Best way to set up a USM AIO + Remote Sensor to optimize capabilities


I would like some advice regarding how to better use a USM All-In-One server + a remote sensor (2 different physical locations, Data Center A and Data Center B).

Right now I have the USM server in DCA and the remote sensor in DCB. I have two contexts/entities respectively and each server/sensor is assigned to receive logs, syslogs and netflow from their respective local assets.

This works well to make sure that assets only talk to their respective local sensor, but I found a few limitations like the one in this FEATURE REQUEST.

I'm thinking of merging my contexts into a single context but after doing so, I would like to continue making sure assets only talk to their local sensor.

Will I be able to do this?

    The Context feature is designed specifically to allow two subnets with the same internal address scheme to be processed by the server. If your subnets are not within the same address space, then you will not have an issue with one context.

    With regard to what sensors assets talk to, I assume you mean logging. As the USM is passive in this, the destination is dependent on either how the asset is added for HIDS, or how it was configured by the admin for any other logging method.

    If each subnet configured on the Server is assigned to only one sensor, and the asset and vulnerability scans are configured to use that sensor, then any assets added by those processes will inherit that sensor as parent.
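
The rule in the answer above, written out as a planning check. This is an added example, not part of the original thread and not AlienVault code: it tests whether subnets owned by different sensors overlap (the case Contexts exist for) and which sensor an asset address would fall under. Sensor names and CIDRs are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not from the thread): sensor -> subnets assigned to it.
SENSOR_SUBNETS = {
    "sensor-dca": ["10.10.0.0/16", "192.168.50.0/24"],
    "sensor-dcb": ["10.20.0.0/16", "172.16.8.0/22"],
}

def parse(inventory):
    """Flatten to (sensor, network) pairs; strict=True rejects CIDRs with host bits set."""
    return [(sensor, ipaddress.ip_network(cidr, strict=True))
            for sensor, cidrs in inventory.items() for cidr in cidrs]

def find_overlaps(inventory):
    """Subnet pairs owned by different sensors that share addresses."""
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(parse(inventory), 2)
            if sa != sb and na.version == nb.version and na.overlaps(nb)]

def single_context_ok(inventory):
    """True when no address space is shared across sensors, so one context is enough."""
    return not find_overlaps(inventory)

def parent_sensor(inventory, asset_ip):
    """Sensor whose subnet contains asset_ip; None if no subnet covers it."""
    ip = ipaddress.ip_address(asset_ip)
    owners = {s for s, n in parse(inventory) if n.version == ip.version and ip in n}
    if len(owners) > 1:
        # The "each subnet is assigned to only one sensor" condition is violated.
        raise ValueError(f"{asset_ip} is covered by several sensors: {sorted(owners)}")
    return next(iter(owners), None)

if __name__ == "__main__":
    print("single context OK:", single_context_ok(SENSOR_SUBNETS))
    for ip in ("10.10.4.7", "172.16.9.20", "8.8.8.8"):
        print(ip, "->", parent_sensor(SENSOR_SUBNETS, ip))
```
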


  • Thank you @kcoe

    Can you clarify what you mean by "same address space"? They are 3 completely different subnets like this:
  • Hi, we have the same request. kcoe, can you explain it? Thx
  • @BBanks I believe I was correct to understand that he meant "overlapping subnet families"; this graph below shows what I think he meant. I went ahead and merged my two correlation contexts into one.... and then created two Entities on this and assigned each of my sensors to each entity.

    Correlation Contexts
  • Hi kylekat, ah OK, then you have a different challenge than we do.
    I am lucky that each location has its own subnet.
    Our issue is more that we would like to sync config like OpenVAS scanning config, rules, policies between USM server (in your picture ... NOC)
