Novell SENTINEL RAPID DEPLOYMENT Installation Guide
Novell®
www.novell.com
Installation Guide
SentinelTM Rapid Deployment
novdocx (en) 17 September 2009
AUTHORIZED DOCUMENTATION
6.1
December 2009
Sentinel 6.1 Rapid Deployment Installation Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information
on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
novdocx (en) 17 September 2009
Copyright © 1999-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (en) 17 September 2009
novdocx (en) 17 September 2009
4 Sentinel 6.1 Rapid Deployment Installation Guide
Contents
About This Guide 9
1 Introduction 11
1.1 Sentinel Rapid Deployment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Sentinel Rapid Deployment User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.2.1 Sentinel Rapid Deployment Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.2 Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.3 Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.4 Sentinel Solution Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.5 Sentinel Plug-in SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.2.6 Sentinel Collector Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3 Sentinel Server Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.1 Data Access Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.2 Message Bus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.3 Sentinel Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.4 Sentinel Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.5 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.6 iTRAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.7 Sentinel Advisor and Exploit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.8 Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.4 Sentinel Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.4.1 Collectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.4.2 Connectors and Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.3 Correlation Rules and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.4 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.5 iTRAC Workflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.6 Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.5 Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
novdocx (en) 17 September 2009
2 What’s New in Sentinel 6.1 Rapid Deployment 19
2.1 New and Updated Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Comparing Sentinel 6.1 and Sentinel 6.1 Rapid Deployment Features and Capabilities . . . . 19
3 Sentinel 6.1 Rapid Deployment System Requirements 23
3.1 Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Supported Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.4 Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4 Installing Sentinel 6.1 Rapid Deployment 27
4.1 Installer Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.1.1 Server Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.1.2 Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.2 Sentinel 6.1 Rapid Deployment Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3 Port Numbers for Sentinel 6.1 Rapid Deployment Client Components . . . . . . . . . . . . . . . . . . 29
4.4 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Contents 5
4.4.1 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.2 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.3 Advisor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5 Installing the Sentinel 6.1 Rapid Deployment Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5.1 Single Script Installation with Root Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5.2 Non-Root Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.6 Installing the Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.6.1 Accessing Novell Sentinel 6.1 Rapid Deployment Web Interface . . . . . . . . . . . . . . . 34
4.6.2 Installing the Sentinel Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.6.3 Installing the Sentinel Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.7 Manually Starting and Stopping the Sentinel Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.8 Post-Installation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.8.1 Configuring an SMTP Integrator to Send Sentinel Notifications . . . . . . . . . . . . . . . . 40
4.8.2 Collector Manager Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.8.3 Managing Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.9 LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.9.1 Configuring the Sentinel 6.1 Rapid Deployment Server for LDAP Authentication . . . 42
4.9.2 Configuring LDAP Failover Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.9.3 LDAP Authentication without Performing Anonymous Searches . . . . . . . . . . . . . . . 47
4.9.4 Migrating LDAP Users from Sentinel 6.1 Rapid Deployment Hotfix 2 to Sentinel 6.1
Rapid Deployment SP1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.10 Updating the License Key from an Evaluation Key to a Production Key . . . . . . . . . . . . . . . . . 48
novdocx (en) 17 September 2009
5 Security Considerations for Sentinel 6.1 Rapid Deployment 49
5.1 Securing Communication Across the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.1.1 Communication between Sentinel Server Processes . . . . . . . . . . . . . . . . . . . . . . . . 49
5.1.2 Communication between the Sentinel Server and the Sentinel Client Applications . 50
5.1.3 Communication between the Server and the Database . . . . . . . . . . . . . . . . . . . . . . 50
5.1.4 Communication between the Collector Managers and Event Sources . . . . . . . . . . . 51
5.1.5 Communication with the Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1.6 Communication between the Database and Other Clients . . . . . . . . . . . . . . . . . . . . 51
5.2 Securing Users and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2.1 Operating System Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2.2 Sentinel Application and Database Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
