MsActivator (VSOC 8.2) Administration Guide

Transcription

1 MsActivator (VSOC 8.2) Administration Guide rue Henri Barbusse B.P GRENOBLE cedex 2 FRANCE Phone : +33 (0) Fax : +33 (0) support@ubiqube.com Copyright 2009 UBIqube solutions 1

2 DOCUMENT IDENTIFICATION MsActivator Administrators guide Reference: [MsActivator_VSOC8.2_Administrators_guide.doc] History: Date Changes Author Review January 2008 First draft (aka DOSS/INTE/662) jcf October 1, 2008 SmartSOC 1.1 adaptation. cpi November 17, 2008 Apply the new UBIqube Stylesheet. cpi January 16, 2009 SmartSOC 1.2 adaptation cpi Add maintenance. Add licences Update Network Stream & Firewall April 29, 2009 VSOC 8.2 Adaptation cpi Remove reference to SSOC version (1.2) Update screenshot with new webconf features (additional routes, ntp/snmp, reboot, ) Mai 15, 2009 MsActivator Adaptation cpi This document is the property of UBIqube Solutions and the information contained herein is Company confidential. Even if not explicitly indicated, all names and trademarks mentioned on this document are the property of their respective owners. Copyright 2009 UBIqube solutions 2

3 CONTENTS TABLE MsActivator (VSOC 8.2)... 1 Administration Guide... 1 Introduction... 4 MsActivator Brief description... 4 Advantages of the MsActivator... 5 Web portal... 5 Global profiles... 5 Event based architecture... 5 Powerful configuration Engine... 5 Configuration engine based on pattern files... 5 Modular architecture... 5 Resuming after incident and high availability... 5 MsActivator Deployment... 6 Typical Integration Scheme... 6 Overview of the MsActivator Network Integration... 6 Network stream and firewalls... 7 Configuration... 8 Required information s... 8 Information s Detail... 8 Company General Information s... 8 Basic Configuration... 9 Equipments management interface parameters Maintenance interface parameters Mails parameters Advanced Features Maintenance Licenses YFILES Google Map Advanced Features Remote terminal access Creation of a putty session Remote Windows Access VNC Session to the MsActivator Remote Desktop connection to the MsActivator IPS Copyright 2009 UBIqube solutions 3

4 Introduction The purpose of this document is to guide you through the integration of your MsActivator. The first part is an overview of the MsActivator itself and its functionalities. The second part is about network connectivity and external backup. The third part details the minimal needed configuration. And the last part offers an advanced overview of the internal parts of the MsActivator. MsActivator Brief description The MsActivator is based on a modular architecture composed of different parts: A web portal for the administration (staging/provisioning) and the monitoring. An Event Tracker for collecting equipments logs. A SecEngine for equipments configuration and security services. An archiving module for logs and backup purpose. Copyright 2009 UBIqube solutions 4

5 Advantages of the MsActivator Web portal The VSOC web portal is a unified console that allows administration and supervision of UTM equipments coming from various constructors. Through this console you can delegate access and management using predefined roles. Global profiles The predefine profiles integrated in the MsActivator allow you to use many security functionalities like VPN, firewalls, IPS, anti-virus, anti-spam, URL filtering Those profiles allow fast deployment of new services and equipments. Event based architecture Enhanced event collecting and management by group and by site allows a deeper analysis. Detailed reporting generation allows event correlation and proactive management of alerts. Powerful configuration Engine Configuration and supervision engines are very close, this enables large-scale deployment of equipments with minimum human resources. Configuration engine based on pattern files Pattern files allow quick equipments configuration, minimise human error, guaranteeing the global security policy consistency. Modular architecture The modular architecture makes the MsActivator modules easy to updates. Resuming after incident and high availability Database, events, MsActivator logs, reports and managed equipments daily configurations are saved on the MsActivator itself and can be exported to another storage area. The log archiving solution is SOX and Bâle II compliance. Copyright 2009 UBIqube solutions 5

6 MsActivator Deployment Typical Integration Scheme Overview of the MsActivator Network Integration Copyright 2009 UBIqube solutions 6

