Skybox Securoty Appliance 8000, Quick Start Manual

Page 1: ...Skybox Appliance 8000 Quick Start Guide 10 1 200 CentOS Linux release 7 7 1908 Core ...

Page 2: ...l system or transmitted in any form or by any means electronic mechanical photocopying recording or otherwise without the prior written permission of Skybox Security Skybox Skybox Security Skybox Firewall Assurance Skybox Network Assurance Skybox Vulnerability Control Skybox Threat Manager Skybox Change Manager Skybox Appliance 5500 6000 7000 8000 8050 and the Skybox Security logo are either regis...

Page 3: ...System configuration 12 Configuring connection 12 Setting up the Appliance for configuration 17 First time configuration 17 What s next 17 Configuring the Appliance 19 Configuration and management options 19 Setting up network interface bonding 21 Supported bond modes 21 Setting up SNMP configuration 23 RADIUS authentication 23 LDAP authentication 24 Changing the TLS version 25 Sending CentOS logs...

Page 4: ...sole 42 Updating via RMM 42 Updating the firmware 42 Configuring Java for login 48 Adding your own certificate 52 Exporting the Server certificate and private key from the Java keystore 53 Restoring the Appliance to factory defaults 55 Monitoring SNMP 56 Troubleshooting 58 Wiping the hard disk drive 59 CIS benchmarks for CentOS 7 60 Regulatory and safety information 67 Product regulatory complianc...

Page 5: ... and Collector are preinstalled on Skybox Appliance and run at startup In this chapter Basic architecture 5 Related documentation 5 Basic architecture The Skybox platform consists of a 3 tiered architecture with a centralized server Skybox Server data collectors Skybox Collectors and a user interface Skybox Manager Skybox can be scaled to suit the complexity and size of any infrastructure See the ...

Page 6: ... has not been damaged and verify that all tamper evident seals are intact Verify that the Appliance serial number purchase order number and FedEx tracking number match the information provided by Skybox Customer Support What s in the box The following items are included in the shipping carton Skybox Appliance Rack mount kit Front bezel 2 AC power cords RJ45 to DB9 serial console cable Skybox Quick...

Page 7: ...set button 2 USB 2 0 3 0 connectors DB 15 video connector Bezel with lock support External I O connectors back panel DB 15 video connector RJ45 serial port A connector Dedicated RJ45 server management NIC 2 RJ 45 10000baseT network interfaces 10GB Ethernet LAN eno1 and eno2 4 RJ 45 1000baseT network interfaces 1GB Ethernet LAN eno3 eno4 ens513f2 and ens51f3 3 USB 2 0 3 0 Ports Compliant standards ...

Page 8: ...rement 2352 3 BTU hour for 115 volt power 2302 3 BTU hour for 220 volt power MTBF estimates for Skybox Appliance The estimated mean time between failures MTBF and Failures in Time FIT for Skybox Appliance 8000 are listed in the following table Component MTBF hours Estimated FIT 4 x 3 5 12 Gb Hot Swap Backplane SATA SAS 9579145 104 1 Slot Riser Card per card 20060338 50 Standard Front Panel 5053932...

Page 9: ... Power button with integrated LED G Hard drive activity LED H NIC2 activity LED Front panel LED functions LED Color State Description Power Sleep Green on Power on Green blinking Sleep Off Power off NIC LEDs Green on Network link but no network activity Green blinking Network activity Off No link System Status Green on System ready no alarm Green blinking System ready but degraded Redundancy lost ...

Page 10: ...em unplugged Power on System powered off and in standby no prior degraded non critical critical state Back panel connectors The Appliance back panel includes the connectors shown in the following figure By default NIC1 eno1 is enabled and configured as DHCP NIC2 eno2 is enabled and configured as static with the IP address 192 168 1 1 24 You can change these values File system partitions The Skybox...

Page 11: ... telecommunications lines connected to I O connectors or ports on the back of the chassis 4 Provide electrostatic discharge ESD protection by wearing an antistatic wrist strap attached to a chassis ground any unpainted metal surface when handling components Required tools and supplies Phillips cross head screwdriver 1 bit and 2 bit Recommended Antistatic wrist strap and conductive foam pad Install...

