Novell SENTINEL RAPID DEPLOYMENT 6.1 - INSTALLATION GUIDE... User manual
Novell®
www.novell.com
novdocx (en) 17 September 2009
AUTHORIZED DOCUMENTATION
Sentinel 6.1 Rapid Deployment Installation Guide
Sentinel
TM
Rapid Deployment
6.1
December 2009
Installation Guide
novdocx (en) 17 September 2009
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information
on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Copyright © 1999-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
novdocx (en) 17 September 2009
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
4Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
Contents 5
Contents
novdocx (en) 17 September 2009
About This Guide 9
1 Introduction 11
1.1 Sentinel Rapid Deployment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Sentinel Rapid Deployment User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.2.1 Sentinel Rapid Deployment Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.2 Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.3 Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.4 Sentinel Solution Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.5 Sentinel Plug-in SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.2.6 Sentinel Collector Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3 Sentinel Server Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.1 Data Access Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.2 Message Bus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.3 Sentinel Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.4 Sentinel Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.5 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.6 iTRAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.7 Sentinel Advisor and Exploit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.3.8 Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.4 Sentinel Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.4.1 Collectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.4.2 Connectors and Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.3 Correlation Rules and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.4 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.5 iTRAC Workflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.6 Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.5 Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2 What’s New in Sentinel 6.1 Rapid Deployment 19
2.1 New and Updated Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Comparing Sentinel 6.1 and Sentinel 6.1 Rapid Deployment Features and Capabilities . . . . 19
3 Sentinel 6.1 Rapid Deployment System Requirements 23
3.1 Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Supported Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.4 Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4 Installing Sentinel 6.1 Rapid Deployment 27
4.1 Installer Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.1.1 Server Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.1.2 Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.2 Sentinel 6.1 Rapid Deployment Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3 Port Numbers for Sentinel 6.1 Rapid Deployment Client Components . . . . . . . . . . . . . . . . . . 29
4.4 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
4.4.1 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.2 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.3 Advisor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5 Installing the Sentinel 6.1 Rapid Deployment Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5.1 Single Script Installation with Root Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5.2 Non-Root Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.6 Installing the Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.6.1 Accessing Novell Sentinel 6.1 Rapid Deployment Web Interface . . . . . . . . . . . . . . . 34
4.6.2 Installing the Sentinel Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.6.3 Installing the Sentinel Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.7 Manually Starting and Stopping the Sentinel Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.8 Post-Installation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.8.1 Configuring an SMTP Integrator to Send Sentinel Notifications . . . . . . . . . . . . . . . . 40
4.8.2 Collector Manager Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.8.3 Managing Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.9 LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.9.1 Configuring the Sentinel 6.1 Rapid Deployment Server for LDAP Authentication . . . 42
4.9.2 Configuring LDAP Failover Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.9.3 LDAP Authentication without Performing Anonymous Searches . . . . . . . . . . . . . . . 47
4.9.4 Migrating LDAP Users from Sentinel 6.1 Rapid Deployment Hotfix 2 to Sentinel 6.1
Rapid Deployment SP1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.10 Updating the License Key from an Evaluation Key to a Production Key . . . . . . . . . . . . . . . . . 48
5 Security Considerations for Sentinel 6.1 Rapid Deployment 49
5.1 Securing Communication Across the Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.1.1 Communication between Sentinel Server Processes . . . . . . . . . . . . . . . . . . . . . . . . 49
5.1.2 Communication between the Sentinel Server and the Sentinel Client Applications . 50
5.1.3 Communication between the Server and the Database . . . . . . . . . . . . . . . . . . . . . . 50
