Getting started with OpenDXL in Node-RED?

  • A while ago our team was considering creating a Node-RED extension that would let us send events over OpenDXL from our own custom flow(s). It looks like the OpenDXL community beat us to the punch already, though.


    I'm not sure where to get started, though. I see around 20+ solutions listed when I go to the Node-RED Category on the solutions page. I'm trying to figure out which of these solutions I can use to actually install the OpenDXL Node-RED node (nodes?), etc.

  • It's recommended that users who want to get started with the DXL nodes/flows available for Node-RED visit the OpenDXL Node-RED Nodes solution. The GitHub repository for that project contains a wiki and documentation that not only help with setting up the required environment, but provide samples and API information.


    Additionally, there is also the OpenDXL Node-RED Docker solution. There you will find a Docker image that is ready out-of-the-box to support the official OpenDXL Node-RED solutions available. Note that some additional environmental requirements may need to be met for the various community-built solutions that use Node-RED.

  • Hi,

    Our organisation is looking at node-red to tie all our security products together to automate our threat response.

    I assume looking at your flows that the standard ports for mar, epo, tie and pxgrid will need to be forwarded on a docker installation? There is no mention of which ports are required in github against the docker solution. Everything seems to be outgoing only on port 8443 from the docs which doesn't look to be correct for pxgrid.

  • Hi-


    All of the Node-RED extensions leverage DXL for communication with the services (TiE, MAR, ePO, and pxGrid). Thus, no additional ports must be exposed from the Docker installation (assume you are referring to the OpenDXL Node-RED Image).


    If you can provide a bit of additional information about your deployment, I can try to walk you through the details.


    Thanks a lot,

    Chris

  • Chris,

    Thanks for your response. From information I came across yesterday and your response, would the following deployment work?


    Create a docker opendxl broker. Register Cisco ISE and McAfee products with the broker. Open the opendxl ports on my node-red container and use the various nodes available also registered to the opendxl broker to look for messages from the platforms and publish messages to the platforms?


    The opendxl broker is basically a broadcast switch. I just have to grab the messages with the correct types.

    We're using node-red to keep the automation in one place and simplify automation for non-coders. It is preferable to scripts on Cisco boxes coupled with McAfee automation spread across the infrastructure especially when they have different owners.

    Thanks Mark

  • Hi Mark-


    If you are using McAfee products, it would probably make more sense to use the McAfee-based DXL brokers (versus the OpenDXL brokers). Using McAfee-based brokers simplifies the management of those products (TIE, MAR, Cisco pxGrid) with DXL connectivity (authentication, authorization, etc.).


    The OpenDXL extensions that are included with the OpenDXL Node-RED docker image can connect to either a McAfee-managed or OpenDXL fabric.


    See the following video for a guided walkthrough of getting up and running with Node-RED and DXL:


    Video: Using OpenDXL with Node-RED


    Totally agree with your approach. It makes sense to centralize the automation efforts using a tool like Node-RED.


    Thanks,

    Chris

  • Chris,

    The first use case we'll be using McAfee and Cisco ISE. The final objective will be to integrate as many tools as we can.

    Therefore from your comment we'll stick with the opendxl broker. Thanks for the pointers and tipping me in the right direction. I may document the whole thing in detail once done for others to learn from.


    I'm just testing the containers at the moment to see what they need access to when I run them as we have a heavily locked down production environment. For your node-red container I've moved the npm install from the start bash script into the Dockerfile to reduce access requirements on docker run. Obviously that means the install function will break and we'll need to rebuild the container with any requirements but that is a desirable outcome in our network. I've checked the opendxl and it doesn't seem to access anything on run.

    Thanks again Mark

  • Hi,

    More questions as I cannot find the answers anywhere.


    I have my node-red and opendxl broker containers running. The video shows node-red and the broker integrated and they and an EPO which is great.


    How do I get node-red itself into the opendxl fabric on the broker? I tried setting up the broker itself as a client in node-red but I get a 503 and the file contains a csr for the suggested connection. Or do I just connect to a device such as an EPO and connect the broker to the EPO?

    Thanks Mark

  • Hi,

    For reference simply add a configuration in the opendxl broker and ftp the downloaded contents in to the node-red data directory under a suitably named folder. Then reference this folder in the client config in the opendxl nodes in node-red.

    Thanks Mark
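
The folder-based setup described in the last post can be checked before the Node-RED client config is pointed at it. This is an added example, not code from the thread or from the OpenDXL project; it assumes the folder holds a `dxlclient.config` with `[Certs]` (`BrokerCertChain`, `CertFile`, `PrivateKey`) and `[Brokers]` sections and POSIX file permissions, and the sample file names, broker entry and host are constructed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Parse INI-style text into { section: { key: value } }.
function parseIni(text) {
  const out = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const head = line.match(/^\[(.+)\]$/);
    if (head) { section = out[head[1]] = {}; continue; }
    const eq = line.indexOf("=");
    if (section && eq > 0) section[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Return a list of problems; an empty list means the folder looks usable.
function checkConfigDir(dir) {
  const cfgPath = path.join(dir, "dxlclient.config");
  if (!fs.existsSync(cfgPath)) return ["dxlclient.config not found"];
  const cfg = parseIni(fs.readFileSync(cfgPath, "utf8"));
  const problems = [];
  for (const key of ["BrokerCertChain", "CertFile", "PrivateKey"]) {
    const rel = (cfg.Certs || {})[key];
    if (!rel) { problems.push(`[Certs] ${key} is not set`); continue; }
    const file = path.resolve(dir, rel);
    if (!fs.existsSync(file)) problems.push(`${key} file missing: ${rel}`);
    else if (key === "PrivateKey" && (fs.statSync(file).mode & 0o077)) problems.push(`PrivateKey ${rel} is accessible to group/other`);
  }
  // Assumption: each broker entry is ';'-separated and carries a TCP port field.
  const brokers = Object.entries(cfg.Brokers || {});
  if (!brokers.length) problems.push("[Brokers] has no entries");
  for (const [id, v] of brokers)
    if (!v.split(";").some((f) => /^\d+$/.test(f) && +f >= 1 && +f <= 65535)) problems.push(`broker ${id} has no valid port`);
  return problems;
}

// Constructed sample folder: placeholder file contents, hypothetical broker host.
function makeSampleDir(keyMode) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "dxl-"));
  for (const f of ["ca-bundle.crt", "client.crt", "client.key"]) fs.writeFileSync(path.join(dir, f), "placeholder\n");
  fs.chmodSync(path.join(dir, "client.key"), keyMode);
  fs.writeFileSync(path.join(dir, "dxlclient.config"), "[Certs]\nBrokerCertChain=ca-bundle.crt\nCertFile=client.crt\n" +
    "PrivateKey=client.key\n\n[Brokers]\nbroker1=broker1;8883;broker.example.internal;192.0.2.10\n");
  return dir;
}
console.log(checkConfigDir(makeSampleDir(0o600))); // []
```

Run it against the folder copied into the Node-RED data directory; a private key that is readable by other accounts on the host is reported as a problem.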