3e Technologies International AirGuard 3e-525A-3 User Manual Download Page 108

Page: 108 / 112

3e-525A–3 Wireless Access Point

Appendix A: Misuse Guidelines

A-2

29000167-001 B

The TOE may initially operate in an

unsafe state since wireless encryption

The TOE may initially operate in an

is not initially turned on.

unsafe state since wireless encryption

The TOE factory default settings ini-

tialize such that the wireless radio is

The TOE factory default settings ini-

off and must be manually confi gured.

The manual confi guration prompts for

off and must be manually confi gured.

encryption and for static or dynamic

The manual confi guration prompts for

key management so the user cannot

encryption and for static or dynamic

forget to enable encryption.

key management so the user cannot

A client has been probing a TOE using

different SSIDs (Service Set Identifi ers)

A client has been probing a TOE using

in each probe. This may indicate an at-

tacker’s attempt to guess the network

in each probe. This may indicate an at-

SSID, which could allow the attacker

tacker’s attempt to guess the network

to gain access to the network.

Only client devices that belong to the

approved MAC address list are al-

Only client devices that belong to the

lowed to join the network, and these

approved MAC address list are al-

clients are provided with the SSID

lowed to join the network, and these

a priori

. All other client devices are

clients are provided with the SSID

blocked from associating to the TOE.

a priori

A wireless client device may fail au-

thentication to the TOE, then repeat-

A wireless client device may fail au-

edly try to re-authenticate in order to

thentication to the TOE, then repeat-

guess passwords or glean information

edly try to re-authenticate in order to

about how to pass authentication.

guess passwords or glean information

The TOE supports a policy such that

following repeated failed authentica-

The TOE supports a policy such that

tion attempts, a client device is added

following repeated failed authentica-

to a “cannot join” list and is prevented

tion attempts, a client device is added

from accessing the wireless network.

to a “cannot join” list and is prevented

An administrator, including the

Crypto Offi cer, may incorrectly install

An administrator, including the

or confi gure the TOE resulting in inef-

Crypto Offi cer, may incorrectly install

fective security mechanisms.

or confi gure the TOE resulting in inef-

The TOE provides administrators,

including Crypto Offi cers, with the

The TOE provides administrators,

necessary information for secure man-

including Crypto Offi cers, with the

agement.

Lack of or insuffi cient tests to dem-

onstrate that all TOE security func-

tions operate correctly (including in a

onstrate that all TOE security func-

fi elded TOE) may result in incorrect

tions operate correctly (including in a

TOE behavior being undiscovered

fi elded TOE) may result in incorrect

thereby causing potential security

TOE behavior being undiscovered

vulnerabilities.

thereby causing potential security

The TOE provides the capability to

test the TSF to ensure the correct op-

The TOE provides the capability to

eration of the TSF at a customer site.

test the TSF to ensure the correct op-

Power-on and conditional self-test

suites have been evaluated during the

FIPS 140-2 validation process for the

suites have been evaluated during the

TOE.

A user or process may cause, through

an unsophisticated attack, TSF data,

A user or process may cause, through

or executable code to be inappropri-

an unsophisticated attack, TSF data,

ately accessed (viewed, modifi ed, or

or executable code to be inappropri-

deleted).

ately accessed (viewed, modifi ed, or

The TOE provides functions and facili-

ties necessary to support the admin-

The TOE provides functions and facili-

istrators, including Crypto Offi cer, in

ties necessary to support the admin-

their management of the security of

istrators, including Crypto Offi cer, in

the TOE, and restrict these functions

their management of the security of

and facilities from unauthorized use.

A user may gain access to services

(either on the TOE or by sending data

A user may gain access to services

through the TOE) for which they are

(either on the TOE or by sending data

not authorized according to the TOE

through the TOE) for which they are

security policy.

not authorized according to the TOE

The TOE mediates the fl ow of infor-

mation to and from wireless clients

communicating via the TOE RF

Transmitter/Receiver interface in

communicating via the TOE RF

accordance with its FIPS 140-2 public

security policy.

accordance with its FIPS 140-2 public

A user or process may gain unauthor-

ized access to data through realloca-

A user or process may gain unauthor-

tion of TOE resources from one user or

ized access to data through realloca-

process to another.

The TOE ensures that any informa-

tion contained in a protected resource

The TOE ensures that any informa-

within its Scope of Control is not

tion contained in a protected resource

released when the resource is real-

within its Scope of Control is not

located. All relevant Critical Security

Parameters (CSPs) within the TOE are

located. All relevant Critical Security

zeroized when the resource is real-

located. This CSP zeroization has

been evaluated within the FIPS 140-2

validation process.

Summary of Contents for AirGuard 3e-525A-3

Page 1: ...AirGuard Wireless Access Point User s Guide Model 3e 525A 3 3e Technologies International 700 King Farm Blvd Suite 600 Rockville MD 20850 301 670 6779 www 3eti com 29000167 001 B publ 10 18 05 ...

Page 2: ...This page intentionally left blank ...

Page 3: ...3e Technologies International s AirGuard Wireless Access Point User s Guide Model 3e 525A 3 ...

