Applies to Product: USM Appliance™, LevelBlue OSSIM®
This section introduces the various USM Appliance components and explains the different deployment types.
USM Appliance Components
All USM Appliance products include these three core components available as hardware or virtual machines. USM Appliance All-in-One combines the Server, Sensor, and Logger components onto a single system.
USM Appliance Sensor
The USM Appliance Sensor is deployed throughout the network to collect logs and monitor network traffic. It provides the five essential USM Appliance security capabilities – Behavioral Monitoring, SIEM, Intrusion Detection, Asset Discovery, and Vulnerability Assessment – for complete visibility.
There must be at least one USM Appliance Sensor. Depending on your corporate requirements, more may be desirable. This is particularly true if you have distributed branches on subnets subordinate to the network at your headquarters.
USM Appliance Server
Aggregates and correlates information that the Sensors gather. Provides single-pane-of-glass management, reporting, and administration.
There is usually just one USM Appliance Server.
USM Appliance Logger
Securely archives raw event log data for forensic research and compliance mandates.
There is usually just one USM Appliance Logger. However, under some circumstances, two may be used. For information, contact LevelBlue Technical Support.
USM Appliance Deployment Types
You deploy LevelBlue USM Appliance in one of two ways: simple or complex.
Simple Deployment
Deploys all LevelBlue USM Appliance components — Sensor, Server, and Logger — in a single machine called USM Appliance All-in-One.
This deployment model is most applicable to smaller environments, testing, and demonstrations.
Complex/Distributed Deployment
This model deploys each LevelBlue USM Appliance component — Sensor, Server, and Logger — as an individual virtual or hardware machine to create a distributed topology.
This deployment model comes in two versions that increase scalability and performance by provisioning dedicated systems for each component.
USM Appliance Standard
Consists of the following:
- USM Appliance Standard Server
- USM Appliance Standard Sensor
- USM Appliance Standard Logger
USM Appliance Enterprise
Consists of the following:
- USM Appliance Enterprise Server — includes the Enterprise Server and Enterprise Database
- USM Appliance Enterprise Sensor
- USM Appliance Enterprise Logger
Note: The USM Appliance Enterprise solution is not available as a virtual machine.
| | USM Appliance All-in-One | USM Appliance Standard | USM Appliance Enterprise |
|---|---|---|---|
| User Type | Small organizations | Mid-size organizations | Large organizations |
| Environment | Single-tier deployment | Multi-tier deployments and distributed environment | Multi-tier deployments and distributed environment |
| Virtual Appliance | x | x | |
| Hardware Appliance | x | x | x |
For more details, see the USM Appliance data sheet.
USM Appliance Deployment Examples
This topic provides topology examples for the three USM Appliance deployment options:
- Simple deployment with USM Appliance All-in-One
- Extended simple deployment with a combination of All-in-One and one or more Remote Sensors
- Complex deployment for larger corporations with multiple branches
Simple Deployment Example
In this example, a USM Appliance All-in-One virtual or hardware appliance is deployed behind the corporate firewall.
The USM Appliance Sensor component on the USM Appliance All-in-One collects logs from the following networks:
- Office network
- Wireless network
- DMZ
- Firewalls
The USM Appliance All-in-One also monitors the network traffic through the connected switches.
These switches must have port mirroring enabled.
Extended Simple Deployment Example
This model differs from the Simple Deployment example in that it uses a USM Appliance Remote Sensor for monitoring at a remote office that operates on a subnet. USM Appliance All-in-One is deployed on the main network.
The USM Appliance Remote Sensor collects logs and monitors traffic specific to that subnet. It then sends this data to USM Appliance All-in-One on the main network for correlation and risk assessment.
Complex Deployment Example
In this deployment example, each office subnet has a remote sensor deployed to collect logs and monitor traffic.
On the main network at headquarters, a single USM Appliance Server, a Logger, and at least one Sensor are installed as individual appliances to increase scalability and performance.
All USM Appliance Sensors connect to one USM Appliance Server where correlation and risk assessment occur.
The USM Appliance Server forwards the events and alarms to the USM Appliance Logger for long-term storage.
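As an added illustration of the deployment rules in this section (example code, not LevelBlue's own tooling), the following Python check walks a planned topology and reports layouts the text says are not supported: no Sensor, more than one Server, an Enterprise appliance run as a VM, a Sensor that does not report to the Server, or a monitored segment with no Sensor on it. The Appliance record and the plan format are assumptions made for the example.

```python
# Added example: validate a planned USM Appliance topology against the rules
# stated in this section. The Appliance record is a constructed plan format,
# not a LevelBlue product format.
from dataclasses import dataclass

ROLES = {"sensor", "server", "logger"}
TIERS = {"all-in-one", "standard", "enterprise"}


@dataclass
class Appliance:
    name: str
    roles: set            # subset of ROLES; an All-in-One carries all three
    tier: str             # one of TIERS
    virtual: bool         # True for a virtual machine, False for hardware
    subnet: str           # network segment the appliance sits on
    reports_to: str = ""  # for a Sensor: name of the Server it sends events to


def check_topology(appliances, monitored_subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    by_role = {r: [a for a in appliances if r in a.roles] for r in ROLES}
    servers = {a.name for a in by_role["server"]}

    if not by_role["sensor"]:
        problems.append("at least one Sensor is required")
    if len(servers) != 1:
        problems.append(f"expected one Server, found {len(servers)}")
    if not by_role["logger"]:
        problems.append("a Logger is required for long-term event storage")
    elif len(by_role["logger"]) == 2:
        problems.append("two Loggers: confirm the layout with Technical Support")
    elif len(by_role["logger"]) > 2:
        problems.append("more than two Loggers is not a supported layout")

    for a in appliances:
        if a.tier not in TIERS or not a.roles <= ROLES:
            problems.append(f"{a.name}: unknown tier or role")
        if a.tier == "enterprise" and a.virtual:
            problems.append(f"{a.name}: Enterprise is hardware-only")
        if a.tier == "all-in-one" and a.roles != ROLES:
            problems.append(f"{a.name}: All-in-One must carry all three roles")
        # A Sensor not co-located with the Server must report to that Server.
        if "sensor" in a.roles and "server" not in a.roles and a.reports_to not in servers:
            problems.append(f"{a.name}: Sensor does not report to the Server")

    # Every segment to be monitored needs a Sensor deployed on that segment.
    covered = {a.subnet for a in by_role["sensor"]}
    for subnet in monitored_subnets:
        if subnet not in covered:
            problems.append(f"{subnet}: no Sensor deployed on this segment")
    return problems
```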