5. Setting up the Greenbone Security Manager¶
This chapter provides specific setup guides for all current GSM appliances:
- GSM 5400/6500 → Chapter 5.1
- GSM 400/450/600/650 → Chapter 5.2
- GSM 150 → Chapter 5.3
- GSM 35 → Chapter 5.4
- GSM 150V/CENO/DECA/TERA/PETA/EXA → Chapter 5.5
- GSM 25V → Chapter 5.6
- GSM ONE/MAVEN → Chapter 5.7
5.1. GSM 5400/6500¶
This setup guide shows the steps required to put a GSM 5400 or 6500 appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| Power supply established (2 connectors) | |
| Networking cables connected | |
| Console access established | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Web user account created | |
| GOS selfcheck run |
5.1.1. Installing the Appliance¶
The GSM 5400 and GSM 6500 are 19-inch mountable and require two rack units (RU). Rack holders for the installation in a 19-inch rack are supplied.
For cabling GSM 5400 and GSM 6500 appliances have corresponding connectors at the front and back:
- Front
- 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
- 2 USB 2.0 ports
- 2 RJ45 Ethernet ports, labeled “MGMT”, for management
- Up to 4 optional modules with additional Ethernet ports (RJ45, SFP, SFP+ or XFP)
- Back
- 1 VGA port
- 2 USB 3.0 ports
- 2 USB 2.0 ports
- 2 power supplies
The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.
5.1.2. Utilizing the Serial Port¶
The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line to access the serial port by passing the device providing the serial port as parameter:
screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)
Tip
After starting screen, it may be necessary to press Enter several times to see a command prompt.
To close the serial connection, press Ctrl + a and immediately afterwards \.
In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.1 and the appropriate serial port have to be selected.
Fig. 5.1 Setting up the serial port in PuTTY
5.1.3. Starting the Appliance¶
Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.
The appliance will boot and after short time – depending on the exact model – the first messages will be displayed in the terminal application.
5.2. GSM 400/450/600/650¶
This setup guide shows the steps required to put a GSM 400, GSM 450, GSM 600 or GSM 650 appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| Power supply established (1 connector) | |
| Networking cables connected | |
| Console access established | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Web user account created | |
| GOS selfcheck run |
5.2.1. Installing the Appliance¶
The GSM 400, GSM 450, GSM 600 and GSM 650 are 19-inch mountable and require one rack unit (RU). Rack holders for the installation in a 19-inch rack are supplied.
For cabling GSM 400, GSM 450, GSM 600 and GSM 650 appliances have corresponding connectors at the front and back:
- Front
- 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
- 2 USB 3.0 ports
- 6 RJ45 Ethernet ports
- 2 SFP Ethernet ports
- Back
- 1 VGA port
- 1 power supply
The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.
5.2.2. Utilizing the Serial Port¶
The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line to access the serial port by passing the device providing the serial port as parameter:
screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)
Tip
After starting screen, it may be necessary to press Enter several times to see a command prompt.
To close the serial connection, press Ctrl + a and immediately afterwards \.
In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.2 and the appropriate serial port have to be selected.
Fig. 5.2 Setting up the serial port in PuTTY
5.2.3. Starting the Appliance¶
Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.
The appliance will boot and after short time – depending on the exact model – the first messages will be displayed in the terminal application.
5.3. GSM 150¶
This setup guide shows the steps required to put a GSM 150 appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| Power supply established (1 connector) | |
| Networking cables connected | |
| Console access established | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Web user account created | |
| GOS selfcheck run |
5.3.1. Installing the Appliance¶
The GSM 150 is 19-inch mountable and requires one rack unit (RU). The optional RACKMOUNT150 kit provides the rack holders for installing the appliance in a 19-inch rack.
For stand-alone appliances four self-sticking rubber pads have to be mounted on the corresponding bottom side embossments.
For cabling the GSM 150 appliance has corresponding connectors at the front and back:
- Front
- 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
- 2 USB 3.0 ports
- 1 HDMI port
- 4 RJ45 Ethernet ports
- Back
- 1 power supply
The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.
5.3.2. Utilizing the Serial Port¶
The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line to access the serial port by passing the device providing the serial port as parameter:
screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)
Tip
After starting screen, it may be necessary to press Enter several times to see a command prompt.
To close the serial connection, press Ctrl + a and immediately afterwards \.
In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.3 and the appropriate serial port have to be selected.
Fig. 5.3 Setting up the serial port in PuTTY
5.3.3. Starting the Appliance¶
Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.
The appliance will boot and after short time – depending on the exact model – the first messages will be displayed in the terminal application.
