Utilizing Novell Sentinel Advisor and Attack Vulnerability

Tom Burt
GTS-Backline Engineer, Novell
tburt@novell.com
Presentation Goals

    •   Present the benefits of Advisor
    •   Explain Advisor and its related components
    •   Discuss installation and maintenance of Advisor
2   © Novell, Inc. All rights reserved.
Agenda

    •   Advisor Overview
    •   Exploit Detection Overview
    •   Background/History Advisor v3 vs. v4
    •   Installation and Maintenance
Advisor Overview
Terminology

    •   Advisor - The optional Novell add-on subscription that
        provides attack and remediation information
    •   Attack - An event that indicates malicious or rogue
        software and/or devices
    •   Vulnerability - An opening or weakness in a network that
        allows the potential for an attack
    •   Vulnerability scanners - The process of detecting the
        strength of protection on a network
    •   IPS/IDS collectors - Sentinel device collectors that
        gather data from IDS devices
    •   Vulnerability collectors - Sentinel device collectors that
        gather data from vulnerability scanners
Collector links

    •   IPS, IDS and Vulnerability scan collectors are available
        at the following URL:
        http://support.novell.com/products/sentinel/secure/sentinel61.html
Overview

    •   Powered by Security Nexus
    •   Acts as an early warning service to identify attacks and
        vulnerabilities
         –   Provides normalized attack and remediation information
    •   Optional add-on subscription service
         –   The initial download feed is free, but additional downloads require a
             license
              >   Entitlement is linked to your Customer authentication credentials
Overview

    •   Early warning service
         –   Normalization of attack data
         –   Correlation on real time data
         –   Incident Tracking
    •   Updates
         –   Updated on a regular configurable basis
         –   Advisor feeds/Downloads
              >   CVEs
              >   Bugtraq
              >   IDS
              >   ISS
              >   etc.
Exploit Detection Overview
Exploit detection

     •   Exploit detection: Enables you to quickly identify and/or
         send out notifications in the event an attack is
         attempting to exploit a vulnerability in your system
Requirements

     •   Requires that both the Vulnerability scanner and the IDS
         system report vulnerabilities and attacks against
         the same systems.
     •   In Sentinel, systems are identified by IP Address and
         MSSP Customer Name
     •   The Vulnerability and IDS system must be supported by
         the Advisor service
     •   The reported attacks and vulnerabilities must be known
         to the Advisor service and Exploit Detection
          –   Most Novell collectors support the Attack and exploit detection
              data
Requirements cont....

     •   The Vulnerability and IDS collectors must populate all 4
         of these fields
          –   DeviceName (RV31)
          –   DIP (Destination or TargetIP)
          –   DeviceAttackName (RT1)
          –   MSSP Customer Name (RV39)
               >   Managed Security Service Provider

     •   All Novell-shipped collectors populate these values by
         default
Exploit Detection

     •   When running supported IDS and Vulnerability
         collectors, events from the devices are scanned for
         potential attacks and vulnerabilities
          –   The mapping service maps the Product Name and MSSP
              Customer Name to the Advisor name and MSSP Customer
              Name
          –   If the events match successfully, the exploit information is
              updated in the exploitdetection.csv file
               >   $ESEC_HOME/data/map_data/exploitdetection.csv
                     »   IP, Device & Attack names, MSSP Customer name

          –   The mapping service populates the vulnerability event field
               >   Used to evaluate whether the incoming event exploits a vulnerability
                     »   If the value is 1, the destination device IS exploited
                     »   If the value is 0, the destination device is NOT exploited
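The matching described on this slide, as an added worked example (not Sentinel's own code): a constructed stand-in for exploitdetection.csv is loaded, each incoming IDS event is mapped through the four required fields (DeviceName, DIP, DeviceAttackName, MSSP Customer Name), and the Vulnerability flag is set to 1 only when IP, Advisor device name, attack name and MSSP customer all match. The CSV header, the product-name normalisation table and all device, attack and customer names are assumptions made up for the example.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed stand-in for $ESEC_HOME/data/map_data/exploitdetection.csv.
# The slides describe its contents as IP, device and attack names, and MSSP
# customer name; this header row and column order are assumed for the example.
EXPLOIT_MAP_CSV = """ip,device_name,attack_name,mssp_customer
10.0.0.5,SampleIDS,SAMPLE-HTTP-OVERFLOW,ACME
10.0.0.5,SampleIDS,SAMPLE-SMTP-RELAY,ACME
10.0.0.9,SampleIDS,SAMPLE-HTTP-OVERFLOW,ACME
10.0.0.5,SampleIDS,SAMPLE-HTTP-OVERFLOW,Globex
"""

# Assumed normalisation table: the slides say the mapping service maps the
# collector's product name to the Advisor device name. Names are made up.
PRODUCT_TO_ADVISOR_NAME: Dict[str, str] = {
    "Sample IDS Sensor 2.x": "SampleIDS",
    "SampleIDS": "SampleIDS",
}

# The four event fields the slides require the collectors to populate
# (RV31, DIP, RT1 and RV39 on the "Requirements cont." slide).
REQUIRED_FIELDS = ("DeviceName", "DIP", "DeviceAttackName", "MSSPCustomerName")

MapKey = Tuple[str, str, str, str]


def load_exploit_map(text: str) -> Set[MapKey]:
    """Parse the CSV into a set of (ip, advisor device name, attack, customer)."""
    keys: Set[MapKey] = set()
    for row in csv.DictReader(io.StringIO(text)):
        keys.add((row["ip"].strip(), row["device_name"].strip(),
                  row["attack_name"].strip(), row["mssp_customer"].strip()))
    return keys


def evaluate_event(event: Dict[str, str], exploit_map: Set[MapKey]) -> Dict[str, object]:
    """Return the Vulnerability flag (1 = target IS exploited, 0 = NOT) plus a reason.

    A system is identified by IP *and* MSSP customer name, so the same IP under
    another customer is a different system and does not match.
    """
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if missing:
        # Without all four fields the event cannot be mapped at all.
        return {"Vulnerability": 0, "reason": "unmapped: missing " + ", ".join(missing)}
    advisor_name = PRODUCT_TO_ADVISOR_NAME.get(event["DeviceName"])
    if advisor_name is None:
        return {"Vulnerability": 0, "reason": "unmapped: unsupported device " + event["DeviceName"]}
    key = (event["DIP"], advisor_name, event["DeviceAttackName"], event["MSSPCustomerName"])
    if key in exploit_map:
        return {"Vulnerability": 1, "reason": "attack matches a known vulnerability on target"}
    return {"Vulnerability": 0, "reason": "no matching vulnerability on target"}


# Constructed IDS events covering each outcome the slides describe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "Sample IDS Sensor 2.x", "DIP": "10.0.0.5",
     "DeviceAttackName": "SAMPLE-HTTP-OVERFLOW", "MSSPCustomerName": "ACME"},    # exploited
    {"DeviceName": "Sample IDS Sensor 2.x", "DIP": "10.0.0.9",
     "DeviceAttackName": "SAMPLE-SMTP-RELAY", "MSSPCustomerName": "ACME"},       # not vulnerable
    {"DeviceName": "Sample IDS Sensor 2.x", "DIP": "10.0.0.5",
     "DeviceAttackName": "SAMPLE-SMTP-RELAY", "MSSPCustomerName": "Globex"},     # same IP, other customer
    {"DeviceName": "Unknown Sensor", "DIP": "10.0.0.5",
     "DeviceAttackName": "SAMPLE-HTTP-OVERFLOW", "MSSPCustomerName": "ACME"},    # unsupported device
    {"DeviceName": "Sample IDS Sensor 2.x", "DIP": "10.0.0.5",
     "DeviceAttackName": "SAMPLE-HTTP-OVERFLOW", "MSSPCustomerName": ""},        # RV39 not populated
    {"DeviceName": "Sample IDS Sensor 2.x", "DIP": "10.0.0.5",
     "DeviceAttackName": "SAMPLE-HTTP-OVERFLOW", "MSSPCustomerName": "Globex"},  # exploited (Globex)
]


def flags_for_samples() -> List[int]:
    """Vulnerability flag for each sample event, in order."""
    exploit_map = load_exploit_map(EXPLOIT_MAP_CSV)
    return [int(evaluate_event(e, exploit_map)["Vulnerability"]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    exploit_map = load_exploit_map(EXPLOIT_MAP_CSV)
    for e in SAMPLE_EVENTS:
        print(e["DIP"], e["MSSPCustomerName"] or "<empty>", e["DeviceAttackName"],
              evaluate_event(e, exploit_map))
```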
Brief History
History

 Advisor v3                                 Advisor v4
 -----------------------------------------  -----------------------------------------
 XML files                                  CSV
 Database space: GB                         Database space: MB
 Disk space: GB                             Disk space: MB
 Feed process time: hours                   Feed process time: minutes
 Failed feed recovery: hours                Failed feed recovery: minutes
 Failed process required database cleanup   MD5sum
 Configured at install only                 Can be configured at any time
 Log files for failure                      Internal events
History

     •   Supported Systems
          –   IDS
          –   IPS
          –   Vulnerability
Installation/Maintenance
Installation

     •   Requirements
          –   The Advisor service and Exploit Detection rely on mappings
              between attacks on assets and vulnerabilities of devices. As
              such it requires the following data to work with Advisor
               >   Vulnerability scan data
                     »   Sentinel supports multiple Vulnerability scanners
               >   Advisor map data
                     »   Contains data about known threats, attacks, and vulnerabilities
                     »   Service gathers information from multiple vulnerability and IDS vendors
                     »   Creates mappings from abstract Vuln and attack data
                     »   Security Nexus provides the advisor feed data
               >   Real Time attack data
                     »   The real time attacks that are detected as events are loaded into the Sentinel
                         database from IDS collectors
Installation

     •   Installation media
          –   SP2 Full installer
          –   SP2 Patch installer
     •   Initial load data
          –   Advisor v4 feed files are included with Novell Sentinel
               >   $ESEC_HOME/data/updates/advisor
          –   After the initial load, updates are performed on a scheduled basis
               >   An Advisor license/subscription is required for updates
               >   Feed location:
                   https://secure-www.novell.com/sentinel/download/advisor/feed/
Usage/Maintenance

     •   Advisor User Interface
     •   Novell Sentinel Control Center
          –   Must have Advisor Interface permissions
          –   Advisor Tab
               >   Status information
          –   Admin Tab
               >   Manual processing of files in the specified location
               >   Download Manager
                     »   Initialize download
                     »   Edit configuration preferences
               >   Preview Threat Map
Usage/Maintenance
(slides 21-23: no text content)
Maintenance

     •   Advisor data feed source is updated on a regular basis
          –   Updating your database with current data feeds
               >   Automatic scheduling of updates
               >   Manual update

     •   Scripts
          –   Novell Sentinel 6.1 SP2 & RD
               >   $ESEC_HOME/bin/advisor.sh

     •   Configuration
          –   advisor_client.xml
Maintenance

     •   Logging
          –   As of v4, all logging is done to the das_query logs
          –   Configuration for additional logging should be made in
              das_query_log.prop in the $ESEC_HOME/config directory
          –   Logs the status of downloads and the check for feed notifications
     •   Example:
         Fri Mar 05 05:05:21 MST 2010|INFO|Thread-148570|esecurity.ccs.comp.downloadfeed.Downloader.download Downloaded file: advnxsfeed.51.zip.md5 to local directory /opt/novell/sentinel6/data/updates/advisor
Manual update

     •   A manual download of the Advisor feeds can be done
         as needed
          –   Log in to the Novell Advisor feed download site using the
              eLogin username and password associated with the
              Advisor license
          –   Download any Advisor feed files you need, making sure to
              include both the .zip and .md5 files
          –   Copy the files to the directory on the Sentinel server that you
              specified in the configuration
               >   Default location is $ESEC_HOME/data/updates/advisor
          –   In the Admin Tab → Advisor → Process Now
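A check worth running before the "Copy the files" step above, as an added example (not part of the slides or the product): verify each downloaded .zip against its .md5 sidecar and report archives whose sidecar is missing or does not match, so only verified feeds are copied to $ESEC_HOME/data/updates/advisor. The sidecar name pattern (advnxsfeed.51.zip.md5) comes from the log example on the slides; the sidecar's internal layout is not shown there, so the code accepts both a bare digest and the md5sum "digest  filename" layout (an assumption), and the staging directory and feed contents are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumption: the .md5 sidecar holds either a bare 32-hex-digit digest or the
# md5sum "digest  filename" layout; the slides do not show its exact format.
HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def md5_of_file(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so large feed archives are fine."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_md5(md5_path: Path) -> str:
    """Extract the 32-hex-digit digest from a .md5 sidecar file."""
    match = HEX32.search(md5_path.read_text(encoding="ascii", errors="replace"))
    if match is None:
        raise ValueError(f"{md5_path.name}: no MD5 digest found")
    return match.group(0).lower()


def check_feed_dir(feed_dir: Path) -> List[Tuple[str, str]]:
    """Status of every feed .zip in feed_dir: 'ok', 'md5 missing' or 'md5 mismatch'.

    Each archive is expected beside a sidecar named <archive>.zip.md5, as in
    advnxsfeed.51.zip.md5 from the slides' log example.
    """
    results: List[Tuple[str, str]] = []
    for zip_path in sorted(feed_dir.glob("*.zip")):
        md5_path = zip_path.with_name(zip_path.name + ".md5")
        if not md5_path.is_file():
            results.append((zip_path.name, "md5 missing"))
            continue
        status = "ok" if md5_of_file(zip_path) == expected_md5(md5_path) else "md5 mismatch"
        results.append((zip_path.name, status))
    return results


def only_verified(feed_dir: Path) -> List[str]:
    """Names of the archives that passed and are safe to copy to the Advisor update directory."""
    return [name for name, status in check_feed_dir(feed_dir) if status == "ok"]


def build_sample_feed_dir() -> Path:
    """Constructed staging directory: a good feed, a corrupted one, and one with no .md5."""
    d = Path(tempfile.mkdtemp(prefix="advisor-feed-"))
    good = d / "advnxsfeed.51.zip"            # file name taken from the slides' log example
    good.write_bytes(b"constructed feed payload 51")
    (d / "advnxsfeed.51.zip.md5").write_text(md5_of_file(good) + "  advnxsfeed.51.zip\n")
    bad = d / "advnxsfeed.52.zip"             # constructed: contents do not match the digest
    bad.write_bytes(b"constructed feed payload 52")
    (d / "advnxsfeed.52.zip.md5").write_text("0" * 32 + "\n")
    (d / "advnxsfeed.53.zip").write_bytes(b"constructed feed payload 53")  # no sidecar at all
    return d


if __name__ == "__main__":
    staging = build_sample_feed_dir()
    for name, status in check_feed_dir(staging):
        print(f"{name}: {status}")
    print("verified:", only_verified(staging))
```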
Manual Update
(slides 27-28: no text content)

Automatic Update
(slide 29: no text content)
Maintenance

     •   Advisor notifications
          –   Errors
               >   Errors in downloading feeds or data loading
          –   Success/failure on updates
               >   Success or failure messages on advisor feed updates
          –   Notifications
               >   Correlation rules
                     »   Actions such as send email
Maintenance

     •   Exploit Detection Data Generation
          –   By default scheduled to run every 30 minutes
               >   Configurable in $ESEC_HOME/config/das_query.xml
               >   Object component: <obj-component id="ExploitDetectDataGenerator">
               >   Property: <property name="minRegenerateInterval">1800000</property>
                     »   The value is in milliseconds (1800000 ms = 30 minutes)

     •   Scheduled Updates
          –   Direct Download
               >   6 hour, 12 hour, Daily, Weekly, Monthly
                     »   The download time is based on the time of the first successful download
                          ~   With the 6-hour setting, a success at 10:30 am schedules the next download for 4:30 pm
Usage

     •   View Advisor data in SCC, the Sentinel Control Center
          –   Right-click an event → Analyze → Advisor data
          –   Only available after the initial data load
          –   Analyze is only available if the event data is from a supported IDS
              device
          –   Regular updates are necessary to ensure the accuracy of the data
Demonstration
Demonstration

     •   Demonstration details
          –   Advisor download
          –   Advisor Processing
          –   Vulnerability scanning with test data
          –   Basic IDS Collector with Sample data
          –   Exploit detection
          –   Analyze Data
Q&A
Utilizing Novell Sentinel Advisor and Attack Vulnerability
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.


General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.
