SAMURAI Blog
Operations · 2026-03-11 · 9 min read

Deploying SAMURAI in air-gapped environments

Beyrak A.
Founder & Security/System Engineer

Why air-gapped matters

Many networks that need monitoring the most — government, defense, financial, critical infrastructure — operate in air-gapped or severely restricted environments. No internet access. No SaaS. No cloud APIs. No calling home for license validation. If your monitoring tool requires an internet connection for anything beyond the initial install, it is unusable in these environments.

SAMURAI is designed from the ground up for offline operation. Once deployed, it requires zero external connectivity. Every dependency is bundled. Every database is embedded. Every lookup table ships with the image.

The deployment stack

The full stack runs from a single docker compose up: MongoDB for data storage, the Go API server, and the web dashboard served as static files by the same binary. The entire deployment fits on a single mid-tier VM — no Kubernetes, no microservices, no distributed coordinator.

Configuration lives in a single .env file at the repository root. Key settings include MONGODB_URL (defaults to localhost:27017), APP_PORT (defaults to 5001), and SYNC_INTERVAL_SECONDS (defaults to 3600). Runtime-tunable settings — CORS origins, syslog forwarding, sync schedule, branding — live in app_settings in MongoDB and are hot-reloaded without restart.

Offline OUI database

Vendor identification for endpoint discovery relies on the IEEE OUI (Organizationally Unique Identifier) database. Most tools fetch this from the IEEE website at runtime. SAMURAI ships a 39,000-entry OUI database embedded in the binary. No HTTP call. No DNS resolution. The lookup is a local map access that resolves a MAC prefix to a manufacturer name in microseconds.

TLS and self-signed certificates

Air-gapped networks almost universally use self-signed certificates or internal CAs that are not in any public trust store. SAMURAI disables TLS verification on all connectors — APIC, FMC, NDO, Palo Alto, ISE, vCenter. This is a deliberate design choice for the target environment, not a security shortcut. In a network where every certificate is self-signed and there is no path to a public CA, strict TLS verification is not security — it is a deployment blocker.

Encryption at rest

Device credentials stored in MongoDB are encrypted with AES-256-GCM via the pkg/crypto package. The encryption key is a 64-character hex string set via the DEVICE_ENCRYPTION_KEY environment variable. Encrypted fields include device passwords, secrets, the default password, SMTP credentials, LDAP bind password, and the Telegram bot token. Decryption happens at the service layer — fetchers receive plaintext credentials from DeviceGetAll and DeviceGetByID; the crypto layer is never invoked inside a connector.
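The encrypt-at-rest path described above, as an added Go example that is not SAMURAI's own pkg/crypto code: it parses a 64-character hex DEVICE_ENCRYPTION_KEY into the 32 bytes AES-256 needs, seals a credential with AES-256-GCM, and shows that a tampered stored value fails the GCM tag check instead of decrypting to garbage. The nonce-prefix layout, the function names and the demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// NewDeviceCipher decodes the 64-char hex DEVICE_ENCRYPTION_KEY into the
// 32 raw bytes AES-256 needs and wraps the block cipher in GCM.
func NewDeviceCipher(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("DEVICE_ENCRYPTION_KEY must be 64 hex chars (32 bytes)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a credential; a fresh random nonce is prepended, so the
// same password stored twice yields different ciphertext bytes.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. The GCM tag check rejects any modified byte, so a
// tampered MongoDB document fails here instead of decrypting to garbage.
func Open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	gcm, _ := NewDeviceCipher("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff") // constructed demo key
	sealed, _ := Seal(gcm, []byte("device-password"))
	pt, _ := Open(gcm, sealed)
	fmt.Println(string(pt))
}
```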

No cloud dependencies

There is no license server. No telemetry. No update check. No analytics beacon. JWT authentication runs locally with 30-minute access tokens and 7-day refresh tokens, validated against a secret in the .env file. Permissions are resolved per-request from the roles collection — not embedded in the JWT, not fetched from an external identity provider.

The monitoring dashboard, the sync engine, the change detection pipeline, the endpoint aggregation, the traffic simulation — everything runs on that one VM behind your firewall. The only network traffic SAMURAI generates is to the devices it monitors, on ports you explicitly configure.

Your network deserves order

See SAMURAI running against your real environment. Most demos are scheduled within 24 hours.
