Applies to Product: | USM Appliance™ | LevelBlue OSSIM® |
For your convenience, we have compiled the deployment steps into different checklists depending on which type of USM Appliance you are deploying.
Use this checklist if you are deploying the USM Appliance Federation Server as a virtual or physical machine.
Topic | Details |
---|---|
Ensure Hardware Requirements | If you are installing USM Appliance as a VM, see Minimum Hardware Requirements for Virtual Machines and Minimum Virtual Machine Requirements to ensure all requirements are met. |
Understand Network | Map out any intermediate networks between the MSSP and the client. |
Open Ports | Open ports on the firewall and enable port forwarding. See Firewall Permissions to know which ports to open. |
Deploy Virtual Appliance | Deploy the appliance on ESX or ESXi 4.0+. |
(Alternatively) Setup Physical Appliance | Decide if IPMI will be used for out-of-band hardware appliance management. It is a best practice to use IPMI. See Configure the USM Appliance Hardware through IPMI for more details. |
Management Interface | Configure the management interface manually, see Set Up the Management Interface. |
Follow General Installation Steps | Change the default root password, see Reset Password for the Root User. Register the product, see Register USM Appliance. Configure the appliance hostname, see Configure a Hostname for USM Appliance. Note: For the sake of usability and readability, it is especially important for MSSP clients to have distinct hostnames, because when forwarded alarms are displayed in the Federation Server, they are differentiated by the hostnames of their USM Appliance instances. Change the default timezone, see Change the Default Time Zone. Configure the appliance to synchronize time with an NTP server, see Configure Synchronization with an NTP Server. |
Configure VPN | |
Email Server | (Optional) Configure a connection between the Federation Server and the corporate mail server, see Configure Mail Relay in USM Appliance. |
Test Setup | See Confirm that the USM Appliance Operates Properly. If NIDS is not working, see NIDS Troubleshooting. |
Backups | Keep configuration backups of the customer machine at a central site so that you can restore them quickly. You can back up your client's configuration from the Federation Server, see Backing Up a Child Server from the Federated Server. Another option is to scp the backup files from this location to a central server: `/var/alienvault/backup/configuration_<hostname>_<timestamp>.tar.gz` |
Setup OTX | Consider using a generic master OTX account, then use the same master account key in each child server. This allows the MSSP to manage their clients' OTX subscriptions easily, because they only need to change the master OTX account and all the clients' accounts will change, including subscribing to pulses. |
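The Backups row above (and the Backup row of the All-in-One checklist further down) leaves the copy-to-central-site part to you. As an added example, not LevelBlue's own tooling, this POSIX shell snippet takes a listing of /var/alienvault/backup, keeps only the newest configuration backup per child hostname, and prints the scp and checksum commands to pull those copies; it assumes the `<timestamp>` part of the file name is digits that sort in time order, and the child address and destination directory are placeholders.

```shell
#!/bin/sh
# Added example (not LevelBlue tooling): select the newest
# configuration_<hostname>_<timestamp>.tar.gz per host and pull it to a central site.
# Assumption: <timestamp> is all digits and sorts lexically in time order (e.g. YYYYmmddHHMMSS);
# file names that do not match that pattern are ignored rather than guessed at.

# Constructed sample listing, as 'ls /var/alienvault/backup' on a child might print.
SAMPLE_LISTING='configuration_client-a_20240101120000.tar.gz
configuration_client-a_20240102120000.tar.gz
configuration_client-b_20240102120000.tar.gz
configuration_client-b_20240101120000.tar.gz
ossim_db_dump.sql.gz'

# Read file names on stdin; print "<hostname> <filename>" for the newest backup of each host.
# The greedy (.+) keeps hostnames containing underscores intact: the last '_' splits off the timestamp.
newest_per_host() {
  grep -E '^configuration_.+_[0-9]+\.tar\.gz$' \
    | sed -E 's/^configuration_(.+)_([0-9]+)\.tar\.gz$/\1 \2 &/' \
    | sort -k1,1 -k2,2r \
    | awk '!seen[$1]++ { print $1, $3 }'
}

# Emit the commands (printed, not run) to copy each selected backup from the child at $1
# into the central directory $2, followed by a sha256 check so a truncated transfer is caught.
pull_commands() {
  child="$1"; dest="$2"
  newest_per_host | while read -r host file; do
    printf 'scp %s:/var/alienvault/backup/%s %s/%s\n' "$child" "$file" "$dest" "$file"
    printf "ssh %s sha256sum /var/alienvault/backup/%s | sed 's#/var/alienvault/backup/#%s/#' | sha256sum -c -\n" \
      "$child" "$file" "$dest"
  done
}

# Example run on the constructed listing; in practice feed it the output of
# 'ssh root@<child> ls /var/alienvault/backup' (placeholder host and path below).
printf '%s\n' "$SAMPLE_LISTING" | pull_commands root@child-a.example.invalid /srv/usm-backups
```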
Use this checklist if you are deploying the USM Appliance Federation Server in the Amazon Cloud.
Topic | Details |
---|---|
AWS Federation Server Deployment | Working with a LevelBlue sales representative, ask for the Federation Server AMI, providing them with your AWS account number and desired AWS region. The Federation Server in AWS has two IP addresses, a public and a private IP address. Configure security groups. Note: By default, a security group includes an outbound rule that allows all outbound traffic. Security groups are stateful, allowing incoming traffic only from approved sources such as predefined IPs or networks. Therefore, you will need a different security group entry for each client. Allow incoming TCP on ports 80 and 443 for web GUI access. Allow incoming SSH on port 22 from the MSSP SOC or whatever IP is used to manage the Federation Server. Allow incoming TCP on port 33800 for OpenVPN access from client USM Appliance instances. Everything else is the same as deploying an on-premises Federation Server. |
VPN | AWS has built-in VPN, so the Federation Server can become a VPN client. This allows the customer's USM Appliance to be a VPN server so their sensors can be a VPN client. |
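The security group rules in the AWS Federation Server Deployment row above are easy to get wrong by hand, in particular the one-entry-per-client requirement for the OpenVPN port. As an added example, not LevelBlue's own tooling, this POSIX shell snippet expresses that rule set as `aws ec2 authorize-security-group-ingress` commands and audits them before anything is applied; the security group ID, SOC address and client IPs are constructed placeholders, and restricting the web GUI ports to the SOC address is an assumption (the checklist does not fix a source for ports 80 and 443).

```shell
#!/bin/sh
# Added example (not LevelBlue tooling): build the Federation Server security group
# from the checklist as 'aws ec2 authorize-security-group-ingress' commands, one entry
# per client for the OpenVPN port, and audit the result before applying it.
SG_ID="${SG_ID:-sg-PLACEHOLDER}"                       # security group of the Federation Server (placeholder)
SOC_CIDR="${SOC_CIDR:-203.0.113.10/32}"                # MSSP SOC egress address (constructed)
GUI_CIDR="${GUI_CIDR:-$SOC_CIDR}"                      # assumption: web GUI limited to the SOC, not 0.0.0.0/0
CLIENT_IPS="${CLIENT_IPS:-198.51.100.7 198.51.100.8}"  # public IPs of client USM Appliances (constructed)

# One ingress rule: $1 = TCP port, $2 = source CIDR. Printed, not executed, so the
# full rule set can be reviewed (and audited below) before it is applied.
sg_rule() {
  printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s\n' \
    "$SG_ID" "$1" "$2"
}

# The rule set from the checklist: 80/443 web GUI, 22 SSH from the SOC, and
# 33800 OpenVPN from each client (security groups need a separate entry per source).
build_rules() {
  sg_rule 80  "$GUI_CIDR"
  sg_rule 443 "$GUI_CIDR"
  sg_rule 22  "$SOC_CIDR"
  for ip in $CLIENT_IPS; do
    sg_rule 33800 "$ip/32"
  done
}

# Number of rules: three fixed entries plus one per client.
rule_count() { build_rules | wc -l | tr -d ' '; }

# Audit rules read on stdin: return 1 if SSH or OpenVPN would be open to the whole
# internet, which is the misconfiguration to catch before running the commands.
audit_rules() {
  open=$(grep -E -c -- '--port (22|33800) --cidr 0\.0\.0\.0/0' || true)
  [ "$open" -eq 0 ]
}

build_rules
build_rules | audit_rules && echo "rule set OK: $(rule_count) rules, no management port open to 0.0.0.0/0"
```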
Use this checklist if you are deploying USM Appliance All-in-One on your customer's network as a virtual or physical machine.
Topic | Details |
---|---|
Ensure Hardware Requirements | If you are installing USM Appliance as a VM, see Minimum Hardware Requirements for Virtual Machines and Minimum Virtual Machine Requirements to ensure all requirements are met. |
Understand Network | Map out your customer's network topology, making sure logs can be sent from their office network, wireless network, DMZ, and firewalls. |
Send Documentation to Customer | Send the prerequisite document to the customer, describing the necessary network, VM, and infrastructure prerequisites. Prepare a document describing the installation of USM Appliance in their network, or use the documentation from the LevelBlue Documentation Center. |
Open Ports | Open ports on the firewall and enable port forwarding. See Firewall Permissions in this guide to know which ports to open. |
Deploy Virtual Appliance | Deploy the appliance on ESX or ESXi 4.0+. |
(Alternatively) Setup Physical Appliance | Decide if IPMI will be used for out-of-band hardware appliance management. It is a best practice to use IPMI. See Configure the USM Appliance Hardware through IPMI for more details. |
Management Interface | Configure the management interface manually, see Set Up the Management Interface. |
Follow General Installation Steps | Change the default root password, see Reset Password for the Root User. Register the product, see Register USM Appliance. Configure the appliance hostname, see Configure a Hostname for USM Appliance. Note: For the sake of usability and readability, it is especially important for MSSP clients to have distinct hostnames, because when forwarded alarms are displayed in the Federation Server, they are differentiated by the hostnames of their USM Appliance instances. Change the default timezone, see Change the Default Time Zone. Configure the appliance to synchronize time with an NTP server, see Configure Synchronization with an NTP Server. |
Configure VPN | |
Monitor Networks | Set up a SPAN port on the switch or firewall to the monitoring interface configured in the Getting Started Wizard. Note: If working with a Standard or Enterprise Deployment, skip the next step. Follow the Standard/Enterprise Deployment Checklist, and then return to this checklist. |
Run the Getting Started Wizard (Only for USM Appliance All-in-One) | Launch the USM Appliance web UI and run the Getting Started wizard. Set up network monitoring (for NIDS), see Configuring Network Interfaces. Note: Best practice is to designate your management interface as your log collection interface as well. The log interface requires a second IP address, which can cause network problems. You only need a separate log interface if logs can't reach the management interface for some reason. Run an asset scan and schedule recurring scans, see Discovering Assets in Your Network. Verify that the hostnames are being properly resolved on Environment > Assets & Groups > Assets. Note: Initially, schedule asset scans using the Fast Scan option with a frequency of Hourly. After a day or so, edit the scheduled scan, changing the Scan Type to Full Scan and the frequency to Daily. Note that very large networks can take days to complete a full scan. If this is the case, consider breaking the larger networks into smaller networks and setting up multiple scheduled scans. Deploy HIDS agents to servers, see Deploying HIDS to Servers. Note: HIDS deployment rarely works through the wizard because sharing is often blocked or limited on the customer network. Enable plugins for assets, see Enabling Log Management. Connect to OTX, see Connecting to AlienVault Open Threat Exchange®. Verify that OTX Pulses are received on Dashboards > Open Threat Exchange. If you have created a master OTX account for all your customers, import this key into this appliance. |
Forward Alarms to Federated Server | Configure USM Appliance to forward its alarms to your Federation Server, see Setting Up Alarm Forwarding. |
Email Server | (Optional) Configure a connection between USM Appliance and the customer's corporate mail server, see Configure Mail Relay in USM Appliance. |
Asset Management | See Asset Valuation for guidelines on how to pick the right asset values. |
Schedule Vulnerability Scan(s) | Set up regular vulnerability scans, see Vulnerability Scans. Create credentials for authenticated vulnerability scans. For most common tasks, select Default — Non destructive Full and Fast scan. However, there are other use cases for the other scanning profiles. We recommend you schedule hourly scans during the first day of deployment, then maintain a daily scan afterwards (under Schedule Method when creating a scan). |
Test Setup | See Confirm that the USM Appliance Operates Properly. If NIDS is not working, see NIDS Troubleshooting. |
More Best Practices | Depending on the log volume, keep logger and SIEM archiving within reasonable limits. Depending on the expected alarm volume, use the alarm expiration feature. Note: Since alarms are typically closed only on the Federation Server, enable alarm expiration on each customer USM Appliance. |
Self-Reporting False Positives | |
Backup | Keep configuration backups of the customer machine at a central site so that you can restore them quickly. See Back Up and Restore System Configuration. |
Use this checklist if you are deploying USM Appliance Standard or Enterprise Solutions on your customer's network as a virtual or physical machine.
Topic | Details |
---|---|
Standard/Enterprise Deployment — Configuring Appliances | Deploy and configure the USM Appliance Server as detailed in the Child Server Deployment Checklist. Deploy and configure the USM Appliance Sensor as detailed in Configure the USM Appliance Sensor after Deployment. Note: Be sure to configure the sensor after you have configured the server. Note that the sensor does not have a web UI, so you must use SSH. Deploy and configure the USM Appliance Logger as detailed in Configure the USM Appliance Logger after Deployment. If forwarding to both the logger and the Federation Server, stop after adding the server to the logger; see the important note below. Important: If you want USM Appliance Server to forward logs to the USM Appliance Logger AND forward alarms to the Federation Server, you must do the following: Configure USM Appliance Server to forward alarms to the Federation Server as detailed in Setting Up Alarm Forwarding. To forward logs to the USM Appliance Logger, create a new policy in the default policy group to send all events (from ANY source to ANY destination) to the USM Appliance Logger (under the Forwarding tab, change Forward Events to 'Yes' and choose the logger as your server). |
Standard/Enterprise Deployment — Configuring Data Sources | Set up network monitoring (for NIDS), see Configuring AlienVault NIDS. If NIDS is not working, see NIDS Troubleshooting. Note: Best practice is to designate your management interface as your log collection interface as well. The log interface requires a second IP address, which can cause network problems. You only need a separate log interface if logs can't reach the management interface for some reason. Run an asset scan and schedule recurring scans, see Running Asset Scans. Verify that the hostnames are being properly resolved on Environment > Assets & Groups > Assets. Note: Initially, schedule asset scans using the Fast Scan option with a frequency of Hourly. After a day or so, edit the scheduled scan and change the Scan Type to Full Scan and the frequency to Daily. Note that very large networks can take days to complete a full scan. If this is the case, consider breaking the larger networks into smaller networks and setting up multiple scheduled scans. Deploy HIDS agents to servers, see Deploy LevelBlue HIDS Agents, which includes instructions for deploying to both Windows and Linux hosts. Note: Be aware that HIDS deployment sometimes does not work because sharing is blocked or limited on the customer's network. Configure file integrity monitoring, see File Integrity Monitoring. Configure HIDS agentless monitoring, if desired, see Agentless Monitoring. You may also be interested in Tutorial: Reading a Log File with a HIDS Agent on Windows. Enable plugins for assets, see Enabling Log Management. Verify proper parsing and normalization of logs by checking the events on Analysis > Security Events (SIEM). Connect to OTX, using the master OTX account for all your customers if you have one. See Connecting to AlienVault Open Threat Exchange®. Verify that OTX Pulses are received on Dashboards > Open Threat Exchange. |