3e Technologies International AirGuard 3e-525A-3 Скачать руководство пользователя страница 107

Страница: 107 / 112

3e-525A–3 Wireless Access Point

Appendix A: Misuse Guidelines

29000167-001 B

A-1

Appendix A: Misuse Guidelines

This appendix contains a vulnerability analysis for the Wireless Ac-

cess Point, referred to as the "TOE"(Target of Evaluation). The following

table contains potential threats/issues and the remedies that are em-

ployed.

Threat

Remedy

The TOE may broadcast its SSID

(Service Set Identifi er). SSIDs are

The TOE may broadcast its SSID

used to gain access to wireless access

points for 802.11 wireless networks.

used to gain access to wireless access

SSID information could be useful by

points for 802.11 wireless networks.

an attacker to glean information about

SSID information could be useful by

the wireless LAN. For this reason, an

an attacker to glean information about

access point that broadcasts the SSID

can compromise wireless network

access point that broadcasts the SSID

security.

The TOE does not broadcast its SSID.

The SSID fi eld is zeroed-out in the

broadcast 802.11 Beacon message sent

by the TOE

broadcast 802.11 Beacon message sent

A Wireless Scanner client device may

be able to connect without authen-

A Wireless Scanner client device may

ticating to the TOE. This event may

indicate that encryption is not turned

ticating to the TOE. This event may

on.

MAC address fi ltering is performed in

the TOE. Also, authentication using

MAC address fi ltering is performed in

RSA, as per the FIPS 140-2 security

the TOE. Also, authentication using

policy, is required before any client

RSA, as per the FIPS 140-2 security

device can join the wireless LAN.

policy, is required before any client

A Wireless Scanner client device may

be able to obtain an IP address using

A Wireless Scanner client device may

DHCP (Dynamic Host Control Proto-

be able to obtain an IP address using

col) after successfully associating with

DHCP (Dynamic Host Control Proto-

the TOE. This means that the Wireless

col) after successfully associating with

Scanner client device has gained ac-

cess to the IP network and can com-

Scanner client device has gained ac-

municate with other computers on the

same network. A potential attacker

municate with other computers on the

could also use DHCP in the same

same network. A potential attacker

manner to gain access to the network.

All TOE’s are confi gured to allow con-

nections only from valid, recognized

All TOE’s are confi gured to allow con-

clients. This ensures that DHCP ac-

nections only from valid, recognized

cess is secure, through a form of MAC

address fi ltering, because the DHCP

cess is secure, through a form of MAC

server is confi gured to only provide IP

address fi ltering, because the DHCP

addresses to specifi c, approved MAC

server is confi gured to only provide IP

addresses.

addresses to specifi c, approved MAC

A client is communicating directly

with the TOE. This could be an at-

A client is communicating directly

tempt to reconfi gure the TOE over the

wireless interface. Under normal, se-

tempt to reconfi gure the TOE over the

cure circumstances, TOE’s should only

be confi gured over the wired interface,

cure circumstances, TOE’s should only

through the wired network.

be confi gured over the wired interface,

All TOE’s are confi gured such that the

TOE is disabled to the access point’s

All TOE’s are confi gured such that the

confi guration options (e.g., SNMP,

TOE is disabled to the access point’s

telnet, HTTP). All communication to

confi guration options (e.g., SNMP,

the TOE occurs through the network

gateway.

Содержание AirGuard 3e-525A-3

Страница 1: ...AirGuard Wireless Access Point User s Guide Model 3e 525A 3 3e Technologies International 700 King Farm Blvd Suite 600 Rockville MD 20850 301 670 6779 www 3eti com 29000167 001 B publ 10 18 05 ...

Страница 2: ...This page intentionally left blank ...

Страница 3: ...3e Technologies International s AirGuard Wireless Access Point User s Guide Model 3e 525A 3 ...

Страница 4: ...to locate a copy of the license contact 3e Technologies International and a copy will be provided to you ___________________________________ UNITED STATES GOVERNMENT LEGEND If you are a United States Government agency then this documentation and the product described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed ...

Страница 5: ... and Management 11 Management 11 3e 525A 3 Navigation Options 12 Chapter 2 Hardware installation 13 Preparation for Use 13 Installation Instructions 14 Minimum System and Component Requirements 14 Cabling 15 Outdoor Protection Kit Installation 16 Earth Ground Connection 17 Lighnting Arrestor Installation 17 The Indicator Lights 19 External Reset Kit 20 Chapter 3 Access Point Configuration 21 Intro...

Страница 6: ...ng Reports 51 System Status 51 Bridging Status 52 Bridge Site Map 53 Wireless Clients 54 Adjacent AP List 55 DHCP Client List 56 System Log 56 Web Access Log 57 Network Activity 57 Auditing 58 Log 58 Report Query 59 Configuration 59 System Administration 61 System Upgrade 61 Firmware Upgrade 61 Local Configuration Upgrade 62 Remote Configuration Upgrade 63 Factory Default 65 Remote Logging 65 Rebo...

