To receive a complete machine-readable copy of the corresponding source code on CD, send $10 (to cover the costs of production and mailing) to: Fortress Technologies; 4023 Tampa Road, suite 2200; Oldsmar, FL 34677-3216. Please be sure to include a copy of your Fortress Technologies invoice and a valid “ship to”...
DOWNLOADING, INSTALLING OR USING FORTRESS TECHNOLOGIES SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. FORTRESS TECHNOLOGIES, INC., WILL LICENSE ITS SOFTWARE TO YOU THE CUSTOMER (END USER) ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT. THE ACT OF DOWNLOADING, INSTALLING, OR USING FORTRESS SOFTWARE, BINDS YOU AND THE BUSINESS THAT YOU REPRESENT (COLLECTIVELY, “CUSTOMER”) TO THE...
Software and Documentation in any form to any third party without the prior written consent of Fortress Technologies. Customer shall implement reasonable security measures to protect such trade secrets.
Bridge GUI Guide
Term and Termination
This Agreement and License shall remain in effect until terminated through one of the following circumstances:
i. Agreement and License may be terminated by the Customer at any time by destroying all copies of the Software and any Documentation.
ii. Agreement and License may be terminated by Fortress due to Customer non-compliance with any provision of the Agreement.
Fortress]. Date of shipment is established per the shipping document (packing list) for the Product that is shipped from a Fortress location. Customer shall provide Fortress with access to the Product to enable Fortress to diagnose and correct any errors or defects. If the Product is found defective by Fortress, Fortress' sole obligation under this warranty is to remedy such defect at Fortress' option through repair, upgrade or replacement of product.
the defense of all such claims, lawsuits, and other proceedings. If, as a result of any claim of infringement against any U.S. patent or copyright, Fortress is enjoined from using the Product, or if Fortress believes the Product is likely to become the subject of a claim of infringement, Fortress at its option and expense may procure the right for Customer to continue to use the Product, or replace or modify the Product so as to make it non-infringing.
User agrees to indemnify and hold harmless Fortress Technologies, Inc. from any fines, costs or expenses resulting from or associated with unauthorized use of this frequency range.
ES-series Bridges and between the ES-series and the FC-X, or Fortress Controller. Each Fortress hardware device is therefore covered in a platform-specific hardware guide, currently including:
ES820 Secure Wireless Bridge Hardware Guide
ES520 Secure Wireless Bridge Hardware Guide
...
Bridges and the Fortress Controller (FC-X) and may be collectively referred to as Bridges, Controllers or Controller devices. The ES820 Bridge is also known as Fortress's Vehicle Mesh Point. The ES440 Bridge is also known as an Infrastructure Mesh Point, and the ES210 Bridge is also known as a Tactical Mesh Point.
Bridge GUI Guide: Introduction
You can find the full model number for any ES-series Bridge on the Administration Settings screen under System Info.
Figure 1. ES-Series Product Model Number Explication
The number of digits after the hyphen corresponds to the number of radios installed in the Bridge.
Information Bases (MIBs) are included on the Bridge CD and can be downloaded from the Fortress Technologies web site: www.fortresstech.com/. Configuring SNMP through the Bridge GUI is covered in this guide; configuring it through the Bridge CLI is covered in the Secure Wireless Bridge and Security Controller CLI Software Guide.
FastPath Mesh enable a set of Fortress Bridges to form a fully functioning FastPath Mesh network as soon as they are connected.
Figure: FastPath Mesh deployment showing Access Networks with ES210, ES820 and ES520 Bridges, including ES210 Bridges in STAtion mode (figure content not recoverable from the extracted text)...
Create a bridging BSS on (one of) the radio(s) with:
an SSID in common with the bridging BSSs on the rest of the MPs (NOTE: the bridging setting of the MPs also determines its FP ...)
a Wireless Bridge setting of Enabled
...
MBG, configure route(s) to the FP Mesh subnet.
Figure 1.2. Single FP Mesh Network with a Single MBG Attachment Point (figure shows ES440, ES210 and ES820 nodes; legend: Mesh Point, Mesh Border Gateway, Mesh Core Connection, Mesh Hierarchical Connection, Access Interface)...
In addition to the RFC-4193 IPv6 address FP Mesh automatically generates, the MBG is provided with a global prefix by the network IPv6 router. If a DHCP server internal to one of the MPs is enabled, each IPv6 node in the network can then be reached by the public address so provided.
separated from the MBG will be temporarily disconnected from the hierarchical network. Multiple MBGs can enable parts of the mesh temporarily separated from each other to remain connected to a hierarchical network, as long as there is an MBG present among the separated group of nodes.
on the Access interfaces on which the loop has been detected. Only the MP so chosen as the forwarder will advertise NMPs discovered on these Access interfaces. Because only one MBG in a given FP Mesh network will actively pass traffic to and from the hierarchical network, multiple MBGs can be present in multiple FP Mesh networks attached to the same LAN, as shown in Figure 1.5.
Figure 1.6. Traffic Duplication in Two FP Mesh Networks Attached to Separate Access Networks (figure shows LAN 1 and LAN 2, Mesh A with MBG A1 and MBG A2, Mesh B with MBG B1 and MBG B2, and a sender and a target; legend: Mesh Point, Mesh Border Gateway, Mesh Core Connection, Mesh Hierarchical Connection, Access Interface, Duplicate Traffic)
Avoid such configurations if traffic duplication is undesirable in your environment.
Bridges configured to be able to connect to one another automatically form mesh networks.
Figure 1.7. Mast-mounted ES520 deployment (figure shows WLANs, the STP Root, the rear-panel grounding stud to earth ground, port ground, the lightning arrestor and the PoE adapter connected to PoE power; implementation dependent on lightning arrestor)
1.4.3 Point-to-Point Bridging Deployments
The Bridge can be deployed as a conventional wireless Bridge to connect two separately located LANs (local area networks), for example, or to link remotely located hardware to the local network for system management and data upload, as shown in Figure 1.8.
Compatibility
The Fortress Bridge is fully compatible with WPA and WPA2 enterprise and pre-shared key modes and with Fortress Secure Client versions 2.5.6 and later. In addition to, or as an alternative to, the Bridge’s native authentication service, the Bridge can be used with an external RADIUS server.
Bridge GUI Guide: Administrative Access
Chapter 2 Bridge GUI and Administrative Access
Bridge GUI
The Fortress Secure Wireless Bridge’s graphical user interface provides access to Bridge administrative and monitoring functions.
2.1.1 System Requirements
To display properly, the Bridge GUI requires a monitor resolution of at least 1024 ×...
agreement, click to accept them. (Once accepted, the agreement does not display.) If an administrative logon banner has been configured (Section 2.2.1.9), click to accept its terms. (There is no administrator logon banner by default.) On the Logon to Fortress Security System screen, enter a valid Username and Password.
Two administrators with Administrator-level privileges (refer to Section 2.2.2.3) cannot be logged on to the Bridge at the same time. If you are trying to log on to an Administrator-level account when another such session is active, you will have the option of forcibly ending the active session and proceeding with the logon, or choosing from the dropdown to...
(refer to Section 2.2.2.3 for more information on account roles and access). On a screen common to both views, you can toggle between the two views of the screen. If you are viewing a screen exclusive to the Advanced View and you click SIMPLE VIEW, the...
predetermined user names: admin, maintenance, and logviewer, respectively. Administrative roles are described in greater detail in Section 2.2.2.3. Default passwords for preconfigured accounts are the same as their user names. The first time you log on to the admin account, you will be forced to enter a new password of at least 15 characters.
configured lockout behavior. Numbers from ... are accepted; ... is the default. (NOTE: The lockout feature applies only to remote logon attempts.)
2.2.1.2 Failed Logon Timeout
The Failed Logon Timeout setting specifies the number of seconds that must elapse after a failed logon attempt before...
log-ons and when Log Viewer accounts first access the Bridge GUI (on Monitor -> Event Log). The feature is Disabled by default. Show Previous Logon is present only in Advanced View (refer to Section 2.1.4).
2.2.1.6 Authentication Method and Failback
By default, administrative Usernames and passwords are...
Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. Click to access the Local Server tab, and in the Local Authentication Server frame:...
Select Configure -> RADIUS Settings from the menu on the left. Click to access the Local Server tab and, in the User Entries frame, click NEW USER. In the Edit Local Authentication screen’s User Database Entry frame: In Username, enter a user name of at least one (1)...
Consult your RADIUS server documentation for information on configuring the service. You must additionally configure an entry for the server on the Bridge’s Authentication Servers list (Configure -> RADIUS Settings -> Server List), specifying RADIUS as its Server Type and as a supported Auth Party...
2.2.1.8 Password Requirements
The Bridge will not accept new passwords that do not meet specified requirements. (NOTE: Passwords do not need to be unique.) If you specify new requirements that existing passwords do not meet, nonconforming passwords are treated according to the Expire Nonconforming Passwords setting (described in Section 2.2.1.7).
Pass. Dictionary - Passwords can/cannot match words in the dictionary. When Pass. Dictionary is Enabled, passwords are checked against a list of English words, and the password is rejected if a match is found. When it is Disabled (the default), passwords can contain the words on the list.
Figure 2.9. Logon Banner on the Bridge GUI Logon Screen, all platforms
To configure a comment or administrator logon banner: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the...
To eliminate an existing logon banner, delete all content from the Warning Banner field and APPLY the change.
2.2.2 Individual Administrator Accounts
Up to thirteen usable administrative accounts can be present on the Bridge’s local administrator database at one time. Three of these are preconfigured with the fixed user names admin, maintenance and logviewer, reflecting the default administrative Role of each account.
2.2.2.1 Administrator User Names
At the time a new administrative account is created, you must provide a Username. Once established, the Username for any administrative account cannot be changed. Administrator user names must be unique on the Bridge. (NOTE: ...vanced View, the Username associated with an account listed in Adminis...)
to configuration changes. Log Viewer-level accounts have no execution privileges on the Bridge. Only one Administrator-level account can be active on the Bridge at one time. Their limited permissions allow multiple Maintenance-level and Log Viewer-level accounts to be active on the Bridge at the same time.
- Console - The account can access the Bridge CLI through a direct, physical connection to the Bridge’s Console port (refer to the CLI Software Guide).
- ... - The account can access the Bridge GUI through a...
The same message will be returned for an Administrator-level account if the administrator tries to change the password when the password is locked. Because Administrator-level accounts can change the Password is Locked setting for any account, it is impossible to effectively lock passwords on these accounts (although the administrator will have to select for Password...
of the page, then Configure -> Administration from the menu on the left. In the Administration screen’s Administrator Settings frame, click NEW USER.
Figure 2.12. Creating a new administrator account, all platforms
In the Account Information frame, enter at least a Username and optionally a Full Name and/or Description, and configure any additional settings for the account.
You can optionally view current password complexity requirements by clicking More Information in the upper right of the Edit Password screen and then Password Complexity Settings. (NOTE: you can view but not edit the list against which passwords are checked by clicking Password Dic...)
Click APPLY in the upper right of the screen (or CANCEL the conversion of the account). The newly converted account will be listed on Configure -> Administration, in Advanced View, with a Learned state of ..., and the associated administrator will be allowed to log on (with valid credentials).
Click ... in the confirmation dialog (or CANCEL the deletion).
Figure 2.14. Deleting an administrator account, all platforms
The account will be removed from the Advanced View Administrator Settings frame (Configure -> Administration).
2.2.2.11 Changing Administrative Passwords
Administrators with Administrator-level accounts can change the password of any account, including their own, as described in sections 2.2.2.7 and 2.2.2.9.
entry failed the check and cannot be used. If the Password Dictionary check is not in effect, it is labeled (disabled). Click APPLY in the upper right of the screen (or CANCEL the change). Role configuration options for administrative accounts are described in detail in Section 2.2.2.3.
In the resulting screen’s Admin IP Access Control Whitelist frame, click NEW IP.
Figure 2.17. Add an IP ACL Entry dialog, Advanced View, all platforms
In the resulting Add an IP ACL Entry dialog, enter the IP Address of the computer from which you are currently logged on and, optionally, a Description for the entry.
A dialog will also warn you if you are deleting your current IP address from the list when it is already enabled (after you have cleared the usual confirmation dialog). Unless you want to prevent management access to the Bridge from your current IP address, ... these changes.
The settings that configure SNMP on the Bridge include:
SNMP v3 Support - enables/disables SNMP v3 user access. When SNMP v3 Support is Enabled, the preconfigured SNMP v3 user is permitted to access the Bridge, and new passphrases should be configured in the SNMP v3 User frame:
Username - identifies the v3 user, FSGSnmpAdmin.
In New Privacy Passphrase and Confirm Privacy Passphrase, enter a privacy passphrase for the user (10–32 alphanumeric characters without spaces). In the same frame, optionally enter: an E-mail address to serve as the SNMP System...
To create trap destinations: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. Scroll down to the SNMP frame, and click NEW DESTINATION. In the Add SNMP Trap Destination dialog:...
To delete a trap destination: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left.
4.4 GHz, military band) will generally be the better choice for network bridging (or backhaul) links. In Bridges with two radios (ES520 and ES820), these are Radio 2. In the four-radio ES440, Radio 2, Radio 3 and Radio 4...
Bridge GUI Guide: Network Configuration
In Fortress Bridges equipped with any number of radios, the standard-equipment Radio 1 is a dual-band 802.11a/g (or 802.11a/g/n) radio. Radio 1’s 802.11g capability typically indicates its use to provide wireless access to devices within range.
support the mesh network and user controls to configure and tune it.
Table 3.1. STP Networks Compared to FastPath Mesh
function                            STP              FP Mesh
self-forming                        supported        supported
self-healing                        supported        supported
end-to-end encryption               supported        supported
all paths available at all times    not supported    supported
optimal path selection              ...
inherent in layer-2 networks, including advance ARP resolution and streamlined broadcast and multicast handling to significantly reduce broadcast traffic. FP Mesh enables each node to use all mesh network links and to route traffic on the optimal path by computing per-hop costs, based on link conditions, and end-to-end costs, based on cumulative per-hop costs.
Additionally, FastPath Mesh functionality itself provides automatic IPv6 addressing without the need for a DHCP server and name distribution within the network without the need for a DNS server. To provide independent IPv6 addressing and facilitate optimal network traffic routing, FP Mesh generates an RFC-4193 Unique Local IPv6 Unicast Address (a.k.a. unique local address or ULA) for every MP and supports up to sixteen...
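The paragraph above says only that FP Mesh generates an RFC 4193 unique local address for each MP; it does not say how. The following added example (not code from the guide or from Fortress) implements the prefix-generation algorithm RFC 4193 section 3.2.2 specifies, so a practitioner can see why such addresses are routable inside the mesh yet never collide with global prefixes: a 40-bit Global ID is taken from the low bits of SHA-1 over the current NTP time and the node's EUI-64, placed under fd00::/8, and combined with a 16-bit Subnet ID into a /64; the node's interface identifier is its modified EUI-64. The MAC address, timestamp and subnet ID used are constructed sample values; whether the Fortress implementation uses the MAC in exactly this way is an assumption.

```python
import hashlib
import ipaddress


def eui64_from_mac(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe in the middle and flip the universal/local bit of the first octet.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def ula_global_id(mac: str, unix_time: float) -> int:
    """RFC 4193 3.2.2: SHA-1 over (NTP time || EUI-64); keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(mac: str, unix_time: float, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """fd00::/8 || 40-bit Global ID || 16-bit Subnet ID, as a /64 network."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    prefix = (0xFD << 120) | (ula_global_id(mac, unix_time) << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix, 64))


def ula_address(mac: str, unix_time: float, subnet_id: int = 0) -> ipaddress.IPv6Address:
    """Full node address: the /64 ULA prefix with the node's EUI-64 as interface ID."""
    net = ula_prefix(mac, unix_time, subnet_id)
    interface_id = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


if __name__ == "__main__":
    # Constructed sample: a fictitious MP MAC address and a fixed timestamp.
    sample_mac, sample_time = "00:11:22:33:44:55", 1_600_000_000.0
    print("prefix :", ula_prefix(sample_mac, sample_time))
    print("address:", ula_address(sample_mac, sample_time))
```

Because the Global ID is pseudo-random rather than assigned, two meshes that are later joined at an MBG are very unlikely to share a prefix, which is the property that lets the hierarchical router treat each mesh as a distinct subnet.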
between FastPath MPs. When Enabled (the default), traffic between MPs is subject to Fortress’s Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1).
3.2.1.3 Mobility Factor
To facilitate node mobility in the FP Mesh network, Mobility Factor adjusts the frequency at which the costs of data paths to neighbor nodes are sampled so that cost changes can be transmitted to the network.
U - is the user-defined per-interface cost offset, which allows you to configure one link to be more costly than another. Any non-negative integer between 0 (zero) and 4,294,967,295 can be defined (for configuration information, refer to Section 3.3.4.4 for wireless and Section 3.7.3 for Ethernet interface controls).
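The guide describes end-to-end costs as the sum of per-hop costs and the offset U as a way to make one link dearer than another, but does not show the effect on path selection. The added example below (not code from the guide or from Fortress) runs a shortest-path computation over a small constructed mesh and shows how an offset on one interface steers traffic onto a different route. The composition hop cost = measured link cost + U is an assumption for illustration; the guide's full cost formula is not reproduced on this page, and the range check on U is the 0 to 4,294,967,295 limit the guide states.

```python
import heapq
from typing import Dict, List, Optional, Tuple

MAX_COST_OFFSET = 4_294_967_295  # largest per-interface offset U the guide allows

# Constructed sample mesh: undirected links as (node, node, measured link cost).
SAMPLE_LINKS = [("A", "B", 1), ("B", "D", 1), ("A", "C", 1), ("C", "D", 2)]


def validate_cost_offset(offset: int) -> int:
    """Accept only a non-negative integer within the guide's stated range."""
    if isinstance(offset, bool) or not isinstance(offset, int):
        raise ValueError("cost offset must be an integer")
    if not 0 <= offset <= MAX_COST_OFFSET:
        raise ValueError(f"cost offset must be between 0 and {MAX_COST_OFFSET}")
    return offset


def build_adjacency(links: List[Tuple[str, str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    adjacency: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    return adjacency


def best_path(links: List[Tuple[str, str, int]],
              offsets: Dict[Tuple[str, str], int],
              src: str, dst: str) -> Optional[Tuple[List[str], int]]:
    """Dijkstra over per-hop costs. offsets maps (node, neighbor) to the offset U
    configured on node's interface toward neighbor (assumed additive)."""
    for offset in offsets.values():
        validate_cost_offset(offset)
    adjacency = build_adjacency(links)
    distance: Dict[str, int] = {src: 0}
    previous: Dict[str, str] = {}
    frontier = [(0, src)]
    while frontier:
        dist, node = heapq.heappop(frontier)
        if dist > distance.get(node, float("inf")):
            continue  # stale heap entry
        if node == dst:
            break
        for neighbor, link_cost in adjacency.get(node, []):
            hop_cost = link_cost + offsets.get((node, neighbor), 0)
            candidate = dist + hop_cost
            if candidate < distance.get(neighbor, float("inf")):
                distance[neighbor] = candidate
                previous[neighbor] = node
                heapq.heappush(frontier, (candidate, neighbor))
    if dst not in distance:
        return None  # no route through the mesh
    path = [dst]
    while path[-1] != src:
        path.append(previous[path[-1]])
    path.reverse()
    return path, distance[dst]


if __name__ == "__main__":
    print("no offsets:     ", best_path(SAMPLE_LINKS, {}, "A", "D"))
    print("U=5 on A->B:    ", best_path(SAMPLE_LINKS, {("A", "B"): 5}, "A", "D"))
```

With no offsets the route A-B-D (cost 2) wins over A-C-D (cost 3); an offset of 5 on A's interface toward B raises that first hop to 6, and the computation moves traffic to A-C-D. Offsets are per interface and one-directional, which is why the key is an ordered (node, neighbor) pair.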
You can also force MPs to join or leave specific multicast groups, if you need to support non-IP multicast groups or a device on an Access interface that doesn’t implement IGMP/MLD, or for testing/debugging purposes. To subscribe to a multicast group, you must identify the FP Mesh interface for the stream and specify the multicast address for the group by MAC or IP address.
Log on to the Bridge GUI through an Administrator-level account. If you are configuring any setting beyond Bridging Mode, click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) Navigate to a Bridge GUI screen and frame through which the setting(s) you want to configure can be accessed: Bridging Configuration...
If you want to subscribe to a new multicast group: Click NEW MULTICAST GROUP. In the Add a Multicast Group dialog, specify the Access interface on which the current MP will subscribe to the multicast group: From the Interface dropdown, select a BSS...
(These include Radio 2 in the ES520 and ES820 and Radio 2, Radio 3 and Radio 4 in the ES440.) For BSSs configured on these radios, Wi-Fi Security is therefore Disabled, and these fields are greyed out.
4.4 GHz model radios
model    model # (option model #)    radio      equipment band    label band
ES820    ES820-35                     Radio 1    802.11a/g/n       802.11g
                                      Radio 2    802.11a/n         802.11a
ES520    ES520-35 (ES520-34)          Radio 1    802.11a/g         802.11g
                                      Radio 2    802.11a           802.11a
...                                   Radio 1    802.11a/g/n       802.11g...
Each radio installed in a Fortress Bridge can be configured with up to four BSSs, which can serve either as bridging interfaces networked with other Fortress Bridges or as access interfaces for connecting wireless client devices. Refer to Section 3.3.4 for details on radio BSS configuration.
When Country is licensed on the Bridge (Section 6.3), additional countries are available for selection. To allocate bandwidth and prevent interference, radio transmission is a regulated activity, and different countries specify hardware configurations and restrict the strength of signals broadcast on particular frequencies according to different rules.
In many regulatory domains, including the Bridge’s FCC domain, additional channels are available for selection (Section 3.3.2.3) when Environment is set to Indoors.
Figure 3.4. Advanced Global Radio Settings frame, Advanced View, all radio-equipped platforms
3.3.1.5 Configuring Global Advanced Radio Settings
Log on to the Bridge GUI through an Administrator-level...
When Advanced Radio is licensed, the Bridge’s 802.11a radio(s) can use additional licensed and unlicensed frequencies. Contact Fortress Technologies for additional information. An Advanced Radio license permits the Bridge’s 802.11a radio(s) to be used, in the 802.11a band, in any of the countries on the default Country Code list (Section 3.3.1.3) and in any of...
802.11n network devices.
Figure 3.6. Band: 802.11n-capable, dual-band radio options, ES210, ES440, ES820
Selecting an 802.11n option in a radio’s Band field permits the Bridge to take advantage of radio enhancements and traffic handling efficiencies defined in the newer standard, including...
DFS Channel Exclusions list (Section 3.3.3). A dual-band radio that uses the 2.4 GHz 802.11g band by default (Radio 1 in the multiple radio ES440, ES520 and ES820 Bridges) is set to channel by default.
Table 3.4 shows all channels available for selection on military band Bridge radios, with their corresponding frequencies.
Table 3.4. 4.4 GHz Military Band Radio Channels
Channel    Frequency (GHz)    Channel    Frequency (GHz)
4100       4.476              4128       4.616
4104       4.496              4132       ...
3.3.2.6 Tx Power Mode and Tx Power Settings
The default transmit power level for all radios is Auto, which directs the Bridge to automatically set the transmit power at the maximum allowed for the selected Band, Channel, Network...
WARNING: FCC (the Bridge’s default regulatory domain) requires antennas to be professionally...
Figure 3.7. Bridge network deployment with radio Distance settings of ... kilometers
You can configure Distance only in Advanced View.
3.3.2.8 Beacon Interval
Bridge radios transmit beacons at regular intervals to announce their presence on their network, the strength of their RF signals and, when Advertise SSID is enabled (Section...
CAUTION: Radios using DFS channels (Section 3.3.3) must...
3.3.2.9 Short Preamble
The short preamble is used by virtually all wireless devices currently being produced. The Short Preamble is therefore the most likely requirement for new network implementations and is Enabled by default. The setting applies only to 802.11g band operation;...
Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes).
Figure 3.8. RADIO 1 Radio Settings frame, Advanced View, all radio-equipped platforms
3.3.3 DFS Operation and Channel Exclusion
Most regulatory domains, including the Bridge’s default FCC... (NOTE: Bridge’s regulato...)
signal the impending change and transmit the new channel number to the network, before switching its bridging radio to the new channel. Bridges receiving this transmission will do the same, until the new channel has been propagated to every Bridge in the network and all are connected over the new channel.
You can observe the channels currently excluded from each radio’s use, in Advanced View only, on the Channel Exclusions list on Configure -> Radio Settings.
Figure 3.10. Add Channel To Exclude dialog, Advanced View, all radio-equipped platforms
To manually add channels for exclusion: Log on to the Bridge GUI through an Administrator-level account and select...
Bridges or serve as a WLAN access point (AP). Refer to Section 3.2.2 for more detail. You can view the BSSs configured for each radio under the radio’s entry on Configure -> Radio Settings. No BSSs are configured on Bridge radios by default. To create a BSS you need only specify a unique name (Section 3.3.4.1) and SSID (Section 3.3.4.2).
BSSs, when the radio is left on the default 5 GHz 802.11a band. The BSS enforces a Fortress Security setting of Enabled (Section 3.3.4.13). On Bridges with two radios, the ES520 and ES820, Wireless Bridge is Disabled by default for BSSs on Radio 1, when it is left...
Because of its dependency on the BSS’s Wireless Bridge function, the FastPath Mesh Mode of a wireless interface on the Bridge is not among the user controls provided. When FastPath Mesh is enabled and the BSS is configured as a bridging interface (Wireless Bridge: Enabled), the BSS is...
function is Disabled by default, at which setting the BSS accepts connections from both 802.11g and 802.11b devices. Enabling G Band Only prevents 802.11b wireless devices from connecting to the BSS. The older 802.11b is the slower of the two 2.4 GHz wireless standards, and most new devices support 802.11g.
3.3.4.9 BSS RTS and Fragmentation Thresholds
The RTS Threshold allows you to configure the maximum size of the frames the BSS sends without using the RTS/CTS protocol. Frame sizes over the specified threshold cause the BSS to first send a Request to Send message and then receive a Clear to Send message from the destination device before transmitting the frame.
3.3.4.10 BSS Unicast Rate Mode and Maximum Rate
When a BSS is configured to use a Unicast Rate Mode setting of auto (the default), the interface dynamically adjusts the bit rate at which it transmits unicast data frames, throttling between the configured Unicast Maximum Rate and the... (NOTE: configure the unicast minimum rate in the Bridge CLI; refer to...)
which is appropriate for a BSS using the 5 GHz frequency band, typically for network bridging. Fortress recommends leaving BSSs in the 802.11a band, including all 802.11na options, at the default of .... If the BSS will provide mesh network bridging in the 5 GHz 802.11a band, Fortress recommends a Multicast Rate of ....
BSSs enabled for bridging (Section 3.3.4.3) must be Enabled for Fortress Security. You cannot apply Wi-Fi Security to bridging-enabled BSSs. A Wi-Fi Security setting of None requires no further configuration.
Figure 3.13. New BSS settings frame, Advanced View, all radio-equipped platforms
WPA, WPA2 and WPA2-Mixed Security
WPA (Wi-Fi Protected Access) and WPA2 are the enterprise...
On the New/Edit BSS screens, these additional settings apply to WPA, WPA2 and WPA2-Mixed selections:
Rekey Period - specifies the interval, in seconds, at which new pairwise transient keys (PTKs) are negotiated, or 0 (zero), which disables the rekeying function: the interface will use the same key for the duration of each session.
New Preshared Key and Confirm Preshared Key - specify the preshared key itself, as: a plaintext passphrase between 8 and 63 characters in length, when ASCII is selected for Preshared Key Type, above.
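The 8-to-63-character limit on an ASCII passphrase comes from the way WPA/WPA2-PSK turns a passphrase into the 256-bit pre-shared key: PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as defined in IEEE 802.11i. The added example below (not code from the guide or from Fortress) enforces the length rule stated above and performs that derivation, so an administrator can see that the key a BSS and its clients actually share depends on the SSID as well as the passphrase. The alternative raw-key form being 64 hexadecimal digits is an assumption drawn from the WPA standard, not from this page; the passphrase and SSID in the usage line are the published IEEE test vector.

```python
import hashlib

PSK_ITERATIONS = 4096     # PBKDF2 iteration count fixed by IEEE 802.11i
PSK_LENGTH_BYTES = 32     # 256-bit pre-shared key
RAW_KEY_HEX_DIGITS = 64   # assumed length of the hexadecimal (non-ASCII) key form


def validate_passphrase(passphrase: str) -> str:
    """Enforce the 8 to 63 printable-ASCII-character rule the guide states for ASCII keys."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("ASCII passphrase must be between 8 and 63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("ASCII passphrase must contain only printable ASCII characters")
    return passphrase


def parse_raw_key(key_hex: str) -> bytes:
    """Accept a pre-shared key given directly as 64 hexadecimal digits (assumed form)."""
    if len(key_hex) != RAW_KEY_HEX_DIGITS:
        raise ValueError(f"raw key must be exactly {RAW_KEY_HEX_DIGITS} hex digits")
    return bytes.fromhex(key_hex)  # raises ValueError on non-hex input


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 256 bits)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PSK_ITERATIONS, PSK_LENGTH_BYTES,
    )


if __name__ == "__main__":
    # Known IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
```

Because the SSID is the salt, changing a BSS's SSID silently changes the derived key even if the passphrase is unchanged, which is worth remembering when clients stop associating after an SSID edit.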
In the Radio Settings screen’s New/Edit BSS frame, enter new values for the settings you want to change (described in sections 3.3.4.1 through 3.3.4.14, above). Click APPLY in the upper right of the screen (or CANCEL your changes).
Refer to the relevant step-by-step instructions in Section 3.3.5.11, Establishing an ES210 Bridge STA Interface Connection, for preconfiguring the interface or creating it through the ES210 Bridge’s scanning function.
3.3.5.1 Station Administrative State
Admin State simply determines whether the interface is Enabled or Disabled.
In a WMM-enabled association, packets sent from the Bridge include WMM tags that permit traffic from the Bridge to be prioritized according to the information contained in those tags. You can configure WMM for the STA Interface only in Advanced View.
The default Unicast Maximum Rate for a new STA interface is ... Mbps, which specifies the highest setting possible in either frequency band. (NOTE: Radio Band settings are covered in detail in Section 3.3.2.2.) You can configure Unicast Rate Mode and Unicast Maximum Rate only in Advanced View.
peer and at least one CA (Certificate Authority) certificate must be present in the local certificate store. Refer to Section 6.2.1 for guidance on configuring an EAP-TLS key pair and digital certificate. On the Add Station Mode screen, these additional settings apply to selections: WPA2...
be used exclusively by the STA Interface (WPA2-PSK), or you can configure it to be able to use either by selecting WPA2-Mixed-PSK. Pre-shared key mode differs from enterprise mode in that PSK bases initial key generation on a user-specified key or passphrase instead of on digital certificates.
Table 3.9. STA Interface Settings
Simple & Advanced Views    Advanced View Only
Admin State                Description
STA Name                   Frag. Threshold
SSID                       RTS Threshold
BSSID                      Unicast Rate Mode
Wi-Fi Security             Unicast Maximum Rate
Key Type                   Multicast Rate
Rekey Period               TLS Cipher
WPA Key/Key Confirm        ...
In the Radio screen’s Add Station Mode frame, click the SCAN button to detect and display available networks.
Figure 3.18. Selecting a network for the STA Interface to connect to, ES210
Click to select the network you want the Bridge to connect to. Click the network SSID to capture only the network...
additional security options described under WPA, WPA2 and WPA2-Mixed Security in Section 3.3.5.10. Optionally configure any additional interface settings, as described in sections 3.3.5.2 through 3.3.5.8. Click APPLY in the upper right of the screen (or CANCEL the action).
Bridge GUI Guide: Network Configuration To edit or delete the STA Interface: Log on to the Bridge GUI through an Administrator -level account and select from the Configure -> Radio Settings menu on the left. If you are reconfiguring the existing STA Interface , on the Radio screen: If you are reconfiguring one or more Advanced View ...
Bridge GUI Guide: Network Configuration Basic Network Settings Configuration The basic settings that establish the Bridge’s presence on the network are configured in the Network Configuration frame on , described in sections 3.4.1 and Configure -> Administration 3.4.2, below. The Bridge’s system clock and, optionally, NTP (network time protocol) configuration are set in the Time Configuration frame of the same screen, as described in Section 3.4.3.
Configure these settings on the Bridge GUI's Network Configuration screen.

Figure 3.20. Network Configuration frame, Advanced View, all platforms

Preferred DNS and Alternate DNS - provide addresses of the external Domain Name System servers on the network, or specify no network DNS server with ...

NOTE: When enabled (the default), the Bridge's ...

3.4.2 IP Configuration. The Bridge supports Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv4 is enabled by default. When it is disabled, the Bridge's management IP address neither accepts nor sends IPv4 packets.

Auto Addressing - configures the Bridge to learn IPv6 global prefixes from network routers (Enabled, the default) or to use only a locally established global address (Disabled). Configurable Global Address - manually establishes an IPv6 ...

Table 3.11. IPv6 Network Configuration Settings
Configurable Settings: Configurable Global Address, Auto Addressing, Configurable Gateway, Configurable GW Metric
View-Only Settings: Configured Global Address/prefix length, Local Address/prefix length, Other Addresses/prefix lengths, Default Gateways (metrics)

To configure IP settings: Log on to the Bridge GUI through an Administrator-level account and select from the ...

3.4.3.2 NTP Client Configuration. In Advanced View, after you have set the Bridge's internal clock to within 1000 seconds of the current time on the network, you can enable the Bridge to synchronize its clock with the time disseminated by up to three configured NTP servers.

Bridge's physical position on the globe. Coordinates entered are shown only here (and in the output of the Bridge show location command).

Figure 3.24. Location settings frame, ES440, ES520, ES820, FC-...

Manually establish a Bridge's Location with standard settings for: ...

Latitude and Longitude - specify the Bridge's global coordinates in degrees, minutes and seconds, north/south or east/west, in the format DD:MM:SS.ss followed by N, S, E or W, with no spaces. You need only specify whole seconds; you can optionally specify the Bridge's coordinates to the hundredth of a second.
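The coordinate format described above, as an added example that is not part of the Fortress guide or product: a Python parser that enforces the DD:MM:SS.ss plus N/S/E/W rule (no spaces, whole seconds allowed, at most two decimal places) and converts the result to signed decimal degrees. The range limits (90 degrees for latitude, 180 for longitude), the three-digit degree field for longitude, and the function names are this example's assumptions; the sample values at the bottom are constructed.

```python
import re
from dataclasses import dataclass

# Guide format: DD:MM:SS.ss followed by N, S, E or W, with no spaces.
# Whole seconds are enough; up to two decimal places of a second are optional.
# Allowing a third degree digit for longitude (up to 180) is this example's assumption.
_COORD_RE = re.compile(r"^(\d{1,3}):(\d{2}):(\d{2})(?:\.(\d{1,2}))?([NSEW])$")


@dataclass(frozen=True)
class Coordinate:
    degrees: int
    minutes: int
    seconds: float
    hemisphere: str

    def to_decimal(self) -> float:
        """Signed decimal degrees: south and west are negative."""
        value = self.degrees + self.minutes / 60 + self.seconds / 3600
        return -value if self.hemisphere in "SW" else value


def parse_coordinate(text: str, kind: str) -> Coordinate:
    """Parse one Latitude ('lat') or Longitude ('lon') value; raise ValueError on anything the GUI should reject."""
    if kind not in ("lat", "lon"):
        raise ValueError("kind must be 'lat' or 'lon'")
    m = _COORD_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not in DD:MM:SS.ss[NSEW] form with no spaces: {text!r}")
    deg, mins, whole_sec, frac, hemi = m.groups()
    expected = "NS" if kind == "lat" else "EW"
    if hemi not in expected:
        raise ValueError(f"{kind} must end in {expected[0]} or {expected[1]}: {text!r}")
    degrees, minutes = int(deg), int(mins)
    seconds = float(f"{whole_sec}.{frac or '0'}")
    if minutes >= 60 or seconds >= 60:
        raise ValueError(f"minutes and seconds must be below 60: {text!r}")
    coord = Coordinate(degrees, minutes, seconds, hemi)
    limit = 90 if kind == "lat" else 180
    if abs(coord.to_decimal()) > limit:
        raise ValueError(f"{kind} exceeds {limit} degrees: {text!r}")
    return coord


def is_valid(text: str, kind: str) -> bool:
    """True when the value would be accepted, False otherwise."""
    try:
        parse_coordinate(text, kind)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    for sample, kind in [("28:02:15.50N", "lat"), ("82:40:00W", "lon"), ("28:02:15 N", "lat")]:
        print(sample, kind, is_valid(sample, kind))
```

The hemisphere check is done per field so that a latitude ending in E or W is rejected rather than silently stored; the decimal conversion is what you would feed to a mapping tool when reconciling the Bridge's stored position with a site survey.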
an IP address, the Bridge will forward the request to up to two network DNS servers. When FastPath Mesh is used for bridging and the FastPath Mesh network is attached to a conventional hierarchical network, internal DHCP services obtain default gateway and ...

NOTE: Fortress's FastPath Mesh functionality includes ...

If Auto Addressing will be left at its default of Enabled (see below), you should leave these settings at their defaults (... If you opt to disable Auto Addressing, you must enter IPv6 addresses in the usual format.

The Bridge GUI's DNS Host to IP Map shows all mappings, which you can sort by ascending or descending Hostname or IP Address. Each entry is identified by Type, which can be: self - a mapping for the current Bridge ...

Figure 3.28. Ethernet Settings screen (Configure -> Ethernet Settings), Simple View, ES210, ES440, ES820

Ethernet Settings screens display each port's view-only Name. Software labels cannot be changed.

3.7.1 Port Administrative State. Admin. State determines whether the port is Enabled.

Figure 3.29. Ethernet Port Settings screen, Advanced View, port, ES210, ES440, ES820

3.7.4 Port Fortress Security. When Fortress Security is Enabled on a port, traffic on that port is subject to Fortress's Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1).

Trunk - configures the port to accept incoming packets with any VLAN tag in the VLAN ID table and to send packets with their VLAN tagging information.

NOTE: There is only one VLAN trunk per Bridge, used by all Trunk ports.

Ethernet devices that do not support PoE, or non-Powered Devices, can use a PSE-enabled port with no effect on such devices or on PSE operation. If you are powering a PoE Class 3 or Class 0 device on a given port, you may want to leave PSE Disabled on the port above/...

QoS Implementation. The Bridge supports Quality of Service (QoS) expediting for wireless traffic according to the WMM (Wi-Fi Multimedia) subset of the IEEE 802.11e standard, QoS for Wireless LAN, and for Ethernet traffic according to the IEEE 802.1p standard, Traffic Class Expediting.

WMM is enabled by default on new BSSs (refer to Section 3.3.4.7). Wireless packets can convey QoS priority tags directly in their 802.11 headers. When no VLAN tags are present, the Bridge sorts wireless traffic into QoS priority queues according to these tags.

To reconfigure QoS priority tag-to-queue mapping: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Ethernet Settings from the menu on the left.
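The QoS queue selection described in this section, as an added example that is not part of the Fortress guide or product: Python code that reads the 802.1p priority (PCP) out of an 802.1Q-tagged Ethernet frame and picks a WMM access category, using the VLAN tag when one is present and the 802.11 QoS TID otherwise, with the tag-to-queue table passed in so it can be reconfigured the way the GUI procedure above allows. The default table is the IEEE 802.1D user-priority to WMM access-category mapping from the WMM specification, not the Bridge's own defaults, which the guide does not reproduce here; the frame builder and its addresses are constructed sample data.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Access categories used by WMM. The mapping below is the IEEE 802.1D user-priority to
# WMM access-category table from the WMM/802.11e specification; it is a starting point,
# not the Bridge's own default table, which the guide does not reproduce here.
AC_BK, AC_BE, AC_VI, AC_VO = "AC_BK", "AC_BE", "AC_VI", "AC_VO"
DEFAULT_QUEUE_MAP = {0: AC_BE, 1: AC_BK, 2: AC_BK, 3: AC_BE,
                     4: AC_VI, 5: AC_VI, 6: AC_VO, 7: AC_VO}


def vlan_priority(frame: bytes):
    """Return the 802.1p PCP (0-7) from an 802.1Q-tagged Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q or len(frame) < 16:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci >> 13  # PCP occupies the top three bits of the TCI


def queue_for(frame: bytes, wmm_tid=None, queue_map=DEFAULT_QUEUE_MAP) -> str:
    """Select the priority queue for a frame.

    A VLAN tag, when present, decides the priority. Otherwise the 802.11 QoS TID carried in
    the wireless header is used (TID 0-7 is the user priority). Untagged traffic with no
    TID falls into the best-effort queue.
    """
    prio = vlan_priority(frame)
    if prio is None and wmm_tid is not None:
        prio = wmm_tid & 0x7
    if prio is None:
        prio = 0
    return queue_map[prio]


def build_frame(pcp=None, vid=1) -> bytes:
    """Constructed sample frame: minimal Ethernet II header, optionally 802.1Q-tagged, zero payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = bytes(46)
    if pcp is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return (dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


if __name__ == "__main__":
    print(queue_for(build_frame(pcp=6)))            # tagged voice-priority frame
    print(queue_for(build_frame(), wmm_tid=1))      # untagged, TID from the 802.11 header
```

The point worth keeping in mind when you change the mapping: priority values arrive from the wire and from the air unauthenticated, so a station or upstream host can mark its own traffic; the table decides how much preferential treatment such marking buys.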
External switches running in port-based VLAN modes require that the Bridge use the VLAN mode Disabled.

VLAN Mode: Normal - In Normal VLAN Mode, the Bridge passes the VLAN tag's VLAN ID exactly as it is received, while encrypting/decrypting the rest of the data normally.

you configure for each VLAN that the Bridge secures. The routable VLAN IDs received on clear interfaces are translated, according to the routing map, into non-routable IDs and transmitted on an encrypted interface, and vice versa (non-routable VLAN IDs received on encrypted interfaces are translated into routable IDs and transmitted on a clear interface).

3.9.3 VLAN ID Table. The VLAN IDs you use on your network, for the native VLAN and for translate-mode mapping, are stored in the VLAN ID Table. The contents of the table determine the VLANs available for ...

NOTE: There is only one VLAN ...

In the resulting dialog, enter the ID number of the VLAN you want to add to the configuration and confirm the dialog. The ID number of the VLAN you added will be listed in the Active VLAN ID Table. You cannot delete a VLAN ID from the Bridge configuration while it is in use, as indicated by a red asterisk to the right of the ID number.

In the VLAN Translate Map Records frame, click RECORD. On the resulting Edit VLAN screen, in VLAN Map Record: In Record Name, enter a descriptive name for the mapping record. In Routable ID, enter the routable VLAN ID for packets ...
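The translate-mode behaviour described in this section (routable IDs in on clear interfaces, non-routable IDs out on encrypted ones, and the reverse), as an added example that is not part of the Fortress guide or product: a small Python model of the VLAN ID Table and the Translate Map Records that validates records against the table before use and answers the "in use" question the red asterisk represents. What the product does with a tagged frame whose ID has no mapping is not stated in the guide; this example drops it, and that, along with the class and function names, is an assumption. The table and records used in the usage block are constructed.

```python
from dataclasses import dataclass

CLEAR, ENCRYPTED = "clear", "encrypted"


@dataclass(frozen=True)
class VlanMapRecord:
    """One VLAN Translate Map record: Record Name, Routable ID, Non-Routable ID."""
    name: str
    routable_id: int
    non_routable_id: int


def check_records(vlan_id_table, records):
    """Return a list of error strings; empty when the records are consistent with the VLAN ID Table."""
    errors = []
    table = set(vlan_id_table)
    seen_routable, seen_non_routable = set(), set()
    for r in records:
        for vid in (r.routable_id, r.non_routable_id):
            if not 1 <= vid <= 4094:
                errors.append(f"{r.name}: VLAN {vid} is outside 1-4094")
            elif vid not in table:
                errors.append(f"{r.name}: VLAN {vid} is not in the VLAN ID Table")
        if r.routable_id == r.non_routable_id:
            errors.append(f"{r.name}: routable and non-routable IDs must differ")
        if r.routable_id in seen_routable or r.non_routable_id in seen_non_routable:
            errors.append(f"{r.name}: VLAN ID already mapped by another record")
        seen_routable.add(r.routable_id)
        seen_non_routable.add(r.non_routable_id)
    return errors


class VlanTranslator:
    """Translate-mode forwarding: routable IDs from clear interfaces go out encrypted as
    non-routable IDs, and non-routable IDs from encrypted interfaces go out clear as routable IDs."""

    def __init__(self, vlan_id_table, records):
        errors = check_records(vlan_id_table, records)
        if errors:
            raise ValueError("; ".join(errors))
        self.to_non_routable = {r.routable_id: r.non_routable_id for r in records}
        self.to_routable = {r.non_routable_id: r.routable_id for r in records}

    def translate(self, vid, ingress):
        """Return (egress_interface, egress_vid), or None when the ID has no mapping for that
        direction. Dropping unmapped IDs is this example's assumption, not documented product behaviour."""
        if ingress == CLEAR:
            out = self.to_non_routable.get(vid)
            return None if out is None else (ENCRYPTED, out)
        if ingress == ENCRYPTED:
            out = self.to_routable.get(vid)
            return None if out is None else (CLEAR, out)
        raise ValueError(f"ingress must be {CLEAR!r} or {ENCRYPTED!r}")

    def in_use(self, vid) -> bool:
        """True when a record references the ID; the GUI marks such IDs with a red asterisk and refuses to delete them."""
        return vid in self.to_non_routable or vid in self.to_routable


if __name__ == "__main__":
    # Constructed configuration: two secured VLANs with their non-routable counterparts.
    t = VlanTranslator([10, 20, 100, 200],
                       [VlanMapRecord("eng", 10, 100), VlanMapRecord("ops", 20, 200)])
    print(t.translate(10, CLEAR), t.translate(100, ENCRYPTED), t.translate(100, CLEAR))
```

Note the directional asymmetry: a frame carrying a non-routable ID that arrives on a clear interface has no mapping and is not forwarded, which is what keeps the non-routable IDs confined to the encrypted side.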
3.10 ES210 Bridge Serial Port Settings. The serial port on the front panel of the ES210 Bridge is configured by default to be used for Console port access to the Bridge CLI, as the serial ports of other Bridge models are used. On the ES210 Bridge, you can reconfigure the serial port to instead connect the Bridge to an external third-party Serial Sensor, or another serial device.

(the automatic setting for the Console port), 19200, or 38400 (the default when Serial Sensor Settings are Enabled). Parity - specifies whether the parity bit used for error checking results in an Even number of bits per byte or, with the default setting, that no parity bit ...

Bridge GUI Guide: Security Configuration Chapter 4 Security, Access, and Auditing Configuration

Fortress Security. The Security Settings frame provides controls for various aspects of the Bridge's overall network security provisions: Fortress MSP (Mobile Security Protocol) functions including ...

NOTE: Fortress MSP is not supported on an ES210 Bridge in Station Mode ...

all networked environments that are not required to comply with FIPS. As of this writing, FIPS operating mode in the current version of Bridge software is in the process of being validated as compliant with FIPS 140-2 Security Level 2.

NOTE: Contact your Fortress representative for up-to-...

4.1.3 MSP Key Establishment. You can configure the method that the Bridge and its Secure Clients (and other connecting controller devices) use to establish data encryption keys. In Normal operating mode (Section 4.1.1) the Bridge supports ...

NOTE: On wireless networks, sep...

4.1.4 MSP Re-Key Interval. Fortress Bridges generate new keys at defined intervals, renegotiating dynamic keys with their Secure Clients whenever those Clients are logged on. You can specify the re-key interval, in hours, at values between 1 and 24. The default is 4. At the default, for example, to decrypt data intercepted over a 12-hour period, an attacker would need to recover three sets of keys just from the Bridge, quickly enough to employ them ...

4.1.8 FIPS Self-Test Settings. The Bridge runs a number of self-tests described in FIPS 140-2 (the Federal Information Processing Standards' Security Requirements for Cryptographic Modules). FIPS tests run, and self-test failures are logged, regardless of whether the Bridge is in FIPS or Normal operating mode. When the Bridge is in FIPS operating mode, it will additionally shut down and reboot upon the failure of any FIPS self-test, as required by FIPS 140-2 (refer to Section 4.1.1).

Encrypted-interface cleartext traffic must be enabled to support AP management rules on the Bridge and Trusted Device access to the Bridge's encrypted zone. In FIPS terminology, when clear text is enabled on the Bridge's encrypted ...

NOTE: The current Cleartext traffic setting is shown in the upper left of all Bridge GUI screens (re...

on any encrypted interface, including by configured cleartext devices, regardless of the Guest Management setting. You can enable/disable Guest Management only in Advanced View.

4.1.13 Cached Authentication Credentials. When a device's session times out, the device is required to renegotiate encryption keys in order to reconnect to the network.

4.1.17 Fortress Access ID. The Access ID provides network authentication for the Fortress Security System. This 16- or 32-digit hexadecimal ID is established during installation, after which the same Access ID ...

NOTE: The default Access ID is represented by 16 zeros or by the word ...

If you want to manually enter a 16-digit or 32-digit hexadecimal Access ID of your own composition: In New Access ID and Confirm Access ID, enter the 16- or 32-digit hexadecimal Access ID to be used by the Bridge and its Secure Clients.
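The Access ID rules above (16 or 32 hexadecimal digits, entered twice, with 16 zeros as the factory default), as an added example that is not part of the Fortress guide or product: Python code that applies those rules to a manually composed Access ID before it is pushed to the Bridge and its Secure Clients, refuses the factory default, and draws a replacement from the operating system's CSPRNG. Rejecting an ID made of a single repeated digit is an added policy of this example, not a rule in the guide, and the function names are assumptions.

```python
import re
import secrets

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_ACCESS_ID = "0" * 16  # the factory default the guide describes


def validate_access_id(access_id: str, confirm: str):
    """Return (ok, reason) for a manually entered Access ID, mirroring the New/Confirm fields."""
    if access_id != confirm:
        return False, "New Access ID and Confirm Access ID do not match"
    if len(access_id) not in (16, 32) or not _HEX_RE.fullmatch(access_id):
        return False, "Access ID must be exactly 16 or 32 hexadecimal digits"
    if access_id == DEFAULT_ACCESS_ID:
        return False, "Access ID is still the factory default (16 zeros)"
    # Added policy, not a rule from the guide: a single repeated digit is trivially guessable.
    if len(set(access_id.lower())) == 1:
        return False, "Access ID must not be a single repeated digit"
    return True, "ok"


def generate_access_id(digits: int = 32) -> str:
    """Draw a fresh Access ID from the OS CSPRNG; 32 digits is the longer form the guide allows."""
    if digits not in (16, 32):
        raise ValueError("Access ID length must be 16 or 32 digits")
    return secrets.token_hex(digits // 2).upper()


if __name__ == "__main__":
    candidate = generate_access_id()
    print(candidate, validate_access_id(candidate, candidate))
    print(validate_access_id(DEFAULT_ACCESS_ID, DEFAULT_ACCESS_ID))
```

Because every Bridge and Secure Client on a Fortress-secured network must share the Access ID, treat the generated value as a network-wide secret: record it in whatever secret store your site uses, not in a ticket or an e-mail.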
devices, using its own IP address as the IPsec peer address and conducting IKE transactions on behalf of (and transparently to) the devices it secures. IPsec can be used alone or in conjunction with the Fortress Security settings described in Section 4.1.

Suites - selects the cryptographic algorithm suite(s) that the Bridge will accept when acting as an IKE responder and will offer when acting as an IKE initiator: AES-256-GCM, 16B ICV (default selection) ...

NOTE: Unlike the Suite B Key Establishment options (Section 4.1.3), Suite B IPsec ...

How traffic defined by an SPD entry will be handled is determined by the Action specified in the entry, as shown in Table 4.2.

Table 4.2. Configurable SPD Entry Actions
Apply: inbound packets must be IPsec-protected; outbound packets are IPsec-encrypted and sent as ESP ...

Action - determines how packets selected by the local and remote subnet parameters specified above will be handled: Drop (default selection) - drop packets without further processing. Bypass - receive and send only unprotected packets ...
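The SPD actions in Table 4.2 and the Action setting above, as an added example that is not part of the Fortress guide or product: a Python evaluator that takes a list of SPD entries (local subnet, remote subnet, action) and a packet and returns what happens to it, so that the security-relevant case is visible: an inbound packet that matches an Apply entry but did not arrive as ESP is dropped, not accepted in the clear. Two points are this example's assumptions because the guide does not state them: entries are consulted in configured order with the first match winning, and an ESP packet selected by a Bypass entry is dropped. The subnets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    APPLY = "Apply"
    BYPASS = "Bypass"
    DROP = "Drop"


@dataclass(frozen=True)
class SpdEntry:
    name: str
    local_subnet: ipaddress.IPv4Network
    remote_subnet: ipaddress.IPv4Network
    action: Action


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    inbound: bool
    esp_protected: bool = False


def entry(name, local, remote, action):
    return SpdEntry(name, ipaddress.ip_network(local), ipaddress.ip_network(remote), action)


def packet(src, dst, inbound, esp=False):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), inbound, esp)


def matches(e, pkt):
    # Inbound: the local subnet is the destination and the remote subnet the source; outbound is the reverse.
    local, remote = (pkt.dst, pkt.src) if pkt.inbound else (pkt.src, pkt.dst)
    return local in e.local_subnet and remote in e.remote_subnet


def evaluate(spd, pkt):
    """Return 'drop', 'accept-clear', 'accept-esp', 'send-clear' or 'send-esp'."""
    for e in spd:  # assumption: entries are consulted in configured order, first match wins
        if not matches(e, pkt):
            continue
        if e.action is Action.DROP:
            return "drop"
        if e.action is Action.BYPASS:
            # Bypass receives and sends only unprotected packets; dropping an ESP packet that
            # a Bypass entry selects is this example's assumption, not documented behaviour.
            if pkt.esp_protected:
                return "drop"
            return "accept-clear" if pkt.inbound else "send-clear"
        # Apply: inbound must already be IPsec-protected, outbound is encrypted and sent as ESP
        if pkt.inbound:
            return "accept-esp" if pkt.esp_protected else "drop"
        return "send-esp"
    return "drop"  # assumption: traffic matching no entry is treated like the Drop default


if __name__ == "__main__":
    # Constructed policy: the 10.0.0.0/24 site talks to 192.168.1.0/24 only over IPsec and
    # to a local management subnet in the clear.
    spd = [entry("to-hq", "10.0.0.0/24", "192.168.1.0/24", Action.APPLY),
           entry("local-mgmt", "10.0.0.0/24", "10.0.1.0/24", Action.BYPASS)]
    print(evaluate(spd, packet("192.168.1.5", "10.0.0.7", inbound=True)))       # cleartext from HQ: drop
    print(evaluate(spd, packet("192.168.1.5", "10.0.0.7", inbound=True, esp=True)))
    print(evaluate(spd, packet("10.0.0.7", "10.0.1.9", inbound=False)))
```

When you review an SPD, read it from the inbound side: every Apply selector is also a statement that cleartext from that remote subnet will be discarded, and a Bypass selector that is broader than intended quietly exempts traffic from IPsec.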
4.2.3 IPsec Pre-Shared Keys. As an alternative to using a digital certificate, the identity of a given IPsec peer can be authenticated by a static pre-shared key (PSK), as configured on both parties to the initial ISAKMP transaction.

To delete IPsec peer PSKs: Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen's Pre-Shared Keys frame: If you want to delete the PSK for a single or selected ...

matches the DN C=US, ST=Florida, O="Fortress Technologies", OU=Engineering, but does not match the DNs C=US, ST=Florida, OU=Engineering or C=US, ST=Florida, L=Oldsmar, O="Fortress Technologies". Priority - establishes the order in which the ACL entry will be applied, from ..., relative to other configured ACL entries.

Authentication is enabled on the Bridge when at least one authentication server is configured and enabled on the Bridge. You can configure two types of authentication server for the network, depending on the network configuration:

NOTE: If you are using an external RADIUS server, configure user timeouts in that service.

Role, Fortress-Password-Expired) and administrators must be configured on the server. Fortress Vendor-Specific Attributes are provided in the configuration file dictionary.fortress included on the Bridge software CD and available for download at www.fortresstech.com/support/. Consult your external RADIUS server documentation for instructions on configuring the service ...

relevant server, and failed credentials are not forwarded to any other server. If the server with first priority for a given authentication type becomes unavailable, the next server in the priority sequence that has also been configured to support that authentication type will be used.

4.3.1.3 Server Type and Authentication Types. The Server Type setting identifies the type of authentication service running on the configured server, while the Auth Types selections specify which type(s) of authentication credentials will be sent to the server. Refer to the description at the beginning of this section (Section 4.3) on page 133 for more detail.

Table 4.4. External Authentication Server Settings
Simple & Advanced Views: Admin. State, IP Address, Server Name, Port, Server Type, New/Confirmed Shared Key
Advanced View Only: Priority, Max Retries, Retry Interval, Auth Types

To configure a RADIUS server in Simple View: Log on to the Bridge GUI through an Administrator-level account and select from the ...

4.3.2.2 Local Authentication Server Port and Shared Key. The Port setting configures the port to be used to communicate with the local authentication server. The default authentication server port is 1812, as assigned by the IANA (Internet Assigned Numbers Authority) for RADIUS server authentication.

(Section 4.1.13), the user will be prompted to re-enter a valid username and password. Set Default Idle Timeout in minutes, between ... The default is ... minutes. The Default Session Timeout setting determines the amount of time a device can be present on the network before the current session is ended and the associated Device ID and/or user credentials must be reauthenticated and keys renegotiated ...

4.3.2.7 Local 802.1X Authentication Settings. The Bridge's internal RADIUS server can be configured to authenticate 802.1X supplicant credentials using two possible EAP (Extensible Authentication Protocol) types. EAP-MD5 verifies an MD5 (Message-Digest algorithm 5) hash of each user's password, which requires a user's credentials to ...

NOTE: EAP-TLS provides a signifi...

In EAP-TLS, the authentication server selects the cipher suite to use from the list of supported suites sent by the client device (or rejects the authentication request if none of the proposed suites is acceptable). TLS Cipher does not apply to EAP-MD5 authentication.

4.3.3 Local User and Device Authentication. You can configure user and device authentication settings even when the Bridge's local authentication is disabled (the default). The settings will only be applied when the local RADIUS server ...

NOTE: When using an external authentication server, user and (when applicable) device authentication settings ...
Individual User Authentication Settings. User authentication on the Fortress Bridge requires the usual settings to identify, track and manage access for each user on the Bridge-secured network.

Figure 4.11. User Database Entry frame, Advanced View, all platforms

Administrative State - determines whether user access to ...

by default, the Session Timeout value in the User Authentication Setting frame will be ... minutes. You can add and edit locally authenticated users only in Advanced View. An existing account's Username cannot be changed, but you can edit any other value associated with a user account. To configure locally authenticated user accounts: Log on to the Bridge GUI through an Administrator-level account and select ...

Click the User Entries frame's DELETE button. Confirm the deletion in the confirmation dialog. Deleted accounts are removed from the User Entries list.

4.3.3.2 Local Device Authentication. Fortress's device authentication assigns each Fortress device, including those running the Fortress Secure Client, a unique ...

NOTE: Device authentication is supported ...

In Authentication Method, simultaneously enable device authentication and configure the default user authentication setting, by selecting one of: Device auth with user auth by default - enables user authentication for new devices by default. Device auth without user auth by default - disables ...

for instance), that hostname is included for the device when it is first added to the DEVICE AUTHENTICATION screen. If no hostname is associated with the device, it will be added without one. You can edit an existing hostname or add one for a device that has no hostname.

of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the Device Entries frame: If you are adding a device, click NEW DEVICE and enter ...

device's session is idle timed out by the Bridge in this way, the device must re-establish its connection; if it is re-accessing an encrypted zone it must also reauthenticate. Idle timeouts can be configured for two types of devices: Secure Client devices - are the devices running the Fortress ...

The remaining Access Control functions are covered below. These prevent, or define limits for, overall network access, whether by administrators or users.

4.5.1 MAC Address Access Control. The Bridge allows you to create and maintain an ACL of MAC (Media Access Control) addresses permitted to access the ...

CAUTION: If you ignore the relevant warning, you can block all network access by ...

Figure 4.16. MAC Access Whitelist frame, Advanced View, all platforms

When you have finished adding permitted MAC addresses, in the MAC Access Whitelist frame, in Administrative State, click Enabled ...

CAUTION: If your current MAC address is not on the whitelist when ...
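The lockout the CAUTION above warns about, as an added example that is not part of the Fortress guide or product: a Python pre-flight check to run against the list of permitted MAC addresses before setting Administrative State to Enabled. It normalises the address notations people paste in (colon, dash, dotted and bare hex), rejects group addresses, which can never identify a single device, and refuses to proceed when the administrator's own MAC is absent. Treating an empty whitelist as blocking everything is this example's assumption, as are the function names; the addresses in the usage block are constructed.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form for aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def is_unicast_mac(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) is clear for a unicast address."""
    return int(normalize_mac(mac)[:2], 16) & 0x01 == 0


def can_enable_whitelist(whitelist, admin_mac):
    """Return (ok, reason). Refuses the two self-inflicted lockouts: an empty list
    (assumption: no entries means nothing is permitted) and a list missing the
    administrator's own MAC, which is the CAUTION in the guide."""
    entries = set()
    for m in whitelist:
        if not is_mac(m):
            return False, f"{m!r} is not a valid MAC address"
        if not is_unicast_mac(m):
            return False, f"{normalize_mac(m)} is a group (multicast/broadcast) address and cannot identify a device"
        entries.add(normalize_mac(m))
    if not entries:
        return False, "whitelist is empty; enabling it would block all network access"
    me = normalize_mac(admin_mac)
    if me not in entries:
        return False, f"{me} (your current MAC) is not on the whitelist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    permitted = ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"]
    print(can_enable_whitelist(permitted, "001a.2b3c.4d5e"))
    print(can_enable_whitelist(permitted, "00:1a:2b:3c:4d:60"))
```

Remember that the MAC you need on the list is the one of the interface you are administering through, which on a laptop may differ between its wired and wireless adapters; and, as the cleartext-access discussion later in this chapter notes, MAC addresses are sent in the clear and can be spoofed, so the whitelist is an accident guard, not an authenticator.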
To edit the description of an existing MAC address entry: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> ...

Allow (the default) - auto-populating controller devices will be allowed to connect. Pending - auto-populating controller devices require an administrator to change their individual Auth State settings to Allow before they can connect. Deny - auto-populating controller devices are not allowed to ...

In the Edit a Controller entry dialog, edit the MAC address or Auth State (you cannot change the Device ID). Click APPLY in the dialog (or CLOSE it to cancel the action). When you have finished adding and/or editing Controller entries, click APPLY in the upper right of the screen (or ...

the smallest effective set of accessible ports is specified for each cleartext device; cleartext device access is enabled only when needed. Once cleartext access to encrypted interfaces has been established for a device, the Bridge uses the device's MAC address, IP address and port number to authenticate it on the network.

having no means to decrypt/encrypt Fortress MSP traffic). To do so, you must configure cleartext access for the AP. Cleartext access configured to permit direct communication with APs can represent a security risk: APs' MAC addresses are necessarily transmitted in clear text and could be spoofed.

Well Known Trusted Device Ports. Well Known TD Ports - specifies accessible groups of well-known ports, grouped by function. Well Known TD Ports options are available only when Device Type (Section 4.5.3) is Trusted Device.

Figure 4.22. Well Known TD Ports

To delete cleartext access for APs and Trusted Devices: You can delete cleartext access to the Bridge's encrypted zone for a single device or for all devices. Log on to the Bridge GUI through an Administrator-level account and select ...

NOTE: Disabling or deleting cleartext access for an AP does not disable the ac...

of the page, then Configure -> Logging/Auditing from the menu on the left. In the Logging/Auditing screen's Global Logging Settings frame: In Auditing, click Enabled to turn audit logging on. In Remote Log Storage, click Enabled to direct the ...

Figure 4.24. Global Auditing Settings frame, Advanced View, radio-equipped platforms

4.6.2.1 Logging Administrative Activity by Event Type. You can specify which events can be sent to the audit log by three broad types: Login - When Enabled, logon activity by subject ...

through and whether the interface is encrypted or clear, wired or wireless: Audit by User Interface - There are four ways an administrator can access the Bridge: Console - a serial connection to the chassis Console port ...

To configure audit logging by event type, Fortress security status and interface: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> ...

In the Logging/Auditing screen's MAC Auditing Settings frame, click NEW MAC ENTRY. In the resulting screen's MAC Auditing Entry frame, enter the MAC address you want to configure for audit logging and, optionally, a description of up to 250 alphanumeric characters, symbols and/or spaces.

To configure learned device audit logging: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Logging/Auditing from the menu on the left. On the Logging/Auditing screen, in the Learned Device Auditing Settings frame, click ENABLE to audit event ...
Bridge GUI Guide: Monitoring Chapter 5 System and Network Monitoring

The Bridge GUI provides access to an array of system and operating information under Monitor on the main menu and on Configure -> Administration, and displays the FIPS Monitor indicators described below on every screen.

FIPS Indicators. In the upper left of Bridge GUI screens, above the main menu, the Bridge reports three pieces of information relevant to ...

these fields displays the basic FIPS state; the text output can reiterate or augment the indicator: Green - Healthy - The Bridge passed the last FIPS tests. Yellow - Testing - The Bridge is running FIPS self-tests. ...

System Information displays: Unencrypted MAC - the MAC address of the Bridge's management interface. Device ID - the Fortress Device ID, as uniquely generated for each device on a Fortress-secured network and used, when applicable, for device authentication. Software Version / Firmware Revision - the Fortress software ...

(or No Lines). The legend in the top right corner of the screen shows what the lines depict and the relative ranges indicated by Green, Yellow, and Red status colors. By default, Bridges in the Topology View are labeled with their IPv4 addresses.

5.4.1 Uploading a Background Image. You can upload a JPEG (.jpg) image file of up to 1 MB, typically a map or satellite image, to use as the Topology View background. Log on to the Bridge GUI through an Administrator-level account and select from the Monitor menu ...

configured (as APs or FP Mesh Access interfaces) to provide network access to wireless devices within range.

Figure 5.7. Connections screen, Associations tab, all radio-equipped platforms

Radio - identifies the radio to which the device is connected. ...

shows current connections to any BSS the Bridge has configured as the bridging interface in a network of Fortress Bridges.

Figure 5.8. Connections screen, Bridge Links tab, all radio-equipped platforms

radio N - identifies the radio on which the BSS forming the ...

Because of the radio enhancements and traffic handling efficiencies defined in the newer standard, bridging links formed between radios configured to use 802.11n (refer to Section 3.3.2.2) can show Rate values higher than the Maximum Rate configured for either individual interface (refer to Section 3.3.4.10).

Auth State - the state of the device's network authentication process. Possible values include: Unknown - connected, not yet ready to proceed. Initial - ready to proceed, waiting for the Client to respond. Started - response received, authentication in process. ...

The controls at the upper left of the tab and individual checkboxes for connected Clients permit you to: RESET selected sessions: end their current sessions and force them to reauthenticate on the Bridge. When Allow Cached Credentials is Enabled (the default), locally authenticated users are reauthenticated ...

Update Access ID - Access ID push in progress for the device. Date Learned - the start date/time of the controller device's current session. The controls at the upper left of the tab and individual checkboxes for connected controller devices permit you to: RESET selected sessions: end their current sessions and ...

Success - authentication succeeded: network access permitted. Locked - authentication failed: network access blocked. Auth State does not apply to hosts connected through a clear interface on the current Bridge. Date Learned - the start date/time of the current session ...

The MAC Address, IP Address and Hostname of the DHCP client device are displayed, followed by the date and time the lease Expires.

Figure 5.12. Connections screen, DHCP Leases tab, all platforms

Configuration and operation of the Bridge's DHCP services are described in Section 3.6.1.

Figure 5.14. Statistics screen, Ethernet Interface Statistics frame, ES210, ES440, ES820

For each of the Bridge's Ethernet interfaces, the Bridge displays the Status and basic interface statistics described above, as well as: Link - displays whether the interface's physical link is: ...

Duplex - displays whether the device's transmission mode is Full Duplex or Half Duplex (or displays n/a if the duplex setting does not apply). State - the bridging status of the node from which the link is ...

MAC Address - the Media Access Control address of the virtual interface the BSS provides.

5.6.2.3 Bridge Link Interface Statistics. BSSs that are acting as nodes in a mesh network of Fortress Bridges (i.e., those performing a network bridging function) are shown in their own frame.

5.6.3 VLAN Statistics. The Bridge tracks VLAN traffic and displays the information, by VLAN ID, for each configured VLAN ID, in Monitoring -> Statistics.

Figure 5.17. Statistics screen, VLAN Statistics frame, all platforms

For each of packets received (RX) and packets sent (TX) on each VLAN configured on the Bridge, the screen displays: Clear - unencrypted packets received/sent ...
Bridge GUI Guide: Monitoring Peer Address - identifies the remote IPsec peer participating in the SA by IP address. Remote Address and Remote Mask - identify the subnet of remote IP addresses defined in the SPD entry used by the SA (the inbound source subnet or outbound destination subnet).
Bridge GUI Guide: Monitoring Global Settings are displayed in the Bridging Configuration frame and described in detail in sections 3.2.1.1 through 3.2.1.5. Mesh Status Bridging Configuration Figure 5.19. screen, frame, all platforms 5.8.2 FastPath Mesh Statistics When FP Mesh is licensed and enabled, the Fortress Bridge gathers statistics on mesh network operations for display in the FastPath Mesh Statistics frame.
Page 200
Bridge GUI Guide: Monitoring received by the current MP since Statistics were last cleared. Adds - NMP information added by network peers Deletes - NMP information deleted by network peers Access Rx Ctl - count of the number of FP Mesh control Non- ...
Bridge GUI Guide: Monitoring 5.8.3 FastPath Mesh Peers and Neighbors All MP nodes on the FP Mesh network, including the current MP, are shown in the Peers frame of the Mesh Status screen. MPs directly connected to the current MP are shown in Neighbors .
Bridge GUI Guide: Monitoring and previous hop—are shown in the first three columns of the Multicast/Broadcast Forwarding frame, along with local interface and mode information. Mesh Status Multicast/Broadcast Forwarding Figure 5.23. screen, frame, all platforms Dest. MAC - the destination MAC address of the multicast ...
current multicast subscriptions are shown in the Multicast Groups frame.
Figure 5.24. Mesh Status screen, Multicast Groups frame, all platforms
MAC Address - the MAC address of the multicast stream
IP Addresses - the addresses of IP multicast groups the MP ...
listed in ascending order of cost, with the lowest cost path listed first.)
Routes - possible routes to the destination MP in descending order of preference
5.8.7 FastPath Mesh Loops
FP Mesh prevents bridging loops from forming on Core interfaces, which connect MPs to one another.
when the cryptographic processor is restarted
system and communication errors
when FP Mesh neighbors are discovered and lost (when Fortress’s FastPath Mesh is licensed and enabled)
The log is allocated 256 Kbytes of memory and can contain a maximum of approximately 2,000 log messages (approximate because record sizes vary somewhat).
When remote audit logging is enabled (Section 4.6.1), log messages sent to the external audit log are identified as AUDIT messages. Internally generated audit events are flagged AUDIT internal. Audit events generated by administrative action additionally identify the account and interface the administrator was logged onto at the time of the event.
Bridge GUI Guide: Maintenance
Chapter 6 System and Network Maintenance
The Bridge GUI provides access to a number of administrative and diagnostic functions under Maintenance on the main menu. Only Bridge GUI Advanced View displays the Licensing link.
The administrative functions you can access through Maintain vary according to whether you are in Bridge GUI...
System Maintenance
You can reset sessions only in Advanced View.
Figure 6.1. Advanced View Reset Clients frame, all platforms
To reset connections:
Log on to the Bridge GUI through an Administrator-level or Maintenance-level account and select ADVANCED VIEW in the upper right corner of the page, then...
The next time the Bridge boots, it will boot the specified image.
6.1.5 Upgrading Bridge Software
Fortress Technologies regularly releases updated versions of Fortress Bridge software to add new features, improve functionality and/or fix known bugs. Upgrade files may be...
The Bridge flash memory is partitioned into two bootable image areas. The software upgrade file is written to the non-running partition—i.e., the partition that does not contain the software currently running on the Bridge. The upgrade therefore does not take effect until the Bridge is rebooted (as described in Section 6.1.2), and the currently running software is retained on the partition it was originally written to.
how quickly each completes, you may not see every operation. When upgrade operations are Finished, the dialog Note instructs you to restart the controller device to activate the newly upgraded software image. Click CLOSE to close the Upgrade Status dialog.
The Version frame on the System screen shows the non-running image number as the Image for Next Boot.
those in the backup file.
Fortress Technologies recommends backing up the Bridge configuration:
Bridge of the same model. You cannot restore from a backup file created on a...
To restore the Bridge configuration from a backup file:
Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left.
CAUTION: The restore operation overwrites existing set-...
Bridge is reset to factory defaults.
Because the Bridge’s configuration settings could themselves be sensitive, Fortress Technologies recommends restoring them to their default values whenever the Bridge is to be shipped (or otherwise transported) out of a secured location. In order to fully restore the Bridge to its factory configuration defaults, you must perform a separate restore operation for the software image on each of the Bridge’s flash memory partitions...
If you want to restore the default configuration on both of the Bridge’s flash memory partitions, reopen your browser. Log back on to the Bridge GUI (at the default IP address: 192.168.254.254) through an Administrator-level account...
NOTE: In order to re-access a Bridge at factory defaults, you must use a new browser instance on a computer...
The generated key pair is saved for use by the Bridge’s certificate management function. The PEM-formatted CSR generated is suitable for cutting and pasting for submission to a Certificate Authority (CA). It is not retained in the Bridge’s configuration, but you can open (or save) it at the time you generate the CSR, or reconstruct it later with the button associated with its entry in the X.509...
In the resulting Generate KeyPair frame, enter values into the fields provided (described above) and click APPLY (or CANCEL the addition). The generation of the CSR will be recorded in the X.509 Keys frame, with the associated key pair displayed by Name, with...
NOTE: You can retrieve the CSR for a key pair with the asso-...
an intermediate CA certificate
an end certificate corresponding to a public key manually generated on the Bridge with the GENERATE KEY button (described above) or the Bridge CLI generate command (refer to the CLI Software Guide).
Figure 6.11.
Issuer - identifies the issuer X.500 DN.
Valid As Of and Valid Until - define the time span during which the certificate is valid by start and end times.
In Use - identifies the Bridge function to which the certificate ...
6.2.2.2 Assigning Stored Certificates to Bridge Functions
Locally stored signed certificates can have any of three applications on the Bridge, as indicated in the In Use column of the X.509 Certificates list:
ssl - the Secure Socket Layer certificate is used by the ...
The specified function will be listed for that certificate in the X.509 Certificates frame, under In Use.
Figure 6.13. X.509 Certificates frame, all platforms
6.2.2.3 Changing and Clearing Certificate Assignments
You can change the SSL certificate assignment from the default, automatically generated, self-signed certificate, but you cannot configure the Bridge to use no digital certificate for SSL.
The CLEAR IPSEC CERTIFICATE button likewise returns the Bridge’s IPsec function to the default state, in which no certificate is assigned and only PSK is used to authenticate IPsec peers (if pre-shared keys have been configured). Refer to Section 4.2 for more information on IPsec operation and configuration.
performance at that level, with no more than the maximum number of active connections shown in Table 6.2.
Table 6.2. Performance Levels
Configuration    Encrypted Throughput    Maximum Active Devices
FC-250           250 Mbps
FC-500           500 Mbps                1000
FC-1500          1.5 Gbps                3000
a.
If you have not yet obtained a license key or group license for feature(s) you want to enable on Bridge(s) already in your possession, you will need to give Fortress Technologies the serial number of each Bridge on which you wish to enable a new feature.
field provided. (Group licensing files include a digital signature and must be used intact.)
Figure 6.17. Advanced View Enter License Group dialog, all platforms
UPLOAD LICENSE GROUP - to browse to the location of a group licensing file and select it for upload.
Log on to the Bridge GUI through an Administrator-level or a Maintenance-level account and select Maintain -> Network from the menu on the left. In the Network screen’s Operation frame, use the Type radio buttons to select the tool you want to use:
Ping
Traceroute...
Record the password in a secure place; Fortress Technical Support will need it to decrypt the support package file.
NOTE: Support package file passwords can be 1–20 alphanumeric characters.
Click DOWNLOAD, and, if your browser is set to block pop-ups/file downloads, take the necessary actions to allow the...
802.16 - WiMAX, WirelessMAN™ or the Air Interface Standard.
Access ID - In Fortress Technologies products, a user-defined, 16-digit hexadecimal value that provides network authentication for all devices authorized to communicate over a Fortress-secured network. Network authentication is one of the components of Multi-factor Authentication™.
64 bits (56-bit encryption, 8 parity bits). NIST withdrew its FIPS-approval for DES on May 19, 2005.
device authentication - In Fortress Technologies products, a means of controlling network access at the level of individual devices, tracking them via their generated Device IDs and providing controls to explicitly allow and disallow them on the network;...
FIPS - Federal Information Processing Standards—issued by NIST, FIPS mandate how IT, including network security, is implemented by the U.S. government and associated agencies.
FIPS operating mode - In Fortress Technologies products, the operating mode that complies with FIPS 140-2 Security Level 2.
Fortress Security Controller - Sometimes, —Fortress’s FC-...
DNS hierarchy of a particular entity on the network.
frame - In Fortress Technologies GUIs, a portion of a larger screen or dialog, graphically set apart from other elements on the screen and providing the interface for a specific feature or function set.
ES520 Bridge: Glossary
IPsec - Internet Protocol security—a set of protocols developed by the IETF to support secure exchange of packets at the IP layer, deployed widely to implement VPNs.
IPv4 - Internet Protocol version 4—the first widely implemented and still the most prevalent version of IP.
National Security Agency—United States intelligence agency administered by the Department of Defense.
NTLM - Windows NT LAN Manager—a user authentication protocol developed by Microsoft®.
operating mode - In Fortress Technologies products, the way in which access controls and cryptographic processing are implemented on the Fortress-secured network.
Secure Client Bridge - Refer to Fortress Secure Client Bridge.
Secure Client device - In Fortress Technologies products, a device such as a laptop, PDA, tablet PC, or barcode scanner, that has the Fortress Secure Client installed and configured to permit the device to communicate on the Fortress-secured network.
Trusted Device - In Fortress Technologies products, a device that does not have the Secure Client installed but is allowed network access through rules defined for it on the Fortress Bridge.
WiMAX - Worldwide Interoperability for Microwave Access—the IEEE 802.16 specification for fixed, broadband, wireless MANs that use a point-to-multipoint architecture, defining bandwidth use in the licensed frequency range of 10 GHz–66 GHz and the licensed and unlicensed frequency range of 2 GHz–11 GHz.
WIDS - Wireless Intrusion Detection System—a means for detecting and preventing unauthorized or unwelcome connections to a network.