Posted on 29-May-2020
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 37
Cisco Multicloud Portfolio: Cloud Protect
Design and Deployment Guide for
Cisco Stealthwatch Cloud Public and Private
Network Monitoring
June 2018
Guide
Contents
Executive summary ........ 3
  Cisco Multicloud Portfolio: Overview ........ 3
  Cloud Protect overview ........ 4
  Cloud Protect use cases ........ 4
  Cloud Protect benefits ........ 5
Technology overview ........ 5
Solution design ........ 6
Solution deployment ........ 7
  Configuring Stealthwatch Cloud with AWS ........ 7
    Create a policy ........ 7
    Create a new role ........ 9
    Enable VPC Flow Logs ........ 10
  Configuring Stealthwatch Cloud with GCP ........ 11
  Configuring Stealthwatch Cloud with Microsoft Azure ........ 12
  Configuring Stealthwatch Cloud Private Network Monitoring ........ 12
    Sensor deployment to a physical machine ........ 13
    Sensor deployment to hypervisor ........ 14
  Stealthwatch Cloud PNM sensor setup ........ 14
    Connecting the Stealthwatch Cloud PNM sensor to the network ........ 23
    Configuring a sensor to collect flow data ........ 25
  Attaching sensors to the Stealthwatch Cloud portal ........ 27
    Adding a sensor’s public IP Address to a portal ........ 28
  Confirming a sensor’s portal connection ........ 28
Appendix A: Sensor connectivity issues ........ 30
Appendix B: Install PNM on nonpackaged Linux operating systems ........ 30
Appendix C: Adding a portal’s service key to a sensor ........ 32
Appendix D: Configuring the PNM firewall (iptables) ........ 33
Appendix E: Stealthwatch Cloud sensor services ........ 34
Appendix F: NetFlow integration templates ........ 35
Additional resources ........ 36
Executive summary
Cisco Stealthwatch® Cloud is a public cloud and private network monitoring solution, a cloud-delivered application
in the Cisco® Multicloud Portfolio that provides visibility and effectively identifies active threats and monitors user
and device behavior across public and on-premises networks. This guide focuses on how to deploy that
application.
Stealthwatch Cloud provides high-value, low-noise alerts to detect unusual, risky, and malicious behavior
across your IT infrastructure from the public cloud to headquarters to the branch network. It uses the collection
of Virtual Private Cloud (VPC) Flow Logs and other APIs inside Amazon Web Services (AWS) and Google Cloud
Platform (GCP) for visibility into cloud environments and on-premises sensors for visibility into campus and
branch networks.
The audience for this document includes network-design engineers, network-operations personnel, and security-
operations personnel who wish to implement efficient threat identification through entity modeling inside and across
the public cloud(s) and on-premises network(s).
Cisco Multicloud Portfolio: Overview
In a multicloud world, growing complexity is driving a cloud gap between what your customers require and what
your people, processes, and tools can support. With the Cisco Multicloud Portfolio, we make it simple: simple to
connect, simple to protect, and simple to consume.
The Cisco Multicloud Portfolio is a set of essential products, software, and services supported with simplified
ordering and design deployment guides to help you when it comes to multicloud adoption. The Cisco Multicloud
Portfolio consists of four component portfolios (Figure 1):
● Cloud Advisory: Helps you design, plan, accelerate, and reduce risk during your multicloud migration.
● Cloud Connect: Securely extends your private networks into public clouds and helps ensure the
appropriate application experience.
● Cloud Protect: Protects your multicloud identities, direct-to-cloud connectivity, data, and applications,
including Software as a Service (SaaS), and detects infrastructure and application threats on-premises and
in public clouds.
● Cloud Consume: Helps you deploy, monitor, and optimize applications in multicloud and container
environments.
Figure 1. Cisco Multicloud Portfolio: Cloud Advisory, Cloud Connect, Cloud Protect, and Cloud Consume
Cloud Protect overview
Cloud Protect consists of essential products to protect your multicloud identities, direct-to-cloud connectivity,
data, and applications, including SaaS, and detects infrastructure and application threats on-premises and in public
clouds:
● Cisco Umbrella™
● AMP for Endpoints
● Cisco Meraki™ Systems Manager
● CloudLock®
● Tetration Cloud
● Stealthwatch Cloud
For detailed use cases, see the section about Cloud Protect on the portfolio’s solution page at
https://www.cisco.com/go/multicloud.
Cloud Protect use cases
Cloud Protect delivers value in the following use cases:
● Secure users connecting to the Internet (cloud), including users from data centers/main offices, branches
(no Multiprotocol Label Switching [MPLS]), users who are roaming (off VPN), and “direct-to-cloud” users.
Includes protection for ransomware, command-and-control callbacks, phishing attacks, and inappropriate
web use.
● Secure users’ devices connecting to the Internet, both on and off the network. Security measures include
blocking malicious files at initial entry by inspection and using a sandbox to further inspect unknown files for
advanced protection.
● Enable endpoint protection by ensuring the right security services are installed and configured, by permitting
only sanctioned apps to access the cloud, and by constantly evaluating and dynamically taking corrective
action based on changes to endpoint posture.
● Secure cloud applications and data, including detecting data leakages through sanctioned SaaS
applications and protecting sensitive data and users from malicious or compromised applications.
● Gain the visibility and continuous threat detection needed to secure your public cloud, private network, and
hybrid environments.
● Discover, map, baseline, and protect applications for workloads on the cloud, hybrid, and on-premises.
Planning application migrations, identifying deviations in application behavior, and applying security policies
for enforcing fine-grain application microsegmentation are included.
● Efficiently identify threat activity and monitor user and device behavior across public cloud and on-premises
network. Use high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT
infrastructure, from the public cloud to headquarters to the branch network.
Cloud Protect benefits
Cloud Protect benefits include:
● Secure cloud identities, data, and apps/SaaS
● Provide secure cloud access for users on and off the network
● Enable easy pluggable protection of mobile devices accessing apps (for example, Apple iOS devices)
● Protect workloads on public cloud Infrastructure-as-a-Service (IaaS) providers with security policy
enforcement
● Enable compliance in the cloud
● Lower risk by providing increased visibility and control
● Provide ~5% to 10% lower cost through simplified deployment
● Reduce remediation time for >30% of organizations by >90%
● Reduce malware infections for ~40% of organizations by >90%
● Protect on-premises and cloud environments with a single vendor
● Provide increased visibility tied into automated threat defense
● Dynamically react to changes in endpoint posture by controlling apps, users and services that access cloud
data via laptops, mobile devices
Technology overview
In a multicloud world, IT managers are quickly realizing the benefits of cloud computing services such as
infrastructure as a service. IaaS providers such as AWS allow organizations to more rapidly and cost-effectively
prototype new applications. Instead of procuring, installing, and managing hardware – which could take months to
accomplish – you can easily use the on-demand and scalable compute services within AWS. This allows you to
focus your resources on applications rather than on managing the data center and physical infrastructure. With the
use of IaaS, expenses shift from fixed costs for hardware, software, and data center infrastructure to variable costs
based on the usage of compute resources and the amount of data transferred between the private data center and
the IaaS provider. Therefore, you must also be able to monitor the usage of such resources for cost tracking and/or
internal billing purposes.
Stealthwatch Cloud improves security and incident response across the distributed network - from the private
network and branch office to the public cloud. This solution addresses the need for digital businesses to quickly
identify threats posed by their network devices and cloud resources, and to do so with minimal management,
oversight, and security manpower.
The network is evolving. IT resources are frequently being moved into the cloud. At the same time, the number of
connected devices on the private network is increasing dramatically. Security personnel are struggling just to know
what entities are operating in their environment, let alone whether they pose a threat to the organization.
Stealthwatch Cloud addresses this problem by providing comprehensive visibility and high-precision alerts with low
noise, without the use of software agents. Organizations can accurately detect threats in real time, regardless of
whether an attack is taking place on the network, in the cloud, or across both environments. Stealthwatch Cloud is
a cloud-based, Software-as-a-Service (SaaS)-delivered solution. It detects ransomware and other malware, data
exfiltration, network vulnerabilities, and role changes that indicate compromise.
Solution design
Stealthwatch Cloud consists of two primary offerings: Public Cloud Monitoring and Private Network Monitoring.
Public Cloud Monitoring can be used in combination with Private Network Monitoring or Cisco Stealthwatch
Enterprise to provide visibility and threat detection across the entire network, such as AWS, GCP, and Microsoft
Azure infrastructures. It is a cloud-delivered, SaaS-based solution that can be deployed easily and quickly.
In AWS environments, Stealthwatch Cloud can be deployed without software agents, instead relying on native
AWS sources of telemetry, such as its VPC Flow Logs. Using VPC Flow Logs, Stealthwatch Cloud models all IP
traffic generated by an organization’s resources and functions, whether they are inside the VPC, between VPCs, or
to external IP addresses. Stealthwatch Cloud is also integrated with additional AWS services such as Cloud Trail,
Cloud Watch, Config, Inspector, Identity and Access Management (IAM), Lambda, and more.
In GCP environments, Stealthwatch Cloud supports a beta integration with GCP flow logs (themselves in beta at the
time of writing) and can be deployed without the use of software agents.
In Microsoft Azure environments, Stealthwatch Cloud relies on a software sensor that must be deployed to all of
the Linux servers where entity modeling is desired.
Cisco Stealthwatch Cloud Private Network Monitoring provides visibility and threat detection for the on-premises
network, delivered from a cloud-based SaaS solution. It is the perfect solution for organizations that want better
awareness and security in their on-premises environments while reducing capital expenditure and operational
overhead. It works by deploying a lightweight virtual appliance in a virtual machine or server that can consume a
variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and
sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only.
The packet payloads are never retained or transferred outside the network.
Figure 2. Stealthwatch Cloud monitoring Cloud and Private network environments
Solution deployment
Configuring Stealthwatch Cloud with AWS
Cisco Stealthwatch Cloud Public Cloud Monitoring can be deployed easily and quickly in AWS.
NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal,
since they can change, and those changes may not be reflected in this guide.
To enable Stealthwatch Cloud in AWS:
● A policy with the appropriate permissions needs to be created.
● A role needs to be created for Stealthwatch Cloud.
● Amazon VPC Flow Logs need to be enabled.
Create a policy
Step 1. Log in to your Stealthwatch Cloud instance, click the Settings icon, and select Integrations.
Step 2. Ensure that the AWS tab is selected in the left pane, and copy the sample Policy Document.
Step 3. Log in to your AWS console (https://console.aws.amazon.com) and click Services > IAM. Select Policies in
the left pane, and click Create Policy.
Step 4. Click the JSON tab and paste in the copied sample Policy Document, and click Review Policy.
Step 5. Enter a Policy Name, and click Create Policy.
Create a new role
Step 1. In the IAM view of your AWS console, click Roles > Create Role.
Step 2. Select “Another AWS Account.”
Step 3. On the AWS Integrations page in your Stealthwatch Cloud Dashboard, make a note of your account ID
and External ID. This will be shown below the previously copied sample policy.
Step 4. In the AWS console, paste in the Account ID, select the Require external ID check-box, and paste in the
External ID. Click Next > Permissions.
Step 5. Locate and select the previously created policy. Click Next > Review.
Step 6. Enter a role name, and click Create Role.
Step 7. Click on the newly created role and locate a copy of the Role ARN. It will look like:
“arn:aws:iam::<account_id>:role/<role_name>”
Step 8. On the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the Credentials tab.
Step 9. Paste the copied Role ARN into the text box, enter a name to identify the instance, and click the icon.
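The role created above carries a trust policy that lets the Stealthwatch Cloud account assume it only when the External ID presented at assume-role time matches the one you pasted in Step 4 (the "Require external ID" check-box). The following Python snippet is an added example and is not code from this guide or from the Stealthwatch Cloud product: it builds that trust policy from constructed placeholder values (the real account ID and External ID come from the AWS Integrations page) and audits a trust policy exported from the console for statements that grant sts:AssumeRole to another AWS account without an sts:ExternalId condition, which is the gap that allows a confused-deputy misuse of a cross-account role.

```python
"""Build and audit the cross-account trust policy behind the Stealthwatch Cloud role.

Added example; not part of the Cisco guide. Account ID and External ID are
constructed placeholders, not real values.
"""
import json

SWC_ACCOUNT_ID = "111111111111"        # placeholder: the portal's AWS account ID
SWC_EXTERNAL_ID = "example-external-id"  # placeholder: the portal's External ID


def build_trust_policy(trusted_account_id, external_id):
    """Return the trust (assume-role) policy the IAM console writes when you select
    "Another AWS Account" and tick "Require external ID"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows single strings or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy):
    """Return findings for Allow statements that let an AWS account principal assume
    the role without an sts:ExternalId condition, or that trust a wildcard principal.
    An empty list means every cross-account statement is pinned to an External ID."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement")) if not isinstance(
            policy.get("Statement"), dict) else [policy["Statement"]]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Only account principals are in scope; service principals have no External ID.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if not aws_principals:
            continue
        if "*" in aws_principals:
            findings.append(f"statement {idx}: wildcard principal may assume the role")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {idx}: {aws_principals} may assume the role "
                            "without an External ID condition")
    return findings


def trust_policy_json(trusted_account_id, external_id):
    """Serialise the policy the way it would be pasted into the console's JSON tab."""
    return json.dumps(build_trust_policy(trusted_account_id, external_id), indent=2)


if __name__ == "__main__":
    print(trust_policy_json(SWC_ACCOUNT_ID, SWC_EXTERNAL_ID))
    print("findings:", audit_trust_policy(build_trust_policy(SWC_ACCOUNT_ID, SWC_EXTERNAL_ID)))
```

Run `audit_trust_policy()` against the trust policy of the role you created (IAM > Roles > the role > Trust relationships) after any later edit; a non-empty result means someone removed the External ID condition or widened the principal.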
Enable VPC Flow Logs
Step 1. In your AWS dashboard, click Services > CloudWatch > Logs, and click Create Log Group.
Step 2. Enter a name for the group, and click Create Log Group.
Step 3. Click on the newly created group, and click Create Log Stream. Enter a name for the stream.
Step 4. On the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the VPC Flow Logs tab. Enter
the name of the CloudWatch Logs Group, and click Add.
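The records that land in that CloudWatch Logs group are what Stealthwatch Cloud models (see "Solution design" above): per-connection metadata such as addresses, ports, protocol, byte counts and the accept/reject decision, with no packet payload. The following Python snippet is an added example, not code from this guide or from Cisco: it parses records in the default VPC Flow Log format (the 14 space-separated fields of format version 2), skips NODATA/SKIPDATA records whose traffic fields are "-", and summarises rejected connections by destination port. The sample records are constructed for this example.

```python
"""Parse default-format VPC Flow Log records and summarise them.

Added example; not part of the Cisco guide. The sample records below are
constructed (RFC 5737 and private addresses, made-up ENI and account IDs).
"""
from collections import Counter

# Field names of the default (version 2) VPC Flow Log record, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.2.40 49152 443 6 12 6400 1527800000 1527800059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 53122 22 6 3 180 1527800000 1527800059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.15 53123 3389 6 3 180 1527800000 1527800059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.0.2 40001 53 17 2 150 1527800000 1527800059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1527800000 1527800059 - NODATA
"""


def parse_record(line):
    """Return a dict for one flow record, or None for NODATA/SKIPDATA records
    (no traffic in the window, or records dropped by the capture) and malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None
    for name in INT_FIELDS:
        record[name] = int(record[name])
    record["protocol_name"] = PROTO_NAMES.get(record["protocol"], str(record["protocol"]))
    return record


def parse_records(text):
    """Parse every OK record in a block of log text, ignoring blank lines."""
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]


def rejected_by_dst_port(records):
    """Count REJECT decisions per destination port: the first thing a reviewer looks at
    when checking what a security group is turning away."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


def accepted_bytes(records):
    """Total bytes on ACCEPTed flows in the set."""
    return sum(r["bytes"] for r in records if r["action"] == "ACCEPT")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(f"{len(recs)} flows with data; rejected by dst port: {dict(rejected_by_dst_port(recs))}")
    print(f"accepted bytes: {accepted_bytes(recs)}")
```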
Configuring Stealthwatch Cloud with GCP
Stealthwatch Cloud has added a beta integration with Google Cloud Platform VPC Flow Logs (themselves in beta at
the time of writing). Because this feature is currently in beta, the instructions to enable it will be maintained on
the GCP Integrations page in the Stealthwatch Cloud Dashboard, and will be updated as the integration matures.
NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can
change, and those changes may not be reflected in this guide.
To enable Stealthwatch Cloud integration with GCP, browse to the GCP Integrations page in the Stealthwatch
Cloud Dashboard, and follow the instructions:
Configuring Stealthwatch Cloud with Microsoft Azure
At the time of writing, Microsoft Azure does not have a native flow log equivalent on its platform. To provide visibility
inside Azure virtual networks, Stealthwatch Cloud relies on a software sensor that must be deployed to all of the Linux
servers where entity modeling is desired. This is the same sensor used by Stealthwatch Cloud Private
Network Monitoring. Refer to the section “Configuring Stealthwatch Cloud Private Network Monitoring” below
for the implementation of the software sensor on Linux servers.
NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can
change and those changes may not be reflected in this guide.
Configuring Stealthwatch Cloud Private Network Monitoring
Stealthwatch Cloud provides visibility and advanced threat detection for on-premises and cloud networks. For on-
premises networks, a Private Network Monitor (PNM) virtual appliance needs to be installed. This is available as an
ISO, which contains the Stealthwatch Cloud packages as part of an Ubuntu Linux image. The virtual appliance is
installed on the local premises.
Figure 3. Private Network Monitoring virtual sensor overview
The sensor is included in the Stealthwatch Cloud service. Users can download the sensor ISO directly from their
customer portal. The sensor image is based on Ubuntu Linux. Its source code is available at this URL:
https://github.com/obsrvbl/ona.
To set up a sensor, you need:
● A machine (physical or virtual):
◦ Network interfaces: At least two (one control, one or more data).
◦ RAM: At least 2 GB.
◦ CPU: At least two cores.
◦ Disk space: At least 32 GB.
● Internet access (needed during setup):
◦ See the firewall rules in Table 1, below.
● Installation media:
◦ The ISO file from the web portal.
◦ A USB drive or CD-R (for physical sensors).
Table 1. Firewall rules for installation

Service                            Domains/IPs                                                             Ports            Direction
Sensor data upload                 sensor.ext.obsrvbl.com (107.22.217.211, 107.22.210.176, 107.22.247.3)  443/tcp          Outbound
OS updates                         us.archive.ubuntu.com                                                   443/tcp, 80/tcp  Outbound
Hostname resolution                Your local DNS server                                                   53/udp           Outbound
Remote troubleshooting (optional)  54.83.42.41                                                             22/tcp           Inbound
Configure the firewall to allow these services, before installation of the sensor. The installation process will not be
able to complete properly without them. After installation, the sensor will initiate connections to the monitoring
service and send network data for processing.
For installation of the sensor onto a physical machine, you may use the ISO file from the web portal by writing the
image to a CD or DVD, or by using it to create a bootable USB drive. For deployment as a virtual machine, you can
boot from the ISO file directly.
Sensor deployment to a physical machine
To create a bootable USB drive on a Windows-based computer, follow these steps:
Step 1. Once you download the ISO, go to https://rufus.akeo.ie/
Step 2. Download the Rufus utility, and open it.
Step 3. Insert the target USB drive. Rufus will detect its presence.
Step 4. Click the CD-ROM icon, and then select the ISO file you downloaded.
Verify that you've selected the right ISO and USB drive; this is a potentially destructive operation.
Step 5. Click Start.
Step 6. When prompted, select “Write in DD Image mode” and click OK.
Sensor deployment to hypervisor
Follow your environment’s specific instructions and procedures for deploying an ISO-format virtual machine. Verify
that you have allocated the required resources to the sensor virtual machine, prior to setup.
Stealthwatch Cloud PNM sensor setup
Once the physical or virtual machine running the Stealthwatch Cloud Sensor has booted up, you will begin the
sensor setup process.
Step 1. Choose the language to be used during setup.
Step 2. Select the first option from the presented menu.
Step 3. Select the language to be used for the installation process.
Step 4. Select a country. The default is United States.
Step 5. The installer will offer to detect your keyboard layout. If you wish to select your keyboard layout manually,
select No.
Step 6. If you choose to manually select, at the next screen(s) choose your keyboard layout. The default is
English (US).
Step 7. Once the keyboard layout is selected, the setup process will scan for hardware.
Step 8. If the installer detects multiple network interfaces, then it will prompt you to choose a “primary” one.
Step 9. Select the interface that you will use for controlling the Stealthwatch Cloud Sensor, rather than the one for
mirroring traffic.
Step 10. The other NICs will automatically be configured to accept the mirrored traffic.
Step 11. By default, the installer will try to use DHCP to configure the interface you selected as the primary control
NIC.
Step 12. If DHCP is not set up on your network, you will be prompted to configure the network manually.
Step 13. If DHCP is set up on your network, but you don't want to use it, press the Enter key to cancel while
DHCP settings are being detected.
Step 14. If you miss the chance to cancel, select Go Back (using the Tab key) at the next screen. Then select
“Configure the Network” to try again.
Step 15. When configuring the network without DHCP, you need to enter an address, subnet mask, and gateway,
a DNS server, and a local domain suffix.
Step 16. Now you will need to create a user account for local management of the system.
Step 17. Enter the full name of the account. This name can have spaces and capital letters (for example, SWC
Admin).
Step 18. Next, enter the username for the account. This name cannot have spaces or capital letters. (for example,
swcadmin).
Step 19. After the username is entered, you will be prompted to select a password for the local management
account.
Step 20. Enter the password in the first prompt, and then again in the second to verify it.
Step 21. Once the password is entered, you will be prompted to encrypt the home directory for the local
management user's account. Select Yes.
Step 22. The installer will then attempt to automatically detect your time zone. If successful, accept the detected
location and continue.
Step 23. If you are prompted to configure the clock, select the correct time zone from the list.
Step 24. The installer will detect your disks and offer to automatically partition the disk for the operating system.
Step 25. Select Guided – use the entire disk.
Step 26. When prompted, confirm the selected partitioning setup.
Step 27. Select Yes and press Enter to confirm that the installer can erase the disk and install the operating
system.
Step 28. Once partitioning has completed, the system installation process will begin.
Step 29. You will be prompted for HTTP proxy information. Unless the network requires an HTTP proxy, press
Enter to continue.
Step 30. The installer will download the latest updates for the sensor and the operating system.
Step 31. You will be prompted to select whether to install the updates automatically. The recommended setting is
“Install security updates automatically.”
Step 32. If your organization's policy does not allow for automatic updates, select “No automatic updates.”
Step 33. The installation process will continue to set up the sensor appliance.
Step 34. You will be prompted to install the GRUB boot loader onto the target drive.
Step 35. Move the cursor to Yes, and press Enter.
Step 36. After the installer finishes copying the files, the installation process will finish.
Step 37. Eject the boot CD from the drive.
Step 38. After the boot CD has been removed, reboot the system.
Step 39. After the system reboots, you may log in with the same user account created during the installation.
Step 40. You may log out (with the exit command) and leave the system unattended after verifying that it is
working; it will run automatically after installation.
Step 41. See the following section for guidance on connecting the sensor to the network.
Connecting the Stealthwatch Cloud PNM sensor to the network
The network sensor monitors the traffic on your network and transmits it to the Stealthwatch Cloud service for
analysis. This section will cover where to place the sensor and how to configure your switch or router to send traffic
to the sensor.
A sensor needs to have at least two network interfaces: one control interface and at least one mirror interface. The
control interface connects to the Internet. See the sensor setup guide to know how to configure the control
interface. The mirror interface connects to a special port on a switch (or router) that replicates the data from other
ports.
You may wish to place multiple sensors in your network to get a view of all traffic.
The following figure shows the possible deployment locations.
Figure 4. Sensor deployment diagram
Multiple-sensor deployments are usually needed only for larger networks. Use the “Contact Us” form on the web
portal if you need help determining where to place your sensors.
Mirror interface setup
When setting up a mirror interface, keep in mind that it will be sending copies of all of the source traffic
(both inbound and outbound) to the destination:
● Take note of how much traffic is expected at peak, and ensure that it is less than the capacity of the
sensor's mirror interface link (for example: 1 Gbps or 10 Gbps).
● Many switches will drop packets from the source interfaces, if a mirror port destination is configured with too
much traffic, which will cause problems on the LAN.
● You may use multiple mirror interfaces on a sensor; the sensor is not limited to a single control interface
and a single mirror interface.
Most managed switches can be configured to replicate traffic. Different switch vendors call this capability by
different names:
● Cisco: Switched Port Analyzer (SPAN)
● Juniper, Netgear, ZyXEL: port mirror
● Others: monitor port, analyzer port, tap port
You may also use a passive tap device to replicate traffic. Common tap vendors include NetOptics and Gigamon.
Switch configuration
The user guide for your particular switch model should have the correct configuration steps for setting up a mirror
port.
For Cisco switches with IOS software, a typical configuration looks like the following:
monitor session 1 source interface Vlan10
monitor session 1 destination interface Gig1/0/3
For information on configuration documentation for Cisco and other switch vendors, please refer to the “Additional
Resources” section.
Virtual environment monitoring
If your sensor is running as a virtual machine, you need to make sure that both the virtual host and virtual network
are configured properly.
For VMware:
● Promiscuous mode setup: https://kb.vmware.com/s/article/1004099
● Information on promiscuous mode: https://kb.vmware.com/s/article/1002934
You may need to set the VLAN ID to 4095.
For VirtualBox:
● In the Settings for your host, go to the Network tab, and select the Adapter to be used for the Mirror
interface.
● In the Advanced Options section, set Promiscuous mode to Allow.
Configuring a sensor to collect flow data
By default, a sensor creates flow records from the traffic on its Ethernet interfaces. This default configuration
assumes that the sensor is attached to a SPAN or mirror Ethernet port. If other devices on your network can
generate flow records, you can configure the sensor’s config.local configuration file to collect flow records from
these sources, and send them to Stealthwatch Cloud for analysis.
If the network devices generate different types of flows, it is recommended to configure the sensor to collect each
type over a different UDP port. This also makes troubleshooting easier. You can configure collection of the
following flow types:
● NetFlow v5
● NetFlow v9
● IPFIX
● SFLOW
Certain network appliances require an entry in the config.local configuration file before they work properly.
See Appendix F for templates.
● Cisco Meraki
● Cisco Advanced Security Appliance (ASA) software
● SonicWALL
Customizing config.local on the Stealthwatch Cloud Sensor for flow collection
SSH log into the sensor as an administrator.
Step 1. At the command prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter to edit the
config.local configuration file.
Step 2. Add the following line to enable flow collection. This enables the sensor to look for the defined flow inputs.
OBSRVBL_IPFIX_CAPTURER="true"
Step 3. For each type of flow collection you want to enable, copy the _Type and _Port lines from Appendix F for
that flow collection type, then delete the “#” at the beginning of each line.
For example: To enable generic NetFlow v5 on port 9995, and ASA flow collection on port 9996, enter the
following:
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="9995"
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9996"
OBSRVBL_IPFIX_PROBE_1_SOURCE="asa"
Step 4. Press Ctrl + O to save your changes.
Step 5. Press Ctrl + x to exit.
Step 6. At the command prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud
service. This also restarts the other configured services.
Step 7. Enter cd /opt/obsrvbl-ona/logs/ipfix to change to the ../ipfix directory. If you properly enabled the flow
collection, this directory should exist.
Step 8. Enter ls -l to view the log files; the files should be incrementing. Check the iptables rule configuration if
the log files are not incrementing.
Step 9. Enter netstat -na | grep udp and press Enter to view the UDP ports that the sensor is listening on.
Viewing a port in this list does not mean that the iptables rules are configured correctly. This list only shows what
ports the sensor is listening on. See Appendix D for information on configuring iptables.
Attaching sensors to the Stealthwatch Cloud portal
Once a sensor is installed, it will need to be linked with an account. This is done by identifying its public IP address
and entering it into the web portal. If this method does not work, a sensor can manually be added to a portal using
the service key.
If multiple sensors are staged in a central location, such as an MSSP, and they are intended for different portals,
add each portal’s service key to its sensor. In this case, if the public IP address of the staging environment were
used for multiple sensors, a sensor could be attached to the wrong portal.
Adding a sensor’s public IP Address to a portal
SSH into the sensor and log in as an administrator.
Step 1. At the command prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter. The error value of
unknown identity means that the sensor is not associated with a portal.
Step 2. Copy the identity IP address.
Step 3. Log out of the sensor.
Step 4. Log into the web portal as an administrator.
Step 5. Select Settings > Sensors > Public IP.
Step 6. Enter the identity IP address in the Public IP field.
Step 7. Click Add IP. After the portal and sensor exchange keys, they establish future connections using the keys,
and not the public IP address.
Step 8. It can take up to 10 minutes before a new sensor is reflected in the portal.
NOTE: You can also edit a Sensor’s config.local configuration file to manually add a portal’s service key and
associate the sensor with the portal. See Appendix C for instructions.
Confirming a sensor’s portal connection
After a sensor is added to the portal, confirm the connection.
NOTE: If the sensor’s config.local configuration file was updated using the portal’s service key, confirming the
connection using the curl command from the sensor may not return the portal name.
SSH log into the sensor as an administrator.
Step 1. At the command prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter.
Step 2. The sensor returns the portal name.
Step 3. Log out of the sensor.
Step 4. Log into the portal.
Step 5. Select Settings > Sensor. The sensor appears in the list.
Appendix A: Sensor connectivity issues
The installer needs to connect to the Internet to retrieve up-to-date packages. If you experience connectivity
issues during the PNM installation process (for example, the installer cannot reach the Internet), you may see the
following screen:
Double-check that the primary network interface has Internet access (including DNS), then restart the
installation once this is in place.
Appendix B: Install PNM on nonpackaged Linux operating systems
In addition to the ISO provided, this virtual appliance can be deployed on the following operating systems:
● Ubuntu Linux version 14.04 (32- and 64-bit)
● Ubuntu Linux versions 16.04 and later (32- and 64-bit)
● Red Hat Enterprise Linux (RHEL) version 6 and compatible, including CentOS version 6* and Amazon Linux
for EC2 (32- and 64-bit)
● Red Hat Enterprise Linux (RHEL) version 7 and compatible, including CentOS version 7 (64-bit)
● Raspberry Pi 2 Model B with Raspbian (32-bit armhf)
● Docker, tested with CoreOS (64-bit)
Installation on RHEL 7
Log into the RHEL 7 system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_7_x86_64.rpm
and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter sudo yum install -y net-tools tcpdump and press Enter to install dependencies.
Step 3. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo
Step 4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm
Step 5. Enter sudo rpm -i netsa-pkg.rpm
Step 6. Enter sudo rpm -i ona-service_RHEL_7_x86_64.rpm and press Enter to install the Stealthwatch Cloud
service.
Installation on RHEL 6
NOTE: RHEL 6 does not include Python 2.7. Additional repositories must be added to install Python.
Log into the RHEL 6 system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_6_x86_64.rpm
and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter curl -L -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm and press Enter to
download the EPEL repository package.
Step 3. There are two options:
a. Enter curl -L -O https://rhel6.iuscommunity.org/ius-release.rpm and press Enter to download the IUS
repository package for RHEL.
b. Enter curl -L -O https://centos6.iuscommunity.org/ius-release.rpm and press Enter to download the
IUS repository package for CentOS.
Step 4. There are two options:
a. To install the IUS repository package for RHEL, enter sudo rpm -i epel-release-latest-6.noarch.rpm
b. To install the IUS repository package for CentOS, enter sudo rpm -i ius-release.rpm
Step 5. To install Python 2.7, enter: sudo yum install python27 tcpdump and press Enter.
Step 6. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo
Step 7. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm
Step 8. Enter sudo rpm -i netsa-pkg.rpm
Step 9. Enter sudo rpm -i ona-service_RHEL_6_x86_64.rpm and press Enter to install the Stealthwatch Cloud
service.
Installation on Ubuntu with NetFlow collection
Log into the Ubuntu system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb
and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.
Step 3. Enter sudo apt-get update && sudo apt-get install -y libglib2.0-0 liblzo2-2 libltdl7
Step 4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.deb
Step 5. Enter sudo dpkg -i netsa-pkg.deb
Step 6. Enter sudo apt-get -f install to verify that the dependencies installed properly.
Step 7. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the Stealthwatch
Cloud service.
Step 8. Reload the machine by entering sudo reboot
Step 9. Confirm that the services are running. See Appendix E for Stealthwatch Cloud services.
Installation on Ubuntu without NetFlow collection
Log into the Ubuntu system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb
and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.
Step 3. Enter sudo apt-get -f install to verify that the dependencies installed properly.
Step 4. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the Stealthwatch
Cloud service.
Appendix C: Adding a portal’s service key to a sensor
Edit a sensor’s config.local configuration file to manually add a portal’s service key to associate the sensor with the
portal.
Before you begin, log into the portal as an administrator.
Step 1. Select Settings > Sensors.
Step 2. Navigate to the end of the sensor list, and copy the service key. See the following screenshot for an
example.
Step 3. SSH login to the sensor as an administrator.
Step 4. At the command prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter to edit the
configuration file.
Step 5. Beneath the line # Service Key, add the following line, replacing <service-key> with the portal’s service
key:
OBSRVBL_SERVICE_KEY="<service-key>"
See the following for an example.
Step 6. Press Ctrl + O to save the changes.
Step 7. Press Ctrl + x to exit.
Step 8. At the command prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud
service.
Appendix D: Configuring the PNM firewall (iptables)
Editing iptables
The Stealthwatch Cloud ISO image uses a built-in Ubuntu firewall service called iptables. During the install
process, ports 22/TCP (SSH), 9995/UDP, and ICMP are open. You can open other ports by configuring the
iptables rules. For example, if you also want to collect IPFIX, you can configure the iptables rules to open port
9996/UDP.
Before you begin, SSH log into the sensor as an administrator.
Step 1. At the command prompt, enter sudo nano /etc/iptables/rules.v4 and press Enter to modify the iptables
rules.
Step 2. For each port you want to enable, add the following line, updating the --dport value with the desired port.
-A INPUT -p udp --dport 9996 -m state --state NEW,ESTABLISHED -j ACCEPT
The screenshot below shows the open ports: 9995/UDP, 9996/UDP, and 9997/UDP.
Step 3. Press Ctrl + O to save your changes.
Step 4. Press Ctrl + x to exit.
Step 5. Reboot the machine to have the new rules go into effect.
Checking firewall configuration
After you make changes and restart the Stealthwatch Cloud service, you can verify that the rules are working.
SSH log into the sensor as an administrator.
Step 1. At the command prompt, enter sudo iptables -L -v and press Enter to list the iptables rules with their packet
counters.
Step 2. See the following screenshot for an example of traffic over port 9997/UDP and SSH traffic.
Appendix E: Stealthwatch Cloud sensor services
Service | Enabled by default? | Description
obsrvbl-ona | yes | Monitors for configuration changes and handles automatic updates. Starting this service also starts the other configured services.
log-watcher | yes | Tracks the sensor's authentication logs.
pdns-capturer | yes | Collects passive DNS queries.
pna-monitor | yes | Collects IP traffic metadata.
pna-pusher | yes | Sends IP traffic metadata to the cloud.
hostname-resolver | yes | Resolves active IP addresses to local hostnames.
netflow-monitor | no | Listens for NetFlow data sent by routers and switches.
netflow-pusher | no | Sends NetFlow data to the cloud.
notification-publisher | no | Relays observations and alerts over syslog or SNMP.
ossec-alert-watcher | no | Monitors OSSEC alerts, if installed.
suricata-alert-watcher | no | Monitors Suricata alerts, if installed.
Verifying running services
You can verify that the various Stealthwatch Cloud services are running from the sensor command line. Before you
begin, SSH into the sensor and log in as an administrator.
At the command prompt, enter ps -ef | grep obsrvbl and press Enter.
Appendix F: NetFlow integration templates
You can add the following lines to the config.local configuration file to enable collection of that flow type or from
that network appliance type. Note that new sources added to the PNM will need to have their ports opened in the
sensor firewall. See Appendix D for details.
# NetFlow v5 exporter
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="2055"
# Standard NetFlow v9 exporter
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9995"
# IPFIX exporter
OBSRVBL_IPFIX_PROBE_2_TYPE="ipfix"
OBSRVBL_IPFIX_PROBE_2_PORT="9996"
# Cisco ASA exporter
OBSRVBL_IPFIX_PROBE_3_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_3_PORT="9997"
OBSRVBL_IPFIX_PROBE_3_SOURCE="asa"
# Meraki exporter
OBSRVBL_IPFIX_PROBE_4_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_4_PORT="9998"
OBSRVBL_IPFIX_PROBE_4_SOURCE="meraki"
# SonicWALL exporter
OBSRVBL_IPFIX_PROBE_5_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_5_PORT="9999"
OBSRVBL_IPFIX_PROBE_5_SOURCE="sonicwall"
# sFlow exporter
OBSRVBL_IPFIX_PROBE_6_TYPE="sflow"
OBSRVBL_IPFIX_PROBE_6_PORT="6343"
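The flow-collection steps in "Configuring a sensor to collect flow data", the firewall rules in Appendix D and the templates above all depend on one thing lining up: every enabled OBSRVBL_IPFIX_PROBE_<n>_PORT must have a matching UDP ACCEPT rule in /etc/iptables/rules.v4, a mismatch that Step 9 notes netstat cannot reveal. The following script is an added example, not Cisco's tooling; it reads a config.local and a rules.v4 in the formats shown in this guide and reports probe ports that the firewall does not accept. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not part of the Cisco guide): cross-check sensor flow probes
# in config.local against the sensor firewall rules in rules.v4.

# Print the UDP port of every active probe, one per line, sorted.
# Returns 1 and prints nothing when OBSRVBL_IPFIX_CAPTURER is not "true",
# because the sensor then ignores the probe lines entirely.
probe_ports() {
    conf="$1"
    grep -Eq '^[[:space:]]*OBSRVBL_IPFIX_CAPTURER="?true"?' "$conf" || return 1
    # Lines still commented out with '#' (unused Appendix F templates) are skipped.
    grep -E '^[[:space:]]*OBSRVBL_IPFIX_PROBE_[0-9]+_PORT=' "$conf" \
        | cut -d= -f2 | tr -d '"' | sort -un
}

# Print every UDP destination port accepted on the INPUT chain, one per line.
accepted_udp_ports() {
    rules="$1"
    grep -E '^-A INPUT .*-p udp .*--dport [0-9]+ .*-j ACCEPT' "$rules" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' | sort -un
}

# Print active probe ports that have no ACCEPT rule. Exit status 0 when every
# probe port is open, 1 when the capturer is disabled or a port is missing.
missing_probe_ports() {
    conf="$1"; rules="$2"
    probes=$(probe_ports "$conf") \
        || { echo "OBSRVBL_IPFIX_CAPTURER is not true: no probes are active" >&2; return 1; }
    missing=""
    for p in $probes; do
        accepted_udp_ports "$rules" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# Constructed sample files in the layout of this guide (hypothetical values).
write_sample_files() {
    dir="$1"
    cat > "$dir/config.local" <<'EOF'
OBSRVBL_IPFIX_CAPTURER="true"
# NetFlow v5 exporter
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="9995"
# Cisco ASA exporter
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9996"
OBSRVBL_IPFIX_PROBE_1_SOURCE="asa"
# sFlow template left commented out, so it is not active
# OBSRVBL_IPFIX_PROBE_2_TYPE="sflow"
# OBSRVBL_IPFIX_PROBE_2_PORT="6343"
EOF
    cat > "$dir/rules.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 9995 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Demo: the ASA probe on 9996 is configured but the firewall only opens 9995.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
missing_probe_ports "$demo_dir/config.local" "$demo_dir/rules.v4" \
    && echo "all probe ports are open" \
    || echo "the ports above need an ACCEPT rule in /etc/iptables/rules.v4"
rm -rf "$demo_dir"
```

On a real sensor, run it against /opt/obsrvbl-ona/config.local and /etc/iptables/rules.v4 after editing either file, and reboot for changed rules to take effect as Appendix D describes.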
Additional resources
If you have further questions, refer to the following additional resources:
● Cisco Stealthwatch Cloud:
https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html
Switch configuration documentation
● Cisco documentation:
https://www.cisco.com/c/en/us/tech/lan-switching/port-monitoring/tech-configuration-examples-list.html
● Juniper documentation (you may need to search for your particular switch model):
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
● Netgear support page (the Software Administration Manual for your particular model should include
a section on port mirroring):
https://kb.netgear.com/21850/What-is-port-mirroring-and-how-does-it-work-with-my-managed-switch
● For more examples, see the Wireshark Switch Reference page:
https://wiki.wireshark.org/SwitchReference
For a complete list of all of our design and deployment guides for the Cisco Multicloud Portfolio, including Cloud
Protect, visit https://www.cisco.com/go/clouddesignguides.
About Cisco design and deployment guides
Cisco design and deployment guides consist of systems and/or solutions designed, tested, and documented to
facilitate faster, more reliable, and more predictable customer deployments. For more information visit:
https://www.cisco.com/go/designzone.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS
(COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND
ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING
FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS
SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES,
INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE
USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER
PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS, OR PARTNERS. USERS SHOULD CONSULT THEIR
OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING
ON FACTORS NOT TESTED BY CISCO.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx,
the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live,
Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting
To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo,
Cisco Unified Computing System (Cisco UCS), Cisco UCS B-Series Blade Servers, Cisco UCS C-Series Rack
Servers, Cisco UCS S-Series Storage Servers, Cisco UCS Manager, Cisco UCS Management Software, Cisco
Unified Fabric, Cisco Application Centric Infrastructure, Cisco Nexus 9000 Series, Cisco Nexus 7000 Series. Cisco
Prime Data Center Network Manager, Cisco NX-OS Software, Cisco MDS Series, Cisco Unity, Collaboration
Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive,
HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, LightStream, Linksys, MediaTone, MeetingPlace,
MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX,
PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way
to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
© 2018 Cisco Systems, Inc. All rights reserved.
Printed in USA C07-740823-00 06/18