Complete. Simple. Affordable.
Copyright 2014 AlienVault. All rights reserved.
AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.
DC-00129 Edition 01 Copyright 2014 AlienVault. All rights reserved.

CONTENTS

1. INTRODUCTION
2. CREATE THE VSWITCH SPAN PORT GROUP
3. GRANT PROMISCUOUS MODE PERMISSIONS TO THE PORT GROUP
4. ASSIGN ALIENVAULT USM INTERFACES TO THE PORT GROUP
5. USM GETTING STARTED WIZARD: CONFIGURE ALIENVAULT TO MONITOR THE NEW INTERFACE
6. USM COMMAND LINE INTERFACE: CONFIGURE ALIENVAULT TO MONITOR THE NEW INTERFACE

1. INTRODUCTION

The objective of this document is to explain how to configure the AlienVault USM All in One virtual appliance to monitor a virtual network.

The AlienVault USM All in One virtual appliance has six network interfaces: one for management (eth0) and five others for log collection and traffic capture on the monitored network segment.

Connecting the monitor interface to a SPAN port enables the following functions to operate:

- Network IDS
- Netflow and Traffic Monitoring
- Passive Asset Identification

2. CREATE THE VSWITCH SPAN PORT GROUP

Virtual switches are configured through the ESX vSphere GUI via the master Configuration tab. Select Networking from the side panel and open Properties on the vSwitch you want AlienVault to monitor.

Figure 1. ESX vSphere GUI console

To capture all traffic over the vSwitch, a new port group must be created to direct traffic to. This port group acts like a network hub: all network traffic within the vSwitch is visible to interfaces connected to this port group.

Add a new Virtual Machines port group to the existing switch. Name the port group to indicate that it has visibility to all traffic (SPAN port). VLAN ID All (4095) is a special ID in VMware vSwitches that has visibility to all traffic on the switch.

Figure 2. Configure vSwitch with a SPAN port group

The SPAN port group is now created. Any VM interface connected to this SPAN port group will be able to enter promiscuous mode and capture traffic from any other VM interface connected to the other port groups on this vSwitch.

Figure 3. Add Network Wizard: SPAN port is created

3. GRANT PROMISCUOUS MODE PERMISSIONS TO THE PORT GROUP

The port group must have permission for interfaces to enter promiscuous mode before they can capture network traffic.

Figure 4. vSwitch Properties

If the defaults are to deny promiscuous mode, open the properties sheet (click on Edit...) for the SPAN port group and manually assign permission for promiscuous mode.

Figure 5. SPAN Ports Properties

4. ASSIGN ALIENVAULT USM INTERFACES TO THE PORT GROUP

Now that the port group is created, connect one or more interfaces of the AlienVault USM to the SPAN port group and power it on. Edit the settings of the target virtual appliance to assign the network adapter to the port group created (SPAN port).

Figure 6. USM Virtual Machine Properties: Network Connection

5. USM GETTING STARTED WIZARD: CONFIGURE ALIENVAULT TO MONITOR THE NEW INTERFACE

The network interface assigned to the port group must be configured for network monitoring as part of the first step of the USM Getting Started Wizard. Select Network Monitoring as the Purpose of the NIC previously assigned in the ESX configuration.

Figure 7. USM Getting Started Wizard: Network Interfaces

6. USM COMMAND LINE INTERFACE: CONFIGURE ALIENVAULT TO MONITOR THE NEW INTERFACE

1. Open a console terminal and enter the following command:

   ssh root@ip_address

   ip_address refers to the default IP of your appliance.

2. The AlienVault Setup main menu is displayed:

Figure 8. AlienVault Setup main menu

1. Use the arrow keys to move to the option Configure Sensor. Then, press Enter to accept the selection (<OK>).

Figure 9. AlienVault Setup: Configure Network Monitoring

2. Use the arrow keys to move to the option Configure Network Monitoring. Then, press Enter to accept the selection (<OK>).

Figure 10. AlienVault Setup: select sensor listening interfaces (promiscuous mode)

3. Use the arrow keys to move to the desired interface and select or deselect it by pressing the Space Bar. Accept the selection (<OK>) by pressing the Enter key. It is possible to select several interfaces.

4. Use the arrow keys to move to the option (<Back>), then press Enter; the AlienVault Setup main menu appears.

Figure 11. AlienVault Setup: Apply all Changes option

5. Use the arrow keys to move to the option Apply all Changes. Then, press Enter to accept the selection (<OK>).

Figure 12. AlienVault Setup: confirmation of changes

6. Press Enter to accept the changes (<Yes>). This process may take several minutes depending on the Internet connection. During the process, the following screen appears:

Figure 13. AlienVault USM Reconfig

7. At the end, the following message appears:

Figure 14. AlienVault Setup: Changes applied

8. Press Enter to accept (<OK>); the AlienVault Setup main menu appears.
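
To confirm from the appliance shell that the interface assigned in sections 4 to 6 is actually capturing, the following added example (not part of the AlienVault document or product) reads the Linux sysfs flags and receive counter for that interface. The interface name eth1 and the script name check_span.sh are assumptions.

```sh
#!/bin/sh
# Added example, not AlienVault code. SYSFS may point at a copy of
# /sys/class/net; the interface name passed in (e.g. eth1) is an assumption.
SYSFS="${SYSFS:-/sys/class/net}"

# decode_flags HEX -> "up|down promisc|nopromisc"
# Bits from <linux/if.h>: IFF_UP = 0x1, IFF_PROMISC = 0x100.
decode_flags() {
    f=$(( $1 ))
    if [ $(( f & 0x1 )) -ne 0 ]; then s=up; else s=down; fi
    if [ $(( f & 0x100 )) -ne 0 ]; then p=promisc; else p=nopromisc; fi
    echo "$s $p"
}

# rx_packets IFACE -> frames received so far on IFACE
rx_packets() {
    cat "$SYSFS/$1/statistics/rx_packets"
}

# check_iface IFACE [SECONDS]
# Returns 0 when IFACE is up, promiscuous, and its receive counter grows
# during the sample window; otherwise prints the reason and returns 1
# (2 when the interface does not exist).
check_iface() {
    iface=$1
    window=${2:-5}
    if [ ! -r "$SYSFS/$iface/flags" ]; then
        echo "$iface: no such interface"
        return 2
    fi
    state=$(decode_flags "$(cat "$SYSFS/$iface/flags")")
    case "$state" in
        "down "*)      echo "$iface: interface is down"; return 1 ;;
        *" nopromisc") echo "$iface: not promiscuous, no capture process holds it"; return 1 ;;
    esac
    before=$(rx_packets "$iface")
    sleep "$window"
    after=$(rx_packets "$iface")
    if [ "$after" -le "$before" ]; then
        echo "$iface: no frames in ${window}s, check the port group assignment and promiscuous permission"
        return 1
    fi
    echo "$iface: ok, $(( after - before )) frames in ${window}s"
}

# Example: sh check_span.sh eth1 10
if [ $# -gt 0 ]; then check_iface "$@"; fi
```

A "not promiscuous" result after Apply all Changes points at the sensor configuration in section 6, while "no frames" with the flag set points back at the port group settings in sections 2 to 4.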