csaxena, Cisco Employee

Table of Contents
Introduction
Prerequisites
Requirements
Components Used
Topology

Deployment

Step 1: Setup Splunk with Cisco NVM App
Step 2: Setup IPFIX Collector component
Step 3: Configuring AnyConnect NVM Client profile
Step 4: Installing AnyConnect NVM
Step 5: Data Collection

Verification

Validate NVM installation
Validate Flow templates are set
Validate Collector status as running

Related Links

Installation and Configuration of Cisco AnyConnect Network Visibility Module (NVM) Through AnyConnect 4.2.x and Splunk

Introduction

This document describes the method to install and configure the Cisco AnyConnect Network Visibility Module (NVM) on an end-user system using AnyConnect 4.2.x or higher.

The Cisco AnyConnect Network Visibility Module (NVM) is a medium for deploying security analytics. NVM gives organizations visibility into endpoint and user behavior on their network: it collects flows from endpoints both on and off premises, together with additional context such as users, applications, devices, locations and destinations.

This technote is a worked example using AnyConnect NVM with Splunk.

Prerequisites

Requirements

  • AnyConnect 4.2 with NVM and required modules
  • AnyConnect APEX license

Components Used

  • Cisco AnyConnect Secure Mobility Client 4.2 or higher
  • Cisco AnyConnect Profile Editor (available from Cisco.com), used to create the NVM profile that is pushed out via ASA/ISE as the head end or via LAN management software
  • Cisco Adaptive Security Appliance (ASA) running 9.5.2 as the gateway
  • Cisco Adaptive Security Device Manager (ASDM) 7.5.1 to configure NVM
  • Splunk Enterprise 6.3 (similar products from Splunk or other SIEM solutions can be used)
  • Ubuntu 14.04.3 LTS as the collector device (a Splunk forwarder host can also be used)

Topology

[Topology diagram]

In this technote :

Collector IP - 192.0.2.123

Splunk - 192.0.2.113

Deployment

AnyConnect deployment for Network Visibility Module

The steps involved in configuration are as follows:

  • Configure the AnyConnect NVM client profile, using either ASDM or the Profile Editor.
  • Edit the AnyConnect VPN group policy to deploy the NVM service profile.
  • Set up the collector service to receive IPFIX (cflow) from clients running AnyConnect NVM.
  • Set up Splunk to receive flows from the collector device.

Step 1: Setup Splunk with Cisco NVM App

Cisco provides the Cisco AnyConnect Network Visibility Module (NVM) App for Splunk. The app ships with pre-defined reports and dashboards that turn the IPFIX data from endpoints into usable reports and correlate user and endpoint behavior.

Link to App : https://splunkbase.splunk.com/app/2992/

[Screenshot: NVM App for Splunk on Splunkbase]

To install, go to Splunk >> Apps and either install the tar.gz file downloaded from Splunkbase or search for the app within the Apps section.

By default the app defines two UDP data inputs: Per Flow Data on UDP port 20519 and Endpoint Identity Data on UDP port 20520. The collector component sends these two feeds to those ports by default. If the ports are changed on the collector component (Step 2), the same change must be made in the app's Data Inputs in Splunk.

Go to Splunk >> Settings >> Data Inputs >> UDP

[Screenshot: Splunk UDP data inputs]

Step 2: Setup IPFIX Collector component

The collector component is responsible for collecting and translating all IPFIX (nvzFlow) data from the endpoints and forwarding it to the Splunk app. By default the collector receives IPFIX on UDP port 2055. The collector IP address and port are part of the AnyConnect NVM client profile.

The collector runs on 64-bit Linux. CentOS and Ubuntu configuration scripts are included with the Splunk application; the CentOS install scripts and configuration files can also be used on Fedora and Red Hat distributions. The collector should be run either on a standalone 64-bit Linux system or on a Splunk forwarder running on 64-bit Linux.

To install the collector, copy the CiscoNVMCollector_TA.tar file, located in the $APP_DIR$/appserver/addon/ directory of the Splunk app, to the system on which you plan to install it.

For this technote, Splunk is installed on a Windows workstation on the E: drive, so CiscoNVMCollector_TA.tar is located in the following directory:

E:\Program Files\Splunk\etc\apps\CiscoNVM\appserver\addon\

Extract the tar file on the system where the collector will run and execute the install.sh script with superuser privileges. Read the $PLATFORM$_README file in the .tar bundle before executing install.sh: it describes the configuration settings that need to be verified and, if necessary, modified first. At a minimum these are the address of the Splunk instance, the listening ports the data will be forwarded to, and the collector port on which IPFIX will be received.

On the collector,

  csaxena@csaxena-ubuntu-splunkcollector:~/Downloads/CiscoNVMCollector_TA$ ls
  acnvmcollector    CENTOS_README                  libboost_log.so.1.57.0
  acnvmcollectord   install_centos.sh              libboost_system.so.1.57.0
  acnvm.conf        install.sh                     libboost_thread.so.1.57.0
  acnvm.conf~       install_ubuntu.sh              UBUNTU_README
  acnvm.service     libboost_filesystem.so.1.57.0
  csaxena@csaxena-ubuntu-splunkcollector:~/Downloads/CiscoNVMCollector_TA$

At a minimum, we will need to configure the address of the Splunk instance where we plan to forward the flow data in the configuration file (acnvm.conf).

acnvm.conf:

  {
    "syslog_server_ip" : "192.0.2.113",
    "syslog_flowdata_server_port" : 20519,
    "syslog_sysdata_server_port" : 20520,
    "netflow_collector_port" : 2055,
    "log_level" : 7
  }

By default acnvm.conf defines the Per Flow Data port, the Endpoint Identity Data port and the collector port. If any custom port is used, make the matching change in the Data Inputs on Splunk (for the two syslog ports) and in the NVM client profile on the endpoint (for the collector port).

More info on : https://splunkbase.splunk.com/app/2992/#/documentation

Step 3: Configuring AnyConnect NVM Client profile

On the ASDM

  • Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > NVM Profile

or Use the profile editor

[Screenshot: NVM profile in the profile editor]

Save the profile as NVM_ServiceProfile.xml in a secure location. The XML file must be placed in the following directory on the endpoint:

  • For Windows 7 or higher, put the file in this folder: %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\NVM
  • For Mac, put the file in this folder:
    /opt/cisco/anyconnect/nvm

Profile in xml

  <?xml version="1.0" encoding="UTF-8"?>
  <NVMProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NVMProfile.xsd">
    <CollectorConfiguration>
      <CollectorIP>192.0.2.123</CollectorIP>
      <Port>2055</Port>
    </CollectorConfiguration>
    <Anonymize>false</Anonymize>
    <CollectionMode>all</CollectionMode>
  </NVMProfile>

Trusted Network Detection (TND) must also be configured in order to use NVM. Refer to AnyConnect Profile Editor, Preferences (Part 2) in the administrator guide for information about setting this parameter.
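The three configuration points in Steps 1 through 3 have to agree: the profile's CollectorIP and Port must match the collector's address and netflow_collector_port, and the collector's two syslog ports must exist as UDP data inputs on the Splunk host named in syslog_server_ip. The following added Python example, which is not part of the Cisco NVM app or collector, checks this using the values from this technote as constructed samples; the Splunk inputs are modelled as a port-to-sourcetype dictionary with placeholder sourcetype names.

```python
"""Cross-check the three places where the NVM ports and addresses from Steps 1-3
must agree: the collector's acnvm.conf, the endpoint's NVM_ServiceProfile.xml and
the Splunk UDP data inputs. Added example; not part of the Cisco NVM app."""
import json
import xml.etree.ElementTree as ET

# Constructed samples, copied from the values used in this technote.
ACNVM_CONF = """{
  "syslog_server_ip" : "192.0.2.113",
  "syslog_flowdata_server_port" : 20519,
  "syslog_sysdata_server_port" : 20520,
  "netflow_collector_port" : 2055,
  "log_level" : 7
}"""

NVM_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:noNamespaceSchemaLocation="NVMProfile.xsd">
  <CollectorConfiguration>
    <CollectorIP>192.0.2.123</CollectorIP>
    <Port>2055</Port>
  </CollectorConfiguration>
  <Anonymize>false</Anonymize>
  <CollectionMode>all</CollectionMode>
</NVMProfile>"""

# Splunk >> Settings >> Data Inputs >> UDP, modelled as {port: sourcetype}.
# The sourcetype names are placeholders, not the app's real names.
SPLUNK_UDP_INPUTS = {20519: "nvm:flowdata", 20520: "nvm:sysdata"}


def check_nvm_ports(acnvm_conf, nvm_profile, splunk_udp_inputs, collector_ip, splunk_ip):
    """Return a list of mismatches between the three configs; an empty list means consistent."""
    problems = []
    conf = json.loads(acnvm_conf)
    root = ET.fromstring(nvm_profile.encode("utf-8"))

    # Hop 1, endpoint -> collector: the profile must name this collector host and
    # the port the collector actually listens on (netflow_collector_port).
    profile_ip = root.findtext("CollectorConfiguration/CollectorIP")
    profile_port = int(root.findtext("CollectorConfiguration/Port"))
    if profile_ip != collector_ip:
        problems.append(f"profile CollectorIP {profile_ip} != collector address {collector_ip}")
    if profile_port != conf["netflow_collector_port"]:
        problems.append(f"profile Port {profile_port} != netflow_collector_port "
                        f"{conf['netflow_collector_port']}")

    # Hop 2, collector -> Splunk: the syslog target must be the Splunk host, and each
    # of the two feed ports must exist as a UDP data input or that feed is lost.
    if conf["syslog_server_ip"] != splunk_ip:
        problems.append(f"syslog_server_ip {conf['syslog_server_ip']} != Splunk address {splunk_ip}")
    for key in ("syslog_flowdata_server_port", "syslog_sysdata_server_port"):
        if conf[key] not in splunk_udp_inputs:
            problems.append(f"{key} {conf[key]} has no matching Splunk UDP data input")

    # The two feeds are different record types; on one port Splunk cannot tell them apart.
    if conf["syslog_flowdata_server_port"] == conf["syslog_sysdata_server_port"]:
        problems.append("flow data and endpoint identity data share one port")
    return problems


if __name__ == "__main__":
    result = check_nvm_ports(ACNVM_CONF, NVM_PROFILE, SPLUNK_UDP_INPUTS,
                             "192.0.2.123", "192.0.2.113")
    for line in result or ["configuration is consistent"]:
        print(line)
```

Both hops are plain UDP with no authentication, so a port that is open but points at the wrong host simply loses data silently rather than failing loudly. Pairing this check with host firewall rules that only allow UDP/2055 from the endpoint address ranges and UDP/20519-20520 from the collector address keeps records from unexpected sources out of the dashboards.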

Step 4: Installing AnyConnect NVM

To install NVM as a standalone module, start Setup.exe to install the client software. In the Cisco AnyConnect Secure Mobility Client Install Selector:

    • Ensure the AnyConnect Network Visibility Module check box is selected.

NVM can also be installed using LAN management software or pushed from ASA/ISE as the head end.

Step 5: Data Collection

After initial setup, you may need to restart one of your AnyConnect endpoints to ensure the initial IPFIX templates are sent to the collector. The client sends templates only when certain events are triggered on the endpoint.

The template is sent from the client when one of the following events occurs:

  1. There is a change in the NVM client profile.
  2. There is a network change event.
  3. The nvmagent service is restarted.
  4. The endpoint is rebooted/restarted.

The Network Visibility Module sends flow information only when it is on a trusted network. It uses the TND feature of the VPN client to learn whether the endpoint is on a trusted network. If the VPN is in the connected state, the endpoint is also considered to be on the trusted network and flow information is sent.

We expect to see IPFIX/Cisco Flow (cflow) traffic from the end point to the Collector component.

[Screenshot: packet capture of IPFIX/cflow traffic from the endpoint to the collector]

From the collector to Splunk, we expect syslog traffic on the ports defined in Step 2.

Verification

Validate NVM installation

Validate that the installation succeeded by checking the installed modules section in the AnyConnect client's information dialog.

[Screenshot: AnyConnect installed modules]

Also verify that the nvm service is running on the endpoint and that the profile is in the required directory.

Validate Flow templates are set

If flow data arrives before its template, we might see "no template found" in a packet capture on the endpoint or "no templates for flowset" in the collector logs.

Packet capture

[Screenshot: packet capture showing "no template found"]

Collector logs

  Jan 20 12:48:54 csaxena-ubuntu-splunkcollector NVMCollector: no templates for flowset 258 for 10.150.176.167 yet
  Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: HandleReceivedIPFIX: exporter=10.150.176.167 bytes_recvd=234 totlength=234
  Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: =================> flowsetid=258 flowsetlen=218
  Jan 20 12:48:55 csaxena-ubuntu-splunkcollector NVMCollector: no templates for flowset 258 for 10.150.176.167 yet

This happens when the endpoint was enabled before the collector was set up: the templates were exported while nothing was listening, and the data records that follow cannot be decoded without them. To recover, ensure that one of the following events occurs so that the client re-sends its templates:

  1. There is a change in the NVM client profile.
  2. There is a network change event.
  3. The nvmagent service is restarted.
  4. The endpoint is rebooted/restarted.
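The collector log above shows data sets for flowset 258 arriving from 10.150.176.167 with no matching template. The following added Python example, which is not the Cisco collector's code, walks the sets of an IPFIX message with a per-exporter template cache and reproduces that state, then shows decoding succeeding once a template set for 258 arrives. The element IDs in the sample template are standard IPFIX ones rather than Cisco's nvzFlow elements, and the messages are constructed in the block itself.

```python
"""Minimal IPFIX (RFC 7011) set walker with a per-exporter template cache. It
reproduces the 'no templates for flowset N for <exporter> yet' condition seen in the
collector log above. Added example, not the Cisco collector's code; the element IDs
in the sample template are standard IPFIX ones, not Cisco's nvzFlow elements."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2  # set id 3 (options templates) is not handled here


def build_message(sets, domain_id=1, seq=0, export_time=0):
    """Assemble a complete IPFIX message: 16-byte header plus sets. Test data only."""
    body = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain_id) + body


def build_template_set(template_id, fields):
    """fields: [(element_id, length)]; enterprise-specific elements omitted."""
    rec = struct.pack("!HH", template_id, len(fields))
    rec += b"".join(struct.pack("!HH", eid, flen) for eid, flen in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec


def build_data_set(template_id, records):
    payload = b"".join(records)
    return struct.pack("!HH", template_id, 4 + len(payload)) + payload


class TemplateCache:
    """Templates keyed the way a collector must key them: (exporter, domain, template id)."""
    def __init__(self):
        self.templates = {}

    def handle_message(self, exporter, data):
        """Walk every set in one message and return collector-style log events."""
        if len(data) < 16:
            return [f"short IPFIX message from {exporter}"]
        version, length, _time, _seq, domain = struct.unpack("!HHIII", data[:16])
        if version != IPFIX_VERSION or length != len(data):
            return [f"bad IPFIX header from {exporter}"]
        events, offset = [], 16
        while offset + 4 <= length:
            set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
            if set_len < 4 or offset + set_len > length:
                events.append(f"malformed set id={set_id} len={set_len} from {exporter}")
                break
            body = data[offset + 4:offset + set_len]
            if set_id == TEMPLATE_SET_ID:
                events += self._learn_templates(exporter, domain, body)
            elif set_id >= 256:  # 256 and above are data sets named after a template
                events.append(self._decode_data(exporter, domain, set_id, body))
            else:
                events.append(f"unsupported set id {set_id} from {exporter}")
            offset += set_len
        return events

    def _learn_templates(self, exporter, domain, body):
        events, pos = [], 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if tid == 0:  # zero bytes here are set padding, not a template
                break
            fields = []
            for _ in range(count):
                if pos + 4 > len(body):
                    return events + [f"truncated template {tid} from {exporter}"]
                eid, flen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if eid & 0x8000:  # enterprise bit: a 4-byte enterprise number follows
                    eid, pos = eid & 0x7FFF, pos + 4
                fields.append((eid, flen))
            self.templates[(exporter, domain, tid)] = fields
            events.append(f"learned template {tid} ({count} fields) from {exporter}")
        return events

    def _decode_data(self, exporter, domain, tid, body):
        fields = self.templates.get((exporter, domain, tid))
        if fields is None:
            # Records cannot be decoded without their template; this persists until the
            # endpoint re-sends templates after one of the events listed above.
            return f"no templates for flowset {tid} for {exporter} yet"
        rec_len = sum(flen for _, flen in fields)
        if rec_len == 0 or any(flen == 65535 for _, flen in fields):
            return f"flowset {tid} from {exporter}: variable-length fields not handled"
        return f"flowset {tid} from {exporter}: {len(body) // rec_len} record(s) decoded"


def simulate_endpoint_enabled_before_collector(exporter="10.150.176.167"):
    """Scenario from this technote: data arrives before any template, then a restart or
    profile change makes the client re-send its templates and decoding succeeds."""
    cache = TemplateCache()
    fields = [(8, 4), (7, 2)]  # sourceIPv4Address, sourceTransportPort (constructed)
    record = struct.pack("!4sH", bytes([10, 150, 176, 167]), 51234)
    first = build_message([build_data_set(258, [record])], seq=0)
    second = build_message([build_template_set(258, fields),
                            build_data_set(258, [record, record])], seq=1)
    return cache.handle_message(exporter, first) + cache.handle_message(exporter, second)
```

Two details matter for troubleshooting. Templates are scoped to (exporter, observation domain, template ID), so a template learned from one endpoint never satisfies another endpoint's data set with the same ID, which is why each affected endpoint has to trigger its own template re-send. And data sets received before their template are not buffered for later; they are unusable, so flows exported during the gap are lost even after the template arrives.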
 

Validate Collector status as running

Ensure the collector status is running. A running collector is a prerequisite for receiving IPFIX/cflow from the endpoints; if it is stopped, the UDP flows the endpoints send are simply dropped.

  csaxena@csaxena-ubuntu-splunkcollector:~$ /etc/init.d/acnvmcollectord status
   * acnvmcollector is running
  csaxena@csaxena-ubuntu-splunkcollector:~$

Related Links

  1. Cisco AnyConnect Network Visibility Module (NVM) App for Splunk: https://splunkbase.splunk.com/app/2992/
  2. Splunk documentation on collector setup and installing the collector scripts: https://splunkbase.splunk.com/app/2992/#/documentation
  3. Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.2: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Admini...
