Host GS: The Basics

Document created by RSA Information Design and Development Employee on Feb 8, 2018Last modified by RSA Information Design and Development Employee on Sep 8, 2020
Version 16Show Document
  • View in full screen mode
 

This guide gives administrators the standard procedures for adding and configuring hosts and services in NetWitness Platform. After introducing you to the basic purpose of hosts and services and how they function within the NetWitness Platform network, this guide covers:

  • Tasks you must complete to set up hosts and services in your network
  • Additional procedures that you complete based on the long-term and daily, operational needs of your enterprise
  • Reference topics that describe the user interface

Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

What Is a Host?

A host is the machine on which a service runs and can be a physical or virtual machine. See the "NetWitness Platform Detailed Host Deployment Diagram" in the NetWitness Platform Deployment Guide for an illustration of how hosts are deployed.

What Is a Category?

A category assigns a service or services to a host when you install a host from the Hosts view. You choose a host Category in the Install Services dialog which is displayed when you select a host in the Hosts view and click The Install icon. The following table lists each category and the services it installs. See the "NetWitness Platform Detailed Host Deployment Diagram" in the NetWitness Platform Deployment Guide for an illustration of how hosts are deployed.

                                                                                       
CategoryServices Installed

Analyst UI

Investigate Server, Broker, NetWitness UI, Reporting Engine, Respond Server

Archiver

Workbench and Archiver

Broker

Broker

Concentrator

Concentrator

Endpoint

Endpoint Server

Endpoint Broker

Endpoint Broker Server

Endpoint Log Hybrid

Log Collector, Log Decoder, Endpoint Server, and Concentrator

ESA Primary

Contexthub Server and ESA Correlation

ESA Secondary

ESA Correlation

Log Collector

Log Collector

Log Decoder

Log Collector and Log Decoder

Log Hybrid

Log Collector, Log Decoder, and Concentrator

Log Hybrid - Retention

Log Collector and Log Decoder (deployed on RSA Series 6 Hybrid hardware with Log Hybrid-Retention Optimization)

Malware Analysis

Malware Analysis and Broker

Network Decoder

Decoder (Packets)

Network Hybrid

Concentrator and Network Decoder

New Health and Wellness

Metrics Server

UEBA

UEBA

Warehouse Connector

Warehouse Connector

What Is a Service?

A service performs a unique function, such as collecting logs or archiving data. Each service runs on a dedicated port and is modeled as a plug-in to enable or disable, according to the function of the host.

You must configure the following Core services first: 

  • Network Decoder
  • Concentrator
  • Broker
  • Log Decoder

All the services are listed below and each service except the Log Collector has its own guide or shares a guide in the Host and Services Configuration Guides section of the NetWitness Platform documentation page on RSA Link at https://community.rsa.com/community/products/netwitness/documentation. The Log Collector has its own set of configuration guides to handle the configuration for all the supported event collection protocols. For Log Collector information, see Log Collection Guides.

                                                                                                                                                           
ServicesNotes

NW Server

Admin
Config
Content
Integration
Investigate
License
Orchestration
Reporting Engine
Respond
Security

Implemented with the NW Server
Implemented with the NW Server
Implemented with the NW Server
Implemented with the NW Server
Implemented with the NW Server
Implemented with the NW Server
Implemented with the NW Server

Implemented with the NW Server
Implemented with the NW Server

Analyst UI

 

Broker
Investigate Server
NetWitness UI
Reporting Engine
Respond Server

Implemented with the Analyst UI
Implemented with the Analyst UI
Implemented with the Analyst UI
Implemented with the Analyst UI
Implemented with the Analyst UI

Archiver

Archiver
Workbench

Core Service

 

Broker

Broker

Core Service

Concentrator

Concentrator

Core Service

Endpoint

 

Endpoint Server

 

Endpoint Broker

Endpoint Broker Server

 

Endpoint Log Hybrid

Log Collector
Log Decoder
Endpoint Server
Concentrator

Core Service
Core Service

Core Service

ESA Primary

Contexthub
ESA Correlation

 

ESA Secondary

ESA Correlation

 

Log Collector

Log Collector

Core Service

Log Decoder

Log Collector
Log Decoder


Core Service

Log Hybrid

Log Collector
Log Decoder
Concentrator


Core Service
Core Service

Log Hybrid - Retention

Deployed on RSA Series 6 Hybrid hardware with Log Hybrid-Retention Optimization.

