Cisco Cyber Vision For The AWS Cloud Installation Guide


Cisco Cyber Vision for the AWS Cloud
Installation Guide
1.0.0, 12 August 2021
Cisco Systems, Inc.

Total pages: 44
Owner: Cisco IoT
Author: Walid Boudaa, Juliette Maffet

Trademark Acknowledgments
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Publication Disclaimer
Cisco Systems, Inc. assumes no responsibility for errors or omissions that may appear in this publication. We reserve the right to change this publication at any time without notice. This document is not to be construed as conferring by implication, estoppel, or otherwise any license or right under any copyright or patent, whether or not the use of any information in this document employs an invention claimed in any existing or later issued patent. A printed copy of this document is considered uncontrolled. Refer to the online version for the latest revision.

Copyright 2021 Cisco and/or its affiliates. All rights reserved.
Information in this publication is subject to change without notice. No part of this publication may be reproduced or transmitted in any form, by photocopy, microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, for any purpose, without the express permission of Cisco Systems, Inc.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Contents

1 About this documentation
  1.1 Document purpose
  1.2 Warnings and notices
2 Getting started
  2.1 Overview
  2.2 Prerequisites
  2.3 Supported features
  2.4 Limitations
  2.5 Configure the AWS environment
  2.6 Create Elastic IPs
3 Deploy the Cisco Cyber Vision Center
  3.1 Create and configure the instance
  3.2 Allocate an Elastic IP to the instance
  3.3 Cisco Cyber Vision Center setup
    3.3.1 Open an SSH connection from AWS
    3.3.2 Basic Center configuration
4 Connect to the Center
  4.1 Using the GUI
  4.2 Using the console
  4.3 Install Cisco Cyber Vision
5 Deploy sensors
6 Annex – Setup Center json file

1 About this documentation

1.1 Document purpose

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you define. This virtual network closely resembles a traditional network that might operate in your own data center, with the benefits of using the scalable infrastructure of AWS. This document explains how to deploy Cisco Cyber Vision Virtual on AWS.

This manual is applicable to system version 4.0.0.

1.2 Warnings and notices

This manual contains notices you have to observe to ensure your personal safety as well as to prevent damage to property.

The notices referring to your personal safety and to your property damage are highlighted in the manual by a safety alert symbol described below. These notices are graded according to the degree of danger.

WARNING
Indicates risks that involve industrial network safety or production failure that could possibly result in personal injury or severe property damage if proper precautions are not taken.

IMPORTANT
Indicates risks that could involve property or Cisco equipment damage and minor personal injury if proper precautions are not taken.

Note
Indicates important information on the product described in the documentation to which attention should be paid.

2 Getting started

2.1 Overview

AWS is a collection of remote computing services offered by Amazon.com, also called web services, that make up a cloud-computing platform. These services operate from 11 geographical regions across the world.

In general, the user should become familiar with the following AWS services when deploying Cisco Cyber Vision Center and Cisco Cyber Vision Global Center:

- Amazon Elastic Compute Cloud (EC2)
  A web service that enables you to rent virtual computers to launch and manage your own applications and services, such as a Cisco Cyber Vision Center, in Amazon's data centers.
- Amazon Virtual Private Cloud (VPC)
  A web service that enables you to configure an isolated private network that exists within the Amazon public cloud. You run your EC2 instances within a VPC.
- Amazon Simple Storage Service (S3)
  A web service that provides you with a data storage infrastructure.

You create an account on AWS, set up the VPC and EC2 components (using either the AWS Wizards or manual configuration), and choose an Amazon Machine Image (AMI) instance. The AMI is a template that contains the software configuration needed to launch your instance.

Note
The AMI images are not available for download outside of the AWS environment.

2.2 Prerequisites

- An Amazon account.
- An SSH client (required to access the Cisco Cyber Vision Center console).
- Communication path: public/elastic IPs for access to the Cisco Cyber Vision resources.
- An AMI available for Cisco Cyber Vision instance.
- An Elastic IP (the default public IP changes after a reboot, which can cause an issue for sensors).
- The minimum configuration to run and test the product is 8 vCPU and 16GB RAM.
- SSD disks are mandatory.

2.3 Supported features

- Center
- Center with sync
- Global Center

2.4 Limitations

The following features or hardware are not supported:

- Dual interface Centers.
- Sensors using the sensor management extension.
- Cisco IC3000 SSH access from Center.

Note
For details about Center resources, refer to the Cisco Cyber Vision VM Installation Guide.

2.5 Configure the AWS environment

To deploy Cisco Cyber Vision on AWS you need to configure an Amazon VPC with your deployment-specific requirements and settings. In most situations, a setup wizard can guide you through your setup. AWS provides online documentation where you can find useful information about the services ranging from introduction to advanced features. Refer to d/ for more information.

2.6 Create Elastic IPs

When an instance is created, a public IP address is associated with the instance. That public IP address changes automatically when you stop and start the instance. To resolve this issue, assign a persistent public IP address to the instance using Elastic IP addressing. Elastic IPs are reserved public IPs that are used for remote access to the Cisco Cyber Vision as well as other instances.

1. Access your Amazon account.
2. Navigate to Services > EC2.

3. Under Network & Security, click Elastic IPs.
4. Click Allocate Elastic IP address.

5. Click Allocate to create the Elastic IP.

6. Check the new Elastic IP out.

3 Deploy the Cisco Cyber Vision Center

3.1 Create and configure the instance

1. Go to Amazon Web Services (https://aws.amazon.com) and sign in.
2. Navigate to Services > EC2.
3. Click Launch Instance.
4. Click Launch Instance again.

5. Choose your Cisco Cyber Vision AMI from the AWS Marketplace and click Select.

Note
In the example above, the image is mapped with sample AMIs. Those images are for internal use. You will find the image in the AWS marketplace using the keyword "Cisco Cyber Vision". The correct version to use should appear.

6. Choose the instance type from the available list and click Next.

Supported instance families

- C5, C5a, C5ad, C5d, C5n, C6g, C6gd
- M5, M5a, M5ad, M5d, M5dn, M5n, M5zn, M6g, M6gd
- R5, R5a, R5ad, R5d, R5dn, R5n, R6, R6gd
- T3, T3a, T4g
- Z1d

VM sizing

Minimum – up to 500 components:
- CPU: Intel Xeon, 8 cores
- RAM: 16GB minimum
- Storage: 500GB SSD

Recommended:

For 10,000 components w/o Center DPI:
- CPU: Intel Xeon, 10 cores
- RAM: 32GB minimum
- Storage: 1TB SSD minimum, RAID-10

For more than 10,000 components or Center DPI:
- CPU: Intel Xeon, 16 cores
- RAM: 64GB minimum
- Storage: 1TB SSD minimum, RAID-10

1. Configure instance details.
2. Choose the VPC and the subnet network.
3. The public IP address should be disabled. An Elastic IP will be associated to the Cisco Cyber Vision instance to avoid any Dynamic public IP issues. The Public IP address association will be described later in this section.
4. Depending on the Center type you can fill the Advanced Details > User data part at the bottom of Configure Instance Details menu.
   If a JSON file is used to specify the type of the Center, this step will be skipped during the installation.

- To deploy a Center, leave the textbox empty.
- To deploy a Center with sync, the minimal configuration is:
  {"center-type": "Local Center"}
- To deploy a Global Center, the minimal configuration is:
  {"center-type": "Global Center"}

For all json parameters, refer to Annex – Setup Center json file.

5. Click Next: Add Storage.
6. If needed, click the button to add a new volume.

Note
Make sure to set up the correct disk size as this information will remain and cannot be modified.
Do not use the Magnetic (Standard) for Volume Type.
Default type will be SSD.

7. You can add tags to identify resources internally on AWS.

8. AWS firewall settings
   Add the rules that provide access from users or other resources to the Center. List of the ports that need to be added:

   For Global Center -- Center:
   - log: UDP/TCP 514
   - SSH: TCP/22

   For CS workstation/ntp server -- Center:
   - UDP/123

   For Sensor -> Center communication:

   Protocol   Port
   AMQP       TCP/5671
   Syslog     UDP/10514

Example of a security configuration:

1. Review your settings and click Launch.

2. Select or create a new key pair for the SSH connection.
3. Click Download Key Pair. A file called YOURKEYPAIRNAME.pem will be downloaded.
4. Then, click Launch Instance.
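The port list from the AWS firewall settings step can be compared with the security group that was actually attached to the instance. This is an added example, not part of the Cisco guide: it audits rules in the JSON shape returned by `aws ec2 describe-security-groups`. The sample group, its CIDRs, the finding names and the tcp/443 entry (implied by the https:// URLs used to reach the Center) are assumptions.

```python
import ipaddress
import json

# (protocol, port) pairs from the guide's firewall list. tcp/443 is an
# assumption: it is implied by the https:// URLs used to reach the Center.
LISTED = {
    ("tcp", 514), ("udp", 514),   # Global Center -- Center log
    ("tcp", 22),                  # SSH
    ("udp", 123),                 # NTP server -- Center
    ("tcp", 5671),                # AMQP, sensor -> Center
    ("udp", 10514),               # Syslog, sensor -> Center
    ("tcp", 443),                 # web UI (assumed, see above)
}
ADMIN = {("tcp", 22), ("tcp", 443)}  # interfaces meant for operators only

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; the group ID and all CIDRs are made up for this example.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 5671, "ToPort": 5671,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "udp", "FromPort": 10514, "ToPort": 10514,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
   "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
]}]}
""")


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group):
    """Return (finding, rule, cidrs) tuples for one security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if proto == "-1":  # AWS notation for all protocols and all ports
            findings.append(("ALL_TRAFFIC", "all", cidrs))
            continue
        if proto not in ("tcp", "udp"):
            findings.append(("UNLISTED_PROTOCOL", proto, cidrs))
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        rule = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
        if lo != hi:
            # A range is wider than any single listed port, even if it
            # happens to contain one (5000-6000 contains 5671).
            findings.append(("PORT_RANGE", rule, cidrs))
        elif (proto, lo) not in LISTED:
            findings.append(("UNLISTED_PORT", rule, cidrs))
        exposes_admin = any(p == proto and lo <= n <= hi for p, n in ADMIN)
        world = [c for c in cidrs if is_world(c)]
        if exposes_admin and world:
            findings.append(("ADMIN_OPEN_TO_WORLD", rule, world))
    return findings


if __name__ == "__main__":
    for sg in SAMPLE["SecurityGroups"]:
        for finding in audit_group(sg):
            print(sg["GroupId"], *finding)
```
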

3.2 Allocate an Elastic IP to the instance

1. Click View Instances.
2. Choose your instance in the instances list and copy your instance ID.

3. Go to Elastic IP.
4. Click the created Elastic IP.

5. Click Associate Elastic IP address.
6. Tick Instance.
7. Paste the instance ID previously copied.
8. Type the private IP address of the created Center.
9. Click Associate.

3.3 Cisco Cyber Vision Center setup

3.3.1 Open an SSH connection from AWS

1. Go to instances to check the information of the created machine.

The key previously created or chosen will be automatically added to /data/etc/ssh/userkey/root.

Note
It is possible to add multiple keys to that file if access is needed from another device that is not using the same certificates as the installed one.

This key is downloaded locally or already exists.

Please follow the steps below to connect using SSH and finalize the installation.

2. In the AWS EC2 management console, click Instances (1).
3. Choose the needed instance and click the Connect button (2).

4. Access the SSH Client menu (3) and follow the steps described in it.

5. Copy and paste the example (4) into the ssh client and replace the ‘root’ with ‘cvadmin’, like below:
   ssh -i wbo.pem onaws.com
6. Once connected to the Center, type the following command:
   sudo -i
7. Type the following command:
   setup-center
8. Press enter.

The basic Center configuration appears.

3.3.2 Basic Center configuration

3.3.2.1 Access the basic Center configuration

The Center wizard is displayed on your screen as you power on the Center. Enter Start to start configuring the Center.

3.3.2.1 Accept the End User License Agreement

3.3.2.1 Select the language to match your keyboard

Note
By default, the system is configured to work with a US QWERTY keyboard.

3.3.2.1 Select the Center type

During this procedure you will choose which type of Center to install. There are three types of Centers:

- A standalone Center receives metadata from sensors and stores them in an internal database (PostgreSQL). To safeguard the data collected from the industrial network and ensure maximum reliability, the Center includes a RAID storage array. It also includes redundant internal cooling fans (x3) and dual hot-swappable power supplies.
- A Center with sync, or Center with Global Center, is similar to a (standalone) Center from a functionality point of view, except for the database structure and the mechanism to reach a Global Center. You must install Centers with sync after the Global Center. This will enable your system to start enrollment and start pushing events to it.
- A Global Center introduces a centralized architecture which collects all industrial insights and events from Centers with Global Center and aggregates them into a single global point of view. It will also allow you to manage the knowledge database (KDB) and upgrade the whole platform.

Select the type of Center you want to install.

Center

If installing a Center, select the first option.

As this step does not apply to a Center without Global Center, select No.

You will be directed to the step Give the Center a name.

Center with sync

If installing a Center managed by a Global Center, select the second option.

The next step is to set the Center id. It can be used in case of Center restoration to reuse the same id previously set in the Global Center. Thus, some data can be retrieved.

If you're installing the Center for the first time, this id will be automatically generated. Select No. You will be directed to the step Give the Center a name.

If you're reinstalling the Center and want to restore it, select Yes.

Use the following command from the Global Center's CLI to get a list of all Center ids:

sbs-db exec "select name, id from center"

Type the id into the basic Center configuration UUID field.

Click OK. You will be directed to the next step Give the Center a name.

Global Center

If installing a Global Center, select the third option.

As this step does not apply to a Global Center, select No.

You will be directed to the step Give the Center a name.

3.3.2.1 Configure the Center's DNS

Type a DNS server address and optional fallbacks.

3.3.2.1 Synchronize the Center and the sensors to NTP servers

Enter IP addresses of local or remote NTP servers (gateway configuration needed) to synchronize the Center and the sensors with a clock reference. Each address must be separated by a space.

Optionally, add a key ID and an AES A28 CMAC key value separated by a semicolon with the corresponding NTP server.

The synchronization takes a few seconds.

Check that the time is correct, or set the time manually.

Note
The time is set in the UTC standard.

3.3.2.1 Configure the sensors' password

As this step does not apply when installing a Global Center, the following screens won't be displayed. Instead, you'll be directed to Authorize networks.

However, if you're installing a Center, proceed as below.

The sensors' root password must be set for security reasons.

This password will be assigned once you have enrolled the sensors on the Center. You will need this password for troubleshooting, diagnostics, and updates.

Confirm the password.

3.3.2.1 Authorize networks

This step allows you to restrict IP addresses that can connect to the Administration interface. If no IP is entered, all networks are authorized by default.

3.3.2.1 Set DHCP

1. If the following message appears, select OK.

2. Select DHCP.

3.3.2.1 Complete the basic Center configuration

Next is the last screen of the basic Center configuration. It reminds you of the addresses to use to download the CA certificate and access Cisco Cyber Vision. Save these addresses somewhere; you will need them later to access the user interface.

Enter OK to finish the basic Center configuration.

Close the Center configuration window before proceeding with the next steps of Cisco Cyber Vision configuration.

To proceed with the Cisco Cyber Vision configuration, open your browser and go to the URL previously indicated to access the user interface.

Note
Each Cisco Cyber Vision Center includes its own PKI (Public Key Infrastructure), with a CA (Certification Authority), that will be used to establish the TLS connection with the sensors and to clients. The CA must be installed on each client browser (see the following chapters).

4 Connect to the Center

You can connect to the Center:

- Using the GUI.
- Using the console.

4.1 Using the GUI

The Public IP address and FQDN of your instance will be available on the Instance summary page:

1. In your browser, use the public IP address or the FQDN to download and save the certificate:
   https://<Public IPV4 address>/ca/crt
   https://<Public IPV4 DNS>/ca/crt
2. In your browser, use the following address to access Cisco Cyber Vision:
   https://<CENTERNAME>/.

You can proceed with Cisco Cyber Vision installation.

4.2 Using the console

You can connect to the Center using the AWS serial console.

Note
Serial Console is only supported in the following AWS Regions:
US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Ireland), Europe (Frankfurt), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Singapore).

To use the serial console, click Actions > Monitor and troubleshoot > EC2 Serial Console.

The root password by default will be the instance ID of the Center you created.

Supported instance families:

- A1
- C5, C5a, C5ad, C5d, C5n, C6g, C6gd
- M5, M5a, M5ad, M5d, M5dn, M5n, M5zn, M6g, M6gd
- R5, R5a, R5ad, R5d, R5dn, R5n, R6, R6gd
- T3, T3a, T4g
- Z1d

4.3 Install Cisco Cyber Vision

Access the Cisco Cyber Vision installation wizard:

With your browser, access https://<CENTERNAME>/.

Note
Accessing the Center by its name allows you to use the HTTPS secure interface. This requires a DNS or local host configuration to associate the name and the IP address. Access to the Center through its IP address is possible, but the connection is not secure.

The setup wizard used for the first access to Cisco Cyber Vision is displayed:

Create an admin account:

Enter the information required.

Note
Email will be asked for login access.
Passwords must contain at least 6 characters and comply with the rules below.

Passwords:
- Must contain a lower case character: a-z.
- Must contain an upper case character: A-Z.
- Must contain a numeric character: 0-9.
- Cannot contain the user id.
- Must contain a special character: !"# %&’()* ,-./:; ?@[] { }.

IMPORTANT
Passwords should be changed regularly to ensure the platform and the industrial network security.

Note
You can reset users using the following command in the Center's CLI:

sbs-db reset-users

Accept the software license agreement:

Finish the installation:

The Center is now correctly installed and Cisco Cyber Vision is ready to operate. Click Start to Explore.

Cisco Cyber Vision installation is now complete.

If you were installing a standalone Center, you can start installing the sensors by referring to the Cisco Cyber Vision Sensor Installation Guides.

If you are installing a Global Center or a synchronized Center, proceed with Configure data synchronization.

5 Deploy sensors

Under standard conditions:

- No tunnels are configured.
- Both switches and sensors have internet access.

The deployment procedure is the same as described in the sensor installation guides. The only difference is that the Center's public IP address must be specified in the menu below:

6 Annex – Setup Center json file

keys:
  SSH public keys to add in the authorized keys.
dns:
  DNS used by Cisco Cyber Vision. If not specified, Cisco Umbrella is used by ble or not DHCPD on the Collection network interface. Accepts "true" or "false" as string.
single-interface:
  Deploy Cisco Cyber Vision in single interface mode. Default mode on AWS.
center-type:
  Type of Cisco Cyber Vision Center to deploy: Standalone (default), Local Center or Global Center.
center-id:
  Specify Center ID. If not provided, a new one is generated at first boot.
fqdn:
  FQDN to access the Cisco Cyber Vision web application. Public IPv4 DNS on AWS is used by default.
ipset:
  Configure allowed networks. 169.254.0.0/16 and 0.0.0.0/0 (all networks) are used by default.

Examples:

- To deploy a standalone Center, leave the textbox empty.
- To deploy a Local Center, the minimal configuration is:
  {"center-type": "Local Center"}
- To deploy a Global Center, the minimal configuration is:
  {"center-type": "Global Center"}
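A user data document can be checked before it is pasted into the Advanced Details > User data box. This is an added example, not part of the Cisco guide: it parses the text as strict JSON (which rejects a trailing comma after the last key; whether the Center's own parser tolerates one is not stated in the guide), validates center-type against the annex, and reports when ipset is missing or includes all networks. The finding names, the UUID check on center-id (inferred from the wizard's UUID field) and the accepted ipset value format are assumptions.

```python
import ipaddress
import json
import uuid

CENTER_TYPES = {"Standalone", "Local Center", "Global Center"}  # from the annex


def check_user_data(text):
    """Return (code, detail) findings for a user data string."""
    try:
        cfg = json.loads(text) if text.strip() else {}  # empty box = defaults
    except json.JSONDecodeError as exc:
        return [("INVALID_JSON", f"line {exc.lineno}, column {exc.colno}")]
    if not isinstance(cfg, dict):
        return [("NOT_AN_OBJECT", type(cfg).__name__)]

    findings = []
    ctype = cfg.get("center-type", "Standalone")
    if ctype not in CENTER_TYPES:
        findings.append(("BAD_CENTER_TYPE", repr(ctype)))

    # Assumption: the Center ID is a UUID, as the wizard's UUID field suggests.
    cid = cfg.get("center-id")
    if cid is not None:
        try:
            uuid.UUID(cid)
        except (ValueError, TypeError, AttributeError):
            findings.append(("BAD_CENTER_ID", repr(cid)))

    nets = cfg.get("ipset")
    if nets is None:
        # Per the annex, 0.0.0.0/0 (all networks) is allowed by default.
        findings.append(("IPSET_DEFAULT_ALL", "0.0.0.0/0 applies by default"))
        return findings
    # Assumption: a list of CIDR strings or one space-separated string.
    if isinstance(nets, str):
        nets = nets.split()
    if not isinstance(nets, list):
        return findings + [("BAD_NETWORK", repr(nets))]
    for item in nets:
        try:
            if not isinstance(item, str):
                raise ValueError("not a string")
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(("BAD_NETWORK", repr(item)))
            continue
        if net.prefixlen == 0:
            findings.append(("IPSET_ALL_NETWORKS", str(net)))
    return findings


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for doc in ('{"center-type": "Local Center",}',
                '{"center-type": "Global Center", "ipset": ["203.0.113.0/24"]}'):
        print(doc, "->", check_user_data(doc))
```
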