Page 4: ...to locate a copy of the license contact 3e Technologies International and a copy will be provided to you ___________________________________ UNITED STATES GOVERNMENT LEGEND If you are a United States Government agency then this documentation and the product described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed ...

Page 5: ... and Management 11 Management 11 3e 525A 3 Navigation Options 12 Chapter 2 Hardware installation 13 Preparation for Use 13 Installation Instructions 14 Minimum System and Component Requirements 14 Cabling 15 Outdoor Protection Kit Installation 16 Earth Ground Connection 17 Lighnting Arrestor Installation 17 The Indicator Lights 19 External Reset Kit 20 Chapter 3 Access Point Configuration 21 Intro...

Page 6: ...ng Reports 51 System Status 51 Bridging Status 52 Bridge Site Map 53 Wireless Clients 54 Adjacent AP List 55 DHCP Client List 56 System Log 56 Web Access Log 57 Network Activity 57 Auditing 58 Log 58 Report Query 59 Configuration 59 System Administration 61 System Upgrade 61 Firmware Upgrade 61 Local Configuration Upgrade 62 Remote Configuration Upgrade 63 Factory Default 65 Remote Logging 65 Rebo...

Page 7: ...Configuration 87 Point to Point Bridging Setup Guide Manual Mode 88 Point to Point Bridging Setup Guide Auto Mode 88 Point to Multipoint Bridge Configuration 92 Point to Multipoint Bridging Setup Guide Manual Mode 93 Point to Multipoint Bridging Setup Guide Auto Mode 93 Repeater Bridge Configuration 94 Repeater Bridging Setup Guide Manual Mode 94 Repeater Bridging Setup Guide Auto Mode 95 Chapter ...

Page 8: ...vi 29000167 001 B ...

Page 9: ...is sold with the 3e 110 long range PC Card or sold separately for use with other compatible PC Cards If you are using the 3e 525A 3 in non FIPS 140 2 mode you can select None Static 3DES Static AES Static WEP or WPA WPA uses TKIP or AES CCMP so you can employ legacy client WEP cards and still secure the wireless band The 3e 525A 3 incorporates Power over Ethernet The PoE interface on the 3e 525A 3...

Page 10: ...n validated against FIPS 46 3 for 168 bit keys Basic Features The 3e 525A 3 is housed in a sturdy case which is not meant to be opened except by an authorized technician for maintenance or repair If you wish to reset to factory settings use the reset function available through the GUI based management module The 3e 525A 3 is wall mountable It has the following features Ethernet uplink WAN port Loc...

Page 11: ...the following conditions The wireless device and wireless access point must have been configured to recognize each other using the SSID a unique ID assigned in setup so that the wireless device is seen to be part of the network by the 3e 525A 3 Encryption and authentication capabilities and types en abled must conform and If MAC filtering is used the 3e 525A 3 must be configured to allow disallow ...

Page 12: ...g 2 4GHz WLANs that don t use Super G because there isn t enough room in the 2 4GHz wireless LAN spectrum for the increased spectrum used by channel bonding Moreover Super G doesn t check to see if 11b or 11g standards compliant devices are in range before using its non standard techniques Network Configuration The 3e 525A 3 is an access point with bridging setup capability Access point Gateway pl...

Page 13: ...Ethernet network to bridge between the wired and wireless environments Each AP can operate independently of the other APs on the LAN Multiple APs can coexist as separate individual networks at the same site with a different network ID SSID 3 The last and most prevalent use is multiple APs connected to a wired network and operating off that network s DHCP server to provide a wider coverage area for...

Page 14: ...us Server for key management with either TKIP or AES CCMP Bridging encryption is established between 3e 525A 3 s and includes use of AES ECB or 3DES encryption approved by the National Institute of Standards and Technology NIST for U S Government and DoD agencies SSID The Service Set ID SSID is a string used to define a common roam ing domain among multiple wireless access points Different SSIDs o...

Page 15: ...PA mode and AES ECB or 3DES for FIPS 140 2 mode and for the bridging channel FIPS 802 11i IEEE 802 11i is a Layer 2 specification that focuses on strengthening IEEE 802 11 security at the MAC sublayer It is completely separate from and independent of VPN designs or architectures which are often imple mented at Layer 3 IEEE 802 11i goes beyond the simple flawed encryp tion mechanism of 1999 802 11 ...

Page 16: ...i depends upon 802 1X to control the flow of MSDUs between the DS and STAs by use of the IEEE 802 1X Controlled Uncontrolled Port model IEEE 802 1X authen tication frames are transmitted in 802 11 Data frames and passed via the IEEE 802 1X Uncontrolled Port The 802 1X Controlled Port is blocked from passing general data traffic between two STAs until an 802 1X authentication procedure completes su...

Page 17: ...terconnect two different VLANs routers or Layer 3 switches are used These routers or Layer 3 switches execute inter VLAN routing or routing of traffic between VLANs Broadcast traffic is then terminated and isolated by these Layer 3 devices for example a router or Layer 3 switch will not route broadcast traffic from one VLAN to another Wireless VLAN is an extension of Layer 2 wired VLANs in wireles...

