Deploy additional Application Discovery network sensors

This topic describes how to deploy additional network sensors as needed, directly on a customer-owned Windows or Linux machine, or on a repurposed ASMS machine.

The Application Discovery server contains a network sensor that captures data from across your ASMS network. Additionally, AAD traffic log sensors are automatically installed wherever a syslog server is running on your system (Remote Agents, Central Manager).

You may need to add additional network sensors if you want to capture traffic from other networks or to separate your Application Discovery server and sensor machines.

For more details about traffic collection using remote network sensors, see Traffic collection options.

Sensor installation options

The following table describes the supported configurations for installing additional sensors, and the high-level steps required for each configuration:

ESX with port mirroring

Do the following:

  1. Deploy an Application Discovery sensor to each ESX server.
  2. Configure each sensor to view traffic in promiscuous mode.
Physical server with port mirroring

Do the following:

  1. Prepare a separate server for the Application Discovery sensor. The server can be physical or virtual, and Windows or Linux.
  2. Direct mirrored traffic to the sensor.
Local mode with direct capture

Install a sensor on any server from which you want to capture traffic.

For more details, see on this page Deploy remote Application Discovery network sensors.

Note: To configure statistical traffic collection with NetFlow/SFlow, we recommend using the sensor installed together with the Application Discovery server.

For more details, see Deploy Application Discovery .

Application Discovery network sensor system requirements

Additional Application Discovery sensors must be installed on a Linux or Windows server with the following minimum specifications:

CPU

Standard: 4-core CPU, if expected traffic load has a maximum of 2 Gbps

Large: 8-core CPU, if expected traffic load is 2 - 4 Gbps

Memory

Standard: 4 GB

Large: 8 GB
Disk space 1 GB free disk space
Network adapters

At least 2 network adapters:

  • 1 adapter connected to each source mirror port or LAN
  • 1 adapter connected to the LAN, for communication with the Application Discovery server

Software

(Windows only)

When deploying a Windows sensor, make sure you have the following software installed on the Application Discovery sensor machine. From https://www.microsoft.com/ :

  • Visual Studio 2019 - X64 package

  • Visual Studio 2013 (VC++ 12.0) - X64 package
Linux OS CentOs 7
Windows OS Windows Server 2016

Note: You can adjust the load of traffic to a sensor by setting the NetFlow frequency filter

When deploying on a virtual machine, network cards must be physically connected to the switch / router.

Deploy remote Application Discovery network sensors

This procedure describes how to deploy additional Application Discovery sensors.

Note: If you are deploying additional sensors, each additional sensor must be deployed on its own machine. Use different machines than the ones you are using for the Application Discovery server and the ASMS installation.

Do the following:

Do the following:

  1. Verify that your Application Discovery sensor machine complies with the system requirements. For details, see on this page Application Discovery network sensor system requirements.

  2. Access Application Discovery:

    1. Log in to ASMS and open AppViz. See Access AppViz.

    2. From the AppViz main menu select DISCOVERY.

  3. On the top menu bar select Download Sensor.

  4. Click to download the required installation file for Windows Remote Sensor. A .msi file is downloaded for your Windows sensor deployment.

  5. Run the extracted AutoDiscoverySensor-Windows-x64.msi file.

  6. Click Next to start the wizard.

    Accept the EULA, and continue through the wizard as instructed.

  7. The wizard includes an OpenSSL installation. When prompted to select the location to copy the OpenSSL DLLs, select The windows system directory.

  8. Complete the final steps of the wizard. Your sensor is installed and ready to use with Application Discovery.

This procedure describes how to deploy an Application Discovery sensor on Linux.

Do the following:

  1. Verify that your Application Discovery sensor machine complies with the system requirements. For details, see on this page Application Discovery network sensor system requirements.

  2. Access Application Discovery:

    1. Log in to ASMS and open AppViz. See Access AppViz.

    2. From the AppViz main menu select DISCOVERY.

  3. On the top menu bar select Download Sensor.

  4. Click to download the required installation file for Linux Remote Sensor. A .run file is downloaded for your Linux sensor installation

    Tip: You can download the file directly to the Linux remote sensor by running the following code:

    wget --no-check-certificate https://<server IP>/AutoDiscovery/WebServices/api/v1/webGui/sensorInstallationFileDownload?fileType=Linux

  5. Deploy the downloaded file on your sensor machine. Run in installation:

    ./AutoDiscovery-Linux-x64.run

  6. After installation is completed, exit by pressing CTRL+C.

Your sensor is deployed and ready to use with Application Discovery.