Страница 7: ...Configuration 87 Point to Point Bridging Setup Guide Manual Mode 88 Point to Point Bridging Setup Guide Auto Mode 88 Point to Multipoint Bridge Configuration 92 Point to Multipoint Bridging Setup Guide Manual Mode 93 Point to Multipoint Bridging Setup Guide Auto Mode 93 Repeater Bridge Configuration 94 Repeater Bridging Setup Guide Manual Mode 94 Repeater Bridging Setup Guide Auto Mode 95 Chapter ...

Страница 8: ...vi 29000167 001 B ...

Страница 9: ...is sold with the 3e 110 long range PC Card or sold separately for use with other compatible PC Cards If you are using the 3e 525A 3 in non FIPS 140 2 mode you can select None Static 3DES Static AES Static WEP or WPA WPA uses TKIP or AES CCMP so you can employ legacy client WEP cards and still secure the wireless band The 3e 525A 3 incorporates Power over Ethernet The PoE interface on the 3e 525A 3...

Страница 10: ...n validated against FIPS 46 3 for 168 bit keys Basic Features The 3e 525A 3 is housed in a sturdy case which is not meant to be opened except by an authorized technician for maintenance or repair If you wish to reset to factory settings use the reset function available through the GUI based management module The 3e 525A 3 is wall mountable It has the following features Ethernet uplink WAN port Loc...

Страница 11: ...the following conditions The wireless device and wireless access point must have been configured to recognize each other using the SSID a unique ID assigned in setup so that the wireless device is seen to be part of the network by the 3e 525A 3 Encryption and authentication capabilities and types en abled must conform and If MAC filtering is used the 3e 525A 3 must be configured to allow disallow ...

Страница 12: ...g 2 4GHz WLANs that don t use Super G because there isn t enough room in the 2 4GHz wireless LAN spectrum for the increased spectrum used by channel bonding Moreover Super G doesn t check to see if 11b or 11g standards compliant devices are in range before using its non standard techniques Network Configuration The 3e 525A 3 is an access point with bridging setup capability Access point Gateway pl...

Страница 13: ...Ethernet network to bridge between the wired and wireless environments Each AP can operate independently of the other APs on the LAN Multiple APs can coexist as separate individual networks at the same site with a different network ID SSID 3 The last and most prevalent use is multiple APs connected to a wired network and operating off that network s DHCP server to provide a wider coverage area for...

Страница 14: ...us Server for key management with either TKIP or AES CCMP Bridging encryption is established between 3e 525A 3 s and includes use of AES ECB or 3DES encryption approved by the National Institute of Standards and Technology NIST for U S Government and DoD agencies SSID The Service Set ID SSID is a string used to define a common roam ing domain among multiple wireless access points Different SSIDs o...

Страница 15: ...PA mode and AES ECB or 3DES for FIPS 140 2 mode and for the bridging channel FIPS 802 11i IEEE 802 11i is a Layer 2 specification that focuses on strengthening IEEE 802 11 security at the MAC sublayer It is completely separate from and independent of VPN designs or architectures which are often imple mented at Layer 3 IEEE 802 11i goes beyond the simple flawed encryp tion mechanism of 1999 802 11 ...

Страница 16: ...i depends upon 802 1X to control the flow of MSDUs between the DS and STAs by use of the IEEE 802 1X Controlled Uncontrolled Port model IEEE 802 1X authen tication frames are transmitted in 802 11 Data frames and passed via the IEEE 802 1X Uncontrolled Port The 802 1X Controlled Port is blocked from passing general data traffic between two STAs until an 802 1X authentication procedure completes su...

Страница 17: ...terconnect two different VLANs routers or Layer 3 switches are used These routers or Layer 3 switches execute inter VLAN routing or routing of traffic between VLANs Broadcast traffic is then terminated and isolated by these Layer 3 devices for example a router or Layer 3 switch will not route broadcast traffic from one VLAN to another Wireless VLAN is an extension of Layer 2 wired VLANs in wireles...

Страница 18: ...identifies each node of a network In IEEE 802 networks the Data Link Control DLC layer of the OSI Reference Model is divided into two sub layers the Logical Link Control LLC layer and the Media Access Control MAC layer The MAC layer interfaces directly with the network media Consequently each type of network media requires a unique MAC address Authentication is the process of proving a client iden...

Страница 19: ...re defined with three basic attributes username role and authentication credentials i e password A user account can be defined as a normal user or as an administrator Administrative users can access the TOE management interface in addition to being able to use the wireless network while normal users can only access the wireless net work The TOE authentication sequence includes a counter for unsucc...

Страница 20: ... Filtering Port Filtering Port Filtering Virtual Server Virtual Server DMZ DMZ Advanced Advanced User Management User Management User Management User Management List All Users Edit Delete List All Users Edit Delete List All Users Edit Delete List All Users Edit Delete Add New User Add New User Add New User Add New User User Password Policy User Password Policy Monitoring Reports Monitoring Reports...

Страница 21: ...th a range of 30 degrees C to 70 degrees C The latter version of the product employs ThermoElectric Cooler TEC technology to extend the product into the higher temperature environment The TEC Technology comes with a price it requires power to trans fer the heat Unfortunately this raises the electric current requirement to 25 watts beyond the 802 3af specification of 15 4 watts To ensure that the 5...

Страница 22: ... equip ment Installation Instructions The 3e 525A 3 is intended to be installed as part of a complete wire less design solution This manual deals only with the 3e 525A 3 device and its accessories The purpose of this chapter is the description of the device and its iden tifiable parts so that the user is sufficiently familiar to interact with the physical unit Preliminary setup information provide...

Страница 23: ...5 5 or later or Netscape 6 2 or later installed on the PC or laptop you will be using to configure the Access Point TCP IP Protocol usually comes installed on any Windows PC Cabling The following illustration shows the external cable connectors on the 3e 525A 3 The WAN connector is used to connect the 3e 525A 3 to the organiza tion s LAN The RED Ethernet PoE cable is attached to the WAN port of th...

Страница 24: ...o install this protection will void the warranty The Outdoor Protection Kit 3e OPK 3 contains the following items 10 inch 10AWG wire with 8 ring terminal on one end and a 10 ring terminal on the other end 12 inch 10 AWG wire with 8 ring terminal on one end and a 10 ring terminal on the other end 18 inch 10 AWG wire with 8 ring terminal on one end and a 10 ring terminal on the other end Three light...

Страница 25: ...t the unit s metal case The earth ground ring terminal should be the first con nection on the unit s grounding stud NOTE The cable used to connect to a proper earth ground must be AWG 10 or heavier This cable should be kept as short as possible Lighnting Arrestor Installation Examine the lightning arrestors and remove and discard the following items if necessary See figure below Securing Nut Washe...

Страница 26: ... the N connector finger tight Attach the ring terminal from the Lightning Arrestors ground cable to the grounding stud on the 3e 525A 3 unit The lightning arrestor s ring terminal should be attached to the unit after the earth ground ring terminal is attached Perform this same procedure for every antenna installed on the unit It is recommended that this Outdoor Protection Kit be replaced every thr...

Страница 27: ...on is passing through the AP connection WLAN2 Activity This light may be steady or blinking and indicates that information is passing through the Bridge connection WLAN Signal Strength The Strength LED indicator indicates the strength of the Bridge connection WLAN2 1 LED Off means no connection on the bridge side or the signal is very weak 2 LED blinks slowly every 1 second means there is a connec...

Страница 28: ...525A 3 that is used for configuration purposes Connect one end of the RED Ethernet cable provided with the 3e RK1 to the LAN LOCAL port on the 3e 525A 3 Connect the RJ 45 end of this cable to the AP side of the reset dongle Connect one end of the Eth ernet pigtail to the PC side of the dongle and connect the other end to the laptop to be used for configuring the 3e 525A 3 To reboot the 3e 525A 3 p...

Страница 29: ... all the screens in the FIPS 140 2 mode There are a few differ ences in non FIPS mode which are described in the Navigation chart on page 8 Preliminary Configuration Steps For preliminary installation the 3e 525A 3 network administrator may need the following information IP address a list of IP addresses available on the organization s LAN that are available to be used for assignment to the AP s S...

Страница 30: ...n for Obtain an IP address automatically is checked In Windows 2000 XP follow the path Start à Settings à Net work and Dialup Connections à Local Area Connection and select the Properties button In the Properties window highlight the TCP IP protocol and click properties Make sure that the radio button for Obtain an IP address automatically is checked Once the DHCP server has recognized your laptop...

Страница 31: ...Configuration General You will immediately be directed to the System Configuration General screen for the 3e 525A 3 access point This screen lists the firmware version number for your 3e 525A 3 and allows you to set the Host Name and Domain Name as well as establish system date and time Host and Domain Names are both set at the fac tory for default but can optionally be assigned a unique name for ...

Страница 32: ...ode Note that if you change modes from AP to Gateway your configura tion is not lost However if you switch from FIPS 140 2 submode to non FIPS or from IPv6 to non IPv6 submode all previously entered informa tion will be reset to factory settings Submodes There are two options under Submodes FIPS 140 2 Mode Use IPv6 Mode If you can select the Use IPv6 Mode the AP will be configured to support IPv6 ...

Страница 33: ...2 1x When in IPv6 mode the AP can be accessed from the management port using IP address 192 168 15 1 This is the default IP address and it can not be changed The WAN port can not be accessed using IPv4 ad dresses If Use IPv6 mode is selected as a submode then you will need to enter a IPv6 address under System Configuration WAN and LAN screens ...

Страница 34: ...or System Configu ration WAN This directs you to the System Configuration WAN screen If not using DHCP to get an IP address input the static IP information that the access point requires in order to be managed from the wired LAN This will be the IP address Subnet Mask Default Gateway and where needed DNS 1 and 2 Click Apply to accept changes ...

Страница 35: ... the System Configuration LAN screen This sets up the default numbers for the four octets for a possible pri vate LAN function for the access point It also allows changing the default numbers for the LAN Subnet Mask The Local LAN port provides local access for configuration It is not advisable to change the private LAN ad dress while doing the initial setup as you are connected to that LAN ...

Страница 36: ...nica tions Follow the manufacturer s instructions to set up the PC Card on each wireless device that will be part of the WLAN WARNING If you are configuring this 3e 525A 3 in FIPS 140 2 secure mode your configuration will have to be accomplished through the LAN port due to the secure nature of the access point The Wireless Access Point General screen lists the MAC Address of the AP card This is no...

Страница 37: ...hen channel 11 and then continue with 1 6 11 you will have the optimum frequency spread to decrease noise If you click on the button Select the optimal channel a popup screen will display the choices It will select the optimal channel for you You can also set it up to automatically select the optimal channel at boot up CHANNEL NO OPTIONS Wireless Mode Channel No 802 11b 802 11g 802 11b g Mixed 1 2...

Страница 38: ...RTS threshold the RTS CTS handshaking is performed DTIM 1 255 The number of beacon intervals that broadcast and multicast traffic is buffered for a client in power save mode Basic Rates Basic Rates for 802 11b 1 and 2 Mbps 1 2 5 5 and 11 Mbps The basic rates used and reported by the AP The highest rate specified is the rate that the AP uses when transmitting broadcast multicast and management fram...

Страница 39: ...Encryption Options on the 3e 525A 3 In FIPS 140 2 Mode In non FIPS AP Mode None None Static AES AES ECB Static AES Static 3DES Static 3DES Dynamic Key Exchange with 3e 030 Security Server pur chased separately 802 11i and WPA Preshared Key or 802 1x us ing Radius Server and TKIP or AES CCMP FIPS 802 11i Static WEP In the following explanations the FIPS Mode security options are discussed first No ...

Страница 40: ...ock cipher algorithm and encryption technique for protecting computerized infor mation With the ability to use even larger 192 bit and 256 bit keys if desired it offers higher security against brute force attack than the old 56 bit DES keys The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the oppor...

Страница 41: ...DES enter a 192 bit key as 48 hexidecimal digit 0 9 a f or A F The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no longer displayed in plain text ...

Страница 42: ...g the AP to pre authenticate a client decreases the transition time when a client roams between APs As an alternative for business applications who have installed Ra dius Servers select 802 1x and input the Primary Radius Server and RFC Backend security settings Use of Radius Server for key management and authentication requires that you have installed a separate certification sys tem and each cli...

Страница 43: ...e clients and configuring the 3e Technologies International s Security Server software with the appropriate root certifi cate The Security Server software application is discussed in a separate manual If you have installed the Security Server software Dynamic Key Management is the preferred security setup Configure the IP address and password of the security server and set the key type Key type wi...

Страница 44: ...to 64 bit or 128 bit encryption The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no longer displayed in plain text WEP Wired Equivalent Privacy Encryption is a security protocol for wireless local area networks WLANs defined in the ...

Страница 45: ...the time the user crossed into the network s space These utilities can be used to determine whether your network is unsecured Note that if WEP is enabled that same WEP key must also be set on each wireless device that is to become part of the wireless network and if shared key is accepted then each wireless de vice must also be coded for shared key To use WEP encryption iden tify the level of encr...

Страница 46: ...ric hexadecimals in the Passphrase field If your clients use WPA TKIP select TKIP as encryption type If your clients use WPA AES select AES CCMP If a combination select AUTO Enable pre authentication to allow a client to authenticate in advance with the AP before the client is associated with it Allowing the AP to pre authenticate a client decreases the transition time when a client roams between ...

Страница 47: ...3e 525A 3 Wireless Access Point Chapter 3 Access Point Configuration 29000167 001 B 39 If you will be using MAC Address filtering navigate next to the MAC Address Filtering screen ...

Страница 48: ...VLAN tagged which means an external network unit such as a router switch or a VLAN enabled computer has to be used to terminate the VLAN traffic Data originating from or targeting to a wireless network cli ent is tagged with the VLAN ID corresponding to an SSID it is associated with Data generated by an Access Point itself is tagged with the manage ment VLAN ID ...

Страница 49: ...ped with the authorized MAC addresses will be able to communicate with the access point In this case input the MAC addresses of all the PC cards that will be authorized to access this access point The MAC ad dress is engraved or written on the PC PCMCIA Card If Filtering is enabled and Filter Type is Allow All Except Those Listed Below those devices with a MAC address which has been entered in the...

Страница 50: ...s for notification of any rogue or non trusted APs The MAC Address for the 3e 525A 3 is located on the System Configuration General screen You can also select the follow ing filter options SSID FIlter Check the SSID option to only send rogue APs that match the AP s SSID or wireless bridge s SSID Channel Filter Check the channel filter option to only send rogue APs that match the AP s channel or th...

Страница 51: ... between APs If two APs with similar settings are in a conference room depending on the location of the APs all wire less clients could potentially associate with the same AP leaving the other AP unused Load balancing attempts to evenly distribute the wireless clients on both APs Layer 2 isolation prevents wireless clients that associate with the same AP from communicating with each other Once you...

