SIEM Foundations: Mounting ESM 10x software on a VM

Version 1

    You can either mount the McAfee ESM software on an ESXi VM or on Linux Kernel-based Virtual Machine (KVM).

     

    Contents

    • Mounting ESM VM image overview
    • ESM VM system requirements
    • Download the ESM VM image
    • VMware ESXi VM ESM software mounting
    • Linux KVM ESM installation
    • Configure the VM ESM software

     

    Mounting ESM VM image overview

     

    Mounting the ESM software on a VM is similar for a VMware ESXi VM and a Linux KVM.

    This flowchart shows the major tasks used to install and configure the different VM software.

    ESM VM system requirements

    The virtual machine (VM) you use for the McAfee ESM VM must be configured with these minimum requirements.

    • Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher
    • RAM — Depends on the model (4 GB or more)
    • Disk space — Depends on the model (250 GB or more)
    • ESXi 5.0 or later
    • Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimum requirement is 250 GB unless the VM purchased has more. See the specifications for your VM product.

     

    Thick vs thin disk provisioning — When you configure your VM disk space, use thick provisioning if you have the actual disk space available on your ESXi server. Using thin provisioning saves disk space, but there is a slight performance impact and you must be careful never to fill that disk space to capacity.

     

    Download the ESM VM image

     

    Downloading the ESM software VM image is similar for the ESXi VM and a Linux KVM.

     

    Before you begin: You must have your McAfee Grant Number to download the latest ESM software VM image from the download site.

     

    Task

    1. Use your browser and this URL to access the McAfee download site: Product Downloads, Free Security Trials & Tools
    2. Click Downloads, type your McAfee Grant Number and the Captcha code, then click Submit.
    3. On the My Products page, scroll down the list and click one of the McAfee Enterprise Security Mgr VM downloads. The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.
    4. Click the Current Version tab and select the McAfee Enterprise Security Mgr VM image.
    5. Select one of these downloads:
        • KVM Image — To download the tarball image file for a Linux Kernel-based Virtual Machine (KVM).
        • OVF Deployment File — To download the .ova file for the VMware vSphere ESXi client.
    6. Save the image file to a location on your local system.

     

    Now you can install or deploy the VM image file to create your ESM VM.

     

    VMware ESXi VM ESM software mounting

    After you have downloaded the ESM software, perform these tasks to mount the software on a VMware ESXi VM.

     

    VMware ESXi VM requirements

    The VMware ESXi VM must meet these minimum requirements.

     

    • Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or later

     

    The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

     

    • RAM — 4 GB minimum (depends on the model)

     

    • Disk — 250 GB minimum (depends on the model)

     

    Sharing CPU or RAM with other VMs impacts the ESXi VM performance.

     

    • ESXi — 5.0 or later

    You can select the hard disk requirements for your server, but the VM requirement depends on the model of the device (at least 250 GB). If you don't have a minimum of 250 GB available, you receive an error when deploying the VM.

     

    This disk space is for the operating system and does not include the space needed for the database or logs.

    The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU or RAM requirements with other VMs, the performance of the VM is impacted.

     

    McAfee recommends setting the provisioning option to Thick.

     

    Mount the VMware ESXi virtual machine

     

    Once you mount and key a VMware ESXi VM, it mimics normal ESM operation.

    Task

    1. Access the root of the CD drive (for CD installation) or download the ESX .ova files from the download site.
    2. In vSphere Client, click the server IP address in the device tree.
    3. Click File and select Deploy OVF Template.
    4. Designate the name, the folder to mount the VM, the disk provisioning setting, and the VM Networking option.
    5. Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.
    6. Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.
    7. Using the VM menu, set MGT1 IP address, netmask, gateway, and DNS addresses, then press Esc to activate the menu.
    8. Configure the network interface on the VM, save the changes before exiting the Menu window, then key the device. See McAfee Enterprise Security Manager Product Guide for details about keying the devices.

     

    Linux KVM ESM installation

    After you have downloaded the ESM software, perform these tasks to install the software on a Linux KVM.

     

    Linux KVM requirements

    The Linux KVM where you install the ESM software must meet these minimum requirements.

     

    Minimum requirements

    • Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher (for processors)

    The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

    • RAM — Depends on the model (4 GB or more)

    • Disk space — Depends on the model (250 GB or more)

    Sharing CPU or RAM with other VMs impacts KVM performance.

    • 2 Virtio Ethernet interfaces for ESM/Receiver class devices, or 3 for IPS class devices

     

    These interfaces use sequential MAC addresses.

    • 1 Virtio/Virtio-SCSI Disk Controller, which controls the Virtio virtual hard drive

     

    Deploy Linux KVM ESM software

    To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz file).

    Task

    1. Obtain the current tarball (.tgz) file from the McAfee Enterprise Security Manager download page. The tarball contains sample config files.
    2. Move the tarball file to the directory where you want the virtual hard drive to reside.
    3. Extract the tarball by running this command:

            tar -xf McAfee_ETM_VM4_250.tgz

    4. To deploy multiple VMs of the same type in the same location, change the name of the virtual hard drive. For example, rename ERC-VM4-disk-1.raw, ERC-VM4-disk-2.raw to my_first_erc.raw, my_second_erc.raw.
    5. Create a VM on your KVM hypervisor using one of: libvirt, qemu-kvm, proxmox, virt-manager, ovirt.
    6. Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
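
The KVM requirements and deployment steps above, turned into a dry-run planner. This is an added example, not code from McAfee or from the original page. It assumes virt-install as the tool, and the VM name, disk path, bridge br0 and base MAC are constructed sample values.

```shell
#!/bin/sh
# Added example, not vendor code. Dry run: prints a virt-install command, runs nothing.
# Assumed values (constructed): VM name, disk path, bridge br0, base MAC 52:54:00:aa:bb:10.

# cores_from_image FILE -> core count encoded in the image name (VM4 -> 4, VM32 -> 32)
cores_from_image() {
    printf '%s\n' "$1" | sed -n 's/.*VM\([0-9][0-9]*\).*/\1/p'
}

# next_mac BASE OFFSET -> BASE plus OFFSET, so the interfaces get sequential MACs
next_mac() {
    hex=$(printf '%s' "$1" | tr -d ':')
    printf '%012x\n' $((0x$hex + $2)) | sed 's/../&:/g; s/:$//'
}

# nic_args BASE_MAC COUNT BRIDGE -> one virtio --network option per interface
nic_args() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf ' --network bridge=%s,model=virtio,mac=%s' "$3" "$(next_mac "$1" "$i")"
        i=$((i + 1))
    done
}

# esm_virt_install NAME DISK IMAGE RAM_MIB NICS BASE_MAC BRIDGE
# vCPUs come from the image name because the core count of the VM cannot be changed.
esm_virt_install() {
    vcpus=$(cores_from_image "$3")
    [ -n "$vcpus" ] || { echo "no core count in image name: $3" >&2; return 1; }
    printf 'virt-install --name %s --import --os-variant generic' "$1"
    printf ' --vcpus %s --memory %s' "$vcpus" "$4"
    printf ' --disk path=%s,format=raw,bus=virtio' "$2"
    nic_args "$6" "$5" "$7"
    printf '\n'
}

# ESM/Receiver class: 2 interfaces, 4 GB RAM minimum (4096 MiB)
esm_virt_install esm-vm4 /var/lib/libvirt/images/my_first_erc.raw \
    McAfee_ETM_VM4_250.tgz 4096 2 52:54:00:aa:bb:10 br0
```

Review the printed command before running it, and pass 3 as the interface count for an IPS class device.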

     

    Configure the VM ESM software

     

    Once you have mounted the ESM software on the VM, you must configure the VM network interface connection, connect to the ESM using the ESM console, then key the device to establish a connection.

     

    Tasks

    1. Configure the virtual machine. Once you have mounted the ESM software on the VM, configure the network interface.
    2. Key the VM device. You must key the device to establish a link between the device and the ESM.

     

    Configure the virtual machine

    Once you have mounted the ESM software on the VM, configure the network interface.

    Task

    1. Connect a monitor and keyboard to the device and power it on. The boot process completes in about two minutes, and the virtual liquid crystal display (LCD) page appears.
    2. To start the configuration, press Esc twice, then scroll down to MGT IP Conf and press Enter.
    3. To set the ESM VM IP address:
        a. Scroll down to Mgt1 and press Enter.
        b. Scroll down to IP Address and press Enter.
        c. Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
    4. To set the IP netmask address:
        a. Scroll down to Netmask and press Enter.
        b. Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
    5. To set the network gateway IP address:
        a. Scroll down to Gateway IP and press Enter.
        b. Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
    6. To set the DNS IP address:
        a. Scroll down to DNS1 IP and press Enter.
        b. Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.
    7. To configure whether to use DHCP:
        a. Scroll down to DHCP and press Enter.
        b. Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.
    8. To quit and save your changes:
        a. Scroll down to Done and press Enter to return to MGT IP Conf.
        b. Scroll down to Save Changes and press Enter.
    9. (Optional) To configure FIPS or to change the communication port, press the down arrow twice, then press Enter.
        a. Scroll down to Comm Port and press Enter.
        b. Change the port number, then press Enter.
        Make note of the new port number; you'll need it when you key the device.
    10. See Log on to the McAfee ESM console to begin configuring the ESM VM settings.
    11. See Key the VM device to add the SSH key to the ESM VM.

     

    To complete the configuration, log on to the ESM console using the configured IP address and your browser.

     

    Key the VM device

    You must key the device to establish a link between the device and the ESM.

    Before you begin: Physically connect the device to your network.

    Task

    1. On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.
    2. Enter the information requested on each page of the Add Device Wizard.