Stealthwatch Cloud Sensor Installation

Stealthwatch Cloud is a SaaS-based security service that detects and responds to threats in IT environments, both on-premises and in the cloud. This...

Stealthwatch Cloud Sensor Installation

Stealthwatch SaaS is a cloud-based visibility and security analytics service. It is available for on-premises networks, private clouds, Kubernetes, and public cloud networks (AWS, Google, and Azure). This guide explains how to deploy and configure the Stealthwatch Cloud sensor for on-premises networks.

Introduction

Stealthwatch Cloud is a SaaS-based security service that detects and responds to threats in IT environments, both on-premises and in the cloud. This guide explains how to deploy Stealthwatch Cloud sensors as part of your Stealthwatch Cloud Private Network Monitoring service, for use in enterprise networks, private data centers, branch offices, and other on-premises environments.

NOTE: If you plan to use Stealthwatch Cloud only in public cloud environments, such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform, you do not need to install a sensor. See the Free Trial Guide at this link for more information on configuring Public Cloud Monitoring.

If you would like an overview of Stealthwatch Cloud, visit this link for the Stealthwatch Cloud home page, or watch the following video:

Stealthwatch Cloud in 2 Minutes

The following steps walk you through the basic process of installing a Stealthwatch Cloud Private Network Monitoring sensor on your network.

Review the prequisites to install a sensor at 3. Sensor Installation Prerequisites – Physical Appliances and Virtual Machines.
Plan your sensor deployment using 4. Sensor Deployment Considerations – Placing Sensors on your Network.
Update your firewall and network configuration to support deployed sensors, with 5. Network Considerations – Required Network Configuration.
If you plan to install a sensor on a physical appliance, use 6. Boot Media Creation – Physical Appliances Only to create a boot USB flash drive or boot optical disc.
Walk through the sensor installation process with the videos at 7. Sensor Installation – Physical Appliances and Virtual Machines.
Finally, add your sensor to your Stealthwatch Cloud web portal: 8. Web Portal Configuration – Adding a Sensor to the Web Portal.
Review 9. Troubleshooting – NetFlow, IPFIX, sFlow for supplemental information on directly configuring your sensors to ingest NetFlow, IPFIX, or sFlow, or for basic troubleshooting help.

Sensor Installation Prerequisites

Physical and Virtual Machines

Sensor Prerequisites

You can install a sensor on a physical appliance or virtual machine, with the following requirements:

[REQUIRED] At least one network interface (the "Control" interface) for passing information to the Stealthwatch Cloud service, and for collecting flow data, including NetFlow, IPFIX, or sFlow, depending on configuration
- [OPTIONAL] one or more optional additional network interfaces ("Mirror" interfaces) if you want to ingest network traffic over a mirror port
[REQUIRED] 2 GB RAM
[REQUIRED] A CPU with at least two cores
[REQUIRED] 32 GB of storage space
[REQUIRED] Internet access, to download required packages for the installation process

See this white paper for performance metrics and recommendations.

Physical Appliance Additional Requirements

To upload the ISO install file to a physical appliance, you need either:

a USB port and USB flash drive, or
an optical disc drive and writeable optical disc

See 6. Boot Media Creation – Physical Appliances Only for more information.

Virtual Machine Additional Requirements

In addition to one network interface (the Control interface), 2 GB RAM, a CPU with at least two cores, 32 GB of storage space, and internet access, ensure that the virtual host and network are configured for promiscuous mode on the second network interface if you plan to ingest traffic from a mirror or SPAN port.

VirtualBox - See this VirtualBox manual link for more information on configuring promiscuous mode.

Select the adapter for the Mirror interface from the Network settings.
Set promiscious mode to Allow in the Advanced Options.

VMware hypervisor - See this VMware knowledge base article for more information on configuring promiscuous mode. You may need to set the VLAN ID to 4095.

Select the host in the inventory.
Select the Configuration tab.
Click Networking.
Click Properties for your virtual switch.
Select the virtual switch and click Edit.
Select the Security tab.
Select Accept from the Promiscious Mode drop-down.

Sensor Deployment Considerations

Placing Sensors on your Network

Sensor Deployment Considerations

You can deploy sensors to collect flow data, or ingest network traffic that is mirrored from a network router or switch, or both. There is no limit on the number of sensors deployed.

NOTE: Sensors version 4.0 or greater can collect enhanced NetFlow telemetry. This allows Stealthwatch Cloud to generate new types of observations and alerts. For more information, see the Stealthwatch Cloud Configuration Guide for Enhanced NetFlow.