5.3 Securing Sentinel Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.4 Backing Up Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.5 Securing the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.6 Auditing Sentinel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.7 Generating an SSL Certificate for the Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6 Advisor Configuration 59
6.1 Advisor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2 Installing Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2.1 Updating Advisor Data in a Secured Environment . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.3 Maintaining Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
7 Testing the Sentinel 6.1 Rapid Deployment Installation 61
7.1 Testing the Rapid Deployment Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
7.2 Cleaning Up after Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6 Sentinel 6.1 Rapid Deployment Installation Guide
8 Uninstalling Sentinel 6.1 Rapid Deployment 73
8.1 Uninstalling the Sentinel 6.1 Rapid Deployment Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
8.2 Uninstalling the Remote Collector Manager and Sentinel Client Applications . . . . . . . . . . . . . 74
8.2.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
8.2.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
8.2.3 Post-Uninstallation Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
A Updating the Sentinel 6.1 Rapid Deployment Hostname 77
A.1 Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
A.2 Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
B Troubleshooting Tips 79
B.1 Database Authentication Fails on Entering Invalid Credentials . . . . . . . . . . . . . . . . . . . . . . . . 79
B.2 Sentinel Web Interface Does Not Start Up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
B.3 Remote Collector Manager Throws Exception on Windows 2008 When UAC is Enabled . . . 80
C Manually Configuring Sentinel 6.1 Rapid Deployment Server for LDAP
Authentication 81
novdocx (en) 17 September 2009
D Documentation Updates 83
D.1 December 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
D.2 August 2009. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Contents 7
novdocx (en) 17 September 2009
8 Sentinel 6.1 Rapid Deployment Installation Guide
About This Guide
SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it, and presents it to you so you
can make threat, risk, and policy related decisions.
®
Sentinel Rapid Deployment is a simplified version of Novell
PostgreSQL*, activeMQ*, and JasperReports* components. The following sections help you
understand and install the major components of the Sentinel Rapid Deployment system.
Chapter 1, “Introduction,” on page 11
Chapter 2, “What’s New in Sentinel 6.1 Rapid Deployment,” on page 19
Chapter 3, “Sentinel 6.1 Rapid Deployment System Requirements,” on page 23
Chapter 4, “Installing Sentinel 6.1 Rapid Deployment,” on page 27
Chapter 5, “Security Considerations for Sentinel 6.1 Rapid Deployment,” on page 49
Chapter 6, “Advisor Configuration,” on page 59
Chapter 7, “Testing the Sentinel 6.1 Rapid Deployment Installation,” on page 61
Sentinel that leverages open source
novdocx (en) 17 September 2009
Chapter 8, “Uninstalling Sentinel 6.1 Rapid Deployment,” on page 73
Appendix A, “Updating the Sentinel 6.1 Rapid Deployment Hostname,” on page 77
Appendix B, “Troubleshooting Tips,” on page 79
Appendix C, “Manually Configuring Sentinel 6.1 Rapid Deployment Server for LDAP
Authentication,” on page 81
Appendix D, “Documentation Updates,” on page 83
Audience
This documentation is intended for Information Security Professionals.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation and enter your comments there.
Additional Documentation
Sentinel technical documentation is broken down into several different volumes. They are:
Novell Sentinel 6.1 RD Installation Guide (http://www.novell.com/documentation/
sentinel61rd/s61rd_install/data/index.html)
Novell Sentinel 6.1 RD User Guide (http://www.novell.com/documentation/sentinel61rd/
s61rd_user/data/index.html)
Novell Sentinel 6.1 RD Reference Guide (http://www.novell.com/documentation/sentinel61rd/
s61rd_reference/data/index.html)
About This Guide 9
Sentinel 6.1 Install Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_installation_guide.pdf)
Sentinel 6.1 User Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_user_guide.pdf)
Sentinel 6.1 Reference Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_reference_guide.pdf)
Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel)
The Sentinel SDK site provides the details about developing collectors (proprietary or
JavaScript) and JavaScript correlation actions.
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
within a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single path name can be written with a backslash for some platforms or a forward slash for
other platforms, the path name is presented with forward slashes to reflect the Linux* convention.
®
Users of platforms that require a backslash, such as NetWare
, should use backlashes as required by
your software.
novdocx (en) 17 September 2009
Contacting Novell
Novell Website (http://www.novell.com)
Novell Technical Support (http://support.novell.com/
phone.html?sourceidint=suplnav4_phonesup)
Novell Self Support (http://support.novell.com/
support_options.html?sourceidint=suplnav_supportprog)
Patch Download Site (http://download.novell.com/index.jsp)
Novell 24x7 Support (http://www.novell.com/company/contact.html)
Sentinel TIDS (http://support.novell.com/products/sentinel)
10 Sentinel 6.1 Rapid Deployment Installation Guide
1
Introduction
SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it, and presents it to you so you
can make threat, risk, and policy-related decisions.