5.4. GSM 35¶
This setup guide shows the steps required to put a GSM 35 sensor appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| Power supply established (1 connector) | |
| Networking cables connected | |
| Console access established | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Scan user account created | |
| GOS selfcheck run |
5.4.1. Installing the Appliance¶
The GSM 35 is 19-inch mountable and requires one rack unit (RU). The optional RACKMOUNT35 kit provides the rack holders for installing the appliance in a 19-inch rack.
For stand-alone appliances four self-sticking rubber pads have to be mounted on the corresponding bottom side embossments.
For cabling the GSM 35 appliance has corresponding connectors at the front and back:
- Front
- 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
- 2 USB 3.0 ports
- 1 HDMI port
- 4 RJ45 Ethernet ports
- Back
- 1 power supply
The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.
5.4.2. Utilizing the Serial Port¶
The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line to access the serial port by passing the device providing the serial port as parameter:
screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)
Tip
After starting screen, it may be necessary to press Enter several times to see a command prompt.
To close the serial connection, press Ctrl + a and immediately afterwards \.
In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.4 and the appropriate serial port have to be selected.
Fig. 5.4 Setting up the serial port in PuTTY
5.4.3. Starting the Appliance¶
Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.
The appliance will boot and after short time – depending on the exact model – the first messages will be displayed in the terminal application.
5.4.4. Performing a General System Setup¶
All GSM appliances share the same way of basic configuration and readiness check.
However, since the GSM 35 is a dedicated sensor, some setup steps differ from those of other appliances:
- A scan user account has to be created instead of a web administrator account.
- The master key has to be exchanged with the sensor.
Note
Follow the steps described in Chapter 7.
Add the scan user account instead of a web administrator account. Afterwards, continue with the Chapter 16 to exchange the keys with the master.
The GSM 35 sensor does not offer any web interface. The sensor is solely managed by the master. Logging into the sensor is possible by using the console and SSH from the master.
If the communication between master and sensor fails, the rule set of any internal firewall governing the network connection may be adjusted.
5.5. GSM 150V/CENO/DECA/TERA/PETA/EXA¶
This setup guide shows the steps required to put a GSM 150V/CENO, GSM DECA, GSM TERA, GSM PETA or GSM EXA appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| VMware ESXi installed | |
| Integrity verified (optional) | |
| OVA file imported | |
| Virtual machine settings checked | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Web user account created | |
| GOS selfcheck run |
5.5.1. Setup Requirements¶
This section lists the requirements for successfully deploying a GSM 150V/CENO, GSM DECA, GSM TERA, GSM PETA or GSM EXA appliance. All requirements have to be met.
5.5.1.1. Resources¶
The virtual appliances require at least the following resources:
GSM 150V/CENO
- 2 virtual CPUs
- 8 GB RAM
- 32 GB hard disk
GSM DECA
- 4 virtual CPUs
- 8 GB RAM
- 140 GB hard disk
GSM TERA
- 6 virtual CPUs
- 8 GB RAM
- 140 GB hard disk
GSM PETA
- 8 virtual CPUs
- 16 GB RAM
- 140 GB hard disk
GSM EXA
- 12 virtual CPUs
- 24 GB RAM
- 140 GB hard disk
5.5.1.2. Supported Hypervisor¶
While a GSM 150V/CENO/DECA/TERA/PETA/EXA can be run on various hypervisors, currently only VMware hypervisors are officially supported.
Each GSM 150V/CENO/DECA/TERA/PETA/EXA is delivered in hardware version 9 format. For VMware ESXi/ESX version 5.1 or higher is required.
5.5.1.3. Verification of Integrity¶
Note
The integrity of the virtual appliance can be verified. On request the Greenbone Networks Support provides an integrity checksum.
To request the checksum contact the Greenbone Networks Support via e-mail (support@greenbone.net) including the subscription number.
The integrity checksum can be provided via phone or via support portal at https://support.greenbone.net. Specify the preferred channel in the e-mail.
The local verification of the checksum depends on the host operating system.
On Linux systems the following command for calculating the checksum for the GSM 150V/CENO/DECA/TERA/PETA/EXA can be used:
sha256sum GSM-150V-5.0.4-gsf201906301.ova
Note
The commands for the other GSM types differ according to the GSM type and the GSF subscription key.
On Microsoft Windows systems an appropriate program has to be installed first.
Tip
Rehash may be used which can be found at http://rehash.sourceforge.net.
To calculate the checksum, use:
rehash.exe -none -sha256 C:\<path>\GSM-150V-5.0.4-gsf201906301.ova
Note
The commands for the other GSM types differ according to the GSM type and the GSF subscription key.
If the checksum does not match the checksum provided by the Greenbone Networks Support, the virtual appliance has been modified and should not be used.
5.5.2. Deploying the Appliance¶
The virtual appliance is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.
Each GSM 150V/CENO/DECA/TERA/PETA/EXA is activated using a unique subscription key.
