Applies to Product: USM Appliance™, LevelBlue OSSIM®
A LevelBlue USM Appliance All-in-One comes with six network interfaces, numbered eth0 to eth5. USM Appliance uses these interfaces to perform the following functions:
- Monitor the network, using its built-in IDS capabilities
- Run asset scans
- Collect log data from your assets
- Run vulnerability scans
- Generate network flows
The interfaces include the options described in the following subtopics.
By default, USM Appliance configures the management interface to perform network monitoring, log collection, and scanning. For this reason, you do not need to configure any additional interfaces, as long as they are all on the same subnet as the management interface.
The management interface lets you:
- Communicate with the LevelBlue console
- Connect to the web interface
You cannot configure the management interface from the Getting Started Wizard; it is configured during initial setup from the LevelBlue console. For more information, see Set Up the Management Interface.
Note: The default port for the management interface is eth0. However, you may configure a different port for this interface, if desired.
When the administrator configures an interface for network monitoring, the interface operates in passive listening mode (also known as promiscuous mode). A network tap or span is set up so that the interface can monitor all packet traffic passing through it for threats.
Because USM Appliance's built-in IDS capability uses the network monitoring interface, you must dedicate at least one of the network interfaces to it.
You use the Log Collection and Scanning interface to reach the networks and systems from which you want to collect data. You also use it to scan the systems, using USM Appliance's built-in asset discovery, vulnerability assessment, and availability monitoring tools.
Setting up this interface requires assignment of an IP address and network mask to the interface.
Any network interface that is not in use and not configured keeps the default option. This is the default for all the interfaces except the management interface.
To configure network monitoring:
- Choose the network interface you want to use for network monitoring.
- Select Network Monitoring from the list.
  Once selected, USM Appliance immediately configures the network interface to listen for incoming traffic.
- Configure your virtual machine to get traffic from your physical network.
  Once the network is forwarding data to the selected network interface, the Status indicator changes from red to green. This means that the interface is both configured and receiving data as expected.
After you've configured the network monitoring interface, verify that it's receiving network traffic. If you are on a virtual network, make sure that you are receiving network traffic and not just virtual switch traffic. Follow the instructions in Monitor VMware Standard Virtual Switches.
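One way to run this verification from a Linux command line, as an added example that is not LevelBlue's own tooling: it checks that the interface is in promiscuous mode and that its receive counter increases over a short interval. It assumes the standard Linux sysfs files under /sys/class/net are available; the function names, the SYSFS_NET override, and the interface name eth1 are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check a Linux capture interface through sysfs.
# SYSFS_NET can be overridden to run the logic against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# is_promisc IFACE: succeeds if IFF_PROMISC (0x100) is set in the flags.
is_promisc() {
    flags=$(cat "$SYSFS_NET/$1/flags") || return 2
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# rx_delta IFACE SECONDS: prints how many packets arrived in the interval.
rx_delta() {
    before=$(cat "$SYSFS_NET/$1/statistics/rx_packets") || return 2
    sleep "$2"
    after=$(cat "$SYSFS_NET/$1/statistics/rx_packets") || return 2
    echo $(( $after - $before ))
}

# check_monitor IFACE [SECONDS]: prints a verdict and returns 0 only when
# the interface is promiscuous AND its receive counter is increasing.
check_monitor() {
    iface=$1
    secs=${2:-5}
    if [ ! -d "$SYSFS_NET/$iface" ]; then
        echo "$iface: no such interface"
        return 2
    fi
    if ! is_promisc "$iface"; then
        echo "$iface: not in promiscuous mode"
        return 1
    fi
    n=$(rx_delta "$iface" "$secs") || return 2
    if [ "$n" -eq 0 ]; then
        echo "$iface: promiscuous, but 0 packets in ${secs}s; check the tap or span feed"
        return 1
    fi
    echo "$iface: promiscuous, $n packets in ${secs}s"
}

# Usage (eth1 is a hypothetical monitoring port): check_monitor eth1 10
```

A rising counter only shows that frames are arriving; it does not distinguish physical network traffic from virtual switch traffic, so the virtual switch settings still need to be checked on a virtual network.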
To configure log collection and scanning:
- Choose the network interface that will be used for log collection and scanning.
- Select "Log Collection & Scanning" from the list.
  A screen pops up asking for an IP address and netmask. This information will be used to configure the network interface with a static IP address.
- In the IP Address & Netmask box, enter an IP address and netmask for a different subnet.
  The Configure Network Interfaces screen displays again. The IP address you supplied shows as the IP address for the interface. This indicates that the interface configuration is successful.
- Configure the other interfaces as needed for additional log collection and scanning.
Note: In some situations the network that you want to monitor may not be accessible from the IP address provided without setting up a route in the routing table. This is an extreme case and should not happen often. If a route is required, you will need to jailbreak the system using the LevelBlue console and configure the route using the command line.
After you have finished configuring the network interfaces, click Next at the bottom-right corner to proceed.