Page 12: ...iance A console mouse keyboard and screen connection A serial port connection A network connection via static NIC Note For a figure of the connectors used in the following procedures see Back panel connectors on page 10 Configuration via the RMM interface You can connect to the Appliance via its RMM interface by connecting a network cable to the RMM port The RMM interface is preconfigured with the...

Page 13: ...Chapter 3 Setting up Skybox Appliance Skybox version 10 1 200 13 To configure Java security on your Windows machine to work with RMM 1 From the Windows Start menu select Configure Java ...

Page 14: ...he Appliance machine run ipmitool lan print 1 Configuring the RMM administrator You must change the administrator password on RMM To change the RMM administrator password 1 Reboot the Appliance 2 During the boot process press F2 to open the BIOS setup 3 From the menu select Server Management 4 Select BMC LAN configuration 5 Select User Configuration to configure the RMM user On the User Configurat...

Page 15: ...at the bottom of the page in the BMC hostname field If you are using a Static address Provide the IP address netmask and gateway IP address 5 When you are finished press F10 to save and exit the configuration The Appliance boots with the RMM interface configured with the user that you provided Configuration via console To configure connection using a mouse keyboard and screen 1 Connect one end of ...

Page 16: ...the Power button on the Appliance front panel and verify that the Power LED turns green 4 Log in to the Appliance using the default user name root and the default password skyboxview 5 Configure a network interface with an IP address netmask and default gateway a Run the command set_appliance_network b Select a network interface to configure c Select the IP mode static or DHCP If you select static...

Page 17: ...ce Administration password click Change Skyboxview Password To configure the date and time 1 On the System tab select Date and Time Configuration 2 To configure the date and time manually a Select Manual Date and Time Configuration b Click Change Date and Time set the date and time for Skybox s time zone c Click Change Time Zone set the time zone for the location of the Appliance so that reports a...

Page 18: ...e is available only from syslog change events that are sent to the syslog server in the Appliance You collect the change events using Change Tracking Events Syslog Import tasks Syslog server The syslog server in the Appliance is preconfigured and is enabled by default Updates to the configuration files of the syslog server and syslog log file rotation are included when necessary as part of Skybox ...

Page 19: ...ut tab System Information Provides information about Skybox configuration Network tab Note that configuration changes made in this tab are only saved after you click Save Network Configuration Network Configuration Enables you to configure network settings connection method IP address netmask and gateway and bonding for each network interface connection and to configure the DNS servers Note For no...

Page 20: ...ode Toggles between Server mode the Appliance functions as both the Skybox Server and a Skybox Collector and Collector mode the Appliance functions only as a Skybox Collector SNMP Select Enable SNMP Service to set up SNMP configuration host configuration and sending traps see Setting up SNMP configuration on page 23 You can also download the Appliance MIBs Security tab Appliance Passwords Enables ...

Page 21: ... dialog box add a new bond interface 5 Select the interfaces to bond to this new interface as slaves 6 Select the method for assigning the IP address for this interface If you select static mode provide the IP address netmask and gateway 7 Select the mode in which the bond is to work we recommend active backup For information about the supported bond modes see Supported bond modes on page 21 8 Cli...

Page 22: ...ication Prerequisites ethtool support in the base drivers for retrieving the speed and duplex of each slave A switch that supports IEEE 802 3ad Dynamic link aggregation Most switches require configuration to enable 802 3ad mode mode 5 balance tlb Adaptive transmit load balancing Channel bonding that does not require any special switch support The outgoing traffic is distributed according to the lo...

Page 23: ... the notification receiver traps server 4 When you are finished click Save SNMP Configuration to save the configuration and update the service with the new configuration RADIUS authentication This topic explains how to configure RADIUS authentication for Skybox Appliance Note To use RADIUS authentication the pam_radius package must be installed on the Skybox Server To check whether the package is ...

Page 24: ... 10 Add the new user on the OS level by running useradd user1 There is no need to set the password it comes from RADIUS You can now log in to Skybox with the user credentials user1 password using the password stored on the RADIUS server for this user LDAP authentication This topic explains how to configure LDAP authentication for Skybox Appliance Prerequisites To use LDAP authentication the LDAP s...

