I am on my way to EuSecWest 2006 in London. The big news is that I will be releasing AfterGlow 2.0. It’s a complete rewrite (really a new version) that supports the generation of TreeMaps if you feed it a CSV file. For now, version 1.1.6 of AfterGlow will be kept concurrent to the 2.0 release. Version 3.0 will combine the capabilities of the two so that the Java version is going to be able to output not just TreeMaps, but also LinkGraphs.
AfterGlow 2.0
Information Security Products of the Year 2006
I guess the information security magazine can look into the future. They already have their product awards out for the year 2006. Reading through the different categories, I found some really strange awards. Not that I am well versed in any of the categories they awarded, but some of the choices strike me as strange: For example in the intrusion detection category, gold went to the eTrust IDS, silver to Symantec’s Intruder Alert and bronze to the ISS RealSecure Network Sensor. I never even heard of the eTrust IDS. You know what? They have one category for HIDS and NIDS. Does that make sense? Strange. I don’t get it. And again, I never heard of the eTrust IDS. And why is SourceFire or Enterasys or NFR or any of the traditional IDSs not in the list? Have you read the latest NSS report on IDSs? Why do these awards not at all match up with that report?
Then in the vulnerability scanner category, Foundstone won gold, Symantec won silver and ISS won bronze. What’s up with that? Symantec has a silver-style product for vulnerability scanning? Where is Qualys? Where is nCircle? Well, I am confused.
Good Articles
I guess I have a tendency to write about negative articles more than about good ones. Lemme try to counterbalance this. A couple of years ago I met a gentleman called John McCumber at a DHS workshop. Very nice guy. We had some good discussions. Shortly after meeting him, I realized that he is a frequent author of articles in security magazines. I keep reading his articles and I have to say, I like them. They are generally very entertaining. He usually talks about something that happened to him in his daily life and translates that to the security world. If you have a chance, read one of his articles.
ISSA: 12 Step Security Program for Small and Medium Businesses
This guy lists 12 steps in his article about how to approach a security program. I did not read all twelve steps, but I found the one that’s of interest to me: “Step 8: Log reporting”. I started reading the paragraph and, well, you bet, I have some comments:
“Management should know where the users are going, what type of bandwidth is being used, and who is hacking into your sites.”
Do you really believe that management is interested in where every user is going and what type of bandwidth they are using? I think they have better things to do. What about defining a policy that clearly states what employees are allowed to do, what sites are off limits and what applications are prohibited (such as file sharing)? Then you monitor the traffic and figure out who is in violation of this. That’s the report that I as a manager would be interested in. I don’t have the time to interpret log files or reports and figure out what happened. Have machines do the work for me and give me the distilled information!
XCCDF-P
A horrible acronym. I know. We had a working session during the RSA conference to talk about XCCDF-P. For those not familiar with XCCDF, it has to do with policy definitions and uses OVAL to implement the checks.
XCCDF-P (which will hopefully get renamed pretty soon to something else, and hopefully not to CPN (Common Platform Names) [we already have CVE, CME, and CCE]) is an effort to standardize platform names. What’s the problem? Well, if I have two scanners analyzing a system of mine, one of them might report that I am running “Windows 2000”, the other one might say “Win2K”. This is really the same, but how would a machine know? That’s where the standard is trying to clean things up. You wouldn’t believe how much discussion this topic actually involves. We met for about an hour and had plenty of things to discuss, not even coming close to an agreed-upon solution. However, the problem is defined and we all agreed upon the necessity to solve it! Stay tuned for an update soon and hopefully a quick turnaround with a solution draft.
GTK2 and Perl and Treemaps
I am frustrated. I found these Perl libraries to build treemaps (Treemap::Squarified). The problem is that it needs a special input format, which is either an XML tree, or you can hack it into the internal Perl data structure, which is basically a bunch of arrays. Once I figured out the internal data structure (I was too lazy to go through XML), it got worse. You need to do everything yourself. The library does not even take care of sizing the pieces for you. You need to make sure that the numbers along the hierarchy are all correct and add up. But that’s not all. After playing with that for a while (basically my problem was to convert CSV to a tree; no, I did not finish implementing it), I got into GTK2 coding. Well, that’s a mess too. Hardly anything is documented. I just wanted to show some pictures in a window. Easy? No! I wanted to resize them to fit two arbitrary images into one window. Resize? I could not quite figure out how to have pixbufs and Gtk2 and all that interact. So I gave up…
Back to a language that I know a bit better: JAVA. Starting over…
ITM – Insider Threat Management
I just read this article about ITM – yet another acronym, which stands for insider threat management. Looking at the products they reviewed in the InfoWorld article, I just don’t see what is so new about them. They seem to be either a NIDS or a HIDS on steroids. Why wouldn’t I be able to flag specific traffic with a NIDS? I can build a rule in Snort which looks for Social Security numbers (SSNs) floating around on my network. Yes, there are some nice manageability features built into these new products, but why don’t NIDS vendors add them on top of their products? I am over-simplifying, but think about it: all these new products are not really _that_ new. They wrap old concepts in new products.
Is marketing taking over completely?
TreeMaps
Wow. I just found this pretty awesome TreeMap tool. The data format it reads is pretty easy and I quickly built a file with some of my firewall data. Well, fake firewall data 😉
What you see here is, first, the color: green are firewall passes, red are blocks. Then the hierarchy is such that the target system is at the top, then the target IP, and inside the boxes you see the date when the access happened.
Well, the tool is pretty awesome. Lots of interactivity. You define the hierarchies manually, on the fly it updates the graph. Then you can color and filter and all kinds of nifty things. Try it out.
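The CSV-to-tree conversion I gave up on in the Perl post above, and the hierarchy/color scheme of this firewall treemap (target system, then target IP, then date; green for passes, red for blocks), as an added example that is not part of the original post and not AfterGlow code. It builds the tree from constructed sample firewall records, keeps the sizes along the hierarchy adding up (the invariant Treemap::Squarified leaves to you), and does a simple slice-and-dice layout rather than the squarified algorithm.

```python
import csv
import io

# Constructed sample firewall records (not real data): action, target host, target IP, date.
SAMPLE_CSV = """action,target,ip,date
pass,web01,10.0.0.5,2006-02-01
pass,web01,10.0.0.5,2006-02-01
block,web01,10.0.0.5,2006-02-02
block,db01,10.0.1.9,2006-02-01
pass,db01,10.0.1.9,2006-02-03
block,db01,10.0.1.10,2006-02-03
"""

def _node():
    return {"size": 0, "blocks": 0, "children": {}}

def build_tree(csv_text, hierarchy=("target", "ip", "date")):
    """Nest flat CSV rows along the hierarchy. Every row increments the size
    (and block count) of each node on its path, so a parent's size always
    equals the sum of its children's sizes, as a treemap requires."""
    root = _node()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cur = root
        for level in (None,) + hierarchy:          # None stands for the root
            if level is not None:
                cur = cur["children"].setdefault(row[level], _node())
            cur["size"] += 1
            cur["blocks"] += row["action"] == "block"
    return root

def color(n):
    """Green for all-pass boxes, red for all-block, orange when mixed."""
    if n["blocks"] == 0:
        return "green"
    return "red" if n["blocks"] == n["size"] else "orange"

def layout(n, x, y, w, h, depth=0, out=None):
    """Slice-and-dice layout: split horizontally at even depths, vertically at
    odd ones, giving each child a share proportional to its size.
    Returns (depth, name, (x, y, w, h), color) tuples for every box."""
    out = [] if out is None else out
    kids = sorted(n["children"].items(), key=lambda kv: -kv[1]["size"])
    off = 0.0
    for name, kid in kids:
        frac = kid["size"] / n["size"]
        if depth % 2 == 0:
            rect = (x + off * w, y, frac * w, h)
        else:
            rect = (x, y + off * h, w, frac * h)
        off += frac
        out.append((depth, name, rect, color(kid)))
        layout(kid, *rect, depth + 1, out)
    return out
```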
GraphViz – Related Tools
It’s one of those afternoons again where I am losing myself in doing some research on graph tools. Maybe I can spare some others an afternoon of browsing around and summarize some things I found:
- kgraphviewer – this is a tool to show graphs. The exciting thing is that you can open .dot files. However, only dot is used to render them, not neato or twopi. Too bad.
- ZGRViewer – looks very promising. You can open .dot files and render them with anything (neato, twopi); the output is zoomable and you can move around. Pretty nice. It’s written in Java. Now the question is whether I could use this framework to build my animated viewer that reads the next .dot file and updates the graph nicely. I will get it done someday!
- tinfu – Another Java library that draws .dot files. It had trouble with some of my .dot files. I guess the tool’s not very robust.
- Grappa – Another Java tool. The feature list looks promising. The Web demo is interesting. Need to download it and have a closer look.
I guess one thing that I realized is that you could, in principle, build a graph with, let’s say, twopi and generate an SVG. Then you can manipulate that, show it to the user and so on. The question is still how to periodically update a graph without totally re-laying it out. Well, I am working on this. I think I just haven’t really understood the problem yet 😉
GraphViz Graph Nodes
While playing with the AT&T graphviz library again, I was trying to get nodes to show up as pictures, which is fairly simple:
node [peripheries=0, fontsize=10, shapefile="computer.gif"]
However, what I really want is a transparent gif (computer.gif) and then to use the background color to color that node. That way I could programmatically change the color of the nodes and still use icons to make the nodes a bit nicer. This is what I tried:
node [peripheries=1, fontsize=10, shapefile="computer.gif", fillcolor=blue]
Unfortunately it did not work. Anyone?