The Threat Command Virtual Appliance

The following diagrams illustrate how the virtual appliance fits in your company environment.

Diagram: High-level connectivity diagram

Diagram: High-level device connectivity

Virtual appliance hardening is detailed in Virtual Appliance Hardening.

General prerequisites for deploying the appliance

For on-premises security devices, you must set up the Threat Command virtual appliance (“appliance”) on either a VMware or Hyper-V host. For cloud devices, skip to Device-side Configuration for Cloud Devices.

Prerequisites

  • Subscription to the Threat Command TIP and Automation modules
    If you don't have such a subscription, contact Rapid7 sales.
  • Network connectivity from the appliance to the Threat Command cloud (external)
    No connectivity is initiated from the cloud to the internal network.
    Connectivity includes unrestricted access to *.intsights.com. If you allow access by IP address instead of by domain, allow the IPv4 addresses listed at https://www.cloudflare.com/ips/
    (Threat Command uses Cloudflare for IP address allocation.)
  • For appliance versions earlier than v3.7.0, unrestricted access is also required to: *.gcr.io, *.googleapis.com, *.docker.io, *.cloudfront.net
  • Network connectivity between the appliance and the security devices, in both directions, for IOC sharing.

Required ports (service/port, direction, and purpose):

  • DNS (53/UDP), outgoing (from the machine): allow DNS queries from the machine.
  • HTTPS (443/TCP), incoming (to the machine): from the internal network to the virtual appliance “Management” interface, for administration.
  • HTTPS (443/TCP), outgoing (from the machine): from the virtual appliance to the Threat Command cloud (Internet).
    Make sure that all access is allowed to *.intsights.com; that is, all subdomains under that domain must be whitelisted too.
    Note: during the initial setup phase of the DEB file, the machine needs unrestricted access to the internet. After a successful installation, access can be limited to the above.
  • SSH (22/TCP or other), incoming (to the machine): from the internal network to the virtual appliance, for administration.
  • 8080/TCP, incoming (to the machine): from the various security devices to the virtual appliance, for pulling IOCs.
  • Per-device connectivity (as described in the Integration support list), outgoing (from the machine): from the virtual appliance to the various security devices, for pushing IOCs.
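The note above says that after installation the appliance's access can be limited to the listed flows. The following added example (not Rapid7 or Threat Command code) renders an nftables ruleset for the appliance host that implements exactly that table: default-drop input and output chains, inbound 22/443/8080 only from an internal subnet, outbound 53/UDP to one resolver, outbound 443/TCP only to the Cloudflare IPv4 ranges that front *.intsights.com, plus per-device push ports. The CIDR list, resolver, internal subnet and device target are constructed placeholders (RFC 5737 documentation ranges); in practice the ranges come from https://www.cloudflare.com/ips/ and the device ports from the Integration support list. The allowlist parser refuses the whole file on any malformed entry, because a silently dropped range would cut the appliance off from the cloud.

```python
"""Render an nftables ruleset for a Threat Command appliance host that allows
only the flows in the prerequisites table.

Added example, not Rapid7 or Threat Command code. All addresses below are
constructed placeholders (RFC 5737 ranges): the real IPv4 ranges come from
https://www.cloudflare.com/ips/ and the per-device push ports from the
Integration support list.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the Cloudflare IPv4 list; not the real ranges.
SAMPLE_CLOUDFLARE_IPV4 = """
# fetched <date>  (comment lines are ignored)
198.51.100.0/24
203.0.113.0/24
"""


def invalid_entries(text: str) -> List[str]:
    """Return entries that are not well-formed IPv4 networks (strict: host
    bits must be zero). Comments and blank lines are skipped."""
    bad = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if ipaddress.ip_network(line, strict=True).version != 4:
                bad.append(line)
        except ValueError:
            bad.append(line)
    return bad


def parse_cidrs(text: str) -> List[str]:
    """Parse the allowlist; refuse the whole file on any malformed entry so a
    typo cannot silently shrink the allowlist and break cloud connectivity."""
    bad = invalid_entries(text)
    if bad:
        raise ValueError(f"malformed allowlist entries: {bad}")
    return [
        line.split("#", 1)[0].strip()
        for line in text.splitlines()
        if line.split("#", 1)[0].strip()
    ]


def build_ruleset(cloudflare_v4: Iterable[str], resolver: str, internal_subnet: str,
                  device_targets: Iterable[Tuple[str, str, int]]) -> str:
    """Default-drop input and output chains for the appliance host.

    Inbound : 443 (management UI), 22 (SSH) and 8080 (device IOC pulls), only
              from the internal subnet. No inbound rule exists for the cloud.
    Outbound: 53/UDP to the resolver, 443/TCP to the Cloudflare ranges that
              front *.intsights.com, and the per-device push ports.
    """
    nets = list(cloudflare_v4)
    if not nets:
        raise ValueError("empty Cloudflare list would cut the appliance off from the cloud")
    resolver_ip = ipaddress.ip_address(resolver)            # validates the address
    internal = ipaddress.ip_network(internal_subnet, strict=True)
    elements = ", ".join(nets)
    device_lines = "\n".join(
        f"        ip daddr {ipaddress.ip_network(host, strict=False)} {proto} dport {port} accept"
        for host, proto, port in device_targets
    )
    return f"""table inet tc_appliance {{
    set cloudflare_v4 {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain input {{
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr {internal} tcp dport {{ 22, 443, 8080 }} accept
    }}
    chain output {{
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr {resolver_ip} udp dport 53 accept
        ip daddr @cloudflare_v4 tcp dport 443 accept
{device_lines}
    }}
}}
"""


if __name__ == "__main__":
    ruleset = build_ruleset(
        parse_cidrs(SAMPLE_CLOUDFLARE_IPV4),
        resolver="192.0.2.53",                        # placeholder internal resolver
        internal_subnet="10.0.0.0/8",                 # placeholder management network
        device_targets=[("10.0.5.20", "tcp", 443)],   # placeholder device API endpoint
    )
    print(ruleset)  # review the output, then load it with: nft -f <file>
```

Because the Cloudflare ranges are the only thing standing in for *.intsights.com in an IP-based allowlist, regenerate and reload the ruleset whenever that published list changes; the established/related rule keeps device pulls on 8080 and management sessions working without any inbound rule for the Internet side.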