all | frequencies |
|
exhibits | applications |
---|---|---|---|---|
manual |
app s | submitted / available | |||||||
---|---|---|---|---|---|---|---|---|
1 2 |
|
USERS MANUAL | Users Manual | 4.32 MiB | March 10 2010 / April 10 2010 | |||
1 2 | Attestation Statements | March 10 2010 / April 10 2010 | ||||||
1 2 | Cover Letter(s) | March 10 2010 / April 10 2010 | ||||||
1 2 | Cover Letter(s) | March 10 2010 / April 10 2010 | ||||||
1 2 | Cover Letter(s) | March 10 2010 / April 10 2010 | ||||||
1 2 | External Photos | March 10 2010 / April 10 2010 | ||||||
1 2 | Internal Photos | March 10 2010 / April 10 2010 | ||||||
1 2 | ID Label/Location Info | March 10 2010 / April 10 2010 | ||||||
1 2 | ID Label/Location Info | March 10 2010 / April 10 2010 | ||||||
1 2 | Operational Description | March 10 2010 / April 10 2010 | ||||||
1 2 | RF Exposure Info | March 10 2010 / April 10 2010 | ||||||
1 2 | Cover Letter(s) | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Setup Photos | March 10 2010 / April 10 2010 | ||||||
1 2 | Cover Letter(s) | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Report | March 10 2010 / April 10 2010 | ||||||
1 2 | Test Setup Photos | March 10 2010 / April 10 2010 |
1 2 | USERS MANUAL | Users Manual | 4.32 MiB | March 10 2010 / April 10 2010 |
Installation Guide
SpectraGuard Enterprise An AirTight Product Wireless Vulnerability Management and Intrusion Prevention Version 5.7
AirTight Networks, Inc., 339 N. Bernardo Avenue, # 200, Mountain View, CA 94043 https://www.airtightnetworks.com Product documentation is being enhanced continuously based on customer feedback. To obtain a latest copy of this document, visit www.airtightnetworks.com/home/support.html
Thispagehasbeenintentionallyleftblank.
SpectraGuard Enterprise InstallationGuide Disclaimer THEINFORMATIONINTHISGUIDEISSUBJECTTOCHANGEWITHOUTANYPRIORNOTICE. AIRTIGHTNETWORKS,INC.ISNOTLIABLEFORANYSPECIAL,INCIDENTAL,INDIRECT,ORCONSEQUENTIAL DAMAGESWHATSOEVER(INCLUDING,WITHOUTLIMITATION,DAMAGESFORLOSSOFBUSINESSPROFITS, BUSINESSINTERRUPTION,LOSSOFBUSINESSINFORMATION,ORANYOTHERPECUNIARYLOSS)ARISINGOUTOF THEUSEOFORINABILITYTOUSETHISPRODUCT. THISPRODUCTHASTHECAPABILITYTOBLOCKWIRELESSTRANSMISSIONSFORTHEPURPOSEOFPROTECTING YOURNETWORKFROMMALICIOUSWIRELESSACTIVITY.BASEDONTHEPOLICYSETTINGS,YOUHAVETHE ABILITYTOSELECTWHICHWIRELESSTRANSMISSIONSAREBLOCKEDAND,THEREFORE,THECAPABILITYTO BLOCKANEXTERNALWIRELESSTRANSMISSION.IFIMPROPERLYUSED,YOURUSAGEOFTHISPRODUCTMAY VIOLATEUSFCCPART15ANDOTHERLAWS.BUYERACKNOWLEDGESTHELEGALRESTRICTIONSONUSAGEAND UNDERSTANDSANDWILLCOMPLYWITHUSFCCRESTRICTIONSASWELLASOTHERGOVERNMENT REGULATIONS.AIRTIGHTISNOTRESPONSIBLEFORANYWIRELESSINTERFERENCECAUSEDBYYOURUSEOF THEPRODUCT.AIRTIGHTANDITSAUTHORIZEDRESELLERSORDISTRIBUTORSWILLASSUMENOLIABILITYFOR ANYDAMAGEORVIOLATIONOFGOVERNMENTREGULATIONSARISINGFROMYOURUSAGEOFTHEPRODUCT, EXPECTASEXPRESSLYDEFINEDINTHEINDEMNITYSECTIONOFTHISDOCUMENT. LIMITATIONOFLIABILITY AirTightwillnotbeliabletocustomeroranyotherpartyforanyindirect,incidental,special,consequential,exemplary,or reliancedamagesarisingoutoforrelatedtotheuseofSpectraGuardEnterpriseunderanylegaltheory,includingbutnot limitedtolostprofits,lostdata,orbusinessinterruption,evenifAirTightknowsoforshouldhaveknownofthepossibilityof suchdamages.Regardlessofthecauseofactionortheformofaction,AirTightstotalcumulativeliabilityforactualdamages arisingoutoforrelatedtotheuseofSpectraGuardEnterprisewillnotexceedthepricepaidforSpectraGuardEnterprise. Copyright20032008AirTightNetworks,Inc.AllRightsReserved. AirTightNetworks,TheAirTightlogo,andSpectraGuardareregisteredtrademarksofAirTightNetworks.Allother productsandservicesaretrademarks,registeredtrademarks,andservicemarksorregisteredservicemarksoftheirrespective owners. ThisproductcontainscomponentsfromOpenSourcesoftware.Thesecomponentsaregovernedbythetermsandconditions oftheGNUPublicLicense.Toreadthesetermsandconditionsvisithttp://www.gnu.org/copyleft/gpl.html. ThisproductisprotectedbyoneormoreofU.S.patentNos.7,002,943,7,154,874,7,216,365,7,333,800,7,333,481,7,339,914, 7,406,320,AustralianpatentNo.200429804andanyotherslistedatwww.airtightnetworks.com/patents.Morepatentspending.
FederalCommunicationCommissionInterferenceStatement ThisequipmenthasbeentestedandfoundtocomplywiththelimitsforaClassBdigitaldevice,pursuanttoPart15ofthe FCCRules.Theselimitsaredesignedtoprovidereasonableprotectionagainstharmfulinterferenceinaresidential installation.Thisequipmentgeneratesusesandcanradiateradiofrequencyenergyand,ifnotinstalledandusedin accordancewiththeinstructions,maycauseharmfulinterferencetoradiocommunications. However,thereisnoguaranteethatinterferencewillnotoccurinaparticularinstallation.Ifthisequipmentdoescause harmfulinterferencetoradioortelevisionreception,whichcanbedeterminedbyturningtheequipmentoffandon,theuser isencouragedtotrytocorrecttheinterferencebyoneofthefollowingmeasures:
Reorientorrelocatethereceivingantenna. Increasetheseparationbetweentheequipmentandreceiver. Connecttheequipmentintoanoutletonacircuitdifferentfromthattowhichthereceiverisconnected. Consultthedealeroranexperiencedradio/TVtechnicianforhelp. ThisdevicecomplieswithPart15oftheFCCRules.Operationissubjecttothefollowingtwoconditions:(1)Thisdevicemay notcauseharmfulinterference,and(2)thisdevicemustacceptanyinterferencereceived,includinginterferencethatmay causeundesiredoperation. FCCCaution:Anychangesormodificationsnotexpresslyapprovedbythepartyresponsibleforcompliancecouldvoidthe usersauthoritytooperatethisequipment. IMPORTANTNOTE: ii SpectraGuardEnterpriseInstallationGuide Disclaimer FCCRadiationExposureStatement: ThisequipmentcomplieswithFCCradiationexposurelimitssetforthforanuncontrolledenvironment.Thisequipment shouldbeinstalledandoperatedwithminimumdistance20cmbetweentheradiator&yourbody. Ifthisdeviceisgoingtobeoperatedin5.15~5.25GHzfrequencyrange,thenitisrestrictedinindoorenvironmentonly. Thistransmittermustnotbecolocatedoroperatinginconjunctionwithanyotherantennaortransmitter. This product must be installed by a professional technician/installer. Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device. The County Code Selection feature is disabled for products marketed in the US/Canada. This Class [B] digital apparatus complies with Canadian ICES-003. Cet appareil numerique de la classe [B] est conforme a la norme NMB-003 du Canada. SpectraGuardEnterpriseInstallationGuide iii If this device is going to be operated in 5.15 ~ 5.25GHz frequency range, then it is restricted in indoor environment only. FCC NOTICE: To comply with FCC part 15 rules in the United States, the system must be professionally installed to ensure compliance with the Part 15 certification. It is the responsibility of the operator and professional installer to ensure that only certified systems are deployed in the United States. The use of the system in any other combination (such as co-located antennas transmitting the same information) is expressly forbidden. Only the antennas listed below are allowed to be used with the radio. Ant. Antenna Model Name Type Product description 2.4/5 GHz Gain (dBi) Tx/Rx mode REMARK 1 2 3 4 5 6 7 Omni Ant. 3CWE591 Omni Ant. S24513BPX 3Com 6/8dBi Dual-Band Omni Antenna CUSHCRAFT 2.4~2.5&
4.9~5.9 GHz DUAL BAND OMNI ANTENNA Airtight 2.4~2.5& 4.9~5.9 6/8 6/6.5 1T1R/
1T1R concurrent 1T1R/
1T1R concurrent Omni Ant. SS-200-AT-AN-30 GHz Dual-band Omnidirectional 6/6.5 1T1R/
1T1R concurrent Omni Ant. TGX-102XNXXX Panel Ant. 3CWE596 Indoor/outdoor antenna Joymax Base Station Antenna 3Com 18/20dBi Dual-Band Panel Antenna 6/6 18/20 1T1R/
1T1R concurrent 2T2R/
2T2R concurrent Panel Ant. 3CWE598 3Com 8/10dBi Dual-Band Panel Antenna 8/10 2T2R/
2T2R concurrent Panel Ant. SL24513P12SMF ceiling mounted 3/3 CUSHCRAFT Tri-mode, dual band 802.11b/a/g 2T2R/
2T2R concurrent 2T2R/
2T2R concurrent Omnidirectional panel antenna Airtight dual band 802.11b/a/g Omnidirectional Indoor panel antenna 3Com 2dBi Dual-Band Omni Antenna Kit 3/3 2/2 3/3 8 Panel Ant. SS-200-AT-AN-10 Monopole Ant. 3CWE590 PCB Ant. TFF-A015MPAX-361 Integrated PCB Antenna 2T3R Main Ant. for test 2T3R Main Ant. for test 9 10 Main Ant. for test
-
-
-
Main Ant. for test
-
-
-
EndUserLicenseAgreement YouorYourshallmeananyperson,entityororganizationthatusesAirTightproducts. AirTight,shallmeanAirTightNetworks,Inc. AirTightCompetitorapersonorentityinthebusinessofwirelesssecurityproductsorservicessubstantially EndUserLicenseAgreement BEFOREYOUCLICKIHAVEREADANDAGREETOTHELICENSINGAGREEMENTABOVEOROTHERWISEUSEOR ACTIVATETHEAIRTIGHTPRODUCTS,READTHISAGREEMENTCAREFULLY.ITISALEGALLYBINDING AGREEMENTANDCONTROLSYOURANDYOURCOMPANYSUSEOFTHEAIRTIGHTPRODUCTS. WHENYOUCLICKIHAVEREADANDAGREETOTHELICENSINGAGREEMENTABOVEOROTHERWISE DOWNLOAD,USEORACTIVATETHEAIRTIGHTPRODUCTS,THISAGREEMENTGOVERNSYOURUSE.THIS AGREEMENTISENFORCEABLEAGAINSTYOUANDANYENTITYTHATOBTAINSORUSESTHEAIRTIGHT PRODUCTSTHROUGHYOUONTHEIRBEHALF.IFYOUORANYENTITYTHATYOUREPRESENTDOESNOTAGREE TOALLOFTHETERMSOFTHISAGREEMENT,CLICKTHEBOXTHATSAYSIDONOTAGREETOTHELICENSING AGREEMENTABOVEANDDONOTOTHERWISEDOWNLOAD,INSTALLORACTIVATETHEAIRTIGHTPRODUCTS. IFYOUPAIDFORTHEAIRTIGHTPRODUCT(S)ANDDIDNOTHAVEANOPPORTUNITYTOREVIEWTHIS AGREEMENTPRIORTOPURCHASINGITANDDONOTAGREETOTHISAGREEMENT,CONTACTYOURPLACEOF PURCHASETORETURNTHEPRODUCTFORAREFUNDINACCORDANCEWITHITSREFUNDPOLICIES. SEESECTION11REGARDINGYOURCONSENTTOAIRTIGHTSUSEOFCERTAINCOLLECTEDDATA. 1. DEFINITIONS 1.1 1.2 1.3 similartoAirTightsproductsorservices. 1.4 1.5 any)andSoftware.AdvertisingandmarketingmaterialsarenotDocumentation. 1.6 Documentation. 1.7 HardwareshallmeanthehardwarecontainingAirTightsoftware.NotallAirTightProductscomewithhardware. 1.8 IntellectualPropertyRightsshallmeancopyrights,trademarks,servicemarks,tradesecrets,patents,patent applications,moralrights,contractualrightsofnondisclosureoranyotherintellectualpropertyorproprietaryrights, howeverarising,throughouttheworld. 1.9 disputeastowhetheraparticularReleaseisanUpdateoranUpgrade,AirTightspublisheddesignationwillbefinal. 1.10 asastandaloneproductorloadedonAirTightHardware,andanyReleasethereto. 1.11 withrespecttotheSoftwareprovidedbyAirTightthatdonotaddfunctionalitytotheSoftware. 1.12 functionalityof,oraddmaterialfunctionalcapabilitiesto,theSoftware.AirTightmaychargeadditionallicensefeesfor Upgrades. YourCustomersmeansyourcurrentorpotentialcustomersexcludinganyAirTightCompetitor. DocumentationshallmeantheendusertechnicaldocumentationthatAirTightsupplieswiththeHardware(if Softwareshallmeanthesoftware(inobjectcodeformat)createdorlicensedbyAirTightandlicensedtoyoueither Updateshallmean,ifandwhenavailable,anyerrorcorrections,fixes,workaroundsorothermaintenancereleases ErrorshallmeanareproduciblefailureoftheSoftwareorHardwaretoperforminsubstantialconformitywithits Upgradeshallmean,ifandwhenavailable,newreleasesorversionsoftheSoftwarethatmateriallyimprovethe ReleaseshallmeananyUpdateorUpgradeifandwhenthesearemadeavailablebyAirTight.Intheeventofa iv SpectraGuardEnterpriseInstallationGuide EndUserLicenseAgreement 2. CONTROLLINGAGREEMENT:ThiselectronicAgreementistheentireagreementbetweenyouandAirTightand supersedesallpriororcontemporaneousagreements,understandings,andcommunications,whetherwrittenororal unlesssuchagreementisexecutedbyanofficerofAirTight.Insuchevent,thatagreementshallonlysupersedethis AgreementtotheextentsuchagreementconflictswiththisAgreement.Anytermsandconditionsinyourpaperor electronicpurchaseorder,requestforproposalorquotation,oraresponsetothosedocumentsaresupersededbythis electronicAgreement.IfathirdpartyreselleracceptsyourpurchaseorderandanofficerofAirTightdoesnotsignitand returnittoyou,AirTightisnotacceptingitstermsandconditions.AirTightisnotobligatedunderanyresellers agreementwithyouunlessanofficerofAirTightsignstheagreement.Certainthirdpartysoftwaremaybenecessaryto operateorruntheSoftware,youareresponsibleforobtainingandlicensingsuchthirdpartysoftware.Thirdparty softwareisgovernedbythelicenseagreementprovidedbythatthirdparty. LICENSEGRANT RestrictionsonUse.ExceptasexpresslyprovidedforinthisAgreement,youshallnot:(a)adapt,alter,publicly 3. 3.1 LimitedLicense.AllSoftwareislicensed,notsoldandsubjecttothisAgreement.AllHardwareissoldsubjecttothe licensegrantedinthisAgreement.ForeachunitofHardwareand/orSoftwarethatyoupurchase,AirTightgrantsyouanon exclusive,nontransferable(exceptasprovidedintheSectionentitledAssignment),nonsublicensablelicenseduringtheterm ofthisAgreement,toinstallandexecutesuchSoftwareandHardware.TheSoftwareandHardwarearelicensedforyourown internalbusinesspurposesunlessyouhavepurchasedorbeengivenademonstrationversionorauditversionoftheSoftware. IfyouhaveademonstrationversionoftheSoftware,youmayusetheSoftwaresolelytoprovidedemonstrationstoYour Customers.IfyouhaveanauditversionoftheSoftware,youmayuseittoprovideservicestoYourCustomers.Youmay makeandretainonecopyoftheSoftwareforbackupanddisasterrecoverypurposessolongasyouclearlymarkitasa backuporsimilarlanguage. 3.2 display,publiclyperform,translate,createderivativeworksoforotherwisemodifytheSoftware;(b)sublicense,lease,rent, loan,distributeorotherwisetransfertheSoftwaretoanythirdparty(exceptasprovidedintheSectionentitledAssignment);(c) allowthirdpartiestoaccessorusetheSoftwareorHardware,includingbutnotlimitedtoASP,OEM,ortimesharing arrangements.Youshallnotreverseengineer,decompile,disassembleorotherwiseattempttoderivethesourcecodeforthe SoftwareexcepttotheextentexpresslypermittedbyapplicablelawtoobtaininformationnecessarytorendertheSoftware interoperablewithothersoftware;provided,however,thatyoumustfirstrequestsuchinformationfromAirTightand AirTightmay,initsdiscretion,eitherprovidesuchinformationtoyouorimposereasonableconditions,includinga reasonablefee,onsuchuseofthesourcecodefortheSoftwaretoensurethatAirTightsanditssuppliersproprietaryrightsin thesourcecodefortheSoftwareareprotected;Youshallnotremove,alterorobscureanyproprietarynoticesontheSoftware orDocumentation.UndernocircumstancesmayyouinstallorexecutetheSoftwareonmorethanonecomputeratthesame time.ExcepttotheextentnecessarytoprovideademonstrationorservicestoYourCustomerwhenyouhavepurchasedor beengiventhedemonstrationversionorauditversionoftheSoftware,respectively,youshallnotcapturescreenshotsofthe SoftwareandshareitwithotherpeoplewithoutAirTightswrittenconsent. 3.3 servicesfromAirTightorathirdpartypursuanttoaseparateagreement. 4. Installation.YouareresponsibleforinstallingtheSoftwareandHardware(ifany)unlessyoupurchaseinstallation PROPRIETARYRIGHTS.YouacknowledgeandagreethattheSoftwareandHardware,includingbutnotlimitedtotheir sequence,structure,organizationandsourcecode,containsIntellectualPropertyRightsofAirTightanditssuppliers.The Softwareislicensedandnotsoldtoyou,andnotitleorownershiptosuchSoftwareortheIntellectualPropertyRights embodiedthereinpassesasaresultofthisAgreementoranyactpursuanttothisAgreement.TheSoftware(andall IntellectualPropertyRightstherein)istheexclusivepropertyofAirTightanditssuppliers,andallrightsinandtothe SoftwarenotexpresslygrantedtoyouinthisAgreement,arereserved.AirTightownsallcopiesoftheSoftware,however made.TheSoftware,HardwareandrelatedmaterialscontaintradesecretsofAirTightandyoushallnotprovidethe Software,Hardware,Documentation,ordetailsregardingtheoperationoftheSoftwareand/orHardware,oranyother AirTightconfidentialand/orproprietaryinformationtoanythirdparty. LIMITEDWARRANTY Warranty.ForaperiodofoneyearfromyourreceiptoftheHardwareand/orSoftware(theWarrantyPeriod), 5. 5.1 AirTightwarrantstoyouandforyoursolebenefitthat,subjecttotheSectionentitledExclusions,theSoftwareandHardware whenusedaspermittedunderthisAgreementandinaccordancewiththeinstructionsintheDocumentation,willoperate substantiallywithoutError. SpectraGuardEnterpriseInstallationGuide v EndUserLicenseAgreement RemedyforErrors.ForErrorsreportedtoAirTightduringtheWarrantyPeriod,yourexclusiveremedyand Exclusions.AirTightwillhavenoobligationtocorrect,andAirTightmakesnowarrantywithrespectto,Errors 5.2 causedby:(a)improperinstallationoftheSoftwareorHardware;(b)changesthatyouhavemadetotheSoftwareor Hardware;(c)useoftheSoftwareorHardwareinamannerinconsistentwiththeDocumentation;(d)thecombinationofthe SoftwareorHardwarewithhardwareorsoftwarenotprovidedbyAirTight;(e)malfunction,modificationorrelocationof yourservers;or(f)yourfailuretomakereasonablebackups. 5.3 AirTightssoleliabilityforbreachofthiswarrantyisthatAirTightshall,atitsownexpense,(a)usecommerciallyreasonable effortstomakeavailabletoyou,byInternetdownload,UpdatesthatareintendedtocorrectsuchErrorsandthatAirTight makesgenerallyavailable;(b)atitselection,repairorreplaceanydefectiveHardwarereturnedtoAirTightwithinthe WarrantyPeriod.AnyremedyprovidedunderthisSection5.3willnotextendtheoriginalWarrantyPeriod.AirTightshall havenoobligationregardingErrorsreported,orreturnsmade,aftertheWarrantyPeriod. 5.4 Disclaimer.EXCEPTFORTHEEXPRESSWARRANTYINSECTION5.1,AIRTIGHTANDITSAFFILIATES DISCLAIMALLOTHERWARRANTIES,WHETHEREXPRESS,IMPLIEDORSTATUTORY,INCLUDINGBUTNOT LIMITEDTOTHEIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE, ACCURACY,RESULT,EFFORT,TITLEANDNONINFRINGEMENT.THEREISNOWARRANTYTHATTHESOFTWARE WILLBEERRORFREE,ORTHATTHESOFTWAREORHARDWAREWILLOPERATEWITHOUTINTERRUPTIONOR WILLFULFILLANYOFYOURPARTICULARPURPOSESORNEEDS.AIRTIGHTPROVIDESNOWARRANTYFORANY THIRDPARTYSOFTWARE. 6. LIMITATIONOFLIABILITY.TOTHEMAXIMUMEXTENTPERMITTEDBYAPPLICABLELAW:AIRTIGHT,ITS AFFILIATES,SUPPLIERSANDMANUFACTURERSSHALLNOTBELIABLETOYOUORANYOTHERPARTYFOR ANYINDIRECT,INCIDENTAL,SPECIAL,CONSEQUENTIAL,EXEMPLARYORRELIANCEDAMAGESARISING OUTOFORRELATEDTOTHISAGREEMENT,THEHARDWAREORTHESOFTWARE,UNDERANYLEGAL THEORY,INCLUDINGBUTNOTLIMITEDTOLOSTPROFITS,LOSTDATA,BUSINESSINTERRUPTION,PERSONAL INJURY,FORLOSSOFPRIVACY,NEGLIGENCE,ANDFORANYOTHERPECUNIARYOROTHERLOSS WHATSOEVER,EVENIFAIRTIGHTKNOWSOFORSHOULDHAVEKNOWNOFTHEPOSSIBILITYOFSUCH DAMAGES. EXCEPTFORAIRTIGHTSOBLIGATIONSUNDERTHESECTIONENTITLEDINDEMNIFICATION,AIRTIGHTS,ITS AFFILIATES,SUPPLIERSANDMANUFACTURERSTOTALCUMULATIVELIABILITYFORACTUALDAMAGES ARISINGOUTOFORRELATEDTOTHISAGREEMENT,THEHARDWARE,ORTHESOFTWARE,SHALLNOTEXCEED THEPRICEAIRTIGHTRECEIVEDFORSUCHHARDWAREORSOFTWARE,REGARDLESSOFTHECAUSEORFORM OFACTION.THISSECTIONSHALLAPPLYEVENIFYOUREXCLUSIVEREMEDYHASFAILEDOFITSESSENTIAL PURPOSE.YOUACKNOWLEDGEANDAGREETHATTHEPRICESANDFEESREFLECTTHEALLOCATIONOFRISK SETFORTHINTHISAGREEMENTANDTHATAIRTIGHTWOULDNOTENTERINTOTHISAGREEMENTWITHOUT THESELIMITATIONSONITSLIABILITY. INFRINGEMENTINDEMNIFICATION AirTightsObligation.SubjecttotheSectionsentitledConditionsandExclusions,ifathirdpartymakesaclaimagainst 7. 7.1 youallegingthattheHardwareorSoftwareinfringesanyU.S.patentorcopyrightregisteredorissuedasoftheStartDate, AirTightshall:(a)payallreasonablecoststodefendyou;and(b)payanydamagesassessedagainstyouinafinaljudgmentby acourtofcompetentjurisdictionoranysettlementthatAirTighthasagreeduponwithsuchthirdparty. 7.2 Conditions.AirTightshallbeobligatedtopaythesecostsonlyifyou:(a)notifyAirTightpromptlyinwritingofany suchclaim;(b)giveAirTightfullinformationandassistanceinsettlingand/ordefendingtheclaim;and(c)giveAirTightfull authorityandcontrolofthedefenseandsettlementofanysuchclaim.Youmayalsoparticipateinthedefenseatyourown expense. 7.3 authorization;(b)anyuseoftheHardwareorSoftwarenotinaccordancewiththisAgreementortheDocumentation;(c)for anyclaimbasedontheuseoracombinationoftheHardwareorSoftwarewithanyothersoftware,firmware,hardwareor datanotprovidedorapprovedbyAirTight;(d)useofanyReleaseoftheSoftwareotherthanthemostcurrentReleasemade availabletoyou;or(e)anyalterationsormodificationoftheHardwareorSoftwarebyanypersonotherthanAirTightorits authorizedagents. 7.4. Exclusions.AirTightshallnotbeliablefor:(a)anycostsorexpensesincurredbyyouwithoutAirTightspriorwritten Cure.IntheeventAirTightisrequired,orinAirTightssoleopinionislikelytoberequired,toindemnifyyouunder vi SpectraGuardEnterpriseInstallationGuide EndUserLicenseAgreement theSectionentitledAirTightsObligation,AirTightshalldooneofthefollowing:(a)obtaintherightforyoutocontinueusing theHardwareorSoftware;(b)replaceormodifytheHardwareorSoftwarewithafunctionalequivalentthatisnoninfringing; or(c)terminatethisAgreementandrefundanyfeeAirTightreceived,proratedover3years,ortheperiodofyourlicenseif shorterthan3years. 8. RISKSANDYOUROBLIGATIONS.AirTightproductsmaybecapableofoperatingatfrequenciesbeyondthoseallowed inyourregionandlocatinganddisablingtargetedwirelessdevicesandcomputers.YOUUSEAIRTIGHTPRODUCTSAT YOUROWNRISK.IfathirdpartymakesaclaimagainstAirTightarisingoutofyouruseoftheAirTightproductsoryour breachofthisAgreement,youshall:(a)payallcoststodefendAirTight;and(b)payanydamagesassessedagainst AirTightinafinaljudgmentbyacourtofcompetentjurisdictionoranysettlementthatyouagreeduponwithsuchthird party.IfyoufailtomeetyourobligationsunderthisSection,AirTightshallhavefullauthorityandcontrolofthedefense and/orsettlementofanysuchclaimatyourexpense. EXPORTRESTRICTIONS.YouacknowledgethattheSoftwareissubjecttoU.S.exportjurisdiction.Youagreetocomply withallapplicableinternationalandnationallawsthatapplytotheSoftware,includingtheU.S.ExportAdministration Regulations,aswellasenduser,enduse,anddestinationrestrictionsissuedbyU.S.andothergovernments.Youassume soleresponsibilityforanyrequiredexportapprovaland/orlicensesandallrelatedcosts.Youshallnotacquire,ship, transferorreexport,directlyorindirectly,theHardwareand/orSoftwaretoproscribed,embargoed,orprohibited countriesortheirnationals,denieddestinations,noruseitfornuclearactivities,chemicalbiologicalweaponsormissile projects.Proscribedcountries,destinations,andpeoplearesetforthintheUnitedStatesExportAdministration Regulations,andtheOfficeofForeignAssetControlsSpeciallyDesignatedNationalslist,andaresubjecttochange withoutfurthernoticefromAirTight. 9. 10. U.S.GOVERNMENTENDUSERS.TheSoftwarecoveredunderthisAgreement,isacommercialitemasthattermis definedat48C.F.R.2.101,consistingofcommercialcomputersoftwareandcommercialcomputersoftware documentationassuchtermsareusedin48C.F.R.12.212.Consistentwith48C.F.R.12.212and48C.F.R.227.72021 through227.72024,allU.S.GovernmentendusersacquiretheSoftwareandanyothersoftwareanddocumentation coveredunderthisAgreementwithonlythoserightssetforththerein. 11. CONSENTTOUSEOFDATA.YouagreethatAirTightanditsaffiliatesmaycollectanduseinformationthatispersonally identifiabletoyou.Wecollecttwotypesofinformation.