Page 25: ...e Directory 2008r2 values With rfc2307 group members are listed by name in the member uid attribute With rfc2307bis and IPA group members are listed by DN and stored in the member attribute LDAP Bind User DN The user bind DN to use for performing LDAP operations This user needs to have read permissions to read the user groups Example CN LDAPUser CN Users DC YOURDOMAIN DC LOCAL LDAP Bind User Passw...

Page 26: ...7 Safari 9 Android 5 0 and Java 8 SSLProtocol all SSLv3 TLSv1 TLSv1 1 SSLCipherSuite ECDHE ECDSA AES256 GCM SHA384 ECDHE RSA AES256 GCM SHA384 ECDHE ECDSA CHACHA20 POLY1305 ECDHE RSA CHACHA20 POLY1305 ECDHE ECDSA AES128 GCM SHA256 ECDHE RSA AES128 GCM SHA256 ECDHE ECDSA AES256 SHA384 ECDHE RSA AES256 SHA384 ECDHE ECDSA AES128 SHA256 ECDHE RSA AES128 SHA256 4 Uncomment either Medium or Low not both...

Page 27: ...A256 ECDHE ECDSA AES128 SHA256 ECDHE RSA AES128 SHA ECDHE ECDSA AES128 SHA ECDHE RSA AES256 SHA384 ECDHE ECDSA AES256 SHA384 ECDHE RSA AES256 SHA ECDHE ECDSA AES256 SHA DHE RSA AES128 SHA256 DHE RSA AES128 SHA DHE DSS AES128 SHA256 DHE RSA AES256 SHA256 DHE DSS AES256 SHA DHE RSA AES256 SHA ECDHE RSA DES CBC3 SHA ECDHE ECDSA DES CBC3 SHA EDH RSA DES CBC3 SHA AES128 GCM SHA256 AES256 GCM SHA384 AES...

Page 28: ...o a remote syslog server To send the Appliance CentOS logs to a remote syslog server 1 On the System tab click Syslog Server 2 Select Send System Logs to Remote Syslog Server 3 Fill in the remote syslog IP address and port to use and select the protocol to use ...

Page 29: ...d port as necessary 3 Click Apply Syslog Configuration How to work with syslog files Updates to the configuration files of the syslog server and to the syslog log rotation file are included when necessary as part of Skybox updates Users can also modify the following files locally for local changes syslog configuration file etc syslog ng syslog ng conf cron file etc cron daily syslog ng archive How...

Page 30: ...me IP address _ time of creation zip How can the logs be imported into Skybox Device logs can be imported using the following tasks depending on the information that you are looking for Change Tracking Events Syslog Import Traffic Events Syslog Import At a minimum you need the following information in the task to import the logs In the Basic tab The directory path of the files var log syslog ng ne...

Page 31: ...kybox Manager system requirements Skybox Manager is a Java client application that connects to the Skybox Server through port 8443 You can install multiple Skybox Managers on a single computer this is useful when connecting to Skybox Servers of different versions Operating system The following operating systems are supported for Skybox Manager Windows 7 Windows 10 64bit only Windows Server 2012 Wi...

Page 32: ...nstallation under Drive Program Files or any other path containing a space is not supported Post installation notes Skybox Manager is configured to communicate with the server over 8443 TCP If there is a firewall between Skybox Manager and Skybox Server access on this port must be explicitly permitted The user running Skybox Manager must have Modify permissions for the directory where Skybox Manag...

Page 33: ...apter 7 Skybox Manager Installation Skybox version 10 1 200 33 2 Delete any other files in this directory including any previous installation file the directory must contain only the new installation file ...

Page 34: ...ack them up manually before updating CentOS The backed up files are at var tmp appliance_update_ installed_version backup appliance_bac kup To update the operating system Note The machine reboots as part of the update process 1 Download the following files to your computer not to the Appliance server where patch is the patch number Skybox_ patch appliance_update Skybox_ patch appliance_update md5 ...

