6 Replies Latest reply: Sep 13, 2011 1:52 PM by rongula

3D Tool Creation and Walk-Through

rongula

This post includes initial documentation and steps to create images like the one below with the 3D Tool beta and data collected by the SecurityCenter.

 

28-blacklist-shown.png

 

When the 3D Tool first starts, it has a blank screen:

 

01-3d-tool-start.png

 

In order to create a topology, a saved query of traceroute data must be present on the SecurityCenter. For this demo, I have saved many queries ahead of time:

 

02-sc4-querries.png

The query named "traceRoute" will be used to create a small example topology. Within SecurityCenter, the traceroute query is for full vuln detail:

 

03-sc4-raw-traceroute-detail.png

If the query was for an IP summary, a vuln list or anything besides full vuln detail, the 3D tool won't list it as an option.

 

Before we grab data from the SecurityCenter, we need to configure the 3D Tool; we need to tell it how to log in:

 

Click on the spoke and gear icon in the top right of the 3D Tool's screen.

 

07-initial-sc4-creds-enter.png

 

This will present the following GUI:

 

08-ip-topology-config.png

 

Click on the 'Query data directly from SC4' radio button and then click the 'Manage Logins' button to get the following screen:

 

09-sc4-login-screen.png

 

This screen lets you manage your SC4 login or logins and test the connection before saving.

 

After saving your SC4 login, you should select the 'List Queries' button, which will populate the 'Queries' drop down menu with a list of saved queries in your SC4 that can be used to obtain traceroute data.

 

10-traceroute-querry.png

Select the query that has traceroute data. In this demo, we used the 'traceRoute' query.

 

Click the 'New Topology' button and the 3D tool will log into SC4, obtain traceroute data and create a 3D chart as shown below:

 

11-first-topology.png

 

The mouse wheel can be used to zoom in and out. Holding the mouse button and moving the mouse will transform the image.

 

Now let's paint all of our Windows nodes with an icon.

 

To start this, select the spoke and wheel settings icon and then choose the Modifiers tab.

 

12-modifier-screen.png

 

Select the New button. This will give you a choice of three types of modifiers.

 

  • Node Traits - lets you color, re-shape, re-icon or lower or raise any node
  • Connections - lets you draw colored arcs between connecting and receiving nodes for IDS events, firewall logs and any other type of event
  • Counts - lets you project any type of vulnerability data on 4 upward or 4 downward vertical bars on each node

 

To change the "Windows" computers' icons, choose Node Traits from the list:

13-modified-dropdown.png

Name this modifier "Windows Icons"

 

14-windows-icons-modifier.png

 

This will create your modifier, which by default is empty. Click on the edit button to add in some modifiers.

 

15-needs-to-be-edited.png

And this list of IPs is empty, since we've not performed a query yet. The intent of this layer is to allow you to populate your own IP addresses if a query isn't available at SC4 for you. Choose the "Configure" button to select an SC4 query:

 

16-needs-to-be-configured.png

 

After hitting the "Configure" button, the following GUI is shown:

 

17-configure-screen.png

 

We need to perform a query to SC4, but need to tell it what kind of query we need to do. Lists of IP addresses can come from SC4's asset lists, from an IP vuln summary and from an IP LCE summary.

 

18-drop-down-querry-types.png

 

For this example, we have a dynamic asset list that used Nessus's OS ID of Windows to create a list of any Windows OS on the network.

 

After selecting 'Asset List', the 'List Queries' button becomes active and the list of available assets is shown in the drop down menu:

 

19-asset-querry.png

 

Select the asset name you want to use. In this demo, we selected a list named "Windows Computers" (not shown). Click "Perform Query" to obtain the list of IPs.

 

The 3D Tool will prompt you if you want the asset list applied against all repositories or just one. For this query, we want the list of IPs to use all repositories:

 

20-which-repositories.png

 

After the query, the Modifiers GUI will contain the list of matching IP addresses:

 

21-after-querry.png

 

After the query, we can still modify how this list of IPs will be transformed in the 3D display. By default, the modifier is color. Choosing the drop down menu under 'Trait Select', you can choose other options, such as icons, height and shape. In this demo we chose icons, and then selected the Windows icon image.

 

Hitting the "Done" button on this screen and in the Configuration screen brings us back to the settings GUI. From here you can turn this modifier on or off with the checkbox selection and also hit the "Apply to Topology" button. When doing so, the icons for those IP addresses change:

 

22-icons.png

By selecting the Modifiers GUI again, you can add in one for vertical bars to be colored red for a query that listed all IPs with actively discovered high vulns. In our demo SC4, the following query was saved as "High Active Vulns":

 

04-sc4-high-active-vulns.png

 

In the 3D tool, the modifier we used was filled in as shown:

 

23-high-vuln-querry.png

 

Applying this to the topology, we can see vertical bars colored red:

 

24-high-vulns.png

 

We can display connection data logged by the PVS as well. Here is an SC4 query which shows PVS full vuln detail records for any port 22 trust relationships:

 

05-sc4-pvs-port22-trust.png

 

This query is used in the 3D tool as shown:

 

25-pvs-port-22.png

 

When displayed in the 3D Tool, the connections are visible:

 

26-port-22-trust-graphs.png

 

And finally, a saved query for LCE events related to blacklisted connections was saved and is shown below:

 

06-lce-blacklist-list.png

These particular network connections were logged by the TNM sniffer. The 3D tool modifier GUI was configured as shown:

 

27-blacklisted-events.png

Notice we've asked for these connections to be displayed below the topology by unchecking the 'Lines drawn above layout' checkbox.

 

This results in the following display:

 

28-blacklist-shown.png

 

I'd like to thank SecurityCenter users in advance for helping us beta test this tool. There are many, many, many uses for this tool and a wide variety of reports that can be created with this.

 

Ron Gula

  • Re: 3D Tool Creation and Walk-Through

    Hi Ron Gula,

     

    I'm a student, and I am interested in the 3D tool creation that you've done. Can I know where I can get the software for doing this?

    Thank you.

     

    Regards,

    Adeline

    • Re: 3D Tool Creation and Walk-Through
      rongula

      Hi there,

       

      SecurityCenter and the 3D Tool software are only available to Tenable customers.

       

      Ron Gula

      • Re: 3D Tool Creation and Walk-Through

        Just curious, is there a way to apply more than one property to an icon? I've tried a few things and it appears I can only display one icon property at a time.

         

        What I'm trying to do is identify a specific group's systems, which we have an asset list created for, and show the risk level of those systems vs. other systems. I can apply a pyramid icon to the specific group but when I try to apply a color change for high risk systems to compare to the others, the red color doesn't appear. I'd prefer to be able to use two icon properties to make it look clean.

         

        Thanks.

        • Re: 3D Tool Creation and Walk-Through
          rongula

          Hi there,

           

          You should be able to apply multiple properties to an icon of different types (size, shape, color, skin, etc.) but not multiple skins, shapes, etc.

           

          Try turning your properties on one at a time to see if they are getting applied in the order you want them to.

           

          Ron

          • Re: 3D Tool Creation and Walk-Through

            Thanks Ron. I think I'll be stuck using the bars to show vulnerability counts instead. I was hoping to use a pyramid icon for a specific asset list and then color each one red, yellow, whatever based on the highest risk vulnerability detected for each host. When I configure the 2nd property (color based on vulnerability count) I think that gets superseded by the default color of the asset list icon property. I can see why what I'd like to do isn't working. I guess I could potentially create a few asset lists. One for the specific department containing hosts with high risks and one for medium, etc. Then color the icons to match. I'll play around a bit more to see if that could work.

             

            Management is getting interested in visualization presentation for upper management and we're trying to keep things very clean and informative. Something beyond powerpoints and pie charts but not extremely cluttered. I can create view modifiers to highlight specific departments, apply filters, etc. so we should be able to toggle through predefined items easily.

            • Re: 3D Tool Creation and Walk-Through
              rongula

              I like to use assets for color, but sometimes you can have an IP in more than one asset.

               

              I've never been a fan of icons, because the networks can get really big.

               

              Don't forget you can go up AND down with your vertical bars. In this screen shot, I've graphed logins vs. login failures (from an LCE query) across a bunch of different assets:

               

              up-and-down.PNG

               

              Lastly, it's more effective in the tool, but if you have all of your assets pre-loaded with a height modifier, you can quickly step through each asset and see them pop up. If you have this offscreen, it makes for a very stunning display. You can do this with color as well.

               

              Please feel free to post your final result without any incriminating corporate IPs if you can. I've been very interested to see how people use the 3D tool to show different items.

               

              Ron Gula