®
The following sections describe the installation and configuration of Novell
Deployment. The Sentinel 6.1 Rapid Deployment User Guide has more detailed architecture,
operation, and administrative procedures.
Section 1.1, “Sentinel Rapid Deployment Overview,” on page 11
Section 1.2, “Sentinel Rapid Deployment User Interfaces,” on page 12
Section 1.3, “Sentinel Server Components,” on page 14
Section 1.4, “Sentinel Plug-Ins,” on page 16
Section 1.5, “Language Support,” on page 17
SentinelTM 6.1 Rapid
novdocx (en) 17 September 2009
1
1.1 Sentinel Rapid Deployment Overview
Sentinel automates log collection, analysis, and reporting processes to ensure that IT controls are
effective in supporting threat detection and audit requirements. Sentinel replaces labor-intensive
manual processes with automated, continuous monitoring of security and compliance events and IT
controls.
Sentinel gathers and correlates security and non-security information from across the networked
infrastructure of an organization, as well as the third-party systems, devices, and applications.
Sentinel presents the collected data in a GUI, identifies security or compliance issues, and tracks
remedial activities to streamline the error-prone processes and build a more rigorous and secure
management program.
Automated incident response management enables you to document and formalize the process of
tracking, escalating, and responding to incidents and policy violations, and provides two-way
integration with trouble-ticketing systems. Sentinel enables you to react promptly and resolve
incidents efficiently.
Solution Packs are a simple way to distribute and import Sentinel correlation rules, dynamic lists,
maps, reports, and iTRAC
specific regulatory requirements, such as the Payment Card Industry Data Security Standard, or they
can be related to a specific data source, such as user authentication events for a database.
With Sentinel Rapid Deployment, you get:
Integrated, automated real-time security management and compliance monitoring across all
systems and networks
TM
workflows into controls. These controls can be designed to meet
A framework that enables business policies to drive IT policy and action
Automatic documenting and reporting of security, systems, and access events across the
enterprise
Introduction
11
Built-in incident management and remediation
The ability to demonstrate and monitor compliance with internal policies and government
regulations such as Sarbanes-Oxley, HIPAA, GLBA, FISMA, and others. The content required
to implement these controls is distributed and implemented through Solution Packs
The following is an illustration of the conceptual architecture of Sentinel 6.1 Rapid Deployment,
which shows the components involved in performing security and compliance management.
Figure 1-1 Conceptual Architecture of Sentinel
novdocx (en) 17 September 2009
1.2 Sentinel Rapid Deployment User Interfaces
Sentinel includes the following easy-to-use user interfaces:
Sentinel Rapid Deployment Web Interface
Sentinel Control Center
Sentinel Data Manager
Sentinel Solution Designer
Sentinel Plug-in SDK
Sentinel Collector Builder
12 Sentinel 6.1 Rapid Deployment Installation Guide
1.2.1 Sentinel Rapid Deployment Web Interface
With the Novell Sentinel Rapid Deployment Web interface, you can manage and search Reports and
launch the Sentinel Control Center, the Sentinel Data Manager, and the Solution Designer. You can
also download the Collector Manager installer and the Client installer from the Application tab of
the Sentinel 6.1 Rapid Deployment Web interface.
Fore more information, see “Managing Sentinel 6.1 Rapid Deployment Through the Web Interface”
in the Sentinel 6.1 Rapid Deployment User Guide.
1.2.2 Sentinel Control Center
The Sentinel Control Center (SCC) provides an integrated security management dashboard that
enables analysts to quickly identify new trends or attacks, manipulate and interact with real-time
graphical information, and respond to incidents.
You can launch the SCC either as a client application or by using Java* Webstart.
Key features of the Sentinel Control Center include:
novdocx (en) 17 September 2009
Active Views: Real-time analytics and visualization
Analysis: Runs and saves offline queries
Incidents: Incident creation and management
Correlation: Correlation rules definition and management
iTRAC: Process management for documenting, enforcing, and tracking incident resolution
processes
Event Source Management: Collector deployment and monitoring
Solution Manager: Install, implement, and test the Solution pack contents
Fore more information, see “Sentinel Control Center” in the Sentinel 6.1 Rapid Deployment User
Guide.