Page 35: ...xternal drive The default location is var tmp appliance_update_ patch backup Note After the update finishes a log of the process details is at opt skyboxview utility log appliance_update_ patch log 9 Optional If something went wrong with the update process you can either restore settings files manually or restore all the files at once overwriting all the original files but preserving the original ...

Page 36: ... DVD R We recommend that you use either a DVD R DL Dual Layer or a flash drive if you need to burn the ISO Note For flash drives we recommend using Rufus to burn the ISO https rufus ie To boot from the ISO During startup select F6 and then select the device DVD or flash drive from which to boot ISO burning ...

Page 37: ...ter 10 Starting in version 9 0 600 security hardening was added to prevent local users from logging in via SSH The following lines were added to etc ssh sshd_config AllowUsers root skyboxview AllowGroups root skyboxview SSH hardening ...

Page 38: ...Updating via the console 42 Updating via RMM 42 Checking your firmware revision via the console To check the firmware revision on your Appliance Note Run all commands from the command line on the Appliance 1 Run get_appliance_details The Appliance model number is shown in the MODEL field 2 Run ipmitool mc info grep Firmware Revision The result shows the firmware revision number for example Firmwar...

Page 39: ...e sure that you have permission to log in to the RMM interface of the Appliance from your local machine For instructions see Configuring Java for login on page 48 To check the firmware revision on your Appliance 1 Open Microsoft Explorer 2 Enter the RMM address of the Appliance as the URL 3 Authenticate using the user name and the password 4 If you are not sure of your model number a Click the FRU...

Page 40: ...8000 Quick Start Guide Skybox version 10 1 200 40 Important You must know the model number for the update 5 From the System Information tab on the Summary page check the firmware revision number in the field BMC FW Rev ...

Page 41: ...om download 26962 Intel Server Board S2600GZ GL Firmware Update Package for Extensible Firmware Interface EFI product 56255 7000 https downloadcenter intel com download 28535 Intel Server Board S1200SP BIOS and Firmware Update Package for EFI product 88955 8000 8050 https downloadcenter intel com download 28002 Intel Server Board S2600WT BIOS and Firmware Update for EFI product 78563 Each of these...

Page 42: ...y boots to the EFI shell and starts the BIOS update procedure 6 The update procedure asks if you want to update the FRU SDR select the option to update both of them 7 Select No to update product and other prompts Note During the update the speed of your system fan changes This is normal 8 Follow onscreen directions at the end of the BIOS update Important After a firmware update the system takes lo...

Page 43: ...ry of a USB flash drive 2 Connect the USB flash drive to the back panel of the Appliance machine 3 Make sure that no other USB is connected 4 Connect to RMM as in steps 1 through 3 in the previous procedure and click the Remote Control tab 5 Click Launch Console 6 In the dialog box that appears as shown click OK 7 In the Security Warning dialog box that appears as shown click Continue ...

Page 44: ...t and click Run A console window opens 9 Log in as root 10 Make sure that Skybox is not running on the Appliance machine before performing the update a To shut down Skybox Server run the command service sbvserver stop b To shut down Skybox Collector run the command service sbvcollector stop 11 Reboot the machine ...

Page 45: ... Skybox Appliance Skybox version 10 1 200 45 12 When the system starts press F2 until you get the menu for booting 13 From the menu select Boot Manager and press Enter 14 From the Boot Manager select Launch EFI Shell and press Enter ...

Page 46: ...Skybox Appliance 8000 Quick Start Guide Skybox version 10 1 200 46 After about 5 seconds the following screen appears 15 Press Enter ...

Page 47: ...hapter 11 Firmware updates for Skybox Appliance Skybox version 10 1 200 47 When the procedure is almost finished the screen displays the following 16 Wait 2 minutes and log in again to the remote console ...

Page 48: ...tart Guide Skybox version 10 1 200 48 17 Press 5 to exit the update 18 Press any key to continue CONFIGURING JAVA FOR LOGIN This procedure enables you to log in to the RMM interface of the Appliance machine from your local computer ...