Страница 52: ...he Local LAN port The default factory setting for the DHCP server function is enabled You can disable the DHCP server function if you wish but it is not recommended You can also set the range of addresses to be assigned The Lease period after which the dynamic address can be reassigned can also be varied The DHCP server function accessible only from the LAN port is used for initial configuration o...

Страница 53: ...s connected to a different subnet than its home subnet If subnet roaming is supported by the wireless infrastructure the client is able to continue its network connectivity without having to change its IP address Therefore to the mobile device roaming is transparent and it will continue to function as if it is in its home subnet The coordinator is a separate server that keeps track of the client s...

Страница 54: ...the SNMP Manager which usually resides on a network administra tor s computer The SNMP Manager function interacts with the SNMP Agent to execute applications to control and manage object variables interface features and devices in the gateway Common forms of managed infor mation include number of packets received on an interface port status dropped packets and so forth SNMP is a simple request and...

Страница 55: ...s ob tained Access Control Defines the level of management interaction per mitted If using SNMPv3 enter a username minimum of eight characters authentication type with key and data encryption type with a key If FIPS mode only SHA and AES are supported This configuration information will also need to be entered in your MIB manager setup Misc Service Under Misc Services you can enable or disable you...

Страница 56: ... for the unit You can edit or delete users from this screen If you click on Edit the User Management Edit User screen ap pears On this screen you can edit the user ID password role and note fields The Password Generator button creates a random password so that you don t need to create one Initially the password is shown in plain text so that you can copy it Once the Apply button is pressed the pas...

Страница 57: ...nt Add New User screen allows you to add new Administrators and CryptoOfficers assigning and confirming the password The screen shown above is the screen as it will appear in FIPS 140 2 mode The Password complexity check and the Minimal Password length are established on the User Management User Password Policy screen ...

Страница 58: ...rd Policy screen allows you to enable a Password Complexity Check when you are in FIPS 140 2 mode The definition of a complex password is a password that contains charac ters from 3 of the following 4 groups uppercase letters lowercase letters numerals and symbols If enabled you must also select minimum pass word length Click Apply to save your selection ...

Страница 59: ...riety of lists and status reports Most of these are self explanatory System Status The Monitoring Report System Status screen displays the status of the 3e 525A 3 device the network interface and the routing table There are some pop up informational menus that give detailed infor mation about CPU PCI Interrupts Process and Interfaces ...

Страница 60: ...ter 3 Access Point Configuration 52 29000167 001 B Bridging Status The Monitoring Report Bridging Status screen displays the Eth ernet Port STP status Ethernet DSL Port STP status Wireless Port STP status and Wireless Bridging information ...

Страница 61: ...ing tree network topology of both wired and wireless nodes connected to the network The root STP node is always on top and the nodes of the hierarchy are displayed below it Wired links are double dotted lines and wireless links are single dotted lines This map does not update dynamically You must press the Update button to refresh the map ...

Страница 62: ...works with 3e 010F Crypto Client in FIPs mode If Transmit power is disabled either by setting TX Pwr Mode to Off on the management screen or by using the RF Manager Chapter 6 the Wireless Clients page will show the results from each associated client in the EMCON Response column If the client responds to the disable command a Yes is displayed If the column contains a No this can mean either the cl...

Страница 63: ...ars as which indicates the status record is not applicable Adjacent AP List The Monitoring Report Adjacent AP List screen shows all the APs on the network If you select the check box next to any AP shown the AP will thereafter be accepted by the 3e 525A 3 as a trusted AP These APs are detected by the AP s wireless card and the wireless bridge s wireless card The list of APs are only within the ban...

Страница 64: ... check mark the Revoke Entry selection and click Remove to confirm the action System Log The Monitoring Report System Log screen displays system facil ity messages with date and time stamp These are messages documenting functions performed internal to the system based on the system s func tionality Generally the Administrator would only use this information if trained as or working with a field en...

Страница 65: ...etc using the web browser It establishes a running record regarding what actions were performed and by whom The Web access log will continue to accumulate listings If you wish to clear listings manually use the Clear button Network Activity The Network Activity Log keeps a detailed log of all activities on the network which can be useful to the network administration staff The Network Activities l...

Страница 66: ...noted in the audit record For audit events resulting from actions of identified users the 3e 525A 3 shall be able to associate each auditable event with the identity of the user that caused the event The 3e 525A 3 shall be able to include or exclude auditable events from the set of audited events based on object identity user identity subject identity host identity and event type The TOE provides ...

Страница 67: ...rt based on start time end time MAC address or unique record IDs Configuration The Auditing Configuration screen is used to configure the auditing settings You can enable and disable the auditing function on this screen You can select which audit event types you wish to log The following figure shows the screen and the table lists event types and descriptions ...

Страница 68: ...Individual log messages appear from the application and driver since keys are held in both loca tions STA Failed Authentication A station s authentication request is dropped because it doesn t match the MAC address filter STA Associated A station successfully associates to the AP Encryption Algorithm Changed The encryption algorithm is changed including bypass mode Failed FIPS Policy All HMAC AES ...

