Partner Technical Training

Arbor APS Deployment

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Install Arbor APS
• Upgrade Arbor APS
• Perform initial configuration using the CLI
• Apply Best Practices at initial deployment
• Begin to use Arbor APS API


INSTALLING ARBOR APS


Connecting to Arbor APS Appliance
• Connect to the appliance for configuration by using one of the following methods
(the serial console is easier to use):
• Serial Console
• Plug the RJ45 end of an Ethernet patch cable into the serial console port on the front
of the appliance
• Connect the other end of the Ethernet patch cable to a serial console server or computer
• Configure your console server or computer with the following settings:
• Baud rate: 9600
• Data bits: 8
• Stop bits: 1
• Parity: None
• Flow control: None
• VGA – Keyboard, Video Mouse


Installing Arbor APS
1. Turn on the APS appliance
2. When the prompt that tells you to “Press any key to continue” appears,
press a key within five seconds.
3. Select the following option on the GRUB menu and then press enter:
(re)install from on-board flash (Serial)
4. Enter “Y” in response to the following prompt:
• Do you want to begin the install process? This will remove all current data
and configuration [n]
5. When the installation processes finish, respond to the prompts to configure
the APS for the first time


INITIAL CONFIGURATION – CLI


Initial Configuration via CLI
• Below is a list of tasks to complete
• Access the system console, set a host name and password
• Connect and configure management Ethernet interface (mgt0)
• Configure span port in the router / switch
• Connect cable from span port into Protection Interface port (ext0)
• Configure default gateway
• Configure IP access rules
• Configure SSH
• Set current Time and time zone
• Set language (optional)
• Configure the system’s license
• Set deployment mode
• Start Arbor APS services
• Save configuration


Quick Start Cards


Arbor APS Documentation


Login to the CLI
• First time login using default password (“arbor”)

Arbor login: admin
Password:

Arbor Networks APS v5.11.0
Copyright (c) 2000-2016 Arbor Networks, Inc.
All Rights Reserved.

Welcome to ArbOS

admin@arbos:/# _


Set System Name
• The system name may be arbitrary
• The system name is not used for inter-device communications
in Cloud Signaling

admin@arbos:/# system name set demo

admin@demo:/#


Admin Password
• After installing APS, the default administrator password must be changed
before you can start the APS services
• If admin password is not changed prior to starting APS services the following
message will appear:
admin@demo:/# services aps start
ERROR: The default admin password must be changed
• To change admin password:
admin@demo:/# services aaa local password admin interactive
Changing password for user admin.
New password:
Re-enter new password:
Password changed
passwd: all authentication tokens updated successfully.


User Password Criteria
• Enforces a minimum level of password complexity
• Acceptable Arbor APS passwords:
• At least 7 characters long
• At most 72 characters long
• Can include special characters, spaces, and quotation marks
• Cannot be all digits
• Cannot be all lower-case letters or all uppercase letters
• Cannot be only letters followed by only digits (such as abcd123)
• Cannot be only digits followed by only letters (such as 123abcd)
• Cannot consist of alternating letter-digit combinations (such as 1a3A4c1)
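
The criteria above, expressed as a pre-check you can run on candidate passwords before provisioning accounts. This is an added example, not Arbor's validation code: the function names and the regular expressions are this example's interpretation of the listed rules, and "alternating" is assumed to mean single letters and single digits in strict alternation.

```python
import re

# Each entry mirrors one bullet from the criteria list. The regexes are an
# interpretation of the slide's wording, not the appliance's own validator.
RULES = [
    ("at least 7 characters", lambda p: len(p) >= 7),
    ("at most 72 characters", lambda p: len(p) <= 72),
    ("not all digits", lambda p: not re.fullmatch(r"\d+", p)),
    ("not all lower-case letters", lambda p: not re.fullmatch(r"[a-z]+", p)),
    ("not all upper-case letters", lambda p: not re.fullmatch(r"[A-Z]+", p)),
    ("not letters followed by digits",
     lambda p: not re.fullmatch(r"[A-Za-z]+\d+", p)),
    ("not digits followed by letters",
     lambda p: not re.fullmatch(r"\d+[A-Za-z]+", p)),
    ("not alternating letters and digits",
     lambda p: not re.fullmatch(
         r"(?:[A-Za-z]\d)+[A-Za-z]?|(?:\d[A-Za-z])+\d?", p)),
]


def violations(password):
    """Return the name of every criterion the candidate password fails."""
    return [name for name, ok in RULES if not ok(password)]


def acceptable(password):
    """True when the candidate fails none of the listed criteria."""
    return not violations(password)


if __name__ == "__main__":
    # Constructed candidates: the default password, the slide's three
    # counter-examples, an all-digit string and a passphrase with spaces.
    for candidate in ["arbor", "abcd123", "123abcd", "1a3A4c1",
                      "12345678", "Blue horse 42!"]:
        print(repr(candidate), violations(candidate) or "OK")
```
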


Clock & Time Zone Setting
• Setting the clock is important for proper Syslog reporting and to support advanced features such as Cloud Signaling
• The time zone must be set in the GUI, not in the CLI
• Clock format is MMDDhhmm[[CC]YY][.ss]
• It is a good idea to set the clock even when you plan to use NTP
• The clock is set in the UTC time zone

admin@demo:/# clock set 062210222012


Setting Management Interface IP address

ip interfaces ifconfig mgt0 10.2.24.76/24
ip interfaces ifconfig mgt0 2620:11e:1001:ebc::34/128
ip route add default 10.2.24.1

admin@demo:/# ping 10.2.24.1
Sending five 64 byte echo request to 10.2.24.1
!!!!!
5 packets transmitted, 5 received, 0% packet loss, time 80ms


DNS Server Setting
• Setting DNS in the CLI is useful to ensure the ability to reach services
like AIF Updates and to provide reverse DNS lookups for UI

/ service dns server add 10.2.24.222

admin@demo:/# / services dns server
Active DNS Servers:
10.2.24.222


IP Media Commands (Optional)
• If necessary, speed and duplex can be set for both management
and protection interfaces
• Copper interfaces of both types are 10/100/1000

Management Interfaces:
/ ip interfaces media mgt0 speed 1000 duplex full

Protection Interfaces:
/ services aps mitigation interface media ext0 speed 1000 duplex full
/ services aps mitigation interface media int0 speed 1000 duplex full


Management Interface Traffic Type
• Types of traffic for Arbor APS management interfaces
• HTTPS
• Web GUI, AIF, Cloud Signaling Handshake
• SSH
• Ping/ICMP
• NTP
• DNS
• SNMP traffic
• Cloud Signaling heartbeats (UDP)


Access Control via IP Access Lists
• Arbor APS “internal firewall” needs to be configured to allow access
• IP access rules allow you to specify authorized access (inbound
connections) on a per subnet per interface per application basis
ip access add https all 10.0.0.0/8
ip access add ping all 0.0.0.0/0
ip access add ssh all 10.0.0.0/8
ip access add https all 2620:11e:1000::/44
ip access add ping mgt0 2620:11e:1000::/44
ip access add ssh mgt0 2620:11e:1000::/44

IMPORTANT: To activate the access list, it must be committed:

ip access commit


Ports & Protocols – Access Required
• Arbor APS management traffic uses these ports and protocols
• Make sure existing firewalls in the management network are configured to allow this traffic
- Port number is configurable


Enabling Secure Shell Access
• SSH access is optional but recommended
• Enabling SSH
admin@demo:/# services ssh start
admin@demo:/# services ssh show
SSH service status:
Status: running
Port: 22 (default)
Protocol: 2 (default)

• Connect via SSH to validate and also to continue the CLI configuration
in a more productive way


Check for Arbor APS Version
• It is very important to ensure you have the latest code release for Arbor APS
• To find the latest version, check Arbor Technical Assistance Center (ATAC) web
site download area
admin@demo:/# system version
Version: Arbor Networks APS 5.11.0 (build HEDK) (arch x86_64)

Note: If you don’t have the latest code release, you MUST upgrade before moving forward


Installed System Software
• System will ship with software pre-installed on the internal flash file system
admin@demo:/# system files show
Installed packages:
ArbOS_5.3.6.2 ArbOS 5.3.6.2 system files (build HEDK) (arch x86_64)
Arbor-APS-5.11.0 Arbor Networks APS 5.11.0 (build HEDK) (arch x86_64)


Obtain New ArbOS & APS Package
• Pre-requisites
• Download new software and release notes from https://update.arbor.net/
• Open a ticket at ATAC https://support.arbor.net/ to obtain an account
• Carefully read Release Notes
• Obtain a Product and an AIF license from Arbor Support
• Copy software packages to Arbor APS’ disk: (via CLI or GUI)

admin@demo:/# system file copy http://10.2.24.209/arbos-5.3.6.2-HJ4H-x86_64 disk:
admin@demo:/# system file copy http://10.2.24.209/Arbor-APS-5.12.0-HJ4H-x86_64 disk:

Note: For other copy options and syntax, use the CLI command: / system file copy ?


Uninstall Old APS Package

admin@demo:/# system files show
Installed packages:
ArbOS_5.3.6.2 ArbOS 5.3.6.2 system files (build HEDK) (arch x86_64)
Arbor-APS-5.11.0 Arbor Networks APS 5.11.0 (build HEDK) (arch x86_64)
admin@demo:/# service aps stop
admin@demo:/# config write
admin@demo:/# system files uninstall Arbor-APS-5.11.0

Note: System configuration, statistics, history, log, etc. will be preserved


Install New ArbOS & APS Package
• Install new ArbOS package and reboot for OS to take effect
/ system file install disk: arbos-5.3.6.2-HJ4H-x86_64
/ reload

• Install new Arbor APS package


/ system file install disk: Arbor-APS-5.12.0-HJ4H-x86_64
/ reload

Note: Be sure to reload after both the ArbOS install and the Arbor package install


Check for Installed Arbor APS Licenses
• Arbor APS requires both a product and AIF license
• If you see this, you need to install licenses:
admin@demo:/# system license show
No licenses are set

• If you see this, the licenses are already installed:
admin@demo:/# system license show
Product: Arbor
Model: PRA-APS-2108
Expires: Never
Key: NP94V-NREPK-9C9DB-MG76S-GHDWS-JMXPS-5PY36-J6AP6-V0M38

Product: ASERT
Model: PRA-AIF-ADVANCED
Expires: Thu Aug 15 13:24:55 2019
Key: BBE4P-4PZGR-GX99M-B93Y5-D10B7-A0HT2-P8HEV-6KQMG-PPM82


Appliance Serial Number
• Arbor APS units have unique serial numbers
• The serial number is required to generate the license
admin@demo:/# system hardware
Boot time: Thu Dec 20 12:36:54 2012, 43 days 20:44 ago
Load averages: 1.17, 1.59, 1.64
BIOS Version: S5500.86B.01.00.0054.092820101104
System Board Model: T5520UR
System Model Number: APS2100YAPS2100
Serial Number: PRV-20110430


Installing Arbor APS Licenses
• Once you have obtained both a product and AIF license, you now need
to set them in the system
• Best approach is to Copy-Paste into CLI using SSH client
admin@demo:/# system license set Arbor PRA-APS-2108 P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR
admin@demo:/# system license set ASERT "PRA-APS-AIF-ADVANCED expires: 1437749737" 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321
admin@demo:/# system license show
Product: Arbor
Model: PRA-APS-2108
Expires: Never
Key: P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR

Product: ASERT
Model: PRA-AIF-ADVANCED
Expires: Thu Aug 15 13:24:55 2019
Key: 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321


Configure Arbor APS Services
• Arbor APS Services menu
admin@demo:/# services aps ?
Subcommands:
  bypass/      Configure bypass control
  database     Initialize or reinitialize the database
  histograms   Configure or display histograms
  language     Configure the language used in the UI
  mode         Switch between Pravail APS deployment modes
  protection   Modify protection configuration
  reconfig     Reconfigure Pravail APS services
  show         Show aps status
  start        Start Pravail APS services
  stop         Stop Pravail APS services


Set User Interface Language (Optional)
• Language selection affects all GUI text
• Language can also be changed in GUI
• CLI remains in English
admin@demo# services aps language show
Language: English
admin@demo# services aps language set ?
en (English)
ja (Japanese)
ko (Korean)
ru (Russian)
zh (Mandarin)
admin@demo# services aps language set en
admin@demo#


Set MONITOR Deployment Mode
• Determines whether Arbor APS forwards any traffic
• Inline forwards traffic; Monitor does not forward
• Setting appears as icon at top of GUI
admin@demo# services aps mode show
Deployment mode: inline (inactive)
admin@demo# services aps mode set ?
inline
l3
monitor
admin@demo# services aps mode set inline
admin@demo#


Initialize Arbor APS Database
• Database initialization is required to clean up the device
• Resets Arbor APS databases
• Any existing Arbor APS data is erased
• Any GUI-only configuration is erased
• Any configuration that appears in CLI is retained
admin@demo# services aps database initialize
• This command removes most customer data remnants from Arbor APS GUI after a trial
• CLI logs will still be there
• For a complete wipe initialize disks and (re)install the system


Start Monitoring
• Start Arbor APS services
• Until you start the Arbor APS services, the appliance will be in Software
Bypass mode
• Supports the Graphical User Interface (GUI)
• No running APS service = no GUI

admin@demo:/# services aps start
Starting Arbor services..................done.
admin@demo:/# services aps show
Arbor state: started


Save the Configuration

admin@demo:/# conf write
admin@demo:/#

Initial CLI configuration is complete!


BEST PRACTICES AT INITIAL DEPLOYMENT


Device Configuration
• There are a few things that are important to ensure success in Arbor APS’s
deployment. Some of them are:
• Initialize the disk and reinstall if there is previous data in the system
• Create user-ids for each person accessing Arbor APS
• Leave admin as a backup for last resort. Do not use it daily.
• Use RADIUS or TACACS if possible
• Configure IP access lists as strict as possible
• Always avoid using 0.0.0.0/0
• Use NTP to ensure all devices share the same time (especially your Syslog
server)
• Configure Syslog to export data to a local server
• As soon as you finish the setup, create a Remote backup
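
A way to check a planned set of "ip access" commands against the advice to keep access lists strict and avoid 0.0.0.0/0, and against the earlier requirement that rules be committed. This is an added example, not Arbor tooling: it only reads pasted text, the sample is constructed from the rule lines on the "Access Control via IP Access Lists" slide, and the function name and prefix thresholds are assumptions.

```python
import ipaddress

# Constructed sample: the rule lines from the access-list slide, pasted as a
# candidate configuration to review before typing it into the CLI.
SAMPLE = """\
ip access add https all 10.0.0.0/8
ip access add ping all 0.0.0.0/0
ip access add ssh all 10.0.0.0/8
ip access add https all 2620:11e:1000::/44
ip access add ping mgt0 2620:11e:1000::/44
ip access add ssh mgt0 2620:11e:1000::/44
ip access commit
"""


def audit(config_text, min_v4_prefix=8, min_v6_prefix=32):
    """Return (line_no, message) findings for a block of ip access commands.

    min_v4_prefix and min_v6_prefix are hypothetical thresholds for "too
    broad"; set them to match the size of your management network.
    """
    findings, pending = [], False
    for no, line in enumerate(config_text.splitlines(), 1):
        words = line.split()
        if words[:3] == ["ip", "access", "commit"]:
            pending = False          # everything added so far becomes active
            continue
        if words[:3] != ["ip", "access", "add"] or len(words) != 6:
            continue                 # not an access rule, ignore
        service, iface, cidr = words[3:]
        pending = True
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append((no, f"{service}: invalid network {cidr!r} ({exc})"))
            continue
        limit = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen == 0:
            findings.append((no, f"{service} on {iface}: open to any source ({cidr})"))
        elif net.prefixlen < limit:
            findings.append((no, f"{service} on {iface}: very broad source {cidr}"))
    if pending:
        findings.append((0, "rules added after the last 'ip access commit' are not active"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```
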


Operation
• When operating APS, best practice is to:
• Access the devices using only encrypted connections (HTTPS or SSH)
• Create a separate Protection Group for each of the services that need
to be monitored
• Configure Filter Lists to Drop unnecessary traffic into a Protection Group
• For a Web Server Type, configure the Filter List Prevention
with “drop udp” (unless it is a requirement for UDP traffic to be allowed
to the service)


Allow Internal Traffic in Advance
• Reduce service disruptions by whitelisting institutional space in the Master Filter List


Whitelist Known / Approved Traffic Sources
• Try to whitelist known NATs and known sources


Tuning: Look for Collateral Damage
• While in Inactive mode, try different Protection Levels and look for hosts that would be unintentionally blocked
• Then, in peace time, do the same under Active mode


IPv6 Functionality (1 of 2)
• Arbor APS does not support the following functionality for IPv6:
• ICMPv6 decode in packet capture
• Blacklist countries, URLs, and Domains
• AIF support of IPv6 Threats
• Outbound Threat Filter
• Outbound Black / Whitelist
• Notifications to IPv6 destinations (SNMP traps, Syslog, Email)
• IPv6 host as a backup server
• IPv6 host as a proxy server
• IPv6 host as a Cloud Signaling server
• IPv6 host as NSI controller


IPv6 Functionality (2 of 2)
• Arbor APS does not support the following functionality for IPv6:
• GRE Remote IP’s
• Post GRE Routes
• API calls for the following functionality
• Blacklists
• Whitelists
• Blocked Hosts
• Protection Group creation
• Server Type creation
• Default IPv6 Protection Group


MANAGEMENT WITH ARBOR APS API


Application Program Interface: API
• Allows customers to create or use their current custom management portals to correlate threat alerts and information across multiple devices
• Enterprise: Manage a large security deployment across dispersed architecture
• Partners: Manage multiple clients utilizing current ticketing and management systems


Arbor APS API Use cases
• Users can eliminate the need to interact with multiple UIs by creating a single UI view that presents all of the collected data on a single screen
• Automation of repetitive tasks across multiple APS appliances
• Blacklist / Whitelist multiple hosts using a single script


Arbor APS API Automation Examples
• Arbor APS API usage examples:
• Configuration Synchronization
• Create / Manage Protection Groups and Server Types
• Change Protection Levels and Deployment modes
• Send and Manage manual Cloud signaling alerts
• Whitelist and Blacklist management
• Summary Traffic reporting on Protection Groups and APS’s
• Get Attack Category statistics per Protection Group
• What cannot be done with Arbor APS API
• Gain IPv6 data and histograms


API Documentation

Available for download from Arbor’s Support Knowledge Base


Unit Summary
In this unit we have learned how to:
• Install Arbor APS
• Upgrade Arbor APS
• Perform initial configuration using the CLI
• Apply Best Practices at initial deployment
• Begin to use Arbor APS API


Q&A / THANK YOU
