MAC Auditor Administration Guide

(1)

(2)

Release 1.73, Rev. 1

Copyright Notice

REBASOFT Software, the Rebasoft logo, MAC Auditor are registered trademarks of Rebasoft Ltd in the United Kingdom and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

All specifications are subject to change without notice. Rebasoft assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Rebasoft reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Disclaimer

(3)

Introduction

MAC Auditor is an application intended for multiple audiences and users. Principally it is designed to be used by networking and security professionals to locate and report on devices accessing a network. Studies have shown that as much as a quarter of an IT

department’s network maintenance budget will be spent on troubleshooting issues. MAC Auditor uniquely

addresses the key issue of quickly identifying users and

devices and relating them to a physical location or part of

the network.

Switches and other networking devices by their nature do

not hold much history of activity nor do they provide auditing of network device movement. MAC Auditor addresses this; its powerful collection and reporting

capabilities provide for much more in-depth forensics and

alerting over time – MAC Auditor’s data handling has no limit to the length of time information can be held and reported on.

Key Features include:

 Extensive MAC & ARP tracking  DNS Resolution

 User lookup – relating users to your network via LDAP & Active Directory  Free port reports

 Watchlist alerting on MAC addresses accessing the network  Extensive executive and operations graphical reporting  Real-time and historic interface status

 Powerful searches on MAC, IP, UserID and other text strings  Unlimited data retention

 User configurable device grouping

 Extensive 3rd party integration and full URL control

 Low system resource and overhead – with extensive configuration options

MAC Auditor can help assist with incident management, distinguishing between moves, changes and normal operations. Laptop Management is eased; allowing identification of roaming devices and even “blacklisted” devices on the network. MAC Auditor can help ensure mobile devices comply with security policy, identifying devices and relating them to physical/network locations. MAC Auditor can also assist in monitoring and planning network changes. MAC Auditor can help:

1) Security professionals see a history of device access to (or tried to access) the network, thus assisting with compliance regulations.

2) Network managers see unused ports in their network, driving up asset utilisation, and reducing costs.

(6)

Compliance

On 15 March 2006 the European Union formally adopted Directive 2006/24/EC, on "the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC"

The Directive requires Member States to ensure that communications providers must retain, for a period of between 6 months and 2 years, necessary data as specified in the Directive:

 to trace and identify the source of a communication;  to trace and identify the destination of a communication;  to identify the date, time and duration of a communication;  to identify the type of communication;

 to identify the communication device;

 to identify the location of mobile communication equipment.

(7)

Installation and Configuration

MAC Auditor is provisioned using a simple installer that can be run on Windows Server operating systems. This installer can be used for initial installation, software version upgrades and changes in system parameters.

Minimum System Requirements

The type of system required to run MAC Auditor depends on the number of devices to be polled for management reporting. The following requirements are a guideline; the only way to determine requirements is by testing the software’s performance in a specific network environment. To this end Rebasoft has packaged a 7-day trial download.

 Dual core Intel Xeon or AMD similar processor.

 2Gb RAM, although performance will benefit from increased RAM, as data is cached in memory prior to writing to the database.

 80 Gb SATA 7200rpm+ disk (or greater depending on network size and period of storage).  Windows 2003/2008 server.

 Java Runtime (JRE) V1.6 (or later) installed.

 Internet Explorer V6 or later, Mozilla V3 or later (JavaScript must enabled in the browser).  1200 x 1024 pixel screen resolution is recommended for client devices accessing MAC Auditor. MAC Auditor is supported in a VMware environment.

Data storage

Data is stored and archived on a monthly basis, with each year and month being kept in a separate directory. This means there is no limit to the timeframe over which information can be stored. Typically, each month of data collection will require 1GB of disk space (based on site with approximately 30,000 MACs). Almost any form of local disk supported by Windows can be used for MAC Auditor data storage. The architecture of the DBMS is such that data can be backed-up and restored on the fly without any service interruption. This means we have not had to build in any complex data back-up utilities; organisations can rely on standard file based data archive and recovery mechanisms that may already be in use.

System parameters

MAC Auditor relies on SNMP polling device CAM tables as part of information collection. The software has been extensively tested in large networks and against different device types and vendors. System parameters are set as a result of the testing and in line with system recommendations below.

Experience shows that it takes around 1 minute for a device to respond to poll of the CAM table. The system default is for the polling cycle to be completed every 30 minutes. The objective therefore is to set the number of concurrent poller threads to be sufficient to complete to information collection and processing within the allotted time.

We recommend that 1 thread be allowed for each 10 devices to be polled. The installation default is for 20 threads, this would allow support of up to 200 devices (with between 5000 and 8000 interfaces). The thread count can be increased subject to network and server load considerations.

