Copyright 2014 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the
written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S.
and worldwide. Solera is a trademark of Solera Networks, a Blue Coat company. All other trademarks mentioned in this document are the property of their respective owners.
This document is intended to help you use the web interface to configure your Security Analytics
Virtual Appliance to perform network traffic capture, filtering, and playback or to function as a
Central Manager Console. It is not intended as a guide to policies and/or procedures for either
network security or network forensics.
This document attempts to provide the best information possible; however, this information is
provided AS-IS and without warranty of any kind for accuracy, completeness, or currency. All
references and links to Web sites are valid as of the date of publication, but the content and nature
of those Web sites and pages is subject to change without our knowledge or control.
Copyrights, Trademarks, and Intellectual Property
Blue Coat Systems will provide a machine-readable copy of the GPL open-source code on a CD.
To obtain a copy, send a written request, along with a certified check or money order in the
amount of U.S. $25.00, payable to Blue Coat Systems, Inc., to:
ATTN: Customer Support
GPL Source Code Request, Security Analytics
Blue Coat Systems
Suite 100
10713 South Jordan Gateway
South Jordan, UT 84095
USA
Introduction
This installation guide describes the installation and initial configuration of the Blue Coat Security
Analytics Virtual Appliance using VMware and the web interface. With the web interface, you can
manage the Security Analytics Virtual Appliance settings, control what is being captured, generate
a variety of reports about the captured data, and view, package, and regenerate captured data.
You can also configure the Security Analytics Virtual Appliance to operate as a Central Manager
Console (CMC).
This guide includes the following sections:
Requirements
Installation
For detailed information about using the web interface, select Settings > Help > English on the
web interface. The help files include a command-line interface (CLI) section (Reference > CLI
Commands) to provide advanced configuration and operation controls for the Security Analytics
Virtual Appliance.
For assistance with the installation of your Security Analytics Virtual Appliance, contact Security
Analytics Support:
1 Requirements
The Security Analytics Virtual Appliance has the following hardware and software requirements:
Two or more Ethernet adapters (VMware does not support capture on wireless NICs)
ESXi
VMware ESXi 5 server (ESXi 5.5 is recommended for Security Analytics Platform 7.0+)
Workstation 9
Fusion 5
Player 6
64-bit architecture on the host for running the 64-bit Solera OS guest VM
Supported Versions
Columns: Security Analytics Version, VMware Version, End of Support
DeepSee 6.0, End of Support 12 Dec 2014
DeepSee 6.6.x, End of Support 14 Jun 2016
To Be Announced
To Be Announced
2.1 Management Network
By default, the VMware ESX server uses vSwitch0 for ESX management and for creating a VM
network. You must modify vSwitch0 to permit management of the Security Analytics Virtual
Appliance.
HOW TO: Create a management network
2.2 Capture Network
Note: If you plan to use this VM as a CMC, do not configure a capture network.
To capture all network traffic, you must create a capture network that supports promiscuous mode.
This network should be located on a separate vSwitch, not on vSwitch0.
HOW TO: Create a capture network
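An added example, not part of Blue Coat's guide: the capture network described above, built from the ESXi shell with esxcli instead of the vSphere client. The names vSwitch1, vmnic1 and Capture are assumptions, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: dedicated capture vSwitch with promiscuous mode on ESXi.
# VSWITCH, UPLINK and PORTGROUP values are assumptions; adjust for your host.
# DRY_RUN=1 (default) prints the esxcli commands; DRY_RUN=0 executes them.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

create_capture_network() {
    vswitch=$1 uplink=$2 portgroup=$3

    # The guide keeps capture off vSwitch0, which carries ESX management.
    if [ "$vswitch" = "vSwitch0" ]; then
        echo "refusing to enable promiscuous mode on vSwitch0" >&2
        return 1
    fi

    run esxcli network vswitch standard add --vswitch-name="$vswitch" &&
    run esxcli network vswitch standard uplink add \
        --uplink-name="$uplink" --vswitch-name="$vswitch" &&
    run esxcli network vswitch standard portgroup add \
        --portgroup-name="$portgroup" --vswitch-name="$vswitch" &&
    # Promiscuous mode is set on the capture vSwitch only.
    run esxcli network vswitch standard policy security set \
        --vswitch-name="$vswitch" --allow-promiscuous=true &&
    # Print the resulting policy so the setting can be verified.
    run esxcli network vswitch standard policy security get \
        --vswitch-name="$vswitch"
}

create_capture_network "${VSWITCH:-vSwitch1}" "${UPLINK:-vmnic1}" "${PORTGROUP:-Capture}"
```

Scoping promiscuous mode to the capture vSwitch keeps management traffic on vSwitch0 out of view of other port groups.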
2.3
HOW TO: Create a virtual machine network
2.4 Playback Network
Note: If you plan to use this VM as a CMC, do not configure a playback network.
Use the playback network to play back traffic from either virtual networks or physical networks. If
you are not planning on playing back traffic for either type of network, you may skip this section.
HOW TO: Create a playback network
Playing back traffic to the same virtual or physical network that you used for capture can create network
storms. Use extreme caution when playing back network traffic.
3.1 ESX Configuration
HOW TO: Install the virtual appliance on an ESX(i) server
Important: The import may take up to 10 minutes, depending upon your ESX hardware. Do not interrupt
the import process.
Important: Do not power on the Security Analytics Virtual Appliance until you have followed the steps
in Section 3.3 Add Indexing and Capture Virtual Disks.
3.2 Workstation Configuration
Follow these steps if you are using the Evaluation for VMware workstation.
HOW TO: Install the virtual appliance on a Workstation
a. Extract the Security Analytics Virtual Appliance ZIP file to your workstation.
b. Launch VMware player or equivalent.
c. Select File > Open, locate the VMX file, and open it.
Important: Do not power on the Security Analytics Virtual Appliance until you have followed the steps
in Section 3.3 Add Indexing and Capture Virtual Disks.
Note: The workstation VM image is not intended to run on VMware ESX. If you would like access to the
ESX virtual appliance trial, please contact the Blue Coat Sales Team.
3.3 Add Indexing and Capture Virtual Disks
Note: It is highly recommended that you place the capture virtual disks on a logical unit comprising
at least three (3) physical hard drives to achieve optimal capture performance. It is also recommended
that you not share the logical unit with any other virtual machines to avoid excess read/write overhead.
HOW TO: Add indexing and capture virtual disks on ESX
a. On the vSphere client, select the virtual machine and click Edit Virtual Machine Settings.
b. On the Hardware tab, click Add.
c. Select Hard Disk and click Next twice.
d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual
disk(s).
Note: When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB value.
HOW TO: Add indexing and capture virtual disks on the Workstation
Note: When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB value.
Note: Booting the virtual appliance for the first time will take several minutes. While the virtual
machine starts, you will see a progress indicator. Press the Esc key to view additional information
while the virtual appliance is booting.
4.1
Note: The Security Analytics Virtual Appliance user interface is identical to the user interface for
Security Analytics Appliances.
HOW TO: Assign a temporary IP address
a. Launch a Web browser and navigate to the IP address for eth0. You can use either HTTP or HTTPS.
b. At the Login page, type the default username and password, both of which are case-sensitive:
Username: admin
Password: Solera
c. Click Log In.
d. The End User License Agreement (EULA) is displayed. Accept the terms. The Initial Configuration
page is displayed.
e. Select Settings > Help and then select your language under Online Help Files.
f. View the "Initial Settings" page for instructions on initial appliance configuration. All virtual appliances
must also follow the steps to license the appliance.
Error Message
This kernel requires an x86-64 CPU, but only detected an i686 CPU. Unable to boot - please use a kernel
appropriate for your CPU.
You attempted to start the guest OS VM on an ESX server or host computer that is not 64-bit
and VT capable. Use an ESX server or host computer that is both 64-bit and VT capable.
Error Message
You have configured this virtual machine to use a 64-bit guest operating system. However, 64-bit operation
is not possible. This host is VT-capable, but VT is disabled.
You attempted to start the guest OS VM on an ESX server or host computer that is both 64-bit
and VT capable, but whose VT settings are disabled in the BIOS. This is usually because VT
has been disabled in the BIOS/firmware settings, or the ESX server or host computer has not
been power-cycled since changing this setting.
1. Verify these BIOS/firmware settings: enable VT and disable trusted execution.
2. Power-cycle the ESX server or host computer if you changed either of these
BIOS/firmware settings.
3. Power-cycle the ESX server or host computer if you have not done so since installing
VMware.
4. Update the host computer's BIOS/firmware to the latest version. For more details, see
Article 1003945, referenced above.
Appendix: Virtual Machine Sizing
Columns: 500G, 2T, 5T, 10T, CMC*, ESX Trial, Workstation
Capture: 40 GB, 0.4 TB, 1.6 TB, 3 x 1.34 TB, 5 x 1.6 TB, n/a, 1.5 TB, 100 GB
Index: 10 GB, 0.1 TB, 0.4 TB, 1.0 TB, 1.7 TB, n/a, 220 GB, 20 GB
System: 80 GB, 0.1 TB, 0.5 TB, 0.75 TB, 1 TB, 100+ GB, 80 GB, 80 GB
RAM (GB): 12, 12, 16, 32, 64, 1232 GB, 12
CPUs: 832 GB
* CMC sizing depends on factors such as the average capture rate and number of sensors that the CMC controls. Increase the size of the system
disk as the capture speed and number of sensors increase. Refer to the table below as a general guideline.
Ave. Capture Rate (Up to 16 sensors), RAM, CPUs
12 GB
0.5 Gbps, 12 GB
2 Gbps, 16 GB, 16
5 Gbps, 32 GB, 32
The size of capture and index virtual disks for the VMware workstation evaluation can be increased as long as the index disk is at least 20% of the
size of the capture disk.