This operation guide is intended to provide assistance and instruction for the operation of hosted IMPEX systems. The document gives general and specific information regarding the operation of stations and the ICC. This document does not describe the system or application structure which is described in a separate document. This documentation will not explain troubleshooting of a station which is in a separate document.
Word | Definition |
---|---|
ICC | The server which control the Stations |
IMPEX USB | The kiosk computer used to scan mass storage devices |
REPO | The server that has the updates and definitions |
IMPEX Data Lock | Server used for network flows that will scan files before transferring them onwards |
Network flows | This is the description of data being scanned and transferred through the Data Lock to a remote destination. A Data Lock can have multiple remote destinations configured |
Customers with a valid support contract can send support emails to
support@sysctl.se
IMPEX USB is a system for scanning data on USB-devices in a kiosk solution, the stations are managed from a central ICC server. IMPEX USB scan files from USB-devices and can deny the content by using different rules and technologies. IMPEX USB initiate all communications to the ICC server on port TCP/443 and use TLS1.2 for encryption during transit. IMPEX USB will get the current time and the configuration from the ICC. IMPEX USB will push logs and operation results from scans and other actions to the ICC server. IMPEX USB will get AV-signatures updates, operating system patches and application upgrades from the Repo server, the Repo server can be installed on the ICC server or on a separate server called Repo server.
The IMPEX Data Lock is just like an Impex USB station but it uses SFTP over the network instead of USB devices and scans and sends files in different flows.
The ICC server exposes a REST API that requires authentication. The stations will use the REST API but it is also possible to use the interface for other types of integrations. The Repo will sync AV-signatures and updates from updates.sysctl.se on port TCP/443 over TLS and expose them to the stations.
All systems(IMPEX USB, IMPEX Data Lock, ICC and Repo) use CentOS 7 as the base OS. IMPEX USB and IMPEX Data Lock are not supposed to be logged in to and remote access is not possible, all configuration is created as configuration cards on the ICC server. The ICC and Repo server use local accounts by default, but can be connected to Active Directory, Red Hat Identity Manager, FreeIPA or other LDAP service when using central accounts. Administrators can log in to the Repo and ICC server with SSH or from the console. The application on the ICC has local accounts and the only configuration that can be done is related to the IMPEX USB and IMPEX Data Lock. System owners can use the web interface to manage the IMPEX USB and IMPEX Data Lock. It is also possible to analyze the results from the nodes.
The impex solution is built to be in architectures based on IEC62443 and simular zone concept solution as well as other network designs. These are two examples of how IMPEX solution can fit in a network. The ICC and the Repo can be on the same machine and does not need to be separated servers. The solution supports a proxy but a proxy is not required.
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+---^---------------+ +---^----------+
Internet | |
| +----------------+
| |
+------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+-------------> Proxy |
| | if used |
| +----------+
|
|
+----+--------------------+
| |
| ICC and optional Repo <---+
| | |
+-------^-----------------+ +----^----+
| | Proxy |
| | if used |
| +-+-------+
| |
+------------------------+---------------------+-------------+
| |
Peripheral Network | |
| |
+----+----------+ +-------+-------+
| IMPEX STATION | | IMPEX STATION |
+---------------+ +---------------+
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+---^---------------+ +---^----------+
Internet | |
| +----------------+
| |
+------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+------------------> Proxy |
| | if used |
| +----------+
+----+-------------+
| |
| Repo, if used |
| |
+----+-------------+
|
+------------------------------------------------------------+
|
Internal network |
|
+----+--------------------+
| |
| ICC and optional Repo <---+
| | |
+-------^-----------------+ +----^----+
| | Proxy |
| | if used |
| +-+-------+
| |
+------------------------+---------------------+-------------+
| |
Peripheral Network | |
| |
+----+----------+ +-------+-------+
| IMPEX STATION | | IMPEX STATION |
+---------------+ +---------------+
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+---^---------------+ +---^----------+
Internet | |
| +----------------+
| |
+---------------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+-------------> Proxy |
| | if used |
| +----------+
|
|
+----+--------------------+
| |
| ICC and optional Repo <---+
| | |
+-------^-----------------+ +----^----+
| | Proxy |
| | if used |
| +-+-------+
| |
+------------------------+---------------------+-----------------------+
| |
Office Network | |
| |
| |
+--------+ +----+----------+ +-------+-------+ +--------+
| Sender |-------> Data Lock | | Data Lock <-----| Sender |
+--------+ +---------------+ +---------------+ +--------+
| |
| |
+------------------------+---------------------+------------------------+
| |
Protected Network | |
+----v----------+ +-------v-------+
| Receiver | | Receiver |
+---------------+ +---------------+
The table explains the normal interactions used by the system, but it may differ depending on the actual installation if other integrations are used, like Active Directory.
