Posts by markryan

    Hi,


    I believe they do; I'll double check. I think the squid proxy on the box may be causing an issue. However, it seems I'm going to be ditching the opendxl brokers as I just saw the other post connecting epo brokers to your brokers. It is done through node-red. The idea was I connect a fabric together using opendxl and epo brokers and then attach the various security products into the fabric, including node-red. However, it seems node-red is the glue, so I don't need the opendxl broker at all. I just point node-red at everything.

    Just tried a new setup for two containers as a bridge as per the document. I created a broker cert and put it in the second broker's keystore. I added the following file to both and still can't get a bridge working without a hub.


    Docker run strings:

    docker run -d --restart=unless-stopped -it -p 1443:443 -p 1883:8883 -p 2443:8443 -v /dxlbroker-volume-1:/dxlbroker-volume:z --name opendxl-broker1 opendxl:broker-001
    docker run -d --restart=unless-stopped -it -p 3443:443 -p 2883:8883 -p 4443:8443 -v /dxlbroker-volume-2:/dxlbroker-volume:z --name opendxl-broker2 opendxl:broker-001

    Hi,


    Back again with the next stage of our trial. We're trying to bridge a docker OpenDXL broker into an existing hub. I thought I would get it working with 3 docker containers first. I went onto the primary broker in the hub and created a cert under broker, deleted the files in the keystore on broker 1fd87aac-0784-4362-a8ec-38ca791e301a and put the new cert bundle in. Everything is up but messages sent don't appear in any of the other brokers. The docker run strings are shown below:


    docker run -d --restart=unless-stopped -it -p 1443:443 -p 1883:8883 -p 2443:8443 -v /dxlbroker-volume-1:/dxlbroker-volume:z --name opendxl-broker1 opendxl:broker-001

    docker run -d --restart=unless-stopped -it -p 3443:443 -p 2883:8883 -p 4443:8443 -v /dxlbroker-volume-2:/dxlbroker-volume:z --name opendxl-broker2 opendxl:broker-001

    docker run -d --restart=unless-stopped -it -p 5443:443 -p 3883:8883 -p 6443:8443 -v /dxlbroker-volume-3:/dxlbroker-volume:z --name opendxl-broker3 opendxl:broker-001


    Docker bridge



    Here is the file I have in all three containers for policy/brokerstate.policy


    Anything I've missed?


    The two hub brokers are showing root hub. The bridged broker isn't showing a parent.

    Hi,

    For reference, simply add a configuration in the opendxl broker and ftp the downloaded contents into the node-red data directory under a suitably named folder. Then reference this folder in the client config in the opendxl nodes in node-red.

    Thanks Mark
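The step above drops a downloaded OpenDXL client bundle (certs plus dxlclient.config) into the node-red data directory and points the opendxl nodes at it. The checker below is an added example, not code from the original post or the OpenDXL project: it parses a dxlclient.config in the layout used by the OpenDXL Python client ([Certs] with BrokerCertChain/CertFile/PrivateKey, [Brokers] with guid=guid;port;host;ip lines), confirms the referenced files exist relative to the config, and flags a private key that is group- or world-readable, which matters once the key is sitting in a shared node-red data volume. The sample config, GUID, hostnames and placeholder PEM files are constructed for the demo.

```python
"""Sanity-check an OpenDXL client configuration bundle before node-red uses it.

Added example (not the OpenDXL project's code). Assumes the dxlclient.config
layout of the OpenDXL Python client; certificate paths are taken to be
relative to the directory holding the config file.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample bundle; the GUID and host are placeholders, not a real broker.
SAMPLE_CONFIG = """[Certs]
BrokerCertChain=certs/ca-bundle.crt
CertFile=certs/client.crt
PrivateKey=certs/client.key

[Brokers]
{5d73b77f-8c4b-4ae0-b437-febd12facfd4}={5d73b77f-8c4b-4ae0-b437-febd12facfd4};8883;broker1.example.internal;10.0.0.12
"""


def parse_broker_line(value):
    """Split 'guid;port;host[;ip]' into a dict; raise ValueError if malformed."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("broker entry needs at least guid;port;host")
    guid, port, host = parts[0], int(parts[1]), parts[2]
    ip = parts[3] if len(parts) > 3 else None
    return {"guid": guid, "port": port, "host": host, "ip": ip}


def check_config(config_text, base_dir):
    """Return a list of problems; an empty list means the bundle looks usable."""
    problems = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep broker GUID keys exactly as written
    cp.read_string(config_text)

    for key in ("BrokerCertChain", "CertFile", "PrivateKey"):
        rel = cp.get("Certs", key, fallback=None)
        if not rel:
            problems.append(f"[Certs] {key} missing")
            continue
        path = os.path.join(base_dir, rel)
        if not os.path.exists(path):
            problems.append(f"{key} not found: {rel}")
        elif key == "PrivateKey" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # The client key is a credential: anyone who can read it can join the fabric as this client.
            problems.append(f"PrivateKey is group/world accessible: {rel}")

    if not cp.has_section("Brokers") or not cp.items("Brokers"):
        problems.append("[Brokers] has no entries")
    else:
        for guid, value in cp.items("Brokers"):
            try:
                entry = parse_broker_line(value)
            except ValueError as exc:
                problems.append(f"broker {guid}: {exc}")
                continue
            if entry["guid"] != guid:
                problems.append(f"broker {guid}: key does not match guid in value")
    return problems


def demo():
    """Write the constructed bundle to a temp dir and check it twice:
    once well-formed, once with a world-readable key and a broken broker line."""
    with tempfile.TemporaryDirectory() as d:
        certs = os.path.join(d, "certs")
        os.mkdir(certs)
        for name in ("ca-bundle.crt", "client.crt", "client.key"):
            with open(os.path.join(certs, name), "w") as f:
                f.write("CONSTRUCTED PLACEHOLDER, NOT A REAL PEM\n")
        os.chmod(os.path.join(certs, "client.key"), 0o600)
        good = check_config(SAMPLE_CONFIG, d)
        os.chmod(os.path.join(certs, "client.key"), 0o644)
        bad = check_config(SAMPLE_CONFIG + "{bad}=notaguid;x\n", d)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("well-formed bundle:", good or "no problems")
    print("broken bundle:", bad)
```

Run it against the real folder with `check_config(open(path).read(), os.path.dirname(path))` after the ftp step; anything it reports is something the node-red opendxl node will also trip over, usually with a less helpful error.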

    Hi,

    More questions as I cannot find the answers anywhere.


    I have my node-red and opendxl broker containers running. The video shows node-red and the broker integrated, and then an EPO, which is great.


    How do I get node-red itself into the opendxl fabric on the broker? I tried setting up the broker itself as a client in node-red but I get a 503 and the file contains a csr for the suggested connection. Or do I just connect to a device such as an EPO and connect the broker to the EPO?

    Thanks Mark

    Hi,


    Our prod environment is locked down and I have to justify any connections needed. Hence anything installed on build is fine; installing anything on a run, not so much. So I've moved the npm installs to the Dockerfile from the bash script.

    I have built and run the custom docker environment from node-red and I don't see outgoing connections on a run.


    151.101.0.223

    199.232.57.63

    104.16.24.35,104.16.24.35


    When running the opendxl-node-red-docker container I see https connections out to the following IPs. I'm struggling to identify what specifically is going on. They look to be python and npmjs repo requests; why are they being carried out at run and not build? Any ideas on what these connections are would be greatly received. I can then decide whether to ditch, move or allow them.


    EDIT: Checked the package.json and looked at the dependencies. I moved any node-red node-modules into the docker file. I've also removed the python venv from startup.sh. I'm just down to the npmjs registry traffic now.

    Thanks Mark
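The post above is doing an egress audit by hand: run the container, watch what it connects to, then decide per destination whether to ditch, move or allow. The script below is an added example, not part of the original thread or the opendxl-node-red-docker project. It parses connection records in the column layout printed by `ss -tn` (state, queues, local address, peer address), de-duplicates peers, and splits them into those covered by an egress allowlist and those that are not. The allowlist, the container addresses and the sample `ss` lines are constructed for the demo; the three public peers reuse the addresses reported in the post purely as sample input.

```python
"""Split a container's outbound connections into allowed and unexpected.

Added example (not the project's code). Assumes input in the form of
`ss -tn` output run inside the container; allowlist entries are CIDRs
that this deployment intends to permit at run time (an assumption here).
"""
import ipaddress
import sys

# Constructed sample: what `docker exec <container> ss -tn` might print.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      172.17.0.3:45210     10.10.5.20:8883
ESTAB     0      0      172.17.0.3:51822     151.101.0.223:443
ESTAB     0      0      172.17.0.3:51830     104.16.24.35:443
TIME-WAIT 0      0      172.17.0.3:51844     199.232.57.63:443
ESTAB     0      0      172.17.0.3:51851     104.16.24.35:443
"""

# Assumed allowlist: only the internal broker subnet is expected at run time.
EXPECTED_EGRESS = {
    "opendxl-broker": [ipaddress.ip_network("10.10.5.0/24")],
}


def parse_ss(text):
    """Yield (state, local, peer) from ss -tn output, skipping the header and short lines."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        yield parts[0], parts[3], parts[4]


def split_endpoint(endpoint):
    """'1.2.3.4:443' or '[::1]:443' -> (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify(text, allow):
    """Return (allowed, unexpected) lists of unique 'ip:port' peers, in first-seen order."""
    allowed, unexpected, seen = [], [], set()
    for _state, _local, peer in parse_ss(text):
        ip, port = split_endpoint(peer)
        key = f"{ip}:{port}"
        if key in seen:
            continue
        seen.add(key)
        covered = any(ip in net for nets in allow.values() for net in nets)
        (allowed if covered else unexpected).append(key)
    return allowed, unexpected


if __name__ == "__main__":
    # Pipe real output in (docker exec <name> ss -tn | python3 egress_check.py)
    # or run with no stdin to see the constructed sample classified.
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    allowed, unexpected = classify(text, EXPECTED_EGRESS)
    print("allowed:   ", allowed)
    print("unexpected:", unexpected)
```

Anything that lands in `unexpected` is a candidate for the same treatment as the npm installs in the post: either it belongs at build time (move it into the Dockerfile) or it is a runtime dependency that needs a justified allow rule.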

    Chris,

    For the first use case we'll be using McAfee and Cisco ISE. The final objective will be to integrate as many tools as we can.

    Therefore, from your comment, we'll stick with the opendxl broker. Thanks for the pointers and tipping me in the right direction. I may document the whole thing in detail once done for others to learn from.


    I'm just testing the containers at the moment to see what they need access to when I run them, as we have a heavily locked down production environment. For your node-red container I've moved the npm install from the start bash script into the Dockerfile to reduce access requirements on docker run. Obviously that means the install function will break and we'll need to rebuild the container with any requirements, but that is a desirable outcome in our network. I've checked the opendxl container and it doesn't seem to access anything on run.

    Thanks again Mark

    Chris,

    Thanks for your response. From information I came across yesterday and your response would the following deployment work?


    Create a docker opendxl broker. Register Cisco ISE and McAfee products with the broker. Open the opendxl ports on my node-red container and use the various nodes available, also registered to the opendxl broker, to look for messages from the platforms and publish messages to the platforms?


    The opendxl broker is basically a broadcast switch. I just have to grab the messages with the correct types.

    We're using node-red to keep the automation in one place and simplify automation for non-coders. It is preferable to scripts on Cisco boxes coupled with McAfee automation spread across the infrastructure especially when they have different owners.

    Thanks Mark

    Hi,

    Our organisation is looking at node-red to tie all our security products together to automate our threat response.

    I assume, looking at your flows, that the standard ports for mar, epo, tie and pxgrid will need to be forwarded on a docker installation? There is no mention of which ports are required in github against the docker solution. Everything seems to be outgoing only on port 8443 from the docs, which doesn't look to be correct for pxgrid.