Deploy USM Appliance in VMware

Applies to Product: USM Appliance™ AlienVault OSSIM®

AlienVault offers USM Appliance for VMware in a Open Virtual Appliance (OVA) package, which is a tar archive file with the OVF (Open Virtualization Format) directory inside. You can deploy USM Appliance using VMware vSphere Desktop Client, which this document entails. For instructions specific to a different VMware client, consult the vendor documentation directly.

Prerequisites

Before deploying the USM Appliance virtual machine, make sure you have met the Minimum Hardware Requirements for Virtual Machines as well as the Minimum Virtual Machine Requirements.

You must also have downloaded the VMware image file from AlienVault and unzip it to a location where you can access from the VMware vSphere Client.

Deploy the VMware Image

Note: The deployment steps are the same for USM Appliance free trials and licensed versions.

To deploy USM Appliance in vSphere Desktop Client

  1. Under File, select Deploy OVF Template.
  2. In the Deploy OVF Template screen, browse to the USM Appliance virtual image file; click Next.
  3. On each of the following screens, click Next to keep the default values:

    • OVF Template Details
    • Name and Location
    • Storage
    • Disk Format
    • Network Mapping
  4. On the Ready to Complete screen, select Power on after deployment, located below the list of deployment settings and click Finish.

    Deployment of the virtual image requires several minutes. After deployment is finished, VMware displays:

    Deployment Completed Successfully.

    Important: If deploying the OVA file fails and you receive the following error:

    The OVF package is invalid and cannot be deployed.

    The following manifest file entry (line 1) is invalid: SHA256 (xxxxxxx.ovf)

    it is because the vSphere Desktop Client does not support SHA256. (This is not an issue if you use the vSphere Web Client or ESXi Web Client to deploy the image.) To work around the issue, you can use the OVFTool from VMware to change SHA256 to SHA1. See this VMware article for instructions. You will be able to deploy the SHA1 OVA file after the conversion.

  5. Click Close.
  6. Connect to the USM Appliance virtual machine in one of the following ways:

    • On the Inventory screen, click Virtual Machine and in its submenu; click Open Console.
    • In the console toolbar, click the console icon.

    The monitor should now display the initial login screen.

    Note: Since USM Appliance Sensors do not have a web UI, you cannot access them through a browser. Follow Configure the USM Appliance Sensor after Deployment to finish the configuration.

Monitor VMware Standard Virtual Switches

This section provides instructions for VMware Standard Virtual Switches (vSwitches). For help on VMware vSphere Distributed Switches (VDS), see instructions from VMware.

USM Appliance virtual machines have six network interfaces: one for management (eth0) and the other five for log collection and/or traffic capture on the network segment monitored. Connecting the monitoring interface(s) to a SPAN (Switched Port Analyzer) port, sometimes also called a mirror port, provides the following capabilities:

  • Network IDS
  • NetFlow and traffic monitoring
  • Passive asset identification

For USM Appliance to monitor traffic from your physical network, you need to allocate a spare NIC (Network Interface Card) on your VMware server to pass the SPAN port Method of monitoring network traffic where you mirror or tap into the ports used by another network device and monitor and analyze a copy of the network traffic sent over those ports. traffic to the virtual network. AlienVault recommends that you SPAN your internal firewall ports, connect the SPAN port to the spare NIC, and then associate the spare NIC with a vSwitch.

Important: USM Appliance provides multiple network interfaces to monitor your network. You should not connect them all to the same vSwitch. Instead, you can connect each interface to a different vSwitch that mirrors a different subnet within your network.

Note: The following procedure is based on the ESXi 6.5 Web Client. If you are using a different client or an earlier version of VMware products, please consult the vendor documentation accordingly.

To monitor network traffic through a vSwitch

  1. Direct traffic from your physical network to the virtual network.

    1. Enable port mirroring on the network you want USM Appliance to monitor.
    2. Allocate a spare NIC on your VMware server to receive the mirrored traffic.
    3. Associate your spare NIC with the vSwitch.
  2. In the ESXi 6.5 Web Client, click Networking in the Navigator and select the Port groups tab.

    Note: In VMware terminology, a port group acts like a network hub, making the network traffic undergoing the vSwitch visible to all interfaces connected to this port group.

  3. Click Add port group.

    Add a new port group in a vSwitch

    1. Enter a name for the port group.
    2. In VLAN ID, select 4095 for the VGT (Virtual Guest Tagging) mode.

      See VLAN Configuration in the VMware documentation for more information about VLAN tagging modes.

    3. In Virtual switch, select the vSwitch associated with the spare NIC configured in Step 1.
    4. Expand the Security section and set Promiscuous mode to Accept.

      This setting assures any virtual interface connected to this port group will be able to enter promiscuous mode and capture traffic from any other virtual interfaces connected to the vSwitch.

  4. Click Add to create the port group.
  5. Next, you need to edit the USM Appliance node you have deployed and connect one or more interfaces to the port group.

Repeat the steps for every vSwitch you want to monitor.

And lastly, you need to configure network monitoring in the AlienVault Console SSH management interface used to perform setup and configuration tasks for USM Appliance with options from the AlienVault Setup menu.:

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. Select Configure Sensor.
  3. Select Configure Network Monitoring.
  4. Use the keyboard arrow keys to move to the interface assigned to the SPAN port group configured previously, select the interface by pressing the spacebar, and then press Enter (<OK>).

  5. Press <Back> until you are on the AlienVault Setup menu again. Select Apply all Changes.
  6. Press <Yes> to confirm.

    USM Appliance applies the changes and restarts all the services, which may take several minutes.

Repeat the steps for every listening interface you want to enable.