NetSHIELD Branch PRO, NANO 100, NANO 254, NANO 25, Enterprise 100 User Manual

...
Nano 25/100
Branch Pro
Enterprise 10/100/250
MAY, 2017
TABLE OF CONTENTS
February, 2017
Setup
Connect appliance to the network and determine IP address
Using a Console Connection
LOGIN TO NETSHIELD IN A WEB BROWSER
Appliance Installation Wizard
License not activated
System Management
Rebooting NetSHIELD
Stopping Audits In-Process
Factory Reset
Reset Console Password
Enable SSH
Setting Up User Accounts
Understanding Relationships between User Types
Creating or Editing User Accounts
NetSHIELD Access Level
Deleting User Accounts
Coordinating User Accounts with Asset Tracker User List
Setting System Date/Time
Background Scans
Backup and Restore
Backup Now
Restore
System Statistics
Manage Server Certificate
Network Configuration
Multiple Network Interface Card (NIC) Support
Configuring NICs
Setting Up Network Access Control
Initial Asset Discovery
How SnoopWall NetSHIELD Generates the List of IP Addresses
Adding IP Addresses Manually
System Information Fields
List Categories
Determining Ping Response of Nodes on Subnet
Ping Latency Chart
Pinging Individual Assets
IP Categories
Managing Assets
Manage Assets Overview
Asset Summary Box
Pop-up Menu
Filter Panel
Deleting IP Addresses
Managing Asset Categories
Importing and Exporting Asset Lists
Exporting
Importing
Setting Up SmartSwitch Integration
Asset Detection and Vulnerability Quarantine™
NetShield Blocking
Enabling Manual NetSHIELD Blocking
Enabling Automatic NetSHIELD Blocking
Excluding Assets From NetSHIELD Blocking
Viewing Assets Blocked With NetSHIELD Blocking
Viewing NetSHIELD Blocking Logs
Immediately Blocking an Untrusted Asset
Enabling NetSHIELD UnBlocking Traffic
Enabling MAC Spoof Alerting
Enabling MAC Spoof Blocking
Viewing ADS Configuration Settings
Preparing Your Network for Asset Detection
Queuing Trusted Asset Scans
Disable ADS
Policy Manager
Configuring Inventory Alerts
Configuring Asset Tracker
Viewing Systems List (Asset List) in Asset Tracker
Viewing/Modifying/Adding Systems In The Asset Tracker
Editing/Adding System Information
Viewing Asset Report List
Adding User Information
Adding Software Information
Adding Peripheral Information
Associating Users, Software, & Peripherals With Systems
Associating Users with Systems
Associating Software with Systems
Associating Peripherals with Systems
Removing Assets from SnoopWall NetSHIELD
Malware detection system
overview
configuration malware detection
malware detection system
Managing Whitelist For Detected Malware IP Address(es)
Managing Manual Malware IP Addresses
Viewing Malware IP Address History
Viewing Malware Signature Update Schedule
Audits
Creating and Managing Audits
Running a One-Click Audit
Defining A New Audit
Assigning an Audit Name
Setting Vulnerability Threshold for Notification
Modifying Who Receives Reports
Scheduling Audits
Scheduling Backups and Audits
Setting Audit Frequency and Start Time
Choosing IP Addresses From List
Selecting/Grouping IP Addresses to Audit
Saving the Audit
Activating & Managing Audits
Scheduling an Audit to Run
Starting an Audit
Deactivating an Audit
Removing an Audit
Modifying an Existing Audit’s Definition
Copying an Audit to Create a Variation
Removing Systems/IP Addresses from an Audit
Viewing Lists of CVE Tests by OS and Application
Managing Known Missing Assets
Viewing SnoopWall NetSHIELD Schedule
Viewing the Monthly, Weekly, or Yearly Schedule
Viewing The Daily Schedule
Daily Schedule Details
Searching the Calendar
Opening Audit/Scheduling FAQ in the Calendar View
National Vulnerability Database
Managing In Process Audits
Reviewing Audits
Viewing Partial Reports
Generating and Viewing Asset Reports
Updates
Setting Up Automatic Vulnerability Updates
Retrieving SnoopWall NetSHIELD Service Packs/Version Updates
Service Pack Configuration
Malware threat feed update
License/Subscription updates
Configuring a Proxy for Service Pack and Vulnerability Updates
Command Center
Managing Appliances
Adding Managed Appliances
Edit Appliance Information
Removing Appliances
Adding/Managing Appliance Groups
Remote Operations
Command Center Syslog Messages
Configuring the Syslog Server
Clearing Command Center Alerts
Developing Corporate Policies
Understanding Regulations
Using The Basic Policy Builder
Modifying Policy Text
Revising Policy Document Status and Releasing Policy
Using The ISO 27001/17799 Policy Builder
Indicating Your Existing Security Status
Generating Draft Text for Your Security Policy
Reports Guide
Overview of Report Types and Content
Understanding SnoopWall NetSHIELD Report Types
CVE Information in Reports
Selecting Content Presented in Reports
Interpreting and Understanding Reports
Interpreting Complete Vulnerability Reports
Interpreting Vulnerability Descriptions
Interpreting Summary Reports
Remediation of Vulnerabilities in Reports
Custom Comments
Adding New Comments
Editing/Removing Existing Comments
Viewing Comments in Reports
Finding Automatic Reports for Dynamically Detected Devices
Removing a Report
Saving a Report to Disk
Creating Custom Reports Using Queries
Querying Reports Database
Printing Query Results
Generating Management and Executive Reports
Requirements for Executive/Management Reports
Generating Management Reports
Understanding Content of Management Reports
Generating Executive Reports
Understanding Content of Executive Reports
Working with Logs
Viewing Network Events Log
Viewing System Events Log
Log Reporting Wizard
Filtering
Generating PDFs
Saving Reports
Opening Reports
Sorting
Summary
Workflow/Remediation Requirements
Workflow Management System at a Glance
Progression of Job Status
Remediation of Vulnerabilities
Flagging False Positives
Workflow Setup/Remediation Steps
Who Should Learn about Vulnerability Remediation
Understanding Workflow and User Responsibilities
Progression of Job Status
IT Staff: Steps For Remediation of Vulnerabilities
Managing Remediation - Initial Setup
Managing Remediation - Responding to Events as Manager
Using Workflow in Vulnerability Remediation
Remediation Scheduling
How SnoopWall NetSHIELD Calculates/Sets Due Dates
The Workflow Ticket Log
Selecting and Assigning Jobs
Recognizing a Job Is On Hold
Viewing Logs of Assigned Jobs
Viewing Vulnerability Reports
Using Links in Reports
Researching CVEs and CANs
Updating Job Status
Updating Multiple IDs in a Single Job Ticket
Tagging a Vulnerability as a False Positive
Dealing with Escalated Jobs (Managers Only)
Viewing Escalated Jobs
Reassigning Jobs (Managers Only)
Viewing Job Logs of Specific Individuals (Managers Only)
Confirming False Positives (Managers Only)
Closing a Job (Managers Only)
Customer Service
System Guide
Ten Tara Boulevard, Suite 140 Copyright © 2017 SnoopWall, Inc. Nashua NH 03062 Page | 1
SETUP
Connect appliance to the network and determine IP address
1. Plug power cord into the power jack in the rear of the NetSHIELD appliance, and into a 3-prong grounded outlet.
2. Connect your local area network cable to the eth0 port on the NetSHIELD appliance. Network cable must be Type RJ-45, category 5 cable or higher.
3. Connect a monitor to the VGA port on the NetSHIELD appliance.
4. Connect a keyboard to the USB ports.
5. Boot the appliance by pushing the red Start button on the left side of the front panel.
6. The green Power light will come on. The yellow Disk Activity indicator will also flash.
7. The front panel lights (from right to left) are: Power, Hard Drive Activity, Network Activity 1, Network Activity 2, System Overheat.
8. The appliance will run through its startup, displaying its progress on the monitor. When it is finished, a screen like the following will appear.
NOTE: If you do not open the port on the Firewall, you cannot receive automatic vulnerability signature updates, malware updates, or SnoopWall NetSHIELD™ Service Packs.
9. Make a note of the DHCP-assigned IP address (https://XX.X.XX) you are given. The final number (443) is the port number.
Before you configure NetSHIELD™ software, open port 443 on your Firewall Server. This port must remain open while NetSHIELD™ is operating so that you can receive service packs, code updates, and updates to vulnerability tests from SnoopWall.
Using a Console Connection
To manually configure your appliance using a console connection, do the following:
1. The default console password is changeme. No characters will be displayed when entering the password.
2. The following screen appears:
The following functions can be performed from this screen:
<1> Network Configuration - Configure network settings for Eth0. A web browser is used to configure additional interfaces.
<2> Allowed Access Control - Modify the list of IP addresses that are allowed to access the user interface via a web browser.
<3> Disable ADS - Disable the Asset Detection engine on the NetSHIELD™.
<4> Disable NetSHIELD™ NAC Blocking - Disable NetSHIELD™ Blocking and stop blocking any assets currently being blocked.
<5> Reset Network Interfaces - Configuration for all interfaces except ETH0 will be cleared and the appliance will be rebooted.
<6> Change Console Password - You will be asked to provide the current password and confirm the new password. Please remember your password for future use.
<7> Reset MainAccount Password - Reset MainAccount password to changeme.
<8> Reboot - Restart the appliance.
<9> Shutdown - Power down the appliance.
<10> Factory settings - Return to factory preset settings.
<11> Enable SSH Login - Enables the ability to log in via SSH.
<12> Reset License - Reinstall the NetSHIELD™ license.
<13> Generate SSH Key - Create a one-time key to allow SSH login.
<14> Open Support Channel - Open the SSH connection for remote support.
<15> Close Support Channel - Close the SSH connection for remote support.
<16> Recreate Certificate - Recreate the self-signed certificate of the NetSHIELD™.
<17> Logout
LOGIN TO NETSHIELD IN A WEB BROWSER
To log in:
1. Open a secure browser window using https://<IP address of appliance>
For example, if the appliance has the IP address 192.168.254.159, enter:
https://192.168.254.159
2. If you changed the default port (443) in the installation process, add a colon followed by the new port number.
For example, if using port number 10000, enter the URL as https://192.168.254.159:10000.
If you see a Security Alert or other message from your system, click Continue to proceed with the login.
3. The login screen appears. Log in to the NetSHIELD appliance with the default credentials.
Username: MainAccount
Password: changeme
4. Click the Login button.
First time setup
Appliance Installation Wizard
The Appliance Installation Wizard will automatically launch. It consists of 8 tabs designed to get you up and running as quickly as possible. Note that the new tabs do not appear until the most recently presented tab is completed.
The 1st tab is the End Users License Agreement.
The 2nd tab is the MainAccount Password.
1. Fill in the default Login ID and Password.
2. Confirm the Password.
3. Click the Save button.
The 3rd tab is the Subscription Information tab.
1. Fill in all of the required information, indicated by (*).
2. Click the Save button.
The 4th tab is the Ethernet Port Configuration.
1. A picture of the possible Ethernet connections is displayed based on the appliance type. See the example below.
The 5th tab is the Network Configuration tab.
1. Make changes as necessary to the Network Configuration Data.
2. Click on Save.
3. Click the Next button to go to the next screen.
If you have changed the IP Address for Eth0 or the SSL port, the appliance server will be restarted. The Appliance Installation Wizard will attempt to reload itself. You may need to log in again, or prompt the browser to try the reload again. You will also need to confirm the certificate again.
The 6th tab is Notification Information.
1. Fill in the Required Information as indicated by the red (*).
2. Click Verify Mail Settings.
3. If the configuration is correct, a message box will appear, and the email address specified in the System Admin Email entry will receive a test message.
4. Click Save.
The 7th tab is Configure Multiple VLANs.
1. Select an Ethernet interface to configure from the NIC dropdown box.
2. Click the ( + ) button to add a VLAN entry for the current interface.
3. Enter the VLAN tag, the VLAN name, the subnet mask, and the IP address.
4. Repeat Steps 2 and 3 for each VLAN the appliance will use on the current interface.
5. Click Save to save the VLAN configuration.
6. Repeat Steps 1 thru 6 for each additional Interface required.
7. To Remove a VLAN entry, click the checkbox to the left side of the item.
8. Now click the ( – ) button.
The 8th tab is Initial Asset Discovery.
1. Click Refresh IPs to perform an initial asset discovery.
2. When complete, the Manage Assets page opens.
License not activated
If your license has not yet been activated, you will get the following message:
1. Click Continue.
2. Go to Updates > License/Subscription.
3. Enter the code sent to you by SnoopWall, or wait for automatic activation (usually overnight).
4. When the license is activated, you will see a screen similar to this:
SYSTEM MANAGEMENT
The System Menu gives you access to NetSHIELD system functions such as utilities, password changes, and setting the system date and time.
To access system utilities, select System > Utilities from the left menu.
Rebooting NetSHIELD
Restart SnoopWall NetSHIELD without losing any saved information.
Select System > Utilities from the left menu.
Click the Reboot button.
Confirm or cancel the reboot. If you proceed, the browser window displays the message Reboot in Progress.
Rebooting does not change the Scheduled or Inactive status of an audit profile. Any audits in process when the reboot occurs are not completed. You will receive a warning informing you that they are currently in process, will stop, and must be restarted later.
NOTE: Wait at least 2 minutes for the reboot to complete.
To shut down SnoopWall NetSHIELD:
Select System > Utilities from the left menu.
Click the Shutdown button.
You are asked to confirm or cancel the shutdown. If you proceed, the SnoopWall NetSHIELD operating system will shut down. Manually press the power button to power off.
To restart SnoopWall NetSHIELD, you must manually press the Power button on the appliance. Shutting down does not change the Scheduled or Inactive status of any audit. Any audits in process when the shutdown occurs will stop. You must restart them when SnoopWall NetSHIELD is powered up again.
Stopping Audits In-Process
To terminate audits currently running:
Select System > Utilities from the left menu.
(You can also halt an audit on the Manage Audits page by clicking the Stop button.)
Click the Stop All Audits button.
You are asked to confirm or cancel the action.
Any audits currently in process do not complete. You receive a warning saying in-process audits will stop and must be restarted later.
Any reports already generated remain on the system. You may still view them by selecting Reports > View Audit Results.
A halted audit does not run again until its next scheduled time. Halting all audits does not change their Scheduled or Inactive status.
To restart an audit sooner than the next scheduled time:
Select Audits > Manage Audits from the left menu.
Select the audit to open it in the Audit Wizard.
Click through Audit Wizard pages until you reach the screen with audit frequency settings. Set the Frequency of Audit to Now.
Click Next until you complete the Audit Wizard steps, and Save the audit.
When the Manage Audits page opens, click the Start button to begin the audit.
Factory Reset
To return SnoopWall NetSHIELD to the settings with which it was shipped, select System > Utilities from the left menu, and then click Factory Settings.
Important Note: Alerts should always be cleared from the command center following a factory reset on the client appliance.
Just as with the console factory reset, you will be given the option of retaining the Company Information, Notification Information, and the appliance name. All the asset information, categories, audits, reports, etc. will be deleted.
Reset Console Password
To reset the Console Password back to the original changeme, click the Reset Console Password button on the System > Utilities page.
Click Reset Console Password to confirm. Make sure you immediately log in as MainAccount and go to System > User Management to update the password.
Enable SSH
To enable SSH, select System > Utilities from the left menu.
Any manager-level user may perform this action.
SETTING UP USER ACCOUNTS
Create SnoopWall NetSHIELD user accounts on three levels (Manager, IT Staff, and NAC User) based on actions you wish the user to be allowed to take. The Main Account that comes with SnoopWall NetSHIELD is a Manager. Only a Manager user can create other users. All Manager accounts can create accounts for subordinate managers and IT staff, but the Main Account can create the entire structure of users if desired. NAC Users have Network Access Control functionality only – they can control setup and maintenance of SnoopWall NetSHIELD and systems to be audited, but are not involved in vulnerability remediation.
Understanding Relationships between User Types
Any manager may reassign a job to another IT User or Manager. If a job is not assigned and becomes escalated, all managers receive email about the job escalation.
IT Staff can view reports, but only Managers can create Executive/Manager reports or query the database through Reports > Query.
A summary of the actions each user type can take is listed in the following table.
Manager:
- All administrative tasks
- Add more users
- Access all levels of reporting
- Set person-hour allocations
- Reassign tasks
- Access all information in Workflow Management system
- Managers can perform all IT Staff functions.
IT Staff:
- Access Workflow to see open tickets/jobs
- Select jobs (assign to oneself)
- Access vulnerability reports
- Enter workflow comments on assigned jobs
- IT Staff can perform all NAC User functions.
NAC User:
- Access Network Access Control menu only
- Can perform NAC functions only – cannot access workflow
NOTE: As Main Account, you should create all top-level managers first. You may also create IT Staff accounts that work directly for you. You can delegate creation of remaining accounts in SnoopWall NetSHIELD. Any manager creating accounts should enter subordinate managers first, then IT staff users.
The Main Account is the only user who can change his/her own login ID. For all other users, the parent Manager must make that change. The currently logged in user can change his/her account, with the following restrictions:
A user may not change their own:
- Access level (from Manager to IT Staff or vice versa)
- Manager
- Login ID, unless you are Main Account
Creating or Editing User Accounts
To create or modify user accounts:
Select System > User Management from the left menu. A list of existing users appears (initially, only Main Account is shown).
Click the name of the user to edit, or click the Add User button to go to the User Account Wizard.
The SnoopWall Appliance Account User Name screen appears. (We suggest you add Managers first.)
Click the Select Existing User button to select a person already in the Asset Tracker database, or fill in the requested name fields.
Click Next to continue to the Appliance Access Level screen.
NetSHIELD Access Level
Enter Managers first, then IT Staff users, and finally NAC Users.
Enter requested information for Login ID, Access Level, First Name, Last Name, Select Title from the dropdown list, Manager, Email Address and Password with confirmation.
Deleting User Accounts
When users leave your organization, it is recommended you remove their access to NetSHIELD.
Select System > User Management from the left menu. A list of existing users appears.
Click the trash icon next to the user name and the row will highlight in pink. Click the Remove User button.
Coordinating User Accounts with Asset Tracker User List
When you create a SnoopWall NetSHIELD account for a user who is already in the Asset Tracker User List, NetSHIELD recognizes the user name and coordinates the information.
If you delete a user from the Asset Tracker User List, their NetSHIELD user account is also deleted.
However, if you delete a user account under User Management, the user remains in the Asset Tracker User List. Theoretically, the person could still be an employee but no longer have access to NetSHIELD.
SETTING SYSTEM DATE/TIME
Set the date and time the first time you log in to SnoopWall NetSHIELD.
Click System > Date and Time to set the date and time on your initial NetSHIELD use.
The Change Date screen appears. Enter the system date and time information. Click the Change button to put the new date and time into effect. Daylight savings time changes occur automatically.
Click Save.
BACKGROUND SCANS
To run a daily analysis of the asset inventory in the background to detect changes in the asset list, click System > Background Scans.
Enable background scans by clicking the button on the lower left. The button toggles to Disable Background Scans. Scans of all assets are queued and scanning begins at 10:00AM using the parameters indicated. When background scanning is disabled, any active scans are immediately terminated.
At the upper right are the 3 parameters that control background scanning. Maximum Active Analyses is the number of scans that can be running simultaneously. It has a range of 1-10. Timeout indicates the amount of time a scan will be allowed to run before it is forced to terminate. Its range is 1-10 minutes. Purge indicates how long the scan results will be kept in the database. Scan results may be kept for a maximum of 365 days. To view the scan results, go into the Asset Manager and use the mouse button menu for specific assets.
On the right is the list of active scans. You can force active scans to terminate by selecting one or more from the list and clicking the Kill Selected Scans button.
BACKUP AND RESTORE
You will want to back up and restore your SnoopWall NetSHIELD information regularly. SnoopWall NetSHIELD performs this function for you and sends it to the server of your choice on a periodic basis.
Select System > Backup and Restore from the left menu. Your settings, if any, are displayed on the Backup and Restore page.
Click the Change Backup Settings button to enter or revise your backup information. The Backup and Restore Settings page appears.
Select the Type of File Server from the pull down. You have two choices: Windows or Linux/Unix servers.
Fill in the requested technical information for your server.
Windows systems require a username and password for access. As soon as you select Windows, the form will change to include these fields.
Linux/Unix servers need a certificate to allow interaction with the Linux server.
Click the link at the top of the page (Important steps required for Linux servers to work), if necessary. This takes you to the Linux Certificate Instruction page.
Review the instructions and make the appropriate changes on your system. Click the Back button.
Select a frequency and time for backup in the Backup and Restore Settings box. You can schedule the backup to run Never, Monthly, Quarterly, Half Yearly, or Yearly, at a specific time of day.
Click Save to retain your settings or Cancel to delete the information. You return to the Backup and Restore page.
Backup Now
SnoopWall NetSHIELD creates a compressed backup file of Reports and Workflow, Audit Configurations, Asset Tracking Data, NetSHIELD Settings, and NetSHIELD Log(s) when you backup. The Backup Now feature provides on-demand backups.
Click Backup Now on the Backup and Restore page to start the backup process. This takes you to the System Backup page (shown below). You can proceed with the backup or cancel the operation at this point.
Click Backup Now to continue to the next screen.
Click the link in the message displayed to identify a destination for the backup file used for archival storage. This file may be used to restore the SnoopWall NetSHIELD appliance (or a replacement appliance) to the state at which the backup file was created.
NOTE: You cannot open the backup file. You can only save it to your local machine.
NOTE: Do not change the name of the backup file. Otherwise, it will be unrecognizable to SnoopWall NetSHIELD if you need to access it later.
NOTE: When you back up this file, remember the Login ID/passwords you use. You will need them if you must back up again later.
Click Delete Backup on SnoopWall Appliance and Proceed once the download completes.
NOTE: We suggest you delete the backup file from SnoopWall NetSHIELD to save valuable space.
Restore
Restore allows you to select a backup file and re-establish SnoopWall NetSHIELD appliance settings to their state at the time the backup was created.
NOTE: The version and patch state of SnoopWall NetSHIELD is not restored. Only the data and configuration information reverts to the former state.
Select System > Backup and Restore from the left menu. This takes you to the Backup and Restore page.
Click the Restore button. This takes you to the following screen.
Select the file from your system using the Browse button. Click Upload File Now. This takes you to the following screen.
NOTE: When you upload the new file, remember this process will stop all currently running audits.
NOTE: Be sure you keep track of all your Login IDs and passwords – new and old. Once this file is restored, all other versions are gone.
NOTE: Don’t forget – if you must restore this file from an older version, you will lose your most recent data. You might want to back up the current state before returning to the previous state.
SYSTEM STATISTICS
Check SnoopWall NetSHIELD System Statistics page if you’d like to know how much space is left on your system.
Select System > System Statistics from the left menu.
The System Statistics page displays a pie chart indicating the amount of hard disk space left on the system after SnoopWall NetSHIELD uses what it needs.
Users currently logged into the system are shown for each IP address.
All users have access to the statistics for their system(s), but only MainAccount can see all systems in use.
When the disk space usage is deemed critical (75%), SnoopWall NetSHIELD displays a scrolling warning at the bottom of the page.
MANAGE SERVER CERTIFICATE
The Certificate Manager, located under the System menu, enables you to create a Certificate Signing Request (CSR), and then install the signed certificate on your appliance. Certificate Signing Requests and the certificates themselves can also be deleted with this utility.
Launch the Certificate Manager. The form is auto-filled with any data available from Company Information, but you can edit it without affecting the stored Company Information.
Click the Generate button to create the CSR. You can copy and paste it, or download a file containing it for submission to the trusted Certificate Authority of your choice.
Once you receive your certificate, launch the Certificate Manager again. This time, the screen will enable you to upload the certificate, or delete the CSR you previously created.
Browse to the certificate file received from the Signing Authority and click upload. This will upload the file to the server and install it.
If, instead, you delete the Certificate Signing Request, you will return to the CSR entry form.
After installing a signed certificate, the Certificate Manager provides a delete button in the rare case where you might want to delete the signed certificate and revert to a default, self-signed certificate.
NETWORK CONFIGURATION
The network configuration information you enter controls how SnoopWall NetSHIELD accesses the network.
To set up your configuration:
Select System > Network Configuration from the left menu. The Network Configuration screen appears.
This application automatically turns off DHCP for the appliance. If you want the appliance to acquire its IP Address dynamically you must set that option on the console. SnoopWall strongly recommends a static IP address for the appliance.
The default gateway is display-only, but may be changed on the console if necessary.
Enter additional or new information if required and click Save to retain the settings.
With the exception of Eth0, it is possible to clear NICs. When another NIC such as Eth1 is selected, the button on the right is enabled and its text changes to specify the current NIC.
NOTE: For DHCP Environments, the IP Address, Subnet Mask, Default Gateway, and DNS Server settings were assigned automatically during your installation. You cannot change these values here. Host Name and SSL Port may be edited.
NOTE: SSL Port is typically 443. This is the default for https. If you use a different value, your URL will be slightly different.
MULTIPLE NETWORK INTERFACE CARD (NIC) SUPPORT
SnoopWall NetSHIELD supports multiple NICs for the purposes of both auditing and network access control. The NICs can be configured for completely separate VLANs or subnets, allowing NetSHIELD to monitor physically disconnected segments.
Most NetSHIELD operations will choose the appropriate NIC for the operation in the background. There are some areas where a NIC must be specified.
Important Note: While NetSHIELD supports multiple NICs, these NICs cannot be configured to reside on the same subnet or VLAN.
Configuring NICs
Select Network Configuration > Network Configuration from the left.
Select the appropriate NIC by selecting the interface from the pull-down menu.
Enter the configuration information for the NIC and click Save. Ensure that the IP ranges you enter do not intersect.
SETTING UP NETWORK ACCESS CONTROL
INITIAL ASSET DISCOVERY
Before NetSHIELD can check your assets, it must first find them on your network. To ensure NetSHIELD finds all assets, be sure all assets are powered on before you initiate the discovery process.
Select Network Access Control > Initial Asset Discovery from the left menu. This reveals one of two dialogs, depending on your network configuration. This one for a single NIC:
Or this one for multiple NICs or VLANs:
The only entries that can be changed are the IP Ranges. Any octet in the IP range may be changed as long as it doesn’t conflict with the subnet mask. Subnet masks are set in Network Configuration and VLAN Tag Configuration.
Subnets may be excluded from discovery by unchecking them.
Click the Refresh IPs button below the Find Network Assets box.
If asset detection is turned on, a confirmation box will appear warning that asset detection will be turned off and asking if you want to continue.
Refresh IPs directs SnoopWall NetSHIELD to examine the network and discover IP addresses of machines on the network, including routers, firewalls, printers, and other devices as well as desktops, workstations, and servers. Later, you can include these systems in audits.
After several seconds, the discovered assets begin appearing in a grid. Below that is the status of the discovery as IP addresses are probed.
You can wait for the refresh to complete or you can stop it in process by clicking the Halt Discovery button at any time. You are given the option of saving any assets discovered so far.
After the discovery process completes, or when you save a partial discovery, NetSHIELD takes you to the Manage Assets page. You can review your asset list there.
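The two constraints stated above (NICs must not share a subnet and their IP ranges must not intersect, and a discovery IP range must not conflict with its subnet mask) can be checked on paper before the values are typed into the appliance. The following is an added example, not part of the NetSHIELD product or manual; the plan layout, the addresses, and the treatment of each VLAN entry as its own subnet are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plans (hypothetical values, not taken from the manual).
# One entry per NIC or VLAN: appliance IP, subnet mask, discovery IP range.
BAD_PLAN = [
    {"nic": "eth0", "vlan": None, "ip": "192.168.254.159",
     "mask": "255.255.255.0", "range": ("192.168.254.1", "192.168.254.254")},
    {"nic": "eth1", "vlan": 20, "ip": "10.20.0.5",
     "mask": "255.255.0.0", "range": ("10.20.0.1", "10.20.3.254")},
    {"nic": "eth1", "vlan": 30, "ip": "10.20.30.5",
     "mask": "255.255.255.0", "range": ("10.20.30.1", "10.20.31.10")},
]

GOOD_PLAN = [
    {"nic": "eth0", "vlan": None, "ip": "192.168.254.159",
     "mask": "255.255.255.0", "range": ("192.168.254.1", "192.168.254.254")},
    {"nic": "eth1", "vlan": 20, "ip": "10.20.0.5",
     "mask": "255.255.255.0", "range": ("10.20.0.1", "10.20.0.254")},
    {"nic": "eth1", "vlan": 30, "ip": "10.20.30.5",
     "mask": "255.255.255.0", "range": ("10.20.30.1", "10.20.30.254")},
]


def label(entry):
    """Short name for an entry: 'eth0' or 'eth1.20' for a tagged VLAN."""
    if entry["vlan"] is None:
        return entry["nic"]
    return f"{entry['nic']}.{entry['vlan']}"


def check_plan(plan):
    """Return a list of problems found in the plan (empty list = consistent)."""
    problems = []
    subnets = []
    for entry in plan:
        name = label(entry)
        try:
            # Rejects malformed addresses and non-contiguous masks.
            iface = ipaddress.IPv4Interface(f"{entry['ip']}/{entry['mask']}")
            first, last = (ipaddress.IPv4Address(a) for a in entry["range"])
        except ValueError as exc:
            problems.append(f"{name}: invalid address or mask ({exc})")
            continue
        net = iface.network
        # The discovery range must stay inside the subnet the mask defines.
        if first > last:
            problems.append(
                f"{name}: discovery range start {first} is after end {last}")
        elif first not in net or last not in net:
            problems.append(
                f"{name}: discovery range {first}-{last} leaves subnet {net}")
        subnets.append((name, net))
    # No two interfaces or VLANs may sit on intersecting subnets.
    for (name_a, net_a), (name_b, net_b) in combinations(subnets, 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} ({net_a}) and {name_b} ({net_b}) overlap")
    return problems


if __name__ == "__main__":
    for title, plan in (("BAD_PLAN", BAD_PLAN), ("GOOD_PLAN", GOOD_PLAN)):
        found = check_plan(plan)
        print(title, "OK" if not found else "")
        for line in found:
            print("  -", line)
```
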
HOW SNOOPWALL NETSHIELD GENERATES THE LIST OF IP ADDRESSES
By default, if the discovery process finds any IPs that duplicate existing ones, the latest hostname and operating system overwrite the old ones.
NOTE: On some systems, the operating system IP Refresh finds may not be the one you entered when you added the IP address manually.
NOTE: Any IP address behind a Firewall could remain hidden from the IP Refresh operation and may not appear in the list. You should add any unfound addresses manually if you want them audited, or disable the Firewall and run the Asset Discovery again.
ADDING IP ADDRESSES MANUALLY
After you run an asset discovery process, you may want to manually add more IPs. You can manually add IP addresses by selecting Network Access Control > Add Assets. This takes you to the System Information screen.
The IP Address field is required.
If you are unsure of the MAC address, click the Detect MAC button after you enter the IP address. The MAC address may be filled in for you if the asset is online. If you have to add an asset manually because the Asset Discovery process failed to find it, the Detect MAC button will probably not find it either.
Host Name, Operating System, and Manufacturer may also be filled in automatically, depending on current information available for that IP Address.
Note: Required fields (marked with an asterisk) must contain information. After you add system data, check the System Information page again. The MAC Address, Host Name, Operating System, and Manufacturer may be filled in for you. We strongly recommend you only change the MAC Address and Host Name fields if it is absolutely necessary.
Fill in the remaining fields on the page. The table below gives an overview for each field.
System Information Fields
Field: Overview
IP Address (required): A standard IP address in ###.###.###.### format.
MAC Address: SnoopWall NetSHIELD may fill this field in for you. If you are unsure of the address, click the Detect MAC button.
Host Name: If you do not include the information, this field may be supplied by SnoopWall NetSHIELD.
Operating System: The software system used on the asset. SnoopWall NetSHIELD may complete this field for you.
Manufacturer: Name of company that produced the product.
Value: Monetary value of the asset. Choose from over 35 international currencies.
System Name: The name of the asset - not necessarily the host name. This name is for your own use. It allows you to identify the system. You can use alphabetic and numeric characters, hyphens, and underscores.
System Type: System type - such as Laptop, Desktop, Email Server, Wireless. Choose from 14 options such as Application Server, File Server, Router, etc. from the pull-down menu.
Serial Number: Alphabetic and numeric characters as well as hyphens are allowed.
Location: Description of the system location, such as building, wing, office area, lab, etc.
Data Outlet Number: The number of the line that plugs into the computer, such as A3.
Asset Notes: Anything you may wish to note about the asset that does not fall into the other fields provided.
Maintained by: Name of individual who maintains the system – such as the system administrator responsible for the asset’s subnet or the manager of the user’s group.
The four radio buttons at the bottom of the box allow you to place the asset into one of four categories. You can manage your assets more efficiently if you use specific classifications. List categories are defined below. More information is available in the IP Categories section that follows.
List Categories
List Category: Description
Untrust: Asset that has not been given permission to be on the network.
Trust and Audit-exempt: Known, clean asset that does not need to be scanned regularly.
Trust and Firewall/SmartSwitch safe: Known, clean asset that does not need to be blocked/quarantined at the Firewall or SmartSwitch.
Trust: Known, clean asset considered part of the company’s resources.
Click Add System below the System Information box to enter the asset into the database.
DETERMINING PING RESPONSE OF NODES ON SUBNET
PING LATENCY CHART
You can create a chart showing the ping results for all IP addresses displayed in your audit.
Select Network Access Control
The chart shows IP addresses and the number of milliseconds it took the node to respond to the ping. The bars compare the length of time for each node’s response.
Systems may not respond because they choose not to, are powered down or disconnected, or cannot respond in a timely manner.
Ping Latency Chart
To see if the patterns are persistent, click the Refresh button and update the data. Ping latency data is also available from the Audit Wizard page.
PINGING INDIVIDUAL ASSETS
You can also see the ping response for individual assets:
Select System Enter the IP address of the asset in the field provided and click Ping.
Another way to ping an individual asset is from the Asset Manager.
Click the second mouse button on any asset in the list, and select Ping from the pop-up menu.
Manual Ping
IP CATEGORIES
All system information discovered on the network is stored in SnoopWall NetSHIELD database. This data includes the MAC address and last known IP address for each individual asset, as well as the asset’s host name and operating system (if known or provided).
You may enter asset information from several places in SnoopWall NetSHIELD, including the Network Access Control > Add Assets page, or the Edit Asset feature which is available from both the Network Access Control > Manage Assets page and the Asset Tracker > Systems page. Assets can be assigned to one of the following lists:
Trust List
Untrust List
Audit-Exempt List
Firewall/SmartSwitch Safe List
There are three ways a Known Missing Asset may be rectified:
1. The new IP address is determined via Asset Discovery or Asset Detection
2. A user can manually enter the new IP address by editing the system information through the Asset Tracker > Systems page
3. The Asset Detection System discovers the new IP address
MANAGING ASSETS
The Asset Manager displays all the assets found via Initial Asset Discovery, Asset Detection, or entered via Add Assets. You can trust and untrust assets, delete them, assign categories, sort on any column, and filter the display to show a subset of assets. It includes a summary of the number of assets on the network and the number showing due to filtering. Nano appliances will show the Total Trusted Assets and the Trusted Asset Limit, while other appliances will show the number of Trusted Assets and Untrusted Assets.
MANAGE ASSETS OVERVIEW
The Asset Manager shows the current status of all the assets, as well as detailed information about each asset.
Select Network Access Control → Manage Assets. The Manage Assets page appears.
Click on the column headers to sort the grid on that column’s data. A second click on the same column header will reverse the sort order.
To move a column to another location, click on the column header and hold the mouse button down while moving it into the column data area. Quickly release and reclick the mouse. Move the mouse right and left. A new mouse cursor containing an arrow will indicate the new location for the column. Release the mouse button; the column will be moved to the indicated position. Multiple adjacent columns may be selected and moved at one time.
Move the mouse to the right-hand edge of any column header. The mouse cursor will change to indicate the column width may be changed. Click and move the mouse right and left to change the column width.
Column width and position preferences will be saved. Click the Reset Columns button to restore the default positions and widths.
Click the second mouse button over any item in the grid. A pop-up menu gives you a variety of actions that can be performed on one or more selected assets.
Clicking the checkbox next to one or more assets will allow you to use the Trust, Untrust, and Remove buttons on multiple assets at once.
Scrolling the asset grid right and left will reveal more columns, including category columns if you have defined any.
Use the slider in the Time Detected Filter to highlight assets that have been detected within a selected period via Asset Detection, a background scan, or background ping sweep. Assets that have not been detected within that period will be displayed in a lighter, italicized font. Every 10 minutes, each asset known to the appliance is pinged. If the asset ping was successful, the detection time is updated.
ASSET SUMMARY BOX
The Asset Summary Box shows a quick count of assets and their statuses.
• Total Assets: All unique assets including the appliance itself.
• Currently Showing: All assets including the appliance itself and any VLANs that haven’t been filtered out.
• Trusted Assets: All unique, trusted assets, not including appliance interfaces or appliance VLANs. Multi-IP assets will only be counted once.
• Untrusted Assets: Number of untrusted assets on the network.
• Trusted Asset Limit (Nanos only): Number of trusted assets the Nano will allow.
A reminder pop-up containing this information is displayed when you click within the Asset Summary box.
POP-UP MENU
A pop-up menu is available by hovering the mouse over any asset or selecting multiple assets, and clicking the 2nd mouse button.
The first item is either Trust or Untrust depending on the current status of the selected asset(s). If there are both trusted and untrusted assets on the list, the menu item will depend on the status of the first selected item. If its status is trusted, the menu item will be Untrust; if it is untrusted, the menu item will be Trust.
Block Now appears only when the asset detection system is running with manual blocking enabled. This allows you to instantly block any asset. To unblock it, select Trust. When automatic blocking is used instead of manual blocking, Block Now does not appear, but untrusting an asset in that case will block it.
Never Block allows you to add and remove assets from the Never-Block list. If the selected asset is currently on the list, the menu item changes to Remove from Never-Block List. The Never-Block list works on the asset’s MAC address, so the asset will never be blocked even if its IP address changes.
To determine if an asset is online, you can Ping it.
Analyze Asset Now is available only for single selections. It runs a scan on the selected asset and displays the results. The results of scans are stored for future reference and can be viewed via View Completed Analyses. (Use System → Background Scans to run periodic scans automatically.)
Only on those appliances that use an Active Domain server will View AD Login Records be available.
The 10-Day Forensics Report can be obtained for single or multiple assets. It is similar to the NetSHIELD IP History Report, but it uses the MAC address to select log records rather than the IP Address.
Select the menu item and the generated PDF will open in a new browser window (make sure pop-ups are enabled); the report will either contain the single MAC Address in the title with no MAC Address column, or the title will be Multiple-MAC 10-Day Forensics Report and the IPs Affected column will be included.
FILTER PANEL
The filter panel allows you to select criteria to show a limited set of assets in the grid. Click the Show Filters button to reveal it.
All the filters appear. You may select one or more items from each filter list except for the Asset Status, Trust Status, and Detected filters, which only allow one item to be selected. All the others allow multiple selections. Use the Ctrl key to click multiples.
Clicking multiple items within a list will display any assets that have any of the selected values for that column. Selecting from multiple filters will limit the asset list to items that meet the criteria for every filter. So if you choose Untrusted from the Trust Status filter, and then both Apple and Brother Industries from the Manufacturer Filter, only assets that are untrusted and are manufactured by either Apple or Brother Industries will be listed.
Click Apply Filters. The grid is updated to show only assets meeting the selected criteria.
Click Show Category Panel. The category panel appears. This panel looks similar to the filter panel, but it allows you to assign categories to assets.
Categories and their values are created using the Network Access Control → Manage Asset Categories application.
Select assets using the checkbox at the left. Select a single value from one or more categories and then click Apply Categories. Scrolling the asset grid to the far right will show the category value in the category column for the selected assets.
You can assign only one value from a particular category, but you may assign many categories at one time.
DELETING IP ADDRESSES
To delete individually selected IP addresses from the list of IPs, click the check boxes next to the IP addresses and then click the Remove Selected IPs button.
A confirmation dialog will ask you to confirm the deletion.
MANAGING ASSET CATEGORIES
This screen allows you to add categories and values for those categories. The categories can then be assigned to assets on the Manage Assets page where you can also filter the list of assets by category. The categories are added as new columns at the far right of the asset grid.
To indicate where the assets are located, create a category called Location with values like Nashua, Chicago, and Barstow. A category such as Equipment Type can contain values like Printer, Desktop, and Monitor. Create categories that will meet the needs of the organization.
Under the Categories list box, click the “+” button to get the Add Asset Category dialog. Enter the name for your new category and click Save.
The new category appears in the Categories list box. In the same fashion, use the “+” button beneath the Category Values list box to add some values for the new Category.
Deleting Categories and Category Values is done by highlighting the entry you wish to delete and clicking the “-” button beneath it. You will be asked to confirm the deletion. Deleting a category will also delete all the associated Category Values.
To modify a Category or Category Value, double click the item. The text will be selected and you will be able to change it. Hit Enter to indicate you are done.
Your categories will be available to assign to assets and to use for filtering on the Manage Assets page.
IMPORTING AND EXPORTING ASSET LISTS
You can import and export your asset lists to and from a spreadsheet using this option. It also allows you to assign categories to assets.
EXPORTING
Click the button labeled Export All Assets. A dialog will appear asking you to confirm that you wish to open exported_assets.csv, a comma separated value file. Clicking OK will launch Excel.
The first 8 columns of the exported CSV are always VLAN, IP Address, MAC Address, Trusted, Host Name, Operating System, Manufacturer, and AD User. There will be more than 8 columns if you have specified categories in the Manage Asset Categories application.
IMPORTING
Import uses a comma separated value (CSV) file. Using a spreadsheet containing the list of assets, create a copy and modify it to contain the same columns that appear in an exported asset list. Save it as a CSV file. You can also modify an asset list that you have exported and then import it back in.
Click the Browse button and locate your CSV file in the file browser. Click Upload. A message will appear in the Messages panel indicating whether the import was successful and how many records were imported. The first 8 columns of the CSV file must be the same as the export CSV file and in the same order. Columns beyond #8 may be category assignments you wish to make. At this time, matching categories and values must already be entered in the database using the Manage Asset Categories application.
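A pre-upload check for the import file described above, as an added example that is not part of NetSHIELD or of this manual. It assumes the first row of the CSV is a header naming the columns, that MAC addresses are hex pairs separated by ":" or "-", and that known_categories is a hand-kept copy of what is defined under Manage Asset Categories; the sample rows, including the Trusted values, are constructed.

```python
import csv
import io
import ipaddress
import re

# Column names and order as the manual lists them for exported_assets.csv.
REQUIRED_COLUMNS = ["VLAN", "IP Address", "MAC Address", "Trusted",
                    "Host Name", "Operating System", "Manufacturer", "AD User"]

# Assumption: MAC addresses are six hex pairs separated by ":" or "-".
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# Spreadsheet programs evaluate cells starting with these characters as formulas.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def check_import_csv(text, known_categories):
    """Return a list of (line_number, message) problems found in an import file.

    known_categories maps category name -> set of allowed values
    (hypothetical input mirroring Manage Asset Categories).
    """
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return [(1, "file is empty")]
    header = [h.strip() for h in header]

    if header[:8] != REQUIRED_COLUMNS:
        # Without the fixed columns in order, no later check is meaningful.
        return [(1, "first 8 columns must be: " + ", ".join(REQUIRED_COLUMNS))]

    category_cols = header[8:]
    for name in category_cols:
        if name not in known_categories:
            problems.append((1, f"category {name!r} is not defined"))

    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != len(header):
            problems.append((line, f"expected {len(header)} fields, got {len(row)}"))
            continue
        cells = [c.strip() for c in row]
        ip, mac = cells[1], cells[2]

        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((line, f"invalid IP address {ip!r}"))

        # Assumption: an empty MAC is allowed; a non-empty one must parse.
        if mac and not MAC_RE.match(mac):
            problems.append((line, f"invalid MAC address {mac!r}"))

        # Host names and similar fields come from the network, and the file is
        # opened in a spreadsheet, so flag cells that would run as formulas.
        for col, value in zip(header, cells):
            if value.startswith(FORMULA_PREFIXES):
                problems.append((line, f"{col} starts with a formula character: {value!r}"))

        # Category values must already exist before the import.
        for name, value in zip(category_cols, cells[8:]):
            allowed = known_categories.get(name)
            if value and allowed is not None and value not in allowed:
                problems.append((line, f"value {value!r} is not defined for category {name!r}"))
    return problems


# Constructed sample: row 3 has a bad IP, row 4 a formula-like host name
# and a Location value that has not been defined.
SAMPLE_CSV = """\
VLAN,IP Address,MAC Address,Trusted,Host Name,Operating System,Manufacturer,AD User,Location
1,192.168.1.10,00:11:22:33:44:55,Yes,printer-01,,Brother Industries,,Nashua
1,192.168.1.300,00:11:22:33:44:66,No,laptop-07,,Apple,,Chicago
1,192.168.1.12,00-11-22-33-44-77,No,=1+1,,Apple,,Boston
"""
KNOWN_CATEGORIES = {"Location": {"Nashua", "Chicago", "Barstow"}}

if __name__ == "__main__":
    for line, message in check_import_csv(SAMPLE_CSV, KNOWN_CATEGORIES):
        print(f"line {line}: {message}")
```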
SETTING UP SMARTSWITCH INTEGRATION
If you have smart switches on your network, SnoopWall NetSHIELD can disable the switch port or move a vulnerable system to a quarantine VLAN.
To set up the switches on SnoopWall NetSHIELD:
Select NAC Configuration → SmartSwitch Integration from the left menu. The SmartSwitch Integration page appears. The first step is to add switches.
Click the Add Switch button at the top of the page to open the SmartSwitch Information window.
Choose the SmartSwitch brand. The SmartSwitch Information window changes based on the brand you choose. All brands ask for:
• IP Address
• Location
• SmartSwitch Password
• Uplink Port Number
Remaining fields vary based on brand. See illustrations.
NOTE: Be sure the Uplink Port Number is correct or the integration will fail.
Fill in required and requested information for the selected switch brand.
Click Save to keep the data or Cancel to delete your entries.
ASSET DETECTION AND VULNERABILITY QUARANTINE
When a new device plugs into the network, SnoopWall NetSHIELD can dynamically detect its presence and immediately audit the device for vulnerabilities. You may set the levels at which you want to audit and the actions you wish it to take upon detecting vulnerabilities.
If SnoopWall NetSHIELD finds vulnerabilities on the device, it can send a message to the SmartSwitch to block traffic to and from the node.
You can also choose to never block particular IP addresses.
When a device is blocked, SnoopWall NetSHIELD sends an alert indicating blocked ports or IP addresses.
One-Click ADS Configuration
SnoopWall NetSHIELD supports One-Click ADS Configuration:
Select NAC Configuration → Asset Detection System from the left.
Select one of the predefined ADS configurations:
1) Detect Assets, Alert. Allow Manual Blocking With NetSHIELD Blocking.
2) Detect Assets, Alert and Block With NetSHIELD Blocking.
Click on Show Advanced and review the settings.
Click Save to save the settings.
If Asset Detection is currently disabled, click Enable Asset Detection System.
A few of the Advanced Asset Detection Options are discussed in more detail below:
Enabling NetBIOS Scans
NetBIOS Scans use the NetBIOS protocol to discover NetBIOS-enabled devices. Enabling this option will cause the appliance to use NetBIOS scans to scan assets for host names and MAC addresses during Asset Detection. You should choose to use NetBIOS scans if there is no DNS server available.
Click Enable NetBIOS Scans For Windows Host Names or Enable NetBIOS Scans For MAC Addresses.
Click Save to save the settings.
Enabling IP Detection via Packet Inspection
Packet Sniffing Ranges are defined based on the NetSHIELD configuration.
To change the range of IP addresses, enter the range of IP addresses the ADS should monitor via packet inspection. IP addresses within the range extracted from inspected packets will be handled by the ADS using current configuration settings.
One-Click Packet Sniffing Range Configuration
Select NAC Configuration → Asset Detection System from the left menu.
Click Auto-Fill Based On Appliance Address(es) below the Packet Sniffing Range.
Review the settings. Click Save to save the settings.
Important Note: Ranges will be based on IP address(es) assigned to the appliance network interface cards.
NetSHIELD Blocking
NetSHIELD Blocking works by blocking communication routes from Untrusted blocked assets.
Important Note: A full asset discovery should be run prior to enabling NetSHIELD Blocking. Assets within NetSHIELD Blocking Range will be blocked if they are Untrusted.
Important Note: Packet Sniffing and NetSHIELD Block Ranges will be based on IP address(es) assigned to the appliance network interface cards. The appliance asset list will be used for the protect range. All IP addresses contained in the asset list, trusted and Untrusted, will be protected from assets blocked with NetSHIELD blocking.
Enabling Manual NetSHIELD Blocking
Select option #1 from the One-Click Configuration options and enable asset detection. To block an asset, go to the Asset Manager and click the second mouse button over an asset listed in the grid, and choose Block Now from the pop-up menu.
Enabling Automatic NetSHIELD Blocking
Start by selecting option #2 from the One-Click Configuration options. Open the advanced settings and examine the following options.
Select the Enable NetSHIELD Blocking checkbox.
In the Block Range field, enter the range of IP addresses that the ADS will attempt to block using NetSHIELD blocking if an asset is Untrusted.
To have a range of IP Addresses created, click Auto-Fill Based On Appliance Address(es). To enter your own range, use a comma separated list of IP Address ranges.
In the Protect Range field, enter the range of IP addresses or click the Use Asset List For Protect Range checkbox.
Select the Enable NetSHIELD Check Alive checkbox to cause the ADS to periodically determine if the blocked asset exists on the network. If the blocked asset no longer exists, the blocking will be stopped.
Recommended Setting: Enabled
Select the Enable NetSHIELD UnBlocking Traffic checkbox to cause the ADS to send traffic which will attempt to immediately allow network access to an asset which is being unblocked.
Recommended Setting: Enabled
Click Save to save your settings.
EXCLUDING ASSETS FROM NETSHIELD BLOCKING
You can choose to have a predefined list of trusted assets that will never be blocked by NetSHIELD blocking.
Select Network Access Control → Never-Block List. All assets included in the list on the right will never be blocked by NetSHIELD Blocking.
You may add and remove assets to and from the list from this menu.
Click Save to save the list.
You can also put assets on the Never-Block list from the Asset Manager 2nd mouse button menu.
VIEWING ASSETS BLOCKED WITH NETSHIELD BLOCKING
At any time, you may view a list of all assets currently being blocked by NetSHIELD.
Select Network Access Control → NetSHIELD Blocking from the left menu to go directly to the NetSHIELD Blocking screen, which displays assets currently blocked with NetSHIELD Blocking.
Click Unblock to stop blocking the asset with NetSHIELD Blocking. Assets will also be marked as trusted when unblocked.
Blocked assets can also be viewed in the Asset Manager by selecting Blocked from the Trust Status filter in the Filter Panel.
Note: Marking an asset as Trusted also stops the asset from being blocked with NetSHIELD Blocking.
VIEWING NETSHIELD BLOCKING LOGS
To view logs of which assets NetSHIELD has blocked in the past, and when:
Select Logging → Network from the left menu to go to the Network Logging screen.
Select NetSHIELD Blocking Started.
Click Show Logs to view the log containing NetSHIELD Blocking started data.
Select NetSHIELD Blocking Stopped. Click Show Logs to view the log containing NetSHIELD Blocking stopped data.
For a more complete list, use the Log Reporting Wizard and choose both BlockNow Started and NAC Blocking Started from the Event filter.
IMMEDIATELY BLOCKING AN UNTRUSTED ASSET
Blocking an asset every time it attempts to connect to the system will depend on the settings selected in the Asset Detection System. Asset Detection must be running.
If option #1, Detect Assets, Alert. Allow Manual Blocking is selected:
Select Network Access Control → Manage Assets from the left menu to go directly to the Manage Assets screen.
Select Block Now from the Mouse Button 2 menu.
If option #2, Detect Assets, Alert and Block is selected:
Select Network Access Control → Manage Assets from the left menu to go directly to the Manage Assets screen.
Select the checkbox next to the asset to be Untrusted and click the Untrust button in the Asset Actions pane or select Untrust from the Mouse Button 2 menu.
Important Note: The asset marked as Untrusted must be online and within NetSHIELD Blocking Range for blocking to be initiated, otherwise it will be marked as untrusted and will be blocked when it comes online.
ENABLING NETSHIELD UNBLOCKING TRAFFIC
Unblocking traffic will be sent when a blocked asset is marked as trusted.
Select NAC Configuration → Asset Detection System from the left menu to go directly to the Asset Detection System configuration screen.
Select the Enable NetSHIELD UnBlocking Traffic checkbox.
ENABLING MAC SPOOF ALERTING
If MAC Spoof Alerting is enabled, NetSHIELD will send an alert when multiple IP addresses are detected for a single MAC address.
Select NAC Configuration → Asset Detection System from the left menu to go directly to the Asset Detection System configuration screen.
Select the Enable MAC Spoof Alerting checkbox.
ENABLING MAC SPOOF BLOCKING
If MAC Spoof Blocking is enabled, SnoopWall NetSHIELD will initiate NetSHIELD blocking when multiple IP addresses are detected for a single MAC address. All assets assigned to the single MAC address will be blocked.
Select NAC Configuration → Asset Detection System from the left menu to go directly to the Asset Detection System configuration screen.
Select the Enable MAC Spoof Blocking checkbox.
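The condition behind MAC Spoof Alerting and MAC Spoof Blocking, several IP addresses seen for one MAC address, sketched as an added example that is not NetSHIELD's own detection code. The 10-minute window, the allow-list for known multi-IP assets, and the (time, MAC, IP) observation format are assumptions; the sample observations are constructed.

```python
from collections import defaultdict


def normalise_mac(mac):
    """Compare MACs case-insensitively and regardless of ':' or '-' separators."""
    return mac.strip().lower().replace("-", ":")


def find_multi_ip_macs(observations, window_seconds=600, known_multi_ip=()):
    """Return alerts as (time, mac, sorted list of IPs).

    observations: iterable of (epoch_seconds, mac, ip) tuples, e.g. taken from
    ARP or ping-sweep results (hypothetical input format).
    window_seconds: how long an address counts as still in use after it was
    last seen (assumption).
    known_multi_ip: MACs of assets that legitimately hold several addresses.
    """
    allow = {normalise_mac(m) for m in known_multi_ip}
    last_seen = defaultdict(dict)  # mac -> {ip: time last observed}
    last_alerted = {}              # mac -> set of IPs already reported
    alerts = []

    for when, mac, ip in sorted(observations):
        mac = normalise_mac(mac)
        if mac in allow:
            continue
        seen = last_seen[mac]
        seen[ip] = when

        # Forget addresses that have gone quiet. An asset that simply moved to
        # a new address (for example a new DHCP lease) then holds one IP only.
        for stale in [a for a, t in seen.items() if when - t > window_seconds]:
            del seen[stale]

        active = frozenset(seen)
        if len(active) > 1:
            # Report each distinct set of addresses once, not on every packet.
            if active != last_alerted.get(mac):
                alerts.append((when, mac, sorted(active)))
            last_alerted[mac] = active
        else:
            last_alerted.pop(mac, None)
    return alerts


# Constructed observations (seconds since start, MAC, IP).
SAMPLE_OBSERVATIONS = [
    (0,    "00:11:22:33:44:55", "192.168.1.10"),  # laptop, first address
    (60,   "AA-BB-CC-00-00-01", "192.168.1.20"),
    (120,  "aa:bb:cc:00:00:01", "192.168.1.21"),  # same MAC, second IP: alert
    (130,  "aa:bb:cc:00:00:01", "192.168.1.20"),  # same pair again: no repeat
    (180,  "00:11:22:33:44:66", "192.168.1.30"),  # server with two addresses
    (200,  "00:11:22:33:44:66", "192.168.1.31"),
    (3600, "00:11:22:33:44:55", "192.168.1.15"),  # laptop moved: no alert
]

if __name__ == "__main__":
    for when, mac, ips in find_multi_ip_macs(
            SAMPLE_OBSERVATIONS, known_multi_ip={"00:11:22:33:44:66"}):
        print(f"t={when}s {mac} seen on {', '.join(ips)}")
```

Because blocking acts on every asset assigned to the MAC address, a run like this over existing inventory data shows which multi-IP assets would be affected before Enable MAC Spoof Blocking is selected.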
VIEWING ADS CONFIGURATION SETTINGS
To view the ADS configuration settings:
Select NAC Configuration → Asset Detection System from the left menu to go directly to the Asset Detection System configuration screen.
PREPARING YOUR NETWORK FOR ASSET DETECTION
Asset Detection discovers new devices (such as laptops or wireless routers) upon plug-in or connection to the network. When new assets are detected, you can choose to have NetSHIELD perform any of the following actions:
• Quarantine and notify appropriate personnel upon detection of an untrusted asset
• Send an email notification when a new system is detected
• Audit the new system immediately
• Block traffic to/from the new system at the SmartSwitch when vulnerabilities are detected.
  Note: For SmartSwitch blocking to take effect, you must set up an interface to the SmartSwitch.
• Block traffic at the port or IP address level
To create a protocol for SnoopWall NetSHIELD to follow upon discovering new assets, complete the following fields in the Asset Detection System window under NAC Configuration → Asset Detection System.
Enable Audit Upon Detection – SnoopWall NetSHIELD will audit assets upon discovery. Check the appropriate boxes to enable the audit For All Assets or just Untrusted assets. Enter the network address range(s) to define the detection level.
Enter distinct IP ranges separated by commas, as shown in the illustration.
Notify by Email – Provide email addresses for individuals who should be notified of detected assets. They will be notified in addition to the people you designated under Notifications in Setup.
You may also select the frequency at which you wish to receive Untrusted asset alerts. Click Save.
QUEUING TRUSTED ASSET SCANS
Select Queue Trusted Asset Scans When Thread Threshold Exceeded in order to queue scans of trusted assets. Scans will only be queued if the thread threshold is exceeded.
DISABLE ADS
To disable the Asset Detection System from the console select menu option #3:
Upon selecting this option, you will be asked to verify that you really wish to disable the ADS. Answering Y will disable the ADS and redisplay the menu.
POLICY MANAGER
Under the Network Access Control menu, there is a new item, Manage Policies, which allows you to set conditions for ensuring NetBIOS names don’t change.
To use the Policy Manager, define categories and assign category values to the assets. Click the Manage Categories button to link directly to the Category Manager to create categories and values; click Manage Assets to link to the Asset Manager to assign the category values to assets.
Once you have categories and assets assigned to those categories, you’re ready to create a policy. Think of it as a sentence: “Alert Only when assets with Category=Category Value have Hostname/MAC ID mismatch”.
The only Policy Actions currently available are Alert Only and Untrust. The only condition currently available is Hostname/MAC ID mismatch. The category and category value may be any that you have defined.
CONFIGURING INVENTORY ALERTS
When an asset is unresponsive, SnoopWall NetSHIELD highlights that system in the Systems (Asset) List on the Asset Tracker page and alerts the designated contact via email.
The Network Monitor engine monitors assets when Inventory Alerts is enabled and determines when a system is non-responsive. During normal business hours, the Network Monitor engine performs a simple ping test on each asset at preset intervals (every 1, 5, 10, 20, 30, or 60 minutes). If an asset does not respond, Network Monitor pings it again in 5 minutes. If the asset does not respond to the second ping, an email alert is sent to the designated contact and the asset is highlighted in red on the Asset Tracker → Systems page.
Set up Inventory Alerts for specific system groups. This allows you to more easily control the assets monitored and resources responsible.
To set up Inventory Alerts:
Select NAC Configuration → Inventory Alerts from the left menu.
The Inventory Alerts page appears.
Click the Create New Group button to add the first group of assets for monitoring. This takes you to the Inventory Alerts: Add Group page.
Type the Group Name in the box. We suggest you categorize systems in a meaningful way so they are easier to manage (e.g. Servers, Desktops, Sales Department, etc.).
Enter the Email Address(es) for the designated contact(s) separated by semi-colons. If no email address is specified, you are prompted to provide one.
Select times and Polling Interval.
• 24 hours – Choose this option if you want the alerts running all day.
• Start Time and End Time – Select times here if you want the alerts running within a specific time interval.
• Polling Interval – Select the interval most appropriate for your environment (every 1, 5, 10, 20, or 30 minutes; hourly, twice daily, or daily)
Click the Save button to retain your choices or Cancel to return to the Inventory Alerts page.
Your new group(s) appears in the list. Groups are listed in the order in which they were created. View the Group Name and Status here. Buttons on the right side allow you to Enable the alert or Remove each group from the list, as required.
CONFIGURING ASSET TRACKER
Complete an Initial Asset Discovery from Network Access Control on the left menu before you use Asset Tracker.
VIEWING SYSTEMS LIST (ASSET LIST) IN ASSET TRACKER
To display a list of current assets:
Select Asset Tracker → Systems in the left menu to open Asset Tracker.
The Asset Tracker: Systems page appears. The Systems List shows all systems (assets) on the network. These assets were either entered manually or discovered by SnoopWall NetSHIELD’s automatic discovery engine during the Asset Discovery process.
As the key indicates:
• A system highlighted in red is not accessible.
• You can click on a system name in the Host Name column to view details about that asset
• You can select a system’s IP address (in IP Address column) to find all reports with information about that system
VIEWING/MODIFYING/ADDING SYSTEMS IN THE ASSET TRACKER
Your assets are listed on the Asset Tracker → Systems page.
To view an existing asset in the list, click on its Host Name in the far left column. The Asset Tracker: System Information Overview display opens. Displayed is all known information about the system: its host name, IP address, MAC ID, etc.
SnoopWall NetSHIELD generates a link between the system information and reports generated by audits to assist you in tracking assets. The date and time (24 hour time is used) the asset was last audited is indicated near the bottom of the left-most column.
Associated Users is the last item in the first column. You may add users, peripherals, and software to the database and associate them with particular systems.
Editing/Adding System Information
You can edit existing system information or add new systems from Asset Tracker.
To edit an existing system:
Select Asset Tracker → Systems from the left menu.
Click the Host Name you wish to modify. The Asset Tracker: System Information Overview page appears.
Click the Edit button at the bottom of the page to reach the Asset Tracker: System Information page and make the necessary changes. Be sure to click Update System at the bottom of the page to save your revisions.
To add a new system:
Select Asset Tracker → Systems from the left menu.
Click the Add System button to the upper left of the Asset List. The Asset Tracker: System Information page appears. (You can also get to the Asset Tracker: System Information page by selecting Network Access Control → Add Assets.)
Fill in the requested data. For more information about these fields, see Adding IP Addresses Manually in the Setting Up Network Access Control section.
Click Add System to save your entry.
Note: Required fields (marked with an asterisk) must contain information. After you add system data, check the System Information page again. The MAC Address, Host Name, Operating System, and Manufacturer may be filled in for you. We strongly recommend you only change the MAC Address and Host Name fields if it is absolutely necessary.
After you modify the list in any way, you should see changes in the Systems List (Asset List).
NOTE: When generating report summaries on critical servers (in Executive and Management reports), SnoopWall NetSHIELD refers to systems with the word Server in the System Type field. If no systems are of type Server, SnoopWall NetSHIELD reports instead on most vulnerable systems under the heading Most Vulnerable Critical Servers.
Viewing Asset Report List
SnoopWall NetSHIELD generates a variety of reports you can use to more effectively manage your assets.
Select Asset Tracker → Systems from the left menu.
Click on the IP Address of interest. The Available Reports list for that IP address appears. See Overview of Report Types and Content for more information on reports.
Ten Tara Boulevard, Suite 140 Copyright © 2017 SnoopWall, Inc. Nashua NH 03062 Page | 56
Item
Guideline
First Name (Required)
Given name.
Middle Name
Not required. May be useful if you have more than one person with the same first and last name
Last Name (Required)
Family name.
Email Address (Required)
Must be a valid email address.
Security Level
Security level of user, up to 5 digits. This element is a custom designation for your network.
Title
User’s role.
Other Title
If you selected “Other” from the Title dropdown list, you may enter a title of your choice here.
Location
User’s location - building, wing, office area, lab, etc.
Business Unit
User’s department.
ADDING USER INFORMATION
You can add users on your network independent of an individual asset. Later, you may associate users with particular systems (see Associating Users, Software, & Peripherals With Systems). When you create user accounts under System  User Management, you may choose from users you have previously added here.
To add user information:
Select Asset Tracker
Users from the left menu.
The Asset Tracker: Users page displays with current individuals entered in the system.
Initially, this list is empty.
Click the Add User button to the upper left. The Add User dialog opens.
Enter the requested information. See the guidelines in the table below.
Ten Tara Boulevard, Suite 140 Copyright © 2017 SnoopWall, Inc. Nashua NH 03062 Page | 57
Phone
User’s phone number.
Item
Guideline
Software Name (Required)
Do not include the manufacturer’s name in the product name,
e.g., enter Office, not Microsoft Office.
Manufacturer
Enter the name of the software manufacturer without Corporation, Incorporated, or Inc. The manufacturer’s name is pre-appended to the product name.
When you complete all information about the new user, click Add User to save the data
and return to the Asset Tracker: Users page. As you add users, they are listed in
alphabetical order with their email addresses and security levels.
ADDING SOFTWARE INFORMATION
You can add software on your network independent of an asset. Later, you may associate software with particular systems (see Associating Users, Software, & Peripherals With Systems). To enter software:
Select Asset Tracker Software from the left menu.
The Asset Tracker: Software List displays. (Initially, this list is empty, as shown.)
Click the Add Software button to the left. The Add
Software dialog opens.
Enter requested data in the form. See Guidelines in
the table below.
Click the Add Software button at the bottom of the page when you finish entering software
data. This saves the information and returns you to the Asset Tracker: Software list.
Ten Tara Boulevard, Suite 140 Copyright © 2017 SnoopWall, Inc. Nashua NH 03062 Page | 58
Item | Guideline
Model (Required) | Alphabetic and numeric characters and hyphens allowed.
Manufacturer (Required) | Alphabetic and numeric characters and hyphens allowed.
Serial Number (Required) | Alphabetic and numeric characters and hyphens allowed.
Description | Enter up to 75 characters describing the peripheral. You may wish to include other relevant information, such as cartridge model numbers, year purchased, etc.
You can remove a software package from the list by clicking the check box to the left of its name, then clicking the Remove Selected button.
ADDING PERIPHERAL INFORMATION
You can add peripherals on your network independently of an asset and later link the equipment to particular system assets. This list helps you keep track of monitors, printers, and a variety of other important equipment that may or may not need to be audited, but nevertheless has value to the company. Later, you may associate peripherals with particular systems (see Associating Users, Software, & Peripherals With Systems).
To add information about peripherals on your network:
Select Asset Tracker → Peripherals from the left menu.
The Peripherals list displays. Initially, this list is empty, as shown below.
Click the Add Peripheral button to the upper left to open the Add Peripheral Device dialog.
Fill in requested peripheral data. Fields with an asterisk are required; others are optional. See Guidelines in the table below.
Click the Add Peripheral button at the bottom of the page to save peripheral data. This returns you to the Peripherals List.
Remove a peripheral from the list by clicking the check box to the left of its name, and then clicking the Remove Selected button.
ASSOCIATING USERS, SOFTWARE, & PERIPHERALS WITH SYSTEMS
Once you add users, software, and peripherals to your database, you can associate them with specific systems. Start at the Asset Tracker: Systems page to make these associations.
Click the Host Name of the target system. The Asset Tracker: System Information Overview page opens.
The Associate User, Associate Peripheral, and Associate Software buttons are at the top of the page. These functions allow you to make links with the selected Host Name.
ASSOCIATING USERS WITH SYSTEMS
Click the Associate User button on the Asset Tracker: System Information Overview. Lists of Unassociated and Associated Users appear.
Select users from the Unassociated Users list on the left and click the arrows in the middle to move them to the Associated Users list.
Click the Associate the User button below the box to complete the changes.
When the Asset Tracker: System Information Overview page redisplays, notice that the user(s) you selected now appear in the list of users associated with the system (bottom of first column).
You may associate as many users as required with any system.
ASSOCIATING SOFTWARE WITH SYSTEMS
Click the Associate Software button on the Asset Tracker: System Information Overview page shown above. Lists of Unassociated/Associated Software appear.
Select software from the Unassociated Software list on the left and click the arrows in the middle to move them to the Associated Software list.
Click the Associate the Software button below the box to complete the changes. When the Asset Tracker: System Information Overview page redisplays, notice the software you selected now appears in the list of software associated with the system.
You may associate as much software as required with any system.
ASSOCIATING PERIPHERALS WITH SYSTEMS
Click the Associate Peripherals button on the Asset Tracker: System Information Overview page shown above. Lists of Unassociated and Associated Peripherals appear.
Select peripherals from the Unassociated Peripherals list on the left and click the arrows in the middle to move them to the Associated Peripherals list.
Click the Associate the Peripheral button below the box to complete the changes. When the Asset Tracker: System Information Overview page redisplays, notice the peripheral(s) you selected now appear in the list of peripherals associated with the system.
You may associate as many peripherals as required with any system.
REMOVING ASSETS FROM SNOOPWALL NETSHIELD
To remove assets from all configured audits, the Asset Tracker Systems list, and the Asset Manager:
Select Asset Tracker → Systems from the left menu to open the Asset List.
Click the check box next to the host names you wish to remove from the list.
Click the Remove Selected button to the upper right of the list.
Confirm when prompted.
MALWARE DETECTION SYSTEM
OVERVIEW
In the event a network asset attempts to contact a known malware IP address, the administrator will be notified and the asset will be set as untrusted.
A block can occur depending on NetSHIELD™ Appliance settings. Blocked assets are indicated with a red background in the Asset Manager.
Note:
1. Agentless Malware Detection works in conjunction with the NetSHIELD™ Appliance Asset Detection System’s packet sniffing. Assets within the packet sniffing range will also be scanned for malware when malware detection is enabled. Assets not within the sniffing range will not be scanned for malware.
2. Agentless Malware Detection works in conjunction with the NetSHIELD™ Appliance Asset Detection System’s blocking capabilities. Assets within the NetSHIELD™ Block range will be blocked if they attempt to contact a malware IP address.
CONFIGURATION MALWARE DETECTION
NOTE: Eth1 must be connected and configured as a span or mirror port, or Malware Scanning will not stay on. The Asset Detection System must also be on.
1. Select NAC Configuration Malware Detection System from the menu.
2. The Malware Detection System screen opens up.
3. Ensure that the Malware Scanner is enabled.
4. If an Enable Malware Scanning message shows in the box at top left, click on it to enable scanning. The following message appears.
5. The Malware Scanner Control opens.
6. In the Malware Hosts List, Host History and Malware Hosts Detected are shown in the box on the left.
7. Click on a malware item and the Malware Hosts History appears in the box on the right.
Managing Whitelist For Detected Malware IP Address(es)
To add an IP address to the Whitelist:
1. Select a Malware IP from the Malware Hosts Detected list.
2. Click the Move to Whitelist button to add the IP address to the Malware IP Whitelist.
The IP address moves from the Malware Hosts Detected list (left side) to the Malware Hosts Whitelist (right side).
Note: Network assets that attempt to contact an IP address on the Whitelist will not be restricted, set as untrusted, or blocked.
To remove a malware IP address from the Whitelist:
1. Highlight it in the Whitelist.
2. Click the Move to Blacklist button and the item returns to the Malware Hosts Detected list.
NOTE: Specific domains can also be manually set to block or exclude, such as .ru, .cn or .ir.
The bottom frame of the Scanner contains a Malware Detection log.
Managing Manual Malware IP Addresses
1. Select Network Access Control → Malware Detection System from the menu.
2. Enter the IP address in the Manual Malware Host List field.
3. Enter a description in the Manual Malware Host List Description field.
4. Click the Add button.
To remove an IP address manually, click the Remove button and the IP address will be removed from the list.
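The rules this chapter states (an asset is set as untrusted on contact with a known malware IP, a block depends on settings and block range, whitelisted IPs are exempt, and only assets in sniffing range are scanned) are modelled below in Python. This is an added example, not NetSHIELD code; the class, field names, addresses, and the assumption that the whitelist also takes precedence over manually added hosts are hypothetical.

```python
# Added illustration: models the rules the manual states for the Malware
# Detection System. Not NetSHIELD code; every name and value is hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class MalwarePolicy:
    threat_feed: set        # malware IPs from the threat feed (constructed)
    manual_hosts: dict      # manually added malware IP -> description
    whitelist: set          # IPs moved to the Malware Hosts Whitelist
    sniff_range: list       # networks the span/mirror port can see
    block_range: list       # networks in which the appliance can block
    blocking_enabled: bool = True   # "a block can occur depending on settings"
    untrusted: set = field(default_factory=set)

    @staticmethod
    def _within(ip, networks):
        return any(ip_address(ip) in ip_network(net) for net in networks)

    def evaluate(self, asset_ip, dest_ip):
        """Return the outcome for one observed connection."""
        if not self._within(asset_ip, self.sniff_range):
            return "not-scanned"        # outside sniffing range: never inspected
        if dest_ip in self.whitelist:
            return "allowed"            # whitelist suppresses every action
        if dest_ip not in self.threat_feed and dest_ip not in self.manual_hosts:
            return "allowed"            # destination is not a known malware IP
        self.untrusted.add(asset_ip)    # admin is notified, asset set as untrusted
        if self.blocking_enabled and self._within(asset_ip, self.block_range):
            return "blocked"
        return "untrusted"

    def silenced_by_whitelist(self):
        """Known malware IPs whose detections the whitelist currently hides."""
        known = self.threat_feed | set(self.manual_hosts)
        return sorted(known & self.whitelist)


def sample_policy():
    # Constructed data using documentation and private address ranges.
    return MalwarePolicy(
        threat_feed={"203.0.113.10", "203.0.113.20"},
        manual_hosts={"198.51.100.7": "added by hand after an incident"},
        whitelist={"203.0.113.20"},
        sniff_range=["10.0.1.0/24", "10.0.2.0/24"],
        block_range=["10.0.1.0/24"],
    )


# Constructed (asset, destination) pairs, one per rule in the chapter.
SAMPLE_FLOWS = [
    ("10.0.1.5", "203.0.113.10"),   # feed hit, asset inside block range
    ("10.0.2.8", "203.0.113.10"),   # feed hit, asset outside block range
    ("10.0.1.6", "203.0.113.20"),   # feed hit, but destination is whitelisted
    ("10.0.1.7", "198.51.100.7"),   # manual malware host list hit
    ("10.0.9.9", "203.0.113.10"),   # asset outside sniffing range
    ("10.0.1.5", "192.0.2.80"),     # destination not listed anywhere
]


def run_sample():
    policy = sample_policy()
    results = [(a, d, policy.evaluate(a, d)) for a, d in SAMPLE_FLOWS]
    return results, policy


if __name__ == "__main__":
    results, policy = run_sample()
    for asset, dest, outcome in results:
        print(f"{asset:10} -> {dest:14} {outcome}")
    print("untrusted assets:", sorted(policy.untrusted))
    print("detections hidden by whitelist:", policy.silenced_by_whitelist())
```

Reviewing the output of silenced_by_whitelist() periodically shows which known malware addresses no longer generate notifications because of a whitelist entry.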
Viewing Malware IP Address History
1. Select NAC Configuration Malware Detection System.
2. Select a Malware IP from the Malware Hosts Detected list.
The Date, Time, and Event Type are listed for the IP address selected.
Viewing Malware Signature Update Schedule
To check when malware signatures were last updated, select Updates → Malware Threat Feed from the menu.
AUDITS
CREATING AND MANAGING AUDITS
The first step to managing audits is to define a series of audits and save them. Later, as required, you activate each audit.
To define an audit, specify the timing and IP scope. Once you define an audit, either run it immediately or schedule the audit and wait for NetSHIELD to run it as specified.
RUNNING A ONE-CLICK AUDIT
To audit a single IP address in a hurry:
Select Audits → One-Click Audit from the left menu. The One-Click Audit Wizard appears with the Audit Now box.
Enter the desired IP address (#.#.#.# format) and click Audit Now.
If NetSHIELD has trouble finding a system with that IP address, it pops up another box asking you to confirm the IP address. If it is correct, click the Continue button to proceed.
As soon as the audit starts, the Reports page pops up:
Click on the Quick Audit entry to get more detail on the audit. (Shown below.)
The name of the Report entry starts with Quick_audit, the IP address, the date, and the time.
The audit is automatically a Full audit. When the report is complete, you will see an S in the Summary column and a C in the Complete column. In the meantime, you will see the count of vulnerabilities found so far.
Select Reports → View Audit Results from the left menu if you want to leave this page and return to it in a few minutes.
For more information on reports, including how to add custom comments, identify and hide false positives, and restrict the content you view to selected levels of vulnerabilities, refer to the chapter on Working with Vulnerability Reports, Logs & Utilities.
To see how vulnerabilities in reports are assigned to IT staff for remediation, refer to the chapter on Understanding Workflow and User Responsibilities.
DEFINING A NEW AUDIT
To create a new audit description (also called an audit definition):
Click Audits → Audit Wizard from the left menu.
The Audit Wizard appears. Audit Name and Notification Information are on the first page.
Assigning an Audit Name
Enter the name of the new audit definition in the Audit Name field. The name must be one word and may consist of up to 30 letters, numbers, underscores, hyphens, and spaces, as well as pound signs (#), ampersands (&), and single quotes ( ‘ ).
We recommend using the name of the department to which the machines belong as the audit name. This naming convention assists varied audit report users in understanding report contents without opening and studying the report. The name must be unique to the particular audit.
NOTE: It’s a good idea to name audits based on the department performing the audits. Later, all reports from that source have the same name. When managers/executives create reports, they choose from a list of audits from which to cull information. If reports have the department name, they can readily select those of interest.
Setting Vulnerability Threshold for Notification
Click an option to indicate the level of vulnerability required for NetSHIELD to send a notification. See Guidelines in the table below.
Item | Guideline
Any | Any vulnerability, however minor.
Medium | At least one medium level vulnerability, as indicated in the table of Vulnerability Levels Definitions (see below).
High | At least one high level vulnerability.
Serious | Only when a serious level of vulnerability occurs.
Modifying Who Receives Reports
Fill in the notification field with appropriate email addresses:
Email - add email addresses separated by commas or semi-colons, up to a 100 character limit.
SNMP Server and Syslog Server - when checked, information about a completed audit will be sent to either the SNMP or Syslog server, provided you have configured these for use. Messages will contain the number and level of vulnerabilities found at each IP address.
Check the Attach Summary report to email notification box if you want a Summary Report included with the notification.
Click Next to proceed to the second page of the Audit Wizard. You will be prompted for any missing information before you can proceed.
Select an Audit Mode to define the audit scope. You may choose between Full, Differential, Incremental, and Top 20 audits.
The first time you audit your network, you should run a Full audit. Later, you can edit the audit definition to make it Differential, but be sure to save it with the same audit name. Otherwise, if you create a new audit definition with a different name and make it Differential, it runs a Full audit the first time and subsequently runs a Differential audit. (See Modifying an Existing Audit’s Definition.)
NOTE: Since a Differential audit performs a full audit the first time, we suggest you run Differential audits from the start, rather than change them later.
If you want to run only new vulnerability tests on a machine or group of machines, use the Incremental option. Incremental never runs a Full audit. SnoopWall NetSHIELD keeps track of tests run on any given IP address, and runs only those not run before. Incremental audits, therefore, run more quickly and save time.
SCHEDULING AUDITS
Before you take the next step in the Audit Wizard, you need to think about logistics of scheduling your audits and all related issues in your particular work environment.
The following sections include Scheduling Audits and Setting Audit Frequency and Start Time. This information should help you decide appropriate settings for your company.
Take several factors into consideration when determining an audit schedule.
SCHEDULING BACKUPS AND AUDITS
Do not overlap your backup schedule with the audit schedule. To avoid overlap, be aware of how long the audit may take. Refer to Estimating Audit Length. As a precaution, if you know how long your backup usually takes, schedule it to run first and schedule audits after you expect the backup to be complete.
Setting Audit Frequency and Start Time
The third page of the Audit Wizard allows you to set audit frequency and timing.
The Frequency of Audit and Start Time fields indicate when and how often this audit runs once it is started from the Audits: Manage page.
Set Frequency of Audit to one of the settings shown. See setting descriptions in the table below.
Setting | Description
Now | Runs the audit as soon as it is activated. (Audit automatically returns to Inactive setting after completion).
Daily | Runs the audit at the same time each day. Use the pull down menus in the Start Time fields to specify the time of day to begin the test. Any Day of Week you set is ignored. Once activated, the audit runs every day at the specified time.
Weekly | Runs the audit at the same time each week as soon as it is activated. Use the pull downs to select the Start Time and Day of Week. Once activated, the audit runs every week at the specified time.
Monthly | Runs the audit every month on the Day of Week and at the Start Time you select as soon as it is activated. For example, if you select Monday, the test will run on the next Monday in the current month, then on the first Monday in succeeding months. Once activated, the audit runs every month at the specified time.
PostUpdate | Runs the audit immediately after a CVE update is downloaded. (Audit immediately returns to Inactive status after completion and remains Inactive until the next CVE update is downloaded.)
NOTE: An audit set to Now runs each time you start it, then reverts to the Inactive state.
Set the audit Start Time, if appropriate. (For an audit set to Now or PostUpdate frequency, the time does not apply.) Choose the Hour and Minute you want to schedule the audit to start, and then select the day of the week, if applicable, from the pull down menu. The day of the week selector will be disabled for Now, Daily, and PostUpdate audits.
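The frequency rules above, in particular the Monthly rule (next matching weekday in the current month, then the first matching weekday of each succeeding month), can be checked against a planned backup window before an audit is activated. The following Python is an added example, not NetSHIELD code; the function names are hypothetical, and it assumes that a start time already passed on the activation day rolls forward to the next eligible day.

```python
# Added illustration of the Frequency of Audit rules in the table above.
# Not NetSHIELD code. Assumption: a start time that has already passed on the
# activation day rolls forward to the next eligible day.
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _on_or_after(moment, weekday):
    """First date/time on or after `moment` that falls on `weekday` (0 = Monday)."""
    return moment + timedelta(days=(weekday - moment.weekday()) % 7)


def next_runs(frequency, activated, hour=0, minute=0, day_of_week="Monday", count=3):
    """Start times of the next `count` runs after Start is clicked at `activated`."""
    if frequency == "Now":
        return [activated]              # runs once, then reverts to Inactive
    if frequency == "PostUpdate":
        return []                       # triggered by a CVE update, not the clock
    first = activated.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if frequency == "Daily":            # any Day of Week setting is ignored
        if first < activated:
            first += timedelta(days=1)
        return [first + timedelta(days=i) for i in range(count)]
    weekday = DAYS.index(day_of_week)
    first = _on_or_after(first, weekday)
    if first < activated:
        first += timedelta(weeks=1)
    if frequency == "Weekly":
        return [first + timedelta(weeks=i) for i in range(count)]
    if frequency == "Monthly":
        # Next matching weekday in the current month (if one is left), then the
        # first matching weekday of each succeeding month.
        runs = [first] if first.month == activated.month else []
        year, month = activated.year, activated.month
        while len(runs) < count:
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
            runs.append(_on_or_after(datetime(year, month, 1, hour, minute), weekday))
        return runs
    raise ValueError(f"unknown frequency: {frequency}")


def overlaps_backup(run_start, audit_minutes, backup_start, backup_minutes):
    """True if the estimated audit window intersects the backup window."""
    audit_end = run_start + timedelta(minutes=audit_minutes)
    backup_end = backup_start + timedelta(minutes=backup_minutes)
    return run_start < backup_end and backup_start < audit_end


if __name__ == "__main__":
    activated = datetime(2017, 5, 10, 14, 0)      # constructed: a Wednesday
    for run in next_runs("Monthly", activated, 2, 0, "Monday"):
        backup = run.replace(hour=1, minute=0)    # constructed 01:00 backup, 90 min
        clash = overlaps_backup(run, 60, backup, 90)
        print(run.strftime("%a %Y-%m-%d %H:%M"), "overlaps backup" if clash else "clear")
```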
CHOOSING IP ADDRESSES FROM LIST
The fourth page of the Audit Wizard allows you to choose specific IP Addresses for auditing. Information about your auditing capacity is shown at the top of the page, including:
Number of IP addresses your license allows you to audit (variable depending on which appliance you own)
Number of IP addresses currently selected (IP addresses are selected when the box to the left of their entry is checked)
Number of IP addresses already audited
Link to list of IPs audited so far and their status
Green (or alternate color, based on browser settings) box that flags Wireless Access Points
After NetSHIELD collects IP addresses on the network, it recognizes:
Wireless Access Points
Assets on the Safe List
Missing systems
Blocked systems or systems with a blocked port
SELECTING/GROUPING IP ADDRESSES TO AUDIT
Each IP address is listed with a check box to its left. Use the check box to select individual IPs for audit. The listing also shows IP addresses of subnets; subnets do not have host name or operating system data.
You must select at least one IP address to audit. Selecting the checkbox in the column header will select all the IP addresses on the list or within a subnet.
SAVING THE AUDIT
Review your settings on the Audit Settings page.
NOTE: Before you proceed, ensure no red text appears in the Audit Settings display. If any IP addresses are shown in red, you either exceeded the number of IP addresses your license allows you to audit, or an existing audit may show an unknown IP Address (Known Missing Assets). (See the sections on Known Missing Assets for more information. These Known Missing Assets are preceded by the word Previously.)
SnoopWall NetSHIELD indicates the number of IPs in excess of your license in a message at the top of the window. You must click Edit and deselect enough IPs to reduce the number below the limit, or you can increase your license limit.
Click Review before saving again. (Your license is not affected until you click Save in the Audit Settings window and audit those assets. Save is “grayed out” until you are within your license range).
Click Save to preserve the audit and exit from the Audit Wizard. This takes you to the Manage Audits page that displays all defined audits.
ACTIVATING & MANAGING AUDITS
You can manage all audits you create and save on the Manage Audits page. Here you may start, stop, or delete audits depending on your daily needs. After you save an audit, SnoopWall NetSHIELD automatically displays this page.
To get here at any time:
Select Audits → Manage Audits from the left menu.
The Manage Audits page displays all audits saved in the system as well as their audit/CVE test parameters. The Status column shows the current state (Auditing, Inactive, or Scheduled) of each audit.
SCHEDULING AN AUDIT TO RUN
The Manage Audits page gives an overview of audit parameters you set earlier. The first column shows Audit Name. Each audit has its own row with Start, Stop, and Remove (Command) buttons to the far right.
A Status column just to the left of the Command buttons indicates the audit’s current condition. The initial status of any audit is Inactive. Inactive audits do not run.
Starting an Audit
Click the Start command button in the audit row.
Audit Status becomes Scheduled. The audit starts running at the specified Audit Time and Start Time. If an audit is scheduled for Now, it starts auditing immediately after you click Start, and the Status changes to Auditing.
Once it starts, an audit’s Status changes to Auditing (See the Manage Audits page for more information.) When an audit finishes, its Status automatically reverts to Scheduled, unless it is a Now audit – Now audits revert to Inactive upon completion, but can be run again at any time by clicking Start.
When an audit is complete and reports are available, the system sends emails to the contacts designated in the Audit Wizard.
Any number of audits can be Scheduled or Auditing at a given time without interference.
To see the reports:
Select Reports → View Audit Results from the left menu bar.
For details on how to work with reports, see Working with Vulnerability Reports, and Working with Logs.
DEACTIVATING AN AUDIT
When you no longer want a particular audit to run but wish to keep it in the system, you can make it Inactive.
Select Audits → Manage Audits from the left menu.
Click the Stop button (far right in the row) for the audit. The Status column indicates it is Inactive.
The audit stays in the system, but does not run until you change its status to Scheduled again by clicking Start.
REMOVING AN AUDIT
You can remove a specific audit when you no longer need it.
Select Audits → Manage Audits from the left menu.
Click the audit’s Remove button, to the right of the Stop button. The audit is deleted from the system and no longer appears on the Manage Audits page.
MODIFYING AN EXISTING AUDIT’S DEFINITION
You can also change parameters for an existing audit from the Manage Audits page.
Select Audits → Manage Audits from the left menu.
Select the Audit Name and click on the link. If the audit is scheduled, there won’t be a link.
Click the Start button to deactivate it. The Audit Wizard opens and displays information for that audit.
Make the desired changes as you proceed through the Audit Wizard pages. Click Review and check your settings before clicking Save. Upon return to the main Manage Audits page, click Start to schedule the audit.
COPYING AN AUDIT TO CREATE A VARIATION
To create a new audit with some or all the parameters from an existing audit definition:
Select Audits → Manage Audits from the left menu.
Select the Audit Name and click on the link. If the audit is scheduled, there won’t be a link.
Click the Start button to deactivate it.
The Audit Wizard opens and displays the information for that audit. Enter the name for the new audit in the Audit Name field. Be sure it is unique. Change the parameters as you click through the Audit Wizard pages.
Click the Save button to save the variant audit. Upon return to the main Manage Audits page, click Start to schedule the audit.
REMOVING SYSTEMS/IP ADDRESSES FROM AN AUDIT
To remove system/IP addresses from a particular audit, deselect that IP address in the list, and then re-save the audit.
Select Audits → Manage Audits from the left menu.
Select the Audit Name and click on the link. If the audit is scheduled, there won’t be a link.
Click the Start button to deactivate it.
This takes you to the Audit Wizard for the selected audit. Page through the Audit Wizard using the Next button until you reach the list of IP Addresses.
Click check boxes next to the IP addresses you want to remove to deselect them. Click the Review button to verify your changes. Click Save to retain the changes once you are satisfied with your edits.
VIEWING LISTS OF CVE TESTS BY OS AND APPLICATION
You can view information about tests SnoopWall NetSHIELD runs for each operating system or application at any time.
Select Audits → View Vulnerability Tests from the left menu. The View Test List by OS & Applications box opens.
Select All OS, Windows, or UNIX/Linux. Click the display list to see the available CVE tests.
Choose the test you want to see from the pull-down menu. For example, if you choose Novell Server from the pull-down list, you see a list of tests SnoopWall NetSHIELD will run on your Novell Server.
Click the Display List button to view the results.
MANAGING KNOWN MISSING ASSETS
Sometimes the audits you create contain Known Missing Assets – assets that changed their IP Address for various reasons since the last scan. One way to view and manage Known Missing Assets is from the Manage Assets page.
Select Network Access Control → Manage Assets from the left menu.
Select Known Missing from the Asset Status filter. If you click on the link for the first IP address above, you go to the Edit Asset page which shows previously known information about this asset. The IP address is shown as unknown.
This IP Address is currently Unknown. If you know what it has changed to, you can manually enter the new IP Address here.
If you access the asset from the Asset Tracker: Systems page, you will find this entry:
The other option for resolving Known Missing Assets is to either remove the Known Missing Asset(s) from the audit or run an Asset Discovery.
VIEWING SNOOPWALL NETSHIELD SCHEDULE
If you want a visual overview of all audits, you can display a schedule in a calendar view.
Select Audits → Schedule from the left menu.
Initially, a weekly view of the schedule displays. The illustration shows an example of a weekly schedule. Time is blocked out for each audit. More time is blocked out for audits SnoopWall NetSHIELD estimates will take longer to run.
Hold the mouse over any audit name in the calendar (as shown for Wednesday’s audit in the illustration) to view a box showing estimated length of time required for the audit as well as a list of the IP addresses included in the audit.
VIEWING THE MONTHLY, WEEKLY, OR YEARLY SCHEDULE
Additional schedule formats can be viewed from pull-down lists, located near the bottom of the page, labeled Month, Week, and Year.
Month: To see the schedule for a particular month, select that month from the pull down at the lower left of the page.
Week: To see the schedule for a particular week, select that week from the pull down on the bottom center of the page.
Year: To see the schedule for a particular year view, select that year from the pull down in the lower right corner of the page.
NOTE: If you have not clicked the Start button for the audit on the Manage Audits page, the audit will not show in the calendar because it is not yet scheduled.
VIEWING THE DAILY SCHEDULE
When viewing the yearly or monthly schedule, you can click on any specific day to see audits scheduled for that day in a daily calendar display.
Daily Schedule Details
To see details of the schedule for a particular day, click on the actual audit in the Monthly, Weekly, or Daily view.
The audit schedule description appears, including:
Audit name
IP addresses to be audited
Audit frequency
Scheduled start time
Expected audit duration
SEARCHING THE CALENDAR
You can search the calendar for a particular audit.
Select Search below the Month field in the lower left corner.
Enter the search parameters in the Keywords field. Search for words that appear in the name of the audit. The search results indicate the number of matches found and the names of reports containing that match.
OPENING AUDIT/SCHEDULING FAQ IN THE CALENDAR VIEW
Select FAQ below the Month field in the lower left corner of the Calendar to view answers to frequently asked questions about audits and reports.
The FAQ page appears in a small separate window. If you do not find the answer you need, please email SnoopWall Technical Support at support@snoopwall.com.
NATIONAL VULNERABILITY DATABASE
There is a direct link to the National Vulnerability Database maintained by the National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security.
Here you will find a vulnerability database that integrates publicly available U.S. Government vulnerability resources as well as references.
Select Audits → National Vulnerability Database from the left menu.
Click the link to visit the NVD web site or enter the CVE number of the vulnerability you wish to look up.
Select the Additional Information you wish to include in the lookup.
Click the Search button to view results.
MANAGING IN PROCESS AUDITS
Reviewing Audits
There are several options for reviewing in process audits. Let’s say you create an audit called Sales Department. If you select Audits from the left menu, you will see it listed.
Click the Sales Department Start button to begin the audit. Once the audit begins, you are automatically taken to the Reports Page (Reports → View Audit Results) and shown an overview of the audit as it progresses. Here, the audit has started, but no vulnerabilities have yet been discovered.
Click on the Sales Department link to go to the audit details.
The next illustration shows the status of the Sales Department audit after a few minutes.
Note 15 vulnerabilities have been discovered so far. Two are of high priority. The data will change as the audit progresses. Now there are 48 total vulnerabilities. (See the screen below.)
In the final audit screen there are 51 total vulnerabilities present. Notice that the Status column has disappeared and the Firewall/SmartSwitch Update column has been added to the far right.
After the Sales Department audit finished, the SmartSwitch blocked the IPs showing high vulnerabilities. (You specify the SmartSwitch blocking requirements when you create the audit in the Audit Wizard; NetSHIELD no longer does Firewall blocking).
IP Address 192.168.254.64 in the illustration shows two high vulnerability items. This address was blocked at SmartSwitch 192.168.254.23 on Unit 1, Port 12.
You can also specify SmartSwitch blocking requirements on the Network Access Control → Asset Detection System page. Blocking rules for this action are displayed on the Network Access Control → SmartSwitch Integration page.
Viewing Partial Reports
At times it may be helpful to view actual report data before an audit is fully completed – perhaps to check how things are going, or to view the status of a particular asset.
Let’s say you create an audit called Email Server. If you select Audits → Manage Audits from the left menu, you will see it listed.
Click the Email Server Start button to begin the audit.
You are automatically taken to the Reports Page (Reports → View Audit Results), where you see an overview of the audit.
Initially, there are 0 vulnerabilities discovered, but this number will change as the audit updates. Make sure you check the Refresh this page every 60 seconds box at the bottom of the page to get updates. Adjust the refresh rate if necessary.
As the audit progresses, the page will be updated, and you can proceed.
Click the Generate Report link for this audit to get a partial report (the report is partial because the audit is still In Progress). This takes you to the Generate Report page. Here you have four options, as shown in the illustration.
NOTE: A partial audit may affect your license agreement because you can only audit a specific number of MAC addresses with a limited license agreement. You are licensed to audit “N” specific addresses, not “N” addresses total.
Decide which Partial Report option works best for you and select the appropriate button.
Click Proceed.
Your choice takes you back to the Reports Page. In this example, we chose Create a partial report and continue with the audit.
Click on the button to get your partial report. The report opens in a PDF file.
The Summary and Complete Reports are both available after the audit completes.
GENERATING AND VIEWING ASSET REPORTS
Select Reports → View Audit Results from the left menu to go directly to the Audit Results screen.
Select an audit result to generate an Asset Report for that audit. Assets will also be marked as trusted when unblocked.
Click Generate Asset Report.
Click on one of the generated links to view the report.
Note: Asset reports combine SnoopWall and NVD data. Reports are available in PDF and XML formats. XML Schema is also available.
Generating and Viewing NetSHIELD Reports
Select Reports → NetSHIELD Reports from the left menu to go directly to the NetSHIELD Reports screen.
Select a start date for the NetSHIELD report. Assets will also be marked as trusted when unblocked.
Select an end date for the NetSHIELD report. Click Generate NetSHIELD Report. Click on the generated link to view the report.
Generating and Viewing IP History Reports
Select Reports → NetSHIELD Reports from the left menu to go directly to the NetSHIELD Reports screen.
Enter an IP address. Assets will also be marked as trusted when unblocked.
Select a start date for the IP History report. Assets will also be marked as trusted when unblocked.
Select an end date for the IP History report. Click Generate IP History Report. Click on the generated link to view the report.
UPDATES
SETTING UP AUTOMATIC VULNERABILITY UPDATES
You can schedule updates at any time to ensure you are up to date on all the latest tests.
Select Updates → Vulnerability Tests from the left menu.
The Automatic Vulnerability Test Updates Update screen appears. You can opt to receive updated vulnerability tests over the Internet from the Update Server automatically every day, or you can manage downloads manually by selecting Never. Downloads are secure transmissions that access only the SnoopWall NetSHIELD appliance.
NOTE: For automatic downloads to occur, you must open port 443 on your Firewall.
NOTE: The normal setting is Daily. If you click Never, no automatic downloads occur.
You may still run updates when you wish by clicking the Update Now button – a single download will occur immediately, but no periodic updates will be scheduled.
Choose Update Now or Undo Update to continue.
Update Now: Click this button to immediately receive updated vulnerability tests from the Update Server.
| Option | Description |
|---|---|
| Ignore | This set of tests is not installed. |
| Install Now | New vulnerability tests are installed. |
| Undo Update | Returns you to the previous set of vulnerability tests. Example: Did you update vulnerability tests but are not sure that you should have? Click this button. The previous set of vulnerability tests is stored in a file, so it can be restored. You can Cancel if you click this button by mistake. |
You can also request a single download of vulnerabilities at any time. (This may be necessary later if you initially select the Never option in this setup.)
When you select Update Now, you move to a new screen, where you can choose to Download Updates if your SnoopWall NetSHIELD appliance is connected to the Internet.
Or you may choose to download the updates to your own machine, and then upload them to the appliance.
NOTE: We recommend you select Update Now when you first set up SnoopWall NetSHIELD as well as whenever daily updates have not been performed for a length of time.
NOTE: Do not change the name of the update file. If the file needs to be accessed later, SnoopWall NetSHIELD will only be able to locate it if it retains the same name.
NOTE: Sometimes Windows renames the tar.gz update file to tar.tar or other variations thereof when it downloads the file. Make sure the file is named tar.gz after the download.
After you click Download Updates or Upload Now, you receive a list of new vulnerability tests (sample shown below). Peruse this list and then decide on your next step. Options are shown below.
RETRIEVING SNOOPWALL NETSHIELD SERVICE PACKS/VERSION UPDATES
You may download service pack updates at any time.
Select Updates → Service Packs from the left menu.
A screen similar to the one below appears. Click Install Patches.
SERVICE PACK CONFIGURATION
To obtain automatic updates:
1. Select Updates → Service Pack Configuration.
2. If the screen shows Software Auto Updates Disabled,
3. Click Enable Software Auto Updates.
You will now receive automatic updates as they become available.
MALWARE THREAT FEED UPDATE
1. Select Updates → Malware Threat Feed Updates.
2. The current malware signatures running on the network are displayed.
3. The Last and Next Signature Updates are listed.
License/Subscription updates
The current license/subscription information is provided on this screen. Select Updates → License/Subscription.
CONFIGURING A PROXY FOR SERVICE PACK AND VULNERABILITY UPDATES
SnoopWall NetSHIELD supports the use of a proxy server for both service pack updates and vulnerability signature updates.
Select Network Configuration → Proxy Configuration from the left menu to go to the Proxy Configuration screen.
Select Use Proxy to direct the appliance to use a proxy server for outgoing connections.
Enter the proxy server IP address in the IP Address field.
Enter the proxy server port in the Port field.
Select Proxy Requires Login if the proxy server requires a username and password to log in.
Enter the proxy server username in the Username field.
Enter the proxy server password in the Password field.
Click Save to save the configuration.
| Appliance | Number of Possible Managed Appliances |
|---|---|
| Enterprise 10 | Up to 10 |
| Enterprise 100 | Up to 100 |
| Enterprise 250 | Up to 250 |
COMMAND CENTER
The Command Center offers the ability to command and control remote appliances across your network:
Remote client appliances can be added and groups of remote appliances can be created.
In one action, policies and configurations can be saved to all remote appliances included in a group.
Remote actions can be performed on remote appliances.
Group and appliance status can be quickly viewed on a single screen, providing an easy-to-use management console.
The number of appliances the Command Center is able to manage varies depending on the type of Enterprise appliance you have purchased. Command Center is only available on the Enterprise appliances.
Important Note: SnoopWall Command Center can be used to remotely manage multiple Nano, Branch Pro, or Enterprise appliances.
Important Note: Intermediate devices, such as firewalls, must be configured to allow traffic from SnoopWall Command Center to each remote, managed appliance. Please consult your firewall documentation for more information on port/traffic forwarding.
To accomplish all this, you will first need to add the appliances that will be managed remotely, and then arrange them into groups.
MANAGING APPLIANCES
Select Command Center → Manage Appliances from the left menu. The Managed Appliance page displays a list of SnoopWall NetSHIELD appliances (see table below).
ADDING MANAGED APPLIANCES
Select Command Center → Manage Appliances and click the Add Appliance button.
This takes you to the Appliance Information screen. Fields with a red asterisk are required: Appliance Name, URL, and Serial Number.
Enter appliance information.
If you enter the username and password for the appliance, you will not be asked for that information when you log on to it while using the SnoopWall NetSHIELD interface.
The remaining optional fields are for information that may be useful to the network administration group, such as the location of the appliance or locations serviced by the appliance.