Table Of Contents
Requirements
- Networking Requirements
- Network Security Requirements
- Windows Inventory Requirements
- Linux Inventory Requirements
- Apple OSX/macOS Inventory Requirements
- VMware Inventory Requirements
- SNMP Inventory Requirements
Information Collection
Initial Setup
Blockbox Virtual Appliance Technical Pre-work
Blockbox Virtual Appliance Deployment Prep
- Deployment on Azure
- Deployment on VMware ESXi
- Deployment on Microsoft Hyper-V
- Deployment on Nutanix AHV
Requirements
For the BlockBox appliance to function properly, there are some ‘must haves’ that should be taken care of out of the gate.
Networking Requirements
First off – you or someone with the appropriate access will need to provide a list of the subnet(s) to put into scope so that the appliance can ‘see’ all devices on the network(s).
- To function properly and be able to access and communicate with your entire environment, the BlockBox must be on a network segment that can route to any and all other segments. If there are unique ACLs on your routers or switches, they must allow the discovery appliance to communicate through to your endpoints.
- Access from the appliance through any network firewalls, intrusion prevention systems or endpoint protection. See Network Security Requirements below.
Network Security Requirements
Certain features of the appliance require a small amount of pre-work. We have endeavoured to create a platform that requires zero client footprint – no agents, and no leave-behinds on your endpoints. To make that possible, however, we require the ability to remotely administer these endpoints. Luckily, this is easily accomplished and is a one-time effort.
The salient points are as follows:
- Network-based firewalls or Intrusion Prevention systems must allow communication from the appliance to your endpoints.
- Local firewalls or Endpoint Protection applications must also allow for communication from the appliance.
- The simplest method to ensure connectivity through your Endpoint Protection product is to add a firewall and/or complete exception from the appliance’s IP address to all endpoints, over all ports and through all protections.
- Windows Inventory processes typically communicate over TCP ports 135, 139 and 445 (WMI, RPC, SMB) and UDP ports 137 and 138 (NetBIOS). Windows Inventory communicates over those ports using the following “services” (to ensure these services respond to our inventory, please refer to Appendix 1.2 – Allowing Inventory services using Group Policy…):
  - WMI
  - Remote Procedure Calls (RPC)
  - SMB (CIFS)
- OSX, Linux and Solaris Inventory processes are carried out over SSH (TCP port 22)
- SNMP Inventory processes are carried out over UDP ports 161 and/or 162
- VMware vCenter Inventory processes are carried out over HTTPS (TCP port 443)
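The port list above (and the per-platform port bullets in the sections that follow) can be turned into a pre-deployment check. The script below is an added example, not Block 64 tooling: run from a Windows host on the same network segment as the appliance, it attempts a TCP connection to each required port on one sample host per platform. The host names are constructed placeholders. UDP ports (137/138 NetBIOS, 161/162 SNMP) cannot be verified with Test-NetConnection and are only listed in the output.

```powershell
# Added example, not part of the Block 64 documentation: probe the TCP ports the
# inventory needs from a Windows host on the same segment as the appliance.
# Host names below are constructed placeholders. UDP ports (137/138 NetBIOS,
# 161/162 SNMP) cannot be verified by Test-NetConnection and are only listed.

$RequiredPorts = @{
    Windows = @{ TCP = @(135, 139, 445); UDP = @(137, 138) }  # WMI/RPC/SMB, NetBIOS
    Unix    = @{ TCP = @(22);            UDP = @() }          # SSH: Linux, Solaris, AIX, macOS
    VMware  = @{ TCP = @(443);           UDP = @() }          # vCenter over HTTPS
    SNMP    = @{ TCP = @();              UDP = @(161, 162) }  # SNMP agents and traps
}

# Constructed sample targets, one per platform; replace with real hosts in scope.
$Targets = @(
    @{ Host = 'win-fs01.example.local';  Platform = 'Windows' },
    @{ Host = 'lnx-web01.example.local'; Platform = 'Unix' },
    @{ Host = 'vcenter.example.local';   Platform = 'VMware' },
    @{ Host = 'core-sw01.example.local'; Platform = 'SNMP' }
)

function Test-InventoryReadiness {
    param([object[]]$Targets, [hashtable]$PortMap)
    foreach ($t in $Targets) {
        $ports = $PortMap[$t.Platform]
        foreach ($p in $ports.TCP) {
            # -InformationLevel Quiet returns $true only when the TCP handshake completes
            $ok = Test-NetConnection -ComputerName $t.Host -Port $p `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $t.Host; Platform = $t.Platform
                               Protocol = 'TCP'; Port = $p; Reachable = $ok }
        }
        foreach ($p in $ports.UDP) {
            [pscustomobject]@{ Host = $t.Host; Platform = $t.Platform
                               Protocol = 'UDP'; Port = $p; Reachable = 'not probed' }
        }
    }
}

$results = Test-InventoryReadiness -Targets $Targets -PortMap $RequiredPorts
$results | Format-Table -AutoSize

# Any TCP port reported as $false points at a network firewall, IPS or
# endpoint-protection rule that still blocks the appliance.
$results | Where-Object { $_.Reachable -eq $false }
```

A port that fails here from a host on the appliance's segment will also fail from the appliance, so fix the blocking rule before the first inventory run rather than after.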
Windows Inventory Requirements
- We do not expressly require administrative credentials to conduct our inventory, provided we have access to the required protocols and services for Windows inventory (RPC, SMBv2 or SMBv3, WMI)
- Access through any local firewalls or endpoint protection systems to, at minimum, TCP ports 135, 139 and 445 (WMI, RPC and SMB) and UDP ports 137 and 138. See Network Security Requirements above.
- Additional Windows firewall exceptions may need to be set using Group Policy. Our guide can be found here.
- Additionally, if a domain account is not applicable to the assessment (e.g. non-domain-joined devices), please refer to the following link to implement a local service account via PowerShell on each device that is intended to be inventoried: here
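For a Windows endpoint that receives no Group Policy (for instance a non-domain-joined device), the firewall exception can be set locally. The following is an added example, not the Block 64 guide linked above: it enables the built-in inbound rule groups that carry WMI, RPC and SMB/NetBIOS and scopes them to the appliance's IP address, which is a constructed placeholder here. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not Block 64's guide: on a Windows endpoint that gets no Group
# Policy, enable the built-in inbound rule groups the inventory relies on and
# scope them to the appliance's IP only, rather than to any source.
$ApplianceIp = '10.20.30.40'   # constructed placeholder: the BlockBox address

# 'Windows Management Instrumentation (WMI)' covers TCP 135 plus the dynamic RPC
# ports WMI negotiates after the endpoint-mapper call; 'File and Printer Sharing'
# covers TCP 139/445 and UDP 137/138.
$Groups = 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing'

foreach ($g in $Groups) {
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound |
        Set-NetFirewallRule -Enabled True -Profile Any -RemoteAddress $ApplianceIp
}

# Verify: every enabled inbound rule in these groups should now list only the appliance
Get-NetFirewallRule -DisplayGroup $Groups -Direction Inbound -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            Ports         = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        }
    } | Format-Table -AutoSize
```

Using the rule groups rather than a hand-written rule for port 135 matters for WMI: a DCOM session starts on 135 and then moves to a dynamic high port, which the WMI group's service-based rule already permits and a single-port rule would not.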
Linux Inventory Requirements
We can inventory almost all RPM-based and Debian-based variants of Linux.
We can also inventory Oracle Solaris and IBM’s AIX.
(Utilization data and performance metrics cannot be pulled from Oracle Solaris or AIX.)
We cannot inventory the following variants at this moment:
- IBM System i (iSeries/AS400)
- HP-UX
- Gentoo-based Linux
- Slackware-based Linux
- Pacman-based Linux
- Alpine Linux
In order to perform that inventory we require the following:
- Credentials that can access the following resources for *nix systems:
  - Files in /proc/
  - dmidecode (ideally)
- Credentials that can access the following resources for Solaris systems:
  - /usr/sbin/psrinfo
  - /usr/sbin/prtconf
  - /usr/sbin/smbios (or eeprom or sneep)
- Access through any local firewalls or endpoint protection systems using TCP port 22 (SSH). See Network Security Requirements above.
Apple OSX/macOS Inventory Requirements
- OSX Administrator credentials for inventorying OSX machines
- SSH management must be enabled on the endpoint
- Access through any local firewalls or endpoint protection systems using TCP port 22 (SSH). See Network Security Requirements above.
Click here for more information on how to enable remote inventory on your Mac
VMware Inventory Requirements
- vCenter SSO domain credentials in UPN format, e.g. administrator@sso.mydomain.local
  - These credentials can also be Windows domain credentials.
- Access through any local firewalls or endpoint protection systems using TCP port 443 (HTTPS). See Network Security Requirements above.
- Read-Only role assigned at the vCenter level and propagated to child objects
- If it is desired to get VMware license details (as populated on the vCenter), simply follow these steps:
  - clone the Read-Only role (for example, to a Block 64 Discovery role)
  - edit the new role and add the Global > Licensing permission to the role
  - assign that new role to the user account at the vCenter level
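The three steps above can be scripted with VMware PowerCLI. This is an added example and not Block 64's own procedure; the vCenter name, service account and role name are constructed placeholders, and the privilege ID 'Global.Licenses' is assumed to be the one the vSphere Client displays as Global > Licensing (confirm with Get-VIPrivilege before relying on it).

```powershell
# Added example using VMware PowerCLI; not Block 64's own tooling. Server name,
# account and role name are constructed placeholders. 'Global.Licenses' is assumed
# to be the privilege ID shown as "Global > Licensing" in the vSphere Client.
Connect-VIServer -Server 'vcenter.example.local'

$RoleName  = 'Block 64 Discovery'
$Principal = 'SSO.MYDOMAIN.LOCAL\blockbox-svc'   # domain\user form; a Windows domain account also works

# Step 1: clone ReadOnly by creating a new role with exactly the same privilege set
$readOnlyPrivs = Get-VIPrivilege -Role (Get-VIRole -Name 'ReadOnly')
$role = New-VIRole -Name $RoleName -Privilege $readOnlyPrivs

# Step 2: add the licensing privilege so license details become readable
$role = Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id 'Global.Licenses')

# Step 3: assign the role at the vCenter root and propagate to every child object
$root = Get-Folder -NoRecursion          # the top-level 'Datacenters' folder
New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate $true

# Verify the effective assignment for the service account
Get-VIPermission -Entity $root -Principal $Principal |
    Select-Object Principal, Role, Propagate, Entity
```

Keeping the cloned role limited to Read-Only plus the single licensing privilege means the inventory account cannot change anything in vCenter even if its credentials are mishandled.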
SNMP Inventory Requirements
- SNMP v1 or v2c read-only community strings
- SNMP v3 credentials for inventorying the network devices. These would include:
  - Username
  - Password
  - Context
  - Security level
  - Authentication and encryption protocols
  - Encryption key
- Access through any local firewalls or endpoint protection systems using UDP ports 161 and 162. See Network Security Requirements above.
Information Collection
The BlockBox can collect an inventory of all devices on the network, though if you have an alternate solution already collecting this data, you can simply choose not to enable the Inventory functions of the BlockBox and instead import flat files of your existing inventory yourself in the ‘Utilities’ section of the BlockBox GUI.
Should you use the BlockBox to collect an inventory of your environment, information is collected in the following fashion:
Scanning
A list of viable targets is generated via a multi-level scan of the environment, engineered to have the lowest possible impact on the network. First, a list of possible targets is gathered by scanning the provided subnets with TCP SYN requests. The results of these scans are combined into a list of viable targets within the environment.
Fingerprinting
Optionally, and recommended on all but the most fragile of networks, further information can be collected about the devices that have been uncovered, without a full-blown inventory being conducted, via OS fingerprinting. This is carried out by investigating the manner in which the device responds to a small number of TCP and UDP probes over a period of a few milliseconds. This step can be disabled if desired.
Inventory
Once a possible candidate for inventory has been detected and validated, an inventory of that endpoint can be optionally carried out. For Windows and OSX machines, a full list of installed software, as well as the hardware specifications and serial numbers of the machines are gathered. For SNMP devices (such as printers, switches, routers, and firewalls), the full complement of MIBs is dumped, and information such as manufacturer, model, serial number, etc. is gathered. For Linux, Unix, Solaris and similar variants, hardware information, package lists, and certain files pertaining to software installations are gathered.