🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Secureworks® iSensor™ Integration Guide

integrations network isensor secureworks managedxdr managedxdr elite


Secureworks® iSensor™ is a managed network IDS/IPS device available from Secureworks. The iSensor device is installed on your network where it monitors all network traffic, leverages our latest threat intelligence to detect network-level threats, and sends alerts to Secureworks when malicious traffic is detected. iSensor is a separately contracted feature that may be included with ManagedXDR and ManagedXDR Elite.

Supported Features:

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
Secureworks iSensor                   D D, V    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Requirements

Review the following requirements prior to implementation.

Connectivity Requirements

Source Destination Port/Protocol
Secureworks iSensor (mgmt IP) 206.55.100.0/22
216.9.204.0/22
TCP/443 (unproxied)*

*(unproxied) — TCP/443 traffic will need to be excluded from any web content filtering devices. The TCP/443 traffic will be inspected and dropped by most web content filtering devices as malformed HTTPS traffic.

Maximum Transmission Unit (MTU)

Secureworks offers two types of iSensors based on software image: the Standard iSensor and the High Speed iSensor. The supported MTU sizes differ for each type.

Important

The MTU size is applied to all of the iSensor's monitoring interfaces. This means that if the iSensor is monitoring multiple network segments, all segments must have the same MTU.

Physical Requirements

  1. The default static rail shipped with the Dell Server is compatible with both two post and four post racks. If desired, there is an optional sliding rail available that is only compatible with four post racks.
  2. A monitor and USB keyboard connected to the iSensor.
  3. Connection from the management interface of the iSensor to the network. See the following diagrams.
  4. Connection of the included power cable(s) to the iSensor.
  5. Device powered on.

Contact your Secureworks representative to walk you through the rest of the implementation.

Physical Setup

Interface Diagrams

Standard Four Port iSensor (PER320)

Standard Four Port iSensor (PER320)

Standard Four Port iSensor (PER330)

Standard Four Port iSensor (PER330)

Standard Four Port iSensor (R340XL)

Standard Four Port iSensor (R340XL)

High Speed Four Port iSensor (PER630,PER640)

High Speed Four Port iSensor (PER630,PER640)

High Speed Eight Port iSensor (PER630,PER640)

High Speed Eight Port iSensor (PER630,PER640)

High Speed 10G Two Port iSensor (PER630,PER640)

High Speed 10G Two Port iSensor (PER630,PER640)

High Speed 10G Four Port iSensor (PER630,PER640)

High Speed 10G Four Port iSensor (PER630,PER640)

System Specifications

Feature Purpose Form Factor Rack Support Power Supplies Heat Dissipation NIC
Standard (PER320) IDS/IPS appliance 1U rack Dell A7 Static ReadyRails (default);
Dell A8 Sliding ReadyRails (optional)
Hot-plug redundant power supplies (350 watts each) 1356 BTU/hr maximum 4-port copper Gb adapter;
management interface;
hardware fail-open
Standard (PER330) IDS/IPS appliance 1U rack Dell A7 Static ReadyRails (default);
Dell A8 Sliding ReadyRails (optional)
Hot-plug redundant power supplies (350 watts each) 1357 BTU/hr maximum 4-port copper Gb adapter;
4-port fiber Gb adapter;
management interface;
hardware fail-open
High Speed (PER630) IDS/IPS appliance 1U rack Dell A7 Static ReadyRails (default);
Dell A8 Sliding ReadyRails (optional)
Hot-plug redundant power supplies (495 watts each) 1908 BTU/hr maximum 4/8-port copper Gb adapter;
4-port fiber Gb adapter;
2/4-port fiber 10Gb adapter;
management interface;
hardware fail-open
High Speed (PER640) IDS/IPS appliance 1U rack Dell A7 Static ReadyRails (default);
Dell A8 Sliding ReadyRails (optional)
Hot-plug redundant power supplies (495 watts each) 1908 BTU/hr maximum 4/8-port copper Gb adapter;
4-port fiber Gb adapter;
2/4-port fiber 10Gb adapter;
management interface;
hardware fail-open

Fiber Connection Information

This section provides information on the physical connection requirements for the iSensor's fiber network interface cards. Please note that Secureworks does not provide the required fiber cable(s) as part of the iSensor shipment.

2-Port 10Gb Fiber

The 10Gb iSensor fiber card is only offered in conjunction with the High Speed iSensor (PER630/640) models.

Important

If utilizing the 2-port 10Gb fiber card on a non-High Speed iSensor, inspection throughput is limited to 3.5Gbps.

4-Port 10Gb Fiber

The 10Gb iSensor fiber card is only offered in conjunction with the High Speed iSensor (PER630/640) models.

Important

If utilizing the 4-port 10Gb fiber card on a non-High Speed iSensor, inspection throughput is limited to 3.5Gbps.

4-Port 1G fiber

Important

If utilizing the 4-port 1G fiber card on a non-High Speed iSensor, inspection throughput is limited to 3.5Gbps.

iSensor Deployment Considerations

During the registration of your iSensor, you must determine the implementation that best serves your organization. To aid in making these decisions, review the following options and determine what will be needed prior to the registration process.

