000029464 - Configuring RSA Security Analytics to work with NAT addresses

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Aug 27, 2018.


Article Number: 000029464
Applies To: RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS 6

Issue: Provisioning devices that reach the SA Server through a NAT IP does not work, because the NAT address conflicts with proper puppet operation.
Resolution

Summary: DNAT rules must be added to the OUTPUT chain of the iptables nat table, and puppetmaster.local must resolve to the SA Server's NATed address on the Remote VLC.

In the following steps, we assume the following:
SA_INTERFACE_IP = the actual interface IP of the SA Server
SA_NAT_IP = the translated IP of the SA Server (if outbound NAT is done for the SA Server)
DEVICE_INTERFACE_IP = the actual interface IP of the SA Device (VLC, Log Decoder, etc.)
DEVICE_NAT_IP = the translated IP of the SA Device (VLC, Log Decoder, etc.), if outbound NAT is done for the SA Device
SERVICE_PORT = the SDK port number that appears when provisioning the device in the SA GUI. For example, 50001 for Remote Log Collector without SSL and 56001

Terminology Note:
In Security Analytics 10.4.x, appliances and VMs are known as Devices.
In Security Analytics 10.5.x and later (e.g. NetWitness 10.6.x), appliances and Virtual Machines (VMs) are known as Hosts.



Modifications on the SA Server


1) Replace the <%=@sa_server %> reference with puppetmaster.local in the following files:
For Security Analytics 10.4.x only (on other versions ignore this file):

/etc/puppet/modules/yumconfig/templates/rsa.erb

For all versions:


/etc/puppet/modules/mcollective/templates/server.erb
/etc/puppet/modules/mcollective-client/templates/client.erb


Apply the puppet recipe changes:

# puppet agent -t
# service mcollective restart

Note: At this stage `puppet agent -t` is unlikely to work on the NATed host, so applying the puppet recipe changes is not necessary.

2) puppetmaster.local should resolve to 127.0.0.1.
You can confirm this by running the command:

# ping -nc 1 puppetmaster.local

Example Output:


PING SASERVER (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.050 ms

--- SASERVER ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms

 
3) Modify the iptables firewall on the SA Server as follows:

# service iptables save
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
# iptables -t nat -A OUTPUT -p tcp -d DEVICE_INTERFACE_IP --dport 5671 -j DNAT --to-destination DEVICE_NAT_IP:5671
# iptables -t nat -A OUTPUT -p tcp -d DEVICE_INTERFACE_IP --dport SERVICE_PORT -j DNAT --to-destination DEVICE_NAT_IP:SERVICE_PORT


Test the new rules:

# curl -v DEVICE_INTERFACE_IP:5671
# curl -v DEVICE_INTERFACE_IP:SERVICE_PORT


If the curl commands report "Connected", the rules are working. Commit the changes to the firewall config:

# service iptables save

 

Modifications on other Devices/Hosts


1) Modify the hosts file (/etc/hosts) on the NATed SA Device/Host so that puppetmaster.local resolves to the SA Server's NAT IP (SA_NAT_IP) instead of its interface IP.
2) Modify the iptables firewall on the SA Device/Host as follows:

# service iptables save
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
# iptables -t nat -A OUTPUT -p tcp -d SA_INTERFACE_IP --dport 61614 -j DNAT --to-destination SA_NAT_IP:61614


Test the new rule:

# curl -v SA_INTERFACE_IP:61614


If the curl command reports "Connected", the rule is working. Commit the changes to the firewall config:

# service iptables save
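The DNAT rules added on the SA Server and on the Device/Host in the two procedures above are easy to get subtly wrong (a rule missing for one port, or a rule that translates the address but not the port). The following is an added example, not part of the RSA article: a small POSIX shell check that reads an iptables-save dump and confirms, for each required port, that an OUTPUT-chain DNAT rule maps INTERFACE_IP:PORT to NAT_IP:PORT. The sample dump it runs on is constructed for the example; the rule layout assumed is the one written by iptables-save, as in the article's captures.

```bash
#!/bin/sh
# Added example (not from the RSA article): verify that an iptables-save dump
# holds the OUTPUT-chain DNAT rules the procedure needs, one per port, and that
# each rule keeps the same port on the translated address.

# check_nat_rules DUMP_FILE INTERFACE_IP NAT_IP PORT...
# Prints "ok PORT", "missing PORT" or "mismatch PORT -> TARGET" per port.
# Returns 0 only if every port is mapped to NAT_IP:PORT.
check_nat_rules() {
    dump=$1; iface_ip=$2; nat_ip=$3; shift 3
    status=0
    for port in "$@"; do
        target=$(awk -v ip="$iface_ip" -v p="$port" '
            /^\*/ { table = $1 }              # track *nat / *filter sections
            table == "*nat" && $1 == "-A" && $2 == "OUTPUT" {
                dst = ""; dport = ""; to = ""
                for (i = 1; i <= NF; i++) {
                    if ($i == "-d") dst = $(i + 1)
                    else if ($i == "--dport") dport = $(i + 1)
                    else if ($i == "--to-destination") to = $(i + 1)
                }
                if ((dst == ip || dst == ip "/32") && dport == p) print to
            }' "$dump" | head -n 1)
        if [ -z "$target" ]; then
            echo "missing $port"; status=1
        elif [ "$target" != "$nat_ip:$port" ]; then
            echo "mismatch $port -> $target"; status=1
        else
            echo "ok $port"
        fi
    done
    return $status
}

# Constructed sample dump (not a capture from the article): 5671 is correct,
# 56001 is translated to the wrong port, and 56006 has no rule at all.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.15:5671
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.15:5671
COMMIT
*filter
-A INPUT -p tcp -m multiport --ports 56006 -j ACCEPT
COMMIT
EOF

check_nat_rules "$SAMPLE_DUMP" 172.18.0.105 172.16.0.15 5671 56001 56006 \
    || echo "one or more NAT rules need attention"
```

On a live system, run it against the saved config (`/etc/sysconfig/iptables`) or the output of `iptables-save` with the real DEVICE_INTERFACE_IP, DEVICE_NAT_IP and SERVICE_PORT values.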



Now the SA Device/Host should be discovered in the SA Web UI:
In 10.4.x this is Administration -> Appliances
In 10.5.x and later this is Administration -> Hosts

If you need assistance with any of these steps please contact RSA Support.

Notes

Worked Example


Taken from an RSA test environment.

Server                          Real IP Address   Public (NAT) IP Address
SA Server (puppetmaster.local)  192.168.123.3     172.16.0.3
Remote Log Collector (rvlc1)    172.18.0.105      172.16.0.15
Local Log Collector* (logdec1)  192.168.123.4     172.16.0.4


* Note: Local Log Collector here means a Log Decoder appliance in the same subnet as the SA Server, which also includes a log collector service.




SA Server 


In /etc/hosts, puppetmaster.local points to 127.0.0.1 (IPv4 loopback address).


# cat /etc/hosts
# Created by NetWitness Installer on Mon Dec 28 23:14:57 UTC 2015
127.0.0.1 SASERVER localhost localhost.localdomain localhost4 localhost4.localdomain4 puppetmaster.local
::1 SASERVER localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.0.15 rvlc1


You can view the NAT rules added to the SA Server's iptables for the Remote Log Collector either with the command:
Note: the Local Log Collector is in the same subnet as the SA Server, so no rule is needed for it.


# iptables -L -nv -t nat

Or by examining the iptables configuration file directly, as in the example below:


# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Feb 23 11:04:55 2015
*nat
:PREROUTING ACCEPT [8:480]
:POSTROUTING ACCEPT [38:2270]
:OUTPUT ACCEPT [38:2270]
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.15:5671
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.15:56001
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56006 -j DNAT --to-destination 172.16.0.15:56006
COMMIT
# Generated by iptables-save v1.4.7 on Fri Sep 12 16:38:25 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 8140 -m comment --comment "1 Puppet Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 443 -m comment --comment "1 SA Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 61614 -m comment --comment "2 STOMP Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 80 -m comment --comment "2 Yum Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.123.27/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 192.168.123.27/32 -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50006 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50106 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 60007 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 51024:51033 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50010 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Sep 12 16:38:25 2014

 

Iptables on Remote VLC behind NAT


In /etc/hosts, puppetmaster.local points to 172.16.0.4


# cat /etc/hosts
# Created by NetWitness Installer on Tue Dec 29 01:38:14 UTC 2015
127.0.0.1 REMOTEVLCNAT  localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 REMOTEVLCNAT  localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.0.3  puppetmaster.local
172.16.0.4  logdec1



Examining the iptables configuration file:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Feb 25 15:56:50 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.3:80
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.3:5671
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 8140 -j DNAT --to-destination 172.16.0.3:8140
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.3:56001
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 61614 -j DNAT --to-destination 172.16.0.3:61614
-A OUTPUT -d 192.168.123.3/32 -p udp -m udp --dport 123 -j DNAT --to-destination 172.16.0.3:123
-A OUTPUT -d 192.168.123.4/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.4:5671
-A OUTPUT -d 192.168.123.4/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.4:56001
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14:1624]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50101 -m comment --comment "2 LogCollector REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56001 -m comment --comment "3 New LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 162 -m comment --comment "4 UDP 162 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 2055 -m comment --comment "4 UDP 2055 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 4739 -m comment --comment "4 UDP 4739 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 6343 -m comment --comment "4 UDP 6343 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 9995 -m comment --comment "4 UDP 9995 Port" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50006 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50106 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 56006 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5671 -j ACCEPT
-A INPUT -p udp -m state --state INVALID -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 56001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50101 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 9995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6343 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4739 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2055 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Sep 10 10:26:28 2014

 

Iptables on Local Log Collector


In /etc/hosts, puppetmaster.local points to 192.168.123.4 (same subnet as the SA Server).


# cat /etc/hosts
# Created by NetWitness Installer on Tue Dec 29 01:38:14 UTC 2015
127.0.0.1 LOGDECODER1  localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 LOGDECODER1  localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.123.3  puppetmaster.local
172.16.0.15 rvlc1



Examining the iptables configuration file (which has the NAT rules referencing the NAT address of the Remote VLC):

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Feb 23 11:04:55 2015
*nat
:PREROUTING ACCEPT [8:480]
:POSTROUTING ACCEPT [38:2270]
:OUTPUT ACCEPT [38:2270]
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.5:5671
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.5:56001
COMMIT
*filter
:INPUT ACCEPT [4:378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:242]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50002 -m comment --comment "1 LogDecoder Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50020 -m comment --comment "1 WarehouseConnector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50101 -m comment --comment "2 LogCollector REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50102 -m comment --comment "2 LogDecoder REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50120 -m comment --comment "2 WarehouseConnector REST Port" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 9995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6343 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4739 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2055 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m state --state INVALID -m udp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5671 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 56001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50101 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56001 -m comment --comment "3 New LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56002 -m comment --comment "3 New LogDecoder Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56020 -m comment --comment "3 New WarehouseConnector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 162 -m comment --comment "4 UDP 162 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 2055 -m comment --comment "4 UDP 2055 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 4739 -m comment --comment "4 UDP 4739 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 6343 -m comment --comment "4 UDP 6343 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 9995 -m comment --comment "4 UDP 9995 Port" -j ACCEPT
COMMIT
# Completed on Mon Feb 23 11:04:55 2015


If the host does not enable, confirm that the proper NATed IP is configured in /etc/puppet/csr_attributes.yaml.

If the concentrator does not establish a connection to the decoder over the local IP for aggregation, add the decoder's local IP via Explore. The local IP may not appear in the list of decoders for aggregation because the NATed IP was configured to establish the connection with the SA Server.

Service > Concentrator > tool icon > View > Explore > right-click Concentrator > Properties > select add in the drop-down list > in Parameters type:

device=<local-IP-of-the-decoder>:<port-of-decoder> username=<service-account-username> password=<service-account-password>

> click the Send button

For example:
device=192.168.0.1:50002 username=admin password=netwitness
or
device=192.168.0.1:56002 username=admin password=netwitness ssl=true
