Integrate Ixia with the Packet Decoder

Document created by RSA Information Design and Development on Aug 30, 2017. Last modified by David O'Malley on Sep 5, 2017.
Version 2

You must complete the following tasks to integrate the Security Analytics Decoder with Ixia CloudLens.

Task 1. Deploy Client Machines

Task 2. Create CloudLens Project

Task 3. Install Docker Container on Decoder

Task 4. Install Docker Container on Clients

Task 5. Map Packet Decoder to Ixia Clients

Task 6. Validate CloudLens Packets Arriving at Decoder

Task 7. Set Interface in Packet Decoder

Task 1. Deploy Client Machines

Task 2. Create CloudLens Project

Complete the following steps to create a new project and get your project key.

  1. Get Cloudlens login credentials and access to a sandbox.
    1. Create an Ixia login account at https://login.ixiacom.com/.
    2. Send your Ixia login account email to cloudlens@ixiacom.com so Ixia can provide you with access to the Sandbox.
  2. Go to the Cloudlens public site (https://www.ixia-sandbox.cloud/).
  3. Click + (add) to create a new project with a name of your choosing (for example, Netwitness-IxiaIntegration).
  4. Click on your newly created project and make note of your Project Key.
    You need the key later for the API key configured on the Host & Tool agents.

Task 3. Install Docker Container on Decoder

Complete the following steps to install the Docker container onto the Security Analytics Decoder.

  1. SSH to the Packet Decoder.
  2. Enter the following command to install the Docker RPM onto the Decoder.
    # rpm -iUvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  3. Edit the /etc/yum.repos.d/CentOS-Base.repos file to enable the required repositories by changing enable = 0 to enable = 1 for all repos.
  4. Enter the following commands to complete the install of the Docker service on the Decoder.
    # yum clean all
    # yum -y install docker-io
  5. Enter the following command to start the Docker service.
    # service docker start
  6. Enter the following command to:
    • Access the Ixia repository and obtain the cloudlens-sandbox-agent container.
    • Replace the ProjectKeyFromIxiaProjectPortal variable, which identifies your project key in the Ixia portal, with the Project Key you created in Task 2. Create CloudLens Project.

      docker run --name ca \
      -v /:/host \
      -d --restart=always \
      --net=host \
      --privileged \
      ixiacom/cloudlens-sandbox-agent \
      --server agent.ixia-sandbox.cloud \
      --accept_eula y \
      --apikey ProjectKeyFromIxiaProjectPortal

Task 4. Install Docker Container on Clients

Complete the following steps to install the Docker container onto the client machines whose traffic you want to route to the Security Analytics Decoder.

  1. SSH to the AWS Client instance.
  2. Enable root access to the OS CLI (for example, sudo su -).
  3. Enter the following command to install Docker.
    # yum -y install docker

    Caution: You must enable the required repository to install the Docker RPM on the AWS Client instance.

  4. Enter the following command to start the Docker service.
    # service docker start
  5. Enter the following command to:
    • Access the Ixia repository and obtain the cloudlens-sandbox-agent container.
    • Replace the ProjectKeyFromIxiaProjectPortal variable, which identifies your project key in the Ixia portal, with the Project Key you created in the previous section.
      docker run --name ca \
      -v /:/host \
      -d --restart=always \
      --net=host \
      --privileged \
      ixiacom/cloudlens-sandbox-agent \
      --server agent.ixia-sandbox.cloud \
      --accept_eula y \
      --apikey ProjectKeyFromIxiaProjectPortal

Warning: If you cut and paste commands from a PDF, first paste them into a text editor such as Notepad to confirm the syntax before pasting into the OS CLI. Direct cut and paste between a PDF and the CLI can introduce dashes or other special characters that should not be part of the commands.
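The check that warning describes, as an added bash example (not from the RSA or Ixia documentation): it flags any non-ASCII byte in a file of pasted commands and prints a normalised version of each flagged line. The sample command file is constructed; the only real-world dependency is GNU or BSD grep/sed.

```shell
#!/bin/bash
# Added example, not part of the RSA/Ixia documentation: pre-flight check for
# commands copied out of a PDF. PDF copy/paste typically turns "-y" into an
# en dash ("–y"), which yum does not accept as an option.

# has_non_ascii LINE
# Succeeds when LINE contains a byte outside printable ASCII (0x20-0x7E):
# typographic dashes, curly quotes, non-breaking spaces, also tabs.
has_non_ascii() {
  printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# normalize_pasted LINE
# Prints LINE with the common PDF substitutions undone: en/em dash -> "-",
# curly single/double quotes -> straight quotes. Anything else non-ASCII is
# left untouched so it stays visible to whoever reviews the line.
normalize_pasted() {
  printf '%s\n' "$1" | sed \
    -e 's/–/-/g' -e 's/—/-/g' \
    -e "s/‘/'/g" -e "s/’/'/g" \
    -e 's/“/"/g' -e 's/”/"/g'
}

# check_pasted_commands FILE
# Reports every line of FILE that carries non-ASCII bytes, with a normalised
# suggestion. Returns 1 if anything was flagged, 0 if the file is clean.
check_pasted_commands() {
  local rc=0 n=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if has_non_ascii "$line"; then
      rc=1
      printf 'line %d: non-ASCII bytes found\n  pasted:    %s\n  suggested: %s\n' \
        "$n" "$line" "$(normalize_pasted "$line")"
    fi
  done < "$1"
  return "$rc"
}

# Constructed sample: the Task 3 install commands as a PDF hands them over,
# including the en dash in front of "y".
sample=$(mktemp)
cat > "$sample" <<'EOF'
yum clean all
yum –y install docker-io
service docker start
EOF
check_pasted_commands "$sample" || echo "fix the flagged lines before pasting into the CLI"
rm -f "$sample"
```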

Task 5. Map the Packet Decoder to Ixia Clients

Complete the following steps to map the Packet Decoder to the client machines so that their traffic is routed to the Packet Decoder.

  1. Go to the Cloudlens public site (https://www.ixia-sandbox.cloud/).
  2. Double-click on your project to open it.
  3. Click the Define Group button or the Instances count.
    You should see two instances listed, one for your decoder and the other for the client machines.
  4. Filter for the decoder instance and click Save Search.
  5. Choose Save as a tool.
  6. Specify a name for the tool, and the Aggregation Interface.
    Use a meaningful name for the Aggregation Interface (for example, CloudTAP). This is a virtual interface that appears in the OS where your Tool is installed. You need to instruct your tool to 'listen' on that interface in a subsequent step.
  7. Filter the client host instance from the list, and click Save Search.
  8. Navigate back to the top-level view of the project.
    Your client machine instance and Decoder instance are now displayed.
  9. Drag a connection between your client machine instance and the Decoder instance to allow the flow of packets.

Task 6. Validate CloudLens Packets Arriving at Decoder

Complete the following steps to validate that packets are actually arriving at the Packet Decoder.

  1. SSH to the Packet Decoder.
  2. Enter the following command.
    ifconfig
    The new aggregation interface you created is displayed.
  3. Generate traffic from the client OS instance CLI (for example, wget http://www.google.com/).
  4. SSH to the Packet Decoder to reach its CLI.
  5. Enter the following command and check that the client traffic appears in the tcpdump output.
    tcpdump -i cloudlens0

Task 7. Set the Interface in the Packet Decoder

Complete the following steps in the Packet Decoder to set the interface to use for the Ixia integration.

  1. SSH to the Packet Decoder.
  2. Enter the following command to restart the Decoder service.
    $ sudo restart nwdecoder
    The Packet Decoder is now set to capture network traffic.
  3. Log in to Security Analytics and click Administration > Services.
  4. In the Admin Services view, select a Decoder service and click > View > Explore.
  5. Expand the decoder node and click config to view the configuration settings.
  6. Set the capture.selected parameter to the following value.
    packet_mmap_,cloudlens0(bpf)
  7. (Conditional) - If you have multiple capture interfaces on the Packet Decoder, set the parameters with the following values.
    capture.device.params --> interfaces=cloudlens0,cloudlens1
    capture.selected --> packet_mmap_,All
  8. Restart the Decoder service after you set the capture.selected parameter.
