Site Coordinator Overview

About this document

This document provides an overview of the Site Coordinator and includes details such as what is a Site Coordinator, what is a Master Site Coordinator, and why they are required. It also includes an example to understand the deployment patterns, pre-requisites, and installation of a site coordinator for a sample company, "SAFE Test." 

What is a Site Coordinator (SC)?

A Site Coordinator is a Linux software installation provided by SAFE. It is responsible for performing agentless assessments inside the customers' network with compatible devices and passing those assessments to the SAFE server. It can also act as a gateway for SAFE agents deployed in networks that do not have direct internet access to the SAFE server.

The Site Coordinator enables the assessment of disconnected assets in different locations (referred to as sites). Depending on the rate of Assets to be scanned within a given window, you may require multiple Site Coordinators. If required by your network topology, multiple Site Coordinators can be deployed to allow different sites to be assessed and fed back to a single SAFE Server. 

SAFE will work with you to determine appropriate system sizing.

All existing assessments will work seamlessly in the system through the Site Coordinator deployed on your SAFE server (known as the Default Site Coordinator). 

What is a Master Site Coordinator (MSC)?

The Master Site Coordinator allows a single Site Coordinator to register with multiple SAFE instances via SC Broker and enables the assessment of agentless assets. This makes it easy for many organizations, such as Managed Security Service Providers (MSSP), to manage the security of their multiple customers.

The process remains the same for installing the site coordinator, except that you need an additional SC Broker URL. Add the SC Broker URL to the command generated from SAFE and run the command on the remote system to install the Master Site Coordinator.

Here is an example of Site Coordinator deployment.

Example Site Coordinator Deployment

Network Topology for the example company - SAFE Test

The example company "SAFE Test" has the following network topology:

• On-Premise Infrastructure comprising 
  • A "DMZ" network containing
    • One Firewall
    • One switch
    • One Proxy server running Linux. The Proxy IP is 198.168.1.170 with port 80
• A network "infra" with no internet access containing
  • One switch
  • Two Linux systems
  • Two Windows Servers
• A network "corporate" with internet access via a proxy comprising:
  • One switch
  • Four Windows/Mac Laptops
• An Azure cloud instance is running five Linux VMs. No proxy is required for internet access.

The SAFE Cloud services for this customer are hosted at https://safetest.safescore.ai 

The domain for the company "Safe Test" will be safetest.com

Solution Analysis

The example network topology would be supported as follows:

• On-Premise Infrastructure:
  • "DMZ" network:
    • The firewall, switch, and Linux proxy server will need to be accessible to a Site Coordinator to execute agentless scans using SSH.
  • "infra" network:
    • The switches and Linux systems will need to be accessible to a Site Coordinator to execute agentless scans using SSH.
    • The Windows Servers will require agents to be deployed. As these systems do not have any internet access, these agents will need to communicate with a Site Coordinator. As such, there will need to be a Site Coordinator configured for Agent-Based Communication (Refer to Configuring Site Coordinator for agent-based communication).
    • The Site Coordinator will be required to connect to the internet via a Proxy. As such, it will need to be configured as per Configuring Proxy in Site Coordinator.
  • "corporate" network:
    • The switch will need to be accessible to a Site Coordinator to execute agentless scans using SSH.
    • These machines will not require a Site Coordinator as they have access to the internet and can resolve https://safetest.safescore.ai. These machines should be deployed with SAFE Agents configured with the URL https://safetest.safescore.ai. 
    • These machines will be able to provide scan results whether they are connected to the corporate network or working from any internet-connected location.
• Azure cloud instance:
  • All of the Azure subscription/services supported by the Azure security center should be configured to be scanned via the Safe Azure Security Center webhook. Refer to Azure Security Center.
  • The Linux VMs running in the Azure cloud will require a Site Coordinator to be deployed either in the Azure cloud (as per the diagram below) or at a network location with SSH access to the VMs to be assessed in order to perform agentless scans.

Deployment Architecture

From the above analysis, it can be seen that there are two Site Coordinators required.

On-Premise Infrastructure

One Site Coordinator will be needed to scan the following:

• Firewall
• Switches
• Linux Servers
• Linux Proxy

The Site Coordinator needs to be configured to receive agent-based communication from the Windows server. Furthermore, it needs to be configured with a Proxy server to be able to send it's assessments to https://safetest.safescore.ai. This will require the following:

• A machine in the DMZ cloud or in the "infra" network to run a Site Coordinator that meets the Site Coordinator Installation | Minimum-Hardware-Requirements  and Site Coordinator Installation | Pre-requisites 
• The information for the proxy:
  • IP: 198.168.1.170 
  • Port: 80
  • <no username/password required>
• The information for the Site Coordinator to act as a gateway (in this example, we will assume the hostname for the Site Coordinator is "sc1":
  • Port 443 will need to be opened on the Site Coordinator machine.
  • An internally routable URL for the Site Coordinator:
    • In this case, we will assume that the Site Coordinator hostname will be used. In this example, we will assume the URL will be sc1.safetest.com, but any internally routable URL will work as long as it can connect to port 443.
    • An SSL certificate for sc1.safetest.com
    • A key for sc1.safetest.com
    • The CA certificate for the certificate authority issuing the SSL certificate for sc1.safetest.com
• The Site Coordinator software to be installed as per Site Coordinator Installation | Installing-Site-Coordinatorand the steps for:
  • Gateway - Configuring Site Coordinator for agent-based communication
  • Proxy - Configuring Proxy in Site Coordinator
• The Windows agents installed and configured to use the URL "sc1.safetest.com".

Azure

Another Site Coordinator is needed to scan the Azure VMs. This will require the following:

• A VM in the Azure cloud to run a Site Coordinator that meets the Site Coordinator Installation | Minimum-Hardware-Requirements  and Site Coordinator Installation | Pre-requisites
• The Site Coordinator software to be installed as per Site Coordinator Installation | Installing-Site-Coordinator

As the Azure cloud can provide VMs with direct internet access, and all of the systems to be assessed can be scanned using the Site Coordinators agentless feature. As such, it is not required to configure a Proxy or enable the Gateway feature on this Site Coordinator.

The final deployment is shown in the following diagram:

End State Summary

The Windows/Mac clients connect directly with the SAFE service at safetest.safescore.ai

The remaining physical equipment is either:

• scanned by the Linux site coordinator in the DMZ in the case of the Firewall, Switches, and Linux servers
• receives data from the Windows agents installed on the Windows servers via the configured Site Coordinator gateway
• The Azure cloud is assessed via a SAFE webbook.
• The Linux Site Coordinator scans the Azure VMs in the Azure cloud.