Blackridge Virtual Gateway Installation And Configuration Guide


BlackRidge Technology
Transport Access Control (TAC)
Model 2010 Virtual Gateway
R4.2.1 Installation and Configuration Guide
Part No. VTAC-INSTCONF-00042-01-04
Revision 1.4, March 2019

Preface . 7
From the Publisher . 7
About This Guide . 8
Who Should Use This Guide . 9
How This Guide is Organized . 10
Typographical Conventions . 12
SECTION I - Installing BlackRidge TAC Virtual Gateways . 13
BlackRidge TAC Virtual Platform Appliances . 14
Installation and Configuration Task Map . 15
Sample Deployment Requirements . 16
ESX Network Topology . 17
ESXi 5.x and 6.x Virtual Machine and Host Requirements . 19
TAC Virtual Machine Port Definitions and Functions . 20
Defining VMware Virtual Switching . 22
Virtual Switch Concepts and the BlackRidge Appliance . 22
Promiscuous Mode Options and Best-Practice Configuration . 23
Task: Create Virtual Switches . 24
vSwitch Configuration for the Blackridge Data Center . 25
vSwitch Configuration Blackridge Branch . 29
Installing Virtual Appliances . 32
Deploy Gateway OVA Templates . 32
Reserve Guest Memory . 34
Attaching the VMs to Virtual Switches . 35
Task: Connect the BlackRidge 2010 TAC Gateway (Data Center) . 35
Task: Connect the BlackRidge 2010 TAC Gateway (Branch) . 38
Task: Connect the Test VMs to Network Topology . 40

Task: Connect the Protected Resources to BlackRidge 2010 TAC Gateway (Data Center) . 41
Task: Connect the Trusted Host(s) to BlackRidge 2010 TAC Gateway (Branch) . 42
Accessing the BlackRidge 2010 Virtual TAC Gateways . 44
Task: Power on the Gateways . 44
Task: Connect the Administration Console . 44
Logging into the BlackRidge 2010 Virtual TAC Gateways . 46
Enabling the BMC and BEM WebUI Interface (Optional) . 47
SECTION II - Configuring the Management Interface . 48
The TAC Gateway Management Interface . 49
Introduction, Terminology, and Definitions . 49
Executing the Setup Wizard on the BlackRidge TAC Gateways . 50
Task: Log into the BlackRidge 2010 TAC Gateway (Branch) . 50
Task: Agree to the Terms of the License Agreement . 50
Task: Execute the Setup Wizard on the Gateway . 51
Task: Change the Administrator Password . 51
Sample Attributes for Configuring the Management Ports for the TAC Gateway(s) . 52
Task: Configure the Management Port for the TAC Gateway(s) . 53
Task: Create a Host Name for the Gateway . 54
Task: Configure Date and Time . 54
Task: Configure the NTP Server(s) . 55
Task: Complete the Initial Configuration . 55
Executing the Setup Wizard on Additional BlackRidge TAC Gateways . 56
Task: Log into the BlackRidge 2010 TAC Gateway (Data Center) . 56
Task: Agree to the Terms of the License Agreement . 56
Task: Execute the Setup Wizard on the Gateway . 57
Task: Change the Administrator Password . 57

Sample Attributes for Configuring the Management Ports for the TAC Gateway(s) . 58
Task: Configure the Management Port for the TAC Gateway(s) . 59
Task: Create a Host Name for the Gateway . 60
Task: Configure Date and Time . 60
Task: Configure the NTP Server(s) . 61
Task: Complete the Initial Configuration . 61
Accessing the Management Port with PuTTY and SSH . 62
Optional CLI Commands for Configuring the Management Interface . 64
Configure DHCP Network Settings for the Management Port . 64
cfg (static IP) - Configure IPv4 Network Settings for the Management Port . 66
cfg - Configure DNS . 67
show - Show DNS Settings . 68
cfg - Configure Hostname . 69
Validating the Initial Configuration of the TAC Gateway . 70
Task: Set CLI Timeout and Pager Control . 70
Task: Verify Management Network Settings . 71
Task: Ping the Router for the Gateway . 71
Task: Verify DNS Configuration . 72
Task: Ping the DNS Server . 72
Task: Ping an Internal Host by Domain Name . 73
Task: Ping an External Host by Domain Name . 74
Task: Verify NTP Host Configuration . 74
Task: Verify Communication with the NTP Hosts . 75
Task: Verify Correct Date and Time . 75
Task: Verify the Software Version . 76

