Sentinel - Security, Regulatory Compliance and Corporate Governance
Novell Cool Solutions: Feature
By Steven L. Weitzeil
Posted: 3 May 2006
Novell has announced the acquisition of e-Security and its flagship product, Sentinel. More and more customers are concerned about security, regulatory compliance and corporate governance, and Sentinel gives Novell a market-leading product to address those concerns. In this posting I will review the architecture of this exciting addition to Novell's product line ...
The Sentinel architecture is represented in the following diagram:
Figure 1 - Sentinel architecture
Before we go into the details of the architecture, let's talk about the general functionality that Sentinel provides:
- The capturing of events from many types of devices, referential sources, operating systems, and applications.
- The event data is analyzed to determine if predefined conditions have been met. If so, triggers are activated to set other events in motion.
- The event data is recorded for analysis.
- The event data may be displayed on visual displays and/or reports generated for evaluation.
- Workflows may be established to automate and enforce incident identification and resolution processes.
Now let's discuss how all this happens. Seven architectural areas make it possible: 1) External Event Sources, 2) iScale Message Bus, 3) Correlation Engine, 4) Sentinel Control Center, 5) Collector Manager, 6) iTrac, and 7) Sentinel Repository.
External Event Sources
Figure 2 - Event data capture
The diagram above shows four key areas from which Sentinel may capture event data:
- Security Perimeters - VPNs, firewalls, routers, switches, etc.
- Referential Sources - Identity management, asset management, patch maintenance systems, etc.
- Operating Systems - Mainframes, workstations, servers, laptops, etc.
- Applications - Business applications, database management systems, domain controllers, collaboration systems, etc.
Collectors (Agents) and Collector Manager
Sentinel is able to collect and filter events using collectors (also referred to as agents):
Figure 3 - Collectors
Collectors run either locally on the hardware that generates the events or remotely. A remote collector retrieves event data over SCP or SSH, or receives it through protocols such as SNMP or syslog.
Once events are received, the collector filters them. The majority of events are sent to the Repository for storage and later analysis; other events are sent to the Correlation Engine for evaluation against predefined policies.
The Collectors may enhance the events by adding additional data that helps further identify the event.
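To make the collector's parse, filter, enrich and route stages concrete, here is an added Python example. It is not Sentinel's own collector code and the message formats, filter policy and routing rule are illustrative assumptions. It runs over a few constructed syslog lines, drops lines that do not parse or that the filter policy treats as noise, classifies SSH authentication messages, attaches asset data from a constructed lookup table standing in for a referential source such as an asset-management system, and routes every kept event to the repository while additionally forwarding authentication events to the correlation engine.

```python
import re

# Constructed sample syslog lines (RFC 3164 style); not captured from a real system.
SAMPLE_SYSLOG = [
    "<38>May  3 10:15:01 fw01 sshd[2214]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "<38>May  3 10:15:03 fw01 sshd[2214]: Accepted publickey for deploy from 198.51.100.20 port 40110 ssh2",
    "<30>May  3 10:15:04 web01 cron[811]: (www-data) CMD (/usr/bin/logrotate)",
    "<38>May  3 10:15:05 web01 sshd[900]: Failed password for admin from 203.0.113.9 port 51030 ssh2",
    "this line is not syslog at all",
]

# Constructed referential data standing in for an asset-management lookup (assumed).
ASSET_DB = {
    "fw01": {"owner": "netops", "criticality": "high", "zone": "perimeter"},
    "web01": {"owner": "webteam", "criticality": "medium", "zone": "dmz"},
}

# Processes whose events this collector's (assumed) filter policy treats as noise.
NOISE_PROCESSES = {"cron"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_syslog(line):
    """Parse one RFC 3164 line into a flat event dict, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "message": m.group("msg"),
        "raw": line,
    }


def normalize(ev):
    """Classify the message and pull out the fields correlation rules key on."""
    for event_type, pattern in (("auth_failure", FAILED_RE), ("auth_success", ACCEPTED_RE)):
        m = pattern.search(ev["message"])
        if m:
            ev.update(event_type=event_type, user=m.group("user"), src_ip=m.group("src"))
            return ev
    ev["event_type"] = "other"
    return ev


def enrich(ev):
    """Attach referential data about the reporting host so analysts see owner and criticality."""
    unknown = {"owner": "unknown", "criticality": "unknown", "zone": "unknown"}
    ev["asset"] = ASSET_DB.get(ev["host"], unknown)
    return ev


def route(ev):
    """Everything kept is stored; authentication events are also sent for correlation."""
    dests = ["repository"]
    if ev["event_type"].startswith("auth_"):
        dests.append("correlation")
    return dests


def run_collector(lines):
    """Process raw lines and return what went where, plus counts of what was dropped."""
    out = {"repository": [], "correlation": [], "dropped": {"unparseable": 0, "filtered": 0}}
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            out["dropped"]["unparseable"] += 1
            continue
        if ev["process"] in NOISE_PROCESSES:
            out["dropped"]["filtered"] += 1
            continue
        ev = enrich(normalize(ev))
        for dest in route(ev):
            out[dest].append(ev)
    return out


if __name__ == "__main__":
    result = run_collector(SAMPLE_SYSLOG)
    print("dropped:", result["dropped"])
    for ev in result["correlation"]:
        print(ev["event_type"], ev["host"], ev["asset"]["criticality"], ev.get("src_ip"))
```

Because the same event object is appended to both destinations, the asset data added by `enrich` travels with the event wherever it is routed, which is the point of enriching at the collector rather than downstream.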
The iScale Message Bus
Communication between Sentinel components is achieved via the iScale Message Bus (based on the Sonic JMS bus architecture).
Figure 4 - iScale Message Bus
This bus enables easy integration with other products capable of message bus communication (e.g., Novell's Identity Manager product has a JMS driver that enables it to interface with this bus).
Correlator
The Correlator is responsible for taking Sentinel policies and determining whether received events meet the criteria defined in those policies.
Figure 5 - Correlator
If the event does meet the criteria, then a new event is generated and sent to the message bus. This enables other components (e.g., iTrac) or applications to receive the event and act accordingly.
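The following is an added Python example, not Sentinel's own correlation engine, showing the policy-evaluation step described above: a sliding-window threshold rule counts authentication failures per source address and, when five arrive within 60 seconds, publishes one new correlated event onto a bus (here an in-memory list standing in for iScale) for other components to consume. The input events are constructed in the shape a collector might emit; the rule name, threshold and window are illustrative choices, and the rule assumes events arrive in time order, which the correlator enforces by sorting each batch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE = datetime(2006, 5, 3, 10, 15, 0, tzinfo=timezone.utc)


def at(seconds):
    """Timestamp `seconds` after BASE; used only to build the constructed sample."""
    return BASE + timedelta(seconds=seconds)


# Constructed, already-normalized events in the shape a collector might publish.
SAMPLE_EVENTS = [
    {"ts": at(1),   "event_type": "auth_failure", "src_ip": "203.0.113.9",   "user": "root",   "host": "fw01"},
    {"ts": at(5),   "event_type": "auth_failure", "src_ip": "203.0.113.9",   "user": "admin",  "host": "fw01"},
    {"ts": at(8),   "event_type": "auth_failure", "src_ip": "198.51.100.7",  "user": "bob",    "host": "web01"},
    {"ts": at(9),   "event_type": "auth_failure", "src_ip": "203.0.113.9",   "user": "oracle", "host": "web01"},
    {"ts": at(12),  "event_type": "auth_success", "src_ip": "198.51.100.20", "user": "deploy", "host": "fw01"},
    {"ts": at(20),  "event_type": "auth_failure", "src_ip": "203.0.113.9",   "user": "test",   "host": "web01"},
    {"ts": at(31),  "event_type": "auth_failure", "src_ip": "203.0.113.9",   "user": "guest",  "host": "fw01"},
    {"ts": at(33),  "event_type": "auth_failure", "src_ip": "203.0.113.9",   "user": "root",   "host": "fw01"},
    {"ts": at(50),  "event_type": "auth_failure", "src_ip": "198.51.100.7",  "user": "bob",    "host": "web01"},
    {"ts": at(130), "event_type": "auth_failure", "src_ip": "198.51.100.7",  "user": "bob",    "host": "web01"},
    {"ts": at(140), "event_type": "auth_failure", "src_ip": "198.51.100.7",  "user": "bob",    "host": "web01"},
    {"ts": at(150), "event_type": "auth_failure", "src_ip": "198.51.100.7",  "user": "bob",    "host": "web01"},
]


class ThresholdRule:
    """Fire when `threshold` events of `event_type` share the same `key` value within `window`."""

    def __init__(self, name, event_type, key, threshold, window):
        self.name, self.event_type, self.key = name, event_type, key
        self.threshold, self.window = threshold, window
        self.buckets = defaultdict(deque)  # key value -> deque of recent matching events

    def evaluate(self, ev):
        if ev.get("event_type") != self.event_type or ev.get(self.key) is None:
            return None
        q = self.buckets[ev[self.key]]
        q.append(ev)
        cutoff = ev["ts"] - self.window
        while q and q[0]["ts"] < cutoff:  # expire events that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        first, last = q[0], q[-1]
        correlated = {
            "event_type": self.name,
            self.key: ev[self.key],
            "count": len(q),
            "users": sorted({e["user"] for e in q}),
            "hosts": sorted({e["host"] for e in q}),
            "window_start": first["ts"],
            "window_end": last["ts"],
            "span_seconds": int((last["ts"] - first["ts"]).total_seconds()),
        }
        q.clear()  # one correlated event per burst, not one per event past the threshold
        return correlated


class Correlator:
    """Runs every rule over every event and publishes matches onto the bus."""

    def __init__(self, rules):
        self.rules = rules
        self.bus = []  # stands in for the message bus other components subscribe to

    def process(self, events):
        for ev in sorted(events, key=lambda e: e["ts"]):  # rules assume time order
            for rule in self.rules:
                hit = rule.evaluate(ev)
                if hit is not None:
                    self.bus.append(hit)
        return self.bus


def run_correlator(events=SAMPLE_EVENTS):
    rule = ThresholdRule("brute_force_suspected", "auth_failure", "src_ip",
                         threshold=5, window=timedelta(seconds=60))
    return Correlator([rule]).process(events)


if __name__ == "__main__":
    for hit in run_correlator():
        print(hit)
```

Two details matter in practice: the bucket is cleared once the rule fires, so a sustained attack produces one correlated event per burst rather than one per additional failure, and the second source address (198.51.100.7) never trips the rule because its earlier failures age out of the 60-second window before the count reaches five.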
Sentinel Control Center
The Sentinel Control Center is the user interface to the application.
Figure 6 - Sentinel Control Center
This real-time dashboard enables the administrator to monitor events as they are being received.
iTrac
iTrac is a built-in automated incident response and workflow system.
Figure 7 - iTrac
The administrator may configure a specific workflow to be followed when specific events occur. It also provides a two-way integration with external systems.
Sentinel Repository
The event repository is an Oracle or Microsoft SQL Server database that the customer acquires, deploys and manages.
Figure 8 - Sentinel Repository
The amount of data held in the repository depends on the volume and size of the captured events and on how much filtering the Collectors perform before forwarding them.
Sentinel ships with Crystal Reports and a number of predefined report templates. Of course, customers may also produce their own reports and generate SQL queries against the Repository.
It is this architecture that is enabling Novell to quickly integrate its products with Sentinel. The same architecture will also dovetail with the servers, applications and devices our customers already use. We see this as a major step in meeting the needs of our customers.
Showing support for Novell's recent acquisition of e-Security, Chris Christiansen, IDC Vice President of Security Products and Services said, "In the compliance area, customers want converged solutions that encompass system, identity, access and security event management. With the acquisition of e-Security, Novell is the only vendor with the potential to proactively address business needs for a real-time, comprehensive compliance solution that integrates people, systems and processes."
What more needs to be said!
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com