User's Guide
Table Of Contents
- Table of Contents
- Preface
- Introduction
- Extreme AirDefense New User Experience
- Dashboard
- View Dashboard
- Create a Dashboard
- Manage Your Dashboard
- Delete the Dashboard
- Dashboard Widgets
- WIPS Widgets
- Widget - Top Criticalities
- Widget - Top Security Alarms
- Widget - Top Wireless Exploits
- Widget - Top Wireless Extrusions
- Widget - Top Vulnerabilities
- Widget - Severity by Device
- Widget - Severity by Tree Level
- Widget - Rogue Access Points
- Widget - Recent Rogue Events
- Widget - Anomalies
- Widget - Top BT Security Alarms
- Widget - BT Security Threat By Category
- Widget - BT Security Threat by Tree Level
- STATs Widgets
- COMPLIANCE Widgets
- WIPS Widgets
- Network View
- Alarm View
- Configuration
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Structure Configuration
- Auto-Placement Rules
- Discovery Profile and Polling Configuration
- Communication Profile
- Security Profile
- Alarm Action Manager
- Device Action Manager
- Sensor Manager
- Alarm Configuration
- Wired Network Monitoring
- Performance Profile
- Environment Monitoring
- Client Types
- Appliance Settings
- Device Age Out
- Configuration Backup
- Forensic and Log Backup
- Configuration Restore
- Download Logs
- Redundant Appliance Synchronization
- Configuration Clear
- Language Settings
- License Management
- User Management
- Relay Server
- System Settings
- Appliance Management
- System Overview
- AirDefense in Standalone Mode
- System Components
- System Requirements
- Version Compatibility for Upgrade
- Connecting to Hardware Appliance
- Configuring the Appliance
- System Configuration
- Selecting and Deploying APs and Sensors
- Connecting to the Network
- Assigning User Interfaces
- Basic Navigation
- Alarm Time Reporting
- Extreme AirDefense on Virtual Platform
- Menu
- AirDefense Dashboard
- Network Tab
- Capabilities with a Central Management License
- Select-Network View
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
- Alarms
- Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Alarm Action Manager
- Alarm Configuration
- Client Types
- Device Action Manager
- Device Age Out
- Job Status
- Location Based Services
- Location Subscriber Profiles
- Pending State - Audit
- Sensor Only Settings
- Sensor Operation
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Account Management
- Drop-down Menu Access
- DevicesDrop-down Menu
- Device Functions Requiring More Explanation
- Network Level Drop-down Menus
- Global Tools
- Floor Plan Actions
- Floor Manipulation Tools
- Unplaced Devices Level Drop-down Menu
- Security
- WLAN Management
- Central Management Console
- ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
- Configure IDS
- IP Address Configuration
- IPv6
- NETPORT
- DNS Configuration
- Bonding Configuration
- hname Configuration
- dname Configuration
- Time Configuration
- Time Zone Configuration
- NTP Configuration
- PING Config
- SNMP Agent Configuration
- SNMP Community String Configuration
- SNMP Trap Configuration
- HTTP Configuration
- PANIC Configuration
- UIPORT Configuration
- Troubleshooting
- AirDefense Icons
- Legacy Content
- Menu
- AirDefense Dashboard
- Network Tab
- Capabilities with a Central Management License
- Select-Network View
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
- Alarms
- Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Alarm Action Manager
- Alarm Configuration
- Client Types
- Device Action Manager
- Device Age Out
- Job Status
- Location Based Services
- Location Subscriber Profiles
- Pending State - Audit
- Sensor Only Settings
- Sensor Operation
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Account Management
- Drop-down Menu Access
- DevicesDrop-down Menu
- Device Functions Requiring More Explanation
- Network Level Drop-down Menus
- Global Tools
- Floor Plan Actions
- Floor Manipulation Tools
- Unplaced Devices Level Drop-down Menu
- Security
- WLAN Management
- Central Management Console
- ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
- Configure IDS
- IP Address Configuration
- IPv6
- NETPORT
- DNS Configuration
- Bonding Configuration
- hname Configuration
- dname Configuration
- Time Configuration
- Time Zone Configuration
- NTP Configuration
- PING Config
- SNMP Agent Configuration
- SNMP Community String Configuration
- SNMP Trap Configuration
- HTTP Configuration
- PANIC Configuration
- UIPORT Configuration
- Troubleshooting
- AirDefense Icons
- Glossary
Rogue Activity Alarms
Rogue Activity Alarms alert you to devices participating in unauthorized communication in your
airspace. Events included in this category range from detection of a wireless device operating in the
airspace to detection of the most severe risks, e.g., unsanctioned wireless device communicating with
the wired network. ADSP makes a clear distinction between an unauthorized devicewhich may be a
neighboring device transmitting into the monitored airspaceand a rogue devicewhich is a device
communicating with a device on the sanctioned wired network. This distinction is critical to understand
and appropriately respond to the threat posed by each individual device. This advanced threat
assessment capability allows the administrator to safely ignore neighboring APs while focusing his
attention to real threats. Rogue Activity Alarms are broken down into the following four sub-types:
• Authorization Violation - ADSP monitors the airspace for all wireless devices. The authorization
violation subcategory defines devices which have not been acknowledged as sanctioned enterprise
wireless devices, ignored transient or neighboring devices.
• ExtrusionWireless technology increases the attack vectors that exist and present security challenges
to an enterprise. Threats against infrastructure devices such as rogue APs, DoS attacks, and mis-
configurations are some of the most well known and the primary focus to secure and protect
against. Often overlooked are lesser known and more prevalent threats that exist against endpoints
or wireless stations. The very nature of how these endpoints search for available wireless networks
to connect and inability to validate authenticity of the network they are connecting to makes them
vulnerable to forming unsanctioned connections. This process of a sanctioned wireless station
connecting to an external unsanctioned network is known as an Extrusion. A successful Extrusion
may take several forms but will always have the same eect of a sanctioned device forming L2 and
L3 connection and should be considered a similar threat to a hacker connection directly to a laptop
with a crossover cable.
ADSP Rogue Extrusion now includes alarms that alert you to Wi-Fi Direct devices on your network.
Wi-Fi Direct is peer-to-peer networking which may present issues with corporate networks
controlling Wi-Fi Direct devices. Being able to detect Wi-Fi Direct gives corporate personnel a tool
to investigate and determine if there is a threat to their network.
• Rogue Exploit - Rogue Exploit sub-type contains alarms to detect true rogue activities by any
unsanctioned wireless device communicating with the devices on the wired infrastructure. Examples
include an unauthorized AP physically attached to the wired network (Rogue AP) or an
unauthorized station on the wireless network connected to an authorized AP (Rogue Wireless
Client).
• Wired Network Monitoring - Rogue Activity includes events for devices participating in unauthorized
communication in your airspace. Examples of the type of event included in this category are
detection of a wireless device operating in the airspace to detection of the most severe risks
unsanctioned wireless device communicating with the wired network. AirDefense Enterprise makes
a clear distinction between an unauthorized device, which may be a neighboring device transmitting
into the monitored airspace, and a rogue device, a device which is communicating with a device on
the sanctioned wired network. This distinction is critical to understand and appropriately respond to
the threat posed by each individual device. This advanced threat assessment capabilities allows the
administrator to safely ignore neighboring APs while focusing his attention to real threats.
Alarm Library
To view a list of Rogue Activity Alarms for each alarm sub-type, go to Configuration > Operational
Management > Alarm Configuration, open Rogue Activity, and then open the alarm sub-type to see all
the alarms associated with the sub-type.
Operational Management
Legacy Content
1164 Extreme AirDefense User Guide for version 10.5.