How to Architect a Novell Sentinel Implementation

How to Architect a Novell® Sentinel™ Implementation

John P. GassnerSentinel Platform Product Line [email protected]

© Novell, Inc. All rights reserved.2

Agenda

Introduction– What is Novell® Sentinel™?

– What is Architecture?

Novell Sentinel Product Features

Scalability Constraints

Architecting Novell Sentinel

Example Architectures

Tips

Questions and Answers

Introduction


What is Novell® Sentinel™?

• Security Information and Event Management (SIEM)

• Log Management

• Security

• Compliance Management Platform (CMP)


Novell® Sentinel™ Product Line

Novell SentinelLog Manager

Novell SentinelRapid Deployment

Novell Sentinel6.1


What is Architecture?

• The high level design of system components to meet user requirements.

• The the internal and external relationships between these components


Architectural Considerations

• What product features does the user need?– Search and reporting– Long term data retention– Correlation– Identity integration

• How to scale to the user's environment?– How much software does a user need?– How much hardware does a user need?– Disparate geographic locations

• What redundancies does the user need?– High Availability– Disaster Recovery

Novell® Sentinel™ Product Features


Novell® Sentinel™ Log Manager

• Released July 2009

• Streamlined install

• Simplified data collection

• Powerful search

• Integrated reporting

• Flexible data retention


Novell® Sentinel™ 6.1

• Released July 2008• Event enrichment/injection• ActiveViews• Correlation• Incident response• Exploit detection• Identity integration• Solution Designer/Packs• Sentinel Data Management• Compliance Management


Novell® Sentinel™ Rapid Deployment

• Released June 2009Same as Novell Sentinel 6.1 but…• Smaller footprint• Easier install• Embedded database• Integrated reporting


Not On The Agenda

• What I'm not going to discuss

– Details of the features of Novell® Sentinel™

– How to use Novell Sentinel

– Details of pricing and licensing

Architectural Constraints


Constraints

• Software– License limits– Product features

• Organizational– Company standards– Geographies

• Hardware– CPU– Storage– Memory (RAM)– Network bandwidth


Software Constraints

• License limits– Novell® Sentinel™ Log Manager

> 500, 2500, and 7500 events per second license options

» Steady state recommendation is 80% of license limit (to account for spikes up to license limit)

» 400, 2000, and 6000 events per second recommended for steady state

> Includes unlimited license to collect from most devices

> Certain (type IV and V) device collectors require additional licenses

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment> No single instance license limits

> Per device and correlation engine related license costs


Software Constraints

• Product features– Novell® Sentinel™ Log Manager

> High throughput data collection> Long term data storage> Searching and Reporting

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment> Advanced searching> Real-time and historical reporting> Correlation> Identity integration> Exploit detection and more...

– Novell Sentinel 6.1> Additional server and database platform support


Software Constraints Applied

• Product Features– Basic data collection, searching, and reporting

> Choose Novell® Sentinel™ Log Manager

– Long term data storage> Choose Novell Sentinel Log Manager

– Advanced reporting, detection, integration, and more...> SUSE Enterprise Linux based server and embedded database platform

» Choose Novell Sentinel Rapid Deployment

> Windows, Solaris, or Red Hat based server and Oracle or SQL Server platforms

» Choose Novell Sentinel 6.1

> Long term data storage also required?» Choose Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment plus Novell

Sentinel Log Manager



• License Limits

– Novell® Sentinel™ Log Manager

> Divide events per second in user's environment by the steady state events per second

» 18,000 eps / 6,000 eps = 3 Sentinel Log Manager 7500 licenses

> Unlimited type I (server) and II (desktop) devices

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment

> No license constraints to apply to

> Per device cost: type I (server), II (desktop), III (vulnerability), IV (enterprise applications), and V (mainframe)



• Sidebar

– Novell® Sentinel™ Log Manager as an aggregation node

> Cost effective versus per device cost of Novell Sentinel 6.1 and Rapid Deployment


Organizational Constraints

• Company standards and expertise

– Operating systems

– Database platforms

• Geographies

– Local laws

– Security operation centers

• Monitored Device Types


Organizational Constraints Applied

• Company standards and expertise– Database and operating system standards and expertise

> SUSE® Enterprise Linux based server and embedded database platform» Advanced reporting, detection, integration, and more...