Страница 69: ...lso a configuration file transfer option which allows the system configuration file from one AP to be transferred to another AP in order to minimize the administration of the APs Only configuration parameters that can be shared between APs are downloaded in the con figuration file WAN IP address and hostname are not transferred in the configuration file Click on the Local Configuration Upgrade and...

Страница 70: ...passphrase for that file The passphrase protects the file from unauthorized users It prevents unauthorized users from applying the system configuration file to an unauthorized AP to gain access to the network Before downloading the system configuration file to a local com puter the user must enter a passphrase to protect the file Before the sys tem configuration file can be uploaded onto another A...

Страница 71: ...nfiguration file to other APs Once the file is transferred the remote AP will be rebooted Once the remote units are rebooted the site map can be updated and the File Tag will show the status of the units If the tag matches the local tag the unit was updated successfully The random configuration file is used to update the bridging SSID and bridging encryption on other devices using the existing bri...

Страница 72: ...lied the unit will reboot and start using the new configuration file The automatic IP address configuration feature can be used to assign a remote device an IP address This feature minimizes the effort to con figure IP addresses in a wireless network The IP addresses are assigned on the private class A IP address range 10 0 0 0 By default this feature is enabled so if you want to assign your own I...

Страница 73: ...er if a duplicate IP address is detected the bridge site map will show this device with a red IP address The distributed default gateway is the first IP address in the valid range For example for 10 128 0 0 the default gateway is 10 128 0 1 The distributed netmask is 255 0 0 0 Factory Default The System Administration Factory Default screen is used to reset the AP to its factory settings The Resto...

Страница 74: ...without changing any preset functionality Both Crypto Officer and Administrator functions have access to this function Utilities The System Administration Utilities screen gives you ready access to two useful utilities Ping and Traceroute Simply enter the IP Address or hostname you wish to ping or traceroute and click either the Ping or Traceroute button as appropriate ...

Страница 75: ...ce s desktop type arp d and hit return This reconfigures the MAC address in the wireless device s PC card so that it is now visible to the gateway Chapter 4 Gateway Configuration Introduction Chapter 3 covered the default configuration of the 3e 525A 3 Wireless Access Point as an access point for use as part of a host wired network This chapter covers configuration as a gateway If additional secur...

Страница 76: ...3e 525A 3 Wireless Access Point Chapter 4 Gateway Configuration 68 29000167 001 B A comparison of gateway and access point setup for the 3e 525A 3 ...

Страница 77: ... AP to Gateway your configura tion is not lost However if you switch from FIPS 140 2 submode to non FIPS all previously entered information will be reset to factory settings You can then proceed to change the management screens as necessary to reconfigure the device as a gateway Configuration in gateway mode allows you to set firewall parameters This is the main difference between the screens you ...

Страница 78: ... The WAN IP address is the Public IP address required to link the pri vate WLAN users to the external enterprise or shipboard network which is to be outside the protected wireless LAN Normally you will be provided with the IP address Subnet Mask Default Gateway and DNS to assign by the Network Administrator for the Ethernet Network There are two ways to configure the WAN IP address 1 Obtain an IP ...

Страница 79: ... port The IP aliasing entries can be used by the virtual server to map a public IP address to a private IP address If the virtual server needs to map multiple public IP addresses to multiple private IP addresses the IP aliasing entries can be used to create additional public IP addresses These entries are always static entries and can not use DHCP ...

Страница 80: ...Con figuration LAN This directs you to the System Configuration LAN screen This sets up the default numbers for the four octets for a possible pri vate LAN function for the access point You can also change the default subnet mask The Local LAN port provides DHCP server functionality to automatically assign an IP address to a computer Ethernet port ...

Страница 81: ...encryption is set by the CryptoOfficer It is recommended that you set encryption as soon as possible Gateway mode has the same encryption options as the AP mode Firewall Content Filtering Click the entry on the left hand navigation panel for Firewall Con tent Filtering The Content Filtering screen allows the system adminis trator to identify particular hosts or IPs that will be blocked from access...

Страница 82: ...rtain IPs on the Private LAN from ac cessing your Internet connection It restricts clients to those with a specific IP Address Port Filtering Click the entry on the left hand navigation panel for Firewall Port Filtering Port filtering permits you to configure the Gateway to block outbound traffic on specific ports It can be used to block the wireless network from using specific protocols on the ne...

Страница 83: ...rt 23 FTP port 21 and Web server port 80 Client computers on the Private LAN can host these applications and allow users from the Internet to access these applications hosted on the virtual servers This is done by mapping virtual servers to private IP addresses according to the specific TCP port application As the planning table below shows we have identified a Telnet port 23 virtual server for pr...

Страница 84: ...d to the wired network or Internet for unrestricted two way communication This configuration is typically used when a computer is operating a proprietary client software or 2 way communication such as video teleconferencing where multiple TCP port assignments are required for communication To assign a PC the DMZ host status fill in the Private IP address which is identified as the exposed host and...

