Fortress Security System Secure Wireless Access Bridge User Guide www.fortresstech.
Fortress Bridge Fortress Secure Wireless Access Bridge 2.6.1 Copyright © 2006 Fortress Technologies, Inc. All rights reserved. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, without written permission of Fortress Technologies, 4023 Tampa Road, Suite 2000, Oldsmar, FL 34677, except as specified in the Product Warranty and License Terms. FORTRESS TECHNOLOGIES, INC.
Table of Contents

1 Introduction
Fortress Secure Wireless Access Bridge
Management Interfaces
Bridge GUI
Bridge CLI
Installation Instructions
Outdoor Installation
Connecting the Bridge for Preconfiguration
Preconfiguring the Bridge for Outdoor Operation
Weatherizing the Bridge
802.1X Server and LAN Port Settings
802.1X Authentication Server
LAN Port 802.1X Settings
Bridge Passwords
Security Settings
Trusted Devices
Adding Trusted Devices
Editing Trusted Devices
Deleting Trusted Devices
Visitor Access through Trusted Devices
Getting Help in the CLI
Command Syntax
Configuration in the Bridge CLI
LAN Settings in the CLI
Spanning Tree Protocol in the CLI
Secure Automatic Configuration
Preconfiguring a New Network Deployment with SAC
Connecting the Bridges for Preconfiguration
Automatically Preconfiguring Network Bridges
Reconfiguring Network Settings with SAC
Fortress Bridge: Introduction

Chapter 1 Introduction

1.1 Fortress Secure Wireless Access Bridge

The Fortress Secure Wireless Access Bridge is an all-in-one network access device with the most stringent security available today built in. It can serve as a wireless bridge, a WLAN access point, and an eight-port LAN switch, while performing all the functions of a Fortress controller device: encrypting wireless traffic and providing Multi-factor Authentication for devices on the network it protects.
1.1.1.2 Bridge CLI

The Bridge’s command-line interface provides administration and monitoring functions via a command line. It is accessed over the network via the Bridge’s IP address or through a terminal connected directly to the Bridge’s serial Console port.

1.1.1.3 SNMP

The Bridge supports versions 1 and 2 of the Simple Network Management Protocol (SNMP) Internet standard for network management.
3) User authentication requires the user of a connecting device to enter a recognized user name and valid credentials, a password, for example, or a digital certificate. The Fortress Security System can authenticate users locally or through existing user-authentication provisions. 1.3.
1.3.5 Deployment Options

The Fortress Security System is flexible and expandable. Figure 1.
The Bridge can provide a secure edge for WLAN (or infrastructure-mode) deployments, as shown in Figure 1.1.

1.4 This Document

This user guide assumes its users have a level of expertise consistent with a professional Network Administrator.

1.4.1 Document Conventions

This is a task-oriented document, and the procedures it contains are, wherever possible, self-contained and complete in themselves.
Fortress Wireless Access Bridge: Installation

Chapter 2 Installation

2.1 Introduction

The Fortress Secure Wireless Access Bridge is a full-featured Fortress controller device, providing strong data encryption and Multi-factor Authentication™, including native RADIUS authentication, to users and devices on the network it secures. The Bridge additionally comprises three independent network components that can be employed alone or simultaneously in any combination: Radio 1 is a tri-band 802.
2.1.2 Compatibility

The Fortress Bridge is fully compatible with Fortress Secure Client versions 2.4 and higher.

2.2 Preparation

2.2.1 Shipped and Optional Parts

Included in each Fortress Bridge shipment are:
• Fortress Secure Wireless Access Bridge, comprising:
  • one eight-port Ethernet LAN switch
  • one PoE Ethernet WAN port
  • two USB ports
  • one 802.11 a/b/g multi-mode radio
  • one 802.
2.2.2 Preparing the Network

Any Ethernet device—including hubs, switches and access points—directly connected to the Bridge must have autonegotiation capability (and have the feature enabled), or link and/or packet loss could result. Refer to a device’s documentation to configure its negotiation options.
General: This equipment must be installed by qualified service personnel according to the applicable installation codes. Do not locate the Bridge or antennas near power lines or power circuits. When installing an external antenna, take extreme care not to come into contact with such circuits as they can cause serious injury or death. Avoid metal ladders wherever possible.
PoE powered from a remote 802.11af (13 Watt) PoE midspan source.

Circuit Overloading: The Bridge includes a 48 V main resettable fuse specified at 1.8 A.

Lightning/Electrostatic Protection: The Bridge’s antenna ports conform to IEC1000-4-5 10 KV 8/20us waveform. The WAN port conforms to IEC-61000-4-2 8 KV waveform with 58 V additional transient protection.
2.3 Antennas must be installed to provide a separation of at least 20 cm (7.9") from all persons and any co-located antenna or transmitter.

Regarding use in specific environments:
• Do not operate near unshielded blasting caps or in an explosive environment.
• Limit use in a hazardous location to the constraints imposed by the location’s safety director.
2.4.1 Connecting the Bridge for Preconfiguration

1 Position the Bridge so that it operates only within its safe temperature range (14º–122º F/ –10º–50º C).
2 Connect a waterproof, standard 802.11a/b/g-capable antenna with an N-type male connector to antenna port 1 (ANT1).
3 Connect an antenna cable with an N-type male connector between antenna port 2 (ANT2) and a high-gain omnidirectional or directional antenna.
1 Open a browser application on a computer on your LAN and, in the browser address field, enter the Bridge’s default IP address: 192.168.254.254.
2 Log on to the Bridge GUI, entering admin as both User ID and Password and then clicking Login. (When prompted, agree to accept the security certificate.)
3 From the main menu on the left choose LAN SETTINGS, and on the LAN SETTINGS screen:
  • In Host name, enter a descriptive name for the Fortress Bridge.
5 From the main menu, select SECURITY SETTINGS, and on the SECURITY SETTINGS screen, in the CHANGE ACCESS ID section:
  • In Current Access ID enter 16 zeros or the word default.
  • In New Access ID enter the 16-digit hexadecimal Access ID to be used by the Bridge and its Secure Clients.
  • In the Confirm New Access ID field, re-enter the new Access ID to ensure against entry errors.
6 Click Apply.
8 If the Fortress Bridge is the root node in the point-to-point/multipoint deployment, skip this step.
or
If the Fortress Bridge is the non-root node in the point-to-point/multipoint deployment, choose RADIO SETTINGS from the main menu and, in the Bridge Mode setting for Radio 2, choose Non-Root, and click Apply.
13 After the Bridge reboots, change the CLI password (according to the instructions in Section 6.4.4.2) and configure unique SSIDs for the Bridge (according to the instructions in Section 3.3). If you want to use the received signal strength indicator (RSSI) to aim the antenna of a non-root Bridge, you may want to enable it now (refer to Section 3.3.2.7). 14 2.4.
Slide the compression nut, with the threaded opening facing toward the connector, over the connector and onto the cable. Slide the compression bushing over the connector and onto the cable. Slide the threaded coupler, with the flanged end facing toward the compression nut and bushing, over the connector and onto the cable.
2.4.4 Mast Mounting the Bridge

The Mast-Mounting Kit accommodates masts from 1.5" to 3" in diameter.

To install the Mast-Mounting Kit:
1 Position the Bridge at the desired position on the mast, with the Bridge’s underside facing toward the mast and the front panel facing down, as shown in Figure 2.4.
2 Sandwich the mast between the underside of the Bridge and the mounting bracket, fitting the mast into the bracket’s toothed cut-outs.
omnidirectional or directional antenna. The antenna and cable must be waterproof.
4 Connect the Bridge's WAN port to an external 802.

NOTE: Third-party antennas are subject to local regulatory requirements. For outdoor installations, they must be waterproof.

2.5 Indoor Installation
1 Position the Bridge so that it operates only within its safe temperature range (14º–122º F/ –10º–50º C).
2 Connect a standard 802.11a/b/g-capable antenna with an N-type male connector to antenna port 1 (ANT1).
3 Connect an antenna cable with an N-type male connector between antenna port 2 (ANT2) and a high-gain omnidirectional or directional antenna.
Fortress Bridge: Configuration

Chapter 3 Configuration

3.1 The Bridge GUI

The Fortress Wireless Access Bridge’s graphical user interface provides access to Bridge administrative functions. Access Bridge GUI help screens by clicking Help, the last link on the main menu.

3.1.1 User Accounts

There are two user accounts on the Bridge GUI, and the predetermined names associated with them are not user-configurable. 3.1.
The Bridge GUI opens on the Welcome screen. Configuration settings are accessed through the main menu links on the left of the screen.

3.1.3 Logging Off

To log off the Bridge GUI, click Logout (below the main menu). If you simply close the browser you have used to access the Bridge GUI, you will automatically be logged off. (If you are using Firefox’s tabbed browsing, you will only be logged off when you close the active browser instance completely.
3.2.1 Spanning Tree Protocol

STP is a link management protocol that prevents bridging loops on the network while providing path redundancy. You should enable it only in deployments in which multiple OSI layer 2 paths to the same device(s)—i.e., bridging loops—are possible. Bridging loops can occur on a WLAN only when multiple APs share the same ESS (extended service set).

NOTE: STP requires multicasting capability.
To reconfigure Bridge LAN settings:
1 Log on to the Bridge GUI admin account and select LAN SETTINGS from the menu on the left.
2 On the LAN SETTINGS screen, make your changes to the relevant field(s).
Radio 1 is the tri-band 802.11a/b/g radio, which can be configured as an 802.11g or an 802.11a radio. Radio 2 always functions as an 802.11a radio. RADIO SETTINGS fields are described in sections 3.3.1 and 3.3.2. Section 3.3.3 provides step-by-step instructions to change them.

NOTE: 802.11b devices are fully compatible with the 802.11g radio.

3.3.1
Non-Root - Radios in Non-Root mode do initiate connections with other Fortress Bridges—either directly with a root Bridge or with other non-root Bridges (as well as receiving connections from other non-root Bridges and wireless devices). Typically, one Bridge serves as the root node (or root Bridge) and any other Bridges in the deployment are configured as non-root nodes.
3.3.2.3 Distance

The Distance setting configures the maximum distance—from 1 to 35 miles, in increments of 1 mile—for which the radio must adjust for the propagation delay of its transmissions. Figure 3.1.
3.3.2.5 Beacon Interval

The Bridge’s radios transmit beacons at regular intervals to announce their presence on the network. You can configure the number of milliseconds between beacons in whole numbers between 25 and 1000. You cannot disable the beacon. The default beacon interval is 100 milliseconds.

3.3.2.6 Multicasting

Wireless is an inherently broadcast medium.
Enabled on the LAN SETTINGS screen. If you disable STP on a non-root Bridge, the Multicast field for the radio with a Radio Mode setting of Bridge and a Bridge Mode setting of Non-Root will be configurable. Refer to Section 3.2.1 for more information on STP. 3.3.2.
unconfigured VAPs for radios in AP radio mode on the VIRTUAL ACCESS POINTS display frame on the INTERFACES screen. You can view the settings that assign SSIDs (and associated settings) for the radio’s VAPs in the VIRTUAL ACCESS POINTS frame on the INTERFACES screen. The Edit button for each VAP provides access to the fields that configure these settings. Sections 3.3.4.1 through 3.3.4.
Radio 1 is preconfigured with a default SSID of Base-11g; the default SSID for Radio 2 is Base-11a.

3.3.4.2 Hide SSID and Accept G Only Options

To the right of the SSID field are two options that you can enable through their checkboxes:
• Hide SSID - Enabling this option deletes the SSID string from the packet headers of beacon and probe responses. It is disabled by default.
• Accept G Only - Enabling this option prevents 802.
The security protocol(s) employed by the Bridge’s virtual access point are configured per VAP. Your selection in the Security Suite field of the VIRTUAL ACCESS POINT SETTINGS frame determines which fields are configurable (and which are grayed-out) in the SECURITY SUITE SETTINGS frame (in the lower half of the same screen), as described below.

Cleartext Security

Selecting Cleartext as a VAP’s Security Suite essentially turns off security measures for that VAP.
• WEP Key Type - WEP keys can be composed of an ASCII (plaintext) passphrase or hexadecimal string. Hex is the default.
• WEP Keys 1–4 - You must manually enter at least one static key to be used in Open WEP and Shared WEP transactions, within the specifications you set in the two fields above, which determine the usable key lengths for these fields.

Table 3.2.
WPA and WPA2 generate encryption keys dynamically and exchange keys automatically with connected devices at user-specified intervals. This interval is the only additional setting required for WPA security. Specify the interval in seconds in the WPA Rekey Period field. Whole numbers between 0 and 99999, inclusive, are allowed. A value of 0 (zero) disables the rekeying function; the keys used by connecting devices will remain unchanged for the duration of their sessions.
3.4 802.1X Server and LAN Port Settings

The Fortress Bridge can be used with an external 802.1X authentication server and its internal switch ports can be individually configured to allow or block 802.1X traffic. The Fortress Bridge supports non-802.1X authentication through a separate and unrelated set of configuration settings. The global settings for non-802.1X authentication are described in Section 3.6.6. Individual non-802.
2 In the 802.1X AUTHENTICATION SERVER frame:
  • In Server Address, enter the IP address of the network 802.1X authentication server (the default is 127.0.0.1).
  • In Server Port, enter the port used by the server for 802.1X requests (the default is 1812).
  • In Auth Server Key, enter the shared key assigned to the Bridge in the 802.1X service. (The default is fortress.)
  • In Confirm Server Key, re-enter the shared key (to guard against entry errors).
The viewable, default security settings are shown below.

3.6.1 Operating Mode

The Fortress Bridge can be operated in either of two modes: Normal (the default) or FIPS. FIPS operating mode is necessary for deployments and applications that are required to comply with the Federal Information Processing Standards (FIPS) for cryptographic modules.
If the Bridge fails any self-test on startup, it is rendered inoperable and must be returned to the vendor for repair or replacement. Only a designated Crypto Officer, as defined by the Federal Information Processing Standards, may perform administrative functions on the Bridge and its Secure Clients.

To change the Bridge operating mode:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
Bridge. For information on setting encryption algorithms on Secure Clients, refer to your Fortress Secure Client user guide.

To change the Bridge encryption algorithm:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
2 On the CRYPTO ALGORITHM section of the SECURITY SETTINGS screen, select the AES key length to be used to encrypt network data.
3 Click Apply at the bottom of the screen.

3.6.
on Secure Clients, refer to your Fortress Secure Client user guide.

To change the Bridge’s Access ID:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
2 In the CHANGE ACCESS ID frame of the SECURITY SETTINGS screen:
  • Enter the Current Access ID.
  • Enter a 16-digit hexadecimal number to serve as the New Access ID.
  • Re-enter the new Access ID in Confirm New Access ID.
3 3.6.
selected and, in the case of device authentication, when it has been globally enabled in the AUTHENTICATION SETTINGS frame of the SECURITY SETTINGS screen. These screens are described in Section 4.1 (Device Authentication) and Section 4.2 (User Authentication), in the next chapter.

3.6.6.1 Enabling/Disabling Authentication Globally

The Fortress Bridge has an internal RADIUS server built-in. The Bridge additionally supports an external RADIUS server.
The default Auth Server Key is fortress, which you can optionally change. Selecting Local authentication enables the screens and fields that configure local authentication settings for both users and devices.

3.6.6.3 External Authentication Server

The Bridge can be integrated with an external Remote Authentication Dial-In User Service (RADIUS). It supports the open source freeRADIUS.
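
Added example (not part of the Fortress guide or of Fortress software): a Python check that flags the factory defaults this guide names (Password admin, an Access ID of 16 zeros or the word default, Auth Server Key fortress, SSIDs Base-11g and Base-11a), along with Cleartext or WEP VAPs and a WPA Rekey Period of 0. The settings dictionary layout, its key names and both sample configurations are assumptions constructed for illustration; the guide does not describe such an export format.

```python
import re

# Factory defaults named in this guide; everything else here is illustrative.
DEFAULT_ADMIN_PASSWORD = "admin"
DEFAULT_ACCESS_IDS = {"0" * 16, "default"}
DEFAULT_AUTH_SERVER_KEY = "fortress"
DEFAULT_SSIDS = {"Base-11g", "Base-11a"}

ACCESS_ID_RE = re.compile(r"[0-9A-Fa-f]{16}")  # 16-digit hexadecimal
WEP_SUITES = {"Open WEP", "Shared WEP"}
WPA_SUITES = {"WPA", "WPA2"}


def audit_bridge_settings(settings):
    """Return (field, problem) tuples for a hypothetical settings dictionary.

    An empty list means none of the checks below fired.
    """
    findings = []

    if settings.get("admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append(("admin_password", "default GUI password still in use"))

    access_id = str(settings.get("access_id") or "")
    if access_id.lower() in DEFAULT_ACCESS_IDS:
        findings.append(("access_id", "default Access ID still in use"))
    elif not ACCESS_ID_RE.fullmatch(access_id):
        findings.append(("access_id", "not a 16-digit hexadecimal value"))

    if settings.get("auth_server_key") == DEFAULT_AUTH_SERVER_KEY:
        findings.append(("auth_server_key", "default Auth Server Key still in use"))

    for index, vap in enumerate(settings.get("vaps", [])):
        where = f"vaps[{index}]"
        if vap.get("ssid") in DEFAULT_SSIDS:
            findings.append((f"{where}.ssid", "default SSID still in use"))

        suite = vap.get("security_suite")
        if suite == "Cleartext":
            findings.append((f"{where}.security_suite", "VAP security is turned off"))
        elif suite in WEP_SUITES:
            findings.append((f"{where}.security_suite", "static WEP keys in use"))
        elif suite in WPA_SUITES:
            rekey = vap.get("wpa_rekey_period")
            valid = isinstance(rekey, int) and not isinstance(rekey, bool)
            if not valid or not 0 <= rekey <= 99999:
                findings.append((f"{where}.wpa_rekey_period", "outside 0-99999 seconds"))
            elif rekey == 0:
                findings.append((f"{where}.wpa_rekey_period", "rekeying disabled"))
    return findings


# Constructed sample: a unit still carrying the defaults listed in the guide.
# The security suites chosen for its VAPs are illustrative, not stated defaults.
UNCONFIGURED_SAMPLE = {
    "admin_password": "admin",
    "access_id": "0000000000000000",
    "auth_server_key": "fortress",
    "vaps": [
        {"ssid": "Base-11g", "security_suite": "Cleartext"},
        {"ssid": "Base-11a", "security_suite": "WPA", "wpa_rekey_period": 0},
    ],
}

# Constructed sample: every value below is made up for the example.
HARDENED_SAMPLE = {
    "admin_password": "constructed-example-passphrase",
    "access_id": "3FA94C01D27B8E65",
    "auth_server_key": "constructed-shared-secret",
    "vaps": [
        {"ssid": "plant-floor-a", "security_suite": "WPA2", "wpa_rekey_period": 3600},
    ],
}

if __name__ == "__main__":
    for name, sample in (("unconfigured", UNCONFIGURED_SAMPLE),
                         ("hardened", HARDENED_SAMPLE)):
        print(name)
        for field, problem in audit_bridge_settings(sample) or [("-", "no findings")]:
            print(f"  {field}: {problem}")
```
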
3.6.6.4 Enabling/Disabling Device Authentication

On a Fortress Bridge configured for Local authentication, the settings in the AUTHENTICATION OPTIONS section of the AUTHENTICATION SETTINGS frame globally enable/disable device authentication, according to whether device authentication is included in the selection you make.

To enable/disable device authentication:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
To configure maximum authentication attempts:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
2 In the AUTHENTICATION SETTINGS frame, in the Auth Mode field, ensure that Local authentication is enabled.
3 Under AUTHENTICATION OPTIONS, in the Max Auth Retries field, enter a whole number between 1 and 255.
4 Click Apply at the bottom of the screen.
To enable/disable user session timeout login prompts:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
2 In the AUTHENTICATION SETTINGS frame:
  Check the box for Restart Session Login Prompt to enable user session timeout prompts (the default).
  or
  Clear the checkbox for Restart Session Login Prompt to disable user session timeout prompts.
3 Click Apply at the bottom of the screen.

3.6.6.
To configure the default user authentication and device state for authenticating devices:
1 Log on to the Bridge GUI admin account and select SECURITY SETTINGS from the menu on the left.
2 In the AUTHENTICATION SETTINGS frame, in Auth Mode, ensure that Local authentication is enabled and that Device Auth is selected under AUTHENTICATION OPTIONS (refer to sections 3.6.6.1 and 3.6.6.4, respectively).
To enable/disable blackout mode:
1 Log on to the Bridge GUI admin account and select SYSTEM OPTIONS from the menu on the left.
2 Under BLACKOUT MODE, in the Status field choose to Enable BLACKOUT MODE (turn the LEDs off) or Disable BLACKOUT MODE (turn the LEDs on).
3 Click OK in the BLACKOUT MODE frame.

You can also enable/disable blackout mode through the Bridge’s front-panel switches (refer to Section 3.10.1.2).
3.10 Front-Panel Operation

The Fortress Bridge front panel is equipped with three recessed buttons: two switches (labeled SW1 and SW2) and a Reset button.

3.10.1 Mode Selection from the Front Panel

The front-panel switches can be used to select the Bridge Mode of the Bridge’s internal Radio 2 as well as to turn the Bridge’s front-panel LEDs off and on (enable/disable blackout mode). Each of these Bridge settings has only two possible values.
indicated by the Stat2 LED, which flashes rapidly (green) when the new mode is selected. If you accidentally cycle past the Bridge Mode setting, continue pushing SW2 until Stat2 again begins flashing.
3 When Stat2 is flashing, press SW1 and hold it down for two seconds to save the new Bridge Mode setting. The Stat1 and Stat2 LEDs will stop flashing and light solid green to indicate that you have successfully changed Radio 2’s Bridge Mode.
3.10.2 Rebooting the Bridge from the Front Panel

To reboot the Fortress Bridge from the front panel:
1 Press and hold the Reset button for one second, until the Stat1 LED exhibits a slow green flash to indicate that the Bridge is rebooting.
2 Release the button. After the Bridge reboots, the Stat1 LED will again light solid green.

NOTE: There are no LED indications in a Bridge in blackout mode (refer to Section 3.7).
Fortress Bridge: Administration

Chapter 4 Administration

4.1 Device Authentication

Device authentication is supported only for Local authentication. (When External authentication is selected, the settings that configure device authentication are grayed out to reflect your selection.) On a Fortress-secured network with device authentication enabled, a unique Device ID is generated for each device connecting from an encrypted zone.
authenticate on the network. (Refer to Section 3.6.6.5 for detailed instructions.) If a device exceeds the maximum allowable retry attempts to connect to the Bridge-secured network, that device will be locked out until the device’s State is set to Allow. Such a device is locked out on every Bridge in a point-to-multipoint network, and you must change the device’s State setting on every Bridge that handles traffic from the device. 4.1.
Access user-configurable settings for an authenticating device by clicking its Edit button under AUTHORIZED DEVICES (Section 4.1.2.1). Configurable settings include:
• Device Name - accepts up to 64 alphanumeric characters by which you can identify the device.
2 On the DEVICE AUTHENTICATION screen, click the Edit button of the device for which you want to change settings.
3 In the EDIT DEVICE frame (above the device list) where the device’s current settings are displayed, enter new values into the relevant fields (described in Section 4.1.2). Click Update to save the edited settings (or Cancel your changes).
4 The device’s entry in AUTHORIZED DEVICES reflects your changes.
on the AUTHENTICATION SETTINGS frame of the SECURITY SETTINGS screen. On a Fortress Bridge-secured network, user authentication can be used by itself or combined with device authentication. The options that determine whether device authentication is enabled are also configured globally, in the AUTHENTICATION SETTINGS frame of the SECURITY SETTINGS screen. 4.2.
• Session Timeout - sets the amount of time the user’s device can be present on the network before the current session is ended and he/she must log back in to re-establish the connection. Session Timeout is set in minutes, between 0 and 9999. A value of zero disables session timeout for that user (her device can be present on the network indefinitely without timing out).
2 On the USER AUTHENTICATION screen, click the Edit button of the user for which you want to change settings.
3 In the EDIT USER frame (above USER ACCOUNTS) where the account’s current settings are displayed, enter new values into the relevant fields (described in Section 4.2.2). Click Update to save the edited settings (or Cancel your changes).
4 The user’s entry in USER ACCOUNTS reflects your changes.

4.2.2.
4.3 Trusted Devices

Some wireless devices—IP phones, digital scales or printers, and APs, for example—are not equipped to run additional software such as the Fortress Secure Client. In order to allow such a device access to the encrypted zone, the Fortress Bridge must be configured to identify it as a Trusted Device—to which the narrowest possible access rules should be applied. All traffic to and from Trusted Devices is sent in the clear (unencrypted).
The section of the frame under MANAGED TRUSTED DEVICES shows the Trusted Device you added, with the settings you specified.

4.3.1 Editing Trusted Devices

You can edit the IP and MAC addresses of an existing Trusted Device and change its port settings, but you cannot change its TD Identifier.

To edit a Trusted Device:
1 Log on to the Bridge GUI admin account and choose TRUSTED DEVICES from the menu on the left.
4.3.2 Deleting Trusted Devices

You can delete Trusted Devices one at a time, or by selecting multiple devices for deletion.

1 Log on to the Bridge GUI admin account and choose TRUSTED DEVICES from the menu on the left.
2 On the TRUSTED DEVICES screen, in the MANAGED TRUSTED DEVICES frame, check the box(es) beside the Trusted Device(s) you wish to delete and click Delete at the bottom of the frame.
4.4.1 Configuring SNMP

1 Log on to the Bridge GUI admin account and choose SNMP SETTINGS from the menu on the left.
2 In the SNMP OPTIONS frame, enter valid values into the relevant fields (described above).
3 Click Apply.

4.5 Backing Up and Restoring

The backup function of the Bridge creates and downloads a configuration file that can be used to restore those Bridge settings it saves. You can create multiple backup files under pathnames of your choosing. Table 4.
Table 4.1. User Configured Settings Backed Up for the Bridge

function: network
  setting: STP enable/disable
  setting: WAN port encrypted/unencrypted
function: radios
  setting: radio state enable/disable
  setting: radio band (Radio 1) 802.11g/802.11a
  setting: radio mode AP/Bridge
  setting: channel
  setting: transmit power
  setting: distance
  setting: preamble
  setting: beacon interval
  setting: multicasting enable/disable
  setting: LED RSSI monitor enable/disable
  setting: VAP SSIDs and related settings
  setting: any created Wireless Extension Tools scripts
function: 802.1X authentication
  setting: 802.
4.5.1 Backing Up the Bridge Configuration

1 Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS from the menu on the left.
2 On the SYSTEM OPTIONS screen under BACKUP SYSTEM SETTINGS, click Next.
3 On the resulting screen:
  • Optionally enter a Password to protect the backup file.
  • Click Backup (or Cancel the operation).
4 On the system dialog, choose to save the file to disk. The file is named settings.fti by default.
4.6 Software Versions and Upgrades

Fortress Technologies regularly releases updated versions of the Bridge software that add new features, improve functionality and/or fix known bugs. Upgrade files may be shipped to you on CD-ROM or, more often, made available for download from your account on the Fortress Technologies website:

www.fortresstech.com/support/products_updates.asp

The Fortress Bridge is compatible with Fortress Secure Client versions 2.4 and higher.
Click Apply (or Cancel the operation).
4 Click OK on the system confirmation dialog. The frame displays Uploading file... (with crawling dots to indicate system activity), then changes to the Performing upgrade... status display, which presents a series of progress messages. When the process completes, the frame displays [DONE], and a system dialog prompts you to reboot the Bridge.
5 Click OK on the system prompt. Follow the instructions in Section 4.7, below.
4.7 Rebooting the Bridge

The reboot option power cycles the Bridge, ending all sessions and forcing Secure Client devices (and any other Fortress Bridges) in communication with the Bridge to re-key in order to start a new session.

1 Log on to the Bridge GUI admin account and choose SYSTEM OPTIONS from the menu on the left.
2 On the SYSTEM OPTIONS screen under REBOOT SYSTEM, click OK.
3 On the resulting system dialog, click OK again (or Cancel the reboot).
Chapter 5 Monitoring and Diagnostics

5.1 Statistics

The statistics screen displays statistics for overall encrypted-zone traffic, each of the Bridge’s logical interfaces (including physical Ethernet ports and all configured virtual radio interfaces), as well as for each of the Bridge’s internal radios.
5.1.1 Traffic Statistics

The packets that the Fortress Bridge has transmitted to and received from the encrypted zone since cryptographic processing was last started are shown in the STATISTICS frame:

5.1.
BYTES - the total number of bytes received/transmitted on the interface
PACKETS - the total number of packets received/transmitted on the interface
ERRORS - the total number of receive/transmit errors reported on the interface

5.1.3 Radio Statistics

RADIO 1 is the tri-band, 802.11a/b/g radio and RADIO 2 is the higher-gain 802.11a radio.
Idle Since - the number of hours, minutes and seconds since the device was last active on the network.
Table 5.1.
Channel - identifies the channel, by number, over which the Bridge and the associated device are communicating, as selected for the radio being used (Section 3.3.2.1).
Rate - provides a dynamic measurement of the data rate of the connection to the associated device, in megabits per second.
• when Secure Clients contact and negotiate keys with the Fortress Bridge
• system configuration changes
• when cryptographic processing is restarted
• system and communication errors

The log is allocated 500 Kbytes of memory and can contain a maximum of approximately 16,000 log messages (approximate because record sizes vary somewhat). When the log is full, the oldest records are overwritten as new messages are added to the log.
5.5 Diagnostics

Access Fortress Bridge diagnostic utilities by logging into the Bridge GUI admin account and selecting DIAGNOSTICS from the menu on the left. The DIAGNOSTICS screen displays:

• The version and build number of the firmware currently running on the Fortress Bridge, under SOFTWARE VERSION.

NOTE: Radio 1 uses antenna port 1 (ANT1); Radio 2 uses antenna port 2 (ANT2).

5.5.1
5.5.3 Flushing the Host MAC Database

The Fortress Bridge maintains a database of the MAC addresses of devices in the unencrypted zone. You can flush the HOST MAC DATABASE:

1 Log on to the Bridge GUI admin account and choose DIAGNOSTICS from the menu on the left.
2 At the bottom of the DIAGNOSTICS screen, click the FLUSH HOST MAC DATABASE button.
3 Click OK on the confirmation system dialog. The Bridge resets all connections to the unencrypted zone.

5.5.4
5.
can exhibit:
solid green - The Bridge is operating in root mode.
off - The Bridge is operating in non-root mode.

Clr can exhibit:
fast green flash - The Bridge is passing cleartext (unencrypted data) in the encrypted zone.

Fail can exhibit:
off - The Fail LED does not apply to version 2.6.x of the Fortress Bridge software. It is reserved for future support for failover Bridge deployments.
Both upper and lower LEDs can exhibit:
off - The associated radio is disabled (in the Bridge GUI or CLI).

All four Radio LEDs can exhibit:
solid amber - A firmware error has occurred.
off - Both radios are disabled (in the Bridge GUI or CLI).

5.6.3 Port LEDs

The Fortress Bridge’s Ethernet ports—including those for the LAN switch, numbered 1 through 8, and for the WAN port—are each equipped with two LEDs.
Chapter 6 Command-Line Interface

6.1 Introduction

The Fortress Bridge CLI provides commands for managing the Fortress Bridge and the network it secures. You can access it through a direct connection to the Bridge’s serial console port or, using Secure Shell (SSH), from any computer with access to the Bridge—i.e., any computer in the Bridge’s unencrypted zone or a computer running the Fortress Secure Client.
6.1.1 CLI Administrative Modes

There are two administrative modes in the Bridge CLI. When you first access the CLI you are, by default, in Gateway mode, indicated by the command prompt: [GW]>. In Gateway mode, you can manage the Bridge’s Fortress controller device functions, including basic administration and security settings.
    WSG login: sysadm
    Password:
    Fortress Wireless Security Gateway
    [GW]>

The login ID, sysadm, cannot be changed. If you are changing the CLI password for the first time as part of an installation procedure (Chapter 2), use the default password, sysadm.

NOTE: The default CLI password is sysadm. Passwords should never be left at their defaults.
Note that only those options available in the current administrative mode are displayed and that valid command options differ significantly between modes.

    [AP]> show
    Description: Displays Access Point information, configuration
    Usage: show [args]. Possible args:
    associations
    radio
    radius
    ?|help

Several of the commands that change Bridge configuration settings can be run interactively.
6.4
6.4.1

Switch refers to the identifier, preceded by a dash (hyphen), for the argument to follow (ex., -ip, -n, etc.). Switches allow permissible arguments to be entered in any combination and order.

Angle brackets: indicate variable, user-supplied inputs (parameters and variable arguments), which are also italicized (ex., , ).
The CLI displays the configurable fields for set network one at a time. Enter a new value for the field—or leave the field blank and the setting unchanged—and strike Enter↵, to display the next field. The final reboot query displays only when you have entered a value into at least one of the fields presented. Entering the 0 (zero) argument for the DefaultGateway option deletes the default gateway from the Bridge’s network configuration.
    [AP]> show radio
    [RADIO 1]
    Radio State:      On
    Radio Band:       802.11g
    Radio Mode:       AP
    Channel:          1
    Tx Power:         Auto
    Distance:         1
    Beacon Interval:  100
    Preamble:         Short
    Multicast:        On
    RSSI Monitor:     Off
    [RADIO 2]
    State:            On
    Radio Band:       802.11a
    Radio Mode:       Bridge
    Bridge Mode:      Root
    Channel:          149
    Tx Power:         Auto
    Distance:         1
    Beacon Interval:  100
    Multicast:        On
    RSSI Monitor:     Off

RADIO 1 identifies the 802.
    [AP]> set radio 1
    Radio state [on|off] (on):
    Radio band [802.11g|802.11a] (802.11g): 802.11a
    [OK]
    Reboot is required when changing radio band
    Radio Mode [ap|bridge|ids] (ap): bridge
    [OK]
    Bridge Mode [root|nonroot] (nonroot): nonroot
    Radio is in nonroot mode...cannot set channel
    Transmit Power [auto|1-18] (auto):
    Distance in miles [1-35] (1): 3
    [OK]
    Beacon interval (ms) [25..
The sample output for the show radio command (at the beginning of this section) shows the default radio settings. As shown in the example interactive set radio output, reconfiguring radio settings requires that you reboot the Bridge in order to effect your changes.

The show radio and set radio commands are valid only in AP (access point) mode (refer to Section 6.1.1 for more detail).

6.4.3.
By default a single virtual access point (vap 1) is configured for each radio. The SSIDs associated with these two primary VAPs should never be left at their defaults (shown above). SSID strings can be up to 32 characters long. Configure VAP settings interactively by entering the set command with just the vap argument, where N is the VAP number.
    [VAP]> set vap {1|2|3|4} [-ssid |.] [-dtim 1-255] [-hidessid on|off] [-rts 1–2345|off] [-frag 256–2345|off] [-only11g on|off] [-suite fortress|clear|open-wep|shared-wep|8021x|wpa|wpa-psk|wpa2|wpa2-psk|wpa-mixed|wpa-mixed-psk] [-wepkeytype hex|passphrase] [-wepkeysize 40|104] [-wepkey1 ] [-wepkey2 ] [-wepkey3 ] [-wepkey4 ] [-weptxkey 1–4] [-keytype hex|passphrase] [-rekeyperiod ] [-passphrase ] [-hex ]

In the dot (.
6.4.4.1 Changing Bridge GUI Passwords in the CLI

Which GUI password is set depends upon the username argument: admin sets the administrator password, operator, the view-only password. Use the set passwd command, as follows:

    [GW]> set passwd web {admin|operator}
    Enter Current Password:
    Enter New Password:
    Re-enter New Password:

The default Bridge GUI admin password is admin. The default operator password is operator.
View the encryption algorithm (and the re-keying interval) in effect on the Bridge with show crypto:

    [GW]> show crypto
    CryptoEngine:AES256
    ReKeyInterval:4

The show crypto command is valid only in GW (gateway) mode (refer to Section 6.1.1 for more detail).

The encryption algorithm that the Fortress Bridge and its Clients will use is set with set crypto, as follows:

    [GW]> set crypto [-e aes128|aes192|aes256]

The default encryption algorithm is AES256.
6.4.5.4 Access ID in the CLI

The Access ID is a 16-digit hexadecimal ID that provides network authentication for the Fortress Security System. All of the Bridge’s Secure Clients must be configured to use the same Access ID as the Bridge. For information on setting encryption algorithms on Secure Clients, refer to your Fortress Secure Client user guide.
6.4.5.7 SSH Access to the CLI

Secure Shell (SSH) is disabled on the Fortress Bridge by default. You can view the current SSH setting with show ssh:

    [GW]> show ssh
    Off

To enable SSH, log on to the CLI (via a direct connection to the Bridge’s Console port, as described in Section 6.1.2) and enter:

CAUTION: If you want to be able to access the Bridge CLI after outdoor installation, you must enable SSH (secure shell) during pre-configuration of the Bridge.
6.4.
Configure the Bridge interactively to authenticate users through an external RADIUS server with set auth, as follows:

    [GW]> set auth external
    IPserver:123.45.67.89
    [OK] set Server IP
    AuthKey:s3cr4ts5r6v7rk8y
    [OK] set Authentication Key

The default RADIUS shared key is fortress. The RADIUS shared key can also be set non-interactively with:

    [GW]> set auth -key

The -key switch does not apply to internal (local) user authentication settings.
6.4.9 802.1X Authentication Settings in the CLI

6.4.9.1 802.1X Authentication Server Settings

Support for 802.1X authentication on the Fortress Bridge, whether for wired or wireless devices, requires the use of an external 802.1X authentication service. Those WPA and WPA2 Security Suite settings that do not use PSK (pre-shared key mode) also require the use of an 802.1X authentication server.
In GW mode, use the show command with the 8021X argument to view the server settings:

    [GW]> show 8021X
    Lan1:off
    Lan2:off
    Lan3:off
    Lan4:off
    Lan5:off
    Lan6:off
    Lan7:off
    Lan8:off
    AuthServer:127.0.0.1
    AuthPort:1812

The last two lines of output display the current 802.1X server settings. The LAN port settings shown are described in the next section (6.4.9.2).

In GW mode, use the set command with just the 8021X argument to configure the 802.1X server interactively.
6.4.9.2 Internal LAN Switch Port 802.1X Settings

You can individually configure each of the ports of the Bridge’s internal LAN switch to require that a connected device is an 802.1X supplicant successfully authenticated by the 802.1X authentication server configured for the Bridge (Section 6.4.9). View current LAN port settings with the show command:

    [GW]> show 8021X
    Lan1:off
    Lan2:off
    Lan3:off
    Lan4:off
    Lan5:off
    Lan6:off
    Lan7:off
    Lan8:off
    AuthServer:127.0.0.
The commands that configure and delete Trusted Devices are valid only in GW (gateway) mode (refer to Section 6.1.1 for more detail).

6.5.1.1 Adding Trusted Devices in the CLI

Add Trusted Devices with the add td command, as follows:

    [GW]> add td {-n } {-ip } {-m } {-p any|}

NOTE: Trusted Devices must be assigned static IP addresses.
    [GW]> set snmp -c <contact> -l <locationName> -ro <roCmntyName> -rw <rwCmntyName>
    Set Contact:OK
    Set Location:OK
    Set RO Community:OK
    Set RW Community:OK

in which contact is the e-mail address to which SNMP event notifications will be sent, locationName identifies the Fortress Bridge, roCmntyName identifies the SNMP read-only community, and rwCmntyName identifies the SNMP read-write community.
    [GW]> show device
    Hostname:Fswab
    DeviceID:4389C1B376B1AFDD
    CryptoEngine:AES256
    IP(Private):172.24.1.27
    Ssh:Off
    Gui:On
    Auth:Off
    Fips:On

The show device command is valid only in GW (gateway) mode (refer to Section 6.1.1 for more detail).

6.6.
Hosts (labeled Client) are numbered in the order they were added to the database, following the Bridge’s internal interfaces, and are listed by their MAC addresses. Below the list, a count of the entries in the database is given.
6.6.7 Pinging a Device

You can ping devices from the Bridge’s CLI. The Bridge pings three times and then displays the ping statistics.

    [GW]> ping 123.45.6.78
    PING 123.45.6.78 (123.45.6.78) from 123.45.6.89 : 56(84) bytes of data.
    64 bytes from 123.45.6.78: icmp_seq=1 ttl=128 time=18.3 ms
    64 bytes from 123.45.6.78: icmp_seq=2 ttl=128 time=23.0 ms
    64 bytes from 123.45.6.78: icmp_seq=3 ttl=128 time=23.0 ms
    --- 123.45.6.
    [AP]> wlan wlanconfig -h
    usage: wlanconfig wlanX create wlandev wifiX wlanmode [sta|adhoc|ap|monitor] [bssid | -bssid] [nosbeacon]
    usage: wlanconfig wlanX destroy

6.7.1 Creating a Wireless Extension Tools Script

Configuration changes made with the iwconfig and iwpriv WLAN Wireless Extension Tools are held in dynamic memory and do not persist through reboots of the Bridge.
6.8.1 Preconfiguring a New Network Deployment with SAC

All of the Bridges to be included in the new network must be at their factory-default settings. (Section 6.4.7 describes restoring the Bridge’s default settings from the Bridge CLI; Section 3.9 describes the same function in the Bridge GUI.)

6.8.1.1 Connecting the Bridges for Preconfiguration

Position the Bridges so that they operate only within their safe temperature range (14º–122º F/ –10º–50º C).
Allow all of the Bridges to boot before proceeding with SAC: front-panel Stat1 and Stat2 LEDs and the lower LEDs for both radios light solid green, while the upper LEDs for both radios and the WAN port link/activity (Lnk/Act) LED flash green intermittently.

1 Open a terminal application on the computer connected to the SAC master Bridge’s Console port and (using the settings given in Section 6.1.2) open a session with the master Bridge.
Bridges. Alternatively, you can specify only a subnet and allow SAC to automatically generate all member IP addresses within that subnet, including that of the root/master Bridge. The IP or subnet address you enter must fall within one of these reserved ranges:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.
    [GW]> set sac stop
    SAC Stop Initiated. May take some time to complete...
Similarly, the encryption algorithm and re-key interval in effect on the network can be viewed with show crypto (sections 6.4.5.1 and 6.4.5.2, respectively). The Access ID cannot be displayed for security purposes (but it must match across all network Bridges). Use the show network command on the master/root Bridge to view its IP address (Section 6.4.1), and the show sac command to view the IP addresses of slave/non-root Bridges.
    SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer
    24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
    24743196|172.24.0.3|19082|1|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1

To save the new configuration, enter set sac stop:

    [GW]> set sac stop
    SAC Stop Initiated. May take some time to complete...
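The peer table printed by show sac, together with the reserved address ranges required for SAC, can be checked mechanically before the configuration is saved with set sac stop. The Python script below is an added example, not part of the Fortress guide or the Bridge software. It assumes the reserved ranges are the RFC 1918 private blocks and that the status, state and shared CfgID seen in the guide's sample are what a correctly configured peer reports; its second input is constructed.

```python
import ipaddress
from collections import Counter

# Assumption: the reserved ranges the guide lists are the RFC 1918 private blocks.
RESERVED = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the values in the guide's sample are what a configured peer reports.
EXPECTED_STATUS = "SAC_PEER_CONFIRMED"
EXPECTED_STATE = "SAC_COMPLETE_4PEER"

# Field names use the CLI's own spelling, as printed in the guide.
HEADER = "SeriallNum|IpAddress|CfgID|PeerNum|PeerSACStatus|PeerSACState|PeerSACVer"
REQUIRED = ("SeriallNum", "IpAddress", "CfgID", "PeerNum",
            "PeerSACStatus", "PeerSACState")

# Peer table as printed in the guide.
GUIDE_SAMPLE = HEADER + """
24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
24743196|172.24.0.3|19082|1|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
"""

# Constructed capture: the second peer has a non-reserved address, a different
# CfgID and a placeholder status string (not a real CLI value).
CONSTRUCTED_BAD = HEADER + """
24773196|172.24.0.4|19082|2|SAC_PEER_CONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
24743196|192.0.2.10|0|1|PLACEHOLDER_UNCONFIRMED|SAC_COMPLETE_4PEER|SAC_VER_PEGASUS_ARCH1
"""


def parse_peer_table(text):
    """Return one dict per peer row; lines without '|' (prompts, notes) are skipped."""
    rows = [ln.strip() for ln in text.splitlines() if "|" in ln]
    if not rows:
        raise ValueError("no pipe-delimited peer table in capture")
    header = rows[0].split("|")
    missing = [f for f in REQUIRED if f not in header]
    if missing:
        raise ValueError(f"peer table header lacks {missing}")
    peers = []
    for row in rows[1:]:
        fields = row.split("|")
        if len(fields) != len(header):
            raise ValueError(f"malformed peer row: {row!r}")
        peers.append(dict(zip(header, fields)))
    return peers


def check_peers(peers, expected_count=None):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    if expected_count is not None and len(peers) != expected_count:
        findings.append(f"expected {expected_count} peers, table lists {len(peers)}")
    # Assumption: serial number, address and peer number are unique per peer.
    for key in ("SeriallNum", "IpAddress", "PeerNum"):
        for value, seen in Counter(p[key] for p in peers).items():
            if seen > 1:
                findings.append(f"duplicate {key} {value} ({seen} rows)")
    # Assumption: peers of one SAC network share a CfgID, as in the sample.
    cfg_ids = sorted({p["CfgID"] for p in peers})
    if len(cfg_ids) > 1:
        findings.append(f"peers disagree on CfgID: {cfg_ids}")
    for p in peers:
        serial = p["SeriallNum"]
        try:
            addr = ipaddress.ip_address(p["IpAddress"])
        except ValueError:
            findings.append(f"{serial}: unparseable address {p['IpAddress']!r}")
        else:
            if not any(addr in net for net in RESERVED):
                findings.append(f"{serial}: {addr} is outside the reserved ranges")
        if p["PeerSACStatus"] != EXPECTED_STATUS:
            findings.append(f"{serial}: status {p['PeerSACStatus']}")
        if p["PeerSACState"] != EXPECTED_STATE:
            findings.append(f"{serial}: state {p['PeerSACState']}")
    return findings


if __name__ == "__main__":
    for name, capture in (("guide sample", GUIDE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, check_peers(parse_peer_table(capture)) or "OK")
```

Pass expected_count when you know how many non-root Bridges were connected, so that a peer missing from the table is reported as well.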
    [GW]> show sac
    SwabSerialNum:24743196
    SwabConfigID:0
    SwabSACRole:SAC_SLAVE
    SwabSACState:SAC_INIT4SWAB
    SwabSACVer:SAC_VER_PEGASUS_ARCH1

10 Log off the new Bridge’s CLI and disconnect the Console port cable.
16 Disconnect the WAN ports of the new and master Bridges.
17 Power cycle the new Bridge.

The new Bridge is ready to be deployed on the network.

6.8.3.
Chapter 7 Specifications

7.1 Hardware Specifications

7.1.1 Performance

unencrypted throughput: up to 23 Mbps
encrypted throughput: up to 10 Mbps

7.1.2 Physical

form factor: compact, rugged desktop chassis
dimensions: 2.3" H x 8.75" W x 6.6" D (5.8 cm × 22.2 cm × 16.8 cm)
weight: 3.5 lbs. (1.
7.1.4 Compliance

safety: UL60950-1, IEC60529 (CB test), UL (NEMA) 3/3S/4 “raintight”
emissions: CE, FCC Class A
immunity: EN61000-3, EN61000-4
vibration: MIL-STD 810F 514 / SC-18 (pending)

7.1.5 Logical Interfaces

The physical connections described in Section 7.1.
the wide side up, pins are numbered from right to left, top to bottom.

Figure 7.1 RJ-45 and DB9 Pin Numbering

Table 7.1 shows the adapter pin-outs.

Table 7.1.
Chapter 8 Troubleshooting

Problem    Solution

Verify the Bridge’s physical connection:
• from an Ethernet port on a computer or a network switch to one of the Bridge’s unencrypted internal LAN ports.
—or—
• from a computer running the Fortress Secure Client in the Bridge’s encrypted zone.

Verify the browser link:
• the computer you are using to access the Bridge GUI is in the same subnet as—or has a network route to—the Bridge’s IP address.
Problem: The Bridge is not allowing traffic to pass.

Solution:
Verify the Bridge’s physical connections:
• from the Bridge’s Unencrypted port to the LAN.
• from the Bridge’s Encrypted port to the WLAN.
• in AF7500 & AF2100, verify the CAT5e cable type (crossover for direct host/AP connections; straight for connections to switches/hubs).

Verify that auto-negotiation is enabled on all devices directly connected to the Bridge, including switches, hubs and APs.
Glossary

3DES - Triple Data Encryption Standard—a FIPS-approved NIST standard for data encryption using 192-bits (168-bit encryption, 24 parity bits) for protecting sensitive (unclassified) U.S. government (and related) data. NIST amended and re-approved 3DES for FIPS in May, 2004.

802.11 - The IEEE standard that specifies technologies for WLANs.

An IEEE standard for port-based network access control, providing user authentication 802.
Bridge GUI - The browser-based graphical user interface through which the Fortress Secure Wireless Access Bridge is configured and managed, locally or remotely.

CCITT - Comite Consultatif Internationale de Telegraphie et Telephonie, former name of the ITU-T.

In the Fortress Controller FISh (command-line) interface and front-panel LCD, devices on the encrypted (WLAN) side of the network and running the Fortress Secure Client.
failover - A device or system configuration in which two, identical components are installed for a given function so that if one of them fails the redundant component can carry on operations without any substantial interruption of service. Also, an instance in which an active component becomes inoperative and fails over operations to its partner.

FIPS - Federal Information Processing Standards—issued by NIST, FIPS mandate how IT, including network security, is implemented by the U.S.
groups - An association of network objects (users, devices, etc.). Groups are typically used to allocate shared resources and apply access policies.

GUI - Graphical User Interface

guest - In Fortress Technologies, a guest user as configured in MaPS. Alternatively, in the Fortress Controller, devices given access on the encrypted (WLAN) side of the network as Trusted Devices, access points, or guests.

host - In Fortress Technologies, devices on the unencrypted (LAN) side of the network.
MaPS Console - In Fortress’s MaPS, a Java-based, configuration client interface for the Fortress Management and Policy Server, through which all MaPS functions are accessed.

MaPS object - In Fortress’s MaPS, any entity on the secure network, including Fortress controller devices, Secure Client devices, users, and network resources.

MAN - Metropolitan Area Network—a collection of interconnected computers within a town or city.

MIB

MobileLink™
RSA SecurID® - An authentication method created and owned by RSA Security.

RADIUS - Remote Authentication Dial-In User Service—an authentication server design that issues challenges to connecting users for their usernames and passwords and authenticates their responses against a database of valid usernames and passwords; described in RFC 2865.
UDP - User Datagram Protocol—defines a method for “best effort” delivery of data packets over a network that, like TCP, runs on top of IP but, unlike TCP, does not guarantee the order of delivery or provide integrity checking.

user authentication - The practice of requiring users to enter their assigned user IDs and established passwords and of checking the validity of these credentials before allowing them to connect to the network.