High Availability and Disaster Recovery with Novell Sentinel Log Manager
Upcoming SlideShare
Loading in...5
×
 

High Availability and Disaster Recovery with Novell Sentinel Log Manager

on

  • 2,048 views

Novell Sentinel Log Manager can be implemented in a high availability cluster using the SUSE Linux Enterprise 11 High Availability Extension. This approach, combined with Sentinel Log Manager backup ...

Novell Sentinel Log Manager can be implemented in a high availability cluster using the SUSE Linux Enterprise 11 High Availability Extension. This approach, combined with Sentinel Log Manager backup scripts can be used to provide a solution for disaster recovery.

This session will explain the architecture of the high availability and disaster recovery solution available with Sentinel Log Manager as well as implementation details.

Statistics

Views

Total Views
2,048
Views on SlideShare
2,042
Embed Views
6

Actions

Likes
0
Downloads
150
Comments
0

1 Embed 6

http://www.slideshare.net 6

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

High Availability and Disaster Recovery with Novell Sentinel Log Manager High Availability and Disaster Recovery with Novell Sentinel Log Manager Presentation Transcript

  • Building Highly Available Log Management and SIEM Solutions Sesh Ramasharma, CISSP Principal – Identity, Access & Security Management Novell, Inc
  • Agenda • Logical view of Log Management and SIEM • Key Tenants of Security - CIA • Availability Defined • Know the moving parts of the solution • Key considerations • Tools in the Repertoire • Summary 2 © Novell, Inc. All rights reserved.
  • Log Management and SIEM • Log Management is sometimes referred to as Security Information Management or “SIM” • Security Event Management or “SEM” is focused on real-time monitoring, alerting, incident response SEM Log Management Event correlation Data collection Compression Robust alert Ad-hoc query Forensics Incident response E-mail alerts Data integrity Dashboards Reports Unknown log support Data enrichment Data retention Filtering Raw log forwarding 3 © Novell, Inc. All rights reserved.
  • CIA Tenants of Security • CIA tenants of security apply to SIEM / Log Management systems as well – Confidentiality: Classification of data and ensuring data is visible to only constituencies that are authorized – Integrity: Data cannot be tampered with and non-repudiation – Availability: Available when and where needed 4 © Novell, Inc. All rights reserved.
  • Risk based definition of High Availability • Definition of “High Availability” is subjective – Defined by number of 9’s • It should be driven by and be commensurate to business risk • Primary reason it needs to be evaluated subjectively is because it comes with a cost! 5 © Novell, Inc. All rights reserved.
  • Functional Sensitivity to Availability • Break down availability by functionality • Some functions need higher availability than others SEM Log Management Event correlation Data collection Compression Robust alert Ad-hoc query Forensics Incident response E-mail alerts Data integrity Dashboards Reports Unknown log support Data enrichment Data retention Filtering Raw log forwarding 6 © Novell, Inc. All rights reserved.
  • Logical View – SIEM Burton Reference Model OPERATIONS INTEGRATION VISUALIZATION / ADMINISTRATION Security alerts Reports Visualization Network / Security Operations Help Desk Ticketing REAL-TIME ANALYSIS / RESPONSE REAL-TIME ANALYSIS / RESPONSE Raw Log Policies / Compliance Signatures / Attack Rules Patterns COLLECTION / AGGREGATION / CORRELATION RESPONSE RESPONSE Central / Master Collector Distributed Collectors INPUTS Agent Logging Agent Logging Agent Logging Agent Logging Identity Management System Management Perimeter Controls Intrusion Detection / Response • Access Control • Host and DB Configuration • Routers • Network IDS • Directories • Patch Management • Firewalls • Network IPS • Provisioning • Vulnerability Management • Content Scanners • Other Sensors Source: Burton Group – Diana Kelley 7 © Novell, Inc. All rights reserved.
  • Novell Sentinel SIEM ® ™ Correlation iTRAC Sentinel Reports Repository Control Center Subscribe Channels PROXY Parse-normalize Collector Manager Collector Manager Taxonomy Publish Business relevance Exploit detection Collectors Collectors Collectors Collectors External Event Sources Event Sources VPN External Firewall Asset Mgmt Patch Mgmt Workstations Laptops Business Apps RDBMS Host IDS Identity Vulnerability Domain Custom Antivirus Server Mainframe Network IDS Mgmt Mgmt Controller Events Security Perimeter Referential IT Sources Operating Systems Application Events 8 © Novell, Inc. All rights reserved.
  • Novell Sentinel RD ® ™ 9 © Novell, Inc. All rights reserved. © Novell Inc, Confidential & Proprietary
  • Novell Sentinel Log Manager ® ™ 10 © Novell, Inc. All rights reserved.
