The Network sensor

The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.

It is configured in TAP mode and gets a copy of the network traffic via a SPAN port. It can detect any type of device that communicates via IPv4 or IPv6 network protocols, regardless of whether the device is managed by Bitdefender or not. If there are any IoT devices on the network that communicate using those same protocols, the Network sensor will inspect that traffic as well.

For more information about the Network sensor requirements, refer to the Network sensor requirements page.

Note

The Network sensor does not support SCADA or any particular OT protocols.

After configuration, the Network sensor continuously listens to network traffic, collects events from all endpoints in your environment, pre-processes and pre-filters them, and sends both metadata and detections to GravityZone Security Analytics engine.

View the triggered detections in the Incidents > Search section, by using the following query: other.sensor_name:network. These detections are used to enrich the context of Extended Incidents generated by GravityZone.

Preparing your environment for the NSVA Network Sensor Appliance deployment

Before deploying the Network Sensor Virtual Appliance (NSVA) for GravityZone XDR, take the following steps to prepare your environment:

Tip

The NSVA appliance supports monitoring more than one network subnet with a single appliance.

Ensure all network subnet requirements are met:
- Non-overlapping IP address spaces - Networks monitored by a single NSVA appliance must not have overlapping IP address spaces.
  This is crucial to avoid event correlation inconsistencies and ensure accurate monitoring.
- Non-duplicated MAC addresses - Networks monitored by a single NSVA appliance must not contain duplicated MAC addresses.
  This is crucial to avoid event correlation inconsistencies and ensure accurate monitoring.
- Network routers information - A list of IP and MAC addresses for the routers handling traffic for the monitored subnets. These will be required during setup.
A NSVA network sensor appliance will need to be configured to monitor at least one subnet and be provided with at least an internet gateway and/or router for each of the monitored networks.
Configure the NSVA Group ID
The group ID is a user-defined integer value that is configured on each NSVA appliance and allows for partitioning of the network monitoring in case overlapping address spaces are present in your infrastructure.
Please consider the following guidelines:
- The NSVA Group ID can have values between 1 and 254.
- NSVA appliances with the same group ID must not monitor network subnets with overlapping address spaces.
- Use the same group ID for appliances monitoring distinct subnets with non-overlapping IP address spaces or duplicated MAC addresses. This helps GravityZone treat that network site as a consistent partition of the environment and correlate events across its entirety.
- Avoid configuring more than one NSVA appliance within the same group ID to monitor the same network subnet.
- Each network subnet should be monitored only once within the same GravityZone company to avoid redundant monitoring and potential data conflicts and duplication
- If your infrastructure does not have subnets with overlapping address spaces that need to be monitored within the same GravityZone company, you should let all the NSVA network sensor appliances to use the default group ID value (1).
Set up traffic monitoring.
The NSVA appliance monitors network traffic using mirroring (also known as SPAN) switchport sessions. Depending on your network equipment, different terminologies might be used.
One NSVA appliance can monitor traffic from multiple networks over the same network interface, through a session that mirrors traffic from one or more network segments or switch ports. The NSVA appliances can monitor traffic delivered via SPAN, RSPAN or mirroring
Important
Ensure that your network hardware supports SPAN or mirroring sessions to facilitate traffic delivery to the network sensor appliance.

By following these prerequisites, you can ensure the successful deployment of the NSVA network sensor appliance, and set up comprehensive and conflict-free network monitoring.

To add the Network sensor, follow these steps:

Install the Network sensor

You can deploy the Network sensor in your environment by using the prebuilt appliance images for vSphere, Hyper-V, or you can install it manually.

These steps must be followed to deploy the Network sensor probes in your environment. For hardware requirements see Network sensor requirements.

Open the vSphere client, and click File > Add OVF template to create an OVF template for the Network Sensor Virtual Appliance (NSVA) that will be used to configure and activate the Network sensor in your environment.
You can select a template from:
- a remote URL - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.ova
- a local file system (hard drive, network share, CD / DVD drive) where the NSVA kit was downloaded.
After selecting the OVF template click Next.
Name the network sensor virtual appliance and select the deployment location.
Click Next.
Select the target endpoints in your environment where to deploy the Network sensor probes and then click Next.
Verify the details of your NSVA template and click Next.
On the Select storage page, define where and how to store the files for the deployed NSVA template.
1. Select the disk format for the virtual machine virtual disks.
  Choose from the available options:
  - Thick Provision Lazy Zeroed
  - Thick Provision Eager Zeroed
  - Thin Provision
2. Select a storage policy.
  Note
  This option is available only if storage policies are enabled on the target endpoints.
3. Select a datastore to store the deployed NSVA template.
  The configuration file and virtual disk files are stored on the datastore. Select a datastore large enough to accommodate the virtual appliance and all associated virtual disk files.
On the Select networks page:
1. Select the network interface that establishes communication between the Network sensor appliance and GravityZone.
2. Select the SPAN network that will be monitored by the Network sensor probes.
  Important
  After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to the Network sensor configuration.
Click Next.
Optionally, customize the NSVA deployment properties and click Next.
On the Ready to complete page, review the details and click Finish.
After the creation task is completed, open your Network sensor virtual appliance and start the configuration process.

