WitFoo Precinct can be deployed as an All-in-One Appliance for organizations with less than 10,000 events per second or can be deployed in a horizontally & vertically scaling architecture to allow for millions of events per second and long term retention and processing.
Deployment Video Guide
Deployment Options
WitFoo Precinct can be deployed in several methods.
- Hypervisors: Use the OVA/VHD downloads under Downloads on this page.
- Cloud Hosted: Launch from the AWS Marketplace or Azure Marketplace. Pricing can be hourly (pay-as-you-go) or BYOL.
- Custom Build: Custom builds on physical or virtual appliances can be achieved via Ubuntu debian installer.
- Managed Service: WitFoo Partners provide managed services for WitFoo Precinct.
Licenses
A 30 day trial license is automatically issued on all new appliance deployments when they launch. To obtain a trial license manually, please fill out this form. To obtain a production license, please request a quote and a WitFoo Partner will deliver the quote. Cloud hosted licensing on pay-as-you-go appliances are automatically billed to the cloud account. Pricing details are available on the pricing page.
Appliance Nodes
WitFoo Precinct is deployed via appliance nodes. There is an All-in-One appliance that contains all three WitFoo Precinct components. Each node can handle up to 50,000 events per second when clustered (at optimal resource allocation and Core processing level.) Appliance CPU and RAM must comply with the chart below and must be adjusted on OVA import.
- All-in-One – Contains Investigative Engine (IE), Streamer and Data nodes. Rated up to 10k eps.
- Investigative Engine (IE) Node – Provides the user interface and centralized configuration as well as distributed processing and analysis.
- Streamer Node – Receives, parses and stores Syslog and NetFlow in a WitFoo Artifact in Data Nodes. Also includes the Investigative Engine.
- Data Node – Cassandra data cluster node to receive, store and process WitFoo Artifacts and Relational (SQL) data cluster.
Downloads
| Node | CPU | RAM | Disk | OVA Download | VHD Download |
|---|---|---|---|---|---|
| All-in-One (200GB Data) | 8 | 24GB | 300GB | OVAarrow_downward | VHDarrow_downward |
| All-in-One (1TB Data) | 8 | 24GB | 1.3TB | OVAarrow_downward | VHDarrow_downward |
| Data (200GB Data) | 4 | 12GB | 275GB | OVAarrow_downward | VHDarrow_downward |
| Data (1TB Data) | 4 | 12GB | 1.1TB | OVAarrow_downward | VHDarrow_downward |
| Streamer | 4 | 8GB | 100GB | OVAarrow_downward | VHDarrow_downward |
| IE/Management | 4 | 8GB | 60GB | OVAarrow_downward | VHDarrow_downward |
Best Practice Note: Initial deployments that are created in a minimum horizontal cluster allow for simple expansion without the need to migrate data. For most enterprises, the configuration below allows for horizontal scale flexibility:
- One (1) IE Node
- One (1) Streamer Nodes for each transport type (syslog, NetFlow, Beats, Cloudwatch, Splunk)
- Three (3) Data Nodes
For additional performance and scale guidance please refer to this training module: https://vimeo.com/277872139.
Appliance Deployment Instructions
- VMWare ESX (use OVA)
- Virtualbox (use OVA)
- Hyper-V (use VHD)
- Openstack (use VHD)
- Amazon Web Services Marketplace
- Microsoft Azure Marketplace
- Custom build on Ubuntu 18.04 LTS (Virtual or Physical) (using Debian installer)
It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.
For more appliance installation and configuration guidance see: https://community.witfoo.com/forums/forum/virtual-appliance-and-os/
Network Configuration
The operating system of WitFoo Precinct is Ubuntu 18.04 LTS. Before running ./register ensure networking is configured correctly. For reference see: https://ubuntu.com/server/docs/network-configuration
It is highly recommended that network configuration be handled through DHCP scope reservations.