  • SIEM/Log Management Layers AGENT SIEM Log Mgmt. Application Application Operating System Operating System Storage Network Storage Network Event Source SIEM / Log Management System 11 © Novell, Inc. All rights reserved.
  • SIEM/Log Management Layers – Novell Sentinel Suite Perspective ® ™ AGENT SIEM Log Mgmt. Application Application Operating System Operating System Storage Network Storage Network Event Source SIEM / Log Management System Collector Collector Manager Application Operating System Storage Network 12 © Novell, Inc. All rights reserved.
  • Know the Moving Parts – A Vertical Slice – Flavor 1 Burton Reference Novell Sentinel ® ™ Security alerts Security Alerts Reports Workflow Remediation Visualization Visualization Reports Log Database Log Database Message Bus Central / Master Collector Distributed Collector Central / Master Collector Distributed Collector Event Source Event Source Agent Logging Logging 13 © Novell, Inc. All rights reserved.
  • Know the Moving Parts – A Vertical Slice – Flavor 2 Burton Reference Novell Sentinel ® ™ Security alerts Security Alerts Reports Workflow Remediation Visualization Visualization Reports Control Center Log Database Log Database Message Bus Central / Master Collector Sentinel Log Raw Manger Log Distributed Collector Central / Master Collector Distributed Collector Event Source Event Source Agent Logging Logging 14 © Novell, Inc. All rights reserved.
  • Degrees of Availability HOT BACKUP WARM STANDBY COST COLD BACKUP 0% 95% 98% 99.5% 99.9% Availability 15 © Novell, Inc. All rights reserved.
  • Cold Backup • Characteristics – Backup all the components at periodic intervals – Restore a point-in-time backup upon failure • Implications – Economic solution – Availability will be on the lower spectrum as recovery will take longer time – State of the entire system has to be in synch – High potential for data loss upon recovery 16 © Novell, Inc. All rights reserved.
  • Warm Standby • Characteristics – Backup all the components at periodic intervals – Full redundant system on stand-by – Restore a point-in-time on a redundant hardware on stand-by mode – Activate stand-by upon primary failure • Implications – More expensive than cold backup solution – Availability will be better – State of the entire system has to be in synch – Potential for data loss on recovery 17 © Novell, Inc. All rights reserved.
  • Hot Backup • Characteristics – Full redundant system – Collect events redundantly from all event sources – Activate stand-by upon primary failure – Can be used in an Active/Active mode if correlation rules and reporting users are high • Implications – More expensive than cold backup and warm standby solution – Availability will be best – Low potential for data loss on recovery 18 © Novell, Inc. All rights reserved.
  • Hybrid Solutions are possible • It is possible to have hybrid solutions to achieve varying degree of availability for different components / event sources based on business requirements and cost factors – High Availability within a Data Center > E.g - Clustering solution with RAID » Protects against outage of hardware or components within a data center – High Availability Across Data Center > E.g - Warm standby across data center » Protects against outage of entire data center – Disaster Recovery > E.g - Cold backup every day » Protects from total loss of service in case of failure / disaster • Question for the audience – What else is possible to provide each of these situations? 19 © Novell, Inc. All rights reserved.
  • Key Considerations for model choice • Functional Sensitivity • Distributability of the solution – More is better or less is better? – Depends!!! • Balance Scalability with Availability • Appliance vs Software – Component Distributability – Component Resiliency > Redundancy > Local Buffering • Self-monitoring capabilities – Need a MoM or can your SIEM software monitor itself 20 © Novell, Inc. All rights reserved.
  • Tools in the Repertoire • Traditional – Vendor provided solution > Full redundancy? – Platform HA > E.g OHAC, HACMP – O/S HA > E.g Veritas clusters, Linux Clusters, Solaris clusters – Database HA > Oracle clustering, MS-SQL clustering – Disk HA > E.g SANs, EMC, RAID – Network HA > E.g Self healing networks • Leading Edge / Emerging – Cloud Computing – Intelligent Workload Management 21 © Novell, Inc. All rights reserved.
  • Summary – Back to Basics Consider a Systemic View • Understand the organizational risks and costs of these risks materializing • Know the cost / benefit of SIEM HA for your organization • Attack HA from a functional point of view • Understand the moving parts • Leverage tools available at all layers ---------------------------------------------------------------------- Build the best HA solution for your organization ---------------------------------------------------------------------- 22 © Novell, Inc. All rights reserved.
  • Section Break Text Here (32pt)
  • Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.