DeepSurface: System Requirements

Documentation
Installation Guide
Overview
Let DeepSurface Host For You
Getting Started
System Requirements
Self Hosted Quick Start - Installing to Cloud Platforms
Self Hosted - Installation Using an OVA
Registration, Package Installation, and Initialization
First Steps After Initialization of the Console
Deployment Options
Main and Subordinate Consoles
Agent-Based Deployment
User Managed Scan Deployment
Credentialed Scanning Deployment
Mixed Environment
Deployment Tools
Active Directory Group Policy
Microsoft Endpoint Configuration Manager (part of InTune)
Tanium Deploy
HCL BigFix
Ivanti
Virtual Machines
VMWare
Virtual Box
VirtualBox Guest Additions
AWS EC2 (BYOL)
AWS EC2 (Usage Based)
Azure Cloud
Google Cloud
Additional Items to Consider
Main Console Server Certificates
LDAP
TOFU
Clock Sync
DeepSurface Commands
Multiple Vulnerability Sources
API Documentation
User Guide
Reporting
Dashboards
Exports
Risk Insight
Hosts
Patches
Vulnerabilities
Vulnerability Instances
Users
Remediation Workflow Manager
Plans
Settings
Integrations
Workflow
Exporting
Accepted Risk Plans
Accepted Risk Workflow
Explore
Model
Paths
Activity
Tasks
Configuration Alerts
Scan Logs
Notification Settings
Scanning
Status
Agents
User Managed
Credentialed Scanning Settings
Credentials
Scan Groups
General Settings
Cloud Scanning
Network Connectivity
Subordinates
Vulnerability Sources
Setup
Sensitive Assets: Polices
Sensitive Assets: Manual
Admin Settings
SMTP Settings
Certificates
Outbound Proxy
Authentication Providers
Users
Tags
Integrations Guide
Vulnerability Sources
CrowdStrike Spotlight
SentinelOne
Carbon Black Cloud
Microsoft Defender for Endpoint
Wazuh
Lansweeper Cloud
Nessus API
Tenable.io API
Security Center/Tenable.sc API
Rapid7 InsightVM API
Qualys API
Nozomi Guardian
Eclypsium
AWS Inspector
Remediation
Jira Software
Tanium (BETA)
Authentication Providers
LDAP (Active Directory)
SAML (Azure Active Directory)
SAML (Google)
SAML (Okta)
PAM
CyberArk
Delinea (Thycotic)
Microsoft LAPS
Security Guide
Firewall Configuration
Base Network Requirements
Agent Network Requirements
Credentialed Scanning Network Requirements
API Network Requirements
How DeepSurface Scans Work
Domain (LDAP) Scanning
Host Scanning Routine
Reasons for the Administrative Access Requirement
Endpoint Protection Considerations
Other Items
Scope of Data Storage and Retention
IPS/IDS Considerations
Logging
Resetting the DSADMIN password
Product Information
Changelogs
Open source Licenses
End User License Agreement (EULA)

Virtual Appliance System Requirements

DeepSurface deploys on cloud platforms from their respective marketplaces in AWS (BYOL or Usage Based), in Azure, or in Google Cloud. DeepSurface can also deploy as an on premise self-hosted virtual appliance using a downloadable OVA (contact DeepSurface to get a download link).

DeepSurface can also host an instance of the RiskAnalyzer for your company. Contact DeepSurface to get a hosted environment set up for your company.

On cloud platforms, system requirements are pre-configured to fit a standard installation for images deployed from their marketplaces. However, those settings should be reviewed and adjusted to fit your requirements based on the information below

Hardware Requirements (Main Console)

Self hosted environments either on premise in your data center or in a self managed virtual machine in the cloud have the below minimum resource requirements. The resources required by the DeepSurface appliance may vary based on a number of factors, but the following table provides a rough guideline on what to expect based on the number of hosts in your environment:

Number of Hosts CPU Cores Memory (RAM) Free Disk Space (SSD)
Up to 5,000 2 16 GB 128 GB
5,000 - 20,000 4 32 GB 256 GB
20,000 - 50,000 8 64 GB 512 GB

** For Deployments over 50,000 elements please contact us **

Subordinate scanners are relatively lightweight, and do not require the same hardware that the DeepSurface appliance needs:

CPU Cores Memory (RAM) Free Disk Space (SSD)
2 4 GB 32 GB

Virtual Appliance Network Access

The following are requirements for deployment, regardless of which deployment model is used.

Credentialed Deployment Technical Requirements

DeepSurface credentialed scans must have network access and the proper credentials to the machines that a customer wants to scan. Windows machines must be scanned using either SMB (port 445/TCP) or WinRM (ports 5985/TCP or 5986/TCP). If domain controllers need to be scanned, LDAPS access is required (port 389/TCP or 636/TCP). Linux machines can be scanned using SSH (port 22/TCP).

Credentials

DeepSurface performs authenticated scans on systems in scope. Customers must provide credentials to log in to each of these systems. The method of authenticating varies by operating system and version:

For Windows, these are often domain administrator credentials, but could also be local administrator accounts, or domain accounts which are granted administrator access to specific systems.

DeepSurface can obtain scanning credentials from Privileged Access Management (PAM) systems. PAM integrations we support are located here.

For SSH access, username/password pairs or SSH keys may be used.

Agent Deployment Technical Requirements

Supported Windows Versions:

All Windows Server and Desktop versions currently supported by Microsoft

DeepSurface will continue to support older versions for 2 years after Microsoft’s Extended Support expires.

Supported Linux Versions (BETA):

The latest two stable/LTS releases of each of the following distributions: -RedHat Enterprise Linux (RHEL) - Includes Fedora, CentOS and related flavors

Supported MacOS Versions (BETA):

The latest MacOS release plus the two previous major versions

Agent Port Requirements:

DeepSurface Agents must be able to reach the Main Console or a Subordinate scanner’s port 44305 (TCP) in order to provide data to DeepSurface.

Agent Configuration:

By default, DeepSurface Agents trust a Certificate Authority (CA) maintained by DeepSurface to secure communication and simplify deployment. Optionally, agent registration can be configured to depend upon a manually-configured certificate deployed on the DeepSurface main console and/or subordinate scanners.

In order to set up an agent on a host, the DeepSurface Agent installer script must be distributed to each system and executed. This script will download the agent software package from the DeepSurface main console (or subordinate) and then register the agent system with DeepSurface. This process can be achieved by pushing a single file to all endpoints and subsequently running a single command. You will find platform-specific instructions on how to obtain and run this script in the DeepSurface web console under the Scanning > Agents section.

Agents can be configured to scan and communicate their results to the DeepSurface console on a Daily or Weekly basis. Additionally, you may configure a blackout schedule to prevent agents from running scans during specific time frames.

Vulnerability Data Source

DeepSurface draws data from customers’ existing vulnerability scanners.

To sync this data automatically, credentials and service information are needed for scanner APIs. Currently supported APIs are found in our Integrations Guide.

Contact DeepSurface Support if other vulnerability scanner output formats or APIs are a requirement.