5.1.4 Communication between the Collector Managers and Event Sources . . . . . . . . . . . 51
5.1.5 Communication with the Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1.6 Communication between the Database and Other Clients . . . . . . . . . . . . . . . . . . . . 51
5.2 Securing Users and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2.1 Operating System Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2.2 Sentinel Application and Database Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
5.3 Securing Sentinel Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.4 Backing Up Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.5 Securing the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.6 Auditing Sentinel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.7 Generating an SSL Certificate for the Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6 Advisor Configuration 59
6.1 Advisor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2 Installing Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2.1 Updating Advisor Data in a Secured Environment . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.3 Maintaining Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
7 Testing the Sentinel 6.1 Rapid Deployment Installation 61
7.1 Testing the Rapid Deployment Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
7.2 Cleaning Up after Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Contents 7
novdocx (en) 17 September 2009
8 Uninstalling Sentinel 6.1 Rapid Deployment 73
8.1 Uninstalling the Sentinel 6.1 Rapid Deployment Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
8.2 Uninstalling the Remote Collector Manager and Sentinel Client Applications . . . . . . . . . . . . . 74
8.2.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
8.2.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
8.2.3 Post-Uninstallation Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
A Updating the Sentinel 6.1 Rapid Deployment Hostname 77
A.1 Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
A.2 Client Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
B Troubleshooting Tips 79
B.1 Database Authentication Fails on Entering Invalid Credentials . . . . . . . . . . . . . . . . . . . . . . . . 79
B.2 Sentinel Web Interface Does Not Start Up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
B.3 Remote Collector Manager Throws Exception on Windows 2008 When UAC is Enabled . . . 80
C Manually Configuring Sentinel 6.1 Rapid Deployment Server for LDAP
Authentication 81
D Documentation Updates 83
D.1 December 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
D.2 August 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
8Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
About This Guide 9
novdocx (en) 17 September 2009
About This Guide
SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it, and presents it to you so you
can make threat, risk, and policy related decisions.
Sentinel Rapid Deployment is a simplified version of Novell®Sentinel that leverages open source
PostgreSQL*, activeMQ*, and JasperReports* components. The following sections help you
understand and install the major components of the Sentinel Rapid Deployment system.
Chapter 1, “Introduction,” on page 11
Chapter 2, “What’s New in Sentinel 6.1 Rapid Deployment,” on page 19
Chapter 3, “Sentinel 6.1 Rapid Deployment System Requirements,” on page 23
Chapter 4, “Installing Sentinel 6.1 Rapid Deployment,” on page 27
Chapter 5, “Security Considerations for Sentinel 6.1 Rapid Deployment,” on page 49
Chapter 6, “Advisor Configuration,” on page 59
Chapter 7, “Testing the Sentinel 6.1 Rapid Deployment Installation,” on page 61
Chapter 8, “Uninstalling Sentinel 6.1 Rapid Deployment,” on page 73
Appendix A, “Updating the Sentinel 6.1 Rapid Deployment Hostname,” on page 77
Appendix B, “Troubleshooting Tips,” on page 79
Appendix C, “Manually Configuring Sentinel 6.1 Rapid Deployment Server for LDAP
Authentication,” on page 81
Appendix D, “Documentation Updates,” on page 83
Audience
This documentation is intended for Information Security Professionals.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation and enter your comments there.
Additional Documentation
Sentinel technical documentation is broken down into several different volumes. They are:
Novell Sentinel 6.1 RD Installation Guide (http://www.novell.com/documentation/
sentinel61rd/s61rd_install/data/index.html)
Novell Sentinel 6.1 RD User Guide (http://www.novell.com/documentation/sentinel61rd/
s61rd_user/data/index.html)
Novell Sentinel 6.1 RD Reference Guide (http://www.novell.com/documentation/sentinel61rd/
s61rd_reference/data/index.html)
10 Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
Sentinel 6.1 Install Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_installation_guide.pdf)
Sentinel 6.1 User Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_user_guide.pdf)
Sentinel 6.1 Reference Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_reference_guide.pdf)
Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel)
The Sentinel SDK site provides the details about developing collectors (proprietary or
JavaScript) and JavaScript correlation actions.
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
within a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single path name can be written with a backslash for some platforms or a forward slash for
other platforms, the path name is presented with forward slashes to reflect the Linux* convention.
Users of platforms that require a backslash, such as NetWare®, should use backlashes as required by
your software.
Contacting Novell
Novell Website (http://www.novell.com)
Novell Technical Support (http://support.novell.com/
phone.html?sourceidint=suplnav4_phonesup)
Novell Self Support (http://support.novell.com/
support_options.html?sourceidint=suplnav_supportprog)
Patch Download Site (http://download.novell.com/index.jsp)
Novell 24x7 Support (http://www.novell.com/company/contact.html)
Sentinel TIDS (http://support.novell.com/products/sentinel)
Introduction
1
11
novdocx (en) 17 September 2009
1
Introduction
SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it, and presents it to you so you
can make threat, risk, and policy-related decisions.
The following sections describe the installation and configuration of Novell®SentinelTM 6.1 Rapid
Deployment. The Sentinel 6.1 Rapid Deployment User Guide has more detailed architecture,
operation, and administrative procedures.
Section 1.1, “Sentinel Rapid Deployment Overview,” on page 11
Section 1.2, “Sentinel Rapid Deployment User Interfaces,” on page 12
Section 1.3, “Sentinel Server Components,” on page 14
Section 1.4, “Sentinel Plug-Ins,” on page 16
Section 1.5, “Language Support,” on page 17
1.1 Sentinel Rapid Deployment Overview
Sentinel automates log collection, analysis, and reporting processes to ensure that IT controls are
effective in supporting threat detection and audit requirements. Sentinel replaces labor-intensive
manual processes with automated, continuous monitoring of security and compliance events and IT
controls.
Sentinel gathers and correlates security and non-security information from across the networked
infrastructure of an organization, as well as the third-party systems, devices, and applications.
Sentinel presents the collected data in a GUI, identifies security or compliance issues, and tracks
remedial activities to streamline the error-prone processes and build a more rigorous and secure
management program.
Automated incident response management enables you to document and formalize the process of
tracking, escalating, and responding to incidents and policy violations, and provides two-way
integration with trouble-ticketing systems. Sentinel enables you to react promptly and resolve
incidents efficiently.
Solution Packs are a simple way to distribute and import Sentinel correlation rules, dynamic lists,
maps, reports, and iTRACTM workflows into controls. These controls can be designed to meet
specific regulatory requirements, such as the Payment Card Industry Data Security Standard, or they
can be related to a specific data source, such as user authentication events for a database.
With Sentinel Rapid Deployment, you get:
Integrated, automated real-time security management and compliance monitoring across all
systems and networks
A framework that enables business policies to drive IT policy and action
Automatic documenting and reporting of security, systems, and access events across the
enterprise
12 Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
Built-in incident management and remediation
The ability to demonstrate and monitor compliance with internal policies and government
regulations such as Sarbanes-Oxley, HIPAA, GLBA, FISMA, and others. The content required
to implement these controls is distributed and implemented through Solution Packs
The following is an illustration of the conceptual architecture of Sentinel 6.1 Rapid Deployment,
which shows the components involved in performing security and compliance management.
Figure 1-1 Conceptual Architecture of Sentinel
1.2 Sentinel Rapid Deployment User Interfaces
Sentinel includes the following easy-to-use user interfaces:
Sentinel Rapid Deployment Web Interface
Sentinel Control Center
Sentinel Data Manager
Sentinel Solution Designer
Sentinel Plug-in SDK
Sentinel Collector Builder
Introduction 13
novdocx (en) 17 September 2009
1.2.1 Sentinel Rapid Deployment Web Interface
With the Novell Sentinel Rapid Deployment Web interface, you can manage and search Reports and
launch the Sentinel Control Center, the Sentinel Data Manager, and the Solution Designer. You can
also download the Collector Manager installer and the Client installer from the Application tab of
the Sentinel 6.1 Rapid Deployment Web interface.
Fore more information, see “Managing Sentinel 6.1 Rapid Deployment Through the Web Interface”
in the Sentinel 6.1 Rapid Deployment User Guide.
1.2.2 Sentinel Control Center
The Sentinel Control Center (SCC) provides an integrated security management dashboard that
enables analysts to quickly identify new trends or attacks, manipulate and interact with real-time
graphical information, and respond to incidents.
You can launch the SCC either as a client application or by using Java* Webstart.
