Secureworks iSensor Integration Guide
integrations network isensor secureworks managedxdr managedxdr elite
Secureworks iSensor® is a managed network IDS/IPS device available from Secureworks. The iSensor device is installed on your network where it monitors all network traffic, leverages our latest threat intelligence to detect network-level threats, and sends alerts to Secureworks when malicious traffic is detected. iSensor is a separately contracted feature that may be included with Secureworks® Taegis™ ManagedXDR and Secureworks® Taegis™ ManagedXDR Elite.
Supported Features:
- Inline and passive deep packet inspection
- Integration of Counter Threat Unit™ Threat Intelligence
- Ability to block malicious traffic on the network
Data Provided from Integration ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Secureworks iSensor | D | D, V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Requirements ⫘
Review the following requirements prior to implementation.
Connectivity Requirements ⫘
| Source | Destination | Port/Protocol |
|---|---|---|
| iSensor (mgmt IP) | 206.55.100.0/22 216.9.204.0/22 |
TCP/443 (unproxied)* |
*(unproxied) — TCP/443 traffic will need to be excluded from any web content filtering devices. The TCP/443 traffic will be inspected and dropped by most web content filtering devices as malformed HTTPS traffic.
Maximum Transmission Unit (MTU) ⫘
Secureworks offers two types of iSensors based on software image: the Standard iSensor and the High Speed iSensor. The supported MTU sizes differ for each type.
-
Standard — Packets that will traverse the Standard IPQ3 or 3G/10G IPQ3 iSensor should have a MTU of 1522 or less. Anything higher will lead to packet loss and have a negative impact on network connectivity.
-
High Speed — The High Speed iSensor running DPDK is able to support an MTU of up to 9000. If you wish to use the non-default MTU size of 1500, please inform your implementation engineer during implementation discussions.
Important
The MTU size is applied to all of the iSensor's monitoring interfaces. This means that if the iSensor is monitoring multiple network segments, all segments must have the same MTU.
Physical Requirements ⫘
- The default static rail shipped with the Dell Server is compatible with both two post and four post racks. If desired, there is an optional sliding rail available that is only compatible with four post racks.
- A monitor and USB keyboard connected to the iSensor.
- Connection from the management interface of the iSensor to the network. See the following diagrams.
- Connection of the included power cable(s) to the iSensor.
- Device powered on.
Contact your Secureworks representative to walk you through the rest of the implementation.
Physical Setup ⫘
Interface Diagrams ⫘
- Standard Four Port iSensor (PER320):
Standard Four Port iSensor (PER320)
- Standard Four Port iSensor (PER330):
Standard Four Port iSensor (PER330)
- Standard Four Port iSensor (R340XL):
Standard Four Port iSensor (R340XL)
- High Speed Four Port iSensor (PER630,PER640):
High Speed Four Port iSensor (PER630,PER640)
- High Speed Eight Port iSensor (PER630,PER640):
High Speed Eight Port iSensor (PER630,PER640)
- High Speed 10G Two Port iSensor (PER630,PER640):
High Speed 10G Two Port iSensor (PER630,PER640)
- High Speed 10G Four Port iSensor (PER630,PER640):
High Speed 10G Four Port iSensor (PER630,PER640)
System Specifications ⫘
| Feature | Purpose | Form Factor | Rack Support | Power Supplies | Heat Dissipation | NIC |
|---|---|---|---|---|---|---|
| Standard (PER320) | IDS/IPS appliance | 1U rack | Dell A7 Static ReadyRails (default); Dell A8 Sliding ReadyRails (optional) |
Hot-plug redundant power supplies (350 watts each) | 1356 BTU/hr maximum | 4-port copper Gb adapter; management interface; hardware fail-open |
| Standard (PER330) | IDS/IPS appliance | 1U rack | Dell A7 Static ReadyRails (default); Dell A8 Sliding ReadyRails (optional) |
Hot-plug redundant power supplies (350 watts each) | 1357 BTU/hr maximum | 4-port copper Gb adapter; 4-port fiber Gb adapter; management interface; hardware fail-open |
| High Speed (PER630) | IDS/IPS appliance | 1U rack | Dell A7 Static ReadyRails (default); Dell A8 Sliding ReadyRails (optional) |
Hot-plug redundant power supplies (495 watts each) | 1908 BTU/hr maximum | 4/8-port copper Gb adapter; 4-port fiber Gb adapter; 2/4-port fiber 10Gb adapter; management interface; hardware fail-open |
| High Speed (PER640) | IDS/IPS appliance | 1U rack | Dell A7 Static ReadyRails (default); Dell A8 Sliding ReadyRails (optional) |
Hot-plug redundant power supplies (495 watts each) | 1908 BTU/hr maximum | 4/8-port copper Gb adapter; 4-port fiber Gb adapter; 2/4-port fiber 10Gb adapter; management interface; hardware fail-open |
Fiber Connection Information ⫘
This section provides information on the physical connection requirements for the iSensor's fiber network interface cards. Please note that Secureworks does not provide the required fiber cable(s) as part of the iSensor shipment.
