RiskSense On-Site Application (ROSA) OVA: Overview

A high-level overview of RiskSense On-Site Application (ROSA) OVA v1 and v2.

Ivanti Neurons plans on deprecating ROSA v1 in favor of ROSA v2 in the coming months.

ROSA v1

RiskSense On-Site Appliance (ROSA) v1 is a virtual machine that allows the Ivanti Neurons platform to securely connect to an on-premises scanner or ticketing system and ingest vulnerability data or create tickets in a ticketing system.

The OVA can also be used for Ivanti Neurons to conduct managed scanning. This is only done for customers who subscribe to Ivanti Neurons Managed Scanning. In this case, it provides a secure connection back to the RiskSense Labs and the scanner we are using to perform the scan.

How it Works

ROSA v1 is designed to allow a secure connection from the customer's internal network directly to the Ivanti Neurons platform. This is accomplished by creating a secure SSH tunnel over port 443 to transmit the required scan data to the platform for ingestion. 

When deployed as a Managed Scanning OVA, outbound SSH traffic over port 10555 is also required for the scan connection.

Warning: Sending SSH traffic over port 443 can often be blocked by your perimeter firewall. Please ensure that the ROSA v1 IP and the Ivanti Neurons platform IP are whitelisted to communicate via SSH over port 443 through these devices.

ROSA v1 not only works for the ingestion of scan data but will also allow a user to configure a connector to access and submit tickets.

ROSA - Data Flow Diagram

Step 1. ROSA v1 establishes a secure SSH tunnel with the Ivanti Neurons platform.

Step 2. The Ivanti Neurons platform establishes a connection using documented APIs of a third-party source through the SSH tunnel (these connections must be pre-configured by Ivanti Neurons staff upon support request).

Step 3. Once a successful connection is made to the third-party software through the secure tunnel, data can be pushed or pulled depending on the third-party software, its capabilities, data sources, and configured integration with the Ivanti Neurons platform.

ROSA v1 Requirements

The Ivanti Neurons platform offers users that have an on-premises solution the ability to ingest that data into the platform. It can also be used to securely facilitate managed scanning. We provide the ROSA v1 in the form of an Open Virtual Appliance (OVA). This creates a secure connection from your internal network to the Ivanti Neurons platform.

The Ivanti Neurons-provided OVA will be sent digitally to you. Below are the hardware specifications and requirements needed for the OVA:

OVA Virtual Machine (VM) Requirements:

  • Online always.
  • Network access to all data sources.
  • Outgoing SSH traffic on port 443 (10555 for Managed Scanning).
  • Dedicated VM resources are recommended.
  • VM Requirements:
    • 4 vCPU
    • 4GB RAM
    • 20GB Disk
  • Network Information Required from Customer
    • Customer’s public IP address for whitelisting.

ROSA v1 Installation

The OVA contains three packaged files:

  • ovf: The virtual appliance file that contains all the VM configurations and hardware requirements.
  • vmdk: The disk image for the .ovf that contains the operating system and software for the device.
  • mf: A manifest file used to confirm that the previous two files are accurate and unchanged.

All three files must be used in the deployment of the OVA. In VMware vCenter or ESXi, all three files can be deployed as an OVA template.

Device Setup

Boot up the device. At the configuration screen, provide the necessary information to configure the network settings. 

Device Name: Name of the device

Network Mode: Select between DHCP and Static.

DHCP: If the network location you are deploying the ROSA v1 has dynamically assigned IP addresses, select this option.

ROSA - Initial Setup - DHCP

Static: If you are statically assigning the IP address to the ROSA v1 device, select this option and complete the following network configuration options that are displayed.

ROSA - Initial Setup - Static

IP/netmask: Provide the static IP address that is to be assigned to the device. For the subnet mask, provide it in CIDR notation.

Gateway: Provide the default gateway address for the subnet that the device is in.

DNS: Provide the IP address for the local DNS server for domain name resolution.

Checking the Use VLAN box adds an additional field for completion. Complete the following field.

ROSA - Initial Setup - Use VLAN

VLAN ID: VLAN identification tag for internal network access. For establishing connectors with the platform, this is likely not necessary if you have established routes to the scanners or applications you are making connectors for.

Checking the Use Proxy box adds additional fields for completion. Complete the following fields.

ROSA - Initial Setup - Proxy

Proxy Type: Supported protocols for the proxy include HTTP, SOCKS4, and SOCKS5.

ROSA - Initial Setup - Proxy Type

Proxy IP: IP address for the proxy server.

Proxy Port: Port the proxy server listens on.

Proxy Username (Optional): Username for proxy (if needed).

Proxy Password (Optional): Password for proxy (if needed).

ROSA - Initial Setup - Use Proxy

Edit the configuration to update the network configuration as needed. Update the network settings and click Apply. If the provided whitelisting is accurate, then the device will connect within one minute, as illustrated below:

ROSA - Initial Setup - Connected

Frequently Asked Questions

What communication protocols are used for ROSA v1?

ROSA v1 communicates via TCP using the SSH Protocol through port 443.

For Managed Scanning, it communicates using the SSH Protocol through port 10555.

What if our virtual environment does not support the OVA format?

Please contact Ivanti Neurons Customer Support for other ROSA v1 deployment options.

What are the minimum access controls I can give to ROSA v1?

ROSA v1 needs to be able to communicate back to Ivanti Neurons outbound on port 443. Managed Scanning needs to communicate over port 10555.

ROSA v1, as a secure tunnel to your scanner, will also need to be able to reach the services you wish to connect to, e.g., Tenable.SC, Jira, Nessus, Nexpose.

For updates, the following addresses must be reachable:

  • http://us.archive.ubuntu.com/ubuntu
  • http://archive.canonical.com/ubuntu
  • http://security.ubuntu.com/ubuntu

ROSA v2

The RiskSense On-Site Application (ROSA) v2 performs the same functions as the ROSA v1; it allows the Ivanti Neurons platform to securely connect to an on-premises scanner or ticketing system and ingest vulnerability data or create tickets in a ticketing system. This version of ROSA leverages Cloudflare's Tunnel technology to create a secure connection between your internal services and the Ivanti Neurons platform. A high-level overview of Tunnel can be found here on Cloudflare's Blog.

How it Works

ROSA v2 leverages Cloudflare's Tunnel to create a private link from your internal service to Cloudflare without a publicly routable IP address. This link can then be used to create a connector in the Ivanti Neurons platform that will allow you to ingest your on-premises scanner vulnerability data or create tickets in your ticketing system. This private connection is established by running Cloudflare’s lightweight daemon, cloudflared, on your origin to create an outbound-only connection ensuring only traffic that routes through Cloudflare can reach your origin. A single tunnel can be used to connect to multiple internal services, each with its own private link that is used during connector setup in the Ivanti Neurons platform.

Step 1: A private connection is established with Cloudflare using their lightweight daemon, cloudflared, to create a secure, outbound-only connection. This creates a private link from your origin server to Cloudflare.

Step 2: The Ivanti Neurons platform establishes a connection using documented APIs of a third-party source through the private link created in Cloudflare.

Step 3: Once a successful connection is made to the third-party software through the secure tunnel, data can be pushed or pulled depending on the third-party software, its capabilities, data sources, and configured integration with the Ivanti Neurons platform.

ROSA v2 Requirements

The Ivanti Neurons platform offers users that have an on-premises solution the ability to ingest that data into the platform. We provide the ROSA v2 in the form of three files to be used in an Ubuntu 20.04 OVA. These files are used to download and create a secure connection from your internal network to the Ivanti Neurons platform within your VM.

The Ivanti Neurons-provided ROSA v2 files will be sent digitally to you. Below are the hardware specifications and requirements needed for the OVA and Tunnel creation within the Ivanti Neurons Cloudflare application:

OVA Virtual Machine (VM) Requirements:

  • Online always.
  • Network access to all data sources.
  • Outgoing traffic on ports 443 and 7844 (Cloudflare's Documentation).
  • Dedicated VM resources are recommended.
  • VM Requirements:
    • Ubuntu 20.04 OS
    • 4 vCPU
    • 4GB RAM
    • 20GB Disk
  • Network Information Required from Customer
    • The internal URL of the login page of each internal service you are connecting to the Ivanti Neurons platform.

ROSA v2 Installation

Files Included

  • JSON file: The name of this file varies because the naming convention is (your tunnel's UUID).json. It contains your tunnel's credentials in JSON format and is unique to each tunnel; it functions as the token that authenticates the tunnel it is associated with.
  • yml: This config.yml file configures the operation of your tunnel. Its contents vary depending on the number of services you want to connect through your tunnel.

ROSA v2 - Multiservice Configuration

Example of a Multiservice config.yml via Cloudflare’s Documentation

ROSA v2 - Single Service Configuration

Example of a Single service config.yml via Cloudflare’s Documentation

  • tunnel: This field specifies your tunnel UUID.
  • credentials-file: This field is used to specify the path to your tunnel's credential JSON file.
  • Depending on the number of services you intend to connect to the Ivanti Neurons platform, you will see a field titled either URL or ingress.
    • ingress: If you are connecting multiple internal services through your tunnel to the Ivanti Neurons platform, you will see hostname/service field pairs.
      • The hostname field is the private URL that Ivanti Neurons creates within our Cloudflare instance to connect to your internal service.
      • The service field specifies the login-page URL of one of your internal services.
    • URL: If you are connecting a single internal service through your tunnel to the Ivanti Neurons platform, this field contains that service's internal login URL.
  • sh: This bash script downloads the current Linux version of Cloudflare's connector, cloudflared, from the following URL:
    https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
    It then moves the JSON and config.yml files shared by Ivanti Neurons to the following directory in your VM: /usr/local/bin/cloudflared. Finally, it installs cloudflared as a service and enables it to start on boot.

Device Setup

Once you have received your Tunnel files from Ivanti Neurons in the form of a zip file, and have created and set up your Ubuntu 20.04 VM, you can begin the installation process. As an example, we downloaded a test tunnel's zip file to our Downloads directory:

ROSA v2 - Downloads Folder Example

Once you have extracted your tunnel files, verify that you have the three needed files: a JSON file, a config.yml, and a customerSetUpScript.sh file.

ROSA v2 - Required Files

Next, open a terminal and elevate yourself to root using the command sudo su and navigate to the directory where you extracted your tunnel files.

Once you are in your tunnels directory, execute the customerSetUpScript.sh using bash customerSetUpScript.sh. This script will attempt to download the latest version of Cloudflare’s connector cloudflared, move your config and JSON files to the cloudflared directory, install cloudflared as a service, and start it.

ROSA v2 - Cloudflared Download Output

ROSA v2 - Cloudflared Installation

ROSA v2 - Cloudflared Running as a Service

Your cloudflared connector is now installed and running as a service on your Ubuntu 20.04 VM. You can now use the Hostnames Ivanti Neurons provided to set up your connectors in the Ivanti Neurons platform.
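Before running customerSetUpScript.sh as root, the extracted bundle can be checked for consistency. The script below is an added example, not Ivanti's setup script: it confirms the three files listed above are present, that the tunnel UUID in config.yml matches the credentials file name and the TunnelID inside that JSON, and that a multi-service ingress block ends with the catch-all rule cloudflared requires. The JSON field names (AccountTag, TunnelSecret, TunnelID) are the ones cloudflared writes; the sample bundle it builds uses placeholder values and hostnames.

```shell
# Added pre-flight check for a ROSA v2 tunnel bundle (example code, not Ivanti's
# customerSetUpScript.sh). It confirms the three files are present and that the
# tunnel UUID agrees across config.yml, the credentials file name and the JSON's
# TunnelID. Assumed JSON layout is the one cloudflared writes:
# {"AccountTag":"..","TunnelSecret":"..","TunnelID":".."}.
set -uo pipefail
UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# rosa_preflight DIR: returns 0 when the bundle is consistent, 1 otherwise.
rosa_preflight() {
  local dir=$1 cfg=$1/config.yml cfg_uuid cred json json_uuid
  [ -f "$cfg" ] || { echo "missing config.yml"; return 1; }
  [ -f "$dir/customerSetUpScript.sh" ] || { echo "missing customerSetUpScript.sh"; return 1; }
  cfg_uuid=$(sed -nE "s/^tunnel:[[:space:]]*($UUID_RE)[[:space:]]*$/\1/p" "$cfg" | head -n1)
  [ -n "$cfg_uuid" ] || { echo "config.yml has no valid 'tunnel:' UUID"; return 1; }
  # credentials-file is the post-install path; only its file name must match the bundle
  cred=$(sed -nE 's/^credentials-file:[[:space:]]*([^[:space:]]+).*/\1/p' "$cfg" | head -n1)
  json=$dir/$(basename "$cred")
  [ -f "$json" ] || { echo "credentials JSON '$(basename "$cred")' not in bundle"; return 1; }
  [ "$(basename "$cred")" = "$cfg_uuid.json" ] || { echo "credentials-file name != tunnel UUID"; return 1; }
  json_uuid=$(grep -oE "\"TunnelID\":[[:space:]]*\"$UUID_RE\"" "$json" | grep -oE "$UUID_RE" | head -n1 || true)
  [ "$json_uuid" = "$cfg_uuid" ] || { echo "TunnelID in JSON != tunnel in config.yml"; return 1; }
  # a multi-service ingress block must end with a catch-all rule or cloudflared refuses to start
  if grep -q '^ingress:' "$cfg" && ! grep -qE '^[[:space:]]*-[[:space:]]*service:[[:space:]]*http_status:' "$cfg"; then
    echo "ingress block lacks a final 'service: http_status:...' catch-all rule"; return 1
  fi
  echo "bundle OK: tunnel $cfg_uuid"
}

# make_sample_bundle DIR: writes a constructed bundle (placeholder UUID, hostnames
# and secret, not real credentials) so the check can be tried offline.
make_sample_bundle() {
  local dir=$1 uuid=11111111-2222-3333-4444-555555555555
  mkdir -p "$dir"
  printf '{"AccountTag":"placeholder","TunnelSecret":"placeholder","TunnelID":"%s"}\n' "$uuid" > "$dir/$uuid.json"
  cat > "$dir/config.yml" <<EOF
tunnel: $uuid
credentials-file: /usr/local/bin/cloudflared/$uuid.json
ingress:
  - hostname: tenable-example.placeholder.invalid
    service: https://tenable-sc.corp.internal
  - hostname: jira-example.placeholder.invalid
    service: https://jira.corp.internal
  - service: http_status:404
EOF
  printf '#!/bin/bash\n# stand-in for the Ivanti-provided setup script\n' > "$dir/customerSetUpScript.sh"
}

if [ -n "${1:-}" ]; then rosa_preflight "$1"; fi
```

Run it as `bash preflight.sh /path/to/extracted/tunnel` from the directory holding the extracted files; a non-zero exit and the printed reason mean the bundle should not be installed until the mismatch is resolved with Ivanti Neurons Customer Support.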

Useful Commands

  • cloudflared status: If you need to see whether your cloudflared connector is currently running or stopped, use the following command to get the service's status:
    sudo systemctl status cloudflared
  • Stopping cloudflared: If you ever need to stop the Cloudflare connector, cloudflared, use the following command to stop the service:
    sudo systemctl stop cloudflared
  • Restarting cloudflared: Use the following command to restart your cloudflared service:
    sudo systemctl restart cloudflared

Frequently Asked Questions

Can I add or remove services later?

Absolutely, contact your Ivanti Neurons Customer Support for more information on how this is done.

What are the minimum access controls I can give to ROSA v2?

ROSA v2 needs to be able to communicate outbound to Cloudflare on ports 443 and 7844. More information on the ports Cloudflare uses for its Tunnels can be found in Cloudflare's Tunnel documentation.

ROSA v2, as a secure tunnel to your scanner, will also need to be able to reach the services you wish to connect to, e.g., Tenable.SC, Jira, Nessus, Nexpose.