Installing MAC Auditor

(8)

The installer can be run whether performing a new installation or updating an existing system. In the case of an upgrade, data is preserved; Rebasoft does, however, advise administrators to perform a data back-up regularly and especially prior to system back-upgrade.

To start installation, simply execute the installer:

1)

Click next….

2)

Click “I Agree” to accept the licence agreement ….

(9)

Select components to install and click next ….

4)

For threads setting please see System parameters for more details.

5)

Specify drive and directory for installation click next ….

Note:

If the http or https ports entered are already in use by another application, the installation will complete, but an entry stating “bind failed, port already in use” will appear in the MAC Auditor log and the MAC Auditor service will fail to start.

Note:

(10)

6)

MAC Auditor installs as a system service, a command window should appear during this process

7)

Once MAC Auditor installation is complete (administrators can view the details of where files have been installed by clicking the details button) click next…..

Note:

(11)

Logging in for the first time

Users and administrators can access MAC Auditor from a workstation with a compliant browser by opening the following address:

http://<IP or DNS address of server>:<port>

To access MAC Auditor, at the login screen enter the default username and password of “admin” and “admin”. We recommend administrators change the default installation password from “admin” via the User administration function.

Installation of License key

(12)

To add a license, simply cut and paste the license string into the “New License” box and click “load license”. The license will validate and confirmation of the system license will be displayed. If the license level is exceeded, MAC Auditor will not collect information from the additional interfaces until a new key is obtained from a MAC Auditor reseller.

Note:

If an invalid license is applied, or a version mismatch is detected, MAC Auditor will write a message to the MAC Auditor log, located in SYSTEM32 directory and will not perform any further polling until a valid license is loaded

Note:

(13)

Application structure

MAC Auditor has been designed with ease of use in mind. Information is displayed both graphically and in table form depending on user requirements. The Reporting view shows summary level in graphical form at the Network, Site and Device levels, providing an easily assimilated view of Interfaces and MAC addresses.

The Operational view allows a workflow drill down from Site to Device to details via VLAN, Interfaces or MACs. Alternatively users can take advantage of the powerful search function.

The screen shot below shows the main areas for interacting with MAC auditor:

The View and period selector allows toggling between the report and operations view of data. The date drop-down allows selection of the month dataset to use for reports and operational view of sites, devices and searches.

The Searches input allows searching in the selected month on any string. See Searches for more information on searching.

(14)

The Sites selector lists the sites with the number of devices contained in each site. See Sites administration for more details in setting up and administering sites.

The Devices selector shows the devices within a site. This list is blank upon login until a site is selected. The devices list is then populated from the list of devices configured within the site

From the devices frame, users can select Device, VLAN, Interface and MAC information for that device. This information is then displayed in the Display frame.

Finally, the Status frame displays system information, including license status and utilisation and Watchlist results.

Most of the tables in MAC Auditor can be sorted by column; simply click the mouse on the desired column heading. The first click will sort from low to high, the second from high to low:

User administration

MAC Auditor offers two levels of security – normal user or admin user. Admin users have the ability to create and manage sites, users, devices and communities. Normal users are just able to view reports and information captured by MAC Auditor. This way, administrators could grant access to helpdesk staff without granting privileges to change the MAC Auditor system settings.

Users administration is accessed from the Administration dropdown in the top frame; clicking the arrow:

Administrators are then presented with Users administration in the information frame:

(15)

To reset password or delete a user, click on the username from the list (administrators can also promote or demote a user from admin privileges at this stage).

System settings administration

One of the first actions recommended is the configuration of system settings. System level settings are used throughout the application. Here administrators can set-up:

 System SNMP Community strings  Alert defaults

System settings are accessed from the Administration dropdown in the top frame (clicking the arrow):

Note:

(16)

A summary of the current system settings and directory locations are shown at the bottom of the system settings page:

System SNMP Community strings

System level SNMP community strings are used during initial device polling. SNMP strings, if entered during device input, are used first. In the absence of a specified SNMP community string, system level SNMP communities are used in turn until a successful poll is performed. MAC Auditor then stores the successful string with the device, this reduces the number of alerts that a device might generate if a community is used unsuccessfully. It is only necessary to use Read-only strings.

To add a new community simply type the string into the box & click “Add community”

To remove a community, simply click the cross next to the string to be removed:

System Alerts

(17)

.

Syslog server receivers can be removed by simply clicking the cross next to the syslog to be removed:

Device administration

Any device that has a CAM table can be a data source for MAC Auditor – this might be Layer 3 switch, Router or Firewall. MAC Auditor uses SNMP to poll device MIB parameters using RFC standards to retrieve the required information from the device. Where a device is not compliant, it is possible to use a custom MIB – Rebasoft will consider adding vendor MIBs to Mac Auditor to support customer requirements. We have also provided an over-ride to cater to devices where the MIB definitions present inconsistent results.

To add, delete or manage existing devices, administrators should select “Devices” from the administration dropdown & click the arrow:

Add a device

(18)

To add multiple devices, simply separate with a comma; for example “router1, switch1, firewall8” will add 3 devices – DNS will resolve the device to the current IP address. Up to 10 devices may be added using this method using IP addresses.

To add a range of devices, simply add the start of the range and the end of the range separated with a space; for example “1.1.1.1 1.1.1.50” will add and scan fifty devices from 1.1.1.1 to 1.1.1.50.

For multiple ranges, it is recommended that the bulk load facility is used.

Note:

(19)

Devices can be bulk loaded by cutting and pasting lines into the Bulk load dialog. The format of the load is shown below:

 <ipaddress>:<snmpCommunity>:<SiteName>

This loads a single IP address per line. If snmpCommunity is omitted, MAC auditor uses the system defaults in turn to contact the device. If SiteName is omitted, device is added to “All devices”. The colon ( : ) is a field delimiter. If the site does not currently exist, it will be created dynamically

 <ipaddress_start> <ipaddress_end>:snmpCommunity:SiteName

In this case the space between the 2 IP addresses indicates that MAC Auditor should add the range of addresses between the two. The same provisions apply for snmpCommunity & SiteName

 <ipaddress_1>,<ipaddress_2>,<ipaddress_3>:<snmpCommunity>:<SiteName>

A set of IP addresses separated by commas constitutes a list to be processed.

Changing device settings

Once a device has been added to the MAC Auditor database, certain settings can be overridden.

It is possible to enable or disable a device, simply tick the enable box, and then click the ”Save device” button. Failure to click the save device button will cause changes to be lost if navigating away from the page:

“Rescan” will cause the device to be polled using SNMP.

“Save device” will cause the device updated information to be to be saved to the database. Navigation

away from this page without saving changes causes them to be lost.

“Remove device” deletes the device from MAC Auditor, but does not delete the device data collected in

the current month. Removing a device will stop it being polled for information. A removed device / interface will not count towards the license count, but will still appear in the sites/devices list.

“Remove device and data” removes all device and information collected via that device from the MAC

Auditor system for the current month. Any data collected via a different device will still remain in the database. Hence MAC, IP and UserID data will still remain in the system if it has been collected via another device.

(20)

If the interface index, or retrieved parameter does not match the desired display, administrators can override the “ifindex”, name and description displayed.

Use of this facility should be carefully considered as reports against interfaces may not be accurately shown.

Sites administration

MAC Auditor groups devices into “Sites”. A site is any definition administrators choose; Sites can be buildings, floors, departments. By default MAC Auditor comes with a site called “All devices”. During network discovery, the devices added will be automatically assigned to the “All devices” grouping unless otherwise specified.

To access Sites administration, select “Sites” from the administration dropdown in the top frame and click the arrow:

Note:

(21)

Sites settings can then be managed in the information frame:

To add a site, simply type a name and click the “Add New Site” button.

Once a site has been added it will appear in the Site list, and administrators can add or remove a device by using the cursor to select a device and add or remove it from the members list.

To remove a site, simply highlight the site & click the “Remove site button”. Removing a site does not remove the device or data for that device. The device will remain in the “All devices” site.

To rename a site, simply highlight the site, type in the new name and click the “Rename Site” button.

Devices may appear in more than one site.

User Lookup administration

A powerful feature of MAC Auditor is the associating of user login information. This allows organisations to search on UserID as well as IP address and MAC. The association of this information makes it easy to find users on the network for help desk and audit purposes.

Note:

(22)

MAC auditor supports user lookup via LDAP systems, such as Novell eDirectory, and Windows 2003 & 2008 Active Directory. Since Active Directory does not store user login requests in the directory; rather Microsoft records user logon/logoff information in the system security log, the log must be accessible to the user configured in the User lookup settings.

MAC auditor supports LDAP and Windows 2003/2008 WMI methods –multiple User Lookup servers in any combinations of LDAP, Windows 2003/2008 are supported.

User details are fully searchable once stored in the database. Please note that MAC Auditor polls the directory service configured once per hour, and looks for login records. Hence it may be some time before UserID information appears in the system.