Note
Cloning the GSM 150V/CENO/DECA/TERA/PETA/EXA and using several instances in parallel is not permitted and can result in inconsistencies and unwanted side effects.
To deploy a GSM 150V/CENO/DECA/TERA/PETA/EXA, it has to be imported into the hypervisor of choice as follows:
Note
The example features VMware ESXi, but is also applicable for VMware vSphere.
The figures show the installation of a GSM 150V. The installation of a GSM CENO/DECA/TERA/PETA/EXA is carried out equivalently. File names used in the example differ based on the GSM type and the GSF subscription key.
Install VMware ESXi for the current operating system.
Open the web interface of the VMware ESXi instance and log in.
Click Virtual Machines in the left column (see Fig. 5.5).
Fig. 5.5 Importing a new virtual machine
Click
Create / Register VM.Select Deploy a virtual machine from an OVF or OVA file and click Next (see Fig. 5.6).
Fig. 5.6 Selecting the creation type
Enter a name for the virtual machine in the input box.
Click Click to select files or drag/drop, select the OVA file of the appliance and click Next.
Select the storage location in which to store the virtual machine files and click Next.
Adjust the deployment options as required and click Next.
Note
The default deployment settings may be used.
Check the configuration of the virtual machine (see Fig. 5.7).
Tip
Settings can be changed by clicking Back and adjusting them in the respective dialog.
Fig. 5.7 Checking the configuration of the virtual machine
Click Finish.
→ The appliance is imported. This can take up to 10 minutes.
Important
Do not refresh the browser while the virtual machine is being deployed.
When the appliance is imported, click Virtual Machines in the left column.
Select the appliance in the list (see Fig. 5.8).
Fig. 5.8 Imported virtual machine
Click
Power on.
5.6. GSM 25V¶
This setup guide shows the steps required to put a GSM 25V sensor appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| VMware ESXi installed | |
| Integrity verified (optional) | |
| OVA file imported | |
| Virtual machine settings checked | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Scan user account created | |
| GOS selfcheck run |
5.6.1. Setup Requirements¶
This section lists the requirements for successfully deploying the GSM 25V appliance. All requirements have to be met.
5.6.1.1. Resources¶
The virtual appliance requires at least the following resources:
- 2 virtual CPUs
- 4 GB RAM
- 16 GB hard disk
5.6.1.2. Supported Hypervisor¶
While the GSM 25V can be run on various hypervisors, currently only VMware hypervisors are officially supported.
Each GSM 25V is delivered in hardware version 9 format. For VMware ESXi/ESX version 5.1 or higher is required.
5.6.1.3. Verification of Integrity¶
Note
The integrity of the virtual appliance can be verified. On request the Greenbone Networks Support provides an integrity checksum.
To request the checksum contact the Greenbone Networks Support via e-mail (support@greenbone.net) including the subscription number.
The integrity checksum can be provided via phone or via support portal at https://support.greenbone.net. Specify the preferred channel in the e-mail.
The local verification of the checksum depends on the host operating system.
On Linux systems the following command for calculating the checksum for the GSM 25V can be used:
sha256sum GSM-25V-5.0.4-gsf201906301.ova
On Microsoft Windows systems an appropriate program has to be installed first.
Tip
Rehash may be used which can be found at http://rehash.sourceforge.net.
To calculate the checksum, use:
rehash.exe -none -sha256 C:\<path>\GSM-25V-5.0.4-gsf201906301.ova
If the checksum does not match the checksum provided by the Greenbone Networks Support, the virtual appliance has been modified and should not be used.
5.6.2. Deploying the Appliance¶
The GSM 25V is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.
Each GSM 25V is activated using a unique subscription key.
Note
Cloning the GSM 25V and using several instances in parallel is not permitted because and can result in inconsistencies and unwanted side effects.
To deploy the GSM 25V, it has to be imported into the hypervisor of choice as follows:
Note
The example features VMware ESXi, but is also applicable for VMware vSphere.
The figures show the installation of a GSM 150V. The installation of a GSM 25V is carried out equivalently. File names used in the example differ based on the GSM type and the GSF subscription key.
Install VMware ESXi for the current operating system.
Open the web interface of the VMware ESXi instance and log in.
Click Virtual Machines in the left column (see Fig. 5.9).
Fig. 5.9 Importing a new virtual machine
Click
Create / Register VM.Select Deploy a virtual machine from an OVF or OVA file and click Next (see Fig. 5.10).
Fig. 5.10 Selecting the creation type
Enter a name for the virtual machine in the input box.
Click Click to select files or drag/drop, select the OVA file of the appliance and click Next.
Select the storage location in which to store the virtual machine files and click Next.
Adjust the deployment options as required and click Next.
Note
The default deployment settings may be used.
Check the configuration of the virtual machine (see Fig. 5.11).
