How To Install Securify




PART NO: SV-IG-601-11-08 Securify Installation Guide

© 2008 McAfee, Inc. © 2008 Secure Computing Corporation. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation. Product names used within are trademarks of their respective owners. Secure Computing and Securify are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries.

This manual, as well as the software or any Secure Computing Corporation products described in it, is furnished by Secure Computing Corporation under license and must be used or copied only in accordance with the terms of such license. The content of this manual is furnished as is for informational use only, is subject to change without notice, and should not be construed as any commitment or warranty by Secure Computing Corporation regarding the content of the manual, the software, or any products described herein. Secure Computing Corporation assumes no responsibility or liability for the content of the manual, any errors, or any inaccuracies that may appear in this manual. Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, transmitted, distributed, or translated in any form or by any means, electronic or mechanical, including photocopying and recording, without the prior written permission of Secure Computing Corporation, 20245 Stevens Creek Blvd., Suite 200, Cupertino, CA 95014, Attn.: Legal Department.

Notice to U.S. government end users: The software and documentation are commercial items, as that term is defined at 48 C.F.R. 2.101, consisting of commercial computer software, and commercial computer software documentation, as such terms are used in 48 C.F.R. 12.212 or 48 C.F.R. 227.7202, as applicable. Consistent with 48 C.F.R. 12.212 or 48 C.F.R. 227.7202-4, as applicable, the commercial computer software and commercial computer software documentation are being licensed to U.S. government end users as only commercial items and with only those rights as are granted to all other end users pursuant to the terms and conditions set forth in the Secure Computing commercial agreement for this software. Unpublished rights are reserved under the copyright laws of the United States.

Use of this manual, software, or any Secure Computing Corporation product(s) is governed by the Secure Computing Corporation License Agreement. Secure Computing makes no warranties, express, implied, or statutory, with respect to the manual, the software, or product(s) described herein, and Secure Computing Corporation expressly disclaims all warranties, including without limitation any warranty of non-infringement, merchantability, fitness for a particular purpose, informational content, or system integration. Secure Computing Corporation reserves the right to revise the information in this manual at any time without notice.

Twelfth edition August, 2008. Thirteenth edition November, 2008. This document applies to V6.0.1.

Secure Computing Corporation
20425 Stevens Creek Blvd., Suite 200
Cupertino, CA 95014
Tel 408.343.4300
Fax 408.343.4301
www.securecomputing.com

Table of Contents

Chapter 1 Introducing Securify Installation
    Related Documentation

Chapter 2 Installing Securify Studio
    System Requirements
    Installing Studio Software
    Starting Securify Studio

Chapter 3 Installing and Upgrading a Securify Distributed Login Collector
    System Requirements
    DNS Resolution Requirements
    Installing DLC Software
    Configuring the DLC
    Server Certificate
    SecurVantage Connection
    Log
    DC Connection
    DLC Remote Configuration
    Using Microsoft Management Console for Certificate Management
    Importing/Removing a Server or Client CA Certificate for DLC
    Using NTLMv2 with DLCs

Chapter 4 Installing Securify Monitors, Enterprise Managers, or Enterprise Global
    System Requirements
    Overview of Installation
    Appliance Packaging
    Configuring an Appliance on a Network
    All Appliances
    Monitor Product Line
    Flow Monitor and Flow Monitor SE
    Wiring an Appliance
    Installing the Core Appliance Software
    Optionally Enable a Serial Port Connection
    What's Next?

Chapter 5 Installing Securify Enterprise Reporting
    About the Enterprise Reporting Hardware
    Configuring Enterprise Reporting on a Network
    Wiring an ER Gateway and ER Warehouse
    Installing Enterprise Reporting Software
    Configuring the Crystal Enterprise Software
    Enabling the Crystal Enterprise License Key
    Enabling the Crystal Enterprise Servers
    Enabling Auditing
    Configuring Report Retention
    Formatting the Third Hard Drive
    What's Next?

Chapter 6 Allowing SSH Access

Appendix A Upgrading Securify Software

Appendix B Managing Certificates
    Managing Certificates with the Web Application
    Generating a New Self-signed Certificate
    Uploading a Signed Certificate and Private Key
    Converting PEM to PKCS#12
    Uploading an NMSS Client Certificate on an Enterprise Manager
    Requiring Client Certificates
    Connecting with Signed Certificates
    Updating a Monitor Connected to an Enterprise Manager
    Updating an ER Gateway Connected to an Enterprise Manager
    Updating an Enterprise Manager Connected to Another Securify Appliance
    Updating an Enterprise Global Connected to an Enterprise Manager
    Updating a Computer Running Studio
    Managing Certificates for Connections

CHAPTER 1 Introducing Securify Installation

This guide provides instructions for installing all Securify products, including:

- Installing Securify Studio on page 11
- Installing and Upgrading a Securify Distributed Login Collector on page 15
- Installing Securify Monitors, Enterprise Managers, or Enterprise Global on page 27
- Installing Securify Enterprise Reporting on page 39
- Upgrading Securify Software on page 59

Note: See Related Documentation on page 8 for information about other Securify documentation.

Related Documentation

The following diagram depicts the recommended path you should follow through the Securify documentation.

Quick Start Guides
These guides ship as single-page printed documents with your Securify appliance. They are designed to provide information that helps you get up and running quickly.

Release Notes
This document contains important information about a release, including a summary of new features, descriptions of compatibility issues, if any, installation and upgrade instructions, and descriptions of known and resolved issues.

Securify Deployment Guide
This guide provides an architectural overview of the Securify system, and descriptions of the Securify products. It is your introduction to the components and concepts that comprise a Securify system. It contains a glossary for Securify-related terms and information to help you get started quickly.

Securify Installation Guide
Provides instructions for installing all Securify products, including:

- Securify Studio
- Securify Distributed Login Collector
- Securify Monitor (all models)
- Securify Enterprise Manager (all models)
- Securify Enterprise Reporting (ER Gateway and ER Warehouse)
- Securify Enterprise Global

Also included are instructions for uploading software updates to Securify appliances and for managing certificates. Issues related to configuring credentials for the DLC to use with your directory are covered at the end of the Securify Deployment Guide.

Securify Studio User Guide
Provides details regarding the features and functionality of the Studio policy development and traffic analysis application.

Securify Web Application Operations Guide
Provides details regarding the features and functionality of the Web application shared by the Monitor product family and Enterprise Manager products for analyzing network traffic and managing the appliance deployments.

Securify Enterprise Reporting Operations Guide
Provides details regarding the features and functionality of the Web application used to access the data aggregated from many Enterprise Managers, including how to archive a record of your network traffic so that you are able to produce reports covering weeks and months of logged user behaviors.

Securify Enterprise Global User Guide
Provides details regarding the features and functionality of the Web application that provides an overview of many Enterprise Managers, from how to arrange connectivity between the machines to the advantages of high-level monitoring across a large and geographically-dispersed network.

Securify External Scanner Integration Guide
Provides details regarding how to build and configure a stand-alone Nessus vulnerability scanner, as well as how to integrate it with your Securify deployment.

CHAPTER 2 Installing Securify Studio

This chapter provides instructions for installing Securify Studio (Studio).

- System Requirements on page 12
- Installing Studio Software on page 12
- Starting Securify Studio on page 14

Studio is the Securify policy development and security analysis environment. It enables:

- Security architects to quickly create and refine policies.
- Network administrators to perform detailed traffic analysis.
- Operations personnel to associate actions and owners with policy violations.

You can use Studio alone to develop policy or, in conjunction with a Securify Monitor and the Studio Analyzer feature, to analyze real-time traffic.

System Requirements

The Securify Studio software requires a system that meets these minimum hardware and software requirements:

- Processor running at 1 GHz or better
- 1 GB RAM (or more, to improve performance)
- 10 GB hard drive free space
- Display set to 1024x768 pixels or greater
- Microsoft Windows 2000 or Windows XP

Installing Studio Software

The Studio software is shipped on a single CD. This CD contains the preassigned password you need during the installation process.

Note: Studio is incompatible with Symantec Norton Ghost. Prior to installing Studio, ensure that you do not have Norton Ghost installed on your system. If it is installed, uninstall it before proceeding with the installation of Studio.

To install Studio software:

1. Make a note of the password that appears on the Studio CD before you insert it into the CD drive.
2. Back up relevant files from the Studio installation directory (such as asset files or policy files) if you are re-installing or upgrading Studio to the same directory, then delete the previous installation directory. Once Studio is installed, you can copy these files back into their respective directories.
3. Insert the Studio CD. Using Windows Explorer, display the contents of the Studio CD.
4. Double-click the setup icon. The Studio Installer starts. The Welcome window advises you to exit all other applications before continuing.
5. Click Next to display the license agreement.
6. Read the license agreement, then click Yes if you agree to accept the terms of the license agreement.
7. Follow the instructions on your screen to:
   a. Type your user name and company name. Click Next.
   b. Select a location for the Studio installation. Click Next. You can accept the default location, or click Browse to select another one. If you need to run two versions of Studio at the same time (for example, if some of a network's Monitors are on 5.4.1 and others are on 6.0), rename your current Studio directory. Otherwise, the new installation writes over the previous installation.
   c. Specify the program group. Click Next.
   d. Click Next again to begin installing.
   e. Type the password from the front of the CD, then click OK.
8. Click Finish when Studio is finished installing.

Starting Securify Studio

You can start Studio the same way you start any application: from a desktop shortcut or from the Start menu.

To start Studio:

Select Start > Programs > Securify Studio N.N.N > Studio vN.N.N (where N.N.N is the version number). Studio appears as shown in Figure 2-1.

Figure 2-1: Securify Studio, initial view

For information about configuring and using Studio, see the Securify Studio User Guide.

CHAPTER 3 Installing and Upgrading a Securify Distributed Login Collector

This chapter provides instructions for installing a Securify Distributed Login Collector (DLC).

Note: Upgrade the DLC last. Everything that communicates with a DLC should be upgraded to the latest version first, and then the DLC itself should be upgraded to the latest version.

The DLC gathers login events from Domain Controllers (DCs) so that monitored network traffic can be associated with user identities.

- System Requirements on page 16
- Installing DLC Software on page 17
- Configuring the DLC on page 18
- Using NTLMv2 with DLCs on page 26
  The default authentication method in Windows environments, LM hash, generates a weak response that can be used by an attacker to perform an off-line, brute-force attack in order to guess the actual password. Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between a DLC and a DC.

System Requirements

The DLC software runs as a Microsoft Windows service on a Windows server, and requires a system that meets these minimum requirements:

- Intel Pentium III processor running at 500 MHz or better
- 1 GB RAM
- 10 GB hard drive free space
- Display set to 1024x768 pixels or greater
- Microsoft Windows 2003 Server Service Pack 1
- Network connectivity to the Securify system (the Enterprise Manager, or the Monitor in the case of a stand-alone Monitor deployment)
- Network connectivity to the DCs of the Microsoft Active Directory domain that the Securify system's policy is expecting to monitor.

Important: Ensure that you have a certificate for the DLC, whether it is a newly generated (by the DLC) self-signed certificate or one generated by a Certificate Authority. The DLC will not function without a certificate.

DNS Resolution Requirements

Proper DNS resolution is a critical prerequisite for Identity Collection. Both the machine hosting the DLC and the Securify Enterprise Manager or Monitor configured to collect identities must be configured to refer to a DNS server that:

- must be able to resolve any domains from which logins are collected. This can be accomplished using DNS forwarding in Microsoft Windows 2003.
- must provide forward resolution for all hosts that belong to any domains from which logins are collected
- must provide reverse resolution for all Domain Controllers from which logins are collected
- must be able to access SRV records for all of the Domain Controllers from which logins are collected
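The four DNS requirements above can be checked before the DLC is installed. The following PowerShell script is an added example, not part of the Securify guide: it assumes an administrative workstation with the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later) that can query the same DNS server, and it assumes the Domain Controllers are published in the standard Active Directory locator record _ldap._tcp.dc._msdcs.<domain>. The function names, the input hashtable and all host names and addresses are constructed placeholders.

```powershell
# Added example, not part of the Securify guide.
# Requires Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).

function Get-DnsAnswer {
    # Returns only answer-section records of the requested type; nothing on failure.
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type }
    } catch {
        # NXDOMAIN, timeout or refusal all count as "no answer" for this check.
    }
}

function New-Check {
    # One result row per requirement and target.
    param([string]$Requirement, [string]$Target, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{
        Requirement = $Requirement
        Target      = $Target
        Passed      = $Passed
        Detail      = $Detail
    }
}

function Test-DlcDnsPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]    $DnsServer,
        # Hypothetical input shape: domain name -> FQDNs of its Domain Controllers.
        [Parameter(Mandatory = $true)][hashtable] $DomainControllers,
        # Optional sample of ordinary domain members to test forward resolution.
        [string[]] $MemberHost = @()
    )

    foreach ($domain in $DomainControllers.Keys) {
        $dcs = @($DomainControllers[$domain])

        # Requirement 1: the DNS server can resolve the domain itself.
        $soa = @(Get-DnsAnswer $domain 'SOA' $DnsServer)
        New-Check 'Domain resolves (SOA)' $domain ($soa.Count -gt 0) ($soa.PrimaryServer -join ', ')

        # Requirement 4: SRV records are reachable and list every DC.
        $srvName = "_ldap._tcp.dc._msdcs.$domain"
        $targets = @(Get-DnsAnswer $srvName 'SRV' $DnsServer |
            ForEach-Object { $_.NameTarget.TrimEnd('.') })

        foreach ($dc in $dcs) {
            New-Check 'SRV record lists DC' $dc ($targets -contains $dc) $srvName

            # Requirement 2: forward resolution of the DC.
            $ips = @(Get-DnsAnswer $dc 'A' $DnsServer | ForEach-Object { $_.IPAddress })
            New-Check 'Forward resolution (A)' $dc ($ips.Count -gt 0) ($ips -join ', ')

            # Requirement 3: at least one of the DC's addresses maps back to its name.
            $ptr = @($ips |
                ForEach-Object { Get-DnsAnswer $_ 'PTR' $DnsServer } |
                ForEach-Object { $_.NameHost.TrimEnd('.') })
            New-Check 'Reverse resolution (PTR)' $dc ($ptr -contains $dc) ($ptr -join ', ')
        }
    }

    # Requirement 2 also covers ordinary hosts in the collected domains.
    foreach ($h in $MemberHost) {
        $ips = @(Get-DnsAnswer $h 'A' $DnsServer | ForEach-Object { $_.IPAddress })
        New-Check 'Forward resolution (A)' $h ($ips.Count -gt 0) ($ips -join ', ')
    }
}

# Constructed placeholder values; replace with your DNS server, domain and hosts.
Test-DlcDnsPrerequisites -DnsServer '192.0.2.53' `
    -DomainControllers @{ 'corp.example.com' = @('dc01.corp.example.com', 'dc02.corp.example.com') } `
    -MemberHost 'ws042.corp.example.com' |
    Format-Table -AutoSize
```

Run it once against the DNS server configured on the DLC host and once against the one configured on the Enterprise Manager or Monitor, since both must satisfy the requirements.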

Installing DLC Software

The DLC software is shipped on the Studio CD. You do not need a special passphrase to install the DLC. If you have purchased a license for a Securify Enterprise Manager or for a Securify Monitor, you may install as many instances of the DLC as are needed to provide adequate coverage for the Domain Controllers in your monitored domain.

Note: The DLC service may be incompatible with other Windows applications and processes. Use caution when deploying a DLC on a machine where it must share resources with other heavily utilized services.

To install the DLC software:

1. Uninstall the previous version of DLC if you have one. Use the Add or Remove Programs tool in Control Panel to uninstall the Securify Distributed Login Collector.
2. Ensure that you have also already upgraded all other components that communicate with the DLC (such as the Enterprise Manager).
3. Insert the Studio CD. Using Windows Explorer, display the contents of the Studio CD.
4. Copy the DLC installer (for example DLC_V601_91.exe) from the Studio CD to the target machine.
5. Ensure you are logged in as an administrator and double-click the local copy of the installation file. Follow the prompts to install:
   a. Accept the license agreement.
   b. Accept the default installation location or select a new one.
   c. Accept the default program group or select a new one.
   d. Allow the installation to start.
   e. Click Config to display the DLC Configuration dialog. For more information, see Configuring the DLC on page 18.
   Note: At the end of the installation, you see the configuration screen. Configuration can take place at this point, or you can click through and configure the DLC later using: C:\Program Files\Securify\DLC\WMICONFIG.EXE.
6. Reboot the server and ensure the DLC service is started after the reboot.

Configuring the DLC

The DLC runs as a Windows service, and starts automatically after every power cycle.

To configure the DLC:

All configuration is done from an application named Securify DLC on the local Windows server. Go to the Start menu, and select Start > Programs > Securify DLC > DLC Configuration to display the DLC Configuration dialog (Figure 3-1).

Figure 3-1: DLC Configuration dialog, Configuration tab.

Note: You do not have to restart the DLC service when you make configuration changes. Changes take effect after you click OK. The DLC's configuration information is stored in the Windows Registry.

Server Certificate

The Server Certificate settings are used to configure the certificate that the DLC uses to authenticate itself to the Enterprise Manager.

Important: Ensure that you have a certificate for the DLC, whether it is a newly generated (by the DLC) self-signed certificate or one generated by a Certificate Authority. The DLC will not function without a certificate. To reconnect a DLC to an Enterprise Manager after a new certificate has been generated, go to Manage > Domains for the Enterprise Manager, select the DLC to reconnect, and then select Submit Changes.

Distinguished Name
The Distinguished Name contains the Common Name and other attributes that the DLC needs to identify the certificate found in its store (see Store Name below) that should be used to authenticate to the server. For example, cn=dlc.centserv.org, o=centserv, c=us could be the Distinguished Name, comprised of the certificate's Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) for identification.

Store Name
The Store Name, or Certificate Store name, is where the DLC looks to find its certificates. The default setting for the Store Name is SecurifyDLC\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES. If the DLC is running in standalone mode, use the Store Name MY. This uses the Store Type CERT_SYSTEM_STORE_CURRENT_USER.

Generate Self-Signed Certificate
Only available when the Distinguished Name field is not blank, the Generate Self-Signed Certificate button generates a self-signed certificate and places it in the certificate store identified by Store Name.

View Certificate
Only available when the Distinguished Name field is not blank, the View Certificate button opens a Windows-standard certificate viewer displaying the certificate matching the Distinguished Name, if one is found in the store.

SecurVantage Connection

The SecurVantage Connection settings are used to configure the connection between the Enterprise Manager or Monitor and the DLC.

Server Port
This option specifies the port for the DLC service to listen on. As long as another service is not listening on the specified port, use your choice of port. The default is port 443. Valid port numbers are 1-65535.

Certificate Checking
This option specifies the check type to perform. There are three types:

- Certificate Hash
  A Certificate Hash check verifies that the hash configured for the given common name matches the hash stored.
- Certificate Store
  The Certificate Store check requires that the certificate be signed by a certificate authority found in the Certificate Store.
- Certified Not Required
  Certificate Not Required does not check any certificate and is not deemed secure.

Securify recommends using Certificate Hash as the most secure method.

Type
The Types of Certificate available are encrypted using TLS or not encrypted. The encrypted certificate type encrypts the session between the DLC and the Monitor or Enterprise Manager. Non-encrypted sessions are not recommended.

Log

The Log settings are used to configure the logging options of the DLC.

Debug Level
This option controls the amount of information written out to the log during operation. The level of detail increases with the debug level; the default is 0, with no extra log detail recorded.

File Location
This option determines where in the system the log files are kept. Default is C:\Program Files\Securify.

File Size
This option controls the size, in kilobytes, to which the log file grows before rotating. The system keeps up to 5 log files in the selected file location; dlc.log is the most recent file, followed chronologically by dlc.log.1 to dlc.log.4.

DC Connection

The DC Connection settings are used to configure the connection to the DC.

Authentication Type
This option specifies the type of authentication for the connection between the DLC and any DCs. Kerberos and NTLM authentication are supported. Default is Kerberos.

Important: With the Kerberos authentication type, all machines using the same target must synchronize their time setting.

CPU Disconnect Threshold
This option determines when the DLC introduces rate-limiting if services on a monitored DC consume too much CPU too quickly. If the CPU threshold is crossed, the DLC stops polling a domain for twenty minutes. After the twenty minute window, giving the CPU time to handle its load, the DLC reconnects. If you find that the DLC is frequently resorting to rate-limiting, you should try disabling the Allow Backlog Queries feature.

Allow Backlog Queries
This option determines whether the DLC checks the security event logs for identity-related events that may have occurred while it was disconnected, instead of simply picking up where it had left off.

Important: Backlog queries are likely to affect the performance of heavily loaded machines and legacy hardware (such as Windows 2000-based DCs) and are not recommended. If you find that the DLC is frequently resorting to rate-limiting, try disabling this feature.

DLC Remote Configuration

The Remote tab contains the certificate common name and certificate hash of any Enterprise Manager (or Monitor) that connects to this DLC.

Note: The DLC accepts any number of Certificates in the Remote tab.

Figure 3-2: DLC Configuration dialog, Remote tab.

To create a new connection:

1. Click New.
2. Type the common name of the certificate into the Common Name field and paste its corresponding hash into the Certificate Hash field.
3. Click OK to commit the information, or click Cancel to quit without saving.

Note: Changes are also committed if you click the Configuration tab.

Using Microsoft Management Console for Certificate Management

DLC uses the Microsoft Certificate store for the management of keys. After installing the DLC, the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the DLC service.

To use MMC:

1. Launch MMC (Start > Run > MMC). The MMC Console is displayed.
2. Navigate to File > Add/Remove Snap-in to display the Add/Remove Snap-in dialog.
3. Click Add to display the Add Standalone Snap-in dialog.
4. Select Certificates and then click Add to display the Certificates snap-in dialog.
5. Select Service account on the Certificates snap-in dialog, and then click Next.
6. Select Local computer, and then click Next.
7. Select Securify Distributed Login Collector from the list of services and then click Finish.
8. Click Close on the Add Standalone Snap-in dialog.
9. Click OK on the Add/Remove Snap-in dialog to close the dialog. MMC displays the certificate information for the DLC.
10. Right-click a certificate or a store to import certificate lists in the display.

Importing/Removing a Server or Client CA Certificate for DLC

See the Microsoft documentation on the Certificate snap-in for MMC on importing a certificate as a CA for DLC.

Using NTLMv2 with DLCs

Securify recommends that you use the NTLMv2 authentication method on Windows 2003 servers where you are running a DLC. This enables the DLC to use NTLMv2 to authenticate to the DCs. This can only be accomplished by modifying the Registry; no changes are required on the DCs.

Warning: This procedure requires modifying the Windows 2003 Server Registry. This could leave your system completely unusable or in an unstable state. Make a backup of your Registry before proceeding. [1] If the Windows 2003 Server offers other services and there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients from using the server.

To force the use of NTLMv2:
1 Log on to the Windows 2003 server where the DLC runs.
  Note: You must have administrator privileges to change the Windows 2003 server Registry.
2 Launch the registry editor (Start -> Run -> regedit).
3 Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
4 Right-click the value LmCompatibilityLevel. See: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/76052.mspx?mfr=true
5 Click Modify.
6 Type the number 5 (only use NTLMv2 authentication and negotiate NTLMv2 session security if the server supports it) and click OK.
7 Restart the Windows 2003 server.
8 Ensure the IA status on the Securify server is OK after 10 minutes.

[1] For more information, see: http://support.microsoft.com/kb/322756/
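The registry check and change from the NTLMv2 procedure above, as an added PowerShell example that is not part of the Securify guide. It assumes PowerShell is installed on the DLC host and is run from an administrator prompt; the function names and the backup directory C:\RegBackup are hypothetical, and the descriptions of levels 0 through 4 follow Microsoft's documentation of the setting rather than this guide.

```powershell
# Added example: audit LmCompatibilityLevel on the DLC host and, on request,
# back up the Lsa key and set the value to 5 as the procedure describes.

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'
$Target    = 5

# What each level means (per Microsoft's documentation of the setting).
$Levels = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured value, or $null when the value does not exist.
    $prop = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]($prop.$ValueName)
}

function Backup-LsaKey {
    # Exports the Lsa key to a timestamped .reg file before any change.
    param([string]$Directory = 'C:\RegBackup')   # hypothetical location
    if (-not (Test-Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    $file = Join-Path $Directory ('Lsa-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw 'Registry export failed; no change was made.'
    }
    return $file
}

function Invoke-NtlmV2Check {
    # Audit only by default; pass -Apply to write the value.
    param([switch]$Apply)

    $current = Get-LmCompatibilityLevel
    if ($null -eq $current) {
        Write-Host "$ValueName is not set; the operating system default applies."
    } else {
        Write-Host ('{0} = {1} ({2})' -f $ValueName, $current, $Levels[$current])
    }

    if ($current -eq $Target) {
        Write-Host 'Already NTLMv2 only; nothing to do.'
        return $true
    }
    if (-not $Apply) {
        Write-Host 'Audit only. Re-run with -Apply to set level 5.'
        return $false
    }

    $backup = Backup-LsaKey
    Write-Host "Lsa key exported to $backup"

    # -Force overwrites an existing value; DWord matches the registry type.
    New-ItemProperty -Path $LsaPath -Name $ValueName -PropertyType DWord `
        -Value $Target -Force | Out-Null

    if ((Get-LmCompatibilityLevel) -ne $Target) {
        throw 'The value did not change; check that the prompt is elevated.'
    }
    Write-Host 'Level set to 5. Restart the server, then confirm the IA status on the Securify server.'
    return $true
}

# Report the current state without changing anything.
Invoke-NtlmV2Check | Out-Null
```

Running `Invoke-NtlmV2Check -Apply` performs the backup and the change; the restart in step 7 is still required for the new level to take effect.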

CHAPTER 4 Installing Securify Monitors, Enterprise Managers, or Enterprise Global

This chapter provides installation instructions, including hardware setup, for version 6.0 of the following Securify appliances:
- Monitor product family (Monitor, Monitor LE, Monitor SE, Flow Monitor, Flow Monitor SE)
- Enterprise Manager and Enterprise Manager SE
- Enterprise Global

In this chapter:
- System Requirements
- Overview of Installation
- Configuring an Appliance on a Network
- Wiring an Appliance
- Installing the Core Appliance Software
- What's Next?

System Requirements

The Securify Web interface you use to manage and configure the Securify appliances requires a system that meets these minimum hardware and software requirements:
- Processor running at 1GHz or better
- 1GB RAM (or more, to improve performance); 2 GB is required to use Group Behavior Profiling (GBP)
- Display set to 1024x768 pixels or greater
- Microsoft Windows 2000 or Windows XP
- Internet Explorer 7 (you should also be able to use Firefox 3 without issues)

Overview of Installation

The installation is identical for all appliances in the Monitor, Enterprise Manager and Enterprise Global product lines. The only difference is in the display of the name of the actual product within the screens during the software installation.

Note: The configuration and installation instructions in this guide are only applicable to version 6.0 of the Securify products. For configuration and installation instructions for the 5.4.1 and earlier versions of the Securify products, see the appropriate version of the Securify Installation Guide. Consult your Securify representative about installing the version 6.0 software onto an older appliance that shipped with an earlier version of the software.

Following is a frontal view of an appliance with the bezel included:

Note: The name of the actual product shown on the bottom-right corner of the appliance bezel varies depending on the product.

Appliance Packaging

Each member of the Monitor, Enterprise Manager, and Enterprise Global product lines consists of a single appliance and comes with the following:
- 1U server mounting rails
- DB9/RJ45 console cable (Monitor and Enterprise Manager products)
- Crossover cable (Enterprise Global)
- Power cord

You may need some or all of the following:
- ethernet cable
- monitor
- hubs
- PS/2 or USB Keyboard
- mouse

Configuring an Appliance on a Network

Ensure you follow the requirements for the appliance you are installing.

All Appliances
- Obtain a static IP address with net mask and gateway parameters
- Obtain information on an SNMP (Simple Network Management Protocol) server so that Securify is able to generate SNMP traps
- Obtain information on an NTP (Network Time Protocol) server connection to automatically synchronize network activity time (otherwise you must synchronize the time for Securify components manually)
- Obtain information on an SMTP (Simple Mail Transfer Protocol) server connection for sending notification email messages for critical violations or system alerts
- Obtain information on a DNS (Domain Name System) server connection for DNS name resolution in the Web Application

Monitor Product Line
In addition to the items listed under All Appliances:
- Identify a physical location where the Monitor appliance(s) can be rack-mounted near a switch with a SPAN port
  Note: The switch must have a SPAN (Switch Port Analyzer) port enabled. SPAN is a feature on the switch that enables port mirroring of traffic on that switch. If SPAN is not currently enabled, contact your switch vendor for SPAN configuration instructions.
- Obtain information on a DNS (Domain Name System) server connection for DNS name resolution in the Web Application

Flow Monitor and Flow Monitor SE
In addition to the items listed under All Appliances:
- Obtain a static IP address with net mask and gateway for Flow data collection

Wiring an Appliance

Each Monitor appliance has two network interfaces:
- Ethernet 1 (Eth 1 on the left)
- Ethernet 2 (Eth 2 on the right)

As part of the configuration for the appliance, you assign an IP address and other related network attributes to the Eth 1 port. For Flow Monitors, you also configure attributes on the Eth 2 port.

Note: Rack the appliance before connecting it to a network. A Monitor appliance should be rack-mounted near a switch with a SPAN port.

To wire an appliance:
1 Use a standard category 5 cable to connect its Eth 1 port to the network. For Enterprise Manager and Enterprise Global appliances, the same port is used for both administrative access and connectivity.
2 (Monitor line) Use a standard category 5 cable to connect the Eth 2 port to the SPAN port it is monitoring or, on a Flow Monitor or Flow Monitor SE, to the network port from which Flow traffic is received.

Figure 4-1: Monitor appliance. Labels: Eth 1, Eth 2, Network, Category 5 cable, Collection point (SPAN port or Flow collection point).

Figure 4-2: Enterprise Manager or Enterprise Global appliance. Labels: Eth 1, Eth 2, Network (for admin access), Category 5 cable.

Installing the Core Appliance Software

Warning: Installing the core appliance software erases the contents of all hard drives when you insert the CD and reboot the appliance.

To install the core appliance software:

Note: Steps 1 through 6 initialize the installation and are typically performed for you by Securify before your appliance is shipped. You will normally start at the configuration phase, step 7, when you receive your appliance.

1 Connect the power cord, monitor, and keyboard (either USB or PS/2) to the appliance.
2 Press the power button located on the front of the appliance to start it.
3 Go into BIOS, then set the time for the appliance to UTC time. For current UTC time, refer to: http://tycho.usno.navy.mil/cgi-bin/timer.pl
4 Open the CD drive, insert the appropriate CD, then reboot the appliance. The installer reports:

    Welcome to the Securify(TM)Installer
    This program will install Securify Monitor.
    Only approved hardware configurations are supported. Please verify your configuration before continuing.
    Continuing will cause ALL hard disks on this computer to be erased and overwritten. Please verify the disks you are using contain no important data.
    To begin the installation, press the <ENTER> key.
    <------------------------------------------------------------->
    boot:

5 Press Enter to begin the installation. You see messages as the installation progresses. When the initial phase is completed, you see a screen showing the product name and version number. Next, you see messages as packages are installed. This can take several minutes.

6 Remove the CD when it is ejected at the end of installation and close the drive on all appliances except for Enterprise Global.
  Once the system reboots, the installer reports information about building the embedded database and provides an estimate of how long it will take. The appliance may reboot a second time before beginning to build the embedded database. After the database is built, the installer reboots the appliance again. Once the appliance reboots, the installer displays:

    The Securify product has been fully installed.
    [System information appears here.]
    The system may be safely rebooted (and then halted) or the system specific information can be entered to finish customizing the system for use.
    Either press <ctl><alt><del> to exit OR <CR> to continue

  The name of the actual product you are installing displays in the installer message above.
  Note: On new appliances, steps 1 through 6, the initialization phase, should be completed.
7 Press Enter to continue with the configuration phase of the installation.
8 Press Enter to read the license agreement when prompted. To navigate through the agreement, press the space bar to move to the next page, press b to move back to the previous page, press h for more help, or press q to quit reading and move to the next step.
9 After pressing q (to quit reading), type yes, and then press Enter if you agree to the terms of the agreement.
10 Type the network information requested when you are prompted. Press Enter after each item.
  Use the mouse, tab key, or arrow keys to move from one field to another. Type over the displayed value, such as the IP address, to change it.

  Use the mouse, or press the space bar to toggle on and off a property with a check box (for example, SSH password authentication).

  For this field... / Type...
  - Machine Name: The name of the appliance (sys1, for example).
  - MTU Size: The MTU rate for eth1 (Monitor) or eth1 (Enterprise Manager and Enterprise Global), the administrative interface that has an externally addressable IP address. The default is the appropriate setting for most situations. If the appliance you are defining requires a different value, type that value. For example, for a PPPoE connection, you would set the MTU size to 1492.
  - SSH enabled in IPTABLES: Check this box to enable SSH on the appliance.
  - SSH password authentication: Check this box to enable SSH authentication. If you select this option, you must also select SSH enabled in IPTABLES.
  - Configure IPv4: Check this box to enable IPv4 for the appliance.
  - Configure IPv6: Check this box to enable IPv6 for the appliance.
  - Configure IPv6 via STAAC: Check this box to enable IPv6 by way of Stateless Auto Address Configuration (STAAC) for the appliance. Selecting this option will autoconfigure all IPv6 settings by way of negotiation with the router. Check with your site network administrator before enabling this option due to security concerns.
  - Add second NIC for Flow Data: (Flow Monitor and Flow Monitor SE only) Check this box to enable a second network interface card (NIC) for Flow collection.

11 Select <Next--> to proceed to specifying network address information.
  Note: You can change the IP address for the appliance at any time by running editsvnetwork.pl directly as root from the console or remotely after connecting to the appliance by way of SSH. You need to have /opt/svs/system/bin in your path, or change to that directory to run the command.

12 (IPv4 selected) Type the IPv4 network information requested when you are prompted. Press Enter after each item and then select Next to proceed when you are done.
  Note: If you select IPv4 exclusively, you will still see a link local IPv6 address when you use ifconfig. This is normal behavior. The system knows the address is not routable and neither sends nor receives IPv6 data.
  Use the mouse, tab key, or arrow keys to move from one field to another. Type over the displayed value, such as the IP address, to change it.

  For this field... / Type...
  - System IP Address: The IPv4 address of the appliance's command port. Specify the address using the format a.b.c.d. The command port is the ethernet port used to access the appliance's Web interface.
  - Netmask: The IPv4 netmask of the appliance. Specify the netmask using the format a.b.c.d.
  - Gateway IP Address: The IPv4 address of the network gateway, typically a router, that is responsible for the network that includes the address specified in System IP Address. Specify the address using the format a.b.c.d.

13 (IPv6 selected) Type the IPv6 network information requested when you are prompted. Press Enter after each item and then select Next to proceed when you are done.
  Use the mouse, tab key, or arrow keys to move from one field to another. Type over the displayed value, such as the IP address, to change it.

  For this field... / Type...
  - System IP Address: The IPv6 address of the appliance's command port. The command port is the ethernet port used to access the appliance's Web interface.
  - Gateway IP Address: The IPv6 address of the network gateway, typically a router, that is responsible for the network that includes the address specified in System IP Address.
  - Netmask: The IPv6 netmask of the appliance.

14 Select < SAVE > to save the information when you finish.
  Next, the installer displays a box requesting information about the appliance's serial port.
15 Use the mouse, or press the space bar to toggle on or off serial port login to the appliance. See Optionally Enable a Serial Port Connection on page 37 for information about performing this step outside of the installation process.
  When serial port login is enabled, you can connect a tty to the serial port of the appliance to connect to the appliance command line interface. Only the svs account can log on by way of the serial tty. When serial port login is off, this feature is disabled. The recommended setting is disabled, which is the default.
  Next, the installer automatically creates a certificate for the appliance and compiles the default policy.
16 Type the user name and password (with confirmation) for the Web administrator account for accessing the appliance. Press Enter after each item.

  At this prompt... / Type...
  - Enter a user name: The user name assigned to the Web interface administrator account. A user must sign in as this user to configure the appliance software. The user name must be at least 6 characters, and can contain upper and lowercase letters, numbers, and - or _ characters.
  - Enter a password for <username>: The password for the administrator account. The password must be at least 8 characters, and it must contain at least one uppercase letter, one lowercase letter, and one number.
  - Confirm <user name's> password: Retype the password for the administrator account.

  Tip: Securify recommends that you use a password for the administrator account that is at least 8 characters and contains at least one uppercase letter, one lowercase letter, and one number.
  The installer reports that the user name was added successfully and then prompts for a password.

17 Type a password for the root account, press Enter, then type the password again and press Enter again to confirm.
  Tip: Securify recommends that you use a password as strong as for the Web interface: at least 8 characters, and containing at least one uppercase letter, one lowercase letter, and one number.
  The installer reports that you successfully set the root password, then prompts you to type a password for the svs account.
18 Type a password for the svs account, press Enter, then type the password again to confirm.
  Tip: Securify recommends that you use a password for the svs account that is at least 8 characters, and contains at least one uppercase letter, one lowercase letter, and one number.
  The installer displays a screen that summarizes your supplied information.
19 Copy the information and save it in a safe place. After you copy the network information, press Enter to reboot the appliance.

Optionally Enable a Serial Port Connection

You can perform this operation at any time if you do not do it during installation (see step 15).
1 Log in to the appliance as root.
2 Type editsvmisc.pl to display the Securify Misc System Setup dialog.
3 Select the box to enable a serial port connection for the particular Securify appliance.
4 Reboot the appliance.
5 Connect to the Securify appliance's COM1 port with a db9 null modem cable.
6 Set the terminal settings to 8-N-1 at 9600 baud with a vt100 setting.

What's Next?

- For instructions on upgrading software, see Upgrading Securify Software on page 59.
- For information about configuring SSH access after installation, see Allowing SSH Access on page 57.
- For information about generating and installing certificates, see Managing Certificates on page 63.

Warning: Before a planned service outage, Securify appliances should be safely powered down to avoid unexpected behavior when power is restored. Use the command svhalt to halt the system before pressing the power button.

CHAPTER 5 Installing Securify Enterprise Reporting

This chapter provides the hardware configuration, and software and hardware installation instructions for the Securify Enterprise Reporting (ER) system.

In this chapter:
- About the Enterprise Reporting Hardware
- Configuring Enterprise Reporting on a Network
- Wiring an ER Gateway and ER Warehouse
- Installing Enterprise Reporting Software
- Configuring the Crystal Enterprise Software
- Formatting the Third Hard Drive
- What's Next?

About the Enterprise Reporting Hardware

An Enterprise Reporting system consists of two appliances, one for the ER Gateway and another for the ER Warehouse. Each appliance has its own IP address.

Note: The configuration and installation instructions in this guide are only applicable to version 6.0 of the Securify products. For configuration and installation instructions for the 5.4.1 and earlier versions of the Securify products, see the appropriate version of the Securify Installation Guide.

Following is a frontal view of the ER appliances with the bezels included:

Note: Consult your Securify representative about installing the Enterprise Reporting version 6.0 software onto an older Enterprise Reporting appliance that shipped with an earlier version of the software.

Miscellaneous other hardware

Each appliance comes with the following:
- 1U server mounting rails
- DB9/RJ45 console cable
- Crossover cable
- Power cord

You may need some or all of the following:
- ethernet cable
- monitor
- hubs
- PS/2 or USB Keyboard
- mouse

Configuring Enterprise Reporting on a Network

Before installing an Enterprise Reporting appliance, obtain a static IP address with net mask and gateway parameters.

Note: If you are deploying Enterprise Reporting in an IPv6 environment, you must assign the ER Warehouse both an IPv4 and an IPv6 address during installation.

After you install an Enterprise Reporting appliance, you may also need the following:
- An SNMP (Simple Network Management Protocol) server for critical violation and system alert traps. This server enables Securify to generate SNMP traps.
- A DNS (Domain Name System) server connection for DNS name resolution. This server enables Securify to provide DNS name resolution in the Web interface.
- An NTP (Network Time Protocol) server connection to synchronize network activity time. You must synchronize the time for Securify components manually without an NTP server.
- An SMTP (Simple Mail Transfer Protocol) server connection for notification email messages. This server enables Securify to send email notifications of critical violations or system alerts.

Wiring an ER Gateway and ER Warehouse

Each ER Gateway and ER Warehouse appliance has two network interfaces:
- Ethernet 1 (Eth 1 on the left)
- Ethernet 2 (Eth 2 on the right)

As part of configuration, you assign an IP address and other related network attributes to each appliance's Eth 1 port.

To wire an ER Gateway and ER Warehouse:
1 Connect the ER Warehouse appliance to the ER Gateway appliance using a crossover cable between the Eth 2 (Ethernet 2) ports on each appliance.

  [Figure: ER Gateway and ER Warehouse wiring. Labels: Eth 1, Eth 2, ER Gateway, ER Warehouse, Network (for admin access) on each appliance, Crossover cable.]

2 Use a standard category 5 cable to connect Eth 1 on each appliance to a network. This interface is used for administrative access and Enterprise Manager connectivity.

Installing Enterprise Reporting Software

Installing software for an Enterprise Reporting system consists of:
- Installing the ER Gateway software from its own CD
- Installing the ER Warehouse software from its own CD
- Installing the Crystal Enterprise software from its own CD

Once you have installed the Crystal Enterprise software, you must complete certain configuration tasks before you can utilize your Enterprise Reporting system. These tasks are described in Configuring the Crystal Enterprise Software on page 50.

Important: If you are re-installing ER Gateway or ER Warehouse software, you must remove the third hard drive (the drive at the far right when you face the appliance) before continuing with reinstalling the software. If you do not remove the third hard drive first, all backup data is erased.

A re-installation means you are installing the same version of the software to an appliance to which you had already installed software. Always perform a backup, including of reports in the case of ER Warehouse, before you begin re-installing software. For more information on backups and upgrading, see the chapter on Managing Your Enterprise Reporting System in the Securify Enterprise Reporting Operations Guide.

If you are re-installing, for example because of an ER Gateway failure, contact Securify technical support for assistance in getting your ER Gateway and ER Warehouse re-connected and any relevant data restored.

In the case of updates and upgrades, review the Release Notes that accompany the update for important information such as an estimate of how long the update process may take, dependencies for the update, and in what sequence you should perform the tasks necessary for an update.

To install ER Gateway or ER Warehouse software:

Note: Steps 1 through 6 constitute the initialization phase of installation and are typically performed for you by Securify before your appliance is shipped. You will normally start at the configuration phase, step 7, when you receive your appliance.

1 Connect the power cord, monitor, and keyboard (either USB or PS/2) to the appliance.
2 Remove the third hard drive, if necessary.
  a Push the release button beside the third hard drive (the one on the right).
  b Pull the handle gently to remove it. Fold the handle back into place to avoid accidentally damaging it.
  For information on formatting this drive after installation, see Formatting the Third Hard Drive on page 54.
3 Press the power button located on the front of the appliance to start it.
4 Go into BIOS, then set the time for the appliance to UTC time. For current UTC time, see http://tycho.usno.navy.mil/cgi-bin/timer.pl.
5 Open the CD drive, insert the Enterprise Reporting CD (ER Gateway or ER Warehouse), then reboot the appliance. The installer reports:

    Welcome to the Securify(TM)Installer
    This program will prepare monitoring stations for use with Securify.
    Only approved hardware configurations are supported. Please verify your configuration before continuing.
    Continuing will cause ALL hard disks on this computer to be erased and overwritten. Please verify the disks you are using contain no important data.
    To begin the installation, press the <ENTER> key.
    <------------------------------------------------------------->
    boot:

  Note: When you receive your appliance, steps 1 through 5, the initialization phase, have typically already been completed.
6 Press Enter to continue with the configuration phase of the installation. You see messages as the installation progresses.

7 Remove the CD when it is ejected at the end of installation and close the drive. Once the appliance reboots, the installer reports:

    Building embedded database: This will take approximately 25 minutes.
    The screen may not show any output during this time frame. This is normal as the system is working in the background.

  After the database is installed, the installer reboots the appliance. Once the appliance reboots, the installer displays a message similar to the following, depending on whether you are installing software for the ER Gateway or the ER Warehouse:

    The Securify ER Gateway has been fully installed.
    [System information appears here.]
    The system may be safely rebooted (and then halted) or the system specific information can be entered to finish customizing the system for use.
    Either press <ctl><alt><del> to exit OR <CR> to continue

  Note: When you receive your appliance, steps 1 through 6, the initialization phase, have typically already been completed.
8 Press Enter to continue with the configuration phase of the installation.
9 Press Enter to read the license agreement when prompted. To navigate through the agreement, press the space bar to move to the next page, press b to move back to the previous page, press h for more help, or press q to quit reading and move to the next step.
10 Press q (to quit reading), type yes, and then press Enter if you agree to the terms of the agreement.
11 Type the network information requested when you are prompted. Press Enter after each item.
  Use the mouse, tab key, or arrow keys to move from one field to another. Type over the displayed value, such as the IP address, to change it.

  Use the mouse, or press the space bar to toggle on and off a property with a check box.

  For this network information... / Type...
  - System IP Address: The IP address of the Enterprise Reporting appliance's command port. Specify the address using the format a.b.c.d. The command port is the ethernet port used to access the appliance's Web user interface.
  - Netmask: The netmask of the Enterprise Reporting appliance.
  - Gateway IP Address: The IP address of the network gateway, typically a router, that is responsible for the network that includes the address specified in System IP Address. Specify the address using the format a.b.c.d.
  - Machine Name: The name of the Enterprise Reporting appliance (sys1, for example).
  - MTU Size: The MTU size for eth0, the administrative interface that has an externally addressable IP address. The default is the appropriate setting for most situations. If the appliance you are defining requires a different value, type that value. For example, for a PPPoE connection, you would set the MTU size to 1492.
  - SSH enabled in IPTABLES: Check this box to enable SSH on the Enterprise Reporting appliance.
  - SSH password authentication: Check this box to enable SSH authentication. If you select this option, you must also select SSH enabled in IPTABLES.

12 Select <SAVE> to save the information when you finish.
13 Use the mouse, or press the space bar to toggle on and off serial port login to the Enterprise Reporting appliance.
  When serial port login is on, you can connect a tty to the serial port of the appliance to connect to the Enterprise Reporting command line. Only the svs account can log on by way of the serial tty. When serial port login is off, this feature is disabled. The recommended setting is the default, disabled. Unless you need this option, accept the default setting of disabled.

  Next, the installer creates a certificate for the appliance and compiles the default policy.
14 ER Gateway only: Type a user name and password for the Web administrator account for accessing the appliance. Press Enter after each item.

  At this prompt... / Type...
  - Enter a user name: The user name assigned to the Web interface administrator account. A user must sign in as this user to configure the Enterprise Reporting software. The user name must be at least 6 characters, and can contain upper and lowercase letters, numbers, and - or _ characters.
  - Enter a password for <username>: The password for the administrator account. The password must be at least 8 characters, and it must contain at least one uppercase letter, one lowercase letter, and one number.
  - Confirm <user name's> password: Retype the password for the Web administrator account.

  Tip: Securify recommends that you use a password for the administrator account that is at least 8 characters and contains at least one uppercase letter, one lowercase letter, and one number.
  Note: The next step (Time Zone Offset) is only for the ER Warehouse.
15 ER Warehouse only: At the Time Zone Offset prompt, type a number that corresponds to your time zone.
  The installer displays a table of time zone offsets and codes. For example, [5] PST -8 indicates that Pacific Standard Time (code 5) is 8 hours earlier than UTC. Enterprise Reporting uses the time zone offset you select to determine the time period for daily reports.
  Note: The remaining steps are for both ER Gateway and ER Warehouse.
16 Type a password for the root account when prompted, press Enter, then type the password again to confirm.

  Tip: Securify recommends that you use a password for the root account that is at least 8 characters, and contains at least one uppercase letter, one lowercase letter, and one number.
  The installer reports that you successfully set the root password, then prompts you to type a password for the svs account.
17 Type a password for the svs account, press Enter, then type the password again to confirm.
  Tip: Securify recommends that you use a password for the svs account that is at least 8 characters, and contains at least one uppercase letter, one lowercase letter, and one number.
  The installer displays a screen that summarizes your supplied information.
18 Copy the information and save it in a safe place. After you copy the network information, press Enter to restart the appliance.
  Note: If you removed the third hard drive earlier in the installation, power the appliance off before it finishes rebooting, re-insert the third hard drive, then restart the appliance. As the appliance reboots, watch to see that all three hard drives are initialized.
19 Optionally enable a serial port connection.
  Note: You can perform this operation at any time if you do not want to do it during installation.
  a Log in to the appliance as root.
  b Type editsvmisc.pl to display the Securify Misc System Setup dialog.
  c Select the box to enable a serial port connection for the particular Securify appliance.
  d Reboot the appliance.
  e Connect to the Securify appliance's COM1 port with a db9 null modem cable.
  f Set the terminal settings to 8-N-1 at 9600 baud with a vt100 setting.
20 Proceed depending on what you have already done: If you have only installed the ER Gateway software, return to step 5 on page 44 to install the ER Warehouse software If you are installing the ER Warehouse software, proceed to the instructions for installing the Crystal Enterprise software (To install the Crystal Enterprise software on the ER Warehouse appliance: on page 49) 48 Installing Securify Enterprise Reporting

   - If you have finished installing the Enterprise Reporting software, proceed to "Configuring the Crystal Enterprise Software" on page 50.

   Note: After you have completed installing and configuring the software, remember that you may need to format the third hard drive. For information, see "Formatting the Third Hard Drive" on page 54.

To install the Crystal Enterprise software on the ER Warehouse appliance:

1 Open the CD drive and insert the Crystal Enterprise CD.

   Note: Ensure that all three hard drives on the ER Warehouse appliance have been initialized before you insert the Crystal Enterprise CD.

2 Log in as root with the Crystal Enterprise CD loaded.

3 Type the following command at the system prompt:

    # crystalinstall.pl --install

   This installs the Crystal Enterprise reporting system software. Once the installation reports that it has completed, you may remove the CD from the drive. This concludes the ER Warehouse installation.

4 Proceed to "Configuring the Crystal Enterprise Software" on page 50.

   Note: If you are deploying Enterprise Reporting in an IPv6 environment, you must assign the ER Warehouse both an IPv4 and an IPv6 address during installation so that the Crystal Enterprise software will function properly.

Configuring the Crystal Enterprise Software

This section describes the configuration tasks you must complete following the installation of the Crystal Enterprise software.

- Enabling the Crystal Enterprise License Key on page 50
- Enabling the Crystal Enterprise Servers on page 52
- Enabling Auditing on page 52
- Configuring Report Retention on page 53

Enabling the Crystal Enterprise License Key

ER Warehouse is not installed with a Crystal Enterprise license key. Your production version of Enterprise Reporting uses a multi-user license key that permits users to log on to the ER Warehouse and run reports concurrently.

Note: If you log on to ER Warehouse, then quit without logging off, ER Warehouse may still consider you logged on. Remember to log off at the end of each ER Warehouse session.

To enable the ER Warehouse license key:

1 Connect to the ER Warehouse with your Web browser, using this URL:

    https://<warehouse IP address>/crystal/enterprise10/admin

   where <warehouse IP address> is the IP address of the ER Warehouse appliance. The logon screen for the Crystal Enterprise report engine displays.

2 Type the user name (administrator), and password. By default, there is no user password set in the Crystal Enterprise software.

3 Click the Log On button to display the home page.

4 Select License Keys.

5 Type your multi-user license key in the Add Key field and then click Add.

6 Proceed to "Enabling the Crystal Enterprise Servers".

Enabling the Crystal Enterprise Servers

Once you enable the license key, you must enable the Crystal Enterprise servers.

1 Follow steps 1 through 3 for "Enabling the Crystal Enterprise License Key" to log onto the ER Warehouse and view the Crystal Enterprise home page.

2 Select Servers from the home page to display the Servers configuration page.

3 Check the box in the Selected column for each server that is disabled, then select the enable button at the top of the panel to enable the selected servers.

4 Proceed to "Enabling Auditing".

Enabling Auditing

With your license key and the Crystal Enterprise servers enabled, you must enable auditing. When auditing is enabled, you can track the operation of the system. For instructions about enabling auditing, see the help on "Enabling auditing of user and system actions" in the Crystal Enterprise Administrator's Guide.

Proceed to "Configuring Report Retention" on page 53.

Configuring Report Retention

The default settings for retaining reports are:

- Last 100 report instances. This count is regardless of the type of report. If you run 101 instances of the same report, only 100 are retained.
- Seven (7) days

If these settings are not sufficient, adjust them as necessary.

To adjust report retention settings:

1 Connect to the ER Warehouse with your Web browser, using this URL:

    https://<warehouse IP address>/crystal/enterprise10/admin

   where <warehouse IP address> is the IP address of the ER Warehouse appliance. The logon screen for the Crystal Enterprise report engine displays.

2 Type the user name (administrator), and password on the log on screen. By default, there is no user password set in the Crystal Enterprise software.

3 Click the Log On button to display the home page.

4 Click Settings.

5 Click the Limits tab.

6 Adjust the settings for the following to suit your needs:
   - Delete excess instances for the following users/groups
   - Delete instances after N days for the following users/groups

7 Proceed to "Formatting the Third Hard Drive" on page 54.

Formatting the Third Hard Drive

You must format the third hard drive when you install Enterprise Reporting for the first time. If you fail to remove the third hard drive when you install Enterprise Reporting software, the third drive may become unreadable. If this occurs, you can reformat the third hard drive so that it can be used to back up Enterprise Reporting data.

To format the third hard drive:

1 Log on as root. From the console, type: cd /opt/svs/system/bin/, then press Enter.

2 Type: ./.format_sdc.sh, then press Enter.

3 Confirm that you want to format the drive.

4 Reboot your system.

To verify that the hard drive is formatted:

1 Log onto the appliance as root. At a console, type: # fdisk -l, then press Enter. Verify the existence of a device called sdc1. For example:

    Disk /dev/sda1: 255 heads, 63 sectors, 4462 cylinders
    Units = cylinders of 16065 * 512 bytes
    Disk /dev/sdb1: 255 heads, 63 sectors, 8924 cylinders
    Units = cylinders of 16065 * 512 bytes
    Disk /dev/sdc1: 255 heads, 63 sectors, 8924 cylinders
    Units = cylinders of 16065 * 512 bytes

   The devices in your system may have more storage than the example shown above, but if sdc1 does not appear, then confirm that the third drive is physically seated properly.

2 Type the command svhalt to shut down the system if you did not see sdc1.

3 Ensure the third drive is seated properly in its slot:
   a Push the release button beside the third hard drive (the one on the right).
   b Pull the handle gently to remove the third hard drive.
   c Push the third hard drive back into place.

4 Restart the system. As the appliance reboots, watch to see that all three hard drives are initialized.

5 Type the following commands, pressing Enter after each one:

    # mkdir -p /mnt/test
    # mount /dev/sdc1 /mnt/test
    # ls /mnt/test
    # umount /mnt/test

   If these commands are successful, the third disk is formatted, and backup can occur. Otherwise, you must format the hard drive.

What's Next?

Note: You must complete the instructions provided herein to connect the ER Gateway and ER Warehouse appliances before you connect an ER Gateway to an Enterprise Manager.

For instructions on upgrading Enterprise Reporting software, see "Upgrading Securify Software" on page 59.

For information about configuring a Securify appliance for SSH access after installation, see "Allowing SSH Access" on page 57.

For information about generating and installing certificates on Securify systems, see "Managing Certificates" on page 63.

For information about Enterprise Reporting, see the Securify Enterprise Reporting Operations Guide.

Warning: Before a planned service outage, Securify appliances should be safely powered down to avoid unexpected behavior when power is restored. Use the command svhalt to halt the system before pressing the power button.


CHAPTER 6
Allowing SSH Access

You can allow Secure Shell (SSH) access for secure access to a Securify appliance. The instructions in this chapter apply to all Securify server products. When you install a Securify server product, RSA-based authentication is enabled by default.

Important: You can use either public key or password authentication for SSH access. Check with your security administrator to determine which method is recommended or permitted by your organization. If you are using the public key method, you must place your public key on the system before you attempt SSH access.

To place the public key on your appliance:

1 Log on as svs at the system console. From the console, create this file (and the directory if necessary) if it does not already exist:

    /home/svs/.ssh/authorized_keys

2 Set permissions on this file so that you can edit it, but no one else can read it. For example:

    chmod -R 0700 /home/svs/.ssh /home/svs/.ssh/authorized_keys

3 Using an editor, append your public key to the end of authorized_keys. For example, to edit the file using vi, type:

    vi /home/svs/.ssh/authorized_keys

To allow SSH access:

1 Log on to the console as root and run the command editsvnetwork.pl. The script displays the network information dialog.

2 Using the mouse or the space bar, select SSH enabled in IPTABLES. An [x] appears to signify it is enabled.

3 If you want to require SSH password authentication, use the mouse or the space bar to select that option.

4 Select <SAVE> to save your changes and close the file.

Note: Experienced system administrators may attempt to edit the SSH server configuration manually, though this is not recommended. Due to the security concerns around manually editing the SSH server configuration file, it is strongly recommended that the root user not be granted remote access. The root user's password can be subject to a brute-force attack if SSH password authentication is enabled for that user and the strict password policy feature is not enabled. Since svs is a known account, its password can also be attacked if the strict password policy feature is not enabled. If successful, an attacker with physical access could use this information to directly access the Securify appliance. Access via SSH enables an attacker to gain direct access to the database as it only listens locally on the loop-back address. The attacker can then gain total control of the local database.
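The key-placement steps above can be scripted so that the permissions and the one-key-per-line format are checked rather than assumed. This is an added example, not part of the original guide or Securify's tooling; the function names are hypothetical, and it sets mode 0600 on the file (the guide's example uses 0700), which still keeps the file unreadable by other users.

```shell
#!/bin/sh
# Added example (hypothetical helper names); run as the svs account.
# Usage on the appliance would look like:
#   install_pubkey /home/svs/.ssh "$(cat my_key.pub)"

NL='
'

# valid_pubkey_line LINE
# Accept exactly one bare OpenSSH public key: "<type> <base64> [comment]".
# Lines with embedded newlines or leading options are refused, so a pasted
# value cannot add a second entry or attach options to the key.
valid_pubkey_line() {
    case "$1" in
        *"$NL"*) return 1 ;;
    esac
    IFS=' ' read -r ktype kdata _comment <<EOF
$1
EOF
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$kdata" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# install_pubkey SSH_DIR KEY_LINE
# Create SSH_DIR/authorized_keys if needed, lock down permissions, and
# append the key only if that exact line is not already present.
install_pubkey() {
    dir=$1
    line=$2
    file=$dir/authorized_keys
    if ! valid_pubkey_line "$line"; then
        echo "rejected: not a single bare public key line" >&2
        return 1
    fi
    # Do not write through a symlink someone else may have planted.
    if [ -L "$dir" ] || [ -L "$file" ]; then
        echo "rejected: $dir or $file is a symbolic link" >&2
        return 1
    fi
    # umask 077 so the directory and file are never briefly world-readable.
    ( umask 077; mkdir -p "$dir" && : >>"$file" ) || return 1
    chmod 0700 "$dir" || return 1
    chmod 0600 "$file" || return 1
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >>"$file"
}

# perms_private PATH
# Succeeds only if group and other have no permission bits on PATH.
perms_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}
```

Running perms_private against both /home/svs/.ssh and authorized_keys after any manual edit confirms that the file is still unreadable by other accounts.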

APPENDIX A
Upgrading Securify Software

The instructions in this appendix apply to Securify Monitor, Monitor SE, Monitor LE, Monitor LE-50, Enterprise Manager, Enterprise Manager SE, Enterprise Global, and Enterprise Reporting (ER Gateway and ER Warehouse). They do not apply to Studio.

Securify periodically releases software updates. Updates are available only from Securify, and are cryptographically signed to ensure that only authorized updates are applied to the Securify system. You typically receive an update on CD or from the my.securify.com Web site.

Important: Review the Release Notes that accompany the update for important information such as an estimate of how long the update process may take, dependencies for the update, and in what sequence you should perform the tasks necessary for an update.

Depending on the specific software update, the update process may involve rebooting the appliance. If necessary, the update program handles logging you off and rebooting the appliance.

To upgrade Securify software:

Note: These instructions do not apply to the ER Warehouse. For those instructions, see "To upgrade ER Warehouse software:" on page 61.

1 Log on to the Web interface of the appliance as a Securify administrator.

2 Click Manage > Configure and then select the name of the Securify appliance you are upgrading to display that appliance's configuration screen.

3 Click the Software Update tab (a Monitor is used in this example).

4 Click Browse, navigate to the upgrade file, then click Open.

5 Click Upload on the Software Upgrade for <machine name> page.

To verify the upgrade, check the version tag by clicking Manage > Status, then selecting the machine name, and then clicking the Version link.

Note: An Enterprise Manager must be at the same or higher version number than its client Monitors to avoid incompatibilities and issues.

To upgrade Securify software on all Monitors:

1 Log on to the Enterprise Manager that manages the Monitors you are upgrading, then click Manage > Configure.

2 Click the Enterprise Manager name in the Configure Systems tree to display the configuration page.

3 Click Software Update: All Monitors.

4 Browse to the upgrade file, then click Upload.

To upgrade ER Warehouse software:

1 Log on to the ER Warehouse, then click Manage to display the Security Zone access/software Update page.

2 Click Software Update.

3 Click Browse and select the software update file.

4 Type your login password in the space labeled Please re-enter your login password.

5 Click Apply to start the software update process.


APPENDIX B
Managing Certificates

Securify systems authenticate by means of self-signed certificates that are created when you install a system. In most cases, you do not need to manage a system's certificates. This appendix describes how to enforce the use of certificates in an organization that requires the use of certificates and administers full Public Key Infrastructure (PKI).

- Managing Certificates with the Web Application on page 64
- Generating a New Self-signed Certificate on page 66
- Uploading a Signed Certificate and Private Key on page 67
- Uploading an NMSS Client Certificate on an Enterprise Manager on page 68
- Requiring Client Certificates on page 69
- Connecting with Signed Certificates on page 71
- Managing Certificates for Connections on page 79

Managing Certificates with the Web Application

Certificates enable the Securify system to identify servers and users prior to authentication. The Certificates page (Manage > Certificates) enables you to:

- Generate and install a new self-signed certificate
- Import a signed certificate with its private key and the certificate authority's (CA) root certificate
- Enforce client certificates for connection identification
- Remove all root certificate authority (CA) certificates
- Upload a Negative Model Subscription Service certificate, allowing for the automatic update of exploit signatures and related security information around host and network vulnerabilities.

You can manage certificates through the Web interface of Enterprise Global, ER Gateway, all Monitor types, and all Enterprise Manager types. Use the command-line instructions given throughout this chapter to manage certificates on the ER Warehouse.

Important: Many of the actions made available on the Certificates page restart the server. All current user sessions are closed, and users must wait until the server restarts before reauthenticating if they wish to continue their work.

To view the Certificates page:

1 Log on to the Web Application as a user with SV Manager permissions, then click Manage > Certificates to display the Certificates page.

   If you are accessing a Monitor, you are able to upload server certificates or generate a self-signed certificate. See Figure B-1 on page 65.

   On an Enterprise Manager, you can also upload the NMSS Client Certificate for package auto-update. See Figure B-2 on page 65. Note that this feature is not available on other systems such as the Monitor product line.

Figure B-1: Certificates tab of a Monitor

Figure B-2: Upload NMSS client certificate portion for the Certificates page of an Enterprise Manager

Generating a New Self-signed Certificate

The self-signed certificate generated at install time uses the machine's IP address as the certificate common name. To generate a self-signed certificate with a different common name from the default, create a new certificate using the Generate a self-signed certificate section of the certificate management page. Type the desired common name and click the Generate button. This overwrites any previously-installed certificate and restarts the system.

To modify attributes other than the common name of a new self-signed certificate, a command-line tool is provided. Log in to the application's console or connect by way of SSH, and run the command:

    sudo create-self-signed-cert

This program prompts the user to type the required attributes for the new certificate, such as the size of the private key. The new certificate is created and installed, and the user is prompted to restart system services manually.

If you want to have the new certificate signed by your organization's certificate authority, a certificate signing request for the new certificate is available at:

    /www/conf/ssl.crt/new.cert.csr

Uploading a Signed Certificate and Private Key

To use certificates signed by a certificate authority (CA), include the signed certificate and its private key in a PKCS#12 file. The filename ends with .pfx or .p12. Optionally, a PKCS#12 file can also include one or more CA certificates (see "Requiring Client Certificates" on page 69). The currently-installed server key and certificate (self-signed or otherwise) as well as any CA certificates are replaced by those in the PKCS#12 file, and the system is restarted.

To upload a signed certificate:

1 Log on to the Web interface of an appliance as a user with SVManager permissions, click Manage > Certificates.

2 Click Browse in the Upload server certificates section to locate your signed certificate's PKCS#12 file.

   Note: If you have files in PEM format, see "Converting PEM to PKCS#12" below for information on converting your files.

3 Type the certificate's passphrase in the appropriate text field, then click Upload. The server restarts, ending all active user sessions.

Converting PEM to PKCS#12

If you have certificates and keys in PEM format, you can use the openssl command-line tool available on most modern UNIX-based systems (including Securify appliances) to convert to PKCS#12 format.

To convert certificates and keys in PEM format to PKCS#12:

At a command prompt, run the command:

    openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out certificate.p12

Alternatively, most Web browsers can import certificates with their keys and export them in PKCS#12 format. See your browser's documentation for details.

Uploading an NMSS Client Certificate on an Enterprise Manager

This function is only available on Enterprise Manager systems. To enable Negative Model Subscription Service (NMSS) automatic update, a valid NMSS client certificate must be installed. Uploading the NMSS client certificate does not affect the server certificate.

To import a Negative Model certificate:

1 Log on to the Web Application as a user with SVManager permissions, click Manage > Certificates.

2 Click Browse in the Upload NMSS client certificate section to locate your NMSS certificate.

3 Type the certificate's passphrase in the appropriate text field, then click Upload.

After restarting, if your Enterprise Manager can reach the Internet it attempts to auto-update itself every four hours as future Negative Model packages are published to Securify's Security Best Practice Services Web site (also available to a properly enabled browser as https://sbps.securify.com).

Requiring Client Certificates

You can force anyone connecting to a Securify appliance to use a client certificate. When you require client certificates on a Securify appliance, a user connecting to that appliance through the Web interface or Studio must have a client certificate either imported into their browser, or loaded into Studio to gain access to the appliance's data. For more information, see "Updating a Computer Running Studio" on page 77.

Note: If you enforce client certificates on a Securify appliance, the appliance must have one or more root CAs installed, which are typically imported into the system as part of the server's signed certificate in PKCS#12 format.

Use the Certificates page of the appliance's Web interface to enable or disable client certificate authentication. There is an Enable button if certificates are not required, or a Disable button if they are required. If no CA certificates are installed, the Client certificate authentication section of the certificate management page does not appear.

Any CA certificates installed at the time of a server's PKCS#12 installation are replaced by the certificates in the uploaded file. For information on uploading the file, follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67.

Installing any CA certificates enforces client certificate authentication for Studio connections. To also enable client certificate authentication on the WebUI, click the Enable button on the Client certificate authentication section. To disable client certificate authentication, click the Disable button.

To disable client certificate authentication for Studio connections, all CA certificates must be removed. To do so, upload a PKCS#12 file including only the server certificate and key with no CA certificates.

If it becomes impossible to log in to the Web Application due to the client certificates requirement, client certificate authentication can be disabled at the command line with:

    sudo /opt/svs/system/emuiscripts/configure/require-client-certs no

The system restarts and client certificates are no longer required for the appliance's Web Application access.

To view any uploaded certificate authority certificates:

Click the Certificate Authorities button.
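Because an uploaded PKCS#12 file replaces the installed server key, certificate and CA certificates, and any CA certificate in it enforces client certificate authentication for Studio connections, it is worth checking the bundle before uploading it. This is an added example, not part of the original guide or Securify's software: it wraps the openssl conversion shown in "Converting PEM to PKCS#12", refuses a key that does not belong to the certificate, and counts the certificates in the result. The function names, file names and the P12_PASS variable are assumptions, and the private key is assumed to be unencrypted PEM.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Requires the openssl command-line tool.
# The PKCS#12 passphrase is read from the P12_PASS environment variable so that
# it does not appear on the command line or in the process list.

# key_matches_cert CERT_PEM KEY_PEM
# Succeeds only when the public half of the private key equals the public key
# inside the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 CERT_PEM KEY_PEM OUT_P12 [CA_PEM]
# Same conversion as the guide's openssl command, with a pre-check and an
# optional file of CA certificates to bundle (-certfile).
make_p12() {
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing: $2 is not the private key for $1" >&2
        return 1
    fi
    # The output contains the private key, so create it readable by owner only.
    if [ -n "${4:-}" ]; then
        ( umask 077
          openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$4" \
              -out "$3" -passout env:P12_PASS )
    else
        ( umask 077
          openssl pkcs12 -export -in "$1" -inkey "$2" \
              -out "$3" -passout env:P12_PASS )
    fi
}

# p12_cert_count P12_FILE
# Prints how many certificates the bundle holds. 1 means server certificate
# only (uploading it removes all CA certificates); more than 1 means CA
# certificates are included (uploading it requires client certificates
# for Studio connections).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c -e '-----BEGIN CERTIFICATE-----' || :
}

# make_constructed_pair DIR NAME
# Throwaway self-signed certificate and key for trying the functions offline.
# These are constructed sample inputs, not certificates from any real CA.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```

Export P12_PASS before calling make_p12 or p12_cert_count, and type the same passphrase in the upload form.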

Connecting with Signed Certificates

When you install a signed certificate on a Securify appliance, you must install the root CA certificate on all Securify appliances to which it is connected and on any computers running Studio if you require client certificates for authentication. For example, if you install a signed certificate on a Monitor connected to an Enterprise Manager, you must also install the root CA certificate on the Enterprise Manager. If you install a signed certificate on an Enterprise Manager, you must also install the root CA certificates on each of the Monitors connected to it.

Updating a Monitor Connected to an Enterprise Manager

After you install a signed certificate on a Monitor (including Monitor LE or Monitor LE-50), you must also install the root CA certificate on the Securify Enterprise Manager that manages it. You must then update the Monitor's certificate information on the Enterprise Manager. For more information, see "Identifying Enterprise Manager on a Monitor" and "Adding a Monitor to Enterprise Manager (Security Zone)" in the chapter on configuring of the Securify Web Application Operations Guide.

To update a Monitor connected to an Enterprise Manager:

1 Log on to the Monitor as a user with SVManager permissions, click Manage > Certificates.

2 Follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67 for importing a PKCS#12 file that includes the appropriate root CA certificate. The Monitor restarts automatically.

3 Log back on to the Enterprise Manager as a user with SVManager permissions, click Manage and then Certificates.

4 Click Certificate Authorities. If the root CA for the other machine's new signed certificate does not appear in the list, then follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67. The Enterprise Manager restarts automatically.

5 Still logged into the Enterprise Manager, click Manage > Configure and then select the Monitor from the Configure Systems list.

6 Click Update Certificate to obtain the new certificate from the Monitor.

7 Click Accept Certificate. After 5 minutes, the Monitor should connect back to the Enterprise Manager with its new signed certificate.

Updating an ER Gateway Connected to an Enterprise Manager

After you install a signed certificate on an ER Gateway, you must also install the root CA certificate on the Enterprise Manager. You must then update the ER Gateway's certificate information on the Enterprise Manager.

To update an ER Gateway connected to an Enterprise Manager:

1 Log on to the ER Gateway as a user with SVManager permissions, click Manage > Certificates.

2 Follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67 for importing a PKCS#12 file that includes the appropriate root CA certificate. The ER Gateway restarts automatically.

3 Log on to the Enterprise Manager as a user with SVManager permissions, click Manage > Certificates.

4 Click the Certificate Authorities button. If the root CA for the other machine's new signed certificate does not appear in the list, then follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67. The Enterprise Manager restarts automatically.

5 Still logged on to the Enterprise Manager, click Manage > Access > Add Machine to display the Create New Machine Profile page.

6 Log on to the ER Gateway (in a second browser window), click Manage, then Configure and then select the ER Gateway to display the ER Gateway's Configuration page.

7 Copy the ER Gateway's new Certificate Common Name and Certificate Hash. Paste them in the Enterprise Manager's Create New Machine Profile page.

8 Click Add Machine Profile. After 5 minutes, the ER Gateway should connect back to the Enterprise Manager with its new signed certificate.

9 Once connectivity is shown to be successful, find the old machine access profile for the ER Gateway on the Enterprise Manager and delete it.

Updating an Enterprise Manager Connected to Another Securify Appliance

After you install a signed certificate on an Enterprise Manager, you must also install the root CA certificate on all Monitors, Monitor LEs, Monitor LE-50s, ER Gateways, and Enterprise Globals connected to the Enterprise Manager. You must then update the Enterprise Manager's certificate information on each connected appliance.

To update an Enterprise Manager connected to another Securify appliance:

1 Log on to the Enterprise Manager as a user with SVManager permissions, click Manage > Certificates.

2 Follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67 for importing the new signed certificate with key and root CA in the form of a PKCS#12 file. The Enterprise Manager restarts automatically.

3 Log on to the Web Application, as a user with SV Manager permissions, for each Monitor, ER Gateway, and Enterprise Global connected to the Enterprise Manager.

4 Click Manage > Certificates in the Web interface of each appliance.

5 Click the Certificate Authorities button. If the root CA for the other machine's new signed certificate does not appear in the list, then follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67 for importing a PKCS#12 file that includes the appropriate root CA certificate. The appliance restarts automatically.

6 For each Monitor connected to the Enterprise Manager, log on to the Web interface, click Manage > Access > Add Machine. For an ER Gateway or an Enterprise Global, skip to step 12.

7 Log on to the Enterprise Manager in a second browser window, click Manage > Configure.

8 Select the Enterprise Manager to display the configuration page.

9 Copy the Enterprise Manager's new Certificate Common Name and Certificate Hash. Paste them in the Create New Machine Profile page.

10 Click Add Machine Profile. After 5 minutes, the appliance you are working with should connect back to the Enterprise Manager with its new signed certificate.

11 Find the old machine access profile for the Enterprise Manager on the Monitor and delete it once you verify connectivity is successful.

12 (For ER Gateway and Enterprise Global only) Log onto the ER Gateway or Enterprise Global in a separate browser window, click Manage > Configure, and then select the Enterprise Manager.

13 (For ER Gateway and Enterprise Global only) Click Accept Certificate and confirm that you want to accept the certificate. After 10 to 15 minutes, the Enterprise Manager should connect back to the ER Gateway or Enterprise Global with its new signed certificate.

Updating an Enterprise Global Connected to an Enterprise Manager

After you install a signed certificate on an Enterprise Global, you must also install the root CA certificate on it. You must then update the Enterprise Global's certificate information on the Enterprise Manager.

To update an Enterprise Global connected to an Enterprise Manager:

1 Log on to the Enterprise Global as a user with SVManager permissions, click Manage > Certificates.

2 Follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67 for importing a PKCS#12 file that includes the appropriate root CA certificate. The Enterprise Global restarts automatically.

3 Log on to the Enterprise Manager as root.

4 Click the Certificate Authorities button. If the root CA for the other machine's new signed certificate does not appear in the list, then follow the procedures in "Uploading a Signed Certificate and Private Key" on page 67 for importing a PKCS#12 file that includes the appropriate root CA certificate. The Enterprise Manager restarts automatically.

5 Log on to the Enterprise Manager, click Manage > Access > Add Machine to display the Create New Machine Profile page.

6 Log on to the Enterprise Global in a second browser window, click Manage > Configure.

7 Click on the Enterprise Global in the Configure Systems list to display the Enterprise Global's Configuration page.

8 Copy the Enterprise Global's new Certificate Common Name and Certificate Hash. Paste them in the Enterprise Manager's Create New Machine Profile page.

9 Click Add Machine Profile. After 5 minutes, the Enterprise Global should connect back to the Enterprise Manager with its new signed certificate.

10 Find the old machine access profile for the Enterprise Global on the Enterprise Manager and delete it once connectivity is proven successful.

Updating a Computer Running Studio

After you install a signed certificate on a stand-alone Monitor (including Monitor LE or Monitor LE-50) or Enterprise Manager, and you require client certificates for authentication from Studio, you must also install the root CA certificate on all computers running Studio and synchronize the certificate hash for Studio users on the appliance and for the client certificate on the computer running Studio.

1 Open Studio and click File > Certificates > Manage CA Root Certificates to display the Manage CA Root Certificates dialog.

2 Import the new CA root certificate.

3 Click File > Certificates > View Certificates and open the client certificate that matches the new root CA certificate. Keep the dialog open as you need the certificate's Common Name (CN) and hash to synchronize with a Studio user in the Web interface of an appliance.

4 Log on to the appliance to which you want Studio to connect and create a new user. For information on creating users, see "Managing Users and Machines Access Tab" in the chapter on Managing a Securify System of the Securify Web Application Operations Guide.
   a Set the user name to the CN of the certificate.
   b Set the authorization type to SHA1_certificate_hash.
   c Copy the hash from the View Certificates dialog (step 3 above) and paste it into the appropriate fields for the new user.

5 Repeat the previous steps for any appliances to which you want Studio to connect. If you do not have a different CA root certificate for each appliance, you can skip steps 1 and 2.

6 Create a new connection to each appliance to which you want Studio to connect. For information on connections, see "Managing Connections" in the chapter on Studio Basics of the Securify Studio User Guide.

Managing Certificates for Connections

In the Connection List dialog (Figure B-3), you are able to select or remove a certificate for a connection.

Note: For information on managing Connections, see "Managing Connections" in the Studio Basics chapter of the Securify Installation Guide.

Figure B-3: Connection List dialog

To select a certificate for a connection:

1 Click the row of the appropriate connection and then click the open folder icon to display the Select Certificate dialog (Figure B-4).

2 Browse to the appropriate directory and then click the file name.

Figure B-4: Select Certificate dialog with file selected

3 Type your credentials as necessary to view the contents of the file.

4 Click Select. The directory path appears next to the icons in the Cert column.

To remove a certificate for a connection:

Click the row of the appropriate connection in the Connection List dialog (Figure B-3) and then click the trashcan icon.