RSA Security Analytics. S4 Broker Setup Guide

(1)

(2)

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go towww.emc.com/legal/emc-corporation-trademarks.htm.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be

construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

(3)

S4 Broker Setup Guide

• S4 Broker Setup Guide 4

◦ SA Broker Hardware Description 5

◦ Mount the Appliance and Configure Network Parameters 9

◦ Finish Broker Setup in Security Analytics 15

(4)

S4 Broker Setup Guide

Overview

This document is a step-by-step guide for installing the RSA Security Analytics Broker and connecting it to your network.

(5)

SA Broker Hardware Description

This topic contains the following sections:

1.Overview

2.Introduction

3.Package Contents

4.Customer Supplied Materials

5.Front View of the Broker

6.Rear View of the Broker

7.Broker Specifications

Overview

This document introduces the RSA Series 4 Broker and provides a description of controls and connectors along with

selected specifications.

Introduction

The RSA Security Analytics Series 4 Broker is shipped with Broker software installed. The initial setup of the Broker in

your network involves these steps:

1. Review site requirements and safety information. 2. Mount the Broker hardware.

3. Connect the Broker to your network and configure network parameters on the Broker. 4. Finish Broker setup in Security Analytics.

There are several options for the initial physical connection to the Broker to begin configuration of the software

parameters. Once connected, the Security Analytics appliance console is used to make those configuration changes. Each

step is described in detail in this document.

You can learn more about Security Analytics in the online documentation. To view Security Analytics documentation, log

on to Security Analytics and select the Help option in the Security Analytics menu.

Package Contents

Verify the contents of the packing box to ensure that you have received all items necessary to install and configure your

Broker.

• Series 4 Broker appliance • Rail Slide Assemblies (2)

(6)

• Power Cord (2)

Customer Supplied Materials

To complete the setup procedure, you will need:

• One Ethernet network cable

• Cables to connect a monitor or KVM adapter to the VGA port and a keyboard or KVM adapter to the USB port • Standard tools for installing and mounting computer hardware

Front View of the Broker

Key Description 1 Diagnostic LEDs

2 System Identification Light 3 Power On/Off

4 Recessed non-maskable interrupt (NMI) button 5 System Identification Button

6 Micro USB port

7

Ten 2.5-inch hard drive bays. The Broker has two 146 GB drives and two 1 TB drives installed. There is also an internal secure digital (SD) card module where two 32 GB cards are installed, and this is where the operating system is installed by default.

8 Service Tag Details

(7)

Rear View of the Broker

Key Description

1 System Identification Button 2 System Identification Light 3 iDRAC Port

4

RS232 Serial Port (serial connection to laptop via DB9 or serial server)

5 VGA Video Port (monitor)

6 Network Interface cards slot: SAS Controller installed with two DAC interface ports for connecting to the disk_{storage arrays.}

7

Network Interface card expansion slots for optional cards. Possible options are:

• Fiber/Copper 10Gbps network capture card (RJ45)

• Fiber-channel host bus adaptor (HBA) used to connect to a SAN 8 USB Ports (Keyboard)

9 Gigabit Ethernet Port 1: em1 = management port. 10 Gigabit Ethernet Ports (2-4): em 2-4

11 Hot Swappable Power Supply 1 and 2

Broker Specifications

Form Factor 1U, full depth

Weight 39 lbs.

(8)

Dimensions 18.99” (w) x 30.39” (d) x 1.68” (h) Power supplies Hot Swappable, redundant 750W,_{100V to 240V autosensing}

Processors Dual hex core 2.66 GHZ

RAM 96 GB

(9)

Mount the Appliance and Configure Network Parameters

1.Overview

2.Introduction

3.Appliance Console via VGA Connection

4.Appliance Console via Network Connection

5.Set the IP Address

5.1.Set a Static IP

5.2.Set a Dynamic IP

6.Set the Hostname

7.Specify the Network Clock Source

8.Configure DNS Servers

Overview

This topic provides instructions for connecting a Security Analytics S4 appliance to your network and configuring initial

management parameters on the appliance.

