Firewall requirements

This article describes firewall (connectivity) requirements for all Vectra deployments (RUX and QUX).

Firewall Requirements Sections

  • Important Notes: Respond UX vs Quadrant UX applicability, SSL inspection, internet/air-gap requirements, and remote support IP range conflicts.

  • Vectra Cloud Connectivity: connectivity to Vectra services hosted in Vectra's cloud. Mainly for Respond UX deployments; the Auth Gateways section also applies to Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS.

  • Appliance Connectivity: connectivity required for Vectra appliances (physical or virtual). Applies to both RUX for Network and Quadrant UX deployments, and includes additional details on connectivity from Vectra appliances to the Vectra cloud.

Important Notes

Respond UX vs Quadrant UX Applicability

The Respond User Experience (Respond UX or RUX) and the Quadrant User Experience (Quadrant UX or QUX) are two different analyst user experiences that Vectra offers. It is important to distinguish between the two when reading the firewall rules below: some rules apply only to deployments using the Respond UX and some only to deployments using the Quadrant UX. For additional information please see: Vectra Analyst User Experiences (Respond vs Quadrant).

While the Respond UX is delivered from Vectra's cloud as part of the overall Vectra AI Platform, it can be used without traditional Brain and Sensor appliances when only non-network data sources are used. RUX for Network deployments (using network Sensors with the Respond UX) still require a Brain appliance to be installed in the customer environment (which can be in IaaS clouds or physical data centers, etc). Sensors will be deployed and paired with that Brain to capture network traffic for analysis.

Requirements listed below that apply only to RUX for Network deployments or only to QUX deployments will be labeled as such.

Firewall/Proxy SSL Inspection

Please note that Vectra appliances validate the server certificate on every HTTPS connection they make. An inspecting firewall or proxy terminates TLS and re-signs the server certificate with its own CA, which the appliance does not trust, so the connection fails. SSL/TLS inspection must therefore be disabled (bypassed) for the destinations listed in this article.

We have also identified that some firewall software transparently enables SSL inspection when certain filters (for example, DNS hostname filtering) are turned on. This is not obvious to the administrator and should be checked whenever connectivity issues are observed: a certificate verification failure on the Brain naming an issuer other than a public CA is the usual symptom.

Internet Access From Vectra Brain

A Vectra Brain requires connectivity to the automatic update service for normal operation. This connectivity is used for automatic (including security) updates and to synchronize keys for cryptographic authentication of sensors.

The Brain requires Internet DNS resolution to obtain the IP addresses for these requests. The customer may choose public/Internet DNS servers or internal DNS servers; however, Internet DNS names must be resolvable by the Brain. Please note that DNS is often treated as a UDP-only protocol, but a resolver falls back to TCP when a response is truncated (too large for the UDP message size) and for some other transaction types. Both UDP/53 and TCP/53 must be permitted from the Brain to every configured DNS server.
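The UDP/TCP point above is easy to miss in a firewall policy because tools such as nslookup and dig default to UDP, so a rule that permits only UDP/53 passes a quick test while still breaking the Brain. The following is an added example (not Vectra tooling or code from this page) that sends a hand-built DNS query to the same resolver over both transports using only the Python standard library, and also reads the TC (truncated) flag that triggers the TCP fallback. The resolver address and hostname are command-line arguments; the function names and the sample bytes in the comments are constructed for the illustration.

```python
"""Check that a resolver answers over both UDP/53 and TCP/53 (added example, not Vectra code).

Builds a minimal RFC 1035 query by hand so the exact same message can be sent
over both transports; a resolver that answers over UDP but times out over TCP
is exactly the failure the note above warns about.
"""
import random
import socket
import struct
import sys


def build_query(name, qid=None, qtype=1):
    """Return a DNS query for `name` (QTYPE 1 = A, QCLASS 1 = IN) with RD set.

    A fixed qid is accepted for reproducible checks; callers normally let it be
    randomised, which is the standard defence against spoofed answers.
    """
    if qid is None:
        qid = random.getrandbits(16)
    # header: id, flags (RD only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # qname: length-prefixed labels, e.g. b"\x07update2\x0evectranetworks\x03com\x00"
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def parse_header(message):
    """Decode the 12-byte response header into the fields this check needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": qid,
            "qr": bool(flags & 0x8000),   # 1 = this is a response
            "tc": bool(flags & 0x0200),   # truncated: a resolver must retry over TCP
            "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
            "qdcount": qd, "ancount": an}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TCP connection early")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    """Send one query over UDP/53 and return the parsed response header."""
    qid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid:
        raise ValueError("response id does not match query id")
    return hdr


def query_tcp(server, name, timeout=3.0):
    """Send the same query over TCP/53 (length-prefixed) and return the header."""
    qid = random.getrandbits(16)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name, qid)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    hdr = parse_header(data)
    if hdr["id"] != qid:
        raise ValueError("response id does not match query id")
    return hdr


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <resolver-ip> <fqdn>")
        return 2
    server, name = argv[1], argv[2]
    failed = 0
    for transport, fn in (("UDP/53", query_udp), ("TCP/53", query_tcp)):
        try:
            h = fn(server, name)
            print(f"{transport}: rcode={h['rcode']} answers={h['ancount']} tc={h['tc']}")
        except (OSError, ValueError) as exc:
            failed = 1
            print(f"{transport}: FAILED ({exc}); check the firewall rule for this transport")
    return failed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host on the Brain's management network (same VLAN and egress path), for example `python3 dnscheck.py 10.0.0.53 update2.vectranetworks.com`. A response over UDP with tc=True and a failure over TCP is the signature of a policy that allows only UDP/53. The equivalent one-liner with BIND tools is `dig +tcp @10.0.0.53 update2.vectranetworks.com`.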

Vectra can function in air-gapped environments when a Quadrant UX based deployment is done, but there will be some impacts such as:

  • Vectra Threat Intelligence detections will be disabled.

  • Suspect Domain Activity detection will be disabled.

  • Context enrichments from external sources such as whois, etc that are displayed in certain models will not function.

Please see the Vectra Quadrant UX Deployment Guide for additional details about air gap environments including guidance for offline updates. Respond UX for Network is not possible in air-gapped environments since the Respond UX is delivered from Vectra's cloud and communicates with a locally installed Brain.

Internet Access to Vectra Appliances

As with all security infrastructure, Vectra appliances should not be reachable from the Internet; access should be granted only from trusted workstations and/or authenticated sources.

Management Network IP Address Range Conflicts with Remote Support

Customers should note that the following IP ranges will conflict with remote support capability:

  • 192.168.72.0/21

  • 192.168.80.0/21

If you will ever need Vectra to assist remotely (outside of screen sharing sessions), care should be taken to number the management network interface (MGT) used on any appliance (physical, virtual, or cloud - Brains or Network Data Sources/Sensors) outside of the above ranges. If your management network interface (MGT) is numbered in either of these ranges, remote support access will not function. Remote support connectivity with Vectra all goes through the Brain (even to access other appliances in your deployment) so firewall rules for remote support functionality only need to allow connectivity from the Brain to Vectra's cloud (Sensors must still allow connectivity to the Brain per the below charts).
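The two notes above (SSL inspection and the remote-support address ranges) are the most common causes of a Brain that cannot reach Vectra's cloud, and both can be caught before the appliance is installed. The following is an added example, not Vectra tooling or code from this page: a small preflight script that checks whether a proposed MGT subnet overlaps the reserved ranges and then performs a verified TLS handshake against each endpoint, classifying a verification failure by its OpenSSL error code so an inspecting proxy is distinguishable from a plain firewall block. The script name, function names and sample addresses are assumptions made for the illustration; the endpoint hostnames come from the tables on this page.

```python
"""Preflight for a Vectra Brain's management network (added example, not Vectra code).

Two checks, standard library only:
  1. does the MGT interface subnet overlap the reserved remote-support ranges?
  2. does each HTTPS endpoint present a certificate that validates against the
     public CA store, or one re-signed by an inspecting firewall/proxy?
"""
import ipaddress
import socket
import ssl
import sys

# Ranges that conflict with Vectra remote support (from the note above).
REMOTE_SUPPORT_RANGES = (
    ipaddress.ip_network("192.168.72.0/21"),
    ipaddress.ip_network("192.168.80.0/21"),
)

# OpenSSL X509 verify result codes that mean "untrusted issuer", which is what
# an inspecting proxy produces when it re-signs the server certificate.
UNTRUSTED_ISSUER_CODES = {
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain",
    20: "issuer certificate not in the local CA store",
    21: "unable to verify the first certificate",
}


def mgt_conflicts_with_remote_support(mgt_cidr: str) -> bool:
    """True if the MGT network (e.g. '192.168.75.10/24') overlaps a reserved range."""
    net = ipaddress.ip_network(mgt_cidr, strict=False)  # host bits allowed
    return any(net.overlaps(reserved) for reserved in REMOTE_SUPPORT_RANGES)


def classify_verify_code(code: int) -> str:
    """Map an OpenSSL verify error code to an operator-facing diagnosis."""
    if code in UNTRUSTED_ISSUER_CODES:
        return f"likely SSL/TLS inspection ({UNTRUSTED_ISSUER_CODES[code]})"
    if code == 10:
        return "certificate expired (check the Brain's clock / NTP)"
    if code == 62:
        return "hostname mismatch (wrong destination or a redirecting proxy)"
    return f"verification failed (X509 error {code})"


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TCP connect plus a verified TLS handshake to host:port; no HTTP request is sent.

    The handshake alone separates three cases: firewall block (connect fails),
    inspecting proxy (verification fails) and a working path.
    """
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"host": host, "ok": True,
                        "detail": f"{tls.version()} handshake verified"}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "ok": False,
                "detail": classify_verify_code(exc.verify_code)}
    except OSError as exc:  # includes timeouts and other SSL errors
        return {"host": host, "ok": False, "detail": f"connect failed: {exc}"}


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} <mgt-cidr> <host[:port]> [host[:port] ...]")
        return 2
    status = 0
    if mgt_conflicts_with_remote_support(argv[1]):
        print(f"MGT {argv[1]} overlaps a remote-support range; renumber it")
        status = 1
    for target in argv[2:]:
        host, _, port = target.partition(":")
        r = check_tls(host, int(port or 443))
        print(f"{'OK  ' if r['ok'] else 'FAIL'} {r['host']}: {r['detail']}")
        status |= 0 if r["ok"] else 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a workstation on the intended management VLAN, with the same egress path the Brain will use, for example `python3 preflight.py 192.168.10.5/24 update2.vectranetworks.com authgateway.ew1.public.app.prod.vectra-svc.ai`. A "likely SSL/TLS inspection" result means the firewall or proxy is re-signing the connection and the destination needs an inspection bypass; to see the issuer actually presented, follow up with `openssl s_client -connect host:443 -servername host`.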

Vectra Cloud Connectivity

  • For this document, the portions of the Vectra AI Platform that reside in Vectra’s cloud are referred to as the Vectra cloud.

    • This does not refer to any specific service offering.

  • Please check each category below to see if it is applicable to your deployment and if rules are required in your environment to enable the required connectivity.

    • For rule categories that have multiple region options, it is only necessary to put rules in place to allow connectivity to the region that your Vectra tenant is deployed in. This region should be visible in the URL used to access the Respond UX.

      • e.g. the ew1 in [tenant_id].ew1.prod.vectra-svc.ai (or in [tenant_id].ew1.portal.vectra.ai) indicates an EU deployment.

  • RUX for Network refers to a RUX deployment that has enabled network data sources (sensors).

    • This means you have a Brain somewhere in your premises (data center or public cloud) that is connected to the Vectra cloud for use with the Respond UX and paired with network Sensors (virtual or physical) to capture network traffic and distill a metadata stream for processing by the Brain appliance.

    • Please refer to the Vectra Respond UX Deployment Guide for more details.

  • Please refer to the table below to see applicability of the various categories.

  • The For Brain or User’s Browser column should be interpreted as follows:

    • Brain – Rules required for the Brain to the Vectra Cloud.

    • User’s Browser – Rules required for the user’s web browser to the Vectra cloud.

Rule Category | Required For | For Brain or User's Browser
RUX for Network GUI Synchronization | RUX for Network deployments | Brain
Auth Gateways | RUX for Network deployments; Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS | Brain
RUX Metadata Forwarding | RUX for Network deployments | Brain
RUX Research Metadata Forwarding | RUX for Network deployments (optional but recommended) | Brain
RUX Analyst/Admin Access | All RUX deployments | User's Browser
RUX Static Asset CDN | All RUX deployments | User's Browser
RUX Customer File Upload | All RUX deployments | User's Browser

RUX for Network GUI Synchronization

  • Required for:

    • All RUX for Network deployments.

  • This is used to synchronize configurations between the Brain appliance and your Vectra tenant.

  • This communications channel is initiated from the Brain to the endpoint in your Vectra tenant’s region.

  • The protocol and ports in use are the same for every entry: WebSocket and HTTPS over TCP/443.

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
main-cbi-tunnel-uw2.app.prod.vectra-svc.ai | Dynamic | US | Brain
main-cbi-tunnel-ew1.app.prod.vectra-svc.ai | Dynamic | EU | Brain
main-cbi-tunnel-ec2.app.prod.vectra-svc.ai | Dynamic | Switzerland | Brain
main-cbi-tunnel-cc1.app.prod.vectra-svc.ai | Dynamic | Canada | Brain
main-cbi-tunnel-as2.app.prod.vectra-svc.ai | Dynamic | Australia | Brain

Auth Gateways

  • Required for:

    • All Respond UX for Network Deployments.

    • Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS.

      • Your Brain must be able to securely access the Vectra cloud over TCP/443 HTTPS connections to enable detection events from these products to be reported to your UI.

  • In Respond UX for Network deployments, the Brain forwards network detections, entities, host sessions, and any selective PCAPs (Vectra Packet Capture) to your Vectra tenant via this connection.

  • This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.

Fully Qualified Domain Name (FQDN) | IP(s) | Protocol / Ports | Region | Initiated From
authgateway.uw2.public.app.prod.vectra-svc.ai | 54.245.33.175, 52.42.70.176, 100.21.109.72, 52.26.91.157 | HTTPS TCP/443 | US | Brain
authgateway.ew1.public.app.prod.vectra-svc.ai | 54.171.40.108, 54.246.213.148, 54.75.47.147 | HTTPS TCP/443 | EU | Brain
authgateway.ec2.public.app.prod.vectra-svc.ai | 16.62.18.237, 16.62.142.98, 51.96.54.201 | HTTPS TCP/443 | Switzerland | Brain
authgateway.cc1.public.app.prod.vectra-svc.ai | 3.96.112.208, 52.60.211.221, 15.222.69.161 | HTTPS TCP/443 | Canada | Brain
authgateway.as2.public.app.prod.vectra-svc.ai | 13.54.11.66, 13.55.79.24, 13.55.106.102 | HTTPS TCP/443 | Australia | Brain

RUX Metadata Forwarding

  • Required for:

    • All Respond UX for Network Deployments.

  • Network metadata is forwarded to AWS S3 buckets and processed to make it available for features such as Instant Investigation and Advanced Investigation in the Respond UX.

  • This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.

  • The protocol and ports in use are the same for every entry: HTTPS over TCP/443.

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
cbo-upload-network-metadata-forwarder-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com | Dynamic | US | Brain
cbo-upload-network-metadata-forwarder-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com | Dynamic | EU | Brain
cbo-upload-network-metadata-forwarder-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com | Dynamic | Switzerland | Brain
cbo-upload-network-metadata-forwarder-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com | Dynamic | Canada | Brain
cbo-upload-network-metadata-forwarder-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com | Dynamic | Australia | Brain

RUX Research Metadata Forwarding

  • Optional but highly recommended for:

    • All Respond UX for Network Deployments

  • Research metadata from precursor algorithms are used to improve model quality and reduce detection noise.

  • This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.

  • The protocol and ports in use are the same for every entry: HTTPS over TCP/443.

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
cbo-upload-network-precursors-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com | Dynamic | US | Brain
cbo-upload-network-precursors-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com | Dynamic | EU | Brain
cbo-upload-network-precursors-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com | Dynamic | Switzerland | Brain
cbo-upload-network-precursors-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com | Dynamic | Canada | Brain
cbo-upload-network-precursors-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com | Dynamic | Australia | Brain

RUX Analyst/Admin Access

  • Required for:

    • All Respond UX deployments.

  • Any analyst or admin that wishes to access the Respond UX will need to ensure that their browser can reach their Vectra tenant to login and access the UI.

  • This communications channel is initiated from the user’s host.

  • The protocol and ports in use are the same for every entry: HTTPS over TCP/443.

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
[tenant_id].uw2.portal.vectra.ai | Dynamic | US | User's Browser
[tenant_id].ew1.portal.vectra.ai | Dynamic | EU | User's Browser
[tenant_id].ec2.portal.vectra.ai | Dynamic | Switzerland | User's Browser
[tenant_id].cc1.portal.vectra.ai | Dynamic | Canada | User's Browser
[tenant_id].as2.portal.vectra.ai | Dynamic | Australia | User's Browser

RUX Static Asset CDN

  • Required for:

    • All Respond UX deployments.

  • The Respond UX web application loads its static assets (HTML, CSS, JS) from a CDN (Content Delivery Network); the browser must be able to reach the CDN hostnames below or the UI will not render.

  • This communications channel is initiated from the user’s host.

Fully Qualified Domain Name (FQDN) | Protocol / Ports | IP(s) | Region | Initiated From
dd6462tdmvp79.cloudfront.net, dpew7prsvwbf0.cloudfront.net | HTTPS TCP/443 | Dynamic | All | User's Browser

RUX Customer File Upload

  • Required for:

    • All Respond UX deployments.

  • This communications channel is used for:

    • Vectra Match deployments and will allow upload of rulesets.

    • PCAP download from the Vectra Cloud for Selective PCAP (Vectra Packet Capture)

    • Additional capabilities are planned for future releases.

      • It is recommended to put rules in place even if you don’t use Match or Selective PCAP.

  • This communications channel is initiated from the user’s host.

Fully Qualified Domain Name (FQDN) | Protocol / Ports | IP(s) | Region | Initiated From
prd-main-customerfiles-580786928539-uswt2.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | US | User's Browser
prd-main-customerfiles-580786928539-euwt1.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | EU | User's Browser
prd-main-customerfiles-580786928539-eucl2.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | Switzerland | User's Browser
prd-main-customerfiles-580786928539-cacl1.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | Canada | User's Browser
prd-main-customerfiles-580786928539-apse2.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | Australia | User's Browser

Appliance Connectivity

The Vectra Cloud Connectivity section above primarily covers the connectivity required to deliver the Respond UX, and detections from Vectra SaaS offerings, to RUX and QUX deployments. This section covers the connectivity that applies to any deployment using Vectra appliances (Brains, Sensors, and Stream), whether RUX or QUX.

Vectra Cloud Appliance Connectivity

All communications with the Vectra Cloud occur over a TLS encrypted channel. Appliance devices (physical, virtual, cloud) authenticate using keys. Unique public/private keys are generated when a device is provisioned by Vectra. The corresponding public key is copied to the Vectra Cloud. Every device connecting to the Vectra Cloud authenticates using its own private key.

The Vectra Cloud houses several services:

  • update2.vectranetworks.com

    • Used for delivering updates to the Vectra software.

    • Offline updates are also supported.

  • api.vectranetworks.com

    • Used for lightweight health monitoring of the Vectra platform and for delivering additional context certain Detections may need.

    • Queries to external information sources to provide context are proxied through this connection.

    • If required, customers can block the platform from reporting health monitoring by blocking outbound connections to api.vectranetworks.com on their firewall. Note that this same endpoint also serves the context enrichment, reverse lookups and Vectra Threat Intelligence listed in the connectivity table below, so those features stop working as well.

  • rp.vectranetworks.com

    • Used only for Brains deployed in IaaS clouds. Used for authentication and verification (integrity check of the file system).

  • metadata.vectra.ai

    • Metadata sharing improves threat detection by contributing anonymized metadata sourced from the Brain deployed in your organization. This is optional in QUX deployments.

  • rs.vectranetworks.com

    • This enables remote support from authorized Vectra employees.

  • SaaS product offerings such as Recall

Proxy Support

Vectra Cloud connectivity to update2.vectranetworks.com and api.vectranetworks.com supports connecting through a customer proxy. If a proxy connection is required for your Brain appliance to reach these endpoints, edit the proxy settings in Configuration → Data Sources → Network → Brain Setup → Proxy & Status.

  • Note that Remote Support does not support proxy configuration by default. If a proxy is the only option, please contact Vectra support to have remote support manually configured to use a proxy.

Lightweight Health Monitoring

The lightweight health monitoring includes the following statistics. Only aggregate statistics are collected; no details are collected.

  • System Health Metrics

    • Installed packages, running processes, system interface information, system usage, database usage, system error stats

  • Environment Metrics

    • Host counts, traffic counts, Brain configuration, remote support status, notification status, metadata status

  • Detection Metrics

    • Detection counts, PCAP stats, Triage stats

Metadata Sharing

Why is Metadata Sharing Important

  • Full details are available at this link. There are optional additional levels of sharing also described.

Metadata Sharing Improves Threat Detection

  • By contributing anonymized metadata sourced from the X-series platform deployed in your organization, you are contributing directly to the efficacy and accuracy of the Vectra software and the security of your network.

  • Access to Detection metadata improves Vectra’s threat detection algorithms, enabling the Vectra software you use to be more effective in a constantly evolving threat landscape.

  • Data is collected daily and includes:

    • Anonymized information about Detections that are triggered in your network.

    • Anonymized information about algorithms in the research and development phase (and not yet visible in the UI) that are triggered in your network.

    • Anonymized attribution of Detections to Hosts.

    • Anonymized information related to host identification efficacy.

  • Vectra Secures and Limits Access to Metadata

    • Any metadata you contribute is anonymized by removing personal and network-specific information before it is sent to metadata.vectra.ai (the endpoint listed in the connectivity table below) via an encrypted connection.

    • Vectra treats this metadata as highly confidential and only allows authorized research personnel to access the metadata.

    • Any metadata collected is securely deleted after a six-month period.

  • Contact Vectra support if non-anonymized Full Metadata Sharing is desired

    • Algorithm development using non-anonymized metadata helps to ensure that new models function as efficiently as possible in your environment.

Required Connectivity For Appliances

Source | Destination | Protocol/Port | Description
Administrator workstations | Brain, Sensors | TCP/22 (SSH) | Command-line management of the Brain and Sensor appliances.
Administrator workstations | Brain | TCP/443 (HTTPS) | Web management of Brain appliances.
Brain | update2.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Automatic updates. Pairing keys for physical sensors. See the note above regarding SSL inspection.
Brain | api.vectranetworks.com (54.200.5.9) | TCP/443 (HTTPS) | Health monitoring, algorithm support, reverse lookups for external IPs, Vectra Threat Intelligence, additional detection content. See the note above regarding SSL inspection.
Brain (Cloud) | rp.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Used only for Brains deployed in IaaS clouds: authentication and verification (integrity check of the file system).
Brain | DNS servers (as configured) | TCP/53, UDP/53 | Both TCP and UDP are required for normal operation. See the note above regarding DNS resolution.
Brain | NTP servers (as configured; default is ntp.ubuntu.com) | UDP/123 | Time synchronization.
Brain | SMTP servers (as configured) | TCP (as configured) | Email alerting.
Brain | SMTP (OAuth) | TCP/443, TCP/587 | See the SMTP (OAuth) for Microsoft chart below.
Brain | Sensors, Stream | TCP/22 (SSH) | Remote management and troubleshooting.
Sensors, Stream | Brain | TCP/22 (SSH), TCP/443 (HTTPS) | Pairing, metadata transfer, and ongoing communication.
Stream | Data lake (as configured) | TCP (as configured) | Metadata stream to a data lake.

Additional (Feature Dependent) Connectivity

Source | Destination | Protocol/Port | Description
Brain | content.user-telemetry.vectra.ai, data.user-telemetry.vectra.ai | TCP/443 (HTTPS) | Required for In-App support functionality. See the In-App Support KB for more details.
Administrator workstations | Recall Kibana server | TCP/443 (HTTPS) | Recall IP addresses are provided during implementation and may be requested at any time from Vectra Support.
Brain | rs.vectranetworks.com (74.201.86.229) | TCP/443 or UDP/9970 | Remote Support access for remote troubleshooting. See the note above regarding SSL inspection and the note about potential IP range conflicts with the MGT interface.
Brain | metadata.vectra.ai (100.20.236.31, 44.229.57.246, 44.228.37.60, 44.228.101.87) | TCP/443 (HTTPS) | Anonymized metadata sharing to contribute to future algorithm development.
Brain | Recall collector | TCP/443 (HTTPS) | Recall IP addresses are provided during implementation and may be requested at any time from Vectra Support.
Brain | Syslog (as configured) | TCP or UDP (as configured) | CEF or standard Syslog format.
Brain | Kafka (as configured) | TCP (as configured) | CEF or standard Syslog format.
Brain | Carbon Black Response (as configured) | TCP/443 (as configured) | Carbon Black integration (requires API key).
Brain | api.crowdstrike.com | TCP/443 (HTTPS) | CrowdStrike integration (Client ID and Client Secret).
Brain | vCenter (as configured) | TCP (as configured) | vCenter integration enables vSensor physical host view, augmented host identification, and vCenter alerts.
Brain | LDAP (as configured) | TCP/389, STARTTLS/389 | LDAP authentication.
Brain | RADIUS (as configured) | UDP/1812 | RADIUS (PAP) authentication.
Brain | TACACS (as configured) | TCP/49 | TACACS (PAP or CHAP) authentication.
Brain | Backup server (as configured) | TCP/22 (SSH) | Backup to an external server over SSH.
Brain | Brain | TCP/22 (SSH), TCP/443 (HTTPS) | Automated backup (brain-to-brain). Connectivity is bidirectional.
Sensors, Stream | update2.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Required for automatic pairing. Optional for manual (offline) pairing.
SIEM/CLM log management | Brain | TCP or UDP (as configured) | Log forwarding of DHCP/AD security events to augment host identification.
Brain | login.windows.net, api.securitycenter.windows.com | TCP/443 (HTTPS) | Microsoft Defender for Endpoint integration (Azure AD token endpoint and Defender API).
Brain | EMEA customers only: authgateway.ew1.public.app.prod.vectra-svc.ai (54.171.40.108, 54.246.213.148, 54.75.47.147). AMS/APJ customers only: authgateway.uw2.public.app.prod.vectra-svc.ai (54.245.33.175, 52.42.70.176, 100.21.109.72, 52.26.91.157) | TCP/443 (HTTPS) | Required for the Vectra MDR Service in QUX deployments. These endpoints are also required for RUX deployments that have network data sources (Sensors) and are covered in the Auth Gateways section above. In short, if your deployment has a Brain, it MUST be able to reach Vectra over these endpoints for the Vectra MDR service.
Sensor | S3 and SQS AWS regional endpoints (only required for a ZIA-enabled Sensor) | TCP/443 | Required for the ZIA SASE/SSE integration. See the KB for details.

SMTP (OAuth) For Microsoft

Quadrant UX Only: Configuration → RESPONSE → Notifications → SMTP

Respond UX deployments do not require this as email notifications are sent from Vectra's cloud.

Cloud Type | Destination | Protocol/Port
Public (office365.com) | login.microsoftonline.com, smtp.office365.com | TCP/443, TCP/587
US Government (office365.us) | login.microsoftonline.us, smtp.office365.us | TCP/443, TCP/587
German (office365.de) | login.microsoftonline.de, smtp.office365.de | TCP/443, TCP/587
China (office365.cn) | login.microsoftonline.cn, smtp.office365.cn | TCP/443, TCP/587
