Swat User Guide 4.1.0


  • 8/3/2019 Swat User Guide 4.1.0



    User Guide

    Software Version 4.1.0

    Wise-Mon Ltd., January 2011


    Table of Contents

    Chapter 1: Introduction
        Overview
        Existing Detection Tools
        Key Features
        Intruders & Malicious Stations
        802.1x & NAC
        Overview of 802.1x and NAC
        Online Network Discovery Tools
        Additional Benefits
        Organizational Tree Support
        ESM Integration
        Flexible MAC Address Permissions
        Enhanced Reports and Query Capabilities
        Easy Installation
        Scalable Installation

    Chapter 2: Operational Concepts
        Basic Mechanism
        Run Modes
        Advanced Run Modes
        Scalable Solution
        Faster Network Discovery Cycle
        Reduced Bandwidth Utilization
        Flexible Solution Supporting New Device Types

    Chapter 3: Pre-Installation
        System Requirements
        Obtaining the Software
        Database Configuration
        Switch/Router Information & Configuration

    Chapter 4: Installation
        Installing SWAT
        SWAT Directories
        Reinstalling SWAT
        Configuration
        General - Verbose Logging
        Interface
        Discovery Agents & Managers
        Default Installation
        Creating a New Agent
        Creating a New Manager
        Installing the Manager
        Key File Creation
        Generating a Key File
        Uninstalling SWAT

    Chapter 5: Administration
        Administration Menu
        General Administration Form
        Run Modes
        SWAT Users
        Alert Types
        Alert Type List

    Chapter 6: Network Configuration
        Network Configuration Menu
        Switch Groups
        Switch Group List
        Switch Group Form
        Switches
        Switch Filtered Results
        Switch Forms
        Switch Ports
        States
        Switch Port Filtered Results
        Switch Port Forms
        Routers
        Router Filtered Results
        Router Form
        Site Configuration
        Site Configuration Add Dialog Boxes
        Site Configuration Filtered Results

    Chapter 7: Reports
        Reports Menu
        Station Reports
        Inactive Stations Report
        New Stations Report
        Station History Report
        Network Reports
        Inactive Ports
        Active Multi MAC Ports
        Multi MAC Ports
        Statistics Reports
        New Station Statistics
        Moving Station Statistics
        Station Alert Statistics
        Port Statistics
        Alert Console
        Alert Console Filtering Pane
        Alert Console Filtered Results
        Scheduled Tasks
        Scheduled Tasks Filtered Results

    Chapter 8: Operations
        Operations Menu
        Station Permissions
        MAC Address Filtering Pane
        Add New MAC Address Pane
        MAC Addresses Filtered Results
        Changing Permissions
        MAC Address Details
        Site Permissions
        Site Permission Parameters
        MAC Address Permission Filtering
        MAC Address Permission Parameters
        Advanced Station Addition
        Site Filtered Parameters

    Chapter 9: Antivirus Support
        SWAT's Added Value
        Supporting External Antivirus Systems

    Chapter 10: Advanced Settings
        Switch List File
        Router List File
        Defining New Device Types
        EquipmentTypeEntry Tags
        Loading the XML File
        Watchdog Service

    Chapter 11: Background Processes
        Job List

    Chapter 12: Compliance
        General
        Compliance Menu
        Policies Management
        Conditions Management
        Compliance Status
        Compliance Statistics
        Analyze Device
        Types Management

    Appendix A: Antivirus Integration
        Symantec Configuration

    Appendix B: Advanced Configuration
        Database Configuration
        Connection String
        User Name and Password
        Windows Server 2008 Configuration


    Welcome to SWAT (Switch Access Control), the ideal NAC for protecting

    your network from unauthorized endpoint devices.

    The purpose of this guide:

    This guide contains information for using SWAT efficiently and correctly.

    Who should use this guide?

    This guide is intended for network and security managers.

    Conventions:

    The manual uses the following conventions:

    Actions you need to perform are displayed in bold. For example, click OK or

    enter the IP address.

    This font is used for hyperlinks.

    This font is used for code and system activity.

    UPPERCASE is used for keys and acronyms.

    Cross-references are underlined. For example, see Conventions.

    The Italic font is used to emphasize words and phrases in certain cases.


    Notes are used to call your attention to important and special information.

    Tips are used to provide additional and beneficial information.

    Caution implies essential information that should be taken with extra care.



    Chapter 1: Introduction



    Key Features

    Intruders & Malicious Stations

    802.1x & NAC

    Additional Benefits

    1.1 Overview

    SWAT (SWitch Access conTrol), a Wise-Mon NAC product, enables online mapping of IP addresses to their exact physical entry point and geographical location. Providing a critical feature for IDS/IPS, antivirus and risk management solutions, SWAT complements existing security tools by automatically or manually blocking the actual port of an intruder and instantly preventing unauthorized stations from connecting to the organization's LAN. SWAT also enables quick and simple migration to 802.1x, providing simple, non-intrusive network access control for switches and end stations that do not support 802.1x. The product supplies a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.

    1.1.1 Existing Detection Tools

    Various tools exist for identifying malicious stations within the enterprise network; however, each tool lacks a certain important feature, which jeopardizes the network's security. SWAT complements these tools, ensuring full security and effectiveness.


    Intrusion Detection Systems

    IDS (Intrusion Detection Systems) scan the data passing through them on the way to the server farm or important parts of the network. IDS identify a pattern of attack and notify users of the attacker. The attacker is identified by its IP address.

    Intrusion Prevention Systems

    IPS (Intrusion Prevention Systems) solutions are enhanced IDS which also block the attacker after identifying it, using one of the following methods:

    • Blocking its traffic.

    • Terminating its TCP communication.

    • Inserting access lists into firewalls and routers.

    None of these blocking mechanisms excludes the malicious station from the network. They only confine the intruder and limit its access to the server farm, or at best prevent it from getting out of its segment. Intruders, however, can continue infecting stations in the unblocked part of the network. Furthermore, the stations they infect act as proxies for additional attacks.

    Centralized Anti-Virus Solutions

    There is a current trend to move to centralized anti-virus management on all stations inside the organization. This enables controlled updates of virus information from the center, and the ability to receive alerts for:

    • Discovered viruses in the enterprise.

    • Stations that removed the anti-virus agent.

    However, these products only notify the administrators of the alerts; they do not disable the malicious stations.

    Risk Management Solutions

    Risk Management Solution tools gather event logs and audit records from servers and devices in the enterprise. They then correlate the records in order to discover intruders or malicious stations. If an intruder is found, the operator is notified and actions are performed accordingly. However, at the network level only the IP address of the malicious station is known, similar to IPS capabilities.


    1.2 Key Features

    SWAT is a unique and very powerful complementary tool for most of the existing security products in the field of malicious station detection.

    SWAT includes the following key features:

    • Provides the exact location of an intruder.

    • Complements the capabilities of existing IDS/IPS, antivirus and risk management solutions, disabling any intruders and excluding attackers from the network within seconds of discovery.

    • Includes a powerful engine, providing a distributed, instantaneous online discovery process.

    • Physically moves new stations to a VLAN and automatically disables/enables them, enhancing network quarantine abilities.

    • Enables simple integration with management platforms (Tivoli, HP, CA and more).

    • Performs online mapping