Install the ExtraHop Discovery Edition, EH1000v, and EH2000v in Amazon Web Services

Introduction

This guide explains how to launch the ExtraHop AMI to monitor your Amazon Web Services (AWS) environment. You must have administrative access to launch a third-party AMI and an ExtraHop product key to complete these procedures.

Creating the ExtraHop Instance in AWS

To create the ExtraHop instance in AWS, complete the following steps:

  1. Sign in to AWS with your username and password.

  2. Click EC2.

  3. In the left navigation panel, under Images, click AMIs.

  4. Above the table of AMIs, change the Filter from Owned by Me to Public Images.

  5. In the filter box, type ExtraHop and then press enter.

    If you want Enhanced Networking capabilities, select an ExtraHop AMI with (HVM).
  6. Select the checkbox next to the appropriate ExtraHop AMI and click Launch.

  7. Select a supported instance type for the product you're installing, using the following table.

    Product Supported Instance Types
    ExtraHop Discovery Edition m3.large, c3.large
    EH1000v m3.large, c3.xlarge, c4.xlarge
    EH2000v m3.xlarge, c3.2xlarge, c4.2xlarge
    C3 instance types deployed in a VPC will take advantage of Enhanced Networking capabilities. M3 instance types do not support Enhanced Networking.

    The image below shows an m3.large instance type selected for an EH1000v.

  8. Click Next: Configure Instance Details.

  9. Click the Network drop-down list and select Launch into EC2-Classic or one of your
    organization’s VPCs.

    ExtraHop C3 instances deployed in a VPC will take advantage of advantage of Amazon's Enhanced Networking capabilities. If you launch into EC2-Classic, you will not get support for Enhanced Networking.
  10. Use the default shutdown behavior, Stop.

  11. Click the Protect against accidental termination checkbox.

  12. (Optional) Click the IAM role drop-down list and select an IAM role.

  13. (Optional) If you launched into a VPC and want to use two interfaces, scroll down to the Network Interfaces section and click Add Device to add another interface to the instance.

    If you use two interfaces, make sure they are on different subnets.
  14. On the Configure Instance Details page, click Next: Add Storage.

    If you want to add a disk to enable packet capture, finish this procedure and then refer to Appendix D: Installing a disk for Packet Capture.
  15. Accept the default storage settings and click Next: Tag Instance.

  16. In the Value field, enter a name for the instance.

  17. Click Next: Configure Security Group.

  18. On the Configure Security Group page, use the procedure below and the table that follows to create a new security group or add ports to an existing group. If you already have a security group with the required ports for ExtraHop, you can skip this step.

    1. Select either Create a new security group or Select an existing security group. If you choose to edit an existing group, select the group you want to edit. If you choose to create a new group, enter a Security group name and Description.

    2. Click the Type drop-down list, and select a protocol type. Type the port number in the Port Range field.

    3. For each additional port needed, click the Add Rule button. Then click the Type drop-down list, select a protocol type, and type the port number in the Port Range field.

    The following ports need to be open for the ExtraHop AWS instance:

    • TCP ports 22, 80, and 443 inbound to the ExtraHop system: These ports are used to download the installer and administer the ExtraHop system. If you cannot open port 80, you can copy the installer to each instance manually. Refer to Installing the Software Tap on a Linux Instance or Installing the Software Tap on a Windows Instance.

    • TCP/UDP ports inbound to the ExtraHop system: Depending on the ExtraHop product, you must open a port (or a range of ports) for the software tap. See the following table for the default ports required for each product. You can use alterante port numbers, but you must add them to the security group. For the best performance, keep the port ranges for each product intact.

      Product TCP/UDP ports Range
      ExtraHop Discovery Edition, EH1000v 2003 1
      EH2000v 2003-2006 4

      The image below depicts the security groups configuration for an EH1000v listening on port 2003 for UPD or TCP traffic from the software tap.

  19. Click Review and Launch.

  20. Select Make General Purpose (SSD) and click Next.

    If you select Make General Purpose (SSD)..., then you won't see this step on subsequent instance launches.
  21. Scroll down to review the AMI details, instance type, and security group information, and then click Launch.

  22. In the pop-up window, click the first drop-down list and select Proceed without a key pair.

  23. Click the I acknowledge… checkbox and then click Launch Instance.

  24. Click View Instances to return to the AWS Management Console.

    From the AWS Management Console, you can view your instance on the Initializing screen.

    Under the table, on the Description tab, you can find an IP or hostname for the ExtraHop appliance that is accessible from your environment.

Licensing the ExtraHop System

To license the ExtraHop system, complete the following steps:

  1. Once the instance has booted, browse to the ExtraHop applicance (https://<extrahop_management_ip>/admin).

  2. Review the license agreement, select I Agree, and click Submit.

  3. In the Login screen, enter the default user name and password:

    • For user name, type setup.

