Deployment and Discovery

Quick Reference Guide


RISC Networks Architecture

RN150

The RN150 is a CentOS virtual appliance. It is deployed on a VMware Player, Workstation, or ESX system.

RN150 Minimum Requirements
  • 4 GB of RAM
  • 50 GB Hard drive (Thin Provisioned)
  • Internet access (TCP port 443 outbound) to the following:
    • orchestration.riscnetworks.com ( 34.192.184.110, 34.192.195.90 )
    • initial.riscnetworks.com ( 34.192.43.78, 34.192.198.28)
    • dataup.riscnetworks.com ( 34.192.12.37, 34.192.197.132 )
    • app1.riscnetworks.com (34.192.198.73 )
    • Backup & Growth (34.192.99.153, 34.192.185.36)
RN150 Communication Protocols

The RN150 uses the following protocols and ports to reach the network. They must be permitted from the RN150 to every local resource (servers, routers, etc.) that is to be included in the discovery.

  • ICMP
    • A Ping Sweep is performed for all IPs included in the subnets that are put into the appliance
  • SNMP – UDP port 161
    • Used to access Linux/UNIX Servers
    • Used to access Network Routers/Switches
    • Read-only access is all that is required
    • Supports v1/v2/v3
  • SSH – TCP port 22, user supplied
    • Used to access Linux/UNIX Servers
    • Requires elevated privilege via sudo
    • Supports password or public key authentication
    • Uses TCP port 22 by default, but allows the user to specify the target TCP port on a per-credential basis
  • WMI – TCP ports 135, 445, and 1024-65535 (RPC dynamic port range)
    • Used to access WMI on Windows machines to gather process information, etc.
    • Requires a Domain Administrator or Local Administrator account to be added to the RN150 (covered under Credentials)
    • The dynamic range can be narrowed to what the targets actually use: Windows Vista/Server 2008 and later default to 49152-65535, earlier releases to 1025-5000
    • Additional ports (e.g. TCP/139) may be required for legacy Windows servers that are not configured for direct hosting of SMB over TCP/IP
  • HTTP(S) – TCP ports 80 and 443
    • Used to access the VMware vSphere API on either your vCenter server or each individual ESX host. Use only vCenter if all ESX hosts are associated with vCenter
  • TCP Ports 8443 & 62078
    • Used in discovery to identify specific devices such as Cisco UC boxes and Apple devices.

Protocol  Port        Source  Destination     Usage
TCP       443         RN150   Internet        Communication from the RN150 to the RISC Networks cloud orchestration layer
TCP       135         RN150   Local networks  RPC endpoint mapper, used by the RN150 to obtain WMI information from discovered Windows hosts
TCP       80          RN150   Local networks  HTTP-based discovery, including the vSphere API where it is served over plain HTTP
UDP       161         RN150   Local networks  SNMP collection from servers and network devices
TCP       443         RN150   Local networks  vSphere API, used to gather VMware guest information directly from vCenter (or from ESX hosts)
ICMP      -           RN150   Local networks  Ping sweep for base discovery of available devices
TCP       22          RN150   Local networks  Command-line discovery of Cisco switches and routers over SSH
TCP       22          RN150   Local networks  Collection from Linux/UNIX servers over SSH
TCP       *           RN150   Local networks  Collection from Linux/UNIX servers over SSH on user-supplied non-standard ports
TCP       1024-65535  RN150   Local networks  RPC dynamic port allocation used for WMI communication
TCP       445         RN150   Local networks  SMB over TCP/IP, used for application socket collection
TCP       139         RN150   Local networks  SMB over NetBIOS, used for application socket collection on legacy hosts
TCP       8443        RN150   Local networks  Discovery of Tomcat and Cisco UC servers
TCP       62078       RN150   Local networks  Discovery of Apple devices (iPhone) via over-the-air iTunes sync
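The outbound requirements above and the local port table are the two things a firewall change order most often gets wrong, and both are cheap to verify before the first scan. The following pre-flight script is an added example, not RISC Networks' code: it resolves each published endpoint, warns when DNS answers with an address outside the listed IPs (an egress rule keyed on those IPs would then silently drop the connection), confirms TCP/443 connects, and probes one local target the way the RN150 will (ICMP, the TCP ports for its role, and SNMP over UDP/161 when credentials are supplied). It assumes POSIX sh with bash available for the /dev/tcp probe, coreutils timeout, glibc getent, iputils ping and, optionally, net-snmp's snmpget.

```shell
#!/bin/sh
# rn150_preflight.sh: pre-flight connectivity check for an RN150 deployment.
# Added example script, not RISC Networks' code. Run it from the RN150 console
# (or any Linux host in the same network position) before the first scan.
# Assumes POSIX sh, bash (for /dev/tcp probes), coreutils `timeout`, glibc
# `getent`, iputils `ping` and, optionally, net-snmp `snmpget` for UDP/161.

# Outbound endpoints and the addresses the guide publishes for them.
RISC_ENDPOINTS="
orchestration.riscnetworks.com 34.192.184.110 34.192.195.90
initial.riscnetworks.com 34.192.43.78 34.192.198.28
dataup.riscnetworks.com 34.192.12.37 34.192.197.132
app1.riscnetworks.com 34.192.198.73
"

# ip_allowed IP "IP1 IP2 ...": success if IP is one of the listed addresses.
ip_allowed() {
    for a in $2; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# check_tcp HOST PORT [TIMEOUT]: success only if a TCP handshake completes.
check_tcp() {
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# ports_for_role ROLE: TCP ports from the table above that a target of this
# role must accept from the RN150. UDP/161 and the RPC dynamic range are not
# listed: UDP needs a real SNMP request, and the dynamic ports are only known
# once the endpoint mapper (135) answers.
ports_for_role() {
    case $1 in
        windows)       echo "135 445" ;;
        linux|network) echo "22" ;;
        vmware)        echo "443" ;;
        *)             return 1 ;;
    esac
}

# check_outbound: resolve each endpoint, warn on addresses outside the
# published list, and confirm that TCP/443 actually connects.
check_outbound() {
    rc=0
    while read -r host allowed; do
        [ -n "$host" ] || continue
        resolved=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
        [ -n "$resolved" ] || { echo "FAIL $host does not resolve"; rc=1; continue; }
        for ip in $resolved; do
            ip_allowed "$ip" "$allowed" || echo "WARN $host -> $ip is not in the published list"
        done
        if check_tcp "$host" 443; then echo "OK   $host:443"; else echo "FAIL $host:443"; rc=1; fi
    done <<EOF
$RISC_ENDPOINTS
EOF
    return $rc
}

# check_target HOST ROLE [snmp options]: probe one local target the way the
# RN150 will, e.g.  check_target 10.1.2.3 linux -v2c -c public
check_target() {
    host=$1; role=$2; shift 2; rc=0
    ports=$(ports_for_role "$role") || { echo "unknown role: $role" >&2; return 2; }
    if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then echo "OK   ICMP $host"
    else echo "FAIL ICMP $host (the ping sweep will not find it)"; rc=1; fi
    for p in $ports; do
        if check_tcp "$host" "$p"; then echo "OK   TCP/$p"; else echo "FAIL TCP/$p"; rc=1; fi
    done
    # TCP/139 matters only for legacy hosts without direct-hosted SMB: report, don't fail.
    if [ "$role" = windows ] && ! check_tcp "$host" 139; then
        echo "INFO TCP/139 closed (needed only for legacy SMB over NetBIOS)"
    fi
    case $role in linux|network)
        if [ $# -gt 0 ] && command -v snmpget >/dev/null 2>&1; then
            if snmpget -t 2 -r 1 "$@" "$host" sysDescr.0 >/dev/null 2>&1; then echo "OK   UDP/161 SNMP"
            else echo "FAIL UDP/161 SNMP (no answer: filtered, wrong community, or agent down)"; rc=1; fi
        else
            echo "SKIP UDP/161 SNMP (pass SNMP options, e.g. -v2c -c COMMUNITY, to probe)"
        fi ;;
    esac
    return $rc
}

case ${1:-} in
    outbound) check_outbound ;;
    target)   shift; check_target "$@" ;;
    "")       ;;   # no arguments: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 outbound | target HOST windows|linux|network|vmware [snmp options]" >&2; exit 2 ;;
esac
```

Run `./rn150_preflight.sh outbound` on the appliance once it has an address, then `./rn150_preflight.sh target 10.1.2.3 windows` (or `linux -v2c -c COMMUNITY`, `vmware`, `network`) for a representative host in each subnet you intend to scan. A FAIL on TCP/135 with 445 open usually means the WMI rule was written for SMB only; the dynamic RPC range still has to be opened separately, since a single TCP probe cannot prove it.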

RISC Networks Data Flow

The RISC Networks Secure Cloud Environment (SCE) is the data repository for the engagement. Data is collected by the RN150 at the client location and periodically exported, encrypted, and transmitted over SSL/TLS (TCP 443) to the SCE. The data is then accessed by browsing to riscnetworks.com and logging in to the assessment portal. More information regarding requirements and operation of the RN150 and SCE can be found here: www.riscnetworks.com/security-architecture

Required Credentials and Parameters

Credentials and information needed to perform an engagement:

  • IP Subnets that the client would like to scan
    • These can be added at the time the RN150 is deployed.
    • Subnets can be entered manually, or a routing table read via SNMP can be used to populate the list
  • SNMP Read Only Credentials
    • Needed for Linux/UNIX servers; the SNMP view granted to the read-only credential must include the following MIBs:
      • HOST-RESOURCES-MIB
      • UCD-SNMP-MIB
      • IF-MIB
      • TCP-MIB
      • UCD-DISKIO-MIB
    • Needed for network devices
  • Windows Domain Administrator or Local Administrator (workgroup servers only) credentials
    • Needed for WMI access
  • VMware credentials
    • Read-only access to vCenter, or root access to each ESX host directly
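A read-only community that answers sysDescr is not proof that the MIBs listed above are visible: many distribution defaults bind the community to a narrow view (Debian/Ubuntu, for example, ship a `systemonly` view limited to the system and hrSystem groups), and the RN150 then collects nothing for interfaces, TCP sockets or disk I/O. The check below is an added example, not RISC Networks' code. It issues one getnext per required subtree and classifies the reply: an OID inside the subtree means the view covers it; an OID past the subtree means the agent skipped it; a timeout means the credential, UDP/161 filtering or the agent itself is the problem. It assumes net-snmp's snmpgetnext; the subtree OIDs are the standard registrations for the MIBs the guide names, and the host and credential options are placeholders.

```shell
#!/bin/sh
# check_snmp_view.sh: verify that the read-only SNMP credential for a
# Linux/UNIX target exposes every MIB subtree the RN150 collects from.
# Added example, not RISC Networks' code. Assumes net-snmp's snmpgetnext is
# installed; the target and credential options are given on the command line.

# Required MIB and the numeric root of its subtree. The MIB list comes from the
# guide; the OIDs are the standard registrations, added here for the check.
REQUIRED="
HOST-RESOURCES-MIB .1.3.6.1.2.1.25
IF-MIB .1.3.6.1.2.1.2
TCP-MIB .1.3.6.1.2.1.6
UCD-SNMP-MIB .1.3.6.1.4.1.2021
UCD-DISKIO-MIB .1.3.6.1.4.1.2021.13.15
"

# classify_reply SUBTREE LINE: interpret the first line of `snmpgetnext -On`.
#   ok       an OID inside the subtree came back, the view covers it
#   excluded the agent answered but skipped past the subtree (view too narrow,
#            or the agent does not implement the MIB)
#   timeout  no response: wrong v1/v2c community, UDP/161 filtered, agent down
#   auth     SNMPv3 credentials rejected
#   error    anything else (print the raw line to see why)
classify_reply() {
    subtree=$1; line=$2
    case $line in
        Timeout:*)                         echo timeout ;;
        *"Authentication failure"*)        echo auth ;;
        *"No more variables"*|*"No Such"*) echo excluded ;;
        "$subtree".*" = "*)                echo ok ;;
        *" = "*)                           echo excluded ;;
        *)                                 echo error ;;
    esac
}

# check_view HOST [snmp options]: one getnext per subtree, report each result.
check_view() {
    host=$1; shift; rc=0
    while read -r mib subtree; do
        [ -n "$mib" ] || continue
        reply=$(snmpgetnext -On -t 2 -r 1 "$@" "$host" "$subtree" 2>&1 | head -n 1)
        status=$(classify_reply "$subtree" "$reply")
        printf '%-8s %s\n' "$status" "$mib"
        [ "$status" = ok ] || rc=1
        # A timeout would repeat for every subtree; stop after the first one.
        if [ "$status" = timeout ]; then echo "no response from $host, stopping"; return 1; fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Usage: ./check_snmp_view.sh 10.1.2.3 -v2c -c COMMUNITY
#        ./check_snmp_view.sh 10.1.2.3 -v3 -l authPriv -u USER -a SHA -A AUTHPASS -x AES -X PRIVPASS
if [ $# -ge 2 ]; then
    check_view "$@"
fi
```

Every line should read `ok`; an `excluded` for IF-MIB or TCP-MIB on a host whose HOST-RESOURCES-MIB is fine is the signature of a restricted view, and the fix is on the target's snmpd.conf (widen the view to .1.3.6.1.2.1 and .1.3.6.1.4.1.2021 for the RN150's community or SNMPv3 user), not on the appliance. An `excluded` for UCD-DISKIO-MIB alone means the agent was built without that module, so disk I/O will simply be absent from the collection.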

Discovery Best Practices

Best Practices in preparing for change orders and performing the deployment:

  • Create a separate account for access to Windows servers in your domain. Logging can be enabled on this account, and it can be disabled or deleted at the end of the engagement. The additional audit trail makes it possible to distinguish RISC Networks activity from other Domain Administrator activity
  • Always select “Enable” when prompted for Application Socket Collection as you deploy Windows credentials. This is critical to collecting information on Windows dependencies. The option is not required for Linux servers, where this information is collected by default via SNMP
  • Be prepared to do at least one rescan. Once the initial scan is complete you will receive an email notification and can then verify that the assets you expect to see were found. Look for red exclamation points (!) on device categories such as Windows or Other; they flag potential assets that need review

Additional Resources

Please review the following additional resources regarding the operation and security of the RN150 virtual appliance, as well as the RISC Networks platform.