Log Collector
Log Decoder

Core Service

Malware Analysis

Malware Analysis
Broker


Core Service

Network Decoder

Decoder (Packets)

Core Service

Network Hybrid

Concentrator
Network Decoder

Core Service
Core Service

New Health and Wellness

 

Metrics Server 

UEBA

UEBA

 

Warehouse Connector

Warehouse Connector

Command line installation

You must configure hosts and services to communicate with the network and each other so they can perform their functions such as storing or capturing data. For information about ports and a comprehensive list of ports for all services, see "Network Architecture and Ports" in the Deployment Guide for RSA NetWitness Platform. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

Workflow for deploying a host and maintaining hosts and services

Setting Up a Host

You use the Hosts view to add a host to NetWitness Platform.  See Step 1. Deploy a Host for detailed instructions.

Maintaining Hosts

You use the main Hosts view ( (Admin)  > Hosts) to add, edit, delete, and perform other maintenance tasks for the hosts in your deployment. You use the Host Task List dialog to perform tasks relating to a host and its communications with the network. See Hosts and Services Maintenance Procedures for detailed instructions.

After initial implementation of NetWitness Platform, the major task you perform from the Hosts view is updating your NetWitness Platform deployment to a new version.

Update Version Naming Convention

You use the Hosts view to apply the latest version updates from your Hosts and Services Maintenance Procedures. You must understand the update version naming convention to know which version you want to apply to the host. The naming convention is major-release.minor-release.service-pack.patch. For example, if you choose 11.6.1.2, you apply the following version to the host.

  • 11 = major release
  •   6 = minor release
  •   1 = service pack
  •   2 = patch

NetWitness Platform supports multiple versions in your deployment. For more information, see Running in Mixed Mode. The NetWitness Server (NW Server Host) is updated first and all other hosts must have the same or earlier version as the NW Server Host.

The following example is a single version deployment with all hosts updated to 11.5.0.0.
This is an example of the Admin Hosts view

Maintaining Services

You use the Services view ( (Admin)  > Services) to add, edit, delete, monitor, and perform other maintenance tasks for the services in your deployment. See Hosts and Services Procedures for detailed instructions.

Services Implemented with the NetWitness Server

The services in the following list are implemented when you deploy the NW Server to support:

  • The expansion of physical and virtual deployment platforms and improvements to host and service maintenance.
  • Content, Investigate, Respond, and Source functionality.

Caution: You do not need to configure these services to deploy NetWitness Platform. RSA recommends that you monitor the operating status of these services using Health-and-Wellness. Do not attempt to modify the parameters in the Explore view without contacting Customer Support (https://community.rsa.com/docs/DOC-1294).

                                               
ServicePurpose
Admin

The Administration (Admin) Server is the back-end service for administrative tasks in the NetWitness Platform User Interface (UI). It abstracts authentication, global preferences management, and authorization support for the UI. The Admin server requires the Config server and the Security server to be online to perform its role.

Config

The Configuration (Config) Server stores and manages configuration sets. A configuration set is any logical configuration group that is managed independently. The Config server facilitates the sharing of properties among services, provides configuration backup and restore facilities, and tracks changes to properties.

Content

The Content server manages the RSA provided and user-created parser rules. For more information on parser management, search for "parsers" in RSA Link.

Integration

The Integration Server manages interactions with external systems. The service handles the following outbound or inbound channels.

  • REST API Gateway - gateway to external REST clients that assigns calls to the NetWitness Application Programming Interface (API).
  • Notifications Dispatcher - centralized dispatcher for all outbound notifications originating in the NetWitness deployment.
InvestigateThe Investigate server supports Investigate and Malware Analysis functionality. For more information see the NetWitness Platform Investigate User Guide.
Orchestration The Orchestration server provisions, installs, and configures all services in your NetWitness Platform deployment.

Respond

The Respond server supports Respond functionality. For more information see the NetWitness Platform Respond Configuration Guide.

Security

The NetWitness Platform Security Server (Security server) manages the security infrastructure of a NetWitness Platform deployment. It handles the following security-related concerns.