1.2.3 Sentinel Data Manager
The Sentinel Data Manager allows you to manage the Sentinel database. You can perform the
following operations in the Sentinel Data Manager:
Monitor database space utilization
View and manage database partitions
Manage database archives
Import archived data back into the database
Fore more information, see “Sentinel Data Manager” in the Sentinel 6.1 Rapid Deployment User
Guide.
1.2.4 Sentinel Solution Designer
The Sentinel Solution Designer is used to create and modify Solution Packs, which are packaged
sets of Sentinel content, such as correlation rules, actions, iTRAC worflows, and reports.
Introduction 13
Sentinel content is the extended functionality of the Sentinel system. It includes Sentinel plug-ins,
Sentinel Actions, Integrators, and Sentinel plug-ins such as Collectors, Connectors, and Solution
Packs that might include multiple other types of plug-ins.These modular components are used to
integrate with third-party systems, install a complete control-based security solution, and provide
automated remediation for detected incidents.
Fore more information, see “Solution Designer” in the Sentinel 6.1 Rapid Deployment User Guide.
1.2.5 Sentinel Plug-in SDK
The Sentinel Plug-in SDK includes libraries and code developed by the Novell Engineering, as well
as the template and sample code which you can use to begin developing your own projects. For
more information, see Sentinel SDK (http://developer.novell.com/wiki/
index.php?title=Develop_to_Sentinel#Sentinel_Plug-in_SDK).
1.2.6 Sentinel Collector Builder
The Sentinel Collector Builder enables you to build Collectors in the Sentinel proprietary, legacy
language to process events. You can create and customize the templates so that the Collector can
parse the data. For more information on developing your own Collectors, see Developing Sentinel
Collector Plug-ins (http://developer.novell.com/wiki/index.php/Collectors).
novdocx (en) 17 September 2009
1.3 Sentinel Server Components
Sentinel is made up of the following components:
Section 1.3.1, “Data Access Service,” on page 14
Section 1.3.2, “Message Bus,” on page 15
Section 1.3.3, “Sentinel Database,” on page 15
Section 1.3.4, “Sentinel Collector Manager,” on page 15
Section 1.3.5, “Correlation Engine,” on page 15
Section 1.3.6, “iTRAC,” on page 15
Section 1.3.7, “Sentinel Advisor and Exploit Detection,” on page 15
Section 1.3.8, “Web Server,” on page 16
1.3.1 Data Access Service
The Sentinel Data Access Service is the primary component used to communicate with the Sentinel
database. The Data Access Server and other server components work together to store events
received from the Collector Managers into the database, filter data, process Active Views
perform database queries and process results, and manage administrative tasks such as user
authentication and authorization. For more information, see “Sentinel 6.1 Rapid Deployment Data
Access Service” in the Sentinel 6.1 Rapid Deployment Reference Guide.
TM
displays,
14 Sentinel 6.1 Rapid Deployment Installation Guide
1.3.2 Message Bus
Sentinel 6.1 Rapid Deployment uses the open source message broker named Apache*Active MQ.
The message bus is capable of moving thousands of message packets in a second between the
components of Sentinel. Its architecture is built around the Java Message Oriented Middleware
(JMOM) that supports asynchronous calls between the client and server applications. Message
queues provide temporary storage when the destination program is busy or not connected. For more
information, see “Communication Server” in the Sentinel 6.1 Rapid Deployment User Guide.
1.3.3 Sentinel Database
The Sentinel product is built around a back-end database that stores security events and all of the
Sentinel metadata. Sentinel 6.1 Rapid Deployment supports PostgreSQL. The events are stored in
normalized form, along with asset and vulnerability data, identity information, incident and
workflow status, and many other types of data. For more information, see “Sentinel Data Manager”
in the Sentinel 6.1 Rapid Deployment User Guide.
1.3.4 Sentinel Collector Manager
novdocx (en) 17 September 2009
The Sentinel Collector Manager manages data collection, monitors system status messages, and
performs event filtering as needed. The main functions of the Collector Manager include
transforming events, adding business relevance to events through taxonomy, performing global
filtering on events, routing events, and sending health messages to the Sentinel server. The Sentinel
Collector Manager directly connects to the message bus. For more information, see “Collectors” in
the Sentinel 6.1 Rapid Deployment User Guide.