Page 18: ...identifies each node of a network In IEEE 802 networks the Data Link Control DLC layer of the OSI Reference Model is divided into two sub layers the Logical Link Control LLC layer and the Media Access Control MAC layer The MAC layer interfaces directly with the network media Consequently each type of network media requires a unique MAC address Authentication is the process of proving a client iden...

Page 19: ...re defined with three basic attributes username role and authentication credentials i e password A user account can be defined as a normal user or as an administrator Administrative users can access the TOE management interface in addition to being able to use the wireless network while normal users can only access the wireless net work The TOE authentication sequence includes a counter for unsucc...

Page 20: ... Filtering Port Filtering Port Filtering Virtual Server Virtual Server DMZ DMZ Advanced Advanced User Management User Management User Management User Management List All Users Edit Delete List All Users Edit Delete List All Users Edit Delete List All Users Edit Delete Add New User Add New User Add New User Add New User User Password Policy User Password Policy Monitoring Reports Monitoring Reports...

Page 21: ...th a range of 30 degrees C to 70 degrees C The latter version of the product employs ThermoElectric Cooler TEC technology to extend the product into the higher temperature environment The TEC Technology comes with a price it requires power to trans fer the heat Unfortunately this raises the electric current requirement to 25 watts beyond the 802 3af specification of 15 4 watts To ensure that the 5...

Page 22: ... equip ment Installation Instructions The 3e 525A 3 is intended to be installed as part of a complete wire less design solution This manual deals only with the 3e 525A 3 device and its accessories The purpose of this chapter is the description of the device and its iden tifiable parts so that the user is sufficiently familiar to interact with the physical unit Preliminary setup information provide...

Page 23: ...5 5 or later or Netscape 6 2 or later installed on the PC or laptop you will be using to configure the Access Point TCP IP Protocol usually comes installed on any Windows PC Cabling The following illustration shows the external cable connectors on the 3e 525A 3 The WAN connector is used to connect the 3e 525A 3 to the organiza tion s LAN The RED Ethernet PoE cable is attached to the WAN port of th...

Page 24: ...o install this protection will void the warranty The Outdoor Protection Kit 3e OPK 3 contains the following items 10 inch 10AWG wire with 8 ring terminal on one end and a 10 ring terminal on the other end 12 inch 10 AWG wire with 8 ring terminal on one end and a 10 ring terminal on the other end 18 inch 10 AWG wire with 8 ring terminal on one end and a 10 ring terminal on the other end Three light...

Page 25: ...t the unit s metal case The earth ground ring terminal should be the first con nection on the unit s grounding stud NOTE The cable used to connect to a proper earth ground must be AWG 10 or heavier This cable should be kept as short as possible Lighnting Arrestor Installation Examine the lightning arrestors and remove and discard the following items if necessary See figure below Securing Nut Washe...

Page 26: ... the N connector finger tight Attach the ring terminal from the Lightning Arrestors ground cable to the grounding stud on the 3e 525A 3 unit The lightning arrestor s ring terminal should be attached to the unit after the earth ground ring terminal is attached Perform this same procedure for every antenna installed on the unit It is recommended that this Outdoor Protection Kit be replaced every thr...

Page 27: ...on is passing through the AP connection WLAN2 Activity This light may be steady or blinking and indicates that information is passing through the Bridge connection WLAN Signal Strength The Strength LED indicator indicates the strength of the Bridge connection WLAN2 1 LED Off means no connection on the bridge side or the signal is very weak 2 LED blinks slowly every 1 second means there is a connec...

Page 28: ...525A 3 that is used for configuration purposes Connect one end of the RED Ethernet cable provided with the 3e RK1 to the LAN LOCAL port on the 3e 525A 3 Connect the RJ 45 end of this cable to the AP side of the reset dongle Connect one end of the Eth ernet pigtail to the PC side of the dongle and connect the other end to the laptop to be used for configuring the 3e 525A 3 To reboot the 3e 525A 3 p...

Page 29: ... all the screens in the FIPS 140 2 mode There are a few differ ences in non FIPS mode which are described in the Navigation chart on page 8 Preliminary Configuration Steps For preliminary installation the 3e 525A 3 network administrator may need the following information IP address a list of IP addresses available on the organization s LAN that are available to be used for assignment to the AP s S...

Page 30: ...n for Obtain an IP address automatically is checked In Windows 2000 XP follow the path Start à Settings à Net work and Dialup Connections à Local Area Connection and select the Properties button In the Properties window highlight the TCP IP protocol and click properties Make sure that the radio button for Obtain an IP address automatically is checked Once the DHCP server has recognized your laptop...

Page 31: ...Configuration General You will immediately be directed to the System Configuration General screen for the 3e 525A 3 access point This screen lists the firmware version number for your 3e 525A 3 and allows you to set the Host Name and Domain Name as well as establish system date and time Host and Domain Names are both set at the fac tory for default but can optionally be assigned a unique name for ...

Page 32: ...ode Note that if you change modes from AP to Gateway your configura tion is not lost However if you switch from FIPS 140 2 submode to non FIPS or from IPv6 to non IPv6 submode all previously entered informa tion will be reset to factory settings Submodes There are two options under Submodes FIPS 140 2 Mode Use IPv6 Mode If you can select the Use IPv6 Mode the AP will be configured to support IPv6 ...

