Skybox Appliance 8000 Quick Start Guide 9.0.100 Revision: 11


Proprietary and Confidential to Skybox Security. © 2018 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal

Contents

Overview
  Basic architecture
  Related documentation
Skybox Appliance specifications
  What’s in the box
  Physical specifications
  Environmental specifications
  MTBF estimates for Skybox Appliance
  Front panel
  Back panel connectors
  File system partitions
Setting up Skybox Appliance
  Installation
    Starting Skybox Appliance
  System configuration
    Configuring connection
    Setting up the Appliance for configuration
    First-time configuration
  What’s next
Configuring the Appliance
  Configuration and management options
  Setting up network interface bonding
    Supported bond modes
  Setting up SNMP configuration
  RADIUS authentication
  Changing the TLS version
Customizing the syslog server
Installing the Skybox Manager
  Manager system requirements
  Installing the Manager
  Upgrading the Manager
Updating the operating system on Skybox Appliance
Adding a customer certificate
Restoring the Appliance to factory defaults
Monitoring SNMP
Troubleshooting
Wiping the hard disk drive
Regulatory and safety information
  Product regulatory compliance
    Safety compliance
    EMC compliance – Class A compliance
    Environmental requirements
    Regulatory compliance markings
    Electromagnetic compatibility notices for the server board

Chapter 1

Overview

The Skybox® Appliance is a hardware solution that enables you to deploy Skybox easily, without the burden of maintaining your own server.

Skybox® is an Automated Risk and Compliance Management (ARCM) platform that helps enterprise IT departments to discover and resolve potential security and compliance risks before they impact your organization.

Skybox is a multi-tier platform. Skybox Appliance runs the Server and users run Managers (clients) that connect to the Server over the network. Skybox also runs an additional Skybox component, the Collector, which connects to data sources and imports the data to the Server.

The Skybox Server and Collector are preinstalled on Skybox Appliance and run at startup.

Basic architecture

The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled easily to suit the complexity and size of any infrastructure.

For additional information, see the Skybox architecture topic in the Skybox Installation and Administration Guide.

Related documentation

Related documentation includes:

› Skybox online help
› Skybox documentation

Chapter 2

Skybox Appliance specifications

This chapter contains product specifications and packaging information for the Skybox Appliance 8000.

What’s in the box

The following items are included in the shipping carton:

› Skybox Appliance
› Rack mount kit
› Front bezel
› 2 AC power cords
› RJ45 to DB9 serial console cable
› Skybox Quick Start Guide
› 2 DVDs
  • Skybox: Installs Skybox on the Skybox Appliance; it contains the Skybox software and additional Appliance documentation
  • Restore Appliance: Restores the Skybox Appliance to factory settings

Physical specifications

The physical features of Skybox are listed in the following table.

Feature: Description

Form factor: 1U rack mount chassis

Rack dimensions (H x W x D): 1.7” x 17.25” x 28” (43.2 mm x 438.15 mm x 712 mm)

Weight:
  • System weight: 27.1 lb (12.3 kg)
  • Packaged weight: 47 lb (21.3 kg)

Power supply: 750 W redundant AC

Data storage: Embedded Software SATA RAID
  • Intel® Rapid Storage RAID Technology (RSTe) 4.1
  • Intel® Embedded Server RAID Technology 2 (ESRT2) 1.41 with optional RAID 5 key support

System cooling:
  • 6 managed 40 mm dual rotor system fans
  • 2 power supply fans

Front panel features:
  • 1 power button with integrated LED
  • 1 system ID button with integrated LED
  • 1 system status LED
  • 2 NIC LEDs
  • 1 HDD activity LED
  • 1 system cold reset button
  • 2 USB 2.0 / 3.0 connectors
  • DB-15 video connector
  • Bezel with lock support

External I/O connectors (back panel):
  • DB-15 video connector
  • RJ45 serial port A connector
  • Dedicated RJ45 server management NIC
  • 2 RJ45 network interface connectors (NIC1 and NIC2) supporting 10 GbE RJ45 connectors
  • 3 USB 2.0 / 3.0 Ports

Compliant standards: CE, UL, VCCI, BSMI, GS, ICES-003, FCC Part 15, IEC 60950-1, and more. For detailed information, see Regulatory and safety information (on page 35).

Environmental specifications

Environmental specifications for Skybox are listed in the following table.

Property: Limits

Operating temperature:
  • ASHRAE Class A2: Continuous Operation. 10°C to 35°C (50°F to 95°F) with the maximum rate of change not to exceed 10°C per hour
  • ASHRAE Class A3: Includes operation up to 40°C for up to 900 hrs per year
  • ASHRAE Class A4: Includes operation up to 45°C for up to 90 hrs per year

Shipping temperature: -40°C to +70°C (-40°F to 158°F)

Non-operating humidity: 50% to 90%, non-condensing with a maximum wet bulb of 28°C (at temperatures from 25°C to 35°C)

Shock:
  • Operating: Half sine, 2 g peak, 11 msec
  • Unpackaged: Trapezoidal, 25 g, velocity change is based on packaged weight
  • Packaged: ISTA (International Safe Transit Association) Test Procedure 3A 2008

Vibration:
  • Unpackaged: 5 Hz to 500 Hz, 2.20 g RMS random
  • Packaged: ISTA (International Safe Transit Association) Test Procedure 3A 2008

ESD:
  • Air Discharge: 12.0 kV
  • Contact Discharge: 8.0 kV

System cooling requirement:
  • 2352.3 BTU/hour for 115 volt power
  • 2302.3 BTU/hour for 220 volt power

EMI operating: Required to meet EMI emission requirements, tested as part of system

MTBF estimates for Skybox Appliance

The estimated mean time between failures (MTBF) and Failures in Time (FIT) for Skybox Appliance 8000 are listed in the following table.

Component                                      MTBF (hours)   Estimated FIT
4 x 3.5" 12 Gb Hot Swap Backplane – SATA/SAS   9579145        104
1-Slot Riser Card (per card)                   20060338       50
Standard Front Panel                           5053932        198
Intel® Server Board S2600WTT                   230615         4336
AC 750W Platinum                               537582         1860
Fan kit, 6 fans                                50799          19685
Total FIT rate                                                26284
System MTBF Hrs @ 40°C                         38084
System MTBF Hrs @ 35°C                         48577
System MTBF Hrs @ 25°C                         63263

Model: Telcordia Issue 3* Method 1 Case 3 Duty cycle 100% Quality Level II

Note: The estimates listed here are for Appliance in 35°C ambient air with a rise of up to 10°C at the Server Board.

Front panel

Skybox Appliance 8000’s front panel includes 2 USB connectors, plus a power button and LEDs.

Power button and LEDs

Letter: Feature

A: System ID button with integrated LED
B: NMI button (recessed; tool required for use)
C: NIC1 activity LED
D: System cold reset button
E: System status LED
F: Power button with integrated LED
G: Hard drive activity LED
H: NIC2 activity LED

Front panel LED functions

LED (Color/state: Description)

Power/Sleep
  • Green/on: Power on
  • Green/blinking: Sleep
  • Off: Power off

NIC LEDs
  • Green/on: Network link but no network activity
  • Green/blinking: Network activity
  • Off: No link

System Status
  • Green/on: System ready/no alarm
  • Green/blinking: System ready, but degraded: redundancy lost (for example, a power supply or fan failure); non-critical temperature or voltage threshold reached; battery failure; or predictive power supply failure.
  • Amber/on: Critical Alarm: Critical power modules failure, critical fans failure, voltage (power supply), critical temperature and voltage
  • Amber/blinking: Non-Critical Alarm: Redundant fan failure, redundant power module failure, non-critical temperature and voltage
  • Off: Power off: System unplugged. Power on: System powered off and in standby, no prior degraded/non-critical/critical state

Back panel connectors

Skybox’s back panel includes the following connectors:

By default:

› NIC1 / eno1 is enabled and configured as DHCP
› NIC2 / eno2 is enabled and configured as static with the IP address: 192.168.1.1 /24

You can change these values as necessary.

File system partitions

Skybox Appliance’s file system is partitioned as follows:

› SWAP: 4 GB
› /tmp: 5% of the entire space
› /: 20% of the entire space
› /var: 45% of the entire space
› /opt: The rest of the disk

Note: On machines with less than 200 GB of disk space, Skybox is installed on a single partition.

Chapter 3

Setting up Skybox Appliance

This chapter explains how to set up Skybox Appliance.

Installation

This section explains how to install the Skybox Appliance.

STARTING SKYBOX APPLIANCE

To start the Appliance

1 Connect the AC power cords to the AC connectors on Skybox’s back panel and connect the other ends to a power supply.

Note: You can use Skybox with either 110 or 220 volt power.

2 On the Appliance’s front panel, press the Power button.

3 Lock the front bezel in place using the key provided.

System configuration

Before running the Skybox Server, configure Skybox Appliance to be part of your network and perform some initial system configuration.

CONFIGURING CONNECTION

Before using the Skybox Appliance Administration, you must configure connection of Skybox to your network locally, using one of the following methods:

› Console (mouse, keyboard, and screen) connection
› Serial port connection
› Network connection via static NIC

Note: For a diagram of the connectors used in the following procedures, see Back panel connectors (on page 10).

Configuration via console

To configure connection using a mouse, keyboard, and screen

1 Connect one end of a standard network cable to the NIC 1 (eno1) port on the Appliance’s back panel; connect the other end of the cable to a network socket.

2 Connect a mouse, keyboard, and screen to the connectors on the Appliance’s back panel.

3 Log in to the Appliance using the default login (root) and the default password (skyboxview).

4 Run the command set_appliance_network (this command configures network interfaces with an IP address, netmask, and default gateway).

a. Select a network interface to configure.

b. Select the IP mode (static or DHCP).

— When using static mode, you must provide the IP address, netmask, and default gateway.

5 If you are using DHCP, run ifconfig, and write down the IP address assigned to the Appliance. You will need it later.

Configuration via serial port

To configure connection using a serial port connection

1 Connect one end of the serial cable to a serial port on the management computer; connect the other end to the serial port on the Appliance.

2 On the management computer start a terminal emulation program, select the port that you connected to in the previous step, and configure the following port settings:

• Bits per second: 9600

• Data bits: 8

• Parity: none

• Stop bits: 1

• Flow control: none

• (If using PuTTY as your terminal emulator) Character set translation on received data: UTF-8

3 Press the Power button on the Appliance’s front panel and verify that the Power LED turns green.

4 Log in to the Appliance using the default login (root) and the default password (skyboxview).

5 Use the following command to move to the directory containing the interface configuration files:

• cd /etc/sysconfig/network-scripts/

6 Determine the 1st network card using the following command:

• ifconfig -a

7 Open the network card config file using the vi editor.

DHCP example:

    NAME=ens2f0
    DEVICE=ens2f0
    IPV6INIT=no
    ONBOOT=yes
    HWADDR=00:1e:67:d4:7d:50
    BOOTPROTO=dhcp
    PEERDNS=no

Static IP address example:

    NAME=ens2f0
    DEVICE=ens2f0
    IPV6INIT=no
    ONBOOT=yes
    HWADDR=00:1e:67:d4:7d:50
    BOOTPROTO=none
    IPADDR=192.168.80.132
    NETMASK=255.255.254.0
    GATEWAY=192.168.80.254

8 If you are using a static IP address, make the following changes in the configuration file:

• IPADDR: Change the value to your IP address

• NETMASK: Change the value to the network subnet

• GATEWAY: Change the value to the default gateway

If you are using DHCP, no changes are necessary.

9 Configure the DNS servers; use vi to edit /etc/resolv.conf:

    nameserver 1.1.1.1
    nameserver 1.1.1.2

10 Save the file and exit.

11 Restart the network service by running the following command:

• systemctl restart network

The interface now has a DHCP or static IP address.

12 Query the new configuration by running the following command:

• ifconfig -a
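
The static settings edited in steps 7 and 8 can be checked before the network service is restarted, which matters on a serial or remote session where a wrong gateway cuts off access. The following Python is an added example, not part of the Skybox guide or its tooling: it parses ifcfg-style KEY=value text and reports missing static settings and a GATEWAY that falls outside the IPADDR/NETMASK subnet. The function names and the two altered samples are constructed for illustration; the checks assume the keys used in the guide's examples.

```python
import ipaddress

# The guide's static example (step 7), reproduced as sample input.
GUIDE_STATIC = """\
NAME=ens2f0
DEVICE=ens2f0
IPV6INIT=no
ONBOOT=yes
HWADDR=00:1e:67:d4:7d:50
BOOTPROTO=none
IPADDR=192.168.80.132
NETMASK=255.255.254.0
GATEWAY=192.168.80.254
"""

# Constructed sample: a one-digit typo puts the gateway outside the /23.
BAD_GATEWAY = GUIDE_STATIC.replace("GATEWAY=192.168.80.254",
                                   "GATEWAY=192.168.82.254")

# Constructed sample: the NETMASK line was deleted by mistake.
NO_NETMASK = GUIDE_STATIC.replace("NETMASK=255.255.254.0\n", "")


def parse_ifcfg(text):
    """Parse KEY=value lines, skipping blanks and comments, stripping quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def check_ifcfg(text):
    """Return a list of problems found in an ifcfg file (empty list = none)."""
    cfg = parse_ifcfg(text)
    problems = []
    if cfg.get("ONBOOT", "").lower() != "yes":
        problems.append("ONBOOT is not 'yes': interface is not activated at boot")
    if cfg.get("BOOTPROTO", "").lower() in ("dhcp", "bootp"):
        return problems  # addresses are assigned dynamically; nothing more to check
    # Static mode: the guide requires IP address, netmask and default gateway.
    missing = [k for k in ("IPADDR", "NETMASK", "GATEWAY") if not cfg.get(k)]
    if missing:
        problems.append("static mode is missing: " + ", ".join(missing))
        return problems
    try:
        iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
        gateway = ipaddress.IPv4Address(cfg["GATEWAY"])
    except ValueError as exc:
        problems.append(f"invalid address or netmask: {exc}")
        return problems
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPADDR {iface.ip} is the network or broadcast address of {net}")
    if gateway not in net:
        problems.append(f"GATEWAY {gateway} is outside {net}")
    elif gateway == iface.ip:
        problems.append("GATEWAY is the same address as IPADDR")
    return problems


if __name__ == "__main__":
    samples = (("guide static", GUIDE_STATIC),
               ("bad gateway", BAD_GATEWAY),
               ("no netmask", NO_NETMASK))
    for name, text in samples:
        print(name, "->", check_ifcfg(text) or "OK")
```
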

Configuration via network port

You can connect to the Appliance via the preconfigured static network port (eno2), whose IP address is 192.168.1.1 /24.

To configure connection via eno2

1 Configure the IP of the client side to a different IP address on the same network. For example, 192.168.1.50 /24.

2 In your browser, connect via the IP address for eno2: https://192.168.1.1:444/

SETTING UP THE APPLIANCE FOR CONFIGURATION

To prepare for configuring the system remotely

1 From a different machine on the network, open a browser to connect to the Skybox Appliance Administration using the following URL, where <appliance IP address> is the IP address of the Appliance that you configured in Configuring connection (on page 11):

• https://<appliance IP address>:444

2 The default login is skyboxview; the default password is skyboxview.

The main page of the Skybox Appliance Administration appears.

FIRST-TIME CONFIGURATION

You must configure the date and time and change the passwords before using the Skybox Server. All other settings are optional and you can configure them later.

To configure the date and time

1 On the System tab, select Date and Time Configuration.

2 For manual date and time configuration:

a. Select Manual Date and Time Configuration.

b. Click Change Date and Time; set the date and time for Skybox’s time zone.

c. Click Change Time Zone; set the time zone for the location where the Appliance is installed, so that reports and other data are timestamped correctly.

3 For automatic configuration:

a. Select Automatic Date and Time Configuration Using NTP Server.

b. Click Change NTP Server; add the IP address or DNS of the time server to use. For example, 0.asia.pool.ntp.org.

c. Click Change Time Zone; set the time zone for the location where the Appliance is installed, so that reports and other data are timestamped correctly.

To change the passwords

1 On the Security tab, select Appliance Passwords.

2 To change the root password of the machine, click Change Root Password.

3 To change the password of the Appliance Administration, click Change Skyboxview Password.

What’s next

The Skybox Manager is the client application that communicates with the Server. After installation and configuration of the Appliance, you must install the Manager on at least one remote machine. For additional information, see Installing the Skybox Manager (on page 26).

Using Skybox for change tracking

You can use Skybox to track changes on firewalls. Although much of the change information can be collected directly from the firewalls, additional information (including timestamp and user who made the change) is available only from syslog change events that are sent to the syslog server in the Appliance. You collect the change events using Change Tracking Events – Syslog Import tasks.

Syslog server

The syslog server in the Appliance is preconfigured and is enabled by default.

Updates to the configuration files of the syslog server and the syslog log file rotation are provided automatically (when necessary) as part of Skybox updates. However, when updates are provided, you must restart the syslog server (on the System tab, disable the syslog server and then enable it again) for it to start using the updates.

For information about customizing the syslog server, see Customizing the syslog server (on page 24).

Chapter 4

Configuring the Appliance

The following sections explain how to configure the Appliance.

› Configuration and management options (Appliance Administration) (on page 16)
› Setting up SNMP configuration (on page 20)
› RADIUS authentication (on page 20)
› Changing the TLS version (on page 21)

Configuration and management options

Skybox Appliance’s configuration options are described in the following tables.

About tab

Pane: Description

System Information: Provides information about Skybox configuration.

Network tab

Note that changes to the configuration information made in this tab are only saved after you click Save Network Configuration.

Pane: Description

Network Configuration Summary: Displays a summary of the Appliance configuration information. Click Export to save this information to an HTML file.

Network Configuration: Enables you to configure network settings (connection method, IP address, netmask, and gateway) and bonding for each network interface connection, and to configure the DNS servers. Note: For non-virtual Appliances, this pane includes a link to a drawing of the back panel to help you to understand the connections.

System tab

Pane: Description

Date and Time Configuration: Enables you to view and change the date and time in the Appliance’s time zone.
Notes:
  • When setting this information manually, set the date and time and then the time zone for the location where the Appliance is installed, so that reports and other data are timestamped accurately.
  • Automatic configuration synchronizes Skybox with an atomic clock. You must provide the IP address or DNS of the NTP server to use. For example, 0.asia.pool.ntp.org (click Change NTP Server). Set the time zone after setting the NTP server.

Syslog Server: Starts or stops the syslog server service.

Host Name: Enables you to change the name of the Appliance.

Change System Mode: Toggles between Server mode (where the Appliance functions as both Server and a Collector) and Collector mode (where the Appliance functions only as a Collector).

SNMP: Select Enable SNMP Service to set up SNMP configuration, host configuration, and sending traps. You can also download the Appliance MIBs. For more information, see Setting up SNMP configuration (on page 20).

Security tab

Pane: Description

Appliance Passwords: Enables you to change the root password for the Appliance and the password for the Appliance Administration.

SSH: Toggles the SSH service on and off and enables the root user to log in via SSH.

Control tab

Pane: Description

Skybox Services: Toggles the Server and Collector on and off. Note: Turning a Skybox service off stops the service and switches it to Manual mode. Turning the service on restarts the service and switches it back to Automatic mode.

Appliance Operations: Enables you to reboot or shut down the Appliance.

Support tab

Pane: Description

Logs: Enables you to view Server, Collector, and other logs of the Appliance. Get Packlogs: Runs the packlogs utility and saves the packlogs (ZIP) file to a local directory so that you can send the logs to Skybox Support.

Skybox Manager: Enables you to download the Manager for installation.

Setting up network interface bonding

Skybox Appliances support network interface bonding for redundancy and for higher bandwidth.

To create a network interface bonding

1 On the Network tab, click Network Configuration.

2 Select Network Interfaces.

3 Select an interface that you want to add to a network bond and click Add to Network Bond.

The Network Bond Setup dialog box appears.

4 Add a new bond interface. By default, the 1st interface is named bond0, the 2nd bond1, and so on.

5 Select the interfaces that should be bonded to this new interface (as slaves).

6 Select the method for assigning the IP address for this interface: static or DHCP.

When using static mode, you must provide the IP address, netmask, and gateway.

7 Select the mode in which the bond should work; the recommended mode is active-backup.

For information about the supported bond modes, see below.

8 Click Save.

To view a list of the network interface bonding

1 On the Network tab, click Network Configuration Summary.

SUPPORTED BOND MODES The following bond modes are supported. The recommended bond mode is active-backup.

mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor) XOR policy: Transmit based on [(source MAC address XORed with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

mode=3 (broadcast) Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.

Prerequisites:

› ethtool support in the base drivers for retrieving the speed and duplex of each slave.

› A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb) Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

Prerequisite:

› ethtool support in the base drivers for retrieving the speed of each slave.


mode=6 (balance-alb) Adaptive load balancing: includes transmit load balancing and receive load balancing for IPv4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, so that different peers use different hardware addresses for the server.

Setting up SNMP configuration

To use the Appliance as an SNMP Server

1 On the System tab, click SNMP.

2 Select Enable SNMP Service.

3 Set the following values.

• On the General tab:

— System Location: physical location of the Appliance

— Contact Details: email address of administrator

• On the Security tab:

— Read Only Community: SNMPv1 or SNMPv2 community string

— Source: Name, IP address, or subnet. A subnet is written either as IP/netmask (10.10.10.0/255.255.255.0) or as IP/bits (10.10.10.0/24).

Multiple sources must be comma-separated.

• On the Notification (Traps) tab:

— Destination: Name or IP address of the notification receiver traps server

— Traps Community: SNMP community of the notification receiver traps server

4 When you are finished, click Save SNMP Configuration to save the configuration and update the service with the new configuration.

RADIUS authentication

This topic explains how to configure RADIUS authentication for Skybox Appliance.

Note: To use RADIUS authentication, the pam_radius package must be installed on the Skybox Server. You can check whether it is installed using the rpm -qa | grep pam_radius command. If you need help installing it, contact Skybox Support.

To configure RADIUS authentication

1 Open /etc/pam.d/system-auth in your editor and find the following line:

auth sufficient pam_unix.so nullok try_first_pass


2 Add the following line immediately following it:

auth sufficient pam_radius_auth.so

3 Open /etc/pam.d/password-auth in your editor and find the following line:

auth sufficient pam_unix.so nullok try_first_pass

4 Add the following line immediately following it:

auth sufficient pam_radius_auth.so

5 Save and close the file.

6 Open /etc/pam_radius.conf and find the following entry:

127.0.0.1 secret 1

7 Replace that line with the relevant information for your RADIUS server.

There are 3 fields per line in this file, where each line represents a RADIUS server. Blank lines or lines beginning with '#' are treated as comments, and are ignored. The fields are:

server[:port] secret [timeout]

• The port number is optional. The default port is 1812.

• The timeout field is optional. The default timeout is 3 seconds.

The timeout field controls how many seconds the module waits before deciding that the server has failed to respond.

If multiple RADIUS server lines exist, they are tried in order. The first server to return success or failure causes the module to return success or failure. If a server fails to respond it is skipped, and the next server in turn is used.

8 Save and close the file.

9 Add the new user on the OS level, using the following command:

useradd <user1>

There is no need to set the password; it comes from RADIUS.

You can now log in to Skybox with the user’s credentials: <user1> / <password> (using the password stored on the RADIUS server for this user).
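A post-change check for the procedure above, as an added example that is not part of the Skybox guide: it confirms that pam_radius_auth.so directly follows the pam_unix.so line, and that the server file no longer holds the shipped 127.0.0.1 placeholder, a short shared secret, or group/other permission bits. The function names, the 16-character minimum and all sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Skybox code: audit the files edited in the RADIUS procedure.
# Function names, MIN_SECRET_LEN and every sample value are assumptions.

MIN_SECRET_LEN=16   # assumed local policy, not a pam_radius requirement

# pam_order_ok FILE
# Succeeds when the first effective line after "auth sufficient pam_unix.so ..."
# is "auth sufficient pam_radius_auth.so", as steps 1-4 require.
pam_order_ok() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }
        after_unix {
            ok = ($1 == "auth" && $2 == "sufficient" && $3 == "pam_radius_auth.so")
            exit
        }
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_unix.so" { after_unix = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# radius_conf_findings FILE
# Prints one finding per line for a "server[:port] secret [timeout]" file.
# The secret itself is never printed.
radius_conf_findings() {
    # The shared secret is stored in clear text: no group/other access bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "permissions: group/other bits set ($perms)"
    awk -v min="$MIN_SECRET_LEN" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines and comments
        {
            servers++
            if ($1 == "127.0.0.1" && $2 == "secret") {
                print "line " NR ": shipped placeholder entry still present"
            } else if (NF < 2) {
                print "line " NR ": no shared secret"
            } else if (length($2) < min) {
                print "line " NR ": shared secret shorter than " min " characters"
            }
            if (NF >= 3 && $3 !~ /^[0-9]+$/) {
                print "line " NR ": timeout is not a number of seconds"
            }
        }
        END { if (servers == 0) print "no RADIUS server defined" }
    ' "$1"
}

# radius_conf_clean FILE: succeeds only when there are no findings.
radius_conf_clean() {
    [ -z "$(radius_conf_findings "$1")" ]
}

# write_samples DIR: constructed sample files (not taken from a real Appliance).
write_samples() {
    printf '%s\n' \
        'auth        required      pam_env.so' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'auth        sufficient    pam_radius_auth.so' \
        'auth        required      pam_deny.so' > "$1/system-auth.good"
    printf '%s\n' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'auth        required      pam_deny.so' \
        'auth        sufficient    pam_radius_auth.so' > "$1/system-auth.bad"
    printf '%s\n' \
        '# server[:port] secret [timeout]' \
        'radius1.example.net:1812 Constructed-Secret-0123456789 5' > "$1/pam_radius.good"
    printf '%s\n' \
        '127.0.0.1 secret 1' \
        'radius2.example.net short x' > "$1/pam_radius.bad"
    chmod 600 "$1/pam_radius.good"
    chmod 644 "$1/pam_radius.bad"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in system-auth.good system-auth.bad; do
    if pam_order_ok "$demo_dir/$f"; then
        echo "$f: pam_radius_auth.so follows pam_unix.so"
    else
        echo "$f: pam_radius_auth.so missing or misplaced"
    fi
done
for f in pam_radius.good pam_radius.bad; do
    echo "$f:"
    radius_conf_findings "$demo_dir/$f" | sed 's/^/  /'
done
rm -rf "$demo_dir"
```

On the Appliance, the files to check are /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/pam_radius.conf.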

Changing the TLS version

The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides strong encryption using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

There are 3 possible configurations for TLS:

› Default (High) Security configuration for SSL: TLS versions 1.2 and higher are enabled

Supported browsers are: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8, and higher.

› Medium Security configuration for SSL: TLS versions 1.1 and higher are enabled


Supported browsers are: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7, and higher.

› Low Security configuration for SSL: All TLS versions are enabled

Supported browsers are: Windows XP IE6, Java 6, and higher.

The configuration settings are stored in the following file: /etc/httpd/conf.d/skyboxwebadmin.conf

Important: Use the highest TLS configuration that supports your browser.

To change the TLS configuration settings

1 Make a backup of the skyboxwebadmin.conf file.

2 Open the skyboxwebadmin.conf file (with vi).

3 Comment out the default security configuration by adding “#” at the beginning of the SSLProtocol and SSLCipherSuite lines.

# Default Security configuration for SSL. Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

4 Uncomment either Medium or Low (not both) by deleting “#” from the appropriate SSLProtocol and SSLCipherSuite lines.

Note: Do not uncomment the title line itself (Medium/Low Security).


# Medium Security configuration for SSL. Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

#SSLProtocol all -SSLv3

#SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# Low Security configuration for SSL. Oldest compatible clients: Windows XP IE6, Java 6.

#SSLProtocol all

#SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

5 Save the file.

6 Restart httpd using the following command: systemctl restart httpd
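A check to run on the edited file before restarting httpd, as an added example that is not part of the Skybox guide: it reports when zero or several profiles are active (step 4 says to uncomment Medium or Low, not both), which of SSLv3, TLSv1 and TLSv1.1 the active SSLProtocol line leaves enabled, and how many 3DES suites the active SSLCipherSuite line enables. The function names are assumptions, and the sample file is constructed with shortened cipher lists.

```shell
#!/bin/sh
# Added example, not Skybox code: check which TLS profile a conf file activates.
# Function names are assumptions; the sample cipher lists are shortened and constructed.

# tls_conf_findings [FILE]
# Reads an Apache conf file (or stdin) and prints one finding per line:
#  - more or fewer than one active SSLProtocol / SSLCipherSuite line
#  - SSLv3, TLSv1 or TLSv1.1 left enabled by an active SSLProtocol line
#  - 3DES suites enabled by an active SSLCipherSuite line
# Simplification: the order of tokens within SSLProtocol is ignored.
tls_conf_findings() {
    awk '
        function enabled(toks, p) {
            if (index(toks, " -" p " ")) return 0
            return (index(toks, " all ") || index(toks, " +" p " ") || index(toks, " " p " ")) ? 1 : 0
        }
        NF == 0 || substr($1, 1, 1) == "#" { next }   # commented-out profiles do not count
        $1 == "SSLProtocol" {
            nproto++
            toks = " "
            for (i = 2; i <= NF; i++) toks = toks $i " "
            legacy = ""
            if (enabled(toks, "SSLv3"))   legacy = legacy " SSLv3"
            if (enabled(toks, "TLSv1"))   legacy = legacy " TLSv1"
            if (enabled(toks, "TLSv1.1")) legacy = legacy " TLSv1.1"
            if (legacy != "") print "line " NR ": legacy protocols not excluded:" legacy
        }
        $1 == "SSLCipherSuite" {
            ncipher++
            n3des = 0
            m = split($2, suite, ":")
            for (i = 1; i <= m; i++) {
                first = substr(suite[i], 1, 1)
                # entries starting with "!" or "-" remove suites, they do not enable them
                if (first != "!" && first != "-" && index(suite[i], "DES-CBC3")) n3des++
            }
            if (n3des) print "line " NR ": " n3des " 3DES cipher suites enabled"
        }
        END {
            if (nproto != 1)  print "SSLProtocol: " (nproto + 0) " active lines (expected 1)"
            if (ncipher != 1) print "SSLCipherSuite: " (ncipher + 0) " active lines (expected 1)"
        }
    ' "$@"
}

# sample_conf D M L
# Emits a constructed conf file; each argument is "" (active) or "#" (commented out)
# for the Default, Medium and Low profile respectively.
sample_conf() {
    cat <<EOF
# Default Security configuration for SSL.
${1}SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
${1}SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
# Medium Security configuration for SSL.
${2}SSLProtocol all -SSLv3
${2}SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS
# Low Security configuration for SSL.
${3}SSLProtocol all
${3}SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:HIGH:!aNULL:!EDH-DSS-DES-CBC3-SHA
EOF
}

# report LABEL D M L: print the findings for one variant of the sample.
report() {
    echo "== $1"
    sample_conf "$2" "$3" "$4" | tls_conf_findings
}

report 'Default active (as shipped)' '' '#' '#'
report 'Medium active, Default commented out' '#' '' '#'
report 'Medium uncommented, Default left active' '' '' '#'
report 'Low active' '#' '#' ''
```

Against the real file the call is tls_conf_findings /etc/httpd/conf.d/skyboxwebadmin.conf; no output means exactly one profile is active and it enables neither the legacy protocols nor 3DES.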


Chapter 5 Customizing the syslog server

The syslog server in Skybox Appliance is preconfigured and is enabled by default.

Updates to the configuration files of the syslog server and the syslog log file rotation are provided automatically (when necessary) as part of Skybox updates. However, when updates are provided, you must restart the syslog server (on the System tab, disable the syslog server and then enable it again) for it to start using the updates.

In addition to the automatic updates, you can modify the files locally:

› The syslog configuration file is at /etc/syslog-ng/syslog-ng.conf

› The log rotation file is at /etc/logrotate.conf

Note: If you modify the files locally, you must also restart the server afterwards.

Where are the logs stored?

When the syslog server is enabled, new log files are stored in one of the following locations (depending on the type of log):

• /var/log/syslog-ng/new

• /var/log/firewall_assurance/change_logs/new

The logs are kept for 48 hours in the new directory, and are then archived for 3 more days in the parallel old directory:

• /var/log/syslog-ng/old

• /var/log/firewall_assurance/change_logs/old

What are the log files named?

A separate log is generated for each device from which logs are received. The file names have the following format:

• New logs: <host name | IP address>_<time of creation>.log

• Archived logs: <host name | IP address>_<time of creation>.zip

How can the logs be imported to Skybox?

Device logs can be imported using the following tasks, depending on the information that you are looking for:

› Change Tracking Events – Syslog Import

› Traffic Events – Syslog Import

At a minimum, you need the following information (in the task) to import the logs:


› In the Basic tab:

• The directory path of the files (/var/log/syslog-ng/new and /var/log/firewall_assurance/change_logs/new)

• Modules: The scope of devices whose logs are to be imported

› In the Advanced tab:

• The date format used by the device

• (For Cisco and Juniper traffic events) The positions of the Device ID and date in the log


Chapter 6 Installing the Skybox Manager

You can install the Manager from the DVD included with Skybox or you can download it from the Skybox Appliance over HTTP using the Appliance’s IP address (https://<appliance IP address>:444/manager). For additional information, see Installing the Manager (on page 27).

The Manager runs on Windows.

In this chapter

Manager system requirements

Installing the Manager

Upgrading the Manager

Manager system requirements

The Skybox Manager is a Java client application that connects to the Skybox Server (through port 8443).

You can install multiple Managers on a single computer; this is useful when connecting to Servers of different versions.

Operating system

The following operating systems are supported for the Manager:

› Windows 7

› Windows 10 (64-bit only)

› Windows Server 2012

Browser

The following browsers are supported for the Manager:

› Microsoft Internet Explorer 9 or higher

Note: Microsoft Edge is not supported.

› Google Chrome

› Mozilla Firefox

› Safari (for Skybox Horizon)

Hardware

The hardware requirements for the Manager are listed in the following table.

| Item | Minimum | Recommended |
| --- | --- | --- |
| CPU | Intel i3 or equivalent | Intel i5 or equivalent |
| RAM | 2 GB | 4 GB |
| Available disk space | 1 GB | 2 GB |

Installing the Manager

Note: Skybox Manager runs on most Microsoft Windows operating systems. For details, see Manager system requirements (on page 26).

Installing the Manager requires administrator privileges.

To install the Manager

1 Run the installation file (SkyboxManager-<version#>-<build>.exe).

2 Follow the directions in the wizard.

Note: Installation under <Drive>:\Program Files (or any other path containing a space) is not supported.

Important: The Manager communicates with the server over 8443/TCP by default. If there is a firewall between the Manager and the Server, access on this port should be explicitly permitted.

Upgrading the Manager

In some cases, the Manager installation file on the Appliance is outdated. In this case, you can download the new Manager installation file (or you might receive it from Skybox Security’s product support team) to replace the old installation file. This way, when Skybox users install the Manager from the Appliance, they are installing the latest version.

To replace the Manager installation file

1 Copy the installation file (SkyboxManager-<version#>-<build#>.exe) to the Appliance using PuTTY, WinSCP, or any other client program.

Save the file at /opt/skyboxwebadmin/web/manager/

2 Delete any other files in this directory, including any previous installation file; the directory must contain only the new installation file.


Chapter 7 Updating the operating system on Skybox Appliance

In some cases, it may be necessary to update the CentOS operating system on your Skybox Appliance, such as when bug fixes or security patches are released for the operating system.

Updates to the operating system do not affect Skybox.

Before you start the update

Both the Skybox model and important system files can be saved as part of the update procedure, or you can save them manually beforehand. Changes that you made manually in any files are not saved as part of the update, so you must back them up manually.

Note that the machine reboots as part of the update process.

To update the operating system

1 Download the following files to your computer (not to the Appliance server).

• Skybox_<patch>.appliance_update

• Skybox_<patch>.appliance_update.md5

2 Copy Skybox_<patch>.appliance_update to the Appliance server using Secure Copy Protocol (SCP).

3 Copy Skybox_<patch>.appliance_update.md5 to the same directory using SCP.

4 Connect to the Appliance server via SSH using root credentials.

5 Navigate to the directory where the files were saved.

6 Verify that the update file was copied without any mistakes using the md5sum command:

• md5sum -c Skybox_<patch>.appliance_update.md5

The output should be: Skybox_<patch>.appliance_update: OK

7 Run the following command to install the update:

• /bin/sh Skybox_<patch>.appliance_update

The update procedure begins.

8 We recommend that, when asked where to save the files, you select either a location on the file sharing system (as opposed to on the Appliance server itself) or an external drive.

9 Restore the files that you saved manually.


Chapter 8 Adding a customer certificate

If you want to connect to the Appliance Administration via a customer certificate, you need to add the certificate to the Apache server.

To connect to the Appliance Administration via a customer certificate

1 Locate (or generate) the validated certificate and key files.

2 Upload the certificate files to the Skybox Server in the following directory: /etc/httpd/conf.d

a. SSLCertificateFile must be your certificate file (for example, <your domain name>.crt).

b. SSLCertificateKeyFile must be the key file generated when you created the CSR.

c. SSLCertificateChainFile must be the intermediate certificate file (for example, DomainCertCA.crt)

3 Save a backup of /etc/httpd/conf.d/skybox.conf, and then open the file.

4 In the file, make the following changes, replacing the sample file names here with the actual file names.

a. Replace ServerName skyboxapp with ServerName www.<your domain>.org

b. SSLCertificateFile: replace /etc/pki/tls/certs/localhost.crt with /etc/httpd/conf.d/<your domain name>.crt

c. SSLCertificateKeyFile: replace /etc/pki/tls/private/localhost.key with /etc/httpd/conf.d/<your key>.key

d. Add the following new line: SSLCertificateChainFile /etc/httpd/conf.d/DomainCertCA.crt

5 Save the file.

6 Restart Apache using the following command: systemctl restart httpd

7 Access the Server.


Chapter 9 Restoring the Appliance to factory defaults

The Restore Appliance DVD that comes in the Appliance 8000 package is for restoring the Appliance to factory defaults.

Warning: Restoring the Appliance erases all data on the Appliance.

To restore the Appliance to factory defaults

1 Insert the DVD in the DVD-ROM drive.

2 Reboot the Appliance.

3 As soon as you see the Skybox Installation Menu window, press any key.

Note: If you do not press a key within several seconds, the Appliance boots from the local drive.

4 In the menu, select Skybox Appliance Installation

Note: The restore process takes approximately 25 minutes.

5 When the installation finishes, proceed from System configuration (see page 11).


Chapter 10 Monitoring SNMP

Skybox Appliance supports standard Linux OIDs. The following are some OIDs that you can monitor:

CPU load statistics

› 1 minute load: .1.3.6.1.4.1.2021.10.1.3.1

› 5 minute load: .1.3.6.1.4.1.2021.10.1.3.2

› 15 minute load: .1.3.6.1.4.1.2021.10.1.3.3

CPU statistics

› Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0

› Raw user CPU time: .1.3.6.1.4.1.2021.11.50.0

› Percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0

› Raw system CPU time: .1.3.6.1.4.1.2021.11.52.0

› Percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0

› Raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0

› Raw nice CPU time: .1.3.6.1.4.1.2021.11.51.0

Memory statistics

› Total swap size: .1.3.6.1.4.1.2021.4.3.0

› Available swap space: .1.3.6.1.4.1.2021.4.4.0

› Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0

› Total RAM used: .1.3.6.1.4.1.2021.4.6.0

› Total RAM free: .1.3.6.1.4.1.2021.4.11.0

› Total RAM shared: .1.3.6.1.4.1.2021.4.13.0

› Total RAM buffered: .1.3.6.1.4.1.2021.4.14.0

› Total cached memory: .1.3.6.1.4.1.2021.4.15.0

System uptime

› System uptime: .1.3.6.1.2.1.1.3.0

Skybox Server and Collector

In addition to the standard OIDs, the following OIDs are supported for Skybox components.


› Skybox Server status: .1.3.6.1.4.1.8072.1.3.2.3.1.4.19.49.46.51.46.54.46.49.46.52.46.49.46.49.57.55.54.56.46.49

› Skybox Collector status: .1.3.6.1.4.1.8072.1.3.2.3.1.4.19.49.46.51.46.54.46.49.46.52.46.49.46.49.57.55.54.56.46.50

Additional SNMP configuration

For further SNMP configuration, refer to:

› The MIB files on the Appliance, in the /usr/local/snmpsa/mibs directory.

› The SNMP configuration file: /etc/snmp/snmpd.conf


Chapter 11 Troubleshooting

Obtaining version information when the Appliance Administration is not available

If you need to know the version of the Appliance (also called the image version) and other information about the Appliance at a time when the Appliance Administration is not available, you can find this information by running the get_appliance_details script from the CLI.

The following is a sample output of this script:

APPLIANCE_VERSION: 8.5.103-7.1.11

CORES: 2

MODE: SERVER

MODEL:

RAM: 32014 MB

SERIAL_NUMBER:

SKYBOXVIEW: 8.0.513

Hardware issues

If there is a hardware issue on the Appliance (usually indicated by the system status LED turning amber or blinking), do the following:

1 Run getlogs as the root user.

The diagnostic log file, diagnostic_<timestamp>.log, is in the <Skybox_Home>/server/log directory.

2 Open a support case and attach the (most recent) diagnostic file.


Chapter 12 Wiping the hard disk drive

In some cases, you need to wipe the hard disk drive (HDD), completely destroying the data on it. This might be required, for example, if you are sending the Appliance back to Skybox Security for replacement.

Caution: This procedure wipes the HDD completely. Afterwards, it will not be bootable or function at all.

The following command overwrites all partitions, master boot records, and data:

› dd if=/dev/urandom of=/dev/sda bs=1M


Chapter 13 Regulatory and safety information

This chapter includes regulatory and safety information for Skybox Appliance 8000’s hardware.

Product regulatory compliance

Intended application

This product is to be evaluated and certified as Information Technology Equipment (ITE), which may be installed in offices, schools, computer rooms, and similar commercial type locations. The suitability of this product for other product certification categories and environments (such as: medical, industrial, telecommunications, NEBS, residential, alarm systems, test equipment, and so on), other than an ITE application, may require further evaluation.

SAFETY COMPLIANCE

› UL60950 – CSA 60950 (USA / Canada)

› EN60950 (Europe)

› IEC60950 (International)

› CB Certificate & Report, IEC60950 (report to include all country national deviations)

› CE – Low Voltage Directive 2006/95/EC (Europe)

EMC COMPLIANCE – CLASS A COMPLIANCE

› FCC / ICES-003 – Emissions (USA/Canada) Verification

› CISPR 22 – Emissions (International)

› CISPR 24 – Immunity (International)

› EN55022 – Emissions (Europe)

› EN55024 – Immunity (Europe)

› CE – EMC Directive 2004/108 EC (Europe)

› AS/NZS 3548 Emissions (Australia / New Zealand)

› BSMI CNS13438 Emissions (Taiwan)

› KC Certification (Korea)


ENVIRONMENTAL REQUIREMENTS

Intel has a system in place to restrict the use of banned substances in accordance with worldwide regulatory requirements. A Material Declaration Data Sheet is available for Intel products. For more reference on material restrictions and compliance you can view Intel’s Environmental Product Content Specification at http://supplier.intel.com/ehs/environmental.htm.

› Europe – European Directive 2002/95/EC – Restriction of Hazardous Substances (RoHS)

Threshold limits and banned substances are noted below.

• Quantity limit of 0.1% by mass (1000 PPM) for: Lead, Mercury, Hexavalent Chromium, Polybrominated Biphenyls Diphenyl Ethers (PBB/PBDE)

• Quantity limit of 0.01% by mass (100 PPM) for: Cadmium

› California Code of Regulations, Title 22, Division 4.5, Chapter 33: Best Management Practices for Perchlorate Materials

› China – Restriction of Hazardous Substances (China RoHS)

› WEEE Directive (Europe)

› Packaging Directive (Europe)

› REACH Directive (Europe)

REGULATORY COMPLIANCE MARKINGS

The server is typically marked with the following regulatory marks.

| Regulatory Compliance | Region | Marking |
| --- | --- | --- |
| Ctick | Australia/NZ | |
| CE Mark | Europe | |
| NRTL (National Recognized Test Laboratory) | USA/Canada | |
| EMC Marking (Class A) | Canada | CANADA ICES-003 CLASS A |
| GS Mark | Germany | |
| VCCI Marking (Class A) | Japan | |
| KC Mark (Korean Communications Commission) | Korea | |
| CU | Russia | |
| Ukraine Certification | Ukraine | |
| BSMI Certification (RPC) Number & Class A Warning | Taiwan | |
| FCC Marking (Class A) | USA | This device complies with Part 15 of the FCC Rules. Operation of this device is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept interference received, including interference that may cause undesired operation |
| Nordic Ground | Multiple | Line 1: “WARNING:” Swedish on line 2: “Apparaten skall anslutas till jordat uttag, när den ansluts till ett nätverk.” Finnish on line 3: “Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan.” English on line 4: “Connect only to a properly earth grounded outlet.” |
| WEEE (Waste Electronic and Electrical Equipment) Recycling Mark | Europe | |
| China Restriction of Hazardous Substance (RoHS) Environmental Friendly Use Period Mark | China | |
| Recycling Package Marks | China | Will be added on Package label |
| Other Recycling Package Marks | International | Will be added on Package label |
| Battery Perchlorate Warning Information | USA (CA) | Perchlorate Material – Special handling may apply. See www.dtsc.ca.gov/hazardouswaste/perchlorate This notice is required by California Code of Regulations, Title 22, Division 4.5, Chapter 33: Best Management Practices for Perchlorate Materials. This product / part includes a battery which contains Perchlorate material. |
| Safety – Multiple Power Cord | International | English: This unit has more than one power supply cord. To reduce the risk of electrical shock, disconnect (2) two power supply cords before servicing. German: Dieses Geräte hat mehr als ein Stromkabel. Um eine Gefahr des elektrischen Schlages zu verringern trennen sie beide (2) Stromkabeln bevor Instandhaltung. |
| Safety – Standby Power button | International | |
| Safety – Rack Load Warning | International | |

ELECTROMAGNETIC COMPATIBILITY NOTICES FOR THE SERVER BOARD

FCC Verification Statement (USA)

This device complies with Part 15 of the FCC Rules. Operation is subject to two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Intel Corporation, 5200 N.E. Elam Young Parkway Hillsboro, OR 97124-6497 Phone: 1-800-628-8686

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by any of these measures:

› Reorient or relocate the receiving antenna.

› Increase the separation between the equipment and the receiver.

› Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

› Consult the dealer or an experienced radio/TV technician for help.

Any changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment. The customer is responsible for ensuring compliance of the modified product.

All cables used to connect to peripherals must be shielded and grounded. Operation with cables, connected to peripherals that are not shielded and grounded may result in interference to radio and TV reception.

ICES-003 (Canada)

Cet appareil numérique respecte les limites bruits radioélectriques applicables aux appareils numériques de Classe B prescrites dans la norme sur le matériel brouilleur: “Appareils Numériques”, NMB-003 édictée par le Ministre Canadian des Communications.

English translation of this notice:


This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus set out in the interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of the Canadian Department of Communications.

Europe (CE Declaration of Conformity)

This product has been tested in accordance to, and complies with the Low Voltage Directive (2005/96/EC) and EMC Directive (2004/108/EC). The product has been marked with the CE Mark to illustrate its compliance.

VCCI (Japan)

English translation of this notice:

This is a Class B product based on the standard of the Voluntary Control Council for Interference (VCCI) from Information Technology Equipment. If this is used near a radio or television receiver in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.

BSMI (Taiwan)

The BSMI Certification Marking and EMC warning is located on the outside rear area of the product.

KC (Korea)

Korea EMC Certification requires additional information on the product. If there is no room to place the information, it is provided in the product literature.


1 Type of Equipment (Model Name): Model name is on KC certificate on product

2 Certification No.: Certification number is on KC certificate on product

3 Name of Certification Recipient: Intel Corporation (name is on KC certificate on product)

4 Date of Manufacturer: Refer to the date code serial number marked on product

5 Manufacturer/Nation: Intel Corporation/Refer to country of origin marked on product