Key features of the Sentinel Control Center include:
Active Views: Real-time analytics and visualization
Analysis: Runs and saves offline queries
Incidents: Incident creation and management
Correlation: Correlation rules definition and management
iTRAC: Process management for documenting, enforcing, and tracking incident resolution
processes
Event Source Management: Collector deployment and monitoring
Solution Manager: Install, implement, and test the Solution pack contents
Fore more information, see “Sentinel Control Center” in the Sentinel 6.1 Rapid Deployment User
Guide.
1.2.3 Sentinel Data Manager
The Sentinel Data Manager allows you to manage the Sentinel database. You can perform the
following operations in the Sentinel Data Manager:
Monitor database space utilization
View and manage database partitions
Manage database archives
Import archived data back into the database
Fore more information, see “Sentinel Data Manager” in the Sentinel 6.1 Rapid Deployment User
Guide.
1.2.4 Sentinel Solution Designer
The Sentinel Solution Designer is used to create and modify Solution Packs, which are packaged
sets of Sentinel content, such as correlation rules, actions, iTRAC worflows, and reports.
14 Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
Sentinel content is the extended functionality of the Sentinel system. It includes Sentinel plug-ins,
Sentinel Actions, Integrators, and Sentinel plug-ins such as Collectors, Connectors, and Solution
Packs that might include multiple other types of plug-ins.These modular components are used to
integrate with third-party systems, install a complete control-based security solution, and provide
automated remediation for detected incidents.
Fore more information, see “Solution Designer” in the Sentinel 6.1 Rapid Deployment User Guide.
1.2.5 Sentinel Plug-in SDK
The Sentinel Plug-in SDK includes libraries and code developed by the Novell Engineering, as well
as the template and sample code which you can use to begin developing your own projects. For
more information, see Sentinel SDK (http://developer.novell.com/wiki/
index.php?title=Develop_to_Sentinel#Sentinel_Plug-in_SDK).
1.2.6 Sentinel Collector Builder
The Sentinel Collector Builder enables you to build Collectors in the Sentinel proprietary, legacy
language to process events. You can create and customize the templates so that the Collector can
parse the data. For more information on developing your own Collectors, see Developing Sentinel
Collector Plug-ins (http://developer.novell.com/wiki/index.php/Collectors).
1.3 Sentinel Server Components
Sentinel is made up of the following components:
Section 1.3.1, “Data Access Service,” on page 14
Section 1.3.2, “Message Bus,” on page 15
Section 1.3.3, “Sentinel Database,” on page 15
Section 1.3.4, “Sentinel Collector Manager,” on page 15
Section 1.3.5, “Correlation Engine,” on page 15
Section 1.3.6, “iTRAC,” on page 15
Section 1.3.7, “Sentinel Advisor and Exploit Detection,” on page 15
Section 1.3.8, “Web Server,” on page 16
1.3.1 Data Access Service
The Sentinel Data Access Service is the primary component used to communicate with the Sentinel
database. The Data Access Server and other server components work together to store events
received from the Collector Managers into the database, filter data, process Active ViewsTM displays,
perform database queries and process results, and manage administrative tasks such as user
authentication and authorization. For more information, see “Sentinel 6.1 Rapid Deployment Data
Access Service” in the Sentinel 6.1 Rapid Deployment Reference Guide.
Introduction 15
novdocx (en) 17 September 2009
1.3.2 Message Bus
Sentinel 6.1 Rapid Deployment uses the open source message broker named Apache*Active MQ.
The message bus is capable of moving thousands of message packets in a second between the
components of Sentinel. Its architecture is built around the Java Message Oriented Middleware
(JMOM) that supports asynchronous calls between the client and server applications. Message
queues provide temporary storage when the destination program is busy or not connected. For more
information, see “Communication Server” in the Sentinel 6.1 Rapid Deployment User Guide.
1.3.3 Sentinel Database
The Sentinel product is built around a back-end database that stores security events and all of the
Sentinel metadata. Sentinel 6.1 Rapid Deployment supports PostgreSQL. The events are stored in
normalized form, along with asset and vulnerability data, identity information, incident and
workflow status, and many other types of data. For more information, see “Sentinel Data Manager”
in the Sentinel 6.1 Rapid Deployment User Guide.