7 Network stream and firewalls Notice that the MsActivator has embedded firewalls on each interface to prevent any unwanted incoming/outgoing traffic. Although it is not recommended, you can set up firewalls or use router redirection on each interface. Below is all ports needed by the MsActivator to let be fully operational: Interface Components Protocol Request Direction Description Web portal TCP 80/443 IN/OUT HTTP(S) UBIqube TCP 22 IN/OUT SSH access maintenance ICMP echo-reply IN/OUT Ping Maintenance interface TCP/UDP 53 IN/OUT Domain / DNS TCP 3577 IN http/webconf Web portal TCP 80/443 IN/OUT HTTP(S) TCP 22 IN/OUT SSH access TCP 23 OUT Telnet access SecEngine TCP 69 OUT TFTP TCP 20/21 IN/OUT FTP TCP/UDP 53 IN/OUT Domain / DNS Equipments management TCP 25 IN/OUT SMTP interface UDP 514 IN Syslog UDP 161 SNMP. MsActivator retrieve EventTracker IN/OUT SNMP data but also offer their UDP 162 MIB for external monitoring. ICMP echo-reply IN/OUT Ping OS TCP/UDP 123 IN MsActivator act a NTP server for CPE Backup interface (which can be the maintenance interface) Web portal TCP 80/443 IN/OUT HTTP(S) TCP 22 IN/OUT SSH access ICMP echo-reply IN/OUT Ping Maintenance UDP 53 IN/OUT DNS TCP 3577 IN http/webconf Copyright 2009 UBIqube solutions 7

8 Configuration Required information s Field Value Comments Company General Information s Company Name Company Address City State Company Country Telephone Number IT Service Name Manager Password Basic Configuration Hostname Domain Name DNS Forwarder IP Equipments management interface parameters (For devices access) IP Address Network Subnet Mask Default GW Maintenance interface parameters IP Address Network Subnet Mask Mails parameters Support SMTP Server IP Address SMTP Server FQDN Advanced Features NTP SNMP Supervisor Information s Detail Company General Information s Most of the fields defined here are used to generate a Cryptographic Certificate for the Web Portal. Company Name Enter Here your company name, without space and without underscore. This field is mandatory. Copyright 2009 UBIqube solutions 8

9 Company address Company address City Enter Here your city Without space and without underscore. This field is mandatory. State Enter Here your company state Without space and without underscore. This field is mandatory. Company country Enter here the two letter country code. (Like RU, BE,...) Without space and without underscore. This field is mandatory. Telephone Number Telephone number Company Web Site URL Website URL IT service name Enter here Your IT Service Name (Organizational Unit) without space and without underscore. This field is mandatory (used in SSL Certificates). Manager Password Enter here the privileged Manager password. This is the password associated to the user 'Manager' on the SES Web Portal. The password can't be empty! Basic Configuration Hostname The appliance hostname. Domain Name The appliance domain name. The embedded mapview is licensed for the ubiqube.net domain. If you change this information, the mapview won t be available until you have purchased your own domain license (please contact your UBIqube account manager). Warning: any change to the domain name implies a UBIqube Solution support team intervention in order to setup new licences for the mapview and the google map! DNS Forwarder IP Your DNS server DNS Ip address. The SmartSoc acts as DNS server for managed equipments. DNS requests for other zones than hostname.domainname are forwarded to this address. Copyright 2009 UBIqube solutions 9

10 Equipments management interface parameters This is the equipments management interface. This interface is firewalled, and must be plugged with your equipment. They must not be on a DMZ or behind NAT/Proxy. Default GW The SmartSOC default GW pass through this interface, to get access to your equipments. Additional Routes You can eventually specify routes that will pass through this interface but not by the default gw. Warning: If you change the IP address of the equipments management interface, your equipment s will not be able to contact the SmartSOC. A manual update of equipment s will be necessary! Maintenance interface parameters This is the remote administration interface, and must be connected to Internet. It is used by UBIqube to: - Make the initial configuration. - Apply patches. - Update to the latest version of the software. - Support with remote ssh connection. This interface has a limited protection and it is generally a good idea keep to it on a DMZ. The Additional Routes is used to access the UBIqube network. The default gateway is used for managed equipment and is not necessarily connected to Internet. Mails parameters Specify the person who will receive alerts as well as the server through which will pass. Copyright 2009 UBIqube solutions 10