Introduction

Before you begin network configuration, mount or place the appliance securely in accordance with site requirements.

Configuring network parameters for an RSA Security Analytics S4 appliance consists of setting the default IP address,

the network clock source, and the hostname, then configuring your DNS servers. To set these parameters, you can

connect to the appliance console using a keyboard and mouse or the Ethernet connection. In both cases, log on to the

appliance as root. Once able to log on to the appliance, use the NwConsole program to modify the appliance

management settings. Use the OS command line to configure DNS servers.

Method Username Default Password

ssh/cli root netwitness appliance admin netwitness

Choose one of these methods for the initial connection:

• Appliance Console via VGA Connection: Keyboard (USB Port) and monitor (VGA Port).

• Appliance Console via Network Connection: Computer using an SSH client connected to the appliance via Ethernet cable to Mgmt Port (em1), which is configured as 192.168.1.1 by default.

(10)

Appliance Console via VGA Connection

To use the Appliance Console via VGA connection:

1. Connect a monitor or KVM adapter to the VGA Port on the back of the appliance.

2. Connect a keyboard or KVM adapter to one of the USB ports on the back of the appliance.

3. Connect a power cord to each of the two power supplies on the rear of the appliance. Connect the power cords to a power source. To provide a more robust setup, connect each power supply to a different circuit.

Caution:

5V standby power is active whenever the system is plugged in. To remove power from the system, you

must unplug both AC power cords from the power source

4. At the login prompt use the default credentials to gain access to the operating system (root/netwitness). 5. Continue to Set the IP Address section below.

Appliance Console via Network Connection

Caution: The default IP address of the appliance is set at the factory to 192.168.1.1. The use of 192.168.1.1 is

fairly common and the IP address may already be in your system's SSH known_hosts file. The specific line for

that IP address may need to be removed.

To use the Appliance Console via network connection:

(11)

1. Connect an Ethernet cable between a computer and the Ethernet management port on the back of the appliance.

2. Connect the power cords to the power connectors on the appliance and a power receptacle.

3. The default IP address of the appliance is set at the factory to 192.168.1.1; therefore, set the IP address of the client system in the same subnet. For example, set your laptop to 192.168.1.15 with default gateway of 192.168.1.1 and then using a secure shell (SSH) client connect to the appliance.

Note: Be aware that if you change network parameters while connected through SSH, your SSH session will

be dropped and you will have to re-connect to the appliance at its new address.

4. Accept the SSH key.

5. At the login prompt use the default credentials to gain access to the operating system. 6. Continue to Set the IP Address section below.

Set the IP Address

Use one of the procedures below to set the management IP address on the appliance.

Set a Static IP

To set a static IP address:

1. At the root prompt: [root@NwAppliance~]# enter the following command:

NwConsole

The NwConsole starts up and the following message is displayed: RSA Security Analytics Console 10.2

login localhost:50006 <adminusername> <password>

for example: login localhost:50006 admin netwitness

You are logged onto the appliance and the following message is displayed: Successfully logged in as session <session #>

3. At the localhost prompt: [localhost:50006] /> enter the following command:

appliance setNet mode=static address=<desired IP address> netmask=<desired netmask> gateway=<desired network gateway>

◦ Example: To set the appliance em1 interface IP address to 10.1.2.35 for a class C network with gateway 10.1.2.1, execute the following command:

appliance setNet mode=static address=10.1.2.35 netmask=255.255.255.0 gateway=10.1.2.1

The network services automatically restart on the appliance and the new settings are applied.

(12)

4. If the appliance is connected via network connection, you will have to reconnect to appliance using the new IP address to continue. If you moved the appliance to a new subnet, changes to client networking may also be required.