Page 49: ...Chapter 11 Firmware updates for Skybox Appliance Skybox version 10 1 200 49 1 From the Windows Start menu select Configure Java 2 The Java Control Panel appears ...

Page 50: ...Skybox Appliance 8000 Quick Start Guide Skybox version 10 1 200 50 3 Click the Security tab ...

Page 51: ...Chapter 11 Firmware updates for Skybox Appliance Skybox version 10 1 200 51 4 Click Edit Site List 5 Add the URL of the RMM interface of the Appliance machine ...

Page 52: ...006 2019 ssl error pid 10480 tid 140600437254272 SSL Library Error error 0D08303A asn1 encoding routines ASN1_TEMPLATE_NOEXP_D2I nested asn1 error Sun Nov 03 16 26 23 623012 2019 ssl error pid 10480 tid 140600437254272 SSL Library Error error 0D0680A8 asn1 encoding routines ASN1_CHECK_TLEN wrong tag Sun Nov 03 16 26 23 623019 2019 ssl error pid 10480 tid 140600437254272 SSL Library Error error 0D0...

Page 53: ...ile etc pki tls certs ca chain cert pem 7 Restart the Apache server by running systemctl restart httpd 8 Make sure that the root CA certificate is installed in your browser s trusted CA certificate repository 9 Access the Appliance Administration at https common_name 444 In this chapter Exporting the Server certificate and private key from the Java keystore 53 Exporting the Server certificate and ...

Page 54: ...e p12 nokeys out etc pki tls certs skybox_cert pem 5 When prompted Enter Import Password enter skyboxview 6 Export the private key from the new keystore using the following command It will be exported directly to etc pki tls private openssl pkcs12 in server keystore p12 nodes nocerts out etc pki tls private skybox_key pem 7 When prompted Enter Import Password enter skyboxview 8 Remove the new P12 ...

Page 55: ...lts 1 Insert the DVD in the DVD ROM drive 2 Reboot the Appliance 3 As soon as you see the Skybox Installation Menu window press any key Note If you do not press a key within a few seconds the Appliance boots from the local drive 4 In the menu select Skybox Appliance Installation Note The restore process takes approximately 25 minutes 5 After the installation finishes proceed from System configurat...

Page 56: ... Raw idle CPU time 1 3 6 1 4 1 2021 11 53 0 Raw nice CPU time 1 3 6 1 4 1 2021 11 51 0 Memory statistics Total swap size 1 3 6 1 4 1 2021 4 3 0 Available swap space 1 3 6 1 4 1 2021 4 4 0 Total RAM in machine 1 3 6 1 4 1 2021 4 5 0 Total RAM used 1 3 6 1 4 1 2021 4 6 0 Total RAM free 1 3 6 1 4 1 2021 4 11 0 Total RAM shared 1 3 6 1 4 1 2021 4 13 0 Total RAM buffered 1 3 6 1 4 1 2021 4 14 0 Total c...

Page 57: ...Chapter 14 Monitoring SNMP Skybox version 10 1 200 57 Skybox Collector status 1 3 6 1 4 1 8072 1 3 2 3 1 4 19 49 46 51 46 54 46 49 46 52 46 49 46 49 57 55 54 56 46 50 ...

Page 58: ...ails script from the CLI Sample output of get_appliance_details APPLIANCE_VERSION 8 5 103 7 1 11 CORES 2 MODE SERVER MODEL RAM 32014 MB SERIAL_NUMBER SKYBOXVIEW 8 0 513 Hardware issues If there is a hardware issue on the Appliance usually indicated by the system status LED turning amber or blinking 1 Run getlogs as the root user The diagnostic log file diagnostic_ timestamp log is in the Skybox_Ho...

Page 59: ... might be required for example if you are sending the Appliance back to Skybox for replacement Caution This procedure wipes the HDD completely Afterwards it will not be bootable or function at all The following command overwrites all partitions master boot records and data dd if dev urandom of dev sda bs 1M Wiping the hard disk drive ...

Page 60: ...ntal or malicious misconfigurations or modified binaries 1 3 2 Ensure that file system integrity is regularly checked Periodic checking of the file system integrity is needed to detect changes to the file system Rationale Periodic file checking enables the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion 1 4 1 Ensure that permissio...

