StealthWatch: deployment and configuration. Part 2

Hello colleagues! Having settled the minimum requirements for deploying StealthWatch in the previous part, we can start rolling out the product.

1. Ways to deploy StealthWatch

There are several ways to try StealthWatch hands-on:

  • dCloud, Cisco's cloud lab service;
  • cloud-based: the Stealthwatch Cloud Free Trial, where NetFlow from your devices is sent to the cloud and analyzed there by the StealthWatch software;
  • on-premise POV (via a GVE request), which is the route I took: you receive four OVF files of virtual machines with built-in 90-day licenses, which can be deployed on a dedicated server in the corporate network.


Although four virtual machines are provided, two are enough for a minimal working configuration: the StealthWatch Management Console (SMC) and the FlowCollector. If no network device is able to export NetFlow to the FlowCollector, you also need to deploy a FlowSensor: it receives a mirrored copy of the traffic via SPAN/RSPAN and generates NetFlow from it itself.

As a lab environment, as I said earlier, your real network can serve, since StealthWatch only needs a copy of the traffic, or more precisely a summary of it in the form of flow records. The figure below shows my network, where I will configure the NetFlow exporter on the Security Gateway and, as a result, send NetFlow to the collector.

To reach the future VMs, your firewall, if there is one, must allow the following ports:

TCP 22, TCP 25, TCP 389, TCP 443, TCP 2393, TCP 5222, UDP 53, UDP 123, UDP 161, UDP 162, UDP 389, UDP 514, UDP 2055, UDP 6343

Most of these are well-known services (SSH, SMTP, LDAP, HTTPS, DNS, NTP, SNMP, syslog, NetFlow on UDP 2055, sFlow on UDP 6343); the rest are used between the StealthWatch components themselves. Open them only between the appliances, the exporters and the administrators' hosts rather than from the whole network: the management interfaces of these VMs should not be reachable from the monitored segments.
In my case, I simply deployed StealthWatch on the same network as the Check Point and did not have to configure any permit rules.

2. Installing FlowCollector using VMware vSphere as an example

2.1. Click Browse and select the OVF file. After checking that resources are available, go to the View → Inventory → Networking menu (Ctrl+Shift+N).

2.2. On the Networking tab, select New Distributed Port Group in the virtual switch settings.

2.3. Set the name, say StealthWatchPortGroup; the remaining settings can be left as in the screenshot. Click Next.

2.4. Complete the creation of the port group with the Finish button.

2.5. Edit the settings of the created port group: right-click the port group and select Edit Settings. On the Security tab, be sure to enable promiscuous mode: Promiscuous Mode → Accept → OK. Keep in mind that promiscuous mode lets every VM attached to this port group see all frames passing through it, so it is needed only for the port group that carries the SPAN/RSPAN copy to the FlowSensor; leave the management interfaces of the SMC and FlowCollector on an ordinary port group with Promiscuous Mode at Reject.

2.6. As an example, let's import the FlowCollector OVF, the download link for which was sent by a Cisco engineer after the GVE request. Right-click the host where you plan to deploy the VM and select Deploy OVF Template. As for disk space, it will "start up" with 50 GB, but for production use 200 GB is recommended.

2.7. Select the folder where the OVF file is located.

2.8. Click Next.

2.9. Specify the VM name and the host on which it will be deployed.

2.10. As a result we get the following summary; click Finish.

2.11. Follow the same steps to deploy the StealthWatch Management Console.

2.12. Now assign the required networks to the VM interfaces so that the FlowCollector can reach both the SMC and the devices from which NetFlow will be exported.

3. Initializing the StealthWatch Management Console

3.1. Opening the console of the installed SMCVE machine, you will see a login prompt; the default credentials are sysadmin/lan1cope.

3.2. Go to the Management item, set the IP address and the other network parameters, then confirm the change. The appliance will reboot.

3.3. Go to the web interface (https to the address you assigned to the SMC) and initialize the console; the default login/password is admin/lan411cope.

PS: it sometimes does not open in Google Chrome; Internet Explorer always helps out.

3.4. Be sure to change the default passwords and set the DNS and NTP servers, the domain, and so on. The settings are intuitive. NTP is not optional here: the SMC and FlowCollector must agree on time, otherwise flow timestamps and the certificate-based trust between the appliances will be off.

3.5. After clicking Apply, the appliance reboots again. After 5-7 minutes you can connect again at the same address; from here on StealthWatch is managed through the web interface.

4. Setting up the FlowCollector

4.1. The collector is configured the same way. First set the IP address, mask and domain in the CLI, after which the FC reboots. Then connect to the web interface at the specified address and perform the same basic configuration. Because the settings are similar, detailed screenshots are omitted. The login credentials are the same.

4.2. On the penultimate step, set the SMC IP address; the console will then see the appliance. You will have to confirm this setting by entering the SMC credentials.

4.3. Select the StealthWatch domain set earlier and the listening port: 2055 for regular NetFlow, or 6343 if you work with sFlow.

5. Netflow Exporter Configuration

5.1. To configure the NetFlow exporter, I highly recommend this resource, which collects the main guides for configuring NetFlow export on many devices: Cisco, Check Point, Fortinet.

5.2. In our case, I repeat, we are exporting NetFlow from the Check Point gateway. The NetFlow exporter is configured on the tab of the same name in the web interface (Gaia Portal): click Add and specify the collector, the NetFlow version and the port.
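Before trusting the gateway's exporter, it is worth confirming that the collector's UDP 2055 listener (section 4.3) and the firewall path to it actually work. The following added example is mine, not code from the article or from Cisco: it builds a NetFlow v5 datagram (24-byte header plus 48-byte records, big-endian) with one constructed flow, parses it back with the sanity checks a collector performs (version, record count against length), and can send it to the collector. The collector address 192.0.2.10 and the flow values are assumptions for illustration.

```python
"""Constructed NetFlow v5 test exporter and parser (added example, not from the
original article or from Cisco). Builds one NetFlow v5 datagram with a single
flow record, parses it back, and can send it to a FlowCollector on UDP 2055 to
confirm the listener and the firewall path before the real exporter is enabled.
The collector address below is an assumption for illustration."""
import socket
import struct
import time
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes) and flow record (48 bytes); all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
NETFLOW_V5 = 5

COLLECTOR = ("192.0.2.10", 2055)  # assumed FlowCollector address; UDP 2055 as in section 4.3


def build_v5_datagram(flows, sys_uptime_ms=0, unix_secs=None, sequence=0):
    """Serialize a list of flow dicts into one NetFlow v5 datagram."""
    if not 1 <= len(flows) <= 30:  # v5 carries at most 30 records per packet
        raise ValueError("NetFlow v5 carries 1..30 records per datagram")
    if unix_secs is None:
        unix_secs = int(time.time())
    header = struct.pack(HEADER_FMT, NETFLOW_V5, len(flows), sys_uptime_ms,
                         unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        struct.pack(
            RECORD_FMT,
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
            IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("input_if", 0), f.get("output_if", 0),
            f["packets"], f["octets"], f["first_ms"], f["last_ms"],
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"],
            f.get("tos", 0), 0, 0, 32, 32, 0,
        )
        for f in flows
    )
    return header + body


def parse_v5_datagram(data):
    """Parse a NetFlow v5 datagram into (header dict, list of record dicts).
    Rejects wrong versions and truncated or padded packets instead of reading
    garbage, which is what a collector must do with untrusted UDP input."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, uptime, secs, _nsecs, seq, _engine_type, _engine_id,
     sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != NETFLOW_V5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        fields = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        records.append({
            "src": str(IPv4Address(fields[0])), "dst": str(IPv4Address(fields[1])),
            "packets": fields[5], "octets": fields[6],
            "sport": fields[9], "dport": fields[10],
            "tcp_flags": fields[12], "proto": fields[13],
        })
    return header, records


def send_test_flow(collector=COLLECTOR):
    """Send one constructed flow (a TCP/443 session) to the collector.
    Returns the number of bytes handed to the socket."""
    flow = {"src": "10.0.0.5", "dst": "198.51.100.20", "packets": 12,
            "octets": 5600, "first_ms": 1000, "last_ms": 1500,
            "sport": 51234, "dport": 443, "proto": 6, "tcp_flags": 0x1B}
    datagram = build_v5_datagram([flow], sys_uptime_ms=2000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, collector)


if __name__ == "__main__":
    print("sent", send_test_flow(), "bytes to", COLLECTOR)
```

Run it from a host on the same segment as the real exporter; if the test host shows up as an exporter in the SMC but the gateway does not, the problem is on the Gaia side rather than in the firewall or the collector.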

6. Analysis of the work of StealthWatch

6.1. Going to the SMC web interface, on the very first page, Dashboards > Network Security, you can see that traffic has started flowing in!

6.2. Some settings, such as grouping hosts, monitoring individual interfaces and their utilization, managing collectors, and more, are only available in the StealthWatch Java application. Cisco is gradually moving all of this functionality to the browser version, and the desktop client will soon be abandoned.

To install the application, you must first install a JRE from the official Oracle website (I installed version 8, although the documentation says versions up to 10 are supported).

To download it, click the Desktop Client button in the upper right corner of the management console web interface.

Save and install the client forcibly; Java will most likely complain, and you may need to add the SMC host to the Java exception site list.

As a result, a fairly clear client opens, in which it is easy to see the load on exporters and interfaces, attacks, and the flows behind them.

7. StealthWatch Central Management

7.1. The Central Management tab lists all the appliances that are part of the StealthWatch deployment: FlowCollector, FlowSensor, UDP Director and Endpoint Concentrator. There you can manage network settings and appliance services, licenses, and shut an appliance down manually.

To open it, click the gear in the upper right corner and select Central Management.

7.2. Under Edit Appliance Configuration for the FlowCollector you will see the SSH, NTP and other network settings of the appliance itself. To get there, select Actions → Edit Appliance Configuration for the required device. This is also the place to disable SSH when you do not need it for troubleshooting, so that the appliances expose only HTTPS and the flow ports.

7.3. License management is also under Central Management > Manage Licenses. Trial licenses obtained through a GVE request are valid for 90 days.

The product is ready to go! In the next part we will look at how StealthWatch recognizes attacks and generates reports.

Source: habr.com