RiskSense On-Site Application (ROSA) OVA: Overview

A high-level overview of RiskSense On-Site Application (ROSA) OVA v1 and v2.

Ivanti Neurons plans on deprecating ROSA v1 in favor of ROSA v2 in the coming months.

ROSA v1

RiskSense On-Site Appliance (ROSA) v1 is a virtual machine that allows the Ivanti Neurons platform to securely connect to an on-premises scanner or ticketing system and ingest vulnerability data or create tickets in a ticketing system.

The OVA can also be used for Ivanti Neurons to conduct managed scanning. This is only done for customers who subscribe to Ivanti Neurons Managed Scanning. In this case, it provides a secure connection back to the RiskSense Labs and the scanner we are using to perform the scan.

How it Works

ROSA v1 is designed to allow a secure connection from the customer's internal network directly to the Ivanti Neurons platform. This is accomplished by creating a secure SSH tunnel over port 443 to transmit the required scan data to the platform for ingestion. 

When it is used as a Managed Scanning OVA, outbound SSH traffic over port 10555 is also required for the scan connection.

Warning: Perimeter firewalls often block SSH traffic on port 443. Ensure that the ROSA v1 IP and the Ivanti Neurons platform IP are whitelisted on these devices so that they can communicate via SSH over port 443.

ROSA v1 not only works for the ingestion of scan data but will also allow a user to configure a connector to access and submit tickets.

ROSA - Data Flow Diagram

Step 1. ROSA v1 establishes a secure SSH tunnel with the Ivanti Neurons platform.

Step 2. The Ivanti Neurons platform establishes a connection using documented APIs of a third-party source through the SSH tunnel (these connections must be pre-configured by Ivanti Neurons staff upon support request).

Step 3. Once a successful connection is made to the third-party software through the secure tunnel, data can be pushed or pulled depending on the third-party software, its capabilities, data sources, and configured integration with the Ivanti Neurons platform.

ROSA v1 Requirements

The Ivanti Neurons platform offers users that have an on-premises solution the ability to ingest that data into the platform. It can also be used to securely facilitate managed scanning. We provide the ROSA v1 in the form of an Open Virtual Appliance (OVA). This creates a secure connection from your internal network to the Ivanti Neurons platform.

The Ivanti Neurons-provided OVA will be sent digitally to you. Below are the hardware specifications and requirements needed for the OVA:

OVA Virtual Machine (VM) Requirements:

  • Online always.
  • Network access to all data sources.
  • Outgoing SSH traffic on port 443 (10555 for Managed Scanning).
  • Dedicated VM resources are recommended.
  • VM Requirements:
    • 4 vCPU
    • 4GB RAM
    • 20GB Disk
  • Network Information Required from Customer
    • Customer’s public IP address for whitelisting.

ROSA v1 Installation

The OVA contains three packaged files:

  • ovf: The virtual appliance file that contains all the VM configurations and hardware requirements.
  • vmdk: The disk image for the .ovf that contains the operating system and software for the device.
  • mf: A manifest file (checksums) used to confirm that the previous two files are intact and unchanged.

All three files must be used in the deployment of the OVA. In VMware vCenter or ESXi, all three files can be deployed as an OVA template.

Device Setup

Boot up the device. At the configuration screen, provide the necessary information to configure the network settings. 

Device Name: Name of the device

Network Mode: Select between DHCP and Static.

DHCP: If the network location you are deploying the ROSA v1 has dynamically assigned IP addresses, select this option.

ROSA - Initial Setup - DHCP

Static: If you are statically assigning the IP address to the ROSA v1 device, select this option and complete the following network configuration options that are displayed.

ROSA - Initial Setup - Static

IP/netmask: Provide the static IP address that is to be assigned to the device. For the subnet mask, provide it in CIDR notation.

Gateway: Provide the default gateway address for the subnet that the device is in.

DNS: Provide the IP address for the local DNS server for domain name resolution.

Checking the Use VLAN box adds one additional field:

ROSA - Initial Setup - Use VLAN

VLAN ID: VLAN identification tag for internal network access. For establishing connectors with the platform, this is likely not necessary if you have established routes to the scanners or applications you are making connectors for.

Checking the Use Proxy box adds the following additional fields:

ROSA - Initial Setup - Proxy

Proxy Type: Supported protocols for the proxy include HTTP, SOCKS4, and SOCKS5.

ROSA - Initial Setup - Proxy Type

Proxy IP: IP address for the proxy server.

Proxy Port: Port the proxy server listens on.

Proxy Username (Optional): Username for proxy (if needed).

Proxy Password (Optional): Password for proxy (if needed).

ROSA - Initial Setup - Use Proxy

Edit the network settings as needed and click Apply. If the whitelisting you provided is accurate, the device connects within one minute, as illustrated below:

ROSA - Initial Setup - Connected

Frequently Asked Questions

What communication protocols are used for ROSA v1?

ROSA v1 communicates via TCP using the SSH Protocol through port 443.

For Managed Scanning, it communicates using the SSH Protocol through port 10555.

What if our virtual environment does not support the OVA format?

Please contact Ivanti Neurons Customer Support for other ROSA v1 deployment options.

What are the minimum access controls I can give to ROSA v1?

ROSA v1 needs to be able to communicate back to Ivanti Neurons outbound on port 443. Managed Scanning needs to communicate over port 10555.

ROSA v1, as a secure tunnel to your scanner, will also need to be able to reach the services you wish to connect to, e.g., Tenable.SC, Jira, Nessus, Nexpose.

For updates, the following addresses must be reachable:

  • http://us.archive.ubuntu.com/ubuntu
  • http://archive.canonical.com/ubuntu
  • http://security.ubuntu.com/ubuntu
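The firewall requirements above (SSH over 443, or 10555 for Managed Scanning, plus the update mirrors) can be checked from the ROSA v1 VM before opening a support ticket. The script below is an added example, not Ivanti's own tooling; the platform host name is a placeholder you replace with the address you were given.

```shell
#!/usr/bin/env bash
# ROSA v1 connectivity pre-flight (added example; not Ivanti's tooling).
# Usage: ./rosa_v1_preflight.sh <platform-host> [ingest|managed]
# <platform-host> is a placeholder for the Ivanti Neurons platform address you were given.
set -u

# Port the tunnel must reach: 443 for scan-data ingestion, 10555 for Managed Scanning.
required_port() {
    if [ "$1" = managed ]; then echo 10555; else echo 443; fi
}

# Classify the first line a listener sends: an SSH server announces itself with
# "SSH-2.0-..." before the client says anything, so a silent or non-SSH answer means
# the firewall blocked the port or a device speaking another protocol sits in front.
classify_banner() {
    case "$1" in
        SSH-*) echo ssh ;;
        "")    echo none ;;
        *)     echo other ;;
    esac
}

# Connect with bash's /dev/tcp and read the banner for up to 4 s; empty on failure.
peek_banner() {  # host port
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"; IFS= read -r -t 4 line <&3; printf "%s" "$line"' "$1" "$2" 2>/dev/null
}

main() {
    local host="$1" port banner
    port="$(required_port "${2:-ingest}")"
    banner="$(peek_banner "$host" "$port")"
    case "$(classify_banner "$banner")" in
        ssh)   echo "OK: $host:$port answered with an SSH banner: $banner" ;;
        none)  echo "FAIL: no banner from $host:$port (blocked by the perimeter firewall or not whitelisted?)" ;;
        other) echo "FAIL: $host:$port answered, but not with SSH: $banner" ;;
    esac
    # The update mirrors from the FAQ must also be reachable over plain HTTP.
    for url in http://us.archive.ubuntu.com/ubuntu http://archive.canonical.com/ubuntu http://security.ubuntu.com/ubuntu; do
        if curl -sS -m 10 -o /dev/null -I "$url" 2>/dev/null; then
            echo "OK: $url reachable"
        else
            echo "FAIL: $url unreachable (apt updates will fail)"
        fi
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A "none" result on port 443 is the symptom the warning above describes; an "other" result usually means a proxy or inspection device on the path is answering instead of the platform.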

ROSA v2

The ROSA v2 Customer Set Up Script is available here on GitHub.

The RiskSense On-Site Application (ROSA) v2 performs the same functions as the ROSA v1; it allows the Ivanti Neurons platform to securely connect to an on-premises scanner or ticketing system and ingest vulnerability data or create tickets in a ticketing system. This version of ROSA leverages Cloudflare's Tunnel technology to create a secure connection between your internal services and the Ivanti Neurons platform. A high-level overview of Tunnel can be found here on Cloudflare's Blog.

How it Works

ROSA v2 leverages Cloudflare's Tunnel to create a private link from your internal service to Cloudflare without a publicly routable IP address. This link can then be used to create a connector in the Ivanti Neurons platform that allows you to ingest your on-premises scanner vulnerability data or create tickets in your ticketing system. The private connection is established by running Cloudflare's lightweight daemon, cloudflared, on your origin; it creates an outbound-only connection, so only traffic that routes through Cloudflare can reach your origin. A single tunnel can connect multiple internal services, each with its own private link that is used during connector setup in the Ivanti Neurons platform.

ROSA v2 - ROSA v2 Network Diagram

Step 1: A private connection is established with Cloudflare using their lightweight daemon, cloudflared, to create a secure, outbound-only connection. This creates a private link from your origin server to Cloudflare.

Step 2: The Ivanti Neurons platform establishes a connection using documented APIs of a third-party source through the private link created in Cloudflare.

Step 3: Once a successful connection is made to the third-party software through the secure tunnel, data can be pushed or pulled depending on the third-party software, its capabilities, data sources, and configured integration with the Ivanti Neurons platform.

ROSA v2 Requirements

The Ivanti Neurons platform offers users with an on-premises solution the ability to ingest that data into the platform. We provide the ROSA v2 in the form of a single file with instructions to be used in an Ubuntu 20.04 OVA. This file is used to download and create a secure connection from your internal network to the Ivanti Neurons platform within your VM.

The Ivanti Neurons-provided ROSA v2 file will be sent digitally to you. Below are the hardware specifications and requirements needed for the OVA and Tunnel creation within the Ivanti Neurons Cloudflare application:

OVA Virtual Machine (VM) Requirements:

  • Online always.
  • Network access to all data sources.
  • Outgoing traffic on ports 443 and 7844 (Cloudflare's Documentation).
  • Dedicated VM resources are recommended.
  • VM Requirements:
    • Ubuntu 20.04 OS
    • 4 vCPU
    • 4GB RAM
    • 20GB Disk
  • Network Information Required from Customer
    • For each service you would like to connect to the Ivanti Neurons platform, we will need the following information:
      • Name of Service (Tenable, Nessus, etc.).
      • Your internal URL used to access this service.
      • The IP address of this service.
      • The service’s FQDN (this must match the CN on the certificate, whether or not the certificate is self-signed).
      • The service’s port.
      • Whether this service uses TLS.
      • The service’s certificate authority (CA) or self-signed certificate (base-64 encoded).
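Before sending the per-service details listed above, it is worth confirming from the ROSA v2 VM that they agree with each other: that the FQDN resolves to the stated IP, that the port answers, and that the certificate carries that FQDN as its CN and verifies against the CA you are about to send. The script below is an added example, not Ivanti's or Cloudflare's tooling; the tab-separated input format, the sample service line and the file paths are assumptions made for the example.

```shell
#!/usr/bin/env bash
# ROSA v2 per-service pre-flight (added example; not Ivanti's or Cloudflare's tooling).
# Run it on the ROSA v2 VM against a tab-separated file with one line per service:
#   name<TAB>url<TAB>ip<TAB>fqdn<TAB>port<TAB>tls(yes|no)<TAB>ca_pem_path
# Constructed sample line (placeholder values, not a real service):
#   nessus<TAB>https://scanner.example.internal:8834<TAB>10.0.0.5<TAB>scanner.example.internal<TAB>8834<TAB>yes<TAB>/tmp/scanner-ca.pem
set -u

# Pull the CN out of an "openssl x509 -noout -subject" line (either "CN = x" or "/CN=x").
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# The page requires the FQDN to match the certificate CN: exact, or a one-label wildcard.
cn_matches() {  # cn fqdn
    [ "$1" = "$2" ] && return 0
    case "$1" in
        \*.*) [ "${2#*.}" = "${1#\*.}" ] && [ "${2%%.*}" != "$2" ] && return 0 ;;
    esac
    return 1
}

# Live check of one service: DNS agrees with the stated IP, the port answers, and for TLS
# services the certificate names the FQDN and verifies against the supplied CA file.
check_service() {  # name url ip fqdn port tls ca_pem
    local name="$1" url="$2" ip="$3" fqdn="$4" port="$5" tls="$6" ca="$7" resolved cn
    case "$url" in *"$fqdn"*) ;; *) echo "WARN $name: URL $url does not use FQDN $fqdn" ;; esac
    resolved="$(getent ahostsv4 "$fqdn" | awk 'NR==1{print $1}')"
    [ "$resolved" = "$ip" ] || echo "WARN $name: $fqdn resolves to ${resolved:-nothing}, expected $ip"
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$ip" "$port" 2>/dev/null \
        || { echo "FAIL $name: $ip:$port not reachable from this VM"; return 1; }
    [ "$tls" = yes ] || { echo "OK $name: $ip:$port reachable (no TLS)"; return 0; }
    cn="$(openssl s_client -connect "$ip:$port" -servername "$fqdn" </dev/null 2>/dev/null \
          | openssl x509 -noout -subject 2>/dev/null)"
    cn="$(subject_cn "$cn")"
    cn_matches "$cn" "$fqdn" || echo "WARN $name: certificate CN '$cn' does not name $fqdn"
    if openssl s_client -connect "$ip:$port" -servername "$fqdn" -CAfile "$ca" \
           -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "OK $name: TLS chain verifies against $ca"
    else
        echo "FAIL $name: TLS chain does not verify against $ca (wrong or incomplete CA?)"
    fi
}

if [ "$#" -gt 0 ]; then
    while IFS="$(printf '\t')" read -r name url ip fqdn port tls ca; do
        [ -n "$name" ] && check_service "$name" "$url" "$ip" "$fqdn" "$port" "$tls" "$ca"
    done < "$1"
fi
```

A WARN on the CN or a FAIL on chain verification means the connector will not be able to validate the service's certificate, so fix the certificate or CA file before sending the details.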

ROSA v2 Installation

The JSON file you will receive will contain the three pieces of information you need to set up your Cloudflare ROSA tunnel:

  1. Tunnel Token: This token is used to authenticate your specific tunnel to call home and connect back to Cloudflare's edge.
  2. Service CNAMEs: The URLs listed in this section will be used to set up your services connector in the Ivanti Neurons platform.
  3. Instructions: The instructions listed in this section are by default set up for a Debian 64-bit OS to be run from the CLI.

OS Instructions

Windows (64-Bit)

  1. Download https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi.
  2. Run the installer.
  3. Open Command Prompt as Administrator.
  4. Navigate to the installed directory (usually C:\Program Files (x86)\cloudflared), replace <Tunnel Token> in the following command with your Tunnel Token, and run it:
     cloudflared.exe service install <Tunnel Token>

Mac

To connect your tunnel to Cloudflare, replace <Tunnel Token> with your Tunnel Token and then copy-paste the following commands into a terminal window:

brew install cloudflare/cloudflare/cloudflared &&
sudo cloudflared service install <Tunnel Token>

Debian (64-bit)

To connect your tunnel to Cloudflare, replace <Tunnel Token> with your Tunnel Token and then copy-paste the following commands into a terminal window:

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&
sudo dpkg -i cloudflared.deb &&
sudo cloudflared service install <Tunnel Token>

Redhat (64-bit)

To connect your tunnel to Cloudflare, replace <Tunnel Token> with your Tunnel Token and then copy-paste the following commands into a terminal window:

curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm &&
sudo yum localinstall -y cloudflared.rpm &&
sudo cloudflared service install <Tunnel Token>

Useful Commands (Debian OS)

  • cloudflared status: To see whether the cloudflared connector is currently running or stopped, get the service’s status with:
      sudo systemctl status cloudflared
  • Stopping cloudflared: If you ever need to stop the Cloudflare connector, cloudflared, stop the service with:
      sudo systemctl stop cloudflared
  • Restarting cloudflared: Restart the cloudflared service with:
      sudo systemctl restart cloudflared

Frequently Asked Questions

Can I add or remove services later?

Contact your Ivanti Neurons Customer Support for more information on how to do this.

What are the minimum access controls I can give to ROSA v2?

ROSA v2 needs to be able to communicate outbound to Cloudflare on ports 443 and 7844. More information on the ports Cloudflare uses for its Tunnels can be found here.

ROSA v2, as a secure tunnel to your scanner, will also need to be able to reach the services you wish to connect to, e.g., Tenable.SC, Jira, Nessus, Nexpose.