Page 61: ...is not used very often remove it to reduce the amount of potentially vulnerable code running on the system 1 7 1 3 Ensure that the remote login warning banner is configured properly The content of the etc issue net file is displayed to users prior to login for remote connections from configured services Unix based systems have typically displayed information about the OS release and patch level wh...

Page 62: ...cure ICMP redirects are not accepted Rationale It is possible for even known gateways to be compromised Setting net ipv4 conf all secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways 3 2 4 Ensure that suspicious packets are logged When enabled this feature logs packets with un routable source addresses to the kernel log Rationale Enabling this...

Page 63: ...at rename a file attribute system calls and tags them with the identifier delete Rationale Monitoring these calls from non privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring This audit option looks at all events system administrators want to look for specific privileged files that ...

Page 64: ...to the SSH server 5 2 6 Ensure that SSH IgnoreRhosts is enabled The IgnoreRhosts parameter specifies that rhosts and shosts files are not used in RhostsRSAAuthentication or HostbasedAuthentication Rationale Setting this parameter forces users to enter a password when authenticating with SSH 5 2 7 Ensure that SSH HostbasedAuthentication is disabled The HostbasedAuthentication parameter specifies wh...

Page 65: ...abet numeric other And more The following options are set in the etc security pwquality conf file minlen 14 Password must be at least 14 characters dcredit 1 Provide at least one digit ucredit 1 Provide at least one uppercase character ocredit 1 Provide at least one special character lcredit 1 Provide at least one lowercase character Note The values shown are sample values Rationale Strong passwor...

Page 66: ...les are the least secure See the chmod 2 man page for more information Rationale Data in world writable files can be modified and compromised by any user on the system World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system s integrity 6 1 11 Ensure that no unowned files or directories exist Sometimes ...

Page 67: ... for other product certification categories and environments such as medical industrial telecommunications NEBS residential alarm systems test equipment and so on other than an ITE application may require further evaluation SAFETY COMPLIANCE UL60950 CSA 60950 USA Canada EN60950 Europe IEC60950 International CB Certificate Report IEC60950 report to include all country national deviations CE Low Vol...

Page 68: ...bstances RoHS Threshold limits and banned substances are noted below Quantity limit of 0 1 by mass 1000 PPM for Lead Mercury Hexavalent Chromium Polybrominated Biphenyls Diphenyl Ethers PBB PBDE Quantity limit of 0 01 by mass 100 PPM for Cadmium California Code of Regulations Title 22 Division 4 5 Chapter 33 Best Management Practices for Perchlorate Materials China Restriction of Hazardous Substan...

Page 69: ...s device is subject to the following two conditions 1 This device may not cause harmful interference and 2 This device must accept interference receive including interference that may cause undesired operation Nordic Ground Multiple Line 1 WARNING Swedish on line 2 Apparaten skall anslutas till jordat uttag när den ansluts till ett nätverk Finnish on line 3 Laite on liitettävä suojamaadoituskosket...

Page 70: ... may apply See www dtsc ca gov hazardouswaste perchlorate This notice is required by California Code of Regulations Title 22 Division 4 5 Chapter 33 Best Management Practices for Perchlorate Materials This product part includes a battery which contains Perchlorate material Safety Multiple Power Cord Internatio nal English This unit has more than one power supply cord To reduce the risk of electric...

Page 71: ...r there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by any of these measures Reorient or relocate the receiving antenna Increase the separation between the equipment...

Page 72: ... The product has been marked with the CE Mark to illustrate its compliance VCCI Japan English translation of this notice This is a Class B product based on the standard of the Voluntary Control Council for Interference VCCI from Information Technology Equipment If this is used near a radio or television receiver in a domestic environment it may cause radio interference Install and use the equipmen...

Page 73: ... on product 2 Certification No Certification number is on KC certificate on product 3 Name of Certification Recipient Intel Corporation name is on KC certificate on product 4 Date of Manufacturer Refer to the date code serial number marked on product 5 Manufacturer Nation Intel Corporation Refer to country of origin marked on product ...