Installation of Sourcefire 3D Firesight Defense Center and Virtual Appliance.

SourceFire DC Virtual Appliance Setup Guide and Basic Policy Configuration


Step by Step Guide on Sourcefire 5.4 Virtual Defense Center Setup and Policy Guide.


Contents

Introduction
    Host Requirements
    Feature Comparison
Initial Setup
Login via Web Interface
Adding of Licenses
Additional Configuration Changes
    User Management
    System Configuration
Adding of Managed Devices
    Host Requirements
    Feature Comparison
Setting up the Managed Devices
Adding the Managed Devices
Create an IPS policy
Create a protection policy
Verifying of Incidents

Introduction

This installation guide provides information on the installation of the Firesight Defense Center Virtual Appliance.

Host Requirements

The table below summarizes the requirements for the Virtual Machine.

Requirement  | Value
Host OS      | Official support: ESXi 5.x; unofficial support: VMware Workstation, Oracle VirtualBox
Memory       | 4GB
Storage      | 250GB (Thick provisioning recommended rather than Thin)
vCPU         | 4
NIC          | 1Gbps x 1

Feature Comparison

All features are supported across the appliance types except for the following:

Feature or Capability        | Series 2 Defense Center | Series 3 Defense Center | Virtual Defense Center
Establish High Availability  | Yes                     | Yes                     | No
Install Malware Storage Pack | DC1000, DC3000          | Yes                     | No

Initial Setup

Import the OVF (ESXi version) into the Host. Once deployed, power on the appliance and wait for the Login Prompt to appear. It may take anywhere from 20 to 35 minutes for the initial login prompt to appear, depending on the host performance.

Once the script has run successfully, the following login prompt will appear. You may need to hit the Enter key a few times to see the login prompt. The default credential is admin/Sourcefire.

Type “ifconfig eth0” to verify the IP address of the appliance. The default is 192.168.45.45. You may want to change the IP address to suit the environment. The rest of the settings can be changed via the GUI web interface.

To change the IP address of the Virtual Appliance, type:

sudo ifconfig eth0 192.168.46.2 netmask 255.255.255.0 up

You will need to enter the default password (Sourcefire) to complete the process.

Login via Web Interface

Once done, open Firefox or IE 9.0 or later and browse to https://192.168.46.2

Enter the Username: admin, Password: Sourcefire and Click Log in.

You will be presented with the initial setup page, where you can choose to change the password and enter any other relevant information such as Licensing, Managed Devices, etc. In this example, we are only going to change the password, Gateway, DNS IP addresses and hostname, and accept the End User License Agreement. The rest of the options can be changed via the GUI in later sections.

Scroll down to agree to the EULA by clicking on the checkbox and click Apply. You may need to wait for around 2 to 5 minutes for the process to complete.

You will be automatically redirected to the Main Dashboard once all the internal system processing is completed.

Adding of Licenses

The License file can be obtained via Cisco. The Initial key will need to be given to Cisco, and Cisco will return a License File that we can apply. In this example we are installing a 45-day Protection license for 1 Managed Device and the Firesight Management Software.

System -> License -> Add New License

The license key is automatically generated by the system based on the Eth0 mac address.

You will need to submit the License Key to Cisco in order for them to generate a set of license files for you to install into the Defense Center.

An example of the File generated by Cisco is as follows:

Copy and Paste the License File Content into the textbox provided and select “Submit License”.

In this example we will be doing it twice: once for the Virtual Device/Managed Device and once for the Firesight License itself.

Wait for the following screen to appear to verify that the license key was successful. Then scroll down and click on the “Return to License Page” button.

Repeat the above steps for the Firesight License as well.

In the end, when we return to the licensing page, we will be able to see two sets of licenses installed.

Additional Configuration Changes.

User Management

System -> Local -> User Management

Here we can change passwords, add accounts, manage user roles and link the Defense Center to an AAA server.

System Configuration

System -> Local -> Configurations.

Here we can modify the Certificate settings, link the Defense Center to an external Database, and change the network settings such as gateway, DNS and proxy servers.

Additionally we can reconfigure the Management Interface, change the Time Settings and even shut down or reboot the Appliance from the “Process” option.

Adding of Managed Devices.

In this example, we shall be adding a Virtual Appliance 3D System to the Defense Center. Just like the Defense Center, import the OVF file into the Host Server.

Host Requirements

The table below lists the requirements the Host Server must meet to support the Virtual Appliance 3D System.

Requirement  | Value
Host OS      | Official support: ESXi 5.x; unofficial support: VMware Workstation, Oracle VirtualBox
Memory       | 4GB
Storage      | 40GB (Thick provisioning recommended rather than Thin)
vCPU         | 4
NIC          | 1Gbps x 3 (1st adapter used for Management, 2nd and 3rd used to carry the inspected traffic)

Feature Comparison

The following table highlights the differences between the various managed devices.

Feature or Capability                                     | Series 2 Devices | Series 3 Devices                    | Virtual Device
Security Intelligence filtering                           | No               | Yes                                 | Yes
access control: geolocation-based filtering               | No               | Yes                                 | Yes
access control: application control                       | No               | Yes                                 | Yes
access control: user control                              | No               | Yes                                 | Yes
access control: literal URLs                              | No               | Yes                                 | Yes
access control: URL Filtering by category and reputation  | No               | Yes                                 | Yes
network-based advanced malware protection (AMP)           | No               | Yes                                 | Yes
fast-path rules                                           | 3D9900           | 8000 Series                         | No
strict TCP enforcement                                    | No               | Yes                                 | No
configurable bypass interfaces                            | No               | except where hardware limited       | No
tap mode                                                  | 3D9900           | Yes                                 | No
switching and routing                                     | No               | Yes                                 | No
NAT policies                                              | No               | Yes                                 | No
VPN                                                       | No               | Yes                                 | No
device stacking                                           | 3D9900           | 3D8140, 82xx Family, 83xx Family    | No
device clustering                                         | No               | Yes                                 | No
clustered stacks                                          | No               | 3D8140, 82xx Family, 83xx Family    | No
malware storage pack                                      | No               | Yes                                 | No
Sourcefire-specific interactive CLI                       | No               | Yes                                 | Yes
connect to an eStreamer client                            | Yes              | Yes                                 | No

Setting up the Managed Devices

Import the OVF (ESXi version) into the Host. Once deployed, power on the appliance and wait for the Login Prompt to appear. It may take anywhere from 20 to 35 minutes for the initial login prompt to appear, depending on the host performance.

The default username is admin and the password is Sourcefire. Hit “Enter” to display the End User License Agreement and press the spacebar to scroll through the pages.

Type “YES” to accept the agreement; otherwise the installation cannot continue.

The following prompts will ask for a new password, the configuration of IPv4 and/or IPv6, the domain name, the DNS server and the interface mode to be configured as Inline or Passive.

Once completed, the system will run some internal scripts and continue with the installation process.

It may take a while for it to complete. Once the prompt appears again, we will need to add the Defense Center IP address and shared secret key in order for the Defense Center to communicate with the virtual appliance. The command is as follows:

Once completed, test the ping connectivity from the Virtual Appliance to the Defense Center:

>expert

sudo ping 192.168.46.2

Type in commands like “ifconfig -a | more” to display all 3 NICs with their corresponding MAC addresses. You may want to check the settings on the Host Machine to ensure that the adapters are mapped to the correct virtual networks.
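Two command-line steps in this guide, re-addressing eth0 in the Initial Setup section and the ping test above, are where a wrong address or netmask on the managed device shows up only as a failed ping. The POSIX shell script below is an added example and is not part of this guide or of the Sourcefire software: it parses the output of ifconfig, validates the addresses, and reports whether the device and the Defense Center share a subnet before registration is attempted. The function names, the sample ifconfig output and the 00:0c:29:12:34:56 MAC address are constructed for the example; the 192.168.45.45 default and the 192.168.46.2/255.255.255.0 Defense Center address come from the guide.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight check of a managed device's
# eth0 address against the Defense Center address before the registration
# and ping steps. Function names and the sample ifconfig output are constructed.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# Prints the integer; prints nothing and returns 1 on a malformed address.
ip_to_int() {
    _ip="$1"
    # four octets, each 0-999 without leading zeros (a leading zero would be read as octal below);
    # the 255 upper bound is enforced in the loop
    printf '%s\n' "$_ip" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    _n=0
    _saved_ifs="$IFS"
    IFS=.
    for _octet in $_ip; do
        if [ "$_octet" -gt 255 ]; then
            IFS="$_saved_ifs"
            return 1
        fi
        _n=$(( (_n << 8) | _octet ))
    done
    IFS="$_saved_ifs"
    printf '%s\n' "$_n"
}

# Succeed (return 0) when both addresses fall in the same subnet under the given mask.
# Returns 2 when any argument is not a valid address or mask.
same_subnet() {
    _a=$(ip_to_int "$1") || return 2
    _b=$(ip_to_int "$2") || return 2
    _m=$(ip_to_int "$3") || return 2
    [ $(( _a & _m )) -eq $(( _b & _m )) ]
}

# Print the first IPv4 address found in ifconfig output read from stdin.
# Handles the net-tools form "inet addr:A.B.C.D" and the newer "inet A.B.C.D" form;
# "inet6" lines do not match because of the space after "inet".
first_ipv4() {
    sed -n -E 's/^[[:space:]]*inet (addr:)?([0-9.]+).*/\2/p' | head -n 1
}

# Verdict for one device: prints one line and returns 0 when the device sits on
# the Defense Center's subnet, 1 otherwise.
preflight() {
    _ifconfig_out="$1"; _dc_ip="$2"; _mask="$3"
    _dev_ip=$(printf '%s\n' "$_ifconfig_out" | first_ipv4)
    if [ -z "$_dev_ip" ]; then
        echo "eth0 has no IPv4 address"
        return 1
    fi
    if same_subnet "$_dev_ip" "$_dc_ip" "$_mask"; then
        echo "ok: eth0 $_dev_ip is on the same subnet as Defense Center $_dc_ip"
    else
        echo "reconfigure: eth0 $_dev_ip is not on the $_dc_ip subnet (mask $_mask)"
        return 1
    fi
}

# Constructed sample: "ifconfig eth0" on a freshly deployed appliance that is
# still at the factory default address quoted in the guide.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:12:34:56
          inet addr:192.168.45.45  Bcast:192.168.45.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Defense Center address and netmask used in the guide; on a real appliance
# replace "$SAMPLE_IFCONFIG" with "$(ifconfig eth0)".
preflight "$SAMPLE_IFCONFIG" 192.168.46.2 255.255.255.0 \
    || echo "re-address eth0 with the sudo ifconfig command from the Initial Setup section before registering"
```

The same-subnet check is deliberately strict: it assumes the managed device and the Defense Center are on one network segment, as they are in this guide. If the Defense Center sits behind a router, a "reconfigure" verdict only means the addresses differ in their network part, and the ping test remains the deciding check.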

Adding the Managed Devices

Click on Devices -> Device Management

Select “Add Device”

Type in the IP address of the Managed Device and the Registration Key (the shared secret key). Select the Default Network Discovery policy as the default policy and select the licensed features for the product.

Click Register and wait for about 1 to 2 minutes.

Create an IPS policy

Policies -> Intrusion -> Intrusion Policy

Click on “Create Policy”

Type in the name of the policy and select a Base Policy. The base policy is the default rule set that our policy starts from; we can then override its default values with our customized values.

Choose “No Rules Active” for a fresh, clean policy to start with.

Click on “Managed Rules” to edit the current policy.

A vast number of Signature IDs are displayed. We can search via the left hand side column or type in the SID if we know the number.

Type “16363” in the Filter row and hit Enter. You will see a single entry appearing.

The state icon next to each entry has the following meanings:

Indicates a signature that is disabled.

Indicates a signature that is enabled and is able to generate events if triggered.

Indicates a signature that is enabled, able to generate events and will drop the connection if triggered.

You can also click on the “Show details” button and scroll down to read a summary of what the signature does, modify its threshold or set limits if required.

Click on the “green arrow” and change the State to “Drop and Generate Events” and Click “OK”.

Type in the words “Bad login” to search by signature name. This method is useful if the Signature ID is not known. The search is case sensitive.

Once done, click on the Policy Element in the left hand side column and click “Commit Changes” once ready.

Enter appropriate description to complete the “Commit Change” process.

Create a protection policy

Policies -> Access Control -> New Policy.

Type in an appropriate name for the access policy. In this example we used newAccessPolicy and set the default action to “Block All traffic”.

Select “Add Rule”

Specify a rule name. In our scenario, we will permit all traffic BUT monitor it with the IPS policy that we created. Click on the “Networks” tab, select “Private Networks” and add it to both the Source and Destination networks. Ensure Action is set to “Allow”.

Click on “Inspection” tab.

In the Intrusion Policy tab, select the “IPSPolicy” that we created earlier. Click the “Add” button once we are done.

Click on the “Target” tab and ensure that our Virtual Appliance is selected. If it is not selected, click on its name and move it to the selected listbox.

Once ready, Click on the “Save and Apply” button.

Click on “Apply All” and review its status.

“Applying to 1 Devices” indicates that the rules are not ready yet and are still being applied to the Managed Devices.

“Up-to-date on 1 devices” indicates that the rules are ready on the Appliance.

Verifying of Incidents

There are several ways for Incidents to be viewed and tracked. Below are some screenshots that can be explored to look into and investigate the various incidents.