~ Choose Novell® Sentinel™ Rapid Deployment

» Long term data storage or basic data collection and reporting~ Choose Novell Sentinel Log Manager

> Windows, Solaris, or Red Hat based server and Oracle or SQL Server platforms

» Choose Novell Sentinel 6.1

> Appliance» Choose Novell Sentinel Log Manager Appliance (available middle of 2010)

– Little or no relevant expertise> Choose Novell Sentinel Rapid Deployment> Choose Novell Sentinel Log Manager Appliance



• Geographies– Local laws

> Process, store, and report on data locally» Long term data storage or basic data collection and reporting

~ Local instance(s) Novell® Sentinel™ Log Manager

» Advanced reporting, detection, integration, and more...~ Local instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment

– Security operation centers> Local, Regional, Global (flat or hierarchical)

» Long term data storage or basic data collection and reporting~ Per SOC instance(s) of Novell Sentinel Log Manager

» Advanced reporting, detection, integration, and more...~ Per SOC instance(s) of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment

» Use Sentinel Link to forward events up the chain



• Device Types– Windows Event Log

> Data collection requires a Collector Manager running on Windows

> Server is SUSE® Enterprise Linux only, requiring at least one additional Collector Manager machine

» Novell® Sentinel™ Rapid Deployment

» Novell Sentinel Log Manager

– All other device types> Data collection available from Linux, Windows, or Solaris

> No additional Collector Managers required for these device types



• Summary– Per security operations center or legal data boundary, at least

one instance of the following> For advanced reporting, detection, integration, and more...

» Choose Novell® Sentinel™ 6.1 or Novell Sentinel Rapid Deployment

and/or> For long term data storage or basic data collection and reporting

» Choose Novell Sentinel Log Manager

– Monitoring Windows Event Log? Add a Collector Manager machine when using these Novell Sentinel products

> Novell Sentinel Rapid Deployment> Novell Sentinel Log Manager


Hardware Constraints

• CPU– Events per second– Number and types of devices– Number and complexity of correlation rules and reports– Number of users

• Storage– Events per second– Length of data retention policy– Number and complexity of reports

• Memory (RAM)– Number and complexity of correlation rules

• Network bandwidth and stability


Performance Data: Full Disclosure

• How did I get this data?

– Internal testing at Novell®

> Testing and tuning is ongoing

– Experiences of customers

• Numbers are approximations

– Approximations are conservative

– Best practice: In a highly dynamic system, build in buffers and allow room for growth


Hardware Constraints Applied

• CPU: Data Collection: Connector– A single event source server instance is capable of

> Syslog and Novell® Sentinel™ Link» Approximately 500 devices maximum and rates less than 2000 eps

> Windows (WMS)» Approximately 50 devices maximum and rates less than 100 eps

> Novell Audit, SNMP» (Unverified) estimated 5-20 devices maximum and rates less than 1000

– A single connector instance is capable of> File, Database, SDEE, SAP, Mainframe, LEA, and Process

» Limits not well tested at this time

» One device and events per second rates less than 600 per instance

– Approximately one fully utilized instance per CPU core



• CPU: Data Collection: Collector– A single collector instance is capable of

> Approximately 600-1000 maximum events per second> Depends on device type and parsing complexity> Distribute load across multiple collectors/multiple CPU cores> Approximately one fully utilized collector instance per CPU core



• CPU: Data Collection: Collector Manager– A single dedicated Collector Manager is capable of

> Assumes 4 core 2.2Ghz+ CPU, 4GB RAM, SLES 11> 1750 events per second per Collector Manager> Approximate limit of 2000 devices> Three collector/connector pairs running at maximum events per second

» One per CPU core

» More if running below maximum events per second

– Use additional Collector Managers to scale



• CPU: Data Collection: Server– A single instance of Novell® Sentinel™ Log Manager is capable of

> Approximate limit of 2000 devices and licensed events per second limit» Target of 4000 devices in the next 6 months

– A single instance of Novell Sentinel Rapid Deployment is capable of

> Approximate limit of 3200 events per second> Approximate limit of 2000 devices, even with low eps

– A single instance of Novell Sentinel 6.1 is capable of> Approximate limit of 5000 events per second and 1500 devices> Approximate limit of 1500 devices, even with low eps

– 20 Collector Managers (unverified maximum approximately 70)



• CPU and Memory: Correlation– A single correlation engine is capable of

> Assumes dedicated 2 core 3Ghz CPU, 4GB RAM, SLES> 20 rules per correlation engine

» Assumes fairly complex rules

» Computational cost varies depending on the complexity of the rule – windows, gates, actions, etc. increase complexity.