TechnicalInformationregardingtheAirTightproductsandyourhardwareorsoftware,including,butnotlimitedto, serverinstallationandactivationinformation,licensekeyexpiration,serverlogs,MediaAccessControl(MAC) addresses,InternetProtocol(IP)addresses,wirelessnetwork(WLAN)informationandsensordetails.Theproduct featuresallowingustocollectTechnicalInformationareenabledbydefaulttoconnectviatheInternettoAirTights and/oritsaffiliatescomputersystemsautomatically,andmayoccurwithoutseparatenoticetoyou.Youconsentto theoperationofthesefeatures.Youmaychoosenottogiveusthisinformationbynotactivatingorinstallingthe product.
PersonalInformation(name,address,telephonenumber,companynameandemailaddress),collected,forexample, aspartofshipping,servicingorregisteringaproduct.IfwecollectPersonalInformationwewillexpresslyaskyou forit.Youmaychoosenottogiveusthisinformationatthetimewerequestit,butitmaypreventusfromshipping orservicingtheproduct.
AirTightanditsaffiliatesmayuseTechnicalandPersonalInformationsolelytoimproveourproductsortoprovide customizedservicesortechnologiestoyou.AirTightwillnotdisclosethisinformationinaformthatpersonallyidentifiesyou excepttothirdpartyprovidersthatweutilizetoserviceorshiptheproducts.Wemaydisclosethecollectedinformationif requiredtobylaworcourtorder.InformationthatiscollectedbyorsenttoAirTightmaybestoredandprocessedinthe UnitedStates,IndiaoranyothercountryinwhichAirTight,itsaffiliates,subsidiariesoragentsmaintainfacilities.Youmay contactusregardingthecollectionanduseofTechnicalandPersonalInformationorthisprovisionat support@airtightnetworks.comorbywritingusat339No.BernardoAvenue,Suite200,MountainView,CA94043USA. 12. GENERAL 12.1 AgreeorotherwiseinstalloractivatetheSoftwareorHardware(theStartDate)andshallcontinueinfullforceandeffect untilitexpirespursuanttotheperiodofusethatyoupurchasedorunlessearlierterminatedasdescribedintheSection Term.ThisAgreementshallstartonthedateyouclickIhavereadandagreetothelicensingtermsabove,I SpectraGuardEnterpriseInstallationGuide vii EndUserLicenseAgreement GoverningLawandVenue.ThisAgreementwillbegovernedbythelawsoftheStateofCalifornia.TheUnited entitledTermination. 12.2 Termination.Withoutprejudicetoanyotherrights,AirTightmayterminatethisAgreementifyoudonotcomply withit.YoumayterminatethisAgreementatanytime.UponterminationofthisAgreementforanyreason:(a)alllicense rightsgrantedinthisAgreementwillimmediatelyterminateandyoumustpromptlystopalluseoftheSoftware;(b) AirTightsobligationtoprovideservicesunderanyserviceagreementterminates;(c)youmusteraseallcopiesoftheSoftware fromyourcomputers,anddestroyallcopiesoftheSoftwareandDocumentationontangiblemediainyourpossessionor control.TerminationofthisAgreementwillnotaffectyourrighttootherwiseuseortransfertheHardwarepurchasedfrom AirTightoncetheSoftwareisremoved. Survival.TheSectionsentitledControllingAgreement,ProprietaryRights,LimitedWarranty,LimitationofLiability,Risks 12.3 andYourObligations,ExportRestrictions,Termination,GoverningLawandVenueandSeverabilityshallsurvivetheexpirationor terminationofthisAgreement.AirTightsobligationsundertheSectionentitledInfringementIndemnificationshallsurviveonly forclaimsbasedonuseoftheHardwareorSoftwareduringthelicensedterm. 12.4 Assignment.Youmaynotassignortransfer,byoperationoflaw,mergerorotherwise,anyofyourrightsordelegate anyofyourdutiesunderthisAgreement(includingwithoutlimitation,thelicenseswithrespecttotheSoftware)toanythird partywithoutAirTightspriorwrittenconsent.Anyattemptedassignmentortransferinviolationoftheforegoingwillbe void.AirTightmayassignitsrightsordelegateitsobligationsunderthisAgreement. 12.5 NationsConventiononContractsfortheInternationalSaleofGoodsdoesnotapplytothisAgreement.Anyactionor proceedingarisingfromorrelatingtothisAgreementmustbebroughtexclusivelyinafederalorstatecourtseatedinSanta Clara,California,andinnoothervenue.Eachpartyirrevocablyconsentstothepersonaljurisdictionandvenuein,andagrees toserviceofprocessissuedby,anysuchcourt.Notwithstandingtheforegoing,AirTightreservestherighttofileasuitor actioninanycourtofcompetentjurisdictionasAirTightdeemsnecessarytoprotectitsintellectualpropertyandproprietary rights. 12.6 EquitableRelief.YouagreethattheSoftwareandHardwarecontainsAirTightsvaluabletradesecretsand proprietaryinformationandthatanyactualorthreateneddisclosureormisappropriationofsuchinformationwould constituteimmediate,irreparableharmtoAirTightforwhichmonetarydamageswouldbeaninadequateremedy.Therefore, inadditiontoanyotherrightsandremedieswhichmaybeavailabletoAirTightatlaworinequity,anysuchactualor threateneddisclosuremaybestoppedthroughinjunctiveproceedingswithoutthepostingofabond. 12.7 WaiversandAmendments.Allwaiversmustbeinwriting.Anywaiverorfailuretoenforceanyprovisionofthis Agreementononeoccasionwillnotbedeemedawaiverofanyotherprovisionorofsuchprovisiononanyotheroccasion. ThisAgreementmaybeamendedonlybyawrittendocumentsignedbyyouandAirTight. 12.8 provisionsshallcontinueinfullforceandeffect.
Severability.IfanyprovisionofthisAgreementisheldtobevoid,invalid,unenforceableorillegal,theother viii SpectraGuardEnterpriseInstallationGuide TableofContents TableofContents 4.3 4.2 4.1 3.4 3.5 1.1 1.2 1.3 3.1 3.2 3.3 3.3.1 3.3.2 4.2.1 4.2.2 CHAPTER 4 CHAPTER 2 CHAPTER 3 CHAPTER 1 GETTING STARTED...................................................................................................................................1 BEFORE YOU BEGIN.......................................................................................................................................................1 HOW TO GET MORE INFORMATION ..................................................................................................................................1 CONTACT INFORMATION.................................................................................................................................................1 PACKAGE CONTENTS ..............................................................................................................................2 SERVER AND SENSOR OVERVIEW.......................................................................................................4 FRONT PANEL OF THE SERVER ........................................................................................................................................4 REAR PANEL OF THE SERVER..........................................................................................................................................5 FRONT PANEL OF SENSOR...............................................................................................................................................6 Sensor SS-200-AT...................................................................................................................................................6 Sensor SS-300-AT...................................................................................................................................................7 REAR PANEL OF SENSOR SS-200-AT..............................................................................................................................8 REAR AND SIDE PANELS OF SENSOR SS-300-AT ............................................................................................................9 INSTALLING THE SERVER......................................................................................................................9 CONNECTING THE SERVER..............................................................................................................................................9 4.1.1 Mount the Server Appliance ...................................................................................................................................9 Power up the Server ...............................................................................................................................................9 4.1.2 4.1.3 Connect the Server to the Network.......................................................................................................................10 ACCESSING THE SERVER...............................................................................................................................................10 Accessing the Server using SSH (Recommended) ................................................................................................ 11 Accessing the Server using a Serial Cable ........................................................................................................... 11 ACCESSING THE SERVER INITIALIZATION AND SETUP WIZARD.....................................................................................14 Configure the Backspace Key...............................................................................................................................14 Step 1: Change Config Shell Password ................................................................................................................14 Step 2: Change Network Settings .........................................................................................................................15 Step 3: Set Server Time Zone, Date and Time Settings .........................................................................................16 Step 4: Set Server ID Settings...............................................................................................................................19 Set up the Server DNS Entry ................................................................................................................................21 LAUNCHING THE SYSTEM CONSOLE (GUI) ..................................................................................................................21 System Requirements............................................................................................................................................21 ACTIVATING THE LICENSE ............................................................................................................................................24 INSTALLING THE SENSOR....................................................................................................................25 ZERO CONFIGURATION OF SENSORS.............................................................................................................................25 CONNECTING THE SENSOR ...........................................................................................................................................25 5.2.1 Mount the SS-200-AT Sensor................................................................................................................................25 Ceiling Mounting ............................................................................................................................................................ 25 Flat Surface Installation .................................................................................................................................................. 27 5.2.2 Mount the SS-300-AT Sensor................................................................................................................................28 Ceiling/Wall Mounting.................................................................................................................................................... 28 Flat Surface Installation .................................................................................................................................................. 28 Power up the Sensor.............................................................................................................................................29 Connect the Sensor to the Network ......................................................................................................................30 CHAPTER 6 MANUALLY CONFIGURING THE SENSOR........................................................................................30 INTRODUCTION.............................................................................................................................................................30 CONFIGURING SENSOR THROUGH CONFIG SHELL ........................................................................................................30 Invoke HyperTerminal (or minicom) ....................................................................................................................30 Launching HyperTerminal .............................................................................................................................................. 30 Defining a New HyperTerminal Connection................................................................................................................... 31 Specifying HyperTerminal Connection Details............................................................................................................... 32 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5 4.3.6 6.2.1.1 6.2.1.2 6.2.1.3 CHAPTER 5 5.2.2.1 5.2.2.2 5.2.1.1 5.2.1.2 5.2.3 5.2.4 6.1 6.2 5.1 5.2 4.4.1 6.2.1 4.4 4.5 SpectraGuardEnterpriseInstallationGuide ix TableofContents CHAPTER 7 7.1 6.2.1.4 6.2.2 6.2.3 6.2.4 6.2.5 7.1.1 7.1.2 7.1.3 7.1.4 7.1.5 Editing Serial Port Settings ............................................................................................................................................. 32 Log in and Change the Default Password............................................................................................................33 Set Server Discovery ............................................................................................................................................33 Set Sensor Mode...................................................................................................................................................33 Configure Network Settings..................................................................................................................................34 SETTING UP THE SERVER CONSOLE ................................................................................................35 LOGGING INTO THE CONSOLE.......................................................................................................................................35 Step 1: Starting the Setup Wizard .........................................................................................................................35 Step 2: Changing your Account Password ...........................................................................................................36 Step 3: Preparing your System for Configuration ................................................................................................37 Step 4: Configuring Notification Settings.............................................................................................................40 Step 5: Setting up Locations and Sensors.............................................................................................................45 Adding a New Location .................................................................................................................................................. 46 Attaching an image ......................................................................................................................................................... 59 Placing Locations on a Location Folder with an Attached Image ................................................................................... 59 Importing a Planner file into a Location Node................................................................................................................ 60 Step 6: Classifying APs ........................................................................................................................................60 Specify Authorized SSIDs............................................................................................................................................... 61 Select Wi-Fi Networks .................................................................................................................................................... 64 RSSI based Classification ............................................................................................................................................... 64 Step 7: Classifying Clients....................................................................................................................................69 Step 8: Configuring Intrusion Prevention Policy .................................................................................................72 Intrusion Prevention Policy............................................................................................................................................. 72 Intrusion Prevention Level.............................................................................................................................................. 74 Step 9: Configuring Events and Reports ..............................................................................................................75 Security ........................................................................................................................................................................... 75 Monitoring ...................................................................................................................................................................... 75 Adding a Report.............................................................................................................................................................. 78 Adding a Section to a Report .......................................................................................................................................... 81 Creating a Report Schedule............................................................................................................................................. 83 Step 10: Calibrating Location Tracking ...........................................................................................................85 Step 11: Locking the System Configuration ......................................................................................................87 Step 12: Completion of Setup Wizard................................................................................................................89 CONFIG SHELL COMMANDS................................................................................................................91 SERVER CONFIG SHELL COMMANDS ............................................................................................................................91 SENSOR CONFIG SHELL COMMANDS ............................................................................................................................95 TROUBLESHOOTING .............................................................................................................................97 SERVER TROUBLESHOOTING ........................................................................................................................................97 SENSOR TROUBLESHOOTING ........................................................................................................................................99 7.1.5.1 7.1.5.2 7.1.5.3 7.1.5.4 7.1.6.1 7.1.6.2 7.1.6.3 7.1.6 7.1.7 7.1.8 7.1.9 7.1.8.1 7.1.8.2 7.1.9.1 7.1.9.2 7.1.9.3 7.1.9.4 7.1.9.5 7.1.10 7.1.11 7.1.12 CHAPTER 8 CHAPTER 9 8.1 8.2 9.1 9.2
x SpectraGuardEnterpriseInstallationGuide TableofFigures TableofFigures SERVER PACKAGE CONTENTS ..................................................................................................................................................... 2 FIGURE 1. SENSOR SS-200-AT PACKAGE CONTENTS................................................................................................................................... 3 FIGURE 2. FIGURE 3. FRONT PANEL OF THE SERVER..................................................................................................................................................... 4 REAR PANEL OF THE SERVER....................................................................................................................................................... 5 FIGURE 4. FIGURE 5. FRONT PANEL OF SENSOR SS-200-AT......................................................................................................................................... 6 FRONT VIEW OF SENSOR SS-300-AT .......................................................................................................................................... 7 FIGURE 6. FIGURE 7. REAR PANEL OF SENSOR............................................................................................................................................................. 8 REAR PANEL OF SENSOR SS-300-AT .......................................................................................................................................... 9 FIGURE 8. FIGURE 9. SIDE PANEL OF SENSOR SS-300-AT.......................................................................................................................................... 10 FIGURE 10. MOUNT THE SERVER................................................................................................................................................................... 9 FIGURE 11. POWER UP THE SERVER............................................................................................................................................................. 10 FIGURE 12. CONNECT THE SERVER TO THE NETWORK ................................................................................................................................. 10 FIGURE 13. OPEN SSH ............................................................................................................................................................................... 11 FIGURE 14. CONNECT THE SERVER TO YOUR COMPUTER USING A SERIAL CABLE ......................................................................................... 11 FIGURE 15. LAUNCH HYPERTERMINAL APPLICATION .................................................................................................................................. 12 FIGURE 16. DEFINE A NEW HYPERTERMINAL CONNECTION FOR THE SYSTEM .............................................................................................. 12 FIGURE 17. SPECIFY HYPERTERMINAL CONNECTION DETAILS..................................................................................................................... 13 FIGURE 18. EDIT SERIAL PORT SETTINGS .................................................................................................................................................... 13 FIGURE 19. MAP THE BACKSPACE KEY........................................................................................................................................................ 14 FIGURE 20. SERVER INITIALIZATION AND SETUP WIZARD SCREEN ............................................................................................................... 14 FIGURE 21. CHANGE CONFIG SHELL PASSWORD.......................................................................................................................................... 15 CHANGE NETWORK SETTINGS .................................................................................................................................................. 16 FIGURE 22. FIGURE 23. CONFIRM NETWORK SETTINGS CHANGES ................................................................................................................................. 16 SPECIFY CONTINENT AND COUNTRY FOR TIME ZONE SETTINGS................................................................................................. 17 FIGURE 24. FIGURE 25. SELECT TIME ZONE REGION ..................................................................................................................................................... 18 SPECIFY IPADDRESS OF NTP SERVER FOR SYNCHRONIZATION.................................................................................................. 18 FIGURE 26. FIGURE 27. SPECIFY TIME ZONE USING POSIX TZ FORMAT .......................................................................................................................... 19 SPECIFY DATE AND TIME .......................................................................................................................................................... 19 FIGURE 28. FIGURE 29. SET SERVER ID......................................................................................................................................................................... 20 FIGURE 30. SERVER SETUP COMPLETION SCREEN ....................................................................................................................................... 20 FIGURE 31. GENERATING CERTIFICATE FOR WEB SERVER............................................................................................................................ 21 FIGURE 32. WEB SITE CERTIFICATE VERIFICATION...................................................................................................................................... 22 FIGURE 33. INSTALLING JRE....................................................................................................................................................................... 22 FIGURE 34. POP-UP BLOCKER MESSAGE ..................................................................................................................................................... 22 FIGURE 35. DETECTING JAVA RUNTIME ENVIRONMENT (JRE) ..................................................................................................................... 23 FIGURE 36. WEB SITE CERTIFICATE WARNING ............................................................................................................................................ 23 FIGURE 37. HOSTNAME MISMATCH WARNING............................................................................................................................................. 23 FIGURE 38. DIGITAL SIGNATURE VERIFIED.................................................................................................................................................. 24 FIGURE 39. ACTIVATE LICENSE................................................................................................................................................................... 24 FIGURE 40. ALIGNING THE SENSOR AND MOUNT SLOTS .............................................................................................................................. 26 FIXING THE MOUNTING BRACKET TO THE SENSOR .................................................................................................................... 26 FIGURE 41. FIGURE 42. TAB ORIENTATIONS FOR US INSTALLATIONS .............................................................................................................................. 26 PRESSING THE MOUNT AGAINST THE T-BAR .............................................................................................................................. 27 FIGURE 43. FIGURE 44. INITIAL TWISTING OF THE MOUNT ............................................................................................................................................ 27 FIGURE 45. FINAL TWISTING OF THE MOUNT WITH THE US TAB SUPPORTING THE MOUNT............................................................................ 27 FIGURE 46. FLAT SURFACE INSTALLATION................................................................................................................................................... 28 FIGURE 47. HOLES FOR INSERTING SCREWS ................................................................................................................................................. 28 FIGURE 48. INSERTING TABS ON THE TABLE STAND....................................................................................................................................... 