Setting up the Virtual Tunnel

If you have on-premise scanners that are protected by a firewall, you can use the Virtual Tunnel to allow connectivity between Cisco Vulnerability Management and your scanners.

The Virtual Tunnel is distributed as an image on a Rocky Linux-based OVA (VMware hardware level 13), which modern VM hypervisors can use. This VM has been tested with VMware Workstation, Fusion and ESXi, Linux KVM, and VirtualBox.

Installation Steps

  1. Contact Cisco Support or your Customer Success Engineer to register your Virtual Tunnel VM. Cisco Support provisions the Virtual Tunnel.
  2. The Cisco Support team will confirm the Virtual Tunnel Host Server details for you to interact with.
  3. Whitelist the endpoints that Support provided to you in your firewall. See Outbound Traffic Requirements.
  4. Based on the Virtual Tunnel Host Server details, download the appropriate OVA file from Cisco Software Downloads. In the following steps, you'll configure the OVA image using direct console access to the VM in your hypervisor.
  5. Retrieve a Cisco Vulnerability Management Security API Key.
    Hover over the gear icon in the upper right-hand corner and select API Keys. You can create a new user for the tunnel API key; however, any valid API key that is assigned to an administrator will work. If you need help with API keys, see API Key Generation and Permissions.

  6. Using a VM tool, import the OVA file and access the console menu of the VM.
    [Image: VM console menu]
  7. Enter option 1 and change the API endpoint to the value that Cisco Support provides.
    [Image: option 1, API endpoint prompt]
  8. Enter option 2 and change the API Key. You can't copy and paste the key; you must type it in. If the command is successful, a success message is displayed. If you receive an API key change failed message, ensure that you entered the correct API endpoint in the previous step (option 1), then redo option 2.
  9. Enter option 3 and change the network configuration.
  10. Perform option 4 only if it's required for your environment.
  11. Contact Cisco Support to confirm that your Virtual Tunnel is working. This is the only way to verify that it's working.

Important: The Cisco Support team cannot convert the image into the native image format for your hypervisor. Contact Support for your hypervisor for help in converting images for your environment.

Troubleshooting Steps

Perform the following steps if option 2 in the console menu returns the following error message:

[Image: option 2, API key change failed message]

  1. Verify that the correct network requirements are in place: outbound raw TCP connections on port 443 (NOT HTTPS) must be allowed, and Cisco Vulnerability Management's client gateway IP and URL differ depending on the hosting environment where your instance lives. Ask Cisco Support for the gateway information.
  2. If you've completed the previous step and you're still receiving the error message, go to the console menu (as shown in step 6 of the installation steps) and enable the client-user account (option 5). Then let Cisco Support know that you've completed the previous troubleshooting step and still can't access the API.

Outbound Traffic Requirements

Source: Cisco Vulnerability Management
Destination: Confirm via support ticket
Protocol/Port: TCP/443
Description: Web traffic used to verify your API key and pull a VPN configuration from Cisco Vulnerability Management to the VM.
Notes: A firewall rule for this must use a hostname as a destination, as its IP may change. This traffic can be sent through a standard web proxy.

Source: Cisco Vulnerability Management
Destination: Confirm via support ticket
Protocol/Port: TCP/443
Description: OpenVPN traffic used to bring up a VPN tunnel from the VM to Cisco Vulnerability Management's client gateway.
Notes: This traffic is raw TCP which cannot be HTTPS-filtered and requires a direct outbound connection. It cannot be sent through a web proxy.

Source: Rocky Linux Updates Mirror
Destination: mirrors.rockylinux.org
Protocol/Port: (not listed)
Description: The VM attempts to update the base image for patching and security updates using this mirror.
Notes: (none)
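An egress pre-check covering the outbound requirements above and troubleshooting step 1, written for this article as an added example (it is not Cisco's code): it tells apart a plain TCP/443 session, which the OpenVPN leg needs and a web proxy cannot supply, from a completed TLS handshake, which the HTTPS API-key verification needs. The API endpoint and client gateway hostnames are placeholders for the values Support gives you, and the mirror port is an assumption, since the page does not list one.

```python
import socket
import ssl
import threading

# Placeholders (assumed): Support supplies the real API endpoint and client
# gateway; the page lists no port for the mirror, so TCP/443 is assumed.
TARGETS = [
    ("API endpoint (HTTPS, proxy allowed)", "api.example.invalid", 443, True),
    ("client gateway (raw TCP, no proxy)", "gateway.example.invalid", 443, False),
    ("Rocky Linux mirror", "mirrors.rockylinux.org", 443, True),
]


def probe(host, port, want_tls, timeout=5.0):
    """Return 'ok', 'tcp-failed' or 'tls-failed' for one destination."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp-failed"  # blocked, refused, or name did not resolve
    if not want_tls:
        sock.close()
        return "ok"  # a plain TCP session is all OpenVPN-over-TCP needs
    try:  # the HTTPS API-key check additionally needs a TLS handshake
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
            return "ok"
    except (ssl.SSLError, OSError):
        return "tls-failed"  # port open, but no TLS endpoint answered


def check_all(targets=TARGETS, timeout=5.0):
    """Probe every row of the outbound-traffic table; returns {label: status}."""
    return {label: probe(host, port, tls, timeout)
            for label, host, port, tls in targets}


def plain_tcp_listener():
    """Local accept-and-close TCP listener for offline self-tests; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            srv.accept()[0].close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """A local port nothing listens on, for offline self-tests."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]
```

Run `check_all()` from the network segment where the VM will live; a gateway row that reports `tcp-failed` while the API row reports `ok` is the signature of egress that only permits proxied HTTPS.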

Note: When deciding where to deploy the file, remember that the VM must be able both to reach the security appliance or scanner inside your network and to make outbound TCP connections to Cisco Vulnerability Management. This can be on a permanent virtualization server or on your own computer. If you run the virtual machine on your computer, it will only have access to your network when the computer is running and the VM is active.

Virtual Tunnel Frequently Asked Questions

What image is the virtual tunnel based on? Does the virtual tunnel allow access to patch and maintain the image?

The Virtual Tunnel runs Rocky Linux as its operating system. Cisco Vulnerability Management does not provide client access to the virtual tunnel VM and does not require client interaction other than entering the API key and local network configuration settings in the console prompts. Support will patch the VM as needed.

How does Cisco Vulnerability Management secure data in transit between the virtual tunnel and Cisco Vulnerability Management?

All data is transmitted to Cisco Vulnerability Management through an encrypted OpenVPN tunnel.

How are the API credentials used for the scanners secured both in transit between the virtual tunnel and Cisco Vulnerability Management, and while at rest? Where are the credentials stored?

The API credentials for the scanner are entered and stored in the Connectors page of the UI, not in the VM itself; they are encrypted as part of the Cisco Vulnerability Management platform solution. The API key is entered once when establishing the tunnel and transmitted to Cisco Vulnerability Management via HTTPS to complete the initial handshake, after which the tunnel is established and all future communications occur securely over the tunnel. The API key is not saved, and any subsequent reboot of the VM requires that the API key be re-entered.

Since OpenVPN is used, who is responsible for keeping it up-to-date and secure?

Cisco Vulnerability Management is responsible for implementing secure OpenVPN libraries as part of our distributed tunnel solution.

Is the virtual tunnel backed up in the cloud? Can my organization create a backup?

Cisco Vulnerability Management does not back up the virtual tunnel VM because it resides in your organization's own environment. Only one instance of the virtual tunnel is supported, and only one can be running and connected at a given time. The connector settings and authentication information are saved in the Cisco Vulnerability Management UI, not in the virtual tunnel VM, so the VM can easily be replaced with a fresh image by following the console configuration instructions.

What happens when I need to reboot my virtual tunnel?

The setup prompt appears when the VM is rebooted and requires manual configuration. There may be options at the hypervisor level to restrict console access to the VM, but the setup menu must remain accessible, as this is the only way the VM can be configured with the API and local network configuration information.

A reboot also triggers any pending kernel patching.

How do packages get updated on the VM?

Packages are updated automatically every week.

Can I scan the virtual tunnel for vulnerabilities?

You can use a local service account for authenticated security scans. This local service account is included with the image and can be initialized with a password by performing option 5 in the console menu.

What virtual hardware version does the virtual tunnel use?

The virtual tunnel OVA uses virtual hardware version 13 and runs on ESXi version 6.5 and above.

What are the hardware requirements?

The recommended requirements are: 1 core/CPU, 2GB RAM, 10GB HDD.

The base image for the virtual tunnel is RHEL 8. For more information on the requirements for RHEL 8, refer to the information from Red Hat here.
