Getting started with Enclave
This guide will walk you through the steps to get up and running with Enclave microsegmentation.
INFO
This guide assumes you have either a managed or self-hosted beacon running. If you do not have a beacon running, please refer to the beacon documentation for more information on how to set one up. If you are signing up, a free-tier beacon will be automatically created for you.
Step 1: Create your account
Create an account on the EMC. You can choose to create a free account, or contact our sales team to discuss pricing options or extended trials.
Once logged in, you will be brought to the main dashboard. This screen provides a jumping-off point to the modules that your organization has access to.
Step 2: Add nodes to your network
Nodes are machines that need permanent access, or rules that need to be open constantly (e.g. a web server and a database, or an SSH server).
On the left side navigation menu, click on Agents > Nodes.
Click on the button:
Once clicked, a form will slide into view. Enter a hostname, a name (optional), and any labels that you want this node to be part of.
For example, if you were adding an SSH server, you could add remote-host-1 to the hostname field. The Hostname field is how this node is identified in the system. The Name field overrides the system identifier; in this example, I will add Remote Host #1 as the name. In the Labels field you can add a group to which this node belongs; I will add the SSH servers label to this node's label list.
TIP
You can create labels later or add them in this form as well. Click on the + Add a new label link. This will also slide a form into view. Enter the name of the label you wish to create.
Labels are the preferred way of grouping nodes and users. These provide a shorthand way to assign groups of agents the same access rules.
Step 3: Add users to your account
Users are designed to be used by humans. The only difference between the user agent type and the node agent type is how they authenticate with Enclave. A user's access is session based, expiring after a configured period of time, whereas a node's access expires based on the lifetime of the deployed access key (which can optionally be set to auto-roll). To continue the example above, we want a user to connect to our server over SSH.
In the left navigation menu, click on the Agents > Users menu item.
There are two ways to add users: (1) individually or (2) a bulk add with a CSV file.
Add users individually
If you only have a few users to add to your organization, a simple way to add them is by clicking the Add User button. A form will slide into view asking you to enter data into three fields: Name, Email, and Labels.
- Name is the written identifier that the system will use to display the user
- Email is the email address that this user can access. They will receive their initial MFA token at this email address
- Labels are any of the groups of which this person should be a part
For our example, I will add the following information to the system:
Name: Nick
Email: nick@example.com
Labels: SSH admins
TIP
Creating labels works the same way as previously mentioned in Step 2.
Add users with a CSV file
Another option to add users, especially useful if you have many users, is to upload a CSV file.
Use the following table as a template:
Email | Name | Label | Label
---|---|---|---
nick@example.net | Nick | DB admin | SSH admins
james@example.net | James | DB admin |
Field Descriptions
- Email: the email address of the user you would like to add
- Name: the name of the user you are adding
- Label: a label that you want to associate with this user
TIP
You can keep adding as many label columns as necessary for the user.
Once you have completed your CSV file, you can go back to the EMC. Click on the Users button in the left side navigation menu. On the Users page, click on the Bulk Add Users + link. A form will slide into view and you can upload your CSV there.
Did you upload a CSV file only to realize that you forgot a label or decided to make some changes? No worries, we've got you covered. Make the adjustments in the CSV file and re-upload it; the EMC will alter the users in the system to match the new specification.
TIP
Note that removing a user from a CSV file and re-uploading it will not remove the user from the system. You must manually remove them from the system.
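Because a re-upload never deletes anyone, a user dropped from the CSV keeps whatever access their labels grant until someone removes them by hand. The following added example (not part of the Enclave docs or product) parses CSVs in the bulk-add layout above and lists the users that need manual removal; the sample rows are constructed, and the optional "Email" header row is an assumption.

```python
import csv
import io
import re

# Constructed sample files in the bulk-add layout described above:
# <email>,<name>,<label>,<label>,...  (any number of label columns)
OLD_CSV = "nick@example.net,Nick,DB admin,SSH admins\njames@example.net,James,DB admin\n"
# Re-upload after James was dropped and Nick lost the "DB admin" label.
NEW_CSV = "nick@example.net,Nick,SSH admins\n"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_users(text):
    """Returns (users, errors): users maps lower-cased email ->
    {"name": str, "labels": set}; errors lists bad rows (empty = clean)."""
    users, errors = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line
        if lineno == 1 and cells[0].lower() == "email":
            continue  # assumed optional header row
        if len(cells) < 2 or not cells[1] or not EMAIL_RE.match(cells[0]):
            errors.append(f"line {lineno}: expected <email>,<name>,<label>...: {row}")
            continue
        email = cells[0].lower()
        if email in users:
            errors.append(f"line {lineno}: duplicate user {email}")
            continue
        users[email] = {"name": cells[1], "labels": {c for c in cells[2:] if c}}
    return users, errors

def diff_users(old_text, new_text):
    """Compare the previously uploaded CSV with the new one. 'stale' users
    appear only in the old file: re-uploading does not delete them, so they
    keep the access their labels grant until removed by hand in the EMC."""
    old, _ = parse_users(old_text)
    new, _ = parse_users(new_text)
    kept = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "stale": sorted(set(old) - set(new)),
        "label_changes": {  # email -> (labels removed, labels added)
            e: (sorted(old[e]["labels"] - new[e]["labels"]),
                sorted(new[e]["labels"] - old[e]["labels"]))
            for e in kept if old[e]["labels"] != new[e]["labels"]
        },
    }
```

Run `diff_users` against the last CSV you uploaded before each re-upload, and walk the "stale" list in the EMC.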
Step 4. Install the Enclave software agent
Installing the agent is a straightforward process. There are builds for Linux, Windows, and Mac OS X. Instructions for installation can be found in the EMC under the Install tab on a user or a node.
Installing the agent on nodes
For each node that the EMC manages, we will need to download and install the appropriate software package.
Click on the operating system you want to install the agent on and follow the prompts. Enclave supports Linux, Windows, and Mac OS X.
Once those choices have been made, a download button and link will appear. Download the package and install it following the given instructions for your system.
Next, you will need to create a token to authenticate this node. Navigate to the Security tab and click on the Create token button. A form will slide into view allowing you to choose how long you would like the token to be valid. Continue with your preference and a generated token will appear. Make sure to keep this token handy when starting up the agent. Select the option to use an agent token in the GUI, or follow the CLI instructions to start a node. Paste your generated token into the prompt and start up your node.
Installing the agent for users
This is a bit simpler than the node installation. Go to the Install tab on the User page. Choose the operating system and architecture that the user is on. Run through the install instructions for that platform.
Once installed, the user will be guided through the setup process when they start the app. There are two apps that a user can run: a GUI app where they can point and click to get connected, or a command line interface. Both have similar features; which one to use is up to the preference of the user.
Step 5. Create some enclaves
At this point, you have your nodes and users in the system. You should be able to see each node reporting into the EMC, designated by a green icon next to its name. Now let's start making some connections to get things communicating.
Click on the Networking > Enclaves button on the left side navigation menu. On the Enclaves page, click on the Add an Enclave + button. A form will slide into view, where you can name the enclave and add the Labels that will be associated with the enclave. Using our previous examples, let's name the enclave SSH servers, and add the labels SSH admins and SSH servers.
We will be brought to the Overview tab for this enclave. Here we will see the labels, nodes, and users that we added to this enclave.
Click on the Network map tab. Now click on the SSH admins label and drag the line to the SSH servers label.
On the pop-up screen, we can add any firewall rule we like. In this case, since we want SSH access to this machine for all the SSH admins, we can simply type SSH into the search field and hit submit.
The network map will update with the provided configuration. The configuration will then be sent to all the agents associated with this enclave, and you are ready to connect.
Step 6. Test your connection
The user can now go to the client app and authenticate. After a quick user verification, networking will be active and the user can reach the node over SSH using the assigned VPN IP.
Step 7. Celebrate! 🎉
Congratulations. You just set up your first Enclave. Let's go celebrate!