Swat User Guide 4.1.0


  • 8/3/2019 Swat User Guide 4.1.0


    SWAT

    User Guide

    Software Version 4.1.0

    Wise-Mon Ltd., January 2011

    Table of Contents

    Chapter 1: Introduction
      Overview
      Existing Detection Tools
      Key Features
      Intruders & Malicious Stations
      802.1x & NAC
      Overview of 802.1x and NAC
      Online Network Discovery Tools
      Additional Benefits
      Organizational Tree Support
      ESM Integration
      Flexible MAC Address Permissions
      Enhanced Reports and Query Capabilities
      Easy Installation
      Scalable Installation

    Chapter 2: Operational Concepts
      Basic Mechanism
      Run Modes
      Advanced Run Modes
      Scaleable Solution
      Faster Network Discovery Cycle
      Reduced Bandwidth Utilization
      Flexible Solution Supporting New Device Types

    Chapter 3: Pre-Installation
      System Requirements
      Obtaining the Software
      Database Configuration
      Switch/Router Information & Configuration

    Chapter 4: Installation
      Installing SWAT
      SWAT Directories
      Reinstalling SWAT
      Configuration
      General - Verbose Logging
      Interface
      Discovery Agents & Managers
      Default Installation
      Creating a New Agent
      Creating a New Manager
      Installing the Manager
      Key File Creation
      Generating a Key File
      Uninstalling SWAT

    Chapter 5: Administration
      Administration Menu
      General Administration Form
      Run Modes
      SWAT Users
      Alert Types
      Alert Type List

    Chapter 6: Network Configuration
      Network Configuration Menu
      Switch Groups
      Switch Group List
      Switch Group Form
      Switches
      Switch Filtered Results
      Switch Forms
      Switch Ports
      States
      Switch Port Filtered Results
      Switch Port Forms
      Routers
      Router Filtered Results
      Router Form
      Site Configuration
      Site Configuration - Add Dialog Boxes
      Site Configuration Filtered Results

    Chapter 7: Reports
      Reports Menu
      Station Reports
      Inactive Stations Report
      New Stations Report
      Station History Report
      Network Reports
      Inactive Ports
      Active Multi MAC Ports
      Multi MAC Ports
      Statistics Reports
      New Station Statistics
      Moving Station Statistics
      Station Alert Statistics
      Port Statistics
      Alert Console
      Alert Console Filtering Pane
      Alert Console Filtered Results
      Scheduled Tasks
      Scheduled Tasks Filtered Results

    Chapter 8: Operations
      Operations Menu
      Station Permissions
      MAC Address Filtering Pane
      Add New MAC Address Pane
      MAC Addresses Filtered Results
      Changing Permissions
      MAC Address Details
      Site Permissions
      Site Permission Parameters
      MAC Address Permission Filtering
      MAC Address Permission Parameters
      Advanced Station Addition
      Site Filtered Parameters

    Chapter 9: Antivirus Support
      SWAT's Added Value
      Supporting External Antivirus Systems

    Chapter 10: Advanced Settings
      Switch List File
      Router List File
      Defining New Device Types
      EquipmentTypeEntry Tags
      Loading the XML File
      Watchdog Service

    Chapter 11: Background Processes
      Job List

    Chapter 12: Compliance
      General - Compliance Menu
      Policies Management
      Conditions Management
      Compliance status
      Compliance Statistics
      Analyze Device
      Types Management

    Appendix A: Antivirus Integration
      Symantec Configuration

    Appendix B: Advanced Configuration
      Database Configuration
      Connection String
      User Name and Password
      Windows Server 2008 Configuration

    Preface

    Welcome to SWAT (Switch Access Control), the ideal NAC for protecting your network from unauthorized endpoint devices.

    The purpose of this guide:

    This guide contains information for using SWAT efficiently and correctly.

    Who should use this guide?

    This guide is intended for network and security managers.

    Conventions:

    The manual uses the following conventions:

    • Actions you need to perform are displayed in bold. For example, click OK or enter the IP address.
    • This font is used for hyperlinks.
    • This font is used for code and system activity.
    • UPPERCASE is used for keys and acronyms.
    • Cross-references are underlined. For example, see Conventions:.
    • The Italic font is used to emphasize words and phrases in certain cases.

    NOTE
    Notes are used to call your attention to important and special information.

    TIP
    Tips are used to provide additional and beneficial information.

    CAUTION
    Caution implies essential information that should be taken with extra care.

    Chapter 1: Introduction

    IN THIS CHAPTER:

    • Overview
    • Key Features
    • Intruders & Malicious Stations
    • 802.1x & NAC
    • Additional Benefits

    1.1 Overview

    SWAT (SWitch Access conTrol), a Wise-Mon NAC product, enables online mapping of IP addresses to their exact physical entry point and geographical location. Providing a critical feature for IDS/IPS, anti-virus and risk management solutions, SWAT complements existing security tools by automatically or manually blocking the actual port of an intruder and instantly preventing unauthorized stations from connecting to the organization's LAN. SWAT also enables quick and simple migration to 802.1x, providing simple non-intrusive network access control for switches and end stations that do not support 802.1x. The product supplies a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.

    1.1.1 Existing Detection Tools

    Various tools exist for identifying malicious stations within the enterprise network; however, each tool lacks a certain important feature, which jeopardizes the network's security. SWAT complements these tools, ensuring full security and effectiveness.

    Intrusion Detection Systems

    IDS (Intrusion Detection Systems) scan the data passing through them on the way to the server farm or important parts of the network. IDS identify a pattern of attack and notify users of the attacker. The attacker is identified by its IP address.

    Intrusion Prevention Systems

    IPS (Intrusion Prevention Systems) solutions are enhanced IDS which also block the attacker after identifying it, using one of the following methods:

    • Blocking its traffic.
    • Terminating its TCP communication.
    • Inserting access lists to firewalls and routers.

    None of these blocking mechanisms excludes the malicious stations from the network. They only confine the intruder and limit its access to the server farm, or at best prevent it from getting out of its segment. Intruders, however, can continue infecting stations in the unblocked part of the network. Furthermore, the stations they infect act as proxies for additional attacks.

    Centralized Anti-Virus Solutions

    There is a current trend to move to centralized anti-virus management on all stations inside the organization. This enables controlled updates of virus information from the center, and the ability to receive alerts for:

    • Discovered viruses in the enterprise.
    • Stations that removed the agent of the anti-virus.

    However, these products only notify the administrators of the alerts; they do not disable the malicious stations.

    Risk Management Solutions

    Risk management tools gather event logs and audit records from servers and devices in the enterprise. They then correlate the records in order to discover intruders or malicious stations. If an intruder is found, the operator is notified and actions are performed accordingly. However, at the network level, only the IP address of the malicious station is known, similar to IPS capabilities.

    1.2 Key Features

    SWAT is a unique and very powerful complementary tool for most of the existing security products in the field of malicious station detection.

    SWAT includes the following key features:

    • Provides the exact location of an intruder:
        Physical - switch/slot/port.
        Geographical - building/floor/room/socket.
    • Complements the capabilities of existing IDS/IPS, anti-virus and risk management solutions, disabling any intruders and excluding attackers from the network within seconds of discovery.
    • Includes a powerful engine, providing a distributed instantaneous online discovery process.
    • Physically moves new stations to a VLAN and automatically disables/enables them, enhancing network quarantine abilities.
    • Enables simple integration with management platforms (Tivoli, HP, CA and more).
    • Performs online mapping, enabling IP address to MAC address mapping along with online management of organization layout.
    • Easily installed, maintained and operated from a central position in the network.
    • No additional components or adjustments to the network architecture are required.
    • Multi-vendor switch support.

    SWAT provides a full, enhanced compliance mechanism using a variety of protocols:

    • WMI
    • SNMP
    • HTTP
    • TELNET

    Additional features:

    • Quick and simple migration to 802.1x, providing access control for switches and end stations that do not support 802.1x.
    • Includes a MAC address security permission system, restricting access to an organization's internal network and creating a repository of all network nodes.

    1.3 Intruders & Malicious Stations

    The problem:

    IDS/IPS, centralized anti-virus and risk management software detect and block malicious stations either from within the organization or from the outside. These products operate and block stations at the IP address level (access lists in firewalls/routers). This solution is sufficient for intruders outside the organization; however, malicious stations residing within the organization can continue poisoning the enterprise's internal network. Most malicious stations that actually cause damage come from within the organization, thus there is a need to disconnect malicious stations, based on their IP address, at the actual physical port level. Most operators require the exact physical location (switch/slot/port) of a station with a given IP address, as well as the exact geographical location (building/floor/room/socket), for disconnecting it from the network.

    Wise-Mon's solution:

    Serving as the next step for IDS/IPS, anti-virus and risk management solutions, SWAT complements existing security tools by blocking the actual physical port of an intruder. With the ability to perform online mapping of MAC addresses, SWAT specifies the exact location of an intruder on both the physical and the geographical level, right away.

    In order to locate newly connected stations and validate them by using their MAC addresses for identification, SWAT combines alert handling mechanisms and fast low-bandwidth switch polling. SWAT is easy to deploy and implements an easy-to-use web-based GUI with full management capabilities.

    Several high-speed, low-bandwidth IP scanning and router polling mechanisms provide quick identification and compliance checks for layer 3 devices.

    1.4 802.1x & NAC

    SWAT provides online monitoring of the location of stations connected to the internal network of the enterprise. When a malicious station is connected, SWAT discovers it within seconds to minutes and presents precise location information about it, even if the station changes its IP address. Hence, operators identify the intruder online by its IP address, and are able to disconnect it from the network at the physical switch level.

    1.4.1 Overview of 802.1x and NAC

    The 802.1x standard addresses the issue of access permissions to the network. When a station is connected to a switch, the user/device is prompted by the switch for authentication information. This information is passed by the switch to a RADIUS server for verification. Only when the station is authenticated does the switch allow it to connect to the network.

    A hardware NAC system is an extension to 802.1x; it adds additional tests and conditions, which the switch verifies before the network device is connected. The tests can include verifying that an anti-virus product is running and that the patch level is high enough.

    In order to implement 802.1x there is a need for:

    • Switches that support this standard.
    • Network devices that support 802.1x.
    • A RADIUS server which is connected to the organization's authentication store.

    It is clear that within 3-5 years 802.1x will become the standard for network access authentication, both for wired & wireless devices.

    The problems in implementing 802.1x:

    There are a few problems with the current implementation of 802.1x:

    • Currently not all switches support this standard. For some switches it only requires a change of the firmware; for others it requires replacing the complete switch.
    • Requires a change in the enterprise network's architecture (switch, RADIUS, device drivers in stations, etc.).
    • The implementation itself is very complex and requires a long deployment period (weeks to months in most organizations).
    • There are many network devices that do not support 802.1x:
        Most printers.
        Some UNIX platforms.
    • It is quite complicated to manage 802.1x.

    SWAT as an easy way for 802.1x migration:

    SWAT enables organizations to migrate to 802.1x easily and surely. SWAT provides access control checks for switches and network stations that do not support 802.1x. The implementation of SWAT does not require any change in any switch and/or end device, and most network devices are supported as is. SWAT acts as a centralized guard of the internal network.

    MAC address & location-based security permission system:

    SWAT supplies a security mechanism which restricts access to the organization's internal network based on MAC addresses. The product creates a repository of all nodes in the enterprise network. It then checks the connecting nodes and either permits or disconnects the node from the network according to the given permissions.

    The security parameters for a permission entry are:

    • A list of ports on the switches.
    • A list of switches (all the ports of a given switch).
    • A list of sockets and physical access points in the geographical premises of the enterprise. A socket is represented by the following list of information: location-building-floor-room-socket.
    • Time-based permission system.

    1.4.2 Online Network Discovery Tools

    Most network management tools include a discovery mechanism. However, these tools have the following limitations:

    SWAT vs. Regular Network Discovery Tools

    | Network Discovery Tools | SWAT |
    |---|---|
    | Centralized tools mounted on a single server. Thus, all discovery communication passes through the network to the server and there is no distributed discovery. | SWAT has the ability to distribute agents that perform the discovery process. The discovery agents are located near the monitored equipment and perform the discovery in parallel. |
    | High bandwidth utilization since all discoveries are centralized, entailing high expenses of bandwidth when the organization is distributed. | SWAT locates the agents near the monitored devices, maintaining an image of the results in the agents. Only the delta between the discoveries is returned to the center. This reduces the bandwidth utilization. |
    | Serial discovery process usually polls one node at a time, causing a slow discovery cycle. In a large network the discovery cycle can last many hours (this being the reason that most of these tools recommend scheduling a discovery cycle every few days). | The distributed agents supply parallel discovery. SWAT also performs asynchronous discovery operations within the agent, allowing faster operations within each agent. This enables SWAT to perform a full discovery operation within minutes. |
    | Malicious station detection tools do not integrate with any security product. | SWAT integrates with: IDS, IPS, centralized anti-virus management stations and risk management tools. |
    | Limited device support for only a given set of devices with mapping connections. Adding new nodes usually requires changes in the software. | Mapping is hardly a standardized issue. SWAT is designed to enable support for new devices at site level by changing configuration files. Minimal software changes are required when adding new device support to SWAT. |
    | No geographical location support, and usually no information is provided about the physical location of a given node. | SWAT enables obtaining the geographical location of a given device. The location information can be imported from external sources and asset management tools. |
    | Non scaleable, becoming very slow when the discovered network grows. | SWAT is designed for scalability, allowing unlimited agents with unlimited managers in the centers, accepting data from the agents. The managers can also be distributed to the different devices. |

    NOTE
    All communication between the agents and managers in the center is secured and encrypted.

    1.5 Additional Benefits

    1.5.1 Organizational Tree Support

    SWAT enables building an organizational hierarchy tree. The hierarchy tree describes the organization's structure and contains:

    • Sites.
    • Buildings.
    • Rooms.
    • Network sockets.

    Based on this organizational tree, SWAT's alerts show the exact location of an intruder, in addition to its switch/slot/port information. This allows for location-based permission rules for given devices. The organizational tree data and the connection between network sockets and switch/slot/port can be imported from existing asset management platforms in the organization, or fully maintained using only the SWAT GUI.

    1.5.2 ESM Integration

    By learning the network structure from installed management platforms, SWAT is easily integrated, saving the time needed for defining the switches and routers in the network. SWAT also receives the list of MAC addresses and automatically authorizes them all.

    Leveraging ESM platform capabilities, SWAT can be used to show port-switch-MAC-IP-socket-physical-room information in trap details, displayed by the ESM platforms.

    The following ESM platforms are supported:

    • HP OpenView NNM
    • IBM Tivoli Netview

    1.5.3 Flexible MAC Address Permissions

    SWAT enables setting MAC address permissions according to several flexible rules. Specific MAC addresses are allowed to connect to specific network sockets, buildings, rooms, switches, ports, at given time slots, etc.

    MAC address permission scenario examples:

    • Allow a specific laptop to connect only to a specific floor in a specific building for a given amount of time.
    • Allow only specific stations to connect to specific sockets in given buildings.

    1.5.4 Enhanced Reports and Query Capabilities

    Based on a relational database, SWAT generates any report needed for management. SWAT includes a large number of built-in reports such as:

    • Ports locked by SWAT or other systems.
    • MAC addresses in the enterprise and their authorization status.
    • Different views of MAC address permissions.
    • Last connection time of MAC address and its location:
        Site/building/room/socket
        Switch/slot/port

    1.5.5 Easy Installation

    SWAT is easy to install and maintain. It requires a single Windows-based server with SQL server (or MSDE) for database and reporting capabilities. SWAT's client is HTTP/S web-based. No additional components, switches, OS or hardware upgrades are required.

    1.5.6 Scalable Installation

    For large installations with thousands of switches, SWAT offers a distributed and scalable deployment, designed for any size network.

    Chapter 2: Operational Concepts

    IN THIS CHAPTER:

    • Basic Mechanism
    • Run Modes
    • Scaleable Solution

    2.1 Basic Mechanism

    SWAT performs its actions by learning the VLAN topology of the organization, while matching the physical MAC addresses of the nodes in the organization to the IP addresses assigned to them.

    SWAT performs periodical checks of defined switches and routers. It extracts the bridge and ARP information from the devices, mapping the location of each device within the network.

    SWAT also receives linkup traps from the switches in the organization and examines the node connected to the originator of the trap. Every new node SWAT detects is entered into the mapping database and verified according to the permissions assigned to it. Then actions are performed based on these permissions.
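The correlation described in 2.1, joining router ARP data (IP to MAC) with switch bridge data (MAC to port), can be sketched as follows. This is an added example, not SWAT's own code: the sample rows are constructed, the function names are hypothetical, and choosing the port with the fewest learned MACs as the access port is an assumption made here to separate access ports from uplinks.

```python
"""Correlate router ARP tables with switch bridge tables (constructed data)."""
import re
from collections import defaultdict

# Constructed sample input: every address, switch name and port is invented.
ARP_ROWS = [                       # (ip, mac) as read from a router's ARP table
    ("10.0.1.20", "00:11:22:33:44:55"),
    ("10.0.1.21", "00-11-22-AA-BB-CC"),
    ("10.0.1.30", "0011.22dd.eeff"),
    ("10.0.1.99", "00:11:22:99:99:99"),   # in ARP, but on no polled switch
]
BRIDGE_ROWS = [                    # (switch, port, mac) from each bridge table
    ("sw-a", "1/3",  "00:11:22:33:44:55"),
    ("sw-a", "1/4",  "00:11:22:00:00:01"),
    ("sw-a", "1/24", "00:11:22:aa:bb:cc"),   # uplink to sw-b
    ("sw-a", "1/24", "00:11:22:dd:ee:ff"),
    ("sw-b", "2/7",  "00:11:22:aa:bb:cc"),
    ("sw-b", "2/9",  "00:11:22:dd:ee:ff"),
    ("sw-b", "2/48", "00:11:22:33:44:55"),   # uplink to sw-a
    ("sw-b", "2/48", "00:11:22:00:00:01"),
]


def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, whatever separators were used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def locate_macs(bridge_rows):
    """Map each MAC to its most likely access port.

    A MAC is learned on its own access port and on every uplink its frames
    cross. Assumption of this example: the access port is the candidate port
    with the fewest learned MACs, since uplinks carry many stations.
    """
    macs_on_port = defaultdict(set)
    for switch, port, mac in bridge_rows:
        macs_on_port[(switch, port)].add(normalize_mac(mac))
    ports_of_mac = defaultdict(list)
    for location, macs in macs_on_port.items():
        for mac in macs:
            ports_of_mac[mac].append(location)
    return {
        mac: min(ports, key=lambda loc: (len(macs_on_port[loc]), loc))
        for mac, ports in ports_of_mac.items()
    }


def map_ips(arp_rows, bridge_rows):
    """Join ARP (IP -> MAC) with bridge data (MAC -> port), one record per IP."""
    location = locate_macs(bridge_rows)
    result = {}
    for ip, mac in arp_rows:
        mac = normalize_mac(mac)
        switch, port = location.get(mac, (None, None))
        result[ip] = {"mac": mac, "switch": switch, "port": port}
    return result


def stations_without_ip(arp_rows, bridge_rows):
    """MACs seen on a switch port that no router ARP table knows about."""
    known = {normalize_mac(mac) for _, mac in arp_rows}
    return sorted(set(locate_macs(bridge_rows)) - known)


if __name__ == "__main__":
    for ip, rec in map_ips(ARP_ROWS, BRIDGE_ROWS).items():
        print(ip, rec)
    print("no IP seen:", stations_without_ip(ARP_ROWS, BRIDGE_ROWS))
```

An IP whose MAC appears on no polled switch comes back with no location, which is the case an operator has to chase manually before a port can be blocked.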

    2.2 Run Modes

    Various run modes are available for learning and maintaining images of existing devices in an enterprise's internal network.

    • Learn mode - newly discovered MAC addresses are automatically set as valid and authorized for accessing the whole network. Known address permissions are left unchanged. This mode is suitable for enterprises that just installed SWAT and want to build their device repository. SWAT also supports the option of loading all the valid devices in the organization from an external source.
    • Warn mode - a warning is sent by email or written to an event log when unidentified/unauthorized MAC addresses connect to the network via open ports. The unidentified MAC addresses are then blacklisted.
    • Disconnect mode - when unidentified/unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected. The unidentified MAC addresses are then blacklisted.

    NOTE
    Each and every mode can be configured for the entire enterprise network or a specific switch or port.

    2.2.1 Advanced Run Modes

    • Learn and Lock for Group - connecting MAC addresses receive authorization for the group of switches to which they are connected.
    • Learn and Lock for Switch - connecting MAC addresses receive authorization for all ports on the switch to which they are connected.
    • Learn and Lock for Port - connecting MAC addresses receive authorization for the port to which they are connected.
    • Learn Once and Warn - connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Warn mode.
    • Learn Once and Disconnect - connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Disconnect mode.
    • Move to VLAN - connecting new stations are physically moved to a VLAN and automatically disabled/enabled. This run mode enables enhanced network quarantine capabilities: stations receive new permissions in accordance with the VLAN to which they are moved. Furthermore, stations that receive a new dynamic IP address are discovered by SWAT.

    The decision-making process, which takes place when access is determined for a connecting computer during Warn or Disconnect mode, is as follows:

    • Unknown computer - the MAC address is blacklisted and its port is warned or disconnected.
    • Known computer - the MAC address permissions are verified according to the switch and port through which they connect.

    NOTE
    In order to stay connected, the permissions (exclusively positive or negative) have to either approve the switch/port or not deny the switch/port.

    If the current run mode is any type of learn mode, the computer's MAC address is authorized in one of the following ways:

    • If the MAC address is authorized to access the port, its permissions are not altered.
    • If the address is not authorized:
        Learn-and-Lock modes add permissions to the switch/port.
        Learn and Learn Once modes add permissions to the entire network; old permissions are deleted.
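The decision process of 2.2 and 2.2.1 can be written out as a small state machine. This is an added example, not SWAT's own code: the class, the mode strings and the scope tuples are hypothetical names, the events are constructed, and Learn and Lock for Group and Move to VLAN are left out. Where the text is silent (a known MAC that fails verification, or a learn-and-lock on a MAC holding a negative permission) the choice made is marked in a comment.

```python
"""Run-mode decision for a connecting station (added example, not SWAT code)."""
from dataclasses import dataclass, field

NETWORK = ("network",)   # scope covering every switch and port


@dataclass
class Permission:
    kind: str                                  # "allow" or "deny", never both
    scopes: set = field(default_factory=set)   # NETWORK, ("switch", sw), ("port", sw, p)


def covers(scope, switch, port):
    return scope in (NETWORK, ("switch", switch), ("port", switch, port))


def is_authorized(perm, switch, port):
    """Positive permissions must approve the port; negative ones must not deny it."""
    hit = any(covers(scope, switch, port) for scope in perm.scopes)
    return hit if perm.kind == "allow" else not hit


class AccessController:          # hypothetical name
    def __init__(self, default_mode):
        self.default_mode = default_mode
        self.port_mode = {}      # (switch, port) -> mode override for that port
        self.perms = {}          # mac -> Permission
        self.blacklist = set()

    def on_connect(self, mac, switch, port):
        """Return "allow", "learned", "warn" or "disconnect" for a link-up event."""
        mode = self.port_mode.get((switch, port), self.default_mode)
        perm = self.perms.get(mac)
        authorized = perm is not None and is_authorized(perm, switch, port)

        if mode in ("warn", "disconnect"):
            if perm is None:                 # unknown computer
                self.blacklist.add(mac)
                return mode
            # Known computer: verify against this switch/port. Applying the
            # port's mode on failure is this example's reading of the text.
            return "allow" if authorized else mode

        # Any learn mode: an already authorized MAC keeps its permissions.
        action = "allow"
        if not authorized:
            if mode == "learn_lock_switch":
                scope = ("switch", switch)
            elif mode == "learn_lock_port":
                scope = ("port", switch, port)
            else:                            # learn, learn_once_*
                scope = NETWORK
            if scope == NETWORK or perm is None or perm.kind == "deny":
                # Network-wide learning deletes old permissions. Replacing a
                # negative permission here is an assumption of this example.
                self.perms[mac] = Permission("allow", {scope})
            else:
                perm.scopes.add(scope)       # learn-and-lock adds to existing
            action = "learned"
        if mode.startswith("learn_once_"):   # port now switches to warn/disconnect
            self.port_mode[(switch, port)] = mode[len("learn_once_"):]
        return action


def demo():
    """Replay constructed link-up events and return the decisions in order."""
    ac = AccessController("learn")
    out = [ac.on_connect("aa", "sw1", "1/1")]          # learned network-wide
    ac.default_mode = "disconnect"
    out.append(ac.on_connect("aa", "sw1", "1/2"))      # known and allowed
    out.append(ac.on_connect("bb", "sw1", "1/2"))      # unknown: blacklisted
    ac.port_mode[("sw1", "1/5")] = "learn_lock_port"
    out.append(ac.on_connect("cc", "sw1", "1/5"))      # learned for 1/5 only
    out.append(ac.on_connect("cc", "sw1", "1/6"))      # known, wrong port
    ac.perms["dd"] = Permission("deny", {("switch", "sw2")})
    out.append(ac.on_connect("dd", "sw1", "1/2"))      # not denied here
    out.append(ac.on_connect("dd", "sw2", "3/1"))      # denied on sw2
    ac.port_mode[("sw1", "1/9")] = "learn_once_warn"
    out.append(ac.on_connect("ee", "sw1", "1/9"))      # learned, port -> warn
    out.append(ac.on_connect("ff", "sw1", "1/9"))      # next station: warn
    return out, ac


if __name__ == "__main__":
    print(demo()[0])
```

The replay shows why a plain Learn mode left on after the initial inventory is risky: any station that connects during that window ends up authorized for the whole network.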

    2.3 Scaleable Solution

    SWAT is scalable to networks of all sizes. This is implemented by allowing the distribution of SWAT collector agents near the devices they monitor, thus providing the following added value:

    • Faster network discovery cycle.
    • Reduced bandwidth utilization.
    • Secured communication.

    Figure 2-1: Optional distributed architecture

    2.3.1 Faster Network Discovery Cycle

    Since SWAT operates in a distributed mode, it can perform discovery operations in parallel. This enables a very fast discovery cycle. In addition, the agents are also designed to perform fast discovery by performing their queries both asynchronously and simultaneously.

    Parallelism in two places:

    • Multiple agents which perform the discovery in parallel to different parts of the network.
    • Each agent sends its requests asynchronously to the switches and routers it monitors, and then correlates the answers. This way the discovery cycle within each agent is very short.

    2.3.2 Reduced Bandwidth Utilization

    The agents are designed to use as little bandwidth as possible. This is critical when the organization is composed of several sites connected by WAN lines. The agents pass the discovered information periodically; however, in order to reduce bandwidth utilization, the agents keep an image of the discovered information in their memory and pass only the changes to the center. Thus, there is hardly any traffic directed to the center, even when the discovery process has high frequency. According to a defined time, the agent notifies the center of the switch's/router's status. If for any reason the agent does not send keep-alive information to the manager within a predefined time, the SWAT administrator is notified.

    2.3.3 Flexible Solution Supporting New Device Types

    In order to build an accurate mapping, SWAT is required to learn the information from switches within the organization. Despite the bridge information standard (Bridge MIB), some switches do not support this MIB, and many support it in different ways. With SWAT, the installer of the product can easily introduce new devices to the product by directing it to where the information is located. This process can be carried out at site level by the operator of the product.

    Chapter 3: Pre-Installation

    IN THIS CHAPTER:

    • System Requirements
    • Obtaining the Software
    • Database Configuration
    • Switch/Router Information & Configuration

    3.1 System Requirements

    Hardware Requirements

    | Prerequisite | Additional Specifications |
    |---|---|
    | Platform | Intel. |
    | Disk space | At least 250 MB. |
    | CPU | Dual Pentium IV 2.0GHz processors with 512 KB cache. SWAT's CPU consumption depends on the number of monitored switches and connected nodes. |
    | RAM | 2 GB |

    NOTE
    It is assumed that SWAT is also running the database used by the product, however this is not a requirement.

    Software Requirements

    | Prerequisite | Additional Specifications |
    |---|---|
    | Operating system | Windows 2000 server (Service Pack 3); Windows 2003 server. |
    | Internet information services | IIS 5 or IIS 6. |
    | Microsoft .Net framework | Version 1.1. NOTE: To ensure that IIS supports .NET pages, you need to run the file aspnet_regiis.exe located in winnt (windows - in 2003)\Microsoft.NET\Framework\#Version. |
    | Database | MS SQL server 2000 with service pack 3. This database should be purchased separately; SWAT does not include an installation of SQL server. MSDE database. |
    | Windows Installer | SWAT installation uses MSI installation. This requires the latest version of Windows Installer (a Windows component). The required version of Windows Installer is already bundled with service pack 3 of Windows 2000. |
    | Internet browser | SWAT's graphical user interface is web-based. In order to use the GUI, you need Internet Explorer 6 and above. |

    3.2 Obtaining the Software

    To obtain the software:

    Contact Wise-Mon Technologies at [email protected] and provide the following information:

    • The operating system on which you plan to install the product.
    • IP and MAC addresses of the computer running SWAT.

    Wise-Mon provides you with a user name and password to access the FTP site, customers.Wise-Mon-t.com, from where the installation package can be downloaded. You will also receive the license file required for operating the product.

    3.3 Database Configuration

    The installation process assumes the following:

    The SQL server/MSDE database is running on the same LAN on which

    SWAT is installed.

  • 8/3/2019 Swat User Guide 4.1.0

    23/148

    16Chapter 3: Pre-Installation

    SWAT User Guide

    The database permits both SQL server and Windows authentication.

    NOTE

    Do not install the MSDE on a computer that already has an SQL server

    installed on it.

    Setting the SQL server and Windows authentication:

    The following instructions refer only to SQL servers. For the MSDE database,

    other instructions are available in the readme file located in the MSDE

    directory on Wise-Mon's FTP site.

    In order to set the SQL server and Windows authentication in the database

    server, perform the following:

    1. Enter the SQL Server Enterprise Manager.

    2. Select the Properties section of the database server.

    3. Select the Security tab.

    4. Select the SQL server and Windows option.

    Figure 3-1: SQL server and Windows authentication

    Checking the database definitions:

    You can check the database definitions by creating an ODBC entry for the database and then verifying that the database is up and that the SQL server user and password are valid.

    3.4 Switch/Router Information & Configuration

    In order to configure the switches/routers, you need to first perform the

    following steps:

    1. Make sure you know all the IP addresses of all the switches.

    TIP

    Switch/router information can be obtained automatically by configuring SWAT to do so in the Management Platforms Connectivity pane of the General Administration form (see General Administration Form on page 32 for more information).

    2. Make sure that the switch is configured to allow SNMP from both the SWAT agent's location and SWAT's central server (if they are not located on the same machine).

    3. Select the method of setting definitions for the switch/switch groups

    (SNMP or SSH) either from the General Administration Form or per each

    switch in the Switch form (see Switch Forms on page 53 for more

    information).

    Chapter 4: Installation

    IN THIS CHAPTER:

    Installing SWAT

    SWAT Directories

    Configuration

    Discovery Agents & Managers

    Key File Creation

    Uninstalling SWAT

    4.1 Installing SWAT

    To install SWAT perform the following:

    1. Open the compressed file and extract the installation files.

    2. Execute the file named Setup.exe.

    The SWAT Installation Wizard opens.

    Figure 4-1: Installation Wizard

    3. Click Next and follow the directions on the screen.

    NOTE

    If you decide to change the default destination folder, make sure the directory does not contain any spaces in the path; otherwise the product might malfunction.

    4. After the Destination Folder screen appears, click Next to begin

    transferring files to the destination folder. When this is done the following

    screen appears:

    Figure 4-2: Database location

    5. In the Database Connection String tab, enter the database you want to

    work with, your user name and password.

    6. In the General tab, enter the required Verbose (Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info) and click Apply.

    Figure 4-3: Installation; Verbose

    7. In the License tab, copy the license from the license file and click Apply.

    (If you do not know your license number, contact Wise-Mon).

    Figure 4-4: Swat license

    NOTE

    The installation process takes 5 to 8 minutes.

    The installation process performs the following operations:

    Copies files into the destination directory tree (see SWAT Directories below).

    Creates the SWAT database and tables in the database server.

    Creates a website for SWAT using Internet Information Services.

    4.2 SWAT Directories

    The following table presents the list of SWAT directories and a brief

    description:

    Directory Description

    [INSTALLDIR] Main directory.

    [INSTALLDIR]\bin Binaries.

    [INSTALLDIR]\bin\SWAT_JOBD SWAT launch scripts.

    [INSTALLDIR]\bin\OS_USER_MANAGEMENT Installation scripts.

    [INSTALLDIR]\bin\EVENT_LOG Enables adding alerts to the event log on the server.

    [INSTALLDIR]\bin\IIS_MANAGMENT Files for installing SWAT's website.

    [INSTALLDIR]\bin\DATABASE_MANAGMENT Scripts that manage the database (e.g., creating the database).

    [INSTALLDIR]\doc Help file.

    [INSTALLDIR]\SwatAgent Agent files, including file for creating a new agent.

    [INSTALLDIR]\SwatManager All manager files, including installation file for creating a new manager.

    [INSTALLDIR]\Data Application data files.

    [INSTALLDIR]\ini Configuration files.

    [INSTALLDIR]\log Log files.

    [INSTALLDIR]\Temp Temporary files.

    [INSTALLDIR]\web Web files.

    4.2.1 Reinstalling SWAT

    Using a new database:

    To use a new database, you need to perform the following steps before

    reinstalling a new version/uninstalling an old version of SWAT:

    1. Open the SQL Server Manager.

    2. Connect to the SWAT database.

    3. Open Management->Current Activities->Process info section in the

    tree.

    4. Right-click the SWAT Process Database column (listed as SWAT).

    5. Select Kill Process.

    6. Open Current Activities and refresh the screen.

    7. From the SWAT database, perform the delete action (not detach).

    8. Uninstall SWAT.

    9. Reinstall SWAT.

    Saving previous databases:

    If you reinstall SWAT and do not want to lose the configuration information

    that was entered in the previous installation, perform the following:

    1. Create a backup of SWAT's database information using the batch file:

    [INSTALLDIR]\bin\DATABASE_MANAGEMENT\DuplicateDB.bat

    This script copies the existing SWAT database into a temporary database

    before the uninstall process.

    NOTE

    Step 1 is possible only if the database is local (on the server).

    For a remote database, you need to manually copy the database using SQL Enterprise Manager as follows:

    a. Open the SQL Server Manager.

    b. Connect to the SWAT database.

    c. Open Databases>SWAT. Right-click All Tasks and select the Backup Database section in the tree.

    d. Select the database backup file on your computer.

    e. Open Databases and right-click All Tasks. Select the Database section in the tree and set the new database's name as SWAT_OLD.

    f. Select the file you saved in step e.

    2. Delete the SWAT database (see Database Configuration on page 15 for

    more information).

    3. Uninstall SWAT from the control panel.

    4. Follow the installation process.

    5. After the installation process is complete, restore the old database using the batch file:

    [INSTALLDIR]\bin\DATABASE_MANAGEMENT\RestoreDB.bat

    This script copies the existing SWAT database from the temporary

    database into the production database.

    4.3 Configuration

    The configuration definitions for SWAT are saved in a file named SWAT.ini

    located in the [INSTALLDIR]/ini directory. In order for changes in the file to

    take effect, the processes of SWAT must be restarted.

    The file format appears below:

    [general]
    ;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
    Verbose=1

    [database]
    dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
    ;dsn=dbi:ODBC:SWAT
    user=sa
    password=sa
    WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no

    ;------------------------------------------------------------
    ;Interface types
    ;regular interfaces see mib description 2-32
    ;Avaya 10/100 (p580,p880) - 62
    ;Giga port - 117
    ;------------------------------------------------------------
    [interface]
    InterfaceTypes=2-32,62,117

    NOTE

    Lines beginning with a semi-colon are ignored.

    4.3.1 General - Verbose Logging

    Detailed logging options are available for troubleshooting and debugging

    purposes.

    [general]
    ;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
    Verbose=1

    These options are defined using the parameter Verbose in the General section. The valid values are 0, 1, and 9:

    0: No logging output is written.

    1: Default value to log (only errors).

    9: Full logging of all actions. Use this value only when you encounter problems with the product and want to collect data about the reason. Do not leave this value for a long period of time, since it increases the log file dramatically.

    NOTE

    There is a log cleanup mechanism that truncates log files that are bigger than

    100 MB.

    It is recommended to leave the verbose set to 1.

    4.3.2 Interface

    InterfaceTypes=2-32, 62, 117

    The Interface section defines the IfTypes of interfaces SWAT monitors.

    IfTypes are extracted from the SNMP interface MIB. Since switches can

    contain both logical and VLAN interfaces, the list under the parameter

    InterfaceTypes identifies only the physical interfaces.

    NOTE

    It is recommended not to change this list without consulting Wise-Mon.
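    The following Python script is an added example, not part of the guide or of SWAT. It parses a SWAT.ini in the format shown in section 4.3, expands the InterfaceTypes notation, and lists settings worth reviewing on a deployed server. The function names, the finding texts, and the treatment of a missing Verbose or InterfaceTypes key as the documented sample value are assumptions.

```python
import re

# Constructed sample: the SWAT.ini layout and sample values printed in section 4.3.
SAMPLE_INI = """\
[general]
;Verbose=0-9 trace & verbose level: 0-no output, 1-error output, 9-debug info
Verbose=1
[database]
dsn=dbi:ODBC:DRIVER=SQL Server;SERVER=(local);database=SWAT
;dsn=dbi:ODBC:SWAT
user=sa
password=sa
WEBdsn=Initial Catalog=SWAT;Data Source=localhost;Trusted_Connection=no
[interface]
InterfaceTypes=2-32,62,117
"""

DOCUMENTED_IFTYPES = "2-32,62,117"  # list shown in the guide's sample file


def parse_swat_ini(text):
    """Return {section: {key: value}}; lines beginning with ';' are ignored."""
    sections, current = {}, None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            # Split on the first '=' only: dsn values contain '=' and ';'.
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
        else:
            raise ValueError(f"line {number}: not a section, key=value or comment: {raw!r}")
    return sections


def expand_interface_types(spec):
    """Expand 'a-b,c' notation (e.g. '2-32,62,117') into a set of ifType numbers."""
    types = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if low > high:
            raise ValueError(f"descending range {part!r}")
        types.update(range(low, high + 1))
    return types


def audit(sections):
    """Return a list of review findings for a parsed SWAT.ini."""
    findings = []
    # Assumption: a missing Verbose key behaves like the documented default, 1.
    verbose = sections.get("general", {}).get("verbose", "1")
    if verbose not in ("0", "1", "9"):
        findings.append(f"Verbose={verbose}: the guide documents only 0, 1 and 9")
    elif verbose == "9":
        findings.append("Verbose=9: full logging is on; the guide recommends 1")

    db = sections.get("database", {})
    user, password = db.get("user", ""), db.get("password", "")
    if user.lower() == "sa":
        findings.append("database user is 'sa', the SQL Server system administrator login")
    if password and password.lower() == user.lower():
        findings.append("database password equals the user name")
    if password:
        findings.append("database password is stored in clear text in SWAT.ini")

    # Assumption: a missing InterfaceTypes key is treated as the documented list.
    configured = expand_interface_types(
        sections.get("interface", {}).get("interfacetypes", DOCUMENTED_IFTYPES))
    documented = expand_interface_types(DOCUMENTED_IFTYPES)
    if configured != documented:
        added = sorted(configured - documented)
        removed = sorted(documented - configured)
        findings.append(f"InterfaceTypes differs from the documented list: +{added} -{removed}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_swat_ini(SAMPLE_INI)):
        print("REVIEW:", finding)
```

    Run against the sample file as printed in the guide, the script reports the three database findings; the Verbose and InterfaceTypes values match the documented ones and produce none.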

    4.4 Discovery Agents & Managers

    SWAT is designed to perform extremely fast discovery cycles; to accomplish

    this task discovery managers and agents are created. SWAT supports the

    creation and distribution of multiple agents and managers. The managers

    communicate with SWAT's logic through the database, and therefore they

    should be located in or near the SWAT server. The agents should be spread in

    the enterprise network, as close as possible to the switches and routers they

    monitor. The best location for an agent in a remote branch is on a regional

    server.

    The discovery agents themselves are designed for speed. They query the

    switches and routers in their responsibility zone simultaneously, in an

    asynchronous way. The communication between the SWAT agents and

    managers is designed to be minimal. To achieve this goal each agent keeps an

    image of its monitored segment, and reports only the changes in the network

    to the center. The changes are relatively minimal.

    Dividing switches/routers between agents:

    Through the SWAT GUI, the administrator determines which agent/manager

    monitors a given switch or router.

    Secured agent and manager communication:

    The agent and manager communication is designed for security; the manager is the originator of the communication. There is an authentication process

    between the agent and manager. The communication between the agent and

    manager is encrypted (based on a shared password used for generating an

    encryption key, which is used to encrypt their communication).

    4.4.1 Default Installation

    SWAT comes in the default installation with a single agent and manager. They are both installed as services on the machine that runs SWAT. The service names are:

    SwatSwitchManager: SWAT manager.

    SwatSwitchAgent: SWAT agent. By default the agent waits for a manager to connect to it on port 54100 with the TCP protocol.

    The parameters used by the agent and manager are taken from the SWAT agent.xml and SWAT manager.xml.

    4.4.2 Creating a New Agent

    In order to create a new agent, copy all the contents of

    [INSTALLDIR]\SwatAgent, including its sub-directories, to the target

    computer. The following directories are copied:

    Agent Directories

    Directory Description

    [INSTALLDIR] Main directory.

    [INSTALLDIR]\bin Binaries.

    [INSTALLDIR]\ini Configuration files.

    [INSTALLDIR]\log Log files.

    [INSTALLDIR]\Temp Temporary files.

    CAUTION

    Do not use the installation SwatAgent and SwatManager folders. Instead, copy them to a new location and then proceed with the installation of the agents and managers.

    Run the script Install.bat located in the [INSTALLDIR]\bin directory.

    The script is designed for Windows platform, although there are agents that can run on non-Windows platforms (UNIX: HPUX, SUN, Linux).

    The script receives two parameters which specify the [INSTALLDIR] and the port on which the agent runs.

    For example: Install c:\Wise-Mon\swat\SwatAgent 54100.

    The script changes the ini files so the agent binds to this port number, and waits for a manager call from there. The script also creates a service named Wise-MonSwatSwitchAgent_agentPort, which is automatically started.

    NOTE

    You need to choose a different port for each agent.

    SwatAgent.xml ini File

    The agent uses the following XML-based ini file. The file contains parameters

    which are relevant to the agent's operations.

    C:\WISE-MON\SWAT\SwatAgent\ini\Swat.xml

    127.0.0.1.54100

    54100

    120

    2

    3

    Parameter Description

    SWATXMLFile Points to SWAT's internal ini file, located in the ini directory as well.

    NOTE

    This parameter should not be changed.

    KeyFile Points to the encryption and authentication key file, used for manager authentication and data encryption.

    nTCPPort Controls the port that the agent binds to. The manager then connects to this port.

    KeepAliveTimeout Notifies the agent that after the defined number of seconds a keep-alive message must be sent to the manager, even if no information is required to be sent.

    nRetry The default value for retry operations when polling the communication devices.

    nTimeout The default value for the time-out of requests sent to the communication devices.

    UnInstall the agent Runs the script UnInstall.bat, located in the [INSTALLDIR]\bin directory. If the script does not receive parameters, it removes the agent service.

    MailSubjectPrefix Added as a prefix to the subject of the emails that SWAT sends.

    4.4.3 Creating a New Manager

    In order to create a new manager, copy all the contents of

    [INSTALLDIR]\SwatManager, including its sub-directories into the target

    computer. The following directories are copied:

    Manager Directories

    Directory Description

    [INSTALLDIR] Main directory.

    [INSTALLDIR]\bin Binaries.

    [INSTALLDIR]\ini Configuration files.

    [INSTALLDIR]\log Log files.

    [INSTALLDIR]\Temp Temporary files.

    4.4.4 Installing the Manager

    To install the manager:

    Run the script: Install.bat located in the [INSTALLDIR]\bin directory. The script is designed for Windows platform. The script receives two parameters which specify the [INSTALLDIR] and the manager ID assigned to the manager. For example:

    Install C:\WISE-MON\SWAT\SwatManager 1

    The script changes the ini files so the manager has the given manager ID. The script also creates a service named SwatSwitchManger_managerid, which is automatically started.

    Agent SwatManager.xml ini File

    The managers use the following XML-based ini file. The file contains the following parameters that are relevant to the manager's operations.

    C:\WISE-MON\SWAT\SwatManager\ini\Swat.xml

    1

    300

    180

    180

    Parameter Description

    SWATXMLFile Points to SWAT's internal ini file, also located in the INI directory.

    NOTE

    This parameter should not be changed.

    ManagerID Specifies the manager ID assigned to the given manager. When adding a new router/switch, one of the parameters is the number of the manager assigned to the given switch.

    ReloadSwitchListTimeout The switch and router definitions under the responsibility of this manager can be changed due to user additions/deletions or renewed discovery of the switches' and routers' configuration. This parameter instructs the manager to reload these definitions every given period (in seconds). If a change is discovered, which is relevant to a given agent, the configuration is resent to the agent.

    ConnectionTimeout Instructs the manager to send an alert to the operator if an agent did not respond in the given time-out (in seconds).

    ReplyTimeout Specifies the time-out value for retrying to reconnect to an agent that was previously unavailable.

    Uninstalling the Manager

    Run the script: UnInstall.bat located in the [INSTALLDIR]\bin directory. If the script does not receive parameters, it removes the manager service.

    4.5 Key File Creation

    The key file is an encrypted file containing data used for authenticating the

    conversation partners and for encrypting the data that passes on that

    conversation. Each session between a manager and agent should have a key

    file that exists on both sides. The key files in the manager are named after the IP address and the port number of the given agent, using the convention:

    IP_address.port_number. For example, for an agent sitting on a station

    with an IP: 10.0.1.150 binding to port 54100 the file is named

    10.0.1.150.54100. In the agent's ini file, there is a key that specifies the name

    of the key file used by the agent.

    4.5.1 Generating a Key File

    As mentioned before, each session between an agent and manager should have

    a key file. The same key file can be used on more than one session; however,

    this is less secure.

    To generate a key file:

    1. Create a clear text key file, and put a password in it.

    2. Run the executable: [INSTALLDIR]\bin\encryptfile.exe clr_file_name encrypted_file_name where:

    clr_file_name is the full path to the clear text key file.

    encrypted_file_name is the full path to the encrypted key file generated.

    The encrypted file generated should be copied to the manager's [INSTALLDIR]\ini\ directory with the name specified.

    The encrypted file generated should also be copied to the agent's [INSTALLDIR]\ini\ directory and pointed to by the SwatAgent.xml KeyFile tag.
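    The guide notes that reusing one key file for several manager-agent sessions is less secure. The following Python script is an added example, not part of the guide or of SWAT: it scans a manager's ini directory for key files named by the IP_address.port_number convention and reports agents whose key files are byte-identical. The function names are assumptions, and the check detects only copies of the same encrypted file; it does not inspect what encryptfile.exe produces.

```python
import hashlib
import ipaddress
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Manager-side key files are named IP_address.port_number, e.g. 10.0.1.150.54100.
KEY_NAME = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})")


def parse_key_name(name):
    """Return (ip, port) if name follows the IP_address.port_number convention, else None."""
    match = KEY_NAME.fullmatch(name)
    if not match:
        return None
    try:
        ip = ipaddress.IPv4Address(match.group(1))
    except ValueError:
        return None  # octet out of range, so not an agent address
    port = int(match.group(2))
    if not 1 <= port <= 65535:
        return None
    return str(ip), port


def find_shared_keys(ini_dir):
    """Return groups of agent endpoints whose key files have identical content."""
    by_digest = defaultdict(list)
    for path in sorted(Path(ini_dir).iterdir()):
        endpoint = parse_key_name(path.name) if path.is_file() else None
        if endpoint is None:
            continue  # other ini files (for example the XML ini files) are skipped
        # Compare digests so key material is never printed or held as text.
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        by_digest[digest].append(endpoint)
    return [sorted(endpoints) for endpoints in by_digest.values() if len(endpoints) > 1]


if __name__ == "__main__":
    # Constructed demo directory: three agents, two of which received the same key file.
    with tempfile.TemporaryDirectory() as demo:
        root = Path(demo)
        (root / "10.0.1.150.54100").write_bytes(b"constructed-key-A")
        (root / "10.0.2.20.54100").write_bytes(b"constructed-key-A")
        (root / "10.0.3.7.54101").write_bytes(b"constructed-key-B")
        (root / "SwatManager.xml").write_text("<placeholder/>")
        for group in find_shared_keys(root):
            agents = ", ".join(f"{ip}:{port}" for ip, port in group)
            print("key file shared by agents:", agents)
```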

    4.6 Uninstalling SWAT

    To uninstall SWAT:

    1. Open Start > Settings > Control Panel.

    2. Open Add/Remove Programs.

    3. Select Wise-Mon Technologies - SWAT.

    4. Click Remove.

    After uninstalling SWAT, remove the SWAT database from the database

    server you created (using the database tools).

    NOTE

    The uninstall package does not remove newly created files. To

    remove these you need to delete the SWAT directory.

    Chapter 5: Administration

    IN THIS CHAPTER:

    Administration Menu

    General Administration Form

    SWAT Users

    Alert Types

    5.1 Administration Menu

    The Administration menu lets you set up the default settings and attributes for SWAT.

    Figure 5-1: Administration menu

    The Administration menu includes the following options:

    Option Description

    General Opens the General Administration form, for you to enter various parameter definitions. See General Administration Form on page 32 for more information.

    SWAT Users Determines the groups to be recognized by SWAT. See SWAT Users on page 38 for more information.

    Alert Types Displays the list of available alerts. See Alert Types on page 40 for more information.

    5.2 General Administration Form

    Select General from the Administration menu to open the General

    Administration form:

    Figure 5-2: General Administration form

    Use the General Administration form to define the following various general

    parameters according to which you want SWAT to perform:

    Mail Pane

    Use To

    Administration Mail Enter the email address to which you want the warnings to be sent.

    NOTE

    Separate multiple addresses with a comma.

    Mail Server IP Enter the IP address of the mail server.

    TIP

    You can also enter the name of the server.

    Default Operations Settings Pane

    Use To

    Run Mode Select the required run mode from the drop-down list. The run mode is the action SWAT performs when a computer connects to the network via an open port (see Run Modes on page 10 for further details).

    Permission Select the permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    VLAN Number Enter the required VLAN number when using Move to VLAN run mode.

    Switch Check Frequency (minutes) Enter the required interval in minutes between each cycle of discovery, i.e., the process of detecting new MAC addresses in the network. (This information is used by the agents.)

    Disconnect Time (minutes) The amount of time SWAT leaves a port disconnected after an unauthorized intrusion.

    NOTE

    The value zero causes a disconnection for an unlimited amount of time.

    Unmanage Multi-MAC Interface Select Yes or No. When this attribute is set to Yes, ports with multiple addresses connected to them are unmanaged and SWAT is not responsible for them.

    Ignore Unknown MAC Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.

    Disconnect Multi-MAC Interface Select Yes or No. When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

    NOTE

    MAC addresses disconnected in this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.

    Check Spoofing on Multi-MAC Interface Select Yes to activate the spoofing check on multi-MAC interfaces. The default setting is No.

    Port Settings Application Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).

    Agent IP Enter the IP address of the agent that monitors the group.

    Agent Port Enter the port number of the agent that monitors the group.

    Manager ID Enter the ID of the manager that is responsible for monitoring the given group.

    Default Telnet Parameters Pane

    Use To

    Telnet/SSH user Enter the Telnet/SSH user name.

    NOTE

    When Telnet connection parameters are provided, SNMP is no longer used to change settings on a switch; instead, a Telnet script is executed.

    Telnet/SSH Password Enter the Telnet/SSH password.

    Telnet Enable Password Enter the Telnet script for enabling the password.

    Default Communities

    Use To

    Get Community Enter Get SNMP community for routers and switches.

    Set Community Enter Set SNMP community for routers and switches.

    NOTE

    If no value is provided, the Get Community is taken as default.

    SWAT Run Parameters Pane

    Use To

    Verbose Enter the detailing level of the log (0, 1, 9).

    License Enter the license number.

    License Information View the detailed license information.

    Management Platform Connectivity Pane

    Use To

    Management Platform Select the management platform (installed on the same computer as SWAT) from the drop-down list. If you have a management platform for your network, SWAT can elicit information from it, including the list of switches and routers in the network and the MAC addresses discovered by the platform.

    NOTE

    This feature is not included with the default installation of the product.

    Management Platform ODBC Create an ODBC connection to the platform's server on SWAT's server.

    Management Platform DB User Enter the user name of the management platform database.

    Management Platform DB Password Enter the password of the management platform database.

    Load from Management Platform Load the switch/MAC address from the management platform.

    Use To

    Save the changes made to the General form.

    Clear the General form without saving any changes.

    5.2.1 Run Modes

    The various run modes enable you to execute the following commands:

    Run Mode Description

    Learn Newly discovered MAC addresses are automatically set as valid and authorized for accessing the whole network. Known addresses' permissions are left unchanged, yet port data is updated. This run mode is suitable for enterprises that just installed SWAT and want to build their device repository. SWAT also supports an option to load all the valid devices in the organization from an external source.

    Learn and Lock for Group Connecting MAC addresses receive authorization only for the defined group of switches to which they are connected.

    Learn and Lock for Switch Connecting MAC addresses receive authorization only for all ports on the switch to which they are connected.

    Learn and Lock for Port Connecting MAC addresses receive authorization only for the port to which they are connected.

    Learn Once and Warn Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Warn mode.

    Learn Once and Disconnect Connecting MAC addresses are automatically set as valid and authorized for the whole network. The port to which they are connected changes to Disconnect mode.

    Warn (mail) A warning is sent by email or written to an event log when unidentified or unauthorized MAC addresses have been discovered as connected to the network via an open port. The unidentified MAC addresses are then blacklisted.

    Disconnect When unidentified or unauthorized MAC addresses try to connect via an open port, the port is automatically locked and the foreign computer is disconnected for a predefined amount of time. If the MAC address discovered is unknown, unidentified MAC addresses are blacklisted.

    Move to VLAN When new stations try to connect, they are physically moved to a VLAN and automatically disabled/enabled. This run mode enables enhanced network quarantine capabilities: stations receive new permissions in accordance with the VLAN to which they are moved. Furthermore, stations that receive a new dynamic IP address are discovered by SWAT.

    5.3 SWAT Users

    Select SWAT Users from the Administration menu to open the SWAT Users

    screen as follows:

    Figure 5-3: SWAT Users screen

    Use this screen to define the groups you want recognized by SWAT and

    determine their permissions.

    SWAT Groups Pane

    Use To

    SWAT Admin (drop-down list box) Select the required group for the selected permission scope.

    Delete a group from the defined user groups.

    Group Permission Scope Pane

    This pane determines the permission scope of the defined SWAT groups.

    Group Permission

    Administrator User Overall permission (administration, operators, reports and device manager).

    Operator User Permission to manage the MAC addresses (see Operations Menu on page 98).

    Report User Permission to manage the reports (see Reports Menu on page 76).

    Device Manager User Permission to change definitions for given ports on specific switches (see Network Configuration on page 42).

    Computer Groups Pane

    Use To

    Select Group (drop-down list box) Display the defined groups on the SWAT server, excluding those that are defined for the given permission scope.

    Add a new group to the defined user groups.

    Use To

    Save the changes made to the groups added.

    NOTE

    The Update button is enabled only for groups added by users.

    5.4 Alert Types

    Select Alert Types from the Administration menu to view the full list of the various alerts provided by SWAT:

    Figure 5-4: Alert Types screen

    Field Description

    Alert Type Displays the list of alerts (see Alert Type List below for the full list of alerts and their description).

    Alert Description Presents a brief description of the various types of alerts.

    Send Mail When selected, receives mail in case of an alert.

    Event Log When selected, writes the alert to an event log.

    Severity Determines the severity of the alert. Select from the following available options:

    Info

    Warning

    Error

    Saves the changes.

    Refreshes the Alert Types list.

    5.4.1 Alert Type List

    Alert Description

    Agent Reconnect The agent reconnects to the manager after the server is down.

    Agent Time Out The agent is not responding.

    SNMP Problem in Device The device is experiencing SNMP problems.

    External Intruder Detected An unauthorized station is detected.

    New MAC Address A new MAC address was found.

    New Uplink Found The port is defined as uplink.

    Port Disable Failed The attempt to disable the port failed.

    Port Enable Failed The attempt to enable the port failed.

    Router Down The router is not responding to SNMP.

    Service Down The service is not responding.

    Switched Changed The type of switch has changed.

    Switch Down The switch is not responding to SNMP.

    Unauthorized Connection Detected A station with the given MAC address is not permitted in a specified location.

    Virus Found A virus was found by the antivirus system (see Antivirus Support on page 113 for further information).

    Chapter 6: Network Configuration

    IN THIS CHAPTER:

    Network Configuration Menu

    Switch Groups

    Switches

    Switch Ports

    Routers

    Site Configuration

    6.1 Network Configuration Menu

    The Network Configuration menu lets you set up the network structure and permission settings of switch groups, switches, switch ports, routers and the organizational site structure.

    Figure 6-1: Network Configuration menu

    The Network Configuration menu includes the following options:

    Option Description

    Switch Groups Defines a certain group of switches. See Switch Groups on page 43 for more information.

    Switches Filters by switches. See Switches on page 49 for more information.

    Switch Ports Filters by switch ports. See Switch Ports on page 58 for more information.

    Routers Filters by routers. See Routers on page 66 for more information.

    Site Configuration Opens the Site Configuration screen, allowing you to link your physical network structure to your organization's physical structure. See Site Configuration on page 71 for more information.

    6.2 Switch Groups

    Select Switch Groups from the Network Configuration menu to open the Switch Group screen.

    Figure 6-2: Switch Groups screen

    Use this screen to provide a unifying name to a certain group of switches.

    Switch Group Filtering Pane

    Use To

    Group Name Enter the name of the defined group of switches.

    Group Description Provide a description of the group of switches.

    Run Mode Select the run mode of the group. See Run Modes on page 36 for more information.

    Permission Select the permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Manager ID Enter the ID of the manager that is responsible for monitoring the given group.

    Agent IP Enter the IP address of the agent that monitors the group.

    Agent Port Enter the port number of the agent that monitors the group.

    Check Frequency Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.

    Disconnect Time Enter the required number of minutes for which a port is closed when a disconnection is warranted.

    Filter according to the IP address entered for the switch.

    Clear the filtering pane (not the results).

    Add New Group Pane

    Use To

    Group Name Enter the name of the defined group of switches.

    Group Description Provide a description of the group of switches.

    Add a new group of switches.

    Switch Groups Filtered Results

    After clicking the Filter button, the following switch group parameters are displayed:

    Parameter Description

    Group Name The name of the defined group of switches.

    Group Description The user's description for the group of switches.

    Run Mode The run mode of the switch. See Run Modes on page 36 for more information.

    Permission The permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Opens the Switch Group List for you to update the current list of defined groups.

    Opens the Switch Group Form, for setting all the attributes of the group of switches.

    Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.

    Deletes selected switches.

    Exports results to Excel.

    6.2.1 Switch Group List

    Use the Switch Group list to enforce a certain run mode on a defined group of switches.

    Figure 6-3: Switch group list

    Select the required switches and click Apply.

    6.2.2 Switch Group Form

    Use the Switch Group form to provide the operational and permission information of the selected group of switches. The form displays both attributes and inherited values.

    Figure 6-4: Switch Group form

    Field Description

    Group Name The name of the defined group of switches.

    Group Description The user's description for the group of switches.

    Administration Mail The email address to which warnings are sent.

    NOTE

    Separate multiple addresses with a comma.

    Run Mode The run mode of the group. See Run Modes on page 36 for more information.

    Permission The permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    VLAN Number The number of the defined VLAN.

    Manager ID The manager ID that handles the group.

    Agent IP The IP address of the agent that polls the group.

    Agent Port The port number of the agent that polls the group.

    Group Check Frequency (minutes) Polling frequency in minutes.

    Disconnect Time (minutes) The time the switch port remains disconnected in minutes.

    Unmanage Multi-MAC Interface When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.

    Ignore Unknown MAC Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.

    Disconnect Multi-MAC Interface When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

    NOTE

    MAC addresses that are disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)

    SNMP Port The port number for SNMP communication. The default port number is 162; for any other port, enter a value.

    Get Community Get SNMP community for the switch.

    Set Community Set SNMP community for the switch. If none is given then Get Community is taken as default.

    Telnet/SSH User The Telnet/SSH user name.

    Telnet/SSH Password The Telnet/SSH password.

    Telnet Enable Password The Telnet script for enabling the password.

    Port Settings Application Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).

    Saves the changes made to the Switch Group form.

    Closes the Switch Group form without saving any changes.

    6.3 Switches

    Select Switches from the Network Configuration menu to open the Switches screen and define your required switch-related filtering parameters.

    Figure 6-5: Switches screen

    Switch Filtering Pane

    Use To

    Switch Name Enter the required switch name.

    NOTE

    You can use wildcards such as (%) or (*) for the switch name.

    Switch IP Enter the required switch IP address.

    Switch Group Add the new switch to the selected switch group.

    Run Mode Select the run mode of the switch. See Run Modes on page 36 for more information.

    Permission Select the permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Manager ID Enter the ID of the manager that is responsible for monitoring the given switch.

    Agent IP Enter the IP address of the agent that monitors the switch.

    Agent Port Enter the port number of the agent that monitors the switch.

    Check Frequency Enter the required interval in minutes between each cycle of discovery, i.e., the process of identifying new MAC addresses in the network. This information is used by the agents.

    Disconnect Time Enter the required number of minutes for which a port is closed when a disconnection is warranted.

    Filter according to the IP address entered for the switch.

    Clear the filtering pane (not the results).

    Add New Switch Pane

    Use To

    Switch IP Enter the IP address of the new switch.

    Switch Name Enter the switch name.

    Get Community Default GET SNMP community for routers and switches.

    Switch Group Add the new switch to the selected switch group.

    Run Mode Select the run mode of the new switch. See Run Modes on page 36 for more information.

    Permission Select the permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Add a new switch.

    Add the switch and open the Switch Form screen. For more information see Switch Forms below.

    6.3.1 Switch Filtered Results

    After clicking the Filter button, the following switch parameters are displayed:

    Parameter Description

    Switch Name The switch name.

    Switch IP The switch IP address.

    Switch VLAN(s) The switch number.

    Switch Group The switch group.

    SysDescription The description value taken from the switch.

    Last Automatic Check Date The timestamp of the last MAC address discovery.

    Run Mode The run mode of the switch. See Run Modes on page 36 for more information.

    Permission The permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Loads the Switch List file. For more information see Switch List File on page 117.

    Loads the ports of the selected switches.

    Loads the MAC addresses of the selected switches.

    Opens the Switch Forms, for setting all the attributes of the switch.

    Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.

    Deletes selected switches.

    Exports results to Excel.

    6.3.2 Switch Forms

    Use the switch form to provide the operational and permission information of the selected switch. The switch form displays both attributes and inherited values.

    Switch Form: Single Switch

    When a single switch is selected the following switch form is displayed:

    Figure 6-6: Switch form, one switch selected

    Field Description

    Switch Name The name of the switch.

    Switch IP The IP address of the switch.

    Group IP The IP address of the switch group.

    Switch SysName The system name of the switch.

    Switch SysDescription The information found in the switch SysDescription field.

    Switch SysObjectID The system object ID of the switch.

    Switch Last Automatic Check Time The last discovery time of the switch.

    Administration Mail The email address to which warnings are sent.

    NOTE

    Separate multiple addresses with a comma.

    Run Mode The run mode of the switch. See Run Modes on page 36 for more information.

    Permission The permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    VLAN Number The number of the VLAN.

    Manager ID The manager ID that handles the switch.

    Agent IP The IP address of the agent that polls the switch.

    Agent Port The port number of the agent that polls the switch.

    Switch Check Frequency (minutes) Polling frequency in minutes.

    Disconnect Time (minutes) The time the switch port remains disconnected in minutes.

    Unmanage Multi-MAC Interface When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.

    Ignore Unknown MAC Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.

    Disconnect Multi-MAC Interface When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

    NOTE

    MAC addresses disconnected this way are not blacklisted. (This feature is used to prevent insertion of hubs into the organization's network.)

    SNMP Port The port number for SNMP communication. The default port number is 162; for any other port, enter a value.

    Get Community Get SNMP community for the switch.

    Set Community Set SNMP community for the switch. If none is given then Get Community is taken as default.

    Telnet/SSH User The Telnet/SSH user name.

    Telnet/SSH Password The Telnet/SSH password.

    Telnet Enable Password The Telnet script for enabling the password.

    Port Settings Application Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).

    Saves the changes made to the switch form.

    Closes the Switch form without saving any changes.

    Switch Form: Multiple Switches

    When multiple switches are selected the following switch form is displayed:

    Figure 6-7: Switch form, multiple switches selected

    Field Description

    Administration Mail The email address to which warnings are sent.

    NOTE

    Separate multiple addresses with a comma.

    Run Mode The run mode of the switch. See Run Modes on page 36 for more information.

    Permission The permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Switch Group The switch group.

    Manager ID The manager ID that handles the switch.

    Agent IP The IP address of the agent that polls the switch.

    Agent Port The port number of the agent that polls the switch.

    Switch Check Frequency (minutes) Polling frequency in minutes.

    Disconnect Time (minutes) The time the switch port remains disconnected in minutes.

    Unmanage Multi-MAC Interface When this attribute is set to Yes, ports with multiple MAC addresses connected to them are unmanaged, i.e., SWAT is not responsible for them.

    Ignore Unknown MAC Select Yes or No. When No is selected: after receiving a specified detailed trap, which SWAT could not locate, the MAC address is disconnected immediately.

    Disconnect Multi-MAC Interface When this attribute is set to Yes, ports with multiple MAC addresses connected to them are automatically disconnected. This attribute is not affected by the current run mode.

    NOTE

    MAC addresses disconnected this way are not blacklisted. This feature is used to prevent insertion of hubs into the organization's network.

    SNMP Port The port number for SNMP communication. The default port number is 162; for any other port, enter a value.

    Get Community Get SNMP community for the switch.

    Set Community Set SNMP community for the switch. If none is given then Get Community is taken as default.

    Telnet/SSH User The Telnet/SSH user name.

    Telnet/SSH Password The Telnet/SSH password.

    Telnet Enable Password The Telnet script for enabling the password.

    Port Settings Application Configures the port through SNMP, Telnet or SSH (see Switch List File on page 117).

    Saves the changes made to the switch form.

    Closes the switch form without saving any changes.

    6.4 Switch Ports

    Select Switch Ports from the Network Configuration menu to open the Switch Ports screen and define your required switch port-related filtering parameters:

    Figure 6-8: Switch Ports screen

    Port Filtering Pane

    Use To

    Switch Name Enter the name of the switch.

    Switch IP Enter the IP address of the switch.

    Switch Group Add the new switch to the selected switch group.

    Slot Enter the switch slot number in which the port is located.

    Port Enter the port number on a given slot.

    State Select the current state of the port: Enable, Disable, Unmanaged, or Uplink. See States below for more details.

    Run Mode Select the run mode of the switch port. See Run Modes on page 36 for more information.

    Permission Enter the permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Port Status Select the port's status: connected or no link.

    VLAN(s) Enter the required VLAN.

    Filter the switch ports according to the IP address entered in the Switch Port IP field.

    Clear the filtering pane (not the results).

    6.4.1 States

    The following states exist:

    Enable: the port in the switch is open.

    Disable: the port in the switch is closed.

    Unmanaged: the port is not managed by SWAT.

    Uplink: the port is connected to a different switch.

    Ports that connect switches are never disconnected. If a new MAC address is discovered on an uplink port, an alert is also sent in Disconnect mode.

    NOTE

    SWAT automatically identifies uplinks, provided the switches are defined through the system.
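
    The permission scopes from the Permission field and the port states above can be read as one decision per MAC address sighting. The Python below is an added example, not SWAT code. Its assumptions are the Location field names, the disconnect_mode flag (standing in for a disconnecting run mode; see Run Modes on page 36), and the mapping of outcomes to the New MAC Address and Unauthorized Connection Detected alerts.

```python
from dataclasses import dataclass

# Permission scopes exactly as named in the guide's Permission field.
SCOPES = ("All", "Lock for group", "Lock for switch",
          "Lock for port", "Lock for VLAN")


@dataclass(frozen=True)
class Location:
    """Where a MAC address is seen (field names are this example's own)."""
    group: str
    switch: str
    port: str   # "slot/port"
    vlan: int


def in_scope(permission, home, seen):
    """True if a MAC whose permission was set at `home` may appear at `seen`."""
    if permission not in SCOPES:
        raise ValueError(f"unknown permission: {permission!r}")
    if permission == "All":
        return True
    if permission == "Lock for group":
        return seen.group == home.group
    if permission == "Lock for switch":
        return seen.switch == home.switch
    if permission == "Lock for port":
        return (seen.switch, seen.port) == (home.switch, home.port)
    return seen.vlan == home.vlan   # "Lock for VLAN"


def evaluate(mac, seen, port_state, known, disconnect_mode):
    """Return (alert, action) for one MAC sighting.

    known maps a lower-case MAC to (permission, home Location).
    port_state is one of the guide's states: Enable, Disable, Unmanaged, Uplink.
    disconnect_mode is an assumed stand-in for a disconnecting run mode.
    """
    if port_state == "Unmanaged":
        return (None, "none")        # the port is not managed by SWAT
    mac = mac.lower()
    if mac not in known:
        alert = "New MAC Address"
    else:
        permission, home = known[mac]
        if in_scope(permission, home, seen):
            return (None, "none")
        alert = "Unauthorized Connection Detected"
    # Only an open (Enable) port is closed; uplink ports are never
    # disconnected, so an uplink sighting produces the alert alone.
    if disconnect_mode and port_state == "Enable":
        return (alert, "disconnect port")
    return (alert, "alert only")


# Constructed sample data (not taken from a real network).
HOME = Location("Floor-2", "sw-f2-01", "1/12", 20)
KNOWN = {"00:11:22:33:44:55": ("Lock for switch", HOME)}


def demo():
    same_switch = Location("Floor-2", "sw-f2-01", "1/30", 20)
    other_switch = Location("Floor-2", "sw-f2-02", "1/3", 20)
    return [
        evaluate("00:11:22:33:44:55", same_switch, "Enable", KNOWN, True),
        evaluate("00:11:22:33:44:55", other_switch, "Enable", KNOWN, True),
        evaluate("00:11:22:33:44:55", other_switch, "Enable", KNOWN, False),
        evaluate("AA:BB:CC:DD:EE:FF", other_switch, "Uplink", KNOWN, True),
        evaluate("AA:BB:CC:DD:EE:FF", other_switch, "Unmanaged", KNOWN, True),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
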

    6.4.2 Switch Port Filtered Results

    After clicking the Filter button, the following switch port parameters are displayed:

    Parameter Description

    Port Status The status of the port.

    Switch Name The name of the switch.

    Switch IP The IP address of the switch.

    Slot The switch slot number in which the port is located.

    Port The port's serial number.

    If Index The serial number of the switch port in the switch.

    Port State Shows the current state of the switch port: Enable, Disable, Unmanaged, or Uplink. See States on page 59 for more details.

    VLAN(s) The number of VLANs.

    Run Mode The run mode of the switch. See Run Modes on page 36 for more information.

    Permission The permission you want to give to connecting computers:

    All: no restriction.

    Lock for group: restricted to a defined group.

    Lock for switch: restricted to a defined switch.

    Lock for port: restricted to a defined port.

    Lock for VLAN: restricted to a defined VLAN.

    NOTE

    Permission is relevant only when the run mode is of the Learn group.

    Opens the drop-down list box, enabling you to select the required state of the switch port: Enable, Disable, Uplink or Unmanage.

    Sets the selected state.

    Edits the MAC address permissions for the selected switches and sets them according to the selected permission. See MAC Address Permission Filtering on page 107 for more information.

    Opens the Switch Port Forms (see below).

    Opens the VLAN Number dialog box for you to set the filtered interfaces' VLANs.

    Deletes the selected switch ports.

    Exports results to Excel.

    Go Defines the number of lines displayed per page in the filtered results.

    6.4.3 Switch Port Forms

    The switch port form includes informational parameters and attributes that determine its security mode. Most of the parameters are inheritable.

    Switch Port Form: Single Switch Port

    When a single switch port is selected the following switch port form is displayed:

    Figure 6-9:

    Figure 6-10: Switch Port form, one switch port selected

    Field Description

    Switch Name The name of the sw