NOT AUTHORIZED TO MAKE ANY REPRESENTATIONS OR WARRANTIES ON AIRDEFENSE'S BEHALF OR TO VARY ANY OF THE TERMS OR CONDITIONS OF THIS AGREEMENT. IN ADDITION, LICENSEE ACKNOWLEDGES THAT, UNLESS OTHERWISE AGREED UPON BY THAT RESELLER IN WRITING OR PROHIBITED BY LAW, THE LIMITATIONS OF WARRANTIES AND LIABILITY SET FORTH IN THIS AGREEMENT ALSO APPLY TO AND BENEFIT THAT RESELLER.
12. Indemnification.
(a) AirDefense will indemnify and hold harmless Licensee and Licensee's directors, officers, employees or agents (each an "Indemnified Party" and collectively the "Indemnified Parties"), against all third-party claims, actions and demands (each a "Claim" and collectively, "Claims") brought against any Indemnified Party including, without limitation, judgments, settlements and reasonable costs and expenses, including reasonable attorneys' fees, incurred by an Indemnified Party in connection with a Claim that the use of the Products by Licensee violates any patents, copyrights or other intellectual property rights of a third party.
(b) In the event that any such intellectual property in the opinion of AirDefense is likely to or does become the subject of a Claim, AirDefense may, at its sole option and expense, either (i) procure for the Indemnified Party the right to continue using such intellectual property, (ii) modify the intellectual property to make it non infringing, (iii) substitute intellectual property of similar capability, or (iv) terminate this Agreement and refund a pro-rata portion of the purchase price of the Products based on a three-year useful life.
(c) The obligations of AirDefense under this Section are conditioned on the Indemnified Party's giving AirDefense: (i) prompt written notice of any Claim for which indemnification is sought; (ii) complete control of the defense and settlement of such Claim if requested by AirDefense; and (iii) assistance and cooperation in such defense as AirDefense may reasonably request provided that reasonable out of pocket expenses incurred by the Indemnified Party shall be reimbursed promptly by AirDefense.
(d) Notwithstanding the foregoing, AirDefense assumes no liability for (i) infringement resulting from the use, operation or combination of the Products or any part thereof with any non-AirDefense product (that is not provided by AirDefense) if such liability would have been avoided but for such use, operation or combination; (ii) infringement involving the modification or servicing of the Products or any part thereof, by an entity other than AirDefense; (iii) failure of Licensee to implement any updates to the Software (which updates must be purchased separately under a support services agreement with AirDefense), if the infringement would have been avoided by the use of the update; and (iv) infringement arising from uses of the Products which do not comply with the uses permitted under this Agreement.
(e) Licensee shall indemnify and defend AirDefense and hold it harmless against any claims asserted by third parties that arise out of Licensee's use of the Products (or any part thereof).
(f) The indemnities in this Section 11 shall survive the termination or expiration of this Agreement.
13. Confidential Information. Licensee acknowledges that the Products (including Hardware, Software and Documentation), and Products and support services pricing, limitation of liability, indemnification and warranty terms are confidential and constitute valuable trade secrets of AirDefense. Licensee agrees to take all reasonably necessary action to protect such confidential and proprietary information, including appropriate instruction and agreement with employees and agents of Licensee. In the event of any breach of this Section each party acknowledges that the non-breaching party would suffer irreparable harm and shall therefore be entitled to seek injunctive relief. This Section shall survive termination or expiration of this Agreement.
This Agreement is the complete and exclusive statement of the agreement between Licensee and AirDefense, and this Agreement supersedes any prior proposal, agreement, or communication, oral or written, pertaining to the subject matter of this Agreement and there are no inducements to enter into this Agreement which are not set forth herein. This Agreement shall be governed by the laws of the State of Georgia and of the United States of America, excluding (i) its conflicts of law principles and (ii) the United Nations Convention on Contracts for the International Sale of Goods. All questions concerning the terms and conditions of this Agreement should be directed to AirDefense in writing addressed to airdefensemla@airdefense.net.

15. Audit Rights. Licensee grants AirDefense the right, which AirDefense will exercise at its own expense and no more than once per year, to enter Licensee's premises during business hours for the sole purpose of examining Licensee's records and other information relating to the Licensee's use of the Products. If this examination reveals that Licensee has improperly used the Products, AirDefense shall invoice Licensee for such unauthorized use based upon AirDefense's standard fees in effect at the time the examination is completed. If the underpaid fees exceed five percent (5%) of the fees actually paid, then Licensee shall also pay AirDefense's reasonable costs of conducting the examination.