29 LOCKING THE STAND TO THE SENSOR ....................................................................................................................................... 29 FIGURE 49. FIGURE 50. SENSOR MOUNT ON A TABLE .................................................................................................................................................... 29 POWER UP THE SENSOR............................................................................................................................................................. 30 FIGURE 51. FIGURE 52. CONNECT THE SENSOR TO THE NETWORK ................................................................................................................................. 30 FIGURE 53. CONNECTING THE SENSOR TO YOUR COMPUTER USING A SERIAL CABLE .................................................................................... 30 FIGURE 54. OPENING HYPERTERMINAL ...................................................................................................................................................... 31 FIGURE 55. DEFINE A NEW HYPERTERMINAL CONNECTION FOR SENSOR..................................................................................................... 31 FIGURE 56. SPECIFY HYPERTERMINAL CONNECTION DETAILS..................................................................................................................... 32 EDIT SERIAL PORT SETTINGS .................................................................................................................................................... 32 FIGURE 57. FIGURE 58. SET SERVER DISCOVERY COMMAND ........................................................................................................................................... 33 FIGURE 59. SET SENSOR MODE COMMAND ................................................................................................................................................... 34 SpectraGuardEnterpriseInstallationGuide xi TableofFigures CONSOLE LOGIN SCREEN.......................................................................................................................................................... 35 FIGURE 60. END USER LICENSE AGREEMENT SCREEN................................................................................................................................. 35 FIGURE 61. FIGURE 62. SYSTEM SETUP WIZARD WELCOME SCREEN ............................................................................................................................. 36 CHANGE PASSWORD ................................................................................................................................................................. 37 FIGURE 63. FIGURE 64. EVENT DE-ACTIVATION............................................................................................................................................................. 38 FIGURE 65. INTRUSION PREVENTION DE-ACTIVATION.................................................................................................................................. 39 FIGURE 66. DEVICE LIST UNLOCKING......................................................................................................................................................... 40 SMTP CONFIGURATION............................................................................................................................................................ 41 FIGURE 67. FIGURE 68. SYSLOG CONFIGURATION ......................................................................................................................................................... 42 FIGURE 69. SYSLOG CONFIGURATION DIALOG ............................................................................................................................................ 43 FIGURE 70. SNMP CONFIGURATION ........................................................................................................................................................... 44 SNMP CONFIGURATION DIALOG .............................................................................................................................................. 45 FIGURE 71. FIGURE 72. LOCATIONS SCREEN.................................................................................................................................................................. 46 FIGURE 73. ADDING A NEW LOCATION........................................................................................................................................................ 47 FIGURE 74. SPECIFYING LOCATION PROPERTIES .......................................................................................................................................... 47 SENSOR CONFIGURATION.......................................................................................................................................................... 48 FIGURE 75. FIGURE 76. CHANNEL SETTINGS TAB .......................................................................................................................................................... 49 FIGURE 77. CHANNEL FREQUENCY TABLE................................................................................................................................................... 50 FIGURE 78. ANTENNA PORT ASSIGNMENT TAB............................................................................................................................................ 51 FIGURE 79. SENSOR PASSWORD CONFIGURATION TAB................................................................................................................................. 52 FIGURE 80. OFFLINE SENSOR CONFIGURATION TAB..................................................................................................................................... 53 FIGURE 81. OFFLINE SENSOR CONFIGURATION: DEVICE CLASSIFICATION POLICY TAB................................................................................. 54 FIGURE 82. OFFLINE SENSOR CONFIGURATION: INTRUSION PREVENTION POLICY TAB ................................................................................. 55 FIGURE 83. IMPORT DEVICES - SENSORS ..................................................................................................................................................... 56 FIGURE 84. IMPORT SENSOR LIST................................................................................................................................................................ 57 FIGURE 85. DEVICES SCREEN SENSORS .................................................................................................................................................... 58 FIGURE 86. LOCATIONS SCREEN.................................................................................................................................................................. 59 FIGURE 87. PLACING SENSORS ON THE FLOORMAP...................................................................................................................................... 60 FIGURE 88. AUTHORIZED WLAN SETUP..................................................................................................................................................... 61 FIGURE 89. CREATING A CONFIGURATION TEMPLATE FOR AN AUTHORIZED SSID ........................................................................................ 62 FIGURE 90. NO-WI-FI NETWORKS .............................................................................................................................................................. 64 FIGURE 91. RSSI BASED CLASSIFICATION ................................................................................................................................................... 65 FIGURE 92. APAUTO-CLASSIFICATION POLICY........................................................................................................................................... 66 FIGURE 93. IMPORT DEVICES APS ............................................................................................................................................................ 67 FIGURE 94. IMPORT AUTHORIZED AP LIST .................................................................................................................................................. 68 FIGURE 95. DEVICES SCREEN APS ........................................................................................................................................................... 68 LOCATIONS SCREEN.................................................................................................................................................................. 69 FIGURE 96. FIGURE 97. CLIENT AUTO-CLASSIFICATION POLICY .................................................................................................................................... 70 FIGURE 98. IMPORT DEVICES CLIENTS ..................................................................................................................................................... 71 FIGURE 99. DEVICES SCREEN CLIENTS..................................................................................................................................................... 72 INTRUSION PREVENTION POLICY .......................................................................................................................................... 73 FIGURE 100. FIGURE 101. INTRUSION PREVENTION LEVEL............................................................................................................................................ 74 EVENT CONFIGURATION SECURITY .................................................................................................................................... 75 FIGURE 102. FIGURE 103. EVENT CONFIGURATION MONITORING ............................................................................................................................... 76 FIGURE 104. EVENT ADVANCED SETTINGS................................................................................................................................................ 77 FIGURE 105. EMAIL NOTIFICATION ........................................................................................................................................................... 77 EMAIL CONFIGURATION DIALOG........................................................................................................................................... 78 FIGURE 106. FIGURE 107. REPORTS SCREEN ................................................................................................................................................................. 78 REPORT DETAILS SCREEN ..................................................................................................................................................... 79 FIGURE 108. FIGURE 109. REPORT DETAILS SCREEN SHOWING REPORT SUMMARY TAB ................................................................................................. 80 REPORT DETAILS SCREEN SHOWING REPORT SECTIONS TAB.................................................................................................. 81 FIGURE 110. FIGURE 111. ADDING A SECTION TO A REPORT .......................................................................................................................................... 82 SCHEDULING A REPORT FOR ONE TIME DELIVERY................................................................................................................. 83 FIGURE 112. FIGURE 113. SCHEDULING A REPORT FOR RECURRING GENERATION.......................................................................................................... 84 FIGURE 114. SPECIFYING ADDITIONAL EMAIL ADDRESSES FOR REPORT DELIVERY.................................................................................... 85 FIGURE 115. LOCATIONS SCREEN CALIBRATION..................................................................................................................................... 85 RF CALIBRATION DIALOG .................................................................................................................................................... 86 FIGURE 116. FIGURE 117. EVENT ACTIVATION .............................................................................................................................................................. 87 FIGURE 118. INTRUSION PREVENTION ACTIVATION ................................................................................................................................... 88 FIGURE 119. DEVICE LIST LOCKING ......................................................................................................................................................... 89 FIGURE 120. DASHBOARD SCREEN ........................................................................................................................................................... 90
xii SpectraGuardEnterpriseInstallationGuide Chapter1 GettingStarted GettingStarted BeforeYouBegin 1.1 ThankyouforpurchasingSpectraGuardEnterprise(referredtoassystemhereafterinthisdocument)fromAirTight Networks,Inc.Thesystemassistsyoutoeffectivelymonitor,troubleshoot,administer,andprotectyourwirelessnetwork. PleasereadtheEULAbeforeinstallingtheServer.InstallingtheServerconstitutesyouracceptanceofthetermsand conditionsoftheEULAmentionedaboveinthisdocument.Thisproductcannotberentedorleasedyouarethesoleownerof theproduct. ThisinstallationguidegivesanoverviewofthepowerconnectorandportsontheServerandexplainshowtoconfigureit. Thisguidecontainsthefollowingchapters:
PackageContents:Liststhecomponentsincludedinthesystempackage. ServerandSensor(Sensor)Overview:ProvidesanoverviewoftheServerandSensor. ConfiguringtheServer:DescribeshowtopowertheServer,connecttheServertothenetworkandyourcomputer, andconfiguretheServer. InstallingtheSensor:DescribeshowtoconnectandinstalltheSensor.
ManualConfigurationofSensor:DescribeshowtoconfiguretheSensorthroughtheConfigShell.
SettinguptheSystem:DescribeshowthesystemConsoleislaunchedandsetup. ConfigShellCommands:Listsapredefinedsetofcommandsthatallowyoutoconfigureandviewthestatusofthe ServerandSensors. Troubleshooting:ProvidestroubleshootingtipswhileinstallingtheServerandSensor.
ContactInformation Howtogetmoreinformation 1.2 Toreceiveimportantnewsonproductupdates,pleasevisitourwebsiteatsupport@airtightnetworks.com. 1.3 AirTightNetworks,Inc. 339N,BernardoAvenue,Suite#200, MountainView,CA94043 Tel:(650)9611111 Fax:(650)9633388 Fortechnicalsupportsendanemailtosupport@airtightnetworks.com. SpectraGuardEnterpriseInstallationGuide 1 Chapter2 PackageContents PackageContents ThischapterliststhecomponentsincludedintheServerandSensor(both802.11a/b/gor802.11a/b/g/n)packages. Note:TheconventionstobefollowedintheGuideare:1>802.11a/b/g:SS200ATand2>802.11a/b/g/n:SS300AT. PleaseensurethatthefollowingitemsareincludedintheServerpackage.Ifthepackageisnotcomplete,pleasecontact AirTightNetworks,Inc.TechnicalSupportatsupport@airtightnetworks.com,orreturnthepackagetothevendorordealer whereyoupurchasedtheproduct.
ServerwithSoftware SystemDocumentationCDROMcontaining:
SpectraGuardEnterpriseUserGuide
SpectraGuardEnterpriseInstallationGuide
SpectraGuardEnterpriseQuickSetupGuide
SpectraGuardEnterpriseReports
SpectraGuardEnterpriseReleaseNotes
UpgradeInstructionsforSpectraGuardEnterprise
HighAvailabilityConfigurationforSpectraGuardEnterprise
NetworkDetectorConfigurationforSpectraGuardEnterprise PowerCord
NetworkInterface(Ethernet)Cable
SerialCable RackMountingAccessories Figure 1. Server Package Contents
Thecontentsofthea/b/gSensorpackageareasfollows: Sensor EthernetCable
WallMountingAccessories 2 SpectraGuardEnterpriseInstallationGuide PackageContents Figure 2. Sensor SS-200-AT Package Contents
Note:TheMACaddressoftheSensorisshownonalabelatthebottomoftheproductandthepackagingbox SpectraGuardEnterpriseInstallationGuide 3 Chapter3 ServerandSensorOverview ServerandSensorOverview ThischapterprovidesanoverviewoftheServerandSensoranddescribesindetailaboutthefollowing.
FrontPaneloftheServerandSensor RearPaneloftheServerandSensor FrontPaneloftheServer 3.1 ThefrontpaneloftheServerhasaPowerswitchandLEDsthatindicateitsstate.Thefollowingfigureshowsthelocationof thePowerswitchandLEDsonthefrontpaneloftheServer.
Figure 3. Front Panel of the Server ThefollowingtabledescribesthebehaviorofthePowerswitch. Table 1. Behavior of Power Switch Action System Behavior Recommended User Action Push Power switch for two seconds Push Power switch for more than three seconds
Graceful shutdown of the Server (similar to restarting the Server) Hard shutdown of the Server
(similar to disconnecting the power cable) No action is required as the Server restarts automatically. Press the Power switch again to power on the Server. Do not press the Power switch for a longer time as this may cause damage to the hard disk and thereby cause severe data loss. ThefollowingtabledescribesthestatusLEDsonthefrontpaneloftheServer. 4 SpectraGuardEnterpriseInstallationGuide Table 2. Front Panel LEDs ServerandSensorOverview LED Power Hard Disk Network Interface Card High Availability Interface LED Color Meaning of LED Solid Green Off Blinking Green Off Blinking Green Off Blinking Green Off Indicates that the Server is powered on and working normally Indicates that the Server is not powered on or not receiving power Indicates that the hard disk drive is being accessed Indicates that the hard disk drive is not being accessed Indicates that the Server is connected to the network Indicates that the Server is not connected to the network Indicates that the Server is a part of a high availability cluster Indicates that the Server is not a part of a high availability cluster
3.2 TherearpaneloftheServerhasapowerconnectorandportsthatenableyoutopoweruptheServerandconnectittothe networkandacomputer. RearPaneloftheServer Note:Otherconnectorssuchasparallelport,25pinSerialport,keyboardconnector,soundcard,andsoonareshowninthefollowing figure.However,theseconnectorsaredisabledandcannotbeused. Figure 4. Rear Panel of the Server TherearpaneloftheServerhasaSerial(RS232FF)port,aNetworkInterfaceport(RJ4510/100/1000Ethernet),aHigh Availability(HA)port(RJ4510/100/1000Ethernet),andaPowerconnector.ThePowerconnectorisusedtopowertheServer using110240V50/60HzACinput.ThefollowingtabledescribestheSerial,NetworkInterface,andHighAvailabilityports.
Table 3. Rear Panel Ports Port Description Connector Type Serial Enables a serial (RS-232) connection to establish terminal sessions using terminal emulation programs such as HyperTerminal for Windows or minicom for Linux DB-9 Settings/Protocol Settings:
Bits per second: 9600 Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None Protocol: RS-232 SpectraGuardEnterpriseInstallationGuide 5 ServerandSensorOverview High Availability Interface Network Interface Used to connect the Server to a high availability cluster RJ-45 Used to connect the Server to the wired LAN through a hub or a switch Allows the Server to talk to Sensors RJ-45 Settings: 10/100/1000 Mbps Protocol: Ethernet Settings: 10/100/1000 Mbps Protocol: Ethernet FrontPanelofSensor
3.3 3.3.1 SensorSS200AT ThefrontpaneloftheSensorhasLEDsthatindicatetheworkingoftheSensor. Figure 5. Front Panel of Sensor SS-200-AT TheseLEDsaredescribedinthefollowingtable.
Table 4. LED details for Sensor SS-200-AT and SS-300-AT Fast Blink Solid Green Fast Blink Fast Blink Fast Blink Slow Blink LED1 or Power LED2 or LAN LED3 or 802.11a Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Slow Blink Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green 6 Solid Green Solid Green Solid Green Slow Blink Slow Blink Slow Blink Slow Blink LED4 or 802.11 b/g Solid Green Fast Blink Slow Blink Solid Green Fast Blink Slow Blink Description The Sensor is receiving power and is working normally. The Sensor is connected to the Server. The Sensor is performing Troubleshooting on 802.11b/g. The Sensor is performing Intrusion Prevention on 802.11b/g. The Sensor is performing Troubleshooting on 802.11a. The Sensor is performing Troubleshooting on 802.11a and 802.11b/g. The Sensor is performing Troubleshooting on 802.11a and Intrusion Prevention on 802.11b/g. The Sensor is performing Intrusion Prevention on 802.11a. The Sensor is performing Intrusion Prevention on 802.11a and Troubleshooting on 802.11b/g. The Sensor is performing Intrusion Prevention on 802.11a and 802.11b/g. Slow Blink The Sensor upgrade is in progress. SpectraGuardEnterpriseInstallationGuide ServerandSensorOverview Solid Orange Solid Orange Solid Orange Solid Orange Solid Orange Off Solid Green Any Fast Blink Any Slow Blink Any Any Any Off Solid Green Any Off Any Any Any Any Solid Green Off The Sensor is unable to get Ethernet link. The Sensor did not receive a valid IP address via the DHCP. The Sensor is unable to connect to the Server. There is an error on 802.11a/b/g interfaces. The Sensor is experiencing a software error. The Sensor is not powered on or it is in the process of starting up.
3.3.2 SensorSS300AT ThefrontpaneloftheSensorhasLEDsthatindicatetheworkingoftheSensor Figure 6. Front View of Sensor SS-300-AT Table 5. LED Details for Sensor SS-300-AT
LED1 or Power LED2 or LAN LED3 or 802.11an Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green Solid Green LED4 or 802.11 b/gn Solid Green Fast Blink Slow Blink Solid Green Solid Green Solid Green Fast Blink Solid Green Fast Blink Fast Blink Fast Blink Slow Blink Slow Blink Solid Green Slow Blink Fast Blink Slow Blink Slow Blink Description The Sensor is receiving power and is working normally. The Sensor is connected to the Server. The Sensor is performing Troubleshooting on 802.11b/g/n. The Sensor is performing Intrusion Prevention on 802.11b/g/n. The Sensor is performing Troubleshooting on 802.11a/n. The Sensor is performing Troubleshooting on 802.11a/n and 802.11b/g/n. The Sensor is performing Troubleshooting on 802.11a/n and Intrusion Prevention on 802.11b/g/n. The Sensor is performing Intrusion Prevention on 802.11a/n. The Sensor is performing Intrusion Prevention on 802.11a/n and Troubleshooting on 802.11b/g/n. The Sensor is performing Intrusion Prevention on 802.11a/n and 802.11b/g/n. SpectraGuardEnterpriseInstallationGuide 7 ServerandSensorOverview Solid Green Solid Orange Solid Orange Solid Orange Solid Orange Solid Orange Off Slow Blink Slow Blink Slow Blink The Sensor upgrade is in progress. Solid Green Any Fast Blink Any Slow Blink Any Any Any Off Solid Green Any Off Any Any Any Any Solid Green Off The Sensor is unable to get Ethernet link. The Sensor did not receive a valid IP address via the DHCP. The Sensor is unable to connect to the Server. There is an error on 802.11a/b/g/n interfaces. The Sensor is experiencing a software error. The Sensor is not powered on or it is in the process of starting up.
3.4 TherearpaneloftheSensorSS200AThasapowerconnectorandportsthatenableyoutopowerupthedeviceandconnectit tothenetworkoracomputer. RearPanelofSensorSS200AT Figure 7. Rear Panel of Sensor
TheSensorhasthefollowingports:
Serialport:ConnectstheSensortoserialterminalemulationprogramssuchasHyperTerminalforWindowsor minicomforLinux. Ethernetport:ConnectstheSensortothenetwork. Resetswitch:ResetstheSensortofactorydefaults.ToresettheSensor,presstheResetswitchandpowercycle
(removethepowercableonceandconnectitbackagain)theSensortillallLEDsblinkgreen.Pressing<Reset>while theSensorisrunningwillnothaveanyeffect.Thefollowingsettingsarereset:
ConfigShellPasswordisresettoconfig.
ServerDiscoveryvalueiserasedandchangedtothedefault,wifisecurityserver.
AlltheVLANconfigurationsarelost.
SensormodeischangedtoSensorOnly.
IfstaticIPwasconfiguredontheSensor,theIPiserasedandDHCPmodeisset. Afterreset,alltheLEDswillblinkonce,implyingthattheresetissuccessful. 8 SpectraGuardEnterpriseInstallationGuide ServerandSensorOverview Table 6. Rear Panel Port Settings for SS-200-AT Port Description Connector Type Serial Enables a serial connection to establish terminal sessions;
used for launching Config Shell sessions DB-9 Enables the device to be connected to the wired LAN through a switch or a hub. This connection allows the Sensor to communicate with the Server RJ-45 Ethernet
Speed/Protocol Settings:
Bits per second: 9600 Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None Protocol: RS-232 Settings:
10/100 Mbps Protocol:
Ethernet Note:TheSpeed/ProtocolsettingsmentionedintheabovetablearethesameforHypeTerminalandminicom. 3.5 TherearpaneloftheSensorSS300AThasanEthernetportthatenablesthedevicetobeconnectedtothewiredLANthrough aswitchorahubandalsoprovidesthepowerforthedeviceusing802.3afstandard. RearandSidePanelsofSensorSS300AT Figure 8. Rear Panel of Sensor SS-300-AT
TheSensorhasthefollowingports:
Ethernetport:ConnectstheSensortothenetworkandalsoprovidesthepower. Table 7. Rear Panel Port Settings for SS-300-AT Port Description Connector Type Speed/Protocol This enables the device to be connected to the wired LAN through a switch or a hub. This connection allows the SpectraGuard Sensor to communicate with the SpectraGuard Enterprise Server. This port also provides the power for the device using 802.3af standard Ethernet
RJ-45 10/100/1000 Mbps Ethernet Power over Ethernet Note:TheSpeed/ProtocolsettingsmentionedintheabovetablearethesameforHypeTerminalandminicom. SpectraGuardEnterpriseInstallationGuide 9
ThesidepaneloftheSensorSS300AThasaResetSwitchandaSerialPort. ServerandSensorOverview Figure 9. Side Panel of Sensor SS-300-AT
Thesidepanelhasthefollowingports:
Serialport:ConnectstheSensortoserialterminalemulationprogramssuchasHyperTerminalforWindowsor minicomforLinux Resetswitch:ResetstheSensortofactorydefaults.ToresettheSensor,presstheResetswitchandpowercycle
(removethepowercableonceandconnectitbackagain)theSensortillallLEDsblinkgreen.Pressing<Reset>while theSensorisrunningwillnothaveanyeffect.Thefollowingsettingsarereset:
ConfigShellPasswordisresettoconfig.
ServerDiscoveryvalueiserasedandchangedtothedefault,wifisecurityserver.
AlltheVLANconfigurationsarelost.
SensormodeischangedtoSensorOnly.
IfstaticIPwasconfiguredontheSensor,theIPiserasedandDHCPmodeisset. Afterreset,alltheLEDswillblinkonce,implyingthattheresetissuccessful. Table 8. Side Panel Port Settings for SS-300-AT Port Reset Console 10 Description Connector Type Speed/Protocol Allows resetting of SpectraGuard Sensor to factory settings. Enables a serial connection to establish terminal sessions. Used for launching Config Shell sessions. Pin-hole push-button RJ-45 Hold down and power cycle the Sensor to reset RS 232 Serial Bits per second:
115200 Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None SpectraGuardEnterpriseInstallationGuide Chapter4 InstallingtheServer InstallingtheServer ConnectingtheServer YouneedtosetuptheServerbeforeusingittomonitorandprotectyournetwork.Thischapterexplainshowtoconnectand configuretheServer. 4.1 ThisinvolvesmountingtheServerappliance,poweringitup,andconnectingittothenetwork. 4.1.1 MounttheServerAppliance PlacetheServerontherackandmountitusingtherackmountingaccessories. Figure 10. Mount the Server 4.1.2 PoweruptheServer TheServerappliancerunsat110240V,35A,5060HzACpower.AirTightNetworksrecommendsthatyouprovidesurge freestablepowertotheServer.
SpectraGuardEnterpriseInstallationGuide 9 InstallingtheServer Figure 11. Power up the Server TopoweruptheServer,performthefollowingsteps: 1. ConnectoneendofthePowercabletothePowersocketontherearpaneloftheServer. 2. ConnecttheotherendofthePowercabletoa110240V,50/60HzACpowersource. 3. PressthePowerswitchonthefrontpaneloftheServer.
Note:OnconnectingthePowercable,thePowerLEDshouldturnsolidgreen. 4.1.3 ConnecttheServertotheNetwork ConnecttheServertothedesirednetworksegment(subnet).TheServershouldbeabletocommunicatewithallthenetwork segmentsthatittriestoprotect. Warning!ThedefaultIPaddressoftheServeris192.168.1.246.PleaseensurethatnootherdeviceonyournetworkusesthesameIP addressastheServer.ConnecttheNetworkInterfacePortontheServertothedesiredsubnetusingtheEthernetcableprovidedtoyouas showninthefollowing.DonotconnecttheHighAvailability(HA)InterfacePorttothesubnet. Figure 12. Connect the Server to the Network ToconnecttheServertothenetwork,performthefollowingsteps: 1. ConnectoneendoftheNetworkInterfacecabletotheNetworkInterfaceportontherearpaneloftheServer. 2. ConnecttheotherendoftheNetworkInterfacecabletotheNetworkInterfacejacklocatedonthewall.
