USM v5 Deployment Guide

Copyright © 2016 AlienVault. All rights reserved. AlienVault, Open Threat Exchange, OTX, Unified Security Management, and USM are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their respective owners.

Contents

- AlienVault Unified Security Management™ v5 System Requirements (page 6)
  - Minimum Hardware Specifications (page 7)
  - Virtual Machine Requirements (page 7)
  - Supported Browsers (page 8)
- Deployment Planning (page 9)
  - About Deployment Planning (page 10)
  - About the AlienVault USM Components (page 10)
  - About USM Deployment Types (page 11)
  - USM Deployment Examples (page 12)
  - USM Firewall Permissions (page 15)
- USM Initial Setup (page 17)
  - About the Initial Setup (page 18)
  - Setup Task Overview (page 18)
  - Managing USM with a Virtual Appliance (page 21)
  - Managing USM with a Hardware Appliance (page 22)
  - Configuring the Network Interface (page 32)
  - Appliance Setup (page 35)
  - USM Logger Configuration (page 48)
  - Connecting Your Corporate Mail Server to USM (page 51)
- Getting Started Wizard (page 52)
  - About the Getting Started Wizard (page 53)
  - Running the Getting Started Wizard (page 55)
- Configuring High Availability (page 66)
  - About High Availability (page 67)
  - High Availability Prerequisites and Restrictions (page 68)
  - Configuring High Availability in USM Standard Virtual Appliances (page 70)
  - Configuring High Availability in USM Enterprise Hardware Appliances (page 82)
  - Disabling High Availability (page 85)
  - Upgrading a USM Deployment Configured for High Availability (page 86)
- Virtual Private Network Configuration (page 88)
  - About Configuring a Virtual Private Network (page 89)
  - Configuring a Virtual Private Network (page 89)
  - Verifying the VPN Connection (page 94)
  - Disabling a VPN Configuration (page 94)
- IDS Configuration (page 96)
  - About Intrusion Detection Systems (page 97)
  - AlienVault HIDS (page 98)
  - AlienVault NIDS (page 114)
- Plugin Management (page 123)
  - About the Use of Plugins in USM (page 124)
  - About the USM Plugin Types (page 125)
  - Enabling Plugins (page 139)
  - Troubleshooting Plugins (page 150)
  - Updating Plugins (page 152)
  - About Customizing or Developing Plugins (page 154)
  - Customizing an Existing Plugin (page 156)
  - About Developing a New Plugin (page 157)
  - Developing a New Plugin (page 160)
  - Adding New Event Types (page 162)
- Configuration Backup and Restoration (page 164)
  - About the Backup Process (page 165)
  - About the Restoration Process (page 165)
  - Backing Up Configurations (page 167)
  - Restoring Configuration Backups (page 169)
  - Managing Configuration Backups (page 169)
- USM Update Process (page 171)
  - About the USM Updates (page 172)
  - About USM Update Order (page 172)
  - Updating USM Online (page 173)
  - Performing USM Update Offline (page 174)
  - Updating the IPMI Firmware (page 178)
- Remote Support (page 182)
  - About Remote Support (page 183)
  - Remote Support Prerequisites (page 183)
  - Using Remote Support (page 183)

AlienVault Unified Security Management™ v5 System Requirements

This topic discusses the following subtopics:
- Minimum Hardware Specifications (page 7)
- Virtual Machine Requirements (page 7)
- Supported Browsers (page 8)

Minimum Hardware Specifications

Hosting USM virtual appliances on inadequate system resources may affect their ability to perform necessary tasks and to reach the stated throughput. All AlienVault hardware appliances share the specifications listed in the table below. To achieve adequate performance, use similar or better hardware to host one AlienVault USM virtual appliance. In other words, if the host satisfies the hardware specification but runs multiple USM v5 virtual appliances, performance degrades.

USM Recommended Hardware Specifications

Name                                   Value
CPU Type                               Intel® Xeon E5620
RAM Type                               DDR3 1333 MHz
Disk Type                              SAS 10000 RPM (204 MB/s)
Memory Performance (MEMCPY)            3310.32 MiB/s
Disk Performance (random read/write)   15.97 Mb/s

Virtual Machine Requirements

The following table lists the system requirements for the different AlienVault USM virtual appliances.

USM Virtual Machine Requirements

                            USM All-in-One       Remote Sensor        USM Standard
                            1TB      500GB       1TB      250GB       Server   Logger   Sensor
Virtual Cores (1)           8        8           4        4           8        8        8
RAM (GB)                    16       16          8        8           24       24       24
Storage (TB)                1.0      0.5         1.0      0.25        1.2      1.8      1.2
Virtualization Environment  VMware ESXi 4.x, 5.x, and 6.x (all appliances)

(1) These are virtual cores with hyperthreading disabled.
About Hyperthreading in VMware ESXi 4.x

Because the maximum number of virtual CPUs per virtual machine is 8 on VMware ESXi 4.x (see VMware's documentation in PDF format for details), hyperthreading must be disabled to ensure correct CPU performance.

VMware ESX 4.x formats datastores with a 1 MB block size by default, which allows files of at most 256 GB. Because this does not meet the USM minimum disk space requirements, you must increase the block size. (For details, see the VMware KB article "Increasing the block size of local VMFS storage in ESX 4.x during installation".)

Supported Browsers

AlienVault supports the following browsers. All USM releases are tested on the most recent version of each browser and on the version prior to it.

Supported browsers

            Windows   Mac OS X   Linux
Chrome      x         x          x
Edge        x
Firefox     x         x          x
IE 11       x
Safari                x

Deployment Planning

This topic discusses the following subtopics:
- About Deployment Planning (page 10)
- About the AlienVault USM Components (page 10)
- About USM Deployment Types (page 11)
- USM Deployment Examples (page 12)
- USM Firewall Permissions (page 15)

About Deployment Planning

These topics help hardware and software deployment managers successfully deploy AlienVault Unified Security Management™ (USM) v5.
- What USM components are part of the solution my company purchased? See About the AlienVault USM Components.
- How do the USM deployment solutions differ from each other? See About USM Deployment Types.
- How does topology change according to which USM solution my company purchased? See USM Deployment Examples, on page 12.
- Which transport protocols do USM components require? See USM Firewall Permissions, on page 15.
- Which ports do I need to open? See USM Firewall Permissions, on page 15.
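The sizing rules in the two sections above (one virtual appliance per host meeting the reference specification, the per-appliance figures in the USM Virtual Machine Requirements table, and the ESXi 4.x limits of 8 vCPUs per VM and a 256 GB maximum file size on the default 1 MB VMFS block) can be checked before a deployment is built rather than discovered when a VMDK fails to create. The Python script below is an added example and is not AlienVault's code. The appliance key names, the Host dataclass and the host figures in the usage call are assumptions made for this example; the block-size table (1 MB to 256 GB, 2 MB to 512 GB, 4 MB to 1 TB, 8 MB to 2 TB) is the VMFS3 maximum file size as VMware documents it for ESX/ESXi 4.x.

```python
"""Pre-deployment capacity check for USM v5 virtual appliances.

Added example, not AlienVault's code.  Per-appliance figures are taken from
the guide's "USM Virtual Machine Requirements" table; the VMFS3 block-size
limits are VMware's documented maxima for ESX/ESXi 4.x.  The Host dataclass
and the appliance key names are assumptions made for this example.
"""
from dataclasses import dataclass

# (virtual cores with hyperthreading disabled, RAM in GB, storage in TB)
VM_REQUIREMENTS = {
    "all-in-one-1tb":      (8, 16, 1.0),
    "all-in-one-500gb":    (8, 16, 0.5),
    "remote-sensor-1tb":   (4, 8, 1.0),
    "remote-sensor-250gb": (4, 8, 0.25),
    "standard-server":     (8, 24, 1.2),
    "standard-logger":     (8, 24, 1.8),
    "standard-sensor":     (8, 24, 1.2),
}

# VMFS3 (ESX/ESXi 4.x): datastore block size in MB -> largest file in GB.
# The default 1 MB block is the case the guide warns about.
VMFS3_MAX_FILE_GB = {1: 256, 2: 512, 4: 1024, 8: 2048}

ESXI4_MAX_VCPUS_PER_VM = 8


@dataclass
class Host:
    """Assumed shape of the hypervisor host (example assumption)."""
    cores: int              # physical cores with hyperthreading disabled
    ram_gb: int
    datastore_tb: float
    esxi_major: int         # 4, 5 or 6
    vmfs_block_mb: int = 1  # only consulted for ESXi 4.x / VMFS3


def check_plan(host, appliances):
    """Return a list of findings; an empty list means the plan fits the host."""
    findings = []
    need_cores = need_ram = 0
    need_storage = 0.0

    for name in appliances:
        if name not in VM_REQUIREMENTS:
            findings.append(f"{name}: unknown appliance type")
            continue
        cores, ram_gb, storage_tb = VM_REQUIREMENTS[name]
        need_cores += cores
        need_ram += ram_gb
        need_storage += storage_tb

        if host.esxi_major == 4:
            # ESXi 4.x caps a VM at 8 vCPUs; the 8-core appliances only fit
            # with hyperthreading disabled, which is the guide's requirement.
            if cores > ESXI4_MAX_VCPUS_PER_VM:
                findings.append(f"{name}: needs {cores} vCPUs, ESXi 4.x allows "
                                f"{ESXI4_MAX_VCPUS_PER_VM}")
            # A VMDK larger than the VMFS3 file limit cannot be created at all.
            max_gb = VMFS3_MAX_FILE_GB.get(host.vmfs_block_mb)
            disk_gb = storage_tb * 1024
            if max_gb is None:
                findings.append(f"{name}: unsupported VMFS3 block size "
                                f"{host.vmfs_block_mb} MB")
            elif disk_gb > max_gb:
                findings.append(
                    f"{name}: {disk_gb:.0f} GB disk exceeds the {max_gb} GB file "
                    f"limit of a {host.vmfs_block_mb} MB VMFS3 block; reformat the "
                    "datastore with a larger block size")

    # Aggregate checks: the host must cover the sum of every appliance on it.
    if need_cores > host.cores:
        findings.append(f"cores: need {need_cores}, host has {host.cores}")
    if need_ram > host.ram_gb:
        findings.append(f"RAM: need {need_ram} GB, host has {host.ram_gb} GB")
    if need_storage > host.datastore_tb:
        findings.append(f"storage: need {need_storage:.2f} TB, datastore has "
                        f"{host.datastore_tb:.2f} TB")
    # The guide sizes one appliance per reference host; co-hosting degrades throughput.
    if len(appliances) > 1:
        findings.append(f"co-hosting: {len(appliances)} appliances on one host; the "
                        "guide expects one appliance per host meeting the reference spec")
    return findings


if __name__ == "__main__":
    # Constructed host figures for illustration: an ESXi 4.x host left on the
    # default 1 MB block size, hosting a single 1 TB All-in-One.
    host = Host(cores=8, ram_gb=16, datastore_tb=1.0, esxi_major=4, vmfs_block_mb=1)
    for finding in check_plan(host, ["all-in-one-1tb"]) or ["plan fits"]:
        print(finding)
```

Run as-is it reports that the 1 TB All-in-One disk cannot be created on the default 1 MB block; changing vmfs_block_mb to 4 (or esxi_major to 5 or 6) clears the finding, and adding a second appliance to the list produces the oversubscription and co-hosting findings even on a host that meets the reference specification.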
About the AlienVault USM Components

All USM products include these three core components, available as hardware or virtual appliances:

USM Sensor
The USM Sensor is deployed throughout the network to collect logs and monitor network traffic. It provides the five essential USM security capabilities (Behavioral Monitoring, SIEM, Intrusion Detection, Asset Discovery, and Vulnerability Assessment) for complete visibility. There must be at least one USM Sensor; depending on your corporate requirements, more may be desirable. This is particularly true if you have distributed branches on subnets subordinate to the network at your headquarters.

USM Server
Aggregates and correlates the information that the Sensors gather, and provides single-pane-of-glass management, reporting, and administration. There is always exactly one USM Server.

USM Logger
Securely archives raw event log data for forensic research and compliance mandates. There is usually just one USM Logger; under some circumstances, two may be used. For information, contact AlienVault Technical Support.

Note: USM All-in-One combines the Server, Sensor, and Logger components on a single system.

About USM Deployment Types

You deploy AlienVault USM in one of two ways:

Simple Deployment
Deploys all AlienVault USM components (Sensor, Server, and Logger) in a single hardware or virtual appliance called USM All-in-One. This deployment model is most applicable to smaller environments, testing, and demonstrations.

Complex/Distributed Deployment
This model deploys each AlienVault USM component (Sensor, Server, and Logger) as an individual virtual or hardware appliance to create a distributed topology.
This deployment model comes in two versions that increase scalability and performance by provisioning dedicated systems for each component:

USM Standard consists of the following:
- USM Standard Server
- USM Standard Sensor
- USM Standard Logger

USM Enterprise consists of the following:
- USM Enterprise Server (combines the Enterprise Server and the Enterprise Database)
- USM Enterprise Sensors
- USM Enterprise Logger

Note: The USM Enterprise solution is not available as a virtual appliance.

For examples of deployment topology, see USM Deployment Examples, on page 12.

AlienVault USM deployment solutions

                     USM All-in-One           USM Standard                                          USM Enterprise
User Type            Small organizations      Mid-size organizations                                Large organizations
Environment          Single-tier deployment   Multi-tier deployments and distributed environment    Multi-tier deployments and distributed environment
Virtual Appliance    x                        x
Hardware Appliance   x                        x                                                     x

For more details, see the USM datasheet.

USM Deployment Examples

This topic provides topology examples for three USM deployment options:
- Simple deployment with USM All-in-One
- Extended simple deployment with a combination of All-in-One and one or more Remote Sensors
- Complex deployment for larger corporations with multiple branches

Example I: Simple Deployment

In this example, a USM All-in-One virtual or hardware appliance is deployed behind the corporate firewall. The USM Sensor component on the USM All-in-One collects logs from the following networks:
- Office network
- Wireless network
- DMZ
- Firewalls

The USM All-in-One also monitors the network traffic passing through the connected routers. These routers must have port mirroring enabled.

[Figure: Simple deployment example: USM All-in-One]

Example II: Extended Simple Deployment

This model differs from the Simple Deployment example in that it uses a USM Remote Sensor for monitoring at a remote office that operates on its own subnet.
USM All-in-One is deployed on the main network. The USM Remote Sensor collects logs and monitors traffic specific to the remote subnet, then sends this data to the USM All-in-One on the main network for correlation and risk assessment.

[Figure: Extended simple deployment example: USM All-in-One and a remote sensor]

Example III: Complex Deployment

In this deployment example, each office subnet has a remote sensor deployed to collect
Published on Oct 14, 2021