In this blog post, I'm going to go over the common administration elements of the StealthWatch appliance.
SMC
Login to the StealthWatch Web App and navigate to Admin User>Administer Appliance. You will be brought to the appliance administration page:
Naming and DNS
Navigate to Configuration>Naming and DNS to configure the following:
- Host Name
- Domain Name
- DNS Timeout Value
- Cache size
- Local Resolution (Host file)
System Time and NTP
Navigate to Configuration>System Time and NTP to configure the following:
- NTP servers
- Time Zone
Services
Navigate to Configuration>Services to configure the following:
- SNMP
- SSH
- SSH Root access
- Advanced Intrusion Detection Environment (AIDE) - This enables host baselining, which detects modifications to critical files on the system
- Syslog over TLS
- Proxy server settings
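To show what the AIDE-style host baselining enabled above actually does, here is an added illustration (not StealthWatch or AIDE code): it records a fingerprint of each monitored file and classifies what changed on a later scan. The monitored paths are assumed; any list of files works.

```python
import hashlib
import os
import stat

# Added illustration of file-integrity baselining, not the appliance's own code.

def fingerprint(path):
    """Return (sha256, size, mode) for a file, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))

def build_baseline(paths):
    """Map each monitored path to its fingerprint (None records an absent file)."""
    return {p: fingerprint(p) for p in paths}

def compare_to_baseline(baseline):
    """Re-scan the baselined paths and return (path, change_kind) findings."""
    findings = []
    for path, old in baseline.items():
        new = fingerprint(path)
        if old is None and new is not None:
            findings.append((path, "added"))
        elif old is not None and new is None:
            findings.append((path, "removed"))
        elif old != new:
            # A differing hash is a content change; same hash means only
            # size/mode differ, which here can only be a permission change.
            kind = "modified" if old[0] != new[0] else "mode-changed"
            findings.append((path, kind))
    return findings

if __name__ == "__main__":
    # Assumed paths; on a real host these would be the critical system files.
    watched = ["/etc/passwd", "/etc/ssh/sshd_config", "/etc/hosts"]
    baseline = build_baseline(watched)
    for path, kind in compare_to_baseline(baseline):
        print(f"{kind}: {path}")
```

Persist the baseline somewhere the monitored host cannot rewrite it, otherwise an attacker who modifies a file can also re-baseline it.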
Static Routing
Navigate to Configuration>Static Routing to configure static routes
SSL Certificates
Navigate to Configuration>SSL Certificates to configure both the SSL certificate and SSL client certificates (used for pxGrid integration later)
Certificate Authority Certificates
Navigate to Configuration>Certificate Authority Certificates to upload certificates of trusted root CAs
Remote File System
Navigate to Configuration>Remote File System to configure the remote file system to store database backups
Global Settings
Navigate to Configuration>Global Settings to configure the following:
- Password Policy
- Opening Message
- Session Timeout
- FIPS Mode
Licensing
As I stated in a previous post, we can add licensing later to the StealthWatch Management Console. Navigate to Configuration>Licensing to activate licenses or upload offline licenses.
Managing Users
You can add users or change your password by navigating to one of the following:
- Manage Users>Add/Delete Users
- Manage Users>Change Password
These are pretty self-explanatory.
Backup/Restore database or configuration
You can perform a backup or restore of the SMC database by navigating to Support>Backup/Restore Database {Configuration}
Browse Files
Navigate to Support>Browse Files to display the file system within the /lancope/var folder on the appliance.
Packet Capture
Navigate to Support>Packet Capture to use the capture functionality provided by the tcpdump utility, which monitors network traffic by capturing and displaying packet headers; you may also match the captured packets against a set of filter criteria.
Update
Navigate to Support>Update to upload update files and install them
Diagnostics Pack
Navigate to Support>Diagnostics Pack to generate and download diagnostic information from the appliance
Audit Log
To view the audit log for system and configuration changes, navigate to Audit Log
Restarting and Shutting Down the Appliance
To shutdown or restart the appliance, navigate to Operations>{Restart Appliance | Shutdown Appliance}
Exit out of the Administer Appliance window and go back to your SMC dashboard. Now I'll walk through some of the different things to configure here.
Active Directory Configuration
Next we will configure Active Directory integration. To integrate Active Directory with the StealthWatch system, you should have one of the following identity sources:
- Cisco ISE (Preferred Method)
- StealthWatch IDentity
- Palo Alto Network Firewall
- Cisco ASA
How useful it is to integrate AD with the SMC depends on the quality of the user information in Active Directory. The following AD attributes will be available after integration with StealthWatch:
- Full Name
- Email address
- Phone Number
- Location
- Role/Designation
- Group
- Manager Name
You also may integrate multiple AD servers in the SMC and change the order in which SMC polls the AD servers for user information.
Note: This AD integration does NOT map users to IP addresses. You would need an external identity source like ISE to do so. This integration only gathers additional contextual information about users for you.
To configure Active Directory integration, navigate to Tools>Settings>Active Directory Configuration and click on the Add New Configuration button:
On the next page, fill out the applicable information to add Active Directory and click Save when done:
If it is configured correctly and the SMC is able to connect to the AD server, you should get the following pop-up:
FlowCollector
Most of the administrative settings in the FlowCollector are very similar to the SMC's, so I'll only go over the ones that are different.
Management Systems Configuration
This is where you configure one or more external management systems, such as an SMC or SIEM, and establish communication between them and this appliance. To configure this in the FlowCollector, navigate to Configuration>Management Systems Configuration and click on Add New Management System.
On this page, you may also check the box to accept connections from any management system. This is not advised if the FlowCollector will be outside your firewall, since you may then be accepting connections from systems you do not want to accept connections from.
Advanced Settings
The advanced settings page lists settings that can be used to change the behavior of the StealthWatch system. It's not advised to change them unless Lancope support tells you to, as a mistake here can seriously impact the FlowCollector.
To change these settings or view them, navigate to Support>Advanced Settings
There are a few other SMC/FC administrative functions that I will save for their own separate blog posts:
- External Lookup
- Proxy Ingest
- ISE Integration