These steps must be followed to deploy to deploy the Network sensor probes in your environment. For hardware requirements see Network sensor requirements.

Download the Network sensor virtual machine kit in one of the following formats:
- .vhd - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.vhd.
- .vhdx - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.vhdx
Open Hyper-V Manager and from the Action pane click New > Virtual Machine... to create a virtual machine that will be used to configure and activate the Network sensor in your environment.
In the Before You Begin window, click Next to create a virtual machine with a custom configuration.
In the Specify Name and Location window, add your virtual machine name and the location where the image was downloaded.
In the Specify Generation window you must:
- Select Generation 1 if you have downloaded the .vhd image type.
- Select Generation 2 if you have downloaded the .vhdx image type.
In the Assign Memory window, set the Startup memory to 2048 MB.
In the Configure Networking window, set the Connection to the desired network interface.
In the Connect Virtual Hard Disk window select the Use an existing virtual hard disk option and browse for the location of the downloaded Network sensor VHD kit.
In the Summary page, review the details and click Finish.
In Hyper-V Manager right-click the newly created virtual machine, and go Settings.
1. If the Generation 2 virtual machine was selected, go to Security and select Microsoft UEFI Certificate Authority from the Template dropdown list.
2. Go to Add Hardware and select Network Adapter to add the SPAN network that will be monitored by the Network sensor probes.
  Important
  After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to the Network Sensor configuration.
3. Select the desired SPAN network and click Apply .
4. Open Advanced Features of the SPAN network adapter and set the Port mirroring mode to Destination, then click Apply.
Start the Network sensor virtual machine and begin the configuration process.

The default configuration for the Network sensor virtual appliance requires:

Two network adapters:
- The first adapter is used to communicate with GravityZone and it requires internet access.
- The second adapter is configured in promiscuous mode by the installation script and must receive a copy of the network traffic through a SPAN port.
Two CPUs and 2 GB of RAM

Memory	CPU	Processed throughput
2 GB	2 x 2 GHz	5 Gbps
2 GB	2 x 1 GHz	2.5 Gbps
2 GB	2 x 0.5 GHz	1 Gbps

The VM will be dedicated to the Bitdefender Network sensor and serves no other purpose. Installing 3rd party services alongside the Bitdefender Network sensor is not supported.

Environment setup

You must create an Ubuntu Server 20.04 with the following specifications:

The VM can have the root user with a password
The VM can have an administrator user with a password (the root user without using a password)
The VM can have multiple users with passwords (the root user without using a password)
The VM can have multiple users with passwords (the root user using a password)

Install the script

To manually install the script, you must follow these steps:

Log in to the VM via TTY or SSH.
Download the install-xdr-nsva.tar archive from here.
Extract script from the archive using the following command: tar -xf install-xdr-nsva.tar.
Set execute permissions for the script using the following command: chmod +x install-xdr-nsva.sh.
Start the installation by running the following command: sudo ./install-xdr-nsva.sh [--users <user_name1 user_name2 ...>].
The script can be run with or without the --users <user_name1 user_name2 ...> parameter. To run the script without the parameter, the root user must have a have password set up.
If the script is run and the user doesn't have a password set, the following error message is going to be displayed: "Error: provide a list of users to receive SSH access or set a usable root password. For more information, run the following command: ./install-xdr-nsva.sh --help".
After the network interfaces configuration, you must reboot the VM.
After rebooting, connect to the VM through TTY and check if the network interfaces and the IPs have been changed.
Run the same command from step 5 again to complete the installation.
After the installation is complete, you can configure the Network sensor virtual appliance starting from step 4.

Important

The SSH connection is allowed only for the users that were added with the --users <user_name1 user_name2 ...> parameter and/or for the root user if a password was set. You can check the SSH connection for any user added as a parameter.

In addition, the root user password expires every 90 days.

Configure the Network sensor virtual appliance

After installing the Network sensor, follow these steps to configure the virtual appliance:

Start the Network sensor virtual machine.
Log in via SSH using root / sve as username and password.
Change the password.
The default password does not meet the new security password requirements, so you have to change it. It must contain at least 8 characters, one digit, at least one upper case character, at least one lower case character, one special character and must be changed every 3 months.
Note
For more information about resetting the root password, refer to Reset root password for Security Server.
To configure the Network sensor, run the following command:
```
/opt/bitdefender/bin/sva_setup.sh
```
The sva_setup interface allows for comprehensive network configuration, including the setup of subnets, VLANs, and routers.
Start the configuration process. Use the arrow keys to navigate and select OK or Cancel to confirm or discard your choices.
Network configuration - allows setting the following modes:
- eth0: this is the primary interface used in the Dynamic Host Configuration Protocol (DHCP) mode to enable communication with GravityZone.
- eth1: this is the interface in promiscuous mode, used to analyze network traffic.
Select the interface to be set in promiscuous mode for traffic monitoring and then configure the communication interface:
1. Select Network configuration.
2. Select the promiscuous interface. By default it is eth1.
3. Select the configuration mode for the primary interface:
  - If no change is needed, select 1. DHCP (current).
  - If the primary interface must have static IP address, select 2. Static and complete the configuration:
Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone .
Go to Communication server configuration and select one of the following options, based on your browser's URL:
- For cloudgz.gravityzone.bitdefender.com: GZ Cloud Instance 1
- For cloud.gravityzone.bitdefender.com: GZ Cloud Instance 2
- For cloudap.gravityzone.bitdefender.com: GZ Cloud Instance 3
Configure the Company hash - the GravityZone company hash where the Network sensor sends the data (Login to GravityZone > My Company > My Company hash).
The Configure monitored networks menu allows you to manage and configure various network settings. For more information on how to prepare your environment for the Network sensor, refer to this section.
Choose one of the following options:
In the Configure subnets and VLANs window you can set up and manage network subnets and Virtual Local Area Networks ID’s (VLAN IDs):
Note
If a subnet is not declared, its traffic won't be monitored even if it reaches the Network sensor.
1. View/Edit subnet list - here you can view and edit the list of added subnets and VLANs.
2. Add a new subnet - here you can add a new subnet.
3. You can configure the monitored subnet address by using the CIDR notation and VLAN ID if the traffic is tagged.
4. Select Yes to confirm your configuration.
5. Remove subnet - this options allows you to remove any subnet.
Note
If the traffic is untagged, no VLAN ID is required.
In the Set Network group ID window you can assign or modify the network group identification number:
- The group ID must be an integer between 1 and 254.
- Unique Group ID for Overlapping Subnets: NSVA appliances with the same group ID must not monitor network subnets with overlapping address spaces.
- Consistent Group ID for Non-overlapping Subnets: Use the same group ID for appliances monitoring distinct subnets with non-overlapping IP address spaces.
This is an example of Group ID assignment based on subnets with overlapping address spaces:
In the Configure routers window you can configure the network routers:
1. View/Edit router list - here you view and edit the list of added routers.
2. Add new router - this option allows you to add a list of IPs and MAC addresses for different routers and/or internet gateway in the monitored network infrastructure.
  Afterwards you can confirm your configuration by selecting Yes.
3. Remove router - this option allows you to remove elements from the list of added routers.
After the configuration is complete, select Apply configuration.
If the configuration is incorrect, you can select Discard changes to discard any changes made and revert to the previous settings.
This is an example of a network with multiple subnets:
Based on the network configuration diagram, the Network Sensor configuration includes:
- subnets and VLANs configuration
- routers configuration

(Optional) You can also add the sva-setup configuration based through a JSON file, using the following command in the terminal: sva-setup --monitored-networks network.json

The JSON file should contain the list of routers, subnets and the group ID:

{
	"gateways": [
		{
			"ip": "gateway-ip",
			"mac": "gateway-mac"
		}
	],
	"groupId": 1,
	"home_net_vlan": [
		{
			"isTrafficTagged": "yes/no",
			"subnet": "subnet/mask",
			"vlanId": vlanID
		}
	]
}

If the isTrafficTagged variable is set to no, the vlanId variable is not required.

Here is an example of a JSON file containing the configuration displayed in the example above:

{
	"gateways": [
		{
			"ip": "100.100.0.100",
			"mac": "0F:0F:0F:0F:0F:0F"
		},
		{
			"ip": "10.0.0.1",
			"mac": "00:01:02:03:04:05"
		},
		{
			"ip": "10.0.1.1",
			"mac": "06:07:08:09:10:11"
		},
		{
			"ip": "10.0.2.1",
			"mac": "12:13:14:15:16:17"
		},
		{
			"ip": "10.0.3.1",
			"mac": "20:21:22:23:24:25"
		}
	],
	"groupId": 1,
	"home_net_vlan": [
		{
			"isTrafficTagged": "no",
			"subnet": "10.0.0.0/24"
		},
		{
			"isTrafficTagged": "yes",
			"subnet": "10.0.1.0/24",
			"vlanId": 10
		},
		{
			"isTrafficTagged": "yes",
			"subnet": "10.0.2.0/24",
			"vlanId": 20
		},
		{
			"isTrafficTagged": "no",
			"subnet": "10.0.3.0/24"
		}
	]
}

If the connection is successful, the Network sensor will be displayed in the GravityZone platform, in Network > Computers and Groups (in approximately 30 seconds).
The Network sensor main log file can be found here:
```
/opt/bitdefender/var/log/bdxdrd.log
```

View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster.

If you encounter any issues with your Network sensor, you can collect debug logs and contact Bitdefender Enterprise Support for assistance.

In this section:

The Network sensor

Note

Preparing your environment for the NSVA Network Sensor Appliance deployment

Tip

Important

Install the Network sensor

Note

Important

Important

Important

Configure the Network sensor virtual appliance

Note

Note

Note

Search results