ArcSight User Discussions

Secure transfer between two connectors

SOLVED
Miroslav Marcisin, Frequent Contributor


Hi,

I'm now solving one challenge. I have two sites connected via the internet. There is a SmartConnector on both sides, and I need to make the data transfer as secure as possible.

I found that there is Secure CEF syslog via UDP, but, if I'm right, there is no way to find out when internet connectivity is down and cache on the SmartConnector.

Is there any way to make this secure transfer (Secured CEF looks good) but, for example, via a TCP port, or some proprietary transfer protocol between two SmartConnectors?

Thanks for hints

1 ACCEPTED SOLUTION

Micro Focus Expert

Re: Secure transfer between two connectors

Good afternoon Miroslav and thank you for posting your query.

Our SmartConnector framework is quite versatile and understanding all its available capabilities and possible deployment models can be daunting.

From your description, I understand that:

a) You have a SmartConnector 'close' to the event source, responsible for parsing/normalisation.
b) There is a SmartConnector the other side of a public WAN connection, 'close' to the final ESM (or Logger?) destination.
c) You wish to route events securely and with the benefit of a stateful connection (TCP) across the public WAN between the two connectors.

If the above is incorrect, please let me know, but for the remainder of this post, I shall assume the above.

Let's refer to the connector close to the event-source as 'tier-1' and the other, close to the destination ESM/Logger as 'tier-2'.

This scenario - typically referred to as a 'tiered-connector deployment' - is not uncommon and the connector framework supports this topology with the following components:

1. Tier-1 connector, dependent upon the source device(s) - e.g. MS Windows Native Connector for AD logs etc. This connector remains responsible for event acquisition, parsing, normalisation and enrichment (e.g. DNS lookups, etc).
The Destination of this connector is configured as 'CEF Syslog over TLS' and directed at the Tier-2 connector instance, with the 'Forwarder' property set to 'true'. The CEF Syslog over TLS destination is inherently TCP/stateful.

2. Tier-2 connector is installed as the Syslog-NG SmartConnector and configured to receive events on a given inbound Port and with the IP Address configured for a specific local NIC or else to bind to ALL local NICs (the usual option).

You will find all the above information plus much more in both the generic SmartConnector Users Guide - applying to all connector frameworks - the specific Syslog-NG SmartConnector Configuration Guide as well as the specific config guide for the relevant Tier-1 connector(s).

I trust that proves helpful and wish you every success with this integration.

Regards,
Martyn Hill
Customer Success Manager
Micro Focus Security Products group

2 REPLIES

COEST, Community Manager

Re: Secure transfer between two connectors

Hello Miroslav!

Did Martyn's response answer your question? If so, it would be great if you could "accept this solution" as this will help other members when they have a similar question. Thank you!