AlienVault
USM v4.8-5.x Initial Setup Guide
August 24, 2015
Copyright © 2015 AlienVault, Inc. All rights reserved.
The AlienVault Logo, AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™, and OSSIM™ are trademarks or service marks of AlienVault, Inc.
Contents
Introduction
Audience
Related Documentation
Preparing for Initial Setup
Before You Start
DHCP or Manual Network Configuration Requirements
Task Overview by USM Solution
Managing USM with a Virtual Appliance
Managing USM with a Hardware Appliance
Local and Remote Appliance Management Requirements
Local and Remote Appliance Management Best Practices
Managing the USM Hardware Appliance Locally
Managing the USM Hardware Appliance Remotely
Recommendations Prior to Configuring IPMI
Cabling an Appliance and Configuring Remote Management
Cabling a USM Remote Sensor and Configuring Remote Management
Configuring IPMI with Your Browser
Configuring a VLAN for IPMI Access
Configuring the Management Interface
Configuring the Network Interface Manually
Configuring the Network Interface to Use a DHCP Server
Appliance Setup
Accessing the AlienVault Setup Menu
Changing the Root Password
Registering the Appliance
Registering the Appliance Online Through the AlienVault Console
Registering Your Appliance Off Line
Configuring the Appliance Hostname
Changing the Default Time Zone
Configuring the Appliance to Synchronize with an NTP Server
Configuring USM to Recognize Your Local Keyboard
Configuring a USM Sensor
Configuring a USM Enterprise Server and Enterprise Database
Introduction
Audience
Related Documentation
Audience
This guide is for use by AlienVault Unified Security Management (USM) v.4.8–5.x customers who must set up the All-in-One or Standard/Enterprise versions of the product using either USM Hardware Appliance or USM Virtual Appliance.
Related Documentation
Refer to the following related information on the AlienVault Documentation Center for the USM release you have purchased:
• USM Release Notes for the version you are deploying
• System Requirements for USM Virtual Appliances for the version you are deploying
• USM Deployment Planning Guide for the version you are deploying
• AlienVault Offline Key Action
• Running the Getting Started Wizard
• Asset management documentation area for final configuration of Standard and Enterprise components.
Preparing for Initial Setup
Before You Start
Task Overview
Before You Start
Review the following prerequisites to ensure an efficient setup and configuration of all USM solutions:
• You should have already planned and implemented your USM network topology, including failover appliances. See the USM Deployment Planning Guide on the AlienVault Documentation Center for the version you are deploying.
• If your network accesses the Internet, you must first open the ports on all the appliances you plan to deploy. For port requirements, see the USM Deployment Planning Guide on the AlienVault Documentation Center for the version you are deploying.
Note: If your network is an intranet that may not access the Internet, you may disregard the port information.
• If you have a USM virtual client, review release-specific information in the System Requirements for USM Virtual Appliances documentation on the AlienVault Documentation Center.
DHCP or Manual Network Configuration Requirements
You may configure the network connection either manually or through DHCP (Table 1).
Table 1. USM network connection requirements.
DHCP Network Configuration
• A DHCP server running on the same network as the AlienVault appliance.
Manual Network Configuration
• A dedicated IP address for every USM instance.
• Network gateway and subnet mask.
Task Overview by USM Solution
USM All-in-One and USM Standard deployments can be configured either on virtual servers, using VMware, or on one or more USM Hardware Appliances, while USM Enterprise deployment is only available on hardware appliances.
Deployment of a single USM All-in-One instance takes the least time, because one deployment instance contains all required components.
You initialize the appliances through the AlienVault Setup menu and complete final configuration through your browser, using the USM Getting Started Wizard if you are a USM All-in-One customer or, if you are a USM Standard or Enterprise customer, manually.
If you deploy more than one instance of the USM All-in-One solution, or if you deploy either the USM Standard or USM Enterprise solutions, you must repeat the basic tasks described in Table 2 for each instance.
Example
If you have multiple All-in-One instances, you must repeat steps 2-10 and step 11.
Important: If you have purchased either the USM Standard or the USM
Table 2. Task overview for setup of all USM 4.8-5.x solutions.
Solution Type/Component | Task No. | Task Description
All | 1 | Review the network and individual solution prerequisites. See the USM Release Notes for the version you want to deploy. See also the USM Deployment Planning Guide.
USM VMware Virtual Appliance | 2 | Deploy the USM Virtual Appliance. See Managing USM with a Virtual Appliance. When done, go to task 3 then 4.
USM Hardware Appliance | | Decide if you will manage appliances locally or remotely. See Managing USM with a Hardware Appliance. When done, go to task 3 then 3#.
AlienVault Setup Menu
All | 3 | Configure the network interface settings you prefer: • Manually: See Configuring the Network Interface Manually. • DHCP: See Configuring the Network Interface to Use a DHCP Server.
USM Enterprise Server | 3# | Configure the USM Enterprise Server Hardware Appliance. See Configuring a USM Enterprise Server and Enterprise Database.
All | 4 | Change the default root password. See Changing the Root Password.
 | 5 | Register the product in one of three ways: • Through the Setup menu via ssh. • Offline. • Through the Web browser. See Registering the Appliance.
 | 6 | Configure appliance hostname. See Configuring the Appliance Hostname.
 | 7 | (Optional) Change default time zone. See Changing the Default Time Zone.
 | 8 | (Recommended) Configure the appliance to synchronize time with an NTP server.
 | 9 | (Non-U.S. keyboard users only) Configure USM to recognize your local keyboard. See Configuring USM to Recognize Your Local Keyboard.
• Deploying a single USM All-in-One instance? You are done with the Setup menu. Go to task 10.
• Deploying multiple USM All-in-One instances? Repeat tasks 2-9. When done, go to task 10.
• Just completed setup of the first USM Std./Enterprise Server? This completes your USM Server setup. Repeat tasks 2 through 9 for your first USM Sensor. When done, go to task 11. Repeat for each sensor.
• Completed setup and configuration of all USM Sensors? Repeat tasks 2 through 9 for the USM Std./Enterprise Logger, if applicable. Go to task 12.
All-in-One | 10 | Launch the USM web UI in a browser window; place all components into service by running the Getting Started wizard. For information, see the guide Running the Getting Started Wizard on the AlienVault Documentation Center.
USM Sensor | 11 | • If you are a USM Standard, Enterprise, or Remote Sensor user, configure the USM Sensor on the AlienVault Setup menu. Repeat tasks 2 through 9, and then the current task. See Configuring a USM Sensor. • When finished, if you have a separate USM Logger appliance, go to task 12.
USM Logger | 12 | Configure the USM Logger, using the USM web UI. See Configuring a
Managing USM with a Virtual Appliance
This procedure is valid for deployment of both free AlienVault USM trials and licensed versions.
Note: This procedure is specifically for the vSphere client. For instructions specific to a different VMware client, consult the vendor documentation.
To load the OVF template containing the USM image on a VMware ESXi instance
1. In VMware Manager, under File, choose Deploy OVF Template.
VMware Manager displays the Deploy OVF Template screen.
2. In the Deploy OVF Template screen, browse to the USM virtual image file; click Next.
VMware Manager displays the OVF Template Details screen.
3. On each of the following screens, click Next:
• OVF Template Details
• Name and Location
• Storage
• Disk Format
• Network Mapping
4. On the Ready to Complete screen, select Power on after deployment, located below the list of deployment settings, and click Finish.
Deployment of the virtual image requires several minutes. After deployment is finished, VMware Manager displays:
Deployment Completed Successfully.
5. Click Close.
6. Connect to the console of the USM Virtual Appliance in one of the following ways:
• On the Inventory screen, click Virtual Machine and, in its submenu, click Open Console.
• In the console toolbar, click the console icon.
Next…
Managing USM with a Hardware Appliance
Local and Remote Appliance Management Requirements
Local and Remote Appliance Management Best Practices
Managing the USM Hardware Appliance Locally
Managing the USM Hardware Appliance Remotely
Local and Remote Appliance Management Requirements
Hardware and power requirements are identical, whether you are managing your appliances locally or remotely (Table 3).
Table 3. USM Hardware Appliance requirements for both local and remote management.
Local and Remote Hardware Management Requirements
Cables
• 2 AC power cables
• 1 Ethernet cable
AC Power Source
Standard systems require either:
• Two 2A circuits @ 120V or
• Two 1A circuits @220V.
Heat output = 641.31 BTU/hr
Enterprise systems require either:
• Two 3A circuits @120V or

• Keyboard
• Mouse
• Monitor
Local and Remote Appliance Management Best Practices
Review the following best practices for secure management of your appliances.
Even if you intend to manage your appliances locally, it is a good idea to set up remote (IPMI) management ahead of time for an emergency situation. See Managing the USM Hardware Appliance Remotely.
The default behavior of the IPMI LAN mode in the appliances is to fail over from the IPMI port to LAN0 (eth0) or LAN1 (eth1). If you want the IPMI port to be dedicated, you must explicitly configure it to be so. For instructions, see the IPMI vendor documentation from Supermicro.
Managing the USM Hardware Appliance Locally
This method of appliance management requires you to connect a monitor, mouse, and keyboard to the appliance.
For hardware and power requirements, see Table 3.
To manage the USM Hardware Appliance locally
1. Make sure that the appliance is powered off. (The power switch is located on the opposite side of the appliance from the cable ports.)
2. On the rear of the appliance, connect the monitor cable to the VGA port, as applicable (Figure 1).
Figure 1. All-in-One Hardware Appliance ports.
3. Connect the keyboard and mouse to either of the following port types:
4. Connect one end of an Ethernet cable to the Eth0 port, which is reserved for Administrative setup, and the other to the network Switch.
5. Cable the two power cables to each of the power ports on the left-rear side of the appliance and plug the other ends into a power strip.
6. Power on the appliance and turn on the monitor.
The monitor should now display the AlienVault Setup management interface configuration menu.
Managing the USM Hardware Appliance Remotely
This topic describes how to configure management of your appliance from a remote location, using Intelligent Platform Management Interface (IPMI).
Appliance management through IPMI can be very useful if your system must recover from a disruption in service, excluding power outages.
The appliance has an IPMI port in addition to its two Ethernet ports (Figure 1). This port is also compatible with Gigabit Ethernet switches and wiring.
For hardware and power requirements, see Table 3.
Recommendations Prior to Configuring IPMI
It is a good idea to configure IPMI when you first set up the product, so that it is ready to use when and if you have an emergency.
For complete information on IPMI configuration, review the relevant IPMI vendor documentation, available from the Supermicro website.
AlienVault recommends that you deploy IPMI on an isolated network segment or virtual LAN (VLAN). See Configuring a VLAN for IPMI Access.
If the IPMI port must be accessed outside of the network security perimeter, set up a VPN server to provide that access.
Stay abreast of all IPMI firmware upgrades, particularly those connected to security updates.
Cabling an Appliance and Configuring Remote Management
Follow these steps to cable and configure network settings for remote management through IPMI of each USM Hardware Appliance except the Remote Sensor.
To cable and configure remote management of the USM Hardware Appliance
1. Ask the person responsible for network management to give you an IP address, netmask IP, and Gateway IP for each appliance you plan to manage remotely.
2. Make sure that the appliance is powered off.
3. Connect a keyboard, mouse, and monitor to the appliance.
• PS2 connector: Keyboard connects to the purple port; mouse connects to the green port.
• USB connector: Keyboard and mouse connect to either USB port.
4. Connect one end of an Ethernet cable to the IPMI port on the rear of the appliance (Figure 1) and the other connector to an already operational switch.
5. Connect the two power cables to each of the power ports on the left-rear side of the appliance and plug the other ends into a power strip.
6. Power on the appliance.
The appliance should begin startup.
7. During startup, press and continuously hold Delete on the keyboard.
The BIOS SETUP UTILITY screen appears on the monitor.
The IPMI Configuration panel appears (Figure 3).
Figure 3. Set LAN Configuration selection on the IPMI Configuration panel.
10. Choose Set LAN Configuration and press Enter.
Figure 4. Set LAN Configuration panel with the Static selected.
11. Choose a method of assigning an IP address to the appliance:
• If you have a DHCP server in the same segment of the network as the USM Hardware Appliance, use the Arrow keys to select IP Address Source; then use the plus (+) or minus (-) key to change the label IP Address Source to DHCP.
• If you do not have a DHCP Server, use the arrow keys to select Static.
12. (Static IP address users only) Use the Arrow keys to access the IP Address, Subnet Mask, and Gateway Address fields and type the appropriate values in each for your device.
Note: Each appliance comes with a default IP address; you may either use this IP address or configure a new one.
13. Save the changes by pressing F10, then exit the BIOS SETUP UTILITY by pressing Esc.
14. You must restart the appliance for your changes to take effect.
Next…
Proceed to Configuring IPMI with Your Browser.
Cabling a USM Remote Sensor and Configuring Remote Management
Like other appliances you want to manage remotely, the USM Remote Sensor requires its own IP address, netmask, and gateway IP addresses.
Figure 5. Remote Sensor rear panel, showing IPMI port location.
To cable and configure remote management of a USM Remote Sensor
1. Ask the person responsible for network management to give you an IP address, netmask IP, and Gateway IP for each appliance you plan to manage remotely.
2. Make sure that the appliance is powered off.
3. Connect a keyboard, mouse, and monitor to the appliance.
• PS2 connector: Keyboard connects to the purple port; mouse connects to the green port.
• USB connector: Keyboard and mouse connect to either USB port.
4. Connect one end of an Ethernet cable to the IPMI port on the rear of the appliance (Figure 5) and the other connector to an already operational switch.
5. Insert the power cable connector into the power port on the left-rear side of the appliance, then plug the other end into a power strip.
6. Power on the appliance.
The appliance should begin startup.
7. During startup, press and continuously hold Delete on the keyboard.
The Aptio Setup Utility appears on the monitor.
Figure 6. IPMI tab for configuration of Remote Sensor network settings.
Figure 7. Update IPMI LAN configuration on the BMC network configuration panel.
10. Use the Down Arrow to go to Update IPMI LAN configuration and press Enter (Figure 7).
11. Use the Tab or Right Arrow key to go to the column labeled [No]; toggle it to [Yes] by using the plus (+)/minus (-) keys and press Enter.
12. Choose a method of assigning an IP address to the appliance:
• If you have a DHCP server in the same segment of the network as USM Remote Sensor:
a. Use the Tab key to go to the Configuration IP Address source row, then to Static in the right-hand column of that row.
b. Toggle Static to DHCP, using the plus (+) or minus (-) key, and press Enter.
• If you do not have a DHCP Server, use the Tab or Arrow keys to go to Static; press Enter.
13. (Static IP address users only) Use the Tab key to access the Station IP address, Subnet mask, and Gateway IP address fields, and type the values applicable to your device in each; press Enter.
15. Commit the changes by pressing F4; exit by pressing Esc.
16. Restart the appliance so that your changes take effect.
Next…
Proceed to Configuring IPMI with Your Browser.
Configuring IPMI with Your Browser
IPMI browser configuration requires the following:
• An Ethernet cable connected to the IPMI port on the appliance.
• IP address of the USM appliance to which you want to connect remotely.
• The USM appliance should be connected to a power supply, but does not need to be powered on at this time.
• You should be able to reach the appliance that you want to manage remotely over the Internet.
• The Java version recommended by Supermicro, the IPMI vendor. See the vendor website for up-to-date information.
To configure IPMI through your browser
1. Open a browser on the computer that can access USM and type the IP address of the USM appliance that you want to manage remotely.
After a connection is made, the Supermicro Login screen appears.
2. Type the default factory username ADMIN and type the password AlienVault gave you in your Welcome letter; click Login.
The main IPMI screen appears.
3. After you have successfully logged in, change the default password for security purposes. You must then log in with the new password.
For information about how to change the password, see the Embedded BMC IPMI User's Guide, available from the Supermicro website.
4. After logging in again, enable display of the remote USM appliance console and configure redirection:
a. On the top menu bar, click Remote Control.
c. On the Console Redirection screen, click Launch Console.
Note: If the browser blocks it, click the top of the menu bar and select Download File. Then open it from your Downloads folder.
5. When you receive the Java prompt asking whether you want to run the application, click Run.
Note: If you receive a warning that the application is untrusted, asking whether you want to make an exception, click Continue.
Next…
(Recommended) Configuring a VLAN for IPMI Access.
Configuring a VLAN for IPMI Access
We recommend that you deploy IPMI as part of a VLAN. This procedure describes how to set it up for access by IPMI.
To configure VPN VLAN IPMI network settings
1. Log into the appliance through the browser and enter the IPMI IP address previously configured.
2. Go to Configuration > Network.
3. Within the VLAN section of the page, click enable.
4. In the VLAN ID field, type a value between 1 and 4095 to identify the VLAN.
5. (Optional) In the LAN interface list, select Dedicate.
By selecting Dedicate, you configure IPMI to connect only over the IPMI port at all times. Otherwise, it fails over automatically to the two LAN ports (eth0 and eth1).
6. Click Save.
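The following check of the IPMI recommendations in this guide (isolated segment or VLAN, VPN for access from outside the perimeter, VLAN ID range) is an added example, not code from AlienVault or Supermicro. It assumes you have saved the text output of ipmitool lan print 1 from a host that can query the BMC; the sample outputs, the production network list, and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges; a BMC address outside them is treated as routable.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples in the layout of `ipmitool lan print 1`
# (not captured from a real appliance).
SAMPLE_ISOLATED = """\
IP Address Source       : Static Address
IP Address              : 10.20.30.15
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 10.20.30.1
802.1q VLAN ID          : 30
"""

SAMPLE_EXPOSED = """\
IP Address Source       : DHCP Address
IP Address              : 203.0.113.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:dd:ee:ff
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
"""


def parse_lan_print(text):
    """Parse 'Key : Value' lines; lines with an empty key (continuations) are skipped."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so MAC addresses stay intact.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_bmc_lan(text, production_networks):
    """Return a list of 'code: message' findings for one BMC LAN configuration.

    production_networks: CIDR strings for the networks carrying appliance
    traffic (eth0/eth1). These are supplied by the operator (assumption).
    The dedicated-versus-failover LAN mode is not reported in this output and
    still has to be confirmed in the BMC web UI under Configuration > Network.
    """
    fields = parse_lan_print(text)
    findings = []

    try:
        bmc_ip = ipaddress.ip_address(fields.get("IP Address", ""))
        bmc_net = ipaddress.ip_network(
            f"{bmc_ip}/{fields.get('Subnet Mask', '')}", strict=False)
    except ValueError:
        return ["no-address: BMC IP address or subnet mask missing or unparsable"]

    if bmc_ip.is_unspecified:
        findings.append("unconfigured: BMC still reports 0.0.0.0")
    elif not any(bmc_ip in net for net in RFC1918):
        findings.append("routable-ip: BMC address is outside RFC 1918 space; "
                        "provide outside access through a VPN instead")

    # An isolated management segment must not overlap the production networks.
    for cidr in production_networks:
        if bmc_net.overlaps(ipaddress.ip_network(cidr)):
            findings.append(f"shared-segment: BMC subnet {bmc_net} overlaps {cidr}")

    vlan = fields.get("802.1q VLAN ID", "Disabled")
    if not vlan.isdigit():
        findings.append("no-vlan: 802.1q VLAN tagging is not enabled on the BMC")
    elif not 1 <= int(vlan) <= 4095:
        findings.append(f"bad-vlan: VLAN ID {vlan} is outside 1-4095")
    elif int(vlan) == 4095:
        # The guide's field accepts 4095, but IEEE 802.1Q reserves that ID.
        findings.append("reserved-vlan: VLAN ID 4095 is reserved by IEEE 802.1Q; "
                        "choose a lower ID")
    return findings


if __name__ == "__main__":
    for name, sample, prod in (
            ("isolated", SAMPLE_ISOLATED, ["10.20.10.0/24"]),
            ("exposed", SAMPLE_EXPOSED, ["203.0.113.0/24"])):
        result = audit_bmc_lan(sample, prod)
        print(name, "->", result if result else "no findings")
```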
Next…
Configuring the Management Interface
The Management Interface provides the means for communication between the web UI and the AlienVault Server.
The AlienVault Setup Management Interface panel appears automatically when the following occurs:
Local Hardware Appliance users—When you switch on a local appliance for the first time the panel shown in Figure 8 appears on your monitor.
Virtual Hardware Appliance users—At the completion of Managing USM with a Virtual Appliance for any one appliance, the panel shown in Figure 8 appears.
Remote Hardware Management (IPMI)—When you access an appliance for the first time after completion of Configuring IPMI with Your Browser, the panel shown in Figure 8 appears.
Figure 8. Initial Management Interface configuration menu.
Note: After you complete this configuration, this menu never appears again.
You must configure the interface in one of two ways:
Manually—See Configuring the Network Interface Manually.
Using the settings of your DHCP server, if you have one—See Configuring the Network Interface to Use a DHCP Server.
Configuring the Network Interface Manually
This task describes how to complete the network interface configuration manually.
To configure the network interface manually
1. Select the default menu item, Manual Configuration, by pressing Enter (Figure 8).
2. Type the IP address of the appliance and press Enter.
Note: Write down the IP address for each appliance; you must use it later on in the configuration process. It is also useful to have on hand for technical support or service.
3. Type the Netmask IP address for the network and press Enter.
4. Type the Gateway address for the network and press Enter.
5. Type the IP address of the DNS server and press Enter.
Note: If you have multiple DNS servers, type each of their IP addresses, separated by a comma.
6. Verify the values you entered previously. If the values look correct, press Enter.
If you discover that you made an error, return to the previous screens to correct the value by pressing No.
If you need to reach an earlier screen, press Cancel until you reach the one you need to update. Then re-enter the data and press Enter until you reach the verification panel again.
Note: If your appliance has sensor capacity and multiple Ethernet ports to support multiple subnets, you may now connect those ports to the network.
Next…
Proceed to Appliance Setup.
Configuring the Network Interface to Use a DHCP Server
To configure the network interface to use DHCP
1. Press the Tab key to move to the DHCP selection on the menu and press Enter (Figure 8).
The next panel displays the network settings assigned by your DHCP server.
2. Confirm or reject the values displayed:
To accept the values displayed, press Enter to select the default (Yes). The appliance accepts these settings and the
If the settings displayed need correction, use the Tab key to move to No and press Enter.
Next…
Appliance Setup
This topic describes required appliance setup configuration using the AlienVault Setup menu. You must use this menu to perform initial configuration for every USM appliance, regardless of how you manage it.
Important: If you have purchased either the USM Standard or the USM Enterprise solution, you must set up and configure the USM Server first, the Sensors second. Otherwise, you cannot configure the USM Sensor.
You perform these initialization procedures following successful configuration of appliance management and network interface management.
Accessing the AlienVault Setup Menu
Changing the Root Password
Registering the Appliance
Configuring the Appliance Hostname
Changing the Default Time Zone
Configuring the Appliance to Synchronize with an NTP Server
Configuring USM to Recognize Your Local Keyboard
Configuring a USM Sensor
Configuring a USM Enterprise Server and Enterprise Database
Accessing the AlienVault Setup Menu
You access the AlienVault Setup menu in one of the following ways:
Local Management--By using monitor, keyboard, and mouse connected directly to the USM Hardware Appliance.
Virtual Management—Virtual Appliance users access the console as a vSphere client or through an ssh-enabled telnet utility such as PuTTY.
IPMI Remote Management—After IPMI remote configuration, with the IPMI port cabled to a router, you can access the console by any computer connected to the same subnet in which the appliance runs, through the IPMI connection.
To access the AlienVault console
1. Launch PuTTY or any other telnet utility, and in the Host Name (or IP address) field, type the IP address of the appliance.
2. Make sure that ssh is selected. This is usually the default setting.
3. Click Open.
4. Enter the user credentials you use to log into the telnet utility.
The AlienVault splash screen for USM appears and displays the root username and a randomly generated password for you to enter (Figure 9).
Figure 9. Sample initial AlienVault login screen, showing the default username and password.
5. In the login: field, enter root.
Important: If your AlienVault USM is on version 4.13 or earlier, the password is ‘alienvault’ instead. We recommend that you change your password immediately. See Changing the Root Password.
Next…
Proceed to Changing the Root Password.
Changing the Root Password
After initial login using the default username and randomly generated password, AlienVault prompts you to change the password.
To change the root password
1. On the first Change Root Password panel, type your new password in the New root password field and press Enter.
Note: The cursor is not visible on the field. To verify that your cursor is in the right location, look for a black left border at the start of the field. This tells you that your cursor is where it should be.
2. On the second Change Root Password panel, confirm the password you just entered by retyping it; press Enter.
3. On the third, and final, Change Root Password panel, a confirmation message appears, showing that you successfully updated the password.
The system verifies that you are connected to the Internet, because you need a connection to register the product online, which is the next procedure.
The application now prompts you to log in again, using the newly created password.
Next…
Proceed to Registering the Appliance.
Registering the Appliance
You can register the product in one of three ways:
Offline. See Registering Your Appliance Off Line.
Online through a Web browser. See Registering the Appliance with the Web UI.
Registering the Appliance Online Through the AlienVault Console
Prerequisites
The appliance license key that you received from AlienVault.
To register the appliance through the AlienVault console
1. Log into the AlienVault console.
The AlienVault Setup menu appears.
“Register this Appliance” is now the default selection.
2. To register the appliance, press Enter since OK is the default.
3. On the Online Registration screen, tab to Online registration and press Enter.
4. Type the license key, then press Enter.
The registration process can take several seconds. A status message shows you a registration progress bar.
5. When registration has completed, a message box displays: AlienVault USM activated successfully.
6. To continue, press Enter.
The AlienVault Setup menu appears again, but this time without the Register this Appliance menu option.
Registering Your Appliance Off Line
Prerequisites
A license key file called alienvault-license.deb, obtained from AlienVault Support for a specific appliance. See About the license key.
A USB flash drive formatted as FAT32, onto which you must copy the license file. (For instructions on how to format the USB flash drive for Windows, Mac, and Linux, see the AlienVault Offline Key Activation document, available on the AlienVault Documentation Center.)
About the license key file
appliance. The system_id is available from the AlienVault Setup menu under About this Installation.
Note: Make sure that you associate each license key file with the correct appliance in your deployment.
To register the appliance offline
1. Save the license file alienvault-license.deb you received from AlienVault to a computer desktop or other location where you can easily retrieve it.
2. Insert a FAT32-formatted USB flash drive into the same computer.
3. Copy the license file alienvault-license.deb to the root directory of the formatted USB flash drive.
4. Open an ssh-enabled shell on Linux or a telnet window on MS Windows and enter the username root and the IP address of the USM appliance.
The AlienVault Setup menu appears with “Register this Appliance” as the default selection.
5. To register the appliance, press Enter since OK is the default.
6. Tab to Offline registration and press Enter.
7. Connect the flash drive to the USB port of the appliance and press Enter (OK).
Registering the Appliance with the Web UI
All USM appliances may be registered through the web UI with the exception of the USM Sensor. USM Sensor registration must occur through the AlienVault console.
To register your appliance through the web UI
1. Open a web browser from the appliance connected to the Internet and type the appliance IP address into the address bar.
The AlienVault Free Trial Activation screen appears.
2. Click on click here to enter your product license key.
3. On the Welcome to AlienVault Unified Security Management <version> screen, type the license key in the Product License Key field and click Send.
The Welcome screen appears and contains a form that you must fill out to create the administrator account for the web UI.
5. Fill out the form and, when done, click Start Using AlienVault. The AlienVault User Login screen appears.
6. Type the username admin and the password you created on the previous screen, then click Login.
Next…
Proceed to Configuring the Appliance Hostname.
Configuring the Appliance Hostname
After registering a USM appliance, you should always configure a hostname for it. This helps you to identify each one uniquely, which is particularly important if you need to make an AlienVault Support call.
For guidelines on how to create good hostnames, see RFC 1178.
To configure a hostname for an appliance
1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. From System Preferences, use the Tab key to select Configure Hostname; press Enter (OK).
3. From Configure Hostname, enter the name for this host in the Hostname field; press Enter (OK).
The Setup menu displays the information that you must apply these changes on the main Setup menu and reboot the appliance.
4. Press OK.
The System Preferences menu reappears.
5. Use the Tab key to move from OK to Back and press Enter. This returns you to the AlienVault Setup main menu.
6. On the AlienVault Setup menu, scroll down and select Apply all Changes; select OK. The application prompts you to confirm your choice.
7. Confirm by selecting Yes. The services restart.
8. On the Apply all Changes screen, press Enter (OK).
Next…
Proceed to Changing the Default Time Zone.
Changing the Default Time Zone
The default time zone for AlienVault appliances is Pacific Time (UTC -7h). If you are not operating the appliance in that time zone, you must change it. Otherwise USM cannot, for example, timestamp events accurately.
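The following added example (not part of the AlienVault guide) shows the effect in Python: a constructed firewall log line without a zone marker is read once with the default UTC-7 setting and once with the site's real zone, assumed here to be UTC+2, and only the second reading still correlates with a VPN event that carries its own offset. Host names, addresses and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this illustration: the site runs at UTC+2, while the
# appliance still uses the guide's default of Pacific Time (UTC-7).
DEFAULT_TZ = timezone(timedelta(hours=-7), "default UTC-7")
SITE_TZ = timezone(timedelta(hours=2), "site UTC+2")

# Constructed sample events. The firewall line has no zone marker, so the
# collector's configured zone decides what instant it means. The VPN line
# carries an explicit offset and is unaffected by the setting.
FIREWALL_LINE = "2015-08-24 14:03:10 fw01 DENY src=10.0.0.5 dst=10.0.0.9"
VPN_LINE = "2015-08-24T14:03:40+02:00 vpn01 LOGIN user=alice src=10.0.0.5"


def parse_naive(line, assumed_tz):
    """Read a zone-less 'YYYY-MM-DD HH:MM:SS' prefix as local time in assumed_tz."""
    local = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=assumed_tz).astimezone(timezone.utc)


def parse_aware(line):
    """Read an ISO 8601 timestamp that carries its own UTC offset."""
    return datetime.fromisoformat(line.split(" ", 1)[0]).astimezone(timezone.utc)


def correlated(a, b, window=timedelta(minutes=5)):
    """Two events correlate if they fall within the same time window."""
    return abs(a - b) <= window


def compare(assumed_tz):
    """Return (firewall_utc, vpn_utc, correlated?) for a given zone setting."""
    fw = parse_naive(FIREWALL_LINE, assumed_tz)
    vpn = parse_aware(VPN_LINE)
    return fw, vpn, correlated(fw, vpn)


def zone_skew(wrong_tz, right_tz):
    """Error introduced into every zone-less timestamp by the wrong setting."""
    return parse_naive(FIREWALL_LINE, wrong_tz) - parse_naive(FIREWALL_LINE, right_tz)


if __name__ == "__main__":
    for tz in (DEFAULT_TZ, SITE_TZ):
        fw, vpn, ok = compare(tz)
        print(f"{tz.tzname(None):>14}: firewall={fw:%H:%M:%S}Z vpn={vpn:%H:%M:%S}Z correlated={ok}")
    print("skew:", zone_skew(DEFAULT_TZ, SITE_TZ))
```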
To change the default time zone
1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. Use the Tab key to select Change Location; press Enter (OK).
3. Select Date and Time; press Enter (OK).
4. Select Configure Time Zone; press Enter (OK).
An information panel advises you that the time zone will be changed and that your profile and the mysql services will be changed.
5. Press Enter (Yes), or return to the previous panel by selecting No and pressing Enter.
The Package Configuration panel appears, where America is the default setting. This includes all time zones in both North and South America.
Note: If you want to set another time zone within the United States and its possessions, you can also scroll down using the Down Arrow key until you reach U.S. All menu entries are alphabetical.
6. Locate the applicable region or continent for the appliance:
a. Use the Up or Down Arrow key to scroll up or down until you locate the appropriate continent or region. Select OK.
b. If you selected a country or continent with multiple time zones, expose those by clicking OK.
c. Make a selection by pressing Enter or use the Side Arrow key to select OK.
After you make your selection, the application returns you to the Date and Time menu; press Enter (OK).
7. Press Enter (Yes), which returns you to the Package Configuration menu.
8. Select Cancel.
9. Select Back and press Enter until you progress back to the AlienVault Setup menu.
10. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
The application prompts you to confirm your choice.
11. Confirm by selecting Yes.
The services restart.
12. On the Apply all Changes screen, press Enter (OK).
Next…
Proceed to Configuring the Appliance to Synchronize with an NTP Server.
Configuring the Appliance to Synchronize with an NTP Server
Use of an NTP server in your network helps ensure that all system components are correctly synchronized. This is particularly important for timestamp accuracy and auditability in your efforts to comply with certain regulatory standards.
Note: The NTP server requires use of port 123 over UDP.
To enable or disable synchronization with an NTP server
1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. Use the Tab key to select Change Location; press Enter (OK).
3. Tab to select Date and Time; press Enter (OK).
4. Tab to select Configure NTP Server; press Enter (OK).
5. Enable the NTP Server by selecting Enable with your cursor.
After successful selection, an asterisk appears.
6. Confirm the selection by pressing Enter (OK).
7. Type the hostname or the IP address of the NTP Server; press Enter (OK).
The application returns you to the Date and Time menu.
8. Select Back and press Enter until you progress back to the AlienVault Setup menu.
9. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
The application prompts you to confirm your choice.
10. Confirm by selecting Yes.
A progress screen appears showing you that the services are restarting and the percentage of job completion.
11. On the Apply all Changes screen, press Enter (OK).
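Before typing an NTP server into the menu, it helps to confirm that it answers on UDP port 123 and reports itself synchronized. The Python sketch below is an added example, not AlienVault code: it builds an SNTP client request, validates the reply (server mode, synchronized, originate timestamp echoing the request) and computes clock offset and round-trip delay; all function names and the constructed reply used for the offline run are assumptions of this example.

```python
import socket
import struct
import sys
import time

NTP_PORT = 123                 # UDP port named in the guide's note
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def to_ntp(unix):
    """Unix seconds -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix)
    frac = int((unix - secs) * 2**32)
    return struct.pack("!II", (secs + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)

def from_ntp(raw):
    """8-byte NTP timestamp -> Unix seconds as a float."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 3
    pkt[40:48] = to_ntp(t1)
    return bytes(pkt)

def parse_response(pkt, request, t1, t4):
    """Validate a reply; return (offset, delay) in seconds or raise ValueError."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = pkt[0] >> 6, pkt[0] & 0x07, pkt[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports it is not synchronized")
    if pkt[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not echo our request")
    t2, t3 = from_ntp(pkt[32:40]), from_ntp(pkt[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def query(server, timeout=3.0):
    """Live check: times out if UDP 123 is filtered or the server is silent."""
    t1 = time.time()
    request = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, NTP_PORT))
        pkt, _ = sock.recvfrom(512)
    return parse_response(pkt, request, t1, time.time())

def constructed_reply(request, t1, skew, one_way, stratum=2, leap=0):
    """Constructed sample reply from a server whose clock is `skew` s ahead."""
    pkt = bytearray(48)
    pkt[0] = (leap << 6) | (4 << 3) | 4
    pkt[1] = stratum
    pkt[24:32] = request[40:48]
    pkt[32:40] = pkt[40:48] = to_ntp(t1 + one_way + skew)
    return bytes(pkt)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check against the server given as argument
        print("offset %.3fs, delay %.3fs" % query(sys.argv[1]))
    else:                   # offline run on the constructed reply
        t1 = 1440424800.0
        req = build_request(t1)
        print(parse_response(constructed_reply(req, t1, 2.0, 0.05), req, t1, t1 + 0.1))
```

Run without arguments it evaluates the constructed reply; run with a hostname or IP address it performs one live query against that server.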
Next…
If you do not use a U.S. keyboard, proceed to Configuring USM to Recognize Your Local Keyboard.
If you are a USM All-in-One user, see the document Running the Getting Started Wizard on the AlienVault Documentation Center.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Server, complete all of the applicable foregoing tasks for the USM Sensor. Then, proceed to Configuring a USM Sensor.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Logger, proceed to Configuring a Logger.
Configuring USM to Recognize Your Local Keyboard
Follow this procedure if you use a keyboard that does not use U.S. key layout.
To change the default U.S. keyboard to another layout
1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. Use the Tab key to select Change Location; press Enter (OK).
3. Accept the default setting (Change Keyboard) on the Change Location menu by pressing Enter (OK).
4. On the Package configuration panel, scroll the list of keyboards using the Down or Up Arrow keys until you identify yours, then select it by pressing Enter (OK).
A new Package configuration information panel appears and prompts you to select which key should serve as the AltGr key.
6. Accept the default key or select another from the list and press Enter (OK).
A new Package configuration information panel appears and prompts you to select which key should serve as the Compose key.
7. Accept the default key or select another from the list and press Enter (OK).
8. Select Back and press Enter until you progress back to the AlienVault Setup menu.
9. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
The application prompts you to confirm your choice.
10. Confirm by selecting Yes.
A progress screen appears showing you that the services are restarting and the percentage of job completion.
11. On the Apply all Changes screen, press Enter (OK).
Next…
If you are a USM All-in-One user, see the document Running the Getting Started Wizard on the AlienVault Documentation Center.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Server, complete all of the applicable foregoing tasks for the USM Sensor. Proceed to Configuring a USM Sensor.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Logger, proceed to Configuring a Logger.
Configuring a USM Sensor
If your company purchased USM Standard, Enterprise, or Remote Sensors, you must configure the sensor by providing the USM Server IP address and Framework IP address through the AlienVault Setup menu.
After that you must complete some final configuration steps on the web UI.
Prerequisites
If you are a USM Standard or Enterprise solution customer, you must have already configured your USM Server and have its IP address available.
To configure a USM Sensor
1. Launch the console and the AlienVault Setup menu and use the Tab key to go to Configure Sensor; press Enter (OK).
2. On the Configure Sensor menu, use the Tab key to select Configure AlienVault Server IP; press Enter (OK).
3. In the Enter Server IP field, type the IP address of the USM Server this sensor should contact; press Enter (OK).
The Configure Sensor menu appears again.
4. Use the Tab key to select Configure Framework IP; press Enter (OK).
5. In the Enter Framework IP Address field, type the same IP address you did for the server in step 2; press Enter (OK).
The application returns you to the Configure Sensor menu.
6. Select Back and press Enter until you progress back to the AlienVault Setup menu.
7. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
The application prompts you to confirm your choice.
8. Confirm by selecting Yes.
A progress screen appears showing you that the services are restarting and the percentage of job completion.
8. On the Apply all Changes screen, press Enter (OK).
9. Launch the web UI through a browser and log into USM as administrator.
10. Navigate to Configuration > Deployment > Sensors.
A warning message appears stating:
Warning: The following sensors are being reported by as enabled by the server, but aren’t configured.
The warning message contains the sensor IP address and two links labeled Insert and Discard.
11. Click Insert.
A new screen containing a form appears.
12. Fill out the form and click Save.
Next…
If you are deploying a USM Standard or Enterprise solution, proceed to Configuring a Logger.
If you have configured a USM All-in-One appliance using the Getting Started Wizard, and just completed Remote Sensor configuration, you are done!
Configuring a USM Enterprise Server and Enterprise Database
The AlienVault USM Enterprise Server component is hardware only. It ships with two devices, an Enterprise Server and an Enterprise Database. The Enterprise Server needs to know the IP address and password of the Enterprise Database, and the Enterprise Database needs to know the IP address of the Enterprise Server, so that the two devices can communicate with each other. Both are configured through the AlienVault Setup menu.
To start the USM Enterprise Server configuration
4. Follow the steps in Configuring the Management Interface to assign an IP address to the Enterprise Server.
5. When the AlienVault MySQL Setup menu appears, put it on hold and proceed with configuring the USM Enterprise Database.
To configure the USM Enterprise Database
1. Follow the steps in Configuring the Management Interface to assign an IP address to the Enterprise Database.
2. On the AlienVault Setup menu, use the Tab key to go to Configure Database; press Enter (OK).
3. On the Configure Database menu, use the Tab key to select Configure AlienVault Server IP; press Enter (OK).
4. In the Enter Server IP Address field, type the IP address of the USM Enterprise Server; press Enter (OK).
The Configure Database menu appears again.
5. Use the Tab key to select Configure AlienVault Framework IP; press Enter (OK).
6. In the Enter Framework IP Address field, type the same IP address you did for the server in step 4; press Enter (OK).
The application returns you to the Configure Database menu.
7. Select Back and press Enter until you progress back to the AlienVault Setup menu.
8. On the AlienVault Setup menu, use the Tab key to select Apply all Changes; select OK.
A progress screen appears showing you that the services are restarting and the percentage of job completion.
10. On the Apply all Changes screen, press Enter (OK).
11. On the AlienVault Setup menu, use the Tab key to select Jailbreak System; press Enter (OK).
The application prompts you to confirm your choice.
12. Type the following command:
grep ^pass /etc/ossim/ossim_setup.conf
13. Write down the password to be entered on the Enterprise Server.
14. Type exit to return to the AlienVault Setup menu.
To continue the USM Enterprise Server configuration
1. On the AlienVault MySQL Setup menu, in the Enter MySQL Server IP address field, type the IP address of the USM Enterprise Database; press Enter (OK).
2. In the Enter MySQL Server password field, enter the password recorded from step 13 above.
Note: You will not see any character when typing the password.
3. Press Enter (OK) to finish the configuration.
4. On the AlienVault Setup menu, use the Tab key to select Jailbreak System; press Enter (OK).
The application prompts you to confirm your choice.
5. Type the following command:
alienvault-api add_system --system-ip=<IP-of-Enterprise-Database> --password=<root-password-of-Enterprise-Database>
6. Type exit to return to the AlienVault Setup menu.
Next…
Configuring a Logger
This configuration procedure is for customers who are deploying one of the following USM Standard or Enterprise solution and must configure each appliance separately.
USM One Appliance, but who are deploying a remote Logger, as an addition to the All-in-One.
Note: Unlike the Standard/Enterprise USM Server and Sensors, the USM Logger can only be configured for operation with the USM web UI.
Prerequisites
You must have completed all of the tasks associated with appliance initialization for the USM Server and USM Sensors. (See Table 2.)
You must have completed all of the tasks associated with appliance initialization for the USM Logger before completing this procedure. (See Table 2.)
Recommended!
Because you will be working with two USM instances, it is helpful for this configuration procedure (although not a prerequisite) if you have first given the USM Logger a hostname with the word “Logger” in its hostname on the AlienVault Setup menu. (See Configuring the Appliance Hostname.)
About Logger Configuration
Because the USM Server forwards events to the USM Logger, the USM Logger is considered the parent server. For this reason, you must add the USM Server as a child server on the USM Logger, and then configure event forwarding on the USM Server.
To configure a USM Logger
1. Open a browser, enter the IP address for the USM Logger, and log in.
Figure 10. Add Server selection on Servers screen of USM deployment configuration.
3. Type the IP address and root password of the USM Server; click Save.
4. Return to the Servers screen, shown in Figure 10, and select the USM Logger; click Modify.
5. On the next screen, click No for all the options on the form except Log; click Yes.
6. Click Save.
7. Open a browser, enter the IP address for the USM Server, and log in.
8. Go to Configuration > Deployment > Servers.
You should now see both the USM Server and the Logger (Figure 10).
9. Select the USM Logger and click Modify.
10. On the next screen, type the credentials for the Remote Admin User and the Remote Password. (These are the administrator user credentials to log into the Logger.)
11. To populate the remote URL field automatically, click it.
12. Click Set Remote Logger.
13. On the Servers screen, select the USM Server and click Modify.
a. Set the option for Log to No.
b. In the Forward Servers section of the screen, click Add Server. This extends the form and displays a list box labeled Server.
c. Select Logger and click Add New.
14. Return to the Servers screen, click Apply Changes.
15. To verify that you added the USM Logger successfully, click Server Hierarchy.
You should now see that there is an arrow extending from the USM Server to the USM Logger, whereas previously they were each floating freely in the graph.
The Logger becomes active immediately.
16. To view Logger activity, go to Analysis > Raw Logs (Figure 11).
Figure 11. Raw Logs screen, showing USM Logger activity.