Deployment

Deployment Considerations

Traffic Source

The NTA is a passive device and relies on client infrastructure to stream a copy of network traffic to the NTA’s monitoring interface. When deploying an NTA in a virtual environment or on AWS EC2, several key considerations should be addressed to ensure effective monitoring and minimal impact on performance:

Resource Allocation

  • Ensure the NTA meets the recommended specifications. In some circumstances the resources may not be sufficient and we will work with you on any modifications we recommend based on your traffic throughput once the NTA is deployed and running.

Multi-NTA Deployments

  • If your network throughput exceeds what a single NTA can accommodate, you have the option to deploy multiple NTAs to ensure coverage.

Network Topology and Segmentation

  • Map out the virtual network topology and identify where the NTA should be deployed for optimal coverage, e.g. east-west traffic, which typically flows between VMs connected to the same virtual switch or virtual network, or between EC2 instances in the same VPC, and north-south traffic, which typically flows between internal and external networks, such as web traffic.

Traffic Visibility

  • A copy of the traffic stream needs to be provided to the NTA monitoring interface. Capturing traffic requires configuring network mirroring or traffic monitoring as outlined below, based on your deployment:

    Virtual Environment

    • Network mirroring on a virtual switch is a method used to capture and analyze traffic passing through a virtual machine (VM) or virtual network. This is typically achieved by configuring a port mirror, where a copy of the network traffic from one or more source ports is sent to a designated mirror port, i.e. the NTA monitoring interface.
    • In a virtualized environment, network mirroring and promiscuous mode can be configured on a virtual switch (such as those in VMware vSphere, Microsoft Hyper-V or others) to facilitate traffic analysis without affecting the network's performance.

    virtual_nta.png

    Figure 1: The NTA in a virtual environment

    Amazon EC2

    • For deployment on an EC2 instance, VPC Traffic Mirroring is used, which allows you to copy traffic from an Elastic Network Interface (ENI) to the NTA's monitoring ENI.

    aws_nta.png

    Figure 2: The NTA running atop AWS

Create, Configure and Download an NTA

  1. Log in to the Samurai MDR portal, click Telemetry and select Network Traffic Analyzer from the main menu

  2. Select Create

  3. Complete the fields as required.

Field                            Description
NTA name                         A name for the NTA
Description (Optional)           A description of your NTA
Location (Optional)              Useful if you have NTAs in multiple locations
Hostname                         A hostname for your NTA
Proxy Server address (Optional)  Optional HTTP proxy server (URL containing a hostname or IP address with port, e.g. https://192.168.1.254:8080)
NTP Servers (Optional)           Input your own NTP server IP addresses
Size                             Select the appropriate Size based on throughput
DHCP or Static                   Determine whether the NTA will use DHCP or specify a static IP address and network information
  4. Select Create NTA once you have completed all relevant fields

  5. Select the NTA you created by clicking the NTA Name used in Step 3

  6. Select Download

  • The files you need to download depend on your deployment and hypervisor. The options available for download are:

    • Configuration
      • ISO - configuration file for the NTA; this file is always required for virtual machines
    • Cloud init
      • AWS - used to provide cloud-init data to an AWS EC2 instance
    • Virtual machine
      • vmdk - disk image (not needed if using the OVA)
      • vhdx - virtual hard disk format used for Hyper-V
      • ova - virtual machine image that the NTA will run from (includes the disk image) for VMware and/or Proxmox
  7. Download the appropriate files for your deployment.

NTA Installation

Based on your chosen deployment follow the relevant section:

VMware vSphere Installation

Follow the documentation from VMware:

  1. Provide a virtual machine name.
  2. Be sure to select the .ova file you downloaded when asked for the file to deploy your virtual machine from.

Once complete, follow the VMware article to mount the config ISO file:

  1. Be sure to select the .iso file you downloaded when asked to select a file
  2. The management interface will by default be Network Device (net0)
  3. The monitoring interface will by default be Network Device (net1); ensure it is connected to your monitoring network.
  4. The VM is now ready to be powered on.
  5. Jump to Deployment Status for next steps.

Proxmox VE Installation

Follow the documentation from Proxmox:

  1. Follow the steps to first set up a new storage for an import source.
  2. Refer to the OVA/OVF Import section to import the OVA file you downloaded from the Samurai MDR portal.
  • Import the NTA configuration ISO file to Proxmox
  1. Navigate to the Datacenter - Storage section
  2. Select the storage where you want to store the ISO file
  3. Click on ISO Images

proxmox_step1.png

  4. Click Upload
  5. Choose the NTA ISO file and upload it using the default settings

proxmox_step2.png

  • Configure the NTA virtual machine to use the NTA configuration file
  1. Select the NTA virtual machine and click on Hardware and then Add

proxmox_step3.png

  2. Select CD/DVD Drive

proxmox_step4.png

  3. Check Use CD/DVD disk image file (iso) and locate your NTA configuration file. Click Add

proxmox_step5.png

  4. The management interface will by default be Network Device (net0)
  5. The monitoring interface will by default be Network Device (net1); ensure it is connected to your monitoring network
  6. The VM is now ready to be powered on.
  7. Jump to Deployment Status for next steps.

Microsoft Hyper-V Installation

Follow the documentation from Microsoft:

  1. Provide a virtual machine name
  2. Use the Virtual Machine Requirements when configuring memory and network
  3. When asked to Connect Virtual Hard Disk, ensure you use the .vhdx file you previously downloaded
  4. For Installation Options, ensure you use the .iso file you previously downloaded
  5. The management interface will by default be Eth0
  6. The monitoring interface will by default be Eth1; ensure it is connected to your monitoring network
  7. The VM is now ready to be powered on.
  8. Jump to Deployment Status for next steps.

Amazon EC2 Installation

Prerequisite steps:

  1. Ensure you have the AWS cloud-init.yaml file you downloaded from Create, Configure and Download an NTA. This file will be used later during EC2 instance deployment.

Follow the vendor documentation from Amazon to launch an EC2 instance:

Follow the steps outlined in Launch an instance

Perform the following adjustments to the vendor documentation when launching the instance:

  1. During step 5.a, select Ubuntu as the AMI.
  2. During step 5.b, select the latest Ubuntu 24.04 Server AMI.
  3. During step 6, select a suitable Instance Type based on estimated performance requirements while fulfilling the Recommended Specifications.
  4. During step 7 & 7, set Key pair and Network settings as per your AWS policies, ensuring the Network settings still fulfil the Communications Requirements.
  5. Before step 9, modify the Configure storage section based on the disk requirements of the NTA size you selected.
  6. Before step 9, expand the Advanced details section and paste the content of the cloud-init.yaml file into the User data section. Ensure that the check box 'User data has already been base64 encoded' is not enabled.
  7. Proceed with step 10 and finish the rest of the installation as per the vendor documentation.
  8. Jump to Deployment Status for next steps.
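The EC2 launch steps above, as an added example that is not part of this guide or of Amazon's documentation: a POSIX shell script using the AWS CLI that first checks the downloaded cloud-init.yaml is the plain cloud-config text the portal provides (the failure mode behind the 'already base64 encoded' check box in step 6 is a file that gets encoded twice) and then launches the Ubuntu 24.04 instance with it as user data. The AMI id, key pair, subnet, security group, instance type and root volume size are placeholders to be replaced with values for your account; the disk size comes from the NTA size you selected in the portal.

```shell
#!/bin/sh
# Added example (not the NTA guide's or Amazon's own tooling): check the downloaded
# cloud-init.yaml before using it as EC2 user data, then launch the Ubuntu 24.04 instance.
# All resource ids and sizes below are placeholders; set them for your account.

CLOUD_INIT="${CLOUD_INIT:-./cloud-init.yaml}"      # file downloaded from the portal
AMI_ID="${AMI_ID:-ami-PLACEHOLDER}"                # latest Ubuntu 24.04 Server AMI in your region
INSTANCE_TYPE="${INSTANCE_TYPE:-m5.xlarge}"        # choose per the Recommended Specifications
KEY_NAME="${KEY_NAME:-nta-keypair-PLACEHOLDER}"
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"
SG_ID="${SG_ID:-sg-PLACEHOLDER}"                   # must satisfy the Communications Requirements
ROOT_GB="${ROOT_GB:-200}"                          # placeholder; use the disk size for your NTA size

# Classify a user-data file by its first line and return:
#   0 = plain cloud-config text (what the portal provides and cloud-init expects)
#   1 = already base64-encoded (the CLI or the console check box would encode it again)
#   2 = neither (wrong file, or the #cloud-config header is missing)
# base64 of the bytes "#cloud-config" always begins with "I2Nsb3VkLWNvbmZpZ".
user_data_kind() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#cloud-config'*) return 0 ;;
        I2Nsb3VkLWNvbmZpZ*) return 1 ;;
    esac
    return 2
}

launch_nta() {
    kind=0
    user_data_kind "$CLOUD_INIT" || kind=$?
    case "$kind" in
        1) echo "$CLOUD_INIT is already base64-encoded; use the plain YAML from the portal" >&2; return 1 ;;
        2) echo "$CLOUD_INIT does not start with #cloud-config; is it the right file?" >&2; return 1 ;;
    esac
    # run-instances base64-encodes file:// user data itself, so the plain YAML is passed as-is.
    # /dev/sda1 is the root device of the Ubuntu AMIs; the mapping enlarges it to ROOT_GB.
    aws ec2 run-instances \
        --image-id "$AMI_ID" \
        --instance-type "$INSTANCE_TYPE" \
        --key-name "$KEY_NAME" \
        --subnet-id "$SUBNET_ID" \
        --security-group-ids "$SG_ID" \
        --block-device-mappings "DeviceName=/dev/sda1,Ebs={VolumeSize=$ROOT_GB,VolumeType=gp3}" \
        --user-data "file://$CLOUD_INIT" \
        --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=samurai-nta}]' \
        --query 'Instances[0].InstanceId' --output text
}

# Nothing is launched unless the script is invoked as: sh launch_nta.sh launch
if [ "${1:-}" = launch ]; then
    launch_nta
fi
```

The check only looks at the first line, which is enough to tell the three cases apart: cloud-init requires the literal #cloud-config header, and a base64-encoded copy of that header has a fixed prefix. If the CLI receives already-encoded text it will encode it a second time and cloud-init will ignore the result, which is the same outcome as ticking the 'already base64 encoded' box on plain YAML in the console.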

Deployment Status

Once you have deployed your NTA you can view the deployment steps and status within the Samurai MDR portal.

  1. Log in to the Samurai MDR Portal

  2. Click Telemetry and select Network Traffic Analyzer from the main menu

  3. Click the relevant NTA from the presented list

  4. Under General, the Status will display as Provisioning.

  5. Deployment Status will be displayed along with phases and a timestamp. As the NTA builds, each status will be listed and turn green as it completes. The statuses are:

No.  Deployment Status Message                               Description
1.   Initial call to backend. Network connectivity ok       First message sent to the NTA Samurai backend; this indicates that enrolment has started
2.   Refreshing OS package lists                            Refreshing operating system software repository information
3.   Upgrading packages                                     Starting the operating system update
4.   Finished upgrading packages                            Operating system update completed
5.   Base OS update completed                               Post operating system update maintenance jobs completed
6.   Initiating CTS Build X                                 NTA installer downloaded and started
7.   Running verification to ensure minimal requirements    Installer started self-check to verify minimum requirements and software settings
8.   Completed verification to ensure minimal requirements  Self-check completed
9.   Request device_id                                      Requesting device identity
10.  Request init                                           Started the registration process
11.  Initiator successfully contacted backend               Contacting backend to retrieve basic operating information
12.  Downloading configuration                              Downloaded configuration
13.  Logged in to dockerhub                                 Authorized to Docker Hub to access private containers
14.  Downloading Docker containers                          Containers downloaded from Docker Hub and ready to be used
15.  Storing device configuration to the backend            Sent device information to the backend
16.  Starting Manager                                       Starting NTA manager software; more software/containers will be downloaded in the background
  6. Once the NTA has completed deployment, Status will display as Not Healthy while individual components start. Once they are running, the Status will be updated to Healthy, which may take approximately 5 minutes.

Configure Traffic Mirroring

Once you have deployed your NTA you will need to identify the Monitoring interface.

  1. Log in to the Samurai MDR Portal

  2. Click Telemetry and select Network Traffic Analyzer from the main menu

  3. Click the relevant NTA from the presented list

  4. Select System Information and view Network which will display the Management and Monitoring interfaces. Take note of each MAC address and ensure it aligns with the relevant configuration for your hypervisor or AWS EC2 configuration.

  5. You will now need to configure traffic mirroring to the monitoring interface of the NTA, based on your chosen deployment. We advise you to refer to the vendor documentation for traffic mirroring as environments may differ. We have provided some useful links based on your deployment model:

VMware VSphere

Microsoft Hyper-V

The following Microsoft documentation is based on Microsoft Defender for IoT; however, it is applicable to traffic mirroring configuration in general.

Amazon EC2
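Step 4 (matching the Monitoring MAC address shown in the portal against your cloud configuration) and the Amazon EC2 mirroring link above, as an added example that is not part of this guide or of the AWS documentation it points to: a POSIX shell script using the AWS CLI that confirms the ENI you are about to mirror into carries the Monitoring MAC address from System Information > Network, then creates the VPC Traffic Mirroring target on that ENI, an accept-all filter for both directions, and one session for a source ENI. The ENI ids, the portal MAC address and the VNI are placeholders; the AWS CLI subcommands and parameters are the real ones. It covers the EC2 case only; vSphere and Hyper-V port mirroring are configured in the hypervisor as the links above describe.

```shell
#!/bin/sh
# Added example (not the NTA product's own tooling): point VPC Traffic Mirroring at the
# NTA's monitoring ENI after checking that the ENI's MAC address matches the Monitoring
# interface shown under System Information > Network in the Samurai MDR portal.
# All identifiers below are placeholders. Nothing is created unless the script is run
# as: sh mirror_to_nta.sh apply   (with the AWS CLI configured for the right account)

PORTAL_MONITORING_MAC="${PORTAL_MONITORING_MAC:-0a:1b:2c:3d:4e:5f}"          # copied from the portal (placeholder)
NTA_MONITORING_ENI="${NTA_MONITORING_ENI:-eni-NTA-MONITORING-PLACEHOLDER}"  # NTA's second ENI
SOURCE_ENI="${SOURCE_ENI:-eni-SOURCE-PLACEHOLDER}"                          # workload ENI to mirror
MIRROR_VNI="${MIRROR_VNI:-100}"                                             # VXLAN VNI for the session

# Normalise a MAC so "0A-1B-2C-3D-4E-5F", "0a1b.2c3d.4e5f" and "0a:1b:2c:3d:4e:5f"
# (portal, Windows and Cisco-style notations) all compare equal.
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-' \
        | sed 's/\(..\)/\1:/g; s/:$//'
}

# Exit status 0 when both arguments denote the same interface.
macs_match() {
    [ "$(normalize_mac "$1")" = "$(normalize_mac "$2")" ]
}

# Traffic Mirroring VNIs are 24-bit values: 1..16777215.
valid_vni() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 16777215 ]
}

main() {
    valid_vni "$MIRROR_VNI" || { echo "invalid VNI: $MIRROR_VNI" >&2; exit 1; }

    # 1. Confirm the ENI we are about to mirror into is the NTA's monitoring interface,
    #    not its management interface (the two ENIs are easy to confuse by id alone).
    eni_mac=$(aws ec2 describe-network-interfaces \
        --network-interface-ids "$NTA_MONITORING_ENI" \
        --query 'NetworkInterfaces[0].MacAddress' --output text)
    macs_match "$PORTAL_MONITORING_MAC" "$eni_mac" \
        || { echo "MAC mismatch: portal=$PORTAL_MONITORING_MAC eni=$eni_mac" >&2; exit 1; }

    # 2. Target: the NTA's monitoring ENI receives the mirrored, VXLAN-encapsulated traffic.
    target_id=$(aws ec2 create-traffic-mirror-target \
        --network-interface-id "$NTA_MONITORING_ENI" \
        --description "Samurai NTA monitoring interface" \
        --query 'TrafficMirrorTarget.TrafficMirrorTargetId' --output text)

    # 3. Filter: accept all inbound and outbound traffic so the NTA sees both directions.
    filter_id=$(aws ec2 create-traffic-mirror-filter \
        --description "Mirror everything to the NTA" \
        --query 'TrafficMirrorFilter.TrafficMirrorFilterId' --output text)
    for direction in ingress egress; do
        aws ec2 create-traffic-mirror-filter-rule \
            --traffic-mirror-filter-id "$filter_id" \
            --traffic-direction "$direction" --rule-number 100 --rule-action accept \
            --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0 >/dev/null
    done

    # 4. Session: one per source ENI; repeat this call for every ENI you want mirrored.
    aws ec2 create-traffic-mirror-session \
        --network-interface-id "$SOURCE_ENI" \
        --traffic-mirror-target-id "$target_id" \
        --traffic-mirror-filter-id "$filter_id" \
        --session-number 1 --virtual-network-id "$MIRROR_VNI" \
        --query 'TrafficMirrorSession.TrafficMirrorSessionId' --output text
}

if [ "${1:-}" = apply ]; then
    main
fi
```

The MAC comparison is deliberately done before any resource is created: mirroring into the management ENI would both starve the NTA of traffic and flood the interface it uses to reach the Samurai backend. The target and filter are created once; only the session step needs repeating per source ENI, and the NTA's own security group must allow the VXLAN traffic the session sends.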

Delete an NTA

If you need to delete an NTA you can do so by following the steps below:

  1. From the Samurai MDR portal click Telemetry and select Network Traffic Analyzer from the main menu

  2. Select the relevant NTA from your list

  3. On the left-hand side of the relevant NTA, click the more options icon (delete_nta.png) and select Delete NTA

  4. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’ To confirm that you intend to delete the NTA, type DELETE in the field and select Delete NTA

What’s Next?

You have now deployed and configured your NTA. Refer to NTA Details.