What is the BlockBox?
The BlockBox Appliance is a hardened Linux virtual appliance with an onboard web server
designed to provide a richly detailed but easy-to-understand portrait of your IT environment. It
is also available as a standalone, self-contained package that will run on a Windows server or
desktop.
The information capture elements of the BlockBox are designed to build an exhaustive and
accurate inventory of all endpoints, whether Windows PCs and servers, Linux or Solaris systems,
OSX devices, SNMP-enabled Layer 2 and Layer 3 devices, or even mobile devices connected to
your wireless network.
The on-board reporting provided by the BlockBox is designed to be easy to use, requiring the
fewest clicks possible, and to answer key questions about the hardware and software present in
your environment.
We recommend standing up and deploying the BlockBox as soon as is convenient, so that the
discovery window is as long as possible and there is ample time to capture machines as they
come on and off the network.
Following is an illustrative example of how we might configure the different appliances, should we
require more than one, and how they will all check back into our master reporting server.
The Data We Gather
- Network: By scanning your internal subnets, we can detect all devices on the network and store their IP addresses.
- Hardware: Manufacturer and model information is recorded, as well as hardware-specific details like CPU and RAM.
- Software: From general installed software records to database instances, we collect as much as we can without accessing personal data.
- Active Directory: By pulling user and device data from Active Directory, we can gain useful analytical insights as well as have a reference for discovery progress.
- Virtual Infrastructure: Collecting virtual management, host, and guest relationships is relevant to cloud readiness and server optimization activities.
- Usage and Performance Data: Activity metering and resource utilization are valuable in assessing your cloud readiness and uncovering optimization opportunities.
We have compiled a Security FAQ that is available on our website.
Who will have access to my data?
During this engagement, and in order to prepare your deliverable(s), the analysis and support team at Block 64 and/or at the partner you are collaborating with will be able to view the data that has been gathered. That data is destroyed after 90 days. Our Privacy Policy is available on our website.
What You’ll Want to Have on Hand:
- Virtual Machine: The BlockBox appliance image deployed on a virtual host
- Network: All internal networks in scope; CIDR notation or single IP addresses are accepted
- Active Directory: A domain controller per domain in scope; IP address or FQDN formats are accepted
- Windows Inventory: A service account with the following levels of access:
  - Access to C$ (Example: \\10.0.0.50\ADMIN$\... or \\192.168.2.5\ADMIN$\...)
  - The ability to run NET RPC / Remote Registry (collection of software/hardware data)
  - Remote (read-only) WMI (polling CPU, RAM usage and disk IOPS)
  - WinRM
- Virtual Infrastructure: Read-only administrator credentials for each vCenter Server in scope.
- Linux Inventory: A local or domain credential with access to files in /proc/. Superuser rights are preferred for accurate data collection but are not required.
- Mac Inventory: Administrative or Root Credentials
- SNMP: Community strings or v3 credentials
- Azure: A local administrative or service account for each endpoint that has access to the protocols required for inventory (WMI, SMB, RPC).
The Network Ports We Leverage
A question we often get leading up to deployment or during troubleshooting is: which ports will your inventory and other processes use on my network? The good news is that these ports are very rarely, if ever, blocked. Here is the complete list of ports we presently use for inventory purposes:
Windows Inventory*:
- TCP 135, 1025-5000 and 49152-65535 (WMI)
- TCP 445 (SMB / RPC)
- TCP 5985, 5986 (WinRM HTTP and HTTPS)
- TCP 1025 (alternate NetBIOS)
- TCP 465 (SSL-encrypted email)
- TCP 139 (NetBIOS)
- UDP 137, 138 (NetBIOS)
Active Directory Data:
- TCP 389 (LDAP)
- TCP 636 (LDAPS)
External Data Feeds:
- TCP 80 (HTTP: external data feeds)
- TCP 443 (HTTPS: external data feeds, updates/patches, external data and debug transfer)
- Destination hosts: combine.block64.com and sublimation.block64.com
Linux Inventory:
- TCP 22 (SSH: OSX and POSIX-compliant inventory, CLI access)
Oracle DB Inventory:
- TCP 1521 (Oracle DB connection)
SNMP Devices:
- UDP 161 and 162 (SNMP)
We have created instructions to create and apply a GPO that allows for inventory in a Windows Defender environment available here. A whitelisting guide for third-party security software can be found here.
*Note: endpoints require a firewall rule that allows inbound connectivity on these ports from the BlockBox only, not from the network at large.
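One way to create that endpoint rule set so it is scoped to the appliance address only, as an added example that is not Block 64's own GPO or script: the port sets are taken from the Windows Inventory list above; the BlockBox IP is a placeholder, and TCP 80, 443 and 465 are assumed to be outbound from the appliance (email and data feeds) and so are not opened inbound on endpoints.

```powershell
# Added example (not Block 64's own script): scope the Windows inventory ports
# to the BlockBox address only, as the footnote above requires.
# Assumptions: $BlockBoxAddress is a placeholder; 80/443/465 are appliance-outbound
# and are deliberately not opened inbound on endpoints.
param(
    [string]$BlockBoxAddress = '10.0.0.250',   # placeholder: replace with the appliance IP
    [switch]$Remove                             # -Remove tears the rule group down again
)

$group = 'BlockBox Inventory'

# Port sets exactly as listed in the "Windows Inventory" section (TCP 1025 is
# already covered by the 1025-5000 dynamic RPC range).
$rules = @(
    @{ Name = 'BlockBox WMI (RPC mapper + dynamic ports)'; Protocol = 'TCP'; Port = @('135','1025-5000','49152-65535') },
    @{ Name = 'BlockBox SMB/RPC (Remote Registry, admin shares)'; Protocol = 'TCP'; Port = '445' },
    @{ Name = 'BlockBox WinRM HTTP/HTTPS';                 Protocol = 'TCP'; Port = @('5985','5986') },
    @{ Name = 'BlockBox NetBIOS session';                  Protocol = 'TCP'; Port = '139' },
    @{ Name = 'BlockBox NetBIOS name/datagram';            Protocol = 'UDP'; Port = @('137','138') }
)

if ($Remove) {
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    return
}

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Group $group `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $BlockBoxAddress | Out-Null
}

# Verify: every rule in the group must list only the appliance as RemoteAddress.
# Any rule showing "Any" here would expose the inventory ports to the whole network.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr -join ',')
    }
} | Format-Table -AutoSize
```

Run it elevated on a test endpoint first; the same rule definitions can then be carried into the GPO described above so every in-scope machine gets an identically scoped rule set.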