IPDB: Step 1. Mount the IPDB

Document created by RSA Information Design and Development on Nov 23, 2016
Version 1

This topic describes how to configure the Internet Protocol Database (IPDB) Extractor service to make it available as a data source for the Reporting Engine.

The Internet Protocol Database (IPDB) Extractor service facilitates the use of the RSA enVision IPDB event source database as a data source for the Reporting Engine. Before you can use the IPDB as a Reporting Engine data source, you must mount it to your Security Analytics environment and include the mounting instructions in the /etc/fstab file so that the IPDB is mounted automatically in the future.

In this release, Security Analytics:

  • Supports two IPDB deployment types:
    • On an ES Appliance.
    • On a separate Network Attached Storage (NAS) device.
  • Does not support an IPDB that runs on a Direct Attached Storage (DAS) device.

Note: In an RSA enVision multi-site environment, each site requires a separate IPDB Extractor instance running on a different appliance (virtual or physical) to integrate with that site's IPDB data source.

Mount an IPDB Running on an ES Appliance

You must complete the following tasks to mount an IPDB running on an ES appliance:

  • Task 1 - Log on to the ES Appliance.
  • Task 2 - Create a System User in Active Directory and share the IPDB directory and csd directories.
  • Task 3 - Note the Reporting Engine Broker and configure the firewall.
  • Task 4 - Configure the IPDB and device location file.
  • Task 5 - (Optional) If the IPDB has multiple storage locations, map them.

Note: The examples in these tasks use Microsoft Windows 2003. If you have a different version of Windows, the screens and navigation to these screens may differ.

Task 1 - Log on to the ES Appliance

Log on to the ES Appliance to mount an IPDB that resides on that ES Appliance.

Note: You must use the RSA enVision master account credentials to log on to the ES Appliance.

Task 2 - Create a System User in Active Directory and Share the IPDB and CSD Directories

To create a system user in Active Directory with read-only permission to the IPDB directory:

  1. Go to the Active Directory folder.

  2. Create a new system user in Active Directory.

  3. Share the IPDB directory (for example, e:\nic\lsnode\data):

    The installation program downloads the lockdown.zip file that contains the doit.bat script to the Broker appliance. The doit.bat script gives you the ability to share the IPDB. Sharing exports the folder so that you can access it from Linux in your Security Analytics environment.

    1. Copy lockdown.zip from the /etc/netwitness/ng/envision directory on the Broker to the ES appliance.
    2. Extract all the files from lockdown.zip.
    3. Run the doit.bat script on the ES appliance.
    4. Right-click the IPDB directory (for example, e:\nic\lsnode\data).
    5. Select Read access in the Share Permissions tab to give the new user (for example, ipdbuser@ESIPDB.nic) read access to the IPDB directory.

  4. Share the csd directory (for example, e:\nic\csd):
    1. Right-click the csd directory (for example, e:\nic\csd).
    2. Select Read access in the Share Permissions tab to give the new user (for example, csd) read access to the csd directory.

Task 3 - Note the Reporting Engine Broker and Configure Firewall

To note the IP address of the Broker for subsequent configuration and to configure the firewall:

  1. Write down the IP address of the Broker appliance on which you want to run the Reporting Engine.
  2. Configure the firewall so that the Broker running the Reporting Engine has access to the shared directory on the ES Appliance.

Task 4 - Configure the IPDB and Device Location File

To configure the IPDB and device location file:

  1. Update the /etc/fstab to create the Mount Point for the IPDB:

    1. Run the following command to allow the use of a password file for credentials:
      yum install cifs-utils

      The cifs-utils package installs on the appliance.

    2. Do one of the following to insert the IPDB mount point directory in the /etc/fstab file:

      • If you do not use a credentials file:
        //1.1.1.1/ESIPDB-ES /var/netwitness/ipdbextractor/ipdb/ cifs auto,nouser,noexec,ro,username=username,password=credentials-of-ipdb-user 0 0
      • If you use a credentials file:
        //1.1.1.1/ESIPDB-ES /var/netwitness/ipdbextractor/ipdb/ cifs auto,nouser,noexec,ro,credentials=/root/cred 0 0

      You can create a credentials file to provide the username and password of the IPDB user. The contents of the file would be:

      username=username
      password=password

    3. Do one of the following to insert the csd mount point directory in the /etc/fstab file:

      • If you do not use a credentials file:
        //1.1.1.1/csd /var/netwitness/ipdbextractor/devicelocation cifs auto,nouser,noexec,ro,username=username,password=credentials-of-ipdb-user 0 0
      • If you use a credentials file:
        //1.1.1.1/csd /var/netwitness/ipdbextractor/devicelocation cifs auto,nouser,noexec,ro,credentials=/root/cred 0 0
  2. Run mount -a to mount every entry listed in /etc/fstab.
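The following is an added example, not part of the RSA documentation: a small POSIX shell helper that writes the credentials file with root-only permissions, generates the /etc/fstab lines used in Task 4 (including the optional prefixpath= form that the NAS variant of this procedure uses), and checks that each generated line has the six whitespace-separated fields that fstab requires. The function names are my own; the share, mount point and credentials path values are the page's examples.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): build and sanity-check the CIFS
# /etc/fstab entries and credentials file described in Task 4.
# Assumption: the share, mount point and credentials path are the page's
# example values; run it as root on the Broker and review the printed lines
# before appending them to /etc/fstab.

# Write a mount.cifs credentials file readable by root only (mode 0600), so
# the IPDB user's password does not sit in /etc/fstab, which is normally
# readable by every local user.
write_cifs_credentials() {
    file=$1; user=$2; pass=$3
    old_umask=$(umask)
    umask 077
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
    umask "$old_umask"
    chmod 600 "$file"   # also fixes an existing file created with wider permissions
}

# Print one fstab line. fstab fields are whitespace-separated, so the option
# list must not contain spaces: "ro, username=..." would be split into extra
# fields and mount -a would reject the entry.
fstab_cifs_entry() {
    share=$1; mountpoint=$2; credfile=$3; prefixpath=$4
    opts="auto,nouser,noexec,ro"
    if [ -n "$prefixpath" ]; then
        opts="$opts,prefixpath=$prefixpath"
    fi
    opts="$opts,credentials=$credfile"
    printf '%s %s cifs %s 0 0\n' "$share" "$mountpoint" "$opts"
}

# Print the number of whitespace-separated fields in a line; a valid fstab
# entry has exactly 6.
fstab_field_count() {
    set -- $1
    echo $#
}

# Return 0 when the credentials file is owner-read/write only (-rw-------).
creds_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Usage: print the two entries from Task 4 (IPDB share and csd share).
fstab_cifs_entry //1.1.1.1/ESIPDB-ES /var/netwitness/ipdbextractor/ipdb/ /root/cred
fstab_cifs_entry //1.1.1.1/csd /var/netwitness/ipdbextractor/devicelocation /root/cred
```

The field-count check catches the mistake of putting a space after a comma in the options column, which silently turns one entry into eight fields and makes mount -a fail; the credentials file keeps the password out of /etc/fstab and is created under umask 077 so it is never world-readable, even briefly.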

Task 5 - (Optional) Map Multiple Storage Locations for an IPDB with Multiple Storage Locations

To map storage locations for an IPDB with multiple storage locations:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select an IPDB Extractor service.
  3. In the toolbar, select View > Explore.

    Security Analytics displays the IPDB Extractor parameter folder tree.

  4. Right-click /ipdbextractor/config/storage.mapping in the parameter folder tree.
  5. Enter e:\nic\lsnode~storage1,d:\seclocation~storage2 for the value.

  6. Restart the IPDB Extractor service.
  7. On the Broker appliance, create storage1 and storage2 directories in the ES directory. In addition, you need to change the mount points in the /etc/fstab to reflect the multiple storage directories. For example:

    //1.1.1.1/storage1  /var/netwitness/ipdbextractor/ipdb/storage1 cifs auto,nouser,noexec,ro,credentials=/root/creds 0 0

    //1.1.1.1/storage2 /var/netwitness/ipdbextractor/ipdb/storage2 cifs auto,nouser,noexec,ro,credentials=/root/creds 0 0

Note: In this example, storage1 is the share name given to e:\nic\lsnode\data on an ES appliance with an IP address of 1.1.1.1. Similarly, storage2 is the share name given to d:\alternate-storage\data on the same appliance. In addition, when you have multiple storage locations, the mapped storage locations on a Broker appliance become their respective node names on the ES or the NAS (that is, storage1 and storage2 are created in the /var/netwitness/ipdbextractor/ipdb/ directory on the Broker appliance).

Mount an IPDB Running on a Network Attached Storage Device

You must complete the following tasks to mount an IPDB running on a NAS:

  • Task 1 - Create an IPDB and csd read-only user.
  • Task 2 - Physically connect to the NAS.
  • Task 3 - Configure the IPDB and device location file.
  • Task 4 - (Optional) If the IPDB has multiple storage locations, map them.

Task 1 - Create an IPDB and CSD Read-Only User

Access the NAS Administrative controller and create a read-only user to the IPDB and the csd directories on the NAS.

Task 2 - Physically Connect to the NAS

Physically connect the NAS to the Broker Appliance running the Reporting Engine through a private switch. You must assign an IP address to the Ethernet port to which you attach the NAS (for example, 10.203.2.x where x is greater than 60).

Task 3 - Configure the IPDB and Device Location File

Both the IPDB and the device location file reside on a Network Attached Storage (NAS) device in an LS appliance deployment. The device location file (.dir) resides on vol0 share and the IPDB resides in vol1/vol2/vol3 depending on how you set up the IPDB for your environment.

To configure the IPDB and Device Location File:

  1. Update the /etc/fstab to create the mount point for the IPDB:

    1. Run the following command to allow the use of a password file for credentials:
      yum install cifs-utils

      The cifs-utils package installs on the appliance.

    2. Do one of the following to insert the IPDB mount point directory in the /etc/fstab file:

      • If you do not use a credentials file:

        //1.1.1.1/vol1 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1/ cifs auto,nouser,noexec,ro,prefixpath=/nic/lsnode/LSIPDB-LC1/data/LSIPDB-LC1,username=username,password=credentials-of-ipdb-user 0 0

      • If you use a credentials file:

        //1.1.1.1/vol1 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1/ cifs auto,nouser,noexec,ro,prefixpath=/nic/lsnode/LSIPDB-LC1/data/LSIPDB-LC1,credentials=/root/cred 0 0

        You can create a credentials file to provide the username and password of the IPDB user. The contents of the file would be:

        username=username
        password=password

        To verify that the IPDB mounted properly, make sure that the /var/netwitness/ipdbextractor/ipdb directory contains the NODENAME followed by the various device types.

      • If you have multiple LCs:

        //1.1.1.1/LSIPDB-LC1 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1 cifs auto,nouser,noexec,ro,username=username,password=credentials-of-ipdb-user 0 0

        //1.1.1.1/LSIPDB-LC2 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC2 cifs auto,nouser,noexec,ro,username=username,password=credentials-of-ipdb-user 0 0

    3. Do one of the following to insert the csd mount point directory in the /etc/fstab file:
      • If you do not use a credentials file:

        //1.1.1.1/vol0 /var/netwitness/ipdbextractor/devicelocation cifs auto,nouser,noexec,ro,prefixpath=/nic/csd,username=username,password=credentials-of-ipdb-user 0 0

      • If you use a credentials file:

        //1.1.1.1/vol0 /var/netwitness/ipdbextractor/devicelocation cifs auto,nouser,noexec,ro,prefixpath=/nic/csd,credentials=/root/cred 0 0

        To verify that the device location file mounted properly, make sure that the /var/netwitness/ipdbextractor/devicelocation/global/local directory contains the device location file.

  2. Run mount -a to mount every entry listed in /etc/fstab.
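The page verifies the mounts by looking at directory contents; as an added example (not RSA's own tooling), the shell functions below also confirm from the kernel's mount table that each expected mount point is mounted as cifs and actually carries the ro and noexec options the fstab entries request. The mount table shown is constructed (one correctly hardened IPDB mount and one device-location mount that was mounted read-write) so the check runs offline; on the Broker you would pass the contents of /proc/mounts instead. The function names are my own.

```shell
#!/bin/sh
# Added example: verify the IPDB and device-location CIFS mounts after mount -a.
# The mount table below is a constructed sample in /proc/mounts format
# (fields: source, mount point, fstype, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
//1.1.1.1/vol1 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1 cifs ro,relatime,noexec,vers=1.0,prefixpath=nic/lsnode/LSIPDB-LC1/data/LSIPDB-LC1,addr=1.1.1.1 0 0
//1.1.1.1/vol0 /var/netwitness/ipdbextractor/devicelocation cifs rw,relatime,prefixpath=nic/csd,addr=1.1.1.1 0 0'

# Print the option field for MOUNTPOINT if it is mounted as cifs; print
# nothing otherwise. /proc/mounts lists mount points without a trailing
# slash, so pass the path in that form.
cifs_mount_options() {
    mounts=$1; mountpoint=$2
    printf '%s\n' "$mounts" | awk -v mp="$mountpoint" '$2 == mp && $3 == "cifs" { print $4 }'
}

# Return 0 when OPT appears as a whole comma-separated token in OPTIONS
# (so "ro" does not match "errors=..." or "noexec" match "exec").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when MOUNTPOINT is a cifs mount with both ro and noexec in effect.
mount_is_hardened() {
    opts=$(cifs_mount_options "$1" "$2")
    [ -n "$opts" ] && has_option "$opts" ro && has_option "$opts" noexec
}

# Report one line per expected mount point; exit status 1 if any check fails.
check_ipdb_mounts() {
    mounts=$1; shift
    rc=0
    for mp in "$@"; do
        if mount_is_hardened "$mounts" "$mp"; then
            echo "OK   $mp"
        else
            echo "FAIL $mp (not mounted as cifs, or missing ro/noexec)"
            rc=1
        fi
    done
    return $rc
}

# Usage on the Broker (reads the live table):
#   check_ipdb_mounts "$(cat /proc/mounts)" \
#       /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1 \
#       /var/netwitness/ipdbextractor/devicelocation
check_ipdb_mounts "$SAMPLE_MOUNTS" \
    /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1 \
    /var/netwitness/ipdbextractor/devicelocation
```

Checking the effective options rather than /etc/fstab matters because a mount that exists but was mounted read-write (as the sample device-location entry is) would let a compromised Broker process alter the enVision event data the Reporting Engine reads; the check reports that case as FAIL.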

Task 4 - (Optional) Map Multiple Storage Locations for an IPDB with Multiple Storage Locations

To map storage locations for an IPDB with multiple storage locations:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select an IPDB Extractor service.
  3. In the toolbar, select View > Config.

    Security Analytics displays the IPDB Extractor General configuration parameters tab.

  4. Under IPDB Extractor Configuration, in the Mapping of storage location to mount point parameter, enter \\1.1.1.1\vol1\nic\lsnode\LSIPDB-LC1~storage1,\\1.1.1.1\vol2\nic\lsnode\LSIPDB-LC1~storage2 for the configuration value.
  5. Restart the IPDB Extractor service.
  6. On the Broker appliance, create storage1 and storage2 directories in the LSIPDB-LC1 directory. In addition, you need to change the mount points in the /etc/fstab to reflect the multiple storage directories. For example:

    //1.1.1.1/vol1 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1/storage1 cifs auto,nouser,noexec,ro,prefixpath=/nic/lsnode/LSIPDB-LC1/data/LSIPDB-LC1,credentials=/root/cred 0 0

    //1.1.1.1/vol2 /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1/storage2 cifs auto,nouser,noexec,ro,prefixpath=/nic/lsnode/LSIPDB-LC1/data/LSIPDB-LC1,credentials=/root/cred 0 0

Note: In this example, storage1 is the share name given to \\1.1.1.1\vol1\nic\lsnode\LSIPDB-LC1 on a NAS with an IP address of 1.1.1.1. Similarly, storage2 is the share name given to \\1.1.1.1\vol2\nic\lsnode\LSIPDB-LC1 on the same device. In addition, when you have multiple storage locations, the mapped storage locations on a Broker appliance become their respective node names on the NAS (that is, storage1 and storage2 are created in the /var/netwitness/ipdbextractor/ipdb/LSIPDB-LC1 directory on the Broker appliance).
