How to Install Falcon in the Data Center

Introduction

CrowdStrike Falcon strikes the balance needed in today’s data center.  Unrivaled protection from best-in-class prevention, detection and response. And security that actually contributes to the speed, flexibility, manageability and scalability benefits that IT operations expect from their modern-day data center. CrowdStrike Falcon provides the following key benefits to data centers:

  1. Speed and simplicity.
    • No performance impact. Maximum security. Minimal impact. Data center guys typically hate security because it slows their servers down. This means that they have to purchase more servers to do the same job as one server could do before it got bogged down by security tools. We are so lightweight that this problem goes away.
    • Easy to deploy. All you need is the Falcon sensor and an internet connection. No complex security infrastructure to manage. Just install the Falcon Sensor and go.
  2. Works everywhere. Works in all three data center types. These are 1) on-prem 2) hybrid 3) cloud. Also works with every cloud platform including Amazon AWS, Google Cloud Platform and Microsoft Azure. And works with any hypervisor (such as vSphere, Hyper-V, etc.) with the same solution. The Falcon sensor also supports Windows, Linux and macOS at the kernel level.
  3. Ultimate threat protection. An organization’s internet-facing servers are constantly under attack. We stand out in our ability to provide protection for the Linux OS, which is especially important given its growing use in the data center. CrowdStrike Falcon provides protection against all attack types, from the mundane opportunistic attacks to highly-targeted and sophisticated attacks. CrowdStrike provides protection against the threats that AV and Application Whitelisting miss.

Installation Instructions

Detailed sensor installation instructions are available in the How to Install the Falcon Sensor article and in the UI in the Support App. Below are instructions specifically related to VM and data center deployments.

Installing the Windows Sensor On a Virtual Machine Template

Installing the Falcon Host Windows Sensor on a virtual machine template requires you to follow the specific steps outlined below. This ensures that each virtual machine created from your template has a unique configuration and that detections display properly in the Falcon Host UI.

To install on a virtual machine template:

  1. Complete all steps required to generalize the VM template, such as sysprep, as well as apply all updates.
  2. Install the sensor on the VM template, specifying the NO_START=1 option:
       WindowsSensor.exe /install /quiet /norestart CID=MyCIDWithChecksumValue NO_START=1
     The NO_START=1 option will result in a standard installation except it will not start the sensor components that connect to the CrowdStrike cloud.
  3. Shut down the VM. Use your virtualization software to convert the VM to a template image.

The next time the VM OS starts up, the sensor will start, will be automatically assigned a new ID and will appear as a unique sensor installation.

Important: If for some reason the VM template needs to be restarted AFTER sensor installation but before being converted to a final VM template image, the following registry values need to be removed:

HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default\AG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent\Sim\AG

Installing the Linux Kernel Sensor on a Virtual Machine Template

This section teaches you how to prepare a “gold image” or virtual machine template. This image will contain a pre-installed Falcon Host Sensor that will be present on all hosts cloned from the master version.

Installing the Falcon Host Sensor on a gold image or virtual machine template requires specific steps to ensure that the sensor configuration is unique on each virtual machine or new machine created from the template. Sensor configuration uniqueness ensures proper detection display in the UI.

BEFORE YOU BEGIN

Complete the following before installing the Falcon Host Linux Sensor:

  • Review Before You Begin: Review all details under Before You Begin to ensure you have the dependencies installed and to ensure your network is configured properly.
  • Get the latest installer: Before you begin prepping a gold image template, ensure that you are working with the latest installer available. The latest installers are available for download in the Downloads section of the Falcon Host UI. This ensures that when you build your template, the sensor that is initially deployed is based on a recent build and that the installer used contains all of the bug fixes and current security certificates afforded to the latest available installers.

INSTALLING THE SENSOR

  1. Follow the instructions under Installing the Sensor to install the sensor.
  2. Remove the AID:
       $ sudo /opt/CrowdStrike/falconctl -d -f --aid
  3. Shut down the image or virtual machine.
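
A pre-shutdown check for step 2 above, as an added example rather than CrowdStrike's own tooling: it removes the AID with the command shown and then confirms the sensor reports none, failing closed if it cannot tell. The `-g --aid` query output format, the function names and the FALCONCTL override are assumptions; run as root.

```shell
#!/bin/sh
# Added example (not CrowdStrike code): clear the AID on a gold image and
# verify it is gone before the image is shut down. Run as root.
# FALCONCTL may be overridden (assumption, for testing); the default is
# the path given in the procedure above.
FALCONCTL="${FALCONCTL:-/opt/CrowdStrike/falconctl}"

# aid_state: prints "set", "unset" or "unknown".
# Assumption: `falconctl -g --aid` prints aid="<32 hex chars>" when an AID
# exists and a message containing "not set" when it does not.
aid_state() {
    out=$("$FALCONCTL" -g --aid 2>&1) || true
    if printf '%s\n' "$out" | grep -Eq 'aid="?[0-9A-Fa-f]{32}"?'; then
        echo set
    elif printf '%s\n' "$out" | grep -qi 'not set'; then
        echo unset
    else
        echo unknown
    fi
}

# seal_template: remove the AID (step 2), then confirm the removal.
# Returns 0 only when the sensor reports no AID; any other state is an error.
seal_template() {
    if ! command -v "$FALCONCTL" >/dev/null 2>&1; then
        echo "falconctl not found at $FALCONCTL" >&2
        return 2
    fi
    "$FALCONCTL" -d -f --aid >/dev/null 2>&1 || true
    case "$(aid_state)" in
        unset)
            echo "AID removed; safe to shut down and convert to a template."
            return 0 ;;
        set)
            echo "AID still present; clones would share one sensor identity." >&2
            return 1 ;;
        *)
            echo "Could not determine AID state; do not convert yet." >&2
            return 3 ;;
    esac
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    seal_template
fi
```

Invoke it with `--run` as the last action before shutting down the template, and treat a non-zero exit status as a reason not to convert the image.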

UPDATING YOUR TEMPLATES

When you periodically boot your template to update the software that’s included on the base image, apply OS and security updates, or do other maintenance, we recommend addressing the sensor as well. Typically, the process is:

  1. Uninstall the currently applied sensor (see Uninstalling the Linux Sensor).
  2. Reboot the host to complete the uninstall and complete any necessary cleanup.
  3. Install using the latest installer per the special instructions below for your given platform.

 

Installing the Mac Sensor on a Virtual Machine Template

To install the Falcon Host Mac Sensor on a virtual machine template image, you must:

  • Ensure that the sensor configuration is unique in each virtual machine created from that template
  • Turn off networking in the VM as you build your template

Then, install the Falcon Host Sensor normally and take a snapshot.

Conclusion

The Falcon Platform has been built to provide best-in-class prevention, detection and response capabilities for the modern data center, via a lightweight agent for Windows, Linux or macOS servers. The Falcon high performance server platform SKU ensures complete, real-time and retrospective visibility into the servers that comprise the modern-day data center.

 
