McAfee Next Generation Firewall (NGFW) and Brocade vRouter/ODL Controller - Secure Programmable Virtual Data Center Threat Management:

Version 2

    Introduction

     

    Intel Security and Brocade have collaborated to create a joint solution that provides data centers with advanced threat protection while off-loading unnecessary Layer 7 analysis from the Next Generation Firewall.

     

    Solution Overview

     

    One of the main features of this design is the ability of the network to defend itself. When a hacker sends malicious traffic, McAfee Next Generation Firewall (NGFW) identifies and blocks that malicious traffic flow and informs McAfee Security Management Center (SMC). The SMC communicates with the Brocade Vyatta Controller (SDN/ODL), which dynamically reprograms the Vyatta vRouter. The controller inserts rules into the Vyatta vRouter to block malicious traffic from the hacker and allow benign traffic flows to pass.

    Figure 1. McAfee and Brocade - Secure Programmable Virtual Data Center Threat Management Design


    As shown in Figure 2, the Brocade SDN Controller inserts rules into the Vyatta vRouter to block malicious traffic and allow benign traffic to pass.

    Figure 2. Granular view of the solution.

     

    Solution Benefits

     

    The benefit of the self-defending network is that Layer 7 analysis is no longer needed for a malicious flow once the Next Generation Firewall has identified and blocked it. This frees NGFW resources for Layer 7 analysis of other traffic flows. Such a self-defending secured network provides agility, flexibility and high reliability for mission-critical network services.

    Figure 3. Zero CPU utilization by McAfee NGFW for Layer 7 analysis of the blocked flow and similar flows.

     

    Configurations

     

    All the configurations described in this document are specific to the McAfee and Brocade joint solution shown in Figure 1. For the full configuration of each device, refer to the vendor-specific website.

     

    OpenStack Installation

     

    This section covers installation of the Red Hat version of OpenStack, installed with Packstack, and of OpenDaylight on a two-node setup. The document assumes that the user is familiar with OpenStack components and the Horizon UI.

     

    System Requirements


      • Node 1 for OpenStack control, compute and network, referred to as the control node.
      • Node 2 for OpenStack compute, referred to as the compute node.


    Note: You can use either physical machines or VMs for the setup.


      • Option 1 (Nodes 1 and 2): OpenStack directly on physical servers. 2 servers, each with 2 NIC interfaces. Example: Supermicro micro server, 64 GB RAM, 1 CPU with 8 cores, 1 TB HDD.

      • Option 2 (Nodes 1 and 2): OpenStack on ESXi VMs. 2 VMs, each with 3 NIC interfaces. Example: VM with 24 GB RAM, 4 vCPUs (4-core processor), 300 GB HDD.

     

    System Preparation

     

    On both the compute and control nodes


      1. Install CentOS 7 x64
        • Server with GUI
        • Ensure the hostname is set
        • Create standard partitions for the installation (e.g. /boot – 20 GB, / – 900 GB, swap – 30 GB)

    Note: By default OpenStack stores its VMs under the '/' mount point, so allocate as much space to it as possible.

     

      2.  By default, interfaces are named enoxxxxxxx, which is awkward to work with. To switch to the legacy ethX naming, perform the following steps:

        • Edit the file /etc/default/grub
        • In the line containing GRUB_CMDLINE_LINUX, add net.ifnames=0 to the quoted string
        • Save the file
        • Execute "grub2-mkconfig -o /boot/grub2/grub.cfg"
        • Execute "reboot"
        • After the reboot, rename ifcfg-enoxxxxxxx to ifcfg-ethX under /etc/sysconfig/network-scripts/.
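    The steps above can be scripted so that they are safe to re-run. The following Python script is an added example and is not part of the scripts folder shipped with this document: it adds net.ifnames=0 only once, renames the ifcfg files, and also rewrites the DEVICE= and NAME= keys inside each file, which a plain rename leaves pointing at the old eno name so that ifup would not find the device. The two paths can be passed as arguments to try it on copies first.

```python
import re
import sys
from pathlib import Path

GRUB_DEFAULTS = "/etc/default/grub"
NETWORK_SCRIPTS = "/etc/sysconfig/network-scripts"


def add_ifnames_flag(grub_text):
    """Append net.ifnames=0 to the quoted GRUB_CMDLINE_LINUX value; no-op if already there."""
    if "net.ifnames=0" in grub_text:
        return grub_text
    return re.sub(r'^(GRUB_CMDLINE_LINUX="[^"]*)"', r'\1 net.ifnames=0"',
                  grub_text, count=1, flags=re.M)


def rename_ifcfg(files):
    """Take {filename: content} for a network-scripts directory and return the same mapping
    with every ifcfg-eno* renamed to ifcfg-ethN (N in sorted order) and the DEVICE= and NAME=
    keys inside each renamed file updated to match. Other files pass through unchanged."""
    out = {name: text for name, text in files.items() if not name.startswith("ifcfg-eno")}
    for n, name in enumerate(sorted(f for f in files if f.startswith("ifcfg-eno"))):
        new = "eth%d" % n
        text = re.sub(r"^DEVICE=.*$", "DEVICE=" + new, files[name], flags=re.M)
        text = re.sub(r"^NAME=.*$", "NAME=" + new, text, flags=re.M)
        out["ifcfg-" + new] = text
    return out


def apply_on_disk(grub_path=GRUB_DEFAULTS, scripts_dir=NETWORK_SCRIPTS):
    """Apply both changes on disk; grub2-mkconfig and the reboot still follow as in step 2."""
    grub = Path(grub_path)
    grub.write_text(add_ifnames_flag(grub.read_text()))
    d = Path(scripts_dir)
    before = {p.name: p.read_text() for p in d.glob("ifcfg-*")}
    after = rename_ifcfg(before)
    for name in before:
        if name not in after:
            (d / name).unlink()  # old ifcfg-eno* file, now replaced by ifcfg-ethN
    for name, text in after.items():
        (d / name).write_text(text)


if __name__ == "__main__":
    apply_on_disk(*sys.argv[1:3])
```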

     

      3.  Copy the scripts folder, together with the sample Packstack answer file “packstack-answers-os-floatingipsupport.txt” inside it, to "/root"

        • Ensure the system has internet access before running the scripts below
        • Execute the script "os_system_prepare.sh", which installs all the dependencies and OpenStack Packstack
        • Manually edit the network scripts to assign the management IP address
          • Update /etc/sysconfig/network-scripts/ifcfg-br-ex (external/floating IP)
          • Update /etc/sysconfig/network-scripts/ifcfg-eth0 as below:

    OVS_BRIDGE=br-ex
    TYPE=OVSPort
    ONBOOT=yes
    DEVICETYPE=ovs
    DEVICE=eth0
    BOOTPROTO=none
    DEFROUTE=yes

          • Update the key values in /etc/sysconfig/network-scripts/ifcfg-eth1 and add the management IP address.

    Here are the keys to be updated:

    BOOTPROTO=none
    DEFROUTE=no
    #UUID=a6fe4af2-7884-4df9-b6db-8a3d22803686
    ONBOOT=yes

          • Execute "service network restart"
        • Manually edit the /etc/hosts file to include the hostnames of the control and compute nodes and the localhost entry, e.g.:

    172.28.214.26 osodlphy1
    172.28.214.27 osodlphy2
    127.0.0.1 osodlphy1.sddc

    On the control node


      4.  Execute "packstack --answer-file=packstack-answers-os-floatingipsupport.txt"

     

    Set up floating IPs for external network access

     

      1. Obtain a range of unassigned IP addresses to be used as floating IPs for VMs inside the OpenStack tenant

      2. Create a public network named "public", then execute the command below

      3. $ neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool=start=<start ip>,end=<end ip> --gateway=<gateway> public <subnet cidr>

      4. Example: neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool=start=172.28.214.41,end=172.28.214.50 --gateway=172.28.214.1 public 172.28.214.0/24

     

    Verification of the setup

     

    Test the OpenStack/ODL setup with floating IP support using the following steps.

     

      1. Execute the commands in "setup_test.sh" manually on the command line; running the script as a whole may not succeed
      2. Two VMs should be in the running state and able to ping each other; this confirms that the OpenStack installation is successful
      3. Allocate and associate a floating IP to a VM
      4. Verify that the VM can be pinged from the floating IP network and can access the internet

     

    References

     

    https://www.rdoproject.org/Quickstart

     

    McAfee Next Generation Firewall (NGFW) and Security Management Center (SMC) Installation & Policy Configuration

     

    Requirements

     

      • “aws-test.img” image of the virtual NGFW (SOON TO BE AVAILABLE)
      • Security Management Center (SMC)

     

    Supporting Documentation

     

    This section only gets you started with installing NGFW in an OpenStack environment. To complete the NGFW and SMC configuration, install licenses, install policies and carry out the other necessary configuration, refer to the full NGFW configuration guide.

    The NGFW Getting Started section at McAfee Expert Center may also help in completing the NGFW and SMC configuration - https://community.mcafee.com/community/business/expertcenter/products/ngfw

     

    Installing McAfee Security Management Center (SMC)

     

    Once you have the SMC installer folder, follow the steps in the SMC installation document to install Security Management Center (see the SMC Installation link at Expert Center).

     

    Installing Virtual Next Generation Firewall

     

      1.  Upload the “aws-test.img” (SOON TO BE AVAILABLE) to OpenStack

        • As user “admin”, go to Project > Images > Create Image
        • Fill in the dialog as shown below and click the “Create Image” button. The upload may take some time.

    Figure 4. Uploading the NGFW VM image file to OpenStack’s image repository.


      2.  Ensure that all networks have been created in OpenStack: the management network, the internal network (victim machines) and the external network (one attacker and one good guy)

     

      3.  Launch an instance of the uploaded OpenStack image.

        • Choose a flavor with at least 4 GB RAM

        • Under Networking, assign 3 networks to this instance (refer to slide 1):
          • The management network.
          • The VR-NGFW network - this is the “internal” network for NGFW
          • The NGFW-VADX network - this is the “external” network for NGFW
        • Open a console for this VM once the launch has begun.
          • Under Project > Instances > Actions column > drop-down box, select “Console”.

        • Now follow the NGFW installation steps as per the NGFW install documentation.
          • In the “Configure Network Interfaces” screen, it is important that “eth0”, “eth1” and “eth2” are assigned to the correct networks. This information may not be available at this point; select the defaults for now and correct the assignment later, once the MAC addresses of the interfaces are known and the rest of the configuration is complete.
          • In the “Prepare for Management Contact” screen, select “Enter node IP address manually” and supply the IP address allocated by OpenStack on the management interface.

    Figure 5. McAfee NGFW Configuration view

     

    NOTE: For further configuration of NGFW and SMC, please refer to the NGFW Getting Started section at McAfee Expert Center - https://community.mcafee.com/community/business/expertcenter/products/ngfw

     

    Policy Configuration on NGFW

     

    Figure 6 shows that the High Security Inspection Policy should be selected in the Inspection tab. Fill in the source and destination fields based on your network configuration. See the NGFW configuration guide for how to select and install a policy.

    Figure 6. Policy example on McAfee NGFW – High Security Inspection Policy selected for inspection

     

    Brocade Vyatta Controller (ODL controller) and vRouter 5600 EMS App installation and configuration

     

    This document explains the installation and configuration of the Brocade Vyatta Controller and of the EMS app on the Brocade Vyatta Controller, which communicates with the Brocade Vyatta vRouter. It is a simplified version of the Brocade Vyatta Controller Quick Start Guide and the Vyatta vRouter 5600 EMS App User Guide. For full documentation on the Brocade Vyatta Controller and the EMS app, please refer to the official Brocade documentation.

     

    Brocade Vyatta Controller (ODL Controller)

     

    Hardware Requirements

    (Hardware requirements: provided as a table image in the original document; see the Brocade Vyatta Controller Quick Start Guide.)

     

    Software Requirements

     

    Ensure that you have the following installed before you install the Brocade Vyatta Controller:

      • Ubuntu 14.04
        • Do a sudo apt-get update after installing Ubuntu 14.04
      • Oracle Server Java SE JRE 1.7.0_65 or a later version
      • Zip
        • Enter the following command to install Zip:

    sudo apt-get install zip

      • Unzip
        • Enter the following command to install Unzip:

    sudo apt-get install unzip

      • cURL
        • Enter the following command to install cURL:

    sudo apt-get install curl

      • Node.js
        • Enter the following command to fetch the scripts that are required to set up Node.js:

    curl -sL https://deb.nodesource.com/setup | sudo bash -

        • Enter the following command to install Node.js:

    sudo apt-get install nodejs

      • OpenSSH
        • Enter the following command to install OpenSSH

    sudo apt-get install openssh-server

      • Google Chrome

     

    Installing the Brocade Vyatta Controller (Brocade ODL Controller)

     

      1.  Download the following Brocade Vyatta Controller installation archives, available at http://my.brocade.com:

        • bvc-1.1.1.zip
        • bvc-dependencies-1.1.1.zip

     

      2.  Enter the following command to create the /opt/bvc directory:

    sudo mkdir /opt/bvc

     

      3.  Enter the following command to change the ownership of the directory:

    sudo chown $USER /opt/bvc

     

      4.  Enter the following commands to unzip the installation directories:

    unzip -o bvc-1.1.1.zip -d /opt

    unzip -o bvc-dependencies-1.1.1.zip -d /opt

    These commands create files in the /opt/bvc/ directory.

     

      5.  Enter the following commands to install the Brocade Vyatta controller:

    cd /opt/bvc

    ./install


    The controller and the GUI automatically start at the end of the installation.

     

    Verifying the installation of the Brocade Vyatta Controller

     

    Go to the following web location: http://<controller-ip>:8181/apidoc/explorer/index.html to access the API Doc Explorer application. The OpenDaylight RestConf API Documentation page displays the following:

     

      • List of APIs supported by the controller
      • Mount points for any API that you select

     

    Brocade Vyatta vRouter 5600 EMS App

     

    Brocade Vyatta vRouter 5600 EMS is an app built on top of the Brocade Vyatta Controller to manage the Vyatta 5600 devices.

     

    Installing the EMS App

     

    Ensure that you have installed the following before you install the EMS:

     

      • Brocade Vyatta Controller version 1.1.1 (see the earlier section)
      • Brocade Vyatta 5600 vRouter version 3.2.1R4 (refer to the Vyatta 5600 vRouter installation guide for this setup)

     

    To install the EMS, perform the following steps.

     

      1.  Install the Brocade Vyatta Controller (see the Brocade Vyatta Controller installation section above)

      2.  Download the EMS app zip file available at http://my.brocade.com

      3.  Enter the following command to unzip the EMS app zip file to the /opt directory:

    unzip -o bvc-app-vyattaems-1.1.0.zip -d /opt

      4.  Enter the following command to go to the /opt/bvc directory:

    cd /opt/bvc

      5.  Enter the following command to install the EMS app:

    ./install

     

    This command installs the EMS app. Refresh the Brocade Vyatta Controller GUI to see the app in the application pane.

     

    Registering devices with the Controller

     

      1. Open a supported browser and enter the login URL http://<controller-ip>:9000 to access the Brocade Vyatta Controller UI. The controller-ip is the IP address of the computer on which the Brocade Vyatta Controller is installed.
      2. Log in with the following credentials: username admin, password admin.
      3. Select Vyatta vRouter 5600 EMS in the application pane. The Vyatta vRouter 5600 EMS window is displayed.
      4. In the Vyatta vRouter 5600 EMS content pane, enter a Device Name for the vRouter VM and the NETCONF IP Address and Port Number of the VM. (Make sure the SSH service is enabled on the Vyatta vRouter.)
      5. Enter the User ID and Password that the controller uses to connect to the vRouter.
      6. Click Mount Device.
      7. If the mount operation is successful, the interfaces of the vRouter are displayed under Mounted Devices.
      8. The Mounted Devices section displays the names and interfaces of all the vRouters.

     

    NOTE:

    The files attached in this section should all go into the same folder; copy the entire folder to the machine where ODL is installed. These files listen for events coming from McAfee Security Management Center and send commands to ODL. They act as an intermediate broker/proxy between SMC and ODL.


    Open the commans.py script. On the line ODL_ADDR=http://172.28.209.80:8181, change the IP address to point to the ODL machine. In the same script, on the lines port=4000 #UDP port to listen on and IP="172.28.209.80", change the IP address to the local IP address. The SMC LogServer will be configured to send logs to this <IP,PORT>.
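    The broker receives its events over plain UDP, so it is worth checking what arrives before anything is pushed to the controller. The following Python sketch is an added example, not the commans.py script from the attached files: it keeps the page's ODL_ADDR and listen address, while the SMC source address, the key=value event format, the protected address range and the ODL request path are assumptions, the last being a placeholder to be replaced from the EMS App User Guide.

```python
import ipaddress
import json
import re
import socket
import urllib.request

ODL_ADDR = "http://172.28.209.80:8181"          # ODL controller, value from the page's script
LISTEN_IP, LISTEN_PORT = "172.28.209.80", 4000  # <IP,PORT> the SMC LogServer is configured to send to
SMC_IP = "192.0.2.10"                           # constructed: only this sender's datagrams are honoured
PROTECTED = [ipaddress.ip_network("172.28.214.0/24")]  # constructed: management range, never blocked
# Constructed key=value event shape; the real LogServer export format is not given on the page.
EVENT_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+action=(?P<action>\w+)")
ODL_PATH = "/restconf/<placeholder-ems-block-rule-path>"  # placeholder: take from the EMS App User Guide


def parse_event(line):
    """Extract src, dst and action from one event line; None if the line does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def block_request(event, sender):
    """Decide whether an event becomes a block rule; returns (url, body) or None.
    UDP carries no authentication, so both the sender and the address to be blocked
    are checked before anything is pushed to the controller."""
    if sender != SMC_IP or event is None or event["action"] != "Discard":
        return None
    try:
        src = ipaddress.ip_address(event["src"])
    except ValueError:
        return None
    if any(src in net for net in PROTECTED):
        return None  # a spoofed or mistaken event must not cut off infrastructure addresses
    return ODL_ADDR + ODL_PATH, {"block-source": str(src)}  # hypothetical request body


def serve():
    """Listen for SMC events and forward qualifying ones to ODL (add the controller's
    HTTP Basic credentials to the request headers in a real deployment)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LISTEN_IP, LISTEN_PORT))
    while True:
        data, (addr, _) = sock.recvfrom(4096)
        req = block_request(parse_event(data.decode("utf-8", "replace")), addr)
        if req:
            url, body = req
            r = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                       headers={"Content-Type": "application/json"})
            urllib.request.urlopen(r).close()


if __name__ == "__main__":
    serve()
```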

     

    Brocade Vyatta vRouter

     

    Brocade’s vRouter can be downloaded from Brocade's website as a VM image. Once you have the VM image, upload it as a raw image into OpenStack and launch an instance of it. Create the necessary interfaces for it (including one management interface connected to the management network).

     

    Follow the installation guide for the Vyatta router (refer to Brocade’s website for installation and configuration) to complete the configuration.