Sentinel Events; A.3.2 Sentinel Events - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


ActiveMQ takes advantage of an independent, multi-channel environment, which virtually
eliminates contention and promotes parallel processing of events. These channels and sub-channels
work not only for event data transport but also offer fine-grained process control for scaling and load
balancing the system under varying load conditions. Using independent service channels, such as
control channels and status channels, in addition to the main event channel allows sophisticated and
cost-effective scaling of the event-driven architecture.

A.3.2 Sentinel Events

Sentinel receives information from devices, normalizes this information into a structure called a
Sentinel event, and sends the event for processing. Events are processed by the real-time display,
the correlation engine, and the back-end server.

An event is made up of more than 200 tags. Tags are of different types and have different purposes.
There are some predefined tags such as severity, criticality, destination IP, and destination port.
There are two sets of configurable tags: reserved tags are for Novell internal use to allow future
expansion, and customer tags are for customer extensions.

Tags can be repurposed by renaming them. The source for a tag can be either external, which means
that it is set explicitly by the device or the corresponding Collector, or referential. The value of a
referential tag is computed as a function of one or more other tags using the mapping service. For
example, a tag can be defined to be the building code for the building containing the asset mentioned
as the destination IP of an event. Or, a tag can be computed by the mapping service by using a
customer-defined map with the destination IP from the event.
- "Map Service" on page 389
- "Streaming Maps" on page 390
- "Exploit Detection" on page 390
Map Service
The Map Service provides a sophisticated mechanism to propagate business-relevance data throughout
the system. This facility aids scalability and provides an extensibility advantage by enabling
intelligent data transfer between different nodes of the distributed system.

The Map Service cross-references vulnerability scanner data with intrusion detection system
signatures and more (for example, asset data and business-relevant data). This allows immediate
notification when an attack is attempting to exploit a vulnerable system. Three separate components
provide this functionality:

- Collection of real-time events from an intrusion detection source
- Comparing those signatures to the latest vulnerability scans
- Cross-referencing an attack feed through Sentinel Advisor (an optional product module, which
  cross-references real-time intrusion detection system attack signatures against the user's
  vulnerability scanner data)

The Map Service dynamically propagates information throughout the system without impacting the
system load. When important data sets (that is, "maps" such as asset information or patch update
information) are updated in the system, the Map Service propagates the updates across the system.
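The two ideas above, referential tags computed from other tags via a customer-defined map, and exploit detection by cross-referencing an IDS signature against the latest vulnerability scan of the destination asset, as an added toy illustration (this is not Novell or Sentinel code). The tag names, the building map and the scan results are constructed for the example; an event is assumed to be a plain dictionary of tag name to value.

```python
"""Toy mapping service and exploit-detection check (added example, not Sentinel code).
Assumptions (hypothetical): an event is a dict of tag name -> value; maps and scan
results are in-memory structures; tag and signature names are constructed."""
from typing import Callable, Dict, Optional, Set, Tuple

Event = Dict[str, str]
# A referential-tag rule: (input tag names, function of those inputs -> value or None)
Rule = Tuple[Tuple[str, ...], Callable[..., Optional[str]]]

# Constructed customer-defined map: asset IP -> building code.
BUILDING_MAP: Dict[str, str] = {"10.1.2.3": "BLDG-7", "10.9.9.9": "BLDG-2"}

# Constructed result of the latest vulnerability scan: (asset IP, IDS signature)
# pairs the scanner reported as vulnerable.
VULN_SCAN: Set[Tuple[str, str]] = {("10.1.2.3", "SIG-SAMPLE-1")}

# Referential tags, each computed as a function of one or more other tags.
RULES: Dict[str, Rule] = {
    "DestinationBuilding": (("DestinationIP",), BUILDING_MAP.get),
    "Vulnerable": (
        ("DestinationIP", "SignatureName"),
        lambda ip, sig: "yes" if (ip, sig) in VULN_SCAN else "no",
    ),
}


def apply_map_service(event: Event, rules: Dict[str, Rule]) -> Event:
    """Return a copy of the event with referential tags filled in.
    A rule whose input tags are missing, or whose map has no entry for the
    input, leaves the tag unset rather than inventing a value."""
    enriched = dict(event)
    for tag, (inputs, fn) in rules.items():  # rules run in insertion order, so
        if all(name in enriched for name in inputs):  # later rules may use earlier tags
            value = fn(*(enriched[name] for name in inputs))
            if value is not None:
                enriched[tag] = value
    return enriched


def is_exploit_attempt(event: Event) -> bool:
    """Exploit detection: an IDS signature seen against an asset the scan says is vulnerable."""
    return event.get("Vulnerable") == "yes"


if __name__ == "__main__":
    # Constructed IDS event: external tags only; referential tags are computed below.
    ids_event: Event = {"DestinationIP": "10.1.2.3", "SignatureName": "SIG-SAMPLE-1", "Severity": "4"}
    enriched = apply_map_service(ids_event, RULES)
    print(enriched, "exploit attempt:", is_exploit_attempt(enriched))
```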
Sentinel 6.1 Rapid Deployment Architecture 389
