Step 3: Provision a Network Sensor Host

As stated on the Network Sensor Host System Requirements page, you can deploy the Insight Network Sensor on a physical or virtual Linux box. This article provides basic guidelines for configuring the host's Network Interface Controllers (NICs).

At the conclusion of this step, your network sensor host should be running with full connectivity on all configured NICs.

The Network Sensor Deployment is not complete unless the NICs are defined

All physical or virtual network sensor hosts require two Network Interface Controllers (NICs) to run effectively. You must also confirm which interface is used for network traffic capture within Network Sensor Management.

Physical Network Sensor Host Guidelines

When provisioning your physical Linux machine, ensure that your hardware meets the requirements noted in the Physical Specs section of the host requirements page. Depending on your network throughput, the network sensor’s traffic monitoring functions can place a heavy demand on the host’s memory.

Physical NIC Configurations

Provision your host machine with two NICs that support either 1GB or 10GB bandwidths. In accordance with the Network Sensor Host System Requirements page, only the primary NIC (the one that provides the network sensor host itself with network connectivity) will need an IP address assigned to it. Your secondary NIC (the one connected to your configured network traffic source) does not need an IP address.

To connect your physical host to a mirror port-equipped core switch:

  1. Use a network cable to connect your primary NIC to an unused port on your core switch to provide the host with network connectivity.
  2. Use another network cable to connect your secondary NIC to the mirror port on your core switch that you configured previously.
  3. After connecting your NICs, proceed to Step 4: Download and Install the Network Sensor Software.

To connect your physical host to a Test Access Point (TAP) device:

  1. Use a network cable to connect your primary NIC to an unused port on your switch device to provide the host with network connectivity.
  2. Use another network cable to connect your secondary NIC to the output (or analyzer) port of your TAP device.
  3. After connecting your NICs, proceed to Step 4: Download and Install the Network Sensor Software.

Virtual Network Sensor Host Guidelines

Virtual network sensor hosts can connect to both physical and virtual network traffic sources depending on the needs of your environment. As noted in the Virtual Deployment Infrastructure section of the requirements page, virtual network sensors must be deployed using a VMware ESXi hypervisor.

NOTE

Virtual network sensor hosts are generally only suitable when configured with NICs supporting 1GB bandwidths since configuring a virtual network sensor host with 10GB NICs requires an inordinate amount of hypervisor resources. Rapid7 recommends that you deploy a physical network sensor host if your network throughput requires the 10GB bandwidth.

Virtual NIC Configurations

NOTE

For optimal performance, configure your virtual NICs with interface type E1000e instead of VMXNET.

Provision your virtual host machine in the ESXi server with two virtual NICs, preferably supporting 1GB bandwidths because of the hypervisor resource usage noted previously. Configure the primary virtual NIC with an IP address and connect it to the primary virtual switch that provides connectivity to the other deployed virtual machines that you want to monitor.

The configuration of your secondary NIC dedicated to network traffic will depend on the intended scope of your monitoring efforts for this virtual network sensor host.

If you only intend to monitor the network traffic of the hypervisor:

  1. Configure a secondary virtual NIC without an IP address and connect it to your primary virtual switch. This secondary NIC will serve as your traffic monitoring NIC.
  2. Configure an ESXi port group composed of your existing virtual machines connected to your primary virtual switch.
  3. Enable promiscuous mode on the primary virtual switch so the secondary virtual NIC receives all network traffic.
  4. When finished, proceed to Step 4: Download and Install the Network Sensor Software.

If you intend to monitor the network traffic of both the hypervisor AND the rest of your physical infrastructure:

TIP

This procedure assumes that your ESXi server is mapped to a physical NIC that connects to your core switch along with the rest of the physical network infrastructure.

  1. Configure a secondary virtual switch in the ESXi server dedicated to the virtual network sensor’s use. You will need to enable promiscuous mode on this secondary virtual switch so that your network sensor can process the network traffic that it receives.
  2. Configure a secondary virtual NIC for your network sensor host without an IP address and connect it to the secondary virtual switch you just created. This secondary virtual NIC will serve as your traffic monitoring NIC.
  3. Configure an additional physical NIC without an IP address and map it to your secondary virtual switch that you created in step 1. Use a network cable to connect this physical NIC to your configured mirror port on your core switch.
  4. After your virtual network sensor host NICs are connected to their respective virtual switches in your ESXi server and your secondary virtual switch has a physical connection to the mirror port on your core switch, proceed to Step 4: Download and Install the Network Sensor Software.
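
Before moving on to Step 4, the NIC layout described in this article can be checked from the sensor host itself. The script below is an added example, not Rapid7 tooling: it audits `ip -o link show` and `ip -o addr show` output to confirm that both NICs are up with a link and that only the primary NIC has an address. The interface names (ens192, ens224) and the sample output are constructed, and the script assumes that only global-scope addresses count as "assigned" (an auto-configured IPv6 link-local address on the capture NIC is ignored).

```shell
#!/bin/sh
# Added example: audit the two-NIC layout on a network sensor host.
# Interface names and the sample `ip` output below are constructed.

# Count global-scope addresses on IFACE; stdin is `ip -o addr show` output.
count_global_addrs() {
    awk -v ifc="$1" '$2 == ifc && /scope global/ { n++ } END { print n + 0 }'
}

# Succeed if IFACE carries FLAG exactly (UP must not match LOWER_UP);
# stdin is `ip -o link show` output.
link_has_flag() {
    awk -v ifc="$1:" -v flag="$2" '
        $2 == ifc { gsub(/[<>]/, "", $3); n = split($3, f, ",")
                    for (i = 1; i <= n; i++) if (f[i] == flag) ok = 1 }
        END { exit !ok }'
}

# audit_nics PRIMARY CAPTURE ADDR_TEXT LINK_TEXT
# Prints one FAIL line per problem; exit status is 0 only if none were found.
audit_nics() {
    pri=$1; cap=$2; addrs=$3; links=$4; rc=0
    for nic in "$pri" "$cap"; do
        for flag in UP LOWER_UP; do   # UP = enabled, LOWER_UP = carrier present
            printf '%s\n' "$links" | link_has_flag "$nic" "$flag" ||
                { echo "FAIL $nic missing $flag"; rc=1; }
        done
    done
    # Only the primary NIC needs an IP address; the capture NIC should have none.
    [ "$(printf '%s\n' "$addrs" | count_global_addrs "$pri")" -ge 1 ] ||
        { echo "FAIL $pri has no IP address"; rc=1; }
    [ "$(printf '%s\n' "$addrs" | count_global_addrs "$cap")" -eq 0 ] ||
        { echo "FAIL $cap has an IP address"; rc=1; }
    return $rc
}

# Constructed sample: ens192 = primary NIC, ens224 = traffic capture NIC.
SAMPLE_LINK='2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
SAMPLE_ADDR='2: ens192    inet 192.0.2.10/24 brd 192.0.2.255 scope global ens192
3: ens224    inet6 fe80::250:56ff:fe00:1/64 scope link'

# On a live host: audit_nics ens192 ens224 "$(ip -o addr show)" "$(ip -o link show)"
audit_nics ens192 ens224 "$SAMPLE_ADDR" "$SAMPLE_LINK" && echo "NIC layout OK"
```

A `missing LOWER_UP` finding on the capture NIC usually points at the cabling to the mirror port or TAP, or at the virtual switch mapping, rather than at the host configuration.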