This post includes initial documentation and steps to create images like the one below with
the 3D Tool beta and data collected by the SecurityCenter.
When the 3D Tool first starts, it has a blank screen:
In order to create a topology, a saved query of traceroute data must be present on
the SecurityCenter. For this demo, I have saved many queries ahead of time:
The query named "traceRoute" will be used to create a small example topology. Within
SecurityCenter, the traceRoute query is for full vuln detail:
If the query was for an IP summary, a vuln list or anything besides full vuln detail,
the 3D Tool won't list it as an option.
Before we grab data from the SecurityCenter, we need to configure the 3D Tool
and tell it how to log in:
Click on the spoke and gear icon in the top right of the 3D Tool's screen.
This will present the following GUI:
Click on the 'Query data directly from SC4' radio button and then
click the 'Manage Logins' button to get the following screen:
This screen lets you manage your SC4 login or logins and test
the connection before saving.
After saving your SC4 login, you should select the 'List Queries'
button, which will populate the 'Queries' drop down menu with a
list of saved queries in your SC4 that can be used to obtain traceroute data.
Select the query that has traceroute data. In this demo, we used
the 'traceRoute' query.
Click the 'New Topology' button and the 3D Tool will log into
SC4, obtain traceroute data and create a 3D chart as shown:
The mouse wheel can be used to zoom in and out. Holding the mouse button
and moving the mouse will transform the image.
Now let's paint all of our Windows nodes with an icon.
To start this, select the spoke and wheel settings icon and then choose the Modifiers GUI.
Select the New button. This will give you a choice of three types of modifier:
- Node Traits - lets you color, re-shape, re-icon or lower or raise any node
- Connections - lets you draw colored arcs between connecting and receiving nodes for IDS events, firewall logs and any other type of event
- Counts - lets you project any type of vulnerability data on 4 upward or 4 downward vertical bars on each node
To change the "Windows" computers' icons, choose Node Traits from the list:
Name this modifier "Windows Icons".
This will create your modifier, which by default is empty. Click on the
edit button to add in some modifiers.
And this list of IPs is empty, since we've not performed a query yet.
The intent of this layer is to allow you to populate your own IP addresses
if a query isn't available at SC4 for you. Choose the "Configure" button
to select an SC4 query:
After hitting the "Configure" button, the following GUI is shown:
We need to perform a query to SC4, but first need to tell it what kind of
query to run. Lists of IP addresses can come from SC4's
asset lists, from an IP vuln summary and from an IP LCE summary.
For this example, we have a dynamic asset list that uses Nessus's
OS identification of Windows to create a list of any Windows OS on the network.
After selecting 'Asset List', the 'List Queries' button becomes active and
the list of available assets is shown in the drop down menu:
Select the asset name you want to use. In this demo, we selected
a list named "Windows Computers" (not shown). Click "Perform
Query" to obtain the list of IPs.
The 3D Tool will prompt you if you want the asset list applied
against all repositories or just one. For this query, we want the
list of IPs to use all repositories:
After the query, the Modifiers GUI will contain the list of matching IP addresses.
After the query, we can still modify how this list of IPs will be transformed in the
3D display. By default, the modifier is color. Choosing the drop down menu under
'Trait Select', you can choose other options, such as icons, height and shape.
In this demo we chose icons, and then selected the Windows icon image.
Hitting the "Done" button on this screen and in the Configuration screen brings us
back to the settings GUI. From here you can turn this modifier on or off with the
checkbox selection and also hit the "Apply to Topology" button. When doing so,
the icons for those IP addresses change:
By selecting the Modifiers GUI again, you can add in one for vertical bars to be
colored red for a query that listed all IPs with actively discovered high vulns. In
our demo SC4, the following query was saved as "High Active Vulns":
In the 3D tool, the modifier we used was filled in as shown:
Applying this to the topology, we can see vertical bars colored red:
We can display connection data logged by the PVS as well. Here is an SC4 query
which shows PVS full vuln detail records for any port 22 trust relationships:
This query is used in the 3D tool as shown:
When displayed in the 3D Tool, the connections are visible:
And finally, a query for LCE events related to blacklisted connections
was saved and is shown below:
These particular network connections were logged by the TNM sniffer. The 3D
tool modifier GUI was configured as shown:
Notice we've asked for these connections to be displayed below
the topology by unchecking the 'Lines drawn above layout' checkbox.
This results in the following display:
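To make the walkthrough above concrete, here is an added illustrative model (not the 3D Tool's own code) of how traceroute hop lists become a topology and how the three modifier types overlay onto it: Node Traits from an asset-list style IP list, Counts from a vuln query such as "High Active Vulns", and Connections from event rows such as the PVS port 22 or LCE blacklist queries. All IPs, the scanner address and the record format are constructed for the example.

```python
"""Illustrative model (added here, not the 3D Tool's own code) of how
traceroute records become a topology and how the three modifier types
(Node Traits, Connections, Counts) overlay onto it. All data is constructed."""
from collections import defaultdict

SCANNER = "10.0.0.5"  # hypothetical Nessus scanner, the root of every path

# Constructed stand-in for the hop lists a "traceRoute" full-vuln-detail
# query would return: target IP -> ordered hops from the scanner.
TRACEROUTES = {
    "192.168.1.10": ["10.0.0.1", "192.168.1.1"],
    "192.168.1.20": ["10.0.0.1", "192.168.1.1"],
    "172.16.5.7":   ["10.0.0.1", "172.16.0.1"],
}

def build_topology(records, root=SCANNER):
    """Return (nodes, edges): each path is chained root -> hops -> target."""
    nodes, edges = {root}, set()
    for target, hops in records.items():
        path = [root, *hops, target]
        nodes.update(path)
        for a, b in zip(path, path[1:]):
            edges.add(frozenset((a, b)))   # undirected link between hops
    return nodes, edges

def node_traits(nodes, ip_list, trait):
    """Node Traits modifier: apply a trait (icon, color, height, shape)
    to every topology node that appears in an asset-list style IP list."""
    wanted = set(ip_list)
    return {ip: trait for ip in nodes if ip in wanted}

def counts(nodes, rows):
    """Counts modifier: per-node tallies from query rows (ip, severity),
    e.g. the 'High Active Vulns' query, projected as bar heights."""
    tally = defaultdict(int)
    for ip, _severity in rows:
        if ip in nodes:              # IPs not on the map get no bar
            tally[ip] += 1
    return dict(tally)

def connections(nodes, events, require_both=True):
    """Connections modifier: arcs from connecting to receiving node for
    event rows (src, dst); optionally drop arcs with an endpoint off-map."""
    arcs = []
    for src, dst in events:
        if not require_both or (src in nodes and dst in nodes):
            arcs.append((src, dst))
    return arcs
```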
I'd like to thank SecurityCenter users in advance for helping us beta test this tool.
There are many, many, many uses for this tool and a wide variety of reports that
can be created with this.