Interface Configuration

Auto-negotiate or hardcoded? If hardcoded, which speed and duplex settings?

Note

A crossover cable is highly recommended between an iSensor and layer 3 devices, such as routers and firewalls. Auto MDIX will allow for straight through cables to be used between the iSensor and layer 3 devices in most cases, but both devices must be configured to auto negotiate speed and duplex. If any side is hard coded, then a crossover cable is required. A straight through cable is required between an iSensor and layer 2 devices, such as switches. These requirements are necessary to facilitate the fail open functionality.

Active or Passive Mode

In inline-active mode (IPS), the recommended installation setup for your iSensor, all traffic passes through the iSensor with network traffic being blocked if determined to be malicious by the signature set.

In inline-passive mode (IDS), all traffic passes through the iSensor and is inspected. The device will only alert to malicious traffic but will not block it. This is also known as inline-sniffing.

In sniffer mode (IDS) (non-inline monitor), the network segments to be monitored are spanned to the iSensor for inspection, but no traffic is blocked.

HOME_NET

HOME_NET is a network or list of networks that are important to you, and that you wish to protect with the iSensor. The iSensor uses the defined HOME_NET(s) to determine the traffic that will be inspected. These networks are stored as a variable on the iSensor device called the $HOME_NET. Selecting the correct HOME_NET is extremely important to ensure proper coverage of your network.

Proxy Servers

Proxy servers must be accounted for during the iSensor deployment. Secureworks must know if you have any proxy servers in the monitored environment, if they are transparent or active (clients are forced through the proxy via browser configuration) proxies, what port number the client browsers connect to the proxy on if active, and the IP address of the proxy/proxies.

HTTP_PORTS

After you have defined your proxy server(s), if any are active, we will need to record the port number used by clients when proxying through the active proxy. This port will be used in the $HTTP_PORTS variable. The HTTP_PORTS variable is used to instruct the iSensor that HTTP traffic is expected on this port and to apply all HTTP signatures to the traffic. If you do NOT have any proxy servers in your environment, but you have HTTP traffic traversing your network on a port other than the following default ports, please ensure they are recorded so they can be added to the HTTP_PORTS variable for proper HTTP traffic inspection.

The default $HTTP_PORTS variable is as follows: [80,81,88,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080, 9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

Signature Sets

Balanced

The balanced policy offers a mix of increased security coverage while still aiming to provide minimal impact to legitimate traffic. Traffic dropped by the balanced policy includes but is not limited to: current threatscape malware and traffic aimed at exploiting high severity vulnerabilities in both widespread and lesser-used software. Traffic that generates alerts, but is not dropped, includes but is not limited to: traffic commonly associated with reconnaissance attempts/the noise of the internet, traffic that triggers lower fidelity signatures, and traffic related to questionable activities such as torrent use.

Security

The security policy provides the highest security coverage feasible, while aiming to limit impact to legitimate enterprise traffic. The security policy leans towards stronger security over connectivity, thus it accepts a higher false positive rate in order to provide increased coverage. Traffic dropped by the security policy includes but is not limited to: malware seen within the current threatscape, traffic aimed at exploiting vulnerabilities in both widespread and lesser-used software for high and medium severity vulnerabilities, traffic commonly associated with reconnaissance attempts/the noise of the internet, generic signatures to prevent common attacks such as SQL injection and Cross-Site Scripting attacks, and traffic related to questionable activities such as torrent use.

Connectivity

The connectivity policy protects against the most severe threats, which have the highest risk within an enterprise environment. It provides minimal impact to legitimate traffic. Traffic dropped by the connectivity policy includes but is not limited to: current threatscape malware and high threat exploit attempts against known vulnerabilities in widespread software or software actively being exploited in the wild. Traffic that generates alerts, but is not dropped, includes but is not limited to: threats identified by signatures that protect against a variety of medium threat events in lesser-used applications. Signatures that generate more noise are disabled by default.

iSensor Deployment Scenarios

The following installation scenarios represent common internal deployments that adhere to Secureworks best practices. Secureworks does not recommend deploying the iSensor external of the firewall due to detection concerns and masking (hide NAT) of internal assets. Alternative iSensor deployment scenarios should be reviewed, approved, and documented with your installation team.

Internal Inline

Internal Inline

HA Active/Standby Internal Inline

HA Active/Standby Internal Inline

HA Active/Active Internal Inline

HA Active/Active Internal Inline

Internal DMZ Inline

Internal DMZ Inline

Internal Sniffer

Internal Sniffer

HA Internal Sniffer

HA Internal Sniffer

Internal DMZ Sniffer

Internal DMZ Sniffer

Registration Preparation

Before you begin the installation of your iSensor device, prepare the following important pieces of information that you will be prompted for during the installation process:

Configuration and Registration

Follow these steps to begin installation of your iSensor device:

  1. Connect the iSensor management port to your network.
  2. Connect a monitor and keyboard to your iSensor device.
  3. Turn-on your iSensor device. The iSensor Configuration Wizard displays.
  4. At the initial screen, the iSensor automatically attempts to detect if the management port is connected. If No interface detected is shown, verify the management interface cable is connected and fully seated. Once done, select Yes to retry the interface detection.

