Configuring a detection server for an Endace card
After installing DLP as a Network Detection server there are additional configuration options that must be done both on the detection server and within the Enforce UI.
Installing the Endace card on the detection server
The first problem to be aware of is to make sure the Endace drivers and software is installed in a folder that has no spaces, c:\endace instead of the default: c:\program files\endace
From the Enforce server copy the dagextraconfig.bat from c:\vontu\protect\bin to c:\endace\dag-3.3.1\bin. Do not worry that this bat file is commented out, an error will be generated if this file is missing
Change the boot.ini to enable the /3GB switch
If you are running Windows Server 32-bit on the detection side the 3GB switch needs to be enabled in the boot.ini file. The following steps need to be done:
- Change the attributes on the file from the command type: attrib.exe –s –h –r c:\boot.ini
- Open the boot.ini in notepad
- Copy the line that reads like: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff
- At the end of the line add /3GB /userva=3030 so it will look like this: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff /3GB /userva=3030
- Restart the detection server
Once the span port is connected to the Endace card traffic can be verified by opening a command line, navigating to the c:\Endace\dag-3.3.1\bin directory and type: dagsnap –d0 –v –o tracefile, traffic should be displayed in the window.
Changing settings on the Enforce UI
The following settings need to be changed within the Enforce UI in order for Network Monitor to work correctly with an Endace card.
In the UI for Enforce navigate to System -> Overview and then select the correct detection server. Click on the Server Settings button and make changes to the following items::
- PacketCapture.IS_ENDACE_ENABLED from false to true
- PacketCapture.ENDACE_BIN_PATH to the location you installed the software to (c:\endace\dag-3.3.2\bin)
- PacketCapture.ENDACE_LIB_PATH to the location you installed the software to (c:\endace\dag-3.3.2\lib)
- PacketCapture.ENDACE_XILINX_PATH to the location you installed the software to (c:\endace\dag-3.3.2\xilinx)
After making the above changes, restart the Vontu services on each detection server using an Endace card. Once the services are back from restarting, select Configure, dag0 should be then select the Endace card
About Security Community Blog
The Security Community Blog is the perfect place to share short, timely insights including product tips, news and other information relevant to the Security community. Any authenticated Connect member can contribute to this blog.
Comments 3 Comments • Jump to latest comment
I know I'm going to need this page in the future. This looks REALLY helpful
*bookmarked*
Thanks for the share bro =]
Trying to come up w/ content people would find useful. Let me know if there are more articles or information you are looking for on DLP :)
Jonathan Jesse Practice Principal ITS Partners
Will do ;]
Actually...I've been working on the Endpoint Prevent module for some time now and been doing a lot of reading. I think I'm pretty proficient with it but there's one thing that I really have no clue about. You know when you go to System -> Servers -> EndpointServer...there is a tab called "Server Settings". I have no clue about what those variables do. I found a table in the DLP documentation explaining the "Endpoint Settings" tab but couldn't find anything for the other one.
It would be unfair to ask you to document all of the purposes and parameters of each of those options but I guess it would qualify as information I'm looking for on DLP =P
I highly doubt I'd ever modify any of those stuff...but just for knowing's sake...it'd be good.
Would you like to reply?
Login or Register to post your comment.