To access user lookup, select from the Admin menu:

The TAG used in setting up LDAP and Active Directory look up is a label used in reporting. If you have multiple LDAP or PDC/BDC servers, you could tag them with one or more names. For example you have an internal domain of "abccompany.local", but use multiple authentication servers on your network, using "abccompany.local" as a tag for each server being polled will allow MAC Auditor to group all user entries for that group of DC's into a single report.

User lookup with LDAP

MAC Auditor supports user lookup via LDAP. To add LDAP lookup, administrators should complete the LDAP form below, providing credentials and LDAP parameters.

Note:

Rebasoft recommends the polling period of 3600000 milliseconds be left as default, and that a

Note:

(23)

Following configuration, an entry similar to below should be saved: java.naming.provider.url:ldap://x.x.x.x:389 java.naming.factory.initial:com.sun.jndi.ldap.LdapCtxFactory java.naming.security.principal:cn=company,ou=servers,o=ldap-servers java.naming.security.authentication:None java.naming.security.credentials:******** java.naming.ldap.attributes.binary:networkAddress Polling Period:3600000 Filter:loginDisabled=FALSE

User lookup with Active Directory

User lookup for Active Directory login information is available for both Windows 2003 or 2008 platforms.

To add a lookup, simply specify a tag – this identifies which server MAC Auditor has used for the look-up. Specify the server address, domain name and user ID & password. It is not recommended to change the UserExcludeFilter or polling period.

Note:

Windows Authentication 2003/2008 lookup uses the System Security Log as the data source. Rebasoft recommend creation of a new user with access privileges to the system security event logs.

More information on “Manage auditing and security log properties” can be found at

(24)

Using MAC Auditor

Once MAC Auditor is set-up and collecting information, it can be reported upon. There are two main methods of viewing reports and drilling further into the information collected:

 Reports  Operations

Reports

The Reports view is designed so that information at the Network, Site and device level can be understood and viewed graphically. To run reporting, users must first select the month of interest (default is the current month):

Once the month has been selected, the Network, Site or Device overview report must be run:

Reports have been designed to show data in a consistent manner; with summary data, interface statistics, and scrolling down, users can graphically view the distribution of MAC addresses across top populated devices, and a count of MAC addresses by day, over the current month:

Note:

(25)

There are a number of links from the Interface level summary, and a useful report can be the list of “Down interfaces”:

The “Down Interfaces” report can be a useful guide to interfaces that have been down or unused over a period of time, potentially making them candidates as “free ports” available for use.

Clicking the device, interface or other link will swap the user into the operational view of the item in question.

Operations

In addition to reporting, MAC Auditor provides detailed forensics to allow users to logically drill down from Sites to Devices to VLANs, Interfaces or MACs. Users can relate usernames to IP addresses, so from a site, quickly locate a user and how they are connected to the network.

(26)

Selecting a device will show a device overview interface statistic, and lists of the interfaces and VLANs on the device:

(27)

Below the device attributes, is a summary of Interfaces, VLAN and MAC’s for the device:

The Interface section provides a quick view of interfaces, real-time status, recent device status, type, MAC and IP related information for each interface. Hyperlinks allow drilldown to VLAN, MAC, and IP for further detailed information.

(28)

Any field underlined can be selected, so from the device level, users can drill to Interface and ultimately MAC, IP and User forensics.

(29)

IP Forensics

(30)

VLAN overview

VLAN overview shows VLAN and MAC count for the VLAN.

Note:

Where the VLAN is “local” there is no VLAN configured.

Note:

(31)

MAC forensics

MAC forensics allows users to review the IP and connection history of a MAC address:

The IP details show the history of IP address assignment to the MAC address.

Connections show the interfaces (and device) that the MAC address has been seen on (The MAC Count shows the total number of unique MAC’s on the interface).

(32)

User forensics

User forensics can be used to find the IP and hence the MAC history of a UserID. This will be non-zero if User Lookup administration has been correctly configured, and MAC Auditor has had sufficient time to start collecting user data from LDAP or log sources:

Searches

MAC Auditor’s powerful search engine allows users to search for any string in the currently selected month. Most users will use the search as way to quickly navigate to the point of interest. Searches return results in for MAC, User ID, IP address, Devices, Interfaces and VLANS:

For example, searching on “10.1.6.9” in May 2009 will bring up all the matching records with the string “10.1.6.9“. The results are presented as a table that allows the user to drill down for further information:

Note:

(33)

Watch list

MAC Auditor is able to help track devices on the network. Whether users require alerts about a rogue access point, or a stolen Laptop, as soon as it is seen on the network, a Watchlist hit is displayed and an alert is optionally generated. Clicking on the hyperlink shows a list of watched devices and when seen on the network:

Users can click clear to remove the alert or click on the MAC address link to see further details on the device. In addition to the web screen alert, the current version of MAC Auditor allows alert of a Watchlist hit to a Syslog server or other syslog based management system.