Page 33: ...2 1x When in IPv6 mode the AP can be accessed from the management port using IP address 192 168 15 1 This is the default IP address and it can not be changed The WAN port can not be accessed using IPv4 ad dresses If Use IPv6 mode is selected as a submode then you will need to enter a IPv6 address under System Configuration WAN and LAN screens ...

Page 34: ...or System Configu ration WAN This directs you to the System Configuration WAN screen If not using DHCP to get an IP address input the static IP information that the access point requires in order to be managed from the wired LAN This will be the IP address Subnet Mask Default Gateway and where needed DNS 1 and 2 Click Apply to accept changes ...

Page 35: ... the System Configuration LAN screen This sets up the default numbers for the four octets for a possible pri vate LAN function for the access point It also allows changing the default numbers for the LAN Subnet Mask The Local LAN port provides local access for configuration It is not advisable to change the private LAN ad dress while doing the initial setup as you are connected to that LAN ...

Page 36: ...nica tions Follow the manufacturer s instructions to set up the PC Card on each wireless device that will be part of the WLAN WARNING If you are configuring this 3e 525A 3 in FIPS 140 2 secure mode your configuration will have to be accomplished through the LAN port due to the secure nature of the access point The Wireless Access Point General screen lists the MAC Address of the AP card This is no...

Page 37: ...hen channel 11 and then continue with 1 6 11 you will have the optimum frequency spread to decrease noise If you click on the button Select the optimal channel a popup screen will display the choices It will select the optimal channel for you You can also set it up to automatically select the optimal channel at boot up CHANNEL NO OPTIONS Wireless Mode Channel No 802 11b 802 11g 802 11b g Mixed 1 2...

Page 38: ...RTS threshold the RTS CTS handshaking is performed DTIM 1 255 The number of beacon intervals that broadcast and multicast traffic is buffered for a client in power save mode Basic Rates Basic Rates for 802 11b 1 and 2 Mbps 1 2 5 5 and 11 Mbps The basic rates used and reported by the AP The highest rate specified is the rate that the AP uses when transmitting broadcast multicast and management fram...

Page 39: ...Encryption Options on the 3e 525A 3 In FIPS 140 2 Mode In non FIPS AP Mode None None Static AES AES ECB Static AES Static 3DES Static 3DES Dynamic Key Exchange with 3e 030 Security Server pur chased separately 802 11i and WPA Preshared Key or 802 1x us ing Radius Server and TKIP or AES CCMP FIPS 802 11i Static WEP In the following explanations the FIPS Mode security options are discussed first No ...

Page 40: ...ock cipher algorithm and encryption technique for protecting computerized infor mation With the ability to use even larger 192 bit and 256 bit keys if desired it offers higher security against brute force attack than the old 56 bit DES keys The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the oppor...

Page 41: ...DES enter a 192 bit key as 48 hexidecimal digit 0 9 a f or A F The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no longer displayed in plain text ...

Page 42: ...g the AP to pre authenticate a client decreases the transition time when a client roams between APs As an alternative for business applications who have installed Ra dius Servers select 802 1x and input the Primary Radius Server and RFC Backend security settings Use of Radius Server for key management and authentication requires that you have installed a separate certification sys tem and each cli...

Page 43: ...e clients and configuring the 3e Technologies International s Security Server software with the appropriate root certifi cate The Security Server software application is discussed in a separate manual If you have installed the Security Server software Dynamic Key Management is the preferred security setup Configure the IP address and password of the security server and set the key type Key type wi...

Page 44: ...to 64 bit or 128 bit encryption The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no longer displayed in plain text WEP Wired Equivalent Privacy Encryption is a security protocol for wireless local area networks WLANs defined in the ...

Page 45: ...the time the user crossed into the network s space These utilities can be used to determine whether your network is unsecured Note that if WEP is enabled that same WEP key must also be set on each wireless device that is to become part of the wireless network and if shared key is accepted then each wireless de vice must also be coded for shared key To use WEP encryption iden tify the level of encr...

Page 46: ...ric hexadecimals in the Passphrase field If your clients use WPA TKIP select TKIP as encryption type If your clients use WPA AES select AES CCMP If a combination select AUTO Enable pre authentication to allow a client to authenticate in advance with the AP before the client is associated with it Allowing the AP to pre authenticate a client decreases the transition time when a client roams between ...

Page 47: ...3e 525A 3 Wireless Access Point Chapter 3 Access Point Configuration 29000167 001 B 39 If you will be using MAC Address filtering navigate next to the MAC Address Filtering screen ...

Page 48: ...VLAN tagged which means an external network unit such as a router switch or a VLAN enabled computer has to be used to terminate the VLAN traffic Data originating from or targeting to a wireless network cli ent is tagged with the VLAN ID corresponding to an SSID it is associated with Data generated by an Access Point itself is tagged with the manage ment VLAN ID ...

Page 49: ...ped with the authorized MAC addresses will be able to communicate with the access point In this case input the MAC addresses of all the PC cards that will be authorized to access this access point The MAC ad dress is engraved or written on the PC PCMCIA Card If Filtering is enabled and Filter Type is Allow All Except Those Listed Below those devices with a MAC address which has been entered in the...

Page 50: ...s for notification of any rogue or non trusted APs The MAC Address for the 3e 525A 3 is located on the System Configuration General screen You can also select the follow ing filter options SSID FIlter Check the SSID option to only send rogue APs that match the AP s SSID or wireless bridge s SSID Channel Filter Check the channel filter option to only send rogue APs that match the AP s channel or th...

Page 51: ... between APs If two APs with similar settings are in a conference room depending on the location of the APs all wire less clients could potentially associate with the same AP leaving the other AP unused Load balancing attempts to evenly distribute the wireless clients on both APs Layer 2 isolation prevents wireless clients that associate with the same AP from communicating with each other Once you...

Page 52: ...he Local LAN port The default factory setting for the DHCP server function is enabled You can disable the DHCP server function if you wish but it is not recommended You can also set the range of addresses to be assigned The Lease period after which the dynamic address can be reassigned can also be varied The DHCP server function accessible only from the LAN port is used for initial configuration o...

Page 53: ...s connected to a different subnet than its home subnet If subnet roaming is supported by the wireless infrastructure the client is able to continue its network connectivity without having to change its IP address Therefore to the mobile device roaming is transparent and it will continue to function as if it is in its home subnet The coordinator is a separate server that keeps track of the client s...

Page 54: ...the SNMP Manager which usually resides on a network administra tor s computer The SNMP Manager function interacts with the SNMP Agent to execute applications to control and manage object variables interface features and devices in the gateway Common forms of managed infor mation include number of packets received on an interface port status dropped packets and so forth SNMP is a simple request and...

Page 55: ...s ob tained Access Control Defines the level of management interaction per mitted If using SNMPv3 enter a username minimum of eight characters authentication type with key and data encryption type with a key If FIPS mode only SHA and AES are supported This configuration information will also need to be entered in your MIB manager setup Misc Service Under Misc Services you can enable or disable you...

Page 56: ... for the unit You can edit or delete users from this screen If you click on Edit the User Management Edit User screen ap pears On this screen you can edit the user ID password role and note fields The Password Generator button creates a random password so that you don t need to create one Initially the password is shown in plain text so that you can copy it Once the Apply button is pressed the pas...

Page 57: ...nt Add New User screen allows you to add new Administrators and CryptoOfficers assigning and confirming the password The screen shown above is the screen as it will appear in FIPS 140 2 mode The Password complexity check and the Minimal Password length are established on the User Management User Password Policy screen ...

Page 58: ...rd Policy screen allows you to enable a Password Complexity Check when you are in FIPS 140 2 mode The definition of a complex password is a password that contains charac ters from 3 of the following 4 groups uppercase letters lowercase letters numerals and symbols If enabled you must also select minimum pass word length Click Apply to save your selection ...

Page 59: ...riety of lists and status reports Most of these are self explanatory System Status The Monitoring Report System Status screen displays the status of the 3e 525A 3 device the network interface and the routing table There are some pop up informational menus that give detailed infor mation about CPU PCI Interrupts Process and Interfaces ...

Page 60: ...ter 3 Access Point Configuration 52 29000167 001 B Bridging Status The Monitoring Report Bridging Status screen displays the Eth ernet Port STP status Ethernet DSL Port STP status Wireless Port STP status and Wireless Bridging information ...

Page 61: ...ing tree network topology of both wired and wireless nodes connected to the network The root STP node is always on top and the nodes of the hierarchy are displayed below it Wired links are double dotted lines and wireless links are single dotted lines This map does not update dynamically You must press the Update button to refresh the map ...

Page 62: ...works with 3e 010F Crypto Client in FIPs mode If Transmit power is disabled either by setting TX Pwr Mode to Off on the management screen or by using the RF Manager Chapter 6 the Wireless Clients page will show the results from each associated client in the EMCON Response column If the client responds to the disable command a Yes is displayed If the column contains a No this can mean either the cl...

Page 63: ...ars as which indicates the status record is not applicable Adjacent AP List The Monitoring Report Adjacent AP List screen shows all the APs on the network If you select the check box next to any AP shown the AP will thereafter be accepted by the 3e 525A 3 as a trusted AP These APs are detected by the AP s wireless card and the wireless bridge s wireless card The list of APs are only within the ban...

Page 64: ... check mark the Revoke Entry selection and click Remove to confirm the action System Log The Monitoring Report System Log screen displays system facil ity messages with date and time stamp These are messages documenting functions performed internal to the system based on the system s func tionality Generally the Administrator would only use this information if trained as or working with a field en...

Page 65: ...etc using the web browser It establishes a running record regarding what actions were performed and by whom The Web access log will continue to accumulate listings If you wish to clear listings manually use the Clear button Network Activity The Network Activity Log keeps a detailed log of all activities on the network which can be useful to the network administration staff The Network Activities l...

Page 66: ...noted in the audit record For audit events resulting from actions of identified users the 3e 525A 3 shall be able to associate each auditable event with the identity of the user that caused the event The 3e 525A 3 shall be able to include or exclude auditable events from the set of audited events based on object identity user identity subject identity host identity and event type The TOE provides ...