    • For password, type the instance ID. You can find the Instance ID on the Description tab of an instance selcted on the Initlizing screen. Use the string of characters that follow i- (but not i- itself).

  4. Click ExtraHop Administration.

  5. Under Manage License, click Register to enter the product key.

  6. Enter the product key and then click Register.

    The ExtraHop system will contact the license server and validate the product key. After the product key is validated, the license is downloaded.

  7. Click Done.

    The following example shows a properly licensed ExtraHop system on the License Administration page:

The ExtraHop system is now able to receive traffic from software taps.

Monitoring Instances Using RPCAP

Remote packet capture (RPCAP) forwards traffic from any server to the ExtraHop virtual appliance. RPCAP is conceptually similar to a physical network tap, but implemented in software. ExtraHop refers to this configuration as a software tap, or packet forwarder.

To monitor instances using RPCAP, you must do the following:

  • Install the software tap on the instances sending traffic.

  • Analyze wire data in the ExtraHop Web UI.

    For ExtraHop AWS instances with one interface, the target and the management IP addresses are the same. All EC2-Classic instances have one interface.

Installing the Software Tap on an Instance Sending Traffic

(Linux) You must run the software tap command on each instance to be monitored in order to forward packets to the ExtraHop system.

  1. In the ExtraHop Admin UI, go to the Configuration section, click Capture, and click Software Tap.

  2. Go to the section that matches the Linux distribution you're running, and copy and paste the commands for installing and setting up the software into your terminal.

    Amazon bases its Linux distributions on Red Hat. If you want to install the software tap on an Amazon distribution, use the RPM option.

(Windows) You must run the software tap command on each instance to be monitored in order to forward packets to the ExtraHop system. You must have Administrator privileges on the Windows server to use this procedure.

  1. In the ExtraHop Admin UI, go to the Configuration section, click Capture, and click Software Tap.

  2. Click the Windows rpcapd installer to begin the download.

  3. Follow the prompts to run the software tap.

Managing the Software Tap

Linux: Use the following commands to manage the software tap.

To start, stop, restart, reload, or check the status of the software tap, run the command:

sudo /etc/init.d/rpcapd {start|stop|status|restart|force-reload}

To view software tap messages, run the command:

tail /var/log/messages or tail /var/log/syslog

To run the software tap manually for debugging purposes only, run the command:

sudo /opt/extrahop/sbin/rpcapd -a <extrahop_rpcap_target_ip>,<extrahop_rpcapd_port> -n –v
  • Replace <extrahop_rpcap_target_ip> with the IP Address of the ExtraHop appliance you want to recieve this data.

  • Replace <extrahop_rpcapd_port>with the port number the EXtraHop appliance is listenting on.

  • If your ExtraHop appliance was at IP address 10.0.0.2, listetning for packets on port 2003, you would enter: 10.0.0.2,2003.

For information on running the software tap on servers with multiple interfaces, refer to Appendix C.

Windows: Use the following commands to manage the software tap.

To set the PowerShell execution policy back to the default, run the command:

set-executionpolicy restricted

To start, stop, restart, or check the status of the software tap, run the command:

{start-service|stop-service|restart-service|get-service} rpcapd

To view software tap messages

  1. Open the Event Viewer, click Windows Logs, and select Application.

  2. In the Application panel, sort by source and scroll down to rpcapd.

When reinstalling rpcapd, if a message appears that rpcapd is being used by another process, make sure the Event Viewer is closed.

To run the software tap manually for debugging purposes only, run the command:

“C:\Program Files\rpcapd\rpcapd” -a <extrahop_rpcap_target_ip>,<extrahop_rpcapd_port> -n –v
  • Replace <extrahop_rpcap_target_ip> with the IP Address of the ExtraHop appliance you want to recieve this data.

  • Replace <extrahop_rpcapd_port>with the port number the EXtraHop appliance is listenting on.

  • If your ExtraHop appliance was at IP address 10.0.0.2, listetning for packets on port 2003, you would enter: 10.0.0.2,2003.

For information on running the software tap on servers with multiple interfaces, refer to Appendix C.

Analyzing Wire Data from a Software Tap

To find out how much forwarded traffic the ExtraHop system is receiving, complete the following steps.

  1. Log in to the ExtraHop Web UI (https://<extrahop_management_ip>/extrahop) and click the Settings button in the left navigation panel.

  2. Click System Health to get more information about the forwarded data. This page displays a Packets and Throughput graph for each software tap connected to the ExtraHop system.

The RPCAP Packet and Throughput graphs contain four metrics:

  • Encapsulation: The total number of RPCAP encapsulation packets received by the ExtraHop system.

  • Tunnel Eligible: Total number of packets eligible to be forwarded to the ExtraHop system.

