The DefenseStorm Virtual Machine


Overview

The DefenseStorm Virtual Machine (DVM) integrates your network with the cloud via outbound HTTPS (port 443) so that we can monitor network activity. For a complete list of both inbound and outbound firewall ports, see our Firewall Ports article. The DVM accepts syslog (both formatted and unformatted) for transferring data. After the initial deployment, you are notified via Release Notes when an update is recommended.

If you have already deployed the DVM and need to upgrade, see the Upgrading section. If you are unsure whether an upgrade is recommended, select option 8: Get DVM Status from the main menu of the DVM and compare your version to the latest version listed here.

Deploying the DVM

If you have never installed the DefenseStorm virtual machine, follow these steps based on your virtual machine environment. The DefenseStorm Virtual Machine (DVM) image is available for both VMware and Hyper-V environments.

VMware

Obtain detailed OVA information directly from VMware: https://www.vmware.com/support/developer/studio/studio20/va_user.pdf

How to Install DVM VMware Image
  1. Download the OVA
  2. Deploy the OVA image to vSphere/ESXi
  3. Power on the DefenseStorm Virtual Machine
  4. Open the Console to begin configuration
  5. Scroll down to Configuring the DVM, and follow the instructions.


Hyper-V

This section details the minimum recommended specifications for Hyper-V host servers to perform efficiently. We recommend Windows Server 2012 R2 and above. According to Microsoft, the end-of-life dates are as follows:

  • Server 2012 R2 end of life is January 2020
  • Server 2016 end of life is estimated as 2025-2026

Server Core install options

As an alternative to a paid option, Hyper-V Server can be installed on a host to enable services on a headless server. This is a Server Core-based OS, and is command-line.

Images are provided by Microsoft at the following URLs:

For all other SKUs, the Server Core install option can be used to further reduce the resources used by the host (reduces host OS storage footprint by ~4 GB) as long as no other roles are active on the Windows host; however, the VMs must be managed remotely or through PowerShell if this option is chosen. If this option is used, ensure that remote management is set up as part of provisioning the Hyper-V host.

Windows Server Minimum Recommended Specs

These specifications assume that only remote management and the Hyper-V Server roles are enabled on the Windows Server install. Using this host for additional roles and/or services may require additional resources depending on which roles are enabled.

OS SKU (select one): Hyper-V Server, Server Standard, Server Datacenter, Server Enterprise

CPU: multi-core, 64-bit CPU

  • must support virtualization and DEP (data execution prevention)

RAM: 4 GB

  • 2 GB RAM for the Hyper-V host, 1-2 GB for the DVM

Disk size: 100 GB.

  • We recommend sizing this higher if possible (200 GB+) to allow for VM snapshotting and to account for troubleshooting scenarios where the DVM must be reprovisioned alongside an existing copy.
  • 100 GB breakdown: a minimum of 32 GB for the Windows install + 28 GB for Windows updates, 20 GB for the DVM, and 30 GB free space for VM image upgrades.

Network adapter: Gigabit Ethernet network adapter

  • At least 10 Mb/s peak outbound network bandwidth to internet (Spikes of high event volume may require higher peak upload bandwidth to avoid queueing event data on the DVM).

How to Install the DVM Hyper-V Image

  1. Download the zip file
  2. Deploy the Hyper-V image to the Windows Server Host.
  3. Power on the DefenseStorm Virtual Machine.
  4. Open the Console to begin configuration.
  5. Scroll down to Configuring the DVM, and follow the instructions.

Configuring

After you have installed the DVM via VMware or Hyper-V, follow these instructions to configure your DVM settings.

  1. Log in to the DVM
    username: ds / password: defensestorm
  2. Change the password (forced by the system)
  3. Configure the time zone
    Select option 5, and then answer the questions about your local time zone.
  4. Configure networking
    Select option 4, and then:
    • Choose whether to enable DHCP.
    • Set the static IP address.
    • Set the netmask.
    • Set the gateway.
    • Set Nameserver 1, 2, and 3. If there is no Nameserver 2 or 3, leave the field blank and select 'OK'.
  5. Set DefenseStorm credentials
    Select option 1, and then use the instructions below to answer the questions.
    • Enter your Administrator email address and password. Note: these credentials are used for a one-time authorization of the DVM and are not stored.
  6. Verify network connectivity
    Select option 6: Troubleshooting, then option 1: Connectivity Tests.

    Once the network tests have passed, you see the following message:
  7. Verify that the DVM is sending messages to the Console by checking that the API key displayed in your DVM menu and in the web console are the same. In your DVM, select option 8: Get DVM Status to view your API key.
  8. After you have seen the API key on your DVM, open your DefenseStorm UI to verify that associated events are coming through. Go to Events, and select the API key from the filters drop-down list.

Enabling DVM Event Compression

The DVM supports compression to help with limited egress bandwidth. Compression also helps prevent events from being dropped during ingestion. Sign in to the DVM and follow these steps.

  1. Select option 10: Bash Shell.
  2. Type sudo vi /etc/praesidio/praesidio.conf and press Enter (enter your DVM logon credentials if prompted).
  3. After the config file is displayed, do the following:

    Type this command    Action (hit)    Explanation
    /Flush               Enter           Moves the cursor to the line containing "Flush". With the cursor on that line, type the next command.
    o                                    Opens a new line below the cursor for typing.
    Compress=True        Enter, ESC      Adds the setting to the file and exits edit mode.
    :wq                  Enter           Saves the file and exits vi.

  4. When the command prompt returns, restart the syslog-ng service so that it loads the new configuration file:

    Type this command                Action (hit)
    sudo service syslog-ng reload    Enter
    exit                             Enter

If syslog restarts without error, the compression feature has been successfully enabled. 


Upgrading

Upgrading your DVM keeps your network protection up to date with the best features and enhancements. To determine if your DVM is eligible for upgrade, select Option 8: Get DVM Status, and view your version number. If your version number does not display, please open a support ticket for assistance. If a version number displays, complete the steps below.  

When upgrading to DVM version 1.2.0, there is no upgrade path; a new image must be spun up and the old one shut down. Open a Connect Ticket for instructions and assistance.


Pre-Upgrade

There are a few steps required to ensure that your DVM environment is ready for a successful upgrade. 

  • Backup critical files
  • Increase max_connections

Which files need to be backed up?

To prevent any unintended alterations to configuration files, we recommend that you back them up prior to the upgrade and restore them once the upgrade has completed. As noted in the table, some files may not be present on your DVM; those that are absent do not need to be backed up.

Configuration file                       Description
/etc/praesidio/praesidio.conf            The DVM's primary configuration file; it contains the provisioned DVM API key as seen in the web console.
/etc/syslog-ng/conf.d/praesidio.conf     The syslog-ng configuration file, generated during DVM servicing by the pConfig script.

Optional files (the files below may not exist unless customized):

/etc/syslog-ng/conf.d/snmp.conf          SNMP configuration files, generated or modified as part of DVM SNMP configuration (see the Connect article for details).
/etc/default/snmpd
/lib/ufw/user.rules                      User-generated firewall rules files for IPv4 and IPv6. These are modified during setup of SSH and SNMP, among other protocols.
/lib/ufw/user6.rules

How to back them up through the DVM Menu

The following steps create a folder called "dvm_yyyymmdd" in the ds user's home directory on the DVM, then back up the configuration files listed in the table above to that folder.

In the DVM menu, select option 10: Bash Shell, then do the following:

Type this command                                 Action (hit)    Explanation
cd ~                                              Enter           Navigate to the current user's home directory.
mkdir dvm_20171025                                Enter           Make a new backup folder (change the date portion to the current date).
cd dvm_20171025                                   Enter           Navigate into the new backup folder.
sudo cp /etc/praesidio/praesidio.conf .           Enter           Copy /etc/praesidio/praesidio.conf here (the backup folder). Enter the DVM login password if prompted.
mkdir syslog-ng                                   Enter           Create a subfolder for the syslog-ng configuration file.
cd syslog-ng                                      Enter           Navigate to the new subfolder.
sudo cp /etc/syslog-ng/conf.d/praesidio.conf .    Enter           Copy /etc/syslog-ng/conf.d/praesidio.conf here (the sub-backup folder).
cd ..                                             Enter           Go back to the main backup folder (dvm_20171025).

Optional section (ignore any copy failures for the files below; they may not exist):

sudo cp /etc/syslog-ng/conf.d/snmp.conf .         Enter           Copy /etc/syslog-ng/conf.d/snmp.conf here (the backup folder).
sudo cp /etc/default/snmpd .                      Enter           Copy /etc/default/snmpd here (the backup folder).
sudo cp /lib/ufw/user.rules .                     Enter           Copy /lib/ufw/user.rules here (the backup folder).
sudo cp /lib/ufw/user6.rules .                    Enter           Copy /lib/ufw/user6.rules here (the backup folder).
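The same backup as a shell script, added here as an example and not DefenseStorm's own tooling: it creates dvm_YYYYMMDD, copies the required files (placing the syslog-ng praesidio.conf in its own subfolder, as the table does, because both required files share a name), copies whichever optional files are present and skips the rest, and writes a SHA-256 manifest so the saved copies can be checked for integrity before they are restored after the upgrade. Everything not on the page is an assumption: the SRC_ROOT parameter (a path prefix that is empty on a real DVM and points at a scratch directory when trying the script offline), the DVM_HOME variable defaulting to /home/ds, and the presence of POSIX sh with cp, find and sha256sum on the DVM.

```sh
#!/bin/sh
# Added example, not DefenseStorm's own tooling: scripted version of the manual
# backup table. Assumptions: POSIX sh plus cp/find/sha256sum on the DVM, run with
# root privileges (e.g. sudo sh dvm_backup.sh --run) so /etc and /lib are readable,
# and the ds home directory at /home/ds unless DVM_HOME says otherwise.

# Required files: the backup fails if either is missing.
REQUIRED_FILES="/etc/praesidio/praesidio.conf /etc/syslog-ng/conf.d/praesidio.conf"
# Optional files: the table notes these may not exist, so absent ones are skipped.
OPTIONAL_FILES="/etc/syslog-ng/conf.d/snmp.conf /etc/default/snmpd /lib/ufw/user.rules /lib/ufw/user6.rules"

# backup_dvm_configs DEST_ROOT SRC_ROOT DATE
#   DEST_ROOT  directory in which dvm_DATE is created (the ds home directory on a DVM)
#   SRC_ROOT   prefix added to every config path: "" on a real DVM, a scratch
#              directory when exercising the script offline (assumed parameter)
#   DATE       yyyymmdd used in the folder name
# Prints the backup folder path; returns 1 if a required file is missing or a copy fails.
backup_dvm_configs() {
    dest_root=$1; src_root=$2; date=$3
    backup_dir="$dest_root/dvm_$date"
    mkdir -p "$backup_dir/syslog-ng" || return 1

    # Stop before copying anything if a required file is absent: an upgrade
    # with an incomplete backup would leave nothing reliable to restore.
    for f in $REQUIRED_FILES; do
        if [ ! -f "$src_root$f" ]; then
            echo "required file missing: $f" >&2
            return 1
        fi
    done
    cp -p "$src_root/etc/praesidio/praesidio.conf" "$backup_dir/" || return 1
    cp -p "$src_root/etc/syslog-ng/conf.d/praesidio.conf" "$backup_dir/syslog-ng/" || return 1

    # Optional files: copy those that exist, report the ones that do not.
    for f in $OPTIONAL_FILES; do
        if [ -f "$src_root$f" ]; then
            cp -p "$src_root$f" "$backup_dir/" || return 1
        else
            echo "optional file not present, skipped: $f" >&2
        fi
    done

    # Manifest of everything saved, so the copies can be verified before restore.
    ( cd "$backup_dir" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + | sort > MANIFEST.sha256 ) || return 1
    echo "$backup_dir"
}

# verify_dvm_backup BACKUP_DIR
# Returns 0 if every file in the manifest is present and unchanged, non-zero
# if any file is missing or differs (sha256sum names the failing file).
verify_dvm_backup() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null )
}

# On a real DVM: sudo sh dvm_backup.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_dvm_configs "${DVM_HOME:-/home/ds}" "" "$(date +%Y%m%d)"
fi
```

Run it as root so the files under /etc and /lib are readable; before restoring after the upgrade, run verify_dvm_backup on the folder to confirm the saved copies have not been altered in the meantime.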


Increasing max_connections using Bash Shell

If your host counts exceed 100 (for linux / appliances) or 500 (for NXLog server installs, or Windows Agent installs on Windows workstations / laptops), we recommend increasing the max_connections option on your DVM.

The default ports, connection counts, and port uses are described below:

Port        Max conn. count    Port description                                                                      Host type
TCP 514     100                Standard RFC-compliant syslog port.                                                   Unix / Linux, appliances
TCP 516     100                Non-strict syslog port. This is used for devices that send events over syslog          Appliances (non-compliant)
                               but whose formats do not comply with the RFC (Cisco Meraki devices are an example).
TCP 601     500                Syslog port used by Windows NXLog clients.                                            Windows
TCP 1602    500                Syslog port used by the DefenseStorm Windows Agent.                                   Windows

If your host counts exceed 100 (for Linux / appliances) or 500 (for NXLog server installs, or Windows Agent installs on Windows workstations / laptops), modify the following section to increase the maximum number of connections. The default CPU and RAM amounts provisioned on the DVM image can support raising these counts up to 1500; if you need more concurrent connections than this, we suggest increasing the resources available to the VM instance first.

The following steps open the file, navigate to the relevant section of the configuration, and change the values. Select option 10: Bash Shell from the DVM Main Menu, and perform these command steps:

Type this command                Action (hit)    Explanation
cd /etc/praesidio/               Enter           Navigate to the DVM configuration directory.
sudo vi praesidio.conf           Enter           Open praesidio.conf in vi. Provide the DVM login password if prompted.

Repeat the next five steps for each count you want to change:

/tcp### (e.g. /tcp514)           Enter           Moves the edit cursor to the line for tcp### (if editing the TCP 514 count, type /tcp514).
ww                                               Moves the cursor two words to the right; it should now be under the count number (100, 500).
dw                                               Deletes the existing count number.
a                                                Enters typing (append) mode and moves the cursor one character to the right.
(type your count number here)    ESC             Input your new max connection count digits. This adds the count to the file and exits edit mode.

End of repeat section.

:wq                              Enter           Saves the file and exits vi.


If you make a mistake and need to revert all changes and restart from the original file, type the following sequence to quit without saving.

Type this command    Action (hit)    Explanation
                     ESC             Exit any edit modes.
:q!                  Enter           Quit without saving.
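The two vi procedures on this page (adding Compress=True after the Flush line in the compression section, and replacing a tcp### count here) are easy to get subtly wrong by hand: a duplicated key, a count typed twice, or a count beyond what the VM's resources can serve. As an added example that is not DefenseStorm's own tooling, the following shell functions perform both edits with a backup copy, input validation and a post-edit check. Because the page does not show the file, it assumes that praesidio.conf is a plain line-oriented text file, that the compression setting is the literal line Compress=True, and that each tcp### line begins with the tcp### token and ends with its connection count. The DVM_MAX_CONN_LIMIT variable is also an assumption; it defaults to the 1500 the page gives as the ceiling for the default image resources.

```sh
#!/bin/sh
# Added example, not DefenseStorm's own tooling: scripted equivalents of the two
# vi edits on this page (Compress=True after the Flush line; a new tcp### count),
# with a backup copy, input validation and a post-edit check.
# Assumptions not confirmed by the page: praesidio.conf is a line-oriented text
# file, the compression setting is the literal line "Compress=True", and each
# tcp### line starts with the tcp### token and ends with its connection count.

# The page states the default image's CPU/RAM can support counts up to 1500.
DVM_MAX_CONN_LIMIT=${DVM_MAX_CONN_LIMIT:-1500}

# rewrite_conf FILE [awk options] PROGRAM
# Keeps a timestamped backup, runs awk over FILE and writes the result back
# through cat so the file keeps its owner and mode.
rewrite_conf() {
    file=$1; shift
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    awk "$@" "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# enable_compression FILE
# 0: Compress=True added or set; 2: already set (no change);
# 1: no "Flush" line, so there is no anchor for the insertion (the /Flush
#    search in the manual steps would find nothing either).
enable_compression() {
    file=$1
    grep -q '^Compress=True$' "$file" && return 2
    if grep -q '^Compress=' "$file"; then
        # Key present with another value: change it instead of adding a duplicate.
        rewrite_conf "$file" '{ sub(/^Compress=.*/, "Compress=True"); print }'
        return $?
    fi
    grep -q 'Flush' "$file" || return 1
    # Insert directly after the first line containing "Flush", which is where
    # the /Flush, o, Compress=True key sequence on the page puts it.
    rewrite_conf "$file" '{ print } !done && /Flush/ { print "Compress=True"; done = 1 }'
}

# set_max_connections FILE PORT COUNT
# 0: count replaced; 3: COUNT is not an integer in 1..DVM_MAX_CONN_LIMIT;
# 1: no tcpPORT line in FILE; 4: line found but its last token was not a
#    number, so nothing was changed (unexpected file format).
set_max_connections() {
    file=$1; port=$2; count=$3
    case $count in
        ''|*[!0-9]*) return 3 ;;
    esac
    [ "$count" -ge 1 ] && [ "$count" -le "$DVM_MAX_CONN_LIMIT" ] || return 3
    grep -Eq "^tcp$port([^0-9]|\$)" "$file" || return 1
    # Match the tcpPORT token only (so tcp514 does not touch tcp5140) and
    # replace the trailing number, as the ww, dw, a sequence does in vi.
    rewrite_conf "$file" -v pat="^tcp$port([^0-9]|\$)" -v count="$count" \
        '$0 ~ pat && $NF ~ /^[0-9]+$/ { sub(/[0-9]+[ \t]*$/, count) } { print }' || return 1
    grep -E "^tcp$port([^0-9]|\$)" "$file" | grep -Eq "[^0-9]$count\$" || return 4
}
```

Source the file in the Bash Shell (option 10) and call, for example, sudo sh -c '. ./dvm_conf.sh; enable_compression /etc/praesidio/praesidio.conf', then reload syslog-ng as the compression section instructs; a non-zero return code tells you which assumption about the file did not hold before anything is reloaded.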


How to Upgrade your DVM

Once you have backed up all required configuration files and increased max_connections if necessary, follow the steps below to upgrade your DVM.

  1. Access your DVM main menu.
  2. Select Option 7: Update/Upgrade DVM.
  3. Enter your DVM console user (the ds user) and password when prompted.
  4. Text scrolls by on the screen during the upgrade process. Always accept the default options.
    When asked "Do you want to overwrite praesidio file", the default is No; select it. Overwriting this file deletes all previous configurations and files.
  5. Once the upgrade is finished, log in to your DefenseStorm UI as usual.