Overview

ThreatSTOP's ThreatSTOP Centralized Manager (TSCM) software allows for the rapid deployment of ThreatSTOP across multiple devices and device types in a production environment. Installation and configuration are also simpler than with the single-device scripts.

Who should use this manual?

This manual is intended to be a step-by-step guide for System Administrators of intermediate to advanced skill levels. It assumes a certain level of familiarity with setting up Linux based Virtual Machines (VMs), and importing saved Virtual Machine Images (OVA files) into a VM host.

Device setup:

  1. Route Preparation
  2. VM Installation
  3. Enabling ThreatSTOP on the Device

The following instructions will cover the setup of the TSCM from the Command Line Interface (CLI). Note that automating these setups is possible with a simple shell script. However, the instructions will only cover the prompted device installation at this time.

tsadmin

The command to setup and control TSCM is tsadmin. During configuration, tsadmin associates module files that contain configuration data relevant to your available hardware. These files allow tsadmin to communicate with your hardware and expedite setting up ThreatSTOP on your network.

Route Preparation

Before installation can begin, the following ports will need to be open along the communications route between the specified destinations:

  • tcp/udp port 53: Needs to be opened from the TSCM to ThreatSTOP's DNS servers. The TSCM will query for ThreatSTOP policy (IP Intelligence) data and deliver the data to your firewall device (network objects). This query is a standard DNS query to ThreatSTOP's DNS servers.
  • SSH access from the TSCM to the device: To load ThreatSTOP policy to your device, the TSCM requires SSH access to your device.
  • UDP port 514 from the device to the TSCM: Syslog on your device is configured to send data to the TSCM. ThreatSTOP requires the messages from syslog as this is the source data for your reports.
  • SSL from the TSCM to ThreatSTOP: Syslogs are uploaded from the TSCM to ThreatSTOP, where our internal systems parse and process your device logs. The Reporting section of the ThreatSTOP portal shows the result of the log parsing for your account.

VM Installation

The TSCM installation is available in three different Linux distribution formats (CentOS 7.3, RHEL 7.3, and Ubuntu; each is covered below). After downloading the .ova for your chosen flavor of Linux, the file can be imported into VMware. Once the VM import has completed, you will need to configure the new VM as laid out in Adjusting the Appliance to Your Network Environment. A Microsoft Hyper-V based environment is also available through our Support (support@threatstop.com) team but is not directly covered here.

Beginning Deployment

  1. In vSphere, import the OVA file by clicking File and selecting Deploy OVF Template.
  2. Enter the location of the .ova file or click on Browse… and locate the file on your computer. Then click Next.
  3. Review the details of the deployment and make note of the Size on disk values. Click Next.
  4. Provide a name for the VM; this can be left as-is or updated to fit an existing naming schema. Click Next.
  5. Select the resource pool into which your device should be deployed, and click Next.
  6. Select the destination storage for the Virtual Machine, and click Next.
  7. Select the Provisioning required by your deployment and available disk space.
  8. Verify the network used in the OVF template, and click Next.
  9. Review your deployment selections and click Finish, if they appear correct.

Adjusting the Appliance to Your Network Environment

  1. Power on the VM Console and log in using the following login information:
    • Username: threatstop
    • Password: threatstop
    After powering up the system, the VM will need to be modified to access the network with a static IP address. The procedure varies by the distribution being deployed. To do this:

CentOS 7.3

  1. At the command prompt enter (the file name ifcfg-ens160 depends on the interface name your VM was given; check it with ip addr):

    sudo vi /etc/sysconfig/network-scripts/ifcfg-ens160

  2. Locate the line:

    BOOTPROTO="dhcp"

    Change the value to none:

    BOOTPROTO="none"

  3. The following information will also need to be added to the end of the file:

    IPADDR="192.168.1.7"
    NETMASK="255.255.255.0"
    GATEWAY="192.168.1.99"
    DNS1="192.168.1.99"
    DNS2="8.8.8.8"

  4. After these settings are changed, save the file and restart networking with the command:

    sudo systemctl restart NetworkManager

  5. Once this is performed, the system should be upgraded to the current version of CentOS using the following command. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.

    1. Enter sudo yum update

RHEL 7.3

  1. At the command prompt enter (the file name ifcfg-ens192 depends on the interface name your VM was given; check it with ip addr):

    sudo vi /etc/sysconfig/network-scripts/ifcfg-ens192

  2. Locate the line:

    BOOTPROTO="dhcp"

    Change the value to none:

    BOOTPROTO="none"

  3. The following information will also need to be added to the end of the file:

    IPADDR="192.168.1.7"
    NETMASK="255.255.255.0"
    GATEWAY="192.168.1.99"
    DNS1="192.168.1.99"
    DNS2="8.8.8.8"

  4. After these settings are changed, save the file and restart networking with the command:

    sudo systemctl restart NetworkManager

  5. Once this is performed, the system should be upgraded to the current version of RHEL using the following command. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.

    1. Enter sudo yum update

Ubuntu

  1. At the command prompt enter:

    sudo vi /etc/network/interfaces

  2. Locate the line iface eth0 inet dhcp in the file (see Figure 1) and change it to iface eth0 inet static.
  3. Uncomment and adjust the address, netmask, gateway, and dns-nameservers values to match your network (see Figure 2).

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

    # address 192.168.1.7
    # netmask 255.255.255.0
    # gateway 192.168.1.99

    #dns-nameservers 192.168.1.99 8.8.8.8

    Figure 1 /etc/network/interfaces default

    # The primary network interface
    auto eth0
    iface eth0 inet static
       address 192.168.1.7
       netmask 255.255.255.0
       gateway 192.168.1.99
       dns-nameservers 192.168.1.99 8.8.8.8

    Figure 2 /etc/network/interfaces configured for a static IP

  4. This should be followed by restarting the network using the command:

    sudo /etc/init.d/networking restart

  5. Once this is performed, the system should be upgraded to the current version of Ubuntu using the following commands. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.

    1. Enter sudo apt-get update

    2. Enter sudo apt-get dist-upgrade
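The manual notes above that these setups can be scripted. The following Python is an added example, not ThreatSTOP's code: it rewrites either a CentOS/RHEL ifcfg-* file or an Ubuntu /etc/network/interfaces stanza from DHCP to the static values used in the three procedures above, and is safe to run more than once. The file contents it is tested against are constructed; the values in STATIC are the manual's sample addresses.

```python
"""Rewrite a DHCP interface config to the static settings from this manual.
Added example (not ThreatSTOP's code); handles ifcfg-* and /etc/network/interfaces."""
import re
import sys

# Sample addressing from the manual; replace with your own network's values.
STATIC = {"ip": "192.168.1.7", "netmask": "255.255.255.0",
          "gateway": "192.168.1.99", "dns": ["192.168.1.99", "8.8.8.8"]}


def ifcfg_to_static(text, s=STATIC):
    """CentOS/RHEL: set BOOTPROTO to none and append any static key not already set."""
    lines = [re.sub(r'^BOOTPROTO=.*$', 'BOOTPROTO="none"', l) for l in text.splitlines()]
    wanted = [("IPADDR", s["ip"]), ("NETMASK", s["netmask"]), ("GATEWAY", s["gateway"])]
    wanted += [(f"DNS{i}", d) for i, d in enumerate(s["dns"], 1)]
    present = {l.split("=", 1)[0].strip() for l in lines if "=" in l}
    lines += [f'{k}="{v}"' for k, v in wanted if k not in present]
    return "\n".join(lines) + "\n"


def interfaces_to_static(text, iface="eth0", s=STATIC):
    """Ubuntu: turn the dhcp stanza (figure 1) into the static stanza (figure 2)."""
    drop = re.compile(r'^\s*#?\s*(address|netmask|gateway|dns-nameservers)\b')
    out = []
    for l in text.splitlines():
        if drop.match(l):
            continue  # commented-out placeholders (or old values) are re-emitted below
        if re.match(rf'^\s*iface {iface} inet (dhcp|static)\s*$', l):
            out += [f"iface {iface} inet static", f"   address {s['ip']}",
                    f"   netmask {s['netmask']}", f"   gateway {s['gateway']}",
                    "   dns-nameservers " + " ".join(s["dns"])]
        else:
            out.append(l)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: python netcfg.py ifcfg|interfaces <file>   (rewrites the file in place)
    if len(sys.argv) != 3 or sys.argv[1] not in ("ifcfg", "interfaces"):
        sys.exit("usage: netcfg.py ifcfg|interfaces <file>")
    convert = ifcfg_to_static if sys.argv[1] == "ifcfg" else interfaces_to_static
    with open(sys.argv[2]) as f:
        new = convert(f.read())
    with open(sys.argv[2], "w") as f:
        f.write(new)
```

Restart networking afterwards as described for your distribution; the script only edits the file.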

Logging Setup

threatstop@tsclient:~$ tsadmin add --type logger <device name>
[INFO ] : Validating access with DNS server
Configuring 'ThreatSTOP Log Relay Device'.  Continue? (y or n) [default y]
Log upload IP address :
Please enter all possible syslog source IP(s) : <Device IP>
Log rotate size, in Kb : [default 100]
Send logs to ThreatSTOP? (y or n) [default y]

Successfully added logger2

Logging information from a NIOS device requires a copy of TSCM. Setup itself is extremely straightforward, only requiring six entries, most of which are defaults. The required data is:

  • Device name: This is the nickname of the device provided to the ThreatSTOP portal.
  • Log upload IP address: The external IP address of your network. If you are uncertain of what address to use, please visit https://www.threatstop.com/cgi-bin/validip.pl; it will show the address to provide.
  • All possible syslog source IP(s): This utility sets up one logging device, but can receive logs from multiple NIOS devices. Enter the IP addresses of the NIOS devices from which the logger will receive logs.
  • Log rotate size, in Kb: Logs can be cached by NIOS devices until they reach a certain size and then batch uploaded to the logging device.
  • Send logs to ThreatSTOP?: If the logging device should send the received logs to ThreatSTOP set this to Y.

To set up logging for TSCM with a new NIOS device

  1. Login to your TSCM device.
  2. At the command prompt enter the following command:

    tsadmin add --type logger <device name>

    This will add a NIOS logging device, and provide the following setup questions.

  3. Press ENTER to accept the default (Y) for the Configuring 'ThreatSTOP Log Relay Device' prompt.
  4. Enter the external IP address that will be providing Log data to ThreatSTOP at the Log upload IP address prompt.
  5. Enter the device IP addresses for any NIOS devices at the Please enter all possible syslog source IP(s): prompt.

    Note:

    If multiple addresses are being provided, separate each with a space.

  6. Enter the Log rotation size, in Kb, to enable rotation. Most users keep this set to around 100 Kb.
  7. For Send logs to ThreatSTOP? press ENTER to accept the default.
    This will complete your setup and begin sending your logs to ThreatSTOP.

If for any reason you need to reconfigure the NIOS logging device enter this command, and you will be able to update the device settings:

tsadmin configure <device name>

Adding RPZ Feed for ThreatSTOP DNS Firewall

  1. Navigate to Data Management --> DNS --> Response Policy Zones
  2. Click on the Add icon at the top right of the table. This will open a wizard dialog to add the RPZ feed.
  3. Select the Add Response Policy Zone Feed option and click the Next button.

  4. Enter the name of the desired feed zone and click the Next button.

  5. Add the Grid Secondary name server
    1. Select the down arrow next to the Add icon button and select Grid Secondary.
    2. Click on the Select button below Add Grid Secondary then click Add button.

  6. Add the External Primary name server

    1. Specify the following:
      1. Name: should match the RPZ feed
      2. IP address of the external DNS server
      3. Set up TSIG by selecting the Use TSIG checkbox:

        ThreatSTOP TSIG Credentials for Infoblox Devices:

        • Key Name: threatstop
        • Key Algorithm: HMAC-MD5
        • Key Data: <tsig key>

        Note

        A tsig key will be provided by our Sales team on sign-up.

      4. Select the down arrow next to the Add icon button and select External Primary.
    2. Click the Add button to insert the external DNS server into the table.
  7. Click the Next button to go to the next wizard screen.
  8. Click the Next button without making any changes to Extensible Attributes.
  9. Click the Next button to accept the Schedule Change - Now option.
  10. Click the Save & Close button to submit the changes.

Logging

NIOS appliances do not have a built-in method to upload logs to ThreatSTOP. This requires the configuration of a syslog device and management through TSCM. These steps will help you configure your NIOS device to report RPZ events to ThreatSTOP.

Setting up External Syslog Server

  1. Enabling Logging for RPZ
    1. Assuming you have set up the DNS service and are using RPZ domains, verify that RPZ events are being captured as logged events. Navigate to Data Management --> DNS --> Members --> Grid DNS Properties --> Edit. Once the Grid DNS Properties window is open, select the Logging tab.
    2. Change the Logging Facility to LOCAL7 unless another facility is required for logging.
    3. Select the categories desired, but at a minimum ensure that the rpz and security checkboxes are selected.
    4. Click the Save & Close button when finished to apply the changes. A restart of the DNS service will probably be required.
  2. Add an External Syslog server
    1. Open the Grid Properties: select Grid --> Grid Manager --> Members --> Grid Properties --> Edit. Once the Grid Properties Editor window is open, select the Monitoring tab.
    2. Select the Log to External Syslog Servers checkbox if not already selected.
    3. Click on the Add Server icon at the top right of the External Syslog Servers table. This will display a form to add a syslog server.

    4. Complete the Add External Syslog Server form
      1. Add the IP Address of the syslog server (the TSCM).
      2. Change the Transport to your preferred method (Route Preparation above assumes UDP port 514).
      3. Select the Interface that the NIOS server will use to send syslog packets.
      4. Change the Node ID to Host Name.
      5. Change Logging Category to Send selected categories and select only the DNS RPZ and DNS Security categories.
    5. Click the Add button to insert the new syslog server into the table.
    6. Click the Save & Close button to complete the setup of the external syslog server. A service restart may be required.

Testing the Connection

After device setup has been completed, a test will need to be run to verify the firewall is behaving as intended. To perform this test:

  1. Open a console on the TSCM and enter "tail -f /var/log/threatstop/devices/<device name>/syslog"
  2. From a device behind the firewall that is not the TSCM, attempt to connect to bad.threatstop.com with a web browser.
    • If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
    • If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.

If the test succeeds, update the device's configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.
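As an added example (not ThreatSTOP's code) of what the tailed syslog should contain, the Python below parses RPZ rewrite events out of the relayed NIOS lines, checks that they arrived on the LOCAL7 facility configured in the Logging section, and reports whether the bad.threatstop.com test lookup was blocked. The sample lines are constructed, modelled on BIND's rpz rewrite log message; if your appliance words the event differently, adjust RPZ_RE.

```python
"""Check relayed NIOS syslog for RPZ rewrite events (added example, not ThreatSTOP's code)."""
import re
from collections import Counter

LOCAL7 = 23  # syslog facility number set under Grid DNS Properties > Logging above
PRI_RE = re.compile(r'^<(\d{1,3})>')
# Modelled on BIND's rpz rewrite log line; adjust if your appliance's wording differs.
RPZ_RE = re.compile(r'client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ '
                    r'\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) '
                    r'rewrite (?P<name>\S+) via (?P<zone>\S+)')

# Constructed sample lines: the blocked test lookup, an ordinary query, a PASSTHRU
# (allow-listed) rewrite, and one event sent on the wrong facility (local0, PRI 134).
SAMPLE_LOG = """\
<190>Mar  3 10:15:02 nios1 named[2101]: client 192.168.1.50#51234 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.example
<190>Mar  3 10:15:02 nios1 named[2101]: client 192.168.1.50#51234 (www.example.com): query: www.example.com IN A + (192.168.1.5)
<190>Mar  3 10:15:09 nios1 named[2101]: client 192.168.1.61#40022 (allowed.example.net): rpz QNAME PASSTHRU rewrite allowed.example.net via allowed.example.net.rpz.example
<134>Mar  3 10:15:11 nios1 named[2101]: client 192.168.1.62#40100 (bad2.example): rpz QNAME NXDOMAIN rewrite bad2.example via bad2.example.rpz.example
""".splitlines()


def parse_rpz_event(line):
    """Return the fields of an RPZ rewrite line (plus its syslog facility), or None."""
    m = RPZ_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    pri = PRI_RE.match(line)
    ev["facility"] = int(pri.group(1)) >> 3 if pri else None  # PRI = facility*8 + severity
    return ev


def summarize(lines, test_name="bad.threatstop.com", facility=LOCAL7):
    """Mirror the manual's test: was the lookup for test_name rewritten (blocked)?"""
    events = [e for e in map(parse_rpz_event, lines) if e]
    # PASSTHRU means the policy matched but let the answer through; anything else blocks.
    blocked = [e for e in events if e["action"] != "PASSTHRU"]
    return {
        "rpz_events": len(events),
        "test_query_blocked": any(e["qname"].rstrip(".").lower() == test_name for e in blocked),
        "unexpected_facility": sum(e["facility"] not in (None, facility) for e in events),
        "blocked_by_client": dict(Counter(e["client"] for e in blocked)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the lines from /var/log/threatstop/devices/<device name>/syslog; a count of zero rpz_events with traffic present points at the rpz logging category or the syslog server entry rather than the policy.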

TSCM Configuration

After the initial setup, reconfiguring the device (for example to enable sending logs to ThreatSTOP for processing) uses the following instructions:

  1. At the command prompt, enter: tsadmin configure <device name> and press ENTER.
  2. Accept the established defaults; these come from the settings provided during the initial device setup. If a parameter needs to be changed, you may do so when its prompt appears.
  3. If setup completed correctly in the previous steps, enter Y at the Submit logs to ThreatSTOP prompt.
  4. The username and password are stored securely and will not need to be added a second time.
  5. If one appears, enter the password at the Enable Password prompt.
  6. For the block list grouping name (Object, Address, or Zone), enter the name under which you want the block list to appear in the control panel of the managed device.
  7. For the allow list grouping name (Object, Address, or Zone), enter the name under which you want the allow list to appear in the control panel of the managed device.
  8. For the Max entries or Number of Dynamic Lists prompts accept the defaults or enter the values determined to be required for your network.
  9. To verify your settings enter tsadmin show <device name> and review the output.

Reconfiguration of the device is not applied immediately. tsadmin update is scheduled in cron (/etc/cron.d/multidevice-core) and will update the device automatically at the job's next scheduled run. You can speed this up by entering tsadmin update <device name>.

Notes and Limitations

Only one instance of tsadmin can run at a time: tsadmin holds a lock, so additional users are locked out and only the first user will be allowed to commit their changes.

It is possible to adjust the resources of the VM, but the number of CPUs cannot be changed; doing so will cause the VM to fail to start.