2-Port 10Gb Fiber ⫘
The 10Gb iSensor fiber card is only offered in conjunction with the High Speed iSensor (PER630/640) models.
- Port Quantity — Dual
- Connector Type — Lucent Connector (LC)
- Fail-open and/or Hardware Bypass — Supported
- Interface Data Transfer Rate — 10.3125 GBd
- Fiber Type — Multimode
- Wavelength — 850 nm
- Optical Output Power — Typical: -3.1 dBm; Maximum: -7.3 dBm
- Optical Receive Sensitivity — Typical: -15.37 dBm; Maximum: -11 dBm
Important
If utilizing the 2-port 10Gb fiber card on a non-High Speed iSensor, inspection throughput is limited to 3.5Gbps.
4-Port 10Gb Fiber ⫘
The 10Gb iSensor fiber card is only offered in conjunction with the High Speed iSensor (PER630/640) models.
- Port Quantity — Quad
- Connector Type — Lucent Connector (LC)
- Fail-open and/or Hardware Bypass — Supported
- Interface Data Transfer Rate — 10.3125 GBd
- Fiber Type — Multimode
- Wavelength — 850 nm
- Optical Output Power — Minimum: -7.3 dBm;
- Optical Receive Sensitivity — Maximum: -11 dBm
Important
If utilizing the 4-port 10Gb fiber card on a non-High Speed iSensor, inspection throughput is limited to 3.5Gbps.
4-Port 1G fiber ⫘
- Port Quantity — Quad
- Connector Type — Lucent Connector (LC)
- Fail-open and/or Hardware Bypass — Supported
- Interface Data Transfer Rate — 10.3125 GBd
- Fiber Type — Multimode
- Wavelength — 850 nm
- Optical Output Power — Typical: -6.0 dBm (TX -Switch Norma - Fiber - LC/LC); Minimum: -10.9 dBm
- Optical Receive Sensitivity — Typical: -20 dBm; Maximum: -15.6 dBm
Important
If utilizing the 4-port 1G fiber card on a non-High Speed iSensor, inspection throughput is limited to 3.5Gbps.
iSensor Deployment Considerations ⫘
During the registration of your iSensor, you must determine the implementation that best serves your organization. To aid in making these decisions, review the following options and determine what will be needed prior to the registration process.
Interface Configuration ⫘
Auto-negotiate or hardcoded? If hardcoded, which speed and duplex settings?
Note
A crossover cable is highly recommended between an iSensor and layer 3 devices, such as routers and firewalls. Auto MDIX will allow for straight through cables to be used between the iSensor and layer 3 devices in most cases, but both devices must be configured to auto negotiate speed and duplex. If any side is hard coded, then a crossover cable is required. A straight through cable is required between an iSensor and layer 2 devices, such as switches. These requirements are necessary to facilitate the fail open functionality.
Active or Passive Mode ⫘
In inline-active mode (IPS), the recommended installation setup for your iSensor, all traffic passes through the iSensor with network traffic being blocked if determined to be malicious by the signature set.
In inline-passive mode (IDS), all traffic passes through the iSensor and is inspected. The device will only alert to malicious traffic but will not block it. This is also known as inline-sniffing.
In sniffer mode (IDS) (non-inline monitor), the network segments to be monitored are spanned to the iSensor for inspection, but no traffic is blocked.
HOME_NET ⫘
HOME_NET is a network or list of networks that are important to you, and that you wish to protect with the iSensor. The iSensor uses the defined HOME_NET(s) to determine the traffic that will be inspected. These networks are stored as a variable on the iSensor device called the $HOME_NET. Selecting the correct HOME_NET is extremely important to ensure proper coverage of your network.
