5.2 Securing Communication across the Network

Communication between the various components of Sentinel Rapid Deployment is across the network, and there are different kinds of communication protocols used throughout the system.

5.2.1 Communication between Sentinel Server Processes

The Sentinel server processes include DAS Core, DAS Binary, Correlation Engine, Collector Manager, and the Web server. They communicate with each other by using ActiveMQ.

The communication between these server processes is by default over SSL via the ActiveMQ message bus. To configure SSL, specify the following information in <Install_Directory>/configuration.xml:

<jms brokerURL="failover://(ssl://localhost:61616?wireFormat.maxInactivityDuration=30000)?randomize=false" interceptors="compression" keystore="../config/.activemqclientkeystore.jks" keystorePassword="password" password="374d9f338b4dc4b50e45b3822fc6be12" username="system"/>

For more information on setting up the custom server and client certificates, see Processes in the Sentinel Rapid Deployment User Guide.
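As an added check (not part of the Sentinel documentation), the following script reads the <jms> element of a configuration.xml and reports any ActiveMQ transport URI in brokerURL that does not use the ssl scheme. The sample configuration is constructed from the element shown above, with placeholder credentials.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <jms> element in the text; the keystore
# password and broker credentials are placeholders, not real values.
SAMPLE_CONFIG = """<configuration>
  <jms brokerURL="failover://(ssl://localhost:61616?wireFormat.maxInactivityDuration=30000)?randomize=false"
       interceptors="compression" keystore="../config/.activemqclientkeystore.jks"
       keystorePassword="PLACEHOLDER" password="PLACEHOLDER" username="system"/>
</configuration>"""


def transport_uris(broker_url):
    """Return the transport URIs wrapped by an ActiveMQ failover:// URL.

    failover://(ssl://a:61616,tcp://b:61616)?randomize=false
        -> ["ssl://a:61616", "tcp://b:61616"]
    A plain (non-failover) URL is returned as a one-item list.
    """
    m = re.match(r"failover://\((.*)\)(\?.*)?$", broker_url)
    inner = m.group(1) if m else broker_url
    return [u.strip() for u in inner.split(",") if u.strip()]


def insecure_transports(config_xml):
    """Return every brokerURL transport whose scheme is not ssl (e.g. tcp://)."""
    root = ET.fromstring(config_xml)
    findings = []
    for jms in root.iter("jms"):
        for uri in transport_uris(jms.get("brokerURL", "")):
            scheme = uri.split("://", 1)[0].lower()
            if scheme != "ssl":
                findings.append(uri)
    return findings


if __name__ == "__main__":
    # An empty list means every transport in the sample uses ssl://.
    print(insecure_transports(SAMPLE_CONFIG))
```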

5.2.2 Communication between the Sentinel Server and Sentinel Client Applications

Sentinel Client applications such as the Sentinel Control Center (SCC), Sentinel Data Manager (SDM), and Solution Designer use SSL communication by default via the SSL Proxy Server.

To enable communication between the Sentinel server and the SCC, the SDM, and the Solution Designer, when they are all running as client applications on the server, specify the following information in the <install_directory>/configuration.xml:

<strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory">
  <transport type="ssl">
    <ssl host="localhost" keystore="<install_directory>/config/.proxyClientKeystore" port="10013" usecacerts="false"/>
  </transport>
</strategy>

To enable communication between the Sentinel server and the SCC, the SDM, and the Solution Designer running through Web Start, the communication strategy is defined on the server in the <install_directory>/3rdparty/tomcat/webapps/ROOT/novellsiemdownloads/configuration.xml file as follows:

<strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory">
  <transport type="ssl">
    <ssl host="127.0.0.1" port="10013" keystore="./.novell/sentinel/.proxyClientKeystore"/>
  </transport>
</strategy>

For more information on setting up the custom server and client certificates, see Processes in the Sentinel Rapid Deployment User Guide.

5.2.3 Communication between the Server and the Database

The protocol used for communication between the server and the database is defined by the JDBC driver. Some drivers are capable of encrypting communication with the database.

Sentinel Rapid Deployment uses the PostgreSQL driver (postgresql-<version>.jdbc3.jar) provided on the PostgreSQL Download Page to connect to the PostgreSQL database, which is a Java (Type IV) implementation. This driver supports encryption for data communication. To configure encryption for data communication, refer to PostgreSQL Encryption Options.

NOTE: Turning encryption on affects the performance of the system. Therefore, database communication is not encrypted by default. However, this is not a security concern because the communication between the database and server happens over the loopback network interface and is not exposed to the open network.

5.2.4 Communication between the Collector Managers and Event Sources

You can configure Sentinel Rapid Deployment to securely collect data from various event sources. However, secured data collection is determined by specific protocols supported by the event source. For example, the Check Point LEA, Syslog, and Audit Connectors can be configured to encrypt their communication with event sources.

For more information on the possible security features that can be enabled, refer to the Connector and event source vendor documentation provided on the Novell Sentinel Plug-ins Web site.

5.2.5 Communication with Web Browsers

The Web server is by default configured to communicate via HTTPS. For more information, see the Tomcat documentation.

5.2.6 Communication between the Database and Other Clients

You can configure the PostgreSQL SIEM database to allow connection from any client machine by using the Sentinel Data Manager or any third-party application such as Pgadmin.

To allow the Sentinel Data Manager to connect from any client machine, add the following line in the <Install_Directory>/3rdparty/postgresql/data/pg_hba.conf file:

host   all         all         0.0.0.0/0             md5

To limit which client machines are allowed to run the SDM and connect to the database, replace the line above with one that names the IP address of the host. The following line in pg_hba.conf tells PostgreSQL to accept connections only from the local machine, so that the Sentinel Data Manager is allowed to run only on the server:

host all all 127.0.0.1/32 md5

In order to limit connections from other client machines, you can add additional host entries.
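As an added check (not part of the Sentinel documentation), the following script parses pg_hba.conf host entries and reports every rule whose address range reaches beyond the loopback interface, flagging 0.0.0.0/0 separately as unrestricted. The sample file is constructed from the two lines above plus one extra host entry.

```python
import ipaddress

# Constructed sample: the two rules from the text plus one additional host entry.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    USER        ADDRESS               METHOD
local   all         all                               md5
host    all         all         127.0.0.1/32          md5
host    all         all         0.0.0.0/0             md5
host    all         all         192.0.2.10/32         md5
"""


def parse_pg_hba(text):
    """Yield (type, database, user, address, method) for each rule.

    Comments and blank lines are skipped. 'local' rules (Unix sockets) have no
    ADDRESS column, so address is None; host rules written as IP plus a
    separate netmask column are merged into a single CIDR-style string.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            yield (f[0], f[1], f[2], None, f[3])
        elif f[0] in ("host", "hostssl", "hostnossl"):
            if "/" in f[3]:
                addr, method = f[3], f[4]
            else:
                addr, method = f[3] + "/" + f[4], f[5]
            yield (f[0], f[1], f[2], addr, method)


def remote_rules(text):
    """Return (type, db, user, network, method, unrestricted) for every host
    rule that admits clients outside 127.0.0.0/8 or ::1."""
    findings = []
    for typ, db, user, addr, method in parse_pg_hba(text):
        if addr is None:
            continue
        net = ipaddress.ip_network(addr, strict=False)
        if not net.is_loopback:
            findings.append((typ, db, user, str(net), method, net.prefixlen == 0))
    return findings


if __name__ == "__main__":
    for rule in remote_rules(SAMPLE_PG_HBA):
        print(rule)
```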