USM Appliance Deployment Guide
Total Page:16
File Type:pdf, Size:1020Kb
USM Appliance™ Deployment Guide Copyright © 2021 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or affiliated companies. All other marks are the property of their respective owners. Updated April 27, 2021 2 USM Appliance™ Deployment Guide Contents System Overview 7 About USM Appliance 8 About USM Appliance System Architecture and Components 16 Event Collection, Processing, and Correlation Workflow 18 USM Appliance Deployments 23 USM Appliance Deployments 24 USM Appliance Deployment Types 25 USM Appliance Deployment Requirements 30 Firewall Permissions 33 Configure the USM Appliance Hardware 36 Deploy USM Appliance in VMware 50 Deploy USM Appliance Using Hyper-V Manager 55 Deploy USM Appliance with AMI 61 Configure the USM Appliance Sensor after Deployment 64 Configure the USM Appliance Logger after Deployment 65 Configure the USM Appliance Enterprise Server and Enterprise Database 70 Set Up the Management Interface 72 Register USM Appliance 73 USM Appliance Initial Setup 77 Access the AlienVault Setup Menu 78 Configure Network Interfaces 80 Configure the Search Domain 83 Configure a Hostname for USM Appliance 83 Change the Default Time Zone 84 Configure USM Appliance to Use a DNS 85 Configure Synchronization with an NTP Server 86 Configure USM Appliance to Recognize Your Local Keyboard 86 Configure Custom HTTPS Certificates in USM Appliance 87 Create the Default Admin User 89 USM Appliance™ Deployment Guide 3 Configure Mail Relay in USM Appliance 90 Configure USM Appliance to Use a Proxy 92 Getting Started Wizard 95 Running the Getting Started Wizard 96 Skipping the Getting Started Wizard 96 Configuring Network Interfaces 97 Discovering Assets in Your Network 99 Deploying HIDS to Servers 103 Enabling Log Management 106 Connecting to AlienVault Open Threat Exchange® 107 IDS Configuration 110 Intrusion Detection Systems 111 AlienVault HIDS 112 AlienVault NIDS 149 VPN Configuration 161 Prerequisites 162 Configure a VPN Between USM Appliance Systems 162 Building a VPN Tunnel Without a Client-Server Connection 166 Verifying the VPN Connection 168 Disabling a VPN Configuration 169 High Availability Configuration 171 How Does the High Availability Solution Work? 172 High Availability Prerequisites and Restrictions 173 Configuring High Availability in USM Appliance Standard Systems 174 Configuring High Availability in USM Appliance Enterprise Systems 187 Disabling High Availability 190 Upgrading a USM Appliance Deployment Configured for High Availability 191 Plugin Management 193 Plugin Fundamentals 194 Enable Plugins 207 Configure Plugins 216 Customize and Develop New Plugins 236 4 USM Appliance™ Deployment Guide Update Process 259 USM Appliance Updates 260 Update USM Appliance Online 261 Update USM Appliance Offline 264 Operating System Upgrade in Version 5.8.0 268 Error Codes When Updating from Version 5.8.0 to Version 5.8.x 272 Backup and Restoration 276 Back Up and Restore Alarms 277 Back Up and Restore Events 279 Back Up and Restore MongoDB 283 Back Up and Restore NetFlow Data 285 Back Up and Restore Raw Logs 287 Back Up and Restore System Configuration 290 Migrate Your USM Appliance Deployment 297 Restore Software on a USM Appliance Hardware 302 Update Your AlienVault License Key 307 System Maintenance and Remote Support 309 Message Center 310 Remote Support 314 Locate the AlienVault License and System ID 318 Purge Old System Logs 319 Replace Disk Drives or Power Supplies 319 USM Appliance™ Deployment Guide 5 USM Appliance™ Deployment Guide 6 System Overview This is a basic overview of AlienVault USM Appliance as it is deployed and used in your environment. Individual subjects covered in the System Overview include the following: l About USM Appliance — describes current risks in the business environment due to security threats and vulnerabilities, the role of risk assessment, an overview of USM Appliance security management capabilities for organizations to assess and mitigate risks, to detect threats and pri- oritize response, and to achieve compliance. l About USM Appliance System Architecture and Components — provides description of the USM Appliance architecture, including major system components and functionality. l USM Appliance Deployments — provides description of best practices for installation and con- figuration of USM Appliance. l Event Collection, Processing, and Correlation Workflow — describes the overall USM Appliance workflow, from collection of raw log data from networked devices to analyzing and determining risk from various threats and vulnerabilities. 