
Validate that two networks are isolated. Ensure that no traffic flows between them.

Prerequisites

To create a new zone . . .

  1. Browse to the Settings > Zones page.
  2. Click Add Zone.
  3. In the Name field, input Enclaves.
    Note: Zone names can be a combination of alphanumeric characters but cannot start with a number. The maximum length of a name is 32 characters. Special characters are not allowed.
  4. In the Organization field, select the option USA.
  5. Click Create.
    Your new zone displays on the left in the Available Zones column.

Zones control user access and delimit the scope of information that can be displayed on a Lumeta map. Regarding access, a zone may grant one set of users access to the New York zone but not the London or Zurich zones. Regarding mapping, only elements belonging to a particular zone can be mapped together. When defining a zone, include the devices and/or CIDRs you want to see on a single map as members of the same zone. There are often many zones in an enterprise, so give each a distinguishable name. Set criteria defining zone membership (e.g., unifying features and purpose) and standardize your naming conventions.

Within the zone container, Lumeta keeps you continuously apprised of network assets and activity: what's there, what's there but inactive, what's there but shouldn't be, what's behaving, what's misbehaving, what can get in from outside, what can get out from inside, what's sound, and what's vulnerable to exploitation. Indexing assets discovered within a zone is central to reducing your network's risk profile and vulnerability to exploitation.


To add the collector . . .

  1. Browse to Settings > Zones.
  2. In the Available Zones list, select the Enclaves zone.
    This is the zone to which you'll add collectors.
  3. Click Zone Collectors > Add.
  4. Name the collectors and complete the associated forms as indicated:

     Collector Name | Rescan Interval | Interface
     ---------------|-----------------|-------------------------
     Onsite         | 20 minutes      | Spectre_training_CC:eth0
     Offsite        | 10 minutes      | Spectre_training_CC:eth0

    As you do . . .

    1. Leave the Enable Collector option unchecked until you are ready for the collector to run its routine.

    2. The Rescan Interval specifies how often a collector is to perform its routine. Short rescan intervals are prescribed in this exercise to produce results quickly in our training environment. When you return to your production network, you'll want to use longer rescan intervals to avoid creating unnecessary jitter on your Lumeta system. See Understanding Rescan Intervals for more.

    3. The Interface identifies the Lumeta component—Command Center or Scout—from which you want the collector issued. For this exercise, choose your Command Center interface. For general use, however, you'll want to connect the collection to whichever interface will provide the best visibility into your network. Browse in the Lumeta application to Settings > Lumeta Systems to see where you can select from among connected interfaces. 

  5. Click Create to save the collectors, which are added to the list of available collectors.

Collectors enable you to index a network with a high degree of control and specificity.


Configure Onsite and Offsite to collect information about activity in the Enclave zone.
 

  1. Browse to the Zone Collectors tab of Settings > Zones > NJ.
  2. Select your newly created Onsite collector.
  3. Complete the Onsite collector's Broadcast and OSPF tabs as indicated and click Update for each.

    [Screenshots: Passive Discovery settings, Broadcast and OSPF tabs]

  4. Complete the Onsite collector's active discovery tabs as indicated and click Update for each.

    [Screenshots: Active Discovery settings, SNMP Configuration & SNMP Credentials, Path, and Host tabs]

  5. Complete the Onsite collector's DNS discovery tab, which is used to label systems in reports, maps, and dashboards, and then click Update.

    [Screenshot: System Labeling settings, DNS tab]

  6. Complete the Onsite collector's Port and Profiling tabs, which are configured to find the properties of devices such as their operating system version, vendor, and device type, and then click Update.

    [Screenshots: Targeted Discovery settings, Port and Profiling tabs]

  7. Congratulations! You've configured the Onsite collector to monitor activity in your Enclaves zone.

Collectors are logical entities composed of discovery settings. Users create and then configure them to flow among a Command Center and one or more Scouts, gathering data.  The collectors carry indexing/discovery definitions, instantiate and perform passive, active, and targeted discovery, reference interfaces, watch message queues, and transmit collected data back to the Command Center. 

Multiple collectors can work together collaboratively within a zone, collecting and exchanging more network data as a unit than any one of them could alone. Collectors can also be configured to not share information, which is useful when you want to contain the time-to or scope-of discovery, ensure that discovery does not extend out to a classified enclave or the Internet, or more clearly understand what results are generated by a particular collector's activity. 

A collector does not probe a network or perform any activity until you enable it. Also, a collector that has not been associated with any discovery settings will not run.  Collectors can be associated with either a Command Center or a Scout.

Next, configure your Offsite collector.

  1. Browse to the Zone Collectors tab of Settings > Zones > NJ.
  2. Select your newly created Offsite collector.
  3. Complete the Offsite collector's Broadcast and OSPF tabs as indicated and click Update.

    Passive Discovery
    Broadcast

     

  4. Complete the Offsite collector's active discovery tabs as indicated and click Update.

    Active Discovery
    SNMP ConfigurationPathHost

    Discussion: Notice that Offsite uses common SNMPv2 credentials, whereas Onsite configures the use of specific aliases instead.

    Discussion: Notice that the Trace to Hosts and Discovered Routes options have not been selected in Offsite, yet they are selected in Onsite.

    Additional Discussion: What is the benefit of configuring multiple collectors in a zone if all of them are collecting data from the same Scout?

  5. Complete the Offsite collector's Port and Profiling tabs, which are configured to find the properties of devices such as their operating system version, vendor, and device type, and then click Update.

    [Screenshots: Targeted Discovery settings, Port and Profiling tabs]

  6. Congratulations! You've configured the Offsite collector to monitor activity in your Enclaves zone.


Next, populate the Known, Target, and Avoid lists for each.

Known/Eligible/Internal and Target/Stop/Avoid lists establish the scope of discovery and indexing. They also specify how devices on your network should be labeled in Lumeta reports, maps, and dashboards.

The Zone Networks lists (Known, Eligible, and Internal) apply to the Enclave zone as a whole.

Enclave Lists

  Known                                        | Eligible     | Internal
  ---------------------------------------------|--------------|-------------
  Imported from Enclaves-known.txt (see below) | Leave blank. | Leave blank.

To populate the Known, Eligible and Internal lists, import and/or manually input the IPs/CIDRs listed in the Enclave Lists table above.

  1. In the Zone Networks tab of Settings > Zones > NJ, select the Known tab.
  2. Click Upload and import Enclaves-known.txt, which is a list of Known IPs and CIDRs in the Enclaves zone.
    The Known list is now populated.

Next, populate the lists that apply to collectors.

The Zone Collectors lists (Target, Avoid, and Stop) apply to individual collectors within the Enclave zone.

Collector Lists for Enclave:Onsite

  Target                          | Avoid                          | Stop
  --------------------------------|--------------------------------|-------------
  Imported from Onsite-target.txt | Imported from Onsite-avoid.txt | Leave blank.

Collector Lists for Enclave:Offsite

  Target                           | Avoid        | Stop
  ---------------------------------|--------------|-------------
  Imported from Offsite-target.txt | Leave blank. | Leave blank.

To populate the Target and Avoid lists, import and/or manually input the IPs/CIDRs listed in the Enclave Lists table.

  1. In the Zone Collectors tab of Settings > Zones > Enclave, select the Onsite > Discovery Spaces > Target tab.
  2. Click Upload and import Onsite-target.txt, which is a list of Target IPs and CIDRs the Onsite collector should go after.
  3. Select the Onsite > Discovery Spaces > Avoid tab.
  4. Click Upload and import Onsite-avoid.txt, which is a list of IPs and CIDRs the Onsite collector should go around.
  5. In the Zone Collectors tab of Settings > Zones > Enclave, select the Offsite > Discovery Spaces > Target tab.
  6. Click Upload and import Offsite-target.txt, which is a list of Target IPs and CIDRs the Offsite collector should go after.
    The Target and Avoid lists for both Enclave collectors are now populated.

Next, enable your collectors and let them run.

The Zone lists—Known, Eligible and Internal—describe the makeup of a zone in terms of the networks it comprises.

The Collector lists—Target, Avoid, and Stop—specify how each collector in a zone should behave: which CIDRs/IPs to target, which to go around, and at which to halt.
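To make the difference between the zone-level and collector-level lists concrete, here is an added example (not Lumeta's code, and not from this page) that loads constructed sample lists shaped like the ones the exercise imports, decides how a given collector would treat an address, and checks that the Onsite and Offsite Target lists do not overlap. The precedence used when an address appears in more than one list (Stop over Avoid over Target, and Known-but-untargeted addresses reported rather than probed) is an assumption made for the example, as are the sample ranges.

```python
import ipaddress

# Constructed sample lists for this example; the real lists come from the
# Enclaves-known.txt, Onsite-target.txt, Onsite-avoid.txt and Offsite-target.txt
# files that the exercise imports.
ZONE_LISTS = {
    "known": ["10.10.0.0/16", "10.20.0.0/16"],
    "eligible": [],   # left blank in the exercise
    "internal": [],   # left blank in the exercise
}

COLLECTOR_LISTS = {
    "Onsite":  {"target": ["10.10.0.0/16"], "avoid": ["10.10.99.0/24"], "stop": []},
    "Offsite": {"target": ["10.20.0.0/16"], "avoid": [],               "stop": []},
}


def to_networks(cidrs):
    """Parse a list of IP/CIDR strings (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def contained(ip, cidrs):
    """True when the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in to_networks(cidrs))


def classify(ip, collector, zone_lists=ZONE_LISTS, collector_lists=COLLECTOR_LISTS):
    """Say how one collector should treat one address.

    Precedence is an assumption made for this example: a Stop entry wins over
    Avoid, Avoid wins over Target, and an address that is merely Known to the
    zone but not targeted by this collector is reported, not probed.
    """
    lists = collector_lists[collector]
    if contained(ip, lists["stop"]):
        return "stop"
    if contained(ip, lists["avoid"]):
        return "avoid"
    if contained(ip, lists["target"]):
        return "target"
    if contained(ip, zone_lists["known"]):
        return "known-not-targeted"
    return "out-of-scope"


def target_overlap(a, b, collector_lists=COLLECTOR_LISTS):
    """Return (network_a, network_b) pairs where two collectors' Target lists overlap.

    An empty result is what you want when the point is to keep Onsite's and
    Offsite's discovery separate.
    """
    pairs = []
    for net_a in to_networks(collector_lists[a]["target"]):
        for net_b in to_networks(collector_lists[b]["target"]):
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                pairs.append((str(net_a), str(net_b)))
    return pairs


def targets_outside_known(collector, zone_lists=ZONE_LISTS, collector_lists=COLLECTOR_LISTS):
    """Target entries not covered by the zone's Known list; worth a look before enabling."""
    known = to_networks(zone_lists["known"])
    return [str(t) for t in to_networks(collector_lists[collector]["target"])
            if not any(t.version == k.version and t.subnet_of(k) for k in known)]


if __name__ == "__main__":
    for ip in ("10.10.5.5", "10.10.99.7", "10.20.1.1", "192.168.1.1"):
        print(ip, "Onsite ->", classify(ip, "Onsite"), "| Offsite ->", classify(ip, "Offsite"))
    print("target overlap:", target_overlap("Onsite", "Offsite"))
    print("Onsite targets outside Known:", targets_outside_known("Onsite"))
```

Run it before enabling the collectors: a non-empty overlap or a Target entry outside the Known list usually means a list was uploaded to the wrong collector or zone.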

To kick off the discovery and indexing processes . . .

  1. Select the Onsite collector.
  2. Click Edit.
  3. Select the Enable Collector option.
  4. Click Update.
  5. Repeat for the Offsite collector.

    Your collectors are enabled and will begin to run immediately. The discovery and indexing of your network has begun.

Next, review the results.

Perhaps the easiest and most expedient way to validate that the network enclaves Onsite and Offsite are isolated from each other (i.e., no traffic flows between them) is with a topology map, which lets you visualize the result. Following is one approach to exploring Lumeta's analytics.

  1. Wait a few minutes for the collectors to discover your network, then browse to Maps > Enclaves to view Lumeta's map analytics.  The map will change over time as Lumeta discovers more, but this is a start.
  2. Check out the default view of the map, grouped by third octet, and notice that basic groups can be expanded for more detail.
  3. Notice that a group of forwarders can be Ungrouped.
  4. After you ungroup forwarders, you will likely be able to see the Command Center icon.
  5. You can delve even further by expanding all attached hosts.
  6. Notice the end nodes attached to forwarders.



[Screenshot: the Enclaves map with everything expanded fully]

Above is a view of the map at its most complex, with everything expanded fully.

As you can see, these are two separate networks with no connections between them. This validates the segmentation of the two Enclaves. The visualization shows that no network traffic is flowing between the two enclaves.
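The map makes the "two separate networks" conclusion visible; the same conclusion can be checked mechanically so that a later run can be compared against this baseline. The following added example (not Lumeta's code and not from this page) builds a graph from a constructed set of discovered links between forwarders and attached hosts, assigns each node to an enclave by address range, and reports whether any path joins the two enclaves. The link list and the enclave ranges are assumptions for the example; with a real system you would export the map's edges and substitute them.

```python
import ipaddress
from collections import deque

# Enclave address ranges used by the two collectors (constructed for this example).
ENCLAVES = {
    "Onsite":  ipaddress.ip_network("10.10.0.0/16"),
    "Offsite": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed sample of discovered links: (forwarder or host, neighbour).
# This is not Lumeta output; a real run would export the map's edges here.
DISCOVERED_LINKS = [
    ("10.10.0.1", "10.10.1.10"),   # Onsite forwarder -> host
    ("10.10.0.1", "10.10.1.11"),
    ("10.10.0.1", "10.10.2.1"),    # Onsite forwarder -> second forwarder
    ("10.10.2.1", "10.10.2.20"),
    ("10.20.0.1", "10.20.1.10"),   # Offsite forwarder -> host
    ("10.20.0.1", "10.20.1.11"),
]


def enclave_of(ip):
    """Name of the enclave whose range contains the address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None


def build_graph(links):
    """Undirected adjacency sets from (a, b) link pairs."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def find_path(graph, src, dst):
    """Breadth-first search; returns the node list of one shortest path, or None."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def components(graph):
    """Connected components of the discovered topology."""
    seen, comps = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        comps.append(comp)
    return comps


def check_segmentation(links, left="Onsite", right="Offsite"):
    """Report whether any discovered path joins the two enclaves, with one path as evidence."""
    graph = build_graph(links)
    bridging_paths = []
    for comp in components(graph):
        lefts = sorted(n for n in comp if enclave_of(n) == left)
        rights = sorted(n for n in comp if enclave_of(n) == right)
        if lefts and rights:
            bridging_paths.append(find_path(graph, lefts[0], rights[0]))
    return {"isolated": not bridging_paths, "bridging_paths": bridging_paths}


if __name__ == "__main__":
    print("baseline:", check_segmentation(DISCOVERED_LINKS))
    # A stray link between the second Onsite forwarder and the Offsite forwarder.
    print("with a cross-link:", check_segmentation(DISCOVERED_LINKS + [("10.10.2.1", "10.20.0.1")]))
```

The baseline returns isolated=True; adding a single link between the two forwarders flips it to False and names the path, which is exactly the evidence you would want to hand to whoever owns the misconfigured device.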

But what if there were a connection between the two subnets that should not be exchanging information?

See Next Steps for recommendations on what to do in this case.

  1. Export the info to your SIEM.

    Enable the CEF logging feature to make Lumeta compile all subscribed event notifications to a logging server. Here's an example of how to enable logging to an HP ArcSight console via the Lumeta graphical user interface (GUI) or the Lumeta command-line interface (CLI).

    Enable via GUI:

    1. Log in to Lumeta.
    2. Select Settings > Lumeta Systems.
    3. Click the CEF Notifications tab.
    4. Enter the Host Name, Port Number, and Protocol of the logging server to which you want to send event notifications, and then click Submit.

      A message displays, indicating that your configuration settings were saved. Lumeta is now configured to send CEF-formatted syslog output to your ArcSight console.
  2. Write a query.
    Navigate to Search > Advanced Query > Add Query.
  3. Run a report against the query.

  4. Schedule regular delivery of the report to an email recipient.
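Once CEF notifications are flowing to the logging server, the SIEM (or a small filter in front of it) has to split each syslog line into the seven pipe-delimited CEF header fields and the key=value extension. The added example below (not Lumeta's code and not from this page) parses CEF records according to the published format, including escaped pipes in the header and escaped equals signs in extension values, and selects events at or above a severity threshold. The sample lines are constructed; the vendor, product and signature IDs in them are placeholders and not Lumeta's actual values, and the mapping of the named severities (Low, Medium, High, Very-High) to numbers is an assumption.

```python
import re

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# Assumed numeric equivalents for CEF's named severities.
_NAMED_SEVERITY = {"low": 3, "medium": 6, "high": 8, "very-high": 10}

# Constructed sample syslog lines carrying CEF records. Vendor, product and
# signature IDs are placeholders, not Lumeta's actual values.
SAMPLE_LINES = [
    "<13>Oct 04 10:15:22 lumeta-cc CEF:0|ExampleVendor|ExampleProduct|1.0|1001|New device discovered|3|"
    "src=10.10.1.12 dvc=10.10.0.1 msg=Host responded to ping cs1Label=zone cs1=Enclaves",
    "<13>Oct 04 10:16:02 lumeta-cc CEF:0|ExampleVendor|ExampleProduct|1.0|2002|Unexpected route|8|"
    "src=10.10.2.1 dst=10.20.0.1 msg=Route seen between ranges a\\=b cs1Label=zone cs1=Enclaves",
    "<13>Oct 04 10:16:30 lumeta-cc not a CEF line at all",
]


def _unescape(value):
    """Undo CEF extension escaping: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict; values run up to the next key."""
    keys = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def severity_value(raw):
    """Numeric severity: CEF allows 0-10 or the named levels."""
    raw = raw.strip()
    if raw.isdigit():
        return int(raw)
    return _NAMED_SEVERITY.get(raw.lower(), 0)


def parse_cef(line):
    """Parse one syslog line with an embedded CEF record; returns None for non-CEF lines."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    body = line[idx + 4:]
    fields, cur, i = [], [], 0
    # Walk the header character by character so that an escaped pipe (\|) does
    # not split a field; stop after the seventh field, the rest is the extension.
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        return None  # truncated header
    version, vendor, product, dev_version, sig_id, name, severity = fields
    return {
        "syslog_prefix": line[:idx].strip(),
        "cef_version": version, "vendor": vendor, "product": product,
        "device_version": dev_version, "signature_id": sig_id, "name": name,
        "severity": severity_value(severity),
        "extension": _parse_extension(body[i:]),
    }


def events_at_or_above(lines, min_severity):
    """Parsed events whose severity meets the threshold; non-CEF lines are dropped."""
    return [ev for ev in map(parse_cef, lines) if ev and ev["severity"] >= min_severity]


if __name__ == "__main__":
    for ev in events_at_or_above(SAMPLE_LINES, 7):
        print(ev["signature_id"], ev["name"], ev["extension"].get("src"), "->", ev["extension"].get("dst"))
```

The severity filter is the hook for the "what if there were a connection" case: route the high-severity events to the query and scheduled report described in the steps above, and keep the informational ones for the dashboards.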