Host GS: The Basics

Document created by RSA Information Design and Development on Nov 7, 2017. Last modified by David O'Malley on Nov 10, 2017. Version 3.
This guide gives administrators the standard procedures for adding and configuring hosts and services in NetWitness Suite. After introducing the basic purpose of hosts and services and how they function within the NetWitness Suite network, this guide covers:
  • The tasks you must complete to set up hosts and services in your network
  • Additional procedures that you complete based on the long-term and day-to-day operational needs of your enterprise
  • Reference topics that describe the user interface

 

What Is a Host

A host is the machine on which a service runs; it can be a physical or a virtual machine.

 

A service performs a single, well-defined function, such as collecting logs or archiving data. Each service listens on its own dedicated port and is modeled as a plugin that you enable or disable according to the function of the host.

 

You must configure the following Core services first: 

 

  • Decoder
  • Concentrator
  • Broker
  • Log Decoder

 

All the services are listed below. Each service except the Log Collector has its own guide, or shares a guide, in the Host and Services Configuration Guides. The Log Collector has its own set of configuration guides covering all the supported event collection protocols; for Log Collector information, see the Log Collection Guides.

 

  • Archiver
  • Broker
  • Concentrator
  • Context Hub
  • Decoder
  • Event Stream Analysis
  • Event Stream Analytics
  • Investigate
  • Log Collector
  • Log Decoder
  • Malware Analysis
  • Reporting Engine
  • Respond
  • Warehouse Connector
  • Workbench

 

You must configure hosts and services to communicate with the network and each other so they can perform their functions such as storing or capturing data. 

 

 

 

Setting Up a Host

You use the Hosts view to add a host to NetWitness Suite. See Step 1. Deploy a Host for detailed instructions.

 

Maintaining Hosts

You use the Hosts view to add, edit, delete, and perform other maintenance tasks for the hosts in your deployment. You use the Task List dialog to perform tasks relating to a host and its communications with the network. See Hosts and Services Procedures for detailed instructions.

 

After your initial implementation of NetWitness Suite, the major task you perform from the Hosts view is updating your NetWitness Suite deployment to a new version.

 

Update Version Naming Convention

You use the Hosts view to apply version updates from your Local Update Repository (see the Manage NetWitness Suite Updates topic in System Maintenance for more information on your Local Update Repository). You must understand the update version naming convention to know which version you want to apply to a host. The naming convention is major-release.minor-release.service-pack.patch. For example, if you choose 11.6.1.2, you apply the following version to the host:

 

  • 11 = major release
  • 6 = minor release
  • 1 = service pack
  • 2 = patch

NetWitness Suite supports running multiple versions in one deployment. The NetWitness Server (NW Server Host) is updated first, and every other host must be at the same version as the NW Server Host or an earlier one.

 

Note: You must update the NW Server Host first, and all other hosts must be at the same or an earlier version than the NW Server Host. A host that is at a later version than the NW Server Host is not a supported state.

In the following example of a multiple-version deployment:

  • The version updates currently available in your Local Update Repository are 11.0.2.0 and 11.0.1.0 for the Broker, LC/LD, and Log Decoder hosts.
  • The NW Server Host has already been updated to 11.0.2.0; the Broker, LC/LD, and Log Decoder hosts are still on an earlier version.

This means that you have the option to update the Broker, LC/LD, and Log Decoder hosts to either 11.0.1.0 or 11.0.2.0, because both are the same as or earlier than the NW Server Host version.

 

Maintaining Services

You use the Services view to add, edit, delete, monitor, and perform other maintenance tasks for the services in your deployment. See Hosts and Services Procedures for detailed instructions.

 

Services Implemented with the NetWitness Server

The services in the following table are implemented when you deploy the NW Server to support:

 

  • the expansion of physical and virtual deployment platforms and improvements to host and service maintenance.
  • improvements to the Investigate and Respond functionality.
Caution: You do not need to configure these services to deploy NetWitness Suite. RSA recommends that you monitor the operating status of these services using Health-and-Wellness. Do not attempt to modify the parameters in the Explore view without contacting Customer Support (https://community.rsa.com/docs/DOC-1294).

 


Service        Purpose

Admin          The NetWitness Suite Administration Server (Admin server) is the back-end service for administrative tasks in the NetWitness Suite User Interface (UI). It abstracts authentication, global preferences management, and authorization support for the UI. The Admin server requires the Config server and the Security server to be online to perform its role.

Config         The NetWitness Suite Configuration Server (Config server) stores and manages configuration sets. A configuration set is any logical configuration group that is managed independently. The Config server facilitates the sharing of properties among services, provides configuration backup and restore facilities, and tracks changes to properties.

Investigate    Co-located on the NW Server host with the Admin server, Config server, Orchestration server, Respond server, and Security server.

Orchestration  Internal system-management service that runs on the NW Server to provision, install, and configure all services in your NetWitness Suite deployment.

Respond        Co-located on the NW Server host with the Admin server, Config server, Investigate server, Orchestration server, and Security server.

Security       The NetWitness Suite Security Server (Security server) manages the security infrastructure of a NetWitness Suite deployment. It handles the following security-related concerns:

 

  • Users and their authentication accounts
  • Role Based Access Control (RBAC)
  • Deployment PKI infrastructure

 

A NetWitness Suite deployment has users with authentication accounts. Independent of how you verify the identity of the analyst (for example, through Active Directory), NetWitness Suite must maintain user state that not all authentication providers supply (for example, last login time, failed login attempts, and roles). The concept of a user is therefore separate from the identity associated with that user, and the Security server maintains these as separate User and Account entities. In addition to the out-of-the-box local NetWitness accounts available to all NetWitness deployments, the server supports external authentication providers.

 

The Security server also implements RBAC by managing Role and Permission entities. Permissions can be assigned to roles and roles to users. Together these enable a flexible authorization policy for the deployment. The server also manages generation of cryptographically secure tokens that encode the applicable authorization for a user. These tokens form the basis for deployment wide authorization.
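
The entity model described above (a User distinct from the Account that authenticates it, Permissions assigned to Roles and Roles to Users, and a signed token that carries the resolved authorization) can be illustrated in a few dozen lines. The following Python is an added example written for this page; it is not the Security server's code, and the role names, permission strings, lockout threshold, and token layout (base64url JSON claims plus an HMAC-SHA256 tag) are assumptions made for the illustration. It shows why per-user state such as failed logins lives with the User rather than the external Account, and how a relying service authorizes from the token alone.

```python
"""
Illustrative model of a User separate from its Account(s), role-based
permissions, and a signed authorization token.

Added example, not the Security server's code. Role names, permission
strings, MAX_FAILED_LOGINS and the token layout are assumptions.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Account:
    """An identity at an authentication provider (local or external)."""
    provider: str      # e.g. "local" or "Active Directory" (assumed labels)
    subject: str       # provider-specific identifier


@dataclass
class User:
    """State the deployment must track itself, whatever the provider supplies."""
    name: str
    accounts: list[Account]
    roles: set[str]
    last_login: float | None = None
    failed_logins: int = 0
    locked: bool = False


# permissions are assigned to roles, roles to users (constructed example roles)
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "Analyst": {"investigate.read", "respond.read"},
    "Administrator": {"investigate.read", "respond.read", "admin.hosts", "admin.services"},
}
MAX_FAILED_LOGINS = 3   # assumed lockout threshold


def permissions_for(user: User) -> set[str]:
    """Resolve a user's effective permissions through its roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def record_login(user: User, succeeded: bool, now: float) -> bool:
    """Update per-user state an external provider does not report.
    Returns True only if the login is allowed to proceed."""
    if user.locked:
        return False
    if succeeded:
        user.failed_logins, user.last_login = 0, now
        return True
    user.failed_logins += 1
    user.locked = user.failed_logins >= MAX_FAILED_LOGINS
    return False


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: User, key: bytes, now: float, ttl: int = 900) -> str:
    """Token = base64url(claims) '.' base64url(HMAC-SHA256(key, claims)).
    The claims carry the resolved permissions, so a relying service can
    authorize from the token without re-reading the role tables."""
    claims = {"sub": user.name, "perms": sorted(permissions_for(user)), "exp": int(now) + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify_token(token: str, key: bytes, now: float) -> dict | None:
    """Return the claims only if the tag verifies (constant-time) and the token is unexpired."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:          # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None


def authorized(token: str, key: bytes, now: float, permission: str) -> bool:
    """The check a relying service performs on each request."""
    claims = verify_token(token, key, now)
    return claims is not None and permission in claims["perms"]
```

Because the permissions are inside the signed body, editing the claims (for example, adding admin.hosts to an Analyst's token) invalidates the tag, and a token issued under one key fails verification under another; both checks matter for "deployment-wide" authorization, where many services accept the same token.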

 

 

 

Running in Mixed Mode

 

Functionality Gaps Encountered During Staggered Updates

If you stagger the update, you:

 

  • Will not have service administrative features available until you update all the hosts in your deployment.
  • May be without data capture for a period of time.

 

Examples of Staggered Updates

In the following examples, all the hosts are on 11.1.0.x and you want to stagger the host updates to version 11.1.1.0.

 

Example 1. Multiple Decoders and Concentrators, Alternative 1

In this example, the 11.1.0.x deployment includes 1 NW Server host, 2 Decoder hosts, 2 Concentrator hosts, 1 Archiver host, 1 Broker host, 1 Event Stream Analysis host, and 1 Malware Analysis host.

 

You must complete Phase 1 first and update the hosts in the order listed for Phase 1.

 

RSA recommends that you update the Phase 2 hosts in the order listed for Phase 2.

 

Phase 1 - session 1

  1. Update the NW Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Malware Analysis host.
  4. Update the Broker or Concentrator host.

 

Phase 2 - session 2

  1. Update 2 Decoder hosts.
  2. Update 2 Concentrator hosts and Archiver host.

 

Phase 2 - session 3

  1. Update all other hosts.

 

Example 2. Multiple Decoders and Concentrators, Alternative 2

In this example, the 11.1.0.x deployment includes 1 NW Server host, 2 Decoder hosts, 2 Concentrator hosts, 1 Broker host, 1 Event Stream Analysis host, and 1 Malware Analysis host. RSA recommends that you update the Phase 2 hosts in the following sequence (you must complete Phase 1 first and update the hosts in the order listed).

 

Phase 1 - session 1

  1. Update the NW Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Malware Analysis host.
  4. Update the Broker host.

 

Phase 2 - session 2

  1. Update 1 Decoder host and 1 Concentrator host.
    Time elapses during which NetWitness Suite processes a significant amount of data.

 

Phase 2 - session 3

  1. Update 1 Decoder host, 1 Concentrator host, and the Broker host.
  2. Update all Log Decoder hosts before you update any Virtual Log Collector hosts.
  3. Update all other hosts.

 

Example 3. Multiple Regions

In this example, the 11.1.0.x deployment includes 1 NW Server host, 1 Event Stream Analysis host, 1 Malware Analysis host, 4 Decoder hosts, 4 Concentrator hosts, and 2 Broker hosts (2 sites, each with 2 Decoders, 2 Concentrators, and 1 Broker).

 

Phase 1 - Update Site 1 

  1. Update the NW Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Malware Analysis host.
  4. Update 1 Broker host, 2 Decoder hosts, and 2 Concentrator hosts.
  5. Update all other hosts.

 

Phase 2 - Update Site 2

  1. Update the Broker host.
  2. Update 2 Decoder hosts.
  3. Update 2 Concentrator hosts.
  4. Update all other hosts.
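
The version naming convention from Update Version Naming Convention and the ordering rules in the staggered-update examples above (update the NW Server host first, never leave any host at a later version than the NW Server host, update Log Decoders before Virtual Log Collectors) can be checked before an update session starts. The following Python script is an added example written for this page; it is not RSA code or a NetWitness tool. The Host and Step structures, the host names and roles in INVENTORY, and the versions used are all constructed for the illustration. It parses version strings, lists the updates a host is eligible for given the NW Server host's version, and replays a planned update order to report every rule it breaks.

```python
"""
Pre-flight checks for a staggered NetWitness Suite host update.

Added example, not RSA code. It encodes the rules stated in this guide:
  * a version string is major-release.minor-release.service-pack.patch
  * the NW Server host is updated first
  * no other host may be at a later version than the NW Server host
  * Log Decoder hosts are updated before Virtual Log Collector hosts
Host names, roles and versions in INVENTORY are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass

FIELDS = ("major", "minor", "service pack", "patch")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.6.1.2' into (11, 6, 1, 2); tuples compare component by component.
    Anything other than exactly four non-negative integers is rejected, so a
    typo such as '11.0.2' or '11.0.2.0.1' fails before an update is attempted."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version {text!r}: expected major.minor.service-pack.patch")
    return tuple(int(p) for p in parts)


def is_valid_version(text: str) -> bool:
    try:
        parse_version(text)
        return True
    except ValueError:
        return False


def describe_version(text: str) -> dict[str, int]:
    """Label each component: 11.6.1.2 -> major 11, minor 6, service pack 1, patch 2."""
    return dict(zip(FIELDS, parse_version(text)))


def eligible_updates(nw_server: str, host_current: str, available: list[str]) -> list[str]:
    """Versions in the Local Update Repository that a non-NW-Server host may take:
    later than what it runs now and no later than the NW Server host."""
    ceiling, floor = parse_version(nw_server), parse_version(host_current)
    return sorted((v for v in available if floor < parse_version(v) <= ceiling), key=parse_version)


@dataclass
class Host:
    name: str
    role: str      # "NW Server", "Decoder", "Log Decoder", "Virtual Log Collector", ...
    version: str


@dataclass
class Step:
    host: str      # host to update
    target: str    # version to apply


def check_plan(inventory: list[Host], plan: list[Step]) -> list[str]:
    """Replay the plan and return every violation of the rules above.
    An empty list means the order is acceptable."""
    hosts = {h.name: h for h in inventory}
    state = {h.name: parse_version(h.version) for h in inventory}
    nw_hosts = [h.name for h in inventory if h.role == "NW Server"]
    if len(nw_hosts) != 1:
        raise ValueError("inventory must contain exactly one NW Server host")
    nw = nw_hosts[0]
    problems = [f"before start: {h.name} ({h.version}) is later than the NW Server host"
                for h in inventory if state[h.name] > state[nw]]
    ld_not_done = {h.name for h in inventory if h.role == "Log Decoder"}
    nw_done = False
    for i, step in enumerate(plan, 1):
        h = hosts.get(step.host)
        if h is None:
            problems.append(f"step {i}: unknown host {step.host!r}")
            continue
        target = parse_version(step.target)
        if h.role == "NW Server":
            nw_done = True
        elif not nw_done:
            problems.append(f"step {i}: {h.name} updated before the NW Server host")
        if h.role == "Virtual Log Collector" and ld_not_done:
            problems.append(f"step {i}: {h.name} updated before Log Decoder(s) {sorted(ld_not_done)}")
        state[h.name] = target
        ld_not_done.discard(h.name)
        if h.role != "NW Server" and target > state[nw]:
            problems.append(f"step {i}: {h.name} at {step.target} is later than the NW Server host")
    return problems


# Constructed inventory modelled on Example 2, plus a Log Decoder and a VLC, all on 11.1.0.x.
INVENTORY = [Host("nw-server", "NW Server", "11.1.0.1"),
             Host("esa-1", "Event Stream Analysis", "11.1.0.1"),
             Host("malware-1", "Malware Analysis", "11.1.0.1"),
             Host("broker-1", "Broker", "11.1.0.1"),
             Host("decoder-1", "Decoder", "11.1.0.1"), Host("decoder-2", "Decoder", "11.1.0.1"),
             Host("conc-1", "Concentrator", "11.1.0.1"), Host("conc-2", "Concentrator", "11.1.0.1"),
             Host("logdecoder-1", "Log Decoder", "11.1.0.1"),
             Host("vlc-1", "Virtual Log Collector", "11.1.0.1")]
TARGET = "11.1.1.0"


def good_plan() -> list[Step]:
    """The order this guide recommends for Example 2: NW Server, ESA, Malware Analysis,
    Broker, then Decoder/Concentrator pairs, Log Decoders, and Virtual Log Collectors last."""
    order = ["nw-server", "esa-1", "malware-1", "broker-1", "decoder-1", "conc-1",
             "decoder-2", "conc-2", "logdecoder-1", "vlc-1"]
    return [Step(name, TARGET) for name in order]


def bad_plan() -> list[Step]:
    """Three mistakes: a Decoder before the NW Server, a VLC before its Log Decoder,
    and ESA pushed to a version later than the NW Server."""
    return [Step("decoder-1", TARGET), Step("nw-server", TARGET), Step("vlc-1", TARGET),
            Step("logdecoder-1", TARGET), Step("esa-1", "11.1.2.0")]


if __name__ == "__main__":
    print(describe_version("11.6.1.2"))
    print(eligible_updates("11.0.2.0", "11.0.0.0", ["11.0.1.0", "11.0.2.0", "11.0.3.0"]))
    for p in check_plan(INVENTORY, bad_plan()):
        print("violation:", p)
```

Run as a script it prints the labelled components of 11.6.1.2, the updates a host on 11.0.0.0 may take while the NW Server host is on 11.0.2.0 (11.0.1.0 and 11.0.2.0, matching the example in Update Version Naming Convention), and the violations in the deliberately wrong plan. Feed check_plan your own inventory and intended order before each session; an empty result means the order respects the constraints this guide states.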

 

 