Watch lists can be added via 2 methods. From the MAC forensics screen by clicking the “Add Watch entry” link:

Note:

(34)

Or via the Watchlist admin drop down:

There are two potential phases to adding a Watchlist device: 1. Add device (plus a description) to the watch list.

2. Once the watch list device is added, decide on an alerting setting if required.

3. Alerts for watch lists can be multiple and can be deleted without the Watchlist entry being deleted.

Alerts are only sent when a MAC address is first seen by the MAC Auditor

Note:

(35)

Auditor is then restarted you will, of course, generate an alert as this would be classed as a new Watchlist hit.

The syslog message will be sent as:

messages.2:Sep 1 17:32:42 172.21.40.199 MAC Auditor Watch Entry Seen:00:1f:c5:ed:ae:23 on Device:172.21.40.254 ifIndex:3 Reason:Wii

3rd Party Integration

MAC Auditor is an open application and has been designed with powerful integration facilities. Integration can be at the MAC, IP, Interface or Device level. Integration can be selected via the Admin dropdown:

To enable integration, select the type required, and provide a name. This name will be displayed on the appropriate page under tools:

(36)

Once added, the integration appears as a “tool” at the IP, MAC, Device or interface level:

While there are no limits to the number or types of integrations available, Rebasoft recommend no more than 4 or 5 per level be configured to maintain clarity during application use.

3rd Party integration can happen in reverse. All reports and screens within MAC Auditor are accessible via a URL. Hence it is possible to call MAC Auditor from any web application. For example, a search with a search parameter can be called via a URL from any web application:

(37)

Appendices

Appendix1: Glossary

ARP Table Address Resolution Protocol (ARP) Table is a mapping of MAC addresses to IP addresses. This table is needed by hosts in order to send information in a network. ARP is defined in RFC 826.

DNS Domain Name System or Domain Name Server – an IP protocol via which names for computers or applications can be resolved to the correct IP address.

CAM Table Content Addressable Memory (CAM) table is used by a layer 2 Ethernet switch to copy bits from one port to another where the destination network device resides. The MAC addresses for the CAM table are populated using ARP.

LDAP Lightweight Directory Access Protocol is an application protocol for querying and modifying directory services running over TCP/IP. LDAP is used by MAC Auditor to determine the user and relate to the MAC or IP Address.

MAC Media Access Control address is a unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. Unlike IP V4, there are 248 possible addresses

MIB Management Information Base (MIB-II) is an area of device memory where system parameters and other relevant information can be written by a device and retrieved using SNMP to other systems. The MIB may include CPU, bandwidth utilisation or CAM table entries. The MIB data is often volatile – and can be overwritten or lost if a device loses power

SNMP Simple Network Management Protocol is used to monitor network-attached devices for conditions that warrant administrative attention. MAC Auditor uses SNMP to obtain information from managed devices in the network.

Site Site is simply a logical grouping of devices.

DBMS Data Base Management System – software used to store, organise and retrieve information – for example SQLite

Appendix 2: System settings and information

Performance

Performance is used to monitor the system and provide information on collection from devices.

The system presents a list of Devices, Interfaces, VLANs, CAMs, MACs, ARPs and other parameters at the system level. Graphs also provide system memory use information. Since MAC Auditor caches data in RAM, the more memory available, the better system performance is.

A chart also shows the amount of free disk space on the current server, so that administrators can ensure that data storage problems are avoided.

Data storage

(38)

Appendix 3: Troubleshooting

Knowledgebase

A comprehensive knowledge base is available at http://www.rebasoft.net/support. Most issues related to installing, configuring and using MAC Auditor can be resolved here.

MAC Auditor log

By default MAC Auditor outputs messages to the C:\WINDOWS\SYSTEM32 directory. If users experience a problem, we recommend that this file be copied and included when making a support request.

SNMP Problems

Often users will see a device in the devices frame, where the VLAN, Interfaces and MAC’s have question marks. In addition to the unknown data, the device is highlighted in red and rolling over yields the message SNMP problem:

Resolutions:

1) Verify that the a valid community is configured in System SNMP Community strings for the device 2) Assuming IP connectivity to the device is possible, ensure:

 the device is enabled for SNMP polling

 the SNMP ACL has the source address of the MAC Auditor server  any firewall or NAT device is passing port 161/162 traffic

Interface display problem

If MAC Auditor is unable to determine a value, it will display ?? (double question mark) in place of a value. For example in the device overview, the interface list is shown below:

The cause of this may be due to the fact that the logical configuration for that interface has been removed. Other unknown device or status conditions may be due to the fact that the device stopped responding to MAC Auditor polling in the current month.

