Proof of Concept
Definition of Scope
© 2017 All Rights Reserved, RedSocks B.V.
The organization for which this PoC is conducted is hereafter referred to as "the customer" in this document.
This document describes the requirements and needs for the successful execution of a RedSocks Malicious Threat Detection Proof of Concept (PoC).
This document is also intended to set the expectations of the PoC according to the capabilities of the RedSocks Solutions.
1.1 Proof of Concept
The RedSocks MTD PoC is intended for a customer who wishes to experience the operation and effectiveness of the appliance in a live environment. Because every environment has different characteristics and operational specifications, information about those specifics is needed; this document describes which information is required. A Proof of Concept usually encompasses only one (1) RedSocks Malicious Threat Detection (MTD) and one (1) probe (hardware or virtual appliances).
1.2 RedSocks solution management overview
RedSocks is specialized in detecting and fighting malware. This 100% Dutch company provides the RedSocks Malicious Threat Detection (MTD) as a network appliance. This innovative appliance analyses digital traffic flows in real time on the basis of lists of malicious indicators and algorithms compiled by the RedSocks Malware Intelligence Team. The members of this team are highly experienced specialists in finding new threats on the Internet and translating them into state-of-the-art malware detection. The RedSocks appliance detects malware, malicious behaviour and potential data leakage in network traffic, and in doing so provides an effective solution for a healthy network and safer IT facilities for an efficiently operating organization.
RedSocks recognizes the confidentiality level of the details requested in this document. As such, this document is intended only for use by RedSocks and the customer, and only for the purpose of the PoC. The contents and scope of this document will never be shared in any form (digital, in print, in writing or any other form) without explicit written permission from the customer.
1.4 RedSocks End User License Agreement
When conducting a Proof of Concept the customer agrees to all the terms and conditions of the RedSocks EULA in respect of this product and the use of this product – please refer to Appendix A.
2. Required Information
The following forms contain the information required by RedSocks to successfully plan, implement and evaluate the PoC. The information provided will assist RedSocks in identifying key dates, contacts and technical specifications. If the customer has any documentation that they consider important and valuable for the successful execution of the PoC, please attach it at the bottom of this document.
2.3 Preparations by the customer
In order to guarantee a fully functional implementation of the RedSocks solution and to obtain maximum results from the PoC, some preparations have to be made by the customer.
1) Mirrored Traffic (SPAN ports): The RedSocks solution analyses all outgoing traffic. To enable this, one or more traffic mirrors (SPAN ports) have to be configured on the infrastructure of the customer. Traffic mirroring is to be configured before the traffic passes through a proxy server and/or a NAT device (like a firewall). This enables the RedSocks solution to pinpoint the infected machine internally, based on either the IP address or the MAC address of the device.
Appendix C – Positioning the RedSocks MTD provides more information on the best location for generating mirrored traffic.
2) IP Addresses and Information: For the implementation and configuration of the RedSocks solution some IP addresses, DNS information, etc. are required. Please refer to paragraph 2.6 of this document.
3) Internet connectivity: The RedSocks solution requires Internet access to be able to download the Threat Intelligence updates. This is done using SSL (port 443). The RedSocks solution also needs to be able to resolve domain names through a DNS server. Connectivity with the Internet can be direct or via a proxy server. No data is sent to RedSocks!
4) In case of an implementation of virtual appliances please make sure the minimum requirements as stated in paragraph 2.2.2 can be met.
5) In case of an implementation of the hardware appliances please make sure that in total 2 U of rack space is available. Network cables (UTP) are to be provided by the customer. The appliances are shipped with standard C14 (male) / C13 (female) power cables. If other cables are required, these are to be provided by the customer. A keyboard (USB) and monitor (VGA) need to be available at the implementation location.
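Item 1 above is the preparation most often done wrong: a SPAN port on the WAN side of the firewall delivers traffic that has already been NAT-translated, so every flow carries the firewall's address and MAC and the MTD can no longer point at the infected internal host. The following script is an added example (not RedSocks code) that reads a few constructed flow records, as a network engineer might sample from a candidate mirror port, and reports whether the feed looks pre-NAT (distinct RFC 1918 sources and MACs) or post-NAT (sources collapsed onto one public address). The record format and the RFC 1918 ranges are assumptions; the MTD's own attribution logic is not described on the page.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges; a mirror taken before NAT should only show sources from these.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records (src_ip, src_mac, dst_ip, dst_port), not real captures.
# LAN_SIDE_FLOWS imitates a SPAN port on the client side of the firewall,
# WAN_SIDE_FLOWS the same sessions seen on the Internet side after NAT.
LAN_SIDE_FLOWS = [
    ("10.0.12.34", "00:11:22:33:44:01", "203.0.113.10", 443),
    ("10.0.12.35", "00:11:22:33:44:02", "198.51.100.7", 80),
    ("10.0.14.8", "00:11:22:33:44:03", "203.0.113.10", 443),
]
WAN_SIDE_FLOWS = [
    ("192.0.2.1", "00:aa:bb:cc:dd:ee", "203.0.113.10", 443),
    ("192.0.2.1", "00:aa:bb:cc:dd:ee", "198.51.100.7", 80),
    ("192.0.2.1", "00:aa:bb:cc:dd:ee", "203.0.113.10", 443),
]


def is_internal(ip_text):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_RANGES)


def assess_mirror_point(flows):
    """Classify a SPAN feed from the source addresses it carries.

    Returns a dict with per-source counts, the number of distinct source MACs
    and a verdict: 'pre-nat' (attributable to a device), 'post-nat' (not
    attributable) or 'mixed' (the mirror sees both sides of the NAT device).
    """
    internal_sources = Counter()
    public_sources = Counter()
    macs = set()
    for src_ip, src_mac, _dst_ip, _dst_port in flows:
        (internal_sources if is_internal(src_ip) else public_sources)[src_ip] += 1
        macs.add(src_mac.lower())

    if internal_sources and not public_sources:
        verdict = "pre-nat"
    elif public_sources and not internal_sources:
        verdict = "post-nat"
    else:
        verdict = "mixed"

    return {
        "verdict": verdict,
        "attributable": verdict == "pre-nat",
        "internal_sources": dict(internal_sources),
        "public_sources": dict(public_sources),
        "distinct_macs": len(macs),
    }


def report(flows):
    """Human-readable summary for a quick check during PoC preparation."""
    result = assess_mirror_point(flows)
    lines = [f"verdict: {result['verdict']} (attributable: {result['attributable']})",
             f"internal sources: {len(result['internal_sources'])}, "
             f"public sources: {len(result['public_sources'])}, "
             f"distinct MACs: {result['distinct_macs']}"]
    if result["verdict"] != "pre-nat":
        lines.append("move the SPAN port to the LAN side of the NAT device / proxy")
    return "\n".join(lines)


if __name__ == "__main__":
    print("LAN side:\n" + report(LAN_SIDE_FLOWS))
    print("WAN side:\n" + report(WAN_SIDE_FLOWS))
```

The MAC count is the second signal worth looking at: after NAT every record carries the firewall's MAC, so a feed with many internal IP addresses but a single MAC usually means the mirror is on a routed segment where Ethernet-level attribution is already lost, even though IP-level attribution still works.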
2.4 Timelines for the PoC
The table below describes the timeline of the PoC. It is important to recognize that the responsibility for meeting the preferred date of each milestone lies with different parties. Please make sure that all the parties involved are aware of their respective responsibilities and the attached timeline(s).
Preparations by <<the customer>>:
- Working span port on network segment(s) to be monitored
- Availability of IP addresses
2.5 PoC Agreements
To assure that the best results are achieved during the PoC the following agreements are effective:
· Implementation will be done as described in the PoC Definition of Scope completed by <<the customer>>.
· A mutually signed NDA (Non-Disclosure Agreement) is in place
· A mutually signed Loan Agreement is in place
· <<the customer>> agrees that RedSocks will have access to the log information collected by the RedSocks MTD
· No confidential information (log information and reports) will be sent via e-mail, unless PGP encryption is available.
· During the PoC Evaluation Session the appropriate people (for example the Security Officer, IT Manager, decision makers, DPO, etc.) are present.
2.6 Technical Details of the PoC implementation
The implementation of the RedSocks solution requires the installation and configuration of the MTD (Malicious Threat Detection) and the RedSocks Probe.
The function of the Probe is to extract the metadata (flow information) from the outgoing traffic and send it to the MTD. The MTD then analyses the metadata and alerts in case of malware infections.
The management interface (GUI) of the MTD has to have access to the Internet and be able to download hourly updates. To make this possible, please make sure that the following traffic from the RedSocks MTD is allowed:
- DNS (internal or external): the MTD needs a DNS server for name resolving. Remark: external address resolving is needed!
- NTP (internal or external), optional: if available, an NTP server can be configured to get the correct timestamps in the logging.
- SMTP (e-mail alerts), optional: if desired, the MTD can send e-mail alerts.
- RedSocks updates (external), TCP 80 & 443: the MTD downloads the updates from the Internet via HTTP and HTTPS.
RedSocks Update servers:
· nl0.rs-us.nl (via https)
· nl1.rs-us.nl (via https)
· nl2.rs-us.nl (via https)
· nl3.rs-us.nl (via https)
· nl4.rs-us.nl (via https)
Ubuntu Update servers:
· *.ubuntu.com (via http & https)
The management interface of the probe will send the metadata (flow information) to the MTD using the IPFIX protocol. Please make sure the following traffic from the Probe to the MTD is allowed:
- IPFIX destination port: IPFIX data sent from the Probe to the MTD.
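The table above is exactly the list a firewall administrator has to turn into egress rules before the PoC starts, and the usual failure is that one of the five update servers or the plain-HTTP Ubuntu mirror is still blocked. The script below is an added example (not RedSocks tooling) that runs on the MTD's management network and checks each required flow: external name resolution for every host, then a TCP connect to the listed port. The resolver and connector are passed in as functions so the same logic can be exercised offline with stubs; the live defaults use the standard library. Assumptions: archive.ubuntu.com stands in for the "*.ubuntu.com" wildcard, and the Probe-to-MTD IPFIX rule is not checked because the page gives no port number for it.

```python
import socket

# Update servers as listed in the document (HTTPS only).
RS_UPDATE_SERVERS = ["nl0.rs-us.nl", "nl1.rs-us.nl", "nl2.rs-us.nl",
                     "nl3.rs-us.nl", "nl4.rs-us.nl"]
# "*.ubuntu.com" is a wildcard in the document; this host is an assumed
# representative for the HTTP and HTTPS checks.
UBUNTU_HOST = "archive.ubuntu.com"


def required_flows(ubuntu_host=UBUNTU_HOST):
    """(host, tcp_port) pairs the MTD must be able to reach for updates."""
    flows = [(host, 443) for host in RS_UPDATE_SERVERS]
    flows += [(ubuntu_host, 80), (ubuntu_host, 443)]
    return flows


def default_resolve(name):
    """Resolve a name with the MTD's configured DNS; [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_tcp_connect(host, port, timeout=5.0):
    """True when a TCP handshake to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(resolve=default_resolve, tcp_connect=default_tcp_connect):
    """Check DNS and TCP reachability for every required flow.

    Returns a list of (check_name, ok, detail). Each host is resolved once;
    when a name does not resolve, its TCP checks are recorded as failed and
    skipped, because the document requires external name resolution.
    """
    results = []
    resolved = {}
    for host, port in required_flows():
        if host not in resolved:
            resolved[host] = resolve(host)
            if resolved[host]:
                results.append((f"dns:{host}", True, ",".join(resolved[host])))
            else:
                results.append((f"dns:{host}", False,
                                "no answer; external name resolution is required"))
        if not resolved[host]:
            results.append((f"tcp:{host}:{port}", False, "skipped, name did not resolve"))
            continue
        ok = tcp_connect(host, port)
        results.append((f"tcp:{host}:{port}", ok,
                        "reachable" if ok else "blocked; allow outbound TCP to this port"))
    return results


def failures(results):
    """Only the checks that did not pass, for the change request to the firewall team."""
    return [r for r in results if not r[1]]


if __name__ == "__main__":
    outcome = run_preflight()
    for name, ok, detail in outcome:
        print(f"{'OK ' if ok else 'FAIL'} {name:32} {detail}")
    raise SystemExit(1 if failures(outcome) else 0)
```

Run it from the MTD's management segment (or from any host that shares its gateway, DNS and proxy settings) before the implementation day; a non-zero exit code lists precisely which DNS or egress rules still need to be opened. If the MTD reaches the Internet via a proxy server, run the check from behind that same proxy, since a direct-connect test proves nothing about the proxied path.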
The RedSocks MTD requires 2 IP-addresses and information about the facilitating IP and Internet services such as DNS, SMTP, NTP and Gateways.
NOTE: It is strongly advised to place the management interface (Eth1) of the MTD and the flow interface (Eth2) of the MTD in different network segments.
If the internal clients and servers make use of an explicit proxy server (configured in the web browser), the details regarding the proxy server and its port numbers are required for the configuration of the RedSocks solution.