On-prem Support - Dropzone Connector

On-prem support - Dropzone Private Network Connector

Dropzone AI connects to APIs via its Data Source and Alert integrations. Many of these are reachable across the internet, such as third-party Threat Intelligence sources, corporate SaaS tools, and public cloud APIs. However many corporate systems may be behind firewalls and VPNs for security reasons.

Customers are able to enable Dropzone to reach restricted systems by running a lightweight Dropzone Private Network Connector Client docker container within their secure environment. This process connects out to the Dropzone tenant network and establishes a reverse tunnel.

Private Network Connector Security

The Dropzone Private Network Connector Client establishes an outbound HTTP session, inside which websockets re used to establish a two-way TCP session. On this TCP session a secure SSH session is established. This SSH session is authenticated by both the client and the server, and fully end-to-end encrypted.

The Dropzone integrations that require access to the protected resources tunnel their connections through this Private Network Connector Client container, so their source IP is from within your datacenter.

The Private Network Connector Client can be run on any host capable of running Docker containers, such as a physical server, VM, or inside your public/private cloud environment.

For additional security you may restrict what outbound connections can be made from the connector machine to your internal resources. Examples include

• Putting the connector machine on a firewall DMZ

• Enabling cloud-native restrictions on the connector machine (e.g. AWS Security Groups)

• Running local firewall rules on the connector machine (e.g. iptables, shorewall)

Just make sure that the connector machine can reach the machines you want integrated, on the ports/protocols needed, DNS, and your tenant machine on port 8080.

Enabling the Private Network Connector Client

Running the Private Network Connector Client requires a machine that meets the following requirements:

• System

  • has Docker Engine (Docker CE) installed

  • capable of running x86_64 Linux docker containers

  • has at least 1 GB of available memory

  • has at least 1 GB of available disk space

• Network

  • can reach the resources (e.g. splunk) you want available for Dropzone integrations

  • can connect to your tenant (e.g. https://mycompany.dropzone.ai ) on port 8080 via TCP

  • has access to DNS that can look up your tenant DNS name and internal resources

• Availability

  • is up 24x7

This may be a machine dedicated to this container, or a multi-use resource that meets your security policy.

Henceforth we will call this machine the connector-client-host.

To install the Private Network Connector Client, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

• Click System > Connectors

• On the "Main" connector tile, click "Configure"

• The configuration drawer will slide out from the right hand side

• Download the Private Network Connector Client docker image by clicking on the link

• Upload the Private Network connector Docker image to the connector-client-host, e.g. via scp

• Load the docker image on the connector-client-host

  Copy

  connector-client-host$ sudo docker load -i connector.tar.gz
  
  # Or, if sudo is not needed
  connector-client-host$ docker load -i connector.tar.gz

• Copy the command in the Dropzone UI and run it on the connector-client-host:

  Copy

  connector-client-host$ sudo docker run --detach --name connector --env OPTIONS='--auth ...
  
  # Or if sudo is not needed
  connector-client-host$ docker run --detach --name connector --env OPTIONS='--auth ...

• Verify the connector is running by using docker ps

  Copy

  connector-client-host$ docker ps
  CONTAINER ID IMAGE     COMMAND      CREATED         STATUS       NAMES
  1c92972436d9 connector "/app/init"  3 seconds ago   Up 2 seconds dropzone-connector-client

• Click Close

• Refresh the page and you should see that Main is now in "Connected" state:

When enabling Data and Alert sources that need on-prem access, be sure to specify this Private Network Connector Client.

Troubleshooting

The following troubleshooting steps may be useful in conjunction with your Dropzone support team.

Restarting the Private Network Connector Container

It is always safe to delete and relaunch the connector, for example if it does not come back properly after a reboot or system failure

$ docker stop connector
$ docker rm connector
$ docker run ....    <-- command you got from the Dropzone interface

Testing Network Path

If the connector fails to connect there could be a network issue or an IPS device that is preventing it from establishing the websocket connection. Running the following from the host where the connector runs can help identify this situation:

$ tenant=my-tenant.dropzone.ai

$ curl -i -N \
    -H "Connection: Upgrade" \
    -H "Upgrade: websocket" \
    -H "Host: $tenant:8080" \
    -H "Sec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAA==" \
    -H "Sec-WebSocket-Protocol: chisel-v3" \
    -H "Sec-WebSocket-Version: 13" \
    http://$tenant:8080

When successful, you should see an HTTP handshake and websocket upgrade like this:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: ICX+Yqv66kxgM0FcWaLWlFLwTAI=

SSH-chisel-v3-server

Any device along the path that is interfering will likely provide feedback when this command is run.

If you have any errors engage your Dropzone AI support representative.