Security Analytics Virtual Appliance Installation Guide.d

Security Analytics Virtual Appliance
Installation Guide for VMware

2 April 2014
Copyright 2014 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the
written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S.
and worldwide. Solera is a trademark of Solera Networks, a Blue Coat company. All other trademarks mentioned in this document are the property of their respective owners.
This document is intended to help you use the web interface to configure your Security Analytics
Virtual Appliance to perform network traffic capture, filtering, and playback or to function as a
Central Manager Console. It is not intended as a guide to policies and or procedures for either
network security or network forensics.
This document attempts to provide the best information possible; however, this information is
provided AS-IS and without warranty of any kind for accuracy, completeness, or currency. All
references and links to Web sites are valid as of the date of publication, but the content and nature
of those Web sites and pages is subject to change without our knowledge or control.
Copyrights, Trademarks, and Intellectual Property
A trademark symbol () or a registered trademark symbol () denotes a Blue Coat Systems

trademark. A degree sign () denotes a third-party trademark. All third-party trademarks are the
property of their respective owners. All other trademarks mentioned in this document are the
property of their respective owners.
Copyright 2014 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this
document may be reproduced by any means nor translated to any electronic medium without the
written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice.
Information contained in this document is believed to be accurate and reliable, however, Blue Coat
Systems, Inc. assumes no responsibility for its use.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0. Unless required
by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
for the specific language governing permissions and limitations under the License.
The Blue Coat Security Analytics Platform includes freeradius-client libraries, freeradius-client-devel, and freeradiusclient-libs. The FreeRADIUS Client library is distributed under the BSD license: freeradius.org/freeradius-client/.
GNU General Public License Source Code Requests
Blue Coat Systems will provide a machine-readable copy of the GPL open-source code on a CD.
To obtain a copy, send a written request, along with a certified check or money order in the
amount of U.S. $25.00, payable to Blue Coat Systems, Inc., to:
ATTN: Customer Support
GPL Source Code Request, Security Analytics
Blue Coat Systems
Suite 100
10713 South Jordan Gateway
South Jordan, UT 84095
USA
Introduction
This installation guide describes the installation and initial configuration of the Blue Coat Security
Analytics Virtual Appliance using VMware and the web interface. With the web interface, you can
manage the Security Analytics Virtual Appliance settings, control what is being captured, generate
a variety of reports about the captured data, and view, package, and regenerate captured data.
You can also configure the Security Analytics Virtual Appliance to operate as a Central Manager
Console (CMC).
This guide includes the following sections:
Requirements
Installation
Preparing the Security Analytics Virtual Appliance
For detailed information about using the web interface, select Settings > Help > English on the
web interface. The help files include a command-line interface (CLI) section (Reference > CLI
Commands) to provide advanced configuration and operation controls for the Security Analytics
Virtual Appliance.
For assistance with the installation of your Security Analytics Virtual Appliance, contact Security
Analytics Support:
Toll-Free (U.S. and Canada): 888-860-5705

International: +1 801-545-4002
Web: www.bluecoat.com/support
Email: atp-support@bluecoat.com
Table of Contents
1
Requirements ...............................................................................................................................................................5
ESX Server Configuration ..............................................................................................................................................6
Virtual Appliance Installation ...................................................................................................................................... 10
Virtual Appliance Administration................................................................................................................................. 13
Troubleshooting the Installation ................................................................................................................................. 14
Appendix: Virtual Machine Sizing ................................................................................................................................ 16
2.1
2.2
2.3
2.4
3.1
3.2
3.3
4.1
Management Network ..................................................................................................................................................................................................... 6

Capture Network .............................................................................................................................................................................................................. 7
Virtual Machine Network ................................................................................................................................................................................................. 8
Playback Network ............................................................................................................................................................................................................ 9
ESX Configuration ......................................................................................................................................................................................................... 10
Workstation Configuration ............................................................................................................................................................................................. 11
Add Indexing and Capture Virtual Disks ...................................................................................................................................................................... 12
Configure Initial Settings ............................................................................................................................................................................................... 13
1 Requirements
The Security Analytics Virtual Appliance has the following hardware and software requirements:
1264 GB of memory per VM
Disk space per datastore:

o
See Appendix: Virtual Machine Sizing
48 CPU cores per VM
Two or more Ethernet adapters (VMware does not support capture on wireless NICs)
VMware software platform for running the virtual appliance:

o
ESXi
Workstation One of the following:
VMware ESXi 5 server (ESXi 5.5 is recommended for Security Analytics Platform 7.0+)
Workstation 9
Fusion 5
Player 6
VMware vSphere Client
VMware Infrastructure Client (VI Client) or vSphere Client
64-bit architecture on the host for running the 64-bit Solera OS guest VM
A workstation with a Web browser running one of the following:

o
o
o
o
Microsoft Internet Explorer (IE) 8+

Firefox 18+
Safari 5+
Chrome 24+
Cookies must be enabled in the browser.
JavaScript must be enabled in the browser.
Supported Versions
Security Analytics Version
VMware Version
End of Support
DeepSee 6.0
VMware ESXi 5.0 and 5.1
12 Dec 2014
DeepSee 6.6.x
VMware ESXi 5.0, 5.1 or 5.5
14 Jun 2016
Security Analytics 7.0
To Be Announced
Security Analytics 7.1
To Be Announced
5 of 16
written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the
U.S. and worldwide. Solera is a trademark of Solera Networks, a Blue Coat company. All other trademarks mentioned in this document are the property of their respective owners.
2 ESX Server Configuration

This configuration assumes that the VMware ESX server is installed and configured with the correct
data stores. Before importing the Security Analytics Virtual Appliance, configure the ESX server as
follows:
2.1
Create a Management Network
Create a Capture Network (not applicable to Central Manager Console [CMC])
Create a Virtual Machine Network (optional; not applicable to CMC)
Create a Playback Network (optional; not applicable to CMC)
Management Network
By default, the VMware ESX server uses vSwitch0 for ESX management and for creating a VM
network. You must modify vSwitch0 to permit management of the Security Analytics Virtual
Appliance.
HOW TO
Create a
management
network
a. Connect to the ESX server using the vSphere client.

b. In the left pane, click the target ESX server.
c. In the right pane, open the Configuration tab.
d. Select Hardware > Networking.
e. For vSwitch0, click Properties.
f. In the left pane, select VM Network.
g. Click Remove, then Yes.
h. Click Add, select Virtual Machine, and click Next.
i. Label the network SA Management, leave the VLAN ID field blank, and click Next.
j. Click Next, Finish, and Close.
6 of 16
2.2
Note
Capture Network
If you plan to use this VM as a CMC, do not configure a capture network.
To capture all network traffic, you must create a capture network that supports promiscuous mode
in order to capture all network traffic. This network should be located on a separate vSwitch other
than vSwitch0.
HOW TO
Create a
capture
network
b. In the left pane, select the target ESX server.

e. Click Add Networking.
f. Select Virtual Machine and click Next.
g. Select Create a virtual switch, select an available VM NIC, and click Next.
h. Label the network Capture Network, and leave the VLAN ID field blank.
i. Click Next, then Finish.
j. Click Properties for vSwitch1.
k. Select Capture Network, then click Edit.
l. Click the Security tab, select the Promiscuous Mode check box, and select Accept from the dropdown menu.
m. Click OK, and then click Close.
7 of 16
2.3
Note
Virtual Machine Network

If you plan to use this VM as a CMC, do not configure a virtual machine network.
Use the VM network to capture traffic from virtual systems. If you are not planning on capturing
virtual traffic, you may skip to section 2.4 Playback Network.
HOW TO
Create a
virtual
machine
network

e. For vSwitch1, click Properties.
f. Click Add, then select Virtual Machine.
g. Label the network VM Network.
h. Select Next, then Finish.
i. On the Ports tab, select Virtual Machine Network, then click Edit.
j. Click the Security tab and select the Promiscuous Mode check box.
k. Select Accept from the drop-down menu.
l. Click OK, and then Close.
8 of 16
2.4
Note
Playback Network
If you plan to use this VM as a CMC, do not configure a playback network.
Use the playback network to play back traffic from either virtual networks or physical networks. If
you are not planning on playing back traffic for either type of network, you may skip to section
Error! Reference source not found. Error! Reference source not found..
HOW TO
Create a
playback
network

c. In the right pane, click the Configuration tab.
e. Click Add Networking.
f. Select Virtual Machine, then click Next.
g. Select Create a virtual switch.
h. Select an available VM NIC and click Next.
i. Label the network Replay Network and leave the VLAN ID field blank.
j. Click Next, then Finish.
k. For vSwitch1 click Properties.
l. Select Replay Network, then click Edit.
m. On the Security tab, select the Promiscuous Mode check box.
n. Select Accept from the drop-down menu.
o. Click OK, then Close.
Note
Playing back traffic to the same virtual or physical network that you used for capture can create network
storms. Use extreme caution when playing back network traffic.
9 of 16
3 Virtual Appliance Installation

