User's Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesWireless Security

561

562

563

564

565

566

567

568

569

570

Table Of Contents

Table of Contents
Preface
- Conventions
  - Text Conventions
  - Terminology
- Providing Feedback
- Getting Help
- Documentation and Training
Introduction
- Scope of Documentation
Extreme AirDefense New User Experience
- Login to ADSP
  - Logout of AirDefense
- Download ADSP Toolkit
  - Download Toolkit from New User Interface
- Launch the Old User Interface
Dashboard
- View Dashboard
  - Set a Favorite Dashboard
- Create a Dashboard
- Manage Your Dashboard
- Delete the Dashboard
- Dashboard Widgets
Network View
- Network View - Network Snapshot
- Network Pane - Details View
Alarm View
- Object Missing
- Alarms - Details View
- Alarms Widget View
- Alarm Details List
Configuration
- Appliance Management
  - Appliance Settings
  - Backup / Restore Status
  - Certificate / Key Validation
    - Certificate Validation
    - Key Validation
  - Certificate Manager
  - Configuration Backup
  - Configuration Clear
  - Configuration Restore
  - Download Logs
    - Forensic and Log Backup
  - Language
  - Login / SSH Banners
  - Redundant Appliance Sync
- Structure Configuration
  - View And Manage Your Network Tree
  - Generate a Network Tree
  - Import the Network Tree
  - Floor Plans
- Auto-Placement Rules
  - View Auto-Placement Rules
  - Add an Auto-Placement Rule
  - Edit an Auto-Placement Rule
- Discovery Profile and Polling Configuration
  - Discovery Profile
  - Polling Configuration
    - Edit Polling Preferences
- Communication Profile
  - View Communication Profiles
  - Add a Communication Profile
  - Edit the Communication Profile
  - Delete Communication Profiles
- Security Profile
  - View Security Profile
  - Add a Security Profile
  - Edit a Security Profile
  - Delete a Security Profile
- Alarm Action Manager
  - View Alarm Action Manager Rule Set
  - Add Alarm Action Manager Rule Set
  - Edit Alarm Action Manager Rule Set
  - Delete Alarm Action Manager Rule Set
- Device Action Manager
  - View Device Action Manager Rule Set
  - Add a Device Action Manager Rule Set
  - Apply or Run the Device Action Manager Rule Sets
    - Apply Device Action Manager Rule Sets
    - Run Device Action Manager Rule Sets Manually
- Sensor Manager
  - Operation Tab
  - Settings Tab
- Alarm Configuration
- Wired Network Monitoring
- Performance Profile
  - View Performance Profile
  - Add Performance Profile
  - Apply Performance Profile
- Environment Monitoring
- Client Types
  - Manage Client Types
- Appliance Settings
- Device Age Out
- Configuration Backup
  - How Backups Work
  - View Backup Schedules
  - Scheduling Configuration Backup
- Forensic and Log Backup
  - Forensic Backup Configuration
  - Log Backup Configuration
- Configuration Restore
- Download Logs
  - Forensic and Log Backup
- Redundant Appliance Synchronization
  - How Synchronization Works
  - Synchronization Rules
  - _
  - Automatic Synchronization
  - Appliance Replacement Considerations
- Configuration Clear
- Language Settings
  - Change the Language
- License Management
  - Auto License Management
  - Add Licenses
  - Manage License Manually
- User Management
  - Manage User Accounts
  - User Group Management
  - User Profile Management
- Relay Server
  - Configure External Relay Server
  - Import Relay Servers
  - Internal Relay Server
- System Settings
  - Add System Log Server IP Address
System Overview
- AirDefense in Standalone Mode
- System Components
- System Requirements
- Version Compatibility for Upgrade
- Connecting to Hardware Appliance
- Configuring the Appliance
  - Add-On Modules
  - Hardware Dependencies
- System Configuration
- Selecting and Deploying APs and Sensors
- Connecting to the Network
- Assigning User Interfaces
- Basic Navigation
- Alarm Time Reporting
Extreme AirDefense on Virtual Platform
- Prerequisites
- Installing Extreme AirDefense 10.0 on VMware
- Install Extreme AirDefense on Xen Hypervisor
Menu
- Installing the Toolkit
- Open
  - Frame Capture Analysis
  - Spectrum Analysis
- Forensic Analysis-Basic
- Advanced Forensic Analysis
- Action Control
  - Action Control Table
  - Action Control Commands
- Reports
  - Web Reporting Interface
- Report Builder
- Connection Troubleshooting
- Scheduled AP Tests
  - Scheduled AP Test
    - On-demand AP Tests
    - AP Test License
- Scheduled Vulnerability Assessment
  - Scheduled Vulnerability Assessment
  - Vulnerability Assessment License
- Scheduled Events
  - Monitoring Scheduled Events
  - Altering Event Schedules
- Add Devices
- Import and Discovery
- Bluetooth Monitoring
AirDefense Dashboard
- The Dashboard
- Selecting Dashboard Scope
- Customizing Dashboard Views
  - View Customization
  - Draggable Components
- Dashboard Components
Network Tab
- Capabilities with a Central Management License
- Select-Network View
  - Show Menu
    - Viewing the Network
    - Types of Devices
  - Actions Menu
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
Alarms
- AirDefense Alarm Model
- Capabilities with a Central Management License
- Alarm Table
- Alarm Filters
- Alarm Categories and Criticality
  - Alarm Categories
  - Alarm Criticality
- Alarm Details
- Alarm Actions
Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Appliance Management
- Account Management
- Drop-down Menu Access
Security
- WIPS
- Planning Your Sensor Deployment
  - Deployment Considerations
- Physical and Electromagnetic Interference
  - Device Placement Considerations
- Planning Your Sensor Placement
- Sensor Monitoring
- Vulnerability Assessment
  - On-Demand Vulnerability Assessment
  - Scheduled Vulnerability Assessment
- WEP Cloaking
WLAN Management
- Infrastructure Management
- Operational Management
  - Pending State Audit
- Appliance Platform
  - Relay Server
  - Import Relay Server Information
Central Management Console
- Configuring Master/Slave Servers
  - Things to Remember
  - Sharing Certificates
- Adding a Slave Server
ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
Troubleshooting
- AP Testing
- Connection Troubleshooting
- Live RF
- Forensic RF
- Spectrum Analysis
- Advanced Spectrum Analysis
- Advanced Troubleshooting
- Assurance Suite (Network Assurance)
- Radio Share Network Assurance
- Customer Support
AirDefense Icons
- AirDefense Application Icons
- Wireless Client Icons
Legacy Content
- Menu
- AirDefense Dashboard
- Network Tab
- Alarms
- Configuration Tab
- Security
- WLAN Management
- Central Management Console
  - Configuring Master/Slave Servers
    - Things to Remember
    - Sharing Certificates
  - Adding a Slave Server
- ADSPAdmin
- Troubleshooting
- AirDefense Icons
  - AirDefense Application Icons
  - Wireless Client Icons
Glossary

