Suncoast Security Society
Data Visualization
Network Visualization
What do you know
Security Visualizations
Creating a Visualization System
Future
The main goal of data visualization is to
communicate information clearly and effectively
through graphical means
Without visualization we rely on
Tables
Lists
Data sets
Email alerts
Log files
Been around since there has been data to view
Everyone is familiar with graphs
Bar, pie, line, etc.
Pretty mature area
Lots of applications in this area including
Insight by HP
SolarWinds
Big Brother
Custom scripts
Most of these programs rely on agents or SNMP
to gather their information for display
Not all of them display visually
There are few, if any, applications for Security
Visualization
Applications exist but they are
Too specific, covering one area, like IDS
Not visual, like syslog
Do not support enough different areas, i.e.
Routers, Switches, Firewalls, etc.
Where does this lead?
Misconfiguration
Failure to lock down systems
Fear to make changes to systems
Complacency
Exploitation
Why?
Most administrators don’t know their network
Here is what they know
Installation and configuration of operating systems
Basic knowledge of applications
Basic knowledge of networking
Basic knowledge of how to keep things working
The Point ‐ Basic, Basic, Basic knowledge
Intimate knowledge of operating systems,
applications, and networking including:
Default configuration
Protocol implementation
Hardening standards
Interaction with the network
Interaction with each other
How do you do it?
Let's look at what we can do now, and then at going
forward.
Firewall Log Visualization
Port / Application Visualization
Traffic Visualization
Intrusion Detection Visualization
Firewalls are just routers with a rule base
Most do not provide much visual information
Visual information is usually limited to
Configuration of rules
Visual logging
Current activity
Even though the system doesn't provide the
information, you can still get it
Using a log parser such as LogParser lets you
create graphs from the data
It uses SQL-like statements to parse the data
1;31Dec2008;23:47:27;172.24.66.31;log;accept;;eth1c0;inbound;VPN-1 & FireWall-1;;26;{E41F3FA2-3714-42E2-A4E0-02D2A79D7EBF};;domain-udp;172.24.66.211;205.171.2.65;udp;65.127.183.98;;0;0;domain-udp;62205;;28062;;;;;;;;;;;;;;;;;;;;;;;
logparser -i:TSV -iSeparator:; -fixedSep:ON "select top 20 service_id, count(*) as hits into Chart1.gif from 2009-01-01.txt group by service_id order by hits desc"
Every application uses ports and protocols to
communicate across the network
Many can be isolated to the well known ports
HTTP – Port 80
SMTP – Port 25
SQL Server – Port 1433
SMB – Port 445
NetBIOS – Port 139
Do you know which servers are using which ports
Do you know what your port distribution in the
network is
Do you know how your port distribution has
changed over time
Are these distributions normal
Do you understand why a port distribution would
increase or decrease over time
More/Less servers
More services per server
Application(s) leveraging extra ports
How were these graphs created
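The LogParser query on the firewall slide and the port-distribution questions above, as an added example that is not from the original slides: it computes the same "hits per service_id" count and then compares two days' port distributions, flagging ports whose share moved by more than a threshold or that appeared from nowhere. The column names, sample records and addresses are constructed for this example and are not a real Check Point export schema or real traffic.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed column names: they mimic the shape of the export on the slides
# (the real header row of a Check Point export is not reproduced here).
HEADER = ("num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;"
          "service_id;src;dst;proto;dport")


def make_record(num, date, time, service, src, dst, proto, dport):
    """Format one constructed log line in the same field order as HEADER."""
    return (f"{num};{date};{time};172.24.66.31;log;accept;;eth1c0;inbound;"
            f"VPN-1 & FireWall-1;{service};{src};{dst};{proto};{dport}")


# Two constructed days of traffic (not real data): on day 2, tcp/445 shows up.
DAY1 = "\n".join([
    make_record(1, "31Dec2008", "23:47:27", "domain-udp", "172.24.66.211", "205.171.2.65", "udp", 53),
    make_record(2, "31Dec2008", "23:47:31", "http", "172.24.66.212", "93.184.216.34", "tcp", 80),
    make_record(3, "31Dec2008", "23:48:02", "domain-udp", "172.24.66.211", "205.171.2.65", "udp", 53),
    make_record(4, "31Dec2008", "23:48:40", "smtp", "172.24.66.25", "198.51.100.9", "tcp", 25),
    make_record(5, "31Dec2008", "23:49:11", "http", "172.24.66.213", "93.184.216.34", "tcp", 80),
    make_record(6, "31Dec2008", "23:50:05", "domain-udp", "172.24.66.214", "205.171.2.65", "udp", 53),
])
DAY2 = "\n".join([
    make_record(1, "01Jan2009", "00:03:14", "http", "172.24.66.212", "93.184.216.34", "tcp", 80),
    make_record(2, "01Jan2009", "00:04:50", "domain-udp", "172.24.66.211", "205.171.2.65", "udp", 53),
    make_record(3, "01Jan2009", "00:05:02", "http", "172.24.66.213", "93.184.216.34", "tcp", 80),
    make_record(4, "01Jan2009", "00:05:09", "microsoft-ds", "172.24.66.240", "172.24.66.10", "tcp", 445),
    make_record(5, "01Jan2009", "00:05:10", "microsoft-ds", "172.24.66.240", "172.24.66.11", "tcp", 445),
    make_record(6, "01Jan2009", "00:05:11", "microsoft-ds", "172.24.66.240", "172.24.66.12", "tcp", 445),
    make_record(7, "01Jan2009", "00:06:30", "http", "172.24.66.212", "93.184.216.34", "tcp", 80),
    make_record(8, "01Jan2009", "00:07:45", "http", "172.24.66.215", "93.184.216.34", "tcp", 80),
])


def parse_export(text):
    """Parse a semicolon-separated export (header row prepended) into dict rows."""
    return list(csv.DictReader(StringIO(HEADER + "\n" + text), delimiter=";"))


def top_services(rows, n=20):
    """Same result as the slide's LogParser query: hits per service_id, descending."""
    return Counter(r["service_id"] for r in rows).most_common(n)


def port_distribution(rows):
    """Share of log lines per proto/port, e.g. {'udp/53': 0.5, 'tcp/80': 0.333, ...}."""
    counts = Counter(f"{r['proto']}/{r['dport']}" for r in rows)
    total = sum(counts.values())
    return {port: hits / total for port, hits in counts.items()}


def distribution_shift(baseline, current, threshold=0.10):
    """Ports whose share moved by at least `threshold` between two distributions.

    A port seen on only one side gets a share of 0.0 on the other, so a port
    that appears from nowhere (tcp/445 on day 2) is always reported."""
    shifts = []
    for port in sorted(set(baseline) | set(current)):
        before, after = baseline.get(port, 0.0), current.get(port, 0.0)
        if abs(after - before) >= threshold:
            shifts.append((port, round(before, 3), round(after, 3)))
    return shifts


def text_bar_chart(pairs, width=30):
    """Render (label, count) pairs as a text bar chart, one row per label."""
    biggest = max((count for _, count in pairs), default=1) or 1
    return "\n".join(f"{label:<14}{'#' * (count * width // biggest):<{width}} {count}"
                     for label, count in pairs)


if __name__ == "__main__":
    day1, day2 = parse_export(DAY1), parse_export(DAY2)
    print(text_bar_chart(top_services(day1)))
    for port, before, after in distribution_shift(port_distribution(day1), port_distribution(day2)):
        print(f"{port}: {before:.0%} -> {after:.0%}")
```

The shift check is the piece LogParser's single query does not give you: a top-20 chart for one day looks normal on its own, and only the comparison against a baseline day shows that a share of traffic to tcp/445 has appeared and that DNS has dropped.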
In addition to knowing the ports in use, you need to
know the traffic patterns over the network
Through packet captures and visualization you
can
Determine traffic patterns
Lock down ports
Optimize network topology
Are these patterns normal
Is there anything unusual
Is there room to change or update the network
How were these graphs created
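The packet-capture step, as an added example that is not from the original slides: a pcap reader written with only the Python standard library that turns a capture into a host-to-host traffic matrix, lists which servers answer on which ports, and flags conversations to ports outside an allow list (the "lock down ports" step). The capture is constructed in memory by the code itself; build_packet and build_pcap are helpers for this example, and none of the addresses or traffic are real.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_packet(src, dst, proto, sport, dport, payload_len):
    """Construct one Ethernet/IPv4/TCP-or-UDP frame (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:   # 20-byte TCP header: data offset 5, PSH|ACK flags
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total_len = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + l4 + bytes(payload_len)


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (magic 0xa1b2c3d4, version 2.4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1230768000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: DNS, HTTP and SMB conversations, plus an ARP frame and a
# truncated frame that the parser must skip rather than misparse.
SAMPLE_PCAP = build_pcap([
    build_packet("172.24.66.211", "205.171.2.65", PROTO_UDP, 62205, 53, 40),
    build_packet("172.24.66.212", "93.184.216.34", PROTO_TCP, 50321, 80, 300),
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),                               # ARP, not IPv4
    build_packet("172.24.66.211", "205.171.2.65", PROTO_UDP, 62206, 53, 40),
    build_packet("172.24.66.240", "172.24.66.10", PROTO_TCP, 49152, 445, 120),
    build_packet("172.24.66.240", "172.24.66.11", PROTO_TCP, 49153, 445, 120)[:30],  # truncated
    build_packet("172.24.66.240", "172.24.66.11", PROTO_TCP, 49154, 445, 120),
])


def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, ip_total_len) for each IPv4 TCP/UDP frame.

    Accepts either byte order of the pcap magic; skips non-IPv4 frames and frames
    too short to hold the Ethernet, IP and port headers."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
        total_len = struct.unpack("!H", frame[16:18])[0]
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:14 + ihl + 4]                 # source and destination ports
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4)
        yield src, dst, proto, sport, dport, total_len


def traffic_matrix(data):
    """Bytes per (src, dst, proto/dport) conversation: the who-talks-to-whom view."""
    matrix = defaultdict(int)
    for src, dst, proto, _sport, dport, length in parse_pcap(data):
        name = "tcp" if proto == PROTO_TCP else "udp"
        matrix[(src, dst, f"{name}/{dport}")] += length
    return dict(matrix)


def servers_by_port(matrix):
    """Which destination hosts are serving which proto/port."""
    servers = defaultdict(set)
    for (_src, dst, port), _nbytes in matrix.items():
        servers[port].add(dst)
    return dict(servers)


def unexpected_services(matrix, allowed_ports):
    """Conversations to ports outside the allow list: candidates to lock down."""
    return [(src, dst, port, nbytes) for (src, dst, port), nbytes in matrix.items()
            if port not in allowed_ports]


if __name__ == "__main__":
    matrix = traffic_matrix(SAMPLE_PCAP)
    for (src, dst, port), nbytes in sorted(matrix.items()):
        print(f"{src:>15} -> {dst:<15} {port:<8} {nbytes} bytes")
    print("unexpected:", unexpected_services(matrix, {"udp/53", "tcp/80", "tcp/25"}))
```

On a real capture, replace SAMPLE_PCAP with the bytes of a file written by tcpdump or Wireshark in the classic pcap format (not pcapng); the matrix is then the input for a graph of hosts and edges, which is the picture the slides describe.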
Based on signatures, much like virus scanners
Only produces insight into what it detects
Requires a great deal of monitoring and
maintenance
Not as many questions can be raised because
every detection is treated as a problem
Because many of these systems are self-contained,
there is not much you can do with them
However:
Many of the systems write to databases
With some time and effort you can create a
common interface which displays a dashboard
view of all the systems.
Before we look at the future, let's get some context for
what we have learned through an example.
In this example we are going to look at three
subjects and how much money in coins they have
Nicholas has $2.71 in coins in his pocket.
What conclusions can be drawn
What can be theorized about the situation
Nicholas has 21 coins totaling $2.71
Nicholas has more quarters than any other
Maybe Nicholas is about to get paid
Maybe he likes quarters
In other words not much can be concluded
Too little data
Nothing to compare to
Only assumption can be made
Mark has $1.91 in coins
Nicholas has $2.71 in coins
What conclusions can be drawn
Mark has more nickels and dimes
Nick has more pennies and quarters
In other words not much can be concluded
Still, too little data
No basis to conclude anything
Only assumption can be made
Mark has $1.91 in coins
Nicholas has $2.71 in coins
Daniel has $1.63 in coins
Still not much can be learned
Let's add more data and data types to the story
There is more than one way to look at the data
By manipulating how data is displayed you can
Get a better understanding of data
Make assumptions
Plan better
Data will be visualized in ways where
assumptions are instantly apparent
Some of these visualizations are already there
they just need to be applied to networks
Look to other areas and fields to see what they
are doing, such as
Social Networks, Psychology
Medicine, Movies
Meteorology, etc.
Here are some examples
Visualization or graphing of data is growing
beyond simple bar charts
Look for patterns beyond what the data says
Visualizations include
Color
Size
3D
Sound*