DeepSurface deploys on cloud platforms from their respective marketplaces in AWS (BYOL or Usage Based), in Azure, or in Google Cloud. DeepSurface can also deploy as an on premise self-hosted virtual appliance using a downloadable OVA (contact DeepSurface to get a download link).
DeepSurface can also host an instance of the RiskAnalyzer for your company. Contact DeepSurface to get a hosted environment set up for your company.
On cloud platforms, system requirements are pre-configured to fit a standard installation for images deployed from their marketplaces. However, those settings should be reviewed and adjusted to fit your requirements based on the information below
Self hosted environments either on premise in your data center or in a self managed virtual machine in the cloud have the below minimum resource requirements. The resources required by the DeepSurface appliance may vary based on a number of factors, but the following table provides a rough guideline on what to expect based on the number of hosts in your environment:
| Number of Hosts | CPU Cores | Memory (RAM) | Free Disk Space (SSD) |
|---|---|---|---|
| Up to 5,000 | 2 | 16 GB | 128 GB |
| 5,000 - 20,000 | 4 | 32 GB | 256 GB |
| 20,000 - 50,000 | 8 | 64 GB | 512 GB |
** For Deployments over 50,000 elements please contact us **
Optional: If encryption of the data stored by DeepSurface is desired, then the underlying VM server software must be configured to encrypt the VM’s disk. The process for doing this differs with each VM platform. Consult your VM platform provider's documentation for this (VMWare (vSphere), VirtualBox, AWS, Azure and Google Cloud).
Optional: For security reasons, it is recommended that the customer provide an HTTPS server certificate to be used on the DeepSurface web management console, with a fully qualified domain name. (A temporary self-signed certificate will be used if a verifiable certificate isn’t available.)
Subordinate Scanner Virtual Hardware Requirements
Subordinate scanners are relatively lightweight, and do not require the same hardware that the DeepSurface appliance needs:
| CPU Cores | Memory (RAM) | Free Disk Space (SSD) |
|---|---|---|
| 2 | 4 GB | 32 GB |
The following are requirements for deployment, regardless of which deployment model is used.
The DeepSurface appliance must be able to connect to and retrieve updated vulnerability information and software updates from https://updates.deepsurface.com/. (NOTE: The IP address of this service may vary over time.)
The DeepSurface appliance must be able to connect to and retrieve updated software from Ubuntu and Debian package servers in order to install timely security updates.
DeepSurface credentialed scans must have network access and the proper credentials to the machines that a customer wants to scan. Windows machines must be scanned using either SMB (port 445/TCP) or WinRM (ports 5985/TCP or 5986/TCP). If domain controllers need to be scanned, LDAPS access is required (port 389/TCP or 636/TCP). Linux machines can be scanned using SSH (port 22/TCP).
DeepSurface performs authenticated scans on systems in scope. Customers must provide credentials to log in to each of these systems. The method of authenticating varies by operating system and version:
For Windows, these are often domain administrator credentials, but could also be local administrator accounts, or domain accounts which are granted administrator access to specific systems.
DeepSurface can obtain scanning credentials from Privileged Access Management (PAM) systems. PAM integrations we support are located here.
For SSH access, username/password pairs or SSH keys may be used.
Supported Windows Versions:
All Windows Server and Desktop versions currently supported by Microsoft
DeepSurface will continue to support older versions for 2 years after Microsoft’s Extended Support expires.
Supported Linux Versions (BETA):
The latest two stable/LTS releases of each of the following distributions: -RedHat Enterprise Linux (RHEL) - Includes Fedora, CentOS and related flavors
Supported MacOS Versions (BETA):
The latest MacOS release plus the two previous major versions
DeepSurface Agents must be able to reach the Main Console or a Subordinate scanner’s port 44305 (TCP) in order to provide data to DeepSurface.
By default, DeepSurface Agents trust a Certificate Authority (CA) maintained by DeepSurface to secure communication and simplify deployment. Optionally, agent registration can be configured to depend upon a manually-configured certificate deployed on the DeepSurface main console and/or subordinate scanners.
In order to set up an agent on a host, the DeepSurface Agent installer script must be distributed to each system and executed. This script will download the agent software package from the DeepSurface main console (or subordinate) and then register the agent system with DeepSurface. This process can be achieved by pushing a single file to all endpoints and subsequently running a single command. You will find platform-specific instructions on how to obtain and run this script in the DeepSurface web console under the Scanning > Agents section.
Agents can be configured to scan and communicate their results to the DeepSurface console on a Daily or Weekly basis. Additionally, you may configure a blackout schedule to prevent agents from running scans during specific time frames.
DeepSurface draws data from customers’ existing vulnerability scanners.
To sync this data automatically, credentials and service information are needed for scanner APIs. Currently supported APIs are found in our Integrations Guide.
Contact DeepSurface Support if other vulnerability scanner output formats or APIs are a requirement.