1 Log visualization at CNES (Part II)



Similar documents
Firewall Firewall August, 2003

Secret Server Qualys Integration Guide

Concierge SIEM Reporting Overview

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Intrusion Log Sharing University of Wisconsin-Madison

A LITERATURE REVIEW OF NETWORK MONITORING THROUGH VISUALISATION AND THE INETVIS TOOL

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Solution of Exercise Sheet 5

W3Perl A free logfile analyzer

1Fortinet. 2How Logtrust. Firewall technologies from Fortinet offer integrated, As your business grows and volumes of data increase,

Assets, Groups & Networks

mframe Software Development Platform KEY FEATURES

12. Firewalls Content

Automatic Hotspot Logon

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Edge Configuration Series Reporting Overview

Testing Network Security Using OPNET

Sophos XG Firewall v Release Notes. Sophos XG Firewall Reports Guide v

Intrusion Detection Systems (IDS)

NVisionIP: An Interactive Network Flow Visualization Tool for Security

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

How To Protect A Dns Authority Server From A Flood Attack

FortiWeb 5.0, Web Application Firewall Course #251

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Firewalls & Intrusion Detection

Protecting and controlling Virtual LANs by Linux router-firewall

Chapter 11 Cloud Application Development

ThreatSpike Dome: A New Approach To Security Monitoring

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Cyber Essentials. Test Specification

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

SonicWALL GMS Custom Reports

Lab Configuring Access Policies and DMZ Settings

Lab Objectives & Turn In

EKT 332/4 COMPUTER NETWORK

WHY ATTACKER TOOLSETS DO WHAT THEY DO

Integration Guide. Help Desk Authority, Perspective and sl

FIREWALL AND NAT Lecture 7a

Configuring Your Gateman Proxy Server

Public-Root Name Server Operational Requirements

Lab Configuring Access Policies and DMZ Settings

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Intrusion Detection in AlienVault

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Cyber Security Analytics. Su Zhao Yuan-Jen Lee Ching-Tang Lin Yufeng Mao

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

graphical Systems for Website Design

CARL : Cyberoam Aggregated Reporting and Logging :: User Guide. Table Of Contents INTRODUCTION... 4

Chapter 15. Firewalls, IDS and IPS

Bandwidth Management for Peer-to-Peer Applications

Configuring Citrix NetScaler for IBM WebSphere Application Services

Network Monitoring and Traffic CSTNET, CNIC

CMPT 471 Networking II

Network Visiblity and Performance Solutions Online Demo Guide

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

Types of Firewalls E. Eugene Schultz Payoff

FIREWALL INTELLIGENCE. 1 Copyright 2014 Juniper Networks, Inc.

AccessEnforcer. HTTPS web filter overview

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Basic & Advanced Administration for Citrix NetScaler 9.2

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Network Traffic Analysis

Intro to Firewalls. Summary

CSE543 - Computer and Network Security Module: Firewalls

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

Network Security CS 192

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewall Design Principles

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

IBM. Vulnerability scanning and best practices

Usage of OPNET IT tool to Simulate and Test the Security of Cloud under varying Firewall conditions

IBM Security QRadar Risk Manager

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Setting Up Scan to SMB on TaskALFA series MFP s.

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Acquia Cloud Edge Protect Powered by CloudFlare

Optimization of Firewall Filtering Rules by a Thorough Rewriting

XpoLog Center Suite Log Management & Analysis platform

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Firewalls 1 / 43. Firewalls

Transformation of honeypot raw data into structured data

Ranch Networks for Hosted Data Centers

National Fire Incident Reporting System (NFIRS 5.0) Configuration Tool User's Guide

Improving Network Performance with Geographic Network Mapping

PROFESSIONAL SECURITY SYSTEMS

Owner of the content within this article is Written by Marc Grote

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Introducing FortiDDoS. Mar, 2013

Transcription:

1 Log visualization at CNES (Part II) 1.1 Background For almost 2 years now, CNES has set up a team dedicated to "log analysis". Its role is multiple: This team is responsible for analyzing the logs after an incident in order to understand what happened during the incident and the depth of the attack. The team is also responsible for providing expertise to projects that request their logs to be analyzed. Soon, the team have faced several critical issues during investigations of incidents: What are the contents of logs provided for the analysis of this incident? Basically, what we find inside (firewall logs, applications, systems, sensor intrusion detection). How to quickly filter logs which are useful for this incident analysis, among the few mega bytes and millions of lines provided as input information. How to quickly visualize these logs to ask the right questions and to provide answers. After some research, no existing tools seemed satisfactory. Then the CNES decided to develop its own tools. 1.2 The solutions The solutions chosen by the CNES to its problems are: A database. All the data are injected into a database in order to make SQL queries. Regular expressions. All the data are extracted using regular expressions. These regular expressions can efficiently filter useful log events from a significant volume of logs. Graphical tools. The views provided by these graphical tools enable to consider certain phenomena, to find answers and especially to not hide the logs as a whole. If one locks himself in a predefined scenario, it is then impossible to see what is happening aside. The following paragraphs describe the 3 graphical tools used internally by the CNES "log analysis team" as part of its log analysis missions. 1.3 The CubeCnes program This program is a tool for viewing logs. It is based on an initial development by the CEA (French Atomic Energy Commission) and a concept introduced by Stephen Lau in "The Spinning Cube of Potential Doom" (http://www.nersc.gov/nusers/security/thespinningcube.php) published in December 2003. Some features have been added during the development by the CNES (generalization of the concept of "points", adding of regular expressions, adding of new dimensions such as "color", "size" and "lifetime" of points, intuitive user interface, etc.). The goal of this program is: to extract 6 fields or numerical values from a line of logs with a regular expression, to represent the 6 fields by a cloud of points in a 3-dimensional space. The 6 values are represented by the 3 "classical" coordinates of the "X, Y, Z" point, the size of the point, its color and lifespan. The CubeCnes program is particularly suitable for viewing logs from a filtering equipment. The logs generated by these facilities include a lot of digital information easily represented in a graph: Date and Time IP source and destination Protocol

Port number source and destination This screenshot shows a real CubeCnes view while visualizing firewall logs. The X axis (horizontal) represents the internal IP addresses of CNES, the Y axis (vertical) represents the source port of the request, the Z axis (depth) is the IP address, the color represents the protocol number (in this case, UDP is yellow), the size of the points is the number of occurrences, the lifetime parameter is not used (infinite life). The big vertical yellow line on the diagram should make the operator wonder about its origin. In fact after analysis, this line is only due to a single internal machine which was badly configured (more than 100 000 rejected requests generated a day). It was using (or at least trying to use) an external DNS server instead of the internal ones. All the requests were thus rejected by the firewall. The CubeCnes can also be used to highlight the network scans. In such a case, if the "deny" logs of a firewall are injected, a vertical (for a port scan) or horizontal (for network scan) line will appear on the cube. The CNES also uses the CubeCnes to verify that the filtering policy is in accordance with the specification of this policy. To do this, the specification of the filtering policy is injected on one side (in the form of an Excel file converted into text file) and the "allow" logs from the filtering equipment on the other side. The cube is configured not to display the "allow" logs, the ones authorized by the filtering policy (CubeCnes feature). Thus, all the points displayed by the cube are flows authorized by the device but not authorized by the filtering policy. This feature allows to highlight flows unspecified by the policy filtering. A third function of the cube is to generate statistics in 3D:

This other view of the CubeCnes program shows the number of accesses to an internal CNES web server per second and per external IP address. The X axis (horizontal) represents the time (from 0:00 to 23:59) during the day of 18 September 2007. The Y axis (vertical) represents the number of hits per IP address, and Z (depth) is the IP address of the requester. This diagram shows the peaks of activity during the day. After investigation, the jobs of the robots indexing the web (such as Google and Yahoo) can be recognised by the form of continuous horizontal lines. All day long, they make requests on the web server. 1.4 The SphereCnes program The SphereCnes program has been developed following a specific request, "What is the main source in terms of geographical location of the flows rejected by the CNES external firewall?" This real view shows a world map (in 2D or 3D) with the location of IP source addresses rejected by the CNES firewall. Bigger is the size of points, greater is the number of rejected flows from a source. Details are extracted from the log files by using a regular expression.

The view presented by the SphereCnes program can be used, for example, during IT security awareness sessions to present two ideas: "The Internet is dangerous" and "Here are our attackers." SphereCnes is based on a free geo-localisation database from "geoip MaxMind". This database provides the geographical position (latitude and longitude) of any IP address (if it is referenced at worldwide WhoIs bases). This database is updated monthly. A more precise database containing more information is available with a paid subscription to MaxMind. The SphereCnes program is particularly suited for viewing logs of the accesses to a server (FTP, HTTP) or for viewing the "allow or deny" logs of a firewall. 1.5 The BoxCnes program The BoxCnes program's goal is to quickly view the distribution of data extracted from log files by a regular expression. The given view allows to quickly know what information is most present to focus on them first. This real view shows that on 155,483 lines of logs processed, there are 390 destination port numbers and that only 4 port numbers represent 75% of the lines processed. 2 Conclusion Visualizing logs allows to use a great correlation tool, which is the operator's eye. It also helps not to care of the various scenarios of intrusion detection and therefore to keep an overall view and not a truncated one (what is not expected by the scenarios is not visible). On the other hand, the log visualization requires: A certain quality of logging (many logs, synchronized machines, a high level of logging, etc.). All logs can be helpful. The operator must have some experience (and even a confirmed experience) in this exercise. The operator must have the knowledge of the contents of logs and the network topology in order to interpret the displayed results. He must also be able to interact with network or system administrators to understand or interpret certain results. The tools presented in this article (CubeCnes, SphereCnes and BoxCnes) are developed internally and belong to the CNES. You can contact M. Yvon Klein (Yvon.Klein@cnes.fr) for loans, exchanges, partnerships or more ideas about these tools. 3 Several URL of interest http://code.google.com/p/davix/

http://www.nersc.gov/nusers/security/thespinningcube.php http://vraf.free.fr/ http://afterglow.sourceforge.net/ http://phoenix.servhome.org/cube6d_fr.php http://www.maxmind.com/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information