Because network topologies vary greatly, keep the following general guidelines in mind when deploying your sensors:

Determine if you want to deploy sensors to:
- collect flow data
- ingest mirrored network traffic
- have some collect flow data, and others ingest mirrored network traffic
- both collect flow data and ingest mirrored network traffic
If collecting flow data, determine what formats your network devices can export, such as NetFlow v5, NetFlow v9, IPFIX, or sFlow.
- NOTE: Many firewalls support NetFlow, including Cisco ASA firewalls and Cisco Meraki MX Appliances. Consult with your manufacturer's support documentation to determine if your firewall also supports NetFlow.
Ensure that the network port on the sensor can support the Mirror ports capacity.

Contact support@obsrvbl.com if you need help with deploying multiple sensors to your network.

Checking Your Sensor Version

To ensure you have the most recent sensor deployed on your network (version 4.0), you can check an existing sensor's version from the command line. If you need to upgrade, reinstall the sensor, as described in 6. Boot Media Creation – Physical Appliances Only and 7. Sensor Installation – Physical Appliances and Virtual Machines.

SSH log into the sensor.
At the prompt, enter cat /opt/obsrvbl-ona/version and press Enter. If the console does not display 4.0.0, your sensor is out of date. Download the most recent sensor ISO from the web portal UI, as described in 6. Boot Media Creation – Physical Appliances Only.

Cisco Defense Orchestrator and Sensor Deployment

If you use Cisco Defense Orchestrator (CDO) and deploy Firepower appliances to your network, you can purchase a Cisco Security Analytics and Logging license (Firewall Analytics and Monitoring or Total Network Analytics and Monitoring) and apply Stealthwatch Cloud dynamic entity modeling to your Firepower event data. See Cisco Security Analytics and Logging for more information.

With a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, you can associate an existing Stealthwatch Cloud portal with your CDO deployment, or have Cisco provision a new Stealthwatch Cloud portal for you. As you configure Security Analytics and Logging, Cisco automatically provisions a sensor named connection-events, dedicated to your Firepower event data. See Request a Stealthwatch Cloud Portal for more information.

Because the Firewall Analytics and Monitoring license applies dynamic entity modeling to Firepower event data only, you do not need to deploy additional Stealthwatch Cloud sensors to your network for this license. In contrast, because the Total Network Analytics and Monitoring license applies dynamic entity modeling to both Firepower event data and on-premises network traffic, to take full advantage of the license capabilities, deploy additional sensors to your network.

NOTE: Contact support@obsrvbl.com if you complete your CDO configuration and do not see the connection-events sensor in your Stealthwatch Cloud portal.

Network Considerations

Required Network Configuration

Sensor External Network Access

Configure your firewall to allow the following traffic from the sensor to the external internet:

[REQUIRED] Outbound HTTPS traffic from the sensor's Control interface to the Stealthwatch Cloud service hosted on Amazon Web Services.
[REQUIRED] Outbound traffic from the Control interface to an Ubuntu Linux server for downloading Linux updates
- us.archive.ubuntu.com:443/TCP
- us.archive.ubuntu.com:80/TCP
[REQUIRED] Outbound traffic from the Control interface to a DNS server for hostname resolution
- [local DNS server]:53/UDP
[OPTIONAL] inbound traffic from a remote troubleshooting appliance to your sensor, for remote troubleshooting assistance
- 54.83.42.41:22/TCP

NOTE: If you use a proxy service, create a proxy exception for sensor Control interface IP addresses.

Network Device Mirrored Traffic Configuration

See the following to configure mirrored traffic on network switches:

Cisco Switch Port Analyzer (SPAN) Configuration Examples
Juniper Port Mirroring Overview
NETGEAR Port Mirroring Overview
ZyXEL Port Mirroring Configuration Commands
Wireshark Wiki Switch Reference (for other switch manufacturers)

See the following to configure mirrored traffic on network taps:

Flow Configuration

You must configure your network device to pass NetFlow data. See https://configurenetflow.info/ or this Cisco NetFlow Configuration PDF to configure NetFlow on Cisco network devices.

Boot Media Creation

Physical Appliances Only

If you install your sensor on a virtual machine, skip to the next section.

You can write the sensor ISO file to an optical disc or USB flash drive, reboot the physical appliance with the optical disc or flash drive in the appliance, and boot from the sensor ISO file. Follow the directions below to download the sensor ISO file and create a bootable optical disc, and the directions and video to the right to create a USB flash drive.

NOTE: If you deploy a sensor without using an ISO, you may need to update the local appliance's firewall settings to allow traffic. Cisco highly recommends that you deploy the sensor using the provided ISO.

Download the Sensor ISO File

Download the latest version of the sensor ISO from the web portal. Use this either to install (for a new sensor) or reinstall (to upgrade an existing sensor).

Log into the web portal UI as an administrator.
Select Help (?) > Sensor Install.
Click the .iso button to download the latest ISO version.

Create a Bootable Optical Disc

Burn the ISO file to an optical disc. See

Create a Bootable USB Flash Drive

Insert a blank USB flash drive into the workstation. WARNING: Creating the bootable USB flash drive deletes all information on the drive.
Go to the Rufus home page and download the latest version of the Rufus USB flash drive utility.
Open the Rufus utility.
Select the USB flash drive in the Device drop-down.
Select Disk or ISO image from the Boot selection drop-down.
Click SELECT and select the sensor ISO file that you downloaded.
Click START.

Create a Bootable USB Flash Drive

Sensor Installation

Physical Appliances and Virtual Machines

The following 4 videos and procedures walk you through a typical sensor installation on a virtual machine. Watch the videos, or follow the procedures, for more information.

Sensor Installation Part 1 covers initial language and keyboard configuration.

Sensor Installation Part 1

Sensor Installation Part 1

After you load the ISO, select a language.
Select Install Observable Network Appliance. Wait several seconds for the installer to load.
Select a language.
Select your location.
Configure the keyboard by selecting Yes, then select your Keyboard Layout.
Select the Country of origin for the keyboard.
Select your Keyboard layout.

Sensor Installation Part 2 covers interface and network configuration.

Sensor Installation Part 2

NOTE: By default, the installation automatically uses DHCP and proceeds. To override the DHCP IP address, you must manually edit the interface after the install finishes.

Sensor Installation Part 2

Configure the Network and select the primary network interface to be used as the Control interface. Wait for the installer to perform additional configuration. NOTE: All other network interfaces are automatically configured as mirror interfaces.
If you do not want to use DHCP, or see a Network autoconfiguration failed message, take the following steps:
1. Select Configure network manually.
2. Enter an IP address and Netmask for the sensor.
3. Enter a Gateway router IP address.
4. Enter up to 3 domain Name server addresses.

Sensor Installation Part 3 covers user creation, encryption, and time configuration.

Sensor Installation Part 3

Sensor Installation Part 3

Enter the Full name for the new user, a non-root account with non-administrative permissions.
Enter the Username for your account.
Choose a password for the new user, then Re-enter the password to verify.
Select Yes to Encrypt your home directory.
Select your time zone. Wait for the installer to perform additional configuration.

NOTE: The account you create during setup is the only account you can use to access the virtual machine. This installation does not create a separate Stealthwatch Cloud portal account.

Sensor Installation Part 4 covers miscellaneous settings, including disk drive partitioning, HTTP proxy configuration, update policy, and boot loader installation.

Sensor Installation Part 4

Sensor Installation Part 4

Select Guided - use entire disk.
Select the disk to partition.
Select Finish partitioning and write changes to disk, then confirm your selection. WARNING: This action deletes all data on the drive. Ensure it is empty before proceeding.
Enter HTTP proxy information, or leave this blank if you do not use one.
Select Install security updates automatically.
Select Yes to Install the GRUB boot loader to the master boot record. Wait for the installer to perform additional configuration.
When the installer displays Installation Complete, select Continue.

Web Portal Configuration

Adding a Sensor to the Web Portal

Add a Sensor's Public IP Address to the Stealthwatch Cloud Web Portal

From the sensor's command line, you can identify its public IP address, then add that to the Stealthwatch Cloud web portal to establish the initial connection between your portal and the sensor. If you cannot identify the public IP address, go to the next page to use the portal's unique service key to associate the sensor with the portal.

SSH log into the sensor.
At the prompt, enter curl https://sensor.ext.obsrvbl.com and press Enter. If the console displays "error": "unknown identity" then this sensor is not associated with a web portal.
Copy the identity IP address.
Log out of the sensor.
Log into the web portal as a site administrator.
Select Settings > Sensors > Public IP.
Paste the identity IP address in the Public IP field.
Click Add IP. After the portal and sensor exchange keys, they establish future connections using the keys, not the public IP address. NOTE: It can take up to 10 minutes before a new sensor is reflected in the portal.

