Overview

ThreatSTOP's ThreatSTOP Centralized Manager (TSCM) software allows for the rapid deployment of ThreatSTOP across multiple devices and types of devices in a production environment. Installation and configuration are also simpler than with the single-device scripts.

Device setup:

  1. Route Preparation
  2. VM Installation
  3. Enabling ThreatSTOP on the Device

The following instructions cover the setup of the TSCM from the Command Line Interface (CLI). Note that these setups can be automated with a simple shell script; however, the instructions currently cover only the prompted device installation.

tsadmin

The command to setup and control TSCM is tsadmin. During configuration, tsadmin associates module files that contain configuration data relevant to your available hardware. These files allow tsadmin to communicate with your hardware and expedite setting up ThreatSTOP on your network.

Who should use this manual?

This manual is intended to be a step-by-step guide for System Administrators of intermediate to advanced skill levels. It assumes a certain level of familiarity with setting up Linux based Virtual Machines (VMs), and importing saved Virtual Machine Images (OVA files) into a VM host.

Route Preparation

Before installation can begin, the following ports will need to be open along the communications route between the specified destinations:

  • tcp/udp port 53: Needs to be opened from the TSCM to ThreatSTOP's DNS servers. The TSCM will query for ThreatSTOP policy (IP Intelligence) data and deliver the data to your firewall device (network objects). This query is a standard DNS query to ThreatSTOP's DNS servers.
  • SSH access from the TSCM to the device: To load ThreatSTOP policy to your device, the TSCM requires SSH access to your device.
  • UDP port 514 from the device to the TSCM: Syslog on your device is configured to send data to the TSCM. ThreatSTOP requires the messages from syslog as this is the source data for your reports.
  • SSL from the TSCM to ThreatSTOP: syslog data is uploaded from the TSCM to ThreatSTOP, where our internal systems parse and process your device logs. The Reporting section of the ThreatSTOP portal shows the result of the log parsing for your account.

VM Installation

VM installation of the ts-appliance image can take one of two different paths. For a Linux based installation download the latest ts-appliance image from our FTP service (ftp://ftp.threatstop.com/pub/TSCM.ova), and make note of its location. Once the VM import has completed you will need to configure Ubuntu as laid out in Adjusting the Appliance to Your Network Environment. A Microsoft Hyper-V based environment is available through our Support (support@threatstop.com) team.

Note:

Users running an Oracle Virtual Box based environment will be able to follow the directions in a Virtual Box Deployment and create an environment quickly and easily. Users running VMware's vSphere client may need to follow the additional steps to convert the OVA from Virtual Box format into VMWare's .OVF format as described in VMWare Conversion and Setup.

Virtual Box Deployment

  1. In Virtual Box, import the OVA file by clicking File and selecting Import Appliance.
  2. Enter the location of the .ova file or click on Browse… and locate the file on your computer. Then click Open, then click Next.
  3. Review the specifications for the VM to be created, and make any needed changes. Then click Import.
  4. Provide a name for the VM; this can be left as-is or updated to fit an existing naming scheme. Click Next.
  5. Verify your storage setup and requirements, then click Import.
  6. After the VM has been imported, right-click the new VM entry and select Settings...
  7. Select the Provisioning required by your deployment.
  8. Verify the network connections mapped in your OVA template and the network to which it will be deployed, and adjust as needed. Then click OK.

Adjusting the Appliance to Your Network Environment

  • Power on the VM Console and login using the following login information:
    • Username: threatstop
    • Password: threatstop
  • After powering up the system, the VM will need to be modified to access the network with a static IP address. To do this:
    1. At the command prompt enter:

      sudo vi /etc/network/interfaces

    2. Locate the line iface eth0 inet dhcp in the file (see figure 1); this is the line you will need to change.
    3. Modify the line to iface eth0 inet static, and uncomment the following four lines (see figure 2).
    4. You will need to adjust the address, netmask, and gateway values to match your network.

      # The primary network interface
      auto eth0
      iface eth0 inet dhcp

      # address 192.168.1.7
      # netmask 255.255.255.0
      # gateway 192.168.1.99

      #dns-nameservers 192.168.1.99 8.8.8.8

      Figure 1 /etc/network/interfaces default

      # The primary network interface
      auto eth0
      iface eth0 inet static
         address 192.168.1.7
         netmask 255.255.255.0
         gateway 192.168.1.99
         dns-nameservers 192.168.1.99 8.8.8.8

      Figure 2 /etc/network/interfaces configured for a static IP

    5. This should be followed by restarting the network using the command:

      sudo /etc/init.d/networking restart
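As an added worked example (not part of ThreatSTOP's documentation or the tsadmin tooling), the following Python code performs steps 2 to 4 on the text of /etc/network/interfaces, using the values from figure 2, and refuses to produce a configuration whose gateway lies outside the configured subnet or whose addresses are malformed, since a mistyped value leaves a headless appliance unreachable after the network restart in step 5. The function names and the embedded copy of the default file are constructed for this example.

```python
# Added example (not ThreatSTOP tooling): rewrite the figure 1 DHCP default into the
# figure 2 static form, validating values first so a headless VM stays reachable.
import ipaddress
import re

PLACEHOLDER = re.compile(r"#\s*(address|netmask|gateway|dns-nameservers)\b")

# Constructed copy of the default /etc/network/interfaces (figure 1).
DEFAULT_INTERFACES = """# The primary network interface
auto eth0
iface eth0 inet dhcp

# address 192.168.1.7
# netmask 255.255.255.0
# gateway 192.168.1.99

#dns-nameservers 192.168.1.99 8.8.8.8
"""

def check_values(address, netmask, gateway, dns_servers):
    """Return None if the values are consistent, else a description of the problem."""
    try:
        iface = ipaddress.ip_interface(f"{address}/{netmask}")  # checks address and mask
        gw = ipaddress.ip_address(gateway)
        for d in dns_servers:
            ipaddress.ip_address(d)  # rejects typos such as 8.8.8
    except ValueError as exc:
        return f"malformed value: {exc}"
    if gw not in iface.network:
        return f"gateway {gw} is not inside {iface.network}"
    return None

def convert_interfaces(text, address, netmask, gateway, dns_servers):
    """Return the file text with the eth0 DHCP stanza replaced by a static one."""
    problem = check_values(address, netmask, gateway, dns_servers)
    if problem:
        raise ValueError(problem)
    out, in_placeholders = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "iface eth0 inet dhcp":
            out += ["iface eth0 inet static", f"   address {address}", f"   netmask {netmask}",
                    f"   gateway {gateway}", "   dns-nameservers " + " ".join(dns_servers)]
            in_placeholders = True  # drop the commented '# address ...' block that follows
            continue
        if in_placeholders and (stripped == "" or PLACEHOLDER.match(stripped)):
            continue
        in_placeholders = False
        out.append(line)
    return "\n".join(out) + "\n"
```

Run it against the real file with sudo and write the result back only after reviewing the output, since the appliance has no console fallback once the VM is headless.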

Once this is performed, the system should be upgraded to the current version of Ubuntu using the following commands. Be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.

  1. Enter "sudo apt-get update"

  2. Enter "sudo apt-get dist-upgrade"

Caution:

As of 08/04/2016, Ubuntu has been updated to 16.04. The provided OVA does not ship 16.04, but its Hardware Enablement (HWE) stack is still supported and will need to be upgraded. To do this, enter the following command and reboot your system:

sudo apt-get install linux-generic-lts-xenial linux-image-generic-lts-xenial

Once the VM is back online log in and finish device setup.

Testing the Connection

After device setup has been completed, a test will need to be run to verify the firewall is behaving as intended. To perform this test:

  1. Open a console on the TSCM and enter "tail -f /var/log/threatstop/devices/<device name>/syslog"
  2. From a device behind the firewall that is not the TSCM, attempt to connect to bad.threatstop.com with a web browser.
    • If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
    • If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.

If the test succeeds, update the device's configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.

TSCM Configuration

After the initial setup, reconfiguring the device (for example to enable sending logs to ThreatSTOP for processing) uses the following instructions:

  1. At the command prompt, enter: tsadmin configure <device name> and press ENTER.
  2. Accept the established defaults; these come from the settings provided during the initial device setup. If a parameter needs to be changed, you may do so when its prompt appears.
  3. If setup completed correctly in the previous steps and you want to submit logs to ThreatSTOP, enter Y at the Submit logs to ThreatSTOP prompt.
  4. The username and password are stored securely and will not need to be added a second time.
  5. If one appears, enter the password at the Enable Password prompt.
  6. For the block list grouping name (Object, Address, or Zone), enter the name under which you want the block list to appear in the control panel of the maintenance device.
  7. For the allow list grouping name (Object, Address, or Zone), enter the name under which you want the allow list to appear in the control panel of the maintenance device.
  8. For the Max entries or Number of Dynamic Lists prompts accept the defaults or enter the values determined to be required for your network.
  9. To verify your settings enter tsadmin show <device name> and review the output.

Reconfiguration of the device is not immediately applied. tsadmin update is scheduled in cron (/etc/cron.d/multidevice-core) and will automatically update the device when the job is normally scheduled to run. You can speed up this process by entering tsadmin update <device name>.

TSCM Command Line Switches

Notes and Limitations

Attempting to run multiple instances of tsadmin will not work: tsadmin takes a lock, and only the first user will be allowed to commit their changes.

It is possible to adjust resources on a VM, but the number of CPUs cannot be changed; doing so will cause the VM to fail to start.