Airpatrol Certified CEF Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 13 min read
Summary:
Based on the provided text, it appears that the document is focused on managing and protecting "proprietary information," which could include sensitive data related to technology, business strategies, or other competitive advantages. The summary highlights several key points about how this information should be handled:
1. **Definition of Proprietary Information**: The text does not explicitly define what constitutes proprietary information but implies that it includes technical data, financial information, and possibly other forms of sensitive material that are protected by law to prevent unauthorized use or disclosure.
2. **Handling and Protection Measures**: To protect this information, the document likely suggests implementing strict internal protocols for handling documents, restricting access based on employee roles, and considering non-disclosure agreements (NDAs) for employees who need access to sensitive data.
3. **Employee Responsibilities**: Employees are expected to report any suspected breach of proprietary information immediately to management and potentially involve legal action against those found in violation of the policy.
4. **Penalties for Breach**: The text does not explicitly mention penalties, but it implies that there are consequences for individuals who misuse, disclose, or leak this confidential information, which could range from disciplinary actions up to criminal charges depending on the severity and impact of the breach.
Overall, the document emphasizes the importance placed on maintaining a secure environment for proprietary information within the organization and outlines clear responsibilities and potential repercussions for those involved in handling such sensitive data.
Details:
The "Common Event Format Configuration Guide" for AirPatrol Corporation's WiVision WLS is a document designed to assist in configuring the system for syslog event collection. It covers Windows platforms and version 2.0 of the product. The guide has undergone several revisions since its first edition on April 4, 2007, with updates including changes to the product name, new event types, and updated tag/data pair definitions.
The introduction highlights the importance of securing corporate networks against wireless threats: because wireless data transfer needs no physical connection, an unauthorized user can reach a network simply by associating a wireless device with it. By the end of 2005 there were around 150 million wireless laptops in use, with another 70 million expected by 2006. The guide aims to provide solutions for these growing security challenges faced by both private and government organizations, including those subject to Sarbanes-Oxley requirements.
In summary, this configuration guide is a vital tool for setting up AirPatrol's WiVision WLS system to collect events from wireless networks efficiently and securely, addressing the growing concerns around corporate data protection in an increasingly wireless world.
AirPatrol Corporation has developed network management and intrusion detection solutions designed to simplify the deployment of secure wireless networks, with additional capabilities to monitor the airspace around office buildings for unauthorized devices like "rogue" access points and laptops. These solutions cater to markets including Unified Threat Management, Intrusion Detection, and Wireless Network Management, collectively valued at approximately $3 billion by IDC.
AirPatrol is recognized as a key player in wireless technology innovation within these sectors. Its products offer comprehensive suites designed to address the challenges of securing wireless networks and detecting unauthorized devices.
Configuration instructions for WiVision WLS:
1. Access the "Alerts and Reports" console and click on "Setup Syslog."
2. In the "Syslog Server Setup" dialog, enable Syslog message generation by checking the "Enable Syslog" checkbox. Confirm enabling syslog messaging for all event types with a 'Yes' response.
3. Enter the ArcSight server's IP address and port number, then click "Apply" to save the configuration.
4. Close the "Syslog Server Setup" dialog by clicking "OK."
5. To modify Syslog generation settings for specific events:
   - Navigate to the "Alerts and Logging Configuration" tree on the left-hand side.
   - Select the event, then check or uncheck the "Generate Syslog Message" checkbox under "Event Action" as required. You can also change the event's default priority by selecting a different "Event Severity."
6. Confirm all changes by clicking the "Apply changes" button.
Once these steps are complete, syslog messages are generated and forwarded as configured, giving the collector a consistent, per-event-type view of the wireless network's security state.
This document outlines the mappings between vendor-specific event definitions and ArcSight data fields for the AirPatrol connector. The table provided in this technical note lists how information from these events, such as MAC addresses, IP addresses, SSIDs, BSSIDs, sites, buildings, floors, and sensor details, is mapped to the corresponding ArcSight data fields. This mapping allows event data from different sources to be collected, stored, and analyzed together in the ArcSight platform.
This text appears to be a list of event codes used in an application management system, detailing various statuses and errors that can occur during the operation or shutdown of the application. Here's a summarized breakdown of each event code mentioned:
**Application Startup (0257)**: Indicates the start of the application.
**Application Stop (0258)**: Indicates the end of the application, possibly due to errors or system requirements not being met.
**License Added (0259)**: Signals that a license has been successfully added to the application.
**License Expired (0260)**: Alerts when an application license has expired.
**Disk Full (0261)**: Suggests that the host computer's hard drive is nearly full, which might affect system performance or functionality.
**Application Status (0262)**: Generic notification for other management application statuses.
**Application Warning (0263)**: Indicates warnings from the application related to operations or configurations.
**Application Error (0264)**: Signals errors within the application that need attention.
**Email Alert Generation Error (0265)**: Indicates failure in generating an email alert, possibly due to issues like too many concurrent alerts, incorrect email setup, or SMTP server problems.
**EventLog Error (0266)**: Reports a failure in saving an event to the Windows Event Log, which could be because of corruption or being full and set not to overwrite old events.
**AP and/or Sensor limit reached (0267)**: Indicates that the maximum number of APs and sensors allowed for management has been exceeded.
**Tracked Devices limit reached (0268)**: Signals that the total amount of tracked devices has reached its maximum capacity, potentially limiting new device tracking or management capabilities.
**Database Error (0269)**: Reports an error during database access, with detailed logs to be generated as part of this event.
**Database Connection Offline/Online (0270-0271)**: Indicates changes in the database connection status, either offline or reconnected online.
**Application Events - Generating timer driven heartbeat event (0272)**: A periodic event triggered by the application to monitor its own status and performance.
**Client Provisioning Events (1024-1029)**: Relate to client provisioning within the system, including requests for provisioning, activations upon receipt of provisioning data, and changes in online/offline status of clients.
These codes are part of an event logging system used within an application management environment, providing detailed information about various operational aspects such as license statuses, hardware conditions, database interactions, and client communications.
This text appears to be related to monitoring and managing rogue and known wireless access points (APs) in various sites or buildings, as indicated by terms like "rogue/unknown wireless device" and "Known Rogue AP." Here's a summary of the information provided:
1. **Rogue AP Positioning:** This refers to locating unauthorized wireless devices that are not registered or known on the network. The status is detailed for each instance, with different outcomes based on whether the rogue device was found inside or outside an "Alert Zone." An Alert Zone is defined as a restricted area where such devices should not be present.
2. **Completion of Tasks:** Each task related to positioning or detecting rogue APs has a completion status identified by an event number (e.g., 1542, 1543). A task is completed when:
   - A device was positioned inside the Alert Zone.
   - A device was positioned outside the Alert Zone.
   - Positioning failed due to insufficient sensor coverage or reliability issues.
   - A previously detected rogue moved into an Alert Zone.
   - A previously detected rogue moved out of the Alert Zone.
3. **Rogue AP Detection:** New discoveries are noted when a "rogue/unknown wireless device" is first detected but has not yet been located ("not yet positioned").
4. **Known AP Positioning:** When known rogue APs are discovered and managed:
   - They can come online or go offline, each indicated by a specific event number.
   - The task involves positioning these devices inside or outside the Alert Zone if they are detected in a restricted area.
5. **Alert Zones:** These are areas where certain types of wireless devices, particularly unauthorized ones like rogue APs, should not be located. Compliance with this rule is checked through positioning tasks.
6. **Sensor Coverage:** In some cases, the device could not be reliably positioned because it was seen by fewer than 3 sensors. This implies that sensor network coverage might have been inadequate for accurate localization of the wireless devices.
This summary provides a basic framework for understanding how rogue and known APs are managed in terms of their location relative to defined Alert Zones, based on various operational tasks and events documented through sequential numbers.
The document outlines various events and actions related to the detection, positioning, and movement of both known rogue APs and recently discovered ad hoc networks in a specific site or building. Key findings and outcomes include:
1. **Known Rogue AP Positioning**:
   - Events 1550-1555 cover the detection and status changes of known rogue wireless devices, including when they come online, go offline, are detected for the first time (Event 1552), or move within or outside alert zones.
   - Event 1591 notes a failure to reliably position a recently discovered Known Rogue AP due to insufficient sensor coverage.
2. **Adhoc Network Positioning**:
   - Events 1586-1591 and 1652-1653 focus on the positioning of ad hoc networks, including when they are detected for the first time (Event 1584), positioned inside or outside alert zones, and when movement within or out of these zones is observed.
   - Event 1591 reports that a recently discovered Adhoc Network could not be reliably positioned because it was seen by fewer than three sensors.
3. **Alert Zone Management**:
   - No Alert Zones were defined for ad hoc networks, as indicated in Events 1586 and 1589, where the positioning results are reported without specific alert zone information.
   - For known rogue APs, events such as moving inside or outside an alert zone (e.g., Events 1651-1653) provide updates on their location relative to predefined security zones.
4. **Event Interoperability**:
   - The document is part of a technical series on event interoperability, which suggests it is meant to be used alongside other systems or standards for comprehensive network and device monitoring within an organization's infrastructure.
This summary highlights the sequence and outcomes of events related to rogue wireless devices and ad hoc networks, emphasizing their positioning and movement relative to defined alert zones based on sensor coverage and detection thresholds.
The document outlines various events related to a rogue client in an Adhoc wireless network, which is part of a VirtualShield system for managing unknown or rogue clients within defined alert zones. Here's a summary of the key points from each numbered event:
1. **Adhoc Network Events:**
   - 1585: The Adhoc wireless network goes offline.
   - 1588: The Adhoc wireless network comes back online.
2. **Rogue Client VirtualShield Events:**
   - 1816: A previously discovered rogue client is moved inside the VirtualShield region (Alert Zone).
   - 1817: The same rogue client is moved outside the VirtualShield region.
   - 1818: A new rogue client is detected inside a VirtualShield region for the first time.
   - 1819: A new rogue client is detected outside a VirtualShield region for the first time.
3. **Rogue Client Positioning Completed:**
   - 1811: A recently discovered rogue client has not been positioned yet, and no alert zones are defined for this site/building.
   - 1813: The rogue client is successfully positioned inside an Alert Zone.
   - 1814: The rogue client is positioned outside the Alert Zone.
   - 1815: The rogue client could not be reliably positioned, likely due to insufficient sensor coverage.
   - 1874: A previously detected rogue client moves from outside to inside an Alert Zone.
   - 1875: The same rogue client moves from inside to outside an Alert Zone.
These events and their descriptions provide a comprehensive record of the actions taken, detections, movements, and status updates related to rogue clients within the VirtualShield system, including details on alert zone interactions.
This document outlines various events related to client detection and positioning within a network environment, particularly focusing on rogue (unknown) and known clients, as well as virtual shield zones. The events are categorized for easy reference and understanding of the actions taken by the system or software in response to these detections:
**Rogue Client Events**: These include scenarios where an unauthorized client is first detected ('1809 Rogue Client Events - Rogue Client Detected'), when a previously discovered rogue client comes online after being offline ('1810 Rogue Client Events - Rogue Client Online'), or goes offline ('1811 Rogue Client Events - Rogue Client Offline'). Another event ('1820 Rogue Client Events - Rogue Client Connected to Unauthorized Device') occurs when a rogue client connects to an unauthorized device. Finally, a rogue client is blocked using a third-party firewall and unblocked in another case ('1821 & 1822 Rogue Client Events - Rogue Client Blocked/Unblocked').
**Known Client VirtualShield Events**: These describe the movement of previously known clients within virtual shield regions. The events include when a client is initially detected inside or outside a virtual shield zone, and also includes cases where it moves from one region to another ('1800 - 1803 Known Client VirtualShield Events').
**Known Client Positioning Events**: These cover the positioning of newly discovered clients within defined alert zones. The events are as follows: no alert zones were defined for a site/building ('1795 Completed - No Alert Zones Defined'), the client was positioned inside an alert zone after being detected ('1797 Completed - Positioned Inside Alert Zone'), and when it is outside the alert zone after detection ('1798 Completed - Positioned Outside Alert Zone').
Each event type provides a snapshot of how the system interacts with different types of network devices, indicating whether they are rogue or known, and their position within or outside defined security zones. This categorization helps in understanding the operational status and compliance of client devices connected to the network.
The document outlines various events and activities related to the detection, positioning, online/offline status, and connection details of known clients and managed access points (APs) in a network environment. Here's a summary:
1. **Known Client Positioning:** This section covers tasks where the location of known clients is determined or tracked within an Alert Zone region. The client could be inside or outside this zone, and it involves using multiple sensors to locate the device accurately.
2. **Known Client Events:** These are related to events involving previously discovered Known Clients:
   - **Client Online/Offline**: Indicates when a known client comes online after being offline or goes offline.
   - **Client connected to an Unauthorized Device**: When a known client connects to devices not authorized by the network.
   - **Client Blocked/Unblocked using Firewall**: A 3rd party firewall's status change affecting a known client's connectivity.
3. **Managed Access Point Events:** These pertain to new or existing APs managed by the system, including:
   - **Detected (New)** and **Online/Offline**: Indications of a newly detected AP coming online or going offline.
4. **802.11 Sensor Events:** These cover events related to wireless sensors, such as new detections and changes in their status (online/offline), which are part of the 802.11 standard for network connectivity.
5. **Completed Tasks without Alert Zone Involvement:** There is a task noted under Managed Client Positioning that is completed but not accompanied by an alert zone mention:
   - **No Alert Zone Mentioned**: Indicates that a specific event or task does not involve the use of, or comment on, an Alert Zone during its handling.
These events and tasks collectively help in maintaining network security, client management, and ensuring proper functioning of connected devices within defined zones.
The document outlines the status events for a recently discovered Managed Client and for cellular activity in relation to alert zones. Here's a summary by event ID:
1845-1846: Two events about positioning a newly discovered Managed Client. Event 1845 reports it successfully positioned inside an Alert Zone, while event 1846 reports it positioned outside the Alert Zone.
1847: The attempt to position the Managed Client with fewer than three sensors failed; the event is marked "Completed - Position not reliably positioned."
1876-1877: These events report that a previously detected Managed Client moved inside or outside an Alert Zone region, with both scenarios marked as completed.
1840: A new Managed Client was discovered but had not yet been positioned (not yet positioned).
1841: The Managed Client came online after its initial detection.
1842: The Managed Client went offline.
1848: The Managed Client connected to an unauthorized device, which is recorded as an event in the events log.
1849: A managed client was blocked using a 3rd party firewall, another entry indicating a status change or action related to the client's network connectivity.
1850: The managed client that was previously blocked with a 3rd party firewall is now unblocked, showing an update in its network configuration.
2308-2309: Entries about cellular activity positioning within a site or building without defining any alert zones for the location.
This technical note outlines various events related to cellular activity and sensor events detected within or outside of an "Alert Zone" for a site or building, as well as the detection of new or previously discovered CellSensors. The events are categorized by their unique ID numbers, with descriptions detailing the type of event and its location relative to the Alert Zone. Additionally, it mentions that cellular activity can be reliably positioned based on sensor coverage, while other events may not have a precise position due to insufficient sensor coverage. Finally, there's a mention of 802.11 wireless infrastructure and client device events, as well as specific events related to mobile devices or sensors.
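The connector mapping described above (vendor event fields carried into ArcSight data fields) and the event-code lists on this page are easiest to reason about with a concrete parser. The following is an added example written for this page, not code from the guide or from AirPatrol or ArcSight: it parses syslog lines carrying a standard CEF payload (the `CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension` header with `\|`, `\\` and `\=` escaping) and triages the signature IDs this page documents, such as 0261 (Disk Full) and 1815 (rogue client seen by fewer than 3 sensors). The sample lines are constructed, and the extension keys used (`dvchost`, `smac`, `dmac`, `cs1`/`cs2` custom strings for site and building, `cn1` for a sensor count, `msg`) are assumed CEF key names, not the connector's actual field mapping.

```python
"""Parse CEF-over-syslog lines and triage AirPatrol event codes.

Added example for this page. Sample lines are constructed; the extension
keys (dvchost, smac, dmac, cs1/cs2, cn1, msg) are assumed standard CEF
key names, not the connector's documented mapping.
"""
import re
from dataclasses import dataclass, field

# Signature IDs and their meanings come from the event codes summarised on this page.
EVENT_NAMES = {
    "0257": "Application Startup",
    "0261": "Disk Full",
    "0272": "Heartbeat",
    "1815": "Rogue Client Positioning - Not Reliably Positioned",
    "1820": "Rogue Client Connected to Unauthorized Device",
}

# Codes an operator should act on, and why (reasons follow the page's descriptions).
ATTENTION = {
    "0260": "application license expired",
    "0261": "host disk nearly full",
    "0269": "database access error",
    "1815": "rogue client seen by fewer than 3 sensors; sensor coverage gap",
    "1820": "rogue client connected to an unauthorized device",
}


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)


# An extension key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _unescape(value: str) -> str:
    """Undo CEF extension-value escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "=\\":
                out.append(nxt)
                i += 2
                continue
            if nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def _parse_extension(ext: str) -> dict:
    """Split 'k=v k2=value with spaces' into a dict; values may contain spaces."""
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload; any syslog prefix is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    body = line[start + len("CEF:"):]
    fields, cur, i = [], [], 0
    # The header is seven '|'-separated fields; '\|' and '\\' are escapes.
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    version, vendor, product, dev_version, sig, name, sev = fields
    return CefEvent(version, vendor, product, dev_version, sig, name, int(sev),
                    _parse_extension(body[i:]))


def triage(lines):
    """Return (signature_id, site, reason) for every event in ATTENTION.

    Site is read from the assumed cs1 custom string, falling back to dvchost.
    """
    findings = []
    for line in lines:
        ev = parse_cef(line)
        if ev.signature_id in ATTENTION:
            site = ev.extension.get("cs1", ev.extension.get("dvchost", "unknown"))
            findings.append((ev.signature_id, site, ATTENTION[ev.signature_id]))
    return findings


# Constructed sample lines (not captured from a real WiVision WLS).
SAMPLE_LINES = [
    "<134>Apr  8 10:00:00 wivision CEF:0|AirPatrol|WiVision WLS|2.0|0257|Application Startup|3|dvchost=wivision-01",
    "<134>Apr  8 10:00:05 wivision CEF:0|AirPatrol|WiVision WLS|2.0|0272|Heartbeat|1|dvchost=wivision-01",
    r"<132>Apr  8 10:02:00 wivision CEF:0|AirPatrol|WiVision WLS|2.0|0261|Disk Full|7|dvchost=wivision-01 msg=Drive C:\\ is 98% full",
    r"<131>Apr  8 10:05:00 wivision CEF:0|AirPatrol|WiVision WLS|2.0|1815|Rogue Client Positioning Completed - Position not reliably positioned|5|smac=00:11:22:33:44:55 cs1Label=Site cs1=HQ campus cs2Label=Building cs2=North cn1Label=SensorCount cn1=2 msg=needs >\= 3 sensors",
    r"<130>Apr  8 10:06:00 wivision CEF:0|AirPatrol|WiVision WLS|2.0|1820|Rogue Client Connected to Unauthorized Device|8|smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb cs1Label=Site cs1=HQ campus",
]

if __name__ == "__main__":
    for sig, site, reason in triage(SAMPLE_LINES):
        print(f"{sig} ({EVENT_NAMES.get(sig, '?')}) at {site}: {reason}")
```

The header parser counts exactly seven unescaped pipes and hands everything after the seventh to the extension parser, so a pipe inside the free-text `msg` does not break the split. Checking the parsed `signature_id` against a table keyed on the page's event codes is the point: the heartbeat (0272) and startup (0257) lines are ignored, while the disk, coverage and unauthorized-device events are surfaced with the site they belong to.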
The given text seems to be a section or heading in a document, likely related to the protection and handling of confidential information. Here's a detailed summary based on common understanding around such provisions:
### Section Heading: Proprietary Information
This section outlines the importance placed on confidential data within an organization. It underscores the company’s commitment to safeguarding its intellectual property, which includes but may not be limited to trade secrets, patents, and other forms of proprietary information that provide a competitive advantage. The term "proprietary information" typically refers to any kind of information that has been or is protected by law (such as through copyright, trademark, or patent) from unauthorized use or disclosure.
### Content Breakdown:
1. **Definition of Proprietary Information**: This section defines what constitutes proprietary information. It might include detailed descriptions such as technical data, financial information, business plans, and other sensitive material that could be used to gain an unfair advantage in the market.
2. **Handling and Protection Measures**: The text specifies how this information should be handled internally within the company to prevent leaks or misuse. This may involve setting up secure protocols for handling documents, implementing strict access controls based on employee roles, and possibly even requiring non-disclosure agreements (NDAs) for certain employees who come into contact with such sensitive data.
3. **Employee Responsibilities**: The section likely includes guidelines for employees about what they should do if they encounter or suspect any breach of this proprietary information. This could include immediate reporting procedures to management and possibly legal action against those found in violation of the policy.
4. **Penalties for Breach**: It is common practice to specify penalties for individuals who misuse, disclose, or inadvertently leak proprietary information. These might range from disciplinary actions like termination up to criminal charges depending on the severity of the breach and its potential impact on the company’s interests.
### Conclusion:
The section serves as a critical component in an organization's overall strategy to maintain competitive advantage through intellectual property protection. It ensures that all employees are aware of their role in safeguarding confidential information, thereby fostering a culture of respect for proprietary rights and adherence to legal standards within the company.