Resolution:

a) Verify the device is currently responding to SNMP polling from MAC Auditor

b) Verify the configuration is still valid – you may wish to make a note on “devices administration” to indicate the interface configuration has been removed or changed.

(39)

Known Issues

Juniper Networks ScreenOS based firewall devices have inconsistent reporting of ARP & CAM in relation to interfaces. Rebasoft have provided an override mechanism to provide a work around. See Changing device settings for further details.

Appendix4: Third Party Software Components

MAC Auditor makes use of several third party libraries, distributed under various licenses. SQLite

MAC Auditor includes SQLite 3.6.13, available at http://www.sqlite.org/download.html

This is distributed the SQLite license, a copy of which is available at http://www.sqlite.org/copyright.html. Jetty

Jetty is dual licensed under the Apache License 2.0 and Eclipse Public License 1.0. Jetty is free for commercial use and distribution under the terms of either license, with exceptions listed in the NOTICE file.

JQuery

jQuery is currently available for use in all personal or commercial projects under both MIT and GPL licenses. This means that you can choose the license that best suits your project, and use it accordingly. http://docs.jquery.com/License

SNMP4J

SNMP4J is an enterprise class free open source and state-of-the-art SNMP implementation for Java™

2SE 1.4 or later. SNMP4J and SNMP4J-Agent are licensed under the Apache 2.0 license

Log4J

Log4J is an open source debug logger. Log4J is licensed under the Apache Software License V2: http://logging.apache.org/log4j/1.2/license.html

jFreeCharts

JFreeChart is a free 100% Java chart library that makes it easy for developers to display professional quality charts in their applications, licensed under lgpl http://www.gnu.org/licenses/lgpl.html

iText

iText is a library that allows you to generate PDF files on the fly. iText is licensed under MPL -

(40)

Appendix5: End User Licence Agreement

REBASOFT LIMITED END USER LICENSE AGREEMENT

IMPORTANT -- READ CAREFULLY BEFORE USING THIS SOFTWARE: THIS IS A LEGAL AGREEMENT BETWEEN YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) AND REBASOFT LIMITED COVERING YOUR USE OF ANY REBASOFT LIMITED SOFTWARE APPLICATION (“SOFTWARE”) THAT YOU HAVE ACQUIRED. YOU ACKNOWLEDGE UPON INSTALLATION OF ANY SOFTWARE THAT YOU HAVE REVIEWED AND AGREED TO ALL OF THE TERMS AND CONDITIONS SET FORTH IN THIS DOCUMENT. IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT INSTALL OR USE THE SOFTWARE. IF YOU HAVE ALREADY INSTALLED THIS SOFTWARE AND DO NOT AGREE TO THESE TERMS, PLEASE UNINSTALL THE SOFTWARE AND IMMEDIATELY DISCONTINUE ITS USE. YOU AGREE THAT YOUR USE OF THE SOFTWARE ACKNOWLEDGES THAT YOU HAVE READ THIS LICENSE, UNDERSTAND IT, AND AGREE TO COMPLY WITH ITS TERMS AND CONDITIONS. BY CLICKING ON THE "ACCEPT" BUTTON, OPENING THE PACKAGE, DOWNLOADING THE PRODUCT, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE "DO NOT ACCEPT" BUTTON AND THE INSTALLATION PROCESS WILL NOT CONTINUE. IN ADDITION: (1) IF YOU PURCHASED THE PRODUCT, RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND; OR, (2) IF YOU ARE OTHERWISE ATTEMPTING TO DOWNLOAD THE PRODUCT AND YOU DO NOT AGREE WITH THE TERMS OF THIS AGREEMENT, DO NOT COMPLETE THE DOWNLOAD; OR, (3) IF YOUR SOFTWARE WAS INCLUDED IN EQUIPMENT WHICH YOU PURCHASED AND YOU DO NOT AGREE WITH THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE.

As used herein, “EULA” means an end user license agreement. This EULA is a legal agreement between you (either an individual or an entity) and REBASOFT LIMITED and its suppliers and licensors (collectively "REBASOFT LIMITED") for the Software which may include components provided by suppliers and third-parties to REBASOFT LIMITED.

“Software” means the object code versions of the product, together with the updates, upgrades, modifications or enhancements owned and provided by REBASOFT LIMITED to you pursuant to this agreement. As used herein, "Computer" means the hardware, if the hardware is a single computer system whether physical or virtual, or shall mean the computer system with which the hardware operates, if the hardware is a computer system component. This Software is an application made up of individual software components, each of which was individually written and copyrighted.