Note:OnconnectingtheNetworkInterfacecable,theNetworkInterfaceCardLEDshouldturnsolidgreen. 4.2 YoucanaccesstheServerintwoways: AccessingtheServer
UsingSSHSecureShell(SSH)ClienttoaccesstheServer(Recommended)
UsingaSerialRS232cable 10 SpectraGuardEnterpriseInstallationGuide InstallingtheServer 4.2.1 AccessingtheServerusingSSH(Recommended) ToaccesstheServerusingSSH,performthefollowingsteps: 1. ConnectyourcomputertothesamesubnetwheretheServerisconnected. Note:ThedefaultIPaddressoftheServeris192.168.1.246. 2. ChangeyourcomputersIPaddressto192.168.1.XXX,forexample,192.168.1.244. 3. OpenSSHonyourcomputerandpress<Enter>or<Space>ontheSSHSecureShelldialog. 4. AccessthedefaultServerIPaddress,192.168.1.246asshowninthefollowingfigure. Figure 13. Open SSH
LoginusingtheUsername:configandPassword:config. 5. 4.2.2 AccessingtheServerusingaSerialCable Alternatively,youcanaccesstheServerusingaSerialRS232cableasshowninthefollowingfigureandthenfollowingthe stepslistedbelowthefigure. Figure 14. Connect the Server to your Computer using a Serial Cable
SpectraGuardEnterpriseInstallationGuide 11 1. ForWindowsXP,launchtheHyperTerminalapplicationbyclickingStartProgramsAccessories CommunicationsHyperTerminalonyourdesktop.
InstallingtheServer Figure 15. Launch HyperTerminal Application 2. DefineanewHyperTerminalconnection.
Selectanicontoidentifythenewconnection. TypetheuserdefinednamefortheHyperTerminalconnectionintheNamefield Click<OK>ontheConnectionDescriptiondialog.
Figure 16. Define a New HyperTerminal Connection for the system
3. SpecifytheHyperTerminalconnectiondetailsbyselectingorenteringtheappropriateconnectiondetailsandclicking
<OK>ontheConnectTodialog. 12 SpectraGuardEnterpriseInstallationGuide InstallingtheServer Figure 17. Specify HyperTerminal Connection Details
4. Bitspersecond:9600 Edittheserialportsettingsasfollowsorclick<RestoreDefaults>toensurepropercommunicationbetweentheServer andyourcomputer.
Databits:8 Parity:None
Stopbits:1
Flowcontrol:None
Figure 18. Edit Serial Port Settings
5. Click<OK>ontheCOMPropertiesdialog. 6. 7. Press<Enter>or<Space>ontheHyperTerminalscreen.Theloginpromptappears. LoginusingtheUsername:configandPassword:config. SpectraGuardEnterpriseInstallationGuide 13 InstallingtheServer AccessingtheServerInitializationandSetupWizard Important:IfyouareconfiguringtheServerforHAmode,youcanskiptheServerInitializationandSetupwizardandgototheconfig prompt.Changetheconfigshellpassword,setthetimezone,dateandtime,settheServerID,andthenusethesethacommandto configuretheServerinHAmode. 4.3 ThesimpleandintuitiveServerInitializationandSetupWizardallowsyoutomaptheBackspacekey,changethe configurationpassword,setthedateandtimeandthetimezone,changethenetworksettings,andsettheServerIDofthe Server.Youcanretainthedefaultvaluesateachstepbypressing<Enter>.JustfollowtheinstructionsintheInitializationand SetupWizardtoconfiguretheServer.ThewizardguidesyouthroughtherestofthesetupoftheServer. 4.3.1 ConfiguretheBackspaceKey MaptheBackspacekeytoworkproperlyusingtheseterasecommandasshowninthefollowingfigure. Figure 19. Map the Backspace key TheServerInitializationandSetupWizardappearsasshowninthefollowingfigure.
Figure 20. Server Initialization and Setup Wizard Screen 4.3.2 Step1:ChangeConfigShellPassword Forsecurityreasons,AirTightrecommendsthatyouchangetheconfigshellpassword.TheServerdeliberatelyavoidsstrong passwordcheckingbecauseitdoesnotwanttoforcepasswordsthataredifficulttoremember. Thefollowingfigureshowshowtochangetheconfigshellpassword.
14 SpectraGuardEnterpriseInstallationGuide
Figure 21. Change Config Shell Password InstallingtheServer 4.3.3 Step2:ChangeNetworkSettings ThenetworksettingsoftheServerspecifyitsuniqueIPaddressonthenetwork.SensorsusethisIPaddresstoidentifythe Server.ThedefaultIPaddressassignedtotheServeris192.168.1.246. Important:Notethenetworksettingsonpaper.Ifyouforgetthenetworksettings,youcannolongeraccesstheServeroverthenetwork afteritisrebooted.UsetheSerialcabletoaccesstheServerandchangeitsnetworksettings. Tochangethenetworksettings,providethefollowinginput.
IPAddress:ChooseanIPaddressthatiscompatiblewiththenetworksegmentonwhichtheServeristobe connected.TheServershouldbelongtothesamesubnet. SubnetMask:EnterthemaskofthenetworksegmenttowhichtheServeristobeconnected.
GatewayIPAddress:EntertheIPaddressofthegateway,forthesubnetonwhichthisServeristobeconnected.
Ethernettrafficfromthesubnetisforwardedtoanothernetworkthroughthegateway. PrimaryDNSIPAddress:SpecifytheIPaddressoftheprimaryDNSServerusedbytheenterpriseservertoresolve DNSentries. SecondaryDNSIPAddress:SpecifytheIPaddressofthesecondary(alternate)DNSServerusedbytheenterprise servertoresolveDNSentries. TertiaryDNSIPAddress:SpecifytheIPaddressofthetertiary(alternate)DNSServerusedbytheenterpriseserver toresolveDNSentries.
DNSSuffix:Appendthissuffixtotheunqualifieddomainnametogenerateafullyqualifieddomainname. Thefollowingfiguresshowhowtochangethenetworksettings. SpectraGuardEnterpriseInstallationGuide 15 InstallingtheServer Figure 22. Change Network Settings
Figure 23. Confirm Network Settings Changes 4.3.4 Step3:SetServerTimeZone,DateandTimeSettings TosettheTimeZone(TZ)correctly,selectacontinent,acountry,andthenatimezoneregion.YoucanusetheNetworkTime ProtocolNTP(NTP)tosynchronizetheServerclockwithanotherServerorreferencetimesourcebyspecifyingtheIPaddress ortheURLoftheNTPServer. Thefollowingfivefiguresshowhowtochangethetimezonesettingsandthedateandtimesettings. 16 SpectraGuardEnterpriseInstallationGuide InstallingtheServer Figure 24. Specify Continent and Country for Time Zone Settings SpectraGuardEnterpriseInstallationGuide
17 InstallingtheServer Figure 25. Select Time Zone Region
Figure 26. Specify IP Address of NTP Server for Synchronization YoucanalsospecifythetimezoneusingthePosixTZ1formatasshowninthefollowingfigure.
1InPosixTZsystems,ausercanspecifythetimezonebymeansoftheTZenvironmentvariable.Theformatusedwhenthere isnoDaylightSavingTime(orsummertime)inthelocaltimezoneisstdoffset,wherestdspecifiesthenameofthetime zoneandoffsetspecifiesthetimevalueonemustaddtothelocaltimetogetaCoordinatedUniversalTimevalue.Ithasa syntax[+|]hh[:mm[:ss]].ThisispositiveifthelocaltimezoneiswestofthePrimeMeridianandnegativeifitiseast.The hourmustbebetween0and24,andtheminuteandsecondsbetween0and59. 18 SpectraGuardEnterpriseInstallationGuide InstallingtheServer Figure 27. Specify Time Zone using Posix TZ format
Figure 28. Specify Date and Time
Important:OntheDateandTimesettingsscreen,ifthedayexceeds31andthemonthexceeds12,thesystemautomaticallysetstheday to31andmonthto12. 4.3.5 Step4:SetServerIDSettings TheServerIDisidentifiesauniqueServerinstancewhentherearemultipleServerinstancesonthenetwork.Sensorscanbe configuredtocommunicatewithaspecificServerinstance.ThedefaultServerIDis1. Recommended:ServerIDsettingisimportantonlyifyouhaveamultiServerinstallation.IfyouhaveonlyoneServer,theServerID shouldbeleftatthedefaultvalue1. ThefollowingfigureshowshowtosettheServerID. SpectraGuardEnterpriseInstallationGuide 19 InstallingtheServer Figure 29. Set Server ID TheServerinitializationcompletionmessagescreenappearsasshowninthefollowingfigure.
Figure 30. Server Setup Completion Screen
20 SpectraGuardEnterpriseInstallationGuide InstallingtheServer Figure 31. Generating Certificate for Web Server PressytoreboottheServerforthechangestotakeeffect.Ifyouchoosetorebootlaterpressn.TheServerConfigShell.prompt appears.YouneedtoreboottheServeroncompletionoftheInitializationandSetupWizardbeforeyouaccesstheServer Console(GUI).
Note:OntheServerConfigShellprompt,typethecommandhelptoviewthelistofavailablecommands. 4.3.6 SetuptheServerDNSEntry AddaDNSentrywifisecurityserverinyourorganizations/enterpriseDNSServer.ThisentryshouldpointtotheNetwork InterfaceIPAddressoftheServerconfiguredinStep2:ChangeNetworkSettings. Addingthisentryservestwopurposes:
SensorscanconnecttotheServerwithzeroconfigurationiftheyareconnectedtoaDHCPenabledsubnet. YoucanaccesstheServerusingtheaddresshttps://wifisecurityserver. LaunchingtheSystemConsole(GUI) 4.4 4.4.1 SystemRequirements Ensurethatthefollowinghardwareandsoftwareisavailableonyourcomputerbeforelaunchingthesystem. Table 9. Hardware Requirements Hardware Requirements Processor Intel P4 X86 architecture platform (or equivalent) Processor Speed 1.4 GHz (minimum) Memory 512 MB (minimum) Screen Resolution 1024X768 (recommended)
Table 10. Software Requirements Software Requirements Operating System
(OS) Windows 2000 or XP Browser Internet Explorer (IE) 5.5 or higher Java Runtime Environment (JRE) version
JRE 1.6.0 or above SpectraGuardEnterpriseInstallationGuide 21 Recommended:InIE,underToolsInternetOptionsAdvanced,deselecttheoption,Reusewindowsforlaunchingshortcuts. Additionally,underToolsPopupBlocker,selectTurnOffPopupBlocker. InstallingtheServer TolaunchtheConsole,performthefollowingsteps: 1. LaunchaWebbrowsersuchasIE5.5orhigheronaclientcomputeronthenetworkthathasWindows2000orXP OperatingSystem(OS). EnterthedefaultIPAddressfortheServer,thatis,192.168.1.246. 2. 3. Click<Yes>oneachofthesecuritymessagepopupdialogstoproceed. Figure 32. Web Site Certificate Verification
Thedialogshownbelowappearsunderthefollowingconditions:
Ifthecorrectversion,thatis,SunJRE1.6.0isnotdetectedonyourcomputer Iftheversioninstalledhasnotbeenactivatedforusage Figure 33. Installing JRE
4. DisableallpopupblockersactiveonyourWebbrowsertoeliminatethewarningmessageshowninthefollowingfigure. Figure 34. Pop-up Blocker Message
22 SpectraGuardEnterpriseInstallationGuide InstallingtheServer Figure 35. Detecting Java Runtime Environment (JRE)
Figure 36. Web Site Certificate Warning
5. AddaDNSentryforthehostnamewifisecurityserverandtheIPaddressoftheServerinthehostsfileoftheclient computertoeliminatethewarningshowninthefollowingfigure. Thehostsfileislocatedatthefollowingpath: C:\WINNT\system32\drivers\etc\hosts,forWindows2000
C:\windows\system32\drivers\etc\hosts,forWindowsXP
SavethehostsfileandrestartthebrowsertoinvoketheConsole. 6. Figure 37. Hostname Mismatch Warning
SpectraGuardEnterpriseInstallationGuide 23 InstallingtheServer
Figure 38. Digital Signature Verified 4.5 1. 2. ActivatingtheLicense SavethelicensekeyfileshippedwiththeServeronyourdesktop. Browsetothelicensekeyfileandselectit.Click<Apply>. Figure 39. Activate License
Ifthelicensekeyisvalid,youwillseetheLoginscreen.Otherwise,youwillseeanerrormessage. 24 SpectraGuardEnterpriseInstallationGuide Chapter5 InstallingtheSensor InstallingtheSensor SensoristheprobethatmonitorsyournetworkandcommunicateswiththeServertoguardyourcorporatenetworkagainst overtheairattacks.TheSensormustbepluggedtoyourcorporatenetworktoperformtheaboveoperations. Sensorcanbeconfiguredinoneofthefollowingthreemodes:
SensorOnly(SO)Mode:Thisisthedefaultmode.Inthismode,theSensorshouldbeconnectedintoanaccessport onaswitch.ItthenmonitorsasingleVLANthatisconfiguredonthataccessport.Thewirelessinterfaceofthe Sensorisenabled.
NetworkDetector(ND)Mode:Thismodeneedstobeexplicitlyconfigured.Inthismode,theNDshouldbe
connectedintoatrunkport(802.1Qcapable)onaswitch.ItthenmonitorsmultipleVLANsthatareconfiguredon thattrunkportandarechosenbytheuserusingtheNDCLI.ThewirelessinterfaceoftheNDisdisabled.AnSS200 ATSensorinNDmodecanmonitorupto32VLANs.Similarly,anSS300ATcanmonitorupto100VLANs. Sensor/NDCombo(SNDC)Mode:Thismodeneedstobeexplicitlyconfigured.Inthismode,theSensorshouldbe connectedintoatrunkport(802.1Qcapable)onaswitch.ItthenmonitorsmultipleVLANsthatareconfiguredon thattrunkportandarechosenbytheuserusingtheNDCLI.ThewirelessinterfaceoftheSensorisenabled.ASS 200ATSensorinSNDCmodecanmonitorupto4VLAN.Similarly,anSS300ATcanmonitorupto16VLANs. Important:Topreventabuseandintrusionbyunauthorizedpersonnel,itisextremelyimportanttoinstalltheSensorsuchthatitis difficulttounplugthedevicefromthenetworkorfromthepoweroutlet. 5.1 Zeroconfigurationisrequiredifthefollowingconditionsaresatisfied: ZeroConfigurationofSensors TheSensorisinSOmode.
ADNSentrywifisecurityserverissetuponallDNSServers.ThisentryshouldpointtotheIPaddressofthe Server.BydefaulttheSensorlooksfortheServerDNSentrywifisecurityserver. SensorisplacedonasubnetthatisDHCPenabled.
Important:IfaSensorisplacedonanetworksegmentthatisseparatedfromtheServerbyafirewall,youmustfirstopenport3851for UserDatagramProtocol(UDP)andTransportControlProtocol(TCP)bidirectionaltrafficonthatfirewall.Thisportnumberisassigned toAirTightNetworks.IfmultipleSensorsaresetuptoconnecttomultipleServers,zeroconfigurationisnotpossible.Inthiscase manualconfigurationofSensorsisneeded.RefertoManuallyConfiguringtheSensorfordetails. ThestepstoinstalltheSensorwithnoconfiguration(zeroconfiguration)areasfollows.
MounttheSensor
PoweruptheSensor ConnecttheSensortothenetwork ConnectingtheSensor 5.2 ThisinvolvesmountingtheSensor,poweringitup,andconnectingittothenetwork. 5.2.1 MounttheSS200ATSensor TakeaconfiguredSensor,thatis,makesurethattheSensorisgivenastaticIPorthesettingshavebeenchangedforDHCP. NotetheMACaddressandtheIPaddressoftheSensorinasafeplacebeforeitisinstalledinahardtoreachlocation.The MACaddressoftheSensorisprintedonalabelatthebottomoftheproductandthepackagingbox. Recommended:YoushouldlabeltheSensorsusingMACaddressesoratleastyourownconvention.Forexample,useserialnumbers,so thatyoucaneasilyidentifytheSensors. CeilingMounting 5.2.1.1 TomounttheSensortoaceiling,performthefollowingsteps: 1. Placethemountingbracket/mountontheSensorandalignthebracketslotswiththoseontheSensorasshowninthe followingfigure.
SpectraGuardEnterpriseInstallationGuide 25 InstallingtheSensor Figure 40. Aligning the Sensor and Mount Slots
2. SlidethemountandbendthetworetainingplatesforwardtopreventtheSensorfromslidingasshowninthefollowing figure. Figure 41. Fixing the Mounting Bracket to the Sensor
Note:Youneedtouseonlyoneofthetwotabsonthemountatatime.ForU.SInstallations,usethetabnearesttheedgefordrop ceiling/tbarsthatareapproximately1inchwide.YouneedtobendtheinnertabforthesmallerEuropeandropceilingssoitis flush/flatwiththebottomofthemount.Therefore,theinnertabdoesnotprotrudeatall.YouneedtobenddownthetabforUSdrop ceilingssothatitprotrudesapproximatelyinchfromthebottom.ForEuropeanInstallations,usetheinnertabfordropceilings/t barsthatareapproximatelyinchwide. Figure 42. Tab orientations for US Installations
3. PresstheSensor/bracketmountagainstthetbaratananglewiththetbarrunningbetweenthetwotabsthatwill eventuallygrabthedropceilingtbarasshowninthefollowingfigure. 26 SpectraGuardEnterpriseInstallationGuide InstallingtheSensor Figure 43. Pressing the Mount against the T-Bar
4. Turn/twistthemountsothatthetwotabsbegintoengagethetbarandthetbarpassesovertheEuropeantab,whichwas pusheddownflush.ThetbarshouldalsopushagainsttheUStab,whichwasbentupapproximatelyinchasshownin thefollowingfigure. Figure 44. Initial Twisting of the Mount
5. Turn/twistthemountalltheway,sothatthetwotabscompletelyengagethetbar.TheUStabbendsupapproximately inchandpushesagainstthesideofthetbarpreventingthemountfromtwistingbackwardanddisengagingformthet barasshowninthefollowingfigures.
Figure 45. Final Twisting of the Mount with the US tab supporting the Mount FlatSurfaceInstallation 5.2.1.2 YoucanplacetheSensoronaflatsurfacesuchasatable,desktop,orfilingcabinet.DonotinstalltheSensoronanytypeof metalsurface.Ifyouchooseaflatsurfacemount,selectalocationthatisclearofobstructionsandprovidesgoodreception. SpectraGuardEnterpriseInstallationGuide 27 InstallingtheSensor Figure 46. Flat Surface Installation
Recommended:AirTightdoesnotrecommendwallmountingoftheSensorasitusesomnidirectionalantennas. 5.2.2 MounttheSS300ATSensor TakeaconfiguredSensor,thatis,makesurethattheSensorisgivenastaticIPorthesettingshavebeenchangedforDHCP. NotetheMACaddressandtheIPaddressoftheSensorinasafeplacebeforeitisinstalledinahardtoreachlocation.The MACaddressoftheSensorisprintedonalabelatthebottomoftheproduct. Recommended:YoushouldlabeltheSensorsusingMACaddressesoratleastyourownconvention.Forexample,useserialnumbers,so thatyoucaneasilyidentifytheSensors. Ceiling/WallMounting 5.2.2.1 ToinstalltheSensoronawallorceiling,usethemountingbracketthatcomeswiththedevice.Followthesesteps: 1.
Followingtheseguidelines,screwthemountingbrackettoawallorceiling:
Themountingbrackettabsshouldbepointingupward. Ifmountingtodrywall,usethe4screwsand4wallanchors. IfmountingtoanEUelectricalbox(60.3mm),use2threadedscrewsandinsertintotheholesmarkedAinthe diagramshownbelow. IfmountingtoaUSelectricalbox(83.3mm),use2threadedscrewsandinsertintotheholesmarkedBinthe diagramshownbelow.
Figure 47. Holes for inserting screws
2. ConnecttheEthernetcable(forpowerandnetworkconnection)totheLANportonthebackoftheSensor. 3. TomounttheSensorontothemountingbracket,insertthemountingbrackettabsintotheslotsonthebackoftheAP. IMPORTANT:IfyouaremountingtheSensoronawall,youcannotusetheslotsonthebottomnarrowedgeofthedevice.Instead,the slotsonthebackoftheSensormustbeused. 5.2.2.2 ToinstalltheSensoronaflatsurfacesuchasatableordesktop,followthesesteps: FlatSurfaceInstallation 28 SpectraGuardEnterpriseInstallationGuide 1. InsertthetabsonthetablestandintotheslotsonthesideoftheSensor,asshownintheillustration.Alignthecable routingcutouttowardtheupperpartofthestand. InstallingtheSensor Figure 48. Inserting tabs on the table stand
2. TolockthestandtotheSensor,slidethestandbackandtheSensorforward,asshownhere: Figure 49. Locking the Stand to the Sensor 3. PlacetheSensorandtablestandonthetable.
Figure 50. Sensor Mount on a Table
4. ConnecttheEthernetcableforpowerandnetworkconnectiontotheLANportonthebackoftheAP. 5.2.3 PoweruptheSensor AnSS200ATSensorrunsona5VDCconnection.UsethepoweradapterprovidedtopowertheSensorfroman110V~240V 50/60HzACpowerconnection. TopoweruptheSensor,performthefollowingsteps: SpectraGuardEnterpriseInstallationGuide 29 1. 2. PlugthepowercableintotheDCpowerreceptacleattherearoftheSensor. Plugtheotherendofthepowercableintoan110V~240V50/60HzACpowersource. InstallingtheSensor Figure 51. Power up the Sensor
Waitfortwominutes! 3. ChecktheStatusLEDs.YouwillseeLED1turnOrangeandLED2turngreen,indicatingthattheSensorispoweredon correctlyandwaitingtobeconnectedtothenetwork. AnSS300ATSensorcanbePoweredonby802.3afClass0PowerOverEthernetofNominalinputvoltage48VDC. 5.2.4 ConnecttheSensortotheNetwork EnsurethattheServerisalreadyrunningonyournetwork.AddtheDNSentrywifisecurityserveronallDNSServers.This entryshouldpointtotheIPaddressoftheServer. ToconnecttheSensortothenetwork,performthefollowingsteps: 1. 2. ConnectoneendoftheNetworkInterfacecabletotheEthernetportattherearoftheSensor. 3. ConnecttheotherendoftheNetworkInterfacecabletoanEthernetjackthatisconnectedtothedesiredsubnet. EnsurethatDHCPisrunningonthesubnettowhichtheSensorwillbeconnected. Important:IfDHCPisnotenabledonasubnet,Sensorscannotconnecttothatsubnetwithzeroconfiguration.RefertoManually ConfiguringtheSensorfordetailsonmanualconfigurationofSensor. Figure 52. Connect the Sensor to the Network
Waitfortwominutes! ChecktheStatusLEDsontheSensor.IfallLEDsglowgreen,thentheSensorisoperationalandconnectedtotheServer. LogontotheServerthroughSSH.Runthegetsensorlistcommand.YouwillseealistofallSensorsthatarerecognizedby theServer. TheSensorisconfiguredandreadytogo.ChecktheConsoletoensurethatthisSensorhasbeendetected. IfalltheSensorshaveconnectedwithzeroconfiguration,youneednotreadthisinstallationguidefurther. 30 SpectraGuardEnterpriseInstallationGuide Note:IfLED1turnsOrange,itmeansthatthezeroconfigurationwasnotsuccessfulandtheSensormustbeconfiguredmanually.Refer toManuallyConfiguringtheSensorfordetails InstallingtheSensor SpectraGuardEnterpriseInstallationGuide 31 Chapter6 ManuallyConfiguringtheSensor ManuallyConfiguringtheSensor Important:IftheinstallationinInstallingtheSensorwassuccessful,stop!YoudonotneedtoconfiguretheSensormanually. 6.1 ManualconfigurationofaSensoristypicallyrequiredinthefollowingcases: Introduction
SensorneedstobeconfiguredinNDorSNDCmode. SensorOnly(SO)devicescannotconnecttotheServerthroughzeroconfiguration.TheDNSentryfortheServerhas beenchangedtoanentryotherthanwifisecurityserverorthereisnoDNSServerpresentinthenetwork.Thisis applicableformultiserverinstallations. SensorisplacedonasubnetthatisnotDHCPenabled. ConfiguringSensorthroughConfigShell 6.2 TousetheConfigShell,connectaSerial(RS232)cablebetweenyourcomputerandtheSensor.TheConfigShellsupportsa predefinedsetofcommandsusedtoconfiguretheSensor.
