Table of Contents

Chapter 1: Introduction
    Overview ... 1
    Existing Detection Tools ... 1
    Key Features ... 3
    Intruders & Malicious Stations ... 3
    802.1x & NAC ... 4
    Overview of 802.1x and NAC ... 4
    Online Network Discovery Tools ... 6
    Additional Benefits ... 7
    Organizational Tree Support ... 7
    ESM Integration ... 8
    Flexible MAC Address Permissions ... 8
    Enhanced Reports and Query Capabilities ... 8
    Easy Installation ... 8
    Scalable Installation ... 8

Chapter 3: Pre-Installation
    System Requirements ... 14
    Obtaining the Software ... 15
    Database Configuration ... 15
    Switch/Router Information & Configuration ... 17

Chapter 4: Installation
    Installing SWAT ... 18
    SWAT Directories ... 21
    Reinstalling SWAT ... 22
    Configuration ... 23
    General - Verbose Logging ... 24
    Interface ... 24
    Discovery Agents & Managers ... 24
    Default Installation ... 25
    Creating a New Agent ... 25
    Creating a New Manager ... 27
    Installing the Manager ... 28
    Key File Creation ... 29
    Generating a Key File ... 30
    Uninstalling SWAT ... 30

Chapter 5: Administration
    Administration Menu ... 31
    General Administration Form ... 32
    Run Modes ... 36
    SWAT Users ... 38
    Alert Types ... 40
    Alert Type List ... 41

Chapter 7: Reports
    Reports Menu ... 76
    Station Reports ... 77
    Inactive Stations Report ... 77
    New Stations Report ... 80
    Station History Report ... 82
    Network Reports ... 83
    Inactive Ports ... 84
    Active Multi MAC Ports ... 86
    Multi MAC Ports ... 88
    Statistics Reports ... 89
    New Station Statistics ... 90
    Moving Station Statistics ... 91
    Station Alert Statistics ... 92
    Port Statistics ... 92
    Alert Console ... 93
    Alert Console Filtering Pane ... 94
    Alert Console Filtered Results ... 95
    Scheduled Tasks ... 96
    Scheduled Tasks Filtered Results ... 96

Chapter 8: Operations
    Operations Menu ... 98
    Station Permissions ... 99
    MAC Address Filtering Pane ... 99
    Add New MAC Address Pane ... 100
    MAC Addresses Filtered Results ... 101
    Changing Permissions ... 102
    MAC Address Details ... 104
    Site Permissions ... 105
    Site Permission Parameters ... 106
    MAC Address Permission Filtering ... 107
    MAC Address Permission Parameters ... 109
    Advanced Station Addition ... 110
    Site Filtered Parameters ... 112

    Connection String
    User Name and Password
    Windows Server 2008 Configuration
Preface

Welcome to SWAT (Switch Access Control), the ideal NAC for protecting your network from unauthorized endpoint devices.

The purpose of this guide:
This guide contains information for using SWAT efficiently and correctly.

Who should use this guide?
This guide is intended for network and security managers.

Conventions:
The manual uses the following conventions:
- Actions you need to perform are displayed in bold. For example, click OK or enter the IP address.
- This font is used for hyperlinks.
- This font is used for code and system activity.
- UPPERCASE is used for keys and acronyms.
- Cross-references are underlined. For example, see Conventions.
- The Italic font is used to emphasize words and phrases in certain cases.
NOTE
Notes are used to call your attention to important and special information.
TIP
Tips are used to provide additional and beneficial information.
CAUTION
Caution implies essential information that should be taken with extra care.
Introduction

IN THIS CHAPTER:
Overview
Key Features
Intruders & Malicious Stations
802.1x & NAC
Additional Benefits
1.1 Overview
SWAT (SWitch Access conTrol), a Wise-Mon NAC product, enables online mapping of IP addresses to their exact physical entry point and geographical location. Providing a critical capability for IDS/IPS, anti-virus and risk management solutions, SWAT complements existing security tools by automatically or manually blocking the actual port of an intruder and instantly preventing unauthorized stations from connecting to the organization's LAN. SWAT also enables quick and simple migration to 802.1x, providing simple, non-intrusive network access control for switches and end stations that do not support 802.1x. The product supplies a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.
Chapter 1: Introduction
Existing Detection Tools

Intrusion Detection Systems
IDS (Intrusion Detection Systems) scan the data passing through them on the way to the server farm or important parts of the network. IDS identify a pattern of attack and notify users of the attacker. The attacker is identified by its IP address.

Intrusion Prevention Systems
IPS (Intrusion Prevention Systems) solutions are enhanced IDS which also block the attacker after identifying it, using one of the following methods:
- Blocking its traffic.
- Terminating its TCP communication.
- Inserting access lists into firewalls and routers.
None of these blocking mechanisms excludes the malicious station from the network. They only confine the intruder and limit its access to the server farm, or at best prevent it from leaving its segment. Intruders, however, can continue infecting stations in the unblocked part of the network. Furthermore, the stations they infect act as proxies for additional attacks.

Centralized Anti-Virus Solutions
There is a current trend toward centralized anti-virus management on all stations inside the organization. This enables controlled updates of virus information from the center, and the ability to receive alerts for:
- Discovered viruses in the enterprise.
- Stations that removed the anti-virus agent.
However, these products only notify the administrators of the alerts; they do not disable the malicious stations.

Risk Management Solutions
Risk management tools gather event logs and audit records from servers and devices in the enterprise, then correlate the records in order to discover intruders or malicious stations. If an intruder is found, the operator is notified and actions are performed accordingly. However, at the network level only the IP address of the malicious station is known, as with IPS.
Key Features
- Provides the exact location of an intruder:
    Physical: switch/slot/port.
    Geographical: building/floor/room/socket.
- Complements the capabilities of existing IDS/IPS, anti-virus and risk management solutions, disabling intruders and excluding attackers from the network within seconds of discovery.
- Includes a powerful engine, providing a distributed, instantaneous online discovery process.
- Physically moves new stations to a VLAN and automatically disables/enables them, enhancing network quarantine abilities.
- Enables simple integration with management platforms (Tivoli, HP, CA and more).
- Performs online mapping, enabling IP address to MAC address mapping along with online management of the organization layout.
- Easily installed, maintained and operated from a central position in the network. No additional components or adjustments to the network architecture are required.
- Multi-vendor switch support.
- SWAT provides a full enhanced compliance mechanism using a variety of protocols: WMI, SNMP, HTTP, TELNET.
Additional features:
Quick and simple migration to 802.1x, providing access control for switches and end stations that do not support 802.1x. Includes a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.
Intruders & Malicious Stations

The problem:
IDS/IPS, centralized anti-virus and risk management software detect and block malicious stations either from within the organization or from the outside. Hence, these products operate and block stations at the IP address level (access lists in firewalls/routers). This solution is sufficient for intruders outside the organization; however, malicious stations residing within the organization can continue poisoning the enterprise's internal network. Most malicious stations that actually cause damage come from within the organization, thus there is a need to disconnect malicious stations, based on their IP address, at the actual physical port level. Most operators require the exact physical location (switch/slot/port) of a station with a given IP address, as well as the exact geographical location (building/floor/room/socket), in order to disconnect it from the network.

Wise-Mon's solution:
Serving as the next step for IDS/IPS, anti-virus and risk management solutions, SWAT complements existing security tools by blocking the actual physical port of an intruder. With the ability to perform online mapping of MAC addresses, SWAT specifies the exact location of an intruder on both the physical and geographical level, right away. In order to locate newly connected stations and validate them using their MAC addresses for identification, SWAT combines alert handling mechanisms with fast, low-bandwidth switch polling. SWAT is easy to deploy and implements an easy-to-use web-based GUI with full management capabilities. High-speed, low-bandwidth IP scanning and router polling provide quick identification and compliance checks for layer 3 devices.
802.1x & NAC

Overview of 802.1x and NAC
- Network devices that support 802.1x.
- A RADIUS server which is connected to the organization's authentication store.
It is clear that within 3-5 years 802.1x will become the standard for network access authentication, for both wired and wireless devices.

The problems in implementing 802.1x:
There are a few problems with the current implementation of 802.1x:
- Currently not all switches support this standard. For some switches only a firmware change is required; for others the complete switch must be replaced.
- It requires a change in the enterprise network's architecture (switch, RADIUS, device drivers in stations, etc.).
- The implementation itself is very complex and requires a long deployment period (weeks to months in most organizations).
- Many network devices do not support 802.1x:
    Most printers.
    Some UNIX platforms.
- It is quite complicated to manage 802.1x.

SWAT as an easy way for 802.1x migration:
SWAT enables organizations to migrate to 802.1x easily and reliably. SWAT provides access control checks for switches and network stations that do not support 802.1x. Implementing SWAT does not require any change to any switch or end device, and most network devices are supported as is. SWAT acts as a centralized guard of the internal network.

MAC address & location-based security permission system:
SWAT supplies a security mechanism which restricts access to the organization's internal network based on MAC addresses. The product creates a repository of all nodes in the enterprise network. It then checks the connecting nodes and either permits or disconnects the node from the network according to the given permissions. The security parameters for a permission entry are:
- A list of ports on the switches.
- A list of switches (all the ports of a given switch).
- A list of sockets and physical access points in the geographical premises of the enterprise. A socket is represented by the following information: location-building-floor-room-socket.
- Time-based permission system.
Online Network Discovery Tools

Existing detection tools:
- Centralized tools mounted on a single server. Thus, all discovery communication passes through the network to the server and there is no distributed discovery.
- High bandwidth utilization, since all discoveries are centralized, entailing high bandwidth expenses when the organization is distributed.
- Serial discovery process usually polls one node at a time, causing a slow discovery cycle. In a large network the discovery cycle can last many hours (this being the reason that most of these tools recommend scheduling a discovery cycle every few days).
- Malicious station detection tools do not integrate with any security product.

SWAT:
- SWAT has the ability to distribute agents that perform the discovery process. The discovery agents are located near the monitored equipment and perform the discovery in parallel. SWAT locates the agents near the monitored devices, maintaining an image of the results in the agents. Only the delta between discoveries is returned to the center. This reduces the bandwidth utilization.
- The distributed agents supply parallel discovery. SWAT also performs asynchronous discovery operations within the agent, allowing faster operations within each agent. This enables SWAT to perform a full discovery operation within minutes.
- SWAT integrates with IDS, IPS, centralized anti-virus management stations and risk management tools.

Existing detection tools:
- Limited device support for only a given set of devices with mapping connections. Adding new nodes usually requires changes in the software.
- No geographical location support, and usually no information is provided about the physical location of a given node.
- Non-scalable, becoming very slow when the discovered network grows.

SWAT:
- Mapping is hardly a standardized issue. SWAT is designed to enable support of new devices at site level by changing configuration files. Minimal software changes are required when adding new device support to SWAT.
- SWAT enables obtaining the geographical location of a given device. The location information can be imported from external sources and asset management tools.
- SWAT is designed for scalability, allowing unlimited agents with unlimited managers in the centers, accepting data from the agents. The managers can also be distributed to the different devices.
NOTE
All communication between the agents and managers in the center is secured and encrypted.
imported from existing asset management platforms in the organization, or fully maintained using only the SWAT GUI.
For large installations with thousands of switches, SWAT offers a distributed and scalable deployment, designed for any size network.
Operational Concepts

IN THIS CHAPTER:
Disconnect mode: when unidentified/unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected. The unidentified MAC addresses are then blacklisted.
NOTE
Each and every mode can be configured for the entire enterprise network or a specific switch or port.
NOTE
In order to stay connected, the permissions (exclusively positive or negative) have to either approve the switch/port or not deny the switch/port.
If the current run mode is any type of learn mode, the computer's MAC address is authorized in one of the following ways:
- If the MAC address is authorized to access the port, its permissions are not altered.
- If the address is not authorized:
    Learn-and-Lock modes add permissions to the switch/port.
    Learn and Learn Once modes add permissions to the entire network; old permissions are deleted.
Multiple agents which perform the discovery in parallel to different parts of the network. Each agent sends its requests asynchronously to the switches and routers it monitors, and then correlates the answers. This way the discovery cycle within each agent is very short.
Pre-Installation

IN THIS CHAPTER:
System Requirements
Obtaining the Software
Database Configuration
Switch/Router Information & Configuration
System Requirements

Hardware Requirements
Processor
    Intel. Dual Pentium IV 2.0 GHz processors with 512 KB cache. SWAT's CPU consumption depends on the number of monitored switches and connected nodes.
Disk space
    At least 250 MB.
RAM
    2 GB

NOTE
It is assumed that SWAT is also running the database used by the product; however, this is not a requirement.
Software Requirements

Prerequisite / Additional Specifications
Operating system
    Windows 2000 Server (Service Pack 3); Windows 2003 Server.
Web server
    IIS 5 or IIS 6.
Chapter 3: Pre-Installation
.NET Framework
    Located under winnt (windows in 2003)\Microsoft.NET\Framework\#Version.
Database
    MS SQL Server 2000 with Service Pack 3. This database should be purchased separately; SWAT does not include an installation of SQL Server. Alternatively, the MSDE database.
Windows Installer
    SWAT installation uses MSI installation. This requires the latest version of Windows Installer (a Windows component). The required version of Windows Installer is already bundled with Service Pack 3 of Windows 2000.
Internet browser
    SWAT's graphical user interface is web-based. In order to use the GUI, you need Internet Explorer 6 or above.
Obtaining the Software
Contact Wise-Mon Technologies at sales@Wise-Mon-t.com and provide the following information:
- The operating system on which you plan to install the product.
- IP and MAC addresses of the computer running SWAT.
Wise-Mon provides you with a user name and password to access the FTP site, customers.Wise-Mon-t.com, from where the installation package can be downloaded. You will also receive the license file required for operating the product.
NOTE
Do not install the MSDE on a computer that already has an SQL server installed on it.
Setting the SQL server and Windows authentication:
The following instructions refer only to SQL servers. For the MSDE database, other instructions are available in the readme file located in the MSDE directory on Wise-Mon's FTP site. In order to set SQL Server and Windows authentication in the database server, perform the following:
1. Open the SQL Server Enterprise Manager.
2. Select the Properties section of the database server.
3. Select the Security tab.
4. Select the SQL Server and Windows option.
Checking the database definitions: You can check the database definitions by creating an ODBC entry for the database, and then verify that the database is up and the SQL server user and password are valid.
TIP
Switch/router information can be obtained automatically by configuring SWAT to do so in the Management Platforms Connectivity pane of the General Administration form (see General Administration Form on page 32 for more information).
2. Make sure that the switch is configured to accept SNMP requests from both SWAT's agent location and SWAT's central server (if they are not located on the same machine).
3. Select the method of setting definitions for the switch/switch groups (SNMP or SSH), either from the General Administration Form or per switch in the Switch form (see Switch Forms on page 53 for more information).
Installation

IN THIS CHAPTER:
Installing SWAT
SWAT Directories
Configuration
Discovery Agents & Managers
Key File Creation
Uninstalling SWAT
Chapter 4: Installation
NOTE
If you decide to change the default destination folder, make sure the directory does not contain any spaces in the path, otherwise the product might malfunction.
4. After the Destination Folder screen appears, click Next to begin transferring files to the destination folder. When this is done the following screen appears:
5. In the Database Connection String tab, enter the database you want to work with, your user name and password.
6. In the General tab, enter the required Verbose (Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info) and click Apply.
7. In the License tab, copy the license from the license file and click Apply. (If you do not know your license number, contact Wise-Mon).
NOTE
The installation process takes 5 to 8 minutes.
The installation process performs the following operations:
- Copies files into the destination directory tree (see SWAT Directories below).
- Creates the SWAT database and tables in the database server.
- Creates a website for SWAT using Internet Information Services.
SWAT Directories

Directory / Description
[INSTALLDIR]
    Main directory.
[INSTALLDIR]\bin
    Binaries.
[INSTALLDIR]\bin\SWAT_JOBD
    SWAT launch scripts.
[INSTALLDIR]\bin\OS_USER_MANAGEMENT
    Installation scripts.
[INSTALLDIR]\bin\EVENT_LOG
    Enables adding alerts to the event log on the server.
[INSTALLDIR]\bin\IIS_MANAGMENT
    Files for installing SWAT's website.
[INSTALLDIR]\bin\DATABASE_MANAGMENT
    Scripts that manage the database (e.g., creating the database).
[INSTALLDIR]\doc
    Help file.
[INSTALLDIR]\SwatAgent
    Agent files, including the file for creating a new agent.
[INSTALLDIR]\SwatManager
    All manager files, including the installation file for creating a new manager.
Further directories under [INSTALLDIR] hold application data files, configuration files, log files, temporary files and web files.
NOTE
Step 1 is possible only if the database is local (on the server).
For a remote database, you need to manually copy the database using SQL Enterprise Manager as follows:
a. Open the SQL Server Manager.
b. Connect to the SWAT database.
c. Open Databases > SWAT. Right-click All Tasks and select the Backup Database section in the tree.
d. Select the database backup file on your computer.
e. Open Databases and right-click All Tasks. Select the Database section in the tree and set the new database's name as SWAT_OLD.
f. Select the file you saved in step e.
2. Delete the SWAT database (see Database Configuration on page 15 for more information).
3. Uninstall SWAT from the Control Panel.
4. Follow the installation process.
5. After the installation process is complete, restore the old database using the batch file [INSTALLDIR]\bin\DATABASE_MANAGEMENT\RestoreDB.bat. This script copies the existing SWAT database from the temporary database into the production database.
4.3 Configuration
The configuration definitions for SWAT are saved in a file named SWAT.ini located in the [INSTALLDIR]/ini directory. In order for changes in the file to take effect, the processes of SWAT must be restarted. The file format appears below:
    [general]
    ;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
    Verbose=1

    [database]
    dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
    ;dsn=dbi:ODBC:SWAT
    user=sa
    password=sa
    WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no

    ;-----------------------------------------------------------
    ;Interface types
    ;regular interfaces see mib description 2-32
    ;Avaya 10/100 (p580,p880) - 62
    ;Giga port - 117
    ;-----------------------------------------------------------
    [interface]
    InterfaceTypes=2-32,62,117
NOTE
Lines beginning with a semi-colon are ignored.
4.3.1 General - Verbose Logging
These options are defined using the parameter Verbose in the General section. The valid values are 0, 1 and 9:
0   No logging output is written.
1   Default value (only errors are logged).
9   Full logging of all actions. Use this value only when you encounter problems with the product and want to collect data about the cause. Do not leave this value set for a long period of time, since it increases the log file size dramatically.
NOTE
There is a log cleanup mechanism that truncates log files that are bigger than 100 MB. It is recommended to leave the verbose set to 1.
4.3.2 Interface
    InterfaceTypes=2-32,62,117

The Interface section defines the IfTypes of the interfaces SWAT monitors. IfTypes are extracted from the SNMP interface MIB. Since switches can contain both logical and VLAN interfaces, the list under the parameter InterfaceTypes identifies only the physical interfaces.
NOTE
It is recommended not to change this list without consulting Wise-Mon.
the enterprise network, as close as possible to the switches and routers they monitor. The best location for an agent in a remote branch is on a regional server. The discovery agents themselves are designed for speed. They query the switches and routers in their responsibility zone simultaneously, in an asynchronous way. The communication between the SWAT agents and managers is designed to be minimal. To achieve this goal each agent keeps an image of its monitored segment, and reports only the changes in the network to the center. The changes are relatively minimal. Dividing switches/routers between agents: Through the SWAT GUI, the administrator determines which agent/manager monitors a given switch or router.
Secured agent and manager communication:
The agent and manager communication is designed for security; the manager is the originator of the communication. There is an authentication process between the agent and manager. The communication between the agent and manager is encrypted (based on a shared password used for generating an encryption key, which is used to encrypt their communication).
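To make that mechanism concrete, the following is an added Python model of such a handshake, written for this page; it is not SWAT's wire protocol. A shared password is stretched into separate authentication and encryption keys, and the manager (the originator) and the agent prove knowledge of the password to each other with a nonce-based HMAC exchange before any configuration is sent. The message layout, the use of the agent's key-file name as KDF salt, the PBKDF2 iteration count and the 16-byte nonces are assumptions chosen for the demonstration.

```python
"""Password-derived keys plus mutual challenge-response authentication.

Added example modelling the manager/agent handshake the manual describes; it is
not SWAT's protocol. Assumptions: PBKDF2-HMAC-SHA256 as the KDF, the agent
key-file name as salt, 16-byte nonces, HMAC-SHA256 proofs binding role and nonces.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption; tune to the deployment's CPU budget


def derive_keys(shared_password: str, key_file_name: str) -> tuple:
    """Stretch the shared password into two independent 32-byte keys.

    The first key is used only for authentication tags; the second would feed an
    authenticated cipher (e.g. AES-GCM) for the data channel. Salting with the
    agent's key-file name (e.g. '127.0.0.1.54100') keeps two agents that happen
    to share a password from sharing keys.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", shared_password.encode(), key_file_name.encode(),
        PBKDF2_ITERATIONS, dklen=64,
    )
    return material[:32], material[32:]


def proof(auth_key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """HMAC over role || own nonce || peer nonce.

    The role prevents a proof captured from one side being replayed as the other
    side's answer; both nonces tie the proof to this session only.
    """
    return hmac.new(auth_key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


def run_handshake(manager_password: str, agent_password: str,
                  key_file_name: str = "127.0.0.1.54100") -> tuple:
    """Simulate both ends; return (manager_accepted_agent, agent_accepted_manager).

    Each side derives keys from the password it was configured with, so a
    mismatch shows up as a failed verification, not as garbage traffic later.
    """
    m_auth, _m_enc = derive_keys(manager_password, key_file_name)
    a_auth, _a_enc = derive_keys(agent_password, key_file_name)

    # 1. The manager originates the connection and sends a fresh challenge.
    manager_nonce = secrets.token_bytes(16)

    # 2. The agent answers with its own challenge and a proof over both nonces.
    agent_nonce = secrets.token_bytes(16)
    agent_proof = proof(a_auth, b"agent", agent_nonce, manager_nonce)

    # 3. The manager recomputes the expected proof with its own key material.
    expected = proof(m_auth, b"agent", agent_nonce, manager_nonce)
    manager_accepts = hmac.compare_digest(agent_proof, expected)
    if not manager_accepts:
        return False, False  # manager drops the connection; no config is sent

    # 4. The manager proves itself in turn; the agent verifies before trusting it.
    manager_proof = proof(m_auth, b"manager", manager_nonce, agent_nonce)
    agent_accepts = hmac.compare_digest(
        manager_proof, proof(a_auth, b"manager", manager_nonce, agent_nonce))
    return manager_accepts, agent_accepts


if __name__ == "__main__":
    print("same password:", run_handshake("correct horse", "correct horse"))
    print("mismatched   :", run_handshake("correct horse", "wrong password"))
```

The encryption key returned by derive_keys is deliberately separate from the authentication key so that a tag can never be mistaken for a keystream; feeding it to an authenticated cipher is the next step and is left to a library rather than hand-rolled here.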
Agent Directories
Directory Description
CAUTION
Do not use the installation SwatAgent and SwatManager folders directly. Instead, copy them to a new location and then proceed with the installation of the agents and managers.
Run the script Install.bat located in the [INSTALLDIR]\bin directory. The script is designed for the Windows platform, although there are agents that can run on non-Windows platforms (UNIX: HP-UX, Sun, Linux). The script receives two parameters, which specify the [INSTALLDIR] and the port on which the agent runs. For example:
    Install c:\Wise-Mon\swat\SwatAgent 54100
The script changes the ini files so the agent binds to this port number and waits there for a manager call. The script also creates a service named Wise-MonSwatSwitchAgent_agentPort, which is started automatically.
NOTE
You need to choose a different port for each agent.
SwatAgent.xml ini File
The agent uses the following XML-based ini file. The file contains parameters which are relevant to the agent's operations.

    <SwatSwitchAgent>
      <SWATXMLFile>C:\WISE-MON\SWAT\SwatAgent\ini\Swat.xml</SWATXMLFile>
      <KeyFile>127.0.0.1.54100</KeyFile>
      <nTCPPort>54100</nTCPPort>
      <KeepAliveTimeout>120</KeepAliveTimeout>
      <nRetry>2</nRetry>
      <nTimeout>3</nTimeout>
    </SwatSwitchAgent>
Parameter / Description
SWATXMLFile
    Points to SWAT's internal ini file, located in the ini directory as well.
    NOTE
    This parameter should not be changed.
KeyFile
    Points to the encryption and authentication key file, used for manager authentication and data encryption.
nTCPPort
    Controls the port that the agent binds to. The manager then connects to this port.
KeepAliveTimeout
    Notifies the agent that after the defined number of seconds a keep-alive message must be sent to the manager, even if no information needs to be sent.
nRetry
    The default value for retry operations when polling the communication devices.
nTimeout
    The default time-out value for requests sent to the communication devices.

Uninstalling the Agent
Run the script UnInstall.bat located in the [INSTALLDIR]\bin directory. If the script does not receive parameters, it removes the agent service.

Added as a prefix to the subject of the emails that SWAT sends.
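The SWAT.ini format in section 4.3 and the per-agent SwatAgent.xml file above carry the settings this chapter warns about (Verbose must be 0, 1 or 9; InterfaceTypes is a list of ifType numbers and ranges; install paths must contain no spaces; every agent needs its own port). The following Python checker is an added example written for this page, not part of the product: it parses both formats as shown in the manual and reports those mistakes, plus the sample sa/sa database credentials from the ini listing. The two agent files and the ini text are constructed inputs; the second agent file is deliberately faulty, and the rule that KeyFile is named <ip>.<port> is inferred from the sample value, not stated by the manual.

```python
"""Sanity checks for a SWAT-style configuration set (added example, not product code).

Parses the SWAT.ini format ([section] headers, key=value lines, ';' comments)
and SwatAgent.xml files, reporting the mistakes the manual warns about.
Sample inputs are constructed; AGENT_BAD is intentionally wrong.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_INI = """
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=1
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
user=sa
password=sa
[interface]
InterfaceTypes=2-32,62,117
"""

AGENT_OK = r"""<SwatSwitchAgent>
<SWATXMLFile>C:\WISE-MON\SWAT\SwatAgent\ini\Swat.xml</SWATXMLFile>
<KeyFile>127.0.0.1.54100</KeyFile>
<nTCPPort>54100</nTCPPort>
<KeepAliveTimeout>120</KeepAliveTimeout>
<nRetry>2</nRetry>
<nTimeout>3</nTimeout>
</SwatSwitchAgent>"""

# Constructed faulty agent: path with a space, KeyFile named for another port,
# and the same TCP port as the first agent (the manual requires distinct ports).
AGENT_BAD = r"""<SwatSwitchAgent>
<SWATXMLFile>C:\Wise Mon\SWAT2\SwatAgent\ini\Swat.xml</SWATXMLFile>
<KeyFile>10.0.0.5.54200</KeyFile>
<nTCPPort>54100</nTCPPort>
<KeepAliveTimeout>120</KeepAliveTimeout>
<nRetry>2</nRetry>
<nTimeout>3</nTimeout>
</SwatSwitchAgent>"""


def parse_ini(text: str) -> dict:
    """Return {section: {key: value}}; lines starting with ';' are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # DSN values contain '=' themselves
            sections[current][key.strip()] = value.strip()
    return sections


def expand_interface_types(spec: str) -> set:
    """Expand '2-32,62,117' into the set of SNMP ifType numbers it covers."""
    types = set()
    for part in spec.split(","):
        item = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"InterfaceTypes entry {item!r} is not a number or range")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if high < low:
            raise ValueError(f"InterfaceTypes range {item!r} is reversed")
        types.update(range(low, high + 1))
    return types


def parse_agent_xml(text: str) -> dict:
    """Flatten the <SwatSwitchAgent> children into {tag: text}."""
    return {child.tag: (child.text or "").strip() for child in ET.fromstring(text)}


def check_deployment(ini_text: str, agent_xml_texts: list) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    ini = parse_ini(ini_text)
    verbose = ini.get("general", {}).get("Verbose")
    if verbose not in ("0", "1", "9"):
        findings.append(f"Verbose={verbose!r} is not one of the documented values 0, 1, 9")
    elif verbose == "9":
        findings.append("Verbose=9 is a debugging setting; restore 1 after troubleshooting")
    db = ini.get("database", {})
    if db.get("user") == "sa" and db.get("password") == "sa":
        findings.append("database section still uses the sample sa/sa credentials")
    try:
        expand_interface_types(ini.get("interface", {}).get("InterfaceTypes", ""))
    except ValueError as err:
        findings.append(str(err))
    seen_ports = set()
    for xml_text in agent_xml_texts:
        agent = parse_agent_xml(xml_text)
        port, path = agent.get("nTCPPort", ""), agent.get("SWATXMLFile", "")
        if " " in path:
            findings.append(f"agent path contains a space: {path}")
        if port in seen_ports:
            findings.append(f"TCP port {port} is used by more than one agent")
        seen_ports.add(port)
        if not agent.get("KeyFile", "").endswith("." + port):
            findings.append(f"KeyFile {agent.get('KeyFile')!r} does not end with agent port {port}")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(SAMPLE_INI, [AGENT_OK, AGENT_BAD]):
        print("-", finding)
```

Run against the manual's own sample ini, the only finding is the sa/sa credentials; adding the faulty agent file produces three more. Point the checker at the real files (read with open().read()) before starting the services, since the manual notes that configuration changes only take effect after a restart.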
Manager Directories
Directory Description
Run the script Install.bat located in the [INSTALLDIR]\bin directory. The script is designed for the Windows platform. The script receives two parameters, which specify the [INSTALLDIR] and the manager ID assigned to the manager. For example:
    Install C:\WISE-MON\SWAT\SwatManager 1
The script changes the ini files so the manager has the given manager ID. The script also creates a service named SwatSwitchManger_managerid, which is started automatically.

SwatManager.xml ini File
The managers use the following XML-based ini file. The file contains the following parameters, which are relevant to the manager's operations.

    <SwatSwitchManager>
      <SWATXMLFile>C:\WISE-MON\SWAT\SwatManager\ini\Swat.xml</SWATXMLFile>
      <ManagerId>1</ManagerId>
      <ReloadSwitchListTimeout>300</ReloadSwitchListTimeout>
      <ConnectionTimeout>180</ConnectionTimeout>
      <ReplyTimeout>180</ReplyTimeout>
    </SwatSwitchManager>
Parameter / Description
SWATXMLFile
    Points to SWAT's internal ini file, also located in the ini directory.
    NOTE
    This parameter should not be changed.
ManagerId
    Specifies the manager ID assigned to the given manager. When adding a new router/switch, one of the parameters is the number of the manager assigned to the given switch.
ReloadSwitchListTimeout
    The switch and router definitions under the responsibility of this manager can change due to user additions/deletions or renewed discovery of the switch and router configuration. This parameter instructs the manager to reload these definitions every given period (in seconds). If a change relevant to a given agent is discovered, the configuration is resent to the agent.
ConnectionTimeout
    Instructs the manager to send an alert to the operator if an agent did not respond within the given time-out (in seconds).
ReplyTimeout
    Specifies the time-out value for retrying to reconnect to an agent that was previously unavailable.

Uninstalling the Manager
Run the script UnInstall.bat located in the [INSTALLDIR]\bin directory. If the script does not receive parameters, it removes the manager service.
NOTE
The uninstall package does not remove newly created files. To remove these you need to delete the SWAT directory.
Administration

IN THIS CHAPTER:

Administration Menu
General
    Opens the General Administration form, for you to enter various parameter definitions. See General Administration Form on page 32 for more information.
SWAT Users
    Determines the groups to be recognized by SWAT. See SWAT Users on page 38 for more information.
Alert Types
    Displays the list of available alerts. See Alert Types on page 40 for more information.
Chapter 5: Administration
Use the General Administration form to define the following general parameters, according to which you want SWAT to operate:
Administration Mail
    Enter the email address to which you want the warnings to be sent.
    NOTE
    Separate multiple addresses with a comma.
Mail Server IP
Run Mode
    Select the required run mode from the drop-down list. The run mode is the action SWAT performs when a computer connects to the network via an open port (see Run Modes on page 10 for further details).
Permission
    Select the permission you want to give to connecting computers:
    All: no restriction.
    Lock for group: restricted to a defined group.
    Lock for switch: restricted to a defined switch.
    Lock for port: restricted to a defined port.
    Lock for VLAN: restricted to a defined VLAN.
    NOTE
    Permission is relevant only when the run mode is of the Learn group.
    Enter the required VLAN number when using the Move to VLAN run mode.
    Enter the required interval in minutes between each cycle of discovery, i.e., the process of detecting new MAC addresses in the network. (This information is used by the agents.)
Use / To
    The amount of time SWAT leaves a port disconnected after an unauthorized intrusion.
    NOTE
    The value zero causes a disconnection for an unlimited amount of time.
    Select Yes or No. When this attribute is set to Yes, ports with multiple addresses connected to them are unmanaged and SWAT is not responsible for them.
    Select Yes or No. When No is selected: after receiving a specified detailed trap which SWAT could not locate, the MAC address is disconnected immediately.
    Select Yes or No. When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
    NOTE
    MAC addresses disconnected in this way are not blacklisted. This feature is used to prevent the insertion of hubs into the organization's network.
Check Spoofing on Multi-MAC Interface
    Select Yes to activate spoofing checks on multi-MAC interfaces. The default setting is No.
Port Settings Application
    Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
Agent IP
    Enter the IP address of the agent that monitors the group.
Agent Port
    Enter the port number of the agent that monitors the group.
Manager ID
    Enter the ID of the manager that is responsible for monitoring the given group.
Telnet/SSH user
    Enter the Telnet/SSH password.
    Enter the Telnet script for enabling the password.
    Enter the Get SNMP community for routers and switches.
    Enter the Set SNMP community for routers and switches.
    NOTE
    If no value is provided, the Get Community is taken as default.
Enter the detailing level of the log (0, 1, 9). Enter the license number. View the detailed license information.
Management Platform
Select the management platform (installed on the same computer as SWAT) from the dropdown list. If you have a management platform for your network, SWAT can elicit information from it, including the list of switches and routers in the network and the MAC addresses discovered by the platform. NOTE
This feature is not included with the default installation of the product.
Management Platform ODBC: Create an ODBC connection to the platform's server on SWAT's server.
Management Platform DB User: Enter the user name of the management platform database.
Management Platform DB Password: Enter the password of the management platform database.
Load from Management Platform: Load the switch/MAC address data from the management platform.
Use / To
Save the changes made to the General form.
Clear the General form without saving any changes.
The various run modes enable you to execute the following commands:
Run Mode / Description
Learn: Newly discovered MAC addresses are automatically set as valid and authorized for accessing the whole network. Known addresses' permissions are left unchanged, yet port data is updated. This run mode is suitable for enterprises that have just installed SWAT and want to build their device repository. SWAT also supports an option to load all the valid devices in the organization from an external source.
The other run modes of the Learn group grant a narrower authorization, or change the port's mode once the address has been learned:
Connecting MAC addresses receive authorization only for the defined group of switches to which they are connected.
Connecting MAC addresses receive authorization only for all ports on the switch to which they are connected.
Connecting MAC addresses receive authorization only for the port to which they are connected.
Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Warn mode.
Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Disconnect mode.
Warn (mail): A warning is sent by email or written to an event log when unidentified or unauthorized MAC addresses are discovered connected to the network via an open port. The unidentified MAC addresses are then blacklisted.
Disconnect: When unidentified or unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected for a predefined amount of time. If the discovered MAC address is unknown, it is blacklisted.
Move to VLAN: When new stations try to connect, they are physically moved to a VLAN and automatically disabled/enabled. This run mode enables enhanced network quarantine capabilities: stations receive new permissions in accordance with the VLAN to which they are moved. Furthermore, stations that receive a new dynamic IP address are discovered by SWAT.
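The decisions of the Run Modes table, together with the permission scopes and the multi-MAC and uplink handling described in the port forms, modelled in Python as an added example (not SWAT's own code). The names of the individual Learn-group variants, the Port, Station and Decision classes and the `repo` station repository are assumptions made for this example.

```python
# Added example, not SWAT's own code: a model of the Run Modes decision.
# Learn-variant names, the Port/Station/Decision classes and `repo` are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class RunMode(Enum):
    LEARN = "Learn"                                  # authorize for the whole network
    LEARN_GROUP = "Learn (group)"                    # variant names are assumptions
    LEARN_SWITCH = "Learn (switch)"
    LEARN_PORT = "Learn (port)"
    LEARN_THEN_WARN = "Learn then Warn"
    LEARN_THEN_DISCONNECT = "Learn then Disconnect"
    WARN = "Warn (mail)"
    DISCONNECT = "Disconnect"
    MOVE_TO_VLAN = "Move to VLAN"

class Scope(Enum):
    ALL = "All"
    GROUP = "Lock for group"
    SWITCH = "Lock for switch"
    PORT = "Lock for port"
    VLAN = "Lock for VLAN"

@dataclass
class Port:
    switch_ip: str
    slot: int
    port: int
    group: str
    vlan: int
    run_mode: RunMode
    disconnect_time: int = 10          # Disconnect Time in minutes; 0 = unlimited
    state: str = "Enable"              # Enable, Disable, Unmanaged or Uplink
    unmanage_multimac: bool = False    # Unmanage MultiMAC Interface
    multimac_auto_disconnect: bool = False

@dataclass
class Station:
    mac: str
    scope: Scope
    scope_value: object = None         # group name, switch IP, (ip, slot, port) or VLAN

@dataclass
class Decision:
    action: str                        # authorize, learn, ignore, alert, warn, disconnect, move_to_vlan
    blacklist: bool = False
    disconnect_minutes: Optional[int] = None   # 0 means until re-enabled by hand
    new_port_mode: Optional[RunMode] = None

# Scope granted to a newly learned station, per Learn-group run mode.
LEARN_SCOPES = {
    RunMode.LEARN: Scope.ALL, RunMode.LEARN_GROUP: Scope.GROUP,
    RunMode.LEARN_SWITCH: Scope.SWITCH, RunMode.LEARN_PORT: Scope.PORT,
    RunMode.LEARN_THEN_WARN: Scope.ALL, RunMode.LEARN_THEN_DISCONNECT: Scope.ALL,
}
# Run mode the port switches to after learning (Learn then Warn / Disconnect).
FOLLOW_UP = {RunMode.LEARN_THEN_WARN: RunMode.WARN,
             RunMode.LEARN_THEN_DISCONNECT: RunMode.DISCONNECT}

def location_for(scope: Scope, port: Port):
    """The value a station's scope is compared against for this port."""
    return {Scope.ALL: None, Scope.GROUP: port.group, Scope.SWITCH: port.switch_ip,
            Scope.PORT: (port.switch_ip, port.slot, port.port), Scope.VLAN: port.vlan}[scope]

def permitted(station: Station, port: Port) -> bool:
    """All = no restriction; every other scope must match the port's location."""
    return station.scope is Scope.ALL or station.scope_value == location_for(station.scope, port)

def evaluate(mac: str, port: Port, repo: dict, macs_on_port: int = 1) -> Decision:
    """What SWAT does when `mac` is seen on `port`; `repo` maps MAC -> Station."""
    if port.state == "Unmanaged":
        return Decision("ignore")
    if port.state == "Uplink":
        # Ports between switches are never disconnected; a new MAC only raises an alert.
        return Decision("alert" if mac not in repo else "authorize")
    if macs_on_port > 1:
        if port.unmanage_multimac:
            return Decision("ignore")
        if port.multimac_auto_disconnect:
            # Hub-insertion protection: applies in every run mode and never blacklists.
            return Decision("disconnect", disconnect_minutes=port.disconnect_time)
    station = repo.get(mac)
    if station is not None and permitted(station, port):
        return Decision("authorize")
    unknown = station is None
    mode = port.run_mode
    if mode in LEARN_SCOPES:
        if unknown:                    # new address: learned with the mode's scope
            scope = LEARN_SCOPES[mode]
            repo[mac] = Station(mac, scope, location_for(scope, port))
        # Known addresses keep their permissions; only port data is updated.
        return Decision("learn", new_port_mode=FOLLOW_UP.get(mode))
    if mode is RunMode.WARN:           # mail or event log; unidentified MACs blacklisted
        return Decision("warn", blacklist=unknown)
    if mode is RunMode.DISCONNECT:     # port locked for Disconnect Time minutes
        return Decision("disconnect", blacklist=unknown, disconnect_minutes=port.disconnect_time)
    # Move to VLAN: the station is moved to the quarantine VLAN and the port bounced.
    return Decision("move_to_vlan")
```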
Use this screen to define the groups you want recognized by SWAT and determine their permissions.
This pane determines the permission scope of the defined SWAT groups.
Group Permission
Overall permission (administration, operators, reports and device manager).
Permission to manage the MAC addresses (see Operations Menu on page 98).
Permission to manage the reports (see Reports Menu on page 76).
Permission to change definitions for given ports on specific switches (see Network Configuration on page 42).
Use / To
Display the defined groups on the SWAT server, excluding those that are defined for the given permission scope.
Select the required group for the selected permission scope.
Add a new group to the defined user groups.
Delete a group from the defined user groups.
Field / Description
Displays the list of alerts (see Alert Type List below for the full list of alerts and their descriptions).
Presents a brief description of the various types of alerts.
When selected, mail is sent in case of an alert.
When selected, the alert is written to an event log.
Determines the severity of the alert. Select from the following available options: Info, Warning, Error.
Field / Description
Agent Reconnect: The agent reconnects to the manager after the server is down.
Agent Time Out: The agent is not responding.
SNMP Problem in Device: The device is experiencing SNMP problems.
External Intruder Detected: An unauthorized station is detected.
New MAC Address: A new MAC address was found.
New Uplink Found: The port is defined as uplink.
Port Disable Failed: The attempt to disable the port failed.
Port Enable Failed: The attempt to enable the port failed.
Router Down: The router is not responding to SNMP.
Service Down: The service is not responding.
Switch Changed: The type of switch has changed.
Switch Down: The switch is not responding to SNMP.
Unauthorized Connection Detected: A station with the given MAC address is not permitted in a specified location.
Virus Found: A virus was found by the antivirus system (see Antivirus Support on page 113 for further information).
Chapter 6: Network Configuration
IN THIS CHAPTER:
Network Configuration Menu, Switch Groups, Switches, Switch Ports, Routers, Site Configuration
Network Configuration Menu
Option / Description
Switch Groups: Defines a certain group of switches. See Switch Groups on page 43 for more information.
Switches: Filters by switches. See Switches on page 49 for more information.
Switch Ports: Filters by switch ports. See Switch Ports on page 58 for more information.
Routers: Filters by routers. See Routers on page 66 for more information.
Site Configuration: Opens the Site Configuration screen, allowing you to link your physical network structure to your organization's physical structure. See Site Configuration on page 71 for more information.
Enter the name of the defined group of switches. Provide a description of the group of switches. Select the run mode of the group. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given group.
Agent IP: Enter the IP address of the agent that monitors the group.
Agent Port: Enter the port number of the agent that monitors the group.
Group Check Frequency (minutes): Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.
Disconnect Time: Enter the required number of minutes for which a port is closed when a disconnection is warranted.
Use / To
Filter according to the IP address entered for the switch.
Clear the filtering pane (not the results).
Enter the name of the defined group of switches. Provide a description of the group of switches. Add a new group of switches.
After clicking the Filter button, the following switch group parameters are displayed:
Parameter Description
The name of the defined group of switches. The user's description for the group of switches. The run mode of the switch group. See Run Modes on page 36 for more information. The permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Opens the Switch Group List for you to update the current list of defined groups. Opens the Switch Group Form, for setting all the attributes of the group of switches. Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Field
Description
The name of the defined group of switches.
The user's description for the group of switches.
Administration Mail: The email address to which warnings are sent.
NOTE
Separate multiple addresses with a comma.
Run Mode: The run mode of the group. See Run Modes on page 36 for more information.
Permission
The permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
VLAN Number: The number of the defined VLAN.
Manager ID: The manager ID that handles the group.
Agent IP: The IP address of the agent that polls the group.
Agent Port: The port number of the agent that polls the group.
Group Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected, in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected, after receiving a specified detailed trap which SWAT could not locate, the MAC address is disconnected immediately.
When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE
MAC addresses that are disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given, the Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
Saves the changes made to the Switch Group form.
Closes the Switch Group form without saving any changes.
6.3 Switches
Select Switches from the Network Configuration menu to open the Switches screen and define your required switch-related filtering parameters.
Switch Name
Enter the required switch IP address. Add the new switch to the selected switch group. Select the run mode of the switch. See Run Modes on page 36 for more information. Select the permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Manager ID: Enter the ID of the manager that is responsible for monitoring the given switch.
Agent IP: Enter the IP address of the agent that monitors the switch.
Agent Port: Enter the port number of the agent that monitors the switch.
Switch Check Frequency (minutes): Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.
Disconnect Time: Enter the required number of minutes for which a port is closed when a disconnection is warranted.
Use / To
Filter according to the IP address entered for the switch.
Clear the filtering pane (not the results).
Switch IP: Enter the IP address of the new switch.
Switch Name: Enter the switch name.
Get Community: Default Get SNMP community for routers and switches.
Switch Group: Add the new switch to the selected switch group.
Run Mode: Select the run mode of the new switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Add a new switch. Add the switch and open the Switch Form screen. For more information see Switch Forms below.
Parameter / Description
Switch VLAN(s) Switch Group SysDescription Last Automatic Check Date Run Mode Permission
The switch number. The switch group. The description value taken from the switch. The timestamp of the last MAC address discovery. The run mode of the switch. See Run Modes on page 36 for more information. The permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Loads the Switch List file. For more information see Switch List File on page 117. Loads the ports of the selected switches. Loads the MAC addresses of the selected switches. Opens the Switch Forms, for setting all the attributes of the switch. Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information. Deletes selected switches. Exports results to Excel.
Field
Description
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Group IP: The IP address of the switch group.
Switch SysName: The system name of the switch.
Switch SysDescription: The information found in the switch SysDescription field.
Switch SysObjectID: The system object ID of the switch.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
VLAN Number: The number of the VLAN.
Manager ID: The manager ID that handles the switch.
Agent IP: The IP address of the agent that polls the switch.
Agent Port: The port number of the agent that polls the switch.
Switch Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected, in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected, after receiving a specified detailed trap which SWAT could not locate, the MAC address is disconnected immediately.
When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE
MAC addresses disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given, the Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
Saves the changes made to the Switch form.
Closes the Switch form without saving any changes.
Switch Form: Multiple Switches
When multiple switches are selected the following switch form is displayed:
Field / Description
Administration Mail: The email address to which warnings are sent.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission
The permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Switch Group: The switch group.
Manager ID: The manager ID that handles the switch.
Agent IP: The IP address of the agent that polls the switch.
Agent Port: The port number of the agent that polls the switch.
Switch Check Frequency (minutes): Polling frequency in minutes.
Disconnect Time (minutes): The time the switch port remains disconnected, in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected, after receiving a specified detailed trap which SWAT could not locate, the MAC address is disconnected immediately.
When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE
MAC addresses disconnected this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: Get SNMP community for the switch.
Set Community: Set SNMP community for the switch. If none is given, the Get Community is taken as default.
Telnet/SSH User: The Telnet/SSH user name.
Telnet/SSH Password: The Telnet/SSH password.
Telnet Enable Password: The Telnet script for enabling the password.
Port Settings Application: Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).
Saves the changes made to the Switch form.
Closes the Switch form without saving any changes.
Enter the name of the switch. Enter the IP address of the switch. Add the new switch to the selected switch group. Enter the switch slot number in which the port is located. Enter the port number on a given slot. Select the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States below for more details. Select the run mode of the switch port. See Run Modes on page 36 for more information. Enter the permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Select the port's status: connected or no link. Enter the required VLAN. Filter the switch ports according to the IP address entered in the Switch Port IP field. Clear the filtering pane (not the results).
6.4.1 States
The following states exist:
Enable: the port in the switch is open.
Disable: the port in the switch is closed.
Unmanaged: the port is not managed by SWAT.
Uplink: the port is connected to a different switch. Ports that connect switches are never disconnected. If a new MAC address is discovered on an uplink port, an alert is also sent in Disconnect mode.
NOTE
SWAT automatically identifies uplinks, providing the switches are defined through the system.
Port Status: The status of the port.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch.
Slot: The switch slot number in which the port is located.
Port: The port's serial number.
If Index: The serial number of the switch port in the switch.
Port State: Shows the current state of the switch port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
The number of VLANs.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: The permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Opens the drop-down list box, enabling you to select the required state of the switch port: Enable, Disable, Uplink or Unmanage.
Sets the selected state.
Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Opens the Switch Port Forms (see below).
Opens the VLAN Number dialog box for you to set the filtered interfaces' VLANs.
Deletes the selected switch ports.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
Switch Port Form: Single Switch Port
When a single switch port is selected the following switch port form is displayed:
Figure 6-9:
Figure 6-10: Switch Port form, one switch port selected
Field
Description
The name of the switch. The IP address of the switch. The switch's slot number in which the switch port is located. The switch's port number in which the switch port is located. The ifName value for the given port's switch port. An alias for the switch port, which can be configured on the switch. The serial number of the switch port in the switch. The switch port's description. The default value is the switch port's name.
State: Shows the current state of the switch port: Up, Down, Unmanaged, Processing, or Uplink. See States on page 59 for more details.
Administration Mail: The email address to which warnings are sent.
NOTE
Separate multiple addresses with a comma.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Permission: Select the permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
Disconnect Time (minutes): The amount of time the switch port remains disconnected, in minutes.
Unmanage MultiMAC Interface: When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Ignore Unknown MAC: Select Yes or No. When No is selected, after receiving a specified detailed trap which SWAT could not locate, the MAC address is disconnected immediately.
When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.
NOTE
MAC addresses disconnected this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.
Saves the changes.
Closes the switch port form without saving any changes.
Switch Ports Form: Multiple Switch Ports
When multiple switch ports are selected the following switch port form is displayed:
Administration Mail
Run Mode: The behavior of SWAT, i.e., the action SWAT performs when a computer connects to the network via an open port.
Permission: Select the permission you want to give to connecting computers: All: no restriction. Lock for group: restricted to a defined group. Lock for switch: restricted to a defined switch. Lock for port: restricted to a defined port. Lock for VLAN: restricted to a defined VLAN.
NOTE
Permission is relevant only when the run mode is of the Learn group.
The number of minutes for which a port is closed when a disconnection is warranted.
When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.
Select Yes or No. When No is selected, after receiving a specified detailed trap which SWAT could not locate, the MAC address is disconnected immediately.
When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected.
Saves the changes.
Closes the switch port form without saving any changes.
6.5 Routers
Select Routers from the Network Configuration menu to open the Routers screen and define your required router-related filtering parameters.
Enter the name of the router. Enter the IP address of the router. Enter the ID of the manager that is responsible for monitoring the given router. Enter the IP of the agent that is responsible for monitoring the given router. Enter the port number of the agent that monitors the router. Enter the interval in minutes between each cycle of discovery, i.e., the process of checking for new MAC addresses in the network. This information is used by the agents. Filter according to the IP address you entered in the Router IP field. Clear the filtering pane (not the results).
Enter the IP address of the new router. Enter the name of the new router. The authentication string which facilitates access control to the switch. Add the new router.
Router Name: The name of the router.
Router IP: The IP address of the router.
SysDescription: The description value taken from the router.
Last Automatic Check Date: The timestamp of the last MAC address discovery.
View Subnets: Opens the Router Subnets dialog box after clicking the Subnets link under the View Subnets field. The dialog box lists the subnets discovered on the router.
Loads the routers list file. For more information see Router List File on page 117.
Loads the routers' data.
Opens the Router Form (see below).
Field
Description
The name of the router. The IP address of the router. The name value taken from the router. The description value taken from the router.
Router SysObjectID: The ObjectID value taken from the router.
Router Last Automatic Check Time: The last discovery time of the router.
Manager ID: The ID of the manager that is responsible for monitoring the given router.
Agent IP: The IP address of the agent that is responsible for monitoring the given router.
Agent Port: The port number of the agent that monitors the router.
Router Check Frequency: The interval in minutes between each cycle of discovery, i.e., the process of checking for new MAC addresses in the network. This information is used by the agents.
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: The authentication string which facilitates access control to the router.
Saves changes.
Closes the Router form without saving any changes.
Router Form: Multiple Routers
When multiple routers are selected the following Router Form is displayed:
Field / Description
Manager ID: The ID of the manager that is responsible for monitoring the given router.
Agent IP: The IP address of the agent that is responsible for monitoring the given router.
Agent Port: The port number of the agent that monitors this router.
Router Check Frequency: The interval in minutes between each cycle of discovery, i.e., the process of checking for new MAC addresses in the network. This information is used by the agents.
SNMP Port: The port number for SNMP communication. The default port number is 162; for any other port, enter a value.
Get Community: The authentication string which facilitates access control to the router.
The Site Configuration screen lets you link your physical network structure to your organization's physical structure, thereby providing added value and information. This way, when a new MAC address is identified, you not only know the slot/port/switch to which it connects, but also in which room the person with the given computer is located. Additionally, permissions for MAC addresses can be defined for any level in the organizational geographical structure, allowing or denying access to office branches, buildings, floors and rooms.
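The socket-level link between the physical structure and a switch slot/port, and MAC permissions defined at any level of the geographical structure, shown in Python as an added example (not SWAT's own code). The Socket and SiteConfiguration classes, the rule that the most specific level wins when rules conflict, and the sample sockets are assumptions constructed for this example.

```python
# Added example, not SWAT's own code: resolving a switch port to the site
# hierarchy and evaluating MAC permissions defined at any level of it.
# The Socket/SiteConfiguration classes and the sample sockets are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LEVELS = ("organization", "site", "building", "floor", "room", "socket")
PortKey = Tuple[str, int, int]          # (switch IP, slot, port)
Path = Tuple[str, ...]                  # prefix of the hierarchy, e.g. (org, site, building)


@dataclass(frozen=True)
class Socket:
    """One socket: the link between the physical structure and a switch port."""
    organization: str
    site: str
    building: str
    floor: str
    room: str
    socket: str
    switch_ip: str
    slot: int
    port: int
    person: str = ""

    def path(self) -> Path:
        return (self.organization, self.site, self.building, self.floor, self.room, self.socket)


class SiteConfiguration:
    def __init__(self) -> None:
        self._by_port: Dict[PortKey, Socket] = {}
        # MAC -> {hierarchy prefix: allow?}; a deeper prefix overrides a shallower one (assumption).
        self._rules: Dict[str, Dict[Path, bool]] = {}

    def add_socket(self, sock: Socket) -> None:
        key = (sock.switch_ip, sock.slot, sock.port)
        if key in self._by_port:
            raise ValueError(f"switch port {key} is already linked to a socket")
        self._by_port[key] = sock

    def set_permission(self, mac: str, allow: bool, *prefix: str) -> None:
        """Allow or deny `mac` for an organization, site, building, floor, room or socket."""
        if not 1 <= len(prefix) <= len(LEVELS):
            raise ValueError("prefix must name between one and six levels")
        self._rules.setdefault(mac.lower(), {})[tuple(prefix)] = allow

    def locate(self, switch_ip: str, slot: int, port: int) -> Optional[Socket]:
        return self._by_port.get((switch_ip, slot, port))

    def describe(self, sock: Socket) -> str:
        """Human-readable location for an alert, most specific element first."""
        parts = [f"{level} {value}" for level, value in zip(LEVELS, sock.path())]
        where = ", ".join(reversed(parts))
        return f"{where} ({sock.person})" if sock.person else where

    def decide(self, mac: str, switch_ip: str, slot: int, port: int) -> Tuple[str, Optional[str]]:
        """Return (verdict, location). Verdicts: allow, deny, no-rule, unknown-location."""
        sock = self.locate(switch_ip, slot, port)
        if sock is None:
            return "unknown-location", None
        rules = self._rules.get(mac.lower(), {})
        path = sock.path()
        for depth in range(len(path), 0, -1):   # most specific level wins
            verdict = rules.get(path[:depth])
            if verdict is not None:
                return ("allow" if verdict else "deny"), self.describe(sock)
        return "no-rule", self.describe(sock)


def sample_site() -> SiteConfiguration:
    """Constructed sample data: one branch, three sockets, one MAC with two rules."""
    cfg = SiteConfiguration()
    cfg.add_socket(Socket("ACME", "Haifa", "B1", "2", "214", "214-A", "10.0.0.5", 1, 12, "Dana"))
    cfg.add_socket(Socket("ACME", "Haifa", "B1", "2", "215", "215-A", "10.0.0.5", 1, 13, "Eli"))
    cfg.add_socket(Socket("ACME", "Haifa", "B1", "3", "301", "301-A", "10.0.0.6", 1, 1))
    # The laptop may use any socket in building B1, except those in room 215.
    cfg.set_permission("00:11:22:33:44:55", True, "ACME", "Haifa", "B1")
    cfg.set_permission("00:11:22:33:44:55", False, "ACME", "Haifa", "B1", "2", "215")
    return cfg
```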
Site Name
Enter the required site name (office branch or location of the company).
TIP
You can use wildcards such as (%) or (*) for the site name.
Building Name: Enter the required building name (optional).
Floor Name: Enter the required floor name (optional).
Room Name: Enter the required room name (optional).
Socket Name: Enter the required socket name (optional).
NOTE
The socket name is the name of the socket in a room connected to the port in the switch. The connection between the physical structure and the network structure is made at the socket level. A socket is linked with a given slot and port of a given switch.
Enter the IP address of the switch to which the socket is connected (optional).
Enter the slot number in the switch to which the socket is connected (optional).
Enter the port number in the switch to which the socket is connected (optional).
Filter the sites according to the information entered in the Site Name field.
Clear the filtering pane (not the results).
Add/Update Pane
Use the Add/Update pane to add, update or delete sites. To do so simply use the Add/Update/Delete buttons and fill in the site details. See below for more information.
Use / To
Organization: Enter the name of the office branch or location of the company.
Site Name: Enter the name of the site.
Building Name: Enter the name of the physical structure on site.
Floor Name: Enter the name of the floor in the building.
Room Name: Enter the name of the room on the floor.
Socket Name: Enter the name of the socket in a room connected to the port in the switch. The connection between the physical structure and the network structure is made at the socket level. A socket is linked with a given slot and port of a given switch.
Update the changes made.
Open the various Add dialog boxes. See Site Configuration: Add Dialog Boxes below for more details.
Delete the required site/building/floor/room/socket.
Open the MAC Address Permission Filtering screen. See MAC Address Permission Filtering on page 107 for more information.
Site Configuration: Add Dialog Boxes
Adding a new site: Enter the site name, address, phone and description and then click Add.
Adding a new building: Enter the building name and address and click Add.
Adding a new floor: Enter the floor name and click Add.
Adding a new room:
Figure 6-19:
Enter the room name and click Add.
Adding a new socket: Enter the socket name, switch IP, slot, port and name of person and click Add.
Organization Name: The name of the organization.
Site Name: The name of the branch office or location of the company.
Building Name: The name of the physical structure on site.
Floor Name: The name of the floor in the building.
Room Name: The name of the room on the floor.
Socket Name: The name of the socket in a room connected to the port in the switch. The connection between the physical structure and the network structure is made at the socket level. A socket is linked with a given slot and port of a given switch.
The IP address of the switch which is connected to the socket.
The slot of the switch which is connected to the socket.
The port of the switch which is connected to the socket.
The name of the person who works at the socket.
Loads the MAC Address Permission Filtering screen. See MAC Address Permission Filtering on page 107 for more information.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
Chapter 7: Reports
IN THIS CHAPTER:
Reports Menu, Station Reports, Network Reports, Statistics Reports, Alert Console, Scheduled Tasks
Station Reports: Includes reports about new/inactive stations and their history. See Station Reports on page 77 for more information.
Network Reports: Includes reports about inactive ports and ports with MAC addresses/active MAC addresses. See Network Reports on page 83 for more information.
Statistics Reports: Includes various statistical reports on the network stations. The statistics are divided into a period of five weeks. See Statistics Reports on page 89 for more information.
Option / Description
Alert Console: Enables various alert filtering options. See Alert Console on page 93 for more information.
Scheduled Tasks: Displays a list of all SWAT's active and completed processes, until they are cleared by the CleanDB job or the user. See CleanDB on page 128 for more information.
Inactive Stations Filtering Pane
Generate the report according to the following filtering options:
Use / To
MAC Address: Enter the MAC address; you can enter only a part of the address using the (%) or (*) signs as a prefix/suffix.
IP Address: Enter the last known IP address allocated to the MAC address.
Node Name: Enter the last known network name of the MAC address's computer.
Switch Group: Enter the name of the switch group.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Switch Name: Enter the name of the switch.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Inactive Station Period: Select the amount of time the station was inactive (24 hours, 7 days, 14 days, 1 month, 3 months, 6 months).
MAC Last Permission: Display the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Filter according to the filtering options you entered and/or selected in the Inactive Stations Filtering pane.
Clear the filtering pane (not the results).
Inactive Station Filtered Results
After clicking the Filter button, the following parameters are displayed:
Inactive Date: The date the station became inactive (7 or 14 days; 1, 3 or 6 months, according to the Inactive Station Period selected in the Filtering pane).
MAC Address: The MAC address.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Switch Name: The name of the switch.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
Last Discovered Status: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Deletes the inactive station.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
New Stations Filtering Pane
Generate the report according to the following filtering options:
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Switch Group: Enter the name of the switch group.
Stations Permission: Display the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Start Time: Select the time the new station connected.
End Time: Select the time the new station disconnected.
Display the actual number and average per day of newly connected stations.
Filter: Filter according to the filtering options you entered and/or selected in the New Stations Filtering pane.
Clear: Clear the filtering pane (not the results).
New Stations Filtered Results
After clicking the Filter button, the following parameters are displayed:
Date: The date and time the new station connected.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
MAC Address: The MAC address.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Discovered Status: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
Station History Filtering Pane
Generate the report according to the following filtering options:
MAC Address: Enter the MAC address; you can enter only a part of the address, using the (%) or (*) signs as a prefix/suffix.
IP Address: Enter the last known IP address allocated to the MAC address.
Node Name: Enter the last known network name of the MAC address's computer.
Start Time: Select the time the station connected.
End Time: Select the time the station disconnected.
Stations Summary Results: Display the actual total connection time and average per day of the required stations.
Filter: Filter according to the filtering options you entered and/or selected in the Stations History Filtering pane.
Clear: Clear the filtering pane (not the results).
History Station Report Results
After clicking the Filter button, the following parameters are displayed:
Switch Name: The name of the switch.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
Connect Date: The date on which the station connected.
Disconnect Date: The date on which the station disconnected.
Connection Time: The amount of time the station remained connected.
Permission: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is not authorized.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
Switch Inactive Ports Filtering Pane
Generate the report according to the following filtering options:
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Port State: Display the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
Run Mode: Select the run mode of the switch. See Run Modes on page 36 for more information.
Select the amount of time the port was inactive (24 hours, 7 days, 14 days, 1 month, 3 months, 6 months).
Filter: Filter according to the filtering options you entered and/or selected in the Switch Inactive Ports Filtering pane.
Clear: Clear the filtering pane (not the results).
Switch Inactive Ports Results
After clicking the Filter button, the following parameters are displayed:
Inactive Date: The date and time the port became inactive.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
IfIndex: The serial number of the switch port in the switch.
Port State: Shows the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information.
Disconnects the selected port(s).
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
TIP
It is recommended to disable ports that are no longer in use.
Active Multi MAC on Port Filtering Pane
Generate the report according to the following filtering options:
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Switch Group: Enter the name of the switch group.
MAC Last Permission: Enter the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Filter: Filter according to the filtering options you entered and/or selected in the Active Multi MAC on Port Filtering pane.
Clear: Clear the filtering pane (not the results).
Active Multi MAC on Port Results
After clicking the Filter button, the following parameters are displayed:
Switch Name: The name of the switch.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
MAC Address: The MAC address which is connected/not connected to the Multi MAC port.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Last Discovered Status: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
Multi MAC on Port Filtering Pane
Generate the report according to the following filtering options:
Switch Name: Enter the name of the switch.
Switch IP: Enter the IP address of the switch containing the switch port to which the MAC address is connected.
Slot: Enter the slot number containing the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Switch Group: Enter the name of the switch group.
MAC Last Permission: Enter the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Filter: Filter according to the filtering options you entered and/or selected in the Multi MAC on Port Filtering pane.
Clear: Clear the filtering pane (not the results).
Multi MAC on Port Results
After clicking the Filter button, the following parameters are displayed:
MAC Address: The MAC address.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Switch Name: The name of the switch.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
Last Discovered Status: Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
Last Connection Date: Shows the last date the MAC address was connected.
Last Disconnect Date: Shows the last date the MAC address was disconnected.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
Week: Displays the defined five weeks of the statistical report.
New Stations Count: The number of new stations that connected during the defined week.
Authorized: The number of authorized stations that connected during the defined week.
Unauthorized: The number of unauthorized stations that connected during the defined week.
Disconnected: The number of stations that disconnected during the defined week.
Day 8:00-20:00: Displays the number of new stations that connected between 8:00 and 20:00.
Night 20:00-8:00: Displays the number of new stations that connected between 20:00 and 8:00.
Week: Displays the defined five weeks of the statistical report.
Moving Stations Count: The number of stations that moved during the defined week.
Authorized: The number of stations that were authorized after they moved.
Unauthorized: The number of stations that were unauthorized after they moved.
Disconnected: The number of stations that disconnected during the defined week.
Day 8:00-20:00: Displays the number of stations that moved between 8:00 and 20:00.
Night 20:00-8:00: Displays the number of stations that moved between 20:00 and 8:00.
Week: Displays the defined five weeks of the statistical report.
The number of alerts received for the stations of the defined switch or switches.
Disconnected: The number of stations that were disconnected during the defined week.
Day 8:00-20:00: Displays the number of stations that received an alert between 8:00 and 20:00.
Night 20:00-8:00: Displays the number of stations that received an alert between 20:00 and 8:00.
generate the report; click Clear to view the original results of all the switches.
Displays the total number of switch ports in the enterprise.
Displays the number of free ports in the enterprise.
Displays the number of connected ports in the enterprise.
Alert Severity: Determine the severity of the alert. Choose from the following options: All, Info, Warning, Error.
Alert Type: Display the list of alerts: Agent Reconnected, Agent Time Out, Device SNMP Problem, External Intruder Detected, New MAC Address, New Uplink Found, Port Disable Failed, Port Enable Failed, Router Down, Service Down, Switch Changed, Switch Down, Unauthorized Connection Detected, Virus Found.
Display a brief description of the various types of alerts.
Enter the IP address on which the event occurred.
Enter the slot in which the event occurred.
Enter the port on which the event occurred.
Enter the MAC address for which the event occurred.
Filter: Filter according to the filtering options you entered and/or selected in the Alert Console Filtering pane.
Clear: Clear the filtering pane (not the results).
Date: The date (and time) on which the event occurred.
Alert Type: View the list of alerts: Agent Reconnected, Agent Time Out, Device SNMP Problem, External Intruder Detected, New MAC Address, New Uplink Found, Port Disable Failed, Port Enable Failed, Router Down, Service Down, Switch Changed, Switch Down, Unauthorized Connection Detected, Virus Found.
Displays a brief description of the various types of alerts.
The IP address of the switch.
The slot in which the event occurred.
The port on which the event occurred.
The MAC address for which the event occurred.
Shows whether a station is connected or disconnected (if the station is disconnected, the check box is selected; if the station is connected, the check box is cleared).
Deletes the selected alert.
Refreshes the screen.
Go: Defines the number of lines displayed per page in the filtered results.
Scheduled tasks are SWAT processes that allow batch operations to control switches and switch ports. Each task consists of several steps.
NOTE
The ClearEndedJobs job cleans the Scheduled Tasks filtered results according to a defined time. See Background Processes on page 127 for more information. The Scheduled Task List is for debugging purposes only.
Displays a brief description of the relevant task.
Displays the state of the task.
Shows the time for which the task is scheduled.
Shows the actual start time of the task.
Shows the time the task finished.
Deletes completed jobs.
Operations
IN THIS CHAPTER:
Station Permissions: Sets all levels of network permissions. See Station Permissions on page 99 for more information.
Site Permissions: Determines the permissions for MAC addresses on a required site. See Site Permissions on page 105 for more information.
Advanced Station Addition: Adds new MAC address properties. See Advanced Station Addition on page 110 for more information.
Chapter 8: Operations
Permissions can be set for all levels of the network, i.e., MAC addresses can be allowed or denied access to the whole network, to switches or to individual ports.
NOTE
Permissions are set using exclusively positive (Allow) or negative (Deny) clauses, never a combination of both.
MAC Address: The MAC address; you can enter only a part of the address, using the (%) or (*) signs as a prefix/suffix.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch containing the switch port to which the MAC address is connected.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
Shows the last known permission of the MAC address, i.e., Allow if it is authorized and Deny if it is warned about or disconnected.
User Description: A description of the MAC address to facilitate easy identification of its computer.
Filter: Filters according to the IP address entered for the Switch IP.
Clear: Clears the filtering pane (not the results).
MAC Permitted: Select the last known permission of the MAC address, i.e., Allow All if it is authorized and Deny All if it is warned about or disconnected.
MAC Address: Enter the MAC address.
User Description: View the user description of the MAC address to facilitate easy identification of its computer.
Switch IP: Select the IP address of the switch.
Slot: Enter the slot number which contains the switch port to which the MAC address is connected.
Port: Enter the port number to which the MAC address is connected.
Add: Add the new MAC address.
Loading MAC Addresses via CSV Files
MAC addresses can also be loaded into the SWAT system via the StationData.csv file located in the [INSTALLDIR]\Data directory. The first line of the file lists its columns:
#MAC address,IP address,DNS,Lock for[ALL/Switch/Port], SwitchIP(Optional),Slot(Optional),Port(Optional)
You can add new MAC addresses and permissions or map MAC addresses to IP addresses, either for the entire organization (ALL) or by switch/port.
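As an added example (not a SWAT utility), the following Python script validates a StationData.csv file against the header line above before it is loaded: it normalizes MAC addresses, checks the Lock for scope, and, as this validator's own assumptions, requires SwitchIP for a Switch scope, SwitchIP, Slot and Port for a Port scope, no switch fields for ALL, and accepts the optional trailing columns as empty or omitted. The sample file is constructed.

```python
"""Validate a SWAT StationData.csv before loading it (added example, not a SWAT tool)."""
import csv
import ipaddress
import re
from collections import namedtuple
from typing import List, Tuple

# Column order follows the documented header line of StationData.csv:
# #MAC address,IP address,DNS,Lock for[ALL/Switch/Port],SwitchIP(Optional),Slot(Optional),Port(Optional)
StationRow = namedtuple("StationRow", "mac ip dns lock_for switch_ip slot port")
LOCK_SCOPES = {"all": "ALL", "switch": "Switch", "port": "Port"}
# Six hex pairs, uniformly separated by ':' or '-', or written without separators.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(raw):
    """Return the MAC in canonical AA:BB:CC:DD:EE:FF form, or None if malformed."""
    if not MAC_RE.match(raw):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _opt_ip(value, name):
    """Optional IPv4 column -> (address or None, error message or None)."""
    if not value:
        return None, None
    try:
        return str(ipaddress.IPv4Address(value)), None
    except ipaddress.AddressValueError:
        return None, f"{name} {value!r} is not a valid IPv4 address"


def _opt_int(value, name):
    """Optional numeric column (Slot/Port) -> (number or None, error message or None)."""
    if not value:
        return None, None
    return (int(value), None) if value.isdigit() else (None, f"{name} {value!r} is not a non-negative integer")


def parse_station_csv(text: str) -> Tuple[List[StationRow], List[str]]:
    """Parse StationData.csv text into accepted rows and per-line error messages.

    '#' header lines and blank lines are skipped; omitted optional columns count as
    empty. Scope rules are this validator's assumptions: Switch needs SwitchIP,
    Port needs SwitchIP, Slot and Port, and ALL must not carry switch fields.
    """
    rows, errors, seen = [], [], set()
    for lineno, fields in enumerate(csv.reader(text.splitlines()), start=1):
        fields = [f.strip() for f in fields]
        if not any(fields) or fields[0].startswith("#"):
            continue
        if not 4 <= len(fields) <= 7:
            errors.append(f"line {lineno}: expected 4 to 7 fields, got {len(fields)}")
            continue
        mac_raw, ip_raw, dns, lock_raw, sw_raw, slot_raw, port_raw = fields + [""] * (7 - len(fields))
        mac = normalize_mac(mac_raw)
        lock_for = LOCK_SCOPES.get(lock_raw.lower())
        if mac is None or lock_for is None:
            bad = f"malformed MAC address {mac_raw!r}" if mac is None else f"unknown 'Lock for' scope {lock_raw!r}"
            errors.append(f"line {lineno}: {bad}")
            continue
        ip, e1 = _opt_ip(ip_raw, "IP address")
        switch_ip, e2 = _opt_ip(sw_raw, "SwitchIP")
        slot, e3 = _opt_int(slot_raw, "Slot")
        port, e4 = _opt_int(port_raw, "Port")
        problems = [e for e in (e1, e2, e3, e4) if e]
        if lock_for == "ALL" and (sw_raw or slot_raw or port_raw):
            problems.append("ALL scope must not name a switch, slot or port")
        if lock_for != "ALL" and not sw_raw:
            problems.append(f"{lock_for} scope requires SwitchIP")
        if lock_for == "Port" and not (slot_raw and port_raw):
            problems.append("Port scope requires Slot and Port")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        key = (mac, lock_for, switch_ip, slot, port)  # the same MAC may appear under different scopes
        if key in seen:
            errors.append(f"line {lineno}: duplicate entry for {mac} in {lock_for} scope")
            continue
        seen.add(key)
        rows.append(StationRow(mac, ip, dns, lock_for, switch_ip, slot, port))
    return rows, errors


# Constructed sample file: the documented header line plus valid and faulty rows.
SAMPLE_CSV = """\
#MAC address,IP address,DNS,Lock for[ALL/Switch/Port],SwitchIP(Optional),Slot(Optional),Port(Optional)
00:11:22:33:44:55,10.0.0.15,ws-finance-01,ALL
00-11-22-33-44-66,10.0.0.16,ws-finance-02,Switch,10.0.0.2
001122334477,,printer-3f,Port,10.0.0.2,1,24
00:11:22:33:44:88,10.0.0.18,ws-hr-01,Port,10.0.0.3
ZZ:11:22:33:44:99,10.0.0.19,bad-mac,ALL
00:11:22:33:44:AA,10.0.0.20,ws-lab,Everywhere
00:11:22:33:44:55,10.0.0.15,ws-finance-01,ALL
"""
```

Running `parse_station_csv(SAMPLE_CSV)` accepts the first three data rows and rejects the other four with a line-numbered reason each, so a file can be checked before it is placed in [INSTALLDIR]\Data.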
Connected: Indicates whether the MAC address is connected or free.
Modify: Opens a box in the User Description column for editing purposes.
Last Connection Status: Shows the last known permission of the MAC address, Allow or Deny.
Last Connection Date: Shows the last date the MAC address was connected.
Switch Name: The name of the switch.
Switch IP: The IP address of the switch which contains the switch port to which the MAC address is connected.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
MAC Address: The MAC address.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
User Description: A description of the MAC address to facilitate easy identification of its computer.
Permissions: Opens the Change Permissions dialog box. See Changing Permissions below for more information. Sets the MAC address permission according to the permission selected.
Details: Click the View link under the Details column to open the screen. See MAC Address Details on page 104 for more information.
Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Deletes the selected MAC address.
Disables the selected MAC addresses.
Exports results to Excel.
Go: Defines the number of lines displayed per page in the filtered results.
NOTE
The information displayed in the table reflects the last time the MAC address connected to the network; it does not necessarily mean that the MAC address is currently connected.
To add permissions:
1. Select the required Permission Scope. The following levels can be added:
   All: allows or denies access to all switches monitored by SWAT.
   Switch Groups: allows or denies access to a specific group of switches.
   Switches: allows or denies access to a specific switch or switches.
   Switch ports (interfaces): allows or denies access to a specific switch port or switch ports.
   VLANs: allows or denies access to specific VLAN(s).
2. Select the Type of permission: exclusively a positive Allow or a negative Deny, never a combination of both.
3. Click the Add Permission button. The following screen appears:
5. Select the switch for which you want to allow/deny access and click Apply.
6. Click Back to return to the Add Permissions dialog box.
7. Click the Enforce Now button to apply the changes you made.
The data displayed is divided into the following groups:
Station details: the details of the station that contains the MA address.
Switch details: the details of the switch that contains the MAC address.
Switch port details: the details of the switch port that contains the MAC address.
Organization details: the details of the organization where the MAC address is located (if one is defined).
The Site Permissions screen enables you to determine permissions for MAC addresses on a required site. Use the Site Permissions screen as follows:
Site Name: Enter the name of the site.
Building Name: Enter the name of the building.
Floor Name: Enter the name of the floor.
Room Name: Enter the name of the room.
Port State: Select the current state of the switch port: Enable, Disable, Unmanaged, or Uplink.
Socket: Enter the defined socket.
Switch IP: Enter the IP address of the switch to which the socket is connected.
Slot: Enter the slot number of the switch to which the socket is connected.
Port: Enter the port number of the switch to which the socket is connected.
Filter: Filter the sites according to the information entered in the Site Name field.
Clear: Clears the filtering pane (not the results).
Organization Name: The name of the organization.
Site Name: The name of the office branch or location of the company.
Building Name: The name of the building.
Floor Name: The name of the floor.
Socket Name: The name of the socket in a room which is connected to the port in the switch. The physical structures are linked to the network structure at the socket level: a socket is linked with a given slot and port of a given switch.
Switch IP: The IP address of the switch which is connected to the socket.
Slot: The slot of the switch which is connected to the socket.
Port: The port of the switch which is connected to the socket.
Run Mode: The run mode of the switch. See Run Modes on page 36 for more information. This row is empty if the run mode is not Learn.
Port State: Shows the current state of the switch port: Enable, Disable, Unmanaged or Uplink.
Run Mode: Displays the list of run modes to select from. If you select Permit All as the run mode and then click the Set Selected Port button, the Time Selection dialog box opens for you to define the exact time frame of the permitted site:
Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.
Enables the selected ports.
Disables the selected ports.
Go: Defines the number of lines displayed per page in the filtered results.
NOTE
Permissions are set using exclusively positive Allow or negative Deny clauses, never a combination of both.
MAC Address: The MAC address; you can enter only a part of the address, using the (%) or (*) signs as a prefix/suffix.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Switch Name: The switch name.
Switch IP: The IP address of the switch which contains the switch port the MAC address is connected to.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
Last Discovered Permission: Allow: allows all MAC addresses selected for the given slots within the given level. Deny: denies all MAC addresses selected for the given slots within the given level.
Filter: Filters the MAC address according to the IP address entered in the IP Address field.
Clear: Clears the filtering pane (not the results).
TIP
To view the description of a specific MAC address, select the MAC address and click the View link under the Permissions column. See the example below:
MAC Address: The MAC address; you can enter only a part of the address, using the (%) or (*) signs as a prefix/suffix.
IP Address: The last known IP address allocated to the MAC address.
Node Name: The last known network name of the MAC address's computer.
Switch Name: The switch name.
Switch IP: The IP address of the switch which contains the switch port the MAC address is connected to.
Slot: The slot number containing the switch port to which the MAC address is connected.
Port: The port number to which the MAC address is connected.
IfIndex: The serial number of the switch port in the switch.
User Description: A description of the MAC address to facilitate easy identification of its computer.
Permissions: Opens the Change Permissions dialog box. See Changing Permissions below for more information.
Changes the selected MAC addresses to Allow.
Changes the selected MAC addresses to Deny.
Closes the screen without saving any changes.
Go: Defines the number of lines displayed per page in the filtered results.
The Advanced Station Addition screen allows you to add new MAC address properties and define a start/end time for them.
MAC Address: The MAC address of the station that performed the unauthorized connection. You can enter only a part of the address, using the (%) or (*) sign as a prefix/suffix.
User Description: A description of the MAC address to facilitate easy identification of its computer. To add or modify the description, click Edit.
Start Time: The exact time when the new MAC address was permitted.
End Time: The exact time when the new MAC address stopped being permitted.
Add: Adds the new MAC address properties.
Site Name: The name of the site.
Building Name: The name of the building.
Floor Name: The name of the floor.
Room Name: The name of the room.
Socket: The socket ID.
Switch IP: The IP address of the switch to which the socket is connected.
Slot: The slot number in the switch to which the socket is connected.
Port: The port number in the switch to which the socket is connected.
Filter: Filters according to the IP address entered for the Switch IP.
Clear: Clears the filtering pane (not the results).
Organization Name: The name of the organization.
Site Name: The name of the branch office or location of the company.
Building Name: The name of the building.
Floor Name: The name of the floor.
Socket Name: The name of the socket in a room which is connected to the port in the switch. The physical structures are linked to the network structure at the socket level: a socket is linked with a given slot and port of a given switch.
Switch IP: The IP address of the switch which is connected to the socket.
Slot: The slot of the switch which is connected to the socket.
Port: The port of the switch which is connected to the socket.
Changes all the MAC addresses to Allow.
Go: Defines the number of lines displayed per page in the filtered results.
able to locate the infected stations within minutes and remove them automatically from the network.
VirusHandle.XML File
The action SWAT performs (Warn/Disconnect) is listed in each of the following entries of the VirusHandle.XML file:
<Virus>
  <VirusHandlerEntry>
    <SWATAction>Warn</SWATAction>
    <IPs>
      <IP>*.*.*.*</IP>
    </IPs>
    <AlertNames>
      <Alert>All</Alert>
    </AlertNames>
    <Severities>
      <Severity>All</Severity>
    </Severities>
    <Actions>
      <Action>All</Action>
    </Actions>
    <AlertsPerMinutes>
      <NumberOfAlert>1</NumberOfAlert>
      <Minutes>0</Minutes>
    </AlertsPerMinutes>
    <IgnorVirusNames>
      <IgnorVirusName></IgnorVirusName>
    </IgnorVirusNames>
  </VirusHandlerEntry>
</Virus>
IPs: the IP (subnet) that can be managed.
AlertNames: the alerts you want to handle (either all alerts or by name).
NOTE
The alert settings are somewhat dependent on the specific antivirus system.
Actions: the action taken by the antivirus (e.g., quarantine, delete); you can choose to filter according to a certain kind of action.
Alerts per Minute: deals only with a defined number of alerts that arrived during a defined amount of time. The default is set to handle the first alert that arrives.
Ignore Virus Name: enables ignoring/recognizing a virus by its name.
NOTE
You can use the wildcard capability for virus names.
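As an added example (not SWAT's own code), the following Python module loads VirusHandle.XML entries and replays antivirus alerts through them, implementing the fields above as this example interprets them: IPs, AlertNames, Severities and Actions accept All or wildcard patterns; AlertsPerMinutes is a per-entry, per-station sliding window (Minutes 0 means no time window, so the shipped 1/0 default fires on the first alert); an IgnorVirusName pattern makes that entry skip the alert; the first matching entry in file order decides. The AvAlert field set and the stricter first entry in the sample XML are constructed for the example.

```python
"""Evaluate antivirus alerts against VirusHandle.XML entries (added example, not SWAT code)."""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AvAlert:
    """One event from the antivirus server; the field set is assumed for this example."""
    station_ip: str
    alert_name: str
    severity: str     # Info / Warning / Error
    action: str       # what the antivirus did, e.g. Quarantine or Delete
    virus_name: str
    minute: float     # arrival time in minutes from an arbitrary origin


@dataclass(frozen=True)
class HandlerEntry:
    swat_action: str  # Warn or Disconnect
    ips: Tuple[str, ...]
    alert_names: Tuple[str, ...]
    severities: Tuple[str, ...]
    actions: Tuple[str, ...]
    number_of_alerts: int
    minutes: float
    ignore_virus_names: Tuple[str, ...]


def _texts(entry, path):  # non-empty text values under a list element, e.g. 'IPs/IP'
    return tuple(e.text.strip() for e in entry.iterfind(path) if e.text and e.text.strip())


def load_entries(xml_text: str) -> List[HandlerEntry]:
    """Parse every VirusHandlerEntry of a VirusHandle.XML document, in file order."""
    entries = []
    for e in ET.fromstring(xml_text).iterfind("VirusHandlerEntry"):
        entries.append(HandlerEntry(
            swat_action=(e.findtext("SWATAction") or "").strip(),
            ips=_texts(e, "IPs/IP"),
            alert_names=_texts(e, "AlertNames/Alert"),
            severities=_texts(e, "Severities/Severity"),
            actions=_texts(e, "Actions/Action"),
            number_of_alerts=int(e.findtext("AlertsPerMinutes/NumberOfAlert") or 1),
            minutes=float(e.findtext("AlertsPerMinutes/Minutes") or 0),
            ignore_virus_names=_texts(e, "IgnorVirusNames/IgnorVirusName"),  # tag spelled as in the file
        ))
    return entries


def _matches(value: str, patterns: Tuple[str, ...]) -> bool:
    """'All' (or an empty list) matches anything; otherwise case-insensitive wildcard match."""
    if not patterns or any(p.lower() == "all" for p in patterns):
        return True
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


class VirusHandler:
    """First entry whose filters match decides. Assumptions: an ignored virus name makes the
    entry skip the alert; AlertsPerMinutes is counted per entry and station, Minutes=0 means no
    time window, and reaching the threshold acts once and restarts the count."""

    def __init__(self, entries: List[HandlerEntry]):
        self.entries = entries
        self._history: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)

    def decide(self, alert: AvAlert) -> Optional[str]:
        """Return the matching entry's SWATAction ('Warn'/'Disconnect') or None for no action."""
        for idx, entry in enumerate(self.entries):
            filters = ((alert.station_ip, entry.ips), (alert.alert_name, entry.alert_names),
                       (alert.severity, entry.severities), (alert.action, entry.actions))
            if not all(_matches(v, p) for v, p in filters):
                continue
            if any(fnmatchcase(alert.virus_name.lower(), p.lower()) for p in entry.ignore_virus_names):
                continue
            window = self._history[(idx, alert.station_ip)]
            window.append(alert.minute)
            if entry.minutes > 0:
                while window and alert.minute - window[0] > entry.minutes:
                    window.popleft()  # drop alerts older than the configured window
            if len(window) >= entry.number_of_alerts:
                window.clear()
                return entry.swat_action
            return None  # matched, but the alert count has not reached the threshold yet
        return None


# Constructed sample: a stricter Disconnect rule for one subnet, then the manual's default Warn entry.
SAMPLE_XML = """<Virus>
  <VirusHandlerEntry>
    <SWATAction>Disconnect</SWATAction>
    <IPs><IP>10.0.5.*</IP></IPs><AlertNames><Alert>All</Alert></AlertNames>
    <Severities><Severity>Error</Severity></Severities><Actions><Action>All</Action></Actions>
    <AlertsPerMinutes><NumberOfAlert>3</NumberOfAlert><Minutes>10</Minutes></AlertsPerMinutes>
    <IgnorVirusNames><IgnorVirusName>EICAR*</IgnorVirusName></IgnorVirusNames>
  </VirusHandlerEntry>
  <VirusHandlerEntry>
    <SWATAction>Warn</SWATAction>
    <IPs><IP>*.*.*.*</IP></IPs><AlertNames><Alert>All</Alert></AlertNames>
    <Severities><Severity>All</Severity></Severities><Actions><Action>All</Action></Actions>
    <AlertsPerMinutes><NumberOfAlert>1</NumberOfAlert><Minutes>0</Minutes></AlertsPerMinutes>
    <IgnorVirusNames><IgnorVirusName></IgnorVirusName></IgnorVirusNames>
  </VirusHandlerEntry>
</Virus>"""
```

With this sample, a single Error alert from 10.0.5.x returns None until the third alert within 10 minutes, which returns Disconnect, while an EICAR test detection on that subnet falls through to the default entry and returns Warn.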
Antivirus Server
Once the SWAT server is configured, you need to configure the antivirus server so that it notifies SWAT about virus incidents. Since each vendor has a specific configuration, refer to Antivirus Integration on page 129 for further information about the supported vendors.
Chapter 10: Advanced Settings
IN THIS CHAPTER: Switch List File, Router List File, Defining New Device Types, Watchdog Service
Each entry or field is separated by a comma and each new row in the database is represented by a new line. An example file:
AlphaRouter,121.1.23.254,public
BetaRouter,234.11.230.254,comget
GammaRouter,120.29.2.254,pass
The tags contain details on the location of given information, and the method to get it. The best way to add a new device is to copy the EquipmentTypeEntry of a similar device and modify the relevant fields.
XML Reference
The most commonly used fields in the XML reference are described in the following table.
NOTE
Indented XML tags signify that the clause should be contained in the clause above it.
XML Clause: Description (Expected Value)
Binds an entry to a given device. The SysObjectID of a given device. The program tries to find the longest prefix that matches the device SysObjectID.
Description: Describes the device. (Expected value: Text)
strType: The category of the device. (Expected value: Computer; hub; invisible-hub; router; switch-hub; switch-router; unknown)
ObjectInfo: A sub XML containing the instructions on how to extract general information about the object. (Expected value: Name; description)
InterfaceInfo: A sub XML containing the instructions on how to extract general information on the object's interfaces.
Index: A sub XML containing the instructions on how to extract the IfIndex of an interface.
Function: The type of function that extracts the requested data.
Parameters: The XML parameters which are passed to the function. Each function has its own parameters. See XML Reference on page 120 for further details and examples.
MacAddress: A sub XML containing the instructions on how to extract the ARP table's MAC address. (Expected value: Function; parameters)
Description: A sub XML containing the instructions on how to extract the IfDescription of an interface. (Expected value: Function; parameters)
Name: A sub XML containing the instructions on how to extract the IfName of an interface. (Expected value: Function; parameters)
Alias: A sub XML containing the instructions on how to extract the IfAlias of an interface. (Expected value: Function; parameters)
Type: A sub XML containing the instructions on how to extract the IfType of an interface. (Expected value: Function; parameters)
Layer3LinkInfo: A sub XML containing the instructions on how to extract information on the object's ARP table.
VlanInfo: A sub XML containing the instructions on how to extract information on the object's VLAN.
SlotPortInfo: A sub XML containing the instructions on how to extract information on the interfaces' slots/ports. (Expected value: Function; parameters)
LoadEquipmentTypeInfo.bat in the [INSTALLDIR]\bin\DATABASE_MANAGEMENT directory. The utility updates the information in the table, so a partial XML can be entered too. The key for the update is the sysObjectId value of the entry.
Supported Devices
As you can see in the XML file, the product supports a large number of devices from all the known equipment providers, among them Cisco, Nortel, Avaya, 3Com, Sun and HP. New devices are added all the time; contact Wise-Mon for updates on the existing file. You can add your proprietary devices on your own, or contact Wise-Mon for guidelines and help on how to add new devices.
NOTE
If you receive an alert that a certain action is down, you need to restart that service; if you receive an alert that the manager is down, you need to restart the agent as well.
In order to ensure that the Watchdog file runs, put the file in the Windows scheduler on the server as follows:
1. From the Start menu, select Settings>Control Panel>Scheduled Tasks>Add Scheduled Task. The Scheduled Task Wizard appears as follows:
2. Click Next to access the following screen, then click the Browse button and select SWAT Jobs from the list of programs.
3. Click Open to access SWAT Jobs and display the following screen:
4. Select Daily, so that the process runs every day, and then click Next. The following screen appears:
5. Enter the time you want the process to start and make sure that Every Day is selected. Click Next to access the next screen.
6. Enter your login user name and password and click Next.
7. Select Open advanced properties... (as shown in the screen above) and click Finish. The SWAT Watchdog screen appears as follows:
8. Select the Schedule tab, verify that everything is configured as required and click the Advanced button. The Advanced Schedule Options dialog box appears as follows:
9. Select Repeat task and configure the task to repeat itself every 30 minutes with a duration of 24 hours (as shown in the screen above).
10. Click OK twice to apply the changes and close the screen.
Chapter 11: Background Processes
11.1 Job List
The SWAT .ini file includes the list of SWAT jobs and the frequency in which they run.
NOTE
To change the times at which the jobs run, make the required modifications in the .ini file and then run SetFrequencyJobs.bat, located in the [INSTALLDIR]\bin\DATABASE_MANAGMENT directory.
DeleteOldLogs
This job runs in order to delete old log files; the default setting runs this process every hour. In the Log directory, it deletes all files that are older than 12 hours or larger than 50 MB. In the Temp directory, it deletes all files older than one month.
NOTE
You can change the default parameters in the bin>SWATjobs>DeleteOldLogs.bat file.
LoadSwitchesData
This job runs in order to load all the switches' data (ports and VLANs); the default setting runs this process every 24 hours.
LoadRoutersData
This job runs in order to load all the routers' data (subnets); the default setting runs this process every 24 hours.
ClearEndedJobs
This job runs in order to clear finished jobs from the Scheduled Tasks list; the default setting runs this process every hour.
LoadManagementPlatform
This job runs in order to load the management platform (see Management Platform Connectivity Pane on page 36 for further information); the default setting is set to zero, i.e. the process is set not to run.
LoadDNSNames
This job runs in order to review all the IP addresses and update their DNS names; the default setting runs this process every 24 hours.
CleanDB
This job runs in order to clean the following tables in the database; the default setting runs this process every 24 hours.
Tables:
SWAT_ALERTS: deletes all the alerts that are older than the defined time; the default setting is 14 days.
SWAT_INACTIVE_STATIONS: deletes all the old stations that have not been connected for the defined time; the default setting is 365 days.
SWAT_STATION_HISTROY: deletes the history of each station according to the defined time; the default setting is 365 days.
SWAT_VIRUSES_History: deletes the information on each virus according to the defined time; the default setting is 14 days.
SWAT can connect to the Symantec antivirus system and receive alerts about infected stations where the infection cannot be removed or recurs repeatedly.
To configure Symantec to send traps to SWAT, perform the following:
1. Configure the Windows SNMP service as shown below.
Appendix A
2. Select the Simple Network Management Protocol checkbox and click OK.
3. Select All Tasks>AMS>Configure to access Symantec's SSC Console. Choose the relevant server group and open the AMS settings.
4. Select the Virus Found option and click the Configure button.
5. From the Select Action dialog box, select the Send SNMP Trap option and click Next.
6. If the SNMP service is configured correctly, the server's host name should appear in the Select Action Computer screen (below) after a few seconds.
TIP
If the server's host name is not displayed, restart the antivirus server.
7. Select the server's host name and click Next to open the Enter Action Message screen.
8. In the Alert Message pane, enter the text as shown above or copy it directly from the VirusHandlerHelp.txt file located in the Installation directory under the ini folder (C:\WISE-MON\SWAT\ini).
9. Click Finish. Make sure that the new rule now appears under Virus Found.
10. Open the Windows Services screen and double-click the SNMP Service line to open the SNMP Service Properties screen.
11. Click the Traps tab and enter the SWAT IP address or host name in the Trap Destinations pane.
12. Select Public from the Community Name drop-down list.
In most cases you need to restart the services of the antivirus server in order for the new settings to take effect; a full restart of the server is recommended.
NOTE
These settings apply to the antivirus side only; for the SWAT side refer to the VirusHandler.xml.
Appendix B: Advanced Configuration
B.1 Database Configuration
SWAT's database settings are configured in the Database section.
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
The SERVER value, (local), points to a database on the same server as SWAT. In the example above, (local) can be replaced with the host name/URL or the IP address of the database server, e.g., SERVER=192.168.1.2.
NOTE
Remove the parentheses for server names and IP addresses.
If you define the ODBC system entry for SWAT on your own, the connection string should look like this: dsn=dbi:ODBC:EntryName.
If you decide to change your password after the installation and want it to appear encoded in the file, run the following file in the command line:
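As an added example (not the product's own code), the following Python helper reads a [database] section of the form shown above, splits the DBI-style DSN into its parameters, and applies the notes here: the commented ';dsn=' alternative is ignored, (local) is accepted, parentheses around a host name or IP address are flagged, and a login of sa is reported because it is the SQL Server built-in administrator. The SAMPLE_INI text is constructed for the demonstration.

```python
import configparser
import re

# Constructed sample mirroring the [database] section shown above (not the
# product's own file); the ';dsn=...' line is the commented-out alternative.
SAMPLE_INI = """[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
"""

def parse_database_section(ini_text):
    """Return the active (uncommented) keys of the [database] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    return dict(cp["database"])

def parse_dsn(dsn):
    """Split a Perl DBI style 'dbi:ODBC:...' DSN. A 'connection-string' carries
    key=value pairs; a 'system-entry' just names an ODBC system entry."""
    m = re.fullmatch(r"dbi:ODBC:(.+)", dsn)
    if not m:
        raise ValueError("not a dbi:ODBC DSN: %r" % dsn)
    body = m.group(1)
    if "=" not in body:
        return "system-entry", {"ENTRY": body}
    params = {}
    for item in body.split(";"):
        key, _, value = item.partition("=")
        if key.strip():
            params[key.strip().upper()] = value.strip()
    return "connection-string", params

def audit_database_config(ini_text):
    """Return (dsn_form, params, findings) for a [database] section."""
    section = parse_database_section(ini_text)
    form, params = parse_dsn(section["dsn"])
    findings = []
    server = params.get("SERVER", "")
    # The manual's rule: '(local)' is the only value that keeps its parentheses.
    if server != "(local)" and server.startswith("(") and server.endswith(")"):
        findings.append("remove the parentheses around SERVER=%s" % server)
    # 'sa' is SQL Server's built-in administrator; a dedicated login is safer.
    if section.get("user") == "sa":
        findings.append("user=sa is the SQL Server built-in administrator account")
    return form, params, findings

if __name__ == "__main__":
    for line in audit_database_config(SAMPLE_INI)[2]:
        print("finding:", line)
```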
Appendix B
TIP
You can change your user name and password at any stage.
1. Set SWAT's application pool.
   a. Under the Web Sites folder, right-click SWAT>SWATWeb and select Properties.
   b. From the bottom of the Home Directory tab, in the Application pool list, select SwatApplicationPool.
   c. Click OK.
2. Now, when you select the SwatApplicationPool, you should see the three directories under it.
4. Change the application pool identity to Local System.
   a. Right-click SwatApplicationPool and select Properties.
   b. From the Identity tab, under Application Pool Identity>Predefined, select Local System.
Index
Numerics
802.1x 4, 5
A
Active Multi MAC Ports 86 Adding Permissions 103 Administration 31 Administration Menu 31 Advanced Run-modes 11 Learn and Lock for Group 11 Learn and Lock for Port 11 Learn and Lock for Switch 11 Learn Once and Disconnect 11 Learn Once and Warn 11 Move to VLAN 11 Advanced Settings 117 Advanced Station Addition 110 Agent Directories 26 Alert Console 93 Alert Console Filtered Results 95 Alert Severity 94 Alert Type 40, 94, 95 Alert Types 40, 41 Antivirus Support 113 External Antivirus Systems 114
B
Background Processes 127
C
Centralized Anti-Virus Solutions 2 Changing Permissions 102 Connection String 135
D
Database 15 Database Configuration 15 Database Definitions 16 Default Installation 25 Defining New Device Types 118 Detection Tools 1 Discovery Agents 6 Discovery Agents and Managers 24 Discovery Cycle 12
E
ESM Integration 8 ESM Platform 8
I
IDS 2, 6 Inactive Ports 84 Inactive Stations Report 77 Installation 8, 18 Installing SWAT 18 Installing the Manager 28 Interface 24 IPS 2, 6
J
Job List 127
K
Key File Creation 29 Generating 30
L
Loading the XML File 121
M
MAC 5 MAC Address 111 MAC Address Details 104 MAC Address Permission Filtering 107 MAC Address Permission Parameters 109 MAC Addresses 10 MAC Addresses Filtered Results 101 MAC Permissions 8 Manager Communication 25 Manager Directories 28 Moving Station Statistics 91 MSDE 8 Multi MAC Ports 88
N
NAC 4 Network Configuration 42 Network Discovery Tools 6 Network Reports 83 New Agent 25 New Manager 27 New Station Statistics 90 New Stations Report 80
O
Online Network Discovery Tools 6 Operational Concepts 10 Operations 98 Operations Menu 98 Organizational Tree Support 7
P
Password 136 Port Statistics 92 Pre Installation 14
Q
Query Capabilities 8
R
Reduced Bandwidth Utilization 13 Reinstalling SWAT 22 Reports 8, 76 Reports Menu 76 Risk Management Solutions 2 Router Filtered Results 67 Router Forms 68 Multiple Routers 70 Single Router 68 Router List File 117 Routers 66 Run Modes 10, 36 Run-modes Disconnect Mode 11 Learn Mode 10 Warn Mode 10
S
Scalable Installation 8 Scheduled Tasks 96 Scheduled Tasks Filtered Results 96 Secured Agent 25 Site Configuration 71 Site Configuration Filtered Results 75 Site Filtered Parameters 112 Site Permission Parameters 106 Site Permissions 105 SQL 8 SQL Server 16 Station Alert Statistics 92 Station History Report 82 Station Permissions 99 Station Reports 77 Statistics Reports 89 Supported Devices 122 Supported ESM Platforms 8 SWAT Directories 21 Switch Filtered Results 51 Switch Form 53 Switch Forms Multiple Switches 56 Single Switch 53 Switch Groups 43 Switch Groups Filtered Results 45 Switch List File 117 Switch Port Filtered Results 60 Switch Port Forms 61 Multiple Switch Ports 64 Single Switch Port 62 Switch Ports 58 Switches 49 Symantec Configuration 129 System Requirements 14 Hardware Requirements 14 Software Requirements 14
U
Uninstalling SWAT 30 Uninstalling the Manager 29 User Name 136
V
Verbose Logging 24 VLAN 10
W
Watchdog Service 122
X
XML Reference 120 Xtenders 1
Contact Information:
Main Office: 18 Ben Gurion Street, Givat-Shmuel, 54101, Israel
Telephone: +972-3-7370737
Fax: +972-3-7370707
Web Site: http://www.Wise-Mon-t.com
For assistance/information: sales@Wise-Mon-t.com