User's Guide
Table Of Contents
- Table of Contents
- Preface
- Introduction
- Extreme AirDefense New User Experience
- Dashboard
- View Dashboard
- Create a Dashboard
- Manage Your Dashboard
- Delete the Dashboard
- Dashboard Widgets
- WIPS Widgets
- Widget - Top Criticalities
- Widget - Top Security Alarms
- Widget - Top Wireless Exploits
- Widget - Top Wireless Extrusions
- Widget - Top Vulnerabilities
- Widget - Severity by Device
- Widget - Severity by Tree Level
- Widget - Rogue Access Points
- Widget - Recent Rogue Events
- Widget - Anomalies
- Widget - Top BT Security Alarms
- Widget - BT Security Threat By Category
- Widget - BT Security Threat by Tree Level
- STATs Widgets
- COMPLIANCE Widgets
- WIPS Widgets
- Network View
- Alarm View
- Configuration
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Structure Configuration
- Auto-Placement Rules
- Discovery Profile and Polling Configuration
- Communication Profile
- Security Profile
- Alarm Action Manager
- Device Action Manager
- Sensor Manager
- Alarm Configuration
- Wired Network Monitoring
- Performance Profile
- Environment Monitoring
- Client Types
- Appliance Settings
- Device Age Out
- Configuration Backup
- Forensic and Log Backup
- Configuration Restore
- Download Logs
- Redundant Appliance Synchronization
- Configuration Clear
- Language Settings
- License Management
- User Management
- Relay Server
- System Settings
- Appliance Management
- System Overview
- AirDefense in Standalone Mode
- System Components
- System Requirements
- Version Compatibility for Upgrade
- Connecting to Hardware Appliance
- Configuring the Appliance
- System Configuration
- Selecting and Deploying APs and Sensors
- Connecting to the Network
- Assigning User Interfaces
- Basic Navigation
- Alarm Time Reporting
- Extreme AirDefense on Virtual Platform
- Menu
- AirDefense Dashboard
- Network Tab
- Capabilities with a Central Management License
- Select-Network View
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
- Alarms
- Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Alarm Action Manager
- Alarm Configuration
- Client Types
- Device Action Manager
- Device Age Out
- Job Status
- Location Based Services
- Location Subscriber Profiles
- Pending State - Audit
- Sensor Only Settings
- Sensor Operation
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Account Management
- Drop-down Menu Access
- Devices Drop-down Menu
- Device Functions Requiring More Explanation
- Network Level Drop-down Menus
- Global Tools
- Floor Plan Actions
- Floor Manipulation Tools
- Unplaced Devices Level Drop-down Menu
- Security
- WLAN Management
- Central Management Console
- ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
- Configure IDS
- IP Address Configuration
- IPv6
- NETPORT
- DNS Configuration
- Bonding Configuration
- hname Configuration
- dname Configuration
- Time Configuration
- Time Zone Configuration
- NTP Configuration
- PING Config
- SNMP Agent Configuration
- SNMP Community String Configuration
- SNMP Trap Configuration
- HTTP Configuration
- PANIC Configuration
- UIPORT Configuration
- Troubleshooting
- AirDefense Icons
- Legacy Content
- Menu
- AirDefense Dashboard
- Network Tab
- Capabilities with a Central Management License
- Select-Network View
- Network Devices
- Association Tree
- Network Graph
- Network Filters
- Actions Menu
- Actions Descriptions
- Advanced Search
- Alarms
- Configuration Tab
- Search
- Appliance Platform
- Security & Compliance
- Network Assurance
- Infrastructure Management
- Operational Management
- Alarm Action Manager
- Alarm Configuration
- Client Types
- Device Action Manager
- Device Age Out
- Job Status
- Location Based Services
- Location Subscriber Profiles
- Pending State - Audit
- Sensor Only Settings
- Sensor Operation
- Appliance Management
- Appliance Settings
- Backup / Restore Status
- Certificate / Key Validation
- Certificate Manager
- Configuration Backup
- Configuration Clear
- Configuration Restore
- Download Logs
- Language
- Login / SSH Banners
- Redundant Appliance Sync
- Account Management
- Drop-down Menu Access
- Devices Drop-down Menu
- Device Functions Requiring More Explanation
- Network Level Drop-down Menus
- Global Tools
- Floor Plan Actions
- Floor Manipulation Tools
- Unplaced Devices Level Drop-down Menu
- Security
- WLAN Management
- Central Management Console
- ADSPAdmin
- Accessing the ADSPadmin Console
- Manage System
- Manage the Database
- Software
- Configure AirDefense
- Configure IDS
- IP Address Configuration
- IPv6
- NETPORT
- DNS Configuration
- Bonding Configuration
- hname Configuration
- dname Configuration
- Time Configuration
- Time Zone Configuration
- NTP Configuration
- PING Config
- SNMP Agent Configuration
- SNMP Community String Configuration
- SNMP Trap Configuration
- HTTP Configuration
- PANIC Configuration
- UIPORT Configuration
- Troubleshooting
- AirDefense Icons
- Glossary
Alarm Library
To view a list of Rogue Activity Alarms for each alarm sub-type, go to Configuration > Operational
Management > Alarm Configuration, open Rogue Activity, and then open the alarm sub-type to see all
the alarms associated with the sub-type.
Vulnerabilities Alarms
Vulnerabilities Alarms alert you to weaknesses that have been detected in the airspace but are not
currently being exploited. A weakness can be exploited by either passive or active methods. For
example, unencrypted wired-side traffic leaking into the air can be exploited passively by an attacker
who simply listens and learns wired-side device information, while a rogue AP can be exploited actively
by a station associating to it.
Vulnerabilities carry an inherent security risk to the enterprise and should be evaluated carefully to
understand the exposure that would result if the vulnerability were exploited. Once a vulnerability is
discovered, remediation options should be considered so that it cannot be exploited later. Vulnerability
Alarms are broken down into the following five sub-types:
• Fuzzing - An active attack technique used to find vulnerabilities and flaws in vendors' wireless
drivers. During a fuzzing attack, a malicious user generates otherwise valid 802.11 frames but
randomly alters fields in them (lengths, information elements, reserved bits) in an attempt to
trigger parsing bugs in the receiving wireless driver. The outcome of a successful fuzzing attack
depends on the specific vulnerability in the driver; possible outcomes include full root access to
the attacked system, remote code execution, denial of service, or a kernel crash. In general,
fuzzing attacks present a significant risk to the enterprise. Because wireless drivers receive and
process broadcast traffic before any association or authentication takes place, a fuzzing attack does
not require a connection to the network, only physical proximity to the target, to succeed.
• Predictive Problems - Through passive wireless monitoring, AirDefense generates events that
indicate potential wireless security issues. These issues may stem from network or client
configuration and may not currently be exploited, but the danger exists that they could be.
Predictive problem detection allows an administrator to take proactive measures to resolve security
issues before a malicious user has the opportunity to exploit them.
• Suspect Activity - Suspect Activity captures wireless events or activity that, while not a direct attack
on the wireless network, suggest the potential for an exploit. Suspect activity events should be
reviewed as they are generated; suspect activity is often accompanied by other exploit events,
because it may be only one facet of a larger malicious activity.
• Vulnerability Assessment - ADSP actively tests the security posture of the wireless infrastructure to
determine if there are weaknesses that could allow a wireless user to access sensitive systems on the
wired side. This is accomplished by allowing the user to perform scheduled or on-demand tests that
allow the sensor to emulate a station (laptop or other wireless device), associate to one or more APs,
and test different paths of access to the wired side. The alarms in this category indicate that a
vulnerability has been found in the security posture and should be considered a high priority event,
and could relate to the exposure of sensitive information such as cardholder information. This
vulnerability may be the result of a firewall or wireless switch misconfiguration, or some other
weakness in the layered defenses. A subsequent vulnerability report can be created based on these
alarms. In addition, the Action Manager can be used to automatically disable an AP until the
vulnerability has been remediated.
• Wired Leakage - In wireless networks, unencrypted wired-side traffic leaking into the air is a result of
basic AP functionality. At its simplest, an AP is a bridge between the wired medium and the wireless
medium, allowing wireless devices to communicate with devices on the bounded wired network. An
AP typically works the same way for traffic in the reverse direction: traffic from the wired network
can be transmitted into the air, both to specific devices and to broadcast addresses. The
Configuration
Tab Alarm Configuration
Extreme AirDefense User Guide for version 10.5. 629
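The Fuzzing and Wired Leakage sub-types above both describe conditions a sensor can recognise from the 802.11 frames it overhears: a data frame bridged from the wired side (FromDS set) with the Protected bit clear, and a management frame whose information elements have been mutated so that a declared length overruns the frame. The following Python is an added example written for this guide, not AirDefense code; it does not reproduce the product's actual detection logic. It parses a minimal non-QoS 802.11 MAC header, applies those two checks, and runs them over frames constructed inline with made-up addresses. The MAC addresses, the SSID "corp", and the finding strings are all assumptions of the example.

```python
"""Offline 802.11 checks for the two conditions described above (example, not AirDefense code)."""
from dataclasses import dataclass

BROADCAST = b"\xff" * 6
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8
# Beacon and probe response bodies start with timestamp(8) + interval(2) + capability(2), then IEs.
MGMT_FIXED_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12}


@dataclass
class Frame80211:
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool
    addr1: bytes   # receiver / destination
    addr2: bytes   # transmitter (the BSSID for FromDS data frames)
    addr3: bytes   # source address on the wired side for FromDS data frames
    body: bytes


def parse_frame(raw: bytes) -> Frame80211:
    """Parse the 24-byte MAC header of a management or non-QoS data frame (assumption: no HT/QoS fields)."""
    if len(raw) < 24:
        raise ValueError("truncated MAC header")
    fc0, flags = raw[0], raw[1]          # frame control is little-endian: byte 0 type/subtype, byte 1 flags
    return Frame80211(
        ftype=(fc0 >> 2) & 0x3, subtype=(fc0 >> 4) & 0xF,
        to_ds=bool(flags & 0x01), from_ds=bool(flags & 0x02), protected=bool(flags & 0x40),
        addr1=raw[4:10], addr2=raw[10:16], addr3=raw[16:22], body=raw[24:],
    )


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def is_wired_leakage(f: Frame80211) -> bool:
    """Data frame bridged from the DS to the air (FromDS=1, ToDS=0) with no link-layer protection."""
    return f.ftype == TYPE_DATA and f.from_ds and not f.to_ds and not f.protected


def parse_ies(body: bytes) -> list[tuple[int, bytes]]:
    """Walk tag/length/value information elements; raise on a length that overruns the frame."""
    ies, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("dangling IE header")
        tag, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            raise ValueError(f"IE {tag} length {ln} overruns frame body")
        ies.append((tag, body[off + 2: off + 2 + ln]))
        off += 2 + ln
    return ies


def malformed_ie_findings(f: Frame80211) -> list[str]:
    """Length corruption of the kind a frame fuzzer produces, in beacons and probe responses."""
    if f.ftype != TYPE_MGMT or f.subtype not in MGMT_FIXED_LEN:
        return []
    try:
        ies = parse_ies(f.body[MGMT_FIXED_LEN[f.subtype]:])
    except ValueError as e:
        return [f"malformed IE: {e}"]
    # Tag 0 is the SSID element; the standard caps it at 32 octets.
    return [f"SSID IE length {len(v)} exceeds 32" for t, v in ies if t == 0 and len(v) > 32]


def analyze(raw: bytes) -> list[str]:
    f = parse_frame(raw)
    findings = []
    if is_wired_leakage(f):
        kind = "broadcast/multicast" if f.addr1[0] & 0x01 else "unicast"   # I/G bit of the DA
        findings.append(f"wired leakage: unencrypted {kind} frame from wired host {mac(f.addr3)} via {mac(f.addr2)}")
    findings.extend(malformed_ie_findings(f))
    return findings


def build_header(ftype: int, subtype: int, flags: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    return bytes([(ftype << 2) | (subtype << 4), flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"


# Constructed sample frames with made-up addresses (not captured traffic).
BSSID = bytes.fromhex("02aabbccddee")
WIRED_HOST = bytes.fromhex("020102030405")
CLIENT = bytes.fromhex("021122334455")
# 1. ARP-like payload bridged from the wired side to the broadcast address, FromDS=1 and Protected=0.
LEAK_FRAME = build_header(TYPE_DATA, 0, 0x02, BROADCAST, BSSID, WIRED_HOST) + b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00" * 28
# 2. Same direction but Protected=1 (0x40) and unicast: ordinary encrypted bridged traffic.
OK_DATA = build_header(TYPE_DATA, 0, 0x42, CLIENT, BSSID, WIRED_HOST) + b"\x00" * 40
# 3. Beacon whose SSID IE claims 60 bytes while only 4 follow: a mutated length field.
FUZZ_BEACON = build_header(TYPE_MGMT, SUBTYPE_BEACON, 0x00, BROADCAST, BSSID, BSSID) + b"\x00" * 12 + bytes([0, 60]) + b"corp"
# 4. Well-formed beacon: SSID "corp" plus a one-rate Supported Rates IE.
OK_BEACON = build_header(TYPE_MGMT, SUBTYPE_BEACON, 0x00, BROADCAST, BSSID, BSSID) + b"\x00" * 12 + bytes([0, 4]) + b"corp" + bytes([1, 1, 0x82])

if __name__ == "__main__":
    for name, frame in [("LEAK_FRAME", LEAK_FRAME), ("OK_DATA", OK_DATA), ("FUZZ_BEACON", FUZZ_BEACON), ("OK_BEACON", OK_BEACON)]:
        print(name, analyze(frame) or ["clean"])
```

The leakage check deliberately fires on unicast as well as group-addressed frames, since the passage notes that the AP bridges wired traffic to specific devices too; a deployment would normally rate the broadcast case higher because any listener in range receives it. The IE check is only a first-order heuristic: a fuzzer that keeps lengths self-consistent but mutates values will pass it, which is why the product pairs such detections with driver-crash and reconnect symptoms rather than relying on frame shape alone.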