Figure 53. Connecting the Sensor to your computer using a Serial Cable ThestepstoconfiguretheSensormanuallyareasfollows: InvokeHyperTerminal(orminicom) 1. Loginandchangethedefaultpassword 2. SetServerDiscovery 3. SetSensorMode 4. SetNetworkSettingsforthatSensorMode 5. Theabovestepsareexplainedindetailbelow. 6.2.1 InvokeHyperTerminal(orminicom) ToconfiguretheSensor,followthestepsdescribedbelowtoinvoketheConfigShell. 6.2.1.1 TostartHyperTerminal,clickStartProgramsAccessoriesCommunicationsHyperTerminalasshowninthefollowing figure. LaunchingHyperTerminal 30 SpectraGuardEnterpriseInstallationGuide ManuallyConfiguringtheSensor Figure 54. Opening HyperTerminal Note:IfyouareusingaLinuxlaptop,youcanuseminicomtoconnecttotheConfigShell. 6.2.1.2 DefiningaNewHyperTerminalConnection
Figure 55. Define a New HyperTerminal Connection for Sensor
SpectraGuardEnterpriseInstallationGuide 31
6.2.1.3 ManuallyConfiguringtheSensor Selectanicontoidentifythenewconnection. TypetherequirednamefortheHyperTerminalconnectionintheNamefield Click<OK>ontheConnectionDescriptiondialog. SpecifyingHyperTerminalConnectionDetails
Figure 56. Specify HyperTerminal Connection Details
Selectorentertheappropriateconnectiondetails. Click<OK>ontheConnectTodialog. Note:Thenameoftheserialportwillchangeasperthesettingsofyourcomputer. 6.2.1.4 EditingSerialPortSettings
Figure 57. Edit Serial Port Settings
32 SpectraGuardEnterpriseInstallationGuide ManuallyConfiguringtheSensor
Edittheserialportsettingsasfollowsorclick<RestoreDefaults>toensurepropercommunicationbetweenthe Sensorandyourcomputer.
Bitspersecond:9600
Databits:8
Parity:None
Stopbits:1
Flowcontrol:None Click<OK>ontheCOMPropertiesdialog. Press<Enter>or<Space>ontheHyperTerminalscreen. 6.2.2 LoginandChangetheDefaultPassword LogintotheConfigShellusingtheusernameconfigandpasswordconfig.Changethedefaultpasswordusingthecommand passwd.YoucanchangetheSensorpasswordusingSensortemplates.Refertosection8.4.4:SensorConfigurationinthe SpectraguardEnterpriseUserGuideformoredetails.
Recommended;AirTightrecommendsthatyouchangethedefaultpasswordforsecurityreasons,althoughitisnotmandatory. 6.2.3 SetServerDiscovery ThenextstepistosettheServerDiscoveryinformation.TherearetwotypesofServerDiscovery.
ServerIPbaseddiscovery(preferred) ServerIDbaseddiscovery(deprecated) ServiceLocationProtocol(SLP)baseddiscovery(ifwifisecurityserverservicehasbeenconfigured) UsethecommandsetserverdiscoverytopointtheSensortothecorrectServer. Figure 58. set server discovery command
Note:IfIP/HostnamebaseddiscoveryisbeingusedandthereismorethanoneServeronthenetwork,thenyoumustentertheIPaddress oftheappropriateServer. 6.2.4 SetSensorMode ThenextstepistosetthemodeoftheSensor.Therearethreepossiblemodes:
SOMode:Thisisthedefaultmode.Inthismode,theSensorshouldbeconnectedintoanaccessportonaswitch.It thenmonitorsasingleVLANthatisconfiguredonthataccessport.ThewirelessinterfaceoftheSensorisenabled.
NDMode:Thismodeneedstobeexplicitlyconfigured.Inthismode,theNDshouldbeconnectedintoatrunkport
(802.1Qcapable)onaswitch.ItthenmonitorsmultipleVLANsthatareconfiguredonthattrunkportandarechosen bytheuserusingtheNDCLI.ThewirelessinterfaceoftheNDisdisabled.ASensorinNDmodecanmonitorupto 32VLANsanddetectupto32VLANs. SpectraGuardEnterpriseInstallationGuide 33 ManuallyConfiguringtheSensor
SNDCMode:Thismodeneedstobeexplicitlyconfigured.Inthismode,theSensorshouldbeconnectedintoa trunkport(802.1Qcapable)onaswitch.ItthenmonitorsmultipleVLANsthatareconfiguredonthattrunkportand arechosenbytheuserusingtheNDCLI.ThewirelessinterfaceoftheSensorisenabled.ASensorinSNDCmode canmonitorupto4VLANsanddetectupto4VLANs. UsethesetmodecommandtosettheSensormode. Figure 59. set sensor mode command
6.2.5 ConfigureNetworkSettings Oncethemodeisset,youhavetoenabletheNetworkSettings.
SensorOnlyMode:Forthismode,usethecommandsetipconfig.ThiscommandrunsthroughthecurrentVLAN andtheIPconfigwizard.
NetworkDetector/Sensor/NDComboMode:Forthismode,usethecommandsetvlanconfig.Thiscommand configurestheIPaddressesontheND. RefertoChapter3:GuidelinesforConfiguringandInstallingNDandSNDCinthedocumentNetworkDetector ConfigurationforSpectraGuardEnterprise_5.7forfurtherdetails. 34 SpectraGuardEnterpriseInstallationGuide Chapter7 SettinguptheServerConsole SettinguptheServerConsole TheConfigurationWizardguidesyouthroughthestepsrequiredtosetupthesystem.ThesystemismanagedthroughaJava appletthatislaunchedintheInternetExplorer5.5+Webbrowser.ThisHTMLinterfaceisknownastheConsoleorGraphical UserInterface(GUI).ThischapterdescribeshowtheConsoleislaunchedandsetup. 7.1 1. OntheLoginscreen,typetheLoginID:adminandthePassword:adminandclick<Login>orpress<Enter>. LoggingintotheConsole
Figure 60. Console Login Screen TheEndUserLicenseAgreementscreenappearsasshowninthefollowingfigure.Readtheagreementcarefullyand selectIhavereadandagreetotheLicensingAgreementabove.Click<Next>. 2.
Figure 61. End User License Agreement Screen 7.1.1 Step1:StartingtheSetupWizard 3. TheWelcomescreenappearsasshowninthefollowingfigure.Thiswizardtakesyouthroughthestepstohelpyou initializethesystem.Click<Next>oneachscreentoproceedtothenextstep.Togobacktoapreviousstep,click
<Previous>.Toexitthesetupwizardatanypoint,click<Exit>.Youcantakeatourofthiswizardlaterthroughthe ConsolefromAdministrationGlobalTabSystemSettingsWizardsandconfiguretheappropriatesettings.Click
<Start>. SpectraGuardEnterpriseInstallationGuide 35 SettinguptheServerConsole Figure 62. System Setup Wizard Welcome Screen 7.1.2 Step2:ChangingyourAccountPassword 4. TheChangePasswordscreenappearsasshowninthefollowingfigure.Changeyouraccountloginpassword.Specifyan emailaddressfortheuseradmintobeusedlatertotestSMTPServersettingsandotheremailnotifications.
36 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 63. Change Password UnderPasswordDetails,youcanspecifythefollowing: EmailAddress
OldPassword
NewPassword
ConfirmPassword
UnderUserPreferences,youcanchangeyoursessiontimeoutinterval,languagesettings,ortimezone. SessionTimeout:Enablesyoutospecifythetimeafterwhichtheuserisloggedoutautomaticallyifthesystemdoes notdetectanyactivity
SessionNeverExpires:Selectthischeckboxifyoudonotwantthesessiontoexpire
SessionTimeout:Enablesyoutospecifythenumberofminutesafterwhichthesystemautomaticallylogsout thecurrentlyloggedinuserwhenthereisnoactivityontheConsolefortheSessionTimeoutperiod
(Minimum:10minutes;Maximum:120minutes) Languagepreference:SelectEnglishorMultilingualsupportfromthedropdownlist TimeZone:Selecttheappropriatetimezonefortheuser
Tosavethenewpasswordanduserpreferences,click<Apply>. 7.1.3 Step3:PreparingyourSystemforConfiguration 5. TheEventActivationscreenappearsasshowninthefollowingfigure.Toavoidtransienteventsduringthesetupprocess, deactivatethisfeatureforalllocationswherechangesaretobemade.Thesystempromptsyoutoturnthisfeatureback onattheendoftheSetupWizard.IfyouexittheSetupWizardprematurely,youmustmanuallyreactivatethisfeature. SpectraGuardEnterpriseInstallationGuide 37 SettinguptheServerConsole Figure 64. Event De-activation 6. TheIntrusionPreventionActivationscreenappearsasshowninthefollowingfigure.Toavoidunwantedintrusion preventionactivityduringthesetupprocess,deactivatethisfeatureforalllocationswherechangesaretobemade.The systempromptsyoutoturnthisfeaturebackonattheendoftheSetupWizard.IfyouexittheSetupWizardprematurely, youmustmanuallyreactivatethisfeature.AuthorizedAPsshouldbeintheAuthorizedfolderbeforeactivatingintrusion prevention.TheirnetworkconnectivityiconmayshowthestatusasWired,Unwired,orIndeterminate.
38 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 65. Intrusion Prevention De-activation 7. TheDeviceListLockingscreenappearsasshowninthefollowingfigure.Ifyouhadpreviouslylockedthelistof AuthorizedAPsandClientsatalocationbycheckingthetwocheckboxesLockAPListforlocation<selectedlocation> andLockClientListforlocation<selectedlocation>,youmustunlockthelistsforallthelocationswhereyouexpectto addAuthorizedAPsorClientsduringthesetupwizard.Ifyoulockaparticulardevicelist,nomoredevicesofthattype canbesubsequentlyautomaticallyAuthorizedforthatlocation.AsAPsarenotautomaticallymovedtotheAuthorized folder,lockingtheAuthorizedAPlistmeansthatnowiredAPswillbetaggedasPotentiallyAuthorizedatthislocation; theywillbecomePotentiallyRogueandmaybeautomaticallymovedtotheRoguefolderbasedontheAPAuto Classificationpolicy.
SpectraGuardEnterpriseInstallationGuide 39 SettinguptheServerConsole Figure 66. Device List Unlocking 7.1.4 Step4:ConfiguringNotificationSettings 8. TheSMTPConfigurationscreenappearsasshowninthefollowingfigure.YoumustsetSimpleMailTransferProtocol
(SMTP)Serversettingstosendnotificationofeventsviaemail.AirTightrecommendsthatyoutesttheSMTPsettings beforeapplyingthechanges.Youmusthaveadministratorprivilegestosetthesevalues.
40 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 67. SMTP Configuration Note:Ifyouwantthesystemtonotifyyoubyaneventsemail,youneedtospecifySMTPServerdetails.Thesystemdoesnotemailevents bydefault.Ifyoudonotwanttoreceiveemailfortheevents,select<RestoreDefaults>and<Apply>.
SMTPConfigurationcontainsthefollowingoptions:
SMTPServer(IPaddress/Hostname:Port):SpecifiestheIPaddressorthehostnameandtheportnumberofthe SMTPServertobeusedbythesystemforsendingemailalerts.
(Default:127.0.0.1:25) ThefollowingaretheauthenticationprotocolsforSMTPServer:
PLAIN(Forsendmail8.10andabove)
LOGIN(Forsendmail8.10andabove)
NTLM(Windowsproprietaryauthenticationmethod) EmailAddressinFromfield:Specifiesthesourceaddressfromwhichemailalertsaresent.
AuthenticationRequired:Ifenabled,specifieswhethertheSMTPServerrequiresauthentication.
Username:SpecifiestheusernameforSMTPServerauthentication.
Password:SpecifiesthepasswordforSMTPServerauthentication. Tosendatestemail,click<TestSMTPSettings>.Thistestemailwillbesenttotheemailaddressoftheloggedinuser,inthis caseuseradmin. 9. TheSyslogConfigurationscreenappearsasshowninthefollowingfigure.SyslogConfigurationallowsthesystemto sendeventstodesignatedSyslogreceivers. SpectraGuardEnterpriseInstallationGuide 41 SettinguptheServerConsole
Figure 68. Syslog Configuration
SyslogIntegrationStatus:IfSyslogintegrationisenabled,thesystemsendsmessagestotheconfiguredSyslog Servers.Else,Syslogintegrationservicesareshutoff.
IfyouselectSyslogIntegrationEnabled,youcanmanageSyslogServers.ThesystemenablesSyslogbydefault.
CurrentStatus:DisplaystheCurrentStatusoftheSyslogServer:RunningorStopped.AnErrorstatusisshown inoneofthefollowingcases:
OneoftheconfiguredandenabledSyslogServershasahostname,whichcannotberesolved
SystemServerisstopped
Internalerror,inwhichcaseyouneedtocontactTechnicalSupport
UnderManageSyslogSevers,click<Add>toopenSyslogConfigurationdialogwhereyoucanaddSyslogServer details. 42 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 69. Syslog Configuration Dialog
SyslogConfigurationcontainsthefollowingfields:
SyslogServer(IPAddress/Hostname):SpecifiestheIPaddressorthehostnameoftheSyslogServertowhichevents shouldbesent. Note:ConfiguredSyslogServerswillusetheDNSnamesandDNSsuffixesconfiguredbytheuserintheServerInitializationandSetup WizardontheServerConfigShell.
PortNumber:SpecifiestheportnumberoftheSyslogServertowhichthesystemsendsevents.
(Default:514)
MessageFormat:Specifiestheformatinwhichtheeventissent:IntrusionDetectionMessageExchangeFormat
(IDMEF)orPlaintext.
(Default:Plaintext) Note:IfyouupgradeaServer,pre5.6to5.6,allpreviouslyconfiguredSyslogServerswouldsendeventsinPlaintextMessageFormatby default.YoucanselecttheIDMEFformatbyeditingtheSyslogServersettings.
Enabled?:SpecifiesiftheeventsaretobesenttothisSyslogServer.
(Default:Enabled) Click<Add>toaddthedetailsforanewSyslogServer.Click<Cancel>toclosethewindowanddiscardallchangesthatwere made. Doubleclickaroworclick<Edit>toopenSyslogConfigurationdialogsimilartotheoneshownabove.Click<Save>tosave allsettings.Click<Cancel>toclosethewindowanddiscardallchangesthatweremade. Click<Delete>todiscardthedetailsofanexistingSyslogServer. 10. TheSNMPConfigurationscreenappearsasshowninthefollowingfigure.SNMPConfigurationallowsthesystemto sendeventsasSNMPtrapstodesignatedSNMPtrapreceivers.ItalsoallowsSNMPmanagerstoqueryServeroperating parametersusingIFMIB,MIBII,andHostResourcesMIB. SpectraGuardEnterpriseInstallationGuide 43 SettinguptheServerConsole
Figure 70. SNMP Configuration
SNMPIntegrationStatus:IfSNMPintegrationisenabled,thesystemsendsSNMPtrapstotheconfiguredSNMP Servers.OthersystemscandoanSNMPGettothisServer.Else,SNMPintegrationservicesareshutoff.
IfyouselectSNMPIntegrationEnabled,youcaneditandmanageSNMPServerdetails.Thesystemenables SNMPbydefault.
CurrentStatus:DisplaystheCurrentStatusoftheSNMPServer:Running,Error,orStopped.
UnderSNMPSettings,configureSNMPGetsorTraps.
SNMPGetsEnabled:AllowsSNMPmanagerstoqueryServeroperatingparametersusingIFMIB,MIBII,and HostResourcesMIB.
SNMPTrapsEnabled:AllowsSNMPtrapstobesenttoconfiguredSNMPServers. Additionally,selecttheSNMPversionstobeenabledandconfiguretherelevantsettings.
SNMPv1,v2:Ifselected,specifytheCommunityStringfortheSNMPagent.
(Default:public)
SNMPv3:Ifselected,specifytheEngineID,Username,andPassword.
(DefaultUsername:admin;DefaultPassword:password)
UnderSNMPMIBs,selectthefollowingSNMPMIBstobeenabledandconfiguretherelevantsettings.
IFMIB
HostResourcesMIB
AirTightMIB:EnablestheexternalSNMPagenttoreceivetraps
MIBII:Ifselected,configuretheSystemContact,SystemName,andSystemLocation.
(DefaultSystemName:WifiSecuritySever) Note:TheInternetAssignedNumbersAuthority(IANA)assignedPrivateEnterpriseNumberforAirTightNetworks,Inc.is16901.
UnderSNMPTrapDestinationServers,click<Add>toopenSNMPConfigurationdialogwhereyoucanaddSNMP Serverdetails. 44 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 71. SNMP Configuration Dialog
SNMPDestinationServerDetailscontainsthefollowingfields:
DestinationServer(IPAddress/Hostname)*:SpecifiestheIPaddressorthehostnameoftheSNMPServertowhich eventsshouldbesent. Note:ConfiguredSNMPServerswillusetheDNSnamesandDNSsuffixesconfiguredbytheuserintheServerInitializationandSetup WizardontheServerConfigShell.
SNMPProtocolVersion:SpecifiestheSNMPprotocolversionfortheSNMPagent.
(Default:SNMPv1,v2) PortNumber:SpecifiestheportnumberonthereceivingsystemtowhichtheSNMPtrapissent.
(Default:162) Enabled?:SpecifiesiftheSNMPServerisenabledtoreceiveSNMPtraps.
(Default:Enabled) Note:Youmustspecifyadifferentportnumberifanotherapplicationusesthedefaultport. Click<Add>toaddthedetailsforanewSNMPServer. Doubleclickaroworselectarowandclick<Edit>toopenSNMPConfigurationdialogsimilartotheoneshownabove.. Click<Save>tosaveallsettings. Selectarowandclick<Delete>todiscardthedetailsofanexistingSNMPServer. 7.1.5 Step5:SettingupLocationsandSensors 11. TheLocationsscreenappearsasshowninthefollowingfigure.Createahierarchyofallthelocationsthatthesystemwill monitorandsecurebyaddinglocationfoldersandnodes. SpectraGuardEnterpriseInstallationGuide 45 SettinguptheServerConsole Figure 72. Locations Screen
TheLocationsscreenoperatesintwomodes:DesignermodeandViewermode.TheDesignermodeisactivebydefault. Alocationhierarchyofyoursetupmaycompriselocationfoldersandlocationnodes. Locationfoldersrepresentorganizationalcomponentssuchasbuildings,cities,orcountries.
Root:Thisistherootlocation.ThefactorydefaultnameforthislocationisLocations.Youcanrenamethis location.However,youcannotdeleteormovethislocation.
Unknown:Thisisthedefaultlocationfolderoftherootlocation.Youcannotcreate,delete,rename,move,oradd alocationtotheUnknownfolder.WhenthesystemdetectsanewuntaggedSensor,ittagsthisSensortothe Unknownlocationfolder.Inotherwords,whenthelocationtagofalocationawareentityisnotknownor cannotbedetermined,itistaggedtotheUnknownfolder. Locationnodesrepresentcomponentdetailssuchasafloorinabuilding.Forexample,HawaiiConferenceRoom, Bldg15CubicleG2,orExecutiveArea. AddingaNewLocation 7.1.5.1 Usethefollowingstepstoaddalocation: a. b. Dooneofthefollowing: IntheLocationtree,selectthelocationunderwhichyouwishtoaddanewlocation. Rightclickandfromtheresultingcontextsensitivemenu,selectAddNewLocation. ClicktheAddNewLocationicon(
)belowtheDesignermodetab. SpectraGuardEnterpriseInstallationGuide
46 SettinguptheServerConsole Figure 73. Adding a New Location
Figure 74. Specifying Location Properties
IntheAddNewLocationdialog,selectthetypeoflocation,thatis,LocationFolderorLocationNode. c. d. Enteranameforthenewlocationandoptionallyenterthefollowingdetails.
SelectImageFile:Click<Browse>tonavigatetothepathoftheimagethatyouwishtoattachtothelocationfolder ornode.
Unit:Specifytheunitofmeasurement(feetormeters)forthelocationnode. Length:Specifythelengthofthelocationnode.
Width:Specifythewidthofthelocationnode.
SelectSPM:Click<Browse>tonavigatetothepathofthe.SPMfilethatyouwishtoimportfromSpectraGuard Planner(Planner)intothenewlocationnode. Note:Unit,Length,Width,andSelectSPMoptionsareavailableonlyforalocationnode.Theyaregrayedoutforalocationfolder. e. Click<OK>tocreateanewlocation.Alternatively,click<Cancel>toavoidcreatinganewlocation. 12. TheSensorConfigurationscreenappearsasshowninthefollowingfigure.ThisenablesyoutocreatedifferentSensor configurationtemplates.ThisallowstheusertoapplydifferentsettingstodifferentSensorsbyapplyingdifferent templates.Eachconfigurationtemplateallowssettingsforoperatingregion,channelstomonitor,channelstodefend, antennaconfiguration,Sensorpassword,andofflineSensoroperation. Atanylocation,youcanchooseatemplateasadefaulttemplate.ThistemplatewillbeappliedtoanynewSensortaggedto thatlocation. SpectraGuardEnterpriseInstallationGuide 47 SettinguptheServerConsole Figure 75. Sensor Configuration Note:SensorspriortoVersion5.2donotsupportadditionalchannels(802.11j&Turbochannels),AntennaPortAssignment,andSensor PasswordConfigurationfeatures.IfyouapplytemplatescontainingthesesettingstoolderSensors,olderSensorswillignoretheadditional settings. Click<AddNewSensorTemplate>toopentheSensorConfigurationTemplatedialog.
48 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 76. Channel Settings Tab UnderCreateConfigurationTemplate,specifythefollowing:
Name:UniquenameoftheSensorConfigurationtemplate(lessthan40characters)
Description:BriefdescriptionoftheSensorConfigurationtemplate(lessthan500characters)
Note:ThesystemstoresthedefaultSensorconfigurationinapredefinedtemplateSystemTemplate.YoucannotdeletetheSystem Templatenoredititsname;itisunique.WhenaSensorisaddedordiscovered,itisautomaticallyassignedtheconfigurationsettingsin thistemplate.YouareallowedtoedittheconfigurationsettingsintheSystemTemplatetoeffectdefaultconfigurationoftheirchoice. WheneveryoudeleteauserdefinedSensorconfigurationtemplate,alltheSensorsassociatedwiththattemplateareassigned theSystemTemplate.YoucanoverridethetemplateappliedtoaSensormanuallyfromtheDevicesSensorstab.Ifyou modifythesettingsinatemplate,thenewsettingsareappliedtotheSensorstowhichthistemplateisapplied. ChannelSettings ChannelSettingsdisplaysthe802.11a/802.11b/gandTurbochannelsonwhichscanninganddefendingisenabled/disabled. SensorsscanWLANtrafficonchannelsspecifiedunderChannelstoMonitoranddefendthenetworkagainstvariousWLAN threatsonchannelsspecifiedunderChannelstoDefend.
UnderChannelSettingstab,specifythefollowing:
SelectOperatingRegion:Specifiestheregion:country:ofoperation.Eachregionhasitsownlawsgoverningthe useoftheunlicensedfrequencyspectrumfor802.11communicationsandTurbomode.Thesystemautomatically selectsthechannelsthatareallowedbytheregulatorydomaininselectedregion.