ANY THIRD PARTY SOFTWARE, INCLUDING ANY THIRD PARTY'S PLUG-IN, THAT MAY BE PROVIDED WITH THE SOFTWARE IS INCLUDED FOR USE AT YOUR OPTION. IF YOU CHOOSE TO USE SUCH THIRD PARTY SOFTWARE, THEN SUCH USE SHALL BE GOVERNED BY SUCH THIRD PARTY'S LICENSE AGREEMENT. REBASOFT LIMITED IS NOT RESPONSIBLE FOR ANY THIRD PARTY'S SOFTWARE AND SHALL HAVE NO LIABILITY FOR YOUR USE OF THIRD PARTY SOFTWARE. YOU MAY ACCESS ANY THIRD PARTY LICENSE INCLUDED WITH THE SOFTWARE YOU HAVE PURCHASED AT WWW.REBASOFT.NET

The third-party components contained in this Software may include or contain software licensed under the following licenses, GNU General Public License (“GPL”), Apache 2.0 license, MOZILLA PUBLIC LICENSE or Lesser GNU General Public License (“Open Source Programs”). These Open Source Programs are licensed pursuant to a EULA that permits the End User to copy, modify, and redistribute the software, in both source code and binary code forms. These EULAs can be located at http://www.rebasoft.net/support/license.php. Nothing in this EULA limits end User’s rights under, or grants the End User rights that supersede, the terms of any applicable Open Source Program EULA. Upon installation of this Software, REBASOFT LIMITED hereby grants you the following license to use the Software in your facility subject to the terms contained herein subject to the licenses referenced herein.

1. GRANT OF LICENSE.

Upon payment of the fees applicable under this Agreement, REBASOFT LIMITED hereby grants to you a perpetual, non-exclusive, non-transferable license to use the Software and any related documentation ("Documentation") subject to the following terms:

a) For each registered Software license key that you purchase, you may: (i) use the Software on any single Computer and

(ii) subject to the number of interfaces as defined within the purchase order

(41)

b) The Software is "in use" on a computer when it is loaded into temporary memory or installed in permanent memory (Hard Drive, CD-ROM or other storage device). You agree to use your best efforts to prevent and protect the contents of the Software and Documentation from unauthorized use or disclosure. You agree that you will only use the Software license key obtained directly from REBASOFT LIMITED.

2. LICENSE RESTRICTIONS. a) You may not:

(i) permit other individuals to use the Software except under the terms listed above;

(ii) modify, translate, reverse engineer, decompile, disassemble (except to the extent that this restriction is expressly prohibited by law) or create derivative works based upon the Software or Documentation;

(iii) copy the Software or Documentation (except for back-up or archival purposes); (iv) rent, lease, transfer, or otherwise transfer rights to the Software or Documentation;

(v) remove any proprietary notices or labels on the Software or Documentation. Any such forbidden use shall immediately terminate your license to the Software. The recording, playback and download features of the Software are intended only for use with public domain or properly licensed content and content creation tools. You may require a patent, copyright, or other license from a third party to create, copy, download, record or save content files for playback by this Software or to serve or distribute such files to be played back by the Software.

b) You may not delete, remove, hide, move or alter any Icon, Image or Text that represents either the company name of REBASOFT LIMITED or any derivation thereof. All representations to the company name “REBASOFT LIMITED” must remain as originally distributed regardless of the presence or absence of a trademark or copyright symbol. c) This EULA does not grant you any rights in connection with any trademarks or service marks of REBASOFT LIMITED or its suppliers. All title and intellectual property rights in and to the Software (including but not limited to any images, photographs, animations, video, audio, music, and text incorporated into the Software, the accompanying printed materials, and any copies of the Software) are owned by REBASOFT LIMITED, its suppliers, or are publicly available. All title and intellectual property rights in and to the content which may be accessed through use of the Software is the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws and treaties. This EULA grants you no rights to use such content. All rights not expressly granted under this EULA are reserved by REBASOFT LIMITED and its suppliers. You agree that you will not export or re-export the Software to any country, person, or entity

d) You agree that you shall only use the Software and Documentation in a manner that complies with all applicable laws in the jurisdictions in which you use the Software and Documentation, including, but not limited to, applicable restrictions concerning copyright and other intellectual property rights.

e) REBASOFT LIMITED strictly prohibits the use of the Software to sell or provide Network Monitoring Services to users who are not individually licensed by REBASOFT LIMITED except as described herein.

i) If you are an IT Consultant, IT Solution Provider, or Facilities Management Provider, who deploy or maintain networks, security solutions, communications solutions, hardware, software components, upgrades, etc, you are required to individually license each of your customers.

