ABOUT THE TOPIC
This topic describes all the information related to the Virsec Security Platform (VSP) infrastructure for its deployment as containers using HelmChart. The pre-requisites for Management and Worker Nodes along with VSP components specifications are described in various sections. The information related to Interfaces configuration and Application creation in CMS is also specified.
PRE-REQUISITESPRE-REQUISITES
NOTE:
It is expected that relevant licenses and required operational support are procured for the software mentioned in the pre-requisites
MANAGEMENT NODE
Management Node has the below pre-requisites:
-
Ensure that the below software is installed:
-
Helm v2 OR v3
-
-
Ensure access to the docker registry
WORKER NODE
VSP CMS is deployed across multiple-pods
CMS SERVICES POD
-
Disc space: Min 28 GB in /var partition
-
Docker must be installed
-
Internet connectivity is required for the installation of some dependencies if Alpine/Debian installers are utilized
-
Minimum Specification
-
CMS – 16 GB Node
-
OVERVIEW OVERVIEW
VSP is composed of various architectural elements. The components include:
-
LFR Pod – Local File Repository Pod
-
CMS Services Pod – CMS component hosting all service containers and Ngnix container
-
Kafka Pod – CMS component hosting Kafka infrastructure
-
Redis Pod – CMS component hosting Redis infrastructure
-
MongoDB Pod – CMS component hosting MongoDB infrastructure
-
VSP Agent – VSP component installed on the Application Container
-
VSP Controller – VSP component that interacts with CMS
-
vRule Engine – VSP’s rule engine
VSP COMPONENTS SPECIFICATIONSVSP COMPONENTS SPECIFICATIONS
Table below lists the specifications for VSP components
|
Component |
Minimum Configuration |
Operating System |
|
Central Management System (CMS) |
||
|
LFR Pod |
CPU: 1 CPU RAM: 1 GB |
Debian 10 |
|
Kafka Pod |
CPU: 2 CPUs RAM: 4 GB |
Alpine Linux |
|
CMS Services Pod with CMS services and Ngnix Container |
CPU: 8 CPUs RAM: 16 GB |
Alpine Linux |
|
Redis Container |
CPU: 1 CPU RAM: 2 GB |
Alpine Linux |
|
MongoDB Container |
CPU: 2 CPUs RAM: 8 GB |
Alpine Linux |
Table – VSP Component Specification
Here are the VSP Idle usage specifications:
|
Component |
Operating System |
Feature |
Minimum Requirements |
|
|
Memory (MB) |
Disc (MB) |
|||
|
VSP Probe |
RHEL and Ubuntu |
VSP-Host, VSP-Memory |
100-200 |
100-200 |
|
VSP Sidecar |
Alpine Linux |
VSP-Host, VSP-Memory |
200-300 |
200-300 |
|
VSP Probe |
RHEL and Ubuntu |
VSP-WEB |
200-600 |
500-600 |
|
VSP Sidecar |
Alpine Linux |
VSP-WEB |
200-600 |
500-600 |
|
vRule Engine |
RHEL |
Remote vRule Engine |
500-600 |
500-600 |
Table – VSP Idle Usage specification
COMMUNICATION MATRIXCOMMUNICATION MATRIX
Table below lists all the ports utilized by VSP components. If the VSP components are installed in different subnets or zones, the below firewall rules need to be established for seamless communication among them.
|
Client |
Server |
Client Port |
Server Port |
Protocol |
|
VSP Controller |
CMS |
Any |
443 |
TCP |
|
VSP Controller |
Kafka |
Any |
9092 (Secure Kafka not enabled) OR 9093 (Secure Kafka enabled) |
TCP |
|
VSP Controller |
Remote vRule (Optional) |
Any |
55555 |
TCP |
Table – Communication Matrix
All nodes should have high-speed internet access to the below URL list:
|
VM Instance |
URL |
|
LFR |
Artifactory Directory: https://artifacts.virsec.work/ui/ |
|
CMS |
Virus Total: https://www.virustotal.com/ |
|
Reversing Labs: |
|
|
VSP Licenses: https://flex1298.compliance.flexnetoperations.com/ |
Table – URL Access
Ensure that the nodes have connectivity to the below URLs/repositories during VSP Probe (Controller and vRule Engine) installation:
|
Operating System |
URL/Repository |
Dependency Packages Downloaded |
|
Ubuntu, Debian |
"apt-get" repo |
sudo, libexpatl, libffi6 and libssl-dev |
|
https://download.java.net/java/ga/jdk11/openjdk-11_linux-x64_bin.tar.gz |
openjdk11 |
|
|
Amazon Linux |
https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz |
jdk |
|
Alpine |
"apk" repository |
sudo, libstdc++, hyperscan and openjdk11 |
Table – Dependencies URL Access
INTERFACES CONFIGURATIONINTERFACES CONFIGURATION
EMAIL SERVICE
Specify the following attributes in CMS to configure the email service used to notify the application updates to the users. Configure either CMS Internal Server or an External Email Server on CMS.
