User's Guide
life applications of the capability include: Geofencing, Prioritized Device Tracking, and Wi-Fi Device
Inventory.
Alarm Library
To view a list of Proximity Alarms for each alarm sub-type, go to Configuration > Operational
Management > Alarm Configuration, open Proximity, and then open the alarm sub-type to see all the
alarms associated with the sub-type.
Reconnaissance Alarms
Reconnaissance Alarms alert you to events that track devices which are actively attempting to locate
wireless networks. 802.11 wireless networking operates in a shared medium in which the wireless signals
are not constrained by traditional physical boundaries. Signals may extend outside of building
boundaries into parking lots or neighboring facilities, enabling valid client devices, attackers, or malicious
users to receive the signals and discover available wireless networks. Wireless behavior from supplicants
such as the Windows XP zero configuration client (WZC) is an example of normal reconnaissance
behavior: the client continues to probe for all configured networks, which allows it to find
networks that do not broadcast SSIDs.
Alternatively, reconnaissance may be used by a malicious user as the first step in an attack on a wireless
network. Open source reconnaissance tools, such as Wellenreiter, Netstumbler, and Dstumbler, can be
used to discover wireless networks. Some reconnaissance tools use active methods to detect wireless
networks and are easily detected by ADSP, while other tools, such as Kismet, have transitioned to a
passive or "listen only" mode and cannot be detected by any WIDS platform. For customers operating
in no-wireless environments, reconnaissance events are of medium to high importance and should be
investigated. For deployments in urban multi-tenant areas, reconnaissance events are of minor
importance because of the increasing prevalence of wireless networks combined with the increasing
sophistication of newer reconnaissance tools that operate in passive mode and cannot be detected.
Reconnaissance Alarms are broken down into the following three sub-types:
• Reconnaissance Tools - Reconnaissance tools enable a user to discover available wireless devices in
the vicinity of the user running the tool. While early versions of these tools use active methods to
find available wireless resources, newer versions are increasingly sophisticated and have
transitioned to passive or listen-only mode and will go undetected.
• Typical Client Activity - In wireless networking, clients actively search for the wireless networks they
have been configured to connect to, enabling the clients to find the wireless APs that are in the
vicinity of the station. Once a client connects to an AP, it will continue to search for other resources,
which may include different networks or resources with a higher signal strength. Reconnaissance
activity in environments with deployed wireless networks is considered typical and is expected
behavior from devices.
• Weakness - APs can be configured to make them more or less vulnerable to reconnaissance activity;
some of these options include broadcasting the SSID in the beacon and responding to null
probe requests. Configuring the AP not to respond to null probe requests and disabling broadcast of
the SSID in the beacon is a good security practice that hides the wireless network identity from
basic users; however, it will do little to deter more advanced users attempting to discover the
wireless network.
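As an added illustration of the Weakness sub-type (not Extreme AirDefense code and not its detection logic), this Python example passively audits a capture for the two AP settings named there: SSID broadcast in beacons and replies to null probe requests. The helper `mgmt`, the MAC addresses and the sample capture are constructed for the example; frames are assumed to be raw 802.11 management frames without a radiotap header or FCS.

```python
# Added example: passive audit of the two AP settings named under "Weakness".
BEACON, PROBE_REQ, PROBE_RESP = 8, 4, 5      # 802.11 management frame subtypes
BCAST = b"\xff" * 6

def ssid_of(body, fixed_len):
    """Return the SSID element (ID 0) payload, or None if absent or truncated."""
    i = fixed_len
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            return None
        if eid == 0:
            return body[i + 2:i + 2 + elen]
        i += 2 + elen
    return None

def audit(frames):
    """Map BSSID -> findings, from raw 802.11 management frames."""
    aps, last_probe_null = {}, {}
    for f in frames:
        if len(f) < 24 or (f[0] >> 2) & 0x3 != 0:    # too short, or not management
            continue
        subtype, dst, src, bssid, body = f[0] >> 4, f[4:10], f[10:16], f[16:22], f[24:]
        if subtype == PROBE_REQ:
            ssid = ssid_of(body, 0)                  # probe requests have no fixed fields
            last_probe_null[src] = ssid == b""       # zero-length SSID = null probe
            continue
        if subtype not in (BEACON, PROBE_RESP):
            continue
        ap = aps.setdefault(bssid.hex(":"),
                            {"ssid_in_beacon": False, "answers_null_probe": False})
        if subtype == BEACON:
            ssid = ssid_of(body, 12)                 # skip timestamp, interval, capabilities
            ap["ssid_in_beacon"] = bool(ssid) and any(ssid)   # empty or all-NUL = hidden
        elif last_probe_null.get(dst):               # reply to a station's null probe
            ap["answers_null_probe"] = True
    return aps

def mgmt(subtype, dst, src, bssid, ssid, fixed=b""):
    """Build a constructed sample frame: 24-byte header, fixed fields, SSID element."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\x00\x00"
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

AP1, AP2, STA = (bytes.fromhex(h) for h in ("02aabbcc0001", "02aabbcc0002", "02aabbcc00f0"))
FIXED = b"\x00" * 12
SAMPLE = [                                           # constructed capture, not real traffic
    mgmt(BEACON, BCAST, AP1, AP1, b"corp", FIXED),
    mgmt(BEACON, BCAST, AP2, AP2, b"\x00\x00\x00", FIXED),
    mgmt(PROBE_REQ, BCAST, STA, BCAST, b""),
    mgmt(PROBE_RESP, STA, AP1, AP1, b"corp", FIXED),
    mgmt(PROBE_REQ, BCAST, STA, BCAST, b"lab"),
    mgmt(PROBE_RESP, STA, AP2, AP2, b"lab", FIXED),
]
```

In the sample, the second AP passes both checks, yet its SSID still appears in the probe response to a client that already knows the name, which is why these settings hide the network only from basic users.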
Extreme AirDefense User Guide for version 10.5.