339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043
www.airtightnetworks.net
Network Detector Setup
and Configuration
Technical Brief: Configuring Network Detector Scope
It is common practice to partition networks into Virtual LANs (VLANs), which eases management and allows for segregation and security within a corporation. To monitor these networks for intrusion prevention and security, a security device needs a presence on each network segment (VLAN) in order to have the visibility to accurately categorize devices and potential threats. In networks with a large number of VLANs, the management effort and the cost of providing this functionality can increase quickly.
AirTight Networks has taken an approach that minimizes network hardware, cost and overhead by creating the concept of Network Detector. Network Detector is an AirTight Networks sensor configured in a special mode that supports 802.1Q trunking, giving it visibility into multiple wired networks simultaneously. VLAN or managed switches use the open-standard 802.1Q encapsulation technique to carry multiple data VLANs over a single physical port. This mode allows for a decreased number of sensors, a decreased number of switch ports, and visibility of multiple subnets on a single port.
Typically you would need a sensor per subnet to have visibility into the wired network in order to deterministically categorize Access Points (as rogue, external, authorized, or mis-configured). In a network with a large number of VLANs, this creates additional management and expense. It might look something like this:
[Figure: Catalyst 3750 series switch. VLANs: Wireless, Wired Sales, Wired Marketing, Wired Engineering]
Configuration
There are three modes of operation for Sensors: Sensor mode (single VLAN and wireless visibility), Sensor/Network Detector Combo mode (up to 4 VLANs monitored and wireless visibility), and Network Detector mode (up to 32 VLANs monitored and no wireless visibility). You should choose the mode that best suits your environment. Both Combo and Network Detector modes are configured in the same manner, so you can use the sample configuration for either.
Best Practices: Architecture
AirTight Networks' sensor has three modes that provide the following coverage options:
1. Sensor Only: RF Monitoring: [ON]; VLAN Monitoring: [OFF]; VLAN Detection: [OFF]
2. Sensor/ND Combo: RF Monitoring: [ON]; VLAN Monitoring: [Up to 4 VLANs]; VLAN Detection: [Up to 16 VLANs]
3. Network Detector (ND): RF Monitoring: [OFF]; VLAN Monitoring: [Up to 32 VLANs]; VLAN Detection: [Up to 64 VLANs]
These three modes allow for many different deployment scenarios based on the architecture of the network. Here are a few possible examples for deployment.
[Figure: Catalyst 3750 series switch. VLANs: Wireless, Wired Sales, Wired Marketing, Wired Engineering]
However, Network Detector can greatly decrease the number of physical sensors deployed, for example:
Scenario 1 Small enterprise:
Our small enterprise consists of one floor that requires approximately 3 sensors per floor. The enterprise has 9 VLANs (one wireless) which need to be monitored, as they are physically accessible.
Example: Deploy the 3 sensors in Sensor/ND Combo mode, and tag different VLANs to each of the 3 sensors (i.e. Sensor 1 VLANs 1-3, Sensor 2 VLANs 4-6, Sensor 3 VLANs 7-9). This allows for full visibility of the VLANs as well as air coverage for the entire building.
Scenario 2 large enterprise:
Our large enterprise consists of 7 floors that require approximately 3 sensors per floor. The enterprise has 96 VLANs (4 wireless) which need to be monitored, as they are physically accessible. (1 floor pictured with 2 network switches and one Network Detector x 32 VLANs)
Example: Deploy the 21 sensors in Sensor only mode across the 4 wireless VLANs. Using 3 more sensors in Network Detector mode, deploy these in the aggregation or core layer of the network (wherever the VLANs collapse) to monitor the remaining 92 VLANs.
Scenario 3 Enterprise with Remote Offices
The remote-office scenario is a combination of one of the previous two scenarios with the remote office piece added.
Example 1: If the remote office is a single VLAN, just adding the required number of sensors in Sensor only mode to that VLAN will provide protection.
Example 2: If the remote office has 3 VLANs that need to be monitored and 3 sensors are being deployed for coverage of that office, a sensor in Sensor only mode can be added to each of the 3 VLANs, and full coverage will be provided.
Example 3: If there are more VLANs than sensors, the sensors can be configured in Sensor/ND Combo mode, which allows for up to 4 VLANs per sensor. So if there were 8 VLANs and 3 sensors being deployed for air coverage, configuring these in Combo mode and tagging the VLANs to them would provide complete coverage.
Configuration Commands:
A standard AirTight Networks Sensor can be easily configured for Network Detector mode. It is done via the command line interface, and merely changes the Sensor's identity. To change the sensor to Network Detector, follow these steps:
Plug the sensor in using the AC power source or an Ethernet cable with 802.3af power available. Connect a straight-through DB9 console cable to the DB9 port on the sensor. Using your choice of serial application (HyperTerminal, SecureCRT, TeraTerm, etc.), make sure your settings are 9600, 8, none, 1.
Watching the sensor boot up, at the login prompt enter the user name “config” and the password “config.” To access a list of menu options, type “help” and hit the return key. The first command to enter is “get mode.” After entering this command you will see the following:
[config]$ get mode
Displays the Sensor mode.
Mode: [Sensor only]
VLAN Monitoring: [OFF]
VLAN Detection: [OFF]
RF Monitoring: [ON]
This shows the current operating mode. To change this you will type “set mode” and you will see the following:
[config]$ set mode
Sets the Sensor mode.
Select Sensor Mode. This command requires reboot.
1. Sensor Only: RF Monitoring: [ON]
   VLAN Monitoring: [OFF] VLAN Detection: [OFF]
2. Sensor/ND Combo: RF Monitoring: [ON]
   VLAN Monitoring: [Up to 4 VLANs] VLAN Detection: [Up to 16 VLANs]
3. Network Detector (ND): RF Monitoring: [OFF]
   VLAN Monitoring: [Up to 32 VLANs] VLAN Detection: [Up to 64 VLANs]
4. Quit
?
Select the mode you would like to use and hit return and you will see this:
? 2
Sensor Mode: [Sensor/ND Combo] RF Monitoring: [ON]
VLAN Monitoring: [Up to 4 VLANs] VLAN Detection: [Up to 16 VLANs]
Confirm mode settings to save and reboot Sensor.
If you select n, exit without saving. Confirm? ([y]/n):
Type “y” and hit return. The sensor will reboot and you will see the following:
y
Rebooting Sensor...
+Ethernet eth0: MAC address 00:11:74:00:03:d8
IP: 0.0.0.0/255.255.255.0, Gateway: 0.0.0.0
Default server: 0.0.0.0, DNS server IP: 0.0.0.0
RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 12:21:54, Apr 21 2004
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.
Once the system has rebooted you will be at the login prompt. Enter your credentials, and type the command “get mode” to verify that it is running the mode you have selected:
[config]$ get mode
Displays the Sensor mode.
Mode: [Sensor/ND Combo]
VLAN Monitoring: [Up to 4 VLANs] VLAN Detection: [Up to 16 VLANs] RF Monitoring: [ON]
[config]$
When using Combo or Network Detector modes, the sensor will discover the VLANs that are available on the port. When configuring the switch port that you are attaching the Network Detector to, it is very important that you prune the VLANs. It is a best practice to have no more than 4 VLANs on a port for Combo mode, and no more than 32 on a port for Network Detector. When using Combo or Network Detector modes, the sensor by default will use an untagged VLAN to connect to the server. If the untagged VLAN is not switched or routed to the server, you will need to configure one of the tagged VLANs to reach the server. There are two steps to configure this: the first is to configure a VLAN ID, as well as DHCP or static addressing for that VLAN, by typing the command “set VLAN config”:
[config]$ set vlan config
Configures the monitoring information for all VLANs in Network Detector (ND) or Sensor/ND Combo mode.
Mode: [Sensor/ND Combo]
VLAN Monitoring: [Up to 4 VLANs] VLAN Detection: [Up to 16 VLANs] RF Monitoring: [ON]
VLANs:
Fetching VLAN table. Please wait up to 30 seconds...
VLAN for Communication with Server : Untagged VLAN
==============================================================================
VLAN_ID    Mon?   Discovered?   Type     IP Address/Mask
==============================================================================
Untagged   Yes    Yes           static   192.168.1.245/255.255.255.0
10         Yes    No            dhcp
==============================================================================
Sensor_Status
Not Connected
Type “y” to modify the table, and it will then prompt you to input the VLAN ID you wish to modify. Type the VLAN ID you wish to use. Change the VLAN monitoring to “on” and then set the IP address to either DHCP or STATIC (if set to static you will have to configure the subnet mask and gateway address here as well):
Modify VLAN Table? (y/[n]): y
Enter VLAN ID to edit [u=Untagged,1-4096]: 10
VLAN ID [20]
VLAN Monitoring [Off]: on
IP Type (d=dhcp, s=static) [dhcp]: d
Set: VLAN Monitoring: [On]
Sensor must be rebooted for the new VLAN settings to take effect. Reboot now? (y/[n]): y
Select “y” to reboot the sensor. When the system comes back up, enter your credentials and type “get VLAN config” to verify that your changes are in effect:
[config]$ get vlan config
Displays information for all VLANs monitored or discovered in Network Detector (ND) or Sensor/ND Combo mode.
Settings for VLAN:
Fetching VLAN table. Please wait up to 30 seconds...
VLAN for Communication with Server : Untagged VLAN
==============================================================================
VLAN_ID    Mon?   Discovered?   Type     IP Address/Mask
==============================================================================
Untagged   Yes    Yes           static   192.168.1.245/255.255.255.0
10         Yes    No            dhcp
==============================================================================
Sensor_Status
In the second step, you need to configure the management VLAN that the server will be using. To configure this, type the command “set mgmnt VLAN”:
[config]$ set mgmnt vlan
Settings of management VLAN used to communicate with the Server. Note that the untagged VLAN is also known as the Native VLAN.
Settings for Management VLAN:
Management VLAN ID (u=Untagged VLAN,1-4096)[u]: 10
Setting the management VLAN to a tagged VLAN will disable the autoupgrade facility for this Sensor. This Sensor must be upgraded manually through Upgrade Manager.
Enter the VLAN ID that was used in the previous step, and hit return. The sensor will ask for a confirmation of this; select “y” and hit return. The sensor will reboot, and to verify your configuration type the command “get mgmnt VLAN”:
[config]$ get mgmnt vlan
Displays information about the management VLAN used by Sensor to communicate with Server.
Settings for Management VLAN:
VLAN ID: [10]
IP Type: [dhcp]
IP Address: [192.168.1.245]
Subnet Mask: [255.255.255.0]
Gateway: [192.168.1.1]
[config]$
Using Network Detector:
At this point, you have completed the setup for Network Detector. Now you can go to the SpectraGuard Enterprise web console in your browser, select the “devices” tab and then the “sensors” tab to view the Network Detector. You can right-click and select either properties or details to get additional information on this device. This device will discover multiple VLANs, and the policies for those VLANs can be configured on the “administration” tab under “security policy.”
Sample Configurations for Extreme Networks and Cisco Switches
A Cisco Networks sample configuration:
Cisco Switch Port configuration:
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
Comptt-SW#sh int fastEthernet 0/17 switchport
Name: Fa0/17
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1,10,20,30,50,192
Pruning VLANs Enabled: 2-1001
Priority for untagged frames: 0
AirTight SpectraGuard Network Detector Configuration:
[config]$ set mode
(select 2 for Combo and 3 for Network Detector)
If the DNS entry wif-security-server is not configured for your network, you will need to point the Sensor to the server. To do this, issue the command:
[config]$ set server discovery
(enter IP address of server) 192.168.1.246
This points the sensor to the server.
Notes
• Cisco Catalyst switch needs to be configured for 802.1Q trunking
• Cisco Catalyst switch does NOT tag frames on the native VLAN
  - In the above configuration the native VLAN is 1 (default native VLAN for all trunks on Cisco Catalyst switches)
  - In the above configuration, VLANs 10, 20, 30, 50, and 192 are the active wired VLANs
• Set the VLAN ID for the SpectraGuard to communicate with the Enterprise server to a VLAN where tagging is ENABLED! (i.e. it should be a non-native VLAN)
  - In the above configuration, VLAN-ID 30 (tagged) is chosen as the VLAN for the Network Detector to communicate with the SpectraGuard server
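As an added example (not from this brief and not AirTight's own code), the following Python script parses constructed 802.1Q frames the way a trunk-facing monitor sees them: untagged frames are counted as the native VLAN, tagged frames yield their VLAN ID, and the tagged VLAN count is checked against the per-mode VLAN Monitoring limits given above (4 for Combo, 32 for Network Detector) to tell whether the switch port still needs pruning. The mode names, frame contents and MAC addresses are constructed for the example.

```python
# Added example, not from the AirTight brief: parse constructed 802.1Q
# frames as a trunk-port monitor sees them, then check the discovered
# VLANs against the brief's VLAN Monitoring limits (Combo 4, ND 32).
import struct
from collections import Counter

TPID_8021Q = 0x8100                    # EtherType that marks a tagged frame
MODE_LIMITS = {"combo": 4, "nd": 32}   # per-port VLAN Monitoring limits


def frame_vlan(frame: bytes):
    """Return the 802.1Q VID of a frame, or "Untagged" when it carries no
    tag (a Cisco Catalyst trunk sends native-VLAN frames untagged)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return "Untagged"
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF                # low 12 bits of the TCI are the VID


def build_frame(vid=None, payload=b"\x00" * 46):
    """Construct a minimal sample frame; vid=None gives an untagged frame."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"   # dst, constructed src
    if vid is None:
        return hdr + b"\x08\x00" + payload
    return hdr + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + b"\x08\x00" + payload


def discover_vlans(frames):
    """Tally frames per VLAN, as the sensor's VLAN table would list them."""
    return Counter(frame_vlan(f) for f in frames)


def check_port(frames, mode):
    """Decide whether the trunk's tagged VLAN count fits the mode's
    monitoring limit, i.e. whether the switch port still needs pruning."""
    seen = discover_vlans(frames)
    tagged = sorted(v for v in seen if v != "Untagged")
    limit = MODE_LIMITS[mode]
    return {"vlans": tagged, "native_seen": "Untagged" in seen,
            "limit": limit, "pruning_needed": len(tagged) > limit}


if __name__ == "__main__":
    # Constructed sample: native VLAN (untagged) plus the active wired
    # VLANs from the Cisco sample output above.
    sample = [build_frame()] + [build_frame(v) for v in (10, 20, 30, 50, 192)]
    print(check_port(sample, "combo"))   # 5 tagged VLANs > 4: pruning_needed True
    print(check_port(sample, "nd"))      # fits within 32: pruning_needed False
```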
An Extreme Networks sample configuration:
From a switch with factory default configuration (ExtremeWare 7.3.X), these should be all the commands needed to build a test lab utilizing network detector.
Extreme Networks Switch Configuration
Configure default delete ports all
Create VLAN server1
Configure VLAN server1 ipaddress 192.168.1.1/24
Configure VLAN server1 add ports 1-2
Create VLAN user10
Configure VLAN user10 ipaddress 192.168.10.1/24
Configure VLAN user10 add ports 5-6
Configure VLAN user10 tag 10
Configure VLAN user10 add port 3 tag
Create VLAN user20
Configure VLAN user20 tag 20
Configure VLAN user20 add port 3 tag
Create VLAN user30
Configure VLAN user30 ipaddress 192.168.30.1/24
Configure VLAN user30 add ports 9-10
Configure VLAN user30 tag 30
Configure VLAN user30 add port 3 tag
Enable IPforwarding
Configure ospf add VLAN all area 0.0.0.0
Enable ospf
Enable bootprelay
Configure bootprelay add 192.168.1.5 {the ipaddress of dhcp server}
AirTight SpectraGuard Network Detector Configuration:
[config]$ set mode
(select 2 for Combo and 3 for Network Detector)
If the DNS entry wif-security-server is not configured for your network, you will need to point the Sensor to the server. To do this, issue the command:
[config]$ set server discovery
(enter IP address of server) 192.168.1.246
This points the sensor to the server.
Notes: