
Barac POC Prerequisites


Introduction

This document covers the setup of the Barac collector. The collector captures metadata from network traffic and sends it to the Barac Encrypted Traffic Visibility (ETV) platform. The guide walks through the setup and configuration of the components of the collector.

The collector has two interfaces, one for capture and the other for management and data transfer. Generally, these interfaces are on different networks. This configuration is used when the packet capture interface is on a tapped infrastructure, a transit network or a non-routable network, or connected to a switch that will not allow communication and capture on the same interface.

POC diagram

The diagram below gives an overview of the ETV solution, showing the collector and the route to the ETV platform.


The following schematic shows the components of the collector.

Install & Configuration for the Barac collector

The following is required in order to install the collector:

Mandatory requirements:

During POC we will need to have access to the following:

  • VMware console access to configure the admin tools with credentials (the credentials do not have to be shared with the Barac engineer, but someone who has them must be available to enter them at certain points)
  • Access to the virtual machine via the management interface through SSH
  • A contact within the company to escalate questions regarding the deployment and running of the POC

Preferable requirements:

  • Remote access for troubleshooting, and/or remote install of the POC, upon request

OS Prerequisites

  • ESXi 6.x or higher (if another hypervisor is required, please check with Barac for verification)
  • Disk: 65 GB (the ESXi image uses the paravirtual SCSI controller; when importing into another hypervisor, use LSI Logic SAS)
  • RAM: 4 GB
  • CPU: 2 vCPUs
  • 2 NICs, e1000e driver

Network requirements

Firewall port

To allow the collector to talk to the ETV platform, the following port must be opened in the firewall:

TCP port 10519, outbound from the collector's management interface to the ETV platform

Only metadata is sent outbound, inside a TLS tunnel. Scope the firewall rule to the collector's management address rather than opening the port for the whole management network.

Network interfaces

The collector has two interfaces: one for management and communication (mgmt) and one for capture (capture).

Use the lowest-numbered interface for management. Name it mgmt and give it an IP address and gateway on the management network; this requires a free IP address on the network the management interface connects to.

The other interface is used for capture. Connect it to the traffic capture infrastructure, such as a SPAN, mirror or tap port. It only receives mirrored traffic and does not need an IP address.

Interface mapping

By default, when the VM is imported into ESXi:

NIC 1 – management (ens192): mapped to "management"; change this to your management network (the interface is configured for DHCP)

NIC 2 – capture (ens224): mapped to "capture" in our infrastructure; change this to the port group that carries your SPAN/mirror traffic
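
The following script is an added example, not a script shipped with the Barac collector: it applies the two-interface layout described above with nmcli, giving the management NIC a static address and gateway and leaving the capture NIC with no IP at all, so nothing on the mirrored segment can address the collector. The interface names, addresses, DNS server and profile names are assumptions; override them in the environment. With DRY_RUN=1 it prints the commands instead of running them.

```bash
#!/bin/bash
# Added example (not from the Barac guide): configure the two collector NICs
# with nmcli. Interface names, addresses and gateway are assumptions; override
# them in the environment. DRY_RUN=1 prints the commands instead of running them.
MGMT_IF="${MGMT_IF:-ens192}"
CAP_IF="${CAP_IF:-ens224}"
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10/24}"   # documentation range, replace
MGMT_GW="${MGMT_GW:-192.0.2.1}"
MGMT_DNS="${MGMT_DNS:-192.0.2.53}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Name of the NetworkManager profile currently bound to a device ("--" if none).
existing_profile() {
  nmcli -g GENERAL.CONNECTION device show "$1" 2>/dev/null
}

# Drop the imported DHCP profile so the new one is the only profile on the NIC.
replace_profile() {
  local old
  old=$(existing_profile "$1" || true)
  if [ -n "$old" ] && [ "$old" != "--" ]; then
    run nmcli connection delete "$old"
  fi
}

configure_mgmt() {
  replace_profile "$MGMT_IF"
  # Static IPv4 plus gateway: the only routable interface on the collector.
  run nmcli connection add type ethernet ifname "$MGMT_IF" con-name mgmt \
      ipv4.method manual ipv4.addresses "$MGMT_ADDR" \
      ipv4.gateway "$MGMT_GW" ipv4.dns "$MGMT_DNS" ipv6.method disabled
  run nmcli connection up mgmt
}

configure_capture() {
  replace_profile "$CAP_IF"
  # No address, gateway or DNS on the capture NIC: nothing on the mirrored
  # segment can reach the collector through it, and it never sends on it.
  run nmcli connection add type ethernet ifname "$CAP_IF" con-name capture \
      ipv4.method disabled ipv6.method disabled connection.autoconnect yes
  run nmcli connection up capture
  # Accept frames not addressed to this NIC. Capture tools usually set this
  # themselves; setting it here makes a plain "tcpdump -p" test meaningful.
  run ip link set dev "$CAP_IF" promisc on
}

if [ "${1:-}" = "--apply" ]; then
  configure_mgmt
  configure_capture
  nmcli device status
fi
```

Run it once with DRY_RUN=1 ./collector-nics.sh --apply to review the commands, then without DRY_RUN from the VMware console rather than over SSH, since replacing the management profile briefly drops the management address.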

Collector ID

The Collector ID is the unique identifier for the POC. Barac uses it to select the right data, show it on the website and pass it through to the SIEM or SOC.

The Barac collector ID is set by running the following command on the collector:

sudo bin/changecompanyID.sh ************* (* = the unique ID you will receive from Barac)


Considerations

Configuring VMware ESX Virtual Switches for Port Monitoring

For the Barac Collector to monitor traffic from your physical network, you need to allocate a spare NIC (Network Interface Card) on your VMware server to pass the SPAN port traffic to the virtual network. Barac recommends that you SPAN your internal firewall ports, connect the SPAN port to the spare NIC, and then associate the spare NIC with a vSwitch.

Note: The following procedure is based on the ESXi 6.5 Web Client. If you are using a different client or an earlier version of VMware products, please consult the vendor documentation accordingly.

To monitor network traffic through a vSwitch

  1. Direct traffic from your physical network to the virtual network:
    1. Enable port mirroring on the network you want Barac to monitor.
    2. Allocate a spare NIC on your VMware server to receive the mirrored traffic.
    3. Associate the spare NIC with the vSwitch.
  2. In the ESXi 6.5 Web Client, click Networking in the Navigator and select the Port groups tab.
     Note: In VMware terminology, a port group acts like a network hub, making the traffic passing through the vSwitch visible to all interfaces connected to that port group.
  3. Click Add port group and fill in the settings:
    1. Enter a name for the port group.
    2. In VLAN ID, select 4095 for VGT (Virtual Guest Tagging) mode, so that tagged frames reach the collector with their VLAN tags intact. See VLAN Configuration in the VMware documentation for more information about VLAN tagging modes.
    3. In Virtual switch, select the vSwitch associated with the spare NIC configured in step 1.
    4. Expand the Security section and set Promiscuous mode to Accept. This setting allows any virtual interface connected to this port group to enter promiscuous mode and capture traffic from any other virtual interface connected to the vSwitch. Because it applies to every VM attached to the port group, attach only the collector's capture interface to it, and set MAC address changes and Forged transmits to Reject so the capture interface can listen but not inject.
  4. Click Add to create the port group.
  5. Connect the Barac Collector capture interface (NIC 2) to this port group.
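
The same port group can be built from the ESXi shell with esxcli. The script below is an added example, not from Barac or VMware: it creates a vSwitch that carries only the SPAN-fed uplink (a dedicated switch is a recommendation beyond the steps above), adds the port group with VLAN 4095 and promiscuous mode accepted, and keeps forged transmits and MAC changes rejected. The vSwitch, uplink and port group names are assumptions; DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from Barac or VMware): create the capture port group from
# the ESXi shell with esxcli. vSwitch, uplink and port group names are
# assumptions. DRY_RUN=1 prints the commands instead of running them.
VSWITCH="${VSWITCH:-vSwitchCapture}"
UPLINK="${UPLINK:-vmnic3}"            # the spare NIC cabled to the SPAN port
PORTGROUP="${PORTGROUP:-Barac-Capture}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_capture_portgroup() {
  # A vSwitch of its own: the SPAN-fed uplink only, no VMkernel port, so
  # mirrored traffic never shares a switch with management or VM networks.
  run esxcli network vswitch standard add --vswitch-name="$VSWITCH"
  run esxcli network vswitch standard uplink add --uplink-name="$UPLINK" --vswitch-name="$VSWITCH"
  run esxcli network vswitch standard portgroup add --portgroup-name="$PORTGROUP" --vswitch-name="$VSWITCH"
  # VLAN 4095 (VGT): frames reach the guest with their 802.1Q tags intact.
  run esxcli network vswitch standard portgroup set --portgroup-name="$PORTGROUP" --vlan-id=4095
  # Promiscuous mode lets the collector see every frame on this vSwitch.
  # Forged transmits and MAC changes stay rejected: the capture vNIC listens
  # and must never be able to inject into the monitored segment.
  run esxcli network vswitch standard portgroup policy security set \
      --portgroup-name="$PORTGROUP" --allow-promiscuous=true \
      --allow-forged-transmits=false --allow-mac-change=false
}

# Read the effective security policy back to confirm the change.
show_capture_policy() {
  run esxcli network vswitch standard portgroup policy security get --portgroup-name="$PORTGROUP"
}

if [ "${1:-}" = "--apply" ]; then
  create_capture_portgroup
  show_capture_policy
fi
```

After running it, attach only the collector's second vNIC to the new port group; any other VM placed there would see the mirrored traffic too.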

Testing functionality

The following steps confirm the collector is working as expected.

From a terminal session, ping the management interface address and its gateway to check connectivity.

Run nmcli device status to list the interfaces and their names.


In this setup, ens192 is the mgmt interface and ens224 is the capture interface.


Check data is being collected

From a terminal session run

ls -al ~/capture/

Check that the traffic file is present and that its size keeps increasing.

tail -10 ~/capture/traffic

The last records in the file should carry the current date and time.

Confirm over a few minutes that the traffic file keeps filling and is incremented / rotated.

Check traffic is reaching the capture interface

From a terminal session run the following, where "ens224" is the capture interface as shown at the beginning of this section (see previous image):

sudo tcpdump -i ens224

shows all traffic on the capture interface

sudo tcpdump -i ens224 tcp port 443

shows only traffic on port 443

Packets should scroll in the terminal session. If nothing appears, check the SPAN/mirror session on the switch and the promiscuous mode setting on the capture port group first.

Check data is being sent

Data is sent from the mgmt interface, as shown at the beginning of this section (see previous image). From a terminal session run

sudo tcpdump -i ens192 tcp port 10519 -X -s 0 -nn

Packets should scroll in the terminal session. Because the metadata travels inside a TLS tunnel, the -X hex dump shows only the TLS handshake and encrypted records, not readable content. Traffic is only visible here while the collector is sending, for example when it sets up a new session to the platform, so wait a while if nothing appears immediately.
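
The checks in this section can be scripted so they are repeatable during the POC. The script below is an added example, not a Barac tool: it tests that the traffic file is growing, that the capture interface carries no IPv4 address, that frames arrive on the capture interface, that TCP 10519 to the ETV platform is reachable through the firewall, and that packets actually leave the management interface on that port. Interface names and the traffic file path are assumptions matching the defaults above; ETV_HOST is not given on this page and must be set to the address Barac provides.

```bash
#!/bin/bash
# Added example (not from the Barac guide): a scripted version of the checks
# above. Interface names, the traffic file path and the ETV host are
# assumptions; ETV_HOST must be the address Barac gives you.
MGMT_IF="${MGMT_IF:-ens192}"
CAP_IF="${CAP_IF:-ens224}"
TRAFFIC_FILE="${TRAFFIC_FILE:-$HOME/capture/traffic}"
ETV_HOST="${ETV_HOST:-}"
ETV_PORT="${ETV_PORT:-10519}"

# Succeeds if the file grows within $2 seconds, i.e. the collector is writing.
file_grows() {
  local f=$1 wait=$2 before after
  [ -f "$f" ] || return 1
  before=$(( $(wc -c < "$f") ))
  sleep "$wait"
  after=$(( $(wc -c < "$f") ))
  [ "$after" -gt "$before" ]
}

# Succeeds if a TCP connection to $1:$2 opens (the firewall lets 10519 out).
tcp_reachable() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Succeeds if the capture NIC carries no IPv4 address: it must not be
# addressable from the mirrored segment.
iface_has_no_ipv4() {
  [ -z "$(ip -4 -o addr show dev "$1" 2>/dev/null)" ]
}

# Number of frames tcpdump sees on $1 within $2 seconds (0 = SPAN not feeding).
frames_on() {
  sudo timeout "$2" tcpdump -i "$1" -nn -c 50 2>/dev/null | wc -l
}

# Number of packets leaving the management NIC for the ETV port in $1 seconds.
etv_packets() {
  sudo timeout "$1" tcpdump -i "$MGMT_IF" -nn -c 20 "tcp port $ETV_PORT" 2>/dev/null | wc -l
}

report() {
  local rc=0
  file_grows "$TRAFFIC_FILE" 10 && echo "PASS traffic file growing" || { echo "FAIL traffic file not growing"; rc=1; }
  iface_has_no_ipv4 "$CAP_IF" && echo "PASS $CAP_IF has no IPv4 address" || echo "WARN $CAP_IF has an IPv4 address"
  [ "$(frames_on "$CAP_IF" 10)" -gt 0 ] && echo "PASS frames seen on $CAP_IF" || { echo "FAIL nothing seen on $CAP_IF"; rc=1; }
  if [ -n "$ETV_HOST" ]; then
    tcp_reachable "$ETV_HOST" "$ETV_PORT" && echo "PASS $ETV_HOST:$ETV_PORT reachable" || { echo "FAIL $ETV_HOST:$ETV_PORT blocked"; rc=1; }
  fi
  [ "$(etv_packets 30)" -gt 0 ] && echo "PASS packets leaving on tcp/$ETV_PORT" || { echo "FAIL no traffic to tcp/$ETV_PORT"; rc=1; }
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then
  report
fi
```

Run it as ETV_HOST=<address from Barac> ./collector-check.sh --run; a non-zero exit means at least one FAIL line, which maps directly onto the manual checks above (file growth, SPAN feed, firewall rule, outbound transmission).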