ABOUT THE TOPIC
This topic describes all the information related to the datacenter and users required by Virsec Security Platform (VSP) to protect the configured applications. It aids the user to maintain the consolidated information in one place and utilize it as and when required by VSP.
VSP HARDWARE REQUIREMENTSVSP HARDWARE REQUIREMENTS
NOTE:
It is expected that relevant licenses and required operational support are procured for the software mentioned as requirements
Table below lists the hardware requirements for VSP components
|
Component |
Minimum Configuration |
Operating System |
Additional Information |
|
VSP VM (LFR and CMS-Large) [All the Core and optional CMS services are installed] |
|
Red Hat Enterprise Linux Server 7.x, 8.x |
Requires
|
|
VSP VM (LFR and CMS-Small) [Only the Core CMS services are installed; Recommended for POVs only] |
|
Red Hat Enterprise Linux Server 7.x, 8.x
|
Requires
|
Table – Hardware Requirements for VSP VM
Refer VM Installation Section for more information about CMS Deployment Mode selection
Here are the VSP Idle usage specifications:
|
Component |
Feature |
Minimum Requirements |
Additional Information |
|
|
Memory (MB) |
Disc (MB) |
|||
|
VSP Probe |
VSP-Host, VSP-Memory |
100-200 |
100-200 |
Requires 400-500MB in /tmp partition during installation |
|
VSP Probe |
VSP-WEB |
200-600 |
500-600 |
Requires 400-500MB in /tmp partition during installation |
Table – VSP Idle Usage specification
REMOTE VRULE ENGINE REQUIREMENTS
The remote vRule requirements are provided below:
-
Operating System: Red Hat Enterprise Linux Server 7.9
-
Min 8vCPUs
-
8 GB RAM
-
Docker version – 18.x+
-
100-200MB in /tmp partition during installation
EMBEDDED VRULE ENGINE REQUIREMENTS
The embedded vRule requirements are dependent on the number of enabled worker threads:
|
Number of worker Threads |
Memory (Min-Max) |
vCPUs |
|
1 |
512 MB- 1 GB |
1 |
|
2 (Default) |
1 GB - 1.5 GB |
2 |
|
3 |
1.5 GB- 2 GB |
3 |
Table – Hardware Requirements for Embedded vRule Engine
NOTE:
To modify the number of vRule engine worker threads, execute the command:
vsp-cli config ae edit numWorker <1-16> --persist
VSP PROBE PRE-REQUISITESVSP PROBE PRE-REQUISITES
The pre-requistites for VSP Probe on Windows 2008 R2 are provided below:
-
Windows Patch: Security Update for Microsoft Windows (KB4474419)
-
Microsoft .Net Framework 4.0 or above
COMMUNICATION MATRIXCOMMUNICATION MATRIX
Table below lists all the ports utilized by VSP components. If the VSP components are installed in different subnets or zones, the below firewall rules need to be established for seamless communication among them.
|
Client |
Server |
Client Port |
Server Port |
Protocol |
|
VSP Probe (Deployed on customer workload) |
CMS |
Any |
443, 9092 (Secure Kafka not enabled) OR 9093 (Secure Kafka enabled) |
TCP |
|
VSP Probe (Deployed on customer workload) |
Remote vRule (Optional) |
Any |
55555 |
TCP |
|
VSP Probe (Deployed on customer workload) |
LFR |
Any |
80 |
TCP |
|
[AWS Environment ONLY] JReports Service (CMS) |
CMS (Other Services) |
Any |
1129 |
TCP |
|
[AWS Environment ONLY] cms-client service (CMS) |
CMS (Other Services) |
Any |
443* |
HTTPS |
Table – Communication Matrix
* Security Group must be configured to allow reachability between Internal IP and Public IP
All nodes should have high-speed internet access to the below URL list:
|
VM Instance |
URL |
|
LFR |
Artifactory Directory: https://artifacts.virsec.work/ui/ |
|
CMS |
Virus Total: https://www.virustotal.com/ |
|
Reversing Labs: |
|
|
VSP Licenses: https://flex1298.compliance.flexnetoperations.com/ |
Table – URL Access
Ensure that the Application Instance has connectivity to the below URLs/repositories during VSP Probe installation:
|
Operating System |
URL/Repository |
Dependency Packages Downloaded |
|
Ubuntu, Debian |
"apt-get" repo |
sudo, libexpatl, libffi6 and libssl-dev |
|
https://download.java.net/java/ga/jdk11/openjdk-11_linux-x64_bin.tar.gz |
openjdk11 |
|
|
Amazon Linux |
https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz |
jdk |
|
Alpine |
"apk" repository |
sudo, libstdc++, hyperscan and openjdk11 |
Table – Dependencies URL Access
INTERFACES CONFIGURATIONINTERFACES CONFIGURATION
EMAIL SERVICE
Specify the following attributes in CMS to configure the email service used to notify the application updates to the users. Configure either CMS Internal Server or an External Email Server on CMS.
