wireless observer - François Janssens' site

WIRELESS OBSERVER©

What is Observer?

Observer is a family of distributed network analysis products. With Observer, network administrators can:

- Capture, view and decode network traffic in real-time.
- Set alarms triggered by virtually any kind of network condition, including the presence of traffic associated with attacks and viruses.
- Automatically capture packets when alarms are triggered, and be instantly notified by email or page.
- Collect network statistics over long time periods, because tracking trends can help you plan network upgrades based on usage patterns as well as providing a baseline performance measurement to compare to current network conditions.
- Speed troubleshooting with over 450 real-time experts.
- Predict how changes to the network would affect bandwidth usage and response time with Expert Observer’s “What-If” modelling.
- Track applications and solve application problems with Application Analysis.

Observer, Expert Observer, and Observer Suite

The Observer package has three levels of licensing to meet the needs and budget of any administrator:

- Observer: For protocol analysis and network troubleshooting
- Expert Observer: Observer + Expert-assisted troubleshooting and Advanced Multi-Probe
- Observer Suite: Expert Observer plus SNMP network management and web reporting

So that you can evaluate the features for all licensing levels, we have provided you with a fully licensed copy of Observer Suite that is yours to keep and use. The Observer console can communicate with one or multiple remote Probes. Probes can monitor 802.11, 10/100/1000 Ethernet, WAN, Token Ring, or FDDI, individually or simultaneously.

How do Observer and the Probe Communicate?

Data collected from the Probe is available to any Observer console with TCP/IP connectivity. Probe data is transmitted securely and efficiently: only statistical updates are transmitted when showing statistical monitors, and packet captures are compressed and optionally encrypted before transfer.

Features Unique to the Observer Family of Analyzers and Probes

- Full topology support for all the standard network interfaces in one package (Ethernet, TR, FDDI, 802.11a/b/g, Gigabit, and WAN); no separate extensions or modules.
- One consistent user interface for all solutions, including hardware (WAN and full-duplex Gigabit Observer Suite), and local and remote Single Probes and Multi-Probes.
- Multi-interface probes: monitoring multiple NICs simultaneously and independently from one or multiple Observer consoles. Collaborative workflow speeds problem resolution and increases flexibility.
- VoIP Expert: included with the Expert package, makes determination of VoIP issues quick and simple. Playback of both audio and video streams.
- Application Analysis: monitors and analyzes dataflow at the application level to determine transactions, failures, and response times. Helps you prevent user complaints and pinpoint problems that have already been reported.
- Trending and Reporting: determine network baselines and usage patterns, track ongoing issues. Comparison reports let you immediately see changes in the network environment, and immediately determine if changes have improved or degraded the network. Provides excellent reports for use in budget justifications and business cases.
- 4GB Capture buffer: up to 4GB of physical, locked memory for capturing frames. Because this memory is not controlled by Windows and is therefore non-swappable, there is no fear of dropping frames while capturing due to Windows or other applications compromising the analyzer’s cache.
- Focused problem analysis: separates application delay from network delay, as well as LAN vs. WAN delay, letting you quickly and efficiently focus on the correct problem rather than chase red herrings.
- Connection Dynamics: timeline representation of conversation flow lets you easily pinpoint communication problems.

ELEXO - 20 Rue de Billancourt - 92100 Boulogne-Billancourt Telephone: 33 (0) 1 41 22 10 00 - Fax: 33 (0) 1 41 22 10 01 - E-mail: [email protected]

Getting Started with Observer Suite

In addition to the industry’s most complete and powerful capture and decoding technology, Observer Suite offers a number of different ways to look at and use the information collected on your wireless network:

- There are monitors (Wireless Vital Signs, Wireless Site Survey, plus general network bandwidth and error displays) found on the Statistics menu. Most of these displays include a number of different views in tabular and graph form.
- The unique Network Trending Mode (Trending and Analysis menu) lets you track statistical trends over long time periods, which is useful for understanding typical usage patterns on your network (both wired and wireless). Such information is essential for troubleshooting slowdowns and planning network upgrades.
- Triggers and Alarms let you set alarms that are triggered by network conditions or the presence or prevalence of particular packets sensed. You can be notified via email or page when an alarm has been triggered.
- Web Reporting lets you publish selected Trending information to secure web reports, letting you give password-protected access to them to anyone with a web browser.

Wireless Site Survey Mode

The site survey lets you scan for any and all WLAN traffic floating around at your site, and provides a convenient summary of all administratively significant statistics. When coupled with the Network Instruments Wireless Probe, it can see all 802.11 protocols (a, b, and g), and can be configured to scan all channels, selected channels, or just look at one channel. It shows any Access Points in the area, as well as link quality, encryption status, and other detailed information on a per-station basis.

The screenshots below show just two of the eight tabs of essential wireless station and AP data available in the Survey.


Wireless Vital Signs

This display provides a graphical view of all bandwidth usage and error activity, plotted against a spider web graph that shows data throughput observed on the WLAN:

Access Point Statistics

The AP Statistics display breaks down signal strength and quality along with other administratively interesting statistics by Access Point. This makes it easy to see an access point with a suspiciously low signal quality (has a new device been installed that interferes with the AP’s signal? Is there an interference-based denial-of-service attack underway?). You can sort by any column by clicking on the column heading. Right-clicking on any entry pops up a menu that lets you start a packet capture on that station and/or AP.


Triggers & Alarms

You can set custom triggers and alarms for just about any network condition you can think of. They can be set to log a message, or even send you an email or page. You can set an alarm on pre-configured conditions and filters (including attack and hack signatures), or write your own filter as a basis for an alarm.

Detecting Rogue Access Points

Observer lets you define a list of valid access points. If an AP not on this list is discovered sending packets, you can have Observer send you an email or page in addition to logging the security breach.

List of known Access Points:


MAC addresses of the legitimate APs on your network:

You can create a list of known APs to define what you want to happen when a rogue AP is discovered:

A high number of 802.11 disassociation requests can indicate a denial of service attack. It’s easy to configure an alarm triggered by the number or percentage of such packets found on your network within a given time window.

Figure the rate of disassociations necessary to trigger the alarm:

You can set the alarm to be triggered by a particular number of packets matching the filter, or by the number of matches as a percentage of total traffic. In addition, you can set the minimum level of network activity (the total packets seen in n seconds) that must be present before the filter will trigger. You can then re-define the Actions to be launched when the alarm is triggered.
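The two detections described above (a known-AP list that flags any other BSSID seen transmitting, and a disassociation alarm that fires on a count or a percentage of frames inside a time window, gated on a minimum level of activity) can be expressed in a few dozen lines. The following Python is an added illustration, not Observer's code; the frame records, MAC addresses and thresholds are constructed for the example, and a real deployment would feed frames in from a monitor-mode capture.

```python
"""Known-AP allowlist check and a disassociation-rate alarm over a sliding window.

Added example, not Observer's code. Frame records, MAC addresses and
thresholds are constructed; a deployment would feed frames from a capture.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds
    subtype: str    # e.g. "beacon", "data", "disassoc"
    bssid: str      # BSSID (AP MAC) the frame belongs to


# Allowlist of legitimate AP MACs (constructed values).
KNOWN_APS = frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"})


def find_rogue_aps(frames, known=KNOWN_APS):
    """Return the BSSIDs seen sending frames that are not on the allowlist."""
    return sorted({f.bssid for f in frames if f.bssid.lower() not in known})


class DisassocAlarm:
    """Fires when disassociation frames in the last `window_s` seconds reach
    `max_count` frames or `max_percent` of all frames in that window, but only
    once at least `min_total` frames were seen in the window (the
    minimum-activity gate that keeps a quiet network from alarming)."""

    def __init__(self, window_s, min_total, max_count=None, max_percent=None):
        if max_count is None and max_percent is None:
            raise ValueError("set max_count and/or max_percent")
        self.window_s = window_s
        self.min_total = min_total
        self.max_count = max_count
        self.max_percent = max_percent
        self._window = deque()   # (ts, is_disassoc) in arrival order
        self._disassoc = 0       # disassociation frames currently in the window

    def feed(self, frame):
        """Add one frame (in time order); return True if the alarm condition holds."""
        is_d = frame.subtype == "disassoc"
        self._window.append((frame.ts, is_d))
        self._disassoc += int(is_d)
        # Drop frames that have fallen out of the time window.
        while self._window and frame.ts - self._window[0][0] > self.window_s:
            _, old_d = self._window.popleft()
            self._disassoc -= int(old_d)
        total = len(self._window)
        if total < self.min_total:
            return False
        if self.max_count is not None and self._disassoc >= self.max_count:
            return True
        # Integer comparison avoids float rounding exactly at the threshold.
        if self.max_percent is not None and 100 * self._disassoc >= self.max_percent * total:
            return True
        return False


def first_alarm_time(frames, alarm):
    """Replay frames in time order; return the timestamp of the first alarm, or None."""
    for f in sorted(frames, key=lambda f: f.ts):
        if alarm.feed(f):
            return f.ts
    return None


# Constructed capture: steady data frames from a known AP, one beacon from an
# unknown AP, then a burst of disassociations starting at t=10.
SAMPLE = (
    [Frame(i * 0.5, "data", "00:11:22:aa:bb:01") for i in range(20)]
    + [Frame(3.0, "beacon", "de:ad:be:ef:00:01")]
    + [Frame(10.0 + i * 0.1, "disassoc", "00:11:22:aa:bb:01") for i in range(12)]
)

if __name__ == "__main__":
    print("rogue APs:", find_rogue_aps(SAMPLE))
    alarm = DisassocAlarm(window_s=5.0, min_total=10, max_count=10, max_percent=40)
    print("alarm first fired at t =", first_alarm_time(SAMPLE, alarm))
```

With a 5-second window, a minimum of 10 frames and a 40% threshold, the constructed burst trips the alarm at the sixth disassociation (t=10.5); raising the minimum-activity gate to 100 frames suppresses it entirely, which is the behaviour you want on a lightly used segment where a handful of frames would otherwise dominate the percentage.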


Capturing, Decoding, and Analyzing Packets

Packet Capture

This window shows how many packets Observer is sensing on your network and how many packets are being captured.

Packet Capture Window

Viewing the decoded packets

The Decode Window (shown in real-time)

Decodes are displayed in the industry standard 3-panel format:

- The packet header pane
- The decode pane
- The raw packet display pane

Among the over 500 protocols supported, the following is a partial list of Wireless LAN protocols decoded:

- EAP
- PEAP
- LEAP
- 802.1x (Port Based Authentication)
- TKIP
- RSN
- TLS
- TTLS
- RADIUS
- 802.11i


Wireless Expert

Expert Summary Display

More than 450 Expert Events, including many events that are wireless-specific. Here are just a few:

- Wireless Low Average Signal Strength & Quality: Is interference from other wireless devices (such as cordless phones) causing your wireless speed to drop or disappear? Knowing exactly when and where signal quality is dropping can give you a jump on troubleshooting range variabilities.
- Wireless WEP Not Used: Enforce corporate security policies by immediately finding out when unsecured access points have joined your wireless network.
- Wireless Ad-Hoc node using AP's SSID
- Wireless AP does not support high speed transmissions
- Wireless AP overloaded by stations
- Wireless AP system or firmware reset
- Wireless AP using default SSID
- Wireless AP with AES/CCMP
- Wireless AP with Broadcasted SSID
- Wireless AP with channel causing Mutual Interference
- Wireless AP with Open System Authentication
- Wireless AP with Shared Key Authentication
- Etc.
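Most of the wireless events listed above are configuration and posture checks that can be evaluated from the per-AP data a site survey already collects. The Python below is an added illustration of how such checks can be expressed over survey records; it is not Observer's implementation. The record fields, the list of default SSIDs, the simplified channel-overlap rule and the constructed AP and station entries are all assumptions made for the example.

```python
"""Wireless posture checks modelled on the Expert event names in the list above.

Added example, not Observer's implementation. The record fields, the
default-SSID list and the AP/station entries below are assumptions.
"""
from dataclasses import dataclass
from itertools import combinations

# Illustrative factory-default SSIDs; a real list would track your vendors.
DEFAULT_SSIDS = frozenset({"default", "linksys", "netgear", "dlink", "wireless"})


@dataclass(frozen=True)
class Node:
    bssid: str
    ssid: str
    mode: str            # "ap" (infrastructure) or "adhoc"
    encryption: str      # "none", "wep", "tkip" or "ccmp"
    auth: str            # "open" (Open System) or "shared" (Shared Key)
    ssid_broadcast: bool
    channel: int         # 2.4 GHz channel number


def channels_overlap(a, b):
    """Simplified 1/6/11 rule: 2.4 GHz channels fewer than 5 apart overlap."""
    return abs(a - b) < 5


def expert_events(nodes):
    """Return (event name, bssid) tuples for every check that fires."""
    events = []
    aps = [n for n in nodes if n.mode == "ap"]
    ap_ssids = {n.ssid for n in aps}
    for ap in aps:
        if ap.encryption == "none":
            events.append(("Wireless WEP Not Used", ap.bssid))
        if ap.encryption == "ccmp":
            events.append(("Wireless AP with AES/CCMP", ap.bssid))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            events.append(("Wireless AP using default SSID", ap.bssid))
        if ap.ssid_broadcast:
            events.append(("Wireless AP with Broadcasted SSID", ap.bssid))
        if ap.auth == "shared":
            events.append(("Wireless AP with Shared Key Authentication", ap.bssid))
        else:
            events.append(("Wireless AP with Open System Authentication", ap.bssid))
    # An ad-hoc node advertising an SSID that belongs to one of your APs.
    for n in nodes:
        if n.mode == "adhoc" and n.ssid in ap_ssids:
            events.append(("Wireless Ad-Hoc node using AP's SSID", n.bssid))
    # Pairs of APs on different but overlapping channels.
    for a, b in combinations(aps, 2):
        if a.channel != b.channel and channels_overlap(a.channel, b.channel):
            events.append(("Wireless AP with channel causing Mutual Interference",
                           f"{a.bssid},{b.bssid}"))
    return events


def events_for(nodes, bssid):
    """Event names raised for one BSSID (pair events count for both APs)."""
    return sorted({e for e, b in expert_events(nodes) if bssid in b.split(",")})


# Constructed survey: a well-configured corporate AP, a factory-default open AP,
# a WEP/shared-key guest AP, and an ad-hoc station reusing the corporate SSID.
SAMPLE_NODES = [
    Node("00:11:22:aa:bb:01", "corp-wlan", "ap", "ccmp", "open", False, 1),
    Node("00:11:22:aa:bb:02", "linksys", "ap", "none", "open", True, 6),
    Node("00:11:22:aa:bb:03", "guest", "ap", "wep", "shared", True, 3),
    Node("02:ad:0c:00:00:01", "corp-wlan", "adhoc", "none", "open", True, 11),
]

if __name__ == "__main__":
    for name, who in expert_events(SAMPLE_NODES):
        print(f"{name}: {who}")
```

Some of these events are informational rather than alarms (Open System Authentication, a broadcast SSID or AES/CCMP describe a normal WPA2 deployment), so in practice you would route only the policy-violating ones (no encryption, default SSID, an ad-hoc node borrowing your SSID) to email or page and keep the rest in the log.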


Distributed Single Probe and Multi-Probe Flexibility

NI-DNA (Network Instruments’ Distributed Network Analysis) architecture is scalable to the needs of any organization. For smaller wireless networks, a Single Probe license (which allows one console to view the Probe at a time) may be all you need. For larger networks with more administrative staff, you can purchase multiple Single Probe licences, or, for added flexibility, Multi-Probe licenses. Multi-Probes let you monitor multiple network interfaces on a single PC, or allow multiple consoles to view a local or remote Probe for off-site troubleshooting and collaborative analysis. You may optionally encrypt the data transfer between a Probe and console with triple DES, the Microsoft-endorsed standard for securing data. The following diagram shows how multiple interfaces can be installed in one Multi-Probe system and made available to multiple Observer consoles.

Advanced Multi-Probes offer the following remote monitoring benefits:

- Multi-Interface: simultaneous support for up to 64 network interfaces in one system
- Multi-Session: support for multiple Observers attached to an Advanced Multi-Probe. Allows multiple users to connect to and view data from a single NIC
- Security Level Logins: user-definable security levels for Probe access. Also configurable for administration, Network Trending, Probe configuration, packet capture, decode and more

Conclusion

Multiple networks, multiple technologies, multiple headaches: You don’t want to add complexity (and cost) to the equation by using multiple analysis tools. Observer’s wireless functionality gives you the essential tools you need to plan, deploy, troubleshoot, and maintain the security of your wireless network and your wired networks. No other solution covers so many technologies so comprehensively and cost effectively.