1.3.5 Correlation Engine
Correlation adds intelligence to security event management by automating analysis of the incoming
event stream to find patterns of interest. Correlation allows you to define rules that identify critical
threats and complex attack patterns so that you can prioritize events and initiate effective incident
management and response. For more information, see “Correlation Tab” in the Sentinel 6.1 Rapid
Deployment User Guide.
1.3.6 iTRAC
Sentinel provides an iTRAC™ workflow management system to define and automate processes for
incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually,
can be associated with an iTRAC workflow. For more information, see “iTRAC Workflows” in the
Sentinel 6.1 Rapid Deployment User Guide.
1.3.7 Sentinel Advisor and Exploit Detection
Sentinel Advisor is an optional data subscription service that includes known attacks,
vulnerabilities, and remediation information. This data, combined with known vulnerabilities and
real-time intrusion detection or prevention information from your environment, provide proactive
exploit detection and the ability to immediately act when an attack takes place against a vulnerable
system.
Introduction 15
An Advisor data snapshot is installed by default with Sentinel 6.1 Rapid Deployment installation.
You need an Advisor license to subscribe to the ongoing Advisor data updates.
1.3.8 Web Server
Sentinel 6.1 Rapid Deployment uses Apache* Tomcat as its Web server to allow secure connection
to the Sentinel Rapid Deployment Web interface.
1.4 Sentinel Plug-Ins
Sentinel supports a variety of plug-ins to expand and enhance system functionality. Some of these
plugins are pre-installed. Additional plugins (and updates) are available for download at Sentinel
Content Page (http://support.novell.com/products/sentinel/sentinel61rd.html).
Some plugins, such as the Remedy* Integrator, the IBM* Mainframe Connector, and the Connector
for SAP* XAL, require an additional license for download.
Section 1.4.1, “Collectors,” on page 16
Section 1.4.2, “Connectors and Integrators,” on page 17
Section 1.4.3, “Correlation Rules and Actions,” on page 17
Section 1.4.4, “Reports,” on page 17
novdocx (en) 17 September 2009
Section 1.4.5, “iTRAC Workflows,” on page 17
Section 1.4.6, “Solution Packs,” on page 17
1.4.1 Collectors
Sentinel collects data from source devices and delivers a richer event stream by injecting taxonomy,
exploit detection, and business relevance into the data stream before events are correlated and
analyzed and sent to the database. A richer event stream means that data is correlated with the
required business context to identify and remediate internal or external threats and policy violations.
Sentinel Collectors can parse data from the types of devices listed below and more:
Intrusion Detection Systems (host)
Intrusion Detection Systems (network)
Firewalls
Operating Systems
Policy Monitoring
Authentication
Routers and Switches
VPNs
Anti-Virus Detection Systems
Web Servers
Databases
Mainframe
Vulnerability Assessment Systems
Directory Services
Network Management Systems
Proprietary Systems
JavaScript Collectors can be written by using the standard JavaScript development tools and the
Collector SDK. Proprietary (or Legacy) Collectors can be built or modified by using the Sentinel
Collector Builder, which is, a standalone application included with the Sentinel system. For more
information, see Section 1.2.6, “Sentinel Collector Builder,” on page 14.
16 Sentinel 6.1 Rapid Deployment Installation Guide
1.4.2 Connectors and Integrators
Connectors provide connectivity from the Collector Manager to event sources through standard
protocols such as JDBC* and syslog. Events are passed from the Connector to the Collector for
parsing.
Integrators enable remediation actions on systems outside of Sentinel. For example, a correlation
action can use the SOAP Integrator to initiate a Novell Identity Manager™ workflow.
The optional Remedy AR Integrator provides the ability to create a Remedy ticket from Sentinel
events or incidents. For more information, see “Action Manager and Integrator” in the Sentinel 6.1
Rapid Deployment User Guide.
1.4.3 Correlation Rules and Actions
Correlation rules identify important patterns in the event stream. When a correlation rule triggers, it
initiates correlation actions, such as sending e-mail notifications, initiating an iTRAC workflow, or
executing an action using an Integrator. For more information, see “Correlation Tab” in the Sentinel
6.1 Rapid Deployment User Guide.
novdocx (en) 17 September 2009
1.4.4 Reports
You can run a wide variety of dashboard and operational reports from the Sentinel 6.1 Rapid
Deployment Web interface by using JasperReports. The reports are typically distributed via Solution
Packs.
1.4.5 iTRAC Workflows
iTRAC workflows provide consistent, repeatable processes for managing incidents. The workflow
templates are typically distributed via Solution Packs. iTRAC is shipped with a set of default
templates that you can modify to suit your requirement. For more information, see “iTRAC
Workflows” in the Sentinel 6.1 Rapid Deployment User Guide.
1.4.6 Solution Packs
Solution Packs are packaged sets of related Sentinel content, such as correlation rules, actions,
iTRAC workflows, and reports. Novell also creates Collector packs, which include content focused
on a specific event source, such as Windows* Active Directory*. For more information, see
“Solution Packs ” in the Sentinel 6.1 Rapid Deployment User Guide.
1.5 Language Support
Sentinel components are available in the following languages:
Czech
English
French
German
Italian
Introduction 17
Japanese
Dutch
Polish
Portuguese
Simplified Chinese
Spanish
Traditional Chinese
novdocx (en) 17 September 2009
18 Sentinel 6.1 Rapid Deployment Installation Guide
2
What’s New in Sentinel 6.1 Rapid
novdocx (en) 17 September 2009
Deployment
Novell® SentinelTM 6.1 Rapid Deployment is a simplified alternate platform for the Sentinel 6.1
application that you can install on a single machine. Sentinel 6.1 Rapid Deployment features an
easy-to-install SIEM solution that leverages open source components, including a PostgreSQL
database and JasperReports. It has many new capabilities, such as reporting and searching
functionalities through the Web interface.
Section 2.1, “New and Updated Features,” on page 19
Section 2.2, “Comparing Sentinel 6.1 and Sentinel 6.1 Rapid Deployment Features and
Capabilities,” on page 19
2.1 New and Updated Features
Sentinel 6.1 Rapid Deployment gives you the ability to:
Use Sentinel with an embedded PostgreSQL database.
Use a simplified single-machine server installer.
Use the Web interface for the following:
Accessing the reporting and free-form search functionalities.
2
Running the Sentinel Control Center (SCC), the Solution Designer, and the Sentinel Data
Manager (SDM) clients by using Java Web Start.
Downloading the multiplatform client installer and the Collector Manager.
Use a single multiplatform client installer to install the Sentinel Control Center, the Solution
Designer, and the Sentinel Data Manager.
Use the Collector Manager installer to install additional Collector Managers for a distributed
environment.
Use JasperReports in Solution Packs.
2.2 Comparing Sentinel 6.1 and Sentinel 6.1 Rapid Deployment Features and Capabilities
This section compares the features and capabilities of Novell Sentinel 6.1 Rapid Deployment to
Novell Sentinel 6.1.
Table 2-1 Feature Comparison
Features or Capabilities Sentinel 6.1 Rapid Deployment Sentinel 6.1
Supported Platforms for
Server Installation
SUSE® Linux Enterprise Server Linux, Solaris*, and Windows.
What’s New in Sentinel 6.1 Rapid Deployment
19
Features or Capabilities Sentinel 6.1 Rapid Deployment Sentinel 6.1
novdocx (en) 17 September 2009
Database The major difference between Sentinel
6.1 Rapid Deployment and previous
versions of Sentinel is the introduction of
an embedded Sentinel database, based
on the open source PostgreSQL
database engine. This new database is
installed and configured automatically
during the Sentinel Rapid Deployment
installation, with no need to provide or
manage an external database.
Reporting Sentinel 6.1 Rapid Deployment
introduces a new, streamlined reporting
system to replace Crystal Reports. This
new reporting system is an integral part
of Sentinel and allows users to easily
run pre-defined reports or custom
reports developed using the open
source Jasper reporting engine.
Messaging ActiveMQ SonicMQ*
Installation architecture Installation is simplified. You only need
to provide a Sentinel password, a
database password, and an optional set
of credentials for the Sentinel Advisor
service.
Server components, including the
embedded database, the reporting
engine, a Collector Manager, and a Web
console are all included in the package,
and are installed and configured
automatically on a single machine. This
allows you deploy and begin using the
product very quickly and with a minimum
amount of effort.
Customer-provided MS SQL or
Oracle* database.
Crystal Reports with associated
database is installed separately.
The database is installed
separately by the customer.
