Table of Contents
Installing the operating system
Uploading sandbox images to the server and performing the MD5 authentication
Configuring the traffic collection port and management port on the system
Deployment modes
Advanced threat detection (ATD) products can be widely used for intranet security defense in various large enterprises and institutions to provide full threat awareness and defense capabilities.
ATD products acquire traffic through switch traffic mirroring for analysis and detection, and then discover advanced malicious threats in the traffic. The deployment mode is shown in the following figure.
Figure 1 Standalone deployment
Data collection
Traffic mirroring
To let a monitoring device (such as an IDS product or a network analyzer) analyze the traffic of one or more network ports, configure the switch or router to forward the data from one or more ports (or VLANs) to a single port. This is called port mirroring. Port mirroring is an effective security method for network traffic monitoring: analyzing the mirrored traffic supports security checks and allows network failures to be located in a timely manner.
This function mirrors the monitored traffic to the monitoring port to locate failures, analyze traffic, back up traffic, etc. The monitoring port is usually directly connected to the monitoring host.
ATD products collect traffic through port mirroring. Configure port mirroring on the core switch so that the traffic of the collection port is mirrored to another port, and send the traffic from the specified port to the IP address of the ATD product on the monitoring host. Then configure port monitoring on the ATD system so that it receives the incoming packets and restores, analyzes, and detects them. Configure the traffic mirroring as two-way: one-way traffic mirroring can cause the sandbox to fail to parse packets. Packets encapsulated with a VLAN tag or VXLAN can be restored and parsed, but the VLAN information is not shown in the logs. Packets encapsulated with MPLS cannot be restored or parsed at present.
Figure 2 Sketch for port mirroring
Installing the operating system
Preparing for installation
Hardware configuration
Table 1 lists the hardware parameters for H3C ATD products.
Table 1 Recommended hardware parameters of ATD-A

| Item | ATD server |
|---|---|
| Model | ATD-A |
| CPU | 2*4110 (2.1 GHz/8-core/11 MB/85 W) |
| Memory | 128 GB |
| Drive | 3*4 TB SATA + 2*600 GB |
| Network adapter | 4-port GE copper port module (Intel i350 series) |
| RAID controller | Independent RAID controller, 2 GB cache, RAID-P460-M2 model |
| Remarks | Sandbox installation is supported only with Intel i350 series and Intel 82599 series network adapter chips |
Table 2 Recommended hardware parameters of ATD-E

| Item | ATD server |
|---|---|
| Model | ATD-E |
| CPU | 2*4114 (2.2 GHz/10-core/13.75 MB/85 W) |
| Memory | 192 GB |
| Drive | 6*4 TB SATA |
| Network adapter | 4-port GE copper port module, 2-port 10GE fiber port module |
| RAID controller | Independent RAID controller, 2 GB cache, RAID-P460-M2 model |
| Remarks | Sandbox installation is supported only with Intel i350 series and Intel 82599 series network adapter chips |
Table 3 Recommended hardware parameters of ATD-P

| Item | ATD server |
|---|---|
| Model | ATD-P |
| CPU | 2*4214 (2.1 GHz/12-core/16.5 MB/85 W) |
| Memory | 256 GB |
| Drive | 8*4 TB SATA |
| Network adapter | 4-port GE copper port module, 2-port 10GE fiber port module |
| RAID controller | Independent RAID controller, 2 GB cache, RAID-P460-M2 model |
| Remarks | Sandbox installation is supported only with Intel i350 series and Intel 82599 series network adapter chips |

CAUTION: Insert the network adapter into the server before the operating system is installed.
Other preparations
· Install an FTP client on the local PC, for example, Xftp.
· Install an SSH client on the local PC, for example, Xshell.
· Place the sandbox image package on the local PC.
Figure 3 Sandbox image file
· Place the sandbox image file (.iso) on the local PC. The file name is SecCenterCSAPATD-IMW31-E6802P06.iso.
Procedure
The procedure for installing a standard server is as follows.
Connecting the server
The server has been configured with an HDM management port IP address (192.168.1.2/24) before it left the factory. The default HDM Web login username is admin and the password is Password@_. Users can log in to the HDM Web interface directly with this default information.
1. Connect the PC with the server management port HDM through a network cable, and modify the IP address of the PC to any address in the 192.168.1.0/24 (except 192.168.1.2) subnet segment, such as 192.168.1.1. Start the browser on the PC, enter the IP address (192.168.1.2) in the address bar, and press Enter to go to the server Web login page. Enter the default username and password and click Log In to go to the 192.168.1.2 configuration page, as shown below.
Figure 4 HDM login page
2. If you modify the IP address of the HDM port, make sure you can ping the PC from the new IP address. Start the browser on the PC, enter the new IP address in the address bar, and press Enter. Enter the default username (admin) and password (Password@_) to log in to the server configuration page.
3. Select Information > Hardware Info to view the CPU information (including the number of cores), memory, storage, network adapter, and PCIe card of the server. Compare the actual server hardware parameters with the recommended hardware parameters in Hardware configuration to find models that fit, and select the corresponding procedure to configure the RAID array.
Figure 5 Hardware information comparison
4. Configure the Java environment on the PC. Select Control Panel > Java > Security > Edit Site List > Add to add the IP address of the HDM management system to the exception site in Java.
5. Select Remote Console in Remote Control. Click KVM to download the KVM file.
Figure 6 HDM remote console
6. Run the KVM file and open the control console as instructed.
7. Click Power > Force System Reset from the menu bar of the control console to reboot the server.
8. When the page below appears, press F7 to go to the boot menu page.
Figure 7 Server boot page
9. Select Enter Setup from this page.
10. Set Boot mode select to LEGACY and press F4 to save the settings and exit the page. Reboot the server.
Figure 8 Boot configuration page
Configuring a RAID array
NOTE: This documentation describes the RAID controller configuration on ATD-E products. The procedures for RAID controllers on other ATD products are similar, with only a few different parameters.
1. When the server is starting up and the page below appears, press Ctrl+A to go to the RAID settings. The shortcut keys for entering the RAID settings may vary on different servers. Follow the on-screen instructions.
Figure 9 Server boot menu page
2. When the page below appears, select Array Configuration, and press Enter to go to the next menu.
Figure 10 Controller settings
3. Select Create Array and press Enter to create an array.
Figure 11 RAID main menu
4. Use the arrow keys to move to a drive and press the space bar to select it; the selected drive is listed in the column on the right. Press Enter to go to the RAID parameter configuration page.

NOTE: In this step, select one 4 TB drive for ATD-A products, two 4 TB drives for ATD-E products, and three 4 TB drives for ATD-P products.
Figure 12 Selecting two drives to create RAID0
5. Enter the RAID parameter configuration page and set the following parameters. Select Done when the settings are complete. Press Enter to return to the main menu page.
Figure 13 Setting parameters
6. Use the arrow keys to select Create Array and press Enter to go to the array creation page.
Figure 14 RAID main menu
7. Use the arrow keys to move to a drive and press the space bar to select it; the selected drive is listed in the column on the right. Press Enter to go to the RAID parameter settings.

NOTE: In this step, select two 600 GB drives for ATD-A products, one 4 TB drive for ATD-E products, and one 4 TB drive for ATD-P products.
Figure 15 Selecting one drive to create RAID0
8. Enter the RAID parameter configuration page and set the following parameters. Select Done when the settings are complete. Press Enter to return to the main menu page.
Figure 16 Setting parameters
9. Use the arrow keys to select Create Array and press Enter to go to the array creation page.
Figure 17 RAID main menu
10. Use the arrow keys to move to a drive and press the space bar to select it; the selected drive is listed in the column on the right. Press Enter to go to the RAID parameter settings.

NOTE: In this step, select two 4 TB drives for ATD-A products, three 4 TB drives for ATD-E products, and four 4 TB drives for ATD-P products.
Figure 18 Selecting three drives to create RAID0
11. On the RAID settings page that opens, set the parameters as shown in the following figure. Then select Done and press Enter to return to the main menu.
Figure 19 Setting parameters
12. Press Exit to exit the RAID management page and a prompt "Exit Utility" appears. Select Yes and press Enter. The system reboots automatically.
Figure 20 Exiting the RAID management page
13. During the reboot, click Virtual Media > Virtual Media Wizard in the upper left corner of the page, and click Browse next to CD/DVD Media: I. Find the image file under the ISO file path, click Open, and mount the image file.
Figure 21 Mounting image on the virtual media page
14. When the ISO file is mounted using the built-in management port of the server, click Connect CD/DVD. Click the close icon after a successful connection, and wait for the server to reboot before installation begins.
15. During the reboot, when the page below appears, press F7 to go to the boot menu page. The shortcut key may vary on different servers. Follow instructions.
Figure 22 Boot menu page
16. When the page below appears, select AMI Virtual CDROM0 1.00 and configure it to a virtual CD-ROM drive. Press Enter to go to the installation page.
Figure 23 Setting a CD-ROM drive
17. The system enters the auto installation process. The process may last 1 to 1.5 hours, and manual intervention is not required.
Figure 24 Auto installation
Uploading sandbox images to the server and performing the MD5 authentication
1. Decompress all sandbox images on the PC and rename them to the ones shown in the figure below.
Figure 25 Decompressing and renaming the sandbox images
2. Open Xftp on the PC. As shown in the following figure, the PC and the server management port are directly connected through a network cable. Create a session to connect to the server, as shown below. The management port IP address of the host is 192.168.10.100. The default username is sftp and the default password is Admin@123. Click OK.
Figure 26 Default management port wiring on the server
Figure 27 Xftp login page
NOTE: On a standard server, as shown in Figure 26, the first port on the upper left is the default system management port, and the default system management IP address is 192.168.10.100. However, the eth port corresponding to it is not necessarily eth0.
3. Click Connect.
Figure 28 Connecting the session
4. Move all local sandbox image files to the KVM folder.
Figure 29 Uploading sandbox images
5. Enable the SSH service from the remote console.
Figure 30 Accessing H5 KVM
Add the hot key Ctrl+Alt+F2 to access the CLI terminal.
Figure 31 Accessing the CLI terminal
Enter the username (admin) and password (Admin@123). Execute the service sshd start command in the console mode to enable the SSH service.
Figure 32 Enabling the SSH service
6. When all sandbox image files are uploaded to the server, you can log in to the sandbox through the SSH protocol. The host IP address is 192.168.10.100, the username is admin, and the password is Admin@123. (This user can only log in to the sandbox through the SSH protocol and cannot log in to the graphic interface.)
Figure 33 Connecting the sandbox through the SSH protocol
7. Execute the md5sum command to perform the MD5 authentication on the sandbox images uploaded to the server. The MD5 value of each image file must match the value listed in Table 4 (renaming an image file does not change its MD5 value). After the check, remove any image file whose MD5 value does not match, and upload an image file whose MD5 value matches the one in the release document.
Table 4 MD5 values of the image files

| Image name | MD5 value |
|---|---|
| netway_new.qcow2_1.0.0.3 | d113987c74dddb5caf4fb8b2c14fe843 |
| Win64.qcow2_2.1.0.35 | 85d98c9e01791f2c58e6a7780de3ea64 |
| Windows7.qcow2_2.1.0.35 | a0eb46c48ab809279dbf6d9f3de3b584 |
| WEB.qcow2_3.1.0.20 | 917450af89d1fe9ae547e1dc8d2e2f44 |
| WindowsXP.qcow2_2.1.0.35 | 5d2986fdd07e9b215eadf51ae0bda0fa |
| Linux.qcow2_1.0.0.5 | 945ff97e3f02613b8d2bab51a1ee2aa9 |
Figure 34 MD5 authentication on image files
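Step 7 compares the md5sum output against Table 4 by eye. The following script is an added example (not part of the H3C documentation) that automates the check: it reads a manifest of expected digests, hashes each uploaded image with md5sum, and reports OK, MISMATCH or MISSING for every image. The image files, the manifest and its digests in the demo section are constructed stand-ins; on a real server the manifest would hold the Table 4 values and the directory would be the KVM folder.

```shell
#!/bin/sh
# Added example (not from the H3C guide): check uploaded sandbox images
# against a manifest of expected MD5 digests.
# Usage: verify_images MANIFEST DIR
#   MANIFEST lines look like "<image name> <expected md5>"; "#" starts a comment.
# Prints one status line per image and returns the number of images that are
# missing or whose digest differs, so a return value of 0 means all matched.
verify_images() {
    manifest=$1
    dir=$2
    failures=0
    while read -r name expected; do
        # skip blank lines and comments in the manifest
        [ -z "$name" ] && continue
        case $name in "#"*) continue ;; esac
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        # md5sum prints "<digest>  <path>"; keep only the digest field
        actual=$(md5sum "$file" | cut -d ' ' -f 1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name expected=$expected actual=$actual"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    return "$failures"
}

# Constructed demo: two tiny stand-in "images" (both contain the text "hello")
# and a manifest with one correct digest, one wrong digest and one image that
# was never uploaded. A real run uses the Table 4 values instead.
demo_dir=$(mktemp -d)
printf 'hello' > "$demo_dir/Win64.qcow2_2.1.0.35"
printf 'hello' > "$demo_dir/Linux.qcow2_1.0.0.5"
cat > "$demo_dir/manifest.txt" <<'EOF'
# constructed digests for the demo, not the release manifest
Win64.qcow2_2.1.0.35 5d41402abc4b2a76b9719d911017c592
Linux.qcow2_1.0.0.5 00000000000000000000000000000000
WEB.qcow2_3.1.0.20 ffffffffffffffffffffffffffffffff
EOF
verify_images "$demo_dir/manifest.txt" "$demo_dir" || echo "images to re-upload: $?"
```

Any image reported as MISMATCH or MISSING is the one to delete and upload again before continuing with the authorization steps.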
System authorization
1. Open Google Chrome on your PC, enter the management IP address (192.168.10.100) in the address bar. Enter the default administrator username (admin) and password (Admin@123), and click Log In.
Figure 35 H3C ATD login page
2. Change the password as instructed.
Figure 36 Changing the password
3. Log in again and go to the authorization page to record the server ID.
Figure 37 Authorization page
4. Authorize the server according to the application and registration guide for license activation and import the generated activation code to the server.
Configuring the traffic collection port and management port on the system
1. When the server is authorized, open Google Chrome on your PC, and enter the default management IP address (192.168.10.100) in the address bar. Enter the administrator username and password, which are admin and Admin@123 by default (after login with the default username and password, you need to change the password and log in to the system again). Then click Log In.
Figure 38 System login page
2. Before configuring the traffic collection port, make sure that the server is connected to a network cable and that the indicator on the network adapter is on. After installation, access the sandbox back end through the SSH protocol. Enter the username (admin) and password (Admin@123) and execute the ip a command to view the eth ports that are in the UP state. As shown in the figure below, the eth0, eth1, and eth2 ports are in the UP state.
Figure 39 Viewing the status of network ports
3. Click Configuration > System Configuration to view the eth port that corresponds to the management port on the current network configuration page. Select the traffic collection ports from the eth ports that are in the UP state in Figure 39. Since the eth0, eth1, and eth2 ports are in the UP state (as shown in Figure 39) and the management port is eth2 (as shown in Figure 40), select the eth0 and eth1 ports as the traffic collection ports. Click Save.
Figure 40 Configuring the traffic collection port
4. Select Configuration > System Configuration > Network Configuration and configure the management ports and their IP addresses according to the actual situations.
5. Select Configuration > System Configuration > Device Operation and click Device Restart. When the device is rebooted and running, the sandbox installation is complete.