16. Dispute Resolution. All disputes arising out of or relating to this Agreement shall be finally settled by arbitration conducted in Atlanta, Georgia, United States under the rules of commercial arbitration of the American Arbitration Association. The parties shall bear equally the cost of the arbitration (exclusive of legal fees and expenses of the parties, all of which each party shall bear separately). All decisions of the arbitrator(s) shall be final and binding on both parties and enforceable in any court of competent jurisdiction. Notwithstanding the foregoing, in the event of breach by a party of its obligations hereunder, the non-breaching party may seek injunctive or other equitable relief in any court of competent jurisdiction. Licensee acknowledges that infringement of intellectual property of AirDefense or unauthorized copying would cause irreparable harm to AirDefense.

17. Publicity. Licensee agrees that during the term of this Agreement AirDefense may publicly refer to Licensee, orally and in writing, as a customer of AirDefense. Any other written reference to Licensee by AirDefense requires the prior approval of Licensee.
Index
Symbols
/usr/local/smx/backups 75 /usr/local/smx/pcaptures 102, 103 /usr/local/smx/reports 72
A
About Location Tracking (Signature) 174 About Termination Controls 147 Accessing the Command Line Interface 9 Accessing the Sensor CI 31 Active Termination 94 ADDadmin 89, 92 ADDadmin main screen 9, 10 ADDadmin program areas 9 ADDadmin utilities 9 ADDadmin utility 56 Adding Switches 159 Adjust Alarm Configurations 45 Admin (GUI program area) 60, 72 Admin, Sensor Web User 30, 31, 108 Admin, Web User 60, 72 Admin, Web User Role 4, 34 ADPKG 192 AirDefense certificate 60 AirDefense License Management panel 59 AirDefense Quick Start 5 AirDefense Sensor 4 AirDefense Server 4 AirDefense system keys (also see KEYPKG) 58 AirDefense system time 6, 29 AirDefense user interfaces 7 airdefense, Sensor CI login password 122 AiroPeek 102 AirTermination 144, 145 AirTermination, RF jamming Method 94 AirTermination, Single and Multiple Device 144 AirTermination, Standard Method 94 AirWave Tab 155 Alarm Manager (GUI program area) 44 Alarm Manager window 44
Alarm notifications 49, 65 ALARMS 192 ALARMS (ADDadmin utility--also see Dbase program area) 47 Alarms, GUI program area 16 Allow list screen 89 Appliance Manager (GUI program area) 74 Appliance Manager, GUI program area 21 ARP 193 ARP (ADDadmin utility--also see Config program area) 86, 88 ARP table 86
B
Back Up Database Configuration Information 74 Backup Now 74 Backup the Database 73 BCKUPDB 192 BCKUPDB (ADDadmin utility--also see Dbase program area) 72, 73 Blue, Icon Color--Also see Icons 25 BUDBCFG 73, 192 Building a new report 182
C
CAD 90, 193 CAD (ADDadmin utility-also see Config program area) 90 Certificate Authority 60, 61 Certificate Security Alerts 61 Check the Current Sensor Version 129 Checking the Integrity of the Databases 81 Clear an alarm 44 Clearing the Database 70 CLRALL 192 CLRALL (ADDadmin utility--also see Dbase program area) 70, 71 CLRALL (ADDadmin utility-also see Dbase program area) 63 CLRCAP 191 CLRCAP (ADDadmin utility-also see Manage program area) 103 CLRLOG 191 CLRLOG (ADDadmin utility-also see Manage program area) 98 CLRU 192 CLRU (ADDadmin utility--also see Dbase program area) 70 Colors 11 Command Line Interface 4, 9 Command Line Interface, local access to 9 Command Line Interface, remote access to 10 Command Line User 4, 42 Common Settings Tab 152 Config (ADDadmin program area-also see ADDadmin utilities) 66, 193 Config (ADDadmin program area-also see ADDadmin utilities) 64, 86 Config screen 66 Config settings screen 86 Configuration (GUI program area) 59 Configuring a Switch 158 Configuring the Model 500 Series Sensor 109 Connecting Sensors, Model 400 Sensor 110 Connection Termination 138 Create, report template 182 Creating Reports 180 CURRLIC 192 CURRLIC (ADDadmin utility-also see Software program area) 57 DNAME (ADDadmin utility-also see Config program area) 66, 67 DNS 193 DNS (ADDadmin utility--also see Config program area) 86, 88 DNS name--Also see Display Preferences 29 DNS servers 66, 88 Domain Name 64, 66, 67, 89 Domain Name Server 86