Tip
Settings can be changed by clicking Back and adjusting them in the respective dialog.
Fig. 5.11 Checking the configuration of the virtual machine
Click Finish.
→ The appliance is imported. This can take up to 10 minutes.
Important
Do not refresh the browser while the virtual machine is being deployed.
When the appliance is imported, click Virtual Machines in the left column.
Select the appliance in the list (see Fig. 5.12).
Fig. 5.12 Imported virtual machine
Click
Power on.
5.6.3. Performing a General System Setup¶
All GSM appliances share the same way of basic configuration and readiness check.
However, since the GSM 25V is a dedicated sensor, some setup steps differ from those of other appliances:
- A scan user account has to be created instead of a web administrator account.
- The master key has to be exchanged with the sensor.
Note
Follow the steps described in Chapter 7.
Add the scan user account instead of a web administrator account. Afterwards, continue with the Chapter 16 to exchange the keys with the master.
The GSM 25V does not offer any web interface. The sensor is solely managed by the master. Logging into the sensor is possible by using the console and SSH from the master.
If the communication between master and sensor fails, the rule set of any internal firewall governing the network connection may be adjusted.
5.7. GSM ONE/MAVEN¶
This setup guide shows the steps required to put a GSM ONE or GSM MAVEN appliance into operation.
The following checklist can be used to monitor the progress:
| Step | Done |
|---|---|
| VirtualBox installed | |
| Integrity verified (optional) | |
| OVA file imported | |
| Virtual machine settings checked | |
| Keyboard layout selected | |
| IP address configured | |
| DNS server configured | |
| SSH service enabled (optional) | |
| SSL certificate created | |
| Web user account created | |
| GOS selfcheck run |
5.7.1. Setup Requirements¶
This section lists the requirements for successfully deploying a GSM ONE or GSM MAVEN appliance. All requirements have to be met.
5.7.1.1. Resources¶
The virtual appliance requires at least the following resources:
- 2 virtual CPUs
- 4 GB RAM
- 16 GB hard disk
5.7.1.2. Supported Hypervisor¶
While a GSM ONE/MAVEN can be run on various hypervisors, currently only Oracle VirtualBox version 5.2 or higher is officially supported.
5.7.1.3. Verification of Integrity¶
Note
The integrity of the virtual appliance can be verified. On request the Greenbone Networks Support provides an integrity checksum.
To request the checksum contact the Greenbone Networks Support via e-mail (support@greenbone.net) including the subscription number.
The integrity checksum can be provided via phone or via support portal at https://support.greenbone.net. Specify the preferred channel in the e-mail.
The local verification of the checksum depends on the host operating system.
On Linux systems the following command for calculating the checksum for a GSM ONE/MAVEN can be used:
sha256sum GSM-ONE-5.0.4-gsf201906301.ova
Note
The command for the GSM MAVEN differs according to the GSM type and the GSF subscription key.
On Microsoft Windows systems an appropriate program has to be installed first.
Tip
Rehash may be used which can be found at http://rehash.sourceforge.net.
To calculate the checksum, use:
rehash.exe -none -sha256 C:\<path>\GSM-ONE-5.0.4-gsf201906301.ova
Note
The command for the GSM MAVEN differs according to the GSM type and the GSF subscription key.
If the checksum does not match the checksum provided by the Greenbone Networks Support, the virtual appliance has been modified and should not be used.
5.7.2. Deploying the Appliance¶
The virtual appliance is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.
Each GSM ONE/MAVEN is activated using a unique subscription key.
Note
Cloning the GSM ONE/MAVEN and using several instances in parallel is not permitted and can result in inconsistencies and unwanted side effects.
To deploy a GSM ONE/MAVEN, it has to be imported into the hypervisor of choice as follows:
Note
The figure shows the installation of a GSM ONE. The installation of a GSM MAVEN is carried out equivalently. File names used in the example differ based on the GSM type and the GSF subscription key.
Install Oracle VirtualBox for the current operating system.
Note
VirtualBox is often included with Linux distributions.
Should this not be the case and or a version of Microsoft Windows is used, VirtualBox is available at https://www.virtualbox.org/wiki/Downloads.
Start VirtualBox.
Select File > Import Appliance… in the menu bar.
Click
and select the OVA file of the appliance (see Fig. 5.13).
Fig. 5.13 Importing the OVA file of the appliance
Check the configuration of the virtual machine in the window Appliance settings (see Fig. 5.13).
Values can be changed by double clicking into the input box of the respective value.
Note
If possible, select 4096 MB RAM (memory) for optimal configuration of the virtual appliance.
Click Import.
→ The appliance is imported. This can take up to 10 minutes.
When the appliance is imported, it is displayed in the left column in VirtualBox.
Select the appliance in the list and click Start.