Proxy Servers ⫘
Proxy servers must be accounted for during the iSensor deployment. Secureworks must know if you have any proxy servers in the monitored environment, if they are transparent or active (clients are forced through the proxy via browser configuration) proxies, what port number the client browsers connect to the proxy on if active, and the IP address of the proxy/proxies.
HTTP_PORTS ⫘
After you have defined your proxy server(s), if any are active, we will need to record the port number used by clients when proxying through the active proxy. This port will be used in the $HTTP_PORTS variable. The HTTP_PORTS variable is used to instruct the iSensor that HTTP traffic is expected on this port and to apply all HTTP signatures to the traffic. If you do NOT have any proxy servers in your environment, but you have HTTP traffic traversing your network on a port other than the following default ports, please ensure they are recorded so they can be added to the HTTP_PORTS variable for proper HTTP traffic inspection.
The default $HTTP_PORTS variable is as follows:
[80,81,88,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080, 9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
Signature Sets ⫘
Balanced ⫘
The balanced policy offers a mix of increased security coverage while still aiming to provide minimal impact to legitimate traffic. Traffic dropped by the balanced policy includes but is not limited to: current threatscape malware and traffic aimed at exploiting high severity vulnerabilities in both widespread and lesser-used software. Traffic that generates alerts, but is not dropped, includes but is not limited to: traffic commonly associated with reconnaissance attempts/the noise of the internet, traffic that triggers lower fidelity signatures, and traffic related to questionable activities such as torrent use.
Security ⫘
The security policy provides the highest security coverage feasible, while aiming to limit impact to legitimate enterprise traffic. The security policy leans towards stronger security over connectivity, thus it accepts a higher false positive rate in order to provide increased coverage. Traffic dropped by the security policy includes but is not limited to: malware seen within the current threatscape, traffic aimed at exploiting vulnerabilities in both widespread and lesser-used software for high and medium severity vulnerabilities, traffic commonly associated with reconnaissance attempts/the noise of the internet, generic signatures to prevent common attacks such as SQL injection and Cross-Site Scripting attacks, and traffic related to questionable activities such as torrent use.
Connectivity ⫘
The connectivity policy protects against the most severe threats, which have the highest risk within an enterprise environment. It provides minimal impact to legitimate traffic. Traffic dropped by the connectivity policy includes but is not limited to: current threatscape malware and high threat exploit attempts against known vulnerabilities in widespread software or software actively being exploited in the wild. Traffic that generates alerts, but is not dropped, includes but is not limited to: threats identified by signatures that protect against a variety of medium threat events in lesser-used applications. Signatures that generate more noise are disabled by default.
iSensor Deployment Scenarios ⫘
The following installation scenarios represent common internal deployments that adhere to Secureworks best practices. Secureworks does not recommend deploying the iSensor external of the firewall due to detection concerns and masking (hide NAT) of internal assets. Alternative iSensor deployment scenarios should be reviewed, approved, and documented with your installation team.
- Internal Inline:
Internal Inline
- HA Active/Standby Internal Inline:
HA Active/Standby Internal Inline
- HA Active/Active Internal Inline:
HA Active/Active Internal Inline
- Internal DMZ Inline:
Internal DMZ Inline
- Internal Sniffer:
Internal Sniffer
- HA Internal Sniffer:
HA Internal Sniffer
- Internal DMZ Sniffer:
Internal DMZ Sniffer
Registration Preparation ⫘
Before you begin the installation of your iSensor device, prepare the following important pieces of information that you will be prompted for during the installation process:
- Device hostname
- iSensor Registration Key — If not already received, please contact your onboarding project manager to obtain the Registration Key.
- iSensor mode that you wish to use — At this time, you should have already worked with a Secureworks representative to identify the best solution for you. You must select one of the three modes during the installation process. See Active or Passive Mode for more information.
- Static IP address or DHCP — If you plan to use a static IP for your iSensor, please have your IP address, network mask, and gateway address ready for entry during the installation process. These values should have been provisioned by your network team for use by the iSensor.
Configuration and Registration ⫘
Follow these steps to begin installation of your iSensor device:
- Connect the iSensor management port to your network.
- Connect a monitor and keyboard to your iSensor device.
- Turn-on your iSensor device. The iSensor Configuration Wizard displays.
- At the initial screen, the iSensor automatically attempts to detect if the management port is connected. If No interface detected is shown, verify the management interface cable is connected and fully seated. Once done, select Yes to retry the interface detection.
