Deploy the InsightVM Console
The Security Console is an on-premises vulnerability scanner and management system. Its core features allow you to identify risk in your environment, organize your devices, and prioritize remediation.
Scanning
Run scans to extensively probe your devices for known vulnerabilities, exploits, and policy rules. Create sites to logically group your assets for targeted scans. The Security Console uses Scan Engines to perform the actual scan job, and you can configure/distribute them in a way that is best for your environment.
Choose between several built-in Scan Templates (such as CIS policy compliance or Full audit without Web Spider) to determine which checks are performed for a particular scan. You can also tailor your own Scan Templates to quickly search for the vulnerabilities and policies that matter the most to your organization. Create scan schedules to automate your scan jobs and keep your security team informed on a regular basis.
Asset organization
Organize your scanned assets into dynamic or static asset groups according to a variety of traits, such as location, operating system, and owner. Use the Security Console’s tagging system to adjust risk scores and prioritize remediation for your most critical assets. Run filtered asset searches to find scanned assets based on over 40 unique parameters.
Reporting
Generate reports of your scan results so your security teams know what to fix and how. Make use of our built-in report templates or leverage SQL query exports for fully customizable reports. The following example cases highlight some of our most popular report templates:
- Leverage the Top Remediation report to prioritize the remediations that lead to the greatest reduction in risk.
- If you’re a business that handles credit card transactions, use the PCI report to prepare for an upcoming PCI audit.
- Generate the Vulnerability Trends report to examine your total detected assets, vulnerabilities, and exploits over custom date ranges.
Advanced features
InsightVM offers far more advanced functionality than we can cover in the scope of this guide, but we can talk about those features later. For now, just keep these core features in mind as they are the tools you’ll be using day to day.
Core Components
Your InsightVM installation has the following components:
Component | Description |
---|---|
Security Console | This is the component you’ll use to create sites, run scans, generate reports, and much more. The Security Console is accessed via a web-based user interface through any of our supported browsers. |
Scan Engine | Scan Engines are responsible for performing scan jobs on your assets. Note that Scan Engines only store scan data temporarily before sending it back to the Security Console for integration and long-term storage. |
Requirements
Before you start, ensure you have the following in place.
System requirements
The following system requirements are necessary to ensure you have the best experience.
Hardware requirements
The Security Console and Scan Engine hardware requirements are different because the Security Console uses significantly more resources.
The Security Console does not support running in a container. However, the Scan Engine is available as a container image on Docker Hub.
Security Console requirements:
At this time, we only support x86_64 architecture.
Asset volume | Processor | Memory | Storage |
---|---|---|---|
5,000 | 4 cores | 16 GB | 1 TB |
20,000 | 12 cores | 64 GB | 2 TB |
150,000 | 12 cores | 128 GB | 4 TB |
400,000 | 12 cores | 256 GB | 8 TB |
Scan Engine requirements:
At this time, we only support x86_64 architecture.
Asset volume per day | Processor | Memory | Storage |
---|---|---|---|
5,000 assets/day | 2 cores | 8 GB | 100 GB |
20,000 assets/day | 4 cores | 16 GB | 200 GB |
Operating Systems
We require an English operating system with English/United States regional settings.
64-bit versions of the following platforms are supported:
Platform | Versions |
---|---|
Linux |
|
Microsoft Windows |
|
RedHat |
|
CentOS |
|
Browsers
We support the most recent version of the following browsers:
- Google Chrome (Recommended)
- Mozilla Firefox
- Mozilla Firefox ESR
- Microsoft Edge
Firewall requirements
Security Console firewall requirements:
You must configure your firewall rules to allow outbound connectivity using Port 443. This ensures you can successfully upload data from the Security Console to the Insight Platform.
Region | Region URL | S3 (Agent Downloads only) |
---|---|---|
United States - 1 | us.api.endpoint.ingress.rapid7.com us.deployment.endpoint.ingress.rapid7.com us.exposure-analytics.insight.rapid7.com | s3.amazonaws.com |
United States - 2 | us2.api.endpoint.ingress.rapid7.com us2.deployment.endpoint.ingress.rapid7.com us2.exposure-analytics.insight.rapid7.com | s3.us-east-2.amazonaws.com |
United States - 3 | us3.api.endpoint.ingress.rapid7.com us3.deployment.endpoint.ingress.rapid7.com us3.exposure-analytics.insight.rapid7.com | s3.us-west-2.amazonaws.com |
Europe | eu.api.endpoint.ingress.rapid7.com eu.deployment.endpoint.ingress.rapid7.com eu.exposure-analytics.insight.rapid7.com | s3.eu-central-1.amazonaws.com |
Canada | ca.api.endpoint.ingress.rapid7.com ca.deployment.endpoint.ingress.rapid7.com ca.exposure-analytics.insight.rapid7.com | s3.ca-central-1.amazonaws.com |
Japan | ap.api.endpoint.ingress.rapid7.com ap.deployment.endpoint.ingress.rapid7.com ap.exposure-analytics.insight.rapid7.com | s3-ap-northeast-1.amazonaws.com s3.ap-northeast-1.amazonaws.com |
Australia | au.api.endpoint.ingress.rapid7.com au.deployment.endpoint.ingress.rapid7.com au.exposure-analytics.insight.rapid7.com | s3-ap-southeast-2.amazonaws.com s3.ap-southeast-2.amazonaws.com |
For additional IP addresses for each region see Connectivity requirements.
Scan Engine firewall requirements:
If firewalls are present on your network, make sure you whitelist the necessary ports for your Security Console and Scan Engine host according to the communication method of your choice. Consult the following table for port whitelist requirements.
Communication method | Source | Destination | Port | Protocol |
---|---|---|---|---|
Console-to-Engine | Console | Scan Engine | 40814 | TCP |
Engine-to-Console | Engine | Console | 40815 | TCP |
Ports
The ports shown in this table are the default ports used by the Security Console and Scan Engine. If you modify these default ports during the deployment procedure, make sure your firewall rules match your port modifications.
Memory and Disk Space
Memory
The integration of scan data from Scan Engines can be memory-intensive depending on how many assets are being scanned at once. For this basic deployment, your host machine must have a minimum of 16GB RAM.
Note
If you intend to deploy on a virtual machine, ensure that you provision the virtual machine with sufficient reserved memory according to the system requirements. Configuring a virtual machine with shared memory may cause negative performance impact.
Disk space
Proper disk space allocation for the database is essential. The biggest storage impact on your host machine will come from scans, reports, and database backups. Scan data alone can have varying levels of storage impact depending on your configuration, including scan frequency and whether or not you are authenticating to the target assets.
Note
Authenticated scans require roughly ten times the disk space of unauthenticated scans.
For this basic deployment, your host machine must have a minimum of 100GB of free storage space in order to accommodate your future scan data and reports. At least 1TB of free storage space is recommended for small-scale deployments.
Consider this example deployment situation: Scanning 1000 assets on a monthly basis with authentication, generating a single report, and storing the data for one year will take 76GB of storage.
Don’t underestimate your storage needs
As you prepare your deployment plan, think about how your network and security needs could change over time. Allocate free storage so you can scan additional assets, increase your scanning frequency, and create database backups. Your Security Console host should be prepared for these events! If you find yourself making a decision between two numbers, go for the larger one.
Check our System Requirements page for details. Note the supported operating systems and browsers in particular. Also, you can run the Security Console and Scan Engine on a virtualized instance of any of our supported operating systems as long as they meet the system requirements.
You can deploy using Ubuntu Linux or Windows.
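A preflight for the memory and disk minimums in this section, as an added example rather than Rapid7 tooling. The function names, the 5% allowance for kernel-reserved memory and the binary units (1 TB taken as 1024 GB) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: compare a Linux host with this page's basic-deployment minimums.
# Function names, the 5% RAM tolerance and binary units are assumptions.

MIN_RAM_GB=16              # page: "minimum of 16GB RAM"
MIN_FREE_GB=100            # page: "minimum of 100GB of free storage space"
RECOMMENDED_FREE_GB=1024   # page: "At least 1TB ... recommended", taken as 1024 GB
RAM_TOLERANCE_PCT=5        # MemTotal excludes kernel-reserved memory

# Print MemTotal in kB from a meminfo-format file (default: /proc/meminfo).
mem_total_kb() {
  awk '$1 == "MemTotal:" { print $2; exit }' "${1:-/proc/meminfo}"
}

# Succeed when RAM reaches the minimum, allowing for the tolerance.
# A strict ">= 16777216 kB" test would reject real 16 GB hosts.
ram_ok() {
  local kb need
  kb=$(mem_total_kb "$1")
  [ -n "$kb" ] || return 2
  need=$(( MIN_RAM_GB * 1024 * 1024 * (100 - RAM_TOLERANCE_PCT) / 100 ))
  [ "$kb" -ge "$need" ]
}

# Print whole GB available on the filesystem that holds directory $1.
free_gb() {
  df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 / 1024 }'
}

# Classify a free-space figure (GB) against the page's two thresholds.
disk_verdict() {
  if [ "$1" -lt "$MIN_FREE_GB" ]; then echo "below-minimum"; return 1; fi
  if [ "$1" -lt "$RECOMMENDED_FREE_GB" ]; then echo "minimum"; return 0; fi
  echo "recommended"
}

# Report both checks for the directory that will hold the installation.
preflight() {
  local dir="${1:-/}" rc=0 gb
  if ram_ok; then echo "RAM: ok"; else echo "RAM: below ${MIN_RAM_GB} GB"; rc=1; fi
  gb=$(free_gb "$dir")
  echo "Disk ($dir): ${gb} GB free, $(disk_verdict "$gb")"
  [ "$gb" -ge "$MIN_FREE_GB" ] || rc=1
  return "$rc"
}

# Usage: ./preflight.sh /path/to/install/volume
if [ "$#" -ge 1 ]; then preflight "$1"; fi
```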
Network requirements
Host IP address
The IP address of your host machine must be statically assigned. You will use this address to access the Security Console’s web interface.
Ports
The Security Console communicates through the following ports in order to perform the following tasks.
Port | Task | Direction | Destination |
---|---|---|---|
3780 (HTTPS protocol) | Web interface access to the Security Console | Inbound | Security Console |
40814 | Management of scan activity on Scan Engines and the retrieval of scan data | Outbound | Scan Engine |
443 | Upload of PGP-encrypted diagnostic information | Outbound | support.rapid7.com |
443 | Allows the Security Console to download content and feature updates. You must allow the server hosting InsightVM to make outbound connections to updates.rapid7.com on port 443. The Security Console connects to updates.rapid7.com regularly to check for new product versions (every 6 hours) and vulnerability/policy content (every 2 hours). With every connection, the console uploads a JSON file containing license and usage information that helps Rapid7 understand how InsightVM is being used. This upload does not contain any vulnerability assessment data from your assets or any other sensitive information on your environment. You can see the contents of this JSON file yourself by running the generate statistics command in the command console. | Outbound | updates.rapid7.com |
25 or 465 (These ports are optional and feature-related) | If report distribution through an SMTP relay is enabled, the Security Console must be able to communicate through these channels to reach the relay server | Outbound | SMTP relay server |
Opt into the Insight platform
InsightVM’s platform-only features like Dashboards and Remediation Projects require some additional connectivity in order to function properly. See our communications page for detailed platform connectivity requirements.
Programs and services
Several programs and services must be disabled for the Security Console to function. In general, the following services may interfere with network scanning and may also prevent checks from loading or executing:
- Anti-virus / malware detectors: If disabling your anti-virus or malware detection software is not an option, make sure that you configure the software to bypass the Rapid7 installation directory on your Security Console host (the default location for this directory on Windows is `C:\Program Files\Rapid7`). This ensures that InsightVM can operate without interference from this kind of software.
- Intrusion Detection Systems (IDS)
- Personal firewalls
- Executable blocking products
- SELinux
Installation Options
Default account creation
During your installation, you’ll create a default account with Global Administrator privileges. When you configure these credentials, store them in a safe place where you can reference them in the future.
Username and password creation.
Credentials are case-sensitive. As you create credentials, complexity requirements are displayed to ensure that your credentials are secure. Even if your password meets the minimum requirements, it is recommended that you make your password as strong as possible for additional security. A “heat bar” is displayed that gradually changes color from red to green as you make your password stronger. Global Administrators can create and modify accounts after installation.
Avoid conflicts with other authentication source accounts
As a general guideline, the username for your default account should be totally unique from any other account name that you may have already configured in other external authentication sources. The Security Console requires that all user accounts have unique usernames. If you intend to configure an external authentication source for console access (such as Active Directory or SAML), do not use one of your external authentication accounts as the default account username.
Recovery of credentials is not supported.
After installation is complete, you will be able to log in to the InsightVM application. Recovery of credentials is not supported. If you forget your username or password, you will have to reinstall the program.
Enable/disable initialization
Enabled by default, this option will initialize the Security Console after it’s been installed. Initialization configures the application for use and updates the vulnerability database. If you enable initialization, your installation time will increase respective to that process. Initialization time ranges from 10 to 30 minutes.
FIPS Mode requirements
While most organizations do not require this configuration, ensure that you DO NOT initialize the console during your installation if you intend to use FIPS mode. FIPS mode must be configured before the Security Console is started for the first time.
See Enabling FIPS mode for instructions.
Application initialization and automatic start option
If you are installing both the Scan Engine and the Security Console, the automatic start option is enabled by default. If you do not want automatic initialization to occur, you must disable it. The benefit of leaving this option enabled is that you can start using the InsightVM application immediately after the installation is complete, because initialization prepares the application for use by updating the database of vulnerability checks and performing the initial configuration. Leaving this option enabled increases total installation time by 10 to 30 minutes. Although disabling the option shortens the installation time, it takes longer to start the application because it will have to initialize before you can begin to use it.
Communication direction between console and engine
Your preferred communication direction between console and engine depends on network configuration:
- (Recommended) Engine to Console. The Scan Engine will actively inform the Security Console that it is available for communication. This configuration allows a configured console that is behind a firewall to allow inbound connections to establish a communication channel.
- Console to Engine. The Scan Engine will listen for communication from the security console. This configuration is most effective when the engine and console are on the same area of the network.
Download and install on Linux
Linux installation requirements
- The latest Linux installer.
- The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download.
- A product key, which is needed to activate your license upon login.
- Disable SELinux before you install the application.
- We recommend installing the tmux or screen package to provide an interactive terminal with the Security Console and Engine.
- Check the installer file to make sure it was not corrupted during the download.
- Uninstall any previously installed versions of InsightVM.
Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased InsightVM or registered for an evaluation. We recommend adding InsightVM to your email client allowlist to ensure you are receiving all future emails regarding InsightVM.
Verify and Disable SELinux
If you intend to install the Security Console on a Linux host, you can verify whether or not SELinux is disabled, and take action to disable it if it isn't, with the following procedure:
- Check the status of SELinux by opening its configuration file using a text editor of your choice. Enter the following command in a terminal: `vi /etc/selinux/config`
- Navigate to the line beginning with `SELINUX=`. If the value of this line shows enforcing, you will need to make an edit to disable SELinux.
- To do so, modify the value of `SELINUX=` from enforcing to disabled: `SELINUX=disabled`
- When finished, save and close the configuration file.
- Run the following command in your terminal to restart the Linux host so the changes can take effect: `shutdown -r now`
- Download the latest Linux installer: Linux installer
- Use the following checksum file to verify the integrity of your installer and ensure that it wasn't corrupted during the download process: sha512sum for Linux download
- Make sure your installer and checksum file are in the same directory.
- Open a terminal and browse to the directory where your installer and checksum file are located.
- Run the following command, substituting <installer_file_name> with the appropriate value: `sha512sum -c <installer_file_name>.sha512sum`
  Do not close command line window: A command line window will appear during installation. You do not need to interact with it, but do not close this window.
- If this command returns an OK message, the file is valid. If the check fails, the file was found to be invalid. Download the installer again and retry.
- Modify the permissions of the installer to make it executable: `chmod +x <installer_file_name>`
- Run the installer: `./<installer_file_name> -c`
- Follow the instructions prompted by the installer.
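The SELinux check and the checksum steps above combined into one gate that runs before the installer is made executable. This is an added example, not part of the InsightVM installer; the function names and return codes are illustrative.

```bash
#!/usr/bin/env bash
# Added example: pre-install gate for the Linux procedure above.
# Function names and return codes are illustrative assumptions.

# Print the SELINUX= value from a config file (default: /etc/selinux/config).
# Prints "absent" when the file does not exist, "unset" when no value is set.
selinux_config_mode() {
  local cfg="${1:-/etc/selinux/config}" mode
  [ -f "$cfg" ] || { echo "absent"; return 0; }
  # Commented lines and SELINUXTYPE= do not match; the last assignment wins.
  mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
  echo "${mode:-unset}"
}

# Verify <installer> against <installer>.sha512sum in the same directory.
# Returns 0 only if the checksum file lists this installer and the hash matches.
verify_installer() {
  local installer="$1" dir base sumfile
  dir=$(dirname -- "$installer")
  base=$(basename -- "$installer")
  sumfile="${base}.sha512sum"
  [ -f "$installer" ] || { echo "missing installer: $installer" >&2; return 2; }
  [ -f "$dir/$sumfile" ] || { echo "missing checksum file: $dir/$sumfile" >&2; return 2; }
  # The checksum file must name this installer; otherwise an OK result
  # would refer to some other file and say nothing about this one.
  awk -v f="$base" '{ n = $2; sub(/^\*/, "", n); if (n == f) found = 1 }
                    END { exit !found }' "$dir/$sumfile" \
    || { echo "checksum file does not list $base" >&2; return 3; }
  # sha512sum -c resolves names relative to the current directory,
  # which is why both files must sit side by side.
  ( cd -- "$dir" && sha512sum -c "$sumfile" ) || return 1
}

# Mark the installer executable only when both checks pass.
prepare_installer() {
  local installer="$1" cfg="${2:-/etc/selinux/config}" mode
  mode=$(selinux_config_mode "$cfg")
  if [ "$mode" = "enforcing" ]; then
    echo "SELINUX=enforcing in $cfg; disable it and reboot first" >&2
    return 4
  fi
  verify_installer "$installer" || return $?
  chmod +x -- "$installer"
  echo "verified; run: $installer -c"
}

# Usage: ./prepare.sh ./<installer_file_name>
if [ "$#" -ge 1 ]; then prepare_installer "$@"; fi
```

The checksum file detects a corrupted download, as the page states; the config-file check reflects the setting that applies after the next reboot.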
Using a GUI?
If you are using a Graphical User Interface, omit the -c switch at the end of the installer run command. You’ll use a wizard similar to the Windows version instead.
(Optional) Enable FIPS mode
If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.
Install the Local Scan Engine
If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.
Download and install on Windows
Windows installation requirements
- The Windows installer.
- The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download: sha512sum for Windows download
- A product key, which is needed to activate your license upon login.
- You have administrator privileges and are logged onto Windows as an administrator.
- Your system meets the minimum installation requirements.
- You have uninstalled any previously installed copies of the application.
Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased InsightVM or registered for an evaluation. We recommend adding InsightVM.
- Download the latest installer: Windows installer
- Use the following checksum files to verify the integrity of your installer and ensure that it wasn't corrupted during the download process: sha512sum for Windows download
- Make sure your installer and checksum file are in the same directory.
- Open a command prompt and browse to the directory where your installer and checksum are located.
- Run the following command, substituting <installer_file_name> with the appropriate value: `certutil -hashfile <installer_file_name> sha512`
- Run the installer.
  Do not close command line window: A command line window will appear during the installation, but you will not need to interact with it. Do not close this window.
- Double-click the installer icon. A message displays while the wizard is preparing. Once the wizard is done preparing, you will be sent to the Welcome page to begin installation.
- Follow the steps as the wizard guides you. This is where you will decide on the considerations mentioned previously throughout the process.
(Optional) Enable FIPS mode
If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.
Install the Local Scan Engine
If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines under Scans, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.
Log in and activate
Initialization progress
If you just started to initialize after installation, it may still be in progress when you connect to the Security Console. You must wait for this process to complete before you can log in.
- Open your supported browser and connect to the following address, substituting `<console_address>` with the FQDN or IP address of the machine where your Security Console is installed: `https://<console_address>:3780`
- A login prompt will display. Enter the credentials that you set up during the Security Console installation and click LOG ON.
- After you log in successfully, an activation prompt will appear. Enter your activation key in the provided field to activate.
Accessing the Security Console from the same machine that it’s installed on?
In this case, you can quickly access the web interface by connecting to `https://localhost:3780`.