United States: 945 Concord St., Framingham, MA 01701, 508.620.4788, [email protected], www.insightix.com

International: 13 Hasadna Street, Ra'anana, Israel, +972.9.740.1667

Insightix Discovery & NAC Lite Edition, Version 3.0, User Manual, May 2007

Insightix Discovery and NAC Lite Edition User Manual


Copyright © 2007 - All Rights Reserved. This material is proprietary of Insightix. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This material is meant solely for the use by Insightix employees, and authorized Insightix customers.

About Insightix

Insightix is a pioneer in the development of the new generation of IT infrastructure discovery, monitoring and auditing solutions. Insightix strives to solve the growing and ongoing problems faced by IT management by delivering solutions that enable enterprises to achieve comprehensive visibility of their network environments.

Insightix’s patent-pending Dynamic Infrastructure Discovery (DID) technology provides an innovative approach to network discovery, enabling enterprises to unobtrusively obtain complete, accurate and real-time infrastructure information. Insightix’s DID-based solutions allow enterprises to successfully manage their IT environments and control IT processes, such as asset management, patch management and vulnerability assessments. As a result, Insightix’s DID-based solutions enable enterprises to control IT resources, reduce IT expenses, protect organizational assets and improve business processes.

Insightix develops the only complete, real-time and agentless network discovery and network access control solutions. Insightix Discovery delivers comprehensive network visibility by obtaining a complete, accurate and real-time inventory of all devices connected to the IT infrastructure. Insightix NAC provides complete and real-time network access control, ensuring that only authorized and compliant devices are allowed to access and operate on the network. Insightix's solutions provide complete network coverage and deliver an immediate return-on-investment for IT operations, network security and regulation compliance. Insightix solutions are simple to use and overcome the technical limitations of existing solutions.

Contents

1 Introducing the Insightix Discovery & NAC Lite Edition
  1.1 Insightix Discovery
  1.2 Insightix Discovery & NAC
  1.3 Deployment
  1.4 Licensing
2 Quick Tour of the Insightix Discovery & NAC Lite Edition
  2.1 Client Software Requirements
    2.1.1 Verifying the Current Java Version
    2.1.2 Downloading and Installing Java JRE 6.0
    2.1.3 Downloading and Installing Adobe Flash Player
  2.2 Accessing the Insightix Discovery & NAC Enterprise Edition
  2.3 Insightix Discovery & NAC Lite Edition Modules
  2.4 Searching the Insightix Discovery & NAC Lite Edition
  2.5 Exporting Data
  2.6 Right-Click Menu Indicator
  2.7 Interactive Module Selection Bar
3 Dashboard Module
  3.1 Dashboard Module Components
    3.1.1 System Summary Area
    3.1.2 OS Summary Area
    3.1.3 Alerts Table
4 Topology Module
  4.1 Viewing the Physical Network Topology Map
  4.2 Viewing Device Properties
  4.3 Searching for a Device
5 Inventory Module
  5.1 Viewing the Inventory List
  5.2 Filtering the System Inventory List
  5.3 Right-Click Menu Options
    5.3.1 Authorizing or Un-Authorizing a Device
    5.3.2 Creating an Exception Rule
    5.3.3 Resetting Device Properties
    5.3.4 Generating an OS Signature
    5.3.5 Tuning Device Properties
    5.3.6 Setting a Device as Offline
    5.3.7 Removing an Element from the Inventory
    5.3.8 Active Rediscovery
  5.4 Element Coloring Scheming
  5.5 Viewing Detailed Properties of a Specific Device
    5.5.1 Properties Tab
    5.5.2 Connected Elements Tab (Switches Only)
    5.5.3 Interfaces & Routing Tab (Routers Only)
    5.5.4 Alerts Tab
    5.5.5 Event History
6 NAC Module
  6.1 Background
  6.2 Operation
    6.2.1 Quarantine
    6.2.2 Enforcement
  6.4 Operational Pre-Requisites
  6.5 Configuring the Pre-Admission Module
  6.6 Configuring the Admission Module
    6.6.1 Configuring the Compliance Checks
    6.6.2 Configuring the Admission Quarantine
  6.7 Post-Admission Module
    6.7.1 Configuring the Compliance Checks
    6.7.2 Creating a Device Profile
  6.8 Exceptions
  6.9 Enforced Violations
    6.9.1 Enforcement Using Switch Integration
    6.9.2 Enforcement Using Quarantine Silo & Enforcement Technology
    6.9.3 Quarantined Elements
  6.10 NAC Configuration
7 Alerts Module
  7.1 Viewing Alerts
    7.1.1 Sorting Alerts
    7.1.2 Searching Alerts
  7.2 Configuring Alerts
  7.3 Configuring Target Groups
  7.4 Configuring Alert Destinations
    7.4.1 Configuring an Email Recipient
    7.4.2 Configuring a Destination Syslog Server
8 Audit Module
  8.1 Viewing Network Services Audit Data
  8.2 Configuring Server Audit Rules
    8.2.1 Defining Audit Rules According to Operating Systems
    8.2.2 Defining Audit Rules According to a Specific IP Address
    8.2.3 Defining Audit Rules According to IP Subnets
    8.2.4 Defining Audit Rules According to Hostnames
    8.2.5 Order of Audit Rules Execution
    8.2.6 Removing Audit Rules
  8.3 Authorizing Devices
    8.3.1 Pre-Authorizing Devices
  8.4 Microsoft Windows OS Auditing
    8.4.1 Prerequisites for the Microsoft Windows OS Auditing
    8.4.2 Configuring Windows OS Auditing
    8.4.3 Defining the Exclude List
    8.4.4 Manually Initiating a Microsoft Windows OS Audit
  8.5 Managing OS Signatures
    8.5.1 Removing an OS Signature
    8.5.2 Restoring Factory Default Settings for OS Identification
    8.5.3 Initiating the OS Identification Process against Elements with an Unidentified OS
  8.6 Configuring Service Naming
9 Reports Module
  9.1 Report Types
  9.2 Viewing a Report
10 Configuration Module
  10.1 Topology Configuration
    10.1.1 Topology Summary Page
    10.1.2 Manually Initiating the Physical Network Topology Discovery
    10.1.3 Configuring Switches
    10.1.4 Configuring a Management Network
    10.1.5 Physical Geographical Location
  10.2 Managing Users
  10.3 Configuring System-Wide Parameters
    10.3.1 Configuring the Detection Level
    10.3.2 Configuring Real-Time System Parameters
    10.3.3 Configuring System Parameters (Requiring Restart)
    10.3.4 Configuring the Web Interface
  10.4 Configuring Time & Date
  10.5 Network Configuration
    10.5.1 Configuring the Insightix Discovery & NAC Lite Edition IP Address
    10.5.2 Configuring DNS Resolution
  10.6 Configuring Subnets
  10.7 Registering the Application
11 Taskbar Operations

1 Introducing the Insightix Discovery & NAC Lite Edition

This chapter introduces the Insightix Dynamic Infrastructure Discovery (DID) technology and describes the key features and deployment of the Insightix solution.

Insightix Discovery & NAC Lite Edition includes the Insightix Discovery and Insightix NAC products.

1.1 Insightix Discovery

The Insightix Dynamic Infrastructure Discovery (DID) technology makes use of a unique, patent-pending combination of various network discovery algorithms, which gather and correlate information from passive and active network discovery engines to provide complete and accurate infrastructure discovery in real time.

The Insightix DID technology enables the Insightix Discovery & NAC Lite Edition to:

• Provide complete and accurate asset discovery.

• Present an accurate real-time physical network topology map.

• Build, monitor, track and dynamically update the inventory and the topology to reflect any changes made to the network and/or to its elements.

• Provide detailed information on the properties of each device attached to the network.

• Alert regarding occurrence of preconfigured network events.

• Provide configurable reports of network inventory, devices, locations, and so on.

• Enable exporting and saving of inventory and topology information in standard formats.

1.2 Insightix Discovery & NAC

Insightix Discovery & NAC adds network access control capabilities to the Insightix Discovery product. Insightix NAC delivers complete and real-time network access control, ensuring that only authorized and compliant devices are allowed to access and operate on the enterprise network.

Insightix NAC provides complete network coverage by discovering, in real-time, a comprehensive inventory of all elements connected to the network and their associated properties. Based on the wealth of contextual IT infrastructure information gathered by Insightix NAC, IT professionals are able to easily baseline their network and authorize the devices that are permitted to access and operate on the network. Once activated, Insightix NAC performs real-time element detection and authorization enforcement, denying connectivity to any unauthorized device.

Insightix NAC features a straightforward, rule-based policy engine for defining the compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. The compliance checks supported include checks on Windows-based operating systems, including verification of the service pack level, presence of operating system patches, running services, and so on. If an authorized device does not pass the compliance checks, network access is granted to remediation servers only, allowing the device’s user to align the device with the enterprise’s network access policy.

Insightix NAC uses a patent-pending technology for enforcement and quarantine, which alleviates dependencies on switch integration and other IT resources. Insightix Quarantine Silo technology ensures an authorized device is denied access to the network while compliance checks are performed, and that quarantined devices cannot access each other. This ensures the complete isolation of questionable elements from the network until they are granted (or denied) network access. Insightix Quarantine Silo technology ensures network access is granted to authorized devices only after successfully passing the compliance checks.

Insightix NAC constantly monitors the network, identifying and responding to any changes made to the properties of devices that are authorized to operate on the network. Insightix NAC ensures that the properties of an authorized device, such as the MAC address, are not abused, preventing an unauthorized device from masquerading as an authorized device.

Note: Although the NAC functionality is enabled during the evaluation period of the Insightix Discovery & NAC Lite Edition, it is not part of the standard Insightix Discovery Enterprise Edition and requires a separate license for continued use. Please contact your local reseller or [email protected] for details.

1.3 Deployment

The Insightix Discovery & NAC Lite Edition is a software-based solution. It is shipped as a Windows executable program, and can be installed on Microsoft Windows XP, Microsoft Windows 2003, and Microsoft Windows Vista operating systems.

The Insightix Discovery & NAC Lite Edition works with a single broadcast domain and requires a single network interface card (single network connection) for its operation.

The diagram below presents a typical deployment scenario of the Insightix Discovery & NAC Lite Edition in a sample enterprise network environment.

Figure 1: System Deployment

1.4 Licensing

Software evaluation is limited to a period of 7 days. Please contact your local reseller or [email protected] to extend the evaluation period.

Note: During the evaluation period, the Network Access Control features are enabled in the software. Following the evaluation period, a separate license is required for this functionality.

2 Quick Tour of the Insightix Discovery & NAC Lite Edition

This chapter describes how to access the Insightix Discovery & NAC Lite Edition application and introduces the various components of the application.

2.1 Client Software Requirements

The Insightix Discovery & NAC Lite Edition is a web-based application that can be accessed using Windows-based operating systems and the Microsoft Internet Explorer 6.x/7.x web browser. In order to access the web interface of the Insightix Discovery & NAC Lite Edition, the following software needs to be installed on the client computer:

• Java Runtime Environment (JRE) version 6.0

• Adobe Flash Player version 8 (or above)

Before attempting to access the web interface of the Insightix Discovery & NAC Lite Edition, it is recommended to verify that the necessary software is installed on the client computer. If the necessary software is not installed on the client computer, or if an earlier version is installed, the necessary version must be downloaded and installed before attempting to access the web interface.

2.1.1 Verifying the Current Java Version

To verify the Java version installed on your computer:

• In a Microsoft Windows environment, open the command line and type java -version.

If Java is installed on the client computer, the version number is indicated. If Java is not installed on the client computer, a message is displayed indicating that the command typed is not recognized.

2.1.2 Downloading and Installing Java JRE 6.0

You can download the required version of Java from the Internet.

To download and install Java JRE 6.0:

1 In a web browser, go to http://java.sun.com/javase/downloads/index.jsp. Scroll down the page, locate Java Runtime Environment (JRE) 6 and click the Download button adjacent to it.

2 Accept the license agreement by clicking the radio button for Accept License Agreement and then click on Windows Offline Installation, Multi-language to download the installation file to your computer.

3 Double-click the jre-6-windows-i586.exe file to begin the installation.

4 Follow the on-screen instructions and select the proper files for your platform.

2.1.3 Downloading and Installing Adobe Flash Player

You can download the required version of Adobe Flash Player from the Internet.

To download and install Adobe Flash Player:

1 In a web browser, go to http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&promoid=BIOW and click Install Now.

2 When the security warning appears for the Adobe Flash Player version you are attempting to install, click Install.

2.2 Accessing the Insightix Discovery & NAC Enterprise Edition

Once you have verified the necessary software is installed on your computer, you are ready to access the application.

Note: If the Insightix Discovery & NAC Lite Edition is located behind a firewall, access to the IP address of the system using TCP ports 22, 80, 443 and 18,000 must be allowed through the firewall in order to successfully access and use the system.

Note: When Insightix Discovery & NAC Lite Edition is installed, the application tries to bind itself to TCP port 80. If another service is already using this TCP port, the application binds itself to another TCP port. A message bubble notifies the user in the event that a TCP port other than 80 is used (the first choice will be TCP port 8000).
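The reachability requirements in the two notes above can be checked from a client machine before opening the browser. The following is an added example, not part of the Insightix manual or product: the function names are hypothetical, and it assumes only the port numbers stated in the notes (22, 80, 443 and 18,000, with 8000 as the first fallback for the web interface).

```python
import socket
import sys

# Ports taken from the manual's firewall note.
REQUIRED_TCP_PORTS = (22, 80, 443, 18000)
# Port 80 is tried first by the application; 8000 is its documented first
# fallback. Any further fallback ports are not stated in the manual.
WEB_UI_CANDIDATES = (80, 8000)


def probe_ports(host, ports, timeout=2.0):
    """Return {port: bool}; True means a full TCP connection succeeded."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            # Refused, filtered (timed out) or unroutable: treat as blocked.
            results[port] = False
    return results


def blocked_ports(host, ports=REQUIRED_TCP_PORTS, timeout=2.0):
    """List the ports that could not be reached, in ascending order."""
    status = probe_ports(host, ports, timeout)
    return sorted(port for port, reachable in status.items() if not reachable)


def web_ui_url(host, candidates=WEB_UI_CANDIDATES, timeout=2.0):
    """Return the URL for the first candidate port that accepts a connection.

    Returns None when no candidate answers. A listener on the port is not
    proof that it is the Insightix web interface, only that something
    accepted the connection.
    """
    for port, reachable in probe_ports(host, candidates, timeout).items():
        if reachable:
            return f"http://{host}" if port == 80 else f"http://{host}:{port}"
    return None


if __name__ == "__main__":
    # Usage: python check_access.py <IP address of the system>
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    missing = blocked_ports(target)
    if missing:
        print(f"Not reachable on {target}: TCP {', '.join(map(str, missing))}")
    else:
        print(f"All required TCP ports are reachable on {target}")
    print(f"Web interface candidate: {web_ui_url(target)}")
```

A port reported as not reachable can mean either a firewall rule is missing or the service is not listening; the script does not distinguish the two.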

To access the Insightix Discovery & NAC Lite Edition:

1 If you are attempting to log in to the Insightix Discovery & NAC Lite Edition from the computer on which the application is installed, browse to http://localhost in your Microsoft Internet Explorer 6.x/7.x browser,

OR

If you are attempting to log in to the Insightix Discovery & NAC Lite Edition remotely, browse to http://<IP address of the Insightix Discovery & NAC Lite Edition> in your Microsoft Internet Explorer 6.x browser and press <Enter>.

The Insightix Discovery & NAC Lite Edition Login page is displayed.

Note: If the Insightix Discovery & NAC Lite Edition has bound itself to a TCP port other than TCP port 80, the user needs to specify the exact TCP port to use when connecting to the Insightix Discovery & NAC Lite Edition. For example, if the Insightix Discovery & NAC Lite Edition is using TCP port 8000, specify the port as follows:

• Local access: http://localhost:8000

• Remote access: http://<IP address of the Insightix Discovery & NAC Lite Edition>:8000

Figure 2: Insightix Discovery & NAC Lite Edition Application

2 Enter your username and password in the designated fields, and click Login. By default, the Dashboard module of the Insightix Discovery & NAC Lite Edition application is displayed.

Figure 3: Insightix Discovery & NAC Lite Edition - Dashboard Module

Note: By default, two user accounts are defined in the system, one with administrative privileges, which allows the user to perform configuration changes (username admin), and one with read-only privileges, which only allows the user to view information (username user). By default, the passwords for both user accounts are left empty. To prevent unauthorized access, it is highly recommended that you change these passwords as soon as possible. Refer to Managing Users, page 115.

2.3 Insightix Discovery & NAC Lite Edition Modules

The Insightix Discovery & NAC Lite Edition functionality is implemented via the following modules:

• Dashboard: Provides a composite overview of ongoing system activities. For details, refer to 3 Dashboard Module.

• Topology: Outlines the physical network topology of the monitored network(s) and enables a user to find devices and view their physical connectivity information. For details, refer to 4 Topology Module.

• Inventory: Lists all of the elements detected to operate on the network (in the present and in the past). It enables a user to search the inventory according to multiple search criteria, to manually export custom reports, and to view detailed properties of specific elements. For details, refer to 5 Inventory Module.

• NAC: Enables a user to enforce a strict network access control policy disallowing unauthorized and non-compliant elements from connecting to the network in real-time. For details, refer to 6 NAC Module.

• Alerts: Enables a user to determine the types of events that trigger alerts and displays a list of alerts generated by the system. For details, refer

6.1 Background

Insightix NAC delivers complete and real-time network access control, ensuring that only authorized

and compliant devices are allowed to access and operate on the enterprise network.

Insightix NAC provides complete network coverage by discovering, in real-time, a comprehensive

inventory of all elements connected to the network and their associated properties. Based on the

wealth of contextual IT infrastructure information gathered by Insightix NAC, IT professionals are

able to easily baseline their network and authorize the devices that are permitted to access and

operate on the network. Once activated, Insightix NAC performs real-time element detection and

authorization enforcement, denying connectivity to any unauthorized device.

Insightix NAC features a straightforward, rule-based policy engine for defining the compliance

checks to be performed against authorized Microsoft Windows-based elements as they attempt to

connect to the network. The compliance checks supported include checks on Windows-based

operating systems, including verification of the service pack level, presence of operating system

patches, running services, and so on. If an authorized device does not pass the compliance checks,

network access is granted to remediation servers only, allowing the device’s user to align the device

with the enterprise’s network access policy.

Insightix NAC uses a patent-pending technology – Insightix Quarantine Silo – for enforcement and

quarantine, which alleviates dependencies on switch integration and other IT resources, and

ensures that network access is granted to authorized devices only after successfully passing the

compliance checks.


Insightix NAC constantly monitors the network, identifying and responding to any changes made to

the properties of devices that are authorized to operate on the network. Insightix NAC ensures that

the properties of an authorized device, such as the MAC address, are not abused, preventing an

unauthorized device from masquerading as an authorized device.

Note: Although the NAC module is enabled during the evaluation period, it is not part of the

standard Insightix Discovery Lite Edition and requires a separate license for continued use.

Please contact your local reseller or [email protected] for details.

2.5 Operation

Insightix NAC incorporates three operational modules:

• Pre-Admission: This module uses several patent-pending techniques to perform real-time

element detection and authorization enforcement, denying connectivity to any unauthorized

device.

• Admission: This module allows you to configure the compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. The compliance checks supported include checks on Windows-based operating systems, including verification of the service pack level, presence of operating system patches, running services, etc. If an authorized device does not pass the compliance checks, network access is granted to remediation servers only, allowing the device’s user to align the device with the enterprise’s network access policy.

• Post-Admission: This module is charged with the task of constantly monitoring the network,

identifying and responding to any changes made to the properties of devices that are authorized

to operate on the network. The post-admission module allows building device profiles, ensuring that the properties of an authorized device are not abused and preventing an unauthorized device from masquerading as an authorized device.

Note: Insightix NAC provides the flexibility of determining which NAC modules should, or

should not, be operational. The order of execution of the NAC modules, assuming they are all

enabled, is Pre-Admission, Admission, and finally Post-Admission.

Insightix NAC monitors elements from the time they are attached to the network until the time

they are detached from the network.

2.5.1 Quarantine

Insightix NAC uses a patent-pending technology for enforcement and quarantine, which alleviates

dependencies on switch integration and other IT resources. Insightix Quarantine Silo technology

ensures an authorized device is denied access to the network while compliance checks are

performed, and that quarantined devices cannot access each other. This ensures the complete

isolation of questionable elements from the network until they are granted (or denied) network

access. Insightix Quarantine Silo technology ensures network access is granted to authorized

devices only after successfully passing the compliance checks.


If an authorized device does not pass the compliance checks, network access can be granted to

remediation servers only, allowing the device’s user to align the device with the enterprise’s network

access policy. As long as the device fails to comply with the network access policy, it remains in the

quarantine.

2.5.2 Enforcement

To deny network access to unauthorized elements trying to attach themselves to the enterprise network and/or to non-compliant elements, Insightix NAC can be configured using two enforcement modules:

• Switch Integration: Elements found to be non-compliant with the network access control policy are disconnected from the network by shutting down the switch port they are connected to.

• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for

enforcement and quarantine, which removes dependencies on switch integration and other IT

resources. Insightix Quarantine Silo & Enforcement technology ensures that an unauthorized element and/or a non-compliant element cannot access the network.

You can opt to use one or both of these enforcement modules. When both enforcement modules are enabled, Insightix NAC first attempts to shut down the switch port to which an unauthorized or a non-compliant element is connected.

Insightix NAC uses several patent-pending techniques to detect, in real-time, when a new element is

attempting to join the network. It discovers the exact switch and switch port to which the newly

discovered element is connected in real-time. Using its location discovery algorithms, Insightix NAC

classifies the connectivity point, and determines whether the element is directly connected to the

switch port, or whether it is sharing the port connectivity with other elements (i.e., through a Hub or

an unmanaged switch).

If Insightix NAC cannot shut down the switch port to which an unauthorized or a non-compliant

element is connected (if the element shares its switch connectivity with other elements, and/or if the

element is connected to an unmanaged switch), Insightix Quarantine Silo & Enforcement technology

is used to deny network access.

2.4 Operational Pre-Requisites

The Insightix Discovery & NAC Lite Edition should have access through its active NIC(s) to the layer-2 broadcast domains of the networks against which NAC is to be enforced.

The following are the prerequisites for the enforcement modules:

• Switch Integration: Read/Write SNMP access to the switches operating on the network.

• Insightix Quarantine Silo & Enforcement: Layer-2 access to the network Insightix NAC should

be operating against.

In order for the Insightix NAC to successfully audit a Microsoft Windows operating system during the

admission stage, the following pre-requisites need to be met:


• The Insightix NAC must be configured with local administrative rights on the remote machine and

be able to log on to this machine remotely (done under Audit > Windows OS Audit).

• File and Print Sharing must be enabled on the queried Microsoft Windows OS.

• The NetBIOS (TCP 139) port must be accessible on the remote machine.

• The queried Microsoft Windows machine must have the local Server service running.

• The remote machine must be running the Windows Remote Registry service.

2.5 Configuring the Pre-Admission Module

You can configure the type of action, if any, to be taken whenever an unauthorized device connects to the network. The pre-admission NAC module can be set to automatically enforce policy and disconnect any unauthorized device that attempts to attach itself to your network, or you can configure the system to issue an alert without taking action against the element.

The level of operation of the pre-admission NAC module is set in the Pre-Admission tab of the NAC

module.

Note: Device authorization is configured on the Audit > Device Authorization tab.

To configure the level of operation of the Pre-Admission NAC module:

1 Select NAC in the Module Selection bar. The Pre-Admission tab of the NAC module is displayed.


Figure 16: NAC Module – Pre-Admission Tab (Mode Selection)

The current mode of operation is selected in the Pre-Admission tab.

2 Select the required mode of operation:

• Disabled: The Pre-Admission module is disabled and unauthorized elements may access the network.

• Alert Only: Network access policy violations of unauthorized elements are reported, but the policy is not enforced.

• Enabled: Elements that are not authorized are automatically disconnected from the

network according to the selected enforcement method (configured under NAC > Configuration).

Note: The Save and Continue buttons are enabled/disabled according to the option

selected in step 2.

3 If you select Disabled or Alert Only, click Save.

OR

If you select Enabled, click Continue to configure additional policy parameters.

A list of unauthorized devices that have been detected on the network is now displayed in the Pre-Admission tab. The elements listed will be disconnected from the network once the pre-admission NAC module is enabled.

Figure 17: NAC Module – Pre-Admission Tab (Unauthorized Device List)


4 (Optional) Review the list of unauthorized devices and authorize specific devices as required.

To authorize a device, select the checkbox adjacent to the IP address of the device and click Authorize Selected. The newly authorized devices are removed from the list and will not be disconnected when the pre-admission module is enabled.

5 Click Finish to enforce the pre-admission NAC policy.

2.6 Configuring the Admission Module

The admission NAC module allows you to configure the compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. If an authorized device does not pass the compliance checks, network access is granted to remediation servers only, allowing the device’s user to align the device with the enterprise’s network access policy.

2.6.1 Configuring the Compliance Checks

You can configure the compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. The compliance checks supported include checks on Windows-based operating systems, including verification of the service pack level, presence of operating system patches, running services, and so on.

To configure the compliance checks:

1 Select NAC > Admissions. The Policy page of the Admission tab is displayed.

Figure 18: NAC Module – Admission Tab (Policy Page)


2 Select or clear the NAC Admissions protection checkbox to enable or disable the Admission module.

3 From the Define action dropdown list, select the action to be taken if an authorized device does not pass the compliance checks:

• Alert: Network access policy violations of authorized non-compliant elements are reported, but the policy is not enforced.

• Enforce: Action is taken against devices that do not pass the compliance checks

according to the selected enforcement method (configured under NAC > Configuration).

4 To configure compliance check rules according to operating system:

• Select the Operating System for which to add a rule from the dropdown list immediately above the Operating System header.

• In the Action column, set the action that is to be taken when a device passes the compliance checks.

• Click Add. A line is added to the Rules table for the selected operating system.

• In the Admissions Checks column, click the icon to select the type(s) of service check(s) to be performed. A line is displayed for each selected service type.

• Set the additional required criteria for each selected service check type in the adjacent field as follows:

• Service Pack Level: Specify the required service pack level.

• Opened Network Service: Specify the network service(s) that must be open.

• Hot Fixes: Specify the required Hot Fixes. Note: all Hot Fixes must start with "KB" or "Q".

Note: To remove a rule, select it in the table and click Remove.

5 Set the action to be taken (Allow/Deny) if the element matches the following conditions that make performance of one or more of the service checks unfeasible:

• If the element is firewalled.

• If the NETBIOS service is not enabled.

• If the credentials do not allow the extracting of information.

6 Set the action to be taken (Allow/Deny) if no match is found, meaning that the element does

not match any of the rules for compliance check and does not meet the criteria of any special cases previously defined as allowed.

7 Click Save to save the changes.

Note: Multiple rules per operating system can be set. The first rule an element matches is the rule that is used.
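The evaluation order set up in steps 4 to 6 can be modelled in a few lines of Python. This is an added example, not Insightix code: the class and field names, the sample policy, treating the service pack level as a minimum, and testing the step 5 conditions before the rules are all assumptions of the example.

```python
"""Model of the admission rule evaluation in section 2.6.1 (added example).

Names, fields and sample values are assumptions of this sketch, not
Insightix data structures or API.
"""
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"


@dataclass(frozen=True)
class Audit:
    """What the Windows OS audit learned about a connecting element."""
    operating_system: str
    service_pack: int = 0
    open_services: frozenset = frozenset()   # open TCP ports
    hotfixes: frozenset = frozenset()
    firewalled: bool = False
    netbios_enabled: bool = True
    credentials_ok: bool = True


@dataclass(frozen=True)
class Rule:
    operating_system: str
    action: str                              # applied when all checks pass
    service_pack: int = 0                    # assumption: treated as a minimum
    open_services: frozenset = frozenset()   # services that must be open
    hotfixes: frozenset = frozenset()        # hot fixes that must be present

    def __post_init__(self):
        # The manual requires every hot fix identifier to start with KB or Q.
        bad = sorted(h for h in self.hotfixes
                     if not h.upper().startswith(("KB", "Q")))
        if bad:
            raise ValueError(f"hot fix must start with KB or Q: {bad}")

    def matches(self, a: Audit) -> bool:
        required = {h.upper() for h in self.hotfixes}
        installed = {h.upper() for h in a.hotfixes}
        return (a.operating_system.lower() == self.operating_system.lower()
                and a.service_pack >= self.service_pack
                and self.open_services <= a.open_services
                and required <= installed)


@dataclass
class AdmissionPolicy:
    rules: list                      # ordered: the first matching rule is used
    if_firewalled: str = DENY
    if_no_netbios: str = DENY
    if_bad_credentials: str = DENY
    if_no_match: str = DENY

    def evaluate(self, a: Audit):
        """Return (action, reason) for one audited element."""
        # Step 5: conditions that make the checks unfeasible. Testing them
        # before the rules, in this order, is an assumption of the example.
        if a.firewalled:
            return self.if_firewalled, "firewalled"
        if not a.netbios_enabled:
            return self.if_no_netbios, "NetBIOS not enabled"
        if not a.credentials_ok:
            return self.if_bad_credentials, "credentials rejected"
        # Step 4 and the closing note: the first matching rule decides.
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(a):
                return rule.action, f"rule {number}"
        # Step 6: nothing matched.
        return self.if_no_match, "no match"


def sample_policy(if_firewalled: str = DENY) -> AdmissionPolicy:
    # Constructed policy; KB0000001 is a placeholder, not a real hot fix.
    return AdmissionPolicy(
        rules=[
            Rule("Windows XP", ALLOW, service_pack=2,
                 open_services=frozenset({139}),
                 hotfixes=frozenset({"KB0000001"})),
            Rule("Windows XP", DENY),    # any other Windows XP element
        ],
        if_firewalled=if_firewalled,
    )
```

In this model, setting a step 5 condition to Allow admits an element whose service pack, services and hot fixes were never checked, so those three settings deserve the same review as the rules themselves.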


2.6.2 Configuring the Admission Quarantine

Insightix Quarantine Silo technology ensures an authorized device is denied access to the network

while compliance checks are performed, and that quarantined devices cannot access each other.

This ensures the complete isolation of questionable elements from the network until they are granted

(or denied) network access. Insightix Quarantine Silo technology ensures network access is granted

to authorized devices only after successfully passing the compliance checks.

The conditions for the quarantining of a device are configured in the NAC > Admissions >

Quarantine page.

To configure the Admission quarantine:

1 In the Admission tab of the NAC Module, click Quarantine. The Quarantine page is displayed.

Figure 19: NAC Module – Admission Tab (Quarantine Page)

2 Configure when NAC should quarantine elements by selecting Do not quarantine elements or Quarantine elements for each of the following options:

• While performing admission checks

• When a security violation is discovered during the admission stage

3 Define the remediation servers that can be accessed by an element that is in quarantine for the purpose of aligning the device with the enterprise’s network access policy as follows:

• To add a remediation server, type its IP address in the fields immediately above the IP Address header in the table and click Add. The IP address is added to the table.


• To remove a remediation server, select the checkbox adjacent to its IP address and click Remove Selected.

Note: The IP address of the remediation server must be local to the subnet it serves.

4 Click Save to save the changes.

2.7 Post-Admission Module

This module is charged with the task of constantly monitoring the network, identifying and

responding to any changes made to the properties of devices that are authorized to operate on the

network. The Post-Admission module allows the building of device profiles to ensure that the

properties of an authorized device are not abused by an unauthorized device masquerading as an

authorized device.

2.7.1 Configuring the Compliance Checks

You can configure compliance checks to make sure that specific operating systems and running services are not operating on your networks.

To configure the compliance checks:

1 Select NAC > Post-Admission. The Policy page of the Post-Admission tab is displayed.

Figure 20: NAC Module – Post-Admission Tab (Policy Page)


2 Select or clear the Enable NAC Post-Admission protection checkbox to enable or disable the Post-Admission module.

3 From the Define action dropdown list, select the action to be taken if a non-authorized operating system or a network service is detected:

• Alert: Network access policy violations are reported, but the policy is not enforced.

• Enforce: Action is taken against devices that do not comply with the network access policy according to the selected enforcement method (configured under NAC > Configuration).

4 To perform post-admission checks for denying access from a certain operating system:

• Select the Non-Authorized operating systems checkbox.

• Select the Operating System family from the dropdown lists immediately above the

Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.

• Click Add. A rule is added. If the specified type of operating system is detected and Post-Admission protection is enabled, the element will be handled according to the action defined above the tables.

Note: To remove a rule, select it in the table and click Remove.

5 To perform post-admission checks for non-authorized running service(s):

• Select the Non-Authorized open running services checkbox.

• Select the Operating System family from the dropdown lists immediately above the Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.

• In the Services field, enter up to two applicable TCP ports.

• Click Add. A rule is added. If the specified type of running service and operating system

are detected and Post-Admission protection is enabled, the elements will be handled according to the action defined above the tables.

Note: To remove a rule, select it in the table and click Remove.

6 Click Save to save the changes.

2.7.2 Creating a Device Profile

Creating device profiles for specific elements in the inventory helps prevent spoofing attacks. A

device profile sets one or more of the following parameters as fixed:

• Operating System

• NETBIOS name

• Switch IP address and port to which it is connected

If the device properties are changed so that the fixed properties no longer match, the defined Post-

Admission action is taken (Alert, Enforce).


Device profiles are configured in the NAC > Post-Admission > Devices page.

To configure device profiles:

1 In the Post-Admission tab of the NAC Module, click Devices. The Devices page is displayed.

Figure 21: NAC Module – Post-Admission Tab (Devices Page)

The Devices page lists all the elements in the inventory list. If the properties of a device do not match its fixed profile parameters, it is displayed in red.

2 From the Define action dropdown list, select the action to be taken if a non-authorized operating system is detected:

• Alert: Network access policy violations are reported, but the policy is not enforced.

• Enforce: Action is taken against devices violating the network access policy according to the selected enforcement method (configured under NAC > Configuration).

3 Select the checkbox for a specific element to indicate that it must always use the configured parameters.

Tip: You can use the Search option to locate and sort elements according to various

criteria. For additional information, refer to 2.11 Searching the Insightix Discovery &

NAC Lite Edition.


4 (Optional) Right-click anywhere on the line for the element and select one or more of the following options in the popup menu:

• Set current Operating System as Fixed

• Set current NETBIOS Name as Fixed

• Set current Switch IP and Port as Fixed

The selected properties are set as fixed for the selected element.

Notes:

To edit the fixed property settings, right-click and select or clear the options as

required.

To disable the fixed property settings, clear the element's checkbox in the Operating

System column.

5 Click Save to save the changes.
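The device profile check described in this section compares each new observation of an element with the properties that were set as fixed. The following Python model is an added example, not Insightix code: the class names, the comparison rules (NetBIOS names compared without regard to case) and the sample inventory are assumptions of the example.

```python
"""Post-admission device profile check from section 2.7.2 (added example).

Class names and sample data are assumptions, not Insightix structures.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def norm_mac(mac: str) -> str:
    """Lower-case a MAC address and use ':' as the separator."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Observation:
    """One discovery result for an element in the inventory."""
    mac: str
    operating_system: str
    netbios_name: str
    switch_ip: str
    switch_port: int


@dataclass(frozen=True)
class DeviceProfile:
    """Properties set as fixed for one element; None means not fixed."""
    mac: str
    fixed_os: Optional[str] = None
    fixed_netbios: Optional[str] = None
    fixed_location: Optional[Tuple[str, int]] = None

    @classmethod
    def pin(cls, obs, os=True, netbios=True, location=True):
        """Mirror of the 'Set current ... as Fixed' menu options."""
        return cls(
            mac=norm_mac(obs.mac),
            fixed_os=obs.operating_system if os else None,
            fixed_netbios=obs.netbios_name if netbios else None,
            fixed_location=(obs.switch_ip, obs.switch_port) if location else None,
        )

    def mismatches(self, obs):
        """List (property, expected, seen) for every fixed property that changed."""
        found = []
        if self.fixed_os is not None and obs.operating_system != self.fixed_os:
            found.append(("Operating System", self.fixed_os, obs.operating_system))
        if (self.fixed_netbios is not None
                and obs.netbios_name.upper() != self.fixed_netbios.upper()):
            found.append(("NETBIOS Name", self.fixed_netbios, obs.netbios_name))
        here = (obs.switch_ip, obs.switch_port)
        if self.fixed_location is not None and here != self.fixed_location:
            found.append(("Switch IP and Port", self.fixed_location, here))
        return found


def post_admission_check(profiles, observations, action="Alert"):
    """Return one event per observation that violates its device profile."""
    by_mac = {p.mac: p for p in profiles}
    events = []
    for obs in observations:
        profile = by_mac.get(norm_mac(obs.mac))
        if profile is None:
            continue                      # element has no fixed properties
        diffs = profile.mismatches(obs)
        if diffs:
            events.append({
                "mac": profile.mac,
                "action": action,         # Alert or Enforce
                "changed": [name for name, _, _ in diffs],
                "details": diffs,
            })
    return events


def sample_events(action="Enforce"):
    # Constructed inventory: documentation IP addresses, made-up MACs.
    desk = Observation("02:00:00:AA:BB:01", "Windows XP", "FRONTDESK", "192.0.2.10", 7)
    lab = Observation("02:00:00:aa:bb:02", "Windows 2000", "LAB2", "192.0.2.10", 8)
    profiles = [DeviceProfile.pin(desk),
                DeviceProfile.pin(lab, netbios=False, location=False)]
    later = [
        desk,                                                     # unchanged
        Observation("02-00-00-aa-bb-01", "Linux", "", "192.0.2.11", 19),
        Observation("02:00:00:aa:bb:02", "Windows 2000", "LAB2", "192.0.2.11", 3),
    ]
    return post_admission_check(profiles, later, action)
```

The second observation reuses an authorized MAC address with a different operating system, name and switch port and is reported; the third element moved ports but only its operating system was fixed, so it is not.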

2.8 Exceptions

You can define exceptions to the various NAC modules. An exception rule can be configured

according to a variety of device parameters, including MAC address, MAC address range, IP

address, network address, switch IP, and switch IP and port. The operational stages the exception

rule overrides must be configured for each rule. Devices that meet the conditions of a defined

exception do not pass through the NAC module this exception rule is set for.


To define an exception:

1 In the NAC module, select the Exceptions tab. The Exceptions tab is displayed.

Figure 22: NAC Module – Exceptions Tab

If any exceptions have been defined, they are listed on the Exceptions tab.

2 From the Type dropdown list, select the device parameter on which the exception is to be based and enter the corresponding criteria in the adjacent fields.

• MAC Address: The MAC address of the specific device.

• MAC Range: The first three bits, which define a range of MAC addresses belonging to a certain NIC family (usually the same manufacturer).

• Switch IP: The IP address of a switch.

• Switch IP and Port: The IP address of a switch and the exact number of the port.

• IP Address: The IP address of a specific device.

• Network Address: The network address of a specific subnet.

Note: The number and size of the adjacent fields change according to the option

selected from the dropdown list.

3 Select the NAC module or modules that the exception rule is to discard by selecting the checkbox adjacent to the NAC module’s name.

Note: The available NAC modules to be set as an exception vary according to

the option selected from the dropdown list.


4 Click Add. The exception is added to the list.

5 Click Save.

To remove an exception:

1 In the Exceptions tab, select the exception to be removed and click Remove Selected.

2 Click Save.

To edit an exception:

1 In the Exceptions tab, select the exception to be edited and click on the icon to select the NAC modules that the exception rule is to discard.

2 Click Save.
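To see which NAC modules still apply to an element once exceptions are defined, the exception types of this section can be modelled as data. This Python sketch is an added example, not Insightix code: the class names and sample rules are assumptions, MAC Range is modelled as a leading hex prefix of the address, and Network Address is written in CIDR notation.

```python
"""Exception rules from section 2.8, modelled as data (added example).

Names, value formats and sample rules are assumptions of this sketch.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Order of execution stated in the manual when all modules are enabled.
MODULE_ORDER = ("Pre-Admission", "Admission", "Post-Admission")


def hex_mac(mac: str) -> str:
    """Reduce a MAC address (or prefix) to lower-case hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


@dataclass(frozen=True)
class Element:
    mac: str
    ip: str
    switch_ip: str
    switch_port: int


@dataclass(frozen=True)
class ExceptionRule:
    kind: str                   # one of the Type dropdown options
    value: str
    skips: frozenset            # NAC modules this exception discards
    port: Optional[int] = None  # only for "Switch IP and Port"

    def __post_init__(self):
        if not self.skips or not self.skips <= set(MODULE_ORDER):
            raise ValueError("skips must name at least one NAC module")
        if self.kind == "MAC Range" and not hex_mac(self.value):
            raise ValueError("MAC Range needs a non-empty prefix")

    def matches(self, e: Element) -> bool:
        if self.kind == "MAC Address":
            return hex_mac(e.mac) == hex_mac(self.value)
        if self.kind == "MAC Range":
            return hex_mac(e.mac).startswith(hex_mac(self.value))
        if self.kind == "IP Address":
            return ipaddress.ip_address(e.ip) == ipaddress.ip_address(self.value)
        if self.kind == "Network Address":
            return ipaddress.ip_address(e.ip) in ipaddress.ip_network(self.value)
        if self.kind == "Switch IP":
            return e.switch_ip == self.value
        if self.kind == "Switch IP and Port":
            return (e.switch_ip, e.switch_port) == (self.value, self.port)
        raise ValueError(f"unknown exception type: {self.kind}")


def modules_applied(element, exceptions, enabled=MODULE_ORDER):
    """Enabled NAC modules the element still passes through, in order."""
    skipped = set()
    for rule in exceptions:
        if rule.matches(element):
            skipped |= rule.skips
    return [m for m in MODULE_ORDER if m in enabled and m not in skipped]


def sample_exceptions():
    # Constructed rules: documentation IP ranges and a made-up MAC prefix.
    return [
        ExceptionRule("MAC Range", "02:00:5E", frozenset({"Pre-Admission"})),
        ExceptionRule("Network Address", "198.51.100.0/24",
                      frozenset({"Admission"})),
        ExceptionRule("Switch IP and Port", "192.0.2.10",
                      frozenset(MODULE_ORDER), port=24),
    ]
```

Running every inventory element through `modules_applied` gives a list of devices that bypass one or more modules, which is a useful review artifact whenever an exception is added or edited.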

2.9 Enforced Violations

The Enforced Violations tab of the NAC module lists the elements that are either denied network access or quarantined, in keeping with the NAC enforcement policy.

The Enforced Violations tab contains three pages:

• Switch Integration – Lists the shut-down switch ports to which unauthorized or non-compliant devices are connected.

• Quarantine Silo – Lists unauthorized and/or non-compliant devices that are denied network access using Insightix’s patent-pending Quarantine Silo and Enforcement technology.

• Quarantine – Lists non-compliant devices, which are currently being quarantined.

2.9.1 Enforcement Using Switch Integration

The Switch Integration page of the Enforced Violations tab lists elements that have been

disconnected from the network by shutting down the switch port to which they were connected, in

keeping with the NAC policy.

2.9.1.1 Re-enabling a Closed Switch Port

If you identify specific switch ports that you do not want to remain disconnected, you can set the

NAC module to re-enable those switch ports.


To re-enable specific switch ports:

1 In the NAC module, select the Enforced Violations tab. The Switch Integration tab is displayed.

Figure 23: NAC Module – Enforced Violations Tab

The Switch Integration page lists the following information for those elements that have been disconnected in keeping with NAC policy:

• Switch IP Address: The IP address of the switch to which the element was connected.

• Switch Port: The port number of the switch to which the element was connected.

• Element: The MAC address of the device.

• Disconnection Reason: The reason for disconnecting the device, for example, because the device is an unauthorized device.

• Time & Date: The date and time when the device was disconnected.

• Mode: The enforcement module that prevented the network access.

2 Select the switch port to be re-enabled and click Allow Network Access. The selected

switch port is re-enabled. Insightix NAC automatically re-enables the shutdown switch ports at regular time intervals (by default, every five minutes).

Note: The Insightix Discovery & NAC Lite Edition automatically re-enables a shut-down switch port after a five-minute time period. If the element for which access was prevented remains connected to this port, the port will be shut down again when the element is rediscovered. The re-enable time interval is configurable. For details, refer to Configuring Real-Time System Parameters, page 118.


2.9.1.2 Finding Closed Switch Ports

You can locate a closed switch port on any identified switches operating on the network.

To locate closed switch ports:

1 In the NAC module, select the Enforced Violations tab.

2 Click Scan Switches for Closed Ports to perform the scan. The following window is displayed:

Figure 24: Scanning for Closed Switch Ports

Any closed switch ports are now displayed on the Enforced Violations tab.

2.9.2 Enforcement Using Quarantine Silo & Enforcement Technology

The Q. Silo page of the Enforced Violations tab lists elements that have been disconnected from the network using Insightix’s patent-pending Quarantine Silo and Enforcement technology, in keeping with the NAC policy.

The Q. Silo page lists the following information for those elements that have been disconnected in keeping with NAC policy:

• MAC Address: The MAC address of the element violating the network access policy.

• Disconnection Reason: The reason for disconnecting the device, for example, because the

device is an unauthorized device.

• Time & Date: The date and time when the device was disconnected.

• IP Address: The IP address of the element violating the network access policy.


Figure 25: NAC Module: Enforced Violations Tab (Quarantine Silo & Enforcement Page)


2.9.3 Quarantined Elements

The Quarantined Elements page of the Enforced Violations tab lists elements that are currently

quarantined while Insightix NAC performs compliance checks.

Figure 26: NAC Module – Enforced Violations Tab (Quarantine Page)

The Quarantine tab lists the following information for the elements currently in quarantine:

• MAC Address: The MAC address of the element in quarantine.

• Disconnection Reason: The reason for quarantining the element.

• Time & Date: The date and time when the device was quarantined.

• IP Address: The IP address of the element.


2.10 NAC Configuration

To deny network access to unauthorized elements trying to attach themselves to the enterprise network and/or to non-compliant elements, Insightix NAC can be configured using two enforcement modules:

• Switch Integration: Elements found to be non-compliant with the network access control policy are disconnected from the network by shutting down the switch port they are connected to.

• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for

enforcement and quarantine, which removes dependencies on switch integration and other IT

resources. Insightix Quarantine Silo & Enforcement technology ensures that an unauthorized element and/or a non-compliant element cannot access the network.

The mode of enforcement for the NAC is set in the Configuration tab of the NAC module.

To configure the enforcement mode:

1 In the NAC module, select the Configuration tab. The Configuration tab is displayed.

Figure 27: NAC Module – Configuration Tab


2 Select one of the following NAC Enforcement mode options:

• Switch Integration: This option disconnects non-compliant elements from the network by shutting down the switch port to which they are connected.

• Quarantine Silo & Enforcement Technology: This option utilizes Insightix’s patent-pending Quarantine Silo and enforcement technology to deny access to unauthorized and/or non-compliant elements.

• Both: This option combines the above two options.

3 Click Save to save the changes.

Note: If the selected option incorporates Quarantine Silo & Enforcement technology and

there is a problem with Layer-2 access to one or more networks, a warning message is

displayed when you click Save, indicating those networks against which this technology

cannot be applied.

• Alerts Module .

• Audit: Provides information regarding network servers and services, allows the configuration of

network services audit, controls the operating system signatures generated, allows the

configuration of the Windows operating system patch (hotfixes) audit, and allows naming

network services. For details, refer to 8 Audit Module.

• Reports: Enables a user to generate, view and export a wide range of pre-defined reports. For

details, refer to 9 Reports Module.

• Configuration: Enables the configuration of various parameters affecting the operation of the

system. For details, refer to 10 Configuration Module.

Note: Although the NAC module is available during the evaluation period, it is not part of the

standard Insightix Discovery & NAC Lite Edition and requires a separate license. Please

contact your local reseller or [email protected] for details.

Each module is accessed by selecting the corresponding module name in the Module Selection bar.

A user with read-only privileges cannot view the following:

• Inventory right-click menu

• Configuration tab of the Alerts module

• Configuration, Device Authorization, Windows OS Audit, OS Signatures, and Service

Naming tabs of the Audit module.

• Configuration module

• NAC module

2.11 Searching the Insightix Discovery & NAC Lite Edition

Insightix Discovery & NAC Lite Edition enables a user to search for a specific device or element

according to a string that appears in any of the element's defined properties. The Search option can

be found in the Inventory and Topology modules.


To search for an element:

1 Enter your search criteria in the Search field. The search criteria can consist of a full or partial word that is included in any of a device’s parameters.

The search criteria can include more than one word. For example, entering “Windows SP2”

retrieves all the elements that have both Windows and SP2 (i.e. Service Pack 2) in their properties.

In addition, there is an option to negate the search. For example, searching for “Windows –SP2” displays all Windows machines that do not have SP2 installed.

Important Note: The search is not case sensitive.

Tip: To search for a specific port, enter tcpport:<port number> or udpport:<port

number> in the Search field.

2 (Optional) Certain predefined keywords can be used for specific searches. These include:

online, offline, DC (for domain controller), DHCP (for DHCP server), KVM, NAT, printer, router, switch, storage, UPS, VMware, voice, firewall, wireless, and so on.

3 (Optional) To include only those parameters that contain the exact phrase you enter, select the Exact Match checkbox.

4 Click Search to execute the search. The matching results are displayed in the Search Results.

Figure 4: Sample Search Results

Tip: To sort the search results according to a specific criterion, select the

criterion from the Sort by dropdown list. The search results can be sorted

according to MAC Address, IP Address, or Operating System.

2.12 Exporting Data

Search results, inventory data, the physical network topology map and other reports can be exported

to external files. Inventory related data can be exported in CSV, HTML or PDF format. The Topology

Map can be exported in Visio format. This option is available in the Inventory and Reports modules.

To export data from the Inventory module:

1 Select the required type of export file to be created from the Export to dropdown list (in either

the Inventory module or the Reports module) and click Export. A report is created in an external window.

2 Save the file, as required.

2.13 Right-Click Menu Indicator

A right-click menu indicator appears when the cursor is positioned for a period of 3 seconds over an entry or function for which a right-click menu is available. Moving the mouse cursor over the right-click menu indicator displays the menu options.

2.14 Interactive Module Selection Bar

The Module Selection Bar allows interactive browsing (when available). When the cursor is

positioned over a module that includes multiple tabs and/or pages, a list of its internal module pages

is displayed. Selecting a tab name directs the browser to that tab.

Figure 5: Interactive Module Selection Bar

3 Dashboard Module

The Dashboard module provides a composite overview of ongoing system activities. The data

displayed is automatically refreshed on an ongoing basis.

This chapter describes the Dashboard module and the information that it displays.

3.1 Dashboard Module Components

The Dashboard module page is divided into several areas, each of which provides information

regarding system wide monitoring.

Figure 6: Dashboard Module Components

3.1.1 System Summary Area

The System Summary area lists general information regarding the system, as follows:

| PARAMETER | DESCRIPTION |
| --- | --- |
| System Uptime | The length of time that the system has been up (days, hours, minutes, seconds). |
| System Version | The Insightix Discovery & NAC Lite Edition’s version number. |
| Online Devices | The total number of elements currently connected to the monitored networks. |
| Operating Systems Detected | The number of elements detected, currently connected to the monitored networks, for which the operating system was identified. |
| Operating Systems Not Detected | The number of elements detected, currently connected to the monitored networks, for which the operating system could not be identified. |
| Devices Without IPs | The number of elements detected, currently connected to the monitored networks, for which an IP address was not discovered. |
| Offline Devices | The number of elements detected that were connected to the network sometime in the past but are currently detached from the network. |
| Offline Devices Without IPs | The number of elements detected that were connected to the network sometime in the past but are currently detached from the network, for which an IP address was not discovered. |
| NACed Devices | The number of elements whose access to the network is currently blocked. |
| Total Devices | The total number of elements detected by the system. It is the sum of the online elements and the offline elements. |
| Frames Processed | The total number of packets the system has processed. |

3.1.2 OS Summary Area

The OS Summary area lists the operating systems detected as currently operating on the network,

and indicates the number of devices per operating system. By default the list is ordered according to

the quantity.

To sort the list according to a specific parameter (for example, OS Name), click the corresponding

column header. The table is sorted according to the selected header. Scroll down to view the

complete list.

3.1.3 Alerts Table

The Alerts table lists the five most recent alerts triggered by the system. Each entry includes the

alert number (ID), a timestamp, the alert message, and the alert’s severity. The severity of the alert

is indicated by an alert icon, as follows:

A red X indicates critical severity

A red exclamation point indicates high severity

A yellow triangle indicates medium severity

A green "i" indicates low severity

To view the detailed individual properties of the element for which the alert was triggered, right-click

the Alert Message field of the alert and select the IP address or the MAC Address of the element.

The Individual properties page for the element is displayed, listing the properties of the selected

element.

4 Topology Module

The Topology module provides the physical network topology map of the monitored network. It

enables you to search for devices and to locate their whereabouts on the network topology map.

This chapter describes how to use the physical network topology map and how to search for and

locate a specific element on the topology map.

4.1 Viewing the Physical Network Topology Map

The physical network topology map illustrates the connectivity of the elements as detected by the

Insightix Discovery & NAC Lite Edition.

The information presented in the Topology module is read-only and cannot be edited.

To display the topology map:

• Select Topology in the Module Selection bar. The Topology module is displayed.

Figure 7: Topology Module

By default, one of the routers is the centered element on the topology map.

The following icons represent the elements in the topology map:

• Insightix Discovery Device

• Router

• Switch

• Hub

• Host

• NAT Device

• Firewall

• Wireless Access Point

• KVM Over IP

• UPS

• VMware Guest

• VMware Host

• Analog voice equipment

• Device Group

• Voice Over IP equipment

• Storage Device

• Printer

• Print Server

• IP PBX

• PBX

Note: For your convenience, you can view the Map Legend at any time by selecting the

Show Legend checkbox.

Note: If the Topology module has not yet been executed, a message is displayed indicating

so.

An asterisk (*) following an IP address indicates that the device has more than one IP address. In such instances, the application lists the IP address that best fits the device (according to the network). When the mouse is positioned over the device, all of the IP addresses that are associated with the device are listed in a tooltip that summarizes the device properties (Figure 8).

Devices that have other devices connected to them are circled in gray (i.e. switches, hubs). To

display the connected devices, right-click the element and select Expand. The expanded element is

no longer circled in gray. To hide the connected elements, right-click the element and select

Collapse from the right-click menu.

In some cases, elements are grouped together when a device to which other elements are

connected is expanded. This is due to user interface considerations. To fully expand the elements,

right-click the Device Group icon and select Show Hosts from the right-click menu. To collapse the

devices, right-click the parent device (the device to which they are connected), and select Regroup

Devices from the right-click menu.

To place a specific element at the center of the topology map, select the Show Set Center Options

checkbox. Then select the IP address of the element from the dropdown list of known switches and

click Set Center. The element is centered on the topology map. It is recommended to allow the

application to automatically set the center of the topology map.

To display only the connectivity between networking devices (i.e., switches, routers, hubs and

VMware host machines), select the Show Physical Topology Only checkbox. To include host

device connectivity in the topology map, clear the Show Physical Topology Only checkbox.

4.2 Viewing Device Properties

Some of the properties of a specific element can be viewed in the Topology module in the following

ways:

• Key properties of an element can be viewed in a tooltip when the mouse hovers above an

element.

• When a device is clicked, its properties are displayed in the Device Details area (the upper right

corner of the Topology module).

• Detailed properties for a specific element can be viewed in the individual inventory properties

page for the device.

To view the device properties summary:

• Hover over an element in the topology map. A summary of the element's properties is

displayed in a tooltip (Figure 8).

Figure 8: Device Properties Tooltip

OR

Click an element in the map. The element is centered and circled in red. Some of its

properties, including its MAC address, IP address, operating system, Host Name, and the switch IP address and the switch port to which it is connected, are displayed in the Device Details area.

To view the detailed device properties:

• Right-click the element on the topology map and select Properties from the right-click menu.

OR

Click the MAC address of an element in the Search Results pane. The element is centered on

the topology map and its details appear in the Device Details area. Then click Properties in the Device Details area.

The Inventory module is displayed, listing the individual properties page for the selected element.

Figure 9: Device Specific Properties in the Inventory Module

4.3 Searching for a Device

You can search for a specific device or element according to a string that appears in any of the

element's properties.

Note: For a list of element properties, refer to section 5.3.

To search for an element:

1 Enter your search criteria in the Search field. The search criteria can consist of a full or partial

word that is included in any of a device's parameters. The search criteria can include more than a single word.

Important Note: The search is not case sensitive.

2 (Optional) To include only those parameters that contain the exact phrase you enter, select the Exact Match checkbox.

3 Click Search to execute the search. The matching results are displayed in the Search Results.

Tip: To sort the search results according to a specific criterion, select the criterion

from the Sort by dropdown list and click Search.

4 To place an element at the center of the topology map, click the element’s MAC address in

the search results. The element is centered and circled in red on the topology map and the summary of the individual properties of the element is displayed in the Device Details area.

To view additional element specific properties, click Properties in the Device Details area. The Inventory module is displayed, listing the individual properties of the selected device.

Figure 10: Locating an Element on the Topology Map

Tip: For your convenience, the Recently Viewed Devices area lists the most

recently viewed elements in the system. Clicking an element’s IP address in the

Recently Viewed Devices area displays the element's details in the Device Details

area without placing the element at the center of the map.

5 Inventory Module

The Inventory module lists the elements detected by the system, and enables users to view the

detailed properties of specific elements. The Inventory module forms a complete inventory list of

network elements:

• Online elements: Elements that are currently connected to the network.

• Offline elements: Elements that were connected to the network in the past but are currently

detached from the network.

This chapter describes the Inventory module and the information that it displays.

5.1 Viewing the Inventory List

To display the inventory list:

• Select Inventory in the Module Selection bar. The Main page of the Inventory module is

displayed.

Figure 11: Inventory Module

The following parameters are listed for each element in the system inventory:

| PARAMETER | DESCRIPTION |
| --- | --- |
| A | The authorization status of the devices, as follows: Authorized, Not authorized. Authorization enables users to easily distinguish between known devices and unknown devices. It also enables detection of unauthorized devices connecting to the network. Authorization is performed in the Audit module in the Device Authorization tab. |
| Cap. | The capability or function performed by the element in the network: DC – Domain Controller; DID – Insightix Discovery Device; F – Firewall; D – DHCP Server; KVM – KVM Over IP; N – NAT Device; P – Printer; PS – Print Server; PSTN – Analog voice equipment; R – Router; ST – Storage Device; S – Switch; U – UPS; VM – VMware Element; VoIP – Voice Over IP equipment; W – Wireless Access Point |
| IP Address | The IP address of the element. The IP addresses of online elements appear in blue. The IP addresses of offline elements appear in gray. The IP addresses of devices not allowed on the network (enforced by the NAC module) appear in red. |
| Operating System | The Operating System installed on the element. |
| Name | The NetBIOS name and/or the DNS name of the element. When only the icon is presented, the name displayed is the NetBIOS name for the element. When the icons and are presented, the name displayed is both the NetBIOS name and the DNS name for the element. When the icons and are presented, the value in the name field is the NetBIOS name for the element where the DNS name is different. When only the icon is presented, the name displayed is the element’s DNS name. |
| VLAN | The VLAN ID of the element, if assigned. |
| MAC Address | The MAC address of the element. |
| MAC Vendor ID | The name of the network interface card vendor. |
| Switch IP | The IP address of the switch to which the element is connected. |
| Port | The port number on the switch to which the element is connected. |
| User Name | The name of the user logged on to the element (applicable for Microsoft Windows-based elements). |

5.2 Filtering the System Inventory List

You can filter the System Inventory list by defining specific criteria and performing a search for

elements that match those criteria.

To filter the system inventory list:

1 Enter your search criteria in the Search field. The search criteria can consist of a full or partial word that is included in any of a device's parameters.

The search criteria can include more than one word. For example, entering “Windows SP2” retrieves all the elements that have both Windows and SP2 (i.e. Service Pack 2) in their properties.

In addition, there is an option to negate the search. For example, searching for “Windows –SP2” displays all Windows machines that do not have SP2 installed.

Important Note: The search is not case sensitive.

Tip: To search for a specific port, enter tcpport:<port number> or udpport:<port

number> in the Search field.

2 (Optional) Certain predefined keywords can be used for a specific search. These include:

online, offline, DC (for domain controller), DHCP (for DHCP server), KVM, NAT, printer, router, switch, storage, UPS, VMware, voice, firewall, wireless, and so on.

3 (Optional) To include only those parameters that contain the exact phrase entered in the Search field, select the Exact Match checkbox.

4 Click Search to execute the search. The results presented in the Inventory List are filtered to include only those elements that match the search criteria.

Tip: To sort the search results according to a specific criterion, select the criterion

from the Sort by dropdown list.

Note: You can export the search results to an external file (in CSV or HTML format).

Select the required type of file from the Export to dropdown list and click Export. A

report is created in an external window. Save the file, as required.
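
The search rules described in sections 2.11 and 5.2 (every word must match, a leading minus excludes, tcpport:/udpport: terms, case-insensitive matching, Exact Match and Sort by) can be modelled as follows to predict which devices a query returns. This is an added example, not Insightix code; the record field names, the sample devices, the acceptance of both "-" and "–" as the negation mark, and the reading of Exact Match as a single-phrase match are assumptions.

```python
import ipaddress
import re

# Constructed sample inventory (not real data). Keys loosely mirror the manual's
# parameter tables; "state", "tcp_ports" and "udp_ports" are assumed names.
DEVICES = [
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "os": "Microsoft Windows XP SP2",
     "name": "WS-ACCT-01", "state": "online", "tcp_ports": {135, 139, 445}, "udp_ports": {137}},
    {"ip": "10.0.0.12", "mac": "00:11:22:33:44:66", "os": "Microsoft Windows 2000 SP4",
     "name": "FILESRV", "state": "online", "tcp_ports": {80, 445}, "udp_ports": set()},
    {"ip": "10.0.0.100", "mac": "00:11:22:33:44:77", "os": "Linux 2.6",
     "name": "web01", "state": "online", "tcp_ports": {22, 80}, "udp_ports": set()},
    {"ip": "10.0.0.9", "mac": "00:11:22:33:44:88", "os": "Microsoft Windows XP SP2",
     "name": "LAB-PC", "state": "offline", "tcp_ports": set(), "udp_ports": set()},
]

PORT_TERM = re.compile(r"(tcpport|udpport):(\d+)", re.IGNORECASE)
NEGATION_MARKS = ("-", "\u2013")  # ASCII hyphen and the en dash printed in the manual


def parse_query(query):
    """Split a query into required words, excluded words and required ports."""
    required, excluded, ports = [], [], []
    for token in query.split():
        negated = token.startswith(NEGATION_MARKS) and len(token) > 1
        word = token[1:] if negated else token
        port = PORT_TERM.fullmatch(word)
        if port and negated:
            # The manual does not describe negated port terms, so refuse them
            # instead of silently returning a misleading result.
            raise ValueError("negated port terms are not described in the manual")
        if port:
            ports.append((port.group(1).lower(), int(port.group(2))))
        elif negated:
            excluded.append(word.lower())
        else:
            required.append(word.lower())
    return required, excluded, ports


def text_properties(device):
    """Lower-cased string properties; the search is not case sensitive."""
    return [str(v).lower() for k, v in device.items() if not k.endswith("_ports")]


def matches(device, query, exact=False):
    """Return True when the device satisfies the query."""
    props = text_properties(device)
    if exact:
        # Assumed reading of Exact Match: the whole entry is one phrase that
        # must appear inside a single property.
        phrase = " ".join(query.split()).lower()
        return any(phrase in p for p in props)
    required, excluded, ports = parse_query(query)
    # Every required word (full or partial) must appear in some property.
    if any(not any(w in p for p in props) for w in required):
        return False
    # No excluded word may appear in any property.
    if any(w in p for w in excluded for p in props):
        return False
    # "tcpport" -> "tcp_ports", "udpport" -> "udp_ports"
    return all(n in device[proto[:3] + "_ports"] for proto, n in ports)


# The three Sort by criteria named in the manual. IP addresses are compared
# numerically so that 10.0.0.12 sorts before 10.0.0.100.
SORT_KEYS = {
    "IP Address": lambda d: ipaddress.ip_address(d["ip"]),
    "MAC Address": lambda d: d["mac"].lower(),
    "Operating System": lambda d: d["os"].lower(),
}


def search(devices, query, exact=False, sort_by="IP Address"):
    """Filter devices by query and sort the hits by the chosen criterion."""
    hits = [d for d in devices if matches(d, query, exact)]
    return sorted(hits, key=SORT_KEYS[sort_by])


if __name__ == "__main__":
    for q in ("Windows SP2", "Windows -SP2", "tcpport:80", "windows sp2 online"):
        print(q, "->", [d["ip"] for d in search(DEVICES, q)])
```
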

5.3 Right-Click Menu Options

The Inventory module incorporates a right-click menu, available only to users who have

administrator privileges. The right-click menu is used to:

• Authorize or un-authorize an element

• Create an exception rule for the network access control (NAC) module

• Reset a device’s OS properties (available for online elements only)

• Reset a device’s properties (available for online elements only)

• Generate an OS signature (available for online elements only)

• Tune parameters for a device (available for online elements only)

• Set an online device as offline (available for online elements only)

• Remove an offline element from the inventory list (available for offline elements only)

• Perform a rediscovery of the DNS name, the underlying operating system of the element, or the presence of a personal firewall (available for online elements only)

Note: A right-click menu indicator appears when the cursor is positioned for a period of 3 seconds over an entry or function for which a right-click menu is available. Moving the mouse cursor over the right-click menu indicator displays the menu options.

5.3.1 Authorizing or Un-Authorizing a Device

Devices can be authorized or un-authorized using the right-click menu in the Inventory module.

To authorize a device:

1 In the Inventory module, right-click an unauthorized device and select Authorize from the right-click menu. A popup confirmation message appears.

2 Click OK to confirm or click Cancel to discard the change.

To unauthorize a device:

1 In the Inventory module, right-click an authorized device and select Unauthorize from the right-click menu. A popup confirmation message appears.

2 Click OK to confirm or click Cancel to discard the change.

5.3.2 Creating an Exception Rule

You can create an exception rule for the NAC module that prevents the element from being disconnected from the network.

To create an exception rule:

1 In the Inventory module, right-click an element and select Make an Exception Rule from the right-click menu. A popup confirmation message appears.

2 Click Yes to confirm or click No to discard the change.

5.3.3 Resetting Device Properties

When you reset any of the properties of an element, the device data is redetected in the next

discovery cycle and updated accordingly.

Note: A device must be online in order for its properties to be reset.

5.3.3.1 Resetting Device OS Properties

The operating system properties of an element can be reset without resetting additional information.

The previously detected OS reverts to Unknown and the operating system is re-identified.

To reset OS properties:

1 In the main page of the Inventory module, right-click an element in the Inventory list and

select Reset Device OS Properties from the right-click menu. A popup confirmation message appears.

2 Click OK to confirm.

5.3.3.2 Resetting All Device Properties

All of the properties and data collected for an element can be reset. The device properties, including

the underlying OS, are then re-discovered.

To reset all device properties:

1 In the main page of the Inventory module, right-click an element in the Inventory list and

select Reset All Device Properties from the right-click menu. A popup confirmation message appears.

2 Click OK to confirm.

5.3.4 Generating an OS Signature

5.3.4.1 Creating a New OS Signature for an Unknown Element

By default, the Insightix Discovery & NAC Lite Edition is able to identify hundreds of different

operating systems. In case a certain element’s operating system is not identified (or is misidentified)

by the application, the automatic operating system signature generator mechanism can be used.

This mechanism allows operating system signatures to be introduced into the system in an intuitive

and easy manner. Once an operating system signature is created, it can be used to identify other

unknown devices whose operating systems match the newly created operating system signature.

Note: An OS signature can be generated only for an online device.

To generate an OS signature:

1 In the main page of the Inventory module, right-click an unknown element in the Inventory list

and select Generate OS Signature from the right-click menu. The following window is displayed.

2 In the Operating System area, set the following parameters:

• OS Family: The operating system family name (for example, Microsoft Windows).

• OS Type: The exact type of the operating system (for example, 2000).

• OS Additional Info (optional): Additional information, if applicable (for example, Service Pack 3).

• Appliance (optional): If the device is an appliance, select the Appliance checkbox (for example, Linksys wireless access point).

3 (Optional) In the Capabilities area, select the checkboxes for the relevant capabilities.

4 Click Save. The operating system automatic signature generator process begins executing.

5 If the operating system automatic signature is successfully generated, a new OS signature is created and a popup message indicates that the process has been successfully completed.

6 The element’s operating system name now reflects the name of the newly added operating

system signature. An asterisk (*) is appended to the new operating system’s name to indicate that this is a generated OS signature.

7 The newly created OS signature is listed in the OS Signature tab of the Audit module.

Note: If, for some reason, the operating system signature generating process fails, an error

message is displayed on the screen.

8 In order to apply the new signature against unknown elements in the Inventory list,

reschedule the operating system identification process by clicking the Reschedule button in the OS Signatures tab of the Audit module.

9 Any unknown devices that match the new OS signature are identified.

5.3.4.2 Creating a New OS Signature for a Misidentified Element

If an element’s operating system is misidentified due to the lack of an appropriate operating system

signature, this can be remedied using the operating system automatic generator.

To generate an OS signature for a misidentified element:

1 Right-click the misidentified element in the Inventory list and select Reset OS Properties from the right-click menu. A popup confirmation message is displayed.

2 Click OK to confirm the reset of the OS properties. The operating system name is changed to Unknown.

3 Right-click the element and select Generate OS Signature.

4 Proceed to create a new operating system signature for the element, as described in section 5.3.4.1, Creating a New OS Signature for an Unknown Element.

5.3.5 Tuning Device Properties

Specific parameters can be applied to a selected element by tuning the device parameters.

Note: A device must be online in order for its properties to be tuned.

To tune device parameters:

1 In the Main page of the Inventory module, right-click an element in the Inventory list and select Tune Parameters from the right-click menu.

2 Select the information to be changed for this element. The element’s operating system identification and/or its capabilities can be changed.

3 Click Save to apply the changes.

Note: When tuning the parameters of an element, a unique identification is created for this

element.

5.3.6 Setting a Device as Offline

The status of an online element can be changed to offline. The offline status is maintained until

activity is observed coming from the element.

To change a device state from online to offline:

1 In the Main page of the Inventory module, right-click an online element in the inventory list and select Set Offline from the right-click menu.

OR

In the Properties tab of the Individual Inventory page for the device, click the Set as Offline button.

A confirmation message is displayed.

2 Click Yes to confirm.

Note: Only an online element can be set as offline.

5.3.7 Removing an Element from the Inventory

An offline element can be removed from the Inventory list. No information is saved for an offline

element once it has been removed from the inventory list.

To remove an offline element:

1 In the Main page of the Inventory module, right-click an offline element in the Inventory list and select Remove Element from the right-click menu. A confirmation message is displayed.

2 Click Yes to confirm the removal of the offline element from the Inventory list.

Note: If at a later time activity is observed from a removed element, the element reappears in

the Inventory list as an online element, and its properties are re-discovered.

5.3.8 Active Rediscovery

Active rediscovery allows performing a rediscovery for the DNS name, the underlying operating

system, the presence of a personal firewall or the location of an element.

To rediscover the DNS name for an element:

• In the Main page of the Inventory module, right-click an online element in the Inventory list,

select Active Rediscovery from the right-click menu and then select DNS Name.

The DNS name is rediscovered. A popup message detailing the results of the rediscovery is

displayed when the rediscovery process is complete.

To rediscover the underlying operating system for an element:

• In the Main page of the Inventory module, right-click an online element in the Inventory list,

select Active Rediscovery from the right-click menu and then select OS Detection.

The underlying operating system is rediscovered. A popup message detailing the results of

the rediscovery is displayed when the rediscovery process is complete.

To rediscover the presence of a personal firewall for an element:

• In the Main page of the Inventory module, right-click an online element in the Inventory list,

select Active Rediscovery from the right-click menu and then select Personal Firewall

Detection.

Whether or not a personal firewall is present for the element is rediscovered. A popup

message detailing the results of the rediscovery is displayed when the rediscovery process is

complete.

To rediscover the location of an element:

• In the Main page of the Inventory module, right-click an online element in the Inventory list,

select Active Rediscovery from the right-click menu and then select Device Location.

The location of the element is rediscovered. A popup message detailing the results of the

rediscovery is displayed when the rediscovery process is complete.

5.4 Element Coloring Scheming

The elements listed in the Inventory module may be color-coded as follows:

• Blue – The element is online.

• Gray – The element is offline.

• Red – The element was denied access to the network by the NAC module.

5.5 Viewing Detailed Properties of a Specific Device

Users can view detailed properties of a specific element as well as additional information (if the

element is online) about its performance, running sessions, and related alerts.

To view element details:

• Click the IP address of an element in the Inventory list. The Inventory Properties page of the

Inventory module is displayed, listing the properties of the selected element.

The inventory details for an online device are displayed in the Properties, Performance, Audit,

Alerts, and Event History tabs of the Inventory module. Additional tabs may be presented for a

switch (Connected Elements) and for a Router (Interfaces and Routing).

The inventory details for an offline device are displayed in the Properties and Event History tabs.

5.5.1 Properties Tab

The Properties tab displays the properties of the selected device. The header of the Properties tab

includes information regarding the state of the element, and its detection on the network.

The following parameters are displayed for an online element:

| PARAMETER | DESCRIPTION |
| --- | --- |
| Inventory Properties for | The IP address of the specified element, as well as its active state (online). |
| Active since | The time at which the element was discovered to be active on the network. |
| Last activity seen at | The time at which the last activity was detected for the element. |

The following parameters are displayed for an offline element:

| PARAMETER | DESCRIPTION |
| --- | --- |
| Inventory Properties for | The MAC address of the specified offline element. |
| Last activity seen at | The time at which the element was detached from the network. |

Figure 12: Inventory Module – Specific Device Properties Tab for an Online Element

The Properties tab displays the following inventory details for an online element:

| PARAMETER | DESCRIPTION |
| --- | --- |
| IP Address | The IP address of the element. |
| MAC Address | The MAC address of the element. |
| MAC Vendor ID | The name of the manufacturer of the network interface card. |
| VLAN ID | The VLAN ID assigned to the element, if assigned. |
| Open Services | The network services that are currently running on this device. |
| OS | The Operating System running on the element. |
| Capability | The function performed by the element in the network (router, switch, VMware, and so on). |
| DNS Name | The DNS name for the IP address of the element (if it exists). |
| NetBIOS Name | The NetBIOS name of the element. (This field is not applicable for non-Microsoft Windows elements.) |
| Username (Windows) | The username of the user using this element. (This field is not applicable for non-Microsoft Windows elements.) |
| Domain | The name of the Windows domain to which the element belongs, if applicable. (This field may not be applicable for non-Microsoft Windows elements.) |
| Switch IP | The IP address of the switch to which the element is connected. |
| Switch Port | The port number on the switch to which the element is connected. |
| Geographic Location | Additional information regarding the location of the element. The information is taken from the Configuration > Topology > Location page. |
| Firewalled | Indicates whether or not a personal firewall is operating on the element. |
| Authorized | Indicates whether or not the device has been authorized, enabling a user to easily differentiate between known devices and unknown devices in the system. It also enables detection of unauthorized devices connecting to the network in real-time. To authorize the device, select Yes from the dropdown list. To unauthorize the device, select No from the dropdown list. Note: Only users with administrator privileges can authorize or unauthorize devices. |
| Free Text | A free text field in which a user can insert additional information about the element. |

To view the location of the device on the network, click the Locate on Topology Map link.

Changing information on the properties page requires administrator’s privileges.

An element can be moved to an offline state by clicking the Set as Offline button.

The Properties tab displays the following inventory details for an offline device:

PARAMETER | DESCRIPTION
IP Address | The IP address that was used by the element.
MAC Address | The MAC address of the element.
MAC Vendor ID | The name of the manufacturer of the network interface card.
VLAN ID | The VLAN ID that was assigned to the element, if assigned.
Open Services | The network services that were found running on this device.
OS | The underlying Operating System of the element.
Capability | The function performed by the element in the network (router, switch, VMware, and so on).
DNS Name | The DNS name for the IP address of the element (if it exists).
NetBIOS Name | The NetBIOS name of the element. (This field is not applicable for non-Microsoft Windows elements.)
Username (Windows) | The username of the user using this element. (This field is not applicable for non-Microsoft Windows elements.)
Domain | The name of the Windows domain the element is logged on to, if applicable. (This field may not be applicable for non-Microsoft Windows elements.)
Switch IP | The IP address of the switch to which the element was connected.
Switch Port | The port number on the switch to which the element was connected.
Geographic Location | Additional information regarding the location of the element. The information is taken from the Configuration > Topology > Location page.
Firewalled | Indicates whether or not a personal firewall was operating on the device.
Authorized | Indicates whether or not the device has been authorized, enabling a user to easily differentiate between known devices and unknown devices in the system. It also enables detection of unauthorized devices connecting to the network in real-time. To authorize the device, select Yes from the dropdown list. To unauthorize the device, select No from the dropdown list. Note: Only users with administrator privileges can authorize or unauthorize devices.
Free Text | A free text field in which a user can insert additional information about the element.

Note: Click the Inventory Main link to return to the main page of the Inventory module.

5.5.2 Connected Elements Tab (Switches Only)

The Connected Elements tab displays information about elements connected to the selected

switch. This tab is applicable for switches only.

Figure 13: Inventory Module – Specific Device – Connected Elements Tab

The Connected Elements tab displays the following details for each connected element:

PARAMETER | DESCRIPTION
Switch Port | The switch port to which the element is connected.
MAC Address | The MAC address of the element.
Authorized (A.) | Indicates whether or not the device has been authorized, enabling a user to easily differentiate between known devices and unknown devices in the system. It also enables detection of unauthorized devices connecting to the network in real-time.
VLAN | The VLAN ID assigned to the element, if assigned.
IP Address | The IP address of the element.
Operating System | The Operating System running on the element.
Hostname | The Hostname of the element.
C. | The capability of the element.

Note: Information about the location of an offline element is visible in the Connected

Elements tab.

Note: You can authorize or unauthorize an element by right-clicking the element in the

Connected Elements tab and selecting the corresponding option from the right-click menu.

5.5.3 Interfaces & Routing Tab (Routers Only)

The Interfaces & Routing tab is displayed for elements that are Routers. This tab includes

information regarding the routing table of a router, and lists the different interfaces of the router, as

applicable.

5.5.4 Alerts Tab

The Alerts tab lists the alerts generated for the specific element. Each entry includes the alert

number (ID), timestamp, the alert message, and the severity of the alert.

Figure 14: Inventory Module – Specific Device – Alerts Tab

The severity of the alert is indicated by an alert icon, as follows:

A red X indicates critical severity

A red exclamation point indicates high severity

A yellow triangle indicates medium severity

A green "i" indicates low severity

To sort the Alerts table according to a specific parameter (for example, Timestamp, ID, Alert

Message or severity), click the column header. The table is sorted according to the selected header.

5.5.5 Event History

The Event History tab lists alerts generated by the system and marked to be indexed to serve as a device’s history. In the Event History tab, audit information regarding the element can be traced back in time, for example, previously used IP addresses or changes in properties.

The Configuration tab of the Alerts module page is used to configure which alerts are to be

indexed. For more information, refer to Configuring Alerts, page 75.

Figure 15: Inventory Module – Specific Device – Event History Tab

6 NAC Module

6.1 Background

Insightix NAC delivers complete and real-time network access control, ensuring that only authorized

and compliant devices are allowed to access and operate on the enterprise network.

Insightix NAC provides complete network coverage by discovering, in real-time, a comprehensive

inventory of all elements connected to the network and their associated properties. Based on the

wealth of contextual IT infrastructure information gathered by Insightix NAC, IT professionals are

able to easily baseline their network and authorize the devices that are permitted to access and

operate on the network. Once activated, Insightix NAC performs real-time element detection and

authorization enforcement, denying connectivity to any unauthorized device.

Insightix NAC features a straightforward, rule-based policy engine for defining the compliance

checks to be performed against authorized Microsoft Windows-based elements as they attempt to

connect to the network. The compliance checks supported include checks on Windows-based

operating systems, including verification of the service pack level, presence of operating system

patches, running services, and so on. If an authorized device does not pass the compliance checks,

network access is granted to remediation servers only, allowing the device’s user to align the device

with the enterprise’s network access policy.

Insightix NAC uses a patent-pending technology – Insightix Quarantine Silo – for enforcement and

quarantine, which alleviates dependencies on switch integration and other IT resources, and

ensures that network access is granted to authorized devices only after successfully passing the

compliance checks.

Insightix NAC constantly monitors the network, identifying and responding to any changes made to

the properties of devices that are authorized to operate on the network. Insightix NAC ensures that

the properties of an authorized device, such as the MAC address, are not abused, preventing an

unauthorized device from masquerading as an authorized device.

Note: Although the NAC module is enabled during the evaluation period, it is not part of the

standard Insightix Discovery Lite Edition and requires a separate license for continued use.

Please contact your local reseller or [email protected] for details.

6.2 Operation

Insightix NAC incorporates three operational modules:

• Pre-Admission: This module uses several patent-pending techniques to perform real-time

element detection and authorization enforcement, denying connectivity to any unauthorized

device.

• Admission: This module allows configuring compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. The compliance checks supported include checks on Windows-based operating systems, including verification of the service pack level, presence of operating system patches, running services, etc. If an authorized device does not pass the compliance checks, network access is granted to remediation servers only, allowing the device’s user to align the device with the enterprise’s network access policy.

• Post-Admission: This module is charged with the task of constantly monitoring the network, identifying and responding to any changes made to the properties of devices that are authorized to operate on the network. The post-admission module allows building device profiles ensuring that the properties of an authorized device are not abused, preventing an unauthorized device from masquerading as an authorized device.

Note: Insightix NAC provides the flexibility of determining which NAC modules should, or

should not, be operational. The order of execution of the NAC modules, assuming they are all

enabled, is Pre-Admission, Admission, and finally Post-Admission.

Insightix NAC monitors elements from the time they are attached to the network until the time

they are detached from the network.

6.2.1 Quarantine

Insightix NAC uses a patent-pending technology for enforcement and quarantine, which alleviates

dependencies on switch integration and other IT resources. Insightix Quarantine Silo technology

ensures an authorized device is denied access to the network while compliance checks are

performed, and that quarantined devices cannot access each other. This ensures the complete

isolation of questionable elements from the network until they are granted (or denied) network

access. Insightix Quarantine Silo technology ensures network access is granted to authorized

devices only after successfully passing the compliance checks.

If an authorized device does not pass the compliance checks, network access can be granted to

remediation servers only, allowing the device’s user to align the device with the enterprise’s network

access policy. As long as the device fails to comply with the network access policy, it remains in the

quarantine.

6.2.2 Enforcement

To deny network access to unauthorized elements trying to attach themselves to the enterprise network and/or to non-compliant elements, Insightix NAC can be configured using two enforcement modules:

• Switch Integration: Elements found to be non-compliant with the network access control policy are disconnected from the network by shutting down the switch port to which they are connected.

• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for enforcement and quarantine, which removes dependencies on switch integration and other IT resources. Insightix Quarantine Silo & Enforcement technology ensures that an unauthorized element and/or a non-compliant element cannot access the network.

You can opt to use one or both of these enforcement modules. When both enforcement modules are enabled, Insightix NAC first attempts to shut down the switch port to which an unauthorized or a non-compliant element is connected.

Insightix NAC uses several patent-pending techniques to detect, in real-time, when a new element is

attempting to join the network. It discovers the exact switch and switch port to which the newly

discovered element is connected in real-time. Using its location discovery algorithms, Insightix NAC

classifies the connectivity point, and determines whether the element is directly connected to the

switch port, or whether it is sharing the port connectivity with other elements (i.e., through a Hub or

an unmanaged switch).

If Insightix NAC cannot shut down the switch port to which an unauthorized or a non-compliant

element is connected (if the element shares its switch connectivity with other elements, and/or if the

element is connected to an unmanaged switch), Insightix Quarantine Silo & Enforcement technology

is used to deny network access.

6.3 Operational Pre-Requisites

The Insightix Discovery & NAC Lite Edition should have access through its active NIC(s) to the layer-2 broadcast domains of the networks against which NAC is to be enforced.

The following are the prerequisites for the enforcement modules:

• Switch Integration: Read/Write SNMP access to the switches operating on the network.

• Insightix Quarantine Silo & Enforcement: Layer-2 access to the network Insightix NAC should

be operating against.

In order for the Insightix NAC to successfully audit a Microsoft Windows operating system during the

admission stage, the following pre-requisites need to be met:

• The Insightix NAC must be configured with local administrative rights on the remote machine and

be able to log on to this machine remotely (done under Audit > Windows OS Audit).

• File and Print Sharing must be enabled on the queried Microsoft Windows OS.

• The NetBIOS (TCP 139) port must be accessible on the remote machine.

• The queried Microsoft Windows machine must have the local Server service running.

• The remote machine must be running the Windows Remote Registry service.

6.4 Configuring the Pre-Admission Module

You can configure the type of action, if any, to be taken whenever an unauthorized device connects to the network. The pre-admission NAC module can be set to automatically enforce policy and disconnect any unauthorized device that attempts to attach itself to your network, or you can configure the system to issue an alert without taking action against the element.

The level of operation of the pre-admission NAC module is set in the Pre-Admission tab of the NAC

module.

Note: Device authorization is configured on the Audit > Device Authorization tab.

To configure the level of operation of the Pre-Admission NAC module:

1 Select NAC in the Module Selection bar. The Pre-Admission tab of the NAC module is displayed.

Figure 16: NAC Module – Pre-Admission Tab (Mode Selection)

The current mode of operation is selected in the Pre-Admission tab.

2 Select the required mode of operation:

• Disabled: The Pre-Admission module is disabled and unauthorized elements may access the network.

• Alert Only: Network access policy violations of unauthorized elements are reported but not enforced.

• Enabled: Elements that are not authorized are automatically disconnected from the network according to the selected enforcement method (configured under NAC > Configuration).

Note: The Save and Continue buttons are enabled/disabled according to the option selected in step 2.

3 If you select Disabled or Alert Only, click Save.

OR

If you select Enabled, click Continue to configure additional policy parameters.

A list of unauthorized devices that have been detected on the network is now displayed in the Pre-Admission tab. The elements listed will be disconnected from the network once the pre-admission NAC module is enabled.

Figure 17: NAC Module – Pre-Admission Tab (Unauthorized Device List)

4 (Optional) Review the list of unauthorized devices and authorize specific devices as required.

To authorize a device, select the checkbox adjacent to the IP address of the device and click Authorize Selected. The newly authorized devices are removed from the list and will not be disconnected when the pre-admission module is enabled.

5 Click Finish to enforce the pre-admission NAC policy.

6.5 Configuring the Admission Module

The admission NAC module allows you to configure the compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. If an authorized device does not pass the compliance checks, network access is granted to remediation servers only, allowing the device’s user to align the device with the enterprise’s network access policy.

6.5.1 Configuring the Compliance Checks

You can configure the compliance checks to be performed against authorized Microsoft Windows-based elements as they attempt to connect to the network. The compliance checks supported include checks on Windows-based operating systems, including verification of the service pack level, presence of operating system patches, running services, and so on.

To configure the compliance checks:

1 Select NAC > Admissions. The Policy page of the Admission tab is displayed.

Figure 18: NAC Module – Admission Tab (Policy Page)

2 Select or clear the NAC Admissions protection checkbox to enable or disable the Admission module.

3 From the Define action dropdown list, select the action to be taken if an authorized device does not pass the compliance checks:

• Alert: Network access policy violations of authorized non-compliant elements are reported but not enforced.

• Enforce: Action is taken against devices that do not pass the compliance checks according to the selected enforcement method (configured under NAC > Configuration).

4 To configure compliance check rules according to operating system:

• Select the Operating System for which to add a rule from the dropdown list immediately above the Operating System header.

• In the Action column, set the action that is to be taken when a device passes the compliance checks.

• Click Add. A line is added to the Rules table for the selected operating system.

• In the Admissions Checks column, click the icon to select the type(s) of service check(s) to be performed. A line is displayed for each selected service type.

• Set the additional required criteria for each selected service check type in the adjacent field as follows:

  • Service Pack Level: Specify the required service pack level.

  • Opened Network Service: Specify the network service(s) that must be open.

  • Hot Fixes: Specify the required Hot Fixes. Note: All Hot Fixes must start with "KB" or "Q".

Note: To remove a rule, select it in the table and click Remove.

5 Set the action to be taken (Allow/Deny) if the element matches the following conditions that make performance of one or more of the service checks unfeasible:

• If the element is firewalled.

• If the NETBIOS service is not enabled.

• If the credentials do not allow the extracting of information.

6 Set the action to be taken (Allow/Deny) if no match is found, meaning that the element does not match any of the rules for compliance check and does not meet the criteria of any special cases previously defined as allowed.

7 Click Save to save the changes.

Note: Multiple rules per operating system can be set. The first rule an element matches is the rule that is used.
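The decision order configured in this procedure, modelled as an added example (not Insightix code): special cases first, then the first rule the element matches, then the no-match default. Assumptions: a rule matches when the operating system is equal and every configured check passes, the service pack level is treated as a minimum, and all class, field and function names and the sample hot fix ID are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DENY = "Allow", "Deny"


@dataclass(frozen=True)
class Element:
    """What the admission audit learned about a connecting element."""
    os: str
    service_pack: Optional[int] = None
    open_services: frozenset = frozenset()    # TCP ports found open
    hotfixes: frozenset = frozenset()
    firewalled: bool = False
    netbios_enabled: bool = True
    credentials_ok: bool = True


@dataclass(frozen=True)
class Rule:
    """One line of the Rules table (hypothetical representation)."""
    os: str
    action: str                                # applied when every check passes
    min_service_pack: Optional[int] = None     # assumption: a minimum level
    required_services: frozenset = frozenset()
    required_hotfixes: frozenset = frozenset()

    def __post_init__(self):
        # The manual requires every Hot Fix to start with "KB" or "Q".
        bad = sorted(h for h in self.required_hotfixes
                     if not h.startswith(("KB", "Q")))
        if bad:
            raise ValueError(f"hot fixes must start with KB or Q: {bad}")

    def passes(self, e: Element) -> bool:
        if e.os != self.os:
            return False
        if self.min_service_pack is not None and (
                e.service_pack is None
                or e.service_pack < self.min_service_pack):
            return False
        return (self.required_services <= e.open_services
                and self.required_hotfixes <= e.hotfixes)


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    if_firewalled: str = DENY
    if_no_netbios: str = DENY
    if_bad_credentials: str = DENY
    if_no_match: str = DENY


def evaluate(policy: Policy, e: Element) -> Tuple[str, str]:
    """Return (action, reason) for one element."""
    # Special cases: the checks cannot run, so the configured Allow/Deny
    # decides (assumption: these are looked at before the rules).
    if e.firewalled:
        return policy.if_firewalled, "special case: firewalled"
    if not e.netbios_enabled:
        return policy.if_no_netbios, "special case: NetBIOS not enabled"
    if not e.credentials_ok:
        return policy.if_bad_credentials, "special case: credentials"
    # The first rule the element matches is used; later rules are ignored.
    for number, rule in enumerate(policy.rules, start=1):
        if rule.passes(e):
            return rule.action, f"rule {number}"
    return policy.if_no_match, "no match"


def permissive_fallbacks(policy: Policy) -> List[str]:
    """Settings that admit an element whose checks never ran or matched."""
    names = ("if_firewalled", "if_no_netbios", "if_bad_credentials",
             "if_no_match")
    return [n for n in names if getattr(policy, n) == ALLOW]


# Constructed sample policy: two Windows XP rules, order matters.
POLICY = Policy(
    rules=(
        Rule("Windows XP", ALLOW, min_service_pack=2,
             required_services=frozenset({445}),
             required_hotfixes=frozenset({"KB0000001"})),
        Rule("Windows XP", DENY),              # every other Windows XP element
    ),
    if_firewalled=ALLOW,
)

if __name__ == "__main__":
    patched = Element("Windows XP", 2, frozenset({139, 445}),
                      frozenset({"KB0000001"}))
    print(evaluate(POLICY, patched))
    print(evaluate(POLICY, Element("Windows XP", firewalled=True)))
    print(permissive_fallbacks(POLICY))
```

In the sample policy a firewalled element is allowed without any check having run, which is what `permissive_fallbacks` reports when a policy is reviewed.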

6.5.2 Configuring the Admission Quarantine

Insightix Quarantine Silo technology ensures an authorized device is denied access to the network

while compliance checks are performed, and that quarantined devices cannot access each other.

This ensures the complete isolation of questionable elements from the network until they are granted

(or denied) network access. Insightix Quarantine Silo technology ensures network access is granted

to authorized devices only after successfully passing the compliance checks.

The conditions for the quarantining of a device are configured in the NAC > Admissions >

Quarantine page.

To configure the Admission quarantine:

1 In the Admission tab of the NAC Module, click Quarantine. The Quarantine page is displayed.

Figure 19: NAC Module – Admission Tab (Quarantine Page)

2 Configure when NAC should quarantine elements by selecting Do not quarantine elements or Quarantine elements for each of the following options:

• While performing admission checks

• When a security violation is discovered during the admission stage

3 Define the remediation servers that can be accessed by an element that is in quarantine for the purpose of aligning the device with the enterprise’s network access policy as follows:

• To add a remediation server, type its IP address in the fields immediately above the IP Address header in the table and click Add. The IP address is added to the table.

• To remove a remediation server, select the checkbox adjacent to its IP address and click Remove Selected.

Note: The IP address of the remedial server must be local to the subnet it serves.

4 Click Save to save the changes.

6.6 Post-Admission Module

This module is charged with the task of constantly monitoring the network, identifying and

responding to any changes made to the properties of devices that are authorized to operate on the

network. The Post-Admission module allows the building of device profiles to ensure that the

properties of an authorized device are not abused by an unauthorized device masquerading as an

authorized device.

6.6.1 Configuring the Compliance Checks

You can configure compliance checks to make sure that specific operating systems and running services are not operating on your networks.

To configure the compliance checks:

1 Select NAC > Post-Admission. The Policy page of the Post-Admission tab is displayed.

Figure 20: NAC Module – Post-Admission Tab (Policy Page)

2 Select or clear the Enable NAC Post-Admission protection checkbox to enable or disable the Admission module.

3 From the Define action dropdown list, select the action to be taken if a non-authorized operating system or a network service is detected:

• Alert: Network access policy violations are reported but not enforced.

• Enforce: Action is taken against devices that do not comply with the network access policy according to the selected enforcement method (configured under NAC > Configuration).

4 To perform post-admission checks for denying access from a certain operating system:

• Select the Non-Authorized operating systems checkbox.

• Select the Operating System family from the dropdown lists immediately above the Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.

• Click Add. A rule is added. If the specified type of operating system is detected and Post-Admission protection is enabled, the element will be handled according to the action defined above the tables.

Note: To remove a rule, select it in the table and click Remove.

5 To perform post-admission checks for non-authorized running service(s):

• Select the Non-Authorized open running services checkbox.

• Select the Operating System family from the dropdown lists immediately above the Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.

• In the Services field, enter up to two applicable TCP ports.

• Click Add. A rule is added. If the specified type of running service and operating system are detected and Post-Admission protection is enabled, the elements will be handled according to the action defined above the tables.

Note: To remove a rule, select it in the table and click Remove.

6 Click Save to save the changes.

6.6.2 Creating a Device Profile

Creating device profiles for specific elements in the inventory helps prevent spoofing attacks. A

device profile sets one or more of the following parameters as fixed:

• Operating System

• NETBIOS name

• Switch IP address and port to which it is connected

If the device properties are changed so that the fixed properties no longer match, the defined Post-Admission action is taken (Alert, Enforce).

Device profiles are configured in the NAC > Post-Admission > Devices page.

To configure device profiles:

1 In the Post-Admission tab of the NAC Module, click Devices. The Devices page is displayed.

Figure 21: NAC Module – Post-Admission Tab (Devices Page)

The Devices page lists all the elements in the inventory list. If the properties of a device do not match its fixed profile parameters, it is displayed in red.

2 From the Define action dropdown list, select the action to be taken if a non-authorized operating system is detected:

• Alert: Network access policy violations are reported but not enforced.

• Enforce: Action is taken against devices violating the network access policy according to the selected enforcement method (configured under NAC > Configuration).

3 Select the checkbox for a specific element to indicate that it must always use the configured parameters.

Tip: You can use the Search option to locate and sort elements according to various criteria. For additional information, refer to 2.11 Searching the Insightix Discovery & NAC Lite Edition.

4 (Optional) Right-click anywhere on the line for the element and select one or more of the following options in the popup menu:

• Set current Operating System as Fixed

• Set current NETBIOS Name as Fixed

• Set current Switch IP and Port as Fixed

The selected properties are set as fixed for the selected element.

Notes:

To edit the fixed property settings, right-click and select or clear the options as required.

To disable the fixed property settings, clear the element's checkbox in the Operating System column.

5 Click Save to save the changes.
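How a device profile exposes a masquerading device, as an added example (not Insightix code): each newly discovered set of properties for a MAC address is compared with the properties set as fixed, and any mismatch yields the configured Post-Admission action. The class and function names, addresses and host names are constructed, and the case-insensitive NetBIOS comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """Properties currently discovered for one MAC address."""
    mac: str
    os: str
    netbios_name: str
    switch_ip: str
    switch_port: int


@dataclass(frozen=True)
class DeviceProfile:
    """Properties set as fixed for an element; None means not fixed."""
    fixed_os: Optional[str] = None
    fixed_netbios: Optional[str] = None
    fixed_switch: Optional[Tuple[str, int]] = None   # (switch IP, port)


def drift(profile: DeviceProfile, seen: Observation) -> List[str]:
    """Names of the fixed properties that no longer match."""
    changed = []
    if profile.fixed_os is not None and seen.os != profile.fixed_os:
        changed.append("Operating System")
    # Assumption: NetBIOS names are compared without regard to case.
    if (profile.fixed_netbios is not None
            and seen.netbios_name.upper() != profile.fixed_netbios.upper()):
        changed.append("NETBIOS name")
    if (profile.fixed_switch is not None
            and (seen.switch_ip, seen.switch_port) != profile.fixed_switch):
        changed.append("Switch IP and port")
    return changed


def review(profiles: Dict[str, DeviceProfile], observations, action="Alert"):
    """Return (mac, action, changed properties) for every profile violation."""
    findings = []
    for seen in observations:
        profile = profiles.get(seen.mac.lower())
        if profile is None:
            continue                      # no profile: nothing is fixed
        changed = drift(profile, seen)
        if changed:
            findings.append((seen.mac.lower(), action, changed))
    return findings


# Constructed data: one profiled workstation and three later observations.
PROFILES = {
    "00:11:22:33:44:55": DeviceProfile("Windows XP", "FINANCE-PC01",
                                       ("192.0.2.10", 12)),
}
OBSERVATIONS = [
    # Same machine on its usual port: no finding.
    Observation("00:11:22:33:44:55", "Windows XP", "finance-pc01",
                "192.0.2.10", 12),
    # Same MAC on another port with another OS: the profile no longer matches.
    Observation("00:11:22:33:44:55", "Linux", "", "192.0.2.10", 7),
    # A MAC without a profile is left to the other NAC checks.
    Observation("00:aa:bb:cc:dd:ee", "Linux", "", "192.0.2.10", 3),
]

if __name__ == "__main__":
    for finding in review(PROFILES, OBSERVATIONS, action="Enforce"):
        print(finding)
```

Fixing the switch IP and port alongside the operating system means that copying an authorized MAC address is not enough on its own to match the profile.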

6.7 Exceptions

You can define exceptions to the various NAC modules. An exception rule can be configured

according to a variety of device parameters, including MAC address, MAC address range, IP

address, network address, switch IP, and switch IP and port. The operational stages the exception

rule overrides must be configured for each rule. Devices that meet the conditions of a defined

exception do not pass through the NAC module this exception rule is set for.

To define an exception:

1 In the NAC module, select the Exceptions tab. The Exceptions tab is displayed.

Figure 22: NAC Module – Exceptions Tab

If any exceptions have been defined, they are listed on the Exceptions tab.

2 From the Type dropdown list, select the device parameter on which the exception is to be based and enter the corresponding criteria in the adjacent fields.

• MAC Address: The MAC address of the specific device.

• MAC Range: The first three bits, which define a range of MAC addresses belonging to a certain NIC family (usually the same manufacturer).

• Switch IP: The IP address of a switch.

• Switch IP and Port: The IP address of a switch and the exact number of the port.

• IP Address: The IP address of a specific device.

• Network Address: The network address of a specific subnet.

Note: The number and size of the adjacent fields change according to the option selected from the dropdown list.

3 Select the NAC module or modules that the exception rule is to discard by selecting the checkbox adjacent to the NAC module’s name.

Note: The available NAC modules to be set as an exception vary according to the option selected from the dropdown list.

4 Click Add. The exception is added to the list.

5 Click Save.

To remove an exception:

1 In the Exceptions tab, select the exception to be removed and click Remove Selected.

2 Click Save.

To edit an exception:

1 In the Exceptions tab, select the exception to be edited and click on the icon to select the NAC modules that the exception rule is to discard.

2 Click Save.

6.8 Enforced Violations

The Enforced Violations tab of the NAC module lists the elements that are either denied network access or are quarantined in keeping with the NAC enforcement policy.

The Enforced Violations tab contains three pages:

• Switch Integration – Lists the shut-down switch ports to which unauthorized or non-compliant devices are connected.

• Quarantine Silo – Lists unauthorized and/or non-compliant devices that are denied network access using Insightix’s patent-pending Quarantine Silo and Enforcement technology.

• Quarantine – Lists non-compliant devices that are currently being quarantined.

6.8.1 Enforcement Using Switch Integration

The Switch Integration page of the Enforced Violations tab lists elements that have been disconnected from the network by shutting down the switch port to which they were connected, in keeping with the NAC policy.

6.8.1.1 Re-enabling a Closed Switch Port

If you identify specific switch ports that you do not want to remain disconnected, you can set the NAC module to re-enable those switch ports.

To re-enable specific switch ports:

39 In the NAC module, select the Enforced Violations tab. The Switch Integration tab is displayed.

Figure 23: NAC Module – Enforced Violations Tab

The Switch Integration page lists the following information for those elements that have been disconnected in keeping with NAC policy:

• Switch IP Address: The IP address of the switch to which the element was connected.

• Switch Port: The port number of the switch to which the element was connected.

• Element: The MAC address of the device.

• Disconnection Reason: The reason for disconnecting the device, for example, because the device is an unauthorized device.

• Time & Date: The date and time when the device was disconnected.

• Mode: The enforcement module that prevented the network access.

40 Select the switch port to be re-enabled and click Allow Network Access. The selected switch port is re-enabled. Insightix NAC automatically re-enables the shutdown switch ports at regular time intervals (by default, every five minutes).

Note: The Insightix Discovery & NAC Lite Edition automatically re-enables a shut-down switch port after a five-minute time period. If the element for which access was prevented continues to remain connected to this port, the port will be shut down again when rediscovered. The re-enable time interval is configurable. For details, refer to Configuring Real-Time System Parameters, page 118.

6.8.1.2 Finding Closed Switch Ports

You can locate a closed switch port on any identified switches operating on the network.

To locate closed switch ports:

41 In the NAC module, select the Enforced Violations tab.

42 Click Scan Switches for Closed Ports to perform the scan. The following window is displayed:

Figure 24: Scanning for Closed Switch Ports

Any closed switch ports are now displayed on the Enforced Violations tab.

6.8.2 Enforcement Using Quarantine Silo & Enforcement Technology

The Q. Silo page of the Enforced Violations tab lists elements that have been disconnected from the network using Insightix’s patent-pending Quarantine Silo and Enforcement technology, in keeping with the NAC policy.

The Q. Silo page lists the following information for those elements that have been disconnected in keeping with NAC policy:

• MAC Address: The MAC address of the element violating the network access policy.

• Disconnection Reason: The reason for disconnecting the device, for example, because the device is an unauthorized device.

• Time & Date: The date and time when the device was disconnected.

• IP Address: The IP address of the element violating the network access policy.

Figure 25: NAC Module: Enforced Violations Tab (Quarantine Silo & Enforcement Page)

6.8.3 Quarantined Elements

The Quarantined Elements page of the Enforced Violations tab lists elements that are currently quarantined while Insightix NAC performs compliance checks.

Figure 26: NAC Module – Enforced Violations Tab (Quarantine Page)

The Quarantine tab lists the following information for the elements currently in quarantine:

• MAC Address: The MAC address of the element in quarantine.

• Disconnection Reason: The reason for quarantining the element.

• Time & Date: The date and time when the device was quarantined.

• IP Address: The IP address of the element.

6.9 NAC Configuration

To deny network access to unauthorized elements trying to attach themselves to the enterprise network and/or to non-compliant elements, Insightix NAC can be configured using two enforcement modules:

• Switch Integration: Elements found to be non-compliant with the network access control policy are disconnected from the network by shutting down the switch port to which they are connected.

• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for enforcement and quarantine, which removes dependencies on switch integration and other IT resources. Insightix Quarantine Silo & Enforcement technology ensures that an unauthorized element and/or a non-compliant element cannot access the network.

The mode of enforcement for the NAC is set in the Configuration tab of the NAC module.

To configure the enforcement mode:

43 In the NAC module, select the Configuration tab. The Configuration tab is displayed.

Figure 27: NAC Module – Configuration Tab

44 Select one of the following NAC Enforcement mode options:

• Switch Integration: This option disconnects non-compliant elements from the network by shutting down the switch port to which they are connected.

• Quarantine Silo & Enforcement Technology: This option utilizes Insightix’s patent-pending Quarantine Silo and enforcement technology to deny access to unauthorized and/or non-compliant elements.

• Both: This option combines the above two options.

45 Click Save to save the changes.

Note: If the selected option incorporates Quarantine Silo & Enforcement technology and there is a problem with Layer-2 access to one or more networks, a warning message is displayed when you click Save, indicating those networks against which this technology cannot be applied.

7 Alerts Module

The Alerts module enables users with administrative privileges to configure the types of events for which the system generates alerts, and where these alerts are to be sent. The Alerts module displays the list of generated alerts and allows users to search the list for a specific element and/or event.

This chapter describes the types of alerts that can be generated, as well as how they are configured and viewed.

7.1 Viewing Alerts

Users can view a complete list of the alerts generated by the system.

To view alerts:

• Select Alerts in the Module Selection bar. The Alerts tab of the Alerts module is displayed.

Figure 28: Alerts Module – Alerts Tab

The Alerts table lists the alerts generated by the system, ordered according to the time at which they were generated (most recent on top). Each entry includes the alert number (ID), a timestamp, the alert message, and the alert’s severity.

The severity of the alert is indicated by an alert icon, as follows:

A red X indicates critical severity

A red exclamation point indicates high severity

A yellow triangle indicates medium severity

A green "i" indicates low severity

To view the detailed properties of the element for which an alert was generated, right-click an alert message field and select Device Properties. The individual inventory page of the Inventory module is displayed, listing the properties of the selected element. To search for the device in the Inventory module, select Search Device from the right-click menu.

7.1.1 Sorting Alerts

To sort the Alerts table according to a specific parameter (for example, Timestamp, ID, Alert Message, Severity), click the column header. The table is sorted according to the selected header.

7.1.2 Searching Alerts

A user can search the alerts generated by the system according to any word, IP address, MAC address, or other search criterion that appears in any of the alert messages.

Note: The Alerts table displays a maximum of 50 alerts at one time. When searching alerts, the search is executed against the last 1,000 alerts the system has generated.

7.2 Configuring Alerts

A user with administrative privileges can determine the types of events that trigger alerts in the system. A user can designate the destination to which alerts are sent: the system, an email address, a syslog server, and/or indexing for event history.

The following events are predefined in the system as alerts, and can be configured according to the monitoring requirements of the network:

• A New IP Address Detected: Generates an alert when an IP address that has not been previously detected is discovered.

• A New MAC Address Detected: Generates an alert when a MAC address that has not been previously detected is discovered.

• A New IP Subnet Detected: Generates an alert when a new IP subnet address range is detected.

• An Additional IP address for an element detected: Generates an alert when a network element has been detected as having more than a single IP address.

• A Duplicate IP address Detected: Generates an alert when the system has detected more than one device with the same IP address (two network interface cards claiming to be configured with the same IP address).

• The IP address of an element has changed: Generates an alert when the IP address of an element has been changed to a different IP address.

• A VLAN ID detected for an element: Generates an alert when a VLAN ID associated with a network element is detected.

• Operating system detected for an element: Generates an alert when the operating system for an element is detected.

• Operating System changed for an element: Generates an alert when the operating system for an element has been changed.

• A network service detected to operate on an element: Generates an alert when an open network service is detected operating on a network element.

• An element is behind a personal firewall: Generates an alert when a network element is protected by a personal firewall.

• The firewall state for an element changed: Generates an alert when the firewall state has changed for an element (i.e. from on to off and vice versa).

• NetBIOS name changed for an element: Generates an alert when a change in the NetBIOS name is detected.

• Network connectivity changed for an element: Generates an alert when the location of an element, the switch and/or switch port it is connected to, has been changed.

• Physical connectivity of switches changed: Generates an alert when a change in the way network switches are physically connected to each other is detected.

• An element is offline (detached from the network): Generates an alert when an element is no longer connected to the network.

• Communications established from an external element: Generates an alert when communication is established between an element residing on a non-monitored network (i.e. the Internet) to a monitored system.

• Unauthorized device detected: Generates an alert when an unauthorized device is physically connected to a monitored network (refer to Authorizing Devices, page 92).

• Unauthorized device tracked: Generates an alert when an unauthorized device is detected operating on the network. This alert includes details about the exact location of the unauthorized device, the IP address of the switch and the exact switch port to which this element is connected.

• A switch does not answer SNMP queries: Generates an alert when a switch does not reply to SNMP queries sent by the Insightix Discovery & NAC Lite Edition.

• A Wireless Access Point detected: Generates an alert when a Wireless Access Point is discovered operating on the network.

• A Firewall device detected: Generates an alert when a Firewall has been discovered.

• A NAT device detected: Generates an alert when a NAT device is detected.

• A printer detected: Generates an alert when a printer is detected operating on the network.

• A printer server detected: Generates an alert when a print server is detected operating on the network.

• A Router detected: Generates an alert when a Router is detected operating on the network.

• A switch detected: Generates an alert when a switch is detected operating on the network.

• Microsoft Virtual PC Guest detected: Generates an alert when a Microsoft Virtual PC Guest is detected.

• Microsoft Virtual PC Host detected: Generates an alert when a Microsoft Virtual PC Host is detected.

• VMware Guest detected: Generates an alert when a VMware Guest machine is detected.

• VMware Host detected: Generates an alert when a VMware Host machine is detected.

• An analog voice device detected: Generates an alert when an analog voice device is detected.

• A VoIP device detected: Generates an alert when a VoIP device is detected.

• An element is now online: An element’s connectivity state has changed from offline to online.

• NAC Module successful manual enforcement: Generates an alert when an element is manually disconnected from the network by a user with administrative privileges.

• NAC Module successful enforcement: Generates an alert when an unauthorized element is not allowed access to the network.

• NAC module re-enabled a switch port (automatic): Generates an alert when the NAC module re-enables a previously shutdown switch port. By default, a shutdown switch port is re-enabled after 5 minutes. This time period is configurable in the Configuration module.

• NAC enforcement violation (manual change of switch port): Generates an alert when a previously shutdown switch port has been manually re-enabled by the network administrator.

• Unauthorized device detected but not disconnected (NAC module in Alert mode): Generates an alert when an unauthorized element is detected as operating on the network, but is not disconnected since the NAC module operates in alert-only mode.

• NAC module operational mode change: Generates an alert whenever the operational mode of the NAC module changes.

• Inappropriate SNMP write credentials for NAC enforcement: Generates an alert when the SNMP community string provided for a certain switch does not allow write permission.

• An exception rule prevented the disconnection of an unauthorized device: Generates an alert when an unauthorized element was not disconnected from the network due to an exception rule preventing the disconnection of the element.

• NAC module re-enabled a switch port (manual): Generates an alert when a switch port that was previously shutdown by the NAC module has been manually re-enabled.

• Unauthorized device location not detected: Generates an alert when the switch and switch port of an unauthorized element have not been detected.

• NAC module re-enabled a switch port due to a defined exception change: Generates an alert when an exception rule previously not allowing the disconnection of an element (or elements) has been deleted allowing the disconnection of these elements.

• License Violation: Generates an alert when the license for the Insightix Discovery & NAC Lite Edition is violated (i.e., the license is for a smaller number of elements, where the actual number of elements detected is much higher).

To configure alerts:

1 Select Alerts in the Module Selection bar, and then click the Configuration tab in the Alerts module. The Configuration tab of the Alerts module is displayed.

Figure 29: Alerts Module – Configuration Tab (Alerts Page)

2 Select or clear the Enable checkbox to determine the events for which alerts are to be generated.

3 Select the group for the alert from the Target Group dropdown list (Always, for all elements, or a specific group name as a filter). Selecting a Target Group enables you to assign alerts to specific group of elements. (For details, refer to 7.3 Configuring Target Groups.)

4 Select the severity of the alert from the Severity dropdown list.

5 (Optional) In the Alerts Destinations area, select one or more of the checkboxes to indicate the action to be taken when an alert is triggered:

• To display alerts in the Alerts table in the Alerts tab of the Alerts module, select the Display checkbox.

• To send alerts to an email address, select the Email checkbox. The alerts are sent to the email address configured on the Destinations page.

• To save alerts to a syslog server, select the Syslog checkbox. The alerts are issued as syslog messages to a syslog server. The IP address of the syslog server is configured on the Destinations page.

• To index alerts to serve as a device’s audit history, select the History checkbox.

6 Click Save to save the changes.

7.3 Configuring Target Groups

A user can configure an alert to be triggered for all of the elements detected by the system, or define Target Groups to filter the alerts so that they are triggered only for the elements contained in the Target Group.

A Target Group can include the following element types:

• Network Services

• Networks

• IP Addresses

• MAC Addresses

A Target Group can include multiple entries of one element type or it can include multiple entries of diverse element types. When filtering alerts for a target group that includes more than one element type, the alert must meet at least one of the criteria defined for each of the element types contained in the group.

For example, if target group AAA includes two IP elements (192.168.2.2 and 192.168.2.3) and two TCP Service elements (ports 21 and 22), an alert is triggered only if it matches the IP address criteria (192.168.2.2 OR 192.168.2.3) AND the TCP Service criteria (ports 21 OR 22).

Note: In order to introduce multiple element types into a Target Group, the same group name must be used when defining the member elements.
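The filtering rule above (OR within an element type, AND across element types) can be modelled as follows. This is an added example, not Insightix code: the row layout, the value formats, the alert dictionary and the case-sensitive group-name comparison are assumptions made for illustration.

```python
import ipaddress

# Constructed rows mirroring the Targets page: one row per element in a group.
# The value formats (dotted IP, CIDR, "tcp/21", colon-separated MAC) are
# assumptions; the manual only says the format varies by element type.
TARGET_ROWS = [
    ("AAA", "IP Addresses", "192.168.2.2"),
    ("AAA", "IP Addresses", "192.168.2.3"),
    ("AAA", "Network Services", "tcp/21"),
    ("AAA", "Network Services", "tcp/22"),
    ("aaa", "MAC Addresses", "00:11:22:33:44:55"),  # name differs: separate group
    ("Lab", "Networks", "10.20.0.0/16"),
]


def build_groups(rows):
    """Collect rows into {group name: {element type: [values]}}."""
    groups = {}
    for name, element_type, value in rows:
        groups.setdefault(name, {}).setdefault(element_type, []).append(value)
    return groups


def normalize_mac(mac):
    """Compare MAC addresses regardless of case or '-' versus ':' separators."""
    return mac.lower().replace("-", ":")


def entry_matches(element_type, value, alert):
    """True if one Target Group entry matches the (hypothetical) alert dict."""
    if element_type == "IP Addresses":
        ip = alert.get("ip")
        return ip is not None and ipaddress.ip_address(ip) == ipaddress.ip_address(value)
    if element_type == "Networks":
        ip = alert.get("ip")
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(value)
    if element_type == "MAC Addresses":
        mac = alert.get("mac")
        return mac is not None and normalize_mac(mac) == normalize_mac(value)
    if element_type == "Network Services":
        service = alert.get("service")
        return service is not None and service.lower() == value.lower()
    raise ValueError(f"unknown element type: {element_type}")


def alert_in_target_group(groups, group_name, alert):
    """Apply the filter: every element type present needs at least one match."""
    if group_name == "Always":  # the dropdown's "for all elements" choice
        return True
    criteria = groups.get(group_name)
    if not criteria:
        return False
    return all(
        any(entry_matches(element_type, value, alert) for value in values)
        for element_type, values in criteria.items()
    )
```

In this model a row entered under a slightly different name ("aaa") forms its own group, so the MAC criterion never narrows group AAA.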

To add a Target Group entry:

1 In the Configuration tab of the Alerts module, click Targets to display the Targets page.

Existing Target Group entries are listed in a table, with a separate row displayed for each element in a group.

Figure 30: Alerts Module – Configuration Tab (Targets Page)

2 Enter the name of the Target Group in the Group Name field.

Note: When adding an entry to an existing group, take care to enter the name exactly as it appears in existing entries for the group.

3 Select the type of element from the Element Type dropdown list.

4 Enter the appropriate element value in the Value field.

Note: The format of the Value field varies according to the type of element selected.

5 Click Save. The Target Group definitions are updated and the Target Group is included in the Group Name dropdown list on the Alerts page.

To delete a Target Group entry:

1 In the Configuration tab of the Alerts module, click Targets to display the Targets page.

2 Select the checkbox for the entry to be deleted and click Remove. The entry is removed from the Target Group.

Note: You can delete more than one entry at a time by selecting multiple checkboxes on the page.

3 Click Save to update and save the Target Group definitions.

Note: Once all entries for a Target Group are deleted, the group is no longer included in the Group Name dropdown list on the Alerts page.

7.4 Configuring Alert Destinations

You can determine the types of actions that trigger alerts in the system, and designate an email address or a Syslog Server for the receipt of alert notifications.

7.4.1 Configuring an Email Recipient

To configure an email recipient:

1 In the Configuration tab of the Alerts module, click Destinations to display the Destinations page.

Figure 31: Alerts Module – Configuration Tab (Destinations Page)

2 In the Email area, configure the email destination details as follows:

• Enter the email address that is to appear as the email address of the sender of the alert emails in the Email Sender field.

• Enter the email subject that is to appear as the email subject for the emails received from the Insightix Discovery & NAC Lite Edition in the Email Subject field.

• Enter the destination email address in the Email Recipient field.

• Enter the IP address or the Hostname of the email server to be used to send alerts in the SMTP Server IP field.

• Enter the port number used by the email server to send alerts in the SMTP Server Port field.

• (Optional) If authentication is required to send emails, select the User Authentication checkbox and enter the user name and password in the designated fields.

Note: The User Name and Password fields are displayed when User Authentication is selected.

Note: If the email server requires Windows domain authentication credentials, the user name needs to be entered as follows: \Domainname\username

• (Optional) To enable TLS encryption, select the Use TLS checkbox.

7.4.2 Configuring a Destination Syslog Server

To configure a destination Syslog server:

1 Enter the IP address of the target Syslog server in the Syslog Collector IP Address field.

2 Enter the port number used by the Syslog server in the Syslog Port field.

3 Click Save to update and save the alert destination definitions.

8 Audit Module

The Audit module provides information regarding network servers and their running services. It enables the configuration of various auditing features such as the Microsoft Windows operating system patch auditing, the authorization scheme, the management of generated OS signatures, and network service naming.

This chapter describes the information displayed in the Audit module, as well as how to configure the various auditing features.

8.1 Viewing Network Services Audit Data

The Local Servers tab lists audit information regarding network services found to be operating on monitored networks according to the protocol they use (TCP or UDP) and the network service (SSH, FTP, and so on).

To view the network services audit information:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Local Servers tab.

2 Select the protocol type, TCP or UDP. The network services found to operate on the monitored network using the selected network protocol are listed in the Services list.

Figure 32: Audit Module – Local Servers Tab

3 To view the elements on which a particular network service is found to operate, select the service in the Services list. The IP address and Operating System for matching elements are listed.

4 (Optional) By selecting an element (clicking on its table entry) it is possible to view a list of IP addresses currently communicating with the element using the selected network service.

5 To view the individual properties page for a specific element, click the magnifying glass icon adjacent to the element's operating system name. The individual inventory properties page for the element is displayed, listing the properties of the selected element.

Note: To create custom exportable reports regarding the network services found to operate on the monitored networks, use the Inventory module. The keywords tcpport:<port number> and udpport:<port number> can be used to search for a specific list of elements on which a particular network service is found to operate.

Note: For a list of element properties, refer to section 5.3.

8.2 Configuring Server Audit Rules

The Insightix Discovery & NAC Lite Edition enables defining network services audit rules according to specific operating systems, IP addresses, network subnets, and hostnames. The audit rules include a list of network services that are to be audited by the system both passively and actively (if not found to operate passively). Other network services are added to the list of predefined audit rules per individual element, if their existence is passively detected by the system (this can be seen in their individual properties pages).

A user can initiate the audit process by performing a scan on demand in the Audit module.

Audit rules are defined in the Servers Audit tab of the Audit module.

8.2.1 Defining Audit Rules According to Operating Systems

Audit rules can be defined for specific operating systems.

To add a port definition for an Operating System:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab. By default the OS page is displayed.

Figure 33: Audit Module – Configuration Tab

2 Select the Operating System for which to add a port from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.

3 Click Add. The port number is added to the Rule Ports list.

4 Click Save to save the changes.

To remove a port definition:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab (Figure 33).

2 In the OS page, select the Operating System from which the port is to be removed from the Audit Rules list.

3 Select the port number in the Rule Ports list and click Remove Port. The port number is deleted from the Port Numbers list.

4 Click Save to save the changes.

Note: When a new operating system signature is added, its name is listed under the operating system names that can be selected for audit rules. Select the operating system name, and define its audit rules.

To perform a scan on demand:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab (Figure 33).

2 In the OS page, select the Operating System to be scanned on demand from the Operating Systems list.

3 Click Scan Now to initiate the audit process.

8.2.2 Defining Audit Rules According to a Specific IP Address

Audit rules can be defined for specific IP addresses.

To add an audit rule for a specific IP address:

1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.

Figure 34: Servers Audit According to IP Addresses

2 In the Add Audit Rule area, enter the IP address for which the Audit rule is to be defined.

3 Enter the port number(s) in the Ports field (comma separated).

4 Click Add. The IP address and its specified network service audit rule are added to the Audit Rules list.

5 Click Save to save the changes.

To add a port definition for a specific IP address:

1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.

2 Select the IP address for which a port is to be added from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.

3 Click Add. The port number is added to the Rule Ports list.

4 Click Save to save the changes.

To remove a port definition:

1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.

2 Select the IP Address from which the port is to be removed from the list of Audit Rules.

3 Select the port number in the Rule Ports list and click Remove Port. The port number is deleted from the Port Numbers list.

4 Click Save to save the changes.

To perform a scan on demand:

1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.

2 Select the IP Address to be scanned on demand.

3 Click Scan Now to initiate the audit process.

8.2.3 Defining Audit Rules According to IP Subnets

To add an audit rule for a specific IP Subnet:

1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit Subnet page. The Servers Audit rules for IP subnets are listed.

Figure 35: Audit Rules According to IP Subnets

2 In the Add Audit Rule area, enter the IP subnet address for which an Audit rule is to be defined.

3 Enter the port number(s) for the services to be audited in the Ports field (comma separated).

4 Click Add. The IP Subnet and its specified network service audit rule are added to the Audit Rules list.

5 Click Save to save the changes.

To add a port definition for an IP Subnet:

1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit Subnet page. The Servers Audit rules for IP subnets are listed.

2 Select the IP Subnet for which a port is to be added from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.

3 Click Add. The port number is added to the Rules Port list.

4 Click Save to save the changes.

To remove a port definition:

1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit IP page. The Servers Audit rules for IP subnets are listed.

2 Select the IP Subnet from which a port is to be removed from the list of Audit Rules.

3 Select the port number, by clicking it, in the Rule Ports list and click Remove. The port number is deleted from the Port Numbers list.

4 Click Save to save the changes.

To perform a scan on demand:

1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit IP page. The Servers Audit rules for IP subnets are listed.

2 Select the IP Subnet to be scanned on demand.

3 Click Scan Now to initiate the audit process.

8.2.4 Defining Audit Rules According to Hostnames

To add an audit rule for a specific Hostname:

1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.

Figure 36: Audit Rules According to Hostnames

2 In the Add Audit Rule field, insert the Hostname, and then enter the port number(s) for the services to be audited in the Ports field (comma separated).

3 Click Add. The Hostname and its specified network service audit rule are added to the Audit Rules list.

4 Click Save to save the changes.

To add a port definition for a Hostname:

1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.

2 Select the Hostname for which a port is to be added from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.

3 Click Add. The port number is added to the Rules Port list.

4 Click Save to save the changes.

To remove a port definition:

1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.

2 Select the Hostname from which a port is to be removed from the list of Audit Rules.

3 Select the port number, by clicking it, in the Rule Ports list and click Remove. The port number is deleted from the Port Numbers list.

4 Click Save to save the changes.

To perform a scan on demand:

1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.

2 Select the IP Subnet to be scanned on demand.

3 Click Scan Now to initiate the audit process.

Note: Audit rules according to Hostnames execute only if the Insightix Discovery & NAC Lite Edition discovers the hostname defined in the Audit rule.

8.2.5 Order of Audit Rules Execution

Server Audit Rules are executed in the following order:

1 Audit Rules for a Hostname

2 Audit Rules for an IP Address

3 Audit Rules for an IP Subnet

4 Audit Rules for an Operating System

8.2.6 Removing Audit Rules

Audit Rules can be completely removed. When an Audit Rule is removed, its corresponding network service audit instructions are removed and are no longer audited by the system.

To remove an audit rule:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab (Figure 33).

2 Select the relevant audit rules page, as required.

3 Select the audit rule to be removed in the Audit Rules list and click Remove Rule. The rule is removed from the Audit Rules list.

4 Click Save to save the changes.

8.3 Authorizing Devices

Relying on the real-time, complete and accurate discovery performed by the Insightix Discovery & NAC Lite Edition, users with administrative privileges are able to designate which systems are authorized to operate on their networks and which are not. This enables the Insightix Discovery & NAC Lite Edition to identify in real-time the introduction of unauthorized elements to monitored networks and immediately alert regarding their presence. The alert includes the exact location (the switch and switch port to which the element is connected) of an unauthorized element.

Note: Only users with administrative privileges can authorize or unauthorize elements.

Devices are authorized in the Device Authorization tab of the Audit Module. Devices can be authorized and unauthorized at any time.

Note: A device can also be authorized in the Properties tab of the Inventory module or by right-clicking the device in the Main page of the Inventory module and selecting Authorize.

To authorize a device:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Device Authorization tab.

Note: For a description of the device parameters displayed in the Authorization tab, refer to 5.5.1 Properties Tab.

Figure 37: Audit Module – Authorization Tab

Tip: Filter the displayed list of devices by entering a string that appears in any of the element's defined properties by performing a search. Refer to 2.11 Searching the for details.

2 In the A (authorization) column, select the checkbox for the device to be authorized.

Notes:

To select all of the devices on a page, select the checkbox in the A column.

A user may define actions using the Select Action dropdown list at the bottom of the page.

3 Click Save to save the changes.

To unauthorize a device:

1 In the Device Authorization tab of the Audit module (Figure 37), clear the checkbox for the device to be unauthorized.

2 Click Save to save the changes.

8.3.1 Pre-Authorizing Devices

The MAC addresses of elements which have not yet been introduced to the network can be pre-authorized, for example, devices prepared by the helpdesk.

To pre-authorize a device:

1 In the Device Authorization tab of the Audit module (Figure 37), enter the MAC address of the device to be pre-authorized in the Pre-Authorize MAC Address field.

2 Click Authorize to apply and save the changes.

Note: A pre-authorized MAC address appears in red in the Device Authorization tab of the Audit module. It does not appear in the Inventory module.

To pre-authorize a list of devices:

1 In the Device Authorization tab of the Audit module (Figure 37), select Import from a file.

2 In the Choose file window, browse to and select the comma-delimited file containing the list of MAC addresses that need to be pre-authorized. Click Open.

3 Click Upload to apply and save the changes.
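A bulk import authorizes every address in the file, so the list is worth checking before it is uploaded. The following Python script is an added example, not part of the Insightix product or this manual: it normalizes a comma-delimited MAC list, rejects malformed, duplicate and multicast/broadcast entries, and flags locally administered addresses for manual review. The sample data is constructed, and the output spelling (upper case, colon separated, one comma-delimited line) is an assumption, since the manual states only that the file is comma-delimited.

```python
import re

# Input spellings this example accepts (an assumption; the manual lists none):
# 00:1A:2B:3C:4D:5E, 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e and 001A2B3C4D5E.
_SHAPES = (
    re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),
    re.compile(r"^([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"),
    re.compile(r"^[0-9A-Fa-f]{12}$"),
)
_SEPARATORS = re.compile(r"[:\-.]")

# Constructed sample file content, for illustration only.
SAMPLE_FILE = (
    "00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5f,001a.2b3c.4d60\n"
    "001A2B3C4D5E, ff:ff:ff:ff:ff:ff, 02:00:5E:10:00:01, 00:1A:2B:3C:4D\n"
)


def normalize_mac(token):
    """Return the address as AA:BB:CC:DD:EE:FF, or raise ValueError."""
    token = token.strip()
    if not any(shape.match(token) for shape in _SHAPES):
        raise ValueError("not a MAC address")
    digits = _SEPARATORS.sub("", token).upper()
    if digits == "000000000000":
        raise ValueError("all-zero address")
    # Bit 0 of the first octet marks a group (multicast/broadcast) address,
    # which never identifies a single device.
    if int(digits[:2], 16) & 0x01:
        raise ValueError("multicast/broadcast address, not a device")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 of the first octet set: the address was not assigned by a vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def build_preauth_list(text):
    """Split comma-delimited text into accepted, rejected and to-review lists."""
    accepted, rejected, review = [], [], []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in line.split(","):
            if not token.strip():
                continue  # tolerate trailing commas and blank lines
            try:
                mac = normalize_mac(token)
            except ValueError as exc:
                rejected.append((line_no, token.strip(), str(exc)))
                continue
            if mac in seen:
                rejected.append((line_no, token.strip(), "duplicate"))
                continue
            seen.add(mac)
            accepted.append(mac)
            if is_locally_administered(mac):
                review.append(mac)
    return accepted, rejected, review


def to_upload_text(accepted):
    """Render the cleaned list as one comma-delimited line (assumed layout)."""
    return ",".join(accepted)


if __name__ == "__main__":
    ok, bad, check = build_preauth_list(SAMPLE_FILE)
    print(to_upload_text(ok))
    for line_no, token, reason in bad:
        print(f"rejected line {line_no}: {token!r} ({reason})")
    for mac in check:
        print(f"review before upload (locally administered): {mac}")
```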

To unauthorize a pre-authorized device:

1 In the Device Authorization tab of the Audit module, select the pre-authorized MAC addresses (marked with red) to be unauthorized by clearing the Authorized checkbox.

2 Click Save to apply.

Note: When un-authorizing a pre-authorized MAC address, the MAC address will no longer be visible in the Device Authorization tab.

8.4 Microsoft Windows OS Auditing

The Insightix Discovery & NAC Lite Edition can be configured to determine:

• The Service Pack (SP) and patches (hot fixes) installed on elements running Microsoft Windows operating systems

• The username of the user logged in to elements running Microsoft Windows operating systems

8.4.1 Prerequisites for the Microsoft Windows OS Auditing

In order for the Insightix Discovery & NAC Lite Edition to successfully audit a Microsoft Windows operating system, the following pre-requisites need to be met:

• The Insightix Discovery & NAC Lite Edition must be configured with local administrative rights on the remote machine and be able to log on to this machine remotely.

• File and Print Sharing must be enabled on the queried Microsoft Windows OS.

• The NetBIOS (TCP 139) port must be accessible on the remote machine.

• The queried Microsoft Windows machine must have the local Server service running.

• The remote machine must be running the Windows Remote Registry service.

Note: This feature does not execute automatically out-of-the-box. It must be enabled by a user with administrative privileges and configured with the appropriate credentials in order to run effectively.

8.4.2 Configuring Windows OS Auditing

To configure Windows OS auditing:

1 Select Audit in the Module Selection bar to display the Audit module. Then select the Windows OS Audit tab.

2 Click Configuration to display the Configuration page.

3 Select the Enable Windows Operating System Service Pack and Hotfixes Auditing checkbox and/or the Enable Username Auditing checkbox.

Figure 38: Audit Module – Windows OS Audit Tab (Configuration Page)

4 Set the frequency at which the auditing process is to be run by entering the required number of minutes in the designated field. (The default setting is every 12 hours, and it applies only for the service pack and hotfix auditing.)

5 Configure the credentials auditing parameters as follows:

• Select Per Host Name (for a single element) or Per Domain (for all elements belonging to a specific Windows domain) from the Add Credentials for dropdown list.

• Enter the user name and password in the designated fields.

• If you are adding credentials for a host name, enter the host name in the Name field. If you are adding credentials for a domain, enter the domain name in the Name field.

6 Click Add. The Host or Domain credentials are added to the Credentials list.

Note: To remove an entry from the Credentials list, select the entry in the list and click Remove Selected.

8.4.3 Defining the Exclude List

The Exclude List contains the IP addresses and network subnets that are to be excluded from the Microsoft Windows OS auditing process. The Windows OS Audit Exclude List is displayed in the Exclude List page of the Windows OS Audit tab.

To define an Exclude List entry:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Windows OS Audit tab.

2 Click Exclude List to display the Windows OS Exclude List.

Figure 39: Audit Module – Windows OS Tab (Exclude List Page)

3 To exclude a single IP address, enter the IP address to be excluded in the empty cell above the IP Address. In the fields above the Network Mask, enter 255.255.255.255.

4 To exclude an IP subnet, enter the network IP address in the empty cell above IP column header. In the fields above the Network Mask, enter the appropriate network mask of the IP subnet.

5 Click Add. The IP address or subnet is added to the Windows OS Audit Exclude list.

Note: To remove an entry from the Windows OS Audit Exclude List, select the entry in the list and click Remove Selected.
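Every Exclude List entry removes hosts from service pack, hotfix and username auditing, so it helps to know exactly which inventory addresses a planned list takes out of scope. The following Python script is an added example, not part of the Insightix product or this manual: it checks address and mask pairs as they would be typed in steps 3 and 4 and reports which hosts stay audited. The sample rows and inventory are constructed, and treating wildcard masks, all-zero masks and addresses with host bits set as errors is this script's assumption, not documented product behaviour.

```python
import ipaddress

# Constructed sample data: (IP Address, Network Mask) pairs as they would be
# typed into the Exclude List page, plus a few inventory addresses.
SAMPLE_EXCLUDE_ROWS = [
    ("10.1.5.20", "255.255.255.255"),  # single host, as in step 3
    ("10.2.0.0", "255.255.255.0"),     # subnet, as in step 4
    ("10.3.0.7", "255.255.255.0"),     # host address entered with a subnet mask
    ("10.4.0.0", "255.0.255.0"),       # mask with a hole in it
    ("10.5.0.0", "0.0.0.255"),         # wildcard mask typed by mistake
]
SAMPLE_INVENTORY = ["10.1.5.20", "10.1.5.21", "10.2.0.44", "10.3.0.9"]


def mask_to_prefix(mask):
    """Convert a dotted network mask to a prefix length, rejecting bad masks."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    # A valid mask is a run of ones followed by zeros, so its inverse plus one
    # must be a power of two (or overflow to 2**32 for mask 0.0.0.0).
    if inverted & (inverted + 1):
        raise ValueError(f"mask {mask} is not a contiguous network mask")
    if value == 0:
        raise ValueError("mask 0.0.0.0 would exclude every host")
    return bin(value).count("1")


def parse_exclude_entry(ip, mask):
    """Return the IPv4Network for one entry, or raise ValueError."""
    prefix = mask_to_prefix(mask)
    # strict=True rejects entries whose address has bits set below the mask,
    # which usually means a host address was paired with a subnet mask.
    return ipaddress.IPv4Network((ip, prefix), strict=True)


def audit_coverage(exclude_rows, inventory_ips):
    """Return (excluded host -> matching entry, audited hosts, entry errors)."""
    networks, errors = [], []
    for ip, mask in exclude_rows:
        try:
            networks.append(parse_exclude_entry(ip, mask))
        except ValueError as exc:
            errors.append(f"{ip} / {mask}: {exc}")
    excluded, audited = {}, []
    for host in inventory_ips:
        addr = ipaddress.IPv4Address(host)
        hits = [net for net in networks if addr in net]
        if hits:
            # Report the most specific entry that takes the host out of scope.
            excluded[host] = str(max(hits, key=lambda net: net.prefixlen))
        else:
            audited.append(host)
    return excluded, audited, errors


if __name__ == "__main__":
    out_of_scope, in_scope, problems = audit_coverage(
        SAMPLE_EXCLUDE_ROWS, SAMPLE_INVENTORY
    )
    for host, entry in out_of_scope.items():
        print(f"not audited: {host} (excluded by {entry})")
    for host in in_scope:
        print(f"audited:     {host}")
    for problem in problems:
        print(f"fix entry:   {problem}")
```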

8.4.4 Manually Initiating a Microsoft Windows OS Audit

To manually initiate a Windows OS audit:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Windows OS Audit tab. The Summary page of the Windows OS Audit is displayed. The summary page lists information regarding the status of the audit process, the statistics of a previous run, and the schedule of the next audit.

2 To run the Microsoft Windows OS audit process, click Discover. A progress bar is displayed in the window while the audit process is performed.

The audit process can be stopped at any time by clicking Cancel.

Figure 40: Audit Module – Windows OS Audit Tab (Summary Page)

8.5 Managing OS Signatures

To facilitate identification of operating systems operating on the network that were not identified out-of-the-box by the Insightix Discovery & NAC Lite Edition, a user with administrative privileges can generate an OS signature, as described in Generating an OS Signature, page 44. Once a signature is created, it can be used by the Insightix Discovery & NAC Lite Edition to identify any otherwise unknown devices that match the new OS signature.

Existing OS Signatures are listed in the OS Signatures tab of the Audit module.

There are two types of operating system signatures:

• Global (denoted by the keyword Global), which applies to any element on the network which may match the OS signature. A Global OS signature is created by selecting the Generate OS Signature option from the Inventory module’s right-click menu.

• Specific (denoted by the MAC address of the element it was generated for), which matches only the element it was created for. A specific OS signature is created by selecting the Tune Parameters option from the Inventory module’s right-click menu.

8.5.1 Removing an OS Signature

Generated OS Signatures can be removed from the OS Signatures list.

Note: When you delete an OS Signature, the OS identification of any elements previously identified using the deleted signature reverts to Unknown.

To remove a custom signature:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the OS Signature tab.

Figure 41: Audit Module – OS Signature Tab

If any OS Signatures have been created, they are listed in the OS Signature tab.

2 Select the OS Signature(s) to be removed and click Remove Selected. The Signatures are removed from the list and the OS identification of any elements that matched the deleted OS Signatures reverts to Unknown.

3 Click Save to save the changes.

8.5.2 Restoring Factory Default Settings for OS Identification

A user can restore the default factory settings for the OS identification, thereby removing all manually generated OS signatures.

Note: When you restore factory default settings, all generated signatures are erased. The OS identification of any elements previously identified using the signatures reverts to Unknown.

To restore factory defaults:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the OS Signature tab.

2 Click Factory Defaults. The original system settings are restored and any custom signatures are erased.

8.5.3 Initiating the OS Identification Process against Elements with an Unidentified OS

When a new OS signature is generated, a user with administrator privileges must reinitiate an operating system identification process against elements for which the OS has not been identified. This enables the identification of some additional elements that may use the same operating system as the new generated OS signature.

To initiate the OS identification process:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the OS Signature tab.

2 Click Reschedule. The Insightix Discovery & NAC Lite Edition initiates the OS identification process against elements with unknown operating systems.

8.6 Configuring Service Naming

A user can assign names to different network services according to TCP or UDP ports.

To add a service name:

1 Select Audit in the Module Selection bar to display the Audit module, and then select the Service Naming tab.

Figure 42: Audit Module – Service Naming Tab

The Service Naming tab lists the service names and ports according to the transport protocol type (TCP or UDP).

2 Select the required transport protocol type, TCP or UDP.

3 In the fields above the Service Names list, enter the port number and service name and click Add. The service name is added to the list.

4 Click Save.

To remove a service name:

1 In the Service Name tab, select the service name to be removed and click Remove Selected.

2 Click Save.

To change an existing service name:

1 To change an existing service name from the list, enter the same port number and change the name in the Service Name field.

2 Click Add.

3 Click Save.

9 Reports Module

The Reports module enables a user to generate and view a wide range of predefined reports.

This chapter describes the different types of reports.

9.1 Report Types

The following types of reports are available:

• Inventory Reports

  • Executive Summary (Online devices only): Lists the total number of operating systems identified by the Insightix Discovery & NAC Lite Edition. The information is broken down into three separate tables. The first table lists the detected operating systems and their quantity, the second table lists the top-7 detected operating systems, and the last table lists the top-7 capabilities detected (i.e. the functionality of a device, such as a switch, router, or printer).

  • Device Summary: The report provides a complete list of all devices detected by the Insightix Discovery & NAC Lite Edition, with information similar to the information presented in the Inventory module. Information about each element includes its authorization state, its IP address, its operating system, its hostname (where applicable), its VLAN ID (if applicable), its MAC address, the vendor ID for the MAC address, and its location on the network (the switch IP and the exact port to which it is connected).

  • Devices without IP Addresses: Lists the devices found on the network which operate without IP addresses.

• Audit Reports

  • Network Services (Per Service): Lists the IP addresses running a specific network service, according to the network service. Report details include a service name, followed by a list of the elements on which the network service is found to operate. It is followed by the operating systems running on these elements.

  • Network Services (Per Element): Lists, per IP address, the network services operating on a specific IP address. Report details include entries according to an IP address, followed by its VLAN ID (if applicable), its operating system, its hostname (if applicable), its MAC address, its firewall state, and the list of network services found to operate on the element.

  • Microsoft Windows Operating System Auditing (Service Packs and Hot Fixes): Lists, for each Microsoft Windows operating system that the Insightix Discovery & NAC Lite Edition was able to successfully query, the installed operating system patches. Report details include VLAN, Host Name, MAC address, Operating system and the installed Hot Fixes (patches), according to the device’s IP address.

  • Firewalled Network Elements: Lists the network elements that have firewalls operating on them. Report details include the following device information: its authorization state, its IP address, its operating system, its hostname (where applicable), its VLAN ID (if applicable), its MAC address, the vendor ID for the MAC address, and its location on the network (the switch IP and the exact port to which it is connected).

  • Domain Elements: Lists the different Microsoft Windows domains detected to operate on the monitored networks and the different elements which operate under them. The report is ordered according to a domain name, and the system(s) belonging to that domain. Device information includes the domain it belongs to, its Hostname, its Operating System, its VLAN ID (if applicable), its MAC address, the NIC vendor, the IP address of the element, and its connectivity location to the network (the exact switch and switch port to which it is connected).

• Security Reports

  • Authorized Devices: Lists the authorized network devices.

  • Unauthorized Devices: Lists the unauthorized network devices.

  • Authorization Scheme: Lists both authorized and unauthorized network devices.

• Topology Reports

  • Switch Connectivity: Per switch, lists the elements connected to that switch according to the switch port.

  • Physical Topology: Displays the physical network connectivity of the network. The report is a Microsoft Visio report, which may include routers, switches, hubs, and VMware guest machines.

  • Entire Layout: Displays the entire layout of the network topology. This is a Microsoft Visio report.

• Network Access Control Reports

  • Network Access Policy Violators: Displays a list of the elements that have violated the network access security policy.

  • Shutdown Switch Ports: Displays a list of the switch ports that have been shutdown by the network access control module to prevent access by elements detected in violation of the network access security policy.

9.2 Viewing a Report

You can produce and view reports on demand.

To view a report:

1 Select Reports in the Module Selection bar to display the Reports module.

The available report types are listed according to category.

Figure 43: Reports Module

2 Select the radio button for the required report.

3 Select the elements to be included in the report from the Include dropdown list (all, online, offline), and then set the criterion for sorting the data in the report from the Sort Report by dropdown list.

Note: The options available in the Sort report by dropdown list vary according to the type of report.

4 Select the format of the report from the Report Format dropdown list.

Note: The options available in the Report Format dropdown list vary according to the type of report.

5 Click Generate Report. The report is generated in an external window.

6 Save or export the file, as required.

Note: With the exception of topology reports, reports can be exported to .CSV or HTML files. Topology reports are exported as Microsoft Visio Drawings.

10 Configuration Module

The Configuration module of the Insightix Discovery & NAC Lite Edition allows a user with administrative privileges to configure certain aspects of the system's operation.

This chapter describes the procedures for configuring various aspects of the operation of the Insightix Discovery & NAC Lite Edition, such as configuring information for the Topology module, administrating users, tuning system parameters, changing the time and date, controlling the system’s IP address, upgrading and downgrading the software, and software registration.

Note: The Configuration module is enabled only for those users who have been assigned administrator privileges.

10.1 Topology Configuration

The Topology tab of the Configuration module enables users to view information regarding the last run of the topology discovery process, initiate manual topology discovery, configure query parameters for switches (such as the SNMP read-only community string to use), configure information regarding out-of-band management networks (if applicable), and manually input the physical geographical location of each switch port for the different switches operating on a network.

10.1.1 Topology Summary Page

To view the topology summary page:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed. By default the Summary page is displayed.

Figure 44: Configuration Module – Topology Tab (Summary page)

The Summary page displays the following topology discovery information:

• Status: The status of the physical network topology discovery process (either idle or running).

• Last Run: The day, date and time at which the last discovery process was run.

• Queried Switches (Last Run): The number of switches queried the last time the physical network topology discovery process was run.

• Next Scheduled Run: The day, date and time of the start of the next scheduled run.

10.1.2 Manually Initiating the Physical Network Topology Discovery

There are two options for manually initiating physical network topology discovery:

• Initiating a physical network topology discovery while ignoring any collected information previously gathered about switches operating on the networks. Using this option, any suspected switch and all unknown elements are queried with SNMP. Click Discover to manually initiate the physical network topology discovery process. A progress bar is displayed in the window while the discovery process is performed.

• Initiating a physical network topology discovery relying on previously collected information about switches operating on the network. Using this option queries with SNMP only pre-identified switches. If a new switch is added to the network it will not be queried. Click Re-Discover to manually initiate the physical network topology discovery process. A progress bar is displayed in the window while the discovery process is performed.

10.1.3 Configuring Switches

In order for the Insightix Discovery & NAC Lite Edition to successfully discover the physical network topology of monitored networks, it must have SNMP read access to switches operating on the network.

The Switches tab of the Topology Configuration allows configuring various parameters essential for the physical network topology discovery process:

• The default SNMP protocol version, and the exact SNMP read-only community string to use by default when a switch is detected (can be more than one).

• Manually configuring the IP address, the SNMP protocol version, and exact SNMP read-only community string to use for switches not identified by the system.

• Changing the SNMP protocol version and/or the SNMP read-only community string to use when querying a specific switch.

• The Switches tab is also used to verify that the information used to query a certain switch allows the Insightix Discovery & NAC Lite Edition to collect the required information.

Note: Queried switches must comply with the SNMP RFCs and support MIB-II.

10.1.3.1 The Global Credentials Table

The Global Credentials table is used to configure the SNMP protocol version and community string to use by default when a new switch is detected by the system. A user can configure more than a single entry, as there may be multiple configurations and various SNMP protocol versions configured, by default, across a network.

Global credentials entries are executed according to their location in the Global Credentials table. A higher entry is used before a lower entry.

To add Global Credentials:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 Choose the SNMP protocol version to use from the SNMP Version dropdown list, and enter the SNMP read-only community string to use in the Community String field.

3 Click Add.

4 Click Save to save the changes.

Note: By default, the system is configured to use SNMP protocol version 1, with public as the default SNMP community string.

To remove Global Credentials:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 Select the global credentials entry to be removed and click Remove.

3 Click Save to save the changes.

To determine the order of Global Credentials entries:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 To change the order of the global credential, select the global credentials entry to be moved.

3 Click the up arrow or down arrow to change the location of the entry in the list, thereby changing the order of execution of the selected entry.

4 Click Save to save the changes.

10.1.3.2 Switch Configuration Table

The Switches table includes the IP address, the SNMP protocol version, and the SNMP read-only community string of any switches automatically detected by the system or manually configured by the user. It also includes the operating system of the switch, and indicates whether or not the switch was successfully queried by the system the last time the Topology Discovery process was run. A user can add an entry to the Switches table for any switch that was not identified by the system, and can configure the SNMP protocol version and community string to use when querying the switch.

The default SNMP protocol version used by the system is version 1. The default SNMP read-only community string used by the system is public.

To add a switch to the Switches Table or to change switch information:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 Click Switches to display the Switches page.

Figure 45: Configuration Module – Topology Tab (Switches Page)

3 To add an entry for a switch (or to change an existing entry):

• In the empty cells above the Switch IP Address header, enter the IP address of the switch.

• In the field above the Community String header, enter the SNMP read-only community string.

• Select the SNMP version from the adjacent dropdown list.

• Click Apply. The switch information is added.

• Click Save to save the changes.

To remove a switch from the Switches Table:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 Click Switches to display the Switches page.

3 Select the entry to be removed from the Switches Table and click Remove.

4 Click Save to save the changes.

Note: After a switch is added to the list of switches and the changes are saved, a Test button appears. Clicking the Test button verifies whether the system can access the switch using the credentials listed.

10.1.3.3 Manually Testing a Switch

For each switch entry in the Switch Table list there is a Test button, which can be used to verify whether the system can access the listed switch using the credentials listed.

To manually test a switch:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 Click Switches to display the Switches page (Figure 45).

3 In the Switches table, click the Test button for the switch that is to be tested.

The Insightix Discovery & NAC Lite Edition probes the switch and an icon indicating the status of the test is displayed in the Test column as follows:

• A green icon indicates that the switch has been successfully queried and the SNMP credentials are correct.

• A green icon indicates that the switch has been successfully queried with the supplied SNMP community string credentials but that the necessary information for the physical network topology discovery process was not provided by the switch.

• A red icon indicates that the test has failed and that there is a problem with either the credentials listed for the switch or with access from the Insightix Discovery & NAC Lite Edition to the switch.

10.1.4 Configuring a Management Network

On some networks, switches are managed using a dedicated network called a management network. In such a case, the information about the management network must be configured in the Insightix Discovery & NAC Lite Edition in order for the topology discovery process to be successful.

To configure the management network IP address:

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.

2 Click Mgt Network to display the Management Network Configuration table.

Figure 46: Configuration Module – Topology Tab (Mgt. Network Page)

3 In the empty cells above the IP Address header, enter the IP address of the management network according to the following example: If the management network subnet is 192.168.1.0/24, then enter 192.168.1.0.

4 Click Add. A Class C network is automatically added to the table.

5 Click Save to save the changes.

Note: To delete an entry in the Management Networks, select the checkbox for the row and click Remove Selected.

10.1.5 Physical Geographical Location

The Location feature allows linking the physical geographical location of elements to their logical location (i.e., the switch and switch ports to which they are connected).

The location information, which is manually provided by a user with administrative rights, is correlated with the physical network topology discovery process (which uncovers the logical relationships between elements and the switch and switch port to which they are connected) to pinpoint the exact physical location of elements attached to the enterprise network in real-time.

To add the physical geographical location information description for a switch’s interface (i.e. port):

1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed. Then select Location. The physical geographical location configuration page is then displayed.

2 Select from the drop down menu the switch IP address you wish to view. The switch port information is displayed according to its interfaces list.

3 Double-click the Physical Location field for the interface you wish to configure.

4 Insert the physical geographical location description for the interface.

5 Click Save to save the changes.

Figure 47: Configuration Location Information

10.2 Managing Users

A user with administrator privileges can add or remove Insightix Discovery & NAC Lite Edition users.

To add a user:

1 In the Configuration module, select the User Admin tab. The User Admin tab is displayed.

Figure 48: Configuration Module – User Admin Tab

2 Enter a name for the user in the User Name field.

3 Enter the user's password in the Password field.

4 Select the required level of permissions from the Authorization Level dropdown list (User or Admin).

5 Click Add.

6 Click Save to save the changes.

Note: To remove a user, select the user in the Current User list and click Remove Selected.

10.3 Configuring System-Wide Parameters

The System Parameters tab of the Configuration module enables the configuration of various parameters, which control different aspects of system behavior.

10.3.1 Configuring the Detection Level

The Detection Level configuration controls exceptions to the system's default detection level.

The following detection level configurations are supported by the system:

• Complete: Any active probing method can be used in order to collect information about an element (if needed).

• Host Detection Only: The only active probing method to be used is the host detection method, which ensures that the element is listed in the Inventory module. No other active probing is used. Information is collected about the element using passive network discovery methods only.

• None: No active queries are performed against an element.

The default detection level of the Insightix Discovery & NAC Lite Edition is Complete.

To configure the system’s detection level:

1 Select Configuration in the Module Selection bar. In the Configuration module, select the System Parameters tab. The Detection Level page is displayed by default.

2 From the Generic Detection Level dropdown list, select the default system detection level (Complete, Host Detection Only, or None).

3 Click Save to save the changes.

Note: It is highly recommended that the system Detection Level be set to Complete. If you select Host Detection Only, topology information will not be available and the quality and completeness of data will be considerably diminished.

To configure an exception to the system’s detection level:

1 Select Configuration in the Module Selection bar. In the Configuration module, select the System Parameters tab. The Detection Level page is displayed by default.

Figure 49: Configuration Module – System Parameters Tab (Detection Level Page)

2 For a single IP address exception, enter the IP address for which an exception is to be added in the empty cell above the IP Address column header. In the fields above the Network Mask column header, enter 255.255.255.255. Then select the detection level from the dropdown list above the Detection Level column header.

3 For an IP subnet exception, enter the network IP address of the IP subnet in the empty cell above the IP Address column header. In the fields above the Network Mask column header, enter the appropriate network mask of the IP subnet. Then select the detection level from the dropdown list above the Detection Level column header.

4 Click Add to add the exception entry.

5 Click Save to save the changes.

Note: To delete an exception, select the checkbox for the row and click Remove Selected.
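Exception rows can be checked before they are typed into the Detection Level table. The Python sketch below is an added example, not part of the Insightix product or this manual; its function names and sample rows are constructed for illustration. It rejects malformed address/mask pairs and unknown levels, flags overlapping entries that carry different levels (the manual does not state which entry takes precedence), and totals the addresses left with reduced active probing.

```python
import ipaddress

# Detection levels named in section 10.3.1.
LEVELS = {"Complete", "Host Detection Only", "None"}


def check_exceptions(rows):
    """Validate planned (ip, mask, level) rows.

    Returns (entries, problems):
      entries  -> list of (IPv4Network, level) for well-formed rows
      problems -> findings to resolve before entering the rows in the UI
    """
    entries, problems = [], []
    for ip, mask, level in rows:
        if level not in LEVELS:
            problems.append(f"{ip}: unknown detection level {level!r}")
            continue
        try:
            # strict=True rejects an address with host bits set for the mask;
            # a non-contiguous mask is rejected as an invalid netmask.
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"{ip}/{mask}: {exc}")
            continue
        entries.append((net, level))

    # Overlapping rows with different levels need a human decision, because
    # the manual does not document precedence between exceptions.
    for i, (a, level_a) in enumerate(entries):
        for b, level_b in entries[i + 1:]:
            if a.overlaps(b) and level_a != level_b:
                problems.append(
                    f"{a} ({level_a}) overlaps {b} ({level_b}); "
                    "confirm which level is intended"
                )
    return entries, problems


def reduced_coverage(entries):
    """Count addresses per non-Complete level (overlaps counted per entry)."""
    totals = {}
    for net, level in entries:
        if level != "Complete":
            totals[level] = totals.get(level, 0) + net.num_addresses
    return totals


# Constructed sample rows, in the order IP Address, Network Mask, Detection Level.
PLANNED = [
    ("10.20.30.40", "255.255.255.255", "None"),              # single host
    ("10.20.30.0", "255.255.255.0", "Host Detection Only"),  # subnet
    ("10.20.31.7", "255.255.255.0", "None"),                 # host bits set
    ("10.20.32.0", "255.0.255.0", "None"),                   # invalid mask
    ("10.20.33.0", "255.255.255.0", "Passive"),              # unknown level
]

if __name__ == "__main__":
    entries, problems = check_exceptions(PLANNED)
    for net, level in entries:
        print(f"OK      {net.network_address}  {net.netmask}  {level}")
    for finding in problems:
        print(f"REVIEW  {finding}")
    print("Addresses with reduced probing:", reduced_coverage(entries))
```

Every address counted by `reduced_coverage` is one for which the inventory relies partly or wholly on passive discovery, so the totals are worth reviewing whenever exceptions are added.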

10.3.2 Configuring Real-Time System Parameters

The Real-Time system parameters are parameters that can be configured or reset during the operation of the system, without the need to restart the Insightix Discovery & NAC Lite Edition.

To change the configuration of a real-time system parameter:

1 In the System Parameters tab of the Configuration module, click Real Time. The Real Time page is displayed.

Figure 50: Configuration Module – System Parameters Tab (Real Time Page)

The default settings for each of the following discovery parameters are displayed as follows:

| System Parameter | Description |
|---|---|
| Inactive Device Detection Cycle | The frequency (in minutes) at which the Insightix Discovery & NAC Lite Edition will scan known subnets for elements, which may not generate traffic. The default setting is 5 minutes. |
| Active OS Detection initial start time | The number of minutes after a system startup before the Insightix Discovery & NAC Lite Edition initiates an active operating system detection for the first time. The default setting is 13 minutes. |
| Active OS detection cycle | The frequency (in seconds) at which the Insightix Discovery & NAC Lite Edition reinitiates active operating system detection. The default setting is 10 minutes. |
| Send SNMP Probes to Detected Switches Only | The parameter controls which elements are probed with SNMP when the topology discovery module is executed. The default setting is to query known switches and unknown elements (no). It is highly recommended not to change the default settings of this parameter. |
| Device Detection Rate | The upper limit of the number of packets the system sends to the network. The default setting is 100 packets per second (pps). It is highly recommended not to change the default setting of this parameter. |
| Check for inactivated IP each | The frequency at which the Insightix Discovery & NAC Lite Edition checks whether or not an IP address is still connected to the network if no passive network activity is observed. |
| Time to preserve offline elements | The period of time that offline elements are kept in the Inventory module after they are disconnected from the network, after which the offline element is erased from the inventory. The parameter is measured in hours. The default setting is one week (24 hr x 7 days = 168 hours). |
| System Debug Level | The level of debug information the system produces. The default setting is 100. |

2 Modify the frequency at which various functions are performed by entering the required value in the corresponding field and clicking the adjacent Set button.

Notes:

You must click the Set button for each parameter that you change.

To restore the factory default settings for specific parameters, select the relevant checkbox(es) and click Reset Selected. The selected parameters are reset accordingly.

To restore the factory default settings for all parameters, click Factory Defaults. The values of all parameters are reset accordingly.

10.3.3 Configuring System Parameters (Requiring Restart)

The system parameters that require a restart are parameters that control various aspects of the system’s operation. When the values of these parameters are changed, the system needs to be restarted in order for the changes to take effect.

To change the configuration of a system parameter that requires a restart:

1 In the System Parameters tab of the Configuration module, click Restart. The Restart page is displayed.

Figure 51: Configuration Module – System Parameters Tab (Restart Page)

2 The default settings for each of the following discovery parameters are displayed as follows:

| System Parameter | Description |
|---|---|
| Use complex switch heuristics for multi-IP addressed switches | Allows use of a topology discovery algorithm designed to operate against a switch with multiple IP addresses and multiple networking card configurations. The default value is no. |
| Topology module new device rescan | The frequency at which the topology discovery process is refreshed when an indicator for a topology change has been observed. The default value is 5 minutes. |
| Topology module initial start time | The number of minutes after the system startup before the topology discovery process is run for the first time. The default value is 23 minutes. |
| Topology module complete rescan | The frequency at which the topology discovery is refreshed in its entirety. The default value is 3 hours. |
| Topology module sleep time (in microsecond) | The number of microseconds between each SNMP query sent by the Insightix Discovery & NAC Lite Edition. The default value is 1000 microseconds. |
| Network interfaces to use in Passive monitoring | The network interface cards to be used in passive monitoring. The Insightix Discovery & NAC Lite Edition can receive passive network traffic by using multiple network interface cards. With the exception of eth1, any network interface card can be used to passively receive network traffic. Multiple NICs can be set by entering their values in the field, followed and separated only by commas, for example: eth0,eth2, Note: Do not insert spaces between the switch designations. |
| Firewall detection initial start time | The number of minutes after the system startup before the Insightix Discovery & NAC Lite Edition detects elements with personal firewalls operating on the network. The default value is 10 minutes. |
| Firewall detection cycle | The frequency (in hours) at which the Insightix Discovery & NAC Lite Edition will re-initiate the Firewall detection process for new elements not queried in a previous run. The default value is 1 hour. |
| Active network service detection time | The number of minutes after the system startup before the Insightix Discovery & NAC Lite Edition discovers open running services on network elements. The default value is 33 minutes. |

3 Modify the frequency at which various functions are performed by entering the required value in the corresponding field and clicking the adjacent Set button. A popup window appears requesting that you restart the Insightix Discovery & NAC Lite Edition.

Notes:

You must click the Set button for each parameter that you change.

To restore the factory default settings for specific parameters, select the relevant checkbox(es) and click Reset Selected. The selected parameters are reset accordingly.

To restore the factory default settings for all parameters, click Factory Defaults. The values of all parameters are reset accordingly.

To restart the Insightix Discovery & NAC Lite Edition:

• Windows 2003: Select Start > All Programs > Administrative Tools > Services. Locate and right-click the Lite Collector process and select Restart.

• Windows XP: Right-click My Computer and select Manage. Open Services and Applications and then select Services. Locate and right-click the Lite Collector process and select Restart.

10.3.4 Configuring the Web Interface

A user with administrative privileges can configure the type of web access (HTTP or HTTPS) to be used when accessing the Insightix Discovery & NAC Lite Edition.

To configure web access:

1 In the System Parameters tab of the Configuration module, click Management. The Management page is displayed.

Figure 52: Configuration Module – System Parameters Tab (Management Page)

2 In the Web Access Settings area, select the relevant access option and specify (optional) the port number to be used for accessing the Insightix Discovery & NAC Lite Edition web interface:

• Use Regular HTTP

• Use SSL (HTTPS)

3 Click Save to save the changes.

To configure communications with an Insightix Management Center:

1 In the System Parameters tab of the Configuration module, click Management. The Management page is displayed.

2 To send information to an Insightix Management Center, select the Report to the Management Center checkbox.

3 Insert the IP address of the Insightix Management Center to communicate with.

4 Click Save to save the changes. Clicking Save initiates communication between the Insightix Discovery & NAC Lite Edition and the Insightix Management Center.

10.4 Configuring Time & Date

The time and date settings of the Insightix Discovery & NAC Lite Edition are maintained by the Microsoft Windows-based operating system the application is hosted on. The Time & Date tab of the configuration module displays only the information configured.

Figure 53: Configuration Module – Time & Date Tab

10.5 Network Configuration

10.5.1 Configuring the Insightix Discovery & NAC Lite Edition IP Address

The IP settings of the Insightix Discovery & NAC Lite Edition can be configured through the Microsoft Windows-based operating system the application is hosted on. The Network tab of the configuration module displays only the IP address configuration.

Figure 54: Configuration Module – Network Tab

10.5.2 Configuring DNS Resolution

The Insightix Discovery & NAC Lite Edition can be configured to resolve IP addresses to their respective DNS names, if these exist.

To configure DNS resolution:

1 In the Configuration module, select the Network tab and then click DNS. The DNS Configuration page is then displayed.

2 Select Enable DNS resolution and enter the IP address of the DNS server to be used in the DNS Server fields.

3 Click Save to apply and save the configuration.

Figure 55: Configuration Module – Network Tab (DNS Configuration Page)

Note: A user with administrative privileges can test the DNS server settings by clicking on the Test button.

10.6 Configuring Subnets

Insightix Discovery & NAC Lite Edition automatically detects and probes IP subnets, which it detects by analyzing traffic going to and coming from monitored networks. In addition, a user can configure the system to routinely probe IP subnets whose traffic is not observed by the system and which would otherwise not be subjected to active probing (so the information about the elements residing on these networks would not be visible).

These IP subnets are called:

• Silent Local: If the subnet’s IP addresses belong to the subnet to which the Insightix Discovery & NAC Lite Edition’s IP address belongs.

• Silent Remote: If the subnet’s IP addresses do not belong to the subnet to which the Insightix Discovery & NAC Lite Edition’s IP address belongs.

Note: The only elements from a silent remote subnet that are represented in the Inventory module are those which respond to SNMP queries sent by the system.

To configure a silent subnet:

1 In the Configuration module, select the Subnets tab. The Subnets tab is displayed.

Figure 56: Configuration Module – Subnets Tab

The detected subnets are listed in the Detected Subnets list.

2 To configure a silent local subnet, enter the IP address that represents the network IP address of the subnet in the field immediately above the Silent Local list and click Add. The subnet is added to the Silent Local list.

3 To configure a silent remote subnet, enter the IP address that represents the network IP address of the subnet in the field immediately above the Silent Remote list and click Add (for example, for 192.168.1.0/24 enter 192.168.1.0). The subnet is added to the Silent Remote list.

4 Click Save to save the changes.
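The Silent Local / Silent Remote rule above can be applied to a list of candidate subnets before they are entered. The Python sketch below is an added example, not part of the Insightix product or this manual; the function name, the sample addresses and the default /24 prefix for entries given without one are assumptions made for illustration.

```python
import ipaddress


def classify_silent_subnets(collector_if, detected, planned, default_prefix=24):
    """Decide which list each planned subnet belongs in.

    collector_if   -> collector address with prefix, e.g. "10.10.4.25/22"
    detected       -> subnets already shown in the Detected Subnets list
    planned        -> network addresses to add, optionally with "/prefix"
    default_prefix -> prefix assumed when none is given (assumption: /24,
                      matching the manual's 192.168.1.0/24 example)
    """
    local_net = ipaddress.IPv4Interface(collector_if).network
    detected_nets = {ipaddress.IPv4Network(d) for d in detected}
    result = {
        "Silent Local": [],      # inside the collector's own subnet
        "Silent Remote": [],     # outside the collector's subnet
        "Already detected": [],  # already probed automatically
        "Review": [],            # only partly inside the collector's subnet
        "Rejected": [],          # not a valid network address
    }
    for item in planned:
        text = item if "/" in item else f"{item}/{default_prefix}"
        try:
            # strict=True rejects a host address given instead of the
            # network address the procedure asks for.
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError:
            result["Rejected"].append(item)
            continue
        if net in detected_nets:
            result["Already detected"].append(str(net))
        elif net.subnet_of(local_net):
            result["Silent Local"].append(str(net))
        elif net.overlaps(local_net):
            # A wider range that contains the collector's subnet matches
            # neither definition cleanly, so leave it for a person to split.
            result["Review"].append(str(net))
        else:
            result["Silent Remote"].append(str(net))
    return result


# Constructed sample input.
COLLECTOR = "10.10.4.25/22"
DETECTED = ["10.10.4.0/22", "10.10.20.0/24"]
PLANNED = ["10.10.6.0", "192.168.1.0", "10.10.20.0", "10.10.0.0/16", "172.16.5.9"]

if __name__ == "__main__":
    for bucket, nets in classify_silent_subnets(COLLECTOR, DETECTED, PLANNED).items():
        print(f"{bucket:17} {', '.join(nets) or '-'}")
```

Subnets that land in Silent Remote are inventoried only for elements that answer SNMP queries, as the note above states, so coverage there depends on the SNMP credentials configured for topology discovery.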

To remove a silent subnet:

1 In the Configuration module, select the Subnets tab. The Subnets tab is displayed (Figure 56).

2 Select the subnet to be removed from the Silent Local or Silent Remote list by clicking on the entry, and click Remove. The subnet is deleted from the respective list.

3 Click Save to save the changes.

10.7 Registering the Application

In order to continue using this application after the trial period has ended, you need to contact your local reseller or Insightix customer support ([email protected]) to obtain a valid registration key.

A registration key cannot be issued without the Machine ID. A user with administrator privileges can view the Machine ID in the Registration tab of the Configuration module. Note down the Machine ID and include it when requesting a registration key.

To register the application:

1 In the Configuration module, select the Registration tab. The Registration tab is displayed.

If you are using a demo version of the application, the number of days remaining before the end of the trial period is listed.

2 In the Registration Key field, enter the registration number provided to you by Insightix or your local reseller.

3 Click Submit to complete the registration process.

Figure 57: Configuration Registration Page – After Registration

To register the application using a registration file:

1. In the Configuration module, select the Registration tab. The Registration tab is displayed.

2. Click Browse to select the location where your registration file is found.

3. Click Upload to upload the registration file information.

4. Click Submit to complete the registration process.

11 Taskbar Operations

The Insightix Discovery & NAC Lite Edition icon is displayed in the taskbar after successful installation of the application. The following operations can be performed from the taskbar:

• Open Control Panel: Opens Microsoft Internet Explorer displaying the log in page of the Insightix Discovery & NAC Lite Edition application.

• Select Interface: Selects the Network Interface Card (NIC) to be used with the Insightix Lite Collector.

• Stop Collector: Stops the Insightix Lite Collector.

• Start Collector: Starts the Insightix Lite Collector.

• Restart Collector w/o Persistancy: Restarts the Insightix Discovery & NAC Lite Edition, discarding any previously collected data.

• Quit: Stops the Insightix Lite Collector and quits the application.

Note: Stopping, starting, and quitting the Insightix Discovery & NAC Lite Edition application does not affect whether the Insightix Discovery & NAC Lite Edition is automatically started the next time the Microsoft Windows-based operating system it is installed on is restarted.
