Air gapped installations

Introduction

Air gapped installations are installations that are not connected to the internet. This means that the Clear NDR^® Central Server and the sensors cannot automatically download updates or communicate with external services.

Deploying Clear NDR^® Probes in an air gapped environment is straight forward as the probes are designed to work offline and do not require any internet connection to function.

To limit internal communication to their minimum, please see Firewall rules for the exhaustive list of network communication needed for Clear NDR^® Central Server and Probes.

Clear NDR^® Central Server can also be deployed in an air gapped environment, but it requires some additional configuration to ensure that it can function properly without internet access. The Clear NDR^® Central Server requires some network communication to function properly. This includes communication with threat intelligence sources. The default threat intelligence sources are hosted on the internet, but you can configure the Clear NDR^® Central Server to use custom sources that are accessible in an air gapped environment.

Upgrade handling

There is no change in the upgrade handling for air gapped installations as the upgrade system has been designed to work offline. The same steps as for regular installations apply. See Systems Upgrade for more details on how to upgrade your Clear NDR^® Central Server and Probes.

Managing Threat Intelligence in an Air-gapped Environment

Threat intelligence updates in air gapped installations require manual handling. This means that you will need to download the threat intelligence updates from a connected machine and then transfer them to the air gapped environment.

There are two strategies to handle threat intelligence transfer in air gapped installations:

• Have a local HTTP(S) server that mirrors the threat intelligence updates and can be accessed by the Clear NDR^® Central Server. This requires setting up a local HTTP(S) server that can serve the threat intelligence updates. The Clear NDR^® Central Server can then be configured to retrieve the updates from this local server instead of public ones.

• Manually upload the threat intelligence updates to the Clear NDR^®: this requires a manual interaction to upload the threat intelligence updates to the Clear NDR^® Central Server or a script using the REST API to automate the upload process.

To set up the threat intelligence, you need to create a custom source in the Clear NDR^® Central Server. This source can be configured to retrieve the threat intelligence updates from the local HTTP(S) server or to accept manual uploads.

See Adding a Custom source for more details on how to create a custom source and see Stamus Threat update for offline Clear NDR® Central Server for detailed instructions on how to handle Stamus threat intelligence updates in air gapped installations.