Preparing for Deployment
The following sections provide information on preparing your environment to deploy InsightIDR.
Preparing Collectors
The Collector is a machine on your network running the Rapid7 Collector software. The Collector either polls event sources for data or has data pushed to it from the event sources. An event source is a single device that has its logs collected by the Collector; it will either send logs to the Collector or have the Collector pull the logs from it. The Collector can not only gather logs from the various assets in your environment, but it can also collect endpoint data.
To deploy InsightIDR, you should have at least one dedicated system prepared in advance on which you will install the InsightIDR Collector.
If you already have Nexpose installed in your organization, do not install the Insight Collector software on an existing Nexpose Console or Nexpose Scan Engine as this will cause issues with your Nexpose systems.
The Collector can be a physical or virtual system and should be configured with the following:
- Linux 64-bit or Windows 64-bit operating system
- A minimum of 4 GB RAM and 60 GB of hard disk space
- 1000 Mbps network bandwidth and 2 CPU recommended
All Collectors must be configured with a fully qualified domain name, for example idrcollector1.myorg.com.
Preparing Collectors for endpoint scanning
For endpoint scanning, a Collector can be configured with only one endpoint scanning credential. Therefore, if you have multiple domains or other requirements for separate credentials that need to be used for scanning different endpoint ranges, you should plan on a separate Collector for each domain/set of credentials.
In the US, you can configure firewall/web proxy rules so that the Collector can connect to:
In Europe, the Middle East, and Asia (EMEA), you can configure firewall/web proxy rules so that the Collector can connect to:
- https://eu.data.insight.rapid7.com
- https://s3.eu-central-1.amazonaws.com
- https://eu.endpoint.ingress.rapid7.com
All endpoints need to be able to communicate back to the Collector on these TCP ports:
- 5508
- 6608
- 20000 - 30000
To learn more about endpoint monitoring, please see Endpoint Monitoring with InsightIDR.
Collector placement and sizing
When considering where to place your Collectors, keep in mind that your bandwidth and network architecture will influence the number of Collectors that you need in your organization and where you should place them. Generally, you want to deploy the Collectors close to the logs that will be pulled/sent and also close to the endpoints that they will be scanning.
CPU requirements are based on the number of endpoints that you are monitoring. As a general rule of thumb, plan on one CPU for every 16,000 IP addresses assigned to the Collector that runs the scan. These CPUs can be spread across more than one Collector. For example, if your scan covers 160,000 IPs, you would need approximately 10 CPUs across all Collectors.
Memory requirements are based on the number of event sources that the Collector will be collecting from. Use the table below to determine how much RAM to provision in each Collector:
Number of Event Sources on the Collector | RAM |
---|---|
1 – 10 | 4 GB |
10 – 50 | 8 GB |
50 – 80* | 16 GB |
*If you have more than 80 event sources, you should split your event sources across multiple Collectors.
Note that it is often more efficient to deploy multiple Collectors throughout the environment than to open additional firewall rules or overload a single Collector. Also, when scanning endpoints with a Collector, each Collector can be configured with only one set of endpoint scanning credentials. If different credentials are required for scanning different endpoints, you will need a separate Collector for each credential set.
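The sizing rules above (one credential set per Collector, at most 80 event sources per Collector, one CPU per 16,000 scanned IPs, RAM from the table, and the 2 CPU baseline from the Collector requirements) can be turned into a rough planning calculation. The following PowerShell is an added example, not Rapid7 tooling; the domain names, event source counts and IP counts in `$Scopes` are made up for illustration, and the generated Collector names are placeholders.

```powershell
# Added example (not Rapid7's code): rough Collector sizing planner built from
# the rules in the sizing section. Each scope is one credential set (for
# example one AD domain) and therefore needs at least one Collector of its own.
# The scope names and counts below are invented for illustration.
$Scopes = @(
    @{ Name = 'corp.example.com'; EventSources = 120; ScanIPs = 160000 }
    @{ Name = 'lab.example.com';  EventSources = 12;  ScanIPs = 4000 }
)

function Get-CollectorRam {
    param([int]$EventSources)
    # RAM table from the sizing section; the planner never assigns more than 80 sources.
    if     ($EventSources -le 10) { 4 }
    elseif ($EventSources -le 50) { 8 }
    else                          { 16 }
}

function Get-CollectorPlan {
    param([hashtable[]]$Scopes, [int]$MaxSourcesPerCollector = 80, [int]$IpsPerCpu = 16000)
    $plan = @()
    foreach ($s in $Scopes) {
        # Separate credential set => separate Collector(s); more if over 80 sources.
        $count      = [int][Math]::Max(1, [Math]::Ceiling($s.EventSources / $MaxSourcesPerCollector))
        $cpusNeeded = [int][Math]::Ceiling($s.ScanIPs / $IpsPerCpu)
        for ($i = 0; $i -lt $count; $i++) {
            # Spread event sources and scan CPUs evenly across the scope's Collectors.
            $sources = [int][Math]::Floor($s.EventSources / $count) + [int]($i -lt ($s.EventSources % $count))
            $cpus    = [int][Math]::Floor($cpusNeeded / $count)    + [int]($i -lt ($cpusNeeded % $count))
            $plan += [pscustomobject]@{
                Collector    = "idrcollector-$($s.Name.Split('.')[0])-$($i + 1)"   # placeholder name
                Scope        = $s.Name
                EventSources = $sources
                CPUs         = [Math]::Max(2, $cpus)          # 2 CPU recommended minimum
                RamGB        = Get-CollectorRam -EventSources $sources
            }
        }
    }
    return $plan
}

Get-CollectorPlan -Scopes $Scopes | Format-Table -AutoSize
```

With the sample input this yields two Collectors for corp.example.com (60 event sources, 5 CPUs and 16 GB each) and one for lab.example.com (12 sources, 2 CPUs, 8 GB). Treat the output as a starting point: it does not account for network placement, which the paragraph above says should also drive where and how many Collectors you deploy.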
Planning for Continuous Agents
The continuous agent software allows for real-time monitoring of the endpoint, and for InsightIDR customers, it provides the ability to run forensic jobs directly on the agent. When planning your continuous agent rollout, be aware that the Insight Platform does not provide a method to push out the continuous agent software to systems or to do an automatic deployment. You will need to deploy and manage the software using your own software installation methods. However, after the initial installation of the agent software, updates will be pushed out automatically from the Collector. Also, the continuous agent can only be installed on Windows systems at this time.
Although the agent footprint is quite small, it is recommended that you install the continuous agent software on a few endpoints first to monitor its performance, and then roll it out to the rest of the endpoint systems as desired. Before the first day of your Insight deployment, you should identify one or two Windows endpoints on which you will install a continuous agent during the deployment, and plan to roll out the rest of the agent software later.
The Continuous Agents need to be able to communicate back to the Collector on these TCP ports:
- 5508
- 6608
- 20000 - 30000
Every 30 seconds, each Continuous Agent sends a heartbeat to the Collector it most recently communicated with. If that fails, the agent tries each of the other deployed Collectors in turn. If it cannot reach any Collector, the agent communicates directly with the cloud.
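Before rolling the agent out, it is worth confirming from a representative endpoint that the same path the agent will take actually works: each Collector on the TCP ports listed above (both for endpoint scanning and for the continuous agent), and, as the last resort, direct HTTPS to the cloud ingress. The following PowerShell is an added example and not part of the Rapid7 agent; the Collector names are placeholders for your own Collector FQDNs, the cloud URL is the EMEA endpoint ingress from the list above (substitute your region), and probing only the two ends and a midpoint of the 20000-30000 range is a sampling choice of this script, not something the page specifies.

```powershell
# Added example (not Rapid7's code): pre-flight connectivity check, run from a
# Windows endpoint that will host the continuous agent or be scanned.
# Collector names are placeholders; replace with your own Collector FQDNs.
$Collectors = @('idrcollector1.myorg.com', 'idrcollector2.myorg.com')   # assumed names
$CloudUrl   = 'https://eu.endpoint.ingress.rapid7.com'                  # EMEA ingress from the page

# Fixed agent ports plus a sample from the 20000-30000 range; probing every
# port in the range is impractical, so test both ends and a midpoint (assumption).
$Ports = @(5508, 6608, 20000, 25000, 30000)

function Test-CollectorReachable {
    param([string]$Collector, [int[]]$Ports, [int]$TimeoutMs = 3000)
    # Returns a port => $true/$false map. A successful TCP connect only shows the
    # path is open through host and network firewalls, not that the Collector is healthy.
    $results = @{}
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Collector, $port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch { $ok = $false }          # DNS failure or refused connection
        finally { $client.Close() }
        $results[$port] = [bool]$ok
    }
    return $results
}

# Walk the same order the agent uses: each Collector in turn, then the cloud.
$reached = $false
foreach ($c in $Collectors) {
    $r = Test-CollectorReachable -Collector $c -Ports $Ports
    $closed = @($r.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key } | Sort-Object)
    if ($closed.Count -eq 0) {
        Write-Host "OK   $c : all sampled agent ports reachable"
        $reached = $true
        break
    }
    Write-Warning "FAIL $c : blocked ports $($closed -join ', ') - check host and network firewall rules"
}
if (-not $reached) {
    # Last resort, as for the agent: direct HTTPS to the cloud (honours the system proxy).
    try {
        $resp = Invoke-WebRequest -Uri $CloudUrl -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Host "OK   cloud fallback $CloudUrl reachable (HTTP $($resp.StatusCode))"
    } catch {
        # A non-success HTTP status still proves the TLS path to the cloud works.
        if ($_.Exception.Response) {
            Write-Host "OK   cloud fallback $CloudUrl reachable (HTTP $([int]$_.Exception.Response.StatusCode))"
        } else {
            Write-Warning "FAIL no Collector and no direct cloud path: $($_.Exception.Message)"
        }
    }
}
```

Run it under the same network profile the agent will have (for example from a VPN-connected laptop as well as an on-site desktop), since the firewall rules that matter are those between the endpoint and the Collector, not those on the Collector host alone.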
If you are planning to use your own packaging/installation method to install the continuous agent, such as pushing it out with a GPO or installing it with SCCM or a similar product, here are a few things to note:
- After downloading the endpoint package from your Insight instance, unzip it. The endpoint package, which is the continuous agent for Windows, contains several files besides the MSI installer. The .pem, .crt, and .key files are the certificate and key material that allow the agents to connect to your Insight instance, and a configuration file tells the agent how to connect to your Collectors and to the cloud. All of the files in the zip package must be placed in the folder from which you run the MSI to install the agent, so your deployment package must carry those files alongside the MSI rather than the MSI alone.
- You can run a silent install of the agent using the standard msiexec switches for an MSI file, for example: `msiexec /i agentinstaller-x86_x64.msi /quiet /qn`
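When the install is driven by SCCM, a GPO startup script or similar, the failure you most want to catch is an MSI that runs from a folder missing its certificate, key or configuration files. The following PowerShell wrapper is an added example, not Rapid7's installer or deployment guidance: it refuses to run msiexec unless the MSI sits next to .pem, .crt and .key files, runs the MSI silently from that folder, and maps the standard Windows Installer exit codes (0, 3010, 1638) to a result. The MSI name is the one given above; the package directory, log path and the placeholder names are assumptions, and the configuration file is not checked by name because the page does not name it.

```powershell
# Added example (not Rapid7's installer): deployment wrapper for the continuous
# agent MSI. Run it from your software distribution tool with the unzipped
# package folder as -PackageDir. Paths and the log location are assumptions.
param(
    [string]$PackageDir = $PSScriptRoot,                          # folder where the zip was extracted
    [string]$MsiName    = 'agentinstaller-x86_x64.msi',           # MSI name from the package
    [string]$LogPath    = "$env:ProgramData\InsightAgentDeploy\install.log"
)

function Test-AgentPackage {
    param([string]$Dir, [string]$Msi)
    # Returns the list of missing items; an empty list means the package is complete.
    $missing = @()
    if (-not (Test-Path (Join-Path $Dir $Msi))) { $missing += $Msi }
    # The package ships certificate/key material alongside the MSI; without it the
    # agent cannot connect to the Collectors or the cloud, so do not install without it.
    foreach ($ext in '*.pem', '*.crt', '*.key') {
        if (-not (Get-ChildItem -Path $Dir -Filter $ext -File -ErrorAction SilentlyContinue)) {
            $missing += $ext
        }
    }
    return $missing
}

function Install-InsightAgent {
    param([string]$Dir, [string]$Msi, [string]$Log)
    $missing = Test-AgentPackage -Dir $Dir -Msi $Msi
    if ($missing.Count -gt 0) {
        throw "Package in '$Dir' is incomplete, refusing to install. Missing: $($missing -join ', ')"
    }
    New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null
    # -WorkingDirectory keeps the MSI next to its sidecar files. /qn is fully
    # silent, /norestart leaves any reboot to the deployment tool, /l*v logs verbosely.
    $msiArgs = @('/i', "`"$(Join-Path $Dir $Msi)`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -WorkingDirectory $Dir -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host 'Agent installed.' }
        3010    { Write-Host 'Agent installed; a reboot is pending.' }      # ERROR_SUCCESS_REBOOT_REQUIRED
        1638    { Write-Host 'Another version of the agent is already installed.' }  # ERROR_PRODUCT_VERSION
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $Log" }
    }
    return $proc.ExitCode
}

Install-InsightAgent -Dir $PackageDir -Msi $MsiName -Log $LogPath
```

Because the script throws on an incomplete package or a non-zero exit code, a deployment tool that treats a non-zero script exit as failure will surface the problem per machine instead of leaving silently half-installed agents that never check in.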
To learn more about continuous agents, please see Endpoint Monitoring with InsightIDR.
Preparing service accounts
You will need to set up at least one service account that will be used for event log collection and endpoint scans. You may want to configure additional accounts, depending on your environment. Because some of these accounts must be members of the Domain Admins group, treat them as highly privileged: give each a long, unique password, do not reuse them for interactive logon, and monitor their use.
To learn more about the service accounts that are required, please see Supported Event Sources.
Event Source Type | Service Account Requirement |
---|---|
Active Directory security log | *Domain account that is a member of the domain admins group |
LDAP | Domain account with read permissions to all users and groups in the domain |
Microsoft DHCP | Domain account with read permissions to the share on each DHCP server where the DHCP audit trail is written |
Microsoft DNS | Domain account with read permissions to the share on each DNS server where the DNS audit trail is written |
Outlook Web Access | Domain account with read permissions to the share on each IIS server where the Outlook Web Access audit trail is written |
Windows Endpoint Monitor** | Domain account that is a member of the domain admins group |
Mac Endpoint Monitor | An account with sudo privileges on the Mac endpoints. If you are using private key authentication, the account must also have passwordless sudo. |
* This same service account may be used for all the other event source log collection and endpoint scans if desired.
** If you have multiple domains in your environment that have endpoints that will be scanned, you will need a separate Collector for each domain. You can only have one endpoint credential per Collector.
What's Next?