1.4. Presentation of the GCenter

The GCenter is the second component of the system and works in conjunction with the GCap detection probe.
Its main functions include:
  • Management of the GCap probe including managing the analysis rules, signatures, health status supervision, and so on.

  • In-depth analysis of the files retrieved by the probe

  • Administering the system

  • Displaying the results of the various analyses in different dashboards

  • Long-term data storage

  • Exporting data to third-party solutions such as a Security Information and Event Management (SIEM) system


1.4.1. Different server models

For more information, please refer to Mechanical characteristics of the Center.


1.4.2. List of the GCenter inputs / outputs

Example of a GCenter server 7100/8100/9100:

[Figure: rear view of the GCenter server (gcenter-back.drawio_en.png)]

The GCenter comprises:

| Inputs/outputs | Usage |
|---|---|
| USB and VGA connector | Directly access a keyboard and a monitor. This connection mode is deprecated in favor of KVM/IDRAC/XCC and should only be used as a last resort. |
| USB connector | Accommodates the USB key enabling disk decryption (standard Linux Unified Key Setup) |
| RJ-45 connector `KVM/IDRAC` | Remote access to the server's management and configuration interface |
| RJ-45 connector `MGMT0` | In the double interface configuration: used for the Management and tunnel roles. In the single interface configuration: used for the Management role only. |
| RJ-45 connector `VPN0` | In the double interface configuration: used for the Dedicated VPN interface for the tunnel role. In the single interface configuration: not used. |
| RJ-45 connector `ICAP0` | Interaction with external services |
| RJ-45 connector `SUP0` | Interaction with external services |
| Two power supplies | Redundant server power supplies |

Example of a GCenter server 9900/10500:

[Figure: rear view of the GCenter server (vue_arriere_dell840.png)]

Note

Although the names of the interfaces may suggest that they are specifically dedicated, it is possible to use these interfaces for other purposes via the "output interfaces" options.

These communication links are shown in the section Interconnection between devices.


1.4.2.1. Use of USB and VGA connectors

Connecting a keyboard and monitor enables direct access to the GCenter console interface.

Important

This mode is deprecated. It should only be used during initial installation and for advanced diagnosis.


1.4.2.2. Access to the server's management and configuration interface

Access to this management interface is via HTTPS:

  • On a Dell server, this connector is called iDRAC. It is labeled KVM/IDRAC on the diagram.

  • On a Lenovo server, this connector is called TSM. It can be identified by a wrench symbol at the bottom of the connector.


1.4.2.3. `MGMT0` and `VPN0` network interfaces

The network interfaces `MGMT0` and `VPN0` are connected to:
  • The `gcp0` tunnel network interface

  • The `gcp1` management network interface

These interfaces enable the following 2 functions:
  • Function 1: remote administration through the SSH protocol with access:

    • To the graphical setup/configuration menu

  • Function 2: secure communication between the GCenter and the probe through an IPsec tunnel in order to:

    • Escalate information such as files, alerts, metadata, and so on, derived from analyzing the monitored flows

    • Report information on the health of the probe to the GCenter

    • Control the probe: analysis rules, signatures, etc.

There are 2 configuration possibilities:

  • The single interface configuration

  • The double interface configuration

In single interface configuration:

  • The `MGMT0` interface is used and connected to the `gcp0` tunnel network interface of the GCap.
    This interface provides functions 1 and 2.
  • The `VPN0` interface is not used.

In double interface configuration:

  • The `MGMT0` interface is used and connected to the `gcp0` tunnel network interface of the GCap.
    This interface provides function 1.
  • The `VPN0` interface is used and connected to the `gcp1` management network interface of the GCap.
    This interface provides function 2.

The purpose of the double interface configuration is to ensure that the management flow and the interconnection flow between the GCap and the GCenter are separated from each other.

Important

This configuration of flow separation by interface is mandatory when using the LPM mode on the GCenter.


1.4.2.4. Network interfaces `ICAP0` and `SUP0`

These two interfaces enable, if needed, communicating with services external to the solution such as:

  • An update server

  • A supervision server

  • An LDAP server

  • A log server or an SIEM

  • A storage server for backing up the solution

  • etc.


1.4.2.5. Electrical connection

The server has two electrical power supplies, each of which has the necessary power to operate the equipment.
It is strongly recommended that each power supply be connected to a separate power source.

1.4.2.6. USB connector and LUKS key

During installation, the contents of the disks (excluding /boot) are encrypted using the LUKS standard.
During this process, a unique encryption key is created and placed on the USB stick connected to the equipment.
Upon start-up, the USB key must be plugged into the equipment to allow the disks to be decrypted.
It is strongly recommended to make a copy of this key because, in the event of failure, the data on the disks will no longer be accessible.
Once the system is up and running, the USB stick should be removed and placed in a secure place (e.g. in a safe).
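
One way to check a backup copy of the key before the original stick goes into the safe, as an added example that is not part of the GCenter documentation. It assumes the key is stored as a regular file on the stick's filesystem and that both sticks are mounted on an administrator workstation; the paths and the `REQUIRE_SEPARATE_MEDIA` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the GCenter documentation): check a backup copy of the
# LUKS key file before the original USB stick is locked away.
# Assumptions: the key is a regular file on the stick's filesystem; the paths
# passed in are hypothetical mount points on an administrator workstation.

# Print the SHA-256 hex digest of a file (for the written record kept with the key).
key_digest() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_key_copy ORIGINAL COPY
# Return codes: 0 ok, 2 not a regular file, 3 empty, 4 content differs,
#               5 copy sits on the same device as the original.
# Set REQUIRE_SEPARATE_MEDIA=0 to skip the device check (e.g. a staging copy).
verify_key_copy() {
    vkc_orig=$1
    vkc_copy=$2
    for vkc_f in "$vkc_orig" "$vkc_copy"; do
        if [ -L "$vkc_f" ] || [ ! -f "$vkc_f" ]; then
            echo "not a regular file: $vkc_f" >&2
            return 2
        fi
        if [ ! -s "$vkc_f" ]; then
            echo "empty key file: $vkc_f" >&2
            return 3
        fi
    done
    # Byte-for-byte comparison: a truncated or re-encoded copy will not unlock the disks.
    if ! cmp -s -- "$vkc_orig" "$vkc_copy"; then
        echo "copy differs from original" >&2
        return 4
    fi
    # A second copy on the same stick does not survive a failure of that stick.
    if [ "${REQUIRE_SEPARATE_MEDIA:-1}" = 1 ] &&
       [ "$(stat -c %d -- "$vkc_orig")" = "$(stat -c %d -- "$vkc_copy")" ]; then
        echo "copy is on the same device as the original" >&2
        return 5
    fi
    echo "OK sha256=$(key_digest "$vkc_copy")"
}

# Stand-alone use: ./verify_key_copy.sh /mnt/usb_original/KEYFILE /mnt/usb_backup/KEYFILE
if [ "$#" -eq 2 ]; then
    verify_key_copy "$1" "$2"
fi
```
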