Страница 85: ...ay Configuration 29000167 001 B 77 Advanced Firewall As advanced firewall functions you can enable disable Block Ping to WAN Web based management from WAN port SNMP management from WAN port These options allow you more control over your environment ...

Страница 86: ...3e 525A 3 Wireless Access Point Chapter 4 Gateway Configuration 78 29000167 001 B This page intentionally left blank ...

Страница 87: ...dging of two Ethernet links Point to multipoint bridging of several Ethernet links Repeater mode The wireless bridging screens are the same whether you are in access point or gateway mode Bridging is a function that is set up in addition to basic access point or gateway setup If you will be using the 3e 525A 3 solely as a bridge some of the settings you may have selected for access point gateway u...

Страница 88: ...ss bridging AWB with a maximum num ber of allowable bridges the default is 40 Auto forming Wireless Bridging When the wireless bridge is in auto forming mode the wireless bridge sniffs for beacons from other wireless bridges and identifies APs that match a policy such as SSID and channel Instead of simply adding the APs with the same SSID channel to the network a three way association handshake is...

Страница 89: ...allowed Bridge Priority 1 40 Determines the root leaf STP node The lowest bridge priority in the net work will become the STP root Signal Strength Threshold 27 21 15 9 Prevents the node under the thresh old from associating and joining the network Broadcast SSID Diable Enable When disabled the AP hides the SSID in outgoing beacon frames and sta tions cannot obtain the SSID through passive scanning...

Страница 90: ...rength LED MAC Not Assigned Allows you to set the number of one of the Remote APs which will be listed at the bottom of the screen once the system is operational This wireless bridge be comes the guiding port that is displayed in the WLANNSS LED on the front of the 3e 525A 3 as a signal Spanning Tree Protocol STP Enable Disable Enable STP is there is any possiblity that a bridging loop could occur...

Страница 91: ...ation If you select Enable ref esh you can set the bridge refresh interval from 5 seconds to 30 minutes Refreshing the screen allows you to see the effect of aiming the antenna to improve signal strength Wireless Bridge Radio The Wireless Bridge Radio screen contains wireless bridging information including the channel number Tx rate Tx power spanning tree protocol 802 1d enable disable and remote ...

Страница 92: ... optimal rate for the chan nel If a fixed rate is used the card will only transmit at that rate 802 11a Turbo AUTO The card attempts to select the opti mal rate for the channel Channel No 802 11b g Mixed 1 2 412 GHz 2 2 417 GHz 3 2 422 GHz 4 2 427 GHz 5 2 432 GHz 6 2 437 GHz 7 2 442 GHz 8 2 447 GHz 9 2 452 GHz 10 2 457 GHz 11 2 462 GHz Sets the channel frequency for the wireless bridge 802 11g Sup...

Страница 93: ...wireless bridge when the Tx Pwr Mode is off Fixed Pwr Level 1 2 3 4 5 Select a range when Rx Pwr Mode is set to FIXED Level 1 is the shortest distance Level 1 7dBm and Level 5 is the longest Level 5 15dBm Propagation Distance 5 Miles 5 10 Miles 11 15 Miles 16 20 Miles 21 25 Miles 26 30 Miles 30 Miles Set the distance based on the distance between this bridge and furthest bridge that is connected t...

Страница 94: ...page to set up to ensure that your bridge is working correctly The encryption key that you use on this screen must be the same for any bridge connected to your bridging network in order for communication to occur On this screen you can select None Static 3DES 192 bit or Static AES 128 bit 192 bit or 256 bit The following sections describe the setup for three types of bridging configuration point t...

Страница 95: ...idging there can be a separate WLAN on the AP WLAN card with no loss efficiency as long as you set the channel numbers so there s no conflict or noise with the channel as signed to the bridge Spanning Tree Protocol may be set to Enable if there is any possibility of a bridging loop or to Disable which is more efficient if there s no possibility of a bridging loop Each bridge must contain the other...

Страница 96: ...e length and value Must be the same key as Bridge 2 Select appropriate key type length and value Must be the same key as Bridge 1 Point to Point Bridging Setup Guide Auto Mode Direction Bridge 1 Bridge 2 Wireless Bridge Genral Auto Bridging Mode Bridging Mode Auto bridging selected Auto bridging selected SSID Must be the same as Bridge 2 Must be the same as Bridge 1 Max Auto Bridges 40 range 1 40 ...

Страница 97: ... Next select the Channel Number The Channel Number must be set to the same frequency in order for each bridge to communicate TX Pwr Mode can be left on Auto unless the power needs to be regulated Select the Propagation Distance which is based on the distance be tween a bridge and the furthest bridge that is connected to it Set the RTS Threshold which is the number of bytes used for the RTS CTS han...

Страница 98: ...rom this screen you can also choose to delete a remote AP s MAC ad dress Click Apply to accept your changes If you choose Auto Bridging mode then you will need to enter the follwoing information Enter the SSID This can be any set of letters and numbers assigned by the network administrator This nomenclature has to be set on the wireless bridge and each wireless device in order for them to communi ...

