Agent

The Safetybits agent is delivered preinstalled on a purpose-built network appliance, ready for deployment in your infrastructure. This appliance is a critical component of the system, designed to seamlessly integrate into your network environment while maintaining robust security and performance.

This guide provides step-by-step instructions for setting up and managing the agent, ensuring it functions optimally to protect and monitor your industrial operations.

Requirements

The specifications of the network appliance depend on the size and complexity of the facility where it will be deployed. Safetybits provides appliances with different capacities, ensuring optimal performance regardless of the scale of the operation. During the planning phase, our team will work with you to determine the appropriate appliance model based on your infrastructure and operational needs.

To operate effectively, the agent requires access to three distinct networks:

• Management Network: Used for administrative tasks, configuration, and secure communication with the Safetybits platform.

• OT Network: Enables the discovery and monitoring of operational technology (OT) devices within the infrastructure.

• Port Mirroring/Network Sniffing: Facilitates the collection and analysis of network traffic to identify potential threats and vulnerabilities.

Installation

The Safetybits agent typically comes preinstalled on a dedicated network appliance, simplifying the deployment process. The primary requirement during installation is to properly connect the appliance to the necessary networks in the customer’s infrastructure.

1. Identify the appropriate network ports on the appliance, which are typically designated for Management, OT, and Port Mirroring.
2. Use the table below to match each port with its corresponding network:

3. Connect each port to the respective network using the correct wiring. A set of labels are provided to mark the cables.
4. Confirm that the connections are active by checking the link status on the appliance or through a management interface.

With the appliance properly wired, the system is ready for further configuration and operation. If any additional setup is required, such as specifying IP addresses or VLAN configurations, refer to the Administrator Guide for detailed instructions.

Configuring the Safetybits Agent

Before starting the agent, it is necessary to retrieve the agent ID from the Safetybits backend and configure it. This step ensures the agent is correctly registered and operational within your environment.

Step 1. Retrieve the Agent ID from the Safetybits Console

1. Log in to the Safetybits console using your administrator credentials.
2. Navigate to the Sources section.
3. Select the option to add a new source. The system will generate a unique Agent ID for the new agent.
4. Note down the Agent ID or copy it securely for the next step.

Step 2. Configure the Agent

Once you have the Agent ID, you’ll need to configure the agent on the appliance:

1. Access the appliance through SSH or the local terminal.
2. Open the agent configuration file, located at /etc/safetybits-agent:

sudo vi /etc/safetybits-agent

3. Update the configuration with the retrieved Agent ID:

AGENT_ID="YOUR_AGENT_ID"

4. Configure additional options as required, such backend server URL, logging levels or network preferences:

LOG_JSON = "true"

3. Start the agent

After configuring, start the agent using the following command:

sudo systemctl start safetybits-agent

You can verify the agent’s status with:

sudo systemctl status safetybits-agent

Upgrade

Upgrading the Safetybits agent is efficient and seamless, thanks to its integration with custom repositories and the use of standard Debian package management tools.

To upgrade the agent:

1. Ensure Repository Access: Verify that the Safetybits custom repository is configured on the appliance. This configuration is typically preinstalled, but you can confirm it by checking /etc/apt/sources.list.d/.

2. Update the Package List: Refresh the list of available packages to ensure you get the latest version:

sudo apt update

3. Upgrade the Agent: Install the latest version of the agent package using the apt command:

sudo apt install safetybits-agent

This command automatically resolves dependencies and applies the update.

4. Verify and Restart: Confirm the installation was successful and restart the agent to apply the changes:

sudo systemctl restart safetybits-agent

This process ensures that updates, including feature enhancements, performance improvements, and critical security patches, are applied with minimal effort and maximum reliability.

Cookbook

The Safetybits agent is essential for maintaining security and compliance in OT environments, offering continuous monitoring and resource discovery. This cookbook provides straightforward guidance for everyday operations, including network configuration, system monitoring, and updates.

If you encounter any challenges or require clarification during the process, our Safetybits Support team is ready to assist. Whether it’s setting up the agent, troubleshooting an issue, or optimizing its performance, we’re here to help ensure smooth operation.

Adding a network device to a VLAN to enable discovery

In certain network configurations, the Safetybits appliance may need to join a VLAN and use a static IP address.

