ON PREMISES SOLUTIONS

Sandbox Analyzer On-Premises

Sandbox Analyzer On-premises has specific requirements as follows:

  • ESXi Hypervisor (the virtualization platform that will run the environment).

  • Sandbox Analyzer Virtual Appliance (the management appliance that will control the detonation virtual machines).

  • Network Security Virtual Appliance (a VM that encapsulates a network sensor capable of extracting payload from network traffic).

  • Connectivity to an existing GravityZone Control Center used for high-level management of the sandbox environment.

  • Internet connection for downloading the Sandbox Analyzer Virtual Appliance, with minimum bandwidth of 5 MBps.

    Important

    Make sure there are no other applications or processes that may block the internet connection while downloading and installing Sandbox Analyzer.

ESXi hypervisor

Sandbox Analyzer Virtual Appliance is available in OVA format, deployable on a single physical host running VMware ESXi hypervisor.

Hardware requirements for the physical host
  • CPU: the total number of CPU cores (considering hyperthreading) can be extrapolated by using the calculation presented in the section “Physical Host Requirements and Hardware Scaling”.

  • RAM: the total amount of RAM needed for the physical host can be extrapolated by using the calculation presented in the section “Physical Host Requirements and Hardware Scaling”.

  • Disk space: at least 1TB of SSD storage (adequate for 8-VM detonation environment, scalable with at least 50 GB for each additional detonation VM).

  • Network: one dedicated physical network interface card (NIC).

    This NIC can be split into two virtual NICs, with the following mappings:

    • One NIC for the management interface.

    • One NIC for the detonation network.

    Note

    It is recommended to use dedicated physical NICs with the same mappings as the above mentioned vNICs if the hardware configuration allows it.

Software requirements

Supported versions of ESXi server: 6.5 and 6.7.

Supported VMFS version: 5.

Additional configuration on ESXi host:

  • SSH enabled on startup.

  • NTP service configured and active.

  • The start/stop with host option enabled.

Note

Sandbox Analyzer is compatible with the trial version of VMware ESXi. However, for production deployments it is recommended to run on a licensed version of ESXi.

Sandbox Analyzer Virtual Appliance

Sandbox Analyzer Virtual Appliance provides virtually unlimited scalability, as long as the underlying hardware resources are available.

Of the total amount of ESXi available resources, Sandbox Analyzer shares CPU and RAM between Sandbox Manager and the detonation virtual machines.

Sandbox Manager minimum system requirements
  • 6 vCPUs

  • 20 GB of RAM

  • 600 GB of disk space

Sandbox Manager has three internal virtual NICs allocated as follows:

  • 1 NIC for communication with the management console (GravityZone Control Center).

  • 1 NIC for internet connectivity.

  • 1 NIC for communication with detonation VMs.

Note

To allow communication, both the ESXi management vNIC and the Sandbox Manager management vNIC must be in the same network.

Detonation virtual machines

System requirements

Sandbox Analyzer On-premises provides support for custom virtual machine images. This allows for sample detonation in a runtime environment that mimics a realistic production environment.

Creating a virtual machine image requires the following conditions:

  • The virtual machine image is in VMDK format, version 5.0.

  • Supported operating systems for building detonation virtual machines:

    • Windows 7 64-bit (any patch level)

    • Windows 10 64-bit (any patch level)

Important

  • The operating system must be installed on the second partition in the partition table and mounted at drive C: (default Windows installation configuration).

  • The local "Administrator" account must be enabled and have an empty password (no password set). Because this leaves the account unauthenticated, never attach an image prepared this way to any network other than the isolated detonation network.

  • Before exporting the VM image, you must correctly license the operating system and all installed software in the virtual machine image.

Virtual machine image software

Sandbox Analyzer supports detonation of a wide range of file formats and types. For details, refer to Sandbox Analyzer objects.

For conclusive reports, make sure you have installed in the custom image the software that can open a particular file type you want to detonate. For details, refer to Recommended Applications for Detonation VMs.

Network Security Virtual Appliance

Network Security Virtual Appliance operates the network sensor, which extracts content from network streams and submits it to Sandbox Analyzer. The minimal hardware requirements are:

  • 4 vCPUs

  • 4 GB of RAM

  • 1 TB of disk space

  • 2 vNICs

Physical host requirements and hardware scaling

The scaling algorithm of the Sandbox Analyzer environment considers the following formula, where "K" equals the number of detonation slots (or detonation VMs):

  • Sandbox Analyzer VA vCPU = 6 vCPUs + K x 1 vCPU

  • Sandbox Analyzer VA RAM = 20 GB RAM + K x 2 GB

Similarly, the scaling algorithm for the host is the following:

  • ESXi Host vCPU = 6 vCPUs + K x 2 vCPU

  • ESXi Host RAM = 20 GB RAM + K x 5 GB

The difference between the Sandbox Analyzer VA figures and the ESXi host figures is the resources allocated to each detonation VM.

Therefore, a typical detonation environment (8 VMs) would have the following requirements:

  • Sandbox Analyzer VA vCPU = 6 vCPUs + 8 x 1 vCPU = 14 vCPUs

  • Sandbox Analyzer VA RAM = 20 GB RAM + 8 x 2 GB = 36 GB RAM

  • ESXi Host vCPU = 6 vCPUs + 8 x 2 vCPUs = 22 vCPUs

    Note

    Each detonation VM needs 1 vCPU allocated for the Sandbox Analyzer VA and 1 vCPU for the detonation VM. The detonation VM will be provisioned with 4 vCPUs, but they will be overprovisioned in a 4:1 ratio, resulting in only 1 vCPU being needed from the ESXi host.

  • ESXi Host RAM = 20 GB RAM + 8 x 5 GB = 60 GB RAM

    Note

    RAM is used in a 1:1 ratio between Sandbox Analyzer VA, detonation VMs and the ESXi host. Thus, each detonation VM will require 5 GB of RAM from the ESXi host, out of which 2 GB will be allocated to the Sandbox Analyzer VA and 3 GB will be allocated to the detonation VM itself.

The resulting physical host requires, in the above-mentioned scenario, at least 22 CPU cores (including hyperthreading) and at least 60 GB of RAM, with an additional 10-20% of RAM reserved for the hypervisor itself.

Typically, detonation of a sample takes nine minutes to execute and generate the detonation report, and it uses all provisioned resources. It is recommended to design your sandboxing environment starting with the detonation capacity (files/hour) and then transform this metric into needed resources at host and VM level.
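The sizing rules above, worked into a small calculator. This is an added example, not a Bitdefender tool: it encodes the page's formulas (VA: 6 vCPUs + K, 20 GB + 2K GB; host: 6 + 2K vCPUs, 20 + 5K GB), the 1 TB SSD baseline for 8 detonation VMs plus 50 GB per additional VM, the upper end (20%) of the hypervisor RAM reserve, and the nine-minute detonation time, so that a target capacity in files/hour can be turned into a slot count K and then into host resources, as the paragraph recommends. The assumption that 1 TB means 1000 GB is the example's own.

```python
"""
Sizing helper for a Sandbox Analyzer On-Premises host (added example).

Encodes the scaling formulas from the requirements page, where K is the
number of detonation slots (detonation VMs):
  VA vCPU   = 6 + K * 1          VA RAM   = 20 GB + K * 2 GB
  Host vCPU = 6 + K * 2          Host RAM = 20 GB + K * 5 GB
  Disk      = 1 TB SSD for 8 VMs, + 50 GB per additional VM
"""
import math
from dataclasses import dataclass

DETONATION_MINUTES = 9          # typical time per sample, from the page
BASE_DISK_GB = 1000             # assumption: 1 TB taken as 1000 GB
BASE_DISK_SLOTS = 8             # the 1 TB baseline covers an 8-VM environment
EXTRA_DISK_GB_PER_VM = 50
HYPERVISOR_RAM_RESERVE_PCT = 20  # upper end of the 10-20 % reserve for ESXi


@dataclass(frozen=True)
class Sizing:
    slots: int
    va_vcpu: int
    va_ram_gb: int
    host_vcpu: int
    host_ram_gb: int
    host_ram_with_reserve_gb: int
    disk_gb: int
    files_per_hour: float


def throughput_for_slots(k: int) -> float:
    """Sustained detonation rate of K slots when each sample takes 9 minutes."""
    return k * 60 / DETONATION_MINUTES


def slots_for_throughput(files_per_hour: float) -> int:
    """Smallest K that sustains the target rate (start from capacity, as recommended)."""
    if files_per_hour <= 0:
        raise ValueError("throughput must be positive")
    return math.ceil(files_per_hour * DETONATION_MINUTES / 60)


def size_for_slots(k: int) -> Sizing:
    """Apply the page's formulas for a given number of detonation slots."""
    if k < 1:
        raise ValueError("need at least one detonation slot")
    host_ram = 20 + 5 * k
    disk = BASE_DISK_GB + max(0, k - BASE_DISK_SLOTS) * EXTRA_DISK_GB_PER_VM
    return Sizing(
        slots=k,
        va_vcpu=6 + k,
        va_ram_gb=20 + 2 * k,
        host_vcpu=6 + 2 * k,
        host_ram_gb=host_ram,
        # integer arithmetic keeps the percentage exact before rounding up
        host_ram_with_reserve_gb=math.ceil(host_ram * (100 + HYPERVISOR_RAM_RESERVE_PCT) / 100),
        disk_gb=disk,
        files_per_hour=throughput_for_slots(k),
    )


def size_for_throughput(files_per_hour: float) -> Sizing:
    """Capacity-first sizing: files/hour -> K -> host and VA resources."""
    return size_for_slots(slots_for_throughput(files_per_hour))


if __name__ == "__main__":
    for s in (size_for_slots(8), size_for_throughput(100)):
        print(f"K={s.slots:2d}  VA {s.va_vcpu} vCPU/{s.va_ram_gb} GB  "
              f"host {s.host_vcpu} vCPU/{s.host_ram_gb} GB (+reserve {s.host_ram_with_reserve_gb} GB)  "
              f"disk {s.disk_gb} GB  ~{s.files_per_hour:.0f} files/h")
```

For the page's 8-VM scenario this yields 14 vCPUs / 36 GB for the VA and 22 vCPUs / 60 GB (72 GB with the reserve) for the host, at roughly 53 files/hour; a target of 100 files/hour needs 15 slots.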

Sandbox Analyzer communication requirements

Sandbox Analyzer On-premises components use certain communication ports bound to specific network interfaces, in order to communicate between themselves and/or with Bitdefender’s public servers.

The sandboxing environment requires three network interfaces:

  • eth0 – Management network interface. It connects to GravityZone and to the ESXi host.

    It is recommended to connect eth0 to the same network as the ESXi management interface. It is also recommended to map it to a dedicated physical adapter.

    The following table describes the network communication requirements for eth0:

    Direction   Port (TCP)   Source/destination
    Outbound    8443         GravityZone Communication Server
    Outbound    443          GravityZone Virtual Appliance
    Outbound    80           GravityZone Virtual Appliance
    Outbound    22           ESXi host
    Outbound    443          ESXi host API
    Inbound     8443         Any

  • eth1 – Detonation network. It does not require any configuration. The installation process creates the necessary virtual resources.

  • eth2 – Internet access network. It is recommended to have an unrestricted and unfiltered connection to the internet.

    It is recommended that the management network and the internet access network are assigned to different subnets.

GravityZone Virtual Appliance requires connectivity to Sandbox Analyzer Virtual Appliance on port 443 (on TCP), both to view and download Sandbox Analyzer reports and to request the status of detonated samples.
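A pre-flight check for the eth0 flows listed above, as an added example that is not part of Bitdefender's product or documentation. It encodes the outbound table (8443 to the Communication Server, 443 and 80 to the GravityZone VA, 22 and 443 to the ESXi host) and tests whether a TCP handshake completes to each, which is the quickest way to find a firewall or routing problem before the installer does. It does not check the inbound 8443 rule or the eth2 internet path, and it does not authenticate or validate certificates. The host names in the usage section are hypothetical placeholders; the self-test uses constructed loopback endpoints so it runs offline.

```python
"""
TCP reachability check for the Sandbox Analyzer On-Premises eth0 flows
(added example). Run from the Sandbox Analyzer VA or another host on the
same management network.
"""
import socket
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    name: str
    host: str
    port: int


def required_outbound_flows(gz_comm_server: str, gz_va: str, esxi_host: str) -> List[Flow]:
    """The outbound eth0 table from the requirements page (all TCP)."""
    return [
        Flow("GravityZone Communication Server", gz_comm_server, 8443),
        Flow("GravityZone Virtual Appliance (HTTPS)", gz_va, 443),
        Flow("GravityZone Virtual Appliance (HTTP)", gz_va, 80),
        Flow("ESXi host (SSH)", esxi_host, 22),
        Flow("ESXi host API (HTTPS)", esxi_host, 443),
    ]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name resolution failed
        return False


def check_flows(flows: Iterable[Flow], timeout: float = 3.0) -> Dict[Flow, bool]:
    """Probe every flow and map it to its reachability result."""
    return {flow: tcp_reachable(flow.host, flow.port, timeout) for flow in flows}


def unreachable(results: Dict[Flow, bool]) -> List[Flow]:
    """Flows that failed; a non-empty list means firewall or routing work remains."""
    return [flow for flow, ok in results.items() if not ok]


def self_test() -> Dict[str, bool]:
    """Offline demonstration against constructed loopback endpoints:
    one listening port (expected reachable) and one port that was bound
    and released, so nothing listens on it (expected refused)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port released: a connect attempt is now refused

    try:
        return {
            "open": tcp_reachable("127.0.0.1", open_port, timeout=1.0),
            "closed": tcp_reachable("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    # Hypothetical addresses; replace with the real management-network hosts.
    flows = required_outbound_flows("gz-comm.example.internal",
                                    "gz-va.example.internal",
                                    "esxi01.example.internal")
    for flow, ok in check_flows(flows).items():
        print(f"{'OK  ' if ok else 'FAIL'} {flow.name:40s} {flow.host}:{flow.port}")
    print("self-test:", self_test())
```

Run it once from the management network before deploying the OVA; any FAIL line maps directly to a row of the eth0 table that the firewall between the appliance and its peer still blocks.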