This procedure describes how to repurpose an ASMS machine to run as an Application Discovery sensor.

Important: When you repurpose an ASMS machine to be an Application Discovery sensor, the process is irreversible.

  • The machine cannot be used for other purposes in the future.

  • The algosec_conf menu will not be accessible.

  • For security updates, upgrade of appliance build is run manually.

Do the following:

  1. Deploy a new ASMS machine.

  2. Run this script (Note: the operation is irreversible!):

    /usr/share/algosec_toolbox/convert-to-network-sensor-machine.sh

  3. After installation is completed, exit by pressing CTRL+C.

Your sensor is installed and ready to use with Application Discovery.

This procedure describes how to deploy an Application Discovery sensor on a VMware machine.

Do the following:

  1. Navigate to https://portal.algosec.com/en/downloads/software?get=autodiscovery&switch=sensor to install the OVF via the portal.

  2. Choose VMware and A32.20 from the New Installation dropdowns. Then click Next.

  3. Click Download to save the installation software to your computer.

  4. Install OVF.

  5. If you need to change the IP address you must use ifconfig (see Change IP address using ifconfig).

    Important: algosec_conf must not be used to change the IP address.

    Change IP address using ifconfig

    Do the following:

    1. Open the terminal application.

    2. List the current IP addresses for all network interfaces with command:

      ifconfig -a

    3. Take the network interface down with command:

      ifconfig <interface> down

    4. Change the IP address with command:

      ifconfig <interface> <ip address> <netmask>

    5. Press Enter to run the command.

    6. Verify that the new IP address is correct with command:

      ifconfig -a

    7. Take the interface up with command:

      ifconfig <interface> up

Upgrade remote Application Discovery sensors

For Windows and Linux machines

Important: For security updates for a VMware machine, reinstall OVF manually.

Do the following:

  1. On the Application Discovery web console, go to the Sensors tab.

  2. Select the checkboxes of the sensors you want to install from the list.

  3. Click Upgrade.

Additional Application Discovery requirements based on network traffic collection method

Note: The number of sensors to install and where to install them depends on your network's load and topology.

For example, if you have packet brokers or standalone sniffers already collecting traffic on your network, you can send the traffic they collect to a single sensor. This avoids the need to thoroughly cover your network with sensors.

Configure one of the following:

Configure full capture by connecting an Application Discovery sensor to a mirrored switch port or a TAP device.

In both cases, the output rate must match the AlgoSec appliance collector rate and interface.

System requirements for full capture include the following:

Collection rates

Supported collection rates are 250,000 packets(s) for an AlgoSec 2062 appliance-based collector and 1,000,000 packet(s) for an AlgoSec 2322 appliance.

These are recommended collection rates, since AlgoSec Application Discovery is statistical in nature and a loss of a few packets has no adverse effect.
ESX infrastructure

In order to enable port mirroring for a Sensor is installed on an ESX server, the server must be configured in promiscuous mode and the traffic must be mirrored to a port group.

Adding a Sensor to that port group will enable the Sensor to capture all of the traffic.
Log formats

From version 2.4.3, the Sensor can optionally receive traffic in the following log formats:

  • ERSPAN (type 2 and 3)
  • GRE (IP 800 and Transparent Ethernet Bridging 6558)
  • Encapsulated Remote Mirroring in VMware environments (on VDS from VSphere 7 and up)

Port mirroring hardware requirements

When installed in port mirroring mode, memory and CPU requirements depend on the amount of traffic monitored.

Estimated minimum requirements include:

  • Dual CPU/dual core
  • 2GB RAM
  • 10MB free disk space
  • 2 Network Adapters - one connected to the mirror port, the other connected to the LAN.

Note: For information on how to configure mirroring for a port, see your Switch/Router/Firewall documentation.

TCPReplay enables full traffic capture by simulating the traffic in collected PCAP files and sending that traffic to the Application Discovery sensor.

For example, use TCPReplay to collect PCAP files as follows:

  • By Packet Brokers, such as VSS or Fluke
  • By open source tools, such as Ethereal or TCPdump

Tip: Multiple PCAP files can be merged and played back simultaneously. This requires timing synchronization of better than 1 ms when collecting data.