AWS Deployment Guide

for Version 10.6.3


Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common
questions and provides solutions to known problems, product documentation, community
discussions, and case management.

Trademarks
For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the
documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights
thereto is hereby transferred. Any unauthorized use or reproduction of this software and the
documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment
by EMC.

Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed on the product
documentation page on RSA Link. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.

Note on Encryption Technologies


This product may contain encryption technology. Many countries prohibit or restrict the use,
import, or export of encryption technologies, and current use, import, and export regulations
should be followed when using, importing or exporting this product.

Distribution
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
September 2017
Contents

AWS Deployment Guide 5
  AWS Environment Recommendations 5
  Abbreviations and Other Terminology Used in this Guide 5
  AWS Deployment Scenarios 9
    Full Security Analytics Stack VPC Visibility (Packet Solution) 9
    Hybrid Deployment - Decoder and Log Decoder (Packet Solution) 10
    Hybrid Deployment - Decoder, Log Decoder, and Concentrator (Packet Solution) 11
  Prerequisites 11
  Supported Services 11

AWS Instance Configuration Recommendations 13
  Archiver 14
  Broker 15
  Concentrator - Log Stream 16
  Packet Stream Solutions 17
    Concentrator - Gigamon Solution 17
    Decoder - Gigamon Solution 18
    Concentrator - Ixia Solution 18
    Decoder - Ixia Solution 18
  ESA and Context Hub on Mongo Database 19
  Log Collector (Syslog, Netflow, and File Collection Protocols) 20
  Log Decoder 21
  Security Analytics Server, Reporting Engine, Incident Management and Health & Wellness 22

AWS Deployment Rules and Checklist 23
  Rules 23
  Checklist 23
  Step 1. Establish AWS Environment 23
  Step 2. Find RSA Security Analytics (SA) AMIs 24
  Step 3. Launch an Instance and Configure a Host 25
  Step 4. Configure Hosts (Instances) in Security Analytics 29
  Step 5. Configure Packet Capture 30
    Integrate Gigamon GigaVUE with the Packet Decoder 30
    Integrate Ixia with the Packet Decoder 32

AWS Deployment Guide

Before you can deploy Security Analytics in Amazon Web Services (AWS) you need to:
- Understand the requirements of your enterprise.
- Know the scope of a Security Analytics deployment.

When you are ready to begin deployment:
- Make sure that you have a Security Analytics "Throughput" license.
- For packet capture in AWS, you can purchase either of the following third-party solutions. If you engage one of these third parties, they will assign an account representative and a professional services engineer to you who will work closely with RSA staff.
  - Gigamon® GigaVUE
  - Ixia CloudLens™
- Use Chrome for your browser (Internet Explorer is not supported).

AWS Environment Recommendations


AWS instances have the same functionality as the Security Analytics hardware hosts. RSA recommends that you perform the following tasks when you set up your AWS environment.
- Based on the resource requirements of the different components, follow best practices to use the system and dedicated storage Elastic Block Store (EBS) volumes appropriately.
- Make sure that compute capacity provides a write speed 10% greater than the required sustained capture and ingest rate for the deployment.
- Build the Concentrator index database directory on a Provisioned IOPS SSD volume.

Abbreviations and Other Terminology Used in this Guide

Abbreviation - Description

AMI - Amazon Machine Image
AWS - Amazon Web Services
BYOL - Bring your own licensing
CPU - Central Processing Unit
Dedicated Instance - AWS Dedicated Instances run in a VPC on hardware that is dedicated to a single customer. Dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts. Dedicated instances may share hardware with other instances from the same AWS account that are not Dedicated instances. Refer to the AWS "Amazon EC2 Dedicated Instance" documentation (https://aws.amazon.com/ec2/purchasing-options/dedicated-instances/) for more information on dedicated instances.
EBS Optimization - An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. Refer to the AWS "Amazon EBS-Optimized Instances" documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html) for more information on EBS-optimized instances.
EBS Volume - An Elastic Block Store (EBS) volume is a highly available and reliable storage volume that you can attach to any running instance that is in the same Availability Zone. Refer to the AWS "Amazon EBS Volumes" documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) for more information on EBS volumes.
EC2 Instance - Virtual server in AWS Elastic Compute Cloud (EC2) for running applications on the AWS infrastructure. See also Instance.
Enhanced Networking Enabled - Enhanced networking provides higher bandwidth, higher packet-per-second performance, and consistently lower inter-instance latencies. If your packets-per-second rate appears to have reached its ceiling, you should consider moving to enhanced networking because you have likely reached the upper thresholds of the virtual machine network interface (VIF) driver. Refer to the AWS "How do I enable and configure enhanced networking on my EC2 instances" documentation (https://aws.amazon.com/premiumsupport/knowledge-center/enable-configure-enhanced-networking/) for more information on enhanced networking.
EPS - Events Per Second
GB - Gigabyte. 1 GB = 1,000,000,000 bytes
Gb - Gigabit. 1 Gb = 1,000,000,000 bits
Gbps - Gigabits per second, or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
GHz - Gigahertz. 1 GHz = 1,000,000,000 Hz
HDD - Hard Disk Drive
Instance - A virtual host in AWS (that is, a virtual machine or server in the AWS infrastructure on which you run services or applications). See also EC2 Instance.
Instance Type - Specifies the required CPU and RAM for an instance. Refer to the AWS "Amazon EC2 Instance Types" documentation (https://aws.amazon.com/ec2/instance-types/) for more information on instance types.
IOPS - Input/Output Operations Per Second
Mbps - Megabits per second, or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
On-Premise - On-premise hosts are installed and run on computers on the premises (in the building) of the organization using the hosts, rather than in AWS.
PPS - Packets Per Second
RAM - Random Access Memory (also known as memory)
Security Group - Set of firewall rules. See the "Network Architecture and Ports" documentation in RSA Link (https://community.rsa.com/docs/DOC-77879) for a comprehensive list of the ports you must set up for all Security Analytics components.
SSD - Solid-State Drive
Tag - A meaningful identifier for an AWS instance.
Tap Vendor - Network Tapping Vendor
vCPU - Virtual Central Processing Unit (also known as a virtual processor)
VM - Virtual Machine
VPC - Virtual Private Cloud
vRAM - Virtual Random Access Memory (also known as virtual memory)

AWS Deployment Scenarios

The following diagrams illustrate some common AWS deployment scenarios. In the diagrams, the:
- GigaVUE Series (Gigamon® Solution), in combination with Tunneling (created by the Security Analytics administrator), facilitates packet data capture in AWS.
- CloudLens™ (Ixia® Solution), through Ixia clients and the CloudLens Docker container installed on the Decoder, facilitates packet data capture in AWS.
- Decoder collects packet data. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 – 7.
- Log Decoder collects logs. The Log Decoder collects log events from hundreds of devices and event sources.
- Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while facilitating reporting and alerting.
- Security Analytics Server hosts Incident Management, Reporting, Investigation, Live Content Management, Administration and other aspects of the user interface.

Full Security Analytics Stack VPC Visibility (Packet Solution)

This diagram shows all Security Analytics components (full stack) deployed in AWS.

Hybrid Deployment - Decoder and Log Decoder (Packet Solution)

This diagram shows the Decoder and Log Decoder deployed in AWS with all other Security Analytics components deployed on your premises.

Hybrid Deployment - Decoder, Log Decoder, and Concentrator (Packet Solution)

This diagram shows the Decoder, Log Decoder, and the Concentrator deployed in AWS with all other Security Analytics components deployed on your premises.

Prerequisites

You need the following items before you begin the integration process:
- Ixia account (https://login.ixiacom.com/)
- Access to the AWS console
- A routable network path (and proper AWS Security Groups) for the containers to transfer data to the RSA Security Analytics Suite Decoder.

Supported Services

RSA provides the following Security Analytics services.
- Security Analytics Server
- Archiver
- Broker
- Concentrator
- Event Stream Analysis
- Log Decoder
- Decoder
- Remote Log Collector

AWS Instance Configuration Recommendations

Note: For a description of terms and abbreviations used in this topic, refer to Abbreviations and Other Terminology Used in this Guide.

This topic contains the minimum AWS instance configuration settings recommended for the Security Analytics (SA) virtual stack components.

- EC2 Instance:
  - Minimum instance type - m4.xlarge is the minimum instance type required for any SA component AMI so that it can function.
  - Instance type adjustments - you must adjust instance types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
  - Recommended settings - the recommended settings in the SA component instance tables below were calculated under the following conditions.
    - Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
    - All the components were integrated.
    - The Log stream included a Log Decoder, Concentrator, and Archiver.
    - The Packet Stream included a Packet Decoder and Concentrator.
    - Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
    - The background load included reports, charts, alerts, investigation, and incident management.

- EBS Volumes (Storage)
  Contact RSA Customer Support (https://community.rsa.com/docs/DOC-1294) for assistance on how to increase the number of volumes based on your storage requirements using the RSA Sizing & Scoping Calculator.

  Note: The Concentrator index volume must be allocated on Provisioned IOPS SSD.

  - Index
  - Meta
  - Session
  - Packet

Archiver

EC2 Instance

EPS     Instance Type                              Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
5,000   m4.xlarge (No of CPU: 4, Memory: 16 GB)    No                            Yes
10,000  m4.2xlarge (No of CPU: 8, Memory: 32 GB)   No                            Yes
15,000  m4.4xlarge (No of CPU: 16, Memory: 64 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type               IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD       N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD       N/A
archiver              /dev/sdg   Throughput Optimized HDD  240 MB/s
workbench             /dev/sdh   Throughput Optimized HDD  N/A

Broker

EC2 Instance

Instance Type                            Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
m4.xlarge (No of CPU: 4, Memory: 16 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type          IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD  N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD  N/A
broker                /dev/sdg   General Purpose SSD  N/A

Concentrator - Log Stream

EC2 Instance

EPS     Instance Type                              Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
5,000   m4.xlarge (No of CPU: 4, Memory: 16 GB)    No                            Yes
10,000  m4.2xlarge (No of CPU: 8, Memory: 32 GB)   No                            Yes
15,000  m4.4xlarge (No of CPU: 16, Memory: 64 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type               IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD       N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD       N/A
index,session         /dev/sdg   Provisioned IOPS          10,000
metadb                /dev/sdh   Throughput Optimized HDD  240 MB/s

Packet Stream Solutions

Concentrator - Gigamon Solution

EC2 Instance

Mbps/Gbps   Instance Type                                Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
500 Mbps    c4.4xlarge (No of CPU: 16, Memory: 30 GB)    No                            Yes
1,000 Mbps  c4.8xlarge (No of CPU: 36, Memory: 60 GB)    No                            Yes
1.5 Gbps    m4.10xlarge (No of CPU: 40, Memory: 160 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type               IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD       N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD       N/A
index,session         /dev/sdg   Provisioned IOPS          15,000
metadb                /dev/sdh   Throughput Optimized HDD  240 MB/s

Decoder - Gigamon Solution

EC2 Instance

Mbps/Gbps   Instance Type                              Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
500 Mbps    c4.2xlarge (No of CPU: 8, Memory: 15 GB)   Yes                           Yes
1,000 Mbps  c4.4xlarge (No of CPU: 16, Memory: 30 GB)  Yes                           Yes
1.5 Gbps    c4.8xlarge (No of CPU: 36, Memory: 60 GB)  Yes                           Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type               IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD       N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD       N/A
index,session,meta    /dev/sdg   Throughput Optimized HDD  240 MB/s
packet                /dev/sdh   Throughput Optimized HDD  240 MB/s

Concentrator - Ixia Solution

To be updated when Ixia performance testing is complete.

Decoder - Ixia Solution

To be updated when Ixia performance testing is complete.

ESA and Context Hub on Mongo Database

EC2 Instance

EPS (Aggregation Rate)   Instance Type                               Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
9,000                    m4.2xlarge (No of CPU: 8, Memory: 32 GB)    No                            Yes
18,000                   r4.2xlarge (No of CPU: 8, Memory: 61 GB)    No                            Yes
30,000                   r4.4xlarge (No of CPU: 16, Memory: 122 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type          IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD  N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD  N/A
apps (/opt/rsa)       /dev/sdg   General Purpose SSD  N/A

Log Collector (Syslog, Netflow, and File Collection Protocols)

EC2 Instance

EPS             Instance Type                             Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
30,000 NON SSL  c4.2xlarge (No of CPU: 8, Memory: 15 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type          IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD  N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD  N/A
logcollector          /dev/sdg   General Purpose SSD  N/A

Log Decoder

EC2 Instance

EPS     Instance Type                              Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
5,000   c4.2xlarge (No of CPU: 8, Memory: 15 GB)   Yes                           Yes
10,000  c4.4xlarge (No of CPU: 16, Memory: 30 GB)  Yes                           Yes
15,000  c4.8xlarge (No of CPU: 36, Memory: 60 GB)  Yes                           Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type               IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD       N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD       N/A
index,session,meta    /dev/sdg   Throughput Optimized HDD  240 MB/s
packet                /dev/sdh   Throughput Optimized HDD  240 MB/s

Security Analytics Server, Reporting Engine, Incident Management and Health & Wellness

EC2 Instance

Instance Type                              Enhanced Networking Enabled   Tenancy Type - Dedicated (Run a Dedicated Instance)
m4.2xlarge (No of CPU: 8, Memory: 32 GB)   No                            Yes
m4.4xlarge (No of CPU: 16, Memory: 64 GB)  No                            Yes

EBS Volumes (Storage)

Volumes               Device     Volume Type          IOPS/Baseline Throughput
/ (root)              /dev/sda1  General Purpose SSD  N/A
usr,var,opt,home,tmp  /dev/sdf   General Purpose SSD  N/A
uax,ipdb              /dev/sdg   General Purpose SSD  N/A
redb,rehome           /dev/sdh   General Purpose SSD  N/A

AWS Deployment Rules and Checklist

This topic contains the rules and high-level tasks that you must follow to deploy RSA Security Analytics components in AWS.

Rules

You must adhere to the following rules when deploying Security Analytics in AWS.
- SSH to the Security Analytics Server instance at least once after deployment to initialize the system.
- Do not interrupt the execution of the netconfig.sh script during the first SSH console login to any Security Analytics AWS instance.
- Always use private IP addresses when you provision AWS Security Analytics instances.
- Before you enable the out-of-the-box (OOTB) dashboards, set the default data source in the Reporting Engine configuration page.
- If you reboot the Packet Decoder instance, the tunnel is not retained. Create the tunnel on the Packet Decoder again and restart the decoder service.

Checklist

Step  Description                                                  √
1     Step 1. Establish AWS Environment
2     Step 2. Find RSA Security Analytics (SA) AMIs
3     Step 3. Launch an Instance and Configure a Host
4     Step 4. Configure Hosts (Instances) in Security Analytics
5     Step 5. Configure Packet Capture

Step 1. Establish AWS Environment

1. Make sure that you have an AWS environment with the capacity to meet or exceed the Security Analytics performance guidelines described in AWS Instance Configuration Recommendations.

2. Go to Step 2. Find RSA Security Analytics (SA) AMIs.

Step 2. Find RSA Security Analytics (SA) AMIs

Search for the SA AMI files within the Public/Shared/Community repository. Use "RSA-SA" as the keyword to search for the AMI files.

Note: Refer to the AWS Finding Shared AMIs documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html) for additional instructions.

1. Open the Amazon EC2 console (New Subscriber Account) at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, choose AMIs.

3. In the first filter, choose Public images.

4. Type "RSA-SA" in the search field to find the Security Analytics AMIs.

   Note: Contact RSA Customer Support (https://community.rsa.com/docs/DOC-1294) to obtain access to the RSA-SA-Server-10.6.3.0-01.ami.

5. Go to Step 3. Launch an Instance and Configure a Host.

Step 3. Launch an Instance and Configure a Host

Note: Refer to the AWS "Launching an Instance" documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html) for additional instructions.

1. Select an instance from the grid (for example, RSA-SA-Concentrator-10.6.3.0-01) and click Launch.

2. Choose the RAM and CPUs by selecting the instance type.
   Refer to AWS Instance Configuration Recommendations for guidelines on how to configure the EC2 Instance based on the requirements of the Security Analytics component (that is, service) for which you are launching an instance. The following example has the m4.10xlarge instance type selected with 40 CPUs and 160 GB of RAM.

3. Click Next: Configure Instance Details at the bottom right of the Step 2: Choose an Instance Type page.
   The Step 3. Configure Instance Details page is displayed.
   For Security Analytics, the subnet and VPC are defaulted to the values in the following example.

4. Click Next: Add Storage at the bottom right of the Step 3: Configure Instance Details page.
   The Step 4. Add Storage page is displayed.
   Refer to AWS Instance Configuration Recommendations for guidelines on how to configure storage based on the requirements of the Security Analytics component (that is, service) for which you are launching an instance.

5. Click Next: Add Tags at the bottom right of the Step 4: Add Storage page.
   The Step 5. Add Tags page is displayed. Enter the name of your Instance.

6. Click Next: Configure Security Group at the bottom right of the Step 5: Add Tags page.
   The Step 6. Configure Security Group page is displayed.

   a. Select the "Create a new security group" radio button.

   b. Create a rule that opens the firewall ports required by the Security Analytics component.
      You must configure the security group correctly to configure the instance (host) from the Security Analytics User Interface and SSH to it.

   Note: See the "Network Architecture and Ports" documentation in RSA Link (https://community.rsa.com/docs/DOC-77879) for a comprehensive list of the ports you must set up for all Security Analytics components.

   Note: After you configure a Security Group, you can change it at any time.

7. Click Review and Launch at the bottom right of the Step 6: Configure Security Group page.
   The Step 7. Review Instance Launch page is displayed.

8. Click Launch at the bottom right of the Step 7. Review Instance Launch page.
   The Select an existing key pair or create a new key pair dialog is displayed.

9. Choose Proceed without key pair.

10. Click Launch Instance.
    AWS displays the following information as it builds the Instance.

11. Click View Instances.

12. Select Instances in the left navigation panel to review all instances that AWS is initializing (for example, the SA-Concentrator).
    The IP Address for the new RSA-SA-Concentrator-10.6.3.0-01 host is sample-ip-address.

13. SSH to the newly-created instance using the default Security Analytics credentials.

14. Go to Step 4. Configure Hosts (Instances) in Security Analytics.

Step 4. Configure Hosts (Instances) in Security Analytics

Configure individual hosts and services as described in the RSA Security Analytics Host and Services Configuration Guide. This guide also describes the procedures for applying updates and preparing for version upgrades.

Note: After you successfully launch an instance, AWS assigns a default hostname to it. See the "Change the Name and Hostname of a Host" documentation in RSA Link (https://community.rsa.com/docs/DOC-74112) for instructions on changing a hostname.

Step 5. Configure Packet Capture

You can integrate either of the following third-party solutions with the Packet Decoder to capture packets in the AWS cloud:
- Gigamon® GigaVUE
- Ixia CloudLens™

Integrate Gigamon GigaVUE with the Packet Decoder

There are two main tasks to configure the Gigamon® third-party Tap vendor packet capture solution:

Task 1. Integrate the Gigamon® solution.
Task 2. Configure a tunnel on the Packet Decoder.

Task 1. Integrate the Gigamon Solution

Gigamon® Visibility Platform on AWS will be available through the AWS Marketplace and activated by a BYOL license. A thirty-day free trial is also available.
For more information on the Gigamon® solution, refer to the "Gigamon® Visibility Platform for AWS Data Sheet" (https://www.gigamon.com/sites/default/files/resources/datasheet/ds-gigamon-visibility-platform-for-aws-4095.pdf).
For deployment details, refer to the "Gigamon® Visibility Platform for AWS Getting Started Guide" (https://www.gigamon.com/sites/default/files/resources/deployment-guide/dg-visibility-platform-for-aws-getting-started-guide-4111.pdf).
After the "Monitoring Session" is deployed within the Gigamon GigaVUE-FM, you can configure the Security Analytics Tunnel.

Task 2. Configure Tunnel on the Packet Decoder

1. SSH to the Decoder.

2. Submit the following command strings.

   $ sudo ip link add tun0 type gretap local any remote <ip_address_of_VSERIES_NODE_TUNNEL_INTERFACE> ttl 255
   $ sudo ip link set tun0 up mtu <MTU-SIZE>

   Verify that the tunnel tun0 is listed among the interfaces:

   $ sudo ifconfig

   Make sure that the following kernel modules are loaded:

   $ sudo lsmod | grep gre
   ip_gre 18245 0
   ip_tunnel 25216 1

   If they are not loaded, execute the following commands to load the modules:

   $ sudo modprobe act_mirred
   $ sudo modprobe ip_gre

3. Create a firewall rule in the Packet Decoder to allow traffic through the tunnel.

   a. Open the iptables file.

      vi /etc/sysconfig/iptables

   b. Append the line -A INPUT -p gre -j ACCEPT before the COMMIT statement.

   c. Restart iptables by executing the following commands.

      service iptables restart
      service ip6tables restart

4. Set the interface in the Packet Decoder.

   a. Log in to Security Analytics and select the decoder/config node in Explorer view for the Packet Decoder service.

   b. Set capture.selected = packet_mmap_,tun0.

5. (Conditional) If you have multiple tunnels on the Packet Decoder:

   a. Restart the Decoder service after you create the tunnels in the Packet Decoder.

   b. Log in to Security Analytics, select the decoder/config node in Explorer view for the Packet Decoder service, and set the following parameters.

      capture.device.params = interfaces=tun0,tun1,tun2
      capture.selected = packet_mmap_,All

6. Restart the Decoder service.

   $ sudo restart nwdecoder

The user should be all set to capture the network traffic in the Decoder.
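Because the gretap tunnel is lost on every reboot of the Packet Decoder (see Rules), the steps above are repeated often. The following script is an added example, not part of the RSA guide, that makes Task 2 re-runnable and turns the checks the guide does by eye (lsmod, ifconfig, the iptables file) into functions; it assumes the CentOS 6 service/upstart commands the guide uses, and REMOTE_IP and MTU_SIZE are placeholders for what the guide calls <ip_address_of_VSERIES_NODE_TUNNEL_INTERFACE> and <MTU-SIZE>.

```shell
#!/bin/sh
# Added example (not from the RSA guide): re-create the gretap tunnel to the Gigamon
# V Series node on the Packet Decoder and make the guide's manual checks scriptable.
# Run as root on the Decoder after each reboot:
#   sh gre_tunnel.sh apply <REMOTE_IP> <MTU_SIZE>
# REMOTE_IP and MTU_SIZE are placeholders you supply (hypothetical script name).

TUN=tun0
IPTABLES_FILE=/etc/sysconfig/iptables
GRE_RULE='-A INPUT -p gre -j ACCEPT'

# gre_modules_loaded LSMOD_OUTPUT: succeeds only if both ip_gre and ip_tunnel are
# listed, which is what the guide's "lsmod | grep gre" check is looking for.
gre_modules_loaded() {
    printf '%s\n' "$1" | grep -Eq '^ip_gre[[:space:]]' &&
    printf '%s\n' "$1" | grep -Eq '^ip_tunnel[[:space:]]'
}

# tunnel_present IP_LINK_OUTPUT NAME: succeeds if "ip link show" lists the interface
# (lines look like "3: tun0@NONE: <BROADCAST,...>").
tunnel_present() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+: $2[@:]"
}

# iptables_has_gre_accept FILE: succeeds if the GRE accept rule is already in the file.
iptables_has_gre_accept() {
    grep -qxF -e "$GRE_RULE" "$1"
}

# add_gre_accept_rule FILE: insert the GRE accept rule once, immediately before the
# COMMIT of the *filter table (the file may hold other tables such as *nat first,
# each with its own COMMIT, so "before the commit statement" needs the table tracked).
add_gre_accept_rule() {
    file=$1
    if iptables_has_gre_accept "$file"; then
        return 0
    fi
    awk -v rule="$GRE_RULE" '
        /^\*/ { table = $0 }
        /^COMMIT/ && table == "*filter" && !done { print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# apply REMOTE_IP MTU_SIZE: the guide's Task 2 steps 2, 3 and 6, safe to re-run.
apply() {
    remote=$1
    mtu=$2
    if ! gre_modules_loaded "$(lsmod)"; then
        modprobe act_mirred
        modprobe ip_gre
    fi
    if ! tunnel_present "$(ip link show)" "$TUN"; then
        ip link add "$TUN" type gretap local any remote "$remote" ttl 255
    fi
    ip link set "$TUN" up mtu "$mtu"
    if ! iptables_has_gre_accept "$IPTABLES_FILE"; then
        add_gre_accept_rule "$IPTABLES_FILE"
        service iptables restart
        service ip6tables restart
    fi
    # The Decoder must be restarted once the tunnel exists (guide step 6).
    restart nwdecoder
}

# Only touch the system when explicitly asked; the check functions run unprivileged.
if [ "${1:-}" = "apply" ] && [ $# -eq 3 ]; then
    apply "$2" "$3"
fi
```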

Integrate Ixia with the Packet Decoder

You must complete the following tasks to integrate the Security Analytics Decoder with Ixia CloudLens.

Task 1. Deploy Client Machines
Task 2. Create CloudLens Project
Task 3. Install Docker Container on Decoder
Task 4. Install Docker Container on Clients
Task 5. Map Packet Decoder to Ixia Clients
Task 6. Validate CloudLens Packets Arriving at Decoder
Task 7. Set Interface in Packet Decoder

Task 1. Deploy Client Machines

- Deploy the client machines from which you want to route traffic to the Security Analytics Decoder. See the Ixia CloudLens documentation (https://store.ixiacom.com/product/cloudlens-public) for the specifications of supported client machines.

Task 2. Create CloudLens Project

Complete the following steps to create a new project and get your project key.

1. Get CloudLens login credentials and access to a sandbox.

   a. Create an Ixia login account at https://login.ixiacom.com/.

   b. Send your Ixia login account email to [email protected] so Ixia can provide you with access to the Sandbox.

2. Go to the CloudLens public site (https://www.ixia-sandbox.cloud/).

3. Click + (add) to create a new project with a name of your choosing (for example, Netwitness-IxiaIntegration).

4. Click on your newly created project and make note of your Project Key.
   You need the key later for the API key configured on the Host & Tool agents.

Task 3. Install Docker Container on Decoder

Complete the following steps to install the Docker container onto the Security Analytics Decoder.

1. SSH to the Packet Decoder.

2. Enter the following command to install the EPEL release RPM (the repository that provides the Docker package) onto the Decoder.

   # rpm -iUvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

3. Edit the /etc/yum.repos.d/CentOS-Base.repo file to enable the required repositories by changing enabled=0 to enabled=1 for all repos.

4. Enter the following commands to complete the installation of the Docker service on the Decoder.

   # yum clean all
   # yum -y install docker-io

5. Enter the following command to start the Docker service.

   # service docker start

6. Enter the following commands to:
   - Access the Ixia repository and obtain the cloudlens-sandbox-agent container.
   - Replace the ProjectKeyFromIxiaProjectPortal variable, which identifies your project key in the Ixia portal, with the Project Key you created in Task 2. Create CloudLens Project.

   docker run --name ca \
     -v /:/host \
     -d --restart=always \
     --net=host \
     --privileged \
     ixiacom/cloudlens-sandbox-agent \
     --server agent.ixia-sandbox.cloud \
     --accept_eula y \
     --apikey ProjectKeyFromIxiaProjectPortal

   Note: With --privileged, --net=host and the host root filesystem mounted at /host, the agent container has the same access to the Decoder as root, so the Project Key and the agent image deserve the same protection as the Decoder's own credentials.

Task 4. Install Docker Container on Clients

Complete the following steps to install the Docker container onto the client machines whose
traffic you want to route to the Security Analytics Decoder.
1. SSH to the AWS Client instance.

2. Enable root access to OS CLI (for example sudo su -).

3. Enter the following command to install Docker.
# yum -y install docker

Caution: You must enable the required repository to install the Docker RPM on the AWS
Client instance.

4. Enter the following command to start the Docker service.
# service docker start


5. Enter the following command to:

- Access the Ixia repository and obtain the cloudlens-sandbox-agent container.

- Replace the variable ProjectKeyFromIxiaProjectPortal, which identifies your project key in the Ixia portal, with the Project Key you created in the previous section.

docker run --name ca \
-v /:/host \
-d --restart=always \
--net=host \
--privileged \
ixiacom/cloudlens-sandbox-agent \
--server agent.ixia-sandbox.cloud \
--accept_eula y \
--apikey ProjectKeyFromIxiaProjectPortal

Warning: If you cut and paste commands from a PDF, first paste them into a text editor such
as Notepad to confirm the syntax before pasting into the OS CLI. Direct cut and paste
between PDF and CLI can carry dashes or other special characters that should not be part of
the commands (for example, an en dash in place of the hyphen in -y).
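The following is an added example, not part of the RSA guide: a small Python checker that flags the characters PDF copy-and-paste typically introduces (en and em dashes, curly quotes, non-breaking spaces, soft hyphens) and proposes an ASCII-only version of the command for you to review before running it on the Decoder or client instance. The substitution table and sample command are constructed for the example.

```python
"""Check a command pasted from a PDF for characters that break the CLI."""
import unicodedata

# Characters that PDF renderers commonly substitute, mapped to what the
# command almost certainly meant. Anything else outside printable ASCII
# is reported but left unchanged for the operator to decide.
SUBSTITUTIONS = {
    "\u2013": "-",   # en dash, e.g. "yum –y" instead of "yum -y"
    "\u2014": "-",   # em dash
    "\u2012": "-",   # figure dash
    "\u2018": "'",   # left single curly quote
    "\u2019": "'",   # right single curly quote
    "\u201c": '"',   # left double curly quote
    "\u201d": '"',   # right double curly quote
    "\u00a0": " ",   # non-breaking space
    "\u00ad": "",    # soft hyphen inserted at PDF line wraps
}


def find_suspicious(cmd):
    """Return (offset, char, unicode_name) for every character in cmd that
    is outside printable ASCII; tabs and newlines are allowed."""
    found = []
    for i, ch in enumerate(cmd):
        if ch in "\t\n":
            continue
        if ord(ch) < 0x20 or ord(ch) > 0x7E:
            found.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return found


def sanitize(cmd):
    """Apply the known substitutions; unknown characters are kept so that
    find_suspicious() on the result still reports them."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in cmd)


def check_pasted_command(cmd):
    """Return (is_clean, issues, proposed) for a pasted command string."""
    issues = find_suspicious(cmd)
    return (not issues, issues, sanitize(cmd))


if __name__ == "__main__":
    # Constructed sample: the guide's install command as a PDF pastes it,
    # with an en dash where the hyphen before "y" should be.
    clean, issues, fixed = check_pasted_command("yum \u2013y install docker-io")
    for offset, ch, name in issues:
        print(f"offset {offset}: {name} ({ch!r})")
    print("proposed:", fixed)
```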

Task 5. Map the Packet Decoder to Ixia Clients

Complete the following steps to map the Packet Decoder to the client machines to route the
traffic to the Packet Decoder.
1. Go to the Cloudlens public site (https://www.ixia-sandbox.cloud/).

2. Double-click on your project to open it.

3. Click the Define Group button or the Instances count.
You should see two instances listed, one for your decoder and the other for the client machines.

4. Filter for the decoder instance and click Save Search.

5. Choose Save as a tool.

6. Specify a name for the tool, and the Aggregation Interface.
Use a meaningful name for the Aggregation Interface (for example, CloudTAP). This is a
virtual interface that appears in the OS where your Tool is installed. You need to instruct
your tool to 'listen' to that interface in a subsequent step.

7. Filter the client host instance from the list, and click Save Search.

8. Navigate back to the top-level view of the project.
Your client machine instance and Decoder instance are now displayed.


9. Drag a connection between your client machine instance and the Decoder instance to allow
the flow of packets.

Task 6. Validate CloudLens Packets Arriving at Decoder

Complete the following steps to validate that packets are actually arriving at the Packet
Decoder.
1. SSH to the Packet Decoder.

2. Enter the following command.
ifconfig
The new aggregation interface you created is displayed.

3. Generate traffic from the client OS instance CLI (for example, wget
http://www.google.com/).

4. SSH to the Packet Decoder to return to its instance CLI.


5. Enter the following command to confirm that the client's traffic is arriving on the aggregation interface (use the interface name shown by ifconfig).
tcpdump -i cloudlens0

Task 7. Set the Interface in the Packet Decoder

Complete the following steps in the Packet Decoder to set the interface to use for the Ixia
integration.
1. SSH to the Packet Decoder.

2. Enter the following command to restart the decoder service.
$ sudo restart nwdecoder
The Packet Decoder is now set to capture network traffic.

3. Log in to Security Analytics and click Administration > Services.

4. In the Admin Services view, select a Decoder service and click > View > Explore.

5. Expand the decoder node and click config to view the configuration settings.

6. Set the capture.selected parameter to the following value.
packet_mmap_,cloudlens0(bpf)

7. (Conditional) If you have multiple capture interfaces on the Packet Decoder, set the
parameters to the following values.
capture.device.params --> interfaces=cloudlens0,cloudlens1
capture.selected --> packet_mmap_,All

8. Restart the Decoder service after you set the capture.selected parameter.