(DefaultOperatingRegion:UnitedStates)
ClickthelinkChannelFrequencyTabletoviewalistofchannels,protocols,frequencies,andcapabilities. SpectraGuardEnterpriseInstallationGuide 49 SettinguptheServerConsole Figure 77. Channel Frequency Table
ChannelstoMonitor:SpecifiesthechannelstobeusedbySensorstomonitorWLANtraffic.
SelectthecheckboxSelectAllStandardChannelstoselectasupersetofallthechannels.For802.11a,the standardsetsofchannelsare184216and34165.Bydefault,thischeckboxisselected.
SelectthecheckboxSelectAllAllowedChannelstoselectalltheallowedchannelsintheselectedoperating region.Bydefault,thischeckboxisselected.
SelectthecheckboxAdditionally,selectintermediatechannelsfor802.11aonlytoselectthechannels betweentheallowedchannelsthatarenonallowedintheselectedoperatingregion.Selectingtheoption helpsthesystemdetectdevicesoperatingonillegalchannels.For802.11a,theintermediatechannelsare185, 186,187,35,37,andsoon.Bydefault,thischeckboxisdeselected.
TurboMode:CertainAtherosChipsetbaseddevicesusewiderfrequencybandsoncertainchannelsin802.11 b/gand802.11abandofchannels.ThesystemiscapableofmonitoringchannelsthatsupportTurboModeof operationanddetectinganyunauthorizedcommunicationonthesechannels.Youcanselectspecificorall channelstomonitorwirelessactivityonTurbochannels.TherearetenTurbochannelsinamode.Thesechannels are40,42,48,50,56,58,152,153,160,and161.ThereisonlyoneTurbochannelinb/gmodei.e.6.
ChannelstoDefend:SpecifiesthechannelstobeusedbySensorstodefendWLANtraffictoprotectyour networkagainstvariousWLANthreats. Note:Itismandatorythatchannelsselectedfordefendingbeselectedforscanning.Ifachannelisselectedfordefendingandisnotalready selectedforscanning,thesystemautomaticallyselectsthatchannelforscanningaswell.IfyoudeselectachannelfromChannelsto Monitor,thenthischannelisalsodeselectedfromChannelstoDefendsection. AntennaPortAssignment Antennaconnectivitysettingisanadvancedsettingandshouldbeusedwithutmostcare.Thissettingallowsyoutoprovide 50 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole additionalinformationaboutthetypeofantennasconnectedtotheSensor.Youneedtochangethissettingonlyifyouuse Sensorsthatallowyoutoconnectantennas. ApplyingatemplatewithaparticularantennasettingtoaSensorwithincompatibleantennaconnectioncanresultinalossof systemfunctionalityleadingtohighersecurityrisks.YoushouldnotchangetheAntennaConnectivitySettingsforatemplate thatisalreadyappliedtoagroupofSensorsorisaDefaultSensortemplate.Ifyouneedtochangethesesettings,youshould savethechangesasanewtemplatefirst,thenchangetheantennassettingsasrequired,savethetemplateandapplyittoa groupofSensorswhichhavethesameantennasettingsasspecifiedinthetemplate. Figure 78. Antenna Port Assignment Tab
UnderAntennaPortAssignmenttab
SelectDiversityOnorDiversityOff
DiversityOn:Thisisthedefaultsetting,whichmeansboththeantennasaredualband.Selectthisoptionif youhaveadualband(2.4GHzand5GHz)antennaconnectedtoboththeportsontheSensor.Assigning thissettingtoaSensorwhichdoesnothaveadualbandantennaconnectedtobothports,canresultin unpredictableSensorbehaviorleadingtolossofsystemfunctionality.Makesurethatthetemplatewith DiversityOnsettingisindeedappliedtoSensor(s),whichhavedualbandantennaconnectedtothem.
DiversityOff:SelectthisoptionifandonlyifyourSensorshavea5GHzantennaconnectedtoPort1anda 2.4GHzantennaconnectedtoPort2.ThefigureintheAntennaPortAssignmenttabshowshowtolocate theportstoensurethatthesinglebandantennasarecorrectlyconnected.AssigningthissettingtoaSensor thatdoesnothavesinglebandantennasconnectedasmentionedabovecanresultinunpredictableSensor behaviorleadingtolossofsystemfunctionality.MakesurethatthetemplatewithDiversityOffsettingis indeedappliedtoSensor(s)thathavetwodifferentsinglebandantennassupporting2.4GHzand5GHz frequencybandsandconnectedasmentionedabove. SensorPasswordConfiguration SensorPasswordsettingallowsyoutomanagethepasswordforuserconfigontheSensorCommandLineInterface(CLI).By SpectraGuardEnterpriseInstallationGuide 51 SettinguptheServerConsole definingapasswordintheSensortemplate,youcanmanagethepasswordforagroupofSensorswithouthavingtochangeit oneachSensorseparately.Typeanewpasswordorclick<RestoreDefault>tochangethecurrentpasswordsettings.Ifyou choose<RestoreDefault>,thenthepasswordsettingwillbethesameasthatintheSystemTemplate. Note:IfaSensortemplatecontainsablankpassword,thentheSensors,towhichthistemplateisassigned,retaintheirexistingpassword. FactorysettingoftheSystemTemplatecontainsablankpassword.
Figure 79. Sensor Password Configuration Tab
UnderSensorPasswordConfigurationtabspecifythefollowing
CurrentPasswordstate:SpecifiesthatthenewpasswordmustbethesameastheonespecifiedintheSystem Template.
NewPassword:EnterthenewpasswordtobeassignedasuserconfigpasswordforallSensorsassociatedwith theSensortemplatebeingedited.
ConfirmPassword:Reenterthepasswordtohelpconfirmthenewpasswordbeforesaving. OfflineSensorConfiguration ThisfeatureprovidessomesecuritycoverageevenwhenthereisnoconnectivitybetweenaSensorandtheServer.TheSensor providessomeclassificationandpreventioncapabilitieswhenitisdisconnectedfromtheServer.TheSensoralsoraisesevents, storesthem,andsendsthembacktotheServeronreconnection. 52 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 80. Offline Sensor Configuration Tab
EnableofflineSensormode:SelectthischeckboxtoenabletheofflineSensormode.Whenthismodeisenabled,the Sensorcontinuestodetectandclassifydevices,raiseeventalerts,andpreventongoingthreats.(Default:Selected)
OnlineOfflinemodeswitchdelay:Specifythetimeafterwhich,iftheSensordoesnotreceiveanycommunication fromtheServerandEnableofflineSensormodeisenabled,theSensorswitchestotheofflinemode.
(Minimum:5minutes;Maximum:60minutes;Default:5minutes)
UnderOfflineSensorParameterstab,youcanviewthefollowing:
NumberofAPstobestored:NumberofAPsthattheSensorwillcontinuetodetectinOfflinemode(Default: 128)
NumberofClientstobestored:NumberofClientsthattheSensorwillcontinuetodetectinOfflinemode
(Default:256)
Numberofeventstobestored:NumberofeventsthattheSensorwillcontinuetoraiseinOfflinemode(Default: 256)
Numberofpreventionrecordstobestored:NumberofpreventionrecordsthattheSensorwillcontinuetostore inOfflinemodetopreventongoingthreats(Default:256) SpectraGuardEnterpriseInstallationGuide 53 SettinguptheServerConsole Figure 81. Offline Sensor Configuration: Device Classification Policy Tab sue
UnderDeviceClassificationPolicytabspecifythedesiredclassificationpoliciestomoveAPsandClientsfromthe UncategorizedlisttotheCategorizedlist:
UnderAPClassificationPolicy,selectoneormoreoptionstoenablethesystemautomaticallymoveAPsfrom theUncategorizedAPlisttotheCategorizedAPlist:
MovenetworkedAPstotheRogueorAuthorizedAPfolderintheCategorizedAPList
MovenonnetworkedAPstotheExternalAPfolderintheCategorizedAPList
UnderClientClassificationPolicy,selectoneormoreoptionstoenablethesystemautomaticallyclassify ClientsbasedontheirassociationswithAPs:
OnassociationwithanAuthorizedAP,classifyanUncategorizedClientasAuthorized
OnassociationwithaRogueAP,classifyanUncategorizedClientasUnauthorized
OnassociationwithanExternalAP,classifyanUncategorizedClientasUnauthorized 54 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 82. Offline Sensor Configuration: Intrusion Prevention Policy Tab
UnderIntrusionPreventionPolicytabenableintrusionpreventionagainstthefollowingthreats:
RogueAPs
APscategorizedasRogue
UncategorizedAPsthatareconnectedtothenetwork
MisconfiguredAPs
APscategorizedasAuthorizedbutusingnosecuritymechanism(Open)
APscategorizedasAuthorizedbutusingweaksecuritymechanism(WEP)
ClientMisassociations
AuthorizedClientconnectionstoAPscategorizedasExternal
UnauthorizedAssociations
UnauthorizedClientconnectionstoAPscategorizedasAuthorized
AdhocConnections
AuthorizedClientsparticipatinginanyadhocnetwork
Honeypot/EvilTwinAPs
AuthorizedClientconnectiontoHoneypot/EvilTwinAPs Additionally,specifytheintrusionpreventionlevelthatallowsyoutochooseatradeoffbetweenthedesiredlevelof preventionandthedesirednumberofmultiplesimultaneouspreventionsacrossradiochannels.Youcanchooseeitherofthe followingpreventionlevels: Block
Disrupt Interrupt
Degrade RefertothesectionIntrusionPreventionLevelformoredetails. SpectraGuardEnterpriseInstallationGuide 55 Click<Save>tosaveallsettings. SettinguptheServerConsole
icontoeditanexistingSensortemplate.WhenanexistingSensortemplateiseditedaConfirmationSave Clickthe dialogappearsindicatingthemodifications,byselectingthetabsthatweremodified.Youareallowedtouncheckatabifyou wishtocancelthosemodifications.Click<OK>tosavethechangesfortheselectedtab. Note:NameandDescriptionoftheSensortemplateareautomaticallysaved. Click<SaveAs>tosavetheSensortemplatewithadifferentnamewithoutmodifyingtheoriginaltemplate. Click<RestoreDefault>toreverttotheSystemTemplate.Thesystemenablesyoutoselecttabstocontrolthesettingsthatwill berestoredtothedefaultvalues.Ifyouclick<RestoreDefault>ontheSystemTemplate,parametersundertheselectedtabs arerestoredtotheirfactorydefaultsettings.AConfirmationRestoreDefaultdialogappearswithalistoftabsselected,for whichdefaultsettingswillbeapplied. Important:Thesystemhastheabilitytoscananddefendon4.9204.980GHzand5.4705.725GHzchannelsinUS/CanadaandIEEE 802.11jchannels4.9204.980GHzand5.0405.080GHzchannelsinJapan.
icontoviewanexistingSensortemplate.Clickthe Clickthe 13. TheImportSensorListscreenappearsasshowninthefollowingfigure.ImportingaSensorlistisanefficientalternative tomanuallymovingSensorstothedesiredlocationswhilesettingupthesystem.ThesuccessfullyimportedSensorsare automaticallytaggedtothechosenlocationswhentheyconnecttotheServer.
icontodeleteanexistingSensortemplate. Figure 83. Import Devices - Sensors UnderImportSensorList,click<ImportSensorList>toopenImportSensorListdialog.
56 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 84. Import Sensor List IntheImportSensorListdialog: UnderTagDevices,selectoneofthefollowing:
AutoTagDevices:ToautomaticallytagtheSensortothecorrespondinglocation.
ManuallyTagDevicesto::Click<Change>tomanuallytagtheSensortothedesiredlocation.
UnderEnterSensordetails ToaddaSensorsdetails,typetheSensorsMACaddressandNameandclick<AddtoList>>>>. ToaddaSensorsdetailsfromafile,click<Browse>.OntheSelectSensor_Device_List_Filedialog,selectthe.txtfile fromthedesiredlocationandclick<Open>.Thenclick<AddtoList>>>>. UnderAuthorizedSensorImportList TodeleteaSensorsdetails,selectthecorrespondingrowandclick<Delete>. ToimportSensorsfromtheSensorImportList,click<OK>. Note:WhenyouimportSensorsfromalist,youcandeletetheseSensorsonlyfromtheDevicesscreen. 14. TheDevicesSensorsscreenappearsasshowninthefollowingfigure.Sensorsproactivelyscanthenetworkand generateevents.Sensorscommunicateeventinformationtothesystem.ThisscreenguidesyoutomovealltheSensors fromtheUnknownlocationtotheircorrectlocations. SpectraGuardEnterpriseInstallationGuide 57 SettinguptheServerConsole Figure 85. Devices Screen Sensors RightclickaSensorrowtomoveaSensor.SelectChangeLocationfromtheresultantcontextsensitivemenutomanuallytag theSensortothedesiredlocation. 15. TheLocationsscreenappearsasshowninthefollowingfigure.Createavisualviewofyourdeploymentbyattaching picturesandfloormapstolocations.
58 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 86. Locations Screen
Attachinganimage 7.1.5.2 Usethefollowingstepstoattachanimage: a. b. Dooneofthefollowing: IntheLocationtree,selectthelocationtowhichyouwishtoattachanimage.
Rightclickandfromtheresultingcontextsensitivemenu,selectAttachImage. ClicktheAttachImageonflooricon(
)intherightcorner. c. OntheSelectanimagefiletoattachtoattachoveraplannedlocationdialog,browsetotheappropriateimageandthen click<Open>. PlacingLocationsonaLocationFolderwithanAttachedImage 7.1.5.3 Thesystemenablesyoutoplacelocationsonalocationfolderthathasanattachedimage.Thishelpsyouidentifythephysical positionofeachofthelocations.Thelocationsplacedontheattachedimageareindicatedbycoloredcircles.Agreencircle indicatesthatthelocationisSecure,whilearedcircleindicatesthatthelocationisVulnerable. Usethefollowingstepstoplacelocationsontheattachedimageandviewtheirdetails: a. b. UnderAvailableLocations,draganddroptherequiredlocationsontheattachedimage. c. d. Togotoaparticularlocationplacedontheimage,dooneofthefollowing: Toviewdetailsaboutthelocationholdthemousecursoroverthecoloredcircle. IntheLocationtree,selectalocationfolder.
Clickthecoloredcirclerepresentingthelocation. Pointtocoloredcirclerepresentingthelocation,rightclickandselectJumptothislocation. Note:Youcantraversetoaparticularlocationnodebyfollowingstepduntilyoureachthedesiredlocationnode. SpectraGuardEnterpriseInstallationGuide 59 SettinguptheServerConsole ImportingaPlannerfileintoaLocationNode 7.1.5.4 Thesystemenablesyoutospecifyalayoutforeachlocationnodeusingablankcanvas,alayoutimage,ora.SPMfileexported fromPlanner.UsethefollowingstepstoimportaPlannerfile: a. b. Dooneofthefollowing: IntheLocationtree,selectthelocationnodeintowhichyouwishtoimportthe.SPMfileandthenrightclick.
Fromtheresultingcontextsensitivemenu,selectImportLocation. ClicktheImportLocationicon(
)belowtheViewermodetab.
IntheSelectSpectraGuardPlanner(.spm)Filedialog,browsetotheappropriatePlannerexported.SPMfileandthen click<Open>. c. 16. TheLocationsscreenappearsasshowninthefollowingfigure.YoucanplaceSensorsonthefloormapsbydraggingand droppingthem.IfyouhaveimportedanSPMfilefromPlannerthatcontainsfloorinformationandSensorplacements, Sensorscontainedinthatfilewillbeplacedautomatically. Figure 87. Placing Sensors on the Floormap IntheLocationtree,selectalocationnode. YoumustcompletethissteptoviewliveRFcoveragemapsforalocationnodeandperformonfloorlocationtrackingof visible802.11devices.UsethefollowingstepstoplaceSensorsonthefloormap: a. b. UnderAvailableDevices,selecttheSensorstab,thendraganddroptheSensorsonyourfloormap. 7.1.6 Step6:ClassifyingAPs 17. TheAuthorizedWLANSetupscreenappearsasshowninthefollowingfigure.Onthisscreen,specifyAuthorizedAP detailsusingSSIDtemplatestosuitdifferentlocations.
60 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 88. Authorized WLAN Setup
Selectoneofthefollowingtocharacterizeaparticularlocation:
ThisisaNoWiFilocation:IfnoAuthorizedWiFiAPsareinstalledatthislocation.Ifyouconfigurealocationasa noWiFilocation,theSpecifyAuthorizedSSIDsectionisgrayedout.
WiFiisallowedatthislocation:TospecifythedetailsoftheAuthorizedWiFiAPsinthislocation. SpecifyAuthorizedSSIDs 7.1.6.1 Underthistab,specifytheAuthorizedSSIDsatthislocation.ForeachSSID,youcanspecifythedetailedconfiguration.This perSSIDconfigurationiscalledanSSIDtemplate. CreatingaConfigurationTemplateforanAuthorized802.11SSID AddAuthorizedSSIDsallowsyoutocreateanSSIDtemplateinoneofthefollowingways:
AddVisibleSSID:TocreateanSSIDtemplatefromalistofvisibleSSIDs.ThevisibleSSIDlistisbuiltusingthedata receivedfromSensors.
AddCustomSSID:TocreateatemplateusingauserdefinedSSID. Click<AddNew>tocreateanewSSIDtemplate.TheTemplateforanAuthorized802.11SSIDdialogappearswhereyoucan selectmultipleitemsinsomefields. SpectraGuardEnterpriseInstallationGuide 61 SettinguptheServerConsole Figure 89. Creating a Configuration Template for an Authorized SSID
CreateSSIDTemplateallowsyoutospecifythedetailsforcreatinganewSSIDasfollows:
AuthorizedSSID:DisplaysthenameoftheSSIDthatyouhaveaddedearlier
ThisisaGuestSSID:SelectthisoptionifthisSSIDisaGuestSSIDusedtoprovideWiFiconnectivitytovisitors andguests.ThoughAPswithGuestSSIDareAuthorized,theymaybetreateddifferentlythanAPsthatareused byemployeesforcorporateaccess.MakinganSSIDasGuestallowsyoutospecifyadditionalclassificationand preventionpoliciesrelatedtoGuestSSIDs.RefertothesectionsClientAutoClassificationandIntrusion PreventionPolicyintheSpectraGuardEnterpriseUserGuideformoredetailsonclassifyingGuestSSIDs
TemplateName:NameoftheSSIDtemplate
ApplythisSSIDtemplateatcurrentlocation:SelectthisoptiontoapplythisSSIDtemplatetothecurrent location.TheWLANpolicyatalocationconsistsofSSIDtemplatesappliedatthatlocation.Ifthetemplateisnot appliedatthislocation,itwillnotbeapartoftheWLANpolicy
Description:WriteashortdescriptiontohelpidentifytheSSIDtemplate
NetworkProtocolallowsyoutoselecttheallowed802.11protocolsfortheSSID:
Any:AllowAPswithanynetworkprotocolforthisSSID
Select:Specifythe802.11protocolonwhichthesystemallowstheAPsconnectedtothenetworktooperate 802.11a,802.11b,and802.11g
AuthenticationFrameworkallowsyoutoselectthesecurityframeworkfortheSSID: 62 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole
Any:AllowAPswithanyauthenticationframeworktoconnecttothesystem
Select:SpecifytheauthenticationframeworkPSKand802.1x(EAP).Theauthenticationframeworkisonly applicableifthetemplatesupportsWPA/WPA2and802.11iprivacy EncryptionProtocolsallowsyoutoselecttheallowedencryptionprotocolsfortheSSID:
Any:AllowAPswithanyencryptionprotocolforthisSSID
Select:SpecifytheencryptionprotocolsWEP40,WEP108,TKIP,andCCMP.TKIPandCCMPareavailableonly ifthetemplatesupportsWPA/WPA2and802.11iprivacy SecuritySettingsallowsyoutoselectthesecurityprotocol(s)fortheSSID:
Any:AllowAPswithanysecuritysettingstoconnect
Select:SpecifytheprivacymechanismOpen,WEP,WPA,and802.11ifortheAPsconnectedtotheSSID CiscoMFPallowsyoutomakeclassificationdecisionsonCiscoManagementFrameProtection(MFP)capabilityif 802.11icheckboxisselectedunderSecuritySettings:
Any:PolicydoesnotcheckforMFP;bothCiscoMFPenabledanddisabledAPsareclassifiedasAuthorized
Select:PolicychecksforMFP
CiscoMFPEnabled:SelecttoclassifyonlyCiscoMFPsupportingAPsasAuthorizedAPs
CiscoMFPDisabled:SelecttoclassifynonCiscoMFPsupportingAPsasAuthorizedAPs
APCapabilitiesallowsyoutoselecttheadditionalcapabilitiesthatAuthorizedAPsmayhave.Ifyouselectanyof theseadvancedcapabilities,theclassificationlogicallowsAPswithandwithoutthesecapabilities.Selectoneofthe following:
Any:AllowAPswithanyspecialcapabilityforthisSSID
Select:SpecifyiftheAPusesanyTurbo/SupertechniquesusedbyAtherostogethigherthroughputsTurbo, SuperAG,andDot11n(802.11n)
AuthenticationTypesallowsyoutoselecttheallowedauthenticationtypesthatClientscanuse.Authentication typesdonotdeterminetheclassificationofAPs,butareusedtoraiseaneventifaClientisauthenticatedviaanon allowedauthenticationtype.Thesystemraisesthiseventonlyifthesystemseesauthenticationprotocolhandshake frames.
Any:AllowClientswithanyauthenticationtypeforthisSSID
Select:SpecifytheauthenticationtypesthatClientscanuse(onlyif802.1xisselected)PEAP,EAPTLS,LEAP, EAPTTLS,EAPFAST,andEAPSIMSelectionisallowed
AllowedNetworksallowsyoutoselectthenetworkswhereAuthorizedAPswiththisSSIDareconnected:
Any:AllowAPswiththisSSIDtoconnecttoanynetwork
SelectNetworks:SpecifythenetworkswhereAuthorizedAPswiththisSSIDareconnected.Youcaneither choosefromnetworksthatarediscoveredautomaticallybythesystemoraddnewnetworksthatarenotyet discoveredbythesystem
Click<SelectNetworks>toopenAllowedNetworksforSSIDdialogwhereyoucanmoveanetworkfrom NetworksMonitoredbytheSystemtoAllowedNetworksforthisSSIDandaddordeletenetworks.
UnderAllowedAPVendors,selectoneofthefollowing:
Any:AllowAPsmanufacturedbyanyvendortoconnecttothesystem
SelectVendors:SelectthemanufactureroftheAPwiththespecifiedSSID.IfanAPwiththespecifiedSSIDis discoveredatthislocation,thesystemdeclaresitasaRogue,unlessoneofthemanufacturerslisted manufacturesit. SSIDTemplates ApolicyiscollectionofSSIDtemplatesattachedtothatlocation.YoucanapplyanSSIDtemplatefromtheparentorcreateit locally;ifyouwishtocustomizetheWLANpolicyforthatlocation.Othertemplatesmaybeavailabletobeattachedbutare notpartoftheWLANpolicyandwillnotbeusedforAPclassification. TheSSIDTemplatessectionliststheSSIDtemplatesthatareavailableataparticularlocation.Youmustapplythetemplates fromtheavailablelisttocreatetheWLANpolicyatthatlocation.AnewAPoranexistingAuthorizedAPiscomparedagainst theappliedSSIDtemplatestodetermineifitisaRogueorMisconfiguredAP.TheSSIDtemplatescreatedatotherlocations canbeappliedtoaselectedlocationbutcannotbeeditedordeleted.Theeditanddeleteoperationsarepossibleonlyatthe locationwherethetemplateiscreated.Thetableshowsthefollowingdetails: SpectraGuardEnterpriseInstallationGuide 63 SettinguptheServerConsole SSID:NameoftheSSID
GuestSSID?:IndicatesifitisaGuestSSID TemplateName:NameoftheSSIDtemplate
ApplyHere?:EnablesyoutoapplytheSSIDtemplatetotheselectedlocation.NewandexistingAuthorizedAPsare evaluatedagainstallappliedSSIDtemplatestodetermineiftheyareRogueorMisconfigured.