Installation Walk-through
The Deployment Checklist can be accessed at: https://community.witfoo.com/forums/topic/witfoo-precinct-deployment-checklist/
Firewall Ports
All appliances must be able to reach the following external hosts on HTTPS (443/tcp):
Additionally, the cluster communicates internally over the following ports.
| Image | Open Ports |
|---|---|
| All-in-One | SSH (22/tcp), HTTPS (443/tcp), Syslog (514/udp/tcp, 6055/tcp, 6555/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| IE Node | SSH (22/tcp), HTTPS (443/tcp), API (8080/tcp) |
| Streamer Node | SSH (22/tcp), Syslog (514/udp/tcp) Syslog SSL (6514/tcp), NetFlow (2055/udp), Beats (5044/tcp) |
| Data Node | SSH (22/tcp), Cassandra (9042/tcp) Replication (7001/tcp) |
Precinct Architecture
Training
Detailed training on deployment, configuration and scale can be found at: https://community.witfoo.com/courses/ (free registration required.)
Security Products Currently Supported
| Vendor | Product | Critical Security Controls |
|---|---|---|
 | Cloudwatch | |
| Cloudtrail | |
| Guard Duty | 1, 2, 4, 8, 12, 14 |
| AWS VPC Security | 9, 11, 12, 15 |
| AWS Instance Backup | 10 |
 | Apache Web Server | |
 | BRO IDS | |
 | Barracuda WAF | |
 | Carbon Black Protect/Defend | 1, 2, 5, 8 |
 | Centrify | 4 |
 | Checkpoint FW | 9, 12 |
 | Stealthwatch | 12, 13 |
| Advanced Malware Protection (AMP) | 1, 8 |
| Firepower | 7, 12 |
| ASA Firewall | 9, 12 |
| Meraki | 15 |
| Cisco Ironport | 7 |
| Umbrella | 7 |
| Cisco Threat Response | 8 |
| Cisco Wireless | 15 |
 | Netscaler | 2 |
 | Falcon | 1, 2, 5, 8 |
 | Cybereason | 1, 8 |
 | Cylance Protect | 1, 5, 8 |
| Security Manager | 1, 2, 8 |
 | ASM | 12 |
 | FireEye Email Security (EX Series) | 7 |
| FireEye Network Security (NX Series) | 12, 13 |
| FireEye Endpoint Security (HX Series) | 1, 5, 8 |
| FireEye Malware Analysis (AX Series) | 8 |
| FireEye File Protect (FX Series) | 8 |
| FireEye Central Management (CM Series) | |
 | Fortigate | 7, 9, 12 |
 | Application Metadata | |
 | Gin Access Log | |
 | QRadar | 1, 6, 16 |
 | SecureSphere | 13 |
 | InfoBlox | 1, 7 |
 | Juniper FW | 7, 9, 12 |
 | NameD | |
| SSHD | |
| fail2ban | 4 |
 | Malwarebytes Anti-Malware | 1, 8 |
 | McAfee Web Gateway | 7 |
| McAfee ePolicy Orchestrator | 1, 8 |
 | Windows Logs | 4, 14 |
| Windows Active Directory | 4, 5, 14 |
| Advanced Threat Analytics | 13, 16 |
| DHCP | |
| Azure Security | 2, 4, 5, 9, 13, 14, 16 |
 | Mist Wireless | 15 |
 | Mojo Wireless | 15 |
 | NetFlow v5, v7, v9 | |
 | IPFIX | |
 | Common Event Format (CEF) | |
 | Log Event Extended Format (LEEF) | |
 | Netscout | |
 | NetGuard | 12 |
 | OSSEC | 1, 8 |
 | POSTFIX | |
 | PAN NGFW | 7, 9, 12 |
 | ProofPoint Protect | 7 |
 | Qualys VA | 1, 2, 3, 5, 11 |
 | Radware Appwall | 12 |
 | Senhasegura PAM | 4 |
 | N-Central | 8 |
 | SonicWall Firewall | 9, 12 |
 | Sophos Central | 1, 5, 8 |
 | Suricata IDS | 12 |
 | Symantec Endpoint Protection | 1, 8 |
| Symantec Data Loss Prevention | 13 |
 | STIX/Taxii | |
 | Threatmetrix | |
 | Secret Server | 4 |
 | Tippingpoint IPS | 9, 12 |
 | SpamTitan | 7 |
 | TrapX | |
 | Trend Deep Security | 1, 8 |
 | DatAdvantage | 12 |
| Cognito | 8 |
 | Wazuh | 1, 8 |
 | Websense | 7 |
 | Precinct | 6, 16 |
| WitFoo IOC Feed | |
 | Zix Email | 7 |
 | pfSense Firewall | 9, 12 |
 | zScaler NSS | 7 |
