Belmonitor Client Monitoring Service


Hermalindo Lepicier

Jul 24, 2024, 11:53:53 PM
to hopretonorc

Belarc's cloud architecture allows users to simplify and automate the monitoring of all of their desktops, laptops, servers and virtual machines throughout the world, using a single server and database. The BelManage server can be located on premises, on our customer's cloud or hosted by Belarc via SaaS.



Download File >>> https://urluss.com/2zMx0K



BelManage uses encrypted HTTPS protocols to communicate with the clients and users viewing reports. BelManage also supports PKI/CAC user authentication for our US Government customers. Unlike other systems, BelManage does not require Domain or SSH User credentials.

Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

As a private-public partnership, we are always seeking feedback on our Practice Guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at financ...@nist.gov.

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate all, or parts of the build created in the NCCoE ITAM Lab. This reference design is modular and can be deployed in whole or in part.

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-5B, which describes what we did and why. The following sections will be of particular interest:

The lab network is connected to the public Internet through a virtual private network (VPN) appliance and firewall to enable secure Internet and remote access. The lab network is not connected to the NIST enterprise network. Table 1-1 lists the software and hardware components used in the build, as well as the specific function each component contributes.

The build architecture consists of multiple networks implemented to mirror the infrastructure of a typical financial industry corporation. The networks include a Demilitarized Zone (DMZ) network along with several subnets as shown in Figure 1-1. The DMZ network provides technologies that monitor and detect cybersecurity events, conduct patch management, and provide secure access to the mainframe computer. The Physical Asset Management Network provides management of identities and credentials for authorized devices and users. Network Security provides vulnerability scanning, along with a database for collection and analysis of data from hardware and software components. The IT Systems Network conducts configuration management and validation of client machines. Physical Security consists of management consoles for devices that operate and manage physical security. Such devices consist of badge readers and cameras. Firewalls are configured to limit access to and from the networks, blocking all traffic except required internetwork communications.

The NCCoE base Windows OS images are Server 2012 R2 x86_64 and Windows 7 Enterprise x86_64 Department of Defense (DoD) Security Technical Implementation Guide (STIG) images. The installation of both Windows systems was performed using installation media provided by the Defense Information Systems Agency (DISA). These images were chosen because they are standardized, hardened and fully documented.

The NCCoE base Linux OS is CentOS 7. This OS is available as an open source image. The OS was configured to meet the DoD CentOS 6 STIG. No CentOS 7 STIG was available at the time the build was implemented.

Splunk Enterprise is a software platform to search, analyze, and visualize the machine-generated data gathered from the websites, applications, sensors, and devices that comprise your IT infrastructure or business. Splunk Enterprise is comprised of a database, analytic engine, front-end and various ways of gathering data.

In the FS ITAM build Splunk Enterprise receives data from all of the sensors and IT asset management systems. Splunk Enterprise then indexes the data, analyzes it, and displays the results as both reports and graphical desktops.

Analysts can quickly view reports and dashboards to view commonly requested information. Analysts can also form ad-hoc queries on any of the data gathered and analyzed. Splunk Enterprise also provides the ability to alert on any security or performance event.

On the high-level architecture diagram Splunk Enterprise is the Tier 1 ITAM server. Splunk Enterprise is running its own syslog server and collecting syslog information from all hosts on the network (port 514 TCP/UDP). Splunk Enterprise utilizes several methods to acquire data from the ITAM systems which are shown in Table 2-1. The Splunk Enterprise server listens on TCP port 9997 for connections from Universal Forwarders.

Splunk Enterprise stores events in indexes. By default, the main index holds all events. However, using multiple indexes has several benefits including controlling user access to events, different retention policies for different events, and faster searches in certain situations. A separate index was created for each input type and stored in the data directory (/data/splunk). Table 2-2 contains the list of indexes that were created.

Several Splunk Enterprise Apps were used in this project. The list of Splunk Enterprise Apps needed for the ITAM project can be found in Table 2-3. Splunk Enterprise Apps assist in processing, analyzing and displaying different types of data. To download Splunk Enterprise Apps you must have a valid Splunk account. You can install Splunk Enterprise Apps from

The Splunk DB Connect v2 app requires the downloading and installation of specific database drivers. Database-specific drivers should be placed in the directory $SPLUNK_HOME/etc/apps/splunk_app_db_connect/bin/lib. This project required the installation of database drivers for Microsoft SQL and MySQL. The drivers must be obtained from the database manufacturers; in this case Microsoft and MySQL/Oracle. For more detailed information, please refer to Install database drivers at The required drivers are listed in table 2-4.

This section provides information about setting up connections that use the Splunk Enterprise DB Connect v2 app. The Splunk Enterprise DB Connect v2 app is used to connect to the following external databases: AssetCentral, BelManage and CA-ITAM.

There should only be one database connection to each individual database. The database connections use the identities listed in Table 2-5. Please remember to select the Enable button when you configure each connection.

Operations are the SQL operations performed on the database connections and the results are saved into Splunk Enterprise indexes. The operations can be run automatically, on a recurring basis, or when new data is detected.

Several lookup table files are necessary for this project. The lookup table files are in comma separated value format and contain data generated by reports that are used in other reports and dashboards.

AssetCentral is an IT infrastructure management system that stores and displays information related to physical assets including location, make, model, and serial number. AssetCentral can help run an entire data center by monitoring weight, utilization, available space, heat and power distribution. AssetCentral is installed on a CentOS7 system.

BelManage is installed on a Windows Server 2012R2 system. BelManage gathers hardware and software information from computers on the network. BelManage gathers, stores, analyzes and displays the hardware and software information in a Web application. The BelMonitor client is installed on all computers in the network and automatically sends the BelManage server information on hardware and software changes.

The ITAM system is using BelManage for its data gathering, analysis and reporting features. BelManage reports on all software installed and all hardware configurations for every machine on the network that is running the BelMonitor client.

Before installing BelManage, verify that your Windows Server 2012R2 system is installed correctly, updated and that the network is correctly configured and working. Additionally, you may have to disable or modify some security services, such as AppLocker, during the installation process.

BelManage requires the following options: Static Content, Default Document, ASP Application Development, IIS Management Scripts and Tools, IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, and IIS 6 Scripting Tools.
