In this blog post, I'll be going through the installation and setup of StealthWatch. This is pretty easy stuff so I'll breeze through it here. In my lab, I'm going to set up a StealthWatch Management Console (SMC) VM and a FlowCollector (FC) VM.
Since the SMC and FC Virtual Edition are both downloaded and deployed via OVA, it's pretty easy to initially spin them up. One thing I want to step back and talk about really quickly is the sizing recommendations and the communication ports that should be open if you're going to deploy this on a virtual machine in a production environment. For the SMC VE, the following resources are recommended:
For the FC VM, the following resources are recommended:
Depending on the services and if there is a firewall in the way, here are the ports that the appliances may utilize:
To give you a diagram of the various connections:
Some other things to note when deploying StealthWatch:
- Make sure the SMC is placed somewhere in the network where devices can send data to it
- You can deploy the SMC in an HA failover pair for redundancy
- You can deploy the UDP Directors in an HA failover pair for redundancy or if you have a large environment, you could place them behind a load balancer
- When it comes to asymmetric routing, make sure the flow is going to the same FlowCollector
- If you place the FlowCollector outside a firewall, turn off the setting of "accept traffic from any exporter" or you may be flooded with sources you don't want to be flooded with
- Even if all your devices are NetFlow capable, still think about FlowSensors in critical parts of your network, as they will complement the data that is already received natively from flow-capable devices
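To make the "accept traffic from any exporter" point concrete, here is an added example of my own (not StealthWatch code or anything from Lancope's documentation) showing what an exporter allowlist does on the FlowCollector side: NetFlow v5 datagrams from exporters outside the allowed ranges are counted and dropped before any records are parsed. The datagram builder and the exporter addresses are constructed for the demo.

```python
import struct
from ipaddress import ip_address, ip_network

# NetFlow v5 wire format: 24-byte header followed by 48-byte records.
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
NETFLOW_V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(payload):
    """Return a list of flow dicts from one NetFlow v5 datagram; raise on malformed input."""
    if len(payload) < NETFLOW_V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = NETFLOW_V5_HEADER.unpack_from(payload, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(payload) < NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = NETFLOW_V5_RECORD.unpack_from(payload, NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size)
        flows.append({"src": str(ip_address(r[0])), "dst": str(ip_address(r[1])),
                      "sport": r[9], "dport": r[10], "proto": r[13], "bytes": r[6]})
    return flows


class ExporterFilter:
    """Accept flow datagrams only from exporters inside the allowed networks."""

    def __init__(self, allowed_exporters):
        self.allowed = [ip_network(n) for n in allowed_exporters]
        self.dropped = {}  # exporter IP -> number of datagrams discarded

    def handle(self, exporter_ip, payload):
        if not any(ip_address(exporter_ip) in net for net in self.allowed):
            self.dropped[exporter_ip] = self.dropped.get(exporter_ip, 0) + 1
            return []  # unknown exporter: do not even parse the payload
        return parse_netflow_v5(payload)


def build_v5_datagram(flows):
    """Constructed test data: pack (src, dst, sport, dport, bytes) tuples as TCP flows."""
    header = NETFLOW_V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        NETFLOW_V5_RECORD.pack(int(ip_address(s)), int(ip_address(d)), 0, 0, 0, 1, n,
                               0, 0, sp, dp, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, n in flows)
    return header + records


SAMPLE = build_v5_datagram([("10.1.1.5", "10.2.2.9", 51234, 443, 1500)])


def demo():
    """Internal router (10.0.0.1) is accepted; a stray internet exporter is dropped."""
    flt = ExporterFilter(["10.0.0.0/8"])
    return flt.handle("10.0.0.1", SAMPLE), flt.handle("203.0.113.7", SAMPLE), flt.dropped
```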
In my environment, I deployed the OVA file and powered up the VM. After the initial boot, it will ask you to enter the IP address, subnet, broadcast address, and gateway you would like to use. After you configure this, it'll restart once again:
After the VM restarts, you are given a login prompt. The default username/password is sysadmin/lan1cope. You can enter this in and change the default password if you would like.
Open up a browser and navigate to https://<ip-addr-of-SMC>
Note: You'll have to do the following setup for both the FC and the SMC.
You should be presented with a login page for the SMC:
You'll be able to log in to this page with the default username/password of admin/lan411cope. After initially signing in, you'll be taken to the Welcome screen:
Click Continue to move on. On the next page, you'll be asked to configure the network information for the appliance. If this is all already correct, click Next:
On the next page, you'll be asked to define the hostname and domain for the appliance. After doing so, click Next:
Define and add the DNS servers for the appliance and click Next:
Define and add the NTP servers and click Next:
Review the settings and click Apply. This will cause the appliance to restart:
Now that the initial setup is done, we'll configure the system and get the SMC and FC talking to each other. After all the appliances restart, log in to the SMC. You'll start going through the StealthWatch System Tool:
On the first page, you'll go through the Domain & IP addresses settings. This is where you enter in the domain name of the enterprise as well as the IP ranges that the domain encompasses. This includes private and public IP addresses that are owned and that you plan on being monitored. Click Next when completed:
On the next page, you would add the FlowCollectors and FlowSensors in the deployment. Click Next when completed:
On the next page, you would configure the SMTP information (optional) and click Next:
On the next page, specify whether the SMC is connected directly to the internet, through a proxy or not connected at all and then click Next:
Note: If the SMC cannot connect to the internet, you'll have to log in to the Licensing Center on Lancope's site and download an offline licensing key to license StealthWatch.
If the SMC is directly connected to the internet or through a proxy and you already have purchased licenses and configured the serial number of the appliance in Lancope's Licensing dashboard online, you can continue with licensing it:
After activating the license, click Next and then Launch:
One thing to note: You can finish this wizard without licensing it and come back to license it later.