E
Email (notifications) 65 Encryption Mode 108 Ethereal 102 Exporting Report Data From the Database 72
F
FALLOW 193 FDENY 93, 193 File for importing Access Points 78 File Format for Importing Stations 79 File Format for importing Switches 162 Frame Capture Filter 102 Frame Capture Mode 102, 135 Fully qualified Host Name 89
D
Dashboard Preferences tab 37 Dashboard, GUI program area 13 Data Mgmt program 72, 73, 74 Data Port 136 Dbase (ADDadmin program area-also see ADDadmin utilities) 69, 73, 76, 81, 82, 192 Dbase (ADDadmin utility--also see Dbase program area) 47 Dbase screen 81, 82 Dbase settings screen 47, 70, 73, 74, 76, 77 DELFU 191 DELFU (ADDadmin utility--also see Manage program area) 129 Deny list 89 Device Identifiers 29 Device Synchronization Configuration 152 DHCP 111 DNAME 193
G
Graphical User Interface (GUI) 4 Graphical User Interface--Also see GUI 11 Green, Icon Color--Also see Icons 26 Grey, Icon Color--Also see Icons 25 Guest, Web User Role 34 GUI, Current User Information tab 37 GUI, Dashboard Preferences tab 37 GUI, Navigation Icons 12 GUI, Preferences tab 37 GUI, Refresh and Activity Icons 17 GUI, Status Indicators 18 GUI, User Management panel 35 GUI, User Mgmt 35
H
HALLOW 193 HALLOW (ADDadmin utility--also see Config program area) 86, 89 HALT 191 HALT (ADDadmin utility-also see Manage program area) 101 Halt AirDefense 101 HDENY 193 HDENY (ADDadmin utility--also see Config program area) 86, 89 HHMM format 91 HHMMSS format 91 HNAME 193 HNAME (ADDadmin utility-also see Config program area) 66, 67 Host Name 64, 66, 67, 68 How Location Tracking (Signature) Works 175 Live View 27 local system time 6 Location Tracking 138, 169 Location Tracking Right-Click Options 174 Lock On Channel 134 Lost Sensor IP address 31
M
MAC address 29 Mail Relay Host 64 Mail Relay host screen 68 Manage (ADDadmin program area-also see ADDadmin utilities) 98, 99, 100, 101, 102, 103 Manage (ADDadmin program area-also see ADDadmin utilities) 98 Manage screen 41 Manager, Web User Role 34 Managing Policy-based Terminations 47 Managing the Database 69 Manual backup of data 74 Maximum alarm count 47 midnight 72 Minimum Bandwidth Mode 137 Minute 6 MMDDYYYY format 91 Model 400 Sensor 106 Model 510 Sensor 106 Model 510 Sensor LED Functionality 118 Model 520 Sensor 106 Model 520 Sensor LED Functionality 120 Monitor, Sensor Web User 30, 31, 108 MRELAY 193 MRELAY (ADDadmin utility-also see Config program area) 66, 68
I
Icons 11, 25 IEEE MAC address--Also see Display Preferences 29 Importing Switches 161 Installing a License 57 INTCK 192 IP 193 IP (ADDadmin utility--also see Config program area) 87 IP (ADDadmin utility--also see Config program area) 86 IP address 29, 68, 89, 92
K
Keyboard and monitor 9 KEYPKG 192 KEYPKG (ADDadmin utility-also see Software program area) 58
N
Name--Also see Display Preferences 29 NETPORT 86, 87, 193 Network Operator, Web User Role 34, 41 Notification (GUI program area) 65 Notification, GUI program area 20, 21 NTP 193 NTP (ADDadmin utility--also see Config program area) 86, 92
L
LEAP, username--Also see Display Preferences 29 Left antenna 134 LICENSE 192 LICENSE (ADDadmin utility-also see Software program area) 57 Link Speed Control 136
O
Obtain the Sensor Upgrade File 129 OUI 192 OUI (ADDadmin utility--also see Dbase program area) 81, 82
P
PASSWD 42, 191 pcapture files 102 pcaptures directory 102, 103 PING 193 PING (ADDadmin utility--also see Config program area) 86, 90 Policy Enforcement 138 Policy, GUI program area 20 Policy-based Termination 145 Policy-based Termination System Enabled 94 Port 443 136 Port 80 136 Port Lookup 164 Port Lookup and Port Suppression Requirements 158 Port Suppression 165 Port Suppression System Enabled 95 ports, Sensor connections 108 Precedence, of HALLOW over HDENY 89