3. TITLE.

Title, ownership, rights, and intellectual property rights in and to the Software and Documentation shall remain in REBASOFT LIMITED and/or its suppliers. The Software and the Services are protected by the copyright laws of the United Kingdom and international copyright treaties. Title, ownership rights and intellectual property rights in and to the content accessed through the Software and the Services "Content") shall be retained by the applicable Content owner and may be protected by applicable copyright or other law. This license gives you no rights to such Content.

4. DATA RIGHTS.

You should be aware that REBASOFT LIMITED’ Software contains functions for collecting information related to your use of the Software. REBASOFT LIMITED may also collect and track non-personally identifiable

information about you including but not limited to your IP address, the type of hardware you use and the type of browser you employ. REBASOFT LIMITED reserves the right to compile, save, use within the scope of

REBASOFT LIMITED’ activities, and analyze any and all of your data (registration data, and use history). REBASOFT LIMITED intends to use such data for internal purposes only, including without limitation for the purposes of responding to your requests for information and for contacting you. REBASOFT LIMITED may provide aggregated statistics about your use of the Software to third parties, but such information will be aggregated so that it does not identify a particular individual or company.

5. LIMITED WARRANTY.

(42)

will be uninterrupted or error free. The foregoing warranty applies only to failures in operation of the Software that are reproducible in standalone form and does not apply to:

(i) Software that is modified or altered by you or any third party that is not authorized by REBASOFT LIMITED; (ii) Software that is otherwise operated in violation of this Agreement or other than in accordance with the published documentation; or

(iii) failures which are caused by other software or hardware products. To the maximum extent permitted under applicable law, REBASOFT LIMITED and its supplier's entire liability and your exclusive remedy under the express warranty for any breach of the foregoing warranty, REBASOFT LIMITED will, at its sole option and expense, promptly repair or replace any medium or Software which fails to meet this limited warranty or, if REBASOFT LIMITED is unable to repair or replace the medium or the Software, refund to you the applicable license fees paid upon return, if applicable, of the nonconforming item to REBASOFT LIMITED (in the case of a subscription license, the unused repaid subscription fees). The warranty is void if failure of the Software has resulted from accident, abuse or misapplication. Any replacement Software will be warranted for 30 days. REBASOFT LIMITED WARRANTS THAT THE SOFTWARE AND RELATED DOCUMENTATION DO NOT INFRINGE ON ANY PATENTS, COPYRIGHTS OR TRADEMARKS OR CONSTITUTE MISAPPROPRIATION OF THIRD PARTY PROPRIETARY INFORMATION. EXCEPT AS EXPRESSLY STATED IN THIS SECTION, REBASOFT LIMITED IS PROVIDING AND LICENSING THE SOFTWARE TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

6. LIMITATION OF LIABILITY.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL REBASOFT LIMITED BE LIABLE TO YOU FOR MORE THAN THE AMOUNT OF LICENSE FEES THAT YOU HAVE PAID TO REBASOFT LIMITED IN THE PRECEDING (12) TWELVE MONTHS OR BE LIABLE TO YOU FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE OR SOFTWARE PROGRAMS, EVEN IF REBASOFT LIMITED OR A DEALER AUTHORIZED BY REBASOFT LIMITED HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7. GENERAL.

If any provision of this Agreement is held to be unenforceable, that shall not affect the enforceability of the remaining provisions. This Agreement shall be governed by the laws of the United Kingdom, without regard to any conflict of laws provisions, except that the United Nations Convention on the International Sale of Goods shall not apply.

8. COMPLETE AGREEMENT.

This Agreement constitutes the entire agreement between the Parties and supersedes all prior or

contemporaneous communications, agreements and understandings, written or oral, with respect to the subject matter hereof including without limitation the terms of any EULA contained in the software or any purchase order issued in connection with this Agreement. This Agreement shall not be amended or modified except in a writing signed by authorized representatives of each party.

MAC Auditor Administration Guide

Release 1.73, Rev. 1

Table of Contents

Introduction

Compliance

Installation and Configuration

Minimum System Requirements

Installing MAC Auditor

Logging in for the first time

Installation of License key

Application structure

User administration

System settings administration

Device administration

Sites administration

User Lookup administration

Using MAC Auditor

Reports

Operations

Searches

Watch list

3rd Party Integration

Appendices

Appendix1: Glossary

Appendix 2: System settings and information

Appendix 3: Troubleshooting

Appendix4: Third Party Software Components

Appendix5: End User Licence Agreement