Watch the video below, or follow the procedure to the left, for more information.

Add a Sensor's Public IP Address

Add a Web Portal's Service Key to a Sensor

In certain situations, you might not be able to add a sensor's public IP address to the web portal, such as when you are using a proxy service. In these situations, edit the sensor's config.local file instead to include the portal's service key and establish a connection.

Log into the web portal UI as a site administrator.
Select Settings > Sensors.
Copy the Service key at the end of the sensor list.
SSH log into the sensor as an administrator.
At the prompt, enter sudo nano /opt/obsrvbl-ona/config.local and press Enter.
Beneath the line # Service Key, add the line OBSRVBL_SERVICE_KEY="<service-key>" and replace <service-key> with the web portal's service key.
Press Ctrl + 0 to save your changes.
Press Ctrl + x to exit.
At the prompt, enter sudo service obsrvbl-ona restart to restart the Stealthwatch Cloud service. NOTE: It can take up to 10 minutes before a new sensor is reflected in the portal.

Watch the video below, or follow the procedure to the left, for more information.

Add a Web Portal's Key to a Sensor

Configure a Sensor's Flow Data Ingestion

After you add the sensor, configure the type of flow data that it ingests from the sensor's settings in the web portal.

Log into the web portal UI as a site administrator.
Select Settings > Sensors.
Click Change settings for the sensor you added.
Select NetFlow/IPFIX. NOTE: If you do not see this option, select Help (?) > Sensor Install to download a current version of the sensor ISO.
Click Add New Probe.
Select a flow type from the Probe Type drop-down.
Enter a Port number. NOTE: If you want to pass Flexible NetFlow to your sensor, ensure that the UDP port you configure is not one that is also configured for Flexible NetFlow or IPFIX in your sensor configuration. See the Configuration Guide for Enhanced NetFlow for more information.
Select a Protocol.
Select a Source device from the drop-down.
Click Save.

Watch the video below, or follow the procedure to the left, for more information.

Configure a Sensor's Flow Data Ingestion

Troubleshooting

Verifying Flow Collection

Capture Packets from the Sensor

Occasionally, Cisco Support may need to verify the flow data being received by the sensor. Cisco recommends that you do this by generating a packet capture of the flows. You can also open the packet capture in Wireshark to review the data.

View the videos, or follow the procedures, for more information.

SSH log into the sensor.
At the prompt, enter sudo tcpdump -D and press Enter to view a list of interfaces. Note the name of your sensor's Control interface.
At the prompt, enter sudo tcpdump -i <control_interface> -n -c 100 "port <port_number>" -w <pcap_name>, replace <control_interface> with your Control interface name, <port_number> with the port number corresponding to your configured flow data, and <pcap_name> with a name for the generated pcap file, then press Enter. The system generates a pcap file with the specified name for that interface's traffic, over the specified port.
Log out of your sensor.
Using an SFTP program, such as PuTTY SFTP (PSFTP), or WinSCP, log into the sensor.
At the prompt, enter get <pcap_name>, replace <pcap_name> with your generated pcap file name, and press Enter to transfer the file to your local workstation.

Capture Packets from the Sensor

Analyze the pcap in Wireshark

Download and install Wireshark, then open Wireshark.
Select File -> Open, then select your pcap file.
Select Analyze -> Decode As.
Click + to add a new rule.
Select CFLOW from the Current drop-down, then click OK. The UI updates to display only packets that are related to NetFlow, IPFIX, or sFlow. If no results appear, the pcap does not contain NetFlow-related packets, and flow data collection is incorrectly configured on the sensor.

Analyze the pcap in Wireshark

Next Steps

Questions about the deployment?

Email support@obsrvbl.com with questions about your deployment.

Curious about Stealthwatch Cloud or Stealthwatch Enterprise?

Watch videos at this YouTube link to learn more about the Stealthwatch family of products, including Stealthwatch Cloud.

Want an overview of the Stealthwatch Cloud web portal?

Watch this YouTube video for basic information about the Stealthwatch Cloud web portal.

Want to learn more about Stealthwatch Cloud configuration and use?

Read documentation from this cisco.com link, including:

the Free Trial Guide, especially the Quick Start and Private Network Monitoring Deployment and Configuration sections.
the Private Network Monitoring Advanced Configuration Guide, including Troubleshooting information on the deployment process.