ArpWatch

With "ArpWatch", the Appliance can detect and report network devices (nodes) located in the same network segment as the Appliance. The Appliance detects "ARP who-has" requests. The MAC addresses seen in these requests are compared with the list of MAC addresses that currently have an active connection to the Appliance; an active connection indicates that an Agent is running on the node. If the node that owns a detected MAC address does not connect to the Appliance within the next 3 minutes, the Appliance reports this MAC address as not secured by SecuLution. The Appliance sends alarms to the syslog server for nodes that are neither secured nor ignored:

Alarms:

Nodes that are neither secured by the Agent nor marked as "ignore" will trigger an alarm.

Secured:

Nodes which are secured by the Agent are listed in the "secured" list.

Ignored:

Nodes that cannot be secured by SecuLution (e.g. Linux nodes, printers) can be ignored.
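
The classification described above can be modelled as follows. This is an added sketch, not SecuLution's code: the event tuples, function names, the "pending" state and the sample MAC addresses are assumptions made for the example, and it assumes an Agent connection stays active once it has been seen.

```python
GRACE_SECONDS = 180  # the page's "within the next 3 minutes"

def normalize_mac(mac):
    """Canonical lowercase colon form, so AA-BB-.. and aa:bb:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(events, ignored, now):
    """Return {mac: 'secured' | 'ignored' | 'alarm' | 'pending'} at time `now`.

    events: (unix_time, kind, mac); kind is 'arp' (who-has request seen in the
    segment) or 'agent' (a connection from that MAC reached the Appliance).
    """
    ignored = {normalize_mac(m) for m in ignored}
    first_arp, first_agent = {}, {}
    for ts, kind, mac in sorted(events):
        if kind not in ("arp", "agent"):
            raise ValueError(f"unknown event kind: {kind!r}")
        if ts > now:
            continue  # not observed yet at the evaluation time
        table = first_arp if kind == "arp" else first_agent
        table.setdefault(normalize_mac(mac), ts)
    status = {}
    for mac, seen in first_arp.items():
        deadline = seen + GRACE_SECONDS
        if mac in first_agent and first_agent[mac] <= deadline:
            status[mac] = "secured"
        elif mac in ignored:
            status[mac] = "ignored"
        elif now < deadline:
            status[mac] = "pending"  # still inside the grace window
        else:
            status[mac] = "alarm"    # neither secured nor ignored
    return status

# Constructed sample data, not taken from a real network.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    (T0,       "arp",   "00:11:22:33:44:01"),  # workstation running the Agent
    (T0 + 20,  "agent", "00-11-22-33-44-01"),  # same MAC, different notation
    (T0 + 5,   "arp",   "00:11:22:33:44:02"),  # printer on the ignore list
    (T0 + 10,  "arp",   "00:11:22:33:44:03"),  # unknown node without Agent
    (T0 + 170, "arp",   "00:11:22:33:44:04"),  # seen shortly before evaluation
]
SAMPLE_IGNORED = ["00-11-22-33-44-02"]

if __name__ == "__main__":
    for mac, state in classify(SAMPLE_EVENTS, SAMPLE_IGNORED, T0 + 200).items():
        print(mac, state)
```

Normalising the MAC notation before comparison matters when the "ignored" list is maintained as an exported and re-imported CSV, since the same address written with different separators would otherwise never match.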

Changes to lists and backups

Each list can be exported as CSV; the "ignored" list can also be imported from a backup.
To mark a MAC address as "ignore" so that it will not trigger alarms in the future, click the checkbox "ignore" in the alarm. This will add a new entry in the "ignored" list. However, this "ignored" list is not yet applied on the server. Changes to the "ignored" list must be applied by clicking the "apply ignorelist" button while the ignorelist is being displayed. Ignoring a MAC address will hide it from the alarms which you are currently seeing in the AdminWizard, but since this is only a copy of the alarms on the Appliance, you should also click on "clear all alarms".