Installing a Modular, Network, or Security Sensor in GCP

A network sensor monitors the virtual environment, the physical environment if connected to the span port of a physical switch, or the LAN segment via a mirror port on a switch. The sensor monitors network and server response times and can identify applications.

The network sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then provide security, DDoS, and breach attempt detections.

A security sensor operates as a network sensor and adds:

  • sandbox
  • anti-virus
  • IDS

You can also tunnel traffic over VXLAN from an agent sensor, network sensor, or container sensor to the security sensor so it can inspect those environments.

A modular sensor lets you easily add the features you like to your sensor. This helps simplify your deployment and lets you manage the VM requirements for the sensors based on the modular features they use. A modular sensor is also recommended by Stellar Cyber when you want to deploy an aggregator – simply enable the Aggregator feature in its Modular Sensor Profile.

You can install a modular, network, or security sensor in GCP. To install you must:

  1. Prepare.
  2. Launch the instance.
  3. Connect to the DP.
  4. Authorize the sensor.

Preparing

Click to see the minimum system requirements for installing a modular, network, or security sensor.

You must have:

  • One IP address with access to a default gateway
  • A Stellar Cyber license that can be applied to the sensor

To prepare for the installation:

  1. Open firewall ports for a network sensor security sensor.
  2. Open firewall ports for log ingestion.
  3. Contact Stellar Cyber support (support@stellarcyber.ai) for access to the image. You must provide:
    • The GCP Gmail account name

Do this at least a day before installing, so we have time to deploy the images to your account.

Configuring and Launching the Instance

To configure and launch the instance:

Use our example as a guideline, as you might be using a different software version.

  1. Log in to your Google Cloud Platform Console.

  2. Use the dropdown in the toolbar to select the Project where you want to deploy the DP.

  3. Select the Compute Engine | VM instances entry from the left navigation panel.

  4. Click the Create Instance button.

  5. Supply a Name, Region, and Zone for the instance.

  6. Choose a Machine type for the instance. You can either choose one of the preconfigured GCP machine types or create a Custom machine type, so long as the instance meets the minimum specifications for your sensor type.

    Note that Stellar Cyber recommends that in a GCP deployment, you increase the standard provisioning for security and network sensor virtual machines as follows:

    • Network Sensor – 4 virtual cores, 16 GB memory.

    • Security Sensor – 16 virtual cores, 32 GB memory.

    In the example below, we are creating a Custom Machine Type with 16 virtual cores and 32 GB of memory to serve as the foundation for a Security Sensor:

  7. Scroll down to the Boot disk section and click the CHANGE button.

  8. Click on the CUSTOM IMAGES tab and then click the CHANGE button in the Source project for images entry, as illustrated below.

  9. Click the SELECT A PROJECT button, set the Organization dropdown to NO ORGANIZATION, and choose the stellar-official-images project, as illustrated below.

    The stellar-official-images entry won't appear until we've made images available to your account. If you don't see the stellar-official-images entry, make sure your region is the same one where you asked Customer Success to deploy the images. If you still don't see the entry, contact Customer Success.

  10. Select the entry for your sensor version and type from the Images dropdown. We've selected a Security Sensor image in the illustration below (stellar-securitysensor-x-x-x).

  11. Set the Boot disk type to Balanced persistent disk, choose a size of 100 GB, and click Select.

    You are returned to the Create an instance wizard.

  12. Click the Create button to create the instance.

    You can launch the image but you cannot copy it. This means that the VM must be deployed in the GCP region where the image was authorized.

The VM is now running in the GCP cloud and appears in the Compute engine | VM instances list, as illustrated below. Copy the External IP address so you can use it to connect to the Sensor's console in the next section.

Connecting the Sensor to the DP

To connect to the DP:

  1. Log in to your new sensor. The default username/password is aella/changeme. You are immediately prompted to change the password.

  2. Change the password.

    After you change the password, your session closes automatically. When you log back in with your new credentials, the prompt changes to DataSensor>.

  3. Set the host name. The host name is displayed in Stellar Cyber and should be unique for each sensor:

    set hostname <new hostname>

  4. If necessary, set the proxy HTTP server:

    set proxy http://<proxy IP address:port>

  5. Optionally assign the tenant (if you skip this, the sensor is assigned to Root Tenant):

    set tenant_id <Tenant ID from Stellar Cyber>

  6. Use the set cm command to specify the IP address to reach the management interface of the Data Processor. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can specify either an IP address or a hostname. For example:

    set cm 192.168.44.10

    or:

    set cm example.company.com

    If you specify a hostname rather than an IP address, the system attempts to verify the hostname with the DNS server. If the DNS server is not reachable, the system reports the error and lets you either proceed with the configured hostname or quit. This way, you can specify a hostname for the set cm destination in an offline environment without access to a DNS server.

  7. Verify with the show cm command. You should see the IP address of the DP listed as the CM Controller and the Status should be Established.

  8. Use the show time command to view the time zone.

    During installation, the timezone for sensors are automatically set to UTC+0. Since the logs for some security products may only include the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.

  9. Log out with the quit command.

The sensor automatically contacts the DP to register itself.

Authorize the Sensor

You must authorize the sensor when it appears in the network.

You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.

Configuring Packet Mirroring in GCP

Refer to Configuring GCP Packet Mirroring for details on how to use packet mirroring for packet acquisition in GCP environments.