Snare Management Center
Overview
This document describes how to use the Snare Management Center capability of the Snare Central server. This guide is divided into the following sections:
- 1. Introduction
- 2. How does Snare Management Center work?
- 3. Enabling Snare Management Center
- 4. Snare Management Center interface.
- 5. Master to many Synchronization mode
- 6. Remote Management Mode
- 7. Catching up with all the changes in the Master
- 8. Disabling remote management from the Snare Management Center Server
- 9. Disabling remote management from the Remote Server
- 10. Changes History
- 11. Logs for troubleshooting
- 12. Management Center Limitations
- 13. Using External Certificate Authority
1. Introduction
Snare Management Center or SMC is a tool within the Snare Central Server that enables the Administrator to securely and reliably monitor and manage several remote Snare Central Servers within the customer network, or outside the core network, through the Snare Central Server interface.
Please note that only Administrators have access to this tool and access to the Snare Central UI is restricted to users belonging to the Administrators group while the tool is active.
NOTE: This functionality is only available from Snare Central Server version 8.5.0.
Once enabled, it is possible to change the configuration of multiple Snare Central Servers from a single management server known as the Snare Management Center Server or SMCS.
IMPORTANT: When managing remote servers through SMC, only the status and the configuration of the remote server are available to the SMCS. No event data is accessible to the management server.
The Snare Management Center joins together one or more remote Snare Central Servers into administrative groups. Each group comprises one or more remote Snare Central Server installations belonging to the same physical entity (like a company, a branch or an office for example). A remote server must belong to only one group. A group is just a logical way to join servers together.
Inside each management group, servers can share common settings. Examples include report configurations, or AMC Remote Management Objectives. Management groups provide the capability to deploy configuration changes to all servers in the group from a designated primary server.
Snare Management Center enables Managed Security Service Providers (MSSPs) to remotely manage and monitor multiple customers’ Snare Central Servers from a single point in a highly secure setup by automatically and transparently establishing private secure VPNs with each remote server over any existing network links.
In large network setups where multiple Snare Central Servers are deployed, Snare Management Center enables the Administrator to easily monitor and configure many servers from a central management point.
2. How does Snare Management Center work?
When enabled, a Snare Management Center Server (SMCS) is capable of monitoring and managing one or more remote Snare Central Servers (otherwise known as a Remote Server, or RS, in this document), optionally over a secure VPN. Once an RS is acquired, the Administrator in the SMCS can monitor the health and the performance of the RS and perform administrative tasks such as:
- User administration on one or more remote Snare Central servers.
- Create new or modify existing objectives on one or more remote Snare Central servers.
- Centrally create reports or objectives and distribute to one or more remote Snare servers.
- Change the execution schedule for Reports and Objectives remotely.
- Change the configuration and execution schedule of AMC's Remote Management Objectives in one or more remote Snare Central servers.
- Monitor, Create, Delete or Change SnareCollector/Reflector destinations on one or more remote Snare Central servers.
- Change security settings on remote Snare Central servers.
- Change most configuration settings on remote Snare Central servers.
NOTE: A Remote Server can only be managed if it is licensed to do so; this means that the Snare Central remote server needs an SMC Client license installed before it can be acquired.
For this to be possible, Snare Management Center assumes that any administrative changes made to the Remote Server will be initiated by the SMCS. Any changes made locally on a controlled RS to settings that would normally be managed by the SMCS will be lost the next time the SMC updates the configuration.
Once a remote server has been acquired, it will send alerts in the form of SNMP traps when a problem arises on the RS. These SNMP traps are received as SNMPTrap events in the SMCS, and are stored in the main Snare Archive like any other type of event. A history of alerts can be retrieved from the "Event Search" tool in the UI.
Fully licensed Snare Central servers (the license must include the Snare Management Center Client feature) running Snare Central version v8.5.0 or greater are compatible with the Snare Management Center. Please note that during the acquisition process, the password of the snare user account in the RS needs to be provided. Once a Snare Central server has been acquired, this password can be safely changed.
When several RSs are administered from a single SMCS, the Snare Management Center supports a one to many configuration mode where an RS is designated as a primary/template system. Any changes made to this primary node will be replicated to the other members of the group automatically. This is called Master to many operation mode. Snare Management Center can be configured to use a secure Virtual Private Network for its operation. In this case the acquisition of the RS is triggered automatically the moment the RS successfully establishes the VPN for the first time.
3. Enabling Snare Management Center
Prerequisites
- The Snare Management Center Server needs to be fully licensed including the Snare Management Center feature.
- Each Remote Server to be managed needs to be fully licensed and the license must include the Snare Management Center Client feature.
- We strongly recommend using a freshly installed server.
- We strongly recommend designating this server as a pure SMCS. Normal event/audit data should, in general, not be processed by this server, and should be pushed to one or more RS.
- Please make sure that your Organization Name is configured in the Configuration Wizard.
- Please make sure that the Time Zone is correctly configured in the Configuration Wizard.
- Please make sure that the “Reply-To address for Snare MailOuts” in the Email Setup section of the Configuration Wizard is configured with a valid email address.
VPN Server Prerequisites
An additional layer of security & encryption is available within the SMC infrastructure. This should not take the place of any VPNs or access controls you have in place on your network, but can provide an additional secure channel between SMCS and RS components.
Note that by establishing this VPN link, any port or address level access controls you have in place on end-point or intermediate routers/firewalls will not apply to packets that transit the VPN managed by the SMCS and associated RS components.
If you require VPN support to communicate with the Remote Servers outside your network, it will be necessary to configure your external firewall to do an address translation (NAT) for UDP port 1194 from your external public IP address to the internal IP address of the Snare Management Center Server.
The other requirement is that, in order to be managed, all Remote Snare Central Servers need Internet access so that they can reach your external IP address on UDP port 1194.
To enable the VPN functionality on the SMC, go to the Configuration Wizard under Administrative Tools menu and open the Snare Management Center Setup panel. From there, select the “Enable Remote Management Support” checkbox.
Optionally the Administrator can also enable the VPN Support if required. To successfully enable the VPN server:
- Select the Network Interface Controller to be used by the VPN server.
- Enter the external IP address that Remote Servers will use to access the VPN.
The VPN server in Snare Central uses strong-cipher (AES in GCM mode) encryption along with TLS v1.3 to establish secure tunnel links with the Remote Servers. In order to establish an authenticated and encrypted link, a set of certificates and public keys is needed.
One of the Snare Management Center core components is an internal Public-Key Infrastructure (PKI) management capability that, automatically and behind the scenes, generates, self-signs and distributes the certificates and keys required for the VPN to work.
However, SMC can be configured to use an External Certificate Authority to manage all certificate and key requirements. Please refer to the section “Using External Certificate Authority” at the end of this guide for a detailed description on how to configure and use this capability.
Once all the selected options are set, click on the “Next” button to save the changes. Please note that if the Enable VPN support option was checked, the interface can take up to two minutes to finalize all settings and save the changes.
The next time the Administrator user logs into the UI, a new menu will appear under Administrative Tools, with the title “Snare Management Center”. This is the main interface to manage remote servers.
4. Snare Management Center interface.
a) Overview
Managing a remote server involves six simple steps:
- Creating a group
- Adding a server to the group
- Acquiring the server
- Enabling and Configuring Data Synchronization
- Administering the remote server
- Monitoring the remote server
b) Creating a group
The first time the Administrator visits the Snare Management Center tool, an empty page will be shown. Click on the folder icon at the top-right to add a new empty management group. We recommend using the company name or the department in the Name field, as it will make more sense when servers are being added to the group.
Once the group is created, it will appear in the list of groups. There is no limit on the number of groups to be created. The horizontal ellipsis (…) icon at the top right corner opens a small menu where the group can be deleted (if empty) or edited.
Click on the group to open the list of servers in the group (which will be empty the first time).
c) Adding a server
Click on the plus-sign icon at the top-right of the window, to add a new server to this group. Provide a server name (which can use letters and numbers and spaces), a description for this server, and the internal IP address of the server. All three fields are mandatory. Even if using the VPN, an IP address is needed to add a new server to the group.
Once the server is created, it will appear in the list of servers inside the group. There is no limit on the number of servers to be created. The horizontal ellipsis (…) icon at the top right corner opens a small menu where the server can be configured, deleted or edited. Initially, the status of the server will be Pending until this server is acquired and Sync status is Disabled until Sync is enabled.
d) The horizontal ellipsis menu
The horizontal ellipsis (…) icon at the top right corner opens a small menu with the following options:
Option | Description |
---|---|
Acquire | Acquire this Server for remote management. |
Setup VPN | Generate and download a VPN configuration file for this Server. (Only available if VPN Support has been enabled in the Configuration Wizard). |
Manage | Manage this Server. (Only available after the Server has been acquired and Sync has been Enabled) |
Enable/Disable Sync | Enable/Disable configuration Synchronization for this Server. (Only available after the Server has been acquired) |
Configure Sync | Enable/Disable the configuration options for this Server. (Only available after the Server has been acquired and Sync has been Enabled) |
Set as Master | Set/Unset this Server as the Master for this group. (Only available after the Server has been acquired and Sync has been Enabled) |
Sync with Master | Sync all changes that the master of the group has to this Server. (Only available after the Server has been acquired, Sync has been Enabled, there is a Master in the group other than this server and UI is in Remote Management Mode) |
Edit | Change Server’s name or description. |
Delete | Delete this Server from the group. |
e) Acquiring a server
Acquiring a server means that the Snare Management Center Server establishes an initial connection to the Remote Snare Central Server. It then retrieves configuration files, and configures the remote server to send alerts to the SMCS. Depending on whether the VPN support is active or not, there are two types of server acquisition: direct from the SMCS or remote (triggered when the RS establishes the VPN tunnel the first time).
i) Direct Server Acquisition
Once the server is added, it will appear in the list of servers. There is no limit on the number of servers to be created. The horizontal ellipsis (…) icon at the top right corner opens a small menu where the server can be Deleted, Edited or Acquired. Click on the Acquire option to show the Acquisition dialogue.
The password of the snare user account of the Remote Snare Central Server needs to be provided for the acquisition to be started. Please note that this password is not saved and is only used for the acquisition. Though not necessary, it is good practice to change the snare user password on the remote server prior to the acquisition and restore the original password once it is finished.
ii) Remote Server Acquisition (when VPN Support is enabled)
When VPN support is enabled, the direct acquisition will not work since the Remote Server is not reachable. We need to wait for the RS to establish a VPN tunnel to acquire it.
In order to establish a VPN session with the SMCS, the Remote Server needs a VPN configuration file.
When VPN Support is enabled, the horizontal ellipsis (…) icon at the top right corner will have a Setup VPN option where the Administrator can download this VPN configuration file (.ovpn file) for this particular Server. This file needs to be downloaded and sent to the remote site via an email or some secure transport. This process is not automated, and should be subject to manual intervention and confirmation to provide a reasonable level of security and integrity.
To obtain the .ovpn configuration file, click on the Setup VPN option to show the Setup VPN Wizard and download the .ovpn file that should be transferred to the target RS.
Please note that the .ovpn configuration file is specifically tailored for the particular Remote Server and cannot be used on any other server in the group. This is because the file contains certificate and key data for this Remote Server only.
Once the .ovpn file has been downloaded, it needs to be sent to the premises where the Remote Server is located and it needs to be uploaded by the Administrator via the Configuration Wizard.
The upload .ovpn option is found in the Network Services panel in the VPN Client Setup section.
Once uploaded, click on the Connect to VPN Server button to establish a tunnel and to initiate remote acquisition.
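A pre-upload check that the Remote Server administrator could run on a received .ovpn file, added here as an example (it is not Snare's own tooling). It assumes the file uses standard OpenVPN client-profile syntax with inline <ca>, <cert> and <key> blocks; check_profile, the sample profile and the address 203.0.113.10 are constructed for illustration.

```python
import hashlib
import re
import sys

# Constructed sample profile; the PEM bodies are placeholders, not real keys.
SAMPLE_PROFILE = b"""\
client
dev tun
remote 203.0.113.10 1194 udp
cipher AES-256-GCM
tls-version-min 1.3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CLIENT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY
-----END PRIVATE KEY-----
</key>
"""

BLOCK_RE = re.compile(r"^<([a-z0-9-]+)>[ \t]*$(.*?)^</\1>[ \t]*$", re.M | re.S)
PEM_MARKER = {"ca": "BEGIN CERTIFICATE", "cert": "BEGIN CERTIFICATE",
              "key": "PRIVATE KEY-----"}


def parse_profile(text):
    """Split OpenVPN client-profile text into directives and inline blocks."""
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks


def check_profile(data, expected_host, expected_port="1194"):
    """Check raw .ovpn bytes against what the SMCS administrator announced."""
    text = data.decode("utf-8", "replace").replace("\r\n", "\n")
    directives, blocks = parse_profile(text)
    findings = []

    # 1. The tunnel must terminate at the announced SMCS address on UDP 1194.
    proto_args = [a for args in directives.get("proto", []) for a in args]
    default_proto = proto_args[-1] if proto_args else "udp"
    remotes = directives.get("remote", [])
    if not remotes:
        findings.append("no 'remote' directive")
    for args in remotes:
        host, port, proto = (args + [None] * 3)[:3]
        port, proto = port or "1194", proto or default_proto
        if host != expected_host or port != expected_port:
            findings.append(f"unexpected remote {host}:{port}")
        if not proto.startswith("udp"):
            findings.append(f"remote {host} uses {proto}, not UDP")

    # 2. Any cipher pinned in the profile must be AES in GCM mode.
    pinned = [c for d in ("cipher", "data-ciphers")
              for args in directives.get(d, []) for a in args
              for c in a.split(":")]
    for c in pinned:
        if not re.fullmatch(r"AES-\d+-GCM", c, re.I):
            findings.append(f"cipher {c} is not AES-GCM")

    # 3. A pinned minimum TLS version must not be lower than 1.3.
    for args in directives.get("tls-version-min", []):
        if args and args[0] != "1.3":
            findings.append(f"tls-version-min {args[0]} is below 1.3")

    # 4. The profile must carry its own CA, certificate and key.
    for name, marker in PEM_MARKER.items():
        if marker not in blocks.get(name, ""):
            findings.append(f"missing or malformed <{name}> block")

    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # confirm out of band
        "holds_private_key": "PRIVATE KEY-----" in blocks.get("key", ""),
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: script FILE.ovpn EXPECTED_SMCS_IP (no arguments runs the sample).
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            raw, host = fh.read(), sys.argv[2]
    else:
        raw, host = SAMPLE_PROFILE, "203.0.113.10"
    report = check_profile(raw, host)
    print("SHA-256:", report["sha256"])
    print("Private key embedded:", report["holds_private_key"])
    for finding in report["findings"] or ["no findings"]:
        print(" -", finding)
```

Read the SHA-256 back to the SMCS administrator over a separate channel before uploading the file, and handle the file as a secret because it embeds the Remote Server's private key.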
For both types of acquisitions, if successful, the acquisition process takes a few seconds and once finished, the status of the server changes from Pending to Acquired. Once the server is acquired, the SMCS can monitor the status of the RS and receive alerts.
f) Enable and Configure Data Synchronization
Once the server is acquired, it is necessary to specify what configuration data is going to be managed by the SMCS for this Remote Server. To do this, click on the horizontal ellipsis (…) menu and select the Enable Sync option to enable data synchronization with this server. The Sync status will change to Enabled.
Now, click on the horizontal ellipsis (…) menu again and select the Configure Sync option to open the Configure Sync dialogue.
Snare Management Center, in its current state, is able to keep track of and synchronize configuration changes for:
- All Agent Management Console (AMC) Policies and Remote Management Objectives.
- All existing Reports including custom reports.
- Scheduling data for all existing Reports and Objectives.
- Snare Central security settings (this does not include OS level security settings).
- SnareCollector/Reflector destinations and filters.
- Snare Central Users and Groups database as well as all Access Control Lists (ACL) settings.
Once the configuration options have been selected, click the SAVE button to store the changes. Once the changes have been saved, a background process will retrieve from the Remote Server all the selected configuration files and databases.
The SMC Data Synchronization mechanism will automatically detect and commit configuration changes to the Remote Server but only for those Data Synchronization items that were selected. These configuration changes will be sent only to the selected server by default.
However, if this server is the Master Server for the group, then all of the configuration changes will be sent to all the servers in the group that have Sync enabled. For a more detailed description of this behavior please see the Master to many Synchronization mode further down in this document.
g) Manage the Remote Server
Once the Data Synchronization options are set, the Administrator can make changes to the Reports and Objectives allowed by the selected Data Synchronization options for this server from within the Snare Central Server UI. To do this click on the horizontal ellipsis (…) menu and select the Manage option to select this server for management.
This will change the whole Snare Central Server UI to Remote Management Mode (RMM) where the Administrator can make supported configuration changes to the Remote Server, as determined by the Data Synchronization options selected by the RS Administrator, as discussed previously in this document. For a detailed description see the section Remote Management Mode further down in this document.
h) Monitoring the Remote Server
Click on the server to open its Alerts, Dashboard and History panel. The status of each remote server can be reviewed, and a list of alerts received from this server in the last minute is displayed.
5. Master to many Synchronization mode
A server in any management group can be set as Master. Each group can have only one Master Server. When a Remote Server is set as the Master of the group and the Data Synchronization is enabled and configured for this Server, any configuration changes made on this server will be automatically replicated to all other Servers in the group that have the Data Sync enabled when returning from the Remote Management Mode (for a detailed description see the section Remote Management Mode further down in this document).
To set a Server as Master, just select the Set as Master option from the horizontal ellipsis (…) menu. A crown icon indicates which server is the master of the group (if any). To remove the Master flag from a server select Unset Master from the menu.
It is necessary to Enable Sync for all the other Servers in the group for which configuration synchronization is needed.
6. Remote Management Mode
Independently from the Master to many operation mode, a Remote Server’s configuration can be changed at any time by selecting the Manage option from the horizontal ellipsis (…) menu to select the server for management.
When a Server is being managed, the Snare Central Server UI will switch to Remote Management Mode (RMM). In this mode, the Administrator can make configuration changes to the allowed Reports or Objectives in the same way as if they were logged in the Remote Server. The allowed configuration changes will be subject to the Data Synchronization options that have been selected & authorized for this Server.
When Snare Central is in Remote Management Mode, only administrators will have access to the system and all existing sessions of other users will be terminated.
While in RMM mode a new top green banner in the main top bar will show a notification and access to the horizontal ellipsis (…) menu like in the following image. Please note the reduced number of options available in the left menu due to the SyncOptions selected (in this example only Health Checker, Security Settings and Reflector Configuration were selected).
To leave RMM just open the horizontal ellipsis (…) menu in the top green banner (or return to the Snare Management Center tool to the selected Server) and click on the Exit Manage option. When this option is selected, all the changes made during the RMM mode will be sent to the Remote Server.
When returning from RMM a dialogue will pop up asking the user to enter a log message with a description of the changes made during the Remote Management Mode session. This description will be stored along with the list of files that changed, as a historical record (for a detailed description see the section Changes History further down in this document).
7. Catching up with all the changes in the Master
When an existing server has been the Master of a group for a long period, many configuration changes may have been made over time. In such a scenario, when a server is added to the group, all these changes need to be committed to the new server. The “Sync to Master” option in the ellipsis (…) menu helps to achieve this.
Select the new server. It must already be acquired, Sync must be enabled and the Sync Options must already be configured. Once all these requirements are met, click on Manage from the ellipsis (…) menu to enter Remote Management Mode, where the “Sync to Master” option will be available. Click on it: the configuration synchronization process will start in the background and the UI will return to normal mode. After a few seconds the new Remote Server will have all the changes stored in the Master server.
8. Disabling remote management from the Snare Management Center Server
To release a Remote Server from management, go to the Snare Management Center page, open the group, select the Remote Server and click on the Delete Server option from the ellipsis menu.
After this action, the Remote Server will be released from management. No further changes can be made via SMC, and no further monitoring or alerts will be received from that server.
Please note that it is not possible to revert this action. If the Administrator needs to enable remote management for this Server again, it needs to be added, acquired and configured again.
9. Disabling remote management from the Remote Server
It is also possible to release a Server from the Snare Management Center Server from within the Remote Server itself, without the consent of the SMC.
To do this, the Remote Server’s Administrator needs to go to the Snare Management Center Setup panel in the Configuration Wizard, and select the Disable Remote Management checkbox, then click Next.
After this action has been taken, the Server will release itself from remote management, the VPN tunnel will be terminated and no further changes and no further monitoring or alert transmission from this server will be performed.
Please note that it is not possible to revert this action.
10. Changes History
Click on the server to open its Alerts, Dashboard and History panel. Then select the History tab to show a table with all the records of every management session for the selected server. Every record includes the Changes description entered at the end of the management session, the status of the session, the list of the files that were changed during the session, any errors in case the file synchronization fails, and the command output of the file synchronization process.
It is also possible to use the “Events Search” tool to look for SnareServerLog events that contain SnareManagement as RESOURCE. As an example, the following query will retrieve all MCS events since the start of the month (you can copy it and paste it into the “Query Preview” input in the Event Search page to execute it):
DATE>='FIRST DAY OF THIS MONTH' AND TABLE = 'SnareServerLog' AND RESOURCE REGEXI 'SnareManagement|SnareAcquire|ManagementPusher' AND ACTION REGEXI 'System Message|Sync Changes'
11. Logs for troubleshooting
When DEBUG is turned on in the Snare Central Server, all the activity that the MCS performs is logged for troubleshooting purposes in different log files, depending on the subsystem involved, as per the following table:
System | Subsystem | Log file | DEBUG level |
---|---|---|---|
Management Center Server | VPN Server | /var/log/openvpn/openvpn.log | 1 |
Management Center Server | SNMPTrap Server | /var/log/snmptrapd.log | 1 |
Management Center Server | Management Center | /var/log/snare.log | 1 & 2 |
Management Center Server | Snare Acquire Server | /var/log/snare.log | 1 |
Management Center Server | Management Pusher | /var/log/snare.log | 1 |
Management Center Server | Internal PKI | /var/log/snare.log | 1 |
Remote Server | VPN Client | /var/log/openvpn/vpn.log | 1 |
Remote Server | Alerts | /var/log/munin/muninAlert.log | 1 & 2 |
12. Management Center Limitations
Snare Management Center cannot manage another SMC. When trying to acquire an SMC from another SMC, the acquisition will fail.
Snare Management Center can only manage the primary node of a High Availability Snare Central cluster. Acquiring a secondary node from a cluster will break the server synchronization between the nodes of the cluster.
Snare Management Center can apply changes only to a limited number of settings from a Remote Server. Some administrative objectives cannot be accessed with the SMC and most of the configuration settings shown in the “Configuration Wizard” cannot be modified through SMC either. The following is a comprehensive list of things that cannot be remotely managed with SMC in its current state and therefore are disabled while in Remote Management Mode:
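Location | Objective Name | Section | Configuration Setting Name |
---|---|---|---|
Administrative Tools | Antivirus Administration | | |
Administrative Tools | Change IP Address | | |
Administrative Tools | Display Snare Log File | | |
Administrative Tools | Display the Snare Service Monitor Log File | | |
Administrative Tools | File Integrity Check Administration | | |
Administrative Tools | Import Objectives | | |
Administrative Tools | Manage Nightly Updates | | |
Administrative Tools | Manage Plugins | | |
Administrative Tools | ShutDown / Reboot Snare Central | | |
Administrative Tools | Snare Central Update | | |
Administrative Tools | Snare Thread Intelligence | | |
Administrative Tools | Support Data Retrieval | | |
Data Management Tools | Arbitrary Data Import | | |
Data Management Tools | Autoremove Data | | |
Data Management Tools | Data Backup and Restore | | |
Data Management Tools | Disk Manager | | |
Data Management Tools | Remove Data | | |
Data Management Tools | Launch OpenVAS | | |
Status | Collection Status - Agent Information | | |
Status | General Statistics | | |
Status | Snare Health Checker | | |
Status | System Status | | |
Administrative Tools | Configuration Wizard | Date and Time | |
Administrative Tools | Configuration Wizard | Network Services | |
Administrative Tools | Configuration Wizard | Security Setup | Add or Update a CA Certificate |
Administrative Tools | Configuration Wizard | Security Setup | Enhanced Security for OS Accounts |
Administrative Tools | Configuration Wizard | Security Setup | Enable STIG Compliance |
Administrative Tools | Configuration Wizard | LDAP Setup | Add or Update a CA Certificate |
Administrative Tools | Configuration Wizard | SNMP Setup | |
Administrative Tools | Configuration Wizard | Firewall Setup | |
Administrative Tools | Configuration Wizard | High Availability | |
Administrative Tools | Configuration Wizard | Additional Objectives | |
Cyber Network Map | | | |
Events Search | | | |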
13. Using External Certificate Authority
a) Generating Certificates for Snare Management Center
When Snare Management Center is enabled, the server can use the VPN Support to securely accept connections from managed Remote Servers if required. To assure the highest security communication levels, two Certificates are needed: the Certificate for your server (a Signed Certificate) and the Root Certificate of the Certificate Authority (CA) that signed your server's certificate.
To obtain your server's Signed Certificate, you must first generate a Certificate Signing Request (CSR) on the Snare Central Server, download it and send the CSR to your Certificate Authority for signing. Ensure that the CSR is signed as a subordinate CA or intermediate CA.
Once the CSR has been signed, a Certificate is created. You need to upload this newly created Signed Certificate to your server along with the Root CA Certificate used to sign yours.
Once the Certificates are in place, the VPN Support can be configured and enabled. The steps to achieve all this are the following:
Create and download a Certificate Signing Request for your Snare Central Server
Go to "Configuration Wizard" -> "Snare Management Center Setup"
Check the Enable VPN Support check box.
Go to the "Create Server Certificate Signing Request" section and fill all the required fields and click on Generate CSR button.
Download the file "server.csr". This is your CSR.
Submit the Certificate Signing Request for signing with your AD Server.
Sign and Download the Signed Server Certificate in your AD Server.
Open an elevated command prompt
Enter cmd in the search bar.
Press CTRL + SHIFT + ENTER.
A dialog prompt will appear asking if you want to run the program as an administrator. Select Yes to open an elevated command prompt.
Enter the following command: certreq -submit -attrib "CertificateTemplate:SubCA" server.csr server.crt
From the dialog box, choose the desired certificate authority.
Click OK.
The issued certificate will be saved as server.crt so long as you have domain administrator access permissions.
Download server.crt
Upload the Issued Signed Server Certificate in your Snare Center Server.
Go to "Configuration Wizard" -> "Snare Management Center Setup" -> "Upload Signed Server Certificate"
Choose the file server.crt
Export and download the CA Root Certificate from your AD Server.
In the AD server, launch the Certificate Authority application by Start | Run | certsrv.msc.
Right click the CA you created and select Properties.
On the General tab, click the View Certificate button.
On the Details tab, select Copy to File.
Follow through the wizard, and select the Base-64 Encoded X.509 (.cer) format.
Click browse and specify a path and filename to save the certificate.
Click the Next button and click Finish.
Upload the CA Root Certificate in your Snare Center Server.
Go to "Configuration Wizard" -> "Snare Management Center Setup" -> "Upload CA Root Certificate"
Choose the file obtained in step 6.
The VPN Support can only be enabled after the two Certificates have been installed correctly. In the cases where more than one NIC exists in the server, you may need to specify which one is going to be used to listen for VPN connection requests.
b) Generating Certificate and a VPN connection setup file for a Remote Server
To assure the highest security levels, one extra Certificate is needed: the Certificate for the Remote Server (a Signed Certificate), signed by the same Certificate Authority (CA) that signed your SMC Server's certificate and that was uploaded when "Snare Management Center" was enabled as described above.
Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the server. The benefit of this is that we can create a script which will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.
To obtain the remote server's Signed Certificate, you must first generate a Certificate Signing Request (CSR) for the server, download it and send the CSR to your Certificate Authority for signing. Ensure that the CSR is signed as a subordinate CA or intermediate CA.
Once the CSR has been signed, a Certificate is created. You need to upload this newly created Signed Certificate to the MCS server.
Once the Certificate is in place, a VPN configuration file can be created and downloaded.
The steps to achieve all this are the following:
To Create and download a Certificate Signing Request (CSR) for the remote Snare server, go to the "Snare Management Center" page to the selected group and choose "Setup VPN" for the server from the ellipsis menu.
A "Generate Client Signing Request Form" will be shown for you to fill all the required fields.
Click on "Generate CSR" button. IMPORTANT: The CSR is generated using the IP address of the remote server.
Download the file "client.csr". This is the CSR for the Remote Server.
Submit the Certificate Signing Request for signing with your AD Server.
Sign and Download the Signed Server Certificate in your AD Server.
Open an elevated command prompt
Enter cmd in the search bar.
Press CTRL + SHIFT + ENTER.
A dialogue prompt will appear asking if you want to run the program as an administrator.
Select Yes to open an elevated command prompt.
Enter the following command:
certreq -submit -attrib "CertificateTemplate:SubCA" client.csr client.crt
From the dialog box, choose the desired certificate authority.
Click OK.
The issued certificate will be saved as client.crt so long as you have domain administrator access permissions.
Download client.crt
Upload the Issued Signed Server Certificate in the Snare Management Center server.
Once the client.crt has been uploaded, a VPN configuration file tailored for the Remote Server will be generated.
Download the .ovpn file and send it securely to the Remote Server for upload.