» More rules possible with simple filter/trigger rules

» Less rules with large window-based rules~ Window uses significant CPU and memory depending on the size of the time window

– Use Novell® Sentinel™ 6.1 with additional correlation engine instances to scale

> Novell Sentinel Rapid Deployment currently not capable of adding additional correlation engines



• Storage– Novell® Sentinel™ Log Manager

> Online and Archive (compressed flat file storage)» ({average byte size of event} + {average byte size of raw data}) x {number of days} x

{events per second} x 0.000012 = Total GB storage required~ (750 bytes + 200 bytes) x 90 days x 1000 eps x 0.000012 = 1026 Total GB

– Novell Sentinel 6.1 and Novell Sentinel Rapid Deployment> Online (uncompressed database)

» {average byte size of event} x {number of days} x {events per second} x 0.123 + 5000 = Total GB storage required

~ 750 bytes x 90 days x 1000 eps x 0.123 + 5000 = 8.3 TB

> Archive (uncompressed database table export)» {average byte size of event} x {number of days} x {events per second} x 0.00008 =

Total GB storage required~ 750 bytes x 365 days x 1000 eps x 0.082 = 22.4 TB



• CPU and Storage: Reports– Novell® Sentinel™ Log Manager and Novell Sentinel Rapid

Deployment> Embedded reporting engine> Hundreds of saved reports> 5 running simultaneously

– Novell Sentinel 6.1> External Crystal Reports server



• Network bandwidth and stability: Communication– Collector Manager

> Communicates between data collection node and server> Encrypted and compressed> Local size-bounded caching> Light Weight Collector Manager

» Lower memory usage

» Lower bandwidth usage

» Default with Novell® Sentinel™ Log Manager and Novell Sentinel Rapid Deployment

» Optional with Novell Sentinel 6.1



• Network bandwidth and stability: Communication– Sentinel Link

> Used to scale Novell® Sentinel™ servers> Communicates between servers> Encrypted and compressed> Local size-bounded caching> Configurable bandwidth utilization volume and schedule> 500 eps per Sentinel Link Connection

» 7 Sentinel Link connections at maximum eps per Collector Manager

» Each connection paired with its own collector

> Capable of 500 connections per Sentinel Link event source server at lower eps

Example Architectures


Small Scale Single Site

• Environment

– 100 devices to monitor

> 50 Windows Event Logs

> 50 SUSE Enterprise Linux syslogs

– 200 events per second aggregate event rate

> 100 eps from Windows Event Logs

> 100 eps from SUSE® Enterprise Linux syslogs

– One geographic location


Small Scale Single Site

• Requirements

– Easy install

– Store events for a long time

– Searching and Reporting

– Low-touch administration

– 10 correlation rules (advanced)


Small Scale Single Site – Architectures• Servers

– For long term data storage or basic data collection and reporting> A single instance of 500 eps Novell® Sentinel™ Log Manager

– (optional) For advanced reporting, detection, integration, and more...

> A single instance of Novell Sentinel Rapid Deployment

» Or use Novell Sentinel 6.1 to meet database and operating system organizational constraints

> A single instance of Sentinel Link to forward data from Novell Sentinel Log Manager to Novell Sentinel Rapid Deployment


Small Scale Single Site – Architectures• A single instance of Windows Collector Manager

– A single instance of the Windows (WMS) connector and collector

– A single instance of Syslog event source server and SUSE Enterprise Linux collector


Small Scale Single Site – Architectures


Large Scale Multi-Site

• Environment– 20000 devices to monitor

> 14000 Windows Event Logs> 5000 SUSE® Enterprise Linux syslogs> 500 Bluecoat log files> 500 Oracle databases

– 8000 events per second aggregate event rate> 3000 eps of Windows Event Logs> 4000 eps of SUSE Enterprise Linux syslogs> 500 eps of Bluecoat log files> 500 eps of Oracle databases



• Environment

– Many geographic locations

> 10 Nations

» 2000 devices per region

» 800 eps per region

» Device types evenly distributed

> 3 Regions

> 1 global headquarters



• Requirements– Same as small scale site plus...– 20 correlation rules at each region– 50 correlation rules at global level– Scalable installation– Archiving– Low Internet bandwidth utilization between sites– Fault tolerance

> Network loss resilience> High Availability> Disaster Recovery

– Managed Security Service Provider


Large Scale Multi-Site – Architecture

• Server

– Multiple instances of Novell® Sentinel™ Log Manager

> 10 at national level, 2500 eps each

» Sentinel Link in each nation to forward data to regional center

– Multiple instances of Novell Sentinel 6.1 or Novell Sentinel Rapid Deployment

> 3 at regional level

» Each region filters down to total of 800 eps before forwarding

> 1 at global level


Large Scale Single Site – Architecture

• Data Collection– Syslog collection directly by Novell® Sentinel™ Log

Manager server> 1 syslog event source server per server

» 400 eps each nation / 2000 eps max = less then 1 event source server

» 500 devices / 500 devices max = 1 event source server

> 1 SUSE Enterprise Linux collector each» 400 eps each nation / 1000 eps max = less than one collector

– 20 Collector Managers dedicated to Windows Event Log> 2 per nation

» 300 eps / 50 eps max = 6 WMS connectors

» 6 WMS connectors / 3 connector max = 2 Collector Managers



• Data Collection

– 10 Collector Managers dedicated to Bluecoat and Oracle

> 1 per nation

> 50 file connector instances per nation

> 50 database connector instances per nation

> 100 eps per nation

» 100 eps total / 600 eps per instance = less than 1

» Each connector instance will have very low utilization



• Correlation

– 6 instances of correlation engine

» 1 per region

~ Each included with server

» 3 at global level

~ 50 rules / 20 rules per engine = approx. 3 engines

~ One included with server and two additional



• Fault Tolerance– Regional Novell® Sentinel™ instance

– Distributed Collector Managers (local caching)

– Sentinel Link (local caching)

– High Availability> Clustering: SUSE High Availability Extension

> Duplication for High Availability failover nodes

– Disaster Recovery> Regular complete backups to offset data center

> Complete data center duplication



• Managed Security Service Provider

– Multi-tenancy using MSSPCustomerName event field

> Segregates correlation, event views, reporting data




Retail Chain

• Environment– 1000s of stores; each has 10s of devices– Similar environment at each store– Small event volume at each store but large aggregate volume

• Requirements– Same as Large Scale Multi-Site plus...– Easy “boiler-plate” install at each store– Store all events at each store– Forward important events to regional/headquarters– Centralized Management


Retail Chain – Sentinel Architecture

• Novell® Sentinel™ Log Manager, Novell Sentinel 6.1, or Novell Sentinel Rapid Deployment at each store

– Handles temporary store disconnects– Sentinel Link

> Locally store all events> Forward important events with bandwidth usage limits

– Pre-built virtual machines copied to each store> Run a script at each store hook it into the system

• Hierarchical aggregation, correlation, and analysis points

– Local, regional, and global

Tips


Tips: Planning

• Create a device list

– Vendor, product, version

– Number and data rate (events per second)

• Evaluate environmental complexity

– Distributed Networks

– Firewalls, NATs, ports to open

– Reused IP Ranges

– Authentication and Administrative Domains


Tips: Choosing Hardware

• Choose adequate hardware– Data Collection (CPU)

– Database (CPU and GB)

– Correlation (CPU)

• Hardware Recommendation Links– Sentinel Log Manager

– Sentinel Rapid Deployment

– Sentinel 6.1

http://www.novell.com/documentation/novelllogmanager10/log_manager_install/data/bgpqzh2.html

http://www.novell.com/documentation/sentinel61rd/s61rd_install/data/bjxvbe6.html

http://www.novell.com/documentation/sentinel61/s61_install/?page=/documentation/sentinel61/s61_install/data/bgmq7g2.html


Tips: Implementation

• Assemble the right team– Oracle or Microsoft SQL Server DBA– Device Administrators– Network Administrators– Novell Services and Partners– Internal Auditor (for testing)

• Review installation prerequisites• Achieve adequate performance

– Collector load balancing– RAID 10

• Time synchronization

Question and Answer

Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

How to Architect a Novell Sentinel Implementation

Documents

large scale multi

average byte size

basic data collection

high availability

bounded caching

collector manager

data collection

forward data