These installation steps assume that you have downloaded and extracted the virtual appliance
from Blue Coat Systems. If you have not downloaded and extracted these files, please contact
Security Analytics Support.
IMPORTANT
3.1
DO NOT attempt to install VMware Tools on Security Analytics Virtual Appliances.
ESX Configuration
HOW TO
Install the
virtual
appliance on
an ESX(i)
server

c. In the vSphere client, select File > Deploy OVF Template to start the Deploy OVF Template
wizard.
d. Select Deploy from file and browse to the directory where you extracted the Security Analytics
Virtual Appliance files.
e. Select the OVF file and click Open.
f. Click Next twice.
g. Accept the default name of the virtual appliance and click Next.
h. Map the virtual networks accordingly:
SA Management to SA Management (vSwitch0)
Capture Network to Capture Network (vSwitch1) (not for CMC)
Replay Network to Replay Network (vSwitch2) (not for CMC)
i. Click Next and then click Finish.
j. The virtual appliance begins importing.
Note
Important
The import may take up to 10 minutes, depending upon your ESX hardware. Do not interrupt the import
process.
Do not power on the Security Analytics Virtual Appliance until you have followed the steps in Section
3.3 Add Indexing and Capture Virtual Disks.
10 of 16
3.2
Workstation Configuration
Follow these steps if you are using the Evaluation for VMware workstation.
HOW TO
Install the
virtual
appliance on a
Workstation
a. Extract the Security Analytics Virtual Appliance ZIP file to your workstation.
b. Launch VMware player or equivalent.
c. Select File > Open, locate the VMX file, and open it.
Important
Note
Do not power on the Security Analytics Virtual Appliance until you have followed the steps in Section
3.3 Add Indexing and Capture Virtual Disks.
The workstation VM image is not intended to run on VMware ESX. If you would like access to the ESX
virtual appliance trial, please contact the Blue Coat Sales Team.
11 of 16
3.3
Add Indexing and Capture Virtual Disks

Except for the ESX trial version, the Security Analytics Virtual Appliance includes one virtual hard
disk, which is the system virtual disk. To function properly, the Security Analytics Virtual Machine
requires two additional virtual disks for indexing and capture. If you have deployed the ESX trial
VM, the capture and indexing virtual disks have already been configured for you.
Note
It is highly recommended that you place the capture virtual disks on a logical unit comprising at least three
(3) physical hard drives to achieve optimal capture performance. It is also recommended that you not share
the logical unit with any other virtual machines to avoid excess read/write overhead.
HOW TO
Add indexing
and capture
virtual disks
on ESX
a. On the vSphere client, select the virtual machine and click Edit Virtual Machine Settings.
b. On the Hardware tab, click Add.
c. Select Hard Disk and click Next twice.
d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual
disk(s).
Note
When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB.
e. Click Next twice and then Finish.

f. Repeat steps b through e for the indexing virtual disk.
g. Power on the virtual machine
HOW TO
Add indexing
and capture
virtual disks
on the
Workstation
a. In VMware Workstation/Fusion/Player, select Edit Virtual Machine Settings.

b. Click Add or Add Device.
c. Select Hard Disk.
d. For Disk Size, consult the tables in Appendix: Virtual Machine Sizing for the size of the capture virtual
disk(s).
Note
When specifying sizes in TB, change the unit from GB to TB instead of specifying a four-digit GB.
e. Repeat steps b through d for the indexing virtual disk.

f. Power on the virtual machine.
Note
Booting the virtual appliance for the first time will take several minutes. While the virtual machine starts, you
will see a progress indicator. Press the Esc key to view additional information while the virtual appliance is
booting.
12 of 16
4 Virtual Appliance Administration

The Security Analytics Virtual Appliance includes the full web interface and a command-line
interface (CLI) for configuring and managing the Security Analytics Virtual Appliance. Once the
virtual appliance is running, you can use either interface to administer and configure the virtual
appliance.
Note
4.1
The Security Analytics Virtual Appliance user interface is identical to the user interface for Security Analytics
Appliances.
Configure Initial Settings

By default, the management interface (eth0) is set to 192.168.20.20. Follow these steps to assign a
temporary IP address:
HOW TO
Assign a
temporary IP
address
a. Log in to the CLI using the following credentials: admin|Solera

b. Use the following method to temporarily assign an IP address to the management interface (eth0):
ifconfig
sudo ifconfig eth0 <IP_address> netmask <subnet_mask>
sudo route add default gw <IP_of_default_gateway>
View the assigned IP address:

ifconfig eth0
Use the web interface to configure the initial settings.

HOW TO
Launch the
web interface
a. Launch a Web browser and navigate to the IP address for eth0. You can use either HTTP or HTTPS.
b. At the Login page, type the default username and password, both of which are case-sensitive:
Username: admin
Password: Solera
c. Click Log In.
d. The End User License Agreement (EULA) is displayed. Accept the terms. The Initial Configuration
page is displayed.
e. Select Settings ( ) > Help and then select your language under Online Help Files.
f. View the "Initial Settings" page for instructions on initial appliance configuration. All virtual appliances
must also follow the steps to license the appliance.
13 of 16
5 Troubleshooting the Installation

The following sections discuss some common issues and other items to be aware of when using
the Security Analytics Virtual Appliance. If you have any questions or need further assistance,
please contact ATP Support.
Phone: 888-860-5705 (U.S. and Canada) or +1 801-545-4002 (international)

Email: atp-support@bluecoat.com
Web: www.bluecoat.com/support
Cannot Connect to the UI

1. Verify that you can ping the host IP address from the virtual appliance.
2. Verify that the virtual appliance has a valid gateway route:
[prompt]# route
3. Restart the network services:
[prompt]# sudo service network restart
4. Verify that the network interface of the machine where the virtual appliance is running is a bridged
network interface. Refer to the VMware documentation for information on how to configure the
network interfaces.
Cannot Capture Data

1. Verify that IP has been disabled on the physical interfaces that capture data.
2. Verify that you have modified the virtual interface to operate in promiscuous mode.
3. Confirm that you have added index and capture virtual disks before powering on the VM for the
first time. If this was not done, delete the VM and start over.
Networking Not Working Properly

If networking is not working properly within the guest OS VMe.g., you do not have a valid routing
table, or you did not obtain an IP address from your DHCP serveryou should try restarting the
networking service at least once to resolve the issue:
[prompt]# sudo service network restart
14 of 16
64-bit Host Operating System with Virtual Technology

The Solera Virtual Machine requires that the server's CPU be both 64-bit and VT capable. More
information about running a 64-bit guest OS on VMware platforms can be found in Article
1003945: "Hardware and Firmware Requirements for 64-bit Guest Operating Systems" in the
VMware Knowledge Base (http://kb.vmware.com/).
If you are uncertain of your ESX server or host computers 64-bit compatibility, you can obtain a
processor check utility from VMware from Article 1003945, referenced above.
Error Message
This kernel requires an x8664 CPU, but only detected an i686 CPU. Unable to boot please use a kernel
appropriate for your CPU.
You attempted to start the guest OS VM on an ESX server or host computer that is not 64-bit
and VT capable. Install your VMware ESX server or on a computer that is both 64-bit and VT
capable.
Error Message
You have configured this virtual machine to use a 64bit guest operating system. However, 64bit operation
is not possible. This host is VTcapable, but VT is disabled.
You attempted to start the guest OS VM on an ESX server or host computer that is both 64-bit
and VT capable, but whose VT settings are disabled in the BIOS. This is usually because VT
has been disabled in the BIOS/firmware settings, or the ESX server or host computer has not
been power-cycled since changing this setting.
1. Verify these BIOS/firmware settings: enable VT and disable trusted execution.
2. Power-cycle the ESX server or host computer if you changed either of these
BIOS/firmware settings.
3. Power-cycle the ESX server or host computer if you have not done so since installing
VMware.
4. Update the host computer's BIOS/firmware to the latest version. For more details, see
Article 1003945, referenced above.
15 of 16
6 Appendix: Virtual Machine Sizing

