How to Architect a Novell Sentinel Implementation

5,253 views

Published on

Architecting a Novell Sentinel, Novell Sentinel Rapid Deployment or Novell Sentinel Log Manager installation can be a complicated process, particularly for users who are required to collect data from a large distributed environment. Many factors can impact the architecture users choose, including the amount of data, network link quality, device types, and features of Sentinel and/or Sentinel Log Manager the user wishes to take advantage of.

This session will explain common Sentinel architectural requirements requested by users and will demonstrate how to architect a Sentinel system to meet these requirements. This includes what and how much hardware to buy, how to choose between Sentinel Log Manager, collector managers, or a full Sentinel deployment in order to best meet your needs at the most efficient cost.

1. How to Architect a Novell Sentinel Implementation
    John P. Gassner, Sentinel Platform Product Line Lead, jgassner@novell.com

2. Agenda
    •   Introduction
        –   What is Novell Sentinel?
        –   What is Architecture?
    •   Novell Sentinel Product Features
    •   Scalability Constraints
    •   Architecting Novell Sentinel
    •   Example Architectures
    •   Tips
    •   Questions and Answers
    © Novell, Inc. All rights reserved.

3. Introduction

4. What is Novell Sentinel?
    •   Security Information and Event Management (SIEM)
    •   Log Management
    •   Security
    •   Compliance Management Platform (CMP)

5. Novell Sentinel Product Line
    •   Novell Sentinel 6.1
    •   Novell Sentinel Log Manager
    •   Novell Sentinel Rapid Deployment

6. What is Architecture?
    •   The high level design of system components to meet user requirements.
    •   The internal and external relationships between these components.

7. Architectural Considerations
    •   What product features does the user need?
        –   Search and reporting
        –   Long term data retention
        –   Correlation
        –   Identity integration
    •   How to scale to the user's environment?
        –   How much software does a user need?
        –   How much hardware does a user need?
        –   Disparate geographic locations
    •   What redundancies does the user need?
        –   High Availability
        –   Disaster Recovery

8. Novell Sentinel Product Features

9. Novell Sentinel Log Manager
    •   Released July 2009
    •   Streamlined install
    •   Simplified data collection
    •   Powerful search
    •   Integrated reporting
    •   Flexible data retention

10. Novell Sentinel 6.1
    •   Released July 2008
    •   Event enrichment/injection
    •   ActiveViews
    •   Correlation
    •   Incident response
    •   Exploit detection
    •   Identity integration
    •   Solution Designer/Packs
    •   Sentinel Data Management
    •   Compliance Management

11. Novell Sentinel Rapid Deployment
    •   Released June 2009
    •   Same as Novell Sentinel 6.1 but...
        –   Smaller footprint
        –   Easier install
        –   Embedded database
        –   Integrated reporting

12. Not On The Agenda
    •   What I'm not going to discuss
        –   Details of the features of Novell Sentinel
        –   How to use Novell Sentinel
        –   Details of pricing and licensing

13. Architectural Constraints

14. Constraints
    •   Software
        –   License limits
        –   Product features
    •   Organizational
        –   Company standards
        –   Geographies
    •   Hardware
        –   CPU
        –   Storage
        –   Memory (RAM)
        –   Network bandwidth

15. Software Constraints
    •   License limits
        –   Novell Sentinel Log Manager
            >   500, 2500, and 7500 events per second license options
                »   Steady state recommendation is 80% of license limit (to account for spikes up to license limit)
                »   400, 2000, and 6000 events per second recommended for steady state
            >   Includes unlimited license to collect from most devices
            >   Certain (type IV and V) device collectors require additional licenses
        –   Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
            >   No single instance license limits
            >   Per device and correlation engine related license costs

16. Software Constraints
    •   Product features
        –   Novell Sentinel Log Manager
            >   High throughput data collection
            >   Long term data storage
            >   Searching and Reporting
        –   Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
            >   Advanced searching
            >   Real-time and historical reporting
            >   Correlation
            >   Identity integration
            >   Exploit detection and more...
        –   Novell Sentinel 6.1
            >   Additional server and database platform support

17. Software Constraints Applied
    •   Product Features
        –   Basic data collection, searching, and reporting
            >   Choose Novell Sentinel Log Manager
        –   Long term data storage
            >   Choose Novell Sentinel Log Manager
        –   Advanced reporting, detection, integration, and more...
            >   SUSE Enterprise Linux based server and embedded database platform
                »   Choose Novell Sentinel Rapid Deployment
            >   Windows, Solaris, or Red Hat based server and Oracle or SQL Server platforms
                »   Choose Novell Sentinel 6.1
            >   Long term data storage also required?
                »   Choose Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment plus Novell Sentinel Log Manager

18. Software Constraints Applied
    •   License Limits
        –   Novell Sentinel Log Manager
            >   Divide events per second in the user's environment by the steady state events per second
                »   18,000 eps / 6,000 eps = 3 Sentinel Log Manager 7500 licenses
            >   Unlimited type I (server) and II (desktop) devices
        –   Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
            >   No license constraints to apply
            >   Per device cost: type I (server), II (desktop), III (vulnerability), IV (enterprise applications), and V (mainframe)

19. Software Constraints Applied
    •   Sidebar
        –   Novell Sentinel Log Manager as an aggregation node
            >   Cost effective versus per device cost of Novell Sentinel 6.1 and Rapid Deployment

20. Organizational Constraints
    •   Company standards and expertise
        –   Operating systems
        –   Database platforms
    •   Geographies
        –   Local laws
        –   Security operation centers
    •   Monitored Device Types

21. Organizational Constraints Applied
    •   Company standards and expertise
        –   Database and operating system standards and expertise
            >   SUSE Enterprise Linux based server and embedded database platform
                »   Advanced reporting, detection, integration, and more...
                    ~   Choose Novell Sentinel Rapid Deployment
                »   Long term data storage or basic data collection and reporting
                    ~   Choose Novell Sentinel Log Manager
            >   Windows, Solaris, or Red Hat based server and Oracle or SQL Server platforms
                »   Choose Novell Sentinel 6.1
            >   Appliance
                »   Choose Novell Sentinel Log Manager Appliance (available middle of 2010)
        –   Little or no relevant expertise
            >   Choose Novell Sentinel Rapid Deployment
            >   Choose Novell Sentinel Log Manager Appliance

22. Organizational Constraints Applied
    •   Geographies
        –   Local laws
            >   Process, store, and report on data locally
                »   Long term data storage or basic data collection and reporting
                    ~   Local instance(s) of Novell Sentinel Log Manager
                »   Advanced reporting, detection, integration, and more...
                    ~   Local instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment
        –   Security operation centers
            >   Local, Regional, Global (flat or hierarchical)
                »   Long term data storage or basic data collection and reporting
                    ~   Per SOC instance(s) of Novell Sentinel Log Manager
                »   Advanced reporting, detection, integration, and more...
                    ~   Per SOC instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment
                »   Use Sentinel Link to forward events up the chain

23. Organizational Constraints Applied
    •   Device Types
        –   Windows Event Log
            >   Data collection requires a Collector Manager running on Windows
            >   Server is SUSE Enterprise Linux only, requiring at least one additional Collector Manager machine
                »   Novell Sentinel Rapid Deployment
                »   Novell Sentinel Log Manager
        –   All other device types
            >   Data collection available from Linux, Windows, or Solaris
            >   No additional Collector Managers required for these device types

24. Organizational Constraints Applied
    •   Summary
        –   Per security operations center or legal data boundary, at least one instance of the following
            >   For advanced reporting, detection, integration, and more...
                »   Choose Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment
            >   and/or
            >   For long term data storage or basic data collection and reporting
                »   Choose Novell Sentinel Log Manager
        –   Monitoring Windows Event Log? Add a Collector Manager machine when using these Novell Sentinel products
            >   Novell Sentinel Rapid Deployment
            >   Novell Sentinel Log Manager

25. Hardware Constraints
    •   CPU
        –   Events per second
        –   Number and types of devices
        –   Number and complexity of correlation rules and reports
        –   Number of users
    •   Storage
        –   Events per second
        –   Length of data retention policy
        –   Number and complexity of reports
    •   Memory (RAM)
        –   Number and complexity of correlation rules
    •   Network bandwidth and stability

26. Performance Data: Full Disclosure
    •   How did I get this data?
        –   Internal testing at Novell
            >   Testing and tuning is ongoing
        –   Experiences of customers
    •   Numbers are approximations
        –   Approximations are conservative
        –   Best practice: in a highly dynamic system, build in buffers and allow room for growth

27. Hardware Constraints Applied
    •   CPU: Data Collection: Connector
        –   A single event source server instance is capable of
            >   Syslog and Novell Sentinel Link
                »   Approximately 500 devices maximum and rates less than 2000 eps
            >   Windows (WMS)
                »   Approximately 50 devices maximum and rates less than 100 eps
            >   Novell Audit, SNMP
                »   (Unverified) estimated 5-20 devices maximum and rates less than 1000 eps
        –   A single connector instance is capable of
            >   File, Database, SDEE, SAP, Mainframe, LEA, and Process
                »   Limits not well tested at this time
                »   One device and events per second rates less than 600 per instance
        –   Approximately one fully utilized instance per CPU core

28. Hardware Constraints Applied
    •   CPU: Data Collection: Collector
        –   A single collector instance is capable of
            >   Approximately 600-1000 maximum events per second
            >   Depends on device type and parsing complexity
            >   Distribute load across multiple collectors/multiple CPU cores
            >   Approximately one fully utilized collector instance per CPU core

29. Hardware Constraints Applied
    •   CPU: Data Collection: Collector Manager
        –   A single dedicated Collector Manager is capable of
            >   Assumes 4 core 2.2 GHz+ CPU, 4 GB RAM, SLES 11
            >   1750 events per second per Collector Manager
            >   Approximate limit of 2000 devices
            >   Three collector/connector pairs running at maximum events per second
                »   One per CPU core
                »   More if running below maximum events per second
        –   Use additional Collector Managers to scale

30. Hardware Constraints Applied
    •   CPU: Data Collection: Server
        –   A single instance of Novell Sentinel Log Manager is capable of
            >   Approximate limit of 2000 devices and licensed events per second limit
                »   Target of 4000 devices in the next 6 months
        –   A single instance of Novell Sentinel Rapid Deployment is capable of
            >   Approximate limit of 3200 events per second
            >   Approximate limit of 2000 devices, even with low eps
        –   A single instance of Novell Sentinel 6.1 is capable of
            >   Approximate limit of 5000 events per second and 1500 devices
            >   Approximate limit of 1500 devices, even with low eps
        –   20 Collector Managers (unverified maximum approximately 70)

31. Hardware Constraints Applied
    •   CPU and Memory: Correlation
        –   A single correlation engine is capable of
            >   Assumes dedicated 2 core 3 GHz CPU, 4 GB RAM, SLES
            >   20 rules per correlation engine
                »   Assumes fairly complex rules
                »   Computational cost varies depending on the complexity of the rule: windows, gates, actions, etc. increase complexity.
                »   More rules possible with simple filter/trigger rules
                »   Fewer rules with large window-based rules
                    ~   A window uses significant CPU and memory depending on the size of the time window
        –   Use Novell Sentinel 6.1 with additional correlation engine instances to scale
            >   Novell Sentinel Rapid Deployment currently not capable of adding additional correlation engines

32. Hardware Constraints Applied
    •   Storage
        –   Novell Sentinel Log Manager
            >   Online and Archive (compressed flat file storage)
                »   ({average byte size of event} + {average byte size of raw data}) x {number of days} x {events per second} x 0.000012 = Total GB storage required
                    ~   (750 bytes + 200 bytes) x 90 days x 1000 eps x 0.000012 = 1026 Total GB
        –   Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment
            >   Online (uncompressed database)
                »   {average byte size of event} x {number of days} x {events per second} x 0.123 + 5000 = Total GB storage required
                    ~   750 bytes x 90 days x 1000 eps x 0.123 + 5000 = 8.3 TB
            >   Archive (uncompressed database table export)
                »   {average byte size of event} x {number of days} x {events per second} x 0.00008 = Total GB storage required
                    ~   750 bytes x 365 days x 1000 eps x 0.082 = 22.4 TB
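As an added example (not from the slides or from Novell), the three storage rules of thumb on slide 32 as functions, plus a combined plan for the Log Manager-plus-Sentinel layout of slides 17 and 39. Where the slide's units and coefficients do not agree with its own worked examples (0.123 + 5000 is labelled GB but the example reads 8.3 TB; 0.00008 is printed but 0.082 is used), the code keeps the example's coefficient and reads the result as MB; that reading and the 20% growth headroom are assumptions made here.

```python
"""Storage sizing with the three rules of thumb quoted on slide 32."""


def log_manager_storage_gb(event_bytes, raw_bytes, days, eps):
    """Sentinel Log Manager online + archive (compressed flat files).
    Slide 32: (event + raw) x days x eps x 0.000012, result in GB.
    Reproduces the slide's 1026 GB for 750 B + 200 B, 90 days, 1000 eps."""
    return (event_bytes + raw_bytes) * days * eps * 0.000012


def sentinel_online_storage_mb(event_bytes, days, eps):
    """Sentinel 6.1 / Rapid Deployment online database (uncompressed).
    Slide 32: event x days x eps x 0.123 + 5000. The slide labels the
    result GB, but its own worked example (750 B, 90 days, 1000 eps
    -> 8.3 TB) only comes out if the figure is read as MB, so this
    function returns MB (assumption made here, not on the slide)."""
    return event_bytes * days * eps * 0.123 + 5000


def sentinel_archive_storage_mb(event_bytes, days, eps):
    """Archive (uncompressed table export). Slide 32 prints the
    coefficient as 0.00008 but its example uses 0.082 and reports 22.4 TB
    for 750 B x 365 days x 1000 eps; the example's coefficient is used
    and the result is again read as MB (assumption)."""
    return event_bytes * days * eps * 0.082


def mb_to_tb(mb):
    return mb / 1_000_000


def size_deployment(event_bytes, raw_bytes, eps, slm_days, online_days,
                    archive_days, headroom=0.2):
    """Combined plan for a Sentinel Log Manager long-term store feeding a
    Sentinel 6.1 / Rapid Deployment analysis server (slides 17 and 39).
    Slide 26 says to build in buffers; the 20% default is an assumption."""
    plan = {
        "log_manager_gb": log_manager_storage_gb(
            event_bytes, raw_bytes, slm_days, eps),
        "online_tb": mb_to_tb(
            sentinel_online_storage_mb(event_bytes, online_days, eps)),
        "archive_tb": mb_to_tb(
            sentinel_archive_storage_mb(event_bytes, archive_days, eps)),
    }
    return {key: value * (1 + headroom) for key, value in plan.items()}


if __name__ == "__main__":
    # The slide's own inputs: 750 B events, 200 B raw data, 1000 eps.
    for key, value in size_deployment(750, 200, 1000, 90, 90, 365).items():
        print(f"{key}: {value:,.1f}")
```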
33. Hardware Constraints Applied
    •   CPU and Storage: Reports
        –   Novell Sentinel Log Manager and Novell Sentinel Rapid Deployment
            >   Embedded reporting engine
            >   Hundreds of saved reports
            >   5 running simultaneously
        –   Novell Sentinel 6.1
            >   External Crystal Reports server

34. Hardware Constraints Applied
    •   Network bandwidth and stability: Communication
        –   Collector Manager
            >   Communicates between data collection node and server
            >   Encrypted and compressed
            >   Local size-bounded caching
            >   Light Weight Collector Manager
                »   Lower memory usage
                »   Lower bandwidth usage
                »   Default with Novell Sentinel Log Manager and Novell Sentinel Rapid Deployment
                »   Optional with Novell Sentinel 6.1

35. Hardware Constraints Applied
    •   Network bandwidth and stability: Communication
        –   Sentinel Link
            >   Used to scale Novell Sentinel servers
            >   Communicates between servers
            >   Encrypted and compressed
            >   Local size-bounded caching
            >   Configurable bandwidth utilization volume and schedule
            >   500 eps per Sentinel Link connection
                »   7 Sentinel Link connections at maximum eps per Collector Manager
                »   Each connection paired with its own collector
            >   Capable of 500 connections per Sentinel Link event source server at lower eps

36. Example Architectures

37. Small Scale Single Site
    •   Environment
        –   100 devices to monitor
            >   50 Windows Event Logs
            >   50 SUSE Enterprise Linux syslogs
        –   200 events per second aggregate event rate
            >   100 eps from Windows Event Logs
            >   100 eps from SUSE Enterprise Linux syslogs
        –   One geographic location

38. Small Scale Single Site
    •   Requirements
        –   Easy install
        –   Store events for a long time
        –   Searching and Reporting
        –   Low-touch administration
        –   10 correlation rules (advanced)

39. Small Scale Single Site – Architectures
    •   Servers
        –   For long term data storage or basic data collection and reporting
            >   A single instance of 500 eps Novell Sentinel Log Manager
        –   (optional) For advanced reporting, detection, integration, and more...
            >   A single instance of Novell Sentinel Rapid Deployment
                »   Or use Novell Sentinel 6.1 to meet database and operating system organizational constraints
            >   A single instance of Sentinel Link to forward data from Novell Sentinel Log Manager to Novell Sentinel Rapid Deployment

40. Small Scale Single Site – Architectures
    •   A single instance of Windows Collector Manager
        –   A single instance of the Windows (WMS) connector and collector
        –   A single instance of Syslog event source server and SUSE Enterprise Linux collector

41. Small Scale Single Site – Architectures (diagram)

42. Large Scale Multi-Site
    •   Environment
        –   20000 devices to monitor
            >   14000 Windows Event Logs
            >   5000 SUSE Enterprise Linux syslogs
            >   500 Bluecoat log files
            >   500 Oracle databases
        –   8000 events per second aggregate event rate
            >   3000 eps of Windows Event Logs
            >   4000 eps of SUSE Enterprise Linux syslogs
            >   500 eps of Bluecoat log files
            >   500 eps of Oracle databases

43. Large Scale Multi-Site
    •   Environment
        –   Many geographic locations
            >   10 Nations
                »   2000 devices per region
                »   800 eps per region
                »   Device types evenly distributed
            >   3 Regions
            >   1 global headquarters

44. Large Scale Multi-Site
    •   Requirements
        –   Same as small scale site plus...
        –   20 correlation rules at each region
        –   50 correlation rules at global level
        –   Scalable installation
        –   Archiving
        –   Low Internet bandwidth utilization between sites
        –   Fault tolerance
            >   Network loss resilience
            >   High Availability
            >   Disaster Recovery
        –   Managed Security Service Provider

45. Large Scale Multi-Site – Architecture
    •   Server
        –   Multiple instances of Novell Sentinel Log Manager
            >   10 at national level, 2500 eps each
                »   Sentinel Link in each nation to forward data to regional center
        –   Multiple instances of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment
            >   3 at regional level
                »   Each region filters down to a total of 800 eps before forwarding
            >   1 at global level

46. Large Scale Single Site – Architecture
    •   Data Collection
        –   Syslog collection directly by Novell Sentinel Log Manager server
            >   1 syslog event source server per server
                »   400 eps each nation / 2000 eps max = less than 1 event source server
                »   500 devices / 500 devices max = 1 event source server
            >   1 SUSE Enterprise Linux collector each
                »   400 eps each nation / 1000 eps max = less than one collector
        –   20 Collector Managers dedicated to Windows Event Log
            >   2 per nation
                »   300 eps / 50 eps max = 6 WMS connectors
                »   6 WMS connectors / 3 connector max = 2 Collector Managers

47. Large Scale Single Site – Architecture
    •   Data Collection
        –   10 Collector Managers dedicated to Bluecoat and Oracle
            >   1 per nation
            >   50 file connector instances per nation
            >   50 database connector instances per nation
            >   100 eps per nation
                »   100 eps total / 600 eps per instance = less than 1
                »   Each connector instance will have very low utilization

48. Large Scale Single Site – Architecture
    •   Correlation
        –   6 instances of correlation engine
            »   1 per region
                ~   Each included with server
            »   3 at global level
                ~   50 rules / 20 rules per engine = approx. 3 engines
                ~   One included with server and two additional
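As an added example (not Novell's own sizing tool), a small planner that generalises the divide-and-round-up arithmetic of slides 18 and 46-48 using the per-instance limits quoted on slides 15, 27-29 and 31: each component count is the ceiling over every limit the slides list, and the counts per limit are kept so the binding one is visible. The CPU-share model for Collector Managers (a pair's share is its rate divided by the instance's rate limit, three shares per manager) is an assumption; with slide 27's 50-device limit the Windows tier is device-bound, so the planner returns more WMS instances and fewer Collector Managers than slide 46's rate-only shortcut.

```python
"""Capacity planner generalising the divide-and-round-up arithmetic of
slides 18 and 46-48 with the per-instance limits quoted on slides 15,
27-29 and 31. Added example, not Novell's own sizing tool."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Limit:
    """What one front-end instance can carry (slide 27)."""
    name: str
    eps: float      # maximum events per second per instance
    devices: int    # maximum devices per instance


SYSLOG_ESS = Limit("syslog event source server", 2000, 500)
WMS_ESS = Limit("Windows (WMS) event source server", 100, 50)
FILE_CONN = Limit("file connector", 600, 1)
DB_CONN = Limit("database connector", 600, 1)
COLLECTOR_EPS = 1000              # slide 28: 600-1000 eps per collector
CM_EPS, CM_DEVICES = 1750, 2000   # slide 29: per dedicated Collector Manager
CM_SATURATED_PAIRS = 3            # slide 29: three pairs at max eps per CM
RULES_PER_ENGINE = 20             # slide 31
SLM_STEADY_EPS = {500: 400, 2500: 2000, 7500: 6000}   # slides 15 and 18


def instances_needed(eps, devices, limit):
    """Round up against each limit separately; the larger count binds."""
    by_eps = max(1, ceil(eps / limit.eps))
    by_devices = max(1, ceil(devices / limit.devices))
    return {"by_eps": by_eps, "by_devices": by_devices,
            "needed": max(by_eps, by_devices)}


def plan_tier(eps, devices, limit):
    """Front ends and paired collectors for one device type at one site.
    Assumptions: every front-end instance is paired with its own collector
    (slide 35) and a collector must also stay under COLLECTOR_EPS; a tier's
    CPU share is eps / limit.eps, i.e. one fully utilised instance per core
    (slide 27)."""
    front = instances_needed(eps, devices, limit)
    collectors = max(front["needed"], ceil(eps / COLLECTOR_EPS))
    return {"component": limit.name, "eps": eps, "devices": devices,
            "front_ends": front, "collectors": collectors,
            "cpu_share": eps / limit.eps}


def collector_managers(tiers):
    """Collector Managers shared by the given tiers: bounded by slide 29's
    1750 eps and 2000 devices, and by three saturated pairs' worth of CPU
    (more pairs fit when each runs below its maximum)."""
    eps = sum(t["eps"] for t in tiers)
    devices = sum(t["devices"] for t in tiers)
    share = sum(t["cpu_share"] for t in tiers)
    return max(1, ceil(eps / CM_EPS), ceil(devices / CM_DEVICES),
               ceil(share / CM_SATURATED_PAIRS))


def correlation_engines(rules):
    """Slides 31 and 48: about 20 fairly complex rules per engine."""
    return max(1, ceil(rules / RULES_PER_ENGINE))


def slm_licenses(total_eps, option=7500):
    """Slide 18: divide by the license's steady-state (80%) rate."""
    return ceil(total_eps / SLM_STEADY_EPS[option])


def plan_nation():
    """One nation's slice of the slide 42-43 environment (10 nations,
    device types and rates spread evenly), laid out as on slides 45-48."""
    syslog = plan_tier(400, 500, SYSLOG_ESS)   # collected by the SLM itself
    windows = plan_tier(300, 1400, WMS_ESS)
    bluecoat = plan_tier(50, 50, FILE_CONN)
    oracle = plan_tier(50, 50, DB_CONN)
    return {
        "slm_2500_licenses": slm_licenses(800, 2500),
        "syslog": syslog,
        "windows": windows,
        "windows_collector_managers": collector_managers([windows]),
        "file_db_collector_managers": collector_managers([bluecoat, oracle]),
        "regional_correlation_engines": correlation_engines(20),
        "global_correlation_engines": correlation_engines(50),
    }


if __name__ == "__main__":
    for key, value in plan_nation().items():
        print(f"{key}: {value}")
```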
49. Large Scale Multi-Site – Architecture
    •   Fault Tolerance
        –   Regional Novell Sentinel instance
        –   Distributed Collector Managers (local caching)
        –   Sentinel Link (local caching)
        –   High Availability
            >   Clustering: SUSE High Availability Extension
            >   Duplication for High Availability failover nodes
        –   Disaster Recovery
            >   Regular complete backups to an offsite data center
            >   Complete data center duplication

50. Large Scale Multi-Site – Architecture
    •   Managed Security Service Provider
        –   Multi-tenancy using the MSSPCustomerName event field
            >   Segregates correlation, event views, and reporting data

51. Large Scale Single Site – Architecture (diagram)

52. Retail Chain
    •   Environment
        –   1000s of stores; each has 10s of devices
        –   Similar environment at each store
        –   Small event volume at each store but large aggregate volume
    •   Requirements
        –   Same as Large Scale Multi-Site plus...
        –   Easy "boiler-plate" install at each store
        –   Store all events at each store
        –   Forward important events to regional/headquarters
        –   Centralized Management

53. Retail Chain – Sentinel Architecture
    •   Novell Sentinel Log Manager, Novell Sentinel 6.1, or Novell Sentinel Rapid Deployment at each store
        –   Handles temporary store disconnects
        –   Sentinel Link
            >   Locally store all events
            >   Forward important events with bandwidth usage limits
        –   Pre-built virtual machines copied to each store
            >   Run a script at each store to hook it into the system
    •   Hierarchical aggregation, correlation, and analysis points
        –   Local, regional, and global

54. Tips

55. Tips: Planning
    •   Create a device list
        –   Vendor, product, version
        –   Number and data rate (events per second)
    •   Evaluate environmental complexity
        –   Distributed Networks
        –   Firewalls, NATs, ports to open
        –   Reused IP Ranges
        –   Authentication and Administrative Domains

56. Tips: Choosing Hardware
    •   Choose adequate hardware
        –   Data Collection (CPU)
        –   Database (CPU and GB)
        –   Correlation (CPU)
    •   Hardware Recommendation Links
        –   Sentinel Log Manager
        –   Sentinel Rapid Deployment
        –   Sentinel 6.1

57. Tips: Implementation
    •   Assemble the right team
        –   Oracle or Microsoft SQL Server DBA
        –   Device Administrators
        –   Network Administrators
        –   Novell Services and Partners
        –   Internal Auditor (for testing)
    •   Review installation prerequisites
    •   Achieve adequate performance
        –   Collector load balancing
        –   RAID 10
    •   Time synchronization

58. Question and Answer

59. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
