We are looking at deploying AlienVault USM in an architecture with 16 ESX, and significant overall bandwidth.
As we want to be able to capture the traffic that is even internal to each ESX, we are considering putting 16 virtual remote sensors.
1/ If the goal of the remote sensors is just to capture traffic and have NIDS, could remote sensors be replaced by Security Onion for example and forward those logs to USM to be used as flows coming from remote sensors?
2/ What is the difference between remote sensors vs. sensors if the 2 network interfaces are enough? Except for price, is there, for example, a max bandwidth difference, or is bandwidth just a matter of resources allocated to the virtual machine?