Document Version: 3.11

Date: 2021-10-22



Purpose

The purpose of this document is to describe the installation and configuration process when setting up the HIAB for the first time. 

Introduction

This guide helps the HIAB administrator/network technician to set up the HIAB in the data center. Once the HIAB is enrolled and configured to send out the alerts through the proper channels, then the vulnerability program needs to be implemented (not covered in this document).

Setting Up the HIAB

Checklist

The below table displays the checklist for HIAB installation.

Number

Action

1

Setting up the HIAB.

2

Set up the IP assignment in the console.

3

Verify the required communication settings.

4

Enroll the server.

5

Log on to the portal interface.

6

Configure additional network settings.

7

Verify time zone.

8

Set up automatic updates.

9

Configure backup.

10

Set up events and notification.


Prerequisites

It is required to have access to an OUTSCAN account and a HIAB license to download the image. 

Getting Started

To launch the OUTSCAN application, navigate to https://outscan.outpost24.com.

Note

Use HTTPS protocol.

Login OUTSCAN


Log in using your credentials.

Downloading HIAB Image

To download the HIAB image:

  1. Open the Main Menu in the lower left corner of the screen and select Support.
  2. In the Support System window select the Virtual HIAB Appliance tab:

    Virtual HIAB Appliance

  3. Click on the link "here", it leads to a new view in the UI https://outscan.outpost24.com/portal/#/account/downloads.
  4. Log in to the portal using the same credentials as for https://outscan.outpost24.com.

    Portal Login Authenticatioin

  5. Available VMware and Hyper-V download options are displayed.

    HIAB VMware Virtual Image Download
    HIAB Hyper-V Virtual Image Download

  6. Select the option that is most suitable for your virtual environment, and click on the Download button located on the bottom of each option. See Download Options for more information.
  7. Select a location to store the downloaded file. 

After downloading the HIAB image, follow the appropriate installation instructions to set up the appliance.

Installation Instructions for HIAB VMware Appliance

  1. Open the administration tool for the virtual environment.
  2. Select the option to deploy an OVF or OVA file.
  3. Follow the instructions in the application. For more information on Deploying OVF or OVA files see VMware documentation about Deploying OVF and OVA Templates.
  4. Start the virtual machine.


Note

Select any Linux 64-bit system as the type of operating system.

Once the machine is started, you are presented with the HIAB menu in the virtual console. Use the console to set up the virtual HIAB according to your network environment.

Installation Instructions for HIAB Hyper-V Appliance

The installation can be done by using Microsoft Hyper-V import guide as well as other management tools for Hyper-V. Following instructions are written for PowerShell Management Library for Hyper-V.

  1. Extract the downloaded ZIP-file to a directory on the Hyper-V server, for example C:\HIAB_HYPER-V.
  2. Run Show-HypervMenu from PowerShell on the server.
  3. Import the virtual machine by selecting [7] Import Virtual Machine.
  4. Enter the path to the directory holding the extracted files you want to import. For example C:\HIAB_HYPER-VHIAB_VIRTUAL01.

  5. Do you wish to re-use IDs?
    [  ] No

    Note

    If the virtual machine is unique on the Hyper-V server,  then IDs may be re-used. If the imported HIAB is a copy of an existing virtual HIAB on this server, then IDs cannot be re-used and attempt to import the machine fails.

  6. Are you sure you want to perform this action?
    [Y] Yes
  7. Start the virtual machine.

Note

Select any Linux 64-bit system as the type of operating system.

Once the machine is started, you are presented with the HIAB menu in the virtual console. Use the console to set up the virtual HIAB according to your network environment.


Note

The current Network Test may not provide adequate information with regards to access to the license server. This can be addressed using the Traceroute utility found under the Tools menu by manually testing access towards the host outscan.outpost24.com over TCP port 443.


Download Options
NameCPUsRAMHard drive
VMware
HIAB VMware Virtual Image (150 GB)28 GB150 GB
HIAB VMware Virtual Image (150 GB)832 GB150 GB
HIAB VMware Virtual Image (1024 GB)28 GB1024 GB
HIAB VMware Virtual Image (1 TB) (Recommended)832 GB1024 GB
Hyper-V
HIAB Hyper-V Virtual Image (150 GB)18 GB150 GB
HIAB Hyper-V Virtual Image (1 TB)18 GB1024 GB
HIAB Hyper-V Virtual Image (1 TB) (Recommended)832 GB1024 GB

Set up the IP Assignment in the Console


Once the HIAB has booted (or if you connect to the HIAB via SSH), the following screen is displayed on your monitor.

HIAB Console Main Menu


The main menu is a multi-choice menu allowing access to different sections of the configuration in the HIAB. From this menu, the HIAB can be configured, updated, and hardened.
To restrict the access, define a password.

  1. Select option M in the above menu and provide a password.

Important Note

Do not forget this password or you may be locked out of the console and require remote access to reset the password.

Static IP

Perform the following steps from the Main Menu to set up the HIAB to use a static IP:

  1. Select option n to configure Network Settings.

    Network Settings:
  2. Select option d (Devices) to see to the available devices.
  3. Use the arrow keys to select the right device.
  4. Select the option c to connect the selected device.
  5. Select option q to go back to the network settings menu.

  6. Select option c (Connections) to go the connections window.
  7. Use the arrow keys to select the right connection.
  8. Select option a to activate the selected connection.

    Modify selected connection:
  9. Still in the n (Network Settings) > c (Connections), select option m to modify the selected connection.
  10. Select option a (Addresses) to go to the addresses window.
  11. Select option 4 or 6 depending on which IP version that are used.

    Note

    An IP address need to be added before setting the IPv4/v6 to manual.

  12. Type manual and press Enter.
  13. Select option a to Add IP.
  14. Enter the wanted IP address, for example 192.168.2.3/24 and press Enter.

    Note

    Specified in CIDR

  15. Exit the addresses menu q and go to r (Routes) to specify a default gateway. A default gateway is usually required for the communication from and to the HIAB.
  16. Select option q twice to go back to Connections.
  17. Select option d and thereafter a to reactivate the interface.

DHCP Assigned IP for IPv4/IPv6

To enable the server to be granted an IP address via DHCP, please perform the following steps from the Main Menu.

  1. Select option n to configure network settings.
  2. Select option c (Connections) from the network settings menu.
  3. Use the arrow keys to select an interface which you wish to change.
  4. Select option m to modify the selected connection.
  5. Select option a to modify the addresses for the interface.
  6. Select option 4 or 6 to set DHCP for an IPv4 or IPv6 address.
  7. Type auto and press Enter.
  8. Select option q twice to go back to Connections.
  9. Select option d and thereafter a to reactivate the interface.


Required Communication Settings

During the installation, it is required that the HIAB is able to communicate with the Enrollment server and the Update server at Outpost24. See the following section for information.

Note

The update connection in the network tests will fail if the HIAB is not enrolled due to the required certificate not yet being obtained. The certificate is obtained during the license check with OUTSCAN during the enrollment procedure.

Network Scanning Range

Firewalls, IDSs and IPSs may interfere with the security scan if they have a reactive defense mechanism. In such case, we recommend to set up OUTSCAN (CIDR IP range 91.216.32.0/24, 80.254.228.0/22, IPv6 range 2001:67c:1084::/48) as a trusted range.


Clarification

The scanning occurs from within the below range:

  • For IPv4: 91.216.32.1 to 91.216.32.254, 80.254.228.0 to 80.254.231.255.
  • For IPv6: 2001:67c:1084::0 to 2001:067c:1084:ffff:ffff:ffff:ffff:ffff.

Firewall Rules

The HIAB requires several firewall rules to allow for a smooth functionality in regard to updates and enrollments. Below is a list of rules that are used, however the Enrollment and Update rules are required and necessary. DNS host names are used for services where changes may occur without prior notification.