:Clicktheseiconstoperformthefollowing:
CopytheselectedSSIDtemplatetoanotherlocation.
EdittheSSIDtemplate.Thisoptionisenabledonlyatthelocationwherethetemplatewascreated.
ViewtheSSIDtemplate.
Deletethetemplate.Thisoptionisenabledonlyatthelocationwherethetemplatewascreatedandonlyifthe templateisnotappliedatanyotherchildlocationsofthelocationwhereitwascreated. SelectWiFiNetworks 7.1.6.2 ThissectionallowsyoutospecifythelistofnetworksattheselectedlocationwherenoWiFiAPsareallowedtobeconnected. TheNoWiFiNetworkslistatalocationtakesprecedenceoverthelistofnetworksinSSIDtemplatesappliedatthatlocation. Inotherwords,ifanetworkisincludedinalocationsnoWiFilistandhappenstobeinthelistofnetworksinoneormore appliedSSIDsatthatlocation,thenetworkwillbestilltreatedasanoWiFinetwork.
Figure 90. No-Wi-Fi Networks
NetworksMonitoredbytheSystem:Specifiesthenetworksmonitoredbythesystem.
NoWiFiNetworksatthisLocation:SpecifiesthenetworkstowhichnoWiFiAPshouldbeconnectedatthe selectedlocation. YoucanmoveanetworkfromNetworksMonitoredbytheSystemtoNoWiFiNetworksatthisLocation. Click<Add>toenteranewnetworkaddresstoaddaNoWiFinetworkattheselectedlocation. 7.1.6.3 APsarefurtherclassifiedbasedontheRSSIvaluethattheSensorsreceive.Ifthesignalstrenthexceedsamaximmum threshold,theSensorappropriatelyclssifiestheAP.Airtighthiglyrecommendsthatyouturnonnetworkconnectivitybased RSSIbasedClassification 64 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole classificationasitisthemostreliablemechanismtoclassifywirelessdeviceswhenmostofyournetworkismonitoredusing SensorsandNDs. UnderRSSIThreshold,selectoneorboth(recommend)ofthefollowingcheckboxes:
PreclassifyAPswithsignalstrengthstrongerthanthresholdasRogueorAuthorizedAPstospecifythethreshold RSSIvaluebasedonwhichthesystemfurtherclassifiesAPs. PreclassifyAPsconnectedtomonitoredsubnetasRogueorAuthorizedAPstoclassifyAPsbasedontheir networkconnectivity. Figure 91. RSSI based Classification 18. TheAPAutoclassificationscreenappearsasshowninthefollowingfigure.ItenablesyoutospecifytheAPclassification policyfordifferentAPcategories.
SpectraGuardEnterpriseInstallationGuide 65 SettinguptheServerConsole
Figure 92. AP Auto-Classification Policy UnderExternalAPs,AirTightrecommendsthatyouselectAutomaticallymovePotentiallyExternalAPsinthe UncategorizedlisttotheExternalFolder.ThesystemautomaticallyremovesanAPfromtheExternalfolderandmovesitto anappropriateAPfolderifitlaterdetectsthattheAPiswiredtotheenterprisenetwork. UnderRogueAPs,AirTightrecommendsthatyouselectAutomaticallymovePotentiallyExternalAPsintheUncategorized listtotheRogueFolder. Note:OnceyoumoveanAPtotheRoguefolder,thesystemneverautomaticallyremovesitfromtheRoguefolder,evenifitlaterdetects thattheAPisunwiredfromtheenterprisenetworkoritssecuritysettingshavechanged. 19. TheImportDevicesscreenappearsasshowninthefollowingfigure.ImportinganAuthorizedAPListisanefficient alternativetomanualmovementoftheseAPsintotheAuthorizedbin.Aftersuccessfullyimportingtheselists,thesystem automaticallyclassifiestheAPsintherespectivelistsasAuthorized. 66 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 93. Import Devices APs
YoucanmoveAuthorizedAPstotheAuthorizedfolderusingoneofthefollowingmethods:
MoveanAPtotheAuthorizedfolderusingrightclickandMoveoption
ImporttheAuthorizedAPlist SynchronizewithanAPManagementServer Note:OnceyoumoveanAPtotheAuthorizedfolder,thesystemneverautomaticallyremovesitfromtheAuthorizedfolder,evenifit laterdetectsthattheAPisunwiredfromtheenterprisenetwork. UnderImportAPList,click<ImportAuthorizedAPList>toopenImportAuthorizedAPListdialog. SpectraGuardEnterpriseInstallationGuide
67 Figure 94. Import Authorized AP List SettinguptheServerConsole IntheImportAuthorizedAPListdialog: UnderTagDevices,selectoneofthefollowing:
AutoTagDevices:ToautomaticallytagtheAPtothecorrespondinglocation.
ManuallyTagDevicesto::Click<Change>tomanuallytagtheAPtothedesiredlocation. UnderEnterAPdetails
ToaddanAPsdetails,typetheAPsMACaddress,IPAddress,andNameandclick<AddtoList>>>>. ToaddanAPsdetailsfromafile,click<Browse>.OntheSelectAuthorizedAP_Device_List_Filedialog,selectthe
.txtfilefromthedesiredlocationandclick<Open>.Thenclick<AddtoList>>>>. UnderAuthorizedAPImportList TodeleteanAPsdetails,selectthecorrespondingrowandclick<Delete>. ToimportAuthorizedAPsfromtheAuthorizedAPImportList,click<OK>. Note:WhenyouimportAPsfromalist,policysettingsintheSetupWizarddonotaffecttheseAPs. 20. TheDevicesAPsscreenappearsasshowninthefollowingfigure.Thesystemenablesyoutoinspect,confirm,andre classifyadevice,whichis,moveadevicetoadifferentfolderbasedonfreshinformation.
Figure 95. Devices Screen APs UsethefollowingstepstomoveanAPtoaspecificfolder: IntheAPlist,rightclickthedesiredAProw. a. Fromtheresultingcontextsensitivemenu,selectMoveto. b. c. ClickthedesiredcategorytowhichyouwanttomovetheAP. Note:IfyoumoveanAPplacedonafloormap,anErrordialogappears. 68 SpectraGuardEnterpriseInstallationGuide 21. TheLocationsscreenappearsasshowninthefollowingfigure.ThesystemenablesyoutoplaceAPsonthefloormapto viewliveRFcoveragemapsforalocationnodeandperformonfloorlocationtrackingofvisible802.11devices. SettinguptheServerConsole Figure 96. Locations Screen IntheLocationtree,selectalocationnode. UsethefollowingstepstoplaceAPsonthefloormap: a. b. UnderAvailableDevices,selecttheAPstab,thendraganddroptheAPsonyourfloormap. 7.1.7 Step7:ClassifyingClients 22. TheClientAutoclassificationscreenappearsasshowninthefollowingfigure.ItdetermineshowClientsareclassified uponinitialdiscoveryandsubsequentassociationswithAPs.
SpectraGuardEnterpriseInstallationGuide 69 SettinguptheServerConsole Figure 97. Client Auto-Classification Policy
UnderInitialClientClassification,specifyifnewlydiscoveredClientsataparticularlocation,whichareUncategorizedby defaultshouldbeclassifiedasAuthorizedorUnauthorized. UnderAutomaticClientClassification,selectoneormoreoptionstoenableThesystemautomaticallyreclassify UncategorizedandUnauthorizedClientsbasedontheirassociationswithAPs.Youcancategorizethefollowingtypesof Clients.
ClientsrunningSAFE
AllUnauthorizedClientsrunningSpectraGuardSAFEareclassifiedasAuthorized
AllUncategorizedClientsrunningSpectraGuardSAFEareclassifiedasAuthorized ClientsconnectingtoAuthorizedAPs
AllUnauthorizedClientsthatconnecttoanAuthorizedAParereclassifiedasAuthorized
AllUncategorizedClientsthatconnecttoanAuthorizedAPareclassifiedasAuthorized YoucanselectthefollowingExceptions
DonotreclassifyaClientconnectingtoaGuestAPasAuthorized
DonotreclassifyaClientconnectingtoaMisconfiguredAPasAuthorized
DonotreclassifyaClientasAuthorizedifitswirelessdatapacketsarenotdetectedonthewirednetwork ClientsconnectingtoExternalorRogueAPs
AllUncategorizedClientsthatconnecttoanExternalAPareclassifiedasUnauthorized
AllUncategorizedClientsthatconnecttoaRogueAPareclassifiedasUnauthorized
AllUncategorizedClientsthatconnecttoaPotentiallyExternalAPareclassifiedasUnauthorized
AllUncategorizedClientsthatconnecttoaPotentiallyRogueAPareclassifiedasUnauthorized 23. TheImportDevicesscreenappearsasshowninthefollowingfigure.ImportinganAuthorizedorUnauthorizedClients ListisanefficientalternativetomanualmovementofthesedevicesintotheAuthorized/Unauthorizedbins.After successfullyimportingtheselists,thesystemautomaticallyclassifiestheClientsintherespectivelistsas Authorized/Unauthorized. 70 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 98. Import Devices Clients IntheImportDevicesdialog,underImportClientList,click<ImportAuthorizedClientList>toopenImportAuthorized ClientListdialogand/orclick<ImportUnauthorizedClientList>toopenImportUnauthorizedClientListdialog. IntheImportAuthorized/UnauthorizedClientListdialog: UnderTagDevices,selectoneofthefollowing:
AutoTagDevices:ToautomaticallytagtheAPtothecorrespondinglocation.
ManuallyTagDevicesto::Click<Change>tomanuallytagtheAPtothedesiredlocation.
UnderEnterClientdetails
ToaddaClientsdetails,underEnterClientdetails,typetheClientsMACAddress,IPAddress,andNameandclick
<AddtoList>>>>. ToaddaClientsdetailsfromafile,click<Browse>.OntheSelectAuthorized/Unauthorized Client_Device_List_Filedialog,selectthe.txtfilefromthedesiredlocationandclick<Open>.Thenclick<Addto List>>>>. UnderAuthorized/UnauthorizedClientImportList
TodeleteaClientsdetails,selectthecorrespondingrowandclick<Delete>. ToimportAuthorized/UnauthorizedClientsfromtheAuthorized/UnauthorizedClientImportList,click<OK>. Note:WhenyouimportClientsfromalist,policysettingsintheSetupWizarddonotaffecttheseClients. 24. TheDevicesClientsscreenappearsasshowninthefollowingfigure.Thesystemenablesyoutoinspect,confirm,and reclassifyadevice,whichis,moveadevicetoadifferentfolderbasedonfreshinformation. SpectraGuardEnterpriseInstallationGuide 71 SettinguptheServerConsole Figure 99. Devices Screen Clients
IntheClientlist,rightclickthedesiredClientrow. Fromtheresultingcontextsensitivemenu,selectMoveto. UsethefollowingstepstomoveaClienttoaspecificfolder: a. b. c. ClickthedesiredcategorytowhichyouwanttomovetheClient. 7.1.8 Step8:ConfiguringIntrusionPreventionPolicy 25. TheIntrusionPreventionscreenappearsasshowninthefollowingfigure. 7.1.8.1 TheIntrusionPreventionpolicydeterminesthewirelessthreatsagainstwhichthesystemprotectsthenetworkautomatically. ThesystemautomaticallymovessuchthreatposingAPsandClientstoquarantine.Thesystemcanprotectagainstmultiple threatssimultaneouslybasedontheselectedIntrusionPreventionLevel. IftheServerquarantinesanAPorClientbasedontheIntrusionPreventionpolicy,theDisableAutoquarantineoption ensuresthatthesystemwillnotautomaticallyquarantinethisAPorClient(regardlessofthespecifiedIntrusionPrevention policies). IntrusionPreventionPolicy 72 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 100. Intrusion Prevention Policy
Youcanenableintrusionpreventionagainstthefollowingthreats:
RogueAPs:APsthatareconnectedtoyournetworkbutnotauthorizedbytheadministrator;anattackercangain accesstoyournetworkthroughtheRogueAPs.YoucanalsoautomaticallyquarantineUncategorizedIndeterminate andBannedAPsconnectedtothenetwork.
MisconfiguredAPs:APsthatareauthorizedbytheadministratorbutdonotconformtothesecuritypolicy;an attackercangainaccesstoyournetworkthroughmisconfiguredAPs.ThiscouldhappeniftheAPsarereset, tamperedwith,orifthereisachangeinthesecuritypolicy. ClientMisassociation:AuthorizedClientsthatconnecttoRogueorExternal(neighboring)APs;corporatedataon theAuthorizedClientisunderthreatduetosuchconnections.AirTightrecommendsthatyouprovideautomatic intrusionpreventionagainstAuthorizedClientsthatconnecttoExternalAPs.
UnauthorizedAssociations:UnauthorizedandBannedClientsthatconnecttoAuthorizedAPs;anattackercangain accesstoyournetworkthroughAuthorizedAPsifthesecuritymechanismsareweak.Unauthorizedor UncategorizedClientconnectionstoanAuthorizedAPusingaGuestSSIDarenottreatedasunauthorized associations.
AdhocConnections:PeertopeerconnectionsbetweenClients;corporatedataontheAuthorizedClientisunder threatifitisinvolvedinanadhocconnection.
MACSpoofing:AnAPthatspoofsthewirelessMACaddressofanAuthorizedAP;anattackercanlaunchanattack throughaMACspoofingAP.
Honeypot/EvilTwinAPs:NeighboringAPsthathavethesameSSIDasanAuthorizedAP;AuthorizedClientscan connecttoHoneypot/EvilTwinAPs.CorporatedataontheseAuthorizedClientsisunderthreatduetosuch connections.
DenialofService(DoS)Attacks:DoSattacksdegradetheperformanceofanofficialWLAN.
WEPGuardTM:ActiveWEPcrackingtoolsallowattackerstocracktheWEPkeyandgainaccesstoconfidentialdata inamatterofminutesorevenseconds.CompromisedWEPkeysareusedtogainentryintotheauthorizedWLAN byspoofingtheMACaddressofaninactiveAuthorizedClient. SpectraGuardEnterpriseInstallationGuide 73 SettinguptheServerConsole IntrusionPreventionLevel 7.1.8.2 Thesystemcanpreventanyunwantedcommunicationinyour802.11network.Itprovidesyouvariouslevelsofprevention blockingmechanismsofvaryingeffectiveness.IntrusionPreventionLevelenablesyoutospecifyatradeoffbetweenthe desiredlevelofpreventionandthedesirednumberofmultiplesimultaneouspreventionsacrossradiochannels. Thegreaterthenumberofchannelsacrosswhichsimultaneouspreventionisdesired,thelesseristheeffectivenessof preventionininhibitingunwantedcommunication.Scanningfornewdevicescontinuesregardlessofthechosenprevention level. Figure 101. Intrusion Prevention Level
Youcanselectthefollowingpreventionlevels:
Block:AsingleSensorcanblockunwantedcommunicationonanyonechannelinthe802.11b/gbandandanyone channelinthe802.11aband.
Disrupt:AsingleSensorcandisruptunwantedcommunicationonanytwochannelsinthe802.11b/gbandandany twochannelsinthe802.11aband. Interrupt:AsingleSensorcaninterruptunwantedcommunicationonanythreechannelsinthe802.11b/gbandand anythreechannelsinthe802.11aband.
Degrade:AsingleSensorcandegradetheperformanceofunwantedcommunicationonanyfourchannelsin 802.11b/gbandandanyfourchannelsinthe802.11aband. Blockisthemostpowerfulpreventionlevel,thatis,itcanseverelyblockalmostallpopularInternetapplicationsincluding ping,SSH,telnet,FTP,HTTP,andthelike.However,atthislevel,asingleSensorcansimultaneouslypreventunwanted communicationononlyonechannelinthe802.11b/gbandandonechannelinthe802.11aband.IfyouwanttheSensorto preventunwantedcommunicationonmultiplechannelssimultaneouslyinthe802.11b/gand/orthe802.11aband,youmust selectotherpreventionlevels. 74 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Note:PreventionTypedeterminestheblockingstrengthtopreventcommunicationfromunwantedAPsandClients.Thesystemcan preventmultipleAPsandClientsoneachchannel.PreventionTypeisnotapplicableforDenialofService(DoS)attacksoradhoc networks.Youmustselectalowerblockingleveltopreventdevicesonmorechannels.Choosingalowerblockinglevelmeansthatsome packetsfromtheblockeddevicemaygothrough. 7.1.9 Step9:ConfiguringEventsandReports 26. TheEventConfigurationfunctionscreenoftheEventSettingsappearsasshowninthefollowingfigure. 7.1.9.1 Securityenablesyoutovieweventsrelatedtosecurityandthatposeathreattoyournetwork. Security Figure 102. Event Configuration Security Securityisfurtherdividedintothefollowing:
RogueAP Prevention
MisConfiguredAP
MisbehavingClients
DoS
AdhocNetwork
ManintheMiddle
MACSpoofing Reconnaissance
System
7.1.9.2 Monitoring Monitoringenablesyoutovieweventsrelatedtothemonitoringofyournetworkandthatareinformationalinnature. SpectraGuardEnterpriseInstallationGuide 75 SettinguptheServerConsole Figure 103. Event Configuration Monitoring
Monitoringisfurtherdividedintothefollowing:
AP
Client Sensor Server Traffic Troubleshooting Onceyouselectanyoftheabovecategoriesandsubcategories,alistofrelatedeventsappears. Theeventslistdisplaysthefollowingcolumns:
Display:SelectthecheckboxesthatcorrespondtothetypesofeventsthatyouwanttoappearinthemainEvents
screen. Email:Selectthecheckboxesthatcorrespondtothetypesofeventsforwhichyouwantemailsnotificationssentto alluserswhoseemailaddressesyouhaveconfiguredintheAdministrationEventSettingsEmailNotification.
Notify:Selectthecheckboxesthatcorrespondtothetypesofeventsforwhichyouwantnotificationssenttoexternal agentssuchasSNMP,Syslog,ArcSight,andOPSEC.
Vulnerability:SelectcheckboxestoindicatewhicheventsmakethesystemVulnerable.TheSecurityScorecard
showsVulnerablestatusifanyeventsoftheselectedtypeoccur. Severity:SelecttheseverityofeacheventasHigh,Medium,orLow.Thisfunctionhelpsyoutoorganizeeventsin themostusefulway. Event:Providesashortdescriptionofeachevent. Click:Click
AdvancedSettings:Click<Edit>toopentheEventAdvancedSettingsdialogandchangetheconfiguration
toviewadetaileddescriptionofthecorrespondingeventcategory. parametersofthecorrespondingeventcategory.<Edit>isdisabledwhentheeventhasnoconfigurationparameters. Note:TheparametersintheEventAdvancedSettingsdialogchangesaccordingtothesettingsfortheselectedevent. 76 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 104. Event Advanced Settings
27. TheEmailNotificationscreenappearsasshowninthefollowingfigure.TheEmailNotificationnodeenablesyouto selecttheemailaddressesthatshouldbenotifiedwhenaneventoccursataparticularlocation.Youcanselectfromthe emailaddressesofsystemusersoraddacustomemailaddress. Figure 105. Email Notification Click<Add>toopenCustomEmailAddressforNotificationdialogwhereyoucanaddanewemailaddress. SpectraGuardEnterpriseInstallationGuide
77 SettinguptheServerConsole Figure 106. Email Configuration Dialog
Click<OK>toaddthenewemailaddress. Selectanemailaddressandclick<Delete>todeleteanexistingemailaddress.Youcandeletemultipleemailaddressesusing clickanddragorusingthe<Shift>+<DownArrow>keysandthenclicking<Delete>. 28. TheReportsscreenappearsasshowninthefollowingfigure.Thesystemenablesyoutousereportsgeneratedbythe systemandcreatecustomreports.YoucanscheduleemaildeliveryofaSharedreport.Youcanselectonetimedeliveryor recurringdelivery. Figure 107. Reports Screen
AddingaReport 7.1.9.3 Thesystemenablesyoutodefinecustomizedreportssothatyoucanviewprecisedetailsthatyourequire.Usethefollowing stepstoaddareport: a. b. UnderListofReports,click<AddReport>. SelectthetabMyReports. 78 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 108. Report Details Screen
c. OntheReportDetailsdialog,underReportName,enteraunique,userfriendlynameforthereport. d. UnderReportDescription,enterbriefnotestohelpidentifythereport. e. ClickUsedefaultlookandfeel,toretainthedefaulttext,title,andcolorsforthereports. f. Alternatively,clickCustomizelookandfeel,tocustomizetheappearanceofthereport. g. SelecttheReportHeadertab.
UnderReportHeader,specifythefollowingparameterstobecustomizedinthegeneratedreport:
TitleText:Specifythetextthatshouldappearintheheaderontheleftside.
TextonRight:Specifythetextthatshouldappearintheheaderontherightside.
Click<Pick>andselecttheForegroundandBackgroundcolorsfortheReportHeader.
UnderReportTitle,specifythefollowingparameterstobecustomizedinthegeneratedreport:
TitleText:Specifyatitlethatappearsbelowtheheaderontheleftside.TheReportDescriptionfollowsthistitle.
Click<Pick>andselecttheForegroundandBackgroundcolorsfortheReportTitle. Selectthecheckbox,DisplayReportGenerationInformationtoviewthefollowinginformationbelowtheReport Title
Durationforwhichthereportisgenerated
Locationforwhichthereportisgenerated
Userwhogeneratedthereport
Dateandtimewhenthereportisgenerated Selectthecheckbox,DisplayReportDescriptionTexttoviewadetaileddescriptionofthereport.
SelecttheReportSummarytab. h. SpectraGuardEnterpriseInstallationGuide 79 SettinguptheServerConsole Figure 109. Report Details Screen showing Report Summary Tab
Deselectthecheckbox,DisplayReportSummaryifyoudonotwishtoviewtheReportSummaryinatabularform.
Alternatively,selectthecheckbox,DisplayReportSummarytocustomizeparametersintheReportSummarytable inthegeneratedreport.
SpecifytheReportSummaryTextthatshouldappearastheReportSummarytableheading.
Click<Pick>andselecttheForegroundandBackgroundcolorsfortheReportSummarytableheading.
UnderSummaryTable,selectthecheckbox,IncludeSectionwithzeroresultstoviewsectionsinwhichtheresult countiszero.
UnderSummaryTableHeader,click<Pick>,selecttheForeground,andBackgroundcolorsfortheReport Summarytablerowheader.
UnderSummaryTableColumnHeaderDefinition,selectthecheckbox,DisplayReportSummaryTableto customizethefollowingcolumnnamesintheReportSummarytableinthegeneratedreport.
SectionName
SectionDescription
QueryType
ResultCount
Jumpto
UnderSummaryCharts,selectaradiobuttontoviewthechartsinthedesiredformat. SelecttheReportSectionstab. i. 80 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 110. Report Details Screen showing Report Sections Tab
UnderSectionTitle,specifythefollowingparameterstobecustomizedinthegeneratedreport:
SectionNameTitle:SpecifythetextthatshouldappearasacommonheadingforalltheSectionNames.
Click<Pick>andselecttheForegroundandBackgroundcolorsfortheSectionNameTitle.