  • Tunnel Sent: Total number of RPCAP-tunneled packets forwarded to the ExtraHop system.

  • Tunnel Received: Total number of RPCAP-tunneled packets received by the ExtraHop system.

If the ExtraHop system is receiving and processing all the packets sent by the server, then the Tunnel Eligible, Tunnel Sent, and Tunnel Received values are equal. If they are not, use the following guidelines for troubleshooting:

  • If Tunnel Sent is less than Tunnel Eligible, the server is not able to forward out all the traffic. This may indicate that the software tap requires more processing or outbound bandwidth resources on the instance. Consider separating the forwarding process onto a separate CPU or allocating a dedicated interface for forwarding traffic.

  • If Tunnel Received is less than Tunnel Sent, the ExtraHop system is not receiving all the traffic forwarded by the instance. This may be due to network congestion or insufficient resources on the ExtraHop system. If you suspect it is the latter, contact ExtraHop Support.

Appendix A: Configuring RPCAP Settings

By default, the ExtraHop system accepts RPCAP forwarded packets on port 2003. The servers using the software tap are directed to forward all traffic as denoted by the wildcard in the Interface Address column.

The default user name and password are as follows:

  • User name: setup (for Web UI) or shell (for shell access)

  • Password: The instance ID, which consists of the string of characters that follow i-.

Updating the RPCAP Configuration on the ExtraHop System

(Optional) To specify another port, subnet, or filter, complete the following steps.

  1. Go to the Network Settings section and click Connectivity.

  2. Go to the RPCAP Settings section and click Change.

  3. Change and modify the settings on the Add RPCAP Port Definition page.

    • Port: Specifies the listening port on the ExtraHop system. Each port must be unique for each interface subnet on the same device. Different subnets across servers can use the same port.

    • Interface Address: Specifies a subnet to choose the interface from which to forward packets. If the server has multiple interfaces that match the interface address, the first interface on the server sends traffic to the ExtraHop system.

    • Interface Name: Indicates the interface on the packet-forwarding server from which to forward packets.

      You must specify either an interface address or an interface name. If you specify both, then both criteria will apply.

    • Filter: Specifies the traffic to forward using Berkeley Packet Filter syntax. For example, TCP port 80 forwards only TCP traffic on port 80, and not TCP port 80 forwards only non-TCP traffic on port 80.

Updating the RPCAP Configuration on the Instance

If the instances using the software tap are not already connecting to the port configured on the ExtraHop system, you must update the port used in the software tap command on each monitored instance.

Run the following command:

curl --connect-timeout 10 –-fail –k \
'https://<extrahop_management_ip>/tools/install-rpcapd.sh' > \
install-rpcapd.sh && sudo sh ./install-rpcapd.sh \
<extrahop_rpcap_target_ip> <extrahop_rpcapd_port>
  • <extrahop_management_ip> is the ExtraHop system’s management IP, usually 10.X.X.X.
  • <extrahop_rpcapd_port> is the port you configured on the ExtraHop system.
Some PDF viewers may add extra newlines when copying and pasting commands. Ensure the text has copied correctly before running the command.

If the software tap is already running, run the following command:

sudo sh ./install-rpcapd.sh <extrahop_rpcap_target_ip> <extrahop_rpcapd_port>
If you configure a new port, you must ensure that your AWS firewall allows inbound traffic from that port.

Appendix B: Using Additional RPCAP Installation Commands

Linux

To download the software tap manually, complete the following steps.

  1. Go to https://<extrahop_management_ip>/tools.

  2. Download the rpcapd file for Linux.

  3. Install it on the server by running the command

    sudo sh ./install-rpcapd.sh <extrahop_rpcap_target_ip> <extrahop_rpcapd_port>

Windows

To download the software tap manually, complete the following steps.

  1. Go to https://<extrahop_management_ip>/tools.

  2. Download and unzip the rpcapd file for Windows.

  3. Open PowerShell and navigate to the directory containing the unzipped files.

  4. Run the command:

    ./install-rpcapd.ps1 -InputDir . -RpcapIp <extrahop_rpcap_target_ip> -RpcapPort <extrahop_rpcapd_port>

Appendix C: Monitoring Multiple Interfaces

For servers with multiple interfaces, the software tap can be configured to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.

Linux

To edit the configuration file, complete the following steps.

  1. After installing the software tap, open the configuration file on the instance: /opt/extrahop/etc/rpcapd.ini

    After installation, the configuration file contains this text or similar:

    ActiveClient = 10.0.0.100,2003
    
    NullAuthPermit = YES
  2. Modify the existing ActiveClient line and create an ActiveClient line for each additional interface to be monitored. Specify each interface by its interface name or IP address.