1.3.4 Sentinel Collector Manager
The Sentinel Collector Manager manages data collection, monitors system status messages, and
performs event filtering as needed. The main functions of the Collector Manager include
transforming events, adding business relevance to events through taxonomy, performing global
filtering on events, routing events, and sending health messages to the Sentinel server. The Sentinel
Collector Manager directly connects to the message bus. For more information, see “Collectors” in
the Sentinel 6.1 Rapid Deployment User Guide.
1.3.5 Correlation Engine
Correlation adds intelligence to security event management by automating analysis of the incoming
event stream to find patterns of interest. Correlation allows you to define rules that identify critical
threats and complex attack patterns so that you can prioritize events and initiate effective incident
management and response. For more information, see “Correlation Tab” in the Sentinel 6.1 Rapid
Deployment User Guide.
1.3.6 iTRAC
Sentinel provides an iTRAC™ workflow management system to define and automate processes for
incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually,
can be associated with an iTRAC workflow. For more information, see “iTRAC Workflows” in the
Sentinel 6.1 Rapid Deployment User Guide.
1.3.7 Sentinel Advisor and Exploit Detection
Sentinel Advisor is an optional data subscription service that includes known attacks,
vulnerabilities, and remediation information. This data, combined with known vulnerabilities and
real-time intrusion detection or prevention information from your environment, provide proactive
exploit detection and the ability to immediately act when an attack takes place against a vulnerable
system.
16 Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
An Advisor data snapshot is installed by default with Sentinel 6.1 Rapid Deployment installation.
You need an Advisor license to subscribe to the ongoing Advisor data updates.
1.3.8 Web Server
Sentinel 6.1 Rapid Deployment uses Apache* Tomcat as its Web server to allow secure connection
to the Sentinel Rapid Deployment Web interface.
1.4 Sentinel Plug-Ins
Sentinel supports a variety of plug-ins to expand and enhance system functionality. Some of these
plugins are pre-installed. Additional plugins (and updates) are available for download at Sentinel
Content Page (http://support.novell.com/products/sentinel/sentinel61rd.html).
Some plugins, such as the Remedy* Integrator, the IBM* Mainframe Connector, and the Connector
for SAP* XAL, require an additional license for download.
Section 1.4.1, “Collectors,” on page 16
Section 1.4.2, “Connectors and Integrators,” on page 17
Section 1.4.3, “Correlation Rules and Actions,” on page 17
Section 1.4.4, “Reports,” on page 17
Section 1.4.5, “iTRAC Workflows,” on page 17
Section 1.4.6, “Solution Packs,” on page 17
1.4.1 Collectors
Sentinel collects data from source devices and delivers a richer event stream by injecting taxonomy,
exploit detection, and business relevance into the data stream before events are correlated and
analyzed and sent to the database. A richer event stream means that data is correlated with the
required business context to identify and remediate internal or external threats and policy violations.
Sentinel Collectors can parse data from the types of devices listed below and more:
JavaScript Collectors can be written by using the standard JavaScript development tools and the
Collector SDK. Proprietary (or Legacy) Collectors can be built or modified by using the Sentinel
Collector Builder, which is, a standalone application included with the Sentinel system. For more
information, see Section 1.2.6, “Sentinel Collector Builder,” on page 14.
Intrusion Detection Systems (host)
Intrusion Detection Systems (network)
Firewalls
Operating Systems
Policy Monitoring
Authentication
Routers and Switches
VPNs
Anti-Virus Detection Systems
Web Servers
Databases
Mainframe
Vulnerability Assessment Systems
Directory Services
Network Management Systems
Proprietary Systems
Introduction 17
novdocx (en) 17 September 2009
1.4.2 Connectors and Integrators
Connectors provide connectivity from the Collector Manager to event sources through standard
protocols such as JDBC* and syslog. Events are passed from the Connector to the Collector for
parsing.
Integrators enable remediation actions on systems outside of Sentinel. For example, a correlation
action can use the SOAP Integrator to initiate a Novell Identity Manager™ workflow.