Changing Transport Access Control (TAC) Mode of Operation . 77
Task: Display TAC Mode . 78
Task: Set TAC Mode as “monitor” . 78
SECTION III - Configuring BlackRidge TAC Certificates . 79
Introduction, Terminology and Definitions . 80
Certificates and PKI . 80
Generate Keys . 81
Generate CSR . 81
Submit CSR to CA . 81
Subject - Additional OU Values . 83
Subject Field String Lengths . 84
Additional References on the Subject Field . 84
Setting the Subject Alternative Name . 85
Best Practice . 85
TAC Endpoint, Identity Agent, or Trust Level Client . 85
Gateway or BEM . 86
Provisioning Keys and Certificates on a TAC Gateway . 89
Replacing a Certificate . 89
Initiating a BlackRidge Certificate Signing Request (CSR) . 89
Task: Generate BlackRidge TAC Gateway Keys . 90
Task: Generate a Certificate Signing Request (CSR) . 91
Task: Submit the CSR to the CA . 93
Task: The CA Signs the CSR . 94
Importing Certificates into the TAC Gateway . 95
Task: Import the Root and Intermediate Certificates . 95
Task: Import the BlackRidge TAC Gateway Certificates . 96

Verifying the Certificates Were Successfully Imported . 97
Task: Verify the BlackRidge TAC Gateway Certificates . 97
SECTION IV - Configuring BlackRidge TAC Gateways for Layer2 Endpoint Protection . 98
Layer2 Endpoint Protection . 99
Introduction, Terminology, and Definitions . 99
Distributed Identities — Administration Concepts . 100
Distributed Identities — Major Components . 101
Configuring Distributed Identities . 103
Defining a Protected Resource(s) and Rule(s) . 104
Topology for Two IPv4 Network Endpoints with Distributed Identities . 106
Distributed Identity Definitions for BRGWDC-1 . 107
Distributed Identities — Operational Context for Protected Resources . 108
Task: BRGWDC-1 – Configure a Protected Resource . 110
Task: BRGWDC-1 – Configure a Rule . 110
Task: BRGWDC-1 – Configure Publisher-Subscriber Service . 111
Defining an Identity . 112
Distributed Identities Definitions for BRGWBranch-1 . 113
Distributed Identities — Operational Context for Trusted Hosts . 115
Task: BRGWBranch-1 – Configure Distributed Identities . 116
Task: BRGWBranch-1 – Add an Identity . 116
Configure ‘enforce’ Transport Access Control (TAC) Mode of Operation . 118
Task: Display TAC Mode . 118
Task: Set the TAC Mode as “enforce” . 119
Congratulations . 122

Copyright 2019 BlackRidge Technology, Inc. All rights reserved.

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BlackRidge Technology Inc. Documentation is provided as is without warranty of any kind, either expressed or implied, including any kind of implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

BlackRidge Technology Inc. reserves the right to change any products described herein at any time and without notice. BlackRidge Technology Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by BlackRidge Technology Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights or any other intellectual property rights of BlackRidge Technology Inc.

Document Part Number: VTAC-INSTCONF-00042-01-04

Preface

From the Publisher

The Technical Publications group at BlackRidge Technology, Inc. is committed to providing you timely, accurate technical product documentation that is both instructive and easy-to-use.

To that end, we apply our internal resources to design and develop comprehensive technical content to support the installation, configuration and deployment of our product line, and to test the quality and utility of each product document before releasing to our customers.

Unfortunately, no internal process based on people is perfect. There may be occasions when an error gets by our internal quality assurance process and appears in a released document. We apologize in advance if this document has such an error(s).

We would, however, appreciate your help in notifying us in the event you discover any errors—grammatical or otherwise—by identifying the error(s) and its location in the document, and sending it in an e-mail to: techpubs@blackridge.us.

We also welcome any recommendations you might have that would enhance or improve the overall utility of our technical product documentation suite. Your contributions can make a difference in our efforts to reach and maintain the goal of error-free, easy-to-use technical product documentation.

Thank you in advance —
Technical Publications, BlackRidge Technology, Inc.

About This Guide

The BlackRidge 2010 Virtual TAC Gateway is a network-based, virtualized security appliance. There are initial tasks that must be performed to install and configure the Virtual TAC Gateway(s) for network access and basic operation.

This document contains the instructions for installing and configuring BlackRidge 2010 Virtual TAC Gateways.

The instructions are divided into several categories, each of which contains one or more basic tasks to perform. These tasks are designed to simplify the overall process of setting up your gateway(s) to be operational and connected to the network to implement a basic configuration for network endpoint protection.

This Installation and Configuration Guide provides guidance in the following procedures:
- Identifying resource requirements
- Selecting resources to trust and protect
- Designing a network topology
- Connecting the gateways
- Setting up a serial connection to the gateways
- Logging into the gateway with administrative control
- Executing the Setup Wizard
- Completing the Certificate Signing Request (CSR) process
- Validating initial setup and network connectivity
- Configuring BlackRidge Transport Access Control (TAC)

For more detailed instructions on commands referenced in this document, please see the R4.2.1 Command Reference Guide.

Who Should Use This Guide

This guide is intended for experienced VMware systems and networking IT professionals who are responsible for the installation and configuration of the BlackRidge 2010 Virtual TAC Gateways.

How This Guide is Organized

Section I – Installing BlackRidge TAC Virtual Gateways introduces BlackRidge TAC virtual platform appliances. It presents a high-level map of the administrative tasks that are performed during the initial installation and setup of TAC virtual gateway appliances. It provides a sample network topology based on a pre-defined use case and the resources that are required to architect it. Each port on the BlackRidge TAC Gateway is uniquely identified with a description of its function.

The fundamental concepts of VMware virtual switching, and how they apply to configuring the BlackRidge 2010 Virtual TAC Gateways, are provided. Detailed configuration steps to install, attach and connect the virtual machines to the virtual switches follow.

Once completed, the BlackRidge 2010 Virtual TAC Gateways can be powered up, and the console (e.g., the virtual serial connection) configured to establish login and administrative access to it.

Section II – Configuring the Management Interface introduces the Management interface to the BlackRidge TAC virtual gateway appliances. It contains sample screen captures of executing the Setup Wizard, the interactive configuration script that is used to define the properties of the Management interface.

The Setup Wizard is not the only method available to define or configure the network attributes of the Management interface. There are optional commands, which are included in this section, that can be executed via the command line interface (CLI) to define the same attributes that are configured with the Setup Wizard.

Once the initial configuration has been set, it should be tested or validated for its accuracy in reflecting the requirements of the local environment. This is accomplished through a series of CLI commands, which are included in this section, that comprise a set of installation verification tasks to ensure that each BlackRidge TAC virtual gateway has been configured according to the administrator’s expectations, and that it is network addressable and accessible.

This section concludes with information describing two of the three Transport Access Control modes of operation, and the guidance for selecting the mode based on the operational context.

Section III – Configuring BlackRidge TAC Certificates introduces the requisite procedure for initiating a BlackRidge Technology Certificate Signing Request (CSR). This section provides instructions for generating the BlackRidge TAC Gateway keys and the CSR; uploading the CSR to BlackRidge Technology Support; unpacking the signed certificate from BlackRidge Technology Support; and loading and validating the signed certificate from BlackRidge Technology on each BlackRidge TAC Gateway. This procedure is required for all BlackRidge TAC gateways.

Section IV – Configuring BlackRidge TAC Gateways for Layer2 Endpoint Protection provides an overview of the operation and administration concepts of Distributed Identities, configuring and enabling the Publisher and Subscriber services, and defining network endpoints as Trusted Hosts and Protected Resources. It acquaints the administrator with the scope of the tasks involved with configuring the security defense and protection capabilities provided by BlackRidge TAC Gateways.

It also contains a sample basic network topology highlighting a Layer2 configuration and operation (i.e., deployed in-line as a transparent bridge at any point along a data path) as the objective to achieve through this guide.

There is a high-level task map to orient the administrator while performing the low-level steps of configuring the administrative properties of the gateways.

The actual definitions used to configure the gateways for the sample network topology are provided up front to assist the configuration process. The gateways can be configured in a variety of ways, and each has its own predictable behavior, which is described in this section.

Lastly, it describes the process of configuring the BlackRidge TAC virtual Gateway to trust network endpoints (Trusted Hosts) and protect high value assets (Protected Resources).

