Intel Security and Brocade have collaborated on a joint solution that gives the data center advanced threat protection while off-loading unnecessary Layer 7 analysis from the Next Generation Firewall.
One of the main features of this design is the ability of the network to defend itself. When an attacker sends malicious traffic, McAfee Next Generation Firewall (NGFW) identifies and blocks the malicious flow and informs McAfee Security Management Center (SMC). SMC communicates with the Brocade Vyatta Controller (an SDN controller based on OpenDaylight, ODL), which dynamically reprograms the Vyatta vRouter: the controller inserts rules into the vRouter that drop further traffic from the attacker while benign flows continue to pass.
Figure 1. McAfee and Brocade - Secure Programmable Virtual Data Center Threat Management Design
As shown in Figure 2, the Brocade SDN Controller inserts rules into the Vyatta vRouter to block the malicious traffic and allow benign traffic to pass.
Figure 2. Granular view of the solution.
The benefit of the self-defending network is that Layer 7 analysis of a malicious flow is no longer needed once the NGFW has identified it and the vRouter is dropping it upstream. The NGFW keeps its resources for Layer 7 analysis of other traffic flows. Such a self-defending network provides agility, flexibility and high reliability for mission-critical network services.
Figure 3. Zero CPU utilization by McAfee NGFW for Layer 7 analysis of the blocked flow and similar flows.
All the configurations described in this document are specific to the McAfee and Brocade joint solution shown in Figure 1. For the full configuration of each device, refer to the vendor-specific website.
This section covers installation of RDO OpenStack (the Red Hat community distribution, installed with Packstack) and OpenDaylight on a 2-node setup. The document assumes that the user is familiar with the OpenStack components and the Horizon UI.
- Node 1 for OpenStack control, compute and network; referred to as the control node
- Node 2 for OpenStack compute; referred to as the compute node
Note: Either physical machines or VMs can be used for the setup.
Option 1 (Nodes 1 & 2): OpenStack directly on physical servers. Two servers, each with 2 NIC interfaces. Ex: Supermicro micro server, 64 GB RAM, 1 CPU with 8 cores, 1 TB HDD
Option 2 (Nodes 1 & 2): OpenStack on ESXi VMs. Two VMs, each with 3 NIC interfaces. Ex: VM with 24 GB RAM, 4 vCPUs, 300 GB HDD
1. On both the compute and control node
- Install CentOS 7 x64
- Choose the "Server with GUI" installation profile
- Ensure the hostname is set
- Create standard partitions for the installation (ex. /boot – 20GB, / – 900 GB, swap – 30GB)
Note: By default OpenStack stores its VM disks under '/', so allocate as much space as possible to that mount point.
2. By default the interfaces are named enoXXXXXXX, which is cumbersome to work with. To switch to the legacy ethX naming, do the following:
- Edit /etc/default/grub
- In the line containing GRUB_CMDLINE_LINUX, add net.ifnames=0 to the string
- Save the file
- Execute "grub2-mkconfig -o /boot/grub2/grub.cfg"
- Execute "reboot"
- After the reboot, rename ifcfg-enoXXXXXXX to ifcfg-ethX under /etc/sysconfig/network-scripts/ and update the DEVICE= and NAME= keys inside each file to the new name; otherwise the network service still looks for the old device name and leaves the interface down.
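The rename is easy to get half right: the file moves but DEVICE= and NAME= still carry the old eno name. As an added example (not a script from the guide's scripts folder), the following Python helper renames the script and rewrites both keys in one step, refusing to clobber an existing target. The directory, file name and mapping are assumed for illustration, and the function takes the directory as a parameter so it can be tried on a scratch copy before the real /etc/sysconfig/network-scripts.

```python
"""Rename ifcfg-enoXXXXXXX scripts to ifcfg-ethX and fix the DEVICE=/NAME= keys.

Added example, not part of the original guide. It assumes the Red Hat
/etc/sysconfig/network-scripts layout; the directory is a parameter so the
function can be exercised on a scratch copy before touching the real one.
"""
import os
import re
import tempfile

# Matches a DEVICE= or NAME= line, with or without quotes around the value.
KEY_LINE = re.compile(r"^(DEVICE|NAME)=([\"']?)[^\"'\n]*\2[ \t]*$", re.M)


def rename_ifcfg(scripts_dir: str, mapping: dict) -> list:
    """mapping: {"eno16777736": "eth0", ...}. Returns the paths written.

    Refuses to overwrite an existing target so two interface scripts cannot be
    merged by a typo in the mapping.
    """
    written = []
    for old, new in mapping.items():
        src = os.path.join(scripts_dir, f"ifcfg-{old}")
        dst = os.path.join(scripts_dir, f"ifcfg-{new}")
        if not os.path.isfile(src):
            raise FileNotFoundError(src)
        if os.path.exists(dst):
            raise FileExistsError(dst)
        with open(src) as fh:
            text = fh.read()
        # DEVICE= and NAME= must match the new file name: with net.ifnames=0 the
        # old eno name no longer exists, so a stale value leaves the interface down.
        text = KEY_LINE.sub(lambda m: f"{m.group(1)}={m.group(2)}{new}{m.group(2)}", text)
        with open(dst, "w") as fh:
            fh.write(text)
        os.remove(src)
        written.append(dst)
    return written


def demo() -> tuple:
    """Run the rename on a constructed ifcfg file in a scratch directory.

    Returns (sorted file names left in the directory, contents of the new file).
    """
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "ifcfg-eno16777736"), "w") as fh:
            # constructed sample, the shape CentOS 7 writes for a static interface
            fh.write('TYPE=Ethernet\nBOOTPROTO=none\nDEVICE=eno16777736\nNAME="eno16777736"\nONBOOT=yes\n')
        rename_ifcfg(scratch, {"eno16777736": "eth0"})
        with open(os.path.join(scratch, "ifcfg-eth0")) as fh:
            return sorted(os.listdir(scratch)), fh.read()


if __name__ == "__main__":
    names, text = demo()
    print(names)
    print(text)
```

Run it against a copy of the directory first, then with `scripts_dir="/etc/sysconfig/network-scripts"` as root, followed by `service network restart`.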
3. Copy the scripts folder, and the sample packstack answer file "packstack-answers-os-floatingipsupport.txt" inside it, to /root
- Ensure the system has internet access before running the scripts below
- Execute the script "os_system_prepare.sh", which installs all the dependencies and OpenStack Packstack
- Manually edit the network scripts to assign the management IP address:
- Update /etc/sysconfig/network-scripts/ifcfg-br-ex (external/floating IP network)
- Update /etc/sysconfig/network-scripts/ifcfg-eth0 as below:
- Update the key values in /etc/sysconfig/network-scripts/ifcfg-eth1 and add the management IP address. Here are the keys to be updated:
- Execute "service network restart"
- Manually edit /etc/hosts to include the hostnames of the control and compute nodes and the localhost entry
- ex: 172.28.214.26 osodlphy1
On the control node
4. Execute "packstack --answer-file=packstack-answers-os-floatingipsupport.txt"
Set up floating IPs for external network access
Obtain a range of unassigned IP addresses to be used as floating IPs for the VMs inside the OpenStack tenant
Create a public network named public, then execute the command below
$ neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool=start=<start ip>,end=<end ip> --gateway=<gateway> public <subnet cidr>
Ex: neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool=start=172.28.214.41,end=172.28.214.50 --gateway=172.28.214.1 public 172.28.214.0/24
Verification of the setup
Test the OpenStack - ODL setup with floating IP support using the following steps.
- Execute the commands in "setup_test.sh" manually on the command line; running all the commands together as a script may not succeed
- Two VMs should be in the running state and able to ping each other; this confirms that the OpenStack installation is successful
- Allocate a floating IP and associate it with a VM
- Verify that the VM is reachable by ping from the floating IP network and can access the internet
McAfee Next Generation Firewall (NGFW) and Security Management Center (SMC) Installation & Policy Configuration
- "aws-test.img", the virtual NGFW image (SOON TO BE AVAILABLE)
- Security Management Center (SMC)
This section only gets you started with installing NGFW in the OpenStack environment. To complete the NGFW and SMC configuration (installing licenses, installing policies and other necessary configuration), refer to the full NGFW configuration guide.
The Getting Started section for NGFW at McAfee Expert Center may also assist in completing the NGFW and SMC configuration - https://community.mcafee.com/community/business/expertcenter/products/ngfw
Installing McAfee Security Management Center (SMC)
Once you have the SMC installer folder, follow the steps shown in the SMC installation document to install Security Management Center – Link to SMC Installation from expert center.
Installing Virtual Next Generation Firewall
1. Upload "aws-test.img" (SOON TO BE AVAILABLE) to OpenStack
- As user "admin", go to Project > Images > Create Image
- Fill in the dialog as below and click "Create Image". The upload may take some time.
Figure 4. Uploading NGFW VM image file to OpenStack’s image repository.
2. Ensure that all networks have been created in OpenStack. This includes the management network, the internal network (victim machines) and the external network (one attacker and one benign host)
3. Launch an instance from the uploaded image.
- Choose a flavor with at least 4 GB RAM
- Under Networking, assign three networks to this instance (refer to Figure 1):
- The management network.
- The VR-NGFW network, the "internal" side of the NGFW
- The NGFW-VADX network, the "external" side of the NGFW
- Open a console for this VM once the launch has begun:
- Under Project > Instances > Actions column > drop-down box, select "Console".
- Now follow the NGFW installation steps in the NGFW install documentation.
- In the "Configure Network Interfaces" screen it is important that eth0, eth1 and eth2 are mapped to the correct networks. The mapping may not be known at this point; accept the defaults for now and correct it once the rest of the configuration is complete and the MAC addresses of the interfaces are available (compare them with the MAC addresses of the instance's ports in OpenStack).
- In the "Prepare for Management Contact" screen, select "Enter node IP address manually" and supply the IP address OpenStack allocated to the management interface.
Figure 5. McAfee NGFW Configuration view
NOTE: For further configuration of NGFW and SMC, please refer to the NGFW Getting Started section at McAfee Expert Center - https://community.mcafee.com/community/business/expertcenter/products/ngfw
Policy Configuration on NGFW
Figure 6 shows that the High Security Inspection Policy should be selected in the Inspection tab. Fill in the source and destination fields based on your networking configuration. Review the NGFW configuration guide for how to select and install a policy.
Figure 6. Policy Example on McAfee NGFW – High Security Inspection Policy selected for inspection
Brocade Vyatta Controller (ODL controller) and vRouter 5600 EMS App installation and configuration
This section explains the installation and configuration of the Brocade Vyatta Controller and of the EMS app that runs on it to communicate with the Brocade Vyatta vRouter. It is a simplified version of the Brocade Vyatta Controller Quick Start Guide and the Vyatta vRouter 5600 EMS App User Guide. For the full documentation on the Brocade Vyatta Controller and the EMS app, refer to Brocade's official documentation.
Brocade Vyatta Controller (ODL Controller)
Ensure that you have the following installed before you install the Brocade Vyatta Controller:
- Ubuntu 14.04
- Run sudo apt-get update after installing Ubuntu 14.04
- Oracle Server Java SE JRE 1.7.0_65 or a later version
- Enter the following command to install Zip:
sudo apt-get install zip
- Enter the following command to install Unzip:
sudo apt-get install unzip
- Enter the following command to install curl:
sudo apt-get install curl
- Enter the following command to fetch the script that sets up the Node.js package repository (note that it pipes a remotely fetched script straight into a root shell; download and review it first if your policy requires it):
curl -sL https://deb.nodesource.com/setup | sudo bash -
- Enter the following command to install Node.js:
sudo apt-get install nodejs
- Enter the following command to install OpenSSH
sudo apt-get install openssh-server
- Google Chrome
Installing the Brocade Vyatta Controller (Brocade ODL Controller)
1. Download the following installation directories of the Brocade Vyatta Controller that are available at:
2. Enter the following command to create the /opt/bvc directory:
sudo mkdir /opt/bvc
3. Enter the following command to change the ownership of the directory:
sudo chown $USER /opt/bvc
4. Enter the following commands to unzip the installation directories:
unzip -o bvc-1.1.1.zip -d /opt
unzip -o bvc-dependencies-1.1.1.zip -d /opt
These commands create the files in the /opt/bvc/ directory.
5. Enter the following commands to install the Brocade Vyatta controller:
The controller and the GUI automatically start at the end of the installation.
Verifying the installation of the Brocade Vyatta Controller
Go to the following web location: http://<controller-ip>:8181/apidoc/explorer/index.html to access the API Doc Explorer application. The OpenDaylight RestConf API Documentation page displays the following:
- List of APIs supported by the controller
- Mount points for any API that you select
Brocade Vyatta vRouter 5600 EMS App
Brocade Vyatta vRouter 5600 EMS is an app built on top of the Brocade Vyatta Controller to manage the Vyatta 5600 devices.
Installing the EMS App
Ensure that you have installed the following before you install the EMS:
- Brocade Vyatta Controller version 1.1.1 (see the earlier section)
- Brocade Vyatta 5600 vRouter version 3.2.1R4. (Refer to Vyatta 5600 vRouter installation guide for this setup)
To install the EMS, perform the following steps.
1. Install the Brocade Vyatta Controller (refer to section 3 for the Brocade Vyatta Controller installation)
2. Download the EMS app zip file available at http://my.brocade.com
3. Enter the following command to unzip the EMS app zip file into the /opt directory.
unzip -o bvc-app-vyattaems-1.1.0.zip -d /opt
4. Enter the following command to go to the /opt/bvc directory.
5. Enter the following command to install the EMS app.
This command installs the EMS app. Refresh the Brocade Vyatta Controller GUI to see the app in the application pane.
Registering devices with the Controller
- Open a supported browser and enter the login URL http://<controller-ip>:9000 to access the Brocade Vyatta Controller UI. The controller-ip is the IP address of the machine on which the Brocade Vyatta Controller is installed.
- Log in with the default credentials: username admin, password admin. Change this password as soon as the installation is verified; the controller can reprogram the vRouter, so its credentials deserve the same care as the router's own.
- Select Vyatta vRouter 5600 EMS in the application pane. The Vyatta vRouter 5600 EMS window is displayed.
- In the Vyatta vRouter 5600 EMS content pane, enter a Device Name for the vRouter VM and the NETCONF IP address and port number of the VM (make sure the SSH service is enabled on the Vyatta vRouter; NETCONF runs over SSH, and the standard NETCONF-over-SSH port is 830).
- Enter the User ID and Password that the controller uses to connect to the vRouter.
- Click Mount Device.
- If the mount operation succeeds, the interfaces of the vRouter are displayed under Mounted Devices.
- The Mounted Devices section displays the names and interfaces of all mounted vRouters.
The files attached in this section should all go into the same folder; copy the entire folder to the machine where ODL is installed. These files listen for the events coming from McAfee Security Management Center and send commands to ODL; they act as an intermediate broker/proxy between SMC and ODL.
Open the commans.py script. On the line ODL_ADDR=http://172.28.209.80:8181, change the IP address to point to the ODL machine. In the same script, on the lines port=4000 #UDP port to listen on and IP="172.28.209.80", change the IP address to the local IP address. The SMC Log Server will be configured to send logs to this <IP,PORT>. Because the listener accepts plain UDP, keep it on the management network and restrict the port with the host firewall to the Log Server's address; any host that can deliver datagrams to it could otherwise trigger the insertion of blocking rules.
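The following is an added example of such a broker, illustrating the self-defending loop described at the start of this document; it is not the commans.py shipped with the solution. It assumes an event format (one UDP datagram of key=value pairs per blocked connection), a Log Server address, an EMS device name and a RESTCONF path below the device's yang-ext:mount point; none of these come from the original page, and the real SMC log format and Vyatta YANG path must be taken from the SMC configuration and the controller's API Doc Explorer. What it adds beyond the description is the checks a practitioner wants before log events are allowed to drive firewall rules: accept datagrams only from the Log Server, refuse non-IP or protected (own infrastructure) addresses, suppress duplicates, and throttle the rate of rule insertions.

```python
"""SMC -> ODL broker: turns NGFW block events into vRouter drop rules.

Added example (not the commans.py shipped with the solution). Assumed, not
from the original guide: the event format, the Log Server address, the EMS
device name and the RESTCONF path below the device's yang-ext:mount point.
"""
import base64
import ipaddress
import json
import socket
import time
import urllib.request

ODL_ADDR = "http://172.28.209.80:8181"   # controller base URL (same setting as in commans.py)
LISTEN = ("172.28.209.80", 4000)         # <IP,PORT> the SMC Log Server is configured to send to
SMC_LOGSERVER = "172.28.214.10"          # assumed Log Server address; datagrams from anyone else are ignored
DEVICE = "vrouter1"                      # assumed device name given to the EMS app at mount time
FIREWALL_NAME = "SELFDEFEND"             # assumed name of the firewall rule set on the vRouter
# Assumed module path; read the real one from the controller's API Doc Explorer.
RULE_PATH = "vyatta-security-firewall-v1:security/firewall/name/{fw}/rule/{num}"
# Never block our own infrastructure (assumed ranges): a spoofed event must not cut off the management plane.
PROTECTED = [ipaddress.ip_network(n) for n in ("172.28.0.0/16", "127.0.0.0/8")]
MAX_RULES_PER_MIN = 60                   # an event flood must not turn into a rule flood on the vRouter


def parse_event(datagram: bytes) -> dict:
    """Parse one 'key=value key=value ...' datagram (assumed format); tokens without '=' are ignored."""
    fields = {}
    for token in datagram.decode("utf-8", errors="replace").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def attacker_address(event: dict):
    """Return the address to block, or None when the event must not produce a rule."""
    if event.get("action", "").lower() != "block":
        return None
    try:
        src = ipaddress.ip_address(event.get("src", ""))
    except ValueError:
        return None            # not a literal IP: refuse rather than push a malformed rule
    if any(src in net for net in PROTECTED):
        return None
    return src


def rule_url(rule_number: int) -> str:
    """RESTCONF URL of one rule below the mounted device (mount-point prefix is ODL's, the rest assumed)."""
    path = RULE_PATH.format(fw=FIREWALL_NAME, num=rule_number)
    return f"{ODL_ADDR}/restconf/config/opendaylight-inventory:nodes/node/{DEVICE}/yang-ext:mount/{path}"


def block_rule(src, rule_number: int) -> dict:
    """JSON body of a drop rule (shape assumed; take the real schema from the API Doc Explorer)."""
    return {"rule": [{"tagnode": rule_number, "action": "drop", "source": {"address": str(src)}}]}


class Broker:
    def __init__(self):
        self.blocked = {}      # address -> rule number, so a repeated event is not pushed twice
        self.next_rule = 1000  # first rule number the broker uses
        self.pushed = []       # timestamps of recent pushes, for the rate limit

    def handle(self, datagram: bytes, sender: str, now: float = None):
        """Process one datagram. Returns (url, body) when a rule should be pushed, else None."""
        now = time.time() if now is None else now
        if sender != SMC_LOGSERVER:
            return None        # plain UDP is unauthenticated; this check plus a host firewall is the minimum
        src = attacker_address(parse_event(datagram))
        if src is None or src in self.blocked:
            return None
        self.pushed = [t for t in self.pushed if now - t < 60]
        if len(self.pushed) >= MAX_RULES_PER_MIN:
            return None        # throttled; the NGFW itself is still blocking the flow
        number, self.next_rule = self.next_rule, self.next_rule + 1
        self.blocked[src] = number
        self.pushed.append(now)
        return rule_url(number), block_rule(src, number)


def push(url: str, body: dict, user: str = "admin", password: str = "admin") -> int:
    """PUT the rule to the controller over RESTCONF with HTTP basic auth; returns the HTTP status."""
    request = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
    request.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


def serve(broker: Broker) -> None:
    """Listen for Log Server datagrams forever and push a rule for each new attacker."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN)
    while True:
        data, (sender, _) = sock.recvfrom(4096)
        result = broker.handle(data, sender)
        if result is not None:
            push(*result)


if __name__ == "__main__":
    serve(Broker())
```

The sender check is deliberately only a first line of defence, since a UDP source address can be forged; the host firewall rule recommended above and placing the listener on the management network are what actually keep untrusted hosts away from the port. The duplicate and rate checks protect the vRouter rather than the broker: without them a burst of events for one attacker, or a flood of events for many, would be replayed as hundreds of RESTCONF writes.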
Brocade Vyatta vRouter
Brocade's vRouter can be downloaded from Brocade's website in VM format. Once you have the VM image, upload it to OpenStack as a raw image and launch an instance of it. Create the necessary interfaces for it, including one management interface connected to the management network.
Follow the installation guide for the Vyatta vRouter (refer to Brocade's website for installation and configuration) to complete the configuration.