1. How to Architect a Novell® Sentinel™ Implementation
John P. Gassner
Sentinel Platform Product Line Lead
jgassner@novell.com
2. Agenda
Introduction
– What is Novell® Sentinel™?
– What is Architecture?
Novell Sentinel Product Features
Scalability Constraints
Architecting Novell Sentinel
Example Architectures
Tips
Questions and Answers
2 © Novell, Inc. All rights reserved.
4. What is Novell® Sentinel™?
• Security Information and Event Management (SIEM)
• Log Management
• Security
• Compliance Management Platform (CMP)
5. Novell® Sentinel™ Product Line
• Novell Sentinel Log Manager
• Novell Sentinel 6.1
• Novell Sentinel Rapid Deployment
6. What is Architecture?
• The high level design of system components to meet
user requirements.
• The internal and external relationships between these components.
7. Architectural Considerations
• What product features does the user need?
– Search and reporting
– Long term data retention
– Correlation
– Identity integration
• How to scale to the user's environment?
– How much software does a user need?
– How much hardware does a user need?
– Disparate geographic locations
• What redundancies does the user need?
– High Availability
– Disaster Recovery
9. Novell® Sentinel™ Log Manager
• Released July 2009
• Streamlined install
• Simplified data collection
• Powerful search
• Integrated reporting
• Flexible data retention
10. Novell® Sentinel™ 6.1
• Released July 2008
• Event enrichment/injection
• ActiveViews
• Correlation
• Incident response
• Exploit detection
• Identity integration
• Solution Designer/Packs
• Sentinel Data Management
• Compliance Management
11. Novell® Sentinel™ Rapid Deployment
• Released June 2009
Same as Novell Sentinel 6.1 but…
• Smaller footprint
• Easier install
• Embedded database
• Integrated reporting
12. Not On The Agenda
• What I'm not going to discuss
– Details of the features of Novell® Sentinel™
– How to use Novell Sentinel
– Details of pricing and licensing
14. Constraints
• Software
– License limits
– Product features
• Organizational
– Company standards
– Geographies
• Hardware
– CPU
– Storage
– Memory (RAM)
– Network bandwidth
15. Software Constraints
• License limits
– Novell® Sentinel™ Log Manager
> 500, 2500, and 7500 events per second license options
» Steady state recommendation is 80% of license limit (to account for spikes up to
license limit)
» 400, 2000, and 6000 events per second recommended for steady state
> Includes unlimited license to collect from most devices
> Certain (type IV and V) device collectors require additional licenses
– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
> No single instance license limits
> Per device and correlation engine related license costs
16. Software Constraints
• Product features
– Novell® Sentinel™ Log Manager
> High throughput data collection
> Long term data storage
> Searching and Reporting
– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
> Advanced searching
> Real-time and historical reporting
> Correlation
> Identity integration
> Exploit detection and more...
– Novell Sentinel 6.1
> Additional server and database platform support
17. Software Constraints Applied
• Product Features
– Basic data collection, searching, and reporting
> Choose Novell® Sentinel™ Log Manager
– Long term data storage
> Choose Novell Sentinel Log Manager
– Advanced reporting, detection, integration, and more...
> SUSE Enterprise Linux based server and embedded database platform
» Choose Novell Sentinel Rapid Deployment
> Windows, Solaris, or Red Hat based server and Oracle or SQL Server
platforms
» Choose Novell Sentinel 6.1
> Long term data storage also required?
» Choose Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment plus Novell
Sentinel Log Manager
18. Software Constraints Applied
• License Limits
– Novell® Sentinel™ Log Manager
> Divide events per second in user's environment by the steady state events
per second
» 18,000 eps / 6,000 eps = 3 Sentinel Log Manager 7500 licenses
> Unlimited type I (server) and II (desktop) devices
– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
> No license constraints to apply to
> Per device cost: type I (server), II (desktop), III (vulnerability), IV (enterprise
applications), and V (mainframe)
19. Software Constraints Applied
• Sidebar
– Novell® Sentinel™ Log Manager as an aggregation node
> Cost effective versus per device cost of Novell Sentinel 6.1 and Rapid
Deployment
20. Organizational Constraints
• Company standards and expertise
– Operating systems
– Database platforms
• Geographies
– Local laws
– Security operation centers
• Monitored Device Types
21. Organizational Constraints Applied
• Company standards and expertise
– Database and operating system standards and expertise
> SUSE® Enterprise Linux based server and embedded database platform
» Advanced reporting, detection, integration, and more...
~ Choose Novell® Sentinel™ Rapid Deployment
» Long term data storage or basic data collection and reporting
~ Choose Novell Sentinel Log Manager
> Windows, Solaris, or Red Hat based server and Oracle or SQL Server
platforms
» Choose Novell Sentinel 6.1
> Appliance
» Choose Novell Sentinel Log Manager Appliance (available middle of 2010)
– Little or no relevant expertise
> Choose Novell Sentinel Rapid Deployment
> Choose Novell Sentinel Log Manager Appliance
22. Organizational Constraints Applied
• Geographies
– Local laws
> Process, store, and report on data locally
» Long term data storage or basic data collection and reporting
~ Local instance(s) of Novell® Sentinel™ Log Manager
» Advanced reporting, detection, integration, and more...
~ Local instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment
– Security operation centers
> Local, Regional, Global (flat or hierarchical)
» Long term data storage or basic data collection and reporting
~ Per SOC instance(s) of Novell Sentinel Log Manager
» Advanced reporting, detection, integration, and more...
~ Per SOC instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment
» Use Sentinel Link to forward events up the chain
23. Organizational Constraints Applied
• Device Types
– Windows Event Log
> Data collection requires a Collector Manager running on Windows
> Server is SUSE® Enterprise Linux only, requiring at least one additional Collector Manager machine
» Novell® Sentinel™ Rapid Deployment
» Novell Sentinel Log Manager
– All other device types
> Data collection available from Linux, Windows, or Solaris
> No additional Collector Managers required for these device types
24. Organizational Constraints Applied
• Summary
– Per security operations center or legal data boundary, at least
one instance of the following
> For advanced reporting, detection, integration, and more...
» Choose Novell® Sentinel™ 6.1 or Novell Sentinel Rapid Deployment
and/or
> For long term data storage or basic data collection and reporting
» Choose Novell Sentinel Log Manager
– Monitoring Windows Event Log? Add a Collector Manager
machine when using these Novell Sentinel products
> Novell Sentinel Rapid Deployment
> Novell Sentinel Log Manager
25. Hardware Constraints
• CPU
– Events per second
– Number and types of devices
– Number and complexity of correlation rules and reports
– Number of users
• Storage
– Events per second
– Length of data retention policy
– Number and complexity of reports
• Memory (RAM)
– Number and complexity of correlation rules
• Network bandwidth and stability
26. Performance Data: Full Disclosure
• How did I get this data?
– Internal testing at Novell®
> Testing and tuning is ongoing
– Experiences of customers
• Numbers are approximations
– Approximations are conservative
– Best practice: In a highly dynamic system, build in buffers and
allow room for growth
27. Hardware Constraints Applied
• CPU: Data Collection: Connector
– A single event source server instance is capable of
> Syslog and Novell® Sentinel™ Link
» Approximately 500 devices maximum and rates less than 2000 eps
> Windows (WMS)
» Approximately 50 devices maximum and rates less than 100 eps
> Novell Audit, SNMP
» (Unverified) estimated 5-20 devices maximum and rates less than 1000 eps
– A single connector instance is capable of
> File, Database, SDEE, SAP, Mainframe, LEA, and Process
» Limits not well tested at this time
» One device and events per second rates less than 600 per instance
– Approximately one fully utilized instance per CPU core
28. Hardware Constraints Applied
• CPU: Data Collection: Collector
– A single collector instance is capable of
> Approximately 600-1000 maximum events per second
> Depends on device type and parsing complexity
> Distribute load across multiple collectors/multiple CPU cores
> Approximately one fully utilized collector instance per CPU core
29. Hardware Constraints Applied
• CPU: Data Collection: Collector Manager
– A single dedicated Collector Manager is capable of
> Assumes 4 core 2.2Ghz+ CPU, 4GB RAM, SLES 11
> 1750 events per second per Collector Manager
> Approximate limit of 2000 devices
> Three collector/connector pairs running at maximum events per second
» One per CPU core
» More if running below maximum events per second
– Use additional Collector Managers to scale
30. Hardware Constraints Applied
• CPU: Data Collection: Server
– A single instance of Novell® Sentinel™ Log Manager is capable of
> Approximate limit of 2000 devices and licensed events per second limit
» Target of 4000 devices in the next 6 months
– A single instance of Novell Sentinel Rapid Deployment is
capable of
> Approximate limit of 3200 events per second
> Approximate limit of 2000 devices, even with low eps
– A single instance of Novell Sentinel 6.1 is capable of
> Approximate limit of 5000 events per second
> Approximate limit of 1500 devices, even with low eps
– 20 Collector Managers (unverified maximum approximately 70)
31. Hardware Constraints Applied
• CPU and Memory: Correlation
– A single correlation engine is capable of
> Assumes dedicated 2 core 3Ghz CPU, 4GB RAM, SLES
> 20 rules per correlation engine
» Assumes fairly complex rules
» Computational cost varies depending on the complexity of the rule – windows, gates,
actions, etc. increase complexity.
» More rules possible with simple filter/trigger rules
» Less rules with large window-based rules
~ Window uses significant CPU and memory depending on the size of the time window
– Use Novell® Sentinel™ 6.1 with additional correlation engine instances to scale
> Novell Sentinel Rapid Deployment currently not capable of adding additional
correlation engines
32. Hardware Constraints Applied
• Storage
– Novell® Sentinel™ Log Manager
> Online and Archive (compressed flat file storage)
» ({average byte size of event} + {average byte size of raw data}) x {number of days} x
{events per second} x 0.000012 = Total GB storage required
~ (750 bytes + 200 bytes) x 90 days x 1000 eps x 0.000012 = 1026 Total GB
– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
> Online (uncompressed database)
» {average byte size of event} x {number of days} x {events per second} x 0.123 + 5000 = Total MB storage required (the 0.123 factor and the 5000 MB base yield megabytes; divide by 1000 for GB)
~ 750 bytes x 90 days x 1000 eps x 0.123 + 5000 = 8,307,500 MB ≈ 8.3 TB
> Archive (uncompressed database table export)
» {average byte size of event} x {number of days} x {events per second} x 0.082 = Total MB storage required
~ 750 bytes x 365 days x 1000 eps x 0.082 = 22,447,500 MB ≈ 22.4 TB
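The sizing rules on slides 15, 18 and 27-32 reduce to a handful of ceilings and formulas, and they are easier to apply (and to re-check when the inventory changes) as code. The following is an added worked example written for this page, not Novell tooling and not taken from the deck: it encodes those approximations and applies them to one nation of the Large Scale Multi-Site case (slides 42-48) so the output can be compared with those slides. One assumption is mine: slide 29 puts three fully loaded collector/connector pairs on a Collector Manager and allows "more if running below maximum", which the code reads as core utilisation proportional to eps. Applied to the Windows load, slide 27's ceiling of about 50 devices per WMS connector gives 28 lightly loaded connectors per nation rather than the 6 computed on slide 46; the Collector Manager count still comes out at 2 per nation because those connectors run far below their 100 eps ceiling. The storage functions take the 0.123 and 0.082 factors from slide 32 as yielding megabytes, which is what makes that slide's own 8.3 TB and 22.4 TB totals come out.

```python
"""Capacity planner built from the approximate limits on slides 15, 18 and
27-32. Added worked example, not Novell tooling; the inventory in plan_nation()
is constructed to match the Large Scale Multi-Site case (slides 42-48)."""
import math

# Slide 27: per-instance ceilings for event source servers and connectors,
# as (max devices, max eps).
CONNECTOR_LIMITS = {
    "syslog": (500, 2000),
    "sentinel_link": (500, 2000),
    "wms": (50, 100),        # Windows Event Log; needs a Windows Collector Manager (slide 23)
    "file": (1, 600),        # file, database, SDEE, SAP, ...: one device per instance
    "database": (1, 600),
}
COLLECTOR_MAX_EPS = 1000     # slide 28: 600-1000 eps per collector; upper bound used here
CM_MAX_EPS = 1750            # slide 29: dedicated 4-core, 4 GB Collector Manager
CM_MAX_DEVICES = 2000
CM_COLLECTION_CORES = 3      # slide 29: three fully loaded collector/connector pairs
SLM_STEADY_EPS = {500: 400, 2500: 2000, 7500: 6000}  # slide 15: plan at 80% of license
RULES_PER_ENGINE = 20        # slide 31: fairly complex rules on a dedicated 2-core engine


def connectors_needed(kind, devices, eps):
    """Instances of one connector type. Both slide 27 ceilings must hold, so
    take the larger of the device-bound and the rate-bound count."""
    if devices == 0:
        return 0
    max_devices, max_eps = CONNECTOR_LIMITS[kind]
    return max(math.ceil(devices / max_devices), math.ceil(eps / max_eps), 1)


def collection_cores(kind, eps):
    """Core-equivalents one device type consumes on a Collector Manager.
    Slides 27-28 put a fully utilised connector or collector at about one
    core each; assumption made here (reading slide 29's 'more if running
    below maximum'): utilisation scales linearly with eps."""
    _, max_eps = CONNECTOR_LIMITS[kind]
    return eps / max_eps + eps / COLLECTOR_MAX_EPS


def collector_managers_needed(loads):
    """Dedicated Collector Managers for a list of (kind, devices, eps) loads,
    bounded by the core budget, total eps and total devices of slide 29."""
    cores = sum(collection_cores(kind, rate) for kind, _, rate in loads)
    total_eps = sum(rate for _, _, rate in loads)
    total_devices = sum(count for _, count, _ in loads)
    return max(math.ceil(cores / CM_COLLECTION_CORES),
               math.ceil(total_eps / CM_MAX_EPS),
               math.ceil(total_devices / CM_MAX_DEVICES))


def slm_licenses(eps):
    """(license tier, count) for a Log Manager aggregate rate, sized on the
    steady-state figures; slide 18's 18,000 eps gives three 7500 licenses."""
    for tier, steady in sorted(SLM_STEADY_EPS.items()):
        if eps <= steady:
            return tier, 1
    return 7500, math.ceil(eps / SLM_STEADY_EPS[7500])


def correlation_engines_needed(rules):
    """Slide 31: about 20 fairly complex rules per engine (slide 48: 50 -> 3)."""
    return math.ceil(rules / RULES_PER_ENGINE)


def slm_storage_gb(event_bytes, raw_bytes, days, eps):
    """Slide 32, Log Manager compressed online plus archive, in GB."""
    return (event_bytes + raw_bytes) * days * eps * 0.000012


def sentinel_online_storage_gb(event_bytes, days, eps):
    """Slide 32, Sentinel 6.1/RD uncompressed database. The 0.123 factor and
    the 5000 base yield megabytes (that is how the slide's 8.3 TB arises),
    so convert to GB before returning."""
    return (event_bytes * days * eps * 0.123 + 5000) / 1000


def sentinel_archive_storage_gb(event_bytes, days, eps):
    """Slide 32, uncompressed table export; the 0.082 factor yields MB too."""
    return event_bytes * days * eps * 0.082 / 1000


def plan_nation():
    """One nation of the Large Scale Multi-Site example: 2000 devices and
    800 eps, device types split evenly across the ten nations (slides 42-43).
    Constructed inventory, not measured data."""
    windows = ("wms", 1400, 300)
    syslog = ("syslog", 500, 400)
    bluecoat = ("file", 50, 50)
    oracle = ("database", 50, 50)
    return {
        "syslog_event_source_servers": connectors_needed(*syslog),
        "wms_connectors": connectors_needed(*windows),
        "wms_collector_managers": collector_managers_needed([windows]),
        "file_db_connectors": connectors_needed(*bluecoat) + connectors_needed(*oracle),
        "file_db_collector_managers": collector_managers_needed([bluecoat, oracle]),
        "log_manager_license": slm_licenses(800),
    }


if __name__ == "__main__":
    for item, value in plan_nation().items():
        print(f"{item}: {value}")
    print("global correlation engines:", correlation_engines_needed(50))
    print(f"Log Manager, 90 days at 1000 eps: {slm_storage_gb(750, 200, 90, 1000):.0f} GB")
```

Because every ceiling is a named constant, re-running the plan after Novell revises a figure (slide 30 already anticipates raising the Log Manager device limit to 4000) is a one-line change; the same holds for slide 26's advice to build in a buffer, which here means lowering the constants rather than editing each slide's arithmetic.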
33. Hardware Constraints Applied
• CPU and Storage: Reports
– Novell® Sentinel™ Log Manager and Novell Sentinel Rapid Deployment
> Embedded reporting engine
> Hundreds of saved reports
> 5 running simultaneously
– Novell Sentinel 6.1
> External Crystal Reports server
34. Hardware Constraints Applied
• Network bandwidth and stability: Communication
– Collector Manager
> Communicates between data collection node and server
> Encrypted and compressed
> Local size-bounded caching
> Light Weight Collector Manager
» Lower memory usage
» Lower bandwidth usage
» Default with Novell® Sentinel™ Log Manager and Novell Sentinel Rapid Deployment
» Optional with Novell Sentinel 6.1
35. Hardware Constraints Applied
• Network bandwidth and stability: Communication
– Sentinel Link
> Used to scale Novell® Sentinel™ servers
> Communicates between servers
> Encrypted and compressed
> Local size-bounded caching
> Configurable bandwidth utilization volume and schedule
> 500 eps per Sentinel Link Connection
» 7 Sentinel Link connections at maximum eps per Collector Manager
» Each connection paired with its own collector
> Capable of 500 connections per Sentinel Link event source server at lower
eps
37. Small Scale Single Site
• Environment
– 100 devices to monitor
> 50 Windows Event Logs
> 50 SUSE Enterprise Linux syslogs
– 200 events per second aggregate event rate
> 100 eps from Windows Event Logs
> 100 eps from SUSE® Enterprise Linux syslogs
– One geographic location
38. Small Scale Single Site
• Requirements
– Easy install
– Store events for a long time
– Searching and Reporting
– Low-touch administration
– 10 correlation rules (advanced)
39. Small Scale Single Site – Architectures
• Servers
– For long term data storage or basic data collection and reporting
> A single instance of 500 eps Novell® Sentinel™ Log Manager
– (optional) For advanced reporting, detection, integration, and
more...
> A single instance of Novell Sentinel Rapid Deployment
» Or use Novell Sentinel 6.1 to meet database and operating system organizational
constraints
> A single instance of Sentinel Link to forward data from Novell Sentinel Log
Manager to Novell Sentinel Rapid Deployment
40. Small Scale Single Site – Architectures
• A single instance of Windows Collector Manager
– A single instance of the Windows (WMS) connector and
collector
– A single instance of Syslog event source server and SUSE
Enterprise Linux collector
42. Large Scale Multi-Site
• Environment
– 20000 devices to monitor
> 14000 Windows Event Logs
> 5000 SUSE® Enterprise Linux syslogs
> 500 Bluecoat log files
> 500 Oracle databases
– 8000 events per second aggregate event rate
> 3000 eps of Windows Event Logs
> 4000 eps of SUSE Enterprise Linux syslogs
> 500 eps of Bluecoat log files
> 500 eps of Oracle databases
43. Large Scale Multi-Site
• Environment
– Many geographic locations
> 10 Nations
» 2000 devices per nation
» 800 eps per nation
» Device types evenly distributed
> 3 Regions
> 1 global headquarters
44. Large Scale Multi-Site
• Requirements
– Same as small scale site plus...
– 20 correlation rules at each region
– 50 correlation rules at global level
– Scalable installation
– Archiving
– Low Internet bandwidth utilization between sites
– Fault tolerance
> Network loss resilience
> High Availability
> Disaster Recovery
– Managed Security Service Provider
45. Large Scale Multi-Site – Architecture
• Server
– Multiple instances of Novell® Sentinel™ Log Manager
> 10 at national level, 2500 eps each
» Sentinel Link in each nation to forward data to regional center
– Multiple instances of Novell Sentinel 6.1 or Novell Sentinel
Rapid Deployment
> 3 at regional level
» Each region filters down to total of 800 eps before forwarding
> 1 at global level
46. Large Scale Multi-Site – Architecture
• Data Collection
– Syslog collection directly by Novell® Sentinel™ Log Manager server
> 1 syslog event source server per server
» 400 eps each nation / 2000 eps max = less than 1 event source server
» 500 devices / 500 devices max = 1 event source server
> 1 SUSE Enterprise Linux collector each
» 400 eps each nation / 1000 eps max = less than one collector
– 20 Collector Managers dedicated to Windows Event Log
> 2 per nation
» 300 eps / 50 eps max = 6 WMS connectors
» 6 WMS connectors / 3 connector max = 2 Collector Managers
47. Large Scale Multi-Site – Architecture
• Data Collection
– 10 Collector Managers dedicated to Bluecoat and Oracle
> 1 per nation
> 50 file connector instances per nation
> 50 database connector instances per nation
> 100 eps per nation
» 100 eps total / 600 eps per instance = less than 1
» Each connector instance will have very low utilization
48. Large Scale Multi-Site – Architecture
• Correlation
– 6 instances of correlation engine
» 1 per region
~ Each included with server
» 3 at global level
~ 50 rules / 20 rules per engine = approx. 3 engines
~ One included with server and two additional
49. Large Scale Multi-Site – Architecture
• Fault Tolerance
– Regional Novell® Sentinel™ instance
– Distributed Collector Managers (local caching)
– Sentinel Link (local caching)
– High Availability
> Clustering: SUSE High Availability Extension
> Duplication for High Availability failover nodes
– Disaster Recovery
> Regular complete backups to an offsite data center
> Complete data center duplication
50. Large Scale Multi-Site – Architecture
• Managed Security Service Provider
– Multi-tenancy using MSSPCustomerName event field
> Segregates correlation, event views, reporting data
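Slide 50's point, that the MSSPCustomerName field has to key correlation as well as event views and reports, is easiest to see with a window-based rule of the kind slide 31 warns is expensive. The following is an added illustration written for this page, not Sentinel's correlation engine: a sliding-window threshold rule ("three authentication failures from one source address within 60 seconds") run over a constructed event list in which two tenants reuse the same private address range (the "reused IP ranges" slide 55 tells you to look for). The field names EventTime, EventName and SourceIP, the tenant names and the events are assumptions for the example; only MSSPCustomerName comes from the deck.

```python
"""Tenant-partitioned sliding-window correlation. Added illustration for this
page, not Sentinel's engine; the event schema (EventTime, EventName, SourceIP)
and the sample events are constructed. MSSPCustomerName is the field the deck
names for multi-tenancy."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
THRESHOLD = 3  # fire on the third failure from one source inside the window


def evaluate(events, window=WINDOW_SECONDS, threshold=THRESHOLD, partition_by_tenant=True):
    """Run the rule over the events (sorted by EventTime here) and return a list
    of (tenant, source_ip, fire_time) alerts. State is one deque of timestamps
    per key; that deque is the window-based rule's memory cost from slide 31,
    proportional to window length times the key's event rate."""
    state = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["EventTime"]):
        if ev["EventName"] != "AuthenticationFailed":
            continue
        tenant = ev["MSSPCustomerName"] if partition_by_tenant else None
        key = (tenant, ev["SourceIP"])
        now = ev["EventTime"]
        window_state = state[key]
        window_state.append(now)
        while now - window_state[0] > window:  # expire timestamps outside the window
            window_state.popleft()
        if len(window_state) >= threshold:
            alerts.append((tenant, ev["SourceIP"], now))
            window_state.clear()  # one alert per burst, then start counting again
    return alerts


def failed(t, tenant, ip="10.1.1.5"):
    """Constructed failed-logon event; both tenants use 10.0.0.0/8 internally."""
    return {"EventTime": t, "MSSPCustomerName": tenant, "SourceIP": ip,
            "EventName": "AuthenticationFailed"}


# Constructed sample: acme has two failures in a minute (below threshold),
# globex has a real burst at t=10..40, and the same SourceIP appears in both.
SAMPLE_EVENTS = [
    failed(0, "acme"), failed(10, "globex"), failed(20, "acme"),
    {"EventTime": 25, "MSSPCustomerName": "acme", "SourceIP": "10.1.1.5",
     "EventName": "AuthenticationSucceeded"},
    failed(30, "globex"), failed(40, "globex"), failed(50, "globex"),
    failed(100, "acme"),
]


if __name__ == "__main__":
    print("keyed on SourceIP only:", evaluate(SAMPLE_EVENTS, partition_by_tenant=False))
    print("keyed on (tenant, SourceIP):", evaluate(SAMPLE_EVENTS))
```

Keyed on SourceIP alone the rule fires at t=20 on failures that belong to two different customers, an alert neither of them should see and one that would surface in the wrong tenant's views and reports; it then fires again at t=50 because the first alert consumed globex's real t=10 failure. Keyed on (tenant, SourceIP) only the genuine globex burst fires, at t=40. The same partitioning applies to every stateful rule, which is why slide 50 lists correlation first among the things the field segregates.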
52. Retail Chain
• Environment
– 1000s of stores; each has 10s of devices
– Similar environment at each store
– Small event volume at each store but large aggregate volume
• Requirements
– Same as Large Scale Multi-Site plus...
– Easy “boiler-plate” install at each store
– Store all events at each store
– Forward important events to regional/headquarters
– Centralized Management
53. Retail Chain – Sentinel Architecture
• Novell® Sentinel™ Log Manager, Novell Sentinel 6.1, or Novell Sentinel Rapid Deployment at each store
– Handles temporary store disconnects
– Sentinel Link
> Locally store all events
> Forward important events with bandwidth usage limits
– Pre-built virtual machines copied to each store
> Run a script at each store to hook it into the system
• Hierarchical aggregation, correlation, and analysis
points
– Local, regional, and global
55. Tips: Planning
• Create a device list
– Vendor, product, version
– Number and data rate (events per second)
• Evaluate environmental complexity
– Distributed Networks
– Firewalls, NATs, ports to open
– Reused IP Ranges
– Authentication and Administrative Domains
56. Tips: Choosing Hardware
• Choose adequate hardware
– Data Collection (CPU)
– Database (CPU and GB)
– Correlation (CPU)
• Hardware Recommendation Links
– Sentinel Log Manager
– Sentinel Rapid Deployment
– Sentinel 6.1
57. Tips: Implementation
• Assemble the right team
– Oracle or Microsoft SQL Server DBA
– Device Administrators
– Network Administrators
– Novell Services and Partners
– Internal Auditor (for testing)
• Review installation prerequisites
• Achieve adequate performance
– Collector load balancing
– RAID 10
• Time synchronization
60. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.