on 02-16-2016 05:38 AM
Deployment
Step 1: Setup Splunk with Cisco NVM App
Step 2: Setup IPFIX Collector component
Step 3: Configuring AnyConnect NVM Client profile
Step 4: Installing AnyConnect NVM
Step 5: Data Collection
Verification
Validate NVM installation
Validate Flow templates are set
Validate Collector status as running
Related Document
This document describes the method to install and configure the Cisco AnyConnect Network Visibility Module (NVM) on an end-user system using AnyConnect 4.2.x or higher.
The Cisco AnyConnect Network Visibility Module (NVM) is used as a medium for deploying security analytics. NVM lets organizations see endpoint and user behavior on their network: it collects flows from endpoints both on and off premise, along with additional context such as users, applications, devices, locations and destinations.
This is a technote example using AnyConnect NVM with Splunk.
In this technote:
Collector IP - 192.0.2.123
Splunk - 192.0.2.113
AnyConnect deployment for Network Visibility Module
The steps involved in configuration are as follows:
Cisco provides the Cisco AnyConnect Network Visibility Module (NVM) App for Splunk. The app ships pre-defined reports and dashboards that turn the IPFIX data from endpoints into usable reports and correlate user and endpoint behavior.
Link to App : https://splunkbase.splunk.com/app/2992/
To install it, go to Splunk >> Apps and either install the tar.gz file downloaded from Splunkbase or search for the app within the Apps section.
The default configuration receives two data input feeds, Per Flow Data and Endpoint Identity Data, on UDP ports 20519 and 20520 respectively. By default the collector component sends these feeds to those ports. If the ports are changed on the collector component (Step 2), they must also be changed in the app's data input settings in Splunk:
Go to Splunk >> Settings >> Data Input >> UDP
The collector component is responsible for collecting and translating all IPFIX (nvzFlow) data from the endpoints and forwarding it to the Splunk app. By default the collector device receives traffic on UDP port 2055. The collector IP address and port are part of the AnyConnect NVM client profile.
The collector runs on 64-bit Linux. CentOS and Ubuntu configuration scripts are included with the Splunk application; the CentOS install scripts and configuration files can also be used on Fedora and Red Hat distributions. The collector should run on either a standalone 64-bit Linux system or a Splunk Forwarder running on 64-bit Linux.
To install the collector, copy the CiscoNVMCollector_TA.tar file, located in the $APP_DIR$/appserver/addon/ directory, to the system you plan to install it on.
For this technote, Splunk is installed on a Windows workstation on the E: drive, so the CiscoNVMCollector_TA.tar file is located in the following directory:
E:\Program Files\Splunk\etc\apps\CiscoNVM\appserver\addon\
Extract the tar file on the system where you plan to install the collector and execute the install.sh script with super user privileges. Read the $PLATFORM$_README file in the .tar bundle before executing install.sh: it describes the configuration settings that need to be verified and, if necessary, modified beforehand. We need to configure the address of the Splunk instance, the listening ports we will forward data to, and the collector port on which we will receive IPFIX.
On the collector:
csaxena@csaxena-ubuntu-splunkcollector:~/Downloads/CiscoNVMCollector_TA$ ls
acnvmcollector   CENTOS_README                  libboost_log.so.1.57.0
acnvmcollectord  install_centos.sh              libboost_system.so.1.57.0
acnvm.conf       install.sh                     libboost_thread.so.1.57.0
acnvm.conf~      install_ubuntu.sh              UBUNTU_README
acnvm.service    libboost_filesystem.so.1.57.0
csaxena@csaxena-ubuntu-splunkcollector:~/Downloads/CiscoNVMCollector_TA$
At a minimum, we will need to configure the address of the Splunk instance where we plan to forward the flow data in the configuration file (acnvm.conf).
GNU nano 2.2.6    File: acnvm.conf

{
  "syslog_server_ip" : "192.0.2.113",
  "syslog_flowdata_server_port" : 20519,
  "syslog_sysdata_server_port" : 20520,
  "netflow_collector_port" : 2055,
  "log_level" : 7
}
By default, acnvm.conf defines the Per Flow Data port, the Endpoint Identity Data port and the collector port. If any custom port is used, make sure the same change is made in the Data Inputs on Splunk and in the NVM client profile on the endpoint.
More info: https://splunkbase.splunk.com/app/2992/#/documentation
On the ASDM:
Or use the Profile Editor:
Save the profile as NVM_ServiceProfile.xml in a secure location. The XML file must be placed in the following directory:
Profile in XML:
<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NVMProfile.xsd">
  <CollectorConfiguration>
    <CollectorIP>192.0.2.123</CollectorIP>
    <Port>2055</Port>
  </CollectorConfiguration>
  <Anonymize>false</Anonymize>
  <CollectionMode>all</CollectionMode>
</NVMProfile>
We also need to configure Trusted Network Detection in order to use NVM. Refer to AnyConnect Profile Editor, Preferences (Part 2) for information about setting this parameter.
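As an added check that is not part of the original technote, the following Python script verifies that the three places where addresses and ports are configured agree with each other: acnvm.conf on the collector, the NVM client profile on the endpoint, and the Splunk UDP data inputs. The configuration text is constructed from the values used in this technote, and the Splunk input ports are assumed to be the app defaults.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs, copied from the values used in this technote.
ACNVM_CONF = """{
  "syslog_server_ip" : "192.0.2.113",
  "syslog_flowdata_server_port" : 20519,
  "syslog_sysdata_server_port" : 20520,
  "netflow_collector_port" : 2055,
  "log_level" : 7
}"""

NVM_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:noNamespaceSchemaLocation="NVMProfile.xsd">
  <CollectorConfiguration>
    <CollectorIP>192.0.2.123</CollectorIP>
    <Port>2055</Port>
  </CollectorConfiguration>
  <Anonymize>false</Anonymize>
  <CollectionMode>all</CollectionMode>
</NVMProfile>"""

# UDP ports the Splunk app's data inputs listen on (Settings >> Data Inputs >> UDP).
# The app defaults are assumed here; adjust if you changed them in Splunk.
SPLUNK_UDP_INPUTS = {20519, 20520}


def check_consistency(conf_text, profile_text, splunk_ip, splunk_udp_ports, collector_ip):
    """Return a list of mismatches; an empty list means endpoint, collector and Splunk agree."""
    conf = json.loads(conf_text)
    root = ET.fromstring(profile_text.encode("utf-8"))
    problems = []
    # Endpoint side: the profile must point at the collector host and its IPFIX port.
    profile_ip = root.findtext("CollectorConfiguration/CollectorIP")
    profile_port = int(root.findtext("CollectorConfiguration/Port"))
    if profile_ip != collector_ip:
        problems.append(f"profile CollectorIP {profile_ip} does not match collector host {collector_ip}")
    if profile_port != conf["netflow_collector_port"]:
        problems.append(f"profile Port {profile_port} != netflow_collector_port {conf['netflow_collector_port']}")
    # Collector side: both syslog feeds must go to ports Splunk is actually listening on.
    if conf["syslog_server_ip"] != splunk_ip:
        problems.append(f"syslog_server_ip {conf['syslog_server_ip']} does not match Splunk host {splunk_ip}")
    for key in ("syslog_flowdata_server_port", "syslog_sysdata_server_port"):
        if conf[key] not in splunk_udp_ports:
            problems.append(f"{key} {conf[key]} has no matching Splunk UDP data input")
    return problems
```

Run it against the real acnvm.conf and NVM_ServiceProfile.xml before rolling the profile out; a non-empty result explains most "collector receives nothing" or "Splunk shows nothing" situations.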
If we plan to install it as a standalone module, we can install the package by starting Setup.exe. In the Cisco AnyConnect Secure Mobility Client Install Selector:
This can also be installed using LAN management software or using the ASA/ISE as the headend.
After the initial setup, you may need to restart one of your AnyConnect endpoints to ensure the initial IPFIX templates are sent to the collector. The client only sends the templates when certain events are triggered on the endpoint.
The template is sent from the client when one of the following events occurs:
We expect to see IPFIX/Cisco Flow (cflow) traffic from the endpoint to the collector component.
From the collector to Splunk, we expect syslog traffic on the ports defined in Step 2.
We can validate that the installation was successful by checking the installed modules section in the AnyConnect information.
We can also verify that the nvm service is running on the endpoint and that the profile is in the required directory.
We might see "no template found" in a packet capture on the endpoint or "no templates for flowset" in the collector logs.
Packet capture
Collector logs
Jan 20 12:48:54 csaxena-ubuntu-splunkcollector NVMCollector: no templates for flowset 258 for 10.150.176.167 yet
Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: HandleReceivedIPFIX: exporter=10.150.176.167 bytes_recvd=234 totlength=234
Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: =================> flowsetid=258 flowsetlen=218
Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: no templates for flowset 258 for 10.150.176.167 yet
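The collector log lines above can be triaged automatically. As an added example (not part of the original technote or the collector software), this Python snippet distinguishes endpoints whose IPFIX is arriving but cannot be decoded for lack of templates from endpoints that are healthy; the sample log is constructed from the lines above, and the second exporter 10.150.176.168 is made up for comparison.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the collector lines shown in this technote.
# The 10.150.176.168 exporter is invented to show a healthy endpoint for comparison.
COLLECTOR_LOG = """\
Jan 20 12:48:54 csaxena-ubuntu-splunkcollector NVMCollector: no templates for flowset 258 for 10.150.176.167 yet
Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: HandleReceivedIPFIX: exporter=10.150.176.167 bytes_recvd=234 totlength=234
Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: =================> flowsetid=258 flowsetlen=218
Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: no templates for flowset 258 for 10.150.176.167 yet
Jan 20 12:49:01 csaxena-ubuntu-splunkcollector NVMCollector: HandleReceivedIPFIX: exporter=10.150.176.168 bytes_recvd=512 totlength=512
"""

# Message shapes taken from the collector output above.
NO_TEMPLATE_RE = re.compile(r"no templates for flowset (\d+) for (\S+) yet")
RECEIVED_RE = re.compile(r"HandleReceivedIPFIX: exporter=(\S+) bytes_recvd=(\d+)")


def summarize_exporters(log_text):
    """Per exporter IP: bytes received, flowset ids still lacking a template, and how often that was logged."""
    stats = defaultdict(lambda: {"bytes_recvd": 0, "missing_templates": set(), "no_template_events": 0})
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            stats[m.group(1)]["bytes_recvd"] += int(m.group(2))
            continue
        m = NO_TEMPLATE_RE.search(line)
        if m:
            entry = stats[m.group(2)]
            entry["missing_templates"].add(int(m.group(1)))
            entry["no_template_events"] += 1
    return dict(stats)


def endpoints_needing_restart(log_text):
    """Exporters that reach the collector but whose flows cannot be decoded yet.

    These are the endpoints where a restart (or another template-triggering event)
    is needed so the client re-sends its IPFIX templates."""
    return sorted(ip for ip, s in summarize_exporters(log_text).items() if s["missing_templates"])
```

An exporter with bytes received and no missing templates is healthy; one with missing templates is the case described below.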
This can happen when the endpoint was enabled before the collector was set up. To resolve it, we need to ensure that one of the following events occurs:
We need to ensure the collector status is running, so that the collector receives IPFIX/cflow from the endpoints at all times.
csaxena@csaxena-ubuntu-splunkcollector:~$ /etc/init.d/acnvmcollectord status
 * acnvmcollector is running
csaxena@csaxena-ubuntu-splunkcollector:~$