Anomalous Behavior Alarms (ABA) feature is only available for AirDefense Enterprise servers and does

not require any speciﬁc license. This feature is enabled when you enable Performance Proﬁle. ABA is

calculated for sanctioned clients and BSS only. All other data is ignored.

The AirDefense server ﬂags trac behavior that deviates signiﬁcantly from observed normal behavior.

The server learns speciﬁc attributes of trac monitored over a conﬁgurable period of time. It uses this

information to ﬂag any trac that deviates signiﬁcantly from its learned trac behavior.

AirDefense ABA works in two phases.

• Background Learning Phase

• Live Data Threshold Comparison Phase

These phases are common to all alarms based on the anomaly detection paradigm. Each alarm type

could have dierent learning parameters and custom threshold computation methods.

In the Background Learning Phase, the AirDefense server monitors the forensic data in the data

store for a conﬁgured duration of time. It then computes a baseline behavior against which an event will

be tested. The learning phase training window is sliding to enable including the live data being added to

the forensic store. ABA learning happens at regular intervals during the day to compute thresholds for

all anomalous alarms. The default learning interval for each alarm is 14 days. Thresholds are computed

and stored in 5 minute windows. These learning interval conﬁguration values cannot be modiﬁed. These

thresholds are computed on the scope where performance proﬁle is enabled. The scopes can be at

Site Level, Floor Level, or System Level.

In the Live Data Threshold Comparison Phase, live data from the sensors is compared with

the computed thresholds for the enabled scope. If the live data is above the computed threshold, its

corresponding alarm is triggered. For example, if, in the live data, the total AP Management Frames

in a location in a 5 minute interval exceeds the computed threshold value of the total AP Management

Frames in the same 5 minute interval over the last 14 days, then the AP Management Frame

Anomalous Behavior Frames alarm is raised.

ABA computation starts at 00:00 hour. The computed threshold values are not persistent across server

reboots and restarts. In case a server is restarted or rebooted, threshold computation will commence at

00:00 hours. You will not have computed threshold value from the time the server was rebooted or

restarted till the nearest 00:00 hour.

The following Anomalous Behavior Alarms are supported

• MU Management Frame Anomalous Behavior Frames

• MU Data Frame Anomalous Behavior Frames

• MU Control Frame Anomalous Behavior Frames

• AP Management Frame Anomalous Behavior Frames

• AP Data Frame Anomalous Behavior Frames

• AP Control Frame Anomalous Behavior Frames

• MU Management Frame Anomalous Behavior Bytes

• MU Data Frame Anomalous Behavior Bytes

• MU Control Frame Anomalous Behavior Bytes

• AP Management Frame Anomalous Behavior Bytes

Conﬁguration

Tab Anomaly Baseline View

Extreme AirDefense User Guide for version 10.5. 561