ATA Gateway Prerequisites


General

  • The ATA Gateway supports installation on a server running Windows Server 2012 R2 or Windows Server 2016
  • The ATA Gateway can be installed on a server that is a member of a domain or workgroup.
  • The ATA Gateway can be used to monitor Domain Controllers with Domain Functional Level of Windows 2003 and above.

Port mirroring on virtual/physical machines

ATA Gateway | Domain Controller              | Considerations
Virtual     | Virtual on same host           | The virtual switch needs to support port mirroring. Moving one of the virtual machines to another host by itself may break the port mirroring.
Virtual     | Virtual on different hosts     | Make sure your virtual switch supports this scenario.
Virtual     | Physical                       | Requires a dedicated network adapter; otherwise ATA sees all of the traffic coming in and out of the host, even the traffic it sends to the ATA Center.
Physical    | Virtual                        | Make sure your virtual switch supports this scenario, and configure port mirroring on your physical switches based on the scenario: if the virtual host is on the same physical switch, configure a switch-level SPAN; if the virtual host is on a different switch, configure RSPAN or ERSPAN*.
Physical    | Physical on the same switch    | The physical switch must support SPAN/port mirroring.
Physical    | Physical on a different switch | Requires the physical switches to support RSPAN or ERSPAN*.

* ERSPAN is only supported when decapsulation is performed before the traffic is analyzed by ATA.

Server Specification

  • For optimal performance, set the Power Option of the ATA Gateway to High Performance.
  • Virtual machine dynamic memory or any other memory ballooning feature is not supported.

Time Synchronization

  • The ATA Center server, the ATA Gateway servers, and the domain controllers must have time synchronized to within five minutes of each other.

Network Adapters

The ATA Gateway requires at least one Management adapter and at least one Capture adapter:

  • Management adapter: used for communications on your corporate network.
    • Static IP address, including a default gateway
    • Preferred and alternate DNS servers
    • The DNS suffix for this connection should be the DNS name of the domain for each domain being monitored.
  • Capture adapter: used to capture traffic to and from the domain controllers.
    • Configure port mirroring for the capture adapter as the destination of the domain controller network traffic.
    • Configure a static, non-routable IP address for your environment with no default gateway and no DNS server addresses.

Ports


Protocol                    | Transport   | Port | To/From                    | Direction
LDAP                        | TCP and UDP | 389  | Domain controllers         | Outbound
Secure LDAP (LDAPS)         | TCP         | 636  | Domain controllers         | Outbound
LDAP to Global Catalog      | TCP         | 3268 | Domain controllers         | Outbound
LDAPS to Global Catalog     | TCP         | 3269 | Domain controllers         | Outbound
Kerberos                    | TCP and UDP | 88   | Domain controllers         | Outbound
Netlogon (SMB, CIFS, SAM-R) | TCP and UDP | 445  | All devices on the network | Outbound
Windows Time                | UDP         | 123  | Domain controllers         | Outbound
DNS                         | TCP and UDP | 53   | DNS servers                | Outbound
NTLM over RPC               | TCP         | 135  | All devices on the network | Outbound
NetBIOS                     | UDP         | 137  | All devices on the network | Outbound
SSL                         | TCP         | 443  | ATA Center                 | Outbound
Syslog (optional)           | UDP         | 514  | SIEM server                | Inbound


As part of the name resolution process performed by the ATA Gateway, the following ports need to be open inbound on devices on the network from the ATA Gateways:

  • NTLM over RPC (TCP port 135) for resolution purposes
  • NetBIOS (UDP port 137) for resolution purposes

Using the Directory service user account, the ATA Gateway also queries endpoints in your organization for local admins using SAM-R (network logon), which runs over TCP port 445 as listed in the table above, in order to build the lateral movement path graph.
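The checks below, as an added example that is not part of the original page or of Microsoft's ATA tooling, verify several of the prerequisites above on a candidate ATA Gateway host: supported OS, High Performance power plan, management and capture adapter configuration, the five-minute clock tolerance, and the outbound TCP ports to each domain controller. The adapter aliases and domain controller names are assumed placeholders to adjust for your environment.

```powershell
# Assumed placeholders: adapter aliases and domain controller names.
$ManagementAdapter = 'Management'   # alias of the management NIC (assumed)
$CaptureAdapter    = 'Capture'      # alias of the port-mirror capture NIC (assumed)
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')  # placeholders
$OutboundTcpPorts  = 389, 636, 3268, 3269, 88, 445  # LDAP, LDAPS, GC, GC over SSL, Kerberos, SMB/SAM-R

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1} {2}' -f $state, $Name, $Detail)
}

# 1. OS: the gateway is supported on Windows Server 2012 R2 or Windows Server 2016.
$os = (Get-CimInstance Win32_OperatingSystem).Caption
Write-Check 'Supported OS' ($os -match 'Server 2012 R2|Server 2016') $os

# 2. Power plan: match the well-known GUID of the built-in High Performance scheme.
$scheme = (powercfg /getactivescheme) -join ' '
Write-Check 'High Performance power plan' ($scheme -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c')

# 3. Management adapter: static IPv4 address, a default gateway and DNS servers.
$mgmtIp  = Get-NetIPAddress -InterfaceAlias $ManagementAdapter -AddressFamily IPv4
$mgmtGw  = Get-NetRoute -InterfaceAlias $ManagementAdapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
$mgmtDns = (Get-DnsClientServerAddress -InterfaceAlias $ManagementAdapter -AddressFamily IPv4).ServerAddresses
Write-Check 'Management adapter static IP' ($mgmtIp.PrefixOrigin -eq 'Manual') $mgmtIp.IPAddress
Write-Check 'Management adapter default gateway' ([bool]$mgmtGw)
Write-Check 'Management adapter DNS servers' ($mgmtDns.Count -ge 1) ($mgmtDns -join ',')

# 4. Capture adapter: non-routable address only, so no default route and no DNS servers.
$capGw  = Get-NetRoute -InterfaceAlias $CaptureAdapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
$capDns = (Get-DnsClientServerAddress -InterfaceAlias $CaptureAdapter -AddressFamily IPv4).ServerAddresses
Write-Check 'Capture adapter has no default gateway' (-not $capGw)
Write-Check 'Capture adapter has no DNS servers' ($capDns.Count -eq 0)

# 5. Per domain controller: clock offset within 5 minutes (300 s) and outbound TCP ports reachable.
foreach ($dc in $DomainControllers) {
    # w32tm prints the offset as e.g. "+00.0123456s"; parse the signed seconds value.
    $chart  = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1
    $offset = if (($chart -join ' ') -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
    Write-Check "Clock offset to $dc" ($null -ne $offset -and [math]::Abs($offset) -le 300) "$offset s"
    foreach ($port in $OutboundTcpPorts) {
        $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        Write-Check "TCP $port to $dc" $open
    }
}
```

Test-NetConnection only probes TCP, so the UDP ports in the table (88, 389, 53, 123, 137) still need to be confirmed on the firewall rules themselves.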