
Monitoring VMware ESX Virtual Switches

Product: USM
Version: All
Deployment: All Deployments

1. INTRODUCTION

The objective of this document is to explain how to configure the AlienVault USM virtual
appliance to monitor a virtual network.

The AlienVault USM virtual appliance has six network interfaces: one for management (eth0)
and five for log collection and traffic capture on the monitored network segment.
Connecting the monitor interface to a SPAN port enables the following functions to operate:

Network IDS

Netflow and Traffic Monitoring

Passive Asset Identification

2. CREATE THE VSWITCH SPAN PORT GROUP

Virtual switches are configured through the ESX vSphere GUI via the master Configuration
tab. Select Networking from the side panel and bring up Properties on the vSwitch you want
AlienVault to monitor.

To capture all traffic over the vSwitch, create a new port group to which the traffic is directed.

This port group will act like a network hub, with all network traffic within the vSwitch visible to
interfaces connected to this port group.

Add a new Virtual Machines port group to the existing switch.

The port group should be named to indicate it has visibility to all traffic (SPAN port).

VLAN ID All (4095) is a special ID in VMware vSwitches that has visibility to all
traffic on the switch.

The SPAN port is now created. Any VM interface connected to this SPAN port group will be able to enter
promiscuous mode and capture traffic from any other VM interface connected to the other port
groups on this vSwitch.

3. GRANT PROMISCUOUS MODE PERMISSIONS TO THE PORT GROUP

The port group must have permission for interfaces to enter promiscuous mode before they can
capture network traffic.

If the defaults are to deny promiscuous mode, open the properties sheet (click on Edit...) for
the SPAN port group and manually assign permission for promiscuous mode.
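
The port group setup from sections 2 and 3, scripted with VMware PowerCLI as an added example (it is not part of the original AlienVault document). The host name, vSwitch name and port group name are assumed placeholders, and the final audit assumes that no other port group on this vSwitch needs promiscuous mode.

```powershell
# Added example: all names below are assumed placeholders, adjust to your environment.
$EsxHost   = 'esx01.example.internal'   # ESX host to connect to (placeholder)
$Switch    = 'vSwitch0'                 # vSwitch AlienVault should monitor (assumed)
$SpanGroup = 'SPAN'                     # name for the new port group (assumed)

Connect-VIServer -Server $EsxHost | Out-Null
$vmhost = Get-VMHost -Name $EsxHost
$vs     = Get-VirtualSwitch -VMHost $vmhost -Name $Switch -Standard

# Section 2: create the port group with VLAN ID All (4095) if it does not exist yet.
$pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $SpanGroup -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $SpanGroup -VLanId 4095 -Confirm:$false
}

# Section 3: grant promiscuous mode on this port group only,
# leaving the vSwitch-level default untouched.
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -Confirm:$false | Out-Null

# Audit: list every port group on the vSwitch with its VLAN ID and
# promiscuous-mode setting. AsExpected is False for any port group other
# than the SPAN group that allows promiscuous mode (or if SPAN denies it).
Get-VirtualPortGroup -VirtualSwitch $vs | ForEach-Object {
    $sec = $_ | Get-SecurityPolicy
    [pscustomobject]@{
        PortGroup        = $_.Name
        VLanId           = $_.VLanId
        AllowPromiscuous = $sec.AllowPromiscuous
        Inherited        = $sec.AllowPromiscuousInherited
        AsExpected       = ([bool]$sec.AllowPromiscuous -eq ($_.Name -eq $SpanGroup))
    }
} | Format-Table -AutoSize
```

A row with Inherited set to True takes its value from the vSwitch default, so a permissive vSwitch default shows up here as several port groups failing the AsExpected check.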

4. ASSIGN ALIENVAULT USM INTERFACES TO THE PORT GROUP

Now that the port group is created, connect one or more interfaces of the AlienVault USM to the
SPAN port group and power it on.

Edit settings of the target virtual appliance to assign the network adapter to the port group
created (SPAN port).

5. USM GETTING STARTED WIZARD: CONFIGURE ALIENVAULT TO MONITOR THE NEW INTERFACE

Configuring the network interface assigned to the port group in order to perform network
monitoring has to be done as part of the first step of the USM Getting Started Wizard. Select
Network Monitoring as the Purpose of the NIC previously assigned in the ESX configuration.

6. USM COMMAND LINE INTERFACE: CONFIGURE ALIENVAULT TO MONITOR THE NEW INTERFACE

Open a console terminal and run the following command:

    ssh root@IP_address

IP_address refers to the default IP of your appliance.

The AlienVault Setup main menu is displayed.


1. Use the arrow keys to move to the option Configure Sensor. Then, press Enter to accept the
selection (<OK>).

2. Use the arrow keys to move to the option Configure Network Monitoring. Then, press Enter
to accept the selection (<OK>).

3. Use the arrow keys on the keyboard to move to the desired interface and select/deselect it by
pressing the Space Bar on the keyboard. Accept the selection (<OK>) by pressing the Enter key. It is
possible to select several interfaces.

4. Use the arrow keys to move to the option (<Back>), then press Enter. The AlienVault
Setup main menu appears.

5. Use the arrow keys to move to the option Apply all Changes. Then, press Enter to accept the
selection (<OK>).

6. Press Enter to accept the changes (<Yes>). This process may take several minutes depending
on the Internet connection. During the process, the following screen appears:

7. At the end, the following message appears:


8. Press Enter to accept (<OK>). The AlienVault Setup main menu appears.
