ABOUT THE TOPIC

This topic describes the datacenter and user information that Virsec Security Platform (VSP) requires to protect the configured applications. It lets the user maintain this information in one place and use it whenever VSP requires it.

VSP HARDWARE REQUIREMENTS

NOTE:

It is expected that relevant licenses and required operational support are procured for the software listed as requirements.

The table below lists the hardware requirements for VSP components.

Component | Minimum Configuration | Operating System | Additional Information
--- | --- | --- | ---
VSP VM (LFR and CMS-Large) [all the Core and optional CMS services are installed] | 8 CPU cores, 64 GB RAM, 250 GB disk space | Red Hat Enterprise Linux Server 7.x, 8.x | Requires Docker-compose version 1.29+, Docker version 18.x+, 200 GB in /var partition
VSP VM (LFR and CMS-Small) [only the Core CMS services are installed; recommended for POVs only] | 8 CPU cores, 32 GB RAM, 250 GB disk space | Red Hat Enterprise Linux Server 7.x, 8.x | Requires Docker-compose version 1.29+, Docker version 18.x+, 200 GB in /var partition

Table – Hardware Requirements for VSP VM

Refer to the VM Installation section for more information about selecting the CMS Deployment Mode.

The VSP idle usage specifications are:

Component | Feature | Minimum Memory (MB) | Minimum Disk (MB) | Additional Information
--- | --- | --- | --- | ---
VSP Probe | VSP-Host, VSP-Memory | 100-200 | 100-200 | Requires 400-500 MB in /tmp partition during installation
VSP Probe | VSP-WEB | 200-600 | 500-600 | Requires 400-500 MB in /tmp partition during installation

Table – VSP Idle Usage Specification

REMOTE VRULE ENGINE REQUIREMENTS

The remote vRule engine requirements are:

  1. Operating System: Red Hat Enterprise Linux Server 7.9
  2. Minimum 8 vCPUs
  3. 8 GB RAM
  4. Docker version 18.x+
  5. 100-200 MB in /tmp partition during installation


EMBEDDED VRULE ENGINE REQUIREMENTS

The embedded vRule engine requirements depend on the number of enabled worker threads:

Number of Worker Threads | Memory (Min-Max) | vCPUs
--- | --- | ---
1 | 512 MB - 1 GB | 1
2 (Default) | 1 GB - 1.5 GB | 2
3 | 1.5 GB - 2 GB | 3

Table – Hardware Requirements for Embedded vRule Engine

NOTE:

To modify the number of vRule engine worker threads, execute the command:
vsp-cli config ae edit numWorker <1-16> --persist

VSP PROBE PRE-REQUISITES

The pre-requisites for VSP Probe on Windows 2008 R2 are:

  1. Windows Patch: Security Update for Microsoft Windows (KB4474419)
  2. Microsoft .NET Framework 4.0 or above

COMMUNICATION MATRIX

The table below lists all the ports used by VSP components. If the VSP components are installed in different subnets or zones, the firewall rules below must be established for them to communicate.

Client | Server | Client Port | Server Port | Protocol
--- | --- | --- | --- | ---
VSP Probe (deployed on customer workload) | CMS | Any | 443, 9092 (secure Kafka not enabled) OR 9093 (secure Kafka enabled) | TCP
VSP Probe (deployed on customer workload) | Remote vRule (optional) | Any | 55555 | TCP
VSP Probe (deployed on customer workload) | LFR | Any | 80 | TCP
[AWS Environment ONLY] JReports Service (CMS) | CMS (other services) | Any | 1129 | TCP
[AWS Environment ONLY] cms-client service (CMS) | CMS (other services) | Any | 443* | HTTPS

Table – Communication Matrix

* The Security Group must be configured to allow reachability between the internal IP and the public IP.
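A pre-installation reachability check derived from the matrix above, written here as an added example (it is not Virsec tooling): it builds the list of server ports a probe host must reach, picks 9092 or 9093 from the secure-Kafka setting, and tests each with a plain TCP connect. The CMS, LFR and remote vRule host names are placeholders to be replaced with the real addresses.

```python
import socket
from typing import Callable, List, Tuple

Target = Tuple[str, str, int]          # (role, host, port)


def kafka_port(secure_kafka: bool) -> int:
    """CMS Kafka listener: 9093 when secure Kafka is enabled, 9092 otherwise."""
    return 9093 if secure_kafka else 9092


def probe_targets(cms: str, lfr: str, secure_kafka: bool,
                  remote_vrule: str = "") -> List[Target]:
    """Server ports a VSP Probe host must reach, per the communication matrix."""
    targets = [
        ("CMS HTTPS", cms, 443),
        ("CMS Kafka", cms, kafka_port(secure_kafka)),
        ("LFR", lfr, 80),
    ]
    if remote_vrule:                   # the remote vRule engine is optional
        targets.append(("Remote vRule", remote_vrule, 55555))
    return targets


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                    # refused, filtered, or name resolution failure
        return False


def preflight(targets: List[Target],
              check: Callable[[str, int], bool] = tcp_reachable):
    """Run the check for every target; returns (role, host, port, reachable) rows."""
    return [(role, host, port, check(host, port)) for role, host, port in targets]


if __name__ == "__main__":
    # Placeholder hosts (assumption): replace with the real CMS/LFR/vRule addresses.
    results = preflight(probe_targets("cms.example.internal", "lfr.example.internal",
                                      secure_kafka=True, remote_vrule=""))
    for role, host, port, ok in results:
        state = "OK" if ok else "BLOCKED: allow TCP to this port in the firewall/security group"
        print(f"{role:<13} {host}:{port:<5} {state}")
```

Run it on each workload host before installing the probe; every BLOCKED row maps to one missing allow rule in the matrix.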

 

All nodes should have high-speed internet access to the URLs listed below:

Table – URL Access

Ensure that the Application Instance has connectivity to the following URLs/repositories during VSP Probe installation:

Operating System | URL/Repository | Dependency Packages Downloaded
--- | --- | ---
Ubuntu, Debian | "apt-get" repo | sudo, libexpat1, libffi6 and libssl-dev
Ubuntu, Debian | https://download.java.net/java/ga/jdk11/openjdk-11_linux-x64_bin.tar.gz | openjdk11
Amazon Linux | https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz | jdk
Alpine | "apk" repository | sudo, libstdc++, hyperscan and openjdk11

Table – Dependencies URL Access

INTERFACES CONFIGURATION

EMAIL SERVICE

Specify the following attributes in CMS to configure the email service used to notify users of application updates. Configure either the CMS internal server or an external email server on CMS.

Internal Email Server

Attribute | Description
--- | ---
Sender Email | Email address of the sender
Sender Name | Name of the sender

External Email Server

Attribute | Description
--- | ---
Server Host | The DNS hostname or IP address of the email server
Protocol Type | Mailing protocol to be used
Use STARTTLS Encryption | Select the appropriate option to turn encryption on or off
TLS Version | Select the version of the TLS protocol
Account Username | Account representing VSP on the email server
Password | Password associated with the Account Username
Port | Email server port
Retry Count | Maximum number of retry attempts to establish a connection with the email server
Sender Email | Email address of the sender
Sender Name | Name of the sender

Table – Email Service Attributes

 

LDAP INTEGRATION

LDAP Connection

Attribute | Description
--- | ---
Host | The DNS hostname or IP address of the LDAP or AD server
Port | Port number for LDAP or AD server access
Protocol | Select the appropriate protocol from the drop-down: LDAP or LDAPS
Validate Server Certificate | If enabled, the server certificate is validated
Authentication Realm | User-defined value that defines the authentication directory and associated policies to search for users and groups
Timeout (seconds) | The number of seconds the system waits for a response from the LDAP server before it closes the connection and tries to connect again
Dead Time (minutes) | The time (in minutes) for which the system considers an unresponsive authentication server to be "dead" or "out of service". During this time, the system falls back to local authentication. After every Dead Time expiry, the system attempts to determine whether the server is active again
Retry Count | The number of times the system attempts to connect to the LDAP server. If the number of timed-out attempts reaches the configured Retry Count, the server is considered inactive (dead) and the Dead Time timer starts. No further traffic is sent to the server until it becomes responsive again

LDAP Connection Authentication Parameters

Attribute | Description
--- | ---
Authentication Method | Select the appropriate method from the drop-down: Anonymous, Simple or Strong. LDAP supports the Simple method ONLY
Bind DN (Username) | Distinguished Name (DN) of a user in the directory that has read access to all information about valid users. Example: uid=admin,ou=system
Bind Password | Password for the provided Bind DN

LDAP User Binding Parameters

Attribute | Description
--- | ---
Base DN | The base of the search tree for all users. Example: ou=users,dc=adobe,dc=com
User Object Class | Filter for directories where the Base DN is a mix of object types (for example people, groups, printers) and the search scope has to be limited to "people"
Login Attribute | Attribute of the LDAP directory users that is used to log in. Example: user ID or full email address or both. Value must be "cn"
Real Name Attributes | Attributes of the object class that supply the real name of the user, mapped to the real name of the user in CMS
Email Attributes | Attributes of the object class that supply the email address of the user

Advanced

Attribute | Description
--- | ---
Search within Nested Group | Enable or disable searching within nested groups. This option is disabled by default
Follow Referrals | In multi-tenant or multi-domain enterprise forests, AD/LDAP queries may be referred to another server. A referral is when an LDAP server forwards an LDAP client request to another LDAP server. This option is disabled by default
Limit Referrals | The number of referrals to follow when AD replies with a Referral response. Select the appropriate value from the drop-down. The default value is "5"

Table – LDAP Integration Attributes
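To make the Timeout, Retry Count and Dead Time semantics described above concrete, here is a small model of the fail-over behaviour, added as an example and not CMS code. It assumes that the retries happen within one authentication request and that the local account store is a plain dictionary; the directory is a constructed test double that times out for the first four minutes of the timeline.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

LOCAL_USERS = {"admin": "local-password"}     # constructed local-account store


@dataclass
class LdapFailover:
    """Models the Timeout (seconds), Retry Count and Dead Time (minutes) settings."""
    timeout_s: int = 10
    retry_count: int = 3
    dead_time_min: int = 5
    dead_until: float = 0.0                    # minute at which Dead Time expires
    events: List[str] = field(default_factory=list)

    def server_dead(self, now_min: float) -> bool:
        return now_min < self.dead_until

    def authenticate(self, user: str, password: str, now_min: float,
                     ldap_bind: Callable[[str, str, int], bool]) -> Tuple[str, bool]:
        """Returns (source, success); source is 'ldap' or 'local'.
        ldap_bind returns a bool or raises TimeoutError after timeout_s seconds."""
        if self.server_dead(now_min):          # inside Dead Time: no traffic to the server
            return "local", LOCAL_USERS.get(user) == password
        for attempt in range(1, self.retry_count + 1):
            try:
                return "ldap", ldap_bind(user, password, self.timeout_s)
            except TimeoutError:
                self.events.append(f"t={now_min}m: attempt {attempt} timed out ({self.timeout_s}s)")
        # Retry Count reached: mark the server dead and start the Dead Time timer
        self.dead_until = now_min + self.dead_time_min
        self.events.append(f"t={now_min}m: server marked dead until t={self.dead_until}m")
        return "local", LOCAL_USERS.get(user) == password


def simulate() -> List[Tuple[float, str, bool]]:
    """Constructed timeline: the directory is unreachable before minute 4, healthy after."""
    failover = LdapFailover(timeout_s=10, retry_count=3, dead_time_min=5)
    clock = {"now": 0.0}

    def directory_bind(user: str, password: str, timeout_s: int) -> bool:
        if clock["now"] < 4:
            raise TimeoutError
        return (user, password) == ("alice", "s3cret")   # constructed directory entry

    results = []
    for now in (0.0, 2.0, 4.0, 5.0, 6.0):
        clock["now"] = now
        source, ok = failover.authenticate("alice", "s3cret", now, directory_bind)
        results.append((now, source, ok))
    return results
```

Note that an LDAP-only user such as alice cannot log in at all during Dead Time, which is why a local administrator account must exist before LDAP is enabled.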

PROXY SETTINGS

When a direct internet connection is NOT available for CMS, configure a proxy server so that CMS can obtain Threat Intelligence and communicate with the cloud-based license server.

Attribute | Description
--- | ---
IP Address | IP address of the proxy server
Port | Port of the proxy server
Username | Authentication username
Password | Password associated with the configured Username
Authentication Method | None OR NTLM
Domain | For NTLM only

Table – Proxy Server Attributes

 

THREAT INTELLIGENCE

Specify the following attributes to configure Threat Intelligence as either VirusTotal OR the Virsec Threat Intelligence tool.

Tool | Attributes
--- | ---
VirusTotal | URL, API Key
Virsec Threat Intelligence | Username, Password

Table – Threat Intelligence Attributes