|
Attribute |
Description |
|
Internal Email Server |
|
|
Sender Email |
Email Address of the Sender |
|
Sender Name |
Name of the Sender |
|
External Email Server |
|
|
Server Host |
The DNS hostname or IP address of the Email Server |
|
Protocol Type |
Mailing protocol to be utilized |
|
Use STARTTLS Encryption |
Select appropriate option to turn the Encryption On or Off |
|
TLS Version |
Select the version of TLS protocol |
|
Account Username |
Account representing VSP on the Email Server |
|
Password |
Pasword associated with the Account Username |
|
Port |
Email Server Port |
|
Retry Count |
Maximum number of retry attempts to establish connection with the Email server |
|
Sender Email |
Email Address of the Sender |
|
Sender Name |
Name of the Sender |
Table – Email Service Attributes
LDAP INTEGRATION
|
Attribute |
Description |
|
LDAP Connection |
|
|
Host |
The DNS hostname or IP address of the LDAP or AD server |
|
Port |
Port number for LDAP or AD server access |
|
Protocol |
Select the appropriate Protocol from the drop-down: LDAP or LDAPS |
|
Validate Server Certificate |
If enabled, the server certificate is validated |
|
Authentication Realm |
User defined value that defines the authentication directory and associated policies to search for users and groups |
|
Timeout (seconds) |
The number of seconds the system waits for a response from the LDAP server before it closes the connection and tries to connect again |
|
Dead Time (minutes) |
The time (in minutes) that the system considers an unresponsive authentication server to be “dead” or “out of service”. During this time, the system falls back to using local authentication. After every Dead Time expiry, the system attempts to determine if the server is active again |
|
Retry Count |
The number of times that the system attempts to connect to the LDAP server. If the number of timed-out attempts reaches the configured Retry count, it is considered inactive (dead) and the Dead Time timer starts. Further traffic is not sent to the server till it becomes responsive again |
|
LDAP Connection Authentication Parameters |
|
|
Authentication Method |
Select the appropriate method from the drop-down – Anonymous, Simple or Strong. LDAP supports Simple method ONLY |
|
Bind DN (Username) |
Distinguished Name (DN) of a user in the directory that has read access to all information about valid users. Example: uid=admin,ou=system |
|
Bind Password |
Password for the provided Bind DN |
|
LDAP User Binding Parameters |
|
|
Base DN |
The base of the search tree for all users. Example: ou=users,dc=adobe,dc=com |
|
User Object Class |
Filter for directories where the Base DN is a mix of object types (Example: people, groups, printers, etc) and the search scope has to be limited to “people” |
|
Login Attribute |
Attribute of the LDAP directory users that will be used to log in. Example: user ID or full email address or both. Value must be “cn” |
|
Real Name Attributes |
Attributes of the Object class that supplies the real name of the user to be mapped to the real name of the user in CMS |
|
Email Attributes |
Attributes of the Object class that supplies the email address of the user |
|
Advanced |
|
|
Search within Nested Group |
Enable or disable searching within nested groups. This option is disabled by default |
|
Follow Referrals |
In multi-tenant or multi-domain enterprise forests, AD/LDAP queries may be referred to another server. A referral is when an LDAP server forwards an LDAP client request to another LDAP server. This option is disabled by default |
|
Limit Referrals |
The number of referrals that should be followed when AD replies with a Referral response. Select the appropriate value from the drop-down. The default selected value is "5" |
Table – LDAP Integration Attributes
PROXY SETTINGS
When direct internet connection is NOT available for CMS, configure a proxy server to enable CMS to Procure the Threat Intelligence and Communicate with Cloud based License Server
|
Attribute |
Description |
|
IP Address |
IP Address of the Proxy Server |
|
Port |
Port of the Proxy server |
|
Username |
Authentication username |
|
Password |
Password associated with the configured Username |
|
Authentication Method |
None OR NTLM |
|
Domain |
For NTLM only |
Table – Proxy Server Attributes
THREAT INTELLIGENCE
Specify the following attributes to configure Threat Intelligence as VirusTotal OR Virsec Threat Intelligence tool
|
Tool |
Attribute |
|
VirusTotal |
URL |
|
API Key |
|
|
Virsec Threat Intelligence |
Username |
|
Password |
Table – Threat Intelligence Attributes