You can install Feed Service and Feed Utility on separate computers. This allows you to isolate the computer, on which event data is matched against feeds, from the Internet.
Do not delete the dmz
directory from the distribution kit of Kaspersky CyberTrace, even if you do not plan to use Feed Service and Feed Utility on separate computers.
You can install Feed Utility on a Linux computer. For this you must have the distribution package for Linux, which also contains the instructions on how to perform the installation.
How Feed Service and Feed Utility work in DMZ
The following diagram describes how Feed Service and Feed Utility work in the DMZ.
Workflow when Feed Service and Feed Utility are installed on separate computers
Using CyberTrace Web if Feed Service and Feed Utility are on separate computers
If you use Kaspersky CyberTrace Web with Feed Service and Feed Utility installed on separate computers, keep the following actions in mind with respect to the Settings > Feeds tab, in the Feeds update period section.
The feeds will not be updated on the Local computer, because it is isolated from the Internet.
The certificate will only be changed on the Local computer. To change the certificate on the DMZ computer, manually copy it from the Local computer to the dmz
folder.
By default, Kaspersky CyberTrace updates Kaspersky Threat Data Feeds every 30 minutes.
If you use DMZ integration, perform one of the following actions:
You can use Kaspersky CyberTrace Web to perform the actions listed below. However, note that each time you make any changes, you have to copy the kl_feed_util.conf file from the Local computer to the DMZ computer so that the changes you made on the Local computer will be replicated on the DMZ computer
For example, you can add new custom or third-party feeds.
Installing Feed Service and Feed Utility on separate computers
The following procedure describes how to install Feed Service on one computer (in this topic, referred to as Local) and Feed Utility on another computer (in this topic, referred to as DMZ).
If you use Kaspersky CyberTrace Web, please see section "Using CyberTrace Web if Feed Service and Feed Utility are on separate computers", above, before proceeding to the installation.
To install Feed Service and Feed Utility on separate computers:
%service_dir%
) on the Local computer.(Kaspersky CyberTrace version 3.0) If you use Windows Installer, after you specify the path to the certificate file, the list of available feeds is not retrieved, because the Local computer is not connected to the Internet. In this case, you are prompted to manually select the feeds.
<NotifyKTFS path="">false</NotifyKTFS>
element. Change it to <NotifyKTFS path="..\bin">true</NotifyKTFS>
.dmz
subfolder of the installation folder from the Local computer to the DMZ computer.(Kaspersky CyberTrace version 3.0) When you want to use a new PEM-formatted certificate for updating feeds, change Kaspersky CyberTrace configuration by performing the installation procedure again. You will have to copy the dmz
subfolder from the Local computer to the DMZ computer.
For more information, see section "Feeds settings".
dmz
folder located on the DMZ computer with the copy of the same file stored on the Local computer.You can obtain kl_feed_util.conf on the Local computer in one of the following ways:
%service_dir%\bin
folder.%service_dir%\scripts\cron_cybertrace.cmd
file on the Local computer, specify the credentials for connecting to the DMZ computer and the path to the feeds
folder on the DMZ computer.Configuring the updating of feeds on the DMZ computer
Create a regularly launched task that runs the updating of feeds on the DMZ computer so that the cron_dmz.cmd script will run twice as often as in the case when Kaspersky CyberTrace is installed on a single computer. This task will cause new versions of feeds to be used as soon as possible. For example, create the task by running the following command:
schtasks /create /tn KasperskyFeedServiceUpdate /ru system /f /tr "\"%path_to_cron.cmd%\cron_dmz.cmd\"" /sc minute /mo 15
Configuring the updating of feeds on the Local computer
Add a task that runs the updating of feeds so that the cron_cybertrace.cmd script will run twice as often as when Kaspersky CyberTrace is installed on a single computer. For example, modify the task by running the following command. Substitute %user%
with the name of the user that is authorized to run Cygwin on a Windows computer, and substitute %password%
with a password for this user.
schtasks /create /tn KasperskyFeedServiceUpdate /ru %user% /rp %password% /f /tr "%service_dir%\scripts\cron_cybertrace.cmd" /sc minute /mo 15
The synchronization of feeds must occur after they are updated on the DMZ computer, and so you can specify launching of the cron_cybertrace.cmd script several minutes after the cron_dmz.cmd script is launched on the DMZ computer.
You may have to change the settings in the cron_cybertrace.cmd script. The settings are describes in the following table. For more information, see section "Synchronizing directories that contain feeds" below.
Settings in cron_cybertrace.cmd
Setting |
Description |
RSYNC_USER |
Login on the computer where the RSync utility is installed. |
RSYNC_HOST |
Host where the RSync utility is installed. |
PATH_TO_FEEDS |
Path to the directory where to store the processed feeds. |
DOWNLOAD_DIR |
Path to the directory in which the feeds are dowloaded. Do not change the value of this parameter. Changing this value may cause Feed Utility not to work properly. |
SSH_KEY |
The RSA public key to be used when synchronizing directories with feeds. |
Synchronizing directories that contain feeds
For synchronizing feeds on both the Local computer and DMZ computer, you can use the RSync utility. On a computer running Windows, the RSync utility can be run by using Cygwin.
All Linux commands below are run on Windows computers by using Cygwin.
To install the RSync utility on a Windows computer:
ssh-host-config
You can answer Yes
every time. The important point is to run the sshd daemon as a service.
net start sshd
The sshd daemon will start automatically.
To configure the synchronization of feeds:
For this purpose, run the following command on the Local computer:
ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key
(Specify the user login instead of <user>
.) The keys will be created without a password.
ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>
When you run this command, you will be asked for the password to <DMZ_user>@<DMZ_host>
.
rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/
In this command, <Path_to_feeds_on_Local>
is the path to the folder containing feeds on the Local computer (namely, %service_dir%/feeds
), and <Path_to_feeds>
is the path to the folder on which updated feeds are stored on the DMZ computer.
To pass the synchronization test, the contents of the <Path_to_feeds_on_Local>
folder on the Local computer must be the same as the contents of the <Path_to_feeds>
folder on the DMZ computer.