Cisco Multicloud Portfolio: Overview
Configuring Stealthwatch Cloud with AWS
Configuring Stealthwatch Cloud with GCP
Configuring Stealthwatch Cloud with Microsoft Azure
Configuring Stealthwatch Cloud Private Network Monitoring
Sensor deployment to a physical machine
Sensor deployment to hypervisor
Stealthwatch Cloud PNM sensor setup
Connecting the Stealthwatch Cloud PNM sensor to the network
Configuring a sensor to collect flow data
Attaching sensors to the Stealthwatch Cloud portal
Adding a sensor’s public IP Address to a portal
Confirming a sensor’s portal connection
Appendix A: Sensor connectivity issues
Appendix B: Install PNM on nonpackaged Linux operating systems
Appendix C: Adding a portal’s service key to a sensor
Appendix D: Configuring the PNM firewall (iptables)
Appendix E: Stealthwatch Cloud sensor services
Appendix F: NetFlow integration templates
Cisco Stealthwatch® Cloud is a public cloud and private network monitoring solution, a cloud-delivered application in the Cisco® Multicloud Portfolio that provides visibility and effectively identifies active threats and monitors user and device behavior across public and on-premises networks. This guide focuses on how to deploy that application.
Stealthwatch Cloud provides high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT infrastructure from the public cloud to headquarters to the branch network. It uses the collection of Virtual Private Cloud (VPC) Flow Logs and other APIs inside Amazon Web Services (AWS) and Google Cloud Platform (GCP) for visibility into cloud environments and on-premises sensors for visibility into campus and branch networks.
The audience for this document includes network-design engineers, network-operations personnel, and security-operations personnel who wish to implement efficient threat identification through entity modeling inside and across the public cloud(s) and on-premises network(s).
Cisco Multicloud Portfolio: Overview
In a multicloud world, growing complexity is driving a cloud gap between what your customers require and what your people, processes, and tools can support. With the Cisco Multicloud Portfolio, we make it simple: simple to connect, simple to protect, and simple to consume.
The Cisco Multicloud Portfolio is a set of essential products, software, and services supported with simplified ordering and design deployment guides to help you when it comes to multicloud adoption. The Cisco Multicloud Portfolio consists of four component portfolios (Figure 1):
● Cloud Advisory: Helps you design, plan, accelerate, and reduce risk during your multicloud migration.
● Cloud Connect: Securely extends your private networks into public clouds and helps ensure the appropriate application experience.
● Cloud Protect: Protects your multicloud identities, direct-to-cloud connectivity, data, and applications, including Software as a Service (SaaS), and detects infrastructure and application threats on-premises and in public clouds.
● Cloud Consume: Helps you deploy, monitor, and optimize applications in multicloud and container environments.
Cloud Protect consists of essential products to protect your multicloud identities, direct-to-cloud connectivity, data, and applications, including SaaS, and detects infrastructure and application threats on-premises and in public clouds:
● Cisco Umbrella™
● AMP for Endpoints
● Cisco Meraki™ Systems Manager
● CloudLock®
● Tetration Cloud
● Stealthwatch Cloud
For detailed use cases, see the section about Cloud Protect on the portfolio’s solution page at https://www.cisco.com/go/multicloud.
Cloud Protect delivers value in the following use cases:
● Secure users connecting to the Internet (cloud), including users from data centers/main offices, branches (no Multiprotocol Label Switching [MPLS]), users who are roaming (off VPN), and “direct-to-cloud” users. Includes protection for ransomware, command-and-control callbacks, phishing attacks, and inappropriate web use.
● Secure users’ devices connecting to the Internet, both on and off the network. Security measures include blocking malicious files at initial entry by inspection and using a sandbox to further inspect unknown files for advanced protection.
● Enable endpoint protection by ensuring the right security services are installed and configured, by permitting only sanctioned apps to access the cloud, and by constantly evaluating and dynamically taking corrective action based on changes to endpoint posture.
● Secure cloud applications and data, including detecting data leakages through sanctioned SaaS applications and protecting sensitive data and users from malicious or compromised applications.
● Gain the visibility and continuous threat detection needed to secure your public cloud, private network, and hybrid environments.
● Discover, map, baseline, and protect applications for workloads on the cloud, hybrid, and on-premises. Planning application migrations, identifying deviations in application behavior, and applying security policies for enforcing fine-grain application microsegmentation are included.
● Efficiently identify threat activity and monitor user and device behavior across public cloud and on-premises network. Use high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT infrastructure, from the public cloud to headquarters to the branch network.
Cloud Protect benefits include:
● Secure cloud identities, data, and apps/SaaS
● Provide secure cloud access for users on and off the network
● Enable easy pluggable protection of mobile devices accessing apps (for example, Apple iOS devices)
● Protect workloads on public cloud Infrastructure-as-a-Service (IaaS) providers with security policy enforcement
● Enable compliance in the cloud
● Lower risk by providing increased visibility and control
● Provide ~5% to 10% lower cost through simplified deployment
● Reduce remediation time for >30% of organizations by >90%
● Reduce malware infections for ~40% of organizations by >90%
● Protect on-premises and cloud environments with a single vendor
● Provide increased visibility tied into automated threat defense
● Dynamically react to changes in endpoint posture by controlling apps, users and services that access cloud data via laptops, mobile devices
In a multicloud world, IT managers are quickly realizing the benefits of cloud computing services such as infrastructure as a service. IaaS providers such as AWS allow organizations to more rapidly and cost-effectively prototype new applications. Instead of procuring, installing, and managing hardware, which could take months to accomplish, you can easily use the on-demand and scalable compute services within AWS. This allows you to focus your resources on applications rather than on managing the data center and physical infrastructure. With the use of IaaS, expenses shift from fixed costs for hardware, software, and data center infrastructure to variable costs based on the usage of compute resources and the amount of data transferred between the private data center and the IaaS provider. Therefore, you must also be able to monitor the usage of such resources for cost tracking and/or internal billing purposes.
Stealthwatch Cloud improves security and incident response across the distributed network - from the private network and branch office to the public cloud. This solution addresses the need for digital businesses to quickly identify threats posed by their network devices and cloud resources, and to do so with minimal management, oversight, and security manpower.
The network is evolving. IT resources are frequently being moved into the cloud. At the same time, the number of connected devices on the private network is increasing dramatically. Security personnel are struggling just to know what entities are operating in their environment, let alone whether they pose a threat to the organization.
Stealthwatch Cloud addresses this problem by providing comprehensive visibility and high-precision alerts with low noise, without the use of software agents. Organizations can accurately detect threats in real time, regardless of whether an attack is taking place on the network, in the cloud, or across both environments. Stealthwatch Cloud is a cloud-based, Software-as-a-Service (SaaS)-delivered solution. It detects ransomware and other malware, data exfiltration, network vulnerabilities, and role changes that indicate compromise.
Stealthwatch Cloud consists of two primary offerings: Public Cloud Monitoring and Private Network Monitoring.
Public Cloud Monitoring can be used in combination with Private Network Monitoring or Cisco Stealthwatch Enterprise to provide visibility and threat detection across the entire network, including AWS, GCP, and Microsoft Azure infrastructures. It is a cloud-delivered, SaaS-based solution that can be deployed easily and quickly.
In AWS environments, Stealthwatch Cloud can be deployed without software agents, instead relying on native AWS sources of telemetry, such as its VPC Flow Logs. Using VPC Flow Logs, Stealthwatch Cloud models all IP traffic generated by an organization’s resources and functions, whether they are inside the VPC, between VPCs, or to external IP addresses. Stealthwatch Cloud is also integrated with additional AWS services such as CloudTrail, CloudWatch, Config, Inspector, Identity and Access Management (IAM), Lambda, and more.
In GCP environments, Stealthwatch Cloud supports an in-beta integration with the in-beta GCP flow logs and can be deployed without the use of software agents.
In Microsoft Azure environments, Stealthwatch Cloud relies on a software sensor that must be deployed to all of the Linux servers where entity modeling is desired.
Cisco Stealthwatch Cloud Private Network Monitoring provides visibility and threat detection for the on-premises network, delivered from a cloud-based SaaS solution. It is the perfect solution for organizations that want better awareness and security in their on-premises environments while reducing capital expenditure and operational overhead. It works by deploying a lightweight virtual appliance in a virtual machine or server that can consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.
Configuring Stealthwatch Cloud with AWS
Cisco Stealthwatch Cloud Public Cloud Monitoring can be deployed easily and quickly in AWS.
NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can change, and those changes may not be reflected in this guide.
To enable Stealthwatch Cloud in AWS:
● A policy with the appropriate permissions needs to be created.
● A role needs to be created for Stealthwatch Cloud.
● Amazon VPC Flow Logs need to be enabled.
Step 1. Log in to your Stealthwatch Cloud instance, click the Settings icon, and select Integrations.
Step 2. Ensure that the AWS tab is selected in the left pane, and copy the sample Policy Document.
Step 3. Log in to your AWS console (https://console.aws.amazon.com) and click Services > IAM. Select Polices in the left pane, and click Create Policy.
Step 4. Click the JSON tab and paste in the copied sample Policy Document, and click Review Policy.
Step 5. Enter a Policy Name, and click Create Policy.
Step 1. In the IAM view of your AWS console, click Roles > Create Role.
Step 2. Select “Another AWS Account.”
Step 3. On the AWS Integrations page in your Stealthwatch Cloud Dashboard, make a note of your account ID and External ID. This will be shown below the previously copied sample policy.
Step 4. In the AWS console, paste in the Account ID, select the Require external ID check-box, and paste in the External ID. Click Next > Permissions.
Step 5. Locate and select the previously created policy. Click Next > Review.
Step 6. Enter a role name, and click Create Role.
Step 7. Click on the newly created role and locate a copy of the Role ARN. It will look like: “arn:aws:iam::<account_id>:role/<role_name>”
Step 8. On the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the Credentials tab.
Step 9. Paste the copied Role ARN into the text box, enter a name to identify the instance, and click the icon.
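Selecting “Another AWS Account” with “Require external ID” (Steps 2 through 4 above) gives the role a trust policy that only the Stealthwatch Cloud account, presenting the External ID, can use. The following added Python example (not from this guide, AWS, or Cisco) builds that trust policy from placeholder account and External ID values and audits an existing trust policy for broader access; the placeholder values and the audit rules are this example’s own assumptions.

```python
import json

# Constructed placeholder values. The real Stealthwatch Cloud account ID and
# External ID are displayed on the AWS Integrations page of your portal.
STEALTHWATCH_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-PLACEHOLDER"


def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to choosing "Another AWS Account" with
    "Require external ID" in the IAM Create Role wizard."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
                "Action": "sts:AssumeRole",
                # The External ID condition is what stops a third party from
                # tricking Stealthwatch Cloud into assuming your role.
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_account_id, expected_external_id):
    """Return findings for AssumeRole statements that are broader than the
    single expected account plus the External ID condition.
    An empty list means the role is scoped as the integration expects."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = _as_list(principal.get("AWS", []))
        if not principals:
            findings.append("statement %d: no AWS account principal" % idx)
            continue
        for p in principals:
            if p == "*":
                findings.append("statement %d: wildcard principal" % idx)
            elif expected_account_id not in p:
                findings.append("statement %d: unexpected principal %s" % (idx, p))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if ext is None:
            findings.append("statement %d: no sts:ExternalId condition" % idx)
        elif ext != expected_external_id:
            findings.append("statement %d: External ID mismatch" % idx)
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(STEALTHWATCH_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, STEALTHWATCH_ACCOUNT_ID, EXTERNAL_ID))
```

To audit the role you created, paste the JSON from the role’s Trust relationships tab into `json.loads` and pass the result to `audit_trust_policy` with the account ID and External ID from the portal.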
Step 1. In your AWS dashboard, click Services > CloudWatch > Logs, and click Create Log Group.
Step 2. Enter a name for the group, and click Create Log Group.
Step 3. Click on the newly created group, and click Create Log Stream. Enter a name for the stream.
Step 4. On the AWS Integrations page in the Stealthwatch Cloud Dashboard, click the VPC Flow Logs tab. Enter the name of the CloudWatch Logs Group, and click Add.
Configuring Stealthwatch Cloud with GCP
Stealthwatch Cloud has added the ability to work with Google Cloud Platform VPC Flow Logs (at the time of writing, themselves in beta) as a beta feature. Because this feature is currently in beta, the instructions to enable it are maintained on the GCP Integrations page in the Stealthwatch Cloud Dashboard and will be updated as the integration matures.
NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can change, and those changes may not be reflected in this guide.
To enable Stealthwatch Cloud integration with GCP, browse to the GCP Integrations page in the Stealthwatch Cloud Dashboard, and follow the instructions:
Configuring Stealthwatch Cloud with Microsoft Azure
Today, Microsoft Azure does not have a native flow log equivalent on its platform. To provide visibility inside Azure virtual networks, Stealthwatch Cloud relies on a software sensor that must be deployed to all of the Linux servers where entity modeling is desired. This sensor is the same one used by Stealthwatch Cloud Private Network Monitoring. Refer to the section “Configuring Stealthwatch Cloud Private Network Monitoring” below for the implementation of the software sensor on Linux servers.
NOTE: Log in to Stealthwatch Cloud and review the procedures for integration in the portal, since they can change, and those changes may not be reflected in this guide.
Configuring Stealthwatch Cloud Private Network Monitoring
Stealthwatch Cloud provides visibility and advanced threat detection for on-premises and cloud networks. For on-premises networks, a Private Network Monitor (PNM) virtual appliance needs to be installed. This is available as an ISO, which contains the Stealthwatch Cloud packages as part of an Ubuntu Linux image. The virtual appliance is installed on the local premises.
The sensor is included in the Stealthwatch Cloud service. Users can download the sensor ISO directly from their customer portal. The sensor image is based on Ubuntu Linux. Its source code is available at this URL: https://github.com/obsrvbl/ona.
To set up a sensor, you need:
● A machine (physical or virtual):
◦ Network interfaces: At least two (one control, one or more data).
◦ RAM: At least 2 GB.
◦ CPU: At least two cores.
◦ Disk space: At least 32 GB.
● Internet access (needed during setup):
◦ See the firewall rules in Table 1, below.
● Installation media:
◦ The ISO file from the web portal.
◦ A USB drive or CD-R (for physical sensors).
Table 1. Firewall rules for installation
Service | Domains/IPs | Ports | Direction
Sensor data upload | sensor.ext.obsrvbl.com, 107.22.217.211, 107.22.210.176, 107.22.247.3 | 443/tcp | Outbound
OS updates | us.archive.ubuntu.com | 443/tcp, 80/tcp | Outbound
Hostname resolution | Your local DNS server | 53/udp | Outbound
Remote troubleshooting (optional) | 54.83.42.41 | 22/tcp | Inbound
Configure the firewall to allow these services, before installation of the sensor. The installation process will not be able to complete properly without them. After installation, the sensor will initiate connections to the monitoring service and send network data for processing.
For installation of the sensor onto a physical machine, you may use the ISO file from the web portal by writing the image to a CD or DVD, or by using it to create a bootable USB drive. For deployment as a virtual machine, you can boot to the ISO file directly.
Sensor deployment to a physical machine
To create a bootable USB drive on a Windows-based computer, follow these steps:
Step 1. Once you download the ISO, go to https://rufus.akeo.ie/
Step 2. Download the Rufus utility, and open it.
Step 3. Insert the target USB drive. Rufus will detect its presence.
Step 4. Click the CD-ROM icon, and then select the ISO file you downloaded.
Verify that you've selected the right ISO and USB drive; this is a potentially destructive operation.
Step 5. Click Start.
Step 6. When prompted, select “Write in DD Image mode” and click OK.
Sensor deployment to hypervisor
Follow your environment’s specific instructions and procedures for deploying an ISO-format virtual machine. Verify that you have allocated the required resources to the sensor virtual machine, prior to setup.
Stealthwatch Cloud PNM sensor setup
Once the physical or virtual machine running the Stealthwatch Cloud Sensor has booted up, you will begin the sensor setup process.
Step 1. Choose the language to be used during setup.
Step 2. Select the first option from the presented menu.
Step 3. Select the language to be used for the installation process.
Step 4. Select a country. The default is United States.
Step 5. The installer will offer to detect your keyboard layout. If you wish to select your keyboard layout manually, select No.
Step 6. If you choose to manually select, at the next screen(s) choose your keyboard layout. The default is English (US).
Step 7. Once the keyboard layout is selected, the setup process will scan for hardware.
Step 8. If the installer detects multiple network interfaces, then it will prompt you to choose a “primary” one.
Step 9. Select the interface that you will use for controlling the Stealthwatch Cloud Sensor, rather than the one for mirroring traffic.
Step 10. The other NICs will automatically be configured to accept the mirrored traffic.
Step 11. By default, the installer will try to use DHCP to configure the interface you selected as the primary control NIC.
Step 12. If DHCP is not set up on your network, you will be prompted to configure the network manually.
Step 13. If DHCP is set up on your network, but you don't want to use it, press the Enter key to cancel while DHCP settings are being detected.
Step 14. If you miss the chance to cancel, select Go Back (using the Tab key) at the next screen. Then select “Configure the Network” to try again.
Step 15. When configuring the network without DHCP, you need to enter an address, subnet mask, and gateway, a DNS server, and a local domain suffix.
Step 16. Now you will need to create a user account for local management of the system.
Step 17. Enter the full name of the account. This name can have spaces and capital letters (for example, SWC Admin).
Step 18. Next, enter the username for the account. This name cannot have spaces or capital letters (for example, swcadmin).
Step 19. After the username is entered, you will be prompted to select a password for the local management account.
Step 20. Enter the password in the first prompt, and then again in the second to verify it.
Step 21. Once the password is entered, you will be prompted to encrypt the home directory for the local management user's account. Select Yes.
Step 22. The installer will then attempt to automatically detect your time zone. If successful, accept the detected location and continue.
Step 23. If you are prompted to configure the clock, select the correct time zone from the list.
Step 24. The installer will detect your disks and offer to automatically partition the disk for the operating system.
Step 25. Select Guided – use the entire disk.
Step 26. When prompted, confirm the selected partitioning setup.
Step 27. Select Yes and press Enter to confirm that the installer can erase the disk and install the operating system.
Step 28. Once partitioning has completed, the system installation process will begin.
Step 29. You will be prompted for HTTP proxy information. Unless the network requires an HTTP proxy, press Enter to continue.
Step 30. The installer will download the latest updates for the sensor and the operating system.
Step 31. You will be prompted to select whether to install the updates automatically. The recommended setting is “Install security updates automatically.”
Step 32. If your organization's policy does not allow for automatic updates, select “No automatic updates.”
Step 33. The installation process will continue to set up the sensor appliance.
Step 34. You will be prompted to install the GRUB boot loader onto the target drive.
Step 35. Move the cursor to Yes, and press Enter.
Step 36. After the installer finishes copying the files, the installation process will finish.
Step 37. Eject the boot CD from the drive.
Step 38. After the boot CD has been removed, reboot the system.
Step 39. After the system reboots, you may log in with the same user account created during the installation.
Step 40. You may log out (with the exit command) and leave the system unattended after verifying that it is working; it will run automatically after installation.
Step 41. See the following section for guidance on connecting the sensor to the network.
Connecting the Stealthwatch Cloud PNM sensor to the network
The network sensor monitors the traffic on your network and transmits it to the Stealthwatch Cloud service for analysis. This section will cover where to place the sensor and how to configure your switch or router to send traffic to the sensor.
A sensor needs to have at least two network interfaces: one control interface and at least one mirror interface. The control interface connects to the Internet. See the sensor setup section above for how to configure the control interface. The mirror interface connects to a special port on a switch (or router) that replicates the data from other ports.
You may wish to place multiple sensors in your network to get a view of all traffic.
The following figure shows the possible deployment locations.
Multiple-sensor deployments are usually needed only for larger networks. Use the “Contact Us” form on the web portal if you need help determining where to place your sensors.
Mirror interface setup
When setting up a mirror interface, keep in mind that it will be sending copies of all of the source traffic (both inbound and outbound) to the destination:
● Take note of how much traffic is expected at peak, and ensure that it is less than the capacity of the sensor's mirror interface link (for example: 1 Gbps or 10 Gbps).
● Many switches will drop packets on the source interfaces if the mirror destination port is configured with more traffic than it can carry, which will cause problems on the LAN.
● You may use multiple mirror interfaces on a sensor; the sensor is not limited to a single control interface and a single mirror interface.
Most managed switches can be configured to replicate traffic. Different switch vendors call this capability by different names:
● Cisco: Switched Port Analyzer (SPAN)
● Juniper, Netgear, ZyXEL: port mirror
● Others: monitor port, analyzer port, tap port
You may also use a passive tap device to replicate traffic. Common tap vendors include NetOptics and Gigamon.
Switch configuration
The user guide for your particular switch model should have the correct configuration steps for setting up a mirror port.
For Cisco switches with IOS software, a typical configuration looks like the following:
monitor session 1 source interface Vlan10
monitor session 1 destination interface Gig1/0/3
For information on configuration documentation for Cisco and other switch vendors, please refer to the “Additional Resources” section.
Virtual environment monitoring
If your sensor is running as a virtual machine, you need to make sure that both the virtual host and virtual network are configured properly.
For VMware:
● Promiscuous mode setup: https://kb.vmware.com/s/article/1004099
● Information on promiscuous mode: https://kb.vmware.com/s/article/1002934
You may need to set the VLAN ID to 4095.
For VirtualBox:
● In the Settings for your host, go to the Network tab, and select the Adapter to be used for the Mirror interface.
● In the Advanced Options section, set Promiscuous mode to Allow.
Configuring a sensor to collect flow data
By default, a sensor creates flow records from the traffic on its Ethernet interfaces. This default configuration assumes that the sensor is attached to a SPAN or mirror Ethernet port. If other devices on your network can generate flow records, you can configure the sensor’s config.local configuration file to collect flow records from these sources, and send them to Stealthwatch Cloud for analysis.
If the network devices generate different types of flows, it is recommended to configure the sensor to collect each type over a different UDP port. This also makes the troubleshooting easier. You can configure a collection of the following flow types:
● NetFlow v5
● NetFlow v9
● IPFIX
● SFLOW
Certain network appliances require an entry in the config.local configuration file, before they start working properly. See Appendix F for templates.
● Cisco Meraki
● Cisco Advanced Security Appliance (ASA) software
● SonicWALL
Customizing config.local on the Stealthwatch Cloud Sensor for flow collection
Log in to the sensor over SSH as an administrator.
Step 1. At the command prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter to edit the config.local configuration file.
Step 2. Add the following line to enable flow collection. This enables the sensor to look for the defined flow inputs.
OBSRVBL_IPFIX_CAPTURER="true"
Step 3. For each type of flow collection you want to enable, copy the _Type and _Port lines from Appendix F for that flow collection type, then delete the “#” at the beginning of each line.
For example: To enable generic NetFlow v5 on port 9995, and ASA flow collection on port 9996, enter the following:
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="9995"
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9996"
OBSRVBL_IPFIX_PROBE_1_SOURCE="asa"
Step 4. Press Ctrl + O to save your changes.
Step 5. Press Ctrl + x to exit.
Step 6. At the command prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud service. This also restarts the other configured services.
Step 7. Enter cd /opt/obsrvbl-ona/logs/ipfix to change to the ../ipfix directory. If you properly enabled the flow collection, this directory should exist.
Step 8. Enter ls -l to view the log files; the files should be incrementing. Check the iptables rule configuration if the log files are not incrementing.
Step 9. Enter netstat -na | grep udp and press Enter to view the UDP ports that the sensor is listening on.
Viewing a port in this list does not mean that the iptables rules are configured correctly. This list only shows what ports the sensor is listening on. See Appendix D for information on configuring iptables.
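The config.local edits in Steps 2 and 3 and the listener check in Step 9 are easy to get subtly wrong (capturer left disabled, two probes on one UDP port, a probe whose port never opens). The following added Python example (not from this guide or from the ona project) reads a config.local of the form shown above, reports those problems, and compares the configured probe ports against `netstat -na | grep udp` output; the simple KEY="value" parsing, the check rules, and the sample config and netstat lines are constructed assumptions of this example.

```python
import re

# Constructed sample config.local with the same entries as the example above.
SAMPLE_CONFIG = """\
# lines starting with # are ignored
OBSRVBL_IPFIX_CAPTURER="true"
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="9995"
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9996"
OBSRVBL_IPFIX_PROBE_1_SOURCE="asa"
"""

# Constructed sample of 'netstat -na | grep udp' where only port 9995 is open.
SAMPLE_NETSTAT = """\
udp        0      0 0.0.0.0:9995            0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

PROBE_RE = re.compile(r"^OBSRVBL_IPFIX_PROBE_(\d+)_(TYPE|PORT|SOURCE)$")


def parse_config(text):
    """Read KEY="value" lines into a dict, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def probes(settings):
    """Group OBSRVBL_IPFIX_PROBE_<n>_* settings by probe index n."""
    result = {}
    for key, value in settings.items():
        m = PROBE_RE.match(key)
        if m:
            result.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return result


def validate(text):
    """Return a list of findings; an empty list means the config is consistent."""
    settings = parse_config(text)
    findings = []
    if settings.get("OBSRVBL_IPFIX_CAPTURER", "").lower() != "true":
        findings.append('OBSRVBL_IPFIX_CAPTURER is not "true"; probes are ignored')
    used = {}  # port -> probe index, to enforce one UDP port per flow type
    for idx, probe in sorted(probes(settings).items()):
        if "TYPE" not in probe:
            findings.append("probe %d: missing _TYPE" % idx)
        port = probe.get("PORT")
        if port is None:
            findings.append("probe %d: missing _PORT" % idx)
        elif not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append("probe %d: invalid port %r" % (idx, port))
        elif port in used:
            findings.append("probe %d: port %s already used by probe %d"
                            % (idx, port, used[port]))
        else:
            used[port] = idx
    return findings


def udp_listeners(netstat_output):
    """Extract local UDP port numbers from 'netstat -na | grep udp' output."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("udp"):
            ports.add(fields[3].rsplit(":", 1)[-1])
    return ports


def unopened_probes(config_text, netstat_output):
    """Indices of configured probes whose UDP port is not being listened on."""
    open_ports = udp_listeners(netstat_output)
    return sorted(idx for idx, p in probes(parse_config(config_text)).items()
                  if p.get("PORT") not in open_ports)


if __name__ == "__main__":
    print("findings:", validate(SAMPLE_CONFIG))
    print("probes not listening:", unopened_probes(SAMPLE_CONFIG, SAMPLE_NETSTAT))
```

On a real sensor, read /opt/obsrvbl-ona/config.local and the netstat output into the two text arguments; a probe reported as not listening usually means the service was not restarted after the edit, and a listening port that still receives no logs points at iptables (Appendix D).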
Attaching sensors to the Stealthwatch Cloud portal
Once a sensor is installed, it will need to be linked with an account. This is done by identifying its public IP address and entering it into the web portal. If this method does not work, a sensor can manually be added to a portal using the service key.
If multiple sensors are staged in a central location, such as an MSSP, and they are intended for different portals, add the portal’s service key to the sensor. In this case, if a public IP address of the staging environment is used for multiple sensors, a sensor could be incorrectly attached to the wrong portal.
Adding a sensor’s public IP Address to a portal
Log in to the sensor over SSH as an administrator.
Step 1. At the command prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter. The response “unknown identity” means that the sensor is not associated with a portal.
Step 2. Copy the identity IP address.
Step 3. Log out of the sensor.
Step 4. Log into the web portal as an administrator.
Step 5. Select Settings > Sensors > Public IP.
Step 6. Enter the identity IP address in the Public IP field.
Step 7. Click Add IP. After the portal and sensor exchange keys, they establish future connections using the keys, and not the public IP address.
Step 8. It can take up to 10 minutes before a new sensor is reflected in the portal.
NOTE: You can also edit a sensor’s config.local configuration file to manually add a portal’s service key and associate the sensor with the portal. See Appendix C for instructions.
Confirming a sensor’s portal connection
After a sensor is added to the portal, confirm the connection.
NOTE: If the sensor’s config.local configuration file was updated using the portal’s service key, confirming the connection using the curl command from the sensor may not return the portal name.
Log in to the sensor over SSH as an administrator.
Step 1. At the command prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter.
Step 2. The sensor returns the portal name.
Step 3. Log out of the sensor.
Step 4. Log into the portal.
Step 5. Select Settings > Sensor. The sensor appears in the list.
Appendix A: Sensor connectivity issues
The installer needs to connect to the Internet to retrieve up-to-date packages. If you experience connectivity issues during the PNM installation process, for example, a failure to reach the Internet, you may see the following screen:
Double-check that the primary network interface has Internet access (including DNS). You may want to restart the installation once this is in place.
Appendix B: Install PNM on nonpackaged Linux operating systems
In addition to the ISO provided, this virtual appliance can be deployed on the following operating systems:
● Ubuntu Linux version 14.04 (32- and 64-bit)
● Ubuntu Linux versions 16.04 and later (32- and 64-bit)
● Red Hat Enterprise Linux (RHEL) version 6 and compatible, including CentOS version 6* and Amazon Linux for EC2 (32- and 64-bit)
● Red Hat Enterprise Linux (RHEL) version 7 and compatible, including CentOS version 7 (64-bit)
● Raspberry Pi 2 Model B with Raspbian (32-bit armhf)
● Docker, tested with CoreOS (64-bit)
Installation on RHEL 7
Log into the RHEL 7 system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_7_x86_64.rpm and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter sudo yum install -y net-tools tcpdump and press Enter to install dependencies.
Step 3. Enter sudo yum updateinfo && sudo yum install -y libpcap libtool-ltdl lzo
Step 4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm
Step 5. Enter sudo rpm -i netsa-pkg.rpm
Step 6. Enter sudo rpm -i ona-service_RHEL_7_x86_64.rpm and press Enter to install the Stealthwatch Cloud service.
Installation on RHEL 6
NOTE: RHEL 6 does not include Python 2.7. Additional repositories must be added to install Python.
Log into the RHEL 6 system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_RHEL_6_x86_64.rpm and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter curl -L -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm and press Enter to download the EPEL repository package.
Step 3. There are two options:
a. Enter curl -L -O https://rhel6.iuscommunity.org/ius-release.rpm and press Enter to download the IUS repository package for RHEL.
b. Enter curl -L -O https://centos6.iuscommunity.org/ius-release.rpm and press Enter to download the IUS repository package for CentOS.
Step 4. There are two options:
a. To install the IUS repository package for RHEL, enter sudo rpm -i epel-release-latest-6.noarch.rpm
b. To install the IUS repository package for CentOS, enter sudo rpm -i ius-release.rpm
Step 5. To install Python 2.7, enter: sudo yum install python27 tcpdump and press Enter.
Step 6. Enter sudo yum updateinfo && yum install -y libpcap libtool-ltdl lzo
Step 7. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.rpm
Step 8. Enter sudo rpm -i netsa-pkg.rpm
Step 9. Enter sudo rpm -i ona-service_RHEL_6_x86_64.rpm and press Enter to install the Stealthwatch Cloud service.
Installation on Ubuntu with NetFlow collection
Log into the Ubuntu system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.
Step 3. Enter sudo apt-get update && sudo apt-get install -y libglib2.0-0 liblzo2-2 libltdl7
Step 4. Enter curl -L -O https://github.com/bbayles/netsa-pkg/releases/download/v0.1.15/netsa-pkg.deb
Step 5. Enter sudo dpkg -i netsa-pkg.deb
Step 6. Enter sudo apt-get -f install to verify that the dependencies installed properly.
Step 7. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the Stealthwatch Cloud service.
Step 8. Reboot the machine by entering sudo reboot
Step 9. Confirm that the services are running. See Appendix E for Stealthwatch Cloud services.
Installation on Ubuntu without NetFlow collection
Log into the Ubuntu system as an administrator.
Step 1. At the command prompt, enter curl -L -O https://s3.amazonaws.com/onstatic/ona-service/master/ona-service_UbuntuXenial_amd64.deb and press Enter to download the Stealthwatch Cloud package.
Step 2. Enter sudo apt-get install -y net-tools tcpdump and press Enter to install dependencies.
Step 3. Enter sudo apt-get -f install to verify that the dependencies installed properly.
Step 4. Enter sudo dpkg -i ona-service_UbuntuXenial_amd64.deb and press Enter to install the Stealthwatch Cloud service.
Appendix C: Adding a portal’s service key to a sensor
Edit a sensor’s config.local configuration file to manually add a portal’s service key to associate the sensor with the portal.
Before you begin, log into the portal as an administrator.
Step 1. Select Settings > Sensors.
Step 2. Navigate to the end of the sensor list, and copy the service key. See the following screenshot for an example.
Step 3. SSH login to the sensor as an administrator.
Step 4. At the command prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter to edit the configuration file.
Step 5. Beneath the line # Service Key, add the following line, replacing <service-key> with the portal's service key:
OBSRVBL_SERVICE_KEY="<service-key>"
See the following for an example.
Step 6. Press Ctrl + O to save the changes.
Step 7. Press Ctrl + x to exit.
Step 8. At the command prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud service.
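The edit in Steps 4 through 8 can also be scripted so that rerunning it never leaves two OBSRVBL_SERVICE_KEY lines behind. The following is an added example, not Cisco's own tooling: the file path and the "# Service Key" marker come from the steps above, while the restriction on which characters a key may contain is an assumption.

```python
"""Set a portal's service key in a sensor's config.local (Appendix C), idempotently.
Added example, not Cisco's own tooling: the path and the "# Service Key" marker
come from Appendix C; the character check on the key is an assumption."""
import re

CONFIG_PATH = "/opt/obsrvbl-ona/config.local"  # file edited in Appendix C, Step 4
MARKER = "# Service Key"                        # comment the key goes beneath (Step 5)
KEY_LINE = re.compile(r'^\s*OBSRVBL_SERVICE_KEY\s*=')

def set_service_key(config_text, service_key):
    """Return config.local text with OBSRVBL_SERVICE_KEY="<key>" defined exactly once.

    config.local is read as shell-style KEY="value" lines, so the key is limited
    to characters that cannot close the quotes or start another statement.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", service_key):
        raise ValueError("service key contains characters not allowed in config.local")
    new_line = 'OBSRVBL_SERVICE_KEY="%s"' % service_key
    out, replaced = [], False
    for line in config_text.splitlines():
        if KEY_LINE.match(line):
            if not replaced:      # rewrite the first definition in place ...
                out.append(new_line)
                replaced = True
            continue              # ... and drop duplicates (the last one would win)
        out.append(line)
    if not replaced:
        for i, line in enumerate(out):
            if line.strip() == MARKER:
                out.insert(i + 1, new_line)  # beneath "# Service Key", as in Step 5
                break
        else:                     # no marker present: append marker plus key
            out.extend([MARKER, new_line])
    return "\n".join(out) + "\n"

def update_config_file(service_key, path=CONFIG_PATH):
    """Rewrite config.local on disk; restart obsrvbl-ona afterwards (Step 8)."""
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(set_service_key(text, service_key))

# Constructed sample: the marker is present but no key has been added yet.
SAMPLE_CONFIG = "# Other settings\nEXAMPLE_SETTING=1\n\n# Service Key\n\n"
```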
Appendix D: Configuring the PNM firewall (iptables)
Editing iptables
The Stealthwatch Cloud ISO image uses a built-in Ubuntu firewall service called iptables. During the install process, ports 22/TCP (SSH), 9995/UDP, and ICMP are open. You can open other ports by configuring the iptables rules. For example, if you also want to collect IPFIX, you can configure the iptables rules to open port 9996/UDP.
Before you begin, SSH log into the sensor as an administrator.
Step 1. At the command prompt, enter sudo nano /etc/iptables/rules.v4 and press Enter to modify the iptables rules.
Step 2. For each port you want to enable, add the following line, updating the --dport value with the desired port.
-A INPUT -p udp --dport 9996 -m state --state NEW,ESTABLISHED -j ACCEPT
The screenshot below shows the open ports: 9995/UDP, 9996/UDP, and 9997/UDP.
Step 3. Press Ctrl + O to save your changes.
Step 4. Press Ctrl + x to exit.
Step 5. Reboot the machine to have the new rules go into effect.
Checking firewall configuration
After you make changes and restart the Stealthwatch Cloud service, you can verify that the rules are working. SSH log into the sensor as an administrator.
Step 1. At the command prompt, enter sudo iptables -L -v and press Enter to list the iptables rules together with their packet counters.
Step 2. See the following screenshot for an example of traffic over port 9997/UDP and SSH traffic.
Appendix E: Stealthwatch Cloud sensor services
Service | Enabled by default | Description
obsrvbl-ona | yes | Monitors for configuration changes and handles automatic updates. Starting this service also starts the other configured services
log-watcher | yes | Tracks the sensor's authentication logs
pdns-capturer | yes | Collects passive DNS queries
pna-monitor | yes | Collects IP traffic metadata
pna-pusher | yes | Sends IP traffic metadata to the cloud
hostname-resolver | yes | Resolves active IP addresses to local hostnames
netflow-monitor | no | Listens for NetFlow data sent by routers and switches
netflow-pusher | | Sends NetFlow data to the cloud
notification-publisher | no | Relays observations and alerts over syslog or SNMP
ossec-alert-watcher | no | Monitors OSSEC alerts, if installed
suricata-alert-watcher | no | Monitors Suricata alerts, if installed
Verifying running services
You can verify that the various Stealthwatch Cloud services are running from the sensor command line. Before you begin, SSH into the sensor and log in as an administrator.
At the command prompt, enter ps -ef | grep obsrvbl and press Enter.
Appendix F: NetFlow integration templates
You can add the following lines to the config.local configuration file to enable collection of that flow type or from that network appliance type. Note that new sources added to the PNM will need to have their ports opened in the sensor firewall. See Appendix D for details.
# NetFlow v5 exporter
OBSRVBL_IPFIX_PROBE_0_TYPE="netflow-v5"
OBSRVBL_IPFIX_PROBE_0_PORT="2055"
# Standard NetFlow v9 exporter
OBSRVBL_IPFIX_PROBE_1_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_1_PORT="9995"
# IPFIX exporter
OBSRVBL_IPFIX_PROBE_2_TYPE="ipfix"
OBSRVBL_IPFIX_PROBE_2_PORT="9996"
# Cisco ASA exporter
OBSRVBL_IPFIX_PROBE_3_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_3_PORT="9997"
OBSRVBL_IPFIX_PROBE_3_SOURCE="asa"
# Meraki exporter
OBSRVBL_IPFIX_PROBE_4_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_4_PORT="9998"
OBSRVBL_IPFIX_PROBE_4_SOURCE="meraki"
# SonicWALL exporter
OBSRVBL_IPFIX_PROBE_5_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_5_PORT="9999"
OBSRVBL_IPFIX_PROBE_5_SOURCE="sonicwall"
# sFlow exporter
OBSRVBL_IPFIX_PROBE_6_TYPE="sflow"
OBSRVBL_IPFIX_PROBE_6_PORT="6343"
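Because each probe added here only works once its port is also accepted in /etc/iptables/rules.v4 (Appendix D), a quick consistency check catches the common mistake of a collector that listens while the firewall silently drops the exporter. The following is an added example serving Appendix D and Appendix F, not Cisco's own tooling; the sample config.local lines and firewall rules it checks are constructed.

```python
"""Check that every NetFlow/IPFIX probe in config.local (Appendix F) has a UDP
ACCEPT rule in /etc/iptables/rules.v4 (Appendix D). Added example, not Cisco's
own tooling; the sample config and firewall rules below are constructed."""
import re

# OBSRVBL_IPFIX_PROBE_<n>_<FIELD>="value"; a missing closing quote is tolerated.
PROBE_RE = re.compile(r'^OBSRVBL_IPFIX_PROBE_(\d+)_(TYPE|PORT|SOURCE)="?([^"\s]*)"?\s*$')
KNOWN_TYPES = {"netflow-v5", "netflow-v9", "ipfix", "sflow"}  # types used in Appendix F
UDP_ACCEPT_RE = re.compile(r'^-A INPUT\b.*\s-p udp\b.*--dport (\d+)\b.*-j ACCEPT\s*$')

def parse_probes(config_text):
    """Map probe index -> {"TYPE": ..., "PORT": ..., "SOURCE": ...} from config.local."""
    probes = {}
    for m in filter(None, map(PROBE_RE.match, map(str.strip, config_text.splitlines()))):
        idx, field, value = m.groups()
        probes.setdefault(int(idx), {})[field] = value
    return probes

def accepted_udp_ports(rules_text):
    """Set of UDP destination ports that rules.v4 accepts on the INPUT chain."""
    return {int(m.group(1)) for m in map(UDP_ACCEPT_RE.match, rules_text.splitlines()) if m}

def audit(config_text, rules_text):
    """Return a list of problems; empty means every probe is valid and reachable."""
    problems, seen = [], {}
    open_ports = accepted_udp_ports(rules_text)
    for idx, f in sorted(parse_probes(config_text).items()):
        ptype, port = f.get("TYPE"), f.get("PORT")
        if ptype not in KNOWN_TYPES:
            problems.append("probe %d: unknown or missing TYPE %r" % (idx, ptype))
        if not (port and port.isdigit() and 0 < int(port) < 65536):
            problems.append("probe %d: invalid or missing PORT %r" % (idx, port))
            continue
        port = int(port)
        if port in seen:
            problems.append("probe %d: PORT %d already used by probe %d" % (idx, port, seen[port]))
        seen[port] = idx
        if port not in open_ports:  # collector would listen, but the firewall drops the exporter
            problems.append("probe %d: %d/UDP has no ACCEPT rule in rules.v4" % (idx, port))
    return problems

# Constructed samples: two Appendix F probes against a firewall that opens only 9995 and 9996.
SAMPLE_CONFIG = """OBSRVBL_IPFIX_PROBE_2_TYPE="ipfix"
OBSRVBL_IPFIX_PROBE_2_PORT="9996"
OBSRVBL_IPFIX_PROBE_3_TYPE="netflow-v9"
OBSRVBL_IPFIX_PROBE_3_PORT="9997"
OBSRVBL_IPFIX_PROBE_3_SOURCE="asa"
"""
SAMPLE_RULES = """-A INPUT -p udp --dport 9995 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 9996 -m state --state NEW,ESTABLISHED -j ACCEPT
"""
```

On a sensor, read the two files from /opt/obsrvbl-ona/config.local and /etc/iptables/rules.v4 and pass their contents to audit(); any line it returns names a probe that will not receive flows until the matching rule is added and the sensor rebooted.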
If you have further questions, refer to the following additional resources:
● Cisco Stealthwatch Cloud:
https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html
Switch configuration documentation
● Cisco documentation:
https://www.cisco.com/c/en/us/tech/lan-switching/port-monitoring/tech-configuration-examples-list.html
● Juniper documentation (you may need to search for your particular switch model):
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
● Netgear support page (the Software Administration Manual for your particular model should include a section on port mirroring):
https://kb.netgear.com/21850/What-is-port-mirroring-and-how-does-it-work-with-my-managed-switch
● For more examples, see the Wireshark Switch Reference page:
https://wiki.wireshark.org/SwitchReference
For a complete list of all of our design and deployment guides for the Cisco Multicloud Portfolio, including Cloud Protect, visit https://www.cisco.com/go/clouddesignguides.
About Cisco design and deployment guides
Cisco design and deployment guides consist of systems and/or solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit: https://www.cisco.com/go/designzone.
© 2018 Cisco Systems, Inc. All rights reserved.