CISCO Secure Network Analytics Deployment
Product Information
Specifications:
- Product Name: Cisco Secure Network Analytics Deployment
- Integration: Cisco ISE Integration for ANC
Cisco Secure Network Analytics Deployment and Cisco ISE Integration for ANC
Installation of SMC
Log in to the console, type the command SystemConfig. Enter the network configuration for the appliance.
Installation of Datastore Node
Log in to the console, type the command SystemConfig. Enter the network configuration for the appliance.
With the management interface configured, the next step is the second network interface, which carries inter-Data Node communication (traffic between Data Nodes).
Installation of Flow Collector
Log in to the console, type the command SystemConfig. Ensure that all telemetry options are selected.
Configure the ports for the telemetry.
- Netflow: 2055
- Network Visibility Module: 2030
- Firewall Logs: 8514
Enter the network configuration for the appliance.
Installation of Flow Sensor
Log in to the console, type the command SystemConfig. Enter the network configuration for the appliance.
Installation of Cisco Telemetry Broker
Cisco Telemetry Broker is a component of Cisco Secure Network Analytics (formerly Cisco Stealthwatch) used to optimize telemetry delivery. It is mainly used:
- To simplify the collection and aggregation of NetFlow, SNMP and Syslog traffic.
- To simplify NetFlow export: network devices send to a single exporter destination (the broker) instead of to several, which matters when you have disparate NetFlow analyzers such as Cisco Secure Network Analytics, SolarWinds or LiveAction, or multiple Flow Collectors within Cisco Secure Network Analytics.
- To simplify telemetry streams when the same telemetry must reach multiple destinations and different log-management solutions.
The architecture of Cisco Telemetry Broker consists of two components:
- Manager Node
- Broker Node.
All Broker Nodes are managed by one Cisco Telemetry Broker Manager Node over the management interface. The Manager Node needs a single network interface, for management traffic. A Broker Node needs two: a management interface for communication with the Manager Node, and a telemetry interface that receives telemetry from the exporters and forwards it to the Flow Collector, which in turn feeds the SMC (Manager) in the Cisco Secure Network Analytics solution. The destination, that is the Flow Collector's IP address and UDP port, is configured on the Manager Node and pushed down to the Broker Nodes over the management interface; this is what tells them where to forward the NetFlow traffic.
When installing a Broker Node, you join it to the Manager Node with the sudo ctb-manage command, providing the IP address and admin credentials of the Manager Node. Once the Broker Node is joined, the Manager Node's web GUI lists it with its management IP address. To complete the integration, add the Broker Node's telemetry (data) network interface in the Manager Node GUI. Finally, point the network devices (firewalls, routers and switches) at the Broker Node's telemetry interface IP address as their NetFlow export destination.
Deploy the Manager Node
Run the sudo ctb-install --init command.
Enter the following information:
- Password for the admin user
- Hostname
- IPv4 address, subnet mask, and default gateway address for the Management Network interface
- DNS nameserver IP address
Deploy the Broker Node
Run the sudo ctb-install --init command.
Enter the following information:
- Password for the admin user
- Hostname
- IPv4 address, subnet mask, and default gateway address for the Management Network interface
- DNS nameserver IP address
Run the sudo ctb-manage command.
Enter the following information:
- IP address of the Manager node
- Username of the admin account of the Manager node
Log in to Cisco Telemetry Broker: in a web browser, enter the management interface IP address of the Manager Node. From the main menu, choose Broker Nodes.
In the Broker Nodes table, click the broker node. In the Telemetry Interface section, configure the telemetry interface address and its default gateway.
Now that the SNA appliances have a management IP address, complete the Appliance Setup Tool (AST) on each SNA component.
The Appliance Setup Tool (AST) configures each appliance so that it can communicate with the rest of the SNA deployment.
SMC
- Access the SMC GUI.
- Change the default passwords for admin, root, and sysadmin.
- Leave the Management Network Interface unchanged.
- Configure the host name and domain.
- Configure the DNS servers.
- Configure the NTP server.
- Finally, register the SMC.
- The SMC reboots.
Datastore Node
Follow the same procedure; the only difference is the Central Management Settings section, where you enter the IP address of the SMC (198.19.20.136) and its username/password.
Flow Collector
Follow the same procedure; the only difference is the Central Management Settings section, where you enter the IP address of the SMC (198.19.20.136) and its username/password.
Flow Sensor
- Follow the same procedure; the only difference is the Central Management Settings section, where you enter the IP address of the SMC (198.19.20.136) and its username/password.
Initialize the Datastore Node
- To complete the configuration, initialize the Datastore Node.
- SSH to the Datastore Node and run the SystemConfig command.
- Follow the interactive dialog to initialize the Datastore Node.
- Access the SMC GUI. Under Central Management, all Cisco SNA appliances now show as connected to the SMC.
Cisco Telemetry Broker Configuration
Access the Cisco Telemetry Broker Manager Node GUI. Click Add Destination and select UDP Destination. Configure the following parameters:
- Destination Name: SNA-FC
- Destination IP Address: 198.19.20.137
- Destination UDP Port: 2055
Click Add Rule and enter 2055 as the Receiving UDP Port.
Click Add Destination again and select UDP Destination. Configure the following parameters:
- Destination Name: Manager
- Destination IP Address: 198.19.20.136
- Destination UDP Port: 514
Click Add Rule and enter 2055 as the Receiving UDP Port.
A rule binds a receiving UDP port on the Broker Node's telemetry interface to a destination: every datagram the broker receives on that port is forwarded to each destination that has a rule for it, so the receiving port must match the port the exporters send to.
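Before pointing production exporters at the broker, it is worth confirming that a datagram received on the telemetry interface actually reaches the Flow Collector and shows up in the SMC. The following added example (not part of the original guide or of Cisco's tooling) builds a minimal but valid NetFlow v9 export packet in Python and sends it to the broker's receiving port 2055. The broker telemetry address BROKER_TELEMETRY_IP and the two flow records are assumptions, not values from the page; the field type numbers come from RFC 3954.

```python
"""Send a synthetic NetFlow v9 datagram to the Cisco Telemetry Broker telemetry interface.

Added example: BROKER_TELEMETRY_IP is an assumed Broker Node telemetry address and the
records below are constructed sample flows; nothing here comes from the deployment guide.
"""
import ipaddress
import socket
import struct
import time

TEMPLATE_ID = 256          # data template IDs must be >= 256 (RFC 3954)
SOURCE_ID = 1              # observation domain of the synthetic exporter

# NetFlow v9 field types and lengths from RFC 3954, section 8.
FIELDS = [
    (8, 4),    # IPV4_SRC_ADDR
    (12, 4),   # IPV4_DST_ADDR
    (7, 2),    # L4_SRC_PORT
    (11, 2),   # L4_DST_PORT
    (4, 1),    # PROTOCOL
    (2, 4),    # IN_PKTS
    (1, 4),    # IN_BYTES
    (10, 2),   # INPUT_SNMP
    (14, 2),   # OUTPUT_SNMP
    (22, 4),   # FIRST_SWITCHED (sysUptime ms)
    (21, 4),   # LAST_SWITCHED (sysUptime ms)
]
RECORD_LEN = sum(length for _, length in FIELDS)   # 33 bytes per data record

# Constructed sample flows: an HTTPS session and a DNS query to an external resolver.
SAMPLE_RECORDS = [
    {"src": "10.1.1.5", "dst": "198.51.100.20", "sport": 51515, "dport": 443, "proto": 6, "pkts": 40, "bytes": 31000},
    {"src": "10.1.1.5", "dst": "8.8.8.8", "sport": 53333, "dport": 53, "proto": 17, "pkts": 1, "bytes": 75},
]


def template_flowset():
    """FlowSet ID 0 carrying the single template that describes SAMPLE_RECORDS."""
    body = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    for ftype, flen in FIELDS:
        body += struct.pack("!HH", ftype, flen)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(records, uptime_ms):
    """FlowSet whose ID is the template ID: one fixed-size record per flow, padded to 4 bytes."""
    body = b""
    for r in records:
        body += ipaddress.IPv4Address(r["src"]).packed
        body += ipaddress.IPv4Address(r["dst"]).packed
        body += struct.pack("!HHBII", r["sport"], r["dport"], r["proto"], r["pkts"], r["bytes"])
        body += struct.pack("!HHII", 1, 2, max(uptime_ms - 1000, 0), uptime_ms)
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def build_packet(records, seq, uptime_ms=None, now=None):
    """NetFlow v9 export packet: 20-byte header + template FlowSet + data FlowSet."""
    if uptime_ms is None:
        uptime_ms = int(time.monotonic() * 1000) & 0xFFFFFFFF
    if now is None:
        now = int(time.time())
    # count = template records + data records (RFC 3954, section 5.1)
    header = struct.pack("!HHIIII", 9, 1 + len(records), uptime_ms, now, seq, SOURCE_ID)
    return header + template_flowset() + data_flowset(records, uptime_ms)


def parse_header(packet):
    """Decode the export header so you can double-check what was sent."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    return {"version": version, "count": count, "uptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": source_id}


def send_flows(broker_ip, records=SAMPLE_RECORDS, port=2055, seq=1):
    """Fire one datagram at the broker's receiving port; returns the number of bytes sent."""
    packet = build_packet(records, seq)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (broker_ip, port))


if __name__ == "__main__":
    BROKER_TELEMETRY_IP = "198.19.20.150"   # assumed Broker Node telemetry interface address
    print(f"sent {send_flows(BROKER_TELEMETRY_IP)} bytes to {BROKER_TELEMETRY_IP}:2055")
```

The template is carried in the same datagram as the data records on purpose: a Flow Collector silently drops data FlowSets until it has seen the matching template, so a one-shot test packet without it produces nothing to look at. After sending, the sending host should appear as an exporter and the two flows should be searchable in the SMC; if not, check the rule's receiving port on the broker and the Flow Collector's NetFlow port (2055) first.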
Cisco ISE Identity Services Engine Integration
Navigate to Administration > pxGrid > Certificates.
Complete the form as follows:
- Click in the I want to field and select Download Root Certificate Chain
- Click in the Host Names field and select admin
- Click in the Certificate Download Format field and select the PEM option
- Click Create
- Download the file as ISE-CA-ROOT-CHAIN.zip.
- On the SMC GUI, click Central Management. On the Central Management page, locate the SMC Manager appliance, then select Edit Appliance Configuration.
- Click General.
- Scroll down to Trust Store and click Add New. Select the CertificateServicesRootCA-admin_.cer file. Click Add Certificate.
- The SMC will now trust certificates issued by the ISE CA.
- Click the Appliance tab. Scroll down to Additional SSL/TLS Client Identities section and click Add New.
- It will ask if you need to generate a CSR, select Yes and click Next.
Fill out the CSR as follows:
- RSA Key Length
- Organization
- Organizational Unit
- Locality or City
- State or Province
- Country Code
- Email Address
Click Generate CSR, then Download CSR.
Access the Cisco ISE GUI. Navigate to Administration > pxGrid > Certificates.
Use the following information:
- In the I want to field, select Generate a single certificate (with certificate signing request)
- Paste the CSR into the Certificate Signing Request Details field
- Type SMC in the Description field
- Select IP Address in the SAN field and enter 198.19.20.136 as the associated IP Address
- Select PKCS12 format as the Certificate Download Format option
- Enter a password
- Click Create
- Save the downloaded certificate bundle under the name SMC-PXGRID.
Note:
In an existing Cisco ISE deployment you may find expired system certificates for the admin, EAP and pxGrid services.
This happens when the Cisco ISE internal CA certificates that signed those system certificates have themselves expired.
To renew the system certificates, navigate to Administration > Certificates > Certificate Signing Requests. In the Usage field, select ISE Root CA, then click Replace ISE Root CA Certificate Chain.
Cisco ISE generates new internal CA certificates. Don't forget to adjust the Trusted For field for the appropriate services, such as pxGrid.
The system certificates are now valid. If you do this after importing the ISE root chain into the SMC trust store, download the new chain and add its root to the SMC as well, since the SMC only trusts the chain it was given.
Access the SMC GUI. Go to Central Management. In the SMC Appliance Configuration tab, scroll down to Add SSL/TLS Client Identity form, then click Choose File, select the SMC-PXGRID certificate.
In the SMC GUI, navigate to Deploy > Cisco ISE Configuration.
Configure the ISE Configuration with the following parameters:
- Cluster Name: ISE-CLUSTER
- Certificate: SMC-PXGRID
- Primary PxGrid Node: 198.19.20.141
- Client Name: SMC-PXGRID
Navigate to Monitor > Users.
Notice that we can see User data on SMC.
ISE Adaptive Network Control (ANC) Policies
Select Operations > Adaptive Network Control > Policy List > Add and enter SW_QUARANTINE for the Policy Name and Quarantine for the Action.
Access the SMC GUI. Select an IP address in the dashboard; the ISE ANC Policy list is now populated with the policy defined on ISE.
- Global authorization exception policies let you define rules that override all authorization rules in all of your policy sets. Once you configure a global exception policy, it is added to every policy set.
- A local authorization exception rule overrides the global exception rules: ISE processes the local exception rules first, then the global exception rules, and finally the regular rules of the authorization policy.
- One useful application of exception rules is the integration of Cisco Secure Network Analytics (Stealthwatch) with Cisco ISE for Response Management using Adaptive Network Control (ANC): when an alarm is raised, Cisco Secure Network Analytics asks Cisco ISE, through pxGrid, to quarantine the host with an ANC policy.
- The best practice is to place the authorization rule that quarantines the host (matching the ANC policy) in either a local exception or the global exception, so that it takes precedence over the normal rules.
- To apply the ANC policy across all policy sets (VPN, wired and wireless users alike), use the global exception.
- To apply the ANC policy only to VPN users or only to wired users, use a local exception inside the VPN policy set or the wired policy set respectively.
Automatic Action and Response with ANC
Scenario: a company uses Cisco Umbrella as its DNS service to block internet threats. We want a custom alarm that fires when internal users use any other external DNS server, because a rogue DNS server can redirect traffic to external sites for malicious purposes. When the alarm is raised, Cisco Secure Network Analytics asks Cisco ISE, through pxGrid, to quarantine the host that used the rogue DNS server with an Adaptive Network Control policy.
Navigate to Configure > Host Management. Under the parent host group Inside Hosts, create a host group named Corporate Networks for your internal networks.
Under the parent host group Outside Hosts, create a host group named Umbrella DNS Servers for the Umbrella resolver IP addresses.
Navigate to Configure > Policy Management.
Create a Custom Event with the following settings:
- Name: Unauthorized DNS Traffic
- Subject Host Groups: Corporate Networks
- Peer Host Groups: Outside Hosts, except Umbrella DNS Servers
- Peer Port/Protocols: 53/UDP, 53/TCP
This event fires when any host in the Corporate Networks host group talks to any host in the Outside Hosts host group, other than members of the Umbrella DNS Servers host group, on 53/UDP or 53/TCP; the alarm is raised against the subject host.
Navigate to Configure > Response Management and click Actions.
Select the ISE ANC Policy action. Give it a name and select the Cisco ISE cluster that should be contacted to apply the quarantine policy whenever a host connects to a rogue DNS server.
Under the Rules section, create a new rule that applies this action whenever an internal host sends DNS traffic to a rogue DNS server. In the "Rule is triggered if" section, select Type, scroll down and select the custom event created above. Under Associated Actions, select the ISE ANC action created above.
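The subject/peer/port semantics of the custom event and the one-action-per-offending-host behaviour of the response rule are easy to get wrong (a peer that is inside but not in any named group, or a subject in a sibling inside group, does not fire). The following added example, which is not part of the original guide and not SNA code, models the host groups with ipaddress networks and evaluates the "Unauthorized DNS Traffic" event plus the SW_QUARANTINE response over a handful of constructed flow records. The internal prefixes, the Lab Networks group and the flows are assumptions; the Umbrella addresses are Cisco's published anycast resolvers.

```python
"""Evaluate the 'Unauthorized DNS Traffic' custom event and its ANC response over sample flows.

Added example: the host-group prefixes, the Lab Networks group and the flow records are
constructed for illustration; the guide only names the groups and the policy.
"""
import ipaddress
from dataclasses import dataclass

# Host groups as defined on the SMC. Inside Hosts is the union of all inside groups and
# Outside Hosts is everything that is not inside, which mirrors how SNA classifies peers.
INSIDE_GROUPS = {
    "Corporate Networks": ["10.0.0.0/8", "192.168.0.0/16"],   # assumed internal prefixes
    "Lab Networks": ["172.16.0.0/12"],                          # inside, but not a subject of the event
}
OUTSIDE_GROUPS = {
    "Umbrella DNS Servers": ["208.67.222.222/32", "208.67.220.220/32"],
}
ANC_POLICY = "SW_QUARANTINE"     # ANC policy created on ISE


@dataclass(frozen=True)
class Flow:
    src: str      # subject host (the client that initiated the flow)
    dst: str      # peer host
    proto: str    # "udp" or "tcp"
    dport: int    # peer port


def in_group(ip, group, groups):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in groups[group])


def is_inside(ip):
    return any(in_group(ip, g, INSIDE_GROUPS) for g in INSIDE_GROUPS)


def unauthorized_dns_traffic(flow):
    """Custom event: subject in Corporate Networks, peer in Outside Hosts except Umbrella, peer port 53 UDP/TCP."""
    subject_matches = in_group(flow.src, "Corporate Networks", INSIDE_GROUPS)
    peer_outside = not is_inside(flow.dst)
    peer_excluded = in_group(flow.dst, "Umbrella DNS Servers", OUTSIDE_GROUPS)
    port_matches = flow.dport == 53 and flow.proto in ("udp", "tcp")
    return subject_matches and peer_outside and not peer_excluded and port_matches


def response_plan(flows):
    """Response Management rule: each subject that raised the event gets the ANC policy, once per host."""
    plan = {}
    for flow in flows:
        if unauthorized_dns_traffic(flow):
            plan[flow.src] = ANC_POLICY
    return plan


# Constructed sample flows covering the cases a practitioner should expect.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "8.8.8.8", "udp", 53),            # rogue external resolver: alarm
    Flow("10.1.1.5", "208.67.222.222", "udp", 53),     # Umbrella: allowed
    Flow("10.1.1.7", "10.1.1.1", "udp", 53),           # internal DNS server, peer is inside: no alarm
    Flow("10.1.1.9", "1.1.1.1", "tcp", 443),           # HTTPS, wrong port: no alarm
    Flow("172.16.5.5", "9.9.9.9", "tcp", 53),          # subject not in Corporate Networks: no alarm
    Flow("192.168.20.4", "9.9.9.9", "tcp", 53),        # DNS over TCP to a rogue resolver: alarm
]

if __name__ == "__main__":
    for host, policy in sorted(response_plan(SAMPLE_FLOWS).items()):
        print(f"{host}: apply ISE ANC policy {policy}")
```

Two of the six flows produce an alarm, and both offending hosts end up in the plan exactly once even if they generated several matching flows; the 172.16.5.5 case shows why the subject group must cover every network whose hosts you want quarantined.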
From an inside host, open a command prompt and run nslookup, then enter server 8.8.8.8 and resolve a few names through the 8.8.8.8 DNS server.
Navigate to Monitor > ISE ANC Policy Assignments. You should see that Cisco Secure Network Analytics has applied the Adaptive Network Control policy to the host through pxGrid and ISE, quarantining it. The ANC assignment stays in place until it is cleared, so unassign the test host once you have verified the behaviour.
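It is also worth confirming the assignment from the ISE side, and clearing it after the test, without going through the SMC. The following added example (not from the guide and not Cisco code) uses the ISE ERS REST API over Python's standard library. It assumes ERS is enabled on the ISE PAN (Administration > System > Settings > ERS Settings), that the account has the ERS Admin role, that the ISE root chain downloaded earlier has been converted to a PEM file at CA_FILE, and that ISE_HOST and the endpoint MAC address are placeholders you replace; the ERS resource paths are taken from the ISE ERS API as the author understands it.

```python
"""List and clear ISE ANC endpoint assignments through the ERS API.

Added example with assumed inputs: ISE_HOST, USER, PASSWORD, CA_FILE and TEST_MAC are
placeholders, not values from the deployment guide.
"""
import base64
import json
import ssl
import urllib.request

ERS_PORT = 9060


def ers_url(ise_host, resource):
    """ERS config resources live under /ers/config/ on port 9060."""
    return f"https://{ise_host}:{ERS_PORT}/ers/config/{resource}"


def anc_body(mac, policy=None):
    """Body for ancendpoint/apply (with policyName) or ancendpoint/clear (macAddress only)."""
    data = [{"name": "macAddress", "value": mac}]
    if policy:
        data.append({"name": "policyName", "value": policy})
    return {"OperationAdditionalData": {"additionalData": data}}


def ers_call(ise_host, user, password, resource, ca_file, method="GET", body=None):
    """One authenticated ERS request; the ISE CA chain is pinned via ca_file (no verify=False)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(ers_url(ise_host, resource), method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, data=data, context=ctx, timeout=15) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def list_anc_assignments(ise_host, user, password, ca_file):
    """Endpoints currently under an ANC policy (ERS search results carry a resources list)."""
    _, doc = ers_call(ise_host, user, password, "ancendpoint", ca_file)
    return (doc or {}).get("SearchResult", {}).get("resources", [])


def apply_anc(ise_host, user, password, ca_file, mac, policy):
    status, _ = ers_call(ise_host, user, password, "ancendpoint/apply", ca_file,
                         method="PUT", body=anc_body(mac, policy))
    return status


def clear_anc(ise_host, user, password, ca_file, mac):
    status, _ = ers_call(ise_host, user, password, "ancendpoint/clear", ca_file,
                         method="PUT", body=anc_body(mac))
    return status


if __name__ == "__main__":
    ISE_HOST = "ise.example.local"          # assumed: must match a SAN in the ISE admin certificate
    USER, PASSWORD = "ers-admin", "change-me"  # assumed ERS Admin account
    CA_FILE = "ISE-CA-ROOT-CHAIN.pem"       # ISE root chain downloaded earlier, converted to PEM
    TEST_MAC = "AA:BB:CC:DD:EE:FF"          # assumed MAC of the host quarantined during the test

    for entry in list_anc_assignments(ISE_HOST, USER, PASSWORD, CA_FILE):
        print("assigned:", entry)
    print("clear status:", clear_anc(ISE_HOST, USER, PASSWORD, CA_FILE, TEST_MAC))
```

Two practical notes: the TLS context verifies the ISE certificate against the chain you already exported for pxGrid, so use the FQDN present in that certificate's SAN rather than the IP, or the hostname check fails; and the clear call is the same body shape as apply without policyName, which is what the SMC itself sends when it unassigns a host.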
FAQ
Q: How do I complete the Appliance Setup Tool (AST) on each SNA component?
A: Once each appliance has a management IP address from SystemConfig, open its GUI and run the AST: change the default passwords (admin, root, sysadmin), keep the management interface as configured, set the host name, domain, DNS and NTP servers, then register the SMC. On the Datastore Node, Flow Collector and Flow Sensor, also enter the SMC IP address and credentials under Central Management Settings, then initialize the Datastore Node over SSH with SystemConfig.
Documents / Resources
CISCO Secure Network Analytics Deployment [pdf] Instruction Manual