Page 67: ...rt based on start time end time MAC address or unique record IDs Configuration The Auditing Configuration screen is used to configure the auditing settings You can enable and disable the auditing function on this screen You can select which audit event types you wish to log The following figure shows the screen and the table lists event types and descriptions ...

Page 68: ...Individual log messages appear from the application and driver since keys are held in both loca tions STA Failed Authentication A station s authentication request is dropped because it doesn t match the MAC address filter STA Associated A station successfully associates to the AP Encryption Algorithm Changed The encryption algorithm is changed including bypass mode Failed FIPS Policy All HMAC AES ...

Page 69: ...lso a configuration file transfer option which allows the system configuration file from one AP to be transferred to another AP in order to minimize the administration of the APs Only configuration parameters that can be shared between APs are downloaded in the con figuration file WAN IP address and hostname are not transferred in the configuration file Click on the Local Configuration Upgrade and...

Page 70: ...passphrase for that file The passphrase protects the file from unauthorized users It prevents unauthorized users from applying the system configuration file to an unauthorized AP to gain access to the network Before downloading the system configuration file to a local com puter the user must enter a passphrase to protect the file Before the sys tem configuration file can be uploaded onto another A...

Page 71: ...nfiguration file to other APs Once the file is transferred the remote AP will be rebooted Once the remote units are rebooted the site map can be updated and the File Tag will show the status of the units If the tag matches the local tag the unit was updated successfully The random configuration file is used to update the bridging SSID and bridging encryption on other devices using the existing bri...

Page 72: ...lied the unit will reboot and start using the new configuration file The automatic IP address configuration feature can be used to assign a remote device an IP address This feature minimizes the effort to con figure IP addresses in a wireless network The IP addresses are assigned on the private class A IP address range 10 0 0 0 By default this feature is enabled so if you want to assign your own I...

Page 73: ...er if a duplicate IP address is detected the bridge site map will show this device with a red IP address The distributed default gateway is the first IP address in the valid range For example for 10 128 0 0 the default gateway is 10 128 0 1 The distributed netmask is 255 0 0 0 Factory Default The System Administration Factory Default screen is used to reset the AP to its factory settings The Resto...

Page 74: ...without changing any preset functionality Both Crypto Officer and Administrator functions have access to this function Utilities The System Administration Utilities screen gives you ready access to two useful utilities Ping and Traceroute Simply enter the IP Address or hostname you wish to ping or traceroute and click either the Ping or Traceroute button as appropriate ...

Page 75: ...ce s desktop type arp d and hit return This reconfigures the MAC address in the wireless device s PC card so that it is now visible to the gateway Chapter 4 Gateway Configuration Introduction Chapter 3 covered the default configuration of the 3e 525A 3 Wireless Access Point as an access point for use as part of a host wired network This chapter covers configuration as a gateway If additional secur...

Page 76: ...3e 525A 3 Wireless Access Point Chapter 4 Gateway Configuration 68 29000167 001 B A comparison of gateway and access point setup for the 3e 525A 3 ...

Page 77: ... AP to Gateway your configura tion is not lost However if you switch from FIPS 140 2 submode to non FIPS all previously entered information will be reset to factory settings You can then proceed to change the management screens as necessary to reconfigure the device as a gateway Configuration in gateway mode allows you to set firewall parameters This is the main difference between the screens you ...

Page 78: ... The WAN IP address is the Public IP address required to link the pri vate WLAN users to the external enterprise or shipboard network which is to be outside the protected wireless LAN Normally you will be provided with the IP address Subnet Mask Default Gateway and DNS to assign by the Network Administrator for the Ethernet Network There are two ways to configure the WAN IP address 1 Obtain an IP ...

Page 79: ... port The IP aliasing entries can be used by the virtual server to map a public IP address to a private IP address If the virtual server needs to map multiple public IP addresses to multiple private IP addresses the IP aliasing entries can be used to create additional public IP addresses These entries are always static entries and can not use DHCP ...

Page 80: ...Con figuration LAN This directs you to the System Configuration LAN screen This sets up the default numbers for the four octets for a possible pri vate LAN function for the access point You can also change the default subnet mask The Local LAN port provides DHCP server functionality to automatically assign an IP address to a computer Ethernet port ...

Page 81: ...encryption is set by the CryptoOfficer It is recommended that you set encryption as soon as possible Gateway mode has the same encryption options as the AP mode Firewall Content Filtering Click the entry on the left hand navigation panel for Firewall Con tent Filtering The Content Filtering screen allows the system adminis trator to identify particular hosts or IPs that will be blocked from access...

Page 82: ...rtain IPs on the Private LAN from ac cessing your Internet connection It restricts clients to those with a specific IP Address Port Filtering Click the entry on the left hand navigation panel for Firewall Port Filtering Port filtering permits you to configure the Gateway to block outbound traffic on specific ports It can be used to block the wireless network from using specific protocols on the ne...

Page 83: ...rt 23 FTP port 21 and Web server port 80 Client computers on the Private LAN can host these applications and allow users from the Internet to access these applications hosted on the virtual servers This is done by mapping virtual servers to private IP addresses according to the specific TCP port application As the planning table below shows we have identified a Telnet port 23 virtual server for pr...

Page 84: ...d to the wired network or Internet for unrestricted two way communication This configuration is typically used when a computer is operating a proprietary client software or 2 way communication such as video teleconferencing where multiple TCP port assignments are required for communication To assign a PC the DMZ host status fill in the Private IP address which is identified as the exposed host and...

Page 85: ...ay Configuration 29000167 001 B 77 Advanced Firewall As advanced firewall functions you can enable disable Block Ping to WAN Web based management from WAN port SNMP management from WAN port These options allow you more control over your environment ...

Page 86: ...3e 525A 3 Wireless Access Point Chapter 4 Gateway Configuration 78 29000167 001 B This page intentionally left blank ...

Page 87: ...dging of two Ethernet links Point to multipoint bridging of several Ethernet links Repeater mode The wireless bridging screens are the same whether you are in access point or gateway mode Bridging is a function that is set up in addition to basic access point or gateway setup If you will be using the 3e 525A 3 solely as a bridge some of the settings you may have selected for access point gateway u...

Page 88: ...ss bridging AWB with a maximum num ber of allowable bridges the default is 40 Auto forming Wireless Bridging When the wireless bridge is in auto forming mode the wireless bridge sniffs for beacons from other wireless bridges and identifies APs that match a policy such as SSID and channel Instead of simply adding the APs with the same SSID channel to the network a three way association handshake is...

Page 89: ...allowed Bridge Priority 1 40 Determines the root leaf STP node The lowest bridge priority in the net work will become the STP root Signal Strength Threshold 27 21 15 9 Prevents the node under the thresh old from associating and joining the network Broadcast SSID Diable Enable When disabled the AP hides the SSID in outgoing beacon frames and sta tions cannot obtain the SSID through passive scanning...

Page 90: ...rength LED MAC Not Assigned Allows you to set the number of one of the Remote APs which will be listed at the bottom of the screen once the system is operational This wireless bridge be comes the guiding port that is displayed in the WLANNSS LED on the front of the 3e 525A 3 as a signal Spanning Tree Protocol STP Enable Disable Enable STP is there is any possiblity that a bridging loop could occur...

Page 91: ...ation If you select Enable ref esh you can set the bridge refresh interval from 5 seconds to 30 minutes Refreshing the screen allows you to see the effect of aiming the antenna to improve signal strength Wireless Bridge Radio The Wireless Bridge Radio screen contains wireless bridging information including the channel number Tx rate Tx power spanning tree protocol 802 1d enable disable and remote ...

Page 92: ... optimal rate for the chan nel If a fixed rate is used the card will only transmit at that rate 802 11a Turbo AUTO The card attempts to select the opti mal rate for the channel Channel No 802 11b g Mixed 1 2 412 GHz 2 2 417 GHz 3 2 422 GHz 4 2 427 GHz 5 2 432 GHz 6 2 437 GHz 7 2 442 GHz 8 2 447 GHz 9 2 452 GHz 10 2 457 GHz 11 2 462 GHz Sets the channel frequency for the wireless bridge 802 11g Sup...

Page 93: ...wireless bridge when the Tx Pwr Mode is off Fixed Pwr Level 1 2 3 4 5 Select a range when Rx Pwr Mode is set to FIXED Level 1 is the shortest distance Level 1 7dBm and Level 5 is the longest Level 5 15dBm Propagation Distance 5 Miles 5 10 Miles 11 15 Miles 16 20 Miles 21 25 Miles 26 30 Miles 30 Miles Set the distance based on the distance between this bridge and furthest bridge that is connected t...

Page 94: ...page to set up to ensure that your bridge is working correctly The encryption key that you use on this screen must be the same for any bridge connected to your bridging network in order for communication to occur On this screen you can select None Static 3DES 192 bit or Static AES 128 bit 192 bit or 256 bit The following sections describe the setup for three types of bridging configuration point t...

Page 95: ...idging there can be a separate WLAN on the AP WLAN card with no loss efficiency as long as you set the channel numbers so there s no conflict or noise with the channel as signed to the bridge Spanning Tree Protocol may be set to Enable if there is any possibility of a bridging loop or to Disable which is more efficient if there s no possibility of a bridging loop Each bridge must contain the other...

Page 96: ...e length and value Must be the same key as Bridge 2 Select appropriate key type length and value Must be the same key as Bridge 1 Point to Point Bridging Setup Guide Auto Mode Direction Bridge 1 Bridge 2 Wireless Bridge Genral Auto Bridging Mode Bridging Mode Auto bridging selected Auto bridging selected SSID Must be the same as Bridge 2 Must be the same as Bridge 1 Max Auto Bridges 40 range 1 40 ...

Page 97: ... Next select the Channel Number The Channel Number must be set to the same frequency in order for each bridge to communicate TX Pwr Mode can be left on Auto unless the power needs to be regulated Select the Propagation Distance which is based on the distance be tween a bridge and the furthest bridge that is connected to it Set the RTS Threshold which is the number of bytes used for the RTS CTS han...

Page 98: ...rom this screen you can also choose to delete a remote AP s MAC ad dress Click Apply to accept your changes If you choose Auto Bridging mode then you will need to enter the follwoing information Enter the SSID This can be any set of letters and numbers assigned by the network administrator This nomenclature has to be set on the wireless bridge and each wireless device in order for them to communi ...

