

AirDefense Enterprise 7.3.4


User Guide

2009 Motorola, Inc. All rights reserved. MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.

Contents
Chapter 1. Introduction
1.1 Chapter Contents  1-1
1.2 Overview of an AirDefense Deployment  1-2
  1.2.1 Components  1-2
  1.2.2 Sensors  1-2
  1.2.3 Server Appliance  1-3
  1.2.4 Network Connections  1-3
1.3 Deployment Lifecycle  1-4
  1.3.1 Overview  1-4
  1.3.2 Organization of this manual  1-4
  1.3.3 Initial appliance configuration  1-4
  1.3.4 Configuring data collection  1-5
  1.3.5 Lean Back Monitoring  1-6
1.4 AirDefense Server Connection Options  1-6
  1.4.1 Overview  1-6
  1.4.2 Keyboard and Terminal  1-6
  1.4.3 Static IP Address  1-7
  1.4.4 Serial Port  1-7
  1.4.5 SSH  1-7
  1.4.6 About the User Interfaces  1-8
  1.4.7 Overview  1-8
1.5 Your Role as a User  1-9
  1.5.1 How your user account was created  1-9
  1.5.2 User types  1-9
  1.5.3 Additional Limitations  1-9
  1.5.4 Effect of Domain-Based Partitioning  1-9
  1.5.5 Managing Your User Preferences  1-9
1.6 Basic Navigation  1-10
  1.6.1 Overview  1-10
  1.6.2 Tree Structure  1-11
  1.6.3 Tree Structure Options  1-11
  1.6.4 Tree Contents Options  1-11
  1.6.5 Device Search  1-11
  1.6.6 Tree Filter Options  1-11
  1.6.7 Tool Bar  1-11
  1.6.8 Dashboard Drill Down  1-12
1.7 AirDefense and Time  1-13
  1.7.1 Overview  1-13
  1.7.2 Alarm Time Reporting  1-13

TOC-2 AirDefense Enterprise User Guide

  1.7.3 Exception  1-13
  1.7.4 Automatic date translation  1-13

Chapter 2. Basic Server Settings


2.1 Overview  2-1
  2.1.1 About Basic Server Settings  2-1
  2.1.2 Audience: Admin Users  2-1
  2.1.3 The System Settings Tab  2-1
  2.1.4 Chapter Contents  2-1
2.2 System Name and Port  2-2
  2.2.1 Overview  2-2
  2.2.2 Changing Defaults for Security Purposes  2-2
  2.2.3 New Port Number  2-2
  2.2.4 Navigation  2-2
2.3 Enabling Device Termination and Port Suppression  2-3
  2.3.1 Overview  2-3
  2.3.2 Definition: Air Termination  2-3
  2.3.3 Definition: Port Suppression  2-3
  2.3.4 Enabling these Features During Setup  2-3
  2.3.5 Enabling device termination on sensors  2-3
2.4 Enabling Domain-Based Partitioning  2-4
  2.4.1 Overview  2-4
  2.4.2 Enabling this Feature During Setup  2-4
2.5 Creating and Using a Login Banner  2-4
  2.5.1 Overview  2-4
  2.5.2 Security Policy Compliance  2-4
  2.5.3 Enabling this Feature  2-4
  2.5.4 Configuring the Login Banner  2-4
2.6 Controlling Auto Logout  2-5
  2.6.1 Overview  2-5
  2.6.2 Enabling Auto Logout  2-5
2.7 Backing Up Data / Server Synchronization  2-5
  2.7.1 Overview  2-5
  2.7.2 Manual Backup  2-5
  2.7.3 Scheduled Backup  2-5
  2.7.4 Manual Synchronization  2-5
  2.7.5 Automatic Synchronization  2-6

Chapter 3. Users and User Preferences


3.1 Chapter Contents  3-1
3.2 User Account Fundamentals  3-1
  3.2.1 Overview of User Accounts  3-1
  3.2.2 Overview of User Roles  3-1
  3.2.3 Limited Functionality for Some Roles  3-2
  3.2.4 The Five User Roles  3-2
  3.2.5 Overview of User Preferences  3-2
  3.2.6 Viewing User Information  3-2


3.3 Creating and Changing User Accounts  3-3
  3.3.1 Overview  3-3
  3.3.2 Navigation  3-3
  3.3.3 Basic User Account Information  3-3
  3.3.4 Changing Passwords  3-3
  3.3.5 Strong Passwords  3-3
3.4 Limiting Users' Network Scope with Domain-Based Partitioning  3-4
  3.4.1 When to use Domain-Based Partitioning  3-4
  3.4.2 Who Can Assign Domains?  3-4
  3.4.3 Domain Strategy  3-4
  3.4.4 Example graphic  3-5
  3.4.5 Setup process  3-5
  3.4.6 Defining Domains  3-5
  3.4.7 Assigning domains to users  3-6
3.5 Authentication  3-7
  3.5.1 User authentication options  3-7
  3.5.2 Which option should you use?  3-7
  3.5.3 Process  3-7
  3.5.4 Navigation  3-7
  3.5.5 What you need to know  3-7
3.6 User Preferences  3-9
  3.6.1 Display Preferences Tab  3-9
  3.6.2 Current User Information Tab  3-9
  3.6.3 Other Preferences Tab  3-9

Chapter 4. Certificates
4.1 Chapter Contents  4-1
4.2 About Certificates  4-1
  4.2.1 Overview  4-1
  4.2.2 AirDefense Default Certificate  4-2
  4.2.3 Tomcat certificates  4-2
  4.2.4 Root-signed certificates  4-2
  4.2.5 SSL Certificate  4-2
4.3 Security Alerts  4-3
  4.3.1 Overview  4-3

Chapter 5. Planning Your Sensor Deployment


5.1 Chapter Contents  5-1
5.2 Deployment Considerations  5-2
  5.2.1 Building Structure  5-2
  5.2.2 Physical and Electromagnetic Interference  5-2
  5.2.3 802.11a, b, g, n Device Density  5-2
  5.2.4 AP Placement  5-2
  5.2.5 Device Location Information  5-2
  5.2.6 Desired Monitoring and Intrusion Protection Functionality  5-2
  5.2.7 Assets to be Protected  5-3
  5.2.8 Sensor Quantity, Location, and Installation  5-3
  5.2.9 Power and Data cabling  5-4


5.3 Sensor Placement  5-5
  5.3.1 Using AirDefense Architect to plan sensor placement  5-5
    5.3.1.1 Overview  5-5
    5.3.1.2 Features  5-5
  5.3.2 Using AirDefense Mobile to plan sensor placement  5-5
    5.3.2.1 Overview  5-5
    5.3.2.2 Prerequisites  5-5
    5.3.2.3 Procedure  5-6
5.4 Sensor Placement with WEP Cloaking  5-7
  5.4.1 Overview  5-7
  5.4.2 Considerations  5-7
  5.4.3 For Adequate Protection  5-7
5.5 Sensor Placement With Location Tracking  5-8
  5.5.1 Overview  5-8
  5.5.2 Considerations  5-8
  5.5.3 IDS versus Location Tracking  5-8
  5.5.4 Example 1  5-9
  5.5.5 Example 2  5-9

Chapter 6. Building Your Network Structure (Tree)


6.1 Chapter Contents  6-1
6.2 Planning Your Network Structure (Tree)  6-1
  6.2.1 Overview  6-1
  6.2.2 Triangulation considerations  6-1
  6.2.3 Domain Considerations  6-2
  6.2.4 Example  6-2
  6.2.5 Policy Considerations  6-2
  6.2.6 UI Scope Considerations  6-2
  6.2.7 Combining Considerations  6-2
6.3 Building Your Tree  6-3
  6.3.1 Process  6-3
  6.3.2 Create Locations and Groups  6-3
  6.3.3 Moving Locations/Groups/Sensors  6-3
  6.3.4 Placing Sensors in Groups  6-4
  6.3.5 Saving your changes  6-4

Chapter 7. Managing Sensors


7.1 Chapter Contents  7-1
7.2 Sensor Basics  7-2
  7.2.1 Firmware Prerequisite  7-2
  7.2.2 Sensor Interfaces  7-2
  7.2.3 Sensor Network Connections  7-2
  7.2.4 Enabling Device Termination on Sensors  7-2
7.3 Sensor Overview  7-3
  7.3.1 Introduction  7-3
  7.3.2 Access Points as Dedicated Sensors  7-4
    7.3.2.1 Motorola AP300 Access Port as a Sensor  7-4


    7.3.2.2 Trapeze Mobility Point MP-372 as a Sensor  7-4
    7.3.2.3 Enterasys AP1602 Access Point as a Sensor  7-4
    7.3.2.4 Nortel 2330 and 2330A Access Point as a Sensor  7-4
  7.3.3 Access Points as Dedicated Sensors or Dual AP and Sensor Functionality  7-5
    7.3.3.1 Motorola Model 51xx  7-5
    7.3.3.2 Motorola Model 71xx  7-5
7.4 Using the Sensor UI  7-5
  7.4.1 Overview  7-5
  7.4.2 Mandatory tasks from the Sensor UI  7-5
  7.4.3 Access the Sensor UI  7-6
  7.4.4 Sensor UI Tabs  7-6
  7.4.5 Display Area  7-6
7.5 Viewing Sensor Status  7-7
  7.5.1 Overview  7-7
  7.5.2 Wired Configuration Elements  7-7
  7.5.3 Wireless Configuration Elements  7-8
  7.5.4 The Sensor Syslog Window  7-8
7.6 Configuring Sensors Using Sensor UI  7-9
  7.6.1 Overview  7-9
  7.6.2 Model 500 Series Prerequisites  7-9
  7.6.3 Connecting to AirDefense Sensors  7-9
    7.6.3.1 500 Series Sensors  7-9
    7.6.3.2 400 Sensors  7-10
  7.6.4 Accessing the Sensor Interface  7-10
    7.6.4.1 Configure Sensor Tab  7-11
    7.6.4.2 Confirming Connectivity to the Server  7-13
    7.6.4.3 Advanced Settings Tab  7-13
7.7 Using the Sensor Network Settings  7-16
  7.7.1 Overview  7-16
  7.7.2 Network Configuration Tab  7-16
    7.7.2.1 Identification  7-17
    7.7.2.2 Servers  7-17
    7.7.2.3 IPv4  7-17
    7.7.2.4 IPv6  7-18
    7.7.2.5 DNS  7-18
  7.7.3 Advanced Configuration Tab  7-19
    7.7.3.1 Global Settings  7-20
    7.7.3.2 Syslog
. . . . . . . . . . . . . . 7-20 7.7.3.3 Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21 7.7.3.4 Radio Antenna Gain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21 7.8 Using the Monitoring Policy Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22 7.8.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22 7.8.2 Identification Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23 7.8.3 Profile Configuration Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24 7.8.3.1 Operational Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25 7.8.3.2 Monitor Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26 7.8.4 Override Profile Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

TOC-6 AirDefense Enterprise User Guide

7.9 Troubleshooting Model 500 Series Sensors ... 7-28
  7.9.1 Overview ... 7-28
  7.9.2 Model 510 Sensor LED Functionality ... 7-28
  7.9.3 Model 520 Sensor LED Functionality ... 7-29
7.10 Zero-Configuration Options ... 7-30
  7.10.1 Using Domain Name Resolution (DNS) ... 7-30
  7.10.2 Using Vendor Options from the DHCP Server ... 7-30
  7.10.3 For Microsoft Windows 2000, 2003 DHCP Servers ... 7-31
  7.10.4 For Linux ... 7-31
7.11 Scanning Mode ... 7-32
  7.11.1 Overview ... 7-32
  7.11.2 Quick Scan Mode ... 7-32
  7.11.3 Scan Channels ... 7-32
  7.11.4 Lock On Channel ... 7-32
  7.11.5 Quick Scan and Scan Channels ... 7-32
  7.11.6 Extended Channel Scan ... 7-32
  7.11.7 Recommendations ... 7-33
7.12 Rebooting a Sensor ... 7-33

Chapter 8. Authorizing (Classifying) Devices


8.1 Chapter Topics ... 8-1
8.2 Implications of Classification ... 8-2
  8.2.1 Data Management Implications ... 8-2
  8.2.2 Security Implications ... 8-2
  8.2.3 Device Classification ... 8-2
    8.2.3.1 Overview ... 8-2
    8.2.3.2 Authorized Devices ... 8-2
    8.2.3.3 Unauthorized Devices ... 8-2
    8.2.3.4 Ignored Devices ... 8-2
    8.2.3.5 About Neighboring Devices ... 8-2
    8.2.3.6 Deciding a device's classification state ... 8-2
8.3 Manually Authorizing Individual Devices ... 8-3
  8.3.1 Manual authorization of individual devices ... 8-3
8.4 Importing Multiple Devices ... 8-4
  8.4.1 Overview ... 8-4
  8.4.2 Navigation ... 8-4
  8.4.3 Imported Access Points List ... 8-5
  8.4.4 File Format for Importing APs ... 8-5
    8.4.4.1 Overview ... 8-5
    8.4.4.2 Guidelines ... 8-5
    8.4.4.3 Examples ... 8-6
  8.4.5 File Format for Importing Stations ... 8-6
    8.4.5.1 Overview ... 8-6
    8.4.5.2 Guidelines ... 8-6
    8.4.5.3 Example ... 8-7
8.5 Auto-Classifying Multiple Devices ... 8-8
  8.5.1 Overview ... 8-8
  8.5.2 Navigation ... 8-8
  8.5.3 On-Demand vs Scheduled Classification ... 8-8
    8.5.3.1 Overview ... 8-8
    8.5.3.2 Manual/On-Demand ... 8-8
    8.5.3.3 Scheduled ... 8-8
  8.5.4 Action Rules and Rule Sets ... 8-9
    8.5.4.1 Overview ... 8-9
    8.5.4.2 Action Rules ... 8-9
    8.5.4.3 Rule Sets ... 8-9
    8.5.4.4 Sequence of rules in Rule Sets ... 8-9
8.6 Device Synchronization Configuration ... 8-10
  8.6.1 Overview ... 8-10
  8.6.2 Common Settings ... 8-10
  8.6.3 WLSE Tab ... 8-11
    8.6.3.1 WLSE Synchronization Configuration ... 8-12
  8.6.4 AirWave Integration ... 8-12
    8.6.4.1 Overview ... 8-12
    8.6.4.2 Navigation ... 8-12
    8.6.4.3 AirWave Tab ... 8-13
  8.6.5 LiveRF Tab ... 8-15
    8.6.5.1 Importing APs ... 8-15
    8.6.5.2 Importing Radios ... 8-16

Chapter 9. Managing Switches


9.1 Introduction ... 9-1
  9.1.1 Chapter Contents ... 9-1
  9.1.2 Switch Definition ... 9-1
  9.1.3 How Does AirDefense Enterprise Use Switches? ... 9-1
  9.1.4 Requirements for Port Lookup and Port Suppression ... 9-2
9.2 Switch Controller Integration ... 9-3
  9.2.1 Overview ... 9-3
  9.2.2 Switch Controller Support ... 9-3
9.3 Adding Switches or WLAN Controllers ... 9-4
  9.3.1 Navigation ... 9-4
  9.3.2 Required Switch Information ... 9-4
  9.3.3 Switch Identification ... 9-5
  9.3.4 Switch Settings ... 9-5
  9.3.5 Color Coding for Switch Icons ... 9-7
9.4 Importing Switches or WLAN Controllers ... 9-8
  9.4.1 Overview ... 9-8
  9.4.2 WLAN Controller Import ... 9-8
  9.4.3 Navigation ... 9-8
  9.4.4 Imported Switches List ... 9-9
  9.4.5 File Format for Importing Switches ... 9-9
    9.4.5.1 Syntax Description ... 9-9
    9.4.5.2 Syntax Example ... 9-10
9.5 Ending Unauthorized Device Communications ... 9-11
  9.5.1 Overview ... 9-11
  9.5.2 About Port Lookup ... 9-11
  9.5.3 About Port Suppression ... 9-11
  9.5.4 Port Suppression Prerequisites ... 9-11

Chapter 10. Initial Policy Setup


10.1 Default Policies ... 10-1
10.2 Chapter Contents ... 10-1
10.3 About Policies ... 10-2
  10.3.1 Overview ... 10-2
  10.3.2 Scope of this Chapter ... 10-2
  10.3.3 Using the Tree to Control Scope ... 10-2
  10.3.4 Four Policy Types ... 10-2
  10.3.5 Navigating to the Policy Manager ... 10-2
  10.3.6 Applying Policies Individually or in Groups ... 10-3
10.4 Configuration Policy ... 10-3
  10.4.1 Overview ... 10-3
  10.4.2 Strategy-Based Policies ... 10-3
  10.4.3 Specifying Channels Stations Can Use ... 10-3
  10.4.4 Data Rates ... 10-3
  10.4.5 Controlling VLANs ... 10-3
10.5 Performance Policy ... 10-4
  10.5.1 Overview ... 10-4
  10.5.2 When is Performance Important? ... 10-4
  10.5.3 Determining Optimal Settings ... 10-4
10.6 Vendor Policy ... 10-5
  10.6.1 Overview ... 10-5
  10.6.2 Level of Control ... 10-5
  10.6.3 The OUI Database ... 10-5

Chapter 11. Setting up Alarms


11.1 Chapter Contents ... 11-1
11.2 The AirDefense Alarm Model ... 11-2
  11.2.1 Suppressed Alarm Repetition ... 11-2
  11.2.2 How an Alarm is Generated ... 11-2
  11.2.3 Duration ... 11-2
  11.2.4 Example ... 11-3
  11.2.5 Alarm Categories ... 11-3
  11.2.6 Complete Instructions/Help ... 11-4
  11.2.7 Detailed Alarm Descriptions ... 11-4
11.3 Alarm Configuration ... 11-4
  11.3.1 Effective Alarm Configuration ... 11-4
  11.3.2 Navigation ... 11-4
11.4 Customizing Alarms ... 11-5
  11.4.1 Orientation ... 11-5
  11.4.2 Alarm Criticality ... 11-5
  11.4.3 Detailed Alarm Descriptions ... 11-6
Chapter 12. Notifications


12.1 Overview ... 12-1
  12.1.1 Two Primary Purposes ... 12-1
  12.1.2 Prerequisites ... 12-1
  12.1.3 Chapter Contents ... 12-2
  12.1.4 Detailed Help ... 12-2
  12.1.5 Navigation ... 12-2
12.2 Configuring Notifications ... 12-3
  12.2.1 Notification Fundamentals ... 12-3
  12.2.2 Additional/Advanced Customization ... 12-3
  12.2.3 Notification Filters ... 12-3
  12.2.4 Distinct Alarms ... 12-4
12.3 Setting Hostname, Domain Name, and Mail Relay Host ... 12-4
  12.3.1 Set the Mail Relay Host in GUI ... 12-4

Chapter 13. Assessing Threats


13.1 Introduction ... 13-1
13.2 Considerations ... 13-1
13.3 Assessing the Threat ... 13-1
  13.3.1 Reviewing Alarms ... 13-2
  13.3.2 Acknowledging and Clearing Alarms ... 13-2
  13.3.3 Clearing Alarms from the Database ... 13-2
  13.3.4 Enabling or Disabling Alarms ... 13-2
13.4 Live View ... 13-3
  13.4.1 Overview ... 13-3
  13.4.2 Data ... 13-3
  13.4.3 Connections ... 13-4
  13.4.4 Devices ... 13-4
  13.4.5 Frames ... 13-5
13.5 Frame Capture ... 13-6
  13.5.1 Overview ... 13-6
13.6 Forensic Analysis ... 13-7
  13.6.1 Overview ... 13-7
  13.6.2 Accessing Forensic Analysis ... 13-7
  13.6.3 Forensic Time Window ... 13-7
  13.6.4 Forensic Data ... 13-7

Chapter 14. Mitigation Strategies


14.1 Chapter Contents ... 14-1
14.2 Using Alarm Descriptions ... 14-2
  14.2.1 Overview ... 14-2
  14.2.2 Detailed Alarm Description Tabs ... 14-3
  14.2.3 Escalation ... 14-3
14.3 Rogue Mitigation ... 14-4
  14.3.1 Definition of a Rogue Device ... 14-4
  14.3.2 Rogue-on-my-network ... 14-4
  14.3.3 Mitigation Process ... 14-4


  14.3.4 Ignoring Devices in Congested Environments ... 14-4
14.4 Terminating Devices ... 14-5
  14.4.1 Termination Controls ... 14-5
  14.4.2 Air Termination ... 14-5
    14.4.2.1 Overview ... 14-5
    14.4.2.2 Using Air Termination ... 14-5
  14.4.3 Policy-based Termination ... 14-6
    14.4.3.1 Overview ... 14-6
    14.4.3.2 Prerequisites for Using Policy-based Termination ... 14-6
    14.4.3.3 Navigation ... 14-6
    14.4.3.4 Configuring Policy-based Termination ... 14-6
14.5 Location Tracking (Triangulation) ... 14-7
  14.5.1 Overview ... 14-7
  14.5.2 Implementing Location Tracking in AirDefense ... 14-7
  14.5.3 Accessing Location Tracking (Triangulation) ... 14-7
  14.5.4 Importing Maps ... 14-7
  14.5.5 Location View Functions ... 14-8
  14.5.6 Scale Tool Functions ... 14-8
  14.5.7 Setting Images ... 14-9
    14.5.7.1 Floor Plan Prerequisite ... 14-9
    14.5.7.2 Advanced Settings ... 14-9
  14.5.8 Device Tracking Information ... 14-10
  14.5.9 Location Tracking Right-Click Options ... 14-11
14.6 Action Manager ... 14-12
  14.6.1 Overview ... 14-12
  14.6.2 Add/Edit Action Rule ... 14-13
    14.6.2.1 Settings Tab ... 14-13
    14.6.2.2 Actions Tab ... 14-13
    14.6.2.3 Filter Tab ... 14-14
    14.6.2.4 Advanced Tab ... 14-14
14.7 Action Control ... 14-15
  14.7.1 Overview ... 14-15
  14.7.2 Action Control Table ... 14-15
  14.7.3 Action Control Commands ... 14-16

Chapter 15. Monitoring Scheduled Events


15.1 Overview ... 15-1
15.2 Altering Event Schedules ... 15-2

Chapter 16. Reporting


16.1 Chapter Contents ... 16-1
16.2 Using Web Reporting ... 16-2
  16.2.1 Accessing Web Reporting ... 16-2
  16.2.2 Web Reporting Navigation ... 16-2
  16.2.3 Creating a Report ... 16-2
  16.2.4 Adding Favorites ... 16-3
  16.2.5 Scheduling a Report ... 16-3


16.3 Using the Report Builder ... 16-4
  16.3.1 Creating a Report ... 16-4
  16.3.2 Extensive Data ... 16-4
  16.3.3 Navigation ... 16-5
  16.3.4 Creating and Saving a Report ... 16-5
  16.3.5 Building Your Report ... 16-5
  16.3.6 Available Data Fields, Tables, and Charts ... 16-7
  16.3.7 Configuring Data Fields, Tables, and Charts ... 16-8
  16.3.8 Types of Filter Windows ... 16-8
  16.3.9 Deleting a Report ... 16-9
  16.3.10 Importing a Report ... 16-10
  16.3.11 Exporting a Report ... 16-11

Chapter 17. Maintenance


17.1 Chapter Contents ... 17-1
17.2 System Status and Logs ... 17-2
  17.2.1 Utilities for Logs ... 17-2
17.3 Restarting AirDefense ... 17-2
  17.3.1 Procedure ... 17-2
17.4 Rebooting AirDefense ... 17-2
  17.4.1 Procedure ... 17-2
17.5 Halting AirDefense ... 17-2
17.6 License Management ... 17-3
  17.6.1 Overview ... 17-3
  17.6.2 Navigation ... 17-3
  17.6.3 View Current License Information ... 17-3
  17.6.4 Install Licenses ... 17-5
  17.6.5 Get Server Keys ... 17-5
  17.6.6 License Assignments ... 17-5
17.7 Database Management ... 17-5
  17.7.1 Overview ... 17-5
  17.7.2 WIPSadmin ... 17-5
  17.7.3 GUI ... 17-6
    17.7.3.1 Clearing the Database ... 17-6
    17.7.3.2 Backing Up the System ... 17-6
    17.7.3.3 Recovering the Database ... 17-7
  17.7.4 Restoring Intellicenter (Forensic) Files ... 17-7
  17.7.5 Checking the Integrity of the Databases ... 17-9
  17.7.6 Updating Vendor MAC Address Information ... 17-10
17.8 Upgrading Sensor Firmware ... 17-12
  17.8.1 Check the Current Sensor Version ... 17-12
  17.8.2 Obtain the Upgrade File ... 17-12
  17.8.3 Upload Sensor Firmware to Your Server ... 17-12
  17.8.4 Upgrading Firmware Using the AirDefense GUI ... 17-13
    17.8.4.1 On-demand Upgrade from the Sensor Network Settings Window ... 17-13
    17.8.4.2 Scheduling an Upgrade from the Sensor Network Settings Window ... 17-13
  17.8.5 Upgrading Using the Sensor UI ... 17-14


Appendix A. System Setup Wizard


A.1 Overview ... A-1
  A.1.1 System Setup Wizard Navigation ... A-1
  A.1.2 Appendix Organization ... A-1
A.2 System Setup Wizard Pages ... A-2
  A.2.1 Setup System Settings ... A-2
  A.2.2 Define Network Structure ... A-2
  A.2.3 Create User Accounts ... A-3
  A.2.4 Define Policies ... A-3
  A.2.5 Configure Alarms ... A-3
  A.2.6 Schedule Auto Classification ... A-4
  A.2.7 Configure Actions ... A-5
  A.2.8 Import Devices ... A-5

Appendix B. WIPSadmin
B.1 Overview ... B-1
  B.1.1 Contents ... B-1
B.2 Using WIPSadmin to Configure AirDefense ... B-1
  B.2.1 Procedure ... B-2
    B.2.1.1 IP ... B-2
    B.2.1.2 IPv6 ... B-3
    B.2.1.3 NETPORT ... B-3
    B.2.1.4 DNS ... B-3
    B.2.1.5 BONDING ... B-4
    B.2.1.6 HNAME ... B-4
    B.2.1.7 DNAME ... B-4
    B.2.1.8 TIME ... B-5
    B.2.1.9 TZ ... B-5
    B.2.1.10 NTP ... B-6
    B.2.1.11 UIPORT ... B-6
    B.2.1.12 DTAGAUTH ... B-6
B.3 Manage ... B-7
B.4 Dbase ... B-7
B.5 Software ... B-8
B.6 Config ... B-8

Appendix C. Automated Data Retrieval


C.1 Overview ... C-1
  C.1.1 SMXARCHIVE Command Line User ... C-1
C.2 Retrievable Data ... C-1
  C.2.1 Setting Up for Retrieval ... C-1
  C.2.2 Procedure ... C-2


Appendix D. Synchronizing Primary and Secondary Servers


D.1 Overview ... D-1
  D.1.1 Contents ... D-1
D.2 Set Up Scheduled Database Backups on the Primary Server ... D-1
D.3 Set Up Automatic Synchronization ... D-3
D.4 Set Up Automatic Forensics Backup ... D-4

Appendix E. Add-on Products


E.1 Overview ... E-1
E.2 Advanced Forensic Analysis ... E-1
  E.2.1 Scope Based Forensic Analysis ... E-2
  E.2.2 Device Based Forensic Analysis ... E-3
E.3 Central Management Console (CMC) ... E-4
  E.3.1 Tools ... E-5
  E.3.2 Configuration Views ... E-6
    E.3.2.1 Servers View ... E-6
    E.3.2.2 Alarm Configuration View ... E-6
    E.3.2.3 User Accounts View ... E-7
    E.3.2.4 Configure Devices View ... E-7
E.4 LiveRF ... E-8
  E.4.1 Features ... E-8
  E.4.2 AP Information ... E-9
  E.4.3 Configuration ... E-9
E.5 Spectrum Analysis ... E-10
E.6 Troubleshooting ... E-11
  E.6.1 AP Test ... E-11
    E.6.1.1 Manual AP Test ... E-11
    E.6.1.2 Automated (Scheduled) AP Test ... E-12
  E.6.2 Troubleshooting Stations ... E-13
E.7 Vulnerability Assessment ... E-14
  E.7.1 Manual Vulnerability Assessment ... E-14
  E.7.2 Automated (Scheduled) Vulnerability Assessment ... E-16
E.8 WEP Cloaking ... E-17
  E.8.1 How Does WEP Cloaking Work? ... E-17
  E.8.2 What if there Is a Problem? ... E-18
    E.8.2.1 Are there any Recommendations? ... E-18
  E.8.3 How Do I Configure WEP Cloaking? ... E-19

Appendix F. Customer Support


F.1 Motorola's Enterprise Mobility Support Center ... F-1
F.2 Customer Support Web Site ... F-1


About This Guide


Preface
This guide is designed to help you use AirDefense Enterprise to protect your network from wireless threats and attacks, and to maximize wireless network performance and enforce policy compliance. This guide is intended for information security administrators and people who are responsible for reporting on and analyzing wireless LAN data.

Scope of Documentation
This guide covers:
• Server configuration
• Operational configuration
• Ongoing operation
• Maintenance
• Integration with other products.
It does not cover initial hardware installation or the basic device configuration you need to perform to get the appliance up and running. This guide also does not cover upgrading to server version 7.3 from previous server versions. Complete instructions for those procedures are included in the publication Upgrade Instructions, AirDefense Enterprise version 7.3.x.

What's in the User Guide vs. Online Help


The User Guide provides in-depth guidance and conceptual information about AirDefense Enterprise functionality, including why you might take certain actions, when you might take them, and what corollary actions or downstream consequences they may have. The AirDefense Enterprise Online Help system provides information about using the UI to configure the system and evaluate data. The Online Help tells you what you see on the UI and how to use it. See the Online Help for quick information about how to do things.


Document Conventions
The following conventions are used in this document to draw your attention to important information:

NOTE: Indicates tips or special requirements.

CAUTION: Indicates conditions that can cause equipment damage or data loss.

WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Notational Conventions
The following additional notational conventions are used in this document:

Italics are used to highlight the following:
• Chapters and sections in this and related documents
• Dialog box, window and screen names
• Drop-down list and list box names
• Check box and radio button names
• Icons on a screen.

GUI text is used to highlight the following:
• Screen names
• Menu items
• Button names on a screen.

Bullets (•) indicate:
• Action items
• Lists of alternatives
• Lists of required steps not necessarily sequential

Sequential lists (those that describe step-by-step procedures) appear as numbered lists.

Introduction
1.1 Chapter Contents
This chapter includes the following sections:
Section ... Page
Overview of an AirDefense Deployment ... 1-2
Deployment Lifecycle Overview ... 1-4
AirDefense Server Connection Options ... 1-6
About the User Interfaces ... 1-8
Your Role as a User ... 1-9
Basic Navigation ... 1-10
AirDefense and Time ... 1-13


1.2 Overview of an AirDefense Deployment


1.2.1 Components
A basic AirDefense system consists of an AirDefense Appliance and one or more Sensors.

AirDefense Enterprise's remote Sensors collect frames transmitted by 802.11a-, b-, g-, and n-compliant devices and send that data to a central AirDefense Server for analysis and correlation. AirDefense provides the most advanced wireless LAN monitoring with a distributed architecture of remote sensors that communicate with a centralized server.

1.2.2 Sensors
Wireless LAN monitoring requires a sensor in the vicinity of the airwaves carrying the WLAN traffic. The smart sensors from AirDefense passively observe all wireless LAN traffic within 40,000 to 60,000 square feet of typical office space. Once the sensor collects wireless LAN traffic, the smart sensor analyzes the 802.11 frames and extracts meaningful data points to determine key attributes, such as:
• Wireless device associations
• Use of encryption and authentication
• Vendor identification of all devices
• Total data transferred.

By preprocessing the data on the sensor, the smart sensors greatly reduce the need for bandwidth. In most cases the communication from the smart sensor to the server is less than 3 kbps.

1.2.3 Server Appliance


As part of an AirDefense system, the server appliance is a true plug-and-play system with a hardened operating system, optimized database, automated database maintenance, and all application software included. The AirDefense server appliance provides a scalable, secure, and manageable solution for enterprises to deploy in a single office or corporate campus. As an appliance, AirDefense does not require an enterprise to buy, install, configure, lock down, and support a server, operating system, and database. A true appliance comes ready with the application and all supporting software pre-loaded.

1.2.4 Network Connections


There are various methods for connecting with AirDefense Enterprise. AirDefense, Inc. recommends using the most secure choice when possible.
• Browser: use SSL (HTTPS, port 443) when possible.
• Sensor-to-Server: may use unencrypted (port 80) or encrypted (port 443) communication.
• Sensor UI: new releases only allow encrypted access to the sensor UI (HTTPS, port 443).

1-4 AirDefense Enterprise User Guide

1.3 Deployment Lifecycle


1.3.1 Overview
AirDefense Enterprise is designed to be self-managing, meaning that after installation and an initial period of configuration activity, you should be able to focus your attention on analyzing data and responding to notifications that your specific organization is interested in. Periodic tuning should be minimal.

1.3.2 Organization of this manual


This manual is organized to roughly reflect this deployment lifecycle. In this manual, the configuration activity is addressed as two phases: Initial Appliance Configuration and Configuring Data Collection.

1.3.3 Initial appliance configuration


The following graphic shows the basic activities in this phase.


1.3.4 Configuring data collection


The following graphic shows the basic activities in this phase.


1.3.5 Lean Back Monitoring


The following graphic depicts the activities that constitute ongoing activities associated with monitoring your WLANs security with AirDefense Enterprise.

1.4 AirDefense Server Connection Options


1.4.1 Overview
There are four ways to communicate directly with your AirDefense Server:
- Keyboard and Terminal
- Static IP Address
- Serial Port
- SSH

1.4.2 Keyboard and Terminal


You can physically access the server with a keyboard and terminal. When using a keyboard and terminal, you can:
- Execute a fresh installation
- Configure a just-shipped AirDefense server
- Upgrade a server via CD
- Apply a Service Module
- Conduct troubleshooting
- Access WIPSadmin

1.4.3 Static IP Address


You can physically connect a laptop to the server's Ethernet port to communicate through an IP address. The IP address is always 192.168.100.2 and must be configured by AirDefense Operations. You can only configure a just-shipped AirDefense server using the static IP address.

1.4.4 Serial Port


You can physically connect a laptop to the server's serial port to communicate with the server. This can be done only on 1150, 1250 and 3650 appliances; the feature is not available on 2230, 2270 and 4250 appliances. When communicating using the serial port, you can:
- Configure a just-shipped AirDefense server
- Apply a Service Module
- Conduct troubleshooting
- Access WIPSadmin

The following options must be set for the serial port:
- 9600 baud
- Data bits: 8
- Parity: none
- Stop bits: 1
- Software flow control

1.4.5 SSH
You can communicate with a server using SSH from a workstation. The server must be configured with an IP address for network access. When communicating with SSH, you can:
- Apply a Service Module
- Conduct troubleshooting
- Access WIPSadmin


1.4.6 About the User Interfaces

1.4.7 Overview


You manage AirDefense Enterprise components using a combination of interfaces. Each user interface has designated user names, passwords, and, in some cases, varying levels of privileges based on user roles. The interfaces, the program area each manages, the functions within that program area, and the type of user required are:

Enterprise Command Line Interface
  Program area: WIPSadmin (utilities)
  Functionality: Manage Dbase, Software, Config
  User: Command Line User
  Note: Although you can perform some configuration tasks with WIPSadmin, AirDefense, Inc. recommends that after initial setup you use the GUI instead.

Enterprise Graphical User Interface (GUI)
  Program area: AirDefense Enterprise Wireless Intrusion Prevention System
  Functionality: Dashboard, Rogue, Performance, Compliance, Forensic, Intrusion Alarms, Device Manager, Reports, Configuration
  User: User
  Note: To run the Enterprise GUI, the client workstation needs a minimum of 512MB of RAM; 1GB of RAM is recommended.

Enterprise Thin Client Web Interface
  Program area: Enterprise thin client web page
  Functionality: Dashboard, Network, Web reporting, Troubleshooting, Installer downloads
  User: User

Sensor User Interface (Sensor UI)
  Program area: AirDefense Sensor
  Functionality: Sensor Configuration
  User: Sensor User


1.5 Your Role as a User


1.5.1 How your user account was created
The person who initially installed your AirDefense server created at least one user account with the role of Admin. AirDefense lets Admin users create numerous other users with role-based permissions that control which functionality each user can access. The Admin user who created your account assigned you a user type (or role) that will determine whether or not you can use some AirDefense features.

1.5.2 User types


The five types of users and their permissions are:
- Admin: read and write access to all areas of AirDefense server and sensor administration, including creation of other Admin users
- Manager: read and write access to all areas of AirDefense server and sensor administration, except for creation of other Admin users
- Network Operator: primarily read-only access, plus the ability to acknowledge, clear, and purge alarms
- Troubleshooter: can conduct AP Test in the GUI and access the Troubleshooting application through the Enterprise thin client web page
- Guest: can create and save alarm filters, plus read-only access to Dashboard, Alarms, Sensor, Policy, and Notification

1.5.3 Additional Limitations


The way AirDefense Server is configured can have some other effects on how you use AirDefense Enterprise. Some of the features described in this book may not appear in the interface, or may be grayed out, depending on whether they are enabled or disabled. Example: If Air Termination is disabled, you will not see options for using it.

1.5.4 Effect of Domain-Based Partitioning


If the Admin user who configured your server is using Domain-Based Partitioning to limit the data each user sees, you may only be able to view or use data for the part of the network assigned to you.

1.5.5 Managing Your User Preferences


No matter what user type you are, you can choose certain options, or user preferences, for how you view data on the UI.


1.6 Basic Navigation


1.6.1 Overview
Understanding some basic concepts about the AirDefense UI will make it easy to navigate. The following graphic shows where to find the elements described below.


1.6.2 Tree Structure


The tree structure is critical to navigation in the UI. You can control the scope of the data you see in the right pane by selecting the appropriate node in the tree. The scope you select in the tree is persistent while you drill down into the data in the right pane.

1.6.3 Tree Structure Options


You can easily change the order of the elements in the tree so that it matches the way you need to view your environment. Example: In a no-wireless zone, you may want to see stations before APs or SSIDs.

1.6.4 Tree Contents Options


You can choose what to include in the tree to customize its level of detail. Because you do this from a simple menu, you can toggle between detail levels with just a couple of clicks.

1.6.5 Device Search


The Enterprise Device Search enables you to find specific Access Points, Stations, or Sensors that are being detected by AirDefense.

1.6.6 Tree Filter Options


Filtering the tree makes it easy to focus on the devices and data that are important to you. Although you may have rights for the entire network, you can use filters to narrow down what you see. Example: Ignore devices below -85 dBm because they're likely outside of your building.

1.6.7 Tool Bar


The tool bar gives a subset of information to help you focus on the data you want to see.


1.6.8 Dashboard Drill Down


The dashboard lets you quickly assess your overall security and performance status, then lets you drill down into detailed information about the data the dashboard summarizes. You can then drill even farther down into specific device or event information. The following graphic shows dashboard drill-down.


1.7 AirDefense and Time


1.7.1 Overview
AirDefense reports alarms, device information, and traffic statistics every minute. To understand the data that appears in AirDefense, you must understand how AirDefense handles system time versus the local GUI time, particularly in regard to alarms.

1.7.2 Alarm Time Reporting


When an alarm occurs, AirDefense detects the alarm in system time, and records this time in its database. You configure AirDefense system time by using the Command Line Interface, found in the Configuration program area. When reporting the alarm to your local GUI, however, AirDefense adjusts the report time to your local system time zone. It uses this time to report alarms to the Alarms panel, and it also reports other statistical data in this manner. The last updated time on each GUI program screen (indicated by the time stamp) correlates to the local system where the browser is running. You configure the GUI time in your local system.

1.7.3 Exception
An exception to this is the Alarm Details panel in Alarms. This panel reports alarm details in system time; the Alarm Details time stamp correlates to the AirDefense Server's system time. This is the same time stamp used for SNMP and Email Notifications. You can use it as a common point of reference when more than one Web User is viewing the GUI from different time zones.

1.7.4 Automatic date translation


AirDefense Server also translates the date. For example, if your GUI runs in New York City, the date drop-downs in the applicable programs turn over to the next day according to New York local time, not according to the server's system time.
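As an added example (not from the guide), the following Python models the two clocks described in 1.7.2 through 1.7.4: the alarm is stored in the appliance's system time, the Alarms panel shows it in the viewer's local zone, and the Alarm Details panel, SNMP trap and Email notification keep system time. The server zone (UTC) and the viewer offsets (New York at UTC-5, Tokyo at UTC+9) are fixed offsets chosen for the example; a real deployment takes them from the appliance and browser hosts.

```python
from datetime import datetime, timedelta, timezone

# Constructed for the example: assume the appliance's system clock runs in UTC,
# and two GUI users sit in New York (standard time, UTC-5) and Tokyo (UTC+9).
# Fixed offsets are used so the example runs without a tz database.
SERVER_TZ = timezone.utc
NEW_YORK = timezone(timedelta(hours=-5), name="New York (EST)")
TOKYO = timezone(timedelta(hours=9), name="Tokyo (JST)")

STAMP = "%Y-%m-%d %H:%M:%S %z"


def parse_system_time(stamp: str) -> datetime:
    """Parse a timestamp as the server recorded it, in system time."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SERVER_TZ)


def alarm_views(stamp: str, viewer_tz: timezone) -> dict:
    """Return one alarm as each part of the product would show it.

    alarms_panel  - local GUI time (the server shifts the report to the viewer's zone)
    alarm_details - system time; also what SNMP and Email notifications carry
    local_date    - the day the alarm falls under in the viewer's date drop-downs
    """
    system_dt = parse_system_time(stamp)
    local_dt = system_dt.astimezone(viewer_tz)
    return {
        "alarms_panel": local_dt.strftime(STAMP),
        "alarm_details": system_dt.strftime(STAMP),
        "notification": system_dt.strftime(STAMP),
        "local_date": local_dt.date().isoformat(),
        "system_date": system_dt.date().isoformat(),
    }


def same_alarm(view_a: dict, view_b: dict) -> bool:
    """Two web users in different zones correlate on the Alarm Details stamp,
    never on the Alarms panel time, which differs per viewer."""
    return view_a["alarm_details"] == view_b["alarm_details"]


if __name__ == "__main__":
    # Constructed alarm: detected shortly after midnight, server time.
    ny = alarm_views("2009-03-10 02:30:00", NEW_YORK)
    tk = alarm_views("2009-03-10 02:30:00", TOKYO)
    for name, view in (("New York", ny), ("Tokyo", tk)):
        print(name, view["alarms_panel"], "| details:", view["alarm_details"],
              "| local date:", view["local_date"])
    print("same event:", same_alarm(ny, tk))
```

The New York viewer sees the alarm under the previous calendar day while the Tokyo viewer and the Alarm Details panel show the next one; only the system-time stamp is common to all three.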


Basic Server Settings


2.1 Overview
2.1.1 About Basic Server Settings
This brief chapter explains the guidelines you should consider while setting several of the most basic configuration elements of the AirDefense Enterprise server.

2.1.2 Audience: Admin Users


The activities in this chapter must be performed by a user with Admin privileges.

2.1.3 The System Settings Tab


This chapter, like all others in this book, is task-based. Each topic addresses a different task you need to perform to get your system set up. However, most of the settings discussed in this chapter are located on a single tab in the UI: the System Settings tab. You can navigate to the System Settings tab at Configuration > Appliance Manager > System > Settings tab.

2.1.4 Chapter Contents


Topics in this chapter include:
- System Name and Port (page 2-2)
- Enabling Device Termination and Port Suppression (page 2-3)
- Enabling Domain-Based Partitioning (page 2-4)
- Creating and Using a Login Banner (page 2-4)
- Controlling Auto-Logout (page 2-5)
- Backing up Data (page 2-5)


2.2 System Name and Port


2.2.1 Overview
By default, the AirDefense Enterprise server is named WIPS (Wireless Intrusion Prevention System) and communicates on port 8543. The system name appears at the top of the directory tree in the UI. It also appears on the Dashboard Daily View and in Email notifications. You can change both the system name and port as part of your infrastructure hardening strategy.

2.2.2 Changing Defaults for Security Purposes


AirDefense recommends that if you want to maximize the security level of your Enterprise deployment, you change the server name to something that does not indicate that it is a security appliance. You should also consider changing the port to a less well-known port. If you keep the defaults, employees on your network or intruders can identify the appliance by its name and port more easily and then target it. Note that these changes only make the appliance harder to identify; they do not replace the authentication, certificate, and session controls described elsewhere in this guide.

2.2.3 New Port Number


If you want to change the port number, you can choose any unused port between 1024 and 65535. AirDefense Enterprise server will not let you choose a port that is already in use.

2.2.4 Navigation
To change the system name or port number, navigate to Configuration > Appliance Manager > System and make the changes on the Settings tab. Then click Apply.


2.3 Enabling Device Termination and Port Suppression


2.3.1 Overview
Device termination and Port Suppression are two of the most powerful ways AirDefense, Inc. helps you secure your wireless network, because they let you remotely disconnect rogue devices.

2.3.2 Definition: Air Termination


Air termination lets you terminate the connection between your wireless LAN and any Access Point or station that is associated with it. If the device is an Access Point, AirDefense server de-authenticates and disassociates all Stations associated with the Access Point. If the device is a station, AirDefense server terminates the Station-to-Access Point connection. There are two types of device termination over the air:
- Air Termination: lets you manually disconnect a device from your network.
- Policy-Based Termination: lets you create a policy that specifies your criteria for terminating devices. AirDefense server then automatically terminates devices that do not comply with the policy.

2.3.3 Definition: Port Suppression


Port suppression lets you turn off the wired-side switch port that a rogue wireless device is using to communicate with your network.

2.3.4 Enabling these Features During Setup


Before you can configure these features as part of your operational configuration, you must first enable them as part of your basic system setup. Navigate to Configuration > Appliance Manager > System > Settings tab and enable the features you want to use. Then click Apply. NOTE: Policy-based termination cannot be enabled without Air Termination.

2.3.5 Enabling device termination on sensors


In addition to enabling Device Termination on the server, as described in this topic, you must also enable it on the appropriate sensors. This process is described in Chapter 7, Managing Sensors.


2.4 Enabling Domain-Based Partitioning


2.4.1 Overview
Domain-Based Partitioning lets you define domains within the network, and then assign them to users, thereby restricting the data each user can view to that of his own domain. Each domain can include multiple Locations and corresponding Groups. This feature is particularly important to Managed Security Services Providers who offer a Managed Service and host multiple customers on the same appliance.

2.4.2 Enabling this Feature During Setup


Before you can configure Domain-Based Partitioning as part of your operational configuration, you must first enable it as part of your basic system setup. Navigate to Configuration > Appliance Manager > System > Settings tab and enable Domain-Based Partitioning. Then click Apply.

2.5 Creating and Using a Login Banner


2.5.1 Overview
AirDefense server lets you create a custom login banner, and then enable it so that it appears whenever the AirDefense server UI is launched.

2.5.2 Security Policy Compliance


Many organizations require a startup banner that notifies anyone logging in to a system about authorizations or responsibilities regarding that system. Making it easy for you to customize a login banner is an important way that AirDefense server helps you enforce your security policy.

2.5.3 Enabling this Feature


Before you can configure a login banner, you must first enable the feature. Navigate to Configuration > Appliance Manager > System > Settings tab and enable Login Banner. Then click Apply.

2.5.4 Configuring the Login Banner


After you enable the feature, the Banner button appears in the Appliance Manager's button bar. Click the Banner button to open the Banner settings tab. AirDefense not only lets you customize the banner text, it also lets you define the text on the Accept/Reject buttons. You can use HTML tags to format your text.


2.6 Controlling Auto Logout


2.6.1 Overview
AirDefense Enterprise server makes it easy to configure automatic logout from the server UI. Security policies and best practices sometimes call for automatically logging users out of critical systems after a specified period of time. Automatic logout helps ensure that the person using a session is the one who authenticated, and limits what an unauthorized person who gains physical access to an unattended computer can do with an open session on a critical system.

2.6.2 Enabling Auto Logout


Enable auto logout by navigating to Configuration > Appliance Manager > System > Settings. Select Auto-Logout Enabled, choose the amount of time a session can last before an automatic logout, and then click Apply.

2.7 Backing Up Data / Server Synchronization


2.7.1 Overview
AirDefense Enterprise lets you back up your data manually at any time, but for maximum data protection you should also schedule backups to occur automatically on a regular basis. AirDefense Enterprise also lets you synchronize the configuration on your primary and secondary servers, either manually or automatically (scheduled). Navigate to Configuration > Appliance Manager > Backups.

2.7.2 Manual Backup


You should perform a manual backup whenever you plan to update your server, such as before you apply a Service Module or before you upgrade to a new version. Executing a manual backup will back up all of your system configuration files.

2.7.3 Scheduled Backup


You should create a backup schedule that complies with either your IT backup policy or your security policy, whichever is stricter. Scheduled backups are stored on your AirDefense Enterprise Server; you may optionally back up to another AirDefense Enterprise Server. Scheduled backups are executed on a daily or weekly basis.

2.7.4 Manual Synchronization


You should perform a manual synchronization whenever you make a major configuration change/update and you want to copy it immediately to another server.


2.7.5 Automatic Synchronization


You should schedule server synchronization on a regular basis so that everyday or minor configuration changes and updates are copied automatically to the appropriate server(s).

Users and User Preferences


This chapter discusses all aspects of AirDefense Enterprise server user accounts, including how each user's role affects his ability to interact with the server, and the preferences he can control.

3.1 Chapter Contents


This chapter includes the following topics:
- User Account Fundamentals (page 3-1)
- Creating and Changing User Accounts (page 3-3)
- Limiting Users' Network Scope with Domain-Based Partitioning (page 3-4)
- Authentication (page 3-7)
- User Preferences (page 3-9)

3.2 User Account Fundamentals


3.2.1 Overview of User Accounts
During initial setup of the AirDefense server, at least one user account was created with the role of admin (an Admin User). That Admin user may create other Admin users. All Admin users have the ability to create and change additional user accounts. AirDefense Enterprise Server also tracks some functionality by user account, regardless of role, such as keeping track of private vs shared reports and logging server activity.

3.2.2 Overview of User Roles


AirDefense Enterprise Server contains five role types. The Admin user who creates each user account assigns one of these roles to each user. The roles have different levels of access to AirDefense server functionality.


3.2.3 Limited Functionality for Some Roles


For some user roles (types), some functionality may be grayed out or may not be visible in the interface at all. If there is functionality that you want to use, but that is unavailable to you, you may want to contact the system administrator to discuss your user role (type).

3.2.4 The Five User Roles


The role types and their related functions are:
- Admin: can manage all aspects of the AirDefense Enterprise system.
- Manager: can manage all aspects of the AirDefense Enterprise system except for creating Admin users and editing logs.
- Network Operator: can view all data about network activity, and can acknowledge, clear, and purge alarms.
- Troubleshooter: can only access the Troubleshooting application through the Enterprise thin client web page.
- Guest: can set their own user preferences and passwords, create alarm filters, and view data about network activity (on the Dashboard), Alarms, Sensors, Policies, and Notifications.

3.2.5 Overview of User Preferences


Regardless of the user type assigned to you, you can customize some aspects of how the server displays data. You can also change your own password, provided you know your current password.

3.2.6 Viewing User Information


You can view the following information about existing user accounts from Configuration > Appliance Manager > Users:
- Username
- Role
- Full Name
- Description


3.3 Creating and Changing User Accounts


3.3.1 Overview
AirDefense makes it easy to balance easy access to the system with a high level of system security and the ability to track the actions of users. Users with Admin or Manager privileges can create numerous user accounts with varying levels of system access.

3.3.2 Navigation
You can create and change user accounts at Configuration > Appliance Manager > Users.

3.3.3 Basic User Account Information


For each account you create, you will need to enter the following information:
- User name
- Role (Admin, Manager, Network Operator, Troubleshooter, or Guest). NOTE: Only Admin users can create other Admin users.
- Authentication method (Local, or an external authentication profile you have previously configured; see 3.5 Authentication on page 3-7)
- Domain (if you have configured Domain-Based Partitioning; see 3.4 Limiting Users' Network Scope with Domain-Based Partitioning on page 3-4)
- Full Name
- Description
- Password
NOTE: You must confirm any changes by clicking the Apply button.

3.3.4 Changing Passwords


If you are a user with Admin privileges, you can change passwords for other users. You do not need to know the current password. Additionally, all users can change their own password on the User Preferences tab, but they must know their current password to change it. Non-admin users who have forgotten their password will need an Admin user to create a new one.

3.3.5 Strong Passwords


Users must create strong passwords that meet the following criteria. Passwords must contain:
- No spaces or tabs
- At least 5 characters (up to 34 characters maximum)
- At least one digit
- At least one uppercase character
- At least one lowercase character
- At least one of the following symbols: ~ ! @ # $ % ^ & * ( ) _ + - = ? < > { } [ ] | \ : ; , . /
Example: Admin!23

Five characters is the minimum the server enforces, not a recommended length; set the floor your own password policy requires, and consider the password aging and complexity options described in 3.5 Authentication.

Important! You should change the default admin account user password at your first opportunity. Leaving the default password on the system poses a security risk.
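The following Python check, added here as an example and not part of the product, encodes the strong-password rules above and reports which rule a candidate fails. The rule names, the function names and the `min_length` parameter are the example's own; 5 is the documented minimum, and the parameter exists because an organizational policy will normally demand more.

```python
# Symbol set from section 3.3.5 of the guide; rule and function names are this
# example's own. Raw string so the backslash is kept literally.
SYMBOLS = set(r"~!@#$%^&*()_+-=?<>{}[]|\:;,./")
MAX_LENGTH = 34
DOC_MIN_LENGTH = 5  # documented system minimum, not a recommended floor


def password_failures(password: str, min_length: int = DOC_MIN_LENGTH) -> list:
    """Return the names of the rules the password violates (empty list = accepted).

    min_length defaults to the documented system minimum; raise it to match
    your own password policy when using this as a pre-check.
    """
    failures = []
    if any(ch in " \t" for ch in password):
        failures.append("no_whitespace")
    if not (min_length <= len(password) <= MAX_LENGTH):
        failures.append("length")
    if not any(ch.isdigit() for ch in password):
        failures.append("digit")
    if not any(ch.isupper() for ch in password):
        failures.append("uppercase")
    if not any(ch.islower() for ch in password):
        failures.append("lowercase")
    if not any(ch in SYMBOLS for ch in password):
        failures.append("symbol")
    return failures


def meets_policy(password: str, min_length: int = DOC_MIN_LENGTH) -> bool:
    """True when the password passes every rule at the given minimum length."""
    return not password_failures(password, min_length)


if __name__ == "__main__":
    # Constructed candidates; the first is the guide's own example.
    for candidate in ("Admin!23", "admin!23", "Admin 23", "Ab1!"):
        print(repr(candidate), password_failures(candidate) or "accepted")
    # The same example password against a stricter, policy-driven floor:
    print("Admin!23 with a 12-character minimum:", password_failures("Admin!23", 12))
```

Run as a pre-check before creating accounts, or raise `min_length` and use it to audit candidate passwords against your own policy rather than the system minimum.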

3.4 Limiting Users Network Scope with Domain-Based Partitioning


3.4.1 When to use Domain-Based Partitioning
Domain-Based Partitioning lets you limit the scope of what network locations, groups, and devices each user can view and manage, by creating network domains and then restricting each user to a domain. This is helpful when:
- Different users have responsibility for different parts of the network
- Different users have responsibility for different customer accounts on the same appliance (such as managed security services)
- Your security policy requires users' scope to be limited
- You want to limit the number of alarms a user is likely to see
Each domain can include multiple Locations and corresponding Groups.

3.4.2 Who Can Assign Domains?


Only users with Administrative privileges can assign domains.

3.4.3 Domain Strategy


There is a one-to-one relationship between users and domains, but there can be a many-to-many relationship between domains and locations. You should keep this in mind when you create domains, to minimize the number of domains for effective management. For smaller and less complex deployments, the domain assignment strategy may be as simple as creating domains for a few physical locations, and then assigning each domain to the user responsible for that domain. For larger and more complex deployments with multiple locations, domains, and users, you should plan which domains can be shared by multiple users (possibly with multiple different roles) and which cannot.


3.4.4 Example graphic


The following example shows how you might set up locations and domains for an international company. Each location might have multiple groups, such as buildings or floors.

3.4.5 Setup process


Setting up Domain-Based Partitioning is a four-stage process:
1. Enable Domain-Based Partitioning. Until it is enabled, you will not see or be able to use UI controls for Domain-Based Partitioning. Configuration > Appliance Manager > System > Domain Partitioning Enabled.
2. Add the locations that will make up your domains. Right-click on the server node > Add Location.
3. Define domains (described below).
4. Assign domains to users (described below).

3.4.6 Defining Domains


To define a domain:
1. Navigate to Configuration > Appliance Manager > Domains.
2. Type domain information on the General tab.
3. Select locations to include in the domain on the Locations tab. You may need to click Apply to activate the controls on the Locations tab.

3.4.7 Assigning domains to users


To assign domains to users:
1. Navigate to Configuration > Appliance Manager > Users.
2. Choose an existing user account to edit, or create a new one.
3. Select a domain from the Domain drop-down menu.
4. Click OK.
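To make the relationships in 3.4.3 concrete, here is an added Python model (example code, not the product's): domains are many-to-many with locations, each user holds exactly one domain, only an Admin may assign a domain, and a user's view of alarms is filtered to the locations of that domain. The location names, domain names, user names and alarm records are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ADMIN = "Admin"


@dataclass
class Domain:
    name: str
    locations: Set[str] = field(default_factory=set)  # a domain holds many locations


@dataclass
class User:
    username: str
    role: str
    domain: Optional[str] = None  # exactly one domain per user


@dataclass
class Alarm:
    alarm_id: int
    location: str
    summary: str


class Partitioning:
    """Domains are many-to-many with locations; users are one-to-one with domains."""

    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {}

    def define_domain(self, name: str, locations: List[str]) -> Domain:
        self.domains[name] = Domain(name, set(locations))
        return self.domains[name]

    def domains_for_location(self, location: str) -> List[str]:
        """A location may sit in several domains at once."""
        return sorted(d.name for d in self.domains.values() if location in d.locations)

    def can_assign_domain(self, actor: User) -> bool:
        """Only Admin users assign domains (section 3.4.2)."""
        return actor.role == ADMIN

    def assign_domain(self, actor: User, target: User, domain_name: str) -> None:
        if not self.can_assign_domain(actor):
            raise PermissionError(f"{actor.username} ({actor.role}) cannot assign domains")
        if domain_name not in self.domains:
            raise KeyError(domain_name)
        target.domain = domain_name  # replaces any earlier assignment: one domain per user

    def visible(self, user: User, alarms: List[Alarm]) -> List[Alarm]:
        """Only alarms raised at locations in the user's domain are shown to that user;
        a user with no domain assigned sees nothing."""
        if user.domain is None:
            return []
        scope = self.domains[user.domain].locations
        return [a for a in alarms if a.location in scope]


def demo() -> dict:
    """Constructed deployment: three domains, one shared location, two scoped users."""
    p = Partitioning()
    p.define_domain("EMEA", ["London", "Paris", "Frankfurt"])
    p.define_domain("AMER", ["Atlanta", "Toronto"])
    p.define_domain("FollowTheSun", ["London", "Atlanta"])  # London shared with EMEA

    root = User("root", ADMIN)
    pierre = User("pierre", "Network Operator")
    kim = User("kim", "Manager")
    p.assign_domain(root, pierre, "EMEA")
    p.assign_domain(root, kim, "FollowTheSun")

    alarms = [  # constructed alarm records
        Alarm(1, "London", "Rogue AP"),
        Alarm(2, "Atlanta", "Unauthorized station"),
        Alarm(3, "Paris", "WEP in use"),
    ]
    return {
        "partitioning": p, "pierre": pierre, "kim": kim,
        "pierre_sees": [a.alarm_id for a in p.visible(pierre, alarms)],
        "kim_sees": [a.alarm_id for a in p.visible(kim, alarms)],
        "london_domains": p.domains_for_location("London"),
    }


if __name__ == "__main__":
    result = demo()
    print("pierre (EMEA) sees alarms:", result["pierre_sees"])
    print("kim (FollowTheSun) sees alarms:", result["kim_sees"])
    print("domains containing London:", result["london_domains"])
```

The shared location is the point of the many-to-many design: London's alarms reach both the regional operator and the follow-the-sun shift without either seeing the other's remaining sites, which is why 3.4.3 asks you to plan shared domains before creating them.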


3.5 Authentication
3.5.1 User authentication options
This section describes your options for controlling how AirDefense server authenticates users. By default, it uses local authentication. However, you can alternatively use existing remote authentication sources like a RADIUS or LDAP authentication server.

3.5.2 Which option should you use?


Deciding which method your organization wishes to use should be done during the hardening of the infrastructure. Remote authentication lets your organization consolidate authentication databases for easier administration. A potential problem with remote authentication may arise if the authentication server is not available because of network problems or problems on the server hosting the authentication service. For this reason, you should maintain one or more Admin user accounts with local authentication. AirDefense Enterprise offers the security of being an appliance-based solution, so the default local authentication may meet your networks requirements without the introduction of remote services.

3.5.3 Process
Setting users up for local authentication is a two-step process:
1. Configure local authentication on the AirDefense server.
2. Assign local authentication to existing or new users.

Setting users up for remote authentication is a three-step process:
1. Configure the authentication server on the AirDefense server.
2. Create an authentication profile for the server.
3. Assign the authentication profile to existing or new users.

3.5.4 Navigation
Configure local authentication at Configuration > Appliance Manager > Authentication > Local Authentication. Configure remote authentication at Configuration > Appliance Manager > Authentication > Remote Authentication. Assign user profiles at Configuration > Appliance Manager > Users.

3.5.5 What you need to know


To set up local authentication, you will need to know:
- Whether you will use password aging, and the number of days a password can be used before it expires
- Whether you will require users to choose a highly complex password
- Whether you will place a time limit on the login process, and how many minutes a user has to log in successfully
- The maximum number of login attempts before a user is locked out of an account

To set up remote authentication, you will need to know:

RADIUS server:
- IP address of the RADIUS server
- Protocol (PAP, CHAP, MSCHAP, or MSCHAPv2)
- RADIUS port (RADIUS authorization server port number)
- RADIUS accounting port (RADIUS accounting server port number)
- Shared secret (the password used and shared by both the authentication server and the authentication profile)
- The time (in seconds) after which a connection attempt times out
- The number of connection retries allowed
- User prefix/user suffix used to build a custom user string, for example <Windows-Domain>\<UserName>

LDAP server:
- IP address of the LDAP server
- Protocol (LDAP or LDAPS). Prefer LDAPS: plain LDAP carries the bind credentials unencrypted between the appliance and the directory.
- LDAP port (authorization server port number)
- User prefix/user suffix used to build a custom user string, for example <Windows-Domain>\<UserName>
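As an added example (not product code), the Python below models the authentication choices in 3.5: local accounts with the lockout threshold and password aging that 3.5.5 asks you to decide on, a remote profile that builds the <Windows-Domain>\<UserName> string from a prefix, and the failure mode 3.5.2 warns about, a remote server that is unreachable while a locally-authenticated Admin still gets in. The remote directory is a constructed dictionary standing in for a RADIUS or LDAP server; no network traffic is sent, and the result strings are the example's own.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional


class RemoteUnavailable(Exception):
    """Raised when the RADIUS/LDAP server cannot be reached (network or host down)."""


@dataclass
class LocalPolicy:
    max_attempts: int = 3                  # lockout threshold
    password_age_days: Optional[int] = 90  # None disables aging


@dataclass
class LocalAccount:
    username: str
    password: str  # cleartext only to keep the example short; store a salted hash in practice
    password_set: date
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class RemoteProfile:
    """Stand-in for a RADIUS or LDAP authentication profile (constructed)."""
    name: str
    user_prefix: str = ""   # e.g. "CORP\\" yields <Windows-Domain>\<UserName>
    user_suffix: str = ""   # e.g. "@corp.example" for UPN-style names
    reachable: bool = True
    directory: Dict[str, str] = field(default_factory=dict)  # replaces the real server

    def user_string(self, username: str) -> str:
        return f"{self.user_prefix}{username}{self.user_suffix}"

    def check(self, username: str, password: str) -> bool:
        if not self.reachable:
            raise RemoteUnavailable(self.name)
        return self.directory.get(self.user_string(username)) == password


class Authenticator:
    def __init__(self, policy: LocalPolicy, today: date) -> None:
        self.policy = policy
        self.today = today
        self.local: Dict[str, LocalAccount] = {}
        self.remote: Dict[str, RemoteProfile] = {}
        self.method: Dict[str, str] = {}  # username -> "Local" or a profile name

    def add_local(self, account: LocalAccount) -> None:
        self.local[account.username] = account
        self.method[account.username] = "Local"

    def add_remote_user(self, username: str, profile: RemoteProfile) -> None:
        self.remote[profile.name] = profile
        self.method[username] = profile.name

    def login(self, username: str, password: str) -> str:
        method = self.method.get(username)
        if method is None:
            return "unknown_user"
        if method == "Local":
            return self._local_login(self.local[username], password)
        try:
            ok = self.remote[method].check(username, password)
        except RemoteUnavailable:
            return "remote_unavailable"  # no silent fallback: keep a local Admin for this case
        return "ok" if ok else "bad_credentials"

    def _local_login(self, acct: LocalAccount, password: str) -> str:
        if acct.locked:
            return "locked"
        if password != acct.password:
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.policy.max_attempts:
                acct.locked = True
                return "locked"
            return "bad_credentials"
        acct.failed_attempts = 0
        age = self.policy.password_age_days
        if age is not None and self.today - acct.password_set > timedelta(days=age):
            return "password_expired"
        return "ok"


if __name__ == "__main__":
    auth = Authenticator(LocalPolicy(), today=date(2009, 6, 1))
    auth.add_local(LocalAccount("admin", "Admin!23", date(2009, 5, 1)))
    corp = RemoteProfile("corp-radius", user_prefix="CORP\\",
                         directory={"CORP\\alice": "Wips!2009"})
    auth.add_remote_user("alice", corp)
    print("alice via RADIUS:", auth.login("alice", "Wips!2009"))
    corp.reachable = False
    print("alice, RADIUS down:", auth.login("alice", "Wips!2009"))
    print("local admin, RADIUS down:", auth.login("admin", "Admin!23"))
```

The remote-unavailable result is returned, not turned into a local retry: a remote user is not quietly downgraded to local checking, which is exactly why the section tells you to keep one or more Admin accounts on local authentication.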


3.6 User Preferences


Every user can control some aspects of the way the AirDefense Enterprise GUI displays information. Users can do this themselves, or, if you are an admin user, you can set up user preferences for other users. Select Configuration > User Preferences to display the three tabs that let you control your user preferences: Display Preferences, Current User Info, and Other Preferences.

3.6.1 Display Preferences Tab


You can set display preferences for APs, Stations, and Sensors, and define the order of preference for how you view devices. Device identifiers appear next to stateful, color-coded icons throughout the AirDefense GUI. The Display Preferences tab lets each user determine whether the GUI identifies each device by its MAC address, vendor prefix, IP address, user-selected name, etc. MAC address is the default; if you choose a different identifier, AirDefense server displays your preferred setting instead. Example: AirDefense server can display Access Points throughout the GUI as a MAC address, a Vendor Prefix, an IP address, a DNS name, or a user-defined Name.

3.6.2 Current User Information Tab


The Current User Information tab displays your user name and role, and lets you change your password, regardless of whether you are an admin user or another type of user.

Changing your own password: type your current password, then type your new password in both fields. Click Apply to save your change.

3.6.3 Other Preferences Tab


This tab controls two things:
- The warning window that displays when you access Spectrum View. Enable or disable it by checking or unchecking the Show Spectrum Analysis warning checkbox.
- The appearance and refresh rate of the Dashboard window. Select the rate at which you want the Dashboard to refresh; the default refresh rate is 10 minutes. Then choose the Dashboard view that you want as your own default view:
  - Manager (default): a combination of security and performance charts
  - Performance: performance charts
  - Security: security charts
  - Vintage: data in list form, as in previous versions of the AirDefense Enterprise GUI
Regardless of which view you choose as your default, you can change the view at any time from the Data View drop-down on the Dashboard.


Certificates
This chapter describes your choices for using certificates to verify the authenticity of the AirDefense server to users connecting to it. You must have a user role of Admin or Manager to manage certificates.

4.1 Chapter Contents


This chapter includes the following topics:
- About Certificates (page 4-1)
- Security Alerts (page 4-3)

4.2 About Certificates


4.2.1 Overview
Certificates can prevent hijacking of sessions between your browser and the AirDefense Server, and can even alert you to physical replacement of the AirDefense Server. Certificates install into the AirDefense Server and are sent by the Server directly to your Windows session, enabling you to use AirDefense over a secure, TLS-encrypted HTTPS web session. You can choose from four server certificate options:
- AirDefense default certificate
- Tomcat (self-signed) certificates
- Root-signed (CA) certificates
- SSL certificate

CAUTION: Motorola AirDefense Solutions recommends that you replace the preinstalled security certificate with at least a self-signed certificate for every AirDefense Server in your network.


4.2.2 AirDefense Default Certificate


AirDefense, Inc. ships the AirDefense Server with a pre-installed security certificate. The AirDefense certificate represents a minimal level of security. It is a working certificate that provides TLS encryption, but has not been verified and digitally signed by a root Certificate Authority (CA). The host name identified in the certificate will not match the actual host name of your AirDefense Server.

4.2.3 Tomcat certificates


The AirDefense server has a default certificate pre-installed, but it can also issue and use self-signed Tomcat Certificates. A self-signed certificate represents an intermediate level of security. When you generate a Tomcat certificate, you specify the host name of the AirDefense Server in the certificate, but do not have the certificate verified and digitally signed by a root Certificate Authority.
Client stations attempting to access the server may not recognize these certificates. If that happens, you will be prompted to accept the connection on a temporary or permanent basis.

4.2.4 Root-signed certificates


AirDefense Enterprise also supports external root-signed certificates. A root-signed certificate represents a high level of security. A root-signed certificate is a public certificate verified by a root Certificate Authority (CA). This is a digitally signed certificate that ensures the authenticity of the AirDefense Server. These may be generated by your organization using your own certificate authority (CA) or may come from a third-party CA.

Your organization's own CA


Using your own CA lets you create and manage certificates internally to comply with your organization's security policy. Certificates from your own CA do not have the additional expense of a third-party CA. Certificates from your own CA require more work than using the built-in Tomcat certificates.

A third-party CA
Useful when two or more organizations are working together and require highly secure communications and external validation of clients. Adds significant cost in deployment due to the introduction of third party services and related overhead and expense.

4.2.5 SSL Certificate


An SSL certificate represents the highest level of security. SSL certificates create a secure connection between a client and a server. The client is usually a web browser transmitting private information over the internet. The URL for SSL connections starts with https:// instead of http://.


4.3 Security Alerts


4.3.1 Overview
You may receive self-descriptive alert screens if certain certificate criteria are not met when you open a session with the AirDefense server, regardless of what type of certificate you are using.

Security Alert Window

The Security Alert window appears if the certificate does not meet all of the following criteria:
- The AirDefense Server must have a certificate signed by a trusted Certificate Authority installed, and the certificate must be applied to the AirDefense GUI.
  NOTE: After you install a certificate, you must use the WIPSadmin to restart the AirDefense server processes.
- Your workstation's current date must be within the range of valid dates generated for the certificate.
- The host name generated for the certificate must match the name of the AirDefense Server.

Java Security Warning: host name mismatch

The Java Security Warning window for host name mismatch appears during initial Enterprise login if the host name of your AirDefense Server does not match the host name in the security certificate.


Chapter 5. Planning Your Sensor Deployment


AirDefense uses remote sensors to collect data transmitted by 802.11a-, b-, g-, and n-compliant devices and to send that data to a central AirDefense Server for analysis and correlation. Because the sensors are passive devices that function primarily in listen-only mode, a single sensor can monitor multiple APs. You should leverage any site surveys you conduct for placement of Access Points as aids to Sensor placement decisions.

5.1 Chapter Contents


This chapter includes the following topics:

Topic                                      Page
Deployment Considerations                  5-2
Sensor Placement                           5-5
Sensor Placement with WEP Cloaking         5-7
Sensor Placement with Location Tracking    5-8


5.2 Deployment Considerations


5.2.1 Building Structure
Many materials used in building construction may significantly impact the propagation of signals in the 2.4GHz spectrum, including:
- Concrete reinforcement bars
- Elevator shafts
- Electric motors (for example, blowers and generators)
- Lighting fixtures

5.2.2 Physical and Electromagnetic Interference


Many devices can interfere with sensors monitoring of the wireless network, including:
- Cordless phones and headsets
- Bluetooth devices
- Microwave ovens
- Consumer cordless devices (for example, surveillance cameras, baby monitors, and video transmission extenders)

5.2.3 802.11a, b, g, n Device Density


You should consider the density of 802.11a, b, g, and n devices:
- Support of a high number of users
- Support of high bandwidth consumption
- Localization of wireless network service

5.2.4 AP Placement
The sensors should be separated by at least 10 feet from any installed APs to avoid radio desense. The active transmissions of an AP can desensitize the sensor receiver radio on the same channel when the sensor is placed in close proximity to an AP.

5.2.5 Device Location Information


While a single AirDefense Sensor can monitor a very large area, distributing multiple sensors in such an area can provide a much better idea of where a rogue device is physically located. By comparing the RSSI values each sensor detects, you can find the device more easily.

5.2.6 Desired Monitoring and Intrusion Protection Functionality


Your decisions about sensor placement should also take into account what functionality you plan to use. Five important functions that are somewhat dependent on sensor density or placement are:
- WEP Cloaking: For effective WEP Cloaking, several sensors should be deployed around the perimeter of a building. Higher sensor density will typically yield better protection for your legacy encryption devices.
- Location Tracking: To track a device, the device must be observed by three or more Sensors on the same floor plan. Higher sensor density will typically yield higher accuracy results.
- Connection Termination: To terminate a device's connection to your network, the device must be in range of a Sensor sending termination signals.
- Policy Enforcement: To ensure adherence to policies or to detect attacks against managed devices, Sensors must be able to receive a representative sampling of traffic sent by all devices they are monitoring.
- Rogue Detection: Even sporadic emanations from wireless Stations and Access Points can reveal the presence of rogues. You need to place Sensors where transmissions from rogue devices can be detected as soon as they enter the scanning area.

5.2.7 Assets to be Protected


- Wireless-capable devices that contain sensitive data must be protected.
- Wired networks: protecting the wire from wireless breach. This approach is key to making wireless monitoring deployment decisions in very large installations, such as military bases, airports, power plants, campuses, etc. A common perception is that wireless devices must be detected and monitored throughout a given property. This becomes impractical in many cases. A more practical approach is one that protects the wired network while using more sane decisions for monitoring.

5.2.8 Sensor Quantity, Location, and Installation


Application choice will significantly impact the sensor density and sensor placement. For example, rogue detection in a no wireless zone needs fewer sensors as even sporadic emanations from a wireless device, at the lowest data rate and longest range, can reveal the presence of a rogue. As the applications become more complex, they may require a representative sample of frames or meet certain minimum signal level thresholds, increasing the sensor density requirement. Using these factors in baseline decisions with regard to Sensor placement, the following coverage area guidelines may be applied to establish an effective deployment. (All numbers are in square feet.)
802.11 b/g/n                        Indoor/Office   Warehouse, Distribution, Manufacturing   Outdoor, Hangar
WEP Cloaking & Location Tracking    15,000          19,000                                   25,000
Connection Termination              17,000          22,000                                   30,000
Policy Enforcement                  20,000          30,000                                   40,000
Rogue Detection                     30,000          45,000                                   60,000

802.11 a/n                          Indoor/Office   Warehouse, Distribution, Manufacturing   Outdoor, Hangar
WEP Cloaking & Location Tracking    11,000          17,000                                   19,000
Connection Termination              14,000          19,000                                   24,000
Policy Enforcement                  17,000          26,000                                   30,000
Rogue Detection                     25,000          35,000                                   45,000

Where a sanctioned wireless LAN deployment is being monitored (as opposed to enforcement of a no-wireless policy), one sensor is typically needed for every six to eight Access Points. Based on the above, one sensor per 20,000 sq ft of area to be monitored is a sound guideline. Sensors that may be exposed to harsh environments can be placed in accessory enclosures (NEMA-4) that protect the Sensor and provide code compliance, regulatory compliance, or both.

5.2.9 Power and Data cabling


Sensors are often placed in areas that take advantage of pre-existing power and data cabling. These areas include wiring closets and other areas where IDFs may be located. Where these locations are somewhat shielded from the wireless environment, the Sensor may be extended to just outside of these spaces using standard power cords and pre-terminated data cables, obviating the need for additional, costly fixed runs. When practical, choose facilities that place the Sensors as close to the center of the intended monitoring space as possible.

In instances where wiring closets, IDFs, or both are not ideally located for Sensor placement, Sensors may take advantage of Power over Ethernet, either from a single power injector or a compliant switch. PoE injectors are available from AirDefense.

If there are gaps in coverage, or if deployment cost is a factor (due to the required density of Sensors or the cost of wiring to place Sensors in strategic locations), there are several relatively inexpensive remedies. Where wiring for placement in an ideal location is impractical, employ additional Sensors to correct as necessary. FCC Rules regulate the use of antennas as aids to reception for the Sensors, in regard to the Sensor's 802.11 component. If antennas would greatly enhance the overall deployment, AirDefense is available to advise on the best approach for antenna application, considering both regulatory guidelines and the physical design of the Sensors.

In either case, always use facility floor plans to indicate where Sensors are placed and to indicate areas where a coverage test was done.


5.3 Sensor Placement


5.3.1 Using AirDefense Architect to plan sensor placement
5.3.1.1 Overview
AirDefense Architect is a revolutionary software package that enables you to efficiently design, model, and measure 802.11a, 802.11b, 802.11g, and 802.11n networks, as well as plan your sensor coverage. Building facilities and campus environments can be quickly modeled using menus that guide you step-by-step. You can quickly place access points and predict signal coverage during the WLAN design phase. Post-WLAN deployment, you can use AirDefense Architects powerful features for measuring network performance and validating network designs.

5.3.1.2 Features
- Rapidly Design and Deploy More Efficient Networks: AirDefense Architect helps design quality wireless networks by helping to overcome the challenges of coverage holes, poor service areas and improper capacity and network resource allocation.
- Avoid Costly Retrofits: AirDefense Architect minimizes design and deployment costs by helping the designer visualize the physical location and configuration of installed network equipment, automatically placing and configuring access points, and accurately predicting network coverage and capacity.
- Simplify Complex Wireless Environments: Designers can quickly compare site-survey measurements to the expected network performance, enabling real-time and accurate design modifications. AirDefense Architect is intuitive and helps users rapidly operate and design in all phases of WLAN build-out and management.
- Included: AirDefense Survey functionality, which provides real-time, in-field measurements for site surveys. Seamlessly integrated into AirDefense Architect, measurements from AirDefense Survey can be used to optimize and compare its predictions.
In addition to planning all your Access Points prior to deployment, Architect also offers a Sensor planning feature. You can use the same building maps to carefully plan sensor placement, ensuring maximum coverage and no dead spots.

5.3.2 Using AirDefense Mobile to plan sensor placement


5.3.2.1 Overview
After you map out anticipated sensor locations, you can assess the effectiveness of coverage by correlating site survey data and assumptions discussed previously. You can also use the test procedure described here to validate sensor location. Because sensors are passive devices that do not have the capability to transmit data, the process of determining sensor coverage depends on a reverse site survey process in which a device introduces a signal in your Wireless LAN, and then the signal is tracked through the facility using the deployed sensors.

5.3.2.2 Prerequisites
Documents that can help you determine sensor placement include:
- Floor Plans
- Existing Site Surveys
- Wiring layouts
- Regulatory rules and codes for wiring, construction, materials, etc., where applicable.

Tools you will need:
- A laptop running AirDefense Mobile r4.0 or later (or AirDefense Survey r1.1)
- An 802.11a/g wireless device (Station or Access Point). The ideal output power for this device (around 40 mW) would be that of a retail quality Station card or Access Point, as these are likely rogue candidates.
  NOTE: A soft Access Point on a laptop is often an ideal target because it can be Locked On a channel and is battery powered through being hosted on a laptop.

During the survey, access to all areas to be monitored is required.

5.3.2.3 Procedure
Following is a step-by-step process to accomplish this task.
1. Obtain Maps/Layouts of the facility and determine the traversal plan.
2. Start AirDefense Mobile.
3. Turn on the target device (Access Point, soft Access Point, or laptop/PDA with Station card).
4. AirDefense Mobile should detect the target device.
5. Identify the target device in the AirDefense Mobile device tree and use your mouse to right-click on it to display a list of options.
6. Use AirDefense Mobile Options to Lock On the channel on which the target device is discovered.
7. Right-click the device in the Dashboard tree; select LiveView.
8. Focus on Signal Strength in the Decode tab in LiveView. Verify that the target device is being tracked by AirDefense Mobile.
9. When a Station card is being used as a target, significant peaks and valleys are observable in Signal Strength as the Station card rotates through channels probing for an Access Point. The peaks are indicative of the effective signal strength relative to AirDefense Mobile.
10. Move the target device to the anticipated fringe where a neighboring Sensor would become primary.
11. At the fringe of coverage, signal strength should be no less than -70 dBm to assure termination ability.
12. Move AirDefense Mobile to the anticipated location of the next Sensor and use the same procedure to ensure that its anticipated coverage area is valid.
13. If the above Sensor placement proves adequate from a coverage and cost of placement perspective, factors observed during this analysis may be extrapolated to other locations of similar construction.


5.4 Sensor Placement with WEP Cloaking


5.4.1 Overview
WEP Cloaking will typically require a higher density of sensor deployment than most other applications. This puts WEP Cloaking in the highest category of sensor density deployments, similar to Location Tracking.

5.4.2 Considerations
For effective WEP Cloaking, there are two important considerations:
- Spatial coverage: The sensors enabled with WEP Cloaking must at a minimum cover the same area as the authorized Access Points and Stations they are protecting. For this requirement, you should leverage any site surveys you conduct or have conducted for placement of Access Points as aids to sensor placement decisions. Another option is using a WLAN simulation tool such as AirDefense Architect. Figure 4 below shows a simulation of access point coverage based on the building's RF properties loaded into the system. For example, in a typical retail location most wireless point-of-sale devices will be in the front of the store near the check-out stations. Assuming the hacker would be outside of the building, sitting in the front parking lot, it would make sense to place at least 2 sensors in each of the corners in the front of the store. If there is public access from the back of the building or the retail location is surrounded by parking areas, you may want to consider additional sensors in the back for complete protection.
- Channel coverage: A single sensor should not be required to cloak more than 3 authorized access points at a time. For effective cloaking there must be sufficient chaff WEP frames to confuse the statistical WEP cracking tools. At the same time, the sensors must perform regular Wireless IPS scanning on other channels. The sensors are designed to intelligently adjust their frequency scanning patterns. However, to maximize cloaking effectiveness and scan all other channels for possible intrusions, sensors should not be expected to cloak more than three authorized APs, or more specifically 3 unique communication channels at a time.

5.4.3 For Adequate Protection


Typically, it will take several sensors deployed at the perimeter of the building to adequately protect all wireless devices with WEP Cloaking. This also implies that, even in small stores, it may take more than one sensor for adequate WEP Cloaking protection; the higher the density of sensors you deploy, the better your legacy encryption devices will be protected. Any deployment should start with a site survey or RF simulation of the WLAN environment, followed by a mapping of sensor coverage to access point coverage of unique channels.
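The guidelines in this chapter combine in practice: the area-per-sensor table in 5.2.8, the one-sensor-per-six-to-eight-APs rule, the three-sensor minimum for Location Tracking (5.2.6) and the three-channel limit for WEP Cloaking (5.4.2) each set a floor on the sensor count, and a deployment has to satisfy all of them. The estimator below is an added example and not part of AirDefense Enterprise; the FloorPlan model, the function names and the choice of six APs per sensor as the conservative end of the range are assumptions.

```python
import math
from dataclasses import dataclass, field

# Coverage area per sensor in square feet, from the tables in 5.2.8.
# Column order: Indoor/Office, Warehouse/Distribution/Manufacturing, Outdoor/Hangar.
ENVIRONMENT_COLUMN = {"indoor_office": 0, "warehouse": 1, "outdoor_hangar": 2}
SQFT_PER_SENSOR = {
    "802.11 b/g/n": {
        "wep_cloaking":       (15000, 19000, 25000),  # shares a row with Location Tracking
        "location_tracking":  (15000, 19000, 25000),
        "termination":        (17000, 22000, 30000),
        "policy_enforcement": (20000, 30000, 40000),
        "rogue_detection":    (30000, 45000, 60000),
    },
    "802.11 a/n": {
        "wep_cloaking":       (11000, 17000, 19000),
        "location_tracking":  (11000, 17000, 19000),
        "termination":        (14000, 19000, 24000),
        "policy_enforcement": (17000, 26000, 30000),
        "rogue_detection":    (25000, 35000, 45000),
    },
}
MIN_SENSORS_LOCATION_TRACKING = 3     # 5.2.6 and 5.5.1: three sensors per floor plan
MAX_CHANNELS_PER_CLOAKING_SENSOR = 3  # 5.4.2: at most three unique channels per sensor
APS_PER_SENSOR = 6  # 5.2.8 says six to eight APs per sensor; six is the conservative end (assumption)


@dataclass
class FloorPlan:
    """One floor plan to be monitored (assumed model, not an AirDefense object)."""
    name: str
    area_sqft: float
    environment: str    # key of ENVIRONMENT_COLUMN
    band: str           # key of SQFT_PER_SENSOR
    functions: set = field(default_factory=set)  # keys of SQFT_PER_SENSOR[band]
    sanctioned_aps: int = 0      # your own APs on this floor plan, if monitoring a WLAN
    cloaked_channels: int = 0    # unique channels used by the APs to be WEP cloaked


def sensor_requirements(plan: FloorPlan) -> dict:
    """Sensor count demanded by each guideline that applies to the floor plan."""
    column = ENVIRONMENT_COLUMN[plan.environment]
    table = SQFT_PER_SENSOR[plan.band]
    needs = {}
    for function in sorted(plan.functions):
        # Area-based density from the table: round up, a partial sensor is a whole sensor.
        needs[function] = math.ceil(plan.area_sqft / table[function][column])
    if "location_tracking" in needs:
        # A device must be seen by three sensors on the same floor plan, however small it is.
        needs["location_tracking"] = max(needs["location_tracking"], MIN_SENSORS_LOCATION_TRACKING)
    if "wep_cloaking" in needs and plan.cloaked_channels:
        # Each cloaking sensor can generate chaff for at most three unique channels.
        by_channels = math.ceil(plan.cloaked_channels / MAX_CHANNELS_PER_CLOAKING_SENSOR)
        needs["wep_cloaking"] = max(needs["wep_cloaking"], by_channels)
    if plan.sanctioned_aps:
        # Sanctioned WLAN monitoring: one sensor for every six to eight APs.
        needs["ap_ratio"] = math.ceil(plan.sanctioned_aps / APS_PER_SENSOR)
    return needs


def sensors_needed(plan: FloorPlan) -> int:
    """The deployment must satisfy every guideline at once, so the largest count wins."""
    return max(sensor_requirements(plan).values(), default=0)


if __name__ == "__main__":
    # Constructed floor plans; the first two reproduce Example 1 in 5.5.4.
    plans = [
        FloorPlan("Small office, IDS only", 10000, "indoor_office", "802.11 b/g/n",
                  {"rogue_detection"}),
        FloorPlan("Small office, IDS + tracking", 10000, "indoor_office", "802.11 b/g/n",
                  {"rogue_detection", "location_tracking"}),
        FloorPlan("Warehouse a/n", 100000, "warehouse", "802.11 a/n",
                  {"policy_enforcement", "termination"}, sanctioned_aps=20),
        FloorPlan("Retail store, cloaking", 30000, "indoor_office", "802.11 b/g/n",
                  {"wep_cloaking"}, cloaked_channels=10),
    ]
    for plan in plans:
        print(f"{plan.name}: {sensors_needed(plan)} sensor(s) {sensor_requirements(plan)}")
```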


5.5 Sensor Placement With Location Tracking


5.5.1 Overview
Sensor density and sensor placement are the most important factors regarding overall positioning resolution. To achieve accurate results, the system requires RSSI values from at least three independent sensors on the same floor plan. Due to the nature of high frequency signals (2.4 GHz and 5 GHz) and limited signal strength resolution in 802.11 devices, the positioning resolution and stability tend to be better near receivers/sensors. Therefore, AirDefense recommends placing a sensor in each area where accurate resolution is required, or increasing overall sensor density to ensure high RSSI values.

5.5.2 Considerations
Every site is unique in terms of actual sensor coverage; this section merely describes sensor placement and respective coverage in a simplified way. Actual signal propagation is a very complex issue due to environmental factors like the reflection/absorption properties of materials (walls, furniture), large moving objects, etc.
- Sensors should be placed in corners, preferably in a way which minimizes random fluctuations in signal strength caused by people moving around, opening / closing doors, windows or large objects which may be moved during operation, etc.
- Sensors should not be placed in a straight line: to eliminate the possibility of having two or more similar RSSI values from sensor combinations for different locations, combined coverage areas for the sensors should not be symmetric.
- Place additional sensors in areas where accuracy is important: to achieve repeatable and consistent positioning resolution, sensors should be placed so that they measure unique signal strengths and sensor combinations for each location considered significant.

5.5.3 IDS versus Location Tracking


Ideal sensor placement for Wireless IDS differs from that for Location Tracking.

(Figure: For Intrusion Detection System)

(Figure: With Location Tracking)


5.5.4 Example 1
You have a small office of 10,000 sq. ft. For Wireless IDS/IPS you would only need 1 sensor; to maximize the coverage it makes sense to place the sensor in the center of the building. When location tracking is needed in this same scenario, a minimum of 3 sensors for each floor plan would be required, and the recommended placement is at the corners.

5.5.5 Example 2
You have a multi-floor building with 3 floors. Depending on floor construction, the RF may travel through each floor. If only Wireless IDS/IPS is required, you may be able to leverage detection through the floor and ceiling and place sensors on every other floor. Depending on the floor characteristics, you may need a sensor on each floor; however, it may make sense to offset each sensor on each floor and take advantage of the detection through the floor and ceiling. If location tracking is needed, the same 3 sensors for each floor plan would be required, and the recommended placement is 3 sensors in the corners of each floor.
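The reason 5.5.2 insists on three or more sensors that are not in a straight line can be shown numerically. The following added example (not AirDefense code; it assumes a simple log-distance path-loss model with -40 dBm at one metre and a path-loss exponent of 3, and a constructed 40 m by 30 m floor plan) predicts the RSSI each sensor would report for a device at a given point, then searches the floor for every point that would produce the same RSSI vector: two sensors, or three collinear ones, leave a mirror-image position that cannot be told apart, while sensors in the corners resolve a single point.

```python
import math

# Assumed radio model (not from the guide): received power in dBm at distance d metres.
RSSI_AT_1M = -40.0        # power one metre from the transmitter
PATH_LOSS_EXPONENT = 3.0  # typical indoor value; free space would be 2


def predicted_rssi(sensor, device):
    """Log-distance path loss: RSSI falls by 10 * n dB for every tenfold increase in distance."""
    d = max(math.hypot(sensor[0] - device[0], sensor[1] - device[1]), 1.0)  # clamp inside 1 m
    return RSSI_AT_1M - 10.0 * PATH_LOSS_EXPONENT * math.log10(d)


def rssi_vector(sensors, device):
    """What each sensor would report for a device at this position."""
    return [predicted_rssi(s, device) for s in sensors]


def matching_positions(sensors, observed, width, height, step=1.0, tol=0.1):
    """Grid search over the floor plan: every point whose predicted RSSI agrees with the
    observed vector on all sensors to within tol dB is a candidate device location.
    More than one candidate means this sensor layout cannot resolve the device."""
    matches = []
    for i in range(int(width / step) + 1):
        for j in range(int(height / step) + 1):
            point = (i * step, j * step)
            predicted = rssi_vector(sensors, point)
            if all(abs(p - o) <= tol for p, o in zip(predicted, observed)):
                matches.append(point)
    return matches


if __name__ == "__main__":
    FLOOR_W, FLOOR_H = 40.0, 30.0   # constructed floor plan, metres
    device = (10.0, 20.0)           # constructed true device position
    layouts = {
        "two sensors, opposite corners": [(0, 0), (40, 30)],
        "three sensors in a straight line": [(0, 15), (20, 15), (40, 15)],
        "four sensors, one per corner": [(0, 0), (40, 0), (0, 30), (40, 30)],
    }
    for name, sensors in layouts.items():
        observed = rssi_vector(sensors, device)
        candidates = matching_positions(sensors, observed, FLOOR_W, FLOOR_H)
        print(f"{name}: device at {device} is consistent with {candidates}")
```

With two sensors the second candidate is the reflection of the true position across the line through the sensors; with three collinear sensors it is the reflection across that line, which is why the guide says to use corners and avoid symmetric coverage.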


Chapter 6. Building Your Network Structure (Tree)


This chapter discusses the two basic stages for building your network tree.

6.1 Chapter Contents


This chapter includes the following topics:

Topic                                    Page
Planning Your Network Structure (Tree)   6-1
Building Your Tree                       6-3

6.2 Planning Your Network Structure (Tree)


6.2.1 Overview
Deciding how to structure your AirDefense tree depends on:
- Whether you want to use triangulation for location tracking
- Whether you want to use domain-based partitioning
- How you plan to apply policies to devices
- How the tree affects the scope in the UI

6.2.2 Triangulation considerations


To use triangulation, you must load the AirDefense server with a two-dimensional map of the floor your sensors are located on. Maps must be loaded at the group or location level. Therefore, you need each floor to be a group or a location. If you want to use triangulation AND you want to divide one or more floors into groups, such as departments, in order to apply different policies to them, then the floor must be a location. If you want the building to be the location, you must make the floors groups. You cannot use triangulation over multiple floors, so you cannot make groups comprised of multiple floors if you want to use triangulation. If you don't want to do triangulation, you can combine groups from multiple floors into a single location.


6.2.3 Domain Considerations


You must also consider how you plan to use domains to control the data each user can access. You cannot create domains at the group level; you must use locations. You should not place multiple groups in one location if you want to create a domain containing a subset of those groups.

6.2.4 Example
You are creating groups and locations for a multi-tenant office. You create a location called 5th Floor, consisting of groups by company on that floor. You have two users responsible for monitoring WLAN security on the floor: Nathan monitors Company A, and Maria monitors Company B. To prevent Nathan and Maria from accessing each other's AirDefense server data, you must create one location for Company A and another location for Company B. Consequently, you can't create Locations for higher-level network grouping, but you can create domains at higher levels, such as building, city, or country. If it is not critical that Nathan and Maria be unable to access each other's data, you could let them share the same domain and use tree filters to limit the data they view, for management purposes.

6.2.5 Policy Considerations


When you are creating groups, you should group together devices that you expect to share common policies. Although you can certainly apply policies at the device level, it is often more convenient to apply them at higher levels (group or location).

6.2.6 UI Scope Considerations


You control the scope of data you see at any time by selecting nodes in the tree. If you want to view data from one area of your WLAN separately from data about the rest of the WLAN, you should consider how you can create a location or group for that area. Then viewing its data discretely is as easy as clicking on that node in the tree. If you can't reconcile this need with the other considerations in this section, you may be able to achieve your goal using tree filters.

6.2.7 Combining Considerations


Example
A company with four buildings with multiple floors plans to use triangulation and domain partitioning. Two AirDefense users each manage the WLAN security for one building, and a third user manages the two other buildings. An overall system security administrator oversees all users and buildings.
- Buildings A, B, C, and D = locations A, B, C, and D
- Floors = groups
Create Domains:
- Domain 1 contains Location A and is assigned to User 1
- Domain 2 contains Location B and is assigned to User 2
- Domain 3 contains Locations C and D and is assigned to User 3
You could create a domain for the overall administrator, but you do not need to, because the System domain provided with AirDefense server contains all locations and domains.


Result
Each user can see only the data for the building(s) he manages. He can apply policy and view data by group (floor) within his building, and perform location tracking with triangulation by importing a map for each floor.
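The considerations in 6.2.2 through 6.2.4 can be checked mechanically before you build the tree. The validator below is an added example and not part of AirDefense Enterprise; the Group/Location/Domain data model, the function names and the isolate list of group pairs whose data must never be visible to the same user are assumptions used to express the rules, and the two plan builders reproduce the examples in 6.2.4 and 6.2.7.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    floors: set          # floors this group spans; one entry unless a group crosses floors


@dataclass
class Location:
    name: str
    groups: list         # Group objects


@dataclass
class Domain:
    name: str
    user: str
    locations: set       # 6.2.3: domains are made of locations, never of groups


@dataclass
class TreePlan:
    locations: list
    domains: list
    use_triangulation: bool = False
    # Pairs of group names whose data must never be visible to the same user (6.2.4).
    isolate: list = field(default_factory=list)


def check_plan(plan: TreePlan) -> list:
    """Return one message per violated consideration; an empty list means the plan is sound."""
    problems = []
    location_of = {g.name: loc.name for loc in plan.locations for g in loc.groups}
    known_locations = {loc.name for loc in plan.locations}

    # 6.2.2: a floor map loads at group or location level and cannot cover several floors,
    # so with triangulation every group must lie on exactly one floor.
    if plan.use_triangulation:
        for loc in plan.locations:
            for g in loc.groups:
                if len(g.floors) != 1:
                    problems.append(f"triangulation: group {g.name!r} in location {loc.name!r} "
                                    f"spans floors {sorted(g.floors)}; each floor must be a group or a location")

    # 6.2.3: a domain can only be built from locations that exist in the tree.
    for d in plan.domains:
        for name in sorted(d.locations - known_locations):
            problems.append(f"domain {d.name!r} references {name!r}, which is not a location; "
                            f"domains cannot be created at the group level")

    # 6.2.4: a domain exposes whole locations, so groups that must be kept apart
    # need separate locations, and no single domain may contain both locations.
    for a, b in plan.isolate:
        if a in location_of and location_of[a] == location_of.get(b):
            problems.append(f"groups {a!r} and {b!r} share location {location_of[a]!r}; "
                            f"give each its own location")
            continue
        for d in plan.domains:
            if location_of.get(a) in d.locations and location_of.get(b) in d.locations:
                problems.append(f"domain {d.name!r} (user {d.user}) exposes both {a!r} and {b!r}")
    return problems


def multi_tenant_plan(separate_locations: bool) -> TreePlan:
    """The 6.2.4 example: Nathan monitors Company A and Maria monitors Company B on the 5th floor."""
    company_a = Group("Company A", {"5"})
    company_b = Group("Company B", {"5"})
    if separate_locations:
        locations = [Location("Company A", [company_a]), Location("Company B", [company_b])]
        domains = [Domain("Nathan's domain", "Nathan", {"Company A"}),
                   Domain("Maria's domain", "Maria", {"Company B"})]
    else:
        locations = [Location("5th Floor", [company_a, company_b])]
        domains = [Domain("Nathan's domain", "Nathan", {"5th Floor"}),
                   Domain("Maria's domain", "Maria", {"5th Floor"})]
    return TreePlan(locations, domains, isolate=[("Company A", "Company B")])


def four_building_plan(floors_per_building: int = 3) -> TreePlan:
    """The 6.2.7 example: buildings are locations, floors are groups, three user domains."""
    locations = [Location(b, [Group(f"{b} floor {n}", {str(n)}) for n in range(1, floors_per_building + 1)])
                 for b in "ABCD"]
    domains = [Domain("Domain 1", "User 1", {"A"}),
               Domain("Domain 2", "User 2", {"B"}),
               Domain("Domain 3", "User 3", {"C", "D"})]
    return TreePlan(locations, domains, use_triangulation=True)


if __name__ == "__main__":
    for label, plan in [("shared 5th Floor location", multi_tenant_plan(False)),
                        ("one location per company", multi_tenant_plan(True)),
                        ("four buildings with triangulation", four_building_plan())]:
        print(f"{label}: {check_plan(plan) or 'OK'}")
```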

6.3 Building Your Tree


6.3.1 Process
While there are several important considerations when planning how to build your tree, actually building it is quite simple. Ideally, you should use the System Setup Wizard to build your tree. However, you can do it anywhere that there is access to the Network Tree. The person who installed your server UI may have created all or part of your tree during setup. You can always revisit the System Setup Wizard to add to or adjust your tree (Configuration > Configuration Wizard).

6.3.2 Create Locations and Groups


In the System Setup Wizard, you add locations and groups by clicking the appropriate buttons. Any time you add a location, it appears in the tree in alphabetical order. To control which location a group is added to, you should click the correct location before you click the Add Group button. In the Network Tree, you right-click on the system to add locations, and on a location to add groups.

6.3.3 Moving Locations/Groups/Sensors


In Network Tree, you can drag and drop groups and sensors from one location to another. In the System Setup Wizard, you can drag and drop or use the up and down arrow buttons to move groups or sensors.


6.3.4 Placing Sensors in Groups


When sensors are detected by the server, but are not yet in a group, they can be found in the Default group. Drag them from the Default group to the group you want them reporting through.

6.3.5 Saving your changes


If you edit the tree in the System Setup Wizard, you must click Finish to save your changes.

Chapter 7. Managing Sensors
This chapter describes how to manage AirDefense sensors, including information about communications, interfaces, and using APs as sensors.

7.1 Chapter Contents


This chapter contains the following topics.

Topic                                        Page
Sensor Basics                                7-2
Sensor Overview                              7-3
Using the Sensor UI                          7-5
Viewing Sensor Status                        7-7
Configuring Sensors Using Sensor UI          7-9
Using the Sensor Network Settings            7-16
Using the Monitoring Policy Manager          7-22
Troubleshooting Model 500 Series Sensors     7-28
Zero Configuration Options                   7-30
Scanning Mode                                7-32
Rebooting a Sensor                           7-33


7.2 Sensor Basics


7.2.1 Firmware Prerequisite
AirDefense Enterprise 7.3 supports sensors at firmware version 4.6.x or higher.

7.2.2 Sensor Interfaces


AirDefense provides three user interfaces for managing the Sensors in your system. The three interfaces are:
- Sensor User Interface (Sensor UI): Typically, you use this web-based interface to configure Sensor settings for the first time.
- Monitoring Policy Manager (Enterprise GUI): Typically, you use this window in the AirDefense GUI to define profiles for all individual Sensors and to define auto placement rules for Sensors.
- Sensor Network Settings (Enterprise GUI): Typically, you use this window in the AirDefense GUI to configure network settings for Sensors.
Important! You must configure and physically install each Sensor on your network. For additional information on installation and deployment, see the AirDefense Sensor Quick Start that accompanied your AirDefense Server.

7.2.3 Sensor Network Connections


You must have the appropriate ports open for communication between the Sensors and the AirDefense Server, and for administrative sessions with the AirDefense Server.
TCP Port                    Connection between...
TCP 80 (http, not secure)   Sensor and AirDefense Server, no encryption. This port is automatically selected when Encryption Mode is Off in the Sensor UI.
TCP 443 (https, secure)     Sensor and AirDefense Server, encryption (default).
                            Sensor and Sensor UI browser client, encryption (https). This port is automatically selected when Encryption Mode is On in the Sensor UI.

7.2.4 Enabling Device Termination on Sensors


In addition to enabling device termination on the server, as described in Chapter 2, you must also enable it on the appropriate sensors.


7.3 Sensor Overview


7.3.1 Introduction
AirDefense offers several Sensor models, most of which function the same and are similar from an installation and configuration standpoint. The three most common Sensors deployed with AirDefense systems are:

AirDefense Model 400 Sensor


The AirDefense Model 400 Sensor, with firmware V.4.6.x or higher, monitors 802.11a, 802.11b, and 802.11g traffic.

AirDefense Model 510 Sensor


The AirDefense Model 510 Sensor, with firmware V.4.6.x or higher, monitors 802.11a, 802.11b, and 802.11g traffic. The Model 510 Sensor has internal antennas and external antenna capabilities and must be powered by 802.3af compliant Power-over-Ethernet. The Model 510 Sensor is also plenum rated and ROHS compliant.

AirDefense Model 520 Sensor


The AirDefense Model 520 Sensor, with firmware V.4.6.x or higher, monitors 802.11a, 802.11b, and 802.11g traffic. The Model 520 Sensor comes with two external antennas (using RP-SMA connectors) which can be oriented in any direction to maximize coverage. The 520 can be powered by the supplied DC adapter or 802.3af compliant Power-over-Ethernet. The Model 520 Sensor is also plenum rated and ROHS compliant.


7.3.2 Access Points as Dedicated Sensors


In addition to the AirDefense Sensor models listed in the previous section, AirDefense Enterprise can support some Access Points that have been converted to a dedicated Sensor. AirDefense Enterprise r7.3 supports the following Access Points as a Sensor:
- Motorola AP300
- Motorola AP51xx
- Motorola AP71xx
- Trapeze Mobility Point MP-372
- Enterasys AP1602
- Nortel 2330 and 2330A

7.3.2.1 Motorola AP300 Access Port as a Sensor


AirDefense Enterprise r7.3 or later also supports Motorola AP300 Access Points that have been converted to Sensors. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. For AirDefense Enterprise r7.3.2, a converted AP300 must have firmware V.4.5.1x or higher installed. The user must have the sensor conversion software or switch infrastructure to convert an AP300 Access Point to a Sensor. This is a Windows-based application that is available from Motorola, Inc. The same application can convert an AP300 sensor back into an Access Point.

7.3.2.2 Trapeze Mobility Point MP-372 as a Sensor


AirDefense Enterprise r7.3 or later supports Trapeze Mobility Points (MP-372) that have been converted to a Sensor. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have Trapeze Mobility System version 6.2 or higher, and download the sensor conversion software called adconvert.bin. After copying the sensor conversion software to the Trapeze MX switch that manages the AP to be converted, the sensor software can be loaded into the AP. The sensor can be converted back to an MP-372 Access Point through the AirDefense Enterprise GUI or Sensor UI.

7.3.2.3 Enterasys AP1602 Access Point as a Sensor


AirDefense Enterprise r7.3 or later supports Enterasys RoamAbout Access Points (AP1602) that have been converted to a Sensor. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have the Enterasys RoamAbout Switch Manager and RBT-8xxx series Wireless Switch deployed to convert an AP into a sensor and back.

7.3.2.4 Nortel 2330 and 2330A Access Point as a Sensor


AirDefense Enterprise r7.3 or later supports Nortel 2300 series Access Points (2330 & 2330A) that have been converted to a Sensor. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have the Nortel 2300 series WLAN Management System (WMS) and WLAN Security Switch deployed to convert an AP into a sensor and back.

Managing Sensors 7-5

7.3.3 Access Points as Dedicated Sensors or Dual AP and Sensor Functionality


In addition to the AirDefense Sensor models and the Access Points functioning as dedicated Sensors, AirDefense Enterprise 7.3.4 can support some Access Points that function either as dedicated Sensors or as an AP and a Sensor at the same time. The following Access Points are supported:
- Motorola Model 51xx
- Motorola Model 71xx

7.3.3.1 Motorola Model 51xx


The Motorola AP51xx can operate as an Access Point, a dedicated 802.11 a/b/g Sensor or both. The AP51xx with AP firmware 2.1.x or higher has built in WIPS code and one radio can be configured for dedicated monitoring of 802.11 a/b/g traffic. A dual-radio unit can simultaneously serve either 802.11 a or 802.11 b/g clients.

7.3.3.2 Motorola Model 71xx


The Motorola AP71xx can operate as an 802.11n Access Point, a dedicated 802.11n Sensor or both. The AP71xx with AP firmware 3.2.x or higher has built in WIPS code and one radio can be configured for dedicated monitoring of 802.11 a/g/n traffic. A dual-radio unit can simultaneously serve either 802.11 a/n or 802.11 g/n clients. The AP7131 is available with an integrated antenna façade (as shown) or external antennas.

7.4 Using the Sensor UI


7.4.1 Overview
The Model 400, 510, and 520 Sensor UI is an HTML-based web server that resides on the Sensor. To access the web-based Sensor UI, you must log in remotely from a web browser.

7.4.2 Mandatory tasks from the Sensor UI


All Sensor network settings can be modified from either the Sensor UI or from the Sensor program area in the AirDefense GUI. Several settings are required for initial Sensor setup, in order for the Sensor to communicate with the AirDefense Server. You can use the Sensor UI to configure several more optional settings, or you can configure these later from the Server GUI. This includes adding another Sensor to your wireless LAN. However, you must use the Sensor UI to do the following:
- Enable/disable remote maintenance mode (SSH) to the Sensor (Model 400 only)
- Change the password for the Sensor Web User (Admin user or Monitor user)
- Configure external antenna radio gain
- Configure Extended Channel Scan
- Restore Sensor configuration to factory defaults
- Remotely reboot Sensor

7.4.3 Access the Sensor UI


To access the Sensor UI, you must know the sensor's IP address. You can find the sensor IP address in the Enterprise GUI, or you can access the sensor directly using the sensor default IP alias https://192.168.100.100 (see section Connect to AirDefense Sensors). Open a browser and establish a secure connection to the sensor by typing https://<sensor IP address>.

7.4.4 Sensor UI Tabs


The Sensor UI consists of a display area and four tabs, which will be discussed in this book:
- Configure Sensor: discussed in this chapter
- View Status: discussed in this chapter
- Update Software: discussed in the Maintenance chapter
- Advanced Settings: discussed in this chapter

7.4.5 Display Area


The display area appears at the top of the window and lists information that the sensor has automatically detected: MAC address, Software Version, Hardware Model, Sensor Up-time, and information about the connection.


7.5 Viewing Sensor Status


7.5.1 Overview
The View Status tab displays information about the Sensor and lets you access the syslog. Information is displayed in two panes to reflect whether it pertains to the Wired or Wireless configuration.

7.5.2 Wired Configuration Elements


Configuration elements include: Ethernet, IP Address, Netmask, Gateway, and MTU.


7.5.3 Wireless Configuration Elements


Configuration elements include: Transmit Mode status, 2.4GHz information, and 5GHz information.

7.5.4 The Sensor Syslog Window


You can click the View Syslog button at the bottom of the View Status tab to see syslog details. The Sensor Syslog window displays real-time data on the sensor's status and events. Use the following buttons to manage the data the syslog displays: Refresh, Return, Clear Log, and Show device table in syslog.


7.6 Configuring Sensors Using Sensor UI


7.6.1 Overview
This section contains instructions for configuring sensors for use with AirDefense Enterprise server.

7.6.2 Model 500 Series Prerequisites


You must have the hardware and software components listed below:
- One (minimum) AirDefense Enterprise Server running version 7.3 or higher.
- Model 500 Series Sensor running firmware version 4.6.x or higher.
- Power source for the Sensor:
  - Model 510 sensor: The model 510 sensor must receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard (not included).
  - Model 520 sensor: The model 520 sensor can be powered by an AC to DC power adapter (supplied). The sensor does not have a power switch; it is powered on when connected to the power adapter, and the power adapter is connected to a power source (100-240 Volts at 50 or 60 Hz). The model 520 sensor may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard (not included). Note that if the sensor is connected to a PoE source device and also connected to a local power source through the AC power adapter, PoE will be disabled.

Important! The Model 510 and Model 520 Sensors are designed to receive power from an 802.3af-compliant source, an 802.3af-compliant switch, or an AirDefense-approved power injector. Connecting a sensor to a Power-over-Ethernet device that is not approved by AirDefense can damage the equipment.

7.6.3 Connecting to AirDefense Sensors


Follow the instructions below to connect each AirDefense Sensor.

7.6.3.1 500 Series Sensors


1. Directly connect the Sensor to your station using the supplied Ethernet cable. If an AirDefense PoE injector is used, connect your Station to Data In and connect your Sensor to Data and Power Out.
   - Model 510: plug the Ethernet cable into port 1 or 2.
   - Model 520: plug the Ethernet cable into the PoE In port.

2. Power up the Sensor with the AC/DC power adapter (Model 520 only) or power up the Sensor with your 802.3af compliant PoE source.

7.6.3.2 400 Sensors


1. Directly connect the Sensor to your workstation or laptop using one of two methods:
   - Method One: Connect the Sensor and your workstation or laptop to a hub, using standard Ethernet cables. AirDefense, Inc. recommends this method, which eliminates some equipment incompatibilities.
   - Method Two: Connect the Sensor to your workstation or laptop using a crossover Ethernet cable (supplied). On the Sensor side, the Ethernet cable plugs into the LAN port on the back of the Model 400 Sensor.
2. Connect the Sensor power cord and DC adapter between a standard AC receptacle and the DC input connector on the Sensor back panel.
3. Power up the Sensor.

7.6.4 Accessing the Sensor Interface


Follow the instructions below to set up each AirDefense Sensor in your wireless LAN. You will be using the Sensor User Interface (Sensor UI) for this setup, an HTML-based interface that resides on the Sensor. Use the Sensor UI to initially configure Sensors, and to perform some maintenance activities after the initial installation. To access the Sensor UI, you must log in remotely from your workstation web browser.
1. Set your workstation's IP address to 192.168.100.10 and subnet mask to 255.255.255.0.
2. Type https://192.168.100.100 in your browser; press <Enter>.
3. The Sensor UI login screen appears.
4. Enter the default user name and password in the login screen: User Name: admin; Password: airsensor
Important! In the interest of security, change the Sensor Web User login password at your earliest opportunity.


7.6.4.1 Configure Sensor Tab


The Configure Sensor tab (below) is the default tab in the Sensor UI.

It contains controls that let you specify basic sensor settings.

Configure Sensor Tab Fields


The following table lists the fields on the Configure Sensor tab.
Sensor Name
    Enter a friendly user name for the Sensor. When you open AirDefense, this is the name the Sensor will have in the tree panel area.
Primary AirDefense Server IP Address
    Enter the Primary AirDefense Server IP address or the server DNS name as defined in your DNS system.
Secondary AirDefense Server IP Address
    Enter the Secondary AirDefense Server IP address or the server DNS name as defined in your DNS system. If you do not have a Secondary server, enter the Primary Server address or DNS name again.
Use DHCP
    Select the option of setting up your Sensor to use DHCP. It is enabled by default. If you do not want to use DHCP, choose No, and then type the sensor's IP Address, Netmask, and Gateway IP Address.
Obtain DNS Automatically
    Automatically obtaining DNS is disabled by default. If you want to automatically obtain DNS, select the Yes button. If not, leave the No button selected, and then type the Primary DNS, Secondary DNS, and Domain Name.
New Admin Password / Verify Admin Password
    To change the password for an admin user, type the new password, and then verify it by typing it again.
New Monitor Password / Verify Monitor Password
    To change the password for a monitor user, type the new password, and then verify it by typing it again.

Setting Addresses

You must provide a valid IP address, netmask, and gateway IP address for the Sensor to communicate with the AirDefense Server. You can manually set each Sensor's static IP address, Sensor Netmask, and Gateway IP address, or you can automatically receive these address settings from a DHCP (Dynamic Host Configuration Protocol) server.

NOTE: For dedicated monitoring applications/devices, manually setting the addresses is often used to provide well known IP addresses for sensors and thus facilitate troubleshooting.

Use the Sensor UI to set the addresses. A detailed description is located in this chapter.

After Configuration

After you enter or change configuration information on the Configure Sensor tab, use the buttons along the bottom of the screen to:
- Cancel: discards changes.
- Save Basic Settings: applies changes and saves them on the AirDefense server.
The following screen shows the confirmation you see after your changes are saved and the sensor is about to reboot.
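As an added example (not part of this guide or of the AirDefense product), the following Python script checks a static IPv4 address, netmask and gateway for the consistency a Sensor needs before you type them into the Configure Sensor tab: a sensor whose gateway lies outside its own subnet, or whose address is the network or broadcast address, will never reach the AirDefense Server, and the LED table later in this chapter only tells you that it is "attempting to connect". The function name and the sample values are constructed for illustration.

```python
import ipaddress


def validate_static_config(ip: str, netmask: str, gateway: str) -> list:
    """Return a list of problems with a Sensor's static IPv4 settings.

    An empty list means the address, netmask and gateway are mutually
    consistent: a usable host address inside a valid subnet, plus a
    gateway that lives in that same subnet.
    """
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"IP address {ip!r} is not a valid IPv4 address"]
    try:
        # strict=False lets us pass the host address together with its mask;
        # a non-contiguous mask such as 255.255.0.255 raises ValueError here.
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError:
        return [f"netmask {netmask!r} is not a valid IPv4 netmask"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"gateway {gateway!r} is not a valid IPv4 address"]

    # The sensor must hold a host address, not the subnet's network or
    # broadcast address (/31 and /32 have no such reserved addresses).
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append(f"IP address {ip} is the network or broadcast address of {net}")
    # A gateway outside the sensor's own subnet cannot be reached directly.
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside subnet {net}")
    elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is the network or broadcast address of {net}")
    if gw == addr:
        problems.append("gateway must not be the sensor's own address")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the factory default alias from this chapter
    # paired with a plausible gateway, then two deliberately broken configs.
    for cfg in [
        ("192.168.100.100", "255.255.255.0", "192.168.100.1"),
        ("192.168.100.100", "255.255.255.0", "10.0.0.1"),
        ("192.168.100.0", "255.255.255.0", "192.168.100.1"),
    ]:
        print(cfg, "->", validate_static_config(*cfg) or "OK")
```

Run it before saving basic settings on a sensor that will not use DHCP; the same checks apply to the IPv4 section of the Sensor Network Settings window described later in this chapter.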


7.6.4.2 Confirming Connectivity to the Server


Confirm connectivity to the Sensor by looking at the tree panel on the Sensor Dashboard panel of the Sensor UI as follows:
1. Log into the AirDefense Server.
2. View the Sensor tree in the Dashboard tree panel. It should display the list of Sensors currently in your network. The new sensor will be listed under: Default Location > Default Group.

7.6.4.3 Advanced Settings Tab


The Advanced Settings tab contains controls that let you specify the advanced sensor settings.


Advanced Settings Tab Fields


The following table lists the fields on the Advanced Settings tab:

Radio A Antenna Gain
    Increases the signal level of radio A antennas by the specified value (in dBi).
Radio B/G Antenna Gain
    Increases the signal level of radio B/G antennas by the specified value (in dBi).
Use Remote Syslog
    Enter the IP address of the Remote Syslog Host server to which the Sensor data can be routed. This option is disabled by default.
Link Speed and MTU
    Choose the link speed and Maximum Transmission Unit. Link Speed Control enables you to set the Ethernet interface to either auto-negotiate (default), or to fix the interface to 10Mbps or 100Mbps, Full or Half duplex.
Extended Channel Scan
    Extended Channel Scans are disabled by default. They monitor all 802.11a channels that attackers or specialized equipment vendors might use; every 5MHz increment in both the 2.4GHz and 5GHz ranges is observed. If you want this sensor to be able to perform extended channel scans, select the Yes radio button. See Extended Channel Scan for more details about Extended Channel Scans.
FIPS Level Encryption
    FIPS Level Encryption is disabled by default. FIPS level encryption is generally not needed. If you do want to use FIPS level encryption, select the Yes radio button. This setting controls the https encryption level between the sensor and the browser. When selected, the sensor will only allow AES encryption to the browser (sensor UI). Only browsers that support this type of encryption will be able to connect to the sensor UI (e.g. Firefox) once this setting is configured to Yes. If you are using IE, do not select this option. Communication between the sensor and the server is not affected by this setting, and is always negotiated for AES. Note: FIPS level encryption is incompatible with Internet Explorer.
Restore Configuration to Factory Defaults
    When the Restore Now button is clicked, removes your changes and any other changes made in the past, and restores all fields to their defaults.
Reboot Sensor
    When the Reboot Now button is clicked, reboots the sensor.
Locate Sensor
    This feature helps you physically locate and/or identify a Sensor. You should only turn this feature on when you need to find a sensor. It is disabled by default. Select the Yes radio button to enable the Locate Sensor function. When you enable this button and then click Save, sensor LEDs begin blinking amber. Model 510: both LED1 and LED3 begin blinking amber while LED2 is solid amber. Model 520: LED1 and LED2 blinking green alternately with LED3 and LED4 blinking green. Important! You must turn the Locate function off (select No) after you have completed your Sensor search.


Enable IP Alias
    This feature allows you to use a DNS name instead of the IP address for the Sensor. Select the Yes radio button to enable this feature.
Enable IPv6
    This feature allows you to use IPv6 addresses if your network is IPv6 enabled. IPv6 addresses can only be obtained via IPv6 Auto-Configuration. Select the Yes radio button to enable this feature.

After Configuration

After you enter or change configuration information on the Advanced Settings tab, use the buttons along the bottom of the screen to:
- Cancel: discards changes.
- Save Advanced Settings: applies changes and saves them on the AirDefense server and Syslog server (if configured). You will receive the same confirmation as when Save Basic Settings is clicked on the Configure Sensor tab.


7.7 Using the Sensor Network Settings


7.7.1 Overview
The Sensor Network Settings are used to configure network settings for Sensors that are connected to your AirDefense appliance. One or more Sensors may be configured at the same time.

The Sensor Network Settings window has two tabs: Network Configuration and Advanced Configuration. The tabs are where you configure network settings for Sensors.

7.7.2 Network Configuration Tab


The Network Configuration tab (see screen shot in Overview) contains fields that configure your Sensors to communicate with your network. The tab is divided into five sections: Identification, Servers, IPv4, IPv6, and DNS.


7.7.2.1 Identification
The Identification section contains information that identifies an individual Sensor. The only editable field is the Sensor ID field. The other field information is auto-detected by AirDefense and cannot be edited. The following information is displayed:
Name
    The Sensor's name (editable field)
MAC Address
    The Sensor's MAC address
Hardware Model
    The Sensor's model number
Software Version
    The firmware version number of the Sensor software

7.7.2.2 Servers
The Server Information section is where you provide information about your AirDefense Enterprise server.
Primary AD Server
    Enter the Primary AirDefense Server IP address or the server DNS name as defined in your DNS system.
Secondary AD Server
    Enter the Secondary AirDefense Server IP address or the server DNS name as defined in your DNS system. If you do not have a Secondary server, enter the Primary Server address or DNS name again.

7.7.2.3 IPv4
The IPv4 section is where you provide IPv4 information for your Sensor.
Use DHCP
    DHCP, short for Dynamic Host Configuration Protocol, is a protocol for assigning dynamic IP addresses to devices in a network. If you want to use a DHCP server, enable DHCP. If you want to manually enter the IP address, Sensor Netmask, and Gateway IP address, disable DHCP. Note: For dedicated monitoring applications, manually setting the Sensor's IP address, Sensor Netmask, and Gateway IP address may better serve device connection reliability throughout the entire wireless LAN.
IP Address
    Static IP address for the Sensor. Note: Field is grayed out if DHCP is enabled.
Net Mask
    Subnet to which the Sensor belongs. Note: Field is grayed out if DHCP is enabled.
Gateway
    Gateway IP address to the Sensor. Note: Field is grayed out if DHCP is enabled.

7.7.2.4 IPv6
The IPv6 section is where you provide IPv6 information for your Sensor. This entire section is grayed out if your system cannot handle IPv6 traffic.
Enabled
    If your Sensor and network have IPv6 capability, enable this field to use IPv6. Otherwise, disable this field.
Use DHCP
    DHCP, short for Dynamic Host Configuration Protocol, is a protocol for assigning dynamic IP addresses to devices in a network. If you want to use a DHCP server, enable DHCP. If you want to manually enter the IP address, Sensor Netmask, and Gateway IP address, disable DHCP. Note: For dedicated monitoring applications, manually setting the Sensor's IP address, Sensor Netmask, and Gateway IP address may better serve device connection reliability throughout the entire wireless LAN.
Static Enabled
    Enable or disable the static fields.
Static Prefix Length
    Static prefix length as a decimal value.
Static IP Address
    Static IP address for the Sensor. Note: Field is grayed out if DHCP is enabled.
Static Gateway
    Gateway IP address to the Sensor. Note: Field is grayed out if DHCP is enabled.

7.7.2.5 DNS
The DNS section is where you provide information on your Domain Name Server.
Obtain DNS Automatically
    Specify whether you want to automatically obtain DNS information. Note: If you decide not to automatically obtain DNS information, the other fields in the DNS section are grayed out.
Primary DNS
    IP address for the primary DNS server.
Secondary DNS
    IP address for the secondary DNS server.
Domain Name
    Domain name for your DNS server.


7.7.3 Advanced Configuration Tab


The Advanced Configuration tab contains fields that configure your more advanced Sensor network settings. The tab is divided into four sections: Global Settings, Syslog, Passwords, and Radio Antenna Gain.


7.7.3.1 Global Settings


The Global Settings section is where you provide global information for your Sensor.
Enable IP Alias
    Turns IP aliasing on or off.
Enable CDP
    Enables or disables the Cisco Discovery Protocol.
CDP Interval
    Sets the CDP interval in seconds.
FIPS Mode
    Note: FIPS Level Encryption is disabled by default. FIPS level encryption is generally not needed. Controls the https encryption level between the sensor and the browser. When enabled, the sensor will only allow AES encryption to the browser (sensor UI). Only browsers that support this type of encryption will be able to connect to the sensor UI (e.g. Firefox). If you are using IE, do not enable this option. Communication between the sensor and the server is not affected by this option, and is always negotiated for AES.
Link Speed
    Enables you to set the Ethernet interface to either auto-negotiate (default), or to fix the interface to 10Mbps (Full or Half duplex) or 100Mbps (Full or Half duplex).
MTU
    Sets the Maximum Transmission Unit.
Country
    Sets the region to a specific country.

7.7.3.2 Syslog
The Syslog section is where you supply Syslog information for your Sensor.
Remote Syslog
    Specifies whether or not you want to use a Syslog host.
Syslog IP
    Sets the IP address of the remote Syslog host server to which the Sensor data can be routed. This option is disabled by default.
Syslog Port
    Sets the port number of the remote Syslog host server. This option is disabled by default.


7.7.3.3 Passwords
The Password section is where you change and verify passwords for administrators and monitors.
New Admin Password / Verify Admin Password
    Changes the password for an admin user / verifies a changed password for an admin user.
New Monitor Password / Verify Monitor Password
    Changes the password for a monitor user / verifies a changed password for a monitor user.

7.7.3.4 Radio Antenna Gain


The Radio Antenna Gain section is where you supply information about a custom radio antenna.
Custom Antenna Gain
    Specifies whether you want to use a custom antenna gain or not.
Radio Antenna Gain
    Increases the signal level of radio A antennas by the specified value (in dBi).


7.8 Using the Monitoring Policy Manager


7.8.1 Overview
The Monitoring Policy Manager is used to define profiles for all individual Sensors that are connected to the AirDefense appliance and to define auto placement rules for Sensors. Sensor profiles determine whether or not the following features are turned on or off:
- Air Termination
- Background scans for Spectrum Analysis (must have a valid license for Spectrum Analysis)
- Limiting bandwidth during upgrades
- WEP Cloaking (provided you have installed the WEP Cloaking add-on tool)
Profiles also allow you to set the Sensor scan type.

The Monitoring Policy Manager has three tabs: Identification, Profile Configuration, and Override Profile.


7.8.2 Identification Tab


The Identification tab (see graphic in Overview) contains information that identifies an individual Sensor. The information is auto-detected by AirDefense and cannot be edited. The following information is displayed:
Sensor ID
    Identifies the Sensor by name.
MAC Address
    Displays the Sensor's MAC address.

You can also reclassify a Sensor using the Auto Placement Rules. Administrators can establish auto placement rules that determine where a Sensor belongs in the network. For example, if you wanted all Sensors assigned to a particular DNS server to be part of a particular group, you can create an auto placement rule to make it happen. Auto Placement Rules have the following properties:
Name
    Identifies the rule. Names are established automatically but you can change them.
Destination
    Identifies where a Sensor is placed when an auto placement rule is executed. The destination is always a group.
Type
    The type of rule may be one of the following seven types: Network Address, MAC Address Range, DHCP, Sensor Model, IP Range, DNS_Server, Sensor Name.
Rule
    This is the actual rule. The type determines which rule will be used.
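The following Python script is an added example of how a rule set of the kind described above can be evaluated; it is not AirDefense code and the guide does not document the value syntax of each rule type, so the formats used here (a CIDR subnet for Network Address, an inclusive low/high pair for the two range types, a yes/no string for DHCP, a glob for Sensor Name, exact strings otherwise), the first-match-wins ordering, and all sensor and rule values are assumptions constructed for the demonstration. Unmatched sensors land in the default group named earlier in this chapter.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

DEFAULT_GROUP = "Default Location > Default Group"  # where unmatched sensors land


@dataclass
class Sensor:
    """Attributes a placement rule can test (constructed for this example)."""
    name: str
    mac: str          # colon- or dash-separated hex
    ip: str
    model: str
    dhcp: bool
    dns_server: str


@dataclass
class PlacementRule:
    """One Auto Placement Rule: a name, a destination group, a type and a rule value."""
    name: str
    destination: str   # always a group
    rule_type: str     # one of the seven types listed in the guide
    rule: object       # str, or a (low, high) tuple for the two range types


def _mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def rule_matches(rule: PlacementRule, sensor: Sensor) -> bool:
    """Evaluate one rule against one sensor (value syntax per type is assumed)."""
    t = rule.rule_type
    if t == "Network Address":            # CIDR subnet, e.g. "10.10.5.0/24"
        return ipaddress.ip_address(sensor.ip) in ipaddress.ip_network(rule.rule, strict=False)
    if t == "MAC Address Range":          # (low_mac, high_mac), inclusive
        low, high = (_mac_to_int(m) for m in rule.rule)
        return low <= _mac_to_int(sensor.mac) <= high
    if t == "DHCP":                       # "yes" or "no"
        return sensor.dhcp == (str(rule.rule).lower() == "yes")
    if t == "Sensor Model":               # exact model string, e.g. "520"
        return sensor.model == rule.rule
    if t == "IP Range":                   # (low_ip, high_ip), inclusive
        low, high = (ipaddress.ip_address(a) for a in rule.rule)
        return low <= ipaddress.ip_address(sensor.ip) <= high
    if t == "DNS_Server":                 # exact DNS server address
        return sensor.dns_server == rule.rule
    if t == "Sensor Name":                # shell-style glob on the sensor name
        return fnmatch.fnmatchcase(sensor.name, rule.rule)
    raise ValueError(f"unknown rule type {t!r}")


def place_sensor(sensor: Sensor, rules: list) -> str:
    """Return the destination group of the first matching rule, else the default group."""
    for rule in rules:
        if rule_matches(rule, sensor):
            return rule.destination
    return DEFAULT_GROUP


# Constructed rules and sensors for the demonstration; rule order matters.
RULES = [
    PlacementRule("Lobby subnet", "HQ > Lobby", "Network Address", "10.10.5.0/24"),
    PlacementRule("Model 520s", "HQ > Warehouse", "Sensor Model", "520"),
    PlacementRule("East DNS", "Branch > East", "DNS_Server", "10.20.0.53"),
    PlacementRule("Lab names", "HQ > Lab", "Sensor Name", "lab-*"),
    PlacementRule("Vendor OUI", "HQ > Vendor", "MAC Address Range",
                  ("00:a0:f8:00:00:00", "00:a0:f8:ff:ff:ff")),
    PlacementRule("Mgmt range", "HQ > Mgmt", "IP Range", ("10.10.9.10", "10.10.9.20")),
    PlacementRule("DHCP sensors", "Unassigned > DHCP", "DHCP", "yes"),
]

SENSORS = [
    Sensor("lobby-1", "00:a0:f8:12:34:56", "10.10.5.14", "510", False, "10.10.0.53"),
    Sensor("lab-3", "00:15:70:aa:bb:cc", "10.10.9.15", "520", True, "10.10.0.53"),
    Sensor("east-2", "00:15:70:01:02:03", "10.20.7.9", "400", True, "10.20.0.53"),
    Sensor("spare", "00:15:70:00:00:01", "10.30.0.5", "400", False, "10.30.0.53"),
]

if __name__ == "__main__":
    for s in SENSORS:
        print(f"{s.name:8} -> {place_sensor(s, RULES)}")
```

Because the first matching rule decides, a sensor that satisfies several rules (lab-3 above matches the Sensor Model, Sensor Name and IP Range rules) is placed by whichever rule is listed first, which is why the ordering of rules deserves the same care as their contents.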


7.8.3 Profile Configuration Tab


The Profile Configuration tab is where you actually define Sensor profiles. Sensor profiles are defined at the system level but may be defined individually. Individual Sensors inherit their profile from the system level profile. When you view a profile that is not a system level profile, you have the option to configure the profile at that level. This is a screen shot of a system level profile.

An administrator defines the default profile for all Sensors. Policy Configuration has two configurable tabs: Operational and Monitor.


7.8.3.1 Operational Tab


The Operational tab (see previous screen shot) allows you to configure the following features/functions:
Air Termination
    Air Termination lets you terminate the connection between your wireless LAN and any Access Point or Station associated with it. By default, Air Termination is disabled.
Background SA Scan
    Spectrum Analysis has the capability to run background scans. By default, background scans are disabled.
WEP Cloak
    WEP Cloaking is an add-on tool that injects noise into a WEP-protected environment by transmitting frames that appear to be sourced from valid devices but are encrypted with an invalid WEP key. By default, WEP Cloaking is disabled.
Auto Upgrade Sensors
    This feature allows you to automatically upgrade a Sensor if new Sensor firmware is available on the server.
Scan Type
    You can choose which channels to monitor by selecting one of the following scan types:
    - Default Scan (scans standard channels)
    - Extended Channel Scan (scans standard channels plus extended channels)
    - Extended and Emergency Channel Scan (scans all channels including emergency channels)
    - Custom Scan (scans selected 2 GHz and 5 GHz channels)

Lock on Channel is used to lock a Sensor on a specific channel for monitoring. When a channel is selected, the table is updated to reflect the channel that has been locked on.


7.8.3.2 Monitor Tab


The Monitor tab allows you to configure the thresholds for monitoring. If a threshold value is exceeded, an alarm is generated.

The following thresholds can be configured for monitoring.


CRC Errors
    Cyclic redundancy check (CRC) errors should not exceed the specified percentage value.
Excessive APs
    APs on your network are considered excessive if the specified value is exceeded.
Excessive Stations
    Stations on your network are considered excessive if the specified value is exceeded.
Avg. Signal Strength (dBm)
    The average signal strength (in dBm) of APs on your network should not exceed the specified value.
APs per Channel
    The number of APs on any particular channel should not exceed the specified value.
Channel Noise (dBm)
    Channel noise is monitored to ensure that the noise does not exceed the specified value.
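As an added illustration of how the six thresholds above translate into alarms (this is example code written for this page, not AirDefense's alarm engine), the Python script below evaluates a constructed per-channel observation against a threshold set. The threshold numbers, the ChannelSample structure and the sample data are all constructed; the one subtlety worth noticing is that signal strength and noise are in dBm, so "exceeds" means numerically greater, that is, a stronger signal or a noisier channel.

```python
from dataclasses import dataclass

# Threshold values as they might be entered on the Monitor tab.
# These numbers are constructed for the example, not product defaults.
THRESHOLDS = {
    "CRC Errors": 10.0,               # percent of frames
    "Excessive APs": 50,
    "Excessive Stations": 200,
    "Avg. Signal Strength (dBm)": -30,
    "APs per Channel": 5,
    "Channel Noise (dBm)": -80,
}


@dataclass
class ChannelSample:
    """What a sensor might report for one channel in one interval (constructed)."""
    channel: int
    frames: int
    crc_errors: int
    ap_signal_dbm: dict      # AP MAC -> average signal in dBm
    station_count: int
    noise_dbm: int


def evaluate_thresholds(samples, thresholds=THRESHOLDS):
    """Return (threshold name, detail) alarms for every value that exceeds its limit.

    Percentages and counts are compared as usual; dBm values compare
    numerically, so -47 dBm does not exceed a -30 dBm limit but -70 dBm
    of noise does exceed a -80 dBm limit.
    """
    alarms = []
    total_frames = sum(s.frames for s in samples)
    total_crc = sum(s.crc_errors for s in samples)
    if total_frames:
        crc_pct = 100.0 * total_crc / total_frames
        if crc_pct > thresholds["CRC Errors"]:
            alarms.append(("CRC Errors", f"{crc_pct:.1f}% of frames failed CRC"))

    # One AP can be heard on several channels; count each MAC once.
    all_aps = {mac: dbm for s in samples for mac, dbm in s.ap_signal_dbm.items()}
    if len(all_aps) > thresholds["Excessive APs"]:
        alarms.append(("Excessive APs", f"{len(all_aps)} APs observed"))

    stations = sum(s.station_count for s in samples)
    if stations > thresholds["Excessive Stations"]:
        alarms.append(("Excessive Stations", f"{stations} stations observed"))

    if all_aps:
        avg_signal = sum(all_aps.values()) / len(all_aps)
        if avg_signal > thresholds["Avg. Signal Strength (dBm)"]:
            alarms.append(("Avg. Signal Strength (dBm)",
                           f"average AP signal {avg_signal:.1f} dBm"))

    for s in samples:
        if len(s.ap_signal_dbm) > thresholds["APs per Channel"]:
            alarms.append(("APs per Channel", f"channel {s.channel}: {len(s.ap_signal_dbm)} APs"))
        if s.noise_dbm > thresholds["Channel Noise (dBm)"]:
            alarms.append(("Channel Noise (dBm)", f"channel {s.channel}: noise {s.noise_dbm} dBm"))
    return alarms


# Constructed sample interval: channel 6 is crowded, noisy and carries most CRC errors.
SAMPLES = [
    ChannelSample(1, 1000, 30, {"00:11:22:00:00:01": -50, "00:11:22:00:00:02": -55,
                                "00:11:22:00:00:03": -60}, 40, -92),
    ChannelSample(6, 2000, 400, {f"00:11:22:00:01:{i:02x}": -40 for i in range(6)}, 120, -70),
    ChannelSample(11, 500, 5, {"00:11:22:00:00:0a": -65}, 10, -90),
]

if __name__ == "__main__":
    for name, detail in evaluate_thresholds(SAMPLES):
        print(f"ALARM {name}: {detail}")
```

With the constructed data the CRC error rate (435 of 3500 frames, 12.4%), the six APs on channel 6 and the -70 dBm noise on that channel each raise an alarm, while the average AP signal of -47 dBm stays under the -30 dBm limit; lowering that limit to -50 dBm in the threshold dictionary would add a fourth alarm.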


7.8.4 Override Profile Tab


The Override Profile tab allows administrators to temporarily override the profile for a specific Sensor. When accessed, the Enable Configuration Override feature is disabled and the options are grayed out. You must enable the feature to change the options.

Basically, you set up an override profile the same way you set up Sensor profiles except there is an additional feature/function included in the Override Profile tab that is not included in the Profile Configuration tab. It is Override Time which is used to specify how long the profile will be overridden. Also, the Auto Upgrade Sensors feature/function is not part of the Override Profile tab.


7.9 Troubleshooting Model 500 Series Sensors


7.9.1 Overview
All sensor models have LEDs (Light Emitting Diodes) that provide status information about the device.

7.9.2 Model 510 Sensor LED Functionality


The standard orientation of the model 510 sensor is to have all LEDs at the bottom of the device.
- LED 1 (bottom left) = Radio activity indicator (802.11 a/b/g)
- LED 2 (center) = Power & Hardware indicator
- LED 3 (bottom right) = Network connectivity indicator

LEDs

LED 1: blinking GREEN; LED 2: solid GREEN; LED 3: solid GREEN
    Description: Sensor is receiving power, is connected to the server, and is detecting radio traffic.
    Possible Cause & Remedy: Sensor is operating correctly.
LED 1: off; LED 2: solid AMBER; LED 3: off
    Description: Hardware problem.
    Possible Cause & Remedy: Radio(s) not functioning properly or other hardware failure. Contact AirDefense customer support.
LED 1: off; LED 2: solid GREEN; LED 3: off
    Description: Sensor is receiving power, has not yet established a network connection.
    Possible Cause & Remedy: Sensor is likely in process of booting up. Wait approximately one minute for process to complete. Check network cable connections.
LED 1: off; LED 2: solid GREEN; LED 3: blinking AMBER
    Description: Sensor is receiving power, a connection to the switch has been established, but sensor is not receiving a DHCP address.
    Possible Cause & Remedy: No DHCP server available on network. Consider setting a static IP address on the sensor.
LED 1: off; LED 2: solid GREEN; LED 3: blinking GREEN
    Description: Sensor is receiving power, has received DHCP or is configured for static IP, and is attempting to connect to the AirDefense server.
    Possible Cause & Remedy: Sensor is likely in process of booting or cannot find the AirDefense server (primary or secondary). Wait approximately one minute. If this condition continues, contact AirDefense customer support.
LED 1: off; LED 2: solid GREEN; LED 3: solid GREEN
    Description: Sensor is receiving power, is connected to the server, and is not detecting any radio traffic (a, b or g).
    Possible Cause & Remedy: No 802.11a, b or g radio traffic is being observed. If you are sure that there is wireless traffic nearby, contact AirDefense customer support.
LED 1: N/A; LED 2: solid AMBER; LED 3: solid AMBER
    Description: Sensor firmware is being upgraded.
    Possible Cause & Remedy: Sensor firmware upgrade in process; do not unplug.
LED 1: blinking AMBER; LED 2: solid AMBER; LED 3: blinking AMBER
    Description: Sensor is receiving power, and Sensor Locate command has been issued.
    Possible Cause & Remedy: You can physically locate a Sensor by sending the Locate command from the Sensor UI. Log into the Sensor UI and turn the Locate option off.

7.9.3 Model 520 Sensor LED Functionality


The standard orientation or positioning for the Model 520 Sensor is to have all LEDs at the bottom right of the device as you have it facing you.
- LED1: Power Indicator (Pwr)
- LED2: Link Indicator (Link)
- LED3: Network Connectivity Indicator (CON)
- LED4: Radio Activity (a/b/g) Indicator (Radio)

LEDs

PWR: off; Link: solid GREEN; CON: off; Radio: off
    Description: Sensor is booting up.
    Possible Cause & Remedy: Wait approximately 30 seconds for boot up process to complete.
PWR: solid GREEN; Link: solid GREEN; CON: off; Radio: off
    Description: Ethernet link detected but no DHCP (if DHCP enabled).
    Possible Cause & Remedy: No DHCP server available on network. Consider setting a static IP address on the sensor.
PWR: solid GREEN; Link: solid GREEN; CON: blinking GREEN; Radio: off
    Description: Sensor has detected active Ethernet link and is attempting to connect to the AirDefense server (primary or secondary).
    Possible Cause & Remedy: Sensor is attempting to connect to the AirDefense server. Wait approximately one minute. If this condition continues, contact AirDefense support. You may want to verify the server IP address setting.
PWR: solid GREEN; Link: solid GREEN; CON: solid GREEN; Radio: off
    Description: Sensor has detected active Ethernet link and is connected to the AirDefense server.
    Possible Cause & Remedy: No 802.11a, b or g radio traffic is being observed. If you are sure that there is wireless traffic nearby, contact AirDefense support.
PWR: solid GREEN; Link: solid GREEN; CON: solid GREEN; Radio: blinking GREEN
    Description: Sensor is connected to the AirDefense server and the radio is detecting 802.11 traffic.
    Possible Cause & Remedy: Normal operation in wireless environment.
PWR: solid AMBER; Link: solid GREEN; CON: solid GREEN; Radio: blinking GREEN
    Description: Sensor firmware is being upgraded.
    Possible Cause & Remedy: Sensor firmware upgrade in process; do not unplug.
PWR & Link alternate blinking GREEN with CON & Radio blinking GREEN
    Description: Sensor is connected to network, and sensor Locate command has been issued.
    Possible Cause & Remedy: User can physically locate a Sensor by sending the Locate command from the Sensor UI. Log into the Sensor UI and turn Locate off.

7.10 Zero-Configuration Options


As an alternative to the manual IP configuration described earlier in this guide, AirDefense provides two options that let you install Sensors without locally configuring the primary Enterprise server on each sensor. The Zero-Configuration options are:
- Using Domain Name Resolution (DNS)
- Using Vendor Options from the DHCP Server

7.10.1 Using Domain Name Resolution (DNS)


Sensor deployment can be simplified by having the Sensor find the primary server via DNS (Domain Name System) resolution. Each sensor is shipped with the primary AirDefense server configured as airdefense1 and the secondary server configured as airdefense2.
1. Determine the IP addresses of your Primary and Secondary AirDefense server appliances.
2. Configure your DNS (Domain Name Server) to resolve each hostname to the appropriate IP address.

7.10.2 Using Vendor Options from the DHCP Server


Before you Start
You must first download a utility to generate the vendor options string. Contact Support for the Zero-Config utility, or log in to your Self Support account at http://support.airdefense.net and search for Setting up Zero Config DHCP for Sensor under Solutions. Download the Zero-Config utility:
- For Windows, download gendhcp.exe
- For Linux, download gendhcp


Run the Zero-Config Utility

    gendhcp primary_address [secondary_address]

The secondary IP address is optional. If the secondary option is left blank, both the primary and secondary servers will be set up the same. For example,

    gendhcp.exe 192.168.100.2 192.168.100.3

will produce the string:

    01:06:41:44:77:69:64:73:02:04:c0:a8:64:02:03:04:c0:a8:64:03:ff

7.10.3 For Microsoft Windows 2000, 2003 DHCP Servers:


For Microsoft DHCP servers, you choose the 043 Vendor Specific Info option from the existing DHCP options. With option 043 configured, the sensors will be able to automatically request AirDefense primary server information from the DHCP server. This lets you add a sensor to the network with no pre-configuration.
Procedure:

Open the DHCP utility, then go to the scope options for the DHCP scope you are placing the sensors in. Right click on Configure Options. On the General tab, scroll down to 043 Vendor Specific Info.

OR, if you are configuring a specific DHCP Vendor Class:
1. Create a new Vendor Class with any name unique to that system.
2. Add the vendor ID adsensor to the ASCII portion of the Vendor ID field.
3. From the server options, select Predefined Options for this vendor class.
4. From the list of predefined options, choose 043 to be added to this vendor class.
5. In the new 043 Vendor Specific Info, enter the new binary data from the output of genDHCP into the Binary area of the data field.

NOTE: This generated string is in Binary and must be typed into the binary field; it cannot be cut and pasted into the ASCII field, as the string would be treated as ASCII instead of binary.
Important! At the time of this release, some versions of the Microsoft DHCP Server do not correctly implement predefined options under vendor class.

7.10.4 For Linux:


For Linux DHCP servers, you usually must add the 043 Vendor-Specific option into a configuration file. The following example shows the necessary lines to add to the dhcpd.conf file:

    option dhcp-class-identifier "adsensor";
    option vendor-encapsulated-options 01:06:41:44:77:69:64:73:02:04:ac:10:00:44:03:04:ac:10:00:b5:ff;
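The following Python script is an added example and is not Motorola's gendhcp utility or any AirDefense code. It reproduces the layout that both vendor-option strings in sections 7.10.2 and 7.10.4 share (a 6-byte "ADwids" marker in sub-option 1, the primary server IPv4 address in sub-option 2, the secondary in sub-option 3, and a 0xff terminator) and decodes a string back into its fields, so that the server addresses a DHCP scope actually hands to sensors can be checked against the appliance addresses you intended. The sub-option tag numbers and the meaning of the marker are inferred from the two examples and are assumptions; confirm generated strings against gendhcp output before deploying them.

```python
"""Encode and decode the AirDefense sensor vendor-option string.

Added example (not the gendhcp utility). The layout is inferred from the
two strings shown in this guide; the tag numbers below are assumptions.
"""
import ipaddress
from typing import Dict, Optional

SENSOR_ID_TAG = 1        # assumed: sub-option carrying the fixed "ADwids" marker
PRIMARY_TAG = 2          # assumed: sub-option carrying the primary server IPv4
SECONDARY_TAG = 3        # assumed: sub-option carrying the secondary server IPv4
END_MARKER = 0xFF        # end-of-options byte, present in both guide examples
SENSOR_ID = b"ADwids"    # bytes 41:44:77:69:64:73 from the guide's strings


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag/length/value sub-option."""
    if not 0 < len(value) < 256:
        raise ValueError("sub-option value must be 1-255 bytes")
    return bytes([tag, len(value)]) + value


def encode_vendor_options(primary: str, secondary: Optional[str] = None) -> str:
    """Return the colon-separated hex string for option 043 / dhcpd.conf.

    As the guide says of gendhcp, leaving the secondary address out
    configures both servers the same.
    """
    p = ipaddress.IPv4Address(primary).packed
    s = ipaddress.IPv4Address(secondary).packed if secondary else p
    blob = (
        _tlv(SENSOR_ID_TAG, SENSOR_ID)
        + _tlv(PRIMARY_TAG, p)
        + _tlv(SECONDARY_TAG, s)
        + bytes([END_MARKER])
    )
    return ":".join(f"{b:02x}" for b in blob)


def decode_vendor_options(hexstr: str) -> Dict[str, str]:
    """Parse a vendor-option string back into its fields.

    A sensor connects to whatever server address this option names, so
    decoding what a scope really serves is a cheap audit step. Raises
    ValueError on truncated data or a missing end marker.
    """
    data = bytes.fromhex(hexstr.replace(":", ""))
    fields: Dict[str, str] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == END_MARKER:
            return fields
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {tag} declares {length} bytes, got {len(value)}")
        if tag == SENSOR_ID_TAG:
            fields["sensor_id"] = value.decode("ascii")
        elif tag in (PRIMARY_TAG, SECONDARY_TAG):
            key = "primary" if tag == PRIMARY_TAG else "secondary"
            fields[key] = str(ipaddress.IPv4Address(value))  # requires exactly 4 bytes
        else:
            fields[f"sub_option_{tag}"] = value.hex()
        i += 2 + length
    raise ValueError("missing 0xff end marker")


if __name__ == "__main__":
    s = encode_vendor_options("192.168.100.2", "192.168.100.3")
    print(s)
    print(decode_vendor_options(s))
```

Running the script with the guide's 192.168.100.2 / 192.168.100.3 pair reproduces the string printed in section 7.10.2; feeding it the dhcpd.conf string from this section decodes to 172.16.0.68 and 172.16.0.181. The decoder is the more useful half operationally: dump option 043 from a scope a sensor is being placed in and confirm the two addresses are your appliances before the sensor trusts them.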


7.11 Scanning Mode


7.11.1 Overview
Sensors have three user-selectable scanning modes:
- Quick Scan Mode
- Scan Channels
- Lock On Channel

7.11.2 Quick Scan Mode


Quick Scan (default setting) provides a method for continuous monitoring of all standard Sensor channels. Enabling Quick Scan simply places a one-second scan on each channel. NOTE: AirDefense, Inc. highly recommends that you use Quick Scan Mode as your primary mode for comprehensive monitoring of your WLAN. Other modes, like Lock On Channel, are useful for in-depth data gathering for specific periods of time, such as for close examination of suspicious activity.

7.11.3 Scan Channels


Select Scan Channels if you want the Sensor to continuously scan one or more channels that you select, and spend a length of time (in seconds) you define scanning each channel. While in Edit mode, selecting this option enables Set Scan Pattern. Click this to select channels and the length of time the Sensor should listen on each channel.

7.11.4 Lock On Channel


Select Lock On Channel if you want the Sensor to listen to network traffic on the selected channel. If you choose Lock on Channel, you must configure the channel in the Select Channel drop-down. Although you configure the Sensor to receive data on a particular channel (1-14 for 802.11b/g) depending on protocol, it may also receive data from adjacent channels, due to the overlapping nature of radio signals. This data also appears in the AirDefense GUI.

7.11.5 Quick Scan and Scan Channels


You can use Quick Scan Mode in conjunction with Scan Channels. Use Scan Channels to specify scan times on specific channels, and then enable Quick Scan. The Sensor scans the specified channels for the amount of time you define, and then performs 1-second spot scans of all remaining channels. Quick Scan does not override previously configured scan times on any channel.

7.11.6 Extended Channel Scan


The standard channels scanned by a model 500 series sensor are as follows:
- 14 802.11b/g channels between 2412 and 2484 MHz
- 28 802.11a channels between 5170 and 5825 MHz
- channels 8 (5040 MHz), 12 (5060 MHz), and 16 (5080 MHz)
- channels 184 (4920 MHz), 188 (4940 MHz), 192 (4960 MHz), and 196 (4980 MHz)

A total of 49 channels are scanned in standard mode or QuickScan mode, irrespective of regional configuration. AirDefense can scan 2.4 and 5 GHz concurrently with model 500 series sensors, as they are equipped with two concurrent dual-band radios.

In addition to the standard channels listed above, the Extended Channel Scan feature, when turned on, scans all channels from 4.9 GHz to 6.1 GHz in 5 MHz increments. Extended channel scanning is turned off by default. It should only be enabled when there is a requirement to monitor all 802.11a channels that specialized equipment vendors might use. Therefore, most users should not enable the Extended Channel Scan feature.

Quick Scan must be enabled before you can select the extended channel mode. If Quick Scan is not enabled, the Extended Channel Scan field in the Sensor UI is disabled (grayed out).

Extended Channel Scans are reported in the UI and in reports as follows:
- All extended channels below 5170 MHz are reported as channel 34.
- All extended channels above 5825 MHz are reported as channel 165.
- Extended channels between 34 and 165 are reported as the closest standard channel.

7.11.7 Recommendations
Only use lock on channel when you are investigating a device, because it maximizes the traffic seen on the advertised channel. For example, you can lock on channel when you are using file capture or location tracking. During normal operation, the sensors should always be configured for Quick Scan or Scan Channels in combination with Quick Scan. From a security perspective, it is important that all channels are continuously monitored to catch any suspicious activity or events on channels outside advertised channels. Do not enable the Extended Channel Scan feature unless you are certain that your sensors support extended channels. If you enable the feature and your sensors do not support the extended channels, you will just waste valuable system time scanning non-existent channels.

7.12 Rebooting a Sensor


This feature is only available from the Sensor UI and for use only by Sensor web users who have the role of Admin. A Reboot Now button is located in the Sensor UI Advanced Settings tab. Clicking on the Reboot Now button reboots the Sensor from a remote location.


Authorizing (Classifying) Devices


This chapter discusses classification of devices. Classification is often thought of in terms of authorizing devices, but classification also includes unauthorizing devices and ignoring devices. All three states are explained in this chapter. This chapter also covers the multiple ways AirDefense Enterprise helps you authorize devices, including:
- Manually authorizing individual devices
- Importing devices
- Automatically authorizing (classifying) devices
- Synchronizing AirDefense data with third party infrastructure management systems, including AirWave and Cisco WLSE
- Integration with Motorola, Trapeze, Enterasys, Cisco, and Nortel WLAN switch controllers

8.1 Chapter Topics


This chapter contains the following topics:
Topic (Page)
Implications of Classification (8-2)
Manually Authorizing Individual Devices (8-3)
Importing Multiple Devices (8-4)
Auto-Classifying Multiple Devices (8-8)
Device Synchronization Configuration (8-10)


8.2 Implications of Classification


8.2.1 Data Management Implications
Having the devices in your wireless network properly classified can help you suppress unnecessary Unauthorized AP alarms and let you focus on the alarms and devices that are actually behaving in a suspicious manner.

8.2.2 Security Implications


It may be obvious, but because of the important security implications, you should only authorize devices that you know to be approved on your network. AirDefense server still detects attacks that violate security policy, even from authorized devices. An intruder with a device you erroneously authorized would be able to perform activities that harm your organization while appearing to be legitimate, such as downloading data.

8.2.3 Device Classification


8.2.3.1 Overview
There are three classifications for APs and stations: Authorized, Unauthorized, and Ignored. When AirDefense Server first sees a device, it treats the device as Unauthorized and displays it in the UI in RED by default, until you classify it otherwise.

8.2.3.2 Authorized Devices


Devices that should be authorized are generally those that are known to you (that were purchased within your organization) and conform with your security policies.

8.2.3.3 Unauthorized Devices


Unauthorized devices are those that have been seen by an AirDefense sensor, but are not approved to be on your network. Rogue devices are a subset (type) of Unauthorized devices that have connected to your wired network.

8.2.3.4 Ignored Devices


You may want to ignore devices that have been seen by an AirDefense sensor, that are not interacting with your network, and that you consider to be unimportant to your network security, such as devices belonging to neighbors. If an Ignored device begins to interact with your infrastructure, it triggers an alarm. You can then mitigate the threat by changing the device's state to Unauthorized, among other possible actions.

8.2.3.5 About Neighboring Devices


Neighboring devices cannot be avoided with the widespread use of wireless networking. These devices are not attached to your LAN and should be categorized as Ignored to avoid excessive alarms.

8.2.3.6 Deciding a device's classification state: Considerations


Only you can decide what criteria you will use to authorize or ignore devices. You may want to consider your organization's overall security policy and your tolerance for risk versus users' need for network access. Some questions that may be useful in deciding how to classify a device are:
- Does the device conform to any vendor requirements you have?
- What is the signal strength of the device? Is it likely that the device is outside your physical perimeter?
- Is the device properly configured according to your security policies?

8.3 Manually Authorizing Individual Devices


8.3.1 Manual authorization of individual devices
AirDefense sensors detect individual devices as they are added to your network, either with your approval or without. As these devices begin to appear in the tree, they are automatically considered Unauthorized by the server. You must determine whether you want to authorize or ignore each device. If you decide to authorize a device, it can be done in one of the following ways:
- Right click on the device in the tree and select View/Edit Policy. Configure the device as Authorized and complete information about the device as needed.
- Use the Set Device Authorization dropdown menu in the Device Manager. You can access the Device Manager by clicking the Devices in your wireless network button.
After you authorize the device, its icon changes to green.


8.4 Importing Multiple Devices


8.4.1 Overview
When you want to authorize a number of devices at once, particularly when you are installing AirDefense Enterprise, you can import a file that lists all the devices and classifies them automatically. The file format, described below, includes a value that determines whether the device is automatically authorized or unauthorized. The AP or station automatically moves under the detecting sensor in the tree.

8.4.2 Navigation
Device Manager > Show APs > Import AP button


8.4.3 Imported Access Points List


The following table describes the functions and options found in the Import Access Points window.
Function: Import
Description: Select the Import button to open the file Open window, browse to the location of the appropriate Access Point file to import and select the Open button.

Function: Import Status
Description: This read-only field indicates whether you have successfully or unsuccessfully imported an Access Point file into AirDefense.

Function: Number of Switches Imported
Description: This read-only field lists the number of Access Points that have been imported.

The Imported APs field is a read-only list that displays columns for the Access Point ID and the Access Point Name.

8.4.4 File Format for Importing APs


8.4.4.1 Overview
You must use a specific file format for importing APs. AirDefense server will check the format and display a message if you need to correct the format. The file for importing Access Points should contain rows of data, one row for each Access Point being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. If the AP being imported is already in the system, the import overwrites the field values, based on the MAC address. The text field values are overwritten, regardless of letter case.

8.4.4.2 Guidelines
Use the following guidelines.
- Each row of data must consist of a comma-separated list of field values for each AP (as defined in the table below), for example: MAC address, alias, IP address, DNS name, description, authorize, bridge.
- You do not have to use all field values for the AP, but you must use the MAC address.
- Always use colons to separate the six groups of hexadecimal digits in the MAC address (xx:xx:xx:xx:xx:xx).
- Spell out null for any field value that you do not want to use, for example: 00:02:2d:01:23:04, null, null, null, null, yes, no
- Do not leave any field values as empty spaces.
- Separate each row by a carriage return or new line character.
- Separate all field values with commas. These are the delimiters.
- You must use colons in MAC addresses.
- White space must exist between each column.

Field Name: MAC address
Valid Values: Valid MAC address

Field Name: alias
Valid Values: Text string or null if not defined

Field Name: IP Address
Valid Values: Valid IP address or null if not defined

Field Name: DNS name
Valid Values: Text string or null if not defined

Field Name: description
Valid Values: Text string or null if not defined

Field Name: authorize
Valid Values: yes or no

Field Name: bridge
Valid Values: yes or no

8.4.4.3 Examples
aa:aa:aa:aa:aa:aa, My Access Point, 172.16.0.232, machine@xyz.com, this is my access point, yes, yes
bb:bb:bb:bb:bb:bb, AP B, 145.16.0.232, box2@xyz.com, null, no, no

8.4.5 File Format for Importing Stations


8.4.5.1 Overview
The file for importing Stations should contain rows of data, one row for each Station being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. If the Station being imported is already in the system, the import overwrites the field values, based on the MAC address. The text field values are overwritten, regardless of letter case.

8.4.5.2 Guidelines
Use the following guidelines.
- Each row of data must consist of a comma-separated list of field values for each Station (as defined in the table below), for example: MAC address, alias, DNS name, description, authorize, list of comma-separated APs.
- You do not have to use all field values for the Station, but you must use the MAC address.
- Always use colons to separate the six groups of hexadecimal digits in the MAC address (xx:xx:xx:xx:xx:xx).
- Spell out null for any field value that you do not want to use, for example: 00:02:2d:01:23:04, null, null, null, null, null, yes, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb.
- Do not leave any field values as empty spaces.
- Separate each row by a carriage return or new line character.
- Separate all field values with commas. These are the delimiters.
- White space must exist between each column.

Field Name: MAC address
Valid Values: Valid MAC address

Field Name: alias
Valid Values: Text string or null if not defined

Field Name: DNS name
Valid Values: Text string or null if not defined

Field Name: description
Valid Values: Text string or null if not defined

Field Name: authorize
Valid Values: yes or no. If yes or no is selected, the next field (aplist) should be defined, and this station will be either authorized (yes value) or unauthorized (no value) for every access point in the aplist.

Field Name: aplist
Valid Values: all (for all access points), or a comma-separated list of access point MAC addresses

8.4.5.3 Example
cc:cc:cc:cc:cc:cc, Station C, machine1@xyz.com, this is my access point, yes, all
dd:dd:dd:dd:dd:dd, Station D, machine2@xyz.com, null, no, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb
ee:ee:ee:ee:ee:ee, Station E, machine3@xyz.com, this is station e, null
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, yes, aa:aa:aa:aa:aa:aa
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, no, bb:bb:bb:bb:bb:bb

Interpretation
The following statements represent the results of loading the example file above into AirDefense Server:
- Station C will be entered into the system, authorized on all access points.
- Station D will be entered into the system, unauthorized on access points aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb.
- Station E will be entered into the system with configuration information only.
- Station EF will be entered into the system, authorized on access point aa:aa:aa:aa:aa:aa, unauthorized on bb:bb:bb:bb:bb:bb.
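Because an import file directly grants Authorized status, a malformed row (a MAC in the wrong notation, a blank field, a stray value in the authorize column) is worth catching before the file reaches the appliance. The Python below is an added example, not the AirDefense importer, that applies the rules given in sections 8.4.4 and 8.4.5 to AP and Station rows: comma delimiters, colon-separated MACs, literal null for unused fields, yes/no for authorize, and a station aplist that is either all or access point MACs. It then merges Station rows per MAC the way the Interpretation above reads the Station EF pair. The treatment of omitted trailing AP fields as null, and the field names used in the returned dictionaries, are assumptions.

```python
"""Validate AirDefense AP / Station import rows before importing them.

Added example, not the appliance's importer. Rules follow this chapter;
anything beyond them (e.g. omitted trailing AP fields read as null) is
an assumption.
"""
import ipaddress
import re
from typing import Dict, List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
AP_FIELDS = ("mac", "alias", "ip", "dns", "description", "authorize", "bridge")
STATION_FIELDS = ("mac", "alias", "dns", "description", "authorize")  # aplist follows


def _split(row: str) -> List[str]:
    cols = [c.strip() for c in row.split(",")]
    if any(c == "" for c in cols):
        raise ValueError("empty field: spell out null instead of leaving a blank")
    return cols


def _text(value: str) -> Optional[str]:
    return None if value.lower() == "null" else value


def _yes_no(value: str, field: str) -> Optional[bool]:
    v = value.lower()
    if v == "null":
        return None
    if v not in ("yes", "no"):
        raise ValueError(f"{field}: expected yes, no or null, got {value!r}")
    return v == "yes"


def _mac(value: str) -> str:
    if not MAC_RE.match(value):
        raise ValueError(f"bad MAC {value!r}: six colon-separated hex pairs required")
    return value.lower()


def parse_ap_row(row: str) -> dict:
    """One AP row: MAC address, alias, IP address, DNS name, description, authorize, bridge."""
    cols = _split(row)
    if len(cols) > len(AP_FIELDS):
        raise ValueError(f"AP row has {len(cols)} fields; at most {len(AP_FIELDS)} allowed")
    cols += ["null"] * (len(AP_FIELDS) - len(cols))  # assumption: trailing fields may be omitted
    rec = dict(zip(AP_FIELDS, cols))
    ip = _text(rec["ip"])
    return {
        "mac": _mac(rec["mac"]),
        "alias": _text(rec["alias"]),
        "ip": str(ipaddress.IPv4Address(ip)) if ip else None,  # rejects malformed addresses
        "dns": _text(rec["dns"]),
        "description": _text(rec["description"]),
        "authorize": _yes_no(rec["authorize"], "authorize"),
        "bridge": _yes_no(rec["bridge"], "bridge"),
    }


def parse_station_row(row: str) -> dict:
    """One Station row: MAC address, alias, DNS name, description, authorize, aplist..."""
    cols = _split(row)
    if len(cols) < len(STATION_FIELDS):
        raise ValueError("station row needs MAC address, alias, DNS name, description, authorize")
    rec = dict(zip(STATION_FIELDS, cols))
    aplist = cols[len(STATION_FIELDS):]
    authorize = _yes_no(rec["authorize"], "authorize")
    if authorize is not None and not aplist:
        raise ValueError("authorize is yes/no, so an aplist (or all) is required")
    aps = ["all"] if aplist == ["all"] else [_mac(a) for a in aplist]
    return {
        "mac": _mac(rec["mac"]),
        "alias": _text(rec["alias"]),
        "dns": _text(rec["dns"]),
        "description": _text(rec["description"]),
        "authorize": authorize,
        "aplist": aps,
    }


def station_authorizations(rows: List[str]) -> Dict[str, Dict[str, bool]]:
    """Merge rows by station MAC into {station: {ap_mac or "all": authorized?}}.

    A repeated MAC overwrites earlier values, as the chapter says of
    re-imported devices; a row with authorize null contributes config only.
    """
    result: Dict[str, Dict[str, bool]] = {}
    for row in rows:
        st = parse_station_row(row)
        entry = result.setdefault(st["mac"], {})
        if st["authorize"] is not None:
            for ap in st["aplist"]:
                entry[ap] = st["authorize"]
    return result


# Constructed input: the example rows from section 8.4.5.3.
EXAMPLE_STATION_ROWS = [
    "cc:cc:cc:cc:cc:cc, Station C, machine1@xyz.com, this is my access point, yes, all",
    "dd:dd:dd:dd:dd:dd, Station D, machine2@xyz.com, null, no, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb",
    "ee:ee:ee:ee:ee:ee, Station E, machine3@xyz.com, this is station e, null",
    "ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, yes, aa:aa:aa:aa:aa:aa",
    "ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, no, bb:bb:bb:bb:bb:bb",
]

if __name__ == "__main__":
    for mac, auth in station_authorizations(EXAMPLE_STATION_ROWS).items():
        print(mac, auth)
```

Run against the Station example above, station_authorizations produces exactly the four outcomes the Interpretation lists, with Station E carrying an empty authorization map. Running a file through parse_ap_row or parse_station_row line by line, and refusing to import if any line raises, is the pre-check that keeps a typo from becoming an authorized device.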


8.5 Auto-Classifying Multiple Devices


8.5.1 Overview
AirDefense Enterprise's auto-classification feature makes it easy to classify large numbers of devices automatically. Two of the main advantages of auto-classification are:
- You can automatically ignore whole groups of devices that don't interest you, to limit the alarm count caused by unauthorized devices. Example: In an environment with many transient or neighboring devices, you can schedule AirDefense server to periodically ignore all devices below a specified signal strength.
- You can automatically authorize whole groups of devices that you need to rapidly add to the AirDefense server. Example: If your company deploys a large number of new wireless devices, you can specify criteria they need to meet (configuration, vendor, etc.), and then AirDefense server will automatically authorize all that meet your criteria.
You can also unauthorize and delete devices automatically.

8.5.2 Navigation
Configuration > Policy Manager > Auto Classification

8.5.3 On-Demand vs Scheduled Classification


8.5.3.1 Overview
You can auto-classify devices on demand or you can schedule auto-classification to occur periodically.

8.5.3.2 Manual/On-Demand
The on-demand option lets you classify all devices in the system at any time. You should consider this option for initial system setup, but it is also useful whenever new, unauthorized devices are discovered by AirDefense sensors. After you start an on-demand classification, AirDefense server displays a list of discovered devices, along with data about how they compare to your auto-classification criteria. You can edit the list, manually overriding the auto-classification for single or multiple devices. The devices are actually assigned the new classification only after you confirm that you want to apply the results.

8.5.3.3 Scheduled
Scheduled auto-classification is very helpful when you want to ignore groups of devices with certain attributes, such as low signal strength or those from unapproved vendors.
Important! You should schedule auto-classification to authorize devices with caution, considering the rules that control which devices are authorized (below) carefully, to avoid accidentally authorizing a device in error.

Because auto-classification places a minor burden on the system, AirDefense, Inc. recommends that you schedule auto-classification to occur only once or twice a day.


8.5.4 Action Rules and Rule Sets


8.5.4.1 Overview
AirDefense Enterprise uses a combination of Action Rules and Rule Sets to let you specify exactly which devices to authorize, ignore, unauthorize, or even delete. First, you create Action Rules, and then you create Rule Sets, which are combinations of Action Rules.

8.5.4.2 Action Rules


The Action Rules tab of the Auto Classification page lets you create a very specific set of rules for classifying devices. The more criteria you include, the more accurate the resultant classification will be, and the less likely it is that a device will be mis-classified. After you add or select a rule, you specify the type of device the rule classifies, whether the rule is intended to authorize, ignore, unauthorize, or delete devices, and whether you want the classification to occur if the devices match the criteria or do not match the criteria. You then specify the criteria that control whether each device is classified according to the rule. You can use any or all of the following fields to include or exclude devices that do not meet your criteria:
- MAC
- IP Address
- Vendor
- Channel
- SSID
- Signal Strength
- Protocol
- Authorization
- 802.x Username
- Last Seen
- Connectivity
- Association
- Extended Authentication
- Key Generation
- Specific EAP Type
- Encryption

NOTE: Each field you add to the filter changes to bold onscreen, to help you track your actions.

8.5.4.3 Rule Sets


After you create Action Rules specifying exactly what criteria you want to use to auto-classify devices, you combine the Action Rules into Rule Sets to simplify auto-classification, and to let you schedule multiple auto-classification actions in a single Rule Set. Example: You can create a rule to ignore all APs with a very low signal strength and a rule to authorize all APs that meet your standard vendor and configuration criteria. You then combine those rules in a single Rule Set that you schedule to run every morning at 3 am.

8.5.4.4 Sequence of rules in Rule Sets


After you add Action Rules to a Rule Set, you should consider the order in which they appear in the list. As AirDefense Server examines devices during auto-classification, it looks for the first match between a device and an Action Rule in the Rule Set. You should place the least restrictive Action Rule at the top of the list, and the most restrictive at the bottom of the list.


8.6 Device Synchronization Configuration


8.6.1 Overview
AirDefense Enterprise's Device Synchronization Configuration window allows you to configure devices automatically by extracting information from third party wireless management systems such as Cisco WLSE and AirWave.

8.6.2 Common Settings


This tab allows you to specify a different configuration for a device originating from the external system depending on the device's SSID. The supported configurations are authorize/unauthorize or ignore. Example: A user might want to specify on the Common Settings tab that all devices using SSID "Guest" should be ignored while the ones using "CORP" should be automatically authorized.

NOTE: When importing devices from AirWave, the SSID information is not available for the imported APs. Because of this AirWave limitation, all imported devices will take the action assigned to the <Unknown_SSID> in the common settings dialog. The default action for this setting is authorize.

To add a new device SSID configuration:
1. In the text box adjacent to the SSID List column, enter the SSID of the device you wish to synchronize on the system. Then select the appropriate radio button to designate the device SSID to be Authorized, Unauthorized or Ignored on the system.
2. Use the Cancel button to discard any changes made in this text box and/or radio button without saving any changes.
3. Select the Add SSID button. The new SSID is saved and added to the SSID List column.

NOTE: Once you have added new device entries to the SSID List, you can highlight the device row and click on the action in the Action column to open a drop down list with the same options to Authorize, Unauthorize or Ignore the device on the AirDefense system.

1. To remove SSID devices that have been added to the SSID List, highlight the device row and select the Remove SSID(s) button. The device is immediately removed from the list.
2. To commit the device(s) that you have added to the SSID List to the AirDefense system, select the Apply button. The devices are then detectable by AirDefense and all options on the Common Settings tab are disabled.

8.6.3 WLSE Tab


Use the WLSE tab configuration options to synchronize information between a Cisco Systems, Inc. CiscoWorks WLSE (Wireless LAN Solution Engine) Server and the AirDefense Server so that they can interface with each other. NOTE: A user with proper credentials is required to access the WLSE functions. Once you configure the AirDefense Server for WLSE, it will periodically synchronize itself with a WLSE Server.


8.6.3.1 WLSE Synchronization Configuration

Synchronization Period


Choose a synchronization period from the available drop down list: Your choice determines how often your AirDefense Server will retrieve information from a WLSE Server.
Important! Motorola AirDefense Solutions recommends that you use this parameter with caution. In large networks the synchronization could become very time consuming. The recommended settings are 24 hours or 2 hours. Choose a period lower than that only if you are certain that it will not affect the performance of the server. It is also recommended that you run a test synchronization (using the Run button) to determine how long the AirDefense Server takes to perform this operation.

Sync Station Authorization


For Sync Station Authorization, select this radio button option if you want Stations associated with managed APs to be considered authorized in AirDefense. The reason for taking this action is that Stations associated with managed APs probably went through proper authentication, and can therefore be considered authorized. However, this may not always be true.

Troubleshooting WLSE connectivity


If you are having difficulties synchronizing AirDefense with WLSE, select the WLSE tab's Run button, which allows you to request a synchronization immediately. When the Run button is selected, an Import Status window appears, displaying devices imported into the system. The imported devices are represented by blue icons until the devices are actually detected by any of the sensors.

8.6.4 AirWave Integration


8.6.4.1 Overview
The AirWave Management Platform (AMP) software is a vendor-agnostic network management application that allows you to configure every device and monitor all users on your network. To make it easier and less time-consuming to secure your wireless network, AirDefense and AirWave have integrated the AirWave Management Platform with AirDefense Enterprise. To accurately report unauthorized devices on your network without generating false positive alerts, AirDefense Enterprise must always have an accurate list of all your known and managed access points. On large wireless LANs with hundreds or thousands of wireless APs, manually maintaining an accurate inventory of all valid devices can be extraordinarily time-consuming. Using APIs developed by the two companies, AMP automatically synchronizes with AirDefense Enterprise, continually updating the list of known devices even as your wireless network expands. These APs are then loaded into AirDefense as authorized devices to ensure device list accuracy, without user intervention. The synchronization period is configurable by the administrator.

Prerequisites:
- AirWave Management Platform v4.1 or higher
- AirDefense Enterprise v7.0.5 or higher

8.6.4.2 Navigation
Configuration > Appliance Manager > Device Sync > AirWave


8.6.4.3 AirWave Tab


The AirWave tab provides configuration management for AirWave servers, and enables AirDefense to detect station and AP devices that reside on it. Use this function to add server parameters so that devices can be imported and monitored by AirDefense.

Button: Add
Description: Activates fields for entering a new server.

Button: Delete
Description: Deletes the current AirWave server you have selected.

Button: Run
Description: Allows you to request synchronization immediately. This feature is particularly useful for troubleshooting connectivity issues with AirWave.


AirWave Tab Functionality


The following fields are available to configure AirWave servers:
Field Name: Server
Description: A drop down list of server names that were previously entered in this field.

Field Name: Synchronization Period
Description: A drop down list where you can select the synchronization period. These are time intervals when AirDefense pings the AirWave server for the status of devices. The periods include: disabled, 5 min, 30 min, 1hr, 2hr, or 24hr.

Field Name: AirWave Host or IP Address
Description: The name of the AirWave Host or its IP address.

Field Name: User
Description: The name of the AirWave user to be used for authentication.

Field Name: Password
Description: The user password.

Field Name: Confirm Password
Description: Confirmation of the user password.

Field Name: Protocol
Description: A drop down list where you can specify the protocol (https or http).

Field Name: Port
Description: The port number.

Field Name: Sync Station Authorization
Description: Stations associated with managed APs probably already went through proper authentication and can therefore be considered authorized. This field allows you to automatically authorize Stations associated with managed APs. Yes: Enable automatic Station authorization. No: Disable automatic Station authorization.


8.6.5 LiveRF Tab


LiveRF is an add-on module to AirDefense Enterprise, which you can purchase and license separately from AirDefense. Refer to the AirDefense LiveRF User Guide for details about the LiveRF application. The LiveRF tab is used to configure LiveRF and is available only if you have installed the LiveRF add-on module. To configure LiveRF, you need to import the APs and radios that AirDefense Enterprise will monitor. NOTE: Import APs first, then radios.

Button             Description
Importing APs      Imports Access Points defined in an external file.
Importing Radios   Imports radios defined in an external file.
Remove             Removes the highlighted AP or radio.
Clear All          Removes all APs and radios.

8.6.5.1 Importing APs


To import APs, click the Importing APs button and follow the prompts. The file for importing APs is a comma-delimited file containing rows of data, one row for each AP being imported. If the AP being imported is already in the system, the import overwrites the field values, matched on the MAC address. The text field values are overwritten, regardless of letter case. Use the following guidelines to ensure you import Access Points correctly:

- Device Identifier (required)
- Device Identifier Type (required): "IP Address", "MAC Address", or "Name"
- Device Name (optional)
- AccessPointType.Manufacturer (optional)
- AccessPointType.Model (optional)
- MAC Address (required): 00:00:00:00:00:00 format
- Device IP Address (optional)
- Device State (optional): e.g. "online", "offline"
- Able To Transmit RF (optional): TRUE or FALSE (defaults to TRUE if left empty)

NOTE: Optional values can be left empty.

8.6.5.2 Importing Radios


To import radios, click the Importing Radios button and follow the prompts. The file for importing radios should contain rows of data, one row for each radio being imported. If the radio being imported is already in the system, the import overwrites the field values, matched on the MAC address. The text field values are overwritten, regardless of letter case. Use the following guidelines to ensure you import radios correctly:

- Access Point Device Identifier (required): must match the Device Identifier from the AP list
- Operational RF Modes (required): "/"-separated list of "a", "b", "g", "n"; e.g., "b/g"
- Able To Transmit RF (optional): TRUE or FALSE
- Tx Channel (required): channel number
- Tx Power (required): power level
- Transmit Power Unit (required): "dBm", "mW" or "%"
- MAC Addresses (required): "/"-separated list of radio MAC addresses
- Unicast Packet Count (optional)
- Non-Unicast Packet Count (optional)
- Packet Count (optional)
- Rx Error Count (optional)
- Tx Error Count (optional)
- Averaging Window (optional)
- Bit Speed (optional)
- Throughput (optional)
- Radio SSIDs (optional): "/"-separated list of SSIDs

NOTE: Optional values can be left empty.
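A pre-import check for the AP and radio files described in 8.6.5.1 and 8.6.5.2, added here as example code (it is not part of AirDefense Enterprise or the LiveRF module). It assumes the columns appear in the order the guidelines list them, and the sample rows are constructed; the required/optional rules, the "/"-separated lists and the overwrite-on-matching-MAC behaviour are those stated above.

```python
"""Validator for the LiveRF AP and radio import files described above.

Added example, not AirDefense or LiveRF code. Column order (assumed to follow
the order of the guidelines) and the sample rows are constructed assumptions.
"""
import csv
import io
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Assumed column order: the order in which the guidelines list the fields.
AP_COLUMNS = ["device_identifier", "device_identifier_type", "device_name",
              "manufacturer", "model", "mac_address", "device_ip",
              "device_state", "able_to_transmit_rf"]
RADIO_COLUMNS = ["ap_device_identifier", "rf_modes", "able_to_transmit_rf",
                 "tx_channel", "tx_power", "tx_power_unit", "mac_addresses",
                 "unicast_count", "non_unicast_count", "packet_count",
                 "rx_error_count", "tx_error_count", "averaging_window",
                 "bit_speed", "throughput", "ssids"]
IDENT_TYPES = {"IP Address", "MAC Address", "Name"}
RF_MODES = {"a", "b", "g", "n"}
POWER_UNITS = {"dBm", "mW", "%"}


def _rows(text, columns):
    """Yield (line number, field dict or None, errors) for each non-blank CSV row."""
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue
        if len(row) != len(columns):
            yield lineno, None, ["expected %d fields, got %d" % (len(columns), len(row))]
        else:
            yield lineno, dict(zip(columns, (c.strip() for c in row))), []


def _bool_or_empty(value):
    return value.upper() in ("", "TRUE", "FALSE")


def validate_aps(text):
    """Return (APs keyed by lower-case MAC, error messages)."""
    aps, errors = {}, []
    for lineno, ap, errs in _rows(text, AP_COLUMNS):
        if ap is not None:
            if not ap["device_identifier"]:
                errs.append("Device Identifier is required")
            if ap["device_identifier_type"] not in IDENT_TYPES:
                errs.append("Device Identifier Type must be one of %s" % sorted(IDENT_TYPES))
            if not MAC_RE.match(ap["mac_address"]):
                errs.append("MAC Address must use the 00:00:00:00:00:00 format")
            if not _bool_or_empty(ap["able_to_transmit_rf"]):
                errs.append("Able To Transmit RF must be TRUE or FALSE")
        if errs:
            errors.extend("AP line %d: %s" % (lineno, e) for e in errs)
            continue
        # An empty Able To Transmit RF defaults to TRUE, as the guidelines state.
        ap["able_to_transmit_rf"] = ap["able_to_transmit_rf"].upper() != "FALSE"
        aps[ap["mac_address"].lower()] = ap   # re-import of a known MAC overwrites it
    return aps, errors


def validate_radios(text, ap_identifiers):
    """Return (radios keyed by lower-case MAC, errors); APs must be validated first."""
    radios, errors = {}, []
    for lineno, r, errs in _rows(text, RADIO_COLUMNS):
        macs = []
        if r is not None:
            macs = r["mac_addresses"].split("/") if r["mac_addresses"] else []
            modes = r["rf_modes"].split("/") if r["rf_modes"] else []
            checks = [
                (r["ap_device_identifier"] in ap_identifiers, "Access Point Device Identifier matches no imported AP"),
                (bool(modes) and set(modes) <= RF_MODES, 'Operational RF Modes must be a "/"-separated list of a, b, g, n'),
                (_bool_or_empty(r["able_to_transmit_rf"]), "Able To Transmit RF must be TRUE or FALSE"),
                (r["tx_channel"].isdigit(), "Tx Channel must be a channel number"),
                (r["tx_power"].replace(".", "", 1).lstrip("-").isdigit(), "Tx Power must be a numeric power level"),
                (r["tx_power_unit"] in POWER_UNITS, "Transmit Power Unit must be dBm, mW or %"),
                (bool(macs) and all(MAC_RE.match(m) for m in macs), 'MAC Addresses must be a "/"-separated list of MAC addresses'),
            ]
            errs.extend(msg for ok, msg in checks if not ok)
        if errs:
            errors.extend("radio line %d: %s" % (lineno, e) for e in errs)
            continue
        for mac in macs:
            radios[mac.lower()] = r   # re-import of a known MAC overwrites it
    return radios, errors


def validate_import(ap_text, radio_text):
    """Validate the AP file, then the radio file against the imported AP identifiers."""
    aps, ap_errors = validate_aps(ap_text)
    identifiers = {ap["device_identifier"] for ap in aps.values()}
    radios, radio_errors = validate_radios(radio_text, identifiers)
    return {"aps": aps, "radios": radios, "errors": ap_errors + radio_errors}


# Constructed sample files (not from the document); the second row of each is deliberately bad.
SAMPLE_APS = (
    "ap-lobby-1,Name,Lobby AP,ExampleVendor,EX-100,00:11:22:33:44:55,10.0.0.5,online,\n"
    "ap-bad,Serial,Bad AP,,,001122334466,,offline,TRUE\n"
)
SAMPLE_RADIOS = (
    "ap-lobby-1,b/g,TRUE,6,20,dBm,00:11:22:33:44:56/00:11:22:33:44:57,,,,,,,,,Corp/Guest\n"
    "ap-missing,a/x,,36,17,W,00:11:22:33:44:58,,,,,,,,,\n"
)
```

Running validate_import(SAMPLE_APS, SAMPLE_RADIOS) accepts one AP and two radios and reports five errors, two for the bad AP row and three for the radio row whose AP identifier, RF mode and power unit are invalid.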

Managing Switches
9.1 Introduction
This chapter provides information about how AirDefense Enterprise uses the switches in your network to help defend it from wireless attackers.

9.1.1 Chapter Contents


This chapter contains the following topics.

Topic                                                                          Page
Switch Controller Integration                                                  9-3
Adding Switches or WLAN Controllers                                            9-4
Importing Switches or WLAN Controllers                                         9-8
Ending Unauthorized Device Communication (Port Lookup and Port Suppression)    9-11

9.1.2 Switch Definition


In networks, a switch is a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.

9.1.3 How Does AirDefense Enterprise Use Switches?


AirDefense Enterprise uses switches in the following ways:

- To detect stations and APs via the wired network
- To terminate communication from unauthorized devices by suppressing the switch port they are communicating on
- To synchronize authorized devices from infrastructure WLAN switch controllers


9.1.4 Requirements for Port Lookup and Port Suppression


For AirDefense Enterprise to use switches for port lookup and suppression, the following requirements must be met:

- The switch must support SNMPv2c or SNMPv3.
- The switch's SNMP agent must be enabled and accepting SNMPv2 or SNMPv3 requests.
- The switch must correctly and fully implement the standard used in MIB-II. This is a very common Management Information Base (MIB) that most network devices implement.
- The switch must correctly and fully implement the standard used in BRIDGE-MIB. This is a MIB that most high-end Ethernet managed switches support. The same applies to any of the following MIBs: Q-Bridge, Entity, Cisco VLAN Trunk Protocol (VTP), Cisco IF-Extension.
- If the SNMP agent of the switch supports security views, you must configure the AirDefense server to communicate with the switch within a community that has full read access to all objects (variables and tables) of both MIBs: MIB-II and BRIDGE-MIB. If you want to use both the port lookup feature and the port suppression feature, you need read/write access to both MIBs: MIB-II and BRIDGE-MIB. The AirDefense server uses the Read Community for read access and the Write Community for write access (shutting down the port).
- UDP connectivity must exist between the AirDefense server and the switch. If there is a firewall between the AirDefense server and the switch, make sure the port the server and switch are communicating on is open. The standard port for SNMP agents is 161. You can configure a different port on the server, but not all switches allow you to configure the port; make sure the same port is configured on both the server and the switch.


9.2 Switch Controller Integration


9.2.1 Overview
The integration reduces deployment and operational support cost through automated synchronization of authorized wireless devices between AirDefense Enterprise and the WLAN switch controller. To accomplish this, you can import lists of authorized APs from a WLAN switch controller. Adding a third-party WLAN switch controller to allow synchronization of authorized network devices is done in the same way as adding an SNMP-managed switch for port lookup and port shutdown. If you are adding a WLAN switch controller, simply select the UI option to use the correct MIB. If you are importing a list of switches, specify the MIB in the import file, as discussed later in this chapter. After you add switch controllers, the Enterprise system recognizes all Access Points managed by the switches as authorized devices.

9.2.2 Switch Controller Support


AirDefense Enterprise supports the following switch controllers:

- Motorola WS5100/RFS6000/RFS7000 and WS2000
- Trapeze MX series WLAN Controller
- Nortel 23xx series WLAN Switch
- Enterasys RoamAbout 8000 series Wireless Switch
- Cisco WLC


9.3 Adding Switches or WLAN Controllers


9.3.1 Navigation
Device Manager > Show Switches

Select the Add Switch button to open the Switch Configuration window and select the Switch Settings tab.

9.3.2 Required Switch Information


In order to add a switch, you must identify the switch in the Switch Identification tab and configure the switch in the Switch Settings tab. The Apply and Cancel buttons are located in each tab. Use these buttons to:

- Save (apply) any changes that you have made. Once you have saved changes, the new switch appears in the AirDefense tree panel when you click the Tree structure options dropdown menu and select Switch.
- Cancel any changes that you have made and close the Switch Configuration window.


9.3.3 Switch Identification


The following table describes the fields used to identify a switch.

Field                        Description
Name                         Enter the name you want to use for the switch. You may want to use a name that helps you identify the switch within your logical or physical network.
Description                  Type comments about the switch, its location, purpose, etc.
Vendor                       The server automatically populates this field with the name of the switch manufacturer when the switch is brought online and connected.
Model (read-only)            The specific model of the switch is automatically added if the system is able to connect to the switch.
Enabled                      Specify Yes or No for the switch to be enabled or disabled for device imports and automatic scans. When the switch is enabled (Yes), the switch icon in the tree panel is green. When the switch is not enabled (No), the switch icon in the tree panel is red.
Online (read-only)           The online status is determined by the server's communication with the switch, and cannot be accessed by an AirDefense user.
Status Message (read-only)   A read-only section that gives updates on the connectivity status of the switch to the network.

9.3.4 Switch Settings


The following table describes the functions and options used to configure a switch.

Function                    Description
IP Address                  Enter the IP address or hostname of the switch. This entry is mandatory.
SNMP Port                   Enter the Simple Network Management Protocol (SNMP) port number for this switch. This is normally 161, but it can be different.
SNMP Version                In this drop-down list, choose V1, V2c or V3 as the SNMP version used.
Read Community              Enter the Read Community string, which is used for SNMP authentication.
Write Community             Enter the Write Community string, which is used for SNMP authentication.
Authentication Algorithm    SNMP V3 parameter; must match what is set on the switch.
Authentication Passphrase   SNMP V3 parameter; must match what is set on the switch.
Privacy Algorithm           SNMP V3 parameter; must match what is set on the switch.
Privacy Passphrase          SNMP V3 parameter; must match what is set on the switch.
SNMP User                   The name of the V3 user configured on the switch for SNMP V3 access.
Enabled Features            You may enable any of the following features by checking the feature's checkbox: Switch Port Lookup, Device Import, RSSI Data Retrieval, Access Control List.
MIB Support                 You can manually select one or more of the following supported MIBs by checking the MIB's checkbox: Bridge, Q-Bridge, Entity, Cisco VLAN Trunk Protocol (VTP), Cisco IF-Extension, Motorola WS5100/RFS6000/RFS7000 Switch, Motorola WS2000 Switch, Trapeze Mobility Exchange, Nortel 23xx WLAN Switch, Enterasys Wireless Switch, Cisco WLC. The Auto-Detect MIB support button automatically detects which MIBs are supported.

NOTE: After you add switches into the AirDefense server, they appear in the tree panel when you select Switch from the Tree structure options dropdown menu.


9.3.5 Color Coding for Switch Icons


Switch icons are color coded to reflect their ability to perform Port Lookup and Suppression. The switch must be able to scan MAC addresses for it to be able to perform either Port Lookup or Suppression. If you have read-only access to the switch, you can only perform Port Lookup, but not Port Suppression. The following table shows the switch color that represents the possible states:

Able to scan MAC addresses   Online (read-only)   Tree-panel icon color
Yes                          Yes                  Green
No (off-line)                No                   Gray
No (Imported)                No                   Blue


9.4 Importing Switches or WLAN Controllers


9.4.1 Overview
AirDefense Enterprise lets you expand your ability to monitor your network by integrating with your existing switch infrastructure. Import Switches allows you to add multiple switch devices to AirDefense at the same time.

9.4.2 WLAN Controller Import


Motorola, Trapeze, Nortel, Enterasys, and Cisco WLAN controllers are added or imported in the same way as any other switch. You simply select the pertinent MIB (Management Information Base) at the time you add the switch. If you are importing the switch, you specify the appropriate MIB in the import file. After you add or import the switches, the Enterprise system recognizes all Access Points managed by the switches as authorized devices.

9.4.3 Navigation
Device Manager > Show Switches > Import Switch button


9.4.4 Imported Switches List


The following table describes the functions and options found in the Import Switches window.

Function                      Description
Import                        Select the Import button to open the file Open window, browse to the location of the appropriate Switch file to import and select the Open button.
Import Status                 This read-only field indicates whether you have successfully or unsuccessfully imported a Switch file into AirDefense.
Number of Switches Imported   This read-only field lists the number of Switches that have been imported.

This read-only list displays columns for the Switch Name and the Host. After you have successfully imported a Switch, these columns will appear as the following:

9.4.5 File Format for Importing Switches


9.4.5.1 Syntax Description
The switch import file must contain one row of data for each switch being imported into the AirDefense server. Rows must be separated by a carriage return or new line character. If the AirDefense server detects that a switch being imported is already in the system (based on its address), the text field values are overwritten, regardless of letter case. Each row in the file must include the following information about the switch. The field descriptions are the same as those in the preceding section, Adding Switches or WLAN Controllers.

- Name
- IP
- Port
- SNMP Version
- Read Community
- Write Community
- SNMP User
- Auth Algorithm
- Auth Pass Phrase
- Private Algorithm
- Private Pass Phrase
- Enabled Features
- Supported MIBs
- Enabled (Scan MAC addresses)
- Description
- Group
- Location

Important! If you are not going to use a field in a Switch file, or specify any detail in it, enter null for its value. If you import a Switch to a Location/Group that does not exist in the system, the system imports switches into the Default Location/Group.

9.4.5.2 Syntax Example:


Switch Name,Switch IP Address,SNMP Port,SNMP Version,Read Community,Write Community,SNMP User,Authentication Algorithm,Authentication Passphrase,Private Algorithm,Private Passphrase,Enabled Feature;Enabled Feature;Enabled Feature,Supported MIB;Supported MIB;Supported MIB,Enabled (True or False),Description,Group,Location

Example 1:
SwitchA,172.16.0.168,161,V2c,public,private,null,null,null,null,null,PORTLOOKUP;DEVICEIMPORT;RSSIDATA;ACL,BRIDGE;QBRIDGE;ENTITY;VTPVLAN;IFEXT;SYMBOL5100;SYMBOL2000;TRAPEZE;NORTEL;ENTERASYS;CISCOWLC,true,Imported Cisco Switch,Default Group,Default Location

Example 2:
SwitchB,172.17.0.15,161,V2c,public,private,null,null,null,null,null,PORTLOOKUP;DEVICEIMPORT;RSSIDATA;ACL,BRIDGE;QBRIDGE;ENTITY;VTPVLAN;IFEXT;SYMBOL5100;SYMBOL2000;TRAPEZE;NORTEL;ENTERASYS;CISCOWLC,true,Imported HP Switch,Default Group,Default Location
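A parser for the switch import format in 9.4.5, added here as example code rather than AirDefense's own importer. It applies the null convention, splits the ";"-separated feature and MIB lists using the tokens from the syntax examples, and, as this example's own sanity checks, rejects V3 rows with no SNMP User and flags the well-known default community strings and missing write access (which 9.5.3 notes is required for port suppression); treating a null port as 161 is also an assumption.

```python
"""Parser and sanity checker for the AirDefense switch import file format.

Added example, not AirDefense code. Field order and the feature/MIB tokens are
those of the syntax description and examples on this page; the null-port
default of 161 and the community-string warnings are this example's own.
"""
import csv
import io

COLUMNS = ["name", "ip", "port", "snmp_version", "read_community",
           "write_community", "snmp_user", "auth_algorithm", "auth_passphrase",
           "priv_algorithm", "priv_passphrase", "enabled_features",
           "supported_mibs", "enabled", "description", "group", "location"]
SNMP_VERSIONS = {"V1", "V2c", "V3"}
FEATURES = {"PORTLOOKUP", "DEVICEIMPORT", "RSSIDATA", "ACL"}
MIBS = {"BRIDGE", "QBRIDGE", "ENTITY", "VTPVLAN", "IFEXT", "SYMBOL5100",
        "SYMBOL2000", "TRAPEZE", "NORTEL", "ENTERASYS", "CISCOWLC"}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults worth flagging


def _value(cell):
    """A literal 'null' (or an empty cell) means the field is unused."""
    cell = cell.strip()
    return None if cell == "" or cell.lower() == "null" else cell


def _token_set(value):
    return set(value.split(";")) if value else set()


def check_switch(sw):
    """Return (errors, warnings) for one parsed switch record."""
    errors, warnings = [], []
    if not sw["name"] or not sw["ip"]:
        errors.append("Switch Name and IP Address are required")
    if sw["snmp_version"] not in SNMP_VERSIONS:
        errors.append("SNMP Version must be V1, V2c or V3")
    for label, tokens, allowed in (("Enabled Feature", sw["enabled_features"], FEATURES),
                                   ("Supported MIB", sw["supported_mibs"], MIBS)):
        unknown = tokens - allowed
        if unknown:
            errors.append("unknown %s token(s): %s" % (label, ", ".join(sorted(unknown))))
    if not 1 <= sw["port"] <= 65535:
        errors.append("SNMP Port out of range")
    if sw["snmp_version"] == "V3":
        if not sw["snmp_user"]:
            errors.append("SNMP V3 requires an SNMP User")
    else:
        # V1/V2c authenticate with community strings only, so weak ones matter.
        for field in ("read_community", "write_community"):
            if sw[field] in DEFAULT_COMMUNITIES:
                warnings.append("%s is the well-known default %r" % (field, sw[field]))
        if not sw["write_community"]:
            warnings.append("no Write Community: port suppression needs SNMP write access")
    return errors, warnings


def parse_switch_file(text):
    """Return (accepted switch records, [(line, reason), ...] for rejected rows)."""
    switches, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue
        if len(row) != len(COLUMNS):
            rejected.append((lineno, "expected %d fields, got %d" % (len(COLUMNS), len(row))))
            continue
        sw = {key: _value(cell) for key, cell in zip(COLUMNS, row)}
        sw["enabled_features"] = _token_set(sw["enabled_features"])
        sw["supported_mibs"] = _token_set(sw["supported_mibs"])
        sw["enabled"] = (sw["enabled"] or "").lower() == "true"
        try:
            sw["port"] = int(sw["port"]) if sw["port"] else 161  # null port: assume the standard 161
        except ValueError:
            rejected.append((lineno, "SNMP Port must be numeric"))
            continue
        errors, sw["warnings"] = check_switch(sw)
        if errors:
            rejected.append((lineno, "; ".join(errors)))
        else:
            switches.append(sw)
    return switches, rejected


# Constructed sample file: row 1 is Example 1 from this page; rows 2 and 3 are made up and faulty.
SAMPLE = (
    "SwitchA,172.16.0.168,161,V2c,public,private,null,null,null,null,null,"
    "PORTLOOKUP;DEVICEIMPORT;RSSIDATA;ACL,BRIDGE;QBRIDGE;ENTITY;VTPVLAN;IFEXT;"
    "SYMBOL5100;SYMBOL2000;TRAPEZE;NORTEL;ENTERASYS;CISCOWLC,true,"
    "Imported Cisco Switch,Default Group,Default Location\n"
    "SwitchC,10.1.2.3,161,V3,null,null,null,null,null,null,null,PORTLOOKUP,BRIDGE,"
    "true,null,Default Group,Default Location\n"
    "SwitchD,10.1.2.4,161,V2c,s3cretRO,null,null,null,null,null,null,PORTLOOKUP;FOO,"
    "BRIDGE,false,null,Default Group,Default Location\n"
)
```

parse_switch_file(SAMPLE) accepts only SwitchA, with two warnings about its public/private communities, and rejects the V3 row with no user and the row with the unknown feature token.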


9.5 Ending Unauthorized Device Communications


9.5.1 Overview
AirDefense Enterprise features Port Lookup and Port Suppression to help you stop unauthorized wireless devices from communicating with your network through network switches.

9.5.2 About Port Lookup


Port Lookup is a convenient way to quickly locate the physical switch port that a device is using to connect to your network. It creates a list of MAC Addresses of devices that are connected to a given switch. You can then analyze the behavior of those devices to determine if any of them should not be communicating with your network. For port lookup, you will need to add the SNMP managed switches closest to the edge of the network.

9.5.3 About Port Suppression


After you identify the port the device is communicating on, you can suppress communication on that port, effectively ending the connection between the unauthorized device and your network. For port suppression, SNMP write access is required.

9.5.4 Port Suppression Prerequisites


Before you can perform Port Suppression, you must enable it on the server (Configuration > Appliance Manager > System). Then you must configure the switches to allow Port Suppression (Device Manager > Show Switches > Add Switch button).


Initial Policy Setup


This chapter discusses the types of policies in AirDefense Enterprise and considerations for how you can set them up to maximize network security and enforce security policy compliance.

10.1 Default Policies


AirDefense Enterprise ships with a complete set of default policies that you can use out of the box or customize for your organization's security policy and network requirements.

10.2 Chapter Contents


This chapter contains the following topics:

Topic                    Page
About Policies           10-2
Configuration Policy     10-3
Performance Policy       10-4
Vendor Policy            10-5


10.3 About Policies


10.3.1 Overview
Policies let you set the rules of engagement for how wireless devices can interact with your network. AirDefense server cannot use policies to actually force devices to behave in a particular way; instead, it compares the policies to the way devices are actually behaving and produces alarms when it detects violations.

10.3.2 Scope of this Chapter


This chapter provides conceptual information about setting up policies, and guidance about best practices. Detailed information about all of the fields within the policy pages is located in the online help. Use the Search tab in the help to find specific information about any field or page.

10.3.3 Using the Tree to Control Scope


In the Policy Manager, you can select a location, group, or device in the tree, and then view the associations and behaviors of each device, represented by a color-coded icon. Beside each icon is a letter designation (a,b,g), representing the protocol of the device. Icons and folders also display a number (nn), representing the number of devices that appear below them in the tree. As in other areas of AirDefense Enterprise, the node you select in the tree controls the scope of data in the right pane. If you want to manage policy for a location, for example, choose that location in the tree.

10.3.4 Four Policy Types


The three policies that you can apply to APs are described in detail later in this chapter:

- Configuration AP policy
- Performance AP policy
- Vendor AP policy

There are no policies for stations; each station must comply with the policies of the AP it associates with. If a station roams, it must comply with the policies of each AP it encounters along the way.

10.3.5 Navigating to the Policy Manager


Among the ways to navigate to the Policy Manager, you may prefer a path based on what you want to do:

- If you want to apply or manage policies for specific individual devices or groups of devices, click on the device, group, or location, right-click, and then select Policy Manager. The Policy Manager opens with the device(s) you selected in focus, with the appropriate tabs for the device(s) displayed.
- If you want to create or edit policies that you want to use globally or at another time, choose Configuration > Policy Manager. The Policy Manager opens with system-wide focus and the individual policy buttons readily available (Configuration, Performance, Vendor, and Channel).


10.3.6 Applying Policies Individually or in Groups


AirDefense Enterprise lets you apply policies to individual devices or groups of devices. This lets you configure your AirDefense policies to very closely match the security policy of the wireless network, even if the security policy varies widely between wireless deployments. After you choose the group that contains the device(s) you want to apply a policy to, AirDefense server displays a standard multiple selection list, so you can use ctrl+ or shift+ to select devices in the usual way. Additionally, you can filter the list and display only those devices that meet certain criteria. Example: you can display only authorized APs in the list. When you are ready to apply a new policy, you can select a pre-configured policy from the drop-down list. You can also use the Policy Editor button to create additional policies that will subsequently appear in the drop-down list.

10.4 Configuration Policy


10.4.1 Overview
Configuration policies are arguably the most important, because they define the fundamental security configuration you require for APs on your network. Also, AP configuration policies define how stations associate and communicate with APs.

10.4.2 Strategy-Based Policies


If you have different security strategies for various APs in your network, you may want to create multiple policies reflecting those strategies. The more restrictive or specific your policy is for each strategy, the more closely your alarm data will represent the events that are of concern to you.

10.4.3 Specifying Channels Stations Can Use


Does your corporate policy only allow stations to communicate with the network over certain channels? Use the Fixed Channels tab to specify the allowed channel(s), and then AirDefense server will show an alarm when stations try to communicate with the AP on other channels.

10.4.4 Data Rates


Sometimes APs use different rates than they have been configured to use. If certain APs encounter a lot of noise in the air, they may throttle the data rate to maximize stability. You may want to tune the data rates in the Configuration policy if you suspect that data rate alarms you are seeing are the result of AP rate throttling.

10.4.5 Controlling VLANs


AirDefense Enterprise gives you control of the VLANs on your network through AP policies. You can:

- Monitor the use of VLANs that are partitioned on the Access Point by an SSID, and raise an alarm if they are not being used where required.
- Enforce configuration and vendor policy specifically for the VLAN, within the AP policy.

To configure policy for a VLAN, navigate to the appropriate AP in the Policy Manager. Enable VLAN on the Access Point Policy tab, and then configure the VLAN policy.


10.5 Performance Policy


10.5.1 Overview
AirDefense Server collects a very large amount of data about your wireless network. In addition to providing extensive information about your wireless network's security, this data can help you manage its performance.

10.5.2 When is Performance Important?


Many organizations provide wireless access as a courtesy to customers or as an easy way for employees to access the wired network from locations other than their desk. Critical business functions are generally not affected by performance of such wireless networks. However, in some environments, such as those using VOIP, or where there may be a remote location without wired access to the network, the Performance policy can be very helpful in maintaining high levels of performance.

10.5.3 Determining Optimal Settings


You should configure Performance policy settings to reflect normal levels on your wireless network when it is performing well. After you configure the policy to reflect normal performance, the system begins to generate alarms only for anomalies. You can determine what these normal levels are in a number of ways, including:

- Third-party tools: some third-party tools provide information you can use to derive settings for Performance policies.
- Observation of AirDefense data: many AirDefense customers simply observe the alarms generated using the default policy over time, and then adjust values to tune out unnecessary alarms.
- Creating a custom report: you can use the Report Builder to create a report that gives you information about your network's performance, and then use that information to customize Performance policy settings. All of the settings in the policy are available as fields in the Report Builder. You can create a report that contains exactly the settings that are important to you. You can also report on a time period that you consider to have good performance, to ensure that the resulting policy settings will require little tuning.


10.6 Vendor Policy


10.6.1 Overview
The Vendor policy helps you prevent non-sanctioned AP use in your WLAN. For example, if your organization has purchased only Motorola APs, you can create a policy that generates an alarm when an AirDefense sensor detects a non-Motorola AP. You can also use the Vendor policy to control how MAC addresses are displayed in the Tree.

10.6.2 Level of Control


The Vendor policy works best in environments that have a great deal of control over what devices are allowed on the WLAN. A high degree of coordination is required between AirDefense users and the people who manage the deployment of devices, such as stations, within the organization. The Vendor policy is not suited for environments that see normal traffic from devices with a variety of vendors, such as hotspots.

10.6.3 The OUI Database


AirDefense Server determines whether an AP is from an approved vendor by comparing its MAC address to the Organizationally Unique Identifier (OUI) database within the AirDefense Server. AirDefense can display the vendor name even if it has not observed the AP, because the name is derived from the first three octets of the MAC address. Anyone can query the IEEE public OUI listings to find the vendor of a MAC address: go to http://standards.ieee.org/regauth/oui/index.shtml

It is necessary to periodically update the OUI database within the AirDefense Server, so that it includes the most recent device OUIs. If you cannot update the database, but you are seeing alarms on late-model devices, you can disable such alarms until you can update the database.
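The Vendor policy check described above, written out as added example code (not AirDefense's implementation): the OUI is taken from the first three octets of a MAC address in any common notation and looked up in a table that can be refreshed from a listing in the IEEE hex-line style. The OUIs and vendor names in the sample listing are constructed, not real assignments, and the assumed listing layout ("XX-XX-XX   (hex)   Vendor") should be checked against the current IEEE file; the alarm_on_unknown switch mirrors the advice to suppress alarms on late-model devices until the database is updated.

```python
"""Vendor-policy check based on the OUI (first three octets) of a MAC address.

Added example, not AirDefense code. The sample listing is constructed data and
the hex-line layout it uses is an assumption about the IEEE file format.
"""
import re

# Assumed layout of the IEEE listing's hex lines: "XX-XX-XX   (hex)   Vendor name".
_HEX_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$")


def normalize_mac(mac):
    """Return a MAC as lower-case colon notation.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and 001122334455.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """The Organizationally Unique Identifier: the first three octets."""
    return normalize_mac(mac)[:8]


def load_oui_listing(text):
    """Parse the hex lines of an IEEE-style OUI listing into {oui: vendor}."""
    table = {}
    for line in text.splitlines():
        match = _HEX_LINE.match(line)
        if match:
            table[":".join(match.group(1, 2, 3)).lower()] = match.group(4)
    return table


def vendor_of(mac, oui_table):
    """Vendor name for a MAC, or None when its OUI is not in the local database."""
    return oui_table.get(oui_of(mac))


def check_vendor_policy(mac, approved_vendors, oui_table, alarm_on_unknown=True):
    """Return (verdict, vendor); verdict is 'ok', 'alarm' or 'unknown-oui'.

    alarm_on_unknown=False suppresses alarms for devices whose OUI is newer than
    the local database, as the text suggests until the database is updated.
    """
    vendor = vendor_of(mac, oui_table)
    if vendor is None:
        return ("alarm" if alarm_on_unknown else "unknown-oui"), None
    approved = {name.lower() for name in approved_vendors}
    return ("ok" if vendor.lower() in approved else "alarm"), vendor


# Constructed sample listing in the assumed IEEE hex-line style; OUIs and names are made up.
SAMPLE_LISTING = """\
AA-BB-01   (hex)        Motorola (sample)
AABB01     (base 16)    Motorola (sample)

AA-BB-02   (hex)        Other Vendor (sample)
AABB02     (base 16)    Other Vendor (sample)
"""
```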


Setting up Alarms
AirDefense Enterprise constantly monitors your WLAN for policy violations. You can analyze alarms about these violations periodically on the server UI, or you can configure notifications to alert you when certain alarms occur.

11.1 Chapter Contents


This chapter contains the following topics:

Topic                         Page
The AirDefense Alarm Model    11-2
Alarm Configuration           11-4
Customizing Alarms            11-5


11.2 The AirDefense Alarm Model


11.2.1 Suppressed Alarm Repetition
AirDefense has made significant advancements in the Enterprise Alarm Model, dramatically decreasing the occurrence of repetitious alarms. In the new Alarm Model, AirDefense Server leverages the extensive data it collects about security events to determine whether events are:

- Unique events
- Repeat occurrences of activities that constitute a single security event
- Repeat observances of a single, ongoing event

Based on this distinction, AirDefense Enterprise is able to display alarms for unique events and suppress repetitive alarms for ongoing events. This provides better correlation between individual security events and individual alarms.

11.2.2 How an Alarm is Generated


In past versions, the system generated alarms every minute, in response to policy violations detected by sensors. In the new Alarm Model, these violations are reported internally to the server every minute as events. AirDefense's industry-leading wireless security research team maintains algorithms for correlating observed security events, to identify when a pre-defined high water mark for the event is reached. The high water mark, in its simplest terms, is a number of identical events that occur within a specific period of time. When the high water mark is reached, it triggers an alarm on the Server UI.

11.2.3 Duration
The alarm stays active for a period of time after the security event ends. This period of time is called the duration. The duration is user-configurable, although AirDefense has determined default duration times correlated to the expected lifecycle of each specific event. When the duration time ends, the alarm becomes inactive. You can use the forensic analysis to view historical alarms.


11.2.4 Example
Three XYZ events within a 30-minute period defines the high-water mark for XYZ events. If the server detects three or more such events within any 30-minute period, an alarm is triggered.
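A simulation of the high-water-mark, suppression and duration behaviour described in 11.2.2 to 11.2.4, added here as example code rather than AirDefense's implementation. It uses the page's 3-events-in-30-minutes XYZ figures; the 60-minute duration, the inclusive window and the per-device keying of events are assumptions.

```python
"""Simulation of the high-water-mark alarm model from sections 11.2.2 to 11.2.4.

Added example, not AirDefense code. Times are minutes (sensors report events
every minute). An alarm fires when high_water_mark identical events fall within
any window of minutes; it stays active for duration minutes after the last
observation and further observations of the same ongoing event are suppressed
instead of raising repeat alarms. The 3-in-30 values are the page's XYZ example;
the 60-minute duration, the inclusive window and per-device keys are assumptions.
"""
from collections import deque


class AlarmCorrelator:
    def __init__(self, high_water_mark=3, window=30, duration=60):
        self.high_water_mark = high_water_mark
        self.window = window
        self.duration = duration
        self._recent = {}    # (event type, device) -> deque of event times
        self._active = {}    # (event type, device) -> time the alarm expires
        self.alarms = []     # (time, event type, device) for every alarm raised

    def observe(self, now, event_type, device):
        """Record one event report; returns 'alarm', 'suppressed' or 'below-mark'."""
        key = (event_type, device)
        expires = self._active.get(key)
        if expires is not None and now < expires:
            # Ongoing event: keep the alarm alive, but raise no repeat alarm.
            self._active[key] = now + self.duration
            return "suppressed"
        recent = self._recent.setdefault(key, deque())
        recent.append(now)
        while now - recent[0] > self.window:   # drop events older than the window
            recent.popleft()
        if len(recent) >= self.high_water_mark:
            self.alarms.append((now, event_type, device))
            self._active[key] = now + self.duration
            recent.clear()                     # the next alarm needs a fresh run of events
            return "alarm"
        return "below-mark"

    def active_alarms(self, now):
        """Alarms still shown as active at time now; expired ones are historical."""
        return sorted(key for key, expires in self._active.items() if now < expires)


def run_trace(events, **kwargs):
    """Feed (time, event type, device) tuples through a correlator; return it and the outcomes."""
    correlator = AlarmCorrelator(**kwargs)
    outcomes = [correlator.observe(*event) for event in events]
    return correlator, outcomes


# Constructed trace: XYZ reports against AP "ap1" cluster at minutes 20, 45 and 50.
SAMPLE_TRACE = [
    (0, "XYZ", "ap1"), (20, "XYZ", "ap1"), (45, "XYZ", "ap1"), (50, "XYZ", "ap1"),
    (51, "XYZ", "ap1"), (52, "XYZ", "ap2"), (200, "XYZ", "ap1"),
]
```

For SAMPLE_TRACE the alarm fires at minute 50 (the event at minute 0 has dropped out of the window), the report at minute 51 is suppressed, and the alarm has expired by the time the event recurs at minute 200.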

11.2.5 Alarm Categories


AirDefense Enterprise server groups alarms into eight categories, to make it easier for you to decide which events are critical to you, versus those which are not important to you. Furthermore, AirDefense has identified functional subcategories within each category. After you examine what types of security events trigger alarms in each category and subcategory, you may find that you can make decisions about enabling and disabling alarms by groups, rather than individually. Example: If you are not concerned with WLAN performance, you may be able to disable the entire Performance category.

- Behavior: devices that operate outside of their normal behavior settings and generate events that could indicate anomalous or suspicious activity.
- Exploits: events caused by a potentially malicious user actively interacting on your Wireless LAN using a laptop/PC as a wireless attack platform.
- Performance: Wireless LAN traffic that exceeds set performance thresholds for devices.
- Policy Compliance: Wireless LAN traffic that violates established or default policies for devices.
- Reconnaissance: monitors and tracks external devices that are attempting to monitor your Wireless LAN.
- Rogue Activity: unauthorized devices detected by AirDefense which pose a risk to the security of your network.
- System Health: events that provide information about the state of the AirDefense appliance and its sensors.
- Vulnerabilities: devices that are detected to be susceptible to attack.

11.2.6 Complete Instructions/Help


For complete instructions for acknowledging alarms, enabling/disabling alarms, adjusting their priorities, or clearing/purging alarms, go to the Alarms program area in the GUI and click on Help in the Help Menu.

11.2.7 Detailed Alarm Descriptions


AirDefense, Inc. provides you with extensive information about each alarm, not only to help you identify your security risk but also to guide you through the mitigation process. Alarm details tabs include:

- Summary: a summary description of the alarm
- Description: a more detailed description of the alarm and the likely cause
- Investigation: instructions for using tools and features in AirDefense Enterprise to investigate the alarm
- Mitigation: suggestions on how to mitigate the problem
- Escalation (optional): information specific to your organization, such as device locations and physical security information, phone numbers of specific people to notify, etc.

You can add notes to each of the details tabs to record information about the specific occurrence of the alarm, such as actions taken to mitigate the threat.

11.3 Alarm Configuration


11.3.1 Effective Alarm Configuration
The key to effectively managing your WLAN security with AirDefense Enterprise is properly configuring alarms to reflect your security policy and environment.

11.3.2 Navigation
There are two main ways to navigate to the Alarm Configuration window:

- Configuration > Alarm Configuration. Select the alarm you want to configure from the tree, which is divided into alarm categories and then subcategories.
- Select an alarm from the Alarms panel, right-click on it, and then select Alarm Configuration.


11.4 Customizing Alarms


11.4.1 Orientation
You can customize many aspects of AirDefense Enterprise alarms.

11.4.2 Alarm criticality


AirDefense's wireless security research team has assigned a default criticality level to each alarm type, on a scale of 0 to 100. You can change the numeric criticality level of each alarm to reflect its importance within your organization. The new numerical value is used to calculate Threat Scores. Example: in a no-wireless zone, Reconnaissance alarms are very important, but in an active business environment, they are less important. Numeric criticality levels are grouped in ranges, which are reflected throughout the AirDefense server UI:

Criticality      Numeric Range   Associated Risk
Safe/Green       0               Alarms on devices that pose no immediate threat to your WLAN network.
Minor/Yellow     0-29            Suggested potential problem alarms that may develop into worse issues if ignored.
Major/Orange     30-59           Potentially serious alarms that require priority attention.
Critical/Red     60-89           Serious alarms that require immediate attention.
Severe/Purple    90-100          Serious alarms that may have catastrophic effects on your WLAN network.


11.4.3 Detailed Alarm Descriptions


AirDefense Enterprise now includes extensive descriptions of each alarm, including information about assessing the threat and mitigating devices if necessary. Of the alarm detail tabs, only the Escalation tab is customizable: use it to include information specific to your organization, such as device locations and physical security information, phone numbers of specific people to notify, etc.

Notifications
12.1 Overview
Notifications are emails, SNMP traps, or syslog entries that you configure the AirDefense server to send in response to certain alarms. Notifications include information about the Sensors, APs, and Stations that generate the alarm, when the alarm is generated, and what conditions triggered the alarm. You can control when and where notifications are sent, and you can customize many other aspects of them. The flexibility of the Action Manager makes it easy to create notifications that are as global or as granular as you want, down to the level of specific alarms occurring on specific devices, reflecting very specific policy violations or data ranges.

12.1.1 Two Primary Purposes


AirDefense Enterprise notifications provide extensive flexibility. However, many users use notifications in two primary ways. They use:
- Email to notify individual administrators about critical alarms that are immediately actionable, such as rogue alarms.
- SNMP and Syslog to send alarm information to a Security Information Management (SIM) system, such as ArcSight, that correlates event data from multiple vendor sources and escalates them accordingly.

12.1.2 Prerequisites
To use notifications, you must first:
- Set the Hostname for the AirDefense Server.
- Set the Domain Name for the AirDefense Server.
- Configure the Mail Relay host for the AirDefense Server.
- Configure at least one DNS server.
- Enable notifications for the system.
Important! Notifications are suspended during some maintenance activities you may perform using the WIPSadmin utilities, such as those for reboot (REBOOT) and restart (RESTART).


12.1.3 Chapter Contents


This chapter contains the following topics:
Topic                                                    Page
Configuring Notifications                                12-3
Setting the Hostname, Domain Name, and Mail Relay Host   12-4

12.1.4 Detailed Help


For complete instructions for configuring email, SNMP, and Syslog notifications, see the Online Help for Action Manager.

12.1.5 Navigation
The majority of notification configuration activities occur in the Action Manager.
Tools > Action Manager


12.2 Configuring Notifications


12.2.1 Notification Fundamentals
The fundamental concept of notifications is captured in the sentence: let me know within a certain period of time when certain sensors trigger an alarm of a given criticality. Beyond that basic concept, AirDefense Enterprise lets you customize your notifications extensively.

12.2.2 Additional/Advanced Customization


Advanced customization lets you:
- Decide how often you want to be notified about distinct alarms, and define your criteria for distinct alarms.
- Create Boolean expressions that filter alarm data and focus notifications on the events you are interested in.
- Choose a template for the notification, including any custom templates you may have created.
- Set the queue size for optimum system performance.

12.2.3 Notification Filters


Using the Action Manager, you can use advanced notification filters to create extremely granular notifications. You can specify the exact data or data range you want the notification to trigger on, even if the original alarm did not go to that level of granularity. This provides an additional level of notification tuning separate from your alarm tuning. Example: You want to collect data on all Default SSID in Use alarms, but you want to send notifications about such alarms in different groups to different administrators. You would create email notifications for the different administrators that filter for Default SSID in Use alarms in their group. You can filter on the following:
- Alarm Type
- Category
- Channel
- Criticality
- Criticality Level
- Device IP
- Device MAC
- Device Name
- Device Type
- Group
- Location
- Sensor IP
- Sensor MAC
- Sensor Name
- Signal Strength
- SubCategory


12.2.4 Distinct Alarms


Significant advancements in the AirDefense Enterprise Alarm Model greatly reduce the number of repetitious alarms. However, the server still lets you define what you consider to be distinct alarms, and tune notifications to disregard repeats of the same alarm. Specify the criteria that you want the server to use to differentiate between alarms. Choose two or more of the following; the server will then require all of them to match exactly before it treats an alarm as a repeat of a previous alarm that occurred within the time frame you specified.
- Criticality Level
- SubCategory
- Device Type
- Location
- Sensor
- Category
- Alarm Type
- Device
- Group
- Channel
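The following is an added example, not AirDefense code, that models the two Action Manager concepts above (the notification filters of 12.2.3 and the distinct-alarm criteria of 12.2.4) as a small routing engine: each rule is a recipient, an AND filter over the fields listed for filtering, and a suppressor that drops an alarm when the chosen key fields match one already notified inside a time window. The Alarm field names, the sample alarms (which reuse two alarm names that appear on this page) and the recipients are constructed for the demo; the colour bands follow the criticality table in 11.4.2, reading 0 as Safe and 1-29 as Minor.

```python
# Added example, not AirDefense code: a notification filter plus "distinct
# alarm" suppression modelled on the Action Manager concepts described above.
# Field names, the sample alarms and the recipients are constructed for the demo.
from collections import namedtuple
from typing import Callable, Dict, List, Sequence, Tuple

Alarm = namedtuple(
    "Alarm",
    "time alarm_type category criticality device_mac device_type group sensor_name channel",
)


def criticality_level(score: int) -> str:
    """Map a 0-100 criticality to the colour band used in the UI table.
    The table lists Safe as 0 and Minor as 0-29; here 0 is Safe and 1-29 Minor."""
    if score <= 0:
        return "Safe"
    if score < 30:
        return "Minor"
    if score < 60:
        return "Major"
    if score < 90:
        return "Critical"
    return "Severe"


def make_filter(**criteria) -> Callable[[Alarm], bool]:
    """Build an AND filter from field=value pairs; a value may also be a
    predicate (e.g. criticality=lambda c: c >= 60) to express a range."""
    def match(alarm: Alarm) -> bool:
        for field, want in criteria.items():
            if field == "criticality_level":
                have = criticality_level(alarm.criticality)
            else:
                have = getattr(alarm, field)
            ok = want(have) if callable(want) else have == want
            if not ok:
                return False
        return True
    return match


class DistinctAlarmSuppressor:
    """Treat an alarm as a repeat (and drop it) when every chosen key field
    matches an alarm already notified within `window` seconds."""

    def __init__(self, key_fields: Sequence[str], window: float):
        if len(key_fields) < 2:
            raise ValueError("choose two or more criteria")
        self.key_fields = tuple(key_fields)
        self.window = window
        self._last_sent: Dict[tuple, float] = {}

    def should_notify(self, alarm: Alarm) -> bool:
        key = tuple(getattr(alarm, f) for f in self.key_fields)
        last = self._last_sent.get(key)
        if last is not None and alarm.time - last < self.window:
            return False
        self._last_sent[key] = alarm.time
        return True


def route(alarms: List[Alarm], rules) -> List[Tuple[str, str, str]]:
    """rules: (recipient, filter, suppressor) triples. Returns the
    (recipient, alarm_type, device_mac) notifications that would be sent."""
    sent = []
    for alarm in sorted(alarms, key=lambda a: a.time):
        for recipient, flt, sup in rules:
            if flt(alarm) and sup.should_notify(alarm):
                sent.append((recipient, alarm.alarm_type, alarm.device_mac))
    return sent


# Constructed sample alarms (times in seconds); MAC addresses are placeholders.
SAMPLE_ALARMS = [
    Alarm(0,    "Default SSID in Use", "Policy", 45, "00:11:22:33:44:01", "AP", "Atlanta HQ", "sensor-atl-1", 6),
    Alarm(60,   "Default SSID in Use", "Policy", 45, "00:11:22:33:44:01", "AP", "Atlanta HQ", "sensor-atl-1", 6),
    Alarm(120,  "Default SSID in Use", "Policy", 45, "00:11:22:33:44:02", "AP", "Dallas",     "sensor-dal-1", 11),
    Alarm(200,  "Rogue-on-my-network", "Rogue",  95, "00:11:22:33:44:03", "AP", "Atlanta HQ", "sensor-atl-2", 1),
    Alarm(4000, "Default SSID in Use", "Policy", 45, "00:11:22:33:44:01", "AP", "Atlanta HQ", "sensor-atl-1", 6),
]


def demo() -> List[Tuple[str, str, str]]:
    """One admin per group for Default SSID alarms, plus a SIEM feed for
    Critical/Severe alarms; the suppressor's tuple is the distinct-alarm key."""
    rules = [
        ("atlanta-admin", make_filter(alarm_type="Default SSID in Use", group="Atlanta HQ"),
         DistinctAlarmSuppressor(("alarm_type", "device_mac"), window=3600)),
        ("dallas-admin", make_filter(alarm_type="Default SSID in Use", group="Dallas"),
         DistinctAlarmSuppressor(("alarm_type", "device_mac"), window=3600)),
        ("siem", make_filter(criticality_level=lambda lvl: lvl in ("Critical", "Severe")),
         DistinctAlarmSuppressor(("alarm_type", "device_mac", "sensor_name"), window=300)),
    ]
    return route(SAMPLE_ALARMS, rules)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the demo sends four notifications: the repeat at t=60 for the same AP is dropped because it matches the (alarm type, device MAC) key within the hour, while the one at t=4000 is sent again because the window has elapsed. Note that the key tuple is what decides "sameness": leaving the sensor out of it (as the admin rules do) means the same AP heard by a second sensor is still a repeat, which is usually what you want for a policy alarm but not for a rogue alarm you are trying to locate.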

12.3 Setting Hostname, Domain Name, and Mail Relay Host


Use the WIPSadmin utilities HNAME and DNAME in the Command Line Interface Config program area to set the hostname and domain name used in the sender address for Email notifications. Use the System Settings of the Appliance Manager to set the mail relay host for the sender address for Email notifications.
NOTE: Hostnames and Domain Names are considered valid based on RFC 952, RFC 1035, RFC 1123 Section 2.1, and RFC 1591 Section 2. RFCs can be examined online at http://rfc.net.
Important! Whenever you change either the host name or the domain name of the AirDefense Server, you must also modify its host name or domain name in all devices that refer to it (e.g., DNS Servers). Also, if AirDefense is given a static IP address, but is not specifically assigned a hostname or domain name, it will pull its host name/domain name info from a responding DNS server. Domain name cannot be assigned until a specific host name is assigned to the system. That host name can even be the same host name the DNS server would give it. The difference is that when AirDefense pulls its info from DNS, it merges the host name and domain name info. When you assign a specific host name, the info is kept discrete, so it can be changed separately.
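As an added example (not AirDefense code, and not necessarily the exact checks the appliance applies), the following validator implements the label rules of the RFCs cited in the note above so that a host name and domain name can be checked before they are set with HNAME and DNAME, and shows the resulting sender address. The sample names are made up.

```python
# Added example, not AirDefense code: checks a host name and domain name
# against the label rules of RFC 952 / RFC 1123 section 2.1 (and the length
# limits of RFC 1035) before you set them with HNAME and DNAME, and builds
# the sender address the notifications would use. Sample names are made up.
import re

# One label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
# RFC 1123 relaxed RFC 952 to allow a leading digit.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_FQDN = 253  # RFC 1035 wire limit of 255 octets less the length/root bytes


def valid_label(label: str) -> bool:
    return bool(LABEL_RE.match(label))


def valid_hostname(name: str) -> bool:
    """HNAME takes a single label (no dots)."""
    return valid_label(name)


def valid_domain(domain: str) -> bool:
    """DNAME takes one or more dot-separated labels. The top-level label may
    not be all digits, so a dotted-decimal address is rejected (RFC 1123 2.1)."""
    if domain.endswith("."):
        domain = domain[:-1]          # tolerate a trailing root dot
    if not domain or len(domain) > MAX_FQDN:
        return False
    labels = domain.split(".")
    if not all(valid_label(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def sender_address(local_part: str, hostname: str, domain: str) -> str:
    """Return the From address the server would use, or raise if the pair
    would not form a valid fully qualified name."""
    if not valid_hostname(hostname):
        raise ValueError(f"invalid host name: {hostname!r}")
    if not valid_domain(domain):
        raise ValueError(f"invalid domain name: {domain!r}")
    fqdn = f"{hostname}.{domain}"
    if len(fqdn) > MAX_FQDN:
        raise ValueError("host name plus domain name exceeds 253 characters")
    return f"{local_part}@{fqdn}"


if __name__ == "__main__":
    print(sender_address("wips", "airdefense01", "corp.example.com"))
```

Underscores are rejected on purpose: they are legal in DNS labels generally but not in host names, and mail relays commonly refuse a HELO or From domain that contains one, which shows up as silently undelivered notifications.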

12.3.1 Set the Mail Relay Host in GUI


Your network setup may require that you designate a server that relays AirDefense email notifications outside of a firewall or other secure network configuration. If this is the case, you must configure your mail server to allow the AirDefense Server to relay email messages through it, or at least to direct its mail to another mail server that will relay email. Additionally, you must define at least one DNS server for this function to operate correctly.
Configuration > Appliance Manager > System

Assessing Threats
13.1 Introduction
This chapter describes some of the tools AirDefense Enterprise provides to help you assess the threat associated with alarms.

13.2 Considerations
Take some time to look at the alarms to determine the events that trigger them. Sort them by type and count. You can then begin to work through the alarms to determine your network status. Alarm forensics are helpful when you analyze alarms; it is helpful to know that an event occurred but it is even better to know when, how often, and where the event occurred, as well as what devices were involved.

13.3 Assessing the Threat


AirDefense helps you assess the threat associated with alarms. The following table provides an outline of how you might use these tools.
To...                                  Do this...
Investigate what was detected          Review alarm; right-click to review policy
Determine which device was involved    Rogue drilldown; Filters
Investigate the device                 Device Forensic Analysis
Discover what the device has done      Device Forensic Analysis
Determine if the device is active      Live View
Mitigate the threat                    Air Termination; Switch port suppression
Locate the device                      Signal triangulation; Location tracking; AirDefense Mobile
Remediate the device                   Physically remove the device; Clear alarms

13.3.1 Reviewing Alarms


The alarms you see in Alarm Manager are current, ongoing alarms.
NOTE: To view alarms that occurred earlier, right-click on an alarm and use Forensic Analysis.

13.3.2 Acknowledging and Clearing Alarms


You can acknowledge an alarm or clear it, either for a period of time or permanently. When you acknowledge or clear an alarm, the AirDefense server records the time and username, and the alarm remains active.

13.3.3 Clearing Alarms from the Database


You can remove cleared alarms from the database for the time range you specify, or remove ALL alarms from the database for the time range you specify. The GUI's Alarms program area has an Alarms panel that contains details about the alarms taking place in your wireless LAN: which Sensors, APs, and Stations are generating alarms, when the alarms are being generated, and what conditions are triggering them.

13.3.4 Enabling or Disabling Alarms


You can customize AirDefense Enterprise's alarm structure to reflect your organization's security priorities by enabling or disabling specific alarms. You can enable or disable alarms for:
- All devices
- Only authorized devices
- Only unauthorized devices
- Only ignored devices
You can also disable alarms for devices by their MAC address.


13.4 Live View


13.4.1 Overview
AirDefense gives you a Live View of the Sensors, APs, and Stations operating in your wireless LAN. Live View capability exists throughout the AirDefense GUI, wherever a device icon appears in an information panel or navigation tree. You access Live View by right-clicking on the device and selecting Live View, which automatically limits the data to the specific device you choose.
Only five Live View sessions can be running at one time. If you attempt to open more than five sessions, an error displays: a Live View window opens, but the monitoring session does not start.
You cannot run Spectrum Analysis and Live View at the same time on any one sensor. If Spectrum Analysis is running and you attempt to start a Live Monitoring session on the same sensor, a warning displays.
Live View consists of four main categories of information: Data, Connections, Devices, and Frames.

13.4.2 Data
Live View Data provides a variety of charts that allows you to analyze different types of data transmitted and received to/from a particular device. Different charts are displayed according to four customizable views.
View                  Description
Summary               Provides a summary of frame data using the following charts: Traffic By Authorization, Retry, Traffic By Rate, Traffic By Channel, and Devices By Authorization. This is the default view.
Device Analysis       Changes the frame data focus to device information. Charts relating to device information are displayed.
Channel Analysis B/G  Changes the frame data focus to channel information for 802.11b/g network traffic. Charts relating to channel information are displayed.
Channel Analysis A    Changes the frame data focus to channel information for 802.11a network traffic. Charts relating to channel information are displayed.


13.4.3 Connections
Live View Connections display device relationships (connections) between your wireless and wired networks with APs being the central point. Options are provided to display devices with broadcast frames, devices with multicast frames, or both.

13.4.4 Devices
Live View Devices displays, in tabular form, the devices that have been seen during a Live Monitoring session. Options are provided to show all devices, only APs, or only Stations. If more than 50,000 frames have been captured during the live monitoring session, only the most recent 50,000 frames are displayed. The device table displays the following information:
Column         Description
Device         Lists the different devices that have been seen during the Live Monitoring session.
MAC Address    Displays the MAC address of the seen device.
SSID           Lists the Service Set Identifier, the network name of up to 32 characters carried in beacon, probe and association frames on a WLAN. It identifies the BSS (Basic Service Set) a mobile device tries to join and the logical group that Access Points belong to. An SSID is not a secret and provides no authentication.
Channel        Lists the WLAN channel that the device is operating on.
Signal (dBm)   Lists the device's signal strength as received on the WLAN.
Frames         Displays the number of frames (the actual 802.11 protocol packets) that the AirDefense sensor has observed for the given device.
Bytes          Displays the byte count seen for the device.
First Seen     Displays the time and date the device was first seen.
Last Seen      Displays the time and date the device was last seen.
WEP IVs        Displays the number of unique WEP initialization vectors seen from the device (a large count on a WEP network is what key-recovery attacks depend on).


13.4.5 Frames
Live View Frames displays the frames that were captured during a Live Monitoring session. If more than 50,000 frames have been captured during the live monitoring session, only the most recent 50,000 frames are displayed. Frames data is displayed as follows: the Frames table (on top), hex values for a selected frame (bottom left), and decodes for a selected frame (bottom right). The frame table lists the following information:
Column        Description
Time          Displays the time the frame was seen.
Source        Lists the device where the frame originated.
Destination   Lists the device to which the frame was sent.
BSSID         Displays the Basic Service Set Identifier.
Transmitter   Lists the device that transmitted the frame.
Receiver      Lists the device that actually received the frame.
Address 1     Lists the first address in the frame.
Address 2     Lists the second address in the frame.
Address 3     Lists the third address in the frame.
Address 4     Lists the fourth address in the frame.
Channel       Lists the WLAN channel that the device is operating on.
Rate          Displays the data rate (in Mbps) used by the device that sent the frame.
Signal (dBm)  Lists the signal strength at which the frame was received.
Size          Displays the size of the frame.
802.11 Type   Displays the 802.11 frame type used in the frame.
Protocol      Displays the protocol type used in the frame.
Sensor        Displays the MAC address of the Sensor that observed the device that sent the frame.
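The Source, Destination, BSSID, Transmitter and Receiver columns are not stored separately in a frame; they are derived from Address 1 to Address 4 according to the To DS and From DS bits of the frame control field. The decoder below is an added example, not AirDefense code, showing that derivation as defined in IEEE 802.11 for management and data frames, with control frames reported by receiver address only. The three sample frames at the bottom are constructed by hand and the MAC addresses are placeholders.

```python
# Added example, not AirDefense code: decode the address fields of an 802.11
# MAC header into the Source / Destination / BSSID / Transmitter / Receiver
# columns of the Frames table, using the To DS / From DS rules of IEEE 802.11.
# The sample frames at the bottom are constructed by hand; MACs are placeholders.
from typing import Dict, Optional

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def decode_header(frame: bytes) -> Dict[str, object]:
    """Return the Frames-table columns derived from the MAC header.
    Only management and data frames are mapped; control frames (RTS, ACK, ...)
    carry just a receiver address and are reported as such."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # frame control byte 0: version, type, subtype
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)          # frame control byte 1: flags
    from_ds = bool(fc1 & 0x02)
    retry = bool(fc1 & 0x08)
    protected = bool(fc1 & 0x40)
    row: Dict[str, object] = {
        "type": TYPE_NAMES[ftype], "subtype": subtype, "to_ds": to_ds,
        "from_ds": from_ds, "retry": retry, "protected": protected,
        "address1": mac_str(frame[4:10]), "address2": None, "address3": None, "address4": None,
    }
    if ftype == 1:
        row.update(receiver=row["address1"], transmitter=None, source=None, destination=None, bssid=None)
        return row
    if len(frame) < 24:
        raise ValueError("management/data frame shorter than the 24-byte header")
    a1, a2, a3 = row["address1"], mac_str(frame[10:16]), mac_str(frame[16:22])
    row.update(address2=a2, address3=a3, receiver=a1, transmitter=a2)
    if not to_ds and not from_ds:          # IBSS or management: DA, SA, BSSID
        row.update(destination=a1, source=a2, bssid=a3)
    elif to_ds and not from_ds:            # station -> AP: BSSID, SA, DA
        row.update(bssid=a1, source=a2, destination=a3)
    elif from_ds and not to_ds:            # AP -> station: DA, BSSID, SA
        row.update(destination=a1, bssid=a2, source=a3)
    else:                                  # WDS/mesh: RA, TA, DA, then SA after sequence control
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        a4 = mac_str(frame[24:30])
        row.update(address4=a4, destination=a3, source=a4, bssid=None)
    return row


def build_frame(fc: bytes, a1: str, a2: str, a3: str, a4: Optional[str] = None) -> bytes:
    """Assemble a minimal header (plus dummy LLC bytes) for the demo frames."""
    hdr = fc + b"\x00\x00" + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x10\x00"
    if a4 is not None:
        hdr += mac_bytes(a4)
    return hdr + b"\xaa\xaa\x03"


AP, STA, GW, AP2 = "00:1a:1e:aa:bb:cc", "00:23:12:11:22:33", "00:50:56:00:00:01", "00:1a:1e:dd:ee:ff"
SAMPLE_FRAMES = {
    "sta_to_ap_data": build_frame(b"\x08\x01", AP, STA, GW),                   # data, To DS
    "beacon":         build_frame(b"\x80\x00", "ff:ff:ff:ff:ff:ff", AP, AP),   # management, subtype 8
    "wds_data":       build_frame(b"\x08\x03", AP2, AP, GW, STA),              # data, To DS + From DS
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, decode_header(frame))
```

The distinction between Transmitter and Source matters when reading captures: in the station-to-AP frame the transmitter is the station and the destination is the wired host behind the AP, while in the four-address WDS frame the BSSID column is empty because that frame format does not carry one.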


13.5 Frame Capture


13.5.1 Overview
Live View saves session frame data in a temporary file on your AirDefense server. This process is called Frame Capture. You can save the temporary file to a permanent file on the server or to a file on your workstation. To save a file, you must first stop the Live View session and then select File > Save from the Live View window to display the Save Frame Capture popup window. Once the file is saved, you can view it using Frame Capture Analysis, which you access from the Tools menu in the main GUI window: select Tools > Frame Capture Analysis and then select a capture file. The frame data is displayed in the Capture File window.

The Capture File window is basically the same as the Live View window minus the buttons and menus that are not needed for Frame Capture Analysis. The tabs display the same information as the Live View window.


13.6 Forensic Analysis


13.6.1 Overview
Forensic Analysis is used to review specific device information and provides detailed device communication and association status. Whether you are investigating a suspicious device or troubleshooting a WLAN problem, use the Forensic Analysis tool to analyze any device seen by the system and display the device's threat level, alarms, associations, and detailed statistics. This window is available throughout the application and furnishes additional detail on APs and Stations detected by AirDefense Enterprise.

13.6.2 Accessing Forensic Analysis


To access Forensic Analysis, select an AP or Station in the Navigation panel, then click the Access forensic analysis data icon button on the main toolbar. You can also right-click on a wireless device (Station or AP) anywhere in the application and select Forensic Analysis to drill down into the device statistics.

13.6.3 Forensic Time Window


Forensic Analysis, by default, only shows 24 hours worth of data. For detailed historical analysis, you can change the 24 hour time period by selecting a new date and time. However, you cannot view more than 24 hours of data at any one time.

13.6.4 Forensic Data


When Forensic Analysis is first accessed, a summary of forensic data is provided with information about threats, associations, device information, transmitting traffic, and receiving traffic.


If you select one of the following tabs, the summary is expanded into more detailed forensic data so that you can learn more about the wireless device and, if necessary, take immediate action:
- Device Info: displays the current settings for the device being analyzed.
- Threat Analysis: displays a table of alarms generated by the device being analyzed.
- Association Analysis: lists the associations between the device being analyzed and other wireless devices.
- Traffic Analysis: displays traffic transmitted and received by the device being analyzed.
- Signal Analysis: displays the device's signal strength (in dBm) as measured by various sensors.

Mitigation Strategies
This chapter describes some of the ways you can mitigate risks associated with devices producing alarms on your wireless network.

14.1 Chapter Contents


This chapter contains the following topics:
Topic                              Page
Using Alarm Descriptions           14-2
Rogue Mitigation                   14-4
Terminating Devices                14-5
Location Tracking (Triangulation)  14-7
Action Manager                     14-12
Action Control                     14-15


14.2 Using Alarm Descriptions


14.2.1 Overview
The enhanced alarm descriptions in the server UI should be your first resource for information about dealing with alarms. When you select a specific alarm, AirDefense server displays summary information about the alarm. Click the Alarm Details button to access detailed information.


14.2.2 Detailed Alarm Description Tabs


Alarm descriptions contain specific mitigation strategies for individual alarms. You can even customize them by adding information to the Escalation tab. The following is a small example showing the type of information and guidance contained in the alarm descriptions.

14.2.3 Escalation
The escalation section is editable by the user and allows the organization to specify a detailed escalation procedure for the network operation.


14.3 Rogue Mitigation


14.3.1 Definition of a Rogue Device
A rogue device is more than just an unknown device detected by the system. A rogue device is an unauthorized device that is associated with an authorized device or is attached to the authorized network. The AirDefense Enterprise server uses proprietary algorithms to definitively determine whether a rogue AP is connected to your wired-side network.
Example: A station in the office next door that has associated with a device on your bounded network would be reported as a rogue.
Non-example: An AP installed in the office next door, but not connected to your network or associated with any of your authorized devices, is not a rogue, even though your AirDefense sensors detect it. It would simply be reported as an unauthorized AP.

14.3.2 Rogue-on-my-network
Rogue-on-my-network is a patent-pending feature that can determine if a rogue is connected to the internal network, and if it requires immediate attention. The Rogue-on-my-network alarm is a very serious warning that will NOT yield a false positive.

14.3.3 Mitigation Process


Rogue devices should be treated as a very serious threat to your network and addressed as quickly as possible. You should have documented corporate standards for handling rogues. The following is a high-level outline for mitigating rogues:
- Eliminate the rogue device, either on command through the console or automatically, using a predefined network policy.
- Physically locate the rogue device and have it removed.
Some situations, based upon individual security requirements, may warrant frame captures, Live View and Location Tracking prior to the removal or termination of a rogue, for evidentiary purposes. For advice on mitigation steps to take, view the alarm and read the description and mitigation steps offered in Alarm Manager for the individual alarm.

14.3.4 Ignoring Devices in Congested Environments


In congested wireless environments, such as office parks or multi-tenant buildings, AirDefense Enterprise may detect many unauthorized devices. You should investigate unauthorized devices to determine whether they are a threat to your network's security. If you determine that an unauthorized device is harmless, such as a neighbor's AP that is not connecting to your network, you can configure it as Ignored. Ignored devices are known devices that are not on the network. Ignored is a subset of Unauthorized.


14.4 Terminating Devices


14.4.1 Termination Controls
AirDefense Enterprise 7.3 is designed to comply with FCC and ITU regulations. Air Termination and Policy-based Termination can be enabled by a user with Administrator rights. However, the system has internal controls that prevent AirDefense users from indiscriminately terminating wireless devices. AirDefense products only allow targeted termination of the specific devices that fall into one of the following categories:
- Unauthorized Access Points (APs) detected as physically attached to your private wired network
- Unauthorized clients attacking (known signature) or improperly connecting to your authorized wireless network of APs
- Authorized clients and authorized APs, to handle internal policy or misuse scenarios, including cases where authorized clients are improperly attaching to unauthorized APs.
A different method, channel blocking or RF jamming, causes all 802.11 traffic to cease on one or more channels. Channel blocking affects all devices on the channel, including neighboring ignored devices. Although effective, this method is illegal in most countries, and consequently it is not used in AirDefense Enterprise.

14.4.2 Air Termination


14.4.2.1 Overview
Use Air Termination to terminate the connection between your wireless LAN and any associated authorized or unauthorized Access Point or Station. Devices must be associated. To use this feature, you must be an Administrator or Manager. You can use Air Termination to terminate the connection of any authorized Access Point or Station, or any Rogue device. Unauthorized devices shown in the trees or panels (including the Dashboard, Manage Alarms, Policy Manager, and Reports) may be terminated if they are exhibiting rogue behavior. Air Termination supports:
- Single Device Termination, in which the Access Point connection is terminated and all Stations associated to the Access Point are de-authenticated, or the connection between a Station and an Access Point is terminated.
- Multiple Device Termination, which allows security administrators to terminate connectivity for multiple stations and devices simultaneously.

14.4.2.2 Using Air Termination


When Air Termination is first enabled, it is executed by right-clicking on a device icon and selecting Air Terminate/Disconnect from the drop-down selection options. The Terminate selection is only visible if you are a user with the role of Admin or Manager. If Terminate is gray, the device cannot be terminated. Additionally, AirDefense will immediately indicate if your Sensor is not enabled for termination, or if you cannot terminate the device because the Sensor is not capable of termination. Air Termination is managed using the Terminations management sub-window, which is accessed via the View > Terminations drop down menu. For more information on how to determine if a Sensor is Air Termination-ready, and to configure and use Air Termination, refer to the online Help.


14.4.3 Policy-based Termination


14.4.3.1 Overview
Policy-based Termination is the automated form of AirDefense Air Termination. Using Policy-based Termination, you can formulate an action plan to automatically terminate the connection between your wireless LAN and any authorized or unauthorized Access Point or Station, based on alarms. Devices must be associated. To use this feature, you must be an AirDefense user with the role of Admin or Manager. You can use Policy-based Termination to automatically terminate the connection of any authorized or unauthorized Access Point or Station that receives any alarm you specify, for any Sensor you specify. Policy-based Termination is configured using the Action Manager. More details on the Action Manager are included later in this chapter and in the AirDefense Enterprise Online Help.

14.4.3.2 Prerequisites for Using Policy-based Termination


To use Policy-based Termination, you must first enable the feature on the server and the sensor. For more information on how to configure and use Policy-based Termination, see the Online Help.

14.4.3.3 Navigation
Tools > Action Manager

14.4.3.4 Configuring Policy-based Termination


To configure policy-based termination, you must first add an Action Rule using the Action Manager and select Termination as your Action. Then, you must determine the scope of your Action: whether it applies system-wide, to a location, or to a specific group. Once you select a scope, you must choose (add) the alarms that you believe reflect security violations severe enough to warrant automatic termination of the connection between a device and your wireless LAN. You can configure termination policies for groups of alarms and sensors, or you can create very granular policies for individual alarm and sensor combinations.

For further instructions on configuring policy-based termination, see the AirDefense Enterprise Online Help.


14.5 Location Tracking (Triangulation)


14.5.1 Overview
Location Tracking is a technology that enables you to locate and track rogue devices that may be threatening your wireless LAN. Location Tracking (Triangulation) uses the RSSI (Received Signal Strength Indication) of the device as seen by at least 3 sensors to triangulate a position relative to the sensor locations. To use this feature, you must first import a building map and place at least 3 sensors at their corresponding locations.

14.5.2 Implementing Location Tracking in AirDefense


AirDefense Location Tracking enables you to locate and track rogue devices that may be threatening your wireless LAN.
NOTE: In order for Location Tracking to open and function properly you must have:
- One (minimum) AirDefense Enterprise Server (running r7.3 or later)
- Three (minimum) AirDefense Sensors (running r4.6.x or later) per map loaded.

14.5.3 Accessing Location Tracking (Triangulation)


You can open the Location Tracking window from anywhere in the application by selecting the Location Tracking button (compass) from the control panel. This window can also be accessed from the network tree panel by right-clicking on a device and selecting Locate (Triangulation). Tracking a device requires that the map has been loaded and the sensors positioned on it.

14.5.4 Importing Maps


To use the built-in Location Tracking (Triangulation) feature, you will need to import a map first and place the sensors at their specific locations.
NOTE: Each map can be loaded by Location or Group. You may have to re-arrange the sensors to accommodate a map for each Location or Group. You will also need a minimum of three sensors per map.
NOTE: A map can only be linked to one sensor group at a time. In a multi-floor building, sensors should be grouped by floor for more accurate location tracking, and each floor associated with its own map. At least 3 sensors per floor plan are required for location triangulation.


Example: Location Atlanta HQ has 2 Floors with 3 Sensors on each floor for Location:

14.5.5 Location View Functions


Function        Description
Zoom Tools      Use these tools to zoom in and examine greater detail in a particular location of the map.
Refresh Tools   Select the time interval at which the Location Tracking data is refreshed in its window: 15 min, 5 min, 1 min, 30 seconds, 10 seconds, or switched off.
Undo/Redo       Select the undo and redo buttons to apply to actions made in the Location Tracking map.
Click & Drag    Use your mouse to click and drag devices from the AirDefense tree panel into the Location Tracking map.

14.5.6 Scale Tool Functions


Select the Scale Tool button to set the scale of the map in order to calculate a device's precise location. To set tracking scale:


14.5.7 Setting Images


Click the Set Image button to import a map. This will open a sub-window and you can select the appropriate map, which can be in .gif, .jpg, or .png files (less than 500kb in size). Select the desired floor plan and select Open. The map is then displayed in the Location Tracking window.
Important! File sizes of imported maps cannot exceed 500kb per map.

14.5.7.1 Floor Plan Prerequisite


One or more maps or floor plans of the tracking coverage area, in a supported image format (.gif, .jpg, or .png), are needed for this to work. You can obtain floor plans from any source, including producing your own with drawing tools. Most deployments will require multiple maps, for example if you are setting up multiple buildings. Each map must be stored in a separate location or group.

14.5.7.2 Advanced Settings


Click the Advanced... button to open the Advanced Settings sub-window which contains the following two setting options:
Function      Description
Loss Factor   Loss Factor represents the density of the network environment, which affects the power levels measured by the sensors. Use the slider to compensate for loss factor values that are caused by environment, work area, and other spatial factors.
Smoothing     The smoothing value is the number of power measurements averaged together to get the final power level, and is a global setting that applies to the entire location tracking system. Use the slider to set a high smoothing value, which gives a more accurate power level for a stationary device, or a low smoothing value, which better handles devices in motion.
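To make the two settings concrete, the following is an added example, not AirDefense code: AirDefense's own location algorithm is proprietary and not described on this page, so this uses the textbook log-distance path-loss model and a least-squares fit over three or more sensors. The loss factor is modelled as the path-loss exponent n in rssi = ref - 10 n log10(d), and smoothing as the number of recent readings averaged per sensor. The reference RSSI at one metre, the sensor coordinates (in metres) and the noisy readings are all constructed for the demo.

```python
# Added example, not AirDefense code: an RSSI-based locator in the spirit of
# Location Tracking (Triangulation). AirDefense's own algorithm is proprietary
# and not given on the page; this uses the textbook log-distance path-loss
# model with a least-squares fit. "Loss factor" is modelled as the path-loss
# exponent n and "smoothing" as the number of readings averaged per sensor.
# Sensor coordinates (metres) and RSSI readings below are constructed.
import math
from collections import defaultdict, deque
from typing import Dict, Optional, Sequence, Tuple

REF_DBM_AT_1M = -40.0   # assumed RSSI one metre from the transmitter


def rssi_to_distance(rssi_dbm: float, loss_factor: float) -> float:
    """Invert rssi = ref - 10*n*log10(d); a higher n means a denser environment."""
    return 10 ** ((REF_DBM_AT_1M - rssi_dbm) / (10.0 * loss_factor))


def distance_to_rssi(distance_m: float, loss_factor: float) -> float:
    return REF_DBM_AT_1M - 10.0 * loss_factor * math.log10(distance_m)


def trilaterate(points: Sequence[Tuple[float, float]], dists: Sequence[float]) -> Tuple[float, float]:
    """Least-squares position from >= 3 (sensor position, distance) pairs.
    Subtracting the first circle equation from the others makes the system
    linear in (x, y); solve the 2x2 normal equations directly."""
    if len(points) < 3 or len(points) != len(dists):
        raise ValueError("need at least three sensors with distances")
    (x1, y1), d1 = points[0], dists[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), di in zip(points[1:], dists[1:]):
        ax, ay = 2.0 * (xi - x1), 2.0 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x1 ** 2 - y1 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * c
        b2 += ay * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


class Tracker:
    """Keeps the last `smoothing` RSSI readings per sensor and estimates a
    position from the averaged values; None if fewer than 3 sensors hear it."""

    def __init__(self, sensors: Dict[str, Tuple[float, float]], loss_factor: float = 2.5, smoothing: int = 5):
        self.sensors = dict(sensors)
        self.loss_factor = loss_factor
        self.readings: Dict[str, deque] = defaultdict(lambda: deque(maxlen=smoothing))

    def observe(self, sensor: str, rssi_dbm: float) -> None:
        if sensor not in self.sensors:
            raise KeyError(f"sensor {sensor} is not placed on the map")
        self.readings[sensor].append(rssi_dbm)

    def estimate(self) -> Optional[Tuple[float, float]]:
        heard = [s for s in self.sensors if self.readings.get(s)]
        if len(heard) < 3:
            return None
        avg = [sum(self.readings[s]) / len(self.readings[s]) for s in heard]
        dists = [rssi_to_distance(r, self.loss_factor) for r in avg]
        return trilaterate([self.sensors[s] for s in heard], dists)


# Constructed floor: three sensors, a device actually at (10, 8), loss factor 2.5.
SENSORS = {"sensor-1": (0.0, 0.0), "sensor-2": (30.0, 0.0), "sensor-3": (0.0, 20.0)}
TRUE_POS = (10.0, 8.0)
NOISE_DB = (+1.0, -1.0, +1.0, -1.0)   # alternating 1 dB measurement noise


def demo(smoothing: int) -> Optional[Tuple[float, float]]:
    """Feed four noisy readings per sensor; smoothing=4 averages the noise
    away, smoothing=1 uses only the last (-1 dB) reading."""
    tracker = Tracker(SENSORS, loss_factor=2.5, smoothing=smoothing)
    for name, (sx, sy) in SENSORS.items():
        true_rssi = distance_to_rssi(math.dist((sx, sy), TRUE_POS), 2.5)
        for noise in NOISE_DB:
            tracker.observe(name, true_rssi + noise)
    return tracker.estimate()


def error_m(est: Tuple[float, float]) -> float:
    return math.dist(est, TRUE_POS)


if __name__ == "__main__":
    for s in (1, 4):
        est = demo(s)
        print(f"smoothing={s}: estimate={est}, error={error_m(est):.2f} m")
```

With smoothing set to 4 the alternating noise cancels and the estimate lands on the true position; with smoothing set to 1 a single 1 dB error moves the fix by about a metre, which is why a high smoothing value suits a stationary device. The same code also shows why the loss factor matters: a 1 dB error maps to a larger distance error as n gets smaller, so an underestimated loss factor in a dense office inflates every range and pulls the fix away from the sensors.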


14.5.8 Device Tracking Information


The Tracking information panel, located on the right side of the Location Tracking window, provides basic statistics and information about the device being tracked. Click the panel's button to open it; the panel reveals the following features:
Feature                 Description
Device drop-down list   Contains all of the devices that are on the map and viewable.
Status                  Displays the status of locating the device.
MAC                     Displays the Media Access Control address of the device being tracked.
Channel                 Displays which wireless channel the device is operating on.
SSID                    Displays the device's Service Set Identifier, the network name of up to 32 characters carried in beacon, probe and association frames on a WLAN. It identifies the BSS a mobile device tries to join and the logical group that Access Points belong to. An SSID is not a secret and provides no authentication.
Protocol                Lists one of the four protocols for 802.11 WLAN traffic: 802.11a, 802.11b, 802.11g, and 802.11n. Protocols differ in their frequency range, radio channels, and data rates.
Last Seen               Lists the date/time when the device was last seen in AirDefense.
Sensors                 Lists the names of the sensors that are detecting the device. At least 3 sensors are required for a device to be located; if you have fewer than 3 sensors per map, you will not see any devices on the Location Tracking map.
Stop Tracking           When this button is selected, it removes the device from your tracking window. Note: you can also right-click on a device in the map and cancel tracking from there.

Mitigation Strategies 14-11

14.5.9 Location Tracking Right-Click Options

Right-click on one of the following levels to access the options listed for it:

Location Level, Group Level
    At the Location and Group levels, you can:
    - Create a new device locationing map
    - Delete a map that is already stored in that group
    - Load a new device locationing map from a file external to the application
Sensor Level
    At the Sensor level, you can:
    - Add a sensor to the device locationing map
    - Remove a sensor from the device locationing map
Access Point, Stations
    At the Access Point and Station levels, you can:
    - Add a device to the device locationing map
    - Remove a device from the map
    - Initiate device tracking
    - Stop device tracking


14.6 Action Manager

14.6.1 Overview
The Action Manager allows you to respond automatically to alarms in your system with a predetermined action called an Action Rule. You may define as many Action Rules as you need to manage your network.

Action Rules are added to the Action Manager to define an action (response) to an alarm. Multiple actions may be assigned to a rule. The Action Manager table displays one rule per row using the following columns:

Name
    The name of the Action Rule.
Actions
    The action(s) triggered by the Action Rule.
Scope
    The scope to which the Action Rule applies.
Alarms
    The alarms or alarm categories that trigger the Action Rule.
Exceptions
    Exceptions to the Action Rule related to the scope, alarms, or devices.
Advanced Filter
    Custom filter or expression used as a filter.
User
    The name of the user who created the Action Rule. Note: Only administrators will see this column.
Domain
    The domain name of the user. Note: Only administrators will see this column.

Once an Action Rule is added to the Action Manager, you can edit, copy, or delete it by clicking the appropriate button.


14.6.2 Add/Edit Action Rule

The Edit Action Rule window is where you add an Action Rule or edit an existing Action Rule.

The Edit Action Rule window has four tabs that are used to define an Action Rule.

14.6.2.1 Settings Tab

The Settings tab is where you name and enable your Action Rule. You can also add notes that describe the rule.

14.6.2.2 Actions Tab

The Actions tab is where you define the actions for your Action Rule. Available actions are:

Termination
    Terminates devices that generate an alarm defined in the Filter tab.
Port Suppression
    Suppresses communication between unauthorized devices and switches on your network.
ACL
    Enables the Access Control List on switches that meet the conditions defined in the Filter tab.
Report
    Runs a specific report if the conditions defined in the Filter tab are met.
E-Mail
    Sends information about an alarm via email to a recipient if the conditions defined in the Filter tab are met.
Syslog
    Sends an alarm notification to your Syslog server if the conditions defined in the Filter tab are met.
SNMP Trap
    Sends an SNMP notification to your SNMP server if the conditions defined in the Filter tab are met.
Frame Capture
    Monitors and analyzes real-time data traffic flow from devices in your wireless LAN and saves the data in a file if the conditions defined in the Filter tab are met.

Termination, Port Suppression and ACL are active countermeasures that disconnect or block the matching device. Scope such rules narrowly and use Device exceptions (see the Filter tab) for known equipment, so that a false-positive alarm does not cut off legitimate devices.

14.6.2.3 Filter Tab

The Filter tab is where you define the scope, alarms and exceptions for an Action Rule. Three types of filters are available:

Scope
    Limits the scope of the Action Rule to the system level, location level, or group level.
Alarm
    Specifies an alarm that will trigger your Action Rule. The following alarm categories may be used as triggers: Behavior, Exploits, Performance, Policy, Reconnaissance, Rogue Activity, System Health, Vulnerabilities.
Exceptions
    Adds an exception if you want to specify an exception condition for the Action Rule. There are three types of exceptions: Scope, Alarms, Device.

14.6.2.4 Advanced Tab

The Advanced Filter tab allows you to build a custom alarm filter or an expression to use as an alarm filter. Two advanced filters are available:

Filter List
    Builds an alarm filter using dropdown menus to form an expression.
Expression Editor
    Allows you to build an alarm filter using custom expressions.


14.7 Action Control

14.7.1 Overview
Action Control displays a table listing the specific actions currently being taken against devices seen on your WLAN. The types of action displayed are:
- Air Termination
- Port Suppression
- ACL
- Frame Capture.

Selecting an action displays details about the action in the Action Details window.

14.7.2 Action Control Table

The Action Control table displays specific information about an action that is taking place. The following information is included:

Start Time
    The date and time the action was initiated.
Name
    The name of the device the action was performed on.
Device ID
    The MAC address of the device.
Action Type
    The type of action that was performed.
Initiator
    The user name of the person who initiated the action.
Action Rule
    The name of the Action Rule, if the action was initiated by an Action Rule.

14.7.3 Action Control Commands

While an action is highlighted, you can right-click on it to display the commands that can be performed on that action. The following commands are available:

Air Termination
    Cancel
Port Suppression
    Cancel Port Suppression (re-enable port)
ACL
    Cancel Access Control (remove from ACL)
    Re-Apply Access Control List
    Refresh Access Control List Status
Frame Capture
    Cancel Frame Capture

You may select more than one action. If you select several actions of the same type, the commands for that type are available. If you select actions of different types, the only command available is Cancel All, which cancels every highlighted action.

Monitoring Scheduled Events

15.1 Overview
AirDefense Enterprise allows you to schedule events throughout the application. The Scheduled Events feature allows you to monitor all scheduled events from one place. You can access Scheduled Events by selecting Configuration > Scheduled Events.

You can view all the scheduled events (default) or narrow the list to one of the following types:
- AP Test
- Auto Classification
- Backups
- Firmware Upgrade
- Frame Capture
- Server Synchronization
- Forensic Backup.

You cannot schedule new events using the Scheduled Events feature. You can only view, edit, or delete Scheduled Events. The following information is displayed for each event:

Type
    Type of event that is scheduled.
Schedule
    How often the scheduled event will be conducted.
Last Run
    Last time the scheduled event was conducted.
Next Run
    Next time the scheduled event will be conducted.
Duration
    Amount of time the scheduled event lasted.
Last Result
    Result of the last scheduled event.

15.2 Altering Event Schedules

You can alter an event schedule by highlighting the scheduled event and clicking the Edit Schedule button.

You can change how often the event is conducted by selecting One Time Schedule, Intra-Day Schedule, Daily Schedule, Weekly Schedule, or Monthly Schedule from the dropdown menu. Depending on the interval you select, fill in the related fields as follows:

One Time Schedule
    Choose a time for the event by selecting a time from the Time dropdown menu. Then, select a day for the event by clicking the Calendar button in the Date field and selecting a date.
Intra-Day Schedule
    Select a time to begin the event. Then, select a frequency in hours.
Daily Schedule
    Select a frequency in days, weekdays only, or weekends only. Then, select a time of day.
Weekly Schedule
    Choose a frequency in days. Then, select one or more days on which to conduct the event by clicking the checkbox next to each day to place a checkmark in the box.
Monthly Schedule
    Choose the months in which you want to run the event by clicking the checkbox next to the month(s) to place a checkmark in the box(es). Then, select a day of the month on which to conduct the event. Last, specify a time of day.

Reporting
AirDefense Enterprise's dual approach to reporting consists of a web interface for populating report templates with data, and a flexible interface for creating additional custom report templates. The Web Reporting interface makes it easy to choose report templates and define the scope of data you want to include, then view the resulting report in a selection of formats. You can also save reports, share them with others, and schedule reports to run automatically. The Report Builder application within the GUI lets more advanced users create report templates, either basing them on the templates delivered with AirDefense or designing them from scratch. Reports you create with the report builder become available as templates in the Web Reporting interface.

16.1 Chapter Contents


This chapter contains the following topics:

Topic                        Page
Using Web Reporting          16-2
Using the Report Builder     16-4


16.2 Using Web Reporting


16.2.1 Accessing Web Reporting
To access the Web Reporting web site:
1. Select Reports from the Tools menu.
2. Log in with your Enterprise Username and Password. The report names are displayed by category.

16.2.2 Web Reporting Navigation


The Web Reporting application consists of three tabs, described below. To move from one page to another, click the tab name.

Reports
    The Reports tab is the default tab; it lists standard and custom report templates by category. You can select a report, specify applicable settings, and then display the report with data.
Published
    The Published tab lists the reports that you have run and saved as a published report. You cannot view a report published by another user unless that user shares the report. Once a report is published, you can:
    - View published report data by clicking on the report's name.
    - Delete a published report by checking its checkbox and clicking Delete.
    - Share a published report by checking its checkbox and clicking Share.
    - Make a published report private by checking its checkbox and clicking Unshare.
    - Rename a published report by clicking Rename, typing in a new report name, and then clicking Apply.
Favorites
    The Favorites tab is where you save reports that you run often. When a report is designated as a favorite, you can:
    - Edit the favorite report settings that were set when you created the report by clicking Edit Settings.
    - Schedule the report to run automatically as described in Scheduling a Report.
    - Delete a favorite report by checking the checkbox next to the report and then clicking the Delete button.

16.2.3 Creating a Report


From the Reports tab, follow these steps:
1. Click on the name of the report that you want to run. The report settings for that report are displayed.
2. Specify a start and end time for your report. The default is the last 24 hours.
3. Select the report scope. You can select your entire system, a location, or a group.
4. If you wish to publish the report, click the Publish report data checkbox, type a simple name in the Name field, and select whether you want the report to be private or shared.
5. If you wish to email the report to someone, click the Email checkbox and type the email address in the To field.
6. Select a format for the report (HTML, PDF, or CSV) from the dropdown menu.
7. Click Run Report.

NOTE: If you are publishing or emailing a report, you have the option of running the report in the background. Just click the Run Unattended button.

16.2.4 Adding Favorites


From the Reports tab, follow these steps:
1. Click Add to Favorites next to the report name. The report settings for a favorite report are displayed.
2. Specify a report range by selecting Hour(s), Day(s), or Week(s), and typing in the number of hours, days, or weeks. For example, if you select Hour(s) and type in 24, this specifies the previous 24 hours.
3. If you wish to email the report to someone, click the Email checkbox and type the email address in the To field.
4. Select a format for the report (HTML, PDF, or CSV) from the dropdown menu.
5. Click Apply.

16.2.5 Scheduling a Report


NOTE: A report must be in your Favorites tab before you can schedule it to run automatically.

From the Favorites tab, follow these steps:
1. Click Edit Schedule next to the report that you want to run automatically. The schedule settings for the report are displayed.
2. Click the Enable Schedule Execution checkbox to enable scheduling for the report.
3. In the Time(s) field, type in the times at which you want to run the report.
4. If you want to run the report weekly, click the checkbox next to each day of the week on which you want to run the report. You may choose more than one day of the week.
5. If you want to run the report monthly, click the checkbox next to each day of the month on which you want to run the report. You may choose more than one day of the month.
6. Click Apply.


16.3 Using the Report Builder


16.3.1 Creating a Report
Report Builder lets advanced users create completely original reports from blank templates. Alternatively, you can choose a report template you like and edit it. All report components are based on whether you want a report on a single device or multiple devices. Different components are available for single device reports than for multiple device reports.

16.3.2 Extensive Data


AirDefense Enterprise collects extensive data about traffic on your WLAN. The Report Builder lets you create reports using virtually any data point the server collects. The graphic below shows an example tree in the Report Builder on the left and some elements from the resultant report on the right, along with tips about how to add different types of components.


16.3.3 Navigation
Tools > Report Builder

NOTE: This may take a few minutes to load the first time you use it.

16.3.4 Creating and Saving a Report


1. Click New on the tool bar.
2. Choose a template. Either choose an existing report to edit, or choose the blank report for either a single device or for multiple devices.
   NOTE: You cannot change the number of devices after you start a report; you must create a new report.
3. Type the name you want to use for this report.
   NOTE: The name must start with a letter and cannot have any spaces or symbols, with the exception of _ (underscore).
4. Click OK, and then click Save.

16.3.5 Building Your Report


After you have created and saved a report, regardless of whether you started with a blank template or an existing report, use the following guidelines for building it out.

NOTE: Right-click menus make it easy to work with report components. Report Builder displays the right-click options that are available, and grays out those that are not.

Add sections
    Right-click on the name of the report in the tree. Select Insert Simple Components, and then select Section. Sections are simply containers for the columns in a report area. For example, if you want three tables to appear side-by-side, you create a section, add three columns, then insert the tables as described below. Use the up and down arrow buttons to move sections up and down in the tree to place them where you want them. It's a good idea to use the word Section or the letter S in the section name to help you keep track of components. You can add an empty buffer section between sections. You must have at least one column per section.
Add columns
    Right-click on a section, select Insert Simple Components, and then select Column. Columns cause items in your report to appear side-by-side. You can add one (minimum) or more columns to each section. You can add an empty buffer column between columns. It's a good idea to use the word Column or the letter C in the column name to help you keep track of components.
Add simple components
    Click Edit on the tool bar or right-click on the name of your report in the tree. Select Insert Simple Components, and then select the item you want to add. In addition to sections and columns, simple components include page breaks, headers and footers, and more.
Add data fields, tables, and charts
    To add one of these report components at the highest level in the tree, click the name of the report in the tree (the top-level node). To add a report component to a section, click the column in that section that you want to add the component to. Then either right-click or click Edit on the tool bar. Select the item you want to add.
    NOTE: When building alarm tables with an ap_MAC column, the ap_MAC column will only show data for alarms that were triggered by a station associated to an AP. Other alarms leave this field blank.
    Use the up and down arrows to move items within the tree.


16.3.6 Available Data Fields, Tables, and Charts


The following diagram shows the components, data fields, tables, and charts that are available for you to add at different points in the report tree.


16.3.7 Configuring Data Fields, Tables, and Charts


Every report component (data field, table, or chart) has configuration options you can use to create reports that contain the exact information you need. After you add a report component to your report tree, Report Builder displays the configuration options for that component. You can name the component, and then configure filters.
Hint: You may want to include the units of measure in the name you give the field. For example: Alarm (count).

16.3.8 Types of Filter Windows


There are four types of filter windows. When you choose to edit a filter, Report Builder displays the filter choices in the appropriate type of window:
- Radio buttons
- Checkboxes
- Boolean
- Text box

16.3.9 Deleting a Report


1. Click File > Delete Report in the tool bar. A confirmation window appears.
2. Select (highlight) the report that you want to delete.
3. Click Delete Report.
4. Click Yes to confirm.


16.3.10 Importing a Report


You can import a report through the Import Reports window.

To import a report, follow these steps:
1. Select File > Import.
2. Click the Add button.
3. Navigate to the report, select (highlight) it, and click the Open button. The report is added to the Report Files list. You may add as many reports as you like.
4. If a report name already exists, click the Overwrite existing reports checkbox.
5. Click the OK button.


16.3.11 Exporting a Report


You can export a report through the Export Reports window.

To export a report, follow these steps:
1. Click File > Export.
2. Select (highlight) one or more reports that you want to export.
3. Click the Add button to add the reports to the Selected Reports list. The Add All button adds all of the available reports to the Selected Reports list. The Remove button removes selected (highlighted) reports from the Selected Reports list. The Remove All button removes all reports from the Selected Reports list.
4. Click the Browse button and navigate to the directory where you want to save the exported report(s).
5. Select the directory by clicking on it.
6. Click the Open button.
7. Click the OK button.


Maintenance
This chapter describes various maintenance activities for the AirDefense Enterprise server and sensors.

17.1 Chapter Contents


This chapter contains the following topics.

Topic                         Page
System Status and Logs        17-2
Restarting AirDefense         17-2
Rebooting AirDefense          17-2
Halting AirDefense            17-2
GUI License Management        17-3
Database Management           17-5
Upgrading Sensor Firmware     17-12


17.2 System Status and Logs


17.2.1 Utilities for Logs
In the Command Line Interface, WIPSadmin provides a Manage program area that has the following utilities for system status and logs:

STATUS
    Displays the process and disk status of the system.
SYSLOG
    Displays system log entries resulting from authentication and sendmail failures. There are three entry levels: Notice, Error, and Debug. You can either display the logs on screen, or write them to a text file (syslogdata.txt).
TRIMLOG
    Clears rotated system logs if the /var partition is approaching 100% usage, and clears an overly large postgresql log.

17.3 Restarting AirDefense


17.3.1 Procedure
In the Command Line Interface, the WIPSadmin Manage program area provides a RESTART utility to restart AirDefense processes. This utility restarts all processes (this is not a full reboot!).
1. Type restart, then press <Enter>. The AirDefense Server automatically shuts down its processes and restarts them.
2. Type q, then press <Enter> to return to the main screen.

17.4 Rebooting AirDefense


17.4.1 Procedure
In the Command Line Interface, the WIPSadmin Manage program area provides a REBOOT utility to perform a soft reboot of the AirDefense Server.
1. Type reboot, then press <Enter>. The AirDefense Server automatically shuts down and restarts.
You can also reboot the AirDefense Server from a console directly attached to its keyboard and monitor ports by pressing [Ctrl] [Alt] [Del]. Anyone with physical access to that console can do this, so restrict physical access to the appliance.

17.5 Halting AirDefense


In the Command Line Interface, the WIPSadmin Manage program area provides a HALT utility to halt AirDefense.
1. Type halt, then press <Enter>. AirDefense immediately stops and runs its shutdown routine.


17.6 License Management


17.6.1 Overview
The AirDefense Enterprise GUI now handles license management for Enterprise and any add-on modules. Using the Appliance Manager program area in the GUI, you can:
- View current license agreement information
- Install licenses
- Get server keys.

17.6.2 Navigation
Configuration > Appliance Manager > Licenses

17.6.3 View Current License Information


License information is displayed in the Licenses window for WirelessIntrusionPrevention (the base license) and the following add-on modules:
- LiveRF
- SwitchIntegration
- WEPCloaking
- AdvancedForensics
- Spectrum Analysis.
NOTE: Add-on modules are only displayed when they are installed.

License status is indicated by an icon:
- A green check mark indicates the license is OK.
- A yellow flag indicates the license requires attention. It may expire soon.
- A red X indicates the license has expired.

Clicking on a license displays the following information about it:

ID
    The license ID number.
Order Number
    The order number of the license.
Purchase Date
    The date the license was purchased.
Count
    Includes the following information:
    - The number of units. The number of active units cannot exceed this number. Unit counts may be 0, a specific number, or unlimited.
    - A style that specifies whether the unit count is fixed or floating. Fixed licenses are consumed as they are used and are not released. Floating licenses are released when they are no longer being used.
    - A unit identifier. Units may be sensors, APs, switches, etc.
    - A maximum value limiting the number of units.
    - A warning limit, used to raise an alarm that the unit count is being approached and that you should consider purchasing additional licenses.
Active Date
    The start date and expiration date of the license. A warning date is also displayed, indicating when the customer will be warned that the license will soon expire. Unlimited indicates an expiration date of 9999-12-31.
Maintenance Date
    The start date and expiration date of the maintenance agreement with the customer. Unlimited indicates an expiration date of 9999-12-31.


17.6.4 Install Licenses


Installing a license is easy. Just click the Update Licenses button to begin.

There are three ways to install a license:
- Using a license file
- Using an authorization code
- Requesting a license or checking on a pending request.

17.6.5 Get Server Keys


You can upload server keys to your server from the Licenses window. Use the Get Server Keys button.

17.6.6 License Assignments


The Assignments button allows you to view which license is assigned to a device. In case of a fixed license, you can assign a license to a device. NOTE: Once you assign a fixed license to a device, you cannot move it to another device.

17.7 Database Management


17.7.1 Overview
To manage the AirDefense database, you use both the WIPSadmin utilities in the Command Line Interface and the AirDefense GUI.

17.7.2 WIPSadmin
Using the utilities in the WIPSadmin Dbase program area, you can:
- Restore Intellicenter files (IRESTORE).
- Check the integrity of the databases (INTCK).
- Update vendor MAC address information in the database (OUI).


17.7.3 GUI
Using the Appliance Manager program area in the GUI, you can:
- Clear specific parts of the database, or clear the database of all data.
- Back up the database now, or schedule a backup of the database.
- Recover database information.
- Export report data from the database.
- Synchronize primary and secondary servers.

17.7.3.1 Clearing the Database


To clear portions or all of the AirDefense database, you must use the GUI. The GUI's Appliance Manager window provides a Backups program that enables you to clear some or all of the contents of the AirDefense Server database. You can optionally clear any of the following data:
- Appliance
- Network System (will also clear Policies, Devices and Sensors)
- Alarm Configuration
- User Configuration
- Custom Reports
- User Edits
- Forensic Files
- AD Personal (will also clear AD Personal Alarms)
- Clear all data.
For complete step-by-step instructions on how to use the GUI's Backups program, see the Online Help for Configuration > Appliance Manager > Backups.

17.7.3.2 Backing Up the System


Starting with AirDefense Enterprise version 7.3, all backups are done from the GUI.

Important! Back up your database regularly. AirDefense purges its data every 7 days. If you want to archive your data, AirDefense recommends that you use the GUI's Backups program to download data to your local system, or to back up your database completely using the same Backups program.

The GUI's Appliance Manager window provides a Backups program that enables you to back up the contents of the AirDefense Server database. For complete step-by-step instructions on how to use the GUI's Backups program, see the Online Help for Configuration > Appliance Manager > Backups. Using this program, you can:
- Manually back up all data (Backup Configuration)
- Schedule a backup of data.

You can manually back up all data to the AirDefense Server, or schedule an automatic backup of all data. You can then pull the database off the AirDefense Server and archive it to your local system.

Important! Back up your database regularly. Manual backups are stored on the AirDefense Server itself. To copy backups to another server, you must use the automatic (scheduled) backup feature, which lets you specify where on another server the backup files are written. To recover a backup, you must use the Restore Configuration feature of the Backups program.

17.7.3.3 Recovering the Database


The Backups program provides a Restore Configuration feature for database and database configuration recovery. For complete step-by-step instructions on how to recover a backup, see the Online Help for Configuration > Appliance Manager > Backups. NOTE: Due to database incompatibility between Enterprise versions, a database backup can only be recovered to a system of the same build number.

17.7.4 Restoring Intellicenter (Forensic) Files


The WIPSadmin Dbase program area provides an IRESTORE utility for restoring Intellicenter (forensic) files.

NOTE: Restoration of forensic files is done from the Command Line Interface on your appliance server. However, you must first remove any existing forensic data before you restore archived forensic files.

1. Log into the GUI and navigate to Configuration > Appliance Manager > Backups > Clear Data.
2. Click the Forensics Files checkbox to select it and then click Next.
3. Select Yes to confirm that you want to clear the forensics data and then click Next.
4. Close the Clear Data window.
5. Using SCP, copy all adstatlog files that have a number appended to the appliance server, into /usr/local/tmp, EXCEPT the adstatlog file with the highest number appended.
6. Once the copy from step 5 finishes, wait a couple of minutes and then SCP the adstatlog file with the highest number appended.
7. Access the Command Line Interface.
8. Access WIPSadmin and then go to the Dbase screen.
9. Type irestore, then press <Enter>. The system prompts you to enter a fully-qualified directory name where the archived Intellicenter files reside.
10. Type /usr/local/tmp and then press <Enter>.
11. Type all and then press <Enter> to move the files into the IntelliCenter. The database restores the files from the directory you entered. When complete, the Dbase screen appears.
12. Type q, then press <Enter> to return to the main screen.
13. Exit WIPSadmin.

Why the copy order in steps 5 and 6 matters: the next time the system does a forensic file rollover it creates the next adstatlog file automatically. To choose its number, it runs ls -lrt and keys off the file with the most recent timestamp. Because you copied the highest-numbered adstatlog last, in step 6, it carries the most recent timestamp, while the others all share a timestamp a minute or two earlier. This lets the system number its next rollover file correctly.
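As an added example (not part of this guide or the AirDefense product), the following Python script applies the copy order from steps 5 and 6: it selects the numbered adstatlog files from a directory listing, sorts them numerically, copies all but the highest-numbered one, waits, and then copies that last file. The adstatlog.<N> naming, the copy and wait callbacks, and the listing it runs on are assumptions made for the example; in practice the copy callback would wrap scp to /usr/local/tmp on the appliance and the wait would sleep a couple of minutes.

```python
"""Stage archived Intellicenter (adstatlog) files for IRESTORE in the right order.

Added example, not part of the AirDefense User Guide or product. The guide's
procedure copies every numbered adstatlog file first, waits, and then copies
the highest-numbered one, so that the next rollover (which keys off the newest
timestamp via ls -lrt) picks the right number. Assumed here: archived files are
named adstatlog.<N>; the copy and wait steps are supplied by the caller.
"""
import re
from typing import Callable, Iterable, List, Tuple

# Assumed naming of archived files: adstatlog.<N>. The bare "adstatlog"
# (the live file) and anything else in the directory are ignored.
ADSTATLOG_RE = re.compile(r"^adstatlog\.(\d+)$")


def numbered_adstatlogs(names: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (number, filename) pairs for every adstatlog.<N> in the listing."""
    found = []
    for name in names:
        m = ADSTATLOG_RE.match(name)
        if m:
            found.append((int(m.group(1)), name))
    return found


def irestore_copy_order(names: Iterable[str]) -> Tuple[List[str], str]:
    """Return (files to copy first, file to copy last).

    The 'last' file is the one with the highest number. The sort is numeric
    on purpose: a lexical sort ranks adstatlog.9 above adstatlog.10, and the
    wrong file would then end up with the newest timestamp on the appliance.
    """
    numbered = sorted(numbered_adstatlogs(names))
    if not numbered:
        raise ValueError("no adstatlog.<N> files found in listing")
    *first, (_, last) = numbered
    return [name for _, name in first], last


def stage_forensic_files(names: Iterable[str],
                         copy: Callable[[str], None],
                         wait: Callable[[], None]) -> List[str]:
    """Copy in the guide's order: all but the highest number, wait, then the
    highest. `copy` and `wait` are injected so the ordering logic can be run
    offline; in production `copy` would run scp to /usr/local/tmp on the
    appliance and `wait` would sleep a couple of minutes."""
    first, last = irestore_copy_order(names)
    done = []
    for name in first:
        copy(name)
        done.append(name)
    wait()          # let the first batch's timestamps age before the last copy
    copy(last)
    done.append(last)
    return done


if __name__ == "__main__":
    # Constructed directory listing for the example; "adstatlog" is the live
    # file and "README" is noise, neither is restored.
    listing = ["adstatlog", "adstatlog.9", "adstatlog.10", "adstatlog.2", "README"]
    order = stage_forensic_files(listing,
                                 copy=lambda n: print("scp", n, "appliance:/usr/local/tmp/"),
                                 wait=lambda: print("sleep 120"))
    print(order)   # ['adstatlog.2', 'adstatlog.9', 'adstatlog.10']
```

Run it before touching the appliance to confirm which file will be copied last; if the listing mixes archives from two different rollover sequences, the highest number may not be the newest data, and the copy order should be checked by hand.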


17.7.5 Checking the Integrity of the Databases


The WIPSadmin Dbase program area provides an INTCK utility for checking the integrity of the AirDefense databases. You cannot use the GUI to perform this function.

NOTE: The AirDefense database is actually subdivided into two databases: Main (smx_main) and Users (smx_users). The Users database holds login and password information.

1. Access the Command Line Interface.
2. Type d, then press <Enter> at the command prompt on the main screen. The Dbase screen appears.
3. Type intck, then press <Enter>. The system displays three choices for a database integrity check:
   1 - Main Database (see step 4)
   2 - Users Database (see step 5)
   3 - All of the Above Databases (see step 6)
4. Type 1 <Enter> to check the Main Database (smx_main).
5. Type 2 <Enter> to check the Users Database (smx_users).
6. Type 3 <Enter> to check both the Main and Users databases simultaneously.
   Each choice runs the same sequence. The system first executes a limited examination, whose result is either PASSED or FAILED. If it fails, an integrity problem was detected in the selected database (smx_main, smx_users, or both); the system prompts you to re-index, and typing y (yes) fixes the most common source of database corruption without deleting data. If the limited examination passes, the system executes Test 2, a full data traversal. If Test 2 fails, the system again prompts you to re-index; type y (yes) to fix it without deleting data.
7. Type q and press <Enter> to return to the main screen.

17.7.6 Updating Vendor MAC Address Information


The WIPSadmin Dbase program area provides an OUI utility for updating vendor MAC address information in the AirDefense database. You cannot use the GUI to update vendor MAC address information. The OUI (organizationally unique identifier) utility adds new vendor MAC addresses to the AirDefense database.
1. Access the Command Line Interface.


2. Type d, then press <Enter> at the command prompt on the main screen. The Dbase screen appears.

3. Type OUI, then press <Enter>. The system alerts you that continuing the update will automatically cause the server processes to restart after the update has completed.
4. Type yes, then press <Enter> to continue. The system asks you to enter the fully qualified directory path where the OUI update resides (use this if you downloaded the OUI table of vendor MAC addresses from the IEEE Server), or to type I if you wish to access the IEEE Server directly (via the internet) to download the new OUI table of vendor MAC addresses.
5. Type in the fully-qualified directory path, or type I.
   If you type the directory path: AirDefense retrieves and installs the update file directly from your local server. The system then returns you to the Dbase screen.
   If you type I: The system accesses the IEEE Server via the internet and automatically downloads the new OUI table into the AirDefense database.
6. Type q and press <Enter> to return to the main screen.


17.8 Upgrading Sensor Firmware


Updates to Sensor firmware are available from AirDefense, Inc. You can use either the web-based AirDefense GUI (preferred method) or the web-based Sensor UI to update Sensor firmware.

17.8.1 Check the Current Sensor Version


Check to see if you require a Sensor upgrade.
1. Access the Sensor Network Settings by clicking Configuration > Sensor Network Settings.
2. Click on the group that your Sensor is in on the Network Tree.
3. Look at the current firmware version for the Sensor under the Current Firmware column in the right panel.
4. Look at the latest firmware version for the Sensor shown under the Uploaded Firmware column in the right panel. This is the latest version available on your server.
NOTE: You should occasionally check for the latest firmware version on the AirDefense Support website at http://www.airdefense.net/support/latest_ga.php.
5. Compare the current firmware version to the latest firmware version to see if you need to upgrade a sensor.
Example: If your current firmware version is 4.6.0.1 and the latest firmware version is 4.6.0.5, you should probably upgrade the Sensor.

17.8.2 Obtain the Upgrade File


If you went to the AirDefense Support website and determined that there was a firmware version later than what is available on your server, you can download it to your workstation. Upgrades are available on the AirDefense Self Support Portal at http://support.airdefense.net.
NOTE: You must have a current maintenance agreement, and a valid username and password to access the AirDefense Self Support Portal.

17.8.3 Upload Sensor Firmware to Your Server


NOTE: You only have to upload Sensor Firmware to your server after you have downloaded an upgrade from the AirDefense Self Support Portal.
1. Access the Sensor Network Settings window by clicking Configuration > Sensor Network Settings.
2. Click the Upload Sensor Firmware button. The Select Sensor Update File window displays.
3. Navigate to the directory (folder) where you downloaded the Sensor firmware upgrade file. The upgrade file will have an IMG extension.
4. Select (highlight) the upgrade file and then click OK. The file is uploaded to your server and the firmware version is now displayed under the Uploaded Firmware column for that Sensor.


17.8.4 Upgrading Firmware Using the AirDefense GUI


Use the Sensor Network Settings window to update Sensors with the latest Sensor firmware. You can schedule upgrades using the Sensor Upgrades button, or you can upgrade a Sensor on demand by right-clicking on it and selecting Upgrade Sensor. Click Configuration > Sensor Network Settings to access the Sensor Network Settings window.
NOTE: You may also select a group, location, or system and right-click. When you do, all the Sensors in the selected scope will be upgraded, if applicable.

17.8.4.1 On-demand Upgrade from the Sensor Network Settings Window


1. Right-click on a Sensor, group, location, or system.
2. Select Upgrade Sensor (Sensor selected) or Upgrade Sensors (group, location or system selected). A Schedule Sensor Upgrades window is displayed.
3. Change/select options as necessary and click Upgrade. You may check on the upgrade status by clicking the Sensor Upgrades button.

17.8.4.2 Scheduling an Upgrade from the Sensor Network Settings Window


1. Click the Sensor Upgrades button.
2. Click the Schedule button.


3. Change/select options as necessary.
4. Click OK.

17.8.5 Upgrading Using the Sensor UI


1. Log in to the Sensor.
2. Depending on the type of Sensor, follow one of these steps:
   a. Model 400: In the Update Firmware panel, click Browse to navigate to the locally saved firmware file and select the file. Click Commit. The Sensor firmware automatically upgrades. This process will take from one to two minutes, after which a status screen appears indicating success. If you receive a success indicator, you are finished. If you receive a failure indicator, go to step 3.
   b. Model 500: The 500 Series Sensors have two ways to update the firmware software. Both methods are done from the Update Software tab.
      Via anonymous FTP: In the Sensor Software Update URL field, type a URL containing the IP address of the FTP server and the filename of the load to be burned into FLASH. Then, click Update. For example, <ftp://169.254.1.3/SNfirmware-M510-4-6-0-2.img> (without the greater-than/less-than brackets).
      Via update file: In the Sensor Software Update File field, click Browse and navigate to the locally saved firmware file. Select the file and click Open. The filename along with its path information is displayed in the field. Click Update to update the Sensor firmware.
   NOTE: During the upload process, the Sensor goes offline. It returns to an online state on completion of the upload. If you receive a success indicator, you are finished. If you receive a failure indicator, go to step 3.
3. Reboot the Sensor and repeat the firmware upgrade.
NOTE: The upgrade will fail if one or more of the following occur:
   An incorrect Sensor update file was uploaded.
   The upgrade was interrupted on the Sensor end, for example, by a power outage. During the upload process, the Sensor receives the new firmware file, checks the data, and burns the data into its flash memory. If a power interruption takes place during this process, the Sensor will either reboot itself, or will have to be remotely rebooted. In this case, the Sensor reverts back to its factory-installed firmware version.

System Setup Wizard


A.1 Overview
The AirDefense Enterprise GUI includes a System Setup Wizard that guides you through typical settings required for an effective AirDefense system configuration. All configuration steps are optional and can be finished at any time. The System Setup Wizard starts automatically after you install or upgrade the system. You can also start the System Setup Wizard at any time thereafter by selecting Configuration > Configuration Wizard.

A.1.1 System Setup Wizard Navigation


Use the Back and Next buttons to let the wizard guide you through the tasks sequentially, or select a link from the menu of pages on the left side of the wizard to navigate directly to that page. You can exit the wizard at any time and use it again later. As you make changes to the pages, the wizard displays blue asterisks next to the page names to help you track which pages you have worked on. When you are finished working in the wizard, click the Finish button in the top right corner.

A.1.2 Appendix Organization


This appendix is organized in the same order as the Wizard's pages. The System Setup Wizard contains the following pages:
Topic                          Page
Setup System Settings          A-2
Define Network Structure       A-2
Create User Accounts           A-3
Define Policies                A-3
Configure Alarms               A-3
Schedule Auto Classification   A-4
Configure Actions              A-5
Import Devices                 A-5


A.2 System Setup Wizard Pages


A.2.1 Setup System Settings
The Setup System Settings page lets you set the system name and enable key system features.
Alternative navigation: Configuration > Configuration Wizard > Setup System Settings
1. System Name: Type the system name that you want to appear in the tree as your highest level system domain. The default name is WIPS.
2. Enable active termination: You can select the Active termination check box to enable users with admin privileges to disable the connection between wireless devices (Air Termination).
   NOTE: Users with admin privileges can make active termination available to all domains configured in the appliance. Users with manage privileges can make active termination available only within the domains they manage and the default domain.
3. Enable policy-based termination: You can select the Enable policy-based termination check box to allow users with admin privileges to create policies that automatically terminate wireless devices based on specific alarms or policy violations.
   NOTE: Users with admin privileges can create termination policies for all domains configured in the appliance. Users with manage privileges can create termination policies only within the domains they manage and the default domain.
4. Enable port suppression: You can select the Enable port suppression check box to allow users to suppress communication on the network switch port that a device is using to communicate with the network, if inappropriate activity is detected.
   NOTE: Users with admin privileges can enable port suppression for all domains configured in the appliance. Users with manage privileges can enable port suppression only within the domains they manage and the default domain.

A.2.2 Define Network Structure


The System Setup Wizard lets you quickly define Locations and Groups in the tree structure and place sensors in them.
Alternative navigation: Configuration > Configuration Wizard > Define Network Structure
Use the buttons along the top of the tree window to:
   - Add a new Location.
   - Add a new Group.
   - Delete a Location, Group, or Sensor.
   - Select a Location, Group, or Sensor, and move it up in the tree.
   - Select a Location, Group, or Sensor, and move it down in the tree.
To add a name or description for a Location or Group in the tree, select the Location or Group, and then type the name or description.
You can make additional changes to the network structure from the Network Tree.


A.2.3 Create User Accounts


Use this page to Add, Edit, or Remove User Accounts.
Alternative navigation: Configuration > Configuration Wizard > Create User Accounts
To add a user account:
1. Click the Add button.
2. Type or select values for user account settings.
3. Click OK.
To edit a user account:
1. Select the account in the list.
2. Click Edit.
3. Edit the user account settings.
4. Click OK.
To delete a user account:
1. Select the account in the list.
2. Click Delete.
You can make additional changes to User Accounts by selecting Configuration > User Preferences.

A.2.4 Define Policies


The privacy policy defines the security configurations you require for stations to be authorized in your wireless LAN. Settings you choose on this page update the default privacy policy.
Alternative navigation: Configuration > Configuration Wizard > Define Policies
Select or clear checkboxes in the following areas to define the privacy policy:
   - Base Authentication
   - Extended Authentication
   - Key Generation
   - Encryption
You can use the Policy Manager to create additional policies with alternative settings. Select Configuration > Policy Manager.

A.2.5 Configure Alarms


The Configure alarms page provides three pre-defined Security Sensitivity modes to let you quickly specify the alarms you want to enable. You can use the pre-defined policies as-is or customize them. Alternative navigation: Configuration > Configuration Wizard > Configure Alarms The Alarms you choose and their criticality may depend on your wireless environment. For example: an unauthorized station alarm would be considered critical and deserve immediate attention in a no-wireless zone, but it could be safely ignored in a public place in a congested area with many transient devices, such as a university campus.


Select the pre-defined Security Sensitivity mode that best suits your organization, and then click Advanced if you want to customize it. Pre-defined modes include:
   Monitored WLAN: generally for networks where both performance and security are concerns
   Monitored WLAN Security Only: generally for networks where security is the top priority
   Monitored WLAN congested areas: generally for networks that are more tolerant of transient or neighboring devices
To customize the sensitivity level, select the checkboxes next to the alarms you want to enable and clear the checkboxes next to the alarms you want to disable. At that point, the Custom Sensitivity radio button automatically becomes selected to indicate that you have customized one of the pre-defined modes.
You can make additional changes to the Alarm criticality by selecting Configuration > Alarm Configuration.

A.2.6 Schedule Auto Classification


The AirDefense application classifies devices it detects in your wireless network as Authorized, Unauthorized, Ignored, or to be deleted. You should periodically have the application reclassify devices. In environments with many transient devices, this can help you limit the alarm count caused by unauthorized devices. This page lets you define the rules that the system will use to automatically classify each device. It also lets you schedule auto classification to occur on a regular basis.
Alternative navigation: Configuration > Configuration Wizard > Schedule Auto Classification
To schedule Auto Classification:
1. Select the Enable scheduled classification checkbox.
2. Select the Reclassify authorized and ignored devices checkbox if you want to enable that option.
3. Use the Scope drop-down to choose the part of the network for which you want to schedule auto classification.
4. Indicate the interval at which you want the classification to occur and the time and day you want to start.
5. Type the Rule Set Name of the rule set that contains the classification rules you want to use to classify devices.
You can make additional changes to Auto Classification by selecting Configuration > Policy Manager > Auto Classification.


A.2.7 Configure Actions


Configure Action Rules that respond to alarms in your system with a predetermined action. Action Rules are also defined in the Action Manager.
Alternative navigation: Configuration > Configuration Wizard > Configure Actions
To add an Action Rule:
1. Click Add.
2. Identify the Action Rule by entering a name in the Settings tab.
3. Select the Actions tab, then the Add button to add an action.
4. Define an action. Available Actions are:
   - Termination
   - Port Suppression
   - ACL
   - Report
   - E-Mail
   - Syslog
   - SNMP Trap
   - Frame Capture
5. Select the Filter tab and select a scope, an alarm, and specify any exceptions.
6. Select the Advanced Filter tab and define a filter list as appropriate.
7. Return to the Settings tab and select the Rule Enabled checkbox.
8. Click OK.
You can make additional changes to Action Rules by selecting Tools > Action Manager.

A.2.8 Import Devices


You can import a list of access points or stations, including device information, from an external file.
Alternative navigation: Configuration > Configuration Wizard > Import Devices
1. To import a file, select Load AP File or Load Station File.
2. Browse to the file location, select the file, and then click Open. A status window appears, displaying the number of lines processed and any error messages.
3. Click Close.
You can import additional devices by selecting Configuration > Policy Manager.


WIPSadmin
B.1 Overview
You use the WIPSadmin utilities in the Command Line Interface to perform initial AirDefense configurations, then use the GUI for ongoing configuration.
NOTE: Use the GUI to name the AirDefense Server; set the system port for GUI access; enable (or disable) Air Termination, Policy-based Termination, Domain Management, and Port Suppression; and set a Threat Level (for the Dashboard) at the system level.

B.1.1 Contents
This appendix contains a description of each function within the WIPSadmin program. The functions are:
   - Manage
   - Dbase
   - Software
   - Config

B.2 Using WIPSadmin to Configure AirDefense


The WIPSadmin Config program area provides the following utilities for configuring AirDefense:
   IP: use this to change the IP address, subnet mask, and default gateway of the AirDefense Server.
   IPv6: use this to change the IPv6 address of the AirDefense Server.
   NETPORT: use this to change network interface settings, and to toggle Autonegotiation on and off.
   DNS: use this to add or delete a DNS nameserver (Domain Name Server).
   BONDING: use this to enable the High Availability Ethernet.
   HNAME: use this to change the name of the AirDefense server.
   DNAME: use this to change the domain to which the AirDefense Server belongs.
   TIME: use this to configure the AirDefense server's operating time and date.
   TZ: use this to configure the time zone in which the AirDefense Server operates.
   NTP: use this to configure a specific network time server, instead of setting TIME and TZ.
   UIPORT: use this to change the network port you are using for the GUI.


   DTAGAUTH: use this to import desktop agent stations either on a schedule or on demand.

B.2.1 Procedure
To use the WIPSadmin Config program, you must:
1. Access the Command Line Interface.
2. Type c, then press <Enter> at the command prompt. The Config screen displays.

B.2.1.1 IP
1. Type ip, then press <Enter> at the prompt to change the IP address, subnet mask, and default gateway of the AirDefense Server you are logged onto. The IP configuration screen opens, displaying the current network configuration.
2. Type a new IP address at the prompt. Press <Enter>.
3. Type a new subnet mask. Press <Enter>.
4. Type a new gateway address. Press <Enter>. Your new values display in bold text.
5. Type yes at the prompt to commit the changes. This returns you to the previous network screen. AirDefense reboots on exit from the WIPSadmin.
Important! If you are logging in remotely using SSH, check these values carefully for accuracy before typing yes or no to commit the changes. Committing incorrect information will cause you to lose connectivity to the AirDefense Server.


B.2.1.2 IPv6
1. Type ipv6, then press <Enter> at the prompt to change the IPv6 address. The IPv6 configuration screen opens, displaying the current network configuration.
2. If this is your first time using IPv6, you are prompted to enable IPv6. Just type yes and press <Enter>.
3. Type a new IPv6 address at the prompt. Press <Enter>.
4. Type yes at the prompt to commit the changes. This returns you to the previous network screen. AirDefense reboots on exit from the WIPSadmin.

B.2.1.3 NETPORT
Use NETPORT to configure the network interface link speed and duplex setting, and to toggle Autonegotiation on and off. The Autonegotiation feature enables the AirDefense Server to analyze the network and find the most efficient network interface available in some cases.
1. Type netport, then press <Enter> at the prompt to configure network link speed and duplex, and to turn Autonegotiation On and Off. The Netport configuration screen opens, displaying the current network interface configuration and prompting you to enter on or off for Autonegotiation.
2. At the prompt, press <Enter> to keep the Autonegotiation at its current status, or type in on or off to change the configuration. Press <Enter> again.
NOTE: The following steps appear only if the off option is selected.
3. At the prompt, press <Enter> to keep the current link speed, or type in the desired value. Choices are: 10, 100, or 1000 Mb/s. Press <Enter> again. The screen displays the duplex setting selections.
4. At the prompt, press <Enter> to keep the current duplex setting, or type in the desired setting. Choices are half (for half duplex) and full (for full duplex). Press <Enter> again. The screen displays the new network interface configuration.
5. At the prompt, type yes to commit the changes, or no to cancel the operation.
6. Press <Enter>. You are returned to the Config settings screen.

B.2.1.4 DNS
1. Type dns, then press <Enter> at the prompt to define DNS Servers. This adds or deletes a DNS nameserver (Domain Name Server). This is the name of the server you give to your DNS server. The NameServer screen opens, displaying your current DNS server's IP address in bold text.
2. At the prompt, type either a to add a new DNS server, or d to delete a server.
   To add an entry: type a at the prompt and type the IP address at the ensuing prompt. Press <Enter> to add the new DNS server to the list of nameservers.


   To delete an entry: type d at the prompt. At the next prompt, type in the number of the nameserver you want to delete. (If you delete a DNS server that is followed by other servers, all the ones with a lower preference will move up in priority.)
Important! Multiple DNS servers process DNS requests in order. The first DNS server on the list (identified by the number 1) is the first to offer name resolution; the second DNS server on the list (identified by the number 2) is the second to process the request if the first is unable to do so. To change the order preference of multiple servers, you must delete them all, and re-enter them in the order you want them to process your DNS requests. The first DNS server you enter will become number 1, the first to process name resolution.

3. Type q, then press <Enter> to quit and return to the main screen. You are prompted to save your changes.
4. Type yes, then press <Enter>.

B.2.1.5 BONDING
1. At the command prompt, type bonding, then press <Enter> to enable the High Availability Ethernet.
2. Type b, then press <Enter>. You will receive confirmation that bonding is enabled.
3. Type q, then press <Enter> to return to the Config settings screen.

B.2.1.6 HNAME
1. At the command prompt, type hname, then press <Enter> to change the hostname. The current hostname is displayed.
2. Type in the new hostname for your AirDefense server, then press <Enter>. You are prompted to save your changes.
3. Type yes, then press <Enter>.

B.2.1.7 DNAME
NOTE: If your system is set up to use DHCP, you will not be able to change the domain name using the WIPSadmin Config program.
1. At the command prompt, type dname, then press <Enter> to change the domain name. The current domain name is displayed.
2. Type in the new domain name for your AirDefense server, then press <Enter>. You are prompted to save your changes.
3. Type yes, then press <Enter>.


B.2.1.8 TIME
Important! Changing the system time/date could affect the integrity of the database. Any change will cause a system reboot on exit from WIPSadmin.
Setting AirDefense time consists of setting the Time and Date (TIME) and the Timezone (TZ), or alternately, enabling an NTP server (NTP). You must set the correct time (time of day, timezone, and date) or, alternately, enable an NTP server when you first set up AirDefense. Changing the time configurations after your AirDefense has accumulated data can have an adverse effect on the integral state, time, and event associations that are essential to accurate data reporting.

1. Type time, then press <Enter> at the prompt to change the AirDefense Server's operating time and date. The current date and time displays. You are prompted to enter a date in MMDDYYYY format. (Do not use colon, forward slash, or other delimiters.)
2. Press <Enter>. You are prompted to enter a time in 24-hour HHMM or HHMMSS format.
3. Press <Enter>. You are prompted to save your changes.
4. Type yes, then press <Enter>.

B.2.1.9 TZ
Important! Any change will cause a system reboot on exit from WIPSadmin.

1. Type tz, then press <Enter> at the prompt to change the AirDefense Server's time zone. The Time zone screen displays a list of global, continental regions. AirDefense prompts you to choose a global area in which your AirDefense Server resides.
2. Enter the corresponding number (to the left of your region name). Press <Enter>. A list of nations appears.
3. Enter the abbreviation of your nationality (to the left of the nation) in which the AirDefense Server resides. Press <Enter>. A list of nationalities appears.
4. Enter the number of the region within your nationality in which the AirDefense Server resides. Press <Enter>. You are prompted to save your changes.
5. Type yes, then press <Enter>. Typing yes or no reboots and clears the database on exit from WIPSadmin.


B.2.1.10 NTP
Instead of setting the AirDefense Time (TIME) and Timezone (TZ), you can enable automatic time synchronization with an NTP server.
Example: If you change the AirDefense time, such as when you move the AirDefense Server's location from the east to the west coast of the United States, you must also locate a new network time server in the same time zone.
1. Type ntp at the command prompt to enable or disable a specific network time server (NTP). The NTP screen displays your current status in bold text, whether or not you are currently set to use NTP.
2. Type e to enable NTP. You are prompted to enter the IP address or fully qualified host name (hostname.domainname.com) of a network time server. Alternately, you can type d to disable NTP. No additional input is required; NTP is immediately disabled.
3. To save the network time server settings, type q to quit. You are prompted to save your settings.
Important! Entering an invalid time server generates an error and logs you out of WIPSadmin. Also, changing the time configurations after your AirDefense has accumulated data can have an adverse effect on the integral state, time, and event associations that are essential to accurate data reporting.

B.2.1.11 UIPORT
You can change the port the GUI is using.
1. Type UIPORT at the command prompt to change the port the GUI is currently using. The UIPORT screen displays the current UI port in use.
2. At the prompt, type yes to change the current port, or no to keep the current port. If you typed no, go to step 3. If you typed yes, go to step 4.
3. If you type no, the operation is canceled. Press <Enter> to return to the Config settings screen.
4. If you type yes, the system asks you to enter a new port. Enter a new port number and press <Enter>. AirDefense automatically accepts the change.
5. Press <Enter> again. You are returned to the Config settings screen.

B.2.1.12 DTAGAUTH
1. Type dtagauth at the command prompt.
2. At the prompt, type E to schedule the imports of desktop agent stations, or type I to import desktop agent stations immediately. You will receive a confirmation message indicating success.
3. Press <Enter>. You are returned to the Config settings screen.


B.3 Manage
WIPSadmin Utility   Use this utility to...
STATUS              Display the process and disk status of the system.
SYSLOG              Display system log entries resulting from authentication and sendmail failures. You can either display the logs on screen, or write logs to a text file (syslogdata.txt).
TRIMLOG             Truncate system log files when they become too large.
WEBU                Manage AirDefense GUI Web User names and passwords. Use this utility to: Add a Web User for the AirDefense GUI. Delete a Web User for the AirDefense GUI. Change a password for a Web User for the AirDefense GUI.
PASSWD              Change the password of a Command Line User (smxmgr and smxarchive). (For more information on smxarchive, see Appendix D, Automated Data Retrieval.)
RESTART             Restart AirDefense processes (not a full reboot!).
REBOOT              Reboot AirDefense (full reboot).
HALT                Halt AirDefense (stop processes).

B.4 Dbase
WIPSadmin Utility   Use this utility to...
IRESTORE            Restore Intellicenter files.
INTCK               Check integrity of databases.
OUI                 Update vendor MAC address information in the database.


B.5 Software
WIPSadmin Utility   Use this utility to...
KEYPKG              Create a package of AirDefense system keys that can be used by AirDefense support to repair corrupt licenses.
SERVMOD             Update the current version of AirDefense software with feature enhancements or improvements.

B.6 Config
WIPSadmin Utility   Use this utility to...
IP                  Change the IP address, subnet mask, and default gateway of the AirDefense Server you are logged into.
IPv6                Change the IPv6 address of the AirDefense Server you are logged into.
NETPORT             Change the network interface connections, and toggle the Autonegotiation feature On or Off.
DNS                 Add or delete a DNS nameserver (Domain Name Server).
BONDING             Change the High Availability Ethernet settings.
HNAME               Change the name of the AirDefense Server.
DNAME               Change the domain to which the AirDefense Server belongs.
TIME                Change the AirDefense Server's operating time and date.
TZ                  Change the time zone in which the AirDefense Server is operating.
NTP                 Enable or disable a specific network time server (NTP).
UIPORT              Change the network port number over which the GUI is running.
DTAGAUTH            Import desktop agent stations either on a schedule or on demand.

Automated Data Retrieval


C.1 Overview
This appendix gives detailed instructions on how to set up automated retrieval of data from the AirDefense Server, using a local backup server running UNIX. To automatically retrieve archived data from the AirDefense Server, you must log in to the AirDefense Server from a local backup server. Additionally, the login must be secure, using SCP or SSH. For example, you may want to write a script that you run via Cron.

C.1.1 SMXARCHIVE Command Line User


The AirDefense Server is administered by the smxmgr Command Line User. The smxmgr has full access to the WIPSadmin utilities on the AirDefense Server, including the ability to set the password for the smxarchive Command Line User. The smxarchive account is a limited access account that is intended for use in automated data retrieval. The smxarchive has limited access privileges to the AirDefense Server, but can set up and perform automated retrieval. AirDefense highly recommends that you designate an smxarchive for retrieval operations.

C.2 Retrievable Data


AirDefense enables you to export data as report files, to back up the data, or to archive raw data packets (frames) into specified directories on the AirDefense Server that are separate from the database. You can set up automated retrieval of these archive files from the AirDefense Server to a backup local server.
You can set up automated retrieval of backup data (backups). Using the Data Mgmt program in Admin, you can back up the database. Database backup files back up to a specific directory on the AirDefense Server (/usr/local/smx/backups).

C.2.1 Setting Up for Retrieval


Follow the steps below to set up certificate authenticated SSH access from the AirDefense Server to your local backup server. These instructions assume you are the smxarchive Command Line User.
The following abbreviations are used in the instructions:
ADServer = IP address or hostname of your AirDefense Server
LocalServer = IP address or hostname of the local server that will retrieve the files


LocalUser = the username used on LocalServer

C.2.2 Procedure
1. On LocalServer, log in as LocalUser.
2. Run the following command to generate the keys for the LocalUser:
   /usr/bin/ssh-keygen -d -f $HOME/.ssh/id_dsa
   At the passphrase prompts, do not enter a passphrase. Hit Return. This action creates the keys for the LocalUser, id_dsa and id_dsa.pub, in the LocalUser's .ssh directory. These keys must keep these names while on this server.
3. Transfer the LocalUser's public key to your AirDefense Server. (It is a good idea to change the name of the key in the process, so it does not become confused with any other keys on the AirDefense Server.)
   /usr/bin/scp $HOME/.ssh/id_dsa.pub smxarchive@ADServer:LocalUser.pub
4. Log on to the AirDefense Server via SSH as smxarchive:
   /usr/bin/ssh smxarchive@ADServer
   Enter your password at the prompt.
5. Install the public key as an authorized entry. To do this, add the new public key to the authorized key file:
   /bin/cat $HOME/LocalUser.pub >> $HOME/.ssh/authorized_keys
6. Ensure the permissions are correct on the key file by modifying the permissions on the authorized_keys file:
   /bin/chmod 600 $HOME/.ssh/authorized_keys
7. Exit the SSH session:
   exit
8. Verify that the logon works correctly. From LocalServer run:
   /usr/bin/ssh smxarchive@ADServer
   LocalUser@LocalServer can now ssh and scp to and from smxarchive@ADServer. You should be able to log on without using a password, using only certificate authentication. LocalUser@LocalServer now has all of the access privileges of the smxarchive@ADServer.
Once automated retrieval is set up, you can use the scp UNIX utility to copy files from the AirDefense Server to your local server. AirDefense does not support FTP or telnet.
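As an added example (not from the guide or the AirDefense product), a small POSIX shell helper for the Cron-driven retrieval script the overview mentions: it checks the mode-600 key file requirement from step 6, produces an authorized_keys entry for LocalUser.pub that can only be used from LocalServer and cannot open a shell or forward ports, and runs the scp copy from /usr/local/smx/backups as smxarchive. It assumes an ed25519 key rather than the guide's DSA key (current OpenSSH refuses ssh-dss keys by default), ADServer as a placeholder hostname, and the from=/no-pty restrictions as hardening the guide does not include.

```shell
#!/bin/sh
# Added example: helpers for a cron job that retrieves AirDefense database
# backups over scp as the limited smxarchive user (Appendix C procedure).
# Assumptions not on the page: ed25519 key, restricted authorized_keys
# options, and the ADServer/LocalServer placeholder names.

set -u

# Backup directory on the AirDefense Server, as stated in C.2.
ADS_BACKUP_DIR=/usr/local/smx/backups

# check_key_perms FILE
# Return 0 only if FILE exists and its mode is exactly 600, the mode the
# procedure sets on smxarchive's authorized_keys (and the mode sshd wants on
# the private key held on LocalServer). find -perm is used because the stat
# flags differ between GNU and BSD systems.
check_key_perms() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# restricted_key_line PUBKEY FROM_HOST
# Print the authorized_keys entry for PUBKEY (the one line in LocalUser.pub)
# so that a passphrase-less key can only authenticate from LocalServer and
# cannot open a shell or forward ports. Without these options anyone who
# copies the private key off LocalServer gets every privilege of smxarchive.
restricted_key_line() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$1"
}

# fetch_cmd ADSERVER DEST_DIR [KEY]
# Print the scp command the job runs: key-only, no password prompt (BatchMode)
# and strict host-key checking so a substituted server cannot receive the
# session. Kept as a printer so it can be inspected and tested offline.
fetch_cmd() {
    key=${3:-${HOME:-$PWD}/.ssh/id_ed25519}
    printf 'scp -o BatchMode=yes -o StrictHostKeyChecking=yes -i %s -r smxarchive@%s:%s/ %s\n' \
        "$key" "$1" "$ADS_BACKUP_DIR" "$2"
}

# run_fetch ADSERVER DEST_DIR [KEY]
# Refuse to run with a world-readable key, create the destination, then copy
# the backup directory from the AirDefense Server.
run_fetch() {
    key=${3:-${HOME:-$PWD}/.ssh/id_ed25519}
    if ! check_key_perms "$key"; then
        echo "refusing to run: $key must exist with mode 600" >&2
        return 1
    fi
    mkdir -p "$2" || return 1
    scp -o BatchMode=yes -o StrictHostKeyChecking=yes -i "$key" -r \
        "smxarchive@$1:$ADS_BACKUP_DIR/" "$2"
}

# When invoked with arguments, e.g. from crontab
#   0 2 * * * /usr/local/bin/ads_fetch.sh ADServer /var/backups/airdefense
# run the retrieval; when sourced without arguments, only define the helpers.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    run_fetch "$1" "$2" "${3:-}"
fi
```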

Synchronizing Primary and Secondary Servers


D.1 Overview
You should set up automated synchronization to back up your primary server on a secondary server.
NOTE: Synchronization should only be done between a primary and a backup of the same build version. The database files are not compatible across different Enterprise versions.

D.1.1 Contents
This appendix contains the automated synchronization procedure for backup of the primary server to a secondary server.

D.2 Set Up Scheduled Database Backups on the Primary Server


1. Log into the primary server's GUI.
2. Navigate to Configuration > Appliance Manager > Backups.
3. Click on the Configuration Backup button.
4. Enable automatic backups by clicking the Enable Automatic Configuration Backup checkbox to place a checkmark in the box.
5. Click the Add button and type in a name for the backup (Name field) or select a name from the dropdown menu.
   NOTE: No names will display in the dropdown menu until after you have scheduled at least one other backup.
6. Decide how often you want to run the backup by selecting One Time Schedule, Intra-Day Schedule, Daily Schedule, Weekly Schedule, or Monthly Schedule from the dropdown menu.


7. Depending on the interval you selected in the previous step, fill in the related fields using the following table:
   Interval: One Time Schedule
   Action: Choose a time for the backup by selecting a time from the Time dropdown menu. Then, select a day for the backup by clicking the Calendar button in the Date field and selecting a date.

   Interval: Intra-Day Schedule
   Action: Select a time to begin the backup. Then, select a frequency in hours.

   Interval: Daily Schedule
   Action: Select a frequency in days, weekdays only, or weekends only. Then, select a time of day.

   Interval: Weekly Schedule
   Action: Choose a frequency in days. Then, select a day or multiple days to conduct the backup by clicking the checkbox next to the day to place a checkmark in the box.

   Interval: Monthly Schedule
   Action: Choose the months that you want to run a backup by clicking the checkbox next to the month(s) to place a checkmark in the box(es). Then, select a day of the month to conduct the backup. Last, specify a time of day.

8. Click the Apply button to set the automatic backup schedule.


D.3 Set Up Automatic Synchronization


NOTE: Automatic synchronization is a pull setup, where the backup server pulls the configuration from the Primary server. Therefore, you only need to set up automatic synchronization on the backup system (Secondary server) to ensure the same configuration on a Primary and Secondary server. No settings on the Primary server are required.

1. Log into the secondary server's GUI.
2. Navigate to Configuration > Appliance Manager > Backups.
3. Click on the Configuration Sync button.
4. Enable automatic synchronization by clicking the Enable Automatic Configuration Sync checkbox to place a checkmark in the box.
5. Click the Add button and type in a name for the synchronization (Name field) or select a name from the dropdown menu.
   NOTE: No names will display in the dropdown menu until after you have scheduled at least one other synchronization.
6. In the Address field, type in the primary server's IP address.
7. In the Port Number field, type in the port number used to reach the primary server.
8. In the Username field, type in an administrator's username on the primary server.
   NOTE: It is good practice to set up an admin account (using the same username and password) on both the primary and secondary server.
9. In the Password field, type in the password of the administrator on the primary server.
10. Decide how often you want to run the synchronization by selecting One Time Schedule, Intra-Day Schedule, Daily Schedule, Weekly Schedule, or Monthly Schedule from the dropdown menu.
11. Depending on the interval you selected in the previous step, fill in the related fields using the following table:
   Interval: One Time Schedule
   Action: Choose a time for the synchronization by selecting a time from the Time dropdown menu. Then, select a day for the synchronization by clicking the Calendar button in the Date field and selecting a date.

   Interval: Intra-Day Schedule
   Action: Select a time to begin the synchronization. Then, select a frequency in hours.

   Interval: Daily Schedule
   Action: Select a frequency in days, weekdays only, or weekends only. Then, select a time of day.

   Interval: Weekly Schedule
   Action: Choose a frequency in days. Then, select a day or multiple days to conduct the synchronization by clicking the checkbox next to the day to place a checkmark in the box.

   Interval: Monthly Schedule
   Action: Choose the months that you want to run a synchronization by clicking the checkbox next to the month(s) to place a checkmark in the box(es). Then, select a day of the month to conduct the synchronization. Last, specify a time of day.

12. Click the Apply button to set the automatic synchronization schedule.

D.4 Set Up Automatic Forensics Backup


NOTE: When you first turn on automatic Forensics backup, only new forensic files are backed up. Existing forensic files will not be backed up. You will have to save old files yourself if you want to copy them to another server.
1. Log into the secondary server's GUI.
2. Navigate to Configuration > Appliance Manager > Backups.
3. Click on the Forensics Backup button.
4. Enable automatic forensics backup by clicking the Enable Automatic Forensics Backup checkbox to place a checkmark in the box.
5. Fill in the fields described in the following table:
   Field: Protocol
   Description: The file transfer protocol to use for backing up forensics.

   Field: Host Name
   Description: The name of the server where you want to back up forensics. This can be an IP address or a DNS name defined by your DNS server.

   Field: Port Number
   Description: The port number to use during the backup.

   Field: Username
   Description: The username used to log in on the destination server.

   Field: Password
   Description: The password used to log in on the destination server.

6. Click the Apply button to enable automatic forensics backup. Now, whenever a forensics file is created, it is automatically backed up on the host specified in the Host Name field. This completes the process for setting up synchronization.

Add-on Products
E.1 Overview
The following modules are licensed separately and must be purchased in addition to the base Enterprise product. These AirDefense modules provide enhanced functionality to the Enterprise solution.
- Advanced Forensic Analysis
- Central Management Console (CMC)
- LiveRF
- Spectrum Analysis
- Troubleshooting
- Vulnerability Assessment
- WEP Cloaking

E.2 Advanced Forensic Analysis


The Advanced Forensic Analysis add-on module unleashes the full potential of AirDefense's Forensic Analysis. When installed, Advanced Forensic Analysis replaces the basic Forensic Analysis that is included in the AirDefense Enterprise application. Advanced Forensic Analysis has all the features of the basic Forensic Analysis plus some very powerful enhancements. There are two categories of Advanced Forensic Analysis:
- Scope Based Forensic Analysis
- Device Based Forensic Analysis
The extra features include:
- The ability to show forensic data for the entire system, a single location, a single group or a single sensor (Scope Based only)
- The ability to analyze more than a 24 hour time period
- The ability to adjust the time window using sliders
- Graphical views added to all tabs
- Data filters are enabled
- Location Analysis tab is activated (Device Based only)


Administrators can view the activity of a suspect device over a period of months and drill down to minute-by-minute detail of wireless activity. Records are kept over a long period of time so that administrators can review events months later to improve network security posture, assist in forensic investigations, and ensure policy compliance. These records can be used to provide evidence that an attacker has made repeated attempts to break into the wireless network and to establish where the attack was launched from. Advanced Forensic Analysis stores and manages 325 data points every minute for each wireless device on a network. This feature gives administrators more insight into wireless LAN performance and specific wireless device activity. Trends in network usage can easily be visualized to assist in performance troubleshooting such as identification of abnormal usage and capacity planning. See the AirDefense Enterprise Online Help for details on how to use Advanced Forensic Analysis.

E.2.1 Scope Based Forensic Analysis


Scope Based Forensic Analysis provides forensic data for the System level, Location level, Group level, and Sensors in the Network Tree.

The following forensic data is included with Scope Based Forensic Analysis:
- A summary that includes high-level information about the threat level, device counts and traffic for the entire scope over the selected time range (Summary tab).
- Active alarm information (Threat Analysis tab).
- Threat level information on items within the selected scope (Threat Breakdown tab).
- Transmitted and received traffic by all devices in the selected scope (Traffic Analysis tab).
- Total traffic seen by the top 100 devices in the selected scope (Traffic Breakdown tab).
- Device count for each channel over time (Channel Analysis tab).
- Device counts for Devices and Sensors (Device Analysis tab).
- Wired bandwidth usage of the Sensors in the selected Scope over time (Bandwidth Analysis tab).

E.2.2 Device Based Forensic Analysis


Device Based Forensic Analysis provides forensic data on APs and Stations.

Device Based Forensic Analysis provides Administrators with the same forensic data that Basic Forensic Analysis does, but includes the extra features mentioned earlier. The same tabs are included plus an extra Location Analysis tab. The Location Analysis tab provides information to help administrators locate devices in their wireless network. A Heat Map and a Location Map are used to locate a device. A table view is provided to display the coordinates of a device. To use the map feature, you must first import the location map that is used by Location Analysis.


E.3 Central Management Console (CMC)


The Central Management Console (CMC) is a centralized management system that allows an administrator to administer multiple AirDefense appliances from one location. The CMC application can be used to ensure that configurations are the same across multiple server appliances. Administrators no longer have to configure their appliances separately. One appliance is designated as the master server. Configuration changes can be maintained from the master server and distributed across all server appliances. Changes/updates can be made to:
- Alarm Configuration
- User Accounts
- Authorized Stations
The CMC is bundled with the Enterprise application but runs as a separate client-side application. It has its own login interface, separate from AirDefense Enterprise. To access the CMC from MS Windows, select Start > All Programs > AirDefense > Enterprise > AirDefense CMC. The login window is displayed.

Enter the Server Address, Username, and Password. Then, click Login. The CMC is displayed. NOTE: The server address is usually an IP address but can be a fully qualified host name. The username and password are case sensitive.


The CMC application allows the administrator to push out configuration changes only. Any changes made to a slave server are not automatically synchronized with the master server. Also, any changes made to configuration using CMC will override configuration settings on the slave devices.

E.3.1 Tools
CMC has a set of tools that allow administrators to:
- Search for devices on any of the managed servers.
- Load all configuration policies from the managed servers and check to see if there are any discrepancies in wireless policy settings between different managed servers. After detecting policy differences, administrators can make the policies the same across all the managed servers.
- Download log files from the managed servers to a local directory (folder) on a workstation. Once the files are in a local folder, administrators can view and examine them at any time.
- Upload Enterprise Service Modules to all managed servers at once.


E.3.2 Configuration Views


The CMC has four configuration views:
- Servers
- Alarm Configuration
- User Accounts
- Configured Devices
Using the configuration views, administrators can change configurations for all servers from one location. A brief description of each view is given in this guide. More details are included in the AirDefense Enterprise Online Help.

E.3.2.1 Servers View


The Servers view lists all the servers managed by a particular master server. Servers may be added to the list or deleted from the list as necessary. Also, administrators can manage a particular server by accessing the Enterprise GUI for that server.

E.3.2.2 Alarm Configuration View


The Alarm Configuration view allows administrators to edit and push alarm configurations to managed servers.


E.3.2.3 User Accounts View


The User Accounts view allows administrators to edit and push user account information to managed servers.

E.3.2.4 Configured Devices View


The Configured Devices view allows administrators to edit and push device configuration information to managed servers. The devices are limited to wireless stations, as these are more likely to move to other locations managed by a different WIPS server.


E.4 LiveRF
The AirDefense LiveRF module, powered by Motorola technology, provides the industry's only real-time and remote assessment of wireless network performance. With AirDefense LiveRF, network administrators can visualize the RF environment to troubleshoot wireless connectivity, throughput issues and capacity problems, and identify RF interference sources from a central console without having to send administrators out to remote locations. AirDefense LiveRF provides a real-time view of wireless coverage as well as performance, allowing administrators to determine the source of performance degradation or analyze how additional applications will affect the wireless network.

E.4.1 Features
Features include:
- View wireless signal coverage
- Assess capacity based on application
- Identify and locate sources of interference
- View wireless coverage holes
- Evaluate peak data rates by location
- Map signal-to-interference ratio
- Locate wireless devices
LiveRF is a Windows application that can be installed on any remote workstation, pulling feeds from select infrastructure Access Points and AirDefense Enterprise monitoring sensors. A site-specific floor plan with building characteristics modeled in AirDefense Architect is a prerequisite. Combining the measurements taken from WLAN infrastructure, data reported by distributed monitoring sensors and the RF characteristics of walls and other obstructions as modeled in the floor plan, LiveRF maps the results in real time on a site-specific graphical display. This provides the user with a powerful tool to identify and resolve performance, capacity, and interference related problems.

E.4.2 AP Information
LiveRF obtains information (XMT Power, Channel, etc.) about APs in two ways. It polls APs (Cisco Fat APs, etc.) that the LiveRF client supports, and it queries the ADE Servers for the APs that the LiveRF client does not support. The ADE Server obtains information (XMT Power, Channel, etc.) about APs that the LiveRF client does not directly support by importing this information from a file. The LiveRF client then imports this AP information from the ADE Server. The AP information that is imported from the ADE Server is static, and thus does not change when the AP is turned off. Thus LiveRF will continue to "see" APs even after they are powered off. One can delete the AP that was imported for LiveRF and it should disappear from LiveRF. One can then re-import it, and it should reappear. Note that APs that are queried directly by the LiveRF client will also not disappear for up to the polling interval that the LiveRF client uses.

E.4.3 Configuration
Refer to separate LiveRF installation and user guides.


E.5 Spectrum Analysis


The Spectrum Analysis add-on module gives you a tool to identify and locate interference sources on your wireless network. The analysis is conducted using only AirDefense software; no extra hardware is required. You must possess a valid Spectrum Analysis license from AirDefense for each sensor that you wish to conduct an analysis from. Spectrum Analysis supports two modes of operation:
- Background Scanning: part-time scanning of power spectral density (Layer 1), while the sensor continues to scan for WIDS (Layer 2). Generates 'RF Spectrum Analysis' alerts in the Enterprise 7.3 system (Bluetooth, Microwave, Frequency Hopper, Continuous Wave).
- Dedicated Spectrum View: the sensor is temporarily dedicated to Spectrum Analysis. While in Spectrum View the sensor provides no protocol analysis (after a user-configured time period, the sensor defaults back to WIPS).
Scanning options:
- Full Scan Mode - scan the full 2.4-2.5 GHz and 4.9-6.1 GHz spectrum to identify the presence of interference (scan more channels, spend less time on each channel)
- Interference Scan Mode - scan specific bands to classify the type of interference source (scan fewer channels, spend more time on each channel)


E.6 Troubleshooting
AirDefense Troubleshooting provides a way to remotely test connectivity to Access Points or remotely troubleshoot stations. A valid AirDefense Troubleshooting license is required before you can access either troubleshooting feature.

E.6.1 AP Test
AP Testing tracks network failures from an automated or manual AP connectivity test. Alarms are generated to indicate a failure of one of the test conditions in the test profile and should be considered a high priority event, as it may be preventing the wireless applications from operating properly. AP Testing is a tool that performs remote end-to-end network testing from a wireless perspective. The test is accomplished by using the deployed sensors as a wireless station to connect to an AP and validate that the appropriate resources can be reached. AP Testing allows validation of wireless authentication, encryption, DHCP, ACLs and firewalls, general network connectivity, and application availability. These connectivity tests can be run automatically or manually, providing proactive notification that network resources may be unavailable.
NOTE: For AirDefense Enterprise 7.3.4, AP Testing is only supported on the M510 and M520 Sensors with firmware version 5.1.x installed.

E.6.1.1 Manual AP Test


Manual AP Tests are run directly from the AirDefense Enterprise GUI using the AP Test window. To access the window, determine the scope (system, location, group, or AP) that you want to test, right-click on it, and then select Test AP Connectivity.
NOTE: When the scope is a system, location, or group, all APs in the scope are tested.


The AP Test window allows you to configure and run the AP Test. After you have configured an AP Test, you can save it as a profile. A profile can be selected later to run a test on a similar Access Point. See the AirDefense Enterprise Online Help for details on how to set up and run AP Tests on demand.

E.6.1.2 Automated (Scheduled) AP Test


Automated AP Tests must be scheduled using the Schedule AP Tests window.

The Schedule AP Tests window displays a list of all scheduled AP Tests. From the Schedule AP Tests window you can:
- Add, edit, delete, and cancel tests
- View detailed test results
- Manage the profiles that are used to run tests on similar Access Points.
See the AirDefense Enterprise Online Help for details on how to schedule AP Tests and use the Schedule AP Tests window.

E.6.2 Troubleshooting Stations


AirDefense Troubleshooting provides a web application that allows you to troubleshoot a Station's ability to connect to your wireless network. Using a Station's MAC address or device name, the Troubleshooting tool can run tests to determine the status of a Station within your wireless network and display results summarizing the status. The Troubleshooting tool is accessed through the Enterprise thin client web page. You must have a valid AirDefense Troubleshooting license before you can access the Troubleshooting tool. If you attempt to access Troubleshooting without a license, an error message is displayed.

Online web help is provided that fully explains how to use the Troubleshooting tool.


E.7 Vulnerability Assessment


NOTE: A valid AirDefense Vulnerability Assessment license is required before you will be able to access this feature.
Using your existing Sensor deployment, Vulnerability Assessment scans your wireless network for vulnerabilities utilizing a hacker's point of view. This allows you to:
- Identify network security issues before a hacker does
- Remotely scan for and discover wireless network vulnerabilities
- Generate alarms to bring attention to vulnerabilities
The assessment is accomplished by using deployed sensors as a wireless station to connect to an AP and scan network resources. Vulnerability Assessment can be run automatically or manually, providing proactive notification that network resources may be compromised.
NOTE: For AirDefense Enterprise 7.3.4, AP Testing is only supported on the M520 Sensor with firmware version 5.2.x installed.

E.7.1 Manual Vulnerability Assessment


Manual Vulnerability Assessments are run directly from the AirDefense Enterprise GUI using the Vulnerability Assessment window. To access the window, determine the scope (system, location, group, or AP) that you want to assess, right-click on it, and then select Vulnerability Assessment.
NOTE: When the scope is a system, location, or group, all APs in the scope are assessed.


The Vulnerability Assessment window allows you to configure and run the assessment. After you have configured an assessment, you can save it as a profile. A profile can be selected later to run an assessment on a similar scope. See the AirDefense Enterprise Online Help for details on how to set up and run Vulnerability Assessments on demand.


E.7.2 Automated (Scheduled) Vulnerability Assessment


Automated Vulnerability Assessments must be scheduled using the Schedule Vulnerability Assessment window.

The Schedule Vulnerability Assessment window displays a list of all scheduled assessments. From the Schedule Vulnerability Assessment window you can:
- Add, edit, delete, and cancel assessments
- View detailed assessment results
- Manage the profiles that are used to run assessments on similar scopes.
See the AirDefense Enterprise Online Help for details on how to schedule Vulnerability Assessments and use the Schedule Vulnerability Assessment window.


E.8 WEP Cloaking


In order to extend the life of some older legacy equipment that only supports WEP encryption, AirDefense has implemented a feature known as WEP Cloaking. This technology injects "noise" into a WEP-protected environment by transmitting frames that appear to be sourced from valid devices but are encrypted with an invalid WEP key. This has very little impact on the devices that know the correct WEP key and serves to confuse any attackers who might be attempting to crack the WEP key.
NOTE: By default, the sensor is a passive wireless monitoring device and does not transmit (provided termination has not been enabled). Enabling the sensors for WEP Cloaking will cause the sensors to actively transmit on the channels of the Access Points they are protecting.

E.8.1 How Does WEP Cloaking Work?


AirDefense sensors communicate with the Enterprise server to coordinate cloaking operations. The server can be configured to instruct a group of sensors to cloak authorized devices in a given location. Sensors are designed to intelligently adjust their frequency scanning patterns to maximize cloaking effectiveness while performing regular Wireless IPS scanning on other channels. More than one sensor can cloak a single wireless device, depending on spatial coverage. Once configured for cloaking, sensors intelligently analyze local traffic and insert carefully timed cloaking frames as shown in the figure below. To attackers, who do not have the secret WEP key, these cloaking frames appear as legitimate WEP traffic between authorized devices. Authorized devices, configured with the production WEP key, automatically ignore the cloaking frames because their integrity check fails.

An attacker sniffing traffic will not be able to distinguish between cloaking frames and legitimate frames, and therefore cannot filter out the cloaked frames. When statistical WEP cracking tools are run on the captured data, they simply fail to decode the key. The following figure shows a screenshot of Aircrack-ng with WEP Cloaking enabled.
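The reason an authorized station drops a cloaking frame is WEP's own integrity check. As an added example (not from the AirDefense guide or its sensors), the Python below implements WEP framing (RC4 seeded with IV||key, CRC-32 ICV) and runs a constructed capture of legitimate and cloaking frames through a station's receive check; the keys, IVs and payloads are constructed for the demo.

```python
"""Added example, not from the AirDefense guide: why a client holding the
production WEP key silently drops cloaking frames. WEP seeds RC4 with
IV||key and appends a CRC-32 ICV to the payload; the receiver re-checks
the ICV after decryption. A frame built under any other key decrypts to
garbage, so its ICV fails and the frame is discarded. Keys, IVs and
payloads below are constructed for the demo."""
import struct
import zlib

PRODUCTION_KEY = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
CLOAK_KEY = bytes.fromhex("a5a5a5a5a5")       # constructed invalid key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || RC4(IV||key, payload || ICV); ICV is little-endian CRC-32."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """What a station does on receipt: decrypt, recompute the ICV, and
    return the payload, or None when the integrity check fails."""
    iv, body = frame[:3], frame[3:]
    if len(iv) != 3 or len(body) < 4:
        return None
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(payload) & 0xFFFFFFFF):
        return None  # ICV mismatch: frame discarded, exactly what cloaking relies on
    return payload


def station_receive(key: bytes, frames: list) -> list:
    """Run a capture of mixed frames through a station's WEP check and
    return only the payloads it accepts."""
    accepted = []
    for frame in frames:
        payload = wep_decrypt(key, frame)
        if payload is not None:
            accepted.append(payload)
    return accepted


def demo() -> dict:
    """Interleave constructed legitimate and cloaking frames and show that
    a production-key station keeps only the legitimate ones."""
    legit = [wep_encrypt(PRODUCTION_KEY, bytes([0, 0, n]), b"real data %d" % n)
             for n in range(3)]
    # Cloaking frames: same IV space and frame layout, but encrypted with a
    # key the authorized devices do not hold.
    cloak = [wep_encrypt(CLOAK_KEY, bytes([0, 0, n]), b"noise %d" % n)
             for n in range(3)]
    capture = [f for pair in zip(legit, cloak) for f in pair]
    return {
        "captured": len(capture),
        "accepted": station_receive(PRODUCTION_KEY, capture),
    }


if __name__ == "__main__":
    print(demo())
```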

E.8.2 What if there Is a Problem?


In the event of a wired network outage, if sensors lose their connection with the centralized server, they will continue to cloak. In addition, WEP Cloaking is optimized not to disturb the wireless environment or impact Wireless LAN performance. The sensors use countermeasures, correlation through the server, and mutual coordination over the air to maximize the effectiveness of cloaking with nominal wired and wireless bandwidth consumption.

E.8.2.1 Are there any Recommendations?


You should use a layered security approach to fortify your wireless network. AirDefense recommends that you follow these guidelines to secure a wireless network utilizing WEP wireless devices:
- Use AirDefense WEP Cloaking to protect the wireless network using WEP Encryption.
- Enable policy-based termination on Rogue Station and Replay Injection Attack alarms.
- If the access points support PSPF (Public Secure Packet Forwarding) mode, also referred to as AP isolation, you must enable it. PSPF mode prevents wireless client to wireless client communication and will limit the effectiveness of a typical replay attack.
- When choosing your WEP key, it is best to use a randomly chosen hexadecimal key.
- Analyze the power output of the APs to ensure that the AP is not transmitting any further than is necessary.
- Authorize only specific data rates: check the AP's allowed data rates to ensure that unnecessarily distant wireless associations, which would result in a low negotiated data rate, do not provide a wireless client access to the network through the AP.
- If the AP is 802.11b/g and the stations which require WEP are 802.11b devices and not 802.11g, disable the AP from supporting data rates higher than 11 Mbps.

E.8.3 How Do I Configure WEP Cloaking?


Follow these steps to configure WEP Cloaking:
1. Go to Configuration > Monitoring Policy Manager.
2. You can enable WEP Cloaking on Sensors for your entire system, a location, a group, or one or more Sensors.
3. Select a System, Location, Group, or Sensor(s).
4. Select the Profile Configuration tab.
5. Select No for Inherit Profile From.
6. Select Yes for the Web Cloak feature.
7. Click Apply.
The system automatically detects the authorized APs to protect and starts WEP Cloaking.


Customer Support
F.1 Motorola's Enterprise Mobility Support Center
If you have a problem with your equipment, contact Enterprise Mobility support for your region. Contact information is available by visiting http://support.symbol.com and, after selecting your region, clicking on the appropriate link under Support for Business. When contacting Enterprise Mobility support, please provide the following information:
- Serial number of the unit
- Model number or product name
- Software type and version number
Motorola responds to calls by email, telephone or fax within the time limits set forth in support agreements. If you purchased your Enterprise Mobility business product from a Motorola business partner, contact that business partner for support.

F.2 Customer Support Web Site


Motorola's Support Central Web site, accessed via the Symbol-branded products link under Support for Business, provides information and online assistance including developer tools, software downloads, product manuals and online repair requests.


.16-4 creating a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-4 Creating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-2 Criticality, of alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-5 Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-1

IN-2

AirDefense Enterprise User Guide

D
Dashboard preferences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Data fields, in reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6 Database backups on the primary server . . . . . . . . . . . . . . . . . . . . .D-1 Dbase screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-9, 17-11 Dbase (WIPSadmin program area-also see WIPSadmin utilities) . . . . . . . . . . . . . . . . . . 17-5, 17-7, 17-9, 17-10, B-7 default certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Deleting a report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9 Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Device Analysis Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1 Device Based Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . . . E-1, E-3 Device classification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Device Density . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Device Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1 Device synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10 Device termination, enabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Device termination, enabling on sensors . . . . . . . . . . . . . . . . . . . . . 7-2 Devices, authorized. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Devices, auto-classifying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 Devices, ignored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Devices, importing multiple . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . 8-4 Devices, neighboring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Devices, unauthorized. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12 DHCP, and sensor configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30 Display preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 DNAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 DNAME (WIPSadmin utility-also see Config program area) . . . . . 12-4 DNAME (WIPSadmin utility--also see Config program area). . . . . .B-1 DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4, B-3 DNS (WIPSadmin utility--also see Config program area) . . . . B-1, B-3 Domain considerations, and tree organization. . . . . . . . . . . . . . . . . 6-2 Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Domain Name Resolution, and sensor configuration. . . . . . . . . . . 7-30 Domain Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1 Domain-based partitioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Domain-based partitioning, enabling . . . . . . . . . . . . . . . . . . . . . . . . 2-4 DTAGAUTH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 DTAGAUTH (WIPSadmin utility--also see Config program area). . .B-2 Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Forensic Analysis, accessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-7 Forensic Analysis, Device Based . . . . . . . . . . . . . . . . . . . . . . . . . . .E-3 forensic data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-7 Forensic Time window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-7 Forensics Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-4 Frame Capture Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-6 Frame Capture Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-6

G
Graphical User Interface (GUI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-8 Guest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9, 3-2 GUI, Current User Information tab . . . . . . . . . . . . . . . . . . . . . . . . . .3-9 GUI, Other Preferences tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9 GUI, Preferences tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9

H
HALT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 Halt AirDefense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2 HALT (WIPSadmin utility-also see Manage program area) . . . . . .17-2 HHMM format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5 HHMMSS format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5 High-water mark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-3 HNAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 HNAME (WIPSadmin utility-also see Config program area) . . . . .12-4 HNAME (WIPSadmin utility--also see Config program area). . . . . .B-1 Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4 Host name mismatch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3 Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4 http and https, sensor connections. . . . . . . . . . . . . . . . . . . . . . . . . .7-2

I
Ignored devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2, 14-4 importing a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-10 Importing multiple devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-4 Importing Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-8 INTCK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 Interfaces, sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2 IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-6 IP (WIPSadmin utility--also see Config program area) . . . . . . . B-1, B-2 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1, B-8 IRESTORE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 IRESTORE (WIPSadmin utility--also see Dbase program area) . . .17-7

E
Email notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Encryption Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Enterasys AP1602 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 exporting a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-11

J
Java Security Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3

K
KEYPKG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8

F
File for importing Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 File Format for importing Switches . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 File format, importing APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 File format, importing stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1 Filters, in reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-8 Firmware prerequisite, sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-7, E-1, E-2

L
LDAP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8 license management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-3 Live View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1, 13-3, 13-6, 14-4 LiveRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .E-8 Local authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7 local system time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13 Location Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4, 14-7 Location tracking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-2

IN-3

Location Tracking Right-Click Options . . . . . . . . . . . . . . . . . . . . . 14-11 Location Tracking, and sensor placement . . . . . . . . . . . . . . . . 5-3, 5-8 Location Tracking, triangulation . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7 Lock On Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-32 Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Port suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-1 Port Suppression, enbling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-3 ports, Sensor connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2 Power and Data cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-4 Preferences, user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9

M
Mail Relay Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Manage (WIPSadmin program area-also see WIPSadmin utilities) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2 Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9, 3-2 Manager view. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Manual authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Manual data backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 manual server synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Mitigation strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1 MMDDYYYY format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-5 Mobile, and sensor placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Model 510 Sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Model 510 Sensor LED Functionality . . . . . . . . . . . . . . . . . . . . . . . 7-28 Model 520 Sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Model 520 Sensor LED Functionality . . . . . . . . . . . . . . . . . . . . . . . 7-29 Monitoring Policy Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22 Monitoring Scheduled Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1 Monitor, Sensor Web User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Motorola AP300 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Motorola AP51xx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Motorola AP71xx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Q
Quick Scan Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32

R
RADIUS setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8 REBOOT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 REBOOT (WIPSadmin utility-also see Manage program area) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1, 17-2 Rebooting a sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33 Rebooting AirDefense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2 Recovering the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7 Refresh rate, dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9 Remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7 Report Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1, 16-4 report favorites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-3 report scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-3 Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-1 Reports, building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-4 Reports, creating. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-2 Reports, templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-4 RESTART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 RESTART (WIPSadmin utility-also see Manage program area) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1, 17-2 Restoring Intellicenter Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7 Retrievable Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-1 Rogue Detection, and sensor placement . . . . . . . . . . 
. . . . . . . . . . .5-3 Rogue mitigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-4 Rogue-on-my-network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-4 Root-signed certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2 Root-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2 Rule sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-9

N
Neighboring devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 NETPORT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1, B-3, B-8 Network connections, sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Network Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9, 3-2 Network Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Nortel 2330 and 2330A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Notification filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 NTP (WIPSadmin utility--also see Config program area) . . . . . B-1, B-6

S
save a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-5 Scale Tool Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-8 Scan Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32 Scanning Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32 Scheduled data backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 Scheduled database backups on the primary server . . . . . . . . . . . D-1 Scheduled device classification . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-8 Scheduled Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-1 scheduling a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-3 scheduling Sensor upgrades from the Sensor Network Settings window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-13 Scope Based Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . . . E-1, E-2 Sections, in reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-5 Security Alert Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3 Security view. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9 Sendmail failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2 Sensor Coverage Survey Process . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5 Sensor interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2 Sensor Netmask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-12 Sensor Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-16

O
Obtain the Sensor Upgrade File . . . . . . . . . . . . . . . . . . . . . . . . . . 17-12 On-Demand auto classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 on-demand Sensor Upgrades from the Sensor Network Settings window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-13 Other Preferences tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 OUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 OUI (WIPSadmin utility--also see Dbase program area) . . 17-9, 17-10

P
PASSWD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 Passwords, changing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3, 3-9 Performance view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Physical and Electromagnetic Interference . . . . . . . . . . . . . . . . . . . 5-2 Policy Enforcement, and sensor placement . . . . . . . . . . . . . . . . . . . 5-3 Policy-based Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Port Suppression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11

IN-4

AirDefense Enterprise User Guide

Sensor Network settings, Model 500 Sensor . . . . . . . . . . . . . . . . . 7-5 Sensor placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Sensor placement, and Location Tracking . . . . . . . . . . . . . . . . . . . . 5-8 Sensor Quantity, Location, and Installation . . . . . . . . . . . . . . . . . . . 5-3 Sensor Reboot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33 Sensor Syslog Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8 Sensor Syslog window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 Sensor UI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Sensor UI Web User login password . . . . . . . . . . . . . . . . . . . . . . . 7-10 Sensor upgrades via scheduling. . . . . . . . . . . . . . . . . . . . . . . . . . 17-13 Sensor Upgrades window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-13 Sensor User Interface (Sensor UI) . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Sensors, rebooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33 Sensors, troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28 server access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 server connection options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 server keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-5 server synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 SERVMOD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 Setting Up for Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.C-1 Shutdown routine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2 Simple Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-5 smxarchive, Command Line User . . . . . . . . . . . . . . . . . . . . . . . . . . .C-1 smxmgr, Command Line User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-1 SNMP notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 SNMP (notifications). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Soft reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2 Spectrum Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-10 SSL certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Stations, file format for importing . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 STATUS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 STATUS (WIPSadmin utility-also see Manage program area). . . . 17-2 Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .D-1, D-3 Synchronizing Primary and Secondary Servers . . . . . . . . . . . . . . . .D-1 SYSLOG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 Syslog notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Syslog (notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 SYSLOG (WIPSadmin utility-also see Manage program area). . . . 17-2 syslogdata.txt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2 System log entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2 System name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 System Setup Wizard . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-1 System Setup Wizard, and tree organization. . . . . . . . . . . . . . . . . . 6-3

TIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 Time Stamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13 TIME (WIPSadmin utility--also see Config program area) . . . . B-1, B-5 TLS encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2 Tomcat certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2 Trapeze Mobility Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-4 Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1 Triangulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-2 Triangulation considerations, and tree organization . . . . . . . . . . . .6-1 TRIMLOG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 TRIMLOG (WIPSadmin utility-also see Manage program area). . .17-2 Troubleshooter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9, 3-2 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .E-11 Troubleshooting Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .E-13 TZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8 TZ (WIPSadmin utility--also see Config program area) . . . . . . B-1, B-5

U
UI scope considerations, and tree organization . . . . . . . . . . . . . . . .6-2 UIPORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6, B-8 UIPORT (WIPSadmin utility--also see Config program area) . . . . . .B-1 Unauthorized devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2, 14-4 Updating Vendor MAC Address Information . . . . . . . . . . . . . . . .17-10 upgrade Sensor(s) on-demand from the Sensor Network Settings window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-13 Upgrading Sensor Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-12 Upgrading Sensor Firmware Using the Sensor UI . . . . . . . . . . . .17-14 User accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1 user accounts, creating and changing . . . . . . . . . . . . . . . . . . . . . . .3-3 User preferences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9 User types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-9 User types (roles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2

V
Vintage view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9 Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .E-14

W
warning window, accessing Spectrum View . . . . . . . . . . . . . . . . . .3-9 Web Reporting Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-2 Web Reporting interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-1 WEBU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-7 WEP Cloaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2, E-17 WIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2 WIPSadmin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1, B-6 Wizard, System Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 WLSE Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-11

T
Tables, in reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6 TCP 443, sensor connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 TCP 80, sensor connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Third-party CA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Threat assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1

Z
Zero-configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30

MOTOROLA INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorola.com 72E-130457-01 Revision A - October 2009
