DeepSee Virtual Appliance Installation Guide for VMware ESX Server

© 2013 Solera Networks. Contains confidential, proprietary, and trade-secret information of Solera Networks. Any use of this work without express written consent is strictly prohibited.

Updated 15 January 2013

This document is intended to help you use the DeepSee interface to configure your Solera Networks™ DeepSee™ Virtual Appliance (full version or 30-day trial) to perform network traffic capture, filtering, and playback or to function as a Central Manager Console. It is not intended as a guide to policies or procedures for either network security or network forensics.

This document attempts to provide the best information possible; however, this information is provided AS-IS and without warranty of any kind for accuracy, completeness, or currency. All references and links to Web sites are valid as of the date of publication, but the content and nature of those Web sites and pages are subject to change without our knowledge or control.

Copyrights, Trademarks, and Intellectual Property

A trademark symbol (™) denotes a Solera Networks trademark. A degree sign (°) denotes a third-party trademark. All third-party trademarks are the property of their respective owners. All other marks referenced herein are the property of their respective owners.

Solera Networks, DeepSee, and “See everything. Know everything.” are trademarks or registered trademarks of Solera Networks in the United States.

Copyright © 2013 Solera Networks, Inc. All rights reserved. No portion may be copied or reproduced without express written consent.

Several of the icons in the DeepSee interface came from the famfamfam “Silk” icon set (famfamfam.com/lab/icons/silk/) and are used under a Creative Commons Attribution 3.0 License (creativecommons.org/licenses/by/3.0/legalcode).

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

GNU General Public License Source Code Requests

Solera Networks will provide a machine-readable copy of the GPL open-source code on a CD. To obtain a copy, send a written request, along with a certified check or money order in the amount of U.S. $25.00, payable to Solera Networks, to:

ATTN: Customer Support

GPL Source Code Request

Solera Networks

Suite 100

10713 South Jordan Gateway

South Jordan, UT 84095

USA

DeepSee 6.6.0

Table of Contents

1 Requirements ... 5
2 ESX Server Configuration ... 6
2.1 Management Network ... 6
2.2 Capture Network ... 7
2.3 Virtual Machine Network ... 8
2.4 Playback Network ... 8
2.5 ESX Configuration and Virtual Appliance Installation ... 9
2.6 Network Adapter Configuration ... 10
3 Virtual Appliance Administration ... 11
3.1 Configure Initial Settings ... 11
4 Troubleshooting the Installation ... 12


Introduction

This installation guide describes the installation and initial configuration of the DeepSee™ Virtual Appliance using VMware° ESX server and the DeepSee interface. With the DeepSee interface, you can manage the DeepSee Virtual Appliance settings, control what is being captured, generate a variety of reports about the captured data, and view, package, and regenerate captured data. You can also configure the DeepSee Virtual Appliance to operate as a Central Manager Console (CMC).

IMPORTANT The DeepSee Virtual Appliance—Lab Edition does not support the VMware ESX server.

This guide includes the following sections:

Requirements
ESX Server Configuration (network setup and virtual appliance installation)
Virtual Appliance Administration (initial settings)
Troubleshooting the Installation

For detailed information about using the DeepSee interface, see the DeepSee Administration Guide and the DeepSee Reference Guide, which includes a command-line interface (CLI) section to provide advanced configuration and operation controls for the DeepSee Virtual Appliance. You can access the DeepSee Administration Guide, the DeepSee Reference Guide, and the DeepSee Central Manager Guide from the HELP link in the lower-right corner of the DeepSee interface.

For assistance with the installation of your DeepSee Virtual Appliance, contact Solera Networks support:

Toll-Free (U.S. and Canada): 888-860-5705

International: +1 801-545-4002

Web: www.soleranetworks.com/support

Email: [email protected]


1 REQUIREMENTS

The DeepSee Virtual Appliance has the following hardware and software requirements:

• 8 GB+ of memory per VM
• Disk space per datastore:
  o 30-Day Trial Version—100 GB
  o Full Version—See the Install Addendum in the ZIP file
• 2–4 CPU cores per VM
• Two or more Ethernet adapters (VMware° does not support capture on wireless NICs)
• VMware software platform for running the virtual appliance:
  o VMware ESX(i) 4 server
  o VMware ESX(i) 5 server
• VMware Infrastructure Client (VI Client) or vSphere° Client
• 64-bit architecture on the host for running the 64-bit DeepSee OS guest VM
• A workstation with a Web browser running one of the following:
  o Microsoft° Internet Explorer (IE) 8, 9
  o Firefox° 10–14
  o Safari° 5
  o Chrome° 19
• Cookies must be enabled in the browser.
• JavaScript must be enabled in the browser.

Note This Virtual Appliance supports only one concurrent DeepSee activity at a time. Future releases will support multiple DeepSee activities.


2 ESX SERVER CONFIGURATION

This configuration assumes that the VMware ESX server is installed and configured with the correct data stores. Before importing the DeepSee Virtual Appliance, configure the ESX server as follows:

• Create a Management Network
• Create a Capture Network (not applicable to Central Manager Console [CMC])
• Create a Virtual Machine Network (optional; not applicable to CMC)
• Create a Playback Network (optional; not applicable to CMC)

2.1 Management Network

By default, the VMware ESX server uses vSwitch0 for ESX management and for creating a VM network. You must modify vSwitch0 to permit management of the DeepSee Virtual Appliance. Because the DeepSee Management port group shares vSwitch0, and therefore its physical uplink, with the ESX management interface, the appliance's Web and CLI logins are reachable from the same network segment as the ESX host itself; restrict access to that segment accordingly.

HOW TO: Create a management network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, click the target ESX server.

c. In the right pane, open the Configuration tab.

d. Select Hardware > Networking.

e. For vSwitch0, click Properties.

f. In the left pane, select VM Network.

g. Click Remove, then Yes.

h. Click Add, select Virtual Machine, and click Next.

i. Label the network DeepSee Management, leave the VLAN ID field blank, and click Next.

j. Click Next, Finish, and Close.


2.2 Capture Network

Note If you plan to use this VM as a CMC, do not configure a capture network.

To capture all network traffic, you must create a capture network whose port group accepts promiscuous mode. This network should be on a separate vSwitch, not on vSwitch0. Once Promiscuous Mode is set to Accept on a port group, any VM attached to that port group can see the same traffic the sensor sees, so attach only the DeepSee Virtual Appliance to the Capture Network.

HOW TO: Create a capture network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the right pane, open the Configuration tab.

d. Select Hardware > Networking.

e. Click Add Networking.

f. Select Virtual Machine and click Next.

g. Select Create a virtual switch, select an available VM NIC, and click Next.

h. Label the network Capture Network, and leave the VLAN ID field blank.

i. Click Next, then Finish.

j. Click Properties for vSwitch1.

k. Select Capture Network, then click Edit.

l. Click the Security tab, select the Promiscuous Mode check box, and select Accept from the drop-down menu.

m. Click OK, and then click Close.


2.3 Virtual Machine Network

Note If you plan to use this VM as a CMC, do not configure a virtual machine network.

Use the VM network to capture traffic from virtual systems. If you are not planning on capturing virtual traffic, you may skip to section 2.4 Playback Network.

HOW TO: Create a virtual machine network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the right pane, open the Configuration tab.

d. Select Hardware > Networking.

e. For vSwitch1, click Properties.

f. Click Add, then select Virtual Machine.

g. Label the network VM Network.

h. Select Next, then Finish.

i. On the Ports tab, select the VM Network port group you just created, then click Edit.

j. Click the Security tab and select the Promiscuous Mode check box.

k. Select Accept from the drop-down menu.

l. Click OK, and then Close.

2.4 Playback Network

Note If you plan to use this VM as a CMC, do not configure a playback network.

Use the playback network to play back traffic from either virtual networks or physical networks. If you are not planning on playing back traffic for either type of network, you may skip to section 2.5 ESX Configuration and Virtual Appliance Installation.

HOW TO: Create a playback network

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the right pane, click the Configuration tab.

d. Select Hardware > Networking.

e. Click Add Networking.

f. Select Virtual Machine, then click Next.

g. Select Create a virtual switch.

h. Select an available VM NIC and click Next.

i. Label the network Replay Network and leave the VLAN ID field blank.


j. Click Next, then Finish.

k. For the vSwitch created in step g (vSwitch2, not vSwitch1, which carries the Capture Network), click Properties.

l. Select Replay Network, then click Edit.

m. On the Security tab, select the Promiscuous Mode check box.

n. Select Accept from the drop-down menu.

o. Click OK, then Close.

Note Playing back traffic to the same virtual or physical network that you used for capture can create network storms. Use extreme caution when playing back network traffic.
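The capture and playback networks of sections 2.2 through 2.4 can also be built from the host shell instead of the vSphere client. The script below is an added example and is not part of the Solera guide. It assumes ESXi 5.x esxcli syntax (ESX 4 classic uses esxcfg-vswitch instead), that vmnic1 and vmnic2 are the spare physical NICs, and that it runs as root on the host. The forged-transmit and MAC-change settings go beyond the guide, which sets promiscuous mode only; the audit function parses constructed output in the shape esxcli prints.

```shell
#!/bin/sh
# Added example, not from the Solera guide. Assumes ESXi 5.x esxcli syntax,
# spare uplinks vmnic1 (capture) and vmnic2 (replay), run as root on the host.

CAPTURE_VSWITCH=vSwitch1; CAPTURE_PG="Capture Network"; CAPTURE_NIC=vmnic1
REPLAY_VSWITCH=vSwitch2;  REPLAY_PG="Replay Network";   REPLAY_NIC=vmnic2

# Steps e-i of sections 2.2 and 2.4: a new standard vSwitch, one uplink, one
# VM port group with no VLAN ID (esxcli leaves the VLAN at 0 by default).
make_network() {  # $1=vswitch $2=uplink $3=port group
    esxcli network vswitch standard add --vswitch-name="$1"
    esxcli network vswitch standard uplink add --vswitch-name="$1" --uplink-name="$2"
    esxcli network vswitch standard portgroup add --vswitch-name="$1" --portgroup-name="$3"
}

# Steps j-m: Promiscuous Mode = Accept so the guest receives every frame on the
# switch. The guide stops there; this also pins the other two policies. Reject
# forged transmits and MAC changes on the capture side (a sensor only listens),
# but Accept forged transmits on the replay side, because replayed frames carry
# the source MACs recorded in the capture, not the vNIC's own MAC.
set_security_policy() {  # $1=port group $2=allow forged transmits (true|false)
    esxcli network vswitch standard portgroup policy security set \
        --portgroup-name="$1" --allow-promiscuous=true \
        --allow-forged-transmits="$2" --allow-mac-change=false
}

# Audit: read the "Key: value" lines printed by
#   esxcli network vswitch standard portgroup policy security get --portgroup-name="<pg>"
# from stdin and succeed only if the policy matches what was asked for.
audit_security_policy() {  # $1=want promiscuous $2=want forged transmits
    promisc=""; forged=""
    while IFS= read -r line; do
        case "$line" in
            *Override*) ;;                                 # vSwitch override flags, not the policy itself
            *"Allow Promiscuous:"*)      promisc=${line##*: } ;;
            *"Allow Forged Transmits:"*) forged=${line##*: } ;;
        esac
    done
    [ "$promisc" = "$1" ] && [ "$forged" = "$2" ]
}

# Build both networks, then verify the policy actually applied.
configure_deepsee_networks() {
    make_network "$CAPTURE_VSWITCH" "$CAPTURE_NIC" "$CAPTURE_PG"
    set_security_policy "$CAPTURE_PG" false
    make_network "$REPLAY_VSWITCH" "$REPLAY_NIC" "$REPLAY_PG"
    set_security_policy "$REPLAY_PG" true
    esxcli network vswitch standard portgroup policy security get --portgroup-name="$CAPTURE_PG" |
        audit_security_policy true false || { echo "capture policy wrong" >&2; return 1; }
    esxcli network vswitch standard portgroup policy security get --portgroup-name="$REPLAY_PG" |
        audit_security_policy true true  || { echo "replay policy wrong" >&2; return 1; }
}
```

Call configure_deepsee_networks from the ESXi shell; the audit at the end is the equivalent of re-opening the Security tab after step m to confirm that Accept was saved, and it is the part worth re-running after any host patch or vSwitch change.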

2.5 ESX Configuration and Virtual Appliance Installation

These installation steps assume that you have downloaded and extracted the virtual appliance from the Solera Networks secure FTP site. If you have not downloaded and extracted these files, please contact Solera Networks support.

IMPORTANT DO NOT attempt to install VMware Tools on DeepSee Virtual Appliances.

HOW TO: Install the virtual appliance on an ESX(i) server

a. Connect to the ESX server using the vSphere client.

b. In the left pane, select the target ESX server.

c. In the vSphere client, select File > Deploy OVF Template… to start the Deploy OVF Template wizard.

d. Select Deploy from file and browse to the directory where you extracted the DeepSee Virtual Appliance files.

e. Select the OVF file and click Open.

f. Click Next twice.

g. Accept the default name of the virtual appliance and click Next.

h. Map the virtual networks accordingly:

DeepSee Management to DeepSee Management (vSwitch0)

Capture Network to Capture Network (vSwitch1) (not for CMC)

Replay Network to Replay Network (vSwitch2) (not for CMC)

i. Click Next and then click Finish.

j. The virtual appliance begins importing.

Note The import may take up to 10 minutes depending upon your ESX hardware. Do not interrupt the import process.


2.6 Network Adapter Configuration

Before starting the DeepSee Virtual Appliance, you must configure the network settings for the virtual network adapters.

HOW TO: Configure network adapters

a. Connect to the ESX server using the vSphere client.

b. In the left pane, expand the ESX server.

c. Under the ESX server, select the DeepSee Virtual Appliance that you imported earlier.

d. In the right pane, click the Getting Started tab.

e. Click Edit virtual machine settings.

f. On the Hardware tab, select Network adapter 1.

g. In the MAC Address section:

Full version—Leave the setting as Automatic.

Evaluation version—Select Manual and set the network adapters according to the values in the table:

   Adapter   MAC Address
   1         00:50:56:0C:01:01
   2         00:50:56:0C:02:02
   3         00:50:56:0C:03:03
   4         00:50:56:0C:04:04
   5         00:50:56:0C:05:05

h. Click OK.

i. Power on the DeepSee Virtual Appliance.

Notes The process of loading the virtual appliance might take a few minutes. While the virtual machine starts, you will see a progress indicator. If the boot process seems to hang, press the Esc key to view additional information.

Evaluation Version Only—There is a direct link between the DeepSee license file and the MAC address of Network Adapter 1; if this address changes or otherwise does not match the address recorded in the license file, DeepSee will not be licensed for capture.
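Because the evaluation license is bound to the MAC of Network Adapter 1, it is worth confirming from inside the guest that the addresses actually took effect before troubleshooting a "not licensed for capture" condition. The script below is an added example and is not part of the Solera guide. It assumes a Linux guest that exposes /sys/class/net/ethN/address, that table adapter N appears as ethN-1 in the guest, and VMware's documented range for manually assigned MACs (00:50:56:00:00:00 to 00:50:56:3F:FF:FF, which the table's 00:50:56:0C:xx:xx values fall inside).

```shell
#!/bin/sh
# Added example, not from the Solera guide: confirm from inside the guest that
# each adapter carries the MAC the evaluation license expects. Assumes a Linux
# guest with /sys/class/net/ethN/address and that table adapter N is ethN-1.

# VMware only honours a manually assigned MAC in 00:50:56:00:00:00 to
# 00:50:56:3F:FF:FF; a value outside it is rejected and the adapter keeps
# an automatic address, so the license check would fail silently.
mac_in_vmware_static_range() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        00:50:56:[0-3][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
    esac
    return 1
}

# MAC from the guide's table for adapter 1..5 (00:50:56:0C:0N:0N).
expected_mac() {
    [ "$1" -ge 1 ] && [ "$1" -le 5 ] || return 1
    printf '00:50:56:0C:%02X:%02X\n' "$1" "$1"
}

# 0 = matches the table; 1 = valid static MAC but not the licensed one;
# 2 = outside the range ESX allows for manual assignment.
check_adapter_mac() {  # $1=adapter number $2=MAC as reported by the guest
    want=$(expected_mac "$1") || return 1
    want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    got=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    mac_in_vmware_static_range "$got" || return 2
    [ "$got" = "$want" ]
}

# Walk eth0..eth4 and report; eth0 (adapter 1) is the one the license is bound to.
check_all_adapters() {
    rc=0
    for n in 1 2 3 4 5; do
        dev="eth$((n - 1))"
        [ -r "/sys/class/net/$dev/address" ] || continue
        if check_adapter_mac "$n" "$(cat "/sys/class/net/$dev/address")"; then
            echo "$dev: OK"
        else
            echo "$dev: MISMATCH (expected $(expected_mac "$n"))"; rc=1
        fi
    done
    return $rc
}
```

Run check_all_adapters from the DeepSee CLI after the first power-on of an evaluation appliance; a MISMATCH on eth0 means the license file will not match, and the fix is in the vSphere client (step g), not in the guest.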


3 VIRTUAL APPLIANCE ADMINISTRATION

The DeepSee Virtual Appliance includes the full DeepSee interface and a command-line interface (CLI) for configuring and managing the DeepSee Virtual Appliance. Once the virtual appliance is running on your VMware server, you can use either interface to administer and configure the virtual appliance.

Note The DeepSee Virtual Appliance user interface is identical to the user interface for DeepSee Appliances.

3.1 Configure Initial Settings

By default, the management interface (eth0) is set to 192.168.20.20. Follow these steps to assign a temporary IP address:

HOW TO: Assign a temporary IP address

a. Log in to the CLI using the default credentials admin|Solera. These credentials are published in this guide, so change the admin password as part of the initial configuration.

b. Use ifconfig to temporarily assign an IP address to the management interface (eth0) that is accessible by your management workstation:

sudo ifconfig eth0 <IP_address> netmask <subnet_mask>

c. As necessary, assign a default route:

sudo route add default gw <IP_of_default_gateway>

Use the DeepSee interface to configure the initial settings.

HOW TO: Launch the DeepSee interface

a. Launch a Web browser and navigate to the IP address that you just set. You can use either HTTP or HTTPS; prefer HTTPS so that the login credentials are not sent in clear text across the management network.

b. At the Login page, type the default username and password, both of which are case-sensitive:

Username: admin Password: Solera

c. Click Log In.

d. The Solera Networks End User License Agreement (EULA) for this appliance is displayed. Select I accept these terms to accept the Solera Networks EULA and click Submit. The Initial Configuration page is displayed.

e. In the lower-right corner of the DeepSee interface, click HELP.

f. Consult the "Initial Setup" section of the DeepSee Administration Guide for instructions on initial appliance configuration. Purchased virtual appliances must also follow the steps to license the appliance.


4 TROUBLESHOOTING THE INSTALLATION

The following sections discuss some common issues and other items to be aware of when using the DeepSee Virtual Appliance. If you have any questions or need further assistance, please contact Solera Networks Technical Support.

Phone: 888-860-5705 (U.S. and Canada) or +1 801-545-4002 (international)

Email: [email protected]

Web: www.soleranetworks.com/support

Cannot Connect to the UI

1. Verify that you can ping the host IP address from the virtual appliance.

2. Verify that the virtual appliance has a valid gateway route:

[prompt]# route

3. Restart the network services:

[prompt]# sudo service network restart

4. Verify that the network interface of the machine where the virtual appliance is running is a bridged network interface. Refer to the VMware documentation for information on how to configure the network interfaces.

Cannot Capture Data

1. Verify that IP has been disabled on the physical interfaces that capture data.

2. Verify that you have modified the virtual interface to operate in promiscuous mode.
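The addressing commands of section 3.1 and the checks behind "Cannot Connect to the UI" and "Cannot Capture Data" fit into one script. The one below is an added example and is not part of the Solera guide. It assumes the DeepSee CLI is a Linux shell with sudo, ifconfig, route, ping and awk (the guide shows the first three), net-tools style ifconfig output for the capture-interface check, and that eth0 is the management interface; the function names are mine, and the ifconfig text in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the Solera guide. Validates the values before they
# reach ifconfig/route (section 3.1), then runs the checks behind the first two
# troubleshooting entries. Assumes a Linux CLI with sudo, ifconfig, route,
# ping and awk, and net-tools style ifconfig output.

# Exactly four decimal octets 0-255, no leading zeros (inet_aton reads "010" as octal 8).
valid_ipv4() {
    addr=$1
    case "$addr" in ''|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# A netmask is a valid IPv4 whose bits are contiguous ones followed by zeros:
# m | (m - 1) fills every bit below the lowest set bit, so it equals
# 0xFFFFFFFF only when the ones are contiguous from the top.
valid_netmask() {
    mask=$1
    valid_ipv4 "$mask" || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $mask; set +f; IFS=$oldifs
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$m" -ne 0 ] && [ $(( m | (m - 1) )) -eq 4294967295 ]
}

# Section 3.1, steps b-c, with the inputs checked first so a typo does not
# leave eth0 half-configured.
set_temp_addr() {  # $1=IP $2=netmask $3=default gateway (optional)
    valid_ipv4 "$1"    || { echo "bad IP address: $1" >&2; return 1; }
    valid_netmask "$2" || { echo "bad netmask: $2" >&2; return 1; }
    sudo ifconfig eth0 "$1" netmask "$2" || return 1
    if [ -n "$3" ]; then
        valid_ipv4 "$3" || { echo "bad gateway: $3" >&2; return 1; }
        sudo route add default gw "$3" || return 1
    fi
}

# "Cannot Connect to the UI", items 1-2: a default route exists and the gateway
# (or the management workstation) answers pings.
check_ui_path() {  # $1=IP to ping
    route -n | awk '$1 == "0.0.0.0" { found = 1 } END { exit !found }' ||
        { echo "no default route" >&2; return 1; }
    ping -c 3 -W 2 "$1" >/dev/null 2>&1 || { echo "$1 unreachable" >&2; return 1; }
}

# "Cannot Capture Data": a capture interface must carry no IPv4 address and
# must be in promiscuous mode. Reads `ifconfig <iface>` output on stdin.
capture_iface_ok() {
    ip_seen=0; promisc=0
    while IFS= read -r line; do
        case "$line" in *"inet addr:"*|*" inet "*) ip_seen=1 ;; esac
        case "$line" in *PROMISC*) promisc=1 ;; esac
    done
    [ "$ip_seen" -eq 0 ] && [ "$promisc" -eq 1 ]
}
```

Typical use from the DeepSee CLI: set_temp_addr 10.1.2.30 255.255.255.0 10.1.2.1, then check_ui_path 10.1.2.1 before opening the browser, and ifconfig eth1 | capture_iface_ok for each capture interface; a non-zero status from the last call means either an address is still bound to the interface or the port group's promiscuous setting (section 2.2, step l) has not reached the guest.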

Networking Not Working Properly

If networking is not working properly within the guest DeepSee OS VM—e.g., you do not have a valid routing table, or you did not obtain an IP address from your DHCP server—you should try restarting the networking service at least once to resolve the issue:

[prompt]# sudo service network restart


64-bit Host Operating System with Virtual Technology

The DeepSee Virtual Machine requires that the server's CPU be both 64-bit and VT capable. More information about running a 64-bit guest OS on VMware platforms can be found in Article 1003945: "Hardware and Firmware Requirements for 64-bit Guest Operating Systems" in the VMware Knowledge Base (http://kb.vmware.com/).

If you are uncertain of your ESX server or host computer’s 64-bit compatibility, you can obtain a processor check utility from VMware from Article 1003945, referenced above.

Error Message

This kernel requires an x86-64 CPU, but only detected an i686 CPU. Unable to boot - please use a kernel appropriate for your CPU.

You attempted to start the guest DeepSee OS VM on an ESX server or host computer that is not 64-bit and VT capable. Install VMware ESX on a server or host computer that is both 64-bit and VT capable.

Error Message

You have configured this virtual machine to use a 64-bit guest operating system. However, 64-bit operation is not possible. This host is VT-capable, but VT is disabled.

You attempted to start the guest DeepSee OS VM on an ESX server or host computer that is both 64-bit and VT capable, but whose VT settings are disabled in the BIOS. This is usually because VT has been disabled in the BIOS/firmware settings, or the ESX server or host computer has not been power-cycled since changing this setting.

1. Verify these BIOS/firmware settings: enable VT and disable trusted execution.
2. Power-cycle the ESX server or host computer if you changed either of these BIOS/firmware settings.
3. Power-cycle the ESX server or host computer if you have not done so since installing VMware.
4. Update the host computer's BIOS/firmware to the latest version. For more details, see Article 1003945, referenced above.