11 Advanced Features NTP External NTP server on which the SmartSOC will synchronize their time. SNMP Supervisor We can monitor the SmartSOC by another SOC (SmartSOC/MsActivator). To make this feature available, the SmartSOC must authorize explicitly the remote host by which it will be monitored. Copyright 2009 UBIqube solutions 11

12 Maintenance To have support from UBIqube, the support team needs remote access to the MsActivator. If, for security reason, you don t want permanent remote link to UBIqube, you can plug the cable on maintenance phase. Only when needed. Licenses MsActivator use two external applications that need licenses and special adaptation of the MsActivator Software: - yfiles - google map YFILES YFiles was used to display graphical monitoring console like below. The licence is based on domain name. By default, the MsActivator has a domain name of ubiqube.net for which, a licence was available. To have the MapView functionality, you have two choices: - Add the ip address/fqdn of the MsActivator to your host file. On Windows: Update the file C:\WINDOWS\system32\drivers\etc\hosts On UNIX/Linux: Update the file /etc/hosts This is the preferred method if this is always the same person that uses the MsActivator functionality. - Buy a licence key. If you want to change the domain name of your MsActivator, and want the MapView functionality, UBIqube (through the maintenance program) will have to copy a new license key of your domain in the MsActivator. This is the preferred method if you have many people accessing the MsActivator. Copyright 2009 UBIqube solutions 12

13 Google Map You can geolocalize your CPE through the Google Map. For this to work, a default key for the UBIqube domain name was used inside the MsActivator. If you change the domain name of the MsActivator, you will get this error message: To have the Google Map functionality, you have two choices: - Keep the ubiqube.com domain and add the ip address/fqdn of the MsActivator to your host file. On Windows: Update the file C:\WINDOWS\system32\drivers\etc\hosts On UNIX/Linux: Update the file /etc/hosts This is the preferred method if this is always the same person that uses the MsActivator functionality. - Setup a licence key. If you want to change the domain name of your MsActivator, and want the Google Map functionality, UBIqube (through the maintenance program will have to copy a new license key of your domain in the MsActivator. You need to provide UBIqube a licence acquired through Google with the following procedure: o o go to enter the web site URL (example: For more details on license key generation: About the geocoding request limits: Copyright 2009 UBIqube solutions 13

14 Advanced Features Remote terminal access You can connect remotely on each interface with ssh. To facilitate the access, you can generate a key pair with ssh-keygen (or putty on windows). A sample public key: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAuSxZqIsgGc9oxoK/gZfwUAFXBytbdtdQgeEjWs3DR4y B4P1J+OGqegXL4yZ9A6P/UE+ZRJUkO/P75D9rJbz/y0VO2gkmVl7o4PUVtvEpEzyHrEjqZC pczlgffbz/vb0drgfkndpx6o57mqkakuu8wu3pbhdjemmljpg4st3lp6m= rsa-key This key must be pushed on the authorized keys of the root user (/root/.ssh/authorized_keys) to have access transparently. Copyright 2009 UBIqube solutions 14

15 Creation of a putty session Define the authentication key at this location: Copyright 2009 UBIqube solutions 15

16 Remote Windows Access This section applies only in cases where Windows runs on a Xen virtual machine. Define the following tunnels: VNC Session to the MsActivator Once you connected through ssh with the help of putty, the tunnels are automatically created for the time of your ssh connection. At UBIqube, we use the tool RealVNC. This one is free and downloadable at That s say, any VNC client do the trick. The login Windows is Administrator. Copyright 2009 UBIqube solutions 16

17 Tips : VNC can be annoying with characters. If you have problems, you can change the keyboard to 'EN'. To enter the password more easily. Remote Desktop connection to the MsActivator Connect through the tunnel like this: Use the same credential than for VNC. With remote desktop connection, you should not have keyboard mapping problem. Copyright 2009 UBIqube solutions 17

18 IPS This feature can be requested through the maintenance program. IPSv2 profiles support the latest IOS IPS with 5.x Format Signatures available in Cisco IOS Software Release 12.4(11)T and later release. New Signatures Files are automatically updated by the SEC Engine. Simply download the new 5.X signature file from the Cisco web site and download it to /opt/sms/spool/tftp/ios_ips_sig. At 8 PM those files are automatically downloaded to the managed devices. You can trigger that update using the SEC engine CLI with the verb RELOADSIGDEF Copyright 2009 UBIqube solutions 18