User's Guide
Table Of Contents
- Table of Contents
- Preface
- Introduction
- Extreme AirDefense New User Experience
- Dashboard
- View Dashboard
- Create a Dashboard
- Manage Your Dashboard
- Delete the Dashboard
- Dashboard Widgets
- WIPS Widgets
- Widget - Top Criticalities
- Widget - Top Security Alarms
- Widget - Top Wireless Exploits
- Widget - Top Wireless Extrusions
- Widget - Top Vulnerabilities
- Widget - Severity by Device
- Widget - Severity by Tree Level
- Widget - Rogue Access Points
- Widget - Recent Rogue Events
- Widget - Anomalies
- Widget - Top BT Security Alarms
- Widget - BT Security Threat By Category
- Widget - BT Security Threat by Tree Level
- STATs Widgets
- COMPLIANCE Widgets
- WIPS Widgets
- Network View
- Alarm View
- Configuration
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Structure Configuration
- Auto-Placement Rules
- Discovery Profile and Polling Configuration
- Communication Profile
- Security Profile
- Alarm Action Manager
- Device Action Manager
- Sensor Manager
- Alarm Configuration
- Wired Network Monitoring
- Performance Profile
- Environment Monitoring
- Client Types
- Appliance Settings
- Device Age Out
- Configuration Backup
- Forensic and Log Backup
- Configuration Restore
- Download Logs
- Redundant Appliance Synchronization
- Configuration Clear
- Language Settings
- License Management
- User Management
- Relay Server
- System Settings
- Appliance Management
- System Overview
- AirDefense in Standalone Mode
- System Components
- System Requirements
- Version Compatibility for Upgrade
- Connecting to Hardware Appliance
- Configuring the Appliance
- System Configuration
- Selecting and Deploying APs and Sensors
- Connecting to the Network
- Assigning User Interfaces
- Basic Navigation
- Alarm Time Reporting
- Extreme AirDefense on Virtual Platform
- Menu
- AirDefense Dashboard
- Network Tab
- Capabilities with a Central Management License
- Select-Network View
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
- Alarms
- Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Alarm Action Manager
- Alarm Configuration
- Client Types
- Device Action Manager
- Device Age Out
- Job Status
- Location Based Services
- Location Subscriber Profiles
- Pending State - Audit
- Sensor Only Settings
- Sensor Operation
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Account Management
- Drop-down Menu Access
- DevicesDrop-down Menu
- Device Functions Requiring More Explanation
- Network Level Drop-down Menus
- Global Tools
- Floor Plan Actions
- Floor Manipulation Tools
- Unplaced Devices Level Drop-down Menu
- Security
- WLAN Management
- Central Management Console
- ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
- Configure IDS
- IP Address Configuration
- IPv6
- NETPORT
- DNS Configuration
- Bonding Configuration
- hname Configuration
- dname Configuration
- Time Configuration
- Time Zone Configuration
- NTP Configuration
- PING Config
- SNMP Agent Configuration
- SNMP Community String Configuration
- SNMP Trap Configuration
- HTTP Configuration
- PANIC Configuration
- UIPORT Configuration
- Troubleshooting
- AirDefense Icons
- Legacy Content
- Menu
- AirDefense Dashboard
- Network Tab
- Capabilities with a Central Management License
- Select-Network View
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
- Alarms
- Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Alarm Action Manager
- Alarm Configuration
- Client Types
- Device Action Manager
- Device Age Out
- Job Status
- Location Based Services
- Location Subscriber Profiles
- Pending State - Audit
- Sensor Only Settings
- Sensor Operation
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Account Management
- Drop-down Menu Access
- DevicesDrop-down Menu
- Device Functions Requiring More Explanation
- Network Level Drop-down Menus
- Global Tools
- Floor Plan Actions
- Floor Manipulation Tools
- Unplaced Devices Level Drop-down Menu
- Security
- WLAN Management
- Central Management Console
- ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
- Configure IDS
- IP Address Configuration
- IPv6
- NETPORT
- DNS Configuration
- Bonding Configuration
- hname Configuration
- dname Configuration
- Time Configuration
- Time Zone Configuration
- NTP Configuration
- PING Config
- SNMP Agent Configuration
- SNMP Community String Configuration
- SNMP Trap Configuration
- HTTP Configuration
- PANIC Configuration
- UIPORT Configuration
- Troubleshooting
- AirDefense Icons
- Glossary
malicious user with basic computer skills, a laptop, and a CD drive can obtain various sets of open
source tool kits which will transform the laptop into a fully configured wireless attack platform.
As time has progressed these tools kits have become increasingly easier to use while oering an
increasingly sophisticated toolset. The bottom line is the wireless attack tools have become accessible
to a broader range of users. Because exploits involve active interaction with the wireless network,
AirDefense recommends timely action to understand and mitigate the threat to minimize security
exposure. Exploits Alarms are broken down into the following three sub-types:
• Active Attacks - Active attacks subcategory includes active malicious interaction with the wireless
network. Active attacks are severe and present a high security risk and potential for significant
exposure. Because these events are active in the wireless network, timely investigation is
recommended to prevent the attack from continuing. These events can be mitigated wirelessly to
minimize and prevent continued exposure; mitigation can be initiated manually by the administrator
or automatically if the system has been configured for policy-based termination.
• DoS - Denial of Service (DoS) events can cause significant disruption in the wireless networks by
preventing a user from accessing a wireless resources. In wireless networks, DoS events can happen
in two forms: the first form is a DoS attack directed at a specific device and the second form is a DoS
attack directed at the wireless medium. Device level attacks will aect one or more devices
depending on the attack setup; broadcast attacks for example can impact all stations associated to
an , whereas a more directed attack will only impact a single station leaving other stations
connected to the . In either case DoS attacks of this nature consume wireless bandwidth. The second
type of attacks directed at the medium exploit inherent flaws in the 802.11 protocol impacting all
devices on the channel by making the medium temporarily unusable. Denial of Service (DoS) attacks
by themselves are of little use to a hacker or malicious user, but they may serve as the foundation for
other more significant exploits.
• Impersonation Attacks - Many of the parameters in the 802.11 specification which are used to
uniquely identify wireless networks and the wireless devices themselves are contained in clear
unencrypted sections of the wireless trac. Malicious users who listen to trac in promiscuous
mode are able to easily learn what these parameters are. Because the current 802.11 standard
doesn't oer any validation of these parameters techniques called spoofing or identity theft have
been developed to impersonate wireless devices to exploit wireless networks. Impersonation
exploits are performed through the use of tools which craft wireless trac substituting some of the
learned parameters into the transmitted trac. Because the wireless devices are unable to
distinguish the impersonated trac from the legitimate trac, all trac is processed as legitimate
trac including the malicious trac. Impersonation is the foundation of a significant percentage of
basic and advanced wireless exploits and may be the first sign of a sophisticated attack.
Alarm Library
To view a list of Exploits Alarms for each alarm sub-type, go to Configuration > Operational
Management > Alarm Configuration, open Exploits, and then open the alarm sub-type to see all the
alarms associated with the sub-type.
Infrastructure Alarms
Infrastructure Alarms alert you to events that are generated based on the SNMP traps received from the
infrastructure devices. Each infrastructure device is capable of forwarding SNMP traps to alert the ADSP
of significant events related to the device. Examples of SNMP traps include ColdStart indicating that a
device has recently rebooted or CPU Limit Exceeded indicating that the CPU on a device has reached a
critical level for a period of time. The SNMP traps received from infrastructure devices are configurable
Configuration
Tab Alarm Configuration
Extreme AirDefense User Guide for version 10.5. 621