Installing a Server without external sensors

When installing a Server without external sensors, all data to be processed and analyzed is received only by the computer that performs Server functions. You can apply this installation method if the computer has a sufficient number of network interfaces to receive data from various sources.

It is recommended to choose the Server deployment scheme without external sensors for monitoring one site with a small number of traffic sources. In the case of a distributed network architecture, it is recommended to choose the Server and external sensors deployment scheme.

If traffic aggregation tools (such as aggregation switches or network packet brokers) are used to transmit traffic to the Server in a distributed network architecture, important data about the sources from which information security events originate may be lost. In addition, if the same device addresses are used in different network segments, these addresses cannot be correctly matched to the devices without additional configuration of the traffic aggregation tools and the application. Individual network segments and devices may also be unavailable for monitoring in the application, and errors may occur when using some application functions (in particular, auditing, active polling, and response to threats).

The computer must have network interfaces to receive traffic on monitoring points from all industrial network segments. Due to the limit on the number of monitoring points on the Server, there must be no more than four of these network interfaces.

The computer must also have one more network interface so that other computers can connect to the Server through the web interface. There must be no monitoring points on this network interface. If there are no more free network interfaces on the computer, this same network interface can also be used for other connections from the dedicated Kaspersky Industrial CyberSecurity network.
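The interface requirements above, and the earlier caveat about reused addresses in aggregated traffic, can be checked against a deployment plan before anything is cabled. The following Python script is an added example, not part of the Kaspersky documentation or product; the plan format, NIC names, subnets and the `check_plan` function are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

MAX_MONITORING_NICS = 4  # limit on monitoring interfaces stated on this page

# Constructed sample plan; NIC names and subnets are illustrative only.
SAMPLE_PLAN = [
    {"nic": "eth0", "role": "management", "segments": []},
    {"nic": "eth1", "role": "monitoring", "segments": ["10.10.1.0/24"]},
    {"nic": "eth2", "role": "monitoring", "segments": ["10.10.2.0/24"]},
    # One NIC fed by an aggregation switch that merges two segments
    # reusing the same address range.
    {"nic": "eth3", "role": "monitoring",
     "segments": ["192.168.0.0/24", "192.168.0.0/25"]},
]


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    monitoring = [n for n in plan if n["role"] == "monitoring"]
    management = [n for n in plan if n["role"] == "management"]

    if not monitoring:
        findings.append("no monitoring interface defined")
    if len(monitoring) > MAX_MONITORING_NICS:
        findings.append(
            f"{len(monitoring)} monitoring interfaces exceed the limit of "
            f"{MAX_MONITORING_NICS}; consider the Server and external sensors scheme")
    if not management:
        findings.append("no separate interface for web interface connections")
    for nic in management:
        if nic["segments"]:
            findings.append(
                f"{nic['nic']}: web interface NIC must not carry monitoring points")

    # Aggregated feeds: overlapping ranges arriving on one NIC cannot be
    # matched to devices without additional configuration.
    for nic in monitoring:
        nets = [ipaddress.ip_network(s) for s in nic["segments"]]
        for a, b in combinations(nets, 2):
            if a.overlaps(b):
                findings.append(f"{nic['nic']}: segments {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

An empty result means the plan stays within the limits described on this page; each finding names the interface that needs attention.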

The figure below shows an example scenario for deploying a Server without sensors. The network interfaces of the computer that performs Server functions are connected to the SPAN ports of network switches (SPAN ports and connections are marked yellow) and receive a copy of traffic from three segments of the industrial network. The dedicated Kaspersky Industrial CyberSecurity network is designated by green lines.

Diagram illustrating the physical connections of industrial network devices to the internal switches of this network. A copy of traffic is transmitted to the Application Server monitoring points via SPAN ports of the network switches using separate communication channels.

Example deployment of a Server without sensors
