ThreatSTOP's ThreatSTOP Centralized Manager (TSCM) software allows for the rapid deployment of ThreatSTOP across multiple devices and device types in a production environment. Installation and configuration are also simpler than with the single-device scripts.
The following instructions cover the setup of the TSCM from the Command Line Interface (CLI). Note that automating these setups is possible with a simple shell script; however, the instructions only cover the prompted device installation at this time.
The command used to set up and control TSCM is tsadmin. During configuration, tsadmin associates module files that contain configuration data relevant to your available hardware. These files allow tsadmin to communicate with your hardware and expedite setting up ThreatSTOP on your network.
Who should use this manual?
This manual is intended to be a step-by-step guide for System Administrators of intermediate to advanced skill levels. It assumes a certain level of familiarity with setting up Linux-based Virtual Machines (VMs) and with importing saved Virtual Machine images (OVA files) into a VM host.
Before installation can begin, the following ports will need to be open along the communications route between the specified destinations:
- tcp/udp port 53 from the TSCM to ThreatSTOP's DNS servers: The TSCM queries ThreatSTOP's DNS servers for policy (IP Intelligence) data and delivers that data to your firewall device (network objects). This query is a standard DNS query.
- SSH access from the TSCM to the device: To load ThreatSTOP policy onto your device, the TSCM requires SSH access to it.
- UDP port 514 from the device to the TSCM: Syslog on your device is configured to send its messages to the TSCM. ThreatSTOP requires these syslog messages because they are the source data for your reports.
- SSL from the TSCM to ThreatSTOP: Syslogs are uploaded from the TSCM to ThreatSTOP, where our internal systems parse and process your device logs. The Reporting section of the ThreatSTOP portal shows the result of the log parsing for your account.
VM installation of the ts-appliance image can take one of two different paths. For a Linux-based installation, download the latest ts-appliance image from our FTP service (ftp://ftp.threatstop.com/pub/TSCM.ova) and make note of its location. Once the VM import has completed you will need to configure Ubuntu as laid out in Adjusting the Appliance to Your Network Environment. A Microsoft Hyper-V based environment is available through our Support team.
Users running an Oracle VirtualBox based environment can follow the directions in VirtualBox Deployment to create an environment quickly and easily. Users running VMware's vSphere client may need to follow the additional steps to convert the OVA from VirtualBox format into VMware's .OVF format as described in VMware Conversion and Setup.
VirtualBox Deployment
- In VirtualBox, import the OVA file by clicking File and selecting Import Appliance…
- Enter the location of the .ova file, or click Browse… and locate the file on your computer. Click Open, then click Next.
- Review the specifications for the VM to be created and make any needed changes. Then click Import.
- Provide a name for the VM; this can be left as-is or updated to fit an existing naming schema. Click Next.
- Verify your storage setup and requirements, then click Import.
- After the VM has been imported, right-click on the new VM entry and select Settings…
- Select the Provisioning required by your deployment.
- Verify the network connections mapped in your OVA template and the network to which it will be deployed, and adjust as needed. Then click OK.
Adjusting the Appliance to Your Network Environment
- Power on the VM, open its console and log in using the following credentials:
- Username: threatstop
- Password: threatstop
- After powering up the system, the VM will need to be modified to access the network with a static IP address. To do this:
At the command prompt enter:
- Locate the line iface eth0 inet dhcp in the file (see figure 1); this is the line you will need to change.
- Modify the line to iface eth0 inet static, and uncomment the following four lines (see figure 2).
You will need to adjust the address, netmask, and gateway values to match your network.
Figure 1 /etc/network/interfaces default
Figure 2 /etc/network/interfaces configured for a static IP
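The DHCP-to-static edit described above, as an added example script (not a ThreatSTOP figure or tool): it validates the four addresses, switches the eth0 stanza to static and replaces the commented placeholder lines with real values. The sample file contents and all addresses are constructed to resemble the default shown in figure 1; on the appliance you would pass /etc/network/interfaces.

```shell
#!/bin/sh
# Added example (not a ThreatSTOP script): switch the eth0 stanza of an
# /etc/network/interfaces file from DHCP to a static address.
# Constructed stand-in for the default file: dhcp, with four commented lines.
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
#address 192.168.1.100
#netmask 255.255.255.0
#gateway 192.168.1.1
#dns-nameservers 192.168.1.1'

# Accept only a dotted quad whose octets are all in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# set_static_ip FILE ADDRESS NETMASK GATEWAY DNS
# Rewrites FILE in place: the dhcp line becomes "inet static" followed by the
# four real values, and the commented placeholders are removed.
set_static_ip() {
    f=$1; addr=$2; mask=$3; gw=$4; dns=$5
    for ip in "$addr" "$mask" "$gw" "$dns"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 value: $ip" >&2; return 1; }
    done
    grep -q '^iface eth0 inet dhcp' "$f" || { echo "no dhcp stanza for eth0 in $f" >&2; return 1; }
    awk -v a="$addr" -v m="$mask" -v g="$gw" -v d="$dns" '
        /^iface eth0 inet dhcp/ {
            print "iface eth0 inet static"
            print "    address " a; print "    netmask " m
            print "    gateway " g; print "    dns-nameservers " d
            next
        }
        /^#(address|netmask|gateway|dns-nameservers) / { next }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo on a temporary copy of the constructed sample (addresses are made up).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_INTERFACES" > "$demo"
set_static_ip "$demo" 192.168.10.20 255.255.255.0 192.168.10.1 192.168.10.1
cat "$demo"; rm -f "$demo"
```

After editing the real file, restart networking as described in the next step before continuing.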
This should be followed by restarting the network using the command:
Once this is done, the system should be upgraded to the current version of Ubuntu using the following commands. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.
Enter "sudo apt-get update"
Enter "sudo apt-get dist-upgrade"
As of 08/04/2016, Ubuntu has been updated to 16.04. The provided OVA does not ship 16.04, but its Hardware Enablement (HWE) stack is still supported and will need to be upgraded. To do this, enter the following command and reboot your system:
Once the VM is back online log in and finish device setup.
Logging Setup
Logging information from a NIOS device requires a copy of TSCM. Setup itself is extremely straightforward, requiring only six entries, most of which are defaults. The required data is:
- Device name: This is the nickname of the device provided to the ThreatSTOP portal.
- Log upload IP address: The external IP address of your network. If you are uncertain which address to use, visit https://www.threatstop.com/cgi-bin/validip.pl; it will show the address to provide.
- All possible syslog source IP(s): This utility sets up one logging device, but can receive logs from multiple NIOS devices. Enter the IP addresses of the NIOS devices from which the logger will receive logs.
- Log rotate size, in Kb: Logs can be cached by NIOS devices until they reach a certain size and then batch uploaded to the logging device.
- Send logs to ThreatSTOP?: If the logging device should send the received logs to ThreatSTOP set this to Y.
To set up logging for TSCM with a new NIOS device
- Log in to your TSCM device.
At the command prompt enter the following command:
This will add a NIOS logging device and present the following setup questions.
- Press ENTER to accept the default (Y) for the Configuring 'ThreatSTOP Log Relay Device' prompt.
- Enter the external IP address that will be providing Log data to ThreatSTOP at the Log upload IP address prompt.
- Enter the device IP addresses of any NIOS devices at the Please enter all possible syslog source IP(s): prompt. If multiple addresses are being provided, separate each with a space.
- Enter the Log rotation size, in Kb to enable rotation. Most users set this to around 100 Kb.
- For Send logs to ThreatSTOP? press ENTER to accept the default.
This will complete your setup and begin sending your logs to ThreatSTOP.
If for any reason you need to reconfigure the NIOS logging device enter this command, and you will be able to update the device settings:
Adding RPZ Feed for ThreatSTOP DNS Firewall
- Navigate to Data Management --> DNS --> Response Policy Zones
- Click on the Add icon at the top right of the table. This will open a wizard dialog to add the RPZ feed.
Add the Grid Secondary name server
- Select the down arrow next to the Add icon button and select Grid Secondary.
- Click on the Select button below Add Grid Secondary, then click the Add button.
Add the External Primary name server
Specify the following:
- Name: should match the RPZ feed
- IP address of the external DNS server
Set up TSIG by selecting the Use TSIG checkbox:
ThreatSTOP TSIG Credentials for Infoblox Devices:
- Key Name: threatstop
- Key Algorithm: HMAC-MD5
- Key Data: VsumFOvJ9fbrKFjBCGd+BLAmTMbi/HIG3tAudgoepYw7KMQmP24Fh09uQEkJEB0rM1ELDa8CUUKNULIyjrapzw==
This TSIG Key is only for trial accounts, and will change with a paid account.
- Select the down arrow next to the Add icon button and select External Primary.
- Click the Add button to insert the external DNS server into the table.
- Specify the following:
- Click Next button to go to next wizard screen.
- Click Next button without making any changes to Extensible Attributes.
- Click Next button to accept Schedule Change - Now option.
- Click Save & Close button to submit changes.
NIOS appliances do not have a built-in method to upload logs to ThreatSTOP. This requires configuring a syslog device that is managed through TSCM. The following steps will help you configure your NIOS device to report RPZ events to ThreatSTOP.
Setting up External Syslog Server
Enabling Logging for RPZ
- Assuming you have set up the DNS service and are using RPZ domains, you need to verify that RPZ events are being captured as logged events. Navigate to Data Management --> DNS --> Members --> Grid DNS Properties --> Edit. Once the Grid DNS Properties window is open, select the Logging tab.
- Change the Logging Facility to LOCAL7 unless another facility is required for logging.
- Select the categories desired, but at a minimum, ensure that rpz and security checkboxes are selected.
- Click the Save & Close button when finished to apply the changes. A restart of the DNS service will probably be required.
- Add an External Syslog server
- Open the Grid Properties, Select Grid --> Grid Manager --> Members --> Grid Properties --> Edit. Once the Grid Properties Editor window is open select the Monitoring tab.
- Select the Log to External Syslog Servers checkbox if not already selected.
- Click on the Add Server icon at the top right of the External Syslog Servers table. This will display a form to add a syslog server.
Complete the Add External Syslog Server form
- Add the IP Address of the syslog server
- Change the Transport to your preferred method (the TSCM expects syslog on UDP port 514, as listed in the port requirements above).
- Select the Interface that the NIOS server will use to send syslog packets.
- Change the Node ID to Host Name.
- Change Logging Category to Send selected categories and select DNS RPZ and DNS Security categories only.
- Click the Add button to insert the new syslog server into the table.
- Click the Save & Close button to complete the setup of the external syslog server. A service restart may be required.
Testing the Connection
After device setup has been completed, a test will need to be run to verify the firewall is behaving as intended. To perform this test:
- Open a console on the TSCM and enter "tail -f /var/log/threatstop/devices/<device name>/syslog"
- From a device behind the firewall that is not the TSCM, attempt to connect to
with a web browser.
- If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
- If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.
If the command runs successfully, update the device's configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.
After the initial setup, reconfiguring the device (for example to enable sending logs to ThreatSTOP for processing) uses the following instructions:
- At the command prompt, enter:
tsadmin configure <device name> and press ENTER.
- Accept the established defaults; these come from the settings provided during the initial device setup. If a parameter needs to be changed, you may do so when its prompt appears.
- If setup completed correctly in the previous steps and you choose to Submit logs to ThreatSTOP, enter
- The username and password are stored securely and will not need to be added a second time.
- If one appears, enter the password at the Enable Password prompt.
- For the block list grouping name (Object, Address, or Zone), enter the name you want the block list to appear as in the control panel of the maintained device.
- For the allow list grouping name (Object, Address, or Zone), enter the name you want the allow list to appear as in the control panel of the maintained device.
- For the Max entries or Number of Dynamic Lists prompts accept the defaults or enter the values determined to be required for your network.
- To verify your settings enter
tsadmin show <device name> and review the output.
Reconfiguration of the device is not immediately applied. tsadmin update is scheduled in cron (/etc/cron.d/multidevice-core) and will automatically update the device when the job is normally scheduled to run. You can speed up this process by entering tsadmin update <device name>.
Notes and Limitations
Running multiple instances of tsadmin at the same time will not work: tsadmin takes a lock, and only the first user will be allowed to commit their changes.
It is possible to adjust resources on the VM, but the number of CPUs cannot be changed; doing so will cause the VM to fail to start.