Implementation Guide
Updated on 19 May 2025
Introduction
This article provides guidance for customers planning, executing, and maintaining a BluVector Advanced Threat Detection (ATD) deployment.
BluVector ATD identifies cyberattacks before they enter a network. BluVector ATD features include:
Analysis of network traffic and files in real time
Detection of fileless threats through speculative code execution
Machine learning that adapts and learns about unique content in your network
Enhanced Zeek logs that provide detailed records of network connections
Configurable risk levels
Privacy, with no requirement to share data with BluVector
This article focuses on device implementation to maximize the use of the BluVector ATD product within security organizations.
This document is intended to supplement the BluVector ATD User Manual. Where appropriate, procedures documented in the user manual should be used.
Feedback related to BluVector ATD implementation can be provided to a Customer Success point of contact or by email to support@bluvector.io.
Preinstallation Checklist
This section provides yes/no questions to help a customer plan a BluVector ATD deployment. Complete the checklist as early as is convenient, to allow ample time to resolve potential implementation issues.
The questions are broken up into the following categories:
Logistics
Physical Installation
Appliance Configuration
Network Integration
Logistics
Question | Y/N | Reference Article |
---|---|---|
Has the Bill of Materials (BOM) of the order been reviewed? | | |
Is it known where the hardware is being shipped? | | |
Is it known when the hardware is estimated to arrive? | | |
Table 1: Preinstallation Logistics Questions
Physical Installation
Question | Y/N | Reference Article |
---|---|---|
Do the installation sites know the size, weight, and power of the hardware appliances? | | |
Can the sites’ server racks support the hardware? | | |
Have the sites provisioned for the physical connections of the hardware appliances? | | |
Table 2: Preinstallation Physical Installation Questions
Appliance Configuration
Question | Y/N | Reference Article |
---|---|---|
Have the IP Requirements for the appliances been provisioned for? | | |
Will any of the following be integrated/used: | | |
Has an account administration preference been determined? | | |
Have the lights-out capabilities of the product been reviewed: | | |
Table 3: Preinstallation Appliance Configuration Questions
Network Integration
Question | Y/N | Reference Article |
---|---|---|
Has the traffic flow for the ingest interface on the appliances been determined? | | |
Have the firewall requirements for the appliance’s network integration been reviewed? | | |
Has it been determined how the BluVector ATD generated data will be forwarded? | | |
Have the network security integrations for BluVector ATD been determined? | | |
Table 4: Preinstallation Network Integration Questions
Welcome Kit (What’s in the Box)
A delivered BluVector ATD appliance contains the following in the box:
Standard Rail Kit
Six (6) foot (IEC-320-C19 to IEC-320-C20) power cables
Appliance (FX-2 or R440)
SFP Kit (Applicable to FX-2 appliances)
Physical Installation
This section describes the process to install a BluVector ATD appliance. The procedures are separated for the two different appliance form factors:
R440 (500 Mbps and 1 Gbps)
FX-2 (5 – 40 Gbps)
Appliances are shipped in Dell packaging and are preconfigured with the BluVector ATD software. See the Welcome Kit (What’s in the Box) section for further details on the delivered hardware.
R440 Install Procedure
Unpack the system.
Install the 1U Dell PowerEdge Rack Rails into the server rack.
Install the Dell R440 in the Rack Rails.
Insert the two power cords into the dual power supplies and into the power strips in the rack.
Connect an Ethernet cable to each of the following ports on the rear of the server:
Integrated Dell Access Console (“iDRAC”) – upper left-hand port
Management switch – the port to the right of the iDRAC
Ingest port – below the management port. This port should be connected to the tap or packet broker.
Figure 1 shows the back panel of the R440 with the labeled data connections.
Figure 1: R440 Back Panel
FX-2 Install Procedure
Unpack the system.
Install the 2U Dell PowerEdge Rack Rails into the server rack.
Install the Dell FX2 server in the rack rails.
Insert the two power cords into the dual power supplies and into the power strips in the rack.
Connect an Ethernet cable to the Chassis Management Controller (CMC) interface. This physical interface carries both the CMC and each node’s iDRAC connections.
For each node perform the following:
Connect a cable to the node’s management port.*
Connect a cable to the node’s ingest port.*
*The physical interface type will be either copper or fiber, depending on the SFP type used.
Figure 2 shows the back panel of FX-2 chassis with the CMC connection highlighted.
Figure 2: FX-2 Back Panel - CMC Connection
Figure 3 shows the back panel of the FX-2 chassis with the A1 and A2 modules highlighted. The A1 module is reserved for connections to the management interface, and A2 is reserved for the ingest interface.
Figure 3: FX-2 Back Panel - A1 and A2 Modules
The FX-2 can hold up to four separate compute nodes. For each module, connection numbers 1, 3, 5, and 7 as shown in Figure 3 map to nodes 1, 2, 3, and 4, respectively.
BluVector ATD Appliance Configuration
This section describes the method to configure the following on a BluVector ATD appliance:
IP Address(es)
NTP
DNS
IP Address Configuration – Chassis Management Controller
The Chassis Management Controller (CMC) connection is only available on the multi-node FX-2 hardware. To configure the CMC interface’s IP address, perform the following:
Connect a network cable into the iDRAC port as shown in Figure 2.
Set the IP address of the computer from which you are configuring the appliance to the following:
IP Address – Any IP address in the 192.168.0.x/24 network except 192.168.0.120
Default Gateway – 192.168.0.1
Open a web browser on the workstation and navigate to https://192.168.0.120.
Log in with the following credentials:
Username: root
Password: calvin
Figure 4: CMC Login Interface
Select Network from the menu.
Figure 5: CMC Health Status
Under network configuration, choose the appropriate IP settings to configure (IPv4 or IPv6).
Figure 6: IPv4 CMC Settings
After making the required IP configuration changes, select Apply Changes to save the configuration. The appliance will now be accessible via a browser at the newly configured IP address.
IP Address Configuration – iDRAC (FX-2)
The iDRAC IP addresses for the individual nodes in an FX-2 chassis are configured via the CMC interface. To configure them from the CMC, perform the following:
In the CMC main page, navigate to Chassis Controller > Server Overview and select Setup.
Figure 7: iDRAC IP Setup from CMC
Complete the networking setup in the Quick Deploy Settings to set the IPv4 or IPv6 values.
Select Apply iDRAC Network Settings at the top of the menu pane to save the settings.
IP Address Configuration – iDRAC (R440)
To configure the IP address of an R440’s iDRAC interface, perform the following:
Connect a network cable into the iDRAC port as shown in Figure 1.
Set the IP address of the computer from which you are configuring the appliance to the following:
IP Address – Any IP address in the 192.168.0.x/24 network except 192.168.0.120
Default Gateway – 192.168.0.1
Open a web browser on the workstation and navigate to https://192.168.0.120.
Log in with the following credentials to enter the iDRAC Dashboard:
Username: root
Password: calvin
Figure 8: iDRAC Dashboard
Select iDRAC Settings.
Figure 9: iDRAC Settings
Configure the IP address for either IPv4 or IPv6.
Figure 10: iDRAC Network Configuration
Select Apply to save the changes.
IP Address - Management
The IP address for the management interface is set from the operating system terminal, which is reached through the virtual console in the iDRAC GUI. To change the management IP address, perform the following:
Navigate to the iDRAC GUI and log in with the following credentials:
Username: root
Password: calvin
In the iDRAC Dashboard, open a terminal by selecting Launch Virtual Console.
Figure 11: iDRAC Dashboard - Launch Console
When a command prompt appears, log in with the following default credentials:
Username: bvadmin
Password: bluvector
From the terminal prompt as user bvadmin, run the following commands to set the IPv4 address. The <interface> item in the commands below will be either em1 or System em1.
nmcli connection modify <interface> ipv4.addresses <ip>/<mask length>
nmcli connection modify <interface> ipv4.gateway <gateway>
nmcli connection modify <interface> ipv4.method manual
nmcli connection down <interface> && nmcli connection up <interface>
For IPv6, the commands are:
nmcli connection modify <interface> ipv6.addresses <ip>/<mask length>
nmcli connection modify <interface> ipv6.gateway <gateway>
nmcli connection modify <interface> ipv6.method manual
nmcli connection down <interface> && nmcli connection up <interface>
Alternatively, the user can set the management interface IP address from a keyboard, video, and mouse (KVM) console or crash cart local to the appliance.
DNS / NTP
To configure DNS and NTP connections to an appliance, perform the following from the terminal:
If not already logged in, log in as bvadmin from the appliance terminal.
To set up DNS, perform the following commands:
nmcli connection modify <interface> ipv4.dns <dns servers separated by commas>
nmcli connection modify <interface> ipv4.dns-search <local domain>
To set up the Network Time Protocol (NTP), use vi or vim to edit the chrony.conf file (the file is root-owned, so run the editor with sudo):
sudo vi /etc/chrony.conf
Add the following line to the end of the file, using the NTP server for the host value:
server <host> iburst
Restart the chrony service and bring its sources online by running the following:
sudo systemctl restart chronyd.service
sudo chronyc online
Customer Network Integration
This section details the services, ports, and protocols for BluVector ATD network connectivity. Use these lists to ensure that the necessary network access control lists (ACLs) and firewall rules are in place for proper system functionality.
The BluVector Portal is the cloud gateway for communicating with the BluVector Cloud infrastructure for the services listed in Table 5. These services are optional and can be disabled.
Service | URL | Port & Protocol | Transmission | Frequency | Description |
---|---|---|---|---|---|
Submit to BV | https://api.bluvector.io | tcp:443 | On-Demand | N/A | Submit a file from an event to the BluVector Threat Team for analysis. |
Support Bundle Upload | https://api.bluvector.io | tcp:443 | On-Demand | N/A | Submit support bundle containing system logs and information to BluVector Support for troubleshooting. |
Dynamic Malware Analysis in the Cloud | https://api.bluvector.io | tcp:443 | Configured | On-Demand, based on config | Submit files from events to the BluVector cloud sandbox (DMAC) and return the execution reports to the BluVector system. |
Health & Status Telemetry | https://api.bluvector.io | tcp:443 | Configured | 2x Daily | Submit system health status logs to BluVector for system health tracking and analysis. |
Detection Telemetry | https://api.bluvector.io | tcp:443 | Configured | 4x Daily | Submit detection data information to BluVector for feedback. |
Adjudication Telemetry | https://api.bluvector.io | tcp:443 | Configured | 1x Daily | Submit analyst adjudication decision on BV event to BluVector for feedback. |
Table 5: BluVector Portal Service Configuration
The services listed in Table 6 are BluVector Portal services that can be accessed for off-line customers.
Service | URL | Port & Protocol | Transmission | Frequency | Description |
---|---|---|---|---|---|
Artifact Store | https://api.bluvector.io | tcp:443 | Configured | Once Daily | Delivers updated & new detection artifacts to BluVector systems. |
Emerging Threats Pro Suricata Rules | https://api.bluvector.io | tcp:443 | Configured | Once Daily | ETPro ruleset update service option in BluVector subscription. |
Software Updates | https://updates.bluvector.io | tcp:443 | Configured | Once Daily | Queries update server to download new BluVector ATD System updates. |
Table 6: BluVector Portal Off-Line Service Configuration
BluVector ATD System
Table 7 lists the services, ports, and protocols that are needed for BluVector ATD system connectivity with:
BluVector Central Managers
User containers and add-ons
Collectors
Other services
Service | URL | Port & Protocol | Transmission | Frequency | Description |
---|---|---|---|---|---|
Central Manager & Collector Communications (tinc) | localhost | udp/tcp:655 | Bi-Directional | Automatic | VPN mesh and REST requests. Required for communication between the Central Manager and the Collectors. |
Central Manager & Collector Communications (ssh) | localhost | ssh:22 | Bi-Directional | Automatic | VPN mesh and REST requests. Required for communication between the Central Manager and the Collectors. |
BluVector ATD Application | localhost | tcp:443 | Bi-Directional | Automatic | End user graphic user interface. |
BluVector ATD Application API | localhost | tcp:443 | Bi-Directional | Automatic | End user API interface. |
BluVector Atomic Host | localhost | tcp:9090 | Bi-Directional | Automatic | Local server management graphical user interface. |
Enhanced Rules Manager | localhost | tcp:18443 | Bi-Directional | Automatic | Optional local server Suricata and Snort rules graphical user interface container. |
BluVector STIX/TAXII | localhost | udp:9000 | Bi-Directional | Automatic | Optional publication of STIX documents containing the IP/URL and hash of a malicious extracted file, broadcast to other security products for blocking. |
Table 7: BluVector ATD System Service Connectivity
Table 8 lists the services, ports, and protocols that are needed for optional third-party product integrations for:
Email monitoring
Threat intelligence
Data forwarding
Post analyzers / sandboxes
Endpoint solutions
Service | URL | Port & Protocol | Direction | Transmission | Frequency | Description |
---|---|---|---|---|---|---|
Office 365 | https://outlook.office365.com | tcp:443 | Pull | Automatic | Customer defined | BluVector's IMAP analysis service for Office 365 email. |
AlienVault OTX | https://otx.alienvault.com | tcp:443 | Pull | Customer defined | Once Daily | AlienVault threat intelligence update service included in BluVector subscription. |
ThreatConnect IOCs | https://api.threatconnect.com | tcp:443 | Pull | Customer defined | Customer defined | ThreatConnect threat intelligence update – requires third-party license. |
STIX/TAXII IOCs | Customer defined | tcp:443 | Pull | Customer defined | Customer defined | Threat Intelligence IOCs in a customer STIX/TAXII are retrieved via this connection. |
ZMQ Push (BISON) | Customer defined | Customer defined | Push | Customer defined | Customer defined | Output processor to push BluVector ATD events and extracted files to a backend data store. |
TCP/UDP Pipe (syslog) | Customer defined | Customer defined | Push | Customer defined | Customer defined | Output processor to push BluVector ATD events and/or system health status to backend syslog server or SIEM. |
Email / SMTP | Customer defined | tcp:25 or tcp:587 | Push | Customer defined | Customer defined | Output processor to push BluVector ATD events and/or system health status to an email account. |
SFTP | Customer defined | tcp:22 | Push | Customer defined | Customer defined | Output processor to push Zeek logs or targeted Zeek logs and/or extracted files to an FTP server. |
Kafka | Customer defined | tcp:9092 | Push | Customer defined | Customer defined | Output processor to push BluVector ATD events to a backend data store. |
Splunk Forwarder | Customer defined | tcp:9997 | Push | Customer defined | Customer defined | Output processor to push Zeek logs or targeted Zeek logs to a Splunk server. |
Zeek Kafka Script | Customer defined | tcp:9092 | Push | Customer defined | Customer defined | Output processor to push Zeek logs to a backend data store. |
Cuckoo | Customer defined | tcp:443 | Bi-Directional | Customer defined | Customer defined | Analytical post-processor to analyze extracted file contents in a customer Cuckoo sandbox. |
FireEye AX | Customer defined | tcp:443 | Bi-Directional | Customer defined | Customer defined | Analytical post-processor to analyze extracted file contents in a customer FireEye AX sandbox. |
LastLine | Customer defined | tcp:443 | Bi-Directional | Customer defined | Customer defined | Analytical post-processor to analyze extracted file contents in a customer LastLine sandbox. |
Carbon Black Protect | Customer defined | tcp:443 | Push | Customer defined | Customer defined | Endpoint processor to push IP/URL and Hash of malicious extracted file to a customer Carbon Black Protect endpoint solution. |
Carbon Black Response | Customer defined | tcp:443 | Push | Customer defined | Customer defined | Endpoint processor to push IP/URL and Hash of malicious extracted file to a customer Carbon Black Response endpoint solution. |
Symantec ICDx | Customer defined | tcp:443 | Push | Customer defined | Customer defined | Endpoint processor to push IP/URL and Hash of malicious extracted file to a customer Symantec ICDx endpoint solution. |
Table 8: BluVector ATD Third-Party Integration Connectivity
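The firewall review the preinstallation checklist asks for can be made mechanical. The following is an added example, not BluVector code: it encodes a subset of the flows from Tables 5, 6 and 8 and evaluates them against a constructed customer egress policy with first-match, default-deny semantics, returning the flows that would be blocked; the rule format and the 198.51.100.x addresses standing in for customer-defined servers are assumptions.

```python
# Added example, not BluVector code: check a customer egress policy against the
# flows in Tables 5-8. Rule format, sample policy and 198.51.100.x hosts are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    service: str
    dst: str    # hostname from the tables, or a customer-defined address
    proto: str
    port: int

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    dst: str      # CIDR, hostname, or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: range  # e.g. range(443, 444) for a single port

# Flows from Tables 5, 6 and 8; 198.51.100.x stands in for customer servers.
REQUIRED = [
    Flow("Software Updates", "updates.bluvector.io", "tcp", 443),
    Flow("Health & Status Telemetry", "api.bluvector.io", "tcp", 443),
    Flow("Splunk Forwarder", "198.51.100.20", "tcp", 9997),
    Flow("Kafka", "198.51.100.30", "tcp", 9092),
]

def _dst_matches(rule_dst, flow_dst):
    if rule_dst in ("any", flow_dst):
        return True
    try:  # CIDR rule against an IP destination
        return ipaddress.ip_address(flow_dst) in ipaddress.ip_network(rule_dst)
    except ValueError:  # a hostname on either side cannot match a CIDR
        return False

def first_match(policy, flow):
    """First-match evaluation with an implicit default deny."""
    for rule in policy:
        if (_dst_matches(rule.dst, flow.dst)
                and rule.proto in ("any", flow.proto)
                and flow.port in rule.ports):
            return rule.action
    return "deny"

def blocked_flows(policy, flows=REQUIRED):
    """Required flows the policy would not permit (what the firewall team must fix)."""
    return [f for f in flows if first_match(policy, f) != "allow"]

# Constructed sample policy: update host on 443 and SIEM segment on 9997 allowed only.
SAMPLE_POLICY = [
    Rule("allow", "updates.bluvector.io", "tcp", range(443, 444)),
    Rule("allow", "198.51.100.0/24", "tcp", range(9997, 9998)),
    Rule("deny", "any", "any", range(0, 65536)),
]
```

Running `blocked_flows(SAMPLE_POLICY)` reports the telemetry flow to api.bluvector.io and the Kafka push as blocked, which is exactly the list to hand back for the Table 4 firewall question.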