Страница 99: ...wireless bridge will be indicated on the Signal Strength LED located on the front of the case Next navigate to the Wireless Bridge Encryption screen Select the appropriate key type and length and the key value The encryption key value and type for Bridge 1 must be the same as for Bridge 2 For wireless bridging only AES and 3DES are available for encryption ...

Страница 100: ...t have the same channel number Span ning Tree Protocol will usually be set to Enable If configured as in the diagram following Bridge 1 must contain all of the others BSSIDs while Bridge 2 n must only contain Bridge 1 s BSSID The BSSID of each is equivalent to the MAC address found on the Wireless Bridge Radio page Enter only hexadecimal numbers Data entry is not case sensitive Finally the wireles...

Страница 101: ...and value Must be the same key as Bridge 2 n Select appropriate key type length and value Must be the same key as Bridge 1 Point to Multipoint Bridging Setup Guide Auto Mode Direction Bridge 1 Bridge 2 n Wireless Bridge Radio Wirelss Mode 802 11a 802 11a Tx Rate AUTO AUTO Channel No Same as Bridge 2 n Same as Bridge 1 Tx Power Mode Auto Auto Propagation Distance 5 Miles 5 Miles RTS Threshold 2346 ...

Страница 102: ...dge can control a wireless LAN at a distance Repeater Bridging Setup Guide Manual Mode Direction Bridge 1 Bridge 2 Bridge 3 Wireless Bridge Radio Wireless Mode 802 11a 802 11a 802 11a Tx Rate AUTO AUTO AUTO Channel No Same as Bridge 2 Same as Bridge 1 Same as Bridge 1 Tx Power Mode Auto Auto Auto Propagation Dis tance 5 Miles 5 Miles 5 Miles RTS Threshold 2346 2346 2346 BSSID Add Bridge 2 s MAC Ad...

Страница 103: ...idge General Auto Bridging Mode Bridging Mode auto auto auto SSID Must be the same as Bridge 2 Must be the same as Bridge 1 Must be the same as Bridge 1 Max Auto Bridges 40 range 1 40 40 range 1 40 40 range 1 40 Bridge Priority 40 1 40 40 1 40 40 1 40 Signal Strength Threshold 9 9 9 Signal Strength MAC Enter from list at the bottom of the screen Enter from list at the bottom of the screen Enter fr...

Страница 104: ...3e 525A 3 Wireless Access Point Chapter 5 Wireless Bridge Configuration 96 29000167 001 B This page intentionally left blank ...

Страница 105: ...eral Communications Commission s Rules and Regulations These limits are designed to pro vide reasonable protection against harmful interference when the equip ment is operated in a commercial environment This equipment gener ates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications...

Страница 106: ...3e 525A 3 Wireless Access Point Chapter 6 Technical Support 98 29000167 001 B This page intentionally left blank ...

Страница 107: ...mic Host Control Proto be able to obtain an IP address using col after successfully associating with DHCP Dynamic Host Control Proto col after successfully associating with DHCP Dynamic Host Control Proto the TOE This means that the Wireless col after successfully associating with the TOE This means that the Wireless col after successfully associating with Scanner client device has gained ac cess ...

Страница 108: ...ure man including Crypto Officers with the agement Lack of or insufficient tests to dem onstrate that all TOE security func tions operate correctly including in a onstrate that all TOE security func tions operate correctly including in a onstrate that all TOE security func fielded TOE may result in incorrect tions operate correctly including in a fielded TOE may result in incorrect tions operate c...

Страница 109: ...n interfaces The TSF cryptographic boundary disclosure through its own interfaces and all ports and interfaces meet this The TSF cryptographic boundary and all ports and interfaces meet this The TSF cryptographic boundary objective as part of the FIPS 140 2 and all ports and interfaces meet this objective as part of the FIPS 140 2 and all ports and interfaces meet this Chapter 2 Cryptographic Modu...

Страница 110: ...3e 525A 3 Wireless Access Point Appendix A Misuse Guidelines A 4 29000167 001 B ...

Страница 111: ...d by Belgian cryptographers Joan Daemen and Vincent Rijmen The U S government adopted the algorithm as its encryption technique in October 2000 replacing the DES encryption it used AES works at multiple network layers simultaneously Bridge A device that connects two local area networks LANs or two segments of the same LAN that use the same protocol such as Ethernet or Token Ring DHCP Short for Dyn...

Страница 112: ... thereafter operate as a group TKIP Temporal Key Integrity Protocol TKIP is a protocol used in WPA It scrambles the keys using a hashing algorithm and by adding an integrity checking feature ensures that the keys haven t been tampered with VPN Virtual Private Network A VPN uses encryption and other security mechanisms to ensure that only authorized us ers can access the network and that the data c...

Результаты поиска

Содержание AirGuard 3e-525A-3

Отзывы:

Похожие инструкции для AirGuard 3e-525A-3

Бренды по названию

Популярные бренды

3e Technologies International AirGuard 3e-525A-3, Руководство пользователя

Результаты поиска

Содержание AirGuard 3e-525A-3

Отзывы:

Похожие инструкции для AirGuard 3e-525A-3

Бренды по названию

Популярные бренды