
Installation of Sourcefire 3D FireSIGHT Defense Center and Virtual Appliance

Contents
Introduction
  Host Requirements
  Feature Comparison
Initial Setup
Login via Web Interface
Adding of Licenses
Additional Configuration Changes
  User Management
  System Configuration
Adding of Managed Devices
  Host Requirements
  Feature Comparison
Setting up the Managed Devices
Adding the Managed Devices
Create an IPS policy
Create a protection policy
Verifying of Incidents

Introduction
This installation guide covers the installation of the FireSIGHT Defense Center virtual appliance,
licensing it, registering a virtual managed device, and creating a first intrusion policy and access
control policy.

Host Requirements
The table below summarizes the requirements for the Defense Center virtual machine.

Host OS    Official support: ESXi 5.x. Unofficial support: VMware Workstation, Oracle VirtualBox
Memory     4 GB
Storage    250 GB (thick provisioning recommended rather than thin)
vCPU       4
NIC        1 x 1 Gbps

Feature Comparison
All features are supported across the Defense Center appliances except for the following:

Feature or Capability           Series 2 Defense Center   Series 3 Defense Center   Virtual Defense Center
Establish High Availability     Yes                       Yes                       No
Install Malware Storage Pack    DC1000, DC3000            Yes                       No

Initial Setup
Import the OVF (ESXi version) into the host. Once deployed, power on the appliance and wait for the
login prompt to appear. It may take anywhere from 20 to 35 minutes for the initial login prompt to
appear, depending on host performance.

Once the first-boot script has run successfully, the login prompt appears. You may need to hit the
Enter key a few times to see it. The default credentials are admin/Sourcefire.

Type ifconfig eth0 to verify the IP address of the appliance. The default is 192.168.45.45. You will
usually want to change it to suit your environment; the remaining settings can be changed later via the
web interface.

To change the IP address of the virtual appliance, type:

sudo ifconfig eth0 192.168.46.2 netmask 255.255.255.0 up

You will be prompted for the default password (Sourcefire) to complete the command. Note that an
address set with ifconfig is not persistent across reboots: once you can reach the web interface, make
the address, netmask and gateway permanent under System -> Local -> Configuration (Network), and change
the default admin password before exposing the management interface to anything other than your own
workstation.

Login via Web Interface

Once done, use Firefox or Internet Explorer 9.0 or later and browse to https://192.168.46.2
The browser will warn about the appliance's self-signed certificate; this is expected on a fresh install
and the certificate can be replaced later under System -> Local -> Configuration.

Enter the username admin and the password Sourcefire, then click Log in.
You will be presented with the initial setup page, where you can change the password and enter other
relevant information such as licensing and managed devices. In this example we only change the password,
gateway, DNS IP addresses and hostname and accept the End User License Agreement. The remaining options
can be changed via the GUI in later sections.

Scroll down, agree to the EULA by ticking the checkbox and click Apply. The process may take around 2 to
5 minutes to complete.

You will be redirected automatically to the main dashboard once the internal system processing is
completed.

Adding of Licenses
The license file is obtained from Cisco: you give Cisco the license key shown by the Defense Center and
Cisco returns a license file that you then apply. In this example we install a 45-day Protection license
for one managed device and the FireSIGHT management software license.
System -> License -> Add New License

The license key is generated automatically by the system from the eth0 MAC address, so the license is
tied to that interface; re-creating the virtual machine with a different MAC address will invalidate it.
Submit the license key to Cisco so that they can generate the set of license files for you to install
on the Defense Center.
An example of the file generated by Cisco is as follows:

Copy and paste the content of the license file into the textbox provided and click Submit License.
In this example we do this twice: once for the virtual managed device license and once for the FireSIGHT
license itself.

Wait for the confirmation screen to verify that the license was accepted, then scroll down and click the
Return to License Page button.

Repeat the above steps for the FireSIGHT license.

When we return to the licensing page we can see the two licenses installed.

Additional Configuration Changes

User Management

System -> Local -> User Management

Here we can change passwords, add accounts, manage user roles and link authentication to an external AAA
server. Create individual accounts rather than sharing admin, and restrict each role to what the user
actually needs.

System Configuration

System -> Local -> Configuration

Here we can modify the certificate settings, link the Defense Center to an external database, and change
network settings such as the gateway, DNS and proxy servers.
Additionally we can reconfigure the management interface, change the time settings, and shut down or
reboot the appliance from the Process option.

Adding of Managed Devices

In this example we add a virtual 3D System appliance (the managed device) to the Defense Center. Just
like the Defense Center, import the OVF file into the host server.

Host Requirements
The table below lists the requirements the host server must meet to support the virtual 3D System
appliance.

Host OS    Official support: ESXi 5.x. Unofficial support: VMware Workstation, Oracle VirtualBox
Memory     4 GB
Storage    40 GB (thick provisioning recommended rather than thin)
vCPU       4
NIC        3 x 1 Gbps (the first adapter is used for management; the second and third carry the
           inspected traffic)

Feature Comparison
The following table highlights the differences between the various managed devices.

Feature or Capability                              Series 2 Devices   Series 3 Devices                     Virtual Device
Security Intelligence filtering                    No                 Yes                                  Yes
access control: geolocation-based filtering        No                 Yes                                  Yes
access control: application control                No                 Yes                                  Yes
access control: user control                       No                 Yes                                  Yes
access control: literal URLs                       No                 Yes                                  Yes
access control: URL filtering by category and
  reputation                                       No                 Yes                                  Yes
network-based advanced malware protection (AMP)    No                 Yes                                  Yes
fast-path rules                                    3D9900             8000 Series                          No
strict TCP enforcement                             No                 Yes                                  No
configurable bypass interfaces                     Yes                Yes, except where hardware limited   No
tap mode                                           Yes                Yes                                  No
switching and routing                              No                 Yes                                  No
NAT policies                                       No                 Yes                                  No
VPN                                                No                 Yes                                  No
device stacking                                    3D9900             3D8140, 82xx Family, 83xx Family     No
device clustering                                  No                 Yes                                  No
clustered stacks                                   No                 3D8140, 82xx Family, 83xx Family     No
malware storage pack                               No                 Yes                                  No
Sourcefire-specific interactive CLI                No                 Yes                                  Yes
connect to an eStreamer client                     Yes                Yes                                  No

Setting up the Managed Devices

Import the OVF (ESXi version) into the host. Once deployed, power on the appliance and wait for the
login prompt to appear. It may take anywhere from 20 to 35 minutes for the initial login prompt to
appear, depending on host performance.

The default username is admin and the password is Sourcefire. Hit Enter to display the End User License
Agreement and press the spacebar to scroll through the pages.
Type YES to accept the agreement; otherwise you cannot continue with the installation.

The following prompts ask for a new password, the IPv4 and/or IPv6 configuration, the domain name, the
DNS server, and whether the sensing interfaces are to be configured in Inline or Passive mode.

Once completed, the system runs some internal scripts and continues with the installation process.

This may take a while. Once the prompt returns, we need to add the Defense Center IP address and a
registration key (shared secret) so that the Defense Center can communicate with the virtual appliance.
The command is as follows:

Once completed, test ping connectivity from the virtual appliance to the Defense Center:
> expert
sudo ping 192.168.46.2
A successful ping only proves IP reachability; the management channel itself runs over TCP port 8305
between the device and the Defense Center, so make sure nothing filters that port between them.
Commands such as ifconfig -a | more display all three NICs with their corresponding MAC addresses.
Check the settings on the host machine to ensure that the adapters are mapped to the correct virtual
networks. The port groups carrying the two sensing interfaces must also allow promiscuous mode,
otherwise the sensor will not see the traffic in passive mode.

Adding the Managed Devices

Click on Devices -> Device Management
Select Add Device

Type in the IP address of the managed device and the Registration Key (the shared secret you entered on
the device; it must match exactly). Select the Default Network Discovery policy as the default policy
and select the licensed features for the product.

Click Register and wait for about 1 to 2 minutes.

Create an IPS policy

Policies -> Intrusion -> Intrusion Policy
Click on Create Policy

Type in the name of the policy and select a base policy. The base policy supplies the default rule
states that our policy starts from; we can then override those defaults with our own customized values.
Choose No Rules Active for a fresh, clean policy to start with. Be aware that such a policy detects
nothing until you enable rules yourself; for a production deployment, one of the supplied base policies
such as Balanced Security and Connectivity is the usual starting point.

Click on Manage Rules to edit the current policy.

A vast number of signature IDs (SIDs) are displayed. We can search via the left-hand column or type in
the SID if we know the number.

Type 16363 in the Filter row and hit Enter. A single entry appears.
The icon next to a rule indicates its state:
  a signature that is disabled;
  a signature that is enabled and generates events when triggered;
  a signature that is enabled, generates events and drops the connection when triggered.

You can also click on the Show details button and scroll down to read a summary of what the signature
does, or to modify its threshold or set limits if required.

Click on the green arrow, change the state to Drop and Generate Events and click OK. A drop only takes
effect when the device is deployed inline; in passive mode the rule still generates an event and the
event is marked as one that would have been dropped.

Type the words Bad login to search by signature name. This method is useful when the signature ID is not
known. The search is case sensitive.

Once done, click on the Policy element in the left-hand column and click Commit Changes once ready.

Enter an appropriate description to complete the commit.
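The rule-state and lookup behaviour described above, as an added example that is not part of the original guide or of any Sourcefire code. It parses Snort-format rule text (the format Sourcefire intrusion rules use) into the three states shown in Manage Rules (disabled, generate events, drop and generate events) and reproduces the two lookups the guide performs: by SID and by a case-sensitive substring of the rule message. The sample rules are constructed for this example with local-range SIDs; none of them is real signature content, and in a real Defense Center the state lives in the intrusion policy rather than in the rule text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not Sourcefire code. A "# " prefix stands for a disabled rule
# and a "drop" action for Drop and Generate Events, which is how a plain Snort
# rules file expresses the states the Manage Rules screen shows as icons.

DISABLED = "disabled"
GENERATE = "generate_events"
DROP = "drop_and_generate_events"

# Constructed sample rule set for this example; not real Sourcefire signatures.
SAMPLE_RULES = """
# Constructed sample rule set (not real signature content)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Bad login"; content:"530 "; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH bad login attempt"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB suspicious bad login page"; sid:1000003; rev:2;)
"""

RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


@dataclass
class Rule:
    sid: int
    msg: str
    header: str   # e.g. 'tcp $EXTERNAL_NET any -> $HOME_NET 21'
    options: str  # raw text between the parentheses
    state: str


def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse Snort-format rule lines into Rule objects keyed by SID."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        sid_m = SID_RE.search(m.group("options"))
        msg_m = MSG_RE.search(m.group("options"))
        if not (sid_m and msg_m):
            continue  # without sid and msg the rule cannot be managed by SID or name
        if m.group("disabled"):
            state = DISABLED
        elif m.group("action") == "drop":
            state = DROP
        else:
            state = GENERATE
        sid = int(sid_m.group(1))
        rules[sid] = Rule(sid, msg_m.group(1), m.group("header"), m.group("options"), state)
    return rules


def find_by_sid(rules: Dict[int, Rule], sid: int) -> Optional[Rule]:
    """The 'type the SID into the Filter row' lookup."""
    return rules.get(sid)


def find_by_message(rules: Dict[int, Rule], needle: str) -> List[Rule]:
    """The 'search by signature name' lookup; case sensitive, as the guide notes."""
    return [r for r in rules.values() if needle in r.msg]


def set_state(rule: Rule, state: str) -> Rule:
    """Equivalent of choosing a new state from the rule's arrow menu."""
    if state not in (DISABLED, GENERATE, DROP):
        raise ValueError(f"unknown rule state: {state}")
    rule.state = state
    return rule


def render(rule: Rule) -> str:
    """Write the rule back out as Snort text carrying its current state."""
    action = "drop" if rule.state == DROP else "alert"
    line = f"{action} {rule.header} ({rule.options})"
    return f"# {line}" if rule.state == DISABLED else line


def state_summary(rules: Dict[int, Rule]) -> Dict[str, int]:
    """How many rules are in each state; worth checking before committing a policy."""
    counts = {DISABLED: 0, GENERATE: 0, DROP: 0}
    for r in rules.values():
        counts[r.state] += 1
    return counts


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(state_summary(rules))
    set_state(find_by_sid(rules, 1000001), DROP)
    for r in find_by_message(rules, "Bad login"):
        print(render(r))
```

Searching for "Bad login" returns only the first sample rule, while "bad login" returns the other two, which is exactly the case-sensitivity trap the guide warns about when searching by name.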

Create a protection policy

Policies -> Access Control -> New Policy

Type an appropriate name for the access control policy. In this example we used newAccessPolicy and set
the default action to Block All Traffic. With this default, any flow that does not match an Allow rule
is dropped as soon as the policy is applied, so make sure the rules you add cover everything you expect
to pass.

Select Add Rule

Specify a rule name. In our scenario we permit all traffic between private networks BUT inspect it with
the IPS policy we created. Click on the Networks tab and add Private Networks to both the Source and
Destination networks. Ensure the Action is set to Allow.

Click on the Inspection tab.

In the Intrusion Policy drop-down, select the IPSPolicy we created earlier. Click the Add button once
done.

Click on the Targets tab and ensure that our virtual appliance is selected. If it is not selected, click
on its name and move it to the selected list.

Once ready, click on the Save and Apply button.

Click on Apply All and review the status.

"Applying to 1 devices" indicates that the policy is still being pushed to the managed device and is not
yet in effect.

"Up-to-date on 1 devices" indicates that the policy is active on the appliance.
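How the policy just built is evaluated, as an added example that is not part of the original guide or of any Sourcefire code: rules are tried top-down, the first rule whose source and destination both match decides the action, an Allow rule carries the intrusion policy chosen on the Inspection tab, and anything that matches no rule falls through to the default action. It assumes the Private Networks object is the three RFC 1918 ranges, and the rule name allow-private-inspected and the test flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not Sourcefire code. Models first-match evaluation of an
# access control policy with a default action, as built in the guide.

# Assumption: "Private Networks" in the UI corresponds to the RFC 1918 ranges.
PRIVATE_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)
ANY = (ipaddress.ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                   # "allow" or "block"
    sources: Tuple                # tuple of ip_network objects
    destinations: Tuple
    intrusion_policy: Optional[str] = None  # Inspection tab; only meaningful for "allow"


@dataclass
class AccessControlPolicy:
    name: str
    default_action: str           # "block" for the guide's Block All Traffic
    rules: List[AccessRule] = field(default_factory=list)


@dataclass(frozen=True)
class Verdict:
    action: str
    matched_rule: str
    intrusion_policy: Optional[str]


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def evaluate(policy: AccessControlPolicy, src: str, dst: str) -> Verdict:
    """Return the verdict for one flow; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy.rules:
        if _in_any(s, rule.sources) and _in_any(d, rule.destinations):
            inspect = rule.intrusion_policy if rule.action == "allow" else None
            return Verdict(rule.action, rule.name, inspect)
    return Verdict(policy.default_action, "default action", None)


def guide_policy() -> AccessControlPolicy:
    """newAccessPolicy as the guide builds it: Block All default plus one Allow
    rule for Private Networks -> Private Networks inspected by IPSPolicy."""
    rule = AccessRule(
        name="allow-private-inspected",  # hypothetical rule name
        action="allow",
        sources=PRIVATE_NETWORKS,
        destinations=PRIVATE_NETWORKS,
        intrusion_policy="IPSPolicy",
    )
    return AccessControlPolicy(name="newAccessPolicy", default_action="block", rules=[rule])


if __name__ == "__main__":
    policy = guide_policy()
    # Constructed flows: one inside the private ranges, one leaving them.
    for src, dst in (("192.168.46.10", "10.1.2.3"), ("192.168.46.10", "8.8.8.8")):
        v = evaluate(policy, src, dst)
        print(f"{src} -> {dst}: {v.action} via {v.matched_rule}, IPS={v.intrusion_policy}")
```

The second flow shows the consequence of Block All Traffic that the guide does not spell out: a host inside the private ranges talking to a public address matches no rule and is dropped by the default action, not merely left uninspected. The Verdict also carries the intrusion policy only for Allow matches, mirroring that inspection settings on a Block rule have no effect.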

Verifying of Incidents
There are several ways to view and track incidents. Below are some screenshots, for example from
Analysis -> Intrusions -> Events, that can be explored to investigate the various incidents.