The Photon Network/Security Sensor is a Virtual Machine (VM) image that implements a **Starlight** sensor in the

Microsoft Hyper-V environment.

This page describes the steps to install the sensor.

Site Preparation

This process will require access to a Microsoft Hyper-V environment on a Windows Server.  Currently Windows Server

2016 is the tested version.   The resources required for the Network Sensor are:

  • 8 CPU Cores.
  • 16Gbyte Memory.
  • 500GB Hard Disk.
  • Server Switch with a physical network interface that supports promiscuous mode.
  • One IP Address with access to a default gateway.
  • A **Starlight** license that can be applied to the sensor.

The VM image can be downloaded from the Stellar Cyber AI production server at the following URLs.

Description: [Network Sensor]
Link: (https://acps.stellarcyber.ai/release/3.2.0/datasensor/aella-device-ds-3.2.0.vhdx)
Version: 3.2.0
URL: `https://acps.stellarcyber.ai/release/3.2.0/datasensor/aella-device-ds-3.2.0.vhdx`

For authentication to download, the user name is and the password are in your email.

The text in the procedures the following sections assume that the file has been downloaded into the local `C:\Users\Public\Documents\Hyper-V\Virtual hard disks\` folder.

Alternatively, the `curl` command  may be used to download the image.   The following is an example that may be used to download the 3.2 image:

curl -k -u CREDENTIALS https://acps.stellarcyber.ai/release/3.2.0/datasensor/aella-device-ds-3.2.0.vhdx -o aella-device-ds-3.2.0.vhdx

Create A Virtual Switch

The first step is to create a virtual switch through which the VM will communicate.  Start the Hyper-V manager and open the Virtual Switch Manager from the right-hand sidebar. Select “Create Virtual Switch” then choose “External Network.” The resulting display is shown in the following image.

The next step is to select the physical network port that is to be used to connect to the outside world. The result will look similar to the sample in the following image.

Set Promiscuous Mode

Promiscuous mode is used so that the Network sensor can monitor all traffic.   This setting is not supported via the User Interface so the following commands my be used via the PowerShell.

In this example the name of the switch is “External.”  This must be modified for the value actually used.

C:\Users\Administrator> $a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
C:\Users\Administrator> $a.SettingData.MonitorMode = 2
C:\Users\Administrator> add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <name of the switch> -VMSwitchExtensionFeature $a

Create new VM

Return to the Hyper-V manager again and select the menu options “Action &rarr; New &rarr; Virtual Machine…”  This will appear similar to the following image.

Specify a name for the new security sensor.   This can be any legal VM name but it is recommended to adopt a site convention so that the name identifies type type of sensor.   The screen will look similar to the following image.

Enter the Generation parameter. The guest Operating System is a 64-bit OS so “Generation 1” is a good choice as shown in the following image.

Next assign memory as shown in the following image. The Photon sensors require at least 16Gbyte. An example is shown in the following image.

Configure the Management network interface.  You may either enter a static IP or configure using a DHCP server. This is the interface that will be used for the Sensor to send its Interflow data records to the data processor. The networking is selected as in the following image.

Connect the Virtual Disk image that was downloaded in the site preparation mentioned above.  In the dialog box use the “Use existing” option as shown in the following image.   If the image was placed in a different location adjust the Location field appropriately.

At this point the creation of the VM is complete and it should appear in the Hyper-V Manager screen in a manner similar to the following image.

Change Processor Setting

Before activating the VM it needs to have the proper number of CPU cores allocated to it.  Select the VM in the list and click the “Settings &rarr; Processor” menu options.   In the resulting dialog box change the number of processors to 8 as shown in the following image.

Add an Interface

The Sensor requires a connection to the virtual switch that we created in the first steps.  Click the “Add Hardware &rarr; Network Adapter” options as shown in the following image.

After the interface is crated, select the virtual switch that was created in the first steps of this procedure.

Then example the associated network adapter and click the “Advanced Features” option.   Sent the mirroring mode of the sensor to “Destination.”   This is shown in the following image.

Configure the Sensor

The sensor may now be started.  When the VM is ready open the console to the VM and log in.

The administrative user is `admin` and the default password is `changeme`.   On first login the user will be prompted to change the password.

The resulting screen will appear as in the following image.

If DHCP is used to assign IP addresses the following command may be used:

set interface management ip dhcp

Alternatively a static IP address can be assigned.   An example of this is as follows.  Substitute the values in the sample for the values that are correct for the local installation.

set interface management ip 192.168.14.100/255.255.255.0 gateway 192.168.14.1 dns 8.8.8.8

The next step is to restart the sensor enter the Data Processor’s (CM) address.  This is done with the following commands.

restart
set cm Express.StellarCyber.ai

The session may be terminated with the `quit` command.

Congratulations!

Please email us at express@stellarcyber.ai to get the credentials for the portal.