
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 37

Cisco Multicloud Portfolio: Cloud Protect

Design and Deployment Guide for

Cisco Stealthwatch Cloud Public and Private

Network Monitoring

June 2018

Guide


Contents

Executive summary, page 3
  Cisco Multicloud Portfolio: Overview, page 3
  Cloud Protect overview, page 4
  Cloud Protect use cases, page 4
  Cloud Protect benefits, page 5
Technology overview, page 5
Solution design, page 6
Solution deployment, page 7
  Configuring Stealthwatch Cloud with AWS, page 7
    Create a policy, page 7
    Create a new role, page 9
    Enable VPC Flow Logs, page 10
  Configuring Stealthwatch Cloud with GCP, page 11
  Configuring Stealthwatch Cloud with Microsoft Azure, page 12
  Configuring Stealthwatch Cloud Private Network Monitoring, page 12
    Sensor deployment to a physical machine, page 13
    Sensor deployment to hypervisor, page 14
  Stealthwatch Cloud PNM sensor setup, page 14
    Connecting the Stealthwatch Cloud PNM sensor to the network, page 23
    Configuring a sensor to collect flow data, page 25
  Attaching sensors to the Stealthwatch Cloud portal, page 27
    Adding a sensor’s public IP Address to a portal, page 28
  Confirming a sensor’s portal connection, page 28
Appendix A: Sensor connectivity issues, page 30
Appendix B: Install PNM on nonpackaged Linux operating systems, page 30
Appendix C: Adding a portal’s service key to a sensor, page 32
Appendix D: Configuring the PNM firewall (iptables), page 33
Appendix E: Stealthwatch Cloud sensor services, page 34
Appendix F: NetFlow integration templates, page 35
Additional resources, page 36


Executive summary

Cisco Stealthwatch® Cloud is a public cloud and private network monitoring solution, a cloud-delivered application in the Cisco® Multicloud Portfolio that provides visibility and effectively identifies active threats and monitors user and device behavior across public and on-premises networks. This guide focuses on how to deploy that application.

Stealthwatch Cloud provides high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT infrastructure from the public cloud to headquarters to the branch network. It uses the collection of Virtual Private Cloud (VPC) Flow Logs and other APIs inside Amazon Web Services (AWS) and Google Cloud Platform (GCP) for visibility into cloud environments and on-premises sensors for visibility into campus and branch networks.

The audience for this document includes network-design engineers, network-operations personnel, and security-operations personnel who wish to implement efficient threat identification through entity modeling inside and across the public cloud(s) and on-premises network(s).

Cisco Multicloud Portfolio: Overview

In a multicloud world, growing complexity is driving a cloud gap between what your customers require and what your people, processes, and tools can support. With the Cisco Multicloud Portfolio, we make it simple: simple to connect, simple to protect, and simple to consume.

The Cisco Multicloud Portfolio is a set of essential products, software, and services supported with simplified ordering and design deployment guides to help you when it comes to multicloud adoption. The Cisco Multicloud Portfolio consists of four component portfolios (Figure 1):

● Cloud Advisory: Helps you design, plan, accelerate, and reduce risk during your multicloud migration.
● Cloud Connect: Securely extends your private networks into public clouds and helps ensure the appropriate application experience.
● Cloud Protect: Protects your multicloud identities, direct-to-cloud connectivity, data, and applications, including Software as a Service (SaaS), and detects infrastructure and application threats on-premises and in public clouds.
● Cloud Consume: Helps you deploy, monitor, and optimize applications in multicloud and container environments.


Figure 1. Cisco Multicloud Portfolio: Cloud Advisory, Cloud Connect, Cloud Protect, and Cloud Consume

Cloud Protect overview

Cloud Protect consists of essential products to protect your multicloud identities, direct-to-cloud connectivity, data, and applications, including SaaS, and detects infrastructure and application threats on-premises and in public clouds:

● Cisco Umbrella™
● AMP for Endpoints
● Cisco Meraki™ Systems Manager
● CloudLock®
● Tetration Cloud
● Stealthwatch Cloud

For detailed use cases, see the section about Cloud Protect on the portfolio’s solution page at https://www.cisco.com/go/multicloud.

Cloud Protect use cases

Cloud Protect delivers value in the following use cases:

● Secure users connecting to the Internet (cloud), including users from data centers/main offices, branches (no Multiprotocol Label Switching [MPLS]), users who are roaming (off VPN), and “direct-to-cloud” users. Includes protection for ransomware, command-and-control callbacks, phishing attacks, and inappropriate web use.
● Secure users’ devices connecting to the Internet, both on and off the network. Security measures include blocking malicious files at initial entry by inspection and using a sandbox to further inspect unknown files for advanced protection.
● Enable endpoint protection by ensuring the right security services are installed and configured, by permitting only sanctioned apps to access the cloud, and by constantly evaluating and dynamically taking corrective action based on changes to endpoint posture.


● Secure cloud applications and data, including detecting data leakages through sanctioned SaaS applications and protecting sensitive data and users from malicious or compromised applications.
● Gain the visibility and continuous threat detection needed to secure your public cloud, private network, and hybrid environments.
● Discover, map, baseline, and protect applications for workloads on the cloud, hybrid, and on-premises. Planning application migrations, identifying deviations in application behavior, and applying security policies for enforcing fine-grain application microsegmentation are included.
● Efficiently identify threat activity and monitor user and device behavior across public cloud and on-premises network. Use high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT infrastructure, from the public cloud to headquarters to the branch network.

Cloud Protect benefits

Cloud Protect benefits include:

● Secure cloud identities, data, and apps/SaaS
● Provide secure cloud access for users on and off the network
● Enable easy pluggable protection of mobile devices accessing apps (for example, Apple iOS devices)
● Protect workloads on public cloud Infrastructure-as-a-Service (IaaS) providers with security policy enforcement
● Enable compliance in the cloud
● Lower risk by providing increased visibility and control
● Provide ~5% to 10% lower cost through simplified deployment
● Reduce remediation time for >30% of organizations by >90%
● Reduce malware infections for ~40% of organizations by >90%
● Protect on-premises and cloud environments with a single vendor
● Provide increased visibility tied into automated threat defense
● Dynamically react to changes in endpoint posture by controlling apps, users and services that access cloud data via laptops, mobile devices

Technology overview

In a multicloud world, IT managers are quickly realizing the benefits of cloud computing services such as infrastructure as a service. IaaS providers such as AWS allow organizations to more rapidly and cost-effectively prototype new applications. Instead of procuring, installing, and managing hardware – which could take months to accomplish – you can easily use the on-demand and scalable compute services within AWS. This allows you to focus your resources on applications rather than on managing the data center and physical infrastructure. With the use of IaaS, expenses shift from fixed costs for hardware, software, and data center infrastructure to variable costs based on the usage of compute resources and the amount of data transferred between the private data center and the IaaS provider. Therefore, you must also be able to monitor the usage of such resources for cost tracking and/or internal billing purposes.


Stealthwatch Cloud improves security and incident response across the distributed network - from the private network and branch office to the public cloud. This solution addresses the need for digital businesses to quickly identify threats posed by their network devices and cloud resources, and to do so with minimal management, oversight, and security manpower.

The network is evolving. IT resources are frequently being moved into the cloud. At the same time, the number of connected devices on the private network is increasing dramatically. Security personnel are struggling just to know what entities are operating in their environment, let alone whether they pose a threat to the organization.

Stealthwatch Cloud addresses this problem by providing comprehensive visibility and high-precision alerts with low noise, without the use of software agents. Organizations can accurately detect threats in real time, regardless of whether an attack is taking place on the network, in the cloud, or across both environments. Stealthwatch Cloud is a cloud-based, Software-as-a-Service (SaaS)-delivered solution. It detects ransomware and other malware, data exfiltration, network vulnerabilities, and role changes that indicate compromise.

Solution design

Stealthwatch Cloud consists of two primary offerings: Public Cloud Monitoring and Private Network Monitoring.

Public Cloud Monitoring can be used in combination with Private Network Monitoring or Cisco Stealthwatch Enterprise to provide visibility and threat detection across the entire network, such as AWS, GCP, and Microsoft Azure infrastructures. It is a cloud-delivered, SaaS-based solution that can be deployed easily and quickly.

In AWS environments, Stealthwatch Cloud can be deployed without software agents, instead relying on native AWS sources of telemetry, such as its VPC Flow Logs. Using VPC Flow Logs, Stealthwatch Cloud models all IP traffic generated by an organization’s resources and functions, whether they are inside the VPC, between VPCs, or to external IP addresses. Stealthwatch Cloud is also integrated with additional AWS services such as Cloud Trail, Cloud Watch, Config, Inspector, Identity and Access Management (IAM), Lambda, and more.

In GCP environments, Stealthwatch Cloud supports an in-beta integration with the in-beta GCP flow logs and can be deployed without the use of software agents.

In Microsoft Azure environments, Stealthwatch Cloud relies on a software sensor that must be deployed to all of the Linux servers where entity modeling is desired.

Cisco Stealthwatch Cloud Private Network Monitoring provides visibility and threat detection for the on-premises network, delivered from a cloud-based SaaS solution. It is the perfect solution for organizations that want better awareness and security in their on-premises environments while reducing capital expenditure and operational overhead. It works by deploying a lightweight virtual appliance in a virtual machine or server that can consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.


Figure 2. Stealthwatch Cloud monitoring Cloud and Private network environments

Solution deployment

Configuring Stealthwatch Cloud with AWS

Cisco Stealthwatch Cloud Public Cloud Monitoring can be deployed easily and quickly in AWS.

NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can change, and those changes may not be reflected in this guide.

To enable Stealthwatch Cloud in AWS:

● A policy with the appropriate permissions needs to be created.
● A role needs to be created for Stealthwatch Cloud.
● Amazon VPC Flow Logs need to be enabled.

Create a policy

Step 1. Log in to your Stealthwatch Cloud instance, click the Settings icon, and select Integrations.


Step 2. Ensure that the AWS tab is selected in the left pane, and copy the sample Policy Document.

Step 3. Log in to your AWS console (https://console.aws.amazon.com) and click Services > IAM. Select Policies in the left pane, and click Create Policy.

Step 4. Click the JSON tab, paste in the copied sample Policy Document, and click Review Policy.


Step 5. Enter a Policy Name, and click Create Policy.

Create a new role

Step 1. In the IAM view of your AWS console, click Roles > Create Role.

Step 2. Select “Another AWS Account.”

Step 3. On the AWS Integrations page in your Stealthwatch Cloud Dashboard, make a note of your account ID and External ID. This will be shown below the previously copied sample policy.

Step 4. In the AWS console, paste in the Account ID, select the Require external ID check-box, and paste in the External ID. Click Next > Permissions.

Step 5. Locate and select the previously created policy. Click Next > Review.


Step 6. Enter a role name, and click Create Role.

Step 7. Click on the newly created role and locate a copy of the Role ARN. It will look like: “arn:aws:iam::<account_id>:role/<role_name>”

Step 8. On the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the Credentials tab.

Step 9. Paste the copied Role ARN into the text box, enter a name to identify the instance, and click the icon.
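The role created in Steps 1 through 7 is trusted by another AWS account, so the External ID from the portal is the control that keeps a third party who learns the role ARN from having the service assume the role on their behalf. The following Python is an added example, not Cisco's or AWS's code: it builds the trust policy that the console generates for “Another AWS Account” with “Require external ID” and checks an existing trust policy for a missing sts:ExternalId condition, a wildcard principal, or an unexpected account. The account ID and External ID in it are constructed placeholders, and parse_role_arn only validates the ARN shape shown in Step 7.

```python
"""Build and check the cross-account trust policy behind the 'Create a new role' steps.

Added example, not Cisco's or AWS's code. It assumes the Account ID and External ID
are the values shown on the Stealthwatch Cloud AWS Integrations page; the values
below are constructed placeholders.
"""
import re

# Constructed placeholders; replace with the values shown in the portal.
SWC_ACCOUNT_ID = "111122223333"
SWC_EXTERNAL_ID = "example-external-id-0000"

# Role ARN shape shown in Step 7: arn:aws:iam::<account_id>:role/<role_name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS Account' and 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list:
    """Return findings for Allow statements that grant AssumeRole more broadly than intended.

    The external ID is what stops a third party who knows the role ARN from having
    the monitoring service assume the role on their behalf (the confused-deputy case).
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    expected_root = f"arn:aws:iam::{account_id}:root"
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            p = principal.get("AWS", [])
            aws_principals = [p] if isinstance(p, str) else list(p)
        else:
            aws_principals = []
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: principal is a wildcard")
            elif p not in (expected_root, account_id):
                findings.append(f"statement {i}: unexpected principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        ext = condition.get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the portal value")
    return findings


def parse_role_arn(arn: str):
    """Return (account_id, role_name) for a role ARN of the shape in Step 7, else None."""
    m = ROLE_ARN_RE.match(arn.strip())
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    import json
    policy = build_trust_policy(SWC_ACCOUNT_ID, SWC_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, SWC_ACCOUNT_ID, SWC_EXTERNAL_ID))
```

To audit a role that already exists, paste the JSON from the role's Trust relationships tab into check_trust_policy with the account ID and External ID from the portal; an empty findings list means the role is scoped the way Steps 2 through 4 intend.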

Enable VPC Flow Logs

Step 1. In your AWS dashboard, click Services > CloudWatch > Logs, and click Create Log Group.

Step 2. Enter a name for the group, and click Create Log Group.


Step 3. Click on the newly created group, and click Create Log Stream. Enter a name for the stream.

Step 4. On the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the VPC Flow Logs tab. Enter the name of the CloudWatch Logs Group, and click Add.
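Stealthwatch Cloud consumes the VPC Flow Log records written to the CloudWatch log group created above. To show what that telemetry contains, the following Python is an added example (not Cisco's or AWS's code) that parses records in the default version 2 field layout, skips NODATA rows, and summarizes bytes per talker pair, rejected flows, and destinations outside the RFC 1918 ranges; the sample records, account ID, interface ID and addresses are constructed.

```python
"""Parse VPC Flow Log records in the default format and summarize the traffic they describe.

Added example, not Cisco's or AWS's code. It reads the default 14-field
version 2 VPC Flow Log record layout; the sample records are constructed and
"internal" is defined here as the RFC 1918 ranges.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_record(line: str) -> dict:
    """Split one default-format record into a dict; '-' becomes None (NODATA/SKIPDATA rows)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[3:]:
        if rec[key] == "-":
            rec[key] = None
        elif key in NUMERIC:
            rec[key] = int(rec[key])
    return rec


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(lines) -> dict:
    """Aggregate bytes per talker pair, list REJECTed flows and external
    destinations, and count records that carried no flow data."""
    out = {"bytes_by_pair": defaultdict(int), "rejected": [], "external_dst": set(), "skipped": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["log_status"] != "OK":
            out["skipped"] += 1
            continue
        out["bytes_by_pair"][(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
        if rec["action"] == "REJECT":
            out["rejected"].append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
        if not is_internal(rec["dstaddr"]):
            out["external_dst"].add(rec["dstaddr"])
    out["bytes_by_pair"] = dict(out["bytes_by_pair"])
    return out


# Constructed sample records: account ID, interface ID and addresses are made up.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.1.21 20641 22 6 20 4249 1528220010 1528220070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.7 10.0.2.12 49761 3389 6 20 4249 1528220010 1528220070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1528220010 1528220070 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.12 40123 443 6 10 1200 1528220010 1528220070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.12 40124 443 6 5 600 1528220070 1528220130 ACCEPT OK
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for pair, nbytes in sorted(summary["bytes_by_pair"].items()):
        print(f"{pair[0]:>15} -> {pair[1]:<15} {nbytes} bytes")
    print("rejected:", summary["rejected"])
    print("external destinations:", sorted(summary["external_dst"]))
    print("records without flow data:", summary["skipped"])
```

The same parser works on records exported from the log group with the CloudWatch console or CLI, as long as the log format was left at the default; a custom format changes the field order and FIELDS must be edited to match.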

Configuring Stealthwatch Cloud with GCP

Stealthwatch Cloud has added beta support for Google Cloud Platform VPC Flow Logs, which were themselves in beta at the time of writing. Because this feature is currently in beta, the instructions to enable it are maintained on the GCP Integrations page in the Stealthwatch Cloud Dashboard and will be updated as the integration matures.

NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can change, and those changes may not be reflected in this guide.

To enable Stealthwatch Cloud integration with GCP, browse to the GCP Integrations page in the Stealthwatch Cloud Dashboard, and follow the instructions shown there.


Configuring Stealthwatch Cloud with Microsoft Azure

Microsoft Azure does not currently offer a native flow log equivalent on its platform. To provide visibility inside Azure VPCs, Stealthwatch Cloud relies on a software sensor that must be deployed to all of the Linux servers where entity modeling is desired. This sensor is the same one used by Stealthwatch Cloud Private Network Monitoring. Refer to the section “Configuring Stealthwatch Cloud Private Network Monitoring” below as reference material for implementing the software sensor on Linux servers.

NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can change and those changes may not be reflected in this guide.

Configuring Stealthwatch Cloud Private Network Monitoring

Stealthwatch Cloud provides visibility and advanced threat detection for on-premises and cloud networks. For on-premises networks, a Private Network Monitor (PNM) virtual appliance needs to be installed. This is available as an ISO, which contains the Stealthwatch Cloud packages as part of an Ubuntu Linux image. The virtual appliance is installed on the local premises.

Figure 3. Private Network Monitoring virtual sensor overview

The sensor is included in the Stealthwatch Cloud service. Users can download the sensor ISO directly from their customer portal. The sensor image is based on Ubuntu Linux. Its source code is available at this URL: https://github.com/obsrvbl/ona.

To set up a sensor, you need:

● A machine (physical or virtual):
  ◦ Network interfaces: At least two (one control, one-plus data).
  ◦ RAM: At least 2 GB.
  ◦ CPU: At least two cores.
  ◦ Disk space: At least 32 GB.
● Internet access (needed during setup):
  ◦ See the firewall rules in Table 1, below.


● Installation media:
  ◦ The ISO file from the web portal.
  ◦ A USB drive or CD-R (for physical sensors).

Table 1. Firewall rules for installation

Service | Domains/IPs | Ports | Direction
Sensor data upload | sensor.ext.obsrvbl.com (107.22.217.211, 107.22.210.176, 107.22.247.3) | 443/tcp | Outbound
OS updates | us.archive.ubuntu.com | 443/tcp, 80/tcp | Outbound
Hostname resolution | Your local DNS server | 53/udp | Outbound
Remote troubleshooting (optional) | 54.83.42.41 | 22/tcp | Inbound

Configure the firewall to allow these services before installation of the sensor. The installation process will not be able to complete properly without them. After installation, the sensor will initiate connections to the monitoring service and send network data for processing.

For installation of the sensor onto a physical machine, you may use the ISO file from the web portal by writing the image to a CD or DVD, or by using it to create a bootable USB drive. For deployment as a virtual machine, you can boot from the ISO file directly.
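A practitioner will want to confirm the Table 1 rules from the sensor's network segment before booting the installer. The following Python is an added example, not Cisco's code: it probes the outbound rows of Table 1 with a TCP connect and a name lookup, and takes the connector and resolver as parameters so the logic can also be exercised against fakes. The inbound 22/tcp rule is not covered, because it cannot be verified from the sensor itself.

```python
"""Pre-installation check of the sensor's outbound firewall rules (Table 1).

Added example, not Cisco's code. The endpoints come from Table 1; the probe is a
plain TCP connect plus a name lookup, and both can be swapped for fakes so the
logic runs offline. The inbound 22/tcp rule is not covered, since it cannot be
verified from the sensor itself.
"""
import socket

# (label, host, port) for the outbound rows of Table 1.
OUTBOUND_RULES = (
    ("Sensor data upload", "sensor.ext.obsrvbl.com", 443),
    ("OS updates (https)", "us.archive.ubuntu.com", 443),
    ("OS updates (http)", "us.archive.ubuntu.com", 80),
)


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> None:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def check_dns(name: str = "sensor.ext.obsrvbl.com", resolver=socket.gethostbyname) -> tuple:
    """Exercise the 53/udp row: return (ok, resolved address or error text)."""
    try:
        return True, resolver(name)
    except OSError as exc:
        return False, str(exc)


def check_rules(rules=OUTBOUND_RULES, connector=tcp_connect) -> dict:
    """Return {label: (ok, detail)} for every outbound rule."""
    results = {}
    for label, host, port in rules:
        try:
            connector(host, port)
            results[label] = (True, f"{host}:{port} reachable")
        except OSError as exc:
            results[label] = (False, f"{host}:{port} blocked or unreachable ({exc})")
    return results


def all_ok(results: dict) -> bool:
    """True only when every probed rule succeeded."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    dns_ok, dns_detail = check_dns()
    print(f"[{'OK' if dns_ok else 'FAIL'}] Hostname resolution: {dns_detail}")
    rule_results = check_rules()
    for label, (ok, detail) in rule_results.items():
        print(f"[{'OK' if ok else 'FAIL'}] {label}: {detail}")
    raise SystemExit(0 if dns_ok and all_ok(rule_results) else 1)
```

Run it from a host on the same VLAN and with the same default gateway the sensor's control interface will use; a FAIL on the data-upload row means the installer will finish but the sensor will never report in, which is the symptom Appendix A addresses.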

Sensor deployment to a physical machine

To create a bootable USB drive on a Windows-based computer, follow these steps:

Step 1. Once you download the ISO, go to https://rufus.akeo.ie/

Step 2. Download the Rufus utility, and open it.

Step 3. Insert the target USB drive. Rufus will detect its presence.


Step 4. Click the CD-ROM icon, and then select the ISO file you downloaded.

Verify that you've selected the right ISO and USB drive; this is a potentially destructive operation.

Step 5. Click Start.

Step 6. When prompted, select “Write in DD Image mode” and click OK.

Sensor deployment to hypervisor

Follow your environment’s specific instructions and procedures for deploying an ISO-format virtual machine. Verify that you have allocated the required resources to the sensor virtual machine, prior to setup.

Stealthwatch Cloud PNM sensor setup

Once the physical or virtual machine running the Stealthwatch Cloud Sensor has booted up, you will begin the sensor setup process.

Step 1. Choose the language to be used during setup.

Step 2. Select the first option from the presented menu.


Step 3. Select the language to be used for the installation process.


Step 4. Select a country. The default is United States.

Step 5. The installer will offer to detect your keyboard layout. If you wish to select your keyboard layout manually, select No.

Step 6. If you choose to manually select, at the next screen(s) choose your keyboard layout. The default is English (US).


Step 7. Once the keyboard layout is selected, the setup process will scan for hardware.

Step 8. If the installer detects multiple network interfaces, then it will prompt you to choose a “primary” one.

Step 9. Select the interface that you will use for controlling the Stealthwatch Cloud Sensor, rather than the one for mirroring traffic.

Step 10. The other NICs will automatically be configured to accept the mirrored traffic.

Step 11. By default, the installer will try to use DHCP to configure the interface you selected as the primary control NIC.

Step 12. If DHCP is not set up on your network, you will be prompted to configure the network manually.

Step 13. If DHCP is set up on your network, but you don't want to use it, press the Enter key to cancel while DHCP settings are being detected.

Step 14. If you miss the chance to cancel, select Go Back (using the Tab key) at the next screen. Then select “Configure the Network” to try again.

Step 15. When configuring the network without DHCP, you need to enter an address, subnet mask, and gateway, a DNS server, and a local domain suffix.


Step 16. Now you will need to create a user account for local management of the system.

Step 17. Enter the full name of the account. This name can have spaces and capital letters (for example, SWC Admin).

Step 18. Next, enter the username for the account. This name cannot have spaces or capital letters (for example, swcadmin).


Step 19. After the username is entered, you will be prompted to select a password for the local management account.

Step 20. Enter the password in the first prompt, and then again in the second to verify it.

Step 21. Once the password is entered, you will be prompted to encrypt the home directory for the local management user's account. Select Yes.

Step 22. The installer will then attempt to automatically detect your time zone. If successful, accept the detected location and continue.


Step 23. If you are prompted to configure the clock, select the correct time zone from the list.

Step 24. The installer will detect your disks and offer to automatically partition the disk for the operating system.

Step 25. Select Guided – use the entire disk.


Step 26. When prompted, confirm the selected partitioning setup.

Step 27. Select Yes and press Enter to confirm that the installer can erase the disk and install the operating system.

Step 28. Once partitioning has completed, the system installation process will begin.

Step 29. You will be prompted for HTTP proxy information. Unless the network requires an HTTP proxy, press Enter to continue.

Step 30. The installer will download the latest updates for the sensor and the operating system.

Step 31. You will be prompted to select whether to install the updates automatically. The recommended setting is “Install security updates automatically.”


Step 32. If your organization's policy does not allow for automatic updates, select “No automatic updates.”

Step 33. The installation process will continue to set up the sensor appliance.

Step 34. You will be prompted to install the GRUB boot loader onto the target drive.

Step 35. Move the cursor to Yes, and press Enter.

Step 36. After the installer finishes copying the files, the installation process will finish.

Step 37. Eject the boot CD from the drive.

Step 38. After the boot CD has been removed, reboot the system.


Step 39. After the system reboots, you may log in with the same user account created during the installation.

Step 40. You may log out (with the exit command) and leave the system unattended after verifying that it is working; it will run automatically after installation.

Step 41. See the following section for guidance on connecting the sensor to the network.

Connecting the Stealthwatch Cloud PNM sensor to the network

The network sensor monitors the traffic on your network and transmits it to the Stealthwatch Cloud service for analysis. This section will cover where to place the sensor and how to configure your switch or router to send traffic to the sensor.


A sensor needs to have at least two network interfaces: one control interface and at least one mirror interface. The control interface connects to the Internet; see the sensor setup guide for how to configure the control interface. The mirror interface connects to a special port on a switch (or router) that replicates the data from other ports.

You may wish to place multiple sensors in your network to get a view of all traffic.

The following figure shows the possible deployment locations.

Figure 4. Sensor deployment diagram

Multiple-sensor deployments are usually needed only for larger networks. Use the “Contact Us” form on the web portal if you need help determining where to place your sensors.

Mirror interface setup

When setting up a mirror interface, keep in mind that it will be sending copies of all of the source traffic (both inbound and outbound) to the destination:

● Take note of how much traffic is expected at peak, and ensure that it is less than the capacity of the sensor's mirror interface link (for example, 1 Gbps or 10 Gbps).

● Many switches will drop packets from the source interfaces if a mirror port destination is configured with too much traffic, which will cause problems on the LAN.

● You may use multiple mirror interfaces on a sensor; the sensor is not limited to a single control interface and a single mirror interface.


Most managed switches can be configured to replicate traffic. Different switch vendors call this capability by different names:

● Cisco: Switched Port Analyzer (SPAN)

● Juniper, Netgear, ZyXEL: port mirror

● Others: monitor port, analyzer port, tap port

You may also use a passive tap device to replicate traffic. Common tap vendors include NetOptics and Gigamon.

Switch configuration

The user guide for your particular switch model should have the correct configuration steps for setting up a mirror port.

For Cisco switches with IOS software, a typical configuration looks like the following:

monitor session 1 source interface Vlan10

monitor session 1 destination interface Gig1/0/3

For information on configuration documentation for Cisco and other switch vendors, please refer to the “Additional Resources” section.

Virtual environment monitoring

If your sensor is running as a virtual machine, you need to make sure that both the virtual host and virtual network are configured properly.

For VMware:

● Promiscuous mode setup: https://kb.vmware.com/s/article/1004099

● Information on promiscuous mode: https://kb.vmware.com/s/article/1002934

You may need to set the VLAN ID to 4095.

For VirtualBox:

● In the Settings for your host, go to the Network tab, and select the Adapter to be used for the Mirror interface.

● In the Advanced Options section, set Promiscuous mode to Allow.

Configuring a sensor to collect flow data

By default, a sensor creates flow records from the traffic on its Ethernet interfaces. This default configuration assumes that the sensor is attached to a SPAN or mirror Ethernet port. If other devices on your network can generate flow records, you can configure the sensor’s config.local configuration file to collect flow records from these sources, and send them to Stealthwatch Cloud for analysis.


If the network devices generate different types of flows, it is recommended to configure the sensor to collect each type over a different UDP port. This also makes troubleshooting easier. You can configure collection of the following flow types:

● NetFlow v5

● NetFlow v9

● IPFIX

● SFLOW

Certain network appliances require an entry in the config.local configuration file before they start working properly.

See Appendix F for templates.

● Cisco Meraki

● Cisco Advanced Security Appliance (ASA) software

● SonicWALL

Customizing config.local on the Stealthwatch Cloud Sensor for flow collection

Log into the sensor over SSH as an administrator.

Step 1. At the command prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter to edit the config.local configuration file.

Step 2. Add the following line to enable flow collection. This enables the sensor to look for the defined flow inputs.

OBSRVBL_IPFIX_CAPTURER="true"

Step 3. For each type of flow collection you want to enable, copy the _TYPE and _PORT lines from Appendix F for that flow collection type, then delete the “#” at the beginning of each line.

For example, to enable generic NetFlow v5 on port 9995 and ASA flow collection on port 9996, enter the following:

OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"

OBSRVBL_IPFIX_PROBE_0_PORT="9995"

OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"

OBSRVBL_IPFIX_PROBE_1_PORT="9996"

OBSRVBL_IPFIX_PROBE_1_SOURCE="asa"

Step 4. Press Ctrl + O to save your changes.

Step 5. Press Ctrl + x to exit.

Step 6. At the command prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud service. This also restarts the other configured services.

Step 7. Enter cd /opt/obsrvbl-ona/logs/ipfix to change to the ../ipfix directory. If you properly enabled the flow collection, this directory should exist.


Step 8. Enter ls -l to view the log files; the files should be incrementing. Check the iptables rule configuration if the log files are not incrementing.

Step 9. Enter netstat -na | grep udp and press Enter to view the UDP ports that the sensor is listening on.

Viewing a port in this list does not mean that the iptables rules are configured correctly. This list only shows what ports the sensor is listening on. See Appendix D for information on configuring iptables.

Attaching sensors to the Stealthwatch Cloud portal

Once a sensor is installed, it will need to be linked with an account. This is done by identifying its public IP address and entering it into the web portal. If this method does not work, a sensor can manually be added to a portal using the service key.

If multiple sensors are staged in a central location, such as an MSSP, and they are intended for different portals, add the portal’s service key to the sensor. In this case, if a public IP address of the staging environment is used for multiple sensors, a sensor could be incorrectly attached to the wrong portal.


Adding a sensor’s public IP Address to a portal

SSH into the sensor and log in as an administrator.

Step 1. At the command prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter. The error value of unknown identity means that the sensor is not associated with a portal.

Step 2. Copy the identity IP address.

Step 3. Log out of the sensor.

Step 4. Log into the web portal as an administrator.

Step 5. Select Settings > Sensors > Public IP.

Step 6. Enter the identity IP address in the Public IP field.

Step 7. Click Add IP. After the portal and sensor exchange keys, they establish future connections using the keys, and not the public IP address.

Step 8. It can take up to 10 minutes before a new sensor is reflected in the portal.

NOTE: You can also edit a sensor’s config.local configuration file to manually add a portal’s service key and associate the sensor with the portal. See Appendix C for instructions.

Confirming a sensor’s portal connection

After a sensor is added to the portal, confirm the connection.

NOTE: If the sensor’s config.local configuration file was updated using the portal’s service key, confirming the connection using the curl command from the sensor may not return the portal name.


Log into the sensor over SSH as an administrator.

Step 1. At the command prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter.

Step 2. The sensor returns the portal name.

Step 3. Log out of the sensor.

Step 4. Log into the portal.

Step 5. Select Settings > Sensor. The sensor appears in the list.


Appendix A: Sensor connectivity issues

The installer needs to connect to the Internet to retrieve up-to-date packages. If you experience connectivity issues during the PNM installation process (for example, the installer cannot reach the Internet), you may see the following screen:

Double-check that the primary network interface has Internet access (including DNS). You may want to restart the installation once this is in place.

Appendix B: Install PNM on nonpackaged Linux operating systems

In addition to the ISO provided, this virtual appliance can be deployed on the following operating systems:

● Ubuntu Linux version 14.04 (32- and 64-bit)

● Ubuntu Linux versions 16.04 and later (32- and 64-bit)

● Red Hat Enterprise Linux (RHEL) version 6 and compatible, including CentOS version 6* and Amazon Linux for EC2 (32- and 64-bit)

● Red Hat Enterprise Linux (RHEL) version 7 and compatible, including CentOS version 7 (64-bit)

● Raspberry Pi 2 Model B with Raspbian (32-bit armhf)

● Docker, tested with CoreOS (64-bit)


Installation on RHEL 7

Log into the RHEL 7 system as an administrator.

Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_7_x86_64.rpm and press Enter to download the Stealthwatch Cloud package.

Step 2. Enter sudo yum install -y net-tools tcpdump and press Enter to install dependencies.

Step 3. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo

Step 4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm

Step 5. Enter sudo rpm -i netsa-pkg.rpm

Step 6. Enter sudo rpm -i ona-service_RHEL_7_x86_64.rpm and press Enter to install the Stealthwatch Cloud service.

Installation on RHEL 6

NOTE: RHEL 6 does not include Python 2.7. Additional repositories must be added to install Python.

Log into the RHEL 6 system as an administrator.

Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_6_x86_64.rpm and press Enter to download the Stealthwatch Cloud package.

Step 2. Enter curl -L -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm and press Enter to download the EPEL repository package.

Step 3. There are two options:

a. Enter curl -L -O https://rhel6.iuscommunity.org/ius-release.rpm and press Enter to download the IUS repository package for RHEL.

b. Enter curl -L -O https://centos6.iuscommunity.org/ius-release.rpm and press Enter to download the IUS repository package for CentOS.

Step 4. There are two options:

a. To install the EPEL repository package, enter sudo rpm -i epel-release-latest-6.noarch.rpm

b. To install the IUS repository package for CentOS, enter sudo rpm -i ius-release.rpm

Step 5. To install Python 2.7, enter: sudo yum install python27 tcpdump and press Enter.

Step 6. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo

Step 7. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm

Step 8. Enter sudo rpm -i netsa-pkg.rpm

Step 9. Enter sudo rpm -i ona-service_RHEL_6_x86_64.rpm and press Enter to install the Stealthwatch Cloud service.


Installation on Ubuntu with NetFlow collection

Log into the Ubuntu system as an administrator.

Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb and press Enter to download the Stealthwatch Cloud package.

Step 2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.

Step 3. Enter sudo apt-get update && sudo apt-get install -y libglib2.0-0 liblzo2-2 libltdl7

Step 4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.deb

Step 5. Enter sudo dpkg -i netsa-pkg.deb

Step 6. Enter sudo apt-get -f install to verify that the dependencies installed properly.

Step 7. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the Stealthwatch Cloud service.

Step 8. Reload the machine by entering sudo reboot

Step 9. Confirm that the services are running. See Appendix E for Stealthwatch Cloud services.

Installation on Ubuntu without NetFlow collection

Log into the Ubuntu system as an administrator.

Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb and press Enter to download the Stealthwatch Cloud package.

Step 2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.

Step 3. Enter sudo apt-get -f install to verify that the dependencies installed properly.

Step 4. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the Stealthwatch Cloud service.

Appendix C: Adding a portal’s service key to a sensor

Edit a sensor’s config.local configuration file to manually add a portal’s service key to associate the sensor with the portal.

Before you begin, log into the portal as an administrator.

Step 1. Select Settings > Sensors.

Step 2. Navigate to the end of the sensor list, and copy the service key. See the following screenshot for an example.

Step 3. SSH login to the sensor as an administrator.

Step 4. At the command prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter to edit the configuration file.

Step 5. Beneath the line # Service Key, add the following line, replacing <service-key> with the portal’s service key:

OBSRVBL_SERVICE_KEY="<service-key>"


See the following for an example.

Step 6. Press Ctrl + O to save the changes.

Step 7. Press Ctrl + x to exit.

Step 8. At the command prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud service.

Appendix D: Configuring the PNM firewall (iptables)

Editing iptables

The Stealthwatch Cloud ISO image uses the built-in Ubuntu firewall service, iptables. During the install process, ports 22/TCP (SSH) and 9995/UDP, and ICMP, are opened. You can open other ports by configuring the iptables rules. For example, if you also want to collect IPFIX, you can configure the iptables rules to open port 9996/UDP.

Before you begin, SSH log into the sensor as an administrator.

Step 1. At the command prompt, enter sudo nano /etc/iptables/rules.v4 and press Enter to modify the iptables rules.

Step 2. For each port you want to enable, add the following line, updating the --dport value with the desired port.

-A INPUT -p udp --dport 9996 -m state --state NEW,ESTABLISHED -j ACCEPT

The screenshot below shows the open ports: 9995/UDP, 9996/UDP, and 9997/UDP.

Step 3. Press Ctrl + O to save your changes.

Step 4. Press Ctrl + x to exit.

Step 5. Reboot the machine to have the new rules go into effect.


Checking firewall configuration

After you make changes, and restart the Stealthwatch Cloud service, you can verify that the rules are working.

SSH log into the sensor as an administrator.

Step 1. At the command prompt, enter sudo iptables -L -v and press Enter to list the iptables rules along with their packet and byte counters.

Step 2. See the following screenshot for an example of traffic over port 9997/UDP and SSH traffic.

Appendix E: Stealthwatch Cloud sensor services

Service                | Enabled by default? | Description
-----------------------|---------------------|---------------------------------------------------------------
obsrvbl-ona            | yes                 | Monitors for configuration changes and handles automatic updates. Starting this service also starts the other configured services
log-watcher            | yes                 | Tracks the sensor's authentication logs
pdns-capturer          | yes                 | Collects passive DNS queries
pna-monitor            | yes                 | Collects IP traffic metadata
pna-pusher             | yes                 | Sends IP traffic metadata to the cloud
hostname-resolver      | yes                 | Resolves active IP addresses to local hostnames
netflow-monitor        | no                  | Listens for NetFlow data sent by routers and switches
netflow-pusher         | no                  | Sends NetFlow data to the cloud
notification-publisher | no                  | Relays observations and alerts over syslog or SNMP
ossec-alert-watcher    | no                  | Monitors OSSEC alerts, if installed
suricata-alert-watcher | no                  | Monitors Suricata alerts, if installed

Verifying running services

You can verify that the various Stealthwatch Cloud services are running from the sensor command line. Before you begin, SSH into the sensor and log in as an administrator.

At the command prompt, enter ps -ef | grep obsrvbl and press Enter.


Appendix F: NetFlow integration templates

You can add the following lines to the config.local configuration file to enable collection of that flow type or from that network appliance type. Note that new sources added to the PNM will need to have their ports opened in the sensor firewall. See Appendix D for details.

# NetFlow v5 exporter

OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"

OBSRVBL_IPFIX_PROBE_0_PORT="2055"

# Standard NetFlow v9 exporter

OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"

OBSRVBL_IPFIX_PROBE_1_PORT="9995"

# IPFIX exporter

OBSRVBL_IPFIX_PROBE_2_TYPE="ipfix"

OBSRVBL_IPFIX_PROBE_2_PORT="9996"

# Cisco ASA exporter

OBSRVBL_IPFIX_PROBE_3_TYPE="netflow-v9"

OBSRVBL_IPFIX_PROBE_3_PORT="9997"

OBSRVBL_IPFIX_PROBE_3_SOURCE="asa"

# Meraki exporter

OBSRVBL_IPFIX_PROBE_4_TYPE="netflow-v9"

OBSRVBL_IPFIX_PROBE_4_PORT="9998"

OBSRVBL_IPFIX_PROBE_4_SOURCE="meraki"

# SonicWALL exporter

OBSRVBL_IPFIX_PROBE_5_TYPE="netflow-v9"

OBSRVBL_IPFIX_PROBE_5_PORT="9999"

OBSRVBL_IPFIX_PROBE_5_SOURCE="sonicwall"

# sFlow exporter

OBSRVBL_IPFIX_PROBE_6_TYPE="sflow"

OBSRVBL_IPFIX_PROBE_6_PORT="6343"
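The flow-collection steps under “Customizing config.local”, the Appendix D firewall note, and the templates above all hinge on one thing: every active OBSRVBL_IPFIX_PROBE_n_PORT must also have a UDP ACCEPT rule in /etc/iptables/rules.v4, and each flow type should get its own port. The following script is an added example, not Cisco’s code or part of this guide; it parses both files in the formats shown here (the parsing rules and the embedded sample file contents are constructed assumptions, not captured from a real sensor) and reports probes whose port is not opened, probes that share a port, and a missing OBSRVBL_IPFIX_CAPTURER="true".

```python
"""Cross-check a PNM sensor's config.local flow probes against its iptables
rules.v4 (added example, not Cisco's code; the file formats are assumed to
match the lines shown in this guide)."""
import re
from collections import defaultdict

# Flow types listed under "Configuring a sensor to collect flow data".
KNOWN_TYPES = {"netflow-v5", "netflow-v9", "ipfix", "sflow"}
PROBE_RE = re.compile(r'^OBSRVBL_IPFIX_PROBE_(\d+)_(TYPE|PORT|SOURCE)="([^"]*)"$')
CAPTURER_RE = re.compile(r'^OBSRVBL_IPFIX_CAPTURER="([^"]*)"$')
# An iptables-restore INPUT rule of the shape used in Appendix D.
RULE_RE = re.compile(r'^-A INPUT\b.*-p udp\b.*--dport (\d+)\b.*-j ACCEPT$')


def parse_config_local(text):
    """Return (capturer_enabled, {probe_index: {"TYPE"/"PORT"/"SOURCE": value}})."""
    enabled, probes = False, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or a template line still commented out: inactive
        m = CAPTURER_RE.match(line)
        if m:
            enabled = m.group(1).lower() == "true"
        m = PROBE_RE.match(line)
        if m:
            probes[int(m.group(1))][m.group(2)] = m.group(3)
    return enabled, dict(probes)


def parse_open_udp_ports(rules_text):
    """Return the set of UDP destination ports accepted on the INPUT chain."""
    matches = (RULE_RE.match(raw.strip()) for raw in rules_text.splitlines())
    return {int(m.group(1)) for m in matches if m}


def audit(config_text, rules_text):
    """Return sorted findings; an empty list means the two files agree."""
    findings = []
    enabled, probes = parse_config_local(config_text)
    open_ports = parse_open_udp_ports(rules_text)
    if probes and not enabled:
        findings.append('flow probes defined but OBSRVBL_IPFIX_CAPTURER is not "true"')
    users_of_port = defaultdict(list)
    for idx in sorted(probes):
        probe, name = probes[idx], f"PROBE_{idx}"
        if "TYPE" not in probe or not probe.get("PORT", "").isdigit():
            findings.append(f"{name}: TYPE or numeric PORT line missing")
            continue
        if probe["TYPE"] not in KNOWN_TYPES:
            findings.append(f"{name}: unknown TYPE {probe['TYPE']!r}")
        port = int(probe["PORT"])
        users_of_port[port].append(name)
        if port not in open_ports:
            # Appendix D: a new flow source needs its port opened in the sensor firewall.
            findings.append(f"{name}: UDP port {port} has no ACCEPT rule in rules.v4")
    for port, names in users_of_port.items():
        if len(names) > 1:
            # The guide recommends a separate UDP port per flow type.
            findings.append(f"UDP port {port} is shared by {', '.join(names)}")
    return sorted(findings)


# Constructed sample files (not captured from a real sensor).
SAMPLE_CONFIG = """\
OBSRVBL_IPFIX_CAPTURER="true"
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="9995"
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9996"
OBSRVBL_IPFIX_PROBE_1_SOURCE="asa"
OBSRVBL_IPFIX_PROBE_2_TYPE="ipfix"
OBSRVBL_IPFIX_PROBE_2_PORT="9996"
# OBSRVBL_IPFIX_PROBE_5_TYPE="netflow-v9"
"""
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 9995 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_RULES) or ["OK: config.local and rules.v4 agree"]:
        print(finding)
```

On a real sensor, run it against the actual files (sudo cat /opt/obsrvbl-ona/config.local and /etc/iptables/rules.v4) after editing config.local and before restarting obsrvbl-ona, so that a port left closed shows up before the log files fail to increment.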


Additional resources

If you have further questions, refer to the following additional resources:

● Cisco Stealthwatch Cloud:

https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html

Switch configuration documentation

● Cisco documentation:

https://www.cisco.com/c/en/us/tech/lan-switching/port-monitoring/tech-configuration-examples-list.html

● Juniper documentation (you may need to search for your particular switch model):

https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html

● Netgear support page (the Software Administration Manual for your particular model should include a section on port mirroring):

https://kb.netgear.com/21850/What-is-port-mirroring-and-how-does-it-work-with-my-managed-switch

● For more examples, see the Wireshark Switch Reference page:

https://wiki.wireshark.org/SwitchReference

For a complete list of all of our design and deployment guides for the Cisco Multicloud Portfolio, including Cloud Protect, visit https://www.cisco.com/go/clouddesignguides.

About Cisco design and deployment guides

Cisco design and deployment guides consist of systems and/or solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit: https://www.cisco.com/go/designzone.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS

(COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND

ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING

FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS

SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES,

INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE

USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF

THE POSSIBILITY OF SUCH DAMAGES.

THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR

THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER

PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS, OR PARTNERS. USERS SHOULD CONSULT THEIR

OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING

ON FACTORS NOT TESTED BY CISCO.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx,

the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live,

Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting

To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified

Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo,


Cisco Unified Computing System (Cisco UCS), Cisco UCS B-Series Blade Servers, Cisco UCS C-Series Rack

Servers, Cisco UCS S-Series Storage Servers, Cisco UCS Manager, Cisco UCS Management Software, Cisco

Unified Fabric, Cisco Application Centric Infrastructure, Cisco Nexus 9000 Series, Cisco Nexus 7000 Series. Cisco

Prime Data Center Network Manager, Cisco NX-OS Software, Cisco MDS Series, Cisco Unity, Collaboration

Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive,

HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, LightStream, Linksys, MediaTone, MeetingPlace,

MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX,

PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way

to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco

Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of

the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)

© 2018 Cisco Systems, Inc. All rights reserved.

Printed in USA C07-740823-00 06/18