|
Attribute |
Description |
|
Internal Email Server |
|
|
Sender Email |
Email Address of the Sender |
|
Sender Name |
Name of the Sender |
|
External Email Server |
|
|
Server Host |
The DNS hostname or IP address of the Email Server |
|
Protocol Type |
Mailing protocol to be utilized |
|
Use STARTTLS Encryption |
Select appropriate option to turn the Encryption On or Off |
|
TLS Version |
Select the version of TLS protocol |
|
Account Username |
Account representing VSP on the Email Server |
|
Password |
Pasword associated with the Account Username |
|
Port |
Email Server Port |
|
Retry Count |
Maximum number of retry attempts to establish connection with the Email server |
|
Sender Email |
Email Address of the Sender |
|
Sender Name |
Name of the Sender |
Table – Email Service Attributes
LDAP INTEGRATION
|
Attribute |
Description |
|
LDAP Connection |
|
|
Host |
The DNS hostname or IP address of the LDAP or AD server |
|
Port |
Port number for LDAP or AD server access |
|
Protocol |
Select the appropriate Protocol from the drop-down: LDAP or LDAPS |
|
Validate Server Certificate |
If enabled, the server certificate is validated |
|
Authentication Realm |
User defined value that defines the authentication directory and associated policies to search for users and groups |
|
Timeout (seconds) |
The number of seconds the system waits for a response from the LDAP server before it closes the connection and tries to connect again |
|
Dead Time (minutes) |
The time (in minutes) that the system considers an unresponsive authentication server to be “dead” or “out of service”. During this time, the system falls back to using local authentication. After every Dead Time expiry, the system attempts to determine if the server is active again |
|
Retry Count |
The number of times that the system attempts to connect to the LDAP server. If the number of timed-out attempts reaches the configured Retry count, it is considered inactive (dead) and the Dead Time timer starts. Further traffic is not sent to the server till it becomes responsive again |
|
LDAP Connection Authentication Parameters |
|
|
Authentication Method |
Select the appropriate method from the drop-down – Anonymous, Simple or Strong. LDAP supports Simple method ONLY |
|
Bind DN (Username) |
Distinguished Name (DN) of a user in the directory that has read access to all information about valid users. Example: uid=admin,ou=system |
|
Bind Password |
Password for the provided Bind DN |
|
LDAP User Binding Parameters |
|
|
Base DN |
The base of the search tree for all users. Example: ou=users,dc=adobe,dc=com |
|
User Object Class |
Filter for directories where the Base DN is a mix of object types (Example: people, groups, printers, etc) and the search scope has to be limited to “people” |
|
Login Attribute |
Attribute of the LDAP directory users that will be used to log in. Example: user ID or full email address or both. Value must be “cn” |
|
Real Name Attributes |
Attributes of the Object class that supplies the real name of the user to be mapped to the real name of the user in CMS |
|
Email Attributes |
Attributes of the Object class that supplies the email address of the user |
|
Advanced |
|
|
Search within Nested Group |
Enable or disable searching within nested groups. This option is disabled by default |
|
Follow Referrals |
In multi-tenant or multi-domain enterprise forests, AD/LDAP queries may be referred to another server. A referral is when an LDAP server forwards an LDAP client request to another LDAP server. This option is disabled by default |
|
Limit Referrals |
The number of referrals that should be followed when AD replies with a Referral response. Select the appropriate value from the drop-down. The default selected value is "5" |
Table – LDAP Integration Attributes
PROXY SETTINGS
When direct internet connection is NOT available for CMS, configure a proxy server to enable CMS to Procure the Threat Intelligence and Communicate with Cloud based License Server
|
Attribute |
Description |
|
IP Address |
IP Address of the Proxy Server |
|
Port |
Port of the Proxy server |
|
Username |
Authentication username |
|
Password |
Password associated with the configured Username |
|
Authentication Method |
None OR NTLM |
|
Domain |
For NTLM only |
Table – Proxy Server Attributes
THREAT INTELLIGENCE
Specify the following attributes to configure Threat Intelligence as VirusTotal OR Virsec Threat Intelligence tool
|
Tool |
Attribute |
|
VirusTotal |
URL |
|
API Key |
|
|
Virsec Threat Intelligence |
Username |
|
Password |
Table – Threat Intelligence Attributes