- Requirements
- Obtaining the ISO
- Burning the ISO Image
- Installing the ISO
- Registering the IDS Sensor in the Manager
- Registering the IDS Sensor in redBorder Live
- Assigning Resources to Segments
Requirements
redBorder IPS needs the following resources in order to function correctly.
The minimum resources required for installation, as well as those recommended for
correct performance, apply to each SNORT instance being executed. They are shown in the
following table:
| | Minimum | Recommended |
|---|---|---|
| RAM | 2 GB | 4 GB |
| Processor | 1 Core | 1 Core |
| HDD (SSD) | 20 GB | 40 GB |
| NIC | 2 | 2 |
For example, if you want four SNORT instances in the recommended configuration, you need a machine with 16 GB and four cores.
Obtaining the ISO
Redborder Enterprise Edition IPS is distributed as an ISO file that can be obtained in different ways.
If you don’t have it, please contact our sales team (sales@redborder.com) or our support team
(support@redborder.com), who will provide you with the latest available ISO file or a way to download it.
Burning the ISO Image
The ISO image can be booted from a DVD reader, from a USB device, or as an ISO file in a virtual machine.
NOTE: The process of creating a bootable USB for the IPS installation is the same as for the manager installation. You can find it by clicking on this link.
To burn the ISO image from a Linux system to a USB device, use the following command (here the USB device is mapped to /dev/sdd):
[root@machine ~]# dd if=redBorder-3.1.80-6-x86_64-6.5-sensor.iso of=/dev/sdd bs=10M
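A pre-flight check for the dd step above, as an added example that is not part of the original redBorder guide: it refuses to write unless the target is a whole disk that the kernel flags as removable and none of its partitions is mounted. The function names and the SYSFS/MOUNTS overrides are assumptions made for this example, and conv=fsync is added to the dd options shown above.

```shell
#!/usr/bin/env bash
# Added example: guard the dd write so a mistyped device name cannot
# overwrite an internal disk. SYSFS and MOUNTS are hypothetical overrides
# that exist only so the checks can be exercised against constructed
# fixtures; on a real system leave them at their defaults.
SYSFS="${SYSFS:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# usb_target_ok /dev/sdX -> 0 if the device looks safe to overwrite
usb_target_ok() {
    dev="$1"
    name="${dev#/dev/}"
    # Only whole disks have an entry directly under /sys/block;
    # a partition such as sdd1 does not.
    if [ ! -d "$SYSFS/$name" ]; then
        echo "refusing: $dev is not a whole-disk block device" >&2
        return 1
    fi
    # The kernel reports removable=1 for USB sticks. USB-attached hard
    # disks usually report 0, so this check errs towards refusing.
    if [ "$(cat "$SYSFS/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing: $dev is not flagged as removable" >&2
        return 2
    fi
    # Nothing on the device may be mounted while dd writes to it.
    if grep -q "^$dev" "$MOUNTS"; then
        echo "refusing: $dev or one of its partitions is mounted" >&2
        return 3
    fi
    return 0
}

# write_iso image.iso /dev/sdX -> runs dd only when every check passes
write_iso() {
    iso="$1"; dev="$2"
    [ -r "$iso" ] || { echo "refusing: cannot read $iso" >&2; return 4; }
    usb_target_ok "$dev" || return $?
    # conv=fsync flushes the data to the device before dd exits, so the
    # stick is safe to remove once the command returns.
    dd if="$iso" of="$dev" bs=10M conv=fsync
}
```

Source the file and call `write_iso redBorder-3.1.80-6-x86_64-6.5-sensor.iso /dev/sdd` as root in place of the bare dd command.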
Installing the ISO
NOTE: If a USB memory stick is used on a physical machine, the operating system will automatically extend the disk and the data on the USB device will be lost. To avoid this, the USB device needs to be removed before rebooting.
Once you have booted the redborder ISO, you will see the installation menu. To perform the
installation, select the option: Install Sensor IPS:
Once in the installation process, the user only needs to confirm the installation destination and root
password. Redborder is prepared for unattended installations, so pay close attention to
the time you have to respond to these three questions if you wish to modify the default options:
Once this page has been confirmed, the installation will carry out all of the necessary processes to
prepare the system for configuration.
By default, the root password will be redborder.
Basic Configuration
Upon completing the installation process, you have two configuration options depending on whether or not there is a DHCP server.
- Dynamic IP (DHCP): in this case, redBorder will have acquired an IP in its network interface.
- Static IP: in this case redborder will not have any IP assigned.
In both cases you will have to access the system in order to configure and register the sensor in the
manager. Log in as the root user with the password that was selected during installation.
Once inside the system, start the configuration manager by executing:
[root@rbmanager ~]# rb_sysconf
A menu with different options will appear:
Select option number 2 for Network configuration:
Select option number 1 for Management Network configuration:
Select option “n” to create a new bonding. You’ll configure the management IP in the first bonding (bond0).
Type "0" to create bond0.
Now choose the first interface (port) for bond0. The second interface is optional:
In the next steps you set the IP address, netmask and default gateway. Remember that the sensor
requires visibility with the manager.
The option “Insert a route for this bonding” defines a static route. If you are going to use the default
gateway, select “N” for this option.
To finish the configuration of the management IP, you need to apply the changes. Then you must return to the previous menu (Network configuration menu) and select option “a”.
When the above processes finish, the management interface will be configured.
In this section you must keep in mind whether you want an Intrusion Detection System (IDS) or an
Intrusion Prevention System (IPS). For the former, you only need a management network interface
and another which you will use to analyze traffic. For the latter, in addition to the management
interface, you will need two or more network interfaces.
In this guide we will assume that there are two network interfaces in your system. You have already
configured the first in the previous steps and this is the interface that you will use to communicate with
the sensor. With the second network interface you are going to create a segment with a listening port
to analyze the traffic that flows through the said interface. Likewise, you need to send the desired
traffic to this second interface. One option is to use a network listening device (Network TAP) which
will be configured to resend traffic through the interfaces where it has not received traffic (see image).
A diagram is included where the configuration can be seen:
Now select option number 3 for Segment settings.
If you have a segment with bypass support, this capability will be auto-configured by default when detected. In this guide we assume that you don't have bypass support, so you must select the option "n" (new segment) in order to configure a segment and follow the wizard:
- Insert segment number (0-1) [0]: Press ENTER to select 0.
- Insert segment first port [1]: Press ENTER to select 1.
- Assign a second port to the segment (Y/n): Select N and press ENTER.
After creating the segment, you must apply the changes.
Lastly you can change, in Network Configuration, the DNS configuration and the desired domain. To do this, you select option 2 - DNS and domain settings:
You must apply the changes again.
Registering the IDS Sensor in the Manager
Now you are going to register the sensor, configured previously, in the Manager. To do this, you must go to the main menu and select option 1 - System configuration:
Option 1 allows us to create a host name for the IDS/IPS sensor.
Option 2 allows us to indicate the local time of the IDS/IPS sensor.
In option 3 you must insert the domain or IP that the Manager has in its management interface.
Lastly, you must select option 4 Register rB Sensor/ manager. This wizard will ask us for the username and password to access the web interface of the Manager (by default, the username is admin and the password is redborder).
If you have followed these instructions, the sensor will be registered:
Likewise, it will appear in the web interface of our Manager as configured. To verify this, you can access Sensors in the web interface to see if the last check in was satisfactory:
Registering the IDS Sensor in redBorder Live
In order to register the sensor in redBorder Live, you must have a redborder account. In order to create one (in case you don't have it) you must access here and then click on RB LIVE, in the upper right of the screen.
You will be redirected to the LIVE page where you must click on the Create a new redBorder LIVE account box.
Fill out the form and click on Register. You will need to confirm the email in order to finish the process.
Now, you must go to the redborder Live login page and log in with the same email address and password that you used in the registration process.
The next step is to access the sensor as the root user.
Once inside the system you will start the configuration manager. To do this, you will execute:
[root@rbmanager ~]# rb_sysconf
A menu with different options will appear:
You must select option 1 - System configuration:
First of all, Option 1 must be selected to create a host name for the IDS/IPS sensor, because the default hostname rbsensor is not allowed.
Then, select Option 5 to start the registration process to redBorder cloud. You must indicate the cloud address ("rblive.redborder.com" in this case), and the Sensor UUID should then be shown.
Copy the UUID and go to the redborder Live web page. If you are logged in, go to Sensors and press + Claim Sensor:
A pop-up window will appear where you must enter a name for the sensor and paste the UUID that you copied before in the field below.
Click on save and wait until the sensor is configured correctly. First the Last Check In tab will appear as configuring, and after a while it will change to claimed.
You can then verify that the sensor is working both in redborder Live and by executing the rb_sysconf command and selecting option 1 in the menu:
Assigning Resources to Segments
Go to the Sensor tab and select the Edit option:
Go to Groups and in this view you can see the number of segments and cores you have. You only need to check the segment and assign the number of cores you want. Then press Update.
To know how to create a rule and assign it to the IDS/IPS that is registered, you can visit the following link.