AlienVault Deployment Guide

Contents

  AlienVault Deployment Guide                                          1
  About USM Appliance System Architecture and Components               2
  USM Appliance Deployment Options                                     3
  USM Appliance Deployment Examples                                    4
    Example I: Simple Deployment                                       4
    Example II: Extended Simple Deployment                             5
    Example III: Complex Deployment                                    6
  Minimum Hardware Requirements for USM Appliance Virtual Machines     7
  Firewall Permissions                                                 8
    About the Use of VPN                                              10

Copyright 2017 SIMBUS 360. All Rights Reserved | [email protected] | 1.949.398.2600


Deployment Process

1 Review Deployment Requirements

2 Deployment Planning

3 USM Appliance Deployment

4 Register USM Appliance

5 USM Initial Setup

6 Setup Wizard

7 IDS Configuration

8 VPN Configuration

9 High Availability Configuration

10 Plugin Management

11 Configure Update Process

12 Backup and Restore

13 USM Initial Setup

About USM Appliance System Architecture and Components


As a unified security platform, USM Appliance combines several critical security technologies in one
integrated platform. USM Appliance can be deployed as a single appliance or distributed across multiple
servers (either virtual or hardware) to provide additional scalability and availability. The following figure
presents a high-level overview of the AlienVault USM Appliance system architecture.

The three components of the USM Appliance architecture that work together to monitor and provide
security in your environment are:

- USM Appliance Sensor(s) — Deployed throughout the network to collect and normalize
  information from any devices in your network environment that you want to manage with USM
  Appliance. A wide range of plugins are available to process raw logs and data from various
  types of devices such as firewalls, routers, and host servers.
- USM Appliance Server — Aggregates and correlates the information that the USM Appliance
  Sensors gather. (This is USM Appliance's SIEM capability.) Provides single pane-of-glass
  management, reporting, and administration through a web-based user interface.
- USM Appliance Logger — Securely archives raw event log data for forensic research and
  compliance mandates. (This archive of raw event data is also referred to as cold storage.)

USM Appliance Deployment Options


AlienVault USM Appliance can be deployed in one of two basic configurations:

- Simple Deployment Model — All USM Appliance components (Sensor, Server, and Logger) are
  combined in a USM Appliance All-in-One appliance. This configuration is most often used in
  smaller environments, as well as for demonstrations and proof-of-concept deployments.
- Multi-tier, Distributed Deployment Model — This model deploys each AlienVault USM
  Appliance component (Sensor, Server, and Logger) as an individual virtual or hardware appliance
  to create a distributed system topology.

The distributed deployment model also comes in two versions, USM Appliance Standard and USM
Appliance Enterprise, that increase scalability and performance by provisioning dedicated systems
for each USM Appliance component. See USM Appliance Deployment Examples for more details on
USM Appliance deployment models and examples.

USM Appliance Deployment Examples


This topic provides topology examples for three USM Appliance deployment options:

- Simple deployment with USM Appliance All-in-One
- Extended simple deployment with a combination of All-in-One and one or more Remote Sensors
- Complex deployment for larger corporations with multiple branches

Example I: Simple Deployment
In this example, a USM Appliance All-in-One virtual or hardware appliance is deployed behind the
corporate firewall.

The USM Appliance Sensor component on the USM Appliance All-in-One collects logs from the following
networks:

- Office network
- Wireless network
- DMZ
- Firewalls

The USM Appliance All-in-One also monitors the network traffic through the connected switches.

These switches must have port mirroring enabled.



Example II: Extended Simple Deployment
This model differs from the Simple Deployment example in that it uses a USM Appliance Remote Sensor
for monitoring at a remote office that sits on its own subnet. USM Appliance All-in-One is deployed on
the main network.

The USM Appliance Remote Sensor collects logs and monitors traffic specific to that subnet. It then sends
this data to the USM Appliance All-in-One on the main network for correlation and risk assessment.



Example III: Complex Deployment
In this deployment example, each office subnet has a remote sensor deployed to collect logs and
monitor traffic.

On the main network at headquarters, a single USM Appliance Server, a Logger, and at least one Sensor
are installed as individual appliances to increase scalability and performance.

All USM Appliance Sensors connect to one USM Appliance Server where correlation and risk assessment
occur.

The USM Appliance Server forwards the events and alarms to the USM Appliance Logger for long-term
storage.



Minimum Hardware Requirements for USM Appliance Virtual Machines
All AlienVault USM Appliance hardware meets the requirements listed in the table below. To achieve
sufficient performance, you need to use similar or better hardware to host every AlienVault USM
Appliance virtual machine. Hosting USM Appliance virtual machines on inadequate system resources
may affect their ability to perform necessary tasks and may also reduce the stated throughput. In
addition, if the host satisfies the hardware specification but you run multiple USM Appliance virtual
machines on it, performance degrades.

Warning: In USM Appliance version 5.4, AlienVault updated its Network IDS to include the Hyperscan
library, which requires the CPU to support SSSE3 (Supplemental Streaming SIMD Extensions 3)
instruction set.



USM Appliance Minimum Required Hardware Specifications

  Name                                  Value
  CPU Type                              Intel® Xeon E5620
  RAM Type                              DDR3 1333 MHz
  Disk Type                             SAS 10000 RPM (204 MB/s)
  Memory Performance (MEMCPY)           3310.32 MiB/s
  Disk Performance (random read/write)  15.97 MB/s
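The SSSE3 warning above is the requirement most likely to bite a virtual deployment, because a guest only sees the flags its virtual CPU model exposes: a generic or down-levelled vCPU model can hide SSSE3 even when the physical CPU (a Xeon E5620 has it) supports it. The following script, an added example that is not part of the guide or of AlienVault's tooling, parses /proc/cpuinfo on a Linux host or guest and reports any processor that lacks the required flag. The SAMPLE_OK and SAMPLE_MASKED texts are constructed stand-ins so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Check that every CPU a USM Appliance VM will run on exposes SSSE3.

Added example, not part of the guide. Run it on the hypervisor host and again
inside the guest: if the host passes and the guest fails, the vCPU model is
masking the flag. Reads /proc/cpuinfo (Linux); the SAMPLE_* texts are
constructed for offline use.
"""
import re
import sys

REQUIRED_FLAGS = ("ssse3",)  # Hyperscan in the 5.4 Network IDS needs this


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one dict per logical processor.

    Stanzas are separated by a blank line and hold 'key : value' rows. The
    'flags' row becomes a set so lookups are exact-match: 'sse3' must never
    satisfy an 'ssse3' requirement, which a substring search would allow.
    """
    cpus = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "processor" not in fields:
            continue
        fields["flags"] = set(fields.get("flags", "").split())
        cpus.append(fields)
    return cpus


def missing_flags(text, required=REQUIRED_FLAGS):
    """Map processor id -> sorted required flags it lacks (empty dict means OK)."""
    gaps = {}
    for cpu in parse_cpuinfo(text):
        lacking = sorted(f for f in required if f not in cpu["flags"])
        if lacking:
            gaps[cpu["processor"]] = lacking
    return gaps


# Constructed sample: a physical E5620 host, two logical processors, SSSE3 present.
SAMPLE_OK = """\
processor\t: 0
model name\t: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht syscall nx lm sse3 ssse3 sse4_1 sse4_2 popcnt

processor\t: 1
model name\t: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht syscall nx lm sse3 ssse3 sse4_1 sse4_2 popcnt
"""

# Constructed sample: a guest whose generic vCPU model hides SSSE3 (sse3 only).
SAMPLE_MASKED = """\
processor\t: 0
model name\t: Generic 64-bit virtual CPU (constructed)
flags\t\t: fpu vme de pse tsc msr pae sse sse2 syscall nx lm sse3
"""


def main(path="/proc/cpuinfo"):
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; using constructed sample", file=sys.stderr)
        text = SAMPLE_MASKED
    gaps = missing_flags(text)
    for cpu, lacking in gaps.items():
        print(f"processor {cpu}: missing {' '.join(lacking)}")
    if gaps:
        print("FAIL: USM Appliance 5.4+ Network IDS (Hyperscan) needs SSSE3 on every CPU")
        return 1
    print(f"OK: all {len(parse_cpuinfo(text))} processors expose {' '.join(REQUIRED_FLAGS)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

A non-zero exit means the IDS will not start correctly on 5.4 or later; fix the vCPU model (or move the VM to a host whose CPU has SSSE3) before registering the appliance rather than after the upgrade.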

Firewall Permissions
USM Appliance components must use particular URLs, protocols, and ports to function correctly.

Note: If you deploy USM Appliance All-in-One, you only need to open the ports associated with the
monitored assets. All-in-One includes both the USM Appliance Server and the USM Appliance Sensor, so
the communication between them is internal to the appliance.

If your organization restricts outbound traffic, you must add rules on your firewall(s) that allow
USM Appliance to reach the destinations listed below.

External URLs and port numbers used by USM Appliance features

  Server URL                  Port     AlienVault Feature in Use           Applicable Release
  data.alienvault.com         80       AlienVault product and feed update  All
  maps-api-ssl.google.com     443      Asset Location                      All
  messages.alienvault.com     443      Message Center                      All
  telemetry.alienvault.com    443      Telemetry Data Collection           All
  tractorbeam.alienvault.com  22, 443  Remote Support                      All
  www.google.com              80       AlienVault API                      All
  reputation.alienvault.com   443      AlienVault IP Reputation            All
  otx.alienvault.com          443      Open Threat Exchange                5.1+

The following diagram shows the port numbers used by the USM Appliance components to
communicate with each other and with the monitored assets. The direction of each arrow indicates the
direction of the network traffic.

Port numbers used between USM Appliance components

Important: Ports labeled with * are optional.


- On the hosts you plan to deploy AlienVault HIDS agents on, you must open TCP port 139 and TCP
  port 445 (inbound) to allow for initial deployment, and UDP port 1514 (outbound) for ongoing
  communication between the HIDS agent and the USM Appliance Sensor. For assistance on
  deployment, see Deploy AlienVault HIDS Agents.
- To use SNMP in USM Appliance, you need to open UDP port 161 on the SNMP agent and UDP port
  162 on the USM Appliance Sensor. For more details, see SNMP Configuration in USM Appliance.



About the Use of VPN
Port 33800/TCP shown in the diagram is the default VPN port and is only used when the VPN is enabled.
You may use a different port for the VPN, if desired.

Note: When the VPN is enabled, you do not need to open the other ports between the USM
Appliance Sensor and the USM Appliance Server, because all communication between them goes
through the VPN tunnel.

If you enable the VPN, in addition to opening 33800/TCP for the tunnel you must also exempt that port
from TLS inspection or interception on any firewall or security device in the path. The tunnel is carried
over TLS, and a device that terminates and re-signs the session will prevent the Sensor and Server from
establishing it.
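Before running the Setup Wizard it is worth confirming, from the appliance's own egress path, that the external destinations in the Firewall Permissions table are actually reachable and that nothing in the path is re-signing TLS. The script below is an added example, not AlienVault's own tooling: REQUIRED_EGRESS is transcribed from the table above, while the 3 s timeout, the issuer-based interception heuristic and the function names are this example's choices. Run it on the USM Appliance console or on any host that shares its egress firewall rules.

```python
#!/usr/bin/env python3
"""Pre-flight check of the firewall permissions this guide lists.

Added example, not part of the guide. For each external destination it
attempts a TCP connection; for the 443 destinations it also reports the
organization that issued the certificate presented, which is how an
inspecting proxy (the thing that breaks the TLS-based VPN tunnel) shows up.
"""
import socket
import ssl

# (host, port, feature) as in the "External URLs and port numbers" table.
REQUIRED_EGRESS = [
    ("data.alienvault.com", 80, "AlienVault product and feed update"),
    ("maps-api-ssl.google.com", 443, "Asset Location"),
    ("messages.alienvault.com", 443, "Message Center"),
    ("telemetry.alienvault.com", 443, "Telemetry Data Collection"),
    ("tractorbeam.alienvault.com", 22, "Remote Support"),
    ("tractorbeam.alienvault.com", 443, "Remote Support"),
    ("www.google.com", 80, "AlienVault API"),
    ("reputation.alienvault.com", 443, "AlienVault IP Reputation"),
    ("otx.alienvault.com", 443, "Open Threat Exchange (5.1+)"),
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, and filtered (timeout) all land here
        return False


def tls_issuer(host, port=443, timeout=3.0):
    """Organization that issued the certificate presented for host:port.

    On a clean path this is a public CA. Behind an inspecting proxy the
    session is re-signed by the proxy's CA: either that CA is in the local
    trust store (and its organization is what you see) or it is not, and
    verification fails. In both cases exempt the VPN port from inspection.
    Returns None when no TLS session could be set up at all.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "UNTRUSTED (intercepted, or the proxy CA is not installed)"
    except (OSError, ssl.SSLError):
        return None
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of
    # (attribute, value) pairs; flatten it to pick out organizationName.
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return issuer.get("organizationName", "<no O= in issuer>")


def preflight(targets=REQUIRED_EGRESS, connect=tcp_reachable):
    """Return [(host, port, feature, reachable), ...] for every target.

    'connect' is injectable so the reporting logic can run without network.
    """
    return [(h, p, f, bool(connect(h, p))) for h, p, f in targets]


def blocked(results):
    """Targets that failed, i.e. the firewall rules still to be added."""
    return [(h, p, f) for h, p, f, ok in results if not ok]


if __name__ == "__main__":
    results = preflight()
    for host, port, feature, ok in results:
        line = f"{'OK  ' if ok else 'FAIL'} {host}:{port:<4} {feature}"
        if ok and port == 443:
            line += f"  [issuer: {tls_issuer(host, port)}]"
        print(line)
    missing = blocked(results)
    print(f"\n{len(missing)} of {len(results)} destinations still blocked")
    raise SystemExit(1 if missing else 0)
```

A FAIL line is a missing egress rule; an issuer that is your own proxy vendor rather than a public CA, or an UNTRUSTED result, means TLS interception is active on that path and 33800/TCP must be excluded from it before the Sensor-to-Server VPN will come up.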
