This topic describes the procedures for configuring the Security Analytics operating environment to connect to a Security Analytics Malware Analysis service. Security Analytics Malware Analysis can operate as a co-located service on a Security Analytics Server or as a service on a dedicated Malware Analysis appliance. If your site is using a dedicated appliance, do one of the following:
- If your site is adding a new dedicated Security Analytics Malware Analysis appliance, install the physical Security Analytics Malware Analysis appliance in your network and configure the operating environment.
- If your site is upgrading a dedicated Spectrum appliance to a dedicated Security Analytics Malware Analysis appliance, re-image the Spectrum appliance as a Security Analytics Malware Analysis appliance.
Security Analytics Malware Analysis is dependent on the Core infrastructure to operate. The following steps are necessary before Security Analytics Malware Analysis can successfully analyze data.
- Configure the onboard Broker on the Malware Analysis appliance to connect another Broker or Concentrator in the existing Security Analytics Core infrastructure.
Note: If no Core infrastructure exists, only manually uploaded files can be analyzed.
- Use Security Analytics Live to find all Live resources with the malware analysis tag and deploy these resources to each Decoder service that will be capturing traffic for Security Analytics Malware Analysis to analyze. Security Analytics uses this proprietary set of parsers and feeds to find events that are likely to be malware.
- Configure communications ports. Security Analytics Malware Analysis requires a number of different communications ports to be open, including TCP/443 for HTTPS. These are described below in Network Connections.
- Configure the NextGen source to which Security Analytics Malware Analysis will connect. This is the Broker or the Concentrator.
The Security Analytics Malware Analysis is now ready to begin analyzing network traffic.
The inbound and outbound network connections must be configured for the Malware Analysis appliance to properly communicate with services, RSA sources for software updates, and other critical information.
Your network firewall must be configured to allow the Malware Analysis access to the internet. Proxy servers may be used to facilitate these connections, if necessary.
TCP/22 - Secure Shell access to the Security Analytics Malware Analysis server to review log files and troubleshoot. Access can be limited to IP addresses that will be managing Security Analytics Malware Analysis.
- TCP/443 - HTTPS web-based connection to access the Security Analytics Malware Analysis user interface.
- TCP/50008 - JMX port for performance troubleshooting, using an application such as JVisualVM. This is optional and access can be limited to IP addresses that will be managing Security Analytics Malware Analysis.
- TCP/443 - HTTPS connections to SSL-based web servers. Some features include Security Analytics Malware Analysis sending files or documents to servers for analysis, which require a secure connection. Use of a web proxy server is supported.
- TCP/443 - SSL connection from Security Analytics Malware Analysis to the RSA Cloud. Use of a SOCKS proxy server is supported. Customer infrastructure changes may be required to ensure that 443 is open to cloud.netwitness.com.)
- TCP/50103 - REST API port used to communicate with a Broker. (Security Analytics 10.3.x and earlier)
- TCP/50105 - REST API port used to communicate with a Concentrator. (Security Analytics 10.3.x and earlier)
- TCP/50003 TCP/56003 - Ports used to communicate with a Broker. (Security Analytics 10.4 and later)
- TCP/50005 TCP/56005 - Ports used to communicate with a Concentrator. (Security Analytics 10.4 and later)
- ICMP - JMS connection from Security Analytics to the Malware Analysis service to verify if the hostname and ip address entered is valid for a successful test connection.