No Interface Detected

No Interface Detected

  1. On the next prompt, if using a static IP, select Configure Static and then enter your IP, netmask, and gateway information. If using DHCP, select Configure DHCP.

Configure Static IP or DHCP

Configure Static IP or DHCP

  1. The iSensor attempts to ping its gateway to verify the information is valid. If a ping failure is expected, select Ignore to continue with the registration process.

Ignore Ping Failure

Ignore Ping Failure

  1. Confirm the network configuration by selecting the Use option, or switch to Static or DHCP by selecting the Configure option.

Confirm Configuration

Confirm Configuration

  1. After you confirm the network configuration, select the iSensor mode desired for your device and then select OK to continue.

Select iSensor Mode

Select iSensor Mode

  1. Enter the Registration Key you obtained from your onboarding project manager. See the following note to download a specific iSensor version if required; otherwise, select OK.

Enter Registration Key

Enter Registration Key

Note

Optional: If your compliance framework requires your iSensor version to be controlled, you may select a specific iSensor version to download. Once you have entered your Registration Key, select iSensor Version.

Select iSensor Version

Select iSensor Version

Enter your desired iSensor version and select OK to continue.

Enter iSensor Version

Enter iSensor Version

  1. If you did not select the option to enter a specific iSensor version, select whether to enable or disable automatic software updates. These updates include minor OS patches that will not disrupt inspection or network connection(s). Secureworks recommends you select No to enable updates.

Enable Software Updates

Enable Software Updates

  1. The iSensor now contacts Secureworks with its Registration Key and completes a fairly lengthy set of steps to download software and configure itself.

Download and Configuration

Download and Configuration

  1. You have now successfully installed your iSensor. Contact your Secureworks representative to validate connectivity.

QuickStart for Network Reconfiguration

Use the Secureworks iSensor QuickStart feature to modify the network configuration when needed. Follow these steps:

  1. To execute QuickStart from the console of the iSensor, connect a monitor and keyboard to the system and output similar to the following displays. If there is no output present, select Enter on the keyboard to wake the console.
Secureworks CLI v1.0

Access to this private computer system is for authorized users only.  Unauthorized and/or inappropriate use, including exceeding authorization, is strictly prohibited and may subject said user(s) to civil and criminal penalties.  System use may be monitored and recorded.  Use of this system constitutes consent to any such monitoring.

Press '?' for help

G-12345>
  1. Enter quickstart to execute the QuickStart program.

Important

This command should only be used while working with Secureworks support to change the network configuration of the iSensor. Changes made locally have direct impact on the monitoring and management of the iSensor and could lead to a service outage if not directed by a member of Secureworks support.

  1. The following dialogue displays. Select OK to continue.

QuickStart

QuickStart

  1. Select the network mode the iSensor should be in. If you are unsure of the proper value, please consult Secureworks support.

Select iSensor Mode

Select iSensor Mode

  1. Select either IPS (Intrusion Prevention) or IDS (Intrusion Detection). If you are unsure of the proper value, please consult Secureworks support.

Select IPS/IDS

Select IPS/IDS

  1. Select the value you would like to change and then select Edit. You may change the Mode, IP Address, Netmask, Gateway, and Management Port.

Change Settings

Change Settings

Note

If changing the IP address of the iSensor, the first question asked is whether or not the iSensor will use DHCP for the management port. Select No to configure the proper IP address.

DHCP Setting

DHCP Setting

  1. After you have configured the settings as desired, review your changes and then select Accept.

Accept Changes

Accept Changes

  1. Status messages display as the configuration is applied. When the network interfaces have been successfully configured, select OK to return to the console prompt.

Successful Reconfiguration

Successful Reconfiguration

  1. Now that you have changed the network configuration, use the commands show ip, show gw, show netmode, and show routes to verify your configuration changes.

Registration Error Codes

The following error codes may be seen during configuration/registration. Review the description for details.

Error Code Description
20 User cancelled the process of setting the network configuration
21 User cancelled the process of selecting the iSensor mode
22 User cancelled the process of setting up a registration key
23 The policy obtained is not a valid XML file
24 The policy contains an empty VPN password field
25 VPN connection failed - user decides not to retry
26 Unable to retrieve RCMS certificates
27 Certificate tar file missing /var/mqm/ssl/Key.sth file
28 CIP server information is missing from the policy (Certinit.config)
29 Unable to obtain UIN - Server provided an invalid response
30 Unable to obtain UIN - Server provided no response
31 Imagetools configuration is missing the iSensor Version
32 Image MD5Sum didn't match what the server MD5Sum
33 Image installation failed (instimage.barebone)

 

On this page: