RiskSense On-Site Agent (ROSA) v2: Overview

Summary: High-level overview of RiskSense On-Site Agent (ROSA) v2.

Click here for more information on the legacy RiskSense On-Site Appliance (ROSA) v1 OVA.

ROSA v2

The ROSA v2 Customer Set Up Script is available here on GitHub.

The RiskSense On-Site Agent (ROSA) v2 performs the same functions as the ROSA v1; it allows the Ivanti Neurons platform to securely connect to an on-premises scanner or ticketing system and ingest vulnerability data or create tickets in a ticketing system. This version of ROSA leverages Cloudflare's Tunnel technology to create a secure connection between your internal services and the Ivanti Neurons platform. A high-level overview of Tunnel can be found here on Cloudflare's Blog.

How it Works

ROSA v2 leverages Cloudflare's Tunnel to create a private link from your internal service to Cloudflare without a publicly routable IP address. This link can then be used to create a connector in the Ivanti Neurons platform that will allow you to ingest your on-premises scanner vulnerability data or create tickets in your ticketing system. This private connection is established by running Cloudflare’s lightweight daemon, cloudflared, on your origin to create an outbound-only connection ensuring only traffic that routes through Cloudflare can reach your origin. A single tunnel can be used to connect to multiple internal services, each with its own private link that is used during connector setup in the Ivanti Neurons platform.

Step 1: A private connection is established with Cloudflare using their lightweight daemon, cloudflared, to create a secure, outbound-only connection. This creates a private link from your origin server to Cloudflare.

Step 2: The Ivanti Neurons platform establishes a connection using documented APIs of a third-party source through the private link created in Cloudflare.

Step 3: Once a successful connection is made to the third-party software through the secure tunnel, data can be pushed or pulled depending on the third-party software, its capabilities, data sources, and configured integration with the Ivanti Neurons platform.

ROSA v2 Requirements

The Ivanti Neurons platform offers users with an on-premises solution the ability to ingest that data into the platform. We provide ROSA v2 in the form of commands with instructions to be used in an Ubuntu 20.04 OVA. These commands are used to download and create a secure connection from your internal network to the Ivanti Neurons platform within your VM.

The Ivanti Neurons-provided ROSA v2 commands will be sent digitally to you. Below are the hardware specifications and requirements needed for the OVA and Tunnel creation within the Ivanti Neurons Cloudflare application:

OVA Virtual Machine (VM) Requirements:

  • Online always.

  • Network access to all data sources.

  • Outgoing traffic on ports 443 and 7844 (Cloudflare's Documentation).

  • Dedicated VM resources are recommended.

  • VM Requirements:

    • Ubuntu 20.04 OS

    • 4 vCPU

    • 4GB RAM

    • 20GB Disk

  • Network Information Required from Customer

  • For each service you would like to connect to the Ivanti Neurons platform, we will need the following information:

    • Name of Service (Tenable, Nessus, etc.).

    • Your internal URL used to access this service.

    • The IP address of this service.

    • The service’s FQDN (this should match the CN name on the certificate, regardless of if self-signed or not).

    • The service’s port.

    • If this service uses TLS.

    • The service’s certificate authority (CA) or self-signed certificate (base-64 encoded).

    • The Operating System where ROSA v2 will be installed.

ROSA v2 Installation

The following are the three pieces of information you need to set up your Cloudflare ROSA tunnel:

  1. Tunnel Token: This token is used to authenticate your specific tunnel to call home and connect back to Cloudflare's edge.

  2. Service CNAMEs: The URLs listed in this section will be used to set up your services connector in the Ivanti Neurons platform.

  3. Instructions: The instructions listed in this section are by default set up for a Debian 64-bit OS to be run from the CLI.

OS Instructions

Windows (64-Bit)

  1. Download the file from here.

  2. Run the installer.

  3. Open Command Prompt as Administrator.

  4. Navigate to the installed directory (usually C:\Program Files (x86)\cloudflared), update the following command with your Tunnel Token, and run it:

cloudflared.exe service install (replace with Tunnel Token)

Mac

To connect your tunnel to Cloudflare, update the command with your Tunnel Token and then copy-paste the following commands into a terminal window.

brew install cloudflare/cloudflare/cloudflared &&

 

sudo cloudflared service install (replace with Tunnel Token)

Debian (64-bit)

To connect your tunnel to Cloudflare, update the command with your Tunnel Token and then copy-paste the following commands into a terminal window.

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&

 

sudo dpkg -i cloudflared.deb &&

 

sudo cloudflared service install (replace with Tunnel Token)

Redhat (64-bit)

To connect your tunnel to Cloudflare, update the command with your Tunnel Token and then copy-paste the following commands into a terminal window.

curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm &&

 

sudo yum localinstall -y cloudflared.rpm &&

 

sudo cloudflared service install (replace with Tunnel Token)

Useful Commands (Debian OS)

  • cloudflared status: If you need to see if your cloudflared connector is currently running or stopped, you can use the following command to get the service’s status:

sudo systemctl status cloudflared

  • Stopping cloudflared: If you ever need to stop the Cloudflare connector, cloudflared, you can use the following command to stop the service:

sudo systemctl stop cloudflared

  • Restarting cloudflared: Use the following command to restart your cloudflared service:

sudo systemctl restart cloudflared

Frequently Asked Questions

Can I add or remove services later?

Contact your Ivanti Neurons RBVM/ASOC/VULN KB Customer Support for more information on how to do this.

What are the minimum access controls I can give to ROSA v2?

ROSA v2 needs to be able to communicate to Cloudflared outbound on ports 443 and 7844. More information on Cloudflare's ports for its Tunnels can be found here.

ROSA v2, as a secure tunnel to your scanner, will also need to be able to reach the services you wish to connect to, e.g., Tenable.SC, Jira, Nessus, Nexpose.