How to Architect a Novell Sentinel Implementation

DESCRIPTION

Architecting a Novell Sentinel, Novell Sentinel Rapid Deployment or Novell Sentinel Log Manager installation can be a complicated process, particularly for users who are required to collect data from a large distributed environment. Many factors can impact the architecture users choose, including the amount of data, network link quality, device types, and the features of Sentinel and/or Sentinel Log Manager the user wishes to take advantage of. This session will explain common Sentinel architectural requirements requested by users and will demonstrate how to architect a Sentinel system to meet these requirements. This includes what and how much hardware to buy, and how to choose between Sentinel Log Manager, collector managers, or a full Sentinel deployment in order to best meet your needs at the most efficient cost.

How to Architect a Novell® Sentinel™ Implementation

John P. Gassner

Sentinel Platform Product Line Lead

jgassner@novell.com

© Novell, Inc. All rights reserved.2

Agenda

Introduction

– What is Novell® Sentinel™?

– What is Architecture?

Novell Sentinel Product Features

Scalability Constraints

Architecting Novell Sentinel

Example Architectures

Tips

Questions and Answers

Introduction

What is Novell® Sentinel™?

• Security Information and Event Management (SIEM)

• Log Management

• Security

• Compliance Management Platform (CMP)

Novell® Sentinel™ Product Line

Novell Sentinel Log Manager

Novell Sentinel Rapid Deployment

Novell Sentinel 6.1

What is Architecture?

• The high level design of system components to meet user requirements.

• The internal and external relationships between these components

Architectural Considerations

• What product features does the user need?

– Search and reporting

– Long term data retention

– Correlation

– Identity integration

• How to scale to the user's environment?

– How much software does a user need?

– How much hardware does a user need?

– Disparate geographic locations

• What redundancies does the user need?

– High Availability

– Disaster Recovery

Novell® Sentinel™ Product Features

Novell® Sentinel™ Log Manager

• Released July 2009

• Streamlined install

• Simplified data collection

• Powerful search

• Integrated reporting

• Flexible data retention

Novell® Sentinel™ 6.1

• Released July 2008

• Event enrichment/injection

• ActiveViews

• Correlation

• Incident response

• Exploit detection

• Identity integration

• Solution Designer/Packs

• Sentinel Data Management

• Compliance Management

Novell® Sentinel™ Rapid Deployment

• Released June 2009

• Same as Novell Sentinel 6.1 but…

• Smaller footprint

• Easier install

• Embedded database

• Integrated reporting

Not On The Agenda

• What I'm not going to discuss

– Details of the features of Novell® Sentinel™

– How to use Novell Sentinel

– Details of pricing and licensing

Architectural Constraints

Constraints

• Software

– License limits

– Product features

• Organizational

– Company standards

– Geographies

• Hardware

– CPU

– Storage

– Memory (RAM)

– Network bandwidth

Software Constraints

• License limits

– Novell® Sentinel™ Log Manager

> 500, 2500, and 7500 events per second license options

» Steady state recommendation is 80% of license limit (to account for spikes up to license limit)

» 400, 2000, and 6000 events per second recommended for steady state

> Includes unlimited license to collect from most devices

> Certain (type IV and V) device collectors require additional licenses

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment

> No single instance license limits

> Per device and correlation engine related license costs

Software Constraints

• Product features

– Novell® Sentinel™ Log Manager

> High throughput data collection

> Long term data storage

> Searching and Reporting

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment

> Advanced searching

> Real-time and historical reporting

> Correlation

> Identity integration

> Exploit detection and more...

– Novell Sentinel 6.1

> Additional server and database platform support

Software Constraints Applied

• Product Features

– Basic data collection, searching, and reporting

> Choose Novell® Sentinel™ Log Manager

– Long term data storage

> Choose Novell Sentinel Log Manager

– Advanced reporting, detection, integration, and more...

> SUSE Enterprise Linux based server and embedded database platform

» Choose Novell Sentinel Rapid Deployment

> Windows, Solaris, or Red Hat based server and Oracle or SQL Server platforms

» Choose Novell Sentinel 6.1

> Long term data storage also required?

» Choose Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment plus Novell Sentinel Log Manager

Software Constraints Applied

• License Limits

– Novell® Sentinel™ Log Manager

> Divide events per second in user's environment by the steady state events per second

» 18,000 eps / 6,000 eps = 3 Sentinel Log Manager 7500 licenses

> Unlimited type I (server) and II (desktop) devices

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment

> No license constraints to apply

> Per device cost: type I (server), II (desktop), III (vulnerability), IV (enterprise applications), and V (mainframe)

Software Constraints Applied

• Sidebar

– Novell® Sentinel™ Log Manager as an aggregation node

> Cost effective versus per device cost of Novell Sentinel 6.1 and Rapid Deployment

Organizational Constraints

• Company standards and expertise

– Operating systems

– Database platforms

• Geographies

– Local laws

– Security operation centers

• Monitored Device Types

Organizational Constraints Applied

• Company standards and expertise

– Database and operating system standards and expertise

> SUSE® Enterprise Linux based server and embedded database platform

» Advanced reporting, detection, integration, and more...

~ Choose Novell® Sentinel™ Rapid Deployment

» Long term data storage or basic data collection and reporting

~ Choose Novell Sentinel Log Manager

> Windows, Solaris, or Red Hat based server and Oracle or SQL Server platforms

» Choose Novell Sentinel 6.1

> Appliance

» Choose Novell Sentinel Log Manager Appliance (available middle of 2010)

– Little or no relevant expertise

> Choose Novell Sentinel Rapid Deployment

> Choose Novell Sentinel Log Manager Appliance

Organizational Constraints Applied

• Geographies

– Local laws

> Process, store, and report on data locally

» Long term data storage or basic data collection and reporting

~ Local instance(s) of Novell® Sentinel™ Log Manager

» Advanced reporting, detection, integration, and more...

~ Local instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment

– Security operation centers

> Local, Regional, Global (flat or hierarchical)

» Long term data storage or basic data collection and reporting

~ Per SOC instance(s) of Novell Sentinel Log Manager

» Advanced reporting, detection, integration, and more...

~ Per SOC instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment

» Use Sentinel Link to forward events up the chain

Organizational Constraints Applied

• Device Types

– Windows Event Log

> Data collection requires a Collector Manager running on Windows

> Server is SUSE® Enterprise Linux only, requiring at least one additional Collector Manager machine

» Novell® Sentinel™ Rapid Deployment

» Novell Sentinel Log Manager

– All other device types

> Data collection available from Linux, Windows, or Solaris

> No additional Collector Managers required for these device types

Organizational Constraints Applied

• Summary

– Per security operations center or legal data boundary, at least one instance of the following

> For advanced reporting, detection, integration, and more...

» Choose Novell® Sentinel™ 6.1 or Novell Sentinel Rapid Deployment

and/or

> For long term data storage or basic data collection and reporting

» Choose Novell Sentinel Log Manager

– Monitoring Windows Event Log? Add a Collector Manager machine when using these Novell Sentinel products

> Novell Sentinel Rapid Deployment

> Novell Sentinel Log Manager

Hardware Constraints

• CPU

– Events per second

– Number and types of devices

– Number and complexity of correlation rules and reports

– Number of users

• Storage

– Events per second

– Length of data retention policy

– Number and complexity of reports

• Memory (RAM)

– Number and complexity of correlation rules

• Network bandwidth and stability

Performance Data: Full Disclosure

• How did I get this data?

– Internal testing at Novell®

> Testing and tuning is ongoing

– Experiences of customers

• Numbers are approximations

– Approximations are conservative

– Best practice: In a highly dynamic system, build in buffers and allow room for growth

Hardware Constraints Applied

• CPU: Data Collection: Connector

– A single event source server instance is capable of

> Syslog and Novell® Sentinel™ Link

» Approximately 500 devices maximum and rates less than 2000 eps

> Windows (WMS)

» Approximately 50 devices maximum and rates less than 100 eps

> Novell Audit, SNMP

» (Unverified) estimated 5-20 devices maximum and rates less than 1000 eps

– A single connector instance is capable of

> File, Database, SDEE, SAP, Mainframe, LEA, and Process

» Limits not well tested at this time

» One device and events per second rates less than 600 per instance

– Approximately one fully utilized instance per CPU core

Hardware Constraints Applied

• CPU: Data Collection: Collector

– A single collector instance is capable of

> Approximately 600-1000 maximum events per second

> Depends on device type and parsing complexity

> Distribute load across multiple collectors/multiple CPU cores

> Approximately one fully utilized collector instance per CPU core

Hardware Constraints Applied

• CPU: Data Collection: Collector Manager

– A single dedicated Collector Manager is capable of

> Assumes 4 core 2.2Ghz+ CPU, 4GB RAM, SLES 11

> 1750 events per second per Collector Manager

> Approximate limit of 2000 devices

> Three collector/connector pairs running at maximum events per second

» One per CPU core

» More if running below maximum events per second

– Use additional Collector Managers to scale

Hardware Constraints Applied

• CPU: Data Collection: Server

– A single instance of Novell® Sentinel™ Log Manager is capable of

> Approximate limit of 2000 devices and licensed events per second limit

» Target of 4000 devices in the next 6 months

– A single instance of Novell Sentinel Rapid Deployment is capable of

> Approximate limit of 3200 events per second

> Approximate limit of 2000 devices, even with low eps

– A single instance of Novell Sentinel 6.1 is capable of

> Approximate limit of 5000 events per second and 1500 devices

> Approximate limit of 1500 devices, even with low eps

– 20 Collector Managers (unverified maximum approximately 70)

Hardware Constraints Applied

• CPU and Memory: Correlation

– A single correlation engine is capable of

> Assumes dedicated 2 core 3Ghz CPU, 4GB RAM, SLES

> 20 rules per correlation engine

» Assumes fairly complex rules

» Computational cost varies with the complexity of the rule: windows, gates, actions, etc. increase complexity.

» More rules possible with simple filter/trigger rules

» Fewer rules with large window-based rules

~ Windows use significant CPU and memory depending on the size of the time window

– Use Novell® Sentinel™ 6.1 with additional correlation engine instances to scale

> Novell Sentinel Rapid Deployment currently not capable of adding additional correlation engines

Hardware Constraints Applied

• Storage

– Novell® Sentinel™ Log Manager

> Online and Archive (compressed flat file storage)

» ({average byte size of event} + {average byte size of raw data}) x {number of days} x {events per second} x 0.000012 = Total GB storage required

~ (750 bytes + 200 bytes) x 90 days x 1000 eps x 0.000012 = 1026 Total GB

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment

> Online (uncompressed database)

» {average byte size of event} x {number of days} x {events per second} x 0.123 + 5000 = Total GB storage required

~ 750 bytes x 90 days x 1000 eps x 0.123 + 5000 = 8.3 TB

> Archive (uncompressed database table export)

» {average byte size of event} x {number of days} x {events per second} x 0.00008 = Total GB storage required

~ 750 bytes x 365 days x 1000 eps x 0.082 = 22.4 TB
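Worked example, added here and not part of the slide deck or Novell's own sizing tooling: the three storage formulas above as Python functions, plus a raw-volume cross-check that shows how much compression the Log Manager factor assumes. Two assumptions are made where the slide's arithmetic is ambiguous: the Sentinel 6.1 / Rapid Deployment results are read as MB rather than GB, because the slide's own worked examples (8.3 TB and 22.4 TB) only follow from the stated inputs on that reading, and the archive calculation uses the 0.082 factor from the worked example rather than the 0.00008 printed in the formula (both give roughly 22 TB for that input). The `growth` headroom multiplier is also added, following the "build in buffers and allow room for growth" advice earlier in the deck.

```python
"""Storage sizing for a Novell Sentinel deployment, using the formulas on the
'Hardware Constraints Applied: Storage' slide. Added worked example; not
Novell's sizing tool. Defaults reproduce the slide's example inputs."""


def log_manager_storage_gb(event_bytes, raw_bytes, days, eps, growth=1.0):
    """Sentinel Log Manager online + archive (compressed flat files).

    Slide formula: (event + raw data) x days x eps x 0.000012 = total GB.
    `growth` is an added headroom multiplier (1.25 = 25% room for growth);
    1.0 reproduces the slide's figure exactly.
    """
    return (event_bytes + raw_bytes) * days * eps * 0.000012 * growth


def sentinel_online_storage_tb(event_bytes, days, eps, growth=1.0):
    """Sentinel 6.1 / Rapid Deployment online database (uncompressed).

    Slide formula: event x days x eps x 0.123 + 5000. The slide labels the
    result GB, but its worked example (750 bytes, 90 days, 1000 eps = 8.3 TB)
    only comes out right if the product is read as MB, so this function
    (an assumption of this example) treats it as MB and converts to TB.
    """
    mb = (event_bytes * days * eps * 0.123 + 5000) * growth
    return mb / 1_000_000


def sentinel_archive_storage_tb(event_bytes, days, eps, growth=1.0):
    """Archive (uncompressed database table export).

    The slide prints the factor as 0.00008 (GB) but its worked example uses
    0.082 (MB); both give about 22 TB for the example input. The worked-example
    factor is used here, read as MB and converted to TB (assumption).
    """
    mb = event_bytes * days * eps * 0.082 * growth
    return mb / 1_000_000


def raw_volume_gb(bytes_per_event, days, eps):
    """Uncompressed event volume as a sanity check on the formulas above:
    bytes x eps x 86400 seconds/day x days, in GB (1e9 bytes)."""
    return bytes_per_event * eps * 86400 * days / 1e9


def implied_compression_ratio(event_bytes, raw_bytes, days, eps):
    """Raw volume divided by the Log Manager estimate: the compression the
    0.000012 factor implicitly assumes (about 7.2:1 for any input)."""
    raw = raw_volume_gb(event_bytes + raw_bytes, days, eps)
    return raw / log_manager_storage_gb(event_bytes, raw_bytes, days, eps)


def size_deployment(event_bytes=750, raw_bytes=200, eps=1000,
                    online_days=90, archive_days=365, growth=1.0):
    """All estimates for one environment; defaults are the slide's example."""
    return {
        "log_manager_gb": round(
            log_manager_storage_gb(event_bytes, raw_bytes, online_days, eps, growth), 1),
        "sentinel_online_tb": round(
            sentinel_online_storage_tb(event_bytes, online_days, eps, growth), 2),
        "sentinel_archive_tb": round(
            sentinel_archive_storage_tb(event_bytes, archive_days, eps, growth), 2),
        "raw_online_gb": round(
            raw_volume_gb(event_bytes + raw_bytes, online_days, eps), 1),
        "implied_compression": round(
            implied_compression_ratio(event_bytes, raw_bytes, online_days, eps), 1),
    }


if __name__ == "__main__":
    # Slide inputs: 750-byte events, 200 bytes raw data, 1000 eps, 90/365 days.
    for key, value in size_deployment().items():
        print(f"{key:22s} {value}")
    # With 25% headroom on the same environment:
    print("with 25% growth:", size_deployment(growth=1.25)["log_manager_gb"], "GB")
```

The raw-volume line is the useful check: 950 bytes at 1000 eps for 90 days is about 7.4 TB uncompressed, so the 1026 GB estimate presumes roughly 7:1 compression. If a device mix produces events that compress poorly (already-compressed payloads, high-entropy fields), size above the formula.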

Hardware Constraints Applied

• CPU and Storage: Reports

– Novell® Sentinel™ Log Manager and Novell Sentinel Rapid Deployment

> Embedded reporting engine

> Hundreds of saved reports

> 5 running simultaneously

– Novell Sentinel 6.1

> External Crystal Reports server

Hardware Constraints Applied

• Network bandwidth and stability: Communication

– Collector Manager

> Communicates between data collection node and server

> Encrypted and compressed

> Local size-bounded caching

> Light Weight Collector Manager

» Lower memory usage

» Lower bandwidth usage

» Default with Novell® Sentinel™ Log Manager and Novell Sentinel Rapid Deployment

» Optional with Novell Sentinel 6.1

Hardware Constraints Applied

• Network bandwidth and stability: Communication

– Sentinel Link

> Used to scale Novell® Sentinel™ servers

> Communicates between servers

> Encrypted and compressed

> Local size-bounded caching

> Configurable bandwidth utilization volume and schedule

> 500 eps per Sentinel Link Connection

» 7 Sentinel Link connections at maximum eps per Collector Manager

» Each connection paired with its own collector

> Capable of 500 connections per Sentinel Link event source server at lower eps

Example Architectures

Small Scale Single Site

• Environment

– 100 devices to monitor

> 50 Windows Event Logs

> 50 SUSE Enterprise Linux syslogs

– 200 events per second aggregate event rate

> 100 eps from Windows Event Logs

> 100 eps from SUSE® Enterprise Linux syslogs

– One geographic location

Small Scale Single Site

• Requirements

– Easy install

– Store events for a long time

– Searching and Reporting

– Low-touch administration

– 10 correlation rules (advanced)

Small Scale Single Site – Architectures

• Servers

– For long term data storage or basic data collection and reporting

> A single instance of 500 eps Novell® Sentinel™ Log Manager

– (optional) For advanced reporting, detection, integration, and more...

> A single instance of Novell Sentinel Rapid Deployment

» Or use Novell Sentinel 6.1 to meet database and operating system organizational constraints

> A single instance of Sentinel Link to forward data from Novell Sentinel Log Manager to Novell Sentinel Rapid Deployment

Small Scale Single Site – Architectures

• A single instance of Windows Collector Manager

– A single instance of the Windows (WMS) connector and collector

– A single instance of Syslog event source server and SUSE Enterprise Linux collector

Small Scale Single Site – Architectures

Large Scale Multi-Site

• Environment

– 20000 devices to monitor

> 14000 Windows Event Logs

> 5000 SUSE® Enterprise Linux syslogs

> 500 Bluecoat log files

> 500 Oracle databases

– 8000 events per second aggregate event rate

> 3000 eps of Windows Event Logs

> 4000 eps of SUSE Enterprise Linux syslogs

> 500 eps of Bluecoat log files

> 500 eps of Oracle databases

Large Scale Multi-Site

• Environment

– Many geographic locations

> 10 Nations

» 2000 devices per region

» 800 eps per region

» Device types evenly distributed

> 3 Regions

> 1 global headquarters

Large Scale Multi-Site

• Requirements

– Same as small scale site plus...

– 20 correlation rules at each region

– 50 correlation rules at global level

– Scalable installation

– Archiving

– Low Internet bandwidth utilization between sites

– Fault tolerance

> Network loss resilience

> High Availability

> Disaster Recovery

– Managed Security Service Provider

Large Scale Multi-Site – Architecture

• Server

– Multiple instances of Novell® Sentinel™ Log Manager

> 10 at national level, 2500 eps each

» Sentinel Link in each nation to forward data to regional center

– Multiple instances of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment

> 3 at regional level

» Each region filters down to total of 800 eps before forwarding

> 1 at global level

Large Scale Single Site – Architecture

• Data Collection

– Syslog collection directly by Novell® Sentinel™ Log Manager server

> 1 syslog event source server per server

» 400 eps each nation / 2000 eps max = less than 1 event source server

» 500 devices / 500 devices max = 1 event source server

> 1 SUSE Enterprise Linux collector each

» 400 eps each nation / 1000 eps max = less than one collector

– 20 Collector Managers dedicated to Windows Event Log

> 2 per nation

» 300 eps / 50 eps max = 6 WMS connectors

» 6 WMS connectors / 3 connector max = 2 Collector Managers

Large Scale Single Site – Architecture

• Data Collection

– 10 Collector Managers dedicated to Bluecoat and Oracle

> 1 per nation

> 50 file connector instances per nation

> 50 database connector instances per nation

> 100 eps per nation

» 100 eps total / 600 eps per instance = less than 1

» Each connector instance will have very low utilization

Large Scale Single Site – Architecture

• Correlation

– 6 instances of correlation engine

» 1 per region

~ Each included with server

» 3 at global level

~ 50 rules / 20 rules per engine = approx. 3 engines

~ One included with server and two additional
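Worked example, added here and not from the slides or Novell, that turns the component-count arithmetic of the deck into functions: the Log Manager license count from the "Software Constraints Applied" slide (environment eps divided by the 80% steady-state eps of a tier) and the per-nation data collection and correlation engine counts of the Large Scale Multi-Site example above. The limits are the ones quoted on the slides; where two slides differ (the connector slide allows up to 100 eps per WMS connector, the worked example divides by 50), the worked example's value is used and the other is noted in a comment. One check goes beyond the slide: the WMS connector count is also computed from the connector slide's device limit (about 50 devices per connector), because with 14000 Windows devices spread evenly over 10 nations the device count, not the event rate, would be the binding constraint. The 1400-devices-per-nation figure is derived from the slide's totals and labelled as such.

```python
"""Component-count sizing for a Novell Sentinel deployment, following the
arithmetic the slides show for Log Manager licensing and for the Large Scale
Multi-Site example. Added example; not Novell tooling."""
import math

# Limits quoted on the slides. Where two slides differ, the value the worked
# example uses is kept and the other noted.
STEADY_STATE_FRACTION = 0.80            # steady state: 80% of the license limit
LOG_MANAGER_TIERS_EPS = (500, 2500, 7500)
SYSLOG_ESS_MAX_EPS = 2000               # syslog / Sentinel Link event source server
SYSLOG_ESS_MAX_DEVICES = 500
COLLECTOR_MAX_EPS = 1000                # collector instance: 600-1000 eps; example uses 1000
WMS_CONNECTOR_MAX_EPS = 50              # example divides by 50 (connector slide says <100 eps)
WMS_CONNECTOR_MAX_DEVICES = 50          # connector slide: ~50 devices per WMS connector
CONNECTORS_PER_COLLECTOR_MANAGER = 3    # three collector/connector pairs at max eps
RULES_PER_CORRELATION_ENGINE = 20       # assumes fairly complex rules


def _count(load, capacity):
    """Instances needed for `load` at `capacity` each, never fewer than one."""
    return max(1, math.ceil(load / capacity))


def log_manager_licenses(total_eps, tier_eps=7500):
    """Environment eps divided by the tier's steady-state eps: 18,000 / 6,000 = 3."""
    if tier_eps not in LOG_MANAGER_TIERS_EPS:
        raise ValueError(f"no Log Manager license tier of {tier_eps} eps")
    return _count(total_eps, tier_eps * STEADY_STATE_FRACTION)


def syslog_collection(eps, devices):
    """Event source servers, bound by eps or by devices (whichever needs more),
    and SUSE Linux collectors, per Log Manager server."""
    return {
        "event_source_servers": max(_count(eps, SYSLOG_ESS_MAX_EPS),
                                    _count(devices, SYSLOG_ESS_MAX_DEVICES)),
        "collectors": _count(eps, COLLECTOR_MAX_EPS),
    }


def windows_collection(eps, devices):
    """WMS connectors by eps (the slide's method) and by device count (the
    connector slide's limit), with the Collector Managers each implies."""
    by_eps = _count(eps, WMS_CONNECTOR_MAX_EPS)
    by_devices = _count(devices, WMS_CONNECTOR_MAX_DEVICES)
    return {
        "connectors_by_eps": by_eps,
        "collector_managers_by_eps": _count(by_eps, CONNECTORS_PER_COLLECTOR_MANAGER),
        "connectors_by_devices": by_devices,
        "collector_managers_by_devices": _count(by_devices, CONNECTORS_PER_COLLECTOR_MANAGER),
    }


def correlation_engines(rules):
    """Engines at 20 rules each; one is included with the server, the rest are additional."""
    engines = _count(rules, RULES_PER_CORRELATION_ENGINE)
    return {"engines": engines, "additional": engines - 1}


def plan_nation(syslog_eps=400, syslog_devices=500, windows_eps=300, windows_devices=1400):
    """One nation of the Large Scale Multi-Site example. Defaults come from the
    slides; 1400 Windows devices is derived here as 14000 / 10 nations (the
    slide states device types are evenly distributed)."""
    return {"syslog": syslog_collection(syslog_eps, syslog_devices),
            "windows": windows_collection(windows_eps, windows_devices)}


if __name__ == "__main__":
    print("Log Manager 7500 licenses for 18,000 eps:", log_manager_licenses(18000))
    print("Per nation:", plan_nation())
    print("Regional correlation (20 rules):", correlation_engines(20))
    print("Global correlation (50 rules):", correlation_engines(50))
```

Run as written, the eps-based figures match the slides (6 WMS connectors and 2 Collector Managers per nation, 3 engines at the global level with 2 additional), while the device-based column shows 28 connectors and 10 Collector Managers per nation. Whichever constraint binds is the one to size against, which is why both are returned side by side.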

Large Scale Multi-Site – Architecture

• Fault Tolerance

– Regional Novell® Sentinel™ instance

– Distributed Collector Managers (local caching)

– Sentinel Link (local caching)

– High Availability

> Clustering: SUSE High Availability Extension

> Duplication for High Availability failover nodes

– Disaster Recovery

> Regular complete backups to offsite data center

> Complete data center duplication

Large Scale Multi-Site – Architecture

• Managed Security Service Provider

– Multi-tenancy using MSSPCustomerName event field

> Segregates correlation, event views, reporting data

Large Scale Single Site – Architecture

Retail Chain

• Environment

– 1000s of stores; each has 10s of devices

– Similar environment at each store

– Small event volume at each store but large aggregate volume

• Requirements

– Same as Large Scale Multi-Site plus...

– Easy “boiler-plate” install at each store

– Store all events at each store

– Forward important events to regional/headquarters

– Centralized Management

Retail Chain – Sentinel Architecture

• Novell® Sentinel™ Log Manager, Novell Sentinel 6.1, or Novell Sentinel Rapid Deployment at each store

– Handles temporary store disconnects

– Sentinel Link

> Locally store all events

> Forward important events with bandwidth usage limits

– Pre-built virtual machines copied to each store

> Run a script at each store to hook it into the system

• Hierarchical aggregation, correlation, and analysis points

– Local, regional, and global

Tips

Tips: Planning

• Create a device list

– Vendor, product, version

– Number and data rate (events per second)

• Evaluate environmental complexity

– Distributed Networks

– Firewalls, NATs, ports to open

– Reused IP Ranges

– Authentication and Administrative Domains

Tips: Choosing Hardware

• Choose adequate hardware

– Data Collection (CPU)

– Database (CPU and GB)

– Correlation (CPU)

• Hardware Recommendation Links

– Sentinel Log Manager

– Sentinel Rapid Deployment

– Sentinel 6.1

Tips: Implementation

• Assemble the right team

– Oracle or Microsoft SQL Server DBA

– Device Administrators

– Network Administrators

– Novell Services and Partners

– Internal Auditor (for testing)

• Review installation prerequisites

• Achieve adequate performance

– Collector load balancing

– RAID 10

• Time synchronization

Question and Answer

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.