  • Users and the authentication accounts
  • Role Based Access Control (RBAC)
  • Deployment PKI infrastructure

A NetWitness Platform deployment has users with authentication accounts. Independent of how you verify the identity of the analyst (for example, Active Directory), NetWitness Platform must maintain the user state, which is not provided by all authentication providers (for example, last login time, failed login attempts, and roles). The concept of a user is separate from the identify associated with the user and the Security server maintains these as separate User and Account entities. In addition to the out-of-the-box local NetWitness accounts available to all NetWitness deployments, the server supports external authentication providers.

The Security server also implements RBAC by managing Role and Permission entities. Permissions can be assigned to roles and roles to users. Together these enable a flexible authorization policy for the deployment. The server also manages generation of cryptographically secure tokens that encode the applicable authorization for a user. These tokens form the basis for deployment-wide authorization.

Source

The Source server is reserved for future use and will provide a centralized location to configure sources (for example, Endpoints and Log Sources).

Running in Mixed Mode

Mixed mode occurs when some services are updated to the latest version and some are still on older versions. This happens when you update the hosts in your deployment to the latest version in phases (or stagger the update).

Functionality Gaps Encountered During in Staggered Updates

If you stagger the update, you:

  • May not have all the features operational until you update your entire deployment.
  • Will not have service administrative features available until you update all the hosts in your deployment.
  • May be without data capture for a period of time.

Examples of Staggered Updates

In the following examples, all the hosts are on 11.4.0.0 and you want to stagger the host updates to version 11.4.1.0.

 

Example 1. Multiple Network Decoders and Concentrators, Alternative 1

 

In this example, the 11.4.0.0 deployment includes one NW Server host, two Network Decoder hosts, two Concentrator hosts, one Archiver host, one Broker host, one Event Stream Analysis host, one Endpoint Log Hybrid host, and one Malware Analysis host.

You must complete Session 1 first and update the hosts in the order listed.

RSA recommends that you update the Sessions 2 and 3 hosts in the order listed.

Session 1: Update Essential Hosts

  1. Update the NetWitness Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Endpoint Log Hybrid host.
  4. Update the Malware Analysis host.
  5. Update the Broker host.

Session 2: Update Other Hosts

  1. Update the two Network Decoder hosts.
  2. Update the two Concentrator hosts and the Archiver host.

Session 3: Update Other Hosts

  1. Update all other hosts.

Example 2. Multiple Network Decoders and Concentrators, Alternative 2

In this example, the 11.4.0.0 deployment includes one NW Server host, two Network Decoder hosts, two Concentrator hosts, one Broker host, one Event Stream Analysis host, one Endpoint Log Hybrid host and one Malware Analysis host.

You must complete Session 1 first and update the hosts in the order listed.

RSA recommends that you update the Sessions 2 and 3 hosts in the order listed.

Session 1: Update Essential Hosts

  1. Update the NetWitness Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Endpoint Log Hybrid host.
  4. Update the Malware Analysis host.
  5. Update the Broker host.

Session 2: Update Other Hosts

  1. Update one Network Decoder host and one Concentrator host.

Note: It does not matter which of the Network Decoder hosts or which of the Concentrator hosts you update first.

Time elapses during which NetWitness Platform processes a significant amount of data.

Session 3: Update Other Hosts

  1. Update the second Network Decoder host and the second Concentrator host.
  2. Update all Log Decoder hosts before you update Virtual Log Collectors.
  3. Update all other hosts.

Example 3. Multiple Regions

In this example, the 11.4.0.0 deployment includes one NW Server host, one Event Stream Analysis host, one Endpoint Log Hybrid host, one Malware Analysis host. Additionally, there are two sites, each with two Network Decoders, two Concentrators, and one Broker, for a total of four Network Decoder hosts, four Concentrator hosts, and two Broker hosts.

Session 1: Update Essential Hosts and Site 1 

  1. Update the NW Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Endpoint Log Hybrid host.
  4. Update the Malware Analysis host.
  5. Update one Broker host, two Network Decoder hosts, and two Concentrator hosts.

Session 2: Update Other Hosts and Site 2

  1. Update the second Broker host.
  2. Update the two remaining Network Decoder hosts.
  3. Update the two remaining Concentrator hosts.
  4. Update all the other hosts.

 

You are here
Table of Contents > Hosts and Services Basics

Attachments

    Outcomes