USM Anywhere™

VMware Sensor Deployment

AT&T Cybersecurity provides a VMware Sensor to monitor your virtual and physical on-premises infrastructure. When this USM Anywhere Sensor is deployed and configured for your USM Anywhere instance, security-related data is collected and sent to the AT&T Cybersecurity Secure Cloud for security analysis, threat correlation, and secure, compliance-ready data storage. You can also create jobs to collect log data through VMware, including operating system (OS) and database-level logs.

Through VMware, you can deploy a USM Anywhere Sensor in any of the virtual networks that you want to instrument for a network-based intrusion detection system (NIDS), including standard sensor features:

  • Log data collection
  • Authenticated asset scans
  • Unauthenticated asset discovery scans

The VMware Sensor deployment includes a network-based intrusion detection system (NIDS) Network-based intrusion detection system (NIDS) monitors network traffic and events for suspicious or malicious activity using the sensors that provide management and network monitoring interfaces to networks and network devices. that monitors the networks connected to the listening interfaces. A deployed VMware Sensor supports a NIDS throughput of 600 Mbps, but this performance may vary depending on your environment, configurations, and other variables.

AT&T Cybersecurity distributes the VMware Sensor as an open virtual format (OVF) file that can be deployed through VMware vCenter or directly to a VMware ESX Hypervisor version 6.5 and later.

Important: Use VMware ESXi 6.5, you must have build 7388607 or later. Earlier builds have an issue with the OVF tools that will cause the sensor OVF deployment to fail.

If the OVF package is invalid and can't be deployed, and you get a SHA256 Error message, see The OVF Package Is Invalid and Cannot Be Deployed - SHA256 Error for more information.

The USM Anywhere Sensor deployed on VMware provides the ability to monitor the packets on networks that you select by attaching one of the Sensor network interfaces to a port configured in promiscuous mode Mode in which network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats. on a virtual switch. This also requires that port mirroring Method of network monitoring in which a system passively collects network traffic on the same ports as other network devices. is enabled on the upstream physical switch to which the ESXi host is connected.

Note: If your organization uses multiple subnets to enable communication between headquarters and remote offices, you do not need a sensor for each subnet. However, you will need a deployed VMware Sensor for each physical location that you want to monitor.

There is an option for you to enter credentials for either your vCenter or ESXi servers, which will allow the sensor to discover the virtual machines (VMs) registered on the ESXi servers through the VMware vSphere API. This enables the discovery of assets and also monitors user logins within your vSphere environment and feeds the information back to USM Anywhere.

Deployment Process Overview

The deployment process for an initial USM Anywhere Sensor on VMware consists of these primary tasks:

  1. Review requirements for a VMware Sensor deployment.
  2. Deploy a VMware Sensor by executing the USM_sensor-node.ovf file.
  3. Configure the sensor on the VM.
  4. Register the new sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor.
  5. Complete your VMware Sensor configuration, including initial asset discovery.

Related Video Content

To view other related training videos, click here.