
AirTight Networks

SpectraGuard Enterprise (SGE)

RSA enVision Ready Implementation Guide


Last Modified: March 30th, 2012

Partner Information
Partner Name: AirTight Networks
Web Site: www.airtightnetworks.com

Product Information
Product Name: SpectraGuard Enterprise
Version & Platform: 6.7 Linux/CentOS
Product Description: SpectraGuard Enterprise is a complete, end-to-end wireless intrusion prevention solution (WIPS) that proactively blocks wireless threats by automatically scanning, detecting and classifying all unauthorized access and rogue traffic to your network. SpectraGuard Enterprise provides performance management and knowledge-based troubleshooting features that allow analysis and resolution of remote wireless network issues from a central location.

Solution Summary
AirTight Networks SpectraGuard Enterprise (SGE) enables enterprises to protect both wired and wireless
networks and mobile client security from wireless vulnerabilities. AirTight delivers threat monitoring and
automatic intrusion prevention and manages wireless network performance for maximum capacity and
uptime. SpectraGuard Enterprise protects organizations from emerging threats including comprehensive
802.11n rogue APs, Multi-Pot threats, Denial of Service, and WEP cracking attacks. By integrating with
RSA enVision, SGE log activity can be used in an effective security log management solution for real-time
alerting, correlated rules and events, and scheduled reporting.
RSA enVision Features
SpectraGuard Enterprise 6.7
EventSource Integration package name: atnspectraguardpe.zip
Device display name within enVision: ATNSpectraGuardPE
Collection method: Syslog

Release Notes
Release Date - What's New In This Release
03/30/2012 - Changed 8 messages from Table 1 to Table 74. All tables are Content 2.0.
11/14/2011 - Added support for AirTight SpectraGuard Enterprise 6.6.
08/02/2011 - Changed and added additional variables to existing messages.
07/19/2011 - Added additional variables to existing messages.
06/01/2011 - Initial support for AirTight SpectraGuard Enterprise.


EventSource Integrator Package


The RSA enVision Intelligence Community is an online forum for customers and partners to exchange
technical information and best practices with each other. The forum also contains the location to
download the EventSource Integrator Package for this guide. All enVision customers and partners are
invited to register and participate in the Intelligence Community: https://rsaenvision.lithium.com.
Once you have downloaded the ATNSpectraGuardPE package from the Intelligence Community, you
must deploy the package on all enVision appliances in your environment as described in the following
table.
RSA enVision Site - Where to Deploy the Event Source XML Package
Single appliance site: On the appliance
Multiple appliance site: On all components:
• Application Servers (A-SRVs)
• Database Servers (D-SRVs)
• Local Collectors (LCs)
• Remote Collectors (RCs)
Multiple appliance site with Enhanced Availability: On all components:
• Application Servers (A-SRVs)
• Database Servers (D-SRVs)
• Cluster Appliances (CAs)

EventSource Integrator Package Notifications


An EventSource Integrator package may be updated frequently depending on the vendor or changes to
the log messages of the device. To ensure you receive e-mail notifications on all new and existing RSA
Partner ESI Packages, subscribe to the Partner Created Content message board within the RSA
enVision Intelligence Community. To do so, perform the following steps:
1. Log in to the enVision Intelligence Community.
2. Scroll down and click enVision Content and Event Sources > Partner Created Content.


3. On the top menu, click Board Options > Subscribe.

Note: You will now be notified via e-mail when new or existing ESI
packages are updated.

Deploying an EventSource Package


To deploy an event source package:
1. Extract the EventSource Package directly into the following folder: %_ENVISION%\update.

Important: Do not create a subfolder within the %_ENVISION%\update directory when extracting the package.

2. Run the script file, DeployEventSourceSetup.vbs.

3. The RSA enVision EventSource Integrator box will appear. If you wish to have the NIC Service Manager service
restart on all of your sites after the install, click Yes. If you plan to manually restart the services later, click No.
The time the script file takes to run depends on the number of event source XML files that need to be verified. If
you are deploying a new event source, the script assigns an event source type ID to the event source. If you are
updating an existing event source, the event source XML file is updated.

4. Log in to the enVision console to confirm the new device type is displayed under Overview > System
Configuration > Devices > Manage Device Types and listed as ATNSpectraGuardPE.

Important: The new device will not be displayed in the enVision console until the NIC Service Manager service has been restarted.
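The Important note above is the step that most often goes wrong in practice: a zip tool that repacks the package under a wrapper folder leaves the XML in a subfolder of %_ENVISION%\update, where the deploy script does not see it. The following script is an added example, not RSA or AirTight code. It inspects a package before extraction and, if needed, extracts it flat; the package contents it builds (a hypothetical example-eventsource.xml and a wrapper folder named atnspectraguardpe) are constructed so the script runs offline and do not model the real atnspectraguardpe.zip.

```python
"""Flat-extraction check for an EventSource Integrator package.

Added example; this is not RSA or AirTight code. It enforces the guide's
rule that the package must land directly in %_ENVISION%\\update with no
subfolder, and it builds constructed sample packages so it runs offline
(the real atnspectraguardpe.zip contents are not modelled).
"""
import os
import tempfile
import zipfile


def package_layout(zip_path):
    """Inspect the zip before extracting. Returns ('flat', files) when every
    entry sits at the top level, or ('nested', dirs) naming the top-level
    directories that a plain extraction would create under update\\."""
    with zipfile.ZipFile(zip_path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    dirs = sorted({n.split("/", 1)[0] for n in names if "/" in n})
    return ("nested", dirs) if dirs else ("flat", sorted(names))


def extract_flat(zip_path, update_dir):
    """Write every file in the package straight into update_dir, dropping any
    directory prefix, so no subfolder is created. Entries are written by
    basename only, which also stops a crafted '../' path escaping update_dir."""
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            base = os.path.basename(info.filename)
            if info.is_dir() or not base:
                continue
            with zf.open(info) as src, open(os.path.join(update_dir, base), "wb") as dst:
                dst.write(src.read())
            written.append(base)
    return sorted(written)


def build_sample_package(path, nested):
    """Constructed stand-in for an ESI package: one hypothetical event source
    XML plus the deploy script named in the guide, optionally wrapped in a
    folder the way some archivers repack a zip."""
    prefix = "atnspectraguardpe/" if nested else ""   # hypothetical wrapper folder
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(prefix + "example-eventsource.xml", "<EventSource/>")  # placeholder content
        zf.writestr(prefix + "DeployEventSourceSetup.vbs", "' placeholder")


def demo():
    """Build a flat and a nested sample package, extract the nested one flat
    into a throwaway 'update' folder, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        flat_zip = os.path.join(tmp, "flat.zip")
        nested_zip = os.path.join(tmp, "nested.zip")
        build_sample_package(flat_zip, nested=False)
        build_sample_package(nested_zip, nested=True)
        update_dir = os.path.join(tmp, "update")
        os.mkdir(update_dir)
        return {
            "flat_layout": package_layout(flat_zip),
            "nested_layout": package_layout(nested_zip),
            "extracted": extract_flat(nested_zip, update_dir),
            "subfolders": sorted(d for d in os.listdir(update_dir)
                                 if os.path.isdir(os.path.join(update_dir, d))),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real appliance you would point extract_flat at the actual %_ENVISION%\update path and then run DeployEventSourceSetup.vbs as in step 2; package_layout alone is enough to decide whether the package needs flattening at all.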


Partner Product Configuration


Before You Begin
This section provides instructions for configuring the AirTight Networks SpectraGuard Enterprise (SGE)
with RSA enVision. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All AirTight Networks components must be installed and working prior to the integration. Perform the
necessary tests to confirm that this is true before proceeding.

SpectraGuard Enterprise Configuration


The SpectraGuard Enterprise server should be configured to send syslog events to the RSA enVision
appliance. The following steps give a brief overview of configuring RSA enVision as a syslog event
receiver. For a detailed description of the SpectraGuard Enterprise user interface, refer to the
SpectraGuard Enterprise User Guide.
1. Login to SpectraGuard Enterprise UI as a user with administrator privileges.
2. Select the Administration tab and then the Global Policies view.
3. Select ESM Integration, then Syslog. The Syslog Configuration screen will now open.

Syslog Configuration
The Syslog Configuration screen allows the SpectraGuard Enterprise to send events to designated Syslog receivers.


• Syslog Integration Status: If Syslog Integration Enabled is checked, the system sends messages to the
configured Syslog Servers. Otherwise, Syslog integration services are shut off and you cannot manage the
Syslog Servers.

• Current Status: Displays the Current Status of the Syslog Server: Running or Stopped. An Error status is
shown in one of the following cases:
• One of the configured and enabled Syslog Servers has a hostname that cannot be resolved
• System Server is stopped
• Internal error, in which case you need to contact AirTight Networks Technical Support

Adding RSA enVision Server as Syslog receiver


1. Under Manage Syslog Servers, click Add to open the Syslog Configuration screen.

2. Enter the Syslog Server (IP Address or Hostname) of the RSA enVision server.
3. Enter the Port Number of the enVision syslog port (Default: 514).
4. From the Message Format pull-down menu, select Plain text. This specifies the format in which events
are sent to enVision.
5. Next, check the Enabled checkbox. This enables events to be sent to this Syslog receiver.
6. Finish by clicking the Add button.
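Two things are worth verifying once the receiver is added: that every enabled server's hostname actually resolves (the Error status case described under Current Status above) and that a plain-text syslog line reaches the receiver on the configured port. The script below is an added example, not AirTight or RSA code. It reproduces the status logic from the guide with an injectable resolver, builds a constructed RFC 3164 plain-text line (the hostname "sge-server", tag "SpectraGuard" and the body are placeholders, not SGE's real message format), and assumes UDP as the transport on port 514; the round trip goes to a loopback receiver so it runs offline.

```python
"""Pre-flight checks for the SGE -> enVision syslog integration.

Added example, not AirTight Networks or RSA code. It mirrors the status
cases the guide lists (Running / Stopped / Error when an enabled server's
hostname does not resolve) and sends a constructed plain-text RFC 3164
message over UDP (assumed transport) so the collection path can be
confirmed end to end against a loopback receiver.
"""
import socket
import time
from dataclasses import dataclass

SYSLOG_PORT = 514  # enVision default syslog port from the guide


@dataclass
class SyslogServer:
    host: str               # IP address or hostname entered in the Add dialog
    port: int = SYSLOG_PORT
    enabled: bool = True    # the per-server "Enabled" checkbox


def resolve(host, resolver=socket.getaddrinfo):
    """Return the first IPv4 address for host, or None if it cannot be resolved.
    The resolver is injectable so the check can be exercised without DNS."""
    try:
        infos = resolver(host, None, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def integration_status(integration_enabled, servers, resolver=socket.getaddrinfo):
    """Reproduce the Current Status rules: Stopped when integration is off,
    Error listing every enabled server whose hostname does not resolve,
    otherwise Running. Disabled servers are ignored, as in the product."""
    if not integration_enabled:
        return "Stopped", []
    unresolved = [s.host for s in servers
                  if s.enabled and resolve(s.host, resolver) is None]
    return ("Error", unresolved) if unresolved else ("Running", [])


def build_plain_text_message(text, hostname="sge-server", tag="SpectraGuard",
                             facility=4, severity=6, now=None):
    """Build a constructed RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: text.
    PRI = facility * 8 + severity (4 = auth, 6 = informational). Timestamp is
    UTC for determinism. Hostname, tag and body are placeholders, not SGE's
    real message format."""
    t = time.gmtime(now)  # now=None means the current time
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {text}"


def send_udp(message, host, port):
    """Send one syslog line over UDP; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (host, port))


def loopback_receiver():
    """Bind a throwaway UDP receiver on 127.0.0.1 (ephemeral port) standing in
    for the enVision collector; returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(2.0)
    return s, s.getsockname()[1]


def round_trip(text):
    """Send a constructed message to the loopback receiver and return
    (what was sent, what arrived) so the two can be compared."""
    rx, port = loopback_receiver()
    try:
        msg = build_plain_text_message(text)
        send_udp(msg, "127.0.0.1", port)
        data, _ = rx.recvfrom(2048)
        return msg, data.decode("utf-8")
    finally:
        rx.close()


if __name__ == "__main__":
    servers = [SyslogServer("localhost"), SyslogServer("envision.example", enabled=False)]
    print(integration_status(True, servers))
    sent, received = round_trip("test event from SGE syslog integration")
    print("received intact:", received == sent)
```

To check a real deployment, replace the loopback receiver with the enVision appliance's address and port in send_udp and confirm the line appears under Manage Messages to Parse for the ATNSpectraGuardPE device; an unresolvable hostname in the server list is what puts the Current Status into Error before any message is sent.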


Certification Checklist for RSA enVision


Date Tested: March 30th, 2012
Certification Environment
Product Name - Version Information - Operating System
RSA enVision - 4.1 SP1 - Microsoft Windows 2003 R2
RSA EventSource Integrator - 1.2 - Microsoft Windows XP SP2
RSA Event Source Update (ESU) - 20120305-123706 - Microsoft Windows XP SP2
SpectraGuard Enterprise (SGE) - 6.5/6.6/6.7 - Linux/CentOS

enVision Test Case - Result

Device Management
• Device discovers properly under Manage Monitored Devices
• Vendor name appears in enVision GUI correctly
• Device can be deleted from Manage Monitored Devices
• Device can be disabled from Manage Device Types
• Device Class type is correct under Manage Device Types
• Device displays properly under Manage Messages to Parse

Message Management
• Disabled device creates unknown device in monitored device list
• Temporary nugget files are removed

Queries / Reports
• Messages for device populate the table columns correctly
• Ad Hoc report populates variables correctly

Result legend: Pass, Fail, N/A = Non-Available Function


Appendix
In certain cases after deploying the ESI Package, the device may come into enVision as an Unknown
device type. To resolve this issue, complete the following steps.

1. In the enVision GUI, select Overview > System Configuration > Devices > Managed Monitor Devices,
then click on the IP Address of the Unknown device.


2. From the Device Type pull-down menu, select the correct device type. For the name of the device as it
appears in enVision, refer to the above section RSA enVision Features, page 2.

3. Select OK to the information dialog box shown below.


4. From the Collection pull-down menu, select Active.

5. Select the Analyze radio button.

6. Click Apply.

Important: You must restart the enVision NIC Collector Windows service for your changes to take effect.