Recover Database Configuration Information 76 Recovering the Database 76 Red, Icon Color--Also see Icons 26 Report Data Export 72 Reports, building 182 Reports, creating 180 Reports, scheduling 181 Reports, templates 182 RESCUE 192 RESTART 191 RESTART (ADDadmin utility-also see Manage program area) 63, 99 Retrievable Data 195 Right antenna 134 Rogue Detection 138 Root-signed certificate 60, 61
S
Save, Command Icon 17 SAVECAP 102, 191 SAVECAP (ADDadmin utility-also see Manage program area) 102 Scale Tool Functions 171 Scan Channels 134 Scanning Mode 134 Scheduling reports 181 Self-signed certificate 60 Sendmail failures 98 Sensor CI--Also see Sensor Console Interface 31, 122 Sensor Console Interface (Sensor CI) 4 Sensor Console Interface--Also see Sensor CI 31, 122 Sensor Console User 4 Sensor Coverage Survey Process 140 Sensor Deployment Considerations 137 Sensor IP address 122 Sensor Manager, GUI program area 19 Sensor Netmask 111 Sensor Network settings, Model 500 Sensor 112 Sensor Quantity, Location, and Installation 138 Sensor Reboot 136 Sensor Syslog window 116 Sensor UI 108
Q
Quick Scan Mode 134
R
Radio 1 134 Radio 2 134 Radio Settings 134 RCDBCFG 192 RCVRDB 192 RCVRDB (ADDadmin utility--also see Dbase program area) 76 RCVRDB (ADDadmin utility-also see Dbase program area) 63 REBOOT 191 REBOOT (ADDadmin utility-also see Manage program area) 63, 100 Rebooting AirDefense 100
AirDefense Operations Guide Sensor UI for the Model 500 Series 112 Sensor UI Web User login password 110 Sensor UI--Also see Sensor User Interface 30 Sensor Upgrades window 129 Sensor User Interface (Sensor UI) 4 Sensor User Interface--Also see Sensor UI 30 Sensor, GUI program area 128 Sensors 4 SERVMOD 192 SERVMOD (ADDadmin utility-also see Software program area) 56 Setting the Domain Name 67 Setting the Host Name 67 Setting Up for Retrieval 196 Shutdown routine 101 smxarchive, Command Line User 9, 195 smxarchive, Command Line User password 42 smxmgr, Command Line User 9, 195 smxmgr, Command Line User password 4, 10, 42 SNMP (notifications) 65 Soft reboot 100 Software (ADDadmin program area-also see ADDadmin utilities) 55, 57 Software (GUI program) 59 Software screen 56, 57, 58 SSH 56 SSH Protocol 2 9 stateful color-coded icons 22 Station Authorization 151 STATUS 191 STATUS (ADDadmin utility-also see Manage program area) 98, 103 Subnet 89 Subnet, class A, B, and C 89 support, Sensor CI login name 122 Switch Configuration Access 159 SYSLOG 191 SYSLOG (ADDadmin utility-also see Manage program area) 98 Syslog (notifications) 65 syslogdata.txt 98 System log entries 98 System reboot 10 System Setup Wizard 185
T
tcpdump 102 The 158 TIME 193 TIME (ADDadmin utility--also see Config program area) 86, 91 Time Stamp 6, 29 TLS encryption 60 To set the Mail Relay Host 68 Tomcat certificate 60 Tracking Options window 178 Trapeze Integration 158 Trusted certifying authority 62 TZ 193 TZ (ADDadmin utility--also see Config program area) 86, 91
U
UIPORT 92, 193 UIPORT (ADDadmin utility--also see Config program area) 86 Updating Vendor MAC Address Information 82 Upgrading Sensor Firmware 129 Upgrading Sensor Firmware Using the Sensor UI 132 Using the Sensor CI 122 Using the Sensor CI for Model 400 Sensor 122 Using the Sensor Manager (GUI) 128 Using the Sensor Upgrades window 130 usr/local/smx/pcaptures 103
V
View Certificate 62 VLAN 151
W
Web Reporting Interface 180 Web User 60, 72 Web User, changing the password of 148 WEBU 41, 191 WEBU (ADDadmin utility-also see Manage program area) 41 Wizard, System Setup 185
Z
Zero-Configuration Option 123
AirDefense, Inc., 4800 North Point Parkway, Alpharetta, Georgia 30022. 770-663-8115. www.airdefense.net, info@airdefense.net