|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
This section introduces the various USM Appliance components and explains the different deployment types.
USM Appliance Components
All USM Appliance products include these three core components available as hardware or virtual machines. USM Appliance All-in-One combines the Server, Sensor, and Logger components onto a single system.
USM Appliance Sensor
The USM Appliance Sensor is deployed throughout the network to collect logs and monitor network traffic. It provides the five essential USM Appliance security capabilities – Behavioral Monitoring, SIEM, Intrusion Detection, Asset Discovery, and Vulnerability Assessment – for complete visibility.
There must be at least one USM Appliance Sensor. Depending on your corporate requirements, more may be desirable. This is particularly true if you have distributed branches on subnets subordinate to the network at your headquarters.
USM Appliance Server
Aggregates and correlates information that the Sensors gather. Provides single-pane-of-glass management, reporting, and administration.
There is usually just one USM Appliance Server.
USM Appliance Logger
Securely archives raw event log data for forensic research and compliance mandates.
There is usually just one USM Appliance Logger. However, under some circumstances, two may be used. For information, contact AlienVault Technical Support.
USM Appliance Deployment Types
You deploy AlienVault USM Appliance in one of two ways, simple or complex.
Deploys all AlienVault USM Appliance components — Sensor, Server, and Logger — in a single machine called USM Appliance All-in-One.
This deployment model has most applicability for smaller environments, for testing, and for demonstrations.
This model deploys each AlienVault USM Appliance component — Sensor, Server, and Logger — as an individual virtual or hardware machine to create a distributed topology.
This deployment model comes in two versions that increase scalability and performance by provisioning dedicated systems for each component.
USM Appliance Standard
Consists of the following
- USM Appliance Standard Server
- USM Appliance Standard Sensor
- USM Appliance Standard Logger
USM Appliance Enterprise
Consists of the following
- USM Appliance Enterprise Server — includes the Enterprise Server and Enterprise Database
- USM Appliance Enterprise Sensor
- USM Appliance Enterprise Logger
Note: The USM Appliance Enterprise solution is not available as a virtual machine.
|USM Appliance All-in-One||USM Appliance Standard||USM Appliance Enterprise|
|User Type||Small organizations||Mid-size organizations||Large organizations|
|Environment||Single-tier deployment||Multi-tier deployments & distributed environment||Multi-tier deployments and distributed environment|
For more details, see the USM Appliance data sheet.
USM Appliance Deployment Examples
This topic provides topology examples for the three USM Appliance deployment options
- Simple deployment with USM Appliance All-in-One
- Extended simple deployment with a combination of All-in-One and one or more Remote Sensors
- Complex deployment for larger corporations with multiple branches
In this example, a USM Appliance All-in-One virtual or hardware appliance is deployed behind the corporate firewall.
The USM Appliance Sensor component on the USM Appliance All-in-One collects logs from the following networks:
- Office network
- Wireless network
The USM Appliance All-in-One also monitors the network traffic through the connected switches.
These switches must have port mirroring enabled.
This model differs from the Simple Deployment example in that it uses a USM Appliance Remote Sensor for monitoring at a remote office that operates on a subnet. USM Appliance All-in-One is deployed on the main network.
USM Appliance Remote Sensor collects logs and monitors traffic specific to the subnet. It then sends these data to USM Appliance All-in-One on the main network for correlation and risk assessment.
In this deployment example, each office subnet has a remote sensor deployed to collect logs and monitor traffic.
On the main network at headquarters, a single USM Appliance Server, a Logger, and at least one Sensor install as individual appliances to increase scalability and performance.
All USM Appliance Sensors connect to one USM Appliance Server where correlation and risk assessment occur.
The USM Appliance Server forwards the events and alarms to the USM Appliance Logger for long-term storage.