You can install Feed Service and Feed Utility on separate computers. This allows you to isolate the computer on which event data is matched against feeds from the Internet.
Do not delete the dmz directory from the distribution kit of Kaspersky CyberTrace, even if you are not going to use Feed Service and Feed Utility on separate computers.
You can install Feed Utility on a Windows computer. For this, you must have the distribution package for Windows, which also contains the instructions on how to perform the installation.
How Feed Service and Feed Utility work in DMZ
The following diagram describes how Feed Service and Feed Utility work in DMZ.
Workflow when Feed Service and Feed Utility are installed on separate computers
Using CyberTrace Web if Feed Service and Feed Utility are on separate computers
If you use Kaspersky CyberTrace Web with Feed Service and Feed Utility installed on separate computers, avoid performing the actions below on the Settings > Feeds tab, in the Feeds update period section. The actions will be ineffective.
The feeds will not be updated on the Local computer, because it is isolated from the Internet.
The certificate will only be changed on the Local computer. To change the certificate on the DMZ computer, manually copy it from the Local computer to the dmz directory.
By default, Kaspersky CyberTrace updates Kaspersky Threat Data Feeds every 30 minutes.
If you use DMZ integration, perform one of the following actions:
You can use Kaspersky CyberTrace Web to perform the actions listed below. However, note that each time you make any changes, you have to copy the kl_feed_util.conf file from the Local computer to the DMZ computer so that the changes you made on the Local computer get replicated on the DMZ computer.
For example, you can add new custom or third-party feeds.
Outline of the installation procedure
The following procedure describes how to install Feed Service on one computer (in this topic, referred to as Local) and Feed Utility on another computer (in this topic, referred to as DMZ).
If you use Kaspersky CyberTrace Web, please see section "Using CyberTrace Web if Feed Service and Feed Utility are on separate computers" above before proceeding to the installation.
To install Feed Service and Feed Utility on separate computers:
Install Feed Service (in the %service_dir% directory) on the Local computer. (Kaspersky CyberTrace version 3.0) After you specify the path to the certificate file in the configurator, the list of available feeds is not retrieved, because the Local computer is not connected to the Internet. In this case, you are prompted to select the feeds manually.
Find the <NotifyKTFS path="">false</NotifyKTFS> element and change it to <NotifyKTFS path="..\bin">true</NotifyKTFS>.
Copy the dmz subdirectory of the installation directory from the Local computer to the DMZ computer. (Kaspersky CyberTrace version 3.0) When you have to use a new PEM-formatted certificate for updating feeds, change the Kaspersky CyberTrace configuration using the installation script. You will have to copy the dmz subdirectory from the Local computer to the DMZ computer.
For more information on how to manage the settings of feeds through Kaspersky CyberTrace Web, see section "Feeds settings".
Replace the kl_feed_util.conf file in the dmz directory on the DMZ computer with the copy of the same file stored on the Local computer. You can obtain kl_feed_util.conf on the Local computer in one of the following ways:
Take it from the %service_dir%/etc directory.
In the %service_dir%/scripts/cron_cybertrace.sh file on the Local computer, specify the credentials for connecting to the DMZ computer and the path to the feeds directory on the DMZ computer.
Configuring the updating of feeds on the DMZ computer
Configure the cron task that runs the updating of feeds on the DMZ computer so that the cron-dmz.sh script will run twice as often as when Kaspersky CyberTrace is installed on a single computer. This is done so that the new versions of feeds will be used as soon as possible. For example, specify the following line in the cron configuration file:
*/15 * * * * %path_to_cron.sh%/cron-dmz.sh
Configuring the updating of feeds on the Local computer
Add a task that runs the updating of feeds so that the cron_cybertrace.sh script runs twice as often as when Kaspersky CyberTrace is installed on a single computer. The synchronization of feeds must occur after they are updated on the DMZ computer, so schedule the cron_cybertrace.sh script to start several minutes after the cron-dmz.sh script starts on the DMZ computer. For example, to run it 7 minutes after each cron-dmz.sh run (at minutes 7, 22, 37 and 52 of every hour), specify the following line in the cron configuration file:
7-59/15 * * * * %service_dir%/scripts/cron_cybertrace.sh
You might have to change the settings in the cron_cybertrace.sh script. The settings are described in the following table. For more information, see section "Synchronizing directories that contain feeds" below.
Settings in cron_cybertrace.sh
| Setting | Description |
|---|---|
| RSYNC_USER | Login on the computer where the RSync utility is installed. |
| RSYNC_HOST | Host where the RSync utility is installed. |
| PATH_TO_FEEDS | Path to the directory where the processed feeds are stored. |
| DOWNLOAD_DIR | Path to the directory into which the feeds are downloaded. Do not change the value of this parameter. Changing this value may cause Feed Utility not to work properly. |
| SSH_KEY | The RSA public key to be used when synchronizing directories with feeds. |
Synchronizing directories that contain feeds
For synchronizing feeds on both the Local and DMZ computers you can use the RSync utility. If the DMZ computer is a Windows computer, the RSync utility can be run by using Cygwin.
To install the RSync utility on a Windows computer:
Run ssh-host-config. You can answer "Yes" every time. The main point is to run the sshd daemon as a service.
Run net start sshd. The sshd daemon will start automatically.
To configure the synchronization of feeds:
For this purpose, run the following command on the Local computer:
ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key
(Specify the user login instead of <user>.) The keys will be created without a passphrase.
ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>
When you run this command, you will be asked for the password of <DMZ_user>@<DMZ_host>.
rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/
In this command, <Path_to_feeds_on_Local> is the path to the directory containing feeds on the Local computer (namely, %service_dir%/feeds), and <Path_to_feeds> is the path to the directory in which updated feeds are stored on the DMZ computer.
To pass the synchronization test, the contents of the <Path_to_feeds_on_Local> directory on the Local computer must be the same as the contents of the <Path_to_feeds> directory on the DMZ computer.