The optional Remedy AR Integrator provides the ability to create a Remedy ticket from Sentinel
events or incidents. For more information, see “Action Manager and Integrator” in the Sentinel 6.1
Rapid Deployment User Guide.
1.4.3 Correlation Rules and Actions
Correlation rules identify important patterns in the event stream. When a correlation rule triggers, it
initiates correlation actions, such as sending e-mail notifications, initiating an iTRAC workflow, or
executing an action using an Integrator. For more information, see “Correlation Tab” in the Sentinel
6.1 Rapid Deployment User Guide.
1.4.4 Reports
You can run a wide variety of dashboard and operational reports from the Sentinel 6.1 Rapid
Deployment Web interface by using JasperReports. The reports are typically distributed via Solution
Packs.
1.4.5 iTRAC Workflows
iTRAC workflows provide consistent, repeatable processes for managing incidents. The workflow
templates are typically distributed via Solution Packs. iTRAC is shipped with a set of default
templates that you can modify to suit your requirement. For more information, see “iTRAC
Workflows” in the Sentinel 6.1 Rapid Deployment User Guide.
1.4.6 Solution Packs
Solution Packs are packaged sets of related Sentinel content, such as correlation rules, actions,
iTRAC workflows, and reports. Novell also creates Collector packs, which include content focused
on a specific event source, such as Windows* Active Directory*. For more information, see
“Solution Packs ” in the Sentinel 6.1 Rapid Deployment User Guide.
1.5 Language Support
Sentinel components are available in the following languages:
Czech
English
French
German
Italian
18 Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
Japanese
Dutch
Polish
Portuguese
Simplified Chinese
Spanish
Traditional Chinese
What’s New in Sentinel 6.1 Rapid Deployment
2
19
novdocx (en) 17 September 2009
2
What’s New in Sentinel 6.1 Rapid
Deployment
Novell®SentinelTM 6.1 Rapid Deployment is a simplified alternate platform for the Sentinel 6.1
application that you can install on a single machine. Sentinel 6.1 Rapid Deployment features an
easy-to-install SIEM solution that leverages open source components, including a PostgreSQL
database and JasperReports. It has many new capabilities, such as reporting and searching
functionalities through the Web interface.
Section 2.1, “New and Updated Features,” on page 19
Section 2.2, “Comparing Sentinel 6.1 and Sentinel 6.1 Rapid Deployment Features and
Capabilities,” on page 19
2.1 New and Updated Features
Sentinel 6.1 Rapid Deployment gives you the ability to:
Use Sentinel with an embedded PostgreSQL database.
Use a simplified single-machine server installer.
Use the Web interface for the following:
Accessing the reporting and free-form search functionalities.
Running the Sentinel Control Center (SCC), the Solution Designer, and the Sentinel Data
Manager (SDM) clients by using Java Web Start.
Downloading the multiplatform client installer and the Collector Manager.
Use a single multiplatform client installer to install the Sentinel Control Center, the Solution
Designer, and the Sentinel Data Manager.
Use the Collector Manager installer to install additional Collector Managers for a distributed
environment.
Use JasperReports in Solution Packs.
2.2 Comparing Sentinel 6.1 and Sentinel 6.1
Rapid Deployment Features and Capabilities
This section compares the features and capabilities of Novell Sentinel 6.1 Rapid Deployment to
Novell Sentinel 6.1.
Table 2-1 Feature Comparison
Features or Capabilities Sentinel 6.1 Rapid Deployment Sentinel 6.1
Supported Platforms for
Server Installation
SUSE®Linux Enterprise Server Linux, Solaris*, and Windows.
20 Sentinel 6.1 Rapid Deployment Installation Guide
novdocx (en) 17 September 2009
Database The major difference between Sentinel
6.1 Rapid Deployment and previous
versions of Sentinel is the introduction of
an embedded Sentinel database, based
on the open source PostgreSQL
database engine. This new database is
installed and configured automatically
during the Sentinel Rapid Deployment
installation, with no need to provide or
manage an external database.
Customer-provided MS SQL or
Oracle* database.
