Remote Collector overview
Remote Collectors let you deploy sensors in multiple isolated locations. A Remote Collector must be connected to a Guardian and acts as a remote interface that broadens the Guardian's capture capability.
Remote Collectors are low-resource sensors that capture data from distributed locations and send it to Guardian(s) for further analysis. A Remote Collector is typically installed in isolated areas, such as windmills or solar power fields, where it monitors multiple small sites. Traffic is encrypted. The Remote Collector firmware receives automatic updates from the connected Guardian.
The relationship between a Remote Collector and a Guardian is similar to that between a Guardian and a Central Management Console (CMC), but with some key differences. A Remote Collector:
- Does not process sniffed traffic; it just forwards it to the Guardian to which it is attached
- Has no graphical user interface (GUI)
- Has bandwidth limitations
You must enable a Guardian to receive traffic from a Remote Collector. Once this has been enabled, the Guardian gains an additional (virtual) network interface, called remote-collector, that aggregates the traffic of all the Remote Collectors connected to it. You can open the Guardian's Sensors page to inspect all the Remote Collectors that are currently connected.
Each Remote Collector forwards its sniffed traffic to a set of Guardians. Multiple Remote Collectors can connect to a Guardian. To avoid third-party interception, traffic is encrypted over a Transport Layer Security (TLS) channel.
Certificate-based authentication
The channel is established with a mutual authentication scheme that validates dedicated X.509 certificates on both sides:
- The Guardian checks that the Remote Collector certificate is trusted.
- The Remote Collector checks that the Guardian certificate is trusted.
These certificates are separate from the certificate that the Guardian uses for its Hypertext Transfer Protocol Secure (HTTPS) endpoint.
By default, sensors generate their own certificates (one-year validity, self-signed) and periodically perform a rotation procedure to ensure that communication does not break due to expired certificates. For more details, see Configure certificate rotation.
You can provision your own certificates instead, in which case the periodic rotation is not performed. For more details, see Configure custom certificates.
Regardless of the certificates' origin, traffic starts flowing between the Remote Collector and its upstream Guardians only after the certificates have been successfully exchanged and trusted via the HTTPS control channel.
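The trust model described in this section, as an added example that is not the product's own tooling: two self-signed, one-year certificates are exchanged so that each side trusts only its peer, and an expiry check decides whether rotation is due. The file names, the stranger certificate, the 30-day threshold and the use of the openssl command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed names, not the product's file layout or commands.
set -eu
work=$(mktemp -d)
cd "$work"

# Self-signed certificate with one-year validity, the default the page describes.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Succeeds only if certificate $2 verifies against trust store $1.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if certificate $1 expires within $2 days, i.e. rotation is due.
rotation_due() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_cert guardian
make_cert collector
make_cert stranger   # a sensor whose certificate was never exchanged

# Certificate exchange: each side stores only its peer's certificate.
cp collector.crt guardian-trust.pem
cp guardian.crt  collector-trust.pem

# Both directions must succeed before traffic is allowed to flow.
trusts guardian-trust.pem  collector.crt && echo "Guardian trusts Remote Collector"
trusts collector-trust.pem guardian.crt  && echo "Remote Collector trusts Guardian"
trusts guardian-trust.pem  stranger.crt  || echo "Guardian rejects unknown sensor"

# A fresh one-year certificate is not yet inside a 30-day rotation window.
rotation_due collector.crt 30 || echo "collector.crt: rotation not due"
```

Because the certificates are self-signed, trust rests entirely on which peer certificates were placed in each store, which is why an unexchanged certificate fails verification even though it is well-formed.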