5. To logout and exit the NwConsole, type exit.

Set a Dynamic IP

To set a dynamic IP address:

1. At the root prompt: [root@NwAppliance~]# enter the following command:

NwConsole

login localhost:50006 <username> <password>

appliance setNet mode=dhcp

4.

The network services automatically restart on the device and the new settings are applied. If the appliance is

connected via network connection, you will have to reconnect to appliance using the new IP address to continue. If

you moved the appliance to a new subnet, changes to client networking may also be required.

Caution: If you choose DHCP, there may be no way to determine the new address. You must connect to

the appliance console directly to determine the new address.

Set the Hostname

Creating the hostname of the system is a relatively simple task, but can benefit from consideration to limit common

issues. If you are looking for some guidance to choosing a hostname, refer to the RFC 1178. In terms of Security Analytics

the databases on the appliances are associated to the hostname. If the collection or aggregation has started (this is why it

is not turned on by default) then the database is created and changing the hostname after that occurs effectively creates a

second database. The hostname should contain only alphanumeric characters (no special characters such as #, _, @, -)

to eliminate communication issues.

1. If still logged into NwConsole, then skip steps 2 and 3. 2. At the root prompt: [root@NwAppliance~]#

enter the following command:

NwConsole

You are logged onto the appliance and the following message is displayed:

(13)

appliance hostname name=<desired_name_for_appliance>

For example: appliance hostname name=myserver

5. When you see an output of Success, type exit to log out and exit the NwConsole program. 6. Reboot the server using command: reboot

Note: It is recommended that you reboot the system after changing the hostname.

Specify the Network Clock Source

Note: If the NTP server is not configured or reachable at this time, the network clock source configuration will fail,

but can be done from the SA interface later.

It is recommended that all systems in the Security Analytics suite be synchronized using a network time source so that

all devices accurately depict the same time. If this is not done then the time on the devices can get out of sync causing

queries for a specific time to not return the expected results.

Note: The commands in these instructions are case sensitive.

To set the network clock source:

1. If still logged into NwConsole, then skip steps 2 and 3. 2. At the root prompt: [root@NwAppliance~]#

enter the following command:

NwConsole

appliance setNTP source=<NTP_server_hostname or IP_address>

For example: appliance setNTP source=0.pool.ntp.org

Or, if you want to use the appliance clock as a clock source, type: appliance setNTP source=local

5.

When you see an output of Success from the command, type exit to log out and exit the NwConsole program.

Note: If you specified an NTP clock source of local, the appliance clock serves as the clock source and the

time is configured using Set Appliance Built-In Clock as described in Security Analytics online help.

(14)

Configure DNS Servers

To set a static IP address:

1. At the root prompt: [root@NwAppliance~]# enter the following command:

vi /etc/resolv.conf

2.

Add the following lines to the file for each DNS server:

nameserver <DNS_server_ip_address>

search <domain_name>

where <DNS_server_ip_address> is the IP address of your DNS server, and

<domain_name> is the domain name

for example:

nameserver 192.168.0.1

search acmecorp.com

3. Save the changes and exit the vi editor.

(15)

Finish Broker Setup in Security Analytics

1.Overview

2.Introduction

Overview

This topic provides instructions for finishing Broker configuration and starting aggregation in Security Analytics.

Introduction

The final steps for setting up the Broker are done using Security Analytics. These are:

1. Add the Broker to Security Analytics in Devices view. 2. Apply a device license (or Entitlement) to the Broker.

3. Add one or more Concentrators to the Broker as aggregate devices. 4. Configure and start aggregation.

Several of these steps can be completed only when other parts of the Security Analytics network are in place:

• At least one Concentrator and one Decoder service must be installed, licensed, configured, and capturing data to generate Meta that the Broker can retrieve.

• The Security Analytics device licenses (or Entitlements) must be available for activating the devices.

Log on to Security Analytics and follow instructions in the online help to finish setup of the Broker as part of the Security

Analytics suite.

(16)