Server components can be
installed together or distributed
across multiple machines.
Additional Collector Managers can be
installed as needed.
Web-based application
launch and installation
The Web console used for Sentinel 6.1
Rapid Deployment reporting and full text
search also includes the option to launch
and install the Sentinel client
applications. You can now launch the
Sentinel Control Center, the Sentinel
Solution Designer, and the Sentinel Data
Manager from a Web browser without
the need to install these client
applications locally. The Web console
also includes the option to install the
client applications and the Sentinel
Collector Manager without the need to
manually retrieve the installation
package.
20 Sentinel 6.1 Rapid Deployment Installation Guide
Not supported.
Features or Capabilities Sentinel 6.1 Rapid Deployment Sentinel 6.1
novdocx (en) 17 September 2009
Reporting Reports can be generated, scheduled,
published, and viewed in a browserbased Web interface.
New or updated reports can be
uploaded by using the Web interface or
the Solution Manager.
Search A new Web-based search tool allows
you to quickly search for strings and
patterns within the Sentinel event
database. You can search for text in a
specific Sentinel event field, or across all
fields. Data within the search results is
hyperlinked to narrow down the search
results with a single click. You can also
run the search by using the Sentinel
Control Center.
Communication channel The Collector Manager connects directly
to the message bus.
Reports can be viewed in the
Sentinel Control Center.
Reports can be scheduled in the
Crystal server interface.
New or updated reports can be
uploaded by using the Crystal
server interface or the Solution
Manager.
Event searches can be run in the
Sentinel Control Center.
Collector Manager can connect
directly to the message bus or
use an SSL proxy.
What’s New in Sentinel 6.1 Rapid Deployment 21
novdocx (en) 17 September 2009
22 Sentinel 6.1 Rapid Deployment Installation Guide
3
Sentinel 6.1 Rapid Deployment
novdocx (en) 17 September 2009
System Requirements
For best performance and reliability, you must install the Sentinel components on approved software
and hardware, as listed below, that have been fully quality assured and certified. For the most up-todate information on the minimum requirements, look for updates at the Novell Documentation site
(http://www.novell.com/documentation/sentinel61).
Section 3.1, “Software Requirements,” on page 23
Section 3.2, “Supported Web Browsers,” on page 24
Section 3.3, “Hardware Requirements,” on page 24
Section 3.4, “Virtualization,” on page 26
3.1 Software Requirements
NOTE: Sentinel 6.1 Rapid Deployment is not supported on the Open Enterprise Server® installs of
SLES® 10 SP2.
Table 3-1 Software and Operating System Combinations
3
Platforms Sentinel Server Components
SLES 10 SP2 (64-bit) Certified Certified Certified Not
Windows XP* (32-bit) Not Supported Certified Not
Windows Vista* (32-bit) Not Supported Certified Not
Windows Server* 2003
(32-bit)
Windows Server* 2008
(64-bit)
Not Supported Not
Not Supported Not
Sentinel Client
Applications
Supported
Supported
Collector
Manager
Supported
Supported
Certified Certified
Certified Not
Collector
Builder
Supported
Not
Supported
Certified
Supported
Sentinel 6.1 Rapid Deployment System Requirements
23
novdocx (en) 17 September 2009
Platforms Sentinel Server Components
SLES 10 SP2 (32-bit) Limited Support
NOTE: A demo-only package
of Novell® Sentinel™ Rapid
Deployment is designed for
limited-scale demonstration
and testing environments by
using 32-bit hardware and
operating systems.
Customers or partners with a
contract for Sentinel Rapid
Deployment support can
receive limited support on this
platform from Novell Technical
Support to the extent that the
issues can be reproduced on
the 64-bit production platform.
Due to the inherent limitations
of 32-bit hardware, Novell
Technical Support does not
troubleshoot performance or
scalability issues with the 32-bit
demo version. The 32-bit demo
versions are unsupported in a
production environment.
Sentinel Client
Applications
Limited
Support
Collector
Manager
Certified Limited
Collector
Builder
Support
NOTE: For Sentinel 6.1 Rapid Deployment server, use SLES 10 SP2 (64-bit) OS with ext3 file
system. For more information on file systems, see Overview of File Systems in Linux (http://
www.novell.com/documentation/sles11/stor_admin/data/filesystems.html) in the Storage
Administration Guide.
