HowTo Setup A Server With Multiple Network Interface Adapters Using: "nstnetcfg"

From NST Wiki
Revision as of 14:25, 23 April 2013 by Paul Blankenbaker (talk | contribs) (Overview)

Overview

Note: The NST script name was changed from "nstipconf" to "nstnetcfg" after the NST 18 release. NST Pro users should run "yum update;" to get the latest version of the nstnetcfg script. Non-NST Pro users should use the script name "nstipconf", which has most of the features included in the nstnetcfg script.

This page demonstrates how to set up networking on an NST server that is configured with multiple network interface adapters for performing simultaneous network computing surveillance tasks. The NST command line script "nstnetcfg" was designed to make this task easy to accomplish using the underlying "network" service.

The diagram below will be used as a reference for setting up a multi-network interface adapter server using NST. The rear panel of a 1U Server is shown with NIC attachments to the network infrastructure. The network security staff for fictitious company: "TxyCorp" would like to use NST for monitoring different network segments throughout their network. In particular, they would like to monitor traffic entering and leaving their corporation, web server traffic, all client electronic business transactions and remote traffic to and from their satellite offices.

When booting up "NST Live" or after a hard disk installation, the "Network Manager" service is on by default for managing all network interfaces found on an NST system. Network Manager provides a quick and easy method for setting up networking on a system equipped with a wireless interface that uses DHCP for IPv4 Address configuration. When a system is configured with two or more wired network interfaces or requires a multi-homed network setup, the "network" service may be a better choice for setting up the network configuration.

The nstnetcfg script helps mitigate some of the error-prone tasks necessary when setting up networking on an NST (Linux) system using the "network" service.

A Multi-Network Interface Adapter NST Server Configuration
Note: The "Sys Admin Network" is an out-of-band network for the management of enterprise servers within this network infrastructure. The "ILOM" (Integrated Lights Out Management) network interface (i.e., "NetMgt") and the "Serial Console" device (i.e., "ttyS0") are shown for completeness and are not used by "nstnetcfg".

Network Interface Setup Configuration Information

In this section we will identify each network interface and how it should be set up using the 1U Server configuration illustrated in the reference diagram above. Network parameters such as the Subnet Mask, Host Name(s), Domain Name Servers, Domain Name, Gateway and Default Interface will also be identified. The table below lists the values that will be used by the nstnetcfg script.

Interface / Parameter      Configuration Values
-------------------------  --------------------------------------------------------------------------------------------------
em0                        IPv4 Address: 172.30.1.16, Network Routing Prefix: 24, Host Name: nstsurv1-mon, Gateway: 10.221.1.1
em1                        IPv4 Address: 10.221.5.14, Network Routing Prefix: 16, Host Name: nstsurv1, Gateway: 10.221.1.1
em2                        IPv4 Address: stealth
em3                        IPv4 Address: stealth
p2p1                       IPv4 Address: stealth
p2p2                       IPv4 Address: stealth
p4p1                       IPv4 Address: stealth
p4p2                       IPv4 Address: stealth
p6p1                       IPv4 Address: stealth
p6p2                       IPv4 Address: stealth
Domain Name Servers        10.221.1.10, 10.221.1.11
Domain Name                txycorp.com
Virtual Host (ssl.conf)    *.443
Server Name (ssl.conf)     nstsurv1.txycorp.com:443


Network Interface Configuration: nstnetcfg

The NST script "nstnetcfg" will now be used for setting up networking on this server. When setting up a static IPv4 Address (--mode ipv4), this script disables the "NetworkManager" service and enables the "network" service. The "NetworkManager" service will also be disabled at boot time and the "network" service will be enabled at boot time. The sequence of nstnetcfg invocations below serves as an example for setting up networking on your particular server with NST.

Note: The reader is encouraged to use the man page for "nstnetcfg" as reference material prior to its use. One can also use the "--verbose" output parameter for greater visibility into the progress of nstnetcfg during its configuration stages.

Warning: The "nstnetcfg" script should only be run on a Serial Console or a Desktop Terminal, because the "IPv4 Address" of this NST system will most likely change, and a remote session bound to the old address will be lost.

Initialize All Network Interfaces

The nstnetcfg mode: --init will put the networking setup in a known initialized state. Both the "NetworkManager" service and the "network" service will be disabled with their associated configuration files and/or entries removed. The "LoopBack" interface device is never altered or removed by this mode. The Name Service Switch configuration file: "/etc/nsswitch.conf" will have its hosts entry set to: "files dns". It is wise to use this mode first, prior to setting up networking, so that any lingering "NetworkManager" configuration files will not interfere with the "network" service operation.

[root@probe ~]# nstnetcfg --mode init;
[root@probe ~]# 

Static IPv4 Configured Interfaces

The example NST server shown above uses a "Multi-Home" configuration with network interface devices: "em0" and "em1" set with static IPv4 Addresses: 172.30.1.16 and 10.221.5.14 respectively.

Interface: em1

The "em1" interface device is network attached to the "TxyCorp" Intranet. This network provides name services and external access to the Internet. The "Host Name", "Domain Name", "Name Servers" and "Gateway" values are set accordingly. A host name entry for "nstsurv1" will be added to the Hosts file: "/etc/hosts", and the system host name will be set to: "nstsurv1". A "16" network routing prefix (CIDR format) will be used. The configuration for this interface is shown below.

[root@probe ~]# nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11";
[root@probe ~]# 

Interface: em0

The "em0" network interface is connected to the "Security Network" for performing network surveillance tasks using the "NST WUI" and the large collection of NST network security applications and tools. The "--hosts-file-only" setting is used so that only the Hosts file: "/etc/hosts" will be updated with a host name entry for: "nstsurv1-mon". Note that the "--gateway" setting: "10.221.1.1" is the same as that set for network interface "em1" above, providing only one default gateway for this Multi-Home example configuration. It is not necessary to set the system "Host Name", "Domain Name" and "Name Servers" values again, since these were specified in the configuration for network interface "em1". A "24" network routing prefix (CIDR format) will be used.

[root@probe ~]# nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --gateway 10.221.1.1 --host-name nstsurv1-mon --hosts-file-only;
[root@probe ~]# 

Stealth Configured Interfaces

The "Stealth" network interfaces (i.e., an interface in the "UP" state with no bound IPv4 Address) will now be configured. These interfaces are strategically network attached throughout the network infrastructure for surveillance monitoring.

Interface: em2

This network interface: "em2" is used to monitor the Transmit Data: "TxD" port on a Network TAP (Test Access Point) for all traffic leaving (egress) the "TxyCorp" corporation at the Firewall Dirty Side.

[root@probe ~]# nstnetcfg --mode stealth --interface em2;
[root@probe ~]# 

Interface: em3

This network interface: "em3" is used to monitor the Receive Data: "RxD" port on a Network TAP for all traffic entering (ingress) the "TxyCorp" corporation at the Firewall Dirty Side.

[root@probe ~]# nstnetcfg --mode stealth --interface em3;
[root@probe ~]# 

Interface: p2p1

This network interface: "p2p1" is used to monitor specific "Web Server" traffic on a SPAN (Switched Port Analyzer) port.

[root@probe ~]# nstnetcfg --mode stealth --interface p2p1;
[root@probe ~]# 

Interface: p2p2

This network interface: "p2p2" is used to monitor specific "Web Server" traffic on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p2p2;
[root@probe ~]# 

Interface: p4p1

This 10 Gigabit Ethernet network interface: "p4p1" is used to monitor specific "Business Transaction" data packets on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p4p1;
[root@probe ~]# 

Interface: p4p2

This 10 Gigabit Ethernet network interface: "p4p2" is used to monitor specific "Business Transaction" data packets on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p4p2;
[root@probe ~]# 

Interface: p6p1

This network interface: "p6p1" is used to monitor specific "Remote Office" traffic on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p6p1;
[root@probe ~]# 

Interface: p6p2

This network interface: "p6p2" is used to monitor specific "Remote Office" traffic on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p6p2;
[root@probe ~]# 

Stealth Interface Combo Setting Command

The command below is a compact way of using a Bash "for loop" statement to configure all "Stealth" interfaces in one command line invocation.

[root@probe ~]# for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do nstnetcfg --mode stealth --interface ${i}; done
[root@probe ~]# 
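After the static and stealth interfaces have been configured, it is worth confirming that the running network state matches the table in the "Network Interface Setup Configuration Information" section: each static interface carries exactly its intended address, every stealth interface is UP but has no IPv4 address bound, and the multi-homed host has a single default route via 10.221.1.1. The script below is an added example and is not part of NST or the nstnetcfg script. It parses the text output of "ip -o link", "ip -o -4 addr" and "ip route" (the field layouts assumed here are those of the iproute2 commands), so it can be exercised offline against the constructed sample output embedded in it; the "leak" sample models a stealth interface that picked up a DHCP lease, the kind of lingering NetworkManager state the --init mode is meant to clear.

```shell
#!/bin/bash
# Post-configuration check for the multi-homed / stealth layout in the table.
# Added example; not part of NST or nstnetcfg. On a live NST system run:
#   check_layout "$(ip -o link)" "$(ip -o -4 addr)" "$(ip route)"

# Desired end state, taken from the table (interface:address/prefix).
STATIC_IFACES="em1:10.221.5.14/16 em0:172.30.1.16/24"
STEALTH_IFACES="em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2"
EXPECTED_GATEWAY="10.221.1.1"

# link_state LINK_OUTPUT IFACE -> prints the "state" value (UP, DOWN, ...) or "missing".
# "ip -o link" lines look like: "2: em0: <BROADCAST,...> mtu 1500 qdisc mq state UP ..."
link_state() {
    printf '%s\n' "$1" | awk -v i="$2:" '
        $2 == i { for (k = 1; k < NF; k++) if ($k == "state") { print $(k+1); found = 1 } }
        END { if (!found) print "missing" }'
}

# ipv4_addrs ADDR_OUTPUT IFACE -> prints every IPv4 address/prefix bound to IFACE.
# "ip -o -4 addr" lines look like: "2: em0    inet 172.30.1.16/24 brd ... scope global em0 ..."
ipv4_addrs() {
    printf '%s\n' "$1" | awk -v i="$2" '$2 == i && $3 == "inet" { print $4 }'
}

# default_gateways ROUTE_OUTPUT -> prints the next hop of every default route.
default_gateways() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3 }'
}

# check_layout LINK_OUTPUT ADDR_OUTPUT ROUTE_OUTPUT
# Reports each deviation on stderr; returns the number of deviations (0 = matches the table).
check_layout() {
    local link=$1 addr=$2 route=$3 problems=0 spec dev want
    for spec in $STATIC_IFACES; do
        dev=${spec%%:*}; want=${spec#*:}
        if [ "$(link_state "$link" "$dev")" != "UP" ]; then
            echo "$dev: expected state UP" >&2; problems=$((problems + 1))
        fi
        if [ "$(ipv4_addrs "$addr" "$dev")" != "$want" ]; then
            echo "$dev: expected exactly $want" >&2; problems=$((problems + 1))
        fi
    done
    for dev in $STEALTH_IFACES; do
        if [ "$(link_state "$link" "$dev")" != "UP" ]; then
            echo "$dev: stealth interface must be UP" >&2; problems=$((problems + 1))
        fi
        if [ -n "$(ipv4_addrs "$addr" "$dev")" ]; then
            echo "$dev: stealth interface carries an IPv4 address" >&2; problems=$((problems + 1))
        fi
    done
    # A multi-homed host should have exactly one default route, via the agreed gateway.
    if [ "$(default_gateways "$route")" != "$EXPECTED_GATEWAY" ]; then
        echo "default route: expected a single route via $EXPECTED_GATEWAY" >&2
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample output (not captured from a real system) matching the table.
SAMPLE_LINK="1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000"
n=2
for dev in em0 em1 $STEALTH_IFACES; do
    SAMPLE_LINK="$SAMPLE_LINK
$n: $dev: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000"
    n=$((n + 1))
done
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: em0    inet 172.30.1.16/24 brd 172.30.1.255 scope global em0\       valid_lft forever preferred_lft forever
3: em1    inet 10.221.5.14/16 brd 10.221.255.255 scope global em1\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE='default via 10.221.1.1 dev em1 proto static
10.221.0.0/16 dev em1 proto kernel scope link src 10.221.5.14
172.30.1.0/24 dev em0 proto kernel scope link src 172.30.1.16'

# Constructed failure case: em2 was meant to be stealth but holds a DHCP lease
# (192.168.0.0/24 is a made-up network), which also adds a second default route.
SAMPLE_ADDR_LEAK="$SAMPLE_ADDR
4: em2    inet 192.168.0.23/24 brd 192.168.0.255 scope global dynamic em2\       valid_lft 3599sec preferred_lft 3599sec"
SAMPLE_ROUTE_LEAK="default via 192.168.0.1 dev em2 proto dhcp
$SAMPLE_ROUTE"

if check_layout "$SAMPLE_LINK" "$SAMPLE_ADDR" "$SAMPLE_ROUTE"; then
    echo "sample layout matches the table"
fi
check_layout "$SAMPLE_LINK" "$SAMPLE_ADDR_LEAK" "$SAMPLE_ROUTE_LEAK" || echo "leak sample: $? problem(s) found"
```

The check is deliberately strict about "exactly one address" and "exactly one default route": a second default route on a surveillance host silently turns a stealth monitoring port into a routed management path, which is precisely what the --init step and the shared --gateway value in the em0/em1 configuration are meant to prevent.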

Apache SSL Configuration For Proper HTTPS NST WUI Access

If the "IPv4 Address" on an NST system is changed, the Apache Web Server SSL configuration file: "/etc/httpd/conf.d/ssl.conf" needs to be modified for proper HTTPS access to the "NST WUI". The following "nstnetcfg" command uses the "ssl" mode to allow all hosts "HTTPS" access to the "NST WUI" using Server Name: "nstsurv1.txycorp.com". A new "SSL" certificate and key file will also be generated.

[root@probe ~]# nstnetcfg --mode ssl --interface em1 --virtual-host *.443 --server-name nstsurv1.txycorp.com:443;
[root@probe ~]#