7 USM Appliance™ Deployment Guide About USM Appliance Businesses today are exposed to an ever-increasing number of threats: l Network-based threats — Aimed at networks and network infrastructure. l Host-based threats — Aimed at individual hosts. l External threats — Coming from external attackers. l Internal threats — Coming from internal attackers. Although the goal of security solutions is to detect and prevent such threats, no network can be completely protected from them all. For this reason, USM Appliance focuses on mitigating risk, identifying vulnerabilities, detecting threats, and prioritizing response to the highest priority threats and vulnerabilities. Measures for mitigating risk, identifying vulnerabilities, and detecting threats include the following: l Identifying patterns of events that indicate a possible threat or vulnerability. l Determining the risk of potentially harmful attacks or compromise. l Implementing controls to address reported vulnerabilities. l Taking action to respond to identified attacks. l Performing ongoing monitoring and reporting of network and host-based activities. The Role of Risk Assessment To properly secure your infrastructure, first conduct a risk assessment of your assets. Risk assessment helps you determine the relative importance of the assets within your network, the vulnerabilities of those assets in relation to specific exploitation threats, and the likelihood of security events taking place against those assets. After completing these analyses, you can design security policies in response to the relative asset values and exploitation risks that various threats and vulnerabilities pose. Strong security policies focus on how best to protect your most vital and at-risk assets. For example, if a network resource is critical and the likelihood of an attack against it is high, focus your efforts on creating security policies that monitor for such attacks, and develop response plans to them. How USM Appliance Helps with Risk Assessment and Mitigation USM Appliance provides you with the ability to identify your critical assets and to set policies to alert you when those assets have vulnerabilities or are subjected to attacks. USM Appliance will generate alarms based upon the risk associated with any given security event captured in USM Appliance. The importance given to any given security event depends on three factors: USM Appliance™ Deployment Guide 8 l The value of the asset associated with the event l The threat represented by the event l The probability that the event will occur These factors are the building blocks for the traditional definition of risk: a measure of the potential impact of a threat on your assets and the probability a threat will be carried out. Each event generated in USM Appliance is evaluated in relation to its associated risk; in other words, in proportion to the assets at risk, the threat represented by the event, and the probability the threat is real. Accordingly, USM Appliance provides you the capability to identify all high risk events, some of which will result in alarms, and allow you to properly prioritize your response. How USM Appliance Helps Detect Threats and Prioritize Responses The following illustration highlights the capabilities and related tools that USM Appliance provides to help you perform security management tasks in your own environment. Asset Discovery — Combines core discovery and inventory technologies to give you visibility into the devices that are on your network. Features include: 9 USM Appliance™ Deployment Guide l Active and Passive Network Scanning l Asset Inventory l Service Inventory Performing asset discovery and inventory are the first essential steps to knowing what systems and devices are on your network. USM Appliance combines core discovery and inventory technologies to give you visibility into the devices you want to monitor. Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space. Vulnerability Assessment — Identifies assets and devices with unpatched software, insecure configurations, and other vulnerabilities on your network. Features include: l Continuous Vulnerability Monitoring l Authenticated / Unauthenticated Active Scanning l Remediation Verification The integrated internal vulnerability scanning keeps you abreast of vulnerabilities on your network, so you can prioritize patch deployment and remediation. Continuous correlation of your dynamic asset inventory with our vulnerability database provides you with up-to-date information on the vulnerabilities in your network, in-between your scheduled scans. Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space. Intrusion Detection — Coordinates incident response and threat management across your network with built-in security monitoring technologies, emerging