Cisco Defense Orchestrator

Install Multiple SECs Using Your VM Image

The Secure Event Connector (SEC) forwards events from ASA and FTD to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud, depending on your licensing. 

You can install more than one Secure Event Connector (SEC) on your tenant and direct events from your ASAs and FTDs to any of the SECs you install. Having multiple SECs allows you to have SECs installed in different regions and distribute the work of sending events to the Cisco cloud. 

This article describes installing a second, third, or other additional SEC for your tenant. It assumes that you have already installed one SEC.

Installing multiple SECs using your own VM image is a three part process. These three tasks are described in this article: 

  1. Install a CDO Connector, to Support an On-Premises SEC, Using a VM Image You Create.
  2. Perform some additional configuration steps for your VM.
  3. Install an Additional Secure Event Connector.

Note: Using a CDO VM image for the CDO Connector is the easiest, most accurate, and preferred method of installing a CDO connector. If you want to use that method, see Install Multiple SECs for your Tenant Using a CDO VM Image.

1. Install a CDO Connector, to Support an On-Premises SEC, Using Your VM Image

The CDO Connector is a light-weight SDC. The installation of this light-weight SDC is solely to support an additional SEC for Cisco Security Analytics and Logging (SaaS) customers. You use installation methods similar to those for installing a full-featured SDC, but the bootstrap data you copy from the SEC deployment window triggers the installation of the CDO Connector.

Prerequisites

  • Purchase the Cisco Security Analytics and Logging, Logging and Troubleshooting license. You may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply SWC analytics to the events.

Alternatively, you can request a trial version of Security Analytics and Logging: log in to CDO, on the main navigation bar select Monitoring > Event Logging, and click Request Trial.

  • CDO requires strict certificate checking and does not support a Web/Content Proxy between the CDO Connector and the Internet.
  • The CDO Connector must have full outbound access to the Internet on TCP port 443.
  • Review Connect to Cisco Defense Orchestrator using Secure Device Connector to ensure proper network access for the CDO Connector.
  • VMware ESXi host installed with vCenter web client or ESXi web client.
    • Note: We do not support installation using the vSphere desktop client.
  • ESXi 5.1 hypervisor.
  • CentOS 7 guest operating system.
  • System requirements for a VM to host only a CDO Connector and an SEC. 
    • CPU: Assign 4 CPUs to accommodate the SEC.
    • Memory: Assign 8 GB of memory for the SEC. 
    • Disk Space: 10 GB
  • After you have updated the CPU and memory on the VM, power on the VM and ensure that the Secure Connectors page indicates that the SDC has reported a heartbeat in the last ten minutes and is in the "Active" state. 
  • Users performing this procedure should be comfortable working in a Linux environment and using the vi visual editor for editing files.
  • If you are installing your CDO Connector on a CentOS virtual machine, we recommend you install Yum security patches on a regular basis. Depending on your Yum configuration, to acquire Yum updates, you may need to open outbound access on port 80 as well as 443. You will also need to configure yum-cron or crontab to schedule the updates. Work with your security-operations team to determine if any security policies need to change to allow you to get the Yum updates.
  • Gather this information before you begin the installation:
    • Static IP address you want to use for your CDO Connector. 
    • Passwords for the root and cdo users that you create during the installation process.
    • The IP address of the DNS server your organization uses. 
    • The gateway IP address of the network the CDO Connector address is on. 
    • The FQDN or IP address of your time server. 
  • The on-premises CDO Connector virtual machine is configured to install security patches on a regular basis; to do this, outbound access on port 80 is required.

Procedure

Before you get started: Do not copy and paste the commands in this procedure into your terminal window; type them instead. Some commands include an "n-dash", and in the cut-and-paste process it can be converted to an "m-dash", which may cause the command to fail.

  1. From the Secure Device Connectors page, click the blue plus button and click Secure Event Connector.
  2. Copy the SEC Bootstrap Data in step 2 of the "Deploy an On-Premises Secure Event Connector" window to a notepad.
  3. Install a CentOS 7 virtual machine with at least the RAM and disk space listed in the prerequisites above (8 GB of memory and 10 GB of disk) allotted to the CDO Connector.
  4. Once installed, configure basic networking such as specifying the IP address for the CDO Connector, the subnet mask, and gateway.
  5. Configure a DNS (Domain Name Server) server.
  6. Configure a NTP (Network Time Protocol) server.
  7. Install an SSH server on CentOS for easy interaction with CDO Connector's CLI.
  8. Run a Yum update and then install the packages open-vm-tools, net-tools, and bind-utils:
[root@sdc-vm ~]# yum update -y
[root@sdc-vm ~]# yum install -y open-vm-tools net-tools bind-utils
  9. Install the AWS CLI package (https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-linux.html).

Note: Do not use the --user flag

  10. Install the Docker CE packages (https://docs.docker.com/install/linux/docker-ce/centos/#install-docker-ce).

Note: Use the “Install using the repository” method

  11. Start the Docker service and enable it to start on boot:
[root@sdc-vm ~]# systemctl start docker
[root@sdc-vm ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to
    /usr/lib/systemd/system/docker.service.
  12. Create two users: "cdo" and "sdc". The cdo user is the one you log in as to run administrative functions (so you don't need to use the root user directly), and the sdc user runs the CDO Connector docker container.
[root@sdc-vm ~]# useradd cdo
[root@sdc-vm ~]# useradd sdc -d /usr/local/cdo
  13. Set a password for the cdo user.
[root@sdc-vm ~]# passwd cdo 
Changing password for user cdo. 
New password: <type password> 
Retype new password: <type password> 
passwd: all authentication tokens updated successfully.
  14. Add the cdo user to the "wheel" group to give it administrative (sudo) privileges.
[root@sdc-vm ~]# usermod -aG wheel cdo
[root@sdc-vm ~]#
  15. When Docker is installed, a user group is created. Depending on the version of CentOS/Docker, this group may be called either "docker" or "dockerroot". Check the /etc/group file to see which group was created, and then add the sdc user to this group.
[root@sdc-vm ~]# grep docker /etc/group
docker:x:993:
[root@sdc-vm ~]#
[root@sdc-vm ~]# usermod -aG docker sdc
[root@sdc-vm ~]#
  16. If the /etc/docker/daemon.json file does not exist, create it and populate it with the contents below. Once created, restart the docker daemon.

Note: Make sure that the group name entered in the “group” key matches the group you found in the /etc/group file in step 15.

[root@sdc-vm ~]# cat /etc/docker/daemon.json
{
     "live-restore": true,
     "group": "docker"
}
[root@sdc-vm ~]# systemctl restart docker
[root@sdc-vm ~]#
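The note above asks you to confirm by hand that the "group" key in daemon.json names the group Docker actually created. The following shell functions, an added example that is not part of the Cisco article, automate that check on copies of /etc/group and /etc/docker/daemon.json: they find whichever of "docker" or "dockerroot" exists, compare it with the group configured in daemon.json, and verify that the sdc user is a member. The file paths are parameters so the functions can be run against constructed test files; the `--live` switch and the function names are conventions of this example, not of the CDO toolkit.

```shell
#!/bin/bash
# Added example (not from the Cisco article): check that the Docker group named
# in /etc/docker/daemon.json is the group Docker created (docker or dockerroot)
# and that the sdc user belongs to it. File paths are parameters so the
# functions can be exercised on constructed copies of the real files.

# Print the Docker group name found in a group file; return 1 if neither exists.
docker_group_name() {
    local groupfile="$1" name
    for name in docker dockerroot; do
        if grep -q "^${name}:" "$groupfile" 2>/dev/null; then
            echo "$name"
            return 0
        fi
    done
    echo "no docker or dockerroot group in $groupfile" >&2
    return 1
}

# Print the value of the "group" key from a daemon.json file (no jq needed).
daemon_json_group() {
    sed -n 's/.*"group"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Return 0 if user $3 is listed in group $2 of group file $1.
user_in_group() {
    local groupfile="$1" group="$2" user="$3" members
    members=$(sed -n "s/^${group}:[^:]*:[^:]*:\(.*\)$/\1/p" "$groupfile")
    case ",${members}," in
        *",${user},"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a daemon.json with the article's contents, taking the group name from
# the group file instead of hard-coding it.
write_daemon_json() {
    local groupfile="$1" out="$2" group
    group=$(docker_group_name "$groupfile") || return 1
    printf '{\n     "live-restore": true,\n     "group": "%s"\n}\n' "$group" > "$out"
}

# Verify that daemon.json and the group file agree and that the user is a member.
check_docker_group_config() {
    local groupfile="$1" daemon="$2" user="$3" expected configured
    expected=$(docker_group_name "$groupfile") || return 1
    configured=$(daemon_json_group "$daemon")
    if [ "$configured" != "$expected" ]; then
        echo "daemon.json group '$configured' does not match system group '$expected'" >&2
        return 1
    fi
    if ! user_in_group "$groupfile" "$expected" "$user"; then
        echo "user $user is not a member of group $expected" >&2
        return 1
    fi
    echo "ok: $user is in $expected and daemon.json agrees"
}

# Run against the live system: ./check_docker_group.sh --live
if [ "$#" -eq 1 ] && [ "$1" = "--live" ]; then
    check_docker_group_config /etc/group /etc/docker/daemon.json sdc
fi
```

Run it with `--live` after step 15 and again after restarting Docker; a non-zero exit means the container will not be able to reach the Docker socket as the sdc user.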
  17. If you are currently using a vSphere console session, switch over to SSH and log in with the "cdo" user. Once logged in, change to the "sdc" user. When prompted for a password, enter the password for the "cdo" user.
[cdo@sdc-vm ~]$ sudo su sdc 
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
  18. Change directories to /usr/local/cdo.
  19. Create a new file called bootstrapdata and paste the bootstrap data from step 2 into this file. Save the file. You can use vi or nano to create the file.
  20. The bootstrap data comes encoded in base64. Decode it and export it to a file called extractedbootstrapdata.
[sdc@sdc-vm ~]$ base64 -d /usr/local/cdo/bootstrapdata > /usr/local/cdo/extractedbootstrapdata
[sdc@sdc-vm ~]$

Run the cat command to view the decoded data. The command and decoded data should look similar to this: 

[sdc@sdc-vm ~]$ cat /usr/local/cdo/extractedbootstrapdata
CDO_TOKEN="<token string>"
CDO_DOMAIN="www.defenseorchestrator.com"
CDO_TENANT="<tenant-name>"
CDO_BOOTSTRAP_URL="https://www.defenseorchestrator.com/sdc/bootstrap/tenant-name/<tenant-name-SDC>"
ONLY_EVENTING="true"
  21. Run the following command to export the sections of the decoded bootstrap data to environment variables.
[sdc@sdc-vm ~]$ sed -e 's/^/export /g' extractedbootstrapdata > sdcenv && source sdcenv
[sdc@sdc-vm ~]$
  22. Download the bootstrap bundle from CDO.
[sdc@sdc-vm ~]$ curl -O -H "Authorization: Bearer $CDO_TOKEN" "$CDO_BOOTSTRAP_URL"
100 10314 100 10314 0 0 10656 0 --:--:-- --:--:-- --:--:-- 10654
[sdc@sdc-vm ~]$ ls -l /usr/local/cdo/*SDC
-rw-rw-r--. 1 sdc sdc 10314 Jul 23 13:48 /usr/local/cdo/tenant-name-SDC
  23. Extract the CDO Connector tarball, and run the bootstrap_sec_only.sh file to install the CDO Connector package.
[sdc@sdc-vm ~]$ tar xzvf /usr/local/cdo/tenant-name-SDC
<snipped – extracted files>
[sdc@sdc-vm ~]$
[sdc@sdc-vm ~]$ /usr/local/cdo/bootstrap/bootstrap_sec_only.sh
[2018-07-23 13:54:02] environment properly configured
download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar
toolkit.sh
common.sh
es_toolkit.sh
sec.sh
healthcheck.sh
troubleshoot.sh
no crontab for sdc
-bash-4.2$ crontab -l
*/5 * * * * /usr/local/cdo/toolkit/es_toolkit.sh upgradeEventing 2>&1 >> /usr/local/cdo/toolkit/toolkit.log
0 2 * * * sleep 30 && /usr/local/cdo/toolkit/es_toolkit.sh es_maintenance 2>&1 >> /usr/local/cdo/toolkit/toolkit.log
You have new mail in /var/spool/mail/sdc
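Steps 19 through 22 decode the bootstrap data, turn it into environment variables, and then hand CDO_TOKEN as a Bearer header to whatever CDO_BOOTSTRAP_URL contains. The shell functions below are an added example, not part of the Cisco article or its toolkit: they perform the same decode and `sed -e 's/^/export /'` conversion, but first confirm that all five keys shown in the article's sample output are present exactly once and that the bootstrap URL is an https URL whose host equals CDO_DOMAIN, so the token is only ever sent to the expected host. That host check is a guard added here, not a requirement stated by the article; the sample bootstrap blob in the test is constructed and the token in it is not real.

```shell
#!/bin/bash
# Added example (not from the Cisco article): decode the SEC bootstrap data,
# validate it, and only then write the "export" file that step 21 sources.
# The host-matching check is this example's own guard, not a CDO requirement.

# Decode a base64 bootstrap file ($1) into KEY="value" lines on stdout.
decode_bootstrap() {
    base64 -d "$1"
}

# Return 0 when every key from the article's sample output is present exactly once.
check_required_keys() {
    local file="$1" key
    for key in CDO_TOKEN CDO_DOMAIN CDO_TENANT CDO_BOOTSTRAP_URL ONLY_EVENTING; do
        if [ "$(grep -c "^${key}=" "$file")" -ne 1 ]; then
            echo "missing or duplicated key: $key" >&2
            return 1
        fi
    done
    return 0
}

# Print the unquoted value of KEY ($2) from a decoded bootstrap file ($1).
bootstrap_value() {
    sed -n "s/^$2=\"\(.*\)\"$/\1/p" "$1"
}

# Refuse bootstrap data whose URL is not https or whose host differs from
# CDO_DOMAIN, so the bearer token is never sent to an unexpected host.
check_bootstrap_url() {
    local file="$1" domain url host
    domain=$(bootstrap_value "$file" CDO_DOMAIN)
    url=$(bootstrap_value "$file" CDO_BOOTSTRAP_URL)
    case "$url" in
        https://*) ;;
        *) echo "bootstrap URL is not https: $url" >&2; return 1 ;;
    esac
    host=${url#https://}
    host=${host%%/*}
    if [ "$host" != "$domain" ]; then
        echo "bootstrap host '$host' does not match CDO_DOMAIN '$domain'" >&2
        return 1
    fi
    return 0
}

# The article's sed step: prefix each KEY="value" line with "export " ($1 -> $2).
write_env_file() {
    sed -e 's/^/export /' "$1" > "$2"
}

# Full pipeline: bootstrapdata file ($1) -> validated env file ($2).
validate_and_export() {
    local in="$1" out="$2" decoded
    decoded=$(mktemp)
    decode_bootstrap "$in" > "$decoded" || { rm -f "$decoded"; return 1; }
    check_required_keys "$decoded" || { rm -f "$decoded"; return 1; }
    check_bootstrap_url "$decoded" || { rm -f "$decoded"; return 1; }
    write_env_file "$decoded" "$out"
    rm -f "$decoded"
    echo "bootstrap data validated; run: source $out"
}

# Usage as the sdc user: ./validate_bootstrap.sh /usr/local/cdo/bootstrapdata /usr/local/cdo/sdcenv
if [ "$#" -eq 2 ]; then
    validate_and_export "$1" "$2"
fi
```

After a successful run, `source sdcenv` and continue with the curl download in step 22 exactly as the article shows; if the validation fails, re-copy the bootstrap data from the CDO window rather than editing the decoded file by hand.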

2. Additional Configuration for CDO Connectors Installed on a VM You Created

If you installed your SDC on your own CentOS 7 virtual machine, you need to perform one of the following additional configuration procedures to allow events to reach the SEC.

  • Disable the firewalld service on the CentOS 7 VM. This matches the configuration of the Cisco-provided SDC VM.
  • Add firewall rules to allow the expected SEC eventing traffic into the VM. This is a more granular approach to allowing inbound event traffic.

Disable the firewalld service on the CentOS 7 VM

  1. Log into the CLI of the SDC VM as the "cdo" user.
  2. Stop the firewalld service, and then ensure that it will remain disabled upon subsequent reboots of the VM. If you are prompted, enter the password for the "cdo" user:
[cdo@SDC-VM ~]$ sudo systemctl stop firewalld
[cdo@SDC-VM ~]$ sudo systemctl disable firewalld

  3. Restart the Docker service to re-insert Docker-specific entries into the local firewall:
[cdo@SDC-VM ~]$ sudo systemctl restart docker
  4. Continue to Next Steps.

Allow the firewalld service to run and add firewall rules to allow SEC eventing traffic into the VM

  1. Log into the CLI of the SDC VM as the "cdo" user.
  2. Add local firewall rules to allow incoming traffic to the SEC from the TCP, UDP, or NSEL ports you configured. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging for the ports used by your SEC. If prompted, enter the password for the "cdo" user. Here is an example of the commands. You may need to specify different port values.
[cdo@SDC-VM ~]$ sudo firewall-cmd --zone=public --permanent --add-port=10125/tcp
[cdo@SDC-VM ~]$ sudo firewall-cmd --zone=public --permanent --add-port=10025/udp
[cdo@SDC-VM ~]$ sudo firewall-cmd --zone=public --permanent --add-port=10425/udp
  3. Restart the firewalld service to make the new local firewall rules both active and persistent:
[cdo@SDC-VM ~]$ sudo systemctl restart firewalld
  4. Continue to Next Steps.
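Once firewalld has been restarted, it is worth confirming that every SEC port is actually open rather than assuming the `--permanent` rules took effect. The functions below are an added example, not part of the Cisco article: `missing_ports` compares the output of `firewall-cmd --zone=public --list-ports` with the ports you expect, `valid_port_spec` rejects malformed port/protocol values before they are passed to firewall-cmd, and `check_sec_ports_live` runs the query on the VM. The port values are the article's example values (10125/tcp, 10025/udp, 10425/udp); substitute the ones your devices actually use.

```shell
#!/bin/bash
# Added example (not from the Cisco article): verify that the SEC eventing
# ports are open in the firewalld public zone after the rules are added.

# Print each expected port/proto spec (arguments after the first) that does not
# appear in the space-separated --list-ports output given as $1.
missing_ports() {
    local listed="$1" spec
    shift
    for spec in "$@"; do
        case " $listed " in
            *" $spec "*) ;;
            *) echo "$spec" ;;
        esac
    done
}

# Return 0 for a well-formed spec: port 1-65535, protocol tcp or udp.
valid_port_spec() {
    local spec="$1" port proto
    port=${spec%/*}
    proto=${spec#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Query the running firewalld and report any expected ports that are not open.
# Usage on the VM: check_sec_ports_live 10125/tcp 10025/udp 10425/udp
check_sec_ports_live() {
    local listed missing spec
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    done
    listed=$(sudo firewall-cmd --zone=public --list-ports)
    missing=$(missing_ports "$listed" "$@")
    if [ -n "$missing" ]; then
        echo "SEC ports not open in the firewalld public zone:" $missing >&2
        return 1
    fi
    echo "all SEC ports open: $*"
}
```

A non-zero exit usually means a rule was added without `--permanent` (lost on restart) or in a zone other than the one bound to the VM's interface; `firewall-cmd --get-active-zones` shows which zone applies.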

3. Install an Additional Secure Event Connector

The Secure Event Connector (SEC) is a container that you install on a CDO Connector that receives events from ASA and FTD devices and forwards them to the Cisco cloud. Cisco Defense Orchestrator (CDO) displays the events on the Event Logging page so that administrators can analyze them. 

Prerequisites

  • Make sure the on-premises SDC is communicating with CDO by following this two-step procedure:
  1. From any open page in CDO, open the Secure Connectors page by clicking on the menu, under your user name, in the top right corner of the page.
  2. Make sure that the SDC's last heartbeat was less than 10 minutes prior to the installation of the SEC and that the SDC's status is Active. 

Procedure

  1. Log in to CDO.
  2. Click the user menu and select Secure Connectors.   
  3. Select the CDO Connector that you created in the previous step. In the Secure Connectors table, it will be called a Secure Event Connector.  
  4. Click Deploy an On-Premises Secure Event Connector in the Actions pane on the right.
  5. In step 2 of the wizard, click the link to Copy bootstrap data.
  6. Open a terminal window and log into the CDO Connector as the "cdo" user.
  7. Once logged in, switch to the "sdc" user. When prompted for a password, enter the password for the "cdo" user. Here is an example of those commands:
[cdo@sdc-vm ~]$ sudo su sdc
[sudo] password for cdo: <type password for cdo user>
[sdc@sdc-vm ~]$
  8. At the prompt, run the sec.sh setup script:
[sdc@sdc-vm ~]$ /usr/local/cdo/toolkit/sec.sh setup
  9. At the end of the prompt, paste the bootstrap data you copied from the wizard and press Enter.
Please copy the bootstrap data from Setup Secure Event Connector page of CDO: KJHYFuYTFuIGhiJKlKnJHvHfgxTewrtwE
RtyFUiyIOHKNkJbKhvhgyRStwterTyufGUihoJpojP9UOoiUY8VHHGFXREWRtygfhVjhkOuihIuyftyXtfcghvjbkhB=

After the SEC is onboarded, sec.sh runs a script that checks the health of the SEC. If all the health checks are "green," the health check sends a sample event to the Event Log. The sample event shows up in the Event Log as a policy named "sec-health-check."


If you receive a message that the registration failed or that the SEC onboarding failed, go to Troubleshooting Secure Event Connector Onboarding Failures.

If you receive the success message return to CDO and click Done in the Deploy an On-Premises Secure Event Connector dialog box.