Sentinel Event; A.3.2 Sentinel Event - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual


iSCALE takes advantage of an independent, multi-channel environment, which virtually eliminates
contention and promotes parallel processing of events. These channels and sub-channels work not
only for event data transport but also offer fine-grain process control for scaling and load balancing
the system under varying load conditions. Using independent service channels such as control
channels and status channels, in addition to the main event channel, allows sophisticated and cost-effective scaling of event-driven architecture.

A.3.2 Sentinel Event

Sentinel receives information from devices, normalizes this information into a structure called a
Sentinel Event (or Event for short), and sends the event for processing. Events are processed by the
real-time display, the correlation engine and the backend server.
An event comprises more than 200 tags. Tags are of different types and serve different purposes.
There are some predefined tags such as severity, criticality, destination IP and destination port.
There are two sets of configurable tags: Reserved Tags, which are for Novell internal use to allow
future expansion, and Customer Tags, which are for customer extensions.
Tags can be repurposed by renaming them. The source for a tag can be either external, meaning
that it is set explicitly by the device or the corresponding Collector, or referential. The value of a
referential tag is computed as a function of one or more other tags using the mapping service. For
example, a tag can be defined to be the building code for the building containing the asset that
appears as the destination IP of an event; the mapping service computes that tag by looking up the
event's destination IP in a customer-defined map.
Mapping Service
Map Service provides a sophisticated mechanism to propagate business-relevant data throughout the
system. This facility aids scalability and provides an extensibility advantage by enabling intelligent
data transfer between different nodes of the distributed system.
Map Service is a data propagation facility that gives the ability to cross-reference Vulnerability
Scanner data with Intrusion Detection System signatures and more (for example, asset data,
business-relevant data). This allows immediate notification when an attack is attempting to exploit a
vulnerable system. Three separate components provide this functionality:
Collection of real time events from an intrusion detection source;
Comparing those signatures to the latest vulnerability scans; and
Cross-referencing an attack feed through Sentinel Advisor (an optional product module, which
cross-references real-time IDS attack signatures against the user's vulnerability scanner data).
Map Service dynamically propagates information throughout the system without adding to the
system's load. When important data sets (that is, "maps" such as asset information or patch
update information), which can often be hundreds of megabytes in size, are updated in the system,
the Map Service propagates the updates across the system.
iSCALE's Map Service algorithms handle large referential data sets across a production system
processing large real-time data volumes. These algorithms are "update-aware" and selectively push
only the changes or "delta data sets" from the repository to the edge or system perimeter.
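The following is an added example, not code from the Sentinel product or this manual, modelling both ideas described above: a referential tag (here a building code, plus a vulnerability cross-reference for the destination asset) computed from external tags through a map service, and an "update-aware" map service that pushes only the delta to an edge copy when a map changes. Tag names such as CustomerVar1 and TargetVulnerable, the map names, and the sample IPs and signature names are all constructed for illustration and are not Sentinel's actual tag set or data.

```python
"""Toy model of Sentinel-style referential tags and delta map propagation (added example)."""
import copy
from typing import Any, Dict, Optional, Set

# --- constructed sample maps (illustrative data only) ---
# Customer-defined map: destination IP -> building code of the asset.
BUILDING_MAP: Dict[str, str] = {
    "10.0.1.25": "BLDG-A",
    "10.0.2.7": "BLDG-B",
}
# Constructed vulnerability-scan map: asset IP -> IDS signature names the
# scanner reports the host as vulnerable to (placeholder signature names).
VULN_MAP: Dict[str, Set[str]] = {
    "10.0.1.25": {"SIG-PLACEHOLDER-SSH-BRUTE"},
    "10.0.2.7": set(),
}


class MapService:
    """Holds a master copy of each map and a simulated edge copy; on update
    only the changed entries ("delta data set") are applied to the edge."""

    def __init__(self) -> None:
        self._master: Dict[str, Dict[str, Any]] = {}
        self._edge: Dict[str, Dict[str, Any]] = {}

    def load_map(self, name: str, data: Dict[str, Any]) -> None:
        # Initial load: the edge receives the whole map once.
        self._master[name] = copy.deepcopy(data)
        self._edge[name] = copy.deepcopy(data)

    def update_map(self, name: str, new_data: Dict[str, Any]) -> Dict[str, Any]:
        """Replace the master copy and return the delta pushed to the edge:
        {'upsert': {key: value}, 'delete': [key, ...]}."""
        old = self._master.get(name, {})
        upsert = {k: v for k, v in new_data.items() if old.get(k) != v}
        delete = [k for k in old if k not in new_data]
        edge = self._edge.setdefault(name, {})
        edge.update(copy.deepcopy(upsert))   # only changed entries travel
        for k in delete:
            edge.pop(k, None)
        self._master[name] = copy.deepcopy(new_data)
        return {"upsert": upsert, "delete": delete}

    def lookup(self, name: str, key: Optional[str]) -> Any:
        # Referential tags are resolved against the edge copy.
        if key is None:
            return None
        return self._edge.get(name, {}).get(key)


def normalize(raw: Dict[str, str]) -> Dict[str, Any]:
    """Stand-in for a Collector: map raw device fields onto event tags.
    Tag names are assumed for this example, not Sentinel's real tag set."""
    return {
        "EventName": raw.get("sig", ""),
        "Severity": int(raw.get("sev", 0)),
        "DestinationIP": raw.get("dst"),
        "DestinationPort": int(raw.get("dport", 0)),
    }


def enrich(event: Dict[str, Any], svc: MapService) -> Dict[str, Any]:
    """Compute referential tags from external tags via the map service."""
    dst = event.get("DestinationIP")
    # Customer tag repurposed to hold the building code of the destination asset.
    event["CustomerVar1"] = svc.lookup("building", dst)
    # Cross-reference the IDS signature with the asset's latest vulnerability scan,
    # so an attack against a host actually vulnerable to it can be flagged.
    vulns = svc.lookup("vulnscan", dst) or set()
    event["TargetVulnerable"] = event.get("EventName") in vulns
    return event


def build_service() -> MapService:
    svc = MapService()
    svc.load_map("building", BUILDING_MAP)
    svc.load_map("vulnscan", VULN_MAP)
    return svc


if __name__ == "__main__":
    svc = build_service()
    raw = {"sig": "SIG-PLACEHOLDER-SSH-BRUTE", "sev": "4", "dst": "10.0.1.25", "dport": "22"}
    print(enrich(normalize(raw), svc))
    # After the host is patched, only the one changed entry is pushed to the edge.
    print(svc.update_map("vulnscan", {"10.0.1.25": set(), "10.0.2.7": set()}))
    print(enrich(normalize(raw), svc)["TargetVulnerable"])
```

The delta returned by update_map is the point of the "update-aware" design: a scan refresh that changes one host's entry results in a one-entry push, regardless of how large the full map is.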
444 Sentinel 6.1 User Guide
