United States
945 Concord St.
Framingham, MA 01701
508.620.4788
www.insightix.com
International
13 Hasadna Street
Ra'anana, Israel
+972.9.740.1667
Insightix Discovery & NAC
Lite Edition
Version 3.0
User Manual
May 2007
Copyright © 2007 - All Rights Reserved. This material is proprietary of Insightix. Any unauthorized
reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This material
is meant solely for the use by Insightix employees, and authorized Insightix customers.
About Insightix
Insightix is a pioneer in the development of the new generation of IT infrastructure discovery,
monitoring and auditing solutions. Insightix strives to solve the growing and ongoing problems faced
by IT management by delivering solutions that enable enterprises to achieve comprehensive visibility
of their network environments.
Insightix’s patent-pending Dynamic Infrastructure Discovery (DID) technology provides an innovative
approach to network discovery, enabling enterprises to unobtrusively obtain complete, accurate and
real-time infrastructure information. Insightix’s DID-based solutions allow enterprises to successfully
manage their IT environments and control IT processes, such as asset management, patch
management and vulnerability assessments. As a result, Insightix’s DID-based solutions enable
enterprises to control IT resources, reduce IT expenses, protect organizational assets and improve
business processes.
Insightix develops the only complete, real-time and agentless network discovery and network access
control solutions. Insightix Discovery delivers comprehensive network visibility by obtaining a
complete, accurate and real-time inventory of all devices connected to the IT infrastructure.
Insightix NAC provides complete and real-time network access control, ensuring that only authorized
and compliant devices are allowed to access and operate on the network. Insightix's solutions
provide complete network coverage and deliver an immediate return-on-investment for IT
operations, network security and regulation compliance. Insightix solutions are simple to use and
overcome the technical limitations of existing solutions.
Contents
1 Introducing the Insightix Discovery & NAC Lite Edition
1.1 Insightix Discovery
1.2 Insightix Discovery & NAC
1.3 Deployment
1.4 Licensing
2 Quick Tour of the Insightix Discovery & NAC Lite Edition
2.1 Client Software Requirements
2.1.1 Verifying the Current Java Version
2.1.2 Downloading and Installing Java JRE 6.0
2.1.3 Downloading and Installing Adobe Flash Player
2.2 Accessing the Insightix Discovery & NAC Enterprise Edition
2.3 Insightix Discovery & NAC Lite Edition Modules
2.4 Searching the Insightix Discovery & NAC Lite Edition
2.5 Exporting Data
2.6 Right-Click Menu Indicator
2.7 Interactive Module Selection Bar
3 Dashboard Module
3.1 Dashboard Module Components
3.1.1 System Summary Area
3.1.2 OS Summary Area
3.1.3 Alerts Table
4 Topology Module
4.1 Viewing the Physical Network Topology Map
4.2 Viewing Device Properties
4.3 Searching for a Device
5 Inventory Module
5.1 Viewing the Inventory List
5.2 Filtering the System Inventory List
5.3 Right-Click Menu Options
5.3.1 Authorizing or Un-Authorizing a Device
5.3.2 Creating an Exception Rule
5.3.3 Resetting Device Properties
5.3.4 Generating an OS Signature
5.3.5 Tuning Device Properties
5.3.6 Setting a Device as Offline
5.3.7 Removing an Element from the Inventory
5.3.8 Active Rediscovery
5.4 Element Coloring Scheming
5.5 Viewing Detailed Properties of a Specific Device
5.5.1 Properties Tab
5.5.2 Connected Elements Tab (Switches Only)
5.5.3 Interfaces & Routing Tab (Routers Only)
5.5.4 Alerts Tab
5.5.5 Event History
6 NAC Module
6.1 Background
6.2 Operation
6.2.1 Quarantine
6.2.2 Enforcement
6.4 Operational Pre-Requisites
6.5 Configuring the Pre-Admission Module
6.6 Configuring the Admission Module
6.6.1 Configuring the Compliance Checks
6.6.2 Configuring the Admission Quarantine
6.7 Post-Admission Module
6.7.1 Configuring the Compliance Checks
6.7.2 Creating a Device Profile
6.8 Exceptions
6.9 Enforced Violations
6.9.1 Enforcement Using Switch Integration
6.9.2 Enforcement Using Quarantine Silo & Enforcement Technology
6.9.3 Quarantined Elements
6.10 NAC Configuration
7 Alerts Module
7.1 Viewing Alerts
7.1.1 Sorting Alerts
7.1.2 Searching Alerts
7.2 Configuring Alerts
7.3 Configuring Target Groups
7.4 Configuring Alert Destinations
7.4.1 Configuring an Email Recipient
7.4.2 Configuring a Destination Syslog Server
8 Audit Module
8.1 Viewing Network Services Audit Data
8.2 Configuring Server Audit Rules
8.2.1 Defining Audit Rules According to Operating Systems
8.2.2 Defining Audit Rules According to a Specific IP Address
8.2.3 Defining Audit Rules According to IP Subnets
8.2.4 Defining Audit Rules According to Hostnames
8.2.5 Order of Audit Rules Execution
8.2.6 Removing Audit Rules
8.3 Authorizing Devices
8.3.1 Pre-Authorizing Devices
8.4 Microsoft Windows OS Auditing
8.4.1 Prerequisites for the Microsoft Windows OS Auditing
8.4.2 Configuring Windows OS Auditing
8.4.3 Defining the Exclude List
8.4.4 Manually Initiating a Microsoft Windows OS Audit
8.5 Managing OS Signatures
8.5.1 Removing an OS Signature
8.5.2 Restoring Factory Default Settings for OS Identification
8.5.3 Initiating the OS Identification Process against Elements with an Unidentified OS
8.6 Configuring Service Naming
9 Reports Module
9.1 Report Types
9.2 Viewing a Report
10 Configuration Module
10.1 Topology Configuration
10.1.1 Topology Summary Page
10.1.2 Manually Initiating the Physical Network Topology Discovery
10.1.3 Configuring Switches
10.1.4 Configuring a Management Network
10.1.5 Physical Geographical Location
10.2 Managing Users
10.3 Configuring System-Wide Parameters
10.3.1 Configuring the Detection Level
10.3.2 Configuring Real-Time System Parameters
10.3.3 Configuring System Parameters (Requiring Restart)
10.3.4 Configuring the Web Interface
10.4 Configuring Time & Date
10.5 Network Configuration
10.5.1 Configuring the Insightix Discovery & NAC Lite Edition IP Address
10.5.2 Configuring DNS Resolution
10.6 Configuring Subnets
10.7 Registering the Application
11 Taskbar Operations
1 Introducing the Insightix Discovery & NAC Lite Edition
This chapter introduces the Insightix Dynamic Infrastructure Discovery (DID) technology and
describes the key features and deployment of the Insightix solution.
Insightix Discovery & NAC Lite Edition includes the Insightix Discovery and Insightix NAC products.
1.1 Insightix Discovery
The Insightix Dynamic Infrastructure Discovery (DID) technology makes use of a unique,
patent-pending combination of various network discovery algorithms, which gather and correlate
information from passive and active network discovery engines to provide complete and accurate
infrastructure discovery in real time.
The Insightix DID technology enables the Insightix Discovery & NAC Lite Edition to:
• Provide complete and accurate asset discovery.
• Present an accurate real-time physical network topology map.
• Build, monitor, track and dynamically update the inventory and the topology to reflect any
changes made to the network and/or to its elements.
• Provide detailed information on the properties of each device attached to the network.
• Alert regarding occurrence of preconfigured network events.
• Provide configurable reports of network inventory, devices, locations, and so on.
• Enable exporting and saving of inventory and topology information in standard formats.
1.2 Insightix Discovery & NAC
Insightix Discovery & NAC adds network access control capabilities to the Insightix Discovery
product. Insightix NAC delivers complete and real-time network access control, ensuring that only
authorized and compliant devices are allowed to access and operate on the enterprise network.
Insightix NAC provides complete network coverage by discovering, in real-time, a comprehensive
inventory of all elements connected to the network and their associated properties. Based on the
wealth of contextual IT infrastructure information gathered by Insightix NAC, IT professionals are
able to easily baseline their network and authorize the devices that are permitted to access and
operate on the network. Once activated, Insightix NAC performs real-time element detection and
authorization enforcement, denying connectivity to any unauthorized device.
Insightix NAC features a straightforward, rule-based policy engine for defining the compliance
checks to be performed against authorized Microsoft Windows-based elements as they attempt to
connect to the network. The compliance checks supported include checks on Windows-based
operating systems, including verification of the service pack level, presence of operating system
patches, running services, and so on. If an authorized device does not pass the compliance checks,
network access is granted to remediation servers only, allowing the device’s user to align the device
with the enterprise’s network access policy.
Insightix NAC uses a patent-pending technology for enforcement and quarantine, which alleviates
dependencies on switch integration and other IT resources. Insightix Quarantine Silo technology
ensures an authorized device is denied access to the network while compliance checks are
performed, and that quarantined devices cannot access each other. This ensures the complete
isolation of questionable elements from the network until they are granted (or denied) network
access. Insightix Quarantine Silo technology ensures network access is granted to authorized
devices only after successfully passing the compliance checks.
Insightix NAC constantly monitors the network, identifying and responding to any changes made to
the properties of devices that are authorized to operate on the network. Insightix NAC ensures that
the properties of an authorized device, such as the MAC address, are not abused, preventing an
unauthorized device from masquerading as an authorized device.
Note: Although the NAC functionality is enabled during the evaluation period of the Insightix
Discovery & NAC Lite Edition, it is not part of the standard Insightix Discovery Enterprise
Edition and requires a separate license for continued use. Please contact your local reseller
or [email protected] for details.
1.3 Deployment
The Insightix Discovery & NAC Lite Edition is a software-based solution. It is shipped as a Windows
executable program, and can be installed on Microsoft Windows XP, Microsoft Windows 2003, and
Microsoft Windows Vista operating systems.
The Insightix Discovery & NAC Lite Edition operates against a single broadcast domain and requires a
single network interface card (single network connection) for its operation.
The diagram below presents a typical deployment scenario of the Insightix Discovery & NAC Lite
Edition in a sample enterprise network environment.
Figure 1: System Deployment
1.4 Licensing
Software evaluation is limited to a period of 7 days. Please contact your local reseller or
[email protected] to extend the evaluation period.
Note: During the evaluation period, the Network Access Control features are enabled in the
software. Following the evaluation period, a separate license is required for this functionality.
2 Quick Tour of the Insightix Discovery & NAC Lite Edition
This chapter describes how to access the Insightix Discovery & NAC Lite Edition application and
introduces the various components of the application.
2.1 Client Software Requirements
The Insightix Discovery & NAC Lite Edition is a web-based application that can be accessed using
Windows-based operating systems and the Microsoft Internet Explorer 6.x/7.x web browser. In order
to access the web interface of the Insightix Discovery & NAC Lite Edition, the following software
needs to be installed on the client computer:
• Java Runtime Environment (JRE) version 6.0
• Adobe Flash Player version 8 (or above)
Before attempting to access the web interface of the Insightix Discovery & NAC Lite Edition, it is
recommended to verify that the necessary software is installed on the client computer. If the
necessary software is not installed on the client computer, or if an earlier version is installed, the
necessary version must be downloaded and installed before attempting to access the web interface.
2.1.1 Verifying the Current Java Version
To verify the Java version installed on your computer:
• In a Microsoft Windows environment, open the command line and type java -version.
If Java is installed on the client computer, the version number is indicated. If Java is not
installed on the client computer, a message is displayed indicating that the command typed is not recognized.
2.1.2 Downloading and Installing Java JRE 6.0
You can download the required version of Java from the Internet.
To download and install Java JRE 6.0:
1 In a web browser, go to http://java.sun.com/javase/downloads/index.jsp. Scroll down the
page, locate Java Runtime Environment (JRE) 6 and click the Download button adjacent to it.
2 Accept the license agreement by clicking the radio button for Accept License Agreement
and then click on Windows Offline Installation, Multi-language to download the installation file to your computer.
3 Double-click the jre-6-windows-i586.exe file to begin the installation.
4 Follow the on-screen instructions and select the proper files for your platform.
2.1.3 Downloading and Installing Adobe Flash Player
You can download the required version of Adobe Flash player from the Internet.
To download and install Adobe Flash player:
1 In a web browser, go to: http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&promoid=BIOW and click Install Now.
2 When the security warning appears for the Adobe Flash Player version you are attempting to install, click Install.
2.2 Accessing the Insightix Discovery & NAC Enterprise Edition
Once you have verified the necessary software is installed on your computer, you are ready to
access the application.
Note: If the Insightix Discovery & NAC Lite Edition is located behind a firewall, access to the IP
address of the system using TCP ports 22, 80, 443 and 18000 must be allowed through the
firewall in order to successfully access and use the system.
Note: When Insightix Discovery & NAC Lite Edition is installed, the application tries to bind
itself to TCP port 80. If another service is already using this TCP port, the application binds
itself to another TCP port. A message bubble notifies the user in the event that a TCP port
other than 80 is used (the first choice will be TCP port 8000).
To access the Insightix Discovery & NAC Lite Edition:
1 If you are attempting to log in to the Insightix Discovery & NAC Lite Edition from the computer
on which the application is installed, browse to http://localhost in your Microsoft Internet Explorer 6.x/7.x browser,
OR
If you are attempting to log in to the Insightix Discovery & NAC Lite Edition remotely, browse
to http://<IP address of the Insightix Discovery & NAC Lite Edition> in your Microsoft Internet Explorer 6.x browser and press <Enter>.
The Insightix Discovery & NAC Lite Edition Login page is displayed.
Note: If the Insightix Discovery & NAC Lite Edition has bound itself to a TCP port other than
TCP port 80, the user needs to specify the exact TCP port to use when connecting to the
Insightix Discovery & NAC Lite Edition. For example, if the Insightix Discovery & NAC Lite
Edition is using TCP port 8000, specify the port as follows:
• Local access: http://localhost:8000
• Remote access: http://<IP address of the Insightix Discovery & NAC Lite Edition>:8000
Figure 2: Insightix Discovery & NAC Lite Edition Application
2 Enter your username and password in the designated fields, and click Login. By default, the Dashboard module of the Insightix Discovery & NAC Lite Edition application is displayed.
Figure 3: Insightix Discovery & NAC Lite Edition - Dashboard Module
Note: By default, two user accounts are defined in the system, one with administrative
privileges, which allows the user to perform configuration changes (username admin), and one
with read-only privileges, which only allows the user to view information (username user). By
default, the passwords for both user accounts are left empty. To prevent unauthorized access,
it is highly recommended that you change these passwords as soon as possible. Refer to
10.2 Managing Users.
2.3 Insightix Discovery & NAC Lite Edition Modules
The Insightix Discovery & NAC Lite Edition functionality is implemented via the following modules:
• Dashboard: Provides a composite overview of ongoing system activities. For details, refer to
3 Dashboard Module.
• Topology: Outlines the physical network topology of the monitored network(s) and enables a
user to find devices and view their physical connectivity information. For details, refer to 4
Topology Module.
• Inventory: Lists all of the elements detected to operate on the network (in the present and in the
past). It enables a user to search the inventory according to multiple search criteria, to manually
export custom reports, and to view detailed properties of specific elements. For details, refer to
5 Inventory Module.
• NAC: Enables a user to enforce a strict network access control policy disallowing unauthorized
and non-compliant elements from connecting to the network in real-time. For details, refer to 6
NAC Module.
• Alerts: Enables a user to determine the types of events that trigger alerts and displays a list of alerts generated by the system. For details, refer
6.1 Background
Insightix NAC delivers complete and real-time network access control, ensuring that only authorized
and compliant devices are allowed to access and operate on the enterprise network.
Insightix NAC provides complete network coverage by discovering, in real-time, a comprehensive
inventory of all elements connected to the network and their associated properties. Based on the
wealth of contextual IT infrastructure information gathered by Insightix NAC, IT professionals are
able to easily baseline their network and authorize the devices that are permitted to access and
operate on the network. Once activated, Insightix NAC performs real-time element detection and
authorization enforcement, denying connectivity to any unauthorized device.
Insightix NAC features a straightforward, rule-based policy engine for defining the compliance
checks to be performed against authorized Microsoft Windows-based elements as they attempt to
connect to the network. The compliance checks supported include checks on Windows-based
operating systems, including verification of the service pack level, presence of operating system
patches, running services, and so on. If an authorized device does not pass the compliance checks,
network access is granted to remediation servers only, allowing the device’s user to align the device
with the enterprise’s network access policy.
Insightix NAC uses a patent-pending technology – Insightix Quarantine Silo – for enforcement and
quarantine, which alleviates dependencies on switch integration and other IT resources, and
ensures that network access is granted to authorized devices only after successfully passing the
compliance checks.
Insightix NAC constantly monitors the network, identifying and responding to any changes made to
the properties of devices that are authorized to operate on the network. Insightix NAC ensures that
the properties of an authorized device, such as the MAC address, are not abused, preventing an
unauthorized device from masquerading as an authorized device.
Note: Although the NAC module is enabled during the evaluation period, it is not part of the
standard Insightix Discovery Lite Edition and requires a separate license for continued use.
Please contact your local reseller or [email protected] for details.
2.5 Operation
Insightix NAC incorporates three operational modules:
• Pre-Admission: This module uses several patent-pending techniques to perform real-time
element detection and authorization enforcement, denying connectivity to any unauthorized
device.
• Admission: This module allows configuring compliance checks to be performed against
authorized Microsoft Windows-based elements as they attempt to connect to the network. The
compliance checks supported include checks on Windows-based operating systems, including
verification of the service pack level, presence of operating system patches, running services,
etc. If an authorized device does not pass the compliance checks, network access is granted to
remediation servers only, allowing the device’s user to align the device with the enterprise’s
network access policy.
• Post-Admission: This module is charged with the task of constantly monitoring the network,
identifying and responding to any changes made to the properties of devices that are authorized
to operate on the network. The post-admission module allows building device profiles, ensuring
that the properties of an authorized device are not abused and preventing an unauthorized device
from masquerading as an authorized device.
Note: Insightix NAC provides the flexibility of determining which NAC modules should, or
should not, be operational. The order of execution of the NAC modules, assuming they are all
enabled, is Pre-Admission, Admission, and finally Post-Admission.
Insightix NAC monitors elements from the time they are attached to the network until the time
they are detached from the network.
2.5.1 Quarantine
Insightix NAC uses a patent-pending technology for enforcement and quarantine, which alleviates
dependencies on switch integration and other IT resources. Insightix Quarantine Silo technology
ensures an authorized device is denied access to the network while compliance checks are
performed, and that quarantined devices cannot access each other. This ensures the complete
isolation of questionable elements from the network until they are granted (or denied) network
access. Insightix Quarantine Silo technology ensures network access is granted to authorized
devices only after successfully passing the compliance checks.
If an authorized device does not pass the compliance checks, network access can be granted to
remediation servers only, allowing the device’s user to align the device with the enterprise’s network
access policy. As long as the device fails to comply with the network access policy, it remains in the
quarantine.
2.5.2 Enforcement
To deny network access to unauthorized elements trying to attach themselves to the enterprise
network and/or to non-compliant elements, Insightix NAC can be configured using two
enforcement modules:
• Switch Integration: Elements found to be non-compliant with the network access control policy
will be disconnected from the network by shutting down the switch port they are connected to.
• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for
enforcement and quarantine, which removes dependencies on switch integration and other IT
resources. Insightix Quarantine Silo & Enforcement technology ensures an unauthorized
element and/or a non-compliant element would not be able to access the network.
You can opt to use one or both of these enforcement modules. When both enforcement modules are
enabled, Insightix NAC first attempts to shut down the switch port to which an unauthorized or a non-
compliant element is connected.
Insightix NAC uses several patent-pending techniques to detect, in real-time, when a new element is
attempting to join the network. It discovers the exact switch and switch port to which the newly
discovered element is connected in real-time. Using its location discovery algorithms, Insightix NAC
classifies the connectivity point, and determines whether the element is directly connected to the
switch port, or whether it is sharing the port connectivity with other elements (i.e., through a Hub or
an unmanaged switch).
If Insightix NAC cannot shut down the switch port to which an unauthorized or a non-compliant
element is connected (if the element shares its switch connectivity with other elements, and/or if the
element is connected to an unmanaged switch), Insightix Quarantine Silo & Enforcement technology
is used to deny network access.
2.4 Operational Pre-Requisites
The Insightix Discovery & NAC Lite Edition should have access through its active NIC(s) to the layer-
2 broadcast domains of the networks NAC is to be enforced against.
The following are the prerequisites for the enforcement modules:
• Switch Integration: Read/Write SNMP access to the switches operating on the network.
• Insightix Quarantine Silo & Enforcement: Layer-2 access to the network Insightix NAC should
be operating against.
In order for the Insightix NAC to successfully audit a Microsoft Windows operating system during the
admission stage, the following pre-requisites need to be met:
• The Insightix NAC must be configured with local administrative rights on the remote machine and
be able to log on to this machine remotely (done under Audit > Windows OS Audit).
• File and Print Sharing must be enabled on the queried Microsoft Windows OS.
• The NetBIOS (TCP 139) port must be accessible on the remote machine.
• The queried Microsoft Windows machine must have the local Server service running.
• The remote machine must be running the Windows Remote Registry service.
2.5 Configuring the Pre-Admission Module
You can configure the type of action, if any, to be taken whenever an unauthorized device connects
to the network. The pre-admission NAC module can be set to automatically enforce policy and
disconnect any unauthorized devices that attempt to attach themselves to your network, or you can
configure the system to issue an alert without taking action against the element.
The level of operation of the pre-admission NAC module is set in the Pre-Admission tab of the NAC
module.
Note: Device authorization is configured on the Audit > Device Authorization tab.
To configure the level of operation of the Pre-Admission NAC module:
1 Select NAC in the Module Selection bar. The Pre-Admission tab of the NAC module is displayed.
Figure 16: NAC Module – Pre-Admission Tab (Mode Selection)
The current mode of operation is selected in the Pre-Admission tab.
2 Select the required mode of operation:
• Disabled: The Pre-Admission module is disabled and unauthorized elements may access the network.
• Alert Only: Network access policy violations of unauthorized elements are reported but not enforced.
• Enabled: Elements that are not authorized are automatically disconnected from the
network according to the selected enforcement method (configured under NAC > Configuration).
Note: The Save and Continue buttons are enabled/disabled according to the option
selected in step 2.
3 If you select Disabled or Alert Only, click Save.
OR
If you select Enabled, click Continue to configure additional policy parameters.
A list of unauthorized devices that have been detected on the network is now displayed in the Pre-Admission tab. The elements listed will be disconnected from the network once the pre-admission NAC module is enabled.
Figure 17: NAC Module – Pre-Admission Tab (Unauthorized Device List)
4 (Optional) Review the list of unauthorized devices and authorize specific devices as required.
To authorize a device, select the checkbox adjacent to the IP address of the device and click Authorize Selected. The newly authorized devices are removed from the list and will not be disconnected when the pre-admission module is enabled.
5 Click Finish to enforce the pre-admission NAC policy.
2.6 Configuring the Admission Module
The admission NAC module allows you to configure the compliance checks to be performed against
authorized Microsoft Windows-based elements as they attempt to connect to the network. If an
authorized device does not pass the compliance checks, network access is granted to remediation
servers only, allowing the device’s user to align the device with the enterprise’s network access
policy.
2.6.1 Configuring the Compliance Checks
You can configure the compliance checks to be performed against authorized Microsoft
Windows-based elements as they attempt to connect to the network. The compliance checks supported
include checks on Windows-based operating systems, including verification of the service pack level,
presence of operating system patches, running services, and so on.
To configure the compliance checks:
1 Select NAC > Admissions. The Policy page of the Admission tab is displayed.
Figure 18: NAC Module – Admission Tab (Policy Page)
2 Select or clear the NAC Admissions protection checkbox to enable or disable the Admission module.
3 From the Define action dropdown list, select the action to be taken if an authorized device does not pass the compliance checks:
• Alert: Network access policy violations of authorized non-compliant elements are reported but not enforced.
• Enforce: Action is taken against devices that do not pass the compliance checks
according to the selected enforcement method (configured under NAC > Configuration).
4 To configure compliance check rules according to operating system:
• Select the Operating System for which to add a rule from the dropdown list immediately above the Operating System header.
• In the Action column, set the action that is to be taken when a device passes the compliance checks.
• Click Add. A line is added to the Rules table for the selected operating system.
• In the Admissions Checks column, click the icon to select the type(s) of service check(s) to be performed. A line is displayed for each selected service type.
• Set the additional required criteria for each selected service check type in the adjacent field as follows:
• Service Pack Level: Specify the required service pack level.
• Opened Network Service: Specify the network service(s) that must be open.
• Hot Fixes: Specify the required Hot Fixes. Note: all Hot Fixes must start with "KB" or "Q".
Note: To remove a rule, select it in the table and click Remove.
5 Set the action to be taken (Allow/Deny) if the element matches the following conditions that make performance of one or more of the service checks unfeasible:
• If the element is firewalled.
• If the NETBIOS service is not enabled.
• If the credentials do not allow the extracting of information.
6 Set the action to be taken (Allow/Deny) if no match is found, meaning that the element does
not match any of the rules for compliance check and does not meet the criteria of any special cases previously defined as allowed.
7 Click Save to save the changes.
Note: Multiple rules per operating system can be set. The first rule an element
matches is the rule that would be used.
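The procedure above amounts to an ordered rule list with special cases and a default action. The following sketch is an added example, not Insightix code: it models that evaluation and lints a policy for rules that can never fire because an earlier, looser rule for the same operating system always matches first. The class and function names, the order in which special cases are tested, treating the service pack level as a minimum, Allow/Deny as the per-rule action, and the placeholder hot fix ID are all assumptions.

```python
"""Model of first-match admission rules (illustrative; names are hypothetical)."""
from __future__ import annotations
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Rule:
    os_name: str
    action: str                          # assumption: Allow or Deny when the rule matches
    min_service_pack: int = 0            # assumption: required level is a minimum
    open_ports: frozenset = frozenset()  # network services that must be open
    hotfixes: frozenset = frozenset()    # required hot fix IDs

    def __post_init__(self):
        # The manual requires hot fix IDs to start with "KB" or "Q".
        bad = sorted(h for h in self.hotfixes if not h.startswith(("KB", "Q")))
        if bad:
            raise ValueError(f"hot fix IDs must start with KB or Q: {bad}")

    def matches(self, audit: "Audit") -> bool:
        return (audit.os_name == self.os_name
                and audit.service_pack >= self.min_service_pack
                and self.open_ports <= audit.open_ports
                and self.hotfixes <= audit.hotfixes)

    def covers(self, later: "Rule") -> bool:
        """True if every device that matches `later` also matches this rule."""
        return (self.os_name == later.os_name
                and self.min_service_pack <= later.min_service_pack
                and self.open_ports <= later.open_ports
                and self.hotfixes <= later.hotfixes)

@dataclass(frozen=True)
class Audit:
    """What the admission audit learned about one element."""
    os_name: str
    service_pack: int = 0
    open_ports: frozenset = frozenset()
    hotfixes: frozenset = frozenset()
    firewalled: bool = False
    netbios_enabled: bool = True
    credentials_ok: bool = True

@dataclass(frozen=True)
class Policy:
    rules: tuple
    if_firewalled: str = DENY
    if_no_netbios: str = DENY
    if_bad_credentials: str = DENY
    if_no_match: str = DENY

def evaluate(policy: Policy, audit: Audit) -> tuple:
    """Return (decision, reason). Special cases first (assumed order), then first match."""
    if audit.firewalled:
        return policy.if_firewalled, "special case: firewalled"
    if not audit.netbios_enabled:
        return policy.if_no_netbios, "special case: NetBIOS not enabled"
    if not audit.credentials_ok:
        return policy.if_bad_credentials, "special case: credentials"
    for index, rule in enumerate(policy.rules, start=1):
        if rule.matches(audit):
            return rule.action, f"rule {index}"
    return policy.if_no_match, "no match"

def shadowed_rules(policy: Policy) -> list:
    """Return (earlier, later) 1-based pairs where `later` can never be reached."""
    pairs = []
    for j, later in enumerate(policy.rules):
        for i, earlier in enumerate(policy.rules[:j]):
            if earlier.covers(later):
                pairs.append((i + 1, j + 1))
                break
    return pairs

# Constructed sample rules and audit result (not taken from the manual).
XP_SP2_ALLOW = Rule("Windows XP", ALLOW, min_service_pack=2)
XP_TELNET_DENY = Rule("Windows XP", DENY, min_service_pack=2,
                      open_ports=frozenset({23}))
LOOSE_FIRST = Policy(rules=(XP_SP2_ALLOW, XP_TELNET_DENY))
STRICT_FIRST = Policy(rules=(XP_TELNET_DENY, XP_SP2_ALLOW))
XP_WITH_TELNET = Audit("Windows XP", service_pack=2,
                       open_ports=frozenset({23, 139}),
                       hotfixes=frozenset({"KB0000001"}))  # placeholder ID

if __name__ == "__main__":
    for name, policy in (("loose first", LOOSE_FIRST), ("strict first", STRICT_FIRST)):
        print(name, evaluate(policy, XP_WITH_TELNET), shadowed_rules(policy))
```

With the looser rule listed first, the stricter Deny rule is unreachable and the sample element is allowed; listing the stricter rule first restores the intended outcome.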
2.6.2 Configuring the Admission Quarantine
Insightix Quarantine Silo technology ensures an authorized device is denied access to the network
while compliance checks are performed, and that quarantined devices cannot access each other.
This ensures the complete isolation of questionable elements from the network until they are granted
(or denied) network access. Insightix Quarantine Silo technology ensures network access is granted
to authorized devices only after successfully passing the compliance checks.
The conditions for the quarantining of a device are configured in the NAC > Admissions >
Quarantine page.
To configure the Admission quarantine:
1 In the Admission tab of the NAC Module, click Quarantine. The Quarantine page is displayed.
Figure 19: NAC Module – Admission Tab (Quarantine Page)
2 Configure when NAC should quarantine elements by selecting Do not quarantine elements or Quarantine elements for each of the following options:
• While performing admission checks
• When a security violation is discovered during the admission stage
3 Define the remediation servers that can be accessed by an element that is in quarantine for the purpose of aligning the device with the enterprise’s network access policy as follows:
• To add a remediation server, type its IP address in the fields immediately above the IP Address header in the table and click Add. The IP address is added to the table.
• To remove a remediation server, select the checkbox adjacent to its IP address and click Remove Selected.
Note: The IP address of the remedial server must be local to the subnet it serves.
4 Click Save to save the changes.
2.7 Post-Admission Module
This module is charged with the task of constantly monitoring the network, identifying and
responding to any changes made to the properties of devices that are authorized to operate on the
network. The Post-Admission module allows the building of device profiles to ensure that the
properties of an authorized device are not abused by an unauthorized device masquerading as an
authorized device.
2.7.1 Configuring the Compliance Checks
You can configure compliance checks making sure specific operating systems and running services
are not operating on your networks.
To configure the compliance checks:
1 Select NAC > Post-Admission. The Policy page of the Post-Admission tab is displayed.
Figure 20: NAC Module – Post-Admission Tab (Policy Page)
2 Select or clear the Enable NAC Post-Admission protection checkbox to enable or disable the Post-Admission module.
3 From the Define action dropdown list, select the action to be taken if a non-authorized operating system or a network service is detected:
• Alert: Network access policy violations are reported but not enforced.
• Enforce: Action is taken against devices that do not comply with the network access policy according to the selected enforcement method (configured under NAC > Configuration).
4 To perform post-admission checks for denying access from a certain operating system:
• Select the Non-Authorized operating systems checkbox.
• Select the Operating System family from the dropdown lists immediately above the
Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.
• Click Add. A rule is added. If the specified type of operating system is detected and Post-Admission protection is enabled, the element will be handled according to the action defined above the tables.
Note: To remove a rule, select it in the table and click Remove.
5 To perform post-admission checks for non-authorized running service(s):
• Select the Non-Authorized open running services checkbox.
• Select the Operating System family from the dropdown lists immediately above the Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.
• In the Services field, enter up to two applicable TCP ports.
• Click Add. A rule is added. If the specified type of running service and operating system
are detected and Post-Admission protection is enabled, the elements will be handled according to the action defined above the tables.
Note: To remove a rule, select it in the table and click Remove.
6 Click Save to save the changes.
2.7.2 Creating a Device Profile
Creating device profiles for specific elements in the inventory helps prevent spoofing attacks. A
device profile sets one or more of the following parameters as fixed:
• Operating System
• NETBIOS name
• Switch IP address and port to which it is connected
If the device properties are changed so that the fixed properties no longer match, the defined Post-
Admission action is taken (Alert, Enforce).
Device profiles are configured in the NAC > Post-Admission > Devices page.
To configure device profiles:
1 In the Post-Admission tab of the NAC Module, click Devices. The Devices page is displayed.
Figure 21: NAC Module – Post-Admission Tab (Devices Page)
The Devices page lists all the elements in the inventory list. If the properties of a device do not match its fixed profile parameters, it is displayed in red.
2 From the Define action dropdown list, select the action to be taken if a non-authorized operating system is detected:
• Alert: Network access policy violations are reported but not enforced.
• Enforce: Action is taken against devices violating the network access policy according to the selected enforcement method (configured under NAC > Configuration).
3 Select the checkbox for a specific element to indicate that it must always use the configured parameters.
Tip: You can use the Search option to locate and sort elements according to various
criteria. For additional information, refer to 2.11 Searching the Insightix Discovery &
NAC Lite Edition.
4 (Optional) Right-click anywhere on the line for the element and select one or more of the
following options in the popup menu:
• Set current Operating System as Fixed
• Set current NETBIOS Name as Fixed
• Set current Switch IP and Port as Fixed
The selected properties are set as fixed for the selected element.
Notes:
To edit the fixed property settings, right-click and select or clear the options as
required.
To disable the fixed property settings, clear the element's checkbox in the Operating
System column.
5 Click Save to save the changes.
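The device profile described in this section pins selected properties of an authorized element and flags any later observation that disagrees with them. The sketch below is an added example, not Insightix code: it pins the three properties the manual names and reports which of them drifted for a given MAC address. The function names, the MAC and NetBIOS normalization, and the sample addresses are assumptions constructed for illustration.

```python
"""Device-profile drift check for post-admission monitoring (illustrative sketch)."""
from __future__ import annotations
from dataclasses import dataclass

# The three properties the manual lets you set as fixed.
PINNABLE = ("operating_system", "netbios_name", "switch_port")

def norm_mac(mac: str) -> str:
    """Accept 02-00-.., 02:00:.. or 0200.0000.. and return lower-case colon form."""
    digits = "".join(c for c in mac if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Observation:
    mac: str
    operating_system: str
    netbios_name: str
    switch_port: tuple  # (switch IP, port number)

    def value(self, prop: str):
        raw = getattr(self, prop)
        # NetBIOS names are not case sensitive, so compare them upper-cased.
        return raw.upper() if prop == "netbios_name" else raw

def pin(profiles: dict, obs: Observation, props=PINNABLE) -> None:
    """Set the current value of each chosen property as fixed for this MAC."""
    unknown = [p for p in props if p not in PINNABLE]
    if unknown:
        raise ValueError(f"cannot pin: {unknown}")
    profiles[norm_mac(obs.mac)] = {p: obs.value(p) for p in props}

def check(profiles: dict, obs: Observation, action: str = "Alert"):
    """Return a violation record if a pinned property changed, else None."""
    mac = norm_mac(obs.mac)
    fixed = profiles.get(mac)
    if fixed is None:
        return None  # no profile: nothing is fixed for this element
    mismatches = {p: (want, obs.value(p))
                  for p, want in fixed.items() if obs.value(p) != want}
    if not mismatches:
        return None
    return {"mac": mac, "action": action, "mismatches": mismatches}

# Constructed observations (locally administered MACs, documentation IP range).
BASELINE = Observation("02-00-00-00-00-0A", "Windows XP", "front-desk",
                       ("192.0.2.10", 7))
SAME_HOST = Observation("02:00:00:00:00:0a", "Windows XP", "FRONT-DESK",
                        ("192.0.2.10", 7))
LOOKALIKE = Observation("0200.0000.000A", "Linux", "FRONT-DESK",
                        ("192.0.2.11", 3))
LAPTOP = Observation("02:00:00:00:00:0b", "Windows XP", "LAPTOP-1",
                     ("192.0.2.10", 12))
LAPTOP_MOVED = Observation("02:00:00:00:00:0b", "Windows XP", "LAPTOP-1",
                           ("192.0.2.11", 5))

def demo() -> dict:
    profiles: dict = {}
    pin(profiles, BASELINE)                        # all three properties fixed
    pin(profiles, LAPTOP, ("operating_system",))   # roaming device: OS only
    return {
        "same_host": check(profiles, SAME_HOST),
        "lookalike": check(profiles, LOOKALIKE, action="Enforce"),
        "laptop_moved": check(profiles, LAPTOP_MOVED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Pinning only the operating system for a roaming device avoids violations on every legitimate move, at the cost of not noticing a change of switch port for that MAC address.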
2.8 Exceptions
You can define exceptions to the various NAC modules. An exception rule can be configured
according to a variety of device parameters, including MAC address, MAC address range, IP
address, network address, switch IP, and switch IP and port. The operational stages the exception
rule overrides must be configured for each rule. Devices that meet the conditions of a defined
exception do not pass through the NAC module this exception rule is set for.
To define an exception:
1 In the NAC module, select the Exceptions tab. The Exceptions tab is displayed.
Figure 22: NAC Module – Exceptions Tab
If any exceptions have been defined, they are listed on the Exceptions tab.
2 From the Type dropdown list, select the device parameter on which the exception is to be based and enter the corresponding criteria in the adjacent fields.
• MAC Address: The MAC address of the specific device.
• MAC Range: The first three bits, which define a range of MAC addresses belonging to a certain NIC family (usually the same manufacturer).
• Switch IP: The IP address of a switch.
• Switch IP and Port: The IP address of a switch and the exact number of the port.
• IP Address: The IP address of a specific device
• Network Address: The network address of a specific subnet.
Note: The number and size of the adjacent fields change according to the option
selected from the dropdown list.
3 Select the NAC module or modules that the exception rule is to discard by selecting the checkbox adjacent to the NAC module’s name.
Note: The available NAC modules to be set as an exception vary according to
the option selected from the dropdown list.
4 Click Add. The exception is added to the list.
5 Click Save.
To remove an exception:
1 In the Exceptions tab, select the exception to be removed and click Remove Selected.
2 Click Save.
To edit an exception:
1 In the Exceptions tab, select the exception to be edited and click on the icon to select the NAC modules that the exception rule is to discard.
2 Click Save.
2.9 Enforced Violations
The Enforced Violations tab of the NAC module lists the elements that are either denied network
access or are quarantined in keeping with the NAC enforcement policy.
The Enforced Violations tab contains three pages:
• Switch Integration – Lists the shut-down switch ports to which unauthorized or non-compliant
devices are connected.
• Quarantine Silo – Lists unauthorized and/or non-compliant devices that are denied
network access using Insightix’s patent-pending Quarantine Silo and Enforcement technology.
• Quarantine – Lists non-compliant devices that are currently being quarantined.
2.9.1 Enforcement Using Switch Integration
The Switch Integration page of the Enforced Violations tab lists elements that have been
disconnected from the network by shutting down the switch port to which they were connected, in
keeping with the NAC policy.
2.9.1.1 Re-enabling a Closed Switch Port
If you identify specific switch ports that you do not want to remain disconnected, you can set the
NAC module to re-enable those switch ports.
To re-enable specific switch ports:
1 In the NAC module, select the Enforced Violations tab. The Switch Integration tab is displayed.
Figure 23: NAC Module – Enforced Violations Tab
The Switch Integration page lists the following information for those elements that have been disconnected in keeping with NAC policy:
• Switch IP Address: The IP address of the switch to which the element was connected.
• Switch Port: The port number of the switch to which the element was connected.
• Element: The MAC address of the device.
• Disconnection Reason: The reason for disconnecting the device, for example, because the device is an unauthorized device.
• Time & Date: The date and time when the device was disconnected.
• Mode: The enforcement module that prevented the network access.
2 Select the switch port to be re-enabled and click Allow Network Access. The selected
switch port is re-enabled. Insightix NAC automatically re-enables the shutdown switch ports at regular time intervals (by default, every five minutes).
Note: The Insightix Discovery & NAC Lite Edition automatically re-enables a shut-down
switch port after a five-minute time period. If the element for which access was prevented
remains connected to this port, the port will be shut down again when the element is
rediscovered. The re-enable time interval is configurable. For details, refer to Configuring
Real-Time System Parameters, page 118.
2.9.1.2 Finding Closed Switch Ports
You can locate a closed switch port on any identified switches operating on the network.
To locate closed switch ports:
1 In the NAC module, select the Enforced Violations tab.
2 Click Scan Switches for Closed Ports to perform the scan. The following window is displayed:
Figure 24: Scanning for Closed Switch Ports
Any closed switch ports are now displayed on the Enforced Violations tab.
2.9.2 Enforcement Using Quarantine Silo & Enforcement Technology
The Q. Silo page of the Enforced Violations tab lists elements that have been disconnected from
the network using Insightix patent-pending Quarantine Silo and Enforcement technology, in keeping
with the NAC policy.
The Q. Silo page lists the following information for those elements that have been disconnected in keeping with NAC policy:
• MAC Address: The MAC address of the element violating the network access policy.
• Disconnection Reason: The reason for disconnecting the device, for example, because the
device is an unauthorized device.
• Time & Date: The date and time when the device was disconnected.
• IP Address: The IP address of the element violating the network access policy.
Figure 25: NAC Module: Enforced Violations Tab (Quarantine Silo & Enforcement Page)
2.9.3 Quarantined Elements
The Quarantined Elements page of the Enforced Violations tab lists elements that are currently
quarantined while Insightix NAC performs compliance checks.
Figure 26: NAC Module – Enforced Violations Tab (Quarantine Page)
The Quarantine tab lists the following information for the elements currently in quarantine:
• MAC Address: The MAC address of the element in quarantine.
• Disconnection Reason: The reason for quarantining the element.
• Time & Date: The date and time when the device was quarantined.
• IP Address: The IP address of the element.
2.10 NAC Configuration
To deny network access to unauthorized elements trying to attach themselves to the enterprise
network and/or to non-compliant elements, Insightix NAC can be configured using two
enforcement modules:
• Switch Integration: Elements found to be non-compliant with the network access control policy
will be disconnected from the network by shutting down the switch port they are connected to.
• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for
enforcement and quarantine, which removes dependencies on switch integration and other IT
resources. Insightix Quarantine Silo & Enforcement technology ensures an unauthorized
element and/or a non-compliant element would not be able to access the network.
The mode of enforcement for the NAC is set in the Configuration tab of the NAC module.
To configure the enforcement mode:
1 In the NAC module, select the Configuration tab. The Configuration tab is displayed.
Figure 27: NAC Module – Configuration Tab
2 Select one of the following NAC Enforcement mode options:
• Switch Integration: This option disconnects non-compliant elements from the network by shutting down the switch port to which they are connected.
• Quarantine Silo & Enforcement Technology: This option utilizes Insightix’s patent-pending Quarantine Silo and enforcement technology to deny access to unauthorized and/or non-compliant elements.
• Both: This option combines the above two options.
3 Click Save to save the changes.
Note: If the selected option incorporates Quarantine Silo & Enforcement technology and
there is a problem with Layer-2 access to one or more networks, a warning message is
displayed when you click Save, indicating those networks against which this technology
cannot be applied.
• Alerts Module .
• Audit: Provides information regarding network servers and services, allows the configuration of
network services audit, controls the operating system signatures generated, allows the
configuration of the Windows operating system patch (hotfixes) audit, and allows naming
network services. For details, refer to 8 Audit Module.
• Reports: Enables a user to generate, view and export a wide range of pre-defined reports. For
details, refer to 9 Reports Module.
• Configuration: Enables the configuration of various parameters affecting the operation of the
system. For details, refer to 10 Configuration Module.
Note: Although the NAC module is available during the evaluation period, it is not part of the
standard Insightix Discovery & NAC Lite Edition and requires a separate license. Please
contact your local reseller or [email protected] for details.
Each module is accessed by selecting the corresponding module name in the Module Selection bar.
A user with read-only privileges cannot view the following:
• Inventory right-click menu
• Configuration tab of the Alerts module
• Configuration, Device Authorization, Windows OS Audit, OS Signatures, and Service
Naming tabs of the Audit module.
• Configuration module
• NAC module
2.11 Searching the Insightix Discovery & NAC Lite Edition
Insightix Discovery & NAC Lite Edition enables a user to search for a specific device or element
according to a string that appears in any of the element's defined properties. The Search option can
be found in the Inventory and Topology modules.
To search for an element:
1 Enter your search criteria in the Search field. The search criteria can consist of a full or partial word that is included in any of a device’s parameters.
The search criteria can include more than one word. For example, entering “Windows SP2”
retrieves all the elements that have both Windows and SP2 (i.e. Service Pack 2) in their properties.
In addition, there is an option to negate the search. For example, searching for “Windows –SP2” displays all Windows machines that do not have SP2 installed.
Important Note: The search is not case sensitive.
Tip: To search for a specific port, enter tcpport:<port number> or udpport:<port
number> in the Search field.
2 (Optional) Certain predefined keywords can be used for specific searches. These include:
online, offline, DC (for domain controller), DHCP (for DHCP server), KVM, NAT, printer, router, switch, storage, UPS, VMware, voice, firewall, wireless, and so on.
3 (Optional) To include only those parameters that contain the exact phrase you enter, select the Exact Match checkbox.
4 Click Search to execute the search. The matching results are displayed in the Search Results.
Figure 4: Sample Search Results
Tip: To sort the search results according to a specific criterion, select the
criterion from the Sort by dropdown list. The search results can be sorted
according to MAC Address, IP Address, or Operating System.
2.12 Exporting Data
Search results, inventory data, the physical network topology map and other reports can be exported
to external files. Inventory related data can be exported in CSV, HTML or PDF format. The Topology
Map can be exported in Visio format. This option is available in the Inventory and Reports modules.
To export data from the Inventory module:
1 Select the required type of export file to be created from the Export to dropdown list (in either
the Inventory module or the Reports module) and click Export. A report is created in an external window.
2 Save the file, as required.
2.13 Right-Click Menu Indicator
A right-click menu indicator appears when the cursor is positioned for a period of 3 seconds over
an entry or function for which a right-click menu is available. Moving the mouse cursor over the
right-click menu indicator displays the menu options.
2.14 Interactive Module Selection Bar
The Module Selection Bar allows interactive browsing (when available). When the cursor is
positioned over a module that includes multiple tabs and/or pages, a list of its internal module pages
is displayed. Selecting a tab name directs the browser to that tab.
Figure 5: Interactive Module Selection Bar
3 Dashboard Module
The Dashboard module provides a composite overview of ongoing system activities. The data
displayed is automatically refreshed on an ongoing basis.
This chapter describes the Dashboard module and the information that it displays.
3.1 Dashboard Module Components
The Dashboard module page is divided into several areas, each of which provides information
regarding system wide monitoring.
Figure 6: Dashboard Module Components
3.1.1 System Summary Area
The System Summary area lists general information regarding the system, as follows:
PARAMETER: DESCRIPTION
System Uptime: The length of time that the system has been up (days, hours, minutes, seconds).
System Version: The Insightix Discovery & NAC Lite Edition’s version number.
Online Devices: The total number of elements currently connected to the monitored networks.
Operating Systems Detected: The number of elements detected, currently connected to the monitored networks, for which the operating system was identified.
Operating Systems Not Detected: The number of elements detected, currently connected to the monitored networks, for which the operating system could not be identified.
Devices Without IPs: The number of elements detected, currently connected to the monitored networks, for which an IP address was not discovered.
Offline Devices: The number of elements detected that were connected to the network sometime in the past but are currently detached from the network.
Offline Devices Without IPs: The number of elements detected that were connected to the network sometime in the past but are currently detached from the network, for which an IP address was not discovered.
NACed Devices: The number of elements whose access to the network is currently blocked.
Total Devices: The total number of elements detected by the system. It is the sum of the online elements and the offline elements.
Frames Processed: The total number of packets the system has processed.
3.1.2 OS Summary Area
The OS Summary area lists the operating systems detected as currently operating on the network,
and indicates the number of devices per operating system. By default the list is ordered according to
the quantity.
To sort the list according to a specific parameter (for example, OS Name), click the corresponding
column header. The table is sorted according to the selected header. Scroll down to view the
complete list.
3.1.3 Alerts Table
The Alerts table lists the five most recent alerts triggered by the system. Each entry includes the
alert number (ID), a timestamp, the alert message, and the alert’s severity. The severity of the alert
is indicated by an alert icon, as follows:
A red X indicates critical severity
A red exclamation point indicates high severity
A yellow triangle indicates medium severity
A green "i" indicates low severity
To view the detailed individual properties of the element for which the alert was triggered, right-click
the Alert Message field of the alert and select the IP address or the MAC Address of the element.
The Individual properties page for the element is displayed, listing the properties of the selected
element.
4 Topology Module
The Topology module provides the physical network topology map of the monitored network. It
enables you to search for devices and to locate their whereabouts on the network topology map.
This chapter describes how to use the physical network topology map and how to search for and
locate a specific element on the topology map.
4.1 Viewing the Physical Network Topology Map
The physical network topology map illustrates the connectivity of the elements as detected by the
Insightix Discovery & NAC Lite Edition.
The information presented in the Topology module is read-only and cannot be edited.
To display the topology map:
• Select Topology in the Module Selection bar. The Topology module is displayed.
Figure 7: Topology Module
By default, one of the routers is the centered element on the topology map.
The following icons represent the elements in the topology map:
• Insightix Discovery Device
• Router
• Switch
• Hub
• Host
• NAT Device
• Firewall
• Wireless Access Point
• KVM Over IP
• UPS
• VMware Guest
• VMware Host
• Analog voice equipment
• Device Group
• Voice Over IP equipment
• Storage Device
• Printer
• Print Server
• IP PBX
• PBX
Note: For your convenience, you can view the Map Legend at any time by selecting the
Show Legend checkbox.
Note: If the Topology module has not yet been executed, a message is displayed indicating
so.
An asterisk (*) following an IP address indicates that the device has more than one IP address. In
such instances, the application lists the IP address that best fits the device (according to the
network). When the mouse is positioned over the device, all of the IP addresses that are associated
with the device are listed in a tooltip that summarizes the device properties (Figure 8).
Devices that have other devices connected to them are circled in gray (i.e. switches, hubs). To
display the connected devices, right-click the element and select Expand. The expanded element is
no longer circled in gray. To hide the connected elements, right-click the element and select
Collapse from the right-click menu.
In some cases, elements are grouped together when a device to which other elements are
connected is expanded. This is due to user interface considerations. To fully expand the elements,
right-click the Device Group icon and select Show Hosts from the right-click menu. To collapse the
devices, right-click the parent device (the device to which they are connected), and select Regroup
Devices from the right-click menu.
To place a specific element at the center of the topology map, select the Show Set Center Options
checkbox. Then select the IP address of the element from the dropdown list of known switches and
click Set Center. The element is centered on the topology map. It is recommended to allow the
application to automatically set the center of the topology map.
To display only the connectivity between networking devices (i.e., switches, routers, hubs and
VMware host machines), select the Show Physical Topology Only checkbox. To include host
device connectivity in the topology map, clear the Show Physical Topology Only checkbox.
4.2 Viewing Device Properties
Some of the properties of a specific element can be viewed in the Topology module in the following
ways:
• Key properties of an element can be viewed in a tooltip when the mouse hovers above an
element.
• When a device is clicked, its properties are displayed in the Device Details area (the upper right
corner of the Topology module).
• Detailed properties for a specific element can be viewed in the individual inventory properties
page for the device.
To view the device properties summary:
• Hover over an element in the topology map. A summary of the element's properties is
displayed in a tooltip (Figure 8).
Figure 8: Device Properties Tooltip
OR
Click an element in the map. The element is centered and circled in red. Some of its
properties, including its MAC address, IP address, operating system, Host Name, and the switch IP address and the switch port to which it is connected, are displayed in the Device Details area.
To view the detailed device properties:
• Right-click the element on the topology map and select Properties from the right-click menu.
OR
Click the MAC address of an element in the Search Results pane. The element is centered on
the topology map and its details appear in the Device Details area. Then click Properties in the Device Details area.
The Inventory module is displayed, listing the individual properties page for the selected element.
Figure 9: Device Specific Properties in the Inventory Module
4.3 Searching for a Device
You can search for a specific device or element according to a string that appears in any of the
element's properties.
Note: For a list of element properties, refer to section 5.3.
To search for an element:
1 Enter your search criteria in the Search field. The search criteria can consist of a full or partial
word that is included in any of a device's parameters. The search criteria can include more than a single word.
Important Note: The search is not case sensitive.
2 (Optional) To include only those parameters that contain the exact phrase you enter, select the Exact Match checkbox.
3 Click Search to execute the search. The matching results are displayed in the Search Results.
Tip: To sort the search results according to a specific criterion, select the criterion
from the Sort by dropdown list and click Search.
4 To place an element at the center of the topology map, click the element’s MAC address in
the search results. The element is centered and circled in red on the topology map and the summary of the individual properties of the element is displayed in the Device Details area.
To view additional element specific properties, click Properties in the Device Details area. The Inventory module is displayed, listing the individual properties of the selected device.
Figure 10: Locating an Element on the Topology Map
Tip: For your convenience, the Recently Viewed Devices area lists the most
recently viewed elements in the system. Clicking an element’s IP address in the
Recently Viewed Devices area displays the element's details in the Device Details
area without placing the element at the center of the map.
5 Inventory Module
The Inventory module lists the elements detected by the system, and enables users to view the
detailed properties of specific elements. The Inventory module forms a complete inventory list of
network elements:
• Online elements: Elements that are currently connected to the network.
• Offline elements: Elements that were connected to the network in the past but are currently
detached from the network.
This chapter describes the Inventory module and the information that it displays.
5.1 Viewing the Inventory List
To display the inventory list:
• Select Inventory in the Module Selection bar. The Main page of the Inventory module is
displayed.
Figure 11: Inventory Module
The following parameters are listed for each element in the system inventory:
| Parameter | Description |
| --- | --- |
| A | The authorization status of the devices, as follows: Authorized; Not authorized. Authorization enables users to easily distinguish between known devices and unknown devices. It also enables detection of unauthorized devices connecting to the network. Authorization is performed in the Audit module in the Device Authorization tab. |
| Cap. | The capability or function performed by the element in the network: DC – Domain Controller; DID – Insightix Discovery Device; F – Firewall; D – DHCP Server; KVM – KVM Over IP; N – NAT Device; P – Printer; PS – Print Server; PSTN – Analog voice equipment; R – Router; ST – Storage Device; S – Switch; U – UPS; VM – VMware Element; VoIP – Voice Over IP equipment; W – Wireless Access Point |
| IP Address | The IP address of the element. The IP addresses of online elements appear in blue. The IP addresses of offline elements appear in gray. The IP addresses of devices not allowed on the network (enforced by the NAC module) appear in red. |
| Operating System | The Operating System installed on the element. |
| Name | The NetBIOS name and/or the DNS name of the element. When only the icon is presented, the name displayed is the NetBIOS name for the element. When the icons and are presented, the name displayed is both the NetBIOS name and the DNS name for the element. When the icons and are presented, the value in the name field is the NetBIOS name for the element where the DNS name is different. When only the icon is presented, the name displayed is the element’s DNS name. |
| VLAN | The VLAN ID of the element, if assigned. |
| MAC Address | The MAC address of the element. |
| MAC Vendor ID | The name of the network interface card vendor. |
| Switch IP | The IP address of the switch to which the element is connected. |
| Port | The port number on the switch to which the element is connected. |
| User Name | The name of the user logged on to the element (applicable for Microsoft Windows-based elements). |
5.2 Filtering the System Inventory List
You can filter the System Inventory list by defining specific criteria and performing a search for
elements that match those criteria.
To filter the system inventory list:
1 Enter your search criteria in the Search field. The search criteria can consist of a full or partial word that is included in any of a device's parameters.
The search criteria can include more than one word. For example, entering “Windows SP2” retrieves all the elements that have both Windows and SP2 (i.e. Service Pack 2) in their properties.
In addition, there is an option to negate the search. For example, searching for “Windows –SP2” displays all Windows machines that do not have SP2 installed.
Important Note: The search is not case sensitive.
Tip: To search for a specific port, enter tcpport:<port number> or udpport:<port
number> in the Search field.
2 (Optional) Certain predefined keywords can be used for a specific search. These include:
online, offline, DC (for domain controller), DHCP (for DHCP server), KVM, NAT, printer, router, switch, storage, UPS, VMware, voice, firewall, wireless, and so on.
3 (Optional) To include only those parameters that contain the exact phrase entered in the Search field, select the Exact Match checkbox.
4 Click Search to execute the search. The results presented in the Inventory List are filtered to include only those elements that match the search criteria.
Tip: To sort the search results according to a specific criterion, select the criterion
from the Sort by dropdown list.
Note: You can export the search results to an external file (in CSV or HTML format).
Select the required type of file from the Export to dropdown list and click Export. A
report is created in an external window. Save the file, as required.
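The search rules in the steps above (case-insensitive terms that must all match, a leading minus to negate a term, tcpport:/udpport: terms, and Exact Match) can be modelled in a few lines, for example to re-apply the same filter to exported inventory data. This is an added illustration, not Insightix code; the record fields, the sample devices and the reading of Exact Match as a whole-phrase match inside a single property are assumptions.

```python
import re

# Constructed sample records; the keys are assumed names for columns of the Inventory list.
INVENTORY = [
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "os": "Microsoft Windows XP SP2",
     "name": "HR-PC01", "state": "online", "tcp": [135, 139, 445], "udp": [137]},
    {"ip": "10.0.0.6", "mac": "00:11:22:33:44:66", "os": "Microsoft Windows 2000 SP4",
     "name": "LAB-PC02", "state": "online", "tcp": [135, 445, 3389], "udp": [137]},
    {"ip": "10.0.0.9", "mac": "00:11:22:33:44:99", "os": "Linux 2.6",
     "name": "build01", "state": "offline", "tcp": [22, 80], "udp": []},
    {"ip": "10.0.0.12", "mac": "00:11:22:33:44:cc", "os": "Microsoft Windows XP SP1",
     "name": "KIOSK-03", "state": "online", "tcp": [139, 4450], "udp": [137]},
]

PORT_TERM = re.compile(r"^(tcp|udp)port:(\d+)$")
# Accept the ASCII hyphen as well as the en dash that the manual prints in "Windows –SP2".
NEGATION_PREFIXES = ("-", "\u2013")


def text_fields(record):
    """Lower-cased string properties of a record (port lists are handled separately)."""
    return [str(v).lower() for v in record.values() if not isinstance(v, list)]


def term_matches(record, term):
    """True if a single lower-cased search term matches the record."""
    port = PORT_TERM.match(term)
    if port:
        proto, number = port.group(1), int(port.group(2))
        # Compare whole port numbers so that 445 does not match 4450.
        return number in record.get(proto, [])
    return any(term in value for value in text_fields(record))


def matches(record, query, exact=False):
    """Apply the section 5.2 rules to one record."""
    query = query.strip().lower()          # the search is not case sensitive
    if not query:
        return True
    if exact:
        # Assumed Exact Match behaviour: the whole phrase must appear in one property.
        return any(query in value for value in text_fields(record))
    for raw in query.split():
        negated = raw.startswith(NEGATION_PREFIXES) and len(raw) > 1
        term = raw[1:] if negated else raw
        # A plain term must match; a negated term must not.
        if term_matches(record, term) == negated:
            return False
    return True


def search(inventory, query, exact=False):
    """Return the IP addresses of the records that match the query."""
    return [r["ip"] for r in inventory if matches(r, query, exact)]


if __name__ == "__main__":
    for q in ("Windows SP2", "Windows \u2013SP2", "tcpport:445", "offline"):
        print(f"{q!r:22} -> {search(INVENTORY, q)}")
```
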
5.3 Right-Click Menu Options
The Inventory module incorporates a right-click menu, available only to users who have
administrator privileges. The right-click menu is used to:
• Authorize or un-authorize an element
• Create an exception rule for the network access control (NAC) module
• Reset a device’s OS properties (available for online elements only)
• Reset a device’s properties (available for online elements only)
• Generate an OS signature (available for online elements only)
• Tune parameters for a device (available for online elements only)
• Set an online device as offline (available for online elements only)
• Remove an offline element from the inventory list (available for offline elements only)
• Perform a rediscovery for either the DNS name, the underlying operating system of the
element, or for the presence of a personal firewall (available for online elements only)
Note: A right-click menu indicator appears when the cursor is positioned for a period of 3
seconds over an entry or function for which a right-click menu is available. Moving the mouse
cursor over the right-click menu indicator displays the menu options.
5.3.1 Authorizing or Un-Authorizing a Device
Devices can be authorized or un-authorized using the right-click menu in the Inventory module.
To authorize a device:
1 In the Inventory module, right-click an unauthorized device and select Authorize from the right-click menu. A popup confirmation message appears.
2 Click OK to confirm or click Cancel to discard the change.
To unauthorize a device:
1 In the Inventory module, right-click an authorized device and select Unauthorize from the right-click menu. A popup confirmation message appears.
2 Click OK to confirm or click Cancel to discard the change.
5.3.2 Creating an Exception Rule
You can create an exception rule for the NAC module that prevents the element from being
disconnected from the network.
To create an exception rule:
1 In the Inventory module, right-click an element and select Make an Exception Rule from the right-click menu. A popup confirmation message appears.
2 Click Yes to confirm or click No to discard the change.
5.3.3 Resetting Device Properties
When you reset any of the properties of an element, the device data is redetected in the next
discovery cycle and updated accordingly.
Note: A device must be online in order for its properties to be reset.
5.3.3.1 Resetting Device OS Properties
The operating system properties of an element can be reset without resetting additional information.
The previously detected OS reverts to Unknown and the operating system is re-identified.
To reset OS properties:
1 In the main page of the Inventory module, right-click an element in the Inventory list and
select Reset Device OS Properties from the right-click menu. A popup confirmation message appears.
2 Click OK to confirm.
5.3.3.2 Resetting All Device Properties
All of the properties and data collected for an element can be reset. The device properties, including
the underlying OS, are then re-discovered.
To reset all device properties:
1 In the main page of the Inventory module, right-click an element in the Inventory list and
select Reset All Device Properties from the right-click menu. A popup confirmation message appears.
2 Click OK to confirm.
5.3.4 Generating an OS Signature
5.3.4.1 Creating a New OS Signature for an Unknown Element
By default, the Insightix Discovery & NAC Lite Edition is able to identify hundreds of different
operating systems. In case a certain element’s operating system is not identified (or is misidentified)
by the application, the automatic operating system signature generator mechanism can be used.
This mechanism allows operating system signatures to be introduced into the system in an intuitive
and easy manner. Once an operating system signature is created, it can be used to identify other
unknown devices whose operating systems match the newly created operating system signature.
Note: An OS signature can be generated only for an online device.
To generate an OS signature:
1 In the main page of the Inventory module, right-click an unknown element in the Inventory list
and select Generate OS Signature from the right-click menu. The following window is displayed.
2 In the Operating System area, set the following parameters:
• OS Family: The operating system family name (for example, Microsoft Windows).
• OS Type: The exact type of the operating system (for example, 2000).
• OS Additional Info (optional): Additional information, if applicable (for example, Service Pack 3).
• Appliance (optional): If the device is an appliance, select the Appliance checkbox (for example, Linksys wireless access point).
3 (Optional) In the Capabilities area, select the checkboxes for the relevant capabilities.
4 Click Save. The operating system automatic signature generator process begins executing.
5 If the operating system automatic signature is successfully generated, a new OS signature is created and a popup message indicates that the process has been successfully completed.
6 The element’s operating system name now reflects the name of the newly added operating
system signature. An asterisk (*) is appended to the new operating system’s name to indicate that this is a generated OS signature.
7 The newly created OS signature is listed in the OS Signature tab of the Audit module.
Note: If, for some reason, the operating system signature generating process fails, an error
message is displayed on the screen.
8 In order to apply the new signature against unknown elements in the Inventory list,
reschedule the operating system identification process by clicking the Reschedule button in the OS Signatures tab of the Audit module.
9 Any unknown devices that match the new OS signature are identified.
5.3.4.2 Creating a New OS Signature for a Misidentified Element
If an element’s operating system is misidentified due to the lack of an appropriate operating system
signature, this can be remedied using the operating system automatic generator.
To generate an OS signature for a misidentified element:
1 Right-click the misidentified element in the Inventory list and select Reset OS Properties from the right-click menu. A popup confirmation message is displayed.
2 Click OK to confirm the reset of the OS properties. The operating system name is changed to Unknown.
3 Right-click the element and select Generate OS Signature.
4 Proceed to create a new operating system signature for the element, as described in section 5.3.4.1, Creating a New OS Signature for an Unknown Element.
5.3.5 Tuning Device Properties
Specific parameters can be applied to a selected element by tuning the device parameters.
Note: A device must be online in order for its properties to be tuned.
To tune device parameters:
1 In the Main page of the Inventory module, right-click an element in the Inventory list and select Tune Parameters from the right-click menu.
2 Select the information to be changed for this element. The element’s operating system identification and/or its capabilities can be changed.
3 Click Save to apply the changes.
Note: When tuning the parameters of an element, a unique identification is created for this
element.
5.3.6 Setting a Device as Offline
The status of an online element can be changed to offline. The offline status is maintained until
activity is observed coming from the element.
To change a device state from online to offline:
1 In the Main page of the Inventory module, right-click an online element in the inventory list and select Set Offline from the right-click menu.
OR
In the Properties tab of the Individual Inventory page for the device, click the Set as Offline button.
A confirmation message is displayed.
2 Click Yes to confirm.
Note: Only an online element can be set as offline.
5.3.7 Removing an Element from the Inventory
An offline element can be removed from the Inventory list. No information is saved for an offline
element once it has been removed from the inventory list.
To remove an offline element:
1 In the Main page of the Inventory module, right-click an offline element in the Inventory list and select Remove Element from the right-click menu. A confirmation message is displayed.
2 Click Yes to confirm the removal of the offline element from the Inventory list.
Note: If at a later time activity is observed from a removed element, the element reappears in
the Inventory list as an online element, and its properties are re-discovered.
5.3.8 Active Rediscovery
Active rediscovery performs a rediscovery of the DNS name, the underlying operating
system, the presence of a personal firewall or the location of an element.
To rediscover the DNS name for an element:
• In the Main page of the Inventory module, right-click an online element in the Inventory list,
select Active Rediscovery from the right-click menu and then select DNS Name.
The DNS name is rediscovered. A popup message detailing the results of the rediscovery is
displayed when the rediscovery process is complete.
To rediscover the underlying operating system for an element:
• In the Main page of the Inventory module, right-click an online element in the Inventory list,
select Active Rediscovery from the right-click menu and then select OS Detection.
The underlying operating system is rediscovered. A popup message detailing the results of
the rediscovery is displayed when the rediscovery process is complete.
To rediscover the presence of a personal firewall for an element:
• In the Main page of the Inventory module, right-click an online element in the Inventory list,
select Active Rediscovery from the right-click menu and then select Personal Firewall
Detection.
Whether or not a personal firewall is present for the element is rediscovered. A popup
message detailing the results of the rediscovery is displayed when the rediscovery process is
complete.
To rediscover the location of an element:
• In the Main page of the Inventory module, right-click an online element in the Inventory list,
select Active Rediscovery from the right-click menu and then select Device Location.
The location of the element is rediscovered. A popup message detailing the results of the
rediscovery is displayed when the rediscovery process is complete.
5.4 Element Coloring Scheme
The elements listed in the Inventory module may be color-coded as follows:
• Blue – The element is online.
• Gray – The element is offline.
• Red – The element was denied access to the network by the NAC module.
5.5 Viewing Detailed Properties of a Specific Device
Users can view detailed properties of a specific element as well as additional information (if the
element is online) about its performance, running sessions, and related alerts.
To view element details:
• Click the IP address of an element in the Inventory list. The Inventory Properties page of the
Inventory module is displayed, listing the properties of the selected element.
The inventory details for an online device are displayed in the Properties, Performance, Audit,
Alerts, and Event History tabs of the Inventory module. Additional tabs may be presented for a
switch (Connected Elements) and for a Router (Interfaces and Routing).
The inventory details for an offline device are displayed in the Properties and Event History tabs.
5.5.1 Properties Tab
The Properties tab displays the properties of the selected device. The header of the Properties tab
includes information regarding the state of the element, and its detection on the network.
The following parameters are displayed for an online element:
| Parameter | Description |
| --- | --- |
| Inventory Properties for | The IP address of the specified element, as well as its active state (online). |
| Active since | The time at which the element was discovered to be active on the network. |
| Last activity seen at | The time at which the last activity was detected for the element. |
The following parameters are displayed for an offline element:
| Parameter | Description |
| --- | --- |
| Inventory Properties for | The MAC address of the specified offline element. |
| Last activity seen at | The time at which the element was detached from the network. |
Figure 12: Inventory Module – Specific Device Properties Tab for an Online Element
The Properties tab displays the following inventory details for an online element:
| Parameter | Description |
| --- | --- |
| IP Address | The IP address of the element. |
| MAC Address | The MAC address of the element. |
| MAC Vendor ID | The name of the manufacturer of the network interface card. |
| VLAN ID | The VLAN ID assigned to the element, if assigned. |
| Open Services | The network services that are currently running on this device. |
| OS | The Operating System running on the element. |
| Capability | The function performed by the element in the network (router, switch, VMware, and so on). |
| DNS Name | The DNS name for the IP address of the element (if it exists). |
| NetBIOS Name | The NetBIOS name of the element. (This field is not applicable for non-Microsoft Windows elements.) |
| Username (Windows) | The username of the user using this element. (This field is not applicable for non-Microsoft Windows elements.) |
| Domain | The name of the Windows domain to which the element belongs, if applicable. (This field may not be applicable for non-Microsoft Windows elements.) |
| Switch IP | The IP address of the switch to which the element is connected. |
| Switch Port | The port number on the switch to which the element is connected. |
| Geographic Location | Additional information regarding the location of the element. The information is taken from the Configuration > Topology > Location page. |
| Firewalled | Indicates whether or not a personal firewall is operating on the element. |
| Authorized | Indicates whether or not the device has been authorized, enabling a user to easily differentiate between known devices and unknown devices in the system. It also enables detection of unauthorized devices connecting to the network in real-time. To authorize the device, select Yes from the dropdown list. To unauthorize the device, select No from the dropdown list. Note: Only users with administrator privileges can authorize or unauthorize devices. |
| Free Text | A free text field in which a user can insert additional information about the element. |
To view the location of the device on the network, click the Locate on Topology Map link.
Changing information on the properties page requires administrator privileges.
An element can be moved to an offline state by clicking the Set as Offline button.
The Properties tab displays the following inventory details for an offline device:
| Parameter | Description |
| --- | --- |
| IP Address | The IP address that was used by the element. |
| MAC Address | The MAC address of the element. |
| MAC Vendor ID | The name of the manufacturer of the network interface card. |
| VLAN ID | The VLAN ID that was assigned to the element, if assigned. |
| Open Services | The network services that were found running on this device. |
| OS | The underlying Operating System of the element. |
| Capability | The function performed by the element in the network (i.e. router, switch, VMware, and so on). |
| DNS Name | The DNS name for the IP address of the element (if it exists). |
| NetBIOS Name | The NetBIOS name of the element. (This field is not applicable for non-Microsoft Windows elements.) |
| Username (Windows) | The username of the user using this element. (This field is not applicable for non-Microsoft Windows elements.) |
| Domain | The name of the Windows domain the element is logged on to, if applicable. (This field may not be applicable for non-Microsoft Windows elements.) |
| Switch IP | The IP address of the switch to which the element was connected. |
| Switch Port | The port number on the switch to which the element was connected. |
| Geographic Location | Additional information regarding the location of the element. The information is taken from the Configuration > Topology > Location page. |
| Firewalled | Indicates whether or not a personal firewall was operating on the device. |
| Authorized | Indicates whether or not the device has been authorized, enabling a user to easily differentiate between known devices and unknown devices in the system. It also enables detection of unauthorized devices connecting to the network in real-time. To authorize the device, select Yes from the dropdown list. To unauthorize the device, select No from the dropdown list. Note: Only users with administrator privileges can authorize or unauthorize devices. |
| Free Text | A free text field in which a user can insert additional information about the element. |
Note: Click the Inventory Main link to return to the main page of the Inventory module.
5.5.2 Connected Elements Tab (Switches Only)
The Connected Elements tab displays information about elements connected to the selected
switch. This tab is applicable for switches only.
Figure 13: Inventory Module – Specific Device – Connected Elements Tab
The Connected Elements tab displays the following details for each connected element:
| Parameter | Description |
| --- | --- |
| Switch Port | The switch port to which the element is connected. |
| MAC Address | The MAC address of the element. |
| Authorized (A.) | Indicates whether or not the device has been authorized, enabling a user to easily differentiate between known devices and unknown devices in the system. It also enables detection of unauthorized devices connecting to the network in real-time. |
| VLAN | The VLAN ID assigned to the element, if assigned. |
| IP Address | The IP address of the element. |
| Operating System | The Operating System running on the element. |
| Hostname | The Hostname of the element. |
| C. | The capability of the element. |
Note: Information about the location of an offline element is visible in the Connected
Elements tab.
Note: You can authorize or unauthorize an element by right-clicking the element in the
Connected Elements tab and selecting the corresponding option from the right-click menu.
5.5.3 Interfaces & Routing Tab (Routers Only)
The Interfaces & Routing tab is displayed for elements that are Routers. This tab includes
information regarding the routing table of a router, and lists the different interfaces of the router, as
applicable.
5.5.4 Alerts Tab
The Alerts tab lists the alerts generated for the specific element. Each entry includes the alert
number (ID), timestamp, the alert message, and the severity of the alert.
Figure 14: Inventory Module – Specific Device – Alerts Tab
The severity of the alert is indicated by an alert icon, as follows:
A red X indicates critical severity
A red exclamation point indicates high severity
A yellow triangle indicates medium severity
A green "i" indicates low severity
To sort the Alerts table according to a specific parameter (for example, Timestamp, ID, Alert
Message or severity), click the column header. The table is sorted according to the selected header.
5.5.5 Event History
The Event History tab lists alerts generated by the system and marked to be indexed to serve as a
device’s history. In the Event History tab, audit information regarding the element, for example,
previously used IP addresses or changes in properties, can be traced back in time.
The Configuration tab of the Alerts module page is used to configure which alerts are to be
indexed. For more information, refer to Configuring Alerts, page 75.
Figure 15: Inventory Module – Specific Device – Event History Tab
6 NAC Module
6.1 Background
Insightix NAC delivers complete and real-time network access control, ensuring that only authorized
and compliant devices are allowed to access and operate on the enterprise network.
Insightix NAC provides complete network coverage by discovering, in real-time, a comprehensive
inventory of all elements connected to the network and their associated properties. Based on the
wealth of contextual IT infrastructure information gathered by Insightix NAC, IT professionals are
able to easily baseline their network and authorize the devices that are permitted to access and
operate on the network. Once activated, Insightix NAC performs real-time element detection and
authorization enforcement, denying connectivity to any unauthorized device.
Insightix NAC features a straightforward, rule-based policy engine for defining the compliance
checks to be performed against authorized Microsoft Windows-based elements as they attempt to
connect to the network. The compliance checks supported include checks on Windows-based
operating systems, including verification of the service pack level, presence of operating system
patches, running services, and so on. If an authorized device does not pass the compliance checks,
network access is granted to remediation servers only, allowing the device’s user to align the device
with the enterprise’s network access policy.
Insightix NAC uses a patent-pending technology – Insightix Quarantine Silo – for enforcement and
quarantine, which alleviates dependencies on switch integration and other IT resources, and
ensures that network access is granted to authorized devices only after successfully passing the
compliance checks.
Insightix NAC constantly monitors the network, identifying and responding to any changes made to
the properties of devices that are authorized to operate on the network. Insightix NAC ensures that
the properties of an authorized device, such as the MAC address, are not abused, preventing an
unauthorized device from masquerading as an authorized device.
Note: Although the NAC module is enabled during the evaluation period, it is not part of the
standard Insightix Discovery Lite Edition and requires a separate license for continued use.
Please contact your local reseller or [email protected] for details.
6.2 Operation
Insightix NAC incorporates three operational modules:
• Pre-Admission: This module uses several patent-pending techniques to perform real-time
element detection and authorization enforcement, denying connectivity to any unauthorized
device.
• Admission: This module allows you to configure compliance checks to be performed against
authorized Microsoft Windows-based elements as they attempt to connect to the network. The
compliance checks supported include checks on Windows-based operating systems, including
verification of the service pack level, presence of operating system patches, running services,
etc. If an authorized device does not pass the compliance checks, network access is granted to
remediation servers only, allowing the device’s user to align the device with the enterprise’s
network access policy.
• Post-Admission: This module is charged with the task of constantly monitoring the network,
identifying and responding to any changes made to the properties of devices that are authorized
to operate on the network. The post-admission module allows building device profiles, ensuring
that the properties of an authorized device are not abused and preventing an unauthorized device
from masquerading as an authorized device.
Note: Insightix NAC provides the flexibility of determining which NAC modules should, or
should not, be operational. The order of execution of the NAC modules, assuming they are all
enabled, is Pre-Admission, Admission, and finally Post-Admission.
Insightix NAC monitors elements from the time they are attached to the network until the time
they are detached from the network.
6.2.1 Quarantine
Insightix NAC uses a patent-pending technology for enforcement and quarantine, which alleviates
dependencies on switch integration and other IT resources. Insightix Quarantine Silo technology
ensures an authorized device is denied access to the network while compliance checks are
performed, and that quarantined devices cannot access each other. This ensures the complete
isolation of questionable elements from the network until they are granted (or denied) network
access. Insightix Quarantine Silo technology ensures network access is granted to authorized
devices only after successfully passing the compliance checks.
If an authorized device does not pass the compliance checks, network access can be granted to
remediation servers only, allowing the device’s user to align the device with the enterprise’s network
access policy. As long as the device fails to comply with the network access policy, it remains in the
quarantine.
6.2.2 Enforcement
To deny network access to unauthorized elements trying to attach themselves to the enterprise
network and/or to non-compliant elements, Insightix NAC can be configured using two
enforcement modules:
• Switch Integration: Elements found to be non-compliant with the network access control policy
are disconnected from the network by shutting down the switch port to which they are connected.
• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for
enforcement and quarantine, which removes dependencies on switch integration and other IT
resources. Insightix Quarantine Silo & Enforcement technology ensures that an unauthorized
element and/or a non-compliant element cannot access the network.
You can opt to use one or both of these enforcement modules. When both enforcement modules are
enabled, Insightix NAC first attempts to shut down the switch port to which an unauthorized or a
non-compliant element is connected.
Insightix NAC uses several patent-pending techniques to detect, in real-time, when a new element is
attempting to join the network. It discovers the exact switch and switch port to which the newly
discovered element is connected in real-time. Using its location discovery algorithms, Insightix NAC
classifies the connectivity point, and determines whether the element is directly connected to the
switch port, or whether it is sharing the port connectivity with other elements (i.e., through a Hub or
an unmanaged switch).
If Insightix NAC cannot shut down the switch port to which an unauthorized or a non-compliant
element is connected (if the element shares its switch connectivity with other elements, and/or if the
element is connected to an unmanaged switch), Insightix Quarantine Silo & Enforcement technology
is used to deny network access.
6.3 Operational Pre-Requisites
The Insightix Discovery & NAC Lite Edition should have access through its active NIC(s) to the
Layer-2 broadcast domains of the networks against which NAC is to be enforced.
The following are the prerequisites for the enforcement modules:
• Switch Integration: Read/Write SNMP access to the switches operating on the network.
• Insightix Quarantine Silo & Enforcement: Layer-2 access to the network against which Insightix
NAC is to operate.
In order for the Insightix NAC to successfully audit a Microsoft Windows operating system during the
admission stage, the following pre-requisites need to be met:
• The Insightix NAC must be configured with local administrative rights on the remote machine and
be able to log on to this machine remotely (done under Audit > Windows OS Audit).
• File and Print Sharing must be enabled on the queried Microsoft Windows OS.
• The NetBIOS (TCP 139) port must be accessible on the remote machine.
• The queried Microsoft Windows machine must have the local Server service running.
• The remote machine must be running the Windows Remote Registry service.
6.4 Configuring the Pre-Admission Module
You can configure the type of action, if any, to be taken whenever an unauthorized device connects
to the network. The pre-admission NAC module can be set to automatically enforce policy and
disconnect any unauthorized device that attempts to attach itself to your network, or you can
configure the system to issue an alert without taking action against the element.
The level of operation of the pre-admission NAC module is set in the Pre-Admission tab of the NAC
module.
Note: Device authorization is configured on the Audit > Device Authorization tab.
To configure the level of operation of the Pre-Admission NAC module:
1 Select NAC in the Module Selection bar. The Pre-Admission tab of the NAC module is displayed.
Figure 16: NAC Module – Pre-Admission Tab (Mode Selection)
The current mode of operation is selected in the Pre-Admission tab.
2 Select the required mode of operation:
• Disabled: The Pre-Admission module is disabled and unauthorized elements may access the network.
• Alert Only: Network access policy violations of unauthorized elements are reported, however they are not enforced.
• Enabled: Elements that are not authorized are automatically disconnected from the network according to the selected enforcement method (configured under NAC > Configuration).
Note: The Save and Continue buttons are enabled/disabled according to the option selected in step 2.
3 If you select Disabled or Alert Only, click Save.
OR
If you select Enabled, click Continue to configure additional policy parameters.
A list of unauthorized devices that have been detected on the network is now displayed in the Pre-Admission tab. The elements listed will be disconnected from the network once the pre-admission NAC module is enabled.
Figure 17: NAC Module – Pre-Admission Tab (Unauthorized Device List)
4 (Optional) Review the list of unauthorized devices and authorize specific devices as required.
To authorize a device, select the checkbox adjacent to the IP address of the device and click Authorize Selected. The newly authorized devices are removed from the list and will not be disconnected when the pre-admission module is enabled.
5 Click Finish to enforce the pre-admission NAC policy.
6.5 Configuring the Admission Module
The admission NAC module allows you to configure the compliance checks to be performed against
authorized Microsoft Windows-based elements as they attempt to connect to the network. If an
authorized device does not pass the compliance checks, network access is granted to remediation
servers only, allowing the device’s user to align the device with the enterprise’s network access
policy.
6.5.1 Configuring the Compliance Checks
You can configure the compliance checks to be performed against authorized Microsoft Windows-based
elements as they attempt to connect to the network. The compliance checks supported
include checks on Windows-based operating systems, including verification of the service pack level,
presence of operating system patches, running services, and so on.
To configure the compliance checks:
1 Select NAC > Admissions. The Policy page of the Admission tab is displayed.
Figure 18: NAC Module – Admission Tab (Policy Page)
2 Select or clear the NAC Admissions protection checkbox to enable or disable the Admission module.
3 From the Define action dropdown list, select the action to be taken if an authorized device does not pass the compliance checks:
• Alert: Network access policy violations of authorized non-compliant elements are reported, however they are not enforced.
• Enforce: Action is taken against devices that do not pass the compliance checks according to the selected enforcement method (configured under NAC > Configuration).
4 To configure compliance check rules according to operating system:
• Select the Operating System for which to add a rule from the dropdown list immediately above the Operating System header.
• In the Action column, set the action that is to be taken when a device passes the compliance checks.
• Click Add. A line is added to the Rules table for the selected operating system.
• In the Admissions Checks column, click the icon to select the type(s) of service check(s) to be performed. A line is displayed for each selected service type.
• Set the additional required criteria for each selected service check type in the adjacent field as follows:
  • Service Pack Level: Specify the required service pack level.
  • Opened Network Service: Specify the network service(s) that must be open.
  • Hot Fixes: Specify the required Hot Fixes. Note: all Hot Fixes must start with "KB" or "Q".
Note: To remove a rule, select it in the table and click Remove.
5 Set the action to be taken (Allow/Deny) if the element matches the following conditions that make performance of one or more of the service checks unfeasible:
• If the element is firewalled.
• If the NETBIOS service is not enabled.
• If the credentials do not allow the extracting of information.
6 Set the action to be taken (Allow/Deny) if no match is found, meaning that the element does not match any of the rules for compliance check and does not meet the criteria of any special cases previously defined as allowed.
7 Click Save to save the changes.
Note: Multiple rules per operating system can be set. The first rule an element matches is the rule that would be used.
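The decision that the procedure above configures can be modeled to see how rule order and the Allow/Deny special cases change the outcome for the same device. This is an added example, not Insightix code: the class and field names, the Allow/Deny values for a rule's Action, the service pack level treated as a minimum, and the special-case conditions being decided before the rules are assumptions, and the devices and hot fix ID are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "Allow", "Deny"   # assumed values of a rule's Action column


@dataclass(frozen=True)
class Device:
    """Constructed audit result for one authorized Windows element."""
    os: str
    service_pack: int = 0
    open_ports: frozenset = frozenset()
    hot_fixes: frozenset = frozenset()
    firewalled: bool = False
    netbios_enabled: bool = True
    credentials_ok: bool = True


@dataclass(frozen=True)
class Rule:
    """One line of the Rules table: an operating system, its checks, an action."""
    os: str
    action: str                              # taken when the device passes the checks
    service_pack: Optional[int] = None       # assumption: treated as a minimum level
    open_services: frozenset = frozenset()   # TCP ports that must be open
    hot_fixes: frozenset = frozenset()

    def __post_init__(self):
        # The manual requires every hot fix to start with "KB" or "Q".
        bad = sorted(h for h in self.hot_fixes
                     if not h.upper().startswith(("KB", "Q")))
        if bad:
            raise ValueError(f"hot fix IDs must start with KB or Q: {bad}")

    def passes(self, dev: Device) -> bool:
        if dev.os != self.os:
            return False
        if self.service_pack is not None and dev.service_pack < self.service_pack:
            return False
        return (self.open_services <= dev.open_ports
                and self.hot_fixes <= dev.hot_fixes)


@dataclass
class Policy:
    rules: list                      # order matters: the first matching rule is used
    if_firewalled: str = DENY
    if_no_netbios: str = DENY
    if_bad_credentials: str = DENY
    if_no_match: str = DENY

    def evaluate(self, dev: Device):
        """Return (action, reason) for one device."""
        # Assumption: conditions that make the checks unfeasible are decided first.
        special = (
            (dev.firewalled, self.if_firewalled, "firewalled"),
            (not dev.netbios_enabled, self.if_no_netbios, "NetBIOS not enabled"),
            (not dev.credentials_ok, self.if_bad_credentials, "credentials rejected"),
        )
        for hit, action, reason in special:
            if hit:
                return action, reason
        for index, rule in enumerate(self.rules, start=1):
            if rule.passes(dev):
                return rule.action, f"rule {index}"
        return self.if_no_match, "no match"


# Constructed sample data; "KB0000001" is a placeholder, not a real update.
TELNET_DENY = Rule("Windows XP", DENY, open_services=frozenset({23}))
PATCHED_ALLOW = Rule("Windows XP", ALLOW, service_pack=2,
                     hot_fixes=frozenset({"KB0000001"}))

DEVICES = {
    "patched": Device("Windows XP", 2, frozenset({139}), frozenset({"KB0000001"})),
    "patched+telnet": Device("Windows XP", 2, frozenset({23, 139}),
                             frozenset({"KB0000001"})),
    "stale": Device("Windows XP", 1, frozenset({139})),
    "firewalled": Device("Windows XP", firewalled=True),
}


def report(policy: Policy) -> dict:
    """Evaluate every sample device against one policy."""
    return {name: policy.evaluate(dev) for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for label, policy in (
        ("deny rule first", Policy([TELNET_DENY, PATCHED_ALLOW])),
        ("allow rule first", Policy([PATCHED_ALLOW, TELNET_DENY])),
        ("firewalled allowed", Policy([PATCHED_ALLOW], if_firewalled=ALLOW)),
    ):
        print(label)
        for name, verdict in report(policy).items():
            print(f"  {name:15} {verdict}")
```

Swapping the two rules flips the verdict for the device that is patched but has TCP 23 open, and setting a special-case action to Allow admits a device whose compliance was never checked.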
6.5.2 Configuring the Admission Quarantine
Insightix Quarantine Silo technology ensures an authorized device is denied access to the network
while compliance checks are performed, and that quarantined devices cannot access each other.
This ensures the complete isolation of questionable elements from the network until they are granted
(or denied) network access. Insightix Quarantine Silo technology ensures network access is granted
to authorized devices only after successfully passing the compliance checks.
The conditions for the quarantining of a device are configured in the NAC > Admissions >
Quarantine page.
To configure the Admission quarantine:
1 In the Admission tab of the NAC Module, click Quarantine. The Quarantine page is displayed.
Figure 19: NAC Module – Admission Tab (Quarantine Page)
2 Configure when NAC should quarantine elements by selecting Do not quarantine elements or Quarantine elements for each of the following options:
• While performing admission checks
• When a security violation is discovered during the admission stage
3 Define the remediation servers that can be accessed by an element that is in quarantine for the purpose of aligning the device with the enterprise’s network access policy as follows:
• To add a remediation server, type its IP address in the fields immediately above the IP Address header in the table and click Add. The IP address is added to the table.
• To remove a remediation server, select the checkbox adjacent to its IP address and click Remove Selected.
Note: The IP address of the remediation server must be local to the subnet it serves.
4 Click Save to save the changes.
6.6 Post-Admission Module
This module is charged with the task of constantly monitoring the network, identifying and
responding to any changes made to the properties of devices that are authorized to operate on the
network. The Post-Admission module allows the building of device profiles to ensure that the
properties of an authorized device are not abused by an unauthorized device masquerading as an
authorized device.
6.6.1 Configuring the Compliance Checks
You can configure compliance checks to make sure that specific operating systems and running
services are not operating on your networks.
To configure the compliance checks:
1 Select NAC > Post-Admission. The Policy page of the Post-Admission tab is displayed.
Figure 20: NAC Module – Post-Admission Tab (Policy Page)
2 Select or clear the Enable NAC Post-Admission protection checkbox to enable or disable the Post-Admission module.
3 From the Define action dropdown list, select the action to be taken if a non-authorized operating system or a network service is detected:
• Alert: Network access policy violations are reported, however they are not enforced.
• Enforce: Action is taken against devices that do not comply with the network access policy according to the selected enforcement method (configured under NAC > Configuration).
4 To perform post-admission checks for denying access from a certain operating system:
• Select the Non-Authorized operating systems checkbox.
• Select the Operating System family from the dropdown lists immediately above the Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.
• Click Add. A rule is added. If the specified type of operating system is detected and Post-Admission protection is enabled, the element will be handled according to the action defined above the tables.
Note: To remove a rule, select it in the table and click Remove.
5 To perform post-admission checks for non-authorized running service(s):
• Select the Non-Authorized open running services checkbox.
• Select the Operating System family from the dropdown lists immediately above the Operating System header of the adjacent table. You can select only an operating system family or you can select a specific system from within that family.
• In the Services field, enter up to two applicable TCP ports.
• Click Add. A rule is added. If the specified type of running service and operating system are detected and Post-Admission protection is enabled, the elements will be handled according to the action defined above the tables.
Note: To remove a rule, select it in the table and click Remove.
6 Click Save to save the changes.
6.6.2 Creating a Device Profile
Creating device profiles for specific elements in the inventory helps prevent spoofing attacks. A
device profile sets one or more of the following parameters as fixed:
• Operating System
• NETBIOS name
• Switch IP address and port to which it is connected
If the device properties are changed so that the fixed properties no longer match, the defined
Post-Admission action is taken (Alert, Enforce).
Device profiles are configured in the NAC > Post-Admission > Devices page.
To configure device profiles:
1 In the Post-Admission tab of the NAC Module, click Devices. The Devices page is displayed.
Figure 21: NAC Module – Post-Admission Tab (Devices Page)
The Devices page lists all the elements in the inventory list. If the properties of a device do not match its fixed profile parameters, it is displayed in red.
2 From the Define action dropdown list, select the action to be taken if a non-authorized operating system is detected:
• Alert: Network access policy violations are reported, however they are not enforced.
• Enforce: Action is taken against devices violating the network access policy according to the selected enforcement method (configured under NAC > Configuration).
3 Select the checkbox for a specific element to indicate that it must always use the configured parameters.
Tip: You can use the Search option to locate and sort elements according to various criteria. For additional information, refer to 2.11 Searching the Insightix Discovery & NAC Lite Edition.
4 (Optional) Right-click anywhere on the line for the element and select one or more of the following options in the popup menu:
• Set current Operating System as Fixed
• Set current NETBIOS Name as Fixed
• Set current Switch IP and Port as Fixed
The selected properties are set as fixed for the selected element.
Notes:
To edit the fixed property settings, right-click and select or clear the options as required.
To disable the fixed property settings, clear the element's checkbox in the Operating System column.
5 Click Save to save the changes.
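The device profile check in this section amounts to comparing each new inventory reading for a MAC address against the values that were set as fixed. The following added example (not Insightix code) shows that comparison on constructed readings; the names ProfileStore, Observation and norm_mac, the MAC and NetBIOS normalization, and the sample addresses are assumptions.

```python
import re
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Normalize 00-00-5E-..., 00:00:5e:... and 0000.5e00.... to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Observation:
    """Constructed inventory reading for one element."""
    mac: str
    os: str
    netbios_name: str
    switch_ip: str
    switch_port: int


# The three properties the Devices page can set as fixed.
PINNABLE = {
    "os": lambda o: o.os,
    "netbios": lambda o: o.netbios_name.upper(),   # NetBIOS names ignore case
    "location": lambda o: (o.switch_ip, o.switch_port),
}


class ProfileStore:
    """Fixed properties per MAC address, plus the Post-Admission action."""

    def __init__(self, action: str = "Alert"):
        self.action = action          # "Alert" or "Enforce"
        self._fixed = {}              # normalized MAC -> {label: fixed value}

    def pin(self, obs: Observation, *labels: str) -> None:
        """Set the current value of each named property as fixed."""
        unknown = set(labels) - set(PINNABLE)
        if unknown:
            raise KeyError(f"unknown profile property: {sorted(unknown)}")
        entry = self._fixed.setdefault(norm_mac(obs.mac), {})
        for label in labels:
            entry[label] = PINNABLE[label](obs)

    def check(self, obs: Observation) -> list:
        """Return (label, fixed, seen) for every fixed property that changed."""
        fixed = self._fixed.get(norm_mac(obs.mac), {})
        return [(label, want, PINNABLE[label](obs))
                for label, want in fixed.items()
                if PINNABLE[label](obs) != want]

    def sweep(self, observations) -> list:
        """Check a batch of readings and report the ones that violate a profile."""
        findings = []
        for obs in observations:
            diffs = self.check(obs)
            if diffs:
                findings.append({"mac": norm_mac(obs.mac),
                                 "action": self.action,
                                 "changed": [label for label, _, _ in diffs]})
        return findings


# Constructed readings (documentation MAC and IP ranges).
BASELINE = Observation("00-00-5E-00-53-01", "Windows XP", "FILESRV01", "192.0.2.10", 12)
SAME_HOST = Observation("0000.5e00.5301", "Windows XP", "filesrv01", "192.0.2.10", 12)
MOVED = Observation("00:00:5E:00:53:01", "Windows XP", "FILESRV01", "192.0.2.10", 7)
# A different host presenting the authorized MAC address.
IMPOSTOR = Observation("00:00:5e:00:53:01", "Linux", "", "192.0.2.11", 3)

if __name__ == "__main__":
    store = ProfileStore(action="Enforce")
    store.pin(BASELINE, "os", "netbios", "location")
    for finding in store.sweep([SAME_HOST, MOVED, IMPOSTOR]):
        print(finding)
```

Fixing only the operating system lets a legitimate port move pass unreported, while fixing the switch IP and port as well reports every relocation of the device.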
6.7 Exceptions
You can define exceptions to the various NAC modules. An exception rule can be configured
according to a variety of device parameters, including MAC address, MAC address range, IP
address, network address, switch IP, and switch IP and port. The operational stages that the exception
rule overrides must be configured for each rule. Devices that meet the conditions of a defined
exception do not pass through the NAC modules for which the exception rule is set.
To define an exception:
1 In the NAC module, select the Exceptions tab. The Exceptions tab is displayed.
Figure 22: NAC Module – Exceptions Tab
If any exceptions have been defined, they are listed on the Exceptions tab.
2 From the Type dropdown list, select the device parameter on which the exception is to be based and enter the corresponding criteria in the adjacent fields.
• MAC Address: The MAC address of the specific device.
• MAC Range: The first three bits, which define a range of MAC addresses belonging to a certain NIC family (usually the same manufacturer).
• Switch IP: The IP address of a switch.
• Switch IP and Port: The IP address of a switch and the exact number of the port.
• IP Address: The IP address of a specific device.
• Network Address: The network address of a specific subnet.
Note: The number and size of the adjacent fields change according to the option selected from the dropdown list.
3 Select the NAC module or modules that the exception rule is to discard by selecting the checkbox adjacent to the NAC module’s name.
Note: The available NAC modules to be set as an exception vary according to the option selected from the dropdown list.
4 Click Add. The exception is added to the list.
5 Click Save.
To remove an exception:
1 In the Exceptions tab, select the exception to be removed and click Remove Selected.
2 Click Save.
To edit an exception:
1 In the Exceptions tab, select the exception to be edited and click on the icon to select the NAC modules that the exception rule is to discard.
2 Click Save.
6.8 Enforced Violations
The Enforced Violations tab of the NAC module lists the elements that are either denied network
access or are quarantined in keeping with the NAC enforcement policy.
The Enforced Violations tab contains three pages:
• Switch Integration – Lists the shut-down switch ports to which unauthorized or non-compliant
devices are connected.
• Quarantine Silo – Lists unauthorized and/or non-compliant devices that are denied
network access using Insightix’s patent-pending Quarantine Silo and Enforcement technology.
• Quarantine – Lists non-compliant devices that are currently being quarantined.
6.8.1 Enforcement Using Switch Integration
The Switch Integration page of the Enforced Violations tab lists elements that have been
disconnected from the network by shutting down the switch port to which they were connected, in
keeping with the NAC policy.
6.8.1.1 Re-enabling a Closed Switch Port
If you identify specific switch ports that you do not want to remain disconnected, you can set the
NAC module to re-enable those switch ports.
To re-enable specific switch ports:
1 In the NAC module, select the Enforced Violations tab. The Switch Integration tab is displayed.
Figure 23: NAC Module – Enforced Violations Tab
The Switch Integration page lists the following information for those elements that have been disconnected in keeping with NAC policy:
• Switch IP Address: The IP address of the switch to which the element was connected.
• Switch Port: The port number of the switch to which the element was connected.
• Element: The MAC address of the device.
• Disconnection Reason: The reason for disconnecting the device, for example, because the device is an unauthorized device.
• Time & Date: The date and time when the device was disconnected.
• Mode: The enforcement module that prevented the network access.
2 Select the switch port to be re-enabled and click Allow Network Access. The selected switch port is re-enabled. Insightix NAC automatically re-enables the shutdown switch ports at regular time intervals (by default, every five minutes).
Note: The Insightix Discovery & NAC Lite Edition automatically re-enables a shut-down
switch port after a five-minute time period. If the element for which access was prevented
continues to remain connected to this port, the port will be shut down again when
rediscovered. The re-enable time interval is configurable. For details, refer to Configuring
Real-Time System Parameters, page 118.
6.8.1.2 Finding Closed Switch Ports
You can locate a closed switch port on any identified switches operating on the network.
To locate closed switch ports:
1 In the NAC module, select the Enforced Violations tab.
2 Click Scan Switches for Closed Ports to perform the scan. The following window is displayed:
Figure 24: Scanning for Closed Switch Ports
Any closed switch ports are now displayed on the Enforced Violations tab.
6.8.2 Enforcement Using Quarantine Silo & Enforcement Technology
The Q. Silo page of the Enforced Violations tab lists elements that have been disconnected from
the network using Insightix patent-pending Quarantine Silo and Enforcement technology, in keeping
with the NAC policy.
The Q. Silo page lists the following information for those elements that have been disconnected in keeping with NAC policy:
• MAC Address: The MAC address of the element violating the network access policy.
• Disconnection Reason: The reason for disconnecting the device, for example, because the
device is an unauthorized device.
• Time & Date: The date and time when the device was disconnected.
• IP Address: The IP address of the element violating the network access policy.
Figure 25: NAC Module: Enforced Violations Tab (Quarantine Silo & Enforcement Page)
6.8.3 Quarantined Elements
The Quarantined Elements page of the Enforced Violations tab lists elements that are currently
quarantined while Insightix NAC performs compliance checks.
Figure 26: NAC Module – Enforced Violations Tab (Quarantine Page)
The Quarantine tab lists the following information for the elements currently in quarantine:
• MAC Address: The MAC address of the element in quarantine.
• Disconnection Reason: The reason for quarantining the element.
• Time & Date: The date and time when the device was quarantined.
• IP Address: The IP address of the element.
6.9 NAC Configuration
To deny network access to unauthorized elements trying to attach themselves to the enterprise
network and/or to non-compliant elements, Insightix NAC can be configured using two
enforcement modules:
• Switch Integration: Elements found to be non-compliant with the network access control policy
are disconnected from the network by shutting down the switch port to which they are connected.
• Insightix Quarantine Silo & Enforcement Technology: A patent-pending technology for
enforcement and quarantine, which removes dependencies on switch integration and other IT
resources. Insightix Quarantine Silo & Enforcement technology ensures that an unauthorized
element and/or a non-compliant element cannot access the network.
The mode of enforcement for the NAC is set in the Configuration tab of the NAC module.
To configure the enforcement mode:
1 In the NAC module, select the Configuration tab. The Configuration tab is displayed.
Figure 27: NAC Module – Configuration Tab
2 Select one of the following NAC Enforcement mode options:
• Switch Integration: This option disconnects non-compliant elements from the network by shutting down the switch port to which they are connected.
• Quarantine Silo & Enforcement Technology: This option utilizes Insightix’s patent-pending Quarantine Silo and enforcement technology to deny access to unauthorized and/or non-compliant elements.
• Both: This option combines the above two options.
3 Click Save to save the changes.
Note: If the selected option incorporates Quarantine Silo & Enforcement technology and
there is a problem with Layer-2 access to one or more networks, a warning message is
displayed when you click Save, indicating those networks against which this technology
cannot be applied.
7 Alerts Module
The Alerts module enables users with administrative privileges to configure the types of events for
which the system generates alerts, and where these alerts are to be sent. The Alerts module
displays the list of generated alerts and allows users to search the list for a specific element and/or
event.
This chapter describes the types of alerts that can be generated, as well as how they are configured
and viewed.
7.1 Viewing Alerts
Users can view a complete list of the alerts generated by the system.
To view alerts:
• Select Alerts in the Module Selection bar. The Alerts tab of the Alerts module is displayed.
Figure 28: Alerts Module – Alerts Tab
The Alerts table lists the alerts generated by the system, ordered according to the time at which they
were generated (most recent on top). Each entry includes the alert number (ID), a timestamp, the
alert message, and the alert’s severity.
The severity of the alert is indicated by an alert icon, as follows:
A red X indicates critical severity
A red exclamation point indicates high severity
A yellow triangle indicates medium severity
A green "i" indicates low severity
To view the detailed properties of the element for which an alert was generated, right-click an alert
message field and select Device Properties. The individual inventory page of the Inventory module
is displayed, listing the properties of the selected element. To search for the device in the Inventory
module, select Search Device from the right-click menu.
7.1.1 Sorting Alerts
To sort the Alerts table according to a specific parameter (for example, Timestamp, ID, Alert
Message, Severity), click the column header. The table is sorted according to the selected header.
7.1.2 Searching Alerts
A user can search the alerts generated by the system according to any word, IP address, MAC
address, and other search criterion that appears in any of the alert messages.
Note: The Alerts table displays a maximum of 50 alerts at one time. When searching alerts,
the search is executed against the last 1,000 alerts the system had generated.
7.2 Configuring Alerts
A user with administrative privileges can determine the types of events that trigger alerts in the
system. A user can also designate the destinations to which alerts are sent: the system, an email
address, a syslog server and/or indexing for event history.
The following events are predefined in the system as alerts, and can be configured according to the
monitoring requirements of the network:
• A New IP Address Detected: Generates an alert when an IP address that has not been
previously detected is discovered.
• A New MAC Address Detected: Generates an alert when a MAC address that has not been
previously detected is discovered.
• A New IP Subnet Detected: Generates an alert when a new IP subnet address range is
detected.
• An Additional IP address for an element detected: Generates an alert when a network
element has been detected as having more than a single IP address.
• A Duplicate IP address Detected: Generates an alert when the system has detected more than
one device with the same IP address (two network interface cards claiming to be configured with
the same IP address).
• The IP address of an element has changed: Generates an alert when the IP address of an
element has been changed to a different IP address.
• A VLAN ID detected for an element: Generates an alert when a VLAN ID associated with a
network element is detected.
• Operating system detected for an element: Generates an alert when the operating system for
an element is detected.
• Operating System changed for an element: Generates an alert when the operating system for
an element has been changed.
• A network service detected to operate on an element: Generates an alert when an open
network service is detected operating on a network element.
• An element is behind a personal firewall: Generates an alert when a network element is
protected by a personal firewall.
• The firewall state for an element changed: Generates an alert when the firewall state has
changed for an element (i.e., from on to off or vice versa).
• NetBIOS name changed for an element: Generates an alert when a change in the NetBIOS
name is detected.
• Network connectivity changed for an element: Generates an alert when the location of an
element, the switch and/or switch port it is connected to, has been changed.
• Physical connectivity of switches changed: Generates an alert when a change in the way
network switches are physically connected to each other is detected.
• An element is offline (detached from the network): Generates an alert when an element is no
longer connected to the network.
• Communications established from an external element: Generates an alert when
communication is established between an element residing on a non-monitored network (i.e. the
Internet) to a monitored system.
• Unauthorized device detected: Generates an alert when an unauthorized device is physically
connected to a monitored network (refer to Authorizing Devices, page 92).
• Unauthorized device tracked: Generates an alert when an unauthorized device is detected
operating on the network. This alert includes details about the exact location of the unauthorized
device, the IP address of the switch and the exact switch port to which this element is
connected.
• A switch does not answer SNMP queries: Generates an alert when a switch does not reply to
SNMP queries sent by the Insightix Discovery & NAC Lite Edition.
• A Wireless Access Point detected: Generates an alert when a Wireless Access Point is
discovered operating on the network.
• A Firewall device detected: Generates an alert when a Firewall has been discovered.
• A NAT device detected: Generates an alert when a NAT device is detected.
• A printer detected: Generates an alert when a printer is detected operating on the network.
• A printer server detected: Generates an alert when a print server is detected operating on the
network.
• A Router detected: Generates an alert when a Router is detected operating on the network.
• A switch detected: Generates an alert when a switch is detected operating on the network.
• Microsoft Virtual PC Guest detected: Generates an alert when a Microsoft Virtual PC Guest is
detected.
• Microsoft Virtual PC Host detected: Generates an alert when a Microsoft Virtual PC Host is
detected.
• VMware Guest detected: Generates an alert when a VMware Guest machine is detected.
• VMware Host detected: Generates an alert when a VMware Host machine is detected.
• An analog voice device detected: Generates an alert when an analog voice device is detected.
• A VoIP device detected: Generates an alert when a VoIP device is detected.
• An element is now online: An element’s connectivity state has changed from offline to online.
• NAC Module successful manual enforcement: Generates an alert when an element is
manually disconnected from the network by a user with administrative privileges.
• NAC Module successful enforcement: Generates an alert when an unauthorized element is
not allowed access to the network.
• NAC module re-enabled a switch port (automatic): Generates an alert when the NAC module
re-enables a previously shutdown switch port. By default, a shutdown switch port is re-enabled
after 5 minutes. This time period is configurable in the Configuration module.
• NAC enforcement violation (manual change of switch port): Generates an alert when a
previously shutdown switch port has been manually re-enabled by the network administrator.
• Unauthorized device detected but not disconnected (NAC module in Alert mode):
Generates an alert when an unauthorized element is detected as operating on the network, but
is not disconnected since the NAC module operates in alert only mode.
• NAC module operational mode change: Generates an alert whenever the operational mode of
the NAC module changes.
• Inappropriate SNMP write credentials for NAC enforcement: Generates an alert when the
SNMP community string provided for a certain switch does not allow write permission.
• An exception rule prevented the disconnection of an unauthorized device: Generates an
alert when an unauthorized element was not disconnected from the network due to an exception
rule preventing the disconnection of the element.
• NAC module re-enabled a switch port (manual): Generates an alert when a switch port that
was previously shutdown by the NAC module has been manually re-enabled.
• Unauthorized device location not detected: Generates an alert when the switch and switch
port of an unauthorized element have not been detected.
• NAC module re-enabled a switch port due to a defined exception change: Generates an
alert when an exception rule previously not allowing the disconnection of an element (or
elements) has been deleted allowing the disconnection of these elements.
• License Violation: Generates an alert when the license for the Insightix Discovery & NAC Lite
Edition is violated (i.e., the license is for a smaller number of elements, where the actual number
of elements detected is much higher).
To configure alerts:
1 Select Alerts in the Module Selection bar, and then click the Configuration tab in the Alerts module. The Configuration tab of the Alerts module is displayed.
Figure 29: Alerts Module – Configuration Tab (Alerts Page)
2 Select or clear the Enable checkbox to determine the events for which alerts are to be generated.
3 Select the group for the alert from the Target Group dropdown list (Always, for all elements, or a specific group name as a filter). Selecting a Target Group enables you to assign alerts to a specific group of elements. (For details, refer to 7.3 Configuring Target Groups.)
4 Select the severity of the alert from the Severity dropdown list.
5 (Optional) In the Alerts Destinations area, select one or more of the checkboxes to indicate the action to be taken when an alert is triggered:
• To display alerts in the Alerts table in the Alerts tab of the Alerts module, select the Display checkbox.
• To send alerts to an email address, select the Email checkbox. The alerts are sent to the email address configured on the Destinations page.
• To save alerts to a syslog server, select the Syslog checkbox. The alerts are issued as syslog messages to a syslog server. The IP address of the syslog server is configured on the Destinations page.
• To index alerts to serve as a device’s audit history, select the History checkbox.
6 Click Save to save the changes.
7.3 Configuring Target Groups
A user can configure an alert to be triggered for all of the elements detected by the system, or define
Target Groups to filter the alerts so that they are triggered only for the elements contained in the
Target Group.
A Target Group can include the following element types:
• Network Services
• Networks
• IP Addresses
• MAC Addresses
A Target Group can include multiple entries of one element type or it can include multiple entries of
diverse element types. When filtering alerts for a target group that includes more than one element
type, the alert must meet at least one of the criteria defined for each of the element types contained
in the group.
For example, if target group AAA includes two IP elements (192.168.2.2 and 192.168.2.3) and two
TCP Service elements (ports 21 and 22), an alert is triggered only if it matches the IP address
criteria (192.168.2.2 OR 192.168.2.3) AND the TCP Service criteria (ports 21 OR 22).
Note: In order to introduce multiple element types into a Target Group, the same group name
must be used when defining the member elements.
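The filter logic described above (OR within an element type, AND across element types), as an added example that is not Insightix code. The row layout, the value formats ("tcp/21", CIDR networks, colon-separated MACs), the alert dictionary keys, and the handling of alerts that lack an attribute are assumptions made for this sketch.

```python
import ipaddress

# Constructed Targets-page rows: (group name, element type, value).
# Value formats are assumptions; the manual only says they vary by element type.
TARGET_ROWS = [
    ("AAA", "ip", "192.168.2.2"),
    ("AAA", "ip", "192.168.2.3"),
    ("AAA", "service", "tcp/21"),
    ("AAA", "service", "tcp/22"),
    ("Lab", "network", "10.20.0.0/16"),
    ("Lab", "mac", "00:11:22:33:44:55"),
    # Name not entered exactly as in the existing entries: this sketch compares
    # names as exact strings, so the row lands in a separate group.
    ("aaa", "service", "tcp/23"),
]


def normalise(etype, value):
    """Convert a configured or observed value into a comparable form."""
    if etype == "ip":
        return ipaddress.ip_address(value)
    if etype == "network":
        return ipaddress.ip_network(value)
    if etype == "mac":
        return value.lower().replace("-", ":")
    if etype == "service":
        proto, port = value.lower().split("/")
        return (proto, int(port))
    raise ValueError(f"unknown element type: {etype}")


def build_groups(rows):
    """Collect rows that share the same group name into {name: {type: values}}."""
    groups = {}
    for name, etype, value in rows:
        groups.setdefault(name, {}).setdefault(etype, set()).add(normalise(etype, value))
    return groups


def type_matches(etype, values, alert):
    """OR step: one matching entry of this element type is enough.

    Assumption: an alert that does not carry the attribute at all
    (for example, no service) is treated as a non-match.
    """
    if etype == "ip":
        return "ip" in alert and normalise("ip", alert["ip"]) in values
    if etype == "network":
        if "ip" not in alert:
            return False
        addr = ipaddress.ip_address(alert["ip"])
        return any(addr in net for net in values)
    if etype == "mac":
        return "mac" in alert and normalise("mac", alert["mac"]) in values
    if etype == "service":
        return "service" in alert and normalise("service", alert["service"]) in values
    raise ValueError(f"unknown element type: {etype}")


def alert_in_group(groups, name, alert):
    """AND step: every element type defined for the group must be satisfied."""
    return all(type_matches(t, v, alert) for t, v in groups[name].items())


if __name__ == "__main__":
    groups = build_groups(TARGET_ROWS)
    for alert in (
        {"ip": "192.168.2.2", "service": "tcp/22"},   # both criteria met
        {"ip": "192.168.2.2", "service": "tcp/80"},   # IP matches, service does not
        {"ip": "192.168.2.3"},                        # no service attribute
    ):
        print(alert, "->", alert_in_group(groups, "AAA", alert))
```

Under these assumptions, adding a second element type to a group narrows it: alerts that carry no value for that type stop matching the group.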
To add a Target Group entry:
1 In the Configuration tab of the Alerts module, click Targets to display the Targets page.
Existing Target Group entries are listed in a table, with a separate row displayed for each element in a group.
Figure 30: Alerts Module – Configuration Tab (Targets Page)
2 Enter the name of the Target Group in the Group Name field.
Note: When adding an entry to an existing group, take care to enter the name exactly
as it appears in existing entries for the group.
3 Select the type of element from the Element Type dropdown list.
4 Enter the appropriate element value in the Value field.
Note: The format of the Value field varies according to the type of element selected.
5 Click Save. The Target Group definitions are updated and the Target Group is included in the Group Name dropdown list on the Alerts page.
To delete a Target Group entry:
1 In the Configuration tab of the Alerts module, click Targets to display the Targets page.
2 Select the checkbox for the entry to be deleted and click Remove. The entry is removed from the Target Group.
Note: You can delete more than one entry at a time by selecting multiple checkboxes
on the page.
3 Click Save to update and save the Target Group definitions.
Note: Once all entries for a Target Group are deleted, the group is no longer included
in the Group Name dropdown list on the Alerts page.
7.4 Configuring Alert Destinations
You can determine the types of actions that trigger alerts in the system, and designate an email
address or a Syslog Server for the receipt of alert notifications.
7.4.1 Configuring an Email Recipient
To configure an email recipient:
1 In the Configuration tab of the Alerts module, click Destinations to display the Destinations page.
Figure 31: Alerts Module – Configuration Tab (Destinations Page)
2 In the Email area, configure the email destination details as follows:
• Enter the email address that is to appear as the email address of the sender of the alert emails in the Email Sender field.
• Enter the email subject that is to appear as the email subject for the emails received from the Insightix Discovery & NAC Lite Edition in the Email Subject field.
• Enter the destination email address in the Email Recipient field.
• Enter the IP address or the Hostname of the email server to be used to send alerts in the SMTP Server IP field.
• Enter the port number used by the email server to send alerts in the SMTP Server Port field.
• (Optional) If authentication is required to send emails, select the User Authentication checkbox and enter the user name and password in the designated fields.
Note: The User Name and Password fields are displayed when User
Authentication is selected.
Note: If the email server requires Windows domain authentication credentials,
the user name needs to be entered as follows: \Domainname\username
• (Optional) To enable TLS encryption, select the Use TLS checkbox.
7.4.2 Configuring a Destination Syslog Server
To configure a destination Syslog server:
1 Enter the IP address of the target Syslog server in the Syslog Collector IP Address field.
2 Enter the port number used by the Syslog server in the Syslog Port field.
3 Click Save to update and save the alert destination definitions.
8 Audit Module
The Audit module provides information regarding network servers and their running services. It
enables the configuration of various auditing features such as the Microsoft Windows operating
system patch auditing, the authorization scheme, the management of generated OS signatures, and
network service naming.
This chapter describes the information displayed in the Audit module, as well as how to configure the
various auditing features.
8.1 Viewing Network Services Audit Data
The Local Servers tab lists audit information regarding network services found to be operating on
monitored networks according to the protocol they use (TCP or UDP) and the network service (SSH,
FTP, and so on).
To view the network services audit information:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Local Servers tab.
2 Select the protocol type, TCP or UDP. The network services found to operate on the monitored network using the selected network protocol are listed in the Services list.
Figure 32: Audit Module – Local Servers Tab
3 To view the elements on which a particular network service is found to operate, select the
service in the Services list. The IP address and Operating System for matching elements are listed.
4 (Optional) By selecting an element (clicking on its table entry) it is possible to view a list of IP addresses currently communicating with the element using the selected network service.
5 To view the individual properties page for a specific element, click the magnifying glass icon
adjacent to the element's operating system name. The individual inventory properties page for the element is displayed, listing the properties of the selected element.
Note: To create custom exportable reports regarding the network services found to operate
on the monitored networks, use the Inventory module. The keywords tcpport:<port number>
and udppoprt:<port number> can be used to search for a specific list of elements on which a
particular network service is found to operate.
Note: For a list of element properties, refer to section 5.3.
8.2 Configuring Server Audit Rules
The Insightix Discovery & NAC Lite Edition enables defining network services audit rules according
to specific operating systems, IP addresses, network subnets, and hostnames. The audit rules
include a list of network services that are to be audited by the system both passively and actively (if
not found to operate passively). Other network services are added to the list of predefined audit rules
per individual element, if their existence is passively detected by the system (this can be seen in
their individual properties pages).
A user can initiate the audit process by performing a scan on demand in the Audit module.
Audit rules are defined in the Servers Audit tab of the Audit module.
8.2.1 Defining Audit Rules According to Operating Systems
Audit rules can be defined for specific operating systems.
To add a port definition for an Operating System:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab. By default the OS page is displayed.
Figure 33: Audit Module – Configuration Tab
2 Select the Operating System for which to add a port from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.
3 Click Add. The port number is added to the Rule Ports list.
4 Click Save to save the changes.
To remove a port definition:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab (Figure 33).
2 In the OS page, select the Operating System from which the port is to be removed from the Audit Rules list.
3 Select the port number in the Rule Ports list and click Remove Port. The port number is deleted from the Port Numbers list.
4 Click Save to save the changes.
Note: When a new operating system signature is added, its name is listed under the
operating system names that can be selected for audit rules. Select the operating system
name, and define its audit rules.
To perform a scan on demand:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab (Figure 33).
2 In the OS page, select the Operating System to be scanned on demand from the Operating Systems list.
3 Click Scan Now to initiate the audit process.
8.2.2 Defining Audit Rules According to a Specific IP Address
Audit rules can be defined for specific IP addresses.
To add an audit rule for a specific IP address:
1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.
Figure 34: Servers Audit According to IP Addresses
2 In the Add Audit Rule area, enter the IP address for which the Audit rule is to be defined.
3 Enter the port number(s) in the Ports field (comma separated).
4 Click Add. The IP address and its specified network service audit rule are added to the Audit Rules list.
5 Click Save to save the changes.
To add a port definition for a specific IP address:
1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.
2 Select the IP address for which a port is to be added from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.
3 Click Add. The port number is added to the Rule Ports list.
4 Click Save to save the changes.
To remove a port definition:
1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.
2 Select the IP Address from which the port is to be removed from the list of Audit Rules.
3 Select the port number in the Rule Ports list and click Remove Port. The port number is deleted from the Port Numbers list.
4 Click Save to save the changes.
To perform a scan on demand:
1 In the Servers Audit tab of the Audit module, click IP to display the Servers Audit IP page. The Servers Audit rules for IP addresses are listed.
2 Select the IP Address to be scanned on demand.
3 Click Scan Now to initiate the audit process.
8.2.3 Defining Audit Rules According to IP Subnets
To add an audit rule for a specific IP Subnet:
1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit Subnet page. The Servers Audit rules for IP subnets are listed.
Figure 35: Audit Rules According to IP Subnets
2 In the Add Audit Rule area, enter the IP subnet address for which an Audit rule is to be defined.
3 Enter the port number(s) for the services to be audited in the Ports field (comma separated).
4 Click Add. The IP Subnet and its specified network service audit rule are added to the Audit Rules list.
5 Click Save to save the changes.
To add a port definition for an IP Subnet:
1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit Subnet page. The Servers Audit rules for IP subnets are listed.
2 Select the IP Subnet for which a port is to be added from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.
3 Click Add. The port number is added to the Rules Port list.
4 Click Save to save the changes.
To remove a port definition:
1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit IP page. The Servers Audit rules for IP subnets are listed.
2 Select the IP Subnet from which a port is to be removed from the list of Audit Rules.
3 Select the port number, by clicking it, in the Rule Ports list and click Remove. The port number is deleted from the Port Numbers list.
4 Click Save to save the changes.
To perform a scan on demand:
1 In the Servers Audit tab of the Audit module, click Subnet to display the Servers Audit IP page. The Servers Audit rules for IP subnets are listed.
2 Select the IP Subnet to be scanned on demand.
3 Click Scan Now to initiate the audit process.
8.2.4 Defining Audit Rules According to Hostnames
To add an audit rule for a specific Hostname:
1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.
Figure 36: Audit Rules According to Hostnames
2 In the Add Audit Rule field, insert the Hostname, and then enter the port number(s) for the services to be audited in the Ports field (comma separated).
3 Click Add. The Hostname and its specified network service audit rule are added to the Audit Rules list.
4 Click Save to save the changes.
To add a port definition for a Hostname:
1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.
2 Select the Hostname for which a port is to be added from the Audit Rules list, and enter the port number in the field immediately above the Rule Ports list.
3 Click Add. The port number is added to the Rules Port list.
4 Click Save to save the changes.
To remove a port definition:
1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.
2 Select the Hostname from which a port is to be removed from the list of Audit Rules.
3 Select the port number, by clicking it, in the Rule Ports list and click Remove. The port number is deleted from the Port Numbers list.
4 Click Save to save the changes.
To perform a scan on demand:
1 In the Servers Audit tab of the Audit module, click Hostnames to display the Servers Audit Hostname page. The Servers Audit rules for Hostnames are listed.
2 Select the IP Subnet to be scanned on demand.
3 Click Scan Now to initiate the audit process.
Note: Audit rules according to Hostnames execute only if the Insightix Discovery & NAC
Lite Edition discovers the hostname defined in the Audit rule.
8.2.5 Order of Audit Rules Execution
Server Audit Rules are executed in the following order:
1 Audit Rules for a Hostname
2 Audit Rules for an IP Address
3 Audit Rules for an IP Subnet
4 Audit Rules for an Operating System
8.2.6 Removing Audit Rules
Audit Rules can be completely removed. When an Audit Rule is removed, its corresponding network
service audit instructions are removed and are no longer audited by the system.
To remove an audit rule:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Servers Audit tab (Figure 33).
2 Select the relevant audit rules page, as required.
3 Select the audit rule to be removed in the Audit Rules list and click Remove Rule. The rule is removed from the Audit Rules list.
4 Click Save to save the changes.
8.3 Authorizing Devices
Relying on the real-time, complete and accurate discovery performed by the Insightix Discovery &
NAC Lite Edition, users with administrative privileges are able to designate which systems are
authorized to operate on their networks and which are not. This enables the Insightix Discovery &
NAC Lite Edition to identify in real-time the introduction of unauthorized elements to monitored
networks and immediately alert regarding their presence. The alert includes the exact location (the
switch and switch port to which the element is connected) of an unauthorized element.
Note: Only users with administrative privileges can authorize or unauthorize elements.
Devices are authorized in the Device Authorization tab of the Audit Module. Devices can be
authorized and unauthorized at any time.
Note: A device can also be authorized in the Properties tab of the Inventory module or by
right-clicking the device in the Main page of the Inventory module and selecting Authorize.
To authorize a device:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Device Authorization tab.
Note: For a description of the device parameters displayed in the Authorization tab,
refer to 5.5.1 Properties Tab.
Figure 37: Audit Module – Authorization Tab
Tip: Filter the displayed list of devices by entering a string that appears in any of the
element's defined properties by performing a search. Refer to 2.11 Searching the for
details.
2 In the A (authorization) column, select the checkbox for the device to be authorized.
Notes:
To select all of the devices on a page, select the checkbox in the A column.
A user may define actions using the Select Action dropdown list at the bottom of the
page.
3 Click Save to save the changes.
To unauthorize a device:
1 In the Device Authorization tab of the Audit module (Figure 37), clear the checkbox for the device to be unauthorized.
2 Click Save to save the changes.
8.3.1 Pre-Authorizing Devices
The MAC addresses of elements which have not been yet introduced to the network can be pre-
authorized, for example, devices prepared by the helpdesk.
To pre-authorize a device:
1 In the Device Authorization tab of the Audit module (Figure 37), enter the MAC address of the device to be pre-authorized in the Pre-Authorize MAC Address field.
2 Click Authorize to apply and save the changes.
Note: A pre-authorized MAC address appears in red in the Device Authorization tab of
the Audit module. It does not appear in the Inventory module.
To pre-authorize a list of devices:
1 In the Device Authorization tab of the Audit module (Figure 37), select Import from a file.
2 In the Choose file window, browse to and select the comma-delimited file containing the list of MAC addresses to be pre-authorized, and then click Open.
3 Click Upload to apply and save the changes.
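A pre-import check for the comma-delimited MAC list used in the procedure above, as an added example that is not part of the product. It normalises common MAC notations, drops duplicates, rejects malformed and multicast/broadcast addresses, and sets aside locally administered addresses for manual review. The single-line comma-separated output layout and all function names are assumptions.

```python
import re

# Accepted notations: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_SEPARATED = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
_BARE = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample input mixing notations, a duplicate and bad entries.
SAMPLE = (
    "00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e\n"
    "001a.2b3c.4d5f\n"
    "02:00:00:aa:bb:cc\n"
    "01:00:5e:00:00:fb\n"
    "ff:ff:ff:ff:ff:ff\n"
    "00:1A:2B:3C:4D\n"
)


def normalise_mac(raw):
    """Return the address as lower-case 'aa:bb:cc:dd:ee:ff' or raise ValueError."""
    text = raw.strip().lower()
    if not (_SEPARATED.match(text) or _DOTTED.match(text) or _BARE.match(text)):
        raise ValueError(f"malformed MAC address: {raw!r}")
    digits = re.sub(r"[:.\-]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def address_class(mac):
    """Classify by the two low-order bits of the first octet (I/G and U/L)."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return "group"      # multicast or broadcast, never a single device
    if first_octet & 0x02:
        return "local"      # locally administered: assigned in software
    return "universal"      # vendor-assigned (OUI-based) address


def prepare_preauth_list(text):
    """Split on commas and newlines, then sort entries into accepted/review/rejected."""
    accepted, review, rejected = [], [], []
    seen, duplicates = set(), 0
    for raw in re.split(r"[,\n]", text):
        if not raw.strip():
            continue
        try:
            mac = normalise_mac(raw)
        except ValueError:
            rejected.append((raw.strip(), "malformed"))
            continue
        if mac in seen:
            duplicates += 1
            continue
        seen.add(mac)
        kind = address_class(mac)
        if kind == "group":
            rejected.append((mac, "multicast or broadcast"))
        elif kind == "local":
            # Confirm the address is intentional before adding it to an allowlist.
            review.append(mac)
        else:
            accepted.append(mac)
    return {
        "accepted": accepted,
        "review": review,
        "rejected": rejected,
        "duplicates": duplicates,
        "csv": ",".join(accepted),   # assumed import layout: one comma-separated line
    }


if __name__ == "__main__":
    result = prepare_preauth_list(SAMPLE)
    print("import line :", result["csv"])
    print("needs review:", result["review"])
    print("rejected    :", result["rejected"])
    print("duplicates  :", result["duplicates"])
```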
To unauthorize a pre-authorized device:
1 In the Device Authorization tab of the Audit module, select the pre-authorized MAC addresses (marked with red) to be unauthorized by clearing the Authorized checkbox.
2 Click Save to apply.
Note: When un-authorizing a pre-authorized MAC address, the MAC address will no
longer be visible in the Device Authorization tab.
8.4 Microsoft Windows OS Auditing
The Insightix Discovery & NAC Lite Edition can be configured to determine:
• The Service Pack (SP) and patches (hot fixes) installed on elements running Microsoft Windows
operating systems
• The username of the user logged in to elements running Microsoft Windows operating systems
8.4.1 Prerequisites for the Microsoft Windows OS Auditing
In order for the Insightix Discovery & NAC Lite Edition to successfully audit a Microsoft Windows
operating system, the following pre-requisites need to be met:
• The Insightix Discovery & NAC Lite Edition must be configured with local administrative rights on
the remote machine and be able to log on to this machine remotely.
• File and Print Sharing must be enabled on the queried Microsoft Windows OS.
• The NetBIOS (TCP 139) port must be accessible on the remote machine.
• The queried Microsoft Windows machine must have the local Server service running.
• The remote machine must be running the Windows Remote Registry service.
Note: This feature does not execute automatically out-of-the-box. It must be enabled by a
user with administrative privileges and configured with the appropriate credentials in order to
run effectively.
8.4.2 Configuring Windows OS Auditing
To configure Windows OS auditing:
1 Select Audit in the Module Selection bar to display the Audit module. Then select the Windows OS Audit tab.
2 Click Configuration to display the Configuration page.
3 Select the Enable Windows Operating System Service Pack and Hotfixes Auditing checkbox and/or the Enable Username Auditing checkbox.
Figure 38: Audit Module – Windows OS Audit Tab (Configuration Page)
4 Set the frequency at which the auditing process is to be run by entering the required number
of minutes in the designated field. (The default setting is every 12 hours, and it applies only for the service pack and hotfix auditing.)
5 Configure the credentials auditing parameters as follows:
• Select Per Host Name (for a single element) or Per Domain (for all elements belonging to a specific Windows domain) from the Add Credentials for dropdown list.
• Enter the user name and password in the designated fields.
• If you are adding credentials for a Host name, enter the host name in the Name field. OR If you are adding credentials for a domain, enter the domain name in the Name field.
6 Click Add. The Host or Domain credentials are added to the Credentials list.
Note: To remove an entry from the Credentials list, select the entry in the list and click
Remove Selected.
8.4.3 Defining the Exclude List
The Exclude List contains the IP addresses and network subnets that are to be excluded from the
Microsoft Windows OS auditing process. The Windows OS Audit Exclude List is displayed in the
Exclude List page of the Windows OS Audit tab.
To define an Exclude List entry:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Windows OS Audit tab.
2 Click Exclude List to display the Windows OS Exclude List.
Figure 39: Audit Module – Windows OS Tab (Exclude List Page)
3 To exclude a single IP address, enter the IP address to be excluded in the empty cell above the IP Address column header. In the fields above the Network Mask column header, enter 255.255.255.255.
4 To exclude an IP subnet, enter the network IP address in the empty cell above the IP Address column header. In the fields above the Network Mask column header, enter the appropriate network mask of the IP subnet.
5 Click Add. The IP address or subnet is added to the Windows OS Audit Exclude list.
Note: To remove an entry from the Windows OS Audit Exclude List, select the entry in the list
and click Remove Selected.
8.4.4 Manually Initiating a Microsoft Windows OS Audit
To manually initiate a Windows OS audit:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Windows OS Audit tab. The Summary page of the Windows OS Audit is displayed. The summary page lists information regarding the status of the audit process, the statistics of a previous run, and the schedule of the next audit.
2 To run the Microsoft Windows OS audit process, click Discover. A progress bar is displayed in the window while the audit process is performed.
The audit process can be stopped at any time by clicking Cancel.
Figure 40: Audit Module – Windows OS Audit Tab (Summary Page)
8.5 Managing OS Signatures
To facilitate identification of operating systems running on the network that were not identified
out-of-the-box by the Insightix Discovery & NAC Lite Edition, a user with administrative privileges can
generate an OS signature, as described in Generating an OS Signature, page 44. Once a signature
is created, it can be used by the Insightix Discovery & NAC Lite Edition to identify any otherwise
unknown devices that match the new OS signature.
Existing OS Signatures are listed in the OS Signatures tab of the Audit module.
There are two types of operating system signatures:
• Global (denoted by the keyword Global), which applies to any element on the network which
may match the OS signature. A Global OS signature is created by selecting the Generate OS
Signature option from the Inventory module’s right-click menu.
• Specific (denoted by the MAC address of the element it was generated for), which matches only
the element it was created for. A specific OS signature is created by selecting the Tune
Parameters option from the Inventory module’s right-click menu.
8.5.1 Removing an OS Signature
Generated OS Signatures can be removed from the OS Signatures list.
Note: When you delete an OS Signature, the OS identification of any elements previously
identified using the deleted signature reverts to Unknown.
To remove a custom signature:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the OS Signature tab.
Figure 41: Audit Module – OS Signature Tab
If any OS Signatures have been created, they are listed in the OS Signature tab.
2 Select the OS Signature(s) to be removed and click Remove Selected. The Signatures are
removed from the list and the OS identification of any elements that matched the deleted OS Signatures reverts to Unknown.
3 Click Save to save the changes.
8.5.2 Restoring Factory Default Settings for OS Identification
A user can restore the default factory settings for the OS identification, thereby removing all
manually generated OS signatures.
Note: When you restore factory default settings, all generated signatures are erased. The OS
identification of any elements previously identified using the signatures reverts to Unknown.
To restore factory defaults:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the OS Signature tab.
2 Click Factory Defaults. The original system settings are restored and any custom signatures are erased.
8.5.3 Initiating the OS Identification Process against Elements with an Unidentified OS
When a new OS signature is generated, a user with administrator privileges must reinitiate an
operating system identification process against elements for which the OS has not been identified.
This enables the identification of some additional elements that may use the same operating system
as the new generated OS signature.
To initiate the OS identification process:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the OS Signature tab.
2 Click Reschedule. The Insightix Discovery & NAC Lite Edition initiates the OS identification process against elements with unknown operating systems.
8.6 Configuring Service Naming
A user can assign names to different network services according to TCP or UDP ports.
To add a service name:
1 Select Audit in the Module Selection bar to display the Audit module, and then select the Service Naming tab.
Figure 42: Audit Module – Service Naming Tab
The Service Naming tab lists the service names and ports according to the transport protocol type (TCP or UDP).
2 Select the required transport protocol type, TCP or UDP.
3 In the fields above the Service Names list, enter the port number and service name and click Add. The service name is added to the list.
4 Click Save.
To remove a service name:
1 In the Service Naming tab, select the service name to be removed and click Remove Selected.
2 Click Save.
To change an existing service name:
1 To change an existing service name from the list, enter the same port number and change the name in the Service Name field.
2 Click Add.
3 Click Save.
9 Reports Module
The Reports module enables a user to generate and view a wide range of predefined reports.
This chapter describes the different types of reports.
9.1 Report Types
The following types of reports are available:
• Inventory Reports
  • Executive Summary (Online devices only): Lists the total number of operating systems identified by the Insightix Discovery & NAC Lite Edition. The information is broken down into three separate tables. The first table lists the detected operating systems and their quantity, the second table lists the top-7 detected operating systems, and the last table lists the top-7 capabilities detected (i.e. the functionality of a device, such as a switch, router, or printer).
  • Device Summary: The report provides a complete list of all devices detected by the Insightix Discovery & NAC Lite Edition, with information similar to the information presented in the Inventory module. Information about each element includes its authorization state, its IP address, its operating system, its hostname (where applicable), its VLAN ID (if applicable), its MAC address, the vendor ID for the MAC address, and its location on the network (the switch IP and the exact port to which it is connected).
  • Devices without IP Addresses: Lists the devices found on the network which operate without IP addresses.
• Audit Reports
  • Network Services (Per Service): Lists the IP addresses running a specific network service, according to the network service. Report details include a service name, followed by a list of the elements on which the network service is found to operate. It is followed by the operating systems running on these elements.
  • Network Services (Per Element): Lists, per IP address, the network services operating on a specific IP address. Report details include entries according to an IP address, followed by its VLAN ID (if applicable), its operating system, its hostname (if applicable), its MAC address, its firewall state, and the list of network services found to operate on the element.
  • Microsoft Windows Operating System Auditing (Service Packs and Hot Fixes): Lists, for each Microsoft Windows operating system that the Insightix Discovery & NAC Lite Edition was able to query successfully, the installed operating system patches. Report details include VLAN, Host Name, MAC address, Operating system and the installed Hot Fixes (patches), according to the device’s IP address.
  • Firewalled Network Elements: Lists the network elements that have firewalls operating on them. Report details include the following device information: its authorization state, its IP address, its operating system, its hostname (where applicable), its VLAN ID (if applicable), its MAC address, the vendor ID for the MAC address, and its location on the network (the switch IP and the exact port to which it is connected).
  • Domain Elements: Lists the different Microsoft Windows domains detected to operate on the monitored networks and the elements that operate under them. The report is ordered according to a domain name, and the system(s) belonging to that domain. Device information includes the domain it belongs to, its Hostname, its Operating System, its VLAN ID (if applicable), its MAC address, the NIC vendor, the IP address of the element, and its connectivity location to the network (the exact switch and switch port to which it is connected).
• Security Reports
  • Authorized Devices: Lists the authorized network devices.
  • Unauthorized Devices: Lists the unauthorized network devices.
  • Authorization Scheme: Lists both authorized and unauthorized network devices.
• Topology Reports
  • Switch Connectivity: Per switch, lists the elements connected to that switch according to the switch port.
  • Physical Topology: Displays the physical network connectivity of the network. The report is a Microsoft Visio report, which may include routers, switches, hubs, and VMware guest machines.
  • Entire Layout: Displays the entire layout of the network topology. This is a Microsoft Visio report.
• Network Access Control Reports
  • Network Access Policy Violators: Displays a list of the elements that have violated the network access security policy.
  • Shutdown Switch Ports: Displays a list of the switch ports that have been shut down by the network access control module to prevent access by elements detected in violation of the network access security policy.
9.2 Viewing a Report
You can produce and view reports on demand.
To view a report:
1 Select Reports in the Module Selection bar to display the Reports module.
The available report types are listed according to category.
Figure 43: Reports Module
2 Select the radio button for the required report.
3 Select the elements to be included in the report from the Include dropdown list (all, online, offline), and then set the criterion for sorting the data in the report from the Sort Report by dropdown list.
Note: The options available in the Sort Report by dropdown list vary according to the
type of report.
4 Select the format of the report from the Report Format dropdown list.
Note: The options available in the Report Format dropdown list vary according to the
type of report.
5 Click Generate Report. The report is generated in an external window.
6 Save or export the file, as required.
Note: With the exception of topology reports, reports can be exported to .CSV or
HTML files. Topology reports are exported as Microsoft Visio Drawings.
10 Configuration Module
The Configuration module of the Insightix Discovery & NAC Lite Edition allows a user with
administrative privileges to configure certain aspects of the system's operation.
This chapter describes the procedures for configuring various aspects of the operation of the
Insightix Discovery & NAC Lite Edition, such as configuring information for the Topology module,
administrating users, tuning system parameters, changing the time and date, controlling the
system’s IP address, upgrading and downgrading the software, and software registration.
Note: The Configuration module is enabled only for those users who have been assigned
administrator privileges.
10.1 Topology Configuration
The Topology tab of the Configuration module enables users to view information regarding the last
run of the topology discovery process, initiate manual topology discovery, configure query
parameters for switches (such as the SNMP read-only community string to use), configure
information regarding out-of-band management networks (if applicable), and manually input the
physical geographical location of each switch port for the different switches operating on a network.
10.1.1 Topology Summary Page
To view the topology summary page:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed. By default the Summary page is displayed.
Figure 44: Configuration Module – Topology Tab (Summary page)
The Summary page displays the following topology discovery information:
• Status: The status of the physical network topology discovery process (either idle or running).
• Last Run: The day, date and time at which the last discovery process was run.
• Queried Switches (Last Run): The number of switches queried the last time the physical network topology discovery process was run.
• Next Scheduled Run: The day, date and time of the start of the next scheduled run.
10.1.2 Manually Initiating the Physical Network Topology Discovery
There are two options for manually initiating physical network topology discovery:
• Initiating a physical network topology discovery while ignoring any collected information
previously gathered about switches operating on the networks. Using this option, any suspected
switch and all unknown elements are queried with SNMP. Click Discover to manually initiate the
physical network topology discovery process. A progress bar is displayed in the window while
the discovery process is performed.
• Initiating a physical network topology discovery relying on previously collected information about
switches operating on the network. This option queries only pre-identified switches with SNMP.
If a new switch is added to the network, it will not be queried. Click Re-Discover to
manually initiate the physical network topology discovery process. A progress bar is displayed in
the window while the discovery process is performed.
10.1.3 Configuring Switches
In order for the Insightix Discovery & NAC Lite Edition to successfully discover the physical network
topology of monitored networks, it must have SNMP read access to switches operating on the
network.
The Switches tab of the Topology Configuration allows configuring various parameters essential
for the physical network topology discovery process:
• The default SNMP protocol version, and the exact SNMP read-only community string to use by
default when a switch is detected (can be more than one).
• Manually configuring the IP address, the SNMP protocol version, and the exact SNMP read-only
community string to use for switches not identified by the system.
• Changing the SNMP protocol version and/or the SNMP read-only community string to use when
querying a specific switch.
• Verifying that the information used to query a certain switch allows the
Insightix Discovery & NAC Lite Edition to collect the required information.
Note: Queried switches must comply with the SNMP RFCs and support MIB-II.
10.1.3.1 The Global Credentials Table
The Global Credentials table is used to configure the SNMP protocol version and community string
to use by default when a new switch is detected by the system. A user can configure more than a
single entry, as there may be multiple configurations and various SNMP protocol versions
configured, by default, across a network.
Global credentials entries are executed according to their location in the Global Credentials table. A
higher entry is used before a lower entry.
To add Global Credentials:
2 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
3 Choose the SNMP protocol version to use from the SNMP Version dropdown list, and enter the SNMP read-only community string to use in the Community String field.
4 Click Add.
5 Click Save to save the changes.
Note: By default, the system is configured to use SNMP protocol version 1, with public as
the default SNMP community string.
To remove Global Credentials:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
2 Select the global credentials entry to be removed and click Remove.
3 Click Save to save the changes.
To determine the order of Global Credentials entries:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
2 To change the order of the global credential, select the global credentials entry to be moved.
3 Click the up arrow or down arrow to change the location of the entry in the list, thereby changing the order of execution of the selected entry.
4 Click Save to save the changes.
10.1.3.2 Switch Configuration Table
The Switches table includes the IP address, the SNMP protocol version, and the SNMP read-only
community string of any switches automatically detected by the system or manually configured by
the user. It also includes the operating system of the switch, and indicates whether or not the switch
was successfully queried by the system the last time the Topology Discovery process was run. A
user can add an entry to the Switches table for any switch that was not identified by the system, and
can configure the SNMP protocol version and community string to use when querying the switch.
The default SNMP protocol version used by the system is version 1. The default SNMP read-only
community string used by the system is public.
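The sketch below is an added example, not Insightix code: it models how an ordered Global Credentials table and per-switch rows interact, and flags switches that still answer to the factory default. The fallback rule, the version label 2c, every address and community string, and the fake_snmp_get stand-in are assumptions or constructed values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Credential = Tuple[str, str]                    # (SNMP version, read-only community)
FACTORY_DEFAULT: Credential = ("1", "public")   # default stated in the manual


@dataclass
class QueryOutcome:
    switch_ip: str
    accepted: Optional[Credential] = None       # credential the switch answered to
    offered: List[Credential] = field(default_factory=list)  # everything sent, in order

    @property
    def unused(self) -> List[Credential]:
        """Credentials that were sent to the switch but did not work there."""
        return [c for c in self.offered if c != self.accepted]


def query_switch(ip: str,
                 global_table: List[Credential],
                 switch_table: Dict[str, Credential],
                 snmp_get: Callable[[str, str, str], bool]) -> QueryOutcome:
    """Try credentials for one switch and record what was sent.

    ASSUMPTION: a row in the Switches table is used on its own; a switch
    without a row gets the Global Credentials entries from the top down, and
    probing stops at the first entry that works.
    """
    candidates = [switch_table[ip]] if ip in switch_table else list(global_table)
    outcome = QueryOutcome(ip)
    for version, community in candidates:
        outcome.offered.append((version, community))
        if snmp_get(ip, version, community):
            outcome.accepted = (version, community)
            break
    return outcome


def audit(ips, global_table, switch_table, snmp_get) -> List[Tuple[str, str]]:
    """Return (switch IP, finding) pairs worth an administrator's attention."""
    findings = []
    for ip in ips:
        outcome = query_switch(ip, global_table, switch_table, snmp_get)
        if outcome.accepted is None:
            findings.append((ip, "no listed credential works"))
        elif outcome.accepted == FACTORY_DEFAULT:
            findings.append((ip, "answers to factory default v1/public"))
        if outcome.unused:
            # SNMP v1/v2c communities are sent unencrypted, so each unused
            # entry was exposed on the path to a device that had no use for it.
            findings.append((ip, f"{len(outcome.unused)} unused credential(s) sent"))
    return findings


# --- Constructed sample data (not from the manual) ---------------------------
GLOBAL_TABLE = [("2c", "example-ro"), FACTORY_DEFAULT]   # top row is tried first
SWITCH_TABLE = {"10.0.0.3": ("1", "example-lab-ro")}     # per-switch row
DEVICE_ACCEPTS = {                                       # what each fake switch answers to
    "10.0.0.1": {("2c", "example-ro")},
    "10.0.0.2": {FACTORY_DEFAULT},
    "10.0.0.3": {("1", "example-lab-ro")},
    "10.0.0.4": set(),
}


def fake_snmp_get(ip: str, version: str, community: str) -> bool:
    """Offline stand-in for an SNMP GET; True when the fake switch answers."""
    return (version, community) in DEVICE_ACCEPTS.get(ip, set())


if __name__ == "__main__":
    for ip, finding in audit(sorted(DEVICE_ACCEPTS), GLOBAL_TABLE,
                             SWITCH_TABLE, fake_snmp_get):
        print(ip, "-", finding)
```

A switch with its own row in the Switches table is offered only that credential, which is why 10.0.0.3 produces no finding while 10.0.0.2 and 10.0.0.4 do.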
To add a switch to the Switches Table or to change switch information:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
2 Click Switches to display the Switches page.
Figure 45: Configuration Module – Topology Tab (Switches Page)
3 To add an entry for a switch (or to change an existing entry):
• In the empty cells above the Switch IP Address header, enter the IP address of the switch.
• In the field above the Community String header, enter the SNMP read-only community string.
• Select the SNMP version from the adjacent dropdown list.
• Click Apply. The switch information is added.
• Click Save to save the changes.
To remove a switch from the Switches Table:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
2 Click Switches to display the Switches page.
3 Select the entry to be removed from the Switches Table and click Remove.
4 Click Save to save the changes.
Note: After a switch is added to the list of switches and the changes are saved, a Test button
appears. Clicking the Test button verifies whether the system can access the switch
using the credentials listed.
10.1.3.3 Manually Testing a Switch
For each switch entry in the Switch Table list there is a Test button, which can be used to verify
whether the system can access the listed switch using the credentials listed.
To manually test a switch:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
2 Click Switches to display the Switches page (Figure 45).
3 In the Switches table, click the Test button for the switch that is to be tested.
The Insightix Discovery & NAC Lite Edition probes the switch and an icon indicating the status of the test is displayed in the Test column as follows:
• A green icon indicates that the switch has been successfully queried and the SNMP credentials are correct.
• A green icon indicates that the switch has been successfully queried with the supplied SNMP community string credentials but that the necessary information for the physical network topology discovery process was not provided by the switch.
• A red icon indicates that the test has failed and that there is a problem with either the credentials listed for the switch or with access from the Insightix Discovery & NAC Lite Edition to the switch.
10.1.4 Configuring a Management Network
On some networks, switches are managed using a dedicated network called a management
network. In such a case, the information about the management network must be configured in the
Insightix Discovery & NAC Lite Edition in order for the topology discovery process to be successful.
To configure the management network IP address:
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration module is displayed.
2 Click Mgt Network to display the Management Network Configuration table.
Figure 46: Configuration Module – Topology Tab (Mgt. Network Page)
3 In the empty cells above the IP Address header, enter the IP address of the management network, as in the following example: If the management network subnet is 192.168.1.0/24, then enter 192.168.1.0.
4 Click Add. A Class C network is automatically added to the table.
5 Click Save to save the changes.
Note: To delete an entry in the Management Networks, select the checkbox for the row and
click Remove Selected.
10.1.5 Physical Geographical Location
The Location feature allows linking the physical geographical location of elements to their logical
location (i.e., the switch and switch ports to which they are connected).
The location information, which is manually provided by a user with administrative rights, is
correlated with the physical network topology discovery process (which uncovers the logical
relationships between elements and the switch and switch port to which they are connected) to
pinpoint the exact physical location of elements attached to the enterprise network in real-time.
To add the physical geographical location information description for a switch’s interface (i.e. port):
1 Select Configuration in the Module Selection bar. The Topology tab of the Configuration
module is displayed. Then select Location. The physical geographical location configuration page is then displayed.
2 Select from the drop down menu the switch IP address you wish to view. The switch port information is displayed according to its interfaces list.
3 Double-click the Physical Location field for the interface you wish to configure.
4 Insert the physical geographical location description for the interface.
5 Click Save to save the changes.
Figure 47: Configuration Location Information
10.2 Managing Users
A user with administrator privileges can add or remove Insightix Discovery & NAC Lite Edition
users.
To add a user:
1 In the Configuration module, select the User Admin tab. The User Admin tab is displayed.
Figure 48: Configuration Module – User Admin Tab
2 Enter a name for the user in the User Name field.
3 Enter the user's password in the Password field.
4 Select the required level of permissions from the Authorization Level dropdown list (User or Admin).
5 Click Add.
6 Click Save to save the changes.
Note: To remove a user, select the user in the Current User list and click Remove Selected.
10.3 Configuring System-Wide Parameters
The System Parameters tab of the Configuration module enables the configuration of various
parameters, which control different aspects of system behavior.
10.3.1 Configuring the Detection Level
The Detection Level configuration controls exceptions to the system's default detection level.
The following detection level configurations are supported by the system:
• Complete: Any active probing method can be used in order to collect information about an
element (if needed).
• Host Detection Only: The only active probing method to be used is the host detection method,
which ensures that the element is listed in the Inventory module. No other active probing is used.
Information is collected about the element using passive network discovery methods only.
• None: No active queries are performed against an element.
The default detection level of the Insightix Discovery & NAC Lite Edition is Complete.
To configure the system’s detection level:
1 Select Configuration in the Module Selection bar. In the Configuration module, select the System Parameters tab. The Detection Level page is displayed by default.
2 From the Generic Detection Level dropdown list, select the default system detection level (Complete, Host Detection Only, or None).
3 Click Save to save the changes.
Note: It is highly recommended that the system Detection Level be set to Complete. If
you select Host Detection Only, topology information will not be available and the quality
and completeness of data will be considerably diminished.
To configure an exception to the system’s detection level:
1 Select Configuration in the Module Selection bar. In the Configuration module, select the System Parameters tab. The Detection Level page is displayed by default.
Figure 49: Configuration Module – System Parameters Tab (Detection Level Page)
2 For a single IP address exception, enter the IP address for which an exception is to be added
in the empty cell above the IP Address column header. In the fields above the Network Mask column header, enter 255.255.255.255. Then select the detection level from the dropdown list above the Detection Level column header.
3 For an IP subnet exception, enter the network IP address of the IP subnet in the empty cell above the IP Address column header. In the fields above the Network Mask column header,
enter the appropriate network mask of the IP subnet. Then select the detection level from the dropdown list above the Detection Level column header.
4 Click Add to add the exception entry.
5 Click Save to save the changes.
Note: To delete an exception, select the checkbox for the row and click Remove
Selected.
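The IP Address / Network Mask rows used here for detection level exceptions, and in 8.4.3 for the Windows OS Audit Exclude List, can be checked offline before they are entered. The following is an added example, not part of the product: it validates rows, tests Exclude List membership, and resolves the detection level that applies to an address. The rule that the longest mask wins when rows overlap is an assumption (the manual does not state a precedence), and all addresses are constructed.

```python
import ipaddress

LEVELS = ("Complete", "Host Detection Only", "None")   # names used in the manual


def parse_row(ip, mask):
    """Convert an (IP Address, Network Mask) row to an ip_network.

    Raises ValueError for a non-contiguous mask, or when the address has host
    bits set under the mask (for example 192.168.1.5 with 255.255.255.0),
    which usually means a single host was intended (mask 255.255.255.255).
    """
    return ipaddress.ip_network(f"{ip}/{mask}", strict=True)


def validate_rows(rows):
    """Return (row_index, message) for every row that cannot be parsed."""
    problems = []
    for index, row in enumerate(rows):
        try:
            parse_row(row[0], row[1])
        except ValueError as exc:
            problems.append((index, str(exc)))
    return problems


def is_excluded(address, exclude_list):
    """True when address is covered by any row of an Exclude List."""
    addr = ipaddress.ip_address(address)
    return any(addr in parse_row(ip, mask) for ip, mask in exclude_list)


def effective_level(address, generic_level, exceptions):
    """Return (detection level, matching network or None) for one address.

    ASSUMPTION: when several exception rows cover the address, the row with
    the longest mask wins and ties go to the earlier row.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for ip, mask, level in exceptions:
        if level not in LEVELS:
            raise ValueError(f"unknown detection level: {level!r}")
        net = parse_row(ip, mask)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (level, net)
    return best if best is not None else (generic_level, None)


# --- Constructed sample rows (not from the manual) ---------------------------
EXCEPTIONS = [
    ("10.20.0.0", "255.255.0.0", "Host Detection Only"),   # whole site
    ("10.20.30.0", "255.255.255.0", "None"),               # fragile subnet
    ("10.20.30.40", "255.255.255.255", "Complete"),        # one host inside it
]
EXCLUDE_LIST = [
    ("172.16.5.9", "255.255.255.255"),   # single address
    ("172.16.8.0", "255.255.252.0"),     # 172.16.8.0 to 172.16.11.255
]
BAD_ROWS = [
    ("192.168.1.5", "255.255.255.0"),    # host bits set under the mask
    ("192.168.1.0", "255.255.255.0"),    # valid
    ("10.0.0.0", "255.0.255.0"),         # non-contiguous mask
]

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.30.41", "10.20.99.1", "192.168.1.1"):
        print(ip, effective_level(ip, "Complete", EXCEPTIONS))
    print(validate_rows(BAD_ROWS))
```

Every row that sets None or Host Detection Only reduces what the system can see for that range, so broad masks are worth reviewing against the addresses they actually cover.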
10.3.2 Configuring Real-Time System Parameters
The Real-Time system parameters are parameters that can be configured or reset during the
operation of the system, without the need to restart the Insightix Discovery & NAC Lite Edition.
To change the configuration of a real time system parameter:
1 In the System Parameters tab of the Configuration module, click Real Time. The Real Time page is displayed.
Figure 50: Configuration Module – System Parameters Tab (Real Time Page)
The default settings for each of the following discovery parameters are displayed as follows:
SYSTEM PARAMETER: DESCRIPTION
• Inactive Device Detection Cycle: The frequency (in minutes) at which the Insightix Discovery & NAC Lite Edition will scan known subnets for elements, which may not generate traffic. The default setting is 5 minutes.
• Active OS Detection initial start time: The number of minutes after a system startup before the Insightix Discovery & NAC Lite Edition initiates an active operating system detection for the first time. The default setting is 13 minutes.
• Active OS detection cycle: The frequency (in seconds) at which the Insightix Discovery & NAC Lite Edition reinitiates active operating system detection. The default setting is 10 minutes.
• Send SNMP Probes to Detected Switches Only: The parameter controls which elements are probed with SNMP when the topology discovery module is executed. The default setting is to query known switches and unknown elements (no). It is highly recommended not to change the default settings of this parameter.
• Device Detection Rate: The upper limit of the number of packets the system sends to the network. The default setting is 100 packets per second (pps). It is highly recommended not to change the default setting of this parameter.
• Check for inactivated IP each: The frequency at which the Insightix Discovery & NAC Lite Edition checks whether or not an IP address is still connected to the network if no passive network activity is observed.
• Time to preserve offline elements: The period of time that offline elements are kept in the Inventory module after they are disconnected from the network, after which the offline element is erased from the inventory. The parameter is measured in hours. The default setting is one week (24hr x7days = 168 hours).
• System Debug Level: The level of debug information the system produces. The default setting is 100.
2 Modify the frequency at which various functions are performed by entering the required value in the corresponding field and clicking the adjacent Set button.
Notes:
You must click the Set button for each parameter that you change.
To restore the factory default settings for specific parameters, select the relevant
checkbox(es) and click Reset Selected. The selected parameters are reset
accordingly.
To restore the factory default settings for all parameters, click Factory Defaults. The
values of all parameters are reset accordingly.
10.3.3 Configuring System Parameters (Requiring Restart)
The system parameters that require a restart are parameters that control various aspects of the
system’s operation. When the values of these parameters are changed, the system needs to be
restarted in order for the changes to take effect.
To change the configuration of a system parameter that requires a restart:
1 In the System Parameters tab of the Configuration module, click Restart. The Restart page is displayed.
Figure 51: Configuration Module – System Parameters Tab (Restart Page)
2 The default settings for each of the following discovery parameters are displayed as follows:
SYSTEM PARAMETER: DESCRIPTION
• Use complex switch heuristics for multi-IP addressed switches: Allows use of a topology discovery algorithm designed to operate against a switch with multiple IP addresses and multiple networking card configurations. The default value is no.
• Topology module new device rescan: The frequency at which the topology discovery process is refreshed when an indicator for a topology change has been observed. The default value is 5 minutes.
• Topology module initial start time: The number of minutes after the system startup before the topology discovery process is run for the first time. The default value is 23 minutes.
• Topology module complete rescan: The frequency at which the topology discovery is refreshed in its entirety. The default value is 3 hours.
• Topology module sleep time (in microsecond): The number of microseconds between each SNMP query sent by the Insightix Discovery & NAC Lite Edition. The default value is 1000 microseconds.
• Network interfaces to use in Passive monitoring: The network interface cards to be used in passive monitoring. The Insightix Discovery & NAC Lite Edition can receive passive network traffic by using multiple network interface cards. With the exception of eth1, any network interface card can be used to passively receive network traffic. Multiple NICs can be set by entering their values in the field, followed and separated only by commas, for example: eth0,eth2, Note: Do not insert spaces between the switch designations.
• Firewall detection initial start time: The number of minutes after the system startup before the Insightix Discovery & NAC Lite Edition detects elements with personal firewalls operating on the network. The default value is 10 minutes.
• Firewall detection cycle: The frequency (in hours) at which the Insightix Discovery & NAC Lite Edition will re-initiate the Firewall detection process for new elements not queried in a previous run. The default value is 1 hour.
• Active network service detection time: The number of minutes after the system startup before the Insightix Discovery & NAC Lite Edition discovers open running services on network elements. The default value is 33 minutes.
3 Modify the frequency at which various functions are performed by entering the required value
in the corresponding field and clicking the adjacent Set button. A popup window appears requesting that you restart the Insightix Discovery & NAC Lite Edition.
Notes:
You must click the Set button for each parameter that you change.
To restore the factory default settings for specific parameters, select the relevant
checkbox(es) and click Reset Selected. The selected parameters are reset
accordingly.
To restore the factory default settings for all parameters, click Factory Defaults. The
values of all parameters are reset accordingly.
To restart the Insightix Discovery & NAC Lite Edition:
• Windows 2003: Select Start > All Programs > Administrative Tools >
Services. Locate and right-click the Lite Collector process and select Restart.
• Windows XP: Right-click My Computer and select Manage. Open Services and
Applications and then select Services. Locate and right-click the Lite Collector
process and select Restart.
10.3.4 Configuring the Web Interface
A user with administrative privileges can configure the type of web access (HTTP or HTTPS) to be
used when accessing the Insightix Discovery & NAC Lite Edition.
To configure web access:
1 In the System Parameters tab of the Configuration module, click Management. The Management page is displayed.
Figure 52: Configuration Module – System Parameters Tab (Management Page)
2 In the Web Access Settings area, select the relevant access option and, optionally, specify the port number to be used for accessing the Insightix Discovery & NAC Lite Edition web interface:
• Use Regular HTTP
• Use SSL (HTTPS)
3 Click Save to save the changes.
To configure communications with an Insightix Management Center:
1 In the System Parameters tab of the Configuration module, click Management. The Management page is displayed.
2 To send information to an Insightix Management Center, select the Report to the Management Center checkbox.
3 Insert the IP address of the Insightix Management Center to communicate with.
4 Click Save to save the changes. Clicking Save initiates communication between the Insightix Discovery & NAC Lite Edition and the Insightix Management Center.
10.4 Configuring Time & Date
The time and date settings of the Insightix Discovery & NAC Lite Edition are maintained by the
Microsoft Windows-based operating system the application is hosted on. The Time & Date tab of the
configuration module displays only the information configured.
Figure 53: Configuration Module – Time & Date Tab
10.5 Network Configuration
10.5.1 Configuring the Insightix Discovery & NAC Lite Edition IP Address
The IP settings of the Insightix Discovery & NAC Lite Edition can be configured through the Microsoft
Windows-based operating system the application is hosted on. The Network tab of the configuration
module displays only the IP address configuration.
Figure 54: Configuration Module – Network Tab
10.5.2 Configuring DNS Resolution
The Insightix Discovery & NAC Lite Edition can be configured to resolve IP addresses to their
respective DNS names, if these exist.
To configure DNS resolution for the Insightix Discovery & NAC Lite Edition:
1 In the Configuration module, select the Network tab and then click DNS. The DNS Configuration page is then displayed.
2 Select Enable DNS resolution and enter the IP address of the DNS server to be used in the DNS Server fields.
3 Click Save to apply and save the configuration.
Figure 55: Configuration Module – Network Tab (DNS Configuration Page)
Note: A user with administrative privileges can test the DNS server settings by clicking on the
Test button.
10.6 Configuring Subnets
Insightix Discovery & NAC Lite Edition automatically detects and probes IP subnets, which it
detects by analyzing information coming to and from monitored networks. In addition, a user
can configure the system to routinely probe IP subnets whose traffic is not observed by the system
and which would otherwise not be subjected to active probing (information about the
elements residing on these networks would otherwise not be visible).
These IP subnets are called:
• Silent Local: If the Subnet’s IP addresses belong to the Subnet to which the Insightix Discovery
& NAC Lite Edition’s IP address belongs.
• Silent Remote: If the Subnet’s IP addresses do not belong to the Subnet to which the Insightix
Discovery & NAC Lite Edition’s IP address belongs.
Note: The only elements from a silent remote subnet that are represented in the Inventory
module are those which respond to SNMP queries sent by the system.
To configure a silent subnet:
1 In the Configuration module, select the Subnets tab. The Subnets tab is displayed.
Figure 56: Configuration Module – Subnets Tab
The detected subnets are listed in the Detected Subnets list.
2 To configure a silent local subnet, enter the IP address that represents the network IP address of the subnet in the field immediately above the Silent Local list and click Add. The subnet is added to the Silent Local list.
3 To configure a silent remote subnet, enter the IP address that represents the network IP
address of the subnet in the field immediately above the Silent Remote list and click Add (for example, for 192.168.1.0/24 enter 192.168.1.0). The subnet is added to the Silent Remote list.
4 Click Save to save the changes.
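The Silent Local / Silent Remote distinction and the network address to type into the field can be worked out before opening the Subnets tab. The following is an added example, not part of the Insightix manual or product; the function names, the collector address and the candidate subnets are constructed for illustration, and rejecting a range that only partly overlaps the collector's subnet is an assumption of this example.

```python
import ipaddress


def field_value(cidr):
    """Network IP address to type into the Subnets tab for a CIDR block.

    Host bits are cleared, so 192.168.1.37/24 yields 192.168.1.0.
    """
    return str(ipaddress.ip_network(cidr, strict=False).network_address)


def classify(collector_iface, cidr):
    """Return 'Silent Local' or 'Silent Remote' for a subnet to be probed."""
    own = ipaddress.ip_interface(collector_iface).network
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != own.version:
        raise ValueError(f"{cidr}: address family differs from the collector's")
    if net.subnet_of(own):
        return "Silent Local"
    if net.overlaps(own):
        # Assumption of this example: a range that contains the collector's
        # subnet plus other addresses fits neither definition, so reject it.
        raise ValueError(f"{cidr}: only partly inside {own}; split it first")
    return "Silent Remote"


def plan(collector_iface, cidrs):
    """Group the values to enter by target list; collect rejected input."""
    result = {"Silent Local": [], "Silent Remote": [], "rejected": []}
    for cidr in cidrs:
        try:
            target = classify(collector_iface, cidr)
            value = field_value(cidr)
        except ValueError as exc:
            result["rejected"].append((cidr, str(exc)))
            continue
        if value not in result[target]:
            result[target].append(value)
    return result


# Constructed sample data, not taken from the manual.
COLLECTOR = "192.168.1.10/24"
CANDIDATES = ["192.168.1.37/24", "10.20.30.40/24", "192.168.0.0/16", "not-a-subnet"]

if __name__ == "__main__":
    for name, values in plan(COLLECTOR, CANDIDATES).items():
        print(name, values)
```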
To remove a silent subnet:
1 In the Configuration module, select the Subnets tab. The Subnets tab is displayed (Figure 56).
2 Select the subnet to be removed from the Silent Local or Silent Remote list by clicking on the entry, and click Remove. The subnet is deleted from the respective list.
3 Click Save to save the changes.
10.7 Registering the Application
In order to continue using this application after the trial period has ended, you need to contact your
local reseller or Insightix customer support to obtain a valid registration
key.
A registration key cannot be issued without the Machine ID. A user with administrator privileges can
view the Machine ID in the Registration tab of the Configuration module. Note down the Machine ID
and include it when requesting a registration key.
To register the application:
1 In the Configuration module, select the Registration tab. The Registration tab is displayed.
If you are using a demo version of the application, the number of days remaining before the end of the trial period is listed.
2 In the Registration Key field, enter the registration number provided to you by Insightix or your local reseller.
3 Click Submit to complete the registration process.
Figure 57: Configuration Registration Page – After Registration
To register the application using a registration file:
1. In the Configuration module, select the Registration tab. The Registration tab is displayed.
2. Click Browse to select the location where your registration file is found.
3. Click Upload to upload the registration file information.
4. Click Submit to complete the registration process.
11 Taskbar Operations
The Insightix Discovery & NAC Lite Edition icon is displayed in the taskbar after successful
installation of the application. The following operations can be performed from the taskbar:
• Open Control Panel: Opens Microsoft Internet Explorer displaying the log in page of the
Insightix Discovery & NAC Lite Edition application.
• Select Interface: Selects the Network Interface Card (NIC) to be used with the Insightix Lite
Collector.
• Stop Collector: Stops the Insightix Lite Collector.
• Start Collector: Starts the Insightix Lite Collector.
• Restart Collector w/o Persistancy: Restarts the Insightix Discovery & NAC Lite Edition,
discarding any previously collected data.
• Quit: Stops the Insightix Lite Collector and quits the application.
Note: Stopping, starting, or quitting the Insightix Discovery & NAC Lite Edition application
does not affect whether the Insightix Discovery & NAC Lite Edition is automatically
started the next time the Microsoft Windows-based operating system it is installed on
is restarted.