
Device fingerprinting – Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003099-01


20. Select OK to save the updates to the MAC Firewall rule. Select Reset to revert to the last saved configuration.

Device Fingerprinting

With the increase in Bring Your Own Device (BYOD) use on corporate networks comes a parallel increase in the number of possible attack scenarios within the network. BYOD devices are unmanaged, so the organization's security mechanisms do not extend to these personal devices when they join the corporate wireless network. Organizations can protect their network by limiting how and what these BYOD devices can access on and through the corporate network.

Device fingerprinting assists administrators by identifying the class of each client and controlling how BYOD devices of that class access the corporate wireless domain.

Device fingerprinting uses the DHCP options a client sends in its DHCP DISCOVER and REQUEST packets to derive a signature specific to its device class. For example, Apple devices present a different signature from Android devices. The signature is used to classify clients, and permissions and restrictions are then assigned per device class. Because the client itself builds these DHCP options, the signature is a classification aid rather than proof of device identity: a client can send the options of another device class, so the policy applied to each class should still limit what that class can reach.
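The following is an added example written for this page, not code from the guide or from Brocade, showing the mechanism the paragraph describes: the DHCP option field of a client DISCOVER or REQUEST is parsed, the parameter request list (option 55) and vendor class (option 60) form the signature, and the signature is looked up in a table to pick a device class and a per-class policy. The packets, the signature table and the VLAN policy are constructed for the example; a real controller ships its own signature database and this example treats the order of the requested options as significant.

```python
"""DHCP option fingerprinting, illustrative code for this page (not Brocade code).
Packet bytes, device classes, signatures and the VLAN policy below are constructed."""
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that follows the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_PRL, OPT_VENDOR_CLASS = 53, 55, 60
DISCOVER, REQUEST = 1, 3


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option field of a DHCP packet and return {code: value}.
    Raises ValueError for anything that is not well-formed DHCP, so a caller can
    treat a non-DHCP or truncated frame as 'unknown' instead of crashing."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: bad length or magic cookie")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                      # PAD: one byte, no length field
            i += 1
            continue
        if code == 255:                    # END
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated options concatenate
        i += 2 + length
    return opts


def fingerprint(opts: Dict[int, bytes]) -> Tuple[Tuple[int, ...], str]:
    """Signature = option 55 parameter request list, in the order the client sent it,
    plus the option 60 vendor class string."""
    prl = tuple(opts.get(OPT_PRL, b""))
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", errors="replace")
    return prl, vendor


# Constructed signature table: (device class, parameter request list, vendor class
# substring or "" for any).  Only the shape of a signature is being illustrated.
SIGNATURES: List[Tuple[str, Tuple[int, ...], str]] = [
    ("apple-ios", (1, 121, 3, 6, 15, 119, 252), ""),
    ("android",   (1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "android-dhcp"),
    ("windows",   (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), "MSFT 5.0"),
]

# Constructed per-class policy standing in for the controller's role/VLAN rules.
POLICY = {"apple-ios": "vlan 20", "android": "vlan 20", "windows": "vlan 10",
          "unknown": "vlan 99 quarantine"}


def classify(packet: bytes) -> str:
    """Return the device class for a client DISCOVER/REQUEST, 'unknown' otherwise.
    The client builds these options itself, so the class is a classification aid,
    not proof of device type; the policy for the class must still bound its access."""
    try:
        opts = parse_dhcp_options(packet)
    except ValueError:
        return "unknown"
    if opts.get(OPT_MSG_TYPE) not in (bytes([DISCOVER]), bytes([REQUEST])):
        return "unknown"                   # only client-side messages carry the signature
    prl, vendor = fingerprint(opts)
    for name, sig_prl, sig_vendor in SIGNATURES:
        if prl == sig_prl and (not sig_vendor or sig_vendor in vendor):
            return name
    return "unknown"


def policy_for(packet: bytes) -> str:
    return POLICY[classify(packet)]


def build_client_message(mac: bytes, options: List[Tuple[int, bytes]],
                         msg_type: int = DISCOVER, xid: int = 0x3903F326) -> bytes:
    """Build a minimal BOOTP/DHCP client message (236-byte fixed header, magic cookie,
    option 53, the given options, END).  Used here only to construct sample input."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,             # xid, secs, flags=broadcast
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type]) + body + b"\xff"


if __name__ == "__main__":
    mac = bytes.fromhex("a45e60010203")            # constructed client MAC
    ios = build_client_message(mac, [(OPT_PRL, bytes((1, 121, 3, 6, 15, 119, 252)))])
    droid = build_client_message(mac, [(OPT_VENDOR_CLASS, b"android-dhcp-10"),
                                       (OPT_PRL, bytes((1, 3, 6, 15, 26, 28, 51, 58, 59, 43)))],
                                 msg_type=REQUEST)
    for pkt in (ios, droid):
        print(classify(pkt), "->", policy_for(pkt))
```

The vendor-class check shows why a signature needs more than the option list alone: the Windows entry requires both its parameter request list and the "MSFT 5.0" vendor class, so a client sending that list with a different vendor string falls through to the quarantine VLAN rather than being granted the Windows policy.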

NOTE

Ensure DHCP is enabled on the WLAN on which device fingerprinting is to be enabled. A client that does not use DHCP (for example, one configured with a static address) never sends a DISCOVER or REQUEST and therefore cannot be fingerprinted by this mechanism.

To define a device fingerprinting configuration on controllers, service platforms and Access Points:

1. Select Configuration > Security > Device Fingerprinting. The Client Identity screen displays by default, populated with existing client identity configurations.

Action

The following actions are supported:
Log - Logs the event when this rule is applied to a wireless client's association attempt.
Mark - Modifies certain fields inside the packet and then permits it; mark is therefore an action with an implicit permit. The fields that can be marked are:
- VLAN 802.1p priority
- DSCP bits in the header
- TOS bits in the header
Mark, Log - Applies both the log and mark actions.

Ethertype

Use the drop-down menu to specify an Ethertype. An EtherType is a two-octet field within an Ethernet frame. It's used to indicate which protocol is encapsulated in the payload of the frame.

Precedence

Use the spinner control to specify a precedence for this MAC firewall rule between 1 and 1500. Rules with a lower precedence value are always applied to packets first. More than one rule can share the same precedence value.

Description

Provide a description for the rule to differentiate this MAC Firewall rule from others with similar configurations. This should be more descriptive than simply repeating the name of the rule.