
SWAT User Guide

Software Version 4.1.0

Wise-Mon Ltd., January 2011

Table of Contents

Chapter 1: Introduction
Overview; Existing Detection Tools; Key Features; Intruders & Malicious Stations; 802.1x & NAC; Overview of 802.1x and NAC; Online Network Discovery Tools; Additional Benefits; Organizational Tree Support; ESM Integration; Flexible MAC Address Permissions; Enhanced Reports and Query Capabilities; Easy Installation; Scalable Installation

Chapter 2: Operational Concepts
Basic Mechanism; Run Modes; Advanced Run Modes; Scaleable Solution; Faster Network Discovery Cycle; Reduced Bandwidth Utilization; Flexible Solution Supporting New Device Types

Chapter 3: Pre-Installation
System Requirements; Obtaining the Software; Database Configuration; Switch/Router Information & Configuration

Chapter 4: Installation
Installing SWAT; SWAT Directories; Reinstalling SWAT; Configuration; General - Verbose Logging; Interface; Discovery Agents & Managers; Default Installation; Creating a New Agent; Creating a New Manager; Installing the Manager; Key File Creation; Generating a Key File; Uninstalling SWAT

Chapter 5: Administration
Administration Menu; General Administration Form; Run Modes; SWAT Users; Alert Types; Alert Type List

Chapter 6: Network Configuration
Network Configuration Menu; Switch Groups; Switch Group List; Switch Group Form; Switches; Switch Filtered Results; Switch Forms; Switch Ports States; Switch Port Filtered Results; Switch Port Forms; Routers; Router Filtered Results; Router Form; Site Configuration; Site Configuration - Add Dialog Boxes; Site Configuration Filtered Results

Chapter 7: Reports
Reports Menu; Station Reports; Inactive Stations Report; New Stations Report; Station History Report; Network Reports; Inactive Ports; Active Multi MAC Ports; Multi MAC Ports; Statistics Reports; New Station Statistics; Moving Station Statistics; Station Alert Statistics; Port Statistics; Alert Console; Alert Console Filtering Pane; Alert Console Filtered Results; Scheduled Tasks; Scheduled Tasks Filtered Results

Chapter 8: Operations
Operations Menu; Station Permissions; MAC Address Filtering Pane; Add New MAC Address Pane; MAC Addresses Filtered Results; Changing Permissions; MAC Address Details; Site Permissions; Site Permission Parameters; MAC Address Permission Filtering; MAC Address Permission Parameters; Advanced Station Addition; Site Filtered Parameters

Chapter 9: Antivirus Support
SWAT's Added Value; Supporting External Antivirus Systems

Chapter 10: Advanced Settings
Switch List File; Router List File; Defining New Device Types; EquipmentTypeEntry Tags; Loading the XML File; Watchdog Service

Chapter 11: Background Processes
Job List

Chapter 12: Compliance
General Compliance Menu; Policies Management; Conditions Management; Compliance status; Compliance Statistics; Analyze; Device Types Management

Appendix A: Antivirus Integration
Symantec Configuration

Appendix B: Advanced Configuration
Database Configuration; Connection String; User Name and Password; Windows Server 2008 Configuration

Preface
Welcome to SWAT (Switch Access Control), the ideal NAC for protecting your network from unauthorized endpoint devices.

The purpose of this guide: This guide contains information for using SWAT efficiently and correctly.

Who should use this guide? This guide is intended for network and security managers.

Conventions: The manual uses the following conventions:
- Actions you need to perform are displayed in bold. For example, click OK or enter the IP address.
- This font is used for hyperlinks.
- This font is used for code and system activity.
- UPPERCASE is used for keys and acronyms.
- Cross-references are underlined. For example, see Conventions:.
- The Italic font is used to emphasize words and phrases in certain cases.

NOTE
Notes are used to call your attention to important and special information.

TIP
Tips are used to provide additional and beneficial information.

CAUTION
Caution implies essential information that should be taken with extra care.

Introduction
IN THIS CHAPTER:

Overview; Key Features; Intruders & Malicious Stations; 802.1x & NAC; Additional Benefits

1.1 Overview
SWAT (SWitch Access conTrol), a Wise-Mon NAC product, enables online mapping of IP addresses to their exact physical entry point and geographical location. This mapping is a critical feature for IDS/IPS, antivirus and risk management solutions: SWAT complements existing security tools by automatically or manually blocking the actual port of an intruder, instantly preventing unauthorized stations from connecting to the organization's LAN. SWAT also enables quick and simple migration to 802.1x, providing simple non-intrusive network access control for switches and end stations that do not support 802.1x. The product supplies a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.

1.1.1 Existing Detection Tools


Various tools exist for identifying malicious stations within the enterprise network; however, each tool lacks an important feature, which jeopardizes the network's security. SWAT complements these tools, ensuring full security and effectiveness.

Intrusion Detection Systems
IDS (Intrusion Detection Systems) scan the data passing through them on the way to the server farm or important parts of the network. IDS identify a pattern of attack and notify users of the attacker. The attacker is identified by its IP address.

Intrusion Prevention Systems
IPS (Intrusion Prevention Systems) solutions are enhanced IDS which also block the attacker after identifying it, using one of the following methods:
- Blocking its traffic.
- Terminating its TCP communication.
- Inserting access lists to firewalls and routers.
None of these blocking mechanisms excludes the malicious station from the network. They only confine the intruder and limit its access to the server farm, or at best prevent it from getting out of its segment. Intruders, however, can continue infecting stations in the unblocked part of the network. Furthermore, the stations they infect act as proxies for additional attacks.

Centralized Anti-Virus Solutions
There is a current trend to move to centralized anti-virus management on all stations inside the organization. This enables controlled update of virus information from the center, and the ability to receive alerts for:
- Discovered viruses in the enterprise.
- Stations that removed the agent of the anti-virus.
However, these products only notify the administrators of the alerts; they do not disable the malicious stations.

Risk Management Solutions
Risk Management Solution tools gather event logs and audit records from servers and devices in the enterprise. Then they correlate the records in order to discover intruders or malicious stations. If an intruder is found, the operator is notified and actions are performed accordingly. However, at the network level, only the IP address of the malicious station is known, similar to IPS capabilities.


1.2 Key Features


SWAT is a unique and very powerful complementary tool for most of the existing security products in the field of malicious station detection.
SWAT includes the following key features:

- Provides the exact location of an intruder:
  Physical: switch/slot/port.
  Geographical: building/floor/room/socket.
- Complements the capabilities of existing IDS/IPS, antivirus and risk management solutions, disabling any intruders and excluding attackers from the network within seconds of discovery.
- Includes a powerful engine, providing a distributed instantaneous online discovery process.
- Physically moves new stations to a VLAN and automatically disables/enables them, enhancing network quarantine abilities.
- Enables simple integration with management platforms (Tivoli, HP, CA and more).
- Performs online mapping, enabling IP address to MAC address mapping along with online management of organization layout.
- Easily installed, maintained and operated from a central position in the network. No additional components or adjustments to the network architecture are required.
- Multi-vendor switch support.
- Provides a full enhanced compliance mechanism using a variety of protocols: WMI, SNMP, HTTP, TELNET.

Additional features:

- Quick and simple migration to 802.1x, providing access control for switches and end stations that do not support 802.1x.
- Includes a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.

1.3 Intruders & Malicious Stations



The problem: IDS/IPS, centralized anti-virus and risk management software detect and block malicious stations either from within the organization or from the outside. These products operate and block stations at the IP address level (access lists in firewalls/routers). This solution is sufficient for intruders outside the organization; however, malicious stations residing within the organization can continue poisoning the enterprise's internal network. Most malicious stations that actually cause damage come from within the organization, thus there is a need to disconnect malicious stations based on their IP address, at the actual physical port level. Most operators require the exact physical location (switch/slot/port) of a station with a given IP address, as well as the exact geographical location (building/floor/room/socket), in order to disconnect it from the network.

Wise-Mon's solution: Serving as the next step for IDS/IPS, antivirus and risk management solutions, SWAT complements existing security tools by blocking the actual physical port of an intruder. With the ability to perform online mapping of MAC addresses, SWAT specifies the exact location of an intruder at both the physical and geographical level, right away. In order to locate newly connected stations and validate them by using their MAC addresses for identification, SWAT combines alert handling mechanisms and fast low-bandwidth switch polling. SWAT is easy to deploy and implements an easy-to-use web-based GUI with full management capabilities. Several high-speed, low-bandwidth IP scanning and router polling mechanisms provide quick identification and compliance checks for layer 3 devices.

1.4 802.1x & NAC


SWAT provides online monitoring of the location of each station connected to the internal network of the enterprise. When a malicious station is connected, SWAT discovers it within seconds to minutes and presents precise location information about it, even if the station changes its IP address. Hence, operators identify the intruder online by its IP address, and are able to disconnect it from the network at the physical switch level.

1.4.1 Overview of 802.1x and NAC


The 802.1x standard addresses the issue of access permissions to the network. When a station is connected to a switch, the user/device is prompted by the switch for authentication information. This information is passed by the switch to a RADIUS server for verification. Only when the station is authenticated does the switch allow it to connect to the network. A hardware NAC system is an extension to 802.1x; it adds additional tests and conditions, which the switch verifies before the network device is connected. The tests can include verifying that an anti-virus product is running and that the patch level is high enough.

In order to implement 802.1x there is a need for:
- Switches that support this standard.
- Network devices that support 802.1x.
- A RADIUS server which is connected to the organization's authentication store.

It is clear that within 3-5 years 802.1x will become the standard for network access authentication, both for wired & wireless devices.

The problems in implementing 802.1x: There are a few problems with the current implementation of 802.1x:
- Currently not all switches support this standard. For some switches it only requires the change of the firmware, however for others it requires the exchange of the complete switch.
- Requires a change in the enterprise network's architecture (switch, RADIUS, device drivers in stations, etc.).
- The implementation itself is very complex and requires a long deployment period (weeks to months in most organizations).
- There are many network devices that do not support 802.1x: most printers, some UNIX platforms.
- It is quite complicated to manage 802.1x.

SWAT as an easy way for 802.1x migration: SWAT enables organizations to migrate to 802.1x easily and surely. SWAT provides access control checks for switches and network stations that do not support 802.1x. The implementation of SWAT does not require any change in any switch and/or end device, and most network devices are supported as is. SWAT acts as a centralized guard of the internal network.

MAC address & location-based security permission system: SWAT supplies a security mechanism, which restricts the access to the organization's internal network based on MAC addresses. The product creates a repository of all nodes in the enterprise network. It then checks the connecting nodes and either permits or disconnects the node from the network according to the given permissions. The security parameters for a permission entry are:
- A list of ports on the switches.
- A list of switches (all the ports of a given switch).
- A list of sockets and physical access points in the geographical premises of the enterprise. A socket is represented by the following list of information: location-building-floor-room-socket.
- Time-based permission system.

1.4.2 Online Network Discovery Tools


Most network management tools include a discovery mechanism. However, these tools have the following limitations:

SWAT vs. Regular Network Discovery Tools

Network discovery tools: Centralized tools mounted on a single server. Thus, all discovery communication passes through the network to the server and there is no distributed discovery.
SWAT: SWAT has the ability to distribute agents that perform the discovery process. The discovery agents are located near the monitored equipment and perform the discovery in parallel.

Network discovery tools: High bandwidth utilization since all discoveries are centralized, entailing high expenses of bandwidth when the organization is distributed.
SWAT: SWAT locates the agents near the monitored devices, maintaining an image of the results in the agents. Only the delta between the discoveries is returned to the center. This reduces the bandwidth utilization.

Network discovery tools: Serial discovery process usually polls one node at a time, causing a slow discovery cycle. In a large network the discovery cycle can last many hours (this being the reason that most of these tools recommend scheduling a discovery cycle every few days).
SWAT: The distributed agents supply parallel discovery. SWAT also performs asynchronous discovery operations within the agent, allowing faster operations within each agent. This enables SWAT to perform a full discovery operation within minutes.

Network discovery tools: Malicious station detection tools do not integrate with any security product.
SWAT: SWAT integrates with: IDS, IPS, centralized anti-virus management stations and risk management tools.

Network discovery tools: Limited device support for only a given set of devices with mapping connections. Adding new nodes usually requires changes in the software.
SWAT: Mapping is hardly a standardized issue. SWAT is designed to enable support for new devices at site level by changing configuration files. Minimal software changes are required when adding new device support to SWAT.

Network discovery tools: No geographical location support, and usually no information, is provided about the physical location of a given node.
SWAT: SWAT enables obtaining the geographical location of a given device. The information of the location can be imported from external sources and asset management tools.

Network discovery tools: Non-scaleable, becoming very slow when the discovered network grows.
SWAT: SWAT is designed for scalability, allowing unlimited agents with unlimited managers in the centers, accepting data from the agents. The managers can also be distributed to the different devices.

NOTE
All communication between the agents and managers in the center is secured and encrypted.

1.5 Additional Benefits


1.5.1 Organizational Tree Support
SWAT enables building an organizational hierarchy tree. The hierarchy tree describes the organization's structure and contains:
- Sites.
- Buildings.
- Rooms.
- Network sockets.
Based on this organizational tree, SWAT's alerts show the exact location of an intruder, in addition to its switch/slot/port information. This allows for location-based permission rules for given devices. The organizational tree data and the connection between network sockets and switch/slot/port can be imported from existing asset management platforms in the organization, or fully maintained using only the SWAT GUI.

1.5.2 ESM Integration


By learning the network structure from installed management platforms, SWAT is easily integrated, saving the time needed for defining the switches and routers in the network. SWAT also receives the list of MAC addresses and automatically authorizes them all. Leveraging ESM platform capabilities, SWAT can be used to show port-switch-MAC-IP-socket-physical-room information in trap details, displayed by the ESM platforms. The following ESM platforms are supported:
- HP OpenView NNM
- IBM Tivoli Netview

1.5.3 Flexible MAC Address Permissions


SWAT enables setting MAC address permissions according to several flexible rules. Specific MAC addresses are allowed to connect to specific network sockets, buildings, rooms, switches, ports, at given time slots, etc. MAC address permission scenario examples:
- Allow a specific laptop to connect only to a specific floor in a specific building for a given amount of time.
- Allow only specific stations to connect to specific sockets in given buildings.

1.5.4 Enhanced Reports and Query Capabilities


Based on a relational database, SWAT generates any report needed for management. SWAT includes a large number of built-in reports such as:
- Ports locked by SWAT or other systems.
- MAC addresses in the enterprise and their authorization status.
- Different views of MAC address permissions.
- Last connection time of MAC address and its location:
  Site/building/room/socket
  Switch/slot/port

1.5.5 Easy Installation


SWAT is easy to install and maintain. It requires a single Windows-based server with SQL server (or MSDE) for database and reporting capabilities. SWAT's client is HTTP/S web-based. No additional components, switches, OS or hardware upgrades are required.

1.5.6 Scalable Installation


For large installations with thousands of switches, SWAT offers a distributed and scalable deployment, designed for any size network.


Operational Concepts
IN THIS CHAPTER:

Basic Mechanism; Run Modes; Scaleable Solution

2.1 Basic Mechanism


SWAT performs its actions by learning the VLAN topology of the organization, while matching the physical MAC addresses of the nodes in the organization to the IP addresses assigned to them. SWAT performs periodic checks of defined switches and routers. It extracts the bridge and ARP information from the devices, mapping the location of each device within the network. SWAT also receives linkup traps from the switches in the organization and examines the node connected to the originator of the trap. Every new node SWAT detects is entered into the mapping database and verified according to the permissions assigned to it. Then actions are performed based on these permissions.
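The bridge/ARP correlation described above, as an added example (not SWAT's code): router ARP rows are joined to switch bridge-table rows on the MAC address to place each IP on a switch port. The row formats, the operator-supplied uplink list and all sample data are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

Location = namedtuple("Location", "mac switch port")

# Constructed sample data: bridge rows are (switch, port, mac), ARP rows are (ip, mac).
BRIDGE = [
    ("sw-floor1", 3, "02-00-00-00-00-0A"),
    ("sw-floor1", 4, "0200.0000.000b"),
    ("sw-floor1", 24, "02:00:00:00:00:0c"),   # uplink: MAC really lives on sw-floor2
    ("sw-floor2", 7, "02:00:00:00:00:0c"),
    ("sw-floor2", 7, "02:00:00:00:00:0d"),    # second MAC behind the same port
    ("sw-floor2", 24, "02:00:00:00:00:0a"),   # uplink
]
ARP = [
    ("192.0.2.10", "02:00:00:00:00:0A"),
    ("192.0.2.11", "02:00:00:00:00:0b"),
    ("192.0.2.12", "02:00:00:00:00:0c"),
    ("192.0.2.99", "02:00:00:00:00:ff"),      # in ARP cache, on no polled port
]
UPLINKS = {("sw-floor1", 24), ("sw-floor2", 24)}   # assumed to be supplied by the operator
KNOWN = {"02:00:00:00:00:0a", "02:00:00:00:00:0c"}  # already in the repository


def normalize_mac(raw):
    """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def access_ports(bridge_rows, uplinks):
    """MAC -> set of (switch, port) it was learned on, ignoring uplinks.

    An inter-switch uplink learns every MAC behind the neighbouring switch,
    so it says nothing about where a station is physically plugged in.
    """
    seen = {}
    for switch, port, mac in bridge_rows:
        if (switch, port) not in uplinks:
            seen.setdefault(normalize_mac(mac), set()).add((switch, port))
    return seen


def map_ips(bridge_rows, arp_rows, uplinks=frozenset()):
    """Join ARP rows with bridge rows on the MAC; return (located, unlocated)."""
    ports = access_ports(bridge_rows, uplinks)
    located, unlocated = {}, []
    for ip, mac in arp_rows:
        mac = normalize_mac(mac)
        candidates = ports.get(mac, set())
        if len(candidates) == 1:
            switch, port = next(iter(candidates))
            located[ip] = Location(mac, switch, port)
        else:
            unlocated.append(ip)   # never seen, or seen on several ports
    return located, unlocated


def new_stations(located, known_macs):
    """Located stations whose MAC is not yet in the repository."""
    known = {normalize_mac(m) for m in known_macs}
    return sorted(loc for loc in set(located.values()) if loc.mac not in known)


def multi_mac_ports(bridge_rows, uplinks):
    """Access ports with more than one MAC behind them (hub or unmanaged switch)."""
    by_port = {}
    for mac, places in access_ports(bridge_rows, uplinks).items():
        for place in places:
            by_port.setdefault(place, set()).add(mac)
    return {p: sorted(m) for p, m in by_port.items() if len(m) > 1}
```

Without the uplink list, a MAC seen on both its access port and an uplink is ambiguous and ends up in the unlocated list rather than being placed on the wrong port.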

2.2 Run Modes


Various run modes are available for learning and maintaining images of existing devices in an enterprise's internal network.
- Learn mode: newly discovered MAC addresses are automatically set as valid and authorized for accessing the whole network. Known address permissions are left unchanged. This mode is suitable for enterprises that just installed SWAT and want to build their device repository. SWAT also supports the option of loading all the valid devices in the organization from an external source.
- Warn mode: a warning is sent by email or written to an event log when unidentified/unauthorized MAC addresses connect to the network via open ports. The unidentified MAC addresses are then blacklisted.
- Disconnect mode: when unidentified/unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected. The unidentified MAC addresses are then blacklisted.

NOTE
Each and every mode can be configured for the entire enterprise network or a specific switch or port.

2.2.1 Advanced Run Modes


- Learn and Lock for Group: connecting MAC addresses receive authorization for the group of switches to which they are connected.
- Learn and Lock for Switch: connecting MAC addresses receive authorization for all ports on the switch to which they are connected.
- Learn and Lock for Port: connecting MAC addresses receive authorization for the port to which they are connected.
- Learn Once and Warn: connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Warn mode.
- Learn Once and Disconnect: connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Disconnect mode.
- Move to VLAN: connecting new stations are physically moved to a VLAN and automatically disabled/enabled. This run mode enables enhanced network quarantine capabilities: stations receive new permissions in accordance with the VLAN to which they are moved. Furthermore, stations that receive a new dynamic IP address are discovered by SWAT.

The decision-making process, which takes place when access is determined for a connecting computer during Warn or Disconnect mode, is as follows:
- Unknown computer: the MAC address is blacklisted and its port is warned or disconnected.
- Known computer: the MAC address permissions are verified according to the switch and port through which they connect.

NOTE
In order to stay connected, the permissions (exclusively positive or negative) have to either approve the switch/port or not deny the switch/port.


If the current run mode is any type of learn mode, the computer's MAC address is authorized in one of the following ways:
- If the MAC address is authorized to access the port, its permissions are not altered.
- If the address is not authorized:
  - Learn-and-Lock modes add permissions to the switch/port.
  - Learn and Learn Once modes add permissions to the entire network; old permissions are deleted.
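The decision process above, modelled as an added example (not SWAT's own code). Group scopes and Move to VLAN are left out; the class names, the action strings, and the choice to switch a Learn Once port's mode on every connection are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class RunMode(Enum):
    LEARN = "learn"
    WARN = "warn"
    DISCONNECT = "disconnect"
    LEARN_LOCK_SWITCH = "learn_lock_switch"
    LEARN_LOCK_PORT = "learn_lock_port"
    LEARN_ONCE_WARN = "learn_once_warn"
    LEARN_ONCE_DISCONNECT = "learn_once_disconnect"


NETWORK = ("network",)   # scope that covers every switch and port


@dataclass
class Permission:
    # Permissions are "exclusively positive or negative": one kind per MAC.
    kind: str                                 # "allow" or "deny"
    scopes: set = field(default_factory=set)  # NETWORK, ("switch", sw), ("port", sw, p)

    def covers(self, switch, port):
        wanted = {NETWORK, ("switch", switch), ("port", switch, port)}
        return bool(wanted & self.scopes)

    def authorizes(self, switch, port):
        # Allow lists must approve the port; deny lists must not deny it.
        hit = self.covers(switch, port)
        return hit if self.kind == "allow" else not hit


class Engine:
    def __init__(self, default_mode):
        self.default_mode = default_mode
        self.port_modes = {}     # (switch, port) -> RunMode override
        self.permissions = {}    # mac -> Permission
        self.blacklist = set()

    def on_connect(self, mac, switch, port):
        """Return 'stay', 'learned', 'warn' or 'lock_port' for a connecting MAC."""
        mac = mac.lower()
        mode = self.port_modes.get((switch, port), self.default_mode)
        perm = self.permissions.get(mac)
        authorized = perm is not None and perm.authorizes(switch, port)

        if mode in (RunMode.WARN, RunMode.DISCONNECT):
            if authorized:
                return "stay"
            if perm is None:                 # unknown computer: blacklist it
                self.blacklist.add(mac)
            return "warn" if mode is RunMode.WARN else "lock_port"

        # Learn modes. Learn Once: the port leaves learn mode after this
        # connection (assumption: also when the MAC was already authorized).
        if mode is RunMode.LEARN_ONCE_WARN:
            self.port_modes[(switch, port)] = RunMode.WARN
        elif mode is RunMode.LEARN_ONCE_DISCONNECT:
            self.port_modes[(switch, port)] = RunMode.DISCONNECT
        if authorized:
            return "stay"                    # permissions are not altered

        if mode in (RunMode.LEARN_LOCK_SWITCH, RunMode.LEARN_LOCK_PORT):
            scope = (("switch", switch) if mode is RunMode.LEARN_LOCK_SWITCH
                     else ("port", switch, port))
            if perm is None or perm.kind != "allow":
                # Assumption: a deny-type entry is replaced by an allow list.
                perm = self.permissions[mac] = Permission("allow")
            perm.scopes.add(scope)           # add to existing permissions
        else:
            # Learn / Learn Once: whole network, old permissions deleted.
            self.permissions[mac] = Permission("allow", {NETWORK})
        return "learned"
```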

2.3 Scaleable Solution


SWAT is scalable to networks of all sizes. This is implemented by allowing the distribution of SWAT collector agents near the devices they monitor, thus providing the following added value:
- Faster network discovery cycle.
- Reduced bandwidth utilization.
- Secured communication.

Figure 2-1: Optional distributed architecture

2.3.1 Faster Network Discovery Cycle


Since SWAT operates in a distributed mode, it can perform discovery operations in parallel. This enables a very fast discovery cycle. In addition, the agents are also designed to perform fast discovery by performing their queries both asynchronously and simultaneously.


Parallelism in two places:

- Multiple agents perform the discovery in parallel on different parts of the network.
- Each agent sends its requests asynchronously to the switches and routers it monitors, and then correlates the answers. This way the discovery cycle within each agent is very short.

2.3.2 Reduced Bandwidth Utilization


The agents are designed to use as little bandwidth as possible. This is critical when the organization is composed of several sites connected by WAN lines. The agents pass the discovered information periodically; however, in order to reduce bandwidth utilization, the agents keep an image of the discovered information in their memory and pass only the changes to the center. Thus, there is hardly any traffic directed to the center, even when the discovery process runs at high frequency. At a defined interval, the agent notifies the center of the status of the switches/routers. If for any reason the agent does not send keep-alive information to the manager within a predefined time, the SWAT administrator is notified.
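The delta reporting and keep-alive behaviour described above, as an added example (not SWAT's code or wire format): the agent keeps the last discovery image and reports only changed ports, and the manager flags agents whose keep-alive is overdue. The class names, the snapshot layout and the sample data are assumptions constructed for illustration.

```python
# Constructed snapshots: (switch, port) -> set of MAC addresses seen on that port.
SNAPSHOT_1 = {
    ("sw1", 1): frozenset({"02:00:00:00:00:0a"}),
    ("sw1", 2): frozenset({"02:00:00:00:00:0b"}),
}
SNAPSHOT_2 = {
    ("sw1", 1): frozenset({"02:00:00:00:00:0a"}),
    ("sw1", 3): frozenset({"02:00:00:00:00:0c"}),   # port 2 emptied, port 3 is new
}


class DiscoveryAgent:
    def __init__(self, agent_id):
        self.agent_id = agent_id
        self.image = {}          # last discovery result, kept in memory

    def cycle(self, snapshot):
        """Return only what changed since the previous cycle.

        A value of None means the port no longer has any entry.
        """
        keys = self.image.keys() | snapshot.keys()
        delta = {k: snapshot.get(k) for k in keys
                 if self.image.get(k) != snapshot.get(k)}
        self.image = dict(snapshot)
        return delta


class Manager:
    def __init__(self, keepalive_timeout):
        self.keepalive_timeout = keepalive_timeout
        self.views = {}          # agent_id -> reconstructed image
        self.last_seen = {}      # agent_id -> time of last message

    def keepalive(self, agent_id, now):
        self.last_seen[agent_id] = now
        self.views.setdefault(agent_id, {})

    def receive(self, agent_id, delta, now):
        """Apply a delta; any message from the agent also counts as a keep-alive."""
        self.keepalive(agent_id, now)
        view = self.views[agent_id]
        for key, macs in delta.items():
            if macs is None:
                view.pop(key, None)
            else:
                view[key] = macs

    def silent_agents(self, now):
        """Agents the administrator should be notified about."""
        return sorted(a for a, t in self.last_seen.items()
                      if now - t > self.keepalive_timeout)
```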

2.3.3 Flexible Solution Supporting New Device Types


In order to build an accurate mapping, SWAT is required to learn the information from switches within the organization. Despite the bridge information standard (Bridge MIB), some switches do not support this MIB, and many support it in different ways. With SWAT, the installer of the product can easily introduce new devices to the product by directing it to where the information is located. This process can be carried out at site level by the operator of the product.


Pre-Installation
IN THIS CHAPTER:

System Requirements; Obtaining the Software; Database Configuration; Switch/Router Information & Configuration

3.1 System Requirements


Hardware Requirements
Prerequisite | Additional Specifications
Platform | Intel.
Disk space | At least 250 MB.
CPU | Dual Pentium IV 2.0GHz processors with 512 KB cache. SWAT's CPU consumption depends on the number of monitored switches and connected nodes. NOTE: It is assumed that SWAT is also running the database used by the product, however this is not a requirement.
RAM | 2 GB

Software Requirements
Prerequisite | Additional Specifications
Operating system | Windows 2000 server (Service Pack 3); Windows 2003 server.
Internet information services | IIS 5 or IIS 6.
Microsoft .Net framework | Version 1.1. NOTE: To ensure that IIS supports .NET pages, you need to run the file aspnet_regiis.exe, located in winnt (windows - in 2003)\Microsoft.NET\Framework\#Version.
Database | MS SQL server 2000 with service pack 3. This database should be purchased separately; SWAT does not include an installation of SQL server. MSDE database.
Windows Installer | SWAT installation uses MSI installation. This requires the latest version of Windows Installer (a Windows component). The required version of Windows Installer is already bundled with service pack 3 of Windows 2000.
Internet browser | SWAT's graphical user interface is web-based. In order to use the GUI, you need Internet Explorer 6 and above.

3.2 Obtaining the Software


To obtain the software:

Contact Wise-Mon Technologies at sales@Wise-Mon-t.com and provide the following information:
- The operating system on which you plan to install the product.
- IP and MAC addresses of the computer running SWAT.

Wise-Mon provides you with a user name and password to access the FTP site, customers.Wise-Mon-t.com, from where the installation package can be downloaded. You will also receive the license file required for operating the product.

3.3 Database Configuration


The installation process assumes the following:
- The SQL server/MSDE database is running on the same LAN on which SWAT is installed.
- The database permits both SQL server and Windows authentication.

NOTE
Do not install the MSDE on a computer that already has an SQL server installed on it.

Setting the SQL server and Windows authentication: The following instructions refer only to SQL servers. For the MSDE database, other instructions are available in the readme file located in the MSDE directory on Wise-Mon's FTP site. In order to set the SQL server and Windows authentication in the database server, perform the following:
1. Enter the SQL server's Enterprise Manager.
2. Select the Properties section of the database server.
3. Select the Security tab.
4. Select the SQL server and Windows option.

Figure 3-1: SQL server and Windows authentication

Checking the database definitions: You can check the database definitions by creating an ODBC entry for the database, and then verifying that the database is up and that the SQL server user and password are valid.


3.4 Switch/Router Information & Configuration


In order to configure the switches/routers, you need to first perform the following steps:
1. Make sure you know all the IP addresses of all the switches.

TIP
Switch/router information can be obtained automatically by configuring SWAT to do so in the Management Platforms Connectivity pane of the General Administration form (see General Administration Form on page 32 for more information).

2. Make sure that the switch is configured to accept SNMP requests both from the SWAT agent's location and from SWAT's central server (if they are not located on the same machine).
3. Select the method of setting definitions for the switch/switch groups (SNMP or SSH), either from the General Administration Form or per switch in the Switch form (see Switch Forms on page 53 for more information).


Installation
IN THIS CHAPTER:

Installing SWAT; SWAT Directories; Configuration; Discovery Agents & Managers; Key File Creation; Uninstalling SWAT

4.1 Installing SWAT


To install SWAT perform the following:
1. Open the compressed file and extract the installation files.
2. Execute the file named Setup.exe. The SWAT Installation Wizard opens.

Figure 4-1: Installation Wizard

3. Click Next and follow the directions on the screen.


NOTE
If you decide to change the default destination folder, make sure the directory does not contain any spaces in the path, otherwise the product might malfunction.

4. After the Destination Folder screen appears, click Next to begin transferring files to the destination folder. When this is done the following screen appears:

Figure 4-2: Database location

5. In the Database Connection String tab, enter the database you want to work with, your user name and password.


6. In the General tab, enter the required Verbose level (Verbose=0-9 sets the trace and verbose level: 0 = no output, 1 = error output, 9 = debug info) and click Apply.

Figure 4-3: Installation; Verbose

7. In the License tab, copy the license from the license file and click Apply. (If you do not know your license number, contact Wise-Mon).

Figure 4-4: Swat license


NOTE
The installation process takes 5 to 8 minutes.

The installation process performs the following operations:
- Copies files into the destination directory tree (see SWAT Directories below).
- Creates the SWAT database and tables in the database server.
- Creates a website for SWAT using Internet Information Services.

4.2 SWAT Directories


The following table presents the list of SWAT directories and a brief description:
Directory | Description
[INSTALLDIR] | Main directory.
[INSTALLDIR]\bin | Binaries.
[INSTALLDIR]\bin\SWAT_JOBD | SWAT launch scripts.
[INSTALLDIR]\bin\OS_USER_MANAGEMENT | Installation scripts.
[INSTALLDIR]\bin\EVENT_LOG | Enables adding alerts to the event log on the server.
[INSTALLDIR]\bin\IIS_MANAGMENT | Files for installing SWAT's website.
[INSTALLDIR]\bin\DATABASE_MANAGMENT | Scripts that manage the database (e.g., creating the database).
[INSTALLDIR]\doc | Help file.
[INSTALLDIR]\SwatAgent | Agent files, including file for creating a new agent.
[INSTALLDIR]\SwatManager | All manager files, including installation file for creating a new manager.
[INSTALLDIR]\Data | Application data files.
[INSTALLDIR]\ini | Configuration files.
[INSTALLDIR]\log | Log files.
[INSTALLDIR]\Temp | Temporary files.
[INSTALLDIR]\web | Web files.


4.2.1 Reinstalling SWAT


Using a new database:
To use a new database, you need to perform the following steps before reinstalling a new version/uninstalling an old version of SWAT:
1. Open the SQL Server Manager.
2. Connect to the SWAT database.
3. Open Management->Current Activities->Process info section in the tree.
4. Right-click the SWAT Process Database column (listed as SWAT).
5. Select Kill Process.
6. Open Current Activities and refresh the screen.
7. From the SWAT database, perform the delete action (not detach).
8. Uninstall SWAT.
9. Reinstall SWAT.

Saving previous databases:
If you reinstall SWAT and do not want to lose the configuration information that was entered in the previous installation, perform the following:
1. Create a backup of SWAT's database information using the batch file:
[INSTALLDIR]\bin\DATABASE_MANAGEMENT\DuplicateDB.bat
This script copies the existing SWAT database into a temporary database before the uninstall process.

NOTE
Step 1 is possible only if the database is local (on the server).

For a remote database, you need to manually copy the database using SQLEnterprize as follows:
a. Open the SQL Server Manager.
b. Connect to the SWAT database.
c. Open Databases>SWAT. Right-click All Tasks and select the Backup Database section in the tree.
d. Select the database backup file on your computer.
e. Open Databases and right-click All Tasks. Select the Database section in the tree and set the new database's name as SWAT_OLD.
f. Select the file you saved in step e.

2. Delete the SWAT database (see Database Configuration on page 15 for more information).
3. Uninstall SWAT from the control panel.
4. Follow the installation process.
5. After the installation process is complete, restore the old database using the batch file:
[INSTALLDIR]\bin\DATABASE_MANAGEMENT\RestoreDB.bat
This script copies the existing SWAT database from the temporary database into the production database.

4.3 Configuration
The configuration definitions for SWAT are saved in a file named SWAT.ini located in the [INSTALLDIR]/ini directory. In order for changes in the file to take effect, the processes of SWAT must be restarted. The file format appears below:
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=1
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=sa
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no
;------------------------------------------------------------
;Interface types
;regular interfaces see mib description 2-32
;Avaya 10/100 (p580,p880) - 62
;Giga port - 117
;------------------------------------------------------------
[interface]
InterfaceTypes=2-32,62,117

NOTE
Lines beginning with a semi-colon are ignored.


4.3.1 General - Verbose Logging


Detailed logging options are available for troubleshooting and debugging purposes.
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error
;output, 9-debug info
Verbose=1

These options are defined using the parameter Verbose in the General section. The valid values are 0, 1, and 9:
0: No logging output is written.
1: Default value to log (only errors).
9: Full logging of all actions. Use this value only when you encounter problems with the product and want to collect data about the reason. Do not leave this value for a long period of time, since it increases the log file dramatically.

NOTE
There is a log cleanup mechanism that truncates log files that are bigger than 100 MB. It is recommended to leave the verbose set to 1.

4.3.2 Interface
InterfaceTypes=2-32, 62, 117

The Interface section defines the IfTypes of interfaces SWAT monitors. IfTypes are extracted from the SNMP interface MIB. Since switches can contain both logical and VLAN interfaces, the list under the parameter InterfaceTypes identifies only the physical interfaces.

NOTE
It is recommended not to change this list without consulting Wise-Mon.
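
The settings described in sections 4.3 to 4.3.2 can be checked mechanically. The following is an added example, not part of the SWAT product or the original guide: it parses a SWAT.ini in the format shown above and reports the conditions the guide itself calls out (Verbose left at 9, a changed InterfaceTypes list) plus the sample's use of the SQL Server sa login with a password equal to the user name. The finding codes and function names are assumptions made for this example.

```python
import configparser

# Constructed sample in the SWAT.ini layout from section 4.3; Verbose=9 is a
# deliberate deviation from the shipped file so the audit has something to report.
SAMPLE_SWAT_INI = """\
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=9
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=sa
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no
;Interface types
[interface]
InterfaceTypes=2-32,62,117
"""

SHIPPED_INTERFACE_TYPES = "2-32,62,117"  # value shown in the guide


def parse_swat_ini(text):
    """Parse SWAT.ini. Only lines that begin with ';' are comments; values
    such as the dsn contain ';' themselves, so inline comments stay disabled."""
    parser = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=(";",),
        inline_comment_prefixes=None, interpolation=None)
    parser.read_string(text)
    return parser


def expand_interface_types(spec):
    """Expand a list such as '2-32,62,117' into sorted ifType integers."""
    types = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low > high:
                raise ValueError("reversed range: " + part)
            types.update(range(low, high + 1))
        else:
            types.add(int(part))
    return sorted(types)


def audit_swat_ini(text):
    """Return a list of (code, message) findings for one SWAT.ini."""
    ini = parse_swat_ini(text)
    findings = []

    verbose = ini.get("general", "Verbose", fallback="1").strip()
    if verbose not in ("0", "1", "9"):
        findings.append(("verbose-invalid", "Verbose must be 0, 1 or 9"))
    elif verbose == "9":
        findings.append(("verbose-debug",
                         "Verbose=9 is for troubleshooting only; set it back to 1"))

    user = ini.get("database", "user", fallback="").strip()
    password = ini.get("database", "password", fallback="").strip()
    if user.lower() == "sa":
        findings.append(("db-sa-login",
                         "SWAT connects with the SQL Server sysadmin login"))
    if password and password.lower() == user.lower():
        findings.append(("db-password-equals-user",
                         "database password is identical to the user name"))

    spec = ini.get("interface", "InterfaceTypes", fallback=SHIPPED_INTERFACE_TYPES)
    if expand_interface_types(spec) != expand_interface_types(SHIPPED_INTERFACE_TYPES):
        findings.append(("interface-types-changed",
                         "InterfaceTypes differs from the list shown in the guide"))
    return findings


if __name__ == "__main__":
    for code, message in audit_swat_ini(SAMPLE_SWAT_INI):
        print(code + ": " + message)
```

Because SWAT.ini stores the database password in clear text, the same script is also a reminder to restrict read access on the [INSTALLDIR]\ini directory.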

4.4 Discovery Agents & Managers


SWAT is designed to perform extremely fast discovery cycles; to accomplish this task discovery managers and agents are created. SWAT supports the creation and distribution of multiple agents and managers. The managers communicate with SWAT's logic through the database, and therefore they should be located in or near the SWAT server. The agents should be spread in the enterprise network, as close as possible to the switches and routers they monitor. The best location for an agent in a remote branch is on a regional server. The discovery agents themselves are designed for speed. They query the switches and routers in their responsibility zone simultaneously, in an asynchronous way. The communication between the SWAT agents and managers is designed to be minimal. To achieve this goal each agent keeps an image of its monitored segment, and reports only the changes in the network to the center. The changes are relatively minimal.

Dividing switches/routers between agents:
Through the SWAT GUI, the administrator determines which agent/manager monitors a given switch or router.

Secured agent and manager communication:

The agent and manager communication is designed for security; the manager is the originator of the communication. There is an authentication process between the agent and manager. The communication between the agent and manager is encrypted (based on a shared password used for generating an encryption key, which is used to encrypt their communication).

4.4.1 Default Installation


SWAT comes in the default installation with a single agent and manager. They are both installed as services on the machine that runs SWAT. The service names are:
SwatSwitchManager: SWAT manager.
SwatSwitchAgent: SWAT agent.
By default the agent waits for a manager to connect to it on port 54100 with the TCP protocol. The parameters used by the agent and manager are taken from the SWAT agent.xml and SWAT manager.xml.

4.4.2 Creating a New Agent


In order to create a new agent, copy all the contents of [INSTALLDIR]\SwatAgent, including its sub-directories, to the target computer. The following directories are copied:

Agent Directories
Directory: Description
[INSTALLDIR]: Main directory.
[INSTALLDIR]\bin: Binaries.
[INSTALLDIR]\ini: Configuration files.
[INSTALLDIR]\log: Log files.
[INSTALLDIR]\Temp: Temporary files.

CAUTION
Do not use the installation SwatAgent and SwatManager folders. Instead, copy them to a new location and then proceed with the installation of the agents and managers.

Run the script Install.bat located in the [INSTALLDIR]\bin directory. The script is designed for the Windows platform, although there are agents that can run on non-Windows platforms (UNIX: HPUX, SUN, Linux). The script receives two parameters, which specify the [INSTALLDIR] and the port on which the agent runs. For example:
Install c:\Wise-Mon\swat\SwatAgent 54100
The script changes the ini files so the agent binds to this port number and waits for a manager call from there. The script also creates a service named Wise-MonSwatSwitchAgent_agentPort, which is automatically started.

NOTE
You need to choose a different port for each agent.

SwatAgent.xml ini File
The agent uses the following XML-based ini file. The file contains parameters which are relevant to the agent's operations.
<SwatSwitchAgent>
<SWATXMLFile>C:\WISE-MON\SWAT\SwatAgent\ini\Swat.xml</SWATXMLFile>
<KeyFile>127.0.0.1.54100</KeyFile>
<nTCPPort>54100</nTCPPort>
<KeepAliveTimeout>120</KeepAliveTimeout>
<nRetry>2</nRetry>
<nTimeout>3</nTimeout>
</SwatSwitchAgent>

Parameter: Description
SWATXMLFile: Points to SWAT's internal ini file, located in the ini directory as well. NOTE: This parameter should not be changed.
KeyFile: Points to the encryption and authentication key file, used for manager authentication and data encryption.
nTCPPort: Controls the port that the agent binds to. The manager then connects to this port.
KeepAliveTimeout: Notifies the agent that after the defined number of seconds a keep-alive message must be sent to the manager, even if no information is required to be sent.
nRetry: The default value for retry operations when polling the communication devices.
nTimeout: The default value for time-out value for requests sent to the communication devices.
UnInstall the agent: Runs the script: UnInstall.bat located in the [INSTALLDIR]\bin directory. If the script does not receive parameters it removes the agent service.
MailSubjectPrefix: Added as a prefix to the subject of the emails that SWAT sends.

4.4.3 Creating a New Manager


In order to create a new manager, copy all the contents of [INSTALLDIR]\SwatManager, including its sub-directories, to the target computer. The following directories are copied:

Manager Directories
Directory: Description
[INSTALLDIR]: Main directory.
[INSTALLDIR]\bin: Binaries.
[INSTALLDIR]\ini: Configuration files.
[INSTALLDIR]\log: Log files.
[INSTALLDIR]\Temp: Temporary files.

4.4.4 Installing the Manager


To install the manager:

Run the script Install.bat located in the [INSTALLDIR]\bin directory. The script is designed for the Windows platform. The script receives two parameters, which specify the [INSTALLDIR] and the manager ID assigned to the manager. For example:
Install C:\WISE-MON\SWAT\SwatManager 1
The script changes the ini files so the manager has the given manager ID. The script also creates a service named SwatSwitchManger_managerid, which is automatically started.

SwatManager.xml ini File
The managers use the following XML-based ini file. The file contains the following parameters that are relevant to the manager's operations.
<SwatSwitchManager>
<SWATXMLFile>C:\WISE-MON\SWAT\SwatManager\ini\Swat.xml</SWATXMLFile>
<ManagerId>1</ManagerId>
<ReloadSwitchListTimeout>300</ReloadSwitchListTimeout>
<ConnectionTimeout>180</ConnectionTimeout>
<ReplyTimeout>180</ReplyTimeout>
</SwatSwitchManager>

Parameter: Description
SWATXMLFile: Points to SWAT's internal ini file, located also in the INI directory. NOTE: This parameter should not be changed.
ManagerID: Specifies the manager ID assigned to the given manager. When adding a new router/switch, one of the parameters is the number of the manager assigned to the given switch.
ReloadSwitchListTimeout: The switch and router definitions under the responsibility of this manager can be changed due to user additions/deletions or renewed discovery on the switches and routers configuration. This parameter instructs the manager to reload these definitions every given period (in seconds). If a change is discovered, which is relevant to a given agent, the configuration is resent to the agent.
ConnectionTimeout: Instructs the manager to send an alert to the operator if an agent did not respond in the given time-out (in seconds).
ReplyTimeout: Specifies the time-out value for retrying to reconnect to an agent that was previously unavailable.

Uninstalling the Manager
Run the script UnInstall.bat located in the [INSTALLDIR]\bin directory. If the script does not receive parameters, it removes the manager service.

4.5 Key File Creation


The key file is an encrypted file containing data used for authenticating the conversation partners and for encrypting the data that passes on that conversation. Each session between a manager and agent should have a key file that exists on both sides. The key files in the manager are named after the IP address and the port number of the given agent, using the convention: IP_address.port_number. For example, for an agent sitting on a station with the IP 10.0.1.150 and binding to port 54100, the file is named 10.0.1.150.54100. In the agent's ini file, there is a key that specifies the name of the key file used by the agent.


4.5.1 Generating a Key File


As mentioned before, each session between an agent and manager should have a key file. The same key file can be used on more than one session; however, this is less secure.

To generate a key file:
1. Create a clear text key file, and enter a password in it.
2. Run the executable:
[INSTALLDIR]\bin\encryptfile.exe clr_file_name encrypted_file_name
where:
clr_file_name is the full path to the clear text key file.
encrypted_file_name is the full path to the encrypted key file generated.

The encrypted file generated should be copied to the manager's [INSTALLDIR]\ini\ directory with the name specified. The encrypted file generated should also be copied to the agent's [INSTALLDIR]\ini\ directory and pointed to by the SwatAgent.xml KeyFile tag.
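
To find sessions that share key material, which the guide describes as less secure, the manager's ini directory can be scanned for key files with identical content. The following is an added example, not part of SWAT: it recognises manager-side key files by the IP_address.port_number naming convention, groups them by SHA-256 digest, and derives the manager-side key name from a SwatAgent.xml. It assumes a reused key shows up as a byte-identical encrypted file (the output format of encryptfile.exe is not documented here); the function names, sample addresses and file contents are constructed.

```python
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Manager-side key files are named IP_address.port_number (section 4.5).
KEY_NAME = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})$")

# Constructed sample in the SwatAgent.xml layout from section 4.4.2. The port
# was changed to 54101 without renaming the key file, to show the mismatch check.
SAMPLE_AGENT_XML = r"""<SwatSwitchAgent>
<SWATXMLFile>C:\WISE-MON\SWAT\SwatAgent\ini\Swat.xml</SWATXMLFile>
<KeyFile>10.0.1.150.54100</KeyFile>
<nTCPPort>54101</nTCPPort>
</SwatSwitchAgent>"""


def parse_key_name(name):
    """Return (ip, port) if name follows IP_address.port_number, else None."""
    match = KEY_NAME.match(name)
    if not match:
        return None
    ip, port = match.group(1), int(match.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 1 <= port <= 65535:
        return None
    return ip, port


def manager_key_for_agent(xml_text, agent_ip):
    """Derive the key file name the manager needs for this agent and flag a
    KeyFile tag whose port suffix disagrees with nTCPPort (a heuristic: the
    agent may name its key file freely)."""
    root = ET.fromstring(xml_text)
    port = int(root.findtext("nTCPPort").strip())
    key_file = root.findtext("KeyFile").strip()
    base_name = key_file.replace("\\", "/").rsplit("/", 1)[-1]
    parsed = parse_key_name(base_name)
    return {
        "manager_key_name": "%s.%d" % (agent_ip, port),
        "agent_key_file": key_file,
        "port_mismatch": parsed is not None and parsed[1] != port,
    }


def find_shared_keys(manager_ini_dir):
    """Return lists of key file names whose contents are byte-identical."""
    by_digest = {}
    for name in sorted(os.listdir(manager_ini_dir)):
        path = os.path.join(manager_ini_dir, name)
        if parse_key_name(name) is None or not os.path.isfile(path):
            continue  # Swat.xml and other ini files are not key files
        with open(path, "rb") as handle:
            digest = hashlib.sha256(handle.read()).hexdigest()
        by_digest.setdefault(digest, []).append(name)
    return [names for names in by_digest.values() if len(names) > 1]


def build_constructed_ini_dir():
    """Create a temporary stand-in for a manager's ini directory."""
    directory = tempfile.mkdtemp(prefix="swat_ini_")
    samples = {
        "10.0.1.150.54100": b"constructed-encrypted-key-A",
        "10.0.2.20.54100": b"constructed-encrypted-key-A",  # same key reused
        "10.0.3.7.54100": b"constructed-encrypted-key-B",
        "Swat.xml": b"<Swat/>",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(data)
    return directory


if __name__ == "__main__":
    for group in find_shared_keys(build_constructed_ini_dir()):
        print("key shared by sessions:", ", ".join(group))
    print(manager_key_for_agent(SAMPLE_AGENT_XML, "10.0.1.150"))
```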

4.6 Uninstalling SWAT


To uninstall SWAT:
1. Open Start > Settings > Control Panel.
2. Open Add/Remove Programs.
3. Select Wise-Mon Technologies - SWAT.
4. Click Remove.

After uninstalling SWAT, remove the SWAT database from the database server you created (using the database tools).

NOTE
The uninstall package does not remove newly created files. To remove these you need to delete the SWAT directory.


Administration
IN THIS CHAPTER:

Administration Menu
General Administration Form
SWAT Users
Alert Types

5.1 Administration Menu


The Administration menu lets you set up the default settings and attributes for SWAT.

Figure 5-1: Administration menu

The Administration menu includes the following options:


Option: Description
General: Opens the General Administration form, for you to enter various parameter definitions. See General Administration Form on page 32 for more information.
SWAT Users: Determines the groups to be recognized by SWAT. See SWAT Users on page 38 for more information.
Alert Types: Displays the list of available alerts. See Alert Types on page 40 for more information.

Chapter 5: Administration


5.2 General Administration Form


Select General from the Administration menu to open the General Administration form:

Figure 5-2: General Administration form

Use the General Administration form to define the following general parameters that govern how SWAT operates:


Mail Pane
Use: To
Administration Mail: Enter the email address to which you want the warnings to be sent. NOTE: Separate multiple addresses with a comma.
Mail Server IP: Enter the IP address of the mail server. TIP: You can also enter the name of the server.

Default Operations Settings Pane
Use: To
Run Mode: Select the required run mode from the drop-down list. The run mode is the action SWAT performs when a computer connects to the network via an open port (see Run Modes on page 10 for further details).
Permission: Select the permission you want to give to connecting computers:
  All: no restriction.
  Lock for group: restricted to a defined group.
  Lock for switch: restricted to a defined switch.
  Lock for port: restricted to a defined port.
  Lock for VLAN: restricted to a defined VLAN.
  NOTE: Permission is relevant only when the run mode is of the Learn group.
VLAN Number: Enter the required VLAN number when using Move to VLAN run mode.
Switch Check Frequency (minutes): Enter the required interval in minutes between each cycle of discovery, i.e., the process of detecting new MAC addresses in the network. (This information is used by the agents.)
Disconnect Time (minutes): The amount of time SWAT leaves a port disconnected after an unauthorized intrusion. NOTE: The value zero causes a disconnection for an unlimited amount of time.
Unmanage MultiMAC Interface: Select Yes or No. When this attribute is set to Yes, ports with multiple addresses connected to them are unmanaged and SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect MultiMAC Interface: Select Yes or No. When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode. NOTE: MAC addresses disconnected in this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.
Check Spoofing on Multi-MAC Interface: Select Yes to activate the spoofing check on multi-MAC interfaces. The default setting is No.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
Agent IP: Enter the IP address of the agent that monitors the group.
Agent Port: Enter the port number of the agent that monitors the group.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given group.


Default Telnet Parameters Pane
Use: To
Telnet/SSH user: Enter the Telnet/SSH user name. NOTE: When Telnet connection parameters are provided, SNMP is no longer used to change settings on a switch; instead, a Telnet script is executed.
Telnet/SSH Password: Enter the Telnet/SSH password.
Telnet Enable Password: Enter the Telnet script for enabling the password.

Default Communities
Use: To
Get Community: Enter Get SNMP community for routers and switches.
Set Community: Enter Set SNMP community for routers and switches. NOTE: If no value is provided, the Get Community is taken as default.


SWAT Run Parameters Pane
Use: To
Verbose: Enter the detailing level of the log (0, 1, 9).
License: Enter the license number.
License Information: View the detailed license information.

Management Platform Connectivity Pane
Use: To
Management Platform: Select the management platform (installed on the same computer as SWAT) from the drop-down list. If you have a management platform for your network, SWAT can elicit information from it, including the list of switches and routers in the network and the MAC addresses discovered by the platform. NOTE: This feature is not included with the default installation of the product.
Management Platform ODBC: Create an ODBC connection to the platform's server on SWAT's server.
Management Platform DB User: Enter the user name of the management platform database.
Management Platform DB Password: Enter the password of the management platform database.
Load from Management Platform: Load the switch/MAC address from the management platform.

Use: To
(button): Save the changes made to the General form.
(button): Clear the General form without saving any changes.

5.2.1 Run Modes

The various run modes enable you to execute the following commands:
Run Mode: Description
Learn: Newly discovered MAC addresses are automatically set as valid and authorized for accessing the whole network. Known addresses' permissions are left unchanged, yet port data is updated. This run mode is suitable for enterprises that just installed SWAT and want to build their device repository. SWAT also supports an option to load all the valid devices in the organization from an external source.
Learn and Lock for Group: Connecting MAC addresses receive authorization only for the defined group of switches to which they are connected.
Learn and Lock for Switch: Connecting MAC addresses receive authorization only for all ports on the switch to which they are connected.
Learn and Lock for Port: Connecting MAC addresses receive authorization only for the port to which they are connected.
Learn Once and Warn: Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Warn mode.
Learn Once and Disconnect: Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Disconnect mode.
Warn (mail): A warning is sent by email or written to an event log when unidentified or unauthorized MAC addresses have been discovered as connected to the network via an open port. The unidentified MAC addresses are then blacklisted.
Disconnect: When unidentified or unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected for a predefined amount of time. If the MAC address discovered is unknown, unidentified MAC addresses are blacklisted.
Move to VLAN: When new stations try to connect, they are physically moved to a VLAN and automatically disabled/enabled. This run mode enables enhanced network quarantine capabilities: stations receive new permissions in accordance with the VLAN to which they are moved. Furthermore, stations that receive a new dynamic IP address are discovered by SWAT.

5.3 SWAT Users


Select SWAT Users from the Administration menu to open the SWAT Users screen as follows:

Figure 5-3: SWAT Users screen

Use this screen to define the groups you want recognized by SWAT and determine their permissions.


SWAT Groups Pane
Use: To
SWAT Admin (drop-down list box): Select the required group for the selected permission scope.
(button): Delete a group from the defined user groups.

Group Permission Scope Pane
This pane determines the permission scope of the defined SWAT groups.
Group: Permission
Administrator User: Overall permission (administration, operators, reports and device manager).
Operator User: Permission to manage the MAC addresses (see Operations Menu on page 98).
Report User: Permission to manage the reports (see Reports Menu on page 76).
Device Manager User: Permission to change definitions for given ports on specific switches (see Network Configuration on page 42).

Computer Groups Pane
Use: To
Select Group (drop-down list box): Display the defined groups on the SWAT server, excluding those that are defined for the given permission scope.
(button): Add a new group to the defined user groups.

Use: To
(button): Save the changes made to the groups added. NOTE: The Update button is enabled only for groups added by users.


5.4 Alert Types


Select Alert Types from the Administration menu to view the full list of the various alerts provided by SWAT:

Figure 5-4: Alert Types screen

Field: Description
Alert Type: Displays the list of alerts (see Alert Type List below for the full list of alerts and their description).
Alert Description: Presents a brief description of the various types of alerts.
Send Mail: When selected, receives mail in case of an alert.
Event Log: When selected, writes the alert to an event log.
Severity: Determines the severity of the alert. Select from the following available options: Info, Warning, Error.
(button): Saves the changes.
(button): Refreshes the Alert Types list.

5.4.1 Alert Type List


Alert: Description
Agent Reconnect: The agent reconnects to the manager after the server is down.
Agent Time Out: The agent is not responding.
SNMP Problem in Device: The device is experiencing SNMP problems.
External Intruder Detected: An unauthorized station is detected.
New MAC Address: A new MAC address was found.
New Uplink Found: The port is defined as uplink.
Port Disable Failed: The attempt to disable the port failed.
Port Enable Failed: The attempt to enable the port failed.
Router Down: The router is not responding to SNMP.
Service Down: The service is not responding.
Switched Changed: The type of switch has changed.
Switch Down: The switch is not responding to SNMP.
Unauthorized Connection Detected: A station with the given MAC address is not permitted in a specified location.
Virus Found: A virus was found by the antivirus system (see Antivirus Support on page 113 for further information).


Network Configuration
IN THIS CHAPTER:

Network Configuration Menu
Switch Groups
Switches
Switch Ports
Routers
Site Configuration

6.1 Network Configuration Menu


The Network Configuration menu lets you set up the network structure and permission settings of switch groups, switches, switch ports, routers and the organizational site structure.

Figure 6-1: Network Configuration menu

The Network Configuration menu includes the following options:


Option: Description
Switch Groups: Defines a certain group of switches. See Switch Groups on page 43 for more information.
Switches: Filters by switches. See Switches on page 49 for more information.
Switch Ports: Filters by switch ports. See Switch Ports on page 58 for more information.

Chapter 6: Network Configuration

Routers: Filters by routers. See Routers on page 66 for more information.
Site Configuration: Opens the Site Configuration screen, allowing you to link your physical network structure to your organization's physical structure. See Site Configuration on page 71 for more information.

6.2 Switch Groups


Select Switch Groups from the Network Configuration menu to open the Switch Group screen.

Figure 6-2: Switch Groups screen

Use this screen to provide a unifying name to a certain group of switches.


Switch Group Filtering Pane
Use: To
Group Name: Enter the name of the defined group of switches.
Group Description: Provide a description of the group of switches.
Run Mode: Select the run mode of the group. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers:
  All: no restriction.
  Lock for group: restricted to a defined group.
  Lock for switch: restricted to a defined switch.
  Lock for port: restricted to a defined port.
  Lock for VLAN: restricted to a defined VLAN.
  NOTE: Permission is relevant only when the run mode is of the Learn group.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given group.
Agent IP: Enter the IP address of the agent that monitors the group.
Agent Port: Enter the port number of the agent that monitors the group.
Check Frequency: Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.
Disconnect Time: Enter the required number of minutes for which a port is closed when a disconnection is warranted.
(button): Filter according to the IP address entered for the switch.
(button): Clear the filtering pane (not the results).


Add New Group Pane
Use: To
Group Name: Enter the name of the defined group of switches.
Group Description: Provide a description of the group of switches.
(button): Add a new group of switches.

Switch Groups Filtered Results

After clicking the Filter button, the following switch group parameters are displayed:
Parameter: Description
Group Name: The name of the defined group of switches.
Group Description: The user's description for the group of switches.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers:
  All: no restriction.
  Lock for group: restricted to a defined group.
  Lock for switch: restricted to a defined switch.
  Lock for port: restricted to a defined port.
  Lock for VLAN: restricted to a defined VLAN.
  NOTE: Permission is relevant only when the run mode is of the Learn group.
(button): Opens the Switch Group List for you to update the current list of defined groups.
(button): Opens the Switch Group Form, for setting all the attributes of the group of switches.
(button): Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
(button): Deletes selected switches.
(button): Exports results to Excel.

6.2.1 Switch Group List


Use the Switch Group list to enforce a certain run mode on a defined group of switches.

Figure 6-3: Switch group list

Select the required switches and click Apply.

6.2.2 Switch Group Form


Use the Switch Group form to provide the operational and permission information of the selected group of switches. The form displays both attributes and inherited values.


Figure 6-4: Switch Group form

Field: Description
Group Name: The name of the defined group of switches.
Group Description: The user's description for the group of switches.
Administration Mail: The email address to which warnings are sent. NOTE: Separate multiple addresses with a comma.
Run Mode: The run mode of the group. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers:
  All: no restriction.
  Lock for group: restricted to a defined group.
  Lock for switch: restricted to a defined switch.
  Lock for port: restricted to a defined port.
  Lock for VLAN: restricted to a defined VLAN.
  NOTE: Permission is relevant only when the run mode is of the Learn group.
VLAN Number: The number of the defined VLAN.
Manager ID: The manager ID that handles the group.
Agent IP: The IP address of the agent that polls the group.
Agent Port: The port number of the agent that polls the group.
Group Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode. NOTE: MAC addresses that are disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given then Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
(button): Saves the changes made to the Switch Group form.
(button): Closes the Switch Group form without saving any changes.

6.3 Switches
Select Switches from the Network Configuration menu to open the Switches screen and define your required switch-related filtering parameters.

Figure 6-5: Switches screen


Switch Filtering Pane
Use: To
Switch Name: Enter the required switch name. NOTE: You can use wildcards such as (%) or (*) for the switch name.
Switch IP: Enter the required switch IP address.
Switch Group: Add the new switch to the selected switch group.
Run Mode: Select the run mode of the switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers:
  All: no restriction.
  Lock for group: restricted to a defined group.
  Lock for switch: restricted to a defined switch.
  Lock for port: restricted to a defined port.
  Lock for VLAN: restricted to a defined VLAN.
  NOTE: Permission is relevant only when the run mode is of the Learn group.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given switch.
Agent IP: Enter the IP address of the agent that monitors the switch.
Agent Port: Enter the port number of the agent that monitors the switch.
Check Frequency: Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.
Disconnect Time: Enter the required number of minutes for which a port is closed when a disconnection is warranted.
(button): Filter according to the IP address entered for the switch.
(button): Clear the filtering pane (not the results).

Add New Switch Pane

Use: To
Switch IP: Enter the IP address of the new switch.
Switch Name: Enter the switch name.
Get Community: Default GET SNMP community for routers and switches.
Switch Group: Add the new switch to the selected switch group.
Run Mode: Select the run mode of the new switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Add a new switch.
Add the switch and open the Switch Form screen. For more information see Switch Forms below.

6.3.1 Switch Filtered Results


After clicking the Filter button, the following switch parameters are displayed:
Parameter: Description
Switch Name: The switch name.
Switch IP: The switch IP address.
Switch VLAN(s): The switch number.
Switch Group: The switch group.
SysDescription: The description value taken from the switch.
Last Automatic Check Date: The timestamp of the last MAC address discovery.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Loads the Switch List file. For more information see Switch List File on page 117.
Loads the ports of the selected switches.
Loads the MAC addresses of the selected switches.
Opens the Switch Forms, for setting all the attributes of the switch.
Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Deletes selected switches.
Exports results to Excel.


6.3.2 Switch Forms


Use the switch form to provide the operational and permission information of the selected switch. The switch form displays both attributes and inherited values.

Switch Form: Single Switch

When a single switch is selected the following switch form is displayed:

Figure 6-6: Switch form (one switch selected)

Field: Description
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Group IP: The IP address of the switch group.
Switch SysName: The system name of the switch.
Switch SysDescription: The information found in the switch SysDescription field.
Switch SysObjectID: The system object ID of the switch.
Switch Last Automatic Check Time: The last discovery time of the switch.
Administration Mail: The email address to which warnings are sent.

NOTE
Separate multiple addresses with a comma.

Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

VLAN Number: The number of the VLAN.
Manager ID: The manager ID that handles the switch.
Agent IP: The IP address of the agent that polls the switch.
Agent Port: The port number of the agent that polls the switch.
Switch Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

NOTE
MAC addresses disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)

SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given then Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).

Saves the changes made to the switch form.
Closes the Switch form without saving any changes.


Switch Form: Multiple Switches

When multiple switches are selected the following switch form is displayed:

Figure 6-7: Switch form (multiple switches selected)

Field: Description
Administration Mail: The email address to which warnings are sent.

NOTE
Separate multiple addresses with a comma.

Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Switch Group: The switch group.
Manager ID: The manager ID that handles the switch.
Agent IP: The IP address of the agent that polls the switch.
Agent Port: The port number of the agent that polls the switch.
Switch Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

NOTE
MAC addresses disconnected this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.

SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given then Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).

Saves the changes made to the switch form.
Closes the switch form without saving any changes.

6.4 Switch Ports


Select Switch Ports from the Network Configuration menu to open the Switch Ports screen and define your required switch port-related filtering parameters:

Figure 6-8: Switch Ports screen


Port Filtering Pane

Use: To
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch.
Switch Group: Add the new switch to the selected switch group.
Slot: Enter the switch slot number in which the port is located.
Port: Enter the port number on a given slot.
State: Select the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States below for more details.
Run Mode: Select the run mode of the switch port. See Run Modes on page 36 for more information.
Permission: Enter the permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Port Status: Select the port's status: connected or no link.
VLAN(s): Enter the required VLAN.

Filter the switch ports according to the IP address entered in the Switch Port IP field.
Clear the filtering pane (not the results).

6.4.1 States
The following states exist:
Enable: the port in the switch is open.
Disable: the port in the switch is closed.
Unmanaged: the port is not managed by SWAT.
Uplink: the port is connected to a different switch. Ports that connect switches are never disconnected. If a new MAC address is discovered on an uplink port, an alert is also sent in Disconnect mode.

NOTE
SWAT automatically identifies uplinks, providing the switches are defined through the system.
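
The port states, the two MultiMAC attributes and the Lock permission scopes described in this chapter can be read as one decision per port. The following is an added illustration, not SWAT code: the class and function names, the order in which the attributes are checked, and the sample MAC addresses and locations are assumptions made for the example. What SWAT does after an alert depends on the run mode, which is not modeled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    group: str
    switch_ip: str
    slot: int
    port: int
    vlan: int


@dataclass(frozen=True)
class PortConfig:
    state: str = "Enable"              # Enable, Disable, Unmanaged or Uplink
    unmanage_multimac: bool = False    # "Unmanage MultiMAC Interface"
    disconnect_multimac: bool = False  # "Disconnect MultiMAC Interface"
    disconnect_minutes: int = 0        # "Disconnect Time (minutes)"


@dataclass(frozen=True)
class Decision:
    action: str             # ignore | alert | disconnect | allow
    reason: str
    minutes: int = 0        # how long the port stays closed
    blacklist: bool = False


def within_scope(permission, learned, seen):
    """Check a sighting against the scope a MAC address was locked to."""
    if permission == "All":
        return True
    if permission == "Lock for group":
        return seen.group == learned.group
    if permission == "Lock for switch":
        return seen.switch_ip == learned.switch_ip
    if permission == "Lock for port":
        return (seen.switch_ip, seen.slot, seen.port) == (
            learned.switch_ip, learned.slot, learned.port)
    if permission == "Lock for VLAN":
        return seen.vlan == learned.vlan
    raise ValueError(f"unknown permission: {permission!r}")


def evaluate_port(cfg, seen, macs, learned):
    """Return one Decision for a port.

    macs    -- set of MAC addresses currently seen on the port
    learned -- dict: MAC -> (permission, Location where it was learned)
    """
    if cfg.state == "Unmanaged":
        return Decision("ignore", "port is not managed")
    unknown = sorted(m for m in macs if m not in learned)
    if cfg.state == "Uplink":
        # Uplinks are never disconnected; a new MAC only raises an alert.
        if unknown:
            return Decision("alert", "new MAC on uplink: " + ", ".join(unknown))
        return Decision("allow", "uplink port")
    if len(macs) > 1:
        # Assumed precedence: an unmanaged multi-MAC port is left alone.
        if cfg.unmanage_multimac:
            return Decision("ignore", "multi-MAC port left unmanaged")
        if cfg.disconnect_multimac:
            # The port is closed, but the MAC addresses are not blacklisted.
            return Decision("disconnect", "multi-MAC port (possible hub)",
                            cfg.disconnect_minutes, blacklist=False)
    if unknown:
        return Decision("alert", "new MAC: " + ", ".join(unknown))
    for mac in sorted(macs):
        permission, home = learned[mac]
        if not within_scope(permission, home, seen):
            return Decision("alert", f"{mac} is outside its '{permission}' scope")
    return Decision("allow", "all MAC addresses are within scope")


# Constructed sample data (documentation address ranges, not real stations).
HOME = Location(group="hq", switch_ip="192.0.2.10", slot=1, port=7, vlan=20)
LEARNED = {
    "00:00:5e:00:53:01": ("Lock for port", HOME),
    "00:00:5e:00:53:02": ("Lock for VLAN", HOME),
}
```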

6.4.2 Switch Port Filtered Results


After clicking the Filter button, the following switch port parameters are displayed:
Parameter: Description
Port Status: The status of the port.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Slot: The switch slot number in which the port is located.
Port: The port's serial number.
If Index: The serial number of the switch port in the switch.
Port State: Shows the current state of the switch port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
VLAN(s): The number of VLANs.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Opens the drop-down list box, enabling you to select the required state of the switch port: Enable, Disable, Uplink or Unmanage.
Sets the selected state.
Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Opens the Switch Port Forms (see below).
Opens the VLAN Number dialog box for you to set the filtered interfaces' VLANs.
Deletes the selected switch ports.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.

6.4.3 Switch Port Forms


The switch port form includes informational parameters and attributes that determine its security mode. Most of the parameters are inheritable.


Switch Port Form: Single Switch Port

When a single switch port is selected the following switch port form is displayed:

Figure 6-9: Figure 6-10: Switch Port form (one switch port selected)

Field: Description
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Slot: The switch's slot number in which the switch port is located.
Port: The switch's port number in which the switch port is located.
IfName: The ifName value for the given port's switch port.
IfAlias: An alias for the switch port which can be configured on the switch.
Ifindex: The serial number of the switch port in the switch.
Description: The switch port's description. The default value is the switch port's name.
State: Shows the current state of the switch port: Up, Down, Unmanaged, Processing, or Uplink. See States on page 59 for more details.
Administration Mail: The email address to which warnings are sent.

NOTE
Separate multiple addresses with a comma.

Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Disconnect Time (minutes): The amount of time the switch port remains disconnected in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

NOTE
MAC addresses disconnected this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.

Saves the changes.
Closes the switch port form without saving any changes.

Switch Ports Form: Multiple Switch Ports

When multiple switch ports are selected the following switch port form is displayed:

Figure 6-11: Switch ports form (multiple switch ports selected)

Field: Description
Administration Mail: The email address to which warnings are sent.

NOTE
Separate multiple addresses with a comma.

Run Mode: The behavior of SWAT, i.e., the action SWAT performs when a computer connects to the network via an open port.
Permission: Select the permission you want to give to connecting computers: All (no restriction), Lock for group (restricted to a defined group), Lock for switch (restricted to a defined switch), Lock for port (restricted to a defined port), Lock for VLAN (restricted to a defined VLAN).

NOTE
Permission is relevant only when the run mode is of the Learn group.

Disconnect Time: The number of minutes for which a port is closed when a disconnection is warranted.
Unmanaged Multi-MAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.
Disconnect MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected.

Saves the changes.
Closes the switch port form without saving any changes.


6.5 Routers
Select Routers from the Network Configuration menu to open the Routers screen and define your required router-related filtering parameters.

Figure 6-12: Routers screen

Router Filtering Pane

Use: To
Router Name: Enter the name of the router.
Router IP: Enter the IP address of the router.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given router.
Agent IP: Enter the IP of the agent that is responsible for monitoring the given router.
Agent Port: Enter the port number of the agent that monitors the router.
Check Frequency: Enter the interval in minutes between each cycle of discovery, i.e., the process of checking for new MAC addresses in the network. This information is used by the agents.

Filter according to the IP address you entered in the Router IP field.
Clear the filtering pane (not the results).


Add New Router Pane

Field: Description
Router IP: Enter the IP address of the new router.
Router Name: Enter the name of the new router.
Get Community: The authentication string which facilitates access control to the switch.

Add the new router.

6.5.1 Router Filtered Results


After clicking the Filter button, the following router parameters are displayed:
Parameter: Description
Router Name: The name of the router.
Router IP: The IP address of the router.
SysDescription: The description value taken from the router.
Last Automatic Check Date: The timestamp of the last MAC address discovery.
View Subnets: Opens the Router Subnets dialog box, after clicking the Subnets link under the View Subnets field. The dialog box lists the subnets discovered on the router.

Loads the routers list file. For more information see Router List File on page 117.
Loads the routers data.
Opens the Router Form (see below).
Deletes the selected routers.
Exports results to Excel.

6.5.2 Router Form


The router form includes parameters that are individual to each router and attributes that are inheritable.

Router Form: Single Router

When a single router is selected the following router form is displayed:

Figure 6-13: Router form (one router selected)

Field: Description
Router Name: The name of the router.
Router IP: The IP address of the router.
Router SysName: The name value taken from the router.
Router SysDescription: The description value taken from the router.
Router SysObjectID: The ObjectID value taken from the router.
Router Last Automatic Check Time: The last discovery time of the router.
Manager ID: The ID of the manager that is responsible for monitoring the given router.
Agent IP: The ID of the agent that is responsible for monitoring the given router.
Agent Port: The port number of the agent that monitors the router.
Router Check Frequency: The interval in minutes between each cycle of discovery, i.e., the process of checking new MAC addresses in the network. This information is used by the agents.
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: The authentication string which facilitates access control to the router.

Saves changes.
Closes the Router form without saving any changes.


Router Form: Multiple Routers

When multiple routers are selected the following Router Form is displayed:

Figure 6-14: Router form (more than one router selected)

Field: Description
Manager ID: The ID of the manager that is responsible for monitoring the given router.
Agent IP: The ID of the agent that is responsible for monitoring the given router.
Agent Port: The port number of the agent that monitors this router.
Router Check Frequency: The interval in minutes between each cycle of discovery, i.e., the process of checking for new MAC addresses in the network. This information is used by the agents.
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: The authentication string which facilitates access control to the router.


6.6 Site Configuration


Select Site Configuration from the Network Configuration menu to open the Site Configuration screen:

Figure 6-15: Site Configuration screen

The Site Configuration screen lets you link your physical network structure to your organization's physical structure, thereby providing added value and information. This way, when a new MAC address is identified, you not only know the slot/port/switch to which it connects, but also in which room the person with the given computer is located. Additionally, permissions for MAC addresses can be defined for any level in the organizational geographical structure, allowing or denying access to office branches, buildings, floors and rooms.


Organization Filtering Pane

Use the Organization Filtering pane to filter a required site.


Use: To
Site Name: Enter the required site name (office branch or location of the company).

TIP
You can use wildcards such as (%) or (*) for the site name.

Building Name: Enter the required building name (optional).
Floor Name: Enter the required floor name (optional).
Room Name: Enter the required room name (optional).
Socket: Enter the required socket name (optional).

NOTE
The name of the socket in a room connected to the port in the switch. The connection between the physical structures and the network structure is done via the socket level. A socket is linked with a given slot and port of a given switch.

Switch IP: Enter the IP address of the switch to which the socket is connected (optional).
Slot: Enter the slot number in the switch to which the socket is connected (optional).
Port: Enter the port number in the switch to which the socket is connected (optional).

Filter the sites according to the information entered in the Site Name field.
Clear the filtering pane (not the results).


Add/Update Pane

Use the Add/Update pane to add, update or delete sites. To do so simply use the Add/Update/Delete buttons and fill in the site details. See below for more information.

Use: To
Organization: Enter the name of the office branch or location of the company.
Site Name: Enter the name of the site.
Building Name: Enter the name of the physical structure on site.
Floor Name: Enter the name of the floor in the building.
Room Name: Enter the name of the room on the floor.
Socket Name: Enter the name of the socket in a room connected to the port in the switch. The connection between the physical structures and the network structure is done via the socket level. A socket is linked with a given slot and port of a given switch.

Update the changes made.
Open the various Add dialog boxes. See Site Configuration: Add Dialog Boxes below for more details.
Delete the required site/building/floor/room/socket.
Open the MAC Address Permission Filtering screen. See MAC Address Permission Filtering on page 107 for more information.

6.6.1 Site Configuration: Add Dialog Boxes


Adding a new site:

Figure 6-16: Add New Site dialog box

Enter the site name, address, phone and description and then click Add.


Adding a new building:

Figure 6-17: Building dialog box

Enter the building name and address and click Add.

Adding a new floor:

Figure 6-18: Floor Name dialog box

Enter the floor name and click Add.

Adding a new room:

Figure 6-19:

Enter the room name and click Add.

Adding a new socket:

Figure 6-20: Socket dialog box

Enter the socket name, switch IP, slot, port and name of person and click Add.


6.6.2 Site Configuration Filtered Results


After clicking the Filter button, the following Site Configuration parameters are displayed:

Parameter: Description
Organization Name: The name of the organization.
Site Name: The name of the branch office or location of the company.
Building Name: The name of the physical structure on site.
Floor Name: The name of the floor in the building.
Room Name: The name of the room on the floor.
Socket Name: The name of the socket in a room connected to the port in the switch. The connection between the physical structures and the network structure is done via the socket level. A socket is linked with a given slot and port of a given switch.
Switch IP: The IP address of the switch which is connected to the socket.
Slot: The slot of the switch which is connected to the socket.
Port: The port of the switch which is connected to the socket.
Person Name: The name of the person who works on the socket.

Loads the MAC Address Permissions Filtering screen. See MAC Address Permission Filtering on page 107 for more information.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.


Chapter 7: Reports

In this chapter: Reports Menu, Station Reports, Network Reports, Statistics Reports, Alert Console, Scheduled Tasks

7.1 Reports Menu


Use the Reports menu to generate various station, network and statistical reports, as well as filter the alert console and view the scheduled tasks.

Figure 7-1: Reports menu

The Reports menu includes the following options:


Option: Description
Station Reports: Includes reports about new/inactive stations and their history. See Station Reports on page 77 for more information.
Network Reports: Includes reports about inactive ports and ports with MAC addresses/active MAC addresses. See Network Reports on page 83 for more information.
Statistic Reports: Includes various statistical reports on the network stations. The statistics are divided into a period of five weeks. See Statistics Reports on page 89 for more information.
Alert Console: Enables various alert filtering options. See Alert Console on page 93 for more information.
Scheduled Tasks: Displays a list of all SWAT's active and completed processes, until they are cleared by the CleanDB job or the user. See CleanDB on page 128 for more information.

7.2 Station Reports


Select Station Reports from the Reports menu. The following report options appear:

Figure 7-2: Station report options

7.2.1 Inactive Stations Report


Select the Inactive Stations option to delete inactive stations and generate a report that displays all inactive stations connected to the network.

Figure 7-3: Inactive Stations report


Inactive Stations Filtering Pane

Generate the report according to the following filtering options:

Use: To
MAC Address: Enter the MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address: Enter the last known IP address allocated to the MAC address.
Node Name: Enter the last known network name of the MAC address's computer.
Switch Group: Enter the name of the switch group.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Switch Name: Enter the name of the switch.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Inactive Station Period: Select the amount of time the station was inactive (24 hours, 7 days, 14 days, 1 month, 3 months, 6 months).
MAC Last Permission: Display the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.

Filter according to the filtering options you entered and/or selected in the Inactive Stations Filtering pane.
Clear the filtering pane (not the results).


Inactive Station Filtered Results

After clicking the Filter button, the following parameters are displayed:

Parameter: Description
Inactive Date: The date the station became inactive (choose from 7, 14 days; 1, 3, 6 months of the Inactive Station period selected in the Filtering pane).
MAC Address: The MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Switch Name: The name of the switch.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
Last Discovered Status: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.

Deletes the inactive station.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.


7.2.2 New Stations Report


Select the New Stations option to display all the new stations in the enterprise.

Figure 7-4: New Stations report

New Stations Filtering Pane

Generate the report according to the following filtering options:

Use: To
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Switch Group: Enter the name of the switch group.
Stations Permission: Display the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Start Time: Select the time the new station connected.
End Time: Select the time the new station disconnected.
New Station Summary Results: Display the actual number and average per day of new connected stations.

Filter according to the filtering options you entered and/or selected in the Stations History Filtering pane.
Clear the filtering pane (not the results).

New Stations Filtered Results

After clicking the Filter button, the following parameters are displayed:

Parameter: Description
Date: The date and time the new station connected.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
MAC Address: The MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Discovered Status: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.

Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.


7.2.3 Station History Report


Select the Station History option to display the history of a specific station.

Figure 7-5: Station History report

Station History Filtering Pane
Generate the report according to the following filtering options:

Use | To
MAC Address | Enter the MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address | Enter the last known IP address allocated to the MAC address.
Node Name | Enter the last known network name of the MAC address's computer.
Start Time | Select the time the station connected.
End Time | Select the time the station disconnected.
Stations Summary Results | Display the actual total connection time and average per day of the required stations.
| Filter according to the filtering options you entered and/or selected in the Stations History Filtering pane.
| Clear the filtering pane (not the results).


History Station Report Results
After clicking the Filter button, the following parameters are displayed:

Parameter | Description
Switch Name | The name of the switch.
Switch IP | The IP address of the switch containing the switch port to which the MAC address is connected.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
Connect Date | The date on which the station connected.
Disconnect Date | The date on which the station disconnected.
Connection Time | The amount of time the station remained connected.
Permission | Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is not authorized.
| Exports results to Excel.
Go | Defines the number of lines displayed per page in the filtered results.

7.3 Network Reports


Select Network Reports from the Reports menu. The following report options appear:

Figure 7-6: Network report options


7.3.1 Inactive Ports


Select the Inactive Ports option to display the inactive ports in the enterprise.

Figure 7-7: Switch Inactive Ports report

Switch Inactive Ports Filtering Pane
Generate the report according to the following filtering options:

Use | To
Switch Name | Enter the name of the switch.
Switch IP | Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | Enter the port number to which the MAC address is connected.
State | Display the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
Run Mode | Select the run mode of the switch. See Run Modes on page 36 for more information.
Inactive Port Period | Select the amount of time the port was inactive (24 hours, 7 days, 14 days, 1 month, 3 months, 6 months).
| Filter according to the filtering options you entered and/or selected in the Switch Inactive Ports Filtering pane.
| Clear the filtering pane (not the results).


Switch Inactive Ports Results
After clicking the Filter button, the following parameters are displayed:

Parameter | Description
Inactive Date | The date and time the port became inactive.
Switch Name | The name of the switch.
Switch IP | The IP address of the switch containing the switch port to which the MAC address is connected.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
IfIndex | The serial number of the switch port in the switch.
Port State | Shows the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
Run Mode | The run mode of the switch. See Run Modes on page 36 for more information.
| Disconnects the selected port/s.
| Exports results to Excel.
Go | Defines the number of lines displayed per page in the filtered results.

TIP
It is recommended to disable ports that are no longer in use.


7.3.2 Active Multi MAC Ports


Select the Active Multi MAC Ports option to display all ports, including their stations, with at least two active MAC addresses.

Figure 7-8: Active Multi MAC Port report

Active Multi MAC on Port Filtering Pane
Generate the report according to the following filtering options:

Use | To
Switch Name | Enter the name of the switch.
Switch IP | Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | Enter the port number to which the MAC address is connected.
Switch Group | Enter the name of the switch group.
MAC Last Permission | Enter the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
| Filter according to the filtering options you entered and/or selected in the Active Multi MAC on Port Filtering pane.
| Clear the filtering pane (not the results).


Active Multi MAC on Port Results
After clicking the Filter button, the following parameters are displayed:

Parameter | Description
Switch Name | The name of the switch.
Switch IP | The IP address of the switch containing the switch port to which the MAC address is connected.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
MAC Address | The MAC address which is connected/not connected to the Multi MAC port.
IP Address | The last known IP address allocated to the MAC address.
Node Name | The last known network name of the MAC address's computer.
Last Discovered Status | Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
| Exports results to Excel.
Go | Defines the number of lines displayed per page in the filtered results.


7.3.3 Multi MAC Ports


Select the Multi MAC Ports option to display all ports that have more than one station (not necessarily connected).

Figure 7-9: Multi MAC Port report

Multi MAC on Port Filtering Pane
Generate the report according to the following filtering options:

Use | To
Switch Name | Enter the name of the switch.
Switch IP | Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | Enter the port number to which the MAC address is connected.
Switch Group | Enter the name of the switch group.
MAC Last Permission | Enter the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
| Filter according to the filtering options you entered and/or selected in the Multi MAC on Port Filtering pane.
| Clear the filtering pane (not the results).


Multi MAC on Port Results
After clicking the Filter button, the following parameters are displayed:

Parameter | Description
MAC Address | The MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address | The last known IP address allocated to the MAC address.
Node Name | The last known network name of the MAC address's computer.
Switch IP | The IP address of the switch containing the switch port to which the MAC address is connected.
Switch Name | The name of the switch.
Slot | Enter the slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
Last Discovered Status | Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Last Connection Date | Shows the last date the MAC address was connected.
Last Disconnect Date | Shows the last date the MAC address was disconnected.
| Exports results to Excel.
Go | Defines the number of lines displayed per page in the filtered results.

7.4 Statistics Reports


Select Statistic Reports from the Reports menu. The following report options appear:

Figure 7-10: Statistic Reports options


7.4.1 New Station Statistics


Select the New Station Statistics option to view statistics on the new stations (both authorized and unauthorized) of the switch/switches in the enterprise. Enter the required Switch IP and click Filter to generate the report; click Clear to view the original results of all the switches.

Figure 7-11: New Station Statistics

Field | Description
Week | Displays the defined five weeks of the statistical report.
New Stations Count | The number of new stations that connected during the defined week.
Authorized | The number of authorized stations that connected during the defined week.
Unauthorized | The number of unauthorized stations that connected during the defined week.
Disconnected | The number of stations that disconnected during the defined week.
Day 8:00-20:00 | Displays the number of new stations that connected between 8:00-20:00.
Night 20:00-8:00 | Displays the number of new stations that connected between 20:00-8:00.


7.4.2 Moving Station Statistics


Select the Moving Station Statistics option to view statistics on the movement of stations (both authorized and unauthorized) in the enterprise.

Figure 7-12: Moving Station statistics

Field | Description
Week | Displays the defined five weeks of the statistical report.
Moving Stations Count | The number of stations that moved during the defined week.
Authorized | The number of stations that were authorized after they moved.
Unauthorized | The number of stations that were unauthorized after they moved.
Disconnected | The number of stations that disconnected during the defined week.
Day 8:00-20:00 | Displays the number of stations that moved between 8:00-20:00.
Night 20:00-8:00 | Displays the number of stations that moved between 20:00-8:00.


7.4.3 Station Alert Statistics


Select the Station Alert Statistics option to view the number of alerts received (both Warn and Disconnected) for the stations of a defined switch. Enter the required Switch IP and click Filter to generate the report; click Clear to view the original results of all the switches.

Figure 7-13: Station Alert statistics

Field | Description
Week | Displays the defined five weeks of the statistical report.
Station Alert Count | The number of alerts received for defined switch/switches stations.
Disconnected | The number of stations that were disconnected during the defined week.
Day 8:00-20:00 | Displays the number of stations that received an alert between 8:00-20:00.
Night 20:00-8:00 | Displays the number of stations that received an alert between 20:00-8:00.

7.4.4 Port Statistics


Select the Port Statistics option to view a pie chart of the number of free/connected switch port/s. Enter the required Switch IP and click Filter to generate the report; click Clear to view the original results of all the switches.

Figure 7-14: Port statistics

Field | Description
Ports Count | Displays the total number of switch port/s in the enterprise.
Free Ports Count | Displays the number of free ports in the enterprise.
Connected Ports Count | Displays the number of connected ports in the enterprise.

7.5 Alert Console


Select Alert Console from the Reports menu to open the Alert Console screen. Use this screen to filter the alerts according to the severity, type, MAC address, etc.

Figure 7-15: Alert Console screen


7.5.1 Alert Console Filtering Pane


Filter the alerts according to the following parameters:
Use | To
Alert Severity | Determine the severity of the alert. Choose from the following options: All, Info, Warning, Error.
Alert Type | Display the list of alerts: Agent Reconnected, Agent Time Out, Device SNMP Problem, External Intruder Detected, New MAC Address, New Uplink Found, Port Disable Failed, Port Enable Failed, Router Down, Service Down, Switch Changed, Switch Down, Unauthorized Connection Detected, Virus Found.
Alert Description | Display a brief description of the various types of alerts.
Switch IP | Enter the IP address on which the event occurred.
Slot | Enter the slot in which the event occurred.
Port | Enter the port on which the event occurred.
MAC Address | Enter the MAC address for which the event occurred.
| Filter according to the filtering options you entered and/or selected in the Alert Console Filtering pane.
| Clear the filtering pane (not the results).


7.5.2 Alert Console Filtered Results


After clicking the Filter button, the following Alert Console parameters are displayed:
Parameter | Description
Alert Date | The date (and time) on which the event occurred.
Alert Type | View the list of alerts: Agent Reconnected, Agent Time Out, Device SNMP Problem, External Intruder Detected, New MAC Address, New Uplink Found, Port Disable Failed, Port Enable Failed, Router Down, Service Down, Switch Changed, Switch Down, Unauthorized Connection Detected, Virus Found.
Alert Description | Displays a brief description of the various types of alerts.
Switch IP | The IP address of the switch.
Slot | The slot in which the event occurred.
Port | The port on which the event occurred.
MAC Address | The MAC address for which the event occurred.
Disconnect | Shows whether a station is connected or disconnected (if the station is disconnected, the check box is selected; if the station is connected, the check box is cleared).
| Deletes the selected alert.
| Refreshes the screen.
Go | Defines the number of lines displayed per page in the filtered results.

7.6 Scheduled Tasks


Select Scheduled Tasks from the Reports menu to open the Scheduled Tasks screen. Use this screen to view a list of all SWAT's active/in progress/completed processes. To refresh the report, click the Refresh button.

Figure 7-16: Scheduled Tasks list

Scheduled tasks are processes in SWAT, allowing batch operations to control switches and switch ports. Each task consists of several steps.

NOTE
The ClearEndedJobs job cleans the Scheduled Tasks filtered results according to a defined time. See Background Processes on page 127 for more information. The Scheduled Task List is for debugging purposes only.

7.6.1 Scheduled Tasks Filtered Results


Parameter | Description
Description | Displays a brief description of the relevant task.
State | Displays the state of the task.
Scheduled Time | Shows the time for which the task is scheduled.
Start Time | Shows the actual start time of the task.
Stop Time | Shows the time the task finished.
| Deletes completed jobs.
| Deletes the selected jobs.
| Refreshes the list of tasks.


Chapter 8: Operations

IN THIS CHAPTER:
Operations Menu
Station Permissions
Site Permissions
Advanced Station Addition

8.1 Operations Menu


The Operations menu lets you facilitate permission handling of MAC addresses by filtering/querying and by adding new addresses.

Figure 8-1: Operations menu

Option | Description
Station Permissions | Sets all levels of network permissions. See Station Permissions on page 99 for more information.
Site Permissions | Determines the permissions for MAC addresses on a required site. See Site Permissions on page 105 for more information.
Advanced Station Addition | Adds new MAC address properties. See Advanced Station Addition on page 110 for more information.


8.2 Station Permissions


Select Station Permissions from the Operations menu to open the Station Permissions screen.

Figure 8-2: Station Permissions screen

Permissions can be set for all levels of the network, i.e., MAC addresses can be allowed or denied access to the whole network, to switches, or to individual ports.

NOTE
Permissions are set using exclusively positive (Allow) or negative (Deny) clauses, never a combination of both.

8.2.1 MAC Address Filtering Pane


Field | Filter by
MAC Address | MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address | The last known IP address allocated to the MAC address.
Node Name | The last known network name of the MAC address's computer.
Switch Name | The name of the switch.
Switch IP Address | The IP address of the switch containing the switch port to which the MAC address is connected.
Slot | The slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
MAC Last Permission | Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
User Description | A description of the MAC address to facilitate easy identification of its computer.
| Filters according to the IP address entered for the Switch IP.
| Clears the filtering pane (not the results).

8.2.2 Add New MAC Address Pane


Use | To
MAC Permitted | Select last known permission of the MAC address, i.e., Allow All if it is authorized and Deny All if it is warned about or disconnected.
MAC Address | Enter the MAC Address.
User Description | View the user description of the MAC address to facilitate easy identification of its computer.
Switch IP | Select the IP address of the switch.
Slot | Enter the slot number which contains the switch port to which the MAC address is connected.
Port | Enter the port number to which the MAC address is connected.
| Add the new MAC address.

Loading MAC Addresses via CSV Files
Loading MAC addresses into the SWAT system can also be done via the CSV file StationData.csv, located in the [INSTALLDIR]\Data directory. The file has the following format:

#MAC address,IP address,DNS,Lock for[ALL/Switch/Port],SwitchIP(Optional),Slot(Optional),Port(Optional)

You can add new MAC addresses and permissions or map MAC addresses to IP addresses, either to the entire organization (ALL) or by switch/port.
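A pre-import check for StationData.csv, added here as an example and not part of SWAT: it validates each row against the column format above and flags entries that do not belong on an allow list, such as group (multicast/broadcast) addresses. The accepted MAC notations, the treatment of '#' lines as comments, and the rule that the Switch and Port scopes need the optional location columns are assumptions; the sample rows are constructed.

```python
import csv
import ipaddress
import re

SCOPES = {"all": "ALL", "switch": "Switch", "port": "Port"}
HEX12 = re.compile(r"[0-9a-f]{12}")

# Constructed sample rows (documentation IP range), not real station data.
SAMPLE = """\
#MAC address,IP address,DNS,Lock for[ALL/Switch/Port],SwitchIP(Optional),Slot(Optional),Port(Optional)
00:1A:2B:3C:4D:5E,192.0.2.10,ws-010,ALL
00-1a-2b-3c-4d-5f,192.0.2.11,ws-011,Port,192.0.2.1,1,12
001a.2b3c.4d60,192.0.2.12,ws-012,Switch
01:00:5E:00:00:FB,,,ALL
02:42:AC:11:00:02,192.0.2.13,vm-013,Port,192.0.2.1,,7
00:1A:2B:3C:4D:5E,192.0.2.10,ws-010,all
"""


def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    return digits if HEX12.fullmatch(digits) else None


def check_row(fields):
    """Check one data row; return (entry key or None, errors, warnings)."""
    errors, warnings = [], []
    cells = [f.strip() for f in fields] + [""] * 7   # pad the optional columns
    mac_text, ip_text, _dns, scope_text, switch_ip, slot, port = cells[:7]

    mac = normalize_mac(mac_text)
    if mac is None:
        errors.append("malformed MAC address %r" % mac_text)
    else:
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # I/G bit set: multicast or broadcast, never a station's own address.
            errors.append("group address cannot identify a station")
        elif first_octet & 0x02:
            # U/L bit set: locally administered (virtual or randomized NICs).
            warnings.append("locally administered MAC, confirm the owner")

    for label, value in (("IP address", ip_text), ("SwitchIP", switch_ip)):
        if value:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                errors.append("%s %r is not an IPv4 address" % (label, value))

    scope = SCOPES.get(scope_text.lower())
    if scope is None:
        errors.append("lock scope %r is not ALL, Switch or Port" % scope_text)
    elif scope == "ALL":
        if switch_ip or slot or port:
            warnings.append("scope is ALL but a switch location is given")
    elif not switch_ip:
        errors.append("scope %s needs SwitchIP" % scope)
    if scope == "Port":                               # assumed: both are required
        for label, value in (("Slot", slot), ("Port", port)):
            if not value.isdigit():
                errors.append("scope Port needs a numeric %s" % label)

    key = (mac, scope_text.lower(), switch_ip, slot, port) if mac else None
    return key, errors, warnings


def validate(text):
    """Validate StationData.csv content; return (line, level, message) findings."""
    findings, first_seen = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank line or header/comment
        key, errors, warnings = check_row(next(csv.reader([line])))
        if key is not None:
            if key in first_seen:
                warnings.append("same entry already on line %d" % first_seen[key])
            else:
                first_seen[key] = number
        findings += [(number, "ERROR", message) for message in errors]
        findings += [(number, "WARN", message) for message in warnings]
    return findings


if __name__ == "__main__":
    for number, level, message in validate(SAMPLE):
        print("line %d: %s: %s" % (number, level, message))
```

Run it against a copy of the file before import and fix every ERROR line; WARN lines are worth a second look because each accepted row becomes a standing network permission.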


8.2.3 MAC Addresses Filtered Results


The MAC Addresses Filtered Results table displays the filtered MAC addresses and handles those addresses either in batches or individually. MAC addresses discovered only via an uplink port or imported from the management platform, but not verified, appear with missing details.

After clicking the Filter button, the following MAC Address parameters are displayed:

Parameter | Description
Connected | Indicates whether the MAC address is connected or free.
Modify | Opens a box in the User Description column for editing purposes.
Last Connection Status | Shows the last known permission of the MAC address, Allow or Deny.
Last Connection Date | Shows the last date the MAC address was connected.
Switch Name | The name of the switch.
Switch IP | The IP address of the switch which contains the switch port to which the MAC address is connected.
Slot | The slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
MAC Address | The MAC Address.
IP Address | The last known IP address allocated to the MAC address.
Node Name | The last known network name of the MAC address's computer.
User Description | A description of the MAC address to facilitate easy identification of its computer.
Permissions | Opens the Change Permissions dialog box. See Changing Permissions below for more information.
| Sets the MAC address permission according to the permission selected.
Details | Click the View link under the Details column to open the screen. See MAC Address Details on page 104 for more information.
| Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
| Deletes the selected MAC address.
| Disables the selected MAC addresses.
| Exports results to Excel.
Go | Defines the number of lines displayed per page in the filtered results.

NOTE
The information displayed in the table reflects the last time the MAC address connected to the network, and does not necessarily mean that the MAC address is currently connected.

8.2.4 Changing Permissions


Click the Change link under the Permissions column. The Add Permissions dialog box opens, enabling you to change permissions on the computer/port/switch/switch group level.

Figure 8-3: Add Permissions dialog box


To add permissions:
1. Select the required Permission Scope. The following levels can be added:
   - All: allows or denies access to all switches monitored by SWAT.
   - Switch Groups: allows or denies access to a specific group of switches.
   - Switches: allows or denies access to a specific switch or switches.
   - Switch ports (interfaces): allows or denies access to a specific switch port or switch ports.
   - VLANs: allows or denies access to specific VLAN(s).
2. Select the Type of permission: exclusively a positive Allow or negative Deny, never a combination of both.
3. Click the Add Permission button. The following screen appears:

Figure 8-4: Applying permissions

4. If VLAN was selected, the following screen appears:

Figure 8-5: VLAN list

5. Select the switch for which you want to allow/deny access and click Apply.
6. Click Back to return to the Add Permissions dialog box.
7. Click the Enforce Now button to apply the changes you made.


8.2.5 MAC Address Details


The MAC Address Details screen presents the station, switch, switch port and organizational information. To open this screen click the View link in the Details column of the Station Permission screen.

Figure 8-6: MAC address details

The data displayed is divided into the following groups:
- Station details: the details of the station that contains the MAC address.
- Switch details: the details of the switch that contains the MAC address.
- Switch port details: the details of the switch port that contains the MAC address.
- Organization details: the details of the organization where the MAC address is located (if one is defined).


8.3 Site Permissions


Select Site Permissions from the Operations menu to open the Site Permissions screen.

Figure 8-7: Site Permissions screen

The Site Permissions screen enables you to determine permissions for MAC addresses on a required site. Use the Site Permissions screen as follows:
Use | To
Site Name | Enter the name of the site.
Building Name | Enter the name of the building.
Floor Name | Enter the name of the floor.
Room Name | Enter the name of the room.
Port State | Select the current state of the switch port: Enable, Disable, Unmanaged, or Uplink.
Socket | Enter the defined socket.
Switch IP | Enter the IP address of the switch to which the socket is connected.
Slot | Enter the slot number of the switch to which the socket is connected.
Port | Enter the port number of the switch to which the socket is connected.
| Filter the sites according to the information entered in the Site Name field.
| Clears the filtering pane (not the results).

8.3.1 Site Permission Parameters


After clicking the Filter button, the following Site Permission parameters are displayed:
Parameter | Description
Organization Name | The name of the organization.
Site Name | The name of the office branch or location of the company.
Building Name | The name of the building.
Floor Name | The name of the floor.
Socket Name | The name of the socket in a room which is connected to the port in the switch. The connection between the physical structures to the network structure is done via the socket level. A socket is linked with a given slot and port of a given switch.
Switch IP | The IP address of the switch which is connected to the socket.
Slot | The slot of the switch which is connected to the socket.
Port | The port of the switch which is connected to the socket.
Run Mode | The run mode of the switch. See Run Modes on page 36 for more information.
Permission | This row is empty if the run mode is not Learn.
Port State | Shows the current state of the switch port: Enable, Disable, Unmanaged or Uplink.
| Displays the list of run modes to select from. If you select Permit All as the run mode, and then click the Set Selected Port button, the Time Selection dialog box opens for you to define the exact time frame of the permitted site.
| Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
| Enables the selected ports.
| Disables the selected ports.
Go | Defines the number of lines displayed per page in the filtered results.

8.3.2 MAC Address Permission Filtering


Use the following screen to facilitate permissions handling of MAC addresses by filtering/querying and adding new addresses. Permissions can be set for all levels of the network, i.e., MAC addresses can be allowed or denied access to the whole network, to switches, or to individual ports.


NOTE
Permissions are set using exclusively positive Allow or negative Deny clauses, never a combination of both.

Figure 8-8: Filtering MAC address permissions

MAC Filtering Pane


Field | Description
MAC Address | The MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address | The last known IP address allocated to the MAC address.
Node Name | The last known network name of the MAC address's computer.
Switch Name | The switch name.
Switch IP | The IP address of the switch which contains the switch port the MAC address is connected to.
Slot | The slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
Last Discovered Permission | Allow: allows all MAC addresses selected for the given slots within the given level. Deny: denies all MAC addresses selected for the given slots within the given level.
| Filters the MAC address according to the IP address entered in the IP Address field.
| Clears the filtering pane (not the results).

TIP
To view the description of a specific MAC address, select the MAC address and click View Link under the Permissions column. See example below:

Figure 8-9: MAC address description

8.3.3 MAC Address Permission Parameters


After clicking the Filter button, the following MAC Address Permission parameters are displayed:
Parameter | Description
MAC Address | The MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address | The last known IP address allocated to the MAC address.
Node Name | The last known network name of the MAC address's computer.
Switch Name | The switch name.
Switch IP | The IP address of the switch which contains the switch port the MAC address is connected to.
Slot | The slot number containing the switch port to which the MAC address is connected.
Port | The port number to which the MAC address is connected.
IfIndex | The serial number of the switch port in the switch.
User Description | A description of the MAC address to facilitate easy identification of its computer.
Permissions | Opens the Change Permissions dialog box. See Changing Permissions below for more information.
| Changes selected MAC addresses to Allow.
| Changes selected MAC addresses to Deny.
| Closes the screen without saving any changes.
Go | Defines the number of lines displayed per page in the filtered results.

8.4 Advanced Station Addition


Select Advanced Station Addition from the Operations menu to open the Advanced Station Addition screen.

Figure 8-10: Advanced Station Addition screen

The Advanced Station Addition screen allows you to add new MAC address properties and define a start/end time for them.


New MAC Address Properties Pane

Field | Description
MAC Address | The MAC address of the station that performed the unauthorized connection. You can enter only a part of an address using the (%) or (*) sign as a prefix/suffix.
User Description | A description of the MAC address to facilitate easy identification of its computer. To add/modify the description click Edit.

Select Time Pane

Field | Description
Start Time | The exact time when the new MAC address was permitted.
End Time | The exact time when the new MAC address stopped being permitted.
| Adds the new MAC address properties.

Site Filtering Pane

Field | Description
Site Name | The name of the site.
Building Name | The name of the building.
Floor Name | The name of the floor.
Room Name | The name of the room.
Socket | The socket ID.
Switch IP | The IP address of the switch to which the socket is connected.
Slot | The slot number in the switch to which the socket is connected.
Port | The port number in the switch to which the socket is connected.
| Filters according to the IP address entered for the Switch IP.
| Clears the filtering pane (not the results).


8.4.1 Site Filtered Parameters


After clicking the Filter button, the following site filtered parameters are displayed:
Parameter | Description
Organization Name | The name of the organization.
Site Name | The name of the branch office or location of the company.
Building Name | The name of the building.
Floor Name | The name of the floor.
Socket Name | The name of the socket in a room which is connected to the port in the switch. The connection between the physical structures to the network structure is done via the socket level. A socket is linked with a given slot and port of a given switch.
Switch IP | The IP address of the switch which is connected to the socket.
Slot | The slot of the switch which is connected to the socket.
Port | The port of the switch which is connected to the socket.
Allow All | Changes all the MAC addresses to Allow.
Go | Defines the number of lines displayed per page in the filtered results.


Chapter 9: Antivirus Support

IN THIS CHAPTER:
SWAT's Added Value
Supporting External Antivirus Systems

9.1 SWAT's Added Value


SWAT acts as a universal network enforcer for security tools such as:
- Antivirus products (e.g., Symantec, McAfee, TrendMicro).
- IDS (Intrusion Detection Systems).
- IPS (Intrusion Prevention Systems).
- SOC (Security Operation Centers).

These products either:
- Operate on the IP level (sending alerts to inform that a given IP is malfunctioning).
- Operate on the wire level (blocking packets from passing through IPS devices, or removing a virus, as antivirus software does).

None of them operate in a way that removes the source of the threat from the network, or provides an alert that locates the threat in the network (i.e., switch/slot/port location) or in its geographic location (i.e., site/building/floor/room/socket).

SWAT acts as a universal enforcer that receives traps, reads log files, and intercepts emails from these products, and then:
- Performs an enforcement action (disconnect/move to VLAN).
- Sends a warning with the location-based information for the given threat.
- Adds location information to mail alerts sent by these products if they support this option.

Prior to one of SWAT's POCs, an organization with a huge Layer 2 network of 2000 nodes suffered from a denial of service virus attack, which its antivirus located but could not remove. Hence, the administrators knew the IP of the infected stations; however, it took more than 6 hours and several network experts to locate the stations and disconnect them from the network. A lot of time and money was wasted as a result. With SWAT POC, administrators are able to locate the infected stations within minutes, and remove them automatically from the network.

9.2 Supporting External Antivirus Systems


This section describes how to configure SWAT to support external antivirus systems. Refer to Symantec Configuration on page 129 for a vendor-specific configuration of the antivirus machine.

SWAT supports external antivirus systems, enabling you to physically stop the virus/worm expansion in the enterprise immediately. SWAT connects to the organization's antivirus system (currently Symantec, McAfee and Trend Micro) and receives alerts from it about stations infected by viruses that either cannot be removed or occur repeatedly. Based on these alerts, SWAT informs network security personnel and notifies them of the actual physical location of the malicious station. Thus, the infected station can be disconnected at once, preventing the virus from spreading and attacking other stations.

In order to configure SWAT for antivirus support, you need to select the appropriate option in the Alert Types screen.

Figure 9-1: Antivirus alerts sent to SWAT (callout: External antivirus alerts)

Next, you need to edit the virus handling configuration file.


VirusHandle.XML File
The action SWAT performs (Warn/Disconnect) is listed in each of the following entries of the VirusHandle.XML file:
<Virus>
  <VirusHandlerEntry>
    <SWATAction>Warn</SWATAction>
    <IPs>
      <IP>*.*.*.*</IP>
    </IPs>
    <AlertNames>
      <Alert>All</Alert>
    </AlertNames>
    <Severities>
      <Severity>All</Severity>
    </Severities>
    <Actions>
      <Action>All</Action>
    </Actions>
    <AlertsPerMinutes>
      <NumberOfAlert>1</NumberOfAlert>
      <Minutes>0</Minutes>
    </AlertsPerMinutes>
    <IgnorVirusNames>
      <IgnorVirusName></IgnorVirusName>
    </IgnorVirusNames>
  </VirusHandlerEntry>
</Virus>

IP (subnet) that can be managed.
Alerts you want to handle (either all alerts or by name).

NOTE
The alert settings are somewhat dependent on the specific antivirus system.

Action taken by the antivirus (e.g., quarantine, delete, etc.); you can choose to filter according to a certain kind of action.
Alerts per Minute handles alerts only once a defined number of alerts has arrived within a defined amount of time. The default is set to handle the first alert that arrives.
Ignore Virus Name enables ignoring/recognizing a virus by its name.

NOTE
You can use the wildcard capability for virus names.
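The following is an added example, not part of the SWAT product or this guide: a pre-deployment review of a VirusHandle.XML file that lists which entries cover a station and flags Disconnect rules that apply to every address or fire on a single alert, where one false-positive alert would take a port offline. The octet-wise reading of the IP wildcard and the sample entries 1 and 2 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Entry 0 is the default entry shown above; entries 1 and 2
# are hypothetical Disconnect rules added for the demonstration.
SAMPLE = """\
<Virus>
  <VirusHandlerEntry>
    <SWATAction>Warn</SWATAction>
    <IPs><IP>*.*.*.*</IP></IPs>
    <AlertNames><Alert>All</Alert></AlertNames>
    <Severities><Severity>All</Severity></Severities>
    <Actions><Action>All</Action></Actions>
    <AlertsPerMinutes><NumberOfAlert>1</NumberOfAlert><Minutes>0</Minutes></AlertsPerMinutes>
    <IgnorVirusNames><IgnorVirusName></IgnorVirusName></IgnorVirusNames>
  </VirusHandlerEntry>
  <VirusHandlerEntry>
    <SWATAction>Disconnect</SWATAction>
    <IPs><IP>*.*.*.*</IP></IPs>
    <AlertNames><Alert>All</Alert></AlertNames>
    <AlertsPerMinutes><NumberOfAlert>1</NumberOfAlert><Minutes>0</Minutes></AlertsPerMinutes>
  </VirusHandlerEntry>
  <VirusHandlerEntry>
    <SWATAction>Disconnect</SWATAction>
    <IPs><IP>10.20.*.*</IP></IPs>
    <AlertNames><Alert>All</Alert></AlertNames>
    <AlertsPerMinutes><NumberOfAlert>3</NumberOfAlert><Minutes>5</Minutes></AlertsPerMinutes>
  </VirusHandlerEntry>
</Virus>
"""


def _texts(entry, path):
    return [(e.text or "").strip() for e in entry.findall(path)]


def load_entries(xml_text):
    """Parse every VirusHandlerEntry into a plain dict."""
    entries = []
    for e in ET.fromstring(xml_text).findall("VirusHandlerEntry"):
        entries.append({
            "action": (e.findtext("SWATAction") or "").strip(),
            "ips": _texts(e, "IPs/IP"),
            "alerts": _texts(e, "AlertNames/Alert"),
            "count": int(e.findtext("AlertsPerMinutes/NumberOfAlert") or 1),
            "minutes": int(e.findtext("AlertsPerMinutes/Minutes") or 0),
            "ignored": [t for t in _texts(e, "IgnorVirusNames/IgnorVirusName") if t],
        })
    return entries


def ip_matches(pattern, ip):
    """Assumption: '*' stands for exactly one dotted-quad octet."""
    p, a = pattern.split("."), ip.split(".")
    return len(p) == 4 and len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))


def entries_covering(entries, ip):
    """Indexes of the entries whose IP patterns include this station."""
    return [i for i, e in enumerate(entries)
            if any(ip_matches(p, ip) for p in e["ips"])]


def audit(entries):
    """Flag unknown actions and over-broad Disconnect rules."""
    findings = []
    for i, e in enumerate(entries):
        if e["action"] not in ("Warn", "Disconnect"):
            findings.append((i, "unknown SWATAction %r" % e["action"]))
        elif e["action"] == "Disconnect":
            if "*.*.*.*" in e["ips"]:
                findings.append((i, "Disconnect applies to every address"))
            if e["count"] <= 1:
                findings.append((i, "Disconnect fires on a single alert"))
    return findings
```

Running audit(load_entries(...)) against the production file before switching an entry from Warn to Disconnect shows which rules would act on the first alert from any station.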

Antivirus Server
Once the SWAT server is configured, you need to configure the antivirus server in order to notify SWAT about the virus incidents. Since each vendor has a specific configuration, refer to Antivirus Integration on page 129 for further information about the supported vendors.


Chapter 10: Advanced Settings

In this chapter:
Switch List File
Router List File
Defining New Device Types
Watchdog Service

10.1 Switch List File


Using the Switch List file you can set up the whole network structure quickly and efficiently. The file contains the list of switches in your network with their parameters in CSV format (Comma Separated Values). See Switches on page 49 for additional information.

The file must be saved under the name SWITCHDATA.CSV in the [INSTALLDIR]\data directory. The file's format is as follows:
SwitchName, SwitchIP, Community

Each entry or field is separated by a comma and each new row in the database is represented by a new line. An example file:
AlphaSwitch,121.1.23.34,public
BetaSwitch,234.11.230.1,comget
GammaSwitch,120.29.2.1,pass

10.2 Router List File


Using the Router List file you can set up the whole network structure quickly and efficiently. The file contains the list of routers in your network with their parameters in CSV format (Comma Separated Values). See Routers on page 66 for additional information.

The file must be saved under the name ROUTERDATA.CSV in the [INSTALLDIR]\data directory. The file's format is as follows:
RouterName, RouterIP, Community

Each entry or field is separated by a comma and each new row in the database is represented by a new line. An example file:
AlphaRouter,121.1.23.254,public
BetaRouter,234.11.230.254,comget
GammaRouter,120.29.2.254,pass
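The following is an added example, not part of the SWAT product or this guide: a check to run on SWITCHDATA.CSV or ROUTERDATA.CSV before loading it, covering both list files described above. It verifies the three-field layout, rejects addresses that cannot belong to a managed device, and flags duplicate addresses and default SNMP community strings; the finding texts and the last three sample rows are constructed.

```python
import csv
import io
import ipaddress

# Community strings that ship as vendor defaults and should not reach production.
DEFAULT_COMMUNITIES = {"public", "private"}

# Rows 1-3 are the example file from the guide; rows 4-6 are constructed
# to exercise the duplicate, short-row and bad-address checks.
SAMPLE = """\
AlphaSwitch,121.1.23.34,public
BetaSwitch,234.11.230.1,comget
GammaSwitch,120.29.2.1,pass
DeltaSwitch,120.29.2.1,pass2
EpsilonSwitch,10.0.0.30
ZetaSwitch,10.0.0.300,s3cr
"""


def check_device_list(text):
    """Return (line number, finding) pairs for a Name,IP,Community list."""
    findings = []
    seen = {}  # address -> first line that used it
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue  # ignore blank lines
        fields = [f.strip() for f in row]
        if len(fields) != 3 or not all(fields):
            findings.append((lineno, "expected Name,IP,Community"))
            continue
        _name, ip_text, community = fields
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ipaddress.AddressValueError:
            findings.append((lineno, "invalid IPv4 address"))
            continue
        # Multicast (224.0.0.0/4), reserved (240.0.0.0/4), loopback and
        # 0.0.0.0 can never be the management address of a device.
        if ip.is_multicast or ip.is_reserved or ip.is_loopback or ip.is_unspecified:
            findings.append((lineno, "not a unicast host address"))
        if ip in seen:
            findings.append((lineno, "duplicate of line %d" % seen[ip]))
        else:
            seen[ip] = lineno
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default community string"))
    return findings


if __name__ == "__main__":
    for lineno, finding in check_device_list(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

Both list files hold SNMP community strings in clear text, so the [INSTALLDIR]\data directory should be readable only by the accounts that run SWAT.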

10.3 Defining New Device Types


One of the major problems in the mapping process is the fact that although there is a standard to hold map information (the Bridge MIB standard), not all the devices on the market support this standard. Furthermore, the devices that do support the standard may support it in different ways.

SWAT learns new types of devices without any change in the software. You can define the new information of the product, or send Wise-Mon the SNMP output of the device. You will then receive a configuration file that includes information on how to learn the information from the given device.

The definition of new devices is done in an XML file named EquipmentType.XML in the [INSTALLDIR]\ini directory. Each device is contained in a tag as described in the following figure:

EquipmentType.XML basic entry:

<EquipmentTypeEntry>
  <SysObjectId/>
  <Description/>
  <GifNormal/>
  <GifWarning/>
  <GifError/>
  <nTypeValues/>
  <strType/>
  <ObjectInfo/>
  <InterfaceInfo>
    <Table>
      <Index>
        <Function>GetTable</Function>
        <Parameters>
          <OID_name>mib2.interfaces(2).ifTable(2).ifEntry(1).ifIndex(1)</OID_name>
          <OID>1.3.6.1.2.1.2.2.1.1</OID>
        </Parameters>
      </Index>
      <MacAddress/>
      <Description/>
      <Name/>
      <Alias/>
      <Type/>
    </Table>
  </InterfaceInfo>
  <Layer3LinkInfo/>
  <Layer2LinkInfo/>
  <VlanInfo/>
  <SlotPortInfo/>
</EquipmentTypeEntry>

The tags contain details on the location of given information, and the method to get it. The best way to add a new device is to copy the EquipmentTypeEntry of a similar device and modify the relevant fields.

10.3.1 EquipmentTypeEntry Tags


The XML file is built out of several tags. The following section explains some of the tags.

XML Reference
The most commonly used fields in the XML reference are described in the following table.

NOTE
Indented XML tags signify that the clause should be contained in the clause above it.

| XML Clause | Description | Expected Value |
|---|---|---|
| EquipmentTypeEntry | Binds an entry to a given device. | EquipmentTypeEntry entries |
| SysObjectId | The SysObjectID of a given device. The program tries to find the longest prefix that matches the device SysObjectID. | Example: 1.3.6.1.4.1.9.1.620 |
| Description | Describes the device. | Text |
| strType | The category of the device. | Computer; hub; invisible-hub; router; switch-hub; switch-router; unknown |
| ObjectInfo | A sub XML containing the instructions on how to extract general information about the object. | Name; description |
| InterfaceInfo | A sub XML containing the instructions on how to extract general information on the object's interfaces. | Index; MAC address, description; name; Alias; type |
| Index | A sub XML containing the instructions on how to extract the IfIndex of an interface. | Function; parameters |
| Function | The type of function that extracts the requested data. | GetField; GetTable; GetSlotPort |
| Parameters | The XML parameters which are passed to the function. Each function has its own parameter. See XML Reference on page 120 for further details and examples. | OID_Name; OID; SQL; HeaderString; Separator |
| MacAddress | A sub XML containing the instructions on how to extract the ARP table's MAC Address. | Function; parameters |
| Description | A sub XML containing the instructions on how to extract the IfDescription of an interface. | Function; parameters |
| Name | A sub XML containing the instructions on how to extract the IfName of an interface. | Function; parameters |
| Alias | A sub XML containing the instructions on how to extract the IfAlias of an interface. | Function; parameters |
| Type | A sub XML containing the instructions on how to extract the IfType of an interface. | Function; parameters |
| Layer3LinkInfo | A sub XML containing the instructions on how to extract information on the object's ARP table. | Index; MAC address; IP address |
| VlanInfo | A sub XML containing the instructions on how to extract information on the object's VLAN. | Index; IfIndex; VlanId |
| SlotPortInfo | A sub XML containing the instructions on how to extract information on the interfaces slots/ports. | Function; parameters |
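The SysObjectId row says the program picks the entry with the longest matching prefix. The following added example, not taken from the SWAT software, shows that lookup and the case where comparing OIDs as plain strings picks the wrong entry. It assumes prefixes are compared per OID component, which the guide does not state; the entry labels are hypothetical.

```python
# Constructed table: sysObjectId prefix -> label of the EquipmentTypeEntry.
# 1.3.6.1.4.1.9.1.620 is the example value from the table above.
ENTRIES = {
    "1.3.6.1.4.1.9": "entry-9",
    "1.3.6.1.4.1.9.1.6": "entry-9.1.6",
    "1.3.6.1.4.1.9.1.620": "entry-9.1.620",
}


def parse_oid(text):
    """Turn a dotted OID (leading dot allowed) into a tuple of integers."""
    parts = text.strip().strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a numeric OID: %r" % text)
    return tuple(int(p) for p in parts)


def best_entry(device_oid, entries):
    """Longest-prefix match, one OID component at a time."""
    device = parse_oid(device_oid)
    best_key, best_value = (), None
    for key_text, value in entries.items():
        key = parse_oid(key_text)
        if device[:len(key)] == key and len(key) > len(best_key):
            best_key, best_value = key, value
    return best_value


def naive_best(device_oid, entries):
    """String-prefix match, shown only for contrast: 9.1.62 'starts with' 9.1.6."""
    hits = [k for k in entries if device_oid.startswith(k)]
    return entries[max(hits, key=len)] if hits else None


if __name__ == "__main__":
    for oid in ("1.3.6.1.4.1.9.1.620", "1.3.6.1.4.1.9.1.62", "1.3.6.1.4.1.11.2"):
        print(oid, "->", best_entry(oid, ENTRIES), "| string match:", naive_best(oid, ENTRIES))
```

When adding an entry for a new device, check which existing prefix it would otherwise fall under, since a device that matches only a short vendor-level prefix is polled with that entry's instructions.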

10.3.2 Loading the XML File


In order for changes to take effect the XML file must be loaded into the product's database. The loading program is named LoadEquipmentTypeInfo.bat and is located in the [INSTALLDIR]\bin\DATABASE_MANAGEMENT directory. The utility updates the information in the table, so a partial XML can be entered too. The key for the update is the sysObjectId value of the entry.

Supported Devices
As you can see in the XML file, the product supports a large number of devices from all the known equipment providers. Among them are: Cisco, Nortel, Avaya, 3Com, Sun, HP and more. New devices are added all the time. Contact Wise-Mon for updates on the existing file. You can add your proprietary devices on your own or contact Wise-Mon for guidelines and help on how to add new devices.

10.4 Watchdog Service


The Watchdog service guards the Trap service, Manager and Database Scheduler processes, and sends an alert if a certain service is down.

NOTE
If you receive an alert that a certain action is down, you need to restart that service; if you receive an alert that the manager is down, you need to restart the agent as well.

In order to ensure that the Watchdog file runs, put the file in the Windows scheduler on the server as follows:
1. From the Start menu, select Settings>Control Panel>Scheduled Tasks>Add Scheduled Task. The Scheduled Task Wizard appears as follows:

Figure 10-1: Scheduled Task Wizard

2. Click Next to access the following screen, then click the Browse button and select SWAT Jobs from the list of programs.

Figure 10-2: Program selection


3. Click Open to access SWAT Jobs and display the following screen:

Figure 10-3: Daily run

4. Select Daily, so that the process runs every day, and then click Next. The following screen appears:

Figure 10-4: Start time

5. Enter the time you want the process to start and make sure that Every Day is selected. Click Next to access the next screen.
6. Enter your login user name and password and click Next.

The following screen appears:

Figure 10-5: Advanced properties

7. Select Open advanced properties... (as shown in the screen above) and click Finish. The SWAT Watchdog screen appears as follows:

Figure 10-6: Scheduling the task


8. Select the Schedule tab, verify that everything is configured as required and click the Advanced button. The Advanced Schedule Options dialog box appears as follows:

Figure 10-7: Advanced scheduling options

9. Select Repeat task and configure the task to repeat itself every 30 minutes and the duration to 24 hours (as shown in the screen above).
10. Click OK twice to apply the changes and close the screen.

Chapter 11: Background Processes

11.1 Job List

The SWAT .ini file includes the list of SWAT jobs and the frequency at which they run.

NOTE
To change when the jobs run, make the required modifications in the .ini file and then run the SetFrequencyJobs.bat file, located in the [INSTALLDIR]\bin\DATABASE_MANAGMENT directory.

DeleteOldLogs
This job runs in order to delete old log files; the default setting runs this process every hour.
- In the Log directory: deletes all files that are older than 12 hours or larger than 50 mega.
- In the Temp directory: deletes all files older than one month.

NOTE
You can change the default parameters from the bin>SWATjobs>DeleteOldLogs.bat file.

LoadSwitchesData
This job runs in order to load all the switches' data (ports and VLANs); the default setting runs this process every 24 hours.

LoadRoutersData
This job runs in order to load all the routers' data (subnets); the default setting runs this process every 24 hours.

ClearEndedJobs
This job runs in order to clear the finished jobs from Scheduled Tasks; the default setting runs this process every hour.


LoadManagementPlatform
This job runs in order to load the management platform (see Management Platform Connectivity Pane on page 36 for further information); the default setting is set to zero, i.e. the process is set not to run.

LoadDNSNames
This job runs in order to review all the IP addresses and update their DNS names; the default setting runs this process every 24 hours.

CleanDB
This job runs in order to clean the following tables from the database; the default setting runs this process every 24 hours.

Tables:
- SWAT_ALERTS: deletes all the alerts that are older than the defined time; the default setting is 14 days.
- SWAT_INACTIVE_STATIONS: deletes all the old stations that have not been connected for the defined time; the default setting is 365 days.
- SWAT_STATION_HISTROY: deletes the history of each station according to the defined time; the default setting is 365 days.
- SWAT_VIRUSES_History: deletes the information on each virus according to the time defined; the default setting is 14 days.

Appendix A: Antivirus Integration


A.1 Symantec Configuration

SWAT can connect to the Symantec antivirus system and receive alerts about infected stations whose viruses cannot be removed or occur repeatedly.

To configure Symantec to send traps to SWAT, perform the following:
1. Configure Windows SNMP service as shown below.

Figure A-1: Windows Components screen


2. Select the Simple Network Management Protocol checkbox and click OK.

Figure A-2: Management and Monitoring Tools screen

3. Select All Tasks>AMS>Configure to access Symantec's SSC Console. Choose the relevant server group and open the AMS settings.

Figure A-3: SSC console


4. Select the Virus Found option and click the Configure button.

Figure A-4: Symantec; Corporate Edition

5. From the Select Action dialog box, select the Send SNMP Trap option and click Next.

Figure A-5: Selecting an action

6. If the SNMP service is configured correctly, the server's host name should appear in the Select Action Computer screen (below) after a few seconds.

TIP
If the server's host name is not displayed, restart the antivirus server.

Figure A-6: Selecting Action Computer screen

7. Select the server's host name and click Next to open the Enter Action Message screen.

Figure A-7: Entering Action Message

8. In the Alert Message pane, enter the text as shown above or copy it directly from the VirusHandlerHelp.txt file located in the Installation directory under the ini folder (C:\WISE-MON\SWAT\ini).


9. Click Finish. Make sure that the new rule now appears under Virus Found.

Figure A-8: Verifying new rule

10. Open the Windows Services screen and double-click the SNMP Service line to open the SNMP Service Properties screen.

Figure A-9: Services screen

11. Click the Traps tab and enter the SWAT IP address or host name in the Trap Destinations pane.


Figure A-10: Entering IP address or host name

12. Select Public from the Community Name drop-down list.

In most cases you need to restart the services of the antivirus server in order for the new settings to take effect; a full restart of the server is recommended.

NOTE
These settings apply to the antivirus side only; for the SWAT side refer to the VirusHandler.xml file.

Appendix B: Advanced Configuration

B.1 Database Configuration
SWAT's database settings are configured in the Database section.
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=Encrypted:52616e646f6d49563378d2b299e7b267dbe86b0c8445c971463bb76bec188d14
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no

B.1.1 Connection String


Connection strings are string variables which contain database connection information, i.e., they define the database used and its location. The connection string is also used to create the SWAT database. The database server connection string, entered under the DSN/WEBdsn parameter, is:
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no

The SERVER value in the example above, (local), points to a database on the same server as SWAT. It can be replaced with the name/URL or the IP address of the database server, e.g., SERVER=192.168.1.2.

NOTE
Remove the parentheses for server names and IP addresses. If you define the ODBC system entry for SWAT on your own, the connection string should look like this: dsn=dbi:ODBC:EntryName. If you decide to change your password after the installation and want it to appear encoded in the file, run the following file in the command line:

[InstallDir]\bin\SetEncryptedPassword.exe [InstallDir]\ini\swat.xml newPassword

B.1.2 User Name and Password


The primary definitions for the database are the user name and password sa. If you have different settings for your database server you need to update them.

TIP
You can change your user name and password at any stage.
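The following is an added example, not part of the SWAT product or this guide: a review of the [database] section from B.1 that reports the settings an administrator would want to revisit (the sa login, SQL authentication, a clear-text password, a remote database server) and inspects the layout of the Encrypted: value. The finding texts and the second sample configuration are constructed.

```python
# The [database] section as shown in B.1.
SAMPLE = """\
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=Encrypted:52616e646f6d49563378d2b299e7b267dbe86b0c8445c971463bb76bec188d14
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no
"""

# Constructed variant: clear-text password and a database on another host.
REMOTE = """\
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=192.168.1.2;database=SWAT
user=swat_svc
password=example-only
WEBdsn=Initial Catalog=SWAT;Data Source=192.168.1.2;Trusted_Connection=no
"""

LOCAL_NAMES = ("(local)", "localhost", "127.0.0.1")


def read_section(text, section="database"):
    """Read key=value pairs of one section; lines starting with ';' are comments."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def conn_params(conn):
    """Split a 'k=v;k=v' connection string into a dict with lower-case keys."""
    pairs = (part.partition("=") for part in conn.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}


def blob_header(password_value):
    """Printable ASCII in the first 8 bytes of the Encrypted: blob, and its size."""
    blob = bytes.fromhex(password_value[len("Encrypted:"):])
    head = blob[:8]
    text = head.decode("ascii") if all(32 <= b < 127 for b in head) else ""
    return text, len(blob)


def audit_database(text):
    cfg = read_section(text)
    findings = []
    if cfg.get("user", "").lower() == "sa":
        findings.append("connects as the SQL Server sysadmin login sa")
    if not cfg.get("password", "").startswith("Encrypted:"):
        findings.append("password stored in clear text")
    web = conn_params(cfg.get("webdsn", ""))
    if web.get("trusted_connection", "").lower() == "no":
        findings.append("SQL authentication in use (Trusted_Connection=no)")
    server = conn_params(cfg.get("dsn", "")).get("server", "")
    if server and server.lower() not in LOCAL_NAMES:
        findings.append("database on a remote server: %s" % server)
    return findings


if __name__ == "__main__":
    print(audit_database(SAMPLE))
    # A readable header followed by more bytes means the value is ciphertext
    # (reversible), not a hash, so the file's access rights still matter.
    print(blob_header(read_section(SAMPLE)["password"]))
```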

B.2 Windows Server 2003 Configuration


When installing SWAT on Windows Server 2003, perform the following after the installation:
1. Open Internet Information Services.
2. Create an application name for SWATWeb:
   a. Expand the folders Web Sites>SWAT>SWATWeb.
   b. Right-click SWATWeb and select Properties.
   c. In the Application Settings pane, click the Create button near the Application Name field.
   d. Enter the name SWATWeb and click OK.
3. Create a new application pool for SWAT:
   a. Right-click Application Pools and select New>Application Pool.
   b. In the Application Pool ID box type SwatApplicationPool and click OK.

Figure B-1: Adding a new application pool

4. Change the application pool identity to Local System:
   a. Right-click SwatApplicationPool and select Properties.
   b. From the Identity tab, under Application Pool Identity>Predefined, select Local System.

Figure B-2: Application pool identity

5. Set SWAT's application pool:
   a. Under the Web Sites folder, right-click SWAT>SWATWeb and select Properties.
   b. From the bottom of the Home Directory tab, in the Application pool list, select SwatApplicationPool.
   c. Click OK.
6. Now, when you select the SwatApplicationPool, you should see the three directories under it.

Figure B-3: SWAT application pool


Contact Information:
Main Office: 18 Ben Gurion Street, Givat-Shmuel, 54101, Israel
Telephone: +972-3-7370737
Fax: +972-3-7370707
Web Site: http://www.Wise-Mon-t.com
For assistance/information: sales@Wise-Mon-t.com

Wise-Mon Technologies 2006
