USM Anywhere™

VMware Sensor Deployment

AT&T Cybersecurity provides a VMware Sensor to monitor your virtual and physical on-premises infrastructure. When this USM Anywhere Sensor is deployed and configured for your USM Anywhere instance, security-related data is collected and sent to the AlienVault Secure Cloud for security analysis, threat correlation, and secure, compliance-ready data storage. You can also create jobs to collect log data through VMware, including operating system and database-level logs.

Through VMware, you can deploy a USM Anywhere Sensor in any of the virtual networks that you want to instrument for network intrusion detection (NIDS). The sensor also provides the standard sensor features:

  • Log data collection
  • Authenticated asset scans
  • Unauthenticated asset discovery scans

The VMware Sensor deployment includes a network-based intrusion detection system (NIDS) that monitors the networks connected to the listening interfaces. A NIDS monitors network traffic and events for suspicious or malicious activity using the sensors that provide management and network monitoring interfaces to networks and network devices. A deployed VMware Sensor supports a NIDS throughput of 600 Mbps, but this performance may vary depending on your environment, configurations, and other variables.

AT&T Cybersecurity distributes the VMware Sensor as an Open Virtual Format (OVF) file that can be deployed through vCenter or directly to an ESXi Hypervisor version 5.1 and later.

Important: If you are using VMware ESXi 5.1 through 6.0, the VMware vSphere Desktop Client is required for deployment of the USM Anywhere Sensor OVF. You cannot use the VMware vSphere Web Client interface for the sensor deployment.

If you are using VMware ESX 6.5, you must have build 7388607 or later. Earlier builds have an issue with the OVF tools that will cause the sensor OVF deployment to fail.

If the OVF package is invalid and can't be deployed, and you get a SHA256 Error message, see The OVF Package Is Invalid and Cannot Be Deployed - SHA256 Error for more information.
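The version and build requirements above can be checked across a set of hosts before the OVF is deployed. The following is an added example, not part of the original AT&T Cybersecurity documentation; it assumes each host's version string was collected with `vmware -v` on the ESXi shell, and the host names and build numbers in the sample inventory are constructed.

```python
import re

# Format printed by `vmware -v` on an ESXi host,
# e.g. "VMware ESXi 6.5.0 build-7388607".
_VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)(?:\.\d+)* build-(\d+)")

MIN_VERSION = (5, 1)         # earliest hypervisor version named on this page
DESKTOP_CLIENT_MAX = (6, 0)  # 5.1 through 6.0 need the vSphere Desktop Client
MIN_BUILD_65 = 7388607       # minimum 6.5 build named on this page


def check_host(version_line):
    """Return (status, reason) for one `vmware -v` output line.

    status is "ok", "blocked" or "unknown".
    """
    m = _VERSION_RE.search(version_line)
    if m is None:
        return ("unknown", "unrecognized version string")
    version = (int(m.group(1)), int(m.group(2)))
    build = int(m.group(3))
    if version < MIN_VERSION:
        return ("blocked", "ESXi older than 5.1 is not supported")
    if version <= DESKTOP_CLIENT_MAX:
        return ("ok", "use the vSphere Desktop Client, not the Web Client")
    if version == (6, 5) and build < MIN_BUILD_65:
        return ("blocked", f"6.5 build {build} is older than {MIN_BUILD_65}")
    return ("ok", "no version-specific restriction on this page")


def check_fleet(inventory):
    """Map host name -> check_host() result for a {host: version_line} dict."""
    return {host: check_host(line) for host, line in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = {
        "esx-a.example": "VMware ESXi 6.0.0 build-1000001",
        "esx-b.example": "VMware ESXi 6.5.0 build-7000000",
        "esx-c.example": "VMware ESXi 6.5.0 build-7388607",
        "esx-d.example": "VMware ESXi 5.0.0 build-1000002",
    }
    for host, (status, reason) in check_fleet(sample).items():
        print(f"{host}: {status} ({reason})")
```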

The USM Anywhere Sensor deployed on VMware provides the ability to monitor the packets on networks that you select by attaching one of the Sensor network interfaces to a port configured in promiscuous mode on a virtual switch. In promiscuous mode, network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats. Monitoring also requires that port mirroring, a method of network monitoring in which a system passively collects network traffic on the same ports as other network devices, is enabled on the upstream physical switch to which the ESXi host is connected.

Note: If your organization uses multiple subnets to allow communication between headquarters and remote offices, you do not need a sensor for each subnet. However, you will need a deployed VMware Sensor for each physical location that you want to monitor.

You can optionally enter credentials for either your vCenter or ESXi servers, which allows the sensor to discover the VMs registered on the ESXi servers through the vSphere API. With these credentials, the sensor discovers assets, monitors user logins within your vSphere environment, and feeds this information back to USM Anywhere.

Deployment Process Overview

The deployment process for an initial USM Anywhere Sensor on VMware consists of these primary tasks:

  1. Review requirements for a VMware Sensor deployment
  2. Deploy a VMware Sensor by executing the USM_sensor-node.ovf file
  3. Configure the sensor on the virtual machine
  4. Register the new sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor
  5. Complete your VMware Sensor configuration, including initial asset discovery
