Sophos NDR on Dell hardware
You can install NDR on Dell systems that we've tested and certified.
Create an NDR appliance image
Sophos NDR uses an appliance to collect data and forward it to the Sophos Data Lake for analysis.
Before you set up your hardware, you must create and download an NDR appliance installation image. You'll deploy this ISO image as your NDR appliance later.
- In Sophos Central, go to Threat Analysis Center > Integrations.
- Find and click Sophos Network Detection and Response (NDR).
- On the NDR page, in Data Ingest (Security Alerts), click Add Configuration.
  The Integration setup steps appear.
- In Step 1, enter a name and description for the integration.
- In Step 2, click Create new appliance.
- To create the new appliance, do as follows:
  - Enter the appliance name and description. You must enter a unique name.
  - In Virtual platform, select Hardware.
- In Step 3, exclude specific domains and protocols from checking. For example, you might do this if you have a domain that causes false positives.
  You can set up your exclusions later, but you must enter an exclusion list name now.
  - Enter a name in Exclusion list name.
  - To exclude a domain, click Domain exclusions. Enter the domain name, for example sophos.com, and click Add.
  - To exclude a protocol, click Protocol exclusions. You can enter information in either or both of the fields:
    - In the first field, enter a master protocol. For example, TCP or UDP.
    - In the second field, enter a sub-protocol (website). For example, facebook.
  We don't recommend excluding a master protocol completely. Only do this if a high-traffic protocol that isn't usually risky, like a routing protocol, generates too much data.
  Note
  You can export your exclusions as a JSON file. You can also upload exclusions to the list from a JSON file you've exported previously.
  - Click Add.
- Click Save.
A pop-up shows you the Sophos Appliance Manager credentials. Make a note of them. You'll need Appliance Manager to access and troubleshoot appliances.
Your new integration now shows in the Configured NDR integrations list.
- To download the appliance image, click the three dots in the Actions column and select Download image. You may have to wait for the image to become available for download.
Install and connect system
- Unbox the Dell hardware.
- Install the rack mount rails. See Dell PowerEdge Manuals.
- Connect the following cables and peripherals to the Dell device:
  - Power cables to the power supplies.
  - VGA monitor and USB keyboard.
  - Management network cable to the port labeled 1.
  - Syslog network cable to the port labeled 2.
  - iDRAC network cable to the port labeled iDRAC.
  - Any network capture cables to the SPAN/mirror ports.
Configure iDRAC settings
iDRAC provides remote keyboard and video functionality, as well as remote virtual media support. You'll use it to install the NDR software from the bootable ISO image.
When the system is racked and all connections listed above are made, power on the system.
Press F2 on the keyboard at startup to enter System Setup.
Enter the iDRAC settings menu
- On the System Setup screen, use the arrow keys to select iDRAC settings, then press Enter.
- Use the arrow keys to select Network, then press Enter.
Configure iDRAC network settings
- Use the arrow keys to scroll through the IP settings and configure the address you'll use to connect to the iDRAC system.
- Press Tab to highlight the Back button in the lower right, and press Enter.
Configure iDRAC username and password
We strongly recommend that you change the default password. To do this, do as follows:
- Use the arrow keys to select User Configuration from the iDRAC settings, then press Enter.
- The default username is root. You can change this by entering a new username.
- To change the password, use the arrow keys to scroll down to the Change password field, then press Enter.
- Enter your new password, then confirm it.
- Press Tab to highlight the Back button, then press Enter.
- Press Tab to highlight the Finish button, then press Enter.
- Use the arrow keys to select the Yes button to save your changes.
- On the System Setup screen, press Tab to highlight the Finish button, then press Enter.
- Use the arrow keys to select the Yes button to confirm you want to exit.
Verify connectivity
At this point, the iDRAC system should be accessible via a web browser. To test this, open your browser and go to http://<configured IP address>. If the iDRAC page doesn't connect, check the iDRAC network connection and try again.
Note
All subsequent configuration will be done remotely. You can disconnect the keyboard and VGA monitor.
Connect to iDRAC
- If you're not already connected to the iDRAC interface, open your web browser and go to http://<configured IP address>.
- Enter the username and password configured in the previous section.
After a successful login, the iDRAC dashboard appears.
Create RAID data partition (R660 2 socket system only)
You only need to create a RAID data partition on the Dell R660 2 socket system, which includes three disk drives in the front disk enclosure.
If the system wasn't shipped with the disks pre-configured in RAID 5 setup, you must configure RAID for the data drive.
- On the iDRAC dashboard, click Storage. Then make sure Summary is selected.
- Under the Summary of Disks section, check the number of virtual disks. If there are two virtual disks listed, you can skip the remaining steps in this section and continue to the "Connect installation ISO" section.
- Click Virtual Disks.
  The current virtual disk is for the Operating System disk. We need to create the RAID 5 array for the data partition.
- Click Create Virtual Disk, then select Basic Configuration.
- Select the PERC controller from the Controller drop-down list.
- Select RAID 5 from the Layout drop-down list.
- Click Add to Pending.
- Click Apply Now.
  The volume creation is added to the job queue.
- Click Job Queue to see the operation status.
  If you don't see anything, make sure you're looking at Pending Operations under the Tasks tab. You can periodically click Refresh until the pending operations list is empty.
- On the iDRAC dashboard, click Storage, and make sure there are two virtual disks under Summary of Disks.
Connect installation ISO
Open virtual console
- If you're not already on the dashboard, click Dashboard in the upper left of the iDRAC menu on the web page.
- In the lower-right corner of the page, click Virtual Console. This opens a new browser window.
Note
If you have a pop-up blocker, the virtual console won't open. To open it, you must allow pop-ups for this website.
Connect virtual media
- Click Virtual Media in the menu bar at the top of the Virtual Console.
- Click Connect Virtual Media.
- If you've not already done so, download the NDR appliance installation image from Sophos Central.
- Under Map CD/DVD, click the Browse button.
- Use the file selection dialog to select the appliance ISO image that you downloaded from Central.
  Selecting the ISO image activates the Map Device button.
- Click Map Device.
- Click Close.
Boot from installer ISO
- Click Boot in the menu bar at the top of the Virtual Console.
- Click Virtual CD/DVD/ISO.
- Click Yes to confirm the selection.
- Click Power in the menu bar at the top of the Virtual Console.
- Click Reset System (warm boot).
- Click Yes to confirm the selection.
The system is now configured to boot from the ISO installer, and the reboot starts.
Begin installation
Make sure Install Sophos NDR - Dell Models is highlighted and press Enter.
Booting from the ISO image may take some time, so you must wait for the installer to fully load. When you see the Network Connections screen, the installer has finished loading.
Configure management IP address
Identify the interface to be used for the management network and connection to Sophos Central.
You must configure this interface with an IP address, default gateway, and DNS address. DHCP configuration is possible but not recommended, because the appliance's IP address may change during a future reboot.
- Use the arrow keys to select the management interface, then press Enter.
- Select Edit IPv4, then press Enter.
- Press Enter on the IPv4 method and select Manual.
- Enter the subnet for the interface in CIDR notation.
- Enter the IP address for the interface in the Address field.
- Enter the default gateway in the Gateway field.
- Enter the DNS server(s) in the Name servers field.
- Optional: Enter a domain in the Search domains field.
- Use the arrow keys to select Save, then press Enter.
Configure syslog IP address
- Use the arrow keys to select the interface that will be used for syslog, then press Enter.
- Use the arrow keys to select Edit IPv4, then press Enter.
- Select Manual for the IPv4 Method, then press Enter.
- Enter the subnet for the interface in CIDR notation.
- Enter the IP address for the interface in the Address field.
- Use the arrow keys to select Save, then press Enter.
Note
Don't enter a gateway or DNS address. You must only configure them for the management interface.
Configure capture interfaces
You configure the capture interfaces (SPAN settings) after installation using the Appliance Manager web UI. See SPAN settings.
For now, disable all remaining network interfaces, as follows:
- Use the arrow keys to select the interface, then press Enter.
- Select Edit IPv4, then press Enter.
- Use the arrow keys to select Disabled, then press Enter.
- Use the arrow keys to select Save, then press Enter.
Verify network settings
Verify your settings for the management and syslog IP addresses, and check that all other interfaces are disabled.
When all network settings are correct, use the arrow keys to select Done, then press Enter.
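A pre-flight check of the interface plan against the rules in the steps above (management interface: IPv4 address in CIDR notation, a gateway inside that subnet and at least one DNS server; syslog interface: CIDR address only, no gateway or DNS; every other interface disabled). This is an added example, not Sophos code; the interface names and addresses in PLAN are constructed sample values.

```python
import ipaddress

# Constructed sample plan: one entry per NIC the installer lists.
PLAN = {
    "eno1": {"role": "management", "address": "10.20.30.5/24",
             "gateway": "10.20.30.1", "dns": ["10.20.30.53"]},
    "eno2": {"role": "syslog", "address": "10.20.40.5/24"},
    "eno3": {"role": "disabled"},
    "eno4": {"role": "disabled"},
}

def parse_cidr(text):
    """Return an IPv4Interface for 'a.b.c.d/n', or None if text is not valid IPv4 CIDR."""
    try:
        iface = ipaddress.ip_interface(text) if "/" in text else None
    except ValueError:
        return None
    return iface if iface is not None and iface.version == 4 else None

def check_plan(plan):
    """Return a list of problems; an empty list means the plan follows the install rules."""
    problems = []
    roles = [cfg.get("role") for cfg in plan.values()]
    for role in ("management", "syslog"):
        if roles.count(role) != 1:
            problems.append(f"need exactly one {role} interface, found {roles.count(role)}")
    for name, cfg in plan.items():
        role = cfg.get("role")
        if role not in ("management", "syslog"):  # everything else must be disabled, no IPv4
            if role != "disabled" or any(k in cfg for k in ("address", "gateway", "dns")):
                problems.append(f"{name}: must be disabled with no IPv4 settings")
            continue
        iface = parse_cidr(cfg.get("address", ""))
        if iface is None:
            problems.append(f"{name}: address must be IPv4 in CIDR notation, e.g. 192.0.2.10/24")
            continue
        if role == "syslog":  # only the management interface gets a gateway and DNS
            if cfg.get("gateway") or cfg.get("dns"):
                problems.append(f"{name}: the syslog interface must have no gateway or DNS")
            continue
        try:  # management: gateway must be a valid address inside the interface's subnet
            gw_ok = ipaddress.ip_address(cfg.get("gateway", "")) in iface.network
        except ValueError:
            gw_ok = False
        if not gw_ok:
            problems.append(f"{name}: gateway missing or outside {iface.network}")
        if not cfg.get("dns"):
            problems.append(f"{name}: at least one DNS server is required")
    return problems
```

Run it on your own plan before you select Done; an empty result means the settings match what the installer expects.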
Installation process
The system is now ready to partition disks and begin the installation process.
Use the arrow keys to select Continue, then press Enter. This confirms the disk partitioning and installation.
Software installation takes some time and occurs in two phases. In the first phase, we install Ubuntu server. When this is complete, you'll see the Install complete! message at the top of the screen. In the second phase, we install the NDR software. When this is complete, you'll see the spinning progress indicator stop spinning.
Reboot after installation
- When the installation is complete, use the arrow keys to select Reboot Now, then press Enter.
  The exit process will pause and require you to remove the installation media.
- Select the Virtual Media button on the top menu bar of the Virtual Console.
- Click Disconnect Virtual Media, click Yes, then click Close.
- Press Enter to continue the exit and reboot process.