
Copyright © 2014 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. Solera is a trademark of Solera Networks, a Blue Coat company. All other trademarks mentioned in this document are the property of their respective owners.

Security Analytics Virtual Appliance Installation Guide for VMware

2 April 2014


This document is intended to help you use the web interface to configure your Security Analytics Virtual Appliance to perform network traffic capture, filtering, and playback or to function as a Central Manager Console. It is not intended as a guide to policies and/or procedures for either network security or network forensics.

This document attempts to provide the best information possible; however, this information is provided AS-IS and without warranty of any kind for accuracy, completeness, or currency. All references and links to Web sites are valid as of the date of publication, but the content and nature of those Web sites and pages is subject to change without our knowledge or control.

Copyrights, Trademarks, and Intellectual Property

A trademark symbol (™) or a registered trademark symbol (®) denotes a Blue Coat Systems trademark. A degree sign (°) denotes a third-party trademark. All third-party trademarks are the property of their respective owners. All other trademarks mentioned in this document are the property of their respective owners.

Copyright © 2014 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

The Blue Coat Security Analytics Platform includes freeradius-client libraries, freeradius-client-devel, and freeradius-client-libs. The FreeRADIUS Client library is distributed under the BSD license: freeradius.org/freeradius-client/.

GNU General Public License Source Code Requests

Blue Coat Systems will provide a machine-readable copy of the GPL open-source code on a CD. To obtain a copy, send a written request, along with a certified check or money order in the amount of U.S. $25.00, payable to Blue Coat Systems, Inc., to:

ATTN: Customer Support
GPL Source Code Request, Security Analytics
Blue Coat Systems
Suite 100
10713 South Jordan Gateway
South Jordan, UT 84095 USA


Introduction

This installation guide describes the installation and initial configuration of the Blue Coat Security Analytics Virtual Appliance using VMware° and the web interface. With the web interface, you can manage the Security Analytics Virtual Appliance settings, control what is being captured, generate a variety of reports about the captured data, and view, package, and regenerate captured data. You can also configure the Security Analytics Virtual Appliance to operate as a Central Manager Console (CMC).

This guide includes the following sections:

• Requirements

• Installation

• Preparing the Security Analytics Virtual Appliance

For detailed information about using the web interface, select Settings > Help > English on the web interface. The help files include a command-line interface (CLI) section (Reference > CLI Commands) to provide advanced configuration and operation controls for the Security Analytics Virtual Appliance.

For assistance with the installation of your Security Analytics Virtual Appliance, contact Security Analytics Support:

• Toll-Free (U.S. and Canada): 888-860-5705

• International: +1 801-545-4002

• Web: www.bluecoat.com/support

• Email: [email protected]


Table of Contents

1 Requirements

2 ESX Server Configuration
2.1 Management Network
2.2 Capture Network
2.3 Virtual Machine Network
2.4 Playback Network

3 Virtual Appliance Installation
3.1 ESX Configuration
3.2 Workstation Configuration
3.3 Add Indexing and Capture Virtual Disks

4 Virtual Appliance Administration
4.1 Configure Initial Settings

5 Troubleshooting the Installation

6 Appendix: Virtual Machine Sizing


1 Requirements

The Security Analytics Virtual Appliance has the following hardware and software requirements:

• 12–64 GB of memory per VM

• Disk space per datastore:

o See Appendix: Virtual Machine Sizing

• 4–8 CPU cores per VM

• Two or more Ethernet adapters (VMware° does not support capture on wireless NICs)

• VMware software platform for running the virtual appliance:

o ESXi: VMware ESXi 5 server (ESXi 5.5 is recommended for Security Analytics Platform 7.0+)

o Workstation (one of the following): Workstation 9, Fusion 5, or Player 6

o VMware vSphere° Client

• VMware Infrastructure Client (VI Client) or vSphere° Client

• 64-bit architecture on the host for running the 64-bit Solera OS guest VM

• A workstation with a Web browser running one of the following:

o Microsoft° Internet Explorer (IE) 8+

o Firefox° 18+

o Safari° 5+

o Chrome° 24+

• Cookies must be enabled in the browser.

• JavaScript must be enabled in the browser.

Supported Versions

| Security Analytics Version | VMware Version | End of Support |
|---|---|---|
| DeepSee 6.0 | VMware ESXi 5.0 and 5.1 | 12 Dec 2014 |
| DeepSee 6.6.x | VMware ESXi 5.0, 5.1 or 5.5 | 14 Jun 2016 |
| Security Analytics 7.0 | VMware ESXi 5.0, 5.1 or 5.5 | To Be Announced |
| Security Analytics 7.1 | VMware ESXi 5.0, 5.1 or 5.5 | To Be Announced |


2 ESX Server Configuration

This configuration assumes that the VMware ESX server is installed and configured with the correct data stores. Before importing the Security Analytics Virtual Appliance, configure the ESX server as follows:

• Create a Management Network

• Create a Capture Network (not applicable to Central Manager Console [CMC])

• Create a Virtual Machine Network (optional; not applicable to CMC)

• Create a Playback Network (optional; not applicable to CMC)

2.1 Management Network

By default, the VMware ESX server uses vSwitch0 for ESX management and for creating a VM network. You must modify vSwitch0 to permit management of the Security Analytics Virtual Appliance.

HOW TO: Create a management network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, click the target ESX server.

c. In the right pane, open the Configuration tab.

d. Select Hardware > Networking.

e. For vSwitch0, click Properties.

f. In the left pane, select VM Network.

g. Click Remove, then Yes.

h. Click Add, select Virtual Machine, and click Next.

i. Label the network SA Management, leave the VLAN ID field blank, and click Next.

j. Click Next, Finish, and Close.


2.2 Capture Network

Note: If you plan to use this VM as a CMC, do not configure a capture network.

To capture all network traffic, you must create a capture network that supports promiscuous mode. This network should be located on a vSwitch other than vSwitch0.

HOW TO: Create a capture network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the right pane, open the Configuration tab.

d. Select Hardware > Networking.

e. Click Add Networking.

f. Select Virtual Machine and click Next.

g. Select Create a virtual switch, select an available VM NIC, and click Next.

h. Label the network Capture Network, and leave the VLAN ID field blank.

i. Click Next, then Finish.

j. Click Properties for vSwitch1.

k. Select Capture Network, then click Edit.

l. Click the Security tab, select the Promiscuous Mode check box, and select Accept from the drop-down menu.

m. Click OK, and then click Close.


2.3 Virtual Machine Network

Note: If you plan to use this VM as a CMC, do not configure a virtual machine network.

Use the VM network to capture traffic from virtual systems. If you are not planning on capturing virtual traffic, you may skip to section 2.4 Playback Network.

HOW TO: Create a virtual machine network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the right pane, open the Configuration tab.

d. Select Hardware > Networking.

e. For vSwitch1, click Properties.

f. Click Add, then select Virtual Machine.

g. Label the network VM Network.

h. Select Next, then Finish.

i. On the Ports tab, select Virtual Machine Network, then click Edit.

j. Click the Security tab and select the Promiscuous Mode check box.

k. Select Accept from the drop-down menu.

l. Click OK, and then Close.


2.4 Playback Network

Note: If you plan to use this VM as a CMC, do not configure a playback network.

Use the playback network to play back traffic from either virtual networks or physical networks. If you are not planning on playing back traffic for either type of network, you may skip this section.

HOW TO: Create a playback network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the right pane, click the Configuration tab.

d. Select Hardware > Networking.

e. Click Add Networking.

f. Select Virtual Machine, then click Next.

g. Select Create a virtual switch.

h. Select an available VM NIC and click Next.

i. Label the network Replay Network and leave the VLAN ID field blank.

j. Click Next, then Finish.

k. For vSwitch1 click Properties.

l. Select Replay Network, then click Edit.

m. On the Security tab, select the Promiscuous Mode check box.

n. Select Accept from the drop-down menu.

o. Click OK, then Close.

Note: Playing back traffic to the same virtual or physical network that you used for capture can create network storms. Use extreme caution when playing back network traffic.
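A command-line check of the networks created in sections 2.1 through 2.4, as an added example that is not part of the Blue Coat guide. It assumes the port-group labels used above and shell access to the ESXi host; treating promiscuous mode on SA Management as a finding is an added hardening assumption, and the stand-in esxcli output is constructed.

```sh
#!/bin/sh
# Added example (not from the Blue Coat guide): audit the port groups created
# in sections 2.1-2.4 from the ESXi shell. Labels are the ones this guide uses.

# Constructed stand-in for esxcli so the script also runs off-host; on an ESXi
# host the real esxcli is used instead. The sample contains two findings:
# SA Management is promiscuous and Replay Network shares vSwitch0.
if ! command -v esxcli >/dev/null 2>&1; then
    esxcli() {
        case "$*" in
        *"portgroup list"*) cat <<'EOF'
Name             Virtual Switch  Active Clients  VLAN ID
---------------  --------------  --------------  -------
SA Management    vSwitch0                     1        0
Capture Network  vSwitch1                     1        0
Replay Network   vSwitch0                     1        0
EOF
            ;;
        *) cat <<'EOF'
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
EOF
            ;;
        esac
    }
fi

# Print the vSwitch hosting port group $1 (empty if the group does not exist).
# The listing is a fixed-width table and labels contain spaces, so the start
# of the second column is taken from the header line.
pg_vswitch() {
    esxcli network vswitch standard portgroup list | awk -v pg="$1" '
        NR == 1 { col = index($0, "Virtual Switch"); next }
        NR == 2 { next }                     # row of dashes
        {
            name = substr($0, 1, col - 1); sub(/ +$/, "", name)
            if (name == pg) { split(substr($0, col), f, " "); print f[1]; exit }
        }'
}

# Print the Allow Promiscuous value ("true"/"false") reported for port group $1.
pg_promisc() {
    esxcli network vswitch standard portgroup policy security get \
        --portgroup-name="$1" |
        awk -F': *' '$1 ~ /^ *Allow Promiscuous$/ { print $2; exit }'
}

# Check one port group. $1 label, $2 expected promiscuous value,
# $3 "mgmt" (must be on vSwitch0) or "sniff" (must not be on vSwitch0).
check_pg() {
    vs=$(pg_vswitch "$1")
    if [ -z "$vs" ]; then echo "SKIP  $1: not present"; return 0; fi
    rc=0
    pm=$(pg_promisc "$1")
    [ "$pm" = "$2" ] || { echo "FAIL  $1: promiscuous=$pm, expected $2"; rc=1; }
    case "$3" in
    mgmt)  [ "$vs" = vSwitch0 ] || { echo "FAIL  $1: on $vs, expected vSwitch0"; rc=1; } ;;
    sniff) [ "$vs" != vSwitch0 ] || { echo "FAIL  $1: shares vSwitch0 with management"; rc=1; } ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK    $1 ($vs, promiscuous=$pm)"
    return "$rc"
}

# Audit every network from section 2; optional networks are skipped if absent.
audit_sa_networks() {
    status=0
    check_pg "SA Management"   false mgmt  || status=1   # added hardening rule
    check_pg "Capture Network" true  sniff || status=1
    check_pg "VM Network"      true  sniff || status=1
    check_pg "Replay Network"  true  sniff || status=1
    return "$status"
}

audit_sa_networks || echo "One or more port groups differ from the guide."
```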


3 Virtual Appliance Installation

These installation steps assume that you have downloaded and extracted the virtual appliance from Blue Coat Systems. If you have not downloaded and extracted these files, please contact Security Analytics Support.

IMPORTANT: DO NOT attempt to install VMware Tools on Security Analytics Virtual Appliances.

3.1 ESX Configuration

HOW TO: Install the virtual appliance on an ESX(i) server

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the vSphere client, select File > Deploy OVF Template… to start the Deploy OVF Template wizard.

d. Select Deploy from file and browse to the directory where you extracted the Security Analytics Virtual Appliance files.

e. Select the OVF file and click Open.

f. Click Next twice.

g. Accept the default name of the virtual appliance and click Next.

h. Map the virtual networks accordingly:

o SA Management to SA Management (vSwitch0)

o Capture Network to Capture Network (vSwitch1) (not for CMC)

o Replay Network to Replay Network (vSwitch2) (not for CMC)

i. Click Next and then click Finish.

j. The virtual appliance begins importing.

Note: The import may take up to 10 minutes, depending upon your ESX hardware. Do not interrupt the import process.

Important: Do not power on the Security Analytics Virtual Appliance until you have followed the steps in Section 3.3 Add Indexing and Capture Virtual Disks.


3.2 Workstation Configuration

Follow these steps if you are using the Evaluation for VMware workstation.

HOW TO: Install the virtual appliance on a Workstation

a. Extract the Security Analytics Virtual Appliance ZIP file to your workstation.

b. Launch VMware Player or equivalent.

c. Select File > Open, locate the VMX file, and open it.

Important: Do not power on the Security Analytics Virtual Appliance until you have followed the steps in Section 3.3 Add Indexing and Capture Virtual Disks.

Note: The workstation VM image is not intended to run on VMware ESX. If you would like access to the ESX virtual appliance trial, please contact the Blue Coat Sales Team.


3.3 Add Indexing and Capture Virtual Disks

Except for the ESX trial version, the Security Analytics Virtual Appliance includes one virtual hard disk, which is the system virtual disk. To function properly, the Security Analytics Virtual Machine requires two additional virtual disks for indexing and capture. If you have deployed the ESX trial VM, the capture and indexing virtual disks have already been configured for you.

Note: It is highly recommended that you place the capture virtual disks on a logical unit comprising at least three (3) physical hard drives to achieve optimal capture performance. It is also recommended that you not share the logical unit with any other virtual machines to avoid excess read/write overhead.

HOW TO: Add indexing and capture virtual disks on ESX

a. On the vSphere client, select the virtual machine and click Edit Virtual Machine Settings.

b. On the Hardware tab, click Add.

c. Select Hard Disk and click Next twice.

d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual disk(s).

Note: When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB.

e. Click Next twice and then Finish.

f. Repeat steps b through e for the indexing virtual disk.

g. Power on the virtual machine.

HOW TO: Add indexing and capture virtual disks on the Workstation

a. In VMware Workstation/Fusion/Player, select Edit Virtual Machine Settings.

b. Click Add or Add Device.

c. Select Hard Disk.

d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual disk(s).

Note: When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB.

e. Repeat steps b through d for the indexing virtual disk.

f. Power on the virtual machine.

Note: Booting the virtual appliance for the first time will take several minutes. While the virtual machine starts, you will see a progress indicator. Press the Esc key to view additional information while the virtual appliance is booting.


4 Virtual Appliance Administration

The Security Analytics Virtual Appliance includes the full web interface and a command-line interface (CLI) for configuring and managing the Security Analytics Virtual Appliance. Once the virtual appliance is running, you can use either interface to administer and configure the virtual appliance.

Note: The Security Analytics Virtual Appliance user interface is identical to the user interface for Security Analytics Appliances.

4.1 Configure Initial Settings

By default, the management interface (eth0) is set to 192.168.20.20. Follow these steps to assign a temporary IP address:

HOW TO: Assign a temporary IP address

a. Log in to the CLI using the following credentials: username admin, password Solera

b. Use the following method to temporarily assign an IP address to the management interface (eth0):

ifconfig

sudo ifconfig eth0 <IP_address> netmask <subnet_mask>

sudo route add default gw <IP_of_default_gateway>

View the assigned IP address:

ifconfig eth0

Use the web interface to configure the initial settings.

HOW TO

Launch the web interface

a. Launch a Web browser and navigate to the IP address for eth0. You can use either HTTP or HTTPS.

b. At the Login page, type the default username and password, both of which are case-sensitive:

Username: admin

Password: Solera

c. Click Log In.

d. The End User License Agreement (EULA) is displayed. Accept the terms. The Initial Configuration page is displayed.

e. Select Settings > Help and then select your language under Online Help Files.

f. View the "Initial Settings" page for instructions on initial appliance configuration. All virtual appliances must also follow the steps to license the appliance.


5 Troubleshooting the Installation

The following sections discuss some common issues and other items to be aware of when using the Security Analytics Virtual Appliance. If you have any questions or need further assistance, please contact ATP Support.

• Phone: 888-860-5705 (U.S. and Canada) or +1 801-545-4002 (international)

• Email: [email protected]

• Web: www.bluecoat.com/support

Cannot Connect to the UI

1. Verify that you can ping the host IP address from the virtual appliance.

2. Verify that the virtual appliance has a valid gateway route:

[prompt]# route

3. Restart the network services:

[prompt]# sudo service network restart

4. Verify that the network interface of the machine where the virtual appliance is running is a bridged network interface. Refer to the VMware documentation for information on how to configure the network interfaces.

Cannot Capture Data

1. Verify that IP has been disabled on the physical interfaces that capture data.

2. Verify that you have modified the virtual interface to operate in promiscuous mode.

3. Confirm that you have added index and capture virtual disks before powering on the VM for the first time. If this was not done, delete the VM and start over.

Networking Not Working Properly

If networking is not working properly within the guest OS VM (e.g., you do not have a valid routing table, or you did not obtain an IP address from your DHCP server), you should try restarting the networking service at least once to resolve the issue:

[prompt]# sudo service network restart


64-bit Host Operating System with Virtual Technology

The Solera Virtual Machine requires that the server's CPU be both 64-bit and VT capable. More information about running a 64-bit guest OS on VMware platforms can be found in Article 1003945: "Hardware and Firmware Requirements for 64-bit Guest Operating Systems" in the VMware Knowledge Base (http://kb.vmware.com/). If you are uncertain of your ESX server or host computer's 64-bit compatibility, you can obtain a processor check utility from VMware through Article 1003945, referenced above.

• Error Message

This kernel requires an x86‐64 CPU, but only detected an i686 CPU. Unable to boot ‐ please use a kernel appropriate for your CPU.

You attempted to start the guest OS VM on an ESX server or host computer that is not 64-bit and VT capable. Use an ESX server or host computer that is both 64-bit and VT capable.

• Error Message

You have configured this virtual machine to use a 64‐bit guest operating system. However, 64‐bit operation is not possible. This host is VT‐capable, but VT is disabled.

You attempted to start the guest OS VM on an ESX server or host computer that is both 64-bit and VT capable, but whose VT settings are disabled in the BIOS. This is usually because VT has been disabled in the BIOS/firmware settings, or the ESX server or host computer has not been power-cycled since changing this setting.

1. Verify these BIOS/firmware settings: enable VT and disable trusted execution.

2. Power-cycle the ESX server or host computer if you changed either of these BIOS/firmware settings.

3. Power-cycle the ESX server or host computer if you have not done so since installing VMware.

4. Update the host computer's BIOS/firmware to the latest version. For more details, see Article 1003945, referenced above.


6 Appendix: Virtual Machine Sizing

Consult the following as a guideline for configuring your Security Analytics Virtual Machine.

| | 50G | 500G | 2T | 5T | 10T | CMC* | ESX Trial | Workstation |
|---|---|---|---|---|---|---|---|---|
| Capture | 40 GB | 0.4 TB | 1.6 TB | 3 x 1.34 TB | 5 x 1.6 TB | n/a | 1.5 TB | 100 GB§ |
| Index | 10 GB | 0.1 TB | 0.4 TB | 1.0 TB | 1.7 TB | n/a | 220 GB | 20 GB§ |
| System | 80 GB | 0.1 TB | 0.5 TB | 0.75 TB | 1 TB | 100+ GB | 80 GB | 80 GB |
| RAM (GB) | 12 | 12 | 16 | 32 | 64 | 12–32 GB | 12 | 8 |
| CPUs | 8 | 8 | 8 | 8 | 8 | 8–32 GB | 8 | 4 |

* CMC sizing depends on factors such as the average capture rate and number of sensors that the CMC controls. Increase the size of the system disk as the capture speed and number of sensors increases. Refer to the table below as a general guideline.

| Ave. Capture Rate (Up to 16 sensors) | RAM | CPUs |
|---|---|---|
| < 0.5 Gbps | 12 GB | 8 |
| 0.5 Gbps | 12 GB | 8 |
| 2 Gbps | 16 GB | 16 |
| 5 Gbps | 32 GB | 32 |

§ The size of capture and index virtual disks for the VMware workstation evaluation can be increased as long as the index disk is at least 20% the size of the capture disk.