Page 99: ...wireless bridge will be indicated on the Signal Strength LED located on the front of the case Next navigate to the Wireless Bridge Encryption screen Select the appropriate key type and length and the key value The encryption key value and type for Bridge 1 must be the same as for Bridge 2 For wireless bridging only AES and 3DES are available for encryption ...

Page 100: ...t have the same channel number Span ning Tree Protocol will usually be set to Enable If configured as in the diagram following Bridge 1 must contain all of the others BSSIDs while Bridge 2 n must only contain Bridge 1 s BSSID The BSSID of each is equivalent to the MAC address found on the Wireless Bridge Radio page Enter only hexadecimal numbers Data entry is not case sensitive Finally the wireles...

Page 101: ...and value Must be the same key as Bridge 2 n Select appropriate key type length and value Must be the same key as Bridge 1 Point to Multipoint Bridging Setup Guide Auto Mode Direction Bridge 1 Bridge 2 n Wireless Bridge Radio Wirelss Mode 802 11a 802 11a Tx Rate AUTO AUTO Channel No Same as Bridge 2 n Same as Bridge 1 Tx Power Mode Auto Auto Propagation Distance 5 Miles 5 Miles RTS Threshold 2346 ...

Page 102: ...dge can control a wireless LAN at a distance Repeater Bridging Setup Guide Manual Mode Direction Bridge 1 Bridge 2 Bridge 3 Wireless Bridge Radio Wireless Mode 802 11a 802 11a 802 11a Tx Rate AUTO AUTO AUTO Channel No Same as Bridge 2 Same as Bridge 1 Same as Bridge 1 Tx Power Mode Auto Auto Auto Propagation Dis tance 5 Miles 5 Miles 5 Miles RTS Threshold 2346 2346 2346 BSSID Add Bridge 2 s MAC Ad...

Page 103: ...idge General Auto Bridging Mode Bridging Mode auto auto auto SSID Must be the same as Bridge 2 Must be the same as Bridge 1 Must be the same as Bridge 1 Max Auto Bridges 40 range 1 40 40 range 1 40 40 range 1 40 Bridge Priority 40 1 40 40 1 40 40 1 40 Signal Strength Threshold 9 9 9 Signal Strength MAC Enter from list at the bottom of the screen Enter from list at the bottom of the screen Enter fr...

Page 104: ...3e 525A 3 Wireless Access Point Chapter 5 Wireless Bridge Configuration 96 29000167 001 B This page intentionally left blank ...

Page 105: ...eral Communications Commission s Rules and Regulations These limits are designed to pro vide reasonable protection against harmful interference when the equip ment is operated in a commercial environment This equipment gener ates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications...

Page 106: ...3e 525A 3 Wireless Access Point Chapter 6 Technical Support 98 29000167 001 B This page intentionally left blank ...

Page 107: ...mic Host Control Proto be able to obtain an IP address using col after successfully associating with DHCP Dynamic Host Control Proto col after successfully associating with DHCP Dynamic Host Control Proto the TOE This means that the Wireless col after successfully associating with the TOE This means that the Wireless col after successfully associating with Scanner client device has gained ac cess ...

Page 108: ...ure man including Crypto Officers with the agement Lack of or insufficient tests to dem onstrate that all TOE security func tions operate correctly including in a onstrate that all TOE security func tions operate correctly including in a onstrate that all TOE security func fielded TOE may result in incorrect tions operate correctly including in a fielded TOE may result in incorrect tions operate c...

Page 109: ...n interfaces The TSF cryptographic boundary disclosure through its own interfaces and all ports and interfaces meet this The TSF cryptographic boundary and all ports and interfaces meet this The TSF cryptographic boundary objective as part of the FIPS 140 2 and all ports and interfaces meet this objective as part of the FIPS 140 2 and all ports and interfaces meet this Chapter 2 Cryptographic Modu...

Page 110: ...3e 525A 3 Wireless Access Point Appendix A Misuse Guidelines A 4 29000167 001 B ...

Page 111: ...d by Belgian cryptographers Joan Daemen and Vincent Rijmen The U S government adopted the algorithm as its encryption technique in October 2000 replacing the DES encryption it used AES works at multiple network layers simultaneously Bridge A device that connects two local area networks LANs or two segments of the same LAN that use the same protocol such as Ethernet or Token Ring DHCP Short for Dyn...

Page 112: ... thereafter operate as a group TKIP Temporal Key Integrity Protocol TKIP is a protocol used in WPA It scrambles the keys using a hashing algorithm and by adding an integrity checking feature ensures that the keys haven t been tampered with VPN Virtual Private Network A VPN uses encryption and other security mechanisms to ensure that only authorized us ers can access the network and that the data c...

Search results

Summary of Contents for AirGuard 3e-525A-3

Reviews:

Related manuals for AirGuard 3e-525A-3

Brands by name

Popular brands

3e Technologies International AirGuard 3e-525A-3, User Manual

Search results

Summary of Contents for AirGuard 3e-525A-3

Reviews:

Related manuals for AirGuard 3e-525A-3

Brands by name

Popular brands