StealthWatch 6.8 Appliance Administration

In this blog post, I'm going to go over the common administration elements of the StealthWatch appliance. 

SMC

Log in to the StealthWatch Web App and navigate to Admin User>Administer Appliance. You will be brought to the appliance administration page.

Naming and DNS

Navigate to Configuration>Naming and DNS to configure the following:

  • Host Name
  • Domain Name
  • DNS Timeout Value
  • Cache size
  • Local Resolution (Host file)

System Time and NTP

Navigate to Configuration>System Time and NTP to configure the following:

  • NTP servers
  • Time Zone

Services

Navigate to Configuration>Services to configure the following:

  • SNMP
  • SSH
  • SSH Root access
  • Advanced Intrusion Detection Environment (AIDE) - enables host baselining: a snapshot of the appliance's critical system files is taken so that later modifications to those files are detected
  • Syslog over TLS
  • Proxy server settings
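To make the AIDE bullet concrete, here is an added example (not StealthWatch or AIDE code) of what host baselining does: it records size, permission bits and a SHA-256 digest for every regular file under a root, then diffs a later scan against that baseline to report added, removed and modified files. The directory tree and the tampering applied to it are constructed inline so the script runs offline; the file names are assumptions.

```python
"""Minimal AIDE-style file-integrity baseline (added example, not AIDE itself)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {size, mode, sha256} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()  # lstat: never follow a symlink planted by an attacker
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": hash_file(p),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report which files were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary\n")
        # Baseline is stored outside the scanned tree; in practice keep it
        # off-box or read-only so a root-level intruder cannot rewrite it.
        db = Path(tmp) / "aide.db.json"
        save_baseline(build_baseline(root), db)

        # Simulated tampering: a same-size edit (size/mtime checks alone would
        # miss it), a config change, a dropped binary and a deleted binary.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/dash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF backdoor\n")
        (root / "bin" / "ls").unlink()

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size `passwd` edit is the reason a baseline must carry a content digest rather than just size and mtime; the diff above flags it only because the SHA-256 changed.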

 

Static Routing

Navigate to Configuration>Static Routing to configure static routes.

SSL Certificates

Navigate to Configuration>SSL Certificates to manage the appliance's SSL certificate and its SSL client certificates (the client certificate is used for the pxGrid integration covered later).

Certificate Authority Certificates

Navigate to Configuration>Certificate Authority Certificates to upload the certificates of the root CAs the appliance should trust.

Remote File System

Navigate to Configuration>Remote File System to configure the remote file system on which database backups are stored.

Global Settings

Navigate to Configuration>Global Settings to configure the following:

  • Password Policy
  • Opening Message
  • Session Timeout
  • FIPS Mode

Licensing

As I stated in a previous post, we can add licensing later to the StealthWatch Management Console. Navigate to Configuration>Licensing to activate licenses or upload offline licenses.

Managing Users

You can add users or change your password by navigating to one of the following:

  • Manage Users>Add/Delete Users
  • Manage Users>Change Password

These are pretty self-explanatory.

Backup/Restore database or configuration

You can back up or restore the SMC database or its configuration by navigating to Support>Backup/Restore {Database | Configuration}.

Browse Files

Navigate to Support>Browse Files to display the file system under the /lancope/var folder on the appliance.

Packet Capture

Navigate to Support>Packet Capture to run a capture through the tcpdump utility. It captures and displays packet headers from the appliance's interfaces, and you can filter the packets against a set of criteria such as host and port.
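The filtering the Packet Capture page exposes is tcpdump's "host X and port N" style matching on packet headers. As an added example (not StealthWatch or tcpdump code) of what such a filter does, the script below builds a small pcap file in memory, parses the Ethernet/IPv4/TCP/UDP headers of each record, and applies host/port/protocol criteria with the same either-direction semantics tcpdump uses. The addresses, ports and timestamps in the sample capture are constructed.

```python
"""Parse a pcap and filter packet headers by host/port/proto (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
PROTO_NAMES = {6: "tcp", 17: "udp"}


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Ethernet + IPv4 + TCP/UDP header with an empty payload (constructed)."""
    if proto == 6:   # TCP: data offset 5 words, PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP: length covers the 8-byte header only
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst))
    eth = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55",
                      b"\x66\x77\x88\x99\xaa\xbb", 0x0800)
    return eth + ipv4 + l4


def build_pcap(frames) -> bytes:
    """Little-endian pcap global header followed by (timestamp, frame) records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


@dataclass
class Packet:
    ts: int
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk the pcap records and decode IPv4 TCP/UDP headers; skip everything else."""
    magic, _v1, _v2, _tz, _sf, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap (expected little-endian, Ethernet link type)")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts, _us, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # truncated or not IPv4
        vihl, _tos, _tl, _id, _ff, _ttl, proto, _ck, s, d = struct.unpack(
            "!BBHHHBBH4s4s", frame[14:34])
        l4 = frame[14 + (vihl & 0x0F) * 4:]
        if proto not in PROTO_NAMES or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        pkts.append(Packet(ts, ".".join(map(str, s)), ".".join(map(str, d)),
                           PROTO_NAMES[proto], sport, dport))
    return pkts


def matches(p: Packet, host: Optional[str] = None, port: Optional[int] = None,
            proto: Optional[str] = None) -> bool:
    """tcpdump semantics: 'host' and 'port' match either the source or destination."""
    return ((host is None or host in (p.src, p.dst))
            and (port is None or port in (p.sport, p.dport))
            and (proto is None or proto == p.proto))


def filter_capture(data: bytes, **criteria) -> List[Packet]:
    return [p for p in parse_pcap(data) if matches(p, **criteria)]


# Constructed sample capture: a NetFlow export, an HTTPS reply, and an SSH session.
SAMPLE = build_pcap([
    (1500000000, build_frame("10.0.0.5", "10.0.0.10", 17, 51234, 2055)),
    (1500000001, build_frame("10.0.0.10", "192.168.1.20", 6, 443, 50000)),
    (1500000002, build_frame("192.168.1.20", "10.0.0.5", 6, 40000, 22)),
])

if __name__ == "__main__":
    for p in filter_capture(SAMPLE, host="10.0.0.5", port=22):
        print(f"{p.ts} {p.proto} {p.src}:{p.sport} > {p.dst}:{p.dport}")
```

On the appliance itself the equivalent is the criteria you type into the Packet Capture form; on a shell, the same filter is `host 10.0.0.5 and port 22`, written to a file with `tcpdump -nn -w capture.pcap`, which is what the form wraps.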

Update

Navigate to Support>Update to upload update files and install them.

Diagnostics Pack

Navigate to Support>Diagnostics Pack to generate and download diagnostic information from the appliance.

Audit Log

To view the audit log of system and configuration changes, navigate to Audit Log.

Restarting and Shutting Down the Appliance

To shut down or restart the appliance, navigate to Operations>{Restart Appliance | Shutdown Appliance}.

Exit the Administer Appliance window and return to your SMC dashboard. Now I'll walk through some of the things to configure there.

Active Directory Configuration

Next we will configure Active Directory integration. To integrate Active Directory with the StealthWatch system, you should already have one of the following identity sources:

  • Cisco ISE (Preferred Method)
  • StealthWatch IDentity
  • Palo Alto Network Firewall
  • Cisco ASA

How useful the AD integration is depends on the quality of the user information kept in Active Directory. The following AD attributes will be available in the SMC after integration:

  • Full Name
  • Email address
  • Phone Number
  • Location
  • Role/Designation
  • Group
  • Manager Name

You may also integrate multiple AD servers in the SMC and change the order in which the SMC polls them for user information.

Note: This AD integration does NOT map users to IP addresses. An external identity source such as ISE is needed for that; the AD integration only adds contextual information about each user.

To configure Active Directory integration, navigate to Tools>Settings>Active Directory Configuration and click the Add New Configuration button.

On the next page, fill in the applicable information for your Active Directory server and click Save when done.

If it is configured correctly and the SMC is able to connect to the AD server, you will get a pop-up confirming the connection.

FlowCollector

Most of the administrative settings on the FlowCollector are very similar to the SMC's, so I'll only go over the ones that differ.

Management Systems Configuration

This is where you configure one or more external management systems, such as an SMC or a SIEM, and establish communication between them and this appliance. To configure this on the FlowCollector, navigate to Configuration>Management Systems Configuration and click Add New Management System.

On this page you may also check the box to accept connections from any management system. This is not advised, especially if the FlowCollector is reachable from outside your firewall, because the appliance would then accept management connections from systems you do not control.

Advanced Settings

The advanced settings page lists low-level settings that change the behavior of the StealthWatch system. It's not advised to change any of them unless Lancope support tells you to, as a wrong value can seriously impact the FlowCollector.

To view or change these settings, navigate to Support>Advanced Settings.

There are a few other SMC/FC administrative functions that I will save for their own separate blog posts: 

  • External Lookup
  • Proxy Ingest
  • ISE Integration