Deploying the FireEye MPS in an Internet-connected environment

FireEye, Inc. Confidential 1

Deployment Basics

Deployment without a proxy


Deployment with a proxy


Additional Network Requirements for Web Deployment

1. When deployed in an Internet-connected environment, the appliance must see bidirectional flows. Seeing either TX or RX may allow for callbacks or binaries to still be detected, but web objects require both sides.

2. Since malware may propagate using a number of methods and botnet Command and Control (C&C) channels may use virtually any port, there should be no special restrictions/ACLs on the traffic fed to the FireEye appliance.

3. It is recommended that total aggregate traffic across the four monitoring interfaces be limited to the rated amount on a single appliance. Although the appliance will attempt to monitor traffic exceeding this level, traffic will likely not be fully analyzed above the rated limit.


Web Proxies / NAT Environments

§  If your environment contains one or more web proxies or other NAT devices that obscure originating IP addresses, the FireEye appliance must be deployed in such a way that it sees web traffic from the internal (or LAN) side of the proxy.

§  The appliance will need to see both web (HTTP) traffic as well as traffic for other network protocols (if they are allowed out of the firewall):

    §  Botnet remote command and control traffic as well as some types of exploits may use protocols other than HTTP, so it’s imperative to have visibility into non-web traffic if this traffic is allowed out of the network.

§  This may mean that you need to connect the appliance to a second SPAN port to monitor non-web traffic as appropriate for your network environment.

§  The FireEye appliance is not able to decrypt SOCKS tunneled traffic, so if you use SOCKS proxies in your environment, the FireEye appliance should SPAN a network segment that is outside the SOCKS proxy for the purposes of monitoring outbound non-HTTP traffic.


Appliance Deployment Steps

Use the provided FireEye Quick Start Guide to set up the appliance. The steps can be summarized as follows:

1.  Rack the appliance with the provided rack mounting rails (do not hang the appliance by its front ears unless you have a shelf underneath).

2.  Connect an Ethernet cable from the management network to Port 1.

3.  Connect one or more SPAN/TAP connections to Ports 3 through 6.

4.  Plug the power cable into the appliance power supply.

5.  Toggle the power supply switch to (I) and hold the green check mark to power up.

6.  Follow the LCD setup in the Quick Start OR connect a 9-pin serial cable to the serial port and use a laptop and terminal program (settings: VT100, 8,N,1) to access the appliance’s CLI jumpstart configuration script.

    §  Minimally, you will need to provide an IP address/DHCP, network mask, gateway and DNS.
    §  The Web GUI can be accessed via https://<hostname or IP address>.
    §  The CLI can be accessed via an SSH client (port 22).
    §  The default login is admin with password admin.


The Configuration Jumpstart Wizard

§  If this is the first time you are logging into the CLI as an administrator, you will be prompted to use the configuration wizard after accepting the EULA.

§ Proceed with the wizard as detailed in the FireEye Appliance Quick Start Guide.


Config Jumpstart Wizard (cont’d)

1. Hostname? Enter the hostname for the appliance.

2. Use DHCP on ether1 interface? Enter yes to use DHCP or no to manually configure your IP address and network settings. If DHCP is selected, you will be immediately sent to step 8.

3. Use zeroconf on ether1 interface? No, this is not needed.

4. Primary IP address and masklen? Enter the IP address for the management interface (if you omit the mask length it will prompt for the netmask next).

5. Netmask? Enter the network mask in A.B.C.D format.

6. Default gateway? Enter the gateway IP address for the management interface.

7. Primary DNS server? Enter the DNS server IP address.

8. Domain name? Enter the domain for the management interface.

9. Enable NTP? Enter yes to use the default public Network Time Protocol (NTP) server pool, pool.ntp.org (can be changed later).


Config Jumpstart Wizard (cont’d)

10. Enable IPv6? Choose yes to enable IPv6.

11. Admin password? Enter a new administrator password. Press <Enter> to keep the default admin.

12. Enable SSH access for ‘admin’ user? In most circumstances yes.

13. Product license key? Enter the product license key. Press <Enter> to evaluate. May fail since most units ship licensed.

14. Security-content updates key? Should ship licensed already; can be entered later through the CLI/WebUI.


Establishing MPC Network Connectivity…

§ To enable MPC Network connectivity, you must ensure there is a route for a FireEye appliance (or CMS) to establish outbound connections to the Internet via its management interface (ether1):

    §  specifically FireEye’s external IP range, which is 199.16.197.0/24

§ All FireEye MPC Network communications are established on port 443 outbound from the appliance and are encrypted via 256-bit SSL.
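The requirement above is a narrow one: outbound TCP/443 from the management interface (ether1) to 199.16.197.0/24, and nothing broader. The script below is an added example, not FireEye code, that checks whether an egress policy satisfies that requirement. The rule format (first match wins, implicit deny at the end) and the three sample policies are constructed assumptions; the IP range and port come from the slide.

```python
"""Verify that a management-interface egress policy lets the appliance reach
the FireEye MPC Network (199.16.197.0/24 on TCP/443).  Added example with a
hypothetical, simplified ACL format: rules are evaluated top-down, first match
wins, and anything unmatched is denied."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MPC_NETWORK = ipaddress.ip_network("199.16.197.0/24")  # FireEye's external range (from the slide)
MPC_PORT = 443                                         # outbound port used by MPC traffic


@dataclass(frozen=True)
class EgressRule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR (the management network)
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port


def rule_matches(rule: EgressRule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True if this rule applies to one specific connection attempt."""
    if rule.proto not in ("any", proto):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))


def first_match(rules: List[EgressRule], src_ip: str, dst_ip: str,
                proto: str, dport: int) -> Optional[EgressRule]:
    """Top-down evaluation; None means the implicit deny at the end applies."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, dport):
            return rule
    return None


def mpc_blocked_hosts(rules: List[EgressRule], mgmt_ip: str) -> List[Tuple[str, str]]:
    """Every host in the MPC range that ether1 could NOT reach on TCP/443, with
    the reason.  Walking each address catches a deny rule that carves out only
    part of the /24, which a single whole-CIDR comparison would miss."""
    blocked = []
    for host in MPC_NETWORK.hosts():
        rule = first_match(rules, mgmt_ip, str(host), "tcp", MPC_PORT)
        if rule is None:
            blocked.append((str(host), "implicit deny (no matching rule)"))
        elif rule.action != "allow":
            blocked.append((str(host), f"deny rule {rule.src} -> {rule.dst}"))
    return blocked


def mpc_reachable(rules: List[EgressRule], mgmt_ip: str) -> bool:
    return not mpc_blocked_hosts(rules, mgmt_ip)


def required_rule(mgmt_ip: str) -> EgressRule:
    """The narrowest allow rule that satisfies the requirement for one appliance."""
    return EgressRule("allow", f"{mgmt_ip}/32", str(MPC_NETWORK), "tcp", MPC_PORT)


# Constructed sample policies (not from any real firewall).
MGMT_IP = "10.1.1.50"
GOOD_POLICY = [
    EgressRule("allow", "10.1.1.0/24", "199.16.197.0/24", "tcp", 443),
    EgressRule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
CARVED_POLICY = [  # a deny above the allow silently hides half of the range
    EgressRule("deny", "10.1.1.0/24", "199.16.197.128/25", "any", None),
    EgressRule("allow", "10.1.1.0/24", "0.0.0.0/0", "tcp", 443),
]
WRONG_PORT_POLICY = [  # allows only TCP/80, so TCP/443 falls through to implicit deny
    EgressRule("allow", "10.1.1.0/24", "199.16.197.0/24", "tcp", 80),
]

if __name__ == "__main__":
    for name, policy in [("good", GOOD_POLICY), ("carved", CARVED_POLICY),
                         ("wrong-port", WRONG_PORT_POLICY)]:
        blocked = mpc_blocked_hosts(policy, MGMT_IP)
        print(f"{name}: reachable={not blocked}, blocked hosts={len(blocked)}")
        if blocked:
            print("  first blocked:", blocked[0])
    print("minimal rule:", required_rule(MGMT_IP))
```

The per-host walk is deliberate: a policy that "allows 0.0.0.0/0 on 443" can still fail if an earlier deny covers part of the FireEye range, and that is exactly the kind of gap a whole-CIDR comparison would report as fine.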


Deployment checklist

§  Interfaces show correct speed and duplex (“ethtool <interface>”)
§  Appliance has valid licenses (“show licenses”; should have appliance, content & support)
§  Appliance can communicate with fenet (“fenet sec apply”, then issue the show command until it completes)
§  Tcpdump shows we are receiving traffic on web ports (“tcpdump -ni <interface> tcp port <web port, usually 80 or 8080>”)
§  Callback, binary and web infection test events fire, and come from the expected internal IP address
§  Check for data loss on fenet later in the day / the next day


FireEye Appliance Deployment Troubleshooting


Basic Troubleshooting Considerations

§ Beyond determining whether the appliance itself is up and functioning properly, the most common cause of problems involves ensuring that the monitored traffic is appropriate:

    § Network traffic being monitored at all?
    § Less than expected bandwidth?
    § Bidirectional traffic being seen?
    § Duplicate packets?
    § Proxy/NATing issues?
    § HTTP sessions?
    § Other protocols (callbacks)?
    § Test events being detected?
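Three of the questions above (bidirectional traffic, duplicate packets, proxy/NAT placement) and the earlier Web Proxies / NAT Environments requirement can be answered from a short capture on the monitoring interface. The script below is an added example, not FireEye code: it scores a list of packet records for one-way flows, repeated copies of the same packet (typical of a SPAN that mirrors both directions of a router port), and a single source address dominating client-to-web traffic (the signature of a SPAN on the WAN side of a proxy or NAT). The packet format, thresholds and both sample captures are constructed assumptions.

```python
"""Sanity checks on monitored traffic before trusting appliance verdicts.
Added example; packet records are a constructed, simplified form of what a
capture on the SPAN interface would yield."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

WEB_PORTS = {80, 8080, 443}  # ports the checklist cares about


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int  # IP identification field; a repeated (endpoints, ip_id) is a mirrored copy


def flow_key(p: Packet):
    """Direction-agnostic 4-tuple so a request and its reply land in one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def bidirectional_share(packets: List[Packet]) -> float:
    """Fraction of flows in which packets were seen in both directions.
    Web-object analysis needs both sides; a TX-only or RX-only SPAN scores 0."""
    ends: Dict[tuple, set] = {}
    for p in packets:
        ends.setdefault(flow_key(p), set()).add((p.src, p.sport))
    if not ends:
        return 0.0
    return sum(1 for e in ends.values() if len(e) == 2) / len(ends)


def duplicate_share(packets: List[Packet]) -> float:
    """Fraction of packets that are exact repeats of an earlier packet."""
    if not packets:
        return 0.0
    counts = Counter(packets)  # frozen dataclass instances are hashable
    return sum(c - 1 for c in counts.values()) / len(packets)


def top_client_share(packets: List[Packet]) -> float:
    """Share of client->web-port packets that come from the single busiest source.
    Near 1.0 means every request appears to originate from one address: the SPAN
    is on the WAN side of a proxy/NAT and the real internal IPs are hidden."""
    clients = Counter(p.src for p in packets if p.dport in WEB_PORTS)
    if not clients:
        return 0.0
    return clients.most_common(1)[0][1] / sum(clients.values())


def visibility_report(packets: List[Packet], nat_threshold: float = 0.9,
                      dup_threshold: float = 0.2) -> dict:
    """Combine the three measurements and list the checklist items that fail."""
    report = {
        "bidirectional": bidirectional_share(packets),
        "duplicates": duplicate_share(packets),
        "top_client": top_client_share(packets),
        "findings": [],
    }
    if report["bidirectional"] < 1.0:
        report["findings"].append("one-way flows: SPAN/TAP is not delivering both TX and RX")
    if report["duplicates"] > dup_threshold:
        report["findings"].append("duplicate packets: SPAN likely mirrors the same traffic twice")
    if report["top_client"] >= nat_threshold:
        report["findings"].append("single client address: monitoring point is outside a proxy/NAT")
    return report


def _exchange(client: str, server: str, sport: int, ip_id: int, reply: bool) -> List[Packet]:
    pk = [Packet(client, server, sport, 80, ip_id)]
    if reply:
        pk.append(Packet(server, client, 80, sport, ip_id + 1))
    return pk


# Constructed capture 1: SPAN on the LAN side of the proxy, both directions, no mirroring.
SERVER = "198.51.100.10"  # documentation-range address, constructed
LAN_SIDE_SAMPLE = (_exchange("10.0.0.11", SERVER, 40001, 100, True)
                   + _exchange("10.0.0.12", SERVER, 40002, 200, True)
                   + _exchange("10.0.0.13", SERVER, 40003, 300, True))

# Constructed capture 2: SPAN on the WAN side of the proxy (10.0.0.254 is the only
# source), only the outbound direction, and every packet mirrored twice.
_wan_once = (_exchange("10.0.0.254", SERVER, 50001, 400, False)
             + _exchange("10.0.0.254", SERVER, 50002, 500, False)
             + _exchange("10.0.0.254", SERVER, 50003, 600, False))
WAN_SIDE_SAMPLE = [p for p in _wan_once for _ in range(2)]

if __name__ == "__main__":
    for name, sample in [("LAN side", LAN_SIDE_SAMPLE), ("WAN side", WAN_SIDE_SAMPLE)]:
        print(name, visibility_report(sample))
```

On a real appliance the same measurements can be made from a short tcpdump capture on the monitoring interface; the thresholds are starting points, and a tiny test network with one client will legitimately score 1.0 on the top-client check.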
