
Sentinel - Security, Regulatory Compliance and Corporate Governance

Novell Cool Solutions: Feature
By Steven L. Weitzeil


Posted: 3 May 2006

See also
http://www.novell.com/coolblogs/?p=211

Novell has announced the acquisition of e-Security and its flagship product, Sentinel. More and more customers are concerned about security, regulatory compliance and corporate governance, and Sentinel gives Novell a market-leading product to address those concerns. In this posting I will review the architecture of this exciting addition to Novell's product line ...

The Sentinel architecture is represented in the following diagram:

Figure 1 - Sentinel architecture

Before we go into the details of the architecture, let's talk about the general functionality that Sentinel provides:

  • Capture of events from many types of devices, referential sources, operating systems, and applications.
  • Analysis of the event data to determine whether predefined conditions have been met; if so, triggers fire to set other events in motion.
  • Recording of the event data for later analysis.
  • Display of the event data on visual dashboards and/or generation of reports for evaluation.
  • Workflows that automate and enforce incident identification and resolution processes.

Now let's discuss how all this happens. Seven architectural areas make it possible: 1) External Event Sources, 2) iScale Message Bus, 3) Correlation Engine, 4) Sentinel Control Center, 5) Collector Manager, 6) iTrac, and 7) Sentinel Repository.

External Event Sources

Figure 2 - Event data capture

The diagram above shows four key areas from which Sentinel may capture event data:

  • Security Perimeters - VPNs, firewalls, routers, switches, etc.
  • Referential Sources - Identity management, asset management, patch maintenance systems, etc.
  • Operating Systems - Main frames, workstations, servers, laptops, etc.
  • Applications - Business application, database management systems, domain controllers, collaboration systems, etc.

Collectors (Agents) and Collector Manager

Sentinel is able to collect and filter events using collectors (also referred to as agents):

Figure 3 - Collectors

Collectors run either locally, on the hardware where the events are generated, or remotely. A remote collector retrieves events over SCP or SSH, or receives them over protocols such as SNMP or syslog.

Once events are received, the collector filters them. The majority of events are sent to the Repository for storage and later analysis; other events are sent to the Correlation Engine for evaluation against predefined policies. The filtering done here directly determines how much data the Repository has to hold.

Collectors may also enrich events with additional data (for example, from the referential sources listed above) that helps further identify the event.

The iScale Message Bus

Communication between Sentinel components is achieved via the iScale Message Bus (based on the Sonic JMS Bus architecture).

Figure 4 - iScale Message Bus

This bus enables easy integration with other products capable of message bus communication (e.g., Novell's Identity Manager product has a JMS driver that lets it interface with this bus).

Correlator

The Correlator is responsible for taking Sentinel policies and determining whether the received events meet the criteria defined in those policies.

Figure 5 - Correlator

If an event does meet the criteria, a new (correlated) event is generated and published to the message bus. This enables other components (e.g., iTrac) or external applications to receive the correlated event and act accordingly.

Control Center

The Sentinel Control Center is the user interface to the application.

Figure 6 - Sentinel Control Center

This real-time dashboard enables the administrator to monitor events as they are being received.

iTrac

iTrac is a built-in automated incident response and workflow system.

Figure 7 - iTrac

The administrator may configure a specific workflow to be followed when specific events occur. iTrac also provides two-way integration with external systems.

Repository

The event repository is an Oracle or Microsoft SQL Server database that is acquired, deployed, and managed by the customer.

Figure 8 - Repository

The amount of data held in the repository depends on the size of the captured events and on the filtering performed by the Collectors.

Reporting

Sentinel ships with Crystal Reports and a number of predefined report templates. Customers may, of course, also produce their own reports and run their own SQL queries against the Repository.

Architectural Dream

It is this architecture that is enabling Novell to integrate its products with Sentinel quickly. The same architecture will also dovetail with the servers, applications and devices used by our customers. We see this as a major step in meeting the needs of our customers.

Showing support for Novell's recent acquisition of e-Security, Chris Christiansen, IDC Vice President of Security Products and Services, said, "In the compliance area, customers want converged solutions that encompass system, identity, access and security event management. With the acquisition of e-Security, Novell is the only vendor with the potential to proactively address business needs for a real-time, comprehensive compliance solution that integrates people, systems and processes."

What more needs to be said!


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell