Implementing Distributed Novell Sentinel Environments: A Customer Case Study
GaVI is an IT service provider for a number of German insurance companies. Due to EU and national regulations, it is required to retain data generated while running communications services. In the scope of the data retention project, a distributed Novell Sentinel environment was deployed and several custom collectors were developed to collect logs from fixed telephone, Internet access, Internet e-mail and Internet telephone devices.

This session will discuss how you can use the enhanced event router features and Sentinel Link to implement a distributed SIEM solution in a high event rate environment. The session will finish with a lessons-learned section.

Presentation Transcript

  • Implementing Distributed Novell Sentinel Environments: A Customer Case Study
    Christine Deger, Department Manager IT Security, GaVI (christine.deger@gavi.de)
    Norbert Klasen, Senior Consultant, Novell (nklasen@novell.com)
  • Overview
    – What is GaVI? A short introduction
    – Data retention: legal requirements
    – How to get there: planning / decision / implementation
    – Demonstration
    – Lessons learned
    © Novell, Inc. All rights reserved.
  • GaVI: IT full service for public insurance companies in Germany
  • GaVI History
    – GaVI was founded in 2003 as a subsidiary of three insurance companies
    – Customers: insurance holding organizations representing 33 insurance companies
    – Offered services: as a full-service provider, GaVI offers all required IT services
  • Assignment and Claim
    – Supply or provision of all required IT services
    – Ensure and increase the economic efficiency and quality of our (and our customers') IT business
    – Develop synergies
    – Optimisation and homogenisation
    – Structuring of technological strategies
    – Consulting in all business areas
    As measured by its full-service customers' gross premium income, GaVI is THE leading IT service supplier of the public insurance sector (71%) and Germany's third largest IT service supplier within the insurance business (behind ASI C and ITErgo, on par with AMB Informatik Services)
  • Business Figures 2009 (in thousands of EUR)
    – Turnover: 176,000
      – Shareholders and their subsidiaries: 174,400
      – Other customers: 1,600
    – Personnel costs: 42,000
    – Material expenses (incl. services): 122,000
  • GaVI – Facts and Figures
    – Employees: 490
    – Locations: 7 main locations, 5 secondary locations
    – Business volume: 180 million EUR (2008)
    – Host system: 13,000 MIPS
    – Central print: 260 million pages p.a.
    – Memory (storage): 600 terabytes
    – Servers (logical): 700 UNIX/Linux, 2,100 others
    – PC workstations: 31,000
    – Mobile devices: 21,000
    – Service desk: 300,000 calls p.a.
  • Data Retention
  • Legal Requirements
    – EU Directive 2006/24/EC: retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks
    – German law: Gesetz zur Neuregelung der Telekommunikationsüberwachung und anderer verdeckter Ermittlungsmaßnahmen sowie zur Umsetzung der Richtlinie 2006/24/EG (Act on the Reform of Telecommunications Surveillance and Other Covert Investigative Measures and on the Implementation of Directive 2006/24/EC)
    – On 2 March 2010 the German Federal Constitutional Court (BVerfG) issued a press release stating that parts of the existing law do not meet constitutional requirements. As a consequence, all personal data had to be deleted from the databases.
  • Legal Obligations
    – Applies to fixed telephony, (mobile telephony), Internet access, Internet e-mail and Internet telephony
    – Retain, for a period of 6 months, the data necessary
      – to trace and identify the source of a communication
      – to identify the destination of a communication
      – to identify the date, time and duration of a communication
      – to identify the type of communication
    – No data revealing the content of the communication may be retained
  • Arguments On Data Retention
    – Data retention is an invasion of privacy
    – Disproportionate response to the threat of terrorism
    – Costs of retaining data
    – Several lawsuits have been filed by individuals and organizations
    – Use of retained data has been restricted by the BVerfG
    – Some providers need not retain data until the courts have reached a final judgement
  • Does the Law Apply to GaVI?
    – Data retention is required for publicly available services
    – GaVI is not a public Internet service provider in the general sense
    – But some of its customers explicitly allow their employees private Internet access
    – Legal advisors determined that GaVI must indeed retain data under the aforementioned laws
  • Devices to Monitor
    – 6 firewalls from 3 vendors
    – 13 VPN gateways from 2 vendors
    – 1 fax server
    – 2 mail relays
    – 13 proxy servers from 3 vendors
    – 100 PBXs from 10 vendors
  • Solution
    – GaVI had deployed Novell Audit to fulfil internal requirements on file access auditing
    – Novell Audit was superseded by Sentinel, Novell's award-winning general-purpose Security Information and Event Management (SIEM) product
    – Sentinel has a flexible Event Source Management that ships with a large number of connectors for all kinds of devices, from network devices such as firewalls and intrusion detection systems to vulnerability scanners, databases and operating systems
    – An SDK allows for rapid development of custom connectors. This was key in supporting all fax and telephony systems at GaVI.
  • Implementation
  • Novell Sentinel
    – Sentinel is based on a message bus architecture that provides flexibility and scaling for large deployments
    – Real-time analytics, visualization
    – Detect and analyze trends, threats, violations
    – Drill down into historical details from seconds to hours in the past
  • Implementation
    – Distributed architecture: three Sentinel instances at major branch offices and one central Sentinel instance for data retention purposes
    – Local instances collect from event sources: data normalization, short-term storage
    – Events relevant to data retention are forwarded to the central instance: only allowed fields, long-term storage
  • Numbers (combined from all three branch offices)
    – Event sources: 150
    – Sustained event rate: 800 events/s
    – Peak event rate: 2000 events/s
    – Storage: 14 TB
    – 90% of events fall under the data retention law
  • Sentinel Link
    – Sender: Action and Integrator
      – Event batching allows for better compression
      – Reliable transport
      – Encryption
    – Receiver: Connector and Collector
      – The Collector is single-threaded and thus limited to one CPU core
      – This limits the parsing rate to ~500 events/s, well below the 2000 events/s peak rate seen above
      – Create dedicated Connector/Collector pairs for each event source so that the load is spread over several cores
  • Sentinel Link Demonstration
  • Lessons Learned
  • Project Costs
    – Hardware: 150,000 € (210,000 $)
    – Licenses: 259,000 € (362,600 $)
    – Internal / external effort: internal 52,000 € (72,800 $), external 75,000 € (105,000 $)
  • Event Forwarding
    – Using the database connector: no good identifier in the event record
    – Forwarding from correlation rules: JavaScript actions are compiled for each event, which allows ~20 actions per second; not fast enough
    – Forwarding from the Event Router: events are batched up and the action is called once for a batch of up to 500 events
  • Process
    – Validate data: ensure complete and correct forwarding of data (validation revealed that every forwarded event had been shifted one hour into the future)
    – Performance: always test for performance issues during the pilot
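The three slides above (forwarding only allowed fields to the central instance, batching up to 500 events per Event Router action with a usable event identifier, and validating the forwarded copy) describe one pipeline. The following is an added illustration written for this page, not Sentinel code or the GaVI collectors: the field allowlist, the batching, and a validation pass that joins branch and central records on an event identifier and flags missing events, leaked fields and timestamp drift such as the one-hour shift found in the pilot. The field names, the service list, the `shiftTimes` bug simulation and the sample events are all constructed assumptions.

```javascript
"use strict";

// Added illustration, not Novell Sentinel code. All field names, service
// names and sample records are constructed for this example.

// Fields the central retention instance may receive. Constructed from the
// four categories of the retention obligation (source, destination,
// date/time/duration, type); everything else, above all message content,
// is dropped before the event leaves the branch.
const ALLOWED_FIELDS = new Set([
  "eventId", "eventTime", "sourceIp", "sourcePort", "destIp", "destPort",
  "duration", "serviceType", "sensorName",
]);

// Services in scope of the retention law; other event sources stay local.
const RETENTION_SERVICES = new Set([
  "fixed-telephony", "internet-access", "internet-email", "internet-telephony",
]);

// Upper bound on the number of events the router hands to one action call.
const BATCH_SIZE = 500;

function isRetentionRelevant(event) {
  return RETENTION_SERVICES.has(event.serviceType);
}

// Copy only allowlisted fields; the original event is left untouched.
function minimize(event) {
  const out = {};
  for (const key of Object.keys(event)) {
    if (ALLOWED_FIELDS.has(key)) out[key] = event[key];
  }
  return out;
}

// Group the retention-relevant subset of a stream into batches of at most
// BATCH_SIZE minimized events, one action invocation per batch.
function buildBatches(events) {
  const batches = [];
  let current = [];
  for (const event of events) {
    if (!isRetentionRelevant(event)) continue;
    current.push(minimize(event));
    if (current.length === BATCH_SIZE) {
      batches.push(current);
      current = [];
    }
  }
  if (current.length > 0) batches.push(current);
  return batches;
}

// Validation pass: join branch and central records on eventId and flag
// missing events, fields that should never have been forwarded, and
// timestamp drift between the two copies (in milliseconds).
function validateForwarded(sourceEvents, receivedEvents) {
  const received = new Map(receivedEvents.map((e) => [e.eventId, e]));
  const report = { missing: [], leakedFields: [], timeShiftMs: [] };
  for (const src of sourceEvents) {
    if (!isRetentionRelevant(src)) continue;
    const got = received.get(src.eventId);
    if (got === undefined) {
      report.missing.push(src.eventId);
      continue;
    }
    for (const key of Object.keys(got)) {
      if (!ALLOWED_FIELDS.has(key)) report.leakedFields.push(`${src.eventId}:${key}`);
    }
    const delta = Date.parse(got.eventTime) - Date.parse(src.eventTime);
    if (delta !== 0) report.timeShiftMs.push(delta);
  }
  report.ok = report.missing.length === 0 && report.leakedFields.length === 0 &&
    report.timeShiftMs.length === 0;
  return report;
}

// Simulates a receiver that re-stamps eventTime, e.g. by reading a local-time
// (CET) string as UTC: the kind of defect that shifts every event by one hour.
function shiftTimes(events, hours) {
  return events.map((e) => ({
    ...e,
    eventTime: new Date(Date.parse(e.eventTime) + hours * 3600 * 1000).toISOString(),
  }));
}

// Constructed sample events, not real GaVI data: two retention-relevant
// records carrying content that must not leave the branch, and one file
// audit event that is out of scope entirely.
const SAMPLE_EVENTS = [
  { eventId: "e1", eventTime: "2010-03-01T08:00:00Z", sourceIp: "10.1.2.3", sourcePort: 51234,
    destIp: "203.0.113.7", destPort: 443, duration: 12, serviceType: "internet-access",
    sensorName: "proxy-01", message: "GET https://example.com/private?token=abc" },
  { eventId: "e2", eventTime: "2010-03-01T08:00:05Z", sourceIp: "10.1.2.4", destIp: "10.9.9.9",
    duration: 95, serviceType: "internet-telephony", sensorName: "pbx-03",
    message: "SIP INVITE sip:4711@10.9.9.9" },
  { eventId: "e3", eventTime: "2010-03-01T08:00:07Z", sourceIp: "10.1.2.5",
    serviceType: "file-audit", sensorName: "nss-01", message: "open /vol/hr/salaries.xls" },
];

// Run the pipeline once faithfully and once through the time-shifting receiver.
function demoReports() {
  const forwarded = buildBatches(SAMPLE_EVENTS).flat();
  return {
    faithful: validateForwarded(SAMPLE_EVENTS, forwarded),
    shifted: validateForwarded(SAMPLE_EVENTS, shiftTimes(forwarded, 1)),
  };
}

console.log(JSON.stringify(demoReports(), null, 2));
```

The join on `eventId` is the point the "no good identifier in event record" bullet makes: without a stable per-event key the validation pass cannot tell a missing event from a re-ordered one. The `timeShiftMs` list makes a systematic offset obvious (every entry equals 3,600,000 ms in the shifted run), which is how a zone-conversion defect shows up as distinct from random clock skew.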
  • Requirements by BVerfG
    – If a new bill is to be passed, it must impose strict data security guidelines:
      – Separate storage
      – Asymmetric encryption
      – Four-eyes principle
      – Advanced authentication mechanisms
      – Non-repudiable access and deletion logs
  • Future
    – Use the deployed infrastructure for IT security monitoring
      – Expand collection to Windows systems
      – Correlate events across systems
      – Track security incidents
      – Automatically notify on suspicious or illegal activity
    – Improve compliance reporting for IT controls
      – Fulfil requirements set forth by internal and external auditors