AlienVault USM Appliance can run on both hardware and virtual machines. The network requirements and infrastructure requirements stay consistent regardless of which you are using. These prerequisites generally assume that you are using virtual machines.
Virtual Machine Requirements
- See the USM Appliance data sheet for hardware specifications and virtual machine requirements on the USM Appliance Federation Server.
Provide public IP address for each of the components.
Important: AlienVault does not support NAT (Network Address Translation) between USM Appliance components.
If using the USM Appliance internal VPN, allow inbound connections to the Federation Server from each customer, and outbound connections on each customer's site, both on port TCP/33800. If TCP/33800 is not an option, another TCP port can be configured but requires more work on both ends of the installation.
Note: If you have an application filtering firewall such as the latest CheckPoint firewall, allow OpenVPN application on TCP/33800. On CheckPoint, OpenVPN is denied by default.
- If not using any VPN, be aware that the Federation Server receives alarms from each customer through TCP/40004. Make sure traffic can go through that port on your network.
- Ensure port forwarding is possible for the Federation Server.
In addition, customer USM Appliance and the Federation Server need access to:
- TCP/80 for data.alienvault.com (USM Appliance updates)
- TCP/443 for reputation.alienvault.com (OTX updates)
- TCP/443 for otx.alienvault.com (OTX pulse information)
- TCP/443 for messages.alienvault.com (USM Appliance Message Center Inbox in the USM Appliance web UI which lists messages publicizing availability of various AlienVault product updates plus other messages such as system errors and warnings.)
- All of the above can be accessed through a proxy (configured through SSH console on USM Appliance and the Federation Server)
- Internal or external NTP server (optional, but recommended)
- AlienVault Support uses TCP/22 for Remote Support Secure, encrypted connection to the AlienVault Support Server through the USM Appliance web UI or the console, allowing AlienVault Support staff to access, diagnose, and resolve any problems occurring in a USM Appliance instance..
For a complete list of external URLs and port numbers, see Firewall Permissions.
- NIDS (Network Intrusion Detection Systems) and NetFlow requirements:
- Requires a span port, mirror port or tap to passively sniff traffic
- Limited to 100MBps throughput for each AlienVault USM Appliance All-in-One at customer site
- For each customer, the home networks must be listed. These are the IP networks that define the customer's network range (such as 220.127.116.11/24 or 10.0.0.0/8) — for passive asset discovery
- Vulnerability management:
- Requires a local account for authenticated, local scans. See Creating Credentials for Vulnerability Scans for further assistance.
- Requires unlimited network access to the scan targets (either by being in the same network or by allowing USM Appliance All-in-One to connect to each of the scan targets)
- Customer network requirements:
- Vulnerability scanner needs full access to all the relevant networks (all ports open), or needs to use separate sensors if access is not available
- HIDS (Host-based Intrusion Detection Systems) agents need to communicate to the USM Appliance All-in-One or USM Appliance Sensors through UDP/1514
USM Appliance Hardware Management
Decide if out-of-band management will be used on USM Appliance hardware instances. It is a best practice to use out-of-band management.
If you decide to operate USM Appliance hardware without out-of-band management, connect a mouse, keyboard, and monitor to USM Appliance and turn it on.
If you decide to operate USM Appliance hardware with out-of-band management, but you are not using DHCP Network protocol used to dynamically distribute network configuration parameters, such as IP addresses, for interfaces and services., obtain an IP address, netmask IP, and gateway IP. Then temporarily connect a keyboard, mouse, and monitor to USM Appliance. Next, connect the Ethernet cable from the IPMI/HPE iLO port to an operational switch. Follow the procedures on Configure the USM Appliance Hardware through IPMI to configure IPMI, or Configure the USM Appliance Hardware through HPE iLO to configure HPE iLO.