NDR: Deploying a Virtual Sensor in VMware
Description
Notice
-
This guide is intended to serve as an example only. Users must modify applicable details, such as IP addresses, subnets, and device names, to align with their specific environment.
-
Exercise caution when making changes to your firewall or environment, as unplanned modifications can result in downtime, depending on the complexity of the configuration and infrastructure.
-
Your experience may vary if you are using a different software version or a product from another brand or manufacturer. Please note that you are solely responsible for the configuration and management of your devices.
VMware Modular Sensor Deployment
CAUTION: The examples below are intended to be serve as general guidelines. Your platform or software version may differ, resulting in variations in images, screens, options, or other elements. Site Preparation
You will need:
- Server switch with a physical network interface that supports promiscuous mode
- One IP address with access to a default gateway
- A Stellar Cyber license that can be applied to the sensor
- Open firewall ports for log ingestion
- Open firewall ports for Network Traffic, Sandbox, and IDS features, as necessary
Downloading Images
You can download the images for modular sensors using the link below.
- Download the modular sensor image from the following URL: aella-modular-ds-5.1.1.ova
Supported ESXi Versions
Sensor installation is supported on the following ESXi versions:
- 8.0
- 7.0
- 6.7
Installation Steps
Once the prerequisites have been met, use the following procedure to install the sensor:
- Create a new virtual switch with port mirroring capabilities. Start with the add-networking wizard function and select the Virtual Machine Port Group option as shown in the following image.
- You can add the port to an existing switch or create a new switch. The following image shows the attachment being made to an existing switch named vSwitch0.
- Create a network label with the VLAN ID of 4095. This is shown in the following image.
- At this point the settings should be complete. Select the "FINISH" button as shown below.
- When completed, the resulting switch can be seen in the Networking section of the vCenter Navigator as shown in the following image. Select the network connection as shown in "STEP 1" and then the Edit button shown as "STEP 2".
- Select the "Security" panel option and enable Promiscuous Mode by selecting the appropriate Override and Accept controls as shown in the following image.
- You can repeat the above steps as necessary to monitor additional ports.
- The next steps create the VM. Select the option to deploy a new OVF template wizard and use the Local file option, as shown below.
- The Stellar Cyber distribution provides an OVA file, which is a format that includes the requested OVF file as a component.
- On the next screen provide the VM a name and select the appropriate data center where it will be deployed, as shown below:
- Within the data center, there may be more than one resource that can run the VM. Select the one which hosts the mirror port. A simple configuration is shown in the following image:
- Once the selections are made, the summary page appears as follows. If the settings are correct, click the Finish button shown in the following image:
- The VM is loaded into the hypervisor management and can then be seen in the vCenter summary page. An example of this is shown in the following image:
- Expand the Virtual Hardware sub-page. The Management channel used by the sensor is implemented over "Network Adapter 1" which needs to be connected. Select it as shown in the following image:
- Select the "Edit Settings" menu item to add a second adapter.
- This is the network interface that will be used to monitor traffic on the virtual switch we created in prior steps. This is shown in the next two images. Note that you can only add a network adapter to the VM while it is powered off:
- At this point the Sensor is installed and can be started. An example of this is shown in the following image:
