The various components of Sentinel Log Manager communicate across the network, and there are different types of communication protocols used throughout the system. All of these communication mechanisms affect the security of your system.
Section 2.1.1, Communication between Sentinel Log Manager Processes
Section 2.1.3, Communication between the Server and the Database
Section 2.1.4, Communication between the Collector Managers and Event Sources
Section 2.1.6, Communication between the Database and Other Clients
Section 2.1.7, Communication between Sentinel Log Manager and NFS/CIFS Archive Servers
Sentinel Log Manager processes include the Sentinel Log Manager server, Tomcat, and Collector Manager. They communicate with each other by using ActiveMQ*.
The communication between these server processes is by default over SSL via the ActiveMQ message bus. The processes use SSL by reading the following information in <Install_Directory>/config/configuration.xml:
<jms brokerURL="ssl://localhost:61616?wireFormat.maxInactivityDuration=0&jms.copyMessageOnSend=false" interceptors="compression" keystore="../config/.activemqclientkeystore.jks" keystorePassword="password" password="1fef3bcdd3fbcbc5cd795346a9f04ddc" username="system"/>
The jms strategy shown in this XML snippet defines how the Sentinel Log Manager process connects to the server; it holds the client-side settings of the connection.
Table 2-1 XML Entries in the configuration.xml File
The server-side settings are defined in the Install_Directory/config/activemq.xml file. For instructions on how to edit the activemq.xml file, see the ActiveMQ Web site. However, Novell does not support the modification of the server-side settings.
The Sentinel Log Manager Event Source Management (ESM) client application by default uses SSL communication via the SSL proxy server.
For an architectural representation, see Novell Sentinel Log Manager Architecture in the Sentinel Log Manager 1.0.0.5 Installation Guide.
ESM knows to use SSL by reading the following information in Install_Directory/config/configuration.xml:
<strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory">
  <transport type="ssl">
    <ssl host="164.99.18.132" port="10013" keystore="./novell/sentinel/.proxyClientKeystore" />
  </transport>
</strategy>
The protocol used for communication between the server and the database is defined by a JDBC* driver.
Sentinel Log Manager uses the PostgreSQL* driver (postgresql-version.jdbc3.jar) to connect to the PostgreSQL database, which is a Java (Type IV) implementation. This driver supports encryption for data communication. To download the driver, refer to the PostgreSQL Download Page. To configure the encryption, refer to PostgreSQL Encryption Options.
NOTE: Turning encryption on has a negative impact on system performance, so weigh this security concern against your performance needs. For this reason, database communication is not encrypted by default. The lack of encryption is not a major concern because communication with the database occurs over the localhost network interface.
You can configure Sentinel Log Manager to securely collect data from various event sources. However, whether data collection can be secured depends on the specific protocols supported by the event source. For example, the Check Point LEA, Syslog, and Audit Connectors can be configured to encrypt their communication with event sources.
For more information on the security features that can be enabled, refer to the Connector and event source vendor documentation.
The Web server is by default configured to communicate via HTTPS. For more information, see the Tomcat documentation.
You can configure the PostgreSQL SIEM database to allow connections from any client machine that uses pgAdmin or another third-party application.
To allow pgAdmin to connect from any client machine, add the following line to the Install_Directory/3rdparty/postgresql/data/pg_hba.conf file:
host all all 0.0.0.0/0 md5
If you want to limit the client machines that are allowed to run pgAdmin and connect to the database, specify the IP address of the permitted host in place of 0.0.0.0/0 in the line above. The following line in the pg_hba.conf file tells PostgreSQL to accept connections only from the local machine, so that pgAdmin can be run only on the server:
host all all 127.0.0.1/32 md5
To allow connections from other client machines, you can add additional host entries in the pg_hba.conf file.
To provide maximum security, by default, PostgreSQL only allows connections from the local machine.
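The pg_hba.conf records above are the ones that decide who can reach the SIEM database. The following added example (not part of the Sentinel Log Manager documentation) parses host records in the CIDR form shown on this page, flags the 0.0.0.0/0 entry that admits any client, and builds the single-host replacement line; the 192.0.2.10 address is a constructed placeholder for an administrator workstation.

```python
import ipaddress

# Constructed sample: the two records discussed on this page plus one
# entry for a single administrator workstation (address is made up).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  md5
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      md5
host    all       all   192.0.2.10/32  md5
"""

def parse_host_records(text):
    """Yield (line_no, database, user, network, method) for each host record.

    Assumes the CIDR address form shown on this page; 'local' records use
    the Unix socket, carry no address, and are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        network = ipaddress.ip_network(fields[3], strict=False)
        yield line_no, fields[1], fields[2], network, fields[4]

def audit_pg_hba(text):
    """Return (line_no, severity, reason) for records that widen access.

    0.0.0.0/0 (or ::/0) admits every client and is flagged high; any other
    non-loopback network is reported as informational so it can be reviewed
    against the list of hosts that really need pgAdmin access.
    """
    findings = []
    for line_no, _db, _user, network, method in parse_host_records(text):
        if network.prefixlen == 0:
            findings.append((line_no, "high", "admits any client address"))
        elif not network.is_loopback:
            findings.append((line_no, "info", "allows remote client %s" % network))
        if method == "trust":
            findings.append((line_no, "high", "trust method requires no password"))
    return findings

def restrict_to_host(client_ip):
    """Build the single-host record the page recommends instead of 0.0.0.0/0."""
    host = ipaddress.ip_address(client_ip)
    return "host all all %s/%d md5" % (host, host.max_prefixlen)

if __name__ == "__main__":
    for line_no, severity, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print("line %d [%s]: %s" % (line_no, severity, reason))
    print(restrict_to_host("192.0.2.10"))
```

Run it against a copy of your own pg_hba.conf to see which records reach beyond the local machine before the database is exposed to pgAdmin clients.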
Sentinel Log Manager can be configured to archive event and raw data to a remote CIFS or NFS* server. These protocols do not offer data encryption, so consider the security implications before deciding which type of archive location to use. An alternative is direct attached storage (local or SAN), which does not suffer from the same security vulnerabilities. If you choose to use CIFS or NFS, it is important to configure the CIFS or NFS server properly to maximize the security of your data.
For more information about configuring the archive server settings, see Configuring Archive Server Settings in the Sentinel Log Manager 1.0.0.5 Installation Guide.