Service

Destination

Port

Protocol

Direction

Description

Remote Support

osrss.outpost24.com

22

TCP

Outbound

Remote Assistance

Update

repo.outpost24.com

443

5000

TCP

Outbound

HIAB Updates

Enrollment

outscan.outpost24.com

443

TCP

Outbound

Registering HIAB

HIAB External/ OUTSCAN Internal

outscan.outpost24.com

443

TCP

Outbound

External Scanning from HIAB

WEB

<HIAB IP>

443

TCP

Inbound

WEB GUI

Scheduler to Scanner

<HIAB IP>

443

TCP

Outbound

Communication to scanner, depends on Polling enabled or not

SMTP

<SMTP Server>

25

TCP

Outbound

For the HIAB to send emails

DNS

<DNS Server>

53

TCP/UDP

Outbound

To resolve host names

SSH

<HIAB IP>

22

TCP

Inbound

To allow remote access to the console

Proxy

<Proxy IP>

<Proxy port>

TCP

Outbound

To allow communications using a proxy server

FTP

<FTP IP>

<FTP Port>

TCP

Outbound

To perform backup and imports


Verify the Communication Settings

To verify if the HIAB is able to communicate with the above locations, perform the following steps from the Main Menu.

  1. Select option t to test network connections
  2. Select option r to run network tests
  3. Select option q to go back


Enroll the Server

The HIAB needs to be registered to the correct account to be able to perform any scanning. Therefore, you need to pair it with the Main Account, this is done through an enrollment process.
You can enroll the HIAB through console or portal interface.
If you are enrolling using console, you need to perform the following steps:

  1. Select option m (Maintenance), from the main menu.
  2. Select option u (Update).
  3. Select option e to enroll.
  4. Insert the user name for the HIAB license, which you have received in an email from Outpost24 and press Enter.
  5. Type the password given in the email and press Enter.

    Note

    Make sure that the correct K (Keymap) in Main Menu has been selected before typing in the password for enrollment.

  6. Now the HIAB connects to the update server to register.


If you are enrolling through portal interface, you need to perform the following steps:

  1. Navigate to https://<hiab-ip>.
  2. Provide your details and click Enroll.

    HIAB Enroll


You can also configure your Network settings and Activate Remote Support.

Note

Use the main account or any account with the Allow enroll HIAB option checked on the OUTSCAN system, to enroll the HIAB.


Note

The Enrollment Package is bound to the generated key, in other words, it can only be uploaded on the specific HIAB on which the key was generated. Similarly, the key is bound to the HIAB on which it was generated.

The Enrollment Package contains:

  • An SQL file with license information, containing username, name, email, and hashed password. 
  • A key file containing a unique key. The key file does not contain any information about MAC or IP.
  • Rules update.
  • Exploits update.
  • Updated RPM packages.
  • A certificate used for enrolling.


Log on to the Portal Interface


Once you enroll the server, you are able to see the below screen available at https://<hiab-ip>.

Example: If your assigned IP is 192.168.2.3, navigate to https://192.168.2.3


HIAB Login Authentication
Log on using your credentials.

Configure Additional Network Settings


Once logged in, you are able to set up any additional network interfaces and define any additional routes if required. 

The network settings are available in the Main Menu > Settings > Server, under the Network tab.

HIAB Server Settings Network

NTP Settings

NTP settings can be configured in the Servers tab under: Main Menu > Settings > Server


HIAB Server Settings NTP Settings

Verify Time Zone


All references to time can be modified to reflect the time in the current time zone. Click on the time section of the window in the lower right corner of the window to modify the time zone offset from GMT.
HIAB Verify Time

You can also change the date and time format and what is considered the first day of the week.

HIAB Time Settings

Set up Automatic Updates


Before you start using your HIAB, it is a good idea to set up automatic updates. This enables you to always receive the latest vulnerability tests and provide you with new features as they become available.
To schedule your updates, go to Main Menu > Settings > Maintenance, select the Update tab.

HIAB Maintenance Settings Update


Here you can define if the updates are allowed to terminate any running scans (they resume afterwards if they are still within their scanning window).

Select the frequency for the update and provide a start time, then click Save to save the current settings.

Configure Backup


The HIAB can be set up to perform regular backups and transfer them over various protocols to a remote location for safekeeping. To configure these settings, go to Main Menu > Settings > Maintenance, select the Backup tab.

HIAB Maintenance Settings Backup


Refer to HIAB Maintenance Settings guide for detailed information about Update and Backup.

Set up Events and Notifications


The HIAB can send you the notifications either through email, Syslog or SNMP traps. The supported events that can be defined are located under Main Menu > Settings > Event notifications.

HIAB Event Notifications


Click on + New button, to add a new event to the system. Right click on any event and select edit to set the event notification.

HIAB Maintaining Event Notification


Click on ? (help button) on the top right corner of the window to know more details about the available options.


Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.