Copyright © 2010 - 2015 RSA, the Security Division of EMC. All rights reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be
construed as a commitment by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
Contents
• Virtual Appliance Setup Guide
◦ Virtual Appliance Overview
◦ Install Security Analytics Virtual Appliance in Virtual Environment
▪ Step 1: Deploy the Virtual Appliance
▪ Step 2: Configure the Network
▪ Step 3: Configure Datastore Space for the Appliance
▪ Step 4: Configure Appliance-Specific Parameters
Virtual Appliance Setup Guide
Overview
This guide provides instructions for installing and configuring virtual instances of the Security Analytics appliances. This document pertains only to elements of installation and configuration that are dependent on instances of Security Analytics running in a virtualized environment.
Virtual Appliance Overview
Overview
This topic provides an overview of the virtual instances of Security Analytics appliances, including installation media, available appliances, recommendations, minimum requirements, and sizing guidelines.
Context
You can install the following Security Analytics appliances in your virtual environment as a virtual appliance and inherit features that are provided by your virtual environment:
• Archiver
• Broker
• Concentrator
• Event Stream Analysis
• Log Decoder
• Malware Analysis
• Decoder
• Remote IPDB
• Remote Log Collector
• Security Analytics Server
• Warehouse Connector
You must be familiar with the following VMware infrastructure concepts:
• VMware vCenter Server
• VMware ESX host
• Virtual machine
For information on these VMware concepts, refer to the VMware product documentation.
The virtual appliances are provided as an Open Virtual Appliance (OVA). You need to deploy the OVA file as a virtual
machine in your virtual infrastructure.
Installation Media
Installation media are in the form of Open Virtual Appliance (OVA) packages, which are available for download and installation from Download Central (https://download.rsasecurity.com). As part of your RSA order fulfillment, you are provided access to the OVFs that pertain to each component ordered.
Virtual Environment Recommendations
The virtual appliances installed from the OVF packages have the same functionality as the Security Analytics hardware appliances. As a result, when planning any of the virtual appliances, you must take the backend hardware into account.
• Based on resource requirements of the different components, follow best practices to utilize the system and dedicated storage appropriately.
• Ensure that backend disk configurations provide minimum write speed of 10% greater than the required sustained capture and ingest rate for the deployment.
• Build Concentrator directories for meta and Index databases on the SSD/EFD HDD.
• If the database components are separate from the installed OS components (that is, on a separate physical system), provide direct connectivity using either two 8-Gbps Fiber Channel SAN ports per virtual appliance or 6-Gbps SAS connectivity.
Virtual Appliance Minimum Requirements
The following table lists CPU, memory, and OS disk partition minimum requirements for the virtual appliances.
• The disk requirements are fixed sizes for the OVA packages. Some settings for the OVA package will need to be adjusted.
• RAM and CPU metrics are minimums and are also dependent on the capture and ingest environment.
• The requirements were tested at ingest rates of 5k EPS for logs and 300 Mbps for packets.

Virtual Appliance Type    | Quantity of CPUs | CPU Specifications       | RAM   | Disk
--------------------------|------------------|--------------------------|-------|-------
Decoder                   | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Log Decoder               | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Concentrator              | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Archiver                  | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Broker                    | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Warehouse Connector       | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Security Analytics Server | 4                | Intel Xeon CPU @2.93 GHz | 16 GB | 320 GB
Virtual Log Collector Sizing Guidelines
The following table lists the recommended CPU specifications, memory, and disk size for the Virtual Log Collector (VLC) based on events per second (EPS).

Rate       | Quantity of CPUs | CPU Specifications       | RAM    | Disk
-----------|------------------|--------------------------|--------|-------
1,000 EPS  | 2                | Intel Xeon CPU @2.00 GHz | 2 GB   | 150 GB
2,500 EPS  | 2                | Intel Xeon CPU @2.00 GHz | 2.5 GB | 150 GB
5,000 EPS  | 3                | Intel Xeon CPU @2.00 GHz | 3 GB   | 150 GB
20,000 EPS | 8                | Intel Xeon CPU @2.00 GHz | 8 GB   | 150 GB
Install Security Analytics Virtual Appliance in Virtual Environment
Overview
This topic provides the sequence of the installation steps along with detailed procedures for installing a Security
Analytics virtual appliance in your virtual environment.
Prerequisites
Make sure that you have:
• A VMware ESX Server that meets the requirements described in the above section.
• vSphere 4.1 Client or vSphere 5.0 Client installed to log on to the VMware ESX Server.
• Administrator rights to create the virtual machines on the VMware ESX Server.
Step 1: Deploy the Virtual Appliance
Overview
This topic provides instructions to deploy the OVA file on the vSphere Server or ESX Server using the vSphere client.
Prerequisites
Make sure that you have:
• Network IP addresses, netmask, and gateway IP addresses for the virtual appliance.
• Network names for all virtual appliances, if you are creating a cluster.
• DNS or host information.
• Password for virtual appliance access. The default username is root and the default password is netwitness.
• Downloaded the Security Analytics virtual appliance package file from the download server.
Note:
A script will run immediately upon logging on, asking for the Security Analytics server IP address. Press Enter, with no IP address, or Ctrl-C to break out of this script. Once the current appliance is completely set up and the Security Analytics server is online and ready to accept appliances, log off, log back on, and enter the Security Analytics IP address at this prompt.
Procedure
Note:
The following instructions illustrate one possible example of deploying an OVA appliance; your screens may vary.
To deploy the OVA appliance:
1. Log on to the ESXi environment.
2. In the File drop-down, select Deploy OVF Template. The Deploy OVF Template dialog is displayed.
3. In the Deploy OVF Template dialog, select the OVF for the appliance that you want to deploy in the virtual environment, and click Next.
The Name and Location dialog is displayed. The designated name does not reflect the server hostname; it is only used for inventory reference from within ESXi.
4. Make a note of the name, and click Next. Storage Options are displayed.
5. For Storage options, designate the datastore location for the virtual appliance. This location is only for the appliance OS. It does not have to be the same datastore used when setting up and configuring additional volumes for the Security Analytics databases on certain appliances (covered in the following sections). When finished, click Next. The Network Mapping options are displayed.
6. If you want to configure Network Mapping now, you can select options here, but RSA recommends that you keep the default values and save network mapping for after the OVF has been configured. This configuration is done in Step 4: Configure Appliance-Specific Parameters.
Leave the default values, and click Next.
A status window showing deployment status is displayed.
After the process is complete, the new OVF is presented in the designated resource pool visible on ESXi from within vSphere. At this point, the core virtual appliance is installed but is still not configured.
Step 2: Configure the Network
Overview
This topic provides instructions on how to configure the network of the Virtual Appliance.
Prerequisites
Make sure that you have:
• Network IP addresses, netmask, and gateway IP addresses for the virtual appliance.
• Network names for all virtual appliances, if you are creating a cluster.
• DNS or host information.
Note:
A script will run immediately upon logging on, asking for the Security Analytics server IP address. Press Enter, with no IP address, or Ctrl-C to break out of this script. Once the current appliance is completely set up and the Security Analytics server is online and ready to accept appliances, log off, log back on, and enter the Security Analytics IP address at this prompt.
Procedure
Perform the following steps for all virtual appliances to get them on your network.
To configure the network:
1. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 configuration file as shown below with the appropriate IP address, netmask, and gateway. (The reason for manual network configuration is that the Security Analytics OVF automatic network configuration option does not successfully set all network settings at this time.) BOOTPROTO should be set to NONE or STATIC to avoid automatically defaulting to DHCP.
2. Edit the /etc/sysconfig/network file and set the appliance Hostname.
3. (Optional) Edit the /etc/resolv.conf file and set the preferred DNS servers the appliance should use.
4. Configure the hostname. If you configured the DNS server entries so that the DNS server can resolve the Security Analytics appliances, you can skip this step. Otherwise, configure the /etc/hosts file as follows:
a. Change all references to the default appliance hostname to match your chosen hostname.
b. Add the line:
<your-appliance-ip-address> <your-appliance-hostname>
where <your-appliance-ip-address> is the IP address of your machine and <your-appliance-hostname> is the name of your appliance.
c. Add the line:
<your-Security-Analytics-Server-ip-address> <your-Security-Analytics-appliance-hostname>
where <your-Security-Analytics-Server-ip-address> is the IP address and <your-Security-Analytics-appliance-hostname> is the name of your Security Analytics appliance.
5. Restart the network adapter by typing the following command:
service network restart
6. Progress messages are displayed as the adapter restarts.
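The files that steps 1 through 4 above edit by hand, as an added example that is not part of the RSA guide: the script renders them from placeholder values into a staging directory so they can be reviewed before being copied to /etc, and checks that the rendered ifcfg-eth0 cannot fall back to DHCP. The addresses, hostnames, and the staging directory are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the RSA guide. Renders the Step 2 network files into
# a staging directory (so nothing touches the live /etc until reviewed) and
# validates the ifcfg file. All addresses and names are constructed placeholders.

# Usage: render_network_config <stage-dir> <ip> <netmask> <gateway> <hostname>
#                              <sa-server-ip> <sa-server-hostname> <dns-ip>
render_network_config() {
    stage="$1"; ip="$2"; mask="$3"; gw="$4"; host="$5"; sa_ip="$6"; sa_host="$7"; dns="$8"
    mkdir -p "$stage/etc/sysconfig/network-scripts"

    # Step 1: static addressing. BOOTPROTO=none keeps the NIC off DHCP.
    cat > "$stage/etc/sysconfig/network-scripts/ifcfg-eth0" <<EOF
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=$ip
NETMASK=$mask
GATEWAY=$gw
EOF

    # Step 2: appliance hostname.
    cat > "$stage/etc/sysconfig/network" <<EOF
NETWORKING=yes
HOSTNAME=$host
EOF

    # Step 3 (optional): preferred DNS server.
    printf 'nameserver %s\n' "$dns" > "$stage/etc/resolv.conf"

    # Step 4: local name resolution for this appliance and the SA server.
    cat > "$stage/etc/hosts" <<EOF
127.0.0.1 localhost localhost.localdomain
$ip $host
$sa_ip $sa_host
EOF
}

# Returns non-zero if the ifcfg file would still fall back to DHCP or if any
# of the three static settings is missing.
check_ifcfg() {
    f="$1"
    proto=$(sed -n 's/^BOOTPROTO=//p' "$f" | tr 'A-Z' 'a-z')
    case "$proto" in
        none|static) ;;
        *) echo "BOOTPROTO is '$proto', expected none or static" >&2; return 1 ;;
    esac
    for key in IPADDR NETMASK GATEWAY; do
        grep -q "^$key=." "$f" || { echo "$key is not set" >&2; return 1; }
    done
    return 0
}
```

After reviewing the staged files, copy them into place and run service network restart as in step 5.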
Step 3: Configure Datastore Space for the Appliance
Overview
This topic provides configuration options for configuring datastore space for the different appliances. Refer to the
specific section for information on the virtual appliance you are trying to configure.
Virtual Drive Space Ratios
The following table provides optimal configurations for packet and log appliances. Additional partitioning and sizing
examples for both packet capture and log ingest environments are provided at the end of this topic.
Decoder

Datastore             | Sizing
----------------------|-------------------------------------------------------------------
PacketDB (persistent) | 100% as calculated by the Sizing Calculator
SessionDB (cache)     | 6 GB per 100 Mb/s of sustained traffic provides 4 hours of cache
MetaDB (cache)        | 60 GB per 100 Mb/s of sustained traffic provides 4 hours of cache
Index (cache)         | 3 GB per 100 Mb/s of sustained traffic provides 4 hours of cache

Concentrator

Datastore | Sizing
----------|-------------------------------------------------------------------------------------------------------------
MetaDB    | Calculated as 10% of the PacketDB required for a 1:1 retention ratio
SessionDB | 30 GB per 1 TB of PacketDB for standard multi-protocol network deployments, as seen at typical internet gateways
Index     | 5% of the calculated MetaDB on the Concentrator. High-speed spindles or SSD preferred for fast access

Log Decoder

Datastore             | Sizing
----------------------|-------------------------------------------------------------------
PacketDB (persistent) | 100% as calculated by the Sizing Calculator
SessionDB (cache)     | 1 GB per 1000 EPS of sustained traffic provides 8 hours of cache
MetaDB (cache)        | 20 GB per 1000 EPS of sustained traffic provides 8 hours of cache
Index (cache)         | 0.5 GB per 1000 EPS of sustained traffic provides 4 hours of cache

Log Concentrator

Datastore | Sizing
----------|-----------------------------------------------------------------------------------------------------
MetaDB    | Calculated as 100% of the PacketDB required for a 1:1 retention ratio
SessionDB | 3 GB per 1000 EPS of sustained traffic per day of retention
Index     | 5% of the calculated MetaDB on the Concentrator. High-speed spindles or SSD preferred for fast access
Procedures
Expand Drive Space for Packet and Log Decoders
The following instructions provide configuration options to expand drive space on a Virtual Packet/Log Decoder
appliance.
Configure Virtual Datastores
1. Ensure that the newly connected Virtual Datastores are presented as a generic SCSI device to the operating system.
2. Configure the following required datastores for a Decoder within the VM:
◦ PacketDB (Raw Capacity) – This virtual database represents the largest virtual database. This datastore will ultimately house the raw packet or log data.
◦ MetaDB – This virtual datastore represents the meta database cache and is only needed for temporary storage of the meta database on the Decoder. Recommended sizing for this datastore is to allow for a 4-hour cache. Sizing for this datastore is dependent on the sustained capture rate or the sustained EPS rate. The datastore size can also be increased to accommodate a longer cache window.
◦ SessionDB – This virtual datastore houses the session database of the Decoder. The sizing for this datastore is directly related to the size of the MetaDB cache.
Configure the Linux Volumes
1. Log on to the virtual machine as root.
The virtual datastores show up as SCSI devices (for example, /dev/sdb, /dev/sdc, and /dev/sdd).
2. Using fdisk, create a GPT partition for each virtual datastore you created. It is useful to name the partitions after the datastores to which they are attached.
3. Format each volume using mkfs.xfs.
4. To add the scsi devices to /etc/fstab, use the following examples as a guide:
/dev/sdb1 /var/netwitness/decoder/packetdb xfs noatime 1 2
/dev/sdc1 /var/netwitness/decoder/metadb xfs noatime 1 2
/dev/sdd1 /var/netwitness/decoder/sessiondb xfs noatime 1 2
/dev/sde /var/netwitness/decoder/index xfs noatime 1 2
Expand Drive Space for a Concentrator
The following instructions provide configuration options to expand drive space on a Virtual Concentrator appliance.
Configure the Virtual Datastores
The estimates below are intended to provide guidance for configuring the partitioning for the Log Decoder databases.
The capacity requirements have an additional 5% overhead designated to account for overhead when ultimately
configured within Security Analytics.
To configure the virtual datastores:
1. Configure the following required datastores for a Concentrator:
◦ Metadb – This virtual datastore houses the permanent database and should be the largest datastore on the attached storage.
◦ Sessiondb – This virtual datastore houses the session database for the Concentrator. RSA recommends that you configure SSDs for this datastore.
◦ Index – This virtual datastore houses the index for the Concentrator. RSA recommends that you configure SSDs for this datastore.
2. Ensure that the configured datastores are presented to the virtual Concentrator as a SCSI device.
Configure the Linux Volumes
1. Log on to the virtual machine as root.
The virtual datastores show up as SCSI devices (for example, /dev/sdb, /dev/sdc, and /dev/sdd).
2. Using fdisk, create a GPT partition for each virtual datastore you created. It is useful to name the partitions after the datastores to which they are attached.
3. Format each volume using mkfs.xfs.
4. To add the scsi devices to /etc/fstab, use the following examples as a guide:
/dev/sdc1 /var/netwitness/concentrator/metadb xfs noatime 1 2
/dev/sdd1 /var/netwitness/concentrator/sessiondb xfs noatime 1 2
/dev/sde /var/netwitness/concentrator/index xfs noatime 1 2
Add the New Partitions to the Security Analytics Configuration
1. Log on to Security Analytics.
2. Select Administration > Services.
3. In the Services view select the service, and at the end of the row, click > View > Explore.
4. Select Database > Config.
5. Select the directory that you want to expand (for example, meta dir, session dir, and so on.).
6. Append the value by using a semicolon (;) followed by the mount point that you defined in Step 4 of Configure the Linux Volumes.
Note:
Verify that the databases are configured to roll over at approximately 95% of their full capacity.
If you mounted the additional partition to /var/netwitness/decoder/packetdb, and the partition
is 10TB, you can have the following entry under packet.dir:
/var/netwitness/decoder/packetdb=xxx TB;/var/netwitness/decoder/packetdb=9.5TB
The first entry before (;) denotes the original location for packet.dir.
7. After adding the new 10TB partition to the configuration, you must run reconfig so that the correct size is added.
a. Right-click Database and click Properties.
b. In the drop-down list, select reconfig and enter update=1 in the Parameters field.
c. Click Send. The partition sizes will be adjusted to 95% of the partition's available space.
8. Restart the appliance service for the changes to take effect.
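The /etc/fstab layout from Configure the Linux Volumes and the 95% sizing rule from the note above, as an added example that is not part of the RSA guide. It generalises the fstab lines to any of the three services, derives the size that reconfig would assign to a new partition, and rejects a malformed fstab line before it reaches the appliance. Device names, partition sizes, and the second packetdb mount point are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the RSA guide. Builds the datastore fstab lines for
# a Security Analytics service and the "path=size" entries used in the
# packet.dir / meta.dir configuration. Devices and sizes are placeholders.

# Emit one fstab line per "device:dbname" pair for the given service
# (decoder, logdecoder, concentrator). Fields: fs, mount point, type,
# options, dump, fsck pass.
fstab_lines() {
    service="$1"; shift
    for pair in "$@"; do
        dev="${pair%%:*}"; db="${pair##*:}"
        printf '%s /var/netwitness/%s/%s xfs noatime 1 2\n' "$dev" "$service" "$db"
    done
}

# 95% of a partition size given in TB, formatted as the guide shows it (9.5TB).
usable_tb() {
    awk -v tb="$1" 'BEGIN { printf "%gTB", tb * 0.95 }'
}

# Append a new partition to an existing packet.dir / meta.dir value. Entries
# are separated by ";" and the size is capped at 95% of the partition, which
# is what reconfig update=1 applies.
append_dir_entry() {
    current="$1"; mount="$2"; size_tb="$3"
    printf '%s;%s=%s' "$current" "$mount" "$(usable_tb "$size_tb")"
}

# Returns non-zero for an fstab line whose mount point is outside the
# /var/netwitness/<service>/ tree, whose type is not xfs, or whose dump/pass
# fields are not "1 2" (a flattened "12" silently changes fsck behaviour).
check_fstab_line() {
    set -- $1
    [ "$#" -eq 6 ] || return 1
    case "$2" in /var/netwitness/*/*) ;; *) return 1 ;; esac
    [ "$3" = xfs ] && [ "$5" = 1 ] && [ "$6" = 2 ]
}
```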
Step 4: Configure Appliance-Specific Parameters
Overview
This section provides guidance and options specific for configurations based on whether you will be analyzing logs,
packets, or both.
Procedures
Configure Log Ingest in the Virtual Environment
Log ingest is easily accomplished by sending the logs to the IP address you have specified for the decoder. The
decoder’s management interface allows you to then select the proper interface to listen for traffic on if it has not already
selected it by default.
Configure Packet Capture in the Virtual Environment
There are two options for capturing packets in a VMware environment. The first is setting your vSwitch to promiscuous mode, and the second is to use a third-party virtual tap.
Set a vSwitch to Promiscuous Mode
Putting a switch, whether virtual or physical, into promiscuous mode, also described as a SPAN port (Cisco) or port mirroring, is not without limitations. Depending on the amount and type of traffic being copied, packet capture can easily lead to oversubscription of the port, which equates to packet loss. Taps, whether physical or virtual, are designed and intended for lossless, 100% capture of the intended traffic.
Promiscuous mode is disabled by default and should not be turned on unless specifically required. Software running inside a virtual machine that is allowed to enter promiscuous mode may be able to monitor any and all traffic moving across the vSwitch, and the copied traffic can cause packet loss due to oversubscription of the port.
To configure a portgroup or virtual switch to allow promiscuous mode:
1. Log on to the ESXi/ESX host or vCenter Server using the vSphere Client.
2. Select the ESXi/ESX host in the inventory.
3. Select the Configuration tab.
4. In the Hardware section, click Networking.
5. Select Properties of the virtual switch for which you want to enable promiscuous mode.
6. Select the virtual switch or portgroup you want to modify, and click Edit.
7. Click the Security tab. In the Promiscuous Mode drop-down menu, select Accept.