Reporting Sentinel 6.1 Rapid Deployment
introduces a new, streamlined reporting
system to replace Crystal Reports. This
new reporting system is an integral part
of Sentinel and allows users to easily
run pre-defined reports or custom
reports developed using the open
source Jasper reporting engine.
Crystal Reports with associated
database is installed separately.
Messaging ActiveMQ SonicMQ*
Installation architecture Installation is simplified. You only need
to provide a Sentinel password, a
database password, and an optional set
of credentials for the Sentinel Advisor
service.
Server components, including the
embedded database, the reporting
engine, a Collector Manager, and a Web
console are all included in the package,
and are installed and configured
automatically on a single machine. This
allows you deploy and begin using the
product very quickly and with a minimum
amount of effort.
Additional Collector Managers can be
installed as needed.
The database is installed
separately by the customer.
Server components can be
installed together or distributed
across multiple machines.
Web-based application
launch and installation
The Web console used for Sentinel 6.1
Rapid Deployment reporting and full text
search also includes the option to launch
and install the Sentinel client
applications. You can now launch the
Sentinel Control Center, the Sentinel
Solution Designer, and the Sentinel Data
Manager from a Web browser without
the need to install these client
applications locally. The Web console
also includes the option to install the
client applications and the Sentinel
Collector Manager without the need to
manually retrieve the installation
package.
Not supported.
Features or Capabilities Sentinel 6.1 Rapid Deployment Sentinel 6.1
This manual suits for next models
1
Table of contents
Other Novell Software manuals
Novell
Novell ZENWORKS APPLICATION VIRTUALIZATION 8.0.2 - INTEGRATION AND STREAMING GUIDE... User manual
Novell
Novell LINUX ENTERPRISE SERVER 10 SP2 - STORAGE ADMINISTRATION GUIDE... Instruction Manual
Novell
Novell SENTINEL LOG MANAGER 1.0.0.5 - 03-31-2010 Instruction Manual
Novell
Novell APPARMOR 2.0.1 Instruction Manual
Novell
Novell SUPPORT ADVISOR 2.0.1 Instruction Manual
Novell
Novell ZENWORKS 7.2 LINUX MANAGEMENT - SCENARIOS 1... User manual
Novell
Novell ZENWORKS 10 CONFIGURATION MANAGEMENT SP3 - NETWORK DISCOVERY DATABASE... Quick guide
Novell
Novell ACCESS MANAGER 3.1 SP2 - SSL VPN USER GUIDE... User manual
Novell
Novell OPEN ENTERPRISE SERVER 2 SP2 - LAB GUIDE... User manual
Novell
Novell ZENWORKS 10 CONFIGURATION MANAGEMENT SP3 - COMMAND LINE UTILITIES REFERENCE 10.3... User manual
Novell
Novell GROUPWISE 7 - TROUBLESHOOTING 2 User manual
Novell
Novell LINUX ENTERPRISE SERVER 10 SP3 -... Manual
Novell
Novell NETWARE 6-DOCUMENTATION User manual
Novell
Novell ACCESS MANAGER 3.1 SP2 - J2EE AGENT GUIDE... User manual
Novell
Novell LINUX ENTERPRISE SERVER 10 SP2 - VIRTUALIZATION WITH... User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 10 SP2 User manual
Novell
Novell Account Management 2.1 User manual
Novell
Novell XEN - ADMINISTRATION User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 10 SP2 - KDE... User manual
Novell
Novell CLIENT FOR LINUX 2.0 SP3 Instruction Manual
Popular Software manuals by other brands
HP
HP ProLiant StorageWorks NAS 2000s quick start guide
Aruba Networks
Aruba Networks PowerConnect W Clearpass 100 Software Deployment guide
Juniper
Juniper NETWORK AND SECURITY MANAGER 2010.4 - NSMXPRESS SERIES II REV... manual
360 Systems
360 Systems Short/cut 2000 Audio Editor owner's manual
Canon
Canon VIXIA HF M30 instruction manual
Asus
Asus GigaX 1024P User's user manual
