1.4. Presentation of the GCenter

The GCenter is the second component of the system, working in conjunction with the GCap detection probe.
Its main functions include:
  • Management of the GCap probe: analysis rules, signatures, health status supervision, and so on

  • In-depth analysis of the files retrieved by the probe

  • Administration of the system

  • Display of the results of the various analyses in dashboards

  • Long-term data storage

  • Export of data to third-party solutions such as a Security Information and Event Management (SIEM) system

  • Sending files to the GBox for analysis and retrieving the resulting reports


1.4.1. Different server models

For more information, please refer to Mechanical characteristics of GCenter.


1.4.2. List of the GCenter inputs / outputs

Example of a GCenter server 7100/8100/9100 (rear view):

[Image: ../_images/gcenter-backv2.drawio-fr.png]

The GCenter comprises:

  Inputs/outputs                Usage
  ----------------------------  --------------------------------------------------------------------
  USB and VGA connectors        Direct access with a keyboard and a monitor. This connection mode
                                is deprecated in favour of KVM/IDRAC/XCC and should only be used
                                as a last resort.
  USB connector                 Holds the USB key used to decrypt the disks (Linux Unified Key
                                Setup, LUKS).
  RJ-45 connector `KVM/IDRAC`   Remote access to the server's management and configuration
                                interface.
  RJ-45 connector `MGMT0`       Management interface; also carries the VPN with the GCap in the
                                single-interface configuration.
  RJ-45 connector `VPN0`        Dedicated VPN interface with the GCap (optional, dual-interface
                                configuration).
  RJ-45 connector `ICAP0`       Interaction with external services.
  RJ-45 connector `SUP0`        Interaction with external services.
  Two power supplies            Redundant server power supplies.

Example of a GCenter server 9900/10500 (rear view):

[Image: ../_images/vue_arriere_dell840.png]

Note

Although the interface names suggest dedicated roles, these interfaces can be used for other purposes via the "output interfaces" options.

These communication links are shown in the section Interconnection between devices.


1.4.2.1. Use of USB and VGA connectors

Connecting a keyboard and monitor enables direct access to the GCenter console interface.

Important

This mode is deprecated. It should only be used during initial installation and for advanced diagnosis.


1.4.2.2. Access to the server's management and configuration interface

This management interface is accessed over HTTPS:

  • on a Dell server, the connector is called iDRAC; it is labelled KVM/IDRAC on the diagram

  • on a Lenovo server, the connector is called TSM; it can be identified by the wrench symbol printed below it


1.4.2.3. `MGMT0` and `VPN0` network interfaces

The network interfaces `MGMT0` and `VPN0` are connected to the `gcp0` and `gcp1` network interfaces of the GCap.
These interfaces provide the following two functions:
  • Function 1: remote administration through the SSH protocol, giving access:

    • To the graphical setup/configuration menu

  • Function 2: secure communication between the GCenter and the probe through an IPsec tunnel, in order to:

    • Send up the information produced by analysing the monitored flows, such as files, alerts and metadata

    • Report the health status of the probe to the GCenter

    • Control the probe: analysis rules, signatures, etc.

There are 2 configuration possibilities:

  • The single interface configuration

  • The dual-interface configuration

In the single-interface configuration:

  • The `MGMT0` interface is used and connected to the `gcp0` network interface of the GCap.
    This interface provides functions 1 and 2.
  • The `VPN0` interface is not used.

In the dual-interface configuration:

  • The `MGMT0` interface is used and connected to the `gcp0` network interface of the GCap.
    This interface provides function 1.
  • The `VPN0` interface is used and connected to the `gcp1` network interface of the GCap.
    This interface provides function 2.

The purpose of the dual-interface configuration is to keep the management flow and the GCap/GCenter interconnection flow separated from each other, each on its own physical interface.

Important

This configuration of flow separation by interface is mandatory when using the MPL mode on the GCenter.
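The separation above is only worth anything if it is actually enforced, so a practitioner will want to audit it. The following script is an added example, not code from the GCenter product or its documentation. It classifies flow records by the two functions described above and reports every flow seen on the wrong interface for the chosen configuration. It assumes the management flow is SSH (TCP/22) and the tunnel is standard IPsec (IKE on UDP/500, IKE NAT-T on UDP/4500, ESP); the OS-level interface names `mgmt0`/`vpn0`, the record format and the sample flows are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical OS-level names of the MGMT0 and VPN0 connectors.
MGMT_IFACE = "mgmt0"
VPN_IFACE = "vpn0"

# Function 1 (remote administration): SSH.
MANAGEMENT = {("tcp", 22)}
# Function 2 (IPsec tunnel with the GCap): IKE, IKE over NAT-T, and ESP.
IPSEC = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Flow:
    iface: str            # interface the flow was seen on
    proto: str            # "tcp", "udp" or "esp"
    dport: Optional[int]  # destination port; None for ESP (no ports)
    src: str
    dst: str


# One flow per line: "<iface> <proto> <src>[:port] -> <dst>[:port]"  (constructed format)
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp|esp)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_flow(line: str) -> Flow:
    """Parse one flow record; raise ValueError on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    proto, dst = m["proto"], m["dst"]
    dport = None
    if proto != "esp":
        host, _, port = dst.rpartition(":")
        if not port.isdigit():
            raise ValueError(f"missing destination port in {line!r}")
        dst, dport = host, int(port)
    return Flow(m["iface"], proto, dport, m["src"], dst)


def classify(flow: Flow) -> str:
    """Map a flow to the GCenter function it belongs to ("other" = out of scope)."""
    key = (flow.proto, flow.dport)
    if key in MANAGEMENT:
        return "management"
    if key in IPSEC:
        return "ipsec"
    return "other"


def expected_iface(kind: str, dual: bool) -> str:
    """Single-interface: everything on MGMT0. Dual-interface: IPsec moves to VPN0."""
    if dual and kind == "ipsec":
        return VPN_IFACE
    return MGMT_IFACE


def audit(lines: List[str], dual: bool) -> List[str]:
    """Return one message per management/IPsec flow seen on the wrong interface."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        kind = classify(flow)
        if kind == "other":
            continue  # ICAP0/SUP0 traffic and the like are not covered by this rule
        want = expected_iface(kind, dual)
        if flow.iface != want:
            violations.append(
                f"{kind} flow {flow.src} -> {flow.dst} seen on {flow.iface}, "
                f"expected {want}"
            )
    return violations


# Constructed sample records (documentation address ranges, not real captures).
SAMPLE_FLOWS = [
    "mgmt0 tcp 192.0.2.10:51522 -> 192.0.2.1:22",       # admin SSH on MGMT0
    "vpn0 udp 198.51.100.2:500 -> 198.51.100.1:500",    # IKE from the GCap on VPN0
    "vpn0 esp 198.51.100.2 -> 198.51.100.1",            # ESP from the GCap on VPN0
    "mgmt0 udp 198.51.100.2:4500 -> 192.0.2.1:4500",    # NAT-T on MGMT0: wrong in dual mode
    "vpn0 tcp 192.0.2.10:51600 -> 198.51.100.1:22",     # SSH on VPN0: wrong in dual mode
]

if __name__ == "__main__":
    for dual in (False, True):
        mode = "dual-interface" if dual else "single-interface"
        found = audit(SAMPLE_FLOWS, dual)
        print(f"{mode}: {len(found)} violation(s)")
        for v in found:
            print("  " + v)
```

Run against the sample, the single-interface policy flags the three flows on `vpn0` (that interface is unused in that mode), while the dual-interface policy flags the NAT-T flow on `mgmt0` and the SSH session on `vpn0`. Feeding it real records means writing a small adapter from whatever `ss`, `conntrack` or flow export you have to the one-line format above.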


1.4.2.4. Network interfaces `ICAP0` and `SUP0`

These two interfaces enable, if needed, communicating with services external to the solution such as:

  • An update server

  • A supervision server

  • An LDAP server

  • A log server or an SIEM

  • A storage server for backing up the solution

  • etc.


1.4.2.5. Electrical connection

The server has two electrical power supplies, each of which alone provides the power needed to operate the equipment.
It is strongly recommended to connect each power supply to a separate power source (separate circuit or PDU).

1.4.2.6. USB connector and LUKS key

During installation, the contents of the disks (excluding /boot) are encrypted using the LUKS standard.
During this process, a unique encryption key is created and placed on the USB stick connected to the equipment.
At start-up, this USB key must be plugged into the equipment so that the disks can be decrypted.
It is strongly recommended to make a copy of this key: if the key is lost or the USB stick fails, the data on the disks will no longer be accessible.
Once the system is up and running, the USB stick should be removed and kept in a secure place (e.g. in a safe).
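A copy of the key is only a backup if it is verified. The POSIX shell script below is an added example, not part of the GCenter documentation or product: it copies the keyfile to a second medium, checks the copy byte for byte, and, where `cryptsetup` and the encrypted device are reachable, checks that the copy really unlocks the volume without mapping it. It also backs up the LUKS header, since a valid keyfile is useless if the on-disk header is damaged. It assumes the key on the USB stick is stored as a LUKS keyfile; the paths `/media/usb/luks.key`, `/media/backup` and the device `/dev/sda2` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the GCenter documentation. Copies the LUKS keyfile
# from the USB stick to a second medium, checks the copy is byte-identical and,
# where cryptsetup and the encrypted device are reachable, checks that the copy
# actually unlocks the volume. Paths and device names are hypothetical.
set -u

# copy_key SRC DST: copy with owner-only permissions, then compare the two
# files byte for byte. Returns non-zero if the source is unreadable, the copy
# fails, or the copy differs from the original.
copy_key() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "copy_key: cannot read $src" >&2; return 1; }
    ( umask 077 && cp "$src" "$dst" ) || return 1
    chmod 0400 "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "copy_key: $dst differs from $src" >&2; return 1; }
}

# verify_key_opens DEVICE KEYFILE: ask cryptsetup to test the keyfile against
# the LUKS header without mapping the volume (needs root). Returns 2 when
# cryptsetup is not installed, so callers can tell "untested" from "wrong key".
verify_key_opens() {
    dev=$1
    key=$2
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup not found" >&2; return 2; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    cryptsetup open --test-passphrase --key-file "$key" "$dev"
}

# backup_header DEVICE OUT: a valid keyfile is useless if the LUKS header on
# the disk is damaged, so keep an offline header backup beside the key copy.
backup_header() {
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# Stand-alone use (hypothetical paths):  sh luks-key-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    copy_key /media/usb/luks.key /media/backup/luks.key.bak || exit 1
    verify_key_opens /dev/sda2 /media/backup/luks.key.bak || exit 1
    backup_header /dev/sda2 /media/backup/luks-header.img || exit 1
    echo "backup key verified; store /media/backup offline"
fi
```

Run it once after installation with the backup medium mounted, then store the backup medium and the original stick in separate secure locations; repeat the `verify_key_opens` step whenever the key slots are changed, because a stale copy passes the byte comparison but no longer opens the disks.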

1.4.3. Failure of GCenter

If the GCenter fails, the GCap probes buffer the metadata and events generated from the analysed network traffic and send them once the GCenter is available again:

  • A GCap can typically buffer 30 to 60 minutes or more of traffic, depending on network usage and the number of events generated

  • The different GCap models have different storage capacities

  • The more heavily loaded the network, the less a GCap can buffer