
Hillstone Networks

sBDS Threat Trace Deployment


Guide
Version 1.0

TechDocs | https://docs.hillstonenet.com


Copyright 2019 Hillstone Networks All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.

Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
https://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives deployment instructions for the Threat Trace function of Hillstone Networks sBDS.
For more information, refer to the documentation site: https://docs.hillstonenet.com.
To provide feedback on the documentation, please write to us at:
hs-doc@hillstonenet.com

Hillstone Networks
TWNO: TW-DPL-BDS-1.0-CN-V1.0-2019/10/15
Contents

Contents 1
Introduction 1
About This Guide 1
Deployment Requirements 2
User Endpoint System Requirements 2
Server System Requirements 2
Server Hardware Requirements 2
Server Software Requirements 2
Network Environment Requirements 2
Installing sBDS ThreatTrace Client on User Endpoint (Stand-alone Installation Mode) 4
Preparation 4
Installing the sBDS ThreatTrace Client 4
Step 1: Update the installer with the UpdateMsi tool 4
Step 2: Run the installer to complete the installation 5
Step 3: Confirm the process 5
Uninstalling the sBDS ThreatTrace Client 6
Updating the sBDS ThreatTrace Client 6
Installing sBDS ThreatTrace Client on User Endpoint (Domain Installation Mode) 7
Preparation 7
Assigning the sBDS ThreatTrace Client via Group Policy 7
Assigning to the Domain Users 8
Step 1: Create a group policy object 8
Step 2: User Configuration- Edit group policy and deploy software 8
Step 3: Apply Group Policy to User Organizational Units 11
Step 4: Force the group policy to update 12
Assigning to computers in the domain 12
Step 1: Create a group policy object 12
Step 2: Computer Configuration- Edit group policy and deploy software 13
Step 3: Apply Group Policy to Computer Organizational Units 14
Step 4: Force the group policy to update 15
Uninstalling the Assigned Client via Group Policy 15
Updating the Assigned Client via Group Policy 16
Deploying the Threat Trace Server 18
Preparation 18
Deploying the Threat Trace Server 18

TOC - 1
Starting and Visiting the sBDS Threat Trace Server 22
Configuring the sBDS Threat Trace Server 23
Connecting the sBDS Device to the Threat Trace Server 25
Viewing the Threat Trace Results on the sBDS Device 25
Command Line Index 27
Threat Trace Server Commands 27
Viewing Help 27
Configuration Commands 27
Show Commands 28

Introduction

In order to trace network threat behavior detected by the sBDS device back to the process on the user endpoint, Hillstone
provides the threat trace function. Deploying the function involves three parts: the user endpoint, the server,
and the sBDS device.
First, install the sBDS ThreatTrace Client on the user endpoints of the internal network to collect endpoint
behaviors such as process creation, network access, file operations, and registry modification.
Then, deploy a threat trace server to store the collected endpoint information.
Finally, the sBDS device connects to the threat trace server and obtains the collected information, so that
threat behaviors can be traced.
To deploy the device, refer to the following deployment scenarios.

About This Guide


This guide introduces the installation and deployment requirements of the sBDS threat trace function, how to install
the sBDS ThreatTrace client on the user endpoint, how to deploy the threat trace server, and how to connect the sBDS
device to the threat trace server.
Related links:

"Deployment Requirements" on Page 2

"Installing sBDS ThreatTrace Client on User Endpoint (Stand-alone Installation Mode)" on Page 4

"Installing sBDS ThreatTrace Client on User Endpoint (Domain Installation Mode)" on Page 7

"Deploying the Threat Trace Server" on Page 18

"Connecting the sBDS Device to the Threat Trace Server" on Page 25

Deployment Requirements

The requirements for the installation and deployment of the sBDS Threat Trace function include the following three
aspects:

User endpoint system requirements

Server system requirements

Network environment requirements

User Endpoint System Requirements


To install the sBDS ThreatTrace client, the user endpoint should meet the following requirements:

Windows 7 / Windows Server 2008 R2 or later.

At least 1 GB of memory.

More than 20 GB of hard disk space.

An Ethernet-compatible network card with TCP/IP support.

Server System Requirements


The sBDS threat trace server is packed in an OVF file and can be installed on a VMware ESXi server running on a 64-bit
system.
Before installing the sBDS threat trace server, you should already be familiar with the VMware vSphere hypervisor, ESXi hosts
and VMware virtual machines.

Server Hardware Requirements


The server should meet the following requirements:

The virtual machine requires at least 4 CPUs and 16GB memory.

Hard disk requires at least 1000GB (expandable).

At least 1 NIC will be created.

Server Software Requirements


The server should meet the following requirements:

The port used to receive endpoint logs is enabled by default: 5044

The data query port is enabled by default: 9200

Note: At present, the sBDS Threat Trace function does not support changing these ports. Please
ensure that the above ports are not used by other services on the server.

Network Environment Requirements


Ensure that the network between the user endpoint and the server is reachable.

Ensure that the network between the sBDS device and the server is reachable.

The server needs to have a long-term fixed IP address or domain name.

Installing sBDS ThreatTrace Client on User Endpoint
(Stand-alone Installation Mode)

In the stand-alone installation mode, the installer in msi format is run directly on the user endpoint. Installing the
sBDS ThreatTrace Client this way includes the following aspects:

Preparation

Installing the sBDS ThreatTrace Client

Uninstalling the sBDS ThreatTrace Client

Updating the sBDS ThreatTrace Client

Preparation
Before installing the sBDS ThreatTrace Client, make the following preparations:

1. Obtain the fixed IP address or domain name of server.

2. Download the msi format installer package (32-bit or 64-bit) and the UpdateMsi tool package from the Hillstone
sales.

Note: Please select the client installer that matches the user's actual environment, for example the 64-bit
client installer for a 64-bit system.

Installing the sBDS ThreatTrace Client


To install the sBDS ThreatTrace Client on the user endpoint through the stand-alone installation mode, take the following steps:

Step 1: Update the installer with the UpdateMsi tool


1. Unzip the obtained installer in msi format.
The installer includes: sBDS ThreatTrace Client_x86.msi (32-bit) and sBDS ThreatTrace Client_x64.msi (64-bit)

2. Unzip the obtained UpdateMsi tool.

3. Open the UpdateMsi tool and click Load msi. After the loading is successful, enter the obtained fixed IP address
or domain name of the Threat Trace server and then click Update.

4. When the prompt Update Success appears, the update is complete.

Step 2: Run the installer to complete the installation


1. Double-click to run the installer in msi format.

2. Follow the prompts: click the Next button, confirm the installation location, click the Install button,
and then wait for the installation to finish.

3. Click the Finish button to complete the installation.

Step 3: Confirm the process


After the installation is complete, confirm in Task Manager that the "System activity monitor" and "winlogbeat"
processes are running.
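A scripted version of this check, added here as an example and not part of the Hillstone guide: it confirms the two processes named above are running and that the endpoint can reach the Threat Trace server on the log port 5044 from the server software requirements. The server name is a placeholder; run it on the endpoint after the installer finishes.

```powershell
# Added example, not from the Hillstone guide. Verifies a stand-alone install
# of the sBDS ThreatTrace Client: the two processes the guide names must be
# running, and the endpoint must reach the Threat Trace server on port 5044
# (the log-receiving port from the server software requirements).
param(
    # Fixed IP address or domain name of the Threat Trace server (placeholder)
    [string]$Server  = 'threattrace.example.internal',
    [int]   $LogPort = 5044
)

# Task Manager shows the file description, so match each expected name against
# both the image name and the main module's description.
$expected = @('System activity monitor', 'winlogbeat')
$found    = @{}
foreach ($name in $expected) { $found[$name] = $false }

foreach ($p in Get-Process) {
    # MainModule is not readable for every process; treat that as "no description"
    $desc = try { $p.MainModule.FileVersionInfo.FileDescription } catch { $null }
    foreach ($name in $expected) {
        if ($p.Name -like "$name*" -or $desc -eq $name) { $found[$name] = $true }
    }
}

$ok = $true
foreach ($name in $expected) {
    if ($found[$name]) { Write-Host "[OK]      process running: $name" }
    else { Write-Warning "process not running: $name"; $ok = $false }
}

# Port open on the server side: rules out a firewall or a wrong address
# before the installer is blamed.
$tnc = Test-NetConnection -ComputerName $Server -Port $LogPort -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) { Write-Host "[OK]      ${Server}:${LogPort} reachable" }
else { Write-Warning "cannot reach ${Server}:${LogPort}"; $ok = $false }

# An established connection to that port shows the client is actually shipping
# logs, not only that the port is open.
$estab = Get-NetTCPConnection -State Established -RemotePort $LogPort -ErrorAction SilentlyContinue
if ($estab) {
    foreach ($c in $estab) {
        $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).Name
        Write-Host "[OK]      $owner -> $($c.RemoteAddress):$LogPort established"
    }
} else {
    Write-Warning "no established connection to port $LogPort yet; the client may still be starting"
}

if ($ok) { exit 0 } else { exit 1 }
```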

Uninstalling the sBDS ThreatTrace Client
If you want to uninstall the installed sBDS ThreatTrace Client on the user endpoint, you can use the following two methods:

Method 1: Run the installer again, click the Remove button as prompted.

Method 2: Go to the Windows Control Panel, select Programs and Features, and select the installed sBDS
ThreatTrace Client in the list, and then click Uninstall.

Updating the sBDS ThreatTrace Client


Currently, the sBDS ThreatTrace Client does not support direct upgrade. If you need to upgrade the client, please uninstall the installed client first, and then reinstall the new version of the sBDS ThreatTrace Client.

Installing sBDS ThreatTrace Client on User Endpoint
(Domain Installation Mode)

On the user endpoint, you can install the sBDS ThreatTrace client through the domain installation mode, that is, the
domain server distributes the sBDS ThreatTrace Client to the domain users or computers.
Installing the sBDS ThreatTrace client on the user endpoint in domain installation mode includes the following
aspects:

Preparation

Assigning the sBDS ThreatTrace Client via Group Policy

Uninstalling the Assigned Client via Group Policy

Updating the Assigned Client via Group Policy

Preparation
Before installing the sBDS ThreatTrace Client, make the following preparations:

1. Download the msi format installer package (32-bit or 64-bit) and the UpdateMsi tool package from the Hillstone
sales.

2. Create a shared folder on the domain server, store the installer in the shared folder, and ensure that the user has
"Read" permission and that the computers in the domain can access the shared folder.

3. Update the installer with the UpdateMsi tool (For details, see Update the installer with the UpdateMsi tool).

Assigning the sBDS ThreatTrace Client via Group Policy


There are two methods to assign the sBDS ThreatTrace client via group policy:

Assign to domain users: When the sBDS ThreatTrace client is assigned to domain users via group policy, the client will be installed automatically after the domain user logs on to the computer.

Assign to computers in the domain: When the sBDS ThreatTrace client is assigned to the computer in the domain
via group policy, the client will be installed automatically after the computer reboots.

Assigning to the Domain Users


To assign the client to the domain users, take the following steps:

Step 1: Create a group policy object


1. In the domain server, select Start > Control Panel > System and Security > Administrative Tools,
double-click the Group Policy Management to open the Group Policy Management dialog.

2. Expand the node in the left navigation bar, right click on Group Policy Object, select New to open the New
GPO dialog.

3. In the New GPO dialog, type the group policy name into the Name textbox.

4. Click OK.

Step 2: User Configuration - Edit group policy and deploy software


1. Right click on the created Group Policy object and select Edit to open the Group Policy Management Editor dialog.

2. In the left navigation bar, select User Configuration > Policies > Software Settings > Software Installation, right-click Software Installation, and select New > Packets.

3. Select the sBDS ThreatTrace Client installer that is already stored in the shared folder.

4. In the Deployment Software dialog, select Assigned, and then click OK to complete the package creation
and deployment.

5. Once the package is created, it is displayed in the Group Policy Management Editor dialog.

6. Right click on the deployed installer name and select Properties.

7. In the Properties dialog, select the Deployment tab, in the Deployment options section, check the Install
this application at logon check box.

8. Select the Security tab and make sure the user group has Read permission.

9. Click OK to save the configuration and return to the Group Policy Management dialog.

Note:
When selecting the client installer, please use the network path of the shared folder, otherwise the file will not be read.

Please select the client installer that matches the user's actual environment, for example the 64-bit
client installer for a 64-bit system.

Step 3: Apply Group Policy to User Organizational Units


1. In the Group Policy Management dialog, double-click the created group policy name.

2. In the Security Filtering section, click Add to add a user group to install the sBDS ThreatTrace Client.

3. In the left navigation bar, select the user organization unit that needs to deploy the group policy, right-click the
user organization name, select Link an Existing GPO to open the Select GPO dialog.

4. In the Group Policy objects section, select the created group policy object name.

5. Click OK to save the configuration and return to the Group Policy Management dialog.

6. To ensure that the group policy can be enforced in the user organizational unit and its sub-organizational units,
the group policy can be specified as mandatory. In the Linked Group Policy Objects tab, right click the group
policy name and select Enforced.

Note: Before linking a group policy, you need to ensure that the user organizational unit has
been created in the domain.

Step 4: Force the group policy to update


In order for group policy to take effect, you need to force a group policy update after completing the above steps.

1. On the domain server, select Start > Control Panel > System and Security > Administrative Tools,
double-click the Windows PowerShell.

2. Enter gpupdate /force in the command window.

3. After the prompt "user policy update has completed successfully", close the dialog box.

Assigning to computers in the domain


To assign the client to computers in the domain, take the following steps:

Step 1: Create a group policy object


1. In the domain server, select Start > Control Panel > System and Security > Administrative Tools,
double-click the Group Policy Management to open the Group Policy Management dialog.

2. Expand the node in the left navigation bar, right click on Group Policy Object, select New to open the New
GPO dialog.

3. In the New GPO dialog, type the group policy name into the Name text box.

4. Click OK.

Step 2: Computer Configuration - Edit group policy and deploy software
1. Right click on the created Group Policy object and select Edit to open the Group Policy Management Editor dialog.

2. In the left navigation bar, select Computer Configuration > Policies > Software Settings > Software
Installation, right-click Software Installation, and select New > Packets.

3. Select the sBDS ThreatTrace Client installer that is already stored in the shared folder.

4. In the Deployment Software dialog, select Assigned, and then click OK to complete the package creation
and deployment.

5. Once the package is created, it is displayed in the Group Policy Management Editor dialog.

Note:
When selecting the client installer, please use the network path of the shared folder, otherwise the file will not be read.

Please select the client installer that matches the user's actual environment, for example the 64-bit
client installer for a 64-bit system.

Step 3: Apply Group Policy to Computer Organizational Units
1. In the Group Policy Management dialog, double-click the created group policy name.

2. In the Security Filtering section, click Add to add a computer group to install the sBDS ThreatTrace Client.

3. In the left navigation bar, select the computer organizational unit that needs to deploy the group policy, right-click
the organizational unit name, and select Link an Existing GPO to open the Select GPO dialog.

4. In the Group Policy objects section, select the created group policy object name.

5. Click OK to save the configuration and return to the Group Policy Management dialog.

6. To ensure that the group policy can be enforced in the computer organizational unit and its sub-organizational
units, the group policy can be specified as mandatory. In the Linked Group Policy Objects tab, right click the
group policy name and select Enforced.

Note: Before linking a group policy, you need to ensure that the computer organizational unit
has been created in the domain.

Step 4: Force the group policy to update


In order for group policy to take effect, you need to force a group policy update after completing the above steps.

1. On the domain server, select Start > Control Panel > System and Security > Administrative Tools,
double-click the Windows PowerShell.

2. Enter gpupdate /force in the command window.

3. After the prompt "user policy update has completed successfully", close the dialog box.
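The "assigning to computers in the domain" procedure above, scripted as an added example (not from the Hillstone guide) for the parts the GroupPolicy module covers: checking the shared installer from the Preparation step, creating the GPO (Step 1), security filtering and an Enforced link (Step 3), and the forced update (Step 4). The GPO name, OU, computer group and UNC path are placeholders; Step 2 (adding the .msi under Software Installation) has no cmdlet and is still done in the Group Policy Management Editor.

```powershell
# Added example, not from the Hillstone guide. Scripts the parts of
# "Assigning to computers in the domain" that the GroupPolicy module covers:
# check the shared installer (Preparation, step 2), create the GPO (Step 1),
# security-filter and link it Enforced (Step 3) and force an update (Step 4).
# Step 2, adding the .msi under Software Installation, has no cmdlet and is
# still done in the Group Policy Management Editor. All names are placeholders.
#Requires -Modules GroupPolicy, ActiveDirectory
param(
    [string]$GpoName       = 'sBDS ThreatTrace Client',
    [string]$TargetOu      = 'OU=Workstations,DC=example,DC=internal',
    [string]$ComputerGroup = 'sBDS-ThreatTrace-Computers',
    # UNC path to the installer already updated with the UpdateMsi tool
    [string]$MsiPath       = '\\dc01\Deploy\sBDS ThreatTrace Client_x64.msi'
)

# The guide's note: the package must be given as a network path, and the
# computer accounts need Read on it, or the file will not be read at install.
if ($MsiPath -notlike '\\*') { throw "MsiPath must be a UNC path (\\server\share\...), got '$MsiPath'" }
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "installer not found at '$MsiPath'" }

$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$readers = (Get-Acl -LiteralPath $MsiPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $readRight) -eq $readRight) } |
    ForEach-Object { $_.IdentityReference.Value }
Write-Host "Read access on installer: $($readers -join ', ')"
if (-not ($readers -match 'Domain Computers|Authenticated Users|Everyone')) {
    Write-Warning 'no group containing the computer accounts has Read on the .msi; the assignment will fail at boot'
}

# The OU has to exist before a GPO can be linked to it (note under Step 3).
try { Get-ADOrganizationalUnit -Identity $TargetOu | Out-Null }
catch { throw "OU '$TargetOu' not found; create it before linking the policy" }

# Step 1: create the GPO, or reuse an existing one of the same name.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Assigns the sBDS ThreatTrace Client to domain computers'
}

# Step 3: security filtering. Only the computer group applies the policy;
# Authenticated Users keeps Read (not Apply) so computer accounts can still
# read the GPO from SYSVOL.
Set-GPPermission -Guid $gpo.Id -TargetName $ComputerGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Link to the OU and mark the link Enforced so sub-OUs cannot block it.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if ($linked) { Set-GPLink -Guid $gpo.Id -Target $TargetOu -Enforced Yes | Out-Null }
else         { New-GPLink -Guid $gpo.Id -Target $TargetOu -Enforced Yes | Out-Null }

# Step 4: push the updated policy on the domain server, as the guide does;
# the package itself installs on each computer at its next reboot.
gpupdate /force
Write-Host "GPO '$GpoName' is linked (Enforced) to $TargetOu."
Write-Host "Now add '$MsiPath' under Computer Configuration > Policies > Software Settings > Software Installation as an Assigned package."
```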

Uninstalling the Assigned Client via Group Policy


To uninstall the sBDS ThreatTrace Client that has been assigned and installed via the group policy, take the following
steps:

1. In the domain server, select Start > Control Panel > System and Security > Administrative Tools,
double-click the Group Policy Management to open the Group Policy Management dialog.

2. Expand the node in the left navigation bar, right click on the created Group Policy object and select Edit to open
the Group Policy Management Editor dialog.

3. In the left navigation bar, select Computer Configuration > Policies > Software Settings > Software
Installation.

4. In the packet record on the right, right click on the software name and select All Tasks > Remove to open the
Remove Software dialog.

5. In the Remove Software dialog, select Immediately uninstall the software from users and computers.

After completing the above steps, when the computer matching the group policy is restarted, the installed sBDS
ThreatTrace Client will be uninstalled.

Updating the Assigned Client via Group Policy


To update the sBDS ThreatTrace Client that has been assigned and installed via the group policy (taking "assign to
computers in the domain" as an example), take the following steps:

1. In the domain server, select Start > Control Panel > System and Security > Administrative Tools,
double-click the Group Policy Management to open the Group Policy Management dialog.

2. Expand the node in the left navigation bar, right click on the created Group Policy object and select Edit to open
the Group Policy Management Editor dialog.

3. In the left navigation bar, select Computer Configuration > Policies > Software Settings > Software
Installation, right-click Software Installation, and select New > Packets.

4. Select the sBDS ThreatTrace Client installer that is already stored in the shared folder.

5. In the Deployment Software dialog, select Assigned, and then click OK to complete the creation and
deployment of the new version of the package.

6. After the new version of the package is created, perform the "Force the group policy to update" step to make
the updated group policy take effect. (For details, see Step 4: Force the group policy to update.)
After completing the above steps, when the computer matching the group policy is restarted, the client will be
updated to the new version.

Deploying the Threat Trace Server

The sBDS threat trace server is packed in an OVF file and can be installed on a VMware ESXi server. We suggest
using vCenter and vSphere Client to manage the ESXi servers.

Preparation
Before deploying the sBDS threat trace server, make the following preparations:

1. Obtain the fixed IP address or domain name of server.

2. Before installing the sBDS threat trace server, set up your ESXi Server, vCenter Server and vSphere Client
host, then obtain the disk.

Deploying the Threat Trace Server


To deploy the sBDS threat trace server, take the following steps:

1. Save the OVF file in your local endpoint.

2. In vSphere Client, enter the IP address or name of vCenter Server, then username and password, click Login.

3. After logging in vCenter, from left list, click the "localhost" root node, then select File > Deploy OVF Template.



4. In the pop-up dialog box, click Browse, browse your PC and import OVF file to vCenter, click Next.

5. Confirm the details of the OVF template, click Next.



6. Enter a name for the OVF template, select its location in the inventory list, and click Next.

7. Select the resource pool to run the OVF template in it, click Next.



8. Select data storage to store the deployed OVF template, then choose the Thick Provision Lazy Zeroed format,
click Next.

9. Select network mapping used in OVF template, click Next.



10. Click Finish to start the deployment.

Wait for a while, and the sBDS threat trace server will be deployed successfully.

Starting and Visiting the sBDS Threat Trace Server


After all the setups above, you can now start and visit the sBDS threat trace server.

1. In the list on the left side of the vSphere Client, right-click the virtual machine and select Open Console.

2. Click the green button to start the sBDS threat trace server.

3. Wait for a while, and the server will be up.



4. When the command line interface prompt appears, enter the default username and password (root/hillstone)
to log in to the sBDS threat trace server.

Configuring the sBDS Threat Trace Server


To visit the sBDS threat trace server for the first time, you need to configure the eth0 interface of the sBDS threat trace
server. Follow the steps below.

1. Collect necessary information from your network administrator. You need to have eth0's IP address, network
mask, and gateway IP address.

2. Change eth0's default IP address (192.168.1.2 by default) to the static IP address you collected from the administrator.
To modify the IP address of eth0, use the following command:
ThreatTraceServer# ifconfig eth0 -ipaddr ip-address -netmask netmask

3. Add a static route. Use the command below to add a default route whose next hop is the gateway, specifying the gateway
IP address.
ThreatTraceServer# route add -net -target default -gw gw-ip-address

4. Test if the gateway is accessible.


For example, if the gateway IP address is 10.180.0.1, enter the command ping 10.180.0.1 to test whether the
threat trace server and the gateway are connected.



5. Use the following command to view the current endpoint and threat trace server connection status.
ThreatTraceServer# show host list

For an introduction to all commands supported by the threat trace server, see "Command Line Index" on Page 27.



Connecting the sBDS Device to the Threat Trace Server

To connect the sBDS device to the threat trace server, take the following steps:

1. Log in to the sBDS device.

2. Select Configuration > System Configuration > Threat Trace Server.

3. Select the Enable check box after Connect to Server.

4. Type the threat trace server IP address into the Server IP text box.

5. The default port number (9200) is displayed after the Server Port.

6. Click OK.
After the connection is successful, the connection status shown next to Status on the page is Connected.

Viewing the Threat Trace Results on the sBDS Device


After all the deployments are completed, the sBDS device will analyze the association with the user endpoint. To view
the threat trace results, take the following steps:

1. Click Threat Analysis > Server > Threat, and click the intranet asset name in the list to open the Server
Detail dialog.

2. Select Server Applications tab to view the relevant executable information of the server.

3. Or click Threat Analysis > Endpoint, and click the endpoint name in the list to open the Endpoint Detail dialog.

4. Select Endpoint Applications tab to view the relevant executable information of the user endpoint.

5. Click Threat Analysis > Threat Event, enter the threat monitor page.

6. Click a threat event name in the list to open the Details dialog for the selected threat, and select the Process
Information tab to view the details of the process information associated with the selected threat event.



Command Line Index

Threat Trace Server Commands


The following list covers all the commands supported by the sBDS threat trace server. You can enter help on the server
to list all the supported commands.
The supported commands of the sBDS threat trace server are as follows:

Viewing Help


help
Print command explanation.

command -h
In the specific command, when you type -h, the system will display the help information of all parameters of the
command and the command line usage format.

Configuration Commands
password
You must change the default login password on first use.

ifconfig interface -ipaddr ip-address -netmask netmask


Configure the interface IP address and netmask.

route add [-net | -host] -target target [-netmask netmask] [-gw gateway] [-metric metric] [-dev dev]
Configure the route.

route del [-net | -host] -target target [-netmask netmask] [-gw gateway] [-metric metric] [-dev dev]
Delete the route.

set dns1 server-address


Configure the address of primary DNS server.

set dns2 server-address


Configure the address of the backup DNS server.

set ntp server-address


Configure the address of NTP server.

set time time-string


Configure the system date and time.

set zone
Configure the time zone.

ping {ip-address | host-name}


Ping command.

traceroute {ip-address | host-name}


Traceroute command.

mount device directory


Mount the disk.

unmount device
Unmount the disk.

service service-name {start | stop | restart}


Open/ stop/ restart the service.



reboot
Reboot the server.

clear
Clear the screen.

Show Commands
show interface
View the interface information.

show route
View the route information.

show dns
View the DNS information.

route print
View the routing table information.

show ntp
View the NTP server information.

show time
View the system date and time.

show disk
View the disk usage.

show version
View version information.

show host count


View the number of hosts that have received log information.

show host list


View the list of hosts that have received log information.

show host link host-name


View the time at which log information was last received from the specified host.

service service-name status


View the service status.