Create VLAN Connection: Replace <VLAN_ID> with the VLAN ID you want to join (e.g., 100), and with the physical interface name:

sudo nmcli connection add type vlan con-name OT-<VLAN_ID> ifname enp3s0.<VLAN_ID> dev enp3s0 id <VLAN_ID> ip4 <IPv4/NETMASK>

sudo systemctl restart safetybits-agent

Port mirroring configuration

Port mirroring, also known as SPAN (Switched Port Analyzer), allows the Safetybits appliance to monitor network traffic by duplicating packets from one or more ports or VLANs to the port connected to the appliance. While the exact steps to configure port mirroring depend on the specific network switch in use, the general process is outlined below:

Step 1: Access the Switch Management Interface

Log in to the network switch’s management interface. This could be a web interface, command-line interface (CLI), or a dedicated management tool.

Step 2: Identify Source Ports or VLANs

Determine the ports or VLANs from which traffic needs to be mirrored. These are the “source” interfaces that handle the traffic to be monitored.

Step 3: Configure the Destination Port

Select the port connected to the Safetybits appliance as the “destination” or “monitor” port. Ensure this port is configured to receive mirrored traffic from the source ports or VLANs.

Step 4: Enable Port Mirroring

Using the switch’s configuration tools, create a port mirroring session:

• Specify the source ports or VLANs.
• Define the destination port (connected to the Safetybits appliance).
• Save and apply the configuration.

Example for CLI-based configuration on a Cisco switch:

monitor session 1 source interface GigabitEthernet0/1 - 2
monitor session 1 destination interface GigabitEthernet0/3

Replace GigabitEthernet0/1 - 2 with the source ports and GigabitEthernet0/3 with the destination port.

Step 5: Verify the Configuration

Confirm that port mirroring is correctly configured and active:

• Use the switch’s monitoring tools to check the session status.
• Use the Safetybits appliance to verify it is receiving mirrored traffic.

Step 6: Test the Setup

Ensure that the mirrored traffic includes all necessary packets for analysis. If needed, refine the source or destination configuration.

For detailed instructions specific to your switch model, refer to the manufacturer’s documentation. Safetybits Support can also assist in verifying the configuration to ensure compatibility with the appliance.

Monitoring

To ensure optimal performance and visibility into the agent and server’s operations, Safetybits provides two monitoring tools accessible through services running behind a firewall:

1. Cockpit
2. Grafana

Cockpit for Linux Server Management

Cockpit is a web-based interface for managing the Linux server hosting the agent. It provides an intuitive dashboard to perform administrative tasks, including:

• Viewing system resource utilization (CPU, memory, disk usage).
• Monitoring running processes.
• Managing system logs and journal entries.
• Applying updates and managing installed packages.

Accessing Cockpit

1. Ensure that your firewall permits access to the Cockpit service on port 9090.
2. Access the service using your web browser with the following URL:

https://<SERVER_IP>:9090

3. Log in with the administrator credentials provided during setup.

Grafana for Agent Metrics and Performance Dashboards

Grafana provides detailed insights into the agent’s performance and server health through preconfigured dashboards:

• Node Exporter Dashboard: Displays server-level metrics such as CPU usage, memory utilization, disk I/O, and network activity.
• Go Runtime Metrics Dashboard: Provides visibility into the agent’s Go runtime, including memory allocation, garbage collection, and goroutine behavior.

Accessing Grafana

1. Ensure your firewall allows access to the Grafana service on port 3000.
2. Open Grafana in your web browser using the following URL:

http://<SERVER_IP>:3000

3. Log in with the credentials provided during installation.

Exploring the Dashboards

After logging in, navigate to the preconfigured dashboards:

• Node Exporter Dashboard: Provides a real-time view of server health.
• Go Runtime Metrics Dashboard: Offers detailed insights into the agent’s operational metrics.

Use these dashboards to identify performance bottlenecks, monitor resource usage, and troubleshoot issues.

Security Note

Both Cockpit and Grafana services are protected by the server’s firewall. Ensure that only trusted IPs or subnets have access to these services. Use secure passwords and SSL certificates for all connections.

By leveraging these monitoring tools, administrators can maintain a robust, secure, and high-performing Safetybits environment.