Consult the following as a guideline for configuring your Security Analytics Virtual Machine.
50G
500G
2T
5T
10T
CMC*
ESX Trial
Workstation
Capture
40 GB
0.4 TB
1.6 TB
3 x 1.34 TB
5 x 1.6 TB
n/a
1.5 TB
100 GB
Index
10 GB
0.1 TB
0.4 TB
1.0 TB
1.7 TB
n/a
220 GB
20 GB
System
80 GB
0.1 TB
0.5 TB
0.75 TB
1 TB
100+ GB
80 GB
80 GB
RAM (GB)
12
12
16
32
64
1232 GB
12
CPUs
832 GB
* CMC sizing depends on factors such as the average capture rate and number of sensors that the CMC controls. Increase the size of the system
disk as the capture speed and number of sensors increases. Refer to the table below as a general guideline.
Ave. Capture Rate
(Up to 16 sensors)
RAM
CPUs
< 0.5 Gbps
12 GB
0.5 Gbps
12 GB
2 Gbps
16 GB
16
5 Gbps
32 GB
32
The size of capture and index virtual disks for the VMware workstation evaluation can be increased as long as the index disk is at least 20% the
size of the capture disk.
16 of 16

Security Analytics Virtual Appliance Installation Guide.d

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Security Analytics Virtual Appliance Installation Guide.d

Загружено:

Авторское право:

Доступные форматы

Security Analytics Virtual Appliance

Installation Guide for VMware

A trademark symbol () or a registered trademark symbol () denotes a Blue Coat Systems

GNU General Public License Source Code Requests

Preparing the Security Analytics Virtual Appliance

Toll-Free (U.S. and Canada): 888-860-5705

ESX Server Configuration ..............................................................................................................................................6

Virtual Appliance Installation ...................................................................................................................................... 10

Virtual Appliance Administration................................................................................................................................. 13

Troubleshooting the Installation ................................................................................................................................. 14

Appendix: Virtual Machine Sizing ................................................................................................................................ 16

Management Network ..................................................................................................................................................................................................... 6

1264 GB of memory per VM

Disk space per datastore:

See Appendix: Virtual Machine Sizing

48 CPU cores per VM

VMware software platform for running the virtual appliance:

Workstation One of the following:

VMware vSphere Client

VMware Infrastructure Client (VI Client) or vSphere Client

A workstation with a Web browser running one of the following:

Microsoft Internet Explorer (IE) 8+

Cookies must be enabled in the browser.

JavaScript must be enabled in the browser.

VMware ESXi 5.0 and 5.1

VMware ESXi 5.0, 5.1 or 5.5

Security Analytics 7.0

VMware ESXi 5.0, 5.1 or 5.5

Security Analytics 7.1

VMware ESXi 5.0, 5.1 or 5.5

2 ESX Server Configuration

Create a Management Network

Create a Capture Network (not applicable to Central Manager Console [CMC])

Create a Virtual Machine Network (optional; not applicable to CMC)

Create a Playback Network (optional; not applicable to CMC)

a. Connect to the ESX server using the vSphere client.

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

Virtual Machine Network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

3 Virtual Appliance Installation

DO NOT attempt to install VMware Tools on Security Analytics Virtual Appliances.

a. Connect to the ESX server using the vSphere client.

Add Indexing and Capture Virtual Disks

e. Click Next twice and then Finish.

a. In VMware Workstation/Fusion/Player, select Edit Virtual Machine Settings.

e. Repeat steps b through d for the indexing virtual disk.

4 Virtual Appliance Administration

Configure Initial Settings

a. Log in to the CLI using the following credentials: admin|Solera

View the assigned IP address:

Use the web interface to configure the initial settings.

5 Troubleshooting the Installation

Phone: 888-860-5705 (U.S. and Canada) or +1 801-545-4002 (international)

Cannot Connect to the UI

Cannot Capture Data

Networking Not Working Properly

64-bit Host Operating System with Virtual Technology

6 Appendix: Virtual Machine Sizing

< 0.5 Gbps

Вам также может понравиться