Security Analytics Virtual Appliance




Security Analytics Virtual Appliance Installation Guide for VMware 19 March 2015

This document is intended to help you use the web interface to configure your Security Analytics Virtual Appliance to perform network traffic capture, filtering, and playback, or to function as a Central Manager Console. It is not intended as a guide to policies or procedures for either network security or network forensics. This document attempts to provide the best information possible; however, this information is provided AS-IS and without warranty of any kind for accuracy, completeness, or currency. All references and links to Web sites are valid as of the date of publication, but the content and nature of those Web sites and pages is subject to change without our knowledge or control.

Copyrights, Trademarks, and Intellectual Property

A trademark symbol (™) or a registered trademark symbol (®) denotes a Blue Coat Systems trademark. A degree sign (°) denotes a third-party trademark. All third-party trademarks and all other trademarks mentioned in this document are the property of their respective owners.

Copyright 2015 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at apache.org/licenses/license-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

The Blue Coat Security Analytics Platform includes freeradius-client libraries, freeradius-client-devel, and freeradius-client-libs. The FreeRADIUS Client library is distributed under the BSD license: freeradius.org/freeradius-client/.

GNU General Public License Source Code Requests

Blue Coat Systems will provide a machine-readable copy of the GPL open-source code on a CD. To obtain a copy, send a written request, along with a certified check or money order in the amount of U.S. $25.00, payable to Blue Coat Systems, Inc., to:
ATTN: Customer Support, GPL Source Code Request, Security Analytics
Blue Coat Systems, Suite 400, 25 E Scenic Pointe Drive, Draper, UT 84020 USA

2 of 16

Introduction

This installation guide describes the installation and initial configuration of the Blue Coat Security Analytics Virtual Appliance using VMware and the web interface. With the web interface, you can manage the Security Analytics Virtual Appliance settings, control what is being captured, generate a variety of reports about the captured data, and view, package, and regenerate captured data. You can also configure the Security Analytics Virtual Appliance to operate as a Central Manager Console (CMC).

This guide includes the following sections:
- Requirements
- Installation
- Preparing the Security Analytics Virtual Appliance

For detailed information about using the web interface, select Settings > Help > English on the web interface. The help files include a command-line interface (CLI) section (Reference > CLI Commands) that provides advanced configuration and operation controls for the Security Analytics Virtual Appliance.

For assistance with the installation of your Security Analytics Virtual Appliance, contact Blue Coat Technical Support:
Contact Information: bluecoat.com/support/technical-support/contact-service-support
BlueTouch Online: bto.bluecoat.com

Table of Contents

1 Requirements ... 5
2 ESX Server Configuration ... 6
  2.1 Management Network ... 6
  2.2 Capture Network ... 7
  2.3 Virtual Machine Network ... 8
  2.4 Playback Network ... 9
3 Virtual Appliance Installation ... 10
  3.1 ESX Configuration ... 10
  3.2 Workstation Configuration ... 11
  3.3 Add Indexing and Capture Virtual Disks ... 12
4 Virtual Appliance Administration ... 13
  4.1 Configure Initial Settings ... 13
5 Troubleshooting the Installation ... 14
6 Appendix: Virtual Machine Sizing ... 16

1 Requirements

The Security Analytics Virtual Appliance has the following hardware and software requirements:

- 12 to 64 GB of memory per VM
- Disk space per datastore: see Appendix: Virtual Machine Sizing
- 4 to 8 CPU cores per VM
- Two or more Ethernet adapters (VMware does not support capture on wireless NICs)
- VMware software platform for running the virtual appliance:
  o ESXi: VMware ESXi 5 server (ESXi 5.5 is recommended for Security Analytics Platform 7.0+)
  o Workstation: one of Workstation 9, Fusion 5, or Player 6
  o VMware vSphere Client: VMware Infrastructure Client (VI Client) or vSphere Client
- 64-bit architecture on the host for running the 64-bit Solera OS guest VM
- A workstation with a Web browser running one of the following:
  o Microsoft Internet Explorer (IE) 8+
  o Firefox 18+
  o Safari 5+
  o Chrome 24+
  Cookies must be enabled in the browser. JavaScript must be enabled in the browser.

Supported Versions

Security Analytics Version    VMware Version                  End of Support
DeepSee 6.0                   VMware ESXi 5.0 and 5.1         12 Dec 2014
DeepSee 6.6.x                 VMware ESXi 5.0, 5.1 or 5.5     14 Jun 2016
Security Analytics 7.0.x      VMware ESXi 5.0, 5.1 or 5.5     TBA
Security Analytics 7.1.x      VMware ESXi 5.0, 5.1 or 5.5     TBA

2 ESX Server Configuration

This configuration assumes that the VMware ESX server is installed and configured with the correct datastores. Before importing the Security Analytics Virtual Appliance, configure the ESX server as follows:
- Create a Management Network
- Create a Capture Network (not applicable to Central Manager Console [CMC])
- Create a Virtual Machine Network (optional; not applicable to CMC)
- Create a Playback Network (optional; not applicable to CMC)

2.1 Management Network

By default, the VMware ESX server uses vSwitch0 for ESX management and for creating a VM network. You must modify vSwitch0 to permit management of the Security Analytics Virtual Appliance. Note that removing the default VM Network port group (step g) disconnects any virtual machines that are already attached to it, so check for such VMs first.

Create a management network
a. Connect to the ESX server using the vSphere client.
b. In the left pane, click the target ESX server.
c. In the right pane, open the Configuration tab.
d. Select Hardware > Networking.
e. For vSwitch0, click Properties.
f. In the left pane, select VM Network.
g. Click Remove, then Yes.
h. Click Add, select Virtual Machine, and click Next.
i. Label the network SA Management, leave the VLAN ID field blank, and click Next.
j. Click Next, Finish, and Close.

2.2 Capture Network

If you plan to use this VM as a CMC, do not configure a capture network.

To capture all network traffic, you must create a capture network whose port group accepts promiscuous mode. This network should be located on a separate vSwitch, not on vSwitch0. Promiscuous mode lets the sensor's virtual NIC see every frame that reaches that vSwitch, so what the sensor captures depends on what the vSwitch's physical uplink is connected to (for example, a mirror/SPAN port or a tap). The Accept setting applies to every VM attached to the port group, not only to the sensor, so attach nothing else to it.

Create a capture network
a. Connect to the ESX server using the vSphere client.
b. In the left pane, select the target ESX server.
c. In the right pane, open the Configuration tab.
d. Select Hardware > Networking.
e. Click Add Networking.
f. Select Virtual Machine and click Next.
g. Select Create a virtual switch, select an available VM NIC, and click Next.
h. Label the network Capture Network, and leave the VLAN ID field blank.
i. Click Next, then Finish.
j. Click Properties for vSwitch1.
k. Select Capture Network, then click Edit.
l. Click the Security tab, select the Promiscuous Mode check box, and select Accept from the drop-down menu.
m. Click OK, and then click Close.

2.3 Virtual Machine Network

If you plan to use this VM as a CMC, do not configure a virtual machine network.

Use the VM network to capture traffic from virtual systems attached to the same vSwitch. If you are not planning on capturing virtual traffic, you may skip to section 2.4 Playback Network.

Create a virtual machine network
a. Connect to the ESX server using the vSphere client.
b. In the left pane, select the target ESX server.
c. In the right pane, open the Configuration tab.
d. Select Hardware > Networking.
e. For vSwitch1, click Properties.
f. Click Add, then select Virtual Machine.
g. Label the network VM Network.
h. Select Next, then Finish.
i. On the Ports tab, select VM Network, then click Edit.
j. Click the Security tab and select the Promiscuous Mode check box.
k. Select Accept from the drop-down menu.
l. Click OK, and then Close.

2.4 Playback Network

If you plan to use this VM as a CMC, do not configure a playback network.

Use the playback network to play back traffic to either virtual networks or physical networks. If you are not planning on playing back traffic to either type of network, you may skip to Section 3: Virtual Appliance Installation.

Create a playback network
a. Connect to the ESX server using the vSphere client.
b. In the left pane, select the target ESX server.
c. In the right pane, click the Configuration tab.
d. Select Hardware > Networking.
e. Click Add Networking.
f. Select Virtual Machine, then click Next.
g. Select Create a virtual switch.
h. Select an available VM NIC and click Next.
i. Label the network Replay Network and leave the VLAN ID field blank.
j. Click Next, then Finish.
k. For the vSwitch you just created (vSwitch2, if vSwitch1 carries the capture network), click Properties.
l. Select Replay Network, then click Edit.
m. On the Security tab, select the Promiscuous Mode check box.
n. Select Accept from the drop-down menu.
o. Click OK, then Close.

Playing back traffic to the same virtual or physical network that you used for capture can create network storms. Use extreme caution when playing back network traffic.
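The same vSwitch and port-group work (sections 2.2 to 2.4) can be done from the ESXi shell with esxcli rather than by clicking through the vSphere Client. The script below is an added example, not code from the guide or from Blue Coat. It assumes ESXi 5.x esxcli syntax, uplink names vmnic1 and vmnic2, and that promiscuous mode is wanted on the port group only; none of these come from the guide. With DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the guide): sections 2.2 to 2.4 with esxcli.
# Assumptions: ESXi 5.x esxcli syntax, uplinks vmnic1/vmnic2, run in the
# ESXi shell with DRY_RUN=0 to apply. DRY_RUN=1 only prints commands.

DRY_RUN="${DRY_RUN:-1}"

# Print the command (quoting arguments that contain spaces) or run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        for a in "$@"; do
            case "$a" in
                *' '*) printf "'%s' " "$a" ;;
                *)     printf '%s ' "$a" ;;
            esac
        done
        printf '\n'
    else
        "$@"
    fi
}

# A dedicated standard vSwitch with one physical uplink. Capture and
# replay traffic must stay off vSwitch0, which carries ESXi management.
new_vswitch() {
    vswitch="$1"; uplink="$2"
    run esxcli network vswitch standard add --vswitch-name="$vswitch"
    run esxcli network vswitch standard uplink add \
        --vswitch-name="$vswitch" --uplink-name="$uplink"
}

# A port group whose security policy accepts promiscuous mode. The policy
# is set on the port group, not on the whole vSwitch, and vSwitch0 is
# refused: every VM attached to a promiscuous port group sees all frames
# on that vSwitch, so only the sensor belongs on it.
add_promisc_portgroup() {
    vswitch="$1"; pg="$2"
    case "$vswitch" in
        [vV][sS]witch0)
            echo "refusing promiscuous port group on $vswitch (management switch)" >&2
            return 1 ;;
    esac
    run esxcli network vswitch standard portgroup add \
        --vswitch-name="$vswitch" --portgroup-name="$pg"
    # MAC-address changes and forged transmits stay at their defaults;
    # a sensor only listens on this interface.
    run esxcli network vswitch standard portgroup policy security set \
        --portgroup-name="$pg" --allow-promiscuous=true
}

# Read the effective policy back; AllowPromiscuous must show true.
show_policy() {
    run esxcli network vswitch standard portgroup policy security get \
        --portgroup-name="$1"
}

main() {
    new_vswitch vSwitch1 vmnic1
    add_promisc_portgroup vSwitch1 "Capture Network"   # section 2.2
    add_promisc_portgroup vSwitch1 "VM Network"        # section 2.3
    new_vswitch vSwitch2 vmnic2
    add_promisc_portgroup vSwitch2 "Replay Network"    # section 2.4
    show_policy "Capture Network"
}

main "$@"
```

Run it once with the default DRY_RUN=1 and read the printed commands, then with DRY_RUN=0 on the host; the final `policy security get` is the check that the Accept setting actually took effect before you map the sensor's NICs to these port groups in section 3.1.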

3 Virtual Appliance Installation

These installation steps assume that you have downloaded and extracted the virtual appliance from Blue Coat Systems. If you have not downloaded and extracted these files, please contact Security Analytics Support.

IMPORTANT: DO NOT attempt to install VMware Tools on Security Analytics Virtual Appliances.

3.1 ESX Configuration

Install the virtual appliance on an ESX(i) server
a. Connect to the ESX server using the vSphere client.
b. In the left pane, select the target ESX server.
c. In the vSphere client, select File > Deploy OVF Template to start the Deploy OVF Template wizard.
d. Select Deploy from file and browse to the directory where you extracted the Security Analytics Virtual Appliance files.
e. Select the OVF file and click Open.
f. Click Next twice.
g. Accept the default name of the virtual appliance and click Next.
h. Map the virtual networks accordingly:
   SA Management to SA Management (vSwitch0)
   Capture Network to Capture Network (vSwitch1) (not for CMC)
   Replay Network to Replay Network (vSwitch2) (not for CMC)
i. Click Next and then click Finish.
j. The virtual appliance begins importing. The import may take up to 10 minutes, depending upon your ESX hardware. Do not interrupt the import process.

Important: Do not power on the Security Analytics Virtual Appliance until you have followed the steps in Section 3.3: Add Indexing and Capture Virtual Disks.

3.2 Workstation Configuration

Follow these steps if you are using the Evaluation for VMware Workstation.

Install the virtual appliance on a Workstation
a. Extract the Security Analytics Virtual Appliance ZIP file to your workstation.
b. Launch VMware Player or equivalent.
c. Select File > Open, locate the VMX file, and open it.

Important: Do not power on the Security Analytics Virtual Appliance until you have followed the steps in Section 3.3: Add Indexing and Capture Virtual Disks.

The workstation VM image is not intended to run on VMware ESX. If you would like access to the ESX virtual appliance trial, please contact the Blue Coat Sales Team.

3.3 Add Indexing and Capture Virtual Disks

Except for the ESX trial version, the Security Analytics Virtual Appliance includes one virtual hard disk, which is the system virtual disk. To function properly, the Security Analytics Virtual Machine requires two additional virtual disks, for indexing and capture. If you have deployed the ESX trial VM, the capture and indexing virtual disks have already been configured for you.

It is highly recommended that you place the capture virtual disks on a logical unit comprising at least three (3) physical hard drives to achieve optimal capture performance. It is also recommended that you not share the logical unit with any other virtual machines, to avoid excess read/write overhead.

Add indexing and capture virtual disks on ESX
a. In the vSphere client, select the virtual machine and click Edit Virtual Machine Settings.
b. On the Hardware tab, click Add.
c. Select Hard Disk and click Next twice.
d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual disk(s). When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB value.
e. Click Next twice and then Finish.
f. Repeat steps b through e for the indexing virtual disk.
g. Power on the virtual machine.

Add indexing and capture virtual disks on the Workstation
a. In VMware Workstation/Fusion/Player, select Edit Virtual Machine Settings.
b. Click Add or Add Device.
c. Select Hard Disk.
d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual disk(s). When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB value.
e. Repeat steps b through d for the indexing virtual disk.
f. Power on the virtual machine.

Booting the virtual appliance for the first time will take several minutes. While the virtual machine starts, you will see a progress indicator. Press the Esc key to view additional information while the virtual appliance is booting.
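On an ESXi host the same disks can be created and attached from the ESXi shell, which also lets you enforce the sizing rule from the appendix (index disk at least 20% of the capture disks) before anything is written to the datastore. The script below is an added example, not code from the guide or from Blue Coat. It assumes ESXi 5.x vmkfstools and vim-cmd syntax, the VM id as shown by `vim-cmd vmsvc/getallvms`, that SCSI controller 0 has units 1 and up free, and a datastore directory name of sa-sensor; none of these come from the guide. Sizes are given in whole GB (1.6 TB = 1600), which avoids the GB/TB unit mix-up the guide warns about in the vSphere Client.

```shell
#!/bin/sh
# Added example (not from the guide): section 3.3 from the ESXi shell.
# Assumptions: ESXi 5.x vmkfstools/vim-cmd, VM id from
# `vim-cmd vmsvc/getallvms`, SCSI controller 0 with units 1.. free,
# VM powered off. DRY_RUN=1 (default) prints commands instead of running.

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Appendix rule: index must be at least 20% of total capture space.
# Integer GB, rounded up. Returns 0 when the sizing is acceptable.
index_ok() {
    total_capture_gb="$1"; index_gb="$2"
    min_gb=$(( (total_capture_gb + 4) / 5 ))
    [ "$index_gb" -ge "$min_gb" ]
}

# make_disks VMID DATASTORE N_CAPTURE CAPTURE_GB_EACH INDEX_GB
make_disks() {
    vmid="$1"; ds="$2"; ncap="$3"; cap_gb="$4"; idx_gb="$5"
    total=$(( ncap * cap_gb ))
    if ! index_ok "$total" "$idx_gb"; then
        echo "index ${idx_gb} GB is under 20% of ${total} GB capture" >&2
        return 1
    fi
    dir="/vmfs/volumes/$ds/sa-sensor"
    run mkdir -p "$dir"
    unit=1
    i=1
    while [ "$i" -le "$ncap" ]; do
        disk="$dir/capture$i.vmdk"
        # eagerzeroedthick: space is allocated and zeroed up front, so
        # capture writes never wait on the datastore growing the file.
        run vmkfstools -c "${cap_gb}G" -d eagerzeroedthick "$disk"
        run vim-cmd vmsvc/device.diskaddexisting "$vmid" "$disk" 0 "$unit"
        unit=$(( unit + 1 ))
        [ "$unit" -eq 7 ] && unit=8   # unit 7 is the SCSI controller itself
        i=$(( i + 1 ))
    done
    disk="$dir/index.vmdk"
    run vmkfstools -c "${idx_gb}G" -d eagerzeroedthick "$disk"
    run vim-cmd vmsvc/device.diskaddexisting "$vmid" "$disk" 0 "$unit"
}

# 5T profile from the appendix: 3 x 1.34 TB capture, 1.0 TB index.
main() {
    make_disks 12 datastore1 3 1340 1000
}

main "$@"
```

With DRY_RUN=0 the disks are created eagerly, which for multi-terabyte sizes takes a while; run it before powering the VM on, as the guide requires, and confirm the new disks appear under Edit Virtual Machine Settings before the first boot.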

4 Virtual Appliance Administration

The Security Analytics Virtual Appliance includes the full web interface and a command-line interface (CLI) for configuring and managing the Security Analytics Virtual Appliance. Once the virtual appliance is running, you can use either interface to administer and configure the virtual appliance. The Security Analytics Virtual Appliance user interface is identical to the user interface for Security Analytics Appliances.

4.1 Configure Initial Settings

By default, the management interface (eth0) is set to 192.168.20.20. Follow these steps to assign a temporary IP address:

Assign a temporary IP address
a. Log in to the CLI using the following credentials: username admin, password Solera.
b. Use ifconfig to temporarily assign an IP address to the management interface (eth0):
   sudo ifconfig eth0 <IP_address> netmask <subnet_mask>
   sudo route add default gw <IP_of_default_gateway>
   View the assigned IP address:
   ifconfig eth0

Use the web interface to configure the initial settings.

Launch the web interface
a. Launch a Web browser and navigate to the IP address for eth0. You can use either HTTP or HTTPS; prefer HTTPS, since over HTTP the login credentials cross the management network in the clear.
b. At the Login page, type the default username and password, both of which are case-sensitive:
   Username: admin
   Password: Solera
c. Click Log In.
d. The End User License Agreement (EULA) is displayed. Accept the terms. The Initial Configuration page is displayed.
e. Select Settings > Help and then select your language under Online Help Files.
f. View the "Initial Settings" page for instructions on initial appliance configuration. All virtual appliances must also follow the steps to license the appliance.

The default username and password above are published in this guide, so change the admin password as part of the initial settings, before the management interface is reachable from anything other than the installation workstation.

5 Troubleshooting the Installation

The following sections discuss some common issues and other items to be aware of when using the Security Analytics Virtual Appliance. If you have any questions or need further assistance, contact Blue Coat Support.
Contact Information: bluecoat.com/support/technical-support/contact-service-support
BlueTouch Online: bto.bluecoat.com

Cannot Connect to the UI
1. Verify that you can ping the host IP address from the virtual appliance.
2. Verify that the virtual appliance has a valid gateway route:
   [prompt]# route
3. Restart the network services:
   [prompt]# sudo service network restart
4. Verify that the network interface of the machine where the virtual appliance is running is a bridged network interface. Refer to the VMware documentation for information on how to configure the network interfaces.

Cannot Capture Data
1. Verify that IP has been disabled on the physical interfaces that capture data.
2. Verify that you have modified the virtual interface's port group to accept promiscuous mode.
3. Confirm that you added the index and capture virtual disks before powering on the VM for the first time. If this was not done, delete the VM and start over.

Networking Not Working Properly
If networking is not working properly within the guest OS VM (for example, you do not have a valid routing table, or you did not obtain an IP address from your DHCP server), restart the networking service at least once to resolve the issue:
   [prompt]# sudo service network restart
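The temporary addressing of section 4.1 and the route and reachability checks from "Cannot Connect to the UI" above fit naturally into one script for the appliance CLI. The one below is an added example, not code from the guide or from Blue Coat. It assumes net-tools style ifconfig and route output, a Linux ping that accepts -c and -W, and that the account has sudo rights as the guide's admin user does; the `route -n` sample embedded in it is constructed, not output from a real appliance. With DRY_RUN=1 (the default) the privileged commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the guide): section 4.1 temporary addressing
# plus the section 5 "Cannot Connect to the UI" checks. Assumptions:
# net-tools ifconfig/route, Linux ping, sudo rights. DRY_RUN=1 (default)
# prints privileged commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed sample of `route -n` output in the shape the appliance
# prints it; not real output from the guide.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.20.1    0.0.0.0         UG    0      0        0 eth0'

# Four dotted-decimal octets, each 0-255. A typo here would otherwise
# be handed straight to ifconfig and silently misconfigure eth0.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# Print the default gateway from `route -n` text on stdin; fail if the
# table has no default route (check 2 in "Cannot Connect to the UI").
default_gateway() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; found = 1 }
         END { if (!found) exit 1 }'
}

# Section 4.1: address eth0 and add the default route, after validation.
set_temp_ip() {
    ip="$1"; mask="$2"; gw="$3"
    for v in "$ip" "$mask" "$gw"; do
        valid_ipv4 "$v" || { echo "not an IPv4 address: $v" >&2; return 1; }
    done
    run sudo ifconfig eth0 "$ip" netmask "$mask"
    run sudo route add default gw "$gw"
}

# Section 5: confirm a default route exists and the gateway answers
# before blaming the browser; restart networking if there is no route.
check_ui_reachability() {
    gw="$(route -n 2>/dev/null | default_gateway)" || {
        echo "no default route; restarting network" >&2
        run sudo service network restart
        return 1
    }
    run ping -c 3 -W 2 "$gw"
}

main() {
    set_temp_ip 192.168.20.20 255.255.255.0 192.168.20.1
    printf '%s\n' "$SAMPLE_ROUTE" | default_gateway
}

main "$@"
```

On the appliance, call `check_ui_reachability` with DRY_RUN=0 after `set_temp_ip`; if the gateway does not answer, the problem is between the sensor's eth0 and the SA Management port group (or a non-bridged interface on a Workstation host, check 4 above), not the web interface itself.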

64-bit Host Operating System with Virtualization Technology (VT)

The Solera Virtual Machine requires that the server's CPU be both 64-bit and VT capable. More information about running a 64-bit guest OS on VMware platforms can be found in Article 1003945, "Hardware and Firmware Requirements for 64-bit Guest Operating Systems", in the VMware Knowledge Base (http://kb.vmware.com/). If you are uncertain of your ESX server or host computer's 64-bit compatibility, you can obtain a processor check utility from VMware via Article 1003945, referenced above.

Error Message: "This kernel requires an x86_64 CPU, but only detected an i686 CPU. Unable to boot - please use a kernel appropriate for your CPU."
You attempted to start the guest OS VM on an ESX server or host computer that is not 64-bit and VT capable. Install VMware ESX on a server, or run the workstation VM on a computer, that is both 64-bit and VT capable.

Error Message: "You have configured this virtual machine to use a 64 bit guest operating system. However, 64 bit operation is not possible. This host is VT capable, but VT is disabled."
You attempted to start the guest OS VM on an ESX server or host computer that is both 64-bit and VT capable, but whose VT support is turned off. This is usually because VT has been disabled in the BIOS/firmware settings, or the ESX server or host computer has not been power-cycled since changing this setting.
1. Verify these BIOS/firmware settings: enable VT and disable trusted execution.
2. Power-cycle the ESX server or host computer if you changed either of these BIOS/firmware settings.
3. Power-cycle the ESX server or host computer if you have not done so since installing VMware.
4. Update the host computer's BIOS/firmware to the latest version.
For more details, see Article 1003945, referenced above.

6 Appendix: Virtual Machine Sizing

Consult the following as a guideline for configuring your Security Analytics Virtual Machine.

              50G      500G     2T       5T            10T          CMC*          ESX Trial   Workstation
Capture       40 GB    0.4 TB   1.6 TB   3 x 1.34 TB   5 x 1.6 TB   n/a           1.5 TB      100 GB
Index         10 GB    0.1 TB   0.4 TB   1.0 TB        1.7 TB       n/a           220 GB      20 GB
System        80 GB    0.1 TB   0.5 TB   0.75 TB       1 TB         100+ GB       80 GB       80 GB
RAM (GB)      12       12       16       32            64           12 to 32      12          8
CPUs          8        8        8        8             8            8 to 32       8           4

* CMC sizing depends on factors such as the average capture rate and the number of sensors that the CMC controls. Increase the size of the system disk as the capture speed and number of sensors increase. Refer to the table below as a general guideline.

Ave. Capture Rate (Up to 16 sensors)   RAM     CPUs
< 0.5 Gbps                             12 GB   8
0.5 Gbps                               12 GB   8
2 Gbps                                 16 GB   16
5 Gbps                                 32 GB   32

The size of the capture and index virtual disks for the VMware Workstation evaluation can be increased as long as the index disk is at least 20% the size of the capture disk.