UnderSectionHeader,specifythefollowingparameterstobecustomizedinthegeneratedreport:
Click<Pick>,selecttheForeground,andBackgroundcolorsforthetablerowheadersintheSectionSummary andSectionResultssections.
SelectDisplaySectionDescriptiontexttoviewabriefdescriptionforeachsectionofthereport.
SelectDisplaySectionQuerytoviewalltheconstraintsspecifiedinthedatabasequeryforthatsection.
SelectDisplaySectionSummarytoviewagraphicalandtabularataglanceviewoftheresultsofthesection.
SelectDisplaySectionResultstoviewalltheentriesinthedatabasethatsatisfytheconstraintsspecifiedbythe sectionquery.
SelectDisplaydetailsofSectionResultstoviewadditionaldetailsforeachentryintheSectionResults table. AddingaSectiontoaReport ToaddthereporttotheListofReports,click<Save>.ThenewreportappearsundertheListofReportstable. j. 7.1.9.4 Areportconsistsofoneormoresections.Eachsectionisaquerytothedatabase.Thesystemthensearchesitsdatabasefor thoserecordsthatsatisfytheconditionsthatyouimpose.Usethefollowingstepstoaddasectiontoareport: a. b. Click<AddSectiontoReport>. FromtheListofReportstable,selectthereporttowhichyouneedtoaddasection.
SpectraGuardEnterpriseInstallationGuide 81 SettinguptheServerConsole Figure 111. Adding a Section to a Report
SelectthecheckboxDisplaythissectiontoviewthissectioninthegeneratedreport. c. OntheAddSectiontoReportdialog,enteraSectionNameandaSectionDescriptionforthenewlyaddedsection. d. e. UnderSectionQueryType,selectDevice,Event,orSAFEasthequerytype. f. SelectanycombinationoftheAP,Client,andSensorcheckboxestoincludethesedevicetypesinthereport.These checkboxesarenotavailableforaSAFEquery. g. DescribetheSectionQueryconstructionlogicbyselectingthefollowing:
AcolumnfromSelectColumn
AconditionfromSelectCondition
Anobjectforthequery,whichyoucanselectorenter h. Optionally,selectoneormoreBooleanconnectors(ORorAND)tojointwoormorequeries.Click<Delete>todeletea query. i. UnderSelectColumnstobedisplayedinSectionResults,dothefollowing. Click<Add>toviewalistofattributesandselectanattribute. SelectthecheckboxDisplaytoviewtheselectedattributeinthegeneratedreport.
UnderSummary,youcanchoosetodothefollowing:
Selectthetypeofchartfromthedropdownlisttoviewagraphfortheselectedattribute.
SelectthecheckboxTabletoviewatabulatedcountfortheselectedattribute. Note:PiechartsarenotvisibleinanHTMLreport.YoucanviewpiechartsonlyinaPDFreport.
Selectanattributeandclick<Delete>todeletethatattribute. Selectanattributeandclick<Up>or<Down>toorganizetheattributesthatappearascolumnsintheSectionResults tableofthegeneratedreport. Tosavethesectiontoanexistingreport,click<SaveSectiontoReport>.Tosavethesectionwithanewname,click<Save toReportasNewSection>. j. 82 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole CreatingaReportSchedule 7.1.9.5 Usethefollowingstepstoscheduleemaildeliveryofareport: a. b. Click<AddSchedule>.TheGenerationandDeliveryOptionsforSelectedLocationdialogappears.
FromtheListofReportstable,selectthereportthatyouwanttoschedule. Figure 112. Scheduling a Report for One Time Delivery
c. FromtheFormatdropdownlist,selecttheoutputtypeforthereport,thatis,HTML,XML,orPDF. Note:ThesystemdoesnotsupportPDFreportgenerationonolderversionsofIE(versionslowerthan7.0). d. SelecteitherOneTimeGenerationorRecurringGeneration.
ToscheduleareportforOneTimeGeneration,performthefollowing:
UnderScheduleReport,clickthecalendaricon
tospecifythedateandthetimeonwhichtogeneratethe report.
UnderReportTimePeriod,customizethedurationforwhichthereportshouldbegeneratedbydoingeitherof thefollowing:
SelectLastandthenthenumberofhours,days,ormonthsbeforethereportdeliverytime.
SelectCustomizeandthentheexactdateandtimeinFromDateandToDatefields. SpectraGuardEnterpriseInstallationGuide 83 SettinguptheServerConsole Figure 113. Scheduling a Report for Recurring Generation
ToscheduleareportforRecurringGeneration,performthefollowing:
UnderScheduleReport,fromtheGenerateReportEverydropdownlist,selectthenumberofhours,days,or monthsoverwhichtodeliverthereport.
ClickthecalendariconnexttoStartDatetoselectthestartdateandtimeforthereport.
ClickthecalendariconnexttoEndDatetoselecttheenddateandtimeforthereport.TheEndDatemustbe greaterthantheStartDate.ThesystemautomaticallyselectstheEndDateandTimefromtheStartDate.
UnderReportTimePeriod,customizethedurationforwhichthereportshouldbegeneratedbyselectingLast andthenthenumberofhours,days,ormonthsbeforethereportdeliverytime. e. UnderDeliveryOptions,performthefollowing:
SelectArchiveReportandthenchoosethefollowing:
NeverDeletetoretainthereportforever
Deleteafterndaystodeletethereportafterthespecifiednumberofdays SelectEmailReporttoemailacopyofthereporttotheselecteduser(s).
SelectZipbeforeemailtocompressthereportbeforeemailingit. f. Click<AddRecipients>toopenReportDeliverydialog.Here,youcandothefollowing: SelectoneormoreemailaddressesunderSystemUsersandthenclicktomovethechosenemailaddress(s)to Recipients.ThesystemdeliversscheduledreportstotheusersunderRecipients. Click<Add>toopenAdditionalEmailAddressesdialogwhereyoucanspecifyacustomemailaddressforanon systemuserwhowillreceiveascheduledreport.Inthisdialog,youcanaddmultipleemailaddressesoneatatime.
84 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole
Figure 114. Specifying Additional Email Addresses for Report Delivery Toschedulethereport,click<Save>. g. Click<OK>toclosetheAdditionalEmailAddressesdialog. h. Click<OK>toclosetheReportDeliverydialog. i. 7.1.10 Step10:CalibratingLocationTracking 29. TheLocationsscreenappearsasshowninthefollowingfigure.Calibrateyoursystemforaccuratelocationtracking. Figure 115. Locations Screen Calibration SpectraGuardEnterpriseInstallationGuide
85 SettinguptheServerConsole CalibrationhelpsintuningRFparametersusedbythesystemtocomparetheAPandSensorpredictionstoactual observations.Thesystemhasarobustcalibrationtechniquethatalsoallowsmanualinterventionincaseofdiscrepancy.Use thefollowingstepstocalibrateRFviews: a. b. c. d. GeneratethedesiredRFCoveragemapbyclicking<Calibration>. e. Placedevicesonthefloormap. SelecttheViewertab. SelectoneoftheAPorSensorviews. Toimprovepredictions,finetunetheMin.SignalDecayConstantandtheMax.SignalDecayConstant. Note:Min.SignalDecayConstantspecifiestheamountofsignallossthatisacceptableforregionsclosetothetransmitter(Sensor). Max.SignalDecayConstantspecifiestheamountofsignallossthatisacceptableforregionsawayfromthetransmitter.Signallossis directlyproportionaltothesignaldecayconstants. f. ChangethevaluesoftheSignalDecaySlope(Beta)andtheSignalDecayInflection(Alpha).Thesystemusesthese parameterswhencomputingtheRFanddefinestheregionaroundthetransmitterthatisunobstructed. Note:WhenyouchangethevaluesofMin.SignalDecayConstant,Max.SignalDecayConstant,SignalDecaySlope(Beta),and SignalDecayInflection(Alpha)theRFviewandLocationTrackingforunobstructedregionsisaffected.Intheobstructedregions,only LocationTrackingisaffected,RFviewisnotaffected. g. Click<UpdateGraph>toviewyourselectionagainstthepredictedvalues. Important:ThePredictedvaluecurveshouldoverlaptheObservedvaluecurveasmuchaspossible. h. Click<Calibrate>tocompletecalibrationifyouhaveadjustedtheparametersmanuallysuchthatthetwocurvesare parallel(butnotcoinciding). Click<Apply>tocommityourchanges. i. Figure 116. RF Calibration Dialog
86 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole 7.1.11 Step11:LockingtheSystemConfiguration 30. TheEventActivationscreenappearsasshowninthefollowingfigure.Ifthesystemconfigurationisnotconfirmed,you needtogobacktothepreviousstepsandcompleteanyadditionalconfiguration.Otherwise,inthisstep,youcanturnon events.Thesystemwillbecomecompletelyoperationalafteractivatingintrusionprevention. Figure 117. Event Activation 31. TheIntrusionPreventionActivationscreenappearsasshowninthefollowingfigure.Ifthesystemconfigurationisnot confirmed,youneedtogobacktothepreviousstepsandcompleteanyadditionalconfiguration.Otherwise,inthisstep, youcanturnonintrusionprevention.Thismakesthesystemoperational.
SpectraGuardEnterpriseInstallationGuide 87 SettinguptheServerConsole Figure 118. Intrusion Prevention Activation 32. TheDeviceListLockingscreenappearsasshowninthefollowingfigure.Ifyouhadpreviouslyunlockedthelistof AuthorizedAPsandClientsatalocationbydecheckingthetwocheckboxesLockAPListforlocation<selected location>andLockClientListforlocation<selectedlocation>,youmaylockthelistsforalllocationswhereyoudo notexpectmoreauthorizedAPsorClientstobeadded.AirTightrecommendsthatyoulocktheAPlist.IfyourClientsare authorizedautomatically,donotlocktheClientlists.Anynewdeviceaddedafterthelistislockedhastobemanually movedtotheAuthorizedcategory.
88 SpectraGuardEnterpriseInstallationGuide SettinguptheServerConsole Figure 119. Device List Locking 7.1.12 Step12:CompletionofSetupWizard 33. Thismarksthecompletionofthesetupwizard.TheDashboardscreenappearsasshowninthefollowingfigure.The Serverisconfiguredtoprotectyournetworkagainstwirelessthreats.
SpectraGuardEnterpriseInstallationGuide 89 SettinguptheServerConsole Figure 120. Dashboard Screen
90 SpectraGuardEnterpriseInstallationGuide Chapter8 ConfigShellCommands ConfigShellCommands ServerConfigShellCommands 8.1 ThischapterdescribesthecommandsintheServerConfigShellusedtoreconfigureormaintaintheServerafterrunningthe ServerConfigurationWizard.SomecommandsdisplaythestatusoftheServer. Database Commands Command Description db backup Backs up the database to the Remote Server specified by you db clean Resource clean-up without disruption of services db maintain Resource clean-up after temporary shutting down of services db reset db restore
Resets the database to factory defaults but maintains network settings Restores the database from a previous backup on a Remote Server Command Description get Commands get allowed ip Displays the list of IP addresses or subnets that are allowed to access this device get cert Generates a self-signed certificate get certreq Generates a Certificate Signing Request (CSR) get date get debug get ha Displays the current time zone, date, and time on the Server Creates a debug information tarball file; this file can be used for debugging purposes Displays High Availability (HA) Cluster configuration and service status get ha help Displays detailed High Availability (HA) setup help get interface Displays the Network and HA Interface speed and mode get locationinfo Extracts information about location hierarchy, imported images, and signal strength for all devices seen by Sensor get log config Displays the configuration of the logger get monitoring get network Displays the number of days that the system should keep the data for all performance monitoring charts Displays the Network Interface (eth0) configuration including the IP Address, Subnet mask, Gateway, DNS Address, and DNS Prefix get opsec log Displays the log messages generated by OPSEC API get route Displays the routing table SpectraGuardEnterpriseInstallationGuide 91 ConfigShellCommands get sensor list Displays a list of Sensors and NDs get server config get server check Displays the complete Server configuration which includes the Server ID, Server Version, Server Build, MAC address of the Network and HA Interface, Server Mode, Server Time Zone, Date and Time Settings, WLSE Integration Settings, Settings of Network Interfaces, and Server Processes Runs a Server consistency check and display the results. If any fatal item fails, a failure result is recorded get serverid Displays the Server ID get ssh Displays the status of the SSH Server get status Displays the status of Server processes get support get version
Displays settings that control how, when, where, and what support information is to be sent Displays the version and build information of all the Server components 92 SpectraGuardEnterpriseInstallationGuide ConfigShellCommands set Commands Command Description set allowed ip Sets the list of IP addresses or subnets that are allowed to access this device set cert set date Installs a signed SSL certificate issued for the request generated using 'get certreq'
Sets the current time zone, date, and time information on the Server; the Server needs to be rebooted for the date/time information to take effect set dbserver Starts/Stops the Database Server set erase Configures the backspace key set ha Enables or disables High Availability (HA) service set interface Sets the Network and HA Interface speed and mode set log config Sets the configuration of the logger set monitoring set network Sets the number of days that the system should keep the data for all performance monitoring charts Sets the Network Interface (eth0) configuration including the IP Address, Subnet mask, Gateway, DNS Address, and DNS Prefix set route Allows addition/deletion of routing table entries set server Starts/Stops the Application Server set serverid Sets the Server ID set ssh Starts/Stops the SSH access to the Server set support Sets up how, when, where, and what support information is to be sent set webserver Starts/Stops the Web Server
SpectraGuardEnterpriseInstallationGuide 93 ConfigShellCommands Other Commands Command Description exit help Exits the config shell session Displays help for all the commands passwd Allows the admin to change the config shell password ping<Hostname/IP Address>
Pings a host reboot Reboots the Server reset factory reset password gui Resets the Server to the factory defaults/out of the box status Sets the Graphical User Interface (GUI) password for the user admin to the factory default admin shutdown Shuts down the Server gracefully traceroute Shows the route to a host upgrade
Upgrades the Server using the specified upgrade bundle from an HTTP location 94 SpectraGuardEnterpriseInstallationGuide ConfigShellCommands
8.2 SensorConfigShellCommands get Commands Command Description get ap Displays all the currently visible APs get interface Displays Network Interface speed and mode get ip config Displays the IP information get log Displays the log information as it is created get log config Displays the configuration of the logger get mode Displays the mode in which the Sensor is currently configured get rf Displays if RF monitoring for a Sensor is ON or OFF get serial num Displays the Board Number get server discovery Displays the Server discovery/setting information get status Displays the current running status of all the components get version Displays the version and build information of all the components get vlan config Displays the VLAN information (set info and dynamic info) get vlan id Displays the VLAN IDs seen by the ND get vlan status Displays the VLAN status information get model Displays the Sensor Model set Commands Command Description set erase Sets the erase character to ^H set interface Sets Network Interface speed and mode set ip config Runs through the current VLAN and IP config wizard set server discovery Sets the Server discovery information set vlan config Sets multiple VLAN monitoring to ON or OFF set mode Sets the mode to Sensor, Sensor/ Network Detector Combo, Network Detector, or Sentry
SpectraGuardEnterpriseInstallationGuide 95 ConfigShellCommands Other Commands Command Description exit help help set help get Exists the Sensor config Shell session Displays help for all commands Displays help for set commands Displays help for get commands help other Displays help for other commands passwd ping reboot restart Changes the config Shell password Pings a host. Usage: ping <IP_address/host_name> e.g. ping 192.168.1.246 Reboots the Sensor Restarts the Sensor application reset factory Resets the Sensor to out of the box status upgrade Upgrades the Sensor manually from a given IP address
96 SpectraGuardEnterpriseInstallationGuide Troubleshooting Chapter9 Troubleshooting 9.1 ServerTroubleshooting
Problem After changing the IP address of the Server, the computer used to configure the Server gets disconnected. On typing https:// wifi-
security-server in the IE 5.5 browser, the Login screen does not appear even after adding a DNS entry wifi-security-server for the Server. Solution The subnet mask of the computer used to configure the Server may not be the same as that of the Server. Change the subnet mask of the computer so that it is in the same subnet as the Server. The Default gateway and Preferred DNS Server settings of the computer used to access the Server Console may be incorrect. Ensure that the Default gateway and Preferred DNS Server settings of the computer used to access the Server Console match the Server settings. On rebooting the Server, the get network command does not show an IP address. The IP address that you have assigned to the Server conflicts with some other IP address on the network. Change the IP address of the Server using the set network command. No Sensors connect to the Server after setting the Server ID. No connection to the Server The Console reports Java Runtime Environment Detection not installed message. Unable to log into the Console. The Server ID used by the Server may be used by another Server on the network. Verify that no other Server with the Server ID set for the Server is running on the network. Change the Server ID using the set serverid command. Check if the Server is powered on. If the Server is not powered on, switch it on. Else, check the IP Address or the DNS Name on the Server Config Shell. Important: Please ensure that you have used the correct IP Address or the DNS name to connect to the Server. If the IP Address or the DNS name is correct, try pinging other computers on the network from the Server Config Shell interface. If the problem still exits, reset the Server and attempt to reconnect to the Server. Follow the instructions provided on the Console to install the Java Runtime Environment. If you are logging in for the first time, refer to the Initializing section for the default Login Name and Password. Try recovering the password using the Recover option in the Forgot Password? section of the Login Screen. The Console has frozen
(Clicks do not work). Close the browser and try connecting to the Server in another window. If you cannot connect to the Server, follow the steps listed in Problem 1 of this table. SpectraGuardEnterpriseInstallationGuide 97 No events are being reported or the device status is stale (not updated). Troubleshooting Check the status of the Server on the Administration screen. If the Current Status field shows Start Server button in the Server Status section. Check the status of the Server on the Administration screen. or
, click the No Sensor is connected to the Server. If the Current Status field shows Start Sever button in the Server Status section. or
, click the Server response time is high.
If the Current Status field shows Sensors Troubleshooting section for the solution. Restart the Console. If the problem persists, run the db clean command from the Server Config Shell.
, refer to the 98 SpectraGuardEnterpriseInstallationGuide
9.2 SensorTroubleshooting
Symptoms Diagnosis Solution Troubleshooting
LED1: Solid Orange LED2: Fast Blink The Sensor did not receive a valid IP address via the DHCP. The DHCP Server is unreachable. Restore the connectivity to the DHCP Server or set a static IP address via the HTTP interface or the Config Shell CLI. LED1: Solid Orange LED2: Slow Blink Unable to connect to the Server. Ensure that the Server is running and is reachable from the network to which the Sensor is attached. If there is a firewall or a router with ACLs enabled between the Sensor and the Server, ensure that the traffic is allowed on UDP port 3851. If utilizing the Server ID based discovery, ensure that multicast is enabled on the network. Alternatively, if utilizing the Server IP based discovery, ensure that the DNS name wifi-security-
server has been correctly entered on the DNS Server. Also ensure that the DNS Server IP addresses are either correctly configured on the Sensor, or are provided by the DHCP Server. LED1: Solid Orange LED2: Solid Green LED1: Solid Orange LED3: Solid Green LED1: Solid Orange LED4: Solid Green The Ethernet cable is loose. It is probably disconnected from the network. An error on the 802.11 interface has occurred. Ensure that the Ethernet cable is connected. Contact support@airtightnetworks.com for more details. A fatal Software error has occurred. Contact support@airtightnetworks.com for more details. SpectraGuardEnterpriseInstallationGuide 99
frequency | equipment class | purpose | ||
---|---|---|---|---|
1 | 2010-10-04 | 2412 ~ 2462 | DTS - Digital Transmission System | Original Equipment |
2 | 5510 ~ 5670 | NII - Unlicensed National Information Infrastructure TX |
app s | Applicant Information | |||||
---|---|---|---|---|---|---|
1 2 | Effective |
2010-10-04
|
||||
1 2 | Applicant's complete, legal business name |
Arista Networks, Inc.
|
||||
1 2 | FCC Registration Number (FRN) |
0014080386
|
||||
1 2 | Physical Address |
5453 Great America Parkway
|
||||
1 2 |
Santa Clara, CA
|
|||||
1 2 |
United States
|
|||||
app s | TCB Information | |||||
1 2 | TCB Application Email Address |
T******@TIMCOENGR.COM
|
||||
1 2 | TCB Scope |
A4: UNII devices & low power transmitters using spread spectrum techniques
|
||||
app s | FCC ID | |||||
1 2 | Grantee Code |
TOR
|
||||
1 2 | Equipment Product Code |
SS300ATC50
|
||||
app s | Person at the applicant's address to receive grant or for contact | |||||
1 2 | Name |
F******** S******
|
||||
1 2 | Title |
Manager, Product Compliance
|
||||
1 2 | Telephone Number |
40854********
|
||||
1 2 | Fax Number |
1-408********
|
||||
1 2 |
f******@arista.com
|
|||||
app s | Technical Contact | |||||
n/a | ||||||
app s | Non Technical Contact | |||||
n/a | ||||||
app s | Confidentiality (long or short term) | |||||
1 2 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes | ||||
1 2 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
1 2 | Is this application for software defined/cognitive radio authorization? | No | ||||
1 2 | Equipment Class | DTS - Digital Transmission System | ||||
1 2 | NII - Unlicensed National Information Infrastructure TX | |||||
1 2 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | SPECTRAGUARD SENSOR | ||||
1 2 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No | ||||
1 2 | Modular Equipment Type | Does not apply | ||||
1 2 | Purpose / Application is for | Original Equipment | ||||
1 2 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | Yes | ||||
1 2 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
1 2 | Grant Comments | Power Output listed is conducted. Professional installation is required. Device is operating in a 3x3 Spatial Multiplexing MIMO configuration as described in this filing. This composite device is restricted to indoor use only for 5.15-5.25 GHz. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. End-Users must be provided with transmitter operation conditions for satisfying RF exposure compliance. | ||||
1 2 | Is there an equipment authorization waiver associated with this application? | No | ||||
1 2 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
app s | Test Firm Name and Contact Information | |||||
1 2 | Firm Name |
Quietek Linkou EMC Labotorty
|
||||
1 2 |
DEKRA Testing and Certification Co., Ltd.
|
|||||
1 2 | Name |
J****** C********
|
||||
1 2 |
S****** H******
|
|||||
1 2 | Telephone Number |
886-2******** Extension:
|
||||
1 2 |
886-2******** Extension:
|
|||||
1 2 | Fax Number |
886-2********
|
||||
1 2 |
886-2********
|
|||||
1 2 |
j******@quietek.com
|
|||||
1 2 |
s******@quietek.com
|
|||||
Equipment Specifications | |||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
1 | 1 | 15C | CC MO | 2412 | 2462 | 0.9462 | |||||||||||||||||||||||||||||||||||
1 | 2 | 15C | CC MO | 5745 | 5825 | 0.881 | |||||||||||||||||||||||||||||||||||
1 | 3 | 15C | CC MO | 2422 | 2452 | 0.9036 | |||||||||||||||||||||||||||||||||||
1 | 4 | 15C | CC MO | 5755 | 5795 | 0.857 | |||||||||||||||||||||||||||||||||||
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
2 | 1 | 15E | CC MO | 5180 | 5240 | 0.0226 | |||||||||||||||||||||||||||||||||||
2 | 2 | 15E | CC MO | 5260 | 5320 | 0.133 | |||||||||||||||||||||||||||||||||||
2 | 3 | 15E | CC MO | 5500 | 5700 | 0.1734 | |||||||||||||||||||||||||||||||||||
2 | 4 | 15E | CC MO | 5190 | 5230 | 0.036 | |||||||||||||||||||||||||||||||||||
2 | 5 | 15E | CC MO | 5270 | 5310 | 0.1435 | |||||||||||||||||||||||||||||||||||
2 | 6 | 15E | CC MO | 5510 | 5670 | 0.1687 |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details
This product uses the FCC Data API but is not endorsed or certified by the FCC