Data | Delivers to | Receives from | Tool | Protocol/ Port | Short Description |
---|---|---|---|---|---|
smtp.tld | ICC | Mail Relay | SMTP TCP/25 | Information from ICC to end users | |
Time | ICC | ntp.tld | NTP | NTP UDP/123 | Time source to ICC |
Time | Repo | ntp.tld | NTP | NTP UDP/123 | Time source to Repo |
DNS | ICC | resolver.dns | DNS resolver | DNS UDP/53 | DNS lookup for ICC |
DNS | Repo | resolver.dns | DNS resolver | DNS UDP/53 | DNS lookup for Repo |
Logs | syslog.tld | ICC | Syslog | Syslog UDP/514 | Sending syslog to log collector |
Logs | syslog.tld | Repo | Syslog | Syslog UDP/514 | Sending syslog to log collector |
Updates | IMPEX USB | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
Updates | IMPEX Data Lock | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
Updates | ICC | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
Updates | Repo | updates. sysctl.se | Patches/ Signatures | HTTPS TCP/443 | Sync updates from sysctl |
Cert | ICC | letsencrypt. org | Certificate renew | ACME TCP/443 | Get certificate from letsencrypt |
Cert | letsencrypt. org | ICC | Certificate renew | ACME TCP/80 | Get certificate challenge from ICC |
Software needed to manage the systems.
A modern version with one of the following browsers.
SSH client software to access the ICC or Repo.
Description of different tasks that may be needed for administrative tasks.
The systems are self maintained and no operations are needed. The systems will check for new updates on a daily basis and regularly check for signature updates several times every day. The systems will reboot every night.
If the letsencrypt module is not installed and used the certificate needs to be renewed on the servers before the certificate expires. With an expired certificate the IMPEX USB and IMPEX Data Lock will not get new updates. No other tasks are needed for the day to day work.
sudo -i
cd /opt/sysctl/impex-server/django-app
sudo -u impex-server ./manage.sh changepassword <username>
Login to the system can be done on the server console or remote using SSH.
The servers have one root account with a password set during the initial installation. The password is created during the installation by the system owner. The password is not known by Sysctl. No other accounts besides the root account can be used to log in to the system after installation. SSH with root account is not allowed and login is only possible from the console. Personal accounts are recommended to use for remote login with SSH, and tasks can be performed from a user account with privilege escalations. Personal accounts can exist in a LDAP server like Active Directory.
Use the following command to get root permissions from a personal account.
sudo -i
systemctl stop impex-server
systemctl start impex-server
systemctl poweroff
systemctl reboot
The servers will check for updates and update the system automatically every day at 01:00 with a random delay of 1 hour. The servers will reboot if needed.
Certificates are only needed on the ICC server and Repo server if a separate server is used.
Renewing certificates depends on the current installation.
Certificate renewal is automatic if the letsencrypt module is installed. If it is not installed the certificate must be renewed by the administrator before it expires.
When the ICC uses a certificate from an internal CA or uses a certificate from an external vendor must the certificate be renewed manually. A new CSR must be created and signed by the CA. The following paths are used for certificates.
Snapshots of the servers can be done to create backups. With every update of the ICC software the update will create a local backup of the database.
The repo server can always resync all the data from Sysctl. There is no need to backup any repository data or signature data.
The ICC stores all application data in a SQLite database.
/opt/sysctl/impex-server/django-app/db/db.sqlite3
To backup the database, the following command can be used.
sqlite3 /opt/sysctl/impex-server/django-app/db/db.sqlite3 .dump > new_backup_file
If YARA rules are used one might want to backup any custom rules uploaded. They are stored as plain files under
/opt/sysctl/impex-server/django-app/upload/yara/custom
Since these were files uploaded by an ICC admin they might already be backed up depending on where they came from.
The ICC can enable IMPEX USB and IMPEX Data Lock online monitoring and send email if any is offline.
The following should be monitored by an external system on the ICC and Repo.
The ICC will generate a syslog message when IMPEX USB or IMPEX Data Lock has uploaded a scan report that contains malware. The following format is used for the message
Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] \
Station detected malware (https://icc.domain.tld/v/operations?byId=2)
The message includes a link to the actual scan report on the ICC. It will not include any sensitive information about the data.