
Cascade® Shark® Appliance
User’s Guide
Version 10.0.5
February 2012
© 2013 Riverbed Technology. All rights reserved.
Accelerate®, AirPcap®, BlockStream™, Cascade®, Cloud Steelhead®, Granite™, Interceptor®, RiOS®, Riverbed®, Shark®,
SkipWare®, Steelhead®, TrafficScript®, TurboCap®, Virtual Steelhead®, Whitewater®, WinPcap®, Wireshark®, and
Stingray™ are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries.
Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other
trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without
the prior written consent of Riverbed Technology or their respective owners.
F5, the F5 logo, iControl, iRules, and BIG-IP are registered trademarks or trademarks of F5 Networks, Inc. in the U.S. and certain
other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. VMware, ESX, ESXi are
trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.
Portions of Cascade® products contain copyrighted information of third parties. Title thereto is retained, and all rights therein
are reserved, by the respective copyright owner. PostgreSQL is (1) Copyright © 1996-2009 The PostgreSQL Development
Group, and (2) Copyright © 1994-1996 the Regents of the University of California; PHP is Copyright © 1999-2009 The PHP
Group; gnuplot is Copyright © 1986-1993, 1998, 2004 Thomas Williams, Colin Kelley; ChartDirector is Copyright © 2007
Advanced Software Engineering; Net-SNMP is (1) Copyright © 1989, 1991, 1992 Carnegie Mellon University, Derivative Work
1996, 1998-2000 Copyright © 1996, 1998-2000 The Regents of The University of California, (2) Copyright © 2001-2003
Network Associates Technology, Inc., (3) Copyright © 2001-2003 Cambridge Broadband Ltd., (4) Copyright © 2003 Sun
Microsystems, Inc., (5) Copyright © 2003-2008 Sparta, Inc. and (6) Copyright © 2004 Cisco, Inc. and Information Network
Center of Beijing University of Posts and Telecommunications, (7) Copyright © Fabasoft R&D Software; Apache is Copyright ©
1999-2005 by The Apache Software Foundation; Tom Sawyer Layout is Copyright © 1992 - 2007 Tom Sawyer Software; Click
is (1) Copyright © 1999-2007 Massachusetts Institute of Technology, (2) Copyright © 2000-2007 Riverbed Technology, Inc.,
(3) Copyright © 2001-2007 International Computer Science Institute, and (4) Copyright © 2004-2007 Regents of the
University of California; OpenSSL is (1) Copyright © 1998-2005 The OpenSSL Project and (2) Copyright © 1995-1998 Eric
Young (eay@cryptsoft.com); Netdisco is (1) Copyright © 2003, 2004 Max Baker and (2) Copyright © 2002, 2003 The Regents
of The University of California; SNMP::Info is (1) Copyright © 2003-2008 Max Baker and (2) Copyright © 2002, 2003 The
Regents of The University of California; mm is (1) Copyright © 1999-2006 Ralf S. Engelschall and (2) Copyright © 1999-2006
The OSSP Project; ares is Copyright © 1998 Massachusetts Institute of Technology; libpq++ is (1) Copyright © 1996-2004 The
PostgreSQL Global Development Group, and (2) Copyright © 1994 the Regents of the University of California; Yahoo is
Copyright © 2006 Yahoo! Inc.; pd4ml is Copyright © 2004-2008 zefer.org; Rapid7 is Copyright © 2001-2008 Rapid7 LLC;
CmdTool2 is Copyright © 2008 Intel Corporation; QLogic is Copyright © 2003-2006 QLogic Corporation; Tarari is Copyright ©
2008 LSI Corporation; Crypt_CHAP is Copyright © 2002-2003, Michael Bretterklieber; Auth_SASL is Copyright © 2002-2003
Richard Heyes; Net_SMTP is Copyright © 1997-2003 The PHP Group; XML_RPC is (1) Copyright © 1999-2001 Edd Dumbill, (2)
Copyright © 2001-2006 The PHP Group; Crypt_HMAC is Copyright © 1997-2005 The PHP Group; Net_Socket is Copyright ©
1997-2003 The PHP Group; PEAR::Mail is Copyright © 1997-2003 The PHP Group; libradius is Copyright © 1998 Juniper
Networks. This software is based in part on the work of the Independent JPEG Group and the work of the FreeType team.
This documentation is furnished “AS IS” and is subject to change without notice and should not be construed as a commitment
by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of
Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction,
release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition
Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military
agencies. This documentation qualifies as “commercial computer software documentation” and any use by the government
shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability
for any errors or inaccuracies that may appear in this documentation.
Individual license agreements can be viewed at the following location: https://<appliance_name>/license.php
This manual is for informational purposes only. Addresses shown in screen captures were generated by simulation software
and are for illustrative purposes only. They are not intended to represent any real traffic or any registered IP or MAC addresses.
712-00091-05
Contents

About this guide ... v
  Scope ... v
  Audience ... v
  Terminology ... v
Concepts ... 1
  Cascade Shark family of products ... 1
    User interfaces ... 1
    Storage ... 1
    Capture jobs ... 1
  Cascade Pilot software ... 2
  Microflow Indexing ... 2
Tasks ... 3
  Connecting to the appliance ... 3
    Logging in using a browser ... 3
    Logging in using Cascade Pilot software ... 4
    Logging out ... 5
  Checking appliance status ... 5
  Setting basic appliance parameters ... 6
  Configuring data export to Cascade Profiler appliances ... 7
  Configuring data collection ports ... 8
    Shark appliances ... 8
    Shark-VE appliances ... 10
  Capturing network data ... 11
    Viewing capture jobs ... 11
    Adding/editing capture jobs ... 13
    Controlling capture jobs ... 16
    Using Cascade Pilot software to create capture jobs ... 16
    Exporting packets ... 17
  Managing users and groups ... 18
    Adding users and groups ... 18
    Changing user passwords ... 19
    Unlocking a locked-out user ... 20
    Setting up the login screen ... 21
    Authenticating users ... 23
  Managing security functions ... 30
    Setting up auditing ... 30
    Setting up a firewall ... 31
    Managing certificates ... 34
  Managing the appliance ... 39
    Enabling SNMP management ... 39
    Setting up notifications ... 41
    Updating system software ... 43
    Performing maintenance functions ... 45
  Advanced Configuration Settings ... 48
    Port and protocol names ... 49
    Port and protocol groups ... 50
    Advanced settings ... 50
  Troubleshooting an initial installation ... 51
Cascade Shark Appliance User’s Guide
iii
  Securing your appliance configuration ... 52
    Common Criteria initial setup ... 52
    Common Criteria operation ... 57
    JITC-hardened initial setup ... 58
Reference ... 61
  CLI commands ... 61
    Certificate commands ... 62
    Interface commands ... 63
    License commands ... 63
    Service commands ... 64
    System commands ... 64
    Uptime-report commands ... 66
    Wizard command ... 67
    Help command ... 67
    Exit command ... 67
Appendix A: BIOS settings for Cascade Shark appliances ... 69
  How to change the BIOS password ... 69
  How to disable booting from removable media ... 72
About this guide
Scope
This guide covers the Riverbed® Cascade® Shark® family of network appliances:
• Riverbed Cascade Shark appliances (Shark appliances)
• Riverbed Cascade Shark Virtual Edition appliances (Shark-VE appliances)
It tells you how to configure and operate Shark and Shark-VE appliances. It assumes that your
appliances are ready to receive packets and can communicate on your network. (Instructions for
getting your appliances to that state are provided by the Quick Start Guides for the appliances.) The
configuration and operation activities covered by this guide are performed primarily over the
network, rather than through direct console connections to the appliances.
Audience
This guide is intended for network administrators. It assumes a solid knowledge of computer
networking.
Terminology
Note that “capture ports” have been renamed. As of version 10.0 they are called “interfaces”, and
the web user interface has been updated to reflect that change.
(Figure: “Capture Ports” are now “Interfaces”.)
Concepts
Cascade Shark family of products
The Shark products capture and analyze network traffic. They come in two general forms:
• Cascade Shark appliances (Shark appliances)—rack-mounted standalone hardware devices for capturing and analyzing network packet data
• Cascade Shark Virtual Edition appliances (Shark-VE appliances)—packet capture and analysis software running as virtual machines in virtual environments
These products capture packets at network speeds up to 10 Gbps. They can also generate Microflow
Indexing data, described below on page 2. Microflow Indexing provides summary data, allowing for
very rapid analysis of some types of network traffic information. In addition, the Shark products can
capture network flow information and forward it to Cascade Profiler appliances for analysis.
User interfaces
Initial configuration of Shark products is performed through a console interface. This configuration
is described in the Quick Start Guides for the Shark appliances and the Shark-VE appliances.
Normal operation of the appliances is performed through a web user interface, which is accessible
from a standard web browser or through the Cascade Pilot software.
Storage
The Shark products include two separate storage subsystems:
• The OS file system contains the Shark appliance operating system, software, pcap trace files, View metrics, and Microflow Indexing data for Job Traces and pcap files.
• The Packet Storage subsystem is used by the Shark Packet Recorder to store job traces. This storage system is optimized to provide high-speed writing to disk and fast read access for arbitrary time intervals within a job trace.
Capture jobs
Network traffic data capture is organized into capture jobs. Capture job parameters specify start
times for capture jobs, capture job duration, data filtering, and so on. You will encounter these
terms in your work with Shark products:
• Capture job: A capture job refers to the specific parameters associated with a packet recording session. These parameters include the job name, the network interface, a BPF filter, start and stop criteria, and an upper bound on the amount of storage to be used by the capture job.
• Job trace: The job trace represents the network traffic saved in the packet storage. Each capture job is associated with exactly one job trace, which has the same name as the capture job.
• Trace clips: Trace clips represent user-defined time intervals within a job trace.
• Jobs repository: In Cascade Pilot, the Files panel for a Shark appliance contains a folder called the Jobs Repository that has an icon and the name for each job trace in the appliance.
• Virtual job device: In Cascade Pilot, the Devices panel for a Shark appliance contains an icon and the name for each Virtual Job Device representing the network interface associated with a capture job on the appliance. Views can be applied to these capture job interfaces, creating a visual analysis and representation of what was captured by the corresponding capture job.
Cascade Pilot software
The Cascade Pilot software integrates closely with the Shark products to provide analysis and
display of network data captured by the Shark products. Cascade Pilot is a distributed analysis tool,
using the Shark and Shark-VE appliances to perform computations and integrating the results for
display. This distributed processing saves network bandwidth—only the results, not the underlying
packet data, are transferred across the network—and allows Cascade Pilot to manipulate very large
packet trace files.
Cascade Pilot contains an extensive collection of network traffic analysis metrics (Views), and can
analyze live or offline traffic sources. It allows drag-and-drop drill-down (successive application of
Views), visualization and analysis of long-duration and multi-source packet captures, trigger-alert
mechanisms, and report generation.
Microflow Indexing
Microflow Indexing captures summary information about conversations between devices on the
network. This information is all that is needed by the Cascade Pilot software to calculate many of
the View metrics that describe the traffic stream. Because it is already in summary form, processing
of Microflow Indexing data for View metrics is very fast.
In simplified terms, the Microflow Indexing process is this: For each packet, there is a conversation
identifier consisting of the 5-tuple:
• source IP address
• destination IP address
• IP protocol
• source port
• destination port
When the Microflow Indexing feature is enabled for a capture job, the Shark appliance computes
the total bytes and number of packets for each unique conversation identifier in the traffic stream
for each second. This information is stored in a file on the OS disk and is referred to as Microflow
Indexing data.
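The following is an added example, not Riverbed's code, showing the summary the section describes: for every whole second and every unique 5-tuple, the total bytes and packet count, plus two queries that can be answered from the index alone without touching the packets. The packet records are constructed for the example; the field layout, the function names and the per-second key are this example's assumptions.

```python
# Added example (not Riverbed's code): per-second Microflow Indexing summaries
# keyed by the 5-tuple conversation identifier, computed from constructed packets.
from collections import defaultdict
from typing import Dict, Iterable, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # src IP, dst IP, IP protocol, src port, dst port
PacketRecord = Tuple[float, str, str, int, int, int, int]   # timestamp + 5-tuple + wire bytes
IndexKey = Tuple[int, FiveTuple]              # (whole second, conversation)

def microflow_index(packets: Iterable[PacketRecord]) -> Dict[IndexKey, Tuple[int, int]]:
    """Return {(second, 5-tuple): (total_bytes, packet_count)} for the stream."""
    totals: Dict[IndexKey, list] = defaultdict(lambda: [0, 0])
    for ts, src, dst, proto, sport, dport, length in packets:
        key = (int(ts), (src, dst, proto, sport, dport))
        totals[key][0] += length
        totals[key][1] += 1
    return {key: (b, n) for key, (b, n) in totals.items()}

def conversation_bytes(index: Dict[IndexKey, Tuple[int, int]], conv: FiveTuple) -> int:
    """A View-style query answered from the index alone: bytes for one conversation."""
    return sum(b for (_, t), (b, _) in index.items() if t == conv)

def bytes_per_second(index: Dict[IndexKey, Tuple[int, int]]) -> Dict[int, int]:
    """Another index-only query: total bytes seen in each second."""
    per_second: Dict[int, int] = defaultdict(int)
    for (second, _), (b, _) in index.items():
        per_second[second] += b
    return dict(per_second)

# Constructed packet records (nothing was captured): ts, src, dst, proto, sport, dport, bytes.
SAMPLE_PACKETS = [
    (1000.10, "10.0.0.5", "10.0.0.9", 6, 40123, 443, 74),
    (1000.35, "10.0.0.9", "10.0.0.5", 6, 443, 40123, 74),
    (1000.80, "10.0.0.5", "10.0.0.9", 6, 40123, 443, 1514),
    (1001.05, "10.0.0.5", "10.0.0.9", 6, 40123, 443, 1514),
    (1001.50, "10.0.0.7", "10.0.0.53", 17, 51000, 53, 80),
]
```

Each direction of a TCP connection is a separate 5-tuple, so a conversation between two hosts appears as two index entries per second; the index holds one small record per conversation per second regardless of how many packets were seen, which is why View metrics built on it are much cheaper to compute than a pass over the packet data.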
Tasks
Tasks for Shark appliances and Shark-VE appliances are very similar, often identical. Differences
are noted in the text. Screen shots shown in the following pages may be from either product, except
that screen shots from both products are shown in cases where there is a significant difference.
Connecting to the appliance
Connect to the appliance through its web user interface. You can do this using your web browser or
using the Cascade Pilot software.
Logging in using a browser
1) Point your browser at https://<shark>, where <shark> is the IP address or DNS name of the appliance.
2) Enter username and password, then click the Login button. (Default value is “admin” for both username and password.)
Logging in using Cascade Pilot software
1) Click the Remote tab.
2) Click the Devices button.
3) Select the device.
4) Click the Web Interface button.
5) Enter the username and password. (Default value is “admin” for both username and password.)
6) Click the Login button.
Logging out
1) Click to log out.
Checking appliance status
1) Click the Status tab to bring up the Status screen.
(Screen callouts: status of capture jobs; disk and memory usage; Cascade Profiler statistics; Cascade Profiler export configuration; status of interfaces.)
Setting basic appliance parameters
The Settings -> Basic Settings screen allows you to change the configuration parameters that you
set during initial configuration.
1) Click the Settings tab, then select Basic Settings.
2) Make changes to settings as needed:
• Enter a name for the appliance.
• Select a city in the appliance’s time zone.
• Enter addresses for NTP time servers.
• Click to use DHCP addressing, or enter IP address, mask, and gateway.
• Enter DNS information.
• Click to enable FIPS mode.
• Click to enable SSH access.
3) Click to apply settings.
Changes to the Host Name, IP Address, or Timezone parameters require a reboot.
The Enable FIPS 140-2 Compatible Cryptography checkbox enables the use of a cryptographic
module that has been certified to be FIPS 140-2 compliant (certificate #1747). This mode of
operation is referred to as “FIPS mode” for brevity.
Configuring data export to Cascade Profiler appliances
You can configure a Shark appliance to export network flow statistics to one or two Cascade Profiler
appliances. You can view the configured Profiler Export settings and the export statistics on the
Status page.
1) Click to enable export.
2) Enter IP address or DNS name for up to two Cascade Profiler appliances.
3) Enable all ports or individual ports to export data.
4) Enter a BPF filter, if desired.
5) Enable output of VoIP metrics, if desired.
6) Click to apply configuration.
You can specify one BPF filter per port.
When Profiler Export is configured, the Shark appliance uses the configured Cascade Profiler
appliances as NTP servers for time synchronization.
Configuring data collection ports
Because of product differences between a Shark appliance and a Shark-VE appliance—one has
physical ports, the other does not—separate descriptions of the interface configuration are given
below.
Shark appliances
Interfaces (formerly called capture ports) are contained on one or more network interface cards
located at the back of the Shark appliance chassis. Physical ports are grouped into logical boards
composed of two ports each. In the example screen below, a card with four ports is represented as
two boards with two ports each.
1) Click the Interfaces tab.
2) Set interface parameters as desired. (Screen callouts: board info; Passthru; Timestamping; Blink; Deduplication; link info.)
3) Click to save changes.
You can configure several parameters for each interface.
Identifying the physical port (setting Blink)
The Start Blink button causes the LED next to the network port (located on the back panel of the
Shark appliance) to blink. This can help you positively identify the port you are configuring.
(Screen callouts: click to start blink; click again to stop.)
When you no longer need the LED to blink, turn it off by clicking the Stop Blink button (in the same
location).
Setting Passthru mode
Passthru mode is supported only for 1G copper NICs. When Passthru mode is enabled the two ports
of a logical board act as a network tap: packets received on one port are sent out through the other
port, and vice versa. The board can negotiate only one fixed, full-duplex rate on the two ports.
(Screen callouts: click to enable Passthru mode; drop down and click to set board speed.)
When Passthru mode is disabled the board operates as two independent ports.
Setting Timestamping
The Timestamping parameter lets you select the timing source for data captures made by the port.
Timestamping settings can be modified only on an interface where no capture job has been defined.
(Screen callouts: use Shark Internal for connection to a mirror (SPAN) port; use a tap selection for connection to a network tap.)
When timestamping is set to Shark Internal, captured packets are timestamped using the Shark
appliance’s internal clock reference. The other options use the internal clocks of the selected
network tap, eliminating any latency and improving timestamp precision. Make sure to select the
timestamping mode corresponding to the tap the port is physically connected to; otherwise you
may get unpredictable results (false packets, false timestamps, dropped packets, and so on).
Setting the Timestamping parameter gives you the highest level of timing accuracy at a capture
interface. Timestamping can help maintain accuracy when analyzing packet flows using
Multi-Segment Analysis with the Cascade Pilot software.
Eliminating packet redundancy (setting Deduplication)
If the Shark appliance is receiving packets from more than one source in the same network (by
using a SPAN port or an aggregating tap, for example), it may receive some of the packets more than
once. Enabling Deduplication causes the appliance to discard the duplicate packets, allowing for
more accurate traffic analysis.
(Screen callout: click to discard redundant packets.)
Note that Deduplication consumes additional resources, and may affect performance in a busy
network. Deduplication applies only to one single physical port. It does not deduplicate packets
from multiple turbocap ports.
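The following is an added example, not Riverbed's code, of the behaviour this section describes: the same frame reaching one interface twice (for instance once via a SPAN session and once via an aggregating tap) is recorded once. The guide does not say how the appliance recognises a duplicate; this example assumes a duplicate is a frame whose bytes are identical to a frame seen on the same interface within the last `window` seconds. The class and function names and the sample frames are constructed for the example.

```python
# Added example (not Riverbed's code): dropping frames seen more than once on one
# interface. Assumption: a duplicate is a byte-identical frame seen within `window`
# seconds on the same interface (one Deduplicator instance per physical port).
import hashlib
from collections import deque
from typing import Deque, List, Set, Tuple

Frame = Tuple[float, bytes]   # (capture timestamp in seconds, raw frame bytes)


class Deduplicator:
    """Per-interface duplicate filter; keep one instance per physical port."""

    def __init__(self, window: float = 0.5):
        self.window = window
        self.recent: Deque[Tuple[float, bytes]] = deque()   # (ts, digest) in arrival order
        self.seen: Set[bytes] = set()                        # digests still inside the window
        self.dropped = 0

    def _expire(self, now: float) -> None:
        # Digests older than the window no longer count as duplicates.
        while self.recent and now - self.recent[0][0] > self.window:
            _, digest = self.recent.popleft()
            self.seen.discard(digest)

    def accept(self, frame: Frame) -> bool:
        """True if the frame should be recorded, False if it is a duplicate."""
        ts, data = frame
        self._expire(ts)
        digest = hashlib.sha256(data).digest()
        if digest in self.seen:
            self.dropped += 1
            return False
        self.seen.add(digest)
        self.recent.append((ts, digest))
        return True


def deduplicate(frames: List[Frame], window: float = 0.5) -> Tuple[List[Frame], int]:
    """Run a frame list through one Deduplicator; returns (kept frames, dropped count)."""
    dedup = Deduplicator(window)
    kept = [f for f in frames if dedup.accept(f)]
    return kept, dedup.dropped


# Constructed frames: the SPAN copy and the tap copy of the same frame arrive about
# 1 ms apart; the last frame repeats earlier bytes well outside the window.
SAMPLE_FRAMES: List[Frame] = [
    (0.000, b"\x00" * 12 + b"\x08\x00" + b"A" * 46),
    (0.001, b"\x00" * 12 + b"\x08\x00" + b"A" * 46),
    (0.100, b"\x00" * 12 + b"\x08\x00" + b"B" * 46),
    (0.110, b"\x00" * 12 + b"\x08\x00" + b"B" * 46),
    (0.200, b"\x00" * 12 + b"\x08\x00" + b"C" * 46),
    (1.000, b"\x00" * 12 + b"\x08\x00" + b"A" * 46),
]
```

The window is the trade-off the section's performance note alludes to: a larger window catches duplicates that arrive further apart but costs more memory per interface and risks dropping a genuine byte-identical retransmission that happens to fall inside it, which is also why the guide scopes deduplication to a single physical port.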
Shark-VE appliances
One interface, mon0, is preconfigured into the appliance and is installed as part of the deployment
process. You can add up to three additional ports after deployment. Ports are assigned to logical
boards, one port per board. The example screen below shows a typical configuration with a single
interface.
There are no parameters to set for the interfaces on a Shark-VE appliance.
1) Click the Interfaces tab. (Screen callouts: board info; interface info; link info.)
Capturing network data
Viewing capture jobs
For quick capture job status, look on the Status page.
1) Click the Status tab to see quick job status. (Screen callout: status of capture jobs.)
The Status page updates the capture statistics periodically. Click the Status tab to update the page
manually.
For more detail, go to the Job Details page for a particular job.
1) Click the Capture Jobs tab.
2) Click the Job Name or the View or Edit button to see the Job Details. (Screen callouts: job statistics; job settings.)
Adding/editing capture jobs
1) Click the Capture Jobs tab.
2) Click Add a New Job to add a job, or click Edit to edit an existing job.
3) Enter/adjust capture job parameters. (See details below.)
4) Click to save capture job configuration.
The parameters of an existing job can be edited only if the job is stopped.
Capture settings
• Enter a job name.
• Select a capture port.
• Enter a BPF filter, if desired.
• Set the maximum number of bytes saved for each packet (the snaplen). Specifying 65535 captures the entire packet.
• Click to start the job as soon as you save the job parameters.
A BPF filter can select a subset of network traffic for capturing. For example, the filter src host
192.168.43.17 captures only packets with a source address of 192.168.43.17. You can find more
information on BPF filters at http://wiki.wireshark.org/CaptureFilters.
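The following is an added example, not Riverbed's code and not libpcap, of what a capture filter does to a packet stream. It parses a small subset of BPF syntax (`[src|dst] host`, `[src|dst] port`, `tcp`, `udp`, `icmp`, `and`, `or`, `not`, parentheses) with BPF's precedence and applies it to decoded packet fields; real BPF compiles to bytecode that runs against raw packet bytes, so only the matching logic is reproduced here. The `Packet` fields, function names and sample packets are constructed for the example; 192.168.43.17 is the guide's own example address.

```python
# Added example (not Riverbed's code or libpcap): a matcher for a small subset of
# BPF capture-filter syntax evaluated on decoded packet fields. Supported:
# [src|dst] host A, [src|dst] port N, tcp, udp, icmp, and, or, not, parentheses.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:               # decoded fields the filter can test (constructed)
    src: str
    dst: str
    proto: int              # IP protocol number: 1 icmp, 6 tcp, 17 udp
    sport: Optional[int]    # None for protocols without ports
    dport: Optional[int]

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}

class _Parser:
    """Recursive descent with BPF precedence: not binds tightest, then and, then or."""
    def __init__(self, text: str):
        self.tokens = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def expr(self) -> Tuple:                      # or-level
        node = self.conj()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.conj())
        return node

    def conj(self) -> Tuple:                      # and-level
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self) -> Tuple:                     # not, parentheses, primitives
        tok = self.take()
        if tok == "not":
            return ("not", self.unary())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            return ("host", direction, self.take())
        if tok == "port":
            return ("port", direction, int(self.take()))
        if tok in PROTO_NAMES and direction is None:
            return ("proto", PROTO_NAMES[tok])
        raise ValueError(f"unsupported filter token {tok!r}")

def compile_filter(text: str) -> Tuple:
    """Parse a filter string into a tuple tree, rejecting trailing tokens."""
    parser = _Parser(text)
    node = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node

def _match(node: Tuple, pkt: Packet) -> bool:
    kind = node[0]
    if kind == "and":
        return _match(node[1], pkt) and _match(node[2], pkt)
    if kind == "or":
        return _match(node[1], pkt) or _match(node[2], pkt)
    if kind == "not":
        return not _match(node[1], pkt)
    if kind == "proto":
        return pkt.proto == node[1]
    _, direction, value = node
    if kind == "host":
        fields = {"src": [pkt.src], "dst": [pkt.dst], None: [pkt.src, pkt.dst]}
    else:
        fields = {"src": [pkt.sport], "dst": [pkt.dport], None: [pkt.sport, pkt.dport]}
    return value in fields[direction]

def select(filter_text: str, packets: List[Packet]) -> List[Packet]:
    """Keep only the packets the filter matches, as a capture job would."""
    node = compile_filter(filter_text)
    return [p for p in packets if _match(node, p)]

# Constructed packets; 192.168.43.17 is the guide's own example address.
SAMPLE_PACKETS = [
    Packet("192.168.43.17", "10.1.1.1", 6, 40000, 443),
    Packet("10.1.1.1", "192.168.43.17", 6, 443, 40000),
    Packet("192.168.43.17", "10.1.1.2", 17, 5353, 53),
    Packet("10.2.2.2", "10.1.1.9", 1, None, None),
]
```

Two points worth checking against your own filters: `host` without `src` or `dst` matches either address, so `host 192.168.43.17` also keeps the replies that `src host 192.168.43.17` excludes, and `not` binds tighter than `and`, so `src host A and not udp` is parsed as `(src host A) and (not udp)`.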
Data Retention settings
• Specify the maximum amount of packet data to save.
• Click to enable Microflow Indexing.
• Specify the maximum amount of indexing data to save.
• Click to synchronize indexing with packet recording.
Note that the Shark appliance stores packet data on its RAID array and stores Microflow Indexing
data on the system drive.
Specify the amount of storage to reserve for packet data, either in bytes or as a percentage of the
packet storage size. Additionally, you can specify a maximum amount of packets to store or a
maximum time interval to record. After a limit is reached, the oldest packets are discarded as new
packets arrive.
Microflow Indexing computes summary data for conversations between devices on the network.
(See Microflow Indexing on page 2 for more information.) Its behavior depends on the states of two
checkboxes:
• Indexing disabled: No Microflow Indexing data will be collected. This is generally reserved for cases where the indexing computation affects the performance of packet capture.
• Indexing enabled but not synchronized with packet recording: The amount of indexing data stored on the disk is determined by the amount of storage allocated (bytes or percentage of disk space) or the time interval (days). When the space or time limit is reached, the oldest index summaries are discarded as new ones arrive. Indexing time is typically set to be significantly longer than packet recording time since it consumes much less storage.
• Indexing synchronized with packet recording: The duration of Microflow Indexing is kept synchronized with that of packet capture. This ensures that all Cascade Pilot Views of the network traffic—both those that use only the indexing data and those that require packet data—are available for the entire time period. It likely limits the amount of indexing data that can be retained, however.
Start / Stop settings
• Enter specific start and/or stop times, and/or
• specify a job size limit in terms of storage space, packets, and/or time.
These settings are not available if Microflow Indexing has been enabled for the capture job.
Capture stops after the first limit of any type is reached.
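The following is an added example, not Riverbed's code, that models the two kinds of limit described in the Data Retention and Start / Stop settings on a list of packets. A retention limit keeps the job running and discards the oldest packets once the limit is exceeded (bytes, a percentage of packet storage, packets, or a time window); a stop rule ends the job at the first limit reached, or at an absolute stop time. The class and function names, the packet representation and the treatment of the exact boundary (`>` versus `>=`) are this example's assumptions.

```python
# Added example (not Riverbed's code): retention limits discard the oldest packets
# and keep recording; stop rules end the job at the first limit reached.
# Boundary handling (> vs >=) is this example's assumption.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, Optional, Tuple

Pkt = Tuple[float, int]   # (capture timestamp in seconds, bytes stored)


@dataclass
class RetentionRing:
    """Ring buffer with byte, packet and time-window limits; oldest packets go first."""
    max_bytes: Optional[int] = None
    max_packets: Optional[int] = None
    max_seconds: Optional[float] = None
    packets: Deque[Pkt] = field(default_factory=deque)
    total_bytes: int = 0
    discarded: int = 0

    @classmethod
    def from_percent(cls, storage_bytes: int, percent: float, **limits) -> "RetentionRing":
        """Retention expressed as a percentage of the packet storage size."""
        return cls(max_bytes=int(storage_bytes * percent / 100), **limits)

    def add(self, pkt: Pkt) -> None:
        ts, size = pkt
        self.packets.append(pkt)
        self.total_bytes += size
        # Evict from the oldest end until every configured limit holds again.
        while self.packets and self._over_limit(ts):
            _, old_size = self.packets.popleft()
            self.total_bytes -= old_size
            self.discarded += 1

    def _over_limit(self, newest_ts: float) -> bool:
        if self.max_bytes is not None and self.total_bytes > self.max_bytes:
            return True
        if self.max_packets is not None and len(self.packets) > self.max_packets:
            return True
        if self.max_seconds is not None and newest_ts - self.packets[0][0] > self.max_seconds:
            return True
        return False


@dataclass
class StopRules:
    """'Stop capturing after' rules plus an absolute stop time."""
    max_bytes: Optional[int] = None
    max_packets: Optional[int] = None
    max_seconds: Optional[float] = None
    stop_time: Optional[float] = None


def run_job(packets: Iterable[Pkt], ring: RetentionRing, rules: StopRules):
    """Feed packets into the job's ring. Returns (reason, packets_recorded), where
    reason names the first stop rule hit, or None if the input ran out first."""
    recorded, total, start_ts = 0, 0, None
    for ts, size in packets:
        if rules.stop_time is not None and ts >= rules.stop_time:
            return "stop_time", recorded
        if start_ts is None:
            start_ts = ts
        if rules.max_seconds is not None and ts - start_ts > rules.max_seconds:
            return "elapsed", recorded
        ring.add((ts, size))
        recorded += 1
        total += size
        if rules.max_packets is not None and recorded >= rules.max_packets:
            return "packets", recorded
        if rules.max_bytes is not None and total >= rules.max_bytes:
            return "bytes", recorded
    return None, recorded


# Constructed input: ten 1000-byte packets, one per second, starting at t=0.
SAMPLE_PACKETS = [(float(t), 1000) for t in range(10)]
```

The distinction matters when sizing a job: with only retention limits the job runs until stopped and the trace always holds the most recent data, whereas a stop rule freezes the trace at the moment the first limit is hit, so the two should be chosen according to whether you want a rolling window or a fixed capture.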
Controlling capture jobs
Capture jobs start or stop automatically under certain circumstances:
• You checked the Start New Job Immediately check box when setting up the job, and then clicked the Save button.
• A preset Absolute Start/Stop Time is reached.
• The job matches a “Stop capturing after” rule (storage space, number of packets, or elapsed time).
You can control jobs manually using the buttons on the Capture Jobs page. Note that the buttons
change according to the status of the job.
The buttons, as labeled in the screenshot, let you: stop a running job; clear packet and indexing data from disk; start a stopped job; or clear packet and indexing data and delete the job configuration.
Using Cascade Pilot software to create capture jobs
The Cascade Pilot software is well integrated with the Shark and Shark-VE appliances, and provides
a broad array of methods for interacting with capture jobs. This combination of hardware and
software gives you the best means of analyzing traffic on your network and troubleshooting
network problems.
For full information on using this hardware/software combination to set up capture jobs, please see
the “Cascade Shark Packet Recorder” section of the Cascade Pilot Reference Guide.
Exporting packets
You can export packets from a capture job to a file on your local system. This file is in .pcap
(Wireshark) format.
1) Click the Capture Jobs tab.
2) Click a job name or a View or Edit button to bring up the Job Details page.
3) Set the packet export parameters (time and/or size).
4) Click the button to prepare the export.
5) Click the button to download the file.
Managing users and groups
Adding users and groups
You must have a username and password to log in to a Shark appliance. Each username is
associated with a user group, and each group has a set of capabilities (permissions). Add new users
and groups as follows:
1) Click Settings, then Users and Groups.
2) Click the button to add a User or a Group.
For a new user, enter the username and password, select the group, and check the box to enable user lockout.
For a new group, enter the group name and description, and select the capabilities.
Changing user passwords
You can change a user’s password from the Users and Groups page, as follows:
1. Click the button to bring up the Change Password dialog.
2. Enter the new password.
Unlocking a locked-out user
If a user gets locked out due to exceeding the allowed number of unsuccessful login attempts, he
will see a message on the login screen like this:
A user with administrator privileges can unlock the account from the Users and Groups page by
clicking the Unlock User button for that user.
Setting up the login screen
Entries on the Authentication Settings page determine the layout of the login screen for the
appliance. Click the Settings tab, then Authentication Settings to go to that screen. Then fill in the
screen as follows:
• Check the box to generate a Purpose box on the login screen.
• Set an inactivity limit after which the session ends.
• Enter a message to be displayed at login.
The entries in the screen above produce the login screen shown below.
Information in the Purpose field may be logged to the local syslog and/or to a remote TACACS+ or
RADIUS server, depending on the audit settings for the Authentication information category. See
the section on “Setting up auditing” on page 30 for information on making those settings.
Authenticating users
Use the Authentication Settings page to set up the type of authentication used on your appliance.
Select an authentication method by checking its check box in the Authentication Methods list.
(Details for configuring each authentication method are given below.)
You can choose more than one authentication method. If the first method (primary) fails to
authenticate, the second method (fallback) is tried, and so on. The first method to succeed is the one
that is used for the session. Use the Authentication Sequence drop-down list to choose the order for
authentication attempts.
If you have selected a remote authentication method (TACACS+ or RADIUS), the user interface
presents additional authentication settings:
• Default Remote Group—lets you specify a default group assignment if a remote server (TACACS+ or RADIUS) does not assign an authenticated user to a group.
When a remote server successfully authenticates a user, it sends attribute/value pairs to the appliance to identify the group to which the user belongs; the user receives the capabilities assigned to that group. (These capabilities are set in the Users and Groups page under the Settings tab.) The Default Remote Group parameter gives you the option to specify a default group to use if the server does not return a group; in that case the user receives the capabilities of the default group. The drop-down box for the parameter lets you choose from all the groups on the appliance; if you choose “none”, no capabilities are assigned to the user.
• Fallback only when servers are unavailable—allows you to limit server fallback actions based on the reason for an authentication failure.
An attempt to authenticate might fail because the user does not present proper credentials or it might fail for technical reasons, such as a server being unreachable. If you leave the “For RADIUS/TACACS+, fallback only when servers are unavailable” box unchecked, any failed authentication attempt causes the appliance to try the next authentication method in the sequence (if there is one). But if you do check the box, the fallback procedure continues only if the failure is due to technical reasons; an authentication failure due to improper credentials stops the authentication process and prevents authentication of the user.
Note that if you have specified multiple TACACS+ or RADIUS servers, a failure to authenticate for technical reasons causes the appliance to try to authenticate with the next server of the same type. A failure due to improper credentials ends the authentication attempt for that authentication method; the setting of the “Fallback only when servers are unavailable” box determines whether the appliance tries to authenticate using a different method (local, TACACS+, or RADIUS).
Screen callouts: the check box allows fallback to the next authentication method only in case of a technical problem with the server (it does not fall back if authentication fails due to improper credentials); the drop-down list chooses the default group to use when the server assigns the authenticated user to a non-existent group.
For each authentication method you choose, select its tab in the Authentication Parameters section
and fill in the parameters (described below). When you have finished filling in the parameters, click
the Apply button in the lower left corner.
Local Password File authentication
This authentication type uses the user information you set up in the Add New User screen. See
Adding Users and Groups on page 18. If the username and password match a username and
password combination stored in the Shark appliance, you are logged in to the appliance. The
appliance grants you the capabilities of the group you are assigned to.
The Local tab of the Authentication Parameters lets you set various password parameters. Click the
Default Settings button to set all parameters to 0 (unconstrained); click the STIG Compliant Settings
button to set parameters to values that comply with the Security Technical Implementation Guides
(STIG) of the Joint Interoperability Test Command (JITC) of the U.S. Department of Defense.
TACACS+ authentication
If you select TACACS+ Authentication on the Authentication Settings screen, click the TACACS+
tab under Authentication Parameters and fill in the parameters.
Click the button to add a new server, fill in the parameters as desired, then click Apply.
For servers, specify the IP address and Shared Secret. You can enter up to eight TACACS+ servers.
Fill in the parameters as follows:
• Server IP address – IP address of the TACACS+ server. This field accepts only numeric IP addresses; host names are not supported.
• Server Port – TCP port the TACACS+ server is listening on. This is pre-configured to port 49.
• TACACS+ Shared Secret – Shared secret used by the TACACS+ protocol to protect the communication between Shark and the TACACS+ server; it must match the secret configured on the server.
• Client Port – This field is part of the TACACS+ protocol and contains the name of the client port used on the NAS server. Please consult the documentation for the TACACS+ server for details on the correct client port to use.
• Authorization Attribute and Authorization Value – These two fields are used in the authorization step to specify the attribute-value pair used to request a specific service from the TACACS+ server. During the TACACS+ protocol authorization step, Shark sends the attribute-value pair “Authorization-Attribute=Authorization-Value” to the TACACS+ server. The server uses the pair together with the user name to identify the user group.
• Enable TACACS+ accounting – Enables remote data accounting on the TACACS+ server.
• Accounting Attribute and Accounting Value – These two values are used to create an attribute-value pair that Shark sends to the TACACS+ server together with the accounting data to trace the accounting communication.
• Accounting Terminator – This field is specified as the last value in the attribute-value pairs list, and its value may change based on the TACACS+ server in use.
During the authentication process, Shark sends the user name and password credentials to the
TACACS+ server to validate the credentials and indicate the group that the user is a member of. If
the credentials are invalid or if the authorized group name received from the TACACS+ server does
not match any of the local groups on the Shark appliance, the authentication will fail. If, however,
the user is successfully authenticated and the appliance has been configured with a Default Remote
Group, the user receives the capabilities assigned to the default group.
Please note that you must configure the authentication and authorization parameters on the
TACACS+ server as well as on the Shark appliance. These values must be coordinated between the
server and the appliance. If they are not, authentication will fail and users will not be able to log in
to the appliance.
RADIUS authentication
If you select RADIUS Authentication on the Authentication Settings screen, click the RADIUS tab
under Authentication Parameters and fill in the parameters.
Click the button to add a new server, fill in the parameters as desired, then click Apply.
For servers, specify the IP address and Shared Secret. You can enter up to eight RADIUS servers.
Fill in the parameters as follows:
• Server IP address – IP address of the RADIUS server. This field accepts only numeric IP addresses; host names are not supported.
• Server Port – TCP port the RADIUS server is listening on. This is pre-configured to port 1812.
• RADIUS Shared Secret – Shared secret used by the RADIUS protocol to protect the communication between Shark and the RADIUS server; it must match the secret configured on the server.
• Client Port – This field is part of the RADIUS protocol and it should contain the name of the client port used on the NAS server. Please consult the documentation for your RADIUS server for details on the client port to use.
• Encryption protocol – Specifies the protocol used to encrypt data in the path between Shark and the authentication server. Four protocols are supported:
  o PAP – Basic RADIUS encryption; uses MD5 hashes and XOR
  o CHAP – Challenge-Handshake Authentication Protocol
  o MSCHAP1 – MS CHAP version 1
  o MSCHAP2 – MS CHAP version 2
• Enable RADIUS Accounting – Enables remote data accounting on a RADIUS server.
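To show what “MD5 hashes and XOR” amounts to for PAP, here is an added implementation (not Riverbed’s code) of RFC 2865 User-Password hiding and its inverse; the shared secret and authenticator values are constructed. Anyone holding the shared secret and a captured request can reverse it, which is why the shared secret must be kept confidential.

```python
import hashlib
import os

# RFC 2865 section 5.2: the User-Password attribute is hidden, not encrypted
# in the modern sense. The password is padded with NULs to a multiple of
# 16 bytes and each block is XORed with MD5(shared_secret + previous_block),
# where the "previous block" for the first block is the 16-byte Request
# Authenticator sent in the same Access-Request.


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the hidden User-Password value a RADIUS client puts on the wire."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block                      # chaining: next key depends on ciphertext
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what the RADIUS server computes.
    The only secret input is the shared secret; the authenticator is sent in clear."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        plain += _xor16(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    # Strip the NUL padding; assumes the password itself has no trailing NULs.
    return plain.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed value, not a real secret
    authenticator = os.urandom(16)         # a client picks a fresh one per request
    wire = hide_user_password(b"correct horse", secret, authenticator)
    print(wire.hex(), reveal_user_password(wire, secret, authenticator))
```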
During the authentication process the Shark appliance sends the user name and password
credentials to the RADIUS server. If the authentication is successful, the RADIUS server responds
with one or more attribute-value pairs associated with the local group the user belongs to. The
appliance attempts to match the first of these pairs with the configured local groups, and if there is
a match the user is authorized with the capabilities assigned to that group.
If the credentials are invalid or if the authorized group name received from the RADIUS server does
not match any of the local groups on the appliance, the authentication process will fail. If, however,
the user is successfully authenticated and the appliance has been configured with a Default Remote
Group, the user receives the capabilities assigned to the default group.
Please note that you must configure the authentication and authorization parameters on the
RADIUS server as well as on the appliance. These values must be coordinated between the server
and the appliance. If they are not, authentication will fail and users will not be able to log in to the
appliance.
Managing security functions
Setting up auditing
The Audit Settings page lets you control which system events get logged for auditing purposes.
There are 11 categories of information that can be logged, and you can log to a local syslog, to a
remote log, or both. You can find the Audit Settings page at Settings > Audit Settings.
To set the logging for an information category, click the drop-down list that corresponds to the
category and logging location and select which types of events in that category—all events, errors
only, or no events—you want to have logged. To set all categories for a logging location (local or
remote) at once, click the drop-down list at the top of the column for that location.
Local logging.
Events logged on the local system can be seen by examining the log file at System > Maintenance.
Click the Download Log button to save a .TGZ archive of the logs. Once you download and unpack
the archive, the syslog files are the files named messages and messages-<datetime>.
Remote logging.
If you set up remote logging, events are logged to the remote TACACS+ or RADIUS server that you
authenticate with. (The Accounting configuration on the TACACS+ or RADIUS server determines
where the logs are located on the server.) Note, however, that if you have multiple Remote
Authentication Methods set up, only the first one in the Authentication Sequence can be used for
remote logging. (See the “Authenticating users” section on page 23 for a description of the
Authentication Methods and Authentication Sequence settings.)
Consider, for instance, an authentication configuration that sets up both TACACS+ and RADIUS as
Authentication Methods and specifies an Authentication Sequence of “RADIUS; TACACS+”. Assume
that your Remote Log Settings are enabled for All Events.
RADIUS first, then TACACS+
If an authentication attempt succeeds with the RADIUS server, the logging occurs as expected:
events are logged to the RADIUS server.
But if the authentication attempt fails with the RADIUS server and then falls back to the TACACS+
server and succeeds, events are not logged to the TACACS+ server since TACACS+ was not the first
authentication method specified in the Authentication Sequence setting.
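The fallback rules under “Authenticating users” and the remote logging rule just described, modeled together as an added example (not Riverbed’s code). Group names and server outcomes are constructed inputs; the code assumes the “fallback only when servers are unavailable” box applies to RADIUS and TACACS+ only, as its label says, and treats a group name the appliance does not know as a final failure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Outcomes a single server (or the local password file) can report.
OK, BAD_CREDENTIALS, UNREACHABLE = "ok", "bad_credentials", "unreachable"
REMOTE_METHODS = ("RADIUS", "TACACS+")


@dataclass
class ServerResult:
    outcome: str                 # OK, BAD_CREDENTIALS or UNREACHABLE
    group: Optional[str] = None  # group attribute returned with OK, if any


@dataclass
class AuthConfig:
    sequence: List[str]                         # Authentication Sequence, e.g. ["RADIUS", "TACACS+", "Local"]
    local_groups: Dict[str, Set[str]]           # group name -> capabilities (Users and Groups page)
    default_remote_group: Optional[str] = None  # None models the "none" choice
    fallback_only_when_unavailable: bool = False


@dataclass
class AuthResult:
    authenticated: bool
    method: Optional[str] = None
    capabilities: Set[str] = field(default_factory=set)
    log_target: Optional[str] = None  # server type that can receive remote audit events


def remote_log_target(sequence: List[str]) -> Optional[str]:
    """Only the first remote method in the Authentication Sequence can receive
    remote logs, whichever method finally authenticates the user."""
    return next((m for m in sequence if m in REMOTE_METHODS), None)


def _capabilities_for(cfg: AuthConfig, group: Optional[str]) -> Optional[Set[str]]:
    """Map a returned group to local capabilities; None means 'reject the login'."""
    if group in cfg.local_groups:
        return cfg.local_groups[group]
    if cfg.default_remote_group in cfg.local_groups:
        return cfg.local_groups[cfg.default_remote_group]   # Default Remote Group
    if group is not None:       # server named a group the appliance does not know
        return None
    return set()                # no group returned and default "none": no capabilities


def authenticate(cfg: AuthConfig, probes: Dict[str, List[ServerResult]]) -> AuthResult:
    """probes maps each method to one ServerResult per configured server
    (Local has exactly one). Servers of one type are tried in order."""
    log_target = remote_log_target(cfg.sequence)
    for method in cfg.sequence:
        for res in probes.get(method, []):
            if res.outcome == UNREACHABLE:
                continue                          # technical failure: next server of same type
            if res.outcome == BAD_CREDENTIALS:
                if method in REMOTE_METHODS and cfg.fallback_only_when_unavailable:
                    # Box checked: improper credentials end the whole process.
                    return AuthResult(False, method, log_target=log_target)
                break                             # box unchecked: try the next method
            caps = _capabilities_for(cfg, res.group)
            if caps is None:
                return AuthResult(False, method, log_target=log_target)
            return AuthResult(True, method, set(caps), log_target)
        # Every server of this type was unreachable: fall back regardless of the box.
    return AuthResult(False, log_target=log_target)


if __name__ == "__main__":
    groups = {"Administrators": {"admin", "capture"}, "Viewers": {"view"}}
    cfg = AuthConfig(["RADIUS", "TACACS+"], groups)
    # Constructed scenario from the guide: RADIUS fails, TACACS+ succeeds,
    # but remote logging still targets RADIUS (first remote method).
    print(authenticate(cfg, {"RADIUS": [ServerResult(UNREACHABLE)],
                             "TACACS+": [ServerResult(OK, "Administrators")]}))
```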
Setting up a firewall
The Firewall Settings page, available at Settings > Firewall Settings, lets you set up an inbound-only
firewall to control access to the appliance. This firewall applies to management interfaces; it does
not apply to capture interfaces. The same settings are applied to all management interfaces.
The firewall is disabled by default; check the Enable Firewall Protection checkbox to enable it. The
default configuration for an enabled firewall allows access through the web UI from a web browser
or a Cascade Pilot console (using HTTPS) or through an SSH console, and allows the appliance to
respond to ICMP messages (such as a ping). All other access is denied by default.
The Default Action tells the firewall what to do with a packet that does not match any of the rules.
You can set the Default Action to either Allow or Deny.
You can edit existing rules or add new ones. Click the Edit button to edit an existing rule; click the
Add New Rule button to add a new rule.
The parameters are the same in both cases. Note that:
• Actions can be:
  o Allow
  o Deny
  o Allow And Log
  o Deny And Log
  Logged actions show up in the syslog files. You can download these files using the Download Log button on the System > Maintenance page. After you unpack the archive, you can find logged actions in the messages and messages-<datetime> files.
• Protocols can be:
  o ALL
  o TCP
  o UDP
  o ICMP
  If no protocol is specified the rule applies to all protocols.
• For TCP and UDP protocols, the port number can range from 0 to 65535; if no port number is specified, the rule applies to all ports. Service names (HTTP, FTP, and so on) are not allowed in this field.
• Sources can be IP addresses in:
  o CIDR notation (192.168.1.0/24)
  o complete IP/mask format (192.168.1.0/255.255.255.0)
  o single host IP address with no mask (192.168.1.23)
  If no IP address is specified, the rule applies to all IP addresses. Hostnames are not allowed in this field.
Fill in the parameters and click Update Table when done. Note that clicking the Update Table button enters the rule in the Firewall Rules table, but that no changes are effective until you click the Apply Changes button at the bottom of that table.
Rules are evaluated from top to bottom. As soon as a rule is matched, the action for that rule is
applied and processing for that packet stops. You can change the order of evaluation by using the
blue arrows to move a rule up or down in the list.
Changes are not effective until you click the Apply Changes button at the bottom of the page.
It is possible to configure the firewall in such a way that you lock yourself out of the appliance. If
this occurs, you can make a direct connection to the Shark appliance through the serial port or the
keyboard/monitor ports and disable the firewall using the system firewall disable CLI
command. (See the System commands section on page 64.) Once the firewall is disabled, you can
reconfigure it to avoid the problem, and then re-enable it.
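An added model of the rule semantics described above (not Riverbed’s code): rules are evaluated top to bottom, the first match wins, and the Default Action applies otherwise, plus a pre-apply check for the lockout case. It assumes the default configuration uses the standard ports 443 (HTTPS) and 22 (SSH) and that a port is only accepted on TCP/UDP rules; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACTIONS = ("Allow", "Deny", "Allow And Log", "Deny And Log")
PROTOCOLS = ("ALL", "TCP", "UDP", "ICMP")


def parse_source(text: str) -> ipaddress.IPv4Network:
    """Accept CIDR (192.168.1.0/24), IP/mask (192.168.1.0/255.255.255.0) or a
    single host (192.168.1.23). Empty means all addresses. Hostnames raise
    ValueError, matching the UI's rule that they are not allowed."""
    text = text.strip()
    if not text:
        return ipaddress.IPv4Network("0.0.0.0/0")
    try:
        return ipaddress.IPv4Network(text, strict=False)
    except ValueError as exc:
        raise ValueError(f"source must be an IPv4 address or network, not {text!r}") from exc


@dataclass
class Rule:
    action: str
    protocol: str = "ALL"
    port: Optional[int] = None   # None: all ports (TCP/UDP only)
    source: str = ""             # "": all addresses
    network: ipaddress.IPv4Network = field(init=False)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {self.protocol!r}")
        if self.port is not None:
            if not 0 <= self.port <= 65535:
                raise ValueError("port must be 0..65535")
            if self.protocol not in ("TCP", "UDP"):
                raise ValueError("a port is only valid for TCP or UDP rules")  # assumption
        self.network = parse_source(self.source)

    def matches(self, src_ip: str, protocol: str, dport: Optional[int]) -> bool:
        if self.protocol != "ALL" and self.protocol != protocol:
            return False
        if self.port is not None and dport != self.port:
            return False
        return ipaddress.IPv4Address(src_ip) in self.network


@dataclass
class Firewall:
    enabled: bool = False            # disabled by default, as on the appliance
    default_action: str = "Deny"
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src_ip: str, protocol: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """First matching rule wins; returns (action, index of the rule or None)."""
        if not self.enabled:
            return "Allow", None          # disabled firewall: everything passes
        for index, rule in enumerate(self.rules):
            if rule.matches(src_ip, protocol, dport):
                return rule.action, index  # processing stops at the first match
        return self.default_action, None   # Default Action for unmatched packets


def default_enabled_firewall() -> Firewall:
    """The guide's default allowed set once enabled: HTTPS (web UI / Pilot),
    SSH and ICMP; everything else denied. Ports 443 and 22 are assumed."""
    return Firewall(True, "Deny", [Rule("Allow", "TCP", 443),
                                   Rule("Allow", "TCP", 22),
                                   Rule("Allow", "ICMP")])


def lockout_check(fw: Firewall, admin_ip: str) -> List[str]:
    """Before Apply Changes: which management services would the rule set block
    for admin_ip? A non-empty result means you are about to lock yourself out."""
    blocked = []
    for name, proto, port in (("HTTPS", "TCP", 443), ("SSH", "TCP", 22)):
        action, _ = fw.decide(admin_ip, proto, port)
        if not action.startswith("Allow"):
            blocked.append(name)
    return blocked
```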
Managing certificates
You can manage certificates from the SSL Certificate Management page: Settings > SSL Certificate
Management.
There are three types of certificate:
• Web Interface—This certifies the appliance’s identity to a web browser or to the Cascade Pilot software. The default Web Interface certificate is a self-signed certificate generated after the first boot of the appliance. Any subsequent boot uses the same certificate. Each appliance has a unique certificate.
• Profiler Export—This certifies the appliance’s identity to a Cascade Profiler appliance when using the Profiler Export feature. It is a self-signed certificate. The default certificate is the same on all Shark and Cascade Profiler appliances.
• Trusted Profiler—This certifies the identity of a Cascade Profiler appliance connecting to this Shark appliance. By default there are two Trusted Profiler certificates, which allows trusting any Profiler using the default certificates.
The SSL Certificate Management page lets you view and replace the certificates. Any changes you
make to the configuration are applied after a Shark Probe service restart.
The page offers these controls:
• Tabs to choose a certificate type.
• View PEM: view the PEM file for the certificate.
• Generate Certificate: generate a new certificate/key pair.
• Import Certificate: import an existing certificate/key pair.
• On the Web Interface tab, Use Profiler Export Certificate: re-use the Profiler Export certificate/key pair as the Web Interface certificate/key pair.
• On the Profiler Export tab, Use Web Interface Certificate: re-use the Web Interface certificate/key pair as the Profiler Export certificate/key pair.
To view the PEM file for a certificate, click the View PEM button.
You can import existing certificates that are in PEM format and have either PKCS1 or PKCS8
headers. The general format of these certificates is:
-----BEGIN PRIVATE KEY-----
(Base64 encoded data goes here.)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Base64 encoded data goes here.)
-----END CERTIFICATE-----
The two sections can appear in either order. For Web Interface and Profiler Export, include both
certificate and key. For Trusted Profilers, include only the certificate section.
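An added checker for pasted PEM material (not Riverbed’s code) that enforces the rules above: blocks in either order, PKCS1 (“RSA PRIVATE KEY”) or PKCS8 (“PRIVATE KEY”) key headers, key plus certificate for Web Interface and Profiler Export, certificate only for Trusted Profiler. The sample block bodies are a constructed 5-byte DER placeholder, not real certificates or keys.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# One PEM block: BEGIN label, base64 body, END label (the labels must agree).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)
# Private key headers the guide says are accepted.
KEY_FORMATS = {"RSA PRIVATE KEY": "PKCS1", "PRIVATE KEY": "PKCS8"}
# Which certificate types need a private key pasted alongside the certificate.
NEEDS_KEY = {"Web Interface": True, "Profiler Export": True, "Trusted Profiler": False}


def decode_block(label: str, body: str) -> bytes:
    """Strict base64 decode of a block body; DER must start with a SEQUENCE (0x30)."""
    try:
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{label} block is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
    return der


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every block, in the order pasted."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        blocks.append((begin, decode_block(begin, body)))
    if not blocks:
        raise ValueError("no PEM blocks found in the pasted text")
    return blocks


def validate_import(text: str, certificate_type: str) -> Dict[str, Optional[str]]:
    """Check a pasted PEM against the rules for the chosen certificate type."""
    if certificate_type not in NEEDS_KEY:
        raise ValueError(f"unknown certificate type {certificate_type!r}")
    blocks = parse_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [KEY_FORMATS[label] for label, _ in blocks if label in KEY_FORMATS]
    unknown = [label for label, _ in blocks
               if label != "CERTIFICATE" and label not in KEY_FORMATS]
    if unknown:
        raise ValueError(f"unsupported PEM block(s): {unknown}")
    if len(certs) != 1:
        raise ValueError("exactly one CERTIFICATE block is required")
    if NEEDS_KEY[certificate_type]:
        if len(keys) != 1:
            raise ValueError(f"{certificate_type} needs one PKCS1 or PKCS8 private key")
        return {"type": certificate_type, "key_format": keys[0]}
    if keys:
        raise ValueError("Trusted Profiler import must contain only the certificate")
    return {"type": certificate_type, "key_format": None}


# Constructed placeholder body: a 5-byte DER SEQUENCE, not a real certificate or key.
PLACEHOLDER_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()


def pem_block(label: str, body: str = PLACEHOLDER_B64) -> str:
    """Build a PEM block in the general format shown in the guide."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    pasted = pem_block("PRIVATE KEY") + pem_block("CERTIFICATE")
    print(validate_import(pasted, "Web Interface"))
```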
To import an existing certificate, click the Import Certificate button and paste the certificate (and
key, if appropriate) in the space provided. Then click the Replace Certificate button.
To generate a new certificate/key pair, click the Generate Certificate button and fill in the
parameters.
It is important to make sure that the hostname and domain name are properly configured before
generating the new certificate, as the new certificate contains hostname.domainname as the
Common Name record. The hostname and domain name are specified on the Settings > Basic
Settings page. The Certificate Details for each certificate type on the Settings > SSL Certificate
Settings page show the Common Name record and other records encoded into the certificate.
Click the Replace Certificate button to generate the new certificate/key pair.
To use an existing certificate and private key that are stored on the appliance, click the Use Profiler
Export Certificate button (from the Web Interface tab) or Use Web Interface Certificate button
(from the Profiler Export tab). Click the Replace Certificate button to accomplish the replacement.
The default Profiler Export certificate for the Shark appliance is the default_profiler certificate
if the appliance is running version 9.5 or earlier software, or if the software is version 9.6 or later
but the appliance has never been booted in FIPS mode. Once the appliance has been booted in FIPS
mode (in version 9.6 or later software), the default_profiler_fips certificate becomes the
default Profiler Export certificate; it remains the default Profiler Export certificate even if the
appliance returns to non-FIPS mode, unless you upload a new certificate or generate a new
certificate. FIPS mode is described in the section on “Setting basic appliance parameters” on page 6.
Note that if you replace the default Profiler Export certificate with a new one (either by importing a
certificate or by generating a new one), you need to add that new certificate to the trusted
certificates in any Cascade Profiler appliances to which you will be exporting data. If you change the
certificate on the Shark appliance but not on the Cascade Profiler appliances, the Shark appliance
will no longer be able to export data to the Cascade Profiler appliances.
There are two default certificates under the Trusted Profilers tab: default_profiler and
default_profiler_fips. These allow trusting Cascade Profiler appliances connecting to the
Shark appliance. Buttons on the Trusted Profilers tab allow you to view or remove these
certificates, or to add new certificates.
Managing the appliance
Enabling SNMP management
The Shark appliance can act as a Simple Network Management Protocol (SNMP) server, allowing
you to manage it using an SNMP management application. The appliance supports the v1, v2c, and
v3 versions of the SNMP protocol. It allows polling, does not allow traps, and exports some standard
MIBs.
Check the Enable SNMP box to enable SNMP on the Shark. Then choose a version and fill in the
Location, Description, and Contact parameters. If you use v1 or v2c, you can leave the Community
string at its default value of “public”; for more security, you can choose a different value.
When you have filled in the parameters, click Apply.
SNMP v3 does not use a Community string, but offers additional parameters for more security.
There are three levels of security for SNMP v3; as you increase the security level, you specify
additional passphrases and protocols, as follows:
Username: SNMP security name that the application attempting to browse the MIB must use.
Security level: Choose among:
• No Authentication/No Privacy: SNMP transactions are not authenticated and the SNMP traffic is transmitted in plaintext.
• Authentication/No Privacy: SNMP transactions are authenticated and the SNMP traffic is transmitted in plaintext.
• Authentication/Privacy: SNMP transactions are authenticated and encrypted.
Authentication passphrase: password associated with the username. It must be at least 8
characters long.
Authentication protocol: algorithm used by the authentication protocol. This can be MD5
or SHA.
Privacy passphrase: string used to encrypt SNMP data exchanges. It must be at least 8
characters long.
Privacy protocol: algorithm used to encrypt the SNMP data exchanges. This can be DES or
AES.
Note that certain SNMP configurations are modified when the appliance is switched into the FIPS
mode.
Setting up notifications
You can configure the Shark appliance to notify you by email when certain events occur:
• packet storage malfunction
• system clock modification
• appliance reboot
In the Settings > Notifications page, check the box to Enable Notifications, fill in the email
parameters, and select the events you want to be notified about. The Shark appliance will send you
an email whenever any of the selected events occurs.
Click Apply to save the notification settings.
You can test the configuration by clicking the Test Email Settings button; the Shark appliance will
try to send you a test email to verify that the configuration is correct.
Updating system software
From time to time, Riverbed may make software updates available for the appliance. You can install
these updates by uploading an ISO file that is saved on the local system or by fetching the update
from the Riverbed support site. Use the screen shown below:
1) Click System > Update to bring up the Update screen.
2) Specify the update source and execute the update.
If you check the “Update to target version immediately…” box, the update is performed as soon as
the update file has been transferred to the Shark appliance. Otherwise the file is saved on the
appliance and you perform the update manually by clicking the Install Update Now button.
Performing maintenance functions
Click System > Maintenance to bring up the Maintenance screen. From this screen you can
perform the functions listed below.
Gathering system information
The System Info section of the screen presents version information that will be useful when
troubleshooting with the assistance of Riverbed Support.
Downloading logs
This section allows you to download various system logs to your local system. It is normally used
under the direction of Riverbed Support. There is also a field where you can enter a support case
number. If you have opened a support case with Riverbed Support, entering a case number here
causes the case number to be inserted into the file name of downloaded archive files.
Viewing packet storage status
The Packet Storage Status section of the screen shows aggregate information for the packet storage
disks as well as individual information for each drive. Initially the drive status boxes give a quick
summary of the condition of each disk:
Aggregate status information
Status of individual drives
If you hover the cursor over one of the drive status boxes, you will see a tooltip that gives the status,
model number, and serial number for that drive:
Drive status details
Or, if you want to see that information for all of the drives, click the Expand Disk Information link
under the drive status boxes:
Global status for the packet storage can be:
• OK (all drives are working properly)
• FAILING (at least one drive is about to fail AND all the others are OK)
• INOPERABLE (at least one drive has failed or is missing, or the packet storage is down)
• INITIALIZING (the enclosure is undergoing a reinitialization process)
• CORRUPTED (the file system is corrupted)
Status for an individual drive can be:
• OK (the drive is working properly)
• FAILING (the drive is still operable, but is about to fail)
• FAILED (the drive has failed—it is not seen by the Shark—or is missing)
• NEW (a new drive has been inserted, but the packet storage has not been reinitialized)
Reinitializing and reformatting packet storage
Reinitializing or reformatting the packet storage subsystem should be done only under the
direction of Riverbed Support. Clicking the Reinitialize Packet Storage button performs a
low-level format of the packet storage subsystem. This format takes a considerable amount of time
and destroys all data on the subsystem. It ignores the Reserved Space setting (see next paragraph)
and formats the entire packet storage subsystem. It is typically used when a drive fails and is
replaced. Clicking the Reformat Packet Storage button performs a fast, light wipe of the data; it
destroys all data on the packet storage subsystem. The Reformat option honors the Reserved
Space setting (see next paragraph).
The Reserved Space parameter is available only on physical Shark appliances, not on Shark-VE
appliances. Setting the Reserved Space parameter prevents the use of inner tracks of hard disks
that can have slower transfer rates. Setting this value to something other than 0% can in some cases
provide more uniform write-to-disk speeds, although it reduces the amount of storage available for
packet capture.
Halting and rebooting the system
Clicking Shutdown Cascade Shark shuts down the operating system and powers down the
appliance. Clicking Reboot Cascade Shark shuts down the operating system and then reboots the
appliance.
Advanced Configuration Settings
These are the paths to the settings discussed in the following topics:
Port and protocol names
By default, non-standard ports/protocols appear as “Other” in many Views. For more informative
descriptions, you can edit this mapping to define the ports used by non-standard protocols. The
syntax of the Port/Protocol Definitions file is detailed at the beginning of the textbox.
Port and protocol groups
The file shown below enables you to group port/protocol definitions into logical groups. These
definitions are useful in grouping a number of related protocols into categories such as Email, Web,
and so on. The syntax of the Port/Protocol Groups file is detailed at the beginning of the textbox.
Advanced settings
The Advanced Settings page lets you modify the Shark Probe configuration file directly. Use it
only with the assistance of Riverbed Support personnel.
Troubleshooting an initial installation
If you have gone through the initial configuration of your Shark appliance or Shark-VE appliance
and it does not seem to function properly, try the troubleshooting steps below. Remember that the
default username and password are admin and admin.
After each step, check again to see whether your appliance is functioning properly.
1. Using the appliance’s console, enter wizard at the console prompt and check that you have
the right values for:
a. IP address
b. IP subnet mask
c. IP default gateway
d. DNS servers
e. domain name
If you don’t want to change any of the entries, you can cancel by typing c at the end of the
list of questions.
If you used DHCP to provision your IP address, you can find the value of the IP address by
entering interface show eth0 at the console prompt.
2. Try to ping the appliance at the IP address you set up using the configuration wizard. If
that doesn’t work, there is probably a network problem. Check your network connections
and make sure that your firewall and proxy configurations are correct.
3. Try using your web browser to connect to the web UI of the appliance.
4. If you configured SSH, try connecting with an SSH program like PuTTY.
If those steps fail, contact Riverbed technical support:
Web: http://support.riverbed.com
Phone (U.S. and Canada): 1-888-782-3822
Phone (outside U.S. and Canada): 1-415-247-7381
Securing your appliance configuration
Use the following procedures to make your Shark appliance Common Criteria compliant (the
certificate number was TBD at the time this manual was prepared), JITC hardened, and restricted
to FIPS 140-2 compliant cryptography.
Common Criteria initial setup
1) Enable FIPS-compliant cryptographic algorithms by putting the appliance into FIPS mode.
• In the CLI: system fipsmode enable (you can confirm the pending change with system
fipsmode show)
• In the web interface:
a. Go to Settings > Basic Settings
b. Put a check mark in the Enable FIPS 140-2 Compatible Cryptography box at the bottom
of the page.
c. Click Apply.
A reboot is required for the change to take effect:
• In the CLI: Use system reboot.
• In the web interface: Go to System > Maintenance and click the Reboot Cascade
Shark button at the bottom of the page.
After the reboot the appliance shows “FIPS Mode” in the banner in the web interface.
2) Make sure that the Web Interface certificate and private key are compliant:
• Private key algorithm must be RSA.
• Key length should be at least 2048 bits.
• Certificate hashing algorithm should be one of:
• SHA1
• SHA224
• SHA256
• SHA384
• SHA512
In the CLI: The certificate and private key can be replaced using certificate web set.
In the web interface: To view the certificate, go to Settings > SSL Certificate Management
and click the Web Interface tab. If you need to import or generate a new certificate, use the
buttons at the bottom of the page.
The default certificate and any self-signed certificates generated by the appliance are
compliant.
A Shark Probe service restart (CLI: service probe restart; web interface: a Restart
Probe button pops up) is required for the certificate change to be effective.
3) Make sure that the Profiler Export certificate and private key are compliant:
• Private key algorithm must be RSA.
• Key length should be at least 2048 bits.
• Certificate hashing algorithm should be one of:
• SHA1
• SHA224
• SHA256
• SHA384
• SHA512
In the CLI: The certificate and private key can be replaced using certificate
profiler-export set.
In the web interface: To view the certificate, go to Settings > SSL Certificates and click the
Profiler Export tab. If you need to import or generate a new certificate, use the buttons at
the bottom of the page.
When booted in FIPS mode, the default certificate and any self-signed certificates generated
by the appliance are compliant.
A Shark Probe service restart (CLI: service probe restart; web interface: a Restart
Probe button pops up) is required for the certificate change to be effective.
Note: A Shark appliance that has never booted in FIPS mode uses a default Profiler Export
certificate that is compatible with Cascade Profiler appliances of version 9.5 or earlier. The
first time the Shark appliance boots in FIPS mode, this certificate is replaced with a
certificate that is FIPS and Common Criteria compliant and that is compatible only with
Cascade Profiler appliances of version 9.6 or later. If you revert to non-FIPS mode on the
Shark appliance, the version 9.6 certificate remains active; it does not revert to the version
9.5 certificate.
4) Make sure that the Trusted Profiler certificate and private key are compliant:
• Private key algorithm must be RSA.
• Key length should be at least 2048 bits.
• Certificate hashing algorithm should be one of:
• SHA1
• SHA224
• SHA256
• SHA384
• SHA512
In the CLI: The certificate and private key can be managed using the certificate
profiler-trusted … commands.
In the web interface: To view the certificate, go to Settings > SSL Certificates, click the
Trusted Profilers tab, and click the View button for one of the listed certificates. If you need
to import a new certificate, use the Add button at the bottom of the page.
By default the Shark appliance contains two Trusted Profiler certificates:
default_profiler and default_profiler_fips. The default_profiler certificate is
compatible with appliances with software version 9.5 or earlier, or appliances with version
9.6 or later software that have never been booted in FIPS mode; this certificate is not
compliant. The default_profiler_fips certificate is compliant. For operation in FIPS
mode, you must remove the default_profiler certificate. In the CLI: Use certificate
profiler-trusted del. In the web interface: Use the Remove button next to
default_profiler in the list of certificates.
If you make any changes to the certificates, you must restart the Shark Probe service (CLI:
service probe restart; web interface: a Restart Probe button pops up).
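The certificate policy in steps 2 to 4 (RSA key, at least 2048 bits, signed with SHA1, SHA224, SHA256, SHA384 or SHA512) can be checked on an administrator’s workstation before a PEM is pasted into certificate web set, certificate profiler-export set or certificate profiler-trusted add. The script below is an added example, not Riverbed code or part of the appliance: it walks the DER structure with the Python standard library only, so it needs no third-party module. The function names are the example’s own, and the certificates it builds with make_test_cert are constructed dummies (unsigned, with empty names) that exist only to exercise the checker; they are not real certificates and cannot be used on an appliance.

```python
"""Check an X.509 certificate against the policy in steps 2-4: RSA key of at
least 2048 bits, signed with SHA-1/224/256/384/512. Standard library only:
a minimal DER walker, so it runs on any admin workstation without extra modules."""
import base64
import re

RSA_OID = "1.2.840.113549.1.1.1"          # rsaEncryption
ALLOWED_SIG_OIDS = {                       # <hash>WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA1",
    "1.2.840.113549.1.1.14": "SHA224",
    "1.2.840.113549.1.1.11": "SHA256",
    "1.2.840.113549.1.1.12": "SHA384",
    "1.2.840.113549.1.1.13": "SHA512",
}
MIN_RSA_BITS = 2048


def _tlv(buf, pos=0):
    """Decode one DER element (single-byte tag) at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Decode the elements nested inside a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted notation."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def pem_to_der(pem):
    """Strip PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def check_certificate(der):
    """Return verdict, key algorithm, key size, signature hash and the list of findings."""
    _, cert, _ = _tlv(der)
    (_, tbs), (_, sig_alg), _ = _children(cert)   # tbsCertificate, signatureAlgorithm, signature
    sig_oid = _oid(_children(sig_alg)[0][1])
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # explicit [0] version is optional
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (_, key_alg), (_, key_bitstr) = _children(fields[5][1])[:2]
    key_oid = _oid(_children(key_alg)[0][1])
    findings, bits = [], None
    if key_oid != RSA_OID:
        findings.append(f"key algorithm {key_oid} is not RSA")
    else:
        _, rsa_key, _ = _tlv(key_bitstr, 1)         # skip the unused-bits octet of the BIT STRING
        bits = int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()   # modulus n
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {bits} bits, policy requires at least {MIN_RSA_BITS}")
    if sig_oid not in ALLOWED_SIG_OIDS:
        findings.append(f"signature algorithm {sig_oid} is not SHA-1/224/256/384/512 with RSA")
    return {"compliant": not findings, "key_algorithm": key_oid, "key_bits": bits,
            "signature_hash": ALLOWED_SIG_OIDS.get(sig_oid), "findings": findings}


def check_pem(pem):
    return check_certificate(pem_to_der(pem))


# Constructed dummy certificates for exercising the checker: unsigned, empty names,
# NOT real certificates and not usable on an appliance.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _enc_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytearray([40 * p[0] + p[1]])
    for arc in p[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, bytes(body))


def make_test_cert(key_oid, key_bits, sig_oid):
    """Build a structurally valid dummy certificate with the given key type/size and signature OID."""
    seq = lambda *items: _der(0x30, b"".join(items))
    alg_id = lambda oid: seq(_enc_oid(oid), b"\x05\x00")          # AlgorithmIdentifier, NULL params
    if key_oid == RSA_OID:
        n = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8 + 1, "big")   # exactly key_bits bits
        key = seq(_der(0x02, n), _der(0x02, b"\x01\x00\x01"))          # RSAPublicKey {n, e=65537}
    else:
        key = b"\x04" + b"\x11" * 64                                   # placeholder EC point
    spki = seq(alg_id(key_oid), _der(0x03, b"\x00" + key))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), alg_id(sig_oid),
              seq(), seq(), seq(), spki)                              # v3, serial 1, empty names/validity
    return seq(tbs, alg_id(sig_oid), _der(0x03, bytes(33)))
```

Feed a certificate exported from the SSL Certificate Management page, or one issued by your CA, through check_pem(); an EC key, an RSA key shorter than 2048 bits, or an MD5 (or other unlisted) signature algorithm each come back as a finding. The policy on this page accepts SHA1, but current browsers refuse SHA-1-signed server certificates, so prefer SHA256 or stronger for the Web Interface certificate even where SHA1 would pass this check.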
5) Make sure that authentication is set to Local Authentication. (The TACACS+ and RADIUS
implementations use algorithms that are not FIPS compliant.)
In the web interface: On the Settings > Authentication Settings page, make sure the Local
Password File Authentication check box is checked and the TACACS+ and RADIUS check boxes
are unchecked.
If you make any changes, click the Apply button at the bottom of the page.
6) Configure all users, including the administrator, to have a lockout policy.
In the web interface:
a. From Settings > Authentication Settings, on the Local tab, make sure that the “Number
of unsuccessful login attempts before user is locked out” is set to a number between 0
and 10.
b. When creating a user (in Settings > Users and Groups, click the Add A New User button),
make sure that the “User Can Be Locked Out” checkbox is checked.
Note: The default users (admin, normaluser) do not have the lockout property enabled.
Since it is not possible to change that property on an existing user, you must delete the
existing user entry and recreate it with the lockout property enabled. For the “admin”
user, first create another, temporary, admin user (say, “admin2”) and use that
temporary admin user to delete and recreate the “admin” user.
7) Change the Audit Settings to log all events to the local syslog.
In the web interface: Go to Settings > Audit Settings. In the Local Syslog Settings column, set
the top drop-down box to All Events. This sets all categories of events to be logged locally.
(There is no need to change the Remote Log Settings box, as remote logging to TACACS+ and
RADIUS servers is not officially supported in the Common Criteria compliant mode of
operation.)
8) Make sure that these specific Advanced Settings have appropriate values.
In the web interface: From Settings > Advanced Settings, make sure that the following settings
are configured as described. Once the appliance is booted in FIPS mode these settings cannot be
changed.
• webui.legacy_port=0
• connection.ports.https=443
• connection.ports.http=80
• connection.ports.http_redirect=True
• webui.enabled=True
• profilerexport.profiler.port=41018
• profilerexport.profiler.ssl.enabled=True
• profilerexport.profiler.ssl.port=41017
• actions.enable_run_program=False
Note that any setting that is not listed on the Advanced Settings page has its default value,
which is the value shown in the list above. (This applies to actions.enable_run_program, which
is not listed.)
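Because these values cannot be changed once the appliance has booted in FIPS mode, it is worth checking them before the FIPS reboot, and again afterwards as a drift check. The script below is an added example, not Riverbed code or a Shark feature. It assumes the Advanced Settings have been copied out as key=value lines like those listed above (one setting per line), and it follows the note above: a key that is absent from the dump holds its default, which is the required value, so only a key that is present with a different value is reported. The function names and the sample dump are the example’s own.

```python
"""Audit a key=value dump of the Shark Advanced Settings against the Common
Criteria baseline in step 8. A key absent from the dump holds its default,
which is the required value, so only present-but-different keys are reported."""

BASELINE = {
    "webui.legacy_port": "0",
    "connection.ports.https": "443",
    "connection.ports.http": "80",
    "connection.ports.http_redirect": "True",
    "webui.enabled": "True",
    "profilerexport.profiler.port": "41018",
    "profilerexport.profiler.ssl.enabled": "True",
    "profilerexport.profiler.ssl.port": "41017",
    "actions.enable_run_program": "False",
}


def parse_settings(text):
    """Return {key: value} from key=value lines; blank lines are skipped.
    A line without '=' raises ValueError so a truncated or garbled dump is not silently accepted."""
    settings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: not a key=value setting: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def _canon(value):
    """Booleans compare case-insensitively (True/true/TRUE); everything else literally."""
    v = value.strip()
    return v.lower() if v.lower() in ("true", "false") else v


def audit_settings(text):
    """Return [(key, current_value, required_value)] for every deviation from BASELINE."""
    current = parse_settings(text)
    return [(key, current[key], required) for key, required in BASELINE.items()
            if key in current and _canon(current[key]) != _canon(required)]


# Constructed sample dump (not from a real appliance): the legacy web port has been
# re-enabled, the HTTP-to-HTTPS redirect turned off, and run-program actions switched on.
SAMPLE_DUMP = """
webui.legacy_port=8080
connection.ports.https=443
connection.ports.http_redirect=false
webui.enabled=TRUE
profilerexport.profiler.ssl.enabled=True
actions.enable_run_program=True
"""

if __name__ == "__main__":
    for key, current, required in audit_settings(SAMPLE_DUMP):
        print(f"{key}: is {current}, must be {required}")
```

The same BASELINE dictionary can be extended with the values you record at setup time for the additional keys that the “Common Criteria operation” section says must not change, so one run covers both lists.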
9) Enable FIPS mode on the Windows client system running the Cascade Pilot software. Details are
at http://technet.microsoft.com/en-us/library/cc750357.aspx.
10) Disable SSH access, as its use has not been certified for Common Criteria.
In the web interface: Go to Settings > Basic Settings and make sure that the Enable Secure Shell
(SSH) Access box is unchecked. If you make a change, click the Apply button in the lower left
corner of the page.
Common Criteria operation
Cascade Pilot software
• Do not use the Cascade Pilot software to analyze local files or to analyze traffic from
local interfaces. There is no authentication and auditing when analyzing local files and
traffic.
• Do not tick the “Remember password” check box when connecting to a Shark
appliance. The password would be saved in clear text on the client system running
Windows.
• Do not use SMTP with authentication when configuring a watch that sends an email.
The password would be saved in clear text on the Shark appliance.
• Do not use the SSL protocol when configuring a watch that sends an email. There is no
auditing on this cryptographic functionality.
Shark appliance
• Do not change any of the settings listed below. Changing any of the following settings
when FIPS mode is enabled is prohibited.
o webui.legacy_port=
o connection.ports.https=
o connection.ports.http=
o connection.ports.http_redirect=
o webui.enabled=
o actions.enable_run_program=
o profilerexport.enabled=
o profilerexport.profiler.port=
o profilerexport.ssl.enabled=
o profilerexport.profiler.ssl.port=
o profilerexport.profilers.address.*=
Changing any of these settings when FIPS mode is enabled results in a failure, as it would
violate either secure communication or auditing requirements.
JITC-hardened initial setup
1) Put the appliance into Common Criteria compliant mode. Refer to the list of instructions under
“Common Criteria initial setup” on page 52, above.
2) Disable the IPMI port. The IPMI port does not use secure channels. Note that this does not apply
to a Shark-VE appliance, as Shark-VE appliances do not have IPMI ports.
In the CLI: Use system ipmi disable.
3) Set compliant password requirements.
In the web interface: Go to Settings > Authentication Settings. In the Local tab, click the STIG
Compliant Settings button, then click Apply.
4) Change the default boot password.
In the CLI: Use system boot password.
5) Change the default BIOS password. See the section on “How to change the BIOS password” on
page 69 for more information.
6) Change the web/CLI default user passwords.
In the web interface: Go to Settings > Users and Groups and for each user click the Change
Password button and change the password.
7) Set up a login banner.
In the web interface: Go to Settings > Authentication Settings and configure a login banner.
Click the Apply button when done.
8) Enable the firewall. The default settings are compliant.
In the web interface: Go to Settings > Firewall Settings and make sure the Enable Firewall
Settings box is checked. If you make a change, click the Apply Changes button when done.
9) Configure the idle timeout for the web interface to 10 minutes or less.
In the web interface: Go to Settings > Authentication Settings and set the Session Timeout to 10
minutes or less. Then click the Apply button at the bottom of the page.
10) Configure authentication for your NTP servers. You need to use a secure hashing algorithm and
key for each NTP server to be compliant.
By default, NTP server listings show only the server (its hostname or address):
server1
server2
server3
server4
To use secure hashing, add an index, an algorithm, and a key for each server:
server1:index1:algorithm1:key1
server2:index2:algorithm2:key2
server3:index3:algorithm3:key3
server4:index4:algorithm4:key4
Note that:
• When using Profiler Export, the Shark appliance uses the Cascade Profiler appliance as the
NTP source, and no additional configuration is required.
• You can configure NTP servers only when export to Cascade Profiler appliances is disabled.
• The index field must be unique within the Shark appliance. It is provided by the
administrator of the NTP server.
• Valid values for the algorithm are MD5 and SHA1. These values are not case sensitive.
Note also that:
• When in non-FIPS mode the Shark appliance uses MD5-based NTP authentication with the
Cascade Profiler appliance.
• When in FIPS mode the Shark appliance uses SHA1-based NTP authentication with the
Cascade Profiler appliance.
In the CLI: Use the wizard command, and in the NTP server specification step enter the server,
index, algorithm, and key information for each server.
In the web interface: Go to Settings > Basic Settings and enter the NTP server information in
the NTP Server Addresses box. Then click the Apply button.
When the settings have been updated, the keys are hidden.
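A validator for the server and server:index:algorithm:key entries described above, written as an added example (it is not Riverbed code and nothing like it ships on the appliance). It checks what the page states: an entry is either a bare server or exactly four colon-separated fields, the index is unique within the appliance, and the algorithm is MD5 or SHA1 in any letter case. It also assumes, from the note that MD5-based NTP authentication is used only in non-FIPS mode, that an MD5 entry should be flagged when the appliance runs in FIPS mode; the key is treated as opaque because its format comes from the NTP server administrator. It assumes hostnames or IPv4 addresses, since a bare IPv6 literal is ambiguous with a colon separator. The function names and the sample entries are constructed for the example.

```python
"""Validate Shark NTP server entries in the two forms shown above:
    server                        unauthenticated
    server:index:algorithm:key    authenticated (MD5 or SHA1)
Reports entries that are malformed, unauthenticated, reuse an index, or use
an algorithm the current mode does not allow."""

VALID_ALGORITHMS = {"MD5", "SHA1"}   # the two values the guide accepts, case-insensitive
FIPS_ALGORITHMS = {"SHA1"}           # assumption: MD5 is used only in non-FIPS mode, so it is
                                     # treated as non-compliant when FIPS mode is on


def parse_ntp_entry(line):
    """Return {"server", "index", "algorithm", "key"} for one entry; ValueError if malformed.
    Assumes hostnames or IPv4 addresses: a bare IPv6 literal is ambiguous with ':' as separator."""
    parts = line.strip().split(":")
    if len(parts) == 1 and parts[0]:
        return {"server": parts[0], "index": None, "algorithm": None, "key": None}
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected 'server' or 'server:index:algorithm:key', got {line.strip()!r}")
    server, index, algorithm, key = parts
    if not index.isdigit() or int(index) == 0:
        raise ValueError(f"index must be a positive integer, got {index!r}")
    algorithm = algorithm.upper()                      # MD5/SHA1 are not case sensitive
    if algorithm not in VALID_ALGORITHMS:
        raise ValueError(f"algorithm must be MD5 or SHA1, got {algorithm!r}")
    return {"server": server, "index": int(index), "algorithm": algorithm, "key": key}


def audit_ntp_entries(lines, fips_mode=True):
    """Parse every non-blank line; return (parsed_entries, findings)."""
    allowed = FIPS_ALGORITHMS if fips_mode else VALID_ALGORITHMS
    entries, findings, index_owner = [], [], {}
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            entry = parse_ntp_entry(line)
        except ValueError as err:
            findings.append(f"line {n}: {err}")
            continue
        entries.append(entry)
        if entry["index"] is None:
            findings.append(f"line {n}: {entry['server']} has no authentication key")
            continue
        if entry["index"] in index_owner:              # index must be unique within the appliance
            findings.append(f"line {n}: index {entry['index']} is already used by "
                            f"{index_owner[entry['index']]}")
        index_owner.setdefault(entry["index"], entry["server"])
        if entry["algorithm"] not in allowed:
            findings.append(f"line {n}: {entry['server']} uses {entry['algorithm']}, "
                            f"which is not allowed in this mode")
    return entries, findings


# Constructed sample entries (not from a real appliance): one compliant, one MD5,
# one duplicate index, one unauthenticated, one with a non-numeric index.
SAMPLE_ENTRIES = [
    "ntp1.example.net:1:sha1:0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "ntp2.example.net:2:MD5:c0ffee00c0ffee00c0ffee00c0ffee00",
    "ntp3.example.net:1:SHA1:deadbeefdeadbeefdeadbeefdeadbeef",
    "ntp4.example.net",
    "ntp5.example.net:x:SHA1:abcdef0123456789abcdef0123456789",
]

if __name__ == "__main__":
    for mode in (True, False):
        _, problems = audit_ntp_entries(SAMPLE_ENTRIES, fips_mode=mode)
        print(f"FIPS mode {mode}: {len(problems)} finding(s)")
        for problem in problems:
            print("  " + problem)
```

Run it over the lines you intend to paste into the NTP Server Addresses box before clicking Apply; once applied, the keys are hidden in the web interface, so a mistake is easier to catch beforehand.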
11) Change the BIOS settings to disallow booting from removable media. See the section on “How to
disable booting from removable media” on page 72.
Reference
CLI commands
These commands are available through the console interface of a Shark appliance:
certificate profiler-trusted add
Add a new trusted profiler certificate
certificate profiler-trusted del
Remove the given trusted profiler certificate
certificate profiler-trusted list
List all trusted profiler certificates
certificate profiler-export set
Replace the certificate and private key used by profiler export
certificate web set
Replace the certificate and private key used by the web UI
challenge create
Create a new challenge
challenge response
Validate the response of a challenge
interface show eth0
Print network settings for eth0
interface show eth1
Print network settings for eth1
interface show ipmi
Print network settings for the IPMI interface
license add
Add a new license
license del
Delete a license
license clear
Clear all licenses
license list
List all licenses
service probe restart
Restart SharkProbe
service packetrecorder restart
Restart the Packet Recorder
system boot password
Reset the boot password
system fipsmode enable
Enable FIPS mode
system fipsmode disable
Disable FIPS mode
system fipsmode show
Show the current FIPS status and the status at the next reboot
system firewall disable
Disable the system firewall
system firewall status
Show the current status of the firewall
system ipmi enable
Enable the IPMI interface
system ipmi disable
Disable the IPMI interface
system poweroff
Power off Cascade Shark
system reboot
Reboot Cascade Shark
system serial show
Show the Cascade Shark serial number
system vault wipe
Wipe and re-initialize the secure key vault
system wipe
Wipe off all the data from the disks
uptime-report enable
Enable the uptime reports
uptime-report disable
Disable the uptime reports
uptime-report status
Check on the uptime reports status
wizard
Start a wizard for basic settings
help
Display this help
exit
Exit the shell
Certificate commands
certificate profiler-trusted add <trusted-key-name>
Adds a new Trusted Profiler certificate. The <trusted-key-name> appears as the name of
the certificate when you list the Trusted Profiler certificates using the certificate
profiler-trusted list command (described below) or when listing them in the web
interface.
certificate profiler-trusted del <trusted-key-name>
Deletes the specified Trusted Profiler certificate.
certificate profiler-trusted list
Lists all Trusted Profiler certificates.
certificate profiler-export set
Replaces the certificate and private key used for Profiler Export. When you run this
command, the CLI prompts you to type (copy and paste) the PEM version of the certificate
and private key into the command line.
certificate web set
Replaces the certificate and private key used by the Web Interface. When you run this
command, the CLI prompts you to type (copy and paste) the PEM version of the certificate
and private key into the command line.
Interface commands
interface show eth0
interface show eth1
interface show ipmi
These commands show useful information about the appliance’s various Ethernet
interfaces.
An example of the output:
shark> interface show eth0
mac address : 00:25:90:0E:2E:82
ip address  : 10.5.16.59
netmask     : 255.255.255.0
broadcast   : 10.5.16.255
dhcp        : enabled
link status : up (100Mbps full duplex)
[OK]
License commands
license add <license-key>
Adds a new license to the appliance.
license del <license-key>
Deletes the specified license from the appliance.
license clear
Deletes all licenses from the appliance.
license list
Lists all licenses on the appliance.
To make the changes effective, you must restart the Shark Probe service after issuing these
commands:
• license add <license-key>
• license del <license-key>
• license clear
You can use the service probe restart command for this purpose.
Service commands
The service commands act on the main services running on the Shark appliance. They do not reboot
the appliance. If you want to reboot the appliance, use the system reboot command.
service probe restart
Restarts the Shark Probe service.
service packetrecorder restart
Restarts the Packet Recorder service.
System commands
system boot password
Resets the system boot password. You will be asked to enter a password and to confirm it.
system fipsmode enable
Enables the use of FIPS 140-2 compliant cryptography. This change takes place at the next
system reboot.
system fipsmode disable
Disables FIPS mode. This change takes place at the next system reboot.
system fipsmode show
Shows the current FIPS status and the status after the next system reboot.
system firewall disable
Disables the system firewall. This is the emergency command you can use if you lock
yourself out of the Shark appliance. You would enter it from a terminal (or terminal
emulator) connected through the serial port or the keyboard/monitor ports, and then
reconfigure the firewall from the web interface to fix the problem.
system firewall status
Shows the current status of the system firewall.
system ipmi enable {dhcp}|{ipaddr <addr> netmask <mask>}
Enables the IPMI interface. You must specify DHCP address assignment or specify an IP
address and subnet mask.
system ipmi disable
Disables the IPMI interface. Note: The IPMI interface is disabled by effectively setting its IP
address to 0.0.0.0.
system poweroff
Powers off the appliance.
system reboot
Reboots the appliance.
system serial show
Shows the serial number of the appliance.
system vault wipe
Reinitializes the secure key vault. This erases all data in the vault, recreates the folder
structure, and generates SSH keys. In the process, the Web Interface certificate, the Profiler
Export certificate, and the Trusted Profiler certificates are all erased and reset to their
default values. A reboot is required after this operation.
system wipe {dod|dodshort|short}
Restarts the appliance with a custom kernel that securely wipes all data from the disks.
Choose one of three wipe options:
• dod — 7 passes, random data (most secure), DoD 5220.22-M standard wipe
• dodshort — 3 passes, random data, DoD 5220.22-M short wipe (passes 1, 2, and 7 of the
standard wipe)
• short — 1 pass, all zeros
Note that:
• It takes a long time for the wipe operation to complete, during which time the
appliance is reachable only from the monitor and keyboard. Therefore, it is strongly
recommended that you run this command locally from the monitor/keyboard.
• After the wipe operation is complete, the appliance software needs to be reinstalled,
as the OS drive has been wiped during the operation.
Uptime-report commands
uptime-report enable
Enables the uptime ping service. It is enabled by default.
uptime-report disable
Disables the uptime ping service.
uptime-report status
Shows the status of the uptime ping service.
For more information on the uptime ping service, see
https://support.riverbed.com/announce/dns.htm.
Wizard command
wizard
Runs the setup wizard for a Shark or Shark-VE appliance. This leads you through setting up
initial configuration parameters, including:
• hostname
• IP addressing for the eth0 and eth1 ports
• DNS servers
• domain name for the appliance
• time zone
• SSH daemon
• NTP servers
You can find details on the wizard in the Quick Start Guide for the Shark appliance or the
Shark-VE appliance.
Help command
help
Displays the list of CLI commands.
Exit command
exit
Exits the CLI.
Appendix A: BIOS settings for Cascade Shark appliances
How to change the BIOS password
1) Reboot the appliance and be ready to press DEL in order to enter the BIOS SETUP UTILITY.
2) Move to the ‘Security’ tab and select the option ‘Change Supervisor Password’.
3) Enter a password at the prompt and confirm it.
4) Once the Supervisor Password has been enabled, the User Access Level may still be set to ‘Full
Access’. Change it so that only the Supervisor can access the BIOS SETUP UTILITY.
5) Select ‘User Access Level’, press Enter and select ‘No Access’.
6) Move to the ‘Exit’ tab and save the settings.
How to disable booting from removable media
1) In the BIOS SETUP UTILITY, move to the ‘Boot’ tab.
2) Select the option ‘Boot Device Priority’. Removable (and network) devices may be listed.
3) To disable a device, select it, press enter and select ‘Disabled’ in the drop-down menu.
4) Make sure that all removable drives are disabled.
5) Save settings and exit the BIOS SETUP UTILITY.