High-level overview of the RiskSense On-Site Application (ROSA) OVA.
RiskSense On-Site Appliance (ROSA) is a virtual machine that allows the RiskSense platform to securely connect to an on-premises scanner or ticketing system and ingest vulnerability data or create tickets in a ticketing system.
The OVA can also be used for RiskSense to conduct managed scanning. This is only done for customers who subscribe to RiskSense Managed Scanning. In this case, it provides a secure connection back to the RiskSense Labs and the scanner we are using to perform the scan.
How it Works
ROSA is designed to allow a secure connection from the customer's internal network directly to the RiskSense platform. This is accomplished by creating a secure SSH tunnel over port 443 to transmit the required scan data to the platform for ingestion.
As a Managed Scanning OVA, outbound SSH traffic over port 10555 would be required for scan connection.
Warning: Sending SSH traffic over port 443 can often be blocked by your perimeter firewall. Please ensure that the ROSA IP and the RiskSense platform IP are whitelisted to communicate via SSH over port 443 through these devices.
ROSA not only works for the ingestion of scan data but will also allow a user to configure a connector to access and submit tickets.
Step 1. ROSA establishes a secure SSH tunnel with the RiskSense platform.
Step 2. The RiskSense platform establishes a connection using documented APIs of a third-party source through the SSH tunnel (these connections must be pre-configured by RiskSense staff upon support request).
Step 3. Once a successful connection is made to the third-party software through the secure tunnel, data can be pushed or pulled depending on the third-party software, its capabilities, data sources, and configured integration with the RiskSense platform.
The RiskSense platform offers users that have an on-premises solution the ability to ingest that data into the platform. It can also be used to securely facilitate managed scanning. We provide the ROSA in the form of an Open Virtual Appliance (OVA). This creates a secure connection from your internal network to the RiskSense platform.
The RiskSense-provided OVA will be sent digitally to you. Below are the hardware specifications and requirements needed for the OVA:
OVA Virtual Machine (VM) Requirements:
- Online always.
- Network access to all data sources.
- Outgoing SSH traffic on port 443 (10555 for Managed Scanning).
- Dedicated VM resources recommended.
- VM Requirements:
- 4 vCPU
- 4GB RAM
- 20GB Disk
- Network Information Required from Customer
- Customer’s public IP address for whitelisting.
The OVA contains three packaged files:
- ovf: The virtual appliance file that contains all the VM configurations and hardware requirements.
- vmdk: The disk image for the .ovf that contains the operating system and software for the device.
- mf: A manifest file for confirming the previous two files is accurate and unchanged.
All three files must be used in the deployment of the OVA. In VMware vCenter or ESXi, all three files can be deployed as an OVA template.
Boot up the device. At the configuration screen, provide the necessary information to configure the network settings.
Device Name: Name of the device
Network Mode: Select between DHCP and Static.
DHCP: If the network location you are deploying the ROSA has dynamically assigned IP addresses, select this option.
Static: If you are statically assigning the IP address to the ROSA device, select this option and complete the following network configuration options that are displayed.
IP/netmask: Provide the static IP address that is to be assigned to the device. For the subnet mask, provide it in CIDR notation.
Gateway: Provide the default gateway address for the subnet that the device is in.
DNS: Provide the IP address for the local DNS server for domain name resolution.
Checking the Use VLAN box adds an additional field for completion. Complete the following field.
VLAN ID: VLAN identification tag for internal network access. For establishing connectors with the platform, this is likely not necessary if you have established routes to the scanners or applications you are making connectors for.
Checking the Use Proxy box adds additional fields for completion. Complete the following fields.
Proxy IP: IP address for the proxy server.
Proxy Port: Port the proxy server listens on.
Proxy Username (Optional): Username for proxy (if needed).
Proxy Password (Optional): Password for proxy (if needed).
Edit the configuration to update the network configuration as needed. Update the network settings and click Apply. If the provided whitelisting is accurate, then the device will connect within one minute, as illustrated below:
Frequently Asked Questions
What communication protocols are used for ROSA?
ROSA communicates via TCP using the SSH Protocol through port 443.
For Managed Scanning, it communicates using the SSH Protocol through port 10555.
What if our virtual environment does not support the OVA format?
Please contact RiskSense Customer Support for other ROSA deployment options.
What are the minimum access controls I can give to ROSA?
ROSA needs to be able to communicate back to RiskSense outbound on port 443. Managed Scanning needs to communicate over port 10555.
ROSA, as a secure tunnel to your scanner, will also need to be able to reach the services you wish to connect to, e.g., Tenable.SC, Jira, Nessus, Nexpose.
For updates, the following addresses must be reachable: