A. We will need a SPAN (port mirror) session set up on the same switch the firewall is plugged into. The source port of the session is the switch port connected to the firewall's LAN interface, so the sensor sees the internet traffic entering and leaving the building (it will not see traffic between two hosts on the LAN, which never crosses that port). The destination port is an empty port on the switch, cabled directly to the spare NIC on the VMware/Hyper-V host. The session must mirror both directions of traffic (TX and RX). Two practical caveats: a SPAN destination port does not switch traffic normally and ignores frames sent into it, so the sensor's sniff NIC needs no IP address and cannot be used for anything else; and mirroring both directions of a busy 1 Gb/s link onto a single 1 Gb/s port can exceed the port's capacity, in which case the switch silently drops mirrored frames.
Follow the cable from the LAN port of the firewall to the switch and make a note of the port number, this will be the source of our data for the NIDS.
Pick an empty port on your switch, make a note of it (this is the destination of the span) and run a cable from this port into the dedicated, currently unused physical NIC in your physical VMware/Hyper-V host.
Login to your switch and create the span port
The span port configuration on your switch should be as follows:
Example for a Cisco switch.
The interface names below are the ones from the original example; substitute the ports you noted above. "show" is an exec-mode command, so from config mode it is prefixed with "do".
# Check for an existing SPAN session before overwriting it
Switch(config)# do show monitor session 1
# After review, clear the existing configuration
Switch(config)# no monitor session 1
# Source: the switch port the firewall's LAN interface is plugged into ("both" mirrors RX and TX)
Switch(config)# monitor session 1 source interface fastEthernet0/1 both
# Destination: the switch port the sensor's sniff NIC is plugged into
Switch(config)# monitor session 1 destination interface fastEthernet0/10
# Review the configuration
Switch(config)# do show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1
Destination Ports : Fa0/10
    Encapsulation : Native
          Ingress : Disabled
Switch(config)# end
Your span port should now be configured: the source shows "Both" (both directions) and the destination is the sensor port.
Do not forget to save the running configuration to startup (write memory, or copy running-config startup-config); otherwise the session disappears at the next reload.
B. The VMware/Hyper-V host needs a new virtual switch, containing only the spare physical NIC, with a new port group on it for the sensor's sniff adapter. On VMware the virtual switch must accept promiscuous mode, which is configured on the Security tab.
In VMware, assign the added physical NIC to a new virtual switch, then create a new port group on that virtual switch. Do not put anything else in this port group: with promiscuous mode on, every VM attached to it receives all of the mirrored traffic.
Open the properties of the newly created virtual switch, go to the Security tab, set Promiscuous Mode to Accept and save. (Hyper-V has no promiscuous checkbox; the equivalent is port mirroring, with the sensor's virtual NIC as the mirror destination.)
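The same sniff switch built from PowerShell on either hypervisor. This is an added example, not part of the original guide or a vendor script; the host name "esx01", NIC names "vmnic2" and "Ethernet 2", the VM name "usm-sensor" and the switch/port-group names are assumptions to replace with your own.

```powershell
# Added example (not from the original guide). Pick the section for your hypervisor.

# ---- VMware ESXi, run from a machine with PowerCLI ----
# Assumptions: host "esx01", spare physical NIC vmnic2, sensor VM "usm-sensor"
# whose second adapter is the sniff adapter.
Connect-VIServer -Server "esx01"
$vmhost = Get-VMHost -Name "esx01"
$vs = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch-SPAN" -Nic "vmnic2"
$pg = New-VirtualPortGroup -VirtualSwitch $vs -Name "SPAN"

# Promiscuous mode is what lets the sensor vNIC receive frames not addressed to it.
# Set on the vSwitch; port groups inherit it unless overridden.
Get-SecurityPolicy -VirtualSwitch $vs | Set-SecurityPolicy -AllowPromiscuous $true

# Move the sensor's sniff adapter onto the new port group.
Get-VM -Name "usm-sensor" | Get-NetworkAdapter -Name "Network adapter 2" |
    Set-NetworkAdapter -PortGroup $pg -Confirm:$false

# Check: only the sensor may sit on this port group, because every VM on it
# receives all mirrored traffic.
Get-VM | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq "SPAN" } |
    Select-Object Parent, Name

# ---- Hyper-V, run on the host ----
# Assumptions: spare NIC named "Ethernet 2", sensor VM "usm-sensor".
# No promiscuous checkbox here: the external (physical) port of the switch becomes
# the mirror source and the sensor's vNIC the mirror destination.
New-VMSwitch -Name "SPAN" -NetAdapterName "Ethernet 2" -AllowManagementOS $false
Add-VMNetworkAdapter -VMName "usm-sensor" -SwitchName "SPAN" -Name "Sniff"
Set-VMNetworkAdapter -VMName "usm-sensor" -Name "Sniff" -PortMirroring Destination

# Mark the switch's external port as the mirror source.
# MonitorMode: 0 = none, 1 = destination, 2 = source.
$feature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$feature.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName "SPAN" -VMSwitchExtensionFeature $feature
```

Leaving -AllowManagementOS off keeps the host's own network stack off the mirror switch, so the only thing that can read the mirrored traffic is the sensor.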
C. Create a new Windows service account for the sensor to use when connecting to machines and scanning them. It needs administrative rights on the machines it scans. Prefer a dedicated account placed in a dedicated group that is granted local Administrators membership on the scan targets (for example through a Restricted Groups policy) over a member of Domain Admins: the account's password will be stored on the sensor, and that is the blast radius if the sensor is compromised.
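Creating that account from PowerShell, as an added example that is not part of the original guide. The domain corp.example.com, the OU, and the account and group names are assumptions.

```powershell
# Added example (not from the original guide). Run on a domain-joined admin workstation.
Import-Module ActiveDirectory

$domainDn = "DC=corp,DC=example,DC=com"              # assumption
$ou       = "OU=Service Accounts,$domainDn"          # assumption: existing OU
$user     = "svc-usm-scan"                           # assumption
$group    = "USM-Scan-Admins"                        # assumption
$pw       = Read-Host -Prompt "Password for $user" -AsSecureString

# The account itself. Long random password, no expiry (rotate it by policy instead),
# and a description so the next admin knows what it is for.
New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@corp.example.com" `
    -Path $ou -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -Description "USM sensor: remote asset scanning over WinRM/WMI"

# A dedicated group carries the admin rights. Grant this group local Administrators
# membership on the scan targets via a Restricted Groups GPO rather than adding the
# user to Domain Admins.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou `
    -Description "Local admin on hosts scanned by the USM sensor"
Add-ADGroupMember -Identity $group -Members $user

# Check: the only group membership should be the scanning group (plus Domain Users).
Get-ADUser -Identity $user -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf
```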
D. Turn on Windows Remote Management (WinRM) on all machines in the domain and open the Windows Firewall port for WinRM using the following instructions.
Note: These instructions are written for Windows Server 2012 R2. If you’re using an older version of Windows Server, your steps and the labels you see may vary.
First, we need to create a Group Policy object for your domain.
Next, edit the new Group Policy object you just created. When you’re done, there will be three WinRM service settings enabled:
Now that Windows Remote Management has been enabled on the Group Policy, you need to enable the service that goes with it.
Now you must allow for inbound remote administration by updating the firewall rules. When you’re done, there will be two rules enabled:
Almost done! The final step is to create a new inbound firewall rule and update the Network List Manager policy for unidentified networks, so that a machine on a network it cannot identify still applies the domain-profile rules.
Once the policy applies, the Windows machines in the domain accept remote management connections from the sensor.
E. Push out the new policy. Clients pick up Group Policy on their own refresh cycle (every 90 minutes plus a random offset of up to 30 minutes); to apply it immediately, run gpupdate /force on each machine, or trigger it remotely with Invoke-GPUpdate from a management host.
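The same GPO built and pushed from PowerShell instead of the GPMC editor, covering steps D and E. This is an added example, not the original guide's steps or a vendor script: the domain, GPO name, OU and sensor address are assumptions, and the registry values it writes are the ones behind the "Allow remote server management through WinRM" policy (AllowAutoConfig plus the IPv4/IPv6 listener filters); the exact three settings the original GUI walkthrough ticked are not on this page.

```powershell
# Added example (not from the original guide). Run on a management host with RSAT.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = "corp.example.com"                               # assumption
$targetOu = "OU=Servers,DC=corp,DC=example,DC=com"           # assumption
$sensorIp = "10.0.0.50"                                      # assumption: sensor management IP
$gpoName  = "Enable WinRM for USM"

$gpo = New-GPO -Name $gpoName -Comment "WinRM listener, service startup and firewall for sensor scanning"

# "Allow remote server management through WinRM" lives under this key.
# AllowAutoConfig=1 enables the policy; the filters choose which local addresses listen.
# "*" means every address; narrow it to the management subnet if you can.
$svcKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
Set-GPRegistryValue -Name $gpoName -Key $svcKey -ValueName "AllowAutoConfig" -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $svcKey -ValueName "IPv4Filter"      -Type String -Value "*" | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $svcKey -ValueName "IPv6Filter"      -Type String -Value "*" | Out-Null

# WinRM service startup type Automatic (Start=2), so the listener comes back after a reboot.
# (Assumption: written as a registry policy rather than through the System Services node.)
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Services\WinRM" `
    -ValueName "Start" -Type DWord -Value 2 | Out-Null

# Inbound rule for WinRM over HTTP (TCP 5985), Domain profile only, written directly into
# the GPO's firewall policy store. Limiting -RemoteAddress to the sensor keeps the port
# closed to everything else on the network.
New-NetFirewallRule -PolicyStore "$domain\$gpoName" -DisplayName "WinRM HTTP-In (USM sensor)" `
    -Direction Inbound -Protocol TCP -LocalPort 5985 -Profile Domain `
    -RemoteAddress $sensorIp -Action Allow | Out-Null

# Link the GPO to the OU holding the machines to scan.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# Step E: refresh now instead of waiting for the 90-minute cycle. Invoke-GPUpdate
# schedules gpupdate on each client; if that is blocked, run gpupdate /force locally.
Get-ADComputer -SearchBase $targetOu -Filter * |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }
```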
F. Preparing machines for Agents
Start Windows PowerShell with the "Run as Administrator" option. Only members of the local Administrators group can change the machine-wide execution policy.
Type Get-ExecutionPolicy to view how it is currently set (Get-ExecutionPolicy -List shows every scope; a value set by Group Policy overrides what you set here).
Enable running local and signed remote scripts by entering: Set-ExecutionPolicy RemoteSigned -Scope LocalMachine
Note that the execution policy only prevents scripts from being run by accident; it is not a security boundary, so do not rely on it to keep untrusted code off the machine.
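A readiness check to run from a management host before the sensor is pointed at a machine, tying steps C through F together. This is an added example, not part of the original guide; the host names, OU and account name are assumptions.

```powershell
# Added example (not from the original guide). Run from a management host as a domain admin;
# the credential prompt is for the scanning service account created in step C.
Import-Module ActiveDirectory

function Test-UsmTarget {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $r = [ordered]@{
        Computer = $Computer; WSMan = $false; Service = $null
        InboundRules5985 = $null; ExecPolicy = $null; ScanAccountIsAdmin = $null
    }

    # 1. Is the WinRM listener reachable on TCP 5985? (identity exchange, no credential needed)
    $r.WSMan = [bool](Test-WSMan -ComputerName $Computer -ErrorAction SilentlyContinue)
    if (-not $r.WSMan) { return [pscustomobject]$r }

    # 2. Everything else is read on the target, over the same session and account the
    #    sensor will use, so a failure here is exactly what the sensor would hit.
    $remote = Invoke-Command -ComputerName $Computer -Credential $Credential -ScriptBlock {
        $svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
        [pscustomobject]@{
            Service = "$($svc.State)/$($svc.StartMode)"            # expect Running/Auto
            # Enabled inbound rules that open 5985 (predefined group or the GPO rule).
            InboundRules5985 = @(Get-NetFirewallPortFilter |
                Where-Object { $_.LocalPort -eq "5985" } |
                Get-NetFirewallRule |
                Where-Object { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" }).Count
            ExecPolicy = (Get-ExecutionPolicy -Scope LocalMachine).ToString()   # expect RemoteSigned
            # Does the scan account land in the local Administrators group on this host?
            ScanAccountIsAdmin = ([Security.Principal.WindowsPrincipal]
                [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
    $r.Service            = $remote.Service
    $r.InboundRules5985   = $remote.InboundRules5985
    $r.ExecPolicy         = $remote.ExecPolicy
    $r.ScanAccountIsAdmin = $remote.ScanAccountIsAdmin
    [pscustomobject]$r
}

# Usage: every computer in the scan OU; any row with WSMan False, zero rules,
# a stopped service or ScanAccountIsAdmin False needs attention before scanning.
$cred = Get-Credential -UserName "corp\svc-usm-scan" -Message "Scanning service account password"
Get-ADComputer -SearchBase "OU=Servers,DC=corp,DC=example,DC=com" -Filter * |
    ForEach-Object { Test-UsmTarget -Computer $_.DNSHostName -Credential $cred } |
    Format-Table -AutoSize
```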
Questions? Give us a call, 800-463-7920 x2