Skip to main content

The Network sensor

The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.

It is configured in TAP mode and gets a copy of the network traffic via a SPAN port. It can detect any type of device that communicates via IPv4 or IPv6 network protocols, regardless of whether the device is managed by Bitdefender or not. If there are any IoT devices on the network that communicate using those same protocols, the Network sensor will inspect that traffic as well.

For more information about the Network sensor requirements, refer to the Network sensor requirements page.

Note

The Network sensor does not support SCADA or any particular OT protocols.

After configuration, the Network sensor continuously listens to network traffic, collects events from all endpoints in your environment, pre-processes and pre-filters them, and sends both metadata and detections to GravityZone Security Analytics engine.

View the triggered detections in the Incidents > Search section, by using the following query: other.sensor_name:network. These detections are used to enrich the context of Extended Incidents generated by GravityZone.

Preparing your environment for the NSVA Network Sensor Appliance deployment

Before deploying the Network Sensor Virtual Appliance (NSVA) for GravityZone XDR, take the following steps to prepare your environment:

Tip

The NSVA appliance supports monitoring more than one network subnet with a single appliance.

  1. Ensure all network subnet requirements are met:

    • Non-overlapping IP address spaces - Networks monitored by a single NSVA appliance must not have overlapping IP address spaces.

      This is crucial to avoid event correlation inconsistencies and ensure accurate monitoring.

    • Non-duplicated MAC addresses - Networks monitored by a single NSVA appliance must not contain duplicated MAC addresses.

      This is crucial to avoid event correlation inconsistencies and ensure accurate monitoring.

    • Network routers information - A list of IP and MAC addresses for the routers handling traffic for the monitored subnets. These will be required during setup.

    A NSVA network sensor appliance will need to be configured to monitor at least one subnet and be provided with at least an internet gateway and/or router for each of the monitored networks.

  2. Configure the NSVA Group ID

    The group ID is a user-defined integer value that is configured on each NSVA appliance and allows for partitioning of the network monitoring in case overlapping address spaces are present in your infrastructure.

    Please consider the following guidelines:

    • The NSVA Group ID can have values between 1 and 254.

    • NSVA appliances with the same group ID must not monitor network subnets with overlapping address spaces.

    • Use the same group ID for appliances monitoring distinct subnets with non-overlapping IP address spaces or duplicated MAC addresses. This helps GravityZone treat that network site as a consistent partition of the environment and correlate events across its entirety.

    • Avoid configuring more than one NSVA appliance within the same group ID to monitor the same network subnet.

    • Each network subnet should be monitored only once within the same GravityZone company to avoid redundant monitoring and potential data conflicts and duplication

    • If your infrastructure does not have subnets with overlapping address spaces that need to be monitored within the same GravityZone company, you should let all the NSVA network sensor appliances to use the default group ID value (1).

  3. Set up traffic monitoring.

    The NSVA appliance monitors network traffic using mirroring (also known as SPAN) switchport sessions. Depending on your network equipment, different terminologies might be used.

    One NSVA appliance can monitor traffic from multiple networks over the same network interface, through a session that mirrors traffic from one or more network segments or switch ports. The NSVA appliances can monitor traffic delivered via SPAN, RSPAN or mirroring

    Important

    Ensure that your network hardware supports SPAN or mirroring sessions to facilitate traffic delivery to the network sensor appliance.

By following these prerequisites, you can ensure the successful deployment of the NSVA network sensor appliance, and set up comprehensive and conflict-free network monitoring.

To add the Network sensor, follow these steps:

Install the Network sensor

You can deploy the Network sensor in your environment by using the prebuilt appliance images for vSphere, Hyper-V, or you can install it manually.

Configure the Network sensor virtual appliance

After installing the Network sensor, follow these steps to configure the virtual appliance:

  1. Start the Network sensor virtual machine.

  2. Log in via SSH using root / sve as username and password.

  3. Change the password.

    The default password does not meet the new security password requirements, so you have to change it. It must contain at least 8 characters, one digit, at least one upper case character, at least one lower case character, one special character and must be changed every 3 months.

    gravityzone_cl_sve_new_password_nsva.png

    Note

    For more information about resetting the root password, refer to Reset root password for Security Server.

  4. To configure the Network sensor, run the following command:

    /opt/bitdefender/bin/sva_setup.sh

    The sva_setup interface allows for comprehensive network configuration, including the setup of subnets, VLANs, and routers.

  5. Start the configuration process. Use the arrow keys to navigate and select OK or Cancel to confirm or discard your choices.

    network_configuration_cl_pt_113104.png
  6. Network configuration - allows setting the following modes:

    • eth0: this is the primary interface used in the Dynamic Host Configuration Protocol (DHCP) mode to enable communication with GravityZone.

    • eth1: this is the interface in promiscuous mode, used to analyze network traffic.

    Important

    If no changes are needed, no further configuration is required.

    If the primary interface must have static IP address, select eth0 from Network configuration and configure it as follows:

    network_config_113104_cl_op_en.png
    1. Select Static.

      network_config_static_ip_113104_cl_op_en.png
    2. Complete the configuration.

      network_config_complete_113104_cl_op_en.png
    3. Select Ok.

    4. Select Cancel to return to the Network interface(s) configuration menu.

    5. Select Apply configuration.

      network_config_apply_113104_cl_op_en.png
    6. (Optional) You can also change the hostname of the NSVA by selecting the Set hostname option, and then selecting Apply configuration.

  7. Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone .

  8. Go to Communication server configuration and select one of the following options, based on your browser's URL:

    • For cloudgz.gravityzone.bitdefender.com: GZ Cloud Instance 1

    • For cloud.gravityzone.bitdefender.com: GZ Cloud Instance 2

    • For cloudap.gravityzone.bitdefender.com: GZ Cloud Instance 3

  9. Configure the Company hash - the GravityZone company hash where the Network sensor sends the data (Login to GravityZone > My Company > My Company hash).

  10. The Configure monitored networks menu allows you to manage and configure various network settings. For more information on how to prepare your environment for the Network sensor, refer to this section.

    configure_nsva_cl_pt_113104.png
  11. Choose one of the following options:

    monitored_network_config_cl_pt_113104.png
  12. In the Configure subnets and VLANs window you can set up and manage network subnets and Virtual Local Area Networks ID’s (VLAN IDs):

    configure_subnets_vlan_cl_pt_113104.png

    Note

    If a subnet is not declared, its traffic won't be monitored even if it reaches the Network sensor.

    1. View/Edit subnet list - here you can view and edit the list of added subnets and VLANs.

      view_subnet_cl_pt_113104.png
    2. Add a new subnet - here you can add a new subnet.

      enter_subnet_cl_pt_113104.png
    3. You can configure the monitored subnet address by using the CIDR notation and VLAN ID if the traffic is tagged.

    4. Select Yes to confirm your configuration.

      confirm_subnet_config_cl_pt_113104.png
    5. Remove subnet - this options allows you to remove any subnet.

    Note

    If the traffic is untagged, no VLAN ID is required.

  13. In the Set Network group ID window you can assign or modify the network group identification number:

    • The group ID must be an integer between 1 and 254.

    • Unique Group ID for Overlapping Subnets: NSVA appliances with the same group ID must not monitor network subnets with overlapping address spaces.

    • Consistent Group ID for Non-overlapping Subnets: Use the same group ID for appliances monitoring distinct subnets with non-overlapping IP address spaces.

    This is an example of Group ID assignment based on subnets with overlapping address spaces:

    group_assignment_id_cl_pt_113104.png
  14. In the Configure routers window you can configure the network routers:

    configure_router_cl_pt_113104.png
    1. View/Edit router list - here you view and edit the list of added routers.

      view_edit_router_list_cl_pt_113104.png
    2. Add new router - this option allows you to add a list of IPs and MAC addresses for different routers and/or internet gateway in the monitored network infrastructure.

      add_ip_mac_cl_pt_113104.png

      Afterwards you can confirm your configuration by selecting Yes.

      ip_mac_config_cl_pt_113104.png
    3. Remove router - this option allows you to remove elements from the list of added routers.

  15. After the configuration is complete, select Apply configuration.

  16. If the configuration is incorrect, you can select Discard changes to discard any changes made and revert to the previous settings.

    This is an example of a network with multiple subnets:

    multiple_subnets_example_cl_pt_113104.png

    Based on the network configuration diagram, the Network Sensor configuration includes:

    • subnets and VLANs configuration

      subnets_vlan_example_cl_pt_113104.png
    • routers configuration

      routers_example_cl_pt_113104.png
  17. (Optional) You can also add the sva-setup configuration based through a JSON file, using the following command in the terminal: sva-setup --monitored-networks network.json

    The JSON file should contain the list of routers, subnets and the group ID:

    {
    	"gateways": [
    		{
    			"ip": "gateway-ip",
    			"mac": "gateway-mac"
    		}
    	],
    	"groupId": 1,
    	"home_net_vlan": [
    		{
    			"isTrafficTagged": "yes/no",
    			"subnet": "subnet/mask",
    			"vlanId": vlanID
    		}
    	]
    }

    If the isTrafficTagged variable is set to no, the vlanId variable is not required.

    Here is an example of a JSON file containing the configuration displayed in the example above:

    {
    	"gateways": [
    		{
    			"ip": "100.100.0.100",
    			"mac": "0F:0F:0F:0F:0F:0F"
    		},
    		{
    			"ip": "10.0.0.1",
    			"mac": "00:01:02:03:04:05"
    		},
    		{
    			"ip": "10.0.1.1",
    			"mac": "06:07:08:09:10:11"
    		},
    		{
    			"ip": "10.0.2.1",
    			"mac": "12:13:14:15:16:17"
    		},
    		{
    			"ip": "10.0.3.1",
    			"mac": "20:21:22:23:24:25"
    		}
    	],
    	"groupId": 1,
    	"home_net_vlan": [
    		{
    			"isTrafficTagged": "no",
    			"subnet": "10.0.0.0/24"
    		},
    		{
    			"isTrafficTagged": "yes",
    			"subnet": "10.0.1.0/24",
    			"vlanId": 10
    		},
    		{
    			"isTrafficTagged": "yes",
    			"subnet": "10.0.2.0/24",
    			"vlanId": 20
    		},
    		{
    			"isTrafficTagged": "no",
    			"subnet": "10.0.3.0/24"
    		}
    	]
    }
  18. If the connection is successful, the Network sensor will be displayed in the GravityZone platform, in Network > Computers and Groups (in approximately 30 seconds).

    xEDR-NS-in-network-page.png
  19. The Network sensor main log file can be found here:

    /opt/bitdefender/var/log/bdxdrd.log
    xEDR-main-log-file.jpg

View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster.

If you encounter any issues with your Network sensor, you can collect debug logs and contact Bitdefender Enterprise Support for assistance.