There are two network deployment configurations—Layer2 and Layer3. Layer2 mode is the default configuration for deploying BlackRidge TAC Gateways and is the subject of this document.

CAVEAT: Administrating and deploying Layer3 mode is an advanced capability requiring the services of BlackRidge certified technical support, and therefore is beyond the scope of this guide.

Typographical Conventions

This document uses the following typographic conventions to help you locate and identify information:

Italic text
Identifies new terms, emphasis, and book titles

Bold text
Identifies button names and other items that you can click or touch in the graphical user interface or press on a computer keyboard

Courier New
Identifies commands, command syntax, command arguments and system prompts

Bold Courier New
Identifies command strings being executed by the system through the CLI.

Note: Notes provide extra information about a topic that is good to know but not essential to the process.

Caution: Cautions draw your attention to actions that could compromise the security of your system or result in the loss of data.

SECTION I - Installing BlackRidge TAC Virtual Gateways

BlackRidge TAC Virtual Platform Appliances

BlackRidge virtual and cloud gateways are a full implementation of the TAC gateway in a virtual appliance, with functionality that is identical to that of a physical gateway appliance. Currently the virtual gateway runs on VMware ESXi, Linux KVM, AWS, and on IBM z/VM, with other virtual environments and public clouds to be supported soon.

BlackRidge TAC virtual gateways can be deployed in a variety of network and cloud security stack and server configurations as virtual software functions or as hardware appliances.

BlackRidge Enterprise TAC Gateways are available as physical, virtual and cloud appliances:
- 1U rack-mountable 1GbE or 10GbE network devices
- VMware virtual appliances, KVM and Amazon Web Services cloud appliances
- IBM z Systems LPAR or z/VM appliances

A virtual BlackRidge TAC appliance may be configured to support up to 100,000 unique identities.

Installation and Configuration Task Map

Install the Virtual BlackRidge TAC Gateways
- Determine ESXi host requirements
- Review port terminology, definitions and functions
- Define virtual switching configuration
- Install the BlackRidge TAC virtual machine
- Attach the BlackRidge TAC virtual machine
- Access BlackRidge TAC virtual machine
- Log into BlackRidge TAC virtual machine

Configure the Management Interface of the Virtual BlackRidge TAC Gateways
- Review terminology, definitions, and functions
- Execute the Setup Wizard or invoke CLI commands to configure the Management Interface
- Validate BlackRidge TAC virtual gateway configuration
- Determine TAC mode of operation

Configure Certificates for Virtual BlackRidge TAC Gateways
- Review terminology, definitions and functions
- Generate the BlackRidge TAC Gateway keys for signing
- Initiate the BlackRidge Certificate Signing Request (CSR)
- Extract and import the BlackRidge-signed certificates
- Validate the BlackRidge-signed certificates

Configure Virtual BlackRidge TAC Gateways for Layer2 Endpoint Protection
- Review terminology, definitions, and functions
- Assign and deploy role-based trust levels
- Create Protected Resource identities, policies and rules
- Create Trusted Host identities
- Configure and start Distributed Identity Service

Sample Deployment Requirements

The following virtual and physical hardware is used to build a Blackridge-protected virtual environment. It is upon this configuration that this guide is based:
- Two ESXi 5/6.* hosts
- One server device VM – configured as a Protected Resource
- One client device – configured as a Trusted Host
- One client device – configured as an unauthorized client
- Two BlackRidge TAC Gateway virtual appliances
- DNS servers (virtual or physical) for finding NTP servers that reside locally or on the Internet
- Network connections for connectivity outside of the virtual environment

Note: When setting up your own test lab for the BlackRidge 2010 Virtual TAC Gateways, be sure to assign user-defined host and network configuration values that are specific to the requirements of your local environment.

ESX Network Topology

In a typical deployment on ESX, a BlackRidge TAC virtual gateway is deployed to protect virtual servers residing on the ESX hypervisor.

For this type of deployment, the BlackRidge Virtual Machine (VM) is connected to the same vSwitch the servers are connected to, and another vSwitch is created for the trusted zone.

Once configured, moving individual virtual servers to the trusted zone is simply done by changing the vSwitch assignment of the virtual network interface card (NIC) for that host.

There is no requirement to change any IP address assignments on the host. This can be done transparently via the vSphere administrator for that host. In this way, virtu
