RSA enVISION Basic introduction of 'OVERVIEW'

RSA enVision

RSA enVision is a security information and event management (SIEM) application. It can gather log event data from a variety of event sources within an enterprise system and consolidate it into one logical location. This data can then be viewed, tracked, analyzed, reported on and securely stored.

RSA enVision transforms the raw, unrelated security and network events into meaningful intelligence that:

  • Reduces demand on IT staff
  • Increases security personnel effectiveness
  • Provides ongoing support for compliance regulations.

RSA enVision's Internet Protocol Database (IPDB) provides the architecture to automatically collect and protect data from network devices and event sources, without filtering or agents. It independently monitors network and security events to generate alerts for possible security and compliance breaches, and to analyze and report on network performance.

RSA enVision Components & Sites

RSA enVision Components

RSA enVision is made up of three components:

  • Application - Supports interactive users and runs the suite of analysis tools.
  • Collector - Captures incoming events.
  • Database - Manages access and retrieval of captured events.

Site

RSA enVision is deployed on a site basis.

You set up your site during the enVision installation, using the enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

The number of appliances in an enVision site is determined by the enVision appliance series you purchased:

  • Single appliance site. These appliances are designed to operate in a stand-alone, non-distributed mode. They have all three enVision components (Database, Application, and Collector) installed on one appliance.
  • Multiple appliance site. These appliances are designed for distributed installations, with each enVision component (Database, Application, and Collector) on its own appliance type.

Each site has a unique site name. enVision appends the series name to the site name to indicate the type of appliance. Each appliance in the site is referred to as a node.

A NIC Windows domain is established when you configure your enVision site. The naming convention is sitename.nic.

You set up permissions for which sites a user can access on the Manage Site Login Permissions window.

Site Name

You set up your site and name it during the RSA enVision installation, using the enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

A valid site name is a string of 2-11 alphanumeric characters. Selecting the site name is extremely important: once you name the site, you cannot change the name.

The site name is used in the following names:

  • Node name for each of your appliances. See Node Name.
  • NIC Windows domain name created for your site. The site name also becomes the name of the Windows domain created for your site, sitename.nic. For example, if your site name is Boston, the Windows domain for the site is Boston.nic.

Important! The site name must be unique: it cannot be the same as any other enVision site name, nor can it be the same as any existing Windows domain name or the NetBIOS name of a Windows domain. (The NetBIOS name of a Windows domain is the part of the name preceding the first dot.) For example, if your Windows domain name is MyDomainName.com, the NetBIOS name for this Windows domain is MyDomainName; it would then be wrong to install an enVision site with the name MyDomainName.

Node Name

Each appliance in a site is referred to as a node. The site name becomes part of the node name.

  • For single appliance sites the appliance name is sitename-appliancetype, where sitename is the site name and appliancetype is the appliance type. For example, if your site name is Seattle, the ES appliance name is Seattle-ES.
  • For multiple appliance sites:
    • For the Database server (D-SRV), the appliance name is sitename-DS1. For example, if your site name is Boston, the D-SRV name is Boston-DS1.
    • For the Application servers (A-SRV), the appliance name is sitename-ASx (where x indicates which A-SRV it is; values are from 1 to 3). For example, if you have 3 A-SRVs in your site, and your site name is Boston, the A-SRV names are Boston-AS1, Boston-AS2, and Boston-AS3.
    • For the Local Collectors (LC), the appliance name is sitename-LCx (where x indicates which LC it is; values are from 1 to 3). For example, if you have 2 LCs in your site, and your site name is Boston, the LC names are Boston-LC1 and Boston-LC2.
    • For Remote Collectors (RC), the appliance name is sitename-RC1. Each RC is considered a site, so the sitename for an RC is not the same name as its host site. For example, if you have 3 RCs associated with your Boston site, and the RCs' site names are Springfield, Worcester, and Framingham, the RC names are Springfield-RC1, Worcester-RC1, and Framingham-RC1.
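The site-name rules (length, character set, no collision with another enVision site or with a Windows domain or its NetBIOS name) and the node-naming convention above, as an added Python example. This is not code from the RSA enVision product; the function names, the rule messages and the sample inputs are constructed here to match the examples in the text.

```python
import re

# Site-name rule from the enVision docs: a 2-11 character alphanumeric string.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9]{2,11}$")

def netbios_name(domain):
    """NetBIOS name of a Windows domain: the label before the first dot."""
    return domain.split(".", 1)[0]

def validate_site_name(name, existing_sites=(), windows_domains=()):
    """Return the list of rule violations; an empty list means the name is usable.
    Comparisons are case-insensitive, as Windows domain and NetBIOS names are."""
    problems = []
    if not SITE_NAME_RE.match(name):
        problems.append("site name must be 2-11 alphanumeric characters")
    lower = name.lower()
    if lower in {s.lower() for s in existing_sites}:
        problems.append("site name is already used by another enVision site")
    for dom in windows_domains:
        # Both the full domain name and its NetBIOS name are reserved.
        if lower in (dom.lower(), netbios_name(dom).lower()):
            problems.append(f"site name collides with Windows domain {dom}")
    return problems

def single_site_node_name(site, appliance_type):
    """Single appliance site: sitename-appliancetype, e.g. Seattle-ES."""
    return f"{site}-{appliance_type}"

def multi_site_node_names(site, a_srvs=1, lcs=1, rc_sites=()):
    """Node names for a multiple appliance site: one D-SRV, 1-3 A-SRVs,
    1-3 LCs, and one RC1 node per Remote Collector. Each RC is its own
    site, so rc_sites holds the RCs' own site names, not the host site."""
    if not (1 <= a_srvs <= 3 and 1 <= lcs <= 3):
        raise ValueError("a site has up to three A-SRVs and up to three LCs")
    if len(rc_sites) > 16:
        raise ValueError("a multiple appliance site supports at most 16 RCs")
    names = [f"{site}-DS1"]
    names += [f"{site}-AS{i}" for i in range(1, a_srvs + 1)]
    names += [f"{site}-LC{i}" for i in range(1, lcs + 1)]
    names += [f"{rc}-RC1" for rc in rc_sites]
    return names

if __name__ == "__main__":
    # Constructed sample values, mirroring the examples given in the text.
    print(validate_site_name("MyDomainName", windows_domains=["MyDomainName.com"]))
    print(multi_site_node_names("Boston", 3, 2, ["Springfield", "Worcester", "Framingham"]))
```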

Single Appliance Site

The RSA enVision single appliance series is designed to operate in a stand-alone, non-distributed mode. These appliances have all three enVision components (Database, Application, and Collector) installed on one appliance. The single appliance is considered a site.

Multiple Site Deployment

The appliance types used in a multiple appliance site are as follows.

  • Database server (appliance type D-SRV). Manages access and retrieval of captured events. Each site has one.
  • Application server (appliance types A-SRV1, A-SRV2, A-SRV3). Supports interactive users and runs the suite of analysis tools. Each site has up to three. You may want multiple A-SRVs so that you can separate the alerting processes from the reporting processes.
  • Collector (Local Collector; appliance types LC1, LC2, LC3). Captures incoming events locally. Each site has up to three, and at least one LC.

Remote Collectors (RCs) capture incoming events remotely and forward data to their master site. Each master site can have up to 16 server appliances as slave sites. Remote collectors have store-and-forward technology that allows user-selectable critical events to be processed in real-time, while non-critical events are compressed, encrypted, and locally cached until they can be forwarded to the enVision site (by the NIC Forwarder Service) for historical analysis as available WAN bandwidth allows. (The Administrator sets up the remote collector Forwarder parameters in the Modify Collector Service window in enVision.)

Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.

The following diagram illustrates one possible configuration of a multiple appliance site.

Remote Collector

The remote collector server (RC) captures incoming events remotely. Each RC is considered a remote site. Each remote site is associated with a multiple appliance site. You can have up to 16 RCs per multiple appliance site.

You set up the RC remote site during installation, using the enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

In this example, sites 2 and 3 are remote sites associated with Site 1.


RCs have store-and-forward technology. On the RC site, enVision processes alerts in real-time.

RSA enVision compresses and encrypts all other events and caches them locally until it can forward them to the master enVision site (by the NIC Forwarder Service) for historical analysis. This is called data forwarding.

Data Forwarding

The NIC Forwarder Service on the RC allows you to collect your data on the RC and then forward the data to the associated enVision site.

Forwarder Parameters

You set up the parameters for the RC Forwarder on the Modify Collector Service window.

Forwarder Scheduling

You must schedule the data forwarding task on the Schedule Task window. By default, the data forwarding task runs every 4 hours. You can specify when the data forwarding task is performed and how often.

NIC Domain

A group of multiple appliance sites is referred to as a NIC Domain. You can deploy up to ten D-SRVs in a NIC domain.

The NIC domain is set up in a specific configuration with one site acting as the NIC domain master site. Data flow and configuration information are based on your NIC domain configuration.

You set up the NIC domain during installation, using the RSA enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

The following diagram illustrates the possible configuration of a NIC domain.


Master/Slave Relationship

The following diagram illustrates a basic enVision multiple site setup with a master and a slave. In a configuration with more than one site, the master is always Site 1 in the hierarchy.


In a multiple site NIC domain, Site 1 is the NIC domain master site. You can only have one NIC domain master site and it is always Site 1. The sites connected to Site 1 are slaves to Site 1.

A slave site can also be a master site in a multiple site deployment.

In the following example, the NIC domain consists of seven sites:

  • Site 1 is the NIC domain master site.
  • Sites 2 and 5 are slaves to site 1; site 1 is the master site for sites 2 and 5, in addition to being the NIC domain master site.
  • Sites 3 and 4 are slaves to site 2; site 2 is the master site for sites 3 and 4.
  • Sites 6 and 7 are slaves to site 5; site 5 is the master site for sites 6 and 7.

In enVision, the Overview > System Configuration > Services > Set Up Site Communications window lists the site names and the names of their corresponding master sites. If a multiple site deployment is set up as shown in the example illustration above, the master/slave relationship of the sites in this NIC domain is as follows:

  Site Name   Master Site
  Site 1      None
  Site 2      Site 1
  Site 3      Site 2
  Site 4      Site 2
  Site 5      Site 1
  Site 6      Site 5
  Site 7      Site 5

Site Access in the NIC Domain

Note: This topic is for multiple appliance sites only.

You can access and maintain data globally across all sites in the NIC Domain.

The exceptions are these site-specific items, which only have meaning on the site where they were configured:

  • Directories.
  • Module/tool settings that you set for:
    • System Performance tool - display options.
    • Query tool - process options and storage directory for saved queries.
    • Reports module - storage directory and format for saved report results.
    • Dashboard - item settings. (Note: Permissions for the items are set globally.)
  • Custom reports that you added.
  • Scheduled reports (can only be scheduled to run on the site where they were configured).
  • Custom queries that you added.

-Regards,

Blackhattrick blog

(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)

Reviewed by BlackHat on 9:46 PM