    ActiveClient = <extrahop_management_ip>, <extrahop_rpcapd_port>, ifname=<interface_name>

    or

    ActiveClient = <extrahop_management_ip>, <extrahop_rpcapd_port>, ifaddr=<interface_address>

    <interface_name> is the name of the interface from which you want to forward packets.

    <interface_address> specifies the IP address of the interface from which the packets are forwarded. <interface_address> may be either the IP address itself, such as 10.10.1.100, or a CIDR specification (network IP address/subnet prefix length) that contains the IP address, such as 10.10.1.0/24.

    For every ActiveClient line, the software tap independently forwards packets from the interface specified in the line.

    The following is an example of the configuration file specifying two interfaces using the interface name:

    ActiveClient = 10.10.6.45, 2003, ifname=eth0
    
    ActiveClient = 10.10.6.45, 2003, ifname=eth1
    
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.100
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.100
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using CIDR specifications that contain the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
    NullAuthPermit = YES
  3. Save the configuration file and restart the software tap. Run the command

    sudo /etc/init.d/rpcapd restart

    To reinstall the software tap after changing the configuration file, run the installation command and replace <extrahop_management_ip> and <extrahop_rpcapd_port> with the –k flag in order to preserve the modified configuration file. For example:

    sudo sh ./install-rpcapd.sh –k

Windows

To edit the configuration file, complete the following steps.

  1. After installing the software tap, open the configuration file on the instance: C:\Program Files\rpcapd\rpcapd.ini

    After installation, the file contains this text or similar:

    ActiveClient = 10.0.0.100,2003
    NullAuthPermit = YES
  2. Modify the existing ActiveClient line and create an ActiveClient line for each additional interface to be monitored. Specify each interface by its interface name or IP address. For every ActiveClient line, the software tap will independently forward packets from the interface specified in the line:

    ActiveClient = <extrahop_management_ip>, <extrahop_rpcapd_port>, ifname=<interface_address>

    or

    ActiveClient = <extrahop_management)ip>, <extrahop_rpcapd_port>, ifaddr=<interface_name>

    <interface_address> specifies the IP address of the interface from which the packets are forwarded. <interface_address> may be either the IP address itself, such as 10.10.1.100, or a CIDR specification (network IP address/subnet prefix length) that contains the IP address, such as 10.10.1.0/24.

    <interface_name> is the name of the interface from which the packets are forwarded. The name is formatted as \Device\NPF_{<GUID>}, where <GUID> is the globally unique identifier (GUID) of the interface. For example, if the interface GUID is 2C2FC212-701D-42E6-9EAE-BEE969FEFB3F, the interface name is \Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}.

    The following is an example of the configuration file specifying two interfaces using the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.100
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.100
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using CIDR specifications that contain the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using the interface name:

    ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
    ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{3C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
    NullAuthPermit = YES
  3. Save the configuration file and restart the software tap by running the command restart-service rpcapd

    To reinstall the software tap after changing the configuration file, run the installation command and replace –RpcapIp and –RpcapPort with the -KeepConfig flag in order to preserve the modified configuration file. For example:

    .\install-rpcapd.ps1 -MgmtIp <extrahop_management_ip> -KeepConfig

    or

    .\install-rpcapd.ps1 –InputDir . -KeepConfig

Appendix D: Installing a Disk for Packet Capture

With ExtraHop firmware version 4.1 and later, you can use packet capture with your ExtraHop system deployed with AWS.

Packet capture is not available for the ExtraHop Discovery Edition.

To use packet capture with the ExtraHop system, complete the following steps:

  1. In the ExtraHop Admin UI, go to the System Settings section and click License. Go to the Features section and verify that Packet Capture is set to Enabled.

  2. Go to the System Settings section and click Shutdown/Restart.

  3. In the System section, click Shutdown.

  4. Click Halt.

  5. Click Done.

  6. In the left panel of the AWS console, go to the Elastic Block Store section and click Volumes.

  7. Click the Create Volume button.

  8. Select a size up to 500 G.

  9. Select an availability zone. Ensure the volume is in the same availability zone as the AWS instance.

  10. Leave Snapshot ID blank.

  11. Click Create.

  12. Your volume appears in the list. Select the volume.

  13. Click Actions and select Attach Volume.

  14. In the Attach Volume pop-up window, click the Instance field and search for your instance.

  15. The Device field populates with the file system location where the volume will be mounted.

  16. Click Attach.

  17. In the left panel, click Instances and then select your instance.

  18. From the Action button, point to Instance State and then click Start.

    The public IP may change when you relaunch an instance.
  19. You are prompted to confirm you want to start the instance. Click Yes, Start.

  20. In the ExtraHop Admin UI, go to the System Settings section and click Disk to ensure Disk #1 has the role, Packet Capture.

Published 2017-06-21 22:18