Deploy USM Appliance Using Hyper-V Manager

Applies to Product: USM Appliance™ AlienVault OSSIM®

Microsoft Hyper-V is a hypervisor that lets you create and manage virtual machines by using virtualization technology built into Windows Server. Starting from USM Appliance version 5.3.4, AlienVault offers USM Appliance for Hyper-V in a Virtual Hard Disk (VHD) format, tested on the latest version of the following Windows operating systems:

  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

You can deploy USM Appliance using Microsoft Hyper-V Manager, an administrative tool for managing local and remote Hyper-V hosts.

Prerequisites

The requirements for deploying USM Appliance in Hyper-V are the same as for the other virtual appliances that AlienVault supports. See Minimum Virtual Machine Requirements for details. However, to meet the requirements, you must first enable hyper-threading in the system BIOS. Refer to this virtualization blog post from Microsoft for an explanation.

You must also download the Hyper-V image file from AlienVault and unzip it to a location that you can access from the Hyper-V Manager.

Note: Due to the size of the image file, the built-in zip utility on Windows Server 2008 (all versions) cannot unzip the file. You can use 7-Zip or WinZip instead.

Create the Virtual Machine

To create a virtual machine using the Hyper-V Manager:

  1. Open the Hyper-V Manager.
  2. In the Actions panel, click New > Virtual Machine.

    The New Virtual Machine Wizard opens.

  3. Go to Specify Name and Location and type a name for your new virtual machine.

    New Virtual Machine Wizard in Hyper-V Manager

  4. Click Next.
  5. Choose Generation 1 for this virtual machine and click Next.
  6. Change the value of the Startup Memory:

    • For USM Appliance Standard deployment options (including Standard Server, Standard Logger, and Standard Sensor), type 24576 MB.
    • For USM Appliance All-in-One, type 16384 MB.
    • For USM Appliance Remote Sensor, type 8192 MB.
  7. Click Next.
  8. Select the network adapter for the network you want to monitor and click Next.
  9. Select Use an existing virtual hard disk and click Browse to locate the Hyper-V VHD file.
  10. Click Next and on the summary page, click Finish.

Configure the Virtual Machine

To configure a virtual machine using the Hyper-V Manager:

  1. Select the USM Appliance virtual machine that you created and click Settings.

    A new window opens.

  2. Click Processor in the left panel, and then set the number of virtual processors:

    • For USM Appliance All-in-One and USM Appliance Standard deployment options (including Standard Server, Standard Logger, and Standard Sensor), set Number of virtual processors to 8.
    • For USM Appliance Remote Sensor, set Number of virtual processors to 4.

    Hyper-V Manager specify virtual processors

  3. Click Apply.
  4. Click Add Hardware > Network Adapter > Add to add network interfaces.

    Note: USM Appliance All-in-One supports 6 network interfaces and USM Appliance Remote Sensor supports 2 network interfaces. AlienVault recommends that you have at least two network interfaces, one for management and the other for network IDS.

  5. (Optional) If using a VLAN, in VLAN ID, select Enable virtual LAN identification and specify the VLAN ID in the box.
  6. In Bandwidth Management, leave the option unchecked, because enabling bandwidth management introduces the risk of packet loss.

    Hyper-V Manager adding network adapter

  7. Click Apply.
  8. Repeat Steps 4 through 7 to add more network interfaces.
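
The create and configure steps above can also be scripted. This is an added example, not AlienVault's own tooling; it assumes the Hyper-V PowerShell module on Windows Server 2012 R2 or later, two existing virtual switches, and the hypothetical names `New-UsmApplianceVm` and `Monitor`.

```powershell
# Added example: scripted form of the Hyper-V Manager steps above.
# Sizing values are the ones this page gives for each deployment type.
$UsmSizing = @{
    Standard     = @{ MemoryMB = 24576; Processors = 8 }
    AllInOne     = @{ MemoryMB = 16384; Processors = 8 }
    RemoteSensor = @{ MemoryMB = 8192;  Processors = 4 }
}

function New-UsmApplianceVm {    # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Standard', 'AllInOne', 'RemoteSensor')]
        [string] $Deployment,
        [Parameter(Mandatory)] [string] $VhdPath,            # unzipped Hyper-V VHD
        [Parameter(Mandatory)] [string] $ManagementSwitch,   # existing virtual switch
        [Parameter(Mandatory)] [string] $MonitorSwitch,      # existing virtual switch
        [ValidateRange(1, 4094)] [int] $MonitorVlanId        # optional
    )
    $ErrorActionPreference = 'Stop'
    if (-not (Test-Path -LiteralPath $VhdPath -PathType Leaf)) {
        throw "VHD file not found: $VhdPath"
    }
    $size = $UsmSizing[$Deployment]

    # Wizard steps: Generation 1, startup memory, first adapter, existing VHD.
    New-VM -Name $Name -Generation 1 -MemoryStartupBytes ([int64]$size.MemoryMB * 1MB) `
        -SwitchName $ManagementSwitch -VHDPath $VhdPath | Out-Null

    # Settings > Processor.
    Set-VMProcessor -VMName $Name -Count $size.Processors

    # Settings > Add Hardware > Network Adapter: second interface for network IDS.
    # Bandwidth management is left at its default (not enabled), as the page advises.
    Add-VMNetworkAdapter -VMName $Name -SwitchName $MonitorSwitch -Name 'Monitor'

    if ($PSBoundParameters.ContainsKey('MonitorVlanId')) {
        Set-VMNetworkAdapterVlan -VMName $Name -VMNetworkAdapterName 'Monitor' `
            -Access -VlanId $MonitorVlanId
    }

    # Return the VM so the caller can confirm generation, memory and CPU count.
    Get-VM -Name $Name | Select-Object Name, Generation, MemoryStartup, ProcessorCount
}

# Example call (constructed names and path):
# New-UsmApplianceVm -Name 'usm-aio' -Deployment AllInOne -VhdPath 'D:\VHD\usm.vhd' `
#     -ManagementSwitch 'Mgmt' -MonitorSwitch 'Span' -MonitorVlanId 20
```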

Configure Port Mirroring

Note: This procedure is optional. Port mirroring configuration is only supported in Windows Server 2012 and later.

To configure port mirroring, follow the steps below when adding network adapters:

  1. In the left panel, click the plus sign (+) next to the network adapter you are adding, and then click Advanced Features.
  2. Locate Mirroring mode in the Port mirroring section, select Destination, and then click OK.

    Setting up port mirroring in Hyper-V Manager

  3. Open a PowerShell session as administrator.
  4. To set up virtual switches in promiscuous mode for monitoring external traffic, run the following:

    $portFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5

    $portFeature.SettingData.MonitorMode = 2

    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <mySwitch> -VMSwitchExtensionFeature $portFeature

    where <mySwitch> denotes the name of the virtual switch.

    With this example, all traffic going through the virtual switch will be mirrored to any VM whose mirroring mode has been set to "Destination".

  5. Alternatively, to set up virtual switches in promiscuous mode for monitoring internal traffic, run the following:

    $portFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5

    $portFeature.SettingData.MonitorMode = 2

    Add-VMSwitchExtensionPortFeature -ManagementOS -VMSwitchExtensionFeature $portFeature

    Note: The -ManagementOS option does not allow you to specify a switch, so all virtual switches, including the shared management NIC port, will be set in monitoring mode.

  6. To set up virtual switches in promiscuous mode for monitoring both internal and external traffic, run the following:

    $portFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5

    $portFeature.SettingData.MonitorMode = 2

    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <mySwitch> -VMSwitchExtensionFeature $portFeature

    Add-VMSwitchExtensionPortFeature -ManagementOS -VMSwitchExtensionFeature $portFeature

    Note: In the steps above, MonitorMode 0 = None, 1 = Destination, and 2 = Source.
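
To confirm that mirroring is in place before relying on the appliance's network IDS, the state set by the steps above can be read back. This is an added example, not AlienVault's own code; `Get-UsmMirroringState` is a hypothetical name, and it assumes the Hyper-V PowerShell module on Windows Server 2012 or later.

```powershell
# Added example: read back the mirroring state configured by the steps above.
$MonitorFeatureId = '776e0ba7-94a1-41c8-8f28-951f524251b5'             # feature ID used on this page
$MonitorModeName  = @{ 0 = 'None'; 1 = 'Destination'; 2 = 'Source' }   # mapping given on this page

function Get-UsmMirroringState {    # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $SwitchName
    )
    # Turn the port features found on a port into readable mode names.
    $toModes = {
        param($features)
        if (-not $features) { return 'not set' }
        @($features | ForEach-Object { $MonitorModeName[[int]$_.SettingData.MonitorMode] } |
            Sort-Object -Unique) -join ','
    }

    # VM side (steps 1-2): adapters set to Destination on the monitored switch.
    $destinations = @(Get-VMNetworkAdapter -VMName $VMName | Where-Object {
        $_.SwitchName -eq $SwitchName -and "$($_.PortMirroringMode)" -eq 'Destination' })

    # Switch side (step 4): feature on the external port of the named switch.
    $external = @(Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
        -FeatureId $MonitorFeatureId)
    # Host side (step 5): feature on the management OS ports, if that variant was run.
    $hostPorts = @(Get-VMSwitchExtensionPortFeature -ManagementOS -FeatureId $MonitorFeatureId)

    [pscustomobject]@{
        VMName              = $VMName
        Switch              = $SwitchName
        DestinationAdapters = @($destinations | ForEach-Object { $_.Name })
        ExternalPortMode    = & $toModes $external
        ManagementOSMode    = & $toModes $hostPorts
        # Mirrored traffic needs a Source port and a Destination adapter.
        ExternalMirrored    = ($destinations.Count -gt 0) -and ((& $toModes $external) -eq 'Source')
        InternalMirrored    = ($destinations.Count -gt 0) -and ((& $toModes $hostPorts) -eq 'Source')
    }
}

# Example call (constructed names):
# Get-UsmMirroringState -VMName 'usm-aio' -SwitchName 'Span'
```

An empty `DestinationAdapters` list, or a mode of `not set` where `Source` was expected, means the sensor interface will not receive mirrored traffic from that port.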

Start the Virtual Machine

To start the virtual machine using the Hyper-V Manager:

  1. Select your virtual machine and click Start on the right panel.
  2. The system initialization screen appears and you will see the console to access USM Appliance from the command line.