No Interface Detected
- On the next prompt, if using a static IP, select Configure Static and then enter your IP, netmask, and gateway information. If using DHCP, select Configure DHCP.
Configure Static IP or DHCP
- The iSensor attempts to ping its gateway to verify the information is valid. If a ping failure is expected, select Ignore to continue with the registration process.
Ignore Ping Failure
- Confirm the network configuration by selecting the Use option, or switch to Static or DHCP by selecting the Configure option.
Confirm Configuration
- After you confirm the network configuration, select the iSensor mode desired for your device and then select OK to continue.
Select iSensor Mode
- Enter the Registration Key you obtained from your onboarding project manager. See the following note to download a specific iSensor version if required; otherwise, select OK.
Enter Registration Key
Note
Optional: If your compliance framework requires your iSensor version to be controlled, you may select a specific iSensor version to download. Once you have entered your Registration Key, select iSensor Version.
Select iSensor Version
Enter your desired iSensor version and select OK to continue.
Enter iSensor Version
- If you did not select the option to enter a specific iSensor version, select whether to enable or disable automatic software updates. These updates include minor OS patches that will not disrupt inspection or network connection(s). Secureworks recommends you select No to enable updates.
Enable Software Updates
- The iSensor now contacts Secureworks with its Registration Key and completes a fairly lengthy set of steps to download software and configure itself.
Download and Configuration
- You have now successfully installed your iSensor. Contact your Secureworks representative to validate connectivity.
QuickStart for Network Reconfiguration ⫘
Use the Secureworks iSensor QuickStart feature to modify the network configuration when needed. Follow these steps:
- To execute QuickStart from the console of the iSensor, connect a monitor and keyboard to the system and output similar to the following displays. If there is no output present, select Enter on the keyboard to wake the console.
Secureworks CLI v1.0
Access to this private computer system is for authorized users only. Unauthorized and/or inappropriate use, including exceeding authorization, is strictly prohibited and may subject said user(s) to civil and criminal penalties. System use may be monitored and recorded. Use of this system constitutes consent to any such monitoring.
Press '?' for help
G-12345>
- Enter
quickstartto execute the QuickStart program.
Important
This command should only be used while working with Secureworks support to change the network configuration of the iSensor. Changes made locally have direct impact on the monitoring and management of the iSensor and could lead to a service outage if not directed by a member of Secureworks support.
- The following dialogue displays. Select OK to continue.
QuickStart
- Select the network mode the iSensor should be in. If you are unsure of the proper value, please consult Secureworks support.
Select iSensor Mode
- Select either IPS (Intrusion Prevention) or IDS (Intrusion Detection). If you are unsure of the proper value, please consult Secureworks support.
Select IPS/IDS
- Select the value you would like to change and then select Edit. You may change the Mode, IP Address, Netmask, Gateway, and Management Port.
Change Settings
Note
If changing the IP address of the iSensor, the first question asked is whether or not the iSensor will use DHCP for the management port. Select No to configure the proper IP address.
DHCP Setting
- After you have configured the settings as desired, review your changes and then select Accept.
Accept Changes
- Status messages display as the configuration is applied. When the network interfaces have been successfully configured, select OK to return to the console prompt.
Successful Reconfiguration
- Now that you have changed the network configuration, use the commands
show ip,show gw,show netmode, andshow routesto verify your configuration changes.
Registration Error Codes ⫘
The following error codes may be seen during configuration/registration. Review the description for details.
| Error Code | Description |
|---|---|
| 20 | User cancelled the process of setting the network configuration |
| 21 | User cancelled the process of selecting the iSensor mode |
| 22 | User cancelled the process of setting up a registration key |
| 23 | The policy obtained is not a valid XML file |
| 24 | The policy contains an empty VPN password field |
| 25 | VPN connection failed - user decides not to retry |
| 26 | Unable to retrieve RCMS certificates |
| 27 | Certificate tar file missing /var/mqm/ssl/Key.sth file |
| 28 | CIP server information is missing from the policy (Certinit.config) |
| 29 | Unable to obtain UIN - Server provided an invalid response |
| 30 | Unable to obtain UIN - Server provided no response |
| 31 | Imagetools configuration is missing the iSensor Version |
| 32 | Image MD5Sum didn't match what the server MD5Sum |
| 33 | Image installation failed (instimage.barebone) |