The Network sensor

The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.

It is configured in TAP mode and gets a copy of the network traffic via a SPAN port. It can detect any type of device that communicates via IPv4 or IPv6 network protocols, regardless of whether the device is managed by Bitdefender or not. If there are any IoT devices on the network that communicate using those same protocols, the Network sensor will inspect that traffic as well.

For more information about the Network sensor requirements, refer to the Network sensor requirements page.

For optimal results, it is recommended you implement one network sensor appliance per network subnet.

Note

The Network sensor does not support SCADA or any particular OT protocols.

After configuration, the Network sensor continuously listens to network traffic, collects events from all endpoints in your environment, pre-processes and pre-filters them, and sends both metadata and detections to GravityZone Security Analytics engine.

View the triggered detections in the Incidents > Search section, by using the following query: other.sensor_name:network. These detections are used to enrich the context of Extended Incidents generated by GravityZone.

To add the Network sensor, follow these steps:

Install the Network sensor

Deploy the Network sensor kit in your environment by using either vSphere or Hyper-V.

These steps must be followed to deploy the Network sensor probes in your environment. For hardware requirements see Network sensor requirements.

Open the vSphere client, and click File > Add OVF template to create an OVF template for the Network Sensor Virtual Appliance (NSVA) that will be used to configure and activate the Network sensor in your environment.
You can select a template from:
- a remote URL - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.ova
- a local file system (hard drive, network share, CD / DVD drive) where the NSVA kit was downloaded.
After selecting the OVF template click Next.
Name the network sensor virtual appliance and select the deployment location.
Click Next.
Select the target endpoints in your environment where to deploy the Network sensor probes and then click Next.
Verify the details of your NSVA template and click Next.
On the Select storage page, define where and how to store the files for the deployed NSVA template.
1. Select the disk format for the virtual machine virtual disks.
  Choose from the available options:
  - Thick Provision Lazy Zeroed
  - Thick Provision Eager Zeroed
  - Thin Provision
2. Select a storage policy.
  Note
  This option is available only if storage policies are enabled on the target endpoints.
3. Select a datastore to store the deployed NSVA template.
  The configuration file and virtual disk files are stored on the datastore. Select a datastore large enough to accommodate the virtual appliance and all associated virtual disk files.
On the Select networks page:
1. Select the network interface that establishes communication between the Network sensor appliance and GravityZone.
2. Select the SPAN network that will be monitored by the Network sensor probes.
  Important
  After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to the Network sensor configuration.
Click Next.
Optionally, customize the NSVA deployment properties and click Next.
On the Ready to complete page, review the details and click Finish.
After the creation task is completed, open your Network sensor virtual appliance and start the configuration process.

These steps must be followed to deploy to deploy the Network sensor probes in your environment. For hardware requirements see Network sensor requirements.

Download the Network sensor virtual machine kit in one of the following formats:
- .vhd - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.vhd.
- .vhdx - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.vhdx
Open Hyper-V Manager and from the Action pane click New > Virtual Machine... to create a virtual machine that will be used to configure and activate the Network sensor in your environment.
In the Before You Begin window, click Next to create a virtual machine with a custom configuration.
In the Specify Name and Location window, add your virtual machine name and the location where the image was downloaded.
In the Specify Generation window you must:
- Select Generation 1 if you have downloaded the .vhd image type.
- Select Generation 2 if you have downloaded the .vhdx image type.
In the Assign Memory window, set the Startup memory to 2048 MB.
In the Configure Networking window, set the Connection to the desired network interface.
In the Connect Virtual Hard Disk window select the Use an existing virtual hard disk option and browse for the location of the downloaded Network sensor VHD kit.
In the Summary page, review the details and click Finish.
In Hyper-V Manager right-click the newly created virtual machine, and go Settings.
1. If the Generation 2 virtual machine was selected, go to Security and select Microsoft UEFI Certificate Authority from the Template dropdown list.
2. Go to Add Hardware and select Network Adapter to add the SPAN network that will be monitored by the Network sensor probes.
  Important
  After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to the Network Sensor configuration.
3. Select the desired SPAN network and click Apply .
4. Open Advanced Features of the SPAN network adapter and set the Port mirroring mode to Destination, then click Apply.
Start the Network sensor virtual machine and begin the configuration process.

Configure the Network sensor virtual appliance

After installing the Network sensor, follow these steps to configure the virtual appliance:

Start the Network sensor virtual machine (using either vSphere client or Hyper-V Manager).
Log in via SSH using root / sve as username and password.
Change the password.
The default password does not meet the new security password requirements, so you have to change it. It must contain at least 8 characters, one digit, at least one upper case character, at least one lower case character, one special character and must be changed every 3 months.
Note
For more information about resetting the root password, refer to Reset root password for Security Server.
To configure the Network sensor, run the following command:
```
/opt/bitdefender/bin/sva_setup.sh
```
Start the configuration process.
Choose an option from:
1. Network configuration - allows setting the following modes:
  - eth0: this is the primary interface used in the Dynamic Host Configuration Protocol (DHCP) mode to enable communication with GravityZone.
  - eth1: this is the interface in promiscuous mode, used to analyze network traffic.
  The subnet of the monitored network on the promiscuous interface must be configured:
  1. Select Network configuration.
  2. Select the promiscuous interface. By default it is eth1.
  3. Configure the monitored subnet address using the CIDR notation:
  4. Select the configuration mode for the primary interface:
    If no change is needed, select 1. DHCP (current).
    If the primary interface must have static IP address, select 2. Static and complete the configuration:
2. Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone .
3. Go to Communication server configuration and select one of the following options, based on your browser's URL:
  - For cloudgz.gravityzone.bitdefender.com: GZ Cloud Instance 1
  - For cloud.gravityzone.bitdefender.com: GZ Cloud Instance 2
  - For cloudap.gravityzone.bitdefender.com: GZ Cloud Instance 3
4. Configure the Company hash - the GravityZone company hash where the Network sensor sends the data (Login to GravityZone > My Company > My Company hash).
If the connection is successful, the Network sensor will be displayed in the GravityZone platform, in Network > Computers and Groups( in approximately 30 seconds).
The Network sensor main log file can be found here:
```
/opt/bitdefender/var/log/bdxdrd.log
```