3.2 Supported Web Browsers
Mozilla* Firefox* 2.0.0.10
Mozilla Firefox 3.x
Internet Explorer* 8.x
3.3 Hardware Requirements
The Sentinel server components run on x86-64 (64-bit) hardware. Sentinel is certified on AMD
Opteron and Intel Xeon hardware. Itanium servers are not supported.
This section includes some general hardware recommendations for Sentinel system design. In
general, design recommendations are based on event rate ranges. However, these recommendations
are based on the following assumptions:
The event rate is at the high end of the EPS range.
The average event size is 600 bytes.
24 Sentinel 6.1 Rapid Deployment Installation Guide
All events are stored in the database (that is, there are no filters to drop events).
Ninety days worth of data is stored online in the database.
Storage space for Advisor data is not included in the specifications in Table 3-2 on page 25 and
Table 3-3 on page 26.
The Sentinel Server has a default 5 GB of disk space for temporarily caching event data that
fails to be inserted into the database.
The Sentinel Server also has a default 5 GB of disk space for events that fail to be written to
aggregation event files.
NOTE: The Advisor subscription requires an additional 50 GB of disk space on the server.
The hardware recommendations for a Sentinel implementation can vary based on the individual
implementation, so it is recommended that Novell Consulting Services or any of Novell Sentinel
partners be consulted prior to finalizing the Sentinel architecture. The recommendations below can
be used as a guideline.
NOTE: Because of high event loads and local caching, the Sentinel Server is required to have a
local or shared striped disk array (RAID) with a minimum of 4 disk spindles.
novdocx (en) 17 September 2009
Table 3-2 Single Machine Configuration
Components RAM Space CPU
Machine 1: Sentinel 6.1 Rapid Deployment
Server (Maximum EPS - 3200)
Collector Manager (1200 MB)
DAS_Core (1024 MB)
DAS_Binary (512 MB)
16 GB 1 TB,
SAS (15K
rpm) Hard
Disk(s)
Hardware
RAID 10
SLES10 SP2- Dell
PowerEdge 2900,2 x
Quad-Core Intel
E5310 (1.6 GHz) with
Gigabit Ethernet NIC
Correlation Engine (512 MB)
9 General Event Collectors
4 eDirectory Event Sources (generating
250 eps each)
3 Syslog Event Sources (generating 350
eps each)
2 WMS Event Sources (generating 500
eps each)
10 Correlation Rules Deployed
10 unique Active Views
3 simultaneous users
2 Maps Deployed
®
Xeon®
Sentinel 6.1 Rapid Deployment System Requirements 25
Table 3-3 3 Machine Configuration
Components RAM Space CPU
novdocx (en) 17 September 2009
Machine 1: Sentinel 6.1 Rapid Deployment
Server (Maximum EPS - 3750)
Collector Manager (1200 MB)
DAS_Core (1024MB)
DAS_Binary (512MB)
16 GB, 1 TB, SAS
(15K rpm)
Hard
Disk(s)
Hardware
RAID 10
SLES10 SP2- Dell
PowerEdge 2900,2 x QuadCore Intel
(1.6 GHz) with Gigabit
Ethernet NIC
®
Xeon® E5310
Correlation Engine (512 MB)
4 General Event Collectors
4 eDirectory Event Sources (generating
250 eps each)
Machine 2: Collector Manager
Collector Manager/Collectors
Machine 3: Collector Manager
Collector Manager/Collectors
4 GB 300
GB,SATA
(3 Gbit/s)
Hard Disk
4 GB 300
GB,SATA
(3 Gbit/s)
Hard Disk
Windows or Linux - Intel
Core 2 Duo E6750 (2.66
GHz) with Gigabit Ethernet
NIC
Windows or Linux - Intel
Core 2 Duo E6750 (2.66
GHz) with Gigabit Ethernet
NIC
®
®
3.4 Virtualization
Sentinel 6.1 Rapid Deployment has been extensively tested on VMWare ESX Server, and Novell
fully supports Sentinel 6.1 Rapid Deployment in this environment. Performance results in a virtual
environment can be comparable to the results achieved in tests on a physical machine, but the virtual
environment should provide the same memory, CPU, disk space, and I/O as the physical machine
recommendations.
26 Sentinel 6.1 Rapid Deployment Installation Guide
Loading...