Configuring Celerra for Security Information Management with Network Intelligence's enVision




Best Practices Planning

Abstract

The enVision appliance is used to monitor log information from any device on the network to determine how that device is being used. enVision captures security events that take place in the network infrastructure. This white paper provides guidelines for setting up storage for Security Information and Event Management with EMC's Celerra Network Server.

October 2006

Copyright 2006 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners. Part Number H2465

Table of Contents

Executive summary
Introduction
Audience
Terminology
Overview
Recommendations
Conclusion
References

Executive summary

Regulatory compliance now makes it imperative that corporations secure sensitive information and articulate how they manage the effectiveness of their security program. Enterprise security teams use Security Information and Event Management (SIEM) products to automate the compliance reporting of security transactions. enVision provides security professionals with the essential real-time security intelligence to help identify and understand hacker, virus, and SPAM/spyware behavior, to combat security threats, and to meet compliance auditing requirements.

Network Intelligence's[1] enVision provides security intelligence across thousands of network devices that have an impact on a company's security framework. enVision automatically collects and correlates event data from a variety of heterogeneous multi-vendor network devices and systems, including routers, switches, firewalls, VPNs, IDS/IPS systems, proxy servers, antivirus, SPAM, and spyware systems, content filtering, and web security appliances. This security information must be stored safely for the duration of its data retention period. The volume of information generated by SIEM necessitates the integration of powerful Network Attached Storage, such as EMC's Celerra.

enVision helps to eliminate false positives, improves security operations, and delivers all necessary tools to meet Sarbanes-Oxley, GLBA, HIPAA, and FISMA compliance requirements. Using real-time monitoring and correlation analysis, security professionals can quickly and easily gain insight into hacker and virus activity to improve the overall security posture.

Introduction

enVision appliances create thousands of new files every day. Enterprise environments with a large number of monitored devices need a robust storage platform to house the volume of data gathered by enVision. Celerra network servers are capable of storing this large volume of data and quickly serving files back to enVision for analysis and correlation of network events.
Recommendations are provided in this paper that follow known best practices for configuring EMC Celerra in an enVision environment.

Audience

Security or Network Administrators using enVision to monitor their networks and servers, enVision users that integrate the Celerra storage platform to hold compliance information for their company, and EMC engineers who will deploy Celerra in an enVision environment comprise the intended audience for this white paper.

Terminology

SIEM - Security Information and Event Management
Network Intelligence Engine (NIE) - hardware platform running enVision software for SIEM

Overview

enVision is made up of three components:
Application Server - Supports interactive users and runs the suite of analysis tools.
Data Server - Manages access and retrieval of captured events.
Collectors - Capture incoming events from network devices.

Some NIE series appliances, the EX and HA series, are designed to operate in a stand-alone, non-distributed mode. They have all three enVision components (Application Server, Collector, and Data Server) installed on one appliance. The single appliance is a site. The LS series NIE appliances are designed to operate in a distributed installation, where each enVision component (Application Server, Collector, and Data Server) is on its

[1] Network Intelligence is a business unit of RSA, the Security Division of EMC.

own appliance. All of the appliances together form a site. Multiple appliances allow a variety of installations for the three components to be deployed in order to manage the variety of network infrastructures found in production environments. Each appliance in the site is referred to as a node.

Collectors can be local or remote depending on their location in the network. LAN-attached Collectors are local. WAN-separated Collectors are remote. The maximum number of Application Servers and Collectors a site can have is five. If three Application Servers are used, then only two Collectors can be implemented. If three Collectors are used, then only two Application Servers can be implemented. A site can also support up to 16 Remote Collectors. Remote Collectors have store-and-forward technology that allows user-selectable critical events to be processed in real time, while noncritical events are compressed, securely stored, and locally cached until they can be forwarded to the Data Server, which sends the events on to the Celerra.

Only the Collectors and the Data Server will create directories and write files to the Celerra. Just the Data Server will read from the Celerra. Network Administrators or Security Managers will run queries or reports from Application Servers that interface with the Data Server to retrieve alert, log, or security event data. Celerra network servers have been tested with enVision at the maximum collection rate per site.

The following diagram illustrates the flow of communications and data between enVision components and the Celerra.

[Figure 1. Multiple appliance sites with the maximum number of Application Servers or Collectors. The diagram shows, for each of two site layouts, the Application Servers, the Data Server, the Remote Collectors, and the Celerra File Server they write to.]

Recommendations

Recommendation #1
Whenever possible, ensure that the latest available software code version or patch is installed and active. Keep all software up to date on your systems. The latest versions have upgraded features and higher performance potential for the storage and retrieval of security event information.

Recommendation #2
Use Fibre Channel drives configured for RAID-5. The I/O workload generated by an NIE consists of simultaneous reads and writes. For the most part, the reads are random. This workload is not suitable for ATA drives; Fibre Channel drives should be used because of the random nature of the workload.

Recommendation #3
Size the storage environment based upon the number of Collectors and the desired event retention period. To estimate the Celerra storage sizing, the following factors are multiplied by the events per second, from which daily, monthly, and yearly storage requirements are derived. This estimate provides the usable space requirement for the disks and does not include hot spare or RAID-5 parity considerations for the Celerra.

Events per second - The total number of events per second for all Collectors, up to 30,000 events per second per LS site.
Event size - The average event size collected from the network. The minimum event size is 160 bytes and the maximum is 2000 bytes; 250 bytes is an accurate norm for storage calculation.
EPS duty factor - How much of the potential collection maximum is used on average, for example 50% or 0.50.
Hours per day collection - Portion of the day that collection is active, for example 9 out of 24 hours or 37.5% of a day.
DE factor - Data explosion factor, the compression factor applied when consolidating hourly event files, fixed at 29%.

Calculations:
Events/sec × Average event size × EPS duty factor × Hours per day collection × DE factor = bytes/sec
bytes/sec × 60 × 60 × 24 = bytes per day
bytes per day / (1024 × 1024 × 1024) = GB per day

Example using 10000 events per second:
10000 × 250 × 0.50 × 0.375 × 0.29 bytes/sec = 10.9 GB/day = 328.15 GB/month = 3992.5 GB/year

Recommendation #4
Configure Network High Availability on Celerra Data Movers.
To protect against Data Mover device or network switch port failure, the Celerra Network Server provides network high availability, or redundancy, through the use of three types of virtual devices:
Ethernet channels (EtherChannel) enable multiple active Ethernet connections to the same switch to appear as a single link.
Link aggregation (LACP) allows Ethernet ports with similar characteristics connected to the same switch to be combined into a single virtual device/link.
Fail-Safe Networks (FSN) extend link failover out into the network by providing switch-level redundancy.

Consider using EtherChannel or LACP along with FSN to sustain network communications. Refer to the Configuring and Managing Celerra Network High Availability technical module for more details.

Recommendation #5
Consider using standbys for high availability on the Celerra. The Celerra Network Server protects against hardware or software failure by providing one or more standby Data Movers and, for some Celerra server models, a standby Control Station. The standby Data Mover or Control Station assumes operation from the failed component. Failover occurs when a standby component

takes over for a failed primary component by immediately routing data to an alternate data path or device to avoid interrupting services during a failure. Creating a standby Data Mover assures continuous access to the file systems that NIEs use. Refer to the Configuring Standbys on Celerra technical module for more details.

Recommendation #6
When configuring the Celerra, use Automatic Volume Management to create the file systems. Automatic Volume Management (AVM) is a Celerra Network Server feature that automates volume creation and management. AVM creates well-designed file system layouts for most situations. AVM reduces the risk of user error during file system configuration and follows back-end disk performance best practices, as the underlying volumes are created for the new file systems automatically. With Celerra command options and interfaces that support AVM, system-defined storage pools create file systems without the need for manual creation and management of stripes, slices, or metavolumes. The clar_r5_performance storage pool will provide optimal-performance file systems for enVision environments. Refer to the Celerra Network Server Best Practices for Performance (5.5) paper and the Managing Celerra Volumes and File Systems with Automatic Volume Management technical module for more details.

Recommendation #7
Use Automatic File System Extension. The Automatic File System Extension feature allows a file system to be configured to extend automatically, without system administrator intervention, as the file system grows. Automatic File System Extension causes the file system to extend when it reaches a specified usage point, the high water mark. The high water mark is the percentage of the file system that has been consumed and that will trigger an Automatic File System Extension. A high water mark of 90% is the default setting.
Automatic File System Extension allows the file system to grow as needed without system administrator intervention, making it easier to meet system operations requirements continuously, without interruptions. Refer to the Celerra Network Server Best Practices for Performance (5.5) paper for more details.

Recommendation #8
Use NTFS permissions to secure folders on the Celerra file systems that enVision is using. Apply the same approach used to secure other sensitive folders. Using NTFS permissions, restrict access to the share to only the users that need access. enVision uses two user accounts to access the Celerra file systems: NIC_System and master. Allow Full Control to the NIC_System and master user accounts. By reducing the number of users allowed to interact with the Celerra folders, enVision files can be secured. Refer to the Using Windows Administrative Tools with Celerra technical module for more details.

Recommendation #9
Create a separate Celerra file system for each enVision Collector. Up to three Collectors can be utilized per site. A daily potential of 122,880 files can be written to the Celerra by each Collector, resulting in a total of 368,640 files per day. Having a separate file system in Celerra for each Collector will keep the number of files in each file system manageable.

Recommendation #10
Consider using Celerra NDMP Volume Backup, also known as Volume Based Backup (VBB), for the Celerra file systems used by enVision. Celerra NDMP Volume Backup (VBB) is a backup feature that improves upon file-level backup procedures. VBB is a volume-level replication, so it does not track individual files that have changed. Instead, VBB processes file system metadata first, and then transfers used blocks at the volume level rather than from individual files. VBB replicates only the blocks of data that have changed since the last replication, which significantly reduces the amount of data to be transferred. NIEs create a large number of files every day.
SIEM environments will benefit from this feature, as VBB allows for faster NDMP backups. Refer to EMC 5.5 NDMP Features for more details.
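The sizing formula of Recommendation #3 and the per-Collector file counts of Recommendation #9, carried through in code so that a planner can vary the inputs. This is an added example, not code from the white paper, EMC, or Network Intelligence; the function names, the 30-day month, the even spread of retention data across Collector file systems, and the RAID-5 gross-up helper (which goes beyond the paper, whose estimate deliberately excludes parity and hot spares) are this example's own assumptions:

```python
"""Storage sizing for enVision event data on Celerra (Recommendations #3 and #9).

Added example; not code from the white paper, EMC or Network Intelligence.
It applies the paper's sizing formula and constants and its per-Collector
daily file count. The RAID-5 gross-up helper goes beyond the paper, which
explicitly excludes parity and hot spares from its usable-space estimate.
"""
from dataclasses import dataclass

GIB = 1024 ** 3
SECONDS_PER_DAY = 60 * 60 * 24
DE_FACTOR = 0.29                   # data explosion factor, fixed by the paper
MAX_EPS_PER_LS_SITE = 30_000       # up to 30,000 events/sec per LS site
MIN_EVENT_BYTES, MAX_EVENT_BYTES = 160, 2000
MAX_COLLECTORS_PER_SITE = 3
FILES_PER_COLLECTOR_PER_DAY = 122_880


@dataclass
class SizingEstimate:
    bytes_per_sec: float
    gb_per_day: float
    gb_per_month: float            # 30-day month, as in the paper's example
    gb_per_year: float             # 365-day year
    gb_for_retention: float        # usable GB to hold the requested retention period
    files_per_day: int             # across all Collectors at the site
    gb_per_collector_fs: float     # retention GB per Collector file system (assumed even spread)


def estimate_storage(events_per_sec, avg_event_bytes=250, duty_factor=0.50,
                     hours_per_day=9, collectors=3, retention_days=365):
    """Usable-space estimate per the paper's formula (no parity or hot-spare overhead)."""
    if not 0 < events_per_sec <= MAX_EPS_PER_LS_SITE:
        raise ValueError(f"events_per_sec must be 1..{MAX_EPS_PER_LS_SITE} per LS site")
    if not MIN_EVENT_BYTES <= avg_event_bytes <= MAX_EVENT_BYTES:
        raise ValueError(f"event size must be {MIN_EVENT_BYTES}..{MAX_EVENT_BYTES} bytes")
    if not 0 < duty_factor <= 1 or not 0 < hours_per_day <= 24:
        raise ValueError("duty factor must be in (0, 1] and hours in (0, 24]")
    if not 1 <= collectors <= MAX_COLLECTORS_PER_SITE:
        raise ValueError(f"a site supports 1..{MAX_COLLECTORS_PER_SITE} Collectors")

    # Events/sec x event size x duty factor x hours-per-day fraction x DE factor = bytes/sec
    bytes_per_sec = (events_per_sec * avg_event_bytes * duty_factor
                     * (hours_per_day / 24) * DE_FACTOR)
    gb_per_day = bytes_per_sec * SECONDS_PER_DAY / GIB
    retention_gb = gb_per_day * retention_days
    return SizingEstimate(
        bytes_per_sec=bytes_per_sec,
        gb_per_day=gb_per_day,
        gb_per_month=gb_per_day * 30,
        gb_per_year=gb_per_day * 365,
        gb_for_retention=retention_gb,
        files_per_day=collectors * FILES_PER_COLLECTOR_PER_DAY,
        gb_per_collector_fs=retention_gb / collectors,
    )


def raw_gb_for_raid5(usable_gb, disks_per_group):
    """Gross up usable space for RAID-5 parity: one disk's capacity per group is parity."""
    if disks_per_group < 3:
        raise ValueError("RAID-5 needs at least three disks per group")
    return usable_gb * disks_per_group / (disks_per_group - 1)


if __name__ == "__main__":
    est = estimate_storage(10_000)          # the paper's worked example
    print(f"{est.gb_per_day:.1f} GB/day, {est.gb_per_month:.2f} GB/month, "
          f"{est.gb_per_year:.1f} GB/year, {est.files_per_day} files/day")
    print(f"raw for one year on 4+1 RAID-5: {raw_gb_for_raid5(est.gb_per_year, 5):.0f} GB")
```

With the paper's inputs (10,000 events/sec, 250 bytes, 0.50 duty factor, 9 hours) the function reproduces 10.9 GB/day, 328.15 GB/month and 3992.5 GB/year, and three Collectors give the 368,640 files/day of Recommendation #9; the input checks enforce the limits the paper states (30,000 EPS per LS site, 160 to 2000 byte events, at most three Collectors) so that an out-of-range plan fails loudly instead of producing an undersized estimate.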

Recommendation #11
Consider using CWORM file-level retention on the Celerra file systems. Celerra File-Level Retention Capability (also known as CWORM) allows you to archive data to Write-Once Read-Many (WORM) storage on standard rewriteable magnetic disks. You can write data to a CIFS or NFS file system only once to create a permanent, non-editable set of records that cannot be altered, corrupted, or deleted. SIEM data cannot be lost or removed when CWORM is used. This protection will help with compliance of security information management.

In a CWORM environment, administrators can use WORM protection on a per-file basis. Files can be stored with specified retention periods, which, until expiration, prohibit the files from being deleted. Only an administrator has the ability to delete the CWORM file system. A file in a CWORM file system is in one of three possible states: CLEAN, WORM, or EXPIRED. The administrator manages files in the WORM state by setting retention periods, which, until expiration, prevent the files from being deleted. WORM files can be grouped by directory or batch process, enabling the administrator to manage the file archives on a file system basis, or to run a script to locate and delete files in the EXPIRED state. The administrator has the ability to delete a CWORM file system, but cannot delete or modify files in the WORM state. The path to a file in the WORM state is also protected from modification, which means that a directory on a CWORM file system cannot be renamed or deleted unless it is empty.

A Celerra File-Level Retention Capability enabled file system:
Safeguards data while ensuring its integrity and accessibility.
Simplifies the task of archiving data for administrators and applications.
Improves storage management flexibility and application performance.

Refer to the Using Celerra WORM technical module for more details.
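A small model of the CLEAN, WORM and EXPIRED lifecycle described above, including the administrator's sweep script that deletes only EXPIRED files and a deletion attempt that is refused while a file is in the WORM state. This is an added example, not Celerra's implementation and not code from the paper; it assumes a marking convention the page does not describe (the retention expiry recorded as the file's access time, and the write permission bits cleared to commit the file), and it runs against a constructed temporary directory rather than a Celerra share:

```python
"""Model of CWORM file states (CLEAN, WORM, EXPIRED) and an expired-file sweep.

Added example; this is not Celerra's implementation and not code from the paper.
Assumed marking convention (not described on the page): a file is committed to
WORM by recording its retention expiry in the file's access time (atime) and
then clearing its write permission bits; any writable file is CLEAN.
"""
import os
import stat
import tempfile
import time
from enum import Enum
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


class State(Enum):
    CLEAN = "CLEAN"      # writable, not under retention
    WORM = "WORM"        # read-only, retention period has not expired
    EXPIRED = "EXPIRED"  # read-only, retention period has passed


def classify(path: Path, now: float) -> State:
    """Derive the retention state of a file from its mode bits and atime."""
    st = path.stat()
    if st.st_mode & WRITE_BITS:
        return State.CLEAN
    return State.WORM if st.st_atime > now else State.EXPIRED


def commit_worm(path: Path, retention_seconds: float, now: float) -> float:
    """CLEAN -> WORM: store the expiry as atime, then drop the write bits."""
    if classify(path, now) is not State.CLEAN:
        raise PermissionError(f"{path.name}: already committed, retention cannot be reset")
    expiry = now + retention_seconds
    st = path.stat()
    os.utime(path, (expiry, st.st_mtime))          # atime = expiry, mtime untouched
    os.chmod(path, st.st_mode & ~WRITE_BITS)
    return expiry


def delete_file(path: Path, now: float) -> State:
    """Delete a CLEAN or EXPIRED file; refuse while the file is in WORM state."""
    state = classify(path, now)
    if state is State.WORM:
        raise PermissionError(f"{path.name}: under retention until {time.ctime(path.stat().st_atime)}")
    path.unlink()   # POSIX: unlink needs write access to the directory, not the file
    return state


def sweep_expired(root: Path, now: float) -> list:
    """The administrator's cleanup script: locate and delete EXPIRED files only."""
    deleted = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and classify(p, now) is State.EXPIRED:
            p.unlink()
            deleted.append(p.name)
    return deleted


def demo() -> dict:
    """Build a constructed archive in a temporary directory and exercise the rules."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        now = time.time()
        clean = root / "inbox.log"
        kept = root / "events-2006-10.log"
        old = root / "events-2005-10.log"
        for p in (clean, kept, old):
            p.write_text("constructed event data\n")
        commit_worm(kept, 30 * 86400, now)                 # retained 30 days from now
        commit_worm(old, 365 * 86400, now - 400 * 86400)   # one-year retention, expired 35 days ago
        before = {p.name: classify(p, now).value for p in sorted(root.iterdir())}
        try:
            delete_file(kept, now)
            refused = False
        except PermissionError:
            refused = True
        deleted = sweep_expired(root, now)
        after = {p.name: classify(p, now).value for p in sorted(root.iterdir())}
        return {"before": before, "worm_delete_refused": refused,
                "deleted": deleted, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run as a script to print the before and after states. On a real CWORM file system the Data Mover enforces these rules itself, whatever a client does; the model is useful for reasoning about which enVision files a retention sweep may remove and for rehearsing the EXPIRED-file script before pointing it at production data.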
Conclusion

The Celerra Network Server enhances the Network Intelligence environment, safeguarding its file systems and enabling enVision Data Servers to quickly respond to requests. Security officers must be able to run reports or mine event data quickly to interpret activities in their network and respond to possible threats. Celerra offers enVision a scalable storage platform that can expand over time and comply with data retention regulations. Security event information must be stored for the duration of its data retention period. Organizations that do not address data retention requirements face significant fines and penalties that can cripple a business or even put an organization out of business.

References

www.network-intelligence.com
Configuring and Managing Celerra Network High Availability, available at Powerlink.EMC.com
Using Windows Administrative Tools with Celerra, available at Powerlink.EMC.com
Managing Celerra Volumes and File Systems with Automatic Volume Management technical module, available at Powerlink.EMC.com
Using Celerra WORM technical module, available at Powerlink.EMC.com
Configuring Standbys on Celerra technical module, available at Powerlink.EMC.com
EMC 5.5 NDMP Features, available at Powerlink.EMC.com
Celerra Network Server Best Practices for Performance (5.5), available on NSPEED[2]

[2] Available to NSPEED gurus. For a list of NSPEED gurus, go to http://esgfarm.eng.emc.com/speed